Wordfence Weekly July 10 2019 – July 16 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Apple has pushed a silent Mac update to remove hidden Zoom web server

    Apple has released a silent update for Mac users removing a vulnerable component in Zoom, the popular video conferencing app, which allowed websites to automatically add a user to a video call without their permission.
    Read More

  • This Flaw Could Have Allowed Hackers to Hack Any Instagram Account Within 10 Minutes

    The Facebook-owned photo-sharing service has recently patched a critical vulnerability that could have allowed hackers to compromise any Instagram account without requiring any interaction from the targeted users.
    Read More

  • Most 2020 Presidential Campaign Not Using Proper Email Security

    2020 U.S. presidential campaigns are not using proper email security according to research from Californian-based email threat protection firm Agari.
    Read More

Notable Vulnerabilities

Name: Ad Inserter <= 2.4.21 - Authenticated Remote Code Execution
Description: Authenticated users can bypass insufficient access control to access functionality intended only for Administrator users, leading to RCE.
Type: A5 – Broken Access Control
Name: Coming Soon Page and Maintenance Mode <= 1.7.8 - Unauthenticated Stored Cross-Site Scripting (XSS)
Description: Unauthenticated users could inject XSS payloads into multiple parameters used by the plugin, affecting the front-end of vulnerable sites.
Type: A7 – Cross-Site Scripting (XSS)

Most Common New Infections

Malware samples identified on the greatest count of newly infected sites.

MD5 Signature Description File Names
C62180F0D626D92E29E83778605DD8BE Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. file.php, i.php, ihqxkhi.php, and others.
C2CC3D90B67A9D6C7DF738A8CD8661C7 Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. 101.gone.php, 412.client.php, 423.508.php, and others.
048648D9755220E727E7E0178837F7BF Backdoor:PHP/561C.110 Obfuscated PHP backdoor. amp3.php, sib.php, wpfunck.php, and others.
BF3A65A77DA363AC779A2C45FD2DA2FF Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. common_config.php
446ABEFA504998F144A7AE906A173978 Suspicious:PHP/rot13_of_eval.95 PHP backdoor which takes XOR-encoded input. b9448c1c.php

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 7 50896 (Trusov Ilya Igorevych) Poland PL
2 5 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) China CN
3 23724 (IDC, China Telecommunications Corporation) China CN
4 24940 (Hetzner Online GmbH) Germany DE
5 23650 (AS Number for CHINANET jiangsu province backbone) China CN
6 16276 (OVH SAS) France FR
7 9009 (M247 Ltd) Romania RO
8 16276 (OVH SAS) United Kingdom GB
9 8560 (1&1 Internet SE) Spain ES
10 16276 (OVH SAS) Poland PL

New Tracked Domains

Domain Name Date Added Current Status Notes
zctrack.com 07/16/2019 Up Ad redirect domain, found injected into theme functions.php files.
3.bingstyle.com 07/16/2019 Up Associated with zctrack.com infections.
cdn.blackawardago.com 07/12/2019 Up Referenced in obfuscated malware samples.
viagranrxfor.org 07/12/2019 Up Pharmaceutical spam domain.
apps.caresearch.com.au 07/11/2019 Up Hosting JavaScript which is sourced in other injected scripts.

Subscribe To The Wordfence Weekly

Did you enjoy this post? Share it!

Recent Issues