Today, we explore how Magnet Goblin, a cyber threat actor, exploits 1-day vulnerabilities for financial gain, targeting systems like Ivanti Connect Secure VPN and Magento. Learn about the widespread WordPress plugin vulnerability that left over 3,300 sites compromised with malware. Plus, unravel the complexities of Stored XSS, a persistent cyber threat lurking in databases and forums.
Original Articles:
- For Magnet Goblin’s exploits: https://research.checkpoint.com/2024/magnet-goblin-targets-publicly-facing-servers-using-1-day-vulnerabilities/
- WordPress plugin vulnerabilities: https://www.bleepingcomputer.com/news/security/hackers-exploit-wordpress-plugin-flaw-to-infect-3-300-sites-with-malware/
- Microsoft’s chilly hack: https://www.theverge.com/2024/3/8/24094287/microsoft-hack-russian-security-attack-stolen-source-code
- Swiss government’s ransomware dilemma: https://therecord.media/play-ransomware-leaked-government-files-swiss
- Duvel Moortgat Brewery’s production pause: https://www.vrt.be/vrtnws/en/2024/03/06/cyber-attack-brings-production-at-duvel-moortgat-breweries-to-a/
- FINTRAC’s cyber incident: https://globalnews.ca/news/10335818/fintrac-cyber-incident/
- Hamilton’s ransomware attack: https://www.cbc.ca/news/canada/hamilton/ransomware-attack-1.7133457
Music: https://www.jeredjones.com/ Logo Design: https://www.zackgraber.com/
Tags: Magnet Goblin, WordPress Vulnerabilities, Popup Builder Plugin, CVE-2023-6000, Cybersecurity, HGF, 1-Day Vulnerabilities, Cross-Site Scripting, XSS, Malware Infections, Cyber Threat Actors, Web Security, Sucuri, Plugin Security, Website Hacking, Stored XSS, Cyber Attacks, Data Breach
Search Phrases:
- Magnet Goblin cyber attacks
- WordPress Popup Builder plugin vulnerability
- Handling 1-Day vulnerabilities in cybersecurity
- Cross-Site Scripting attacks and prevention
- Latest malware infections in WordPress sites
- Cyber threat actors exploiting web vulnerabilities
- Sucuri reports on WordPress security
- How to secure websites against XSS vulnerabilities
- Understanding Stored XSS and its impacts
- Data breaches involving HGF this week
- Cybersecurity updates on WordPress plugins
- Protecting against Popup Builder CVE-2023-6000
- Recent cyber attacks on web platforms
Transcript:
Mar 11
[00:00:00] transition: Welcome to The Daily Decrypt, the go to podcast for all things cyber security. Get ready to decrypt the complexities of cyber safety and stay informed. Stand at the frontier of cyber security news, where every insight is a key to unlocking the mysteries of the digital domain. Your voyage through the cyber news vortex starts now.
[00:00:29] offsetkeyz: Welcome back to The Daily Decrypt. Today we’re joined by Hot Girl Farmer, who’s going to help recap the breaches from the last week in your favorite segment, Who’s Been Popped.
Then we’re going to be talking about the Magnet Goblins gobbling up one-day vulnerabilities.
And finally, the WordPress pop-up plugin vulnerability persists, popping approximately 3,300 sites.
[00:00:54] transition: Thanks for [00:01:00] watching!
[00:01:00] hgf: First up on our list is a chilly tale from the tech giant Microsoft. On March 9th, Microsoft announced that Russian hackers, chilly from their previous SolarWinds attack, decided to warm up by spying on some emails of Microsoft senior leaders. The hack evolved into a frosty situation, with some of Microsoft’s secure source code stolen. Switching over to Switzerland, where things got a bit too neutral for their liking: on March 8th, the Swiss government found itself in a knot tighter than a Swiss wristwatch. A ransomware attack leaked 65,000 government documents. It appears the hackers played their cards right with the Play ransomware gang, proving that sometimes neutrality attracts more than just peace.
You know what, if only they had some witches watching those Swiss wristwatches. Which witch would watch which Swiss watch? There were three witches, and there were three Swiss wristwatches; which witch would watch which Swiss wristwatch? Absolutely not. [00:02:00] Now pour one out for the Duvel Moortgat brewery, which on March 9th found its production as stale as the beer in a forgotten glass. The brewery, known for its spirited Duvel, faced a ransomware attack that halted its hops. It’s a sobering reminder that no industry is immune, and perhaps it’s time for cyber attackers to barley there and brew up some better hobbies, maybe. They be brewing up something. Yikes. March 6th brought a cold front to Canada’s FINTRAC, freezing some of its IT systems in a cyber incident as crisp as the Canadian winter, while their intelligence system stayed snug and warm.
It’s a stark reminder that even those guarding the treasure need to watch their own chest.
Lastly, Hamilton, a Canadian city, got a taste of digital disruption, with services paralyzed faster than a moose caught in headlights. The ransomware attack, confirmed on March 5th, has shown that even city services can get frozen over in the cyber blizzard. It’s a digital reminder that in the game of cybersecurity, sometimes you go hockey stick and sometimes you’re [00:03:00] the puck. Mm. Canadians love hockey. Us too. That’s what I hear, anyways.
[00:03:06] transition: Thanks for watching!
[00:03:12] offsetkeyz: All right. So the Magnet Goblins are gobbling up one-day vulnerabilities. This is coming to you from Check Point Research, published on March 8th; check the show notes for the URL.
A financially motivated cyber threat actor called Magnet Goblin is getting really good at exploiting one-day vulnerabilities. And one-day vulnerabilities are essentially vulnerabilities that are already announced and discovered, but not yet patched. So the “one day” signifies about how much time attackers have to exploit these vulnerabilities before they get patched. And the Magnet Goblins have gotten really good at exploiting one-day vulnerabilities.
The Magnet Goblins have targeted such systems as Ivanti Connect Secure VPN, Magento, Qlik Sense and [00:04:00] potentially Apache ActiveMQ.
And they use these vulnerabilities to deploy a variety of malware, including the novel Linux version of NerbianRAT, which is a remote access Trojan, and WARPWIRE, a JavaScript credential stealer.
Magnet Goblin’s rapid adoption of one-day vulnerabilities really just emphasizes the problem we have with patching, and the need for it.
Their operations have historically centered around financial gain, as opposed to some other motivations like political or social or hacktivism. They’re all about the money.
And they usually use techniques revolving around data theft, to include ransomware. Really, whatever they can use to get their money.
There isn’t much news here other than the fact that the Magnet Goblins are out there, and we really are behind on our practices of updating as well as on our updates. So as soon as a one-day vulnerability comes out, make sure to check the specifics of [00:05:00] that vulnerability and look for the indicators of compromise surrounding it.
[00:05:15] offsetkeyz: All right, and to wrap up today’s stories, we’re going to be talking about that WordPress pop-up plugin vulnerability that was announced last November and has recently seen an uptick in exploits.
It’s impacting plugin versions 4.2.3 and older, and involves a cross-site scripting vulnerability, and really highlights the reluctance of WordPress users to update their plugins.
So, if you’re a WordPress administrator or a consumer of WordPress websites, which most of us are, one of those two things, if not both:
The WordPress plugin must be active and also creating pop-ups on your site. So, for example, this plugin is enabled by default when you launch a new WordPress website, which we don’t [00:06:00] love.
But the good news is that even though it’s enabled by default, it must be creating pop-ups in order for it to be exploited. My fear when reading this was that, yes, this is a default plugin, and since it’s a default plugin there are, what, 300,000 WordPress sites out there, all with this plugin just chilling, probably unupdated and unutilized. But luckily it must be utilized as well as enabled.
And that’s because the attackers inject PHP code into one of the events that triggers the pop-up.
And that PHP code is then stored on the server alongside the WordPress site, making it a stored cross-site scripting vulnerability.
Which means that anyone who accesses the site and sees the pop-up is vulnerable to that malicious PHP code. And that code can do many things. It can try to hijack your session cookie, which is the ultimate goal, because then the attacker is you [00:07:00] without actually having to log in.
Or it could redirect you to phishing sites, or really anything that they want.
So if you’re a WordPress admin, obviously update or disable. I’m going to lean towards disable, because pop-ups are really annoying, especially since they’re now vulnerable.
Go ahead and use a banner. Go ahead and open up a new tab somewhere, but don’t pop up right as I’m about to click something on your website; I’m immediately going to navigate away from your website if there’s a pop-up. Sorry for the rant. If you’re a consumer, try grabbing a pop-up blocker from the Google Chrome app store.
I think Google Chrome even comes with a built-in app for blocking pop-ups.
And whether or not it blocks the specific pop-up on the site that you’re visiting, it will at least alert you that there is a pop-up and allow you to confirm or deny pop-ups on that site. So, better than nothing.
But yeah, totally against pop-ups as a practice. I’m really glad my WordPress site doesn’t have any pop-ups, for this reason, and [00:08:00] also for the reason to not annoy the crap out of the few website visitors that I get. If you’d like to visit a website with no pop-ups and no advertisements, go ahead and check out dailydecrypt.news. Just the words, daily decrypt dot news, and you will find words and pictures and sounds.
But no ads.
And no pop-ups.
All right. That’s all we’ve got for you today. Quick episode. Huge thanks to Hot Girl Farmer for coming on and delivering the hot breaches in Who’s Been Popped. We will talk to you some more tomorrow. [00:09:00]