Over 2M Websites at Risk: New Cyber Threat in Popular WordPress Plugin

“Researchers have found that a vulnerability in the Advanced Custom Fields plugin for WordPress can be exploited to attack sites running it. Users of the plugin are urged to update to version 6.1.6 of Advanced Custom Fields.”

WordPress, a widely used content management system (CMS), is free and open-source software written in PHP and backed by a MySQL or MariaDB database. It powers roughly 43% of the web and receives regular core updates, but the plugins installed on top of it are patched separately by their own developers.



The vulnerability, tracked as CVE-2023-30777, is a reflected cross-site scripting (XSS) flaw. An attacker can exploit it to inject arbitrary executable script into pages served by an otherwise benign website.

The Advanced Custom Fields plugin, available in both free and pro versions, has more than two million active installations. Security researchers discovered the vulnerability and reported it to the plugin's maintainers on May 2, 2023.

Patchstack researcher Rafie Muhammad said, “This vulnerability allows any unauthenticated user to steal sensitive information. In this case, the vulnerability enables privilege escalation on the WordPress site by tricking a privileged user into visiting the crafted URL path.”

A reflected XSS attack begins when a victim clicks a crafted link delivered by email, chat message or another channel. The link carries the attacker's script in a request parameter; the vulnerable website writes that parameter back into its response without escaping it, so the script is "reflected" into the victim's browser and runs there with the victim's session on the site.
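The mechanism described above, reduced to a runnable example. This is added illustration code, not the Advanced Custom Fields plugin's code; the page shape, the `post_type` parameter and the `victim.example` URL are assumptions chosen to make the point. The vulnerable renderer writes the parameter into an attribute and into element text unescaped; the fixed one escapes at the point of output for the context the value lands in (in WordPress the equivalents are `esc_attr()` and `esc_html()`). A small HTML parser then counts `<script>` elements in each response, which makes the difference mechanical rather than a matter of eyeballing the markup.

```python
"""Reflected XSS, the bug class of CVE-2023-30777, reduced to its core:
a value from the request URL is written into the HTML response without
output encoding, so a link the attacker crafts carries script that runs
in the browser (and session) of whoever clicks it.

Added example; not the Advanced Custom Fields plugin's code. The page
shape, the 'post_type' parameter and the victim.example URL are assumptions.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit


def _param(url: str, name: str) -> str:
    """Pull one query parameter out of a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Vulnerable: the parameter lands in an attribute and in element text
    exactly as sent, so quotes and angle brackets break out of context."""
    post_type = _param(url, "post_type")
    return (
        f'<input type="hidden" name="post_type" value="{post_type}">\n'
        f"<h2>Fields for {post_type}</h2>"
    )


def render_fixed(url: str) -> str:
    """Hardened: escape at the point of output for the context the value
    lands in. quote=True also encodes \" and ', which the attribute needs.
    (In WordPress the equivalents are esc_attr() and esc_html().)"""
    post_type = _param(url, "post_type")
    attr_safe = escape(post_type, quote=True)
    text_safe = escape(post_type)
    return (
        f'<input type="hidden" name="post_type" value="{attr_safe}">\n'
        f"<h2>Fields for {text_safe}</h2>"
    )


def crafted_link(base_url: str, payload: str) -> str:
    """What the attacker sends the victim: the payload URL-encoded into the
    parameter, so it survives mail clients and looks like a normal link."""
    return f"{base_url}?{urlencode({'post_type': payload})}"


class _ScriptCounter(HTMLParser):
    """Counts <script> start tags the way a browser's parser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.scripts += 1


def script_elements(html_doc: str) -> int:
    """Number of <script> elements in a rendered response: 0 means the
    untrusted value stayed data, anything else means it became code."""
    parser = _ScriptCounter()
    parser.feed(html_doc)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    # Constructed payload: a privileged victim's browser would run this
    # with the victim's cookies, which is the privilege-escalation angle.
    link = crafted_link("https://victim.example/wp-admin/edit.php",
                        '"><script>alert(document.cookie)</script>')
    print(link)
    print("vulnerable render, script elements:", script_elements(render_vulnerable(link)))
    print("fixed render, script elements:     ", script_elements(render_fixed(link)))
```

The vulnerable render yields two `<script>` elements (one from the attribute break-out, one from the heading text); the fixed render yields none, and the payload survives only as `&quot;&gt;&lt;script&gt;…` text. The general rule the example shows is that escaping must match the output context: attribute values, element text, URLs and inline JavaScript each need their own encoder, and a single input-side "sanitize" step cannot know which one will apply.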

Imperva, a cyber security vendor, notes, “[A reflected XSS attack] is typically a result of incoming requests not being sufficiently sanitized, which allows for the manipulation of a web application’s functions and the activation of malicious scripts.”

It is worth noting that CVE-2023-30777 can be triggered on a default installation or configuration of Advanced Custom Fields, with no special settings required. The injected script only executes, however, in the browser of a logged-in user who has access to the plugin, which is why the attack depends on luring such a user to the crafted URL.

NBA Warns Fans of Cyber Attack and Data Breach

“The stolen data was limited, but it is enough to enable phishing attacks and other scams. The NBA urges its fans to be cautious with suspicious emails that appear to come from the association or its partners.”

Although fans' credentials were not affected by the attack, the attackers did steal some of their personal information. The National Basketball Association (NBA) has hired a third-party cybersecurity firm to investigate and resolve the issue.



To help fans avoid phishing attempts, the association clarified that it will never ask for usernames, account information or passwords by email, and that its legitimate emails come from addresses ending in “@nba.com.” The visible sender address is a weak signal on its own, however, since it can be forged unless the receiving mail system enforces SPF, DKIM and DMARC checks.

Fans were also asked to verify any email carrying attachments or links that lead to another website before opening them, since such links could direct them to a malicious site.

Previous NBA-Related Cyber Attacks

Back in April 2021, the NBA team Houston Rockets also faced a cyber attack in which the attackers tried to install malware on the franchise's computer systems. The attempt failed and the threat actors did not breach their systems.

The Houston Rockets hired cybersecurity experts to investigate the attack and also worked with the FBI (Federal Bureau of Investigation).

Tracey Hughes, Houston Rockets Spokesperson, said, “the organization detected suspicious activity on certain systems in its internal network.”

The malware did not pose a threat because of the defenses already in place before the attack. The Houston Rockets said that a few systems were affected but that operations were not disrupted.

Cybersecurity Attacks: New Wave of Ransomware Target ESXi Hypervisors of VMware

Synopsis

“VMware ESXi hypervisors, bare-metal hypervisors that install directly onto physical servers, are the target of a new wave of attacks designed to deploy ransomware on compromised systems.”

VMware ESXi is a bare-metal hypervisor that installs directly onto physical servers, and a single compromised host can hold many virtual machines. A new wave of attacks is targeting unpatched ESXi hosts to deploy ransomware on them.

France's Computer Emergency Response Team (CERT-FR) said on Friday, “These attack campaigns appear to exploit CVE-2021-21974, for which a patch has been available since February 23, 2021.”


In its advisory (VMSA-2021-0002), VMware describes the issue as a heap-overflow vulnerability in the OpenSLP service that can lead to arbitrary code execution.

The virtualization vendor noted, “A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution.”
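The practical question that follows from the advisory is which hosts still answer on TCP 427. The script below is an added example for that inventory step; it is not VMware's or CERT-FR's tooling, and the host names in it are placeholders. It does a plain TCP connect to port 427 on each host with a timeout, in parallel, and lists the hosts that are reachable. A reachable port proves exposure from the scanning vantage point only, not that the host is unpatched; the fix remains the vendor patch for CVE-2021-21974, with disabling SLP as the interim mitigation if patching must wait. A `self_check()` helper stands up a throwaway listener on 127.0.0.1 so the scanner can be exercised offline.

```python
"""Inventory check for the ESXiArgs attack surface: is the OpenSLP service
(TCP 427) reachable on each ESXi host from where this runs?

Added example, not VMware's or CERT-FR's tooling. Host names below are
placeholders. Reachable means exposed, not necessarily vulnerable.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

SLP_PORT = 427


def slp_reachable(host: str, port: int = SLP_PORT, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unroutable, or unresolvable (gaierror is an
        # OSError): all mean "not reachable from here" for this purpose.
        return False


def scan_hosts(hosts, port: int = SLP_PORT, timeout: float = 2.0, workers: int = 32) -> dict:
    """Check every host concurrently and return {host: reachable}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=min(workers, max(1, len(hosts)))) as pool:
        flags = pool.map(lambda h: slp_reachable(h, port, timeout), hosts)
        return dict(zip(hosts, flags))


def exposed_hosts(results: dict) -> list:
    """Hosts that still answer on the SLP port, sorted for a stable report."""
    return sorted(host for host, reachable in results.items() if reachable)


def self_check() -> dict:
    """Exercise the scanner offline: a listener on 127.0.0.1 must read as
    reachable, and the same port must read as not reachable once closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_open = slp_reachable("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = slp_reachable("127.0.0.1", port, timeout=1.0)
    return {"open": while_open, "closed": after_close}


if __name__ == "__main__":
    # Placeholder inventory; in practice feed this from vCenter or a CMDB.
    targets = sys.argv[1:] or ["esxi01.example.invalid", "esxi02.example.invalid"]
    results = scan_hosts(targets)
    for host in targets:
        state = "SLP reachable on 427" if results[host] else "not reachable"
        print(f"{host}: {state}")
    print("needs patch/mitigation first:", exposed_hosts(results))
```

Run it from the same network segment the advisory describes, since a firewall between the scanner and the host would make an exposed host look closed. For hosts that come back reachable and cannot be patched immediately, VMware's documented mitigation is to stop the SLP daemon and keep it from restarting (`/etc/init.d/slpd stop` and `chkconfig slpd off` on the host) and to disable the CIM SLP firewall ruleset (`esxcli network firewall ruleset set -r CIMSLP -e 0`); rerunning the scan afterwards confirms the change took effect.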

Resecurity, a California-based cybersecurity company said in January, “The actors are inviting both Russian- and English-speaking affiliates to collaborate with a big number of Initial Access Brokers (IABs) in [the] dark web.

Notably, the group behind the Nevada Ransomware is also buying compromised access by themselves, the group has a dedicated team for post-exploitation, and for conducting network intrusions into the targets of interest.”

OVHcloud, a French cloud services provider, said the attacks have been observed around the world, with Europe the most affected region. It was initially speculated that the attacks used Nevada, a Rust-based ransomware strain that surfaced in December 2022.

Bleeping Computer, an information security and technology news publication, reported however that the ransom notes seen in the attacks do not resemble Nevada's, and the strain is now being tracked under the name ESXiArgs.

Hive, Luna, BlackCat, RansomExx, Nokoyawa, and Agenda are other ransomware families that have embraced Rust in recent months.