Alerts

New variants of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.

Agent Tesla is a commercially available .NET-based infostealer with both remote access Trojan (RAT) and keylogging capabilities, and it has been active since at least 2014.


A security researcher discovered vulnerabilities in an automation system for smart homes and buildings that allowed attackers to take over accounts belonging to other users and control their associated devices.

In a presentation on Saturday at the IoT Village during the DEF CON hacker conference, Barak Sternberg showed how several weak spots in the HDL automation system could have been leveraged by attackers to fully compromise it.


The plugin also comes with support for chat transcripts and makes it easy to set up auto-replies and FAQs outside working hours to provide visitors with helpful information while the site owner can’t reply.

Man in the middle of your site’s chat

In a report published today by Wordfence’s Threat Intelligence team, threat analyst Chloe Chamberland says that the high-severity authenticated options change vulnerability, which carries a CVSS base score of 7.4, was discovered on June 26, 2020.

Facebook’s security team addressed the flaw with the release of version 1.6 on July 28, roughly a month after they responded to Wordfence’s initial report.

On websites running a vulnerable version of the Official Facebook Chat Plugin, low-level authenticated attackers can “connect their own Facebook Messenger account [..] and engage in chats with site visitors[..].”

To connect the chat pop-up with the owner’s Facebook page, the plugin uses the wp_ajax_update_options AJAX action which, in unpatched versions, did not check whether page connection requests came from authenticated website admins, so being logged in at all was enough to reach it.

“This made it possible for any authenticated user, including subscriber level accounts, to send a request to update the options and hook-up their own Facebook Messenger account,” Chamberland explains.

“As a result, attackers could link their own Facebook Page Messenger account, by updating the page ID, to any given site running the plugin as long as they were able to register on the site and access the /wp-admin dashboard.”
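The defect described above is a missing authorization check on a WordPress `wp_ajax_*` handler: WordPress routes every admin-ajax.php request from any logged-in user, subscribers included, to the matching `wp_ajax_{action}` callback, so authentication alone never implies permission to change site options. The following is an added illustration, not the plugin's own code, showing a hypothetical handler in the vulnerable shape beside a hardened version that adds a capability check, a nonce check and input validation. The function, option, action and nonce names are assumptions chosen for this example.

```php
<?php
// Added example, not code from the Official Facebook Chat Plugin.
// All names below (example_* functions, option and nonce names) are assumptions.

// --- Vulnerable pattern ---
// Any authenticated user can POST to admin-ajax.php?action=example_update_options.
// Nothing here checks who the user is or whether the request was intentional,
// so a subscriber-level account could overwrite the linked page ID.
function example_update_options_vulnerable() {
    $page_id = isset( $_POST['page_id'] ) ? $_POST['page_id'] : '';
    update_option( 'example_chat_page_id', $page_id ); // assumed option name
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_update_options_hardened() {
    // Authorization: only users who may manage site options can relink the chat.
    // current_user_can() is the check the vulnerable handler lacked.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // CSRF protection: the request must carry a nonce issued for this action
    // (nonce action and POST field names are assumptions for this example).
    check_ajax_referer( 'example_update_options_nonce', 'nonce' );

    // Validation: a Facebook page ID is a numeric string; reject anything else
    // before it reaches the options table.
    $raw = isset( $_POST['page_id'] ) ? wp_unslash( $_POST['page_id'] ) : '';
    if ( ! preg_match( '/^\d{1,20}$/', $raw ) ) {
        wp_send_json_error( 'invalid page id', 400 );
    }

    update_option( 'example_chat_page_id', $raw );
    wp_send_json_success( array( 'page_id' => $raw ) );
}

// Register only the hardened handler, and only on wp_ajax_ (logged-in users);
// binding it to wp_nopriv_ would expose it to unauthenticated requests as well.
add_action( 'wp_ajax_example_update_options', 'example_update_options_hardened' );
```

On the admin page that issues the request, the nonce would be generated with `wp_create_nonce( 'example_update_options_nonce' )` and passed to the page's script (for instance via `wp_localize_script`) so it can be sent as the `nonce` POST field. The capability check is the fix that matters for this class of bug; the nonce protects the same endpoint against cross-site request forgery from an admin's browser, and the numeric validation keeps arbitrary strings out of the stored option.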

After successfully linking their own Facebook page to the targeted site’s chat, attackers receive any messages sent through the site’s Messenger Chat, with the site owner no longer receiving any incoming messages.

“Exploit attempts targeting this vulnerability could easily be used as part of a social engineering attack by posing as a site owner requesting personally identifiable information, credentials, or other information,” Chamberland adds.

Attackers could also use their access to compromised sites’ chats to ruin the sites’ reputation through toxic interaction with their visitors or to cause loss of revenue by “driving traffic to the competitors business.”

Over 50,000 sites still exposed to attacks

Even though Facebook Chat Plugin version 1.6, the release that addresses this vulnerability, was published on July 28, the plugin has been downloaded only 25,657 times since then according to historic download data from WordPress’ plugin portal, a figure that counts both updates and new installs.

This means that at least 54,000 WordPress sites with active Messenger Chat pop-ups are still left exposed to attacks designed to exploit this flaw as part of future hacking campaigns.

Facebook Chat Plugin users are strongly recommended to update their plugin to version 1.6 as soon as possible to block attacks designed to hijack their sites’ chat as part of social engineering schemes.

Yesterday, Wordfence also reported reflected Cross-Site Scripting (XSS) and PHP Object Injection vulnerabilities found in the Newsletter WordPress plugin that can let hackers inject backdoors, create rogue admins, and potentially take over affected sites.

Wordfence also found a critical bug in Google’s official WordPress plugin with 300,000 installations that could allow attackers to gain owner access to targeted sites’ Google Search Console and facilitate black hat SEO campaigns.


The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer; while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Twitter today said that the attackers behind this month’s hack were able to take control of high-profile accounts after stealing Twitter employees’ credentials as part of a phone spear phishing attack on July 15, 2020.

According to the company, the phone-based social engineering attack allowed the attackers to obtain the credentials of a limited set of employees, which made it possible to gain access to Twitter’s internal network and support tools.
