Cybercrime Gang Uses Screenlogger to Identify High-Value Targets in US, Germany
A recently identified, financially motivated threat actor is targeting companies in the United States and Germany with custom malware, including a screenlogger it uses for reconnaissance, Proofpoint reports. Tracked as TA866, the adversary appears to have started the infection campaign in October 2022, with the activity continuing into January 2023. As part of the campaign, […]

Backdoor Targets FreePBX Asterisk Management Portal
Written in PHP and JavaScript, FreePBX is a web-based open-source GUI that manages Asterisk, a voice over IP and telephony server. This open-source software allows users to build customer phone systems. During a recent investigation, I came across a simple piece of malware targeting FreePBX’s Asterisk Management portal which allowed attackers to arbitrarily add and […]

Gootkit: the cautious Trojan
Gootkit is complex multi-stage banking malware that was first discovered by Doctor Web in 2014. Initially it was distributed via spam and exploit kits such as Spelevo and RIG. Alongside spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware. Gootkit is […]

Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems
By RonJay Caragay, Fe Cureg, Ian Lagrazon, Erika Mendoza, and Jay Yaneza (Threats Analysts)
Adware isn’t new, and it doesn’t spark much interest. A lot of it is overlooked and underestimated because it isn’t supposed to cause harm — as the name suggests, adware is advertising-supported software. However, we have constantly observed suspicious activities caused […]

CVE-2019-7238: Insufficient Access Controls in Sonatype Nexus Repository Manager 3 Allows Remote Code Execution
By Govind Sarda and Raghvendra Mishra
A critical remote code execution (RCE) vulnerability (CVE-2019-7238) was found in Sonatype’s Nexus Repository Manager (NXRM) 3, an open-source project that allows developers, such as DevOps professionals, to manage the software components required for software development, application deployment, and automated hardware provisioning. This vulnerability in NXRM 3, which reportedly […]

CVE-2018-3211: Java Usage Tracker Local Elevation of Privilege on Windows
We found a design flaw/weakness in Java Usage Tracker that can enable attackers to create arbitrary files, inject attacker-specified parameters, and elevate local privileges. In turn, these can be chained to escalate privileges and access resources in affected systems that are normally protected or restricted to other applications or users. We’ve worked […]

Obfuscated JavaScript Cryptominer
During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, we found that cryptominers were running on visitors’ computers when they accessed our customer’s website. We have previously discussed how cryptomining can happen in many covert ways. In this post, we will show you how malicious code […]

Uncovering Unknown Threats With Human-Readable Machine Learning
Dr. Marco Balduzzi, Senior Researcher, Forward-Looking Threat Research Team
Aided by machine learning, we analyzed data on 3 million software downloads from hundreds of thousands of internet-connected machines. In our previous blog posts for this three-part series, we explored key aspects of software downloads in the wild. We looked into the major domains from which different […]

Code Execution Flaws Found in ManageEngine Products
Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine. ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 companies. Earlier this year, Digital Defense reported finding several potentially serious […]

Mitigating CVE-2017-5689, an Intel Management Engine Vulnerability
By Vít Šembera (Threat Researcher)
Intel recently released a security advisory detailing several security flaws in its Management Engine (ME). The advisory provides critical ME, Trusted Execution Technology (TXT), and Server Platform Services (SPS) firmware updates for versions 8.X-11.X covering multiple CVE IDs, with CVSS scores between 6.7 and 8.2. But there is also another notable […]

Autodesk’s A360 Drive Abused to Deliver Adwind, Remcos, Netwire RATs
By Jaromir Horejsi (Threats Analyst)
Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even serving as part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications. We saw a similar—albeit a […]

Hundreds of Java Flaws Patched by Schneider in Trio TView Software
Energy management and automation solutions giant Schneider Electric was informed by a researcher that its Trio TView software uses a version of Java that was released in 2011 and is affected by hundreds of vulnerabilities.

Stop using password manager browser extensions
It’s been over a year since I presented on LostPass at ShmooCon, and in that time many more bugs have been found in password managers, the most severe of which are in browser-based password manager extensions such as LastPass. Tavis Ormandy yesterday demonstrated remote code execution on the latest LastPass version. This isn’t the […]

KopiLuwak: A New JavaScript Payload from Turla
On 28 January 2017, John Lambert of Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a “very interesting .JS backdoor”. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and a specific macro variant. This is a technique we’ve observed before with Turla’s ICEDCOFFEE payloads, detailed in a […]

From RAR to JavaScript: Ransomware Figures in the Fluctuations of Email Attachments
By Lala Manly, Maydalene Salvador, and Ardin Maglalang
Why is it critical to stop ransomware at the gateway layer? Because email is the top entry point used by prevalent ransomware families. Based on our analysis, 71% of known ransomware families arrive via email. While there’s nothing new about the use of spam, ransomware distributors continue to employ this infection […]

POWELIKS Levels Up With New Autostart Mechanism
Last August, we wrote about POWELIKS’s malware routines, which are known for hiding malicious code in registry entries as part of its evasion tactics. In the newer samples we spotted, malware detected as TROJ_POWELIKS.B employs a new autostart mechanism and removes users’ privileges to view the registry’s contents. As a result, users won’t be able to suspect that […]

More information
- Feds move to stop social media mockery of nursing home residents
- Horrors of murky TrueCrypt to be probed once more
- Microsoft Internet Explorer CVE-2017-8618 Remote Code Execution Vulnerability
- UK Regulator Issues Advice on ‘Consent’ Within GDPR
- If you connect it, protect it
- BrandPost: Managing PC mishaps: 4 reasons to prepare for the unexpected
- EU Regulators Raise Concerns over Yahoo and WhatsApp
- Emergency Database Maintenance
- Staying Home? McAfee Report Shows Malware May Come Knocking
- Class Action Lawsuit Filed Against Marriott Over New Data Breach