Tag Archive for: infected

Sign1 malware campaign already infected 39,000 WordPress sites


Large-scale Sign1 malware campaign already infected 39,000+ WordPress sites

Pierluigi Paganini
March 23, 2024

A large-scale malware campaign, tracked as Sign1, has already compromised 39,000 WordPress sites in the last six months.

Sucurity researchers at Sucuri spotted a malware campaign, tracked as Sign1, which has already compromised 39,000 WordPress sites in the last six months.

The experts discovered that threat actors compromised the websites implanting malicious JavaScript injections that redirect visitors to malicious websites.

Querying SiteCheck, the researchers discovered that the campaign infected over 2,500 sites in the past two months. 

“Plugins that allow for arbitrary JavaScript and other code to be inserted into a website are especially useful for website owners and developers but can also be abused by attackers in a compromised environment. Since these types of plugins allow for pretty much any code at all to be added, attackers often use them to insert their malicious or spammy payload.” reads the report published by the experts. “Sure enough, checking the plugin settings revealed our culprit nestled inside Custom CSS & JS

The threat actors behind Sign1 inject malicious JavaScript into legitimate plugins and HTML widgets. The injected code includes a hard-coded array of numbers that uses XOR encoding to get new values.

The experts decoded the XOR-encoded JavaScript code and discovered which it was used to execute a JavaScript file hosted on a remote server.

sign1

The researchers noticed that attackers employed dynamically changing URLs, the use of dynamic JavaScript code allows to change URLs every 10 minutes. The code is executed in the visitors’ browser, leading to unwanted redirects and ads for site visitors.

This code stands out because it checks whether the visitor came from a well-known website like Google, Facebook, Yahoo, or Instagram. If the visitor isn’t referred by one of these popular sites, the malicious code won’t run. Threat actors used this trick to avoid detection. Normally, someone who owns a website would visit it directly, instead of going through a search engine first. Malware uses this difference to try and stay…

Source…

69% of Organizations Infected by Ransomware in 2023


Over two-thirds (69%) of organizations experienced a successful ransomware incident in the past year, according to Proofpoint’s 2024 State of the Phish report.

This represents a rise of five percentage points compared to the previous year, according to the firm.

Close to 60% of these organizations reported four or more separate ransomware incidents in 2023, emphasizing the scale of this threat.

Over half (54%) of infected organizations admitted they paid a ransom to attackers. This marks a significant reduction on the proportion who paid in the previous year, which was 64%.

Paying a ransom was no guarantee of resolving the issue, with just 41% of organizations who paid regaining access to data after their first payment.

On February 23, 2024, Cybereason published research showing that 78% of organizations who paid a ransom demand were hit by a second ransomware attack, often by the same threat actor.

Almost all (96%) of organizations impacted by ransomware no have cyber insurance. More than nine in 10 (91%) of insurers helped with ransom payments in 2023, up from 82% in 2022.

Read here: LockBit Takedown: What You Need to Know about Operation Cronos

MFA Bypass and Other Social Engineering Trends

The Proofpoint research highlighted that attackers are increasingly using advanced techniques to bypass multifactor authentication (MFA). Typically, these techniques involve proxy servers to intercept MFA tokens, with several off-the-shelf phishing kits now including MFA bypass functionality.

For example, the company said it observes around one million phishing threats use the EvilProxy framework every month. This tool is based on a reverse proxy architecture which is designed to harvest MFA-protected credentials and session cookies.

Despite the growing availability of MFA bypass capabilities, 89% of cybersecurity professionals surveyed still consider MFA to provide complete protection against account takeover.

Attackers are evolving their social engineering techniques in a range of other ways. This includes an increase in the use of QR codes as an alternative to links or attachments in phishing messages.

The researchers noted that this technique is particularly dangerous as…

Source…

Babuk Ransomware Decryptor Updated to Recover Files Infected


Hackers use ransomware to encrypt victims’ files and render them inaccessible until a ransom is paid. This forces the victims to pay a ransom to regain access to compromised systems and data.

This tactic leads to financial gains for the threat actors. While ransomware attacks can be conducted at scale and threat actors can target individuals, businesses, and organizations.

The Babuk ransomware decryptor has recently received an update from Avast cybersecurity researchers, Cisco Talos, and the Dutch Police to allow for the recovery of files infected with the most recent ransomware variant.

Document

Free Webinar

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Technical Analysis

Babuk ransomware initially emerged in early 2021, and it is known for the following key things:-

  • Targeting Windows systems
  • Encrypting files
  • Demanding ransom payments in exchange for decryption keys

Besides this, Babuk ransomware has gained immense attention for its Evolving tactics and the sophistication of its attacks.

Since its founding, the Avast security company has blocked over 5600 targeted attacks, the majority of which targeted individuals and organizations in the following nations:

  • Brazil
  • Czech Republic
  • India
  • The United States
  • Germany
Babuk attacks blocked by Avast since 2021 (Source – Avast)

The recently updated Avast Babuk decryption tool can restore the files the Tortilla Babuk variant has encrypted.

Babuk ransomware source code was released in Sept 2021 in the form of a ZIP file on a Russian hacking forum, which included the following 14 victim-specific private keys:-

The cybersecurity analysts affirmed that the decryptor creation was easy as the encryption scheme remained unchanged from their analysis 2 years prior and the sample that the researchers analyzed was named “tortilla.exe.”.

The Babuk encryptor is likely made from leaked sources and uses a single key…

Source…

New Android malware family has infected thousands of devices – here’s what we know


Cybersecurity researchers from McAfee hae uncovered over a dozen malicious apps lurking in the Google Play Store. 

The researchers claim these apps were carrying a potent piece of malware, capable of stealing sensitive data from the infected Android devices and possibly even running ad fraud.

Source…