CyberIntelMag's Weekly Cyber Threat Report

Weekly Cyber Threat Report, March 15-19

Welcome to CyberIntelMag’s weekly roundup! A place where you can read the most important stories in the cybersecurity world from the past week.

From the good news:

This week we’ve seen new cumulative updates and a security tool from Microsoft to protect from spreading attacks on its Exchange Servers, an FBI advisory for schools, the first-ever advisory for nurseries and childminders about cyber-attacks, and more.

  • CISA released the CISA Hunt and Incident Response Program (CHIRP) – a tool that detects malicious activity associated with the SolarWinds compromises on on-premises systems.
  • The FBI released an advisory about a spike in attacks against US and UK schools in which attackers use ransomware to steal data and demand a ransom. Meanwhile, the UK government’s National Cyber Security Centre (NCSC) issued the first-ever advisory for nurseries and childminders about the dangers of cyber-attacks.
  • Microsoft released Exchange Server 2016 and 2019 cumulative updates (CUs) that address the four ProxyLogon critical flaws and called them the most complete mitigation available. Earlier this week, Microsoft released a tool for mitigating the ProxyLogon vulnerabilities in Microsoft Exchange Servers prior to patching and recommended using the new script over the previously released ExchangeMitigations.ps1 script.
  • Trustwave analyzed China Chopper, a web shell used by Hafnium, and called it a “slick little web shell that does not get enough exposure and credit for its stealth.”

From the bad news:

This week brought more attacks on Microsoft Exchange Servers, flaws in popular WordPress plugins, new malware, a novel way attackers use to hide their activity, and more.

  • Avast researchers discovered that over 30 hacker groups are using a malware crypter called OnionCrypter. The crypter uses multiple layers of encryption to evade detection.
  • VMware on Thursday announced its acquisition of Mesh7, a company that secures cloud-native applications. VMware will integrate Mesh7’s product with the VMware Tanzu Service Mesh to better “understand which applications components are talking to which using APIs.”
  • Cisco reported it patched a vulnerability in the RV132W ADSL2+ Wireless-N VPN Routers and RV134W VDSL2 Wireless-AC VPN Routers. The flaw could allow an attacker to execute code or restart affected devices unexpectedly.
  • Tutor LMS, a popular WordPress learning-management-system plugin used for teacher-student communication, had SQL-injection vulnerabilities, Wordfence reported.
  • Jannis Kirschner, an independent security researcher from Switzerland, found, while googling, malware disguising itself as the popular messaging application Telegram.
  • We saw two new phishing campaigns. In one – reported by Area1 Security – attackers lure victims with Microsoft Office 365-themed emails in an attempt to capitalize on the hype surrounding the SolarWinds attacks.
  • In another phishing campaign, reported by MalwareHunterTeam, attackers used JavaScript to check whether the victim is visiting the website from a headless machine, in order to evade detection.
  • U.S. District Court in Seattle charged Till Kottmann, who hijacked footage from Verkada video cameras, with “computer intrusion and identity and data theft activities spanning 2019 to the present.” 
  • Swiss cybersecurity firm Prodaft reported a novel form of sandboxing: cyberattackers from the SilverFish group are using a victim’s own network to determine the detection rates of their payloads.
  • Chile’s Comisión para el Mercado Financiero (CMF) was the latest victim of the ProxyLogon flaws in Microsoft Exchange Server this week.
  • A new malware, dubbed by Proofpoint researchers as CopperStealer, was reported targeting the users of Google, Amazon, Facebook, and Apple to steal their accounts. 
  • SentinelLabs reported a flaw in Xcode that allowed hackers to inject malware, dubbed XcodeSpy, into Xcode projects. Cybercriminals exploit the Run Script feature in the IDE to attack iOS developers.
  • Microsoft reported it is investigating whether one of its MAPP program partners was the source of a leak that led to the exploitation of vulnerabilities in Exchange Servers. It is possible that Microsoft’s cybersecurity partner in China leaked Microsoft’s PoC code, after which the attacks started.
  • As PoC exploits for ProxyLogon flaws in Microsoft Exchange Servers are posted online, researchers warn cyber-activity against Microsoft Exchange Servers is likely to accelerate.
  • Palo Alto reported a new Mirai variant that was targeting known flaws in D-Link, Netgear, and SonicWall devices as well as previously undiscovered flaws in IoT devices.
  • Sucuri reported a novel method hackers use to steal payment card data from online stores in which the bad actors hide it in a JPG image stored on the compromised website.
  • The Spanish police seized an app that broadcasted pirate video streams and secretly sold users’ personal data and turned smartphones into proxies and DDoS botnets.
  • Cybereason reported that attackers looking for quick money during this year’s tax season are targeting US taxpayers with the NetWire and Remcos trojans.
  • Two Polish government websites were hacked to spread false information about a radioactive cloud from Lithuania threatening citizens in Poland. 
  • Wordfence researchers found critical flaws in two popular WordPress plugins – Elementor and WP Super Cache – through which a total of 7 to 9 million websites could have been compromised.
  • Hackread reported a leaked database that included administrator, WordPress, and cloud login credentials in plain-text format; however, no credit card numbers or VCC numbers had been stolen or leaked.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.