Developer Changes Open Source Libraries Corrupting Thousands of Applications
Jan10

The developer of two widely used open-source libraries has intentionally added an update to brick the many thousands of applications that depend on those libraries. The libraries in question are colors.js and faker.js – Colors has more than 22.4 million downloads a week and faker has more than 2.8 million weekly downloads on npm. The developer has added malignant commits to the libraries that result in the applications that...

Patch Released to Fix Year 2022 Bug in Microsoft Exchange
Jan03

Microsoft has issued an update to fix a year 2022 bug in MS Exchange that has been causing on-premises Exchange servers to stop delivering emails. The bug is present in on-premises Exchange Server 2016 and Exchange Server 2019 and causes emails to be stuck in transport queues. At midnight on New Year’s Eve, on-premises Exchange servers stopped delivering emails, which remained in a queue to be delivered. Exchange Server logs displayed...

Redline Malware Used to Steal Passwords from Browsers and Corporate VPNs
Dec31

Redline malware is now the most commonly used information stealer and is being used in attacks on businesses and consumers. Redline malware first appeared in early 2020 and the number of victims has been steadily growing, and on some cybercrime forums, around half of all stolen credentials listed for sale have come from Redline malware infections. Redline malware is a commodity malware that is being sold on cybercrime forums for...

LastPass Denies Data Breach After Users Claim Their Master Passwords Were Used to Access Their Vaults
Dec30

Several LastPass users have claimed their master passwords have been used by unauthorized individuals to access their password vaults, including individuals who claim never to have shared their master password with any other platform, which led to claims there had been a LastPass data breach. The first attacks on users’ password vaults appear to have started on Monday, December 27, 2021. A password manager allows users to easily create...

New RCE Vulnerability Patched in Log4j Version 2.17.1
Dec29

Another remote code execution vulnerability has been identified in the Log4j Java-based logging utility, this time in version 2.17.0. Several vulnerabilities in Log4j have been identified over the past month, the first of which was the Log4Shell vulnerability – CVE-2021-44228 – that was fixed in version 2.15.0. The vulnerability was rapidly exploited by threat actors, with the first attacks exploiting the vulnerability occurring...

Log4J Vulnerability Scanning Tool Released by CISA
Dec24

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a scanner that can be used to identify web services affected by the two recently disclosed Apache Log4J remote code execution vulnerabilities CVE-2021-44228 (Log4Shell) and CVE-2021-45046, which have been fixed, along with a further DoS vulnerability (CVE-2021-45105) in version 2.17. The scanner – available on GitHub here – was assembled with...

3 Million Websites Vulnerable to Critical Vulnerability in All in One SEO WordPress Plugin
Dec23

Two vulnerabilities have been identified in the All in One SEO plugin for WordPress that could be chained and exploited, allowing a full site takeover. The search engine optimization plugin has been installed on more than 3 million websites, many of which are still vulnerable. The two vulnerabilities can be chained in an attack by any user with an account on a vulnerable site, even if the account only has low-level privileges such as...

Microsoft Urges Customers to Patch These 2 Active Directory Vulnerabilities
Dec22

On November 2021 Patch Tuesday, Microsoft released patches to fix two vulnerabilities in Active Directory that can be exploited to gain administrative AD privileges if chained together. Microsoft explained that combining the vulnerabilities creates a straightforward path to a Domain Admin user in an Active Directory environment, first by compromising a regular user in the domain and then elevating privileges to admin. Proof-of-concept...

Log4j Version 2.17.0 released to Address High Severity DoS Bug
Dec20

The patch (version 2.15.0) to fix the critical Log4Shell vulnerability in the Log4j Java-based logging utility (CVE-2021-44228) did not fully correct the vulnerability and certain non-default configurations of Log4j were still vulnerable. The issue was assigned a different CVE – CVE-2021-45046 – and was corrected in version 2.16.0. The CVE-2021-45046 vulnerability could be exploited and used to craft malicious input data using a...

APT Actors and Access Brokers Actively Exploiting Log4j Zero-day
Dec16

Microsoft has issued a warning that multiple threat actors have been scanning for systems that have not had the Log4j zero-day vulnerability (CVE-2021-44228) patched and have been conducting attacks to gain access to victims’ networks. Nation-state hacking groups are attempting to exploit the ‘Log4Shell’ vulnerability to install malware on victims’ systems. Microsoft has observed Advanced Persistent Threat (APT) actors linked to...

Microsoft Patches 6 Zero-Day Bugs and 7 Critical Flaws on December 2021 Patch Tuesday
Dec14

December 2021 Patch Tuesday has seen Microsoft issue fixes for 67 vulnerabilities across its product suite, including 6 zero-day vulnerabilities and 7 critical flaws, with 60 vulnerabilities rated important. One of the zero-day vulnerabilities, a Windows AppX Installer issue tracked as CVE-2021-43890, is being actively exploited in real-world attacks to distribute malware such as Emotet, TrickBot, and BazarLoader in phishing campaigns...

Actively Exploited Log4Shell Vulnerability in Apache Log4j is as Bad as it Gets
Dec13

A recently discovered vulnerability in the Apache Log4j Java-based logging library is widely considered to be one of the most dangerous vulnerabilities ever to be discovered, and it is being actively exploited in the wild. The flaw is easy to exploit, can be exploited remotely without authentication, and can allow remote code execution allowing a full server takeover. A proof-of-concept (PoC) exploit for the flaw is in the public...

SonicWall Urging Users of SMA 100 Appliances to Update the Firmware Immediately
Dec09

SonicWall has released patches to fix eight vulnerabilities in its Secure Mobile Access (SMA) 100 series appliances, including two critical flaws. Vulnerable SMA 100 series remote access appliances include the SonicWall SMA 200, 210, 400, 410, and 500v secure access gateway products, and SMA 100 series appliances with the Web Application Firewall (WAF) enabled. The most dangerous vulnerabilities are two buffer overflow bugs tracked as...

New Malware Variant Being Used in Targeted Attacks by SolarWinds Hackers
Dec07

The Advanced Persistent Threat (APT) actor believed to be responsible for the SolarWinds supply chain attack is continuing to conduct attacks on U.S. companies to steal data of interest to the Russian government. Researchers at Mandiant have identified a new malware downloader being used by the APT actor known as Nobelium, Cozy Bear, APT29, and UNC2452. According to Mandiant, a new malware downloader dubbed CEELOADER is delivered...

COVID-19 Omicron Phishing Scam Targets UK Residents Offering Free NHS Omicron PCR Test
Dec06

A COVID-19 Omicron phishing campaign has been detected that spoofs the UK’s National Health Service and attempts to get individuals to disclose sensitive personally identifiable information and financial details. The campaign takes advantage of fear about the new Omicron variant of the coronavirus, which could potentially be more transmissible than other SARS-CoV-2 variants and make current vaccines less effective. Scientists around...

Warning Issued About Active Exploitation of Critical Zoho ManageEngine ServiceDesk Plus Vulnerability
Dec03

At least one APT actor is exploiting a critical vulnerability in the IT helpdesk and asset management solution, Zoho ManageEngine ServiceDesk Plus, according to a joint security advisory from the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA). The vulnerability, tracked as CVE-2021-44077, has a severity score of 9.8 out of 10 and is related to the /RestAPI URLs in a servlet and...

Multiple APT Actors Using Novel RTF Template Injection Technique in Phishing Attacks
Dec02

A novel Rich Text Format (RTF) Template Injection technique is being used in phishing campaigns conducted by multiple nation-state hacking groups. Researchers at Proofpoint say they first identified this technique being used in March 2021 and its use has been steadily growing. The technique was initially used by the Indian APT group DoNot Team (APT-C-35), followed by the Chinese APT group TA423, then the Russian APT actor Gamaredon....

Vaccine Manufacturers Targeted with Metamorphic Tardigrade Malware
Nov30

The biomanufacturing sector has been warned about targeted attacks involving Tardigrade malware – a sophisticated metamorphic variant of the SmokeLoader backdoor. Tardigrade malware is known to have been used in two cyberattacks on companies in the biomanufacturing sector in 2021. In the spring of this year, a large biomanufacturing facility was targeted and a second facility was infected with the malware in October. The attacks...

New JavaScript Malware Delivers Multiple RATs and Info Stealers
Nov25

A new JavaScript malware dubbed RATDispenser is being used to deliver at least 8 different Remote Access Trojans (RATs), information stealers, and keyloggers. According to an analysis by the HP Threat Research team, three different variants of RATDispenser have been detected in the past 3 months and 155 samples have been intercepted. All but 10 of those samples act as first-stage malware droppers that do not communicate with an...

PoC Exploit Released for High Severity Microsoft Exchange Server RCE Flaw
Nov23

A proof-of-concept exploit for a high-severity post-auth vulnerability in Microsoft Exchange Server 2016 and Exchange Server 2019 has been made public. The flaw, tracked as CVE-2021-42321, is due to improper validation of cmdlet arguments and can be exploited remotely by an attacker to execute arbitrary code on vulnerable Exchange servers. Microsoft released a fix for the CVSS 8.8 severity flaw two weeks ago on November 2021 Patch...

APT Actor Actively Exploiting Zero-day Vulnerability in FatPipe MPVPN Devices
Nov19

The Federal Bureau of Investigation (FBI) has warned users of FatPipe MPVPN devices that an Advanced Persistent Threat (APT) actor is exploiting a zero-day vulnerability in the device software and has been since at least May 2021. The vulnerability is present in the web management interface of FatPipe software and is due to a lack of input and validation checks for certain HTTP requests. The vulnerability can be exploited by sending...

The Emotet Botnet is Back: TrickBot Infrastructure Being Used to Rebuild the Botnet
Nov17

The infrastructure of the Emotet botnet was taken down in a Europol/Eurojust coordinated law enforcement operation in January 2021. Since the takedown it has been all quiet on the Emotet front, but the Emotet botnet has now returned. That law enforcement operation saw the infrastructure seized and taken down and two individuals believed to have played key roles in maintaining the infrastructure of the botnet were arrested. The Emotet...

Legitimate FBI System Hacked and Used to Send Spam Emails About Fake Cyberattack
Nov15

A spam email campaign involving at least 100,000 emails has been conducted using ‘hacked’ FBI-owned servers. The messages advised the recipients that their network had been breached and data was stolen. The emails were sent from the legitimate [email protected] email account and, as such, were passed by the DomainKeys Identified Mail (DKIM) mechanism. The Spamhaus project said the messages were delivered to at least 100,000 mailboxes,...

Micropatch Released for Partially Fixed Windows 10 Privilege Escalation Flaw
Nov15

0Patch has released a micropatch to address a vulnerability in Windows that could allow local privilege escalation to obtain system privileges. The micropatch addresses a vulnerability that was only partially patched by Microsoft in August. The flaw, tracked as CVE-2021-34484, is an arbitrary directory deletion issue. The flaw was only rated low severity as in order to exploit it, an attacker would already need to be logged into a...

International Fraud Awareness Week: Steps to Take to Prevent Organizational Fraud
Nov14

This week is International Fraud Awareness Week – a week dedicated to promoting anti-fraud awareness and educating businesses and consumers about fraud, why it is important to stop it, and how to identify fraud to minimize its impact. Fraud is defined as any intentional or deliberate act to deceive for financial or personal gain. Each year fraud costs the government, companies, and individuals billions of dollars, with the...

Security Researcher ‘Hacks’ 70% of WiFi Passwords with Next to No Effort
Nov10

A password is often the only thing that stands in the way of a hacker and a treasure trove of sensitive data. It is therefore important to set a strong, unique password for all accounts. Hackers often conduct automated attacks on accounts using lists of commonly used passwords and passwords previously compromised in data breaches. Accounts with weak passwords can often be compromised in a matter of seconds. While most people are aware...

Microsoft Fixes 55 Vulnerabilities on November 2021 Patch Tuesday, Including Six 0-Days
Nov09

November 2021 Patch Tuesday has seen Microsoft release patches to correct 55 security vulnerabilities, including 6 zero-day bugs. Two of the 0-day bugs are being exploited in the wild: a security feature bypass vulnerability – CVE-2021-42292 – in Microsoft Excel and a remote code execution vulnerability in Microsoft Exchange Server – CVE-2021-42321. The Microsoft Excel flaw is known to have been used in malicious attacks, although...

Robinhood Announces Breach of 7 Million User Records
Nov09

Hacking attempts are often sophisticated but in some cases gaining access to a company’s internal networks is as simple as asking an employee for login credentials. This is often achieved through a phishing email, where employees are tricked into visiting a website that asks them to log in with their Microsoft 365 credentials. Similar tactics were recently used in an attack on the stock trading platform Robinhood. On November 3, 2021,...

Zoho Password Management Flaw Exploited by APT Actors to Deploy Web Shell, Trojan, and Info Stealer
Nov08

Security researchers at Palo Alto Networks have identified a global espionage campaign that exploited a known vulnerability in the Zoho password management and single-sign-on platform, ManageEngine ADSelfService Plus. The flaw, tracked as CVE-2021-40539, affects version 6113 and prior versions of the ManageEngine ADSelfService Plus platform and is a REST API authentication bypass issue that allows remote code execution and a full...

CISA Issues Deadline to Federal Agencies to Patch Hundreds of Known Vulnerabilities
Nov04

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD 22-01) ordering all Federal civilian agencies to patch or implement mitigations for almost 300 security vulnerabilities known to have been exploited by cyber actors. The vulnerabilities must be mitigated on all hardware and software on federal information systems, including Internet-facing and non-Internet-facing systems....

FBI Warns of New Ransomware Attacks Exploiting Financial Business Events
Nov04

The Federal Bureau of Investigation has issued a private industry alert warning about a new tactic being used by ransomware gangs to pressure victims into paying the ransom. In 2020, many ransomware gangs adopted double extortion tactics where sensitive data were exfiltrated from victims’ networks prior to encrypting files. The stolen data were then published on leak sites if victims refused to pay the ransom, or threats were issued...

Microsoft Warns of Increase in Password Spraying Attacks
Oct29

Microsoft’s Detection and Response Team (DART) has issued a warning about an increase in password spraying attacks by nation-state hacking groups and cybercriminals. These attacks require little effort, and the rewards of a successful attack are high. Password spraying allows threat actors to obtain credentials, access internal systems, steal sensitive data, and install malware and ransomware. Password spraying is a type of brute...

WordPress Plugin Flaw Allows Subscribers to Wipe Entire Sites
Oct28

A vulnerability has been identified in the Hashthemes Demo Importer WordPress Plugin which could be exploited by an authenticated user to wipe the site. Exploiting the flaw would allow a user to delete all uploaded media and virtually all content databases. The Hashthemes Demo Importer plugin allows WordPress admins to import demos for WordPress themes with a single click without having to bother installing any dependencies such as...

NHS Vaccination Proof Phishing Campaign Rife in the UK
Oct25

Cybercriminals have stepped up their efforts to scam Brits according to new research, with one of the most common scams offering fake proof of COVID-19 vaccination. According to Tessian, the phishing scam spoofs the NHS and advises recipients that they are eligible to apply for a “Digital Passport” which can be used as proof that an individual has been vaccinated against COVID-19 or has contracted COVID-19 and has recently recovered....

Feds Issue Security Advisory About BlackMatter Ransomware
Oct20

Law enforcement agencies in the United States have issued a joint advisory about BlackMatter ransomware which includes details of the tactics, techniques, and procedures (TTPs) used by the ransomware gang to help organizations improve their defenses, and indicators of compromise and Snort rules that can be used to identify and block attacks in progress. BlackMatter ransomware appeared in July 2021. The appearance of the new ransomware...

CryptoRom Gang Targets iPhone Users of Dating Apps in Sophisticated Romance Scam
Oct15

Users of dating apps are being warned about a romance scam being conducted by an international cybercriminal gang dubbed CryptoRom. The gang has previously targeted individuals in Asia but has now expanded its operation and is targeting dating app users in Europe and the United States. Romance scams are nothing new of course, but they have become much more prevalent due to the increased use of dating apps, which allow scammers to...

Microsoft Fixes 74 Vulnerabilities on October Patch Tuesday, Including 1 Actively Exploited 0Day
Oct12

October 2021 Patch Tuesday has seen Microsoft release fixes for 74 vulnerabilities across its product range with an additional 7 fixes for issues with Microsoft Edge. 4 of the fixes are for zero-day vulnerabilities, 3 are rated critical, 70 important, and 1 low severity. The zero-day vulnerabilities are bugs which have been publicly disclosed or have been exploited in the wild ahead of a patch being released. Out of those flaws, only...

Apple Releases Emergency Update to Fix Another Actively Exploited iOS Zero-day
Oct12

Apple has released a patch to fix a zero-day vulnerability in iOS 15 and iPadOS 15 that is being actively exploited in the wild. The vulnerability, tracked as CVE-2021-30883, is a critical memory corruption flaw that is present in the IOMobileFrameBuffer kernel extension which manages the screen frame buffer. The flaw was reported to Apple by an anonymous researcher. Apple has not released details of the nature of the exploitation...

Iranian Threat Actor Conducting Password Spraying Attacks on Defense Companies
Oct12

An Iranian threat actor is conducting a password spraying campaign targeting the Office 365 accounts of U.S., EU, and Israeli defense companies. Microsoft’s Threat Intelligence Center (MSTIC) first identified the campaign in late July and attributed the attacks to the Iran-linked DEV-0343 group. DEV-0343 has conducted more than 250 attacks on Office 365 tenants in that time, most of which have been conducted on US and Israeli defense...

Ransomware Intrusion Actor FIN12 is Aggressively Targeting the Healthcare Sector
Oct08

While healthcare providers were struggling to cope with providing care to COVID-19 patients during the pandemic, they have been under attack from ransomware gangs. One group which has been particularly active and has been targeting the healthcare industry is FIN12. Approximately 20% of the attacks conducted by FIN12 since September 2020 have been on the healthcare industry, with other targeted sectors including education,...

Third of Americans Have Tried to Guess Someone Else’s Password
Oct07

A recent survey has revealed the extent to which people attempt to gain access to someone else’s account by trying to guess their password. The survey, which was conducted on 1,015 people in the United States by Beyond Identity, revealed 1 in 3 Americans has tried to guess another person’s password and 73% of them said they had succeeded at least once. 51.6% of those individuals had tried to guess the password of a romantic partner...

October is National Cybersecurity Awareness Month
Oct04

2021 National Cybersecurity Awareness Month has kicked off with the goal of improving awareness of cybersecurity and the importance of adopting cybersecurity best practices to make it harder for hackers, phishers, and online scammers to succeed. Digital safety and security have never been more important, with cyberattacks on businesses at record levels and ransomware gangs conducting huge numbers of attacks. “Our Nation is under a...

Security Agencies Publish New Guidance on Selecting VPN Solutions and Hardening Security
Sep30

Joint guidance has been released by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) on selecting Virtual Private Network (VPN) solutions and hardening security. VPN solutions are implemented to improve security for remote workers, as they create an encrypted tunnel into protected networks through which all data traffic is routed; however, VPN entry points into networks can be...

SolarWinds Hackers Deploy FoggyWeb Backdoor to Exfiltrate Data from AD Servers
Sep29

The threat actors behind the cyberattack on SolarWinds are using a malware variant dubbed FoggyWeb to steal data from compromised Active Directory servers. In a recent blog post, Microsoft shared an in-depth analysis of the malware, which is being used as a persistent backdoor into victims’ single sign-on servers. The threat group, tracked as Nobelium by Microsoft, has been using FoggyWeb malware in attacks since at least April 2021....

TangleBot Android Malware Has Extensive Range of Features for Use in Wide Variety of Attacks
Sep27

A new Android malware variant has been discovered by researchers that is being distributed via SMS messages and has been used in attacks in the United States and Canada. The new Android malware has been dubbed TangleBot by the Cloudmark researchers who discovered it, due to the complex nature of the malware and the many different forms of obfuscation used. The malware can be used to perform a range of malicious activities on...

100 Million IoT Devices Affected by Zero-Day Flaw, Including Medical Devices
Sep24

A high-severity zero-day vulnerability in the Internet-of-Things (IoT) open-source platform NanoMQ has put more than 100 million devices at risk of attack. NanoMQ by EMQ is a real-time IoT monitoring platform that is used to deliver alerts when abnormal activity is detected in IoT devices. The platform is used in many settings, including industrial systems, manufacturing, healthcare, automobiles, and many more. The vulnerability,...

macOS Finder Zero Day Vulnerability Allows Remote Code Execution
Sep23

A currently unpatched zero-day vulnerability in the macOS Finder system can be exploited using a malicious email attachment to remotely execute arbitrary code. The vulnerability is present in Big Sur and all previous versions of macOS. Apple released a silent update to fix the vulnerability, but it did not work and the flaw can still be exploited. The macOS Finder system is the default file manager and GUI front-end on Mac operating...

CISA and FBI Warn of Nation State Hackers Exploiting Critical Zoho Vulnerability
Sep17

A critical vulnerability affecting the Zoho single-sign-on and password management solution is being actively exploited by advanced persistent threat (APT) groups and has been since the start of August 2021, according to a joint alert issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Coast Guard Cyber Command (CGCYBER). The vulnerability, tracked as CVE-2021-40539, is...

Universal Master REvil Ransomware Decryptor Released by Bitdefender
Sep17

Bitdefender has released a free master REvil ransomware decryptor that allows previous victims of REvil ransomware to recover their files for free. The REvil master ransomware decryptor tool was developed in conjunction with an unnamed “trusted law enforcement partner.” Bitdefender has not disclosed any details about the partner or how the master keys to decrypt files were obtained. Bitdefender said the master decryptor will allow...

Adobe Fixes 59 Vulnerabilities in September Patch Tuesday Updates
Sep15

Adobe has released 59 patches to correct flaws across its product range on September 2021 Patch Tuesday, with 15 products receiving updates this month. 36 of the vulnerabilities have been rated critical and allow remote execution of arbitrary code. Several of the patches have been given a priority rating of 2, which means there is an elevated risk of the flaws being exploited in the wild. While there have been no known cases of...

2 0day Flaws Among 86 Vulnerabilities Patched by Microsoft on September Patch Tuesday
Sep15

Microsoft released patches to correct 86 flaws across its product range on September 2021 Patch Tuesday, including fixes for two zero-day bugs. 3 of the vulnerabilities addressed in this month’s updates fix critical flaws and 62 have been rated important. One of the zero-day bugs – tracked as CVE-2021-40444 – is a remote code execution vulnerability in Windows MSHTML that is known to have been exploited in the wild for...

Apple Issues Security Updates to Fix Zero-Click Zero-Day Flaw Used to Deliver Pegasus Spyware
Sep14

Apple has issued a security update to fix two zero-day vulnerabilities, one of which has been exploited by NSO Group to deliver Pegasus spyware. CVE-2021-30858 is a WebKit use after free vulnerability that can be exploited via a specially crafted web page to run commands on a vulnerable iPhone or Mac when the webpage is visited. The flaw was reported anonymously to Apple, which warned that the vulnerability may have been exploited in...

Olympus Investigating Potential BlackMatter Ransomware Attack
Sep13

The technology firm Olympus is investigating a cybersecurity incident that has affected IT systems used in the EMEA region. Olympus issued a statement confirming suspicious activity was detected in its computer network last week, and a specialized incident response team has been mobilized and a forensic investigation is underway. All data transfers from the impacted systems have been suspended and external partners have been...

Cyberattacks on IoT Devices More Than Double in a Year
Sep10

A new report from Kaspersky found attacks on Internet-of-Things (IoT) devices have more than doubled since 2020, as cyber threat actors are increasingly turning their attention to the devices to steal sensitive data, hijack the devices and add them to botnets for conducting DDoS attacks, and install cryptocurrency miners. Between January 1 and June 30, 2021, Kaspersky says telemetry data collected through its honeypots shows...

ProxyToken Microsoft Exchange Server Flaw Allows Emails to be Stolen
Sep03

An information-disclosure vulnerability dubbed ProxyToken has been identified in Microsoft Exchange Server that could be exploited by a threat actor to gain access to highly sensitive personal and corporate data stored in email accounts. The vulnerability, tracked as CVE-2021-33766, would allow an attacker to copy all emails addressed to a target and forward them on to an account controlled by the attacker. In a recent write-up about...

CISA Adds Single-Factor Authentication for Remote and Administrative Access to Cybersecurity Bad Practices Catalog
Sep01

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its list of cybersecurity bad practices that should be avoided. The Bad Practices Catalog was first published in July 2021 and, upon its launch, only included two entries. A third has now been added to the list. The list includes practices that CISA advises against because they are exceptionally risky. The entries on the list may seem obvious security errors...

CISA: Address Microsoft Azure Cosmos DB Vulnerability Now
Aug31

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging all public and private sector organizations to address a recently discovered vulnerability in the Jupyter Notebook feature of Azure Cosmos DB. The vulnerability, dubbed ChaosDB, was recently publicly disclosed by cloud security firm Wiz, around a week after the company notified Microsoft about the flaw. The flaw in the Jupyter Notebook feature of Azure Cosmos...

FBI Warns of Increasing Hive Ransomware Attacks
Aug27

The Federal Bureau of Investigation (FBI) is warning businesses about a new ransomware threat that is being used in an increasing number of attacks. Hive ransomware was first identified in June 2021 and is operated under the ransomware-as-a-service (RaaS) model, where affiliates are used to conduct attacks on behalf of the gang in exchange for a cut of the profits. Numerous methods of attack have been observed, which makes it...

Zero-Day Flaw Provides Admin Privileges on Windows 10 When Plugging in a Razer Mouse
Aug24

Gaining SYSTEM rights on a Windows 10 computer is as simple as plugging in a Razer mouse or keyboard, due to a zero-day flaw in the Synapse device installer software. Razer is a manufacturer of high-end peripherals that target gamers, with the company’s product portfolio including mice, keyboards, and gaming chairs. Razer provides software that can be downloaded to allow users to configure their peripherals and map buttons or set up...

Nigerian Threat Actor Tries to Recruit Disgruntled Employees to Conduct a Ransomware Attack on Their Employer
Aug23

Researchers at Abnormal Security have identified an email campaign run by a Nigerian threat group that is advertising for individuals to take part in ransomware attacks in exchange for a cut of any ransom payments they help to generate. This tactic is nothing new, as many ransomware operations seek affiliates to conduct attacks in exchange for a share of the profits under the ransomware-as-a-service (RaaS) model. This campaign differs as it...

CISA Publishes Guidance on Protecting Sensitive Data from Ransomware-Caused Data Breaches
Aug20

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published new guidance to help public and private sector organizations deal with the increasing ransomware threat, specifically ransomware gangs using double extortion tactics in which sensitive data are located and exfiltrated prior to file encryption. Double extortion has become the norm in ransomware attacks. When data are stolen, victim organizations are required...

Adobe Patches Critical Flaws in Photoshop, Media Encoder, Bridge and XMP-Toolkit-SDK
Aug18

Adobe has issued security updates and patches to correct critical vulnerabilities in several of its products. The out-of-band patches cover multiple flaws across Adobe Photoshop, Adobe Media Encoder, Adobe Bridge, Adobe XMP-Toolkit-SDK, and Adobe Captivate. In all cases, even for the critical vulnerabilities, Adobe has assigned a priority rating of 3, as the flaws are in products that have not historically been a target for attackers;...

Millions of IoT Devices Affected by Critical Security Flaw that Allows Hackers to Eavesdrop
Aug17

A critical security flaw has been identified in ThroughTek’s Kalay IoT cloud platform which could be exploited by remote attackers to intercept live video and audio streams and take control of IoT devices. According to ThroughTek, its Kalay IoT network supports more than 83 million active devices with over 1.1 billion monthly connections. Affected devices include IoT cameras, digital video recorders (DVRs), and smart baby monitors....

Ransomware Gangs Start Exploiting PrintNightmare Vulnerabilities
Aug13

Cyber threat actors have started exploiting the recently disclosed “PrintNightmare” vulnerabilities in ransomware attacks on unpatched Windows servers. The PrintNightmare vulnerabilities include CVE-2021-1675, which is an elevation-of-privilege vulnerability affecting the Windows Print Spooler Service, and the Windows Print Spooler remote code execution vulnerability CVE-2021-34527. Microsoft released a security update to correct the...

New Ransomware cum Wiper Malware Under Active Development
Aug11

Chaos ransomware is a new malware variant under active development that has been advertised on an underground forum and made available for testing, according to Trend Micro. In a recent blog post describing the new malware variant, Trend Micro security researcher Monte de Jesus explained that the malware first appeared in June 2021 and has already had four different versions released, with the rapid development suggesting the malware...

Microsoft Patches 51 Vulnerabilities on August Patch Tuesday, including 3 Zero-Days
Aug10

On August Patch Tuesday, Microsoft released patches to fix 51 vulnerabilities across its product range, including 7 critical flaws, 37 vulnerabilities rated important, and three zero-day vulnerabilities, one of which is under active attack. The three zero-day vulnerabilities include two which have been publicly disclosed but are not known to have been exploited in the wild. These are a critical remote code execution vulnerability in...

Microsoft Issues Another Fix to Correct PrintNightmare Vulnerabilities
Aug10

Microsoft has issued another update to correct vulnerabilities in its Print Spooler service known as PrintNightmare. These vulnerabilities can be exploited to achieve privilege escalation and remote code execution. Microsoft had previously released an out-of-band update to correct the vulnerabilities; however, security researchers showed that the patch and its mitigation steps were incomplete and did not fully address the...

Threat Actor Actively Scanning for Microsoft Exchange Servers Vulnerable to ProxyShell Attacks
Aug09

A warning has been issued after hackers were identified scanning for ProxyShell remote code execution vulnerabilities in Microsoft Exchange, following the recent disclosure of technical details of the flaws. The ProxyShell vulnerabilities consist of three CVEs that can be chained in attacks on Microsoft Exchange servers: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The vulnerabilities...

Critical PwnedPiper Flaws Affect Pneumatic Tube Systems in 3,000 Hospitals
Aug04

Pneumatic tube systems are used by many businesses for transporting small items around facilities, including healthcare facilities. In hospitals these systems are extensively used for delivering drugs from the pharmacy, sending test samples to the lab for analysis, and transporting other items around the hospital. These transportation systems are connected to hospital networks, so the firmware could potentially have vulnerabilities that could be...

More Ransomware Attempts Recorded in First Half of 2021 Than in all of 2020
Aug03

Ransomware attacks increased significantly in 2020. The cyber-intelligence firm Group-IB estimated attacks had increased by more than 150% in 2020. Now, a new report from SonicWall shows that attacks have not just continued to increase in the first half of 2021, they have skyrocketed. SonicWall had previously reported a total of 304.6 million ransomware attacks in 2020; however, alarmingly, that total has already been reached in the...

Have You Patched These 30 Frequently Exploited Vulnerabilities?
Jul30

A joint cybersecurity advisory has been published by CISA, the FBI, the Australian Cyber Security Center, and the UK’s National Cyber Security Center about the software vulnerabilities that were being routinely exploited by threat actors in 2020, together with a list of vulnerabilities that have proven popular with cyber threat actors in the first 6 months of 2021. Patches are available to fix all of the vulnerabilities included in...

Zero Day Apple Vulnerability Under Active Attack
Jul28

Apple is urging users of iPhones, iPads, and Macs to install the operating system updates it released on Monday, as the vulnerability in iOS and macOS that was corrected is now being actively exploited in the wild. The vulnerability, tracked as CVE-2021-30807, is a memory corruption flaw in the IOMobileFrameBuffer extension used by iOS, iPadOS and macOS. IOMobileFrameBuffer is a kernel extension that manages the screen frame buffer....

Microsoft Publishes Mitigations for PetitPotam Attack on Windows NT LAN Manager
Jul27

Microsoft has released mitigations for a new attack method involving Windows NT LAN Manager (NTLM), which could be exploited to force remote Windows systems to reveal password hashes, giving an attacker full control of a domain server and other Windows servers. Security researcher Gilles Lionel discovered it is possible to abuse legitimate functions using a new attack method dubbed ‘PetitPotam.’ A proof-of-concept (PoC) exploit was...

Microsoft 365 Apps and Services Will No Longer Support Internet Explorer from August 17, 2021
Jul26

On August 17, 2021, Microsoft 365 apps and services will no longer support Internet Explorer 11. Users who continue with Internet Explorer 11 after that date are likely to have a degraded experience or may be prevented from connecting to Microsoft 365 apps and services. Microsoft announced on August 17, 2020 that Microsoft 365 apps would no longer be supporting Internet Explorer 11, giving users 12 months to change to a supported...

Hundreds of Millions of Windows Computers Have 16-Year Old Printer Driver Vulnerability
Jul21

A high severity privilege escalation vulnerability has been identified in HP printer drivers, which are also used by Samsung and Xerox. Exploitation of the flaw would allow an attacker to bypass security products, gain admin privileges, install programs, create new accounts with elevated user permissions, and view, edit, encrypt, or delete data. According to a recently published report from SentinelOne, the flaw has been present in...

Fortinet Issues Patch to Correct Critical RCE Vulnerability in FortiManager and FortiAnalyzer
Jul21

A critical remote code execution use-after-free vulnerability has been identified that affects Fortinet’s FortiManager and FortiAnalyzer network management solutions. If exploited, a non-authenticated remote attacker could execute code on vulnerable devices with root privileges, which would give the attacker full control of vulnerable devices. The flaw, tracked as CVE-2021-32589, was discovered by security researcher Cyrille Chatras...

MosaicLoader Malware Downloader Distributed Via Internet Ads for Cracked Software
Jul20

Bitdefender security researchers have identified a new malware variant dubbed MosaicLoader, which is being distributed in a worldwide campaign disguised as cracked software. The malware acts as a downloader of secondary payloads and was named due to the complex internal structure designed to evade detection by security solutions and hamper researchers’ attempts at reverse engineering the malware. The threat actor behind the campaign...

Two More Windows Print Spooler Vulnerabilities Identified
Jul19

A further zero-day vulnerability has been identified in Windows Print Spooler that could be exploited via remote print servers under the attacker’s control to gain administrative privileges on Windows machines. The vulnerability affects all current versions of Windows. The latest vulnerability was identified by Mimikatz creator, Benjamin Delpy. Delpy developed an exploit for the flaw which uses the Queue-Specific Files feature of...

SonicWall: Users of Unpatched SRA and SMA 100 Series Appliances Face Imminent Risk of Ransomware Attacks
Jul15

SonicWall has issued an urgent warning for users of its Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running 8.x firmware. SonicWall has learned of threat actors targeting a known vulnerability in the firmware using stolen credentials. SonicWall explained in its alert that ransomware attacks are imminent and urgent action must be taken to prevent exploitation of the flaw. SonicWall has corrected the...

REvil Ransomware Servers Go Dark Suggesting Possible Law Enforcement Takedown
Jul14

REvil (Sodinokibi), one of the most prolific ransomware-as-a-service operations, had its servers shut down suddenly early on Tuesday morning. The REvil gang has been behind some of the most serious ransomware attacks over the past few years, including the recent supply chain attack on the IT management and monitoring software provider Kaseya and the attack on JBS Foods in the United States. The ransomware gang, which is believed to...

Patches Released to Fix 3 Actively Exploited Flaws and 9 Zero Days on July 2021 Patch Tuesday
Jul13

July 2021 Patch Tuesday has seen Microsoft release patches to fix 116 vulnerabilities across its range of products: 12 critical flaws, 3 actively exploited vulnerabilities, 8 zero-days, 103 important bugs, and one rated moderate. Microsoft also released an out-of-band patch earlier this month to fix the PrintNightmare flaw CVE-2021-34527, a PoC exploit for which is in the public domain. The actively exploited flaws are...

BIOPASS RAT Live Streams Audio and Video from Victims’ Devices
Jul13

Security researchers at Trend Micro have identified a new remote access Trojan (RAT) dubbed BIOPASS, which uses legitimate live streaming software to provide the attackers with a real-time view of the victim’s computer screen and stream audio from the affected device. This is achieved by downloading and using either FFmpeg or Open Broadcaster Software. There have been many sextortion scams conducted over the past couple of years...

Kaseya Security Update Addresses 0Day Flaws Exploited in REvil Ransomware Attack
Jul12

Kaseya has released a security update to address the zero-day vulnerabilities in its VSA solution that were exploited by the REvil ransomware group in the recent supply chain attack on its MSP customers and their clients. Several zero-day vulnerabilities were reported to Kaseya by the Dutch Institute for Vulnerability Disclosure (DIVD) in April. Kaseya was in the process of fixing the vulnerabilities in its VSA remote management and...

Fake Kaseya Updates Used in Phishing Campaign to Deliver Cobalt Strike Backdoors
Jul09

A phishing campaign has been detected by Malwarebytes Threat Intelligence researchers which targets managed service provider customers of Kaseya. The emails claim to provide a Kaseya security update to prevent ransomware attacks but deliver Cobalt Strike backdoors to victims’ networks. The campaign piggybacks on the REvil ransomware attack on the Kaseya Virtual System Administrator (VSA) platform on July 2 that saw ransomware pushed...

Microsoft Issues Out-of-Band PrintNightmare Patch for Some Windows Versions
Jul07

Microsoft has released an out-of-band patch to fix two critical remote code execution vulnerabilities in the Windows Print Spooler Service dubbed PrintNightmare. A patch had previously been issued by Microsoft to fix one of the flaws – tracked as CVE-2021-1675 – however, the patch only partially fixed the vulnerability. An exploit for a second, related vulnerability – tracked as CVE-2021-34527 – was published by a security...

Cybersecurity Agencies Warn of Ongoing Password Spraying Attacks by Russian APT Actors
Jul06

Warnings have been issued about ongoing malicious cyber activities by the Advanced Persistent Threat (APT) actor known as APT28/Strontium/Fancy Bear. The APT group has been using a Kubernetes cluster in brute force attacks on the U.S. government and the private sector and has been targeting cloud services including Office 365 in a cyber espionage campaign. On July 1, 2021, a joint cybersecurity advisory was issued by the National...

Kaseya Supply Chain Attack on MSPs Sees REvil Ransomware Delivered to Several Thousand Companies
Jul05

On Friday July 2, 2021, an affiliate of the REvil ransomware-as-a-service operation delivered the REvil ransomware payload to dozens of Kaseya customers including many managed service providers (MSPs) and, through them, thousands of their customers. Victims have been issued with ransom demands based on the extent to which they were affected by the attack, with ransom demands starting at around $45,000 for small businesses and rising...

PoC Exploit Released for Unpatched Windows Print Spooler RCE Vulnerability
Jul02

A critical Windows Print Spooler remote code execution vulnerability has been identified, a Proof of Concept (PoC) exploit for which has been leaked online. The vulnerability, tracked as CVE-2021-34527 and dubbed PrintNightmare, occurs when the Windows Print Spooler service improperly performs privileged file operations. The flaw can be exploited remotely and would allow an attacker to execute arbitrary code with SYSTEM privileges....

Profile Data of 700 Million LinkedIn Users Listed for Sale on Hacking Forum
Jun30

700 million LinkedIn records were listed for sale on a hacking forum on June 22, 2021 by an individual who calls himself GOD User TomLiner. A sample of 1 million records has been made available as proof that the offer is genuine. The sample records include the full names of LinkedIn users, phone numbers, genders, email addresses, and job information. This is not the first time that a multi-million record batch of LinkedIn user data...

PoC Exploit for Cisco Adaptive Security Appliance (ASA) Flaw Used to Attack Vulnerable Devices
Jun28

A proof-of-concept exploit for a vulnerability affecting Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software has been released by the Offensive Team at Positive Technologies. The vulnerability is a cross-site scripting flaw tracked as CVE-2020-3580. The vulnerability is one of four flaws that have been patched by Cisco that are due to Cisco ASA and FTD software not sufficiently validating user-supplied...

30 Million Devices at Risk from Dell SupportAssist RCE Vulnerabilities
Jun24

Researchers at Eclypsium have identified four serious vulnerabilities in the BIOSConnect feature of Dell SupportAssist that could be remotely exploited by attackers to gain full control of targeted devices. The flaws are present in an update mechanism that affects 129 models of enterprise and consumer laptop and desktop computers protected by Secure Boot – around 30 million devices. Secure Boot is a security feature that ensures...

COVID-19 Vaccination Lure Used in Phishing Campaign Distributing the Agent Tesla RAT
Jun22

A new phishing campaign has been detected that is being used to distribute the Agent Tesla Remote Access Trojan (RAT). The phishing campaign was identified by researchers at Bitdefender’s Antispam lab and uses a COVID-19 vaccine lure to trick users into installing the malware. The Agent Tesla RAT has multiple functions, although it is primarily used to steal passwords and other sensitive information. The latest version of the malware...

Vulnerability in Peloton Bike+ Allows Attackers to take Full Control of Operating System
Jun16

McAfee’s Advanced Threat Research (ATR) team researchers have identified a vulnerability in the popular Peloton Bike+ and Peloton Tread exercise machines that could allow attackers to take full control over the exercise equipment and use the machines in a range of different attack scenarios. To exploit the vulnerability, an attacker would need to have physical access to a machine. If the flaw is exploited, an attacker could gain root...

Avaddon Ransomware Gang Shuts Down Operation and Releases Decryption Keys
Jun14

Avaddon ransomware is no more. The operation has been shut down and decryptors have been released that allow victims to recover their files free of charge. On June 11, 2021, Bleeping Computer received an anonymous tip which appeared to have come from the FBI and included a link to a password protected ZIP file and a password. The file included 2,934 decryption keys for Avaddon ransomware – all outstanding victims that have not yet...

SonicWall VPN Vulnerability Exploited in Attacks on Legacy SRA Appliances
Jun11

Researchers at CrowdStrike have confirmed cyber threat actors exploiting a SonicWall VPN vulnerability to attack Secure Remote Access (SRA) 4600 devices. The vulnerability, tracked as CVE-2019-7481, is not new. The bug was identified in 2019 and a patch was released to correct the flaw; however, the patch was only partially effective and did not fix the firmware bug on legacy SonicWall SRA 4600 VPN devices. Proof-of-concept exploit...

New Malware Discovered Targeting Windows Containers to Plant Backdoors in Kubernetes Clusters
Jun09

A new malware variant has been discovered that is believed to be the first to target Windows containers. The malware, discovered by Daniel Prizmant of Palo Alto Networks’ Unit 42 team, has been dubbed Siloscape and is capable of breaking out of Windows containers and compromising Kubernetes clusters to plant backdoors and raid nodes for credential theft. Kubernetes is used to automate the deployment, scaling, and management of...

Microsoft Patches 41 Vulnerabilities, Including 5 Critical Flaws and 7 Zero-Days
Jun08

June 2021 Patch Tuesday has seen Microsoft release patches to correct 50 vulnerabilities across its range of products, including 7 zero-day vulnerabilities. Five vulnerabilities are rated critical and 45 have been rated important. 6 of the zero-day vulnerabilities patched this week are known to have been exploited in the wild. While these flaws have been exploited, all have been rated important. These are: CVE-2021-31199 –...

Critical VMware vCenter Server Vulnerability Under Active Exploitation
Jun08

The critical VMware vCenter Server vulnerability CVE-2021-21985 is being actively exploited in the wild. There have been several successful exploits of the 9.8/10 severity vulnerability and at least one reliable exploit for the flaw is now in the public domain. VMware issued an advisory about the flaw in the last week in May and urged users to patch promptly to avoid exploitation. The flaw is now being exploited by at least one threat...

NCSC Warns UK Educational Institutions of Increased Ransomware Threat
Jun07

The UK’s National Cyber Security Center (NCSC) has issued a warning to the UK education sector following a recent spike in ransomware attacks on schools, colleges, and universities. Some of the recent attacks have resulted in the loss of school financial records, student coursework, and COVID-19 testing data. Ransomware attacks often involve the theft of data prior to the use of ransomware to encrypt systems. The attacks can have a...

Take Ransomware Seriously, Warns White House
Jun04

Ransomware attacks have been increasing and it is now common for the threat actors behind these attacks to not only encrypt data to prevent access, but also to steal data prior to file encryption and then threaten to sell or publish the data if the ransom is not paid. Data exposure or data loss can have major consequences but the biggest threat for businesses is often the downtime caused by a successful attack. It is often this...
