Threat Report

Have you been pwnd by the threats in this week’s report? This week includes active campaigns for landing AZORult malware, WordPress exploitation, a couple of breaches, and some state sponsored DDoS with the Great Canon.

WordPress campaign creates rogue admins

In this new WordPress campaign, the attackers are exploiting known vulnerabilities in WordPress plugins to create rogue admin accounts on WordPress sites across the internet. Known vulnerabilities in WordPress are exploited to inject malicious JavaScript into the front end of the victim’s sites, redirecting site visitors to potentially harmful content like malware dropper and fraud sites.

According to Wordfence, the attacks were identified coming from IP address, 104.130.139.134, which is owned by hosting provider Rackspace.

The attack added a script which attempts to install a backdoor into the target site by exploiting an administrator’s session. The script attempts to create a new user with administrative privileges on the victim’s site.

Before creating a new user, it will see if the visitor has triggered the payload before. The function “putmeone()” creates a user named “wpservices” with the email “wpservices@yandex.com” and the password “w0rdpr3ss”.

With this user in place, the attacker is free to install further backdoors or perform other malicious activity.

The plugins currently under attack in this campaign are Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, Hybrid Composer, and all former NicDark plugins.

Users should keep software and firmware up to date with the latest releases to prevent vulnerabilities.

Domains

Yourservice[.]live
Adsnet[.]work

IP Address

104.130.139[.]134

Fake BleachBit used to install AZORult

In a familiar technique of luring users to install legitimate software that has been packed with a trojan, attackers are now using BleachBit as a lure. We previously reported on this technique used with trojan-packed NordVPN software. This is easier for attackers (than actually breaching legitimate software) to weaken software during the build process, like what happened to Webmin.

A web page that purports to be the official website of the BleachBit has been spotted delivering the AZORult malware. BleachBit is a tool that helps Windows, Linux, and macOS users reclaim disk space by deleting disposable data.

AZORult is an info-stealer malware that can collect various types of sensitive data from an infected machine. Once installed on the targeted machine, AZORult will then contact its command-and-control server for instructions.

The phishing domain attackers used was “bleachbitcleaner.com”, last updated on August 27. Attackers used this domain to lure victims and cloned the real bleachbit site to make it more legitimate. Security researcher Benkow made the discovery and followed the payload trail to the Dropbox file sharing platform.

He also tracked the server that received the data taken from infected computers to “twooo.cn”.

A VirusTotal scan found the fake version of BleachBit 2.2 (setup.zip) to be malicious. You should monitor your systems for signs of infection based on these indicators of compromise. No indicators of compromise were released with this report.

Mastercard and XKCD breaches disclosed

A database containing sensitive information of about 90K German Mastercard “Priceless Specials” loyalty program members was exposed online September 1st, 2019 after a breach.

The data included customers’ names, payment card numbers, partial credit card data, IP addresses, email addresses, phone numbers, gender, and dates of birth. Mastercard disclosed the incident to the German and Belgian Data Protection Authorities on August 23.

According to ‘Have I Been Pwned’, the data contains details of 89,338 German Mastercard customers, with 46% of addresses (part of this breach) already having been added to the platform as part of previous database dumps.

Mastercard requested all sites with leaked customer data delete all the personal info belonging to its Priceless Specials members. Mastercard suspended the German “Priceless Specials” bonus program and took down its website.

Mastercard customers who want to check if their info has been exposed can enter their email address at ‘Have I Been Pwned’ to receive a report if their info has been found in any breaches added to the platform, including this Mastercard “Priceless Specials” one.

In other news from ‘Have I Been Pwned’ XKCD, the popular Web comic, was hit by data breach back in July 2019. It affected nearly 562K members’ usernames, email and IP addresses, and passwords stored in MD5 phpBB3 format. The breach was a result of an open source phpBB message board software flaw.

There have only been two recent phpBB vulnerabilities reported in 2019. One was a DoS so that’s out. The second, CVE-2019-11767, was an SSRF in the avatar upload. Unless someone got code execution through the SSRF there may be a phpBB 0-day out there.

After discovery of the breach, the message board was taken down by the administrators. Users affected by the breach were notified already via email. XKCD also urged users to “immediately change the password for any other accounts on which you used the same or a similar password.”

The Great Canon turns on Hong Kong

Hong Kong protests began in June due to a bill that would allow extradition to mainland China and to the expanding control of China over Hong Kong. The protesters use messaging apps or forums to organize mass rallies in Hong Kong and to quickly change and implement plans.

LIHKG is a key Cantonese language forum for coordinating logistics surrounding the 2019 Hong Kong protests, and for advertising future protests among the Hong Kong public.

Over the weekend, LIHKG forum was taken down by a large DDoS attack that overwhelmed its servers. LIHKG was the second large cyberattack on apps used by Hong Kong protesters. The first one was on Telegram which also believed to be an attack from China, according to the report.

Based on the admin report from LIHKG, the Great Canon fired over 1.5B shots from 6.5M unique sources at a rate exceeding 260K shots/sec. And, that’s just what they could measure. Countless other shots never landed as networks were choked up and LIHKG was knocked offline.

A group of protesters released a statement saying that they have reasons to believe that a “national level power” was behind the flood of traffic choking the site. Citizen Lab agrees that it is likely China that controls the Great Canon. Based on a throw away Twitter account, the suspected script was posted to pastebin which contains a variable with a feedback address belonging to a Chinese company.

Though the site service was restored after hours of being offline, LIHKG gave a warning that some of its app could still be targeted by another attack.

Domain

Qihucdn[.]com

IP Address

116.255.226[.]154

We'd love to hear your thoughts. Find us on Twitter, LinkedIn or write in to hello@perchsecurity.com

Next: Threat Report Wednesday August 28th 2019