2017-6-5 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

  • A new publication written by Check Point researchers describes Fireball, a malware targeting web browsers and hijacking them for monetizing purposes. The malware, which is estimated to have infected over 250 million devices and over 20% of all networks worldwide, conducts changes in the browser such as changing the default homepage and search engine, and other browser content and DNS manipulations. Fireball is estimated to be used for advertising purposes, but can also be used to
    run any arbitrary code on infected machines or download any additional malware. The malware was seen being downloaded via bundling with freeware.
  • Threat actors have managed to compromise one of Stanford University’s websites by successfully exploiting a WordPress vulnerability by uploading a malicious web shell. The website has been compromised for over four months and contained malicious files and links to fake web pages phishing for Office 365, Gmail and other credentials.
    Check Point IPS blade provides protection against this threat (WordPress Suspicious File Upload)
  • The popular Hotel booking site Hotels.com has suffered a security breach. The attackers have managed to steal users’ sensitive information such as usernames, passwords and email addresses. The company assured the customers that full credit card information was not compromised.
  • The University of Alaska has fallen victim to a successful phishing scam which led to the theft of sensitive information of almost 25,000 students, staff, and faculty members, as some employees were tricked to press a link to a legitimate looking material inside an email message.
  • The popular password manager and single sign-on provider OneLogin, has suffered a security breach. In the breach, sensitive information of customers was compromised.

VULNERABILITIES AND PATCHES

  • Zusy malware has started exploiting a vulnerability in .ppsx – Microsoft PowerPoint Open XML Slide Show files. In these attacks, a link is being accessed by merely hovering it, sparing the hackers’ need for victims to click links or enable macros.
  • New Shodan scan results have revealed nearly 4,500 servers that are using unprotected Hadoop Distributed File System (HDFS), making their data exposed and vulnerable for ransom attacks.
  • Security researchers have found a new vulnerability in the SELinux app dubbed CVE-2017-1000367. A local user with privileges to execute commands via sudo could use this flaw to escalate their privileges
    to root.
  • WikiLeaks has released a new CIA tool called Pandemic. This tool infects Windows machines by using the Server Message Block (SMB) file sharing protocol.

THREAT INTELLIGENCE REPORTS

  • Security researchers have found evidence of a new campaign initiated by threat actors attempting to spread the QakBot banking Trojan. This is a financial malware that has the worm-like ability to spread inside network through shared folders and removable media.
  • ETERNALBLUE, the SMB exploit that was used by WannaCry ransomware, has been found by security researchers to be used by other malware families in the wild.
  • Security researchers have posted the conclusions of a new unique research aiming to check the method of operation of attackers in the Dark Web. The researchers show that criminals have the tendency to compromise systems run on the Dark Web by other criminal organizations or individuals.