97% of Top Universities Failing to Adequately Protect Against Email Impersonation Attacks
Aug04

Domain spoofing is a common tactic used by phishers to trick victims into believing they have received an official email from a trusted business or contact. Technologies have been developed to detect domain spoofing and protect individuals from email impersonation attacks, yet many organizations have not implemented email validation protocols that can detect spoofing, and as such, their employees and other stakeholders are subjected...

87% of Ransomware Uses Malicious Macros to Infect Devices
Aug03

Microsoft recently rolled out a new security feature that would block macros by default. There was a hiccup in that process, as Microsoft had to do a temporary U-turn, in response to negative feedback from users. Microsoft has now taken the feedback on board and has improved usability, and the new security feature has now been rolled out again. An investigation by the cybersecurity firm Venafi and the criminal intelligence provider,...

Network of 11,000 Websites Used in Industrial Scale Fake Investment Scam
Aug01

A network of more than 11,000 websites being used for industrial-scale investment fraud has been uncovered by security researchers at Group IB. The scammers use advertisements on social media networks such as Facebook and YouTube, which direct users to websites offering fake investment schemes. The posts, adverts, and websites often appear to have been endorsed by well-known local celebrities, and the websites themselves are well...

LinkedIn Remains the Most Impersonated Brand in Phishing Attacks
Jul27

The Q2, 2022 Brand Phishing Report from cybersecurity firm Check Point shows LinkedIn is still the most impersonated brand in phishing attempts, having first entered the Top 10 Most Impersonated Brands list in Q1, 2022. There has also been a surge in phishing attempts impersonating Microsoft, which have more than doubled from the previous quarter. The increase has seen Microsoft catapulted into position 2 in the list, accounting...

Amadey Bot Malware Distributed via SmokeLoader using Software Cracking Software
Jul25

A malware distribution campaign has been detected by researchers at AhnLab that ultimately delivers Amadey Bot malware. Amadey Bot malware can steal information from infected systems, perform reconnaissance, and drop additional malware payloads on infected devices. Amadey Bot malware is a relatively old malware, first identified four years ago. The latest campaign delivers a new version of the malware via SmokeLoader malware....

Flaws in Vehicle GPS Tracker Could be Exploited Remotely to Track and Disable Vehicles
Jul21

A popular GPS tracking device – MiCODUS MV720 GPS tracker – that is installed in vehicles to protect against theft and for vehicle fleet management has been found to contain six severe vulnerabilities that could be remotely exploited by threat actors to gain control of the device. The MiCODUS MV720 GPS tracker is hardwired into vehicles and allows vehicles to be tracked for fleet management, and also incorporates several...

North Korean Hackers Behind HolyGhost Ransomware Attacks on SMBs
Jul18

A ransomware family called HolyGhost that is being used in attacks on SMBs has been linked to a suspected North Korean state-sponsored hacking group by researchers at Microsoft. The ransomware was first detected in September 2021 and has been predominantly used to attack small and mid-sized businesses, including schools, banks, manufacturers, and event and meeting planning companies. Microsoft has tracked the attacks to a threat group...

Security Vendors Impersonated in Callback Phishing Campaign
Jul14

The cybersecurity vendor CrowdStrike has issued a warning about a callback phishing campaign that attempts to trick employees at businesses into visiting a malicious website. Initial contact is made via email, which instructs recipients to make a phone call as part of a security audit. According to one of the emails obtained by researchers at CrowdStrike, contact is made due to an alleged data breach at the cybersecurity firm. The...

Massive Phishing Campaign Bypasses MFA to Gain Access to Office 365 Accounts for BEC Attacks
Jul13

This week, Microsoft shared details of a massive phishing campaign that has targeted more than 10,000 organizations since September 2021. The campaign targets organizations that use Office 365 and allows the attackers to hijack accounts, even if they have multi-factor authentication (MFA) enabled. The compromised accounts are then used to conduct business email compromise attacks on external companies to get them to make fraudulent...

Microsoft Rollback of VBA Macro Blocking is Only a Temporary Measure
Jul12

Last week, Windows users started noticing that Microsoft had stopped blocking Internet-delivered VBA macros by default without making an announcement. Microsoft has now confirmed that the rollback is only a temporary measure. Back in February, Microsoft announced that it would be taking steps to improve security by blocking Visual Basic for Applications (VBA) macros by default in certain Office apps. The security measure would apply...

Threat Groups Observed Substituting Cobalt Strike for Stealthier Post-Exploitation Framework
Jul08

Cyber threat actors are frequently observed deploying a legitimate penetration testing and post-exploitation framework known as Cobalt Strike on victims’ systems. Cobalt Strike is used by pen testers and cybersecurity red teams in simulated attacks on a company to probe for and exploit vulnerabilities. Cobalt Strike is used to deploy beacons on compromised parts of the network, which can be used for surveillance and running commands....

U.S. Healthcare Sector Warned About Maui Ransomware Attacks by North Korean Hackers
Jul07

North Korean state-sponsored hackers are targeting organizations in the U.S. healthcare and public health sector (HPH) and are using Maui ransomware for extortion, according to a recent joint cybersecurity advisory from the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury. Ransomware attacks on healthcare providers can prevent access to electronic...

New IIS Backdoor Identified in Microsoft Exchange Servers
Jul04

Security researchers at Kaspersky have sounded the alarm about a new malware threat that is being used to gain persistent, stealthy access to corporate Microsoft Exchange servers. The malware allows the threat actor to steal email data and gain full control of the victims’ infrastructure. Currently, detection rates by antivirus software engines are poor. Despite the malware having been in use for several months, many of the infections...

New AstroLocker Ransomware Variant Detected Being Distributed Directly Through Email Attachments
Jun30

A new version of AstroLocker ransomware has been detected which is being delivered directly via email attachments. AstroLocker is a relatively new ransomware threat that is based on Babuk ransomware, the source code for which was leaked in September last year. In contrast to most malspam campaigns, which use VBA macros to download the first-stage payload, this campaign uses a Word document attachment with an embedded OLE object –...

FBI Warns Employers About Use of Deepfakes to Land Remote Working Positions
Jun29

The Federal Bureau of Investigation has issued a warning to businesses due to an increasing number of complaints received by its Internet Crime Complaint Center (IC3) about the use of deepfakes in applications for remote working and work-from-home positions. Deepfakes of images, video, and audio files can be very convincing and difficult to distinguish from genuine content. Deepfakes are often created using AI/machine learning...

Cybersecurity Agencies Recommend Using PowerShell to Improve Forensics and Incident Response
Jun23

Windows PowerShell is a useful and powerful scripting language and configuration management tool that can be used by Windows and system administrators for creating scripts to automate tasks. PowerShell is also extremely useful to cyber threat actors, who often abuse PowerShell after gaining access to victims’ networks. By using PowerShell, they don’t have to download their own toolsets and can hide their malicious activity. The...

SharePoint and OneDrive Files Could be Vulnerable to Ransomware Attacks
Jun22

A potential vulnerability has been identified in Office 365 and Microsoft 365 that could be exploited by ransomware gangs to encrypt files stored on SharePoint and OneDrive, rendering the files unrecoverable without paying the ransom if the files have not been separately backed up. According to Proofpoint, which recently published a report on the issue, the issue relates to the auto-save feature that saves SharePoint and OneDrive...

Microsoft Issues Out-of-Band Update to Fix Patch Tuesday-Related Issue on Arm Devices
Jun21

Microsoft has issued an out-of-band update to fix an issue with Windows devices with Arm chips that was caused when users applied their June 2022 Patch Tuesday updates. The issue caused problems signing into Azure Active Directory and Microsoft 365 on Arm devices, and also affected applications and services that use Azure Active Directory for signing in, such as Microsoft Outlook, OneDrive for Business, and Microsoft Teams Microsoft...

Thousands Arrested in Interpol-Led Operation Targeting Social Engineering Scammers
Jun16

An international law enforcement operation led by Interpol, involving police forces in 76 countries, has seen more than $50 million seized and thousands of people arrested in connection with social engineering scams such as telecommunication fraud and business email compromise scams, and the laundering of the proceeds of those operations. The operation – called First Light 2022 – ran for two months between...

Emotet Malware Infections Increased by 2,700% from Q4, 2021 to Q1, 2022
Jun13

Security researchers have identified new variants of Emotet malware that are capable of collecting and using stolen credentials, which are then weaponized and used to distribute the malware, and security solutions are failing to block the malware. Emotet is widely regarded as the most dangerous malware threat. While action was taken by a coalition of law enforcement agencies, which shut down the infrastructure of Emotet in January...

Local Governments Targeted in Phishing Campaign Exploiting Windows Follina Vulnerability
Jun07

The critical Windows ‘Follina’ zero-day vulnerability is being exploited in phishing attacks on local governments in the United States and government entities throughout Europe, according to Proofpoint. The phishing campaign uses Rich Text File (RTF) attachments, which will exploit the Microsoft Windows Support Diagnostic Tool (MSDT) remote code execution bug – CVE-2022-30190 – if opened. Exploitation of the vulnerability does not...

Zero-day Atlassian Confluence Vulnerability Being Actively Exploited by Multiple Threat Actors
Jun03

A critical Atlassian Confluence zero-day vulnerability is being actively exploited by multiple threat actors. At present, there is no patch available to fix the flaw. The vulnerability is tracked as CVE-2022-26134 and is a remote code execution vulnerability that affects all versions of Confluence Server and Data Center. The vulnerability does not affect Atlassian Cloud. Atlassian said it is aware that the vulnerability is being...

3.6 Million MySQL Servers are Exposed to the Internet and Responding to Queries
Jun02

The cybersecurity research group, The Shadowserver Foundation, has identified 3.6 million MySQL servers that are using the default TCP port 3306 and are exposed to the Internet. Almost 2.3 million of those MySQL servers responded to queries on IPv4, and over 1.3 million responded to queries over IPv6. 67% of all MySQL servers were discovered to be accessible over the Internet. The researchers did not investigate the level of access...

Zero-Day Vulnerability Affecting Microsoft Office Being Actively Exploited
Jun01

A zero-day remote code execution vulnerability has been identified in the Microsoft Windows Support Diagnostic Tool (MSDT) which is being actively exploited in the wild. The vulnerability affects all versions of Microsoft Office from 2003 and has been dubbed Follina. The vulnerability can be exploited by sending a specially crafted Word document, which will exploit the flaw if the document is opened. The vulnerability works without...

General Motors Customers Targeted in Credential Stuffing Attack
May27

General Motors has announced that certain customer accounts have been accessed by unauthorized individuals. Between April 11 and April 29, 2022, suspicious logins were detected in customer accounts. The investigation revealed unauthorized individuals accessed certain customer accounts and redeemed their reward points for gift vouchers. The compromised accounts contained information such as names, addresses, dates of birth, personal...

Ransomware Attacks Increased 13% in a Year
May26

The 2022 Verizon Data Breach Investigations Report has been published, which shows the extent to which ransomware is being used in cyberattacks on businesses. Ransomware has proven to be a highly successful tool for monetizing system compromises. Threat actors gain initial access to the network, exfiltrate data, then encrypt files. Payment is demanded to prevent the sale or exposure of sensitive data and for the keys to decrypt files....

CISA Adds 41 Vulnerabilities to the Known Exploited Vulnerability Catalog
May25

On May 23 and May 24, 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a further 41 vulnerabilities to its Known Exploited Vulnerability Catalog, which brings the known exploited vulnerabilities included in the list up to 703. The latest additions to the list are based on evidence collected that indicates the vulnerabilities are being actively exploited by threat actors in the wild. When new vulnerabilities...

Conti Ransomware Operation Shuts Down and Restructures
May23

The prolific Conti ransomware-as-a-service operation appears to have shut down. According to Advanced Intel, the internal infrastructure of the gang has been shut down, including the Tor admin panels that are used to negotiate with victims and to publish data on the leak site; however, the actual data leak and ransom negotiation sites remain online. The operation looks like it is splitting up and will operate as a collection of much...

Top Attack Vectors Used to Breach Corporate Networks
May18

The Five Eyes cybersecurity agencies from the United States, United Kingdom, Canada, Australia, and New Zealand have issued a security alert sharing the top five techniques used by cyber threat actors to gain initial access to corporate networks. The agencies also list 10 weak security controls and poor security practices that are commonly exploited in cyberattacks and provide suggested mitigations for hardening security to prevent...

Critical F5 BIG-IP Flaw is Being Widely Exploited
May11

A critical flaw in F5 BIG-IP systems is being actively exploited by threat actors. BIG-IP systems are software/hardware solutions that are used for access control, application availability, and security. The flaw, tracked as CVE-2022-1388, was disclosed last week by F5 and was assigned a CVSS severity score of 9.8 out of 10. The flaw affects the iControl REST authentication component which is used for communication between the F5...

3 Zero-Days Among 95 Flaws Patched by Microsoft on May 2022 Patch Tuesday
May10

Microsoft has released patches to correct 75 flaws in its products on May 2022 Patch Tuesday, including 3 zero-days, one of which is being actively exploited in MitM attacks. The actively exploited zero-day is tracked as CVE-2022-26925 and is a Windows LSA spoofing vulnerability, which allows attackers to authenticate to domain controllers. According to Microsoft, “An unauthenticated attacker could call a method on the LSARPC...

Phishing Campaign Pushing Jester Malware Targets Ukrainian Citizens Warning of Chemical Attacks
May10

A phishing campaign has been identified that warns of chemical weapon attacks on Ukrainian citizens in an attempt to infect devices with Jester malware. The Computer Emergency Response Team of Ukraine (CERT-UA) has recently issued a security advisory about the mass distribution of these malicious emails targeting Ukrainian citizens. The emails have the subject line “chemical attack” and warn in Ukrainian that information has been...

U.S. Offers $15 Million in Rewards for Information About Conti Ransomware Leaders & Affiliates
May09

The U.S. Department of State is offering up to $15 million in rewards for information on the Conti ransomware leadership and its affiliates, as was the case in November where similar rewards were offered for information on the Sodinokibi (REvil) and Darkside ransomware groups. The Conti ransomware-as-a-service (RaaS) operation has been highly prolific and is currently the leading RaaS operation. The gang has conducted more than 1,000...

FBI: More than $43 Billion has been Lost to BEC Scams Since 2016
May06

Business email compromise (BEC) scams are the leading cause of losses to cybercrime. According to the U.S. Federal Bureau of Investigation (FBI), reported losses between June 2016 and December 2021 exceeded $43.3 billion. These scams, also known as email account compromise (EAC), involve compromising a business email account and using it to send emails to individuals responsible for making wire transfers and tricking them into making...

Campaign Identified Delivering Fileless Malware using Shellcode in Windows Event Logs
May05

A new technique has been observed in the wild for delivering fileless malware on targeted devices and evading detection. According to researchers at Kaspersky, the attack involves injecting shellcode into Windows event logs, which sees the attacker hiding in plain sight and delivering fileless Trojans. The encrypted shellcode that includes the payload is embedded into Windows event logs in 8KB blocks and is saved in the binary part of...

REvil Ransomware Operation Returns
May02

Evidence is mounting that the notorious REvil ransomware operation is back up and running, despite multiple arrests and loss of control of its infrastructure. The notorious and prolific REvil ransomware gang ceased operations in October 2021, following a law enforcement operation that saw the Tor servers that hosted their payment portal hijacked, along with the data leak blog where victims were named. In January this year, the Federal...

Bumblebee is the Malware Loader of Choice for Delivering Malicious Payloads
Apr29

A new malware loader dubbed Bumblebee is being used by multiple threat actors to deliver malicious payloads to victims’ devices. According to cybersecurity firm Proofpoint, which analyzed the Bumblebee loader, its sole purpose appears to be to download malicious payloads onto infected devices and has been observed being used to deliver the Cobalt Strike, Sliver, and Meterpreter red team frameworks. The researchers identified three...

Emotet is Once Again the Biggest Malware Threat
Apr26

In January 2021, the infamous Emotet botnet was shut down following an international law enforcement operation coordinated by Europol and Eurojust. Emotet started life as a banking Trojan and was first detected in 2014. Over the years the malware evolved into a powerful tool that was offered under the malware-as-a-service model to provide other threat actors with access to the devices infected with Emotet, including ransomware gangs...

Cybersecurity Agencies Issue Warning About Cyberattacks by State Sponsored and Pro-Russian Hacking Groups
Apr21

A joint threat assessment has been published by cybersecurity agencies in the United States, Australia, Canada, New Zealand, and the United Kingdom warning about the threat of cyberattacks by Russian state-sponsored hacking groups and pro-Russian hacking groups. Russian hacking groups are currently engaged in cyberattacks in Ukraine; however, there is concern that cyberattacks could be conducted beyond the Ukraine region in response...

CISA: Hackers Actively Exploiting Windows Print Spooler Privilege Escalation Flaw
Apr20

On February 2022 Patch Tuesday, Microsoft released a patch to fix a high severity Windows Print Spooler privilege escalation vulnerability, tracked as CVE-2022-22718, which was one of four privilege escalation vulnerabilities in the Windows Print Spooler component to be patched on February 8. The vulnerability was assigned a CVSS severity score of 7.8 out of 10 and was marked as ‘exploitation more likely’. Hackers can...

LinkedIn is the Most Impersonated Brand in Phishing Attacks
Apr19

The professional social networking site LinkedIn is now the most impersonated brand in phishing attacks according to Check Point Research. In Q1, 2022, 52% of phishing attacks spoofed LinkedIn, which is a 550% increase from the previous quarter when LinkedIn was the 5th most impersonated brand. This is part of an emerging trend in phishing that has seen phishers switch to campaigns seeking corporate social media credentials, which can...

Microsoft Takes Control of ZLoader Botnet Infrastructure
Apr15

Microsoft’s Digital Crimes Unit (DCU) has taken control of 65 domains that were being used as the command-and-control mechanism for the ZLoader botnet. The botnet consisted of Windows devices infected with malware from the ZeuS family, such as ZLoader and Zbot. Originally, ZLoader malware was used for financial theft, credential theft, and stealing money from personal accounts; however, the threat actors behind the malware started...

APT Actors Have Demonstrated the Capability to Attack ICS/SCADA Systems
Apr14

Certain Advanced Persistent Threat Actors (APT) have demonstrated they have the capability to gain access to industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, including Schneider Electric programmable logic controllers (PLCs), OMRON Sysmac NEX PLCs, and Open Platform Communications Unified Architecture (OPC UA) servers, according to a joint cybersecurity alert issued by the U.S....

Microsoft Fixes 128 Vulnerabilities Including 2 Zero Day Bugs
Apr13

Microsoft has released patches to fix 128 vulnerabilities across its product range on April 2022 Patch Tuesday, including 10 flaws rated critical, and two zero-day bugs, one of which is being actively exploited in the wild. Three of the critical flaws are wormable and can be exploited remotely with no user action to achieve code execution. The two zero-day bugs have been rated important, even though one is being actively exploited in...

FBI Disrupts the Russia-Linked Cyclops Blink Botnet
Apr07

The massive Cyclops Blink botnet that was being used to target firewall appliances and SOHO networking devices has been neutralized by the U.S. Federal Bureau of Investigation (FBI). The botnet consisted of an army of devices that had been infected by Cyclops Blink malware, which infects Internet-connected devices through malicious firmware updates. The botnet was first identified by the US and UK governments in February this year and...

New Borat RAT Makes Ransomware and DDoS Attacks Simple
Apr06

A new Remote Access Trojan (RAT) has been identified that makes it easy for threat actors to conduct ransomware and DDoS attacks. The malware – dubbed Borat – takes its name from the character created by Sasha Baron Cohen and was discovered by researchers at the cybersecurity firm Cyble following attacks in the wild using the malware. Their analysis of the Borat RAT revealed it has extensive features. Those features are delivered...

Over 5 Dozen Software Flaws Added to CISA’s Known Exploited Vulnerabilities List
Mar28

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added 66 vulnerabilities to its Known Exploited Vulnerabilities Catalog that should be given priority when patching, which brings the total number of vulnerabilities on the list to 570. The Known Exploited Vulnerabilities Catalog was first published by CISA in November 2021 as part of its efforts to reduce the significant risk of vulnerabilities being exploited by...

Losses to Cybercrime Increased 64% in 2021 to $6.9 Billion
Mar25

The 2021 Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3) shows there was a 64% increase in losses to cybercrime in 2021, rising from $4.2 billion in reported losses in 2020 to $6.9 billion in 2021. 2021 broke the previous record in submitted complaints, with IC3 receiving 847,376 complaints from victims of cybercrime – a 7% increase from 2020. 2021 saw significant rises in phishing, ransomware,...

Critical Infrastructure Organizations Warned About AvosLocker Ransomware Attacks
Mar21

AvosLocker ransomware is being used in attacks on U.S. critical infrastructure organizations, according to a recent joint cybersecurity advisory issued by the Federal Bureau of Investigation (FBI), U.S. Department of the Treasury, and the U.S. Treasury Financial Crimes Enforcement Network (FinCEN). AvosLocker is a relatively new ransomware group that first appeared in June 2021. Initially, the ransomware was used in attacks on Windows...

Feds Issue Security Alert About MFA Bypass and Vulnerability Exploitation
Mar18

State-sponsored Russian hackers have bypassed multi-factor authentication and exploited the PrintNightmare vulnerability in an attack on a non-governmental organization (NGO), according to a recent security alert from the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA). The attack in question occurred in May 2021. The hackers gained a foothold in the network in a brute force attack and...

Feds Issue Update on Conti Ransomware
Mar10

The Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) have issued an update on Conti Ransomware as attacks on U.S. businesses pass the 1,000 mark. The update includes information gathered from the recent leak of internal private messages between gang members by a Ukrainian researcher, who also released the source code for the ransomware and...

Microsoft Issues Patches for 71 Vulnerabilities Including 3 Critical Bugs and 3 Zero-days
Mar09

Microsoft has provided patches to fix 71 vulnerabilities on March 2022 Patch Tuesday, including 3 critical bugs, 68 important issues, and three flaws that have been publicly disclosed before a patch was released. None of the vulnerabilities are believed to have been exploited in the wild at the time the patches were released. The critical flaws affect HEVC Video Extensions – CVE-2022-22006 (CVSS 7.8), VP9 Video Extensions (CVSS 7.8),...

FBI Issues Security Alert About Ongoing RagnarLocker Ransomware Attacks
Mar08

The Federal Bureau of Investigation (FBI), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA), has issued a TLP: White flash alert warning organizations in critical infrastructure sectors about RagnarLocker ransomware attacks. RagnarLocker ransomware started to be used in attacks in December 2019, with the FBI first learning of the ransomware in April 2020. The FBI says RagnarLocker ransomware actors work...

Lapsus Ransomware Gang Continues with High Profile Attacks
Mar04

The Lapsus ransomware gang is a new threat group that first appeared in December 2021 but has already started building a name for itself with several high-profile attacks, the latest being the ransomware attack on GPU giant NVIDIA. Sensitive Employee Data and Source Code Stolen from NVIDIA: NVIDIA said it detected the attack on February 23, 2022, and announced on February 25 that it was investigating a security...

Read More
Warnings Issued About Hermetic Wiper with Worm-like Capabilities
Mar01

Warnings Issued About Hermetic Wiper with Worm-like Capabilities

A destructive new malware dubbed Hermetic Wiper is being used in cyberattacks in Ukraine and there are fears that there could be spillover into other countries akin to the NotPetya wiper malware attacks in 2017. According to a recent report by cybersecurity firm ESET, Hermetic Wiper has been used in several attacks in Ukraine starting on February 24, 2022. The malware masquerades as ransomware and victims are told that their files...

Read More
TrickBot Trojan Retired as Developers Switch to Stealthier Malware
Feb28

TrickBot Trojan Retired as Developers Switch to Stealthier Malware

The TrickBot Trojan has been a major malware threat for the past 6 years but appears to have now been retired. The main developers of the TrickBot Trojan are believed to have joined the Conti ransomware gang to work on stealthier malware such as the BazarBackdoor and Anchor malware families. The TrickBot Trojan is a modular malware that first emerged in 2016. The malware was initially a banking Trojan but has had several capabilities...

Read More
U.S. Organizations Warned About Elevated Risk of Cyberattacks as New Wiper Malware Used in Attacks in Ukraine
Feb24

U.S. Organizations Warned About Elevated Risk of Cyberattacks as New Wiper Malware Used in Attacks in Ukraine

Cyberattacks in Ukraine have recommenced following the Russian invasion of Ukrainian territory. Ukrainian government agencies have also been hit with DDoS attacks that took their websites offline, in what appears to be an attempt to destabilize the country, and a new wiper malware has been identified that has been used on hundreds of targets in the country. In contrast to ransomware, wiper malware’s sole purpose is the destruction of...

Read More
CISA Warns Critical Infrastructure Entities About the Risk of Foreign Influence Operations
Feb22

CISA Warns Critical Infrastructure Entities About the Risk of Foreign Influence Operations

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning to critical infrastructure organizations about the threat of foreign influence operations. Malicious actors use a range of tactics to shape public opinion in targeted countries and undermine trust in critical infrastructure. These tactics can amplify division and sow discord, and typically involve the distribution of misinformation, disinformation,...

Read More
Free Cybersecurity Tools to Adopt to Improve Your Security Capabilities
Feb21

Free Cybersecurity Tools to Adopt to Improve Your Security Capabilities

Cybersecurity budgets are usually limited, so it is not possible to purchase multiple best-in-class cybersecurity solutions, but the good news is there are many free cybersecurity tools that can be adopted to improve security capabilities at zero cost. There is no silver bullet when it comes to cybersecurity. Several cybersecurity solutions must be used to protect against intrusions and detect and block attacks in progress, which can...

Read More
These Critical Vulnerabilities in SAP Business Applications Require Immediate Patching
Feb10

These Critical Vulnerabilities in SAP Business Applications Require Immediate Patching

SAP has released patches to fix a set of critical vulnerabilities in the SAP Internet Communication Manager (ICM), which is used by SAP business applications such as SAP NetWeaver, S/4HANA, and SAP Web Dispatcher. One of the vulnerabilities has been given the highest possible CVSS severity score of 10. The vulnerabilities were identified by security researchers at Onapsis Research Labs, who reported them to SAP. The researchers have...

Read More
51 Patches Released by Microsoft on February 2022 Patch Tuesday
Feb09

51 Patches Released by Microsoft on February 2022 Patch Tuesday

Microsoft has released 51 patches on February 2022 Patch Tuesday to fix vulnerabilities, including one zero-day bug. There are considerably fewer patches than in recent months, when over 100 patches a month has been the norm; that said, Microsoft did release around 20 patches to fix vulnerabilities in the Chromium-based Microsoft Edge browser earlier this month. None of this month’s patches address critical issues; all have been rated...

Read More
California Attorney General Shares Tips for Avoiding Identity Theft
Feb04

California Attorney General Shares Tips for Avoiding Identity Theft

California Attorney General Rob Bonta has provided Californians with tips for avoiding identity theft and fraud in recognition of Identity Theft Awareness Week 2022. Identity theft is where someone steals an individual’s personal data and uses the information to impersonate that individual in order to commit fraud, such as opening lines of credit in the victim’s name. As more people now rely on online services for work and personal...

Read More
Cisco Releases Patches to Fix Multiple Critical Vulnerabilities in its Small Business Routers
Feb03

Cisco Releases Patches to Fix Multiple Critical Vulnerabilities in its Small Business Routers

Cisco has released patches to fix 15 vulnerabilities in its Small Business RV160, RV260, RV340, and RV345 Series Routers, several of which are critical flaws and three have the maximum CVSS severity score of 10/10. The vulnerabilities could be exploited to execute arbitrary code with root privileges, elevate privileges, execute arbitrary commands, bypass authentication and authorization protections, fetch and run unsigned software, and...

Read More
SEO Poisoning to Distribute Malware Disguised as Legitimate Software Installers
Feb02

SEO Poisoning to Distribute Malware Disguised as Legitimate Software Installers

Mandiant has identified a campaign that uses fake software installers for free productivity apps such as Zoom, TeamViewer, and Visual Studio to distribute Batloader, Ursnif, and Atera Agent malware. The campaign uses search engine optimization (SEO) poisoning to get web pages listed high in the search engine listings for certain search terms to drive traffic to the pages offering the software downloads. The researchers report that...

Read More
Banking Trojan Masquerades as Android Password Security App
Feb01

Banking Trojan Masquerades as Android Password Security App

A password security app available through the Google Play Store, which has been downloaded more than 10,000 times, is actually a malware dropper that delivers a banking Trojan. The malicious app – 2FA Authenticator – was identified by security researchers at Pradeo and was discovered to deliver a banking Trojan called Vultur that targets financial services and steals banking information and other sensitive data. 2FA...

Read More
8 Vulnerabilities Added to CISA’s Known Exploited Vulnerabilities Catalog
Feb01

8 Vulnerabilities Added to CISA’s Known Exploited Vulnerabilities Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has added a further 8 actively exploited vulnerabilities to its Known Exploited Vulnerabilities Catalog. These 8 vulnerabilities are known to have been exploited by threat actors in real-world attacks, and as such these vulnerabilities pose a significant risk to organizations. The vulnerabilities are a mix of old and new, with the earliest vulnerabilities dating back to 2014...

Read More
January 28, 2022 is Data Privacy Day – A Day to Take Steps to Improve the Privacy of Personal Data
Jan28

January 28, 2022 is Data Privacy Day – A Day to Take Steps to Improve the Privacy of Personal Data

Today is Data Privacy Day – An annual day with a focus on raising awareness of best practices for keeping personal data private and confidential along with the techniques and tools that can be adopted by all individuals to better protect them against data theft, identity theft, and other types of fraud. Data Privacy Day – January 28 – started as Data Protection Day in 2006 and was initiated by the Council of Europe. Two years later,...

Read More
QNAP: Immediate Action Required to Prevent Deadbolt Ransomware Attacks on NAS Devices
Jan27

QNAP: Immediate Action Required to Prevent Deadbolt Ransomware Attacks on NAS Devices

QNAP, a Taiwanese manufacturer of network-attached storage (NAS) devices, has issued a warning to all customers to ensure they are running the latest software and to reconfigure their systems to improve resilience to ransomware attacks. A campaign has been identified involving a new ransomware variant called Deadbolt, which is being used in attacks on QNAP NAS devices that are exposed to the Internet. The campaign has only recently...

Read More
ITRC Says Record-breaking Numbers of Data Compromises Were Reported in 2021
Jan25

ITRC Says Record-breaking Numbers of Data Compromises Were Reported in 2021

New data from the Identity Theft Resource Center (ITRC) shows record numbers of data breaches were reported in 2021, beating the previous record of 1,506 data breaches set in 2017 by 23%. 1,862 data compromises were reported in 2021, which is a 68% increase from 2020. There was also a slight increase in the proportion of reported breaches involving sensitive information such as Social Security numbers, which rose from 80% in 2020 to 83%...

Read More
F5 Releases Patches to Fix 25 Vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Solutions
Jan24

F5 Releases Patches to Fix 25 Vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Solutions

F5, the multi-cloud management and application delivery and security solution provider has released 25 patches to address vulnerabilities in its BIG-IP, BIG-IQ, and NGINX Controller API Management solutions in its January 2022 quarterly security notification. 15 of the vulnerabilities are high-severity issues, with 9 medium-severity flaws, and one low-severity issue. The vulnerabilities could be exploited by an attacker in a...

Read More
FBI Shares IoCs Associated with Diavol Ransomware Attacks
Jan21

FBI Shares IoCs Associated with Diavol Ransomware Attacks

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Flash Alert sharing indicators of compromise (IoCs) associated with Diavol ransomware attacks and recommended mitigations. Diavol ransomware is believed to be used by the operators of the TrickBot banking Trojan and botnet, who are also believed to operate Conti and Ryuk ransomware. The new ransomware family was first detected in July 2021 and came to the attention of the FBI...

Read More
Prepare for Wiper Malware Attacks, Warns CISA
Jan20

Prepare for Wiper Malware Attacks, Warns CISA

A warning has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) to organizations in the United States to take steps to strengthen their defenses against wiper malware attacks following the recent cyberattacks in Ukraine. The attacks in Ukraine involved a new wiper malware – dubbed WhisperGate by Microsoft – that was used in attacks on multiple government, non-profit, and information technology...

Read More
New Wiper Malware Was Used in Recent Cyberattacks in Ukraine
Jan17

New Wiper Malware Was Used in Recent Cyberattacks in Ukraine

Last week, Ukraine experienced a massive cyberattack that affected around 70 government websites, including those of the Ministry of Foreign Affairs and the education ministry. A post on one of the attacked websites read, “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.” The attack was mitigated quickly, with Ukraine now reporting that most of the affected...

Read More
New York Attorney General Issues Business Guide for Credential Stuffing Attacks
Jan14

New York Attorney General Issues Business Guide for Credential Stuffing Attacks

The Bureau of Internet and Technology at the Office of the New York State Attorney General (OAG) has issued a Business Guide for Credential Stuffing Attacks to raise awareness of the threat and offer advice on steps that can be taken to prevent and mitigate attacks. Credential stuffing is a type of brute force attack where credentials stolen in previous data breaches are used to gain access to other online accounts. Bots are used to...
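
The pattern described above, many different usernames tried from one source in a short window with mostly failed results, is what distinguishes credential stuffing from a user who mistypes a password, and it is invisible to a plain per-account lockout because each account sees only one or two attempts. The following detector is an added example written for this page, not code from the OAG guide; the log format, the sample log lines and the thresholds are all constructed for illustration.

```python
"""Flag credential-stuffing patterns in web-application login logs.

Added example for the credential-stuffing description above; it is not code
from the New York OAG guide. Heuristic: one source IP that tries many
different usernames within a short window and fails most of the time looks
like a bot replaying breached credentials, not a person mistyping a password.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class LoginEvent(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log. Assumed format per line:
# "<ISO timestamp> <client ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2022-01-14T10:00:01 203.0.113.7 alice FAIL
2022-01-14T10:00:02 203.0.113.7 bob FAIL
2022-01-14T10:00:02 203.0.113.7 carol FAIL
2022-01-14T10:00:03 203.0.113.7 dave FAIL
2022-01-14T10:00:03 203.0.113.7 erin SUCCESS
2022-01-14T10:00:04 203.0.113.7 frank FAIL
2022-01-14T10:05:00 198.51.100.9 alice FAIL
2022-01-14T10:05:10 198.51.100.9 alice FAIL
2022-01-14T10:05:30 198.51.100.9 alice SUCCESS
"""


def parse_log(text: str) -> list:
    """Parse the assumed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, result = parts
        events.append(LoginEvent(datetime.fromisoformat(ts), ip, user, result == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_distinct_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for IPs whose attempts inside any `window` span
    at least `min_distinct_users` usernames with a failure rate of at least
    `min_fail_ratio`. The signal is breadth of usernames per IP, which a
    per-account lockout never sees.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        users_in_window = Counter()  # username -> attempts currently inside the window
        fails = 0
        start = 0
        for end, ev in enumerate(evs):
            users_in_window[ev.user] += 1
            fails += not ev.ok
            # Slide the window start forward past events older than `window`.
            while evs[start].ts < ev.ts - window:
                old = evs[start]
                users_in_window[old.user] -= 1
                if users_in_window[old.user] == 0:
                    del users_in_window[old.user]
                fails -= not old.ok
                start += 1
            attempts = end - start + 1
            distinct = len(users_in_window)
            if distinct >= min_distinct_users and fails / attempts >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or distinct > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": distinct,
                                   "attempts": attempts,
                                   "fail_ratio": round(fails / attempts, 2)}
        if ip in flagged:
            # Accounts that authenticated from a flagged IP are the ones to
            # force a password reset on: the stuffed credential was valid.
            flagged[ip]["successful_users"] = sorted({e.user for e in evs if e.ok})
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.7 is flagged (six usernames in four seconds, five failures) and the one account that succeeded from it is listed for a forced reset; 198.51.100.9, three tries against a single account, is not, since that is what a forgotten password looks like. Bots that rotate source IPs defeat a per-IP count, so in production the same sliding-window logic is usually also keyed on user-agent or TLS fingerprint.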

Read More
Purple Fox Malware Being Delivered Disguised as a Telegram Installer
Jan11

Purple Fox Malware Being Delivered Disguised as a Telegram Installer

Threat actors often add malware to software installers, so it is no surprise that researchers at Minerva Labs have discovered installers for legitimate software being used to deliver the Purple Fox rootkit. What makes this campaign different is that the techniques used allow the threat actors to evade most AV engines: most of the attack is kept under the radar and it has low detection rates by AV engines. The Purple Fox rootkit was...

Read More
Developer Changes Open Source Libraries Corrupting Thousands of Applications
Jan10

Developer Changes Open Source Libraries Corrupting Thousands of Applications

The developer of two widely used open-source libraries has intentionally added an update to brick the many thousands of applications that depend on those libraries. The libraries in question are colors.js and faker.js – Colors has more than 22.4 million downloads a week and faker has more than 2.8 million weekly downloads on npm. The developer has added malicious commits to the libraries that result in the applications that...
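
A sabotaged release only reaches downstream builds that are allowed to pick it up automatically, which is what floating version ranges (`^1.4.0`, `~5.5.0`, `*`, `latest`) do at install time. The following check is an added example for this page, not code from colors.js, faker.js or npm: it flags dependencies declared with a floating range and dependencies the lockfile does not fully pin. The manifest, lockfile, package names and hashes are constructed for illustration, and only the lockfileVersion 2/3 `packages` layout is handled.

```python
"""Flag npm dependencies that can silently float to a newer release.

Added example for the colors.js/faker.js incident above; not code from either
project or from npm. A floating range such as "^1.4.0" lets `npm install`
take whatever newest matching version has been published, which is how a
deliberately broken release reaches every downstream build. An exact pin
plus a committed package-lock.json with integrity hashes stops that.
"""
import json
import re

# Exact semver: MAJOR.MINOR.PATCH with optional pre-release/build suffix, nothing else.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
DEP_SECTIONS = ("dependencies", "devDependencies", "optionalDependencies")

# Constructed sample manifest and lockfile (lockfileVersion 2 "packages" layout);
# package names, versions and integrity values are illustrative only.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "colors": "^1.4.0",
        "faker": "~5.5.0",
        "express": "4.17.1",
        "lodash": "*",
        "left-pad": "latest",
        "my-lib": "git+https://github.com/example/my-lib.git",
    },
    "devDependencies": {"jest": ">=27.0.0"},
})
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/colors": {"version": "1.4.0", "integrity": "sha512-constructed"},
        "node_modules/express": {"version": "4.17.1", "integrity": "sha512-constructed"},
        "node_modules/lodash": {"version": "4.17.21"},  # pinned version, but no hash
    },
})


def declared_dependencies(package_json_text):
    """Merge every dependency section of package.json into {name: spec}."""
    data = json.loads(package_json_text)
    deps = {}
    for section in DEP_SECTIONS:
        deps.update(data.get(section, {}))
    return deps


def floating_dependencies(package_json_text):
    """Return {name: spec} for every dependency whose spec is not an exact version.
    Git URLs without a commit hash and tags such as "latest" float as well."""
    return {name: spec for name, spec in declared_dependencies(package_json_text).items()
            if not EXACT_VERSION.match(spec.strip())}


def unlocked_dependencies(package_json_text, lock_text):
    """Return {name: reason} for declared dependencies the lockfile does not
    fully pin: absent from it, or present without an integrity hash (so a
    substituted tarball carrying the same version number would pass)."""
    packages = json.loads(lock_text).get("packages", {})
    problems = {}
    for name in declared_dependencies(package_json_text):
        entry = packages.get("node_modules/" + name)
        if entry is None:
            problems[name] = "not in lockfile"
        elif not entry.get("integrity"):
            problems[name] = "no integrity hash"
    return problems


if __name__ == "__main__":
    print("floating:", floating_dependencies(SAMPLE_PACKAGE_JSON))
    print("unlocked:", unlocked_dependencies(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK))
```

Run against the constructed manifest, only `express` passes both checks. A pinned `package.json` is not sufficient on its own because transitive dependencies are still resolved from their own ranges; the committed lockfile with integrity hashes, installed with `npm ci` rather than `npm install`, is what makes the whole tree reproducible.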

Read More
Microsoft Releases Emergency Updates to Fix Blank Screen Bug in Windows Server
Jan05

Microsoft Releases Emergency Updates to Fix Blank Screen Bug in Windows Server

Microsoft has released emergency out-of-band updates to fix a Windows Server bug that is causing screens to go blank, general slowness, slow sign-ins, and, in some cases, prevents users from using Remote Desktop to reach the server. Users first started reporting issues after installing the KB5008218 update that was released on December 14, 2021. The bug affects the following versions of Windows Server: Windows Server 2022 Windows...

Read More
Patch Released to Fix Year 2022 Bug in Microsoft Exchange
Jan03

Patch Released to Fix Year 2022 Bug in Microsoft Exchange

Microsoft has issued an update to fix a year 2022 bug in MS Exchange that has been causing on-premises Exchange servers to stop delivering emails. The bug is present in on-premises Exchange Server 2016 and Exchange Server 2019 and causes emails to be stuck in transport queues. At midnight on New Year’s Eve, on-premises Exchange servers stopped delivering emails, which remained in a queue to be delivered. Exchange Server logs displayed...

Read More
Redline Malware Used to Steal Passwords from Browsers and Corporate VPNs
Dec31

Redline Malware Used to Steal Passwords from Browsers and Corporate VPNs

Redline malware is now the most commonly used information stealer and is being used in attacks on businesses and consumers. Redline malware first appeared in early 2020 and the number of victims has been steadily growing, and on some cybercrime forums, around half of all stolen credentials listed for sale have come from Redline malware infections. Redline malware is a commodity malware that is being sold on cybercrime forums for...

Read More
LastPass Denies Data Breach After Users Claim Their Master Passwords Were Used to Access Their Vaults
Dec30

LastPass Denies Data Breach After Users Claim Their Master Passwords Were Used to Access Their Vaults

Several LastPass users have claimed their master passwords have been used by unauthorized individuals to access their password vaults, including individuals who claim never to have shared their master password with any other platform, which led to claims that there had been a LastPass data breach. The first attacks on users’ password vaults appear to have started on Monday, December 27, 2021. A password manager allows users to easily create...

Read More
New RCE Vulnerability Patched in Log4j Version 2.17.1
Dec29

New RCE Vulnerability Patched in Log4j Version 2.17.1

Another remote code execution vulnerability has been identified in the Log4j Java-based logging utility, this time in version 2.17.0. Several vulnerabilities in Log4j have been identified over the past month, the first of which was the Log4Shell vulnerability – CVE-2021-44228 – that was fixed in version 2.15.0. The vulnerability was rapidly exploited by threat actors, with the first attacks exploiting the vulnerability occurring...

Read More
Log4J Vulnerability Scanning Tool Released by CISA
Dec24

Log4J Vulnerability Scanning Tool Released by CISA

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner that can be used to identify web services affected by the two recently disclosed Apache Log4J remote code execution vulnerabilities, CVE-2021-44228 (Log4Shell) and CVE-2021-45046, both of which, along with a further DoS vulnerability (CVE-2021-45105), have been fixed in version 2.17.0. The scanner – available on GitHub – was assembled with...

Read More
3 Million Websites Vulnerable to Critical Vulnerability in All in One SEO WordPress Plugin
Dec23

3 Million Websites Vulnerable to Critical Vulnerability in All in One SEO WordPress Plugin

Two vulnerabilities have been identified in the All in One SEO plugin for WordPress, that could be chained and exploited allowing a full site takeover. The search engine optimization plugin has been installed on more than 3 million websites, many of which are still vulnerable. The two vulnerabilities can be chained in an attack by any user with an account on a vulnerable site, even if the account only has low-level privileges such as...

Read More
Microsoft Urges Customers to Patch These 2 Active Directory Vulnerabilities
Dec22

Microsoft Urges Customers to Patch These 2 Active Directory Vulnerabilities

On November 2021 Patch Tuesday Microsoft released patches to fix two vulnerabilities in Active Directory that can be exploited to gain administrative AD privileges if chained together. Microsoft explained that combining the vulnerabilities creates a straightforward path to a Domain Admin user in an Active Directory environment, first by compromising a regular user in the domain and then elevating privileges to admin. Proof-of-concept...

Read More
Log4j Version 2.17.0 released to Address High Severity DoS Bug
Dec20

Log4j Version 2.17.0 released to Address High Severity DoS Bug

The patch (version 2.15.0) to fix the critical Log4Shell vulnerability in the Log4j Java-based logging utility (CVE-2021-44228) did not fully correct the vulnerability and certain non-default configurations of Log4j were still vulnerable. The issue was assigned a different CVE – CVE-2021-45046 – and was corrected in version 2.16.0. The CVE-2021-45046 vulnerability could be exploited and used to craft malicious input data using a...

Read More
APT Actors and Access Brokers Actively Exploiting Log4j Zero-day
Dec16

APT Actors and Access Brokers Actively Exploiting Log4j Zero-day

Microsoft has issued a warning that multiple threat actors have been scanning for systems that have not had the Log4j zero-day vulnerability (CVE-2021-44228) patched and have been conducting attacks to gain access to victims’ networks. Nation-state hacking groups are attempting to exploit the ‘Log4Shell’ vulnerability to install malware on victims’ systems. Microsoft has observed Advanced Persistent Threat (APT) actors linked to...

Read More
Microsoft Patches 6 Zero-Day Bugs and 7 Critical Flaws on December 2021 Patch Tuesday
Dec14

Microsoft Patches 6 Zero-Day Bugs and 7 Critical Flaws on December 2021 Patch Tuesday

December 2021 Patch Tuesday has seen Microsoft issue fixes for 67 vulnerabilities across its product suite, including 6 zero-day vulnerabilities and 7 critical flaws, with 60 vulnerabilities rated important. One of the zero-day vulnerabilities, a Windows AppX Installer issue tracked as CVE-2021-43890, is being actively exploited in real-world attacks to distribute malware such as Emotet, TrickBot, and BazarLoader in phishing campaigns...

Read More
Actively Exploited Log4Shell Vulnerability in Apache Log4j is as Bad as it Gets
Dec13

Actively Exploited Log4Shell Vulnerability in Apache Log4j is as Bad as it Gets

A recently discovered vulnerability in the Apache Log4j Java-based logging library is widely considered to be one of the most dangerous vulnerabilities ever to be discovered, and it is being actively exploited in the wild. The flaw is easy to exploit, can be exploited remotely without authentication, and can allow remote code execution allowing a full server takeover. A proof-of-concept (PoC) exploit for the flaw is in the public...

Read More
SonicWall Urging Users of SMA 100 Appliances to Update the Firmware Immediately
Dec09

SonicWall Urging Users of SMA 100 Appliances to Update the Firmware Immediately

SonicWall has released patches to fix eight vulnerabilities in its Secure Mobile Access (SMA) 100 series appliances, including two critical flaws. Vulnerable SMA 100 series remote access appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, and SMA 100 series appliances with the Web Application Firewall (WAF) enabled. The most dangerous vulnerabilities are two buffer overflow bugs tracked as...

Read More
Emotet Observed Delivering Cobalt Strike Directly to Infected Devices
Dec08

Emotet Observed Delivering Cobalt Strike Directly to Infected Devices

Last year, Emotet malware was the most prevalent malware threat but a coordinated international law enforcement operation finally resulted in its infrastructure being seized. At the time of the takedown, Europol considered Emotet to be the world’s most dangerous malware and botnet, with the takedown swiftly neutralizing the threat. The hundreds of thousands of infected devices that made up the botnet finally had the malware removed on...

Read More
New Malware Variant Being Used in Targeted Attacks by SolarWinds Hackers
Dec07

New Malware Variant Being Used in Targeted Attacks by SolarWinds Hackers

The Advanced Persistent Threat (APT) actor believed to be responsible for the SolarWinds supply chain attack is continuing to conduct attacks on U.S. companies to steal data of interest to the Russian government. Researchers at Mandiant have identified a new malware downloader being used by the APT actor known as Nobelium, Cozy Bear, APT29, and UNC2452. According to Mandiant, a new malware downloader dubbed CEELOADER is delivered...

Read More
COVID-19 Omicron Phishing Scam Targets UK Residents Offering Free NHS Omicron PCR Test
Dec06

COVID-19 Omicron Phishing Scam Targets UK Residents Offering Free NHS Omicron PCR Test

A COVID-19 Omicron phishing campaign has been detected that spoofs the UK’s National Health Service and attempts to get individuals to disclose sensitive personally identifiable information and financial details. The campaign takes advantage of fear about the new Omicron variant of the coronavirus, which could potentially be more transmissible than other SARS-CoV-2 variants and make current vaccines less effective. Scientists around...

Read More
Warning Issued About Active Exploitation of Critical Zoho ManageEngine ServiceDesk Plus Vulnerability
Dec03

Warning Issued About Active Exploitation of Critical Zoho ManageEngine ServiceDesk Plus Vulnerability

At least one APT actor is exploiting a critical vulnerability in the IT helpdesk and asset management solution, Zoho ManageEngine ServiceDesk Plus, according to a joint security advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2021-44077, has a severity score of 9.8 out of 10 and is related to the /RestAPI URLs in a servlet and...

Read More
Multiple APT Actors Using Novel RTF Template Injection Technique in Phishing Attacks
Dec02

Multiple APT Actors Using Novel RTF Template Injection Technique in Phishing Attacks

A novel Rich Text Format (RTF) Template Injection technique is being used in phishing campaigns conducted by multiple nation-state hacking groups. Researchers at Proofpoint say they first identified this technique being used in March 2021 and its use has been steadily growing. The technique was initially used by the Indian APT group DoNot Team (APT-C-35), followed by the Chinese APT group TA423, then the Russian APT actor Gamaredon....

Read More
Vaccine Manufacturers Targeted with Metamorphic Tardigrade Malware
Nov30

Vaccine Manufacturers Targeted with Metamorphic Tardigrade Malware

The biomanufacturing sector has been warned about targeted attacks involving Tardigrade malware – a sophisticated metamorphic variant of the SmokeLoader backdoor. Tardigrade malware is known to have been used in two cyberattacks on companies in the biomanufacturing sector in 2021. In the spring of this year, a large biomanufacturing facility was targeted and a second facility was infected with the malware in October. The attacks...

Read More
New JavaScript Malware Delivers Multiple RATs and Info Stealers
Nov25

New JavaScript Malware Delivers Multiple RATs and Info Stealers

A new JavaScript malware dubbed RATDispenser is being used to deliver at least 8 different Remote Access Trojans (RATs), information stealers, and keyloggers. According to an analysis by the HP Threat Research team, three different variants of RATDispenser have been detected in the past 3 months and 155 samples have been intercepted. All but 10 of those samples act as first-stage malware droppers that do not communicate with an...

Read More
PoC Exploit Released for High Severity Microsoft Exchange Server RCE Flaw
Nov23

PoC Exploit Released for High Severity Microsoft Exchange Server RCE Flaw

A proof-of-concept exploit for a high-severity post-auth vulnerability in Microsoft Exchange Server 2016 and Exchange Server 2019 has been made public. The flaw, tracked as CVE-2021-42321, is due to improper validation of cmdlet arguments and can be exploited remotely by an attacker to execute arbitrary code on vulnerable Exchange servers. Microsoft released a fix for the CVSS 8.8 severity flaw two weeks ago on November 2021 Patch...

Read More
APT Actor Actively Exploiting Zero-day Vulnerability in FatPipe MPVPN Devices
Nov19

APT Actor Actively Exploiting Zero-day Vulnerability in FatPipe MPVPN Devices

The Federal Bureau of Investigation (FBI) has warned users of FatPipe MPVPN devices that an Advanced Persistent Threat (APT) actor is exploiting a zero-day vulnerability in the device software and has been since at least May 2021. The vulnerability is present in the web management interface of FatPipe software and is due to a lack of input validation checks for certain HTTP requests. The vulnerability can be exploited by sending...

Read More
The Emotet Botnet is Back: TrickBot Infrastructure Being Used to Rebuild the Botnet
Nov17

The Emotet Botnet is Back: TrickBot Infrastructure Being Used to Rebuild the Botnet

The infrastructure of the Emotet botnet was taken down in a Europol/Eurojust coordinated law enforcement operation in January 2021. Since the takedown it has been all quiet on the Emotet front, but the Emotet botnet has now returned. That law enforcement operation saw the infrastructure seized and taken down and two individuals believed to have played key roles in maintaining the infrastructure of the botnet were arrested. The Emotet...

Read More
Legitimate FBI System Hacked and Used to Send Spam Emails About Fake Cyberattack
Nov15

Legitimate FBI System Hacked and Used to Send Spam Emails About Fake Cyberattack

A spam email campaign involving at least 100,000 emails has been conducted using ‘hacked’ FBI-owned servers. The messages advised the recipients that their network had been breached and data was stolen. The emails were sent from the legitimate [email protected] email account and, as such, were passed by the DomainKeys Identified Mail (DKIM) mechanism. The Spamhaus project said the messages were delivered to at least 100,000 mailboxes,...

Read More