Last updated at Wed, 25 Jan 2023 20:23:13 GMT

Emergent threats evolve quickly, and as we learn more about this vulnerability, this blog post will evolve, too.

Rapid7 is responding to various compromises arising from the exploitation of CVE-2022-47966, a pre-authentication remote code execution (RCE) vulnerability impacting at least 24 on-premise ManageEngine products.…

Read More

Mandiant is tracking a suspected China-nexus campaign believed to have exploited a recently announced vulnerability in Fortinet’s FortiOS SSL-VPN, CVE-2022-42475, as a zero-day. Evidence suggests the exploitation was occurring as early as October 2022 and identified targets include a European government entity and a managed service provider located in Africa.…

Read More

Over the past few weeks, the Huntress team has been tracking the recent conversations surrounding supposed ConnectWise Control vulnerabilities and alleged in-the-wild exploitation.

We have been in contact with both the ConnectWise CISO and security team, as well as the security researcher reporting on this. While there has since been some chatter and news articles, we would like to use this article to share our own perspective.…

Read More

At the end of November 2022, experts from Bitdefender Labs started to notice an increase in attacks using ProxyNotShell/OWASSRF exploits chains to target on-premises Microsoft Exchange deployments. SSRF attacks on Microsoft Exchange servers are some of the most popular and routinely exploited vulnerabilities. We decided to release a technical advisory describing these attacks, but also documenting some of the recent attacks that we’ve detected in the wild. …

Read More

Written by Jon DiMaggio.

Table of Contents

I gotta story to tell…

The LockBit ransomware gang is one of the most notorious organized cybercrime syndicates that exists today. The gang is behind attacks targeting private-sector corporations and other high-profile industries worldwide. News and media outlets have documented many LockBit attacks, while security vendors offer technical assessments explaining how each occurred.…

Read More

Throughout 2022, Deep Instinct observed various combinations of polyglot files with malicious JARs.

The initial technique dates to around 2018 when it used signed MSI files to bypass Microsoft code signing verification. A year later, in 2019, Virus Total wrote about the MSI+JAR polyglot technique. Microsoft decided not to fix the issue at that time.…

Read More

Affected Platforms: FortiOSImpacted Users: Government & large organizationsImpact: Data loss and OS and file corruptionSeverity Level: High

Fortinet has published CVSS: Critical advisory FG-IR-22-398 / CVE-2022-42475 on Dec 12, 2022. The following writeup details our initial investigation into this malware and additional IoCs identified during our ongoing analysis.…

Read More

Executive Summary

This paper investigates a recent QakBot phishing campaign’s ability to evade Mark-of-the-Web (MoTW) security features, allowing for escape from the designated security zone and  successful installation of malicious software on victim device.. Key observations:

EclecticIQ analysts investigated QakBot phishing campaigns switching to a Zero-Day Vulnerability to evade Windows Mark of the Web (MoTW).…

Read More
In December 2022, CrowdStrike reported on a campaign by SCATTERED SPIDER, targeting organizations within the telecom and business process outsourcing (BPO) sectors with an end objective of gaining access to mobile carrier networks. In the weeks since that post, the CrowdStrike Falcon® platform prevented a novel attempt by SCATTERED SPIDER to deploy a malicious kernel driver through a vulnerability (CVE-2015-2291) in the Intel Ethernet diagnostics driver.…
Read More

Since October 2022, we’ve been observing multiple malware types delivered via a new dropper strain that we are referring to as “NeedleDropper”. Its name references one of the ways the dropper stores data. NeedleDropper is not just a single executable, it carries several files which together create a malicious execution, extracting files to decrypt and inject malicious code.…

Read More

The Wordfence Threat Intelligence team has been tracking exploits targeting a Critical Severity Arbitrary File Upload vulnerability in YITH WooCommerce Gift Cards Premium, a plugin with over 50,000 installations according to the vendor.

The vulnerability, reported by security researcher Dave Jong and publicly disclosed on November 22, 2022, impacts plugin versions up to and including 3.19.0 and allows unauthenticated attackers to upload executable files to WordPress sites running a vulnerable version of the plugin.…

Read More

Beware of What Is Lurking in the Shadows of Your IT

Five Stages of a Ransomware Attack, during one ransomware incident X-Force uncovered an entrenched advanced adversary that was leveraging a Shadow IT bridged network to maintain access to two organizations for over a year.

During the investigation, X-Force identified the ransomware attack was contained within a single domain of the multi-domain forest.…

Read More

NOTE: In this blog, Zerobot refers to a botnet that spreads primarily through IoT and web application vulnerabilities. It is not associated with the chatbot ZeroBot.ai.

Botnet malware operations are a constantly evolving threat to devices and networks. Threat actors target Internet of Things (IoT) devices for recruitment into malicious operations as IoT devices’ configurations often leave them exposed, and the number of internet-connected devices continue to grow.…

Read More

Cloud Atlas (or Inception) is a cyber-espionage group. Since its discovery in 2014, they have launched multiple, highly targeted attacks on critical infrastructure across geographical zones and political conflicts. The group’s tactics, techniques and procedures (TTPs) have remained relatively static over the years. However, since the rapid escalation of the conflict between Russia and Ukraine in 2021 and especially after the outbreak of war in February 2022, the scope of the group’s activities has narrowed significantly, with a clear focus on Russia, Belarus and conflicted areas in Ukraine and Moldova.…

Read More

In October 2022, Juniper Threat Labs discovered a backdoor implanted on a VMware ESXi virtualization server. Since 2019, unpatched ESXi servers have been targets of ongoing in-the-wild attacks based on two vulnerabilities in the ESXi’s OpenSLP service: CVE-2019-5544 and CVE-2020-3992. Unfortunately, due to limited log retention on the compromised host we investigated, we can’t be sure which vulnerability allowed hackers access to the server.…

Read More