      Hackers exploit WordPress plugin flaw that gives full control of millions of sites

      news.movim.eu / ArsTechnica • 31 March, 2023

    Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

    The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When those conditions are met, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

    The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

      These angry Dutch farmers really hate Microsoft

      news.movim.eu / ArsTechnica • 31 March, 2023

    As soon as Lars Ruiter steps out of his car, he is confronted by a Microsoft security guard, who is already seething with anger. Ruiter, a local councillor, has parked in the rain outside a half-finished Microsoft data center that rises out of the flat North Holland farmland. He wants to see the construction site. The guard, who recognizes Ruiter from a previous visit when he brought a TV crew here, says that’s not allowed. Within minutes, the argument has escalated, and the guard has his hand around Ruiter’s throat.

    The security guard lets go of Ruiter within a few seconds, and the councillor escapes with a red mark across his neck. Back in his car, Ruiter insists he’s fine. But his hands shake when he tries to change gears. He says the altercation—which he will later report to the police—shows the fog of secrecy that surrounds the Netherlands’ expanding data center business.

      3CX knew its app was flagged as malicious, but took no action for 7 days

      news.movim.eu / ArsTechnica • 30 March, 2023 • 1 minute

    The support team for 3CX, the VoIP/PBX software provider with more than 600,000 customers and 12 million daily users, was aware its desktop app was being flagged as malware, but decided to take no action for a week when it learned it was on the receiving end of a massive supply chain attack, a thread on the company’s community forum shows.

    “Is anyone else seeing this issue with other A/V vendors?” one company customer asked on March 22, in a post titled “Threat alerts from SentinelOne for desktop update initiated from desktop client.” The customer was referring to an endpoint malware detection product from security firm SentinelOne. Included in the post were some of SentinelOne’s suspicions: the detection of shellcode, code injection to other process memory space, and other trademarks of software exploitation.

    Is anyone else seeing this issue with other A/V vendors?

    Post Exploitation
    Penetration framework or shellcode was detected
    Evasion
    Indirect command was executed
    Code injection to other process memory space during the target process' initialization
    \Device\HarddiskVolume4\Users\**USERNAME**\AppData\Local\Programs\3CXDesktopApp\3CXDesktopApp.exe
    SHA1 e272715737b51c01dc2bed0f0aee2bf6feef25f1

    I'm also getting the same trigger when attempting to redownload the app from the web client (3CXDesktopApp-18.12.416.msi).

    Defaulting to trust

    Other users quickly jumped in to report receiving the same warnings from their SentinelOne software. They all reported receiving the warning while running 18.0 Update 7 (Build 312) of the 3CXDesktopApp for Windows. Users soon decided the detection was a false positive triggered by a glitch in the SentinelOne product. They created an exception to allow the suspicious app to run without interference. On Friday, a day later, and again on the following Monday and Tuesday, more users reported receiving the SentinelOne warning.

      Yes, Virginia, there is AI joy in seeing fake Will Smith ravenously eat spaghetti

      news.movim.eu / ArsTechnica • 30 March, 2023

    Amid this past week's controversies in AI over regulation, fears of world-ending doom, and job disruption, the clouds have briefly parted. For a brief and shining moment, we can enjoy an absolutely ridiculous AI-generated video of Will Smith eating spaghetti that is now lighting up our lives with its terrible glory.

    On Monday, a Reddit user named "chaindrop" shared the AI-generated video on the r/StableDiffusion subreddit. It quickly spread to other forms of social media and inspired mixed ruminations in the press. For example, Vice said the video will "haunt you for the rest of your life," while the AV Club called it the "natural end point for AI development."

    We're somewhere in between. The 20-second silent video consists of 10 independently generated two-second segments stitched together. Each one shows different angles of a simulated Will Smith (at one point, even two Will Smiths) ravenously gobbling up spaghetti. It's entirely computer-generated, thanks to AI.

      Trojanized Windows and Mac apps rain down on 3CX users in massive supply chain attack

      news.movim.eu / ArsTechnica • 30 March, 2023 • 1 minute

    Hackers working on behalf of the North Korean government have pulled off a massive supply chain attack on Windows and macOS users of 3CX, a widely used voice and video calling desktop client, researchers from multiple security firms said.

    The attack compromised the software build system used to create and distribute Windows and macOS versions of the app, which provides both VoIP and PBX services to “600,000+ customers,” including American Express, Mercedes-Benz, and Price Waterhouse Cooper. Control of the software build system gave the attackers the ability to hide malware inside 3CX apps that were digitally signed using the company’s official signing key. The macOS version, according to macOS security expert Patrick Wardle, was also notarized by Apple, indicating that the company analyzed the app and detected no malicious functionality.

    In the making since 2022

    “This is a classic supply chain attack, designed to exploit trust relationships between an organization and external parties,” Lotem Finkelstein, Director of Threat Intelligence & Research at Check Point Software, said in an email. “This includes partnerships with vendors or the use of a third-party software which most businesses are reliant on in some way. This incident is a reminder of just how critical it is that we do our due diligence in terms of scrutinizing who we conduct business with.”

      Pro-Russian hackers target elected US officials supporting Ukraine

      news.movim.eu / ArsTechnica • 30 March, 2023

    Threat actors aligned with Russia and Belarus are targeting elected US officials supporting Ukraine, using attacks that attempt to compromise their email accounts, researchers from security firm Proofpoint said.

    The campaign, which also targets officials of European nations, uses malicious JavaScript that’s customized for individual webmail portals belonging to various NATO-aligned organizations, a report Proofpoint published Thursday said. The threat actor—which Proofpoint has tracked since 2021 under the name TA473—employs sustained reconnaissance and painstaking research to ensure the scripts steal targets’ usernames, passwords, and other sensitive login credentials as intended on each publicly exposed webmail portal being targeted.

    Tenacious targeting

    “This actor has been tenacious in its targeting of American and European officials as well as military and diplomatic personnel in Europe,” Proofpoint threat researcher Michael Raggi wrote in an email. “Since late 2022, TA473 has invested an ample amount of time studying the webmail portals of European government entities and scanning publicly facing infrastructure for vulnerabilities all in an effort to ultimately gain access to emails of those closely involved in government affairs and the Russia-Ukraine war.”

      Fearing “loss of control,” AI critics call for 6-month pause in AI development

      news.movim.eu / ArsTechnica • 29 March, 2023 • 1 minute

    On Wednesday, the Future of Life Institute published an open letter on its website calling on AI labs to "immediately pause for at least 6 months the training of AI systems more powerful than GPT-4." Signed by Elon Musk and several prominent AI researchers, the letter quickly began to draw attention in the press—and some criticism on social media.

    Earlier this month, OpenAI released GPT-4, an AI model that can perform compositional tasks and allegedly pass standardized tests at a human level, although those claims are still being evaluated by research. Regardless, GPT-4 and Bing Chat's advancement in capabilities over previous AI models spooked some experts who believe we are heading toward super-intelligent AI systems faster than previously expected.

    Along these lines, the Future of Life Institute argues that recent advancements in AI have led to an "out-of-control race" to develop and deploy AI models that are difficult to predict or control. They believe that the lack of planning and management of these AI systems is concerning and that powerful AI systems should only be developed once their effects are well-understood and manageable. As they write in the letter:

      Ransomware crooks are exploiting IBM file exchange bug with a 9.8 severity

      news.movim.eu / ArsTechnica • 29 March, 2023 • 1 minute

    Threat actors are exploiting a critical vulnerability in an IBM file-exchange application in hacks that install ransomware on servers, security researchers have warned.

    The IBM Aspera Faspex is a centralized file-exchange application that large organizations use to transfer large files or large volumes of files at very high speeds. Rather than relying on TCP-based technologies such as FTP to move files, Aspera uses IBM’s proprietary FASP—short for Fast, Adaptive, and Secure Protocol—to better utilize available network bandwidth. The product also provides fine-grained management that makes it easy for users to send files to a list of recipients in distribution lists or shared inboxes or workgroups, giving transfers a workflow that’s similar to email.

    In late January, IBM warned of a critical vulnerability in Aspera versions 4.4.2 Patch Level 1 and earlier and urged users to install an update to patch the flaw. Tracked as CVE-2022-47986, the vulnerability makes it possible for unauthenticated threat actors to remotely execute malicious code by sending specially crafted calls to an outdated programming interface. The ease of exploiting the vulnerability and the damage that could result earned CVE-2022-47986 a severity rating of 9.8 out of a possible 10.

      Generative AI set to affect 300 million jobs across major economies

      news.movim.eu / ArsTechnica • 28 March, 2023

    The latest breakthroughs in artificial intelligence could lead to the automation of a quarter of the work done in the US and eurozone, according to research by Goldman Sachs.

    The investment bank said on Monday that “generative” AI systems such as ChatGPT, which can create content that is indistinguishable from human output, could spark a productivity boom that would eventually raise annual global gross domestic product by 7 percent over a 10-year period.

    But if the technology lived up to its promise, it would also bring “significant disruption” to the labor market, exposing the equivalent of 300 million full-time workers across big economies to automation, according to Joseph Briggs and Devesh Kodnani, the paper’s authors. Lawyers and administrative staff would be among those at greatest risk of becoming redundant.
