Connect with us

Infosecurity

Global CMS Exploitation Campaign: Australian Cyber Agency Warns SMBs of ‘Highly Scaled’ Attacks

Published

on

CMS exploitation campaign

Mass Scanning and Webshell Deployment Hit CMS Platforms Worldwide

Australian cybersecurity authorities have issued an urgent alert about a global campaign targeting content management systems. The Australian Cyber Security Centre (ACSC) described the effort as “highly scaled,” warning that attackers are aggressively scanning websites for unpatched flaws.

In a July 9 update, the ACSC confirmed that many small and midsize businesses in Australia have been affected. But this is not a localized problem. The campaign is global, and the tactics are blunt: scan, find a vulnerability, drop a webshell, and move on.

“Malicious cyber actors are actively scanning websites for opportunities to deploy webshells, leveraging various vulnerabilities affecting CMS software and plugins,” the ACSC said in its advisory.

The vulnerabilities being exploited fall into familiar categories: unauthenticated file upload, remote code execution, server-side request forgery, and deserialization flaws. Most of the CVEs in play are from 2025 or 2026 — recent enough that many site owners may not have patched.

Affected platforms include WordPress, Craft CMS, MaxSite CMS, MetInfo CMS, and Joomla JCE. The ACSC noted that the speed of scanning and exploitation suggests attackers may be using offensive AI-powered tooling.

That observation aligns with a rare joint statement from the Five Eyes intelligence agencies late last month. They warned that frontier AI will “fundamentally” transform the threat landscape — and that transformation is happening “within months,” not years.

What Attackers Do With a Webshell

A webshell is a small piece of malicious code uploaded to a web server. Once in place, it gives the attacker remote access to the CMS instance. From there, the possibilities are grim.

Threat actors can:

  • Deface websites
  • Capture user credentials through fake login pages
  • Upload additional malware
  • Use the web server as a foothold for broader network compromise

For an SMB running an outdated plugin, a single overlooked patch can lead to a full network breach. The ACSC stressed that any server hosting a webshell should be treated as fully compromised.

ACSC Advice: How to Check for Webshells and Recover

The ACSC published a detailed list of steps for website owners. The advice is practical and direct. If you suspect your site has been hit, here is what to do:

  • Inspect the CMS for webshells and vulnerable plugins
  • Examine web access logs for IP addresses making GET or POST requests to any webshell paths
  • Treat servers with webshells as compromised — isolate them immediately
  • Audit authentication and check network logs for malicious events
  • Trace historical web requests linked to initial exploitation and webshell deployment
  • Review network logs for traffic to known malicious IP addresses
  • Investigate logging and hosts for signs of persistence, lateral movement, or other malicious actions (new accounts, exfiltration attempts, malware deployment)
  • Patch vulnerable systems to prevent reinfection, and remove or quarantine webshells or other malware
  • Restore compromised websites from recent known-good backups

That is a lot of work. But the alternative — leaving a webshell in place — is worse.

Proactive Security: Patch, Monitor, Restrict

The ACSC also urged CMS owners to get ahead of the problem. Keeping software up to date is the single most effective step. But it is not enough on its own.

Site administrators should monitor and block unexpected file creation, especially in upload directories. Restricting file and path access limits what an attacker can do even if they find a foothold. Monitoring for new or unusual processes on the server can catch a webshell before it is used.

Finally, limiting broader network access from the web server reduces the blast radius. If a CMS is compromised, the attacker should not be able to pivot to the database server or internal file shares.

Five Eyes: AI Is Accelerating the Threat

The ACSC’s mention of possible AI-powered tooling echoes the broader Five Eyes warning. The intelligence alliance — Australia, Canada, New Zealand, the United Kingdom, and the United States — rarely issues joint statements. When it does, the cybersecurity world pays attention.

Their late-June statement said frontier AI will “fundamentally” change the threat landscape within months. Automated vulnerability scanning, payload generation, and evasion techniques are all areas where AI can give attackers an edge.

For defenders, the message is clear: the pace of attacks is not slowing down. It is accelerating.

For more on protecting your site, see our guide on securing WordPress against automated attacks and our breakdown of recent CMS zero-day vulnerabilities.

The ACSC advisory is a reminder that no site is too small to be targeted. Attackers are scanning everything. If your CMS is not patched, it is only a matter of time before they find it.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Infosecurity

Five Charged in UK Crackdown on ‘Russian Coms’ Fraud Platform Behind 1.3 Million Scam Calls

Published

on

Russian Coms fraud

Five Londoners Charged in ‘Russian Coms’ Vishing Probe

British police have charged five people from London in connection with a notorious fraud platform that enabled millions of scam calls. The suspects are accused of running and promoting National Crime Agency described as a cybercrime-as-a-service operation that tricked victims into handing over cash and personal data.

The charges include conspiracy to supply articles for fraud, money laundering, and failing to provide phone passcodes when ordered. All five are due to appear at Westminster Magistrates’ Court on August 14, 2026.

What Was Russian Coms?

Launched in 2020, Russian Coms started as a physical handset before evolving into a web-based app. Criminals used it to spoof caller IDs — making it look like they were dialing from banks, telecoms firms, or even law enforcement agencies.

“They allowed criminals to hide their identity by appearing to call from pre-selected numbers,” the NCA said in a statement. The goal was simple: convince victims their accounts were compromised and persuade them to transfer money to a “safe” account controlled by the scammers.

By the time the platform was shut down in 2024, it was linked to over 1.3 million scam calls targeting half a million UK phone numbers — plus many more overseas.

Who Are the Accused?

The five individuals charged are:

  • Ayoub Sehailia, 28
  • Zakkaria Sehailia, 30
  • Usman Din, 30
  • Denis Ozmus, 29
  • Fadila Salem, 53

All are from different parts of London. Their court date is set for August 2026, more than two years away — a sign of the complexity of the case.

A Cybercrime-as-a-Service Empire

Russian Coms was marketed aggressively on Snapchat, Instagram, and Telegram. The package sold to fraudsters included “unlimited minutes,” “hold music,” encrypted calls, voice-changing tools, and 24/7 support.

The handset version came preloaded with VPN apps to hide the user’s IP address and a burner app that wiped the phone clean at the touch of a button. A six-month contract cost between £1,200 ($1,600) and £1,400 ($1,870), depending on delivery method.

Victims lost tens of millions of pounds, the NCA estimates. Fraud now accounts for 41% of all crime in the UK, with over two-thirds of it cyber-enabled.

Broader Crackdown on Fraud Gaining Ground

This case is part of a wider push by UK authorities. In January 2025, three men were sentenced at Snaresbrook Crown Court for running OTP.Agency, a site that helped fraudsters bypass multi-factor authentication (MFA) to hijack bank and telecom accounts.

More recently, Operation Henhouse 5 led to more than 500 arrests, freezing orders against £9 million ($12 million), and seizures of cash and assets worth £18.1 million ($24.3 million).

Still, the scale of the problem is daunting. The NCA says fraudsters are constantly adapting, using platforms like Russian Coms to stay one step ahead. The charges announced today are a reminder that law enforcement is catching up — but the fight is far from over.

Continue Reading

Infosecurity

UK cyber pledge draws only a handful of top firms despite ministerial appeal

Published

on

UK Cyber Resilience Pledge

Only a handful of FTSE 350 giants signed up

Fewer than 15 of Britain’s 350 largest listed companies put their names to the government’s flagship voluntary cybersecurity scheme at its launch on Tuesday. That’s despite ministers writing personal letters eight months ago to the chair and chief executive of every single FTSE 350 firm, urging them to join.

The UK Cyber Resilience Pledge was unveiled at a 10 Downing Street reception hosted by Technology Secretary Liz Kendall. In total, 70 founding signatories were named. But 20 of those are strategic government suppliers — companies that deliver critical services to the state and were invited to sign via a separate Government Cyber Charter. Strip them out, and the launch included just 50 truly voluntary signatories from across the wider economy.

Among the big names that did sign: Aviva, the London Stock Exchange Group, and Marks & Spencer — the latter lost hundreds of millions of pounds in a cyberattack last year. The rest of the list is heavy on small cybersecurity consultancies like C3IA Solutions, Grey Zone Services and Nexor, for whom the pledge aligns neatly with their own commercial offerings.

What the pledge actually asks

The pledge is light-touch by design. It asks signatories to do three things:

  • Make cybersecurity a board-level responsibility
  • Register for the NCSC’s free Early Warning service
  • Take a risk-based approach to requiring Cyber Essentials certification across their supply chains

All of it is voluntary. There is no enforcement mechanism. The Department for Science, Innovation and Technology did not respond to questions about whether signing carries procurement consequences for strategic suppliers, nor whether it regarded the FTSE 350 turnout as a strong response to the ministerial letter.

Why so few? Experts weigh in

Jamie MacColl, a senior research fellow at the Royal United Services Institute, said the number of signatories struck him as low.

“I would be relatively surprised if most FTSE 350 companies were not meeting an equivalent standard. Why would they go through Cyber Essentials when in many cases they will have a certification that has many more controls in it?”

MacColl sees a familiar pattern. “I think the pattern with UK cyber policy is often a consultation, research, code of practice or conduct, some sort of voluntary pledge, and then regulation. This could be repeating that pattern.”

He added: “You could see this as a step in the process whereby they end up regulating. You’ve almost given the private sector enough rope to hang itself with. If not enough organizations or vendors sign up to this stuff, that gives the government the cause to say regulation is necessary.”

Timing and context

Tuesday’s launch had been planned to follow the unveiling of Britain’s new National Cyber Action Plan on Monday. That was delayed due to Prime Minister Keir Starmer’s resignation.

The launch comes amid wider scrutiny of the government’s appetite to compel industry to act on cybersecurity. It follows the NCSC complaining about organizations failing to follow its guidance and advice.

The government says it will keep reviewing the pledge. In its own words: “Given that the threat landscape is evolving and new complex cyber threats may emerge, government will continue to review the suitability of the pledge, with the potential of refining the actions at the end of a 12-month cycle.”

The cost of inaction

According to the government, “the average cost of a significant cyberattack on an individual UK business now stands at almost £195,000 ($260,000), with the annual cost to organizations estimated at £14.7 billion ($19.7 billion), excluding wider disruption across the economy.”

That £14.7 billion figure comes from research supporting a separate measure — the Cyber Security and Resilience Bill — which is still being debated in Parliament and is not expected to be enforced until 2028.

So for now, the message to Britain’s biggest companies is: you’re asked nicely. Whether that changes depends on how many more decide to sign up over the next 12 months.

Continue Reading

Infosecurity

New CrashStealer Malware Tricks Mac Users by Faking Apple’s Crash Reporter

Published

on

CrashStealer macOS malware

A Fresh macOS Stealer Exploits Apple’s Own Security Guardrails

Mac users have long been told that their machines are safer than Windows PCs. But a newly discovered piece of malware, dubbed CrashStealer, is putting that assumption to the test. It sneaks past Apple’s Gatekeeper by borrowing a legitimate developer ID and a valid notarization ticket — the same credentials that are supposed to keep malware out.

First spotted in early July by researchers at Jamf Threat Labs, CrashStealer is a C++ infostealer that goes after login credentials, cryptocurrency wallets, browser data, and anything else it can grab from a compromised system. Its trick? It impersonates Apple’s built-in crash-reporting component, a system process that most users would never think to question.

“The delivery chain shows real care,” said Thijs Xhaflaire, senior threat researcher at Jamf, in a July 13 blog post. Instead of a bare, unsigned lure, the attackers lead with a signed and notarized dropper that clears Gatekeeper before quietly fetching and launching the real payload.

How CrashStealer Slips Past Gatekeeper

The attack chain begins with a disk image that looks like a legitimate software installer. The image is named “Werkbit Setup” and — crucially — it carries a valid Apple Developer ID and a notarization ticket. That means Apple’s Gatekeeper, the security feature that blocks unsigned apps on first launch, gives it a free pass.

Once the user runs the installer, the application reaches out to a GitHub API, which returns an obfuscated script. The script decodes into a downloader-installer that fetches the CrashStealer payload. The whole process is designed to look like a normal software update or crash report — the kind of thing a busy user would click through without a second thought.

Jamf researchers note that the disk image exploits an application bundle specifically built to impersonate Apple’s crash-reporting tool. This helps the malware evade detection by both users and security software.

Data Theft and Cryptocurrency Wallet Targeting

After CrashStealer gains a foothold, it displays a native-looking password prompt. It’s styled to resemble a genuine macOS authorization request. The goal: trick the victim into typing their system login credentials, confirming that the attacker has the right password for the machine.

From there, the malware pivots to its real objective: stealing browser usernames and passwords, cryptocurrency wallet logins, password manager credentials, and any other data stored in the system keychain. It targets popular wallets and browser-stored credentials, giving attackers access to email, social media, and financial accounts.

What Makes CrashStealer Different from Other Mac Malware

There’s no shortage of macOS infostealers out there — Atomic (AMOS) and MacSync are two recent examples. But CrashStealer stands apart in a few key ways.

  • Client-side AES-GCM encryption: The malware encrypts stolen files before exfiltration, making it harder for researchers to analyze the data in transit.
  • Control-flow flattening: This obfuscation technique scrambles the code’s logical structure, making reverse engineering a nightmare.
  • Encrypted strings and layered anti-debugging: The malware actively resists analysis by security tools, using multiple techniques to detect and evade sandboxes.

“What sets it apart from the commodity stealer crowd is less what it collects than how it is built,” Xhaflaire said. The emphasis on analysis resistance suggests a more sophisticated operator behind the wheel — not just a script kiddie repurposing old code.

Apple’s Response and What Mac Users Should Do

After confirming that a Developer Team ID was used to distribute malicious payloads, Jamf Threat Labs reported the incident to Apple. The company has not publicly commented on the matter yet.

For Mac users, the takeaway is clear: a signed and notarized app is no longer a guarantee of safety. The CrashStealer case shows that attackers are willing to jump through Apple’s hoops — obtaining legitimate developer credentials — to bypass Gatekeeper.

To stay protected, users should:

  • Be wary of unexpected installer prompts, even if they look official.
  • Check the developer name and certificate details before running any new software.
  • Keep macOS and security software up to date.
  • Use strong, unique passwords and a password manager — but be aware that even password managers are now in the crosshairs.

CrashStealer is a reminder that no platform is immune. As macOS grows in popularity, so does the attention it gets from malware authors. The days of “Macs don’t get viruses” are long gone — if they ever really existed.

Continue Reading

Trending