Outdated WordPress plugin abused to deploy backdoors

WordPress is a popular open-sourced content management system (CMS). An outdated WordPress plugin known, Eval PHP enables site administrators to insert PHP code into posts and pages of WordPress websites, which is then executed when the page is loaded in the browser. The “eval” function was originally used to execute arbitrary PHP code, which can be useful in certain contexts, such as when creating dynamic templates or customizing functionality. The plugin is still available on the WordPress plugins repository despite not receiving any updates in the last ten years.

However, attackers are injecting backdoors into websites using the legitimate but outdated WordPress plugin known as Eval PHP. A sudden spike in the number of installations for the plugin was observed in April 2023. The attackers sneakily install the vulnerable plugin, which is available on the official WordPress plugin repository, on an already compromised website.

All WordPress administrators are advised by Accorian to check for the presence of Eval PHP, particularly if they did not install the plugin themselves. The presence of this plugin on a website indicates that it is compromised and may contain backdoors. To prevent any exploitation, admins should remove the plugin if found and protect the account by implementing robust WAF and 2FA. It is also recommended to keep the site up to date with the latest updates.

Source: https://blog.sucuri.net/2023/04/massive-abuse-of-abandoned-evalphp-wordpress-plugin.html

Threat Advisory Team

Accorian

Article

Critical Zero-day vulnerability in Microsoft Outlook

Microsoft recently released a patch for a new privilege escalation vulnerability (CVE-2023-23397) that impacts all versions of Microsoft Outlook on Windows. The vulnerability is being tracked as CVE-2023-23397 and holds a CVSS score of 9.8. By sending a specially crafted email, an attacker can remotely obtain hashed passwords without the victim ever having to open them. Microsoft has now officially released patches for the vulnerability, but it has been exploited as a zero-day vulnerability in NTLM-relay attacks since mid-April 2022. Without the interaction of the user, an attacker can steal NTLM credentials by sending a malicious email. Exploitation takes place when the system's reminder is triggered, and Outlook is opened. According to Microsoft, by sending a message with an extended MAPI property and a UNC path to an SMB (TCP 445) share on a server under the attacker's control, an attacker can exploit the vulnerability to retrieve NTLM hashes. Accorian recommends that organizations update Microsoft Outlook for Windows as soon as possible. If not possible immediately, block outbound SMB (TCP port 445) and add users to the Protected Users group in Active Directory. This would limit the impact of the vulnerability. Accorian can help you identify the vulnerability in your environment. For more information. kindly reach out to us. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 Threat Advisory Team Accorian

Article

Exploit Publicly available for MS Word Remote Code Execution flaw

CVE-2023-21716, a heap corruption vulnerability that was patched by Microsoft as part of its February 2023 Patch Tuesday cycle, now has it's exploit publicly accessible. The vulnerability holds a CVSS score of 9.8 and can allow attackers to execute code remotely without needing any authentication. The flaw impacts several MS Office and SharePoint versions, as well as Microsoft 365 Apps for Enterprise. The vulnerability exists in Microsoft Word's RTF parser and is a heap corruption issue. Attackers can remotely execute code with the same level of privileges as the victim if successfully exploited. The flaw does not require prior authentication, attackers can simply send a decoy RTF file to the victim(s) via email. ‘Protected View’, a feature of Microsoft Office 2010 and later, helps to reduce the impact that a malicious document provided from untrusted sources might cause. As the vulnerability exists when ‘Protected View’ is in use, exploiting it would require an additional sandbox escape vulnerability to gain full privileges. Although Microsoft has released fixes for CVE-2023-21716, it is strongly advised that organizations patch right away because the Proof of Concept is now widely available. Microsoft has also issued temporary solutions for CVE-2023-21716. Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21716 Threat Advisory Team Accorian

Article

Critical Vulnerability found in Atlassian's Jira Service Management

A critical security flaw in Jira Service Management Server and Data Centre has been fixed by Atlassian. The flaw has been identified as CVE-2023-22501 (CVSS rating: 9.4) and is described as a case of broken authentication with a simple attack vector. An attacker could take advantage of the flaw to pose to another user and access affected instances without authorization. This vulnerability affects Jira Service Management Server and Data Centre versions 5.3.0 to 5.3.2 and 5.4.0 to 5.5.0, respectively. According to Atlassian, an attacker could gain access to signup tokens with write access to a User Directory and outgoing email enabled on a Jira Service Management instance. Users who have never signed into their accounts are sent the tokens. The tokens can be accessed in two ways: If the attacker has access to requests or issues on Jira that include these users, or If the attacker is forwarded or obtains access to emails containing a “View Request” link from these users. Particularly vulnerable in this case are bot accounts. Users who are synchronized to the Jira service by read-only User Directories or single sign-on (SSO) are unaffected, however instances with single sign-on, external customer accounts can be affected in projects in which anyone can make their own account. Atlassian further noted that the issue does not affect Jira sites hosted in the cloud using an atlassian[.]net domain, and no remedial action is necessary in this scenario. Accorian advises you to upgrade each of your impacted installations to 5.3.3, 5.4.2, 5.5.1, or 5.6.0 or later considering Atlassian products' recent emergence as an alluring attack vector. Source:https://confluence.atlassian.com/jira/jira-service-management-server-and-data-center-advisory-cve-2023-22501-1188786458.html Threat Advisory Team Accorian

Article

Git affected by remote code execution attacks

Recently, Git patched 2 critical vulnerabilities which could be used to launch remote code execution attacks. The issues have been assigned CVE-2022-23521 and CVE-2022-41903. The vulnerabilities affect Git versions up to and including Git 2.39. CVE-2022-23521 affects the gitattributes mechanism. When parsing gitattributes, multiple integer overflows can occur when there is a huge number of path patterns, or when the declared attribute names are huge. CVE-2022-41903, also a critical vulnerability regarding integer overflow, can be triggered directly by a user running a command which invokes the commit formatting machinery or can be triggered indirectly through the git archive. These integer overflows may result in arbitrary heap writes, which can result in remote code execution. It is recommended that users of Windows, macOS, and Linux/Unix download and install the most recent git release, which is v2.39.1. Disable the git archive in untrusted repositories if upgrading is unfeasible. Versions 15.7.5, 15.6.6, and 15.5.9 for GitLab Community Edition (CE) and Enterprise Edition (EE) have been issued, according to GitLab, to resolve the issues. Customers are urged to apply the fixes with immediate effect. Accorian assures to assist all its clients. Please feel free to reach out to us if you have any questions. Source: https://about.gitlab.com/releases/2023/01/17/critical-security-release-gitlab-15-7-5-released https://x41-dsec.de/security/research/news/2023/01/17/git-security-audit-ostif/ Threat Advisory Team Accorian

Article

Redigo - The Redis backdoor Malware

A new Go-based malware, Redigo, is used in an attack targeting Redis servers. Threat actors are exploiting a critical vulnerability, tracked as CVE-2022-0543, in Redis servers. The CVE-2022-0543 vulnerability affects Debian and Linux distributions and is a Lua sandbox escape vulnerability. The vulnerability, which was given a severity rating of 10, might be used by a remote attacker who can run any Lua script to potentially bypass the Lua sandbox and execute arbitrary code. Threat actors attempt to connect to the Redis server through port 6379 in the first step of the attack chain to learn more about the CPU architecture. The second use of the command is to download the newly discovered Redigo Malware. After downloading the malware file, the attackers elevate the permissions of the file to execute it. The Redigo malware, according to researchers, is being used by threat actors to infect Redis servers and add them to a botnet that they may then deploy to perform denial-of-service (DDoS) attacks, run cryptocurrency miners, or steal information from the servers. All the users who run Redis on Debian, Ubuntu, and possibly other Debian-based distros are advised to update their Redis package to the latest available version, as the vulnerability has already been fixed. Accorian is happy to assist you for any assistance you may require. Please feel free to reach out to us. Source: https://blog.aquasec.com/redigo-redis-backdoor-malware Threat Advisory Team Accorian

Threat Advisory