GhostEmperor: From ProxyLogon to kernel mode
Download GhostEmperor's technical details PDF. While investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out for its usage of a formerly unknown Windows kernel mode...
Operation “Armor Piercer:” Targeted attacks in the Indian subcontinent using commercial RATs
By Asheer Malhotra, Vanja Svajcer and Justin Thattil. Cisco Talos is tracking a campaign targeting government personnel in India using themes and tactics similar to APT36, aka Mythic Leopard and Transparent Tribe. This campaign distributes malicious documents and archives to deliver the Netwire...
Exploitation of the CVE-2021-40444 vulnerability in MSHTML
Summary: Last week, Microsoft reported the remote code execution vulnerability CVE-2021-40444 in the MSHTML browser engine. According to the company, this vulnerability has already been used in targeted attacks against Microsoft Office users. In an attempt to exploit this vulnerability, attackers...
Remote code execution
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious Active...
CVE-2021-40444
Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents. An attacker could craft a malicious Active...
IBM API Connect HOST Injection Vulnerability
IBM API Connect (APIConnect) is an integration solution from IBM for managing the lifecycle of APIs. The product supports creating, running, managing and securing APIs and microservices, etc. An injection vulnerability exists in IBM API Connect HOST, which stems from the product's host header not...
LockBit 2.0 Ransomware Proliferates Globally
The LockBit ransomware-as-a-service (RaaS) gang has ramped up its targeted attacks, researchers said, with attempts against organizations in Chile, Italy, Taiwan and the U.K. using version 2.0 of its malware. Attacks in July and August have employed LockBit 2.0, according to a Trend Micro analysis...
CVE-2021-22707
A CWE-798: Use of Hard-coded Credentials vulnerability exists in EVlink City EVC1S22P4 / EVC1S7P4 all versions prior to R8 V3.4.0.1, EVlink Parking EVW2 / EVF2 / EV.2 all versions prior to R8 V3.4.0.1, and EVlink Smart Wallbox EVB1A all versions prior to R8 V3.4.0.1 that could allow an attacker t...
Leaked NSO Group Data Hints at Widespread Pegasus Spyware Infections
Israeli-based NSO Group is being blasted in a groundbreaking report that alleges that the company’s controversial Pegasus malware is being used to target activists, journalists, business executives and politicians on a widespread level, using a variety of exploits — including a zero-click zero-da...
Fake Zoom App Dropped by New APT ‘Luminous Moth’
Researchers have spotted a weird one: A newly identified threat actor linked to China that’s first mass-attacking, but then cherry-picking, just a few targets to hit with malware and data exfiltration. Kaspersky researchers said in a Wednesday writeup that they’ve named the advanced threat actor...
Philips Vue PACS Security Vulnerability
Philips Vue PACS is an image management solution from Philips Europe. A security vulnerability exists in Philips Vue PACS that arises from the product's failure to use, or misuse of, protection mechanisms to provide adequate defense against targeted attacks against the product...
Linux Variant of REvil Ransomware Targets VMware’s ESXi, NAS Devices
UPDATE Cybercriminals behind a string of high-profile ransomware attacks, including one extorting $11 million from JBS Foods last month, have ported their malware code to the Linux operating system. The unusual move is an attempt to target VMware’s ESXi virtual machine management software and...
SolarWinds Hackers Breach Microsoft Customer Support to Target its Customers
In yet another sign that the Russian hackers who breached SolarWinds network monitoring software to compromise a slew of entities never really went away, Microsoft said the threat actor behind the malicious cyber activities used password spraying and brute-force attacks in an attempt to guess...
SUSE SLES11 Security Update : MozillaFirefox (SUSE-SU-2020:14337-1)
The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14337-1 advisory. - Under certain conditions, when running the nsDocShell destructor, a race condition can cause a use-after-free. We are aware of targeted...
CVE-2021-29040
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused...
Ransomware by the numbers: Reassessing the threat’s global impact
Kaspersky has been following the ransomware landscape for years. In the past, we've published yearly reports on the subject: PC ransomware in 2014-2016, Ransomware in 2016-2017, and Ransomware and malicious crypto miners in 2016-2018. In fact, in 2019, we chose ransomware as the story of the year,...
The Storybook Approach to MITRE ATT&CK
Read this year's MITRE Engenuity ATT&CK Evaluations story, which simulates techniques associated with the notorious threat groups Carbanak and FIN7 to test solutions' ability to detect and stop APT & Targeted Attacks...
Hacking Operational Technology for Defense: Lessons Learned From OT Red Teaming Smart Meter Control Infrastructure
High-profile security incidents in the past decade have brought increased scrutiny to cyber security for operational technology (OT). However, there is a continued perception across critical infrastructure organizations that OT networks are isolated from public networks—such as the Internet. In...
WARNING: A New Android Zero-Day Vulnerability Is Under Active Attack
Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks. Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an "improper input validation" issue in Qualcomm's Graphics compone...
Microsoft Exchange attacks cause panic as criminals go shell collecting
Only last week we posted a blog about multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Seeing how this disclosure came with a patch already available, under normal circumstances you would see some companies update...