Here are this week’s updates on recent developments in email security and other cybersecurity news.
Unpatched WordPress Plugin Flaw Exploited by Malicious Actors to Create Covert Admin Accounts
A critical unpatched vulnerability in the popular Ultimate Member plugin has put around 200,000 WordPress websites at risk of ongoing attacks.
Tracked as CVE-2023-3460 with a severity score of 9.8, the flaw affects all plugin versions, including the latest release (2.6.6) of June 29, 2023. Exploiting the vulnerability allows threat actors to create new user accounts with administrative privileges, granting them complete control over the compromised sites.
The flaw stems from inadequate blocklist logic that lets attackers modify the ‘wp_capabilities’ user meta value and elevate their access to the administrator level.
Although the plugin maintainers issued partial fixes in versions 2.6.4, 2.6.5, and 2.6.6, WPScan found ways to bypass these patches, indicating that the issue remained actively exploitable. Ultimate Member released version 2.6.7 on July 1, addressing the privilege escalation flaw and introducing allowlisting for meta keys as a security enhancement.
Users are advised to turn off the plugin and monitor administrator-level accounts for unauthorized additions until a comprehensive patch is available.
New Proxyjacking Campaign: Malicious Actors Exploit Vulnerable SSH Servers
A new server hijacking campaign has been discovered in which threat actors covertly target vulnerable SSH servers.
Researchers from Akamai have identified an active campaign in which threat actors exploit SSH for remote access, employing malicious scripts to covertly enroll victim servers into a P2P (peer-to-peer) proxy network such as Peer2Profit or Honeygain. Unlike cryptojacking, where compromised resources are used for cryptocurrency mining, proxyjacking lets the threat actors sell the victims’ unused bandwidth by running various services as P2P nodes.
The anonymity provided by proxyware services can also enable malicious actors to obfuscate the origin of their attacks by routing traffic through intermediary nodes. The campaign, discovered on June 8, 2023, targets susceptible SSH servers, deploying an obfuscated Bash script that retrieves dependencies from a compromised web server.
It is essential to implement robust security practices, such as using strong passwords, regularly patching systems, and maintaining detailed logging, to mitigate the risk of such attacks.
Warning: macOS Users Targeted by New ‘RustBucket’ Malware Variant
Security researchers have uncovered an advanced version of the RustBucket malware targeting Apple macOS systems.
The updated variant, attributed to the North Korean threat actor BlueNoroff, showcases improved capabilities for persistence and evading security software detection. The malware, associated with the Lazarus Group, now employs a dynamic network infrastructure methodology for command and control, allowing it to establish a more persistent presence.
RustBucket was first identified in April 2023 as an AppleScript-based backdoor capable of retrieving a second-stage payload from a remote server. The second-stage malware is compiled in Swift and downloads the primary Rust-based binary from the C2 (Command and Control) server. This binary enables extensive data gathering and the execution of additional Mach-O binaries or shell scripts on compromised systems.
The attacks are primarily aimed at financial institutions in Asia, Europe, and the U.S., so these organizations need effective malware and ransomware protection.
Potential Security Risk: Ghostscript Bug Enables Execution of System Commands via Rogue Documents
Ghostscript, Adobe’s widely used PostScript document composition system, has recently been found to have a bug, tracked as CVE-2023-36664.
The flaw allows malicious documents that create text and graphics to also execute system commands through the Ghostscript rendering engine. The issue arises from Ghostscript’s handling of output file names, as it can send output to a pipe instead of a regular file. By specifying specially formatted filenames starting with strings such as “%pipe%” or “|”, threat actors can launch commands on the victim’s system.
The Ghostscript team has released version 10.01.2 to address the bug, so it is essential to make sure you are running the latest version. If you use a standalone package managed by your Linux distribution, a Unix package system, or a package manager such as Homebrew on macOS, update it promptly to secure your system from this vulnerability.
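Beyond patching, any service that passes user-controlled output names to Ghostscript should refuse the pipe and device syntax described above before the interpreter ever sees it. The following is an added example written for this post, not code from the Ghostscript project; the function names, the output directory and the `png16m` device choice are assumptions for illustration.

```python
import os
import re

# Output names Ghostscript interprets as a pipe to a command rather than a file.
# "%pipe%" is the documented form; a leading "|" is the shorthand the CVE concerns.
_PIPE_PREFIXES = ("%pipe%", "|")

# Only plain basenames: letters, digits, dot, underscore, hyphen; no separators.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_pipe_output(name: str) -> bool:
    """True if Ghostscript would treat this OutputFile value as a pipe."""
    stripped = name.lstrip()
    return any(stripped.lower().startswith(p) for p in _PIPE_PREFIXES)


def safe_output_path(name: str, outdir: str) -> str:
    """Validate an untrusted output filename and return an absolute path inside outdir.

    Rejects pipe syntax, any "%device%" prefix (%stdout%, %pipe%, ...), path
    separators and traversal. Raises ValueError on anything suspicious, so the
    check happens in our code rather than relying on Ghostscript's own filtering.
    """
    if is_pipe_output(name) or name.lstrip().startswith("%"):
        raise ValueError(f"refusing pipe/device output name: {name!r}")
    if not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"output name is not a plain basename: {name!r}")
    outdir = os.path.abspath(outdir)
    path = os.path.abspath(os.path.join(outdir, name))
    # Defence in depth: the regex already excludes separators, but confirm containment.
    if os.path.dirname(path) != outdir:
        raise ValueError("output path escapes the output directory")
    return path


def build_gs_command(input_file: str, name: str, outdir: str) -> list:
    """Build an argv list (for subprocess.run without a shell) with a validated output path."""
    out = safe_output_path(name, outdir)
    return [
        "gs", "-dSAFER", "-dBATCH", "-dNOPAUSE",
        "-sDEVICE=png16m", f"-sOutputFile={out}", input_file,
    ]
```

Pass the resulting list to `subprocess.run` directly (no shell) so the validated path is the only thing Ghostscript receives as its output name.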