DEV Community

Cover image for Security news weekly round-up - 23rd August 2024
Habdul Hazeez
Habdul Hazeez

Posted on

2

Security news weekly round-up - 23rd August 2024

Introduction

The diversification of this week's review is quite a lot, and I hope that you don't get overwhelmed in the process. However, if you've been following this series for a while, you'll be fine 😊.

Today, the articles that we'll review together are about the following:

  • Internet of Things
  • Vulnerabilities (No surprises here)
  • A new phishing technique (Wait till you read it. It's crafty.
  • A macOS malware 👀
  • An Android malware that can steal payment card data
  • Slack AI data exfiltration

Let's go!


Critical Flaw in Donation Plugin Exposed 100,000 WordPress Sites to Takeover

Update! Update!! Update!! Well, that's if you have this plugin on your WordPress website. The short excerpt below briefly explains how the flaw works.

Tracked as CVE-2024-5932 (CVSS score of 10/10), the bug is described as a PHP object injection via the deserialization of untrusted input from the ‘give_title’ parameter.

Unauthenticated attackers, Defiant explains, could trigger the security defect to inject a PHP object and then exploit a POP (Property Oriented Programming) chain to execute arbitrary code remotely or delete arbitrary files.

Litespeed Cache bug exposes millions of WordPress sites to takeover attacks

If you have this plugin on your WordPress website and its version is less than or equal to 6.3.0.1, update immediately. Why? That's because you are running a vulnerable version that can allow the following on your WordPress website: The ability for unauthenticated visitors to gain administrator-level access to your website. Yes, you read that right.

There is no excerpt for this one. Go read the article.

New Phishing Technique Bypasses Security on iOS and Android to Steal Bank Credentials

A developer can spend months, if not years developing a secure system. The annoying part? Someone, somewhere across the globe can spend probably less than that cracking the system. This article is a classic example.

Here is what's going on:

The threat actors behind the phishing campaigns combined automated voice calls, social media malvertising, and SMS messages to distribute links to the third-party websites hosting the fraudulent applications.

Opening the phishing link to a page imitating the official Google Play/Apple Store page or the official website of the targeted banking application.

The user was then prompted to install a new version of the banking application, leading to the installation of the malicious program without any security warning being displayed on the device.

New macOS Malware "Cthulhu Stealer" Targets Apple Users' Data

Take this article as a notification that threat actors are increasingly targeting macOS. Furthermore, the threat actors behind "Cthulhu Stealer" appear to be financially motivated because this stealer can steal credentials and crypto wallets.

To be potentially safe from this malware, remember the following advice from the article:

While threats to macOS are much less prevalent than to Windows and Linux, users are advised to download software only from trusted sources, stay away from installing unverified apps, and keep their systems up-to-date with the latest security updates.

Android malware steals payment card data using previously unseen technique

I just wonder about the lengths that threat actors are willing to go to steal money. It's creative but not in a good way. In the embedded YouTube video below, the researcher details how the malware works. What's more, this is our "excerpt" for this article 😁

Slack AI data exfiltration from private channels via indirect prompt injection

I'll be honest with you: It's technical. However, here is the core of the attack: Attackers can steal anything from a private Slack channel using the LLM that's used to generate content.

From the article, here is a brief of what's going on:

The core of the issue from Slack AI stems from prompt injection, initially discovered by Jon Cefalu, and more specifically indirect prompt injection, initially coined by Kai Greshake

As such, if Slack AI ingests any instruction via a message, if that instruction is malicious, Slack AI has a high likelihood of following that instruction instead of, or in addition to, the user query.

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.

Image of Timescale

🚀 pgai Vectorizer: SQLAlchemy and LiteLLM Make Vector Search Simple

We built pgai Vectorizer to simplify embedding management for AI applications—without needing a separate database or complex infrastructure. Since launch, developers have created over 3,000 vectorizers on Timescale Cloud, with many more self-hosted.

Read full post →

Top comments (0)

A Workflow Copilot. Tailored to You.

Pieces.app image

Our desktop app, with its intelligent copilot, streamlines coding by generating snippets, extracting code from screenshots, and accelerating problem-solving.

Read the docs

👋 Kindness is contagious

Dive into an ocean of knowledge with this thought-provoking post, revered deeply within the supportive DEV Community. Developers of all levels are welcome to join and enhance our collective intelligence.

Saying a simple "thank you" can brighten someone's day. Share your gratitude in the comments below!

On DEV, sharing ideas eases our path and fortifies our community connections. Found this helpful? Sending a quick thanks to the author can be profoundly valued.

Okay