• What is the SMB vulnerability and how was it exploited to launch the WannaCry ransomware attack?
    The United States National Security Agency developed an exploit dubbed ‘EternalBlue’ targeting a vulnerability in SMBv1. In May 2017, the WannaCry ransomware attack infected over 200,000 Windows systems by exploiting that SMBv1 vulnerability via EternalBlue.
  • Account takeover attack: Here’s a close view of one of the most favored attack techniques of fraudsters
    Organizations that offer more services on their websites, such as customer loyalty rewards, are more exposed to such attacks. Account takeover attacks are usually performed to conduct financial fraud, spamming, phishing attacks and virtual currency fraud.
  • Satan Ransomware: An overview of the ransomware’s variants and exploits
    Satan ransomware is capable of self-spreading; it usually propagates via a JBoss vulnerability, a WebLogic vulnerability, and the EternalBlue SMB exploit. Satan ransomware resurfaced with a new variant named Lucky, exploiting almost 10 server-side application vulnerabilities that affect both Windows and Linux-based servers.
  • Cellebrite Says It Can Unlock Any iPhone for Cops
    On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device, or UFED, one that it's calling UFED Premium. Cellebrite calls the UFED Premium "the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices." But it's only recently started working on a tool that can unlock Android devices too, according to a report from Forbes earlier this week, while Cellebrite says its new tool can unlock encrypted phones running either Apple's or Google's operating system. Cellebrite has likely possessed the ability to unlock iOS 12.3 devices prior to this announcement too, says Dan Guido, the founder of the New York-based security firm Trail of Bits and a longtime iOS-focused security researcher.
  • Bank hackers team up to spread financial Trojans worldwide
    Zeus, Redaman, BackSwap, Emotet, Gozi, and Ramnit are only some of the Trojan families that have gained prominence in the cybercriminal world; however, the operators of campaigns using banking Trojans are constantly jostling for space and territory. According to IBM's Global Executive Security Advisor Limor Kessem and the IBM X-Force cybersecurity team, the top banking malware operators are now working together to distribute their malware. Trickbot, Gozi, Ramnit, and IcedID were the most active banking Trojans in 2018, and while other forms of malware have grown in popularity, it is the most active -- and prevalent -- forms of financial malware that are now being spread through cybercriminal partnerships. The Russian cybercriminals behind the malware, who target banks and wealth firms managing high-value accounts, have recently diversified into ransomware as part of a wider botnet strategy and are now working with gang members from IcedID. While this malware isn't particularly memorable as a banking Trojan, a recent shift in its deployment is.
  • AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs
    In this blog post, we will detail an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant (detected by Trend Micro as Backdoor.Linux.DOFLOO.AA) of the Linux botnet malware AESDDoS caught by our honeypots. Docker APIs that run on container hosts allow the hosts to receive all container-related commands, which the daemon, running with root permission, will execute. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which gives shell access to all applicable running containers within the exposed host. Docker explicitly warns against setting the Docker daemon to listen on port 2375, as this gives anyone the ability to gain root access to the host where the daemon is running; hence access to the API and its address must be heavily restricted. Access to critical components like the daemon service that helps run containers should be restricted.
  • Report: Mirai tries to hook its tentacles into SD-WAN
    Mirai – the software that has hijacked hundreds of thousands of internet-connected devices to launch massive DDoS attacks – now goes beyond recruiting just IoT products; it also includes code that seeks to exploit a vulnerability in corporate SD-WAN gear. That specific equipment – VMware’s SDX line of SD-WAN appliances – now has an updated software version that fixes the vulnerability, but by targeting it, Mirai’s authors show that they now look beyond enlisting security cameras and set-top boxes and seek out any vulnerable connected devices, including enterprise networking gear. “I assume we’re going to see Mirai just collecting as many devices as it can,” said Jen Miller-Osborn, deputy director of threat research at Palo Alto Networks’ Unit 42, which recently issued a report about Mirai. The fact that SD-WAN devices were targeted is more about those particular devices having a vulnerability than anything to do with their SD-WAN capabilities. But the means to exploit the weakness is nevertheless included in a recently discovered new variant of Mirai, according to the Unit 42 report.
  • Common Hacker Tool Hit with Hackable Vulnerability
    A researcher has found a significant exploit in one of the most frequently used text editors. Security researcher Arminius has discovered a hackable vulnerability and exploit in Vim, arguably the most commonly used text editor among developers, hackers, and system engineers. The vulnerability takes advantage of a Vim feature called modeline, which is typically used to create custom settings for the way text or formatting will be handled in a file, for a project, or for all uses of the editor. In the exploit, a particular text string can be entered that causes the editor to accept arbitrary code and execute it outside of the sandbox in which most modeline commands are executed, regardless of whether that code has anything to do with the editor. The exploit is possible because, in many installations, modeline is enabled by default, regardless of whether the system owner is using the feature. The vulnerability has been patched in Vim patch 8.1.1365 and in a Neovim patch (released in v0.3.6), but Arminius recommends that users explicitly disable modeline on their systems.
  • New Android Trojan Leads Users to Scam Sites via Notifications
    A new Android Trojan that uses web push notifications to redirect users to scam and fraudulent sites has been discovered by security researchers on Google's Play Store. "Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information," Doctor Web explains. When the malicious fake apps are first launched, the Android.FakeApp.174 Trojan loads a site hardcoded in its settings using the Google Chrome web browser, a website which asks the targets to allow notifications under the guise of verifying that the user is not a bot. Upon agreeing to enable web push notifications for "verification purposes," the compromised device's owner is subscribed to the site's notifications and will be spammed with dozens of notifications sent by Chrome using Web Push technology.
  • Security Bug Would Have Allowed Hackers Access to Google's Internal Network
    If exploited by a malicious threat actor, the bug could have allowed hackers a way to steal Google employee cookies for internal apps and hijack accounts, launch extremely convincing spear-phishing attempts, and potentially gain access to other parts of Google's internal network. Described as a cross-site scripting (XSS) vulnerability, the security flaw impacted the Google Invoice Submission Portal, a public website where Google redirects business partners to submit invoices based on contractual agreements. The researcher said that a malicious threat actor could have uploaded malformed files to the Google Invoice Submission Portal via the Upload Invoice field. "Since the XSS was executed on a googleplex.com subdomain while the employee is logged in, the attacker should be able to access the dashboard on this subdomain where it's possible to view and manage the invoices," Orlita told ZDNet via email. But, all in all, like most XSS security bugs, this bug's impact would have depended on a threat actor's skill level and ability to pivot to more complex attacks.