William discusses what happens when security is an afterthought rather than baked into processes and highlights the latest of Talos' security research.

Thursday, February 20, 2025 14:02

Welcome to this week’s edition of the Threat Source newsletter. 

 Benjamin Franklin once said, "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." In much the same way, those who rush for efficiency without taking into account security end up neither efficient nor secure.  

The past week the Department of Government Efficiency (or DOGE) has put on a clinic of how not to do things. For example, the Doge.gov website was easily and immediately compromised. Researchers were able to push updates to the public website via access to a database of government employment information. Not to be outdone the DOGE team hastily stood up the Waste.gov website which still had a placeholder Wordpress default template, including the sample text which features an imaginary architecture firm called Études, from a default WordPress theme called Twenty Twenty-Four. This slapdash nonsense was hidden behind a password wall after the research information became public.  

It’s really an excellent lesson in what happens when security is not taken into account and the instant ramifications. As an entire infosec community we’ve talked at length about how baking security into every decision is incredibly important and that trying to bolt on fixes after the fact not only doesn’t work but highlights the lack of rigor and awareness of security in the room - creating an attractive target.

Let’s take a deep breath, take a moment to create a more secure process, follow those processes, and ensure security is in place at every step - then we can attack matters of efficiency.  

**The one big thing **

Cisco Talos has published a blog on the ongoing research into Salt Typhoon. Cisco Talos been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies, an issue that we have been concerned with for a long time here at Talos. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon.  

A hallmark of this campaign is the use of living-off-the-land (LOTL) techniques on network devices. It is important to note that while the telecommunications industry is the primary victim, the advice contained herein is relevant to, and should be considered by, all infrastructure defenders. 

**Why do I care? **

State sponsored actors have been aggressively targeting global network infrastructure and understanding and mitigating these actions will help you improve your network infrastructure resilience. 

**So now what? **

Cisco Talos has released an extensive list of preventative measures for general and Cisco-specific devices which can be found in the Salt Typhoon blog post.  

**Top security headlines of the week **

Palo Alto Networks has warned that hackers are exploiting another vulnerability in its firewall software to break into unpatched customer networks. (TechCrunch)  

Security researchers warn a critical vulnerability in SonicWall’s SonicOS is under active exploitation.(CyberSecurityDrive) 

Two security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. (TheHackerNews) 

**Can’t get enough Talos? **

*   Talos Vulnerability Research: ClearML and NVIDIA 
*   Vulnerability Deep Dive: Small praise for modern compilers - A case of Ubuntu printing vulnerability that wasn’t 

**Upcoming events where you can find Talos **

RSA (April 28-May 1, 2025)   
 San Francisco, CA 

CTA TIPS 2025 (May 14-15, 2025)    
Arlington, VA 

**Most prevalent malware files from Talos telemetry over the past week  **

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  MD5: ff1b6bb151cf9f671c929a4cbdb64d86     
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
Typical Filename: endpoint.query  
Claimed Product: Endpoint-Collector   
Detection Name: W32.File.MalParent     

SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
MD5: 7bdbd180c081fa63ca94f9c22c457376    
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91/details%C2%A0   
Typical Filename: c0dwjdi6a.dll    
Claimed Product: N/A  
Detection Name: Trojan.GenericKD.33515991 

SHA 256:9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507   
Typical Filename: VID001.exe   
Detection Name: Simple\_Custom\_Detection 

SHA 256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca   
Typical Filename: VID001.exe  
Claimed Product: N/A  
Detection Name: Coinminer:MBT.26mw.in14.Talos

Efficiency? Security? When the quest for one grants neither.

Malvertisers got inspired by the website for a German university to bypass ad security and distribute malware.

There is a constant “cat and mouse” game between defenders and attackers, the latter trying to outsmart and get a head start on the former. In the context of online advertising, this involves creating fake identities or using stolen ones to push out malicious ads.

An attacker not only needs to evade detection but also create a lure that will be convincing to most people. In this blog post, we focus on what malvertisers use in almost all of their campaigns, namely decoys also known as “white pages” in order to fool the advertising entity.

The particular case is a malicious Google ad for Cisco AnyConnect, a tool often used by employees to remotely connect to company networks, but also by universities. In fact, we found that threat actors were using the name of a German university to create a fake website designed not to fool actual victims, but rather to bypass detection from security systems.

To be sure, victims were part of the overall scheme, but they were instead redirected to a lookalike Cisco site linking to a malicious installer containing the NetSupport RAT remote access Trojan.

**The perfect disguise**

The malicious ad comes up from a Google search for the keywords “_cisco annyconnect_“. The ad displays a URL that looks somewhat convincing for the domain _anyconnect-secure-client\[.\]com_. We should note that this domain was registered less than a day before the ad appeared.

Upon clicking on the ad, server-side checks will determine whether this is a potential victim or not. Typically, a real victim has a residential IP address and other network settings that differentiate it from crawlers, bots, VPNs or proxies.

In recent times, we have seen criminals rely on AI to generate fake pages that look innocuous. These are also referred to as “white pages” and they do serve an important purpose. If it’s obviously so fake and bad, it will raise suspicion. We thought that in this case the perpetrator had a rather clever idea by stealing content from a university that actually does use Cisco AnyConnect.

Technische Universität Dresden (TU Dresden), is a public research university in Germany whose site can be found here. Funnily enough, the threat actors left a trail while doing their copy/paste. We can see that they added the cookie opt-in notification which is required for websites in Europe, which here leaked their browser language (Russian).

**Real victims get infected with malware**

As good as this template looks, real victims will never see it. Instead, upon connecting to the malicious server they will be immediately redirected to a phishing site for Cisco AnyConnect.

The payload is downloaded in a similar way to a campaign we had already observed before, using a PHP script that provides the direct download URL. We can see from the network traffic capture below that the file is hosted on a likely compromised WordPress site.

There is not much to be said about the fake installer other than it being digitally signed with a valid certificate. Upon execution it extracts _client32.exe_, a name notorious for being associated with NetSupport RAT.

cisco-secure-client-win-5.0.05040-core-vpn-predeploy-k9.exe  
  -> client32.exe  
  -> "icacls" "C:\\ProgramData\\CiscoMedia" /grant \*S-1-1-0:(F) /grant Users:(F) /grant Everyone:(F) /T /C

The remote access Trojan connects to the following two IP addresses: 91.222.173\[.\]67 and 199.188.200\[.\]195, further granting a remote attacker access to the victim’s machine.

**Conclusion**

Brand impersonation is a common theme with search ads. As Google enforces various policies and uses algorithms to detect malicious activity, threat actors need to constantly come up with new ideas.

Reusing a university page was a clever idea, but there were a couple of things that made this attack shy of being perfect. The domain name, while very strong for impersonation, was newly registered. Since it was part of the ad’s display URL, it could have potentially been detected by Google. We also noted that the perpetrators left a trail when they copy/pasted the code from the university website, which identified their likely country of origin.

Having said that, the malware payload was digitally signed and had few detections when first seen, so this attack may have had a decent success rate.

As always, we recommend that users take precautions whenever looking up programs to download, and to be especially wary of sponsored results.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

**Indicators of Compromise**

Malvertising infrastructure

anyconnect-secure-client\[.\]com  
cisco-secure-client\[.\]com\[.\]vissnatech\[.\]com

NetSupport RAT download

berrynaturecare\[.\]com/wp-admin/images/cisco-secure-client-win-5\[.\]0\[.\]05040-core-vpn-predeploy-k9\[.\]exe  
78e1e350aa5525669f85e6972150b679d489a3787b6522f278ab40ea978dd65d

NetSupport RAT C2s

monagpt\[.\]com  
mtsalesfunnel\[.\]com  
91.222.173\[.\]67/fakeurl.htm  
199.188.200\[.\]195/fakeurl.htm

 University site cloned to evade ad detection distributes fake Cisco installer 

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing…

Massive Pakistani cybercrime network HeartSender has been shut down in a joint US-Dutch operation. Learn how their phishing kits and other tools caused millions in losses and impacted countless victims.

U.S. and Dutch law enforcement have taken down a major Pakistani cybercrime network known as HeartSender, or Saim Raza. The takedown was part of Operation Heart Blocker in which authorities seized multiple domains and servers used by the group including Heartsender(.)com and Botsdetector(.)com.

Visitors to these sites are greeted with the following message: “This domain has been seized in accordance with a seizure warrant issued pursuant to 18 U.S.C. § 1030 in the United States District Court for the Southern District of Texas as part of a coordinated law enforcement operation and action by: The U.S. Department of Justice’s Computer Crime & Intellectual Property Section, the Federal Bureau of Investigation, and the Dutch National Police.”

Screenshot credit: Hackread.com

This takedown closely follows another international law enforcement action dubbed Operation Talent resulting in the seizure of two major online cybercrime-as-a-service marketplaces, Cracked and Nulled.

HeartSender specialized in developing and distributing cybercrime tools, including phishing kits for deceptive emails, credential-stealing software, and resources for large-scale spam campaigns. These tools were sold to other cybercriminals, enabling them to carry out a range of attacks. 

The US Department of Justice states that these tools are estimated to have caused over $3 million in losses to victims.  Furthermore, the seizure of HeartSender’s servers yielded millions of records containing sensitive information belonging to their victims.

HeartSender ran multiple online storefronts and used platforms like YouTube to promote its malicious products. The network specialized in offering a full suite of cybercrime tools, enabling criminals to automate and scale large-scale attacks worldwide. HeartSender also provided access to other compromised resources, such as cPanels, SMTP servers, and WordPress accounts, further expanding the scope of their illicit services.

Screenshot from HeartSender’s store – Credit: Hackread.com

The investigation leading to the takedown uncovered a vast trove of stolen data, including millions of victim records. Among them were around 100,000 login credentials belonging to individuals in the Netherlands, highlighting the widespread reach of HeartSender’s cybercrime operations.

Apart from law enforcement, HeartSender has been on the radar of cybersecurity researchers for years. Independent journalist Brian Krebs previously reported on the group’s operational security shortcomings, including malware infections within their own network and significant security vulnerabilities in their services. These vulnerabilities reportedly exposed customer data and internal operations to unauthorized access. 

Krebs notes that the group was called The Manipulators. Krebs reveals that Saim Raza “for the past decade has peddled a popular spamming and phishing service variously called “Fudtools,” “Fudpage,” “Fudsender,” “FudCo,” etc.” Here FUD stands for Fully Un-Detectable.

The dismantling of HeartSender represents yet another victory in the ongoing fight against cybercrime, disrupting a key source of malicious tools and potentially preventing further harm to countless individuals and organizations.

HeartSender Cybercrime Network Dismantled in Joint US-Dutch Operation

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies. Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024). All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian […]

**I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies.** Last year, 74 vulnerabilities were classified as trending (to compare the scale, just over 40,000 were added to NVD in 2024).

All trending vulnerabilities are found in Western commercial products and open source projects. This year, the vulnerabilities of domestic Russian products did not reach the level of criticality required to classify them as trending.

For 55 of all trending vulnerabilities there are currently signs of exploitation in attacks, for 17 there are public exploits (but no signs of exploitation) and for the remaining 2 there is only a possibility of future exploitation.

Vulnerabilities were often added to trending ones before signs of exploitation in the wild appeared. For example, the remote code execution vulnerability in VMware vCenter (CVE-2024-38812) was added to the list of trending vulnerabilities on September 20, 3 days after the vendor’s security bulletin appeared. There were no signs of exploitation in the wild or public exploit for this vulnerability. Signs of exploitation appeared only 2 months later, on November 18.

Most of the vulnerabilities in the trending list are of the following types: Remote Code or Command Execution (24) and Elevation of Privilege (21).

4 vulnerabilities in Barracuda Email Security Gateway (CVE-2023-2868), MOVEit Transfer (CVE-2023-34362), papercut (CVE-2023-27350) and SugarCRM (CVE-2023-22952) were added in early January 2024. These vulnerabilities were massively exploited in the West in 2023, and attacks using these vulnerabilities could also tangentially affect those domestic Russian organizations where these products had not yet been taken out of service. The rest of the vulnerabilities became trending in 2024.

34 trending vulnerabilities affect Microsoft products (45%).

🔹 17 of them are Elevation of Privilege vulnerabilities in the Windows kernel and standard components.

🔹 1 Remote Code Execution vulnerability in Windows Remote Desktop Licensing Service (CVE-2024-38077).

2 trending Elevation of Privilege vulnerabilities affect Linux systems: one in nftables (CVE-2024-1086), and the second in needrestart (CVE-2024-48990).

**Other groups of vulnerabilities**

🔻 Phishing attacks: 19 (Windows components, Outlook, Exchange, Ghostscript, Roundcube)  
🔻 Network security and entry points: 13 (Palo Alto, Fortinet, Juniper, Ivanti, Check Point, Zyxel)  
🔻 Virtual infrastructure and backups: 7 (VMware, Veeam, Acronis)  
🔻 Software development: 6 (GitLab, TeamCity, Jenkins, PHP, Fluent Bit, Apache Struts)  
🔻 Collaboration tools: 3 (Atlassian Confluence, XWiki)  
🔻 CMS WordPress plugins: 3 (LiteSpeed Cache, The Events Calendar, Hunk Companion)

🗒 Full Vulristics report

🟥 Article on the official website “Vulnerable software and hardware vs. security researchers” (rus)

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

I have finalized the list of trending vulnerabilities for 2024 according to Positive Technologies

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…

Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.

In December 2024, during routine threat hunting activities, Sekoia.io uncovered a new Adversary-in-the-Middle (AiTM) phishing kit specifically targeting Microsoft 365 accounts. This phishing kit, dubbed Sneaky 2FA, has been circulating since at least October 2024, with potential compromises identified through Sekoia.io telemetry.

Further probing revealed that Sneaky 2FA is being offered as a Phishing-as-a-Service (PhaaS) by the cybercrime service “Sneaky Log,” which operates through a fully-featured bot on Telegram.

The modus operandi of the entire campaign includes customers receiving access to a licensed and obfuscated source code version, allowing them to independently deploy phishing pages, typically hosted on compromised infrastructure, frequently involving WordPress websites and other domains controlled by the attackers.

Sneaky 2FA’s on Telegram and blurred background images that it uses (Via Sekoia)

In addition, the Sneaky 2FA phishing kit incorporates elements from the W3LL Panel OV6, another AiTM phishing kit previously reported by Group-IB. This connection suggests a possible lineage and development within the cybercriminal infrastructure.

****Characteristics of Sneaky 2FA****

According to Sekoia’s report, the Sneaky 2FA phishing kit employs several techniques to evade detection and enhance its success. It utilizes URL patterns, such as “mysilverfox.commy/00/#victimexamplecom,” to automatically prefill the phishing page with the victim’s email address.

These phishing URLs are generated using 150 alphanumeric characters, followed by the path /index, /verify, and /validate. This pattern offers opportunities for tracking. Most customers deploy the server in a dedicated repository, named /auth/ by default.

To further enhance its stealth, Sneaky 2FA integrates anti-bot and anti-analysis features. Cloudflare Turnstile pages are employed to differentiate human users from bots. These pages often present seemingly benign content before loading the actual challenge. Additionally, the phishing kit incorporates anti-debugging techniques to hinder analysis using web browser developer tools.  

The phishing pages themselves utilize a variety of obfuscation methods, including HTML and JavaScript code obfuscation, the embedding of text as images, and the inclusion of junk data within the HTML code. These techniques aim to make phishing pages more difficult to detect by security tools.

****Sneaky Log’s Operations****

The Sneaky Log service operates through a sophisticated Telegram bot that allows customers to purchase the phishing kit, manage subscriptions, and receive support. The bot offers a user-friendly interface and supports multiple cryptocurrency payment options, including Bitcoin, Ethereum, and Tether.  

Analysis of cryptocurrency transactions revealed potential money laundering activities, with users instructed to pay a 10% premium and subsequent transfers occurring between various addresses.

****Detection and Tracking Opportunities****

Detecting Sneaky 2FA attacks can be achieved by analysing authentication logs for anomalies. The phishing kit utilizes inconsistent User-Agent strings for different stages of the authentication process, which can be identified as “impossible device shifts” and flagged as suspicious activity.  Furthermore, the analysis of phishing page URLs, including patterns and domain registrations, can help track and identify campaigns associated with Sneaky 2FA.

Sneaky 2FA is a growing threat in Microsoft 365 phishing attacks, offering sophisticated features and a user-friendly PhaaS platform. To mitigate risks, organizations must continuously monitor and share threat intelligence apart from improving cybersecurity measures.

Stephen Kowski, Field CTO at Pleasanton, Calif.-based SlashNext Email Security+ commented on this urging Microsoft 365 to remain alert. _“_This kit’s ‘sneaky’ aspects include its sophisticated ability to populate victim email addresses automatically, its evasion of detection through Cloudflare Turnstile challenges, and its clever redirection of security tools to Wikipedia pages._“_

_“_The kit is a full-featured PhaaS platform with real-time credential and session cookie theft capabilities, making it particularly dangerous for Microsoft 365 environments,_“_ Stephen warned. _“_Protection requires phishing-resistant authentication methods like FIDO2/WebAuthn, real-time URL scanning at the time of click that completely bypasses Cloudflare Turnstile protection and proactive detection of newly registered phishing domains before they become active threats._“_

1.  **Malware Bypasses MS Defender, 2FA to Steal $24K in Crypto**
2.  **Rockstar 2FA Phishing-as-a-Service Kit Hits MS 365 Accounts**
3.  **Dark Web Anti-Bot Services Let Phishers Bypass Google’s Red Page**
4.  **New Telekopye Scam Toolkit Targeting Booking.com and Airbnb Users**
5.  **Malware Exploits Avast Anti-Rootkit Driver to Disable Security Software**

Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…

A recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients. Within 90 minutes, 1,165 malicious emails bombarded 22 user inboxes, aiming to trick users into clicking on malicious links.

Researchers at SlashNext have published new findings revealing attackers using tactics similar to the **Black Basta ransomware gang**, targeting 22 inboxes within 90 minutes. The attack was swift and targeted, aiming to overwhelm users and bypass traditional security measures.

According to their **blog post**, shared with Hackread.com, this Black Basta-style attack utilizes a ransomware scam that deceives employees into granting remote access to their computers. 

SlashNext’s investigation of this phishing wave revealed five key tactics used by attackers: masquerading as popular platforms like WordPress and Shopify, using legitimate-looking domains to send fake account creation and subscription emails, utilizing seemingly harmless domains, using unusual characters or minor variations in subject lines, and targeting different user roles to increase attention.

The attackers first flood inboxes with seemingly legitimate emails like newsletters or payment receipts. The emails used subject lines like “Account Confirmation” and “Subscription Notice” to entice users to click malicious links, causing a sense of urgency. Attackers further employed social engineering tactics by incorporating foreign languages or odd characters to bypass basic keyword filters. 

This initial barrage creates confusion and makes it difficult to distinguish genuine emails from malicious ones. When users are overwhelmed, attackers swoop in, often via phone calls or messages impersonating IT support. By speaking confidently, they gain trust and trick users into installing remote access software like **TeamViewer or AnyDesk**. Once this software is installed, attackers gain a foothold in the system, potentially spreading malware or compromising sensitive data on the network.

Targeted Campaign Stats and the types of scams (Via SlashNext)

Fortunately, SlashNext’s Integrated Cloud Email Security (ICES) quickly identified hundreds of red flags targeting a small group of users. Within a mere 90 minutes, a whopping 1,165 emails bombarded 22 mailboxes, averaging over 50 emails per user in rapid bursts. This tactic aimed to create panic and encourage impulsive clicks.

The ICES platform’s early detection allowed the client to respond proactively and prevent the attack from spreading. SlashNext’s AI-powered security system, SEER™, proactively identified and blocked these emails in real time. SEER™ analyzes email behaviour beyond simple keyword checks, detecting suspicious patterns like encoded URLs and fake login pages. Researchers noted a sudden rise in these attacks across the web between November and December. SlashNext was the first to launch an automated AI-powered defence to handle the situation in real time.

The incident shows the increasing nature of cybersecurity threats, with attackers using sophisticated techniques to evade traditional security measures. Organizations should prioritize threat detection and response, and regular security assessments to identify vulnerabilities and improve overall security.

1.  **‘Matrix’ Hackers Deploy Massive New IoT Botnet for DDoS Attacks**
2.  Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Flaws
3.  Russian APT29 Using NSO Group-Style Exploits in Attacks: Google
4.  Iranian Hackers Team Up with Ransomware Gangs in Attacks on US
5.  BlackByte Ransomware Exploits VMware Flaw in VPN-Based Attacks

Top/Feature Image via Freepik

Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 Minutes

Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS).
"This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment

WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability. ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations. On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing […]

**About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability.** ThemeHunk company develops commercial themes for WordPress CMS. And the Hunk Companion plugin is designed to complement and enhance the functionality of these themes. The plugin has over 10,000 installations.

On December 10, WPScan reported a vulnerability in Hunk Companion plugin versions below 1.9.0, allowing unauthenticated attackers to install and activate plugins from the WordPressOrg repository. The exploit has been on GitHub since December 28.

This way, attackers can install plugins that contain additional vulnerabilities. 👾 In the incident analyzed by WPScan, the attackers installed the WP Query Console plugin with RCE vulnerability CVE‑2024‑50498 on the website and exploited it to install a backdoor.

If you use WordPress, try to minimize the number of plugins and update them regularly!

На русском

Hi! My name is Alexander and I am a Vulnerability Management specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.

А всех русскоязычных я приглашаю в ещё один телеграмм канал @avleonovrus, первым делом теперь пишу туда.

About Authentication Bypass – Hunk Companion WordPress plugin (CVE-2024-11972) vulnerability

This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes Malwarebytes recently uncovered...

_This article was researched and written by Stefan Dasic, manager, research and response for ThreatDown, powered by Malwarebytes_

Malwarebytes recently uncovered a widespread cyberattack—referred to here as the “zqxq” campaign as it closely mirrors NDSW/NDSX-style malware behavior—that compromised GroupGreeting\[.\]com, a popular platform used by major enterprises to send digital greeting cards.  

Upon learning of the attack, GroupGreeting quickly responded and resolved the threat.

This attack is part of a broader malicious campaign that takes advantage of trusted websites with high traffic, especially those that could experience a spike in visitors during busy seasons like the winter holidays. That includes greeting card websites, like GroupGreeting\[.\]com, that allow users to send group e-cards for birthdays, retirements, weddings, and, of course, holidays like Christmas and New Year’s.  

According to public data, over 2,800 websites have been hit with similar malicious code. The seasonal increase in user interactions with greeting card sites provides ample opportunities for cybercriminals to quietly inject malware and target unsuspecting visitors. 

****Explaining the “zqxq” malware****

Understanding this cybercriminal campaign requires a little bit of understanding of the web. Online today, nearly every single modern webpage uses a programming language called JavaScript. JavaScript allows developers to make interactive webpages, but it can also be vulnerable to attacks, as cybercriminals can “inject” pieces of JavaScript into a website that are not approved by the site’s developers. 

At the core of this breach is an obfuscated JavaScript snippet designed to blend in with legitimate site files. Hidden within themes, plugins, or other critical scripts, the malicious code uses scrambled variables (e.g., zqxq) and custom functions (HttpClient, rand, token) to evade detection and hamper analysis. 

Despite its complexity, the malware performs some very typical functions seen in large-scale JavaScript injection campaigns: 

*   **Token generation and redirection**. Generates random tokens (rand() + rand()) for queries or URLs, a technique often used in Traffic Direction Systems (TDS) to disguise malicious links. 

*   **Conditional checks and evasion**. References properties in navigator, document, window, or screen to determine if the user has visited before, or to avoid re-infecting the same machine. This helps keep the campaign under the radar by reducing repeated alerts. 

*   **Remote payload retrieval**. Uses an XMLHttpRequest (labeled as HttpClient in the code) to silently fetch further malicious scripts or to redirect visitors to exploit kits, phishing sites, or other malicious destinations. 

****Overlap with NDSW/NDSX and TDS Parrot campaigns** **

Though Malwarebytes recently discovered the attack on GroupGreeting\[.\]com, the malware campaign bears similarities to another malware injection campaign that is referred to as both “NDSW/NDSX” and “TDS Parrot.” 

According to security researchers from Sucuri, who label these attacks under the “NDSW/NDSX” moniker, this campaign accounted for 43,106 detections in 2024. Similar research was published by Unit 42, which refers to the campaign as “TDS Parrot.”  

From these analyses, we can identify the following parallels to known **NDSW/NDSX** or **TDS Parrot** malware campaigns: 

*   **Obfuscated redirect scripts**. Much like NDSW/NDSX, the zqxq script deeply obfuscates its variables, methods, and flow. The layering of functions (Q, d, rand, token) and the repeated usage of base64-like decoding are standard indicators of TDS JavaScript-based threats. 

*   **Traffic Distribution System behavior**. After running checks (e.g., domain name, cookies), these scripts funnel traffic to external pages hosting additional malware payloads or phishing sites. This is precisely how TDS Parrot campaigns divert user traffic across multiple malicious domains to maximize infection rates. 

*   **Large-scale website infections**. Both NDSW/NDSX and the zqxq campaign have infected thousands of websites, suggesting a systematic approach—possibly automated—that exploits vulnerabilities in popular CMS platforms (like WordPress, Joomla, or Magento) or outdated plugins, similar to documented TDS Parrot behaviors. 

****Analysis of the breach and why GroupGreeting was a prime target** **

Cybercriminals hardly strike at random. Instead, the attack on GroupGreeting was likely coordinated because of its potential for success. Here are a few reasons why: 

*   **High-profile site**. GroupGreeting boasts over 25,000 workplace clients, including major brands like Airbnb, Coca-Cola, and eBay, making it a lucrative target. Visitors are more inclined to trust links from a service they deem reputable. 

*   **Seasonal traffic spikes**. During holidays and other high-traffic periods, the site sees a surge in e-card use. Cybercriminals exploit this surge to maximize the spread of redirects and malware. 

*   **Sophisticated persistence**. Malicious code can hide in multiple files or within the database. Deleting one infected file may not remove all traces, allowing reinfection to occur. 

*   **Potential consequences**. Once the malware activates in a user’s browser, it typically redirects them to external domains that host secondary payloads. These payloads can range from phishing pages—designed to steal credentials—to more devastating forms of malware like info stealers or ransomware. Attackers often generate random or “tokenized” URLs, making it difficult for basic blocklists to keep pace. 

*   **Timely patching and updates**. Attacks often succeed by exploiting vulnerabilities in outdated CMS installations or plugins, underscoring the importance of regular updates. 

*   **File integrity checks**. Automated monitoring systems can detect and flag any unauthorized file changes, prompting swift action. 

*   **User training**. Educate users on potential risks and signs of compromise—even “safe” or well-known websites can be hijacked. 

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 GroupGreeting e-card site attacked in “zqxq” campaign  

Attackers are abusing a Microsoft 365 feature to send payment requests to users, tricking them into logging in to their accounts so attackers can seize control over them.

Source: Robert Wilkinson via Alamy Stock Photo

An unconventional phishing campaign convincingly impersonates online payments service PayPal to try to trick users into logging in to their accounts to make a payment; in reality, the login allows attackers to take over an account. The novel part of the attack is the abuse of a legitimate feature within Microsoft 365 to create a test domain, which then allows the attackers to create an email distribution list that makes the payment-request messages appear to be legitimately sent from PayPal.

Carl Windsor, CISO for Fortinet Labs, discovered the campaign when he himself was targeted by it, he revealed in a blog post published today.

Windsor received a request in his inbox from a sender with a nonspoofed PayPal email address seeking a payment of $2,185.96. The person requesting the money was someone called Brian Oistad, and aside from the "to" address not being Windsor's email address —  it was addressed to Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com —  there were few obvious signs it was not a genuine email, he said.

"What's interesting about this attack is that it doesn’t use traditional phishing methods," Windsor wrote. "The email, the URLs, and everything else are perfectly valid."

That validity might persuade an average email user to click on the link in the email, which redirects them to a PayPal login page showing a request for payment.

Related:PhishWP Plug-in Hijacks WordPress E-Commerce Checkouts

At this point, "some folks might be tempted to log in with their account details, however, this would be extremely dangerous," he wrote. That's because the login page links the target's PayPal account address with the address it was sent to — Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com, controlled by the attacker — not their own email address.

**Abusing Microsoft 365 Test Domains for Cybercrime**

The campaign works because the scammer appears to have registered a Microsoft 365 test domain — which is free for three months — and then created a distribution list containing target emails. This allows any messages sent from the domain to bypass standard email security checks, Windsor explained in the post.

Then, "on the PayPal Web portal, they simply request the money and add the distribution list as the address," he wrote.

This money request is then distributed to the targeted victims, and the Microsoft 365 Sender Rewrite Scheme (SRS) rewrites the sender to, for example, "bounces+SRS=onDJv=S6\[@\]5ln7g7.onmicrosoft.com, which will pass the SPF/DKIM/DMARC check," Windsor added.

"Once the panicking victim logs in to see what is going on, the scammer’s account (Billingdepartments1\[@\]gkjyryfjy876.onmicrosoft.com) gets linked to the victim’s account," he wrote. "The scammer can then take control of the victim's PayPal account — a neat trick … \[that\] would sneak past even PayPal’s own phishing check instructions."

Related:Thousands of BeyondTrust Systems Remain Exposed

Indeed, abusing a vendor feature to deliver the phishing message does give the attackers a stealthy advantage when it comes to bypassing typical email security, a security expert notes.

"The emails are sent from a verified source and follow an identical template to legitimate messages, such as a standard PayPal payment request," says Elad Luz, head of research at Oasis Security, a provider of non-human identity management. "This makes them difficult for mailbox providers to distinguish from genuine communications."

**Cyber Defense: Create a "Human Firewall" Against Phishing**

Because the attack appears to be a genuine email, the best solution to avoid falling prey to it is what Windsor calls the "human firewall," or "someone who has been trained to be aware and cautious of any unsolicited email, regardless of how genuine it may look," he wrote in the post.

"This, of course, highlights the need to ensure your workforce is receiving the training they need to spot threats like this to keep themselves — and your organization — safe," Windsor noted.

Related:Recorded Future: Russia's 'Undesirable' Designation Is a Compliment

It is also possible to create a rule within email security scanners to "look for multiple conditions that indicate that this email is being sent via a distribution list," to help detect a campaign that uses this vector, he added.

Another potential mitigation is to use artificial intelligence (AI)-based security tools that use neural networks to analyze social graph patterns, among other techniques, "to help spot these hidden interactions by analyzing user behaviors more deeply than static filters," Stephen Kowski, field chief technology officer (CTO) at SlashNext Email Security+, tells Dark Reading.

"That kind of proactive detection engine recognizes unusual group messaging patterns or requests that slip through basic checks," he says. "A thorough inspection of user interaction metadata will catch even this sneaky approach."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Tag

#wordpress