MFA Bypassed in IMAP-Based Attacks on Office 365 and G Suite Accounts
Multi-factor authentication can prevent accounts from being accessed if passwords are stolen or obtained using brute force tactics; however, Proofpoint has discovered that multi-factor authentication is being bypassed on Office 365 and G Suite accounts using the legacy IMAP protocol. The IMAP authentication protocol bypasses MFA and attackers are able to avoid being locked out of accounts. The methods used made failed login attempts...
March 2019 Patch Tuesday: 2 Actively Exploited Bugs Patched by Microsoft
March 2019 Patch Tuesday has seen Microsoft issue fixes for 64 vulnerabilities, two of which are being actively exploited in the wild. The two actively exploited flaws are being tracked as CVE-2019-0808 and CVE-2019-0797. The first is a zero-day vulnerability in the Win32k component of Windows that could be exploited by an authenticated user to elevate privileges and execute arbitrary code. The flaw was identified by Google’s...
Verifications.io MongoDB Misconfiguration Exposed 2 Billion Records
The enterprise email verification service, Verifications.io, has exposed around 2 billion records due the misconfiguration of MongoDB instances. The data leak was discovered by researcher Bob Diachenko, who identified an unsecured 150 GB MongoDB instance. Analysis of the database showed it contained around 809 million records. However, a subsequent analysis by DynaRisk revealed four MongoDB instances had been exposed, which in total...
Jackson County, Georgia Pays $400,000 Ransom to Recover Encrypted Files
After considering the potential costs and benefits, Jackson County, Georgia determined that paying the ransom demand to unlock files encrypted in ransomware attack was the best option, even though the ransom demand was around $400,000. The attack occurred over the weekend of March 2/3, 2019, and resulted in the widespread encryption of data. The email system of the country’s government was taken out of action, and even systems used by...
Google Chrome and Windows 7 Flaws Being Actively Exploited in the Wild
All Chrome users have been advised to update to the latest version of the browser – 72.0.3626.121 – as soon as possible to prevent a zero-day flaw from being exploited. Google released the new Chrome version on March 1, 2019, which addressed a use-after-free vulnerability in the FileReader component of Chrome that is being tracked as CVE-2019-5786. FileReader is an API used by web applications to read the contents of files...
Actively Exploited Zero-Day ColdFusion Vulnerability Patched by Adobe
Adobe has issued an out-of-band update to correct the actively exploited ColdFusion vulnerability CVE-2019-7816. The zero-day flaw in its web application development platform is a file upload restriction bypass issue. If exploited, the flaw could allow remote code execution. At least one threat actor is known to be exploiting the flaw in the wild. According to Adobe, in order to exploit the flaw, an attacker would need to have the...
WinRAR Vulnerability Actively Exploited in the Wild to Install Backdoor
The 19-year old WinRAR vulnerability that was recently identified by Check Point is being exploited in the wild to install a backdoor that allows remote access. An updated version of WinRAR was released in January to correct the flaw, but many users have yet to update to the latest version of the file compression tool. In January it was estimated that around 500 million individuals worldwide had a vulnerable version of WinRAR...
B0r0nt0K Ransomware Attack Could Cost You $75,000
A new cryptoransomware threat called B0r0nt0K ransomware is being used to encrypt files on Linux and Windows servers. If you haven’t backed up, you will have to pay a ransom of 20 Bitcoin – Around $75,000 – to recover your files. The new threat was reported to Bleeping Computer by a forum user whose client had been attacked with the new ransomware variant and had website files encrypted. B0r0nt0K Ransomware encrypted all files...
Zero-Day WinRAR Remote Code Execution Flaw Allows Full PC Takeover
A patch has been released to correct a 19-year old zero-day WinRAR remote code execution vulnerability. The flaw was identified by security researchers at Check Point who were able to successfully exploit the flaw to take full control of a vulnerable computer. All that is required is to send an email to someone with an out-of-date version of the software installed on their computer and convince them to open an attached compressed...
Businesses Targeted in Ongoing Credential-Stealing Separ Malware Phishing Attack
An ongoing phishing campaign is targeting businesses and distributing the information-stealing Separ malware. The campaign has mostly concentrated on businesses in South East Asia and the Middle East, although some businesses in North America have also been attacked. The Separ information stealer has been in use since September 2017, with earlier versions of the info-stealer dating back to 2013. The latest campaign, which uses an...
Drupal Updates Released to Correct Critical RCE Vulnerability
An update for the Drupal CMS has been released that corrects a critical vulnerability – CVE-2019-6340 – which, if exploited, could allow the execution of arbitrary PHP code. The vulnerability is the result of improper sanitization of data in certain field types. Exploitation of the vulnerability is possible if the core RESTful Web Services module is enabled and PATCH and POST requests are allowed. It is also possible for the...
GandCrab Ransomware Decryptor Developed for Versions 5.0.4 to 5.1
A free GandCrab ransomware decryptor has been released that works for the latest version of the ransomware. Files encrypted by versions 1, 4, early versions of 5, and versions 5.0.4 to 5.1 can now be decrypted without paying the ransom. GandCrab ransomware was first detected in January 2018 and went on to become the biggest ransomware threat of 2018. In addition to encrypting local files on an infected device, GandCrab ransomware can...
Trickbot Trojan Updated to Obtain VNC, PuTTY, and RDP Credentials
The Trickbot banking Trojan has been updated with a new module which is capable of obtaining VNC, PuTTY, and remote desktop credentials. The latest variant of Trickbot is being distributed in a tax season-themed phishing campaign involving emails that offer help with recent changes to the U.S. tax code to reduce tax bills. The emails appear to have been sent by the accounting organization Deloitte and have a tax incentive-related...
FINRA Issues Phishing Warning to Brokerage Firms
The Financial Industry Regulatory Authority (FINRA) has issued a warning to brokerage firms about a new phishing campaign. The scam involves spam emails which appear to have been sent from a credit union alerting the brokerage firm to potential money laundering by one of their clients. The email messages appear to have been sent by a BSA-AML compliance officer at a legitimate Indiana-based credit union and contain details of the...
MSPs Targeted in New GandCrab Ransomware Campaign
Managed service providers (MSPs) and IT support companies are being targeted in a new GandCrab ransomware campaign. MSPs are an attractive target. If access can be gained to MSP systems, the attackers can abuse trusted relationships to perform attacks on their clients. MSPs are often used by SMBs that do not have the internal resource to manage their own IT or have insufficient staff numbers to devote to cybersecurity. MSPs perform a...
Emotet Threat Actors Now Distributing Trojan via XML Files Masked as Word Documents
At least one cybercriminal group distributing the Emotet Trojan has started using a new tactic to infect end users with the malware. The malware is now being delivered using XML files disguised as Word documents, with the malware installed via embedded macros. The Emotet Trojan is one of the most rapidly evolving malware variants. The malware is regularly updated with new functions and the methods used to distribute the malware and...
Mac Users Targeted with New Shlayer Malware Variant
A new Shlayer malware variant has been detected that infects Mac computers and disables macOS Gatekeeper security software. The latest version of the malware was identified by researchers at Carbon Black and appears to only target MacOS versions from 10.10.5 to 10.14.3. Shlayer malware is distributed via fake Flash Player updates. Warnings are generated when visiting websites advising the user that their Flash Player is out of date...
VFEmail Suffers Catastrophic Cyberattack with Permanent Loss of Customers Email Data
The email provider VFEmail has suffered a cyberattack that has caused “catastrophic destruction.” A hacker with a Bulgarian IP address gained access to its U.S. servers and formatted them; destroying all data in its primary and backup systems. The attack started in the morning of February 11, 2019. VFEmail issued a statement saying that all disks on its U.S. servers were formatted and all of its virtual machines, mail servers, and...
February 2019 Patch Tuesday: Microsoft Fixes 74 Vulnerabilities; Adobe 75
February 2019 Patch Tuesday has seen almost 150 vulnerabilities fixed by Microsoft and Adobe, including 43 critical Adobe flaws and 20 critical Microsoft vulnerabilities, one of which is being actively exploited in the wild. The actively exploited vulnerability was discovered by the Google Project Zero team. The vulnerability is in Internet Explorer 11 – CVE-2019-0676 – and could be exploited if a user visits a specially...
Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials
A phishing campaign has been detected that abuses Google Translate to make the phishing webpage appear to be an official login page for Google. The phishing emails in the campaign are similar to many other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body virtually identical to the messages sent by Google when a user’s Google account has been accessed from an unfamiliar device...
Office 365 Phishing Campaign Uses SharePoint Collaboration Request as Lure
A single Office 365 username/password combination can give a hacker access to a vast quantity of sensitive information. Information detailed in emails can be of great value to competitors, identity thieves, and other fraudsters. Office 365 credentials also give hackers access to cloud storage repositories that can contain highly sensitive business information and compromised accounts can be used to distribute malware and conduct...
New Speakup Linux Backdoor Trojan Used in Widespread Attacks
Security researchers at Check Point have identified a new Trojan named Speakup which is being used in targeted attacks on Linux servers. The Speakup Linux backdoor Trojan can also be used to attack Mac devices. The Trojan is deployed via exploits of vulnerabilities across six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062. The current campaign is targeting Linux devices in China,...
Xvideos Sextortion Scam Threatens to Expose Porn Viewing Habits
An xvideos sextortion scam threatens to expose users’ porn viewing habits to friends, family, and work colleagues. The scammer claims to have recorded the user via the webcam while they viewed content on the xvideos adult website. The email is made more believable by the inclusion of the user’s password in the message body. The scammer claims to have gained access to the email recipient’s computer and installed a keylogger. The...
Apple IOS Vulnerability Allows Hackers to Snoop on FaceTime Calls
A serious Apple IOS vulnerability has been detected that allows people to gain access to both the microphone and the front facing camera on Apple devices by exploiting a flaw in FaceTime. Further, the flaw even allows microphone/camera access if the call is not answered. The flaw has prompted many security experts to suggest Apple device owners to stop using FaceTime until the flaw is corrected. To exploit the flaw, a user would need...
Fake Google Update Installer Used to Install AZORult Trojan
Researchers at Minerva Labs have identified a new AZORult Trojan campaign that installs the malware through a fake Google update installer. The AZORult Trojan is an information stealer that can obtain system information, cookies, passwords stored in browsers, browser histories, information from saved files, banking credentials, and cryptocurrency wallets. The malware is also used as a downloader of other malware variants and is...
0Patch Micropatches Released to Address 3 Zero-Day Windows Flaws
0Patch has released a micropatch to address three zero-day Windows flaws that have yet to be addressed by Microsoft, including a zero-day remote code execution vulnerability in the Windows Contacts app. The 0Patch platform allows micropatches to be quickly distributed, applied, and removed to/from running processes without having to reboot computers or even restart processes. The platform is still in beta, although testing and...
STOP Ransomware Delivered via Software Cracks
STOP ransomware, a crypto-ransomware variant that uses the .rumba file extension on encrypted files, is being delivered via software cracks. Software cracking programs that generate licenses for popular software programs are commonly used to deliver malware. The executable files often install spyware and adware code during the cracking process and while it is not unknown for other malware to be installed when the programs are run, it...
Cryptocurrency Mining Malware Tops Most Wanted Malware List
Check Point’s Most Wanted Malware report for December 2018 shows that cryptocurrency mining malware was the leading malware threat in December. The top four malware threats in December 2018 were all cryptocurrency miners. Top spot goes to the Monero miner Coinhive: An online miner that uses the processing power of visitors’ computers whenever they visit a website that has had the miner installed. Coinhive has topped the Most Wanted...
773 Million Email Addresses and 21 Million Unique Passwords Listed for Sale
A massive collection of login credentials that includes approximately 773 million email addresses has been uncovered by security researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and maintains the Have I Been Pwned (HIBP) website, where people can check to see whether their login credentials have been stolen in a data breach. Hunt discovered the 87GB database on a popular hacking forum. The data was spread across...
Highly Sophisticated Apple Vishing Scam Detected
A sophisticated Apple vishing scam has been uncovered. In contrast to most phishing attempts that use email, this scam used voice calls (vishing) with the calls appearing to have come from Apple. The scam starts with an automated voice call to an iPhone that spoofs Apple Inc. The caller display shows that the call is from Apple Inc., increasing the likelihood that the call will be answered. The user is advised that there has been a...
January 2019 Patch Tuesday Updates
January 2019 Patch Tuesday has seen 51 flaws corrected in Microsoft products. There are four updates to correct flaws in the Microsoft Edge Browser. Seven of the 51 updates have been marked as critical. January 2019 Patch Tuesday Critical Vulnerabilities in Microsoft Products The 51 updates are broken down as: Microsoft JET Database Engine (11), Microsoft Windows (6), Microsoft Office (4), Microsoft Office SharePoint (4), Windows...
Free Decryptor for Fileslocker Ransomware Developed After Master Key Leaked
A free decryptor for Fileslocker ransomware has been developed following the leaking of the master key for the ransomware on Pastebin. The master key is the key used by threat actors to decrypt files that have been encrypted by the ransomware. The post was created on December 29, 2018 and states that the master key, which decrypts the private key, is “applicable to V1, V2 version” and that the poster is “waiting for security personnel...
Tribune Publishing Cyberattack Cripples Several U.S. Newspapers
A recent malware attack on Tribune Publishing has caused disruption to several newspaper print runs including those of the Los Angeles Times, San Diego Tribune, and the west coast editions of the New York Times and Wall Street Journal, amongst others. The Tribune Publishing cyberattack occurred on Thursday December 28, 2018, and spread throughout the Tribune Publishing network on Friday, affecting the Saturday editions of several...
FTC Issues Warning About New Netflix Phishing Scam
The U.S. Federal Trade Commission has issued a warning about a new global Netflix phishing scam that attempts to fool Netflix subscribers into disclosing their account credentials and payment information. The scam uses a tried and tested tactic to obtain that information: The threat of account closure due to payment information being out of date. Users are sent a message asking them to update their payment details because Netflix has...
Orange Livebox Modems Leaking WiFi Information
Hackers are exploiting a flaw (CVE-2018-20377) in Orange Livebox ASDL modems that allows them to obtain the SSID and the Wi-Fi password of the devices in plaintext. Once access is gained to a vulnerable modem, attackers could update the firmware and change device settings. Exploiting the flaw is as simple as sending a GET request. The flaw was identified by Troy Mursch at Bad Packets, who noticed the firm’s honeypots were being...
Backdoor and Ransomware Detections Increased More than 43% in 2018
The recently published Kaspersky Security Bulletin 2018 shows there has been a 43% increase in ransomware detections and a 44% increase in backdoor detections in the first 10 months of 2018, highlighting the growing threat from malware. Kaspersky Lab is now handling 346,000 new malicious files every day and has so far detected more than 21.64 million malicious objects in 2018. Backdoor detections increased from 2.27 million to 3.26...
Actively Exploited Internet Explorer Flaw Patched by Microsoft
Microsoft has issued an out of band update for Internet Explorer to correct a vulnerability that is being actively exploited in the wild. The Internet Explorer flaw was found by Clement Lecigne at Google’s Threat Analysis Group, who reported the vulnerability to Microsoft. The remote code execution flaw, tracked as CVE-2018-8653, is in the Internet Explorer scripting engine, which handles memory objects. If the flaw is exploited, an...
New Office 365 Phishing Attack Detected
A new Office 365 phishing attack has been identified that uses alerts about message delivery failures to lure unsuspecting users to a website where they are asked to provide their Office 365 account details. The new scam was detected by security researcher Xavier Mertens during an analysis of email honeypot data. The emails closely resemble official messages sent by Microsoft to alert Office 365 users to message delivery failures. The...
Microsoft and Adobe December 2018 Patch Tuesday Updates
December 2018 Patch Tuesday has seen Microsoft issue patches for 39 vulnerabilities, 10 of which have been rated critical, and two are being actively exploited in the wild. There are 9 critical vulnerabilities in Microsoft products and one critical vulnerability in Adobe Flash Player. The patches cover the following products and services: Microsoft Windows, Microsoft Office, Internet Explorer, Microsoft Edge, Microsoft Office...
2018 Security Awareness Training Statistics
A recent survey conducted by Mimecast has produced some interesting security awareness training statistics for 2018. The survey shows many businesses are taking considerable risks by not providing adequate training to their employees on cybersecurity. Ask the IT department what is the greatest risk cybersecurity risk and many will say end users. IT teams put a considerable amount of effort into implementing and maintaining...
Adobe Patches Actively Exploited 0-Day Vulnerability in Flash Player
On Wednesday, December 5, 2018, Adobe issued an update to correct a vulnerability in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has already attacked a healthcare facility in Russia that is used by senior civil servants. The vulnerability was identified by researchers at Gigamon who passed on details of the vulnerability to Adobe in late November. Qihoo 360 researchers...
Marriott Announces 500 Million-Record Breach of Starwood Hotel Guests’ Data
The Marriott hotel chain has announced it has suffered a massive data breach that has resulted in the theft of the personal information of up to 500 million guests of the Starwood Hotels and Resorts group. Marriott discovered the data breach on September 8, 2018 after an alert was generated by its internal security system following an attempt by an unauthorized individual to access the Starwood guest reservation database. Third-party...
49% of All Phishing Sites Have SSL Certificates and Display Green Padlock
Almost half of phishing sites now have SSL certificates, start with HTTPS, and display the green padlock to show the sites are secure, according to new research by PhishLabs. The number of phishing websites that have SSL certificates has been increasing steadily since Q3, 2016, when around 5% of phishing websites were displaying the green padlock to indicate a secure connection. The percentage increased to approximately 25% of all...
Major Malvertising Campaign Detected: 300 Million Browser Sessions Hijacked in 48 Hours
A major malvertising campaign is being conducted that is redirecting web users to phishing and scam websites. While malvertising campaigns are nothing new, this one stands out due to the scale of the campaign. In 48 hours, more than 300 million users have had their browsers redirected to malicious web pages. The campaign was uncovered by researchers at cybersecurity firm Confiant on November 12. The researchers note that the actor...
APT28 Group Uses New Cannon Trojan in Spear Phishing Campaign Targeting US and EU Government Agencies
A new spear phishing campaign is being conducted by the AP28 (Sofacy Group/Fancy Bear/Sednit) on government organizations in the United States, Europe, and a former USSR state using the previously unknown Cannon Trojan. The campaign was detected by Palo Alto Networks’ Unit 42 team and was first identified in late October. The campaign is being conducted via spam email and uses weaponized Word document to deliver two malware variants....
Critical AMP for WP Plugin Vulnerability Allows Any User to Gain Admin Rights
A new critical WordPress plugin vulnerability has been identified that could allow site users to escalate privileges to admin level, giving them the ability to add custom code to a vulnerable website or upload malware. The vulnerability is in the AMP for WP plugin, a popular plugin that converts standard WordPress posts into the Google Accelerated Mobile Pages format to improve load speeds on mobile browsers. The plugin has more than...
TA505 APT Group Spreading tRat Malware in New Spam Campaigns
The prolific APT group TA505 is conducting spam email campaigns spreading a new, modular malware variant named tRAT. tRAT malware is a remote access Trojan capable of downloading additional modules. In addition to adding infected users to a botnet, the threat actors have the option of selling access to different elements of the malware to other threat groups for use in different attacks. Threat researchers at Proofpoint intercepted...
Phishing Accounts for 50% of All Fraud Attacks
An analysis of current cyber fraud threats by network security firm RSA shows that phishing attacks have increased by 70% since Q2 and now account for 50% of all fraud attacks suffered by organizations. Phishing attacks are popular because they are easy to conduct and have a high success rate. An attacker can set up a webpage that mimics a well-known brand such as Microsoft or Google that requests login details. Emails are then sent...
Microsoft Patches 12 Critical Vulnerabilities on November Patch Tuesday
Microsoft has issued patches for 12 critical vulnerabilities in November Patch Tuesday and has fixed a flaw that is being actively exploited by at least one threat group. In total, 64 vulnerabilities have been fixed across Windows, IE, Edge, and other Microsoft products. The 12 critical vulnerabilities could allow hackers to execute malicious code and take full control of a vulnerable device. The majority of the critical...
WordPress GDPR Compliance Plugin Vulnerability Being Actively Exploited
Websites with the WordPress GDPR Compliance plugin installed are being hijacked by hackers. A vulnerability in the plugin is being exploited, allowing attackers to modify site settings and register new user accounts with admin privileges. The vulnerability can be remotely exploited by unauthenticated users, many of whom have automated exploitation of the vulnerability to hijack as many sites as possible before the vulnerability is...
Zero-Day VirtualBox Vulnerability and Exploit Published
Details of a zero-day VirtualBox vulnerability have been published online along with a step by step exploit. The vulnerability in the Oracle open source hosted hypervisor was published on GitHub by Russian security researcher, Sergey Zelenyuk, rather than being disclosed to Oracle to allow the bug to be fixed. The decision was influenced by a previous vulnerability that he found in VirtualBox that was disclosed to Oracle but took the...
Elon Musk Bitcoin Scam Generates $180,000 in a Day
The promise of payment of a sizable sum in return for a small payment is a classic scam that has been conducted in various forms for many years. An administration fee is required before a Saudi prince’s inheritance will be paid, and payment I required to help a widow get her husbands fortune out of the country. This week an interesting variation of the scam has been conducted on Twitter that has been surprisingly effective. The Saudi...
BleedingBit Vulnerabilities Affect Millions of Wireless Access Points
Armis Labs has identified two vulnerabilities in Texas Instruments’ Bluetooth Low Energy (BLE) chips that are used in wireless access points manufactured by Cisco, Meraki, and Aruba. The affected wireless access point are used by hundreds of thousands of businesses around the world. Cisco, Meraki, and Aruba supply at least 70% of business wireless access points, which places all of those businesses at risk. It is not yet known exactly...
Stealthy sLoad Downloader Performs Extensive Reconnaissance to Improve Quality of Infected Hosts
A new PowerShell downloader has been discovered – the sLoad downloader – which is being used in stealthy, highly targeted attacks in the United Kingdom and Italy. The sLoad downloader performs a wide range of checks to find out a great deal of information about the system on which it resides, before choosing the most appropriate malicious payload to deploy – if a payload is deployed at all. The sLoad downloader was first identified in...
Zero-Day Windows Data Sharing Service Vulnerability Discovered
A Windows zero-day vulnerability has been discovered that allows hackers to delete application dlls and cause a system to crash and potentially hijack systems. The vulnerability allows an attacker to elevate privileges and delete files that should only be accessible by admins and takes advantage of a Windows service that fails to check permissions. That service, the Windows Data Sharing Service – dssvc.dll, was introduced in...
Exploits Published for LibSSH Vulnerability: Immediate Patching Required
A recently discovered LibSSH vulnerability, that has been described as ‘comically bad’ by the security researcher who discovered it, has been patched. The flaw is ridiculously easy to exploit. Unsurprisingly, various scripts and tools have been published that allow vulnerable devices to be found and the flaw to be exploited. If the LibSSH vulnerability is exploited, which requires little skill even without one of the published...
Sophisticated Phishing Attack Inserts Malware into Existing Email Conversation Threads
A new sophisticated phishing tactic has been identified that involves a malicious actor gaining access to an email account, monitoring a conversation thread, and then inserting malware in a reply to an ongoing discussion. The scam is a variation of a Business Email Compromise (BEC) attack. BEC attacks typically involve using a compromised email account to send messages to accounts or payroll employees to get them to make fraudulent...
Microsoft Addresses 49 Flaws Including One Actively Exploited Vulnerability
Almost 50 vulnerabilities have been patched by Microsoft on October Patch Tuesday including one zero-day vulnerability that is being actively exploited in the wild by the FruityArmor APT group. The zero-day (CVE-2018-8453) is linked to the Win32k component of Windows and is an elevation-of-privilege vulnerability discovered by Kaspersky Lab. If exploited, a threat actor could run arbitrary code in kernel mode and could create new...
Phishers Using Azure Blog Storage to Host Phishing Forms with Valid Microsoft SSL Certificate
Cybercriminals are using Microsoft Azure Blog storage to host phishing forms. The site hosting the malicious files has a genuine Microsoft SSL certificate which adds authenticity to the campaign. Similar tactics have been used in the past for Dropbox phishing scams and attacks that impersonate other cloud storage platforms. A typical phishing scenario involves an email being sent with a button or hyperlink that the user is requested...
Cofense Research Reveals Extensive Abuse of Zoho Email by Keyloggers
New research from Cofense has revealed there has been a significant rise in keylogger activity in 2018 which backs up research conducted by Microsoft that showed the resurgence of a keylogger known as Hawkeye. Keyloggers are information-stealing malware that log keystrokes on a computer and other input from human interface devices (HUDs) such as webcams and microphones. Many modern keyloggers are also able to copy information from the...
Persistent New LoJax Rootkit Survives Hard Disk Replacement
Security researchers at ESET have identified a new rootkit that takes persistence to a whole new level. Once infected, the LoJax rootkit will remain active on a device even if the operating system is reinstalled or the hard drive is reformatted or replaced. Rootkits are malicious code that are used to provide an attacker with constant administrator access to an infected device. They are difficult to detect and consequently they can...
Increased Remote Desktop Protocol Attacks Prompts IC3 to Issue Warning
The FBI’s Internet Crime Complaint Center (IC3) has issued a warning to businesses about the abuse of remote administration tools such as Remote Desktop Protocol. The warning was prompted by a significant rise in attacks and darknet marketplaces selling RDP access. Remote Desktop Protocol was first introduced into Windows in 1996 and has proven to be a valuable tool. It allows employees to connect to their office computer remotely and...
Danabot Banking Trojan Used in U.S. Campaign
The DanaBot banking Trojan was first detected by security researchers at Proofpoint in May 2018. It was being used in a single campaign targeting customers of Australian Banks. Further campaigns were later detected targeting customers of European banks, and now the attacks have moved across the Atlantic and U.S. banks are being targeted. Banking Trojans are a major threat. Proofpoint notes that they now account for 60% of all malware...
Q2, 2018 Saw an 86% Rise in Cryptocurrency Mining Malware Detections
2018 has proven to be the year of cryptocurrency mining malware. Cybercriminals are increasingly abandoning other forms of malware and ransomware in favor of malware capable of hijacking processors and mining cryptocurrency. Mining cryptocurrency requires computers to solve the complex problems necessary to verify cryptocurrency transactions and add them to the blockchain ledger. That requires considerable processing power and takes...
Cofense Takes a Closer Look at Healthcare Phishing Attacks
Cofense, the leading provider of human-based phishing threat management solutions, has published new research that shows the healthcare industry lags behind other industry sectors for phishing defenses and is routinely attacked by cybercriminals who often succeed in gaining access to sensitive patient health data. The Department of Health and Human Services’ Office for Civil Rights publishes a summary of data breaches reported by...
Pegasus Spyware Campaigns Gather Pace: Infections Detected in 45 Countries
Pegasus spyware is a legitimate surveillance tool that has been attributed to the Israeli cyber-intelligence firm NSO Group. The spyware works on both Android smartphones and iPhones to allow security services to intercept text messages, track phone calls, trace a phone’s location, and obtain passwords and data from apps installed on an infected device. Since at least 2016, NSO Group has been offering Pegasus spyware to nation state...
New Python Ramsomware Threat Detected
Security researchers at Trend Micro have identified a new Python ransomware threat that piggybacks on the success of Locky ransomware. The threat actors behind the ransomware have copied the ransom note used by the gang responsible for Locky. The ransomware note claims files have been encrypted by Locky Locker. Trend Micro have instead named this new ransomware threat PyLocky. Python is a popular script-writing language, although it...
New Brazilian Banking Trojan Hides in Plain Sight
An innovative new Brazilian banking Trojan has been detected by security researchers at IBM X-Force. The Trojan has been named CamuBot due to its use of camouflage to fool employees into running the installer for the malware. As with other banking Trojans, its purpose is to obtain bank account credentials, although its method of doing so is different from most of the banking Trojans currently used by threat actors in Brazil. Most...
Zero-Day Windows Task Scheduler Vulnerability Exploited by Threat Group
On August 27, a security researcher with the online moniker SandboxEscaper discovered a zero-day vulnerability in Windows Task Scheduler (Windows 7-10) and published a proof-of-concept exploit for the flaw on GitHub. Microsoft was not alerted to the flaw and was not given time to issue a fix to prevent the flaw from being exploited. Unsurprisingly, the exploit is now being used by at least one hacking group to attack businesses....
Massive URL Spoofing Campaign Discovered Targeting 76 Universities
A massive URL spoofing campaign targeting 76 universities in 14 countries has been detected by security researchers at SecureWorks. The threat group known as Cobalt Dickens is believed to be behind the attack. The group is believed to operate out of Iran and is well known for conducting these types of attacks. The latest campaign has seen the hacking group create more than 300 spoofed websites on sixteen domains. Hosted on those...
Micropatch Blocks Zero-Day Vulnerability in Windows Task Scheduler
On August 29, 2018, a proof-of-concept exploit for a zero-day vulnerability in Windows Task Scheduler was published on GitHub by a security researcher. The vulnerability had not previously been disclosed to Microsoft, and consequently, no patch has been released to address the flaw. If exploited, a malicious actor could elevate permissions of malicious code running on a compromised device from guest or user level to administrator...
Ransomware Attacks Slow as Cryptocurrency Mining Proves More Profitable
Over the past two years, ransomware has been favored by cybercriminals as it offered an easy way to make money. Campaigns could easily be conducted via spam email, and for many individuals, it was not even necessary to create the malware from scratch. Ransomware-as-a-service allowed campaigns to be conducted for a 60% cut of the profits generated with no programming experience required. While some threat actors are still using...
Exploit Published for Zero-Day Vulnerability Found in Windows Task Scheduler
A zero-day vulnerability has been discovered in Windows Task Scheduler and an exploit for the flaw has been published on GitHub. The local privilege escalation vulnerability exists in the Advanced Local Procedure Call (ALPC) interface and if exploited would enable a malicious actor to elevate the access of malicious code from a limited USER role to a SYSTEM account with full access. The Task Scheduler API function SchRpcSetSecurity...
AdvisorsBot Malware Used in Targeted Attacks on Hotels and Restaurants
Security researchers at Proofpoint have detected a new malware threat that is being used in targeted attacks on hotels, restaurants, and telecoms firms. AdvisorsBot malware, so named because its C&C servers contain the word advisors, was first detected in May 2018 in a variety of spam email campaigns. AdvisorsBot malware is under development although the current form of the malware has been used in multiple attacks around the...
New Critical Apache Struts Vulnerability Discovered
A new Apache Struts vulnerability has been discovered in the core functionality of Apache Struts. This is a critical flaw that allows remote code execution in certain configurations of the framework. The flaw could prove more serious than the one that was exploited in the Experian hack in 2017. Apache Struts is an open source framework used in many Java-based web applications. It has been estimated that at least 65% of Fortune 500...
Necurs Botnet Now Distributing Marap Malware
The Necurs botnet is being used to send huge quantities of spam emails containing Marap malware. Marap malware is currently being used for reconnaissance and learning about victims. The aim appears to be the creation of a network of infected users that can be targeted in future attacks. The malware creates a unique fingerprint for each infected device, contacts its C2 server, and sends information about the victim’s system to the...
SharePoint Files Used to Harvest Office 365 Credentials
A phishing campaign termed PhishPoint uses SharePoint files to steal users’ Office 365 credentials. Huge numbers of phishing emails are being sent to businesses that appear to be invitations to collaborate. Users are required to click the URL embedded in the email, which ultimately directs them to a malicious site where they are required to enter their Office 365 credentials. Those credentials are then captured by the attackers. The...
Multi-Factor Authentication Fail: Single MFA Token Used to Gain Access to All Accounts
Multi-factor authentication can help to secure accounts and protect against phishing attacks. If a correct username and password combo is obtained, without the second factor (E.g. SMS message, token, device, or email address) the account cannot be accessed. As the recently discovered data breach at Reddit demonstrated, multi-factor authentication is not a silver bullet. Reddit used SMS messages to a user’s mobile phone as the second...
New KeyPass Ransomware Campaign Infects Users in More than 20 Countries
A new ransomware variant – called KeyPass ransomware – is being used in a new campaign that has seen many victims created around the world. While Brazil and Vietnam have taken the brunt of the attacks, there have been victims in more than 20 countries with the list growing by the day. KeyPass ransomware is written in C++ and is a variant of STOP ransomware. At present it is not known how the KeyPass ransomware attacks are...
Faxploit Attack Uses Fax Machine to Gain Network Access and Steal Data
Since the 1960s, businesses have been using fax machines to send and receive orders and communicate data quickly. To a large extent, email has replaced the fax, although faxes are still extensively used, especially in healthcare. It has been estimated that there are still around 300 million fax machines in use around the world. While fax technology is old – it was first developed in the late 1800s – faxes are not typically...
New Shrug Ransomware Variant Detected
Shrug ransomware was first detected in early July. Now a new variant of this .NET ransomware variant has been detected, which has enhanced capabilities. Shrug ransomware was primarily distributed bundled with fake software and apps, although the infection vector for the latest version is not known. Phishing emails, RDP attacks, and drive-by downloads may also be used in addition to fake software. Shrug2 ransomware was detected by...
Scammers Claim to Have Webcam Footage of Users Watching Pornography
A new variant of an old scam is currently gaining traction and is fooling many people into paying scammers money to avoid having sensitive information exposed. The scammers claim to have added malware to adult sites which has been downloaded onto a user’s computer. The malware is allegedly capable of taking full control of the webcam, which has been used to record a video of the user while they were visiting pornographic websites. The...
SamSam Ransomware Developer Has Earned $6 Million in Ransom Payments
SamSam ransomware has been used in many attacks on healthcare providers and educational institutions over the past two and a half years. In contrast to many other ransomware variants, the ransom payments are considerably higher, typically of the order of tens of thousands of dollars. What also makes SamSam ransomware different is its method of deployment. While many ransomware variants are installed as a result of employees opening...
Recent WannaCry Attack on Chip Manufacturer Expected to Cost $170 Million
A WannaCry ransomware attack has been reported by the Taiwan Semiconductor Manufacturing Co. The malware infection has crippled some of the company’s manufacturing plants which has halted chip production in some of the company’s factories. The Taiwan Semiconductor Manufacturing Co. is the world’s largest chip manufacturer, supplying its products to Nvidia, AMD, Apple, Qualcomm and many other major manufacturers. The attack has had a...
Massive Malvertising Operation Uncovered that Delivers Traffic to Rig Exploit Kit
For many years cybercriminals have been sneaking malicious adverts onto legitimate websites through advertising networks. Publishers – website owners that sell space on their sites for advertisements – often use ad networks to connect them with advertisers, who bid for the space. Resellers are also involved in the advertising chain and resell traffic generated through the ad networks to other advertisers. If a malicious advert makes...
New Spectre-Class Attack Identified by UCR Researchers
Another side-channel vulnerability has been identified that could be exploited in a Spectre-Class attack. This attack method is not blocked by previous patches that address the original Spectre flaws. The vulnerability was identified by researchers at the University of California, Riverside (UCR), which recently published details of the attack method which they term Spectre-RSB. The attack uses the speculative execution feature of...
Cincinnati Implements Smart911 Service to Improve Emergency Response Times
The city of Cincinnati has taken steps to improve response times of the emergency services in the wake of a tragic incident that resulted in the death of a 16-year old student at Seven Hills School. On April 10, Kyle Plush became trapped under the rear seat of his Honda Odyssey. He attempted to contact emergency services multiple times to request help but died from asphyxiation in the back of his minivan. His body was not discovered...
GandCrab Ransomware Vaccine Developed by AhnLab
GandCrab ransomware is now the most commonly used ransomware variant, and while there is currently no free decryptor for GandCrab ransomware, there is now a vaccine that can prevent GandCrab ransomware attacks from being successful. While this is certainly good news, the vaccine only works for version 4.1.2 of the ransomware – the variant currently being used in widespread attacks. Version 4.1.2 was released just two days after...
Convincing Phishing Campaign Targets Australian Businesses and Spreads DanaBot Trojan
A new phishing campaign has been detected that is spreading the DanaBot Trojan. The campaign involves phishing emails which appear to contain invoices from the Australian multinational corporation MYOB – a provider of tax and accounting services for small and medium sized businesses. The phishing campaign was detected by Trustwave researchers. The phishing emails are succinct and well written and advise the recipient of the invoice...
Code Stealing Certificates Stolen from D-Link and Used in Malware Campaign
The Advanced Persistent Threat (APT) group BlackTech has stolen code-signing certificates from D-Link and Changing Information Technology Inc., and is using them to cryptographically sign a remotely controlled backdoor known as Plead and an associated password stealer. With the stolen certificates, individuals who receive the malware as email attachments are likely to be fooled into thinking the files are genuine and have been...
Microsoft Issues Patches for 54 Vulnerabilities; 17 Critical
This Patch Tuesday has seen Microsoft issue patches for 54 vulnerabilities, 27 of which could allow remote code exploitation. 17 of the flaws have been rated critical and 33 are rated important. Three of the vulnerabilities were disclosed before Microsoft released patches. The patches address bugs in 15 products. The majority of the critical flaws are scripting errors in Internet Explorer, including four memory corruption...
New AZORult Phishing Campaign Detected by Cofense
Leading anti-phishing solution provider Cofense has detected a new AZORult phishing campaign. AZORult is an information stealer capable of stealing cookies, stored passwords, payment card information, autocomplete data stored in web browsers, Bitcoin wallet information, and email, FTP, and XMPP client credentials. The latest campaign uses malicious email attachments to spread a new variant of the malware. Version 3 of AZORult...
Email Attack Uses Macros to Hijack Desktop Shortcuts
The deployment of malware via malicious Word documents is nothing new, although the tactics used by cybercriminals often change. Now a new method of malware deployment has been uncovered, in which users are fooled into downloading the malicious payload. The attack starts like many other email-based attacks. The user must open an email and attachment and enable macros. The macro then searches for common desktop shortcuts such as Google...
Rakhni Trojan Decides Whether to Encrypt or Mine Dashcoin
A new variant of the Rakhni Trojan has been detected by security researchers at Kaspersky Lab. This new malware variant decides whether a device is suited to mining cryptocurrency. If the device has sufficient processing power, a Dashcoin miner is downloaded and the device is turned into a cryptocurrency mining slave. If the likely profits from cryptocurrency mining are low, files on the device will be encrypted in a standard...
Cryptocurrency Investors Targeted with MacOs Malware on Slack and Discord
Several MacOs malware attacks have been identified in the past few days with victims targeted via the Slack and Discord chat platforms. The attackers are targeting cryptocurrency investors and are posting messages on Slack and Discord groups linked to cryptocurrencies. This is an impersonation attack in which admins and key personnel are being impersonated, with users advised to run a script that downloads a malware variant named...
DoublePulsar Exploit Tweaked to Work on IoT Systems
The NSA hacking tool – DoublePulsar – was used to infect hundreds of thousands of Windows computers with malware last year after it was leaked online by the Shadow Brokers hacking group. At the time, the hacking tool worked on all Windows versions except the latest Windows 10 version, but not on the Windows IoT operating system. However, a security researcher going by the name Capt. Meelo has tweaked the hacking tool, which now works...
WordPress Vulnerability Allows Full Site Takeover
A recently disclosed vulnerability in the WordPress CMS Core could be exploited to escalate privileges, remotely execute code, and take full control of a WordPress site. The vulnerability was discovered by security researchers at RIPS Technologies who reported the flaw to WordPress in November 2017. The WordPress team confirmed that the flaw existed but said it could take around 6 months to patch the flaw. Seven months on and the...
ZeroFont Phishing Attack Bypasses Microsoft Office Security Feature
The ZeroFont phishing attack allows phishers to bypass anti-spam controls and ensure their emails are delivered to end users inboxes. ZeroFont Phishing Cybercriminals are constantly developing new ways to bypass anti-spam technologies, one of which has been uncovered by security researchers at the cloud security company Avanan. The technique, termed ZeroFont phishing, allows phishers to get their messages past Microsoft Office 365...
More than 400 Models of Axis Communications Cameras Vulnerable to Remote Attacks
More than 400 models of Axis Communications’ security cameras contain vulnerabilities that could be exploited by malicious actors to intercept and view camera footage, take full control of the cameras, or disable them entirely. The security cameras are used by many organizations, including industrial firms, banks and hotels. The vulnerabilities were discovered by the cybersecurity company VDOO as part of its investigation into the...
More than 22,000 Container Orchestration and API Management Systems Exposed on Internet
Many organizations have turned to the public cloud to help them scale resources to meet demand, reduce operating costs and improve the effectiveness of IT processes; however, a significant percentage of companies have failed to secure their cloud infrastructure and are exposing their data. New research conducted by Lacework has revealed more than 22,000 container dashboards and API management systems have been left exposed on the...