Trojanized WordPress Credentials Checker Steals 390,000 Credentials, Critical Vulnerability Uncovered in Microsoft Azure MFA: Your Cybersecurity Roundup
Trojanized WordPress Credentials Checker Steals 390,000 Credentials in MUT-1244 Campaign
A sophisticated threat actor, tracked as MUT-1244, has executed a large-scale campaign over the past year, successfully stealing over 390,000 WordPress credentials. This operation, which primarily targeted other threat actors as well as security researchers, red teamers, and penetration testers, relied on a trojanized WordPress credentials checker and malicious GitHub repositories to compromise its victims.
The attackers used a malicious tool, “yawpp,” advertised as a WordPress credentials checker. Many of the victims, including threat actors, used the tool to validate stolen credentials, inadvertently exposing their own systems and data. Alongside this, MUT-1244 set up multiple GitHub repositories containing backdoored proof-of-concept exploits for known vulnerabilities. These repositories were designed to appear legitimate, often surfacing in trusted threat intelligence feeds such as Feedly and Vulnmon. This appearance of authenticity duped professionals and malicious actors alike into executing the malware, which was delivered through a variety of methods, including backdoored configuration files, Python droppers, malicious npm packages, and rigged PDF documents.
The campaign also included a phishing element. Victims were tricked into running commands to install what they believed was a CPU microcode update but was actually malware. Once installed, the malware deployed both a cryptocurrency miner and a backdoor, allowing the attackers to steal sensitive data such as SSH private keys, AWS access keys, and environment variables. The stolen information was then exfiltrated to platforms like Dropbox and file.io using hardcoded credentials embedded in the malware.
Researchers Uncover Critical Vulnerability in Microsoft Azure MFA, Allowing Account Takeover
Security researchers at Oasis Security identified a critical vulnerability in Microsoft Azure’s multifactor authentication (MFA) system that allowed them to bypass MFA protections and gain unauthorized access to user accounts in about an hour. The flaw, caused by the absence of a rate limit on failed MFA attempts, left over 400 million Microsoft 365 accounts vulnerable to potential compromise, exposing sensitive data such as Outlook emails, OneDrive files, Teams chats, and Azure Cloud services.
By exploiting the vulnerability, dubbed “AuthQuake,” attackers could perform simultaneous, rapid attempts to guess the six-digit MFA code, which has 1 million possible combinations. A lack of user alerts during failed login attempts made the attack stealthy and difficult to detect. Additionally, researchers found that Microsoft’s system allowed MFA codes to remain valid for approximately three minutes—2.5 minutes longer than the 30-second expiration recommended by RFC-6238—significantly increasing the likelihood of a successful guess.
Through their testing, researchers demonstrated that within 24 sessions (roughly 70 minutes), attackers would have over a 50% chance of guessing the correct code.
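The odds quoted above follow from simple probability, and modelling them shows why a per-window rate limit matters more than the code's lifetime. The Python below is an added illustration, not code from the Oasis write-up or this roundup: it uses the roundup's figures (one million code values, 24 windows, >50% success) and treats the per-window guess count and the 10-attempt lockout as assumed parameters.

```python
import math

CODE_SPACE = 10**6  # a six-digit MFA code has one million possible values


def session_success_prob(attempts_per_window: int, code_space: int = CODE_SPACE) -> float:
    """Chance of hitting the code for one validity window when the attacker
    submits `attempts_per_window` distinct guesses before the code rotates."""
    return min(attempts_per_window, code_space) / code_space


def cumulative_success_prob(windows: int, attempts_per_window: int,
                            code_space: int = CODE_SPACE) -> float:
    """Chance of at least one hit across `windows` validity windows; each window
    carries a fresh code, so the windows are independent trials."""
    p_fail = 1.0 - session_success_prob(attempts_per_window, code_space)
    return 1.0 - p_fail ** windows


def attempts_needed(windows: int, target_prob: float,
                    code_space: int = CODE_SPACE) -> int:
    """Smallest per-window guess count that reaches `target_prob` within
    `windows` windows (solves 1 - (1 - k/N)^windows >= target for k)."""
    p_fail_per_window = (1.0 - target_prob) ** (1.0 / windows)
    return math.ceil(code_space * (1.0 - p_fail_per_window))


def main() -> None:
    # Roundup figures: 24 windows of ~3 minutes (~70 min) give >50% odds.
    k = attempts_needed(24, 0.5)
    print(f"guesses per 3-minute window for 50% in 24 windows: {k}")
    print(f"success with {k} guesses/window over 24 windows: "
          f"{cumulative_success_prob(24, k):.3f}")
    # Defender view (assumed policy): lock out after 10 failed guesses per window.
    print(f"success with a 10-attempt lockout over 24 windows: "
          f"{cumulative_success_prob(24, 10):.6f}")
    # Same lockout, but a patient attacker cycling through a year of 3-minute windows:
    # a per-window cap alone is not enough without persistent lockout and alerting.
    year_windows = 365 * 24 * 60 // 3
    print(f"same lockout over a year of windows ({year_windows}): "
          f"{cumulative_success_prob(year_windows, 10):.3f}")


if __name__ == "__main__":
    main()
```

The year-long case is the defender's takeaway: capping guesses per window shrinks the odds from over one half to well under a tenth of a percent for the reported 70-minute run, but only a cumulative failed-attempt lockout with user notification keeps those odds from climbing back over time.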
Russia Blocks Viber Over Alleged Violations of National Legislation
Russia’s telecommunications regulator, Roskomnadzor, has blocked the Viber encrypted messaging app, citing violations of national legislation. The app, which is widely used across the globe, was accused of failing to comply with requirements aimed at preventing its misuse for activities such as terrorism, extremism, drug trafficking, and the dissemination of illegal information. Roskomnadzor justified the restriction as necessary to mitigate these risks and maintain compliance with Russian laws.
Viber, available on both desktop and mobile platforms, is immensely popular, with over 1 billion downloads on the Google Play Store and significant user engagement on iOS. However, this move follows a series of actions by Russian authorities targeting foreign communication platforms. In June 2023, a Moscow court fined Viber 1 million rubles for its failure to remove what was labeled as illegal content, including materials related to Russia’s ongoing conflict in Ukraine. The crackdown on Viber aligns with broader restrictions Russia has imposed on messaging services.