Wordfence Weekly July 17 2019 – July 23 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Equifax data breach: Credit reporting agency to pay up to $700 million in settlement

    Credit reporting agency Equifax has reached a deal to pay up to $700 million to state and federal regulators to settle probes stemming from a data breach that exposed the personal information of nearly 150 million people. It will be the largest settlement ever paid for a data breach.

  • Kazakhstan tries and fails to MITM all of its internet users with rogue certificate installation

    On July 17th, 2019, the government of Kazakhstan enacted a new cybersecurity measure that aims to spy on its citizens’ internet traffic. Specifically, the Kazakh government ordered all internet service providers (ISPs) to force their customers to install a government-issued root certificate from Qaznet Trust Network on all of their internet-accessing devices.

  • Google Chrome is ditching its XSS detection tool

    Google is removing a nine-year-old feature in its Chrome web browser, which spotted a common online attack. Don’t worry, though – another, hopefully better, protection measure is on the way.

Notable Vulnerabilities

Name: Email Subscribers & Newsletters <= 4.1.7 - SQL Injection
Description: Vulnerable versions could allow attackers to perform SQL injection attacks.
Type: A1 – Injection

Name: Adaptive Images for WordPress <= 0.6.66 - Local File Inclusion & Deletion
Description: Unauthenticated attackers can read or delete arbitrary files on affected sites.
Type: Multiple

Most Common New Infections

Malware samples identified on the greatest count of newly infected sites.

MD5 | Signature | Description | File Names
C62180F0D626D92E29E83778605DD8BE | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | file.php, i.php, ihqxkhi.php, and others.
048648D9755220E727E7E0178837F7BF | Backdoor:PHP/561C.110 | Obfuscated PHP backdoor. | amp3.php, sib.php, wpfunck.php, and others.
8C9E8184A1523C7286FC11E7DE2EAC55 | Backdoor:PHP/2842.103 | PHP script which generates and executes a malicious binary. | wp_form7.php
C2CC3D90B67A9D6C7DF738A8CD8661C7 | Suspicious:PHP/eval_exit.92 | Obfuscated PHP backdoor. | 101.gone.php, 412.client.php, 423.508.php, and others.
F672EB5C2EF23BF5180DC94CAE720FC7 | Backdoor:PHP/Ironshell.56 | PHP web shell known as Ironshell. | checkbox.php, stats.php

IPs Attacking Most Sites

Rank | Prev. | IP Address | ASN | Country
1 | | | 26496 (GoDaddy.com, LLC) | United States US
2 | | | 51500 (Servisnet Ltd.) | Ukraine UA
3 | 1 | | 50896 (Trusov Ilya Igorevych) | Poland PL
4 | | | 35393 (CTS Computers and Telecommunications Systems SAS) | Spain ES
5 | | | 16276 (OVH SAS) | Germany DE
6 | 2 | | 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) | China CN
7 | 3 | | 23724 (IDC, China Telecommunications Corporation) | China CN
8 | | | 15169 (Google LLC) | United States US
9 | 10 | | 16276 (OVH SAS) | Poland PL
10 | | | 14061 (DigitalOcean, LLC) | United States US

New Tracked Domains

Domain Name | Date Added | Current Status | Notes
acint.net | 07/23/2019 | Up | Hosting JavaScript files sourced by infected scripts.
deliverygoodstrategy.com | 07/22/2019 | Up | Associated with a JavaScript injection campaign.
db.deliverygoodstrategy.com | 07/19/2019 | Up | Associated with a JavaScript injection campaign.
4ksudckusdkc.space | 07/18/2019 | Up | Associated with redirect campaign.
submed-drenew.com | 07/17/2019 | Up | Associated with redirect campaign.
