A wide-ranging campaign to inject malicious code into WordPress-run websites has been ongoing for at least five years.

At least 1 million websites that run on WordPress have been infected by a campaign that uses rafts of WordPress plug-in and theme vulnerabilities to inject malicious code into sites, including a hefty number of zero-days.

According to research from Sucuri, the campaign, which the firm dubbed "Balada Injector," is not only prolific but also Methuselah-like in its longevity, slamming victim sites with malware since at least 2017. Once injected into the site, the bad code redirects website visitors to a panoply of scam sites, including fake tech support, fraudulent lottery wins, and push notifications asking for Captcha solutions.

Behind the scenes, though, injected scripts search for various files that could contain any sensitive or potentially useful information, such as access log files, error logs, files with debug information, database administration tools, administrator credentials, and more. They also load backdoors into the sites for persistent access and in some cases, site takeover.

While the 1 million stat is the number of sites collectively infected in the last five years, researchers only recently tied all of the activity into one operation. Going forward, the campaign shows no signs of slowing down.

"In 2022 alone, our external website scanner SiteCheck detected this malware over 141,000 times, with more than 67% of websites with blocklisted resources loading scripts from known Balada Injector domains," Sucuri researchers noted in a blog post.

**A Focus on WordPress Plug-in & Theme Vulnerabilities**

The Balada Injector campaign has a few instantly recognizable hallmarks that allowed Sucuri researchers to bring all of the observed activity under one attribution umbrella. These include uploading and leaving multiple backdoors throughout the compromised environment; using a rotating roster of domain names where malicious scripts are hosted on random subdomains; and the spammy redirects.

But perhaps most notably, the operators of Balada Injector make very good use of security vulnerabilities in WordPress plug-ins and themes. These types of modular add-ons to the main WordPress content management system (CMS) allow site admins to add various kinds of functionality, such as polling capability, message board support, or click-to-call integration for e-commerce outfits.

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible," according to the Sucuri analysis. "This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes undisclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures."

In fact, this bug-centric strategy dictates the cadence of the attacks — Sucuri has been tracking fresh waves of activity occurring every couple of weeks, with lulls in between that are "probably utilized for gathering and testing newly reported and zero-day vulnerabilities."

Further, older vulnerabilities are part of the mix as well, with some remaining in use by the campaign for months and years after being patched.

**Targeting the WordPress Ecosystem**

The WordPress landscape is a popular target for cybercriminals of all stripes, helped along by the fact that the plug-in ecosystem is notoriously buggy.

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today," says Casey Ellis, founder and CTO at the Bugcrowd bug bounty platform. "The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs."

iThemes, a firm that tracks plug-in ecosystem flaws on a weekly basis, tallied 37 newly disclosed and patched plug-in vulnerabilities (and one theme vulnerability) for the week of March 15, affecting more than 6 million WordPress sites. It also counted 27 plug-in vulnerabilities (and three theme vulnerabilities) with no patch available yet. And those significant numbers are not unusual.

In all, iThemes identified a total of 1,425 disclosed WordPress plug-in and theme vulnerabilities in 2022 — and in any given week, 20 to 50 individual plug-ins and themes experienced at least one vulnerability, with a monthly average of 121 individual plug-ins and themes that had at least one vulnerability emerge.

iThemes' report also noted that vulnerable WordPress plug-ins and themes are the No. 1 reason WordPress sites get hacked.

"WordPress definitely needs updating on a regular basis, more so if you have a website that has a lot of plug-ins and third-party code, and this is one of many examples where security ends up being just that little bit too difficult for the average user who's also trying to run a business," Ellis notes.

**Protecting Against WordPress Plug-in Insecurity**

In order to protect against Balada Injector and other WordPress threats, organizations should first and foremost ensure that all of their website software is up-to-date, remove unused plug-ins and themes, and utilize a Web application firewall.

Mike Parkin, senior technical engineer at Vulcan Cyber, explains that the ability to add plug-ins easily to WordPress from official download stores (much like the mobile app ecosystem) adds to the security issue, so education for the Web team around the dangers of installing unvetted modules is also a must.

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says.

Even large organizations aren't immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team," he says. "Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work."

1M+ WordPress Sites Hacked via Zero-Day Plug-in Bugs

The April 2023 Patch Tuesday security update also included a reissue of a fix for a 10-year-old bug that a threat actor recently exploited in the supply chain attack on 3CX.

Microsoft's Patch Tuesday security update for April 2023 contains patches for 97 CVEs, including one zero-day bug under active exploit in ransomware attacks, another that's a reissue of a fix for a flaw from 2013 that a threat actor recently exploited in a supply chain attack on 3CX, and a wormable bug rated critical in severity.

Microsoft identified a total of seven of the bugs it fixed this month as being of critical severity, which typically means organizations need to make them a top priority from a patch implementation standpoint.

**Zero-Day Used in Ransomware Attacks**

Nearly half, or 45, of the vulnerabilities in the April update enable remote code execution (RCE), a significant uptick from the average of 33 RCE bugs that Microsoft has reported in each of the previous three months. Even so, the company rated nearly 90% of the CVEs in the latest batch as bugs that cyberattackers are less likely to exploit — just 9% are characterized as flaws that threat actors are more likely to exploit.

The zero-day bug, tracked as CVE-2023-28252, is an elevation-of-privilege vulnerability in the Windows Common Log File System (CLFS) that affects all supported versions of Windows 10 and Windows Server. It is the second CLFS zero day in recent months — the other was CVE-2022-37969 — and it gives adversaries who already have access to the platform a way to gain highly privileged system-level privileges. 

"This vulnerability leverages existing system access to actively exploit a device and is a result of how the CLFS driver interacts with objects in memory on a system," said Gina Geisel, a security researcher at Automox. To exploit the flaw, an attacker would need to log in to a system and then execute a malicious binary to elevate privileges. 

"Automox recommends patch deployment within 24 hours since this is an actively exploited zero-day," Geisel said in emailed comments to Dark Reading.

In a blog post issued in tandem with Microsoft's update, Kaspersky said its researchers had observed a threat actor exploiting CVE-2023-28252 to deliver Nokoyawa ransomware on systems belonging to small and midsized organizations in North America, the Middle East, and Asia. The security vendor's analysis shows that the exploits are similar to already-known driver exploits targeting CLFS. 

"The exploit was highly obfuscated with more than 80% of its code being 'junk' elegantly compiled into the binary," according to the analysis. Kaspersky researchers said they reported the bug to Microsoft after observing an adversary using it in ransomware attacks in February.

**A Patch From the Past**

Another patch in Microsoft's April update that researchers are recommending organizations pay attention to is CVE-2013-3900, a 10-year-old signature validation vulnerability in the Windows WinVerifyTrust function. A threat actor — believed to be North Korea's Lazarus Group — recently exploited the flaw in a supply-chain attack on 3CX that resulted in malware landing on systems belonging to users of the company's video-conferencing software. 

When Microsoft released the patch in 2013, the company had decided to make it an opt-in patch because of the potential for the fix to cause problems for some organizations. With the April security update, Microsoft has made the fix available for more platforms and provide more recommendations for organizations on how to address the issue. 

"Definitely take the time to review all of the recommendations, including the information on the Microsoft Trusted Root Program, and take the actions needed to protect your environment," Dustin Childs, researcher with Trend Micro's Zero Day Initiative (ZDI) said in a blog post.

**A Slew of RCE Vulnerabilities**

Researchers identified two of the critical vulnerabilities in April's batch as needing immediate action. One of them is CVE-2023-21554. 

The bug affects Microsoft Message Queuing (MSMQ) technology and gives attackers a way to gain RCE by sending a specially crafted MSMQ packet to a MSMQ server. The vulnerability affects Windows 10, 11, and Server 2008-2022 systems that have the message queuing feature enabled on their systems, Automox researcher Peter Pflaster said in emailed comments. Administrators should consider applying Microsoft patch for the issue ASAP, since the company has noted that threat actors are more likely to exploit the vulnerability.

That's just one of two critical vulnerabilities affecting the Windows Message Queuing system that Microsoft fixed this week. The other is CVE-2023-28250, a vulnerability in Windows Pragmatic Multicast that, like CVE-2023-21554, has a base score of 9.8 and is potentially wormable. 

"This patch Tuesday MSFT fixed some critical flaws, of which we would recommend organizations to prioritize patching vulnerabilities those that are actively being exploited and wormable," said Bharat Jogi, director of vulnerability and threat Research, at Qualys.

The other critical vulnerability that needs immediate fixing is CVE-2023-28231, a RCE bug in the DHCP Server service. Microsoft has assessed the bug as another issue that attackers are more likely to try and weaponize. To exploit the bug, an attacker would need prior access on a network. But once on it, the adversary could initiate remote code execution on the DHCP server, according to Kevin Breen, director of cyber threat research at Immersive Labs. 

"Microsoft recommends that DHCP services are not installed on Domain Controllers, however, smaller organizations will commonly see DC and DHCP services co-located. In this instance the impact could be a lot higher," Breen warned in emailed comments. Attackers that have control over DHCP servers could wreak considerable havoc on the network including stealing credentials for software-as-a-service (SaaS) products, or to carry out machine-in-the-middle (MITM) attacks, he noted.

Microsoft Patches 97 CVEs, Including Zero-Day & Wormable Bugs

Azure admins are urged to disable shared key access and implement Azure Active Directory authentication.

Abuse of shared key authorizations, a default on Azure storage accounts, could allow a threat actor to steal higher privileged access tokens, move laterally throughout the network, and execute remote code, aka RCE.

Researchers at Orca were able to demonstrate how an attacker could breach Microsoft Storage Accounts, but Microsoft's Security Response Center (MSRC) chalked it up to a misconfiguration rather than a vulnerability. MRSC did offer guidance to users to appropriately configure Azure Functions and "effectively deploy environments with the least privilege." The company said it is planning to address the issue as part of its regular "experience improvements."

Orca researchers urge IT teams to take the issue seriously, and added that even though Microsoft doesn't consider the potential privilege escalation a vulnerability, "This does not mean that it is less dangerous," Orca's report said. "Actually, it should be considered even more dangerous since there is no straightforward 'fix'."

Administrators are advised by Microsoft to:

1.  Review user permissions to ensure least-privilege access
2.  Monitor logs for account key access
3.  Consider using a storage account dedicated to application code blob storage
4.  Enable Microsoft Defender for Cloud (MDC) on storage accounts

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Microsoft Azure Shared Key Misconfiguration Could Lead to RCE

Malware-as-a-service hackers from Spain decided to use a public code repository to openly advertise their wares.

Researchers have discovered malware peddlers advertising an info-stealer out in the open on the Python Package Index (PyPI) — the official, public repository for the Python programming language — with only the thinnest veneer of obfuscation.

The perpetrators — whom researchers from Sonatype associated with a Spain-based malware-as-aservice (MaaS) gang called SylexSquad — gave their program a not-so-subtle name: "reverse-shell." Reverse shells are programs that hackers commonly use to run commands remotely and receive data from targeted computers.

"I think what's quite funny about this is that it's just so blatant," says Dan Conn, developer advocate at Sonatype. "Perhaps SylexSquad were advertising themselves, or they simply didn't care about being caught."

However, their brazenness doesn't end there.

**Inside the 'reverse-shell' Data-Heisting Malware**

Sonatype researchers did a double-take when they found a package called "reverse-shell" uploaded to a public forum. "Why would someone name a malicious package in such an blatantly obvious way?" the researchers wondered in their Malware Monthly blog post.

The program turned out to be much more than a reverse shell, in fact. That became clear when the researchers examined one of its files, called "WindowsDefender.py."

WindowsDefender.py includes various obviously named functions, including get\_login\_data(), get\_web\_history(), get\_downloads(), get\_cookies(), get\_credit\_cards(), and ImageGrab.grab(). Per the theme, the hackers had not tried hard to conceal their intentions: this was malware designed to steal information.

"With no obfuscation, \[this\] appears to be ... a Discord bot that executes commands and performs actions on the infected machine," according to the analysis. "The malware can retrieve cookies, take screenshots, run shell commands, steal browsing history, and send all this data to the attacker's Discord channel."

Further answers lay in another file, "setup.py." Here, there were several Spanish-language instructions to "Clone GitHub repository and execute file," "replace with URL of your GitHub repository," and "path where you want to clone the repo" — an indication that reverse-shell was a MaaS product.

Further digging uncovered multiple "Made by SylexSquad" tags scattered in the code, some of which was lightly obfuscated. SylexSquad, the researchers found, was once a hacking marketplace operating over the Sellix e-commerce platform in 2022. It has since been shut down.

Publishing so openly to a public repo may have been a way for the group to intentionally draw attention to their product. "How do we know about groups like Anonymous or LulzSec or Killnet?" Conn asks, rhetorically. "It's because they get a reputation."

But PyPI holds much more value to them than that.

**Why Hackers Use Public Repos**

The SylexSquad attackers aren't the only miscreants utilizing forums like PyPI and GitHub, and there are many reasons for such brazenness, according to Sonatype.

"Hosting malicious files on a public repository provides bad actors more control over them," the researchers explained in their blog. "It gives them the power of deleting, upgrading, or even doing version control of the payload."

Among other benefits, "it allows the malware to be shared a lot more widely," Conn elaborates, "and it might actually trip up, in particular, a lot of antivirus software that uses generic signatures — like, actual bytes — to store whether something is malicious or not."

In other words, rather than delivering malware upfront — which antivirus scanners can pick up on quickly — hackers can simply link to their malicious code elsewhere: "By providing a link to a GitHub, they're maybe circumventing that check,"”" he notes.

Public repositories have protective measures in place to avoid becoming a hub for hackers. Still, even the best scanners and moderators aren't perfect, and they can't be everywhere at once.

"Hackers take certain measures like encoding or otherwise obfuscating the code they host, to make it a little bit more difficult for automated engines to pick up," Juan Aguirre, security researcher at Sonatype, points out. In this case, SylexSquad encoded their malicious script as numbers, using easily reversible ASCII codes corresponding to each character.

In this case, Sonatype reported the package to the PyPI maintainers and it was taken down. But "it's just a game of cat and mouse," Aguirre says. "Someone catches them and they just run to the next spot."

Aguirre views this story in light of a broader concern with open source software — that, as long as malware authors find use in public repositories, organizations must be aware of the kinds of packages they might be sweeping up.

"It's important to understand what it is that you're running," he concludes. "This is a great case for that. You have to have a bill of materials, you've got to know what you're doing, and what dependencies you're using. If you're just blindly installing things and grabbing code you see, things like this could very easily get into your system."

'Blatantly Obvious': Spyware Offered to Cyberattackers via PyPI Python Repository

Stepped-up recruiting efforts along with better work-life balance policies and mentoring and recruitment programs will help balance the scales.

The cybersecurity threat continues to rage, and much has already been said about the need for concerted, coordinated, and cohesive steps to combat the menace. A cybersecurity policy is necessary for all institutions, whether big or small, to ensure the entire organization moves in the right direction. This policy, in turn, needs cybersecurity professionals who envisage a strategy to keep the organizations' needs, strengths, and weaknesses in sight. It's no surprise to hear, therefore, that there is a shortage of such professionals. One of the quickest solutions to this 3.4 million shortage is to tap into the underrepresented demographic, women.

According to the International Information System Security Certification Consortium (PDF), women are only 24% of the workforce for cybersecurity professionals. However, the numbers go down to 5% for the Middle East and Africa. This disparity is ironic as it is women who face disproportional levels of online harassment and can contribute invaluable insights for the counteroffensive for many cybersecurity spaces. Consequently, there is a clear need to identify the pain points and decide on actionable measures to close the gender gap.

**Overcoming the Gender Gap**

Understanding the reasons for this gender gap is an excellent place to start. Some of the identified factors are "industry perception and culture, societal and family constraints, barriers to entry due to limited digital and cyber literacy, wage gaps, lower earning potential at every level, missed or delayed promotions, and a much harder path to reach the upper echelons of the corporate world." A glance at these factors reveals that they mirror the shackles faced by women a couple of decades ago for the regular workforce. As a result, learning from earlier successes can be a viable solution.

The first step should focus on building awareness for the industry as a whole and at a micro level so that the organization can understand the gap and take steps to address it. For example, Atos, an informational technology service, has created a strategy to rebalance its gender equity by improving shortlisting of women candidates by 20%, having 40% more women hires, and initiating 400% more mentorship programs for them. The latter is an important point, as mere hiring does not address the above-mentioned factors; women must be retained and allowed to grow into their roles.

Another factor hindering women in cybersecurity and general tech roles is the fear that they do not allow a good work-life balance. The Global Cybersecurity Forum is working to counteract such concerns by engaging girls with STEM. However, this engagement will remain an empty promise unless the industry reciprocates with better work-life balance policies and support for women professionals.

Mentoring is another technique for aiding women's retention in cybersecurity jobs. For example, the International Telecommunication Union has designed a learning program revolving around mentorship in cybersecurity to encourage more women to assume leadership roles in this sector. The program uses examples of existing leaders to set role models that can help create identification and aspiration in young women. Further, opportunities to network are also extended, which can be a gold mine of insights, support, and the formation of an industrywide offensive against online miscreants.

These measures are by no means the only actionable steps that can be devised to encourage and sustain more women in this industry. However, they do offer a starting point for tapping into this resource.

**Gender Equality Benefits**

As the drive to engage with women is initiated, it is equally essential to establish excellent reasons for this initiative among men. The advantages of bringing in gender equality extend beyond the need for finding more professionals to combat the cybersecurity threat. Research has shown that gender diversity supports better decision-making, with inclusive teams making better decisions 87% of the time. At a time when cybercriminals are growing bolder, using creativity to break down defenses, and demanding increasing amounts of ransomware, there has never been a greater need to come up with innovative solutions. A variety of perspectives can aid in holistic, better-designed solutions. With such benefits, it is natural to wonder what can be done by the state and the industry to encourage women into the fold.

Apart from assessing and recruiting women to balance the skewed ratio of men and women in cybersecurity roles, the industry can work toward building policies allowing women to take career breaks if they want. Initiatives like IBM's "returnship" program can support women to brush up on their skills and rejoin their career path after a pause. Mentoring has already been cited as an initiative already operationalized by industrial forums. Mentoring should be combined with a precise mapping of career paths for professionals. It can be further supported with events like hackathons for women, training programs focusing on skill gaps, and workshops leading conversations and discussions on the subject.

The US government can help with some of these events. It is already considering the benefits of encouraging female veterans into cybersecurity roles as they possess the skills and basic training to fit the bill. However, there is a long path in front of the state as the US government statistics show a lower-than-average presence of women in American cybersecurity professional roles. For the US government, the first steps need to be initiated closer home before they contemplate their role in building a foundation for catapulting women into the cybersecurity industry.

Where Are the Women? Making Cybersecurity More Inclusive

Incident response experts share their secrets for success when it comes to creating a professional-grade ransomware response playbook. Are you ready for the worst?

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

7 Things Your Ransomware Response Playbook Is Likely Missing

The campaign shrouds the commodity infostealer in OpenAI files in a play that aims to take advantage of the growing public interest in AI-based chatbots.

Cybercriminals are posting what appear to be legitimate sponsored ads on hijacked Facebook business and community pages, which promise free downloads of AI chatbots such as ChatGPT and Google Bard. Instead, users download the well-known, info-stealing malware called RedLine Stealer, the researchers have found.

RedLine Stealer is a malware-as-a-service (MaaS) platform sold via online hacker forums that targets browsers to collect various data saved by the user, including credentials and payment-card details, as well as taking a system inventory to assess the attack surface for performing further attacks. It also can perform other malicious functions besides just info stealing, such as uploading and downloading files, and executing commands. This gives attackers, even with limited sophistication, various options for performing a range of cyberattacks, researchers at Veriti said.

They spotted the recent campaign in January, which aims to take advantage of the growing popularity of emerging AI platforms, according to a report published April 11. The researchers then followed the campaign through its peak in March.

"These posts are designed to appear legitimate, using the buzz around OpenAI language models to trick unsuspecting users into downloading the files," Veriti researchers wrote in the report. "However, once the user downloads and extracts the file, the RedLine Stealer malware is activated and can steal passwords and download further malware onto the user's device."

The commodity malware is an inspired choice for the campaign considering it costs only $100 to $150 to buy it on the Dark Web, which gives attackers a significant return on investment (ROI) for their cybercriminal activity, the researchers said.

"In addition, by exploiting Facebook business accounts and their exposed passwords, the attackers were able to target a vast number of users and potentially gain access to sensitive information at a relatively low cost," the Veriti research team tells Dark Reading.

**Dangers of Trojanized AI Apps **

Soon after the AI-based chatbot ChatGPT came on the scene in November, the chatter began about the various ways attackers can exploit it for malicious purposes. While some believe that this threat is being overhyped, the RedLine campaign could be a sign of more related attacks on the horizon.

Rather than taking advantage of AI-based capabilities of the chatbots themselves, the attackers here take advantage of recent developments in the ability to package the AI in various forms, opening the door for creating trojanized downloads. 

"One of the most concerning risks associated with generative AI platforms is the ability to package the AI in a file (e.g., as mobile applications or as open source), which creates the perfect excuse for malicious actors to trick naïve downloaders," the researchers explained. 

The attackers in this case package RedLine Stealer into an OpenAI or Google Bard downloadable file, leading unsuspecting users to download the malware instead of the promised AI app that lured them to click on the post, the researchers said.

"The potential impact of such attacks is significant, as hackers could steal confidential data, compromise financial accounts, or even disrupt critical infrastructure," they wrote in the report. "Moreover, these attacks are becoming more sophisticated, making detecting and preventing them harder."

Dozens of Facebook business accounts in at least 10 countries already have been hijacked for the purpose of distributing RedLine Stealer through the malicious posts, the researchers said. Greece is the country where attackers reach the highest number of Facebook users, followed by India, the US, Mexico, and Bangladesh, according to the report.

However, the bulk of the campaign's "top attacks" took place in the US, where 77% of them occurred, according to the report. The country with the next-highest percentage of top attacks was Canada, with 9%, followed by Mexico (6%), India (4%), and Portugal (2%).

**Protecting the Enterprise From Malicious Downloads**

Veriti recommends a "comprehensive approach to cybersecurity" that includes educating employees on the risk of downloading and opening files from unknown sources, alongside "robust security configurations" to help avoid compromising enterprise systems if users inadvertently install an infostealer, such as Redline, on a corporate desktop.

One of the first steps organizations can take is to limit the download of executables and enforce strict policies that require sandboxing every executable before it is downloaded, the researchers said. "This can significantly reduce the risk of malicious files infecting a system," they tell Dark Reading.

Additionally, disabling data exfiltration can prevent attackers from stealing sensitive information, while enabling anti-malware can detect and remove malicious files before they can cause any damage, the researchers said.

However, researchers note that any measures to educate employees or set policies around files downloaded from the Internet "should complement an organization's existing cybersecurity protections, such as firewalls, intrusion detection and prevention systems, and regular security updates."

The team adds, "Organizations can significantly reduce the likelihood of a successful attack by implementing these best practices and educating employees on the risks."

Attackers Hide RedLine Stealer Behind ChatGPT, Google Bard Facebook Ads

Password managers aren't foolproof, but they do help mitigate risks from weak credentials and password reuse. Following best practices can contribute to a company's defenses.

Over the past few months, several leading password managers have been victims of hacking and data breaches. For instance, LastPass, which experienced a massive breach last year, recently announced again that the company's password vault has been stolen. And thanks to the bad practice of reusing passwords too often, Norton LifeLock also reported compromises to its password manager.

Why are password managers so attractive to cybercriminals? It's simple. Password managers hold the "keys to the castle." If a password manager gets compromised, attackers gain access to all stored passwords at once, which means they can walk into any secured environment or impersonate any user, circumventing all cybersecurity defenses. The market for password managers is growing rapidly, and attackers will target anything that can get more bang for their buck.

**Attractive Targets**

Some of the most common ways password managers are being hacked include:

**1\. Malware-Targeting Password Managers**

Malware programs have been targeting password managers for the last several years. In 2014, malware called Citadel, designed to target password managers, became notorious for having compromised one in 500 PCs worldwide. However, back then, only a small number of users used a password manager. Today, the average person needs to remember upward of 100 passwords, which is why the market for password managers and the malware market for targeting them are both growing.

For example, the attack on the Solana blockchain last year that resulted in a $7 million heist was caused by malware that targeted crypto wallets and password managers called Luca Stealer; another Trojan, dubbed StealC, specifically targets browser extensions and authenticators by password managers; password stealers targeting Web browsers have also been around for decades.

**2\. Phishing Attacks Against Password Managers**

Phishing attacks targeting password managers are on the rise. For example, in January 2023, researchers came across Google Ads that were redirecting victims to fake Bitwarden and 1Password pages, trying to steal their master credentials. What's more, customers of password managers such as LastPass, who have already had their credentials exposed in an earlier data leak, are at an increased risk of scams and phishing attacks. Attackers know their email addresses, phone numbers, and the online services they use, and therefore they can be easily targeted using a variety of phishing techniques.

**3\. Software Vulnerabilities in Password Managers**

Just like all other forms of software, password managers are prone to vulnerabilities. Recently, researchers reported a vulnerability in KeePass that could allow attackers to export all usernames and passwords in clear text. Earlier this year, Google discovered that popular password managers such as Dashlane, Bitwarden, and Apple's Safari browser password manager can all be manipulated into auto-filling passwords on untrusted pages.

**4\. Credential-Stuffing Attacks Using Leaked Credentials**

Credential-stuffing attacks are becoming increasingly common. This is a type of attack where threat actors leverage previously leaked credentials (nearly 25 billion of these are for sale on underground marketplaces) to gain unauthorized access into websites, applications, and networks. Most password managers have a "master password" to access all credentials, and since 65% of users reuse their passwords across different websites, it's possible that attackers use brute-force techniques or make educated guesses on the possible password combinations. Late last year, LastPass confirmed a credential-stuffing attack against some of its users.

**Do Password Managers Make Sense in 2023?**

The benefits of having a password manager far outweigh the risks. Password managers help mitigate two of the biggest risks for users and businesses — weak credentials and password reuse. Yes, attacks on password managers are on the rise, but the probability of a business being attacked due to poor credentials or password reuse is much higher than the likelihood of a password manager getting hacked.

There are a number of things organizations can do to mitigate the risks of password managers:

*   **Security-train employees:** Most password-stealing malware gets installed when users get phished or social engineered — users download, click, or open something they shouldn't have. This is why it is extremely important for organizations to instill secure behavior in employees (alertness, strong passwords, safe browsing, responsible use of social media, not trusting anything at face value, etc.) so they don't fall victim to a phishing attack.
*   **Patch regularly:** Make sure you patch all your software and systems regularly. Unpatched software is the second-biggest reason password-stealing Trojans get installed on computers. Ensure you check and install all critical patches, especially the ones that are featured on CISA's Known Exploited Vulnerability Catalog.
*   **Use phishing-resistant multifactor authentication:** Use phishing-resistant MFA or passwordless options wherever you can. Not just to protect the master password on your password manager, but also on all of your critical websites, applications, and services.
*   **Check password-dump websites for leaked credentials:** Check online leaked-password websites (such as haveibeenpwned.com) or take breach password tests to ascertain if any of your credentials are floating around in online databases.
*   **Use a good password manager:** Use password managers that deploy strong encryption; that follow secure development life cycle (SDLC) programming; are responsive, transparent, and responsible to their customers; and that promote security features such as MFA, passwordless options, contextual features (user gets locked out if it's an unknown device or location), and phishing-detection capabilities.

Are password managers foolproof? Nope. But nothing is these days. The operating systems we use, the devices and applications we use — everything is hackable. Password managers come with some great benefits — they can tell you if your password is strong or not, they prevent you from reusing your password, some can stop you from entering credentials into bogus URLs, and some will even alert you when a website gets compromised.

As long as organizations follow the above tips and best practices, password managers can prove to be a vital tool in the defense arsenal of any organization.

How Password Managers Can Get Hacked

The gap between permissions granted and permissions used exposes organizations to increased risk. (Part two of a two-part series.)

Did you know that 86% of businesses plan to increase their investment in hybrid or multicloud technology? And yet 73% of those same companies find it challenging to manage multicloud environments.

In part, this is because managing identities and their related access permissions is more complicated when you're dealing with a multicloud environment. Digital sprawl has led to an explosion in permissions across multicloud environments, and we lack a consistent oversight solution.

To date, as many as 99% of current cloud permissions are going unused. This gap between permissions granted and permissions used represents a significant concern for enterprise businesses, as it opens them up to an increased risk of both accidental and malicious insider threats. Read on to learn how you can evolve your identity and permissions management by implementing cloud infrastructure entitlement management (CIEM) solutions into your own operations.

**How Does CIEM Work?**

One issue with overpermissioned multicloud environments is that they're very difficult for security teams to monitor. Various cloud platforms don't always interact well with one another, and that can make it challenging for security teams to have full visibility across the entire multicloud environment. Identities have also expanded beyond employees and customers to encompass developers, third-party contractors, and even workload identities like web apps, virtual machines, containers, scripts, serverless functions, and more.

Attackers can exploit the misconfigured permissions of these identities to access critical cloud infrastructure. The permissions gap can be reduced by implementing least privilege access and working toward a zero-trust security model, but it's very difficult to do manually and at a cloud scale. That's where CIEM comes in.

As we learned in Part 1 of this series, CIEM was first coined by Gartner as a way to address the identity and permissions challenges posed by cloud technology. CIEM acts as a cloud-native, scalable, and extensible way to automate the continuous management of permissions in the cloud because it is built on a continuous, activity-based model. This allows organizations to keep pace with rapid cloud growth while also scaling their security infrastructure.

CIEM is made up of seven core pillars: account and entitlements discovery, cross-cloud entitlements correlation, entitlements visualization, entitlements optimization, entitlements protection, entitlements detection, and entitlements remediation. Essentially, it works by allowing organizations to understand what permissions currently exist within their environments and how various identities are using those permissions.

CIEM can even help organizations understand how they should change their current identity management to follow the principles of least privilege access and how to best protect their environments moving forward.

**How To Implement CIEM In Your Own Organization**

Cloud technology has become table stakes for many organizations, and the move to shift workloads into the cloud isn't likely to slow down anytime soon. This means that cloud providers will continue to add new capabilities and services, generating tens of thousands of permissions and growing the number of identities — both human and workload — in the process.

That's why we recommend taking a life cycle approach to CIEM. This empowers organizations to continuously discover, remediate, and monitor the activity of every unique user and workload identity that's operating in their cloud environment. It also has the benefit of alerting security and infrastructure teams to unexpected or excessive risks in cloud environments so they can respond accordingly.

The first step is the discovery phase. This involves creating individual usage profiles for each human or workload identity to understand how they typically operate in your environment and assess whether permissions granted in the past are still needed today.

Next is the remediation phase. A core attribute of CIEM is that it enables companies to look at usage data to see which permissions each identity is actually using. Based on this insight, security teams can then revoke permissions that aren't being used or that aren't necessary for that person or workload's function.

Finally, we have the monitoring phase. Thousands of identities can be active across cloud environments at any given time. So it's critical for CIEM solutions to provide robust monitoring and alerting capabilities. This monitoring should be customizable by both identity and activity, and your CIEM solution should be able to send automated alerts to the appropriate security team.

Strong cloud security ultimately hinges on an organization's ability to control the level of access that human and workload identities have to their infrastructure. Something like CIEM can help secure these identities at scale.

How CIEM Can Improve Identity, Permissions Management for Multicloud Deployments

Israel's National Cyber Defense is warning of increased cyberattacks by anti-Israel groups during the month of Ramadan.

On April 5, the Israel Post fell victim to a cyberattack, forcing the mail service to shut down some services. Just two days later, farmers missed scheduled irrigation times when water controllers in the Jordan Valley were hijacked with displays that read, "You Have been hacked, Down with Israel _(sic)_."

These recent cyberattacks are part of a predictable wave of increased, malicious cyber activity that Israeli organizations have come to expect during the month of Ramadan, according to the Israel National Cyber Directorate, which recently issued a warning about a spike in anti-Israel hacktivist activity.

"Each year during this period, attacks such as website defacement, distribution of phishing messages, social media hacking, DDoS attacks, intrusion into company websites, and information leaks are observed — alongside publications boasting cyberattacks that did not necessarily take place," the INCD warning said. "Additional, common attacks are on website storage and building companies, in an attempt to create a wider attack that will increase awareness. It is estimated that similar attempts will take place this year as well, using simple means and exploiting common weaknesses in the cyber sphere."

The National Cyber Directorate and the Ministry of Agriculture are investigating the breaches of the Israel Post and the irrigation system, according to reports. Other Israeli organizations breached in recent weeks include websites for Israel Railways, airlines, universities, and more, all part of the "OPIsrael" campaign waged each year, reports added.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Source

DARKReading