- GhostEmperor: From ProxyLogon to kernel mode
September 30, 2021
While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode rootkit that we dubbed Demodex, and a sophisticated multi-stage malware framework aimed at providing remote control over ...
- Google Emergency Update Fixes Two Chrome Zero Days
September 30, 2021
Google has pushed out an emergency Chrome update to fix yet another pair of zero days – the second pair this month – that are being exploited in the wild. This hoists this year’s total number of zero days found in the browser up to a dozen. On Thursday evening, the web Goliath released the Chrome 94.0.4606.71 ...
- US and EU to cooperate on tech standards, supply chain security and tech development
September 30, 2021
The United States and the European Union have started work on coordinating approaches across various technology areas, including AI and semiconductors, and tackling non-market policies that result in the misuse of technology. The plan was created on Wednesday after US and EU representatives, including US President Joe Biden and European Commission Vice Presidents Valdis Dombrovskis and ...
- Fake Amnesty International Pegasus scanner used to infect Windows
September 30, 2021
Threat actors are trying to capitalize on the recent revelations on Pegasus spyware from Amnesty International to drop a less-known remote access tool called Sarwent. The malware looks and acts the part of a legitimate antivirus solution specially created to scan the system for traces of Pegasus and to remove them. Sarwent-based attacks have been running ...
- NSA-CISA Guidance: Selecting and Hardening Remote Access VPN Solutions
September 30, 2021
Virtual Private Networks (VPNs) allow users to remotely connect to a corporate network via a secure tunnel. Through this tunnel, users can take advantage of the internal services and protections normally offered to on-site users, such as email/collaboration tools, sensitive document repositories, and perimeter firewalls and gateways. Because remote access VPN servers are entry points into protected networks, they ...
- Ransomware gangs are complaining that other crooks are stealing their ransoms
September 30, 2021
Cyber criminals using a ransomware-as-a-service scheme have been spotted complaining that the group they rent the malware from could be using a hidden backdoor to grab ransom payments for themselves. REvil is one of the most notorious and most common forms of ransomware around and has been responsible for several major incidents. The group behind REvil ...
- Russia: CEO of Group-IB cybersecurity firm arrested on ‘high treason’ charges
September 30, 2021
The founder and CEO of Russia’s Group-IB digital security firm has been detained by authorities and charged with high treason, reportedly for passing on secret information to foreign spies in yet another cloak and dagger drama. On Wednesday, a Moscow court ordered that Ilya Sachkov can be detained in custody for two months while prosecutors prepare ...
- Alabama: Baby died because of ransomware attack on hospital
September 30, 2021
An Alabama baby was born with severe brain injury and eventually died due to botched care because her hospital was struggling with a ransomware attack, a lawsuit alleges. The filing is the first credible public claim that someone’s death was caused at least in part by hackers who remotely shut down hospital computers in an extortion ...
- Apple Pay with Visa Hacked to Make Payments via Locked iPhones
September 30, 2021
An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic team from the Universities of Birmingham and ...
- UK MoD data strategy calls for social media surveillance on behalf of ‘local authorities’
September 30, 2021
The Ministry of Defence has published a data strategy that calls on the British armed forces to make better use of its “enduring strategic asset” – by spying on social media and dobbing in dissenters to local councils. In a move bound to fuel tinfoil hat-wearing conspiracy theorists, the MoD’s Data Strategy for Defence document ...
- Mac Users Targeted by Trojanized iTerm2 App
September 30, 2021
Earlier this month, a user on Chinese question-and-answer website Zhihu reported that a search engine result for the keyword “iTerm2” led to a fake website called iterm2.net that mimics the legitimate iterm2.com. A fake version of the iTerm2 app, a macOS terminal emulator, can be downloaded from a link found on iterm2.net. When this app ...
- Credential Harvesting at Scale Without Malware
September 30, 2021
While ransomware and ransomware-as-a-service (RaaS) attacks have dominated much of the cybersecurity community’s discussions over the past several months, criminals and hackers continue to compromise corporate, business and personal emails for financial gain. These scams, business email compromise (BEC) and personal email account compromise (EAC), continue to be the most pervasive and costly reported cyberthreats ...
- DarkHalo after SolarWinds: the Tomiris connection
September 29, 2021
In December 2020, news of the SolarWinds incident took the world by storm. While supply-chain attacks were already a documented attack vector leveraged by a number of APT actors, this specific campaign stood out due to the extreme care taken by the attackers and the high-profile nature of their victims. It is believed that when FireEye ...
- Working Exploit Is Out for VMware vCenter CVE-2021-22005 Flaw
September 28, 2021
A fully working exploit for the critical CVE-2021-22005 remote code-execution (RCE) vulnerability in VMware vCenter is now public and being exploited in the wild. Released on Monday by Rapid7 security engineer William Vu (who goes by the Twitter handle wvu), this one’s different from the incomplete proof-of-concept (PoC) exploit that began making the rounds on Friday. ...
- SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor
September 28, 2021
The threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims’ networks, researchers have found. Researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT it calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb to attack Active Directory Federation Services (AD FS) servers. AD ...