CISA and CrowdStrike Release Free Azure/O365 Analysis Tools to Identify Malicious Activity
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a PowerShell-based tool for detecting unusual and potentially malicious activity in Azure/Office 365 environments. The tool can be downloaded free of charge and used by incident response teams to identify the identity- and authentication-based attacks that have been observed in multiple sectors in the wake of the SolarWinds...
Lazarus Group Targeting COVID-19 Research and Vaccine Data
Kaspersky has confirmed the Lazarus Advanced Persistent Threat (APT) group has conducted two cyberattacks on entities involved in COVID-19 vaccine research. The cyberattacks occurred in the fall of 2020, with the APT group using different tactics techniques and procedures (TTPs) in each of the attacks. One attack was performed on October 27, 2020 on a government health ministry using a sophisticated malware known to Kaspersky as...
More Than 3 Million Chrome and Edge Users Have Malware-Infected Browser Extensions
Approximately 3 million users of Google Chrome and Microsoft Edge have been infected with malware that has been hidden in browser extensions, according to a new report from antivirus company Avast. At least 28 JavaScript-based Chrome and Edge extensions for Instagram, Facebook, Vimeo and others have had malicious code added, which is used to steal personal data and redirect users to adverts and phishing websites. The malicious code...
Microsoft and the U.S. Nuclear Agency Confirmed as Victims of SolarWinds Hack
The number of confirmed victims of the SolarWinds hack is growing. Microsoft has confirmed it was hacked, although its software was not apparently compromised. Reuters had reported that after compromising Microsoft, the hackers had modified its software to distribute malicious files to its clients. Microsoft issued a statement claiming the Reuters article was incorrect and while SolarWinds binaries were found in its environment, they...
Contact Form 7 Vulnerability Places 5 Million WordPress Sites at Risk of Takeover
A critical vulnerability has been identified in the popular WordPress plugin, Contact Form 7, which has been installed on approximately 5 million websites. The vulnerability, tracked as CVE-2020-35489, is easy to exploit and can be exploited remotely without the attacker having to authenticate on a vulnerable website. The vulnerability is classed as an unrestricted file upload bug, according to Astra Security Research, which...
Researchers Find More than 45 Million Medical Images Stored on Unprotected Servers
More than 45 million medical images are currently exposed on unprotected servers and can be accessed freely over the internet without usernames or passwords. The medical images include metadata that includes personal and protected health information, which could be used for a variety of nefarious purposes. The unprotected images, which include MRIs, CT scans, and X-Rays were found by researchers at the CyberAngel Analyst Team, who...
SolarWinds Supply Chain Attack Impacts up to 18,000 Customers
Hackers successfully compromised the SolarWinds Orion software solution and incorporated a backdoor dubbed SUNBURST that has been downloaded by up to 18,000 of its customers, including many large enterprises and government agencies. SolarWinds Orion is a software solution used by large enterprises and government agencies to manage their IT networks and IT infrastructure. The software is used by all five branches of the U.S. military,...
K-12 Schools Warned About Cyber Actors Targeting Distance Learning Education
The U.S. Cybersecurity and infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint advisory to K-12 schools warning that cyber actors are conducting targeted attacks on distance learning education. Cyber actors are attempting to disrupt distance learning services, gain access to sensitive data, and conduct ransomware...
Spear Phishing Campaign Spoofing Microsoft.Com Sees Emails Delivered to Office 365 Inboxes
Researchers at Israeli cybersecurity firm Ironscales have identified a spear phishing campaign targeting Office 365 users that spoofs the Microsoft.com domain. Several thousand Office 365 mailboxes are known to have been targeted, with around 100 customers of Ironscales having been sent the phishing emails. Those customers span several industry sectors including healthcare, insurance, telecom, manufacturing, and financial services....
FireEye Discloses Data Breach and Confirms Theft of Red Team Tools
The U.S. cybersecurity firm FireEye has announced a sophisticated threat actor has successfully hacked into its systems and stole Red Team assessment tools that the company uses to test the security of its customers’ systems. The stolen tools mimic those used by many cyber threat actors to gain access to organizations’ systems. Cyberattacks on cybersecurity companies are relatively rare, but they do occur, with Trend Micro, Avast, and...
Kubernetes Bug Allows Traffic from Other Pods in Multi-Tenant Clusters to be Intercepted
A Kubernetes vulnerability has been identified that could allow an attacker to intercept traffic from other pods in multi-tenant Kubernetes clusters. The vulnerability, discovered by Etienne Champetier of Anevia, can be exploited remotely in a man-in-the-middle attack by an individual with basic tenant permissions, without any user involvement required. If an attacker has permissions to create and update services and pods, they could...
Foreign APT Groups Targeting Think Tanks, Warns CISA/FBI
The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have issued a warning about ongoing cyberattacks on think tanks by foreign Advanced Persistent Threat (APT) groups. The purpose of the attacks is to gain persistent access to victim networks for espionage purposes. This is achieved through phishing attacks to gain access to user credentials and by exploiting vulnerabilities in...
BEC Scammers Using Auto-Forwarding Rules in Web-Based Email Clients to Prevent Detection
Cybercriminals have been using auto-forwarding rules in web-based email clients to increase the chances of success of their business email compromise (BEC) scams, according to a recently issued TLP: WHITE Joint Private Industry Notification from the Federal Bureau of Investigation (FBI). Business email compromise scams involve gaining access to a corporate email account and using that account to send emails to other individuals in the...
Cyberbiological Attack Could Fool Scientists into Creating and Using Dangerous DNA
A new, theoretical cyberattack has been described by a team of researchers at Ben-Gurion University (BGU) in Israel that could be used in a devastating biological attack. Every year, commercial DNA synthesizers create billions of nucleotides, which are sold to customers and generate billions of dollars in sales. There is growing concern that a cyberattack could be conducted to interfere with the synthetic DNA orders. Just as in a...
Cyberattacks Increased During the Pandemic as Enterprises Struggled with Security with a Remote Workforce
A recent study conducted by the California based endpoint security and systems management company Tanium suggests enterprises have struggled with security during the pandemic and have experienced an increase in cyberattacks. Tanium commissioned a Censuswide survey of 1,000 CXOs and vice presents at enterprise and government organizations in the United States, United Kingdom, France and Germany in June 2020 to explore how they coped...
Egregor Ransomware Vying to Become the Top Ransomware Threat
The Maze ransomware gang may have shut down its operation, but there is now a new ransomware variant that is vying to take its place as one of the biggest ransomware threats. Egregor ransomware first appeared in September 2020, claiming 15 victims in the month, followed by attacks on the US bookseller, Barnes & Noble, and the French and German video game developers, Ubisoft and Crytek. Since then, the number of attacks using...
Patch MobileIron Vulnerability Immediately, Warns NCSC
The UK National Cyber Security Centre (NCSC) has issued an alert that confirms Advanced Persistent Threat (APT) groups and cybercriminals are currently exploiting the MobileIron remote code execution vulnerability, CVE-2020-1550 to compromise the networks of UK companies. Attacks have been conducted on local government, healthcare organizations, and companies in the logistics and legal sectors, and there have been several cases where...
Warning Issued After Discovery of Scores of Spoofed FBI Websites
Scores of domains have been identified which spoof official Federal Bureau of Investigation (FBI) websites, prompting the FBI’s Internet Crime Complaint Center to issue a warning. While the intentions of the individuals who registered the domains is not known, it is strongly suspected that the domains were intended for use in future phishing or malware distribution campaigns. The domains could be used to register email accounts that...
FBI Issues Warning Following Increase in Ragnar Locker Ransomware Activity
A recent increase in Ragnar Locker ransomware activity has prompted the Federal Bureau of Investigation (FBI) to issue a warning to private industry partners. The alert provides information to help system administrators and security professionals protect against attacks. Ragnar Locker is a relatively new ransomware strain, first identified in April 2020. The ransomware variant was used in an attack by unknown threat actors on a large,...
Facebook Fixes Messenger Bug That Allows Audio to be Transmitted Without a User’s Permission
A critical flaw in the Facebook Messenger messaging app for Android which allowed callers to listen to users’ surroundings without permission has been fixed by Facebook. The bug allowed callers to eavesdrop on the person they were calling before the call was answered. In order to exploit the flaw, a caller would need to send a type of message known as SdpUpdate to the person they were calling, which would allow them to connect to the...
Malsmoke Campaign Delivers ZLoader Malware via Popups on High Traffic Adult Websites
A malware distribution campaign identified by security researchers at Malwarebytes is now distributing a ZLoader malware variant via popups on popular adult websites. The campaign – named Malsmoke by Malwarebytes – has been active since at least August 2020. Initially, the threat actors were using exploit kits to deliver the Smoke Loader malware dropper; however, in October they changed tactics and switched to fake Java update...
Use of SSL Certificates in Malware and Phishing Attacks Up 260% in 2020
Abuse of SSL certificates in phishing and malware attacks has increased by 260% in the first 9 months of 2020, according to a new report from Zscaler. Zscaler analyzed more than 6.6 billion threats for the report and found a major rise in the use of encryption to hide attacks. Encryption was being used across the full attack cycle, according to the researchers, including the initial delivery of malware or malicious links to the...
Microsoft Fixes 112 Vulnerabilities Including 17 Critical Flaws
November 2020 Patch Tuesday has seen Microsoft correct 112 vulnerabilities across its range of products, including 17 critical flaws. 93 of the vulnerabilities are rated important and two are rated low severity. This month’s updates see a change to the way Microsoft reports the vulnerabilities, with the descriptions of each no longer included. Instead, Microsoft is relying on the CVSS scores to provide information on the severity of...
RansomEXX Ransomware Now Targets Windows and Linux Servers
Kaspersky has announced it has discovered a Linux version of RansomEXX ransomware – aka Defray777. This is one of the first times that a Windows ransomware strain has been adapted to attack Linux systems, with the new variant able to be used in targeted attacks on organizations that have both Windows and Linus systems to cause greater disruption. RansomEXX is a relatively new human-operated ransomware variant which was first detected...
Three Actively Exploited Zero Days in the iOS Operating System Patched by Apple
Patches have been released to correct three zero-day vulnerabilities in the iOS operating systems that are currently being exploited in the wild. The vulnerabilities affect the following Apple devices: iPhones – 6s and later iPads Air 2 and later iPad mini 4 and later iPod 7th generation All three vulnerabilities have been corrected in iOS 14.2, along with several other vulnerabilities A memory corruption issue exists which can be...
October Threat Report Shows 1,200% Increase in Emotet Attacks in Q3, 2020
New data from HP Inc. shows cyberattacks involving the Emotet Trojan increased by more than 1,200% between Q2, 2020 and Q3, 2020. The data for the company’s October 2020 Threat Insights Report come from HP Sure Click Enterprise, a security solution used on enterprise desktops and laptops that captures malware and allows it to run in a secure container. Data were collected from 1 July to 30 September 2020, with the report proving...
Adobe Update Corrects 14 Vulnerabilities in Acrobat and Reader Including 4 Critical Flaws
Adobe has released an out-of-band update to correct several vulnerabilities in Adobe Acrobat and Adobe Reader, just a week before November Patch Tuesday when updates are usually scheduled for release. 14 vulnerabilities have been corrected in the update, including 4 critical vulnerabilities in Acrobat and Reader for both Windows and macOS operating systems. The critical vulnerabilities can be exploited remotely and allow the execution...
Zero-Day Windows Flaw Allowing Sandbox Escape Being Actively Exploited in the Wild
Google Project Zero has disclosed a high severity Windows vulnerability that has yet to be patched by Microsoft after the flaw was observed being exploited in the wild by hackers. The Windows driver bug, which allows local privilege escalation and sandbox escape, was announced just 7 days after it was reported. While the Google Project Zero team usually waits until a patch has been made available before disclosing a vulnerability, the...
WordPress 5.5.2 Released: 10 Vulnerabilities Corrected Including 1 High-Severity Flaw
Version 5.5.2 of the WordPress content management platform has been released. The latest WordPress version fixes 10 security vulnerabilities, including one high-severity flaw that could be exploited to take over a targeted website. A remote attacker could conduct a narrow denial of service attack, which could then turn into a remote code execution issue. The vulnerability is due to how WordPress manages internal resources within the...
Ryuk Ransomware Gang Steps Up Attacks on U.S. Hospitals
The U.S Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (HHS) have issued a warning to healthcare providers and public health agencies of an imminent threat of attacks using Ryuk ransomware. An advisory was issued on October 28, 2020 after credible evidence was uncovered indicating the operators of Ryuk...
Maze Ransomware Gang Shuts Down Operations
The Maze ransomware gang, which operated one to the most prolific ransomware campaigns over the past 18 months year, has shut down. The Maze ransomware operators were the first to utilize a double-extortion tactic involving the theft of data prior to the encryption of files to increase the likelihood of the ransom being paid. While all ransomware operations involve the encryption of files and the payment of a ransom in order to obtain...
Top 25 Vulnerabilities Exploited by Chinese State Sponsored Hackers
Chinese state-backed hackers are targeting U.S. organizations for espionage purposes, with access to computer systems usually gained by exploiting unpatched vulnerabilities. Hackers are scanning for unpatched systems and use publicly released or homegrown exploits to gain a foothold in networks with a view to stealing intellectual property and sensitive data. On Tuesday, the U.S. National Security Agency (NSA) published a list of 25...
DOJ Charges 6 GRU Hackers for NotPetya Wiper Attacks
The U.S. Department of Justice has indicted six Russian intelligence operatives for the 2017 NotPetya malware attacks and other major hacking operations. All six individuals are believed to be members of Russia’s Main Intelligence Directorate, GRU, and specifically GRU Unit 74455, otherwise known as Sandworm. The hackers are believed to be responsible for the June 27, 2017 destructive NotPetya attacks, which have been estimated...
Ryuk Ransomware Gang Uses Zerologon Exploit to Achieve Domain-Wide Encryption in Just 5 Hours
The threat actors behind Ryuk ransomware have started using an exploit for the Zerologon privilege escalation flaw, CVE-2020-1472, which has allowed them to perform ransomware attacks at breakneck speed. The Zerologon vulnerability allows them to compromise a domain controller and all Active Directory identity services. In one successful attack, it took the attackers just two hours from an initial phish to exploit the vulnerability,...
Microsoft Issues Out-of-Band Updates to Correct Two RCE Flaws
On Friday, Microsoft issued out-of-band patches to correct two flaws which could potentially lead to remote code execution. The flaws have been rated ‘important’ by Microsoft, although they could potentially be exploited by an attacker to gain full control of a vulnerable system. One of the flaws – tracked as CVE-2020-17023 – affects Microsoft’s Visual Studio Core, a source code editor for Windows, Linux, and macOS. If exploited, an...
Microsoft Patches 11 Critical and 75 Important Flaws on October 2020 Patch Tuesday
October 2020 Patch Tuesday has seen Microsoft issue patches to correct 87 flaws across its product range, including 11 Critical flaws and 75 Important vulnerabilities. An advisory has also been issued about a critical vulnerability in Adobe Flash Player. This month’s round of updates includes fixes for six publicly disclosed vulnerabilities. Microsoft is unaware of any cases where the flaws have been exploited and all have been rated...
Coalition of Tech Firms Takedown TrickBot Botnet
The backend infrastructure of the TrickBot botnet has been taken down by a coalition of tech companies and government agencies, including Microsoft ESET, NTT, Black Lotus Labs, Symantec, and FS-ISAC. The takedown is the result of several months of painstaking work involving the analysis of more than 125,000 samples of the TrickBot Trojan by the coalition members, who studied the content and extracted and mapped information about how...
Multiple Threat Groups are Exploiting the Microsoft Zerologon Vulnerability
Microsoft has issued a warning following the discovery of multiple threat groups using exploits for the Zerologon vulnerability – CVE-2020-1472 – in the core authentication component of Active Directory of Windows Server and the Windows Netlogon Remote Protocol (MS-NRPC). The flaw is an elevation of privilege vulnerability that can be exploited when an attacker establishes a vulnerable Netlogon secure channel connection to a...
Male Chastity Device Vulnerability Could be Exploited to Cause Permanent Locking
Vulnerabilities have been identified in a male chastity device that could be exploited to cause the device to permanently lock. Should that happen, and you don’t have an angle grinder or the nerve to use one, it could prove to be a very embarrassing emergency room trip or fire department callout. The reason Bluetooth connectivity has been added to the Cell Mate male chastity device is to allow a trusted individual to be provided with...
CISA Issues Emotet Malware Alert Following Sharp Increase in Attacks
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert about Emotet malware following an increase in successful attacks on state and local governments in the United States since August 2020. Emotet is distributed via phishing emails sent by the Emotet botnet – a network of computers that have been infected with Emotet malware. The botnet often conducts spam runs involving more...
Sanctions and Penalties Could be Imposed for Paying Ransomware Payments
Following a ransomware attack, many firms choose to pay the ransom demand to obtain the keys to decrypt files and prevent the sale or publication of data stolen in the attack. Many choose to use third party companies to negotiate with the attackers and pay the ransom. Payment of the ransom is not recommended by the FBI, as there is no guarantee that valid keys to decrypt files will be provided and payment of a ransom encourages threat...
Emotet Campaign Impersonates Democratic National Convention
An Emotet malware campaign is underway which has already targeted hundreds of organizations in the United States. The emails spoof the Democratic National Convention with messages claiming to be a call to action to recruit DNC volunteers across the country to help elected Democrats in the upcoming presidential election, as part of the DNC Team Blue initiative. The threat group behind Emotet, TA542, usually uses lures such as shipping...
Universal Health Services Ransomware Attack Cripples Hospitals Across the United States
Universal Health Services (UHS) has suffered a ransomware attack that has taken IT systems out of action across its nationwide network of hospitals. UHS is a Fortune 500 healthcare provider and one of the largest providers of hospital and healthcare services in the United States. UHS has around 400 hospitals and healthcare facilities throughout the United States, Puerto Rico and the UK and had annual revenues of $11.37 billion in...
Windows XP Source Code Leaked Online
Anyone still using Windows XP has been given an additional reason to finally upgrade to a supported Windows operating system. The source code for Windows XP SP1 and other Windows versions has been leaked online. It has been almost 20 years since Microsoft released Windows XP. Microsoft provided support for the popular operating system for 12 years, with extended support coming to an end on April 8, 2014. After that date patches and...
Zerologon Exploits Now Being Used in the Wild, Warns Microsoft
Earlier this month, the DHS Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive about a critical vulnerability— CVE-2020-1472—that affected Microsoft Windows Netlogon Remote Protocol after proof-of-concept exploit code was publicly released. Microsoft has now issued a warning after hackers have been observed using exploits for the vulnerability in real world attacks. The vulnerability, named Zerologon...
Maze Ransomware now Uses Virtual Machines to Evade Endpoint Defenses
The operators of Maze ransomware have adopted a new tactic to evade endpoint security solutions. The gang has been observed encrypting computers from inside virtual machines, a tactic also used by the operators of Ragnar Locker ransomware. The new tactic was discovered by researchers at Sophos when responding to a ransomware attack on one of their customers. The Maze gang twice attempted to launch ransomware executables but were...
Ransomware Attack on Hospital Leads to the Death of a Patient
A ransomware attack on a German hospital that took critical systems out of action and forced the cancellation of appointments and the temporary closure of its emergency department has led to the death of a patient. On or before September 10, 2020, Düsseldorf University Clinic was attacked with ransomware. The file encryption caused systems to crash and prevented patient information from being accessed. The extent of the encryption and...
Billions of Devices Vulnerable to ‘BLESA’ Bluetooth Spoofing Vulnerability
A vulnerability has been discovered in the Bluetooth Low Energy (BLE) reconnection process that could be exploited by an attacker to bypass the reconnection authentication requirements and send spoofed data to a device. The BLE protocol is a slimline version of standard Bluetooth that was developed to keep Bluetooth connections active while conserving battery power. Due to the low power requirements, BLE has proven popular with...
Hacking Group Observed Installing Weave Scope Tool to Gain Visibility and Control of Business Cloud Environments
The threat detection and response firm Intezer has observed a hacking group using the Weave Scope visualization and monitoring tool to gain visibility into and take control of compromised Docker and Kubernetes cloud environments. The hacking group, referred to as TeamTNT by Intezer, is known to target Docker and Kubernetes systems and has been observed using a credential-stealing worm to discover and exfiltrate AWS login credentials....
Adobe Patches 12 Critical Flaws in Experience Manager, InDesign, and Framemaker
Adobe has released patches to correct 18 flaws on September 2020 Patch Tuesday. The flaws exist in Adobe Experience Manager, Adobe InDesign, and Adobe Framemaker. 12 of the vulnerabilities have been rated critical, with the rest rated important. 5 patches have been released to correct critical cross-site scripting vulnerabilities in Adobe Experience Manager (CVE-2020-9732, CVE-2020-9734, CVE-2020-9740, CVE-2020-9741, and...
September 2020 Patch Tuesday: Microsoft Fixes 129 Vulnerabilities; 20 Critical
Microsoft has issued patches to correct 129 vulnerabilities on September 2020 Patch Tuesday, 32 of which are remote code execution vulnerabilities and 20 have been rated critical. The vulnerabilities are spread across 15 products. While there is a large number of critical vulnerabilities in this month’s round of updates, none of the vulnerabilities are currently being exploited in the wild, although exploits for some of the flaws are...
Microsoft Will End Support for Adobe Flash Player on January 1, 2020
Microsoft has announced that web browser support for Adobe Flash Player will end on January 1, 2021. Adobe Flash Player will no longer be distributed or updated from December 31, 2020. The Security Update for Adobe Flash Player, which is usually released on Patch Tuesday every month for Microsoft Edge and Internet Explorer will end after December 2020. “Beginning in January 2021, Adobe Flash Player will be disabled by default...
New Cryptocurrency Stealing KryptoCibule Malware Family Identified
For the past two years, a cryptocurrency-stealing malware named KryptoCibule has been used to mine cryptocurrency on victims’ machines, steal cryptocurrency wallets, and hijack transactions. Malware targeting cryptocurrency tends to either involve mining cryptocurrency or stealing wallets/hijacking transactions. This malware does all three and also plants a backdoor into victim’s devices, allowing them to be remotely accessed....
Phishing Campaign Offering PPE Delivers Agent Tesla RAT
Researchers at Area 1 Security have identified a phishing scam that spoofs legitimate chemical companies, exporters and importers to deliver the Agent Tesla Remote Access Trojan (RAT). The phishing emails offer the recipient personal protective equipment (PPE) such as forehead temperature thermometers, disposable face masks, and other medical supplies that have been in short supply. The emails claim that the company has started mass...
New Version of Qbot Trojan Can Hijack Email Threads
Check Point researchers have identified a new version of the Qbot Trojan, a malware threat that first appeared 12 years ago. Qbot is an information stealer that attempts to steal banking information, credit card numbers, passwords, cookies, and emails. It is also known to download other malware variants, including ransomware. Remote connections can also be made with infected devices to make bank transactions from the victim’s IP...
New “FritzFrog” P2P Botnet Targeting SSH Servers of Banks, Medical Centers, Government Offices and Universities
A new, sophisticated, and stealthy peer-to-peer (P2P) botnet named FritzFrog has been discovered which is being used to target SSH servers. The botnet was identified and analyzed by security researchers at Guardicore Labs who report that the botnet has been active since at least January 2020 and has been used in targeted attacks on government offices, medical centers, banks, telecoms companies, and education institutions, and finance...
Microsoft Releases Out of Band Update for Windows 8.1, RT 8.1, and Windows Server 2012 R2
Microsoft has released an out of band update for Windows 8.1, RT 8.1, and Windows Server 2012 R2 to fix two privilege escalation flaws in the Windows Remote Access service. The two flaws – tracked as CVE-2020-1530 and CVE-2020-1537 – affect all supported versions of Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 and are due to improper handling of memory. In order to exploit the flaws, an attacker would need to have...
Patch Critical Citrix Endpoint Management (XenMobile Servers) Vulnerabilities Now
Five vulnerabilities, including two critical flaws, have been identified in Citrix Endpoint Management (CEM) – also known as XenMobile Server – which is used by businesses to manage employees’ mobile devices and applications, apply updates, and manage security settings. The critical flaws – tracked as CVE-2020-8208 and CVE-2020-8209 – could be exploited remotely and would allow an unauthenticated individual to access domain...
Popular Keylogger and Info Stealer Now Steals Credentials from Browsers and VPNs
Agent Tesla malware has received an update. The information stealer and keylogger can now steal passwords from browsers, VPN clients, FTP and email clients. Agent Tesla is a .Net-based remote access Trojan (RAT) that first appeared in 2014. The malware is offered for sale on hacking forums and darknet marketplaces and has proven to be a popular choice with low-level hackers and BEC scammers. The malware can be used in various stages...
Microsoft Fixes 120 Vulnerabilities on August 2020 Patch Tuesday, Including 17 Critical Flaws
August 2020 Patch Tuesday has seen Microsoft release 120 patches covering 13 products and a Servicing Stack Update for Windows 10 advisory. 17 of the vulnerabilities are rated critical, including 2 zero days, and 103 have been rated important. The two zero days are being actively exploited and an exploit for one of those flaws has been released publicly, so it is important for the security updates to be applied as soon as possible....
Adobe Fixes 26 Vulnerabilities Including 11 Critical Flaws
Adobe has released patches to address 26 vulnerabilities in Adobe Acrobat and Adobe Reader, including 11 flaws that have been rated critical. The critical flaws could be exploited to bypass security controls, with 9 of the critical flaws allowing the remote execution of arbitrary code. The remote code execution vulnerabilities are a mix of out-of-bounds write vulnerabilities (CVE-2020-9693 and CVE-2020-9694), use-after-free...
INTERPOL Report Shows Major Increase in Cyberattacks During the COVID-19 Pandemic
INTERPOL has completed an assessment of the impact of COVID-19 on cybercrime and has found a major increase in attacks during the pandemic, with cybercriminals shifting their focus from targeting individuals and small businesses to attacking large corporations, critical infrastructure, and government agencies. With many countries implementing lockdowns to curb COVID-19 infections, businesses have been forced into allowing virtually of...
Online Shopping Scams Have Soared During the COVID-19 Pandemic
There has been a major increase in online shopping scams during the COVID-19 pandemic, according to a recent public service announcement by the FBI. Reports to the FBI’s Internet Crime Complaint Center (IC3) from victims of online shopping scams have soared in recent months. Many of the reports concern orders from websites where the goods are not received or where different items to those ordered were sent. Victims of these scams were...
FBI Issues Flash Alert Warning of Netwalker Ransomware Attacks
The FBI has issued a Flash Alert following an increase in Netwalker ransomware attacks in the United States. Netwalker ransomware was first identified in March 2020 and was used in an attack on the Australian transportation and logistics company Toll Group. Attacks have also been conducted on an Illinois public health department, a Maryland operator of assisted living facilities, and the University of California, San Francisco. The...
Vulnerability in Cisco’s Network Security Products Being Actively Exploited
A high severity flaw in Cisco’s network security products is now being actively exploited. The vulnerability is present in the Cisco products used by many large enterprises and Fortune 500 firms and allows a remote attacker to gain access to sensitive data. The vulnerability is tracked as CVE-2020-3452 and was assigned a CVSS v3 base score of 7.5 out of 10. The flaw is present in the web services interface of Cisco’s Firepower Threat...
Critical Vulnerability in F5 Networks BIG-IP Devices Exploited in Real-World Attacks
On Friday, July 24, 2020, the DHS Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers have started exploiting the CVE-2020-5902 vulnerability in F5 Networks BIG-IP devices. F5 BIG-IP devices are used for load balancing and generally sit between the firewall and a web application. They are used by many Fortune 500 companies, large enterprises, and government agencies and are an attractive target for hackers....
Out of Band Update Corrects 12 Critical Flaws in Adobe Photoshop, Prelude and Bridge
Adobe has issued an out of band update to correct 12 critical vulnerabilities in Adobe Photoshop, Adobe Prelude, and Adobe Bridge, and an information disclosure vulnerability in Adobe Reader Mobile for Android. The critical flaws could all lead to remote code execution on Windows machines in the context of the current user. The impact of the flaws will be limited for standard Windows users, although exploits for the vulnerabilities...
17-Year Old Critical Wormable DNS Bug Patched by Microsoft
Microsoft has released a patch for a critical, wormable flaw in Microsoft’s Windows DNS Server that dates back to 2003. The vulnerability, tracked as CVE-2020-1350, was identified by security researchers at Check Point who named it SIGRed. Virtually all businesses will be running DNS with Active Directory and will be affected. Given the number of businesses affected, the ease of exploitation, and how the flaw could be exploited to...
Maximum Severity Flaw in SAP Could Allow Full Takeover of Enterprise System
The U.S. Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency has issued an alert about a critical vulnerability in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. The flaw, tracked as CVE-2020-6287, can be exploited through HTTP and would allow an attacker to take full control of vulnerable SAP applications. The flaw was discovered by researchers at Onapsis who named...
Zoom Fixes Zero-Day Legacy Windows RCE Flaw
A zero-day vulnerability in the Zoom Windows client that could potentially allow remote code execution has now been patched by Zoom. The flaw only affected users running Windows 7 or earlier Windows versions. Later Windows versions were unaffected. Last week, Acros Security announced in a blog post that a zero-day vulnerability had been discovered, and Zoom was notified around the same time. Details about the flaw were not publicly...
Purple Fox Trojan Developers Create Their Own Exploit Kit and Add Two New Microsoft Exploits
The developers of the Purple Fox Trojan/rootkit have created their own exploit kit to distribute their malware and have recently added exploits for two recently patched Microsoft vulnerabilities, according to cybersecurity firm Proofpoint. The first exploit is for the high severity elevation of privilege vulnerability in the Win32k component of Windows, which was patched by Microsoft on October Patch Tuesday 2019. The second exploit...
Critical Vulnerabilities Identified in Apache Guacamole Remote Access System
Security researchers have discovered multiple vulnerabilities in the Apache Guacamole remote access system used by thousands of companies to support home workers. Apache Guacamole is a clientless remote desktop gateway that allows remote workers to access their corporate computers or virtual desktops in the cloud through a web browser. Apache Guacamole supports standard protocols such as VNC, SSH, RDP. The Guacamole server uses one of...
Microsoft Releases Out of Band Fixes for Two Serious Flaw in the Windows Codecs Library
Microsoft has released an out of band update to correct two serious vulnerabilities in the Windows Codecs library, which, if exploited, could allow remote code execution. The operating system uses the built-in Windows Codecs library to handle multimedia content such as photos and videos and handles how large multimedia files are compressed and decoded for playback within applications. The flaws are both concerned with how the Windows...
Warning Issued Over Maximum Severity Vulnerability in Palo Alto Networks Products
U.S. Cyber Command has issued a warning about a maximum severity vulnerability in the Palo Alto Networks’ operating system. While the flaw is not currently being exploited in the wild, it will be. Advanced persistent threat actors are expected to attempt to exploit the flaw so prompt patching is essential. The severity of this flaw should not be underestimated. The vulnerability, tracked as CVE-2020-2021, is an authentication bypass...
ESET Reports Doubling of Brute Force Attacks on Remote Desktop Services During the COVID-19 Pandemic
Cybersecurity firm ESET has analyzed its telemetry data and found there has been a major increase in brute force attacks on remote desktop services during the COVID-19 pandemic. There was a steady increase in attacks between December 1, 2019 and May 1, 2020, rising from around 30,000 brute force attacks a day in early December to around 60,000 daily attacks by the end of the month. Then followed a slight decline, before a sharp rise...
REvil Threat Group Starts Using New WastedLocker Ransomware
The Evil Corp Threat Group that was behind the Dridex banking Trojan and BitPaymer ransomware has started using a new ransomware variant in targeted attacks on enterprises. Wastedlocker is a brand-new ransomware variant that has already been used in attacks on around a dozen enterprises. Victims have been issued with ransom demands ranging from $500,000 to more than $1 million. WastedLocker ransomware was first detected by NCC Group’s...
Newly Discovered Self-Propagating Lucifer Malware Capable of Cryptojacking and DDoS Attacks
Palo Alto Networks’ Unit 42 researchers have identified a new Windows malware dubbed ‘Lucifer’ that drops the XMRig cryptocurrency miner, has Distributed Denial of Service (DDoS) capabilities, and can self-propagate. The malware was named by the author Satan DDoS, but was renamed Lucifer by the Unit 42 researchers so as not to confuse it with Satan ransomware. The Unit 42 team discovered the malware after identifying several new...
Ripple20: Critical Vulnerabilities in Treck TCP/IP Stack Affect Hundreds of Millions of Devices
A set of 19 vulnerabilities have been identified in the TCP/IP software library developed by Cincinnati-based Treck Inc., a developer of real-time embedded internet protocols for technology firms. The vulnerabilities were discovered by the Israeli cybersecurity firm JSOF and have been named Ripple20. Treck is a fairly low-profile company that develops low-level internet protocols, which are incorporated into a wide range of devices. A...
Adobe Out-of-Band Update Fixes 18 Critical Vulnerabilities
Adobe has issued an out-of-band update correcting 18 critical flaws in Adobe After Effects, Illustrator, Premiere Pro, Premiere Rush, Campaign, and Audition. All 18 flaws allow remote execution of arbitrary code. The updates were released on Tuesday June 16, 2020. Adobe says it is unaware of any public exploits for the vulnerabilities, but users of the above products are strongly advised to update to the latest version of the software...
6 Vulnerabilities Identified in D-Link DIR-865L Cloud Wireless Routers
Security researchers at Palo Alto Network’s Unit 42 team have identified 6 vulnerabilities in the D-Link DIR-865L series of cloud wireless routers, one of which has been rated critical and the remaining 5 are rated high severity. The D-Link DIR-865L series of routers reached end of life in February 2016; however, many are still in use and are vulnerable to attack. After being notified about the flaws, D-Link warned customers that as...
Fake COVID-19 Contact Tracing Apps Used to Install Malware
Contact tracing and exposure notification apps are being developed in several countries to help control outbreaks of COVID-19. The apps have already been used in several countries and have been shown to help contain local outbreaks and prevent a second major peak of infections. Recent research conducted by the cybersecurity firm Anomali has revealed threat actors have developed fake contact tracing and exposure notification apps which...
Microsoft Breaks Patch Tuesday Record with Fixes for 129 Vulnerabilities
For the fourth successive month, Microsoft Patch Tuesday has seen more than 100 CVEs patched and June 2020 Patch Tuesday contains the biggest round of updates ever issued. Microsoft has released updates to correct 129 vulnerabilities. That breaks the record set in March when patches were released to correct 115 vulnerabilities. This month’s update includes patches for 11 critical vulnerabilities, although none are currently being...
PoC Exploit for SMBGhost Windows 10 RCE Flaw Released and Attacks Identified
The SMBGhost vulnerability in Windows 10 that was patched by Microsoft in March 2020 is being actively exploited in the wild, according to a recent alert from the Department of Homeland Security Cybersecurity Infrastructure and Security Agency (CISA). The vulnerability, tracked as CVE-2020-0796, is a critical wormable vulnerability that’s as bad as it gets. The flaw was assigned a CVSSv3 score of 10 out of 10, with Microsoft...
Tycoon Ransomware Uses Rare Java Image File Format to Evade Security Solutions
Researchers at Blackberry Threat intelligence and KPMG have identified a new Java-based ransomware dubbed Tycoon that is being used in highly targeted attacks on educational institutions and small- to medium sized companies. The ransomware is manually deployed after the attackers gain access to their target’s networks, most commonly by attacking vulnerable internet-exposed RDP servers. The ransomware has been in use for at least 6...
TrickBot Trojan Operators Delivering New BazarBackdoor Malware via Phishing Campaign
The TrickBot Trojan operators are distributing a new backdoor named BazarBackdoor in targeted phishing attacks on businesses. BazarBackdoor is a stealthy backdoor that gives the attackers full access to corporate networks. The malware is being distributed via spear phishing emails that are well written and convincing. Several different lures are used in the campaign including employee termination lists, customer complaints, and...
Updated Valek Malware Used in Targeted Attacks on U.S and German Enterprises
Enterprises in the United States and Germany are being targeted in a phishing campaign spreading Valek malware, according to researchers at Cybereason Nocturnus. Valek is a popular malware loader that was first identified in 2019. Valek has previously been distributed in phishing campaigns to deliver banking Trojans such as Ursnif and IcedID. Valek is active development and new versions are frequently released. According to a recent...
StrandHogg 2.0 Android Flaw Allows Hackers to Hijack Legitimate Apps
The Norwegian security researchers who identified the StrandHogg vulnerability in the Android platform have identified another vulnerability that is even more dangerous that the original. The vulnerability – tracked as CVE-2020-0096 – is a critical flaw that allows hackers to masquerade as virtually any legitimate app on a targeted device. The vulnerability is present on all versions of Android apart from the latest...
Turla Hacking Group Tweaks ComRAT Malware to Steal Antivirus Logs and Communicate via Gmail
One of the most advanced state-sponsored hacking groups in Russia – Turla – has tweaked its ComRAT malware to steal antivirus logs and communicate with the malware via Gmail. ComRAT malware was first used by Turla in 2007 and is one of the oldest malware variants used by the Turla Group. The malware was used in the attack on the Pentagon in 2008 and has been regularly updated over the past 13 years. The latest version of ComRAT was...
Ragnar Locker Ransomware Deploys Virtual Machine to Evade Security Software
A new tactic is being used by the threat actors behind Ragnar Locker ransomware that allows them to evade security measures on the host machine and ensure their ransomware payload is executed. Ragnar Locker ransomware was first detected in 2019 and has been used in several high profile attacks, including the attack on the Portuguese energy company, Energias de Portugal where they demanded payment of $10.9 million for the keys to...
Another Malware Variant Identified that Targets Air-Gapped Networks
In the past week, three cybersecurity firms have announced they have found malware variants that are being used to target air-gapped networks. First came the news that ESET had discovered Ramsay malware, followed by a report from Kaspersky Lab of a variant of COMpfun malware, named Reductor, that was also being used to steal data from air-gapped networks. Trend Micro has now announced that it has identified yet another a malware...
Ramsay Malware Designed to Steal Data from Air-Gapped Networks
A new malware toolkit has been discovered that appears to have been developed to steal sensitive data from air-gapped networks. Researchers at ESET have named the malware Ramsay and report it has a range of advanced features that allow it to keep under the radar and steal highly sensitive data from victims. One of the most effective ways of protecting sensitive data is to ensure that it is not saved on any device accessible through...
Prioritize Patching and Fix These Commonly Exploited Vulnerabilities
A joint alert has been issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) to raise awareness about the most commonly exploited vulnerabilities to help organizations strengthen security and prevent attacks by sophisticated foreign threat actors. Patches should always be applied as soon as possible, but the number of patches now being...
Hacker Attacks More than 900,000 Vulnerable WordPress Sites in a Week
More than 900,000 WordPress websites have been attacked by a hacker over the space of about a week, according to a recent report from the cybersecurity company Defiant. The attacks were conducted using around 24,000 different IP addresses, but they are all believed to be the work of a single hacker as they were all attempting to insert the same malicious JavaScript backdoor into the websites. While the attacks have been ongoing for...
Malicious COVID-19 Domains Taken Down and New Blocklists Released
Cybercriminals have registered large numbers of COVID-19 themed domains which are being used for a variety of scams. Internet service providers are being ordered to take down the websites but given the sheer number of malicious websites that have been set up, that process is taking some time. In the United Kingdom, Her Majesty’s Revenue and Customs (HMRC) has ordered internet service providers to take down 292 COVID-19 themed websites...
Easily Exploitable RCE Salt Vulnerabilities Discovered that Require Urgent Attention
Researchers at F-Secure have identified two high severity vulnerabilities in the SaltStack Python-based open source Salt project, which can allow remote code execution as root for a full takeover of vulnerable servers. F-Secure believes the vulnerabilities are likely to be exploited in a matter of hours. Salt is a popular configuration tool that is used for datacenter and cloud server management to monitor the state of servers and...
Microsoft Offers Advice to Healthcare Organizations on Reducing Risk of Manual Ransomware Attacks
Ransomware attacks on healthcare organizations and others involved in the fight against COVID-19 are continuing. In many cases, the attackers gained access to systems many weeks or months previously and have timed the deployment of the ransomware to cause maximum disruption when COVID-19 cases are about to peak to increase the probability of ransoms being paid. Microsoft has recently reported that there have been dozens of ransomware...
Sophos Discovers and Patches Actively Exploited Flaw in its XG Firewall
Sophos has released a patch for a zero-day vulnerability in its XG Firewall which has been exploited in attacks to deliver malware. The flaw was discovered by Sophos on April 22, when an anomalous field value was discovered in the management interface of the Firewall. The investigation uncovered a previously unknown SQL injection vulnerability that had been exploited on some virtual and physical firewalls. Sophos reports that several...
Actively Exploited Zero-Day Flaws Identified in iOS Mail Application
Two critical zero-day vulnerabilities have been identified in the iOS Mail application that have been exploited by threat actors in attacks on high profile targets since at least January 2018. The flaws were identified by the cybersecurity firm ZecOps which traced the flaws back to iOS 6, which was released by Apple in 2012, but it is possible that the flaws were introduced in an earlier Mail app version. The vulnerabilities have been...
Four Zero Day Vulnerabilities in IBM Data Risk Manager Have Been Publicly Disclosed
Four zero-day vulnerabilities have been identified in IBM Data Risk Manager (IDRM) which could allow the downloading of arbitrary files and, if chained together, remote code execution. The security researcher who discovered the vulnerabilities, Pedro Ribeiro, Director of Research at Agile Information Security, released details of the flaws on GitHub after IBM refused to acknowledge the vulnerabilities, which were responsibly disclosed...
Two Zoom Zero-Day Vulnerabilities Being Offered for Sale for $500,000
Two zero-day flaws in the Zoom videoconferencing platform have allegedly been discovered by hackers who are now offering them for sale. The hackers claim the flaws can be exploited to gain access to both the Windows and MacOS Zoom clients. Use of the Zoom teleconferencing solution has soared during the COVID-19 crisis, with personal and business users turning to the platform to maintain contact with friends, family, and the office...