Ryuk Ransomware Update Adds Worm-Like Capabilities
A new variant of Ryuk ransomware has been detected with worm-like capabilities that allow it to spread laterally within an infected network with no human interaction. This is a notable change for a ransomware variant that has previously been deployed manually after access to a network has been gained. Previously, when network access is achieved, the threat actors performed reconnaissance and manually moved laterally within a network...
Hackers Actively Scanning for Vulnerable VMware Servers after Publication of PoC Exploit Code
Scans are currently being conducted to identify VMware vCenter servers that have not been patched, following the publication of Proof-of-Concept (PoC) exploits for a vulnerability tracked as CVE-2021-21972. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10 and a patch was released on February 23, 2021. The vulnerability is in the vSphere Client (HTML5), which is a plugin of VMware vCenter that is used as a...
Cisco Patches Critical Flaws in its Application Services Engine and ACI Multi-Site Orchestrator
Cisco has released a patch to address a critical flaw in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine. The flaw, tracked as CVE-2021-1388, has been given the maximum CVSS severity of 10/10. If exploited, an attacker would be able to remotely bypass authentication on an affected device. The flaw could be exploited by sending a specially crafted request to a vulnerable ACI...
Accellion FTA Extortion Attacks Linked to FIN11 and CL0P Ransomware Gang
In mid-December, threat actors started exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) product, and over the next few weeks it became apparent that many companies had suffered data breaches. The Accellion FTA was originally launched around 20 years ago to get around the problem of emailing large file attachments. Rather than emailing large files, individuals are sent links to the files hosted on the...
US. Department of Justice Indicts 3 Alleged Members of North Korean Lazarus Hacking Group
This week, the U.S. Department of Justice announced that three North Korean intelligence officials have been indicted for their role in a slew of destructive cyberattacks on U.S. and global organizations spanning many years. The cyberattacks allowed the hackers to steal and extort more than $1.3 billion in money and cryptocurrencies from companies and financial institutions around the world. The three individuals are alleged members...
Malvertising Gang Exploited WebKit Zero Day to Redirect Web Visitors to Scam Sites
An unpatched zero-day vulnerability in WebKit-based browsers has been exploited by a threat group to redirect website visitors to scam sites for at least 8 months, according to a new report released by cybersecurity firm Confiant. The threat group behind the attack – ScamClub – has been in operation since at least 2018 and primarily uses malicious adverts (malvertising) to direct Internet users to scam sites, often sites running...
Microsoft: Over 1,000 Hackers Suspected to be Involved in SolarWinds Hack
Microsoft President Brad Smith recently claimed the SolarWinds supply chain attack was “the largest and most sophisticated attack the world has ever seen” and may have involved more than 1,000 Russian operatives. The attack saw the code of the SolarWinds Orion solution updated so that when it was automatically updated a backdoor was inserted into all users’ networks that gave the attackers remote access. Many thousands of IT...
Egregor Ransomware Operation Disrupted and Several Arrest Made
Several suspected members of the Egregor ransomware operation have been arrested in Ukraine, according to the news outlet France Inter. The arrests were made as part of a joint operation between law enforcement in France and Ukraine to disrupt the operation. The suspects arrested in the operation are understood to be affiliates who signed up to hack corporate networks and deploy Egregor ransomware for a cut of the ransom payments that...
Microsoft Fixes 56 Flaws on February 2021 Patch Tuesday Including 1 Zero Day
Compared to previous months, February 2021 Patch Tuesday saw relatively few patches released by Microsoft to correct flaws across its range of products, although several of the vulnerabilities have already been publicly disclosed and one patch has been released to fix an actively exploited zero-day flaw that affects Windows 10 and Windows Server 2019. In total, 56 vulnerabilities have been fixed this month, 11 of which are critical....
Adobe Patches 50 Vulnerabilities Including 1 Actively Exploited Adobe Reader Bug
On February 2021 Patch Tuesday Adobe released patches to correct 50 vulnerabilities across its range of products, including 34 critical severity flaws, one of which is being actively exploited in the wild in limited attacks on Windows users. The actively exploited vulnerability is a heap-based buffer overflow vulnerability in Adobe Reader, tracked as CVE-2021-21017. If the buffer overflow is triggered, an attacker could remotely...
RDP Attacks Increased by 768% in 2020 and Remain a Key Attack Vector
The COVID-19 pandemic forced businesses to move to a largely remote workforce and cybercriminals took advantage by targeting vulnerabilities in Remote Desktop Protocol (RDP). Between Q1 and Q4, 2020, RDP attacks increased by 768%, according to the ESET Q4 2020 Threat Report. RDP attacks slowed in Q4, 2020 as cybercriminals started to favor other methods of attack. The decrease suggests businesses have managed to improve the security...
Hackers Steal Source Code of Stormshield Firewall Products
Stormshield, one of the leading French cybersecurity firms, has announced it has suffered a cyberattack in which the attackers gained access to its support ticket system and stole some of the source code two of its firewall products. Stormshield provides cybersecurity solutions such as unified threat management (UTM) firewall devices, secure file management solutions, and endpoint protection solutions to French enterprises, European...
Ransomware Attacks Most Commonly Start with Phishing and 70% Involve Data Exfiltration
The Q4, 2020 Quarterly Ransomware Report from Coveware shows there has been a marked decline in the number of companies paying ransoms to recover data stolen in ransomware attacks and prevent the public release of stolen data. The fall is seen as a response to the erosion of trust. There have been several recent attacks where stolen data has been released publicly even when a ransom has been paid. If companies have a viable backup...
Three Vulnerabilities Identified in SolarWinds Products
Patches have been released to fix three vulnerabilities SolarWinds products. Two of the flaws affect the SolarWinds Orion platform, and the third affects the Serv-U FTP server for Windows. One of the SolarWinds Orion flaws allows remote code execution with admin privileges and could be exploited by a remote attacker to take full control of the Orion platform. The other vulnerability in the platform could only be exploited by a local...
Phishers Target US Businesses in Scam Offering Fake PPP Loans
A phishing campaign has been detected which is targeting U.S. businesses that are struggling to stay in operation during the pandemic. The emails attempt to get business owners to apply for a fake PPP loan and disclose sensitive data. The Paycheck Protection Program (PPP) is part of the U.S. CARES Act, which was launched by the Trump Administration on April 3, 2020 to provide financial assistance to businesses that have been adversely...
TrickBot Returns with a New Malspam Campaign
A botnet that was severely disrupted in late 2020 by a coalition led by Microsoft is now back with a new malspam campaign. The infrastructure used by the operators of the TrickBot botnet was taken down in the run up to the November 2020 U.S. Presidential election, but it didn’t take long for the infrastructure to be rebuilt. The takedown was successful and caused major disruption to the operation, but since no arrests were made, the...
Europol Announces Takedown of the Emotet Botnet
Europol has announced that following a global operation by law enforcement and judicial authorities, the Emotet botnet has been disrupted and law enforcement agencies have seized control of its infrastructure. The takedown was planned for two years and involved Europol, Eurojust, the FBI, the Royal Canadian Mounted Police, the UK’s National Crime Agency, and law enforcement agencies in Ukraine, Netherlands, Germany, Lithuania, and...
Interpol Warns of Rise in Investment Scams Targeting Dating App Users
With opportunities for meeting potential partners now limited due to the COVID-19 pandemic and many people isolated due to lockdown measures, use of dating apps has soared. Dating apps have long provided scammers with opportunities for fraud and romance scams are rife. However, there have been increasing numbers of dating app users targeted with a new investment scam in recent weeks, prompting Interpol to issue a Purple Notice about...
FreakOut Malware Campaign Targets Linux Devices
A new malware variant is being used in attacks on Linux devices that sees the devices added to a botnet and used for cryptocurrency mining and distributed-denial-of-service (DDoS) attacks. The new malware, dubbed FreakOut, places an infected device under the control of the botnet operator and used for remote attacks on other vulnerable devices. The malware variant was identified by researchers at Check Point who believe it is...
Microsoft Warns Windows Zerologon Patch Enforcement Starts on February 9, 2021
The critical Windows Zerologon vulnerability (CVE-2020-1472) was patched by Microsoft on August Patch Tuesday; however, despite the seriousness of the vulnerability – rated 10/10 for severity – there are still some organizations that have yet to apply the patch. Microsoft has now announced that from February 9, 2021 it will be enabling domain controller enforcement mode by default, which will help to ensure that the threat of...
Hackers Altered Stolen Pfizer Vaccine Documentation Prior to Publication
In November 2020, hackers gained access to a server used by the European Medicines Agency (EMA), the drug and vaccine regulator in the European Union, and stole data on the Pfizer/BioNTech vaccine candidate. Last week, the EMA announced that the hackers had publicly released the documentation on hacking forums, but a new alert warns that the documentation was manipulated prior to release. The stolen data included information...
Healthcare Sector Cyberattacks Have Increased by 45% in the Past 2 Months
A recent joint CISA, FBI, and HHS cybersecurity alert warned that the healthcare sector was being targeted by threat actors who were deploying ransomware. Attacks are being conducted by several threat actors using a range of different ransomware variants, including Ryuk and Conti. A new report recently published by Check Point shows that since the alert was issued, cyberattacks on the healthcare sector have continued to increase. From...
Microsoft Releases Patch for Actively Exploited Windows Defender Zero Day and 9 Other Critical Flaws
The first Patch Tuesday of 2021 has seen Microsoft release patches to fix 83 vulnerabilities across its range of products, including one zero-day vulnerability in Windows Defender that is being actively exploited in the wild. This month’s round of patches includes fixes for 10 critical and 73 important vulnerabilities in Windows OS, Edge, Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine and...
Kaspersky Researchers Link Sunburst Backdoor to Kazuar Backdoor Used by Russian Turla APT Group
Researchers at Kaspersky have identified similarities between the backdoor used in the SolarWinds supply chain attack and another backdoor – Kazuar – which is believed to have been used by the Russian Advanced Persistent Threat (APT) group Turla. Turla has been linked to several attacks on foreign governments over the past 14 years. The APT group behind the SolarWinds attack compromised the company’s Orion monitoring solution and used...
FBI Issues Warning About Ongoing Egregor Ransomware Activity
The Federal Bureau of Investigation (FBI) has issued a warning to private sector companies about ongoing Egregor ransomware attacks. Since September 2020, when the ransomware variant was first identified, it has been used in attacks on at least 150 companies worldwide. Egregor is a ransomware-as-a-service offering with many affiliates used to distribute the ransomware. Many of the affiliates moved to Egregor distribution when the Maze...
NVIDIA Software Update Corrects Multiple High Severity Graphics Driver Flaws
NVIDIA has released patches to correct 16 vulnerabilities in its graphics drivers and vGPU software for Windows and Linux systems, most of which are high severity flaws that can be exploited to escalate privileges, tamper with data, obtain sensitive data, or conduct denial of service attacks. NVIDIA’s GPUs are popular with gamers due to being optimized for high-performance gaming. The vulnerabilities are in the drivers and software...
Hardcoded Password Vulnerability in Zyxel Devices Being Actively Exploited
Cybercriminals have started exploiting the hardcoded credential vulnerability (CVE-2020-29583) in Zyxel networking products that was announced by Zyxel on December 23, 2020. The vulnerability, identified by Niels Teusink of the Dutch cybersecurity firm EYE, affects around 100,000 Zyxel devices, including its firewalls, AP controllers and VPN gateways. The flaw was assigned a CVSS V3 score of 7.8 out of 10 (High severity). Teusink...
Ransomware Attacks on Healthcare Organizations Continue to Rise with Ryuk the Biggest Threat
Cyberattacks on healthcare organizations have continued to increase over the past two months, according to research conducted by cybersecurity firm Check Point, and ransomware is now the biggest malware threat. In October, a joint security advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the...
Hidden Backdoor Identified in Zyxel Firewalls and AP Controllers
A security researcher has identified a hidden backdoor in Zyxel firewalls and AP controllers, caused by the use of hardcoded administrative credentials for an account that was intended to be used to automatically update the firmware on the devices. More than 100,000 Zyxel devices are affected worldwide. The hard coded credentials mean hackers could perform malicious firmware updates, and could change the firewall settings to...
FinCEN Advises Financial Institutions to be Alert to COVID-19 Vaccine-Related Scams and Cyberattacks
The Financial Crimes Enforcement Network (FinCEN) has issued a warning to financial institutions that ransomware gangs are actively targeting organizations involved in vaccine research. Financial institutions have been advised to be on high alert due to the considerable potential for fraud and criminal activity related to COVID-19 vaccines and their distribution. Nation state threat groups and cybercriminal organizations are taking...
CISA and CrowdStrike Release Free Azure/O365 Analysis Tools to Identify Malicious Activity
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a PowerShell-based tool for detecting unusual and potentially malicious activity in Azure/Office 365 environments. The tool can be downloaded free of charge and used by incident response teams to identify the identity- and authentication-based attacks that have been observed in multiple sectors in the wake of the SolarWinds...
Lazarus Group Targeting COVID-19 Research and Vaccine Data
Kaspersky has confirmed the Lazarus Advanced Persistent Threat (APT) group has conducted two cyberattacks on entities involved in COVID-19 vaccine research. The cyberattacks occurred in the fall of 2020, with the APT group using different tactics techniques and procedures (TTPs) in each of the attacks. One attack was performed on October 27, 2020 on a government health ministry using a sophisticated malware known to Kaspersky as...
More Than 3 Million Chrome and Edge Users Have Malware-Infected Browser Extensions
Approximately 3 million users of Google Chrome and Microsoft Edge have been infected with malware that has been hidden in browser extensions, according to a new report from antivirus company Avast. At least 28 JavaScript-based Chrome and Edge extensions for Instagram, Facebook, Vimeo and others have had malicious code added, which is used to steal personal data and redirect users to adverts and phishing websites. The malicious code...
Microsoft and the U.S. Nuclear Agency Confirmed as Victims of SolarWinds Hack
The number of confirmed victims of the SolarWinds hack is growing. Microsoft has confirmed it was hacked, although its software was not apparently compromised. Reuters had reported that after compromising Microsoft, the hackers had modified its software to distribute malicious files to its clients. Microsoft issued a statement claiming the Reuters article was incorrect and while SolarWinds binaries were found in its environment, they...
Contact Form 7 Vulnerability Places 5 Million WordPress Sites at Risk of Takeover
A critical vulnerability has been identified in the popular WordPress plugin, Contact Form 7, which has been installed on approximately 5 million websites. The vulnerability, tracked as CVE-2020-35489, is easy to exploit and can be exploited remotely without the attacker having to authenticate on a vulnerable website. The vulnerability is classed as an unrestricted file upload bug, according to Astra Security Research, which...
Researchers Find More than 45 Million Medical Images Stored on Unprotected Servers
More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without usernames or passwords. The medical images include metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes. The unprotected images, which include MRIs, CT scans, and X-Rays were found by researchers at the CyberAngel Analyst Team, who...
SolarWinds Supply Chain Attack Impacts up to 18,000 Customers
Hackers successfully compromised the SolarWinds Orion software solution and incorporated a backdoor dubbed SUNBURST that has been downloaded by up to 18,000 of its customers, including many large enterprises and government agencies. SolarWinds Orion is a software solution used by large enterprises and government agencies to manage their IT networks and IT infrastructure. The software is used by all five branches of the U.S. military,...
K-12 Schools Warned About Cyber Actors Targeting Distance Learning Education
The U.S. Cybersecurity and infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to K-12 schools warning that cyber actors are conducting targeted attacks on distance learning education. Cyber actors are attempting to disrupt distance learning services, gain access to sensitive data, and conduct ransomware...
Spear Phishing Campaign Spoofing Microsoft.Com Sees Emails Delivered to Office 365 Inboxes
Researchers at Israeli cybersecurity firm Ironscales have identified a spear phishing campaign targeting Office 365 users that spoofs the Microsoft.com domain. Several thousand Office 365 mailboxes are known to have been targeted, with around 100 customers of Ironscales having been sent the phishing emails. Those customers span several industry sectors including healthcare, insurance, telecom, manufacturing, and financial services....
FireEye Discloses Data Breach and Confirms Theft of Red Team Tools
The U.S. cybersecurity firm FireEye has announced a sophisticated threat actor has successfully hacked into its systems and stole Red Team assessment tools that the company uses to test the security of its customers’ systems. The stolen tools mimic those used by many cyber threat actors to gain access to organizations’ systems. Cyberattacks on cybersecurity companies are relatively rare, but they do occur, with Trend Micro, Avast, and...
Kubernetes Bug Allows Traffic from Other Pods in Multi-Tenant Clusters to be Intercepted
A Kubernetes vulnerability has been identified that could allow an attacker to intercept traffic from other pods in multi-tenant Kubernetes clusters. The vulnerability, discovered by Etienne Champetier of Anevia, can be exploited remotely in a man-in-the-middle attack by an individual with basic tenant permissions, without any user involvement required. If an attacker has permissions to create and update services and pods, they could...
Foreign APT Groups Targeting Think Tanks, Warns CISA/FBI
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about ongoing cyberattacks on think tanks by foreign Advanced Persistent Threat (APT) groups. The purpose of the attacks is to gain persistent access to victim networks for espionage purposes. This is achieved through phishing attacks to gain access to user credentials and by exploiting vulnerabilities in...
BEC Scammers Using Auto-Forwarding Rules in Web-Based Email Clients to Prevent Detection
Cybercriminals have been using auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise (BEC) scams, according to a recently issued TLP: WHITE Joint Private Industry Notification from the Federal Bureau of Investigation (FBI). Business email compromise scams involve gaining access to a corporate email account and using that account to send emails to other individuals in the...
Cyberbiological Attack Could Fool Scientists into Creating and Using Dangerous DNA
A new, theoretical cyberattack has been described by a team of researchers at Ben-Gurion University (BGU) in Israel that could be used in a devastating biological attack. Every year, commercial DNA synthesizers create billions of nucleotides, which are sold to customers and generate billions of dollars in sales. There is growing concern that a cyberattack could be conducted to interfere with the synthetic DNA orders. Just as in a...
Cyberattacks Increased During the Pandemic as Enterprises Struggled with Security with a Remote Workforce
A recent study conducted by the California based endpoint security and systems management company Tanium suggests enterprises have struggled with security during the pandemic and have experienced an increase in cyberattacks. Tanium commissioned a Censuswide survey of 1,000 CXOs and vice presents at enterprise and government organizations in the United States, United Kingdom, France and Germany in June 2020 to explore how they coped...
Egregor Ransomware Vying to Become the Top Ransomware Threat
The Maze ransomware gang may have shut down its operation, but there is now a new ransomware variant that is vying to take its place as one of the biggest ransomware threats. Egregor ransomware first appeared in September 2020, claiming 15 victims in the month, followed by attacks on the US bookseller, Barnes & Noble, and the French and German video game developers, Ubisoft and Crytek. Since then, the number of attacks using...
Patch MobileIron Vulnerability Immediately, Warns NCSC
The UK National Cyber Security Centre (NCSC) has issued an alert that confirms Advanced Persistent Threat (APT) groups and cybercriminals are currently exploiting the MobileIron remote code execution vulnerability, CVE-2020-1550 to compromise the networks of UK companies. Attacks have been conducted on local government, healthcare organizations, and companies in the logistics and legal sectors, and there have been several cases where...
Warning Issued After Discovery of Scores of Spoofed FBI Websites
Scores of domains have been identified which spoof official Federal Bureau of Investigation (FBI) websites, prompting the FBI’s Internet Crime Complaint Center to issue a warning. While the intentions of the individuals who registered the domains is not known, it is strongly suspected that the domains were intended for use in future phishing or malware distribution campaigns. The domains could be used to register email accounts that...
FBI Issues Warning Following Increase in Ragnar Locker Ransomware Activity
A recent increase in Ragnar Locker ransomware activity has prompted the Federal Bureau of Investigation (FBI) to issue a warning to private industry partners. The alert provides information to help system administrators and security professionals protect against attacks. Ragnar Locker is a relatively new ransomware strain, first identified in April 2020. The ransomware variant was used in an attack by unknown threat actors on a large,...
Facebook Fixes Messenger Bug That Allows Audio to be Transmitted Without a User’s Permission
A critical flaw in the Facebook Messenger messaging app for Android which allowed callers to listen to users’ surroundings without permission has been fixed by Facebook. The bug allowed callers to eavesdrop on the person they were calling before the call was answered. In order to exploit the flaw, a caller would need to send a type of message known as SdpUpdate to the person they were calling, which would allow them to connect to the...
Malsmoke Campaign Delivers ZLoader Malware via Popups on High Traffic Adult Websites
A malware distribution campaign identified by security researchers at Malwarebytes is now distributing a ZLoader malware variant via popups on popular adult websites. The campaign – named Malsmoke by Malwarebytes – has been active since at least August 2020. Initially, the threat actors were using exploit kits to deliver the Smoke Loader malware dropper; however, in October they changed tactics and switched to fake Java update...
Use of SSL Certificates in Malware and Phishing Attacks Up 260% in 2020
Abuse of SSL certificates in phishing and malware attacks has increased by 260% in the first 9 months of 2020, according to a new report from Zscaler. Zscaler analyzed more than 6.6 billion threats for the report and found a major rise in the use of encryption to hide attacks. Encryption was being used across the full attack cycle, according to the researchers, including the initial delivery of malware or malicious links to the...
Microsoft Fixes 112 Vulnerabilities Including 17 Critical Flaws
November 2020 Patch Tuesday has seen Microsoft correct 112 vulnerabilities across its range of products, including 17 critical flaws. 93 of the vulnerabilities are rated important and two are rated low severity. This month’s updates see a change to the way Microsoft reports the vulnerabilities, with the descriptions of each no longer included. Instead, Microsoft is relying on the CVSS scores to provide information on the severity of...
RansomEXX Ransomware Now Targets Windows and Linux Servers
Kaspersky has announced it has discovered a Linux version of RansomEXX ransomware – aka Defray777. This is one of the first times that a Windows ransomware strain has been adapted to attack Linux systems, with the new variant able to be used in targeted attacks on organizations that have both Windows and Linus systems to cause greater disruption. RansomEXX is a relatively new human-operated ransomware variant which was first detected...
Three Actively Exploited Zero Days in the iOS Operating System Patched by Apple
Patches have been released to correct three zero-day vulnerabilities in the iOS operating systems that are currently being exploited in the wild. The vulnerabilities affect the following Apple devices: iPhones – 6s and later iPads Air 2 and later iPad mini 4 and later iPod 7th generation All three vulnerabilities have been corrected in iOS 14.2, along with several other vulnerabilities A memory corruption issue exists which can be...
October Threat Report Shows 1,200% Increase in Emotet Attacks in Q3, 2020
New data from HP Inc. shows cyberattacks involving the Emotet Trojan increased by more than 1,200% between Q2, 2020 and Q3, 2020. The data for the company’s October 2020 Threat Insights Report come from HP Sure Click Enterprise, a security solution used on enterprise desktops and laptops that captures malware and allows it to run in a secure container. Data were collected from 1 July to 30 September 2020, with the report proving...
Adobe Update Corrects 14 Vulnerabilities in Acrobat and Reader Including 4 Critical Flaws
Adobe has released an out-of-band update to correct several vulnerabilities in Adobe Acrobat and Adobe Reader, just a week before November Patch Tuesday when updates are usually scheduled for release. 14 vulnerabilities have been corrected in the update, including 4 critical vulnerabilities in Acrobat and Reader for both Windows and macOS operating systems. The critical vulnerabilities can be exploited remotely and allow the execution...
Zero-Day Windows Flaw Allowing Sandbox Escape Being Actively Exploited in the Wild
Google Project Zero has disclosed a high severity Windows vulnerability that has yet to be patched by Microsoft after the flaw was observed being exploited in the wild by hackers. The Windows driver bug, which allows local privilege escalation and sandbox escape, was announced just 7 days after it was reported. While the Google Project Zero team usually waits until a patch has been made available before disclosing a vulnerability, the...
WordPress 5.5.2 Released: 10 Vulnerabilities Corrected Including 1 High-Severity Flaw
Version 5.5.2 of the WordPress content management platform has been released. The latest WordPress version fixes 10 security vulnerabilities, including one high-severity flaw that could be exploited to take over a targeted website. A remote attacker could conduct a narrow denial of service attack, which could then turn into a remote code execution issue. The vulnerability is due to how WordPress manages internal resources within the...
Ryuk Ransomware Gang Steps Up Attacks on U.S. Hospitals
The U.S Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a warning to healthcare providers and public health agencies of an imminent threat of attacks using Ryuk ransomware. An advisory was issued on October 28, 2020 after credible evidence was uncovered indicating the operators of Ryuk...
Maze Ransomware Gang Shuts Down Operations
The Maze ransomware gang, which operated one to the most prolific ransomware campaigns over the past 18 months year, has shut down. The Maze ransomware operators were the first to utilize a double-extortion tactic involving the theft of data prior to the encryption of files to increase the likelihood of the ransom being paid. While all ransomware operations involve the encryption of files and the payment of a ransom in order to obtain...
Top 25 Vulnerabilities Exploited by Chinese State Sponsored Hackers
Chinese state-backed hackers are targeting U.S. organizations for espionage purposes, with access to computer systems usually gained by exploiting unpatched vulnerabilities. Hackers are scanning for unpatched systems and use publicly released or homegrown exploits to gain a foothold in networks with a view to stealing intellectual property and sensitive data. On Tuesday, the U.S. National Security Agency (NSA) published a list of 25...
DOJ Charges 6 GRU Hackers for NotPetya Wiper Attacks
The U.S. Department of Justice has indicted six Russian intelligence operatives for the 2017 NotPetya malware attacks and other major hacking operations. All six individuals are believed to be members of Russia’s Main Intelligence Directorate, GRU, and specifically GRU Unit 74455, otherwise known as Sandworm. The hackers are believed to be responsible for the June 27, 2017 destructive NotPetya attacks, which have been estimated...
Ryuk Ransomware Gang Uses Zerologon Exploit to Achieve Domain-Wide Encryption in Just 5 Hours
The threat actors behind Ryuk ransomware have started using an exploit for the Zerologon privilege escalation flaw, CVE-2020-1472, which has allowed them to perform ransomware attacks at breakneck speed. The Zerologon vulnerability allows them to compromise a domain controller and all Active Directory identity services. In one successful attack, it took the attackers just two hours from an initial phish to exploit the vulnerability,...
Microsoft Issues Out-of-Band Updates to Correct Two RCE Flaws
On Friday, Microsoft issued out-of-band patches to correct two flaws which could potentially lead to remote code execution. The flaws have been rated ‘important’ by Microsoft, although they could potentially be exploited by an attacker to gain full control of a vulnerable system. One of the flaws – tracked as CVE-2020-17023 – affects Microsoft’s Visual Studio Core, a source code editor for Windows, Linux, and macOS. If exploited, an...
Microsoft Patches 11 Critical and 75 Important Flaws on October 2020 Patch Tuesday
October 2020 Patch Tuesday has seen Microsoft issue patches to correct 87 flaws across its product range, including 11 Critical flaws and 75 Important vulnerabilities. An advisory has also been issued about a critical vulnerability in Adobe Flash Player. This month’s round of updates includes fixes for six publicly disclosed vulnerabilities. Microsoft is unaware of any cases where the flaws have been exploited and all have been rated...
Coalition of Tech Firms Takedown TrickBot Botnet
The backend infrastructure of the TrickBot botnet has been taken down by a coalition of tech companies and government agencies, including Microsoft ESET, NTT, Black Lotus Labs, Symantec, and FS-ISAC. The takedown is the result of several months of painstaking work involving the analysis of more than 125,000 samples of the TrickBot Trojan by the coalition members, who studied the content and extracted and mapped information about how...
Multiple Threat Groups are Exploiting the Microsoft Zerologon Vulnerability
Microsoft has issued a warning following the discovery of multiple threat groups using exploits for the Zerologon vulnerability – CVE-2020-1472 – in the core authentication component of Active Directory of Windows Server and the Windows Netlogon Remote Protocol (MS-NRPC). The flaw is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a...
Male Chastity Device Vulnerability Could be Exploited to Cause Permanent Locking
Vulnerabilities have been identified in a male chastity device that could be exploited to cause the device to permanently lock. Should that happen, and you don’t have an angle grinder or the nerve to use one, it could prove to be a very embarrassing emergency room trip or fire department callout. The reason Bluetooth connectivity has been added to the Cell Mate male chastity device is to allow a trusted individual to be provided with...
CISA Issues Emotet Malware Alert Following Sharp Increase in Attacks
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about Emotet malware following an increase in successful attacks on state and local governments in the United States since August 2020. Emotet is distributed via phishing emails sent by the Emotet botnet – a network of computers that have been infected with Emotet malware. The botnet often conducts spam runs involving more...
Sanctions and Penalties Could be Imposed for Paying Ransomware Payments
Following a ransomware attack, many firms choose to pay the ransom demand to obtain the keys to decrypt files and prevent the sale or publication of data stolen in the attack. Many choose to use third party companies to negotiate with the attackers and pay the ransom. Payment of the ransom is not recommended by the FBI, as there is no guarantee that valid keys to decrypt files will be provided and payment of a ransom encourages threat...
Emotet Campaign Impersonates Democratic National Convention
An Emotet malware campaign is underway which has already targeted hundreds of organizations in the United States. The emails spoof the Democratic National Convention with messages claiming to be a call to action to recruit DNC volunteers across the country to help elected Democrats in the upcoming presidential election, as part of the DNC Team Blue initiative. The threat group behind Emotet, TA542, usually uses lures such as shipping...
Universal Health Services Ransomware Attack Cripples Hospitals Across the United States
Universal Health Services (UHS) has suffered a ransomware attack that has taken IT systems out of action across its nationwide network of hospitals. UHS is a Fortune 500 healthcare provider and one of the largest providers of hospital and healthcare services in the United States. UHS has around 400 hospitals and healthcare facilities throughout the United States, Puerto Rico and the UK and had annual revenues of $11.37 billion in...
Windows XP Source Code Leaked Online
Anyone still using Windows XP has been given an additional reason to finally upgrade to a supported Windows operating system. The source code for Windows XP SP1 and other Windows versions has been leaked online. It has been almost 20 years since Microsoft released Windows XP. Microsoft provided support for the popular operating system for 12 years, with extended support coming to an end on April 8, 2014. After that date patches and...
Zerologon Exploits Now Being Used in the Wild, Warns Microsoft
Earlier this month, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive about a critical vulnerability— CVE-2020-1472—that affected Microsoft Windows Netlogon Remote Protocol after proof-of-concept exploit code was publicly released. Microsoft has now issued a warning after hackers have been observed using exploits for the vulnerability in real world attacks. The vulnerability, named Zerologon...
Maze Ransomware now Uses Virtual Machines to Evade Endpoint Defenses
The operators of Maze ransomware have adopted a new tactic to evade endpoint security solutions. The gang has been observed encrypting computers from inside virtual machines, a tactic also used by the operators of Ragnar Locker ransomware. The new tactic was discovered by researchers at Sophos when responding to a ransomware attack on one of their customers. The Maze gang twice attempted to launch ransomware executables but were...
Ransomware Attack on Hospital Leads to the Death of a Patient
A ransomware attack on a German hospital that took critical systems out of action and forced the cancellation of appointments and the temporary closure of its emergency department has led to the death of a patient. On or before September 10, 2020, Düsseldorf University Clinic was attacked with ransomware. The file encryption caused systems to crash and prevented patient information from being accessed. The extent of the encryption and...
Billions of Devices Vulnerable to ‘BLESA’ Bluetooth Spoofing Vulnerability
A vulnerability has been discovered in the Bluetooth Low Energy (BLE) reconnection process that could be exploited by an attacker to bypass the reconnection authentication requirements and send spoofed data to a device. The BLE protocol is a slimline version of standard Bluetooth that was developed to keep Bluetooth connections active while conserving battery power. Due to the low power requirements, BLE has proven popular with...
Hacking Group Observed Installing Weave Scope Tool to Gain Visibility and Control of Business Cloud Environments
The threat detection and response firm Intezer has observed a hacking group using the Weave Scope visualization and monitoring tool to gain visibility into and take control of compromised Docker and Kubernetes cloud environments. The hacking group, referred to as TeamTNT by Intezer, is known to target Docker and Kubernetes systems and has been observed using a credential-stealing worm to discover and exfiltrate AWS login credentials....
Adobe Patches 12 Critical Flaws in Experience Manager, InDesign, and Framemaker
Adobe has released patches to correct 18 flaws on September 2020 Patch Tuesday. The flaws exist in Adobe Experience Manager, Adobe InDesign, and Adobe Framemaker. 12 of the vulnerabilities have been rated critical, with the rest rated important. 5 patches have been released to correct critical cross-site scripting vulnerabilities in Adobe Experience Manager (CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and...
September 2020 Patch Tuesday: Microsoft Fixes 129 Vulnerabilities; 20 Critical
Microsoft has issued patches to correct 129 vulnerabilities on September 2020 Patch Tuesday, 32 of which are remote code execution vulnerabilities and 20 have been rated critical. The vulnerabilities are spread across 15 products. While there is a large number of critical vulnerabilities in this month’s round of updates, none of the vulnerabilities are currently being exploited in the wild, although exploits for some of the flaws are...
Microsoft Will End Support for Adobe Flash Player on January 1, 2020
Microsoft has announced that web browser support for Adobe Flash Player will end on January 1, 2021. Adobe Flash Player will no longer be distributed or updated from December 31, 2020. The Security Update for Adobe Flash Player, which is usually released on Patch Tuesday every month for Microsoft Edge and Internet Explorer will end after December 2020. “Beginning in January 2021, Adobe Flash Player will be disabled by default...
New Cryptocurrency Stealing KryptoCibule Malware Family Identified
For the past two years, a cryptocurrency-stealing malware named KryptoCibule has been used to mine cryptocurrency on victims’ machines, steal cryptocurrency wallets, and hijack transactions. Malware targeting cryptocurrency tends to either involve mining cryptocurrency or stealing wallets/hijacking transactions. This malware does all three and also plants a backdoor into victim’s devices, allowing them to be remotely accessed....
Phishing Campaign Offering PPE Delivers Agent Tesla RAT
Researchers at Area 1 Security have identified a phishing scam that spoofs legitimate chemical companies, exporters and importers to deliver the Agent Tesla Remote Access Trojan (RAT). The phishing emails offer the recipient personal protective equipment (PPE) such as forehead temperature thermometers, disposable face masks, and other medical supplies that have been in short supply. The emails claim that the company has started mass...
New Version of Qbot Trojan Can Hijack Email Threads
Check Point researchers have identified a new version of the Qbot Trojan, a malware threat that first appeared 12 years ago. Qbot is an information stealer that attempts to steal banking information, credit card numbers, passwords, cookies, and emails. It is also known to download other malware variants, including ransomware. Remote connections can also be made with infected devices to make bank transactions from the victim’s IP...
New “FritzFrog” P2P Botnet Targeting SSH Servers of Banks, Medical Centers, Government Offices and Universities
A new, sophisticated, and stealthy peer-to-peer (P2P) botnet named FritzFrog has been discovered which is being used to target SSH servers. The botnet was identified and analyzed by security researchers at Guardicore Labs who report that the botnet has been active since at least January 2020 and has been used in targeted attacks on government offices, medical centers, banks, telecoms companies, and education institutions, and finance...
Microsoft Releases Out of Band Update for Windows 8.1, RT 8.1, and Windows Server 2012 R2
Microsoft has released an out of band update for Windows 8.1, RT 8.1, and Windows Server 2012 R2 to fix two privilege escalation flaws in the Windows Remote Access service. The two flaws – tracked as CVE-2020-1530 and CVE-2020-1537 – affect all supported versions of Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 and are due to improper handling of memory. In order to exploit the flaws, an attacker would need to have...
Patch Critical Citrix Endpoint Management (XenMobile Servers) Vulnerabilities Now
Five vulnerabilities, including two critical flaws, have been identified in Citrix Endpoint Management (CEM) – also known as XenMobile Server – which is used by businesses to manage employees’ mobile devices and applications, apply updates, and manage security settings. The critical flaws – tracked as CVE-2020-8208 and CVE-2020-8209 – could be exploited remotely and would allow an unauthenticated individual to access domain...
Popular Keylogger and Info Stealer Now Steals Credentials from Browsers and VPNs
Agent Tesla malware has received an update. The information stealer and keylogger can now steal passwords from browsers, VPN clients, FTP and email clients. Agent Tesla is a .Net-based remote access Trojan (RAT) that first appeared in 2014. The malware is offered for sale on hacking forums and darknet marketplaces and has proven to be a popular choice with low-level hackers and BEC scammers. The malware can be used in various stages...
Microsoft Fixes 120 Vulnerabilities on August 2020 Patch Tuesday, Including 17 Critical Flaws
August 2020 Patch Tuesday has seen Microsoft release 120 patches covering 13 products and a Servicing Stack Update for Windows 10 advisory. 17 of the vulnerabilities are rated critical, including 2 zero days, and 103 have been rated important. The two zero days are being actively exploited and an exploit for one of those flaws has been released publicly, so it is important for the security updates to be applied as soon as possible....
Adobe Fixes 26 Vulnerabilities Including 11 Critical Flaws
Adobe has released patches to address 26 vulnerabilities in Adobe Acrobat and Adobe Reader, including 11 flaws that have been rated critical. The critical flaws could be exploited to bypass security controls, with 9 of the critical flaws allowing the remote execution of arbitrary code. The remote code execution vulnerabilities are a mix of out-of-bounds write vulnerabilities (CVE-2020-9693 and CVE-2020-9694), use-after-free...
INTERPOL Report Shows Major Increase in Cyberattacks During the COVID-19 Pandemic
INTERPOL has completed an assessment of the impact of COVID-19 on cybercrime and has found a major increase in attacks during the pandemic, with cybercriminals shifting their focus from targeting individuals and small businesses to attacking large corporations, critical infrastructure, and government agencies. With many countries implementing lockdowns to curb COVID-19 infections, businesses have been forced into allowing virtually of...
Online Shopping Scams Have Soared During the COVID-19 Pandemic
There has been a major increase in online shopping scams during the COVID-19 pandemic, according to a recent public service announcement by the FBI. Reports to the FBI’s Internet Crime Complaint Center (IC3) from victims of online shopping scams have soared in recent months. Many of the reports concern orders from websites where the goods are not received or where different items to those ordered were sent. Victims of these scams were...
FBI Issues Flash Alert Warning of Netwalker Ransomware Attacks
The FBI has issued a Flash Alert following an increase in Netwalker ransomware attacks in the United States. Netwalker ransomware was first identified in March 2020 and was used in an attack on the Australian transportation and logistics company Toll Group. Attacks have also been conducted on an Illinois public health department, a Maryland operator of assisted living facilities, and the University of California, San Francisco. The...
Vulnerability in Cisco’s Network Security Products Being Actively Exploited
A high severity flaw in Cisco’s network security products is now being actively exploited. The vulnerability is present in the Cisco products used by many large enterprises and Fortune 500 firms and allows a remote attacker to gain access to sensitive data. The vulnerability is tracked as CVE-2020-3452 and was assigned a CVSS v3 base score of 7.5 out of 10. The flaw is present in the web services interface of Cisco’s Firepower Threat...
Critical Vulnerability in F5 Networks BIG-IP Devices Exploited in Real-World Attacks
On Friday, July 24, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers have started exploiting the CVE-2020-5902 vulnerability in F5 Networks BIG-IP devices. F5 BIG-IP devices are used for load balancing and generally sit between the firewall and a web application. They are used by many Fortune 500 companies, large enterprises, and government agencies and are an attractive target for hackers....
Out of Band Update Corrects 12 Critical Flaws in Adobe Photoshop, Prelude and Bridge
Adobe has issued an out of band update to correct 12 critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge, and an information disclosure vulnerability in Adobe Reader Mobile for Android. The critical flaws could all lead to remote code execution on Windows machines in the context of the current user. The impact of the flaws will be limited for standard Windows users, although exploits for the vulnerabilities...
17-Year Old Critical Wormable DNS Bug Patched by Microsoft
Microsoft has released a patch for a critical, wormable flaw in Microsoft’s Windows DNS Server that dates back to 2003. The vulnerability, tracked as CVE-2020-1350, was identified by security researchers at Check Point who named it SIGRed. Virtually all businesses will be running DNS with Active Directory and will be affected. Given the number of businesses affected, the ease of exploitation, and how the flaw could be exploited to...
Maximum Severity Flaw in SAP Could Allow Full Takeover of Enterprise System
The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency has issued an alert about a critical vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. The flaw, tracked as CVE-2020-6287, can be exploited through HTTP and would allow an attacker to take full control of vulnerable SAP applications. The flaw was discovered by researchers at Onapsis who named...
Zoom Fixes Zero-Day Legacy Windows RCE Flaw
A zero-day vulnerability in the Zoom Windows client that could potentially allow remote code execution has now been patched by Zoom. The flaw only affected users running Windows 7 or earlier Windows versions. Later Windows versions were unaffected. Last week, Acros Security announced in a blog post that a zero-day vulnerability had been discovered, and Zoom was notified around the same time. Details about the flaw were not publicly...