25 April 2019
Privilege escalation vulnerability in Yellow Pencil Plugin leaves thousands of WordPress sites vulnerable to attacks
A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin has exposed several WordPress sites to various attacks. The plugin is estimated to be installed on over 30,000 websites. Discovered by researchers from Wordfence, the vulnerability in the Yellow Pencil plugin can allow remote attackers to update arbitrary code and take control of websites. Experts observed a high volume of attack attempts after a security researcher publicly disclosed the Proof of Concept (PoC) for the vulnerability along with another security flaw in the plugin. “On Monday the WordPress plugin Yellow Pencil Visual Theme Customizer was closed in the WordPress.org plugin repository. The plugin is quite popular, with an active install base of over 30,000 websites. On Tuesday a security researcher made the irresponsible and dangerous decision to publish a blog post including a proof of concept (POC) detailing how to exploit a set of two software vulnerabilities present in the plugin,” said security researchers in a blog post. The privilege escalation vulnerability in question exists in the yellow-pencil.php file. It can allow unauthenticated users to perform unwanted actions such as change arbitrary options that are meant only for site administrators. Site owners running the Yellow Pencil Visual Theme Customizer plugin are urged to remove it from their sites immediately. The plugin has also been removed from the WordPress plugin repository.
‘Gnosticplayers’ hacker returns with fifth dataset containing over 65 million user accounts for sale
‘Gnosticplayers’ hacker is back with the fifth round of stolen data. This time, he has put up over 65 million user accounts on sale on the dark web forum. In the fifth round of data sale, the hacker is offering a batch of 65.5 million records on the Dream Market underground marketplace. This sums up to a total of 932 million records. In the first round, the infamous hacker had listed a batch of 620 million accounts stolen from 16 top websites. This involved the data from Dubsmash, Armor Games, 500px, Whitepages, ShareThis and more. In the second batch, Gnosticplayers had come up with a batch of 127 million records coming from eight companies. The third round contained more than 92 million hacked users’ accounts from eight new websites. In the fourth batch, the hacker had offered 26 million new accounts stolen from 6 companies such as Youthmanual, GameSalad, Bukalapak, Lifebear, EstanteVirtual, and Coubic. The latest batch of stolen users’ records belongs to six new companies. This includes:
- Mindjolt, the gaming platform;
- Wanelo, the online community for shopping;
- iCracked, the Apple repair center;
- Yanolja, the travel company;
- Evite, the e-invitations service;
- Moda Operandi, the women’s fashion store.
The hacked data is being sold for 0.8463 Bitcoin ($4,350) on the DreamMarket forum, ZDNet reported.
Attackers breached Wipro employee accounts and IT systems to launch attacks against its clients
IT services firm Wipro has disclosed today that some of its employee accounts might have been compromised due to an advanced phishing campaign. Multiple anonymous sources suggest that the hacked employee accounts and IT systems are being used to launch attacks against some of the company’s clients. Anonymous sources said that the compromised IT systems were used to target at least a dozen Wipro customer systems. However, Wipro has not commented on this. “We detected a potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign,” Wipro told Reuters. Upon learning about the employee accounts breach, the Indian IT firm has hired an independent forensic firm to assist in the investigation. However, one source familiar with the forensic investigation revealed that at least 11 other companies were attacked, as evidenced from file folders found on the attackers’ back-end infrastructure that were named after various Wipro clients. Another trusted source told KrebsOnSecurity that Wipro is now creating a new private email network is now notifying the potentially affected clients about specific “indicators of compromise,” used by threat actors that might signify an attempted or successful intrusion. “The other source said Wipro is now in the process of building out a new private email network because the intruders were thought to have compromised Wipro’s corporate email system for some time,” KrebsOnSecurity said in a blog.
Pregnancy club Bounty UK Limited fined £400,000 for acting as data broking service
Pregnancy club Bounty UK Limited has been operating as a data broking service and has illegally shared data of almost 14 million individuals with third-parties without explicit user consent. Almost 34.4 million records have been illegally shared with nearly 39 organizations including Acxiom, Equifax, Indicia, and Sky between June 2017 and April 2018. Personal data relating to pregnancy, new mothers, mothers-to-be, the birth dates, and sex of the children were shared. The Information Commissioner’s Office (ICO) conducted an investigation and found out that the Pregnancy club Bounty collected pregnancy-related data and shared with third-parties for direct electronic marketing purposes. The ICO’s findings revealed that the data was collected from those who were ‘potentially vulnerable’ through membership registration in the Pregnancy club’s website and mobile application. Data was also collected by the hospitals via merchandise claiming cards, free samples, and vouchers. Steve Eckersley, ICO’s Director of Investigations noted that the Bounty’s data handling is “careless and appear[s] to have been motivated by financial gain.” It is to be noted that the Bounty has stopped data sharing practice in April 2018 and no longer operates as a data broking service. The Bounty has acknowledged the ICO’s findings and has now made changes to its data collection and handling methods. According to BBC, Bounty has ended all relationships with data brokers. An independent data specialist is to be hired to perform an annual survey to ensure that the Pregnancy club Bounty does not operate as a data broking service again. The Information Commissioner’s Office (ICO) has imposed a fine of £400,000 against the Pregnancy club Bounty UK Limited for illegally sharing and selling data of almost 14 million individuals with third-parties.
Newly discovered RobinHood ransomware variant drops four ransom notes at once after encryption
A new ransomware named RobinHood has been found targeting computers within an entire network. The operators of the ransomware are so particular about victims’ privacy that they delete the encryption keys and IP addresses after the payment is received. The propagation method of the ransomware is unknown. However, once it is installed, RobinHood renames the encrypted files something similar to Encrypted_b0a6c73e3e434b63.enc_robinhood. After this, the ransomware drops 4 ransom note with different names at the same time. The names of these notes are _Decryption_ReadMe.html, _Decrypt_Files.html, _Help_Help_Help.html, and _Help_Important.html. The ransom notes include information regarding what happened to the victim’s files, the ransom amount and links to the TOR sites. The TOR links are the ones where the victim is required to leave a message for the attackers or where they can decrypt 3 files of up to 10MB in size for free. The ransom varies depending on the number of computers that are encrypted. “For example, in a ransom note seen by BleepingComputer, the ransom was 3 bitcoins per computer or 7 bitcoins for the network,” Bleeping Computer noted. By the fourth day, the ransom increases by $10,000 per day if the victim fails to pay on time. Once the ransom is received, the attackers delete the encryption key and IP address to protect the privacy of the victim.