Welcome to the Ironshare Cyber Round-up, where we look back at the events of the last week and cover some of the news, posts, views, and highlights from the world of Security.
In this week’s round-up:
Antivirus developer Avast recently joined forces with French law enforcement to take down Retadup's command and control servers, which were found to be located in France. Avast malware analysts discovered a flaw in the server's communication protocol that they used to take it over. The exploit allowed them to instruct the malware to delete itself from the victims' computers; researchers revealed that in doing so, 850,000 computers were disinfected. 85% of the infected computers were located in Latin America, 35% of which were in Peru. During this takeover Avast discovered that the malware had evolved into a cryptomining scheme, but they are unsure exactly how much money the group made.
By ZDNet.com
A group of hackers with ties to the Chinese government has been seen attempting to steal medical research, specifically cancer research, from US institutions; US-based cybersecurity firm FireEye has reported multiple attacks targeting cancer-related research. Chinese corporations are trying desperately to control costs in the healthcare industry, which is a strong motive to target western medical research. Being the first to supply new drugs allows them to set standards and control the market. Smaller companies, despite not being the best in the industry, are perfect targets due to their reduced security. The healthcare industry holds the second-highest number of breaches in recent years, and is becoming an increasingly popular target for state-sponsored hackers competing in the pharmaceutical market.
By TechNewsWorld.com
Magecart groups, who were behind the attacks on Ticketmaster and British Airways, have hit again; this time they're targeting eCommerce sites running outdated plugins. The hacker affiliation has taken advantage of 80 major eCommerce sites that were all running a vulnerable version of the Magento plugin. The group uses a virtual credit-card skimmer that steals card information from within a web application; this information is typically sold on the black market. The names of the companies affected by this attack have not been disclosed to the public, but the organisations have been informed so that they can update their sites.
By ThreatPost.com
A new phishing campaign has begun causing trouble, and people are having difficulty spotting it. The idea of phishing is to look legitimate to the victim, which is what this new campaign excels at. Attackers are using Microsoft's 365 login page with the target's company branding included. As well as using a seemingly benign login page, the attackers are also hosting their phishing pages on Microsoft's Azure cloud storage. Almost everything about these attacks seems perfectly normal, and they are reportedly still active. Always be careful when opening emails unless you are certain they are safe.
By BleepingComputer.com
Imperva, a popular internet firewall services provider, has disclosed news of a data breach which is said to include the email addresses, scrambled passwords, API keys and SSL certificates of a large portion of its customers. Reports suggest that the breach only affects those using the company's cloud-based Web Application Firewall, Incapsula. Using the exposed data, an attacker could reportedly reduce the security of a site's traffic and essentially whitelist themselves; this would give them the freedom to openly attack the website without interruption. Imperva released a list of mitigation steps for Incapsula users to protect them from the threat of the breach; these steps are included in the original post.
By KrebsOnSecurity.com
Google have discovered a high severity vulnerability in the Chrome browser that demands immediate attention. The flaw exists in Blink, Chrome's open-source browser engine, and could allow a remote attacker to execute arbitrary code on a target computer and potentially bypass the machine's security restrictions. For the flaw to be exploited, a user must visit, or be redirected to, a crafted web page from which the attacker can remotely access the victim's computer. This vulnerability affects version 76.0.3809.132 and earlier. Users are advised to update to the latest version to protect against this exploit.
By ThreatPost.com
Researchers have discovered an ongoing campaign that is actively exploiting a number of WordPress plugin vulnerabilities. Traffic to the victims' websites is being redirected to a variety of potentially harmful locations with the help of these exploits. The flaws allow an unauthenticated visitor to send AJAX requests that modify the site's settings; this is how the attacker redirects the traffic. WordPress announced that updates for all affected plugins are now available and recommends applying these updates as soon as possible. A list of all affected plugins is included in the original post.
By ThreatPost.com
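The defect described above is a plugin AJAX handler that changes a setting for anyone who can reach it. The following is an added illustration, not code from any of the affected plugins or from WordPress itself: a hypothetical handler of that weak shape beside a hardened version that uses WordPress's own nonce and capability checks (the `example_` hook and option names are assumed).

```php
<?php
// Added illustration (hypothetical plugin code, not from the page or any named plugin).
// Both handlers save a redirect URL setting via admin-ajax.php.

// WEAK: registered for logged-out visitors (the nopriv hook) and writes the option
// with no capability check, no nonce and no validation. Anyone who can reach
// admin-ajax.php can repoint where the site sends its visitors.
add_action('wp_ajax_nopriv_example_save_redirect', 'example_save_redirect_weak');
function example_save_redirect_weak() {
    update_option('example_redirect_url', $_POST['url']);
    wp_send_json_success();
}

// HARDENED: no nopriv hook (logged-in users only), administrators only,
// a valid nonce is required, and only http(s) URLs are accepted.
add_action('wp_ajax_example_save_redirect', 'example_save_redirect_hardened');
function example_save_redirect_hardened() {
    // Verifies the 'nonce' POST field for this action; dies with -1 on failure.
    check_ajax_referer('example_save_redirect', 'nonce');

    // Settings changes need the same capability the Settings screens require.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }

    // Restrict the stored value to an http/https URL; esc_url_raw() returns ''
    // for anything else (javascript:, data:, malformed input).
    $url = isset($_POST['url'])
        ? esc_url_raw(wp_unslash($_POST['url']), array('http', 'https'))
        : '';
    if ($url === '') {
        wp_send_json_error('invalid url', 400);
    }

    update_option('example_redirect_url', $url);
    wp_send_json_success(array('url' => $url));
}
```

Auditing a site for handlers registered on `wp_ajax_nopriv_*` hooks that call `update_option()` is a quick way to find this pattern in installed plugins.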
And that's it for this week's round-up; please don't forget to tune in for our next instalment.
Edition #56 – 30th Aug 2019
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.