The most commonly observed threat category for the past week was vulnerabilities. Security researchers identify new vulnerabilities and report them to the vendors, who then release updates with patches. It is important to keep up to date with these patches to be protected against the vulnerabilities.
Figure 1: Threat Categories
The following graph represents the trend in different cyber threats as compared to the previous week.
Thousands of Compromised WordPress Sites Redirect to Tech Support Scams (September 21, 2018)
Recommendation: Clean up the WordPress website, and check the pages as well as the databases. Identify the vector of the compromise, “which often times is an outdated WordPress installation or plugin.”
Western Digital Releases Hotfix for My Cloud Auth Bypass Vulnerability (September 21, 2018)
Western Digital has just released a hotfix firmware update to resolve the authentication bypass vulnerability (CVE-2018-17153) that had remained unpatched in My Cloud NAS devices for over a year. This vulnerability allowed anyone to bypass authentication and gain administrative access to the router. Once an attacker gains access to a router, they can flash it with custom firmware, change DNS settings to point users to phishing sites, or perform other malicious activities.
Recommendation: Update the firmware to patch the vulnerability.
0Day Windows JET Database Vulnerability disclosed by Zero Day Initiative (September 21, 2018)
A zero-day vulnerability in the Microsoft Windows Jet Database Engine has been disclosed by Trend Micro’s Zero Day Initiative even though a security update is not currently available from Microsoft. The vulnerability was discovered by Lucas Leong of the Trend Micro Security Research team and could allow attackers to perform remote code execution on a vulnerable machine. To initiate the attack, a specially crafted Jet database file would need to be opened, which would then perform an out-of-bounds write to the program’s memory buffer, leading to remote code execution on the targeted Windows computer.
Recommendation: Apply the patch as soon as it becomes available.
Newegg Credit Card Info Stolen For a Month by Injected MageCart Script (September 19, 2018)
The malicious credit-card-stealing MageCart script behind the British Airways and Feedify breaches has struck again, this time against Newegg, one of the largest online technology retailers. Two reports released by RiskIQ and Volexity detail how the MageCart script was injected into the Newegg site for a little over a month while quietly stealing customers’ payment information.
Recommendation: Change the password on your account; subscribe to a credit monitoring service; and monitor your card for any unauthorized transactions.
Credential Stuffing Attacks Generate Billions of Login Attempts (September 19, 2018)
Credential stuffing attacks are a growing problem, particularly in the financial sector, where botnets can initiate so many fraudulent login attempts that the wave has the effect of a distributed denial-of-service (DDoS) attack. The attack consists of trying to log into multiple online services using username and password combinations compiled from data breaches. The success of the endeavor depends on the common practice of users reusing the same password across multiple accounts.
Recommendation: Changing passwords periodically helps to protect against these types of attacks. Use a password manager that can generate strong, unique passwords for every site you visit, and turn on two-factor authentication where possible.
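Because credential stuffing tries one guess against many different accounts, it looks quite different in authentication logs from a user mistyping a password or from a classic brute force against a single account. The following added example (not part of the briefing, and not code from any vendor mentioned in it) shows a detection pass over constructed login records: it flags a source address that, inside a short window, targets many distinct usernames with a high failure rate, and lists the accounts that were nevertheless logged into successfully so they can be forced through a password reset. The log format, window size and thresholds are assumptions chosen for illustration.

```python
"""Credential-stuffing detector over authentication log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

# Constructed sample: 203.0.113.7 sprays ten different accounts in ten seconds
# (one of them succeeds); 198.51.100.4 is one user retrying their own password.
SAMPLE_LOG = """\
2018-09-19T10:00:01Z 203.0.113.7 alice FAIL
2018-09-19T10:00:02Z 203.0.113.7 bob FAIL
2018-09-19T10:00:03Z 203.0.113.7 carol FAIL
2018-09-19T10:00:04Z 203.0.113.7 dave FAIL
2018-09-19T10:00:05Z 203.0.113.7 erin SUCCESS
2018-09-19T10:00:06Z 203.0.113.7 frank FAIL
2018-09-19T10:00:07Z 203.0.113.7 grace FAIL
2018-09-19T10:00:08Z 203.0.113.7 heidi FAIL
2018-09-19T10:00:09Z 203.0.113.7 ivan FAIL
2018-09-19T10:00:10Z 203.0.113.7 judy FAIL
2018-09-19T10:01:00Z 198.51.100.4 alice FAIL
2018-09-19T10:01:30Z 198.51.100.4 alice FAIL
2018-09-19T10:02:00Z 198.51.100.4 alice SUCCESS
2018-09-19T10:05:00Z 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:  # skip lines that do not match the assumed format
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=8, min_fail_ratio=0.75):
    """Flag source IPs that hit many distinct accounts with mostly failures.

    Per source IP, a sliding window of `window` length is scanned; if any
    window contains at least `min_users` distinct usernames and a failure
    ratio of at least `min_fail_ratio`, the IP is reported together with the
    accounts that saw a successful login from it (candidates for reset).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # timestamps first, so this orders chronologically
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            fails = sum(1 for e in win if not e[3])
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                current = findings.get(ip)
                # keep the largest matching window seen for this IP
                if current is None or len(win) > current["attempts"]:
                    findings[ip] = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "fail_ratio": round(ratio, 2),
                        "successful_logins": sorted({e[2] for e in win if e[3]}),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account retries from 198.51.100.4 are not flagged because the distinct-username count stays at one, which is the property that separates stuffing from ordinary failed logins. As the briefing notes, real campaigns are run from botnets, so a production version would also aggregate the same signal per network range or per user agent rather than per single address, and would watch the global failure rate, which is what produces the DDoS-like effect described above.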
Xbash Malware Deletes Databases on Linux, Mines for Coins on Windows (September 18, 2018)
What may very well be considered a cybercriminal’s dream tool is now real and it is hunting Windows and Linux servers: a botnet with self-spreading capabilities that combines cryptomining and ransomware functions. The name of the new beast is Xbash and it looks for systems protected by a weak password and machines that run with unpatched known vulnerabilities.
Recommendation: Keep your systems updated with the latest patches; periodically scan for vulnerabilities.
References: Bleeping Computer
Tags: Vulnerabilities, Malware, Windows, Linux, Database, Botnet
New Botnet Hides in Blockchain DNS Mist and Removes Cryptominer (September 24, 2018)
A new botnet captured the attention of security researchers through its harmless behavior and the use of an original communication channel with its command and control server. Fbot is a peculiar variant of Mirai that preserves the original DDoS module but does not appear to use it. This is not the oddest thing yet because its purpose at the moment is to search for devices infected with a cryptomining malware and clean them. Security researchers from Qihoo’s 360Netlab discovered the new strain and noticed that it hunted down a botnet malware called ‘com.ufo.miner,’ a known variant of ADB.Miner that mines for Monero on Android devices (smartphones, smart TVs, set-top boxes).
Recommendation: Hunt for any unknown traffic, specifically traffic to blockchain DNS.
References: Bleeping Computer, 360Netlab
Tags: Botnet, DDoS, Malware
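Names served by blockchain DNS (the .bit top-level domain of Namecoin and the .emc, .coin, .lib and .bazar domains of Emercoin) do not exist in the ICANN root, so an ordinary corporate resolver answers NXDOMAIN for them and a host that actually resolves such a name must be talking to some other resolver. That gives a hunter two signals in DNS logs. The following added example (not part of the briefing and not code from 360Netlab) runs both checks over constructed query-log lines; the log format, the approved resolver address and the host names are assumptions made for illustration.

```python
"""Hunt DNS query logs for blockchain-DNS use (added example)."""
import re
from collections import defaultdict

# Top-level domains served by blockchain naming systems rather than the ICANN root.
BLOCKCHAIN_TLDS = {"bit", "emc", "coin", "lib", "bazar"}

# Assumed: the organisation's own resolvers; anything else is "unapproved".
APPROVED_RESOLVERS = {"10.0.0.53"}

# Assumed log format: "<timestamp> <client_ip> <resolver_ip> <qname> <qtype> <rcode>".
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")

# Constructed sample: 10.1.2.44 first asks the corporate resolver for a .lib name
# (NXDOMAIN), then switches to an outside resolver that does answer it.
SAMPLE_DNS_LOG = """\
2018-09-24T08:00:01Z 10.1.2.3 10.0.0.53 www.example.com A NOERROR
2018-09-24T08:00:05Z 10.1.2.3 10.0.0.53 update.example.org A NOERROR
2018-09-24T08:00:09Z 10.1.2.44 10.0.0.53 node.example.lib A NXDOMAIN
2018-09-24T08:00:10Z 10.1.2.44 198.51.100.53 node.example.lib A NOERROR
2018-09-24T08:00:12Z 10.1.2.44 198.51.100.53 files.example.bit A NOERROR
2018-09-24T08:01:00Z 10.1.2.77 10.0.0.53 mail.example.com MX NOERROR
"""


def hunt_blockchain_dns(text):
    """Return {client_ip: {...}} for clients showing either hunting signal.

    Signal 1: a query whose top-level label is a blockchain-DNS TLD, whatever
              the resolver answered.
    Signal 2: a query sent to a resolver outside APPROVED_RESOLVERS, which is
              how such names get resolved at all.
    """
    tld_hits = defaultdict(set)
    resolver_hits = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, resolver, qname, _qtype, _rcode = m.groups()
        tld = qname.rstrip(".").rsplit(".", 1)[-1].lower()
        if tld in BLOCKCHAIN_TLDS:
            tld_hits[client].add(qname)
        if resolver not in APPROVED_RESOLVERS:
            resolver_hits[client].add(resolver)

    findings = {}
    for client in set(tld_hits) | set(resolver_hits):
        findings[client] = {
            "blockchain_tld_queries": sorted(tld_hits[client]),
            "unapproved_resolvers": sorted(resolver_hits[client]),
        }
    return findings


if __name__ == "__main__":
    for client, info in hunt_blockchain_dns(SAMPLE_DNS_LOG).items():
        print(client, info)
```

The two signals are reported separately on purpose: a blockchain TLD query with NXDOMAIN from the corporate resolver shows intent even when nothing resolved, while traffic to an unapproved resolver is worth a look on its own, since it is also how a host bypasses DNS-based filtering. On a network that blocks outbound port 53 except to the approved resolvers, the second signal moves to firewall logs but the check is the same.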
CTI (Cyber Threat Intelligence) Labs @ Marlabs continuously strives to improve its products and services. You can help by sending your valuable feedback at the following email: email@example.com
Weekly Threat Briefing
DISCLAIMER: This product is provided “as is” for informational purposes only. Marlabs does not provide any warranties of any kind regarding any information contained within. Marlabs does not endorse any commercial product or service referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. Sources may use TLP: GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a community. TLP: GREEN information may not be released outside of the community.