
Cyware Daily Threat Intelligence, March 25, 2019


Cybercriminals are indeed smitten by the potential of the AZORult banking trojan. The trojan, first observed in 2016, has now been enhanced with new capabilities. Security researchers are calling this new variant ‘AZORult++’ because it is written in C++. The malware’s capabilities include harvesting users’ credentials, browser history and cookies. This all-new AZORult++ trojan has been observed targeting enterprises in Russia and India.

In the realm of data breaches, the United States Federal Emergency Management Agency has inadvertently shared sensitive data of more than 2 million US disaster survivors with one of its contractors. The incident affected victims who had sought temporary housing after Hurricanes Harvey, Irma and Maria and a series of California wildfires in 2017. The information exposed in the data breach includes applicants' names, dates of birth, disaster numbers and eligibility time frame.

In another incident, Kanopy, a popular video-streaming site, has fixed a misconfigured ElasticSearch database that was leaking personal information of its users. The leaky database reportedly contained between 25 and 40 million daily logs. Also, a cyber attack at the Dubai British School, Jumeirah Park (DBS JP), has resulted in the compromise of the school’s complete network. The attackers used a password-spraying technique to gain access to the network and compromise a number of staff email accounts.

Top Breaches Reported in the Last 24 Hours

FEMA data leak
The United States Federal Emergency Management Agency has inadvertently shared the personal and banking information of over 2 million US disaster survivors with one of its contractors. Those affected in the incident include the victims of the California wildfires (2017) and Hurricanes Harvey, Irma and Maria (2017). The data exposed includes applicants' names, dates of birth, disaster numbers and eligibility time frame.

Dubai British School suffers an attack
The Dubai British School, Jumeirah Park (DBS JP) has suffered a cyber attack. The attackers leveraged a password-spraying technique (a few common passwords tried across many accounts, keeping per-account failures below lockout thresholds) to gain control over the network. They managed to compromise a number of staff email accounts. Upon discovery, the school alerted parents about the incident. In addition, it has reset the passwords of all compromised accounts.
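The defining signature of a password spray is the inverse of a classic brute force: one source touches many distinct accounts with only one or two failures each, so per-account lockout never fires. The following detector, an added example that is not from the original post and not tied to the school's systems, runs over a constructed authentication log in an assumed `<timestamp> <FAIL|OK> user=<account> src=<ip>` layout. It groups failures by source address, slides a time window over them, and raises an alert when a source fails against at least `min_accounts` distinct accounts inside the window; it also lists any successful logins from that source after the spray started, which is the case that needs an immediate password reset.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format; not real school data).
# 203.0.113.7 sprays five accounts in seconds, then succeeds as "frank".
# 198.51.100.2 hammers a single account (brute force, not a spray).
SAMPLE_LOG = """\
2019-03-24T08:00:01 FAIL user=alice src=203.0.113.7
2019-03-24T08:00:03 FAIL user=bob src=203.0.113.7
2019-03-24T08:00:05 FAIL user=carol src=203.0.113.7
2019-03-24T08:00:07 FAIL user=dave src=203.0.113.7
2019-03-24T08:00:09 FAIL user=erin src=203.0.113.7
2019-03-24T08:00:11 OK user=frank src=203.0.113.7
2019-03-24T08:01:00 FAIL user=alice src=198.51.100.2
2019-03-24T08:01:02 FAIL user=alice src=198.51.100.2
2019-03-24T08:01:04 FAIL user=alice src=198.51.100.2
2019-03-24T08:01:06 FAIL user=alice src=198.51.100.2
2019-03-24T08:01:08 FAIL user=alice src=198.51.100.2
2019-03-24T09:30:00 FAIL user=grace src=192.0.2.9
"""


def parse_line(line):
    """Parse one assumed-format log line into a dict."""
    ts, result, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: {...}} for sources that fail against >= min_accounts
    distinct accounts within any `window`-long span.  Thresholds are
    illustrative and should be tuned to the environment."""
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e["ts"],
    )
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in fails_by_src.items():
        best, start = 0, 0
        # Sliding window over this source's failures (already time-ordered).
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in fails[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_accounts:
            first_fail = fails[0]["ts"]
            # Successful logins from the same source after the spray began:
            # these accounts are the ones to treat as compromised.
            later_ok = [
                e["user"] for e in events
                if e["src"] == src and e["result"] == "OK" and e["ts"] >= first_fail
            ]
            alerts[src] = {"distinct_accounts": best, "later_successes": later_ok}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {info['distinct_accounts']} accounts, "
              f"later successes: {info['later_successes']}")
```

The single-account source is deliberately not reported here: it is a brute-force pattern that per-account lockout already handles, whereas the spray only shows up when failures are correlated by source rather than by account.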

Kanopy data leak
Video-streaming site Kanopy has fixed a leaking ElasticSearch server that exposed the sensitive data of its users. The misconfigured database reportedly contained between 25-40 million daily logs. The logs contained information such as users' geographical information, timestamp and device types.

Top Malware Reported in the Last 24 Hours

BokBot's core module
Researchers have published a step-by-step analysis of the inner workings of the BokBot proxy module. The banking trojan, which was first observed in April 2017, is able to augment its capabilities by retrieving several modules, including the one that runs a local proxy server. This proxy module is later injected into a spawned svchost child process in order to initialize the infection process. The proxy server is attached to the address 127[.]0[.]0[.]1 on TCP port 57391. BokBot is a complex piece of malware which is used to steal sensitive information from users.
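A host-side check that falls out of the write-up above: `svchost.exe` hosting a listening socket on a loopback port outside the service baseline is worth an alert. The script below is an added example, not part of the original article or the published analysis; it parses a constructed block of text in the layout of Windows `netstat -ano` output together with an assumed PID-to-image map (what `tasklist` would supply), and flags listeners owned by `svchost.exe` whose port is not in a placeholder baseline set. The port 57391 is the one reported for BokBot; the baseline set and the process list are assumptions for the demonstration.

```python
# Constructed sample in the layout of `netstat -ano` (not a real capture).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       800
  TCP    127.0.0.1:57391        0.0.0.0:0              LISTENING       1234
  TCP    127.0.0.1:49670        0.0.0.0:0              LISTENING       2222
  TCP    192.0.2.10:50012       198.51.100.5:443       ESTABLISHED     2222
"""

# Constructed PID -> image name map (hypothetical, as `tasklist` would report).
SAMPLE_PROCS = {800: "svchost.exe", 1234: "svchost.exe", 2222: "chrome.exe"}

# Placeholder baseline of ports svchost-hosted services are expected to
# listen on in this environment (135 = RPC endpoint mapper). Tune per fleet.
SVCHOST_BASELINE_PORTS = {135}


def parse_listeners(netstat_text):
    """Yield (proto, local_addr, local_port, pid) for LISTENING sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].upper() != "TCP":
            continue
        proto, local, _foreign, state, pid = fields
        if state != "LISTENING":
            continue
        addr, port = local.rsplit(":", 1)  # rsplit keeps IPv6 addresses intact
        yield proto, addr, int(port), int(pid)


def find_suspicious_listeners(netstat_text, procs, baseline=SVCHOST_BASELINE_PORTS):
    """Return listeners owned by svchost.exe that bind a non-baseline port.
    Loopback binds are reported too, since BokBot's proxy binds 127.0.0.1."""
    hits = []
    for proto, addr, port, pid in parse_listeners(netstat_text):
        image = procs.get(pid, "").lower()
        if image == "svchost.exe" and port not in baseline:
            hits.append({"pid": pid, "addr": addr, "port": port, "proto": proto})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PROCS):
        print(f"svchost.exe pid {hit['pid']} listening on {hit['addr']}:{hit['port']}")
```

In practice the baseline should be built from a known-clean image of the same Windows build, and an alert should be enriched with the process's parent and command line, since a legitimate svchost instance carries a `-k` service group argument that an injected child typically does not.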

AZORult++ trojan
A new variant of AZORult, dubbed AZORult++, has recently been detected by researchers. The malware is written in C++ and is capable of amassing credentials, browser history and cookies. The collected data is then sent to the attackers' command-and-control (C2) server. The malware is reportedly used to target victims in Russia and India. Like AZORult 3.3, AZORult++ uses an XOR encryption scheme to encrypt data before sending it to the C2 server.

Top Vulnerabilities Reported in the Last 24 Hours

36 new flaws in the LTE protocol
Security researchers have discovered 51 security flaws in the Long-Term Evolution (LTE) protocol. Of these, 36 have been identified as new flaws. These vulnerabilities can allow attackers to carry out a series of nefarious activities such as disrupting mobile base stations, blocking incoming calls and sending spoofed messages.

Flaws in JSOs
Attackers can leverage vulnerabilities in Java Serialized Objects (JSOs) to gain remote control of systems running Java applications. Many bugs that abuse JSOs have been found in enterprise products such as Oracle WebLogic, IBM WebSphere, Cisco Secure Access Control System (ACS), HPE Intelligent Management Center (IMC), and VMware's vSphere Integrated Containers.

A flaw in Font_Organizer plugin
A flaw in the Font_Organizer WordPress plugin can enable attackers to launch a Reflected XSS attack. A successful attack can enable the attackers to execute malicious JavaScript on the affected sites. It can also enable attackers to bypass CSRF protection and perform any actions that a legitimate user can do on a WordPress site.

Tags

lte protocol
azorult trojan
kanopy data leak
bokbot proxy module
java serialized objects jsos

Posted on: March 25, 2019
