
Parrot TDS poses immediate risk to web developers worldwide


Staying up to date with the ever-evolving security landscape is central to maintaining the security of webservers and keeping potential threats at bay. 

Several threats to webservers are worth knowing about in order to prevent and mitigate them: DoS and DDoS attacks, SQL injection, unpatched software and cross-site scripting, to name a few. 

Now a recent discovery by threat researchers at Avast has shone a light on an immediate and significant risk to web developers worldwide: a traffic direction system named Parrot TDS.

What is a TDS?

Traffic Direction Systems (TDS) are not new; they have troubled web developers for years. Acting as landing pages that redirect unsuspecting users to malicious content, a TDS is the gateway through which attackers deliver their campaigns via infected sites.

Many TDSes have reached a high level of sophistication and let attackers set parameters that check a visitor's geolocation, browser type, cookies and referring website. 

Only visitors who meet the chosen conditions are then shown the phishing page. The parameters are usually set so that each visitor is shown the page only once, which keeps the load on the attackers' servers down.

Parrot TDS

In February, Avast's threat researchers discovered a swarm of attacks using a new TDS to take control of victims' devices. The new TDS, named Parrot TDS, emerged in recent months and has already reached hundreds of thousands of users worldwide, infecting webservers that host over 16,500 websites.

One of the main factors distinguishing Parrot TDS from other TDS is how widespread it is and how many potential victims it has. From March 1, 2022, to March 29, 2022, Avast protected more than 600,000 unique users from around the globe visiting sites infected with Parrot TDS, including over 11,000 users in the U.K. In this timeframe, Avast protected the most users in Brazil (73,000) and India (55,000); and more than 31,000 unique users from the US.

In this particular case, the infected sites' appearance is altered by a campaign called FakeUpdate, which uses JavaScript to display fake notices telling users to update their browser and offering an update file for download. The file observed being delivered to victims is a remote access tool called NetSupport Manager, which the attackers misuse to gain full access to victims' computers.

Parrot TDS also creates a backdoor on the infected webservers in the form of a PHP script to act as a backup option for the attacker.

FakeUpdate

Like Parrot TDS, FakeUpdate performs a preliminary scan to collect information about the site visitor before displaying the phishing message. The scan checks which antivirus product is installed on the device and uses that to decide whether or not to display the message. 

The distributed tool is configured in such a way that the user has very little chance of noticing it and if the file displayed by FakeUpdate is run by the victim, the attackers gain full access to their computer. 

The researchers observed other phishing sites being hosted on the Parrot TDS infected sites, but cannot conclusively tie them to Parrot TDS. 

CMS sites

Avast's researchers believe attackers are breaking into webservers running poorly secured content management systems, such as WordPress and Joomla sites, by logging into accounts with weak credentials to gain admin access to the servers.  

WordPress has a long history of being a very rich and desirable target for exploits. The software is a collection of PHP scripts, a language and ecosystem attackers know well, and the sheer number of components (plug-ins, themes and other scripts), each able to introduce its own vulnerabilities, makes it hard to prevent infections or compromises.

On top of this, many WordPress websites are running older versions that could be behind several major releases, which leads to security vulnerabilities being left unpatched. In addition, some administrators are inexperienced in IT operational security or simply overburdened with other responsibilities and can’t dedicate enough time to implementing the necessary security measures to ensure the safety of a WordPress site.

How developers can protect their servers

Nevertheless, there are steps web developers can take to protect their servers against these attacks, starting with simply scanning all files on the webserver with an antivirus program. Further steps are:

- Replace all JavaScript and PHP files on the webserver with clean copies from the original distribution
- Use the latest CMS version
- Use the latest versions of installed plugins
- Check for automatically running tasks on the webserver (for example, cron jobs)
- Check and set up secure credentials, and use unique credentials for every service
- Check the administrator accounts on the server, making sure each belongs to a known developer and has a strong password
- Where applicable, set up 2FA for all webserver admin accounts
- Use the available security plugins (WordPress, Joomla)
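As an added example that is not Avast's or Snynet's code, the bash helpers below cover three of the checks above in a form that can be run offline from the server's shell: comparing the webroot against a sha256 manifest taken from a clean copy of the CMS, plugins and theme (anything modified, missing or untracked is listed); looking for PHP files in directories that should only ever hold media; and flagging crontab lines that start an interpreter or downloader. The directory names, the manifest format and the small demo tree with its simulated compromise are all assumptions constructed for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): post-compromise triage helpers
# for a PHP webroot. Paths, manifest format and the demo data are assumptions.
set -u

# 1) Compare the live webroot with a clean sha256 manifest. Prints MODIFIED or
#    MISSING for manifest entries and UNTRACKED for PHP/JS files on disk that the
#    manifest does not know about (a dropped backdoor or injected loader).
#    Manifest format is sha256sum output: "<hash>  ./relative/path".
check_manifest() {
  local webroot="$1" manifest="$2" expected rel actual tmp
  while read -r expected rel; do
    rel="${rel#\*}"; rel="${rel#./}"
    if [ ! -f "$webroot/$rel" ]; then
      echo "MISSING $rel"
      continue
    fi
    actual=$(sha256sum "$webroot/$rel" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || echo "MODIFIED $rel"
  done < "$manifest"
  tmp=$(mktemp)
  awk '{sub(/^\*?(\.\/)?/, "", $2); print $2}' "$manifest" | sort > "$tmp"
  (cd "$webroot" && find . -type f \( -name '*.php' -o -name '*.js' \) | sed 's#^\./##' | sort) \
    | comm -13 "$tmp" - | sed 's/^/UNTRACKED /'
  rm -f "$tmp"
}

# 2) WordPress' wp-content/uploads and Joomla's images/ hold media only; any
#    PHP file there is almost certainly a web shell or dropper.
find_php_in_uploads() {
  local webroot="$1" dir
  for dir in wp-content/uploads images; do
    if [ -d "$webroot/$dir" ]; then
      find "$webroot/$dir" -type f \( -name '*.php*' -o -name '*.phtml' \)
    fi
  done
  return 0
}

# 3) Flag crontab lines that launch an interpreter, a downloader or something
#    under a world-writable directory. Feed it `crontab -l -u www-data` or the
#    contents of /etc/cron.d/*; comments and blank lines are ignored.
suspicious_cron() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E 'php|curl|wget|base64|python|perl|/tmp/|/dev/shm/' || true
}

# Constructed demo: build a tiny clean site, take its manifest, then simulate a
# compromise (injected theme.js, PHP in uploads, dropped file in wp-includes).
build_demo() {
  local root; root=$(mktemp -d)
  mkdir -p "$root/site/wp-content/uploads" "$root/site/wp-includes" "$root/site/wp-content/themes/t"
  printf '<?php echo "core";\n' > "$root/site/wp-includes/load.php"
  printf 'document.title = "t";\n' > "$root/site/wp-content/themes/t/theme.js"
  printf 'not really an image\n' > "$root/site/wp-content/uploads/pic.jpg"
  (cd "$root/site" && find . -type f | sort | xargs sha256sum) > "$root/manifest.txt"
  printf '\n// injected loader (placeholder)\n' >> "$root/site/wp-content/themes/t/theme.js"
  printf '<?php /* placeholder web shell */\n' > "$root/site/wp-content/uploads/shell.php"
  printf '<?php /* placeholder backdoor */\n' > "$root/site/wp-includes/cache-helper.php"
  echo "$root"
}

demo=$(build_demo)
echo "== manifest check =="
check_manifest "$demo/site" "$demo/manifest.txt"
echo "== PHP in upload directories =="
find_php_in_uploads "$demo/site"
echo "== suspicious cron entries =="
printf '%s\n' '# m h dom mon dow command' \
               '0 3 * * * /usr/bin/certbot renew' \
               '*/5 * * * * php /tmp/.x/u.php' | suspicious_cron
rm -rf "$demo"
```

On a real server, generate the manifest from a freshly downloaded copy of the same CMS, plugin and theme versions (`cd clean/ && find . -type f | sort | xargs sha256sum > manifest.txt`), then run `check_manifest /var/www/site manifest.txt`. A clean result from the manifest check does not clear the server on its own: also review the cron output, web server configuration and database-stored content, since the article notes Parrot TDS leaves a PHP backdoor as a fallback.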

How site visitors can avoid falling victim to phishing

For site visitors, it is as crucial as ever to be vigilant online. If a site looks different than expected, visitors should leave it and neither download any files nor enter any information. 

Similarly, visitors should only download updates directly from browser settings and never via other channels.

Date

27 Apr 2022
