SAN MATEO, CA, May 8, 2023 — Cybersecurity news weekly roundup. Stories, news, politics, and events that impacted the network security industry last week. Brought to you by NetworkTigers.
- Flaw in WordPress plugin puts 2 million sites at risk
- Cisco discloses vulnerability in popular phone adapter, urges migrating to newer version
- Fleckpe malware discovered on Google Play store, downloaded 620K times
- Meta purges hundreds of accounts associated with cyber espionage campaigns
- Royal ransomware impacts city of Dallas IT services
- 9 crypto laundering exchanges seized by the FBI
- Apple’s Rapid Response security update system debuts
- CISA adds three new flaws to its Known Exploited Vulnerabilities catalog
- T-Mobile has been hacked for the second time this year
- Thousands of malware-making Play Store developer accounts banned by Google
- Russian hackers targeting Ukrainian government with malicious fake Windows update
Flaw in WordPress plugin puts 2 million sites at risk
WordPress’s Advanced Custom Fields plugin has been discovered to harbor a security flaw that exposes its 2 million active users to cyberattack. According to Patchstack researcher Rafie Muhammad, the vulnerability allows any unauthenticated user to steal sensitive information and achieve “privilege escalation on the WordPress site by tricking a privileged user to visit the crafted URL path” via a social engineering scheme. Users of the Advanced Custom Fields plugin are urged to update to 6.1.6 immediately.
Cisco discloses vulnerability in popular phone adapter, urges migrating to newer version
Cisco is warning users that its popular SPA112 2-Port Phone Adapters have a critical security flaw that a threat actor could exploit to execute arbitrary code on affected devices. “An attacker could exploit this vulnerability by upgrading an affected device to a crafted version of firmware,” said the company. “A successful exploit could allow the attacker to execute arbitrary code on the affected device with full privileges.” The flaw, labeled CVE-2023-20126, has a 9.8 rating on the CVSS scoring system, and users are encouraged to migrate to a newer model, as the affected one has reached the end of its life and will not be updated.
Fleckpe malware discovered on Google Play store, downloaded 620K times
Fleckpe, a new malware, has been discovered on the Google Play store. What’s more, said malware has already been downloaded and installed over 620,000 times. Researchers at security firm Kaspersky say that Fleckpe is one of a handful of emerging, subscription-based malware types that generate “unauthorized charges by subscribing users to premium services.” Threat actors profit from this type of scam by “receiving a share of the monthly or one-time subscription fees generated through the premium services.” Fleckpe is being hidden in apps disguising themselves as photo editors, photo libraries, wallpaper libraries and other legitimate-looking products.
Meta purges hundreds of accounts associated with cyber espionage campaigns
According to findings by Meta, a cyber espionage campaign in which three hacker groups used hundreds of fraudulent accounts has been uncovered. Threat actors associated with the fake accounts have been traced to China, Iran, Pakistan, the United States, India and more. The threat actors employed traditional tactics, such as impersonating romantically interested women, journalists and recruiters, as well as fake news networks and “low-sophistication” malware to bypass app verification checks. The fake accounts used in these campaigns have been purged, but they serve as a reminder that social media still offers hackers and scammers a wealth of opportunities and victims.
Royal ransomware impacts city of Dallas IT services
The city of Dallas, Texas was forced to shut down some IT operations after an attack from Royal ransomware. To prevent it from spreading, the city’s police IT systems were shut down, leaving 911 operators to write down reports by hand rather than logging them into their computer-assisted dispatch platform. The attack also left the Dallas police’s website offline for part of the day. City workers became aware of the attack when the network’s printers began spitting out documents informing them that their data had been encrypted. Dallas city officials have stated that the impact on civilians has been minimal and that they are working to restore full operations as quickly as possible.
9 crypto laundering exchanges seized by the FBI
The FBI, in cooperation with Ukrainian police, has seized 9 cryptocurrency exchange platforms that were used by scammers and ransomware groups to launder their stolen funds. The sites let users “anonymously convert cryptocurrency into harder-to-trace coins to obscure the money trace and help cybercriminals launder their pilfers without being traced by law enforcement.” The infrastructure of these sites, now under FBI control, will be used to track cybercriminals and “unmask” threat actors responsible for a wide range of thefts. The seizure is the most recent in a growing list of law enforcement crackdowns on online platforms and forums that traffic in illegal activity and sales.
Apple’s Rapid Response security update system debuts
Apple users may have noticed that the company has debuted a Rapid Response security update to “deliver important security improvements between software updates.” Depending on user settings, the system pushes bug fixes and patches to devices as needed to keep pace with threats as they emerge and exploits as they are found. The Rapid Response system has debuted just weeks after two zero-day flaws were observed being exploited in the wild. Apple’s macOS and iOS have found themselves increasingly targeted by hackers in recent months, likely contributing to the urgency that resulted in the new update system.
CISA adds three new flaws to its Known Exploited Vulnerabilities catalog
CISA has added three new flaws to its Known Exploited Vulnerabilities catalog in response to observing them being actively exploited in the wild. CVE-2023-1386 is a TP-Link Archer AX-21 Command Injection Vulnerability with a CVSS score of 8.8. CVE-2021-45046 is an Apache Log4j2 Deserialization of Untrusted Data Vulnerability with a score of 9.0. CVE-2023-21839 is an Oracle WebLogic Server Unspecified Vulnerability with a score of 7.5.
T-Mobile has been hacked for the second time this year
T-Mobile has disclosed that it has been hacked for the second time since the start of 2023. The company’s most recent breach affected 836 customers and, according to T-Mobile’s official statement, revealed their “full name, contact information, account number and associated phone numbers, T-Mobile account PIN, social security number, government ID, date of birth, balance due, internal codes that T-Mobile uses to service customer accounts (for example, rate plan and feature codes), and the number of lines.” The breach is said to have started in February of 2023 and persisted until March 30th.
Thousands of malware-making Play Store developer accounts banned by Google
Google has reportedly banned an incredible 173,000 Play Store developer accounts in an effort to keep malware from surfacing on the marketplace. Google credits its “continuous investments in machine learning (ML) systems and app review processes” for preventing “about 500,000 submitted apps from unnecessarily accessing sensitive permissions over the past 3 years.” The pat on the back may not be entirely warranted, however, as the Play Store remains a popular avenue for criminals looking to penetrate people’s personal devices or systems. One particular malware type, called Goldoson, was downloaded 100 million times from the Play Store.
Russian hackers targeting Ukrainian government with malicious fake Windows update
The Computer Emergency Response Team of Ukraine (CERT-UA) said that parts of the Ukrainian government have been under attack by Russian hackers. The attackers, believed to be the cybercrime group Fancy Bear, distributed emails urging victims to install a Windows update to help them better defend against cyberattacks. The hackers sent these emails from addresses containing the names of actual administrators, making them especially convincing. The email link sends victims to a simulated Windows update process that actually downloads a PowerShell payload, which in turn installs a tool capable of gathering and exfiltrating data from their system.