• What is SMB vulnerability and how it was exploited to launch the WannaCry ransomware attack?
    The United States National Security Agency developed an exploit kit dubbed ‘EternalBlue’ to exploit the SMBv1 vulnerability. In May 2017, the WannaCry ransomware attack infected over 200,000 Windows systems by exploiting the SMBv1 vulnerability via the EternalBlue exploit kit.
  • Account takeover attack: Here’s a close view of one of the most favored attack techniques of fraudsters
    Organizations that offer more services on their websites such as customer loyalty rewards are more liable to such attacks. Account takeover attacks are usually performed to conduct financial fraud, spamming, phishing attacks and virtual currency fraud.
  • Satan Ransomware: An overview of the ransomware’s variants and exploits
    Satan ransomware is capable of self-spreading and it usually propagates via JBoss vulnerability, Weblogic vulnerability, and EternalBlue SMB exploit. Satan ransomware resurfaced with a new variant named Lucky, exploiting almost 10 server-side application vulnerabilities that affect both Windows and Linux-based servers.
  • Symantec refutes claims of exposing client data during its demonstration process
    Symantec exposes client data during its demonstration process. The company has called the data breach a ‘minor incident’. The hackers had targeted Symantec accounts belonging to several large Australian firms as well as major Australian government departments.
  • Several PUP families evolve to add push notifications to their arsenal
    These PUP families have evolved to add push notifications to their arsenal. PUP.Optional.Stream.All and Trojan.FBSpammer are distributed as browser extension plugins. Users must thoroughly review the extensions before installing them on their browser.
  • Phishing attack at Union Labor Life Insurance impacts 87,400 patients
    Phishing attack at Union Labor Life Insurance impacts 87,400 patients. Ullico Inc. revealed that the breach took place on April 1, 2019. The incident occurred after an employee responded to a phishing email.
  • Attackers leverage NSA hacking tools to target businesses with XMRig Monero miners
    Attackers leverage NSA hacking tools to target businesses with XMRig Monero miners. The NSA hacking tools used in this campaign include EternalBlue and EternalChampion that were leaked by the Shadow Brokers hacker group in April 2017. A majority of affected computers were running Windows Server 2003 SP2 (83%), followed by Windows 7 Ultimate Professional SP1 and Windows XP Professional.
  • Twitter URLs could be abused to promote scams and distribute malware
    Twitter URLs could be abused to distribute scams and malware. Bad actors could abuse Twitter URLs by simply changing the username but using a status ID that points to a tweet from an account controlled by them. In this way, attackers could spread fake news or malicious content as users click on the tweet thinking it is from a trusted source.
  • Cellebrite Says It Can Unlock Any iPhone for Cops
    On Friday afternoon, the Israeli forensics firm and law enforcement contractor Cellebrite publicly announced a new version of its product known as a Universal Forensic Extraction Device or UFED, one that it's calling UFED Premium. Cellebrite calls the UFED Premium "the only on-premise solution for law enforcement agencies to unlock and extract crucial mobile phone evidence from all iOS and high-end Android devices." But it's only recently started working on a tool that can unlock Android devices too, according to a report from Forbes earlier this week, while Cellebrite says its new tool can unlock encrypted phones running either Apple or Google's operating systems. Cellebrite too has likely possessed the ability to unlock iOS 12.3 devices prior to this announcement, says Dan Guido, the founder of the New York-based security firm Trail of Bits and a longtime iOS-focused security researcher.
  • Bank hackers team up to spread financial Trojans worldwide
    Zeus, Redaman, BackSwap, Emotet, Gozi, and Ramnit are only some of the Trojan families which have gained prominence in the cybercriminal world, however, the operators of campaigns using banking Trojans are constantly cajoling for space and territory. According to IBM's Global Executive Security Advisor Limor Kessem and the IBM X-Force cybersecurity team, the top banking malware operators are now working together to distribute their malware. Trickbot, Gozi, Ramnit, and IcedID were the most active banking Trojans in 2018, and while other forms of malware have grown in popularity, it is the most active -- and prevalent -- forms of financial malware which are now being spread through cybercriminal partnerships. The Russian cybercriminals behind the malware, who target banks and wealth firms managing high-value accounts, have recently diversified into ransomware as part of a wider botnet strategy and are now working with gang members from IcedID. While this malware isn't particularly memorable as a banking Trojan, a recent shift in its deployment is.
  • AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs
    In this blog post, we will detail an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant (detected by Trend Micro as Backdoor.Linux.DOFLOO.AA) of the Linux botnet malware AESDDoS caught by our honeypots. Docker APIs that run on container hosts allow the hosts to receive all container-related commands that the daemon, which runs with root permission, will execute. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted. Access to critical components like the daemon service that helps run containers should be restricted.
  • Report: Mirai tries to hook its tentacles into SD-WAN
    Mirai – the software that has hijacked hundreds of thousands of internet-connected devices to launch massive DDoS attacks – now goes beyond recruiting just IoT products; it also includes code that seeks to exploit a vulnerability in corporate SD-WAN gear. That specific equipment – VMware’s SDX line of SD-WAN appliances – now has an updated software version that fixes the vulnerability, but by targeting it Mirai’s authors show that they now look beyond enlisting security cameras and set-top boxes and seek out any vulnerable connected devices, including enterprise networking gear. “I assume we’re going to see Mirai just collecting as many devices as it can,” said Jen Miller-Osborn, deputy director of threat research at Palo Alto Networks’ Unit 42, which recently issued a report about Mirai. The fact that SD-WAN devices were targeted is more about those particular devices having a vulnerability than anything to do with their SD-WAN capabilities. But the means to exploit the weakness nevertheless is included in a recently discovered new variant of Mirai, according to the Unit 42 report.
  • Common Hacker Tool Hit with Hackable Vulnerability
    A researcher has found a significant exploit in one of the most frequently used text editors. Security researcher Arminius has discovered a hackable vulnerability and exploit in Vim, arguably the most commonly used text editor among developers, hackers, and system engineers. The vulnerability takes advantage of a vim feature called modeline, which is typically used to create custom settings for the way text or formatting will be handled in a file, for a project, or for all occasions of the editor's use. In the exploit, a particular text string can be entered that causes the editor to accept arbitrary code and execute it outside of the sandbox in which most modeline commands are executed, regardless of whether that code has anything to do with the editor. The exploit is possible because, in many implementations, modeline is enabled by default, regardless of whether the system owner is using the feature. The vulnerability has been patched in Vim patch 8.1.1365 and a Neovim patch (released in v0.3.6), but Arminius recommends that users explicitly disable modeline on their systems.
  • New Android Trojan Leads Users to Scam Sites via Notifications
    A new Android Trojan that uses web push notifications to redirect users to scam and fraudulent sites has been discovered by security researchers on Google's Play Store. For instance, "Potential victims can think the fake notification is real and tap it only to be redirected to a phishing site, where they will be prompted to indicate their name, credentials, email addresses, bank card numbers, and other confidential information," Doctor Web explains. When the malicious fake apps are first launched, the Android.FakeApp.174 Trojan loads a site hardcoded in its settings using the Google Chrome web browser, a website which asks the targets to allow notifications under the guise of verifying that the user is not a bot. Upon agreeing to enable web push notifications for "verification purposes," the compromised device's owner is subscribed to the site's notifications and will be spammed with dozens of notifications sent by Chrome using Web Push technology.
  • Security Bug Would Have Allowed Hackers Access to Google's Internal Network
    If exploited by a malicious threat actor, the bug could have allowed hackers a way to steal Google employee cookies for internal apps and hijack accounts, launch extremely convincing spear-phishing attempts, and potentially gain access to other parts of Google's internal network. Described as a cross-site scripting (XSS) vulnerability, the security flaw impacted the Google Invoice Submission Portal, a public website where Google redirects business partners to submit invoices, based on contractual agreements. The researcher said that a malicious threat actor could have uploaded malformed files in the Google Invoice Submission Portal, via the Upload Invoice field. "Since the XSS was executed on a googleplex.com subdomain while the employee is logged in, the attacker should be able to access the dashboard on this subdomain where it's possible to view and manage the invoices," Orlita told ZDNet via email. But, all in all, like most XSS security bugs, this bug would have depended on a threat actor's skill level and ability to pivot to more complex attacks.
  • New WSH RAT Malware Targets Bank Customers with Keyloggers
    Security researchers have discovered an ongoing phishing campaign distributing a new remote access trojan (RAT) and actively targeting commercial banking customers with keyloggers and information stealers. "WSH is likely a reference to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines," according to Cofense's research team, the ones which discovered the new RAT. Additionally, WSH RAT is heavily marketed by its development team seeing that, while only being released on June 2, it is already actively being distributed via a phishing campaign in the form of malicious URLs, as well as MHT and ZIP files. The RAT allows its buyers to launch attacks capable of stealing passwords from their victims' web browsers and email clients, controlling their targets' computers remotely, uploading, downloading, and executing files, as well as executing remote scripts and commands.
  • Building a cyber-physical immune system
    These attacks are designed to impede the system’s essential functions, such as causing a power blackout in a city block, which may have serious effects on the safety and security of people who rely on that system. Perimeter security measures, such as firewalls and access control systems, can deter or prevent cyber attacks originating from outside the system, but do not protect against insider attacks, which are typically initiated by agents familiar with the system. Much work has been done in designing network intrusion detection systems, but these systems tend to learn slowly and are generally helpless against unknown and adaptive threats. Vaccines, for example, are the body’s equivalent of trained intrusion detection systems. To create a cyber-physical immune system, it must, like the human body, become self-aware. To build a credible model of its own behaviour, the system must not just learn its digital behaviour, but also capture the behaviour of its physical subsystems.
  • Vulnerabilities in Thunderbird Email Client Allow Code Execution
    Security updates released by Mozilla this week for the Thunderbird email client address vulnerabilities that could be exploited to execute arbitrary code on impacted systems. Available as version 60.7.1, the latest Thunderbird iteration addresses only four vulnerabilities. An attacker capable of exploiting the most severe of these vulnerabilities could execute arbitrary code on the vulnerable machine, the Multi-State Information Sharing and Analysis Center (MS-ISAC), a division of the Center for Internet Security, reveals in an advisory shared with SecurityWeek. Normally these flaws cannot be exploited through email in Thunderbird, given that scripting is disabled when reading mail, but they could pose a risk in browser or browser-like contexts, the MS-ISAC advisory reveals. All Thunderbird versions prior to 60.7.1 are vulnerable, but there are no reports of these vulnerabilities being exploited in the wild. The MS-ISAC advisory also notes that the vulnerabilities pose a High risk to large and medium business and government entities, but only a Medium risk to small government and business entities.