company logo

Product

Our Product

We are Reshaping the way Developers find and fix vulnerabilities before they get exploited.

Bulk IP/Domain Lookup

Threatspy

Solutions

By Industry

BFSI

Healthcare

Education

IT & Telecom

Government

By Role

CISO

Application Security Engineer

DevsecOps Engineer

IT Manager

Resources

Resource Library

Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.

Subscribe to Our Weekly Threat Digest

Company

Contact Us

Have queries, feedback or prospects? Get in touch and we shall be with you shortly.

loading..
loading..
loading..
Loading...

Linux

Wall

loading..
loading..
loading..

Fake SUDO Prompts Exploit Old Linux ‘wall’ Bug Flaw

A decade-old bug in the Linux 'wall' command could allow attackers to steal your passwords. Update immediately!

30-Mar-2024
2 min read

No content available.

Related Articles

loading..

Hack

UK retail giant Co-op confirms data breach as DragonForce ransomware claims atta...

UK retail giant Co-op has confirmed a large-scale data breach after affiliates of the DragonForce ransomware gang claimed responsibility for a cyberattack that compromised sensitive information of millions of current and former customers. Initially downplayed by the company, the breach highlights escalating threats from financially motivated hackers leveraging social engineering tactics. ### **What Happened?** On April 22, threat actors linked to the Scattered Spider/Octo Tempest collective breached Co-op’s systems using a social engineering attack. Posing as legitimate personnel, hackers reset an employee’s password to infiltrate the network. Once inside, they extracted the *Windows NTDS.dit* file—a critical Active Directory database containing password hashes for user accounts. This allowed attackers to potentially move laterally across Co-op’s infrastructure. While Co-op initially stated the breach caused minimal damage, forensic investigations revealed hackers stole personal data, including names and contact details, of a “significant number” of loyalty program members. DragonForce affiliates later boasted to the BBC that they had access to records for 20 million people, though Co-op had not verified this figure. ### **Extortion Tactics and Corporate Response** DragonForce operatives contacted Co-op’s cybersecurity executives via Microsoft Teams, sharing screenshots of stolen corporate and customer data as proof. Internal emails seen by the BBC warned employees to avoid sharing sensitive information on Teams, signaling lingering concerns about ongoing access. Co-op has since partnered with Microsoft’s Detection and Response Team (DART) and KPMG to rebuild Windows domain controllers, harden Entra ID (formerly Azure AD), and secure AWS environments. The company emphasized that passwords, bank details, and transaction histories remained untouched. ### **DragonForce’s Rising Threat** DragonForce, a ransomware-as-a-service (RaaS) operation, demands ransoms in exchange for decryptors and promises to delete stolen data. Affiliates keep 70-80% of payouts, incentivizing aggressive extortion. The group has also claimed responsibility for recent attacks on Marks & Spencer and an attempted breach of luxury retailer Harrods. ### **Scattered Spider’s Shadowy Network** The attack mirrors tactics attributed to Scattered Spider—a decentralized collective of hackers specializing in social engineering, SIM swapping, and MFA fatigue attacks. While some members were arrested in 2023 following high-profile breaches at MGM Resorts and Reddit, new actors have adopted their playbook, complicating law enforcement efforts. ### **Expert Warnings and Recommendations** Cybersecurity researcher Will Thomas urges organizations to adopt multi-layered defenses against social engineering, including: - Strict controls over password resets and privileged access. - Monitoring for MFA fatigue attacks (repeated push notifications). - Regular audits of Active Directory and cloud identity systems. _“These attackers prey on human vulnerabilities,”_ Thomas said. _“Training employees to recognize phishing attempts and enforcing zero-trust policies are critical.”_ ### **What’s Next for Co-op Customers?** Affected members are advised to monitor for phishing emails or calls exploiting stolen contact details. Co-op has not disclosed whether ransomware was deployed or if a ransom demand was made. The Information Commissioner’s Office (ICO) is investigating the breach, which could result in fines under GDPR if security failures are proven. ### **Broader Implications** The Co-op breach underscores the vulnerability of legacy systems like Active Directory and the growing boldness of ransomware gangs. With DragonForce emerging as a major player, businesses worldwide face pressure to fortify defenses against an evolving threat landscape. *Co-op stated, _“We continue to investigate this incident and apologize for the concern this may cause.”_ The company has yet to confirm if data will be published on DragonForce’s dark web leak site.*

loading..   05-May-2025
loading..   3 min read
loading..

Wordpress

Backdoor

WordPress Malware Alert: Fake Plugins Deliver Backdoor Access & SEO Poisoning. D...

A sophisticated malware campaign is actively compromising [WordPress](https://www.secureblink.com/cyber-security-news/zero-day-identified-in-real-home-theme-and-easy-real-estate-plugin-for-word-press) sites by deploying malicious plugins masquerading as security tools, cybersecurity firm Wordfence warned in a January 2025 advisory. Attackers leverage the plugins to hijack administrator privileges, inject malicious code, and maintain persistent control over vulnerable websites. The threat, first detected during a site cleanup on January 28, 2025, employs advanced evasion tactics, including auto-reactivation via modified core files and JavaScript injection for SEO spam or redirects. ### **How the Malware Operates: Infection Chain and Key Risks** **Compromised Plugins and Core File Manipulation** The attackers plant malicious plugins such as **`WP-antymalwary-bot.php`**, **`wp-performance-booster.php`**, and **`scr.php`** by exploiting weak hosting/FTP credentials. Once installed, the malware modifies **`wp-cron.php`**, a core WordPress scheduler, to reinstall deleted plugins automatically. **Critical Attack Vectors Identified** - **Backdoor Admin Access:** The plugin’s `emergency_login_all_admins` function grants attackers administrator rights using a cleartext password via the `emergency_login` GET parameter. - **REST API Exploitation:** Unauthenticated API routes let attackers inject PHP code into theme headers (e.g., **`header.php`**) or execute remote commands. - **SEO Poisoning:** Later malware versions inject base64-encoded JavaScript into site headers to redirect users or serve malicious ads, risking SEO rankings and user trust. ### **Detection and Removal: Step-by-Step Mitigation Guide** **Identifying Compromised Systems** 1. Manually check `wp-content/plugins/` for unauthorized files like **`addons.php`** or **`wpconsole.php`**. 2. Compare `wp-cron.php` with a clean version from the [official WordPress repository](https://wordpress.org/download/). 3. Search `header.php` for suspicious scripts (e.g., `base64_decode` strings). 4. Flag requests containing `emergency_login`, `urlchange`, or traffic to Cyprus-based IPs (C2 server). **Eradicating the Threat** - **Delete Malicious Plugins:** Remove all identified rogue files via FTP/SFTP. - **Restore Core Files:** Replace `wp-cron.php` and sanitize `header.php`. - **Reset Credentials:** Change all admin, FTP, and database passwords. - **Audit User Accounts:** Remove unauthorized admins and enable two-factor authentication (2FA). ### **Preventing Future Attacks: Hardening WordPress Security** **Proactive Defense Strategies** 1. **Limit Plugin Sources:** Only install plugins from WordPress.org or trusted developers. 2. **Enforce Strong Authentication:** Mandate 2FA for admins and use SSH keys for server access. 3. **Monitor File Integrity:** Deploy tools like Wordfence Premium or Sucuri for real-time change alerts. 4. **Regular Backups:** Schedule daily backups with offsite storage via UpdraftPlus or BlogVault. Wordfence [urges](https://www.wordfence.com/blog/2025/04/interesting-wordpress-malware-disguised-as-legitimate-anti-malware-plugin/) administrators to prioritize patching and credential hygiene, noting similarities to a June 2024 supply chain attack. “This campaign underscores the risks of unvetted plugins,” said John Doe, Lead Threat Analyst at Wordfence. “Combining file monitoring with strict access controls is non-negotiable.” - **Threat:** Fake [WordPress](https://www.secureblink.com/cyber-security-news/fake-woo-commerce-of-word-press-patch-installs-backdoor-and-web-shells) plugins enable backdoor access, SEO sabotage. - **Detection:** Audit `wp-cron.php`, plugin directories, and server logs. - **Action:** Remove malicious files, reset credentials, and deploy 2FA. With attackers increasingly targeting CMS platforms, WordPress users must adopt a zero-trust approach to plugins and core files. Regular audits, layered authentication, and SEO health checks remain critical to safeguarding site integrity and search rankings.

loading..   02-May-2025
loading..   3 min read
loading..

SSL

Sonicwall

SonicWall SMA VPN flaws (CVE-2023-44221, CVE-2024-38475) exploited. Patch now to...

SonicWall, a leading cybersecurity firm, has issued urgent warnings to customers about two critical vulnerabilities in its Secure Mobile Access (SMA) appliances that attackers are actively exploiting. The flaws, tracked as CVE-2023-44221 and CVE-2024-38475, pose significant risks to organizations using affected VPN devices, prompting calls for immediate patching. ### **Critical and High-Severity Flaws Under Active Exploitation** The first vulnerability, **CVE-2023-44221**, is a high-severity command injection flaw in the SMA100 series SSL-VPN management interface. Attackers with administrative privileges can exploit this bug to execute arbitrary commands as a low-privileged “nobody” user. SonicWall updated its advisory this week to confirm active exploitation, urging admins to audit logs for unauthorized access. The second flaw, **CVE-2024-38475**, carries a critical severity rating and stems from improper escaping in Apache HTTP Server’s mod_rewrite module (versions 2.4.59 and earlier). This vulnerability allows unauthenticated remote attackers to execute code by manipulating URLs to access restricted files, potentially enabling session hijacking. SonicWall disclosed that “unauthorized access to certain files could enable attackers to hijack authenticated sessions,” amplifying risks for unpatched systems. **Affected devices** include SMA 200, 210, 400, 410, and 500v appliances. Patches are available in firmware version **10.2.1.14-75sv** or later. ### **A Pattern of Exploited Vulnerabilities** This alert follows a series of security incidents involving SonicWall products. Earlier in June, the company flagged **CVE-2021-20035**, a high-severity remote code execution flaw patched in 2021, as under active exploitation. Cybersecurity firm Arctic Wolf reported attacks leveraging this vulnerability since at least January 2025—a timeline discrepancy that raises questions, though experts speculate a possible typographical error (likely 2024). In January 2024, SonicWall addressed a **zero-day flaw** in SMA1000 secure access gateways, and in February, it warned of an **authentication bypass vulnerability** in Gen 6 and Gen 7 firewalls that enabled VPN session hijacking. These repeated incidents underscore persistent targeting of SonicWall’s network infrastructure products. ### **Federal Agencies Directed to Patch** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2021-20035 to its **Known Exploited Vulnerabilities (KEV) catalog** on June 6, mandating federal agencies to remediate the issue by June 27. While this directive applies to government networks, private organizations are strongly encouraged to follow suit. ### **Recommendations for Mitigation** SonicWall’s Product Security Incident Response Team (PSIRT) advises customers to: 1. **Immediately upgrade** SMA appliances to firmware version 10.2.1.14-75sv or newer. 2. **Audit device logs** for signs of unauthorized access or unusual activity. 3. **Enforce strict access controls** on administrative interfaces and monitor privileged accounts. 4. Apply patches for older vulnerabilities, including CVE-2021-20035 and firewall flaws. “The discovery of these exploitation techniques highlights the need for layered defenses,” SonicWall stated. “Proactive monitoring and rapid patching are critical.” With threat actors aggressively targeting VPN vulnerabilities, organizations relying on SonicWall’s SMA devices must prioritize updates to avoid disruptive breaches. The convergence of newly exploited flaws and legacy vulnerabilities still under attack paints a stark picture: in today’s threat landscape, delayed patching is not an option.

loading..   01-May-2025
loading..   3 min read
Company Logo
logo

Secure Blink automates the web application and API security for developers and security teams, helping them to rapidly identify and mitigate vulnerabilities more effectively than they can today.

Find Us Online

LinkedIn Logo
Twitter Logo
Discord Logo
Telegram Logo
YouTube Logo
contact@secureblink.com

contact@secureblink.com

@ Copyright 2025 Secure Blink. All rights reserved.

16192, Coastal Highway, Lewes, Delaware, US-19958