Network Security

  • Undocumented driver-based browser hijacker RedDriver targets Chinese speakers and internet cafes

    July 11, 2023

    Cisco Talos has identified multiple versions of an undocumented malicious driver named “RedDriver,” a driver-based browser hijacker that uses the Windows Filtering Platform (WFP) to intercept browser traffic. RedDriver has been active since at least 2021. RedDriver utilizes HookSignTool to forge its signature timestamp to bypass Windows driver-signing policies. Read more… Source: Talos  

  • FortiOS/FortiProxy – Proxy mode with deep inspection – Stack-based buffer overflow

    July 11, 2023

    A stack-based overflow vulnerability in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. Workaround: Disable deep inspection on proxy policies or firewall policies with proxy mode. Read more… Source: FortiGuard Labs/Fortinet  

  • CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants

    July 6, 2023

    Today, the Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigations (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Canadian Centre for Cyber Security (CCCS) released a joint Cybersecurity Advisory (CSA), Increased Truebot Activity Infects U.S. and Canada Based Networks, to help organizations detect and protect against newly identified Truebot malware ...

  • Thousands of Fortinet firewalls are unpatched against this serious security bug, so patch now

    July 4, 2023

    Hundreds of thousands of FortiGate firewalls are yet to be patched against a flaw being actively used in the wild, experts have revealed. Cybersecurity researchers from Bishop Fox recently used the search engine for internet-connected devices to look for servers with HTTPS responses that suggested the software was outdated. The results brought back almost 490,000 ...

  • A proxyjacking campaign is looking for vulnerable SSH servers

    June 30, 2023

    A researcher at Akamai has posted a blog about a worrying new trend -proxyjacking – where criminals sell your bandwidth to a third-party proxy service. To understand how proxyjacking works, we’ll need to explain a few things. There are several legitimate services that pay users to share their surplus Internet bandwidth, such as Peer2Profit and HoneyGain. ...

  • Rosenergoatom official says Zaporozhye NPP has to deal with daily cyberattacks

    June 15, 2023

    Every day, the Zaporozhye nuclear power plant (ZNPP) has to deal with cyberattacks, an adviser to the director general of Russia’s Rosenergoatom nuclear power engineering company has said. “Every day, networks of the Rosenergoatom concern, of the Rosatom state corporation and of the plant’s operating company, JSC Zaporozhye NPP, are subjected to powerful DDoS attacks,” Renat ...

  • Adversaries increasingly using vendor and contractor accounts to infiltrate networks

    June 6, 2023

    The software supply chain has become a key security focus for many organizations, but the risks associated with supply chain attacks are often misunderstood. High-profile incidents like those reported by 3CX and MSI routinely grab headlines, continuing a trajectory of big-name security events that involve one specific aspect of the supply chain – software. Successful software-focused ...

  • Satacom delivers browser extension that steals cryptocurrency

    June 5, 2023

    Satacom downloader, also known as LegionLoader, is a renowned malware family that emerged in 2019. It is known to use the technique of querying DNS servers to obtain the base64-encoded URL in order to receive the next stage of another malware family currently distributed by Satacom. The Satacom malware is delivered via third-party websites. Some of ...

  • Warning issued over ‘widespread’ exploitation of Zyxel NAS devices

    June 1, 2023

    Security researchers at two companies have issued warnings over ‘widespread’ exploitation of Zyxel network devices. Researchers at Rapid7 raised the alarm over the ongoing exploitation of a critical authenticated command injection vulnerability, tracked as CVE-2023-28771, that was found to affect multiple Zyxel devices. Read more… Source: ITPro  

  • Tomiris called, they want their Turla malware back

    April 24, 2023

    Kaspersky introduced Tomiris to the world in September 2021, following their investigation of a DNS-hijack against a government organization in the Commonwealth of Independent States (CIS). Kaspersky researchers initial report described links between a Tomiris Golang implant and SUNSHUTTLE (which has been associated to NOBELIUM/APT29/TheDukes) as well as Kazuar (which has been associated to Turla); ...