Wordfence Threat Intelligence Team Issues Fix for Two PHP Object Injection Vulnerabilities
On August 18, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for two PHP Object Injection vulnerabilities in the Essential Blocks plugin for WordPress, a plugin with over 100,000 installations.
The team received a response three days later and sent its full disclosure on August 23, 2023. A patched version of the free plugin, 4.2.1, was released on August 29, 2023, with version 1.1.1 for the Pro version released the same day.
A firewall rule was issued to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers on August 18, 2023. Sites still running the free version of Wordfence received the same protection on September 17, 2023. The threat intelligence team recommends that all users update to the patched version, 4.2.1 (1.1.1 for Pro), as soon as possible, as this will entirely eliminate the vulnerabilities.
The Essential Blocks plugin for WordPress is vulnerable to PHP Object Injection in versions up to and including 4.2.0 via deserialization of untrusted input in the get_posts function. This allows unauthenticated attackers to inject a PHP Object. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. For easyPress users, the plugins have already been updated.
Read: https://www.wordfence.com/blog/2023/09/two-php-object-injection-vulnerabilities-fixed-in-essential-blocks/
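The pattern behind this class of bug, as an added illustration rather than Essential Blocks' own code: a request handler that passes untrusted input to unserialize(), beside two hardened forms. The AuditHook class, the function names and the serialized payload are all constructed for the example; the class only counts how often it is instantiated, to show that unserialize() runs the magic methods of whatever class the input names.

```php
<?php
// Hypothetical stand-in class (not a real gadget): records that unserialize()
// instantiated it and ran its __wakeup() magic method.
class AuditHook {
    public static int $wakeups = 0;
    public function __wakeup(): void { self::$wakeups++; }
}

// Vulnerable pattern: untrusted input reaches unserialize() with every class allowed,
// so the caller chooses which classes (and magic methods) get executed.
function vulnerable_get_posts(string $untrusted): array {
    $args = unserialize($untrusted);
    return is_array($args) ? $args : [];
}

// Hardened pattern 1: take a JSON document instead, validate its shape and
// keep only the query keys the handler actually needs.
function hardened_get_posts_json(string $untrusted): array {
    $args = json_decode($untrusted, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($args)) {
        throw new InvalidArgumentException('expected a JSON object');
    }
    $allowed = ['post_type', 'posts_per_page', 'orderby', 'order'];
    return array_intersect_key($args, array_flip($allowed));
}

// Hardened pattern 2: if the serialized format must stay, forbid object
// instantiation entirely; any object in the input becomes __PHP_Incomplete_Class.
function hardened_get_posts_serialized(string $untrusted): array {
    $args = unserialize($untrusted, ['allowed_classes' => false]);
    return is_array($args) ? $args : [];
}

// Constructed input: an array whose value is a serialized AuditHook object.
$payload = 'a:1:{s:9:"post_type";O:9:"AuditHook":0:{}}';

vulnerable_get_posts($payload);
printf("vulnerable: __wakeup ran %d time(s)\n", AuditHook::$wakeups);

AuditHook::$wakeups = 0;
$args = hardened_get_posts_serialized($payload);
printf("allowed_classes=false: __wakeup ran %d time(s), value is %s\n",
    AuditHook::$wakeups, get_class($args['post_type']));

try {
    hardened_get_posts_json($payload);
} catch (JsonException $e) {
    echo "json: serialized payload rejected (" . $e->getMessage() . ")\n";
}
```

Requires PHP 7.4 or later for the typed static property and JSON_THROW_ON_ERROR.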
Retool Notifies 27 Cloud Customers of Unauthorized Spear Phishing Attack
On August 29, 2023, Retool notified 27 cloud customers that their accounts had been accessed without authorization following a spear phishing attack. No on-prem or managed accounts were accessed. The attacker was able to navigate through multiple layers of security controls after compromising one employee through an SMS-based phishing attack.
Several employees received targeted texts claiming that a member of IT was reaching out about an account issue that would prevent open enrollment (which affects the employee’s healthcare coverage). The timing coincided with a recently announced migration of logins to Okta, and the message contained a URL disguised to look like Retool’s internal identity portal. Almost all employees didn’t engage, but unfortunately, one employee logged in through the link provided by the attackers. After the employee had logged into the fake portal – which included an MFA form – the attacker called them.
The caller claimed to be one of the IT team members and used a deepfake of an actual Retool employee’s voice. The caller was familiar with the floor plan of the office, coworkers, and the company’s internal processes. Throughout the conversation, the employee grew more and more suspicious but, unfortunately, did provide the attacker one additional multi-factor authentication (MFA) code.
The additional OTP token shared over the call was critical because it allowed the attacker to add their own personal device to the employee’s Okta account, which allowed them to produce their own Okta MFA from that point forward. This enabled them to have an active GSuite session on that device.
Because the employee’s Google Authenticator codes had been synced to their Google account through the app’s cloud-sync feature, getting access to that Google account gave the attacker access to all their MFA codes. With these codes (and the Okta session), the attacker gained access to Retool’s VPN and, crucially, its internal admin systems.
After learning of the attack, Retool immediately revoked all internal authenticated sessions (Okta, GSuite, etc.) for employees, locked down access to the affected accounts, notified the affected customers, and restored their accounts to their original state (with original email addresses), reverting the 27 account takeovers.
Read: https://retool.com/blog/mfa-isnt-mfa/
GitHub Repository Belonging to Microsoft’s AI Research Division Accidentally Exposes 38 TB of Data
The Wiz Research Team has found a GitHub repository belonging to Microsoft’s AI research division. The purpose of this repository, named robust-models-transfer, was to provide open-source code and AI models for image recognition.
Readers of the repository were instructed to download the models from an Azure Storage URL. This URL, however, granted access to the entire storage account rather than just the model files, exposing additional private data by mistake.
The storage account was found to contain 38 TB of additional data — including Microsoft employees’ personal computer backups. The backups contained sensitive personal data, including passwords to Microsoft services, secret keys, and over 30,000 internal Microsoft Teams messages from 359 Microsoft employees.
In addition to the overly permissive access scope, the token was also misconfigured to allow “full control” permissions instead of read-only. This meant that not only could an attacker view all of the files in the storage account, but they could also delete and overwrite existing files as well.
However, it’s important to note this storage account wasn’t directly exposed to the public; in fact, it was a private storage account. The Microsoft developers used an Azure mechanism called “SAS tokens” (Shared Access Signatures), which allows you to create a shareable link granting access to an Azure Storage account’s data, while upon inspection the storage account itself would still seem completely private.
Read: https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers
DC Appeals Court Upholds Subpoena on Facebook for COVID-19 Misinformation Data
The DC Court of Appeals has denied Meta’s appeal to cancel a broad subpoena, which required the handover of “documents capable of identifying all Facebook groups, pages, and accounts that have violated Facebook’s COVID-19 misinformation policy regarding vaccine-related content,” to the DC government.
Due to the extensive reach of Facebook’s “Covid-19 misinformation” rules and the significant number of affected users, millions of individuals, including those who expressed truthful statements questioning the government’s Covid narrative, are at risk of being included in this government data collection. These rules enforced by Facebook during the pandemic restricted numerous truthful statements.
The court ruled that Meta had not proven that the subpoena would limit its right to free speech or association. The ruling also stated that the First Amendment rights of Meta users would not be curtailed because “the users who posted those posts have already openly associated oneself with their professed views by openly publishing them to Facebook.”
Read: https://reclaimthenet.org/dc-appeals-court-facebook-subpoena-covid-19-misinformation
Caesars Entertainment’s Secret Ransom Payment Revealed Amidst MGM Heist
Caesars Entertainment has recently reported a cyber attack in a compulsory SEC filing. In contrast to MGM, Caesars was able to navigate through the incident by paying the hackers a $15 million ransom. The group behind both the Caesars and MGM cyber attacks is suspected to be “Scattered Spider” or “Roasted 0ktapus.”
During the attack on Caesars, the hackers gained access to the “Caesar’s Rewards” loyalty program database in particular. An unspecified number of driver’s license and Social Security numbers were also compromised, presumably from loyalty program members who had established credit lines at the company’s casinos or had to provide tax information to claim a substantial jackpot. The cyber attack did not affect customers who were not part of the loyalty program.
The hackers initially asked for a $30 million ransom payment, but Caesars managed to bring it down to $15 million through negotiation. The company has partial coverage from cyber attack insurance and does not anticipate the incident to significantly impact its financial performance. Paying a ransom carries risks as there’s no assurance that hackers will restore systems or refrain from selling or releasing stolen data, yet it seems to have worked for Caesars. On the other hand, MGM is still struggling to fully restore its IT systems after its own cyber attack.
Read: https://www.cpomagazine.com/cyber-security/caesars-entertainment-discloses-cyber-attack-ransom-payment-made-weeks-before-mgm-heist/
Elsewhere Online:
Denial-of-Service Attack Shuts Down Saskatchewan Government Accounts
Read: https://www.cbc.ca/news/canada/saskatchewan/cyberattack-crashes-government-websites-1.6967424
ICC Faces ‘Cybersecurity Incident’: Investigations Underway to Address Breach
Read: https://www.securityweek.com/cybersecurity-incident-hits-icc/
Introducing Hook: Expanding on ERMAC’s Legacy, the Newest Android Banking Trojan
Read: https://thehackernews.com/2023/09/hook-new-android-banking-trojan-that.html
Phishing campaign targets millions of Facebook business accounts, locking owners out of their accounts
Read: https://www.cpomagazine.com/cyber-security/facebook-messenger-phishing-campaign-targets-millions-of-business-accounts-locking-out-owners/
Linux backdoor exploited in forceful espionage campaign by China-linked actor
Read: https://www.darkreading.com/attacks-breaches/china-linked-actor-taps-linux-backdoor-in-forceful-espionage-campaign
Transhumanism and the War Against Humanity
Read: https://bombthrower.com/podcast/bttv-10-joe-allen-transhumanism-and-the-war-against-humanity/