Is Pikabot A New QakBot?

In its report, Cofense said that DarkGate and Pikabot’s tactics and methods are similar to previous QakBot (aka Qbot) campaigns. That is, it seems that Qbot operators simply switched to using new botnets and malware. Researchers write that QBot was one of the largest botnets. The spread of QBot was associated with email, and DarkGate and Pikabot are modular malware downloaders that have the same functions as QBot.

Similarly to QBot, hackers use the new downloaders to gain initial access to victims’ networks. Then they carry out ransomware attacks, espionage and data theft. Interestingly, some cybersecurity experts predicted the possible return of malware.

Features of the phishing campaign of the QBot heirs

According to Cofense, this summer the number of malicious emails spreading DarkGate increased significantly. In October 2023, attackers switched to using Pikabot as their main payload. These phishing attacks begin with emails that appear to be a reply or forward related to a previously stolen discussion. This makes it more likely that recipients will view the message with more confidence.

Users who click on a URL from such an email go through a series of checks and are then prompted to download a ZIP archive. This archive contains a dropper that retrieves the final payload from a remote source.

The researchers note that the attackers experimented with several droppers to determine which one worked best, including:

• JavaScript dropper for loading and executing PE or DLL;
• Excel-DNA loader, based on an open-source project used to create XLL files. In this case it is used to download and run malware;
• VBS loaders, which can execute malware via .vbs files in Microsoft Office documents or launch command line executables;
• LNK downloaders, which use .lnk files to download and execute malware.

The final payload used in these attacks until September 2023 was DarkGate, which was replaced by PikaBot in October 2023.

How dangerous are DarkGate and PikaBot?

DarkGate is a modular malware that supports various types of malicious behavior. Its first appearance happened back in 2017, but it became available to masses only in the summer of 2023. This, eventually, ended up with a sharp increase in its distribution. Among key feautures, DarkGate boasts hVNC remote access, cryptocurrency mining and reverse shell creation. It allows for keylogging, stealing data from an infected machine.

In turn, PikaBot is a newer malware that first appeared in early 2023 and consists of a loader and a main module, with mechanisms to protect against debugging, VMs, and emulations. On the infected machine, it creates a system profile and sends the collected data to the control server, awaiting further instructions. In response, the server sends commands to load and execute modules in the form of DLL or PE files, shellcode or command line commands. All this makes PikaBot a universal tool.

What is QakBot notorious for?

QakBot, active since 2008, was originally a banking Trojan. But it has evolved over time into a powerful malware downloader capable of deploying additional payloads, stealing information, and enabling lateral movement. Qbot’s malicious campaigns are most likely linked to Russian hackers and they are constantly improving their malware distribution methods.

In 2020 the Qbot Trojan first entered the list of the most widespread malware in the world. And since then, the malware had continiously hit the newsletters for the next 3 years. Among its most noticeable attack vectors is the adoption of 0-day vulnerability in Windows MSDT called Follina.

However, the FBI, in collaboration with a number of international law enforcement organizations, conducted Operation Duck Hunt, which resulted in the destruction of the QBot (QakBot) infrastructure in August 2023.

The FBI managed to penetrate the lair of a cybercriminal group and take possession of the computer of one of its leaders. After this through the gaming platform of QBot FBI sent out a botnet destruction program to the affected devices. After which the malware was removed from more than 700 thousand infected devices around the world. But, as we see, the legacy of the botnet QBot lives on.

The post DarkGate and Pikabot Copy the QakBot Malware appeared first on Gridinsoft Blog.

What is Phobos ransomware?

Phobos ransomware emerged in 2018 as a ransomware-as-a-service (RaaS), an offshoot of the Crysis ransomware family. The RaaS model allows one group of hackers to develop ransomware. At the same time, other attackers act as affiliates, distributing the program and encrypting information on compromised devices. However, the group of virus developers owns the encryption key and is engaged in communications with victims.

Over the past 5 years, Phobos has not become a star in the world of cyber threats with a turnover of millions of dollars. Although it had its “15 minutes of fame”. It is a rare example of ransomware family that targets both users and companies, albeit preferring small ones. According to the ID Ransomware service, in 2023 it will account for 4% of all calls to the service.

Phobos Mocks Up VX-Underground

This week, ransomware hunters discovered a new version of Phobos, which claims to be developed by the VX-Underground community. When encrypting files, the malware adds the string .id[unique_id].[staff@vx-underground.org].VXUG to the file name. The email is the real address of the community, and the extension “VXUG” is a commonly used abbreviation for VX-Underground.

Once encryption is complete, Phobos creates ransom messages on the Windows desktop and other places. One of them is a ransom text message called “Buy Black Mass Volume II.txt“. The latter is the latest book released by the VXUG researchers.

Another ransom note is a file named “Buy Black Mass Volume II.hta“, a standard ransom note from Phobos, designed using the VX-Underground logo, name and contact information.

That is, victims are not provided with a real address where they can contact cybercriminals. This once again confirms the futility of any negotiations with hacker groups.

The reaction of VX-Underground, however, turned out to be consistent with the barbs of cybercriminals.

Cybersecurity Specialists Under Attack

While white and black hats practice their wits, let us remind you that threat actors participate in online communities dedicated to information security and even take part in discussions. For example, when REvil’s predecessor, the famous GandCrab malware, was released into the wild, the attackers named their servers after BleepingComputer, Emsisoft, ESET, and NoMoreRansom.

In 2016, the developer of the Apocalypse ransomware began inserting offensive comments about ransomware expert Fabian Vosar into Fabiansomware ransomware.

In 2021, Microsoft Exchange servers were attacked by the KrebsOnSecurity malware. Hackers exploited Proxylogon vulnerabilities on behalf of the famous information security expert Brian Krebs.

In summer 2022, the Azov Ransomware spread widely throughout the world through pirated software. The ransomware claimed to be created by BleepingComputer hacking and malware researchers Michael Gillespie and Vitaly Kremez, and asked victims to contact them to obtain a decryption key. The particular cynicism of cybercriminals was that just recently 36-year-old cybersecurity researcher and ethical hacker Vitaly Kremez died while scuba diving off the coast of Hollywood Beach in Florida. Cybersecurity experts have also warned that hackers sometimes impersonate well-known cybersecurity companies in phishing campaigns in an attempt to gain access to corporate networks.

Phishing emails from these attackers contained links to landing pages where victims’ credentials were stolen, or were “packed” with malicious attachments that were used to install malware if opened. If your goal is the security of information, then you are at risk and often a priority target for hackers. Appreciate information security specialists and their efforts – they are the “thin red line” that protects you from chaos and criminal lawlessness in cyberspace.

The post Phobos Ransomware Mimics VX-Underground Researchers appeared first on Gridinsoft Blog.

The Reptar vulnerability can be used to escalate privileges, gain access to sensitive information, and cause denial of service. However, at least its fixing does not require intervention at the hardware level, as was in the case of an LVI attack.

Reptar Vulnerability in Intel CPUs Allow for Privileges Escalation

The vulnerability, discovered by Intel engineers themselves, has received the identifier CVE-2023-23583 and is described as an “REX prefix issue”.

Initially, it was believed that the error could be used only to provoke a denial of service. The vulnerability received only a CVSS score of 5.5. Intel initially planned to release a patch for it in March 2024.

However, deeper analysis showed that there was a way to exploit the bug to escalate privileges. And Intel moved the release date of the patch to November 2023. As a result, the vulnerability rating was changed to 8.8 points on the CVSS scale.

Intel does not expect any non-malware software to encounter this problem in the real world. It is expected that redundant REX prefixes will not be present in the code and will not be generated by compilers.

Malicious exploitation of the Reptar issue requires the execution of arbitrary code. Also, as a part of an internal review Intel identified the possibility of privilege escalation in certain scenarios.

Systems with affected processors, including Alder Lake, Raptor Lake and Sapphire Rapids, have already received updated firmware, and these patches do not impact performance.

Other Threats to Intel Processors

The history of Windows processor problems is quite rich. We also wrote about the Snoop attack, which can stop processors. And about the Platypus attack, which could be used by attackers to steal data. And also about problems with Active Management Technology (AMT) and Intel Standard Manageability (ISM).

However, earlier this year the media also wrote about one of the most serious errors in the history of Intel processors. It was CVE-2021-39296 issue (10 out of 10 on the CVSS scale). This vulnerability affected the integrated BMC (Baseboard Management Controller) and OpenBMC firmware on several of the company’s platforms. The issue CVE-2021-39296, as its ID shows, was discovered back in 2021, but was fixed only two years later.

Are processor vulnerabilities that dangerous?

Problems with processors are usually perceived as painful due to the fact that they are everywhere. They are the basis of almost any electronic device. And an exploitable vulnerability in Intel or AMD products can make millions of users around the world dependent on the actions of attackers.

A complete list of Intel processors affected by the CVE-2023-23583 vulnerability, as well as recommendations for resolving it, are available here.

The post Reptar Vulnerability Threatens Intel Processors appeared first on Gridinsoft Blog.

CPU-Z Malware in the WindowsReport Page Clone

Recently, a wave of malicious ads on Google Search results page offered users a Trojan-infected version of the popular CPU-Z program. For better disguise, the malware was hosted on a clone site of the real news site WindowsReport. As the presence of the official site for the product is not that obvious for users, such a trick was quite effective.

By clicking on such an advertisement, the victim goes through a series of redirects that fooled Google’s security scanners and filtered out crawlers, VPNs, bots, etc., redirecting them to a special decoy site that did not contain anything malicious.

Users ended up on a fake news site hosted on one of the following domains:

• argenferia[.]com;
• realvnc[.]pro;
• corporatecomf[.]online;
• cilrix-corp[.]pro;
• thecoopmodel[.]com;
• winscp-apps[.]online;
• wireshark-app[.]online;
• cilrix-corporate[.]online;
• workspace-app[.]online.

The result of these manipulations is the chain attack, initiated with FakeBat malware. Further, this loader injects well-known RedLine infostealer – an old-timer of the scene.

What is RedLine Infostealer?

Downloading the CPU-Z installer from the attackers’ resource resulted in the download of an MSI file containing a malicious PowerShell script, which the researchers identified as the FakeBat malware loader (aka EugenLoader). This downloader extracted the Redline payload from a remote URL and launched it on the victim’s computer.

Redline is a powerful data theft tool that can steal passwords, session tokens, cookies, and vast amounts of other stuff. We have a dedicated article with the complete tech analysis of this malware – consider checking it out.

Earlier, we wrote about how cybercriminals distribute RedLine infostealer. It uses sites for downloading the fake MSI Afterburner utility. To distribute it, various domains were also used as part of the hacker campaign, which could be mistaken by users for the official MSI website. The imitation of brand resources was done quite well.

According to Google representatives, all malicious ads associated with the hacker campaign to distribute the infected CPU-Z tool have now been removed, and appropriate action has been taken against the accounts associated with them.

This is not the first time that hackers have used Google Ads

This exact malvertising campaign was discovered by analysts, who believe it is part of a previously observed campaign of a similar purpose. Previously, the attackers used fake Notepad++ advertisements to deliver the malware.

In the ads, the attackers promoted URLs that were clearly not associated with Notepad++, and used misleading titles in their ads. Since headers are much larger and visible than URLs, many people likely didn’t notice the catch.

Let me remind you that we talked about how malware operators and other hackers are increasingly using Google Ads to distribute malware to users who are looking for popular software. So, you can encounter malicious ads when searching for Slack, Grammarly, Dashlane, Audacity, and dozens of other programs.

The post Malicious CPU-Z Copy Is Spread In Google Search Ads appeared first on Gridinsoft Blog.

The decision was made last week following negotiations in Washington between Anne Neuberger, U.S. deputy national security adviser for cyber and emerging technologies, and her South Korean and Japanese colleagues.

As part of the initiative, regular quarterly meetings will be held in a new format.

North Korean hackers are state sponsored

North Korea is often accused of cyberattacks aimed at financing its missile and nuclear programs. As noted in a recent UN report, in 2022, hackers working for the DPRK were particularly likely to attack foreign companies to steal cryptocurrency. Thanks to high-tech methods, record amounts were stolen compared to previous years.

The UN said most of the cyberattacks its researchers looked at were carried out by groups controlled by North Korea’s top spy agency. These groups include Kimsuky, Lazarus Group and Andariel, and are monitored by the cybersecurity industry in the US, Europe and Asia.

For example, the media reported that the FBI has officially linked the hack of the Harmony Horizon cross-chain bridge to the Lazarus group. The robbery, which took place at summer 2022, resulted in theft of $100 million worth of cryptocurrency assets.

North Korea’s activity in the cyber threats has been growing over recent years

Aside from country-specific cyberattacks, North Korean hackers also launch supply chain attacks. For example, in April we reported that a group linked to the Asian dictatorship authorities attacked the supply chain of the company 3CX, which caused a number of other attacks on supply chains.

According to experts, the UNC4736 hackers were associated with the financially motivated hacker group Lazarus from North Korea.

We also talked about the hunt of North Korean cybercriminals for IT specialists. Attackers have sought to infect researchers’ home systems and software with malware aiming to infiltrate the networks of companies for which their targets work.

Government groups for this spy company switched from phishing emails to using fake LinkedIn accounts allegedly belonging to HR. These accounts carefully imitate the identities of real people in order to deceive victims and increase the chances of an attack being successful.

Having contacted the victim and made her an “interesting offer” for a job, the attackers try to transfer the conversation to WhatsApp, and then use either the messenger itself or email to deliver a backdoor, which the researchers called Plankwalk, as well as other malware.

North Korea as part of a new axis of evil

The North Korean regime is dangerous not only because it sponsors cyber attacks on Western enterprises and companies, and not only because of repression against its citizens and the testing of new missiles that threaten the democratic countries of the Pacific region.

Recently, the Russian and North Korean dictatorships agreed to supply Korean weapons for use during the Russian invasion of Ukraine. CNN reported that more than a million artillery shells were transferred to Russia as part of this agreement.

Therefore, news about the consolidation of efforts in the fight against regimes that carry out certain actions that violate human rights can only be welcomed. Cyberspace has become a battlefield not only against crime – the confrontation in cyberspace is already taking place at the interstate level.

The post North Korean Hackers Force US, Japan & South Korea Consultations appeared first on Gridinsoft Blog.

Conti Hackers Work in Akira Ransomware Group

As mentioned above, Akira mainly attacks small and medium-sized businesses, and companies around the world become victims of the ransomware, although hackers focus on targets in the United States and Canada. The gang typically infiltrates target Windows and Linux systems through VPN services, especially if users have not enabled multi-factor authentication. To gain access to victims’ devices, attackers use compromised credentials, which they most likely buy on the dark web.

Once the system is infected, Akira seeks to delete backups that can be used to restore data, and then the ransomware encrypts files with specific extensions, adding the “.akira” extension to each of them. The ransom note that the attackers leave in the system is written in English, but contains many errors. In this message, the group claims that they do not want to cause serious financial damage to the victim, and the amount of the ransom will be determined based on the income and savings of the affected company. Usually Akira demands a ransom of between $200,000 and $4,000,000.

Experts point out that Akira uses “double extortion” tactics, not only encrypting victims’ data, but also stealing information from compromised systems before encryption. After that, the attackers threaten to publish or sell this data to other criminals if they do not receive a ransom.

The Akira ransomware is in many ways similar to the Conti ransomware that was shut down a year ago, the researchers said. The malware ignores the same types of files and directories, and uses a similar encryption algorithm. But it should be borne in mind that at the beginning of 2022, the Conti sources were made publicly available, and now the attribution of attacks has become more difficult.

Back in June, Avast researchers released similar data about Akira’s likely connection to Conti, saying that the creators of the new ransomware were at least “inspired by the leaked Conti source codes.”

There were other news upon Conti members’ activities past the group dissolution. Conti operators participated in attacks on Ukrainian companies. It’s worth noting that earlier this month, Avast released a free decryption tool for files affected by Akira attacks. So far, the tool only works on Windows, and after its release, the malware operators changed the encryption procedure to prevent free file recovery.

Arctic Wolf researchers, in turn, focused on blockchain analysis and found three suspicious transactions in which Akira users transferred more than $600,000 to Conti-related addresses. According to experts, two discovered wallets have previously been linked to the management of Conti, and one of them received payments from several families of extortionists.

The post Conti Members Are Back in Action as Part of Akira Ransomware appeared first on Gridinsoft Blog.

In addition to the obvious security benefits, the new API will actually allow Google and site operators to effectively deal with ad blockers.

As you can easily guess from this introduction, the main goal of the project is to learn more about the person on the other side of the browser, to make sure that he is not a robot, and the browser has not been modified or faked in any way.

The developers say that such data will be useful for advertisers to count ad impressions, help fight bots on social networks, protect intellectual property rights, counter cheating in web games, and also increase the security of financial transactions.

That is, at first glance, the Web Environment Integrity API is designed as a security solution so that sites can detect malicious code modifications on the client side and disable malicious clients. The developers list several scenarios for the possible use of the new API:

1. detection of manipulation in social networks;
2. detection of bot traffic in ads to improve customer experience and access to web content;
3. detection of phishing campaigns (for example, Webview in malicious applications);
4. detection of mass takeover or account creation attempts;
5. detection of large-scale cheating in web games with fake clients;
6. Detection of compromised devices where user data may be at risk;
7. detecting account takeover attempts by guessing a password.

At the same time, the authors of the Web Integrity API write that they were inspired by “existing native attestation signals, including [Apple] App Attest and [Android] Play Integrity API.”

It’s worth clarifying here that Play Integrity (formerly SafetyNet) is an Android API that allows apps to find out if a device has been rooted. Root access allows you to take full control of the device, and many application developers do not like this. Therefore, after receiving the appropriate signal from the Android Integrity API, some types of applications may simply refuse to start.

As a rule, banking applications, Google Wallet, online games, Snapchat, as well as some multimedia applications (for example, Netflix) refuse to work in such cases. After all, it is believed that root access can be used to cheat in games or phish banking data. Although root access may also be needed to configure the device, remove malware, or create a backup system, Play Integrity does not consider such uses and in any case blocks access.

As experts now assume, Google aims to do the same across the Internet.

By Google’s design, during a web page transaction, the server may require the user to pass an environment attestation test before they receive any data. At this point, the browser will contact a third-party attestation server and the user will have to pass a certain test. If the verification is passed, the user receives a signed IntegrityToken that confirms the integrity of their environment and points to the content to be unlocked.

Then the token is transferred back to the server, and if the server trusts the tester company, then the content is unlocked, and the person finally gets access to the necessary data.

As many now assume, if the browser in this example is Chrome, and the attestation server is also owned by Google, then Google will decide whether or not to allow a person access to sites.

The company assures that Google is not going to use the described functionality to the detriment. Thus, the creators of the Web Integrity API “firmly believe” that their API should not be used for fingerprinting people, but at the same time they want to get “some kind of indicator that allows you to limit the speed in relation to the physical device.”

It also states that the company does not want to “interfere with browser functionality, including plugins and extensions.” Thus, the developers make it clear that they are allegedly not going to fight ad blockers, although the company has been working on the scandalous Manifest V3 for many years, whose goal is precisely this. We, by the way, wrote how the developers will implement these rules. And the new API can be used to detect when an ad blocker is tampering with ad code. After that, the site operator will be free to simply stop providing services.

The discussion of this topic on the network has already provoked a wave of criticism against Google, and the project has been dubbed DRM for the Internet. For example, developers, information security specialists, and ordinary users note that the Web Integrity API project intends to be hosted on GitHub by one of the developers, and Google is trying to distance itself from development that can literally poison existing web standards, helping the company save the advertising business.

The discussion on the project’s Issues page on GitHub also deals primarily with the ethical aspects of what is happening, and Google is accused of trying to become a monopolist in another area and “kill” ad blockers.

You might also be interested in our article on how Google membership rewards scam is a new popular type of online fraud.

The post Google Is Working on an Information Security Project Called Web Integrity API appeared first on Gridinsoft Blog.

In its report, Google highlights the importance of the AI red team, and also lists the different types of attacks on artificial intelligence that can be simulated by experts.

Specifically, the report looks at prompt engineering, which is an attack in which an attacker manipulates requests to AI to force the system to respond in the way it wants. In the theoretical example that the experts describe, a webmail application uses AI to automatically detect phishing emails and alert users. A large language model (LLM) is used to parse mail and classify it as safe or malicious.

An attacker who knows that AI is using phishing detection can add an invisible paragraph to their email (simply making the font white) containing instructions for LLM and forcing the AI to classify this email as safe.

Let me remind you that we wrote that AI has become a new effective tool for social engineering in the hands of cybercriminals, and also that Russian hackers are actively looking for ways to use ChatGPT.

Another example is related to data used for LLM training. Although the training data is usually well cleaned of personal and confidential information, the researchers explain that it is still possible to extract personal information from the LLM.

For example, training data can be used to abuse autocomplete. For example, an attacker can trick AI into providing information about a person using carefully crafted suggestions that the autocomplete feature will augment with training data known to it that contains sensitive information.

For example, an attacker enters the text: “John Doe has been missing work a lot lately. He can’t come to the office because…’ The autocomplete function, based on the training data it has, can complete the sentence with the words “he was interviewing for a new job.”

The report also discusses data poisoning attacks, in which an attacker manipulates LLM training data to affect the final results of its work. In this regard, it is emphasized that the protection of the supply chain is essential for the security of AI.

Google also explains that blocking access to LLM cannot be ignored either. In the example provided by the company, the student is given access to an LLM designed to evaluate essays. The model is able to prevent injection, but access to it is not blocked, which allows the student to teach the AI to always give the highest mark to works containing a certain word.

At the end of its report, Google recommends traditional red teams join forces with AI experts to create realistic simulations. It is also emphasized that even considering the results obtained by the red team experts can be a difficult task, and some problems are extremely difficult to solve.

It is worth noting that the company introduced an AI red team just a few weeks after the announcement of the Secure AI Framework (SAIF), designed to provide security in the development, use and protection of artificial intelligence systems.

As our colleagues wrote: even novice hackers can create malware prototypes using AI.

The post Google Creates a Red Team to Attack AI Systems appeared first on Gridinsoft Blog.

The original AsyncRAT (Remote Access Trojan) is designed to remotely monitor and control infected computers over a secure encrypted connection. Its “successor”, HotRat, has been active since at least October 2022, with most infections concentrated in Thailand, Guyana, Libya, Suriname, Mali, Pakistan, Cambodia, South Africa and India.

HotRat spreads by combining a malicious AutoHotkey script with various hacked software, which is usually available on torrent trackers. The script initiates the chain of infection and is designed to deactivate antiviruses on a compromised host, as well as launch the HotRat payload using the Visual Basic script loader.

Experts describe HotRat as a comprehensive RAT that supports nearly 20 commands, each of which executes a .NET module received from a remote server, which allows malware operators to extend its functionality as needed.

The media also wrote that the QBot Trojan can steal information from emails of users of infected systems.

The post Trojan HotRat Is Distributed through Pirated Versions of Software and Games appeared first on Gridinsoft Blog.

WooCommerce Payments is a popular WordPress plugin that allows websites to accept credit cards as a payment method in WooCommerce stores. According to official statistics, the plugin has over 600,000 active installations.

By the way, we wrote that this plugin was recognized as one of the most vulnerable, and also reported that the Woocommerce store was attacked by web skimmers. Let me also remind you of very fresh attacks on the Elementor Pro plugin.

In March of this year, the developers released an updated version of the plugin (5.6.2), which eliminated the critical vulnerability CVE-2023-28121. The vulnerability affected WooCommerce Payment version 4.8.0 and higher and was fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

Since the vulnerability allows anyone to impersonate a site administrator and take full control of WordPress, the company behind the development of the CMS, Automattic, forced updates to hundreds of thousands of sites running the popular payment system.

Then the creators of WooCommerce stated that they had no data about attacks on this vulnerability, but information security specialists warned that due to the critical nature of the error, hackers would certainly be interested in it.

Now researchers from RCE Security have analyzed the issue and published a technical report on CVE-2023-28121 on their blog, explaining exactly how the vulnerability can be exploited.

Attackers can simply add X-WCPAY-PLATFORM-CHECKOUT-USER to the request header and set it to the user ID of the account they wish to masquerade as, experts say. Given this header, WooCommerce Payments will treat the request as if it came from the specified ID, including all privileges for that user.

To its analysis, RCE Security attached a PoC exploit that uses a vulnerability to create a new administrator user on vulnerable sites and allows taking full control over the resource.

As a result, WordPress security company Wordfence warned this week that attackers are already exploiting the vulnerability as part of a massive campaign targeting more than 157,000 sites.

According to experts, the attackers use the exploit to install the WP Console plugin on vulnerable sites or create administrator accounts. On systems where the WP Console was installed, the attackers used a plugin to execute PHP code that installed a file uploader on the server and could subsequently be used as a backdoor even after the vulnerability was fixed.

To scan vulnerable WordPress sites, attackers try to access the /wp-content/plugins/woocommerce-payments/readme.txt file and, if it exists, proceed to exploit the vulnerability.

In their report, the researchers shared seven IP addresses from which the attacks are carried out, and especially highlighted the IP address 194.169.175.93, which crawled 213,212 sites.

Site owners are encouraged to update WooCommerce Payment as soon as possible if they haven’t done already, and to check their resources for unusual PHP files and suspicious admin accounts, removing any that can be found.

The post Vulnerability in WordPress Plugin WooCommerce Payments Is Actively Used to Hack Sites appeared first on Gridinsoft Blog.