Cyware Daily Threat Intelligence, February 20, 2020

Share Blog post

WordPress is the most used web platform, both for business websites and for personal blogs. Unfortunately, this popularity attracts the attention of bad actors as well. In the last 24 hours, security researchers have found that over 20,000 WordPress sites are infected with trojanized versions of premium WordPress themes and plugins. Interestingly, the attack campaign has been active for the last three years. In a different incident, the recently discovered WP-VCD botnet has expanded its capabilities to bypass anti-adblocker scripts with an intention to hijack more websites.

A couple of security updates to address critical vulnerabilities were also issued by Cisco and VMware in the last 24 hours. While Cisco has fixed a total of 17 security issues affecting its products, VMware has patched three ‘Critical’ vulnerabilities present in its vRealize Operations for Horizon Adapter.

Top Breaches Reported in the Last 24 Hours

MGM Resorts International leaks data
The details of some 10.6 million customers of MGM Resorts International were exposed due to unauthorized access to a cloud server. The data breach had occurred last year and the leaked information included full names, addresses, phone numbers, dates of birth, and email addresses of individuals. The leaked data also included contact details for many high-profile users, working for big tech firms and governments all over the world. The hotel chain has promptly notified all impacted hotel guests about the breach.

Top Malware Reported in the Last 24 Hours

Adwind 3.0
Researchers have uncovered a new version of Adwind RAT that is being used in an ongoing malspam campaign. The new version, Adwind 3.0, spreads via a phishing email that contains a malicious Office file attachment. The variant uses different evasive methods to bypass security solutions. The ongoing campaign has targeted more than 80 Turkish companies.

Swiss government sends alert
Switzerland’s Reporting and Analysis Center for Information Assurance (MELANI) has sent alerts about ongoing ransomware attacks that target small, medium-sized, and large companies. Both MELANI and GovCERT have recommended best practices to mitigate such attacks while advising businesses not to pay ransoms.

Trojanized plugins
More than 20,000 WordPress sites have been found to be infected with trojanized versions of premium WordPress themes and plugins. The threat actors behind the campaign have been running this infection process for at least three years. Some of the popular trojanized plugins include ‘Ultimate Support Chat’, ‘Woocomerence Product filter’, and ‘Slider Revolution v5.4.8.1’.

Emotet used in SMiShing
A new SMiShing attack that distributes the Emotet trojan has been detected by researchers. The malicious SMS messages appear to come from local U.S. numbers and impersonate well-known banks. It alerts users about a locked account and includes a link that redirects them to a domain that distributes the malware.

WP-VCD botnet evolved
Operators of WP-VCD botnet have expanded the malware’s capabilities to bypass anti-adblocker script while hijacking websites. This new addition will enable the attackers to generate more revenue via pay-per-impression or pay-per-click advertising schemes.

New skimmer attack
A new skimmer implant that could be potentially linked to the Magecart group has been spotted in the wild. The attack involves attackers exploiting known vulnerabilities in e-commerce websites and injecting a nasty script to steal customers’ credit card details.

Top Vulnerabilities Reported in the Last 24 Hours

BlueKeep vulnerability
According to a report, about 45 percent of connected medical devices are vulnerable to BlueKeep exploit even after a patch has been released. The vulnerability tracked as CVE-2019-0708 affects RDP services running on Windows 2003, Windows 7, Server 2008 and XP systems. The successful exploitation of the flaw can allow an attacker to send malware to infected systems.

Vulnerable ThemeREX Addons
A zero-day vulnerability in the ThemeREX Addons plugin is being actively exploited by attackers to create user accounts with admin permissions and potentially take full control of the websites. The bug resides in a WordPress REST-API endpoint registered by the plugin. The vulnerability has not yet been patched by the developers.

VMware releases updates
VMware has released security updates for three ‘Critical’ vulnerabilities that could allow attackers to take control of an affected system. The three vulnerabilities in question are CVE-2020-3943, CVE-2020-3944, and CVE-2020-3945.

Cisco fixes 17 flaws
Cisco has fixed 17 vulnerabilities found across its multiple products. The affected products include Cisco Smart Software Manager, IOS XR Software, Unified Contact Center, Email Security Appliance, and Data Center Network Manager. The patched vulnerabilities include denial of service, privilege escalation, and cross-site request forgery flaws.

Top Scams Reported in the Last 24 Hours

Tax-related scam
Cybercrooks are targeting users with new tax-related scams that leverage remote desktop software and compromise small tax-prep company websites. The purpose is to trick users into installing malware that can steal credentials or take control of systems.

Instagram as bait
A large-scale phishing campaign is running on Instagram that promises a lump-sum payment to those starting their own business. For this, the scammers have created a fake presidential decree that is related to social contracts program running in several regions in Russia.

 Tags

wp vcd botnet
adwind 30
themerex addons
bluekeep vulnerability

Posted on: February 20, 2020

Get the Daily Threat Briefing delivered to your email!


More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.


Join Thousands of Other Cyware Followers!