Security News > 2020 > November

Ultimate Member Plugin for WordPress Allows Site Takeover
2020-11-09 19:13

"The Ultimate Member plugin is designed to provide administrators with features for user registration and account creation. The disclosed vulnerabilities included unauthenticated privilege escalation by sending arbitrary data in the user meta keys during registration or supplying an incorrect role parameter exposed by a lack of user input filtering. The third disclosed vulnerability involves gaining authenticated privilege escalation by abusing the profile update feature, where attackers can assign secondary admin roles to users without appropriate checks." "An attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges," according to Wordfence.

Naked Security Live – Shop safe online (you know why!)
2020-11-09 19:01

Did you know you can join us for a live cybersecurity lecture every Friday? Thanks for watching, and hope to see you online later this week!

WordPress plugin bugs can let attackers hijack up to 100K sites
2020-11-09 18:29

Admins of WordPress sites who use the Ultimate Member plugin are urged to update it to the latest version to block attacks attempting to exploit multiple critical, easy-to-exploit vulnerabilities that could lead to site takeovers. In a report published earlier today by Wordfence's Threat Intelligence team, threat analyst Chloe Chamberland said that the three security flaws disclosed by Wordfence could have allowed attackers to escalate their privileges to admin level and fully take over any WordPress site using a vulnerable Ultimate Member installation.

FTC Says Zoom Misled Users on Its Security for Meetings
2020-11-09 18:12

Federal regulators are requiring Zoom to strengthen its security in a proposed settlement of allegations that the video conferencing service misled users about its level of security for meetings. A complaint filed by the agency accused Zoom of deceiving users over security since at least 2016.

Malicious NPM project steals Discord accounts, browser info
2020-11-09 17:37

A heavily obfuscated, malicious NPM project is being used to steal Discord user tokens and browser information from unsuspecting users. Because NPM is an open registry, it is becoming common for malicious actors to upload malicious modules that steal data, download and execute programs, or perform malicious behavior when used in other projects.

RansomEXX trojan variant is being deployed against Linux systems, warns Kaspersky
2020-11-09 17:12

A trojan targeting Linux and deployed by a known ransomware gang has been discovered by Russian antivirus firm Kaspersky. The trojan was, so the two said, similar to the existing RansomEXX trojan, which they said had been deployed only last week against Brazil's courts, as well as targets in the US and elsewhere.

New Slipstream NAT bypass attacks to be blocked by browsers
2020-11-09 16:09

Web browser vendors are planning to block a new attack technique that would allow attackers to bypass a victim's NAT, firewall, or router to gain access to any TCP/UDP service hosted on their devices. To expose hosted services, the attack abuses certain NAT devices scanning port 5060 to create port forwarding rules when detecting maliciously crafted HTTP requests camouflaged as valid SIP requests.

Rights Activists Slam EU Plan for Access to Encrypted Chats
2020-11-09 15:59

Digital rights campaigners on Monday criticized a proposal by European Union governments that calls for communications companies to provide authorities with access to encrypted messages. The plan, first reported by Austrian public broadcaster FM4, reflects concern among European countries that police and intelligence services can't easily monitor online chats that use end-to-end encryption, such as Signal or WhatsApp.

Microsoft Exchange Attack Exposes New xHunt Backdoors
2020-11-09 15:53

Two never-before-seen PowerShell backdoors have been uncovered, after researchers recently discovered an attack on Microsoft Exchange servers at an organization in Kuwait. The attack used two newly discovered backdoors: one that researchers called "TriFive," and the other, a variant of a previously discovered PowerShell-based backdoor, which they called "Snugy."

Somebody's Russian to meddle with UK coronavirus vaccine efforts, but GCHQ won't take it lying down
2020-11-09 15:52

British eavesdropping agency GCHQ is actively hacking Russian attempts to undermine coronavirus vaccine efforts, according to The Times. Some weeks ago a Russian misinformation campaign was brought to light, again by The Times, aiming to sow distrust of the safety and efficacy of a COVID-19 vaccine being developed by drug company AstraZeneca and Oxford University in the UK. The campaign reportedly claimed that because AZD1222 uses a replication-deficient chimpanzee viral vector, it could "turn people into monkeys".