Avaddon Ransomware Gang Shuts Down Operation and Releases Decryption Keys
Avaddon ransomware is no more. The operation has been shut down and decryptors have been released that allow victims to recover their files free of charge. On June 11, 2021, Bleeping Computer received an anonymous tip which appeared to have come from the FBI and included a link to a password protected ZIP file and a password. The file included 2,934 decryption keys for Avaddon ransomware – all outstanding victims that have not yet...
SonicWall VPN Vulnerability Exploited in Attacks on Legacy SRA Appliances
Researchers at CrowdStrike have confirmed cyber threat actors exploiting a SonicWall VPN vulnerability to attack Secure Remote Access (SRA) 4600 devices. The vulnerability, tracked as CVE-2019-7481, is not new. The bug was identified in 2019 and a patch was released to correct the flaw; however, the patch was only partially effective and did not fix the firmware bug on legacy SonicWall SRA 4600 VPN devices. Proof-of-concept exploit...
New Malware Discovered Targeting Windows Containers to Plant Backdoors in Kubernetes Clusters
A new malware variant has been discovered that is believed to be the first to target Windows containers. The malware, discovered by Daniel Prizmant of Palo Alto Networks’ Unit 42 team, has been dubbed Siloscape and is capable of breaking out of Windows containers and compromising Kubernetes clusters to plant backdoors and raid nodes for credential theft. Kubernetes is used to automate the deployment, scaling, and management of...
Microsoft Patches 41 Vulnerabilities, Including 5 Critical Flaws and 7 Zero-Days
June 2021 Patch Tuesday has seen Microsoft release patches to correct 50 vulnerabilities across its range of products, including 7 zero-day vulnerabilities. Five vulnerabilities are rated critical and 45 have been rated important. 6 of the zero-day vulnerabilities patches this week are known to have been exploited in the wild. While these flaws have been exploited, all have been rated important. These are: CVE-2021-31199 –...
Critical VMware vCenter Server Vulnerability Under Active Exploitation
The critical VMware vCenter Server vulnerability CVE-2021-21985 is being actively exploited in the wild. There have been several successful exploits of the 9.8/10 severity vulnerability and at least one reliable exploit for the flaw is now in the public domain. VMware issued an advisory about the flaw in the last week in May and urged users to patch promptly to avoid exploitation. The flaw is now being exploited by at least one threat...
NCSC Warns UK Educational Institutions of Increased Ransomware Threat
The UK’s National Cyber Security Center (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data. Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a...
Take Ransomware Seriously, Warns White House
Ransomware attacks have been increasing and it is now common for the threat actors behind these attacks to not only encrypt data to prevent access, but also to steal data prior to file encryption and then threaten to sell or publish the data if the ransom is not paid. Data exposure or data loss can have major consequences but the biggest threat for businesses is often the downtime caused by a successful attack. It is often this...
FBI Warns of APT Groups Exploiting Fortinet Vulnerabilities
The Federal Bureau of Investigation (FBI) has issued a Flash Alert warning of the continued exploitation of Fortinet Fortigate vulnerabilities by Advanced Persistent Threat (APT) Groups. In the Alert, the FBI said it is almost certain that an APT actor exploited the vulnerabilities to access a web server hosting the domain for a U.S. municipal government and the flaws have been exploited since at least May 2021. Once access was...
SolarWinds Hackers Conducting Spear Phishing Campaign Posing as USAID
The Russian Advanced Persistent Threat (APT) group Nobelium – aka APT29/The Dukes/Cozy Bear – that was behind the SolarWinds Orion supply chain attack has been conducting a spear phishing campaign masquerading as the U.S. Agency for International Development (USAID). The emails are used to deliver malware and gain persistent access to the internal networks of the targeted companies. The spear phishing attacks were identified by...
VMware Patches Critical Vulnerability in vCenter Server
A patch has been released to fix a critical severity vulnerability in VMware’s virtualization management platform, vCenter Server. The vulnerability could be remotely exploited by an attacker to execute arbitrary code on a vulnerable host and gain full control of the system. The vulnerability has been given a CVSS severity rating of 9.8 out of 10. The flaw, tracked as CVE-2021-21985, affects the vCenter Server platforms that are used...
Apple Patches Actively Exploited Zero-Day MacOS Vulnerability
Apple has released a patch to fix a zero-day vulnerability in macOS that is being actively exploited in the wild. The macOS vulnerability, tracked as CVE-2021-30663, affects macOS Big Sur devices and, according to Jamf researchers who discovered the vulnerability, has been exploited by XCSSET malware to bypass Apple’s Transparency Consent and Control (TCC) protections that protect users’ privacy. Normally, the TCC protections will...
SQL Injection Vulnerability in WP Statistics WordPress Plugin Allows Theft of Database Information
A bug has been identified in a popular WordPress app that allows an unauthenticated attacker to steal sensitive database information. The WP Statistics plugin provides website owners with visitor analytics, including information about how visitors arrived on the site, the pages and posts they visited, the browser used, along with anonymized location data. The plugin has been installed on approximately 600,000 WordPress websites....
Large-Scale Malspam Campaign Detected Delivering the STRRAT Remote Access Trojan
Microsoft has issued a warning about a massive malspam campaign that is being used to deliver the STRRAT remote access trojan (RAT). The campaign is being conducted using compromised email accounts with what appears at first glance to be a PDF file attachment. The attached file appears to have a .pdf extension and displays the typical PDF image; however, the file attachment is simply an image which, if clicked, will download the...
President Biden Signs Extensive Executive Order to Improve Federal Government Cybersecurity
President Biden has signed an Executive Order that seeks to modernize the cybersecurity defenses of the federal government and protect its networks from cyber threats. The Executive Order, which runs to 34 pages, seeks to improve the IT infrastructure of the Federal government to make it more resilient to cyberattacks, better prepare government agencies to allow a swift and effective response in the event of an attack, and improve...
Microsoft Issued Patches for 55 Vulnerabilities Including 4 Critical Flaws
It has been a relatively quiet Patch Tuesday for Microsoft, with patches released to correct just 55 vulnerabilities across its product suite. None of the four critical flaws are believed to have been exploited in in the wild; however, patches should be applied as soon as possible to prevent exploitation, especially since three of the vulnerabilities have been publicly disclosed. The four critical flaws affect Windows 10, Internet...
Adobe Patches 43 Vulnerabilities Including 1 Actively Exploited Flaw in Acrobat/Reader
May 2021 Patch Tuesday has seen Adobe issue 43 updates to fix vulnerabilities in 12 different products, including a patch to fix a vulnerability in the Adobe Acrobat and Adobe Reader that is currently being exploited in the wild. The actively exploited zero-day vulnerability is tracked as CVE-2021-28550 and has been exploited in attacks on Windows devices. The flaw also affects macOS devices, but they are not currently believed to...
12-Year-Old Vulnerabilities Place Millions of Dell Devices at Risk
Hundreds of millions of Dell devices are vulnerable to firmware update driver flaws that could potentially be exploited to achieve remote code execution. The vulnerabilities were identified by security researchers at SentinelOne, and have been present in Dell laptops, desktops, and tablets since 2009. The five vulnerabilities have been combined under a single CVE tracking number – CVE-2021-21551 – which has been assigned a CVSS v3...
Trifecta of Sophisticated Malware Distributed in Spear Phishing Campaign
Three new sophisticated malware variants are being distributed by an Advanced Persistent Threat (APT) group in a large-scale global phishing campaign, according to a new report from FireEye’s Mandiant cybersecurity team. The new malware variants – dubbed DoubleDrag, DoubleDrop, and DoubleBack – are being distributed using 50 domains and one legitimate compromised domain of an HVAC company. Based on the infrastructure used, the...
Patch Released for Actively Exploited Pulse Connect Secure VPN Vulnerability
Pulse Secure has released a patch for the actively exploited zero-day vulnerability – CVE-2021-22893 – in the Pulse Connect Secure SSL VPN appliance. Last week, FireEye researchers announced they had identified instances where the flaw had been exploited by threat groups, with one of those groups believed to be a Chinese Advanced Persistent Threat actor. Exploitation of the flaw could allow unauthenticated remote attackers to...
Vulnerabilities in SonicWall VPN Appliances Targeted in FiveHands Ransomware Attacks
A vulnerability in Sonicwall SMA 100 Series VPN appliances is being targeted to deliver a previously unknown ransomware variant dubbed FiveHands. Threat analysts at Mandiant have been tracking the activity of the threat group – UNC2447 – and have observed attacks exploiting the CVE-2021-20016 vulnerability in North America and Europe since October 2020. Sonicwall released a patch to correct the flaw in February 2021. FiveHands...
Phishing Campaign Impersonates Click Studios to Deliver New Moserpass Malware Variant
Last week, Click Studios alerted users of the Passwordstate enterprise password manager about a supply chain attack in which hackers successfully compromised the In-Place Upgrade mechanism of the app, which allowed the attackers to perform malicious upgrades between April 20 and April 22, 2021. During that 28-hour window it is possible that the attackers downloaded a malformed Passwordstate_upgrade.zip file, which was sourced from a...
Data Exfiltration Extortion Attacks Spike and Ransom Payments Increase
Payments to resolve ransomware and data exfiltration extortion attacks increased in the first quarter of 2021, with the rise largely due to the Accellion legacy File Transfer Appliance (FTA) cyberattack and attacks by small ransomware groups such as CLoP. CLoP was highly active throughout Q1 and was the 4th most common ransomware variant in Q1, having not even been in the top 10 in Q4, 2020. Ransom payments declined in the last...
Apple Patches Zero-day Flaw Actively Exploited by Shlayer Malware
An actively exploited zero-day vulnerability in macOS has been patched by Apple. The vulnerability, one of the most serious flaws in macOS to be discovered, allows malware to bypass File Quarantine, Gatekeeper, and Notarization protections. The vulnerability – tracked as CVE-2021-30657 – is due to a logic flaw in the macOS policy subsystem that performs security checks on applications. The flaw was identified by security researcher...
Actively Exploited Zero Day Vulnerability Identified in Pulse Secure Connect VPN
A critical zero-day vulnerability has been identified in Pulse Secure VPN appliances that is being actively exploited by a Chinese advanced persistent threat group. The vulnerability is being chained with previously disclosed Pulse Secure Connect vulnerabilities to gain persistent access to vulnerable appliances and achieve lateral movement within victims’ networks. Targeted organizations include government agencies, defense, critical...
Patch These Actively Exploited SonicWall Vulnerabilities Now!
SonicWall has released patches to correct three actively exploited vulnerabilities in its on-premises and hosted email security solutions. The vulnerabilities can be exploited remotely to gain access to SonicWall Email Security hardware and virtual appliances as well as software installations on Microsoft Windows Server. Successful exploitation of the vulnerabilities would allow threat actors to access files and emails, install...
Google Project Zero Adds 30-Day Grace Period to Vulnerability Disclosure Policy
Google Project Zero has added a new grace period to its zero-day vulnerability disclosure policy and will now provide an additional 30 days after a patch is released before publishing technical details of the vulnerability. Google introduced its 90-day vulnerability disclosure policy in 2020. The aim of the 90-day delay was to encourage faster patch development and patch adoption, while giving sufficient time to ensure that vendors...
NSA Warns of Russian Government Hackers Exploiting These 5 Vulnerabilities
The National Security Agency (NSA), in conjunction with the Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a cybersecurity alert listing five vulnerabilities that are currently being exploited by the Russian Foreign Intelligence Service (SVR) to compromise U.S. and allied networks. The SVR has and continues to exploit software vulnerabilities to gain access to...
FBI Removes Malicious Web Shells from Hundreds of Corporate Exchange Servers
The Federal Bureau of Investigation (FBI) has removed malicious web shells from hundreds of corporate servers in at least 8 states without the knowledge or permission of the owners of the servers. The web shells were installed on corporate Exchange Servers that had previously been compromised by Advanced Persistent Threat (APT) groups by exploiting the ProxyLogon Microsoft Exchange Server vulnerabilities. It has been more than a month...
Name:Wreck DNS Vulnerabilities Affect More than 100 Million IoT Devices
More than 100 million consumer and enterprise IoT devices are believed to be affected by a new set of DNS vulnerabilities, according to Forescout and the Israeli consultancy firm JSOF. The vulnerabilities, collectively named Name:Wreck, are related to DNS implementations in popular TCP/IP network communication stacks and affect the free IT software FreeBSD and the IoT/OT firmware IPnet, Nucleus NET and NetX. In total, 9...
Microsoft Patches 108 Vulnerabilities Including 19 Critical Flaws
April 2021 Patch Tuesday has seen Microsoft issue 108 patches to correct vulnerabilities across its range of products, including one actively exploited zero-day vulnerability and 4 zero-day remote code execution vulnerabilities in Microsoft Exchange Server that were recently discovered by the NSA. 19 of the flaws have been rated critical, 88 are rated important, and one is rated moderate severity. Earlier this month, Microsoft also...
IcedID Malware Distribution Increases as it Vies to Become the New Emotet
A massive malspam campaign is underway distributing the IcedID banking Trojan. The malicious emails have Microsoft Excel attachments, which use Excel 4 macros to deliver the banking Trojan. IcedID is a modular malware that started life as a Trojan that steals financial information from victims. Like several other banking Trojans, it has since evolved into a malware dropper and is now primarily being used to distribute secondary...
Collaboration Platforms Increasingly Abused by Threat Actors for Data Exfiltration and Malware Delivery
Teleworking has been growing in popularity over the past few years, but the national lockdowns imposed by governments to limit the spread of COVID-19 forced many businesses to allow their workforce to work remotely and telework has now become the norm. Threat actors have adapted their tactics, techniques, and procedures to take advantage in this change in working practices and the collaboration platforms that are now relied upon by...
SAP and Onapsis Warn of Ongoing Attacks Exploiting Vulnerabilities in Mission-Critical SAP Applications
6 cybersecurity vulnerabilities in mission-critical SAP applications are being actively exploited by threat actors according to cybersecurity firm Onapsis. Exploitation of the flaws could result in the theft of sensitive data, financial fraud, and disruption of mission-critical systems, including malware and ransomware attacks. Researchers at Onapsis have recorded more than 300 successful attacks exploiting the flaws from mid-2020...
Are You One of the 533 Million Facebook Account Holders Affected by This Data Breach?
The personal information of 533 million Facebook account holders has been leaked online on a public hacking forum. The incident that resulted in the theft of such a huge amount of Facebook data is believed to be a 2019 hack that exploited the “Add Friend” Facebook security bug, rather than a more recent hack. The flaw allowed information such as the account holder’s name, Facebook ID, mobile number, gender, occupation, city, country,...
Fortinet SSL VPN Vulnerabilities Being Actively Exploited by Nation State Hackers
The Federal Bureau of Investigation (FBI) and the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint alert warning that Advanced Persistent Threat (APT) groups are actively exploiting vulnerabilities in the Fortinet SSL VPN. The APT groups have been exploiting three vulnerabilities to gain a foothold in networks and are conducting reconnaissance and moving laterally within networks. Government agencies,...
WannaCry Ransomware Attacks Up 53% Since January 2021
The latest research published by Check Point shows a resurgence in WannaCry ransomware attacks. It has been almost four years since the ransomware first appeared and was used in a massive global campaign that encrypted an estimated 200,000 computers in 150 countries. Check Point’s telemetry shows there was a 53% increase in WannaCry ransomware in March compared to January. The initial attacks were thwarted when a kill switch was...
Critical Flaws Identified in Facebook for WordPress Plugin
A critical flaw with a CVSS score of 9.0 has been identified in the official Facebook for WordPress plugin, which is used on more than 500,000 websites to record the actions users take when interacting with webpages. The plugin, also known as Facebook Pixel, captures data such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events, by installing a Facebook Pixel on web pages. The vulnerability could be exploited by a...
FBI/CISA Warn of Increase in Mamba Ransomware Attacks
The Federal Bureau of Investigation (FBI) in conjunction with the DHS’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a TLS:White alert about Mamba ransomware following an increase in attacks on multiple industry sectors. Over the past few months, the ransomware gang has targeted government agencies and companies operating in the transportation, legal, construction, industrial, manufacturing, and construction...
Purple Fox Malware Now Has Worm Capabilities for Propagating Across Windows Machines
A new variant of Purple Fox malware has been detected by researchers at Guardicore Labs that has achieved far greater success at infecting systems thanks to a new worm module for infecting Internet-facing Windows systems. Purple Fox malware was first identified in 2018 and is a fileless malware downloader used to run malicious PowerShell commands on infected devices to download other malware variants onto the compromised system....
FBI Warns State and Local Governments of Increased Risk of BEC Attacks
The Federal Bureau of Investigation (FBI) has issued a warning to state, local, tribal, and territorial (SLTT) governments in the United States about Business Email Compromise (BEC) scams. Losses to BEC attacks increased by 5% to more than $1.8 billion in 2020 and between 2018 and 2020, SLTT government entities have been targeted. BEC attacks involve the use of a compromise email account to send messages to individuals with authority...
Adobe Issues Out-of-Band Patch for Critical ColdFusion Vulnerability
A patch has been issued to correct a critical vulnerability – CVE-2021-21087 – in Adobe ColdFusion that could be exploited by a remote attacker to execute arbitrary code on a vulnerable system. The Adobe ColdFusion platform is used for building web applications and several versions of the platform are affected by the vulnerability. Vulnerable Adobe ColdFusion Versions: Version 2016 – Update 16 and earlier Version 2018 –...
Pysa Ransomware Gang Targeting Education Sector, Warns FBI
The FBI has issued an alert following a surge in Pysa ransomware attacks on K-12 schools and higher education institutions. The Pysa (Mespinoza) ransomware gang has recently conducted attacks in 12 U.S. states and the United Kingdom. The ransomware was first identified in 2019, with the FBI aware of targeted Pysa ransomware attacks in the United States and foreign government entities, educational institutions, private companies, and...
Google Fixes Actively Exploited Zero Day Vulnerability in the Chrome Browser
Google has patched a zero-day vulnerability in its Chrome browser for Mac, Windows, and Linux. The vulnerability, which is the second zero-day to be patched by Google in the past month and the third in 2021, could be exploited remotely and could allow the execution of arbitrary code on a vulnerable device. The flaw, tracked as CVE-2021-21193, is present in the Blink rendering engine and is a ‘use-after-free’ vulnerability that is...
TrickBot Becomes Biggest Malware Threat Following Emotet Takedown
The Emotet botnet was the biggest malware threat until a joint law enforcement operation succeeded in taking the botnet down. Emotet was primarily used as a malware loader, with the malware-as-a-service operation used to distribute several malware variants. The takedown of the Emotet botnet only caused temporary disruption to malware distribution, with cybercriminals quick to switch to other botnets to distribute their malware...
Patch Critical BIG-IP and BIG-IQ Vulnerabilities Now, Warns F5 Networks
On March 10, 2021, F5 Networks released updated software to fix 7 vulnerabilities in BIG-IP and BIG-IQ systems, 4 of which are rated critical, 2 high severity, and 1 medium severity. Vulnerabilities in F5 software are highly sought after by threat actors, as the networking equipment is used by governments and large enterprises. 48 Fortune 50 firms, with the equipment commonly used by banks, ISPs, and many Fortune 500 firms. Previous...
Microsoft Fixes 82 Vulnerabilities on March 2021 Patch Tuesday Including One Actively Exploited 0Day Flaw
March 2021 Patch Tuesday saw Microsoft deliver patches for 82 vulnerabilities across its product range, including fixes for 10 critical flaws and 2 zero-day vulnerabilities for which exploits have been made public. The remaining 72 vulnerabilities are all rated important. In addition to the patches released today, Microsoft issued 7 patches to correct flaws in Microsoft Exchange since February 2021 Patch Tuesday, four of which are...
Multiple Threat Groups Now Exploiting Microsoft Exchange Server Zero-Day Flaws
Multiple threat groups have been observed exploiting the four zero-day vulnerabilities in Microsoft Exchange Server that were patched earlier this week. Microsoft announced the four vulnerabilities have been exploited by a Chinese Advanced Persistent Threat (APT) group known as Hafnium since at least early January, but following the announcement about the vulnerabilities, several other nation-state hacking groups have been identified...
Microsoft Releases Out of Band Security Updates to Fix Actively Exploited Microsoft Exchange Server Flaws
Microsoft has released patches to correct four zero-day vulnerabilities in Microsoft Exchange Server that are currently being chained together and exploited by a sophisticated Chinese Advanced Persistent Threat (APT) group in cyberespionage attacks on U.S. targets including defense contractors, law firms, universities, and companies involved in infectious disease research. The affected Microsoft Exchange servers are typically used by...
Ryuk Ransomware Update Adds Worm-Like Capabilities
A new variant of Ryuk ransomware has been detected with worm-like capabilities that allow it to spread laterally within an infected network with no human interaction. This is a notable change for a ransomware variant that has previously been deployed manually after access to a network has been gained. Previously, when network access is achieved, the threat actors performed reconnaissance and manually moved laterally within a network...
Hackers Actively Scanning for Vulnerable VMware Servers after Publication of PoC Exploit Code
Scans are currently being conducted to identify VMware vCenter servers that have not been patched, following the publication of Proof-of-Concept (PoC) exploits for a vulnerability tracked as CVE-2021-21972. The vulnerability has been assigned a CVSS v3 base score of 9.8 out of 10 and a patch was released on February 23, 2021. The vulnerability is in the vSphere Client (HTML5), which is a plugin of VMware vCenter that is used as a...
Cisco Patches Critical Flaws in its Application Services Engine and ACI Multi-Site Orchestrator
Cisco has released a patch to address a critical flaw in the API endpoint of the Cisco ACI Multi-Site Orchestrator (MSO) installed on the Application Services Engine. The flaw, tracked as CVE-2021-1388, has been given the maximum CVSS severity of 10/10. If exploited, an attacker would be able to remotely bypass authentication on an affected device. The flaw could be exploited by sending a specially crafted request to a vulnerable ACI...
Accellion FTA Extortion Attacks Linked to FIN11 and CL0P Ransomware Gang
In mid-December, threat actors started exploiting zero-day vulnerabilities in the Accellion File Transfer Appliance (FTA) product, and over the next few weeks it became apparent that many companies had suffered data breaches. The Accellion FTA was originally launched around 20 years ago to get around the problem of emailing large file attachments. Rather than emailing large files, individuals are sent links to the files hosted on the...
US. Department of Justice Indicts 3 Alleged Members of North Korean Lazarus Hacking Group
This week, the U.S. Department of Justice announced that three North Korean intelligence officials have been indicted for their role in a slew of destructive cyberattacks on U.S. and global organizations spanning many years. The cyberattacks allowed the hackers to steal and extort more than $1.3 billion in money and cryptocurrencies from companies and financial institutions around the world. The three individuals are alleged members...
Malvertising Gang Exploited WebKit Zero Day to Redirect Web Visitors to Scam Sites
An unpatched zero-day vulnerability in WebKit-based browsers has been exploited by a threat group to redirect website visitors to scam sites for at least 8 months, according to a new report released by cybersecurity firm Confiant. The threat group behind the attack – ScamClub – has been in operation since at least 2018 and primarily uses malicious adverts (malvertising) to direct Internet users to scam sites, often sites running...
Microsoft: Over 1,000 Hackers Suspected to be Involved in SolarWinds Hack
Microsoft President Brad Smith recently claimed the SolarWinds supply chain attack was “the largest and most sophisticated attack the world has ever seen” and may have involved more than 1,000 Russian operatives. The attack saw the code of the SolarWinds Orion solution updated so that when it was automatically updated a backdoor was inserted into all users’ networks that gave the attackers remote access. Many thousands of IT...
Egregor Ransomware Operation Disrupted and Several Arrest Made
Several suspected members of the Egregor ransomware operation have been arrested in Ukraine, according to the news outlet France Inter. The arrests were made as part of a joint operation between law enforcement in France and Ukraine to disrupt the operation. The suspects arrested in the operation are understood to be affiliates who signed up to hack corporate networks and deploy Egregor ransomware for a cut of the ransom payments that...
Microsoft Fixes 56 Flaws on February 2021 Patch Tuesday Including 1 Zero Day
Compared to previous months, February 2021 Patch Tuesday saw relatively few patches released by Microsoft to correct flaws across its range of products, although several of the vulnerabilities have already been publicly disclosed and one patch has been released to fix an actively exploited zero-day flaw that affects Windows 10 and Windows Server 2019. In total, 56 vulnerabilities have been fixed this month, 11 of which are critical....
Adobe Patches 50 Vulnerabilities Including 1 Actively Exploited Adobe Reader Bug
On February 2021 Patch Tuesday Adobe released patches to correct 50 vulnerabilities across its range of products, including 34 critical severity flaws, one of which is being actively exploited in the wild in limited attacks on Windows users. The actively exploited vulnerability is a heap-based buffer overflow vulnerability in Adobe Reader, tracked as CVE-2021-21017. If the buffer overflow is triggered, an attacker could remotely...
RDP Attacks Increased by 768% in 2020 and Remain a Key Attack Vector
The COVID-19 pandemic forced businesses to move to a largely remote workforce and cybercriminals took advantage by targeting vulnerabilities in Remote Desktop Protocol (RDP). Between Q1 and Q4, 2020, RDP attacks increased by 768%, according to the ESET Q4 2020 Threat Report. RDP attacks slowed in Q4, 2020 as cybercriminals started to favor other methods of attack. The decrease suggests businesses have managed to improve the security...
Hackers Steal Source Code of Stormshield Firewall Products
Stormshield, one of the leading French cybersecurity firms, has announced it has suffered a cyberattack in which the attackers gained access to its support ticket system and stole some of the source code two of its firewall products. Stormshield provides cybersecurity solutions such as unified threat management (UTM) firewall devices, secure file management solutions, and endpoint protection solutions to French enterprises, European...
Ransomware Attacks Most Commonly Start with Phishing and 70% Involve Data Exfiltration
The Q4, 2020 Quarterly Ransomware Report from Coveware shows there has been a marked decline in the number of companies paying ransoms to recover data stolen in ransomware attacks and prevent the public release of stolen data. The fall is seen as a response to the erosion of trust. There have been several recent attacks where stolen data has been released publicly even when a ransom has been paid. If companies have a viable backup...
Three Vulnerabilities Identified in SolarWinds Products
Patches have been released to fix three vulnerabilities SolarWinds products. Two of the flaws affect the SolarWinds Orion platform, and the third affects the Serv-U FTP server for Windows. One of the SolarWinds Orion flaws allows remote code execution with admin privileges and could be exploited by a remote attacker to take full control of the Orion platform. The other vulnerability in the platform could only be exploited by a local...
Phishers Target US Businesses in Scam Offering Fake PPP Loans
A phishing campaign has been detected which is targeting U.S. businesses that are struggling to stay in operation during the pandemic. The emails attempt to get business owners to apply for a fake PPP loan and disclose sensitive data. The Paycheck Protection Program (PPP) is part of the U.S. CARES Act, which was launched by the Trump Administration on April 3, 2020 to provide financial assistance to businesses that have been adversely...
TrickBot Returns with a New Malspam Campaign
A botnet that was severely disrupted in late 2020 by a coalition led by Microsoft is now back with a new malspam campaign. The infrastructure used by the operators of the TrickBot botnet was taken down in the run up to the November 2020 U.S. Presidential election, but it didn’t take long for the infrastructure to be rebuilt. The takedown was successful and caused major disruption to the operation, but since no arrests were made, the...
Europol Announces Takedown of the Emotet Botnet
Europol has announced that following a global operation by law enforcement and judicial authorities, the Emotet botnet has been disrupted and law enforcement agencies have seized control of its infrastructure. The takedown was planned for two years and involved Europol, Eurojust, the FBI, the Royal Canadian Mounted Police, the UK’s National Crime Agency, and law enforcement agencies in Ukraine, Netherlands, Germany, Lithuania, and...
Interpol Warns of Rise in Investment Scams Targeting Dating App Users
With opportunities for meeting potential partners now limited due to the COVID-19 pandemic and many people isolated due to lockdown measures, use of dating apps has soared. Dating apps have long provided scammers with opportunities for fraud and romance scams are rife. However, there have been increasing numbers of dating app users targeted with a new investment scam in recent weeks, prompting Interpol to issue a Purple Notice about...
FreakOut Malware Campaign Targets Linux Devices
A new malware variant is being used in attacks on Linux devices that sees the devices added to a botnet and used for cryptocurrency mining and distributed-denial-of-service (DDoS) attacks. The new malware, dubbed FreakOut, places an infected device under the control of the botnet operator and used for remote attacks on other vulnerable devices. The malware variant was identified by researchers at Check Point who believe it is...
Microsoft Warns Windows Zerologon Patch Enforcement Starts on February 9, 2021
The critical Windows Zerologon vulnerability (CVE-2020-1472) was patched by Microsoft on August Patch Tuesday; however, despite the seriousness of the vulnerability – rated 10/10 for severity – there are still some organizations that have yet to apply the patch. Microsoft has now announced that from February 9, 2021 it will be enabling domain controller enforcement mode by default, which will help to ensure that the threat of...
Hackers Altered Stolen Pfizer Vaccine Documentation Prior to Publication
In November 2020, hackers gained access to a server used by the European Medicines Agency (EMA), the drug and vaccine regulator in the European Union, and stole data on the Pfizer/BioNTech vaccine candidate. Last week, the EMA announced that the hackers had publicly released the documentation on hacking forums, but a new alert warns that the documentation was manipulated prior to release. The stolen data included information...
Healthcare Sector Cyberattacks Have Increased by 45% in the Past 2 Months
A recent joint CISA, FBI, and HHS cybersecurity alert warned that the healthcare sector was being targeted by threat actors who were deploying ransomware. Attacks are being conducted by several threat actors using a range of different ransomware variants, including Ryuk and Conti. A new report recently published by Check Point shows that since the alert was issued, cyberattacks on the healthcare sector have continued to increase. From...
Microsoft Releases Patch for Actively Exploited Windows Defender Zero Day and 9 Other Critical Flaws
The first Patch Tuesday of 2021 has seen Microsoft release patches to fix 83 vulnerabilities across its range of products, including one zero-day vulnerability in Windows Defender that is being actively exploited in the wild. This month’s round of patches includes fixes for 10 critical and 73 important vulnerabilities in Windows OS, Edge, Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine and...
Kaspersky Researchers Link Sunburst Backdoor to Kazuar Backdoor Used by Russian Turla APT Group
Researchers at Kaspersky have identified similarities between the backdoor used in the SolarWinds supply chain attack and another backdoor – Kazuar – which is believed to have been used by the Russian Advanced Persistent Threat (APT) group Turla. Turla has been linked to several attacks on foreign governments over the past 14 years. The APT group behind the SolarWinds attack compromised the company’s Orion monitoring solution and used...
FBI Issues Warning About Ongoing Egregor Ransomware Activity
The Federal Bureau of Investigation (FBI) has issued a warning to private sector companies about ongoing Egregor ransomware attacks. Since September 2020, when the ransomware variant was first identified, it has been used in attacks on at least 150 companies worldwide. Egregor is a ransomware-as-a-service offering with many affiliates used to distribute the ransomware. Many of the affiliates moved to Egregor distribution when the Maze...
NVIDIA Software Update Corrects Multiple High Severity Graphics Driver Flaws
NVIDIA has released patches to correct 16 vulnerabilities in its graphics drivers and vGPU software for Windows and Linux systems, most of which are high severity flaws that can be exploited to escalate privileges, tamper with data, obtain sensitive data, or conduct denial of service attacks. NVIDIA’s GPUs are popular with gamers due to being optimized for high-performance gaming. The vulnerabilities are in the drivers and software...
Hardcoded Password Vulnerability in Zyxel Devices Being Actively Exploited
Cybercriminals have started exploiting the hardcoded credential vulnerability (CVE-2020-29583) in Zyxel networking products that was announced by Zyxel on December 23, 2020. The vulnerability, identified by Niels Teusink of the Dutch cybersecurity firm EYE, affects around 100,000 Zyxel devices, including its firewalls, AP controllers and VPN gateways. The flaw was assigned a CVSS V3 score of 7.8 out of 10 (High severity). Teusink...
Ransomware Attacks on Healthcare Organizations Continue to Rise with Ryuk the Biggest Threat
Cyberattacks on healthcare organizations have continued to increase over the past two months, according to research conducted by cybersecurity firm Check Point, and ransomware is now the biggest malware threat. In October, a joint security advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) warning the...
Hidden Backdoor Identified in Zyxel Firewalls and AP Controllers
A security researcher has identified a hidden backdoor in Zyxel firewalls and AP controllers, caused by the use of hardcoded administrative credentials for an account that was intended to be used to automatically update the firmware on the devices. More than 100,000 Zyxel devices are affected worldwide. The hard coded credentials mean hackers could perform malicious firmware updates, and could change the firewall settings to...
FinCEN Advises Financial Institutions to be Alert to COVID-19 Vaccine-Related Scams and Cyberattacks
The Financial Crimes Enforcement Network (FinCEN) has issued a warning to financial institutions that ransomware gangs are actively targeting organizations involved in vaccine research. Financial institutions have been advised to be on high alert due to the considerable potential for fraud and criminal activity related to COVID-19 vaccines and their distribution. Nation state threat groups and cybercriminal organizations are taking...
CISA and CrowdStrike Release Free Azure/O365 Analysis Tools to Identify Malicious Activity
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a PowerShell-based tool for detecting unusual and potentially malicious activity in Azure/Office 365 environments. The tool can be downloaded free of charge and used by incident response teams to identify the identity- and authentication-based attacks that have been observed in multiple sectors in the wake of the SolarWinds...
Lazarus Group Targeting COVID-19 Research and Vaccine Data
Kaspersky has confirmed the Lazarus Advanced Persistent Threat (APT) group has conducted two cyberattacks on entities involved in COVID-19 vaccine research. The cyberattacks occurred in the fall of 2020, with the APT group using different tactics techniques and procedures (TTPs) in each of the attacks. One attack was performed on October 27, 2020 on a government health ministry using a sophisticated malware known to Kaspersky as...
More Than 3 Million Chrome and Edge Users Have Malware-Infected Browser Extensions
Approximately 3 million users of Google Chrome and Microsoft Edge have been infected with malware that has been hidden in browser extensions, according to a new report from antivirus company Avast. At least 28 JavaScript-based Chrome and Edge extensions for Instagram, Facebook, Vimeo and others have had malicious code added, which is used to steal personal data and redirect users to adverts and phishing websites. The malicious code...
Microsoft and the U.S. Nuclear Agency Confirmed as Victims of SolarWinds Hack
The number of confirmed victims of the SolarWinds hack is growing. Microsoft has confirmed it was hacked, although its software was not apparently compromised. Reuters had reported that after compromising Microsoft, the hackers had modified its software to distribute malicious files to its clients. Microsoft issued a statement claiming the Reuters article was incorrect and while SolarWinds binaries were found in its environment, they...
Contact Form 7 Vulnerability Places 5 Million WordPress Sites at Risk of Takeover
A critical vulnerability has been identified in the popular WordPress plugin, Contact Form 7, which has been installed on approximately 5 million websites. The vulnerability, tracked as CVE-2020-35489, is easy to exploit and can be exploited remotely without the attacker having to authenticate on a vulnerable website. The vulnerability is classed as an unrestricted file upload bug, according to Astra Security Research, which...
Researchers Find More than 45 Million Medical Images Stored on Unprotected Servers
More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without usernames or passwords. The medical images include metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes. The unprotected images, which include MRIs, CT scans, and X-Rays were found by researchers at the CyberAngel Analyst Team, who...
SolarWinds Supply Chain Attack Impacts up to 18,000 Customers
Hackers successfully compromised the SolarWinds Orion software solution and incorporated a backdoor dubbed SUNBURST that has been downloaded by up to 18,000 of its customers, including many large enterprises and government agencies. SolarWinds Orion is a software solution used by large enterprises and government agencies to manage their IT networks and IT infrastructure. The software is used by all five branches of the U.S. military,...
K-12 Schools Warned About Cyber Actors Targeting Distance Learning Education
The U.S. Cybersecurity and infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to K-12 schools warning that cyber actors are conducting targeted attacks on distance learning education. Cyber actors are attempting to disrupt distance learning services, gain access to sensitive data, and conduct ransomware...
Spear Phishing Campaign Spoofing Microsoft.Com Sees Emails Delivered to Office 365 Inboxes
Researchers at Israeli cybersecurity firm Ironscales have identified a spear phishing campaign targeting Office 365 users that spoofs the Microsoft.com domain. Several thousand Office 365 mailboxes are known to have been targeted, with around 100 customers of Ironscales having been sent the phishing emails. Those customers span several industry sectors including healthcare, insurance, telecom, manufacturing, and financial services....
FireEye Discloses Data Breach and Confirms Theft of Red Team Tools
The U.S. cybersecurity firm FireEye has announced a sophisticated threat actor has successfully hacked into its systems and stole Red Team assessment tools that the company uses to test the security of its customers’ systems. The stolen tools mimic those used by many cyber threat actors to gain access to organizations’ systems. Cyberattacks on cybersecurity companies are relatively rare, but they do occur, with Trend Micro, Avast, and...
Kubernetes Bug Allows Traffic from Other Pods in Multi-Tenant Clusters to be Intercepted
A Kubernetes vulnerability has been identified that could allow an attacker to intercept traffic from other pods in multi-tenant Kubernetes clusters. The vulnerability, discovered by Etienne Champetier of Anevia, can be exploited remotely in a man-in-the-middle attack by an individual with basic tenant permissions, without any user involvement required. If an attacker has permissions to create and update services and pods, they could...
Foreign APT Groups Targeting Think Tanks, Warns CISA/FBI
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about ongoing cyberattacks on think tanks by foreign Advanced Persistent Threat (APT) groups. The purpose of the attacks is to gain persistent access to victim networks for espionage purposes. This is achieved through phishing attacks to gain access to user credentials and by exploiting vulnerabilities in...
BEC Scammers Using Auto-Forwarding Rules in Web-Based Email Clients to Prevent Detection
Cybercriminals have been using auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise (BEC) scams, according to a recently issued TLP: WHITE Joint Private Industry Notification from the Federal Bureau of Investigation (FBI). Business email compromise scams involve gaining access to a corporate email account and using that account to send emails to other individuals in the...
Cyberbiological Attack Could Fool Scientists into Creating and Using Dangerous DNA
A new, theoretical cyberattack has been described by a team of researchers at Ben-Gurion University (BGU) in Israel that could be used in a devastating biological attack. Every year, commercial DNA synthesizers create billions of nucleotides, which are sold to customers and generate billions of dollars in sales. There is growing concern that a cyberattack could be conducted to interfere with the synthetic DNA orders. Just as in a...
Cyberattacks Increased During the Pandemic as Enterprises Struggled with Security with a Remote Workforce
A recent study conducted by the California based endpoint security and systems management company Tanium suggests enterprises have struggled with security during the pandemic and have experienced an increase in cyberattacks. Tanium commissioned a Censuswide survey of 1,000 CXOs and vice presents at enterprise and government organizations in the United States, United Kingdom, France and Germany in June 2020 to explore how they coped...
Egregor Ransomware Vying to Become the Top Ransomware Threat
The Maze ransomware gang may have shut down its operation, but there is now a new ransomware variant that is vying to take its place as one of the biggest ransomware threats. Egregor ransomware first appeared in September 2020, claiming 15 victims in the month, followed by attacks on the US bookseller, Barnes & Noble, and the French and German video game developers, Ubisoft and Crytek. Since then, the number of attacks using...
Patch MobileIron Vulnerability Immediately, Warns NCSC
The UK National Cyber Security Centre (NCSC) has issued an alert that confirms Advanced Persistent Threat (APT) groups and cybercriminals are currently exploiting the MobileIron remote code execution vulnerability, CVE-2020-1550 to compromise the networks of UK companies. Attacks have been conducted on local government, healthcare organizations, and companies in the logistics and legal sectors, and there have been several cases where...
Warning Issued After Discovery of Scores of Spoofed FBI Websites
Scores of domains have been identified which spoof official Federal Bureau of Investigation (FBI) websites, prompting the FBI’s Internet Crime Complaint Center to issue a warning. While the intentions of the individuals who registered the domains is not known, it is strongly suspected that the domains were intended for use in future phishing or malware distribution campaigns. The domains could be used to register email accounts that...
FBI Issues Warning Following Increase in Ragnar Locker Ransomware Activity
A recent increase in Ragnar Locker ransomware activity has prompted the Federal Bureau of Investigation (FBI) to issue a warning to private industry partners. The alert provides information to help system administrators and security professionals protect against attacks. Ragnar Locker is a relatively new ransomware strain, first identified in April 2020. The ransomware variant was used in an attack by unknown threat actors on a large,...
Facebook Fixes Messenger Bug That Allows Audio to be Transmitted Without a User’s Permission
A critical flaw in the Facebook Messenger messaging app for Android which allowed callers to listen to users’ surroundings without permission has been fixed by Facebook. The bug allowed callers to eavesdrop on the person they were calling before the call was answered. In order to exploit the flaw, a caller would need to send a type of message known as SdpUpdate to the person they were calling, which would allow them to connect to the...
Malsmoke Campaign Delivers ZLoader Malware via Popups on High Traffic Adult Websites
A malware distribution campaign identified by security researchers at Malwarebytes is now distributing a ZLoader malware variant via popups on popular adult websites. The campaign – named Malsmoke by Malwarebytes – has been active since at least August 2020. Initially, the threat actors were using exploit kits to deliver the Smoke Loader malware dropper; however, in October they changed tactics and switched to fake Java update...
Use of SSL Certificates in Malware and Phishing Attacks Up 260% in 2020
Abuse of SSL certificates in phishing and malware attacks has increased by 260% in the first 9 months of 2020, according to a new report from Zscaler. Zscaler analyzed more than 6.6 billion threats for the report and found a major rise in the use of encryption to hide attacks. Encryption was being used across the full attack cycle, according to the researchers, including the initial delivery of malware or malicious links to the...