Worok Hackers Target High-Profile Asian Companies and Governments

High-profile companies and local governments located primarily in Asia are the subjects of targeted attacks by a previously undocumented espionage group dubbed Worok that has been active since late 2020. "Worok's toolset includes a C++ loader CLRLoad, a PowerShell backdoor PowHeartBeat, and a C...

Researchers Detail Emerging Cross-Platform BianLian Ransomware Attacks

.jpg The operators of the emerging cross-platform BianLian ransomware have increased their command-and-control C2 infrastructure this month, a development that alludes to an increase in the group's operational tempo. BianLian, written in the Go programming language, was first discovered in mid-Ju...

IIS extensions are on the rise as backdoors to servers

The Microsoft 365 Defender Research Team has warned that attackers are increasingly leveraging Internet Information Services IIS extensions as covert backdoors into servers. IIS extensions are able to stay hidden in target environments and as such provide a long-term persistence mechanism for...

Malicious IIS Extensions Gaining Popularity Among Cyber Criminals for Persistent Access

Threat actors are increasingly abusing Internet Information Services IIS extensions to backdoor servers as a means of establishing a "durable persistence mechanism." That's according to a new warning from the Microsoft 365 Defender Research Team, which said that "IIS backdoors are also harder to...

Patchable and Preventable Security Issues Lead Causes of Q1 Attacks

Eighty-two percent of attacks on organizations in Q1 2022 were caused by the external exposure of a known vulnerabilities in the victim’s external-facing perimeter or attack surface. Those unpatched bugs overshadowed breach-related financial losses tied to human error, which accounted for 18...

Growling Bears Make Thunderous Noise

Growling Bears Make Thunderous Noise By Trellix · June 6, 2022 Per public attribution, Russian cybercriminal groups have always been active. Their tactics, techniques, and procedures TTPs have not significantly evolved over time, although some changes have been observed. Lately, the threat...

CISA Alert: Top 15 Routinely Exploited Vulnerabilities

The U.S. Cybersecurity & Infrastructure Security Agency has published its report on the top exploited vulnerabilities of 2021. This blog summarizes the report’s findings and how you can use Qualys VMDR to automatically detect and remediate these risks in your enterprise environment. The...

Hive Ransomware targets organizations with ProxyShell exploit

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Hive Ransomware has been active since its discovery in June 2021, and it is constantly deploying different backdoors, including the Cobalt Strike beacon, on Microsoft Exchange servers that are vulnerable to ProxyShell...

New Incident Report Reveals How Hive Ransomware Targets Organizations

A recent Hive ransomware attack carried out by an affiliate involved the exploitation of "ProxyShell" vulnerabilities in the Microsoft Exchange Server that were disclosed last year to encrypt an unnamed customer's network. "The actor managed to achieve its malicious goals and encrypt the...

Exchange Servers Speared in IcedID Phishing Campaign

The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. Attackers also are using stealthy new payload-delivery tactics to spread the modular malware...

Magic Hound Exploiting Old Microsoft Exchange ProxyShell Vulnerabilities

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here APT35 aka Magic Hound, an Iranian-backed threat group, has begun using Microsoft Exchange ProxyShell vulnerabilities as an initial attack vector and to execute code through multiple web shells. The group has primarily targeted...

UNC2596 exploits Microsoft’s ProxyShell and ProxyLogon vulnerabilities to distribute Cuba Ransomware

...

Microsoft Exchange Server Bugs Exploited by ‘Cuba’ Ransomware Gang

The ransomware gang known as “Cuba” is increasingly shifting to exploiting Microsoft Exchange vulnerabilities – including ProxyShell and ProxyLogon – as initial infection vectors, researchers have found. The group has likely been prying open these chinks in victims’ armor as early as last August,...

Iranian Hackers Targeting VMware Horizon Log4j Flaws to Deploy Ransomware

A "potentially destructive actor" aligned with the government of Iran is actively exploiting the well-known Log4j vulnerability to infect unpatched VMware Horizon servers with ransomware. Cybersecurity firm SentinelOne dubbed the group "TunnelVision" owing to their heavy reliance on tunneling...

Moses Staff Hackers Targeting Israeli Organizations for Cyber Espionage

The politically motivated Moses Staff hacker group has been observed using a custom multi-component toolset with the goal of carrying out espionage against its targets as part of a new campaign that exclusively singles out Israeli organizations. First publicly documented in late 2021, Moses Staff...

Earth Lusca Hackers Aimed at High-Value Targets in Government and Private Sectors

An elusive threat actor called Earth Lusca has been observed striking organizations across the world as part of what appears to be simultaneously an espionage campaign and an attempt to reap monetary profits. "The list of its victims includes high-value targets such as government and educational...

Malicious Exchange Server Module Hoovers Up Outlook Credentials

Researchers have uncovered a previously unknown malicious IIS module, dubbed Owowa, that steals credentials when users log into Microsoft Outlook Web Access OWA. Internet Information Services IIS, Microsoft’s web server/web-hosting software suite, can be extended via various add-ons that are know...

BlackByte ransomware exploits Microsoft Servers ProxyShell Vulnerabilities

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here. BlackByte ransomware is targeting organizations with unpatched ProxyShell vulnerabilities. Proxy Shell was addressed by hive pro threat researcher in the previous advisory released on August 24. ProxyShell is a combination of...

This Week in Security News - December 3, 2021

This week, learn about how Squirrelwaffle utilized ProxyLogon and ProxyShell to hack email chains. Also, read on a recent data breach of the Los Angeles Planned Parenthood Network...

Attackers Hijack Email Using Proxy Logon/Proxyshell Flaws

Attackers are gnawing on the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server to hijack email chains, by malspamming replies to ongoing email threads, researchers say. What’s still under discussion: whether the offensive is delivering SquirrelWaffle, the new email loader tha...