      Hackers make millions of attempts to exploit WordPress plugin vulnerability

      news.movim.eu / ArsTechnica · 2 days ago - 19:07

    Hackers are assailing websites using a prominent WordPress plugin with millions of attempts to exploit a high-severity vulnerability that allows complete takeover, researchers said.

    The vulnerability resides in WordPress Automatic, a plugin with more than 38,000 paying customers. Websites running the WordPress content management system use it to incorporate content from other sites. Researchers from security firm Patchstack disclosed last month that WP Automatic versions 3.92.0 and below had a vulnerability with a severity rating of 9.9 out of a possible 10. The plugin developer, ValvePress, silently published a patch, which is available in versions 3.92.1 and beyond.

    Researchers have classified the flaw, tracked as CVE-2024-27956, as a SQL injection, a class of vulnerability that stems from a failure by a web application to query backend databases properly. SQL syntax uses apostrophes to indicate the beginning and end of a data string. By entering strings with specially positioned apostrophes into vulnerable website fields, attackers can execute code that performs various sensitive actions, including returning confidential data, giving administrative system privileges, or subverting how the web app works.
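The mechanism the paragraph describes, a query built by pasting user text between apostrophes, is shown below in a small added example that is not part of the Ars article and is unrelated to the WP Automatic code base. It uses Python's built-in sqlite3 module with a constructed in-memory table; the function and column names are invented for illustration. The input is a perfectly legitimate value containing an apostrophe, which is enough to break the concatenated query while the parameterized version handles it as plain data.

```python
import sqlite3

# Constructed sample data: an in-memory table standing in for a site's content index.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO posts (author, title) VALUES (?, ?)",
        [("alice", "Hello"), ("o'brien", "Apostrophes in names"), ("bob", "Second post")],
    )
    return conn


def find_posts_unsafe(conn: sqlite3.Connection, author: str) -> list:
    # Vulnerable pattern: the user-supplied value is spliced into the SQL text.
    # An apostrophe inside `author` closes the string literal early, so whatever
    # follows it is parsed as SQL syntax rather than treated as data.
    query = f"SELECT title FROM posts WHERE author = '{author}'"
    return [row[0] for row in conn.execute(query)]


def find_posts_safe(conn: sqlite3.Connection, author: str) -> list:
    # Hardened pattern: the query text is fixed and the driver binds `author`
    # as a value, so apostrophes (or anything else) can never change the syntax.
    query = "SELECT title FROM posts WHERE author = ?"
    return [row[0] for row in conn.execute(query, (author,))]


def demo() -> dict:
    """Run both variants against a plain name and a name with an apostrophe."""
    conn = build_db()
    results = {
        "safe_plain": find_posts_safe(conn, "alice"),
        "safe_apostrophe": find_posts_safe(conn, "o'brien"),
    }
    try:
        # Same legitimate input, but the concatenated query no longer parses.
        find_posts_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "query ran"
    except sqlite3.OperationalError as exc:
        results["unsafe_apostrophe"] = "syntax error: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for a reviewer is that the fix is structural: the hardened function never needs to escape or filter apostrophes because the database engine receives the value separately from the statement. The same separation is what an audit of plugin code should look for wherever request parameters reach a query.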

      Message-scraping, user-tracking service Spy Pet shut down by Discord

      news.movim.eu / ArsTechnica · 2 days ago - 18:06

    Spy Pet, a service that sold access to a rich database of allegedly more than 3 billion Discord messages and details on more than 600 million users, has seemingly been shut down.

    404 Media, which broke the story of Spy Pet's offerings, reports that Spy Pet seems mostly shut down. Spy Pet's website was unavailable as of this writing. A Discord spokesperson told Ars that the company's safety team had been "diligently investigating" Spy Pet and that it had banned accounts affiliated with it.

    "Scraping our services and self-botting are violations of our Terms of Service and Community Guidelines," the spokesperson wrote. "In addition to banning the affiliated accounts, we are considering appropriate legal action." The spokesperson noted that Discord server administrators can adjust server permissions to prevent future such monitoring on otherwise public servers.

      Millions of IPs remain infected by USB worm years after its creators left it for dead

      news.movim.eu / ArsTechnica · 3 days ago - 18:49 · 1 minute

    A now-abandoned USB worm that backdoors connected devices has continued to self-replicate for years since its creators lost control of it and remains active on thousands, possibly millions, of machines, researchers said Thursday.

    The worm—which first came to light in a 2023 post published by security firm Sophos—became active in 2019 when a variant of malware known as PlugX added functionality that allowed it to infect USB drives automatically. In turn, those drives would infect any new machine they connected to, a capability that allowed the malware to spread without requiring any end-user interaction. Researchers who have tracked PlugX since at least 2008 have said that the malware has origins in China and has been used by various groups tied to the country’s Ministry of State Security.

    Still active after all these years

    For reasons that aren’t clear, the worm creator abandoned the one and only IP address that was designated as its command-and-control channel. With no one controlling the infected machines anymore, the PlugX worm was effectively dead, or at least one might have presumed so. The worm, it turns out, has continued to live on in an undetermined number of machines that possibly reaches into the millions, researchers from security firm Sekoia reported.

      Cisco firewall 0-days under attack for 5 months by resourceful nation-state hackers

      news.movim.eu / ArsTechnica · 4 days ago - 20:55 · 1 minute

    Hackers backed by a powerful nation-state have been exploiting two zero-day vulnerabilities in Cisco firewalls in a five-month-long campaign that breaks into government networks around the world, researchers reported Wednesday.

    The attacks against Cisco’s Adaptive Security Appliances firewalls are the latest in a rash of network compromises that target firewalls, VPNs, and network-perimeter devices, which are designed to provide a moated gate of sorts that keeps remote hackers out. Over the past 18 months, threat actors—mainly backed by the Chinese government—have turned this security paradigm on its head in attacks that exploit previously unknown vulnerabilities in security appliances from the likes of Ivanti, Atlassian, Citrix, and Progress. These devices are ideal targets because they sit at the edge of a network, provide a direct pipeline to its most sensitive resources, and interact with virtually all incoming communications.

    Cisco ASA likely one of several targets

    On Wednesday, it was Cisco’s turn to warn that its ASA products have received such treatment. Since November, a previously unknown actor tracked as UAT4356 by Cisco and STORM-1849 by Microsoft has been exploiting two zero-days in attacks that go on to install two pieces of never-before-seen malware, researchers with Cisco’s Talos security team said. Notable traits in the attacks include:

      Hackers are carrying out ransomware experiments in developing countries

      news.movim.eu / ArsTechnica · 4 days ago - 13:26

    Cyber attackers are experimenting with their latest ransomware on businesses in Africa, Asia and South America before targeting richer countries that have more sophisticated security methods.

    Hackers have adopted a “strategy” of infiltrating systems in the developing world before moving to higher-value targets such as in North America and Europe, according to a report published on Wednesday by cyber security firm Performanta.

    “Adversaries are using developing countries as a platform where they can test their malicious programs before the more resourceful countries are targeted,” the company told Banking Risk and Regulation, a service from FT Specialist.

      Hackers infect users of antivirus service that delivered updates over HTTP

      news.movim.eu / ArsTechnica · 5 days ago - 21:03

    Hackers abused an antivirus service for five years in order to infect end users with malware. The attack worked because the service delivered updates over HTTP, a protocol vulnerable to attacks that corrupt or tamper with data as it travels over the Internet.

    The unknown hackers, who may have ties to the North Korean government, pulled off this feat by performing a man-in-the-middle (MitM) attack that replaced the genuine update with a file that installed an advanced backdoor instead, said researchers from security firm Avast today.

    eScan, an AV service headquartered in India, has delivered updates over HTTP since at least 2019, Avast researchers reported. This protocol presented a valuable opportunity for installing the malware, which is tracked in security circles under the name GuptiMiner.

      Windows vulnerability reported by the NSA exploited to install Russian backdoor

      news.movim.eu / ArsTechnica · 6 days ago - 20:36

    Kremlin-backed hackers exploit critical Windows vulnerability reported by the NSA

    Kremlin-backed hackers have been exploiting a critical Microsoft vulnerability for four years in attacks that targeted a vast array of organizations with a previously undocumented backdoor, the software maker disclosed Monday.

    When Microsoft patched the vulnerability in October 2022—at least two years after it came under attack by the Russian hackers—the company made no mention that it was under active exploitation. As of publication, the company’s advisory still made no mention of the in-the-wild targeting. Windows users frequently prioritize the installation of patches based on whether a vulnerability is likely to be exploited in real-world attacks.

    Exploiting CVE-2022-38028, as the vulnerability is tracked, allows attackers to gain system privileges, the highest available in Windows, when combined with a separate exploit. Exploiting the flaw, which carries a 7.8 severity rating out of a possible 10, requires low existing privileges and little complexity. It resides in the Windows print spooler, a printer-management component that has harbored previous critical zero-days. Microsoft said at the time that it learned of the vulnerability from the US National Security Agency.

      pubsub.blastersklan.com / slashdot · 6 days ago - 14:13 · 1 minute

    North Korean animators have been secretly working on major international TV shows, including an Amazon superhero series and an upcoming HBO Max children's anime, according to a report by cybersecurity researchers. The findings, detailed in a report by the Stimson Center think tank's 38 North Project and Google-owned security firm Mandiant, provide a glimpse into how North Korea can use skilled IT workers to raise funds for its heavily sanctioned regime. Researcher Nick Roy discovered a misconfigured cloud server on a North Korean IP address in December, containing thousands of animation files, including cells, videos, and notes discussing ongoing projects. Some images appeared to be from Amazon's "Invincible" and HBO Max's "Iyanu: Child of Wonder." The server, which mysteriously stopped being used at the end of February, likely allowed work to be sent to and from North Korean animators, according to Martyn Williams, a senior fellow on the 38 North Project. U.S. sanctions prohibit companies from working with North Korean entities, but the researchers say it is unlikely that the companies involved were aware of the animators' origins. The report suggests the contracting arrangement was several steps removed from the major producers.

    North Koreans Secretly Animated Amazon and Max Shows, Researchers Say
      it.slashdot.org/story/24/04/22/1335234/north-koreans-secretly-animated-amazon-and-max-shows-researchers-say

      Roku forcing 2-factor authentication after 2 breaches of 600K accounts

      news.movim.eu / ArsTechnica · Friday, 19 April - 17:09

    Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

    Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.

    In the case of the Roku attacks, that meant access to stored payment methods, which could then be used to buy streaming subscriptions and Roku hardware. Roku wrote on its blog, and in a mandated data breach report, that purchases occurred in "less than 400 cases" and that full credit card numbers and other "sensitive information" was not revealed.
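Credential stuffing, as described above, has a signature that differs from an ordinary forgotten password: one source tries many different usernames in a short time, and the occasional success is the account that needs a reset and 2FA enrolment. The following is an added example of that detection logic, not code from Roku or from the Ars article. It runs over a handful of constructed authentication log lines (timestamp, source IP, username, outcome); the format, thresholds, and function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Fields: ISO-8601 timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-04-19T17:00:01Z 203.0.113.7 alice FAIL
2024-04-19T17:00:02Z 203.0.113.7 bob FAIL
2024-04-19T17:00:02Z 203.0.113.7 carol FAIL
2024-04-19T17:00:03Z 203.0.113.7 dave FAIL
2024-04-19T17:00:03Z 203.0.113.7 erin SUCCESS
2024-04-19T17:00:04Z 203.0.113.7 frank FAIL
2024-04-19T17:00:10Z 198.51.100.9 alice FAIL
2024-04-19T17:00:15Z 198.51.100.9 alice FAIL
2024-04-19T17:00:20Z 198.51.100.9 alice SUCCESS
2024-04-19T17:05:00Z 192.0.2.44 grace FAIL
"""


def parse_line(line: str):
    """Split one log line into (datetime, ip, user, outcome)."""
    ts, ip, user, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def find_stuffing_sources(log_text: str,
                          window: timedelta = timedelta(minutes=1),
                          min_distinct_users: int = 5) -> dict:
    """Return {ip: set_of_usernames} for every source IP that attempted at least
    `min_distinct_users` different accounts inside any `window`-long span.
    A single user failing repeatedly from one IP (the 198.51.100.9 lines above)
    looks like a mistyped password, not stuffing, and is deliberately not flagged."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window forward so attempts[start:end+1] spans <= window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u, _ in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged


def compromised_accounts(log_text: str, flagged: dict) -> set:
    """Accounts that logged in successfully from a flagged source: the ones a
    responder would force to reset their password and enrol in 2FA."""
    hits = set()
    for line in log_text.strip().splitlines():
        _, ip, user, outcome = parse_line(line)
        if ip in flagged and outcome == "SUCCESS":
            hits.add(user)
    return hits


if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print("stuffing sources:", {ip: sorted(u) for ip, u in sources.items()})
    print("accounts to reset:", sorted(compromised_accounts(SAMPLE_LOG, sources)))
```

The sliding window keys on distinct usernames per source rather than on raw failure counts, which is what separates stuffing from a legitimate user retrying their own password. Mandatory 2FA, the step Roku announced, is the control that makes a stuffed password insufficient on its own; the detection above is what tells a responder which accounts were hit before that control was in place.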
