Tag Archive for: Campaign

Sign1 malware campaign already infected 39,000 WordPress sites


Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites

Pierluigi Paganini
March 23, 2024

A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months.

Security researchers at Sucuri spotted a malware campaign, tracked as Sign1, which has already compromised 39,000 WordPress sites in the last six months.

The experts discovered that threat actors compromised the websites by implanting malicious JavaScript injections that redirect visitors to malicious websites.

Querying SiteCheck, the researchers discovered that the campaign infected over 2,500 sites in the past two months. 

“Plugins that allow for arbitrary JavaScript and other code to be inserted into a website are especially useful for website owners and developers but can also be abused by attackers in a compromised environment. Since these types of plugins allow for pretty much any code at all to be added, attackers often use them to insert their malicious or spammy payload.” reads the report published by the experts. “Sure enough, checking the plugin settings revealed our culprit nestled inside Custom CSS & JS

The threat actors behind Sign1 inject malicious JavaScript into legitimate plugins and HTML widgets. The injected code includes a hard-coded array of numbers that is XOR-decoded to produce new values.

The experts decoded the XOR-encoded JavaScript and discovered that it was used to execute a JavaScript file hosted on a remote server.


The researchers noticed that the attackers employed dynamically changing URLs: the dynamic JavaScript code changes the URL every 10 minutes. The code is executed in the visitors’ browser, leading to unwanted redirects and ads for site visitors.

This code stands out because it checks whether the visitor came from a well-known website like Google, Facebook, Yahoo, or Instagram. If the visitor isn’t referred by one of these popular sites, the malicious code won’t run. Threat actors used this trick to avoid detection. Normally, someone who owns a website would visit it directly, instead of going through a search engine first. Malware uses this difference to try and stay…
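As an added example (not code from the Sucuri report or this article), here is a Python scanner that applies the two traits described above, a hard-coded numeric array that is XOR-decoded and a decoded string that references a remote loader or the checked referrers, to JavaScript stored in a plugin such as Custom CSS & JS. The single-byte key shape, the sample snippet and the example.invalid host are assumptions constructed here.

```python
import re
import string

# Referrer names the article says the injected code checks for, plus generic loader markers.
INDICATORS = ("http", "document", "referrer", "google", "facebook", "yahoo", "instagram")
ARRAY_RE = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\]")  # 8+ small integers
PRINTABLE = set(string.printable)

def find_numeric_arrays(js):
    """Return every array literal of 8+ values in 0..255 found in the script text."""
    arrays = []
    for m in ARRAY_RE.finditer(js):
        values = [int(v) for v in m.group(1).split(",")]
        if all(0 <= v <= 255 for v in values):
            arrays.append(values)
    return arrays

def best_single_byte_key(values):
    """Try all 256 single-byte keys (an assumed key shape, not a fact from the article) and
    keep the printable output with the most indicator hits: (key, text, hits) or None."""
    best = None
    for key in range(256):
        text = "".join(chr(v ^ key) for v in values)
        if not all(c in PRINTABLE for c in text):
            continue
        hits = [w for w in INDICATORS if w in text.lower()]
        if hits and (best is None or len(hits) > len(best[2])):
            best = (key, text, hits)
    return best

def scan(js):
    """Scan stored plugin JS (e.g. a Custom CSS & JS entry) for decodable XOR arrays."""
    findings = []
    for values in find_numeric_arrays(js):
        hit = best_single_byte_key(values)
        if hit:
            findings.append({"key": hit[0], "decoded": hit[1], "indicators": hit[2]})
    return findings

# Constructed sample (not the real Sign1 payload): a loader URL XOR-encoded with a
# single-byte key, inside a snippet shaped like the injection the article describes.
_SAMPLE_KEY = 0x5A
_SAMPLE_PLAIN = "https://example.invalid/loader.js"  # placeholder host, not an IoC
SAMPLE_JS = (
    "var a=" + str([ord(c) ^ _SAMPLE_KEY for c in _SAMPLE_PLAIN]) + ";"
    "var s='';for(var i=0;i<a.length;i++){s+=String.fromCharCode(a[i]^k);}"
    "if(/google|facebook|yahoo|instagram/.test(document.referrer)){/* load s */}"
)
```

Running `scan(SAMPLE_JS)` recovers the key and the loader URL; a hit on a live site is a reason to inspect the plugin entry, since legitimate custom JS rarely needs an obfuscated byte array.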

Source…

U.S. still finding victims of advanced China-linked hacking campaign, NSA official says


The U.S. is still identifying victims targeted by an extensive China-backed hacking campaign that became the subject of a recent FBI takedown operation and other advisories from officials over the past year, a top NSA cyber official said.

Rob Joyce, the agency’s outgoing cybersecurity director, said on Friday that the U.S. is still finding victims of the Volt Typhoon hacking collective that’s been latching onto critical infrastructure through compromised equipment including internet routers and cameras, and that NSA is not yet done with efforts to eradicate such threats.

The clandestine activities, which are said to be backed by the Chinese government, have allowed the hackers to conceal their intrusions into U.S. and foreign allies’ systems for at least five years, officials have previously said. 

The FBI in January announced it had jettisoned a significant portion of the group’s operations from compromised equipment it had burrowed into. These claims were subsequently affirmed by analysis from the private sector. But Friday’s remarks indicate there is still a way to go before Volt Typhoon is completely eradicated from U.S. networks.

Joyce, who was speaking to a group of reporters, declined to give a precise account of how many victims were remaining, but said the Chinese cyberspies are using tradecraft that’s difficult to uncover because of its reliance on stolen administrator credentials which allow them to more easily mask exploits.

The Volt Typhoon group has been carrying out “station keeping” activities, in an effort to preposition themselves to take down key infrastructure like transportation networks, he said. As for when the dismantling order would come down from Chinese authorities, the agency assesses it would be a “pretty high bar” reserved for major conflict like a possible Chinese invasion of Taiwan, he said.

The Volt Typhoon hackers have been using “living off the land techniques” that allow them to hide inside systems and bypass detection, previous U.S. reports said, noting that they have breached American facilities in Guam, as well as other key infrastructure in facilities both inside and outside the U.S.

Joyce added that NSA has been able to…

Source…

US indicts Iranian over widespread hacking campaign


Iranian national Alireza Shafie Nasab has been charged by the U.S. for his involvement in the targeting of more than 200,000 devices in an attempt to hack U.S. government agencies, defense contractors, and private organizations for nearly five years, reports The Register.

U.S. organizations have been subjected to spear-phishing, software, and social engineering attacks by Nasab and his co-conspirators operating under the Mahak Rayan Afraz business between 2016 and April 2021, according to the Justice Department. While Nasab could face up to 47 years’ imprisonment for his charges, his location remains unknown, prompting the State Department to unveil a $10 million bounty for any information regarding his whereabouts. “Today’s charges highlight Iran’s corrupt cyber ecosystem, in which criminals are given free rein to target computer systems abroad and threaten U.S. sensitive information and critical infrastructure. Our National Security Cyber Section remains focused on disputing these cross-border hacking schemes and holding those responsible to account,” said Assistant Attorney General for National Security Matthew Olsen.

Source…

Outdated switches targeted by China-linked hacking campaign


The FBI thwarted a hacking group backed by the Chinese government that was targeting hundreds of routers and had been working to compromise U.S. cyber infrastructure, according to FBI Director Christopher Wray.

Wray made the announcement at a House Select Committee hearing. The group, codenamed “Volt Typhoon,” hacked into hundreds of routers primarily used in home offices and SMBs to allow the Chinese government to access their data.

Wray told the committee that the routers were outdated, which made them “easy targets.” The routers together formed an assembly of malware-infected devices, known as a botnet, which the threat group could use for launching an attack against U.S. critical infrastructure, the FBI said in a statement on Jan. 31.

The routers were just the starting point. The hackers were using them as a launchpad to target U.S. water treatment plants, the power grid, oil and natural gas pipelines, and transportation systems, according to the FBI.

On Feb. 7, the Cybersecurity and Infrastructure Security Agency (CISA) along with the FBI issued guidance for owners of these routers to secure them. This includes applying patches for internet-facing systems, prioritizing patching of critical vulnerabilities in appliances known to be frequently exploited by Volt Typhoon, implementing phishing-resistant multifactor authentication (MFA), and ensuring logging is turned on for application, access, and security logs and that those logs are stored in a central system.

CISA and the FBI have not publicly disclosed which models of switches are vulnerable, perhaps to protect them from being targeted by other bad players. We do know that they are made by Cisco, Netgear, and D-Link and that they are older models no longer available for sale. Security firm Lumen Technologies has been tracking Volt Typhoon and identified Netgear ProSAFE firewalls, Cisco RV320s, DrayTek Vigor routers, and Axis IP cameras as the targets.

Source…