SharePoint Files Used to Harvest Office 365 Credentials
A phishing campaign termed PhishPoint uses SharePoint files to steal users’ Office 365 credentials. Huge numbers of phishing emails are being sent to businesses that appear to be invitations to collaborate. Users are required to click the URL embedded in the email, which ultimately directs them to a malicious site where they are required to enter their Office 365 credentials. Those credentials are then captured by the attackers. The...
Multi-Factor Authentication Fail: Single MFA Token Used to Gain Access to All Accounts
Multi-factor authentication can help to secure accounts and protect against phishing attacks. If a correct username and password combo is obtained, without the second factor (E.g. SMS message, token, device, or email address) the account cannot be accessed. As the recently discovered data breach at Reddit demonstrated, multi-factor authentication is not a silver bullet. Reddit used SMS messages to a user’s mobile phone as the second...
New KeyPass Ransomware Campaign Infects Users in More than 20 Countries
A new ransomware variant – called KeyPass ransomware – is being used in a new campaign that has seen many victims created around the world. While Brazil and Vietnam have taken the brunt of the attacks, there have been victims in more than 20 countries with the list growing by the day. KeyPass ransomware is written in C++ and is a variant of STOP ransomware. At present it is not known how the KeyPass ransomware attacks are...
Faxploit Attack Uses Fax Machine to Gain Network Access and Steal Data
Since the 1960s, businesses have been using fax machines to send and receive orders and communicate data quickly. To a large extent, email has replaced the fax, although faxes are still extensively used, especially in healthcare. It has been estimated that there are still around 300 million fax machines in use around the world. While fax technology is old – it was first developed in the late 1800s – faxes are not typically...
New Shrug Ransomware Variant Detected
Shrug ransomware was first detected in early July. Now a new variant of this .NET ransomware variant has been detected, which has enhanced capabilities. Shrug ransomware was primarily distributed bundled with fake software and apps, although the infection vector for the latest version is not known. Phishing emails, RDP attacks, and drive-by downloads may also be used in addition to fake software. Shrug2 ransomware was detected by...
Scammers Claim to Have Webcam Footage of Users Watching Pornography
A new variant of an old scam is currently gaining traction and is fooling many people into paying scammers money to avoid having sensitive information exposed. The scammers claim to have added malware to adult sites which has been downloaded onto a user’s computer. The malware is allegedly capable of taking full control of the webcam, which has been used to record a video of the user while they were visiting pornographic websites. The...
SamSam Ransomware Developer Has Earned $6 Million in Ransom Payments
SamSam ransomware has been used in many attacks on healthcare providers and educational institutions over the past two and a half years. In contrast to many other ransomware variants, the ransom payments are considerably higher, typically of the order of tens of thousands of dollars. What also makes SamSam ransomware different is its method of deployment. While many ransomware variants are installed as a result of employees opening...
Recent WannaCry Attack on Chip Manufacturer Expected to Cost $170 Million
A WannaCry ransomware attack has been reported by the Taiwan Semiconductor Manufacturing Co. The malware infection has crippled some of the company’s manufacturing plants which has halted chip production in some of the company’s factories. The Taiwan Semiconductor Manufacturing Co. is the world’s largest chip manufacturer, supplying its products to Nvidia, AMD, Apple, Qualcomm and many other major manufacturers. The attack has had a...
Massive Malvertising Operation Uncovered that Delivers Traffic to Rig Exploit Kit
For many years cybercriminals have been sneaking malicious adverts onto legitimate websites through advertising networks. Publishers – website owners that sell space on their sites for advertisements – often use ad networks to connect them with advertisers, who bid for the space. Resellers are also involved in the advertising chain and resell traffic generated through the ad networks to other advertisers. If a malicious advert makes...
New Spectre-Class Attack Identified by UCR Researchers
Another side-channel vulnerability has been identified that could be exploited in a Spectre-Class attack. This attack method is not blocked by previous patches that address the original Spectre flaws. The vulnerability was identified by researchers at the University of California, Riverside (UCR), which recently published details of the attack method which they term Spectre-RSB. The attack uses the speculative execution feature of...
Cincinnati Implements Smart911 Service to Improve Emergency Response Times
The city of Cincinnati has taken steps to improve response times of the emergency services in the wake of a tragic incident that resulted in the death of a 16-year old student at Seven Hills School. On April 10, Kyle Plush became trapped under the rear seat of his Honda Odyssey. He attempted to contact emergency services multiple times to request help but died from asphyxiation in the back of his minivan. His body was not discovered...
GandCrab Ransomware Vaccine Developed by AhnLab
GandCrab ransomware is now the most commonly used ransomware variant, and while there is currently no free decryptor for GandCrab ransomware, there is now a vaccine that can prevent GandCrab ransomware attacks from being successful. While this is certainly good news, the vaccine only works for version 4.1.2 of the ransomware – the variant currently being used in widespread attacks. Version 4.1.2 was released just two days after...
Convincing Phishing Campaign Targets Australian Businesses and Spreads DanaBot Trojan
A new phishing campaign has been detected that is spreading the DanaBot Trojan. The campaign involves phishing emails which appear to contain invoices from the Australian multinational corporation MYOB – a provider of tax and accounting services for small and medium sized businesses. The phishing campaign was detected by Trustwave researchers. The phishing emails are succinct and well written and advise the recipient of the invoice...
Code Stealing Certificates Stolen from D-Link and Used in Malware Campaign
The Advanced Persistent Threat (APT) group BlackTech has stolen code-signing certificates from D-Link and Changing Information Technology Inc., and is using them to cryptographically sign a remotely controlled backdoor known as Plead and an associated password stealer. With the stolen certificates, individuals who receive the malware as email attachments are likely to be fooled into thinking the files are genuine and have been...
Microsoft Issues Patches for 54 Vulnerabilities; 17 Critical
This Patch Tuesday has seen Microsoft issue patches for 54 vulnerabilities, 27 of which could allow remote code exploitation. 17 of the flaws have been rated critical and 33 are rated important. Three of the vulnerabilities were disclosed before Microsoft released patches. The patches address bugs in 15 products. The majority of the critical flaws are scripting errors in Internet Explorer, including four memory corruption...
New AZORult Phishing Campaign Detected by Cofense
Leading anti-phishing solution provider Cofense has detected a new AZORult phishing campaign. AZORult is an information stealer capable of stealing cookies, stored passwords, payment card information, autocomplete data stored in web browsers, Bitcoin wallet information, and email, FTP, and XMPP client credentials. The latest campaign uses malicious email attachments to spread a new variant of the malware. Version 3 of AZORult...
Email Attack Uses Macros to Hijack Desktop Shortcuts
The deployment of malware via malicious Word documents is nothing new, although the tactics used by cybercriminals often change. Now a new method of malware deployment has been uncovered, in which users are fooled into downloading the malicious payload. The attack starts like many other email-based attacks. The user must open an email and attachment and enable macros. The macro then searches for common desktop shortcuts such as Google...
Rakhni Trojan Decides Whether to Encrypt or Mine Dashcoin
A new variant of the Rakhni Trojan has been detected by security researchers at Kaspersky Lab. This new malware variant decides whether a device is suited to mining cryptocurrency. If the device has sufficient processing power, a Dashcoin miner is downloaded and the device is turned into a cryptocurrency mining slave. If the likely profits from cryptocurrency mining are low, files on the device will be encrypted in a standard...
Cryptocurrency Investors Targeted with MacOs Malware on Slack and Discord
Several MacOs malware attacks have been identified in the past few days with victims targeted via the Slack and Discord chat platforms. The attackers are targeting cryptocurrency investors and are posting messages on Slack and Discord groups linked to cryptocurrencies. This is an impersonation attack in which admins and key personnel are being impersonated, with users advised to run a script that downloads a malware variant named...
DoublePulsar Exploit Tweaked to Work on IoT Systems
The NSA hacking tool – DoublePulsar – was used to infect hundreds of thousands of Windows computers with malware last year after it was leaked online by the Shadow Brokers hacking group. At the time, the hacking tool worked on all Windows versions except the latest Windows 10 version, but not on the Windows IoT operating system. However, a security researcher going by the name Capt. Meelo has tweaked the hacking tool, which now works...
WordPress Vulnerability Allows Full Site Takeover
A recently disclosed vulnerability in the WordPress CMS Core could be exploited to escalate privileges, remotely execute code, and take full control of a WordPress site. The vulnerability was discovered by security researchers at RIPS Technologies who reported the flaw to WordPress in November 2017. The WordPress team confirmed that the flaw existed but said it could take around 6 months to patch the flaw. Seven months on and the...
ZeroFont Phishing Attack Bypasses Microsoft Office Security Feature
The ZeroFont phishing attack allows phishers to bypass anti-spam controls and ensure their emails are delivered to end users inboxes. ZeroFont Phishing Cybercriminals are constantly developing new ways to bypass anti-spam technologies, one of which has been uncovered by security researchers at the cloud security company Avanan. The technique, termed ZeroFont phishing, allows phishers to get their messages past Microsoft Office 365...
More than 400 Models of Axis Communications Cameras Vulnerable to Remote Attacks
More than 400 models of Axis Communications’ security cameras contain vulnerabilities that could be exploited by malicious actors to intercept and view camera footage, take full control of the cameras, or disable them entirely. The security cameras are used by many organizations, including industrial firms, banks and hotels. The vulnerabilities were discovered by the cybersecurity company VDOO as part of its investigation into the...
More than 22,000 Container Orchestration and API Management Systems Exposed on Internet
Many organizations have turned to the public cloud to help them scale resources to meet demand, reduce operating costs and improve the effectiveness of IT processes; however, a significant percentage of companies have failed to secure their cloud infrastructure and are exposing their data. New research conducted by Lacework has revealed more than 22,000 container dashboards and API management systems have been left exposed on the...
New PyRoMine Malware Variant Used Obfuscation and Incorporates IoT Device Scanner
A new variant of the PyRoMine cryptocurrency mining malware has been discovered by security researchers at Fortinet. The Pythod-based malware variant has been named PyRoMineIoT. The malware bears a number of similarities to the PyRoMine malware discovered by FortiGuard Labs in April, although this variant has enhanced capabilities helping it to evade detection by AV software. The new version of the malware is hosted on the same IP...
RansomCloud Attack Encrypts Cloud-Based Emails
Ransomware may be more commonly used to encrypt files on business networks, although that does not mean consumers are in the clear. Cybercriminals may target businesses due to the higher potential rewards for a successful attack, although a new ransomware strain has been developed that highlights how vulnerable consumers are to ransomware attacks. In this case, the ransomware strain was developed by a white hat hacker as a proof of...
Spammers Use iqy Files to Deliver Remote Access Trojan
Macros have long been favored by cybercriminals as a method of installing malware. The macros launch VB, JavaScript and PowerShell scripts that download malware. Due to potential threat, security teams often disable macros or at least configure end points to require macros to be manually enabled by end users. The risk of running macros is also usually covered in security awareness programs. It is now harder for cybercriminals to...
Emergency Update Issued by Adobe to Patch Critical 0-Day Flaw in Flash Player
Adobe has released an emergency update that addresses an actively exploited zero-day flaw in Flash Player that is being used in targeted attacks on Windows users. The vulnerability, tracked as CVE-2018-5002, is a stack-based buffer overflow vulnerability that allows arbitrary code execution. The flaw has been rated critical. Several phishing campaigns have been detected that are using Office documents with embedded Flash Player...
New Capabilities of VPNFilter Malware Uncovered: More Routers Vulnerable that Initially Thought
Security researchers at Cisco Talos, who identified VPNFilter malware last month, initially estimated that approximately half a million routers had been infected with the malware. Further investigation into the malware campaign suggests twice as many routers brands and models are vulnerable and the number of infections could be substantially higher than previously thought. Cicso Talos took the decision to go public about the malware...
May Saw Massive Increase in TSB Phishing Scams
There has been a massive increase in TSB phishing scams over the past month. In April, TSB bank transitioned to a new core banking system. Previously, TSB data had been on a system provided by Lloyds, although following the takeover by Spanish bank Banco Sabadell, data needed to be moved to its banking system. When customer accounts were transferred to the new system, many customers were locked out of their accounts. The outage lasted...
New Windows Zero Day JScript Remote Code Execution Vulnerability Disclosed
A new Windows zero day remote code execution flaw has been identified. The flaw is present in Microsoft’s ECMAScript standard and affects the Jscript component of Internet Explorer and the way Windows handles error objects in Jscript. The vulnerability has been given a medium severity with a CVSS V3 rating of 6.8. The vulnerability was first identified in January by Telspace Systems security researcher Dmitri Kaslov. It has now been...
Mnubot Banking Trojan Used in Attacks on Brazilian Firms
A new banking Trojan – MnuBot – has been detected by IBM X-Force researchers which uses an unusual method of communication. Instead of using a command and control server like most other malware families, MnuBot uses Microsoft SQL Server to receive its initial configuration and for communication. The MnuBot banking Trojan is being used in targeted attacks in Brazil and its primary function is to make fraudulent bank transfers via...
US-CERT Issues Warning About Two North Korean Malware Variants
Two malware strains – known as Joanap and Brambul – are being used to establish peer to peer connections and remotely access infected systems, manage botnets, and steal system information and login credentials. The malware strains are communicating with IP addresses in 17 countries and have been linked to North Korea by U.S Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI). The malware families are...
Warning Issued to Business and Consumers Over VPNFilter Malware Infections on Routers
Security researchers at Cisco Talos have been tracking a VPNFilter malware campaign that has seen more than 500,000 consumer-grade routers and NAS devices infected. While Talos researchers are still investigating, the decision was made to go public due to recent upgrades to the malware that gave it dangerous new capabilities, as well as the speed at which routers were being infected. VPNFilter malware can intercept all traffic through...
New Variant of Dharma Ransomware Identified
A new variant of Dharma ransomware has been detected. The ransomware is capable of encrypting files on a local device as well files on mapped network drives, unmapped network shares, and shared virtual machine hosts. Dharma was first seen in November 2016 and shares several traits with CrySiS ransomware. While a decryptor was released in 2017 that allowed businesses to recover files without paying the ransom, new Dharma ransomware...
New Mirai IoT Botnet Detected
The Mirai IoT botnet has been used to conduct some of the largest distributed denial of service (DDoS) attacks ever seen. Since the release of the source code in October 2016, there have been several variants of the botnet developed. Now a new variant has been detected, which has been named Wicked, due to some of the strings in the source code. The new variant was identified by security researchers at Fortinet, who report that the new...
Cisco Patches Critical Flaws in Digital Network Architecture Platform
Cisco has releases patches to address vulnerabilities that could potentially be exploited to gain full control of affected systems. Three of the vulnerabilities are rated critical and have been assigned a CVSS V3 rating of 10 – the highest rating under the scoring system. A further four vulnerabilities have been given a rating of high with CVSS V3 scores of 8.6, 8.1, 7.5 and 6.3. The three critical vulnerabilities affect Cisco’s...
GDPR Phishing Scam Targets Airbnb Customers
A GDPR phishing scam has been detected targeting Airbnb customers. The GDPR-themed scam requests customers of the home-sharing website must re-enter their contact information and credit card details in order to comply with the EU’s General Data Protection Regulation that comes into force on May 25, 2018. The scammers are taking advantage of the high volume of emails currently being sent by companies as part of their GDPR compliance...
Vega Stealer Malware Harvesting Credentials from Web Browsers
A new variant of August Stealer – named Vega Stealer – is being distributed in small phishing campaigns targeting marketing, advertising, and PR firms and the retail and manufacturing industries. While the campaigns are highly targeted, the malware could potentially be used in much more widespread campaigns and become a major threat. Vega Stealer does not have the same range of capabilities as its predecessor, although it does include...
SamSam Ransomware Threat Actors Switch to Targeted Company-Wide Attacks
The threat actors behind the latest SamSam ransomware attacks have switched tactics and are now conducting highly targeted, company-wide attacks with the aim of infecting large numbers of devices. Companies are being researched and companies that are perceived to be most likely to pay the ransom are being attacked. Instead of using spam and phishing emails to gain access to devices, the threat actors are exploiting vulnerabilities to...
KnowBe4 Issues Alert About Fake Active Shooter Phishing Emails
The recent shootings at schools in the United States have shocked the nation, with educational institutions now on high alert for any recurrences. The news of an active shooter on campus requires an immediate response and is likely to result in panic. It is therefore no surprise that scammers have taken advantage and have been sending fake active shooter alerts via email to schools and colleges. KnowBe4 has recently identified one...
Cofense Report Reveals Latest Malware Delivery and Attack Trends
The 2018 Malware Review from security awareness and anti-phishing solution provider Cofense (Formerly PhishMe) looks at malware trends over the past 12 months and makes predictions about malware delivery and attack trends in 2018. The 2018 Cofense Malware Review, titled A Look Back and a Look Forward, was compiled after analyzing millions of phishing and spam emails gathered from multiple sources over the past year. The report has a...
Increase in W-2 Phishing Campaigns Leads to FBI Warning Issued
The Federal Bureau of Investigation (FBI) has issued a new alert for businesses due to a major rise in phishing attacks attacking payroll worker. The target of the phishing attacks is to download copies of the W-2 forms of workers. Information on the forms is used to carry out identity theft and tax fraud. 2017 saw record numbers of phishing campaigns targeting businesses, educational institutions, and healthcare groups. In some...
UK Government Websites Mining Cryptocurrency
UK government websites mining cryptocurrency after third party website plugin compromised by hackers. The plugin Browsealoud, used on many government websites to help hearing-impaired and blind visitors listen to content, was hijacked and the source code had cryptocurrency mining code injected. UK Government Websites Mining Cryptocurrency for Hackers A recent supply chain attack has seen many government websites turn to mining...
FBI Issues Warning About Internet Crime Complaint Center Phishing Scams
The FBI has spent the past few months investigating reports of Internet Crime Complaint Center phishing scams. IC3 has been impersonated in several campaigns that attempt to convince people to reveal sensitive information that can be used to drain bank accounts and steal identities. The FBI has identified three email templates that are being used by scammers to obtain sensitive information from victims. In some cases, victims have...
New Necurs Botnet Phishing Campaign Spreads Dridex Banking Trojan
The operators of the Necurs botnet have launched several phishing campaigns in the past few days that are being used to spread the Dridex banking Trojan. Malware and cryptocurrency miners are also being sent in large scale campaigns. New tactics are being used to ensure infection and avoid detection. The latest Dridex malware campaign was launched in the past few days and targets customers of major US and European banks. When users...
Beware of W2 Phishing Scams This Tax Season
Employers are being warned to be wary of W2 phishing scams this tax season. The past two years have seen hundreds of employers scammed into disclosing the W2 forms of their employees. The credentials on the forms were subsequently used to file false tax returns. This year is likely to be no different. Last year, accounts department and payroll staff were targeted with W2 phishing scams, using an attack method termed business email...
Dark Caracal Spyware Installed Via Fake WhatsApp and Signal Apps
An advanced persistent threat (APT) group called Dark Caracal is using fake WhatsApp and Signal apps to install spyware. The APT group has already gained access to many thousands of devices and has stolen hundreds of gigabytes of data. Individuals in at least 21 countries have had their mobile devices infected. The APT group is highly advanced, and is believed to operate at the nation-state level, with strong evidence suggesting the...
Phishing Emails Pushing Fake Meltdown and Spectre Patches
The recently disclosed microprocessor vulnerabilities – Meltdown and Spectre – have had software and hardware firms working hard to develop patches. Cybercriminals have also been busy developing phishing campaigns that push fake Meltdown and Spectre patches. It should not come as a surprise that cybercriminals are capitalizing on the rush to secure computers and patch the vulnerabilities. The vulnerabilities can potentially be...
IRS Phishing Scam Targets Hotmail Users
A new IRS phishing scam has been detected that targets tax professionals and taxpayers who hold Hotmail email accounts. The scam has prompted the Internal Revenue Service to issue a warning to Hotmail users to be wary of emails that request personal and financial information. Each year, cybercriminals target tax payers and attempt to get them to reveal their personal information and Social Security numbers, which are used to file...
Soaring Value of Bitcoin Triggers Rise in Phishing Attacks on Bitcoin Wallets
Over the past few days, the value of Bitcoin has soared from $11,000 to more than $17,500, prompting hackers to increase the number of phishing attacks on Bitcoin wallets. While investors are cashing in on the surge in value, so too are attempts to steal Bitcoin. The purpose of the phishing attacks on Bitcoin wallets is simple. Get investors to reveal their account credentials and Bitcoin wallets can be plundered. There is also no...
Warning Issued by IRS About Christmas Phishing Scams
Each year there is a wave of Christmas phishing scams during the holiday season, as cybercriminals attempt to steal sensitive information to enable them to file fraudulent tax returns. This year is likely to be no different. Last year saw a major increase in Christmas phishing scams, and the prospect of another barrage of phishing emails has prompted the IRS to issue a warning to consumers to be alert to new, sophisticated email scams...
US-CERT Warns of Exploitable Windows ASLR Implementation Flaw
The U.S. Computer Emergency Readiness Team (US-CERT) has issued a warning about an exploitable Windows ASLR implementation flaw affecting Windows 8, Windows 8.1 and Windows 10. Address Space Layout Randomization (ASLR) is designed to make systems safer by preventing memory-based code execution attacks. Instead of a system executing programs in the memory in predictable locations, which can be anticipated by hackers, ASLR ensures...
Contacts Stolen and Spear Phishing Emails Sent by Ursnif Trojan
The financial sector banking Trojan Ursnif, one of the most commonly experienced banking Trojans, has before been used to attack banking institutions. However, it seems the individuals behind the malware have expanded their horizons, with cyberattacks now being carried out on a wide variety of groups across many different sectors, including healthcare. The new strain of the Ursnif Trojan was found by researchers at security firm...
New Gibon Ransomware Campaign Detected
A new ransomware campaign has been detected that is using spam email to deliver Gibon ransomware. The malware has been named Gibon due to the inclusion of the word in the user-agent string of its code. The ransomware variant was detected by Proofpoint security researcher Matthew Mesa, who notes that as with many other ransomware variants, it is being sold on darknet marketplaces for cybercriminals to use in their own ransom campaigns....
Google Search Poisoning Used to Spread Zeus Panda Trojan
Google search poisoning is being used by cybercriminals to get malicious links ranking highly in the organic search listings. Websites that rank highly in the organic search listings attract the lion’s share of traffic. Ranking highly for popular keyword terms can therefore deliver thousands of visitors. Google scans websites and if malware is found on a webpage, the page will be marked as malicious and will be removed from the...
Study Reveals Extent to Which Combosquatting is Used by Hackers
The use of combosquatting is on the rise, although until recently, the extent to which combosquatting was being used by cybercriminals was not known. However, a new study that examined more than 468 billion DNS records has revealed the practice is far more common than typosquatting. More than 100 times as common in fact. What is Combosquatting? Combosquatting is the use of a trademark in combination with another word in a domain. For...
New Matrix Ransomware Malvertising Campaign Detected
A new Matrix ransomware malvertising campaign has been detected. The campaign uses malicious adverts to direct users to a site hosting the Rig exploit kit. Flash and IE vulnerabilities are exploited to download the malicious file-encrypting payload. The new Matrix ransomware malvertising campaign was detected by security researcher Jérôme Segura. Matrix ransomware is not a new threat, having first been detected in late 2016. The...
New MyEtherWallet Phishing Campaign Detected
A new MyEtherWallet phishing campaign has been detected that uses a convincing domain and MyEtherWallet branding to fool MyEtherWallet users into revealing their credentials and providing criminals with access to their MyEtherWallet accounts. In the first few hours of the campaign, the criminals behind the scam had obtained more than $15,000 of MyEtherWallet funds, including $13,000 from one MyEtherWallet user. The individuals behind...
Widespread Bad Rabbit Ransomware Drive-By Attacks Reported
Over the past 24 hours, there have been hundreds of reports of cyberattacks involving Bad Rabbit ransomware – A new ransomware variant with similarities to both NotPetya and HDDCryptor. NotPetya was used in widespread attacks in June, and was a wiper rather than ransomware. HDDCryptor was the ransomware variant that encrypted the San Francisco Muni’s system in November 2016. Many of the NotPetya attacks occurred via a...
KRACK WiFi Security Vulnerability Allows Attackers to Decrypt WiFi Traffic
Security researchers at the University of Leuven in Belgium have discovered a WiFi security flaw in WPA2 called KRACK. The KRACK WiFi security vulnerability affects all modern WiFi networks and could be exploited with relative ease. While there have been no known attacks leveraging the vulnerability, it is one of the most serious WiFi flaws discovered to date, with potential to be used to attack millions of users. If the KRACK WiFi...
Adobe Patches Actively Exploited Flash Player Flaw Used to Deliver FinSpy Malware
Yesterday, Adobe released a new update for Flash Player to address an actively exploited flaw (CVE-2017-11292) that is being used by the hacking group Black Oasis to deliver FinSpy malware. Finspy is not malware as such, it is a legitimate software program developed by the German software company Gamma International. However, its capabilities include many malware-like functions. As the name suggests, FinSpy is surveillance software...
Department of Education Issues Advisory to Hacking and Extortion Threats
Recently, the hacking group TheDarkOverlord has been targeting K12 schools; gaining access to networks, stealing data and attempting to extort money. In response to the hacking and extortion threats, the U.S. Department of Education has issued an advisory to K12 schools and has provided advice to help educational institutions mitigate risk and protect their networks from attack. The attacks on schools by TheDarkOverlord in recent...
FormBook Malware Campaign Targets U.S. Organizations
Most Formbook malware attacks have targeted specific industry sectors in the United States and South Korea, but there is concern that the malware will be used in more widespread attacks around the globe. To date, the Aerospace industry, defense contractors, and the manufacturing sector have been extensively targeted; however, attacks have not been confined to these sectors. The financial services, energy and utility companies,...
Microsoft Patches Actively Exploited Zero Day Vulnerabilities
This Patch Tuesday has seen Microsoft issue several updates for critical vulnerabilities, some of which are being actively exploited in the wild. Microsoft is urging companies to apply the patches immediately to keep their systems secure. Some of the vulnerabilities are easy to exploit, requiring little skill. In total, 62 vulnerabilities have been patched, including 33 that can result in remote code execution. Out of the 62...
New Rowhammer Exploit Enables Hackers to Bypass Mitigations
The Rowhammer exploit was first discovered in 2014 and was shown to allow attackers to take control of devices by targeting DRAM memory cells. Rowhammer attacks take advantage of the close proximity of memory cells, causing them to leak their charge and alter the content of neighboring memory cells. The attack involves delivering constant read-write operations using carefully crafted memory access patterns to continuously activate the...
3 Billion Accounts Compromised in 2013 Yahoo Data Breach
While the 2013 Yahoo data breach was soon known to involve many of the company’s customers, it became apparent in December 2016 that 1 billion accounts had been compromised. Before that in September 2016, a separate breach was discovered that involved around half a billion email accounts. Now Verizon, which finalized the purchase of Yahoo this summer, has discovered the 2013 Yahoo date breach was far worse than initially thought....
Flusihoc Botnet Activity Increases, Delivering Crippling DDoS Attacks
The Flusihoc Botnet is being used for crippling DDoS attacks, some as high as 45 Gbps according to researchers at Arbor networks. The botnet has been operational for at least two years, although activity has increased over the past few months, with more than 900 attacks conducted using the Flusihoc botnet over the past four months. The botnet has more than 48 active command and control servers, although there have been more than 154...
Ransomware and Phishing Rated Top Threats by IT Professionals
A recent survey by Cyren, conducted by Osterman Research, has revealed the biggest concerns of IT professionals are ransomware and phishing. When asked about their biggest security concerns, 62% said ransomware, 61% said phishing, and 54% said data breaches. The survey also showed that investment in cyber defenses has increased, yet for many firms, even further investment in security solutions has failed to prevent data breaches. It...
Piriform Alerts Users That CCleaner Contained Malware
Piriform’s CCleaner, a free PC cleaning app with 130 million users around the world, has been discovered to contain malware. Researchers at Cisco Talos recently announced that CCleaner contains a backdoor that was inserted by hackers. The backdoor was present in two versions of the application – the 32-bit version of CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. The backdoor was inserted into those versions at least a month before...
Beware of Equifax Data Breach Phishing Scams
Consumers are being warned to be on high alert for Equifax data breach phishing scams, telephone and text message scams, and fraudulent use of their sensitive information. Almost Half of All Americans Impacted by Equifax Data Breach The massive Equifax data breach has resulted in the personal information of almost half of the population of the United States being stolen. More than 143 million Americans have been impacted by the...
LinkedIn Phishing Scam Uses InMail and Personal Messages to Obtain Sensitive Information
A new LinkedIn Phishing scam has been detected that uses compromised LinkedIn Premium accounts to send InMail messages and private messages to other LinkedIn users. The messages appear genuine as first glance, but are being used to obtain email login credentials. Those email accounts will undoubtedly be used in more extensive phishing scams. Phishers have been gaining access to genuine LinkedIn accounts and using them to send InMail...
Equifax Data Breach Affects 143 Million Consumers
A massive Equifax data breach has resulted in the exposure, and possible theft, of 143 million American’s records, including highly sensitive data such as Social Security numbers. To put that figure into perspective, that’s virtually half the population of the United States. Hackers gained access to a website database via an unpatched vulnerability in a web application. Security experts are suggesting the vulnerability was in Apache...
NIST Revises Guidance on Passwords
The National Institute of Standards and Technology (NIST) has issued new guidance on passwords. It is standard practice to make passwords stronger by using a combination of capital letters, lower case letters, numbers and special characters. While that certainly makes it harder for cybercriminals to crack passwords using brute force methods, it also makes passwords particularly difficult to remember. In practice, forcing users to add...
Siemens CT and PET Scanners Vulnerable to Cyberattacks
The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a warning about vulnerabilities in Siemens CT and PET scanner systems. Healthcare organizations have been put on alert and warned that there are publicly available exploits for all four of the vulnerabilities. If exploited, hackers would be able to alter the functioning of the devices, potentially placing patient safety...
Global Petya Ransomware Attacks involve Modified EternalBlue Exploit
Global Petya ransomware attacks are underway with the campaign bearing similar hallmarks to the WannaCry ransomware attacks in May. The attackers are using the a modified EternalBlue exploit that takes advantage of the same SMBv1 vulnerability used in WannaCry. The ransomware variant bears a number of similarities to Petya ransomware, although this appears to be a new variant. Petya ransomware was first discovered last year, with the...
Patch Issued for Actively Exploited Drupal Vulnerability
An actively exploited Drupal vulnerability – tracked as CVE-2017-6922 – has been patched this week. The flaw, which affects Drupal v 7.56 and 8.3.4, is being exploited. The flaw is an access bypass vulnerability that Drupal was aware of since last October, although a patch has only just been issued. The flaw can be exploited on misconfigured websites, allowing anonymous users to upload files which are stored in a public file system...
Q2 Saw a 400% Increase in Phishing Attacks on Businesses
The threat from phishing has been growing steadily over the past few years, but a new report from Mimecast shows the threat is greater than ever before with more phishing attacks on businesses than any other time in history. The report shows there has been a 400% increase in phishing attacks on businesses in Q2, 2017. For the study, Mimecast analyzed the inbound emails of 44,000 business users. That analysis showed cybercriminals are...
Pacemaker Cybersecurity Protections Found Lacking
A recent study has found pacemaker cybersecurity protections not only to be lacking, but woefully inadequate. Many of the devices tested were discovered to contain thousands of software vulnerabilities, many of which could potentially be exploited by cybercriminals to gain access to the devices and their associated systems. Medical device security issues have long been a concern, yet little is being done to address the problems. In...
Samba Vulnerability Could be Exploited in WannaCry Style Attacks
A Samba vulnerability has been discovered that could potentially be exploited and used in network worm attacks akin to those used to deliver WannaCry ransomware on May 12. Samba is used on Unix and Linux systems to add Windows file and print sharing services as well as on many NAS devices. Samba can also be used as an Active Directory server for access control on Windows networks. Samba uses a protocol based on Windows Server Message...
Windows 7 Computers Worse Hit by WannaCry Ransomware
The WannaCry ransomware attacks are understood to have resulted in data being encrypted on around 300,000 computers in 150 countries. The attackers took advantage of unpatched software, exploiting a vulnerability in Microsoft Server Message Block 1.0 (SMBv1) using the EternalBlue exploit stolen from the NSA and published online by the hacking group Shadow Brokers. While a patch had been released by Microsoft to fix the vulnerability...
Dept. of Health Sends Out Waring Regarding Ransomware
Following the recent WannaCry ransomware attacks, the Department of Health and Human Services has been issuing cybersecurity alerts and warnings to healthcare organizations on the threat of attack and steps that can be taken to reduce risk. The email alerts were sent soon after the news of the attacks on the UK’s NHS first started to emerge on Friday May 12, and continued over the course of the week. The alerts provided timely and...
Wanna Decryptor Ransomware Encrypts Data on Medical Devices
Friday’s Wanna Decryptor ransomware campaign badly affected NHS hospitals in the United Kingdom, with 40 hospitals spread across at least 24 Trusts confirming they were affected and had data encrypted. However, some media reports claim as many as 48 of the 248 Trusts in the UK were impacted by the attack to some degree. Wanna Decryptor (WannaCry/WannaCrypt) attacks rapidly spread across the globe, with an estimated 200,000 victims...
WannaCry Ransomware Campaign Thwarted
The WannaCry ransomware campaign that saw 61 NHS Trusts in the UK attacked has been stopped thanks to the actions of a UK security blogger and malware researcher. The individual, who wishes to remain anonymous, found a kill switch for the ransomware that prevented it from encrypting files. The WannaCry ransomware campaign was launched on Friday May 12, 2017, with infections occurring at lightning speed. In contrast to many ransomware...
Worldwide WannaCry Ransomware Attacks Reported
There has been a massive spike in worldwide WannaCry ransomware attacks, with a new campaign launched on Friday. In contrast to past WannaCry ransomware attacks, this campaign leverages a vulnerability in Server Message Block 1.0 (SMBv1). Zero day exploits are commonly used by cybercriminals, although this one was allegedly developed by the National Security Agency (NSA) and was stolen and given to the hacking group Shadow Brokers....
Philadelphia Ransomware Used in Targeted Attacks on US Hospitals
Cybercriminals are conducting targeted attacks on U.S. healthcare organizations using Philadelphia ransomware; a relatively new ransomware variant developed from Stampedo ransomware. Philadelphia ransomware was first seen in September 2016, although recently, a new campaign has been detected that has already seen two U.S hospitals have sensitive files encrypted. The actors behind the latest attacks are targeting physicians using spear...
OCR Issues Warning to Healthcare Providers on Use of HTTPS Inspection Tools
Many healthcare organization use HTTPS inspection tools to monitor HTTPS connections for malware. HTTPS inspection tools decrypt secure HTTPS network traffic and review content before re-encrypting traffic. HTTPS inspection tools are used to enhance security, although a recent warning from the Department of Health and Human Services’ Office for Civil Rights highlights recent research indicating HTTPS inspection tools could potentially...
FBI Warns Healthcare Providers of Risk of Using Anonymous FTP Servers
Healthcare organizations could be placing the protected health information of patients at risk by using anonymous FTP servers, according to a recent alert issued by the FBI. Cybercriminals are taking advantage of the lack of protection on FTP servers to gain access to the PHI of patients. Anonymous FTP servers allow data stored on the server to be accessed by individuals without authentication. In anonymous mode, all that is required...
US-Certs Says SSL Inspection Tools May Actually Weaken Cybersecurity
SSL inspection tools are commonly used by healthcare providers to improve security; however, according to a recent warning issued by US-CERT, SSL inspection tools may actually weaken organizations’ defenses and make them more susceptible to man-in-the-middle attacks. It is not necessarily the SSL inspection tools that are the problem, more that organizations are relying on those solutions to advise them which connections can be...
PetrWrap Used for Targeted Ransomware Attacks on Businesses
Petya ransomware has been hijacked and is being used in ransomware attacks on businesses without the ransomware authors’ knowledge. The criminals behind the new PetrWrap campaign have added a new module to Petya ransomware that modifies the ransomware ‘on the fly’, controlling the encryption process so that even the ransomware authors would not be able to unlock the encryption. Petya ransomware first appeared in May last year. The...
Actively Exploited Apache Struts Vulnerability Discovered
The discovery of a new Apache Struts vulnerability that is being actively exploited in the wild has prompted both Cisco Talos and Apache to issue warnings to users. The zero-day vulnerability in the popular Java application framework was recently discovered by Cisco Talos researchers, and attacks have been occurring at a steady pace over the past few days. The Apache Struts vulnerability – CVE-2017-5638 – is in the Jakarta...
Powershell Remote Access Trojan Uses DNS for 2-Way Communications with C2 Server
A new Powershell remote access Trojan has been identified by researchers at Cisco Talos. The memory-resident malware does not write any files to the hard drive and it uses a novel method of communicating with its C2, making it almost impossible to detect. Infection occurs via a malicious Word document sent via email. Cisco Talos researchers said only 6 out of 54 AV engines recognized the malware. If the document is opened, the user...
Dharma Ransomware Decryptor Developed
Following the release of decryption keys this Wednesday, security researchers have developed a free Dharma ransomware decryptor. It is now possible for businesses and individuals who have had their files encrypted by Dharma ransomware to unlock their files without having to pay a ransom. Dharma ransomware has not been one of the most prevalent ransomware threats. There have been nowhere near as many infections as the likes of...
Windows Devices Used to Increase Size of Mirai Botnet
The Mirai Botnet was used to launch devastating distributed denial of service (DDoS) attacks late last year, some of which took down large sections of the Internet including some of the most popular websites – Twitter and Netflix for example. One Mirai attack on the hosting company OVH registered 1.1 Tbps. It has been predicted that attacks on that scale are likely to become much more common in 2017. The Botnet is comprised of...
MacOS Malware Spread by Malicious Word Macros
Security researchers have discovered that MacOS malware is being spread by malicious Word macros. This is the first time that MacOS malware has been discovered to be spread using this attack vector. Windows users can expect to be attacked with malware, but Mac users have remained relatively safe. The vast majority of malware targets Windows users, with malware attacks on Mac users still relatively rare. However, MacOS malware does...
Phishing Attacks on Cloud Storage Providers Causing Concern
Phishing is one of the most common ways that cybercriminals gain access to sensitive data. While logins for online banking services are still a major prize, cybercriminals are now increasingly conducting phishing attacks on cloud storage providers. Software-as-a-service (SaaS) attacks have also soared. A recent report from PhishLabs shows the extent to which cloud storage providers are being targeted. In 2013, cloud storage and...
Beware of LNK Attachments and Malicious SVG Files
JavaScript attachments are still used to infect computers with malware and ransomware, but a new trend has emerged that is seeing cybercriminals switch to malicious SVG files. Malicious LNK files are also growing in popularity. The reasoning behind the switch in file types is clear. They are much less likely to arouse suspicion; therefore, they are more likely to be opened. JavaScript has been extensively used over the past 12 months...
IRS Issues W2 Phishing Scam Warning
Cybercriminals have been sending huge numbers of W2 phishing scam emails over the past few weeks. Tax season usually sees an increase in scam emails being sent, although this year cybercriminals have started their scamming campaigns even earlier. The victim count is also growing rapidly. The W2 phishing scam in question is an email request for copies of employees’ W-2 forms. The scammers impersonate the CEO, CFO or another executive...
SMB File Sharing Protocol Flaw Published Before Patched
A SMB file sharing protocol flaw in Windows has been publicly disclosed 12 days before a patch to correct the issue will be released by Microsoft. According to the researcher who published details of the flaw – Laurent Gaffié – Microsoft has known about the issue for 3 months yet has so far failed to patch the vulnerability. If the SMB file sharing protocol flaw is exploited, an attacker would be able to crash Windows 10...
Security Flaws in Multi-Function Printers Could Lead to Password Theft
Researchers at Ruhr University have discovered security flaws in multi-function printers that could be exploited remotely by hackers to shut down the printers, or worse, manipulate documents or steal passwords. It is also possible for hackers to exploit the flaws to cause physical damage to printers. The researchers have so far identified security flaws in multi-function printers manufactured by computer hardware giants HP, Lexmark...