Cyware Daily Threat Intelligence May 02, 2018


Top Malware Reported in the Last 24 Hours
LoJack attack
Security researchers have identified a new attack technique built on trojanized copies of LoJack, the laptop-recovery agent from Absolute Software. The samples are the legitimate agent with its hard-coded command and control (C&C) address patched to point at attacker-controlled domains. Because the genuine agent is whitelisted by many antivirus products, is reinstalled from a BIOS/UEFI module so that it survives an OS reinstall, and runs with system-level privileges, a modified copy gives an intruder a trusted and highly persistent foothold inside the target company's defenses. The C&C domains used by the samples had previously been tied to the Fancy Bear (APT28) group.

MassMiner exploits
MassMiner is a cryptocurrency-mining worm that spreads by exploiting CVE-2017-10271 (Oracle WebLogic Server), CVE-2017-0143 (the SMBv1 flaw used by EternalBlue) and CVE-2017-5638 (Apache Struts 2), and by brute-forcing logins to Microsoft SQL Servers with the SQLck tool. It first expands within the local network and only then propagates across the internet. Once installed, it configures the host to avoid detection and to ensure its own persistence.
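The SQL Server brute-force leg of the propagation described above leaves an obvious trail: a burst of "Login failed for user" lines (error 18456) from a single client address in the SQL Server ERRORLOG. The following is an added example written for this briefing, not code from the MassMiner analysis or from any tool. It parses constructed sample ERRORLOG lines (the addresses, timestamps and the threshold of five failures are assumptions) and flags any client whose failed logins reach the threshold.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CLIENTS 64
#define IP_LEN 46        /* room for an IPv6 literal */
#define THRESHOLD 5      /* assumption: this many failures from one client is flagged */

struct client_count {
    char ip[IP_LEN];
    int failures;
};

/* Constructed sample lines in the format SQL Server writes to ERRORLOG
 * (the "Error: 18456, Severity: 14, State: 8." line that precedes each one
 * in a real log is omitted for brevity). 10.0.0.23 models the worm's
 * local-network phase; 198.51.100.7 is a single genuine mistyped password. */
static const char *SAMPLE_LOG[] = {
    "2018-05-02 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
    "2018-05-02 10:15:01.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
    "2018-05-02 10:15:01.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
    "2018-05-02 10:15:01.48 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
    "2018-05-02 10:15:01.57 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.23]",
    "2018-05-02 10:16:44.02 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
    "2018-05-02 10:16:50.11 spid52      Starting up database 'msdb'.",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Pull the client address out of a failed-login line; returns 1 on success. */
static int parse_failed_login(const char *line, char *ip, size_t ip_len)
{
    const char *tag = "[CLIENT: ";
    const char *p, *end;
    size_t n;

    if (strstr(line, "Login failed for user") == NULL)
        return 0;
    p = strstr(line, tag);
    if (p == NULL)
        return 0;
    p += strlen(tag);
    end = strchr(p, ']');
    if (end == NULL)
        return 0;
    n = (size_t)(end - p);
    if (n == 0 || n >= ip_len)          /* refuse to copy a malformed or oversized field */
        return 0;
    memcpy(ip, p, n);
    ip[n] = '\0';
    return 1;
}

/* Tally failed logins per client; returns the number of distinct clients recorded. */
size_t count_failed_logins(const char *lines[], size_t nlines,
                           struct client_count *out, size_t max_clients)
{
    size_t nclients = 0, i, j;
    char ip[IP_LEN];

    for (i = 0; i < nlines; i++) {
        if (!parse_failed_login(lines[i], ip, sizeof ip))
            continue;
        for (j = 0; j < nclients; j++)
            if (strcmp(out[j].ip, ip) == 0)
                break;
        if (j == nclients) {
            if (nclients == max_clients)
                continue;               /* table full: drop rather than overflow */
            strcpy(out[j].ip, ip);      /* ip is already bounded by IP_LEN */
            out[j].failures = 0;
            nclients++;
        }
        out[j].failures++;
    }
    return nclients;
}

/* Failures recorded for one client, or 0 if that client never failed a login. */
int failures_for(const struct client_count *c, size_t n, const char *ip)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (strcmp(c[i].ip, ip) == 0)
            return c[i].failures;
    return 0;
}

/* Collect clients at or above the threshold; returns how many were flagged. */
size_t flag_bruteforce(const struct client_count *c, size_t n, int threshold,
                       const char *flagged[], size_t max_flagged)
{
    size_t i, nflagged = 0;
    for (i = 0; i < n && nflagged < max_flagged; i++)
        if (c[i].failures >= threshold)
            flagged[nflagged++] = c[i].ip;
    return nflagged;
}

/* Convenience wrappers that run the detector over the constructed sample. */
int sample_failures(const char *ip)
{
    struct client_count tbl[MAX_CLIENTS];
    size_t n = count_failed_logins(SAMPLE_LOG, SAMPLE_LOG_LEN, tbl, MAX_CLIENTS);
    return failures_for(tbl, n, ip);
}

size_t sample_flagged(int threshold)
{
    struct client_count tbl[MAX_CLIENTS];
    const char *flagged[MAX_CLIENTS];
    size_t n = count_failed_logins(SAMPLE_LOG, SAMPLE_LOG_LEN, tbl, MAX_CLIENTS);
    return flag_bruteforce(tbl, n, threshold, flagged, MAX_CLIENTS);
}

int main(void)
{
    struct client_count tbl[MAX_CLIENTS];
    const char *flagged[MAX_CLIENTS];
    size_t n = count_failed_logins(SAMPLE_LOG, SAMPLE_LOG_LEN, tbl, MAX_CLIENTS);
    size_t nflagged = flag_bruteforce(tbl, n, THRESHOLD, flagged, MAX_CLIENTS);
    size_t i;
    for (i = 0; i < nflagged; i++)
        printf("possible SQL brute force from %s\n", flagged[i]);
    return 0;
}
```

On a real ERRORLOG the same parser works on the output of `type ERRORLOG`, and a client address from the local subnet, as in the sample, is consistent with the worm's local-first propagation. Failed logins from the `sa` account in particular should be rare on a server that follows Microsoft's advice to disable it.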

Crypto-mining malware for IoT devices
According to a report from Trend Micro, crypto-mining malware targeting Internet of Things (IoT) devices is increasingly offered on dark-web marketplaces. Although smartphones and IoT devices have far less computing power than laptops and servers, criminals still develop such malware because these devices are easy targets and exist in very large numbers.

Top Vulnerabilities Reported in the Last 24 Hours
Privilege escalation bug in Linux Kernel
Security researchers have disclosed an eight-year-old vulnerability, CVE-2018-8781, in the Linux kernel. The bug is an integer overflow in the mmap handler of the udl (DisplayLink USB display) DRM driver: the check that a requested mapping lies inside the framebuffer adds the caller-supplied offset to the mapping size, and a very large offset wraps that sum around to a small value so the check passes. A local user who can open the device can then map kernel physical memory for reading and writing and escalate to root. The fix rewrites the bounds check so that it cannot overflow.
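To make the bug class behind CVE-2018-8781 concrete, here is an added illustration written for this briefing, not the kernel's own code: a framebuffer-sized buffer, the overflowing bounds check of the form `offset + size > len`, and the corrected form that tests `size > len || offset > len - size`. The buffer length is a constructed value standing in for what the driver reads from the device, and the page size is assumed to be 4 KiB.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SHIFT 12                                    /* assumption: 4 KiB pages */
#define SMEM_LEN   ((unsigned long)8u * 1024u * 1024u)   /* constructed: 8 MiB framebuffer */

/* Vulnerable pattern. pgoff is chosen by the caller of mmap(); when
 * offset is close to ULONG_MAX the sum offset + size wraps to a small
 * number, so an out-of-range mapping is accepted. */
bool mmap_check_vulnerable(unsigned long pgoff, unsigned long size,
                           unsigned long smem_len)
{
    unsigned long offset = pgoff << PAGE_SHIFT;
    if (offset + size > smem_len)
        return false;           /* the driver would return -EINVAL here */
    return true;
}

/* Hardened pattern. Reject a size larger than the buffer first; after that
 * smem_len - size cannot underflow, and comparing offset against it never
 * involves an addition that could wrap. */
bool mmap_check_fixed(unsigned long pgoff, unsigned long size,
                      unsigned long smem_len)
{
    unsigned long offset = pgoff << PAGE_SHIFT;
    if (size > smem_len || offset > smem_len - size)
        return false;
    return true;
}

/* The page offset an attacker passes to mmap() to trigger the wraparound:
 * the largest pgoff representable, so offset becomes ULONG_MAX & ~(PAGE-1). */
unsigned long wraparound_pgoff(void)
{
    return ULONG_MAX >> PAGE_SHIFT;
}

int main(void)
{
    unsigned long pgoff = wraparound_pgoff();
    unsigned long size = 2UL << PAGE_SHIFT;           /* two pages */

    printf("offset + size wraps to 0x%lx\n", (pgoff << PAGE_SHIFT) + size);
    printf("vulnerable check accepts it: %d\n", mmap_check_vulnerable(pgoff, size, SMEM_LEN));
    printf("fixed check accepts it:      %d\n", mmap_check_fixed(pgoff, size, SMEM_LEN));
    return 0;
}
```

The same `offset > len - size` shape is the one to reach for whenever a bounds check combines two attacker-influenced unsigned values; it is also what compilers and static checkers will not flag for you, since unsigned wraparound is defined behaviour in C.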

Critical RCE flaw in Schneider Electric
A critical remote code execution vulnerability has been discovered in Schneider Electric's InduSoft Web Studio and InTouch Machine Edition, HMI/SCADA products that are widely deployed in power and manufacturing plants. An unauthenticated attacker who can reach the affected service over the network could execute code with high privileges, exposing those plants to compromise. Users are advised to upgrade to InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 immediately.

Multiple vulnerabilities in PHP
The PHP project has released a series of updates fixing up to 40 vulnerabilities across four supported branches of the PHP (PHP: Hypertext Preprocessor) server-side scripting language. Affected versions are PHP 7.2 prior to 7.2.5, PHP 7.1 prior to 7.1.17, PHP 7.0 prior to 7.0.30, and PHP 5.6 prior to 5.6.36.



Posted on: May 02, 2018
