Quote:Researchers uncovered a massive attack on Windows running Microsoft SQL servers by a group of hackers using the new wave of long-running attack campaign called Vollgar.


Microsoft SQL Server is a relational database management system developed by Microsoft with 3rd most used Popular Database Platforms deployed in various organization networks around the globe.

This massive long-running attack campaign observed back to 2018 via the honeypot system, since then it was continuously attacking thousand of internet-facing MS-SQL servers for the past two years.

Researchers observed that the Vollgar campaign originated in more than 120 IP addresses and the most of the hits comes from China. some of the attacks initiated from the IP’s that are short lived and the couple of IP’s are living more than 3 months.

“Threat actors are attempting to various forms of attack including password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multi-functional remote access tools (RATs) and crypto miners”. researchers from Guardicore told GBHackers.

I told you looks like WP having and facing a big hole

Quote:Researchers from Wordfence uncovered two RCE vulnerabilities in WordPress SEO plugin called Rank Math let hackers hijack nearly 200,000 vulnerable Websites and gain remote access.


Rank Math is an SEO plugin for WordPress and it gives various SEO features such as Setup Wizard, Google Schema Markup, Optimizes Unlimited Keywords with 200,000 active installations.

The first vulnerability is the most critical one that allows attackers to update arbitrary metadata, including the ability to grant or revoke administrative privileges.

The second vulnerability lets attackers redirect the victims to any website for their choice and any location on the site.

Rank Math’s one of the SEO features allow users to update Metadata on the post. To use this feature, plugin registered a REST-API endpoint that failed to include a permission_callback used for capability checking.

A function called “update_metadata” which you can see in the below image is used to update the slug existing posts or could be used to delete or update metadata for posts which enable this critical vulnerability and it can be exploited

Quote:The Microsoft Office is one of the most popular tools, it’s popularity was abused by cybercriminals to deliver malware.


With this current campaign attacker used Excel file with password-protected, to open the file victims should enter the password and it is included in the social engineered email.

To decrypt the password-protected file victims need to enter the password “VelvetSweatshop“, once decrypted it onboards the malicious macros embedded.

The final payload is the LimeRAT malware, a malicious remote access trojan that gives the attacker complete access to the victim’s machine.

“In this specific attack, the cybercriminals also used a blend of other techniques in an attempt to fool anti-malware systems by encrypting the content of the spreadsheet hence hiding the exploit and payload,” researchers told.

Quote:Reportedly, the security team from WebARX found a vulnerability in the WPvivid Backup WordPress plugin. As stated in their advisory, the critical flaw could allow an authenticated user to meddle with the default backup location.

The most critical registered wp_ajax action that does not have an authorization check would be wp_ajax_wpvivid_add_remote.

It allows any authenticated user, regardless of their user role, to add a new remote storage location and set it as the default backup location.

This would result in the backup being made on the new default location set up by the attacker upon execution of the plugin.


This not only causes an unwanted exposure of sensitive data files of the website but may also cause data loss. Likewise, this would also allow the adversary to lure a site admin to execute an action from the plugin.

Quote:Cybercriminals continue to use the Coronavirus outbreak to launch various attacks such as malware, phishing, fraud, and disinformation campaigns.

In the current situation, most of the organization has been closed and the employees are provided with options to work from home. So the RDP and the video communication platforms usage will be high.

It was observed more than 5000+ domains registered for creating infrastructure to support malicious campaigns referring to COVID-19.


Checkpoint observed a huge number of domain’s registered with the names that include “Zoom”, the Zoom is one of the biggest video communication platform used in the world.

“Since the beginning of the year, more than 1700 new domains were registered and 25% of them were registered in the past week. Out of these registered domains, 4% have been found to contain suspicious characteristics.”

Quote:Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

platforms

Quote:The FBI on Tuesday shut down Deer.io, a Russia-based platform catering to cybercrooks that offered turnkey online storefront design and hosting and a place where they could sell and advertise their wares, including ripped-off credentials, hacked servers, hacking services, gamer accounts and more.

Earlier this month, the bureau nabbed the guy they think was running the show: 28-year-old Kirill Victorovich Firsov, whom the FBI arrested on 7 March 2020 in New York City. He’s been federally charged with unauthorized solicitation of access devices, which carries a maximum penalty of 10 years in prison, though maximum sentences are rarely handed out.


Deer.io was a top market for stolen accounts: a place where crooks could buy and sell credentials for hacked accounts siphoned off of malware-infected computers, PII, and financial and corporate data.

The FBI’s investigation included a Deer.io shopping spree. Earlier this month, agents made these buys:

•     About 1,100 gamer accounts, including usernames and passwords, for under $20 in Bitcoin. Those accounts often have linked payment methods that hackers can use to make purchases on the real owners’ dime.
  
•     About 999 individual PII accounts for about $170 in Bitcoin.
  
•     On the same day, it bought another 2,650 accounts for about $522 in Bitcoin. That bought them names, dates of birth and US Social Security numbers: all the data you need to do identity theft and pull off financial fraud.
  

Quote:Reportedly, Microsoft has issued an alert for all users regarding a vulnerability that ships with the Windows operating system. The bug exists in Adobe Type Manager Library (atmfd.dll) which facilitates rendering PostScript Type 1 fonts inside the OS.


What’s troublesome is that before catching the attention of the vendors for a fix, it attracted hackers. Hence, this vulnerability is now under active exploitation. Microsoft have noted the exploitation of this zero-day vulnerability against Windows 7.

Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format.

There are multiple ways an attacker could exploit the vulnerability, such as convincing a user to open a specially crafted document or viewing it in the Windows Preview pane.

After Windows 10 Linux also affected guys don't be so happy Linux users.

Quote:Security researcher uncovered a critical remote code execution vulnerability in OpenWrt operating system that allows attackers to inject the malicious payload on the vulnerable systems.


OpenWrt is a Linux based operating system that is mainly used in embedded devices and network routers to route the network traffic and is installed on millions of devices around the globe.

The RCE bug addressed in the package list parse the logic of OpenWrt’s opkg (Opkg Package Manager) fork let package manager ignore the SHA-256 checksums embedded in the signed repository index which allows an attacker to bypass the integrity checking of downloaded .ipk artifacts.