CVE-2020-29552

An issue was discovered in URVE Build 24.03.2020. By using the internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and redirect its output to a file under the web root...

Command injection

An issue was discovered in URVE Build 24.03.2020. By using the internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and redirect its output to a file under the web root...

CVE-2020-29552

An issue was discovered in URVE Build 24.03.2020. By using the internal/pc/vpro.php?mac=0&ip=0&operation=0&usr=0&pass=0%3bpowershell+-c+" substring, it is possible to execute a Powershell command and redirect its output to a file under the web root...

CVE-2020-0951

A security feature bypass vulnerability exists in Windows Defender Application Control WDAC which could allow an attacker to bypass WDAC enforcement. An attacker who successfully exploited this vulnerability could execute PowerShell commands that would be blocked by WDAC. To exploit the...

GHSA-49C6-3WR4-8JR4 Malicious Package in malicious-npm-package

All versions of malicious-npm-package contain malicious code. The malware targets Windows systems. It runs a powershell command that downloads an executable file from a remote server and runs it. Recommendation Any computer that has this package installed or running should be considered fully...

TAU Threat Analysis: Hakbit Ransomware

The bad actors behind Hakbit ransomware recently released an updated variant of their ransomware, which encrypts the victim’s data and demands 3 Bitcoins in ransom payment. This updated variant is delivered via phishing email as a malicious Excel document, and contains added functionality from th...

How to configure antivirus configuration XML file for secure restore

Challenge The article provides information on adding additional antivirus options to Veeam Backup & Replication Secure Restore. NOTE : When adding an antivirus that is not already predefined, you may need to contact the antivirus vendor for assistance to gather the required attributes and exit...

Exploit for Improper Restriction of Operations within the Bounds of a Memory Buffer in Microsoft

aioScanCVE-2020-0796 Introduction The detection speed has...

Malicious Package

malicious-npm-package is a malicious package. The package targets Windows system and runs a powershell command to download and execute a malicious script that is stored on a remote server...

Emotet malspam campaign uses Snowden’s new book as lure

Exactly one week ago, Emotet, one of the most dangerous threats to organizations in the last year, resumed its malicious spam campaigns after several months of inactivity. Based on our telemetry, we can see that the botnet started becoming chatty with its command and control servers C2, about a...

CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware

Editor's Note: The TAU-TIN related to this write up can be located here. GermanWiper Ransomware was found distributed via spam email campaign in Germany. It’s a data-wiping malware and the ransom note was written in German language. The malware pretends to be ransomware but is actually a wiper th...

Microsoft Excel .SLK Payload Delivery

This module generates a download and execute Powershell command to be placed in an .SLK Excel spreadsheet. When executed, it will retrieve a payload via HTTP from a web server. When the file is opened, the user will be prompted to "Enable Content." Once this is pressed, the payload will execute...

AdvisorsBot Downloader Emerges in Raft of Malware Campaigns

A new downloader was disclosed today, sporting significant anti-analysis features and increasingly sophisticated distribution techniques. Researchers at Proofpoint have been tracking the downloader as a first-stage payload in campaigns since May 2018. Dubbed AdvisorsBot due to early...

Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign

Introduction From January 2018 to March 2018, through FireEye’s Dynamic Threat Intelligence, we observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity t...

CHM Help Files Deliver Brazilian Banking Trojan

Security researchers are warning of a new spam campaign targeting Brazilian institutions that contain Compiled HTML file attachments that are used to deliver a banking Trojan. Spam messages contain a malicious CHM attachment called “comprovante.chm”, wrote Rodel Mendrez, senior security researche...

Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques

Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative...

Spread banking Trojan the Office 0day Vulnerability(CVE-2017-0199)technical analysis-vulnerability warning-the black bar safety net

Vulnerability overview Microsoft in 4 months of routine patch of 4 on 12, the A Office remote command execution vulnerability, CVE-2017-0199 for the repair, but in fact in the patch before the release there has been more use of this vulnerability in the wild is found, which contains the...

Office Zero Day Delivering FINSPY Spyware to Victims in Russia

Since at least January, unidentified state-sponsored attackers have been targeting victims in Russia with FINSPY spyware delivered in exploits for an Office and WordPad zero-day vulnerability patched on Tuesday by Microsoft. Separately, the same zero-day has been leveraged in financially motivate...

Github Repository Owners Targeted by Data-Stealing Malware

Phishing emails zeroing in on developers who own Github repositories were infecting victims with malware capable of stealing data through keyloggers and modules that would snag screenshots. Researchers at Palo Alto Networks this week said that in mid-January, an unknown number of developers were...

Loopback Options When Load Balancing StoreFront Server Group Using NetScaler

In previous versions of StoreFront such as 2.6 or older, Citrix recommended that you manually modify the hosts file on each StoreFront server to map the fully qualified domain name FQDN of the load balancer to the loopback address or the IP address of the specific StoreFront server. This ensures...