3104 matches found

Vulnrichment
added 2019/02/05 5:0 a.m., 7 views

CVE-2018-20753

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild...

9.6 AI score, 0.47933 EPSS
Exploits: 1, References: 2

CVE
added 2019/02/05 5:0 a.m., 975 views

CVE-2018-20753

Summary: CVE-2018-20753 affects Kaseya VSA RMM on-premises. Vulnerable versions: RMM before 9.3.0.35, before 9.4.0.36, and before 9.5.0.5. Impact: unprivileged remote attackers can execute PowerShell payloads on all managed devices. Exploitation note: attackers were active in the wild in Janu...

9.8 CVSS, 9.5 AI score, 0.47933 EPSS
In wild, Exploits: 1, References: 3, Affected Software: 1

ATTACKERKB
added 2019/02/05 12:0 a.m., 15 views

CVE-2018-20753

Kaseya VSA RMM before R9.3 9.3.0.35, R9.4 before 9.4.0.36, and R9.5 before 9.5.0.5 allows unprivileged remote attackers to execute PowerShell payloads on all managed devices. In January 2018, attackers actively exploited this vulnerability in the wild. Recent assessments: Assessed Attacker Value:...

9.8 CVSS, 6.6 AI score, 0.47933 EPSS
In wild, Exploits: 1, References: 3

ThreatPost
added 2019/01/25 6:43 p.m., 200 views

Phishing Campaign Delivers Nasty Ransomware, Credential-Theft Two-Punch

An array of phishing emails harboring Word attachments with embedded macros have been infecting systems with a deadly malware and ransomware duo. The campaign, spotted by researchers at Carbon Black, has hit infected systems with a lethal attack combination that harvests credentials, gathers syst...

2.1 AI score
Exploits: 0, References: 4

The Hacker News
added 2019/01/25 11:29 a.m., 284 views

GandCrab ransomware and Ursnif virus spreading via MS Word macros

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two...

0.8 AI score
Exploits: 0

The Hacker News
added 2019/01/25 11:29 a.m., 3 views

GandCrab ransomware and Ursnif virus spreading via MS Word macros

Security researchers have discovered two separate malware campaigns, one of which is distributing the Ursnif data-stealing trojan and the GandCrab ransomware in the wild, whereas the second one is only infecting victims with Ursnif malware. Though both malware campaigns appear to be a work of two...

7.2 AI score
Exploits: 0

ThreatPost
added 2019/01/23 12:0 p.m., 262 views

RogueRobin Malware Uses Google Drive as C2 Channel

A custom malware used by the APT known as DarkHydrus uses a mix of novel techniques, including using Google Drive as an alternate command-and-control (C2) channel. According to Palo Alto’s Unit 42 intelligence division, the targeted attack involved spear-phishing emails written in Arabic sent to...

7.5 AI score
Exploits: 0, References: 1

BDU FSTEC
added 2019/01/22 12:0 a.m., 3 views

The vulnerability of the PowerShell API software interface of the Microsoft Exchange Server mail server allows a hacker to gain access to protected information.

The vulnerability of the PowerShell API of the Microsoft Exchange Server mail server is related to deficiencies in access control. Exploiting this vulnerability could allow a malicious actor to gain access to protected information within the Calendar application...

7.8 CVSS, 7.1 AI score, 0.01249 EPSS
Exploits: 0, References: 2, Affected Software: 1

ThreatPost
added 2019/01/18 7:58 p.m., 153 views

Fallout EK Retools for a Fresh New 2019 Look

A new version of the Fallout exploit kit (EK) has emerged, featuring new exploits and fresh payloads, including the GandCrab ransomware. The development shows that EKs have a lot of life yet left in them, researchers say. The Fallout EK generally finds its victims by way of malvertising campaigns,...

10 CVSS, 9.8 AI score, 0.93605 EPSS
Exploits: 13, References: 5

Talos Blog
added 2019/01/18 3:13 p.m., 208 views

Threat Roundup for Jan. 11 to Jan. 18

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Jan. 11 and Jan. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavioral characteristics...

7.2 AI score
Exploits: 0

Malwarebytes
added 2019/01/17 7:51 p.m., 274 views

Improved Fallout EK comes back after short hiatus

Edit 2019-01-24 Fallout EK introduces a new dropper to facilitate the final payload retrieval. This update replaces the plain MZ we saw for a little while. -- After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During i...

10 CVSS, 0.2 AI score, 0.93605 EPSS
Exploits: 13

Metasploit
added 2019/01/13 10:31 p.m., 34 views

Microsoft Excel .SLK Payload Delivery

This module generates a download and execute Powershell command to be placed in an .SLK Excel spreadsheet. When executed, it will retrieve a payload via HTTP from a web server. When the file is opened, the user will be prompted to "Enable Content." Once this is pressed, the payload will execute...

0.2 AI score
Exploits: 0

BDU FSTEC
added 2019/01/10 12:0 a.m., 3 views

The vulnerability of the Device Guard component of the Windows operating system allows a hacker to inject arbitrary code into a Windows PowerShell session.

The vulnerability of the Device Guard component in the Windows operating system is related to security configuration errors. Exploiting this vulnerability could allow a local attacker to inject arbitrary code into the Windows PowerShell session...

5.3 CVSS, 7 AI score, 0.01062 EPSS
Exploits: 0, References: 4

BDU FSTEC
added 2019/01/10 12:0 a.m., 3 views

Vulnerability of the .NET Core runtime and PowerShell Core automation framework, related to authentication process errors, allowing attackers to disclose sensitive information

The vulnerability of the .NET Core runtime and the PowerShell Core automation framework is related to authentication process errors. Exploiting this vulnerability can allow a malicious actor to disclose sensitive information remotely...

7.8 CVSS, 7.1 AI score, 0.08142 EPSS
Exploits: 0, References: 3, Affected Software: 2

OSV
added 2019/01/08 9:29 p.m., 1 views

CVE-2019-0588

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server...

6.5 CVSS, 7 AI score, 0.01249 EPSS
Exploits: 0, References: 2

Prion
added 2019/01/08 9:29 p.m., 17 views

Information disclosure

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server...

4 CVSS, 7.1 AI score, 0.01249 EPSS
Exploits: 0, References: 2, Affected Software: 1

CVE
added 2019/01/08 9:0 p.m., 98 views

CVE-2019-0588

CVE-2019-0588 affects Microsoft Exchange Server. The vulnerability is an information disclosure arising when the Exchange PowerShell API grants calendar contributors more view permissions than intended. Root cause: mis-scoped permissions in the PowerShell API lead to unauthorized calendar data ex...

6.5 CVSS, 7 AI score, 0.01249 EPSS
Exploits: 0, References: 2, Affected Software: 1

Cvelist
added 2019/01/08 9:0 p.m., 24 views

CVE-2019-0588

An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended, aka "Microsoft Exchange Information Disclosure Vulnerability." This affects Microsoft Exchange Server...

7.3 AI score, 0.01249 EPSS
Exploits: 0, References: 2

Microsoft KB
added 2019/01/08 8:0 a.m., 44 views

January 8, 2019—KB4480962 (OS Build 10240.18094)

January 8, 2019—KB4480962 OS Build 10240.18094 Improvements and fixes This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Addresses an issue that affects PowerShell remoting loop back using non-administrator account...

9.3 CVSS, 7.3 AI score, 0.9095 EPSS
Exploits: 36

Microsoft KB
added 2019/01/08 8:0 a.m., 156 views

January 8, 2019—KB4480975 (Monthly Rollup)

January 8, 2019—KB4480975 Monthly Rollup Improvements and fixes This security update addresses the following issues: Provides protections against an additional subclass of speculative execution side-channel vulnerability known as Speculative Store Bypass CVE-2018-3639 for AMD-based computers. The...

9.3 CVSS, 7 AI score, 0.87167 EPSS
Exploits: 14