Wordfence Weekly July 24 2019 – July 30 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Capital One Data Theft Impacts 106M People

    Federal prosecutors this week charged a Seattle woman with stealing data from more than 100 million credit applications made with Capital One Financial Corp.
    Read More

  • Marcus ‘MalwareTech’ Hutchins gets no prison time, one year supervised release

    Marcus ‘MalwareTech’ Hutchins, the security researcher who helped stop the WannaCry ransomware outbreak, was sentenced in the US to time served and one year of supervised release.
    Read More

  • FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook

    Facebook, Inc. will pay a record-breaking $5 billion penalty, and submit to new restrictions and a modified corporate structure that will hold the company accountable for the decisions it makes about its users’ privacy, to settle Federal Trade Commission charges that the company violated a 2012 FTC order by deceiving users about their ability to control the privacy of their personal information.
    Read More

Notable Vulnerabilities

Name: ND Shortcodes For Visual Composer <= 5.8 - Unauthenticated Arbitrary Options Update
Description: Vulnerable versions allow unauthenticated users to modify arbitrary WordPress options, potentially leading to privilege escalation.
Type: A5 – Broken Access Control

Most Common New Infections

Malware samples identified on the greatest count of newly infected sites.

MD5 Signature Description Example File Names
C62180F0D626D92E29E83778605DD8BE Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. file.php, i.php, ihqxkhi.php, and others.
048648D9755220E727E7E0178837F7BF Backdoor:PHP/561C.110 PHP script which generates and executes a malicious binary. amp3.php, sib.php, wpfunck.php, and others.
8C9E8184A1523C7286FC11E7DE2EAC55 Backdoor:PHP/2842.103 PHP script which generates and executes a malicious binary. wp_form7.php
BF3A65A77DA363AC779A2C45FD2DA2FF Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. common_config.php
446ABEFA504998F144A7AE906A173978 Suspicious:PHP/rot13_of_eval.95 Obfuscated, password-protected PHP backdoor. b9448c1c.php

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 1 26496 (GoDaddy.com, LLC) United States US
2 15169 (Google LLC) United States US
3 3 50896 (Trusov Ilya Igorevych) Poland PL
4 26347 (New Dream Network, LLC) United States US
5 24940 (Hetzner Online GmbH) Germany DE
6 20473 (Choopa, LLC) Singapore SG
7 15395 (Rackspace Ltd.) United Kingdom GB
8 15699 (OGIC Informatica S.L.) Spain ES
9 9 16276 (OVH SAS) Poland PL
10 23650 (AS Number for CHINANET jiangsu province backbone) China CN

New Tracked Domains

Domain Name Date Added Current Status Notes
thez8.com 07/24/2019 Up Referenced in malicious spam files.
blufftonjaspervim.org 07/24/2019 Up Associated with redirect campaign.
xn--google-analytcs-xpb.com 07/25/2019 Up Punycode domain (decodes as google-analytîcs.com) associated with skimming campaign.
greatinstagrampage.com 07/30/2019 Up Associated with redirect campaign.

Subscribe To The Wordfence Weekly

Did you enjoy this post? Share it!

Recent Issues