More stories

  • Adobe urges customers to upgrade after 500 stores breached through Magento platform

    Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform.

    In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020. “We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability,” an Adobe spokesperson said. “At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates.”

    On Tuesday, Sansec released a report revealing that hundreds of stores were the victims of a payment skimmer loaded from the naturalfreshmall.com domain.

    More than 350 ecommerce stores infected with malware in a single day. Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js. — Sansec (@sansecio) January 25, 2022

    “We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potential new attack. The first investigation is now completed: attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store,” the researchers explained. “Attackers abused a (known) leak in the Quickview plugin. While this is typically abused to inject rogue Magento admin users, in this case the attacker used the flaw to run code directly on the server.”

    In their examination of one attack, researchers found the threat actor left 19 backdoors on the system. They recommended victims use a malware scanner to identify all of the instances of malicious files or Magento code that had malicious code added to them.

    Sansec noted that even though Adobe has ended support for Magento 1, thousands of businesses still use it. Magento has long been a source of issues for Adobe and the online merchants who use it. In November, the National Cyber Security Centre (NCSC) identified a total of 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised by known vulnerabilities in the e-commerce platform Magento.

    In February 2021, Magento received a slew of security fixes from Adobe. Specifically, Magento Commerce and Magento Open Source on all platforms were subject to a total of 18 bugs, varying in severity from critical to moderate. More than 2,000 Magento online stores were hacked in September 2020, attacks that were also spotted by Sansec at the time.

    Attacks against sites running the now-deprecated Magento 1.x software were anticipated by Adobe, which issued the first alert in November 2019 about store owners needing to update to the 2.x branch. Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa. Even the FBI warned in 2020 that hackers were exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers’ payment card data.

  • This Android banking trojan is spreading by copying the tactics of another malware menace

    Two powerful forms of Android malware are being spread in attacks which share the same infection tactics and delivery infrastructure. Detailed by cybersecurity researchers at ThreatFabric, the campaigns involve FluBot malware – also known as Cabassous – and another Android banking trojan, Medusa.

    FluBot is one of the most notorious forms of Android malware, which steals passwords, bank details and other sensitive information from infected smartphones. It also gains access to contact books in order to spread itself to other victims via malicious SMS messages, which are often designed to look like an alert about a missed package delivery. FluBot is so prolific that national cybersecurity agencies have issued warnings about it. The success of FluBot has also been noticed by other cyber criminals, to the extent that those behind Medusa – which is designed to steal sensitive information via keylogging, taking screenshots and collecting data about how the phone is used – have copied its techniques for spreading their malware.

    Medusa campaigns have been seen using the same app names, package names and similar icons used in successful FluBot campaigns, including one which delivers links to malware in messages which claim to come from DHL. But Medusa campaigns don’t just look the same as FluBot attacks, they’re being delivered via the same SMSishing service. The malware isn’t new, it first emerged in 2020, but the adoption of new tactics could see Medusa become a common threat for Android users.

    “Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns,” warn ThreatFabric researchers.

    While FluBot malware campaigns tend to be restricted to victims in Europe, Medusa has a more widespread focus. The malware initially started out by focusing on Turkey, but now it’s also targeting users in North America and Europe. “Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions,” said researchers.

    However, the additional spread of Medusa doesn’t mean that FluBot is about to become any less of an issue. Researchers note that the creators of FluBot continue to add additional functionality, including the ability to replace or interact with app notifications. This enables the attackers to manipulate applications, allowing them both to direct users towards apps they want to steal information from, and also take control of messaging apps.

    Both Medusa and FluBot remain a threat to Android users but there are steps which can be taken in an effort to avoid becoming a victim. One of those is that it’s unlikely that any company will ask you to download an application from a direct link, so any unexpected text message asking you to download a link should be regarded with caution. As long as users don’t click on the links, they’ll avoid infection.

  • FritzFrog botnet returns to attack healthcare, education, government sectors

    The FritzFrog botnet has reappeared with a new P2P campaign, showing growth of 10x within only a month. FritzFrog is a peer-to-peer botnet discovered in January 2020. Over a period of eight months, the botnet managed to strike at least 500 government and enterprise SSH servers.

    The P2P botnet, written in the Golang programming language, is decentralized in nature and will attempt to brute-force servers, cloud instances, and other devices — including routers — that have exposed entry points on the internet. On Thursday, cybersecurity researchers from Akamai Threat Labs said that despite having gone quiet after its previous attack wave, since December, the botnet has reappeared with an exponential growth surge.

    “FritzFrog propagates over SSH,” the researchers say. “Once it finds a server’s credentials using a simple (yet aggressive) brute force technique, it establishes an SSH session with the new victim and drops the malware executable on the host. The malware then starts listening and waiting for commands.”

    In total, 24,000 attacks have been detected to date. And 1,500 hosts have been infected, the majority of which are located in China. The botnet is used to mine for cryptocurrency. Healthcare, education, and government sectors are all on the target list. Thanks to new functionality and the usage of a proxy network, the malware is also being prepared to home in on websites running the WordPress content management system (CMS).

    A TV channel in Europe, a Russian healthcare equipment manufacturer, and universities in Asia have been compromised. 

    Akamai considers FritzFrog a “next-generation” botnet due to a number of key features. This includes consistent update and upgrade cycles, an extensive dictionary used in brute-force attacks, and its decentralized architecture, which is described as “proprietary.” In other words, the botnet doesn’t rely on other P2P protocols to function.

    The latest FritzFrog is updated daily — sometimes more than once a day. Alongside bug fixes, the operators have included the new WordPress function to add websites based on this CMS to a target list. However, at the time of writing, the lists are empty, which suggests this is an attack feature in the development pipeline.

    Akamai isn’t certain of the botnet’s origin, but there are some indicators that the operators are either based in China or are impersonating operators in the country. A newly-added file transfer library, for example, links to a GitHub repository owned by a user in Shanghai. In addition, the botnet’s cryptocurrency mining activity links to wallet addresses also used by the Mozi botnet, in which operators were arrested in China.

    The cybersecurity firm has provided a FritzFrog detection tool on GitHub.

  • This password-stealing malware posed as a Windows 11 download

    Windows 10 users need to be cautious about fake Windows 11 installers that are being used to spread the info-stealing RedLine malware. RedLine is not especially sophisticated malware but can steal passwords and is sold as an online service for $150 a month to people who want to steal cryptocurrency like Bitcoin or Ethereum.

    Crooks use numerous tricks to get the unwary to download it, and now HP has found them using fake promises of Windows 11 upgrades as a lure to trick PC users into installing the malware. Microsoft has set a high bar for hardware that is eligible for the upgrade to Windows 11 and leans towards newer processors. Few devices were initially eligible but Microsoft recently announced it was accelerating the roll out to meet unexpected demand. In this case, the hackers tried to use Microsoft’s January 26 announcement that it was “entering its final phase of availability and is designated for broad deployment for eligible devices” as an angle, registering their own fake domain the day after.

    HP security researchers found that RedLine actors registered a fake domain in the hope of tricking Windows 10 users into downloading and running a fake Windows 11 installer. The attackers copied the design of the legitimate Windows 11 website, except clicking on the “Download Now” button downloads a suspicious zip archive. “The domain caught our attention because it was newly registered, imitated a legitimate brand and took advantage of a recent announcement. The threat actor used this domain to distribute RedLine Stealer, an information stealing malware family that is widely advertised for sale within underground forums,” Patrick Schläpfer, a malware analyst for HP’s Wolf security team, said.

    The domain name for the bogus Windows 11 upgrade page was registered with a Russian registrar; Microsoft’s actual Windows 11 upgrade page is hosted on a Microsoft.com domain. The malware aims to steal stored passwords from web browsers, auto-complete data such as credit card information, as well as cryptocurrency files and wallets.

    Microsoft has been streamlining its Windows feature upgrades, including making them more like a Patch Tuesday for ‘N-minus-1’ upgrades, but the criminals in this case went well beyond the real product with a tiny compressed malicious installer of just 1.5 MB of data that expanded to a 753 MB folder after decompression, a feat that impressed HP’s malware analyst. “Since the compressed size of the zip file was only 1.5 MB, this means it has an impressive compression ratio of 99.8%. This is far larger than the average zip compression ratio for executables of 47%. To achieve such a high compression ratio, the executable likely contains padding that is extremely compressible,” writes Schläpfer.

    He also noted the use of a junk 0x30 byte “filler area” in the file that served no apparent purpose other than evading antivirus detection. “One reason why the attackers might have inserted such a filler area, making the file very large, is that files of this size might not be scanned by an anti-virus and other scanning controls, thereby increasing the chances the file can execute unhindered and install the malware,” he notes.

    The Windows 11 ruse is typical of RedLine’s operators, who’ve made a cheap and nasty malware service for non-techies to use. In December, it was riding off the branding of the hugely popular messaging app Discord. HP notes: “Since such campaigns often rely on users downloading software from the web as the initial infection vector, organizations can prevent such infections by only downloading software from trustworthy sources.”
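The two properties Schläpfer measured (a deflate ratio far above the ~47% typical for executables, and a long run of a single 0x30 filler byte) are cheap to check at the mail or download gateway, before the archive is ever extracted onto a disk where the size-skipping behaviour of an AV scanner matters. The following is an added example, not HP's code or the real sample: it builds a constructed archive with a small pseudo-random stub padded with 4 MiB of 0x30 and scans it streaming, and the 90% ratio cut-off, 1 MiB minimum run and 64 KiB chunk size are assumptions.

```python
import hashlib
import io
import zipfile

# Flag entries at or above this deflate ratio. HP measured 99.8% for the
# padded installer against a 47% average for executables; 90% is an assumption.
SUSPICIOUS_RATIO = 0.90
# Byte the padded installer was filled with (from the analysis above).
FILLER_BYTE = 0x30
# A run of one repeated byte at least this long counts as padding (assumption).
MIN_FILLER_RUN = 1024 * 1024
# Granularity at which the decompressed stream is examined for padding.
CHUNK = 64 * 1024


def compression_ratio(info):
    """Fraction of the original size removed by compression, e.g. 0.998."""
    if info.file_size == 0:
        return 0.0
    return 1.0 - info.compress_size / info.file_size


def longest_filler_run(stream, chunk=CHUNK):
    """Return (byte_value, run_length) for the longest run of consecutive
    chunks that each consist of one repeated byte. Measured at chunk
    granularity, so padding shorter than one chunk is ignored, and the
    stream is never held in memory at once (753 MB decompressed is realistic)."""
    best_byte, best_len = None, 0
    cur_byte, cur_len = None, 0
    while True:
        piece = stream.read(chunk)
        if not piece:
            break
        if len(piece) == chunk and piece == piece[:1] * chunk:
            if piece[0] == cur_byte:
                cur_len += chunk
            else:
                cur_byte, cur_len = piece[0], chunk
            if cur_len > best_len:
                best_byte, best_len = cur_byte, cur_len
        else:
            cur_byte, cur_len = None, 0
    return best_byte, best_len


def scan_zip(zip_bytes):
    """Return one finding (dict) per entry that looks padded for evasion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ratio = compression_ratio(info)
            with zf.open(info) as fh:          # decompress as a stream
                filler_byte, filler_run = longest_filler_run(fh)
            reasons = []
            if ratio >= SUSPICIOUS_RATIO:
                reasons.append(f"compression ratio {ratio:.1%}")
            if filler_run >= MIN_FILLER_RUN:
                reasons.append(f"{filler_run} bytes of 0x{filler_byte:02x} filler")
            if reasons:
                findings.append({"name": info.filename, "size": info.file_size,
                                 "ratio": ratio, "filler_byte": filler_byte,
                                 "filler_run": filler_run, "reasons": reasons})
    return findings


def build_sample_zip():
    """Constructed sample archive, not the real RedLine file: a pseudo-random
    'executable' stub followed by 4 MiB of 0x30 padding, plus a benign
    incompressible entry that must not be flagged."""
    stub = b"MZ" + b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
    padded_exe = stub + bytes([FILLER_BYTE]) * (4 * 1024 * 1024)
    readme = b"".join(hashlib.sha256(b"readme" + bytes([i])).digest() for i in range(64))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("setup.exe", padded_exe)
        zf.writestr("readme.txt", readme)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding["name"], finding["size"], "; ".join(finding["reasons"]))
```

Because the ratio comes from the central directory alone, a gateway can apply that first test without decompressing anything and reserve the streaming filler check for entries that fail it.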

  • Linux malware attacks are on the rise, and businesses aren't ready for it

    Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity – and many organisations are leaving themselves open to attacks because Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there’s also a lack of focus on managing and detecting threats against them. This comes as more enterprises rely on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments.

    That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed by the research paper, including ransomware and cryptojacking attacks tailored to target Linux servers in environments that might not be as strictly monitored as those running Windows.

    These attacks are designed for maximum impact, as the cyber criminals look to compromise as much of the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key. The report warns that ransomware has evolved to target Linux host images used to spin up workloads in virtualised environments, enabling the attackers to simultaneously encrypt vast swathes of the network and make incident response more difficult. The attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they’re not paid a ransom. Ransomware families that have been seen targeting Linux servers in attacks include REvil, DarkSide and Defray777, and it’s likely that new forms of ransomware will appear that also target Linux.

    Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine for cryptocurrency. The attacks against all operating systems often go undetected. While cryptojackers are using up energy and potentially slowing down systems, it’s usually not a noticeable enough drain to cause significant disruption. The most common application used to mine for Monero is the open-source XMRig miner and many of these are being placed on Linux servers. If the Linux environment isn’t being correctly monitored, cryptojacking can easily go undetected and cyber criminals know this.

    “Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware. Rather than infecting a PC and then navigating to a higher value target, cyber criminals have realised that compromising a single server can deliver a massive payoff.

    Many of the cyberattacks targeting Linux environments are still relatively unsophisticated when compared with equivalent attacks targeting Windows systems – that means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren’t in use and avoiding sharing one account across multiple users. “Focus on the basics. The fact is that most adversaries are not super advanced,” said Brian Baskin, manager of threat research at VMware. “They’re not looking for unique exploits, they’re looking for the general open vulnerabilities and misconfigurations. Focus on those before you start focusing on zero-day attacks and new vulnerabilities – make sure you’ve got the basics covered first,” he added.

  • PHP Everywhere code execution bugs impact thousands of WordPress websites

    Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public. 

    The RCE bugs impact PHP Everywhere, a utility for web developers to be able to use PHP code in pages, posts, the sidebar, or anywhere with a Gutenberg block – editor blocks in WordPress – on domains using the content management system (CMS). The plugin is used on over 30,000 websites. According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3.

    The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9. WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, a logged-in user – even one with almost no permissions, such as a subscriber – could send a crafted request parameter to execute arbitrary PHP, leading to full website takeover.

    CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes – draggable edit boxes – and how the software permits any user with the edit_posts capability to use these functions.

    “Untrusted contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post,” WordFence says. “While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions.”

    The third vulnerability is tracked as CVE-2022-24665 and has also been issued 9.9 on the severity scale. All users with edit_posts permissions can use PHP Everywhere Gutenberg blocks, and attackers could tamper with a website’s functionality by executing arbitrary PHP code through these functions. It was possible to set this function to administrators only, but in versions of the software below 2.0.3, this could not be implemented by default.

    WordFence disclosed the vulnerabilities to the developer on January 4, who rapidly developed a set of fixes. On January 10, a patched version of the plugin, v.3.0.0, was rolled out. The developer, Alexander Fuchs, says that the update has caused a “breaking change” due to the necessary removal of some Block editor functionality, and so users facing problems – such as if they are relying on the Classic Editor – will need to also upgrade old code to Gutenberg blocks or find another solution to run PHP. At the time of writing, just over 30% of users have upgraded, and so many websites are still running vulnerable versions of the plugin.

  • Australian inquiry backs Taiwan CPTPP accession but doesn't do the same for China

    Australia’s parliamentary body tasked with analysing the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) has come out in full support of extending the pact’s membership to Taiwan. In a report about expanding CPTPP membership, the Joint Standing Committee on Foreign Affairs, Defence and Trade said the Australian government along with other pact members should facilitate Taiwan’s accession to the pact. The committee explained it supported Taiwan’s accession, in spite of China’s disapproval, as it is one of the “very few major markets” that Australia has not entered a free trade agreement with. In light of the lack of a free trade agreement between Australia and Taiwan, the committee said Australia should also consider concurrently negotiating a bilateral with the Taiwanese government. The committee made this recommendation as Australia has seen benefits from adopting a similar approach with the UK previously. The committee also said that such agreements would allow the Australian government to learn from Taiwan when it comes to how to both counter disinformation campaigns and build a better cybercapacity in countering illegitimate or unsolicited attacks. When it came to China’s potential accession into the CPTPP, the committee did not give the same glowing review. It said that any support for China to enter the pact would require the country to re-establish full trading relations with Australia, including “ending its coercive trade measures and reengaging in ministerial dialogue, and to demonstrate an ability and willingness to commit to the CPTPP’s high standards”.

    “The ball is in their court,” said Ted O’Brien, Liberal MP and committee member. “It’s up to China if it wishes to re-engage with Australia and I hope it does because that would enable the discussions that are necessary to determine whether an accession process should commence.” Currently, Beijing has measures in place that limit Australia’s export of goods such as barley, coal, copper ores and concentrates, cotton, hay, logs, rock lobsters, sugar, and wine to China. Tensions between Australia and China have grown steadily over the past two years, with Australia, alongside the UK and US, in September announcing a trilateral security pact — AUKUS — aimed at addressing the defence and security concerns posed by China within the Indo-Pacific region. At the time, although China was not mentioned when announcing AUKUS, Australian Prime Minister Scott Morrison said the Indo-Pacific region was increasingly becoming “more complex”.

    For the inquiry’s report, much like Morrison’s AUKUS announcement, the committee stressed the federal government should prioritise supporting an “open, transparent and stable trading environment in the Indo-Pacific” when considering whether to allow states such as China to accede into the pact. Current members of the CPTPP include Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. Outside of China and Taiwan, the United Kingdom has also submitted a formal request to join the CPTPP, and a working group for that accession application has been established. South Korea is also considering joining the trade pact.

  • Australia's anti-trolling Bill enters Parliament retaining defamation focus

    The federal government has officially introduced the highly-publicised anti-trolling Bill into Parliament. The Bill, Social Media (Anti-Trolling) Bill 2022, was first announced by Australian Prime Minister Scott Morrison in November as a mechanism that would “unmask anonymous online trolls” and address toxic content existing on social media platforms. The anti-trolling Bill has since been touted by the Liberal Senator and Attorney-General Michaelia Cash as one of her party’s primary items that it wants to push out before the federal election. Introduced by Communications Minister Paul Fletcher on Thursday morning, the Bill remains largely unchanged from the exposure draft version released in December.

    Despite being called an anti-troll Bill, the proposed laws do not contain any sections addressing troll or harmful content. At its core, the Bill is focused on empowering people to raise lawsuits for online defamation rather than explicitly preventing cyberbullying and online abuse. Last week, Australia’s eSafety Commissioner Julie Inman Grant outlined her concern about this, specifically on how it may be misused due to the lack of these elements addressing troll and harmful content. “I think [the anti-trolling Bill] can lend itself to a lot of retaliation, a lot of vigilante-style justice,” said Inman Grant.

    The other focus of the Bill, according to its explanatory memorandum, is to overturn a recent Australian legal precedent set in the Voller case, which made individuals and organisations liable for defamatory material that exists on their social media pages. The Bill, if passed, would result in administrators of social media pages no longer being liable to defamation for third-party material posted on those pages. That liability would shift to social media service providers instead.

    Looking at the Bill’s details, much like its exposure draft, it is still seeking to formally classify social media service providers as publishers of any comments made on their platforms in Australia. To avoid defamation under the Bill, social media service providers would need to have a complaints scheme in place that allows victims of defamatory comments to both make complaints and request the personal information of the maker of those comments. Complaints schemes that satisfy the Bill’s requirements would also have to ensure that an accused commenter is notified that they are the subject of a complaint within 72 hours of it being made. If the accused commenter gives consent for their personal information to be provided, social media platforms must then disclose that information to complainants and assist them in relation to potentially raising any defamation lawsuits.

    This personal information would include contact details such as name, email address, phone number as well as country location data to determine if the user is in Australia. Geolocation data provided under the Bill would be limited to whether or not the material was “posted in Australia” by reference to geolocation technology deployed by the social media provider. The disclosure mechanism can also only be enlivened where there is reason to believe that there may be a right for the complainant to obtain relief against the poster in a defamation proceeding.

    As parliamentarians deliberate over the Bill, Australia’s federal inquiry into the practices of major technology companies is set to provide its findings later this month. The social media probe was approved by the federal government with the intention of building on the anti-trolling Bill’s initial goal of unmasking trolls.