More than 280,000 WordPress Websites Targeted in Attacks Using a Zero-Day in the WPGateway Plugin
Read also: Microsoft fixes a Windows zero-day, the US sanctions Iranian hackers linked to ransomware attacks, and more.
More than 280,000 WordPress websites targeted in attacks using a zero-day in the WPGateway plugin
Malicious actors are actively targeting WordPress sites using a zero-day vulnerability in the WPGateway plugin. Tracked as CVE-2022-3180, the bug is a privilege escalation issue that allows an unauthenticated attacker to add a rogue user with admin privileges and commandeer websites running the vulnerable plugin.
In the past 30 days, the researchers observed over 4.6 million attacks targeting CVE-2022-3180 against more than 280,000 sites.
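A check a site owner can run after this kind of attack, as an added example that is not from the article or from any vendor: it lists administrator accounts created on or after a given date, using the standard WordPress wp_users/wp_usermeta schema (the default wp_ table prefix is assumed) over constructed sample rows in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data mimicking the WordPress wp_users / wp_usermeta tables.
# Column names, meta_key and the serialized capability format follow the real
# WordPress schema; the rows themselves are invented for this example.
SAMPLE_USERS = [
    (1, "owner", "2019-03-02 10:15:00"),
    (2, "editor_jane", "2021-06-11 08:00:00"),
    (3, "wpg_support", "2022-09-11 03:42:17"),   # unexpected new admin
    (4, "backup_admin", "2022-09-12 23:59:01"),  # unexpected new admin
]
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Same query works against a real MySQL WordPress database (adjust the table
# prefix if the site does not use the default "wp_").
AUDIT_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""


def build_sample_db():
    """Create an in-memory SQLite copy of the two tables with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?)", SAMPLE_USERMETA)
    return conn


def recent_admins(conn, since):
    """Return (ID, login, registered) for administrator accounts registered on/after `since`."""
    return conn.execute(AUDIT_QUERY, (since,)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in recent_admins(db, "2022-08-15 00:00:00"):
        print("review admin account:", row)
```

Any account the query returns that the site owner did not create deserves removal and a password/credential rotation for the remaining accounts.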
Apple, Microsoft, Trend Micro patch actively exploited zero-days
Apple has rolled out security updates for iOS, iPadOS and macOS devices to fix a zero-day vulnerability that the vendor said “may have been actively exploited.” The flaw (CVE-2022-32917) may allow a malicious application to execute arbitrary code with kernel privileges. The vulnerability has been patched with the release of iOS 15.7, iPadOS 15.7, macOS Monterey 12.6 and macOS Big Sur 11.7.
Microsoft released its September 2022 Patch Tuesday security updates, which address more than 60 security issues in the tech giant’s software, including a zero-day flaw (CVE-2022-37969) that is being actively exploited in the wild. The issue is an elevation-of-privilege flaw in the Windows Common Log File System Driver that allows an attacker to execute arbitrary code with SYSTEM privileges.
Last, but not least, antivirus software maker Trend Micro has patched multiple vulnerabilities in its Apex One and Apex One SaaS endpoint security solutions, including an actively exploited zero-day bug which could lead to remote code execution.
FBI warns of cybercriminals increasingly targeting healthcare payment processors
The Federal Bureau of Investigation (FBI) has issued a warning about a rise in cyberattacks targeting healthcare payment processors to redirect victim payments and steal millions of dollars. In the first half of 2022 alone, more than $4.6 million was stolen from healthcare providers.
Threat actors are using a variety of techniques to obtain login credentials of employees of healthcare payment processors, including phishing and social engineering schemes, to gain access to payment processor accounts of healthcare companies and transfer funds to attacker-controlled accounts.
The FBI shared some tips on how to detect cybercriminal attempts to gain access to user accounts, as well as recommendations for healthcare organizations that could help to minimize the risks.
Magento vendor FishPig compromised in a supply chain attack
Malicious actors have breached the server infrastructure of FishPig, a developer of popular Magento-WordPress integrations, and injected malicious code designed to install the Rekoobe remote access trojan into the vendor’s software.
The malware was discovered in multiple FishPig extensions, and researchers say that likely all paid FishPig extensions have been compromised. The attack, however, did not impact free versions hosted on GitHub.
FishPig has confirmed the breach in a security advisory on its website and said that the attackers compromised its extension license system and planted the malicious PHP code into the Helper/License.php file. Although the offending piece of code has since been removed, the company has warned that “it is best to assume that all paid FishPig Magento 2 modules have been infected.”
US sanctions ten Iranians for their involvement in ransomware attacks
The Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions on ten Iranian nationals and two entities affiliated with Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in malicious cyber activities, including ransomware attacks.
According to OFAC’s announcement, these IRGC-affiliated cyber actors have been breaching computer networks in the US and other countries since at least 2020. Some of the group’s malicious activity overlaps with that of Iran-linked state-backed threat actors tracked by security researchers as APT35, Charming Kitten, Phosphorus, DEV-0270, Tunnel Vision, and Nemesis Kitten.
Three of the sanctioned Iranians were charged by the US Department of Justice for their involvement in cyberattacks on hundreds of organizations across the US, UK, Israel, and Iran, including small businesses, government agencies, NGOs, and entities in multiple critical infrastructure sectors, including health care centers, transportation services and utility providers.
Cybersecurity authorities from the United States, Canada, UK, and Australia have released a joint security advisory detailing the threat group’s malicious activities.