Zero Day Apple Vulnerability Under Active Attack
Apple is urging users of iPhones, iPads, and Macs to install the operating system updates it released on Monday, as the vulnerability in iOS and macOS that was corrected is now being actively exploited in the wild. The vulnerability, tracked as CVE-2021-30807, is a memory corruption flaw in the IOMobileFrameBuffer extension used by iOS, iPadOS and macOS. IOMobileFrameBuffer is a kernel extension that manages the screen frame buffer....
Microsoft Publishes Mitigations for PetitPotam Attack on Windows NT LAN Manager
Microsoft has released mitigations for a new attack method involving Windows NT LAN Manager (NTLM), which could be exploited to force remote Windows systems to reveal password hashes, giving an attacker full control of a domain server and other Windows servers. Security researcher Gilles Lionel discovered it is possible to abuse legitimate functions using a new attack method dubbed ‘PetitPotam.’ A proof-of-concept (PoC) exploit was...
Microsoft 365 Apps and Services Will No Longer Support Internet Explorer from August 17, 2021
On August 17, 2021, Microsoft 365 apps and services will no longer support Internet Explorer 11. Users who continue with Internet Explorer 11 after that date are likely to have a degraded experience or may be prevented from connecting to Microsoft 365 apps and services. Microsoft announced on August 17, 2020 that Microsoft 365 apps would no longer be supporting Internet Explorer 11, giving users 12 months to change to a supported...
Hundreds of Millions of Windows Computers Have 16-Year Old Printer Driver Vulnerability
A high severity privilege escalation vulnerability has been identified in HP printer drivers, which are also used by Samsung and Xerox. Exploitation of the flaw would allow an attacker to bypass security products, gain admin privileges, install programs, create new accounts with elevated user permissions, and view, edit, encrypt, or delete data. According to a recently published report from SentinelOne, the flaw has been present in...
Fortinet Issues Patch to Correct Critical RCE Vulnerability in FortiManager and FortiAnalyzer
A critical remote code execution use-after-free vulnerability has been identified that affects Fortinet’s FortiManager and FortiAnalyzer network management solutions. If exploited, a non-authenticated remote attacker could execute code on vulnerable devices with root privileges, which would give the attacker full control of vulnerable devices. The flaw, tracked as CVE-2021-32589, was discovered by security researcher Cyrille Chatras...
MosaicLoader Malware Downloader Distributed Via Internet Ads for Cracked Software
Bitdefender security researchers have identified a new malware variant dubbed MosaicLoader, which is being distributed in a worldwide campaign disguised as cracked software. The malware acts as a downloader of secondary payloads and was named due to the complex internal structure designed to evade detection by security solutions and hamper researchers’ attempts at reverse engineering the malware. The threat actor behind the campaign...
Two More Windows Print Spooler Vulnerabilities Identified
A further zero-day vulnerability has been identified in Windows Print Spooler that could be exploited via remote print servers under the attacker’s control to gain administrative privileges on Windows machines. The vulnerability affects all current versions of Windows. The latest vulnerability was identified by Mimikatz creator, Benjamin Delpy. Delpy developed an exploit for the flaw which uses the Queue-Specific Files feature of...
SonicWall: Users of Unpatched SRA and SMA 100 Series Appliances Face Imminent Risk of Ransomware Attacks
SonicWall has issued an urgent warning for users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running 8.x firmware. SonicWall has learned of threat actors targeting a known vulnerability in the firmware using stolen credentials. SonicWall explained in its alert that ransomware attacks are imminent and urgent action must be taken to prevent exploitation of the flaw. SonicWall has corrected the...
REvil Ransomware Servers Go Dark Suggesting Possible Law Enforcement Takedown
REvil (Sodinokibi), one of the most prolific ransomware-as-a-service operations, had its servers shut down suddenly early on Tuesday morning. The REvil gang has been behind some of the most serious ransomware attacks over the past few years, including the recent supply chain attack on the IT management and monitoring software provider Kaseya and the attack on JBS Foods in the United States. The ransomware gang, which is believed to...
Patches Released to Fix 3 Actively Exploited Flaws and 9 Zero Days on July 2021 Patch Tuesday
July 2021 Patch Tuesday has seen Microsoft release patches to fix 116 vulnerabilities across its range of products: 12 critical flaws, 3 actively exploited vulnerabilities, 8 zero-days, 103 important bugs, and one rated moderate. Microsoft also released an out-of-band patch earlier this month to fix the PrintNightmare flaw CVE-2021-34527, an PoC exploit for which is in the public domain. The actively exploited flaws are...
BIOPASS RAT Live Streams Audio and Video from Victims’ Devices
Security researchers at Trend Micro have identified a new remote access Trojan (RAT) dubbed BIOPASS, which uses legitimate live streaming software to provide the attackers with a real time view of the victim’s computer screen and stream audio from the affected device. This is achieved by downloading and using either FFmpeg and Open Broadcaster Software. There have been many sextortion scams conducted over the past couple of years...
Kaseya Security Update Addresses 0Day Flaws Exploited in REvil Ransomware Attack
Kaseya has released a security update to address the zero-day vulnerabilities in its VSA solution that were exploited by the REvil ransomware group in the recent supply chain attack on its MSP customers and their clients. Several zero-day vulnerabilities were reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya was in the process of fixing the vulnerabilities in its KSA remote management and...
Fake Kaseya Updates Used in Phishing Campaign to Deliver Cobalt Strike Backdoors
A phishing campaign has been detected by Malwarebytes Threat Intelligence researchers which targets managed service provider customers of Kaseya. The emails claim to provide a Kaseya security update to prevent ransomware attacks but delivers Cobalt Strike backdoors to victims’ networks. The campaign piggybacks on the REvil ransomware attack on the Kaseya Virtual System Administrator (VSA) platform on July 2 that saw ransomware pushed...
Microsoft Issues Out-of-Band PrintNightmare Patch for Some Windows Versions
Microsoft has released an out-of-band patch to fix two critical remote code execution vulnerabilities in the Windows Print Spooler Service dubbed PrintNightmare. A patch had previously been issued by Microsoft to fix one of the flaws – tracked as CVE-2021-1675 – however, the patch only partially fixed the vulnerability. An exploit for a second, related vulnerability – tracked as CVE-2021-34527 – was published by a security...
Cybersecurity Agencies Warn of Ongoing Password Spraying Attacks by Russian APT Actors
Warnings have been issued about ongoing malicious cyber activities by the Advanced Persistent Threat (APT) actor known as APT28/Strontium/Fancy Bear. The APT group has been using a Kubernetes cluster in brute force attacks on the U.S. government and the private sector and has been targeting cloud services including Office 365 in a cyber espionage campaign. On July 1, 2021, a joint cybersecurity advisory was issued by the National...
Kaseya Supply Chain Attack on MSPs Sees REvil Ransomware Delivered to Several Thousand Companies
On Friday July 2, 2021, an affiliate of the REvil ransomware-as-a-service operation delivered the REvil ransomware payload to dozens of Kaseya customers including many managed service providers (MSPs) and, through them, thousands of their customers. Victims have been issued with ransom demands based on the extent to which they were affected by the attack, with ransom demands starting at around $45,000 for small businesses and rising...
PoC Exploit Released for Unpatched Windows Print Spooler RCE Vulnerability
A critical Windows Print Spooler remote code execution vulnerability has been identified, a Proof of Concept (PoC) exploit for which has been leaked online. The vulnerability, tracked as CVE-2021-34527 and dubbed PrintNightmare, occurs when the Windows Print Spooler service improperly performs privileged file operations. The flaw can be exploited remotely and would allow an attacker to execute arbitrary code with SYSTEM privileges....
Profile Data of 700 Million LinkedIn Users Listed for Sale on Hacking Forum
700 million LinkedIn records were listed for sale on a hacking forum on June 22, 2021 by an individual who calls himself GOD User TomLiner. A sample of 1 million records has been made available as proof that the offer is genuine. The sample records include the full names of LinkedIn users, phone numbers, genders, email addresses, and job information. This is not the first time that a multi-million record batch of LinkedIn user data...
PoC Exploit for Cisco Adaptive Security Appliance (ASA) Flaw Used to Attack Vulnerable Devices
A proof-of-concept exploit for a vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been released by the Offensive Team at Positive Technologies. The vulnerability is a cross-site scripting flaw tracked as CVE-2020-3580. The vulnerability is one of four flaws that have been patched by Cisco that are due to Cisco ASA and FTD software not sufficiently validating user-supplied...
30 Million Devices at Risk from Dell SupportAssist RCE Vulnerabilities
Researchers at Eclypsium have identified four serious vulnerabilities in the BIOSConnect feature of Dell SupportAssist that could be remotely exploited by attackers to gain full control of targeted devices. The flaws are present in an update mechanism that affects 129 models of enterprise and consumer laptop and desktop computers protected by Secure Boot – Around 30 million devices. Secure Boot is a security feature that ensures...
COVID-19 Vaccination Lure Used in Phishing Campaign Distributing the Agent Tesla RAT
A new phishing campaign has been detected that is being used to distribute the Agent Tesla Remote Access Trojan (RAT). The phishing campaign was identified by researchers at Bitdefender’s Antispam lab and uses a COVID-19 vaccine lure to trick users into installing the malware. The Agent Tesla RAT has multiple functions, although it is primarily used to steal passwords and other sensitive information. The latest version of the malware...
Vulnerability in Peloton Bike+ Allows Attackers to take Full Control of Operating System
McAfee’s Advanced Threat Research (ATR) team researchers have identified a vulnerability in the popular Peloton Bike+ and Peloton Tread exercise machines what could allow them to take full control over the exercise equipment and use the machines in a range of different attack scenarios. To exploit the vulnerability, an attacker would need to have physical access to a machine. If the flaw is exploited, an attacker could gain root...
Avaddon Ransomware Gang Shuts Down Operation and Releases Decryption Keys
Avaddon ransomware is no more. The operation has been shut down and decryptors have been released that allow victims to recover their files free of charge. On June 11, 2021, Bleeping Computer received an anonymous tip which appeared to have come from the FBI and included a link to a password protected ZIP file and a password. The file included 2,934 decryption keys for Avaddon ransomware – all outstanding victims that have not yet...
SonicWall VPN Vulnerability Exploited in Attacks on Legacy SRA Appliances
Researchers at CrowdStrike have confirmed cyber threat actors exploiting a SonicWall VPN vulnerability to attack Secure Remote Access (SRA) 4600 devices. The vulnerability, tracked as CVE-2019-7481, is not new. The bug was identified in 2019 and a patch was released to correct the flaw; however, the patch was only partially effective and did not fix the firmware bug on legacy SonicWall SRA 4600 VPN devices. Proof-of-concept exploit...
New Malware Discovered Targeting Windows Containers to Plant Backdoors in Kubernetes Clusters
A new malware variant has been discovered that is believed to be the first to target Windows containers. The malware, discovered by Daniel Prizmant of Palo Alto Networks’ Unit 42 team, has been dubbed Siloscape and is capable of breaking out of Windows containers and compromising Kubernetes clusters to plant backdoors and raid nodes for credential theft. Kubernetes is used to automate the deployment, scaling, and management of...
Microsoft Patches 41 Vulnerabilities, Including 5 Critical Flaws and 7 Zero-Days
June 2021 Patch Tuesday has seen Microsoft release patches to correct 50 vulnerabilities across its range of products, including 7 zero-day vulnerabilities. Five vulnerabilities are rated critical and 45 have been rated important. 6 of the zero-day vulnerabilities patches this week are known to have been exploited in the wild. While these flaws have been exploited, all have been rated important. These are: CVE-2021-31199 –...
Critical VMware vCenter Server Vulnerability Under Active Exploitation
The critical VMware vCenter Server vulnerability CVE-2021-21985 is being actively exploited in the wild. There have been several successful exploits of the 9.8/10 severity vulnerability and at least one reliable exploit for the flaw is now in the public domain. VMware issued an advisory about the flaw in the last week in May and urged users to patch promptly to avoid exploitation. The flaw is now being exploited by at least one threat...
NCSC Warns UK Educational Institutions of Increased Ransomware Threat
The UK’s National Cyber Security Center (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data. Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a...
Take Ransomware Seriously, Warns White House
Ransomware attacks have been increasing and it is now common for the threat actors behind these attacks to not only encrypt data to prevent access, but also to steal data prior to file encryption and then threaten to sell or publish the data if the ransom is not paid. Data exposure or data loss can have major consequences but the biggest threat for businesses is often the downtime caused by a successful attack. It is often this...
FBI Warns of APT Groups Exploiting Fortinet Vulnerabilities
The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning of the continued exploitation of Fortinet Fortigate vulnerabilities by Advanced Persistent Threat (APT) Groups. In the Alert, the FBI said it is almost certain that an APT actor exploited the vulnerabilities to access a web server hosting the domain for a U.S. municipal government and the flaws have been exploited since at least May 2021. Once access was...
SolarWinds Hackers Conducting Spear Phishing Campaign Posing as USAID
The Russian Advanced Persistent Threat (APT) group Nobelium – aka APT29/The Dukes/Cozy Bear – that was behind the SolarWinds Orion supply chain attack has been conducting a spear phishing campaign masquerading as the U.S. Agency for International Development (USAID). The emails are used to deliver malware and gain persistent access to the internal networks of the targeted companies. The spear phishing attacks were identified by...
VMware Patches Critical Vulnerability in vCenter Server
A patch has been released to fix a critical severity vulnerability in VMware’s virtualization management platform, vCenter Server. The vulnerability could be remotely exploited by an attacker to execute arbitrary code on a vulnerable host and gain full control of the system. The vulnerability has been given a CVSS severity rating of 9.8 out of 10. The flaw, tracked as CVE-2021-21985, affects the vCenter Server platforms that are used...
Apple Patches Actively Exploited Zero-Day MacOS Vulnerability
Apple has released a patch to fix a zero-day vulnerability in macOS that is being actively exploited in the wild. The macOS vulnerability, tracked as CVE-2021-30663, affects macOS Big Sur devices and, according to Jamf researchers who discovered the vulnerability, has been exploited by XCSSET malware to bypass Apple’s Transparency Consent and Control (TCC) protections that protect users’ privacy. Normally, the TCC protections will...
SQL Injection Vulnerability in WP Statistics WordPress Plugin Allows Theft of Database Information
A bug has been identified in a popular WordPress app that allows an unauthenticated attacker to steal sensitive database information. The WP Statistics plugin provides website owners with visitor analytics, including information about how visitors arrived on the site, the pages and posts they visited, the browser used, along with anonymized location data. The plugin has been installed on approximately 600,000 WordPress websites....
Large-Scale Malspam Campaign Detected Delivering the STRRAT Remote Access Trojan
Microsoft has issued a warning about a massive malspam campaign that is being used to deliver the STRRAT remote access trojan (RAT). The campaign is being conducted using compromised email accounts with what appears at first glance to be a PDF file attachment. The attached file appears to have a .pdf extension and displays the typical PDF image; however, the file attachment is simply an image which, if clicked, will download the...
President Biden Signs Extensive Executive Order to Improve Federal Government Cybersecurity
President Biden has signed an Executive Order that seeks to modernize the cybersecurity defenses of the federal government and protect its networks from cyber threats. The Executive Order, which runs to 34 pages, seeks to improve the IT infrastructure of the Federal government to make it more resilient to cyberattacks, better prepare government agencies to allow a swift and effective response in the event of an attack, and improve...
Microsoft Issued Patches for 55 Vulnerabilities Including 4 Critical Flaws
It has been a relatively quiet Patch Tuesday for Microsoft, with patches released to correct just 55 vulnerabilities across its product suite. None of the four critical flaws are believed to have been exploited in in the wild; however, patches should be applied as soon as possible to prevent exploitation, especially since three of the vulnerabilities have been publicly disclosed. The four critical flaws affect Windows 10, Internet...
Adobe Patches 43 Vulnerabilities Including 1 Actively Exploited Flaw in Acrobat/Reader
May 2021 Patch Tuesday has seen Adobe issue 43 updates to fix vulnerabilities in 12 different products, including a patch to fix a vulnerability in the Adobe Acrobat and Adobe Reader that is currently being exploited in the wild. The actively exploited zero-day vulnerability is tracked as CVE-2021-28550 and has been exploited in attacks on Windows devices. The flaw also affects macOS devices, but they are not currently believed to...
12-Year-Old Vulnerabilities Place Millions of Dell Devices at Risk
Hundreds of millions of Dell devices are vulnerable to firmware update driver flaws that could potentially be exploited to achieve remote code execution. The vulnerabilities were identified by security researchers at SentinelOne, and have been present in Dell laptops, desktops, and tablets since 2009. The five vulnerabilities have been combined under a single CVE tracking number – CVE-2021-21551 – which has been assigned a CVSS v3...
Trifecta of Sophisticated Malware Distributed in Spear Phishing Campaign
Three new sophisticated malware variants are being distributed by an Advanced Persistent Threat (APT) group in a large-scale global phishing campaign, according to a new report from FireEye’s Mandiant cybersecurity team. The new malware variants – dubbed DoubleDrag, DoubleDrop, and DoubleBack – are being distributed using 50 domains and one legitimate compromised domain of an HVAC company. Based on the infrastructure used, the...
Patch Released for Actively Exploited Pulse Connect Secure VPN Vulnerability
Pulse Secure has released a patch for the actively exploited zero-day vulnerability – CVE-2021-22893 – in the Pulse Connect Secure SSL VPN appliance. Last week, FireEye researchers announced they had identified instances where the flaw had been exploited by threat groups, with one of those groups believed to be a Chinese Advanced Persistent Threat actor. Exploitation of the flaw could allow unauthenticated remote attackers to...
Vulnerabilities in SonicWall VPN Appliances Targeted in FiveHands Ransomware Attacks
A vulnerability in Sonicwall SMA 100 Series VPN appliances is being targeted to deliver a previously unknown ransomware variant dubbed FiveHands. Threat analysts at Mandiant have been tracking the activity of the threat group – UNC2447 – and have observed attacks exploiting the CVE-2021-20016 vulnerability in North America and Europe since October 2020. Sonicwall released a patch to correct the flaw in February 2021. FiveHands...
Phishing Campaign Impersonates Click Studios to Deliver New Moserpass Malware Variant
Last week, Click Studios alerted users of the Passwordstate enterprise password manager about a supply chain attack in which hackers successfully compromised the In-Place Upgrade mechanism of the app, which allowed the attackers to perform malicious upgrades between April 20 and April 22, 2021. During that 28-hour window it is possible that the attackers downloaded a malformed Passwordstate_upgrade.zip file, which was sourced from a...
Data Exfiltration Extortion Attacks Spike and Ransom Payments Increase
Payments to resolve ransomware and data exfiltration extortion attacks increased in the first quarter of 2021, with the rise largely due to the Accellion legacy File Transfer Appliance (FTA) cyberattack and attacks by small ransomware groups such as CLoP. CLoP was highly active throughout Q1 and was the 4th most common ransomware variant in Q1, having not even been in the top 10 in Q4, 2020. Ransom payments declined in the last...
Apple Patches Zero-day Flaw Actively Exploited by Shlayer Malware
An actively exploited zero-day vulnerability in macOS has been patched by Apple. The vulnerability, one of the most serious flaws in macOS to be discovered, allows malware to bypass File Quarantine, Gatekeeper, and Notarization protections. The vulnerability – tracked as CVE-2021-30657 – is due to a logic flaw in the macOS policy subsystem that performs security checks on applications. The flaw was identified by security researcher...
Actively Exploited Zero Day Vulnerability Identified in Pulse Secure Connect VPN
A critical zero-day vulnerability has been identified in Pulse Secure VPN appliances that is being actively exploited by a Chinese advanced persistent threat group. The vulnerability is being chained with previously disclosed Pulse Secure Connect vulnerabilities to gain persistent access to vulnerable appliances and achieve lateral movement within victims’ networks. Targeted organizations include government agencies, defense, critical...
Patch These Actively Exploited SonicWall Vulnerabilities Now!
SonicWall has released patches to correct three actively exploited vulnerabilities in its on-premises and hosted email security solutions. The vulnerabilities can be exploited remotely to gain access to SonicWall Email Security hardware and virtual appliances as well as software installations on Microsoft Windows Server. Successful exploitation of the vulnerabilities would allow threat actors to access files and emails, install...
Google Project Zero Adds 30-Day Grace Period to Vulnerability Disclosure Policy
Google Project Zero has added a new grace period to its zero-day vulnerability disclosure policy and will now provide an additional 30 days after a patch is released before publishing technical details of the vulnerability. Google introduced its 90-day vulnerability disclosure policy in 2020. The aim of the 90-day delay was to encourage faster patch development and patch adoption, while giving sufficient time to ensure that vendors...
NSA Warns of Russian Government Hackers Exploiting These 5 Vulnerabilities
The National Security Agency (NSA), in conjunction with the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a cybersecurity alert listing five vulnerabilities that are currently being exploited by the Russian Foreign Intelligence Service (SVR) to compromise U.S. and allied networks. The SVR has and continues to exploit software vulnerabilities to gain access to...
FBI Removes Malicious Web Shells from Hundreds of Corporate Exchange Servers
The Federal Bureau of Investigation (FBI) has removed malicious web shells from hundreds of corporate servers in at least 8 states without the knowledge or permission of the owners of the servers. The web shells were installed on corporate Exchange Servers that had previously been compromised by Advanced Persistent Threat (APT) groups by exploiting the ProxyLogon Microsoft Exchange Server vulnerabilities. It has been more than a month...
Name:Wreck DNS Vulnerabilities Affect More than 100 Million IoT Devices
More than 100 million consumer and enterprise IoT devices are believed to be affected by a new set of DNS vulnerabilities, according to Forescout and the Israeli consultancy firm JSOF. The vulnerabilities, collectively named Name:Wreck, are related to DNS implementations in popular TCP/IP network communication stacks and affect the free IT software FreeBSD and the IoT/OT firmware IPnet, Nucleus NET and NetX. In total, 9...
Microsoft Patches 108 Vulnerabilities Including 19 Critical Flaws
April 2021 Patch Tuesday has seen Microsoft issue 108 patches to correct vulnerabilities across its range of products, including one actively exploited zero-day vulnerability and 4 zero-day remote code execution vulnerabilities in Microsoft Exchange Server that were recently discovered by the NSA. 19 of the flaws have been rated critical, 88 are rated important, and one is rated moderate severity. Earlier this month, Microsoft also...
IcedID Malware Distribution Increases as it Vies to Become the New Emotet
A massive malspam campaign is underway distributing the IcedID banking Trojan. The malicious emails have Microsoft Excel attachments, which use Excel 4 macros to deliver the banking Trojan. IcedID is a modular malware that started life as a Trojan that steals financial information from victims. Like several other banking Trojans, it has since evolved into a malware dropper and is now primarily being used to distribute secondary...
Collaboration Platforms Increasingly Abused by Threat Actors for Data Exfiltration and Malware Delivery
Teleworking has been growing in popularity over the past few years, but the national lockdowns imposed by governments to limit the spread of COVID-19 forced many businesses to allow their workforce to work remotely and telework has now become the norm. Threat actors have adapted their tactics, techniques, and procedures to take advantage in this change in working practices and the collaboration platforms that are now relied upon by...
SAP and Onapsis Warn of Ongoing Attacks Exploiting Vulnerabilities in Mission-Critical SAP Applications
6 cybersecurity vulnerabilities in mission-critical SAP applications are being actively exploited by threat actors according to cybersecurity firm Onapsis. Exploitation of the flaws could result in the theft of sensitive data, financial fraud, and disruption of mission-critical systems, including malware and ransomware attacks. Researchers at Onapsis have recorded more than 300 successful attacks exploiting the flaws from mid-2020...
Are You One of the 533 Million Facebook Account Holders Affected by This Data Breach?
The personal information of 533 million Facebook account holders has been leaked online on a public hacking forum. The incident that resulted in the theft of such a huge amount of Facebook data is believed to be a 2019 hack that exploited the “Add Friend” Facebook security bug, rather than a more recent hack. The flaw allowed information such as the account holder’s name, Facebook ID, mobile number, gender, occupation, city, country,...
Fortinet SSL VPN Vulnerabilities Being Actively Exploited by Nation State Hackers
The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert warning that Advanced Persistent Threat (APT) groups are actively exploiting vulnerabilities in the Fortinet SSL VPN. The APT groups have been exploiting three vulnerabilities to gain a foothold in networks and are conducting reconnaissance and moving laterally within networks. Government agencies,...
WannaCry Ransomware Attacks Up 53% Since January 2021
The latest research published by Check Point shows a resurgence in WannaCry ransomware attacks. It has been almost four years since the ransomware first appeared and was used in a massive global campaign that encrypted an estimated 200,000 computers in 150 countries. Check Point’s telemetry shows there was a 53% increase in WannaCry ransomware in March compared to January. The initial attacks were thwarted when a kill switch was...
Critical Flaws Identified in Facebook for WordPress Plugin
A critical flaw with a CVSS score of 9.0 has been identified in the official Facebook for WordPress plugin, which is used on more than 500,000 websites to record the actions users take when interacting with webpages. The plugin, also known as Facebook Pixel, captures data such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events, by installing a Facebook Pixel on web pages. The vulnerability could be exploited by a...
FBI/CISA Warn of Increase in Mamba Ransomware Attacks
The Federal Bureau of Investigation (FBI) in conjunction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a TLS:White alert about Mamba ransomware following an increase in attacks on multiple industry sectors. Over the past few months, the ransomware gang has targeted government agencies and companies operating in the transportation, legal, construction, industrial, manufacturing, and construction...
Purple Fox Malware Now Has Worm Capabilities for Propagating Across Windows Machines
A new variant of Purple Fox malware has been detected by researchers at Guardicore Labs that has achieved far greater success at infecting systems thanks to a new worm module for infecting Internet-facing Windows systems. Purple Fox malware was first identified in 2018 and is a fileless malware downloader used to run malicious PowerShell commands on infected devices to download other malware variants onto the compromised system....
FBI Warns State and Local Governments of Increased Risk of BEC Attacks
The Federal Bureau of Investigation (FBI) has issued a warning to state, local, tribal, and territorial (SLTT) governments in the United States about Business Email Compromise (BEC) scams. Losses to BEC attacks increased by 5% to more than $1.8 billion in 2020 and between 2018 and 2020, SLTT government entities have been targeted. BEC attacks involve the use of a compromise email account to send messages to individuals with authority...
Adobe Issues Out-of-Band Patch for Critical ColdFusion Vulnerability
A patch has been issued to correct a critical vulnerability – CVE-2021-21087 – in Adobe ColdFusion that could be exploited by a remote attacker to execute arbitrary code on a vulnerable system. The Adobe ColdFusion platform is used for building web applications and several versions of the platform are affected by the vulnerability. Vulnerable Adobe ColdFusion Versions: Version 2016 – Update 16 and earlier Version 2018 –...
Pysa Ransomware Gang Targeting Education Sector, Warns FBI
The FBI has issued an alert following a surge in Pysa ransomware attacks on K-12 schools and higher education institutions. The Pysa (Mespinoza) ransomware gang has recently conducted attacks in 12 U.S. states and the United Kingdom. The ransomware was first identified in 2019, with the FBI aware of targeted Pysa ransomware attacks in the United States and foreign government entities, educational institutions, private companies, and...
Google Fixes Actively Exploited Zero Day Vulnerability in the Chrome Browser
Google has patched a zero-day vulnerability in its Chrome browser for Mac, Windows, and Linux. The vulnerability, which is the second zero-day to be patched by Google in the past month and the third in 2021, could be exploited remotely and could allow the execution of arbitrary code on a vulnerable device. The flaw, tracked as CVE-2021-21193, is present in the Blink rendering engine and is a ‘use-after-free’ vulnerability that is...
TrickBot Becomes Biggest Malware Threat Following Emotet Takedown
The Emotet botnet was the biggest malware threat until a joint law enforcement operation succeeded in taking the botnet down. Emotet was primarily used as a malware loader, with the malware-as-a-service operation used to distribute several malware variants. The takedown of the Emotet botnet only caused temporary disruption to malware distribution, with cybercriminals quick to switch to other botnets to distribute their malware...
Patch Critical BIG-IP and BIG-IQ Vulnerabilities Now, Warns F5 Networks
On March 10, 2021, F5 Networks released updated software to fix 7 vulnerabilities in BIG-IP and BIG-IQ systems, 4 of which are rated critical, 2 high severity, and 1 medium severity. Vulnerabilities in F5 software are highly sought after by threat actors, as the networking equipment is used by governments and large enterprises. 48 Fortune 50 firms, with the equipment commonly used by banks, ISPs, and many Fortune 500 firms. Previous...
Microsoft Fixes 82 Vulnerabilities on March 2021 Patch Tuesday Including One Actively Exploited 0Day Flaw
March 2021 Patch Tuesday saw Microsoft deliver patches for 82 vulnerabilities across its product range, including fixes for 10 critical flaws and 2 zero-day vulnerabilities for which exploits have been made public. The remaining 72 vulnerabilities are all rated important. In addition to the patches released today, Microsoft issued 7 patches to correct flaws in Microsoft Exchange since February 2021 Patch Tuesday, four of which are...
Multiple Threat Groups Now Exploiting Microsoft Exchange Server Zero-Day Flaws
Multiple threat groups have been observed exploiting the four zero-day vulnerabilities in Microsoft Exchange Server that were patched earlier this week. Microsoft announced the four vulnerabilities have been exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium since at least early January, but following the announcement about the vulnerabilities, several other nation-state hacking groups have been identified...
Microsoft Releases Out of Band Security Updates to Fix Actively Exploited Microsoft Exchange Server Flaws
Microsoft has released patches to correct four zero-day vulnerabilities in Microsoft Exchange Server that are currently being chained together and exploited by a sophisticated Chinese Advanced Persistent Threat (APT) group in cyberespionage attacks on U.S. targets including defense contractors, law firms, universities, and companies involved in infectious disease research. The affected Microsoft Exchange servers are typically used by...
Ryuk Ransomware Update Adds Worm-Like Capabilities
A new variant of Ryuk ransomware has been detected with worm-like capabilities that allow it to spread laterally within an infected network with no human interaction. This is a notable change for a ransomware variant that has previously been deployed manually after access to a network has been gained. Previously, when network access is achieved, the threat actors performed reconnaissance and manually moved laterally within a network...
Hackers Actively Scanning for Vulnerable VMware Servers after Publication of PoC Exploit Code
Scans are currently being conducted to identify VMware vCenter servers that have not been patched, following the publication of Proof-of-Concept (PoC) exploits for a vulnerability tracked as CVE-2021-21972. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10 and a patch was released on February 23, 2021. The vulnerability is in the vSphere Client (HTML5), which is a plugin of VMware vCenter that is used as a...
Cisco Patches Critical Flaws in its Application Services Engine and ACI Multi-Site Orchestrator
Cisco has released a patch to address a critical flaw in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine. The flaw, tracked as CVE-2021-1388, has been given the maximum CVSS severity of 10/10. If exploited, an attacker would be able to remotely bypass authentication on an affected device. The flaw could be exploited by sending a specially crafted request to a vulnerable ACI...
Accellion FTA Extortion Attacks Linked to FIN11 and CL0P Ransomware Gang
In mid-December, threat actors started exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) product, and over the next few weeks it became apparent that many companies had suffered data breaches. The Accellion FTA was originally launched around 20 years ago to get around the problem of emailing large file attachments. Rather than emailing large files, individuals are sent links to the files hosted on the...
US. Department of Justice Indicts 3 Alleged Members of North Korean Lazarus Hacking Group
This week, the U.S. Department of Justice announced that three North Korean intelligence officials have been indicted for their role in a slew of destructive cyberattacks on U.S. and global organizations spanning many years. The cyberattacks allowed the hackers to steal and extort more than $1.3 billion in money and cryptocurrencies from companies and financial institutions around the world. The three individuals are alleged members...
Malvertising Gang Exploited WebKit Zero Day to Redirect Web Visitors to Scam Sites
An unpatched zero-day vulnerability in WebKit-based browsers has been exploited by a threat group to redirect website visitors to scam sites for at least 8 months, according to a new report released by cybersecurity firm Confiant. The threat group behind the attack – ScamClub – has been in operation since at least 2018 and primarily uses malicious adverts (malvertising) to direct Internet users to scam sites, often sites running...
Microsoft: Over 1,000 Hackers Suspected to be Involved in SolarWinds Hack
Microsoft President Brad Smith recently claimed the SolarWinds supply chain attack was “the largest and most sophisticated attack the world has ever seen” and may have involved more than 1,000 Russian operatives. The attack saw the code of the SolarWinds Orion solution updated so that when it was automatically updated a backdoor was inserted into all users’ networks that gave the attackers remote access. Many thousands of IT...
Egregor Ransomware Operation Disrupted and Several Arrest Made
Several suspected members of the Egregor ransomware operation have been arrested in Ukraine, according to the news outlet France Inter. The arrests were made as part of a joint operation between law enforcement in France and Ukraine to disrupt the operation. The suspects arrested in the operation are understood to be affiliates who signed up to hack corporate networks and deploy Egregor ransomware for a cut of the ransom payments that...
Microsoft Fixes 56 Flaws on February 2021 Patch Tuesday Including 1 Zero Day
Compared to previous months, February 2021 Patch Tuesday saw relatively few patches released by Microsoft to correct flaws across its range of products, although several of the vulnerabilities have already been publicly disclosed and one patch has been released to fix an actively exploited zero-day flaw that affects Windows 10 and Windows Server 2019. In total, 56 vulnerabilities have been fixed this month, 11 of which are critical....
Adobe Patches 50 Vulnerabilities Including 1 Actively Exploited Adobe Reader Bug
On February 2021 Patch Tuesday Adobe released patches to correct 50 vulnerabilities across its range of products, including 34 critical severity flaws, one of which is being actively exploited in the wild in limited attacks on Windows users. The actively exploited vulnerability is a heap-based buffer overflow vulnerability in Adobe Reader, tracked as CVE-2021-21017. If the buffer overflow is triggered, an attacker could remotely...
RDP Attacks Increased by 768% in 2020 and Remain a Key Attack Vector
The COVID-19 pandemic forced businesses to move to a largely remote workforce and cybercriminals took advantage by targeting vulnerabilities in Remote Desktop Protocol (RDP). Between Q1 and Q4, 2020, RDP attacks increased by 768%, according to the ESET Q4 2020 Threat Report. RDP attacks slowed in Q4, 2020 as cybercriminals started to favor other methods of attack. The decrease suggests businesses have managed to improve the security...
Hackers Steal Source Code of Stormshield Firewall Products
Stormshield, one of the leading French cybersecurity firms, has announced it has suffered a cyberattack in which the attackers gained access to its support ticket system and stole some of the source code two of its firewall products. Stormshield provides cybersecurity solutions such as unified threat management (UTM) firewall devices, secure file management solutions, and endpoint protection solutions to French enterprises, European...
Ransomware Attacks Most Commonly Start with Phishing and 70% Involve Data Exfiltration
The Q4, 2020 Quarterly Ransomware Report from Coveware shows there has been a marked decline in the number of companies paying ransoms to recover data stolen in ransomware attacks and prevent the public release of stolen data. The fall is seen as a response to the erosion of trust. There have been several recent attacks where stolen data has been released publicly even when a ransom has been paid. If companies have a viable backup...
Three Vulnerabilities Identified in SolarWinds Products
Patches have been released to fix three vulnerabilities SolarWinds products. Two of the flaws affect the SolarWinds Orion platform, and the third affects the Serv-U FTP server for Windows. One of the SolarWinds Orion flaws allows remote code execution with admin privileges and could be exploited by a remote attacker to take full control of the Orion platform. The other vulnerability in the platform could only be exploited by a local...
Phishers Target US Businesses in Scam Offering Fake PPP Loans
A phishing campaign has been detected which is targeting U.S. businesses that are struggling to stay in operation during the pandemic. The emails attempt to get business owners to apply for a fake PPP loan and disclose sensitive data. The Paycheck Protection Program (PPP) is part of the U.S. CARES Act, which was launched by the Trump Administration on April 3, 2020 to provide financial assistance to businesses that have been adversely...
TrickBot Returns with a New Malspam Campaign
A botnet that was severely disrupted in late 2020 by a coalition led by Microsoft is now back with a new malspam campaign. The infrastructure used by the operators of the TrickBot botnet was taken down in the run up to the November 2020 U.S. Presidential election, but it didn’t take long for the infrastructure to be rebuilt. The takedown was successful and caused major disruption to the operation, but since no arrests were made, the...
Europol Announces Takedown of the Emotet Botnet
Europol has announced that following a global operation by law enforcement and judicial authorities, the Emotet botnet has been disrupted and law enforcement agencies have seized control of its infrastructure. The takedown was planned for two years and involved Europol, Eurojust, the FBI, the Royal Canadian Mounted Police, the UK’s National Crime Agency, and law enforcement agencies in Ukraine, Netherlands, Germany, Lithuania, and...
Interpol Warns of Rise in Investment Scams Targeting Dating App Users
With opportunities for meeting potential partners now limited due to the COVID-19 pandemic and many people isolated due to lockdown measures, use of dating apps has soared. Dating apps have long provided scammers with opportunities for fraud and romance scams are rife. However, there have been increasing numbers of dating app users targeted with a new investment scam in recent weeks, prompting Interpol to issue a Purple Notice about...
FreakOut Malware Campaign Targets Linux Devices
A new malware variant is being used in attacks on Linux devices that sees the devices added to a botnet and used for cryptocurrency mining and distributed-denial-of-service (DDoS) attacks. The new malware, dubbed FreakOut, places an infected device under the control of the botnet operator and used for remote attacks on other vulnerable devices. The malware variant was identified by researchers at Check Point who believe it is...
Microsoft Warns Windows Zerologon Patch Enforcement Starts on February 9, 2021
The critical Windows Zerologon vulnerability (CVE-2020-1472) was patched by Microsoft on August Patch Tuesday; however, despite the seriousness of the vulnerability – rated 10/10 for severity – there are still some organizations that have yet to apply the patch. Microsoft has now announced that from February 9, 2021 it will be enabling domain controller enforcement mode by default, which will help to ensure that the threat of...
Hackers Altered Stolen Pfizer Vaccine Documentation Prior to Publication
In November 2020, hackers gained access to a server used by the European Medicines Agency (EMA), the drug and vaccine regulator in the European Union, and stole data on the Pfizer/BioNTech vaccine candidate. Last week, the EMA announced that the hackers had publicly released the documentation on hacking forums, but a new alert warns that the documentation was manipulated prior to release. The stolen data included information...
Healthcare Sector Cyberattacks Have Increased by 45% in the Past 2 Months
A recent joint CISA, FBI, and HHS cybersecurity alert warned that the healthcare sector was being targeted by threat actors who were deploying ransomware. Attacks are being conducted by several threat actors using a range of different ransomware variants, including Ryuk and Conti. A new report recently published by Check Point shows that since the alert was issued, cyberattacks on the healthcare sector have continued to increase. From...
Microsoft Releases Patch for Actively Exploited Windows Defender Zero Day and 9 Other Critical Flaws
The first Patch Tuesday of 2021 has seen Microsoft release patches to fix 83 vulnerabilities across its range of products, including one zero-day vulnerability in Windows Defender that is being actively exploited in the wild. This month’s round of patches includes fixes for 10 critical and 73 important vulnerabilities in Windows OS, Edge, Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine and...
Kaspersky Researchers Link Sunburst Backdoor to Kazuar Backdoor Used by Russian Turla APT Group
Researchers at Kaspersky have identified similarities between the backdoor used in the SolarWinds supply chain attack and another backdoor – Kazuar – which is believed to have been used by the Russian Advanced Persistent Threat (APT) group Turla. Turla has been linked to several attacks on foreign governments over the past 14 years. The APT group behind the SolarWinds attack compromised the company’s Orion monitoring solution and used...
FBI Issues Warning About Ongoing Egregor Ransomware Activity
The Federal Bureau of Investigation (FBI) has issued a warning to private sector companies about ongoing Egregor ransomware attacks. Since September 2020, when the ransomware variant was first identified, it has been used in attacks on at least 150 companies worldwide. Egregor is a ransomware-as-a-service offering with many affiliates used to distribute the ransomware. Many of the affiliates moved to Egregor distribution when the Maze...
NVIDIA Software Update Corrects Multiple High Severity Graphics Driver Flaws
NVIDIA has released patches to correct 16 vulnerabilities in its graphics drivers and vGPU software for Windows and Linux systems, most of which are high severity flaws that can be exploited to escalate privileges, tamper with data, obtain sensitive data, or conduct denial of service attacks. NVIDIA’s GPUs are popular with gamers due to being optimized for high-performance gaming. The vulnerabilities are in the drivers and software...
Hardcoded Password Vulnerability in Zyxel Devices Being Actively Exploited
Cybercriminals have started exploiting the hardcoded credential vulnerability (CVE-2020-29583) in Zyxel networking products that was announced by Zyxel on December 23, 2020. The vulnerability, identified by Niels Teusink of the Dutch cybersecurity firm EYE, affects around 100,000 Zyxel devices, including its firewalls, AP controllers and VPN gateways. The flaw was assigned a CVSS V3 score of 7.8 out of 10 (High severity). Teusink...
Ransomware Attacks on Healthcare Organizations Continue to Rise with Ryuk the Biggest Threat
Cyberattacks on healthcare organizations have continued to increase over the past two months, according to research conducted by cybersecurity firm Check Point, and ransomware is now the biggest malware threat. In October, a joint security advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the...
Hidden Backdoor Identified in Zyxel Firewalls and AP Controllers
A security researcher has identified a hidden backdoor in Zyxel firewalls and AP controllers, caused by the use of hardcoded administrative credentials for an account that was intended to be used to automatically update the firmware on the devices. More than 100,000 Zyxel devices are affected worldwide. The hard coded credentials mean hackers could perform malicious firmware updates, and could change the firewall settings to...
FinCEN Advises Financial Institutions to be Alert to COVID-19 Vaccine-Related Scams and Cyberattacks
The Financial Crimes Enforcement Network (FinCEN) has issued a warning to financial institutions that ransomware gangs are actively targeting organizations involved in vaccine research. Financial institutions have been advised to be on high alert due to the considerable potential for fraud and criminal activity related to COVID-19 vaccines and their distribution. Nation state threat groups and cybercriminal organizations are taking...