What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2021-10-19 11:05:14 | FCC mulls over new rules demanding carriers block spam robot texts at network level (lien direct) | The proposal hones in on rising rates of robot texts. | Spam | ★★★★ | |
 |
2021-10-15 08:07:16 | Talos Takes Ep. #73 (NCSAM edition): Fight the phish from land, sea and air (lien direct) | By Jon Munshaw.
The latest episode of Talos Takes is available now. Download this episode and subscribe to Talos Takes using the buttons below, or visit the Talos Takes page.
Most people may think of spam as being the classic email promising that you've won the lottery or some great prize,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam | ||
 |
2021-10-13 15:15:07 | CVE-2021-34814 (lien direct) | Proofpoint Spam Engine before 8.12.0-2106240000 has a Security Control Bypass. | Spam | ||
 |
2021-10-11 20:02:40 | Ukraine Arrests Operator of DDoS Botnet with 100,000 Compromised Devices (lien direct) | Ukrainian law enforcement authorities on Monday disclosed the arrest of a hacker responsible for the creation and management of a "powerful botnet" consisting of over 100,000 enslaved devices that was used to carry out distributed denial-of-service (DDoS) and spam attacks on behalf of paid customers.
The unnamed individual, from the Ivano-Frankivsk region of the country, is also said to have |
Spam | ★★★★ | |
 |
2021-09-28 15:30:00 | Anomali Cyber Watch: Microsoft Exchange Autodiscover Bugs Leak 100K Windows Credentials, REvil Ransomware Reemerges After Shutdown, New Mac Malware Masquerades As iTerm2 and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, BlackMatter, Phishing, Malicious PowerPoint, Microsoft Exchange, REvil and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Malicious PowerPoint Documents On The Rise
(published: September 22, 2021)
McAfee Labs researchers have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. The sentiment used here is finance related themes such as purchase orders. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. Attackers use this remote access trojan (RAT) as MaaS (Malware-as-a-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Remote Access Tools - T1219
Tags: AgentTesla, RAT, MaaS, Malware-as-a-Service, VBA macro, Banking And Finance
Microsoft Exchange Autodiscover Bugs Leak 100K Windows credentials
(published: September 22, 2021)
According to researchers from Guardicore have found a bug in the implementation of the “Autodiscover'' protocol is causing Microsoft Exchange’s Autodiscovery feature to automatically configure a user's mail client, such as Microsoft Outlook, with their organization's predefined mail settings. This is causing Windows credentials to be sent to third-party untrusted websites. Researchers have identified that this incorrect implementation has leaked approximately 100,000 login names and passwords for Windows domains worldwide.
Analyst Comment: Administrators are recommended to block TLD domains provided by researchers on github. https://github.com/guardicore/labs_campaigns/tree/master/Autodiscover. Even though most of the domains may not be malicious, adversaries can easily register and take them over. Also organisations are recommended to disable basic authentication.
Tags: EU & UK, China
Netgear SOHO Security Bug Allows RCE, Corporate Attacks
(published: September 22, 2021)
Researchers at Grimm discovered a high-severity security bug affecting several Netgear small office/home office (SOHO) routers could allow remote c |
Ransomware Spam Malware Vulnerability Threat | ||
 |
2021-09-28 10:00:26 | Credential Spear-Phishing Uses Spoofed Zix Encrypted Email (lien direct) | The spoofed email has targeted close to 75K inboxes, slipping past spam and security controls across Office 365, Google Workspace, Exchange, Cisco ESA and more. | Spam | ||
|
2021-09-27 04:21:35 | How Does DMARC Prevent Phishing? (lien direct) | DMARC is a global standard for email authentication. It allows senders to verify that the email really comes from whom it claims to come from. This helps curb spam and phishing attacks, which are among the most prevalent cybercrimes of today. Gmail, Yahoo, and many other large email providers have implemented DMARC and praised its benefits in recent years.
If your company's domain name is |
Spam | Yahoo | |
|
2021-09-21 16:09:00 | Anomali Cyber Watch: Vermillion Strike, Operation Layover, New Malware Uses Windows Subsystem For Linux and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Cobalt Strike, ELF, Data Leak, MSHTML, Remote Code Execution, Windows Subsystem, VBScript, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
CISA: Patch Zoho Bug Being Exploited by APT Groups
(published: September 17, 2021)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical authentication bypass vulnerability, registered as “CVE-2021-4053,” that affects Zoho’s “ManageEngine ADSelfService Plus.” The vulnerability affects ManageEngine, a self-service password management and single sign-on solution from the online productivity vendor. The vulnerability is a Remote Code Execution (RCE) bypass vulnerability that could allow for remote code execution if exploited, according to the CISA. A successful exploitation of the vulnerability allows an actor to place webshells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, lateral movement, and exfiltrating registry hives and Active Directory files. Zoho released a patch for this vulnerability on September 6, but CISA claimed that malicious actors might have been exploiting it as far back as August.
Analyst Comment: Users should immediately apply the patch released by Zoho. Continuing usage of vulnerable applications will increase the likelihood that threat actors will attempt to exploit them, especially with open sources discussing the details of some vulnerabilities. These sources could allow some actors to create exploits to vulnerable software with malicious intent.
MITRE ATT&CK: [MITRE ATT&CK] Unsecured Credentials - T1552 | [MITRE ATT&CK] Valid Accounts - T1078
Tags: APT, Bug, Vulnerability, Zoho
Operation Layover: How We Tracked An Attack On The Aviation Industry to Five Years of Compromise
(published: September 16, 2021)
Cisco Talos, along with Microsoft researchers, have identified a spearphishing campaign targeting the aviation sector that has been targeting aviation for at least two years. The actors behind this campaign used email spoofing to masquerade as legitimate organizations. The emails contained an attached PDF file that included an embedded link, containing a malicious VBScript which would then drop Trojan payloads on a target machine. The malware was used to spy on victims as well as to exfiltrate data including credentials, screenshots, clipboard, and webcam data. The threat actor attributed to this campaign has also been linked to crypter purchases from online forums; his personal phone number and email addresses were revealed, although these findings have not been verified. The actor is located in Nigeria and is suspected of being active since at least 2013, due to IPs connected to hosts, domains, and the attacks at large originate from this country.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a |
Spam Malware Tool Vulnerability Threat | ||
|
2021-09-20 04:00:58 | A New Wave of Malware Attack Targeting Organizations in South America (lien direct) | A spam campaign delivering spear-phishing emails aimed at South American organizations has retooled its techniques to include a wide range of commodity remote access trojans (RATs) and geolocation filtering to avoid detection, according to new research.
Cybersecurity firm Trend Micro attributed the attacks to an advanced persistent threat (APT) tracked as APT-C-36 (aka Blind Eagle), a suspected |
Spam Malware Threat | APT-C-36 | |
 |
2021-09-19 12:58:30 | New "Elon Musk Club" crypto giveaway scam promoted via email (lien direct) | A new Elon Musk-themed cryptocurrency giveaway scam called the "Elon Musk Mutual Aid Fund" or "Elon Musk Club" is being promoted through spam email campaigns that started over the past few weeks. [...] | Spam | ||
 |
2021-09-17 09:09:15 | Malicious Calendar Subscriptions Are Back?, (Fri, Sep 17th) (lien direct) | Did this threat really disappear? This isn't a brand new technique to deliver malicious content to mobile devices but it seems that attackers started new waves of spam campaigns based on malicious calendar subscriptions. Being a dad, you can imagine that I always performed security awareness with my daughters. Since they use computers and the Internet, my message was always the same: “Don't be afraid to ask me, there are no stupid questions or shame if you think you did something wrongâ€. | Spam Threat | ||
|
2021-09-17 06:11:17 | US govt sites showing porn, viagra ads share a common software vendor (lien direct) | Multiple U.S. government sites using .gov and .mil domains have been seen hosting porn and spam content, such as Viagra ads, in the last year. A security researcher noticed all of these sites share a common software vendor, Laserfiche. [...] | Spam | ||
|
2021-09-16 11:00:00 | Threat Source newsletter (Sept. 16, 2021) (lien direct) | Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.
It's a bird, it's a plane, it's a rat!
We've been tracking a series of trojans targeting the aviation industry, and trying to lure victims in by sending them spam related to flight itineraries and other transportation...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam | ||
|
2021-09-14 15:00:00 | Anomali Cyber Watch: Azurescape Cloud Threat, MSHTML 0-Day in The Wild, Confluence Cloud Hacked to Mine Monero, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android, APT, Confluence, Cloud, MSHTML, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed. Current Anomali ThreatStream users can query these indicators under the “anomali cyber watch” tag.
Trending Cyber News and Threat Intelligence
S.O.V.A. – A New Android Banking Trojan with Fowl Intentions
(published: September 10, 2021)
ThreatFabric researchers have discovered a new Android banking trojan called S.O.V.A. The malware is still in the development and testing phase and the threat actor is publicly-advertising S.O.V.A. for trial runs targeting banks to improve its functionality. The trojan’s primary objective is to steal personally identifiable information (PII). This is conducted through overlay attacks, keylogging, man-in-the-middle attacks, and session cookies theft, among others. The malware author is also working on other features such as distributed denial-of-service (DDoS) and ransomware on S.O.V.A.’s project roadmap.
Analyst Comment: Always keep your mobile phone fully patched with the latest security updates. Only use official locations such as the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Furthermore, always review the permissions an app will request upon installation.
MITRE ATT&CK: [MITRE ATT&CK] Input Capture - T1056 | [MITRE ATT&CK] Man-in-the-Middle - T1557 | [MITRE ATT&CK] Steal Web Session Cookie - T1539 | [MITRE ATT&CK] Network Denial of Service - T1498 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: Android, Banking trojan, S.O.V.A., Overlay, Keylogging, Cookies, Man-in-the-Middle
Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances
(published: September 9, 2021)
Unit 42 researchers identified and disclosed critical security issues in Microsoft’s Container-as-a-Service (CaaS) offering that is called Azure Container Instances (ACI). A malicious Azure user could have compromised the multitenant Kubernetes clusters hosting ACI, establishing full control over other users' containers. Researchers gave the vulnerability a specific name, Azurescape, highlighting its significance: it the first cross-account container takeover in the public cloud.
Analyst Comment: Azurescape vulnerabilities could have allowed an attacker to execute code on other users' containers, steal customer secrets and images deployed to the platform, and abuse ACI's infrastructure processing power. Microsoft patched ACI shortly after the discl |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | Uber APT 41 APT 15 | |
 |
2021-09-07 20:02:45 | How to delete spam SMS messages and add new blocked numbers on Android (lien direct) | If you're looking to clear out old spam and blocked SMS messages from Android, Jack Wallen is here to show you how. | Spam | ||
|
2021-09-06 11:15:08 | CVE-2021-24517 (lien direct) | The Stop Spammers Security | Block Spam Users, Comments, Forms WordPress plugin before 2021.18 does not escape some of its settings, allowing high privilege users such as admin to set Cross-Site Scripting payloads in them even when the unfiltered_html capability is disallowed | Spam | ||
 |
2021-08-19 01:07:12 | How an Obscure Green Bay Packers Site Conquered Facebook (lien direct) | The social media giant's new transparency report mostly succeeds in showing the extent of its spam problem. | Spam | ||
|
2021-08-18 20:15:06 | CVE-2021-1561 (lien direct) | A vulnerability in the spam quarantine feature of Cisco Secure Email and Web Manager, formerly Cisco Security Management Appliance (SMA), could allow an authenticated, remote attacker to gain unauthorized access and modify the spam quarantine settings of another user. This vulnerability exists because access to the spam quarantine feature is not properly restricted. An attacker could exploit this vulnerability by sending malicious requests to an affected system. A successful exploit could allow the attacker to modify another user's spam quarantine settings, possibly disabling security controls or viewing email messages stored on the spam quarantine interfaces. | Spam Vulnerability | ||
|
2021-08-13 14:02:01 | Microsoft Teams will alert users of incoming spam calls (lien direct) | Microsoft is working on adding a spam call notification feature to the Microsoft 365 Teams collaboration platform. [...] | Spam | ★★★ | |
 |
2021-08-12 10:54:00 | NCSC Launches Microsoft Office 365 Button to Report Business Email Spam (lien direct) | The organization has already received 6.5 million reports | Spam | ||
|
2021-08-11 16:43:37 | \'Friends\' Reunion Anchors Video Swindle (lien direct) | Spam was on the rise in Q2, with video fraud and COVID-19-related efforts in the mix. | Spam | ||
|
2021-08-06 13:55:20 | Phishing continues to target big businesses and exploit COVID-19 fears in Q2 2021 (lien direct) | Spam as a share of global mail traffic rose, and attackers have started to adapt their scams to other languages to reach wider audiences. | Spam | ||
 |
2021-08-05 10:00:45 | Spam and phishing in Q2 2021 (lien direct) | Q2 2021 spam and phishing statistics, plus main trends: corporate mail phishing, compensation fraud, WhatsApp scam, etc. | Spam | ||
|
2021-08-03 19:15:08 | CVE-2021-33320 (lien direct) | The Flags module in Liferay Portal 7.3.1 and earlier, and Liferay DXP 7.0 before fix pack 96, 7.1 before fix pack 20, and 7.2 before fix pack 5, does not limit the rate at which content can be flagged as inappropriate, which allows remote authenticated users to spam the site administrator with emails | Spam | ||
|
2021-08-03 15:00:00 | Anomali Cyber Watch: LockBit ransomware, Phony Call Centers Lead to Exfiltration and Ransomware, VBA RAT using Double Attack Vectors, and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Android malware, APT, Data leak, macOS malware, Phishing, Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity. 
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
BazaCall: Phony Call Centers Lead to Exfiltration and Ransomware
(published: July 29, 2021)
BazaCall campaigns have forgone malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. Actual humans then provide the callers with step-by-step instructions for installing malware. The BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user's device, which allows for a fast network compromise. The lack of obvious malicious elements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.
Analyst Comment: All users should be informed of the risk phishing poses, and how to safely make use of email. They should take notice that a phone number sent to them can be fraudulent too. In the case of infection, the affected system should be wiped and reformatted, and if at all possible the ransom should not be paid. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Credential Dumping - T1003 | [MITRE ATT&CK] Data Encrypted for Impact - T1486
Tags: BazaCall, Bazaar, Ransomware
Crimea “Manifesto” Deploys VBA Rat Using Double Attack Vectors
(published: July 29, 2021)
Hossein Jazi has identified a suspicious document named "Манифест". It downloads and executes two templates: one is macro-enabled and the other is an Internet Explorer exploit. While both techniques rely on template injection to drop a full-featured Remote Access Trojan, the IE exploit is an unusual discovery.
Analyst Comment: Files that request content be enabled to properly view the document are often signs of a phishing attack. If such a file is sent to you via a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening. Thus, any such file attachment sent by unknown senders should be viewed with the utmost scrutiny, and the attachments should be avoided and properly reported to appropriate personnel.
MITRE ATT&CK: [MITRE ATT&CK] User Execution - T1204 | [MITRE ATT&CK] Template Injection - T1221 | [MITRE ATT&CK] Scheduled Task - T1053 | [MITRE ATT&CK] Modify Registry - T1112
Tags: VBA, Russia, RAT, CVE- |
Ransomware Data Breach Spam Malware Threat Guideline | ||
 |
2021-07-23 19:16:06 | Google is finally doing something about Google Drive spam (lien direct) | You can now block people in Drive. It's still woefully inadequate, but it's something. | Spam | ||
 |
2021-07-20 21:30:00 | Spam Kingpin Peter Levashov Gets Time Served (lien direct) | A federal judge in Connecticut today handed down a sentence of time served to spam kingpin Peter “Severa” Levashov, a prolific purveyor of malicious and junk email, and the creator of malware strains that infected millions of Microsoft computers globally. Levashov has been in federal custody since his extradition to the United States and guilty plea in 2018, and was facing up to 12 more years in prison. Instead, he will go free under three years of supervised release and a possible fine. | Spam Malware | ||
 |
2021-07-20 21:01:10 | Russian Hacker Levashov Sentenced to Time Already Served (lien direct) | A Russian hacker known internationally as the “bot master” was sentenced Tuesday to the 33 months he has already served in custody on federal charges he operated a network of devices used to steal computer credentials, distribute spam and install malicious software. | Spam | ★★ | |
 |
2021-07-20 12:00:39 | Some URL shortener services distribute Android malware, including banking or SMS trojans (lien direct) | On iOS we have seen link shortener services pushing spam calendar files to victims' devices. | Spam | ||
 |
2021-07-19 00:00:00 | Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader (lien direct) | The FortiGuard Labs team discovered a malicious spam campaign using a social engineering lure to trick targets into opening a malicious Excel document which then contacts a remote server that downloads a malicious payload. Learn more in our analysis of the attack and infrastructure used.
|
Spam | ||
 |
2021-07-15 12:50:00 | Checklist 239: Two + Two = You (lien direct) | Are data brokers de-anonymizing your data? | Strategies for stopping spam callers | Why storing passwords in Notes is a very bad idea | Spam | ||
 |
2021-07-10 05:09:35 | Kaseya warns customers of ongoing malspam campaign posing as security updates (lien direct) | Threat actors are conducting a spam campaign aimed at infecting Kaseya customers, posing as legitimate VSA security updates Kaseya is warning customers of threat actors attempting to exploit the recent massive supply chain ransomware attack suffered by the company. The software provider is warning of an ongoing malspam campaign aimed at delivering malware into their […] | Ransomware Spam Malware Threat | ||
|
2021-07-09 14:58:51 | ZLoader Adopts New Macro-Related Delivery Technique in Recent Attacks (lien direct) | The ZLoader malware family has switched to a new delivery mechanism in recent spam campaigns, fetching malicious code only after the initial attachment has been opened, McAfee reports. | Spam Malware | ||
|
2021-07-07 08:50:19 | Fake Kaseya VSA security update backdoors networks with Cobalt Strike (lien direct) | Threat actors are trying to capitalize on the ongoing Kaseya ransomware attack crisis by targeting potential victims in a spam campaign pushing Cobalt Strike payloads disguised as Kaseya VSA security updates. [...] | Ransomware Spam Threat | ||
|
2021-07-06 15:05:00 | Anomali Cyber Watch: Thousands attacked as REvil ransomware hijacks Kaseya VSA, Leaked Babuk Locker Ransomware Builder Used In New Attacks and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Babuk, IndigoZebra, Ransomware, REvil, Skimmer, Zero-day and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Shutdown Kaseya VSA Servers Now Amidst Cascading REvil Attack Against MSPs, Clients
(published: July 4, 2021)
A severe ransomware attack reportedly took place against the popular remote monitoring and management (RMM) software tool Kaseya VSA. On July 2, 2021, Kaseya urged users to shut down their VSA servers to prevent them from being compromised. The company estimated that fewer than 40 of their customers worldwide were affected, but as some of them were managed service providers (MSPs), over 1,000 businesses were infected. The majority of known victims are in the US with some in Europe (Sweden) and New Zealand. The attackers exploited a zero-day vulnerability in Kaseya’s systems that the company was in the process of fixing. It was part of the administrative interface vulnerabilities in tools for system administration previously identified by Wietse Boonstra, a DIVD researcher. The REvil payload was delivered via Kaseya software using a custom dropper that dropped two files. A dropper opens an old but legitimate copy of Windows Defender (MsMpEng.exe) that then side loads and executes the custom malicious loader's export. The attack coincided with the start of the US Independence Day weekend, and has several politically-charged strings, such as “BlackLivesMatter” Windows registry key and “DTrump4ever” as a password.
Analyst Comment: Kaseya VSA clients should safely follow the company’s recommendations as it advised shutting Kaseya VSA servers down, and is making new security updates available. Every organization should have a ransomware disaster recovery plan even if it is serviced by a managed service provider (MSP).
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted for Impact - T1486 | [MITRE ATT&CK] Supply Chain Compromise - T1195 | [MITRE ATT&CK] DLL Side-Loading - T1073
Tags: REvil, Sodinokibi, Gandcrab, Leafroller, Kaseya VSA, ransomware, Ransomware-as-a- Service, zero-day, CVE-2021-30116, supply-chain, North America, USA, Sweden, New Zealand, MSP, RMM, schools
IndigoZebra APT Continues To Attack Central Asia With Evolving Tools
(published: July 1, 2021)
Researchers from Check Point have identified the Afghan Government as the latest victim in a cyber espionage campaign by the suspected Chinese group ‘IndigoZebra’. This attack began in April when Afghan National Security Council (NSC) officials began to receive lure emails claiming to be from the President’s secretariat. These emails included a decoy file that would install the backdoor ‘BoxCaon’ on the system before reaching out to the Dropbox API to act as a C&C server. The attacker would then be able to fingerprint the machine and begin accessing files. I |
Ransomware Spam Malware Tool Vulnerability Threat Guideline | APT 19 APT 10 | |
|
2021-07-01 10:56:01 | (Déjà vu) Threat Source newsletter (July 1, 2021) (lien direct) |
Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.
Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam | ||
|
2021-06-30 05:56:11 | [Webinar] How Cyber Attack Groups Are Spinning a Larger Ransomware Web (lien direct) | Organizations today already have an overwhelming number of dangers and threats to look out for, from spam to phishing attempts to new infiltration and ransomware tactics. There is no chance to rest, since attack groups are constantly looking for more effective means of infiltrating and infecting systems.
Today, there are hundreds of groups devoted to infiltrating almost every industry, |
Ransomware Spam | ||
|
2021-06-29 16:29:00 | Anomali Cyber Watch: Microsoft Signs Malicious Netfilter Rootkit, Ransomware Attackers Using VMs, Fertility Clinic Hit With Data Breach and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: China, NetFilter, Ransomware, QBot, Wizard Spider, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Microsoft Signed a Malicious Netfilter Rootkit
(published: June 25, 2021)
Security researchers recently discovered a malicious netfilter driver that is signed by a valid Microsoft signing certificate. The files were initially thought to be a false positive due to the valid signing, but further inspection revealed that the malicious driver called out to a Chinese IP. Further research has analyzed the malware, dropper, and Command and Control (C2) commands. Microsoft is still investigating this incident, but has clarified that they did approve the signing of the driver.
Analyst Comment: Malware signed by a trusted source is a threat vector that can be easily missed, as organizations may be tempted to not inspect files from a trusted source. It is important for organizations to have network monitoring as part of their defenses. Additionally, the signing certificate used was quite old, so review and/or expiration of old certificates could prevent this malware from running.
MITRE ATT&CK: [MITRE ATT&CK] Code Signing - T1116 | [MITRE ATT&CK] Install Root Certificate - T1130
Tags: Netfilter, China
Dell BIOSConnect Flaws Affect 30 Million Devices
(published: June 24, 2021)
Four vulnerabilities have been identified in the BIOSConnect tool distributed by Dell as part of SupportAssist. The core vulnerability is due to insecure/faulty handling of TLS, specifically accepting any valid wildcard certificate. The flaws in this software affect over 30 million Dell devices across 128 models, and could be used for Remote Code Execution (RCE). Dell has released patches for these vulnerabilities and currently there are no known actors scanning or exploiting these flaws.
Analyst Comment: Any business or customer using Dell hardware should patch this vulnerability to prevent malicious actors from being able to exploit it. The good news is that Dell has addressed the issue. Patch management and asset inventories are critical portions of a good defense in depth security program.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Client Execution - T1203 | [MITRE ATT&CK] Exploitation for Privilege Escalation - T1068 | [MITRE ATT&CK] Peripheral Device Discovery - T1120
Tags: CVE-2021-21571, CVE-2021-21572, CVE-2021-21573, CVE-2021-21574, Dell, BIOSConnect
Malicious Spam Campaigns Delivering Banking Trojans
(published: June 24, 2021)
Analysis from two mid-March 2021 spam campaignts revealed that th |
Ransomware Data Breach Spam Malware Tool Vulnerability Threat Patching | APT 30 | |
|
2021-06-29 13:00:08 | Americans lost $29.8 billion to phone scams in the past year, study finds (lien direct) | The number of spam calls, the number of people losing money to them and the total amount of money lost In the past year are all record setting. | Spam | ||
|
2021-06-28 14:15:11 | CVE-2021-28585 (lien direct) | Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by an Improper input validation vulnerability in the New customer WebAPI.Successful exploitation could allow an attacker to send unsolicited spam e-mails. | Spam Vulnerability | ||
|
2021-06-25 01:05:45 | Spam Downpour Drips New IcedID Banking Trojan Variant (lien direct) | The primarily IcedID-flavored banking trojan spam campaigns were coming in at a fever pitch: Spikes hit more than 100 detections a day. | Spam | ||
|
2021-06-24 11:00:00 | Threat Source newsletter (June 24, 2021) (lien direct) |
Newsletter compiled by Jon Munshaw.Good afternoon, Talos readers.
Even though spam emails asking for gift cards may seem like the oldest trick in the book, they're still effective in 2021. The FBI estimates that business email compromise cost victims around $1.8 billion in 2020,...
[[ This is only the beginning! Please visit the blog for the complete entry ]] |
Spam | ||
|
2021-06-24 10:00:56 | Malicious spam campaigns delivering banking Trojans (lien direct) | In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples. | Spam | ||
|
2021-06-19 09:45:00 | Tinder spam campaign hides "handwritten" links in profile images (lien direct) | A new trend has emerged on dating apps like Tinder with spammers sneaking in handwritten NSFW links within profile images. Multiple such Tinder spam profiles reviewed by BleepingComputer shared some common characteristics. [...] | Spam | ||
 |
2021-06-08 10:00:00 | Magic in Cybersecurity: Magic links to replace the password (lien direct) | This blog was written by an independent guest blogger. These days, magic links are in the air. They are becoming an intriguing means to strengthen digital security without inconveniencing users. This article discusses magic links, their magical function, and their potential benefits for a corporation. Magic links Magic links are authorized URLs that carry a token which grants accessibility to a particular user. They enable users to register or log in to a website, as well as make online transactions. When the user clicks on the URL, they get verified instantly. Magic links usually have a short life and are one-of-a-kind. Magic links form a digital authentication technique that can use both a passwordless and a multi-factor authentication system. Why use magic links In a digital world, magic links are useful in passwordless and multi-factor authentication. Passwordless authentication refers to a security system that doesn't use passwords. Users authenticate using a magic link, eliminating the need for passwords. They only require inputting an email address or contact number to get the URL to click. Multi-factor authentication (MFA) is a method of user authentication in various stages. Two or more authentication methods increase the steps the user must take. However, magic links provide the minimum complexity since users only need to click the URL to complete the procedure. How magic links work Magic links consist of three steps: On a sign-in page, the user inputs their email address. If the user has a registered email address, they will receive an email containing a magic link. To finish the sign-in cycle, the user selects and clicks the magic link. Conversely, at the time of registration, the user can also get a live link for authentication later on. This technique is comparable to a password reset process, in which a user receives a hidden link that enables them to update their password. Magic links function in the same way as password resets do, whereas the user doesn't need to type a password to navigate to their profile. Magic link security concerns One of several security issues users may face comes from the email provider. When email providers label magic link emails as spam, a significant email redirects to infrequently used spam folders. Users can require a link over a link without knowing they route to spam. The trick is to choose a reliable email provider with an IP address that traditional spam detection identifies as effective. Organizations can improve security of their magic links implementation. If an application delivers a magic link and the client seeks another, does the first link lapse? Users can become irritated if they have to click on several links to find the recent one. Magic links that expire leave the login process with minimal loopholes but give the user fewer options to sign in. Organizations need to consider this balance. Likewise, certain websites prevent users from utilizing magic links beyond the browser session in which the magic link was provided. When you close your window an | Spam | ★★★★ | |
|
2021-06-05 10:45:05 | Massive spam campaign promotes online casinos with misleading emails (lien direct) | Spammers are abusing affiliate programs to promote online casinos, such as Raging Bull Casino, Sports and Casino, Ducky Luck, and Royal Ace Casino, with misleading emails. [...] | Spam Guideline | ||
|
2021-06-04 00:00:00 | Phishing Malware Hijacks Bitcoin Addresses and Delivers New Agent Tesla Variant (lien direct) | FortiGuard Labs recently captured a new phishing campaign in which a MS Excel document attached to a spam email downloaded and executed several pieces of VBscript code. Used to hijack bitcoin address info, this malware delivers a new variant of Agent Tesla onto the victim's device. Learn more.
|
Spam Malware | ||
|
2021-05-30 14:55:43 | Watch out: These unsubscribe emails only lead to further spam (lien direct) | Scammers use fake 'unsubscribe' spam emails to confirm valid email accounts to be used in future phishing and spam campaigns. [...] | Spam | ||
|
2021-05-29 17:18:41 | Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th) (lien direct) | In February I posted about spam pretending to be an Outlook Version update [1] and now for the past several weeks I have been receiving spear-phishing emails that pretend to be coming from Microsoft Outlook to "Sign in to verify" my account, new terms of services, new version, etc. There also have been some reports this week about large ongoing spear-phishing campaign [2][3] worth reading. Here are some samples which always include a sense of urgency to login as soon as possible: | Spam | ||
 |
2021-05-27 13:12:16 | Cryptocurrency scam attack on Twitter reminds users to check their app connections (lien direct) | Are you doing enough to prevent scammers from hijacking your social media accounts? Even if you have chosen a strong, unique password for your online presence and enabled two-factor authentication it's possible that you've overlooked another way in which online criminals could commandeer your social media accounts and spam out a message to your followers. Read more in my article on the Tripwire State of Security blog. | Spam |
To see everything:
Our RSS (filtrered)
