Welcome to the latest edition of Be Cyber Safe (Neu Cyber Threats), a weekly series in which we bring attention to the latest cyber-attacks, scams, frauds, malware (including ransomware) and DDoS attacks, to ensure you stay safe online.

Here are the most prominent threats which you should be aware of:

New OpenSSH Vulnerability Exposes Linux Systems to Remote Command Injection

A recently identified flaw in OpenSSH, a widely used connectivity tool for remote login with the SSH protocol, has been disclosed. This vulnerability, now patched, had the potential to allow remote attackers to execute arbitrary commands through a vulnerable OpenSSH installation’s forwarded ssh-agent under specific circumstances. The flaw was discovered by Qualys and is tracked under the identifier CVE-2023-38408. It affects all versions of OpenSSH prior to 9.3p2.

The vulnerability lies in the SSH authentication agent, known as ssh-agent, which holds users’ keys in memory and allows remote logins without re-entering passphrases. By analysing ssh-agent’s source code, Qualys found that a remote attacker with access to the remote server to which the ssh-agent is forwarded can load and unload shared libraries on the user’s workstation, provided the agent was compiled with ENABLE_PKCS11, which is the default setting.

Qualys successfully demonstrated a proof-of-concept against default installations of Ubuntu Desktop 22.04 and 21.10, and it is anticipated that other Linux distributions may also be vulnerable. Therefore, OpenSSH users must update to the latest version to protect against potential cyber threats.
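As an added example (not from the newsletter or from Qualys), the following POSIX shell function parses the version banner printed by `ssh -V` and reports whether it predates 9.3p2, the first release carrying the fix. It assumes the upstream `OpenSSH_X.YpZ` banner format; distributions that backport fixes without changing the version string will still show as vulnerable, so treat the result as a prompt to check the vendor advisory.

```shell
#!/bin/sh
# Added example: classify an OpenSSH version banner against the 9.3p2 fix
# for CVE-2023-38408. Prints "vulnerable", "patched" or "unknown".
# Return codes: 0 patched, 1 vulnerable, 2 unparseable banner.
openssh_version_status() {
    # Extract major, minor and portable patch level ("p2") from a banner such as
    # "OpenSSH_9.3p1, OpenSSL 3.0.9 30 May 2023" (sample values are constructed).
    ver=$(printf '%s' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || { echo unknown; return 2; }
    set -- $ver
    major=$1; minor=$2; patch=${3:-0}

    # Anything below 9.3p2 is affected: compare major, then minor, then patch.
    if [ "$major" -lt 9 ] \
        || { [ "$major" -eq 9 ] && [ "$minor" -lt 3 ]; } \
        || { [ "$major" -eq 9 ] && [ "$minor" -eq 3 ] && [ "$patch" -lt 2 ]; }; then
        echo vulnerable
        return 1
    fi
    echo patched
    return 0
}

# Check the local client if one is installed (ssh -V writes its banner to stderr).
command -v ssh >/dev/null 2>&1 && openssh_version_status "$(ssh -V 2>&1)" || true
```

Until a host is updated, the exposure described above only exists when the agent is forwarded, so setting `ForwardAgent no` in ssh_config is the interim mitigation.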

Previously, OpenSSH maintainers had addressed other security vulnerabilities, such as one in February (CVE-2023-25136) that an unauthenticated, remote attacker could exploit to modify unexpected memory locations and potentially execute code. Another issue was resolved in March: a specially crafted DNS response could cause a denial of service in the SSH client by making it read adjacent stack data out of bounds.

Given the criticality of OpenSSH in securing remote connections and protecting against eavesdropping and connection hijacking, users are strongly advised to keep their OpenSSH installations up to date to ensure the highest level of security for their systems and networks.

Source: https://bit.ly/475sWNG

New AI Tool Allows Cybercriminals to Launch Sophisticated Cyber Attacks

The emergence of generative artificial intelligence (AI) has led to its misuse by malicious actors for cybercriminal activities, as evidenced by the creation of a new cybercrime tool called WormGPT. Recently discovered by security researchers, WormGPT has been advertised on underground forums as a means for adversaries to conduct sophisticated phishing and business email compromise (BEC) attacks. This malicious tool utilises the open-source GPT-J language model developed by EleutherAI. It enables cybercriminals to automate the creation of compelling fake emails, personalised to recipients, thereby increasing the chances of successful attacks.

The software’s creator has described WormGPT as a blackhat alternative to the widely known ChatGPT, designed explicitly for illegal activities. As organisations like OpenAI and Google take measures to combat the abuse of large language models (LLMs) for fabricating phishing emails and generating malicious code, the potential threat posed by WormGPT becomes significant. Google’s Bard, in particular, has weaker anti-abuse restrictions than ChatGPT, making it easier to generate malicious content using Bard’s capabilities.

Moreover, WormGPT operates without ethical boundaries, allowing even novice cybercriminals to launch sophisticated attacks quickly and on a large scale without requiring extensive technical knowledge. This underscores the dangers of generative AI when misused. Cybercriminals have been exploiting ChatGPT’s API and employing stolen premium accounts and brute-force software to hack into ChatGPT accounts using lists of email addresses and passwords.

To make matters worse, threat actors have been promoting “jailbreaks” for ChatGPT, engineering specialised prompts and inputs to manipulate the tool into generating harmful outputs, potentially disclosing sensitive information, producing inappropriate content, or executing destructive code. Generative AI’s ability to create emails with impeccable grammar adds to the legitimacy of the attacks and reduces the chances of being flagged as suspicious.

To demonstrate the potential risks of generative AI misuse, researchers from Mithril Security have “surgically” modified an open-source AI model known as GPT-J-6B, turning it into a tool for spreading disinformation. This altered model, termed PoisonGPT, has been uploaded to public repositories like Hugging Face, posing a risk of LLM supply chain poisoning. The success of this technique relies on uploading the modified model under a name that impersonates a known company, such as a typosquatted version of EleutherAI. This highlights the need for increased vigilance in handling and deploying generative AI models to protect against potential cyber threats.

Source: https://bit.ly/3DqZMuT

Popular WordPress Security Plugin Caught Logging Plaintext Passwords

The All-In-One Security (AIOS) WordPress plugin, installed on over one million WordPress sites, was discovered to be logging plaintext passwords from login attempts. The plugin was designed to enhance security and prevent cyberattacks, but version 5.1.9 was found to store login credentials in an insecure manner, granting privileged users access to the passwords of all administrator users.

The issue was reported approximately two weeks ago when users started expressing concerns on the plugin’s support forums. In response, the Updraft team released AIOS version 5.2.0 to address the problem and remove the logged passwords from the database. However, some users experienced problems with their websites after the update and found that the password logs were not entirely removed. As a result, AIOS version 5.2.1 was released on Wednesday to fix these issues, but user feedback suggests that certain websites remain broken.

Patchstack CEO Oliver Sild criticised the AIOS maintainers for not warning users about the password logging vulnerability. He emphasised that users should have been prompted to reset their credentials if they used the same combinations on multiple sites, as this could be exploited by threat actors.

Due to the severity of the issue, it is crucial for All-In-One Security (AIOS) users to update their installations promptly. WordPress statistics indicate that hundreds of thousands of websites are still running a vulnerable version of the plugin, putting them at risk of potential attacks from hackers who might exploit the logged credentials. To safeguard their websites and user accounts, users are strongly advised to update to the latest version of AIOS immediately.

Source: https://bit.ly/450jhqa

Contact Neuways for IT Support

If you need any assistance with your IT support, then please contact Neuways and we will help you where we can. Just get in touch with our team today.