Cyber Security Weekly Recap (14-20 Nov.)


A Malicious SEO Campaign has compromised more than 15,000 WordPress sites

Over 15,000 WordPress sites have been hijacked by a new malicious campaign that aims to redirect users to fake question-and-answer websites.

Described by Sucuri as a smart black-hat SEO tactic, these malicious redirections seem to be aimed at improving the authority of the attacker’s website for search engines.

In contrast to past attacks of this kind, which often edited just a small subset of files to leave as little of a trace as possible and remain undetected, the hackers in this campaign modified, on average, over a hundred files per website.

The attackers’ end objective, according to the research, is to attract more traffic to their phony sites and raise the sites’ authority using false search result clicks to have Google rank them higher so that they acquire more genuine organic search traffic.

Sucuri says it has not found any plugin vulnerabilities being exploited in this operation, so the exact vector by which the WordPress sites are compromised remains unclear.

Google to Pay a Privacy Fine of $391 Million for Unauthorized Location Tracking

Google has agreed to pay $391.5 million to 40 states in the United States to resolve claims that it deceived customers about the use of their location data.

Attorney General Ellen Rosenblum of Oregon said that despite customers’ best efforts to disable location tracking in their account settings, Google nonetheless secretly tracked their location.

A 2018 AP report found that Google still tracked users’ locations on Android and iOS even after they disabled “location history” in their account settings, rendering the privacy measures useless. This prompted the investigation, which led to the claims.

In accordance with the terms of the privacy settlement, Google must provide more context to users when they enable or disable location settings, refrain from obscuring important information regarding location monitoring, and provide more detail about the categories of location data gathered.

Even a small amount of location data can expose a person’s “identity and routines,” and it can be used to infer personal details, according to Rosenblum, who also claims that Google combines the location data it collects with other personal and behavioral information it collects to flesh out detailed user profiles for the purposes of ad targeting.

Investigators Find Hundreds of Amazon RDS Instances Exposing Users’ Private Information

New research from cloud incident response firm Mitiga reveals that hundreds of Amazon Relational Database Service (Amazon RDS) databases are inadvertently leaking personally identifiable information (PII) such as names, emails, phone numbers, age, marital statuses, vehicle rental details, and corporate logins.

Researchers explained that leaking PII in this way presents a potential treasure trove for threat actors. If an adversary gains access to this sensitive information, they might use it for espionage, money extortion, and more.

The Amazon Relational Database Service (RDS) is a web service that facilitates the creation of relational databases in the cloud using AWS resources provided by Amazon. It works with several database management systems. These include MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server.

The leaks originated from public RDS snapshots: a snapshot is a copy of an entire cloud-hosted database, and once it is marked public it can be copied or restored by any AWS account.
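The exposure above comes from the snapshot's "restore" attribute being shared with "all". The following check, an added example and not Mitiga's tooling, flags public manual snapshots in an account; it assumes the boto3 response shapes for describe_db_snapshots and describe_db_snapshot_attributes, and the sample data at the bottom is constructed so the parsing can be exercised offline.

```python
"""Flag Amazon RDS manual snapshots shared publicly (added example, not Mitiga's tool).

A snapshot is public when its "restore" attribute contains "all", which lets
any AWS account copy or restore it. Parsing is separated from the boto3 call
so the check runs offline on the constructed sample below.
"""

def is_public_snapshot(attributes_result: dict) -> bool:
    """True if a DBSnapshotAttributesResult dict marks the snapshot public."""
    for attr in attributes_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False

def audit_snapshots(snapshots: list, attribute_lookup) -> list:
    """Return identifiers of public snapshots.
    snapshots: DBSnapshot dicts (describe_db_snapshots shape);
    attribute_lookup: callable(snapshot_id) -> DBSnapshotAttributesResult dict."""
    return [s["DBSnapshotIdentifier"] for s in snapshots
            if is_public_snapshot(attribute_lookup(s["DBSnapshotIdentifier"]))]

def audit_account(region_name: str = "us-east-1") -> list:
    """Live check against one region; boto3 is imported here so the helpers above need no SDK."""
    import boto3
    rds = boto3.client("rds", region_name=region_name)
    pages = rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual")
    snapshots = [s for page in pages for s in page["DBSnapshots"]]

    def lookup(snapshot_id: str) -> dict:
        resp = rds.describe_db_snapshot_attributes(DBSnapshotIdentifier=snapshot_id)
        return resp["DBSnapshotAttributesResult"]
    # To remediate a finding: rds.modify_db_snapshot_attribute(
    #     DBSnapshotIdentifier=..., AttributeName="restore", ValuesToRemove=["all"])
    return audit_snapshots(snapshots, lookup)

# Constructed sample data in the shape of the RDS API responses.
SAMPLE_SNAPSHOTS = [{"DBSnapshotIdentifier": n} for n in ("crm-nightly", "rental-export", "hr-migration")]
SAMPLE_ATTRIBUTES = {
    "crm-nightly": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
    "rental-export": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    "hr-migration": {"DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
}

if __name__ == "__main__":
    # Prints ['rental-export']; call audit_account() instead to check a real account.
    print(audit_snapshots(SAMPLE_SNAPSHOTS, SAMPLE_ATTRIBUTES.__getitem__))
```

A snapshot shared with specific account IDs (like the constructed "hr-migration") is not public and is deliberately left out of the findings; review those separately if the recipient accounts are not yours.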

Attackers used the Hive ransomware to steal $100 million from over 1,300 businesses across the world

As of November 2022, the threat actors behind the Hive ransomware-as-a-service (RaaS) operation had extorted about $100 million from over 1,300 organizations across the globe, according to a joint cybersecurity advisory published by CISA.

Hive’s RaaS operation has been running since June 2021. It consists of developers who produce and maintain the malware, and affiliates who carry out the attacks on target networks, often after buying initial access from initial access brokers (IABs).

Exploiting ProxyShell vulnerabilities in Microsoft Exchange Server is a common first step of the attack, followed by stopping antivirus engines, removing backups, and clearing Windows event logs.

The threat actor has been known to delete virus definitions before encrypting data and has recently rewritten its malware in Rust to evade detection.

Meta fires employees for allegedly hijacking users’ Facebook and Instagram accounts

According to a report published by The Wall Street Journal, Meta Platforms has fired or disciplined dozens of workers and contractors over the last year for allegedly hacking and taking over customer accounts.

The publication’s cited sources and official records reveal that bribery had a role in several of these incidents.

Among those fired were contractors who served as security guards at the social media company’s offices. They had been given access to an internal tool that let them help “users they know” regain access to their accounts after forgetting their passwords or having their accounts locked for other reasons.

Meta informed the Journal that it is against the social network’s rules to sell or purchase accounts or pay for a recovery service.

Microsoft issues an alert regarding hackers spreading Royal Ransomware via Google Ads

An evolving threat activity cluster has been spotted spreading post-compromise payloads linked to the newly discovered Royal ransomware with Google Ads.

Microsoft discovered the new malware distribution mechanism in late October 2022 and has been tracking the group as DEV-0569 since then.

According to Microsoft’s Security Threat Intelligence team, DEV-0569’s activity shows continuous innovation, with new discovery tactics, defense evasion techniques, and post-compromise payloads being added regularly.

The threat actor has been linked to using malvertising to trick users into downloading malware by disguising the download URLs as genuine applications such as Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.

Google has found 34 cracked versions of the Cobalt Strike hacking toolkit in the wild

According to a recent announcement by Google Cloud, the company has discovered 34 separate cracked versions of the Cobalt Strike program in circulation, the oldest of which dates from November 2012.

Research conducted by Google’s Cloud Threat Intelligence (GCTI) team identified 275 different JAR files spanning Cobalt Strike versions 1.44 through 4.7.2, its most recent release.

Cobalt Strike, developed by Fortra, is a well-known framework used by red teams to test the strength of their cyber defenses by simulating various attack scenarios.

Due to its robust feature set, many threat actors have started using pirated copies of the software in their post-exploitation operations.

About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her focus on simplicity and well-researched information provides users with easy-to-follow IT-related tips and step-by-step tutorials.
