
CloudSEK Daily Threat Bulletin – 20th February 2020

Round Up of Major Breaches and Scams

10 million+ records of MGM guests, now available on hacking forum

10 million records of MGM guests are now available for free on a hacking forum. The data, which was stolen during a security breach in July 2019, includes 3.1 million unique email addresses, names, addresses, and phone numbers of the casino operator’s guests. While some of the information dates back to 2017 and is no longer valid, much of it can still be used to orchestrate phishing attacks and to create fake accounts. The leaked data reportedly includes details of high-profile guests such as Twitter CEO Jack Dorsey.

US DOD (Department of Defense) announces breach of DISA system

In its second breach since October 2018, the US Department of Defense (DOD) has announced that a Defense Information Systems Agency (DISA) system may have been compromised between May and July 2019. The security incident exposed the personal information of DISA employees. While there is no evidence that the exposed information has been misused, the agency is offering free credit monitoring to all those affected by the breach.

Attackers spread pirated versions of WordPress plugins

In another attack affecting WordPress sites, attackers are spreading pirated versions of WordPress themes and plugins. When such a component is uploaded to a web server, the attacker adds an admin account and injects 2 malicious PHP files that activate the WP-VCD malware, after which the files delete themselves. When a user then visits one of these infected sites, a cookie that expires in 1,000 days is added to their browser and records their IP address. The campaign aims to increase the visibility of sites controlled by the attacker through search engine optimization, and to run fraudulent ad campaigns by disabling the browser’s ad-blockers. This campaign has infected an estimated 20,000 sites, including US-based banks, insurance companies, and manufacturers.

Round Up of Major Malware and Ransomware Incidents

Swiss business urged to improve security, in wake of ransomware attacks

Switzerland’s Reporting and Analysis Centre for Information Assurance (MELANI) has warned businesses to fortify their security posture in the wake of recent ransomware attacks targeting Swiss companies. The attackers demand ransoms ranging from thousands to millions of Swiss Francs to decrypt the affected files. MELANI has stressed the importance of implementing its security checklists, which the affected companies had ignored, and has asked targeted companies not to pay the ransom, because payment does not guarantee the restoration of their systems.

Smishing campaign spreads Emotet via SMS messages

A new smishing campaign is using SMS messages, pretending to be from the victim’s bank, to spread Emotet. The messages claim that the victim’s account has been locked and provide a link that redirects the victim to a phishing domain designed to closely mimic the bank’s login page. There, victims are instructed to enter their credentials and download a file containing malicious macros. The file was found to include legitimate news content to avoid detection. When opened, the file infects the system with Emotet. Researchers believe that Emotet is being used to drop TrickBot payloads.

Round Up of Major Vulnerabilities and Patches

Vulnerability in WordPress plugin ThemeREX is being exploited by attackers

A vulnerability in the WordPress plugin ThemeREX is being exploited to execute remote code on the 44,000+ sites that have installed the plugin. ThemeREX, which provides pre-installed commercial themes, sets up a WordPress REST API endpoint without checking whether the commands are sent by authorized users. Attackers can even create admin users and take over the site. The developers have recommended that users remove the plugin (version 1.6.50 and above) until the flaw has been fixed.
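The root cause described above is a REST route that runs its handler without asking who the caller is. The following is an added example written for this bulletin, not ThemeREX’s code: it registers a hypothetical theme-settings endpoint twice, first in the weak form (a `permission_callback` that lets everyone through) and then in the hardened form WordPress expects, where the capability check runs before the handler and the request arguments are validated. The namespace, route, option name and capability choice are assumptions made for the example.

```php
<?php
// Added example for a WordPress plugin or theme (not ThemeREX's code).
// Both routes share one handler; only the authorization differs.

add_action( 'rest_api_init', function () {
    // WEAK: '__return_true' means any request, authenticated or not, reaches
    // the handler. This is the pattern the bulletin describes.
    register_rest_route( 'example-theme/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_theme_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // HARDENED: the permission callback runs first; WordPress answers with
    // 401 (not logged in) or 403 (logged in, lacks capability) and never
    // calls the handler unless the check returns true.
    register_rest_route( 'example-theme/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_theme_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'You are not allowed to change theme settings.',
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Declare and validate the only argument the handler accepts, so
        // unexpected fields are ignored and bad values are rejected early.
        'args' => array(
            'accent_color' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && preg_match( '/^#[0-9a-fA-F]{6}$/', $value ) === 1;
                },
            ),
        ),
    ) );
} );

function example_theme_update_settings( WP_REST_Request $request ) {
    // Write only the whitelisted key. Never hand raw request data to
    // update_option(), wp_insert_user() or anything that executes code.
    $color = $request->get_param( 'accent_color' );
    update_option( 'example_theme_accent_color', $color );
    return rest_ensure_response( array( 'accent_color' => $color ) );
}
```

When auditing a plugin, grep its `register_rest_route` calls for `permission_callback` values of `__return_true` or a missing key altogether; since WordPress 5.5 a missing key produces a `_doing_it_wrong` notice, but it still does not block the request, so the fix is always an explicit capability check as above.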

Cisco patches critical bug in Smart Software Manager On-Prem

Cisco has patched a 9.8 severity flaw, tracked as CVE-2020-3158, in its Smart Software Manager On-Prem product. The tool, which organizations use to manage software licenses, could have been exploited to obtain read and write access to the system’s data and to change its settings using a high-privilege account. Exploitation is only possible when the high availability (HA) feature is enabled, which it is not by default. The vulnerability has been patched in the SSM On-Prem 7-202001 release.

Adobe has patched 2 critical out-of-bounds write flaws

Adobe has patched 2 critical out-of-bounds write flaws, in Adobe After Effects and Adobe Media Encoder, which could have been exploited to execute remote code. The flaw CVE-2020-3765, in Adobe After Effects versions 16.1.2 and earlier, was due to write operations that produce undefined results; it is fixed in version 17.0.3. The vulnerability CVE-2020-3764, in Adobe Media Encoder versions 14.0 and earlier, could enable arbitrary code execution; it is fixed in version 14.0.2.

Microsoft’s Tamper Protection to prevent attackers from disabling security settings

Microsoft’s new Tamper Protection feature will allow organizations to centrally manage the security settings of their Windows 10 systems. While users can enable and disable the feature on personal systems, on enterprise systems the organization’s admins monitor and toggle it. Admins can also centrally manage endpoint vulnerabilities and remediation. This will prevent attackers and malware from disabling security settings in order to intrude into a company’s network and launch large-scale cyber-attacks.
