A weekly report of noteworthy threat data by the Defiant threat intelligence team.
In this Wordfence Weekly we share five new domains which have been added to our blacklist for their association with spamming and malvertising. A slightly modified variant of WP-VCD's wp-tmp.php script reaches the top of the malware chart, while the rest of the chart has remained stable from previous weeks. Lastly, several new IP addresses have reached the top ten attacking hosts during a week in which the Wordfence firewall detected a notable surge in activity.
This edition of Wordfence Weekly includes a number of vulnerabilities recently patched in WordPress core version 5.2.3. All WordPress users should ensure this security patch has been applied as soon as possible. WP-VCD and related malware still hold the top spots among the most common new infections, while most of the top attacking IP addresses have rotated out.
This week's Wordfence Weekly sees a continued trend of new WP-VCD infections taking over the Most Common New Infections chart. In Attacking IPs, the top two addresses from last week retain their positions while the rest of the list contains new IPs from a variety of hosts. Additionally, we're tracking some new malvertising domains as well as a MySQL host used by attackers taking over unfinished WordPress installs.
In this Wordfence Weekly, we've got a Directory Traversal vulnerability in the highly popular WP Fastest Cache plugin. In the malware rankings, we see a number of samples associated with the WP-VCD SEO spam campaign as well as more PHP backdoor scripts. Also, this week's attacking IP rankings have returned to a typical spread of activity, with attacks from OVH SAS and DigitalOcean servers dominating the board.
The prevalence of attacks from US-based host QuadraNet continues in this edition of Wordfence Weekly. Additionally, a few new noteworthy vulnerabilities have popped up, which are each seeing their own attacks. In particular, we've begun tracking some new domains associated with malicious redirects.
This week, the list of the top IPs attacking WordPress sees a sudden appearance of seven addresses from the US-based hosting provider QuadraNet Enterprises LLC. In the tracked domains, we've added some illegitimate download sites referenced in malicious samples discovered by our site cleaning team.
July's final Wordfence Weekly sees some news items regarding Marcus Hutchins' sentencing and a data breach from Capital One. Under the week's new tracked domains, we list xn--google-analytcs-xpb[.]com, a punycode domain masquerading as a Google Analytics domain when decoded. Malware trends and common attacking IPs remain stable, though OVH SAS's longtime domination of the attacking IP rankings continues to wane.
This week's Wordfence Weekly shows an increase in US-based attack traffic, including an IP from popular web host GoDaddy. We're also seeing a rise in infected sites where the PHP webshell "Ironshell" is present. In the news, Equifax is slated to pay a settlement following its 2017 data breach and the nation of Kazakhstan is attempting to man-in-the-middle the internet traffic of its citizens.
This week saw an uptick in malicious network activity from Chinese hosts, while IPs associated with OVH SAS have begun to pull back. We've begun tracking new domains associated with malvertising campaigns, while familiar backdoor scripts remain the top new infections of the week. In the news, an Instagram access control flaw could have allowed hackers to take over any account, and Apple put its foot down by removing hidden, vulnerable webservers from Zoom clients.
This week, a new XSS flaw in Yoast was disclosed. Updating the plugin will resolve the issue, which could allow Editors in multisite environments to attack other sites in the network. In the news, YouTube catches flak for banning instructional hacking videos, and IBM officially acquires Red Hat. In our threat intel, we share a newly tracked domain used by infected sites to deploy new malicious content.
In this Wordfence Weekly we've got a batch of repeat offenders occupying the malware rankings, but some newcomers have entered the top attacking IP addresses. In the news, check out Cloudflare's response following an outage that affected many internet users this week.
In this week's Wordfence Weekly, we've tweaked the scope of our most common malware rankings. Previously these were ranked by which malware was identified on the most unique sites. However, this led to disproportionate representation of sites which neglected to clean old malware. Starting this week, we're ranking only malware found in new infections, which should provide more reliably actionable data.
In this edition of the Wordfence Weekly, the top 5 list of malware hashes remains unchanged from last week, while French and Chinese hosts remain the largest source of blocked attacks on our network.
In this edition of Wordfence Weekly, we see continued trends in malicious IPs from OVH SAS. On the malware side, familiar backdoors populate the top five but a script generating malicious binaries makes an appearance.