Cyber security aggregate rss news

Cyber security aggregator - feeds history

 Security

Four disclosed vulnerabilities in the Office suite, including Excel and Office online, could be used by cybercriminals to spread attack code through Word and Excel documents. Security researchers from Check Point note: "Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook". With the May 2021 patch update, Microsoft fixed three of the four vulnerabilities, identified as CVE-2021-31174, CVE-2021-31178, and CVE-2021-31... (read more)

 Security

The US Department of Justice charged a woman for her alleged involvement as a programmer in a cybercrime group that helped develop TrickBot, according to The Hacker News. The woman in question, Alla Witte, nicknamed Max, of Paramaribo, Suriname, was arrested on February 6 in Miami, Florida. Witte is charged with 19 counts, including conspiracy to commit computer fraud and aggravated identity theft, wire and bank fraud affecting a financial institution, and money laundering. According to court documents released by the Justice Department, Witte and 16 other unnamed individuals are accused of operating a transnational criminal organization that developed and deployed a digital suite of malware tools aimed at stealing from businesses and individuals worldwide and demanding ransom. TrickBot began as a banking Trojan in late 2015. The banking malware has evo... (read more)

 Security

Elon Musk has destroyed lives with his careless tweets that recently roiled cryptocurrency markets, according to a group claiming to represent the hacker collective Anonymous in a video. The four-minute video, posted Saturday, slammed Elon Musk as another selfish rich person looking for attention and for constantly trolling the cryptocurrency markets. By late Sunday, it had 1.7 million views, according to Market Watch. A Guy Fawkes-masked figure said in the video: “Millions of retail investors were really counting on their crypto gains to improve their lives.” “Of course, they took the risk upon themselves when they invested, and everyone knows to be prepared for volatility in crypto, but your tweets this week show a clear disregard for the average working perso... (read more)

 Security

The US Justice Department has recovered most of the multimillion-dollar ransom payment, The Guardian reports. The operation to recover cryptocurrency from the Russia-based hacking group is the first carried out by the Biden administration's task force specializing in ransomware. Moreover, it reflects what officials say is an increasingly aggressive approach to dealing with a ransomware threat that attacked critical industries around the world last month. Deputy attorney general Lisa Monaco said Monday at a news conference: “By going after an entire ecosystem that fuels ransomware and digital currency, we will continue to use all of our tools and all of our resources to increase the costs and the consequences of ransomware attacks and other cyber-enabled attacks.” Colonial Pipeline, situated in Georgia, delivers almost half of the fuel... (read more)

 Business

Behavioral threat detection and exploit prevention technologies in Kaspersky Endpoint Security for Business have identified a wave of highly targeted attacks on several companies. These attacks used a chain of zero-day exploits of Google’s Chrome browser and Microsoft Windows vulnerabilities. By now, patches for the vulnerabilities are available (as of a Microsoft update released June 8), so we recommend everybody update both browser and OS. We are calling the threat actor behind these attacks PuzzleMaker.

What is so dangerous about PuzzleMaker attacks?

The attackers use a Google Chrome vulnerability to execute malicious code on the target machine and proceed by using two Windows 10 vulnerabilities to escape the “sandbox” and gain system privileges. They then upload the first malware module, the so-called stager, to the victim’s machine along with a customized configuration block (command server address, session ID, decryption keys for the next module, and so forth). The stager notifies the attackers of the successful infection and downloads and decrypts a dropper module, which, in turn, installs two executables passing themselves off as legitimate. The first one, WmiPrvMon.exe, registers as a service and runs the second one, wmimon.dll. This second executable is the attack’s principal payload, fashioned as a remote shell. The attackers use that shell to take full control of the target machine: they can upload and download files, create processes, hibernate for a specified stretch of time, and even rid the machine of any traces of the attack. This malware component communicates with the command server through an encrypted connection.

Which exploits and vulnerabilities?

Unfortunately, our experts were unable to analyze the remote code execution exploit PuzzleMaker used to attack Google Chrome, but they did complete a thorough investigation and concluded that the attackers likely relied on the CVE-2021-21224 vulnerability. If you are interested in how and why they came to this conclusion, we encourage you to read about their reasoning in this Securelist post. In any case, Google released a patch for this vulnerability on April 20, 2021, less than a week after we discovered the wave of attacks.

The privilege elevation exploit uses two Windows 10 vulnerabilities at once. The first one, CVE-2021-31955, is an information disclosure vulnerability in the file ntoskrnl.exe. The exploit used it to determine the kernel addresses of the EPROCESS structures of running processes. The second vulnerability, CVE-2021-31956, is in the ntfs.sys driver and belongs to the heap overflow class of vulnerabilities. Malefactors used it along with the Windows Notification Facility for reading and writing data to memory. This exploit works on the most common Windows 10 builds: 17763 (Redstone 5), 18362 (19H1), 18363 (19H2), 19041 (20H1), and 19042 (20H2). Build 19043 (21H1) is also vulnerable, although our technologies have not detected attacks on this version, which was released after we detected PuzzleMaker. Securelist has published a post containing a detailed technical description and listing the indicators of compromise.

Protection against this and similar attacks

To safeguard your corporate security against the exploits used in the PuzzleMaker attack, first update Chrome and install (from Microsoft’s website) the operating system patches that address vulnerabilities CVE-2021-31955 and CVE-2021-31956. That said, to avert the threat of other zero-day vulnerabilities, every type of company needs to use cybersecurity products that can detect such exploitation attempts by analyzing suspicious behavior. For example, our products detected this attack using the Behavioral Detection Engine technology and Exploit Prevention subsystem in Kaspersky Endpoint Security for Business.

 A Little Sunshine

The U.S. Department of Justice said today it has recovered $2.3 million worth of Bitcoin that Colonial Pipeline paid to ransomware extortionists last month. The funds had been sent to DarkSide, a ransomware-as-a-service syndicate that disbanded after a May 14 farewell message to affiliates saying its Internet servers and cryptocurrency stash were seized by unknown law enforcement entities.

On May 7, the DarkSide ransomware gang sprang its attack against Colonial, which ultimately paid 75 Bitcoin (~$4.4 million) to its tormentors. The company said the attackers only hit its business IT networks — not its pipeline security and safety systems — but that it shut the pipeline down anyway as a precaution [several publications noted Colonial shut down its pipeline because its billing system was impacted, and it had no way to get paid].

On or around May 14, the DarkSide representative on several Russian-language cybercrime forums posted a message saying the group was calling it quits. “Servers were seized, money of advertisers and founders was transferred to an unknown account,” read the farewell message. “Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.”

[Screenshot caption: A message from the DarkSide and REvil ransomware-as-a-service cybercrime affiliate programs.]

Many security experts said they suspected DarkSide was just laying low for a while thanks to the heat from the Colonial attack, and that the group would re-emerge under a new banner in the coming months. And while that may be true, the seizure announced today by the DOJ certainly supports the DarkSide administrator’s claims that their closure was involuntary.

Security firms have suspected for months that the DarkSide gang shares some leadership with that of REvil, a.k.a. Sodinokibi, another ransomware-as-a-service platform that closed up shop in 2019 after bragging that it had extorted more than $2 billion from victims. That suspicion was solidified further when the REvil administrator added his comments to the announcement about DarkSide’s closure (see screenshot above).

First surfacing on Russian language hacking forums in August 2020, DarkSide is a ransomware-as-a-service platform that vetted cybercriminals can use to infect companies with ransomware and carry out negotiations and payments with victims. DarkSide says it targets only big companies, and forbids affiliates from dropping ransomware on organizations in several industries, including healthcare, funeral services, education, public sector and non-profits. According to an analysis published May 18 by cryptocurrency security firm Elliptic, 47 cybercrime victims paid DarkSide a total of $90 million in Bitcoin, putting the average ransom payment of DarkSide victims at just shy of $2 million.

HOW DID THEY DO IT?

The DOJ’s announcement left open the question of how exactly it was able to recover a portion of the payment made by Colonial, which shut down its Houston to New England fuel pipeline for a week and prompted long lines, price hikes and gas shortages at filling stations across the nation. The DOJ said law enforcement was able to track multiple transfers of bitcoin and identify that approximately 63.7 bitcoins (~$3.77 million on May 8), “representing the proceeds of the victim’s ransom payment, had been transferred to a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.”

[Screenshot caption: A passage from the DOJ’s press release today.]

How it came to have that private key is the key question. Nicholas Weaver, a lecturer at the computer science department at University of California, Berkeley, said the most likely explanation is that law enforcement agents seized money from a specific DarkSide affiliate responsible for bringing the crime gang the initial access to Colonial’s systems. “The ‘obtained the private key’ part of their statement is doing a lot of work,” Weaver said, pointing out that the amount the FBI recovered was less than the full amount Colonial paid. “It is ONLY the Colonial Pipeline ransom, and it looks to be only the affiliate’s take.”

Experts at Elliptic came to the same conclusion. “Any ransom payment made by a victim is then split between the affiliate and the developer,” writes Elliptic’s co-founder Tom Robinson. “In the case of the Colonial Pipeline ransom payment, 85% (63.75 BTC) went to the affiliate and 15% went to the DarkSide developer.”

The Biden administration is under increasing pressure to do something about the epidemic of ransomware attacks. In conjunction with today’s action, the DOJ called attention to the wins of its Ransomware and Digital Extortion Task Force, which have included successful prosecutions of crooks behind such threats as the Netwalker and SamSam ransomware strains. The DOJ also released a June 3 memo from Deputy Attorney General Lisa O. Monaco instructing all federal prosecutors to adhere to new guidelines that seek to centralize reporting about ransomware victims.

Having a central place for law enforcement and intelligence agencies to gather and act on ransomware threats was one of the key recommendations of a ransomware task force being led by some of the world’s top tech firms. In an 81-page report, the industry-led task force called for an international coalition to combat ransomware criminals, and for a global network of investigation hubs. Their recommendations focus mainly on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes.

 Time to Patch

Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks. June’s Patch Tuesday addresses just 49 security holes — about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks. Among the zero-days are:

– CVE-2021-33742, a remote code execution bug in a Windows HTML component
– CVE-2021-31955, an information disclosure bug in the Windows Kernel
– CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
– CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
– CVE-2021-31201, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
– CVE-2021-31199, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider

Kevin Breen, director of cyber threat research at Immersive Labs, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access. “This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools,” Breen said. “The ‘exploit detected’ tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches.”

Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. CVE-2021-31959 affects everything from Windows 7 through Windows 10 and Server versions 2008, 2012, 2016 and 2019. SharePoint also got a critical update in CVE-2021-31963; Microsoft says this one is less likely to be exploited, but then critical SharePoint flaws are a favorite target of ransomware criminals.

Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited. “Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim’s machine, the attacker is able to gain arbitrary code execution,” said Christopher Hass, director of information security and research at Automox. “There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended.”

In addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including Adobe Connect, Photoshop, and Creative Cloud. The full list is here, with links to updates.

The usual disclaimer: Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files. So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. For a quick visual breakdown of each update released today and its severity level, check out this Patch Tuesday post from the SANS Internet Storm Center.

 Security Culture

The US Cyber Games is a hunt for 20 elite American cyber pros, ages 18 to 26, who will be part of the first-ever US Cyber Team and represent the US at the International Cyber Competition in Greece.

 Govt., Critical Infrastructure

One element of President Biden’s executive order on cybersecurity establishes a Cyber Safety Review Board (CSRB) to investigate major incidents involving government computers.

 Malware and Vulnerabilities

Initially, it was distributed via spam and exploit kits such as Spelevo and RIG. Attackers later switched from spam campaigns to compromised sites that trick victims into downloading the malware.

 Malware and Vulnerabilities

SteamHide abuses the gaming platform Steam to serve payloads for malware downloaders. Malware operators can also update already infected machines by adding new profile images to Steam.

 Malware and Vulnerabilities

The injector used by the malware is also obfuscated with a compiler-based technique named control flow flattening, which modifies the normal flow of the program and makes static analysis impossible.

 Malware and Vulnerabilities

Cluster25 found a new SkinnyBoy malware that has been used by the APT28 group in multiple spear-phishing campaigns against military and government institutions in the U.S. and Europe. The malware has a low level of sophistication; however, it cannot be taken lightly, as it could be in an early stage of development.

 Expert Blogs and Opinion

The first bad thing that can make lots of other bad things happen is to block communication to the device, since it makes it unusually difficult to fly up to troubleshoot on the remote end.

 Threat Actors

TeamTNT is targeting the credentials of 16 cloud-based platforms, including AWS and Google Cloud, which it uses for its illegitimate cryptojacking operations. Organizations are advised to proactively block the network connections and C2 endpoints associated with TeamTNT.

 Feed

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read or write either text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via a Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack, and more.

 Feed

Red Hat Security Advisory 2021-2285-01 - This is a kernel live patch module which is automatically loaded by the RPM post-install script to modify the code of a running kernel. Issues addressed include a use-after-free vulnerability.

 Feed

Red Hat Security Advisory 2021-2280-01 - Nettle is a cryptographic library that is designed to fit easily in almost any context: In crypto toolkits for object-oriented languages, such as C++, Python, or Pike, in applications like LSH or GNUPG, or even in kernel space.

 Feed

In a major blow, the U.S. Department of Justice on Monday said it has recovered 63.7 bitcoins (currently valued at $2.3 million) paid by Colonial Pipeline to the DarkSide ransomware extortionists on May 8, pursuant to a seizure warrant that was authorized by the Northern District of California. The ransomware attack also hobbled the pipeline company's fuel supply, prompting the government to

 Feed

Four security vulnerabilities discovered in the Microsoft Office suite, including Excel and Office online, could be potentially abused by bad actors to deliver attack code via Word and Excel documents. "Rooted from legacy code, the vulnerabilities could have granted an attacker the ability to execute code on targets via malicious Office documents, such as Word, Excel and Outlook," researchers

 Feed

Apple on Monday announced a number of privacy and security-centric features to its upcoming versions of iOS and macOS at its all-online Worldwide Developers Conference. Here is a quick look at some of the big-ticket changes that are expected to debut later this fall: 1 — Just Patches, Not Entire OS Update Every Time: As rumored before, users now have a choice between two software update versions

 Feed

In a huge sting operation, the U.S. Federal Bureau of Investigation (FBI) and Australian Federal Police (AFP) ran an "encrypted chat" service called ANoM for almost 3 years to intercept 27 million messages between criminal gang members globally. Dubbed Operation Ironside (AFP), Operation Greenlight (Europol), and Operation Trojan Shield (FBI), the long-term covert probe into transnational and

Aggregator history: Tuesday, June 08, 2021