
246 matches found

Microsoft Secure
added 2021/07/29 7:0 p.m. | 420 views

When coin miners evolve, Part 2: Hunting down LemonDuck and LemonCat attacks

Note: In this two-part blog series, we expose a modern malware infrastructure and provide guidance for protecting against the wide range of threats it enables. Part 1 covered the evolution of the threat, how it spreads, and how it impacts organizations. Part 2 provides a deep dive on the attacker...

CVSS: 10 | AI score: 0.5 | EPSS: 0.94454
Exploits: 378

The Hacker News
added 2021/07/02 12:35 p.m. | 45 views

Mongolian Certificate Authority Hacked to Distribute Backdoored CA Software

In yet another instance of software supply chain attack, unidentified hackers breached the website of MonPass, one of Mongolia's major certificate authorities, to backdoor its installer software with Cobalt Strike binaries. The trojanized client was available for download between February 8, 2021...

AI score: 1.2
Exploits: 0

The Hacker News
added 2021/05/28 7:29 a.m. | 285 views

Chinese Cyber Espionage Hackers Continue to Target Pulse Secure VPN Devices

Cybersecurity researchers from FireEye unmasked additional tactics, techniques, and procedures (TTPs) adopted by Chinese threat actors who were recently found abusing Pulse Secure VPN devices to drop malicious web shells and exfiltrate sensitive information from enterprise networks. FireEye's...

CVSS: 10 | AI score: 0.4 | EPSS: 0.93607
Exploits: 9

ThreatPost
added 2021/05/25 8:26 p.m. | 51 views

‘Agrius’ APT Launches Wiper Attacks Against Israelis

A new attack group called Agrius is launching damaging wiper attacks against Israeli targets, which researchers said are hiding behind ransomware to make their state-sponsored activities appear financially motivated. Sentinel Labs analysts said they have been tracking Agrius’ operations in Israel...

AI score: 7.8
Exploits: 0 | References: 9

ThreatPost
added 2021/05/17 9:46 p.m. | 125 views

Magecart Goes Server-Side in Latest Tactics Changeup

Magecart Group 12, known for skimming payment information from online shoppers, was fingered for last September’s gonzo attack on more than 2,000 e-Commerce sites, and now researchers have issued a report explaining how they did it, detailing a new technical approach. The skimmers are still “very...

AI score: 9.1
Exploits: 0 | References: 6

Malwarebytes
added 2021/04/23 2:0 p.m. | 85 views

SUPERNOVA malware discovered on SolarWinds Orion server

The Cybersecurity and Infrastructure Security Agency (CISA) has reported finding the SUPERNOVA web shell collecting credentials on a SolarWinds Orion server. These observations were made during an incident response to an Advanced Persistent Threat (APT) actor’s year-long compromise of an enterprise...

CVSS: 7.5 | AI score: 1.4 | EPSS: 0.94345
Exploits: 3

ThreatPost
added 2021/04/14 5:31 p.m. | 164 views

FBI Clears ProxyLogon Web Shells from Hundreds of Orgs

The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities. ProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange...

CVSS: 10 | AI score: 0.1 | EPSS: 0.94302
Exploits: 69 | References: 9

Malwarebytes
added 2021/04/14 4:36 p.m. | 30 views

FBI shuts down malware on hundreds of Exchange servers, opens Pandora’s box

A rather remarkable story has emerged, setting the scene for lively debates about permissible system access. A press release from the US Department of Justice Judge has revealed that the FBI were granted permission to perform some tech support backdoor removal. Bizarrely, they did this without...

AI score: 7.4
Exploits: 0

HackRead
added 2021/04/14 3:36 p.m. | 37 views

FBI accessing computers across US to remove malicious web shells

By Deeba Ahmed. FBI is Accessing Computers Across the US to Prevent Hafnium from Exploiting MS Exchange Server Vulnerabilities - All without telling owners. This is a post from HackRead.com. Read the original post: FBI accessing computers across US to remove malicious web shells...

AI score: 3.1
Exploits: 0

Schneier on Security
added 2021/04/14 2:56 p.m. | 30 views

The FBI Is Now Securing Networks Without Their Owners’ Permission

In January, we learned about a Chinese espionage campaign that exploited four zero-days in Microsoft Exchange. One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised...

AI score: 0.3
Exploits: 0

Malwarebytes
added 2021/04/14 11:54 a.m. | 31 views

Ransomware disrupts food supply chain, Exchange exploitation suspected

When malware found its way into the network of Bakker Logistiek, a company specializing in the transport and warehousing of food and other products, on the night of 4 to 5 April, its IT systems ground to a halt. And, along with them, the reception of orders from clients, and the delivery of goods...

AI score: 6.7
Exploits: 0

Krebs on Security
added 2021/03/28 5:40 p.m. | 188 views

No, I Did Not Hack Your MS Exchange Server

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let's just get this out of the way right now: It wasn't me. The Shadowserver Foundation, a nonprofit...

AI score: 7
Exploits: 0

The Hacker News
added 2021/03/25 12:5 p.m. | 97 views

Black Kingdom Ransomware Hunting Unpatched Microsoft Exchange Servers

More than a week after Microsoft released a one-click mitigation tool to mitigate cyberattacks targeting on-premises Exchange servers, the company disclosed that patches have been applied to 92% of all internet-facing servers affected by the ProxyLogon vulnerabilities. The development, a 43%...

AI score: 7.2
Exploits: 0

The Hacker News
added 2021/03/16 6:6 a.m. | 697 views

Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread ProxyLogon Exchange Server cyberattacks. Called Exchange On-premises Mitigation Tool (EOMT), the PowerShell-based script serve...

CVSS: 9.8 | AI score: 0.2 | EPSS: 0.94302
Exploits: 63

The Hacker News
added 2021/03/16 6:6 a.m. | 0 views

Use This One-Click Mitigation Tool from Microsoft to Prevent Exchange Attacks

Microsoft on Monday released a one-click mitigation software that applies all the necessary countermeasures to secure vulnerable environments against the ongoing widespread ProxyLogon Exchange Server cyberattacks. Called Exchange On-premises Mitigation Tool (EOMT), the PowerShell-based script serve...

CVSS: 9.8 | AI score: 7.4 | EPSS: 0.94302
Exploits: 63

The Hacker News
added 2021/03/12 8:36 a.m. | 60 views

Hackers Are Targeting Microsoft Exchange Servers With Ransomware

It didn't take long. Intelligence agencies and cybersecurity researchers had been warning that unpatched Exchange Servers could open the pathway for ransomware infections in the wake of swift escalation of the attacks since last week. Now it appears that threat actors have caught up. According to...

AI score: 8.2
Exploits: 0

Malwarebytes
added 2021/03/09 7:59 p.m. | 242 views

Microsoft Exchange attacks cause panic as criminals go shell collecting

Only last week we posted a blog about multiple zero-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. Seeing how this disclosure came with a patch being available, under normal circumstances you would see some companies update...

CVSS: 7.5 | AI score: 10 | EPSS: 0.94302
Exploits: 63

Positive Technologies
added 2021/03/06 12:0 a.m. | 7 views

PT-2021-7092

Name of the Vulnerable Software and Affected Versions: Atlassian Confluence Server and Data Center versions prior to 7.4.17; Atlassian Confluence Server and Data Center versions 7.13.0 through 7.13.6; Atlassian Confluence Server and Data Center versions 7.14.0 through 7.14.2; Atlassian Confluence...

CVSS: 9.8 | AI score: 10 | EPSS: 0.94408
Exploits: 75 | References: 212

ThreatPost
added 2021/03/04 5:8 p.m. | 175 views

CISA Orders Fed Agencies to Patch Exchange Servers

Hot on the heels of Microsoft’s announcement about active cyber-espionage campaigns that are exploiting four serious security vulnerabilities in Microsoft Exchange Server, the U.S. government is mandating patching for the issues. The news comes as security firms report escalating numbers of relat...

AI score: 0.4 | EPSS: 0.94302
Exploits: 66 | References: 6

The Hacker News
added 2021/03/04 8:26 a.m. | 378 views

CISA Issues Emergency Directive on In-the-Wild Microsoft Exchange Flaws

Following Microsoft's release of out-of-band patches to address multiple zero-day flaws in on-premises versions of Microsoft Exchange Server, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive warning of "active exploitation" of the vulnerabilities. T...

CVSS: 9.8 | AI score: 0.1 | EPSS: 0.94302
Exploits: 63