Cyware Daily Threat Intelligence April 11, 2018

Injectbody/Injectscr plugins evolve
The malicious plugins: Injectbody and Injectscr which were found creating a new wave of Wordpress infections in February are back with an evolved attack vector. Currently, they target the core WordPress JavaScript files wherein the hackers add the malicious code and then obfuscate the entire file content along with the legitimate code in order to clean the files without disrupting the functionalities of sites.

Mirai-like Scanning activity detected
Researchers have observed an influx of activities coming from 3,423 IP addresses of scanners used in China. The attack behavior is found to be similar to that of the Mirai botnet. The infection method involves continuous scanning on the internet in order to find vulnerable devices and then using default credentials to hijack them. 167 routers, 16 IP cameras, and 4 digital video recorders (DVRs) were used to in the scanning activity. Wireless Keyboard 850 vulnerability patched
Microsoft has released the April edition of its monthly security update which has fixed a total of 67 CVE-listed vulnerabilities. One of the important patch released is for the Wireless Keyboard 850 vulnerability (CVE-2018-8117). The flaw allowed attackers to reuse the keyboard's AES encryption key to record keystrokes or inject malicious commands into a victim's computer.

Spectre Variant 2 patched
AMD has released microcode updates to mitigate exploitations by variant 2 of the Spectre flaws. The update covers patches for AMD processors dating back to the first 'Bulldozer' core products which were introduced in 2011.

CVE-2018-0950 partially patched
Among all the fixes released by Microsoft in its April edition, the old Outlook vulnerability (CVE -2018-0950) seems to have not been completely patched. After applying the update, the system administrator needs to follow some further workarounds like locking inbound and outbound SMB connections at the network border and NTLM Single Sign-on (SSO) authentication. The so-called CVE-2018-0950 vulnerability allowed hackers to steal user account passwords and NTLM hashes from Windows computers.