Cyware Daily Threat Intelligence, January 30, 2019


Cybercriminals are continuously refining their evasion techniques to go undetected. Lately, security experts have identified three different incidents where malicious files were distributed either disguised as song titles or hidden inside harmless text taken from an article. In one of these attacks, the attackers leveraged the ongoing ‘Coronavirus threat’ reports to infect Japanese users.

A major cross-site request forgery vulnerability in the Code Snippets plugin was also uncovered in the last 24 hours. It is estimated that more than 200,000 WordPress sites are at risk of account takeover attacks due to the unpatched plugin. Admins are advised to use version 2.14.0 of the plugin to prevent such attacks.

Top Breaches Reported in the Last 24 Hours

UN confirms a cyberattack
The United Nations has confirmed that its offices in Geneva and Vietnam were targeted in a cyberattack last year. The attack resulted in a compromise of core infrastructure components at both offices and was determined to be serious. The malicious hackers had accessed servers to launch the attack.

Sprint suffers a breach
Sprint has come under fire after it was found that an internal customer support forum called ‘Social Care’ was indexed by search engines. The forum contained several months of postings about customer complaints and other issues that were viewable by anyone without authentication. The forum also included numerous links and references to internal tools and procedures.

Greenville Water’s cyberattack
Greenville Water, a South Carolina water company, is recovering from a cyberattack that took place on January 22, 2019. The incident affected its phone and online payment systems, as well as around 500,000 of its customers. The exact nature of the attack is yet to be revealed by the firm.

EWA’s ransomware infection
Electronic Warfare Associates (EWA) suffered a ransomware infection last week. Among the systems that had data encrypted during the incident were the company’s web servers. Going by the cached files, the nature of the encrypted files and the ransom notes, security researchers indicate that it is the work of Ryuk ransomware.

Top Malware Reported in the Last 24 Hours

Malware masquerades as song titles
Kaspersky Labs has identified more than 30,000 malicious files hidden behind Grammy Award-winning song titles. Cybercriminals are using these popular songs and artists as a channel to spread malware. Consumers are recommended to look carefully at file extensions and beware of sites claiming to provide exclusive content, as ways of protecting themselves from online musical mayhem.

Trickbot’s latest activity
The Trickbot trojan has been observed using text from articles about President Trump’s impeachment to bypass the scanning engines of security software. For a successful attack, cybercriminals take harmless text from books or news articles and inject it into the malware in the hope that these strings will be whitelisted by security software.

Emotet scares Japanese users
A malspam campaign that warns targets about coronavirus infection reports is being used to actively distribute the Emotet trojan. The campaign is being used against Japanese users. The trojan is delivered via phishing emails that include subject lines written in the Japanese language.

Top Vulnerabilities Reported in the Last 24 Hours

Unpatched Code Snippets plugin
More than 200,000 WordPress sites are vulnerable to account takeover attacks due to a high-severity cross-site request forgery (CSRF) bug in the unpatched version of the Code Snippets plugin. The vulnerability is tracked as CVE-2020-8417 and has been patched in version 2.14.0 of the plugin.

Critical bug fixed in free OpenSMTPD email server
A critical remote code execution bug in the free OpenSMTPD email server has been fixed recently. Tracked as CVE-2020-7247, the flaw could be exploited to run shell commands with root privileges. It resides in the 'smtp_mailaddr()' function, which validates the addresses of the sender and the recipient.

Top Scams Reported in the Last 24 Hours

Fake Scott Morrison email scam
Scammers are impersonating senior officials and sending phishing emails to harvest personal data from users. The email uses a display name of ‘Hon Scott Morrison MP’ and contains an email address using the ‘@pm.gov.au’ domain. The body of the email contains an image of the PM and includes a heading that says ‘Invitation from the Prime Minister of Australia’. It also includes a link which, if clicked, takes the victim to a phishing site where private information would be requested.


Posted on: January 30, 2020
