Overview of security incidents for the period from 10 to 16 September 2018

A brief summary of the main events in the information security world over the past week.

Kaspersky Lab experts reported a large-scale campaign distributing the Asacub banking Trojan, aimed at users of Android mobile devices. The largest share of infections (98%) is in the Russian Federation, and according to the experts about 40 thousand users fall victim to the Trojan every day. The malware spreads through phishing SMS messages inviting the recipient to view photos or an MMS at the specified link. When the user opens that site and taps the download button, the malicious application is downloaded to the device.

Last week, Britain once again accused the Russian Federation of cyber attacks on its infrastructure. According to a source in the British government, the attacks target energy networks, communication systems and the media.

The malicious campaign run by the cybercrime group MageCart is not slowing down. As it became known, the Feedify notification service has been added to the list of victims. Attackers injected code that steals payment card data into one of Feedify's JavaScript files (feedbackembad-min-1.0.js). The company removed the malicious script several times, but the criminals were persistent and re-infected the file each time.
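The Feedify incident is the case Subresource Integrity (SRI) is designed to catch: a site that pins the hash of a third-party script in the `integrity` attribute will refuse to run a modified copy. The following added example (not code from the article, Feedify or MageCart research) generates an `integrity` value for a script body and verifies a fetched body against it the way a browser does, taking the strongest listed algorithm and accepting if any hash of that strength matches. The script bodies and the file name are constructed for the example; the only difference from browser behaviour is that an empty or unparseable `integrity` list is treated as a failure here, so a monitoring job fails closed.

```python
import base64
import hashlib

# Hash functions SRI allows, with their relative strength (browsers ignore
# weaker entries when a stronger one is present in the same attribute).
SUPPORTED = {"sha256": hashlib.sha256, "sha384": hashlib.sha384, "sha512": hashlib.sha512}
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the value to put in <script integrity="..."> for this body."""
    digest = SUPPORTED[algo](body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check a fetched script body against a space-separated integrity list.

    Mirrors the browser algorithm: parse every token, keep only the strongest
    supported algorithm, accept if any hash of that algorithm matches.
    Unlike a browser, an empty/unusable list is rejected (fail closed).
    """
    parsed = []
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # drop optional "?options" suffix
        if algo in SUPPORTED and b64:
            parsed.append((algo, b64))
    if not parsed:
        return False
    best = max(STRENGTH[a] for a, _ in parsed)
    for algo, b64 in parsed:
        if STRENGTH[algo] == best and sri_hash(body, algo) == f"{algo}-{b64}":
            return True
    return False


# Constructed sample data: the pinned release of a hypothetical widget script
# and a copy that has had extra code appended to it.
PINNED_SCRIPT = b"/* notify-widget v1.0 */\nfunction notify(msg){console.log(msg);}\n"
TAMPERED_SCRIPT = PINNED_SCRIPT + b"/* content not present in the pinned release */\n"


def integrity_report(fetched: bytes, pinned_integrity: str, name: str = "widget-1.0.js") -> dict:
    """Summarise one check so it can be logged or alerted on."""
    return {
        "file": name,
        "matches_pin": verify_sri(fetched, pinned_integrity),
        "observed": sri_hash(fetched),
    }


if __name__ == "__main__":
    pin = sri_hash(PINNED_SCRIPT)
    print('<script src="https://cdn.example/widget-1.0.js" '
          f'integrity="{pin}" crossorigin="anonymous"></script>')
    print(integrity_report(PINNED_SCRIPT, pin))
    print(integrity_report(TAMPERED_SCRIPT, pin))
```

For a cross-origin script the tag also needs `crossorigin="anonymous"`, otherwise the browser cannot read the response to hash it and blocks the load. SRI does not help when the third party legitimately changes the file often; in that case the same `integrity_report` check can be run from a scheduled job that re-fetches the script and alerts when the observed hash differs from the last reviewed one.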

Cybercriminals continue to attack unpatched MikroTik routers in order to mine cryptocurrency. In particular, researchers recorded another campaign against vulnerable devices in which the attackers create a “WebSocket tunnel to the browser script for mining crypto”. According to reports, the new campaign affected more than 3.8 thousand MikroTik routers.

Attackers are actively scanning the Internet for WordPress sites running vulnerable versions of the Duplicator plug-in, through which they can take control of the site. The plug-in is installed on more than 1 million sites, including some in the top positions of the Alexa ranking. Attackers exploit a vulnerability in the plug-in to install a backdoor on the server. Notably, the backdoor persists even after the site is restarted.

An enormous public database containing e-mail addresses, unencrypted passwords and partial credit card numbers (more than 41 million unique e-mail addresses and passwords in total) was discovered on the anonymous file host kayo.moe. According to Troy Hunt, operator of the breach-tracking service Have I Been Pwned, the data was prepared for a credential stuffing attack, in which logins are attempted not with a dictionary but with username/password pairs taken from a previously obtained base of stolen credentials. The source of the leak could not be established.
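Credential stuffing has a different shape from a dictionary attack: each stolen pair is tried once, so a single source hits many distinct accounts with a high failure rate, and the few successes mark accounts whose password is already known to the attacker. The added example below (not code from the article or from Have I Been Pwned) applies exactly that logic to a constructed authentication log. The log format, field names and IP addresses are assumptions for the example; the thresholds are starting points to tune against real traffic.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article): one line per login attempt.
SAMPLE_LOG = """\
2018-09-12T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2018-09-12T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2018-09-12T10:00:02Z src=203.0.113.7 user=carol result=OK
2018-09-12T10:00:03Z src=203.0.113.7 user=dave result=FAIL
2018-09-12T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2018-09-12T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2018-09-12T10:00:05Z src=198.51.100.9 user=alice result=FAIL
2018-09-12T10:00:09Z src=198.51.100.9 user=alice result=FAIL
2018-09-12T10:00:15Z src=198.51.100.9 user=alice result=OK
"""

# Assumed log format: timestamp, source address, account name, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_events(text: str) -> list:
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events: list, min_users: int = 5, min_fail_ratio: float = 0.6) -> dict:
    """Flag sources that touch many distinct accounts with mostly failed logins.

    A single account hammered from one source (classic brute force) is *not*
    flagged here, because its distinct-user count stays at 1.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0})
    for e in events:
        s = per_src[e["src"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1

    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "fail_ratio": round(ratio, 2),
            }
    return flagged


def accounts_to_reset(events: list, flagged: dict) -> list:
    """Accounts that logged in successfully from a flagged source: their password
    is in the attacker's list, so they need a forced reset, not just a lockout."""
    hits = {e["user"] for e in events if e["src"] in flagged and e["result"] == "OK"}
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = find_stuffing_sources(evs)
    for src, stats in flagged.items():
        print(f"stuffing source {src}: {stats}")
    print("force password reset for:", accounts_to_reset(evs, flagged))
```

On the sample data 203.0.113.7 is flagged (six accounts, five failures out of six attempts) and carol is reported for a reset, while 198.51.100.9 is left alone because it only targets one account, which is a job for per-account lockout and rate limiting rather than this detector. In production the per-source bucketing would be done over a sliding time window, and a proxy or NAT gateway that legitimately serves many users needs a higher `min_users` or an allow-list.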

The past week also saw another incident caused by a lack of data protection. Veeam Software, a company that develops solutions for virtual infrastructure management and data protection, has admitted to leaking 445 million records about its clients. A 200 GB database was stored on an openly accessible MongoDB server in the Amazon infrastructure.
