website security | Breaking Cybersecurity News | The Hacker News

Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a "critical patch" but deploy a backdoor instead. WordPress security company Patchstack described the activity as sophisticated and a variant of another campaign observed in December 2023 that employed a fake CVE ploy to breach sites running the popular content management system (CMS). Given the similarities in the phishing email lures, the bogus web pages, and the identical methods employed to conceal the malware, it's believed the latest attack wave is either the work of the same threat actor or it's a new cluster closely mimicking the earlier one. "They claim the targeted websites are impacted by a (non-existent) 'Unauthenticated Administrative Access' vulnerability, and they urge you to visit their phishing website, which uses an IDN homograph attack to disguise itself as the official WooComm...

A newly disclosed high-severity security flaw impacting OttoKit (formerly SureTriggers) has come under active exploitation within a few hours of public disclosure. The vulnerability, tracked as CVE-2025-3102 (CVSS score: 8.1), is an authorization bypass bug that could permit an attacker to create administrator accounts under certain conditions and take control of susceptible websites. "The SureTriggers: All-in-One Automation Platform plugin for WordPress is vulnerable to an authentication bypass leading to administrative account creation due to a missing empty value check on the 'secret_key' value in the 'autheticate_user' function in all versions up to, and including, 1.0.78," Wordfence's István Márton said . "This makes it possible for unauthenticated attackers to create administrator accounts on the target website when the plugin is installed and activated but not configured with an API key." Successful exploitation of the vulnerabilit...

Cybersecurity researchers have disclosed details of an artificial intelligence (AI) powered platform called AkiraBot that's used to spam website chats, comment sections, and contact forms to promote dubious search engine optimization (SEO) services such as Akira and ServicewrapGO. "AkiraBot has targeted more than 400,000 websites and successfully spammed at least 80,000 websites since September 2024," SentinelOne researchers Alex Delamotte and Jim Walter said in a report shared with The Hacker News. "The bot uses OpenAI to generate custom outreach messages based on the purpose of the website." Targets of the activity include contact forms and chat widgets present in small to medium-sized business websites, with the framework sharing spam content generated using OpenAI's large language models (LLMs). What makes the "sprawling" Python-based tool stand apart is its ability to craft content such that it can bypass spam filters. It's believe...

Threat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins , refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the admin dashboard. This also makes the directory an ideal location for staging malware. "This approach represents a concerning trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and easier for users to ignore during routine security checks," Sucuri researcher Puja Srivastava said in an analysis. In the incidents analyzed by the website security company, three different kinds of rogue PHP code have been discovered in the directory - "wp-content/mu-plugins/redirect.php," ...

An ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu Anand said in a new analysis. As of writing, there are over 135,800 sites containing the JavaScript payload, per statistics from PublicWWW. As documented by the website security company last month, the campaign involves infecting websites with malicious JavaScript that's designed to hijack the user's browser window to redirect site visitors to pages promoting gambling platforms. The redirections have been found to occur via JavaScript hosted on five different domains (e.g., "zuizhongyj[.]com") that, in turn, serve the main payload responsible for performing...

Over 1,000 websites powered by WordPress have been infected with a third-party JavaScript code that injects four separate backdoors. "Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed," c/side researcher Himanshu Anand said in a Wednesday analysis. The malicious JavaScript code has been found to be served via cdn.csyndication[.]com. As of writing, as many as 908 websites contain references to the domain in question. The functions of the four backdoors are explained below - Backdoor 1, which uploads and installs a fake plugin named "Ultra SEO Processor," which is then used to execute attacker-issued commands Backdoor 2, which injects malicious JavaScript into wp-config.php Backdoor 3, which adds an attacker-controlled SSH key to the ~/.ssh/authorized_keys file so as to allow persistent remote access to the machine Backdoor 4, which is designed to execute remote commands and fetches anot...

A cross-site scripting (XSS) vulnerability in a virtual tour framework has been weaponized by malicious actors to inject malicious scripts across hundreds of websites with the goal of manipulating search results and fueling a spam ads campaign at scale. Security researcher Oleg Zaytsev, in a report shared with The Hacker News, said the campaign – dubbed 360XSS – affected over 350 websites, including government portals, U.S. state government sites, American universities, major hotel chains, news outlets, car dealerships, and several Fortune 500 companies. "This wasn't just a spam operation," the researcher said . "It was an industrial-scale abuse of trusted domains." All these websites have one thing in common: A popular framework called Krpano that's used to embed 360° images and videos to facilitate interactive virtual tours and VR experiences.  Zaytsev said he stumbled upon the campaign after coming across a pornography-related ad listed on Google ...

Are your websites leaking sensitive data? New research reveals that 45% of third-party apps access user info without proper authorization, and 53% of risk exposures in Retail are due to the excessive use of tracking tools. Learn how to uncover and mitigate these hidden threats and risks—download the full report here . New research by web exposure management specialist Reflectiz reveals several alarming findings about the high number of website vulnerabilities organizations across many industries are needlessly exposing themselves to. For instance, one standout statistic from the report is that 45% of third-party applications access sensitive user information without good reason . Although third-party apps may be essential for marketing and functionality purposes, not all of them need access to the kind of personal and financial user information that cybercriminals are hunting for. It's safer to limit apps' access to it on a need-to-know basis. For the report, Reflectiz gathere...

A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site. The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The software is installed on over 4 million WordPress sites.  "The vulnerability is scriptable, meaning that it can be turned into a large-scale automated attack, targeting WordPress websites," Wordfence security researcher István Márton said . Following responsible disclosure on November 6, 2024, the shortcoming has been patched in version 9.1.2 released a week later. This risk of possible abuse has prompted the plugin maintainers to work with WordPress to force-update all sites running this plugin prior to public disclosure. According to Wordfence, the authentication bypass vulnerabilit...

The maintainers of the Jetpack WordPress plugin have released a security update to remediate a critical vulnerability that could allow logged-in users to access forms submitted by others on a site. Jetpack, owned by WordPress maker Automattic, is an all-in-one plugin that offers a comprehensive suite of tools to improve site safety, performance, and traffic growth. It's used on 27 million WordPress sites, according to its website . The issue is said to have been identified by Jetpack during an internal security audit and has persisted since version 3.9.9, released in 2016. The vulnerability resides in the Contact Form feature in Jetpack, and "could be used by any logged in users on a site to read forms submitted by visitors on the site," Jetpack's Jeremy Herve said . Jetpack said it's worked closely with the WordPress.org Security Team to automatically update the plugin to a safe version on installed sites. The shortcoming has been addressed in the followi...

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions. The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting ( XSS ) vulnerability impacting all versions of the plugin up to and including 6.5.0.2. It was addressed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou. "It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack said in a report.  The flaw stems from the manner in which the plugin the "X-LSCACHE-VARY-VALUE" HTTP header value is parsed without adequate sanitization and output escaping, thereby allowing for injection of arbitrary web scripts. That said, it's worth poi...

Cybersecurity researchers have discovered yet another critical security flaw in the LiteSpeed Cache plugin for WordPress that could allow unauthenticated users to take control of arbitrary accounts. The vulnerability, tracked as CVE-2024-44000 (CVSS score: 7.5), impacts versions before and including 6.4.1. It has been addressed in version 6.5.0.1.  "The plugin suffers from an unauthenticated account takeover vulnerability which allows any unauthenticated visitor to gain authentication access to any logged-in users and at worst can gain access to an Administrator level role after which malicious plugins could be uploaded and installed," Patchstack researcher Rafie Muhammad said . The discovery follows an extensive security analysis of the plugin, which previously led to the identification of a critical privilege escalation flaw ( CVE-2024-28000 , CVSS score: 9.8). LiteSpeed Cache is a popular caching plugin for the WordPress ecosystem with over 5 million active installat...

Cybersecurity researchers have disclosed a critical security flaw in the LiteSpeed Cache plugin for WordPress that could permit unauthenticated users to gain administrator privileges. "The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain Administrator level access after which malicious plugins could be uploaded and installed," Patchstack's Rafie Muhammad said in a Wednesday report. The vulnerability, tracked as CVE-2024-28000 (CVSS score: 9.8), has been patched in version 6.4 of the plugin released on August 13, 2024. It impacts all versions of the plugin, including and prior to 6.3.0.1. LiteSpeed Cache is one of the most widely used caching plugins in WordPress with over five million active installations. In a nutshell, CVE-2024-28000 makes it possible for an unauthenticated attacker to spoof their user ID and register as an administrative-level user, effectively granting them privileges to...

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information. The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said. The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic[.]com," which was registered in February 2024. "Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said . This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstra...

Google has announced that it's going to start blocking websites that use certificates from Entrust starting around November 1, 2024, in its Chrome browser, citing compliance failures and the certificate authority's inability to address security issues in a timely manner. "Over the past several years, publicly disclosed incident reports highlighted a pattern of concerning behaviors by Entrust that fall short of the above expectations, and has eroded confidence in their competence, reliability, and integrity as a publicly-trusted [ certificate authority ] owner," Google's Chrome security team said . To that end, the tech giant said it intends to no longer trust TLS server authentication certificates from Entrust starting with Chrome browser versions 127 and higher by default. However, it said that these settings can be overridden by Chrome users and enterprise customers should they wish to do so. Google further noted that certificate authorities play a privil...

Multiple content management system (CMS) platforms like WordPress, Magento, and OpenCart have been targeted by a new credit card web skimmer called Caesar Cipher Skimmer. A web skimmer refers to malware that is injected into e-commerce sites with the goal of stealing financial and payment information .  According to Sucuri, the latest campaign entails making malicious modifications to the checkout PHP file associated with the WooCommerce plugin for WordPress ("form-checkout.php") to steal credit card details. "For the past few months, the injections have been changed to look less suspicious than a long obfuscated script," security researcher Ben Martin said , noting the malware's attempt to masquerade as Google Analytics and Google Tag Manager. Specifically, it utilizes the same substitution mechanism employed in Caesar cipher to encode the malicious piece of code into a garbled string and conceal the external domain that's used to host the payload. ...

In today's rapidly evolving digital landscape, the threat of Distributed Denial of Service (DDoS) attacks looms more significant than ever. As these cyber threats grow in sophistication, understanding and countering them becomes crucial for any business seeking to protect its online presence. To address this urgent need, we are thrilled to announce our upcoming webinar, " Uncovering Contemporary DDoS Attack Tactics—How to Fight Back ," featuring the expertise of Andrey Slastenov, Head of Security at Gcore. What You Will Learn: Understanding the Threat:  Explore the escalated risks DDoS attacks pose to your business, including recent advancements in attack strategies like IoT botnets and amplification tactics. Real-World Consequences:  Hear firsthand accounts of businesses that faced these attacks and the impacts on their operations and reputation. Proactive Defense Strategies:  Learn actionable steps to enhance your cybersecurity posture and effectively mitigate po...

A new malware campaign is leveraging a high-severity security flaw in the Popup Builder plugin for WordPress to inject malicious JavaScript code. According to Sucuri, the campaign has  infected more than 3,900 sites  over the past three weeks. "These attacks are orchestrated from domains less than a month old, with registrations dating back to February 12th, 2024," security researcher Puja Srivastava  said  in a report dated March 7. Infection sequences involve the exploitation of CVE-2023-6000, a security vulnerability in Popup Builder that could be exploited to create rogue admin users and install arbitrary plugins. The shortcoming was exploited as part of a  Balada Injector campaign  earlier this January, compromising no less than 7,000 sites. The latest set of attacks lead to the injection of malicious code, which comes in two different variants and is designed to redirect site visitors to other sites such as phishing and scam pages. WordPress s...