Steve Thomas - IT Consultant


  • WordFence finds "one of the most severe flaws" in its 12-year history
  • The critical flaw resides in the Really Simple Security plugin
  • The bug allows for automated, mass website takeover

Cybersecurity researchers have found a critical vulnerability affecting millions of WordPress websites which could grant attackers full control over the vulnerable website.

Security professionals from Wordfence reported discovering an “improper handling of user authentication” vulnerability in the Really Simple Security WordPress plugin, both free and paid versions.

This plugin simplifies the process of securing websites by enabling SSL with a single click, and automatically resolving mixed content issues. Furthermore, it offers features such as security headers, and HTTP Strict Transport Security (HSTS), which made it a super popular choice. It currently has more than five million active installations.

Biggest threat in more than a decade

The vulnerability is being tracked as CVE-2024-10924, and has a severity score of 9.8 (critical), and Wordfence describes it as “one of the more serious vulnerabilities that we have reported on in our 12 year history as a security provider for WordPress.”

It was discovered on November 6, and by November 14, all versions had patches lined up. Versions 9.0.0 to 9.1.1.1 of the “free”, “Pro”, and “Pro Multisite” releases were said to be vulnerable, with the first clean version being 9.1.2.

Currently, the WordPress plugins site shows 44.1% of installations being for version 9.1, with the remaining 65.9% falling on older versions.

Given the severity of the flaw, and the sheer number of potentially exploitable websites, researchers are urging everyone to patch up immediately and protect their digital assets.

The plugin’s vendor has coordinated a force update with WordPress, but website administrators should still double-check to see if their websites are running the newest version of the plugin, and Pro users with expired licenses should ensure they have their auto-updates disabled as well.
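An added example (not from the article or from Wordfence) showing how to check a fleet's plugin inventory against the version range stated above. It assumes the inventory is shaped like the JSON printed by `wp plugin list --format=json`; the plugin directory slugs and the sample data are assumptions constructed for illustration.

```python
import json
import re

# Range stated in the article: 9.0.0 through 9.1.1.1 vulnerable, 9.1.2 first fixed.
# Versions are padded to four parts so "9.0" and "9.0.0.0" compare as equal.
FIRST_VULNERABLE = (9, 0, 0, 0)
FIRST_FIXED = (9, 1, 2, 0)

# Assumed directory slugs for the free, Pro and Pro Multisite releases
# (not given in the article); adjust to match your installs.
PLUGIN_SLUGS = {
    "really-simple-ssl",
    "really-simple-ssl-pro",
    "really-simple-ssl-pro-multisite",
}


def parse_version(text):
    """Turn '9.1.1.1' into (9, 1, 1, 1); return None for non-numeric versions."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,3}", text):
        return None
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """Compare numerically: a plain string comparison would rank 9.1.10 below 9.1.2."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"
    if version >= FIRST_FIXED:
        return "patched"
    if version >= FIRST_VULNERABLE:
        return "vulnerable"
    return "below-affected-range"


def audit(inventory):
    """Return (site, plugin, version, status, verdict) for every matching plugin.

    Inactive copies are reported too, so they can be updated or removed.
    """
    findings = []
    for site, plugins in sorted(inventory.items()):
        for plugin in plugins:
            if plugin.get("name") in PLUGIN_SLUGS:
                version = plugin.get("version", "")
                findings.append((site, plugin["name"], version,
                                 plugin.get("status", ""), classify(version)))
    return findings


# Constructed sample: site name -> plugin list in `wp plugin list --format=json` shape.
SAMPLE_INVENTORY = json.loads("""
{
  "shop.example": [
    {"name": "really-simple-ssl", "status": "active", "update": "available", "version": "9.1.1.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"}
  ],
  "blog.example": [
    {"name": "really-simple-ssl", "status": "active", "update": "none", "version": "9.1.10"}
  ],
  "old.example": [
    {"name": "really-simple-ssl-pro", "status": "inactive", "update": "available", "version": "9.0"}
  ]
}
""")

if __name__ == "__main__":
    for site, name, version, status, verdict in audit(SAMPLE_INVENTORY):
        print(f"{site:14} {name:24} {version:8} {status:9} {verdict}")
```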



  • Google has released a scam advisory
  • 'Cloaking' is being used by threat actors
  • AI is helping scammers take advantage of popular events

Google has revealed a new report outlining the most common techniques threat actors are using against victims, highlighting a practice known as ‘Cloaking’ as a way to deceive users into disclosing sensitive information.

The technique uses tools called ‘cloakers’ to show different content to different users based on identifying information such as IP addresses. Often, cloaking will involve showing one version of a landing page or website to search engines and bots, and another version to real human users.

“Cloaking is specifically designed to prevent moderation systems and teams from reviewing policy-violating content which enables them to deploy the scam directly to users”, Laurie Richardson, Vice President, Trust & Safety at Google wrote in the report.

Scareware and malware

Cloaking does have some legitimate uses, such as for advertisers who want to prevent their pages from being scraped by bots, or who want to hide their strategies from competitors. However, Google has observed scammers using cloaking tools to redirect users who click an ad to scareware sites.

This tricks users into believing their device is infected with malware, or that their account has been blocked due to unauthorized activity, and lures them to a fake ‘customer support’ site, where they reveal sensitive information.

“The landing pages often mimic well-known sites and create a sense of urgency to manipulate users into purchasing counterfeit products or unrealistic products,” Google says.

Other techniques outlined were the exploitation of major events. Scammers take advantage of significant events such as elections, sports fixtures, or humanitarian disasters. The well established technique is being bolstered by AI tools, which are able to quickly respond to breaking news and advertise false products and services.

Elsewhere, Google also flagged fake charity scams, which set up appeals that seem legitimate in order to defraud people looking to donate to relief efforts. AI tools are being used to produce huge amounts of content to overwhelm users and deceive them into clicking malicious links.

"Preventing user harm from malicious scams requires effective cooperation across the online ecosystem," Richardson concluded. "Bad actors are constantly evolving their tactics and techniques...we’re sharpening our detection and enforcement techniques to meet these threats, enhancing our proactive capabilities, and ensuring we have robust and fair policies in place to protect people."



  • Google unveils predictions of the top cybersecurity threats in 2025
  • AI will be used in attacks and defense, it predicts
  • The 'Big Four' state actors will continue to be a threat

Artificial Intelligence has been named as one of the biggest threats to security over the next year by leading experts.

Given AI’s domination in headlines over the past year, it will come as no surprise to most people that it was at the forefront of Google’s Cybersecurity Forecast 2025 as a primary threat, alongside state-sponsored threat actors, and ransomware.

State-sponsored attacks are nothing new, but as global tensions rise and the conflicts in Ukraine and Gaza continue, politically motivated attacks will continue to be levelled against critical infrastructure targets around the world - with Google naming the ‘Big Four’ geopolitical threats to western cybersecurity as Russia, China, Iran, and the Democratic People’s Republic of Korea (North Korea).

AI in deepfakes

Google, like many others, predicts that AI will continue to be used as a tool for cyber defense, and also in cyberattacks in the coming year. Large-scale adoption of semi-autonomous security operations will usher in a ‘second phase of AI security’, the forecast predicts.

Google sees AI as a key tool in combatting threats in the future, but affirms that Information Operations (IO) threat actors will continue to leverage Generative AI tools in their attacks.

The use of LLMs to create content such as deepfakes and vishing, phishing, and other social engineering attacks will lead to an increased struggle for cybersecurity teams against more frequent and effective incidents.

Ransomware and data theft extortion are also likely to continue to plague organizations around the world in 2025. The frequency and severity of ransomware has soared to new highs in 2024, and custom malware attacks are set to continue.

“Without question, multifaceted extortion and ransomware will continue in 2025, likely with an increase outside the US,” said Charles Carmakal, Mandiant CTO, Google Cloud.

Infostealer campaigns were observed as a rising threat in 2024, and Google anticipates seeing more of the same next year, since relatively low-skilled threat actors can use these tools to infiltrate prominent organizations.



  • "Sitting Ducks" attack allows crooks to take full control of target domain
  • Almost a million websites vulnerable to takeover, experts warn
  • Tens of thousands of websites already compromised this way

“Sitting Ducks” might not be a particularly well-known method of cyberattack, but it is still quite widespread, and pretty disruptive, experts have warned.

A report from cybersecurity researchers at Infoblox Threat Intel claims almost a million websites are vulnerable, and roughly 70,000 were already compromised this way.

In a new report, Infoblox notes that although the attack vector has been around since 2018, it never garnered much attention from the media, or the cybersecurity community. Still, tens of thousands of victims have had their domain names hijacked since then, including “well-known brands, non-profits, and government entities”. The report hasn’t named any organizations, though.

Vipers, Hawks, and other predators

During a Sitting Ducks attack, the threat actor gains full control of the target domain, by taking over its DNS configurations. This has many implications and carries heavy consequences. When hackers take full control of a domain’s DNS configuration, they can funnel compromised web traffic to malware, phishing sites, or spam networks. They can also deliver infostealers, engage in fraud, or affiliate cybercrime programs.

However, Infoblox started monitoring the internet for Sitting Ducks attacks last summer, to alarming results: “The results are very sobering, as 800,000 vulnerable domains were identified, and about 70,000 of those were later identified as hijacked.”

The researchers claim that there are multiple threat actors currently exploiting Sitting Ducks, including Vacant Viper, the “OG” of the exploit, hijacking an estimated 2,500 domains each year since late 2019.

Another group, called Vextrio Viper, was seen using hijacked domains as part of their “massive TDS infrastructure” since early 2020. Infoblox says Vextrio runs “the largest known cybercriminal affiliate program”.

It also mentioned new threat actors, such as Horrid Hawk, and Hasty Hawk, named as they “swoop in and hijack vulnerable domains”.



  • Amazon's shopping partnership with TikTok questioned by US congress members
  • The partnership allows users to purchase on Amazon but remain on the TikTok site
  • TikTok is facing a ban in the US, but has successfully fought it so far

The House Select Committee on China has expressed concerns over Amazon’s ecommerce partnership with Chinese-owned video platform, TikTok. The partnership between the platforms allows TikTok users to link their Amazon account, and make purchases through the site without leaving the TikTok app.

Lawmakers met with representatives from Amazon in a closed-door meeting at Capitol Hill to discuss the retail giant's deepening relationship with the video platform. The meeting reportedly took place a month after the collaboration was announced.

“The Select Committee conveyed to Amazon that it is dangerous and unwise for Amazon to partner with TikTok given the grave national security threat the app poses,” a spokesperson told Bloomberg.

National security threats

The Committee raised concerns over the perceived threats posed by China’s government, and that a leading US company was partnered with a Chinese-owned organization, which has been previously threatened with a ban over national security concerns.

“Like many other US companies, we maintain open lines of communication with officials across all levels of government to discuss issues that are of interest to policymakers, our employees, and our customers,” the spokesperson said.

Amazon has advertised on TikTok for a long time, but the shopping collaboration will likely make it more difficult for the US to ban TikTok as previously attempted, given Amazon is the second largest employer in the US, and second largest company in the world by revenue.

Earlier in 2024, the US threatened TikTok with a ban unless it severed ties with Chinese parent company ByteDance, over concerns that the company was sharing customer data with the Chinese government and could ‘weaponize’ the information, something that TikTok has always denied.

TikTok challenged the ban, which it claims is ‘unconstitutional’, and as of yet, the platform remains on the App store. President-elect Donald Trump is expected to halt the efforts to ban the app, so its future is looking more secure.


For retailers, the holidays are the busiest time of the year, and it’s easy to overlook cybersecurity amid all the chaos. However, proactive measures can help prevent potential cyberthreats from disrupting business operations and customer trust. Here are common cyberthreats during the holidays and some ways retailers can defend against these.

Ransomware attacks

Ransomware is one of the most disruptive cyberthreats, especially during the high-traffic holiday season. In a ransomware attack, cybercriminals encrypt sensitive files, halting the victim’s operations until they pay the ransom. For retailers, an attack like this could mean lost sales, compromised data, and damaged reputation.

One countermeasure against ransomware attacks is to regularly back up critical data and store it offline so files remain safe even if the entire network is compromised. Keep all software up to date to close security gaps that ransomware may exploit. You should also train employees to recognize suspicious emails, such as those with attachments or links from unknown senders, which often deliver ransomware.

Phishing scams

Phishing attacks spike during the holiday season, with scammers impersonating familiar brands and retailers. These fake communications may trick employees into revealing credentials or customers into entering sensitive payment information, leading to data theft or unauthorized purchases.

To defend against these scams, educate employees and customers on common phishing tactics, such as fake login pages or emails with urgent requests. Use advanced spam filters to catch these messages, and implement multifactor authentication for an extra layer of security.

Point-of-sale (POS) malware

Cybercriminals use POS malware to intercept card data during transactions, especially in physical stores. This threat can damage a retailer’s reputation and result in significant losses if customer data is stolen.

POS systems should be properly secured, monitored, and regularly updated with the latest security patches to prevent malware attacks. Consider implementing a secure payment platform that encrypts all data in transit and tokenizes card information for added protection. Also, train employees on how to spot suspicious devices or activity near point-of-sale terminals, as criminals often use skimming devices — small devices attached to a card reader that capture data from the magnetic stripe on credit and debit cards.

Bot attacks

Bot attacks can disrupt a retailer’s website, causing inventory shortages, delaying checkout times, and flooding systems with fake accounts. Cybercriminals may use bots to scoop up limited stock for resale or overwhelm servers during peak traffic periods, causing poor user experience.

To handle bot threats, deploy bot mitigation tools to filter out automated traffic and allow real customers to shop. Setting purchase limits on high-demand items can also prevent bots from buying everything in stock. Moreover, regularly monitoring website traffic for unusual patterns (e.g., high traffic from a single IP address) can help identify and prevent bot attacks.

Insider threats

Insider threats are one of the most difficult cyber risks to prevent because they come from within an organization. Such threats could be anything from a disgruntled employee stealing customer data or sensitive information to unintentional mistakes that compromise security (e.g., leaving a computer unlocked). Insider threats are not uncommon during the holidays, as temporary employees may not have the same level of security awareness or loyalty as regular employees.

The most effective way to mitigate insider threats is through proper employee training and implementing strong security protocols. This includes regularly changing passwords, restricting access to sensitive data, and monitoring employee behavior for any unusual or suspicious activity. It’s also worth performing background checks on temporary employees to ensure they do not have a history of malicious behavior.

With the tips above and our team by your side, you can keep your business secure and protect your customers’ data. Contact us today to secure your retail business this holiday season and beyond.



  • Two Palo Alto bugs are being abused in the wild, CISA warns
  • Flaws added to KEV catalog, giving federal agencies a deadline to patch
  • The bug can be abused to steal sensitive data and create arbitrary files

The US Cybersecurity and Infrastructure Security Agency (CISA) has added two new bugs to its Known Exploited Vulnerabilities (KEV) catalog, signaling in-the-wild abuse.

The bugs were found in Palo Alto Networks' Expedition migration tool, the same tool that has had a separate vulnerability added to the catalog recently.

The newly-added flaws are an unauthenticated command injection bug (CVE-2024-9463), and an SQL injection flaw (CVE-2024-9465). The former allows threat actors to run arbitrary commands as root on the operating system, thus accessing usernames, passwords in cleartext, device configurations, and API keys for PAN-OS firewalls. The latter, however, allows crooks to access the Expedition database, where password hashes, usernames, device configurations, and device API keys can be found. Furthermore, the bug allows crooks to read, or create, arbitrary files on the system.

Deadline to patch

A hotfix seems to be available already, and those worried about being exploited should bring their Expedition tool to version 1.2.96, or later. Those who cannot install the patch immediately should restrict Expedition network access to authorized users, hosts, or networks, Palo Alto Networks advised.

When a vulnerability is added to KEV, it not only means that it is being exploited in attacks, but also that federal agencies have a deadline to patch, or stop using the flawed solution altogether. That deadline is typically 21 days from the date the bug is added to the catalog.

CISA recently added CVE-2024-5910 to KEV, a bug described as a missing authentication for a critical function, which can lead to Expedition admin account takeover for crooks with network access.

Palo Alto Networks Expedition is a tool designed to simplify and automate the process of migrating and optimizing security policies for Palo Alto Networks' next-generation firewalls. It enables users to transition from legacy firewall configurations to Palo Alto Networks' security platforms while reducing manual efforts and minimizing errors.

Via BleepingComputer



  • Start-Rite notifies customers of a major data breach which saw credit card data exposed
  • The details about the attackers are unknown at this time
  • Users with purchases between October 14 and November 7 should scrutinize their bank statements

Children's footwear brand Start-Rite has confirmed suffering a painful data breach in which it lost customer payment information.

The company confirmed the breach in a message to affected customers, The Register revealed. However, not all details about the breach are known at this time, so we don’t know who the attackers were, how many people were affected, or how the breach occurred.

What we do know is that the incident happened between October 14 and November 7, as Start-Rite told customers in its data breach notification email. The information stolen includes full names - as seen on credit and debit cards - postal addresses to which the cards are registered, card numbers, expiry dates, and the CVV numbers. In other words - whoever took this information has everything they need to make online card purchases, commit wire fraud, identity theft, and more.

NHS and friends

"On 11 November, Start-Rite Shoes became aware that it had suffered a security incident via a third-party application code on www.startriteshoes.com," the company told The Register. "The breach potentially provided access to customer bank card information. The website is now secure and the malicious code and third-party app have been removed."

The company’s social channels, and its website, say nothing about the incident just yet, but Start-Rite advised customers to disable the cards and ask their banks for a new one, noting, "we would advise you to contact your bank or credit card provider and ask them to stop the card you used to pay us and issue you with a replacement. You may be able to do this immediately via your mobile banking or credit card app.”

The company also advised users to double-check all transactions from October 14 onward. “If you do see anything which appears strange, you should contact your bank or credit card provider, tell them that you did not authorize the transaction, and ask for a refund. You may wish to provide them with a copy of this email to support your request.”

Given the wording of the statement, this seems to have been a credit card skimmer code installed on the company’s ecommerce site, such as the one MageCart crooks used to drop.



  • Researchers discover Glove Stealer, a new infostealer
  • It can bypass Google's cookie encryption mechanism, introduced last summer
  • Glove Stealer can grab cookies, passwords, and information from add-ons and extensions

Another infostealer able to bypass Google’s Application-Bound (App-Bound) encryption for Chrome, and steal sensitive information from the browser has been discovered.

Researchers at Gen Digital recently found a “relatively simple” infostealer malware they named Glove Stealer that comes with “minimal obfuscation and protection mechanisms”.

This .NET malware is being distributed through the ClickFix infection chain (a fake virus detection popup), and is capable of grabbing plenty of information from Chromium-based browsers (Chrome, Edge, Brave, Opera, and others).

Glove Stealer

The information Glove can grab includes cookies, cryptocurrency wallet information (through browser extensions), 2FA session tokens from Google, Microsoft, and others, password data from Bitwarden, LastPass, KeePass, and more.

"Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications," researchers said, according to BleepingComputer. "These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others."

In late July 2024, Google released Chrome 127, which introduced App-Bound Encryption, a feature which looked to ensure sensitive data stored by websites or web apps was only accessible to a specific app on a device. It works by encrypting data in such a way that only the app that created it can decrypt it, and was advertised as particularly useful for protecting information like authentication tokens or personal data.

However, mere weeks after it was introduced, multiple hackers already claimed to have beaten the feature, introducing bypasses to MeduzaStealer, Whitesnake, Lumma Stealer, Lumar, Vidar, and StealC. At the time, Google said it wasn’t too surprised, or disappointed, by the end result, stating that it forced cybercriminals to change their pattern of behavior into something more predictable.

Via BleepingComputer



  • Researchers from AppOmni found a misconfiguration bug in sites built with Microsoft Power Pages
  • As a result, data on millions of people was leaking on the web
  • UK NHS among affected firms, with others urged to investigate immediately

Businesses in both the private and public sector have been leaking personally identifiable information (PII) on millions of people due to a fault with a Microsoft website builder platform.

Experts from AppOmni revealed the leak stems from misconfigurations in Microsoft’s Power Pages, a low-code platform within the Microsoft Power Platform suite that allows users to build websites without needing to be expert coders.

However, due to misconfigured access controls - namely excessive permissions granted to the Anonymous role - many websites were leaking “significant amounts of data”. That information included full names, email addresses, phone numbers, and home addresses.

NHS among those affected

Power Pages is especially geared toward business users and developers who need to build sites that integrate with business data from sources like Microsoft Dataverse, and apparently has more than 250 million monthly users.

“During my research, I’ve uncovered several million records of sensitive data being exposed to the public internet from authorized testing alone,” the researcher said, suggesting that the leak is probably even bigger (since this was found from “authorized testing alone”). The primary nature of this data is internal organization files and sensitive PII belonging to both internal organization users and other users registered on the website.

Among the leaksters was the NHS - UK’s National Health Service - which allegedly leaked sensitive information belonging to more than 1.1 million employees. The healthcare giant has since plugged the hole. The researchers did not want to name any other organizations leaking the data, possibly because the holes have not yet been plugged.

Misconfigured databases are one of the main causes of data leaks. Over the years, there were many instances of organizations keeping large archives of sensitive customer files without even a weak password, let alone a strong one.
