Cyber Security Malware Phishing Ransomware Spearphishing

CloudSEK Daily Threat Bulletin – 19th February 2020

Round Up of Major Breaches and Scams

Facility of US natural gas operator shuts down due to ransomware attack

A facility of a US natural gas operator was targeted by a ransomware attack that used poor segmentation of its IT-OT networks to infect Windows-based assets. The threat actor used a Spearphishing link to access their IT network before pivoting to its OT network. The data on both networks were encrypted, affecting the organization’s human machine interfaces (HMIs), data historians, and polling servers. The operator shut down their operations for 2 days during which they obtained replacement equipment and restored the last-known unaffected configuration.

Chinese group DRBControl attacks Southeast Asian gambling sites

It has been confirmed that Chinese hacking group DRBControl, has been attacking online gambling and betting websites in Southeast Asia. The attacks, which are not particularly sophisticated, use spearphishing links to employees of the targeted organizations. When an unsuspecting employee opens the email attachment, their systems are infected with backdoor trojans. The hackers use the backdoor to download other tools and malware to further infiltrate the company’s network to reach database and source code repositories that contain sensitive data.

Phishing campaign targets Windows users in Italy with Dharma ransomware

Threat actors are targeting Windows users in Italy with Dharma ransomware. The malware is being distributed through phishing emails that pretend to be invoices. When users click on the link to the invoice, they are redirected to a OneDrive page from which a zip file, with 2 files, is automatically downloaded. When one of the files is run on the system, the malware payload gets installed. The malware then encrypts the infected systems’ files with the ROGER extension and flashes a ransom message that contains an email id the victim has to contact for instruction on how to pay the ransom. Researchers have found that the infected files can only be recovered by restoring from a backup, or by paying the ransom to get the key that will decrypt the files.

Microsoft subdomains spammed by attackers

Ads for Indonesian poker casinos have defaced at least 4 Microsoft subdomains. Since Microsoft has thousands of subdomains to manage, there are many subdomains that have misconfigured DNS records. A researcher has informed Microsoft of ~117 misconfigured subdomains of  Owing to this vulnerability, spammers flood these subdomains with spam content such as ads for poker casinos. Attackers could potentially exploit this flaw to host phishing pages on these subdomains, and harvest credentials from employees, partners and end-users.

Round Up of Major Malware and Ransomware Incidents

Attackers exploit critical flaw in WordPress plugin ThemeGrill Demo Importer

The flaw in WordPress plugin ThemeGrill Demo Importer, that was reported last week, has blocked 17,000 attacks. The plugin, which is used by 100,000, has a flaw that can be exploited to reset complete databases. Some of the affected pages had a “hello word” post, which is the default message displayed on a WordPress when it is installed for the system or wiped clean. Attackers can login with administrative rights on sites that have an account with the name admin. The flaw is found in versions 1.3.4 to 1.6.1 of the plugin and have been fixed in version 1.6.2.

Fake ProtonVPN Installers used to deliver malware AZORult

ProtonVPN, the open-source VPN service installers are being used to distribute data stealing malware AZORult. AZORult is sold on Russian underground forums for $100. The attackers had registered a fake ProtonVPN website in November 2019 and used it to distribute the malware through fake ProtonVPN installers. They also use malvertising through affiliation banner networks to spread the malware. Once a user downloads and installs the fake installer, the malware extracts sensitive data, credentials, and browser history.

WordPress plugin wpCentral plugin allows disclosure of connection key

WordPress plugin wpCentral versions before 1.5.1, have a flaw that allows unauthorized users to get administrator privileges if subscription-level registration was enabled on the site using the plugin. The developers of the plugin have released a new version that has a security fix to prevent the connection key from being disclosed. They also added IP restrictions, so that even if a key is leaked, it will not work unless it is from the wpCentral servers.

Round Up of Major Vulnerabilities and Patches

Phishing campaign lures Russian citizen with promise of lump-sum money

Russian phishing campaign is spreading a fake presidential decree that offers citizens, starting their own business, a lump-sum amount. The campaign ads contain content from actual news releases and broadcasts. The attackers have pre-created Facebook and Instagram accounts that impersonate federal TV channels such as Channel One Russia, Russia-1, and Russia-24 to post ads for the campaign. The posts also have fake comments from citizens who have leveraged the program. Clicking on the ads takes victims to phishing sites that collect their personal details, card numbers along with CVVs, and an application fee of 300 roubles. This allows the attackers to collect the registration fee and the victim’s data.

High-severity vulnerabilities in SonicWall SMA Appliances

6 vulnerabilities were identified in, Mobile Access (SMA) and Secure Remote Access (SRA), appliances made by SonicWall. The SonicWall products, which are used for access control and authentication, has 3 flaws that can be exploited remotely without authentication. Among the flaw, the high-severity vulnerabilities include unauthenticated path traversal, which can be used to test for a file on a system, an SQL injection vulnerability, which can be exploited to gain read-only access to unauthorized resources, and 2 flaws that allow arbitrary code execution. SonicWall has released SMA100 and to patch the vulnerabilities.

Unsigned firmware can be exploited to attack Windows and Linux systems

Unsigned firmware in peripherals of systems that run Windows and Linux, can be exploited by attackers to steal victims’ data, launch denial-of-service attacks, and infect them with malware. The unsigned firmware has been found in WiFi adapters, USB hubs, trackpads, and cameras on commonly used computers such as Dell, HP, and Lenovo. Since firmware flaws are difficult to fix, it will continue to exist in devices throughout their lifetime.


Leave a Reply

Your email address will not be published. Required fields are marked *