Cyber Round-up for 30th August
Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Antivirus developer Avast recently joined forces with French law enforcement to take down Retadup’s command and control servers, which were found to be located in France. Avast malware analysts discovered a flaw in the server’s communication protocol, which they used to take it over. The exploit allowed them to instruct the malware to delete itself from victims’ computers; researchers revealed that, in doing so, 850,000 computers were disinfected. 85% of the infected computers were located in Latin America, 35% of which were in Peru. During this takeover Avast discovered that the malware had evolved into a cryptomining scheme, but they are unsure exactly how much money the group made.
A group of hackers with ties to the Chinese government has been seen attempting to steal medical research, specifically cancer research, from US institutions; US-based cybersecurity firm FireEye has reported multiple attacks targeting cancer-related research. Chinese corporations are trying desperately to control costs in the healthcare industry, which is a strong motive to target western medical research: being the first to supply new drugs allows them to set standards and control the market. Smaller companies, despite not being the best in the industry, are perfect targets due to their weaker security. The healthcare industry holds the second-highest number of breaches in recent years, and is becoming an increasingly popular target for state-sponsored hackers competing in the pharmaceutical market.
Magecart groups, who were behind the attacks on Ticketmaster and British Airways, have struck again; this time they are targeting eCommerce sites running outdated plugins. The group has taken advantage of 80 major eCommerce sites that were all running a vulnerable version of the Magento plugin. The group uses a virtual credit-card skimmer that steals card information from within the web application; this information is typically sold on the black market. The names of the companies affected by this attack have not been disclosed to the public, but the organisations have been informed so that they can update their sites.
A new phishing campaign has begun causing trouble, and people are having difficulty spotting it. The idea of phishing is to look legitimate to the victim, and this is what the new campaign excels at. Attackers are using Microsoft’s 365 login page with the target’s company branding included. As well as using a seemingly benign login page, the attackers are also hosting their phishing pages on Microsoft’s Azure cloud storage. Almost everything about these attacks seems perfectly normal, and they are reportedly still active. Always be careful when opening emails unless you are certain they are safe.
Imperva, a popular internet firewall services provider, has disclosed a data breach which is said to include the email addresses, scrambled passwords, API keys and SSL certificates of a large portion of its customers. Reports suggest that the breach only affects those using the company’s cloud-based Web Application Firewall, Incapsula. Using the exposed data, an attacker could reportedly reduce the security of a site’s traffic and essentially whitelist themselves; this would give them the freedom to attack the website openly without interruption. Imperva released a list of mitigation steps for Incapsula users to protect them from the threat of the breach; these steps are included in the original post.
Vulnerabilities & Updates
Google have discovered a high severity vulnerability in the Chrome browser that demands immediate attention. The flaw exists in Blink, Chrome’s open-source browser engine, and could allow a remote attacker to execute arbitrary code on a target computer and potentially bypass the machine’s security restrictions. For the flaw to be exploited, a user must visit, or be redirected to, a crafted web page from which the attacker can remotely access the victim’s computer. This vulnerability affects version 76.0.3809.132 and earlier. Users are advised to update to the latest version to protect against this exploit.
Researchers have discovered an ongoing campaign that is actively exploiting a number of WordPress plugin vulnerabilities. Traffic to victims’ websites is being redirected to a variety of potentially harmful locations with the help of these exploits. The flaws allow an unauthenticated visitor to send AJAX requests that modify the site’s settings; this is how the attacker redirects the traffic. WordPress announced that updates for all affected plugins are now available and recommends applying these updates as soon as possible. A list of all affected plugins is included in the original post.
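To make that mechanism concrete, here is an added example (not code from any of the affected plugins, which the post does not name): a WordPress AJAX settings handler of the vulnerable shape described above, beside a hardened version. The hook, option and field names are hypothetical.

```php
<?php
// Added illustration of the bug class; hook, option and field names are hypothetical.

// VULNERABLE: registered for logged-out visitors (wp_ajax_nopriv_) and it writes
// an option without checking a nonce or the caller's capability, so any visitor
// can point the site's redirect target wherever they like.
add_action( 'wp_ajax_nopriv_example_save_redirect', 'example_save_redirect_vulnerable' );
add_action( 'wp_ajax_example_save_redirect', 'example_save_redirect_vulnerable' );
function example_save_redirect_vulnerable() {
    update_option( 'example_redirect_url', $_POST['redirect_url'] );
    wp_send_json_success();
}

// HARDENED: no nopriv hook, so only logged-in users reach the handler; the
// request must carry a valid nonce; the user must be allowed to manage options;
// and the value is unslashed, sanitised and restricted to http(s) URLs.
add_action( 'wp_ajax_example_save_redirect_secure', 'example_save_redirect_hardened' );
function example_save_redirect_hardened() {
    check_ajax_referer( 'example_save_redirect', 'nonce' ); // dies with 403 on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $url = isset( $_POST['redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['redirect_url'] ), array( 'http', 'https' ) )
        : '';
    if ( '' === $url ) {
        wp_send_json_error( 'invalid url', 400 );
    }
    update_option( 'example_redirect_url', $url );
    wp_send_json_success();
}

// The admin page that sends the request must mint the matching nonce with
// wp_create_nonce( 'example_save_redirect' ) and post it in the 'nonce' field.
```

When reviewing a plugin, the quick check is every `wp_ajax_nopriv_` hook whose callback reaches `update_option()` or another write without a capability and nonce check.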
And that’s it for this week’s round-up; please don’t forget to tune in for our next instalment.
Edition #56 – 30th Aug 2019