Category: Cybersecurity News

WordPress GDPR Compliance Plugin Vulnerability Being Actively Abused

Websites with the WordPress GDPR Compliance plugin fitted are being hijacked by hackers. A vulnerability in the plugin is being abused, allowing attackers to change site settings and record new user accounts with admin rights.

The vulnerability can be distantly abused by unauthorized users, a lot of whom have automated misuse of the vulnerability to hijack as many sites as possible prior to the vulnerability is rectified.

The vulnerability was found by safety scientists at Defiant, who noted that in a number of attacks, after abusing the vulnerability the attackers have rectified the vulnerability. Defiant’s scientists propose that this method makes sure other hackers are banned from hijacking compromised sites. In some instances, after access to a vulnerabile site is gained, a PHP webshell is uploaded to give the attackers complete control of the website. Some attackers have added in backdoors via the WP-Cron schedule. This technique of attack makes sure the persistence of the backdoor.

Compromised websites can be utilized for phishing and other cheats, or the sites might have exploited kits uploaded to silently downloaded malware onto visitors’ appliances. An examination of compromised websites has not exposed any payload at this phase. Defiant scientists propose that the initial goal is to compromise as many sites as possible before the
vulnerability weakness is rectified. Compromised sites might be sold or the attackers could be biding their time before the attack stage is launched.

After WordPress became aware that the WordPress GDPR Compliance plugin vulnerability was being actively abused in the wild, the plugin was removed from the official WordPress store and the developer was informed. A new type of the plugin has now been released and the plugin has been revitalized on the official WordPress store.

Any website proprietor that has the WordPress GDPR Compliance plugin installed should make sure it is updated to version 1.4.3, which was released on November 7, 2018. Site proprietors must also check their sites for any indication of illegal modifications and checks must be carried out to see if any new admin accounts have been produced.

Microsoft Patches 12 Critical Vulnerabilities on November Patch Tuesday

Microsoft has released repairs for 12 dangerous vulnerabilities in November Patch Tuesday and has repaired a vulnerability that is being actively abused by at least one threat group. In total, 64 vulnerabilities have been repaired across Windows, IE, Edge, and other Microsoft products.

The 12 dangerous vulnerabilities might let hackers carry out a malevolent code and take complete control of a vulnerable appliance. The bulk of the dangerous vulnerabilities are in the Chakra Scripting Engine, which account for 8 of the 12 serious vulnerabilities.

CVE-2018-8541, CVE-2018-8542, CVE-2018-8543, CVE-2018-8551, CVE-2018-8555, CVE-2018-8556, CVE-2018-8557, and CVE-2018-8588, are all memory corruption vulnerabilities regarding how the Chakra Scripting Engine controls items in the memory in Microsoft Edge. All eight vulnerabilities might be abused if a user visits a particularly created webpage using the Microsoft Edge browser. The vulnerabilities might also be abused through malvertising.

The other dangerous vulnerabilities are listed below:

CVE-2018-8476 concerns how matters in the memory are controlled by Windows Deployment Services TFTP Server. Misuse of the vulnerabilities would let a hacker perform arbitrary code on a vulnerable server with elevated authorizations.

CVE-2018-8544 concerns how matters in the memory are controlled by Windows VBScript Engine. If abused, an attacker could implement arbitrary code with the same level of rights as the present user.  If the user has administrative privileges, an attacker could take complete control of a vulnerable system. The vulnerability could be abused through an inserted Active X control in a Microsoft Office file that hosts the IE rendering engine, through malvertising, or specifically created webpages.

CVE-2018-8553 concerns how items in the memory are controlled by Microsoft Graphics Components. Misuse of the vulnerability would require a user to open a specifically created file, for example, one sent in a phishing electronic mail.

CVE-2018-8609 is the failure of Microsoft Dynamics 365 (on-premises) version 8 to clean web requests to a Dynamics server. If abused, an attacker might run arbitrary code in the context of an SQL service. The fault might be abused by sending a specifically created request to an unpatched Dynamics server.

Microsoft also released a patch for the actively abused Windows Win32k Elevation of Privilege Vulnerability CVE-2018-8589. If abused, an attacker might run arbitrary code in the safety setting of the local system. Nevertheless, system access would first need to be gained before the vulnerability might be abused.

Adobe has also released patches this patch Tuesday for Flash Player, Acrobat, Reader, and Photoshop CC.

Phishing Accounts for 50% of All Online Scams

An examination of existing cyber scam dangers by network safety company RSA demonstrates that phishing attacks have risen by 70% since Q2 and currently account for 50% of all online scam attacks experienced by companies.

Phishing attacks are widespread since they are easy to carry out and have a high achievement rate. An attacker can set up a webpage that impersonates a famous brand such as Microsoft or Google that appeals login details. Electronic mails are then transmitted having hyperlinks to the site together with a legal reason for clicking. As per a research carried out by Verizon, 12% of users click hyperlinks in phishing electronic mails.

RSA notes that the bulk of phishing attacks are carried out in the United States, Canada, and the Netherlands, which account for 69% of all attacks.

RSA has also drawn attention to a particular variation of phishing named vishing. Instead of using electronic mail, vishing attacks happen over the phone. A typical instance involves a scammer pretending to be from the target’s bank. Although the call is unwanted, the scammer pretends that there is a safety problem that requires to be settled and requests confidential information such as bank account information, passwords, and security questions and answers. Vishing accounts for 1% of all scam attempts even though it is a serious danger.

A new variation of vishing has even greater possibility to attain the desired result. Instead of the attacker calling a target, the attacks work in opposite with users calling the scammer. This is being done through search engine killing – Getting malevolent websites listed in the organic search engine results. Other variations include wrong information mailed on social media sites and help media.

14% of spam attacks involve brand misuse: Deceptive posts on social media that deceive a famous brand. 12% of scam attacks involved Trojan horses – malware which is fitted under wrong pretexts. As soon as installed, the malware harvests confidential information such as banking identifications. 2% of scam attacks involve the use of rogue mobile apps. 9,329 rogue moveable apps were identified by RSA in Q3, 2018.

Scam through moveable browsers accounted for the bulk of scam dealings (73%) in Q3 – A rise of 27% since this time last year.

TA505 APT Group Dispersing tRat Malware in New Spam Campaigns

The abounding APT group TA505 is carrying out spam electronic mail campaigns dispersing a new, modular malware variation called tRAT. tRAT malware is a distant accessTrojan capable of downloading extra modules. Besides adding infected users to a botnet, the danger actors have the option of vending access to various elements of the malware to other danger groups for use in different attacks.

Threat scientists at Proofpoint interrupted two separate electronic mail campaigns dispersing tRAT malware this fall, one of which was a typical spam electronic mail campaign using social engineering methods to get electronic mail receivers to open an attached Word document and allow macros. Allowing macros caused the download of the tRAT payload.

One electronic mail variation deceived AV brand Norton. The attachment contained Norton by Symantec branding and text claiming the document had been safeguarded by the AV solution. One more electronic mail variation fooled TripAdvisor and claimedthat in order to see the embedded video content, users needed to enablecontent.

The second campaign, identified on October 11, was attributed to the TA505 threat group. This campaign was more stylish, used a blend of Word Documents and Microsoft Publisher files, and targeted commercial banking organizations. Many different electronic mail templates were used, and the electronic mails came from many electronic mail accounts. Subjects included bogus bills and reports of call notifications. TA505, in the same way, used macros to download the tRAT payload.

tRAT attains perseverance by copying the binary to C:\Users\<user>\AppData\Roaming\Adobe\FlashPlayer\Services\FrameHost\fhost.exe and generating an LNK file to run the binary on startup.

At this phase, Proofpoint is still studying tRAT and the complete functionality of the malware is not yet known. Neither are the intentions of the attackers nor the additional modules that may be downloaded. Proofpoint has proposed that tRAT is presently being trialed by the TA505 APT group based on the scale of the campaign. TA505 is best recognized for carrying out large-scale campaigns –such as mass Locky ransomware attacks in 2016 and 2017 and large-scale spam campaigns distributing the Dridex banking Trojan.TheTA505 danger group has been known to carry out tests of new malware variations, some of which are adopted while others are discarded. Whether TA505 will continue with tRAT remains to be seen, even though this new malware definitely does havethe capacity to become the main danger.

APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Organizations

A new spear-phishing campaign is being carried out by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government agencies in the United States, Europe, and a former USSR state using the earlier unidentified Cannon Trojan. The campaign was noticed by Palo Alto Networks’ Unit 42 team and was first known in late October.

The campaign is being carried out through spam electronic mail and uses weaponized Word document to deliver two malware variations. The first, the Zebrocy Trojan, has been used by APT28 in earlier campaigns and was first identified in 2015. The main purpose of the Zebrocy Trojan is to provide access to an appliance and establish a link with a C2 server. It serves as a downloader and backdoor and is used to send more malevolent payloads to systems of interest to the group.

Unit 42 scientists also identified a second Trojan. A new malware variation named the Cannon Trojan. Although Zebrocy uses HTTP/HTTPS for its C2 communications, the Cannon Trojan uses electronic mail. Electronic mail is supposed to be used to reduce the possibility of detection.

The Cannon Trojan is used to collect system information. That information, together with screenshots, are sent back to APT28 through electronic mail. If the target is of importance, the Cannon Trojan can download extra malevolent code.

One of the electronic mail campaigns uses the current Lion Air plane accident as the attraction to get users to open the malevolent Word document. The document name is Crash List (Lion Air Boeing 737).docx. If the user opens the document, Word tries to download a distant template that contains the malevolent macro.

Upon opening the document, the user is presented with a message stating the document has been generated using an earlier type of Word. The user should click on Enable Content to show the matters of the file. The macro will only be loaded if a link to its C2 exists. If no link is available, the macro will not run.

Provided there is a C2 link, the macro is launched. At this phase, most malevolent documents then download the payload. Nevertheless, this campaign uses the AutoClose function to delay the complete execution of the malevolent code. It’s only when the user closes the document that the macro will complete and the payload will be downloaded.

The CannonTrojan initially sends a message over SMTPS to one electronic mail account hosted by Czech electronic mail service provider Seznam then communicates with two additional attacker-controlled electronic mail accounts over POP3S, through which it gets its commands. Because of the level of encryption delivered by both SMTPS and POP3S, the C2 channel is tough to obstruct.

Major Malvertising Campaign Identified: 300 Million Browser Sessions Hijacked in 48 Hours

A major malvertising campaign is being conducted that is redirecting web users to phishing and scam websites. While malvertising campaigns are nothing new, this one stands out due to the scale of the campaign. In 48 hours, more than 300 million users have had their browsers redirected to malicious web pages.

The campaign was uncovered by researchers at cybersecurity firm Confiant on November 12. The researchers note that the actor behind this campaign has been tracked and was found to have been conducting campaigns continuously since August; however, the latest campaign is on a totally different scale. Previously, the scammer has conducted much smaller campaigns not involving tier 1 publishers.

The campaign is targeting mobile iOS devices, primarily in the United States. Users are forcefully redirected to a web page, which then redirects them to another website. Users are sent to a range of different sites, although mostly gift card scam sites and adult content.

The click-through URL appeared to be play.google.com with the ad masquerading as a legitimate Google Play app. The high volume of clicks is partly due to the scammer using a top 5 advertising exchange. Two of the landing pages used were happy.hipstarclub.com and happy.luckstarclub.com, the latter was not being detected as malicious on VirusTotal.

Some of the landing pages offered fake gift cards and prizes but were used to obtain sensitive information such as names, addresses, email addresses, and other personal data.

Confiant explained that around 60% of its customers were impacted by the latest campaign, which is now being blocked. Based on the 300 million redirects, and a conversion rate of 0.1% which Confiant say is conservative, the campaign could have claimed around 300,000 victims. The cost of the ads was calculated to be around $200,000.

Since each victim is likely to have resulted in a payment of a few dollars, Confiant suggests this campaign has earned the attacker around $1 million in just 48 hours.

49% of All Phishing Sites Have SSL Credentials and Show Green Padlock

Nearly half of the phishing sites now have SSL credentials, begin with HTTPS, and show the green lock to display the sites are safe, as per new research by PhishLabs.

The number of phishing websites that have SSL credentials has been rising gradually since Q3, 2016 when about 5% of phishing websites were showing the green lock to show a safe connection. The proportion increased to roughly 25% of all phishing sites by this time last year, and by the end of Q1, 2018, 35% of phishing websites had SSL credentials. At the end of Q3, 2018, the proportion had risen to 49%.

It is no shock that so many phishers have chosen to change to HTTPS, as free SSL credentials are easy to get. Most companies have now made the change to HTTPS and it has been drummed into clients to always look for the green lock next to the URL to make certain the connection is safe before any confidential information is disclosed. Some search engines also show the web page is ‘secure’ as well as showing the green lock.

The green lock shows a lot of web users that not only is the site safe, but also that it is safe and genuine, which is certainly not the case. A safe connection doesn’t mean the site is reliable.

A survey carried out by PhishLabs in late 2017 disclosed the level of the confusion. About 80% of surveyed people thought the green lock showed a site was legitimate/safe. Just 18% of respondents to the survey presently identified that the green lock only meant the connection between the browser and the site was safe.

The truth is that the green lock is no assurance that a site is genuine or safe. It only implies that the user’s data is encrypted between their browser and the site so it can’t be interrupted and read by a third party. If the website has been created by a scammer, any information entered through the site can be read by the scammer.

The survey, together with the surge in HTTPS phishing sites, indicate how significant it is for businesses to teach their workers about the correct meaning of the green lock to avoid them falling for phishing cheats.

In addition to beginning with HTTPS and showing the green lock, phishing sites often use stolen branding. They can look same as the genuine site they are deceiving. The only pointer that the site is not genuine is the URL. However, even the URL can seem identical to the actual site. A lot of phishing sites take benefit of internationalized domain names to make the URLs seem genuine.

Brian Krebs identified one phishing site that deceived the cryptocurrency exchange box and used a nearly identical URL. The only difference being the use of the Vietnamese letter “ỉ” in place of the standard i. The characters are nearly indistinguishable, particularly on a small mobile screen.

Mobile screens also don’t show the complete URL, therefore it is easy to create a subdomain to impersonate the genuine domain, as only this part of the URL is likely to be shown on a mobile screen.

Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Files

The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group.

Marriott identified the data breach on September 8, 2018, after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party computer forensics experts were called in to assist with the investigation, which confirmed that the Starwood network was first gained in 2014. It is currently unclear howthe hacker breached security defenses and gained access to the network.

The hacker had encrypted data on the network which hampered efforts to investigate the breach and determine what data had been accessed. It took until November 19, 2018 for Marriott to decrypt the data and determine what the files contained.Only then was Marriott able to confirm that the database contained information on previous Starwood Hotels guests.

Analyzing such a huge database to determine which customers have had their information compromised has naturally taken some time. Marriott is still in the process of deduplicating the database to determine the exact number of guests impacted.

Marriott believes up to 500 million individuals who had previously made a reservation at Starwood Hotels and Resorts have been affected. They also include individuals who made reservations at Sheraton Hotels & Resorts, Four Points by Sheraton, Element Hotels, Le Méridien Hotels & Resorts, W Hotels, St.Regis, Westin Hotels & Resorts, Aloft Hotels, The Luxury Collection,Tribute Portfolio, Design Hotels that are part of the Starwood Preferred Guest program, and its Starwood branded timeshare properties.

The types of data present in the stolen database include the names of guests, mailing addresses, email addresses, and other information. Around 327 million past guests may also have had the following information stolen: SPG account information, birth date, gender, reservation date, arrival date, departuredate, their communication preferences, and potentially, their passport number.

Marriott has not yet confirmed whether the hacker stole payment card information. Payment card data were encrypted with the AES-128 algorithm, but the two bits of information that would allow the data to be decrypted may also have been stolen.

The data breach, which occurred two years before Marriott acquired the Starwood Hotels and Resorts Group, has been reported to law enforcement. Marriott is currently working with leading security firms to improve security and prevent any further data breaches.

Marriott is in the process of notifying all affected individuals by email. All breach victims have been offered free enrolment in WebWatcher for one year. WebWatcher monitors the Internet for instances of user information being shared and issues alerts. U.S. guests are also being offered fraud consultation services and reimbursement coverage. Since email addresses have been stolen, breach victims have been warned to be alert for phishing attacks that attempt to obtain sensitive information. All official communications are coming from the starwoodhotels@email-marriott.com, although care should still be taken with any emails that appear to have been sent from that email address as sender field could be spoofed.

Microsoft and Adobe December 2018 Patch Tuesday Updates

December 2018 Patch Tuesday has seen Microsoft issue repairs for 39 vulnerabilities, 10 of which have been ranked serious, and two are being actively abused in the wild. There are 9 critical vulnerabilities in Microsoft products and one critical weakness in Adobe Flash Player.

The repairs include the following products and services: Microsoft Windows, WindowsKernel-Mode Drivers, Windows Kernel, Windows Azure Pack, Windows Authentication Methods, Visual Studio, Microsoft Windows DNS, Microsoft Scripting Engine, MicrosoftExchange Server, Microsoft Dynamics, Microsoft Graphics Component, MicrosoftOffice SharePoint, Microsoft Edge, Internet Explorer, Microsoft Office, and .NET Framework.

December 2018 Patch Tuesday Serious Microsoft vulnerabilities

The serious ulnerabilities affect the Chakra Scripting Engine of Microsoft Edge (5),.NETframework (1), Microsoft Text-to-Speech (1), Internet Explorer (1), and Windows DNS server (1).

  • CVE-2018-8583; CVE-2018-8617; CVE-2018-8618; CVE-2018-8624; CVE-2018-8629: Chakra Scripting Engine: Memory corruption
    vulnerabilities because of how Microsoft Edge manages memory items. Misuse would require a user to visit a specifically created website, via a link in a phishing electronic mail or malvertising, for instance.
  • CVE-2018-8540: .NETFramework: A distant code injection vulnerability when the .NET framework fails to authenticate input properly. An attacker could gain complete control of an affected system if an admin user’s account is compromised.
  • CVE-2018-8626: WindowsDNS Server: A heap overflow vulnerability affecting Windows servers arranged as DNS servers, which could let distant code implementation on the Local System Account.
  • CVE-2018-8631: InternetExplorer: A memory corruption weakness that might let distant code implementation. Misuse would require a user to visit a specifically created website, via a link in a phishing electronic mail, for instance.
  • CVE-2018-8634: Microsoft text-to-Speech: Distant code implementation vulnerability because of a failure to properly manage items in the memory. The fault could be abused to take complete control of a vulnerable system.
  • ADV180031: Adobe FlashPlayer: Adobe repaired two vulnerabilities in an out-of-band update on December 5. Microsoft has tackled these vulnerabilities, which are presently being abused in the wild.

Adobe Updates: December 2018 Patch Tuesday

Adobe has issued a large number of updates to tackle a slew of lately found
vulnerabilities. 87 updates had been included in the total, 39 of which have been ranked serious and could let an attacker implement the arbitrary code or elevate privileges on vulnerable appliances. Many of the vulnerabilities could be used collectively to give anattacker complete control of a susceptible computer.

These repairs are in addition to an out-of-bounds update released earlier in December to repair two actively abused vulnerabilities.

All repairs must be applied as soon as possible.

2018 Safety Awareness Training Figures

A new study carried out by Mimecast has produced some interesting security mindfulness training figures for 2018. The survey shows a lot of companies are taking substantial risks by not providing sufficient training to their workers on cybersecurity.

Question the IT department what is the greatest cybersecurity danger and several will say end users. IT teams put a considerable amount of effort into applying and maintaining cybersecurity fortifications, only for employees to take actions that introduce malware or lead to an electronic mail breach. It is understandable that they are annoyed with employees. Most cyberattacks start with end users. By compromising one appliance, an attacker gains a footing in the system which can be utilized as a Launchpad for more attacks on the business.

However, it doesn’t need to be like that. Businesses can create a strong last line of protection by providing safety awareness training to employees to help them identify threats and to prepare them how to respond and report difficulties to their IT group. The difficulty is that a lot of businesses are failing to do that. Even when cybersecurity teaching is provided, it is often insufficient or not obligatory. That means it is just partly effective.

Mimecast’s security awareness training figures show that just 45% of firms provide workers with recommended safety awareness teaching that is obligatory for all employees. 10% of firms have training programs available, however, they are only voluntary.

Explore deeper into these safety awareness training statistics and they are not quite as they appear. Certainly, 45% of firms provide obligatory cybersecurity training but, in many cases, it falls short of what is needed.

For example, only 6% of firms provide monthly training and 4% do so three-monthly. For that reason, just 10% of the 45% are providing training regularly and are adhering to acceptable industry standards for safety. 9% of the 45% only provide safety awareness training when an employee joins the company.

The training processes used proposed safety awareness training, for a lot of businesses, is more of a checkbox item. 33% provide printed lists of cybersecurity guidelines or electronic mail instructions even though several employees will simply neglectthose messages and handouts.

30% issue prompts concerning possibly risky links, in spite of that little is done stop employees actually clicking those links. Businesses are in its place relying on their employees to know what to do and to take care, even though formal cybersecurity training is often lacking and they lack suitable skills. Only 28% are using interactive training videos that involve users.

These safety awareness training figures show that firms clearly need to do more. As Mimecast proposes, effective safety awareness training means making training obligatory. Training must also be a continuous process and simply handing out advices is not sufficient.

You must involve workers and make the training more enjoyable and ideally, amusing.  “The easiest way to lose your audience is by making the training dull, unconnected,and worst of all, unmemorable.”

New Office 365 Phishing Attack Detected

The latest Office 365 phishing attack has been identified that uses warnings concerning message delivery failures to attract unsuspecting users to a website where they are requested to provide their Office 365 account particulars.

The new cheat was found by safety scientist Xavier Mertens during an examination of electronic mail honeypot data. The electronic mails closely resemble formal messages transmitted by Microsoft to warn Office 365 users to message distribution failures.

The phishing electronic mails contain Office 365 branding and warn the user that action should be taken to make sure the delivery of messages. The text notifies the user that Microsoft has found a number of undelivered messages which have not been delivered because of server jamming.

The user is informed the failed messages should be resent by manually re-entering the receivers’ electronic mail addresses or by clicking the handy “Send Again” button in the message body. Users are supposed to click the button instead of manually re-entering a number of electronic mail addresses.

If the user clicks the Send Again button, the browser will be started and the user will be presented with a webpage that appears precisely like the official Office 365 web page, complete with a login prompt where they are requested to type their password. The login box already has the user’s electronic mail address so only a password is needed.

If the password is typed, it will be seized by the attacker together with the paired electronic mail address, and the user will be redirected to the official Office 365 website and might not be conscious that electronic mail identifications have been seized.

Official non-delivery alerts from Microsoft seem very similar, but don’t have a link that users can click to resend the electronic mails. Nevertheless, as the messages have the correct branding and use a similar format, it is likely that a lot of receivers will click the link and reveal their identifications.

Contrary to several phishing campaigns, the messages are well written and don’t include any spelling errors, just a missing capital letter in the warning.  The trap is believable, but there is one clear indication that this is a cheat. The domain to which the user is directed is obviously not one used by Microsoft. That said, a lot of people don’t always check the domain they are on if the website appears official.

This Office 365 phishing attack emphasizes just how important it is to cautiously check the domain before any confidential information is disclosed and to halt and think before taking any action advised in an unsolicited electronic mail, even if the electronic mail appears official.

Vital AMP for WP Plugin Weakness Allows Any User to Gain Admin Rights

A recent critical WordPress plugin weakness has been identified that might let site users increase rights to admin level, providing them with the capability to add custom code to a vulnerable website or upload malware. The vulnerabilities is in the AMP for WP plugin, a trendy plugin that changes standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has over 100,000 active users.

Although the plugin was expected to carry out checks to decide whether a particular user is allowed to carry out certain administrative jobs, inadequate checks were carried out to confirm the existing user’s account permissions. As a consequence, any user, including a user listed on the site to submit remarks, might gain admin rights to the site.

The vulnerability was found by WordPress plugin developer Sybre Waaijer who clarified that the vulnerability would let any user read and download files, upload files, modify plugin settings, insert HTML content into posts, or load malware such as a cryptocurrency miner or install malevolent JavaScript. Although there were some safety checks carried out, in most instances unauthenticated users might easily carry out illegal activities on a site with the vulnerable plugin installed.

As per web safety company WebARX, the vulnrability is present in the ampforwp_save_steps_data hook – An Ajax hook that can be called by all listed users on a site. As insufficient checks are carried out to confirm the account role of the user when the hook is called, any site user can use the functions.

The vulnrability has been rectified in version 0.9.97.20 of AMP for WP. The update is being pushed out automatically to all sites with the plugin installed.

The new variety of the plugin includes a check of the wpnonce value to decide whether the user is accredited to update plugin settings. Updates will only be allowed if the user has admin rights.

Adobe Repairs Actively Abused 0-Day Weakness in Flash Player

On Wednesday, December 5, 2018, Adobe released an update to rectify a weakness in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.

The weakness was recognized by researchers at Gigamon who passed on details of the weakness to Adobe in late November. Qihoo 360 scientists lately recognized an advanced constant threat campaign that was actively abusing the weakness.

The weakness is being abused using a particularly created Word document which is being dispersed using a spear phishing campaign. The campaign is extremely targeted; however, it is possible that other threat groups might try to abuse the same weakness in bigger, less-targeted campaigns.

The spear-phishing campaign used social engineering methods to deceive the receiver into opening a malicious Word document that impersonated as a worker survey. The document was transmitted as a .rar attachment to the electronic mail, with the compressed file having the document, the exploit, and the payload. The Word document had a malevolent Flash Active X control in the header.

Upon opening the document, the user is presented with a Microsoft Office alerting that the document might be damaging to the computer. If the content is enabled, the malevolent code will be performed, the weakness will be abused, and the attacker will gain command line access to the user’s system.

The payload, named backup.exe masquerades as an NVIDIA Control Panel application with a matching icon and (stolen) certificate. If the payload is performed, system information will be gathered which will be sent back to the attacker’s distant server through HTTP POST. Shellcode will also be downloaded and run on the infected appliance.

The weakness, followed as CVE-2018-15982, is present in type 31.0.0.153 and all earlier types of Adobe Flash Player Desktop Runtime, Adobe Flash Player for Google Chrome, and Adobe Flash Player for Microsoft Edge and Internet Explorer 11. Types 31.0.0.108 and earlier of Adobe Flash Player Installer also have the weakness.

Users are suggested to update to type 32.0.0.101 (Type 31.0.0.122 of Adobe Flash Player Installer) as soon as possible. The update also repairs the Insecure Library Loading (DLL hijacking) privilege escalation weakness CVE-2018-15983.

Persistent New LoJax Rootkit Survives Hard Disk Substitution

Oct 7, 2018

Security researchers at ESET have identified a new rootkit that takes perseverance to a whole new level. As soon as infected, the LoJax rootkit will remain working on an appliance even if the operating system is reinstalled or the hard drive is reformatted or substituted.

Rootkits are malevolent code that is used to provide an attacker with continuous administrator access to an infected appliance. They are difficult to detect and subsequently, they can remain active on an appliance for long periods, permitting cybercriminals to access an infected appliance at will, thieve information, or infect the appliance with more malware variations.

Although reformatting a hard drive and reinstalling the operating system can typically remove a malware infection, that is not the case for the LoJax rootkit because it compromises the Unified Extensible Firmware Interface (UEFI) – The interface between the firmware of an appliance and its operating system. The UEFI runs pre-boot apps and manages the booting of the operating system. As the LoJax rootkit continues in Flash memory, even substituting a hard drive will have no effect.

The LoJax rootkit may not be detected as most antivirus programs don’t check the UEFI for malware. Even if the rootkit is detected, removing it is far from straightforward. Removal needs the firmware to be flashed.

A lot of cybersecurity experts consider these UEFI rootkits to be theoretical instead of actively being used in real-world attacks, as ESET remarks in a fresh blog post. “UEFI rootkits are generally seen as extremely risky tools for executing cyberattacks. No UEFI rootkit has ever been noticed in the wild – until we discovered a campaign that effectively positioned a malevolent UEFI module on a victim’s system.” The rootkit was installed by a threat group known as Fancy Bear, a cyberespionage group supposed to have strong connections to the Russian military intelligence organization, GRU.

LoJax is not, in itself, an information taker. It is a backdoor that permits a system to be retrieved at will for spying purposes, data thievery, or for the installation of malware. It can also permit an infected appliance to be followed geographically.

What is vague is how the attackers gained access to the device to install the rootkit. ESET considers the most likely way that was reached was with a spear phishing electronic mail. As soon as access to the appliance was achieved, the UEFI memory was read, an image was generated, then changed, and the firmware was substituted with the rootkit installed. The rootkit was installed on an older appliance which had several other kinds of malware installed. More modern appliances have controls in place to avoid such attacks – Secure Boot for example.  However, that doesn’t necessarily imply they are protected.

“Companies must study the Secure Boot construction on their hardware and make certain they are constructed properly to avoid illegal access to the firmware memory,” wrote safety intelligence team lead at ESET, Alexis Dorais-Joncas. “They also require to think about controls for detecting malware at the UEFI/BIOS level.”

Danabot Banking Trojan Utilized in U.S. Campaign

The DanaBot banking Trojan was first noticed by safety scientists at Proofpoint in May 2018. It was being utilized in a single campaign targeting clients of Australian Banks. More campaigns were later noticed targeting clients of European banks, and nowadays the attacks have shifted beyond the Atlantic and U.S. banks are being targeted.

Banking Trojans are the main danger. Proofpoint notices that they now account for 60% of all malware transmitted through electronic mail. The DanaBot banking Trojan is being dispersed through spam electronic mail, with the malevolent messages having an embedded hyperlink to websites hosting a Word document with a malevolent macro. If permitted to run it will introduce a PowerShell command which downloads DanaBot.

The DanaBot Trojan thieves identifications for online bank accounts via a blend of banking site web injections, keylogging, taking screenshots and seizing form data. The malware is written in Delphi and is modular and is able of downloading additional parts.

Proofpoint notices that the campaigns it has noticed use different IDs in their server communications which indicate that several people are carrying out campaigns, most probably through a malware-as-a-service offering. So far, nine different IDs have been identified which indicates nine people are carrying out campaigns. Each actor aims a particular geographical area aside from in Australia where there are two people carrying out campaigns.

The latest campaign targeting U.S bank clients is also being conducted through spam electronic mail and similarly links to a Word document with a malevolent macro. The spam electronic mails intercepted by Proofpoint spoof eFax messages, and are complete with proper branding. The electronic mails assert the Word document has a 3-page fax transmission.

Enabling the macro will result in Hancitor being downloaded, which in turn will download the DanaBot banking Trojan and other information stealing malware. A number of U.S banks are being targeted including Wells Fargo, Bank of America, TD Bank, and JP Morgan Chase.

Proofpoint has identified similarities with other malware families proposing it the work of the group behind CryptXXX and Reveton. “This family started with ransomware, to which stealer functionality was added in Reveton. The evolution carried on with CryptXXX ransomware and now with a banking Trojan with Stealer and distant access functionality included in DanaBot.”

Q2, 2018 Saw an 86% Increase in Cryptocurrency Mining Malware

2018 has proven to be the year of cryptocurrency mining malware. Cybercriminals are gradually discarding other types of malware and ransomware in support of malware capable of hijacking computers and mining cryptocurrency.

Mining cryptocurrency needs computers to solve the difficult problems necessary to confirm cryptocurrency dealings and add them to the blockchain account book. That needs substantial processing power and takes time. In exchange for carrying out the service, the miner that resolves the problem is compensated with a small amount of cryptocurrency. In order for this to be lucrative, substantial computer processing power is needed. That can be accomplished in two ways. Purchasing the hardware or hijacking other people’s computers.

The high value of cryptocurrencies makes mining an attractive possibility, particularly if a cybercriminal can hire an army of computers to carry out the processing. One computer can earn a few dollars a day. 10,000 computers infected with cryptocurrency mining malware makes this a very lucrative operation. That fact has not been lost on cybercriminals.

2018 has seen a huge increase in the use of cryptocurrency mining malware. In the first quarter of 2018, McAfee informs there was a 629% increase in the number of cryptocurrency mining malware samples it interrupted. That rising tendency has continued all through Q2. As per the September McAfee Threat Statement, there was an additional 86% rise in identified cryptocurrency mining malware samples in Q2.

“Using cryptomining malware is simpler, more straightforward, and less dangerous than conventional cybercrime activities – causing these schemes to rise steeply in fame over the last few months. Actually, cryptomining malware has rapidly developed as a main player on the danger landscape,” said Raj Samani, chief scientist at McAfee.

Although PCs are most usually targeted, cybercriminals have now split out and are also using other Internet-connected appliances to mine cryptocurrency, including Android smartphones. These appliances have much lower processing power than PCs, however since they are comparatively easy to capture, the sheer number of appliances that can be infected more than makes up for their low processing power.

There has also been the main increase in the use of malware that abuse software weaknesses. These kinds of malware rose by 151% in Q2, 2018. “WannaCry and NotPetya provided cybercriminals convincing instances of how malware might use weakness exploits to gain a footing on systems and after that rapidly spread across networks,” said Christiaan Beek, Lead Scientist and Senior Principal Engineer at McAfee. A lot of malware variations have been created that impersonate WannaCry and NotPetya.

The McAfee report also demonstrates there was a 57% growth in ransomware samples in the previous year, and although use is still increasing, reputation is decreasing with just 27% increase seen in Q2, 2018.