Wordfence Weekly May 29 2019 – June 04 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Wave of SIM swapping attacks hit US cryptocurrency users

    SIM swapping attacks, where an attacker manages to hijack control of a victim’s phone number, have been used to victimize tens of cryptocurrency users in the US.

  • 50k Servers Infected with Cryptomining Malware in Nansh0u Campaign

    A rapidly-expanding campaign has infected 50,000 servers with malware that mines an open source cryptocurrency called TurtleCoin.

New Vulnerabilities

Name: ConvertPlus <= 3.4.2 – Unauthenticated Arbitrary User Role Creation
Description: Unauthenticated attackers can register new users with administrator permissions when a vulnerable version is active.
Type: A5 – Broken Access Control

Most Common Malicious Files

Malware samples identified on the greatest count of unique sites.

MD5                              | Signature                       | Description                                      | File Names
C62180F0D626D92E29E83778605DD8BE | Suspicious:PHP/eval_exit.92     | Obfuscated PHP backdoor.                         | Various .php names like sq.php and wp-cache.php
14CF24A13ECAF2783B0265088C30AE85 | Suspicious:PHP/botfilter.6413   | Script used by phishing kits to block watchdogs. | antibots.php, bt.php
446ABEFA504998F144A7AE906A173978 | Suspicious:PHP/rot13_of_eval.95 | Obfuscated, password-protected PHP backdoor.     | Generated .php names like b9448c1c.php
BF3A65A77DA363AC779A2C45FD2DA2FF | Suspicious:PHP/eval_exit.92     | Obfuscated PHP backdoor.                         | common_config.php
048648D9755220E727E7E0178837F7BF | Backdoor:PHP/561C.110           | Obfuscated PHP backdoor.                         | amp3.php, sib.php, wpfunck.php

IPs Attacking Most Sites

Rank | Prev. | IP Address | ASN                                                          | Country
1    | 5     |            | 14061 (DigitalOcean, LLC)                                    | United Kingdom (UK)
2    | 1     |            | 50896 (Trusov Ilya Igorevych)                                | Poland (PL)
3    |       |            | 12876 (Online S.a.s.)                                        | France (FR)
4    |       |            | 16276 (OVH SAS)                                              | Canada (CA)
5    |       |            | 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd)  | China (CN)
6    | 8     |            | 16276 (OVH SAS)                                              | Canada (CA)
7    | 3     |            | 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd)  | China (CN)
8    |       |            | 16276 (OVH SAS)                                              | Canada (CA)
9    |       |            | 16276 (OVH SAS)                                              | France (FR)
10   | 10    |            | 16276 (OVH SAS)                                              | France (FR)

New Tracked Domains

Domain Name              | Date Added | Current Status        | Notes
traveltogandi.com        | 05/29/2019 | Up                    | Serving JS malware from /stats.js
funysmile102.life        | 06/03/2019 | Down as of 06/04/2019 | Associated with spam links.
css.developmyredflag.top | 06/04/2019 | Down as of 06/04/2019 | Serving JS malware.
