3CX hackers hit critical infrastructure and secondhand routers cause security concerns
Hackers behind the 3CX attack hit critical infrastructure, researchers discover secondhand routers with corporate secrets and the GhostToken GCP flaw. Catch all this and more in this week’s edition of Cybersecurity Weekly.
1. Hacking group behind the 3CX supply chain attack also targeted critical infrastructure
Symantec has revealed that the North Korean hackers behind last month’s 3CX breach have also targeted several critical infrastructure organizations in Europe and the U.S. The attackers used a trojanized installer for X_Trader software to deploy the multi-stage modular backdoor VEILEDSIGNAL onto victims’ systems. Among the victims were two critical infrastructure organizations in the energy sector, along with two other organizations involved in financial trading. The investigation is ongoing, and companies could face similar attacks in the future.
2. Secondhand corporate routers could allow hackers to breach enterprise networks
Cybersecurity company ESET has found that sensitive data is still accessible on used corporate routers sold on the secondary market. ESET researchers purchased 18 used core routers and discovered that most of them had not been properly wiped during the decommissioning process, with more than half still retaining full configuration data. This could lead to a breach of corporate environments or customer data if accessed by hackers. ESET has advised companies to have procedures in place to securely wipe network devices and dispose of digital equipment properly.
3. GhostToken security flaw let attackers backdoor Google accounts
Google has addressed a security vulnerability in its Cloud Platform (GCP) that gave hackers unremovable access to users’ Google accounts. Called GhostToken, the bug let attackers exploit an OAuth token linked to a third-party app installed from the Google Marketplace or other providers. After being authorized, attackers could make the malicious app invisible to the user, hiding it from the application management page. The patch enables users to remove OAuth apps in a “pending deletion” state, protecting their accounts from hijack attempts.
4. Abandoned WordPress plugin used to deploy malware on websites
Researchers have discovered a new technique threat actors use to insert malicious code into websites. Hackers have been exploiting an abandoned WordPress plugin, Eval PHP, to inject PHP code into the ‘wp_posts’ table of targeted websites. The plugin was last updated a decade ago and allows site administrators to insert PHP code into WordPress websites. The attackers use [evalphp] shortcodes to introduce PHP code and install a backdoor, 3e9c0ca6bbe9.php, in the site root. This technique enables them to compromise clean sites while keeping the attack largely hidden.
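A defender reviewing a site for this technique wants to know which rows of wp_posts carry an [evalphp] shortcode and what PHP sits inside it. The scanner below is an added example written for this roundup, not code from the researchers or the plugin; the wp_posts rows are constructed sample data, and the "writes files" flag is a review heuristic, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample rows, shaped like SELECT ID, post_status, post_content FROM wp_posts.
# The PHP bodies are harmless placeholders, not the real payload.
SAMPLE_WP_POSTS = [
    {"ID": 101, "post_status": "publish",
     "post_content": "<p>Welcome to our site!</p>"},
    {"ID": 102, "post_status": "draft",
     "post_content": "[evalphp] echo 'placeholder'; [/evalphp]<p>Draft text</p>"},
    {"ID": 103, "post_status": "publish",
     "post_content": "<p>About</p>[EvalPHP]\n"
                     "file_put_contents('placeholder.php', '');\n[/evalphp]"},
]

# Eval PHP wraps code in [evalphp] ... [/evalphp]. Match case-insensitively and
# across newlines, since WordPress shortcode tags are case-insensitive and the
# embedded code may span several lines.
EVALPHP_RE = re.compile(r"\[evalphp\](.*?)\[/evalphp\]", re.IGNORECASE | re.DOTALL)

# Heuristic: PHP functions that write to disk are what an attacker needs to drop
# a file such as a backdoor into the site root. Treat a hit as "review first".
FILE_WRITE_RE = re.compile(r"\b(file_put_contents|fwrite|fopen|move_uploaded_file)\b")


def find_evalphp_shortcodes(rows: List[Dict]) -> List[Dict]:
    """Return one finding per [evalphp] shortcode, regardless of post_status.

    Every post is checked, not only published ones, so that injected code
    parked in drafts or revisions is surfaced for review as well.
    """
    findings = []
    for row in rows:
        for match in EVALPHP_RE.finditer(row["post_content"]):
            body = match.group(1).strip()
            findings.append({
                "ID": row["ID"],
                "post_status": row["post_status"],
                "code_len": len(body),
                "writes_files": bool(FILE_WRITE_RE.search(body)),
                "snippet": body[:80],
            })
    return findings


if __name__ == "__main__":
    for finding in find_evalphp_shortcodes(SAMPLE_WP_POSTS):
        print(finding)
```

Any finding is worth removing along with the plugin itself; a finding flagged as writing files is also a prompt to check the site root for files that do not belong to the install.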
5. University websites hacked to serve gift card and Fortnite spam
Researchers have found that documentation and Wiki pages of several U.S. universities, including Caltech, Stanford, MIT and Berkeley, have been hacked for a malicious campaign. These domains load fake Fortnite pages, effectively phishing for user credentials or asking users to complete surveys to earn gift cards. The campaign seems to have primarily targeted university websites built with MediaWiki, but some government websites were also hit by the same threat actors. It is still unclear how the spammers are exploiting the vulnerabilities in the platforms.