At a glance.
- WordPress plug-in vulnerable to site-hijacking.
- Squid Game phishbait.
- Trickbot developer extradited to the US.
- Papua New Guinea's national financial system attacked.
- Exposed medical data weren't real patients' data.
OptinMonster API bugs allow site hijacking.
The threat intelligence experts at Wordfence detail multiple vulnerabilities they detected in OptinMonster, a WordPress lead-generation plugin used on over one million websites. The plugin's functionality relies heavily on API endpoints, but researchers found that most of its REST API endpoints were misconfigured, allowing unauthenticated users to reach them. Once in, attackers could access sensitive data or add malicious JavaScript to redirect site visitors to external malicious domains, or even hijack the site outright. OptinMonster was notified of the bug and worked quickly to release a patch the next day.
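The misconfiguration class Wordfence describes is a WordPress REST route that can be reached without authentication. The following added example (not OptinMonster's or Wordfence's code) shows such a registration beside a corrected one; the namespace "example-plugin/v1", the option name "example_campaign_js_", and the helper functions are hypothetical.

```php
<?php
/**
 * Added example, not code from OptinMonster or Wordfence. It shows the
 * WordPress REST API misconfiguration class described above (a route whose
 * permission_callback admits unauthenticated clients) beside a corrected
 * registration. Namespace "example-plugin/v1", the option prefix
 * "example_campaign_js_" and the example_* helpers are hypothetical.
 */

// VULNERABLE: '__return_true' makes the route public. Omitting
// permission_callback entirely has the same effect (WordPress only logs a
// _doing_it_wrong notice since 5.5), so an anonymous HTTP client could read
// settings and, through this endpoint, store JavaScript served to visitors.
function example_register_routes_insecure() {
    register_rest_route( 'example-plugin/v1', '/campaign/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE, // POST, PUT, PATCH
        'callback'            => 'example_update_campaign',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: the same route gated on an authenticated user holding the
// capability the action needs, with the route arguments validated and
// sanitized before the handler ever sees them.
function example_register_routes_secure() {
    register_rest_route( 'example-plugin/v1', '/campaign/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_campaign',
        'permission_callback' => 'example_can_edit_campaign',
        'args'                => array(
            'id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
                'sanitize_callback' => 'absint',
            ),
            'custom_js' => array(
                'type'              => 'string',
                'sanitize_callback' => function ( $value ) {
                    // Only users allowed to publish unfiltered HTML may store raw script.
                    return current_user_can( 'unfiltered_html' ) ? (string) $value : '';
                },
            ),
        ),
    ) );
}

// Permission callback: return true, or a WP_Error whose status is 401 for
// anonymous callers and 403 for authenticated users lacking the capability.
function example_can_edit_campaign( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to modify campaigns.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Handler shared by both registrations: the security property comes from
// the registration, not from anything the handler does.
function example_update_campaign( WP_REST_Request $request ) {
    $id = (int) $request['id'];
    $js = (string) $request->get_param( 'custom_js' );
    update_option( 'example_campaign_js_' . $id, $js );
    return rest_ensure_response( array( 'id' => $id, 'updated' => true ) );
}

add_action( 'rest_api_init', 'example_register_routes_secure' );
```

Two points a site owner auditing installed plugins will want: cookie-authenticated REST requests must also carry a valid `X-WP-Nonce` header, otherwise WordPress treats them as unauthenticated and `current_user_can()` fails closed, which is the behaviour you want; and a quick `grep -rn "permission_callback" wp-content/plugins/ | grep __return_true` lists every route a plugin has deliberately made public, each of which deserves a second look at what its handler exposes.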
Uriel Maimon, senior director of emerging technologies at cybersecurity firm PerimeterX, observes that WordPress's commanding market position makes it an attractive target:
"With more than 30 percent of the web currently powered by WordPress, it remains an attractive target for attackers. This current flaw that allows unauthorized API access and sensitive information disclosure on roughly a million WordPress sites could allow attackers to inject malicious JavaScript code into exposed websites. Attackers can then plant malware, steal data and hijack users to nefarious sites. Without continuous visibility and control of the changes made to JavaScript code on websites, any business that relies on a supply chain of third-party scripts could suffer the same fate."
Netflix and chill just became a little riskier.
Proofpoint examines a phishing operation from threat group TA575 that's capitalizing on pop culture by using access to Squid Game, Netflix's latest streaming sensation, as bait. The scammers send emails to targets offering early access to a new season of the chart-topping series, or even the opportunity to audition for a part in the cast. Thousands of these fraudulent emails have been sent, predominantly to US targets across all industries. The message directs the victim to complete an attached Excel document embedded with macros that, when enabled, deploy the Dridex banking Trojan, which can facilitate data theft or the installation of further malware. TA575 has been known to use the communications platform Discord to host and distribute Dridex.
Trickbot developer arrested by US DOJ.
Reuters reports that a Russian national was extradited from South Korea to the state of Ohio for his suspected role in the Trickbot ransomware group. The US Department of Justice states that Vladimir Dunaev appeared in federal court yesterday to face charges for allegedly working as a developer for the cybercrime organization, including managing execution of the malware, developing browser modifications, and helping the malware evade detection by security software. Trickbot is known to employ a network of freelance programmers to support its activities, which have led to ransomware attacks on millions of computer systems all over the world. Deputy Attorney General Lisa O. Monaco stated, "This is the second overseas Trickbot defendant arrested in recent months, making clear that, with our international partners, the Department of Justice can and will capture cyber criminals around the world." She added that the arrest was aided by the Department's recently established Ransomware and Digital Extortion Task Force.
Papua New Guinea national finance platform hit by ransomware.
The finance department of Papua New Guinea has disclosed that its Integrated Financial Management System (IFMS) was targeted by ransomware attackers. The IFMS platform processes the budget and accounting for all departments of the government and controls access to foreign aid funds totaling millions of dollars. According to finance minister and acting treasurer John Pundari, the department did not pay the requested ransom and the IFMS has been fully restored, but “because of the risk, we are playing safe by not allowing full usage of the affected network.” People familiar with Papua New Guinea’s data security told Bloomberg that the government’s network systems are plagued with vulnerabilities that could allow intrusion. Jonathan Pryke, director of the Lowy Institute’s Pacific Islands Program, said PNG’s financial difficulties are an obstacle to developing strong cybersecurity infrastructure: “The systems are so exposed anyway that you really have to start over from the bottom up and that would be a huge investment. But in the pantheon of PNG priorities, it’s nowhere near the top.”
Trevor Morgan, product manager at comforte AG, sees Papua New Guinea's experience as one that any nation's financial system might undergo:
"The recent ransomware incident affecting Papua New Guinea's finance department underscores a harsh reality that every governmental agency must confront: a ransomware attack isn't just a remote possibility but rather a likely imminent event. Being able to shut down operations, encrypt critical operational data, and cause general mayhem in the delivery of governmental services are the main goals of the threat actors behind these attacks. Why? Putting organizations under a harsh public spotlight as these events unfold puts incredible pressure on them to pay a ransom as the most expedient mitigating tactic.
"A better course of action than relying on paying a ransom is to prepare for this eventuality with robust recovery capabilities (tools and processes) combined with proactive data-centric protection. The former restores the IT and data environment to a pre-breach state, while the latter ensures that threat actors can't exfiltrate sensitive data and use that compromised information as further leverage. Data-centric security methods such as tokenization and format-preserving encryption protect the data itself rather than the environment around it. Even if hackers get their hands on data, they can't blackmail organizations with the threat of imminent release of that data. And that's what ransomware is all about—blackmail. Don't let that happen to your organization. Accept the eventuality and prepare accordingly."
Update on a case of medical data exposure: the data weren't real patient data.
Researchers at Website Planet reported discovering an unsecured database containing nearly 900 million records of medical data connected to Deep6.AI. They notified Deep6.AI about the exposure and the company swiftly secured the database, which was in any case not connected to production systems.
The data in question were from a test database containing dummy data. No actual personal data were exposed. Deep6 explains what occurred, and they've confirmed that "there was no access to real patient records":
"Despite recent claims, no personal or patient health data was accessed, leaked or at risk from a Deep 6 AI proof-of-concept database.
"In August, a security researcher accessed a test environment that contained dummy data from MIT's Medical Information Mart of Intensive Care (MIMIC) system, an industry standard source for de-identified health-related test data. To confirm, no real patient data or records were included in this ephemeral test environment, and it was completely isolated from our production systems.
"Based on current reporting, we have confirmed that the recent claims reference MIMIC data, and there was no access to real patient records. When the researcher notified us in August, we immediately secured the test environment to ensure there was no further concern.
"Data security and privacy is a top priority at Deep 6 AI, and the responsibility to protect data is at the core of our business and top-of-mind for all our people."
Thus, again, only test data were involved, not information about actual patients or their treatment.