Netizen Cybersecurity Bulletin (May 30th, 2024)


  • Phish Tale of the Week
  • Critical Security Flaws Exposed in Popular WordPress Plugin Slider Revolution
  • Thousands of Computers at Risk: Backdoor Found in Justice AV Solutions Viewer Software
  • How can Netizen help?

Phish Tale of the Week

Oftentimes phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this email, the actors are posing as WalletConnect. The message politely offers us a cryptocurrency airdrop, saying we’re “invited” and that “it’s a rare opportunity” for us. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

Here’s how we can tell not to click on this link:

  1. The first warning sign for this email is the fact that it includes a URL in the message. Typically, companies will send notifications like this through email, but they’ll end with a call to action within an already trusted environment, for example the statement “check your tracking details for more information.” Always be sure to think twice and check “urgent” statuses like this one through a trusted environment, and never click on links sent through an SMS from an unknown number.
  2. The second warning sign in this email is the messaging. This message tries to create a sense of opportunity and urgency in order to get you to take action by using language such as “rare opportunity” and “extraordinary.” Phishing and smishing scams commonly attempt to create a sense of urgency or confusion in their messages in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the style and tone of a message before following a link or opening an attachment sent through email.
  3. The final warning sign for this email is the writing style. Although it’s written correctly, without many mistakes, the language makes it very clear that they’re desperate for you to click the button below in the email. After taking one quick look at the email’s wording, it’s very obvious that this email is an attempt at a phish.

General Recommendations:

A phishing attack will typically direct the user to click on a link where they will then be prompted to update personal information, such as a password, credit card, social security, or bank account information. A legitimate company already has this sensitive information and would not ask for it again, especially via text message.

  1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match the one you already have? Did the message come from a store you don’t usually order supplies from or a service you don’t use? If so, it’s probably a phishing attempt.
  2. Verify that the sender is actually from the company sending the message.
  3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to give Personally Identifiable Information (PII) such as credit card numbers, social security number, etc.? A legitimate company will never ask for PII via instant message or email.
  4. Do not give out personal or company information over the internet.
  5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the correct one for the company/service and it has the proper security in place, such as HTTPS.

Many phishing messages convey a sense of urgency or even aggression in order to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also, beware of messages that seek to tempt users into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may draw the question “What is wrong with my account?” and prompt you to click a suspicious link.
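The warning signs and recommendations above can be turned into a first-pass triage check. The script below is an added example written for this bulletin, not code from Netizen or from any vendor mentioned here. Using only the Python standard library, it parses a constructed email (the sender, domains and wording are made up to resemble the WalletConnect lure described above), then flags the things a reader is told to look for: a display name that does not match the sender’s domain, links that are not HTTPS, link text that shows one domain while the href points at another, and pressure language such as “rare opportunity.” The phrase list and the two-label domain comparison are simplifications chosen for the demo.

```python
"""Heuristic phishing triage for a single email (added example, standard library only)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Pressure phrases called out in the bulletin; extend for your own environment.
URGENCY_PHRASES = ("rare opportunity", "invited", "extraordinary", "act now",
                   "immediately", "urgent", "limited time")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    """Crude 'registrable domain': last two labels. Fine for a demo, not a real PSL lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def _host_of(text):
    """Return the hostname of a URL or bare domain in link text, else None."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host else None


def analyze(raw_email):
    """Return {'findings': [...], 'verdict': 'suspicious'|'no obvious red flags'}."""
    msg = message_from_string(raw_email)
    findings = []

    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    brand = re.sub(r"\W+", "", display_name).lower()
    if brand and brand not in from_domain:
        findings.append(f"display name '{display_name}' does not match sender domain {from_domain}")

    # Gather the bodies (text/plain and text/html) from a single-part or multipart message.
    text, html = "", ""
    for part in msg.walk():
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_type() == "text/html":
            html += body
        else:
            text += body

    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        parsed = urlparse(href)
        if parsed.scheme != "https":
            findings.append(f"link is not HTTPS: {href}")
        shown_host = _host_of(visible)
        if shown_host and parsed.hostname and _registrable(shown_host) != _registrable(parsed.hostname):
            findings.append(f"link text shows {shown_host} but points to {parsed.hostname}")
        if parsed.hostname and _registrable(parsed.hostname) != _registrable(from_domain):
            findings.append(f"link domain {parsed.hostname} differs from sender domain {from_domain}")

    searchable = (msg.get("Subject", "") + " " + text + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    hits = [p for p in URGENCY_PHRASES if p in searchable]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    verdict = "suspicious" if len(findings) >= 2 else "no obvious red flags"
    return {"findings": findings, "verdict": verdict}


# Constructed sample modelled on the airdrop lure described in the bulletin (not a real message).
SAMPLE_EMAIL = """From: WalletConnect <airdrop@wc-rewards-claim.example>
To: user@example.org
Subject: You're invited: rare opportunity airdrop
Content-Type: text/html; charset=utf-8

<html><body><p>You are invited to a rare opportunity. This extraordinary airdrop closes soon.</p>
<p><a href="http://claim.wc-rewards-claim.example/verify">https://walletconnect.com/airdrop</a></p>
</body></html>
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Each finding corresponds to one of the bulletin’s recommendations, so the output doubles as a checklist for a reader deciding whether to report the message. A real mail gateway would add header authentication results (SPF, DKIM, DMARC) and URL reputation; those are deliberately left out here to keep the example offline.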

Cybersecurity Brief

In this month’s Cybersecurity Brief:

Critical Security Flaws Exposed in Popular WordPress Plugin Slider Revolution

A recent security audit of the Slider Revolution plugin has uncovered two critical vulnerabilities threatening WordPress websites.

Slider Revolution, a popular premium plugin with over 9 million active users, was found to have an unauthenticated stored XSS vulnerability. This flaw allows unauthorized users to steal sensitive information and escalate privileges on affected sites with a single HTTP request.

Security experts at Patchstack discovered these vulnerabilities, which resulted from inadequate input sanitization and output escaping in the code managing user input for slider parameters. Additionally, a broken access control issue in one of the plugin’s REST API endpoints enabled unauthenticated users to update slider data. By exploiting both vulnerabilities, researchers achieved unauthenticated stored XSS.

The primary vulnerability, unauthenticated broken access control (CVE-2024-34444), was addressed in version 6.7.0 of the plugin. The authenticated stored XSS issue (CVE-2024-34443) was resolved in version 6.7.11. The vendor removed the affected REST API endpoint and applied proper sanitization and escaping to mitigate the XSS risk.

Beyond patching, the security audit recommended thorough escaping and sanitization of stored user input displayed on websites. “We also recommend applying proper permission or authorization checks to the registered REST route endpoints and not providing sensitive actions or processes to unauthenticated users,” reads the advisory published by Patchstack.
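The two weaknesses described above, an endpoint that skips the permission check and stored input that is echoed back without escaping, chain into unauthenticated stored XSS. The following is an added illustration written for this bulletin in Python, not Slider Revolution’s code or WordPress’s API: a tiny in-memory “slider” store with a vulnerable update/render pair beside a hardened one. The `Request` object, the `edit_sliders` capability name and the status codes are assumptions chosen for the demo; the point is the two checks the advisory recommends, an authorization check before any write and output escaping at render time.

```python
"""Broken access control + stored XSS, vulnerable and hardened side by side (added example)."""
import html
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to a REST route (assumption for the demo)."""
    params: dict
    user: Optional[str] = None                 # None models an unauthenticated caller
    capabilities: set = field(default_factory=set)


# --- Vulnerable pattern: no permission callback, raw input stored, raw output rendered -----

def update_slider_vulnerable(store, req):
    """Anyone, logged in or not, can write arbitrary text into the slider title."""
    store[req.params["id"]] = {"title": req.params["title"]}
    return 200


def render_vulnerable(store, slider_id):
    """Interpolates the stored title straight into markup: stored XSS once a payload lands."""
    return f"<h2>{store[slider_id]['title']}</h2>"


# --- Hardened pattern: authorization first, sanitize on input, escape on output -----------

def sanitize_text(value, max_len=200):
    """Defense in depth on input: drop tags and control characters, bound the length."""
    value = re.sub(r"<[^>]*>", "", value)
    value = "".join(ch for ch in value if ch.isprintable())
    return value.strip()[:max_len]


def update_slider_hardened(store, req):
    """Reject unauthenticated callers (401) and callers without the capability (403)."""
    if req.user is None:
        return 401
    if "edit_sliders" not in req.capabilities:
        return 403
    slider_id = req.params.get("id")
    if not isinstance(slider_id, str) or not slider_id.isalnum():
        return 400
    store[slider_id] = {"title": sanitize_text(req.params.get("title", ""))}
    return 200


def render_hardened(store, slider_id):
    """Escape at the point of output; this is what actually stops script execution."""
    return f"<h2>{html.escape(store[slider_id]['title'], quote=True)}</h2>"


# Constructed payload of the kind an attacker would store in a slider field.
PAYLOAD = "<script>alert(1)</script>"

if __name__ == "__main__":
    anon = Request({"id": "1", "title": PAYLOAD})
    editor = Request({"id": "1", "title": PAYLOAD}, user="alice", capabilities={"edit_sliders"})

    vulnerable = {}
    update_slider_vulnerable(vulnerable, anon)
    print("vulnerable renders:", render_vulnerable(vulnerable, "1"))

    hardened = {}
    print("anonymous write ->", update_slider_hardened(hardened, anon))
    print("editor write    ->", update_slider_hardened(hardened, editor))
    print("hardened renders:", render_hardened(hardened, "1"))
```

Note that the sanitizer alone is not the fix: a filter can always be bypassed by an encoding it did not anticipate, so `render_hardened` escapes whatever is stored regardless of how it got there, and the authorization check closes the unauthenticated path that made the chain possible.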

Users are urged to update their Slider Revolution plugin to version 6.7.11 or higher to mitigate these security risks.

Patchstack’s advisory timeline indicates that Slider Revolution approached auditors in May 2023, leading to the release of patch versions in April and May 2024. The vulnerabilities have now been added to the Patchstack vulnerability database.


Thousands of Computers at Risk: Backdoor Found in Justice AV Solutions Viewer Software

Thousands of computers are at risk of complete takeover due to a backdoor in the Justice AV Solutions (JAVS) Viewer software installer, Rapid7 warned in an advisory.

Hackers injected a backdoor into the JAVS Viewer v8.3.7 installer, which was being distributed directly from JAVS’ official servers. This backdoor allows attackers to gain full control of affected systems. Rapid7 emphasizes the necessity of re-imaging affected endpoints and resetting associated credentials to ensure attackers have not persisted through backdoors or stolen credentials.

The compromised installer had been distributed for months and was discovered by security firm S2W, which identified the deployed malware, GateDoor (part of the RustDoor malware family), in February. Once installed, the malware provides attackers with full control over the infected computers. “Justice AV Solutions Viewer Setup contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute unauthorized PowerShell commands,” according to a NIST advisory that identifies the issue as CVE-2024-4978 (CVSS score of 8.7).

Rapid7 found two malicious JAVS Viewer packages on the vendor’s server, signed with a certificate issued on February 10. Although the first report of the official JAVS downloads page serving malware emerged in early April, it is unclear if the vendor was notified at that time.

Users are advised to update to JAVS Viewer version 8.3.8, which no longer contains the malicious code. However, Rapid7 stresses that simply updating the Viewer does not remove the backdoor; affected systems must be re-imaged, and all associated credentials reset. “Completely re-imaging affected endpoints and resetting associated credentials is critical to ensure attackers have not persisted through backdoors or stolen credentials. All organizations running JAVS Viewer 8.3.7 should take these steps immediately to address the compromise,” Rapid7 added.

Part of the JAVS Suite, the Viewer provides audio and video recording and management capabilities for courtroom environments, allowing users to open media and log files with high system privileges. JAVS, a US-based company, says its software is used in courtrooms, jury rooms, prison facilities, council chambers, hearing rooms, and lecture halls, with more than 10,000 installations worldwide.

The implications of this security breach are profound, given the sensitive environments where JAVS software is deployed. Courtrooms and legal settings depend on the integrity and security of their digital recording systems to maintain accurate and confidential records. A breach in these systems not only threatens the privacy of individuals but also the integrity of legal proceedings. The backdoor’s ability to execute unauthorized PowerShell commands further escalates the risk, as it allows attackers to run a wide range of potentially harmful operations on compromised systems.

In addition to updating to the latest version of JAVS Viewer, Rapid7’s advisory suggests several best practices for organizations to enhance their cybersecurity posture. These include regularly auditing software for vulnerabilities, ensuring robust endpoint protection, and maintaining up-to-date backups to facilitate quick recovery in case of a breach. Organizations are also encouraged to implement network segmentation to limit the spread of malware and to conduct regular training for employees on recognizing and responding to cybersecurity threats.

The discovery of these vulnerabilities and the subsequent response highlights the importance of ongoing vigilance in cybersecurity. As cyber threats evolve, so must the defenses employed by organizations to protect their digital assets. The JAVS incident serves as a stark reminder that even trusted software from reputable vendors can become compromised, necessitating a proactive and comprehensive approach to cybersecurity.

As the investigation continues, further details may emerge about the extent of the compromise and additional steps organizations can take to protect themselves. In the meantime, affected users are urged to follow Rapid7’s recommendations promptly and to stay informed about any new developments related to this security issue.


How Can Netizen Help?

Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.

We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

Copyright © Netizen Corporation. All Rights Reserved.