The Strange Case of the Malicious Favicon
During the past year, our Remediation department has seen a large increase in the number of fully spammed sites. The common factors are strangely named and unusually located favicon.ico files, along with the creation of “bak.bak” index files peppered around the website. In the majority of the cases, the pattern is similar regardless of the […]

VirusTotal MultiSandbox += SNDBOX
Today, VirusTotal is happy to welcome SNDBOX to the Multi-sandbox project. SNDBOX is a cloud-based automated malware analysis platform. SNDBOX's advanced dynamic analysis capabilities give additional insights and visibility into a variety of file types. In their own words: SNDBOX is a malware research platform developed by researchers for researchers and provides static, dynamic and network analysis. […]

Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks
By David Fiser
Jenkins is a popular open-source automation server for software development teams. Used for managing the development side in DevOps, the main purpose of Jenkins is to perform tasks, called jobs, such that software project builds are automatically developed in the CI/CD process. Jenkins has a distributed architecture: A master machine manages a […]

SLUB Gets Rid of GitHub, Intensifies Slack Use
By Cedric Pernet, Elliot Cao, Jaromir Horejsi, Joseph C. Chen, William Gamazo Sanchez
Four months ago, we exposed an attack that leveraged a previously unknown malware that Trend Micro named SLUB. The past iteration of SLUB spread from a unique watering hole website exploiting CVE-2018-8174, a VBScript engine vulnerability. It used GitHub and Slack as […]

Turla renews its arsenal with Topinambour
Turla, also known as Venomous Bear, Waterbug, and Uroboros, is a Russian-speaking threat actor known since 2014, but with roots that go back to 2004 and earlier. It is a complex cyberattack platform focused predominantly on diplomatic and government-related targets, particularly in the Middle East, Central and Far East Asia, Europe, North and South […]

Criminals, ATMs and a cup of coffee
In spring 2019, we discovered a new ATM malware sample written in Java that was uploaded to a multiscanner service from Mexico and later from Colombia. After a brief analysis, it became clear that the malware, which we call ATMJaDi, can cash out ATMs. However, it doesn’t use the standard XFS, JXFS or CSC libraries. […]

Using Whitelisting to Remediate an RCE Vulnerability (CVE-2019-2729) in Oracle WebLogic
By Sivathmican Sivakumaran (Vulnerability Researcher)
Oracle WebLogic has recently disclosed and patched remote-code-execution (RCE) vulnerabilities in its software, many of which were due to insecure deserialization. Oracle addressed the most recent vulnerability, CVE-2019-2729, in an out-of-band security patch on June 18, 2019. CVE-2019-2729 was assigned a CVSS score of 9.8, making it a critical vulnerability. […]

CVE-2019-8635: Double Free Vulnerability in Apple macOS Lets Attackers Escalate System Privileges and Execute Arbitrary Code
By Moony Li and Lilang Wu (Threats Analysts)
We discovered a double free vulnerability (assigned as CVE-2019-8635) in macOS. The vulnerability is caused by a memory corruption flaw in the AMD component. If successfully exploited, an attacker can implement privilege escalation and execute malicious code on the system with root privileges. We disclosed our findings […]

AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs
By David Fiser, Jakub Urbanec and Jaromir Horejsi
Misconfiguration is not novel. However, cybercriminals still find that it is an effective way to get their hands on organizations’ computing resources to use for malicious purposes, and it remains a top security concern. In this blog post, we will detail an attack type where an API […]

Yubico Replacing YubiKey FIPS Devices Due to Security Issue
Yubico is in the process of replacing YubiKey FIPS (Federal Information Processing Standards) security keys following the discovery of a potentially serious cryptography-related issue that can cause RSA keys and ECDSA signatures generated on these devices to have reduced strength.

Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor
By Augusto Remillano II
One of our honeypots detected a URL spreading a botnet with a Monero miner bundled with a Perl-based backdoor component. The routine caught our attention as the techniques employed are almost the same as those used in the Outlaw hacking group’s previous operation. During our analysis, we also observed the use […]

Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns
By Hara Hiroaki and Loseway Lu (Threats Analysts)
TA505 is a prolific cybercriminal group known for its attacks against multiple financial institutions and retail companies using malicious spam campaigns and different malware. We have been following TA505 closely and detected various related activities for the past two months. In the group’s latest campaign, they started […]

June’s Patch Tuesday Fixes 88 Security Flaws, Including SandboxEscaper’s Zero Days, HoloLens
Microsoft’s June Patch Tuesday announced the release of 88 vulnerability patches in this month’s security bulletin, as well as four advisories and one servicing stack update. Of the total number of updates, 21 patches were rated critical, 66 as important, and one as moderate. Four of the critical patches included in this release are fixes […]

1.1M Emuparadise Accounts Exposed in Data Breach
If you’re an avid gamer or know someone who is, you might be familiar with the retro gaming site Emuparadise. This website boasts a large community, a vast collection of gaming music, game-related videos, game guides, magazines, comics, video game translations, and more. Unfortunately, news just broke that Emuparadise recently suffered a data breach in […]

Critical Vulnerability Exposes Oil Tank Monitoring Devices to Attacks
A critical vulnerability has been found in oil tank monitoring devices from Tecson/GOK, but the vendor has released a patch and points out that there are less than 1,000 devices that could be affected. Tecson is a Germany-based manufacturer of tank measurement systems, including oil tank displays, level probes, and remote monitoring products.

MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
By Daniel Lunghi and Jaromir Horejsi
We found new campaigns that appear to wear the badge of MuddyWater. Analysis of these campaigns revealed the use of new tools and payloads, which indicates that the well-known threat actor group is continuously developing their schemes. We also unearthed and detailed our other findings on MuddyWater, such as […]

More information
- Microsoft, Juniper, others in coding consortium issue guidelines for safer applications
- Microsoft Windows OpenType Fonts CVE-2015-2459 Remote Code Execution Vulnerability
- What is Virtual Hardening?
- Google Doodle celebrates Douglas Adams and HHGttG – remember, "DON’T PANIC!"
- Intel Is Patching the Patch for the Patch for Its ‘Zombieload’ Flaw
- With one June Patch Tuesday update, Microsoft falls short
- Weak links in the blockchain: We’re neglecting the foundations
- Black Friday: What to watch out for when you hit the stores
- LayerX Raises $11 Million for Browser Security Solution
- Ex-Trump Treasury Secretary’s PE Firm Buys Mobile Security Company Zimperium for $525M