Maze Ransomware now Uses Virtual Machines to Evade Endpoint Defenses
The operators of Maze ransomware have adopted a new tactic to evade endpoint security solutions. The gang has been observed encrypting computers from inside virtual machines, a tactic also used by the operators of Ragnar Locker ransomware. The new tactic was discovered by researchers at Sophos when responding to a ransomware attack on one of their customers. The Maze gang twice attempted to launch ransomware executables but were...
Ransomware Attack on Hospital Leads to the Death of a Patient
A ransomware attack on a German hospital that took critical systems out of action and forced the cancellation of appointments and the temporary closure of its emergency department has led to the death of a patient. On or before September 10, 2020, Düsseldorf University Clinic was attacked with ransomware. The file encryption caused systems to crash and prevented patient information from being accessed. The extent of the encryption and...
Billions of Devices Vulnerable to ‘BLESA’ Bluetooth Spoofing Vulnerability
A vulnerability has been discovered in the Bluetooth Low Energy (BLE) reconnection process that could be exploited by an attacker to bypass the reconnection authentication requirements and send spoofed data to a device. The BLE protocol is a slimline version of standard Bluetooth that was developed to keep Bluetooth connections active while conserving battery power. Due to the low power requirements, BLE has proven popular with...
Hacking Group Observed Installing Weave Scope Tool to Gain Visibility and Control of Business Cloud Environments
The threat detection and response firm Intezer has observed a hacking group using the Weave Scope visualization and monitoring tool to gain visibility into and take control of compromised Docker and Kubernetes cloud environments. The hacking group, referred to as TeamTNT by Intezer, is known to target Docker and Kubernetes systems and has been observed using a credential-stealing worm to discover and exfiltrate AWS login credentials....
Adobe Patches 12 Critical Flaws in Experience Manager, InDesign, and Framemaker
Adobe has released patches to correct 18 flaws on September 2020 Patch Tuesday. The flaws exist in Adobe Experience Manager, Adobe InDesign, and Adobe Framemaker. 12 of the vulnerabilities have been rated critical, with the rest rated important. 5 patches have been released to correct critical cross-site scripting vulnerabilities in Adobe Experience Manager (CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and...
September 2020 Patch Tuesday: Microsoft Fixes 129 Vulnerabilities; 20 Critical
Microsoft has issued patches to correct 129 vulnerabilities on September 2020 Patch Tuesday, 32 of which are remote code execution vulnerabilities and 20 have been rated critical. The vulnerabilities are spread across 15 products. While there is a large number of critical vulnerabilities in this month’s round of updates, none of the vulnerabilities are currently being exploited in the wild, although exploits for some of the flaws are...
Microsoft Will End Support for Adobe Flash Player on January 1, 2020
Microsoft has announced that web browser support for Adobe Flash Player will end on January 1, 2021. Adobe Flash Player will no longer be distributed or updated from December 31, 2020. The Security Update for Adobe Flash Player, which is usually released on Patch Tuesday every month for Microsoft Edge and Internet Explorer will end after December 2020. “Beginning in January 2021, Adobe Flash Player will be disabled by default...
New Cryptocurrency Stealing KryptoCibule Malware Family Identified
For the past two years, a cryptocurrency-stealing malware named KryptoCibule has been used to mine cryptocurrency on victims’ machines, steal cryptocurrency wallets, and hijack transactions. Malware targeting cryptocurrency tends to either involve mining cryptocurrency or stealing wallets/hijacking transactions. This malware does all three and also plants a backdoor into victim’s devices, allowing them to be remotely accessed....
Phishing Campaign Offering PPE Delivers Agent Tesla RAT
Researchers at Area 1 Security have identified a phishing scam that spoofs legitimate chemical companies, exporters and importers to deliver the Agent Tesla Remote Access Trojan (RAT). The phishing emails offer the recipient personal protective equipment (PPE) such as forehead temperature thermometers, disposable face masks, and other medical supplies that have been in short supply. The emails claim that the company has started mass...
New Version of Qbot Trojan Can Hijack Email Threads
Check Point researchers have identified a new version of the Qbot Trojan, a malware threat that first appeared 12 years ago. Qbot is an information stealer that attempts to steal banking information, credit card numbers, passwords, cookies, and emails. It is also known to download other malware variants, including ransomware. Remote connections can also be made with infected devices to make bank transactions from the victim’s IP...
New “FritzFrog” P2P Botnet Targeting SSH Servers of Banks, Medical Centers, Government Offices and Universities
A new, sophisticated, and stealthy peer-to-peer (P2P) botnet named FritzFrog has been discovered which is being used to target SSH servers. The botnet was identified and analyzed by security researchers at Guardicore Labs who report that the botnet has been active since at least January 2020 and has been used in targeted attacks on government offices, medical centers, banks, telecoms companies, and education institutions, and finance...
Microsoft Releases Out of Band Update for Windows 8.1, RT 8.1, and Windows Server 2012 R2
Microsoft has released an out of band update for Windows 8.1, RT 8.1, and Windows Server 2012 R2 to fix two privilege escalation flaws in the Windows Remote Access service. The two flaws – tracked as CVE-2020-1530 and CVE-2020-1537 – affect all supported versions of Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 and are due to improper handling of memory. In order to exploit the flaws, an attacker would need to have...
Patch Critical Citrix Endpoint Management (XenMobile Servers) Vulnerabilities Now
Five vulnerabilities, including two critical flaws, have been identified in Citrix Endpoint Management (CEM) – also known as XenMobile Server – which is used by businesses to manage employees’ mobile devices and applications, apply updates, and manage security settings. The critical flaws – tracked as CVE-2020-8208 and CVE-2020-8209 – could be exploited remotely and would allow an unauthenticated individual to access domain...
Popular Keylogger and Info Stealer Now Steals Credentials from Browsers and VPNs
Agent Tesla malware has received an update. The information stealer and keylogger can now steal passwords from browsers, VPN clients, FTP and email clients. Agent Tesla is a .Net-based remote access Trojan (RAT) that first appeared in 2014. The malware is offered for sale on hacking forums and darknet marketplaces and has proven to be a popular choice with low-level hackers and BEC scammers. The malware can be used in various stages...
Microsoft Fixes 120 Vulnerabilities on August 2020 Patch Tuesday, Including 17 Critical Flaws
August 2020 Patch Tuesday has seen Microsoft release 120 patches covering 13 products and a Servicing Stack Update for Windows 10 advisory. 17 of the vulnerabilities are rated critical, including 2 zero days, and 103 have been rated important. The two zero days are being actively exploited and an exploit for one of those flaws has been released publicly, so it is important for the security updates to be applied as soon as possible....
Adobe Fixes 26 Vulnerabilities Including 11 Critical Flaws
Adobe has released patches to address 26 vulnerabilities in Adobe Acrobat and Adobe Reader, including 11 flaws that have been rated critical. The critical flaws could be exploited to bypass security controls, with 9 of the critical flaws allowing the remote execution of arbitrary code. The remote code execution vulnerabilities are a mix of out-of-bounds write vulnerabilities (CVE-2020-9693 and CVE-2020-9694), use-after-free...
INTERPOL Report Shows Major Increase in Cyberattacks During the COVID-19 Pandemic
INTERPOL has completed an assessment of the impact of COVID-19 on cybercrime and has found a major increase in attacks during the pandemic, with cybercriminals shifting their focus from targeting individuals and small businesses to attacking large corporations, critical infrastructure, and government agencies. With many countries implementing lockdowns to curb COVID-19 infections, businesses have been forced into allowing virtually of...
Online Shopping Scams Have Soared During the COVID-19 Pandemic
There has been a major increase in online shopping scams during the COVID-19 pandemic, according to a recent public service announcement by the FBI. Reports to the FBI’s Internet Crime Complaint Center (IC3) from victims of online shopping scams have soared in recent months. Many of the reports concern orders from websites where the goods are not received or where different items to those ordered were sent. Victims of these scams were...
FBI Issues Flash Alert Warning of Netwalker Ransomware Attacks
The FBI has issued a Flash Alert following an increase in Netwalker ransomware attacks in the United States. Netwalker ransomware was first identified in March 2020 and was used in an attack on the Australian transportation and logistics company Toll Group. Attacks have also been conducted on an Illinois public health department, a Maryland operator of assisted living facilities, and the University of California, San Francisco. The...
Vulnerability in Cisco’s Network Security Products Being Actively Exploited
A high severity flaw in Cisco’s network security products is now being actively exploited. The vulnerability is present in the Cisco products used by many large enterprises and Fortune 500 firms and allows a remote attacker to gain access to sensitive data. The vulnerability is tracked as CVE-2020-3452 and was assigned a CVSS v3 base score of 7.5 out of 10. The flaw is present in the web services interface of Cisco’s Firepower Threat...
Critical Vulnerability in F5 Networks BIG-IP Devices Exploited in Real-World Attacks
On Friday, July 24, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers have started exploiting the CVE-2020-5902 vulnerability in F5 Networks BIG-IP devices. F5 BIG-IP devices are used for load balancing and generally sit between the firewall and a web application. They are used by many Fortune 500 companies, large enterprises, and government agencies and are an attractive target for hackers....
Out of Band Update Corrects 12 Critical Flaws in Adobe Photoshop, Prelude and Bridge
Adobe has issued an out of band update to correct 12 critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge, and an information disclosure vulnerability in Adobe Reader Mobile for Android. The critical flaws could all lead to remote code execution on Windows machines in the context of the current user. The impact of the flaws will be limited for standard Windows users, although exploits for the vulnerabilities...
17-Year Old Critical Wormable DNS Bug Patched by Microsoft
Microsoft has released a patch for a critical, wormable flaw in Microsoft’s Windows DNS Server that dates back to 2003. The vulnerability, tracked as CVE-2020-1350, was identified by security researchers at Check Point who named it SIGRed. Virtually all businesses will be running DNS with Active Directory and will be affected. Given the number of businesses affected, the ease of exploitation, and how the flaw could be exploited to...
Maximum Severity Flaw in SAP Could Allow Full Takeover of Enterprise System
The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency has issued an alert about a critical vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. The flaw, tracked as CVE-2020-6287, can be exploited through HTTP and would allow an attacker to take full control of vulnerable SAP applications. The flaw was discovered by researchers at Onapsis who named...
Zoom Fixes Zero-Day Legacy Windows RCE Flaw
A zero-day vulnerability in the Zoom Windows client that could potentially allow remote code execution has now been patched by Zoom. The flaw only affected users running Windows 7 or earlier Windows versions. Later Windows versions were unaffected. Last week, Acros Security announced in a blog post that a zero-day vulnerability had been discovered, and Zoom was notified around the same time. Details about the flaw were not publicly...
Purple Fox Trojan Developers Create Their Own Exploit Kit and Add Two New Microsoft Exploits
The developers of the Purple Fox Trojan/rootkit have created their own exploit kit to distribute their malware and have recently added exploits for two recently patched Microsoft vulnerabilities, according to cybersecurity firm Proofpoint. The first exploit is for the high severity elevation of privilege vulnerability in the Win32k component of Windows, which was patched by Microsoft on October Patch Tuesday 2019. The second exploit...
Critical Vulnerabilities Identified in Apache Guacamole Remote Access System
Security researchers have discovered multiple vulnerabilities in the Apache Guacamole remote access system used by thousands of companies to support home workers. Apache Guacamole is a clientless remote desktop gateway that allows remote workers to access their corporate computers or virtual desktops in the cloud through a web browser. Apache Guacamole supports standard protocols such as VNC, SSH, RDP. The Guacamole server uses one of...
Microsoft Releases Out of Band Fixes for Two Serious Flaw in the Windows Codecs Library
Microsoft has released an out of band update to correct two serious vulnerabilities in the Windows Codecs library, which, if exploited, could allow remote code execution. The operating system uses the built-in Windows Codecs library to handle multimedia content such as photos and videos and handles how large multimedia files are compressed and decoded for playback within applications. The flaws are both concerned with how the Windows...
Warning Issued Over Maximum Severity Vulnerability in Palo Alto Networks Products
U.S. Cyber Command has issued a warning about a maximum severity vulnerability in the Palo Alto Networks’ operating system. While the flaw is not currently being exploited in the wild, it will be. Advanced persistent threat actors are expected to attempt to exploit the flaw so prompt patching is essential. The severity of this flaw should not be underestimated. The vulnerability, tracked as CVE-2020-2021, is an authentication bypass...
ESET Reports Doubling of Brute Force Attacks on Remote Desktop Services During the COVID-19 Pandemic
Cybersecurity firm ESET has analyzed its telemetry data and found there has been a major increase in brute force attacks on remote desktop services during the COVID-19 pandemic. There was a steady increase in attacks between December 1, 2019 and May 1, 2020, rising from around 30,000 brute force attacks a day in early December to around 60,000 daily attacks by the end of the month. Then followed a slight decline, before a sharp rise...
REvil Threat Group Starts Using New WastedLocker Ransomware
The Evil Corp Threat Group that was behind the Dridex banking Trojan and BitPaymer ransomware has started using a new ransomware variant in targeted attacks on enterprises. Wastedlocker is a brand-new ransomware variant that has already been used in attacks on around a dozen enterprises. Victims have been issued with ransom demands ranging from $500,000 to more than $1 million. WastedLocker ransomware was first detected by NCC Group’s...
Newly Discovered Self-Propagating Lucifer Malware Capable of Cryptojacking and DDoS Attacks
Palo Alto Networks’ Unit 42 researchers have identified a new Windows malware dubbed ‘Lucifer’ that drops the XMRig cryptocurrency miner, has Distributed Denial of Service (DDoS) capabilities, and can self-propagate. The malware was named by the author Satan DDoS, but was renamed Lucifer by the Unit 42 researchers so as not to confuse it with Satan ransomware. The Unit 42 team discovered the malware after identifying several new...
Ripple20: Critical Vulnerabilities in Treck TCP/IP Stack Affect Hundreds of Millions of Devices
A set of 19 vulnerabilities have been identified in the TCP/IP software library developed by Cincinnati-based Treck Inc., a developer of real-time embedded internet protocols for technology firms. The vulnerabilities were discovered by the Israeli cybersecurity firm JSOF and have been named Ripple20. Treck is a fairly low-profile company that develops low-level internet protocols, which are incorporated into a wide range of devices. A...
Adobe Out-of-Band Update Fixes 18 Critical Vulnerabilities
Adobe has issued an out-of-band update correcting 18 critical flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, Campaign, and Audition. All 18 flaws allow remote execution of arbitrary code. The updates were released on Tuesday June 16, 2020. Adobe says it is unaware of any public exploits for the vulnerabilities, but users of the above products are strongly advised to update to the latest version of the software...
6 Vulnerabilities Identified in D-Link DIR-865L Cloud Wireless Routers
Security researchers at Palo Alto Network’s Unit 42 team have identified 6 vulnerabilities in the D-Link DIR-865L series of cloud wireless routers, one of which has been rated critical and the remaining 5 are rated high severity. The D-Link DIR-865L series of routers reached end of life in February 2016; however, many are still in use and are vulnerable to attack. After being notified about the flaws, D-Link warned customers that as...
Fake COVID-19 Contact Tracing Apps Used to Install Malware
Contact tracing and exposure notification apps are being developed in several countries to help control outbreaks of COVID-19. The apps have already been used in several countries and have been shown to help contain local outbreaks and prevent a second major peak of infections. Recent research conducted by the cybersecurity firm Anomali has revealed threat actors have developed fake contact tracing and exposure notification apps which...
Microsoft Breaks Patch Tuesday Record with Fixes for 129 Vulnerabilities
For the fourth successive month, Microsoft Patch Tuesday has seen more than 100 CVEs patched and June 2020 Patch Tuesday contains the biggest round of updates ever issued. Microsoft has released updates to correct 129 vulnerabilities. That breaks the record set in March when patches were released to correct 115 vulnerabilities. This month’s update includes patches for 11 critical vulnerabilities, although none are currently being...
PoC Exploit for SMBGhost Windows 10 RCE Flaw Released and Attacks Identified
The SMBGhost vulnerability in Windows 10 that was patched by Microsoft in March 2020 is being actively exploited in the wild, according to a recent alert from the Department of Homeland Security Cybersecurity Infrastructure and Security Agency (CISA). The vulnerability, tracked as CVE-2020-0796, is a critical wormable vulnerability that’s as bad as it gets. The flaw was assigned a CVSSv3 score of 10 out of 10, with Microsoft...
Tycoon Ransomware Uses Rare Java Image File Format to Evade Security Solutions
Researchers at Blackberry Threat intelligence and KPMG have identified a new Java-based ransomware dubbed Tycoon that is being used in highly targeted attacks on educational institutions and small- to medium sized companies. The ransomware is manually deployed after the attackers gain access to their target’s networks, most commonly by attacking vulnerable internet-exposed RDP servers. The ransomware has been in use for at least 6...
TrickBot Trojan Operators Delivering New BazarBackdoor Malware via Phishing Campaign
The TrickBot Trojan operators are distributing a new backdoor named BazarBackdoor in targeted phishing attacks on businesses. BazarBackdoor is a stealthy backdoor that gives the attackers full access to corporate networks. The malware is being distributed via spear phishing emails that are well written and convincing. Several different lures are used in the campaign including employee termination lists, customer complaints, and...
Updated Valek Malware Used in Targeted Attacks on U.S and German Enterprises
Enterprises in the United States and Germany are being targeted in a phishing campaign spreading Valek malware, according to researchers at Cybereason Nocturnus. Valek is a popular malware loader that was first identified in 2019. Valek has previously been distributed in phishing campaigns to deliver banking Trojans such as Ursnif and IcedID. Valek is active development and new versions are frequently released. According to a recent...
StrandHogg 2.0 Android Flaw Allows Hackers to Hijack Legitimate Apps
The Norwegian security researchers who identified the StrandHogg vulnerability in the Android platform have identified another vulnerability that is even more dangerous that the original. The vulnerability – tracked as CVE-2020-0096 – is a critical flaw that allows hackers to masquerade as virtually any legitimate app on a targeted device. The vulnerability is present on all versions of Android apart from the latest...
Turla Hacking Group Tweaks ComRAT Malware to Steal Antivirus Logs and Communicate via Gmail
One of the most advanced state-sponsored hacking groups in Russia – Turla – has tweaked its ComRAT malware to steal antivirus logs and communicate with the malware via Gmail. ComRAT malware was first used by Turla in 2007 and is one of the oldest malware variants used by the Turla Group. The malware was used in the attack on the Pentagon in 2008 and has been regularly updated over the past 13 years. The latest version of ComRAT was...
Ragnar Locker Ransomware Deploys Virtual Machine to Evade Security Software
A new tactic is being used by the threat actors behind Ragnar Locker ransomware that allows them to evade security measures on the host machine and ensure their ransomware payload is executed. Ragnar Locker ransomware was first detected in 2019 and has been used in several high profile attacks, including the attack on the Portuguese energy company, Energias de Portugal where they demanded payment of $10.9 million for the keys to...
Another Malware Variant Identified that Targets Air-Gapped Networks
In the past week, three cybersecurity firms have announced they have found malware variants that are being used to target air-gapped networks. First came the news that ESET had discovered Ramsay malware, followed by a report from Kaspersky Lab of a variant of COMpfun malware, named Reductor, that was also being used to steal data from air-gapped networks. Trend Micro has now announced that it has identified yet another a malware...
Ramsay Malware Designed to Steal Data from Air-Gapped Networks
A new malware toolkit has been discovered that appears to have been developed to steal sensitive data from air-gapped networks. Researchers at ESET have named the malware Ramsay and report it has a range of advanced features that allow it to keep under the radar and steal highly sensitive data from victims. One of the most effective ways of protecting sensitive data is to ensure that it is not saved on any device accessible through...
Prioritize Patching and Fix These Commonly Exploited Vulnerabilities
A joint alert has been issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to raise awareness about the most commonly exploited vulnerabilities to help organizations strengthen security and prevent attacks by sophisticated foreign threat actors. Patches should always be applied as soon as possible, but the number of patches now being...
Hacker Attacks More than 900,000 Vulnerable WordPress Sites in a Week
More than 900,000 WordPress websites have been attacked by a hacker over the space of about a week, according to a recent report from the cybersecurity company Defiant. The attacks were conducted using around 24,000 different IP addresses, but they are all believed to be the work of a single hacker as they were all attempting to insert the same malicious JavaScript backdoor into the websites. While the attacks have been ongoing for...
Malicious COVID-19 Domains Taken Down and New Blocklists Released
Cybercriminals have registered large numbers of COVID-19 themed domains which are being used for a variety of scams. Internet service providers are being ordered to take down the websites but given the sheer number of malicious websites that have been set up, that process is taking some time. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) has ordered internet service providers to take down 292 COVID-19 themed websites...
Easily Exploitable RCE Salt Vulnerabilities Discovered that Require Urgent Attention
Researchers at F-Secure have identified two high severity vulnerabilities in the SaltStack Python-based open source Salt project, which can allow remote code execution as root for a full takeover of vulnerable servers. F-Secure believes the vulnerabilities are likely to be exploited in a matter of hours. Salt is a popular configuration tool that is used for datacenter and cloud server management to monitor the state of servers and...
Microsoft Offers Advice to Healthcare Organizations on Reducing Risk of Manual Ransomware Attacks
Ransomware attacks on healthcare organizations and others involved in the fight against COVID-19 are continuing. In many cases, the attackers gained access to systems many weeks or months previously and have timed the deployment of the ransomware to cause maximum disruption when COVID-19 cases are about to peak to increase the probability of ransoms being paid. Microsoft has recently reported that there have been dozens of ransomware...
Sophos Discovers and Patches Actively Exploited Flaw in its XG Firewall
Sophos has released a patch for a zero-day vulnerability in its XG Firewall which has been exploited in attacks to deliver malware. The flaw was discovered by Sophos on April 22, when an anomalous field value was discovered in the management interface of the Firewall. The investigation uncovered a previously unknown SQL injection vulnerability that had been exploited on some virtual and physical firewalls. Sophos reports that several...
Actively Exploited Zero-Day Flaws Identified in iOS Mail Application
Two critical zero-day vulnerabilities have been identified in the iOS Mail application that have been exploited by threat actors in attacks on high profile targets since at least January 2018. The flaws were identified by the cybersecurity firm ZecOps which traced the flaws back to iOS 6, which was released by Apple in 2012, but it is possible that the flaws were introduced in an earlier Mail app version. The vulnerabilities have been...
Four Zero Day Vulnerabilities in IBM Data Risk Manager Have Been Publicly Disclosed
Four zero-day vulnerabilities have been identified in IBM Data Risk Manager (IDRM) which could allow the downloading of arbitrary files and, if chained together, remote code execution. The security researcher who discovered the vulnerabilities, Pedro Ribeiro, Director of Research at Agile Information Security, released details of the flaws on GitHub after IBM refused to acknowledge the vulnerabilities, which were responsibly disclosed...
Two Zoom Zero-Day Vulnerabilities Being Offered for Sale for $500,000
Two zero-day flaws in the Zoom videoconferencing platform have allegedly been discovered by hackers who are now offering them for sale. The hackers claim the flaws can be exploited to gain access to both the Windows and MacOS Zoom clients. Use of the Zoom teleconferencing solution has soared during the COVID-19 crisis, with personal and business users turning to the platform to maintain contact with friends, family, and the office...
Zoom Installers are Being Bundled with Malware
The sheer number of people now working from home to maintain social distancing during the coronavirus lockdown has resulted in huge interest in teleconferencing platforms such as Zoom. Despite the recent Zoom security concerns and privacy issues, Zoom remains one of the most popular teleconferencing platforms. Businesses are using the platform to ensure remote workers can maintain contact with the office, and consumers have started...
Lokibot Information Stealer Distributed in Spear Phishing ampaign Impersonating WHO
Researchers at Fortinet’s FortiGuard Labs have identified a new spear phishing campaign that impersonates the World Health Organization (WHO) to distribute the LokiBot information stealer. The emails incorporate the WHO logo and claim to offer important advice about COVID-19 infection control and give recommendations. The email states that the information in the email attachment is intended to address misinformation about the 2019...
Beware of New Coronavirus Wiper Malware
A new wiper malware has been detected that uses a similar method to the 2017 NotPetya wiper malware to trash computers by overwriting the Master Boot Record (MBR) to render computers useless. Named Coronavirus, this wiper malware is being used purely for the purpose of sabotage. The malware variant was analyzed by researchers at SonicWall Capture Labs Threat Research. The researchers report that the malware variant is not as...
Zoom Security Concerns Mount as New Flaws Identified
The 2019 Novel Coronavirus pandemic has forced many employees into telecommuting with them maintaining contact with the office through videoconferencing apps such as Zoom. Zoom has proven to be one of the most popular choices during the COVID-19 crisis, registering a 535% increase in traffic in the past month, but the number of Zoom security concerns have been mounting. Zoom Security Concerns are Mounting Zoom security concerns have...
Micropatch Released for Actively Exploited Windows Font Processing Vulnerabilities
Library were being actively exploited in the wild. The flaws concern how type 1 PostScript fonts are handled. The flaws can be exploited if a user is convinced to open a specially crafted document; however, it is also possible to exploit the flaws if a document is viewed in the Windows preview pane. The flaws affect Windows 10, Windows 8.1, Windows 7, Windows Server 2019, 2016, 2012, 2012 R2, 2008 and 2008 R2. Microsoft reports that...
Cybercriminals are Changing DNS Settings on Routers to Deliver Malware Through Fake Coronavirus Apps
A malware distribution campaign has been detected that uses malicious coronavirus apps to deliver the Oski information stealing Trojan. The campaign was detected by Bitdefender which reports that 1,193 individuals have been targeted in just a couple of days from March 18. Attempts have been made to shut down the malware repositories that are being used by the attackers, but it is probable that others will be set up to take their...
Hacked News Sites Used to Spread Malware Disguised as Google Chrome Update
If you visit a website and are advised that you need to update Google Chrome, do not download the update. A campaign has been identified that is using fake Google Chrome updates to trick web visitors into downloading and installing malware. The hacking group is targeting news websites and corporate sites running WordPress and injecting malicious JavaScript code that redirects visitors to landing pages on malicious websites that claim...
Database Containing Extensive Information of 200 Million Americans Exposed Online
A database on the Google Cloud platform containing 800 gigabytes of data and over 200 million user records has been misconfigured and was exposed online, according to researchers at CyberNews. The database contained a folder that included detailed information on around 200 million Americans, including full names, phone numbers, email addresses, dates of birth, credit ratings, home addresses, mortgaged property addresses, number of...
All Supported Windows Versions Affected by Two Actively Exploited Zero-Day RCE Flaws
Microsoft has issued a security advisory about two actively exploited zero-day flaws in Windows Adobe Type Manager Library. The critical remote code execution vulnerabilities affect all supported Windows desktop and server versions and Windows 7. If exploited, attackers would be able to take full control of vulnerable computers. The flaws are being exploited in limited targeted attacks. Microsoft is currently working on a patch to...
New Vulnerabilities Identified in Popular Password Managers
Password managers help you create complex and unique passwords for every application, service, and website but how secure are password managers? Could a password manager actually weaken security? According to a study conducted by researchers at the University of York, password managers are not totally secure. Vulnerabilities in password managers have been found that could potentially be exploited by cybercriminals to gain access to a...
WHO Director-General Impersonated in Spam Campaign Delivering HawkEye Keylogger and Malware Downloader
Another coronavirus-themed phishing campaign has been detected impersonating the World Health Organization (WHO), or more specifically, the Director-General of WHO, Dr. Tedros Adhanom Ghebreyesus. The campaign was identified by security researchers at IBM X-Force Threat Intelligence who report that several waves of spam have already been delivered. The threat actors behind the campaign are using spam emails to distribute a malware...
Adobe Releases Out-of-Band Patches for 29 Critical Vulnerabilities
Adobe usually releases its software updates on Patch Tuesday, the second Tuesday of the month, but no patches were released on March 10, but the round of updates has come a week later, with fixes issued for 41 vulnerabilities across 6 of its products. 29 critical flaws have been addressed and the remaining 11 patches address vulnerabilities that have been rated important. The six affected products are Adobe Genuine Integrity Service,...
100,000 Websites Impacted by WordPress Popup Builder Plugin Vulnerabilities
Two vulnerabilities have been identified in the popular WordPress plugin, Popup Builder, which is used on around 100,000 websites. The plugin was developed by Sygnoos to help website owners create and manage popups for marketing products and services to website visitors. The plugin includes the option of incorporating JavaScript code into popups, which runs when popups are loaded. Researchers at Defiant identified flaws that allow an...
Critical SMBv3 Vulnerability Leaked: Microsoft Patch and Mitigations
Update 03/12/20: Microsoft has updated its security advisory and released a patch for CVE-2020-0796 Windows 10 and Windows Server 1903 / Server 1909: Microsoft released patches for 155 vulnerabilities on March 2020 Patch Tuesday but there was one notable absence. A patch was not released for a critical Server Message Block (SMBv3) vulnerability, tracked as CVE-2020-0796. Both Fortinet and Cisco Talos published blogs summarizing the...
AMD CPUs Vulnerable to Two New Side Channel Attacks
All AMD processor manufactured between 2011 and 2019 are vulnerable to two new side channel attacks, according to researchers at Graz University of Technology, some of whom were responsible for identifying the Spectre and Meltdown vulnerabilities. In their paper, Take A Way: Exploring the Security Implications of AMD’s Cache Way Predictors, the researchers detail two side channel attacks that can be performed exploiting...
Microsoft Releases Patches for 115 Vulnerabilities Including 26 Critical Flaws
Microsoft released a record number of patches on March Patch Tuesday. 115 vulnerabilities have been patched across the entire product range, including 26 vulnerabilities that have been rated critical and 88 that have been rated important. None of the flaws in the March round of updates are believed to have been exploited in the wild and none have been made public prior to the patches being released. 17 of the critical flaws affect...
Microsoft Exchange RCE Vulnerability Being Actively Exploited in the Wild
A post-auth remote code execution vulnerability affecting all supported versions of Microsoft Exchange Server is now being exploited in the wild by multiple advanced persistent threat (APT) groups. The vulnerability, tracked as CVE-2020-0688, is present in the Exchange Control Panel (ECP) component of Microsoft Exchange Server and is the result of the failure to create unique cryptographic keys during installation. That means that all...
Several New Coronavirus-Themed Phishing Scams and Malspam Campaigns Detected
Further email campaigns have been detected that are using the novel coronavirus (COVID-19) outbreak as a lure to spread malware, phish for sensitive data, and fool people into making donations to fake charities. The World Health Organization has previously issued a warning that cybercriminals were using its logos in malicious email campaigns and those campaigns have continued. Campaigns have also been detected impersonating the...
TrickBot Trojan Gets Trickier with ActiveX Control to Automatically Run Malicious Macros
The TrickBot Trojan is now even trickier now that a Windows 10 ActiveX control has been incorporated to automatically run malicious macros in email Office attachments. Several documents have been intercepted in the past few days that abuse the Windows 10 ActiveX control. Malspam emails using this new delivery technique were intercepted by researchers at Morphisec Labs. The ActiveX control is used to execute an OSTAP JavaScript...
More than 480 Bluetooth Devices Affected by SweynTooth Vulnerabilities
12 vulnerabilities have been identified in Bluetooth Low Energy (BLE) software development kits (SDKs) from at least 7 manufacturers. The SDKs are used for system-on-a-chip (SoC) chipsets that are incorporated devices to support BLE communications. The flaws were discovered by researchers at the Singapore University of Technology and Design who collectively named them SweynTooth after Sweyn Forkbeard, the son of King Bluetooth, after...
More Than 1 Billion Devices Affected by Kr00k Wi-Fi Encryption Vulnerability
A vulnerability has been identified in Wi-Fi chips manufactured by Broadcom and Cypress which are used in more than a billion devices, according to a paper recently published by ESET. Smartphones, tablets, laptops, and IoT devices are all affected, including Apple iPhones, iPads, and MacBooks; Samsung Galaxy and Google Nexus smartphones; Amazon Echo and Kindle; Raspberry Pi3; Asus and Huawei access points and routers; and many IoT...
High Severity Flaw Patched in NVIDIA GPU Display Driver
NVIDIA has released security updates that correct flaws in the NVIDIA GPU Display Driver and NVIDIA VGPU Software. An updated GPU display driver has been released with a fix for two vulnerabilities, both of which reside in the NVIDIA Control Panel. One of the flaws is rated high severity flaw and could lead to local escalation of privileges and a denial of service condition on a vulnerable Windows device by corrupting a system file....
What is a DNS Filter?
In this post we explain what a DNS filter is, why DNS filtering is important for cybersecurity, and other advantages of DNS filtering, but first it is useful to explain what the DNS is and why it is essential to the correct functioning of the internet. What is the Domain Name System? The Domain Name System (DNS) is the brainchild of Paul Mockapetris. In 1983, Mockapetris and his team developed the DNS to support the growth of email...
Micropatch Available to Fix for CVE-2020-0674 Internet Explorer Flaw for Windows 10 1903 and 1909 Users
Enterprise users of Windows 10 v1903 and v1909 may have held off patching the CVE-2020-0674 vulnerability in Internet Explorer versions 9-11 due to the problems many have experienced with the temporary patch issued by Microsoft and issues with the buggy KB4532693 cumulative update. Fortunately, 0Patch has released a fix that can be applied as a temporary measure until a permanent solution is released by Microsoft that does not have...
Q4 2019 Threat Report Reveals Emotet Dominates Threat Landscape
The Q4, 2019 Threat Report from cybersecurity firm Proofpoint has confirmed Emotet was the biggest malware threat in 2019, accounting for 37% of all malicious payloads in 2019, even though for several months of 2019 Emotet was inactive. Emotet activity is up considerably from 2018, when it accounted for 28% of malicious payloads for the year. In Q4, 2019, Emotet accounted for 31% of all malicious payloads. Banking Trojans also proved...
LokiBot Trojan Masquerades as Epic Games Software Installer
Threat actors behind the LokiBot Trojan, an information stealer and a backdoor that gives attackers access to Windows systems, are using a new tactic to install their Trojan: Impersonation of a legitimate software installer used by EPIC Games, the gaming company behind the hugely popular free-to-play game Fortnite. LokiBot was first identified around 5 years ago and it is constantly tweaked and updated. LokiBot can steal sensitive...
99 Vulnerabilities Patched by Microsoft on February 2020 Patch Tuesday
February 2020 Patch Tuesday has seen Microsoft release patches for 99 vulnerabilities (and one advisory for Adobe Flash), making it one of the largest monthly patch releases in recent months. 12 of the patches correct critical vulnerabilities with the remainder all rated important. Four patches correct vulnerabilities that have previously been disclosed, one of which – CVE-2020-0674 – is an actively exploited vulnerability affecting...
Emotet Now Spreading by Hacking Nearby WiFi Networks
A new variant of Emotet spreads like a worm sending copies of itself to computers connected to WiFi networks within range of an infected device. This is the first time that this method of propagating the Emotet Trojan has been identified, but it would appear that it is not actually new and has been used for many months. The new Emotet capability was detected by researchers at Binary Defense on January 23, 2019. Their research...
Malware Campaign Delivers Package of Seven Malware Variants via BitBucket
Cybereason’s Nocturnus research team has identified a malware distribution campaign that aims to deliver multiple malware variants via the cloud storage platform BitBucket. The researchers believe more than 500,000 computers have already been infected, with hundreds more infections occurring every hour. Victims are infected with several malware variants including the Azorult backdoor and information stealer, STOP ransomware, the...
Vulnerable Citrix Servers Targeted by Ransomware Gangs
Multiple threat actors are conducting attacks on Citrix servers that have not had the patch applied to correct the CVE-2019-19781 vulnerability. The flaw affects the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two old versions of Citrix SD-WAN WANOP appliances and was announced on December 17, 2019. Exploits for the vulnerability first started to be published on January 11, 2020. A permanent fix was issued to...
Urgent Patching Required for Windows Server Flaws Now PoC Exploits Published
On January 2020 Patch Tuesday (01.14.2020) Microsoft released patches to address two vulnerabilities in Remote Desktop Gateway (RD Gateway) that affected Windows Server 2012, 2016, and 2019. The vulnerabilities have been collectively named BlueGate. Exploitation of the vulnerabilities could lead to remote code execution. Microsoft recommended prompt patching to correct the flaws and now the urgency has increased as several...
CISA Warns of Increase in Emotet Malware Activity
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over an increase in Emotet malware activity. The Emotet botnet sprung back to life on January 13, 2020 with largescale spamming campaigns detected spreading the Emotet Trojan. The Emotet Trojan is a modular malware that serves as a banking Trojan, information stealer, and malware downloader. The Trojan can move...
Cisco Patches Critical Vulnerability in Cisco Firepower Management Center
Cisco has issued hotfix patches for a critical vulnerability in its network security tool, Cisco Firepower Management Center (FMC). The flaw, tracked as CVE-2019-16028, is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external server. The flaw could be exploited by a remote attacker to bypass authentication and execute arbitrary actions on a vulnerable device with...
The Emotet Botnet is Back in Action Sending Spam with New Lures to Fool the Unwary
There was a welcome Christmas break from the Emotet botnet, but life has returned to normal and it is well and truly back in action. Millions of malspam emails are now being sent spreading the Emotet Trojan in more than 80 countries. The emails contain attachments that are used to install the information stealing Emotet Trojan. Since Emotet is itself a malware downloader, that may not be the only malicious payload that is deployed....
Critical Zero-Day Internet Explorer Vulnerability Exploited in the Wild
Microsoft has announced it is developing a patch for a zero-day Internet Explorer vulnerability that is currently being exploited in the wild. In the meantime, a workaround has been released which should be implemented as soon as possible to prevent exploitation of the vulnerability. The vulnerability is present in Internet Explorer 9, 10 and 11 when used on Windows 7, 8.1, and 10, as well as Windows Server 2012, 2016, and 2019. An...
January 2020 Patch Tuesday Sees Microsoft Patches 49 Vulnerabilities
January 2020 Patch Tuesday has seen Microsoft issue patches for 49 vulnerabilities including 7 rated critical, along with a fix for the Crypt32.dll vulnerability discovered and publicly disclosed by the U.S. National Security Agency. Microsoft has also issued its last round of updates for Windows 7, which reached end of life on January 14. None of the vulnerabilities in this month’s updates are being exploited in the wild and details...
NSA Issues Cybersecurity Advisory on Critical Flaw Affecting Windows 10 and Windows Server
The U.S. National Security Agency has taken the unusual step of publicly disclosing a vulnerability to a software vendor. This is the first time that such a disclosure has been attributed to the NSA. The vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Windows Server 2016 and 2019, and has been rated as critical by the NSA, but only important by Microsoft. When the NSA discovers vulnerabilities they are usually kept...
Critical Citrix Vulnerability Under Active Attack
A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway is being exploited in real world attacks. The vulnerability was discovered by security researcher Mikhail Klyuchnikov who reported it to Citrix, but more than a month after being notified about the flaw, a firmware upgrade has yet to be released for vulnerable Citrix appliances. The vulnerability, CVE-2019-19781, has been described by some...
Mozilla Patches Actively Exploited Zero Day Firefox Vulnerability
Mozilla has patched a critical zero-day vulnerability in the Firefox browser which is being actively exploited in the wild. The flaw – tracked as CVE-2019-17026 – is a type confusion vulnerability in the IonMonkey just-in-time (JIT) compiler for the Mozilla SpiderMonkey JavaScript engine with StoreElementHole and FallibleStoreElement. The flaw is present in the Firefox web browser for Windows, Linux, and Mac. The flaw is due to...
Landry’s Restaurant Chain Discovers POS Malware Infection
The popular U.S. restaurant chain Landry’s has discovered malware on the point of sale (POS) system used by 63 of the chain’s brands including Aquarium, Atlantic Grill, Bubba Gump Shrimp Co., Mitchell’s Steakhouse, Morton’s, and Rainforest Café. The malware potentially stole track data, which included card numbers, expiry dates, cardholder’s names, and verification codes. Landry’s said in its breach notification that it had installed...
Critical Flaw Affecting 80,000 Businesses Patched by Citrix
A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway has been patched by Citrix. If exploited, the vulnerability could allow an unauthenticated user to access a company’s applications and remotely execute arbitrary code on a company’s local network. The vulnerability – CVE-2019-19781 – affects all versions of the Citrix Application Delivery Controller and Citrix Gateway on all...
Campaign Identified Delivering Package of 6 Malware Variants
A malware distribution campaign has been detected by researchers at Deep Instinct which is delivering a package of 6 malware variants in one hit. The malware includes a backdoor, cryptojacker, cryptocurrency stealer, and information stealing Trojans. Deep Instinct has called the campaign Hornet’s Nest due to the sheer number of threats being delivered. The campaign starts with the delivery of a malware dropper dubbed Legion Loader,...
Preinstalled Acer and Asus Software Contains Privilege Escalation Flaws
SafeBreach has discovered vulnerabilities in software preinstalled on Acer and Asus laptops and computers which could be exploited by hackers to execute malicious payloads with elevated permissions using a signed service. The first flaw affects Acer Quick Access, a preinstalled application that has system-level privileges. Acer Quick Access allows users to modify USB charge settings, toggle wireless devices on and off, and change...
New Orleans Recovering from Ransomware Attack
On Friday December 13, 2019, the City of New Orleans suffered a cyberattack which forced it to shut down its servers while the incident was investigated. The attack was discovered around 5am on Friday when suspicious activity was detected on the network. The decision was taken to shut down its servers around 11am and employees were told to turn off their computers in an attempt to contain the attack. The City’s Emergency Operations...
Zeppelin Ransomware Used to Attack MSPs, Technology, and Healthcare Companies
Security researchers at Blackberry Cylance have identified a new variant of Buran ransomware which is being used in targeted attacks on technology and healthcare companies in Europe and the United States. The new ransomware variant was first detected on November 6, 2019. It is written in Delphi and is a member of the VegaLocker and Buran ransomware family. It is believed to be distributed under the ransomware-as-a-service model. The...