Parrot TDS poses immediate risk to web developers worldwide
Date:
Wed, 27 Apr 2022 18:52:57 +0000
Description:
A new traffic direction system (TDS) called Parrot has been spotted
leveraging tens of thousands of compromised websites to launch further malicious campaigns.
FULL STORY ======================================================================
Staying up to date with the ever-evolving security landscape is central to maintaining the security of webservers and keeping potential threats at bay.
There are several key threats to webservers that are important to be aware
of, to prevent and mitigate those risks. DoS and DDoS attacks , SQL injections, unpatched software and cross-site scripting, to name a few.
Now, a recent discovery from threat researchers at Avast has shone a light on an immediate and significant risk to web developers worldwide, named Parrot TDS. What is a TDS?
Traffic Direction Systems (TDS) are not new. They have been an enemy of web-developers for several years. Used as landing pages that direct unsuspecting users to malicious content, TDS serve as a gateway for
delivering various malicious campaigns via infected sites.
Many TDS have reached a high level of sophistication and often allow
attackers to set parameters which look at users geolocation, browser type, cookies, and which website they came from.
This is used to target victims who meet certain conditions and then only display phishing pages to them. These parameters are usually set so that each user is only shown a phishing page once to prevent servers from overloading. Parrot TDS
In February, Avasts threat researchers discovered a swarm of attacks using a new Traffic Direction System (TDS) to take control of the victims devices.
The new TDS, named Parrot TDS, emerged in recent months and has already reached hundreds of thousands of users worldwide, infecting various
webservers hosting over 16,500 websites.
One of the main factors distinguishing Parrot TDS from other TDS is how widespread it is and how many potential victims it has. From March 1, 2022,
to March 29, 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS, including over 11,000
users in the U.K. In this timeframe, Avast protected the most users in Brazil (73,000) and India (55,000); and more than 31,000 unique users from the US.
In this particular case, the infected sites appearances are altered by a campaign called FakeUpdate, which uses JavaScript to display fake notices for users to update their browsers, offering an update file for download. The
file we have observed being delivered to victims is a remote access tool called NetSupport Manager which is misused by attackers to give them full access to victims computers.
Parrot TDS also creates a backdoor on the infected webservers in the form of
a PHP script to act as a backup option for the attacker. FakeUpdate
Like Parrot TDS, FakeUpdate also performs a preliminary scan to collect information about the site visitor before displaying the phishing message.
The scan checks which antivirus product is on the device to determine whether or not to display the phishing message.
The distributed tool is configured in such a way that the user has very
little chance of noticing it and if the file displayed by FakeUpdate is run
by the victim, the attackers gain full access to their computer.
The researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie them to Parrot TDS. CMS sites
We believe attackers are exploiting webservers of poorly secured content management systems, like WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers.
WordPress has a long history of being a very rich and desirable target for exploits. This is because the software is based on running a series of PHP scripts, which is a popular venue for hackers. The sheer number of
components, including plug-ins, themes, and other scripts, makes it hard to prevent potential infections or compromises.
On top of this, many WordPress websites are running older versions that could be behind several major releases, which leads to security vulnerabilities being left unpatched. In addition, some administrators are inexperienced in
IT operational security or simply overburdened with other responsibilities
and cant dedicate enough time to implementing the necessary security measures to ensure the safety of a WordPress site. How developers can protect their servers
Nevertheless, there are steps web developers can take to protect their
servers against these attacks, starting with simply scanning all files on the webserver with an antivirus program. Further steps developers can take are:
- Replace all JavaScript and PHP files on the webserver with original files
- Use the latest CMS version
- Use the latest versions of installed plugins
- Check for automatically running tasks on the webserver (for example, cron jobs)
- Check and set up secure credentials, and use unique credentials for every service
- Check administrator accounts on the server, making sure each of them
belongs to developers and have strong passwords
- When applicable, set up 2FA for all the webserver admin accounts
- Use available security plugins (WordPress, Joomla) How site visitors can avoid falling victim to phishing
For site visitors, its as crucial as ever to be vigilant online. If a site being visited appears different than expected, visitors should leave the site and not download any files or enter any information.
Similarly, visitors should only download updates directly from browser settings and never via other channels. Defend from ransomware with the best ransomware protection services around
======================================================================
Link to news story:
https://www.techradar.com/news/parrot-tds-poses-immediate-risk-to-web-develope rs-worldwide/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)