Beware before calling Apple for assistance as scammers are creating malicious ads and fake pages to lure you in.

We’ve uncovered a malicious campaign going after Mac users looking for support or extended warranty from Apple via the AppleCare+ support plans. The perpetrators are buying Google ads to lure in their victims and redirect them to bogus pages hosted on GitHub, the developer and code repository platform owned by Microsoft.

The goal of this scam is to get unsuspecting people on the phone with someone pretending to be working for Apple. From there, fraudulent call center agents will social engineer their victims in order to extract money from them.

In this blog post, we expose the techniques behind this scam and provide mitigation steps to stay away from them. We’d like to thank GitHub for their quick response in taking down the malicious accounts we reported to them.

**Hey Siri, google “Apple phone support”**

While Apple products are designed with simplicity in mind, we’ve all come across an issue at some point that we need assistance with. Google, who reportedly paid Apple $20 billion to be the default search engine, will display results in Safari, along with ads, hence the lucrative partnership.

Those “Sponsored” results can appear at the top or further down the search results page. In the image seen below, a malicious ad appears at the very top, right before Apple’s official phone number. In other cases we encountered, multiple malicious ads were displayed before any legitimate results.

Clicking on one of those will redirect to a fake AppleCare+ customer service page, inviting users to call a 1-800 phone number supposedly belonging to Apple. In reality, in just 2 simple clicks victims are connected with scammers located in call centers overseas.

The fake Apple customer service pages are hosted on Microsoft’s GitHub source code repository as standalone HTML templates using Apple’s branding. Scammers are creating several accounts on GitHub with one or multiple repositories with the same fraudulent _index.html_ template:

During an active campaign, they can easily swap phone numbers in case one got reported and blocked. In fact, we saw scammers do just that thanks to GitHub’s commit history:

There is also an interesting piece of code within the page (autoDial) that automatically pops up the phone dialog menu. This ensures that victims have one less thing to click on to get connected with a scammer impersonating Apple:

**Risks and mitigations**

This particular scheme is exceptionally easy to fall for due to the combination of malicious Google ads and lookalike pages. Scammers are preying on unsuspecting users to trust that they are real Apple service agents and that it’s okay to give them personal information.

The biggest risk to consumers is being defrauded for hundreds, and often thousands of dollars. Scammers typically instruct victims to withdraw money from their bank account and send it to them, in various ways.

In some cases we investigated this year, fraudsters will ask for the victim’s name, address, social security number and banking details. With that information, they can easily blackmail them directly or share their profile with other scammers who will pretend to help from the original incident.

We advise users to be extremely cautious when looking for phone or online support related to any of the most popular brands. Microsoft is usually highly targeted by scammers due to its dominance in the computer market share. Keep in mind that whenever you click on a sponsored result or ad, you are taking a chance of being redirected to a malicious site.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Scammers advertise fake AppleCare+ service via GitHub repos 

A cross-site scripting (XSS) vulnerability exists in all versions of the MindsDB platform, enabling the execution of a JavaScript payload whenever a user enumerates an ML Engine, database, project, or dataset containing arbitrary JavaScript code within the web UI.

**MindsDB Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Sep 12, 2024 to the GitHub Advisory Database • Updated Sep 12, 2024

GHSA-32fj-r8qw-r8w8: MindsDB Cross-site Scripting vulnerability

We dug into PartnerLeak, the site behind the "your partner is cheating on you" emails, including how and where the scammers get their information.

Earlier this week, we reported on a new type of scam that tells you your partner is cheating on you. However, we hit a dead end because we were unable to get hold of an original copy of the email.

That was until the scammers were “kind enough” to send one to one of our co-workers.

your partner is cheating on you and we have proof

> “Hi (target’s name\],
> 
> \[Partner’s name\] is cheating on you. Here is proof.
> 
> As a company engaged in cyber security we’ve found information related to \[partner’s name\] that might interest you.
> 
> We made a full backup of \[his/her\] disk. (We have all \[his/her\] address book, social media, history of viewing sites, dating apps, all files, phone numbers, and addresses of all \[his/her\] contacts) and are willing to give you a full access to this data. For more details visit our website.”

With this, we were able to investigate the scammers’ intentions.

All three of the links in the email (Here, website, and Check now) point to the same website. Through a landing page located at click\[.\]cardfoolops\[.\]com visitors are redirected to partnerleak\[.\]com.

The partnerleak\[.\]com domain was registered on August 1, 2024, with NameCheap anonymously. Anonymous registration doesn’t automatically mean the person registering is up to no good, but it did block us from researching this avenue any further.

The registration date, however, matches with the first complaints we started seeing about these emails.

Malwarebytes blocks partnerleak\[.\]com

During the redirection process, your email address is passed on, which means when you register at the site your email address is already filled out.

Email address is transmitted and pre-filled

The PartnerLeak site itself says it offers anonymity, as well as “crucial insights” into the behaviour of the one you love.

> “completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior.”

> “**Are You Concerned About Your Partner’s Honesty?**
> 
> If you’ve decided to take a leap into a relationship but find yourself questioning your partner’s honesty, or if you’ve been together for a while and something feels off, we have a solution for you.
> 
> **Our Service**
> 
> Our completely anonymous service leverages artificial intelligence and the vulnerabilities of popular smartphones to provide crucial insights into your partner’s behavior. Here’s how it works:
> 
> Data Backup Access: You can download a backup from iCloud or Google, which includes:
> 
> *   Device location tracking
> *   Movement history with timestamps
> *   Correspondence from popular messaging apps like Telegram, WhatsApp, and iMessage
> *   Photo and video materials stored on the smartphone
> 
> Social Media Analysis: Utilizing AI and extensive data, our service can:
> 
> *   Check user registration and analyze behavior on platforms like Facebook and Twitter
> *   Investigate activity on popular dating apps such as Tinder, AdultFriendFinder, Hinge, and OkCupid
> 
> This comprehensive analysis helps you verify the reliability of your potential partner based on criteria that matter most to you.
> 
> **Commitment to Anonymity and Privacy**
> 
> *   Anonymous Transactions: We prioritize your anonymity by processing payments through cryptocurrencies, ensuring that your partner will remain unaware of your inquiries.
> *   Data Privacy: Your privacy is of utmost importance. We offer the option to permanently delete any data related to you from our system.
> 
> Take control of your relationship concerns today with our discreet and effective service!”

Nowhere on the site does it specify how much such an investigation would cost, but after registration you can start a search at which point it will tell you to top up your balance.

You don’t have free search. Please top up balance or try use different email.

To top up your balance there are three payment options:

*   Credit card
*   Bitcoin
*   Ethereum

We checked the balances on the cryptocurrency accounts they provided and we are happy to report that those are both dead in the water. We can only hope that the PartnerLeak revenue from credit cards looks the same, although that is probably wishful thinking on our part.

An empty and inactive Bitcoin wallet

An equally empty Ethereum account

Our investigation into where the scammers were getting the necessary information always pointed in the same direction: The Knot, a wedding services company.

However, we couldn’t find any breaches of its site or any tangible evidence that it was anything more than just a source of information. Like many other similar sites, it is easy to find a partner name on the site if you already have the name and email of the other partner.

But since many victims, including our co-worker, used The Knot’s services, we contacted them and received this statement from a spokesperson:

> “We were notified of user concerns, and after investigation by our cybersecurity team, determined there is no evidence of unauthorized access to our systems.”

Regardless of where the scammers are getting their data, let’s keep their balance at zero and spread the word.

**How to react to your partner “is cheating on you” emails**

First and foremost, never reply to emails of this kind. That tells the sender that someone is reading the emails sent to that address, and will lead to them trying other ways to defraud you.

*   If the email includes a password, make sure you are not using it any more _on any account_. If you are, change it as soon as possible.
*   If you are having trouble remembering all your passwords, have a look at a password manager.
*   Don’t let yourself get rushed into doing something. Scammers rely on time pressure that leads to people making quick decisions.
*   Do not open unsolicited attachments. Especially when the sender address is suspicious, or even appears to be your own.

If you want to find out what personal data of yours has been exposed online, you can use our free Digital Footprint scan. Fill in the email address you’re curious about (it’s best to submit the one you most frequently use) and we’ll send you a free report.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 PartnerLeak scam site promises victims full access to &#8220;cheating&#8221; partner&#8217;s stolen data 

Red Hat Security Advisory 2024-6610-03 - An update for git is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.

    The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_6610.jsonRed Hat officially shut down their mailing list notifications October 10, 2023.  Due to this, Packet Storm has recreated the below data as a reference point to raise awareness.  It must be noted that due to an inability to easily track revision updates without crawling Red Hat's archive, these advisories are single notifications and we strongly suggest that you visit the Red Hat provided links to ensure you have the latest information available if the subject matter listed pertains to your environment.- Packet Storm Staff====================================================================Red Hat Security AdvisorySynopsis:           Important: git security updateAdvisory ID:        RHSA-2024:6610-03Product:            Red Hat Enterprise LinuxAdvisory URL:       https://access.redhat.com/errata/RHSA-2024:6610Issue date:         2024-09-11Revision:           03CVE Names:          CVE-2024-32002====================================================================Summary: An update for git is now available for Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions.Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.Description:Git is a distributed revision control system with a decentralized architecture. As opposed to centralized version control systems with a client-server model, Git ensures that each working copy of a Git repository is an exact copy with complete revision history. This not only allows the user to work on and contribute to projects without the need to have permission to push the changes to their official repositories, but also makes it possible for the user to work with no network connection.Security Fix(es):* git: Recursive clones RCE (CVE-2024-32002)* git: RCE while cloning local repos (CVE-2024-32004)For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.Solution:https://access.redhat.com/articles/11258CVEs:CVE-2024-32002References:https://access.redhat.com/security/updates/classification/#importanthttps://bugzilla.redhat.com/show_bug.cgi?id=2280421https://bugzilla.redhat.com/show_bug.cgi?id=2280428

Red Hat Security Advisory 2024-6610-03

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against…

Cybercriminals are increasingly targeting retail affiliate programs with sophisticated cryptocurrency scams. Retailers and customers must stay alert against domain fraud, brand impersonation, and online Ponzi schemes to prevent losses.

Cybercriminals and nation-state hackers are increasingly targeting retail affiliate programs to conduct cryptocurrency scams, according to the latest research by cybersecurity firm DomainTools.

With its vast economic footprint and consumer brand loyalty, the retail sector has become a prime target for these malicious actors, exploiting online platforms and brand reputations to deceive consumers and reap financial rewards.

**Leveraging Brand Loyalty for Fraud**

The global retail industry—valued at over $30 trillion annually and with the top 50 retailers contributing more than $1.13 trillion in revenue in 2023—has always been a lucrative target for scammers and fraudsters. However, the transition toward e-commerce has opened up new opportunities for cybercriminals to exploit.

The DomainTools detailed technical report, shared with Hackread.com ahead of publishing, dives deep into how threat actors use domain fraud, brand impersonation, and multi-level Ponzi schemes to deceive consumers and steal cryptocurrency.

Cybercriminals are not just after financial gains; they are also damaging brand reputations. By closely imitating well-known consumer brands, these actors aim to exploit the trust and loyalty consumers have for these companies. This multi-layered fraud not only affects individual consumers but also threatens the credibility of the brands themselves.

**Online Storefronts: A Hotspot for Fraud**

One noteworthy trend underlined in the report is the rise of **e-commerce domain fraud**. As physical stores closed during the global pandemic, the retail sector’s move to online platforms created another ground for cybercriminals.

One group of threat actors, for instance, set up hundreds of fraudulent websites to impersonate well-known global retailers. These sites often promised huge discounts through fake “store closing” sales, luring unsuspecting consumers into the trap.

DomainTools traced thousands of such fraudulent domains, some of which impersonated luxury brands like Rolex and Cartier. The scammers created these fake websites using templates, automated processes, and even legitimate e-commerce platforms to generate convincing landing pages. The scale of the operation is staggering, with over 2,300 fraudulent domains tied to just one SSL certificate alone.

**Ponzi Schemes Disguised as Affiliate Programs**

The report also uncovers a disturbing trend: the use of brand impersonation to conduct financial fraud. Cybercriminals are preying on individuals looking for side-income opportunities by promising commissions for completing simple tasks, such as boosting online sales for well-known brands like Amazon and Target. Victims are led to believe they are joining legitimate affiliate programs when, in reality, they are being lured into Ponzi schemes.

These scams often require victims to invest in cryptocurrency, such as USDT (Tether), with the promise of high returns. The fraudsters then push victims to recruit others, creating a multi-level marketing front.

In one case, a fraudulent website using the domain “amazon-9000com” mimicked Amazon’s platform to convince users to invest in these fake opportunities. This particular scheme was linked to over 200 other fraudulent domains impersonating major brands, including Lazada, Walmart, and TikTok.

Example of malicious domains impersonating top brands (Screenshot: DomainTools)

**Copycat Scams Spread Quickly**

The third major finding in the report is the proliferation of **copycat schemes**. Once a scam proves successful, it is quickly replicated by other cyber criminals. For example, a domain called “targetpk8top” appeared in late 2023, impersonating Target in much the same way as earlier scams targeted Amazon. The same templates, naming conventions, and SSL certificates were used, showing how quickly these tactics spread across the cybercriminal ecosystem.

These copycat scams often follow a familiar playbook: they use fake investment schemes, promise high cryptocurrency returns, and rely on social media platforms to find new victims. By the time consumers realize they’ve been duped, the scammers have often disappeared, leaving little chance of recovering lost funds.

**What’s Next for Retailers?**

The report urges the retail sector to remain vigilant. These scams have been ongoing since at least 2020, and the perpetrators show no signs of slowing down. Retailers must monitor their online presence closely, especially regarding domain registrations and brand impersonations.

Additionally, collaboration is key. Organizations like the **Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC)** and the **National Cyber-Forensics and Training Alliance (NCFTA)** are instrumental in sharing threat intelligence across the industry, helping retailers stay one step ahead of evolving cyber threats.

Although such scams are not new, their increased sophistication is only making it worse for unsuspecting customers and retailers. Therefore, both parties should recognize the threat posed by domain fraud and brand impersonation. Businesses should train their employees, and customers should learn how to identify scams or malicious websites.

1.  How to Increase Your Business’s Online Brand Awareness
2.  Memcyco Introduces Real-Time Solution to Combat Brandjacking
3.  Check Point Research: Microsoft the Most Phished Brand in Q2 2023
4.  Domain Squatting, rand Hijacking: A Silent Threat to Digital Enterprises
5.  42,000 phishing domains discovered masquerading as popular brands

From Amazon to Target: Hackers Mimic Top Brands in Global Crypto Scam

Kransom ransomware hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD.…

Kransom ransomware hides within the StarRail game using DLL side-loading and a legitimate certificate from COGNOSPHERE PTE. LTD. Bypassing detection, this malware delivers an encrypted payload. Analyze it in ANY.RUN’s interactive sandbox.

Researchers at ANY.RUN have discovered that the Kransom ransomware is being disguised as a game to evade detection. This malware employs DLL side-loading to execute its payload, using a legitimate certificate from COGNOSPHERE PTE. LTD. The latter adds an extra layer of deception to its attack. 

****Overview of Kransom Ransomware****

The ransomware execution flow

Kransom ransomware is cleverly disguised within the game StarRail, a legitimate software used as a front to trick users. The malware relies on a DLL file stored in the same directory as the game, which contains its encrypted ransomware code. 

This is a classic case of DLL side-loading, where a legitimate executable file loads a malicious DLL, allowing the ransomware to hijack the execution flow.

****Legitimate Certificate with Malicious Intent****

One of the most deceptive elements of Kransom is its use of a legitimate certificate from COGNOSPHERE PTE. LTD. By using a trusted certificate, the malware is able to bypass many traditional security measures, as the system recognizes the software as harmless. 

The valid certificate is displayed in ANY.RUN

However, malicious actions take place once the StarRailBase.dll is loaded by the executable, initiating the ransomware attack.

****How Kransom Ransomware Works****

To observe how Kransom ransomware works, a sample of this malware can be uploaded to a malware sandbox like ANY.RUN. The sandbox allows anyone to carry out a full analysis of the malware’s execution process, from its initial stages to the completion of its payload.

The legitimate **StarRail** game serves as a mask for the ransomware, which won’t function without the presence of the malicious **StarRailBase.dll** file. This DLL contains the ransomware’s encrypted payload, which is then executed by the game’s EXE file.

Malicious activity executed by DLL file in ANY.RUN

It should be noted that the game **StarRail**, developed by **HoYoverse**, is completely safe when used in its original form. However, Kransom takes advantage of the game’s structure to embed its malicious code in the same folder, making it difficult for users to notice anything unusual.

The ransomware code within the DLL is encrypted using XOR, making it harder to detect. Tools like ANY.RUN can help security analysts uncover what’s been XORed, providing crucial insight into the malicious content.

XOR-URL displayed in ANY.RUN sandbox

Once the ransomware is activated, users are met with a message: _“I believe you’ve encountered some problems. Email to hoyoverse for solutions.”_

Ransom note analyzed inside ANY.RUN’s sandbox

You can have a more comprehensive analysis of this malware by searching for additional samples in ANY.RUN’s TI Lookup tool.

Samples in ANY.RUN’s TI Lookup

****Try ANY.RUN Sandbox for Free****

To analyze your own malware and phishing samples in a fully interactive Windows 10 x64 or Linux VM environment, create a free ANY.RUN account using your email.

ANY.RUN’s cloud sandbox allows you to interact with files, URLs, and the system as if you were using a standard computer. You can download attachments, solve CAPTCHAs, and even reboot the entire system during analysis.

For advanced features like private mode and collaboration tools, you can request a 14-day free trial directly from ANY.RUN’s official website.

1.  **Analysis of Top Infostealers: Redline, Vidar and Formbook**
2.  **New ransomware locks files & asks victims to play PUBG game**
3.  **This Ransomware tells users to play a Japanese game – That’s all**
4.  **PythonAnywhere Cloud Platform Abused for Hosting Ransomware**
5.  **New Ransomware Asks User to Play a Game while Encrypting Data**

Ransomware Disguised as a Game: Kransom’s Attack Through DLL Side-Loading

A vendor honeypot caught two attacks intended to leverage the tens of thousands of exposed Selenium Grid Web app testing servers.

Source: Olekcii Mach via Alamy Stock Photo

Threat actors are infecting Internet-exposed Selenium Grid servers, with the goal of using victims' Internet bandwidth for cryptomining, proxyjacking, and potentially much worse.

Selenium is an open source suite of tools for browser automation that, according to data from Wiz, can be found in 30% of cloud environments. Selenium Grid is its open source tool for automatically testing Web applications across multiple platforms and browsers in parallel, used by millions of developers and thousands of organizations worldwide. Its Selenium/hub docker image has more than 100 million pulls on Docker Hub.

Though it's an internal tool by nature, tens of thousands of Selenium Grid servers are exposed on the Internet today. In turn, at least some hackers have deployed automated malware intended to hijack these servers for various malicious purposes.

To gauge the kinds of threats that face these untended servers, Cado Security recently launched a honeypot. As Al Carchrie, R&D lead solutions engineer for Cado Security, remembers, "We deployed the honeypot on a Tuesday, and then we started to see activity within 24 hours."

**Selenium Proxyjacking**

During the research period, two primary threats kept automatically trying to attack the honeypot day after day.

The first deployed a series of scripts, including one labeled "y," which dropped the open source networking toolkit GSocket. GSocket is designed to allow two users behind firewalls to establish a secure TCP connection. In this and other cases, though, threat actors used it as a means of command-and-control (C2).

Two scripts followed, "pl" and "tm," which performed various reconnaissance functions — analyzing system architecture, checking for root privileges, and other functions — and dropped the campaign's primary payloads: Pawns.app (IPRoyal Pawn) and EarnFM. Each of these are proxyware — programs that allow users to essentially rent out their unused internet bandwidth.

Though services like these are sold legitimately, hackers can easily weaponize them for their own purposes. Called "proxyjacking," it involves hijacking an unwitting Internet user's IP to use as one's own personal proxy server for further malicious activities or selling it to another cybercriminal.

"It allows people to hide behind legitimate IP addresses, and the reason for doing that is to try and bypass IP filtering that organizations would put in place," Carchrie explains. "So if you're using Tor to try and anonymize yourselves, organizations might blacklist Tor IP addresses from accessing their infrastructure. This gives them an opportunity. This is the first time I've personally come across proxyjacking being used as the end goal of a campaign."

**More Significant Threats to Selenium**

The second attack snagged by the honeypot was similar in its initial means of infection, but dropped a Golang-based executable and linkable format (ELF) binary. The ELF, in turn, attempted to use "PwnKit," a public exploit for CVE-2021-4043, an old, medium severity Linux privilege escalation bug (CVSS score 5.5).

Next, the malware connected to an attacker's C2 infrastructure and dropped "perfcc," a cryptominer. In this way, it paralleled a different, yearlong campaign revealed by Wiz back in July, which used Selenium Grid as a vector to deploy the XMRig miner.

As Ami Luttwak, CTO and co-founder of Wiz, explains, the same kind of attack can be used to do a lot worse.

"Remember, Selenium runs usually in test environments," he says. "Test environments have proprietary code, and many times from test environments you can actually get access back to either engineering environments or production. So this could be used by a more advanced attacker to start actually attacking the exposed organization."

**30,000 Publicly Exposed Servers**

Being an internal tool by nature, Selenium Grid does not have any authentication to barricade attackers from breaking in. Its maintainers have warned in documentation that it "must be protected from external access using appropriate firewall permissions."

In July, though, Wiz found around 15,000 updated but Internet-exposed Selenium Grid servers. Worse: More than 17,000 were both exposed to the Internet, and running outdated versions. (That number has since dropped below 16,000.) The vast majority of these were based in the US and Canada.

It was only a matter of time, then, before threat actors capitalized on the opportunity. The first documented sign of it was reported in a Reddit post.

"Selenium is built to be an internal service for testing," Luttwak emphasizes. "In most scenarios, it's not supposed to be publicly accessible. If it is, then there is a risk there you have to mitigate."

Carchrie advises, "If you need your Selenium Grid accessible via the Internet, we recommend that you deploy an appropriately configured authentication proxy server in front of the Selenium Grid application using multifactor authentication as well as username and passwords."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hackers Proxyjack &amp; Cryptomine Selenium Grid Servers

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.
The enforcement is expected to come into effect starting October 1, 2024.
"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the

Web Security / Content Management

WordPress.org has announced a new account security measure that will require accounts with capabilities to update plugins and themes to activate two-factor authentication (2FA) mandatorily.

The enforcement is expected to come into effect starting October 1, 2024.

"Accounts with commit access can push updates and changes to plugins and themes used by millions of WordPress sites worldwide," the maintainers of the open-source, self-hosted version of the content management system (CMS) said.

"Securing these accounts is essential to preventing unauthorized access and maintaining the security and trust of the WordPress.org community."

Besides requiring mandatory 2FA, WordPress.org said it's introducing what's called SVN passwords, which refers to a dedicated password for committing changes.

This, it said, is an effort to introduce a new layer of security by separating users' code commit access from their WordPress.org account credentials.

"This password functions like an application or additional user account password," the team said. "It protects your main password from exposure and allows you to easily revoke SVN access without having to change your WordPress.org credentials."

WordPress.org also noted that technical limitations have prevented 2FA from being applied to existing code repositories, as a result of which it has opted for a "combination of account-level two-factor authentication, high-entropy SVN passwords, and other deploy-time security features (such as Release Confirmations)."

The measures are seen as a way to counter scenarios where a malicious actor could seize control of a publisher's account, thereby introducing malicious code into legitimate plugins and themes, resulting in large-scale supply chain attacks.

The disclosure comes as Sucuri warned of ongoing ClearFake campaigns targeting WordPress sites that aim to distribute an information stealer called RedLine by tricking site visitors into manually running PowerShell code in order to fix an issue with rendering the web page.

Threat actors have also been observed leveraging infected PrestaShop e-commerce sites to deploy a credit card skimmer to siphon financial information entered on checkout pages.

"Outdated software is a primary target for attackers who exploit vulnerabilities in old plugins and themes," security researcher Ben Martin said. "Weak admin passwords are a gateway for attackers."

Users are recommended to keep their plugins and themes up-to-date, deploy a web application firewall (WAF), periodically review administrator accounts, and monitor for unauthorized changes to website files.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WordPress Mandates Two-Factor Authentication for Plugin and Theme Developers

Torrance, United States / California, 12th September 2024, CyberNewsWire

**Torrance, United States / California, September 11th, 2024, CyberNewsWire**

Criminal IP, a distinguished leader in Cyber Threat Intelligence (CTI) search engine developed by AI SPERA, announced that it has successfully integrated its IP address-related risk detection data with IPLocation.io, one of the most visited IP analysis and lookup tools on the internet.

Through the integration, IPLocation.io, a prominent IP address geolocation tracker platform with a substantial user base, now offers more detailed insights on IP addresses from Criminal IP’s accurate and up-to-date threat intelligence database.

**Innovative Data Ecosystem Driven by Search Engine and AI Expertise**

This is a groundbreaking advancement because Criminal IP’s database, built on a search engine framework, is more than a collection of information; it’s a refined machine learning ecosystem honed through extensive scanning and detection of malicious IP addresses. The system continuously enhances its accuracy by transforming self-collected threat data, particularly behavioral patterns for IP address evasion, into actionable intelligence using AI and machine learning techniques.

**Tracking Down Threat History with Snort and Scanner Information**

Unlike traditional IP tracking methods, which only provide the geographic location of IP addresses, Criminal IP data in IPLocation.io now delivers information from ‘Snort’, a network intrusion detection system, and vulnerability scanners on open ports. This, along with newly provided inbound and outbound scores of IP addresses, enables the comprehensive identification of threat information related to IP addresses. Users can now compile the information themselves to assess the risk of an IP address, supported by a variety of fact-based evidence.

Threat data from Criminal IP accessible on IPLocation.io website

Among IP Location Lookup data sources, Criminal IP provides the most comprehensive data, offering 25 distinct data points for a single IP address.

**Evasion-Focused Dynamic Pattern Analysis Unveils Potential Attack Scenarios**

Users can also detect IP address obfuscation and protect their assets with new VPN, Proxy, and Tor data in IP Location. The aforementioned data helps identify discrepancies between actual and reported locations of an IP address, as well as traffic routed through multiple servers, thus revealing potential threats. The system goes beyond a mere review of past records; it offers predictive insights into future risks by analyzing behavioral patterns and potential attack scenarios. This underscores the CTI database’s distinctive capability to continuously learn and analyze attack patterns executed online.

**About AI SPERA**

AI SPERA equips cybersecurity professionals with advanced tools and insights to protect digital assets. Its flagship products include Criminal IP, renowned for its AI-based search engine, as well as attack surface management and fraud detection for enterprise solutions. The firm’s established presence in major marketplaces like AWS and Snowflake further underscores its credibility and the trust placed in its services by leading industry players. Recently, AI SPERA achieved Level 1 certification under PCI DSS v4.0, overseen by the six leading global card issuers, showcasing its commitment to top-tier data security.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP Teams Up with IPLocation.io to Deliver Unmatched IP Solutions to Global Audiences

The latest step in a journey to serve cybersecurity professionals in other regions of the world.

Source: End ru99 via Shutterstock

As part of Dark Reading's mission to bring in-depth news coverage to more and more parts of the world where cybersecurity professionals live and work, today we are officially launching a new section dedicated to the Asia-Pacific region.

The Asia Pacific section can be found in Dark Reading Global (aka DR Global), a mini-site within Dark Reading that delivers trusted, informed, and unique news and analysis to cybersecurity professionals around the world, with an initial focus on the burgeoning cybersecurity market and community in the Middle East and Africa.

This latest expansion of DR Global didn't happen overnight. Over the past year or so, we have gradually begun reporting on news specifically affecting cybersecurity pros in the Asia-Pacific region. Like the MEA, many nations in the massive Asia-Pacific region are experiencing rapid-fire digital transformation that is driving a critical need for cybersecurity resources, expertise, and products and services for cyber defenses. As nations within those regions build out and invest in their technology infrastructures, cyber-threat actors are increasingly targeting them with ransomware, cyber espionage, and other cyber threats.

In keeping with Dark Reading's core editorial mission, the new Dark Reading Global Asia Pacific section will provide cybersecurity professionals in that region and worldwide with the best and most in-depth cybersecurity information and trends in order to help them stay up to date, and ideally, ahead of the latest cyber threats.

If there are topics you'd like to see covered in DR Global’s Asia Pacific and Middle East & Africa regions, or if you have news tips you would like to share with our editors, please ping us at \[email protected\].

We want to hear from you and get your feedback.

**About the Author**

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Tag

#git