Wordfence Weekly June 12 2019 – June 18 2019

A weekly report of noteworthy threat data by the Defiant threat intelligence team.

Security News

  • Hackers behind dangerous oil and gas intrusions are probing US power grids

    In a new troubling escalation, hackers behind at least two potentially fatal intrusions on industrial facilities have expanded their activities to probing dozens of power grids in the US and elsewhere, researchers with security firm Dragos reported Friday.
    Read More

  • Mozilla Firefox 67.0.3 Patches Actively Exploited Zero-Day

    Mozilla released Firefox 67.0.3 and Firefox ESR 60.7.1 to patch an actively exploited and critical severity vulnerability which could allow attackers to remotely execute arbitrary code on machines running vulnerable Firefox versions.
    Read More

  • Google launches Chrome extension for flagging bad URLs to the Safe Browsing team

    Google launched today a new Chrome extension that will simplify the process of reporting a malicious site to the Google Safe Browsing team so that it can be analyzed, reviewed, and blacklisted in Chrome and other browsers that support the Safe Browsing API.
    Read More

New Vulnerabilities

Name: Shortlinks by Pretty Links <= 2.1.9 - Stored XSS and CSV Injection
Description: Unauthenticated attackers can inject XSS payloads via request headers, which execute when logs are viewed by an administrator.
Type: A1 – Injection

Name: Easy Digital Downloads <= 2.9.15 - Stored XSS
Description: Unauthenticated attackers can inject XSS payloads via spoofed X-FORWARDED-FOR headers, which execute when logs are viewed by an administrator.
Type: A1 – Injection

Name: Download Manager <= 2.9.96 - Various Sanitisation Issues
Description: Multiple points of input and output are now sanitized in patched versions of the plugin, though vulnerability/exploitability has not been formally assessed.
Type: A1 – Injection

Name: WP Google Maps <= 7.11.27 - Admin Settings CSRF
Description: Plugin settings could be modified via Cross-Site Request Forgery (CSRF).
Type: A8 – Cross-Site Request Forgery

Name: WP-Members <= 3.2.7 - Cross-Site Request Forgery (CSRF)
Description: Attackers could inject arbitrary membership form fields via Cross-Site Request Forgery (CSRF).
Type: A8 – Cross-Site Request Forgery

Most Common Malicious Files

Malware samples identified on the greatest count of unique sites.

MD5 Signature Description File Names
C62180F0D626D92E29E83778605DD8BE Suspicious:PHP/eval_exit.92 Obfuscated PHP backdoor. Various .php names like sq.php and wp-cache.php
446ABEFA504998F144A7AE906A173978 Suspicious:PHP/rot13_of_eval.95 Obfuscated, password-protected PHP backdoor. Generated .php names like b9448c1c.php
048648D9755220E727E7E0178837F7BF Backdoor:PHP/561C.110 Obfuscated PHP backdoor amp3.php, sib.php, wpfunck.php
3F6FD174B64E74D0E7BBA734FF01F065 Backdoor:PHP/FOPO.A.109 PHP backdoor obfuscated with FOPO. wp-dbs.php
8C9E8184A1523C7286FC11E7DE2EAC55 Backdoor:PHP/LD_PRELOAD.4426 PHP script which generates and executes a malicious binary. wp_form7.php

IPs Attacking Most Sites

Rank Prev. IP Address ASN Country
1 3 62.210.249.242 12876 (Online S.a.s.) France FR
2 46.105.99.212 16276 (OVH SAS) France FR
3 46.105.99.163 16276 (OVH SAS) France FR
4 46.105.127.166 16276 (OVH SAS) France FR
5 4 120.92.88.152 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) China CN
6 5 120.92.102.182 59019 (Beijing Kingsoft Cloud Internet Technology Co., Ltd) China CN
7 195.154.183.53 12876 (Online S.a.s.) France FR
8 185.225.16.152 39798 (MivoCloud SRL) Romania RO
9 47.104.166.201 37963 (Hangzhou Alibaba Advertising Co.,Ltd.) China CN
10 221.2.44.75 4837 (CHINA UNICOM China169 Backbone) China CN

New Tracked Domains

Domain Name Date Added Current Status Notes
trafficapi.nl 06/12/2019 Up Serving JS malware.
sitenab.info 06/17/2019 Down Associated with phishing.
www-myetherwallett.com 06/18/2019 Up Associated with phishing.

Subscribe To The Wordfence Weekly



Did you enjoy this post? Share it!

LinkedIn 

Recent Issues

Wordfence Weekly October 30 2019 – November 05 2019

This edition of Wordfence Weekly follows a brief hiatus from our team travelling to WordCamp US last week. As you may have guessed following the release of the research behind WP-VCD, the campaign still makes up four of the five slots in our new infection chart.

Read Full Report

Wordfence Weekly October 16 2019 – October 22 2019

In this week's Wordfence Weekly, we've got three vulnerabilities disclosed by the Wordfence team associated with WordPress plugins and themes. A new face appears in the top malware infections list, a script built seemingly only to delete itself when told to. In the attacking IP charts, we see a new ASN joining the rankings: Microsoft Corporation appears three times in the top ten.

Read Full Report

Wordfence Weekly October 09 2019 – October 15 2019

This week saw the release of WordPress 5.2.4, a security release which fixed a number of core vulnerabilities. None of the vulnerabilities are severe enough to suggest widespread abuse, but it's always a good idea to update. A big surprise comes from our attacking IP data, as not a single IP address from last week's rankings was present this week. The same cannot be said of the malware data, as WP-VCD variants continue to maintain a firm hold of the chart.

Read Full Report

Wordfence Weekly October 02 2019 – October 08 2019

This week, three unique variants of the same WP-VCD spam injector made it to the top five new infections, while the other two positions were held by ancillary scripts from the same campaign. A GoDaddy server is the fifth most malicious IP address this week, suggesting infected sites present on the host. The remainder of the list was divided between cloud hosts OVH SAS and DigitalOcean, as seen commonly in recent weeks.

Read Full Report

Wordfence Weekly September 25 2019 – October 01 2019

In this week's Wordfence Weekly, we see a typical array of familiar data. WP-VCD continues to remain the most common new set of infections, and cloud providers DigitalOcean and OVH SAS contribute considerably to the list of top attacking IP addresses. This edition features three vulnerabilities from the past week, including the GiveWP vulnerability disclosed by our own Chloe Chamberland.

Read Full Report

Wordfence Weekly September 18 2019 – September 24 2019

New WP-VCD variants continue to appear on the malware infection rankings, continuing a streak that shows no sign of slowing. The top two IP addresses this week are US-based machines associated with the Chinese tech conglomerate Alibaba, while the rest are divided evenly between cloud hosts DigitalOcean and OVH SAS. Lastly, a few vulnerabilities released this week allow attackers to modify the options of the affected plugins, leading to XSS injection.

Read Full Report

Wordfence Weekly September 11 2019 – September 17 2019

In this Wordfence Weekly we share five new domains which have been added to our blacklist for their association with spamming and malvertising. A slightly modified variant of WP-VCD's wp-tmp.php script reaches the top of the malware chart, while the rest has remained stable from previous weeks. Lastly, several new IP addresses have reached the top ten attacking hosts during a week where the Wordfence firewall detected a notable surge in activity.

Read Full Report

Wordfence Weekly September 04 2019 – September 10 2019

This edition of Wordfence Weekly includes a number of vulnerabilities recently patched in WordPress core version 5.2.3. All WordPress users are recommended to ensure this security patch has been applied as soon as possible. WP-VCD and related malware still hold the top most common new infections, while most of the top attacking IP addresses have rotated out.

Read Full Report

Wordfence Weekly August 28 2019 – September 03 2019

This week we see a continued trend of WP-VCD infections on the top malware chart. Two newly tracked domains have been added, which are hosting malicious scripts referenced by other malware samples. Last, the popular Formidable Forms plugin was recently patched to improve its output sanitization, suggesting exploitability in its earlier versions.

Read Full Report

Wordfence Weekly August 21 2019 – August 27 2019

This week's Wordfence Weekly sees a continued trend of new WP-VCD infections taking over the Most Common New Infections chart. In Attacking IPs, the top two addresses from last week retain their positions while the rest of the list contains new IPs from a variety of hosts. Additionally, we're tracking some new malvertising domains as well as a MySQL host used by attackers taking over unfinished WordPress installs.

Read Full Report

Wordfence Weekly August 14 2019 – August 20 2019

In this Wordfence Weekly, we've got a Directory Traversal vulnerability in the highly popular WP Fastest Cache plugin. In the malware rankings, we see a number of samples associated with the WP_VCD SEO spam campaign as well as more PHP backdoor scripts. Also, this week's attacking IP rankings have returned to a typical spread of activity, with attacks from OVH SAS and DigitalOcean servers controlling the board.

Read Full Report

Wordfence Weekly August 07 2019 – August 13 2019

The prevalence of attacks from US-based host QuadraNet continues in this edition of Wordfence Weekly. Additionally, a few new noteworthy vulnerabilities have popped up, which are each seeing their own attacks. In particular, we've begun tracking some new domains associated with malicious redirects.

Read Full Report

Wordfence Weekly July 31 2019 – August 06 2019

This week, the list of the top IPs attacking WordPress sees a sudden appearance of seven addresses from the US-based hosting provider QuadraNet Enterprises LLC. In the tracked domains, we've added some illegitimate download sites referenced in malicious samples discovered by our site cleaning team.

Read Full Report

Wordfence Weekly July 24 2019 – July 30 2019

July's final Wordfence Weekly sees some news items regarding Marcus Hutchins' sentencing and a data breach from Capital One. Under the week's new tracked domains, we list xn--google-analytcs-xpb[.]com, a punycode domain masquerading as a Google Analytics domain when decoded. Malware trends and common attacking IPs remain stable, though OVH SAS's longtime domination of the attacking IP rankings continues to wane.

Read Full Report

Wordfence Weekly July 17 2019 – July 23 2019

This week's Wordfence Weekly shows an increase in US-based attack traffic, including an IP from popular web host GoDaddy. We're also seeing a rise in infected sites where the PHP webshell "Ironshell" is present. In the news, Equifax is slated to pay a settlement following its 2017 data breach and the nation of Kazakhstan is attempting to man-in-the-middle the internet traffic of its citizens.

Read Full Report
Archive

This site uses cookies in accordance with our Privacy Policy.