Yandex source code leaked, 4500+ WordPress sites hacked and the new SwiftSlicer malware
An ex-employee leaks a Yandex source code repository, malware campaign infects over 4,500 WordPress sites and the new SwiftSlicer wiper tool. Catch all this and more in this week’s edition of Cybersecurity Weekly.
1. Yandex blames former employee for source code leak, denies hack
A former Yandex employee has allegedly stolen the company's source code repository. The leaker recently posted a magnet link on a popular hacking forum, claiming it points to 44.7 GB of Yandex git sources taken from the Russian technology company. Security researcher Arseniy Shestakov analyzed the leaked repository and found that it contains code and technical data for various Yandex products, including the Yandex search engine. Yandex has officially stated that its systems were not hacked and attributes the leak to a former employee.
2. Over 4,500 WordPress sites have been compromised in a widespread malware operation
A widespread campaign, part of a long-running operation thought to have been active since 2017, has infected over 4,500 WordPress websites. According to the cybersecurity company Sucuri, the campaign injects obfuscated JavaScript that redirects visitors to malicious websites. When unsuspecting users land on one of these sites, a traffic direction system triggers a redirect chain that leads victims to webpages serving sketchy ads, ironically for products that claim to block unwanted ads.
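The report describes injected, obfuscated JavaScript that redirects visitors. The following scanner is an added example, not Sucuri's tooling or anything from the campaign: it walks a WordPress install and flags script blocks in which several generic obfuscation and redirect markers co-occur. The indicator set, the two-hit threshold and the sample footer files are assumptions constructed for this example, not indicators published for this operation.

```python
import os
import re
from dataclasses import dataclass, field

# Heuristic indicators of obfuscated, redirecting JavaScript. These patterns are
# generic obfuscation/redirect markers chosen for this example (an assumption),
# not indicators published for the Sucuri-reported campaign.
INDICATORS = {
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "decode_call": re.compile(r"\b(?:unescape|atob)\s*\(", re.I),
    "redirect": re.compile(
        r"(?:window|document|top)\.location(?:\.href)?\s*=|location\.replace\s*\(", re.I),
    "hex_blob": re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I),
    "long_token": re.compile(r"[A-Za-z0-9+/=]{120,}"),
}

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


@dataclass
class Finding:
    path: str
    offset: int          # character offset of the suspicious script in the file
    indicators: list = field(default_factory=list)


def script_bodies(path, text):
    """Yield (offset, body) for each script to inspect: the whole file for .js,
    the contents of every <script> element for PHP/HTML."""
    if path.lower().endswith(".js"):
        yield 0, text
        return
    for m in SCRIPT_RE.finditer(text):
        yield m.start(), m.group(1)


def scan_text(path, text, min_hits=2):
    """Flag a script when at least `min_hits` indicators co-occur in it;
    requiring two reduces false positives from a single benign match."""
    findings = []
    for offset, body in script_bodies(path, text):
        hits = [name for name, rx in INDICATORS.items() if rx.search(body)]
        if len(hits) >= min_hits:
            findings.append(Finding(path, offset, hits))
    return findings


def scan_tree(root, exts=(".php", ".js", ".html"), min_hits=2):
    """Walk a WordPress install (themes, plugins, uploads) and scan every file
    with one of `exts`. Undecodable bytes are ignored rather than aborting."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    findings.extend(scan_text(path, fh.read(), min_hits))
    return findings


# Constructed samples (not real campaign code): a clean theme footer and one
# carrying an obfuscated redirect of the general shape described in the report.
CLEAN_FOOTER = """<?php wp_footer(); ?>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script>document.getElementById("year").textContent = new Date().getFullYear();</script>
"""

INJECTED_FOOTER = """<?php wp_footer(); ?>
<script>var _0x1a=eval(String.fromCharCode(119,105,110,100,111,119));
window.location.href="https://redirect.example.invalid/landing";</script>
"""

if __name__ == "__main__":
    for f in scan_text("wp-content/themes/demo/footer.php", INJECTED_FOOTER):
        print(f"{f.path}@{f.offset}: {', '.join(f.indicators)}")
```

Run `scan_tree("/var/www/html")` against a real install to get a list of `Finding` records; anything flagged should be compared against a known-good copy of the theme or plugin rather than deleted blindly, since minified legitimate libraries can also trip individual indicators.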
3. Hackers use new SwiftSlicer wiper malware to attack Ukraine
ESET researchers have identified a new wiper being used in attacks against Ukrainian organizations. Dubbed SwiftSlicer, the malware is written in Go, a versatile, cross-platform programming language. Researchers state that once SwiftSlicer is executed on a targeted organization's network, it deletes shadow copies, overwrites files in the Windows CSIDL_SYSTEM drive and on other non-system drives using 4,096-byte blocks, and then reboots the PC. ESET has attributed the attack to the Sandworm APT group.
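The behaviour ESET describes, shadow copies deleted and then a reboot, is observable in endpoint telemetry even before the overwrite is noticed. The detection below is an added example, not ESET's code and not derived from the SwiftSlicer sample: it assumes process-creation records (for instance Sysmon Event ID 1 or Windows Security event 4688) reduced to dicts with a timestamp, host, parent image and command line, and raises severity when a shadow-copy deletion on a host is followed by a reboot command within a short window. The sample events are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Assumption for this example: process-creation telemetry (e.g. Sysmon Event
# ID 1 or Windows Security 4688) already reduced to dicts with an ISO-8601
# timestamp, host name, parent image and command line.
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*?(?:\.Delete\(\)|Remove-WmiObject|Remove-CimInstance)",
    re.I | re.S,
)
REBOOT = re.compile(r"shutdown(?:\.exe)?\s+(?:/|-)r\b|Restart-Computer", re.I)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_wiper_sequences(events, window=timedelta(minutes=10)):
    """Return one alert per shadow-copy deletion. Severity is 'high' when the
    same host also issues a reboot within `window` after the deletion (the
    delete-then-reboot shape described for SwiftSlicer), otherwise 'medium'."""
    by_host = {}
    for e in sorted(events, key=_ts):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        reboots = [e for e in evs if REBOOT.search(e["cmd"])]
        for d in (e for e in evs if SHADOW_DELETE.search(e["cmd"])):
            t0 = _ts(d)
            follow = [r for r in reboots if t0 <= _ts(r) <= t0 + window]
            alerts.append({
                "host": host,
                "ts": d["ts"],
                "parent": d["parent"],
                "cmd": d["cmd"],
                "reboot_after": follow[0]["ts"] if follow else None,
                "severity": "high" if follow else "medium",
            })
    return alerts


# Constructed telemetry (not real logs). WS01 shows the deletion-then-reboot
# pattern, BK02 only enumerates shadows, WS03 deletes without rebooting.
SAMPLE_EVENTS = [
    {"ts": "2023-01-25T10:00:05", "host": "WS01",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-01-25T10:02:40", "host": "WS01",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "cmd": "shutdown.exe /r /t 0"},
    {"ts": "2023-01-25T10:01:00", "host": "BK02",
     "parent": r"C:\Program Files\BackupAgent\agent.exe",
     "cmd": "vssadmin.exe list shadows"},
    {"ts": "2023-01-25T11:30:00", "host": "WS03",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "wmic shadowcopy delete"},
]

if __name__ == "__main__":
    for a in find_wiper_sequences(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['host']} {a['ts']} {a['cmd']} "
              f"(reboot: {a['reboot_after']})")
```

The medium-severity alert on its own is worth keeping: legitimate backup agents do call `vssadmin` and `wmic`, so the parent image is included in each alert to let an analyst allow-list known backup software rather than suppress the rule.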
4. New PlugX malware variant spreads via removable USB devices
Palo Alto Networks Unit 42 has discovered a revamped version of the PlugX malware that automatically infects any attached USB device. The new version is wormable and infects USB devices in a way that keeps the infection hidden from the Windows operating system. Unit 42's advisory reveals that the malware uses a novel technique to conceal the attacker's files on the USB device, so that they are visible only on *nix operating systems or by mounting the device with forensic tools.
5. U.S. government agencies warn against malicious use of RMM
U.S. federal agencies have issued a new advisory warning network defenders about the malicious use of remote monitoring and management (RMM) tools. CISA wrote that adversaries sent phishing emails that led victims to download legitimate RMM software, which the threat actors then used in a refund scam to steal money from victims' bank accounts. Because the tools were portable executables, the adversaries could establish local user access without administrator privileges. Although the campaign appears financially motivated, the agencies believe the same access could enable other forms of malicious activity.