In this edition of This Week in Cybersecurity, we will discuss how phishers are using Telegram to sell phishing kits and lure in inexperienced phishers. We will also cover the recent seizure of Genesis Market, a major marketplace for stolen credentials, by the FBI and international law enforcement. Additionally, we will discuss the critical vulnerability in the Elementor Pro website builder plugin for WordPress that has been exploited by unknown attackers. Finally, we will take a look at Microsoft’s legal action to seize domains related to criminal activity involving Cobalt Strike, a popular security testing application that is often abused by cybercriminals. Continue reading to learn more about these important topics and how they may impact your organization’s security posture.
Phishers' use of Telegram to offer a variety of phishing services has continued to grow over the past few years. Phishers use Telegram channels to promote their services to anyone willing to pay. These services range from creating automated phishing bots and generating phishing pages to collecting data and distributing phishing links. Within this black market, free content for aspiring phishers is also offered, along with free phishing kits and users’ personal data. The reason behind these free offers is to recruit an unpaid workforce or to bait inexperienced phishers.
In addition, paid offers for phishers on Telegram include access to phishing tools, guides for creating customized phishing pages, and phishing-as-a-service (PhaaS) subscriptions. nGuard’s wide range of security assessments includes Social Engineering. It is important for an organization to test its employees with social engineering techniques to identify potential vulnerabilities and educate them on how to recognize and respond to real-world attacks, ultimately improving the overall security posture of the organization.
Genesis Market, a major marketplace for stolen credentials of all types, was seized by law enforcement as part of Operation Cookie Monster. The marketplace was offering both consumer and corporate account identities, and the admins have not been identified or caught yet. Genesis Market was one of the most popular online shops for account credentials, device fingerprints, and cookies, and it provided access to a wide list of services with user accounts from all over the world. The seizure was possible due to international law enforcement and private sector coordination. Although some of the infrastructure has been taken offline, the platform’s site on the dark web is still reachable. The bot deployed would reside on the compromised computer and send the harvested information in real time to its buyer. Customers of the market turned a pretty penny from using the stolen digital identities.
Users can check if their accounts were compromised and sold on Genesis Market through a portal from the Dutch Police specifically built for this purpose. During nGuard’s external and internal penetration testing, we always check databases for known, leaked credentials and attempt to access users’ accounts and infrastructure should we discover any.
Unknown attackers are exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. Versions 3.11.6 and earlier are affected, with the flaw described as a case of broken access control. The issue was addressed in version 3.11.7, which was released on March 22. Successful exploitation of the high-severity flaw enables an authenticated attacker to take over a WordPress site with WooCommerce enabled. After doing so, a malicious user can set the default user role to administrator, creating an account that has administrator privileges. The attackers are also likely to redirect the site to a malicious domain or upload a malicious plugin or backdoor to further exploit the site. Users are urged to update to 3.11.7 or 3.12.0.
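A defender-side check for the conditions described above, as an added example that is not from the original newsletter or from Elementor: it flags Elementor Pro versions older than 3.11.7, a default user role of administrator, and administrator accounts created after a review baseline. The record layout, finding codes and sample sites are assumptions constructed for illustration; `default_role` is the WordPress option that holds the default role for new users.

```python
from datetime import date

FIXED = (3, 11, 7)  # first fixed Elementor Pro release named in the text above

def parse_version(text):
    """'3.11.6' -> (3, 11, 6); non-numeric suffixes like '-beta1' are ignored."""
    parts = []
    for piece in text.strip().split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))

def audit_site(site, baseline):
    """Return finding codes for one site record (field names are assumptions)."""
    findings = []
    version = site.get("elementor_pro_version")
    if version and parse_version(version) < FIXED:
        # The flaw is described as a takeover risk when WooCommerce is enabled.
        findings.append("VULNERABLE_EXPOSED" if site.get("woocommerce_active")
                        else "VULNERABLE_VERSION")
    if site.get("default_role") == "administrator":
        findings.append("DEFAULT_ROLE_ADMIN")
    for user in site.get("users", []):
        # Administrator accounts newer than the last trusted review need a look.
        if user["role"] == "administrator" and user["registered"] > baseline:
            findings.append("NEW_ADMIN:" + user["login"])
    return findings

# Constructed sample inventory, not data from any real site.
SITES = [
    {"name": "shop", "elementor_pro_version": "3.11.6", "woocommerce_active": True,
     "default_role": "administrator",
     "users": [{"login": "owner", "role": "administrator", "registered": date(2020, 1, 5)},
               {"login": "wpsupp0rt", "role": "administrator", "registered": date(2023, 4, 2)}]},
    {"name": "blog", "elementor_pro_version": "3.12.0", "woocommerce_active": False,
     "default_role": "subscriber",
     "users": [{"login": "editor", "role": "editor", "registered": date(2023, 4, 3)}]},
]

if __name__ == "__main__":
    for s in SITES:
        print(s["name"], audit_site(s, baseline=date(2023, 3, 1)))
```

The `baseline` argument is the date of the last review the administrator trusts; any finding on a site that ran an affected version warrants checking the site for unexpected plugins and redirects as well.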
WordPress is one of the most popular Content Management Systems (CMS), used by millions of websites worldwide. However, it is also one of the most targeted platforms for cyber-attacks. While WordPress is a powerful and flexible platform, it requires careful maintenance and attention to security best practices to keep it secure. nGuard commonly tests WordPress sites during external penetration testing, continuously monitors them with ongoing vulnerability management scans, and collects logs through our managed event collection and correlation service. Regular penetration testing, vulnerability scanning, and log analysis can help ensure the ongoing security and integrity of a WordPress site, protecting against data breaches, financial losses, and reputational damage.
Microsoft’s Digital Crimes Unit and the Health Information Sharing & Analysis Center have taken legal action to seize domains related to criminal activity involving cracked copies of the security testing application, Cobalt Strike. In January of 2021, nGuard wrote a detailed advisory on what Cobalt Strike is and what it is capable of. The tool is often abused by cybercriminals to carry out attacks ranging from financially motivated cybercrime to high-end state-aligned attacks. The court order names a range of entities and groups the companies allege misuse their technologies, including the LockBit and Conti ransomware groups, as well as a series of cybercrime operations. The legal order targets 16 anonymous “John Doe” actors engaged in a range of criminal behavior, from ransomware activity to malware distribution and development. This action builds on Microsoft’s pioneering use of domain seizure to disrupt the technical infrastructure malicious hackers rely on. It is likely only a first step to challenge illicit use of the hacking tool, as malicious actors will likely be able to retool their infrastructure. To simulate the same attacks executed by these malicious groups, nGuard’s Red Team Testing also uses tools like Cobalt Strike on network and system defenses. Having a Red Team assessment conducted will help enable better security by allowing your security teams to identify vulnerabilities and improve their defenses against potential attacks.