WordPress Backup Migration Plugin Flaw Exposes 90K Websites to RCE Attacks

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

A popular WordPress plugin with over 90,000 active installs makes many websites vulnerable to potential remote code execution (RCE) attacks.

The plugin, known as Backup Migration, offers various functions, such as scheduling automatic site backups to specific storage facilities.

Tracked as CVE-2023-6553, the vulnerability has a CVSS score of 9.8 and allows unauthenticated threat actors to fully compromise a site by exploiting the flaw to inject arbitrary PHP code.

“The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.3.7 via the /includes/backup-heart.php file,” the Wordfence team said.

“This is due to an attacker being able to control the values passed to an include, and subsequently leverage that to achieve remote code execution. This makes it possible for unauthenticated threat actors to easily execute code on the server.”

The RCE vulnerability was reported by Wordfence to BackupBliss, the development team behind Backup Migration. Within hours of the report, a patch to fix the vulnerability was released. Nevertheless, Wordfence reported that it had already blocked 394 attacks before the publication of its blog post.

Administrators and developers are advised to secure their websites against this critical vulnerability by updating to the latest patched version of Backup Migration (version 1.3.8).
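Because the flaw is reached through /includes/backup-heart.php without a login, web server access logs are one place to check for requests to that file while the update is being rolled out. The Python script below is an added example, not code from Wordfence or the plugin; the Combined Log Format, the PLUGIN_DIR placeholder, the trusted_ips parameter and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# File path named in the Wordfence advisory quoted above.
TARGET_SUFFIX = "/includes/backup-heart.php"

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_hits(lines, trusted_ips=()):
    """Group requests for the plugin file by client IP.

    trusted_ips is an assumption: addresses to skip, such as the server's
    own address if the site requests this file itself.
    """
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        # Drop the query string, decode %-escapes, compare case-insensitively.
        path = unquote(m["path"].split("?", 1)[0]).lower()
        if path.endswith(TARGET_SUFFIX):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def summarize(hits):
    """Return (ip, total_requests, requests_answered_2xx), busiest first."""
    rows = [(ip, len(reqs), sum(200 <= r[2] < 300 for r in reqs))
            for ip, reqs in hits.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

# Constructed sample lines: documentation IP ranges, placeholder plugin dir.
P = "/wp-content/plugins/PLUGIN_DIR/includes/backup-heart.php"
SAMPLE_LOG = [
    f'203.0.113.7 - - [11/Dec/2023:10:01:02 +0000] "POST {P} HTTP/1.1" 200 0 "-" "-"',
    f'203.0.113.7 - - [11/Dec/2023:10:01:09 +0000] "POST {P} HTTP/1.1" 403 162 "-" "-"',
    f'198.51.100.23 - - [11/Dec/2023:11:30:00 +0000] "GET {P}?x=1 HTTP/1.1" 403 162 "-" "-"',
    f'192.0.2.10 - - [11/Dec/2023:12:00:00 +0000] "POST {P} HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.99 - - [11/Dec/2023:12:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG, trusted_ips={"192.0.2.10"})
    for ip, total, served in summarize(found):
        print(f"{ip}: {total} request(s), {served} answered with 2xx")
```

A hit only shows that the file was requested; access logs do not record what the request carried, so each listed address is a lead for review, with 2xx responses on an unpatched version the first to look at.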

The vulnerability was identified by a team of bug hunters called Nex Team, who reported it to Wordfence under its bug bounty program. On December 5, the team reported the bug, and the very next day Wordfence validated it and confirmed the proof-of-concept exploit.

Wordfence released a firewall rule to protect customers and sent the full disclosure details to the plugin developer, who released a fix after acknowledging the report.

The bug bounty program by Wordfence was a huge success, with nearly 130 vulnerability submissions and over 270 registered vulnerability researchers.

Ransomware Gang Claims to Have Hacked Sony’s Insomniac Games

  • Written by Shipra Sanganeria Cybersecurity & Tech Writer
  • Fact-Checked by Justyn Newman Former Lead Cybersecurity Editor

Insomniac Games, the renowned developer of games like Spider-Man and Spyro the Dragon, has allegedly been hacked by the ransomware gang Rhysida.

Based in Burbank, California, Insomniac Games became a part of PlayStation Studios after it was acquired by Sony Interactive Entertainment in 2019.

The gang claims to have “exclusive, unique, and impressive data” from the game developer, which includes US passport copies (allegedly belonging to employees), internal emails, personal data, signed confidential documents, and previews of its upcoming Wolverine game.

The gang has given Insomniac seven days to pay the ransom before it publishes the data. “With just 7 days on the clock, seize the opportunity to bid on exclusive, unique, and impressive data,” Rhysida posted on its leak site. “Open your wallets and be ready to buy exclusive data. We sell only to one hand, no reselling, you will be the only owner!”

Meanwhile, it also put up the stolen data for auction, starting at 50 Bitcoins (around $2 million).

Parent company Sony, in a statement to Eurogamer, said that it is investigating these claims. “We are aware of reports that Insomniac Games has been the victim of a cyber security attack. We are currently investigating this situation. We have no reason to believe that any other SIE or Sony divisions have been impacted,” said Sony.

New to the ransomware scene, the group has been linked to the well-known security breach at the British Library.

This year, Sony and its subsidiaries have been on the target list of various ransomware actors. In September, two separate hackers claimed to have stolen around 3.14 GB of data from the company’s system. After this, in October 2023, reports surfaced of Sony being a victim of the MOVEit file transfer attack, which compromised sensitive data of 6,791 people in the US.