Archive for April 30, 2020

The “Real-Time Find and Replace” WordPress Plugin Updated To Address A High Severity Vulnerability



So as to address a high severity vulnerability, the “Real-Time Find and Replace” WordPress plugin was updated as of late in order to forestall the exploitation to infuse code into sites.

The plugin, accessible as open source and has over 100,000 installations is intended to permit WordPress site admins to dynamically supplant HTML content from themes and different plugins with the content on their personal preference before the page is served to users.

The vulnerability recognized by the name of 'Cross-Site Request Forgery (CSRF)' prompting Cross-Site Scripting (XSS), could have permitted an attacker to infuse malignant JavaScript code on a target site, yet just by fooling the administrator into performing explicit actions, such as clicking a link.

The core of the plugin's 'functionality' for including the find and replace rules in the function far_options_page, which didn't confirm the integrity of a request's source, since it didn't utilize nonce verification, WordPress Security Company Defiant had discovered.

 By supplanting an HTML tag like <head> with noxious JavaScript, an attacker would ensure that their code executes on about each page of the targeted site. Utilizing the infused code, the attacker could make another administrative account; steal session cookies, or direct clients to a malevolent site.

Defiant detailed the vulnerability to the plugin's developer on April 22 and the security flaw was tended to the same day.

The security company Defiant says, “Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content. ”

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explained further.

Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.

The UK Government Vs Apple & Google API on the New COVID-19 App That Tells Who Near You is Infected!



Reportedly, the United Kingdom declared that their coronavirus tracing application is being run via centralized British servers and that’s how they are planning to take things forward and not via the usual “Apple-Google approach” which is a preferred one for most.

Per sources, the CEO of the Tech unit of the National Health Service mentioned that their new smartphone app will have its launching in the upcoming weeks, with the hopes of helping the country return to normalcy by beating coronavirus.

According to reports, the UK government believes that the contact-tracing protocol created by Apple and Google protects user privacy “under advertisement only”. Hence the British health service supports a system that would send the data of who may have the virus to a centralized server giving all the controls in the hand of the NHS.

The way of the NHS and that of Apple and Google, work via Bluetooth by putting a cell-phone on the wireless network, having it emit an electronic ID that could be intercepted by other phones in the vicinity. If a person tests positive for COVID-19 their ID would be used to warn the others near them.

Meaning, if you were near an affected person, your phone would show flags about their being infected, you’d be notified about it and if you may have caught the novel coronavirus you’d be alerted about that too, mention sources.

Per reports, Google and Apple especially had created an opt-in pro-privacy API for Android and iOS. The feature allows the user’s phone to change its ID on other phones near them and store it across different intervals of time.

Per sources, if a person is discovered to have COVID-19 they can allow the release of their phone’s ID to a decentralized set of databases looked over by healthcare providers and the nearby users would be notified about it.

The above-mentioned approach works best to help ensure that the users aren’t tracked by exploiting the above information. Google and Apple say that their protocol would make it next to impossible for them, the governments, and mal-actors to track people. The data wouldn’t leave the user’s phone unless they want it to, that too anonymously if and when.


A person, to declare themselves infected must enter a specific code from a healthcare provider after being tested positive which is a great way to curb fraudulent announcements about being infected.

The NHS, on the other hand, thought of proposing a centralized approach that makes the government, the party that has the coronavirus related details of all the users on their database for further analysis.

Per sources, for this application to be successful 60% of a population would have to download it and opt for it. Trust plays a major role here, if the users don’t trust the app it would be of no use to others either.

Reports mention that most countries prefer the Google and Apple method better, including Switzerland, Austria, and Estonia. Germany too is in strong support of a decentralized line whereas France had to face criticism for its inclination towards the centralized approach.

Nevertheless, the NHS is hell-bent on going forward with the centralized approach and is adamant that it will safeguard the privacy of people no matter what. In the centralized way of things, the NHS would capture all the IDs of phones with the app active on them and store the details on their database. Later on, if a user is found to be infected the NHS would make the call about all the hows, whens, and ifs of the warning procedure on the other phones.

If things were to work out the way NHS wants it to, the application would advise users to take steps to help them save themselves against the virus, like self-isolating if need be. The advice notified would be customized per the situation. They would also build a better database and help people with first-hand updates. People could also voluntarily provide detailed information about themselves to make the app’s experience more comprehensive.

Moreover, the centralized system would be way easier for conducting audits and analysis of the data that has been stored in the databases for further research about users that are at most risk.

But regardless of all the superficial advantages, the NHS would still be creating a database bursting with people’s personal information like their health statuses, their movements, and that too with the government having complete control of it.

The success of the entire operation dwells on the people’s trust in the NHS, the UK government, and the governments of all the countries for that matter who have opted for the centralized system.

Google Confirms Two New High-Severity Vulnerabilities in Chrome 81


The new Chrome 81 version released on April 7th by Google for Windows, Mac, and Linux primarily focused on security owing to the vulnerability users are subjected to due to the coronavirus pandemic. The launch of the update was delayed for similar reasons. It brought along new features, bug fixes, and over 30 security flaw patches from Google's security researchers and some experts from outside.

The new Chrome 81 version is being promoted to the Stable channel, meanwhile, Chrome 83 and Chrome 84 will be promoted to the Beta version and the Canary version respectively. As per sources, Chrome 82 will be disregarded because of the COVID-19 charged atmosphere, and all progress from the version will be channelized into the subsequent version, Chrome 83.

While warning users of more security flaws in Chrome 81, Google confirms two new high-severity vulnerabilities infecting the web browser. As these new security exploits could allow hackers to run commands over an affected system by gaining unauthorized control, users worldwide are being advised by the U.S Cybersecurity and Infrastructure Security Agency (CISA) to apply the latest update launched by the company in defense against these security vulnerabilities.

Both of the aforementioned security vulnerabilities were reported by Zhe Jin from Qihoo 360, a Chinese internet security services provider; for one of these, Jin received a bounty of $10,000 for CVE-2020-6462 which is a use-after-free error in the Chrome task scheduling component. The second one, CVE-2020-6461 was also of a similar use-after-free form but this one affected storage, according to the update notice from Prudhvikumar Bommana, Google Chome Technical Program Manager. 

Google has confirmed that the update will be pushed for all the users in the upcoming days and weeks, however, users are advised to remain proactive and keep looking up for updates to be applied manually by going to Help | About Google Chrome, where you can find the version you are currently running and an option to check for further updates. After installing the latest version, simply restart the web browser, and there you go being safeguarded against both the flaws.

Banking Sector suffered more Credential Stuffing than DDoS Attacks


According to F5's cybersecurity agency's report published recently, the financial sector has been a victim of severe credential stuffing attacks than the DDoS attacks in the last three years. The statistics included attacks against the financial industry as a whole. It recorded attacks against the banks, credit unions, insurance companies, broker agencies, and other services like Saas (Software as a Service) and payment processors.


The report's conclusion rejects the common belief that the financial sectors suffer the most from DDoS attacks, as other prominent threat actors are emerging. Reports say that in recent times, brute force attacks, ATO (Account Takeover) attacks, credential stuffing attacks have done more considerable damage on the financial sectors than DDoS, from the year 2017-19.
The ATO attacks include:

  • Credential Stuffing- When the hackers try to attacks by using leaked usernames and passwords they find on websites. 
  • Brute Force Attacks- Hackers use very common or weak passwords from a list to carry out brute attacks. 
  • Password Spraying- Hackers use the same passwords but against many individuals. 
Similarities between Credential Stuffing and DDoS attacks 
According to F5's reports, the DDoS attacks surged in the year 2019, but these figures cant be entirely accurate. Some credential-stuffing and brute force attacks are so fast and destructive that they are sometimes mistaken for DDoS attacks. The reason for the rapid rise of credential stuffing and brute force attacks is because the availability of leaked usernames and passwords is getting shorter and shorter. Due to scarcity in leaked passwords, the hackers are trying to get as much as they can from the attacks, hence the increase. 

Banks in North America a bigger target
According to the experts, North American banks have witnessed the highest number of brute force and credential stuffing attacks because of the availability of leaked passwords and credentials of the North American users on the websites since the last decade. "The combination of a global rise in DoS attacks and an increasing focus in North America on credential-based attacks suggests some ambivalence among attackers regarding the best strategies for extracting value from financial services targets," concludes F5 in its report.

Lucy: A File Encryption Android Malware that for Ransomware Operations


A malware that attacks Android smartphones has increased its Maas (malware-as-a-service) operations with file encryption capabilities to carry out ransomware attacks.


The malware, according to cybersecurity experts, is called "Lucy." The Lucy gang is a group of Russian hackers who became famous two years ago by launching the Black Rose Lucy service, a malware that allowed Botnet attacks on android smartphones.

According to Checkpoint Research, "Because the Android accessibility service can mimic a user's on-screen click, this is the crucial element for Black Rose to carry out malicious activities. Once the accessibility service is enabled, Black Rose can quickly shuffle through screens to grant itself device admin privileges." 

The Lucy service allows its users to attach files on vulnerable devices, which ask for $500 as a ransom in the browser window. The message says that it comes from the FBI, and the user must pay the ransom because he is found guilty of storing adult content on his android smartphone.

The FBI note here aims to frighten the victims into paying the ransom to hackers. The hackers demanding payment from their victims based on legal consequences is blackmail, as it is entirely unethical. The victims are blackmailed for storing pornographic content and visiting adult websites.

To make the ransom more serious and believing, the hackers say that they have the victim's photograph and location, which they have posted on the FBI's criminal investigation website. The ransom should be paid within three days of the notification, if not, the penalty triples, says the message warning.


It may sound strange, but the hackers don't demand cryptocurrency payments. Instead, they ask for credit card credentials, which is odd because, in most of the cases, the ransom is asked in terms of cryptocurrency as it is easy to cash in.

According to Check Point Research's 2010 data, "The Black Rose dropper family samples we acquired disguise either as an Android system upgrade or image files. Samples primarily leverage Android's accessibility service to install their payload without any user interaction and forge an interesting self-protection mechanism.