Markus Wolfgang, the researcher who discovered the vulnerability (CVE-2019-0604 in Microsoft SharePoint) in March, soon published a demo exploit for it on GitHub, and PoC code from other developers began appearing on Pastebin.
Attacks were not long in coming: the first was observed at the end of April. The Canadian Centre for Cyber Security published its warning last month, and last week a second one arrived, this time from Saudi Arabia's National Cyber Security Centre (NCSC).
According to the reports of both organizations, cybercriminals compromise SharePoint servers and install a variant of the China Chopper malware. China Chopper is a web shell that lets attackers connect to the compromised server and run arbitrary commands on it.
Experts cannot say who is responsible for the attacks.
“Trusted researchers have identified compromised systems belonging to the academic, utility, heavy industry, manufacturing and technology sectors,” reports the Canadian Centre for Cyber Security.
The following versions of Microsoft SharePoint are known to be affected:
It is likely that the current campaign is leveraging CVE-2019-0604 in order to deploy the web shell. Microsoft released security updates addressing this vulnerability in February and March 2019; however, many systems remain outdated.
The NCSC does not say exactly who fell victim to the attacks, though it is evidently a Saudi Arabian organization.
At first glance the attacks may look connected to each other, but that is not necessarily the case. China Chopper is very common malware and, despite its name, is used by cybercriminals worldwide. Developer Chris Doman notes that one of the IP addresses used in the attacks had previously been seen in the FIN7 group's arsenal.
“One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command and control server for malware linked to FIN7,” reported Chris Doman.
As Adware.Guru reported, the cybercriminal organization FIN7 is still active despite the arrest of its key members.
To avoid these attacks, it is recommended to install the latest security updates on SharePoint servers. If the patch cannot be installed, the servers should be placed behind a firewall.
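As an added illustration (not code from the article or from either advisory), a small Python triage script over constructed IIS W3C log lines: it flags requests from the C2 address quoted above and, as a heuristic, successful POSTs to .aspx pages under SharePoint's _layouts path from addresses outside the RFC 1918 ranges, which is how web-shell traffic typically shows up in web server logs. The sample log, the field layout and the heuristic are assumptions.

```python
import ipaddress

# IoC quoted in the article (defanged there as 194.36.189[.]177).
IOC_IPS = {"194.36.189.177"}

# Assumed "internal" ranges; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample IIS log (fields: date time c-ip cs-method cs-uri-stem sc-status).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2019-05-06 10:01:12 10.0.0.15 GET /sites/finance/default.aspx 200
2019-05-06 10:02:40 194.36.189.177 POST /_layouts/15/picker.aspx 200
2019-05-06 10:03:05 203.0.113.9 POST /_layouts/15/t.aspx 200
2019-05-06 10:03:30 10.0.0.22 POST /_layouts/15/upload.aspx 200
2019-05-06 10:04:01 198.51.100.4 GET /_layouts/15/images/logo.png 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; comments and short lines yield None."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 6:
        return None
    return {"ip": parts[2], "method": parts[3], "uri": parts[4], "status": parts[5]}


def is_external(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def scan(log_text, ioc_ips=IOC_IPS):
    """Return (line_no, client_ip, reason) for every suspicious request."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        uri = rec["uri"].lower()
        if rec["ip"] in ioc_ips:
            hits.append((n, rec["ip"], "request from FIN7-linked C2 address"))
        elif (rec["method"] == "POST" and uri.endswith(".aspx")
              and "/_layouts/" in uri and rec["status"] == "200"
              and is_external(rec["ip"])):
            hits.append((n, rec["ip"], "external POST to .aspx under _layouts (web-shell heuristic)"))
    return hits
```

Hits should be treated as a starting point for triage against the affected server's patch level and the files present under the _layouts directory, not as proof of compromise.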
Source: https://www.zdnet.com