The WP Born Babies WordPress plugin through 1.0 does not sanitise and escape some of its fields, which could allow users with a role as low as contributor to perform Cross-Site Scripting attacks

CVE-2022-1506

The Video Slider WordPress plugin before 1.4.8 does not sanitize or escape some of its video settings, which could allow high-privileged users to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

CVE-2022-1541

It's called pre-hijacking, and it's a new class of attack against online accounts.
The post Hackers can take over accounts you haven’t even created yet appeared first on Malwarebytes Labs.

Account hijacking has sadly become a regular, everyday occurrence. But when it comes to hijacking accounts _before_ they are even created? That’s something you’d never think possible—but it is.

Two security researchers, Avinash Sudhodanan and Andrew Paverd, call this new class of attack a “pre-hijacking attack.” Unfortunately, many websites and online services, including high-traffic ones, are not immune to it. In fact, the researchers found that more than 35 of the 75 most popular websites are vulnerable to at least one pre-hijacking attack.

Sudhodanan and Paverd identified five types:

****Classic-Federated Merge (CFM)****

This exploits a flaw in how two account creation routes interact. Two accounts can be created using the same email address—one normal account by the user (deemed the “the classic route”) and one federated identity by the hijacker (deemed the “federated route”)—allowing both to access the account.

This attack is most successful when the user uses a single sign-on (SSO) to log in, so they never change the actual account password the hijacker sets.

****Non-Verifying Identity Provider (NV)****

This is a mirror image of the CFM attack. Using the same email address, the hijacker creates an account using the classic route while the user takes the federated route. The hijacker then uses an identity provider (IdP) that doesn’t verify ownership of an email address. If the website or online service incorrectly merges the two accounts based on the email address, both hijacker and user will have access to the account.

****Unexpired Email Change (UEC)****

This exploits a flaw where the website or online service fails to invalidate an email change request when the user resets their password.

The hijacker creates an account with the victim’s email address and then submits a change request to replace the email for their own but doesn’t confirm it. When the victim does a password reset, the hijacker then validates control, allowing them to assume control of the account.

****Unexpired Session (US)****

This exploits a flaw in which authenticated users are not signed out of an active account after a password reset.

The hijacker keeps the account active using an automated script after creating an account. Even after the user creates an account using the same email address and resets the password, the hijacker maintains access to the account.

****Trojan Identifier (TID)****

This is a combination of CFM and US attacks.

**Issues in common**

These attacks vary in severity, but they were all caused by the websites’ inability to verify an identifier the user supplies _before_ allowing the account to be used.

Many websites and online services _do_ verify, but, as the researchers noted, they do so asynchronously, which improves website usability but unfortunately opens the door to pre-hijacking attempts.

From the report:

> “As with account hijacking, the attacker’s goal in account pre-hijacking is to gain access to the victim’s account. The attacker may also care about the stealthiness of the attack, if the goal is to remain undetected by the victim.
> 
> The impact of account pre-hijacking attacks is the same as that of account hijacking. Depending on the nature of the target service, a successful attack could allow the attacker to read/modify sensitive information associated with the account (e.g., messages, billing statements, usage history, etc.) or perform actions using the victim’s identity (e.g., send spoofed messages, make purchases using saved payment methods, etc.).”

**How account pre-hijacking works**

Attackers attempting to pre-hijack must already know some unique identifiers related to the target whose account they want to take over. These identifiers could be an email address, phone number, or other information that can be retrieved via scraping social media accounts or leaked data.

From here, attackers can then use any of the five attack types. Regardless, everything boils down to the hijacker and the user having concurrent access to the same account.

In their case studies, the researchers mentioned a handful of known online brands vulnerable to pre-hijacking attacks. These include Dropbox, Instagram, LinkedIn, WordPress, and Zoom.

**Pre-hijacking attacks are preventable**

Although the root cause of pre-hijacking attacks stems from weaknesses on the side of the websites and online services, protecting against them is never one-sided.

The researchers advise website and service owners to do the following:

*   Require verification of an email address used in registration to be completed before allowing any features of the website or service to be used. A similar approach must be adopted when using other verification means, such as SMS or automated phone calls.
*   If the website or online service uses an IdP, ensure the IdP performs the verification process or conducts additional verification steps.
*   When a user requests a password reset, the website or service should sign out all active sessions and invalidate all authentication tokens.
*   Set the validity period of change confirmation emails as low as possible. Doing this doesn’t remove the risk of an attack altogether, but it minimizes it.
*   Delete unverified accounts regularly.

Microsoft has listed some in-depth steps on its website for further mitigation.

Users can also protect themselves from pre-hijacking attacks using multi-factor authentication (MFA) if the website or online service supports this feature.

Stay informed and stay safe!

Hackers can take over accounts you haven’t even created yet

China suspected in assaults against enterprises running collaboration platform

John Leyden 06 June 2022 at 12:53 UTC

China suspected in assaults against enterprises running collaboration platform

Confluence Server and Data Center users are being urged to update their systems in response to a remote code execution (RCE) vulnerability that’s the target of active attacks in the wild.

The vulnerability (tracked as CVE-2022-26134) opens the door for even unauthenticated attackers to achieve RCE on unpatched systems, with all supported versions of Confluence Server and Data Center affected. End-of-life versions are also likely to be impacted, but this is unconfirmed.

Users are urged to apply patches published by Atlassian, the software developer behind Confluence, on Friday (June 3). Enterprises unable to patch should apply the recommended workarounds, as explained in an advisory by Atlassian.

**CISA warning**

The US Cybersecurity and Infrastructure Security Agency (CISA) is advising US federal agencies to block internet traffic to Confluence Server and Data Center installs and apply Atlassian’s patch or else remove affected instances by the close of business on Monday, June 6.

Attacks against the vulnerability on internet-facing Atlassian Confluence servers have been logged by threat response specialists at both Volexity and Rapid7’s Managed Detection and Response (MDR) team.

Catch up with the latest cyber-attack news and analysis

Volexity reports that attacks began last week on what was at the time a zero-day vulnerability in Atlassian Confluence Server. The RCE vulnerability was used to deploy an in-memory Java-based web server implant, known as ‘Behinder’, in an attempt to evade detection.

“Once Behinder was deployed, the attacker used the in-memory webshell to deploy two additional webshells to disk: CHINA CHOPPER and a custom file upload shell,” Volexity explains in a technical blog post.

The tools and technique behind the attack have allow Volexity threat researcher Paul Rascagnères to identify China as the most likely suspect.

Confluence is a popular web-based collaboration software platform. The Daily Swig asked Volexity to offer an estimate on the number of vulnerable internet-facing Confluence servers as well as speculating on the end goal of the attacks.

No word back, as yet, but we’ll update this story as and when more information comes to hand.

DON’T MISS Researcher goes public with WordPress CSP bypass hack

Incoming! Atlassian Confluence attacks prompt calls for rapid patching

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.
Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.
Parrot TDS was documented in

The Parrot traffic direction system (TDS) that came to light earlier this year has had a larger impact than previously thought, according to new research.

Sucuri, which has been tracking the same campaign since February 2019 under the name "NDSW/NDSX," said that "the malware was one of the top infections" detected in 2021, accounting for more than 61,000 websites.

Parrot TDS was documented in April 2022 by Czech cybersecurity company Avast, noting that the PHP script had ensnared web servers hosting more than 16,500 websites to act as a gateway for further attack campaigns.

This involves appending a piece of malicious code to all JavaScript files on compromised web servers hosting content management systems (CMS) such as WordPress that are in turn said to be breached by taking advantage of weak login credentials and vulnerable plugins.

Besides using different obfuscation tactics to conceal the code, the "injected JavaScript may also be found well indented so that it looks less suspicious to a casual observer," Sucuri researcher Denis Sinegubko said.

JavaScript variant using the ndsj variable

The goal of the JavaScript code is to kick-start the second phase of the attack, which is to execute a PHP script that's already deployed on the ever and is designed to gather information about a site visitor (e.g., IP address, referrer, browser, etc.) and transmit the details to a remote server.

Typical obfuscated PHP malware found in NDSW campaign

The third layer of the attack arrives in the form of a JavaScript code from the server, which acts as a traffic direction system to decide the exact payload to deliver for a specific user based on the information shared in the previous step.

"Once the TDS has verified the eligibility of a specific site visitor, the NDSX script loads the final payload from a third-party website," Sinegubko said. The most commonly used third-stage malware is a JavaScript downloader named FakeUpdates (aka SocGholish).

In 2021 alone, Sucuri said it removed Parrot TDS from nearly 20 million JavaScript files found on infected sites. In the first five months of 2022, over 2,900 PHP and 1.64 million JavaScript files have been observed containing the malware.

"The NDSW malware campaign is extremely successful because it uses a versatile exploitation toolkit that constantly adds new disclosed and 0-day vulnerabilities," Sinegubko explained.

"Once the bad actor has gained unauthorized access to the environment, they add various backdoors and CMS admin users to maintain access to the compromised website long after the original vulnerability is closed."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Uncover Malware Controlling Thousands of Sites in Parrot TDS Network

By Owais Sultan
Hosting a website is not only about the domain name. It also includes web hosting services, which provide…
This is a post from HackRead.com Read the original post: Types of Web Hosting and How Much Does It Cost To Host A Website?

Hosting a website is not only about the domain name. It also includes web hosting services, which provide the technology and support needed to get your website online. The cost of these services can vary greatly, so it’s important to understand what you’re paying for.

In this article, we are going to take a look at the different types of web hosting services and how much they typically cost. We’ll also provide some tips on how to save money on web hosting services.

**Shared Hosting**

With a revenue share of over 37.64%, Shared hosting is the most popular type of web hosting. This is because it’s the most affordable option. 

With shared hosting, your website shares a server with other websites. This means that the resources of the server are divided among all of the websites on it.

You may need to part with $3-$14 per month for this hosting. The cost depends on an array of factors, including the number of websites you have, the size of your website, and the features you need.

For example, if you have a small website that doesn’t get much traffic, you can get away with a cheaper shared hosting plan. But if you have a large website that gets a lot of traffic, you’ll need to spend more on a plan with more resources.

**VPS Hosting**

VPS hosting is a step up from shared hosting. With VPS hosting, your website is still sharing a server with other websites. But the server is divided into virtual private servers, or “VPS.” Each VPS has its own resources, so your website won’t be impacted by the other websites on the server.

VPS hosting typically costs about $18-$90 per month. The cost depends on the size of the server, the features you need, and the level of support you require.

**Dedicated Hosting**

With dedicated hosting, your website is the only one on the server. This means you have full control over the resources of the server.

The cost of dedicated hosting ranges from about $80-$600 per month. It is the most expensive type of hosting, but it is also the most reliable. If you have a large website with a lot of traffic, dedicated hosting is the best option for you.

Some of the reasons that make dedicated hosting more expensive than other types of hosting include:

*   You are the only one using the server, so you are responsible for the entire cost of the server.
*   Dedicated servers usually have more features, advanced web hosting security, and better performance.
*   The company that owns the server will provide support and maintenance at an additional fee.

**Managed WordPress Hosting**

Managed WordPress hosting is a type of dedicated hosting specifically for WordPress websites. With managed WordPress hosting, your website will be hosted on a server that is optimized for WordPress.

The cost of managed WordPress hosting ranges from about $2-$250 per month. The cost depends on the features and level of support you need.

Some managed WordPress hosts allow you to only pay for the resources you want to use. This is known as the pay-as-you-go pricing model. For example, the cost to host a WordPress site on AWS is not fixed. You can pay as much or as little as you want, depending on how many resources you need. This can be a great way to save money.

**Cloud Hosting**

Cloud hosting is a type of web hosting that uses a network of servers to store your website. The benefit of cloud hosting is that you can scale your website up or down as needed.

The cost of cloud hosting ranges from about $5-$50 per month. Some service providers offer way cheaper rates, but those usually have low-end servers with limited resources.

The main advantage of cloud hosting is that you only pay for the resources you use. For example, if you have a website that gets a lot of traffic, you can scale up your server to meet the demand. Then, when the traffic goes down, you can scale down your server to save money.

**Tips for Saving Money on Hosting**

There are a few things you can do to save money on hosting:

**Shop Around**

Choosing a hosting service should not be a rushed decision. Take time to compare different companies and plans. Look at the features they offer, the level of support, and the resources you get in each plan. This will help you find the best hosting company for your needs.

**Look for Discounts and Coupons**

Some hosting companies offer discounts and coupons to new customers. This can help you save money on your first year of hosting. Check the hosting company’s website or search online for coupons before you purchase a plan.

**Only Pay for Necessary Services**

The worst mistake you can make is to overpay for hosting services. Make sure you only pay for the features and resources that you need. There is no need to pay for extras that you will never use.

**Pay for Longer**

Hosting companies often offer discounts for customers who pay for longer terms in advance. For example, you may be able to get a discount if you pay for 12 months of hosting instead of just one month. This can help you save money in the long run.

**Final Thoughts**

The cost of hosting a website can vary depending on your needs. If you are just starting out, you can find affordable shared hosting plans. As your website grows, you may need to upgrade to a more expensive type of hosting such as dedicated or cloud hosting.

Make sure you choose your hosting depending on your unique needs and budget. Don’t let the pricing alone be the deciding factor. Take time to compare different hosting companies and find the best option for you.

**More Web Hosting Topics**

1.  What Brings The Essence Of Secured Web Hosting
2.  VPS Hosting Vs. Dedicated Servers – Which Is Better?
3.  7 Essential Hosting Features You Can’t Compromise With
4.  DreamHost hosting firm exposed almost a billion sensitive records
5.  Managed vs. Unmanaged VPS hosting – What are the Differences?

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

Types of Web Hosting and How Much Does It Cost To Host A Website?

Responsive Online Blog v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at single.php.

Submitted by donbermoy on Thursday, February 4, 2021 - 10:41.

This is a **Responsive Online Blogging Site** using **PHP/MySQL** that I did in my previous years as a project to my client for his Thesis/Capstone Project. I may say that this is a responsive web application because it has a lot of features such as calculating the views coming from the guests, embedded a map, and many more features.

The online site has an admin panel where published blogs, categories, drafts, web details, links, editor's choice, and the admin stats. The admin can also post his desired blog of the day and well as managing it also.

Just like other **Blogging sites**, this project offers users to read blogs of various categories. From the admin panel, he/she can add categories, manage posts and delete categories. The layout is pretty similar to WordPress blogging theme. Here, the site administrator can add a number of posts according to the categories they want and the blogs can also be viewed by selecting a certain category. The design of this project is simple and the user won’t find it difficult to understand, use and navigate.

****Features****

**Admin**

*   **Manage Blog Categories**
*   **Manage Blogs**
*   **Manage Website Details**
*   **Manage Editors Choice Contents**
*   **Admin Statistic Report**

**Website**

*   **Mobile Responsive Design**
*   **Home Page**
*   **Blog List**
*   **Display Website Information**
*   **Author Registration**
*   **View Blog Content**

****How to Run****

Just follow all the instructions to run it smoothly.

**Requirements:**

*   **Download** and **Install** any **local web server** such as **XAMPP/WAMP.**
*   **Download** and **Extract** the provided source code **zip** file. (download button is located below)

**Installation**

*   **Open** your **XAMPP/WAMP's Control Panel** and start the **"Apache"** and **"MySQL"**.
*   If you using **XAMPP**, **copy** the extracted folder and **paste** it into the xampp's **"htdocs" directory** (C:\\xampp\\htdocs). And if you are using **WAMP**, **paste** it inside the **"www" directory**.
*   **Locate** the **SQL file** from the source code folder. The file is known as **"blog\_admin\_db.sql"** and located inside the **"databasefile" directory.**
*   **Open** a web browser and browse the **PHPMyAdmin**. (http://localhost/phpmyadmin)
*   **Create** a new **database** naming **"blog\_admin\_db"**.
*   **Import** the **SQL** file in your **newly created database**.
*   Open a web browser and browse the web application. **(http://localhost/resblog)**

**You can access this system using the following accounts**

*   Username: **admin**
*   Password: **admin**

**Installation DEMO**

That's it you can now test the Blog Site project. I hope this will help you with what you are looking for.

**Enjoy Coding :)**

**Engr. Lyndon R. Bermoy**  
IT Instructor/System Developer/Android Developer  
Mobile: 09079373999  
Telephone: 826-9296  
E-mail:\[email protected\]

Visit and like my page on Facebook at Bermz ISware Solutions

Subscribe to my YouTube Channel at SerBermz

Visit my website at CampCodes

*   28655 views

CVE-2022-29659: Responsive Online Blog Website using PHP/MySQL with Source Code

Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

 Not fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Social Share Buttons by Supsystic

Vulnerable versions

<= 2.2.2

PSID 

55c61e6d8a44

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Rasi Afeef (Patchstack Alliance)

Publicly disclosed

2022-05-27

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Social Share Buttons by Supsystic plugin (versions <= 2.2.2).

**Solution**

Deactivate and delete. No reply from the vendor. Plugin closed.

**References**

CVE-2021-36890 Plugin page

CVE-2021-36890: WordPress Social Share Buttons by Supsystic plugin <= 2.2.2 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

*   The **Easy Pricing Tables** WordPress Plugin makes it easy to create and publish beautiful pricing tables and comparison tables on your WordPress site. You can build, customize and publish a pricing table in just a few minutes, straight from the post editor, with zero coding required.

View screenshots of WordPress pricing tables built with this plugin.

View Easy Pricing Tables Premium Live Demo »

> **Gutenberg Compatible**
> 
> This plugin is fully compatible with WordPress 5.0’s new block editor (“Gutenberg”). You can build and edit pricing tables directly in the post editor. Also features support for classic editor and page builders.
> 
> **Easy Pricing Tables Premium**
> 
> Easy Pricing Tables Premium comes with the following features.
> 
> Six Gorgeous Pricing Table Designs.  
> Comparison Tables.  
> Fully Customize your Pricing Table (Colors, etc…).  
> Choose From 15 Font Options.  
> Add Inline Images to Pricing Tables.  
> One-Click WooCommerce Integration.  
> Priority Email Support.  
> Pricing Toggles (switch between multiple pricing tables – eg. currencies or monthly/yearly pricing.  
> And much more….
> 
> Learn more about Easy Pricing Tables Premium >>

**Overview**

Easy Pricing Tables is the first WordPress pricing table plugin built specifically for the block editor.

Building pricing tables on your site has never been easier. Simply add the pricing table block to your post, fill in your prices and features, and publish.

No coding required. Easy Pricing Tables lets anyone create a responsive pricing table in just a few minutes.

**Easy Pricing Tables – WordPress Pricing Table Plugin Features**

*   Build beautiful WordPress pricing tables in minutes.
    
*   Works with any WordPress theme.
    
*   Responsive WordPress Pricing Tables – responds to fit any device.
    
*   Easy Pricing Tables implements conversion rate optimization (CRO) best practices and guides you through the process of creating a pricing table that converts.
    
*   Easy Pricing Tables works with any WordPress theme you have installed. Use the pricing table block to build pricing tables in the post editor, or build in the plugin dashboard and add to your page via shortcode.
    
*   Gutenberg / WordPress 5.0 compatible. Not just compatible. Easy Pricing Tables is built specifically for the block editor.
    
*   Intuitive User Interface – building pricing tables has never been easier. Point and click to edit your table.
    
*   Create unlimited pricing table rows.
    
*   Customize your pricing table design with color pickers, font pickers and native design settings.
    
*   Reorder pricing table columns with one click.
    
*   Featured Column – draw people to your most popular products by highlighting a featured column.
    
*   Save pricing tables as reusable blocks to add in multiple posts or pages.
    
*   Shortcode support for use with classic editor and page builders.
    
*   Add PayPal payment links, Stripe payment links, or any other checkout link to your pricing table buttons.
    
*   Automatically match column heights to keep rows aligned.
    
*   Customize text size and formatting with one click.
    
*   Check out Easy Pricing Tables Premium
    

**WordPress.org Support**

> As this is the lite version of this WordPress pricing table plugin, the only support we offer through these forums is for bugs. Support for questions regarding modifying your pricing tables, writing custom CSS, etc is available for customers of Easy Pricing Tables Premium.

**Privacy Disclosure**

This plugin does not store any personal data.

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

This plugin provides 2 blocks.

*   Easy Pricing Table
*   Pricing Tables (Legacy)

1.  Upload the Easy Pricing Tables plugin file (easy-pricing-tables.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Pricing Tables -> Add New’ to create a new table

**Can I use Easy Pricing Tables with Elementor?**

Yes, Easy Pricing Tables is compatible with Elementor and any other page builder plugin that supports shortcodes.

To add a pricing table anywhere other than the block editor, go to the Easy Pricing Tables plugin dashboard, create your table, and add it to your post with the shortcode provided.

**How can I save pricing tables to publish in multiple parts of my site?**

Create your pricing table and save it as a reusable block. Choose this reusable block anywhere you wish to add your pricing table.

**How do I change the width of my pricing table?**

Your pricing tables will fit to the content area your theme allows. You can edit how wide or narrow it appears with the “change alignment” setting (in the settings toolbar above the block). Change the alignment settings to set how much of the content area your pricing table fits to (e.g. “wide width” or “full width”).

**How can I integrate Easy Pricing Tables with WooCommerce?**

Easy Pricing Tables premium comes with a one-click integration to add WooCommerce products to your pricing table. Check out Easy Pricing Tables Premium here.

Looks great, is fluid, and customisable. Perfect. Love it.

Easy to setup and works beatifully. Love that you can include logo images in table.

Been using this plugin for almost a year now, the legacy version, works perfect for my needs.

Well, the free plugin is complete waste of time.

Great plugin for creating pricing tables.

Read all 128 reviews

“Pricing Tables WordPress Plugin – Easy Pricing Tables” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36866: Pricing Tables WordPress Plugin – Easy Pricing Tables

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

Tag

#wordpress