WP Security: 30 scary happenings worth reading from February 2019
- Banking trojan targeting Russian domains
- Russians are on the receiving end of a new malware campaign called Redaman, a banking trojan that targets Russian domains. It spreads through infected email attachments. Russian Language Malspam Pushing Redaman Banking Malware
- GCP App Engine URL Redirection – Decoys
- Hackers are using Google App Engine to deliver malware and hide their activities. Researchers have observed dozens of attacks, most of them targeting financial applications. The malware is delivered through infected PDFs and redirected URLs. Targeted Attacks Abusing Google Cloud Platform Open Redirection
- Spoofing search results and infecting browser extensions
- Researchers have found a malicious browser extension they call Razy. It spreads through adware and tries to steal cryptocurrency. Razy in search of cryptocurrency
- Protect Your Organization from Phishing Attacks
- The latest State of the Phish report is out showing big increases in phishing attacks during the last year. Vishing and smishing efforts also increased. Baby boomers outperformed all other age groups in fundamental phishing and ransomware knowledge. 2019 State of the Phish Report
- The Japanese government wants to secure IoT devices before the Tokyo 2020 Olympics
- Japan amended its laws to allow government agents to access and survey IoT devices by logging in with their default passwords. The idea is to compile a list of all insecure devices -- in both homes and businesses -- and alert the appropriate authorities so they can try to secure them. The Japanese government plans to hack into citizens' IoT devices
- Dailymotion announces being subject to a large-scale computer attack
- Video-sharing site Dailymotion announced that it had been the subject of a large-scale, dictionary-based credential-stuffing attack. Since the company is based in Paris, the French authorities have been notified. All users’ passwords have been reset. Dailymotion subject to a computer attack
- Vulnerabilities being exploited by malicious actors to gain WP administrative access
- If you are using the WordPress Total Donations plug-in, you should delete it immediately. Hackers can exploit the plug-in to gain admin access to your website. Its developer has apparently abandoned the software, so no update will be forthcoming. WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin
- Securonix Threat Research: Moanacroner, XBash, and Others
- The number and variety of crypto-mining attacks on Hadoop infrastructure are on the rise. Researchers have seen XBash and Moanacroner, among other malware, targeting these servers. The post lists several mitigation measures, including checking access logs and enforcing stronger passwords. Detecting Persistent Cloud Infrastructure/Hadoop/YARN Attacks Using Security Analytics
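As a concrete form of the "check your access logs" advice above, here is an added example (my code, not from the Securonix post or from Hadoop) that scans YARN ResourceManager audit-log lines for application submissions made by Hadoop's default unauthenticated HTTP user, `dr.who`, and for bursts of submissions from a single source. The tab-separated `KEY=VALUE` layout after `RMAuditLogger:` follows the real audit logger, but the log lines below are constructed, and the threshold and the choice of `dr.who` as the anonymous user are assumptions to adapt to your cluster.

```python
"""Flag suspicious YARN application submissions in ResourceManager audit logs.

Added example: when the YARN REST API is reachable without Kerberos, requests
are attributed to the static web user (assumed here to be "dr.who"), so any
*submission* under that user is worth an alert, as is a burst of submissions
from one source.  Sample lines are constructed, not taken from a real cluster.
"""
import re
from collections import Counter

ANONYMOUS_USER = "dr.who"  # Hadoop's default unauthenticated HTTP user (assumption)

# "<date> <time> <LEVEL> <logger>RMAuditLogger: KEY=VALUE\tKEY=VALUE..."
_PREFIX = re.compile(r"^(\S+ \S+) \w+ \S*RMAuditLogger: (.*)$")

# Constructed audit lines: one legitimate job, three anonymous submissions
# from one external address, one kill request, one read-only anonymous
# request, and one non-audit scheduler line that must be ignored.
_LOGGER = "org.apache.hadoop.yarn.server.resourcemanager.RMAuditLogger"
SAMPLE_AUDIT_LINES = [
    f"2019-02-12 10:15:32,201 INFO {_LOGGER}: USER=etl_svc\tIP=10.0.0.12\t"
    "OPERATION=Submit Application Request\tTARGET=ClientRMService\t"
    "RESULT=SUCCESS\tAPPID=application_1549956000000_0001",
    f"2019-02-12 10:16:01,004 INFO {_LOGGER}: USER=dr.who\tIP=203.0.113.45\t"
    "OPERATION=Submit Application Request\tTARGET=ClientRMService\t"
    "RESULT=SUCCESS\tAPPID=application_1549956000000_0002",
    f"2019-02-12 10:16:03,118 INFO {_LOGGER}: USER=dr.who\tIP=203.0.113.45\t"
    "OPERATION=Submit Application Request\tTARGET=ClientRMService\t"
    "RESULT=SUCCESS\tAPPID=application_1549956000000_0003",
    f"2019-02-12 10:16:05,377 INFO {_LOGGER}: USER=dr.who\tIP=203.0.113.45\t"
    "OPERATION=Submit Application Request\tTARGET=ClientRMService\t"
    "RESULT=SUCCESS\tAPPID=application_1549956000000_0004",
    f"2019-02-12 10:17:00,000 INFO {_LOGGER}: USER=etl_svc\tIP=10.0.0.12\t"
    "OPERATION=Kill Application Request\tTARGET=ClientRMService\t"
    "RESULT=SUCCESS\tAPPID=application_1549956000000_0001",
    f"2019-02-12 10:17:10,500 INFO {_LOGGER}: USER=dr.who\tIP=203.0.113.45\t"
    "OPERATION=Get Applications Request\tTARGET=ClientRMService\tRESULT=SUCCESS",
    "2019-02-12 10:17:40,000 INFO org.apache.hadoop.yarn.server.resourcemanager."
    "scheduler.capacity.CapacityScheduler: Added node worker-03:45454",
]


def parse_audit_line(line):
    """Return a dict of audit fields (plus TIMESTAMP) or None for non-audit lines."""
    m = _PREFIX.match(line.rstrip("\n"))
    if not m:
        return None
    fields = {}
    for chunk in m.group(2).split("\t"):
        key, sep, value = chunk.partition("=")
        if sep:  # skip chunks that are not KEY=VALUE
            fields[key.strip()] = value.strip()
    fields["TIMESTAMP"] = m.group(1)
    return fields


def is_submission(fields):
    """True for 'Submit Application Request' style operations."""
    return fields.get("OPERATION", "").startswith("Submit Application")


def find_suspicious_submissions(lines, burst_threshold=3):
    """Return findings: anonymous submissions and per-(user, ip) submission bursts."""
    findings = []
    per_source = Counter()
    for line in lines:
        f = parse_audit_line(line)
        if f is None or not is_submission(f):
            continue  # read-only calls and non-audit lines are not interesting here
        per_source[(f.get("USER", "?"), f.get("IP", "?"))] += 1
        if f.get("USER") == ANONYMOUS_USER:
            findings.append({"reason": "anonymous_submission", "ip": f.get("IP"),
                             "appid": f.get("APPID"), "timestamp": f["TIMESTAMP"]})
    for (user, ip), n in per_source.items():
        if n >= burst_threshold:
            findings.append({"reason": "submission_burst", "user": user,
                             "ip": ip, "count": n})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_submissions(SAMPLE_AUDIT_LINES):
        print(finding)
```

On a real cluster, feed the ResourceManager log through `find_suspicious_submissions` (a line at a time from the shipped log is enough) and treat any `anonymous_submission` as confirmation that the REST API is exposed without authentication; the burst rule is a fallback for clusters where an attacker has obtained a named account.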
Our only security is our ability to change. ~ John Lilly
- Action was taken against cyber criminals linked to four million attacks
- The UK’s National Crime Agency is working with partners in more than a dozen countries to arrest hundreds of DDoS attackers who once used the Webstresser service. The website was taken down last year and could be responsible for launching more than 4M attacks during its lifetime. Users of illegal websites targeted in joint law-enforcement activity
- Hakai and Yowai can easily be abused by cybercriminals to breach web servers and attack websites
- Earlier this month, researchers saw a big increase in two Mirai variants dubbed Yowai and Gafgyt. Both leverage PHP vulnerabilities and use dictionary attacks to force their way into networks. ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai
- admin@kremlin.ru account spotted on thousands of Russian-linked, internet-exposed MongoDB databases
- A Dutch researcher has found evidence of Kremlin tampering with more than two thousand MongoDB servers. All of them had inadequate online security and all involve companies that conduct business in Russia. Unsecured MongoDB databases expose Kremlin's backdoor into Russian businesses
- THE largest PPS attack publicly disclosed: 500 million packets per second
- What appears to be the largest DDoS attack ever recorded, measured in packets per second, happened earlier this month. Analysts say it was a SYN flood that sent more than 500M packets per second, four times the previous record set by the attack on GitHub last year. This DDoS Attack Unleashed the Most Packets Per Second Ever. Here’s Why That’s Important.
- SQLite module is used to parse the databases in order to steal data
- Researchers have found new malware samples written in the Go programming language. One is a variant of the Zebrocy info-stealer, the other a simple Trojan. Both appear to target SQLite database files. Analyzing a new stealer written in Golang
- Yet another phishing campaign poses as a reputable payments processor Nets.eu
- Many Danish users of the popular payment processor Nets.eu have received a new and more subtle wave of phishing emails. The messages pose as security alerts about a possible account compromise but are actually used to steal credentials. Danish E-Shoppers Targeted by Another Wave of Nets.eu Phishing Campaign
- Another government vs. government
- Government analysts have been able to thwart a North Korean state-sponsored botnet called Joanap that uses the Hidden Cobra malware. They identified unprotected endpoints in government networks and neutralized them. FBI, Air Force investigators mapped North Korean botnet to aid shutdown
- WP Security under belt blow: Spam Injector Resembling a License Key
- Malware disguised as a software license key has been discovered hiding inside a WordPress theme. The disguise makes the malware harder to detect. Spam Injector Disguised as License Key in WordPress Website
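A defender-side check for the kind of disguise the headline describes, added here as an example (my code, not from the Sucuri post or from WordPress): it scans theme PHP source for a long opaque, key-looking string that is fed, directly or through a variable, into a decode or execute call. The pattern (an opaque string later decoded and executed) is my assumption about how such an injector tends to look, not a description of the specific sample; the two theme snippets are constructed, and the decoded payload in the suspicious one is just "hello world" text.

```python
"""Flag theme PHP files where a long base64-looking 'key' is decoded/executed.

Added example.  Heuristic: a string literal made only of base64 characters and
at least MIN_LEN long is treated as opaque; if it is passed (directly or via a
variable) to a decoder/executor such as base64_decode or eval, the file is
flagged.  A genuine license key read from the database and compared is not.
"""
import re

MIN_LEN = 40  # assumption: real option keys are short, payload blobs are long
DECODERS = ("eval", "base64_decode", "gzinflate", "gzuncompress",
            "str_rot13", "create_function")

# Constructed benign theme file: stores and reads a license key but never
# decodes or executes it.
BENIGN_FUNCTIONS_PHP = """<?php
$theme_license = get_option('mytheme_license_key', '');
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('after_setup_theme', 'mytheme_setup');
"""

# Constructed suspicious theme file: an opaque "license" blob (base64 of
# repeated 'hello world ') that is decoded and executed on every page load.
SUSPICIOUS_FUNCTIONS_PHP = """<?php
/* Theme license */
$license_key = 'aGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQgaGVsbG8gd29ybGQg';
function mytheme_setup() { add_theme_support('title-tag'); }
add_action('wp_head', function () use ($license_key) { eval(base64_decode($license_key)); });
"""


def _call_arguments(source, func):
    """Yield the raw argument text of every call to func (paren-depth matching)."""
    for m in re.finditer(r"\b" + func + r"\s*\(", source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"(": 1, ")": -1}.get(source[i], 0)
            i += 1
        yield source[m.end():i - 1]


def scan_theme_file(path, source, min_len=MIN_LEN):
    """Return a list of findings for one PHP file (empty list when clean)."""
    blob = r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    assigned = re.compile(r"(\$\w+)\s*=\s*['\"]" + blob + r"['\"]")
    inline = re.compile(r"['\"]" + blob + r"['\"]")
    opaque_vars = {var for var in assigned.findall(source)}

    findings = []
    for func in DECODERS:
        for args in _call_arguments(source, func):
            via = sorted(set(re.findall(r"\$\w+", args)) & opaque_vars)
            if via or inline.search(args):
                findings.append({"file": path, "call": func,
                                 "via": via or ["inline literal"]})
    return findings


def scan_theme(files, min_len=MIN_LEN):
    """files: {path: source}. Returns all findings across the theme."""
    out = []
    for path, source in files.items():
        out.extend(scan_theme_file(path, source, min_len))
    return out


if __name__ == "__main__":
    for f in scan_theme({"clean/functions.php": BENIGN_FUNCTIONS_PHP,
                         "infected/functions.php": SUSPICIOUS_FUNCTIONS_PHP}):
        print(f)
```

Run it over `wp-content/themes/*/**/*.php` by reading each file into the `files` dict; a hit is a reason to diff the theme against a pristine copy from the vendor, not proof of compromise, since a few legitimate plugins also embed encoded blobs.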
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
- BankBot Anubis (popular mobile banking trojan) targets hundreds of unique mobile applications from organizations worldwide
- Major enhancements to the Anubis BankBot trojan have been observed. They include Chinese translations and the use of Telegram as a command-and-control channel, which makes detection harder. BankBot Anubis Switches to Chinese and Adds Telegram for C2
- APT39 focus on the telecommunications and travel industries
- The activities of the Iranian state-sponsored hacking group APT39 are dissected in this report. The group monitors staffers at telecom and travel businesses and has developed a variety of malware tools. APT39: An Iranian Cyber Espionage Group Focused on Personal Information
- The attack targets worldwide servers including AWS hosted machines
- Researchers have found a new Linux-based Trojan that creates backdoors. Called SpeakUp, it affects six different Linux OS versions, including AWS-hosted machines. It uses command-injection techniques to upload a PHP shell that serves and executes a Perl backdoor, which is then used to deploy hidden Monero crypto-mining tools. A New Undetected Backdoor Linux Trojan
- CRYPTO CRIME REPORT
- Two criminal gangs are responsible for stealing 60% of all cryptocurrency taken from exchanges, according to a new report. The total is close to the equivalent of $1B, and the gangs are adept at routing their ill-gotten gains through thousands of downstream accounts. Decoding Hacks, Darknet Markets, and Scams
- Highly sophisticated campaign - Orcus Remote Access Trojan
- Researchers have seen a new variant of the Orcus remote access Trojan. It can steal browser cookies and stored passwords and launch DDoS campaigns. The new version also contains multiple evasion techniques. NEW CAMPAIGN DELIVERS ORCUS RAT
- Anatova can become a serious threat since the code is prepared for modular extension
- Researchers have seen a new ransomware family they call Anatova. It has hit numerous targets in the US and Europe, including many in Belgium and Germany. What makes this attack notable is that it uses modular code and poses as a gaming app. The countries Anatova does not attack are all the CIS countries (Armenia, Azerbaijan, Belarus, Georgia, Kazakhstan, Kyrgyzstan, Moldova, Russian Federation, Tajikistan, Turkmenistan, Ukraine, and Uzbekistan) plus Syria, Egypt, Morocco, Iraq and India. Happy New Year 2019! Anatova is here!
- The Matrix Ransomware
- The Matrix ransomware has resurfaced with a new twist. Instead of demanding a fixed ransom up front, it samples your data files and sets the price based on their perceived value. It targets specific enterprise users. MATRIX RANSOMWARE CHANGES THE RULES AGAIN | HOW MUCH ARE YOU WORTH?
- Russia's internet contingency plan gets closer to reality.
- Russia is planning a massive exercise to completely disconnect from the Internet sometime this spring, in order to test whether the country can isolate itself from a potential cyber attack. All ISPs will have to route traffic through new government-approved peering points. A date for the test has not been revealed, but it is supposed to take place before April 1, the deadline for submitting amendments to the law, known as the Digital Economy National Program. Russia to disconnect from the internet as part of a planned test
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
- Allows non-admin users to modify WordPress installation options
- Another WP Security issue, and a somewhat expected one. A bug in the WordPress Simple Social Buttons plug-in has been discovered and fixed. The plug-in is used on more than 40,000 active websites, and the bug could grant admin access to a site. You should update to v2.0.22, which fixes this issue. WordPress Plugin ‘Simple Social Buttons’ Critical Security Bug
- Funds traced and being recovered, depositors' funds untouched
- The Maltese Bank of Valletta, the country’s largest, had to shut down its computer networks after hackers stole the equivalent of nearly €13M. The bank detected the attack within minutes and is working to get its funds returned. BOV hackers' €13m in transactions 'being reversed'
- Is Your Website Hackable? 70% are!
- A report on the most popular attack methods lists XSS, JScript and WordPress exploits; each was found in a third of the malware samples measured by Acunetix. The good news is that SQL injection attacks are finally declining. Is Your Website Hackable? 70% are!
- The vulnerability remained uncovered in the WordPress core for over 6 years.
- Now this WP Security issue is totally unexpected. WordPress v5.0.0 has a remote code execution vulnerability. Unlike previous WP-related problems, this one was discovered in the core code and has been there for the past six years. It has yet to be patched, even though v5.0.3 has been released. WordPress 5.0.0 Remote Code Execution
- Separ's living-off-the-land approach bypasses many antimalware providers.
- Researchers have discovered a new variant of the Separ credential-stealing malware. It has attacked businesses in numerous countries and focuses on stealing financial account details and then uploading them to a public hosting site. It uses a number of obfuscation methods to make it harder to detect. Hard-to-detect credential-theft malware has infected 1,200 and is still going
- Giving such a trusted position to this company would be a very bad idea.
- The UAE-based DarkMatter cyber-terrorist group is trying to become a root-level CA. As this post from the EFF shows, that is a bad idea, because the group’s goal is to intercept Internet traffic on behalf of questionable government agencies. Cyber-Mercenary Groups Shouldn't be Trusted in Your Browser or Anywhere Else
- ProtonMail explains this further and clarifies that its CAs aren’t related to DarkMatter. ProtonMail SSL certificates and DarkMatter
At the end of the day, the goals are simple: safety and security. ~ Jodi Rell