Cybercriminals use WeTransfer to execute phishing attacks

Popular file-hosting service WeTransfer is being exploited in the wild by attackers who are using it to spread phishing campaigns. The discovery was made by security firm Cofense. The threat actors used the platform to deliver malicious URLs so that they could evade email security gateways. According to Cofense, the campaigns target major industries such as banking, energy, and media. Victims receive a legitimate email notification from WeTransfer telling them that a file has been shared with them, and the links in these emails are genuine WeTransfer links; however, the shared file is an HTML file that redirects to the phishing page once downloaded. The Cofense experts suggested that the attackers used compromised email accounts to send these malicious files. The email body describes an invoice to be reviewed by the victim. The phishing page asks victims to enter their Office365 credentials, although services other than Microsoft accounts are also targeted. The Cofense team noted that this style of delivering URLs through file-hosting services is intended to avoid email security gateways. “As WeTransfer is a well-known and trusted file hosting system, used to share files too large to attach to an email, these links will typically bypass gateways as benign emails, unless settings are modified to restrict access to such file sharing sites,” said the researchers in their blog post.
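The Cofense post describes a delivery chain that slips past gateways because the notification itself is genuine: a trusted file-hosting sender, a shared file that is actually an HTML redirector, and an invoice lure. The triage rule below is an added example written for this article, not code from Cofense or WeTransfer; the trusted-domain list, lure words, score threshold and the two sample notifications are all constructed assumptions.

```python
"""Triage heuristic for file-hosting notification emails (constructed example)."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Assumption: domains of legitimate file-hosting notifiers that a gateway would normally trust.
FILE_HOSTING_DOMAINS = {"wetransfer.com"}
# A shared file that is itself a web page is the redirector described in the campaign.
RISKY_EXTENSIONS = {".html", ".htm"}
# Lure wording taken from the campaign description (an invoice to be reviewed).
LURE_WORDS = ("invoice", "review", "payment")


@dataclass
class Notification:
    sender_domain: str
    subject: str
    body: str
    shared_files: list = field(default_factory=list)


def triage(note: Notification) -> tuple:
    """Return (score, reasons). A score of 2 or more means hold the message for review."""
    reasons = []
    if note.sender_domain.lower() not in FILE_HOSTING_DOMAINS:
        return 0, reasons  # not a file-hosting notification; outside this rule's scope
    risky = [f for f in note.shared_files
             if PurePosixPath(f).suffix.lower() in RISKY_EXTENSIONS]
    if risky:
        reasons.append("shared file is a web page: " + ", ".join(risky))
    text = (note.subject + " " + note.body).lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits:
        reasons.append("lure wording: " + ", ".join(hits))
    return len(reasons), reasons


def should_hold(note: Notification) -> bool:
    """Hold only when both the risky file type and the lure wording are present."""
    return triage(note)[0] >= 2


# Constructed sample notifications, both from the trusted sender domain.
PHISH = Notification("wetransfer.com", "Files shared with you",
                     "Please review the invoice before payment.", ["Invoice_0719.html"])
BENIGN = Notification("wetransfer.com", "Files shared with you",
                      "Here are the photos from Friday.", ["photos.zip"])

if __name__ == "__main__":
    for sample in (PHISH, BENIGN):
        print(should_hold(sample), triage(sample)[1])
```

A score of 1 (an HTML share without lure wording, or an invoice with an ordinary archive) is worth logging rather than blocking, since legitimate shares of either kind are common.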


Government-funded home care in Isle of Man suffers data breach

A government-funded home care service in the Isle of Man suffered a data breach that compromised the personal information of adults receiving home care. Paper records containing the names, addresses, and phone numbers of 33 adults have been compromised. The compromised information also includes the phone numbers of 43 relatives and 11 carers of the adults receiving home care. Codes to access the keys to seven people's homes were also lost; the missing key codes have since been changed. The Department of Health and Social Care confirmed the data breach and reported the incident to the Information Commissioner. A spokesperson for the department said that the affected individuals were primarily older people from the Douglas area and that they were being notified about the incident. The Information Commissioner's office said that the department has taken the necessary steps to mitigate the risk to the affected individuals.


Fake FaceApp Found Delivering MobiDash Adware to Push Unwanted Ads

Cybercriminals are leveraging fake versions of FaceApp to deliver MobiDash adware. The malware sits on users’ phones and displays unwanted adverts. According to a report published by Kaspersky, around 500 unique users encountered the problem within a 48-hour period. “Kaspersky has identified a fake application that is designed to trick users into thinking it is a certified version of FaceApp but goes on to infect devices with an adware module called MobiDash,” Igor Golovin, a security researcher at Kaspersky, warned, as reported by Forbes. Once the fake application is downloaded from unofficial sources and installed, it simulates a failure and then activates its malicious behaviour. MobiDash is adware that, once installed on a device, displays intrusive ads. The adware takes advantage of the way Android works to make its removal difficult. Researchers have identified around 800 different modules of the adware. With the growing popularity of FaceApp, attackers have found another way to launch their malicious activities, opening the door for malicious code such as MobiDash to slide under the radar undetected.


Researchers discover five vulnerabilities in Comodo Antivirus

David Wells, a security researcher at Tenable, uncovered five vulnerabilities in Comodo Antivirus and Comodo Antivirus Advanced. Four of the five flaws were found in version 12.0.0.6810 and one, a Denial-of-Service (DoS) bug, in version 11.0.0.6582. The first vulnerability, tracked as CVE-2019-3969, allows an attacker with access to the targeted system to escape the Comodo Antivirus sandbox and escalate privileges to SYSTEM. The second, tracked as CVE-2019-3970, is an arbitrary file write flaw that allows an attacker to modify virus definitions, leading to false positives or enabling malware to bypass signature-based detection. The third, tracked as CVE-2019-3971, is a Denial-of-Service flaw that triggers an Access Violation because hardcoded NULLs are used as a memcpy source address, causing the application to terminate. The other two vulnerabilities could be exploited to crash application components and the kernel. “A low-privileged process however, can crash CmdVirth.exe to decrease the port's connection count and process hollow a CmdVirth.exe copy with malicious code to obtain a port handle. Once this occurs, a specially crafted message can be sent to cmdServicePort using ‘filtersendmessage’ API, which triggers an out-of-bounds write if lpOutBuffer parameter is near the end of buffer bounds,” Tenable said. The researcher reported his findings to Comodo in mid-April, but the vulnerabilities have not yet been fixed. Comodo has yet to comment officially on the matter. Cyware will update this article if the company releases a statement.


Attackers Compromise Twitter Account of Scotland Yard

The official Twitter account of the UK’s Metropolitan Police Service (MPS) was hacked by miscreants last week. The hackers posted a series of tweets from the account referencing jailed British rapper Rhys Herbert, also known as Digga D, calling for the rapper's release. In addition, the MPS stated that the hackers targeted its emails and news pages. MPS, metonymically known as Scotland Yard, has around 1.22 million followers on Twitter. In a statement, MPS said that its internal IT infrastructure was not affected in the attack; the issue lay with its press office’s online provider, MyNewsDesk. It is speculated that the hackers gained access to the Met Police's MyNewsDesk account. Apart from the tweets, unauthorized messages also appeared on the news section of the MPS website. Upon discovery, MPS took down all of these unsolicited messages from both Twitter and its news page. The tweets specifically called for the release of Digga D and castigated the police. The rapper was jailed last year along with four other people after he was about to engage in an attack. Since the incident, the MPS has hinted at setting access restrictions for the service provider MyNewsDesk. “We apologise to our subscribers and followers for the messages they have received. We are confident the only security issue relates to access to our MyNewsDesk account. We have begun making changes to our access arrangements to MyNewsDesk,” the MPS said in a statement.


Attackers abuse XSS vulnerability in WordPress plugin to display malverts

Wordfence's Defiant Threat Intelligence team observed an ongoing malvertising campaign that abuses a stored cross-site scripting (XSS) vulnerability in the Coming Soon Page & Maintenance Mode WordPress plugin. The XSS flaw allows an attacker to inject JavaScript or HTML code into the front end of WordPress sites running the ‘Coming Soon Page & Maintenance Mode’ plugin version 1.7.8 or below. As a result, compromised WordPress sites display unwanted popup ads and redirect visitors to malicious landing pages, including tech support scams, malicious Android APKs, and pharmaceutical ads. The JavaScript code injected into the sites loads additional code from third-party domains to assemble the full malicious payload, which executes when a visitor opens the infected website. Once the payload executes in a visitor’s browser, an initial redirect sends the visitor to a destination chosen according to the type of device they are using. “The eventual destination sites vary in scope and intent. Some redirects land users on typical illegitimate ads for pharmaceuticals and pornography, while others attempt direct malicious activity against the user’s browser,” the researchers said. The XSS injection attacks originate from IP addresses associated with popular hosting providers and from obfuscated PHP shells with limited functionality. The attacks are carried out through a small array of compromised sites in order to hide the source of the activity. The XSS flaw has been patched in version 1.7.9 of the plugin.


Critical vulnerability in Palo Alto GlobalProtect SSL VPN software allows attackers to execute arbitrary code​

A critical remote code execution vulnerability has been found in the Palo Alto GlobalProtect portal and GlobalProtect Gateway products. The vulnerability was discovered by security researchers during Red Team assessment services. Tracked as CVE-2019-1579, it affects all organisations that use the GlobalProtect software, including ride-sharing platform Uber. Attackers could exploit the vulnerability to execute arbitrary code. The affected versions are PAN-OS 7.1.18, PAN-OS 8.0.11, and PAN-OS 8.1.2. An attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN. The vulnerability exists because the gateway passes the value of a particular parameter to ‘snprintf’ without sanitization. “The researchers sought to identify whether any large organizations might be running a vulnerable version of GlobalProtect. They found that popular ride-hailing service, Uber, was running an unpatched version. They confirmed their exploit worked against Uber and reported their findings,” Tenable said. Palo Alto Networks has patched the vulnerability in its latest versions, PAN-OS 7.1.19, PAN-OS 8.0.12, and PAN-OS 8.1.3. “If you have not already upgraded to the available updates listed above and cannot do so now, we recommend that you update to content release 8173, or a later version, and confirm threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface,” the security advisory read.


Edited and compiled by cyber security specialist James Aguilan.