Cybersecurity Archives - Veiliant Inc. https://www.veiliant.com/category/cybersecurity/ Simplify your technology. (feed generated Fri, 23 Feb 2024 11:41:31 +0000)

ScreenConnect Critical Bug Now Under Attack as Exploit Code Emerges
https://www.veiliant.com/screenconnect-critical-bug-now-under-attack-as-exploit-code-emerges/
Wed, 21 Feb 2024 11:14:46 +0000

The post ScreenConnect Critical Bug Now Under Attack as Exploit Code Emerges appeared first on Veiliant Inc..

Both technical details and proof-of-concept exploits are available for the two vulnerabilities ConnectWise disclosed earlier this week for ScreenConnect, its remote desktop and access software.

A day after the vendor published the security issues, attackers started leveraging them in attacks.

CISA has assigned the identifiers CVE-2024-1708 and CVE-2024-1709 to the two security issues: CVE-2024-1709, which the vendor assessed as a maximum-severity authentication bypass, and CVE-2024-1708, a high-severity path traversal flaw. Both impact ScreenConnect servers 23.9.7 and earlier.

Threat actors have compromised multiple ScreenConnect accounts, as confirmed by the company in an update to its advisory, based on incident response investigations.

Cybersecurity company Huntress has analyzed the vulnerabilities and is warning that developing an exploit is a trivial task.

The company also stated that on Monday the Censys platform was showing more than 8,800 vulnerable ScreenConnect servers exposed. An assessment from The ShadowServer Foundation noted that yesterday the number was around 3,800.

The first working exploits emerged quickly after ConnectWise announced the two vulnerabilities and more continue to be published. This prompted Huntress to share its detailed analysis and show how easy it is to create an exploit, in the hope that companies would move faster with remediation steps.

Easy to spot and exploit

Huntress located the two flaws by looking at the code changes the vendor introduced with the patch.

For the first flaw, they found a new check (in a text file shipped with the patch) indicating that the authentication process had not been enforced on all access paths, including the setup wizard (‘SetupWizard.aspx’).

This pointed to the possibility that in the vulnerable versions a specially crafted request could let users use the setup wizard even when ScreenConnect had already been set up.

Accessing the setup wizard arbitrarily (Huntress)

Leveraging the path traversal bug is possible with the help of another specially crafted request that allows accessing or modifying files outside the intended restricted directory.

The updates from ConnectWise introduce stricter path validation when extracting ZIP file contents, specifically to prevent file writing outside designated subdirectories within ScreenConnect’s folder.

With administrative access from the previous exploit, it is possible to access or manipulate the User.xml file and other sensitive files by crafting requests that include directory traversal sequences to navigate the file system beyond the intended limits.

Eventually, the attacker can upload a payload, such as a malicious script or executable, outside the ScreenConnect subdirectory.
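The check the patch adds, as a worked example in Python that is not ScreenConnect's or Huntress's code: every archive member is joined onto the intended subdirectory and refused if it would resolve anywhere else, which covers '..' segments, the backslash-separated Windows form, absolute paths and symbolic links. The destination path /opt/screenconnect, the subdirectory name Extensions and the archive itself are constructed for the demonstration.

```python
"""Added example, not ScreenConnect's code: refuse ZIP members that would land
outside the intended extraction subdirectory.

Assumptions: destination /opt/screenconnect and subdirectory name Extensions.
"""
import io
import stat
import zipfile
from pathlib import Path


def _inside(base: Path, candidate: Path) -> bool:
    """True if candidate resolves to base itself or to something beneath it."""
    try:
        candidate.resolve().relative_to(base.resolve())
        return True
    except ValueError:
        return False


def classify_entries(zip_bytes: bytes, dest_dir: str, allowed_subdir: str) -> dict:
    """Split archive members into those safe to write and those that must be refused.

    A member is refused when it is an absolute path or carries a drive letter,
    when it is a symbolic link, or when dest_dir/allowed_subdir/<member>
    resolves outside dest_dir/allowed_subdir ('..' segments, including the
    backslash-separated Windows form).
    """
    base = Path(dest_dir) / allowed_subdir
    ok, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = name.replace("\\", "/")  # a backslash is a separator on the target OS
            if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
                rejected.append(name)  # absolute path or drive letter
                continue
            if stat.S_ISLNK(info.external_attr >> 16):
                rejected.append(name)  # a link could point anywhere
                continue
            if not _inside(base, base / norm):
                rejected.append(name)  # escapes the subdirectory via '..'
                continue
            ok.append(name)
    return {"ok": ok, "rejected": rejected}


def safe_extract(zip_bytes: bytes, dest_dir: str, allowed_subdir: str) -> list:
    """Extract only when every member passes; one bad member refuses the whole archive."""
    verdict = classify_entries(zip_bytes, dest_dir, allowed_subdir)
    if verdict["rejected"]:
        raise ValueError(f"archive refused, unsafe members: {verdict['rejected']}")
    base = Path(dest_dir) / allowed_subdir
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in verdict["ok"]:
            zf.extract(name, base)
    return verdict["ok"]


def build_sample_archive() -> bytes:
    """Constructed archive: one legitimate member plus three escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MyExtension/Manifest.xml", "<Manifest/>")   # stays inside Extensions/
        zf.writestr("../../App_Data/User.xml", "<Users/>")        # '..' traversal
        zf.writestr("..\\..\\Bin\\evil.aspx", "<% %>")            # backslash variant
        zf.writestr("/tmp/evil.sh", "#!/bin/sh")                  # absolute path
    return buf.getvalue()


if __name__ == "__main__":
    verdict = classify_entries(build_sample_archive(), "/opt/screenconnect", "Extensions")
    print("allowed :", verdict["ok"])
    print("rejected:", verdict["rejected"])
```

Refusing the whole archive on the first bad member is deliberate: Python's ZipFile.extract quietly rewrites '..' and leading slashes instead of failing, which hides the attempt from whoever reads the logs. Resolve both sides before comparing, otherwise an existing symlink beneath the destination defeats a purely lexical check.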

Huntress shared indicators of compromise (IoCs) and analytical detection guidance based on the artifacts created when the above flaws are exploited.

Hackers Abuse Google Cloud Run in Massive Banking Trojan Campaign
https://www.veiliant.com/hackers-abuse-google-cloud-run-in-massive-banking-trojan-campaign/
Wed, 21 Feb 2024 11:09:21 +0000

The post Hackers Abuse Google Cloud Run in Massive Banking Trojan Campaign appeared first on Veiliant Inc..

Security researchers are warning of hackers abusing the Google Cloud Run service to distribute massive volumes of banking trojans like Astaroth, Mekotio, and Ousaban.

Google Cloud Run lets users deploy frontend and backend services, websites, or applications and run workloads without the effort of managing or scaling infrastructure.

Cisco Talos researchers observed a massive uptick in the misuse of Google’s service for malware distribution starting September 2023, when Brazilian actors launched campaigns using MSI installer files to deploy malware payloads.

The researchers’ report notes that Google Cloud Run has become attractive to cybercriminals lately due to its cost-effectiveness and ability to bypass standard security blocks and filters.

Volume of phishing emails linking to Google Cloud Run (Cisco)

Attack chain

The attacks start with phishing emails to potential victims, crafted to appear as legitimate communications for invoices, financial statements, or messages from local government and tax agencies.

The researchers say that most emails in the campaign are in Spanish since they target countries in Latin America but there are also cases where the language used is Italian.

Sample of phishing email used in the campaign (Cisco)

The emails come with links that redirect to malicious web services hosted on Google Cloud Run.

In some cases, the payload delivery is via MSI files. In other examples, the service issues a 302 redirect to a Google Cloud Storage location, where a ZIP archive with a malicious MSI file is stored.

The malware distribution chain (Cisco)

When the victim executes the malicious MSI file, additional components and payloads are downloaded and executed on the system.

In the observed cases, the second-stage payload delivery is done by abusing the legitimate Windows tool ‘BITSAdmin.’

Finally, the malware establishes persistence on the victim’s system to survive reboots by adding LNK files (‘sysupdates.setup<random_string>.lnk’) to the Startup folder, configured to run a PowerShell command that in turn launches the AutoIt-based infection script.

Astaroth’s execution chain (Cisco)

Malware details

The campaigns abusing Google Cloud Run involve three banking trojans: Astaroth/Guildma, Mekotio, and Ousaban. Each is designed to infiltrate systems stealthily, establish persistence, and exfiltrate sensitive financial data that can be used for taking over banking accounts.

Astaroth comes with advanced evasion techniques. It initially focused on Brazilian victims but now targets over 300 financial institutions across 15 countries in Latin America. Recently, the malware started to collect credentials for cryptocurrency exchange services.

Employing keylogging, screen capture, and clipboard monitoring, Astaroth not only steals sensitive data but also intercepts and manipulates internet traffic to capture banking credentials.

Banking institutions targeted by Astaroth (Cisco)

Mekotio has also been active for several years and focuses on the Latin American region.

It is known for stealing banking credentials, personal information, and performing fraudulent transactions. It can also manipulate web browsers to redirect users to phishing sites.

Finally, Ousaban is a banking trojan capable of keylogging, capturing screenshots, and phishing for banking credentials using fake (i.e., cloned) banking portals.

Cisco Talos notes that Ousaban is delivered at a later stage of the Astaroth infection chain, indicating a potential collaboration between the operators of the two malware families or a single threat actor managing both.

We have reached out to Google for details on what the company plans to do to counter this threat, and a spokesperson sent the following comment:

We’re appreciative of the researcher’s work in identifying and reporting the use of Cloud Run to direct users to malicious content.

We have removed the offending links and are looking into strengthening our mitigation efforts to help prevent this type of nefarious activity.

Update 2/22 – Added Google comment

ConnectWise Urges ScreenConnect Admins to Patch Critical RCE Flaw
https://www.veiliant.com/connectwise-urges-screenconnect-admins-to-patch-critical-rce-flaw/
Tue, 20 Feb 2024 11:20:42 +0000

The post ConnectWise Urges ScreenConnect Admins to Patch Critical RCE Flaw appeared first on Veiliant Inc..

ConnectWise warned customers to patch their ScreenConnect servers immediately against a maximum severity flaw that can be used in remote code execution (RCE) attacks.

This security bug is due to an authentication bypass weakness that attackers can exploit to gain access to confidential data or execute arbitrary code remotely on vulnerable servers in low-complexity attacks that don’t require user interaction.

The company also patched a path traversal vulnerability in its remote desktop software, which can only be abused by attackers with high privileges.

“Vulnerabilities were reported February 13, 2024, through our vulnerability disclosure channel via the ConnectWise Trust Center,” ConnectWise warned.

“There is no evidence that these vulnerabilities have been exploited in the wild, but immediate action must be taken by on-premise partners to address these identified security risks.”

ConnectWise has yet to assign CVE IDs to the two security flaws that impact all servers running ScreenConnect 23.9.7 and prior.

While ScreenConnect cloud instances hosted on screenconnect.com or hostedrmm.com are already secured against potential attacks, admins running the on-premise software are advised to update their servers to ScreenConnect version 23.9.8 immediately.
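A way to triage an on-premise fleet against the "23.9.7 and prior" threshold, as an added example that is not ConnectWise tooling: versions are compared field by field as integers, because the string comparison a quick script might reach for sorts "23.9.10" before "23.9.8" and would report a patched host as vulnerable. The host,version inventory format, the hostnames and the build numbers are constructed for the demonstration, and 23.9.10 is a hypothetical later build used only to show the pitfall.

```python
"""Added example, not ConnectWise tooling: triage an on-premise ScreenConnect
inventory against the advisory's '23.9.7 and prior' threshold.

Assumptions: a 'host,version' listing; all hosts, versions and the later
build 23.9.10 are constructed for the demonstration.
"""
FIXED = (23, 9, 8)        # first release with the fix, per the advisory
FIX_FIELDS = len(FIXED)   # compare major.minor.patch; ignore trailing build numbers


def parse_version(text: str) -> tuple:
    """'23.9.7.8847' -> (23, 9, 7, 8847); ValueError for anything non-numeric."""
    parts = text.strip().split(".")
    if not all(part.isdigit() for part in parts):
        raise ValueError(f"unparseable version {text!r}")
    return tuple(int(part) for part in parts)


def is_vulnerable(version: str) -> bool:
    """True for 23.9.7 and every earlier release, using numeric field comparison."""
    return parse_version(version)[:FIX_FIELDS] < FIXED


def triage_inventory(inventory: str) -> dict:
    """Map host -> VULNERABLE / PATCHED / UNKNOWN for a 'host,version' listing."""
    status = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status[host.strip()] = "VULNERABLE" if is_vulnerable(version) else "PATCHED"
        except ValueError:
            status[host.strip()] = "UNKNOWN"   # version not readable: check the host by hand
    return status


# Constructed inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = """
# host,version
sc-01.corp.example,23.9.7.8847
sc-02.corp.example,23.9.8.8811
sc-03.corp.example,22.6.10
sc-04.corp.example,23.9.10
sc-05.corp.example,unknown
"""


def string_compare_is_wrong() -> bool:
    """Lexical comparison puts '23.9.10' before '23.9.8', which would misclassify a patched host."""
    return "23.9.10" < "23.9.8"


if __name__ == "__main__":
    for host, state in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:22} {state}")
    print("naive string comparison thinks 23.9.10 < 23.9.8:", string_compare_is_wrong())
```

An UNKNOWN result is a work item, not a pass: a host whose version cannot be read has to be checked by hand rather than silently counted as patched.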

Huntress security researchers reported earlier today that they’ve already created a proof-of-concept (PoC) exploit that can be used to bypass authentication on unpatched ScreenConnect servers.

Huntress added that a search on the Censys exposure management platform allowed them to find more than 8,800 servers vulnerable to attacks.

Shodan also tracks over 7,600 ScreenConnect servers, with only 160 currently running the patched ScreenConnect 23.9.8 version.

ScreenConnect servers reachable over the Internet (Shodan)

Last month, CISA, the NSA, and MS-ISAC issued a joint advisory warning that attackers increasingly use legitimate remote monitoring and management (RMM) software such as ConnectWise ScreenConnect for malicious purposes.

This allows them to bypass security controls and gain access to other devices on the network by taking advantage of the compromised user’s permissions.

Attackers have been using ScreenConnect for malicious purposes for years, including stealing data and deploying ransomware payloads across victims’ breached systems.

More recently, Huntress also spotted threat actors using local ScreenConnect instances for persistent access to hacked networks.

Hackers Exploit Critical RCE Flaw in Bricks WordPress Site Builder
https://www.veiliant.com/hackers-exploit-critical-rce-flaw-in-bricks-wordpress-site-builder/
Mon, 19 Feb 2024 11:26:24 +0000

The post Hackers Exploit Critical RCE Flaw in Bricks WordPress Site Builder appeared first on Veiliant Inc..

Hackers are actively exploiting a critical remote code execution (RCE) flaw in the Bricks Builder theme to run malicious PHP code on vulnerable sites.

The Bricks Builder Theme is a premium WordPress theme described as an innovative, community-driven visual site builder. With around 25,000 active installations, the product promotes user friendliness and customization in website design.

On February 10, a researcher known as ‘snicco’ discovered a vulnerability, now tracked as CVE-2024-25600, that impacts the Bricks Builder theme in its default configuration.

The security issue is due to an eval function call in the ‘prepare_query_vars_from_settings’ function, which an unauthenticated user could exploit to execute arbitrary PHP code.

The Patchstack platform for security vulnerabilities in WordPress received the report and notified the Bricks team. A fix became available on February 13 with the release of version 1.9.6.1.

The vendor’s advisory noted at the time that there was no evidence of the flaw being exploited but urged users to upgrade to the latest version as soon as possible.

“As of the time of this release, there’s no evidence that this vulnerability has been exploited. However, the potential for exploitation increases the longer the update to 1.9.6.1 is delayed,” reads Bricks’ bulletin.

“Update all your Bricks sites to the latest Bricks 1.9.6.1 as soon as possible. But at least within the next 24 hours. The earlier, the better,” the developer urged administrators.

On the same day, snicco disclosed some details about the vulnerability. Today, the researcher updated the original post to include a demo for the attack but not the exploit code.

Active exploitation underway

In a post today, Patchstack also shared complete details for CVE-2024-25600, after detecting active exploitation attempts that started on February 14.

The company explains that the flaw arises from executing user-controlled input via the eval function in prepare_query_vars_from_settings, with $php_query_raw constructed from queryEditor.
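The bug class in miniature, as an added example written in Python rather than the theme's PHP and not Bricks' own code: a query specification taken from the request is handed to eval, so the "specification" can be any code at all. The hardened form shown here parses the text as a literal and validates it against a fixed schema; that is the general fix pattern, not a description of what the 1.9.6.1 patch changed. The 'queryEditor' key, the allowed keys and the sample settings are constructed.

```python
"""Added example in Python, not Bricks' PHP: the eval-on-settings bug class
behind CVE-2024-25600 and the general fix pattern (parse, then validate).

Assumptions: the 'queryEditor' key, the allowed keys and the sample settings
are constructed for the demonstration.
"""
import ast

# Schema the hardened version accepts: key -> required type.
ALLOWED_KEYS = {"post_type": str, "posts_per_page": int, "orderby": str, "order": str}
ALLOWED_ORDERBY = {"date", "title", "rand"}


def build_query_unsafe(settings: dict) -> object:
    """Vulnerable shape: request-controlled text is executed as code."""
    raw = settings.get("queryEditor", "{}")
    return eval(raw)  # whoever controls `raw` runs code on the server


def build_query_safe(settings: dict) -> dict:
    """Hardened shape: only a literal mapping is accepted, then checked against a schema."""
    raw = settings.get("queryEditor", "{}")
    try:
        spec = ast.literal_eval(raw)  # literals only: names, calls and attributes are refused
    except (ValueError, SyntaxError) as exc:
        raise ValueError("queryEditor is not a literal mapping") from exc
    if not isinstance(spec, dict):
        raise ValueError("queryEditor must be a mapping")
    query = {}
    for key, value in spec.items():
        expected = ALLOWED_KEYS.get(key)
        if expected is None or type(value) is not expected:
            raise ValueError(f"disallowed key or value type: {key!r}")
        query[key] = value
    if query.get("orderby", "date") not in ALLOWED_ORDERBY:
        raise ValueError("disallowed orderby value")
    return query


# Constructed request settings: one ordinary query and one payload.
BENIGN = {"queryEditor": "{'post_type': 'post', 'posts_per_page': 5, 'orderby': 'date'}"}
MALICIOUS = {"queryEditor": "__import__('os').getcwd()"}  # harmless stand-in for a real payload


if __name__ == "__main__":
    print("unsafe ran attacker code, returned:", build_query_unsafe(MALICIOUS))
    print("safe parsed benign query:", build_query_safe(BENIGN))
    try:
        build_query_safe(MALICIOUS)
    except ValueError as err:
        print("safe refused payload:", err)
```

The point of the safe version is that the request never reaches an interpreter: the text is turned into data first, and only data that matches the schema is used to build the query. A capability or nonce check in front of the eval would have stopped this particular unauthenticated path, but it still leaves eval of request data in the code for the next bypass.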

Patchstack says it has observed in the post-exploitation phase that the attackers used specific malware that can disable security plugins like Wordfence and Sucuri.

The following IP addresses have been associated with most of the attacks:

  • 200.251.23.57
  • 92.118.170.216
  • 103.187.5.128
  • 149.202.55.79
  • 5.252.118.211
  • 91.108.240.52

Wordfence also confirmed the active exploitation status of CVE-2024-25600, and reported seeing 24 detections in the past day.

Bricks users are recommended to upgrade to version 1.9.6.1 immediately, either by navigating to “Appearance > Themes” in the WordPress dashboard and clicking “update,” or by downloading the new version manually from the vendor.

SolarWinds Fixes Critical RCE Bugs in Access Rights Audit Solution
https://www.veiliant.com/solarwinds-fixes-critical-rce-bugs-in-access-rights-audit-solution/
Fri, 16 Feb 2024 11:37:08 +0000

The post SolarWinds Fixes Critical RCE Bugs in Access Rights Audit Solution appeared first on Veiliant Inc..

SolarWinds has patched five remote code execution (RCE) flaws in its Access Rights Manager (ARM) solution, including three critical severity vulnerabilities that allow unauthenticated exploitation.

Access Rights Manager allows companies to manage and audit access rights across their IT infrastructure to minimize insider threat impact and more.

CVE-2024-23476 and CVE-2024-23479 are due to path traversal weaknesses, while the third critical flaw tracked as CVE-2023-40057 is caused by deserialization of untrusted data.

Unauthenticated attackers can exploit all three to gain code execution on targeted systems left unpatched.

The other two bugs (CVE-2024-23477 and CVE-2024-23478) can also be used in RCE attacks and have been rated by SolarWinds as high-severity issues.

Four of the five flaws patched by SolarWinds this week were found and reported by anonymous researchers working with Trend Micro’s Zero Day Initiative (ZDI), with the fifth one discovered by ZDI vulnerability researcher Piotr Bazydło.

SolarWinds patched the flaws in Access Rights Manager 2023.2.3, which was released this Thursday with bug and security fixes.

The company has not received any reports of these vulnerabilities being exploited in the wild, a SolarWinds spokesperson told BleepingComputer.

CVE-ID          Vulnerability Title                                                         Severity
CVE-2023-40057  SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution      9.0 Critical
CVE-2024-23476  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution  9.6 Critical
CVE-2024-23477  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution  7.9 High
CVE-2024-23478  SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution      8.0 High
CVE-2024-23479  SolarWinds Access Rights Manager Directory Traversal Remote Code Execution  9.6 Critical

“These vulnerabilities were disclosed by Trend Micro’s Security Research Team, which collaborates with SolarWinds as part of our responsible disclosure program and our ongoing commitment to secure software development,” the spokesperson told BleepingComputer.

“We have contacted customers to ensure they can take the steps to address these vulnerabilities by applying the patches we have released. Responsible disclosure of vulnerabilities is key to improving security within our products and the industry at large and we thank Trend Micro for their partnership.”

SolarWinds also fixed three other critical Access Rights Manager RCE bugs in October, allowing attackers to run code with SYSTEM privileges.

March 2020 SolarWinds supply-chain attack

The trojanized builds of the SolarWinds Orion platform distributed in that attack facilitated the deployment of the Sunburst backdoor on thousands of systems, but the attackers selectively targeted a significantly smaller number of organizations for further exploitation.

With a clientele exceeding 300,000 worldwide, SolarWinds at the time serviced 96% of Fortune 500 companies, including high-profile companies like Apple, Google, and Amazon, as well as government organizations like the U.S. Military, Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States.

After the supply-chain attack was disclosed, multiple U.S. government agencies confirmed they were breached, including the Departments of State, Homeland Security, Treasury, and Energy, as well as the National Telecommunications and Information Administration (NTIA), the National Institutes of Health, and the National Nuclear Security Administration.

In April 2021, the United States government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds cyberattack.

In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to notify them of cybersecurity defense issues before the 2020 hack.

Update February 16, 14:31 EST: Added SolarWinds statement.

Ongoing Microsoft Azure Account Hijacking Campaign Targets Executives
https://www.veiliant.com/ongoing-microsoft-azure-account-hijacking-campaign-targets-executives/
Tue, 13 Feb 2024 00:41:02 +0000

The post Ongoing Microsoft Azure Account Hijacking Campaign Targets Executives appeared first on Veiliant Inc..

A phishing campaign detected in late November 2023 has compromised hundreds of user accounts in dozens of Microsoft Azure environments, including those of senior executives.

Hackers target executives’ accounts because they can access confidential corporate information, self-approve fraudulent financial transactions, and access critical systems to use them as a foothold for launching more extensive attacks against the breached organization or its partners.

Proofpoint’s Cloud Security Response Team, which has been monitoring the malicious activity, issued an alert earlier today highlighting the lures the threat actors use and proposing targeted defense measures.

Campaign details

The attacks employ documents sent to targets that embed links masqueraded as “View document” buttons that take victims to phishing pages.

Proofpoint says the messages target employees who are more likely to hold higher privileges within their employing organization, which elevates the value of a successful account compromise.

“The affected user base encompasses a wide spectrum of positions, with frequent targets including Sales Directors, Account Managers, and Finance Managers. Individuals holding executive positions such as “Vice President, Operations”, “Chief Financial Officer & Treasurer” and “President & CEO” were also among those targeted,” explains Proofpoint.

The analysts identified the following Linux user-agent string, which the attackers use to gain unauthorized access to Microsoft 365 apps:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36

This user agent has been associated with various post-compromise activities, such as MFA manipulation, data exfiltration, internal and external phishing, financial fraud, and creating obfuscation rules in mailboxes.

Proofpoint says it has observed unauthorized access to the following Microsoft 365 components:

  • Office365 Shell WCSS-Client: Indicates browser access to Office365 applications, suggesting web-based interaction with the suite.
  • Office 365 Exchange Online: Shows that attackers target this service for email-related abuses, including data exfiltration and lateral phishing.
  • My Signins: Used by attackers to manipulate Multi-Factor Authentication (MFA).
  • My Apps: Targeted for accessing and possibly altering configurations or permissions of applications within the Microsoft 365 environment.
  • My Profile: Indicates attempts to modify user personal and security settings, potentially to maintain unauthorized access or escalate privileges.

MFA manipulation events (Proofpoint)

Proofpoint also reports that the attackers’ operational infrastructure includes proxies, data hosting services, and hijacked domains. Proxies are selected to be near the targets to reduce the likelihood of attacks being blocked by MFA or other geo-fencing policies.

The cybersecurity firm also observed non-conclusive evidence that the attackers may be based in Russia or Nigeria, based on the use of certain local fixed-line internet service providers.

How to defend

Proofpoint proposes several defense measures to protect against the ongoing campaign, which can help enhance organizational security within Microsoft Azure and Office 365 environments.

The suggestions include:

  1. Monitor for the use of the specific user-agent string shared above and source domains in logs.
  2. Immediately reset compromised passwords of hijacked accounts and periodically change passwords for all users.
  3. Use security tools to detect account takeover events quickly.
  4. Apply industry-standard mitigations against phishing, brute-forcing, and password-spraying attacks.
  5. Implement policies for automatic threat response.

These measures can help detect incidents early, respond rapidly, and minimize the attackers’ opportunity and dwell times as much as possible.
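Suggestion 1 above, as an added example that is not Proofpoint's code: sign-in events are filtered on the exact user-agent string, grouped per account, and rated by which of the listed applications that user agent reached, with My Signins treated as highest priority because of the MFA manipulation the report describes. The field names loosely follow Entra ID sign-in log exports and are an assumption; the five events, the accounts and the addresses are constructed.

```python
"""Added example, not Proofpoint's code: hunt for the campaign's user agent in
sign-in logs and rank the accounts it touched.

Assumptions: field names loosely follow Entra ID / Microsoft 365 sign-in
exports (userPrincipalName, appDisplayName, userAgent, ipAddress); the
sample events are constructed. Adapt the keys to your own export.
"""
import json
from collections import defaultdict

# Exact string reported for the campaign's post-compromise access.
SUSPICIOUS_UA = ("Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")

# Applications the report lists as targeted, with what access to each implies.
TARGETED_APPS = {
    "Office365 Shell WCSS-Client": "browser access to Office 365",
    "Office 365 Exchange Online": "mailbox access, exfiltration, lateral phishing",
    "My Signins": "MFA manipulation",
    "My Apps": "application permission changes",
    "My Profile": "personal/security settings changes",
}

# Constructed sign-in events (JSON Lines). Addresses are from documentation ranges.
SAMPLE_LOG = """
{"createdDateTime":"2023-11-28T09:02:11Z","userPrincipalName":"cfo@example.com","appDisplayName":"Office 365 Exchange Online","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T13:41:07Z","userPrincipalName":"cfo@example.com","appDisplayName":"Office 365 Exchange Online","ipAddress":"198.51.100.5","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T13:44:52Z","userPrincipalName":"cfo@example.com","appDisplayName":"My Signins","ipAddress":"198.51.100.5","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T14:10:30Z","userPrincipalName":"sales.director@example.com","appDisplayName":"My Apps","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}
{"createdDateTime":"2023-11-28T15:00:00Z","userPrincipalName":"helpdesk@example.com","appDisplayName":"My Signins","ipAddress":"203.0.113.22","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36"}
"""


def parse_events(text: str) -> list:
    """Parse JSON Lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events: list) -> list:
    """Group hits on the campaign user agent per account and rate them.

    high   : the user agent reached My Signins (MFA tampering is the likely goal)
    medium : it reached another application from the report's list
    low    : it appeared, but only against applications not on the list
    """
    hits = defaultdict(list)
    for ev in events:
        if ev.get("userAgent") == SUSPICIOUS_UA:
            hits[ev.get("userPrincipalName", "?")].append(ev)

    findings = []
    for user, evs in hits.items():
        apps = sorted({e.get("appDisplayName", "") for e in evs})
        implications = [TARGETED_APPS[a] for a in apps if a in TARGETED_APPS]
        if "My Signins" in apps:
            severity = "high"
        elif implications:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "user": user,
            "severity": severity,
            "first_seen": min(e.get("createdDateTime", "") for e in evs),
            "source_ips": sorted({e.get("ipAddress", "") for e in evs}),
            "apps": apps,
            "implications": implications,
        })
    order = {"high": 0, "medium": 1, "low": 2}  # most urgent first
    return sorted(findings, key=lambda f: (order[f["severity"]], f["first_seen"]))


if __name__ == "__main__":
    for f in detect(parse_events(SAMPLE_LOG)):
        print(f"[{f['severity'].upper():6}] {f['user']} from {', '.join(f['source_ips'])}: "
              f"{', '.join(f['apps'])} -> {'; '.join(f['implications'])}")
```

Match on the exact string: the report gives it verbatim, and a substring match on "Linux" would page on every legitimate Linux user. Treat the user agent as one signal rather than proof, since the operator can change it at will; the per-user application list and source addresses are what the analyst pivots on, and a helpdesk account enrolling MFA from its usual Windows browser (the fifth event) is correctly left alone.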

AnyDesk Says Hackers Breached its Production Servers, Reset Passwords
https://www.veiliant.com/anydesk-says-hackers-breached-its-production-servers-reset-passwords/
Sun, 11 Feb 2024 00:18:40 +0000

The post AnyDesk Says Hackers Breached its Production Servers, Reset Passwords appeared first on Veiliant Inc..

AnyDesk confirmed today that it suffered a recent cyberattack that allowed hackers to gain access to the company’s production systems. BleepingComputer has learned that source code and private code signing keys were stolen during the attack.

AnyDesk is a remote access solution that allows users to remotely access computers over a network or the internet. The program is very popular with enterprises, which use it for remote support or to access colocated servers.

The software is also popular among threat actors who use it for persistent access to breached devices and networks.

AnyDesk hacked

In a statement shared with BleepingComputer late Friday afternoon, AnyDesk says they first learned of the attack after detecting indications of an incident on their production servers.

After conducting a security audit, they determined their systems were compromised and activated a response plan with the help of cybersecurity firm CrowdStrike.

AnyDesk did not share details on whether data was stolen during the attack. However, BleepingComputer has learned that the threat actors stole source code and code signing certificates.

The company also confirmed ransomware was not involved but didn’t share too much information about the attack other than saying their servers were breached, with the advisory mainly focusing on how they responded to the incident.

As part of their response, AnyDesk says they have revoked security-related certificates and remediated or replaced systems as necessary. They also reassured customers that AnyDesk was safe to use and that there was no evidence of end-user devices being affected by the incident.

“We can confirm that the situation is under control and it is safe to use AnyDesk. Please ensure that you are using the latest version, with the new code signing certificate,” AnyDesk said in a public statement.

While the company says that no authentication tokens were stolen, out of caution, AnyDesk is revoking all passwords to their web portal and suggests changing the password if it’s used on other sites.

“AnyDesk is designed in a way in which session authentication tokens cannot be stolen. They only exist on the end user’s device and are associated with the device fingerprint. These tokens never touch our systems,” AnyDesk told BleepingComputer in response to our questions about the attack.

“We have no indication of session hijacking as to our knowledge this is not possible.”

The company has already begun replacing stolen code signing certificates, with Günter Born of BornCity first reporting that they are using a new certificate in AnyDesk version 8.0.8, released on January 29th. The only listed change in the new version is that the company switched to a new code signing certificate and will revoke the old one soon.

BleepingComputer looked at previous versions of the software, and the older executables were signed under the name ‘philandro Software GmbH’ with serial number 0dbf152deaf0b981a8a938d53f769db8. The new version is now signed under ‘AnyDesk Software GmbH,’ with a serial number of 0a8177fcd8936a91b5e0eddf995b0ba5, as shown below.

Signed AnyDesk 8.0.6 (left) vs AnyDesk 8.0.8 (right) (Source: BleepingComputer)

Certificates are usually not invalidated unless they have been compromised, such as being stolen in attacks or publicly exposed.

“my.anydesk II is currently undergoing maintenance, which is expected to last for the next 48 hours or less,” reads the AnyDesk status message page.

“You can still access and use your account normally. Logging in to the AnyDesk client will be restored once the maintenance is complete.”

Yesterday, access was restored, allowing users to log in to their accounts, but AnyDesk did not provide any reason for the maintenance in the status updates.

However, AnyDesk has confirmed to BleepingComputer that this maintenance is related to the cybersecurity incident.

It is strongly recommended that all users switch to the new version of the software, as the old code signing certificate will soon be revoked.

In addition, while AnyDesk says that passwords were not stolen in the attack, the threat actors did gain access to production systems, so all AnyDesk users are strongly advised to change their passwords, and to change them at any other sites where the same password is reused.

Last night, Cloudflare disclosed that it was hacked on Thanksgiving using authentication keys stolen during last year’s Okta cyberattack.

Last week, Microsoft also revealed that they were hacked by Russian state-sponsored hackers named Midnight Blizzard, who also attacked HPE in May.

Cloudflare Hacked Using Auth Tokens Stolen in Okta Attack https://www.veiliant.com/cloudflare-hacked-using-auth-tokens-stolen-in-okta-attack/?utm_source=rss&utm_medium=rss&utm_campaign=cloudflare-hacked-using-auth-tokens-stolen-in-okta-attack Thu, 01 Feb 2024 16:50:43 +0000

Cloudflare disclosed today that its internal Atlassian server was breached by a suspected ‘nation state attacker’ who accessed its Confluence wiki, Jira bug database, and Bitbucket source code management system.

The threat actor first gained access to Cloudflare’s self-hosted Atlassian server on November 14 and then accessed the company’s Confluence and Jira systems following a reconnaissance stage.

“They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil,” said Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas.

To access its systems, the attackers used one access token and three service account credentials that had been stolen during a previous compromise linked to Okta's breach from October 2023 and that Cloudflare had failed to rotate (they were among the thousands of credentials leaked during the Okta compromise).

Cloudflare detected the malicious activity on November 23, severed the hacker's access on the morning of November 24, and its cybersecurity forensics specialists began investigating the incident three days later, on November 26.

While addressing the incident, Cloudflare's staff rotated all production credentials (over 5,000 unique ones), physically segmented test and staging systems, performed forensic triage on 4,893 systems, and reimaged and rebooted all systems on the company's global network, including all Atlassian servers (Jira, Confluence, and Bitbucket) and the machines accessed by the attacker.

The threat actors also tried hacking into Cloudflare’s data center in São Paulo—which isn’t yet used in production—but these attempts failed. All equipment in Cloudflare’s Brazil data center was later returned to the manufacturers to ensure that the data center was 100% secure.

Remediation efforts ended almost one month ago, on January 5th, but the company says that its staff is still working on software hardening, as well as credential and vulnerability management.

Cloudflare Thanksgiving breach

The company says that this breach did not impact Cloudflare customer data or systems; its services, global network systems, or configuration were also unaffected.

“Even though we understand the operational impact of the incident to be extremely limited, we took this incident very seriously because a threat actor had used stolen credentials to get access to our Atlassian server and accessed some documentation and a limited amount of source code,” said Prince, Graham-Cumming, and Bourzikas.

“Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network.

“Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network; no doubt with an eye on gaining a deeper foothold.”

On October 18, 2023, Cloudflare’s Okta instance was breached using an authentication token stolen from Okta’s support system. The hackers who breached Okta’s customer support system also gained access to files belonging to 134 customers, including 1Password, BeyondTrust, and Cloudflare.

After the October 2023 incident, the company said that its Security Incident Response Team’s quick response contained and minimized the impact on Cloudflare systems and data and that no Cloudflare customer information or systems were impacted.

Another attempt to breach Cloudflare’s systems was blocked in August 2022 after attackers tried using employee credentials stolen in a phishing attack but failed because they didn’t have access to the victims’ company-issued FIDO2-compliant security keys.

Microsoft Reveals How Hackers Breached its Exchange Online Accounts https://www.veiliant.com/microsoft-reveals-how-hackers-breached-its-exchange-online-accounts/?utm_source=rss&utm_medium=rss&utm_campaign=microsoft-reveals-how-hackers-breached-its-exchange-online-accounts Fri, 26 Jan 2024 19:07:58 +0000

Microsoft confirmed that the Russian Foreign Intelligence Service hacking group, which hacked into its executives’ email accounts in November 2023, also breached other organizations as part of this malicious campaign.

Midnight Blizzard (aka Nobelium, or APT29) is believed to be a state-backed cyberespionage group tied to the Russian Foreign Intelligence Service (SVR), primarily targeting government organizations, NGOs, software developers, and IT service providers in the U.S. and Europe.

On January 12, 2024, Microsoft discovered that the Russian hackers had breached its systems in November 2023 and stolen email from its leadership, cybersecurity, and legal teams. Some of these emails contained information about the hacking group itself, allowing the threat actors to learn what Microsoft knew about them.

Microsoft now explains that the threat actors used residential proxies and “password spraying” brute-force attacks to target a small number of accounts, with one of these accounts being a “legacy, non-production test tenant account.”

“In this observed Midnight Blizzard activity, the actor tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection and avoid account blocks based on the volume of failures,” explains an update from Microsoft.

When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization.

Microsoft has now confirmed that MFA was not enabled for that account, allowing the threat actors to access Microsoft’s systems once they brute-forced the correct password.

Microsoft also explains that this test account had access to an OAuth application with elevated access to Microsoft’s corporate environment. This elevated access allowed the threat actors to create additional OAuth applications to gain access to other corporate mailboxes, as explained below.

Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications.

They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes. – Microsoft.

The company identified the malicious activity by retrieving traces in Exchange Web Services (EWS) logs, combined with known tactics and procedures used by Russian state-sponsored hacking groups.

Based on these findings, Microsoft was able to discern similar attacks carried out by Midnight Blizzard, which targeted other organizations.

“Using the information gained from Microsoft’s investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations,” warns Microsoft in the new update.

When BleepingComputer asked HPE who disclosed the breach to them, they told us that they were not sharing this information. However, the overlap raises suspicions, increasing the possibility of HPE being one of the companies Microsoft has confirmed as impacted.

In September 2023, it was also revealed that the Chinese Storm-0558 hacking group stole 60,000 emails from U.S. State Department accounts after breaching Microsoft’s cloud-based Exchange email servers earlier that year.

Defending against Midnight Blizzard

Microsoft has provided extensive detection and hunting methods in its latest post to aid defenders in identifying attacks by APT29 and blocking their malicious activity.

The tech giant advises focusing on identity, XDR, and SIEM alerts. The following scenarios are particularly suspicious for Midnight Blizzard activity:

  • Elevated activity in email-accessing cloud apps, suggesting potential data retrieval.
  • Spike in API calls post-credential update in non-Microsoft OAuth apps, hinting at unauthorized access.
  • Increased Exchange Web Services API usage in non-Microsoft OAuth apps, potentially indicating data exfiltration.
  • Non-Microsoft OAuth apps with known risky metadata, possibly involved in data breaches.
  • OAuth apps created by users from high-risk sessions, suggesting compromised account exploitation.

Finally, Microsoft advises using the targeted hunting queries provided in its post with Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activity.

Hackers Target WordPress Database Plugin Active on 1 Million Sites https://www.veiliant.com/hackers-target-wordpress-database-plugin-active-on-1-million-sites/?utm_source=rss&utm_medium=rss&utm_campaign=hackers-target-wordpress-database-plugin-active-on-1-million-sites Thu, 25 Jan 2024 18:47:10 +0000

Malicious activity targeting a critical severity flaw in the ‘Better Search Replace’ WordPress plugin has been detected, with researchers observing thousands of attempts in the past 24 hours.

Better Search Replace is a WordPress plugin with more than one million installations that helps with search and replace operations in databases when moving websites to new domains or servers.

Admins can use it to search and replace specific text in the database or handle serialized data, and it provides selective replacement options, support for WordPress Multisite, and also includes a "dry run" option to make sure that everything works fine.

The plugin vendor, WP Engine, released version 1.4.5 last week to address a critical-severity PHP object injection vulnerability tracked as CVE-2023-6933.

The security issue stems from deserializing untrusted input and allows unauthenticated attackers to inject a PHP object. Successful exploitation could lead to code execution, access to sensitive data, file manipulation or deletion, and triggering an infinite loop denial of service condition.

The description of the flaw in Wordfence's tracker states that Better Search Replace isn't directly vulnerable on its own but can be exploited to execute code, retrieve sensitive data, or delete files if another plugin or theme on the same site contains a suitable Property Oriented Programming (POP) chain.

The exploitability of PHP object injection vulnerabilities often relies on the presence of a suitable POP chain that can be triggered by the injected object to perform malicious actions.
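To make the point of the two paragraphs above concrete, here is an added illustration that is not code from Better Search Replace, WP Engine or Wordfence: a hypothetical LogWriter class stands in for whatever a co-installed plugin or theme might load, and the vulnerable and hardened unserialize() calls sit side by side so the role of the POP chain is visible.

```php
<?php
// Added illustration, not code from Better Search Replace or WP Engine.
// LogWriter is a hypothetical stand-in for a class some other plugin or
// theme might load; its __destruct is where a POP chain would begin.
// Here it is harmless and only records that attacker-chosen data reached it.
$fired = [];

class LogWriter {
    public $path = '';
    public $line = '';
    public function __destruct() {
        global $fired;
        // A real gadget would act on $this->path / $this->line (write or
        // delete a file); this stand-in just notes that it ran.
        $fired[] = "__destruct ran, path={$this->path}, line={$this->line}";
    }
}

// Constructed request values. A normal caller sends a serialized array;
// a hostile caller sends a serialized object of a class the site loads.
$legit   = serialize(['old' => 'http://old.example', 'new' => 'https://new.example']);
$hostile = 'O:9:"LogWriter":2:{s:4:"path";s:6:"/tmp/x";s:4:"line";s:3:"pwn";}';

// Vulnerable pattern: every loaded class is instantiable, so the object
// is built and its magic methods run when it goes out of scope.
function vulnerable(string $blob) {
    return unserialize($blob);
}

// Hardened pattern: with allowed_classes => false, objects come back as
// __PHP_Incomplete_Class, which has no methods, so no gadget can fire.
// Anything that was an object (at any depth) is then rejected outright.
function hardened(string $blob) {
    $value = unserialize($blob, ['allowed_classes' => false]);
    return containsObject($value) ? null : $value;
}

function containsObject($v): bool {
    if (is_object($v)) return true;
    if (is_array($v)) foreach ($v as $item) if (containsObject($item)) return true;
    return false;
}

vulnerable($legit);    // array: nothing to fire
vulnerable($hostile);  // object built and destroyed: gadget runs once
hardened($hostile);    // incomplete class, rejected: gadget never runs
printf("gadget executions: %d\n", count($fired));
```

Without LogWriter (or any other class with a usable magic method) loaded, the hostile blob in the vulnerable path only yields an incomplete-class object and nothing runs, which is exactly why the plugin's exposure depends on what else is installed on the site.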

Hackers have seized the opportunity to exploit the vulnerability as WordPress security firm Wordfence reports that it has blocked over 2,500 attacks targeting CVE-2023-6933 on its clients over the past 24 hours.

Source: Wordfence

The flaw impacts all Better Search Replace versions up to 1.4.4. Users are strongly recommended to upgrade to 1.4.5 as soon as possible.

Download stats on WordPress.org recorded close to half a million downloads over the past week, with 81% of active installations on the 1.4 branch, though the stats do not distinguish between minor releases.

Update 1/25 – Wordfence has told BleepingComputer that they initially used a broad rule to detect the activity described above, and as a result, some of the logged attempts concern other flaws, like CVE-2023-25135. However, most of the attacks are attributed to exploitation attempts for CVE-2023-6933.
