Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • World
  • Users
  • Groups
Skins
  • Light
  • Brite
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (Cyborg)
  • No Skin
Collapse
Brand Logo

CIRCLE WITH A DOT
  1. Home
  2. Uncategorized
  3. Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise.

Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise.

Scheduled Pinned Locked Moved Uncategorized
wordpressthreatintelthreatintelligethreathuntingifin
4 Posts 3 Posters 2 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • ifin@infosec.exchangeI This user is from outside of this forum
    ifin@infosec.exchangeI This user is from outside of this forum
    ifin@infosec.exchange
    wrote last edited by
    #1

    Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. We have more IoCs for you, and what we believe to be a use of the blockchain for an initial access auction for the plugin install base.

    Link Preview Image
    Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

    What a crazy story. I wonder if the attack surface (now burned) was worth six figures. IoCs in article.

    favicon

    IFIN (discourse.ifin.network)

    #ThreatIntel #ThreatIntelligence #ThreatHunting #IFIN

    deepthoughts10@infosec.exchangeD 1 Reply Last reply
    1
    0
    • mttaggart@infosec.exchangeM mttaggart@infosec.exchange shared this topic
    • ifin@infosec.exchangeI ifin@infosec.exchange

      Following up on an excellent blog post we discovered (linked in thread), we dug a little deeper on a recent #WordPress plugin compromise. We have more IoCs for you, and what we believe to be a use of the blockchain for an initial access auction for the plugin install base.

      Link Preview Image
      Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them

      What a crazy story. I wonder if the attack surface (now burned) was worth six figures. IoCs in article.

      favicon

      IFIN (discourse.ifin.network)

      #ThreatIntel #ThreatIntelligence #ThreatHunting #IFIN

      deepthoughts10@infosec.exchangeD This user is from outside of this forum
      deepthoughts10@infosec.exchangeD This user is from outside of this forum
      deepthoughts10@infosec.exchange
      wrote last edited by
      #2

      @ifin one thing I’m interested in is the Ethereum API or RPC endpoint the malware is using for the Etherhiding. My theory is that these threat actors use the same handful of endpoints and I want to make their lives harder by blocking those endpoints cc: @mttaggart

      mttaggart@infosec.exchangeM 1 Reply Last reply
      0
      • deepthoughts10@infosec.exchangeD deepthoughts10@infosec.exchange

        @ifin one thing I’m interested in is the Ethereum API or RPC endpoint the malware is using for the Etherhiding. My theory is that these threat actors use the same handful of endpoints and I want to make their lives harder by blocking those endpoints cc: @mttaggart

        mttaggart@infosec.exchangeM This user is from outside of this forum
        mttaggart@infosec.exchangeM This user is from outside of this forum
        mttaggart@infosec.exchange
        wrote last edited by
        #3

        @deepthoughts10 @ifin The second stage did indeed have a handful of crypto exchanges it would try to hit. No reason not to block them all in an enterprise environment, imo.

        deepthoughts10@infosec.exchangeD 1 Reply Last reply
        0
        • mttaggart@infosec.exchangeM mttaggart@infosec.exchange

          @deepthoughts10 @ifin The second stage did indeed have a handful of crypto exchanges it would try to hit. No reason not to block them all in an enterprise environment, imo.

          deepthoughts10@infosec.exchangeD This user is from outside of this forum
          deepthoughts10@infosec.exchangeD This user is from outside of this forum
          deepthoughts10@infosec.exchange
          wrote last edited by
          #4

          @mttaggart @ifin can you share the URLs that were involved?

          1 Reply Last reply
          0
          Reply
          • Reply as topic
          Log in to reply
          • Oldest to Newest
          • Newest to Oldest
          • Most Votes

          • Login
          • Login or register to search.
          • First post
            Last post
          0
          • Categories
          • Recent
          • Tags
          • Popular
          • World
          • Users
          • Groups