This month focuses on the Malicious Google Ads pushing malware-embedded software, the CISCO zero-day vulnerabilities, LabHost phishing-as-a-service website, and the ValvePress Automatic plugin vulnerability on WordPress.

Malicious Google Ads Pushing Fake IP Scanner Software with Hidden Backdoor

A new Google malvertising campaign is leveraging a cluster of domains mimicking a legitimate IP scanner software to deliver a previously unknown backdoor dubbed MadMxShell.

According to ThreatLabz Researchers; “The threat actor registered multiple look-alike domains using a typosquatting technique and leveraged Google Ads to push these domains to the top of search engine results targeting specific search keywords, thereby luring victims to visit these sites,” 

Summary

• A recent Google malvertising campaign has been identified, utilizing domains resembling legitimate IP scanner software to distribute a newly discovered backdoor named MadMxShell.
• Threat actors registered multiple look-alike domains through typosquatting techniques and utilized Google Ads to promote these domains in search engine results, targeting specific search keywords related to port scanning and IT management software.
• The campaign involved the creation of 45 fraudulent domains between November 2023 and March 2024, masquerading as software like Advanced IP Scanner and Angry IP Scanner.
• Victims are directed to bogus sites containing JavaScript code that triggers the download of a malicious file upon clicking the download button.
• The downloaded ZIP file includes a DLL file and an executable that uses DLL side-loading to activate the infection sequence, ultimately deploying the MadMxShell backdoor.
• MadMxShell employs DNS MX queries for command-and-control (C2) communication and utilizes evasive techniques like multiple stages of DLL side-loading and DNS tunneling to evade security solutions.
• Read more about it here

CISCO Zero-day Vulnerabilities

The flaws impact Cisco Adaptive Security Appliance and Firepower Threat Defense software and have been exploited in a state-sponsored campaign against global governments as far back as November 2023.

Summary

• Cisco Systems revealed two zero-day vulnerabilities affecting its Adaptive Security Appliance and Firepower Threat Defense software, exploited by a state-sponsored attacker since November.
• The campaign, named “ArcaneDoor,” targeted government networks worldwide and was executed by a previously unknown state-backed threat actor identified as UAT4356.
• Cisco’s Talos threat intelligence team led the investigation, collaborating with external partners, revealing a sophisticated espionage-focused operation.
• The attacker demonstrated an advanced understanding of the targeted devices and utilized custom tooling indicative of a sophisticated state-sponsored actor.
• Actor-controlled infrastructure was detected as early as November 2023, with peak activity occurring between December 2023 and January 2024.
• The vulnerabilities (CVE-2024-20353 and CVE-2024-20359) have a high severity rating, prompting Cisco to urge customers to upgrade to fixed software versions immediately.
• For more information, refer to the link

LabHost phishing-as-a-service

LabHost (AKA LabRat) emerged as a new PhaaS platform in late 2021, growing over time to eventually offer dozens of phishing pages targeting banks, and high-profile organizations.

Summary

• On April 18, 2024, the UK’s Metropolitan Police Service, with international law enforcement and private industry partners, shut down the Phishing-as-a-Service (PhaaS) provider LabHost, conducting related arrests.
• LabHost, also known as LabRat, emerged in late 2021, offering phishing pages targeting banks and organizations globally, boasting over 2,000 criminal users and deploying 40,000+ fraudulent sites.
• The platform facilitated various phishing activities, including obtaining two-factor authentication codes, phishing for banks and other services, and customizable phishing templates.
• LabHost simplified phishing operations, requiring only a virtual private server (VPS), offering detailed campaign statistics, and managing stolen credentials.
• Membership tiers ranged from Standard to World, with prices in bitcoin, offering different levels of targeting and active phishing pages.
• Law enforcement disrupted LabHost and its fraudulent sites, making arrests and issuing warnings to hundreds of individuals, impacting the phishing fraud ecosystem significantly.
• Trend Micro assisted in the investigation since June 2023, aiding in infrastructure investigation, phishing page analysis, user clustering, and individual user investigations.
• The operation’s success reflects collaborative efforts between law enforcement and private industry, aiming to safeguard internet users and combat phishing attacks, with ongoing monitoring and protection against similar services.
• Read more about LabHost here

ValvePress Automatic plugin vulnerability on WordPress.

WordPress disclosed a vulnerability tagged CVE-2024-27956 that targeted one of its Automatic plugins called ValvePress.

Summary

• Threat actors actively targeted and may still be targeting a critical security vulnerability (CVE-2024-27956) in the ValvePress Automatic plugin for WordPress, with a severity score of 9.9 out of 10.
• The flaw, a SQL injection (SQLi) vulnerability, affects all versions of the plugin before 3.92.0, but it’s resolved in version 3.92.1 released on February 27, 2024.
• Exploiting this vulnerability allows attackers to execute unauthorized SQL queries, create admin-level user accounts, upload malicious files, and potentially take full control of WordPress sites.
• Attackers leverage the vulnerability to conduct unauthorized database queries, create new admin accounts (e.g., with names starting with “xtw”), and install plugins to upload files or edit code, aiming to repurpose infected sites.
• To evade detection and maintain access, attackers may rename the vulnerable plugin file (“/wp-content/plugins/wp-automatic/inc/csv.php”) to obscure their activities.
• Since its public disclosure on March 13, 2024, over 5.5 million attack attempts exploiting CVE-2024-27956 have been detected, highlighting the severity of the issue.
• Additionally, other WordPress plugins like Email Subscribers, Forminator, User Registration, and Poll Maker have also been found to contain severe vulnerabilities, posing risks such as data extraction and remote code execution.
• Users of this plugin are advised to apply the latest security patches.
• Read more about the vulnerability here

Sources

• https://thehackernews.com/2024/04/malicious-google-ads-pushing-fake-ip.html
• https://www.crn.com/news/security/2024/cisco-espionage-campaign-exploited-two-zero-day-firewall-vulnerabilities?trk=article-ssr-frontend-pulse_little-text-block
• https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html
• https://thehackernews.com/2024/04/hackers-exploiting-wp-automatic-plugin.html?trk=article-ssr-frontend-pulse_little-text-block