Wordfence Weekly June 12 2019 – June 18 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Hackers behind dangerous oil and gas intrusions are probing US power grids

    In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.

  • Mozilla Firefox 67.0.3 Patches Actively Exploited Zero-Day

    Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to patch an actively exploited and critical severity vulnerability which could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions.

  • Google launches Chrome extension for flagging bad URLs to the Safe Browsing team

    Google has launched a new Chrome extension that simplifies reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and in other browsers that support the Safe Browsing API.

New Vulnerabilities

Name: Shortlinks by Pretty Links <= 2.1.9 - Stored XSS and CSV Injection
Description: Unauthenticated attackers can inject XSS payloads via request headers, which execute when the click logs are viewed by an administrator; as the name indicates, the same unsanitized header values also allow CSV (formula) injection when the log is exported.
Type: A1 – Injection

Name: Easy Digital Downloads <= 2.9.15 - Stored XSS
Description: Unauthenticated attackers can inject XSS payloads via spoofed X-FORWARDED-FOR headers, which execute when logs are viewed by an administrator.
Type: A1 – Injection
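The Pretty Links and Easy Digital Downloads entries above are the same bug class: a plugin stores an attacker-controlled request header in a log and later echoes it into an admin page without escaping. The following is an added example (not code from either plugin or from Wordfence) showing a minimal request logger in that vulnerable shape and then hardened; the `$trusted_proxies` value and the request contents are constructed for illustration.

```php
<?php
// Added example (not code from Pretty Links, Easy Digital Downloads or Wordfence):
// a minimal request logger of the kind both plugins contain, first in the
// vulnerable shape, then hardened. $trusted_proxies is an assumed deployment value.

// Vulnerable: any visitor controls X-Forwarded-For, and the value is echoed raw
// into the admin log page, so the payload runs in the administrator's session.
function vulnerable_client_ip(array $server): string {
    return $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
}

function vulnerable_render_row(array $row): string {
    return '<tr><td>' . $row['ip'] . '</td><td>' . $row['ua'] . '</td></tr>';
}

// Hardened: (1) honour X-Forwarded-For only when the TCP peer is a proxy you run,
// (2) validate the result as an IP address so nothing else is ever stored, and
// (3) escape at output regardless, since stored values are still untrusted.
function hardened_client_ip(array $server, array $trusted_proxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    $xff    = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($remote, $trusted_proxies, true)) {
        // Header is "client, proxy1, proxy2, ..."; the leftmost entry is the client.
        $candidate = trim(explode(',', $xff)[0]);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function html_escape(string $s): string {
    // esc_html() is WordPress's escaper; htmlspecialchars() is the plain-PHP
    // fallback so this file also runs outside WordPress.
    return function_exists('esc_html')
        ? esc_html($s)
        : htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function hardened_render_row(array $row): string {
    return '<tr><td>' . html_escape($row['ip']) . '</td><td>' . html_escape($row['ua']) . '</td></tr>';
}

// Constructed request: a direct (non-proxied) visitor spoofing the header.
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '<script>fetch("/wp-admin/user-new.php")</script>',
    'HTTP_USER_AGENT'      => 'Mozilla/5.0',
];
$trusted_proxies = ['10.0.0.2']; // assumed: the site's own reverse proxy

$bad = ['ip' => vulnerable_client_ip($server), 'ua' => $server['HTTP_USER_AGENT']];
echo vulnerable_render_row($bad), PHP_EOL;   // the script tag reaches the admin page unescaped

$good = ['ip' => hardened_client_ip($server, $trusted_proxies), 'ua' => $server['HTTP_USER_AGENT']];
echo hardened_render_row($good), PHP_EOL;   // logs the real peer address; any markup is entity-encoded
```

Validating the stored value and escaping on output are separate controls: validation keeps the log honest (an IP column contains only IPs, which also closes the CSV formula angle), while output escaping protects the admin page even for columns such as User-Agent that must remain free text.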

Name: Download Manager <= 2.9.96 - Various Sanitisation Issues
Description: Multiple input and output points are sanitized in patched versions of the plugin; whether the earlier code was actually exploitable has not been formally assessed.
Type: A1 – Injection

Name: WP Google Maps <= 7.11.27 - Admin Settings CSRF
Description: Plugin settings could be modified via Cross-Site Request Forgery (CSRF).
Type: A8 – Cross-Site Request Forgery

Name: WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
Description: Attackers could inject arbitrary membership form fields via Cross-Site Request Forgery (CSRF).
Type: A8 – Cross-Site Request Forgery
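Both CSRF entries above share one root cause: a privileged action handler that accepts any request carrying the administrator's cookies, including a form auto-submitted from an attacker's page. The following is an added example (not code from WP Google Maps, WP-Members or Wordfence) of a WordPress admin settings handler in that shape and then with the nonce and capability checks WordPress provides; the `demo_` option, action and field names are assumed.

```php
<?php
// Added example (not code from WP Google Maps, WP-Members or Wordfence):
// a WordPress settings handler wired to admin-post.php, first CSRF-prone,
// then with the checks WordPress ships. All demo_* names are assumed.

// Vulnerable: any request to admin-post.php?action=demo_save_settings that
// rides on a logged-in admin's cookies is honoured, whoever built the form.
function demo_save_settings_vulnerable(): void {
    update_option('demo_api_key', wp_unslash($_POST['demo_api_key'] ?? ''));
}

// Hardened: the user must be allowed to manage options, and the request must
// carry a nonce that WordPress issued to this user for this specific action.
function demo_save_settings_hardened(): void {
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // Dies with a 403 if _wpnonce is missing, expired, or minted for another
    // action or user; an attacker's page cannot produce a valid one.
    check_admin_referer('demo_save_settings', '_wpnonce');

    $key = sanitize_text_field(wp_unslash($_POST['demo_api_key'] ?? ''));
    update_option('demo_api_key', $key);
    wp_safe_redirect(add_query_arg('updated', '1', wp_get_referer() ?: admin_url()));
    exit;
}

// The legitimate form: wp_nonce_field() emits the hidden _wpnonce input that
// the hardened handler verifies.
function demo_settings_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="demo_save_settings">
        <?php wp_nonce_field('demo_save_settings', '_wpnonce'); ?>
        <input type="text" name="demo_api_key"
               value="<?php echo esc_attr(get_option('demo_api_key', '')); ?>">
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

add_action('admin_post_demo_save_settings', 'demo_save_settings_hardened');
```

The two checks cover different failures: the nonce proves the request originated from a page this site served to this user, while the capability check matters because a nonce only says who the user is, not what they may change. Browser SameSite cookie defaults reduce exposure to cross-site POSTs but do not replace the nonce, so the handler should not rely on them.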

Most Common Malicious Files

Malware samples seen on the largest number of unique sites.

MD5                               Signature                         Description                                                  File Names
C62180F0D626D92E29E83778605DD8BE  Suspicious:PHP/eval_exit.92       Obfuscated PHP backdoor.                                     Various .php names like sq.php and wp-cache.php
446ABEFA504998F144A7AE906A173978  Suspicious:PHP/rot13_of_eval.95   Obfuscated, password-protected PHP backdoor.                 Generated .php names like b9448c1c.php
048648D9755220E727E7E0178837F7BF  Backdoor:PHP/561C.110             Obfuscated PHP backdoor.                                     amp3.php, sib.php, wpfunck.php
3F6FD174B64E74D0E7BBA734FF01F065  Backdoor:PHP/FOPO.A.109           PHP backdoor obfuscated with FOPO.                           wp-dbs.php
8C9E8184A1523C7286FC11E7DE2EAC55  Backdoor:PHP/LD_PRELOAD.4426      PHP script which generates and executes a malicious binary.  wp_form7.php

IPs Attacking Most Sites

Rank  Prev.  IP Address       ASN                                                           Country
1     3      62.210.249.242   12876 (Online S.a.s.)                                         France (FR)
2     -      46.105.99.212    16276 (OVH SAS)                                               France (FR)
3     -      46.105.99.163    16276 (OVH SAS)                                               France (FR)
4     -      46.105.127.166   16276 (OVH SAS)                                               France (FR)
5     4      120.92.88.152    59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd)   China (CN)
6     5      120.92.102.182   59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd)   China (CN)
7     -      195.154.183.53   12876 (Online S.a.s.)                                         France (FR)
8     -      185.225.16.152   39798 (MivoCloud SRL)                                         Romania (RO)
9     -      47.104.166.201   37963 (Hangzhou Alibaba Advertising Co.,Ltd.)                 China (CN)
10    -      221.2.44.75      4837 (CHINA UNICOM China169 Backbone)                         China (CN)

Prev. is the address's rank in the previous week's report; "-" means no rank was listed for the previous week.

New Tracked Domains

Domain Name               Date Added   Current Status   Notes
trafficapi.nl             06/12/2019   Up               Serving JS malware.
sitenab.info              06/17/2019   Down             Associated with phishing.
www-myetherwallett.com    06/18/2019   Up               Associated with phishing.
