New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named Abraham's Ax that emerged in November 2022.
This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU) said

New research has linked the operations of a politically motivated hacktivist group known as Moses Staff to another nascent threat actor named **Abraham's Ax** that emerged in November 2022.

This is based on "several commonalities across the iconography, videography, and leak sites used by the groups, suggesting they are likely operated by the same entity," Secureworks Counter Threat Unit (CTU) said in a report shared with The Hacker News.

Moses Staff, tracked by the cybersecurity firm under the moniker Cobalt Sapling, made its first appearance on the threat landscape in September 2021 with the goal of primarily targeting Israeli organizations.

The geopolitical group is believed to be sponsored by the Iranian government and has since been linked to a string of espionage and sabotage attacks that make use of tools like StrifeWater RAT and open source utilities such as DiskCryptor to harvest sensitive information and lock victim data on infected hosts.

The crew is also known to maintain a leak site that's used to distribute data stolen from their victims and disseminate their messaging, which includes "exposing the crimes of the Zionists in occupied Palestine."

Now according to Secureworks' analysis, "the Abraham's Ax persona is being used in tandem to attack government ministries in Saudi Arabia" and that "this is likely in response to Saudi Arabia's leadership role in improving relations between Israel and Arab nations."

For its part, Abraham's Ax claims to be operating on behalf of the Hezbollah Ummah. Hezbollah, which means "Party of Allah" in Arabic, is a Lebanese Shia Islamist political party and militant group that's backed by Iran.

The striking overlaps in the modus operandi further raise the possibility that the operators behind Abraham's Ax are likely leveraging the same custom malware which acts as a cryptographic wiper to encrypt data without offering a means to recover the data in the early stages.

What's more, both actors are united in their motivations in that they operate without a financial incentive, with the intrusions taking a more disruptive tone. The connections between the two groups is also evidenced by the fact the WordPress-based leak sites were hosted in the same subnet in the early stages.

"Iran has a history of using proxy groups and manufactured personas to target regional and international adversaries," Rafe Pilling, Secureworks principal researcher, said in a statement.

"Over the last couple of years an increasing number of criminal and hacktivist group personas have emerged to target perceived enemies of Iran while providing plausible deniability to the Government of Iran regarding association or responsibility for these attacks. This trend is likely to continue."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Connection b/w Moses Staff and Emerging Abraham's Ax Hacktivists Group

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.
According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track[.]violetlovelines[.]com" that's designed to redirect visitors to unwanted sites.
The latest operation is

Website Security / WordPress

A massive campaign has infected over 4,500 WordPress websites as part of a long-running operation that's been believed to be active since at least 2017.

According to GoDaddy-owned Sucuri, the infections involve the injection of obfuscated JavaScript hosted on a malicious domain named "track\[.\]violetlovelines\[.\]com" that's designed to redirect visitors to unwanted sites.

The latest operation is said to have been active since December 26, 2022, according to data from urlscan.io. A prior wave seen in early December 2022 impacted more than 3,600 sites, while another set of attacks recorded in September 2022 ensnared more than 7,000 sites.

The rogue code is inserted in the WordPress index.php file, with Sucuri noting that it has removed such changes from more than 33,000 files on the compromised sites in the past 60 days.

"In recent months, this malware campaign has gradually switched from the notorious fake CAPTCHA push notification scam pages to black hat 'ad networks' that alternate between redirects to legitimate, sketchy, and purely malicious websites," Sucuri researcher Denis Sinegubko said.

Thus when unsuspecting users land on one of the hacked WordPress sites, a redirect chain is triggered by means of a traffic direction system, landing the victims on pages serving sketchy ads about products that ironically block unwanted ads.

Even more troublingly, the website for one such ad blocker named Crystal Blocker is engineered to display misleading browser update alerts to trick the users into installing its extension depending on the web browser used.

The browser extension is used by nearly 110,000 users spanning Google Chrome (60,000+), Microsoft Edge (40,000+), and Mozilla Firefox (8,635).

"And while the extensions indeed have ad blocking functionality, there is no guarantee that they are safe to use — and may contain undisclosed functions in the current version or in future updates," Sinegubko explained.

Some of the redirects also fall into the outright nefarious category, with the infected websites acting as a conduit for initiating drive-by downloads.

This also includes retrieving from Discord CDN an information-stealing malware known as Raccoon Stealer, which is capable of plundering sensitive data such as passwords, cookies, autofill data from browsers, and crypto wallets.

The findings come as threat actors are setting up lookalike websites for a variety of legitimate software to distribute stealers and trojans through malicious ads in Google search results.

Google has since stepped in to block one of the rogue domains involved in the redirect scheme, classifying it as an unsafe site that installs "unwanted or malicious software on visitors' computers."

To mitigate such threats, WordPress site owners are advised to change passwords and update installed themes and plugins as well as remove those that are unused or abandoned by their developers.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Over 4,500 WordPress Sites Hacked to Redirect Visitors to Sketchy Ad Pages

The Wordfence Threat Intelligence team has released their 2022 State of WordPress Security report. In the report, they look at changes in the threat landscape, analyze impactful trends, and provide recommendations based on their findings.

Wordfence 2022 State Of WordPress Security

Auth. SQL Injection (SQLi) vulnerability in WP-TopBar <= 5.36 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

thiennv discovered and reported this SQL Injection vulnerability in WordPress WP TopBar Plugin. This could allow a malicious actor to directly interact with your database, including but not limited to stealing information and creating new administrator accounts. This vulnerability has not been known to be fixed yet.

**3 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23824: WordPress WP-TopBar plugin <= 5.36 - SQL Injection - Patchstack

Auth. Stored Cross-Site Scripting (XSS) in Oi Yandex.Maps for WordPress <= 3.2.7 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Oi Yandex.Maps for WordPress Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-22721: WordPress Oi Yandex.Maps for WordPress plugin <= 3.2.7 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. Stored Cross-Site Scripting (XSS) vulnerability in Youtube shortcode <= 1.8.5 versions.

**Solution**

Deactivate and delete. This plugin has been closed as of January 18, 2023 and is not available for download. This closure is temporary, pending a full review.

Lana Codes discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Youtube shortcode Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has not been known to be fixed yet.

**No other known vulnerabilities for this plugin**Report

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

CVE-2023-23687: WordPress Youtube shortcode plugin <= 1.8.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

The My YouTube Channel plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on the clear_all_cache function in versions up to, and including, 3.0.12.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to clear the plugin's cache.

CVE-2023-0447: Changeset 2844200 for youtube-channel – WordPress Plugin Repository

The ?????? ?????? ?????? WordPress plugin before 2.9.3 does not sanitise and escape some parameters, allowing unauthenticated attackers to send a request with XSS payloads, which will be triggered when a high privilege users such as admin visits a page from the plugin.

CVE-2022-4307

The Store Locator WordPress plugin before 1.4.9 does not validate and escape some of its shortcode attributes before outputting them back in the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks which could be used against high privilege users such as admins.

CVE-2022-4832

The WP Google My Business Auto Publish WordPress plugin before 3.4 does not validate and escape one of its shortcode attributes, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attack.

Tag

#wordpress