Critical Vulnerabilities Identified in Apache Guacamole Remote Access System
Security researchers have discovered multiple vulnerabilities in the Apache Guacamole remote access system used by thousands of companies to support home workers. Apache Guacamole is a clientless remote desktop gateway that allows remote workers to access their corporate computers or virtual desktops in the cloud through a web browser. Apache Guacamole supports standard protocols such as VNC, SSH, RDP. The Guacamole server uses one of...
Microsoft Releases Out of Band Fixes for Two Serious Flaw in the Windows Codecs Library
Microsoft has released an out of band update to correct two serious vulnerabilities in the Windows Codecs library, which, if exploited, could allow remote code execution. The operating system uses the built-in Windows Codecs library to handle multimedia content such as photos and videos and handles how large multimedia files are compressed and decoded for playback within applications. The flaws are both concerned with how the Windows...
Warning Issued Over Maximum Severity Vulnerability in Palo Alto Networks Products
U.S. Cyber Command has issued a warning about a maximum severity vulnerability in the Palo Alto Networks’ operating system. While the flaw is not currently being exploited in the wild, it will be. Advanced persistent threat actors are expected to attempt to exploit the flaw so prompt patching is essential. The severity of this flaw should not be underestimated. The vulnerability, tracked as CVE-2020-2021, is an authentication bypass...
ESET Reports Doubling of Brute Force Attacks on Remote Desktop Services During the COVID-19 Pandemic
Cybersecurity firm ESET has analyzed its telemetry data and found there has been a major increase in brute force attacks on remote desktop services during the COVID-19 pandemic. There was a steady increase in attacks between December 1, 2019 and May 1, 2020, rising from around 30,000 brute force attacks a day in early December to around 60,000 daily attacks by the end of the month. Then followed a slight decline, before a sharp rise...
REvil Threat Group Starts Using New WastedLocker Ransomware
The Evil Corp Threat Group that was behind the Dridex banking Trojan and BitPaymer ransomware has started using a new ransomware variant in targeted attacks on enterprises. Wastedlocker is a brand-new ransomware variant that has already been used in attacks on around a dozen enterprises. Victims have been issued with ransom demands ranging from $500,000 to more than $1 million. WastedLocker ransomware was first detected by NCC Group’s...
Newly Discovered Self-Propagating Lucifer Malware Capable of Cryptojacking and DDoS Attacks
Palo Alto Networks’ Unit 42 researchers have identified a new Windows malware dubbed ‘Lucifer’ that drops the XMRig cryptocurrency miner, has Distributed Denial of Service (DDoS) capabilities, and can self-propagate. The malware was named by the author Satan DDoS, but was renamed Lucifer by the Unit 42 researchers so as not to confuse it with Satan ransomware. The Unit 42 team discovered the malware after identifying several new...
Ripple20: Critical Vulnerabilities in Treck TCP/IP Stack Affect Hundreds of Millions of Devices
A set of 19 vulnerabilities have been identified in the TCP/IP software library developed by Cincinnati-based Treck Inc., a developer of real-time embedded internet protocols for technology firms. The vulnerabilities were discovered by the Israeli cybersecurity firm JSOF and have been named Ripple20. Treck is a fairly low-profile company that develops low-level internet protocols, which are incorporated into a wide range of devices. A...
Adobe Out-of-Band Update Fixes 18 Critical Vulnerabilities
Adobe has issued an out-of-band update correcting 18 critical flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, Campaign, and Audition. All 18 flaws allow remote execution of arbitrary code. The updates were released on Tuesday June 16, 2020. Adobe says it is unaware of any public exploits for the vulnerabilities, but users of the above products are strongly advised to update to the latest version of the software...
6 Vulnerabilities Identified in D-Link DIR-865L Cloud Wireless Routers
Security researchers at Palo Alto Network’s Unit 42 team have identified 6 vulnerabilities in the D-Link DIR-865L series of cloud wireless routers, one of which has been rated critical and the remaining 5 are rated high severity. The D-Link DIR-865L series of routers reached end of life in February 2016; however, many are still in use and are vulnerable to attack. After being notified about the flaws, D-Link warned customers that as...
Fake COVID-19 Contact Tracing Apps Used to Install Malware
Contact tracing and exposure notification apps are being developed in several countries to help control outbreaks of COVID-19. The apps have already been used in several countries and have been shown to help contain local outbreaks and prevent a second major peak of infections. Recent research conducted by the cybersecurity firm Anomali has revealed threat actors have developed fake contact tracing and exposure notification apps which...
Microsoft Breaks Patch Tuesday Record with Fixes for 129 Vulnerabilities
For the fourth successive month, Microsoft Patch Tuesday has seen more than 100 CVEs patched and June 2020 Patch Tuesday contains the biggest round of updates ever issued. Microsoft has released updates to correct 129 vulnerabilities. That breaks the record set in March when patches were released to correct 115 vulnerabilities. This month’s update includes patches for 11 critical vulnerabilities, although none are currently being...
PoC Exploit for SMBGhost Windows 10 RCE Flaw Released and Attacks Identified
The SMBGhost vulnerability in Windows 10 that was patched by Microsoft in March 2020 is being actively exploited in the wild, according to a recent alert from the Department of Homeland Security Cybersecurity Infrastructure and Security Agency (CISA). The vulnerability, tracked as CVE-2020-0796, is a critical wormable vulnerability that’s as bad as it gets. The flaw was assigned a CVSSv3 score of 10 out of 10, with Microsoft...
Tycoon Ransomware Uses Rare Java Image File Format to Evade Security Solutions
Researchers at Blackberry Threat intelligence and KPMG have identified a new Java-based ransomware dubbed Tycoon that is being used in highly targeted attacks on educational institutions and small- to medium sized companies. The ransomware is manually deployed after the attackers gain access to their target’s networks, most commonly by attacking vulnerable internet-exposed RDP servers. The ransomware has been in use for at least 6...
TrickBot Trojan Operators Delivering New BazarBackdoor Malware via Phishing Campaign
The TrickBot Trojan operators are distributing a new backdoor named BazarBackdoor in targeted phishing attacks on businesses. BazarBackdoor is a stealthy backdoor that gives the attackers full access to corporate networks. The malware is being distributed via spear phishing emails that are well written and convincing. Several different lures are used in the campaign including employee termination lists, customer complaints, and...
Updated Valek Malware Used in Targeted Attacks on U.S and German Enterprises
Enterprises in the United States and Germany are being targeted in a phishing campaign spreading Valek malware, according to researchers at Cybereason Nocturnus. Valek is a popular malware loader that was first identified in 2019. Valek has previously been distributed in phishing campaigns to deliver banking Trojans such as Ursnif and IcedID. Valek is active development and new versions are frequently released. According to a recent...
StrandHogg 2.0 Android Flaw Allows Hackers to Hijack Legitimate Apps
The Norwegian security researchers who identified the StrandHogg vulnerability in the Android platform have identified another vulnerability that is even more dangerous that the original. The vulnerability – tracked as CVE-2020-0096 – is a critical flaw that allows hackers to masquerade as virtually any legitimate app on a targeted device. The vulnerability is present on all versions of Android apart from the latest...
Turla Hacking Group Tweaks ComRAT Malware to Steal Antivirus Logs and Communicate via Gmail
One of the most advanced state-sponsored hacking groups in Russia – Turla – has tweaked its ComRAT malware to steal antivirus logs and communicate with the malware via Gmail. ComRAT malware was first used by Turla in 2007 and is one of the oldest malware variants used by the Turla Group. The malware was used in the attack on the Pentagon in 2008 and has been regularly updated over the past 13 years. The latest version of ComRAT was...
Ragnar Locker Ransomware Deploys Virtual Machine to Evade Security Software
A new tactic is being used by the threat actors behind Ragnar Locker ransomware that allows them to evade security measures on the host machine and ensure their ransomware payload is executed. Ragnar Locker ransomware was first detected in 2019 and has been used in several high profile attacks, including the attack on the Portuguese energy company, Energias de Portugal where they demanded payment of $10.9 million for the keys to...
Another Malware Variant Identified that Targets Air-Gapped Networks
In the past week, three cybersecurity firms have announced they have found malware variants that are being used to target air-gapped networks. First came the news that ESET had discovered Ramsay malware, followed by a report from Kaspersky Lab of a variant of COMpfun malware, named Reductor, that was also being used to steal data from air-gapped networks. Trend Micro has now announced that it has identified yet another a malware...
Ramsay Malware Designed to Steal Data from Air-Gapped Networks
A new malware toolkit has been discovered that appears to have been developed to steal sensitive data from air-gapped networks. Researchers at ESET have named the malware Ramsay and report it has a range of advanced features that allow it to keep under the radar and steal highly sensitive data from victims. One of the most effective ways of protecting sensitive data is to ensure that it is not saved on any device accessible through...
Prioritize Patching and Fix These Commonly Exploited Vulnerabilities
A joint alert has been issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to raise awareness about the most commonly exploited vulnerabilities to help organizations strengthen security and prevent attacks by sophisticated foreign threat actors. Patches should always be applied as soon as possible, but the number of patches now being...
Hacker Attacks More than 900,000 Vulnerable WordPress Sites in a Week
More than 900,000 WordPress websites have been attacked by a hacker over the space of about a week, according to a recent report from the cybersecurity company Defiant. The attacks were conducted using around 24,000 different IP addresses, but they are all believed to be the work of a single hacker as they were all attempting to insert the same malicious JavaScript backdoor into the websites. While the attacks have been ongoing for...
Malicious COVID-19 Domains Taken Down and New Blocklists Released
Cybercriminals have registered large numbers of COVID-19 themed domains which are being used for a variety of scams. Internet service providers are being ordered to take down the websites but given the sheer number of malicious websites that have been set up, that process is taking some time. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) has ordered internet service providers to take down 292 COVID-19 themed websites...
Easily Exploitable RCE Salt Vulnerabilities Discovered that Require Urgent Attention
Researchers at F-Secure have identified two high severity vulnerabilities in the SaltStack Python-based open source Salt project, which can allow remote code execution as root for a full takeover of vulnerable servers. F-Secure believes the vulnerabilities are likely to be exploited in a matter of hours. Salt is a popular configuration tool that is used for datacenter and cloud server management to monitor the state of servers and...
Microsoft Offers Advice to Healthcare Organizations on Reducing Risk of Manual Ransomware Attacks
Ransomware attacks on healthcare organizations and others involved in the fight against COVID-19 are continuing. In many cases, the attackers gained access to systems many weeks or months previously and have timed the deployment of the ransomware to cause maximum disruption when COVID-19 cases are about to peak to increase the probability of ransoms being paid. Microsoft has recently reported that there have been dozens of ransomware...
Sophos Discovers and Patches Actively Exploited Flaw in its XG Firewall
Sophos has released a patch for a zero-day vulnerability in its XG Firewall which has been exploited in attacks to deliver malware. The flaw was discovered by Sophos on April 22, when an anomalous field value was discovered in the management interface of the Firewall. The investigation uncovered a previously unknown SQL injection vulnerability that had been exploited on some virtual and physical firewalls. Sophos reports that several...
Actively Exploited Zero-Day Flaws Identified in iOS Mail Application
Two critical zero-day vulnerabilities have been identified in the iOS Mail application that have been exploited by threat actors in attacks on high profile targets since at least January 2018. The flaws were identified by the cybersecurity firm ZecOps which traced the flaws back to iOS 6, which was released by Apple in 2012, but it is possible that the flaws were introduced in an earlier Mail app version. The vulnerabilities have been...
Four Zero Day Vulnerabilities in IBM Data Risk Manager Have Been Publicly Disclosed
Four zero-day vulnerabilities have been identified in IBM Data Risk Manager (IDRM) which could allow the downloading of arbitrary files and, if chained together, remote code execution. The security researcher who discovered the vulnerabilities, Pedro Ribeiro, Director of Research at Agile Information Security, released details of the flaws on GitHub after IBM refused to acknowledge the vulnerabilities, which were responsibly disclosed...
Two Zoom Zero-Day Vulnerabilities Being Offered for Sale for $500,000
Two zero-day flaws in the Zoom videoconferencing platform have allegedly been discovered by hackers who are now offering them for sale. The hackers claim the flaws can be exploited to gain access to both the Windows and MacOS Zoom clients. Use of the Zoom teleconferencing solution has soared during the COVID-19 crisis, with personal and business users turning to the platform to maintain contact with friends, family, and the office...
Zoom Installers are Being Bundled with Malware
The sheer number of people now working from home to maintain social distancing during the coronavirus lockdown has resulted in huge interest in teleconferencing platforms such as Zoom. Despite the recent Zoom security concerns and privacy issues, Zoom remains one of the most popular teleconferencing platforms. Businesses are using the platform to ensure remote workers can maintain contact with the office, and consumers have started...
Lokibot Information Stealer Distributed in Spear Phishing ampaign Impersonating WHO
Researchers at Fortinet’s FortiGuard Labs have identified a new spear phishing campaign that impersonates the World Health Organization (WHO) to distribute the LokiBot information stealer. The emails incorporate the WHO logo and claim to offer important advice about COVID-19 infection control and give recommendations. The email states that the information in the email attachment is intended to address misinformation about the 2019...
Beware of New Coronavirus Wiper Malware
A new wiper malware has been detected that uses a similar method to the 2017 NotPetya wiper malware to trash computers by overwriting the Master Boot Record (MBR) to render computers useless. Named Coronavirus, this wiper malware is being used purely for the purpose of sabotage. The malware variant was analyzed by researchers at SonicWall Capture Labs Threat Research. The researchers report that the malware variant is not as...
Zoom Security Concerns Mount as New Flaws Identified
The 2019 Novel Coronavirus pandemic has forced many employees into telecommuting with them maintaining contact with the office through videoconferencing apps such as Zoom. Zoom has proven to be one of the most popular choices during the COVID-19 crisis, registering a 535% increase in traffic in the past month, but the number of Zoom security concerns have been mounting. Zoom Security Concerns are Mounting Zoom security concerns have...
Micropatch Released for Actively Exploited Windows Font Processing Vulnerabilities
Library were being actively exploited in the wild. The flaws concern how type 1 PostScript fonts are handled. The flaws can be exploited if a user is convinced to open a specially crafted document; however, it is also possible to exploit the flaws if a document is viewed in the Windows preview pane. The flaws affect Windows 10, Windows 8.1, Windows 7, Windows Server 2019, 2016, 2012, 2012 R2, 2008 and 2008 R2. Microsoft reports that...
Cybercriminals are Changing DNS Settings on Routers to Deliver Malware Through Fake Coronavirus Apps
A malware distribution campaign has been detected that uses malicious coronavirus apps to deliver the Oski information stealing Trojan. The campaign was detected by Bitdefender which reports that 1,193 individuals have been targeted in just a couple of days from March 18. Attempts have been made to shut down the malware repositories that are being used by the attackers, but it is probable that others will be set up to take their...
Hacked News Sites Used to Spread Malware Disguised as Google Chrome Update
If you visit a website and are advised that you need to update Google Chrome, do not download the update. A campaign has been identified that is using fake Google Chrome updates to trick web visitors into downloading and installing malware. The hacking group is targeting news websites and corporate sites running WordPress and injecting malicious JavaScript code that redirects visitors to landing pages on malicious websites that claim...
Database Containing Extensive Information of 200 Million Americans Exposed Online
A database on the Google Cloud platform containing 800 gigabytes of data and over 200 million user records has been misconfigured and was exposed online, according to researchers at CyberNews. The database contained a folder that included detailed information on around 200 million Americans, including full names, phone numbers, email addresses, dates of birth, credit ratings, home addresses, mortgaged property addresses, number of...
All Supported Windows Versions Affected by Two Actively Exploited Zero-Day RCE Flaws
Microsoft has issued a security advisory about two actively exploited zero-day flaws in Windows Adobe Type Manager Library. The critical remote code execution vulnerabilities affect all supported Windows desktop and server versions and Windows 7. If exploited, attackers would be able to take full control of vulnerable computers. The flaws are being exploited in limited targeted attacks. Microsoft is currently working on a patch to...
New Vulnerabilities Identified in Popular Password Managers
Password managers help you create complex and unique passwords for every application, service, and website but how secure are password managers? Could a password manager actually weaken security? According to a study conducted by researchers at the University of York, password managers are not totally secure. Vulnerabilities in password managers have been found that could potentially be exploited by cybercriminals to gain access to a...
WHO Director-General Impersonated in Spam Campaign Delivering HawkEye Keylogger and Malware Downloader
Another coronavirus-themed phishing campaign has been detected impersonating the World Health Organization (WHO), or more specifically, the Director-General of WHO, Dr. Tedros Adhanom Ghebreyesus. The campaign was identified by security researchers at IBM X-Force Threat Intelligence who report that several waves of spam have already been delivered. The threat actors behind the campaign are using spam emails to distribute a malware...
Adobe Releases Out-of-Band Patches for 29 Critical Vulnerabilities
Adobe usually releases its software updates on Patch Tuesday, the second Tuesday of the month, but no patches were released on March 10, but the round of updates has come a week later, with fixes issued for 41 vulnerabilities across 6 of its products. 29 critical flaws have been addressed and the remaining 11 patches address vulnerabilities that have been rated important. The six affected products are Adobe Genuine Integrity Service,...
100,000 Websites Impacted by WordPress Popup Builder Plugin Vulnerabilities
Two vulnerabilities have been identified in the popular WordPress plugin, Popup Builder, which is used on around 100,000 websites. The plugin was developed by Sygnoos to help website owners create and manage popups for marketing products and services to website visitors. The plugin includes the option of incorporating JavaScript code into popups, which runs when popups are loaded. Researchers at Defiant identified flaws that allow an...
Critical SMBv3 Vulnerability Leaked: Microsoft Patch and Mitigations
Update 03/12/20: Microsoft has updated its security advisory and released a patch for CVE-2020-0796 Windows 10 and Windows Server 1903 / Server 1909: Microsoft released patches for 155 vulnerabilities on March 2020 Patch Tuesday but there was one notable absence. A patch was not released for a critical Server Message Block (SMBv3) vulnerability, tracked as CVE-2020-0796. Both Fortinet and Cisco Talos published blogs summarizing the...
AMD CPUs Vulnerable to Two New Side Channel Attacks
All AMD processor manufactured between 2011 and 2019 are vulnerable to two new side channel attacks, according to researchers at Graz University of Technology, some of whom were responsible for identifying the Spectre and Meltdown vulnerabilities. In their paper, Take A Way: Exploring the Security Implications of AMD’s Cache Way Predictors, the researchers detail two side channel attacks that can be performed exploiting...
Microsoft Releases Patches for 115 Vulnerabilities Including 26 Critical Flaws
Microsoft released a record number of patches on March Patch Tuesday. 115 vulnerabilities have been patched across the entire product range, including 26 vulnerabilities that have been rated critical and 88 that have been rated important. None of the flaws in the March round of updates are believed to have been exploited in the wild and none have been made public prior to the patches being released. 17 of the critical flaws affect...
Microsoft Exchange RCE Vulnerability Being Actively Exploited in the Wild
A post-auth remote code execution vulnerability affecting all supported versions of Microsoft Exchange Server is now being exploited in the wild by multiple advanced persistent threat (APT) groups. The vulnerability, tracked as CVE-2020-0688, is present in the Exchange Control Panel (ECP) component of Microsoft Exchange Server and is the result of the failure to create unique cryptographic keys during installation. That means that all...
Several New Coronavirus-Themed Phishing Scams and Malspam Campaigns Detected
Further email campaigns have been detected that are using the novel coronavirus (COVID-19) outbreak as a lure to spread malware, phish for sensitive data, and fool people into making donations to fake charities. The World Health Organization has previously issued a warning that cybercriminals were using its logos in malicious email campaigns and those campaigns have continued. Campaigns have also been detected impersonating the...
TrickBot Trojan Gets Trickier with ActiveX Control to Automatically Run Malicious Macros
The TrickBot Trojan is now even trickier now that a Windows 10 ActiveX control has been incorporated to automatically run malicious macros in email Office attachments. Several documents have been intercepted in the past few days that abuse the Windows 10 ActiveX control. Malspam emails using this new delivery technique were intercepted by researchers at Morphisec Labs. The ActiveX control is used to execute an OSTAP JavaScript...
More than 480 Bluetooth Devices Affected by SweynTooth Vulnerabilities
12 vulnerabilities have been identified in Bluetooth Low Energy (BLE) software development kits (SDKs) from at least 7 manufacturers. The SDKs are used for system-on-a-chip (SoC) chipsets that are incorporated devices to support BLE communications. The flaws were discovered by researchers at the Singapore University of Technology and Design who collectively named them SweynTooth after Sweyn Forkbeard, the son of King Bluetooth, after...
More Than 1 Billion Devices Affected by Kr00k Wi-Fi Encryption Vulnerability
A vulnerability has been identified in Wi-Fi chips manufactured by Broadcom and Cypress which are used in more than a billion devices, according to a paper recently published by ESET. Smartphones, tablets, laptops, and IoT devices are all affected, including Apple iPhones, iPads, and MacBooks; Samsung Galaxy and Google Nexus smartphones; Amazon Echo and Kindle; Raspberry Pi3; Asus and Huawei access points and routers; and many IoT...
High Severity Flaw Patched in NVIDIA GPU Display Driver
NVIDIA has released security updates that correct flaws in the NVIDIA GPU Display Driver and NVIDIA VGPU Software. An updated GPU display driver has been released with a fix for two vulnerabilities, both of which reside in the NVIDIA Control Panel. One of the flaws is rated high severity flaw and could lead to local escalation of privileges and a denial of service condition on a vulnerable Windows device by corrupting a system file....
What is a DNS Filter?
In this post we explain what a DNS filter is, why DNS filtering is important for cybersecurity, and other advantages of DNS filtering, but first it is useful to explain what the DNS is and why it is essential to the correct functioning of the internet. What is the Domain Name System? The Domain Name System (DNS) is the brainchild of Paul Mockapetris. In 1983, Mockapetris and his team developed the DNS to support the growth of email...
Micropatch Available to Fix for CVE-2020-0674 Internet Explorer Flaw for Windows 10 1903 and 1909 Users
Enterprise users of Windows 10 v1903 and v1909 may have held off patching the CVE-2020-0674 vulnerability in Internet Explorer versions 9-11 due to the problems many have experienced with the temporary patch issued by Microsoft and issues with the buggy KB4532693 cumulative update. Fortunately, 0Patch has released a fix that can be applied as a temporary measure until a permanent solution is released by Microsoft that does not have...
Q4 2019 Threat Report Reveals Emotet Dominates Threat Landscape
The Q4, 2019 Threat Report from cybersecurity firm Proofpoint has confirmed Emotet was the biggest malware threat in 2019, accounting for 37% of all malicious payloads in 2019, even though for several months of 2019 Emotet was inactive. Emotet activity is up considerably from 2018, when it accounted for 28% of malicious payloads for the year. In Q4, 2019, Emotet accounted for 31% of all malicious payloads. Banking Trojans also proved...
LokiBot Trojan Masquerades as Epic Games Software Installer
Threat actors behind the LokiBot Trojan, an information stealer and a backdoor that gives attackers access to Windows systems, are using a new tactic to install their Trojan: Impersonation of a legitimate software installer used by EPIC Games, the gaming company behind the hugely popular free-to-play game Fortnite. LokiBot was first identified around 5 years ago and it is constantly tweaked and updated. LokiBot can steal sensitive...
99 Vulnerabilities Patched by Microsoft on February 2020 Patch Tuesday
February 2020 Patch Tuesday has seen Microsoft release patches for 99 vulnerabilities (and one advisory for Adobe Flash), making it one of the largest monthly patch releases in recent months. 12 of the patches correct critical vulnerabilities with the remainder all rated important. Four patches correct vulnerabilities that have previously been disclosed, one of which – CVE-2020-0674 – is an actively exploited vulnerability affecting...
Emotet Now Spreading by Hacking Nearby WiFi Networks
A new variant of Emotet spreads like a worm sending copies of itself to computers connected to WiFi networks within range of an infected device. This is the first time that this method of propagating the Emotet Trojan has been identified, but it would appear that it is not actually new and has been used for many months. The new Emotet capability was detected by researchers at Binary Defense on January 23, 2019. Their research...
Malware Campaign Delivers Package of Seven Malware Variants via BitBucket
Cybereason’s Nocturnus research team has identified a malware distribution campaign that aims to deliver multiple malware variants via the cloud storage platform BitBucket. The researchers believe more than 500,000 computers have already been infected, with hundreds more infections occurring every hour. Victims are infected with several malware variants including the Azorult backdoor and information stealer, STOP ransomware, the...
Vulnerable Citrix Servers Targeted by Ransomware Gangs
Multiple threat actors are conducting attacks on Citrix servers that have not had the patch applied to correct the CVE-2019-19781 vulnerability. The flaw affects the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two old versions of Citrix SD-WAN WANOP appliances and was announced on December 17, 2019. Exploits for the vulnerability first started to be published on January 11, 2020. A permanent fix was issued to...
Urgent Patching Required for Windows Server Flaws Now PoC Exploits Published
On January 2020 Patch Tuesday (01.14.2020) Microsoft released patches to address two vulnerabilities in Remote Desktop Gateway (RD Gateway) that affected Windows Server 2012, 2016, and 2019. The vulnerabilities have been collectively named BlueGate. Exploitation of the vulnerabilities could lead to remote code execution. Microsoft recommended prompt patching to correct the flaws and now the urgency has increased as several...
CISA Warns of Increase in Emotet Malware Activity
The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning over an increase in Emotet malware activity. The Emotet botnet sprung back to life on January 13, 2020 with largescale spamming campaigns detected spreading the Emotet Trojan. The Emotet Trojan is a modular malware that serves as a banking Trojan, information stealer, and malware downloader. The Trojan can move...
Cisco Patches Critical Vulnerability in Cisco Firepower Management Center
Cisco has issued hotfix patches for a critical vulnerability in its network security tool, Cisco Firepower Management Center (FMC). The flaw, tracked as CVE-2019-16028, is due to improper handling of Lightweight Directory Access Protocol (LDAP) authentication responses from an external server. The flaw could be exploited by a remote attacker to bypass authentication and execute arbitrary actions on a vulnerable device with...
The Emotet Botnet is Back in Action Sending Spam with New Lures to Fool the Unwary
There was a welcome Christmas break from the Emotet botnet, but life has returned to normal and it is well and truly back in action. Millions of malspam emails are now being sent spreading the Emotet Trojan in more than 80 countries. The emails contain attachments that are used to install the information stealing Emotet Trojan. Since Emotet is itself a malware downloader, that may not be the only malicious payload that is deployed....
Critical Zero-Day Internet Explorer Vulnerability Exploited in the Wild
Microsoft has announced it is developing a patch for a zero-day Internet Explorer vulnerability that is currently being exploited in the wild. In the meantime, a workaround has been released which should be implemented as soon as possible to prevent exploitation of the vulnerability. The vulnerability is present in Internet Explorer 9, 10 and 11 when used on Windows 7, 8.1, and 10, as well as Windows Server 2012, 2016, and 2019. An...
January 2020 Patch Tuesday Sees Microsoft Patches 49 Vulnerabilities
January 2020 Patch Tuesday has seen Microsoft issue patches for 49 vulnerabilities including 7 rated critical, along with a fix for the Crypt32.dll vulnerability discovered and publicly disclosed by the U.S. National Security Agency. Microsoft has also issued its last round of updates for Windows 7, which reached end of life on January 14. None of the vulnerabilities in this month’s updates are being exploited in the wild and details...
NSA Issues Cybersecurity Advisory on Critical Flaw Affecting Windows 10 and Windows Server
The U.S. National Security Agency has taken the unusual step of publicly disclosing a vulnerability to a software vendor. This is the first time that such a disclosure has been attributed to the NSA. The vulnerability, tracked as CVE-2020-0601, affects Windows 10 and Windows Server 2016 and 2019, and has been rated as critical by the NSA, but only important by Microsoft. When the NSA discovers vulnerabilities they are usually kept...
Critical Citrix Vulnerability Under Active Attack
A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway is being exploited in real world attacks. The vulnerability was discovered by security researcher Mikhail Klyuchnikov who reported it to Citrix, but more than a month after being notified about the flaw, a firmware upgrade has yet to be released for vulnerable Citrix appliances. The vulnerability, CVE-2019-19781, has been described by some...
Mozilla Patches Actively Exploited Zero Day Firefox Vulnerability
Mozilla has patched a critical zero-day vulnerability in the Firefox browser which is being actively exploited in the wild. The flaw – tracked as CVE-2019-17026 – is a type confusion vulnerability in the IonMonkey just-in-time (JIT) compiler for the Mozilla SpiderMonkey JavaScript engine with StoreElementHole and FallibleStoreElement. The flaw is present in the Firefox web browser for Windows, Linux, and Mac. The flaw is due to...
Landry’s Restaurant Chain Discovers POS Malware Infection
The popular U.S. restaurant chain Landry’s has discovered malware on the point of sale (POS) system used by 63 of the chain’s brands including Aquarium, Atlantic Grill, Bubba Gump Shrimp Co., Mitchell’s Steakhouse, Morton’s, and Rainforest Café. The malware potentially stole track data, which included card numbers, expiry dates, cardholder’s names, and verification codes. Landry’s said in its breach notification that it had installed...
Critical Flaw Affecting 80,000 Businesses Patched by Citrix
A critical vulnerability in the Citrix Application Delivery Controller and Citrix Gateway has been patched by Citrix. If exploited, the vulnerability could allow an unauthenticated user to access a company’s applications and remotely execute arbitrary code on a company’s local network. The vulnerability – CVE-2019-19781 – affects all versions of the Citrix Application Delivery Controller and Citrix Gateway on all...
Campaign Identified Delivering Package of 6 Malware Variants
A malware distribution campaign has been detected by researchers at Deep Instinct which is delivering a package of 6 malware variants in one hit. The malware includes a backdoor, cryptojacker, cryptocurrency stealer, and information stealing Trojans. Deep Instinct has called the campaign Hornet’s Nest due to the sheer number of threats being delivered. The campaign starts with the delivery of a malware dropper dubbed Legion Loader,...
Preinstalled Acer and Asus Software Contains Privilege Escalation Flaws
SafeBreach has discovered vulnerabilities in software preinstalled on Acer and Asus laptops and computers which could be exploited by hackers to execute malicious payloads with elevated permissions using a signed service. The first flaw affects Acer Quick Access, a preinstalled application that has system-level privileges. Acer Quick Access allows users to modify USB charge settings, toggle wireless devices on and off, and change...
New Orleans Recovering from Ransomware Attack
On Friday December 13, 2019, the City of New Orleans suffered a cyberattack which forced it to shut down its servers while the incident was investigated. The attack was discovered around 5am on Friday when suspicious activity was detected on the network. The decision was taken to shut down its servers around 11am and employees were told to turn off their computers in an attempt to contain the attack. The City’s Emergency Operations...
Zeppelin Ransomware Used to Attack MSPs, Technology, and Healthcare Companies
Security researchers at Blackberry Cylance have identified a new variant of Buran ransomware which is being used in targeted attacks on technology and healthcare companies in Europe and the United States. The new ransomware variant was first detected on November 6, 2019. It is written in Delphi and is a member of the VegaLocker and Buran ransomware family. It is believed to be distributed under the ransomware-as-a-service model. The...
Flaw in Ryuk Ransomware May Make Data Recovery Impossible
Disaster strikes. Your business has been attacked and ransomware has been deployed. You decide to pay the ransom to ensure a quick recovery, only to discover that the decryption keys supplied by the attackers do not work. This is one of the reasons why the FBI’s advice is never to pay the ransom. It is not in the best interests of cybercriminals to permanently encrypt data. After all, once word spreads that paying a ransom will not...
Ransomware Attacks on Network Attached Storage (NAS) Devices on the Rise
A hacker succeeds in gaining access to the computer systems of a business and ransomware is deployed, but there is a fair chance that the business will recover its files from backups and not pay the ransom. However, if backups are not available, there is a high chance that the business will have to pay since data loss is simply not an option. It is therefore no surprise that hackers are now targeting backups and Network Attached...
Microsoft Issues 37 Updates on December 2019 Patch Tuesday; Adobe Fixes 24
December Patch Tuesday has seen Microsoft release patches for 37 vulnerabilities along with 2 advisories. 7 of the vulnerabilities are rated critical, 27 are rated important, 1 is rated moderate, and another is rated low severity. One of the important updates corrects a Windows zero-day privilege escalation flaw – CVE-2019-1458 – in the Win32k component that handles objects in the memory. An attacker could exploit the flaw and...
New Highly Destructive Wiper Malware Variant Detected
A new wiper malware has been detected by security researchers at IBM X-Force which is being used in attacks on energy companies and industrial firms in the Middle East. The malware is believed to have been created by two threat groups in Iran that are known to have links to the Iranian government, APT34 and xHunt. The malware, named ZeroCleare, is being used in targeted attacks against specific organizations according to the...
StrandHogg Android Vulnerability Allows Malicious Apps to Pose as Legitimate Ones
An Android vulnerability has been discovered that allows malicious apps to disguise themselves as legitimate apps and gain full permissions. The vulnerability is being actively exploited by dozens of malicious apps. In order for the flaw to be exploited, a malicious app must first be downloaded. Once on the device, it can masquerade as any legitimate app on the device. When the app icon of a legitimate app is clicked, the malware is...
Critical Vulnerability Patched in GoAhead EmbedThis Web Server Software
Two vulnerabilities have been identified in GoAhead’s EmbedThis Web Server software, which is used by hundreds of millions of Internet of Things (IoT) devices, one of which is a critical flaw that could allow an attacker to take full control of a vulnerable device. GoAhead EmbedThis is an embedded web server for embedded devices. The most serious flaw, CVE-2019-5096, is a remote code execution vulnerability that arises when the web...
Microsoft Reports on New Dexphot Malware That Has Infected 80,000 Devices
This week, Microsoft has reported on a ‘new’ malware threat named Dexphot. It is not exactly new, as Microsoft first detected the threat in October 2018, but an announcement has now been made after a year of tracking the threat. Dexphot is one of a breed of polymorphic malware variants that often evade detection by security solutions. In the case of Dexphot, a variety of methods are used to fool security solutions, notably Dexphot...
Novel Digital Skimming Attack Targets Retailers Using Third-Party Payment Service Platforms
A novel digital skimming attack method has been uncovered by researchers at Malwarebytes, which spoofs third-party secure payment pages used by many online retailers to process their payments combining digital skimming with phishing tactics. When a purchase is made on a website that uses a third-party payment service platform (PSP), the customer is redirected to the PSP which is maintained by the service provider. Their payment is...
37 Vulnerabilities Identified in Popular Virtual Networking Computing Applications
Researchers at Kaspersky Lab have identified 37 vulnerabilities in popular Virtual Network Computing (VNC) applications, some of which are critical and could allow access to sensitive information, the deployment of malware, and the remote execution of arbitrary code. In the most part, the vulnerabilities could result in malfunction or denial of service although some could result in a full compromise of a vulnerable system. VNC is a...
Horrific Android Camera Vulnerability Left Millions of Users Vulnerable to Spying
A vulnerability has been identified in the Google Camera and Samsung Camera apps that is easy to exploit and would allow an attacker to take photos on a vulnerable device, record video, obtain the location of the device, record conversations, access stored images and videos, and silence the shutter sound to ensure the user is unaware that pictures are being taken. All recorded information could then be transferred to the attacker’s C2...
PureLocker Ransomware: A New Ransomware Threat Targeting Enterprise Servers
Security researchers at IBM X-Force and Intezer have identified a new form of ransomware that is being used in targeted attacks on enterprise servers. The new threat has been called PureLocker as it has been written in PureBasic, which is unusual for ransomware. PureLocker represents a serious threat, especially since signature-based security solutions struggle to detect malware written in PureBasic. Researchers at Intezer note that...
November Patch Tuesday: Microsoft Patches 74 Flaws Including Actively Exploited RCE
November Patch Tuesday has seen Microsoft patch 74 vulnerabilities across all its products, including 13 critical flaws and one remote code execution vulnerability that is being actively exploited in the wild. The actively exploited flaw – CVE-2019-1429 – is in Internet Explorer and is a Scripting Engine Memory Corruption vulnerability that was identified by Google’s Project Zero team. The flaw can be exploited by convincing a...
CISA Issues Warning About Holiday Season Scams
‘Tis the season to be jolly, especially if you are a scammer. In the run up to holiday season, cybercriminals go into overdrive and are ready and waiting to take advantage of the millions of online shoppers looking to secure a bargain. Holiday season scams are plentiful, highly varied, convincing, and often successful. This year, the U.S. government is warning consumers to be on high alert for holiday season scams that aim to obtain...
Highly Convincing Phishing Scam Uses Fake WebEx Client to Deliver RAT
A new phishing scam has been detected that uses a WebEx meeting request as a lure to get business users to download a remote access Trojan that masquerades as the WebEx client (WebEx.exe). The campaign was detected by Alex Lanstein and shared on Twitter. The meeting request is a carbon copy of a genuine WebEx meeting notification email. As with the real meeting requests, the email contains a Join Meeting button, which the user needs...
MegaCortex Ransomware Ups the Ante with Threat of Publication of Stolen Data
The developers of MegaCortex ransomware have released an updated version of their file-encrypting malware. The latest version incorporates a new feature to hamper recovery without paying the ransom along with a new threat. Victims are told that if they do not pay the ransom, their files will be published online. The latest version of MegaCortex ransomware was discovered by MalwareHunterTeam. The new version will change the Windows...
Targeted Ransomware Attacks Hit Spanish Companies Hard
A wave of ransomware attacks has been reported in Spain with several appearing to have been attacked almost simultaneously on Monday. One of the attacked companies was Everis, one of the largest IT consulting companies and managed service providers in Spain. The attack on Everis was targeted, which was made clear by the extension added to files encrypted by the ransomware – .3v3r1s. The dropped ransom note explained that its network...
Mass BlueKeep RDP Attacks Detected Spreading Cryptcurrency Miners
The BlueKeep remote code execution vulnerability in Windows Remote Desktop Services is being exploited in real world attacks. The vulnerability – CVE-2019-0708 – can be exploited on vulnerable systems by sending a specially crafted request over RDP. No user interaction is required. A patch to correct the flaw was issued by Microsoft in May. The flaw is one of the most serious vulnerabilities discovered in 2019. Like the Windows...
Update Google Chrome: Zero-Day Vulnerability Being Actively Exploited in the Wild
A recently discovered vulnerability in Google Chrome is being actively exploited by hackers. The vulnerability was discovered by Kaspersky Lab security researchers Anton Ivanov and Alexey Kulaev who reported the flaw to Google. The flaw – CVE-2019-13720 – is a high-severity use-after-free memory corruption vulnerability in the audio component of the Chrome browser. If exploited the flaw could cause the browser to crash and...
FBI Issues Warning Following Increase in E-Skimming Attacks
The FBI has issued a warning following an increase in e-skimming attacks on small and medium sized businesses and government agencies. E-skimming is the term given to the loading of malicious code onto e-commerce websites that captures credit card information when consumers purchase products online. The code sends personal information and credit card details to an attacker-controlled domain in real-time. These attacks are performed on...
7.5 Million Adobe Creative Cloud Users Warned of Data Breach
Adobe has announced that a vulnerability has exposed the private information of approximately 7.5 million Adobe Creative Cloud users. The information was contained in an Elasticsearch database, which could be accessed by anyone via a web browser without any authentication required. Fortunately, only basic customer information was exposed. No financial information or passwords were stored in the database, only basic information about...
NordVPN Discloses 2018 Security Breach
NordVPN is one of the most popular and well-known VPN services on the market. It is used by many people to ensure privacy when using the internet; however, the firm has recently announced that it has suffered a security breach. The announcement came following a post on Twitter by a security researcher who claimed that an unknown individual had stolen private encryption keys that ensure traffic through its servers remain private and...
Free Decyptor for STOP Ransomware Released
Researchers at New Zealand-based cybersecurity firm Emsisoft have released a free decryptor for STOP ransomware. STOP ransomware is primarily used to attack consumers rather than businesses and is usually delivered via cracked software and adware bundles distributed on websites that offer cracks for legitimate software applications such as Photoshop. The threat actors behind the campaign are highly active. In fact, STOP ransomware is...
Critical Linux Wi-Fi Bug Could Result in Full System Compromise
A critical flaw in the Linux rtlwifi driver has been identified which could allow a full system compromise. A patch is being prepared but as not yet been added to the Linux kernel. The rtlwifi driver is used to ensure compatibility of Realtek Wi-Fi chips on Linux devices and allow them to communicate with the Linux operating system. The vulnerability – CVE-2019-17666 – has existed for around 4 years but has only just been...
Adobe October Update Includes Patches for 45 Critical Vulnerabilities in Acrobat and Reader
Adobe usually releases its patches, fixes, and software updates on the same day as Microsoft – The second Tuesday of the month or Patch Tuesday as it has come to be known. No updates were release on Tuesday, October 9, but it turns out that the updates have just been delayed. On October 15, Adobe released a slew of updates to correct vulnerabilities in Adobe Acrobat, Adobe Reader, Adobe Experience Manager, Adobe Experience Manager...
Many Popular Smartphones Vulnerable to Actively Exploited Zero-Day Android Flaw
A zero-day flaw in the Android operating system used by some of the most popular mobile phones on the market is being exploited in real-world attacks. The zero-day flaw is being exploited by the Israeli surveillance firm NSO Group, which is best known for selling zero-day exploits in operating systems to governments for the purpose of espionage. The flaw is present in the Android Kernel binder driver and is a use-after-free...
Reductor Malware Allows Hijacking of HTTPS Traffic
Security researchers at Kaspersky Lab have identified a new form of malware named Reductor that manipulates the random number generator of web browsers allowing decryption of TLS traffic on the fly. The threat actors behind the malware have not been identified, although there are similarities in the code which links it to the COMPfun Trojan, suggesting the authors of both malware variants could be one and the same. Based on...