Cyber Security News May 2020

This posting is here to collect cyber security news in May 2020.

I post links to security vulnerability news with short descriptions to comments section of this article.

If you are interested in cyber security trends, read my Cyber security trends 2020 posting.

You are also free to post related links to comments.

222 Comments

  1. Tomi Engdahl says:

    Hackers breach company’s MDM server to spread Android malware
    https://www.bleepingcomputer.com/news/security/hackers-breach-company-s-mdm-server-to-spread-android-malware/

    Attackers infected more than 75% of a multinational conglomerate’s managed Android devices with the Cerberus banking trojan using the company’s compromised Mobile Device Manager (MDM) server.

    MDM (also known as Enterprise Mobility Management – EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.

    Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information

    After the attackers successfully compromised the unnamed company’s MDM server following a targeted attack, they used it to remotely deploying the banking trojan malware on over 75% of all managed Android devices as Check Point security researchers discovered.

    To get rid of the malware and remove the attackers’ ability to control the infected devices, the company decided to factor reset all devices enrolled with the compromised MDM server.

    “This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an attack vector,” the researchers said.

    To get rid of the malware and remove the attackers’ ability to control the infected devices, the company decided to factor reset all devices enrolled with the compromised MDM server.

    First Seen In the Wild – Mobile as Attack Vector Using MDM
    https://research.checkpoint.com/2020/first-seen-in-the-wild-mobile-as-attack-vector-using-mdm/

    Reply
  2. Tomi Engdahl says:

    Trump bans acquisition of foreign power grid equipment, citing hacking threats
    https://www.zdnet.com/article/trump-bans-acquisition-of-foreign-power-grid-equipment-citing-hacking-threats/

    White House says foreign-made equipment “augments the ability of foreign adversaries to create and exploit vulnerabilities” in the US power grid.

    President Donald Trump signed today an executive order barring US power grid entities from buying and installing electrical equipment that has been manufactured outside the US.

    Trump said that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.”

    The US president said that successful attacks against the US power grid would “present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.”

    Reply
  3. Tomi Engdahl says:

    Coronavirus: Cyber-spies seek coronavirus vaccine secrets
    https://www.bbc.com/news/technology-52490432

    The US has seen foreign spy agencies carry out reconnaissance of research into a coronavirus vaccine, a senior US intelligence official has told the BBC.

    Bill Evanina, director of the National Counterintelligence and Security Center, said the US government had warned medical research organisations of the risks.

    But he would not say whether there had been confirmed cases of stolen data.

    Reply
  4. Tomi Engdahl says:

    When your freedom depends on a crappy app, you don’t really have any freedom.
    And now they are trying to push contact tracing apps for everybody as solution to COVID-19.
    I have now yet made my mind is this an idea that would help or is the proposed medicine worse than the disease?

    Reply
  5. Tomi Engdahl says:

    Customers should apply the April 2020 Critical Patch Update without
    delay!
    https://blogs.oracle.com/security/apply-april-2020-cpu
    Oracle has recently received reports of attempts to maliciously
    exploit a number of recently-patched vulnerabilities, including
    vulnerability CVE-2020-2883, which affects multiple versions of Oracle
    WebLogic Server. Oracle strongly recommends that customers apply the
    April 2020 Critical Patch Update. The April 2020 Critical Patch Update
    advisory is located at
    https://www.oracle.com/security-alerts/cpuapr2020.html

    Reply
  6. Tomi Engdahl says:

    Coronavirus: Cyber-spies seek coronavirus vaccine secrets
    https://www.bbc.com/news/technology-52490432
    Bill Evanina, director of the National Counterintelligence and
    Security Center, said the US government had warned medical research
    organisations of the risks. But he would not say whether there had
    been confirmed cases of stolen data. UK security sources says they
    have also seen similar activity.

    Reply
  7. Tomi Engdahl says:

    Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers
    https://www.fortinet.com/blog/threat-research/scammers-using-covid-19-coronavirus-lure-to-target-medical-suppliers.html
    FortiGuard Labs has discovered a new malicious spearphishing campaign,
    once again using the COVID-19/Coronavirus pandemic as a lure. This
    latest email campaign targets a medical device supplier, wherein the
    attacker is inquiring about various materials needed to address the
    COVID-19 pandemic due to high demand for supplies, and includes a
    compelling statement that they have already tried to reach the
    recipient via telephone in order to create a stronger sense of
    urgency. The attachment is a maliciously crafted Word document,
    utilizing the infamous CVE-2017-11882 (Office Equation Editor)
    vulnerability.

    Reply
  8. Tomi Engdahl says:

    Cybersecurity and the economy: when recession strikes
    https://blog.malwarebytes.com/cybercrime/2020/04/cybersecurity-and-the-economy-when-recession-strikes/
    Cybercrime and the economy have always been intertwined, but with
    COVID-19 on the road to causing a seemingly inevitable global
    recession, many are asking what, exactly, will the impact be on
    cybercrime. Will criminals step up and increase malware production,
    ramp up phishing attacks, do whatever it takes to pull in some cash?
    Or will it cause a little downturn in malware making and other dubious
    dealings?

    Reply
  9. Tomi Engdahl says:

    Advanced Persistent Threat Golden_hands – Digital Bank Robbery of the
    Year 2020
    https://www.vulnerability-db.com/?q=articles%2F2020%2F04%2F30%2Fadvanced-persistent-threat-goldenhands-digital-bank-robbery-year-2020
    This is a story about advanced persistent threats in Germany and the
    European Union during the crisis affecting the finance system and
    economy sector.

    Reply
  10. Tomi Engdahl says:

    Threat Spotlight: Malicious use of reCaptcha
    https://blog.barracuda.com/2020/04/30/threat-spotlight-malicious-recaptcha/
    In the never-ending battle between cybersecurity and cybercrime,
    cybercriminals continue to find new techniques to evade detection. One
    such trick Barracuda researchers have started seeing more often in
    phishing campaigns uses reCaptcha walls to block URL scanning services
    from accessing the content of phishing pages.

    Reply
  11. Tomi Engdahl says:

    The Russian Doll of Putin’s Internet Clampdown
    https://www.wired.com/story/opinion-the-russian-doll-of-putins-internet-clampdown/
    The Kremlin’s path toward censorship, surveillance, and repression has
    many more layers than meets the eye.

    Reply
  12. Tomi Engdahl says:

    Hackers breach LineageOS servers via unpatched vulnerability
    https://www.zdnet.com/article/hackers-breach-lineageos-servers-via-unpatched-vulnerability/#ftag=RSSbaffb68
    Hackers have gained access to the core infrastructure of LineageOS, a
    mobile operating system based on Android, used for smartphones,
    tablets, and set-top boxes. The intrusion took place last night, on
    Saturday, at around 8 pm (US Pacific coast), and was detected before
    the attackers could do any harm, the LineageOS team said in a
    statement published less than three hours after the incident.
    LineageOS developers said the hack took place after the attacker used
    an unpatched vulnerability to breach its Salt installation.

    Reply
  13. Tomi Engdahl says:

    Ghost blogging platform suffers security breach
    https://www.grahamcluley.com/ghost-blogging-platform-suffers-security-breach/
    The open-source blogging platform Ghost has suffered a serious
    security scare, no doubt sending shivers down the spines of some of
    its users. In a later update on the security breach, Ghost said that
    its investigations had determined that attackers had exploited a
    critical vulnerability in Salt, the open-source software used by data
    centers and cloud servers, in an attempt to mine cryptocurrency on its
    servers. also: https://status.ghost.org/incidents/tpn078sqk973

    Reply
  14. Tomi Engdahl says:

    Canadians have lost more than $1.2 million to COVID-19 scams
    https://www.cbc.ca/news/politics/covid-scams-fraud-crime-1.5551294
    Jeff Thomson of the Canadian Anti-Fraud Centre said the centre has
    received 739 reports since March 6 of attempts to defraud Canadians
    with scams related to the pandemic. He said 178 of those attempts
    succeeded. The centre is also seeing attempts to use the pandemic as
    cover to infect computers with malware.

    Reply
  15. Tomi Engdahl says:

    Love Bug’s creator tracked down to repair shop in Manila
    https://www.bbc.com/news/technology-52458765
    The man behind the world’s first major computer virus outbreak has
    admitted his guilt, 20 years after his software infected millions of
    machines worldwide.

    Reply
  16. Tomi Engdahl says:

    2020 Gartner Magic Quadrant for Application Security Testing
    https://www.synopsys.com/software-integrity/resources/analyst-reports/2020-gartner-magic-quadrant.html?cmp=em-sig-gartnermq&utm_medium=email&utm_source=website

    Synopsys is a Leader for the Fourth Year in a Row
    Synopsys Placed Highest for Ability to Execute and Furthest to the Right for Completeness of Vision

    Reply
  17. Tomi Engdahl says:

    Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
    By Ionut Arghire on May 04, 2020
    https://www.securityweek.com/recent-salt-vulnerabilities-exploited-hack-lineageos-ghost-digicert-servers

    Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.

    Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).

    Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.

    The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.

    Reply
  18. Tomi Engdahl says:

    This new cybersecurity school will teach kids to crack codes from home
    https://www.zdnet.com/article/this-new-cybersecurity-school-will-teach-kids-to-crack-codes-from-home/

    Online initiative looks to inspire a new generation of cybersecurity talent to bring out their ‘digital Sherlock Holmes’ while schools remain closed.

    Reply
  19. Tomi Engdahl says:

    Several Vulnerabilities Patched With Release of WordPress 5.4.1
    https://www.securityweek.com/several-vulnerabilities-patched-release-wordpress-541

    Several vulnerabilities, most of which have been described as cross-site scripting (XSS) flaws, have been patched in WordPress this week with the release of version 5.4.1.

    WordPress 5.4.1, described as a short-cycle security and maintenance release, fixes 17 bugs and 7 vulnerabilities affecting version 5.4 and earlier. WordPress developers pointed out that all versions newer than 3.7 have been updated as well.

    Reply
  20. Tomi Engdahl says:

    EU Demands End to Coronavirus Cyberattacks
    https://www.securityweek.com/eu-demands-end-coronavirus-cyberattacks

    The European Union on Thursday accused unnamed parties of exploiting the coronavirus pandemic to launch cyberattacks on infrastructure and healthcare services.

    A flood of cyberattacks has targeted European countries, affecting critical systems needed to deal with the virus crisis, said foreign policy chief Josep Borrell in a statement on behalf of all 27 EU members.

    “The European Union and its Member States condemn this malicious behaviour in cyberspace,” Borrell said.

    “Any attempt to hamper the ability of critical infrastructures is unacceptable. All perpetrators must immediately refrain from conducting such irresponsible and destabilising actions, which can put people’s lives at risk.”

    Earlier this month the United States voiced concern about cyber assaults targeting Czech hospitals — several of which managed to fight off attempted attacks.

    Internet users have seen a surge in COVID-related attacks and fraud schemes, including phishing emails purportedly from health agencies, counterfeit product offers and bogus charity donation requests.

    Reply
  21. Tomi Engdahl says:

    Geoff White / BBC:
    Filipino Onel de Guzman, author of the Love Bug worm that infected millions of PCs in May 2000, talks about his creation and claims he regrets writing it — The man behind the world’s first major computer virus outbreak has admitted his guilt, 20 years after his software infected millions of machines worldwide.

    Love Bug’s creator tracked down to repair shop in Manila
    https://www.bbc.com/news/technology-52458765

    Reply
  22. Tomi Engdahl says:

    Punainen verkko: Venäjä piirtää valtiollisia rajoja bittiavaruuteen
    https://ulkopolitist.fi/2020/05/04/venaja-piirtaa-valtiollisia-rajoja-bittiavaruuteen/
    Venäjä haluaa saavuttaa digitaalisen itsenäisyyden vuoteen 2024
    mennessä ja rakentaa siksi kansallista internetiä. Venäjän oma,
    kansallinen internet on neuvostoliittolaisista juurista kumpuava
    projekti, joka voisi antaa mallia niille autoritaarisille valtioille,
    jotka miettivät, miten ottaa internet valtion hallintaan. Internetin
    “kansallistamiset” muuttaisivat merkittävästi maailmanlaajuisen
    tietoverkon luonnetta.

    Reply
  23. Tomi Engdahl says:

    New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into
    Speakers
    https://thehackernews.com/2020/05/air-gap-malware-power-speaker.html
    A researcher from Israel’s Ben Gurion University of the Negev recently
    demonstrated a new kind of malware that could be used to covertly
    steal highly sensitive data from air-gapped and audio-gapped systems
    using a novel acoustic quirk in power supply units that come with
    modern computing devices. Dubbed ‘POWER-SUPPLaY, ‘ the latest research
    builds on a series of techniques leveraging electromagnetic, acoustic,
    thermal, optical covert channels, and even power cables to exfiltrate
    data from non-networked computers.

    Reply
  24. Tomi Engdahl says:

    Denmark, Sweden, Germany, the Netherlands and France SIGINT Alliance
    https://www.schneier.com/blog/archives/2020/05/denmark_sweden_.html
    This paper describes a SIGINT and code-breaking alliance between
    Denmark, Sweden, Germany, the Netherlands and France called Maximator.
    paper:
    https://www.tandfonline.com/doi/full/10.1080/02684527.2020.1743538

    Reply
  25. Tomi Engdahl says:

    OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…
    I have no mouth, and I must scream
    https://www.theregister.co.uk/2020/05/04/power_supply_attack/

    Reply
  26. Tomi Engdahl says:

    New Executive Order Aims to Protect U.S. Power Grid From Backdoored Equipment
    https://www.securityweek.com/new-executive-order-aims-protect-us-power-grid-backdoored-equipment

    A new executive order signed on Friday by U.S. President Donald Trump prohibits the acquisition of bulk-power system equipment that could contain intentional backdoors planted by foreign adversaries.

    Incidents where threat actors targeted a country’s power grid and even caused disruptions are not unheard of, and even the United States reportedly targeted Russia’s grid in such attacks.

    The U.S. government appears to be concerned that foreign adversaries could be trying to plant malicious or vulnerable equipment in the country’s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is “controlled by, or subject to the jurisdiction or direction of a foreign adversary.”

    Reply
  27. Tomi Engdahl says:

    Godaddy Hacked : 19 Million Customers at Risk
    https://hackernewsdog.com/godaddy-hacked-breached-stolen-data/?fbclid=IwAR2h5XuWSsnrC8HHsDqGSyF2S2GEIVQnxh0F-T5YkWNaSBiiBPZ35Yu5Bc4

    Big Breaking News Just coming In
    Godaddy Just confirmed its data breach on 5 May 2020 putting 19 million customers on risk.

    One of the biggest domain registrar and web hosting firm godaddy today publicly announced its data breach that impacted millions of hosting account customers. This incident goes back to the date October 2019 when enabled one hacker to access some customer’s login information of SSH of hosting account. Later the security team of the godaddy company observed suspicious activity on some accounts.

    Although the company said “It did not impact main customer accounts” , although why are not sure what do they mean by saying “main customers”.

    Reply
  28. Tomi Engdahl says:

    GoDaddy Hack Breaches Hosting Account Credentials
    https://threatpost.com/godaddy-hack-breaches-hosting-account-credentials/155475/

    The domain registrar giant said that the breach started in October 2019.

    GoDaddy, the world’s largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials.

    An “unauthorized individual” was able to access users’ login details in an intrusion that took place back in October.

    Reply
  29. Tomi Engdahl says:

    New VCrypt Ransomware locks files in password-protected 7ZIPs
    https://www.bleepingcomputer.com/news/security/new-vcrypt-ransomware-locks-files-in-password-protected-7zips/
    A new ransomware called VCrypt is targeting French victims by
    utilizing the legitimate 7zip command-line program to create
    password-protected archives of data folders.

    Reply
  30. Tomi Engdahl says:

    Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems
    https://threatpost.com/airplane-hack-exposes-weaknesses-of-alert-and-avoidance-systems/155451/
    The aircraft safety system known as the Traffic Alert and Collision
    Avoidance System (TCAS) can be coerced into sending an airplane on a
    mid-air rollercoaster ride much to the horror of those onboard.
    Researchers were able to cobble together an effective method for
    spoofing the TCAS using a $10 USB-based Digital Video Broadcasting
    dongle and a rogue transponder, for communicating with aircraft. “We
    have shown that careful placing of fake aircraft through rogue
    transponder broadcasts can cause an aircraft under autopilot control
    to climb or descend towards legitimate traffic, ” wrote Pen Test
    Partners’ Ken Munro in a blog post outlining his research. also:
    https://www.pentestpartners.com/security-blog/jeopardising-aircraft-through-tcas-spoofing/

    Reply
  31. Tomi Engdahl says:

    Mitigating vulnerabilities in endpoint network stacks
    https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
    One aspect of our proactive security work is finding vulnerabilities
    and fixing them before they can be exploited. Innovations we’ve made
    in our fuzzing technology have made it possible to get deeper coverage
    than ever before, resulting in the discovery of new bugs, faster. One
    such vulnerability is the remote code vulnerability (RCE) in Microsoft
    Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and
    fixed on March 12, 2020. In the following sections, we will share the
    tools and techniques we used to fuzz SMB, the root cause of the RCE
    vulnerability, and relevant mitigations to exploitation.

    Reply
  32. Tomi Engdahl says:

    APT Groups Target Healthcare and Essential Services – Alert
    (AA20-126A)
    https://www.us-cert.gov/ncas/alerts/AA20126A
    CISA and NCSC continue to see indications that advanced persistent
    threat (APT) groups are exploiting the Coronavirus Disease 2019
    (COVID-19) pandemic as part of their cyber operations. This joint
    alert highlights ongoing activity by APT groups against organizations
    involved in both national and international COVID-19 responses. It
    describes some of the methods these actors are using to target
    organizations and provides mitigation advice.

    Reply
  33. Tomi Engdahl says:

    Toll Group hit by ransomware a second time, deliveries affected
    https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/
    The Toll Group has suffered its second ransomware cyberattack in three
    months, with the latest one conducted by the operators of the Nefilim
    Ransomware. Toll Group is Asia Pacific’s leading provider of trans
    portion and logistics services, employing roughly 44, 000 people at 1,
    200 locations in more than 50 countries. also:
    https://www.tollgroup.com/toll-it-systems-updates

    Reply
  34. Tomi Engdahl says:

    Malicious Use of AI Poses a Real Cybersecurity Threat
    https://www.darkreading.com/vulnerabilities—threats/malicious-use-of-ai-poses-a-real-cybersecurity-threat/a/d-id/1337690
    We should prepare for a future in which artificially intelligent
    cyberattacks become more common. also:
    https://www.foi.se/report-summary?reportNo=FOI-R–4947–SE

    Reply
  35. Tomi Engdahl says:

    Google Android RCE Bug Allows Attacker Full Device Access
    https://threatpost.com/google-android-rce-bug-full-device-access/155460/
    The vulnerability is one of 39 affecting various aspects of the mobile
    OS that the company fixed in a security update this week.

    Android’s May 2020 Patches Fix Critical System Vulnerability
    https://www.securityweek.com/androids-may-2020-patches-fix-critical-system-vulnerability
    Google this week released the May 2020 security patches for the Android operating system, which address several critical vulnerabilities, including one affecting the System component.
    A total of 39 vulnerabilities were patched with the release, split into two parts: 15 received fixes as
    part of the 2020-05-01 security patch level, and 24 addressed with the 2020-05-05 security patch level.

    Reply
  36. Tomi Engdahl says:

    With more than 19 million customers, 77 million domains managed, and millions of websites hosted, most everyone has heard of GoDaddy. According to Bleeping Computer, which broke the news yesterday evening, an as yet unknown number of customers have been informed that their web hosting account credentials had been compromised
    https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/

    Reply
  37. Tomi Engdahl says:

    COVID-19: Cloud Threat Landscape
    https://unit42.paloaltonetworks.com/covid-19-cloud-threat-landscape/
    Unit 42 researchers analyzed 1.2 million newly registered domain (NRD)
    names containing keywords related to the COVID-19 pandemic from March
    9, 2020 to April 26, 2020 (7 weeks). 86, 600+ domains are classified
    as “risky” or “malicious”, spread across various regions, as shown in
    Figure 1. The United States has the highest number of malicious
    domains (29, 007), followed by Italy (2, 877), Germany (2, 564), and
    Russia (2, 456).

    Cyber volunteers release blocklists for 26, 000 COVID-19 threats
    https://www.bleepingcomputer.com/news/security/cyber-volunteers-release-blocklists-for-26-000-covid-19-threats/
    The COVID-19 Cyber Threat Coalition has released a block list of known
    URLs and domain names associated with Coronavirus-themed scams,
    phishing attacks, and malware threats. The URL blocklist currently
    consists of 13, 863 malicious URLs that have been seen in attacks, and
    the domain blocklist now contains 12, 258 malicious domains and
    hostnames.

    Reply
  38. Tomi Engdahl says:

    Nearly a Million WP Sites Targeted in Large-Scale Attacks
    https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/
    Our Threat Intelligence Team has been tracking a sudden uptick in
    attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began
    on April 28, 2020 and increased over the next few days to
    approximately 30 times the normal volume we see in our attack data.
    The majority of these attacks appear to be caused by a single threat
    actor, based on the payload they are attempting to inject a malicious
    JavaScript that redirects visitors and takes advantage of an
    administrator’s session to insert a backdoor into the theme’s header.

    Nearly 1 Million WordPress Sites Targeted via Old Vulnerabilities
    https://www.securityweek.com/nearly-1-million-wordpress-sites-targeted-old-vulnerabilities

    A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.

    The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.

    Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.

    The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).

    The JavaScript code the attackers attempt to insert into the targeted websites is located at count[.]trackstatisticsss[.]com/stm and also checks whether the victim has any WordPress login cookies set. The attackers hope that the script would be executed in an administrator’s browser.

    Admins who are not logged in and are not on the login page are redirected to a malvertising site. Otherwise, the script attempts to inject a malicious PHP backdoor into the current theme’s header, along with a second malicious JavaScript.

    The backdoor downloads another payload from https://stat.trackstatisticsss.com/n.txt and attempts to execute it by including it in the theme header.

    Reply
  39. Tomi Engdahl says:

    Now we know what the P really stands for in PwC: X-rated ads plastered
    over derelict corner of accountants’ website
    https://www.theregister.co.uk/2020/05/06/pwc_azure_squatting/
    A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been
    hijacked to host ads for porno websites and apps, neatly demonstrating
    why you should not neglect your corporate DNS records.

    Reply
  40. Tomi Engdahl says:

    DDoS attacks in Q1 2020
    https://securelist.com/ddos-attacks-in-q1-2020/96837/
    Since the beginning of 2020, due to the COVID-2019 pandemic, life has
    shifted almost entirely to the Web people worldwide are now working,
    studying, shopping, and having fun online like never before. This is
    reflected in the goals of recent DDoS attacks, with the most targeted
    resources in Q1 being websites of medical organizations, delivery
    services, and gaming and educational platforms.

    Reply
  41. Tomi Engdahl says:

    Credit card skimmer masquerades as favicon
    https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
    When it comes to online credit card skimmers, we have already seen a
    number of evasion techniques, some fairly simple and others more
    elaborate. The goal remains to deceive online shoppers while staying
    under the radar from website administrators and security scanners. In
    this latest instance, we observed an old server-side trick combined
    with the clever use of an icon file to hide a web skimmer. Threat
    actors registered a new website purporting to offer thousands of
    images and icons for download, but which in reality has a single
    purpose: to act as a façade for a credit card skimming operation.

    Reply
  42. Tomi Engdahl says:

    Now That Everyone’s Working From Home, How’s Your Helpdesk Holding Up?
    https://www.securityweek.com/now-everyones-working-home-hows-your-helpdesk-holding

    Reply
  43. Tomi Engdahl says:

    As Healthcare Industry Transforms Overnight, Tech Community Must Act
    https://www.securityweek.com/healthcare-industry-transforms-overnight-tech-community-must-act

    The Technology Industry Must Come Together to Help Healthcare Meet the Challenges Sparked by he COVID-19 Outbreak

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*