Src |
Date (GMT) |
Titre |
Description |
Tags |
Stories |
Notes |
|
2021-12-13 11:15:09 |
CVE-2021-24863 (lien direct) |
The WP Block and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection Plugin StopBadBots WordPress plugin before 6.67 does not sanitise and escape the User Agent before using it in a SQL statement to save it, leading to a SQL injection |
Spam
Guideline
|
|
|
|
2021-12-08 16:00:01 |
Fight back against spam calls with this subscription to the RoboKiller app (lien direct) |
RoboKiller will nip those annoying, automated calls in the bud. Now it's available for a discount on a five-year subscription. |
Spam
|
|
|
|
2021-12-08 15:47:28 |
Credential-Harvesting Phishing Campaign Urges Review of Spam (lien direct) |
Researchers at MailGuard have observed a phishing campaign that's using phony “spam notification” emails that purport to come from Microsoft Office 365. The emails tell recipients that an important-looking email has been sent to their spam folder, and they'll need to click a link to view the supposed message. |
Spam
|
|
|
|
2021-12-05 11:07:37 |
Convincing Microsoft phishing uses fake Office 365 spam alerts (lien direct) |
A persuasive and ongoing series of phishing attacks are using fake Office 365 notifications asking the recipients to review blocked spam messages, with the end goal of stealing their Microsoft credentials. [...] |
Spam
|
|
|
|
2021-12-03 07:46:29 |
Talos Takes Ep. #79: Emotet\'s back with the worst type of holiday present (lien direct) |
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Emotet is back, and it brought the worst possible holiday present (just in time for peak spam season, too!). We...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
|
|
|
|
2021-12-02 15:28:25 |
Twitter removes 3,400 accounts used in govt propaganda campaigns (lien direct) |
Twitter today announced the permanent removal of more than 3,400 accounts linked to governments of six countries running manipulation or spam campaigns. [...] |
Spam
|
|
|
|
2021-11-23 20:30:00 |
Anomali Cyber Watch: APT, Emotet, Iran, RedCurl and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Data breach, Data leak, Malspam, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Emotet malware is back and rebuilding its botnet via TrickBot
(published: November 15, 2021)
After Europol enforcement executed a takeover of the Emotet infrastructure in April 2021 and German law enforcement used this infrastructure to load a module triggering an uninstall of existing Emotet installs, new Emotet installs have been detected via initial infections with TrickBot. These campaigns and infrastructure appear to be rapidly proliferating. Once infected with Emotet, in addition to leveraging the infected device to send malspam, additional malware can be downloaded and installed on the victim device for various purposes, including ransomware. Researchers currently have not seen any spamming activity or any known malicious documents dropping Emotet malware besides from TrickBot. It is possible that Emotet is using Trickbot to rebuild its infrastructure and steal email chains it will use in future spam attacks.
Analyst Comment: Phishing continues to be a preferred method for initial infection by many actors and malware families. End users should be cautious with email attachments and links, and organizations should have robust endpoint protections that are regularly updated.
***For Anomali ThreatStream Customers***
To assist in helping the community, especially with the online shopping season upon us, Anomali Threat Research has made available two, threat actor-focused dashboards: Mummy Spider and Wizard Spider, for Anomali ThreatStream customers. The Dashboards are preconfigured to provide immediate access and visibility into all known Mummy Spider and Wizard Spider indicators of compromise (IOCs) made available through commercial and open-source threat feeds that users manage on ThreatStream.
MITRE ATT&CK: [MITRE ATT&CK] Phishing - T1566 | [MITRE ATT&CK] Shared Modules - T1129 | [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Ingress Tool Transfer - T1105 | [MITRE ATT&CK] Automated Collection - T1119
Tags: Emotet, Trickbot, phishing, ransomware
Wind Turbine Giant Offline After Cyber Incident
(published: November 22, 2021)
The internal IT systems for Vestas Wind Systems, the world's largest manufacturer of wind turbines, have been hit by an attack. This attack does not appear to have affected their manufacturing or supply chain, and recovery of affected systems is underway, although a number of systems remain off as a precaution. The company has announced that some data has been compromised. The investigation of this incident is ongoing, but may have been a ransomware attack. The incidents of ransomware across the globe increased by near |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Patching
|
|
|
|
2021-11-22 05:01:13 |
Back from the dead: Emotet re-emerges, begins rebuilding to wrap up 2021 (lien direct) |
Executive summary
Emotet has been one of the most widely distributed threats over the past several years. It has typically been observed being distributed via malicious spam email campaigns, and often leads to additional malware infections as it provides threat actors with an initial foothold in an...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
Malware
Threat
Guideline
|
|
|
|
2021-11-22 03:47:12 |
Hackers Exploiting ProxyLogon and ProxyShell Flaws in Spam Campaigns (lien direct) |
Threat actors are exploiting ProxyLogon and ProxyShell exploits in unpatched Microsoft Exchange Servers as part of an ongoing spam campaign that leverages stolen email chains to bypass security software and deploy malware on vulnerable systems.
The findings come from Trend Micro following an investigation into a number of intrusions in the Middle East that culminated in the distribution of a |
Spam
Malware
|
|
|
|
2021-11-16 18:07:17 |
Here are the new Emotet spam campaigns hitting mailboxes worldwide (lien direct) |
The Emotet malware kicked into action yesterday after a ten-month hiatus with multiple spam campaigns delivering malicious documents to mailboxes worldwide. [...] |
Spam
Malware
|
|
|
|
2021-11-16 14:28:03 |
RansomOps: Detecting Complex Ransomware Operations (lien direct) |
In a recent blog post we discussed how today's more complex RansomOps attacks are more akin to stealthy APT-like operations than the old “spray and pray” mass email spam campaign of old, and how there are multiple players from the larger Ransomware Economy at work, each with their own specializations. |
Ransomware
Spam
|
|
|
|
2021-11-15 15:04:23 |
(Déjà vu) Emotet malware is back and rebuilding its botnet via TrickBot (lien direct) |
The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. [...] |
Spam
Malware
|
|
|
|
2021-11-15 15:04:23 |
The Emotet malware is back and rebuilding its botnet via TrickBot (lien direct) |
The Emotet malware was considered the most widely spread malware in the past, using spam campaigns and malicious attachments to distribute the malware. [...] |
Spam
Malware
|
|
|
|
2021-11-15 09:22:00 |
FBI Fixes Misconfigured Server After Hoax Email Alert (lien direct) |
Spam sent from FBI address warned of imminent cyber-threat |
Spam
|
|
|
|
2021-11-15 01:07:00 |
Il a humilié le FBI en utilisant son domaine pour envoyer du spam (lien direct) |
Un hacker a profité de la mauvaise configuration d'un site web de l'agence fédérale pour envoyer de faux messages. Un hoax pas bien méchant, mais quand même sacrément vexant. |
Spam
|
|
★★★
|
|
2021-11-13 22:46:53 |
Hoax Email Blast Abused Poor Coding in FBI Website (lien direct) |
The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities. |
Spam
|
|
|
|
2021-11-13 22:35:26 |
Hundreds of thousands of fake warnings of cyberattacks sent from a hacked FBI email server (lien direct) |
Threat actors hacked email servers of the FBI to distribute spam email impersonating FBI warnings of fake cyberattacks. The email servers of the FBI were hacked to distribute spam email impersonating the Department of Homeland Security (DHS) warnings of fake sophisticated chain attacks from an advanced threat actor. The message tells the recipients that their […]
|
Spam
Threat
|
|
|
|
2021-11-13 13:36:16 |
FBI system hacked to email \'urgent\' warning about fake cyberattacks (lien direct) |
The Federal Bureau of Investigation (FBI) email servers were hacked to distribute spam email impersonating FBI warnings that the recipients' network was breached and data was stolen. [...] |
Spam
|
|
|
|
2021-11-11 16:34:07 |
Windows 10 App Installer abused in BazarLoader malware attacks (lien direct) |
The TrickBot gang operators are now abusing the Windows 10 App Installer to deploy their BazarLoader malware on the systems of targets who fall victim to a highly targeted spam campaign. [...] |
Spam
Malware
|
|
|
|
2021-11-08 18:15:09 |
CVE-2021-24731 (lien direct) |
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.7.1.6 does not properly escape user data before using it in a SQL statement in the wp-json/pie/v1/login REST API endpoint, leading to an SQL injection. |
Spam
Guideline
|
|
|
|
2021-11-08 18:15:08 |
CVE-2021-24647 (lien direct) |
The Registration Forms – User profile, Content Restriction, Spam Protection, Payment Gateways, Invitation Codes WordPress plugin before 3.1.7.6 has a flaw in the social login implementation, allowing unauthenticated attacker to login as any user on the site by only knowing their user ID or username |
Spam
|
|
|
|
2021-11-02 17:03:52 |
Signal Working on Improving Anti-Spam Capabilities (lien direct) |
Privacy-focused communication platforms Signal is sharing information on the improvements it has made to its spam-prevention capabilities.
The task of keeping spam out of user's inboxes, Signal says, is more difficult compared to other messaging services, because the company does not have access to the contents of messages, and has to fight spam without social graphs.
|
Spam
|
|
|
|
2021-11-01 17:55:04 |
Signal now lets you report and block spam messages (lien direct) |
Signal has added an easy way for users to report and block spam straight from message request screens with a single mouse click. [...] |
Spam
|
|
|
|
2021-11-01 12:00:26 |
Spam and phishing in Q3 2021 (lien direct) |
This report contains spam and phishing statistics for Q3 2021, plus descriptions of scams linked to the Olympics, Euro 2020, COVID-19, and other relevant events. |
Spam
|
|
|
|
2021-10-28 11:00:00 |
Threat Source newsletter (Oct. 28, 2021) (lien direct) |
Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.
Most people know about chicken and waffles. But what about squirrel and waffles? They may not be the most appetizing brunch, but they are teaming up for one heck of a spam campaign.
We have new research out...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
|
|
|
|
2021-10-27 11:15:00 |
HM Treasury Hit by Five Million Malicious Emails in Past Three Years (lien direct) |
A total of 4,870,389 phishing, malware and spam emails targeting HM Treasury were blocked in the past three years |
Spam
Malware
|
|
|
|
2021-10-27 06:47:55 |
Hackers Using Squirrelwaffle Loader to Deploy Qakbot and Cobalt Strike (lien direct) |
A new spam email campaign has emerged as a conduit for a previously undocumented malware loader that enables the attackers to gain an initial foothold into enterprise networks and drop malicious payloads on compromised systems.
"These infections are also used to facilitate the delivery of additional malware such as Qakbot and Cobalt Strike, two of the most common threats regularly observed |
Spam
Malware
|
|
|
|
2021-10-26 22:25:05 |
SquirrelWaffle Loader Malspams, Packing Qakbot, Cobalt Strike (lien direct) |
Say hello to what could be the next big spam player: SquirrelWaffle, which is spreading with increasing frequency via spam campaigns and infecting systems with a new malware loader.
|
Spam
Malware
|
|
|
|
2021-10-26 05:01:17 |
SQUIRRELWAFFLE Leverages malspam to deliver Qakbot, Cobalt Strike (lien direct) |
By Edmund Brumaghin, Mariano Graziano and Nick Mavis.
Executive summary
Recently, a new threat, referred to as "SQUIRRELWAFFLE" is being spread more widely via spam campaigns, infecting systems with a new malware loader. This is a malware family that's been spread with increasing regularity and...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
Malware
|
|
|
|
2021-10-25 16:15:08 |
CVE-2021-37624 (lien direct) |
FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.7, FreeSWITCH does not authenticate SIP MESSAGE requests, leading to spam and message spoofing. By default, SIP requests of the type MESSAGE (RFC 3428) are not authenticated in the affected versions of FreeSWITCH. MESSAGE requests are relayed to SIP user agents registered with the FreeSWITCH server without requiring any authentication. Although this behaviour can be changed by setting the `auth-messages` parameter to `true`, it is not the default setting. Abuse of this security issue allows attackers to send SIP MESSAGE messages to any SIP user agent that is registered with the server without requiring authentication. Additionally, since no authentication is required, chat messages can be spoofed to appear to come from trusted entities. Therefore, abuse can lead to spam and enable social engineering, phishing and similar attacks. This issue is patched in version 1.10.7. Maintainers recommend that this SIP message type is authenticated by default so that FreeSWITCH administrators do not need to be explicitly set the `auth-messages` parameter. When following such a recommendation, a new parameter can be introduced to explicitly disable authentication. |
Spam
Guideline
|
|
|
|
2021-10-22 08:31:00 |
Over 80% of Brits Deluged with Scam Calls and Texts (lien direct) |
Summer of spam sees scammers ramp-up their fraud campaigns |
Spam
|
|
|
|
2021-10-19 15:00:00 |
Anomali Cyber Watch: FIN12 Ramps-Up in Europe, Interactsh Being Used For Malicious Purposes, New Yanluowang Ransomware and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, Metasploit, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Harvester: Nation-State-Backed Group Uses New Toolset To Target Victims In South Asia
(published: October 18, 2021)
A new threat group dubbed ‘Harvester’ has been found attacking organizations in South Asia and Afghanistan using a custom toolset composed of both public and private malware. Given the nature of the targets, which include governments, IT and Telecom companies, combined with the information stealing campaign, there is a high likelihood that this group is Nation-State backed. The initial infection method is unknown, but victim machines are directed to a URL that checks for a local file (winser.dll). If it doesn’t exist, a redirect is performed for a VBS file to download and run; this downloads and installs the Graphon backdoor. The command and control (C2) uses legitimate Microsoft and CloudFront services to mask data exfiltration.
Analyst Comment: Nation-state threat actors are continually evolving their tactics, techniques and tools to adapt and infiltrate victim governments and/or companies. Ensure that employees have a training policy that reflects education on only downloading programs or documents from known, trusted sources. It is also important to notify management and the proper IT department if you suspect malicous activity may be occurring.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection - T1055 | [MITRE ATT&CK] Process Discovery - T1057
Tags: Backdoor.Graphon, Cobalt Strike Beacon, Metasploit
Attackers Are Taking Advantage of the Open-Source Service Interactsh for Malicious Purposes
(published: October 14, 2021)
Unit 42 researchers have observed active exploits related to an open-source service called Interactsh. This tool can generate specific domain names to help its users test whether an exploit is successful. It can be used by researchers - but also by attackers - to validate vulnerabilities via real-time monitoring on the trace path for the domain. Researchers creating a proof-of-concept (PoC) for an exploit can insert "Interactsh" to check whether the exploit is working, but the service could also be used to check if the PoC is working. The tool became publicly available on April 16, 2021, and the first attempts to abuse it were observed soon after, on April 18, 2021.
Analyst Comment: As the landscape changes, researchers and attackers will often use the same tools in order to reach a goal. In this instance, Interact.sh can be used to show if an exploit will work. Dual-use tools are often under fire for being able to validate malicious code, with this being the latest example. If necessary, take precautions and block traffic with interact.sh attached to it within company networks.
Tags: Interactsh, Exploits
|
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Patching
Guideline
|
|
|
|
2021-10-19 11:05:14 |
FCC mulls over new rules demanding carriers block spam robot texts at network level (lien direct) |
The proposal hones in on rising rates of robot texts. |
Spam
|
|
★★★★
|
|
2021-10-15 08:07:16 |
Talos Takes Ep. #73 (NCSAM edition): Fight the phish from land, sea and air (lien direct) |
By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Most people may think of spam as being the classic email promising that you've won the lottery or some great prize,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
|
|
|
|
2021-10-13 15:15:07 |
CVE-2021-34814 (lien direct) |
Proofpoint Spam Engine before 8.12.0-2106240000 has a Security Control Bypass. |
Spam
|
|
|
|
2021-10-11 20:02:40 |
Ukraine Arrests Operator of DDoS Botnet with 100,000 Compromised Devices (lien direct) |
Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers.
The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have |
Spam
|
|
★★★★
|
|
2021-09-28 15:30:00 |
Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious PowerPoint Documents On The Rise
(published: September 22, 2021)
McAfee Labs researchers have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. The sentiment used here is finance related themes such as purchase orders. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. Attackers use this remote access trojan (RAT) as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance
Microsoft Exchange Autodiscover Bugs Leak 100K Windows credentials
(published: September 22, 2021)
According to researchers from Guardicore have found a bug in the implementation of the “Autodiscover'' protocol is causing Microsoft Exchange’s Autodiscovery feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's predefined mail settings. This is causing Windows credentials to be sent to third-party untrusted websites. Researchers have identified that this incorrect implementation has leaked approximately 100,000 login names and passwords for Windows domains worldwide.
Analyst Comment: Administrators are recommended to block TLD domains provided by researchers on github. https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover. Even though most of the domains may not be malicious, adversaries can easily register and take them over. Also organisations are recommended to disable basic authentication.
Tags: EU & UK, China
Netgear SOHO Security Bug Allows RCE, Corporate Attacks
(published: September 22, 2021)
Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers could allow remote c |
Ransomware
Spam
Malware
Vulnerability
Threat
|
|
|
|
2021-09-28 10:00:26 |
Credential Spear-Phishing Uses Spoofed Zix Encrypted Email (lien direct) |
The spoofed email has targeted close to 75K inboxes, slipping past spam and security controls across Office 365, Google Workspace, Exchange, Cisco ESA and more. |
Spam
|
|
|
|
2021-09-27 04:21:35 |
How Does DMARC Prevent Phishing? (lien direct) |
DMARC is a global standard for email authentication. It allows senders to verify that the email really comes from whom it claims to come from. This helps curb spam and phishing attacks, which are among the most prevalent cybercrimes of today. Gmail, Yahoo, and many other large email providers have implemented DMARC and praised its benefits in recent years.
If your company's domain name is |
Spam
|
Yahoo
|
|
|
2021-09-21 16:09:00 |
Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam
Malware
Tool
Vulnerability
Threat
|
|
|
|
2021-09-20 04:00:58 |
A New Wave of Malware Attack Targeting Organizations in South America (lien direct) |
A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research.
Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected |
Spam
Malware
Threat
|
APT-C-36
|
|
|
2021-09-19 12:58:30 |
New "Elon Musk Club" crypto giveaway scam promoted via email (lien direct) |
A new Elon Musk-themed cryptocurrency giveaway scam called the "Elon Musk Mutual Aid Fund" or "Elon Musk Club" is being promoted through spam email campaigns that started over the past few weeks. [...] |
Spam
|
|
|
|
2021-09-17 09:09:15 |
Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th) (lien direct) |
Did this threat really disappear? This isn't a brand new technique to deliver malicious content to mobile devices but it seems that attackers started new waves of spam campaigns based on malicious calendar subscriptions. Being a dad, you can imagine that I always performed security awareness with my daughters. Since they use computers and the Internet, my message was always the same: âDon't be afraid to ask me, there are no stupid questions or shame if you think you did something wrongâ.
|
Spam
Threat
|
|
|
|
2021-09-17 06:11:17 |
US govt sites showing porn, viagra ads share a common software vendor (lien direct) |
Multiple U.S. government sites using .gov and .mil domains have been seen hosting porn and spam content, such as Viagra ads, in the last year. A security researcher noticed all of these sites share a common software vendor, Laserfiche. [...] |
Spam
|
|
|
|
2021-09-16 11:00:00 |
Threat Source newsletter (Sept. 16, 2021) (lien direct) |
Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.
It's a bird, it's a plane, it's a rat!
We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam
|
|
|
|
2021-09-14 15:00:00 |
Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) |
The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware
Spam
Malware
Tool
Vulnerability
Threat
Guideline
|
Uber
APT 41
APT 15
|
|
|
2021-09-07 20:02:45 |
How to delete spam SMS messages and add new blocked numbers on Android (lien direct) |
If you're looking to clear out old spam and blocked SMS messages from Android, Jack Wallen is here to show you how. |
Spam
|
|
|
|
2021-09-06 11:15:08 |
CVE-2021-24517 (lien direct) |
The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed |
Spam
|
|
|
|
2021-08-19 01:07:12 |
How an Obscure Green Bay Packers Site Conquered Facebook (lien direct) |
The social media giant's new transparency report mostly succeeds in showing the extent of its spam problem. |
Spam
|
|
|
|
2021-08-18 20:15:06 |
CVE-2021-1561 (lien direct) |
A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces. |
Spam
Vulnerability
|
|
|