Malwarebytes (most viewed)

4658 matches found

Malwarebytes | added 2018/03/05 5:00 p.m. | 547 views

Week in security (February 26 – March 4)

Last week on Malwarebytes Labs, we explained how to protect your computer from malicious cryptomining, we gave an encryption 101 lesson using ShiOne ransomware as a case study, and we offered an explanation about SQL injection. We also released a report on the state of malicious cryptomining from...

CVSS 7.5 | AI score 0.2 | EPSS 0.89618 | Exploits: 19
Malwarebytes | added 2019/01/02 6:15 p.m. | 542 views

The new landscape of pre-installed mobile malware: malicious code within

Here's a scary thought: Mobile devices may soon come with pre-installed malware on required system apps. While it might sound like a grim foretelling, pre-installed mobile malware is an unfortunate reality of the future. In the past, we’ve seen pre-installed malware with the notorious Adups threa...

AI score 6.8 | Exploits: 0
Malwarebytes | added 2019/09/12 3:00 p.m. | 530 views

Five years later, Heartbleed vulnerability still unpatched

The Heartbleed vulnerability was introduced into the OpenSSL crypto library in 2012. It was discovered and fixed in 2014, yet today—five years later—there are still unpatched systems. This article will provide IT teams with the necessary information to decide whether or not to apply the Heartblee...

CVSS 5 | AI score 8.2 | EPSS 0.99999 | Exploits: 87
Malwarebytes | added 2021/07/23 11:00 p.m. | 524 views

AvosLocker enters the ransomware scene, asks for partners

This blog post was authored by Hasherezade. In mid-July we responded to an incident that involved an attack on a Microsoft Exchange server. The threat actor used this entry point to get into a Domain Controller and then leveraged it as a springboard to deploy ransomware. While examining the...

AI score 7.2 | Exploits: 0
Malwarebytes | added 2021/07/14 11:56 a.m. | 518 views

Four in-the-wild exploits, 13 critical patches headline bumper Patch Tuesday

The list of July 2021 Patch Tuesday updates looks endless. 117 patches with no less than 42 CVEs assigned to them that have FAQs, mitigation details or workarounds listed for them. Looking at the urgency levels Microsoft has assigned to them, system administrators have their work cut out for the...

CVSS 10 | AI score 9.8 | EPSS 0.99999 | Exploits: 58
Malwarebytes | added 2021/03/04 1:24 p.m. | 507 views

Update now! Chrome fix patches in-the-wild zero-day

The Microsoft Browser Vulnerability Research team has found and reported a vulnerability in the audio component of Google Chrome. Google has fixed this high-severity vulnerability CVE-2021-21166 in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the...

CVSS 6.8 | AI score 9.2 | EPSS 0.72977 | Exploits: 8
Malwarebytes | added 2022/06/21 3:25 p.m. | 498 views

Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

This blog post was authored by Hossein Jazi and Roberto Santos. In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers. APT28, also known as Sofacy and Fan...

CVSS 9.3 | AI score 0.4 | EPSS 0.99374 | Exploits: 62
Malwarebytes | added 2021/06/30 2:59 p.m. | 492 views

Babuk ransomware builder leaked following muddled “retirement”

In the last days of April 2021, the operators of Babuk ransomware announced they were going to focus on demanding a ransom for information stolen from compromised networks, leaving the encryption part of their operation behind. It meant that they no longer needed ransomware at all. “Babuk changes...

AI score 6.9 | Exploits: 0
Malwarebytes | added 2022/06/29 10:03 a.m. | 489 views

Hermit spyware is deployed with the help of a victim’s ISP

Google's Threat Analysis Group (TAG) has revealed a sophisticated spyware activity involving ISPs (internet service providers) aiding in downloading powerful commercial spyware onto users' mobile devices. The spyware, dubbed Hermit, is reported to have government clients much like Pegasus. Italian vend...

CVSS 9.3 | AI score 8.1 | EPSS 0.17513 | Exploits: 7
Malwarebytes | added 2021/07/30 5:19 p.m. | 481 views

LemonDuck no longer settles for breadcrumbs

LemonDuck has evolved from a Monero cryptominer into LemonCat, a Trojan that specializes in backdoor installation, credential and data theft, and malware delivery, according to the Microsoft 365 Defender Threat Intelligence Team, which explained their findings in a two-part story on the...

CVSS 9.3 | AI score 9.3 | EPSS 0.90026 | Exploits: 34
Malwarebytes | added 2019/12/12 10:33 p.m. | 478 views

Threat spotlight: the curious case of Ryuk ransomware

Ryuk. A name once unique to a fictional character in a popular Japanese comic book and cartoon series is now a name that appears in several rosters of the nastiest ransomware to ever grace the wild web. For an incredibly young strain—only 15 months old—Ryuk ransomware gaining such notoriety is...

CVSS 9.3 | AI score 0.6 | EPSS 0.9923 | Exploits: 54
Malwarebytes | added 2018/12/05 10:44 p.m. | 470 views

New Flash Player zero-day used against Russian facility

For the past couple of years, Office documents have largely replaced exploit kits as the primary malware delivery vector, giving threat actors the choice between social engineering lures and exploits or a combination of both. While today's malicious spam (malspam) heavily relies on macros and popul...

CVSS 9.3 | AI score 0.8 | EPSS 0.99945 | Exploits: 63
Malwarebytes | added 2018/09/20 5:42 p.m. | 463 views

Mass WordPress compromises redirect to tech support scams

Content Management Systems (CMSes) such as WordPress, Drupal, or Joomla are under a constant barrage of fire. Earlier this year, we detailed several waves of attacks against Drupal, also known as Drupalgeddon, pushing browser-based miners and various social engineering threats. During the past few...

AI score 7.3 | Exploits: 0
Malwarebytes | added 2022/03/05 5:35 p.m. | 444 views

Beware of malware offering “Warm greetings from Saudi Aramco”

Recently, the Malwarebytes Threat Intelligence Team found a Formbook campaign targeting oil and gas companies. The campaign they discovered was delivered by a targeted email that contained two attachments, one a PDF file and the other an Excel document. Formbook: The Formbook malware is an...

CVSS 9.3 | AI score 8.6 | EPSS 0.99945 | Exploits: 33
Malwarebytes | added 2022/03/11 2:38 p.m. | 437 views

Linux “Dirty Pipe” vulnerability gives unprivileged users root access

A vulnerability in the Linux kernel, nicknamed "Dirty Pipe", allows an unprivileged user to overwrite data in read-only files. This can lead to privilege escalation as a result of unprivileged processes being able to inject code into root processes. If you're not sure what that means but you think...

CVSS 7.2 | AI score 7.9 | EPSS 0.89063 | Exploits: 170
Malwarebytes | added 2021/08/12 11:30 a.m. | 436 views

Microsoft’s PrintNightmare continues, shrugs off Patch Tuesday fixes

I doubt if there has ever been a more appropriate nickname for a vulnerable service than PrintNightmare. There must be a whole host of people in Redmond having nightmares about the Windows Print Spooler service by now. PrintNightmare is the name of a set of vulnerabilities that allow a standard...

CVSS 9.3 | AI score 0.7 | EPSS 0.99759 | Exploits: 75
Malwarebytes | added 2021/09/08 11:04 a.m. | 431 views

[updated] Windows MSHTML zero-day actively exploited, mitigations required

Several researchers have independently reported a 0-day remote code execution vulnerability in MSHTML to Microsoft. The reason it was reported by several researchers probably lies in the fact that a limited number of attacks using this vulnerability have been identified, as per Microsoft’s securi...

AI score 8.6 | EPSS 0.97242 | Exploits: 38
Malwarebytes | added 2021/05/12 12:46 p.m. | 413 views

Get patching! Wormable Windows flaw headlines Patch Tuesday

It looks like patching a wormable Remote Code Execution (RCE) bug in the HTTP stack of Windows 10 and Windows Server is likely to be top of most sysadmins' to-do lists after reading May's Patch Tuesday updates. The monthly bug bonanza also features three other critical items among its 55 patches...

CVSS 10 | AI score 10 | EPSS 0.99999 | Exploits: 154
Malwarebytes | added 2019/07/30 4:20 p.m. | 409 views

Exploit kits: summer 2019 review

In the months since our last spring review, there has been some interesting activity from several exploit kits. While the playing field remains essentially the same with Internet Explorer and Flash Player as the most-commonly-exploited pieces of software, it is undeniable that there has been a...

CVSS 10 | AI score 9.5 | EPSS 0.93165 | Exploits: 50
Malwarebytes | added 2021/09/09 3:37 p.m. | 394 views

500,000 Fortinet VPN credentials exposed: Turn off, patch, reset passwords

A threat actor has leaked a list of almost 500,000 Fortinet VPN credentials, stolen from 87,000 vulnerable FortiGate SSL-VPN devices. The breach list provides raw access to organizations in 74 countries, including the USA, India, Taiwan, Italy, France, and Israel, with almost 3,000 US entities...

CVSS 5 | AI score 10 | EPSS 0.99999 | Exploits: 21
Malwarebytes | added 2021/07/29 3:00 p.m. | 389 views

Crimea “manifesto” deploys VBA Rat using double attack vectors

This blog post was authored by Hossein Jazi. On July 21, 2021, we identified a suspicious document named "Манифест.docx" ("Manifest.docx") that downloads and executes two templates: one is macro-enabled and the other is an HTML object that contains an Internet Explorer exploit. While both technique...

CVSS 5.1 | EPSS 0.81103 | Exploits: 0
Malwarebytes | added 2019/06/27 4:14 p.m. | 386 views

Fake jquery campaign leads to malvertising and ad fraud schemes

Recently we became aware of new domains used by an old malware campaign known as 'fake jquery', previously documented by web security firm Sucuri. Thousands of compromised websites are injected with a reference to an external JavaScript called jquery.js. However, there is something quite elusive...

AI score 0.7 | Exploits: 0
Malwarebytes | added 2021/07/21 2:31 p.m. | 381 views

HiveNightmare zero-day lets anyone be SYSTEM on Windows 10 and 11

Users with low privileges can access sensitive Registry database files on Windows 10 and Windows 11, leaving them vulnerable to a local elevation of privilege vulnerability known as SeriousSAM or HiveNightmare. Doesn't sound serious? Reassured that users must already have access to the system and ...

CVSS 4.6 | AI score 0.9 | EPSS 0.67252 | Exploits: 11
Malwarebytes | added 2023/06/06 1:00 a.m. | 369 views

Cl0p ransomware gang claims first victims of the MOVEit vulnerability

On Friday June 2, 2023 we reported about a MOVEit Transfer vulnerability that was actively being exploited. If your organization uses MOVEit Transfer and you haven't patched yet, it really is time to move it. Excuse the bad pun, but yesterday we saw the first victims of this vulnerability come...

CVSS 7.5 | AI score 8.2 | EPSS 0.99934 | Exploits: 15
Malwarebytes | added 2022/08/03 9:25 p.m. | 364 views

Woody RAT: A new feature-rich malware spotted in the wild

This blog post was authored by Ankur Saini and Hossein Jazi. The Malwarebytes Threat Intelligence team has identified a new Remote Access Trojan we are calling Woody Rat that has been in the wild for at least one year. This advanced custom Rat is mainly the work of a threat actor that targets...

CVSS 9.3 | AI score 0.3 | EPSS 0.99374 | Exploits: 62
Malwarebytes | added 2021/01/13 7:40 p.m. | 361 views

Microsoft issues 83 patches, one for actively exploited vulnerability

Every second Tuesday of the month it's Patch Tuesday. On Patch Tuesday Microsoft habitually issues a lot of patches for bugs and vulnerabilities in its software. It's always important to patch, but the update that was released on January 12 is one to pay attention to. That's because it contains a...

CVSS 7.2 | AI score 1.4 | EPSS 0.39653 | Exploits: 0
Malwarebytes | added 2021/07/29 3:55 p.m. | 360 views

Microsoft provides more mitigation instructions for the PetitPotam attack

In a revision of KnowledgeBase article KB5005413, Microsoft has provided more elaborate mitigation instructions for the PetitPotam attacks that were disclosed a week ago. PetitPotam is the name for an attack method using a bug that was found by a security researcher who also published a...

AI score 0.7 | Exploits: 0
Malwarebytes | added 2018/03/14 5:59 p.m. | 360 views

Hermes ransomware distributed to South Koreans via recent Flash zero-day

This blog post was authored by @hasherezade, Jérôme Segura and Vasilios Hioureas. At the end of January, the South Korean Emergency Response Team (KrCERT) published news of a Flash Player zero-day used in targeted attacks. The flaw, which exists in Flash Player 28.0.0.137 and below, was distributed...

CVSS 7.5 | AI score 8.7 | EPSS 0.89618 | Exploits: 19
Malwarebytes | added 2019/06/21 3:30 p.m. | 353 views

Chernobyl’s lessons for critical-infrastructure cybersecurity

This story originally ran on The Parallax on April 26, 2019. CHERNOBYL EXCLUSION ZONE, Ukraine—The stray dog looking directly at me was hard to resist. Her ears perked up, her fur appeared clean—free of mange, at any rate—and she held a large stick firmly between her jaws. She looked like a good...

AI score 7.9 | Exploits: 0
Malwarebytes | added 2022/01/25 11:39 a.m. | 351 views

Microsoft is now disabling Excel 4.0 macros by default

Back in October 2021, Microsoft announced in an email to customers that it planned to disable Excel 4.0 macros by default to protect customers from malicious documents. Last week—after three decades of macro viruses, and three decades of trying to convince every single Excel user individually to...

CVSS 9.3 | AI score 8.8 | EPSS 0.99945 | Exploits: 33
Malwarebytes | added 2018/01/04 3:53 p.m. | 346 views

Meltdown and Spectre: what you need to know

UPDATE as of 1/12/18: Several vendors have produced patches for Meltdown and Spectre, however performance problems dog the fixes. Details on the patches were published here. UPDATE as of 1/04/18: Since the Malwarebytes Database Update 1.0.3624, all Malwarebytes users are able to receive the...

CVSS 4.7 | AI score 7.5 | EPSS 0.93838 | Exploits: 12
Malwarebytes | added 2022/03/21 9:09 p.m. | 345 views

AvosLocker ransomware uses Microsoft Exchange Server vulnerabilities, says FBI

The FBI has issued an advisory about the AvosLocker ransomware. Notably the FBI has noticed that several victims have reported Microsoft Exchange Server vulnerabilities as the intrusion vector. AvosLocker is a Ransomware as a Service (RaaS) affiliate-based group that has targeted victims across...

CVSS 10 | AI score 10 | EPSS 0.99999 | Exploits: 79
Malwarebytes | added 2019/11/19 6:08 p.m. | 343 views

Exploit kits: fall 2019 review

Despite a slim browser market share, Internet Explorer is still being exploited in fall 2019 in a number of drive-by download campaigns. Perhaps even more surprising, we're seeing new exploit kits emerge. Based on our telemetry, these drive-bys are happening worldwide with the exception of a few...

CVSS 10 | AI score 9.6 | EPSS 0.89618 | Exploits: 40
Malwarebytes | added 2019/10/18 4:36 p.m. | 333 views

Pulse VPN patched their vulnerability, but businesses are trailing behind

In April 2019, Pulse Secure published an advisory about a vulnerability in their software. In August, cybercriminals were massively scanning for systems that were running a vulnerable version. Now it’s October, and still many organizations have not applied the patches that are available for this...

CVSS 7.5 | AI score 10 | EPSS 0.99999 | Exploits: 22
Malwarebytes | added 2019/01/25 6:00 p.m. | 323 views

Sly criminals package ransomware with malicious ransom note

Ransomware continues to show signs of evolution. From a simple screen locker to a highly-sophisticated data locker, ransomware has now become a mainstream name, even if historically, it has been around far longer than we want to look back. Although the criminals behind ransomware campaigns are...

AI score 6.8 | Exploits: 0
Malwarebytes | added 2021/02/10 5:26 p.m. | 307 views

Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits

Traditionally the second Tuesday of the month is Microsoft’s “patch Tuesday”. This is the day when they roll out all the available patches for their software, and their operating systems in particular. Since there were no less than 56 patches in this month’s issue we will focus on the most...

CVSS 6.8 | AI score 0.1 | EPSS 0.86274 | Exploits: 26
Malwarebytes | added 2022/08/22 3:00 p.m. | 301 views

CISA wants you to patch these actively exploited vulnerabilities before September 8

On Thursday, CISA (the US Cybersecurity and Infrastructure Security Agency) updated its catalog of actively exploited vulnerabilities by adding seven new entries. These flaws were found in Apple, Google, Microsoft, Palo Alto Networks, and SAP products. CISA set the due date for everyone to patch th...

CVSS 10 | EPSS 0.9834 | Exploits: 30
Malwarebytes | added 2019/08/30 5:40 p.m. | 297 views

Unprecedented new iPhone malware discovered

A post by Ian Beer of Google Project Zero released late yesterday evening sent the security community reeling. According to Beer, a small set of websites had been hacked in February and were being used to attack iPhones, infecting them with malware. These sites, which see thousands of visitors pe...

AI score 8.1 | EPSS 0.15705 | Exploits: 2
Malwarebytes | added 2019/07/12 3:30 p.m. | 296 views

Cellular networks under fire from Soft Cell attacks

We place a lot of trust in our mobile experience, given they’re one of the most constant companions we have. Huge reams of data, tied to a device we always carry with us, with said device frequently offering additional built-in app functionality. An astonishing wealth of information, for anyone...

AI score 7.2 | Exploits: 0
Malwarebytes | added 2020/12/23 3:11 p.m. | 292 views

I played the free online games your kids are playing and here’s what happened

“Throat kill! Throat kill!” “I need a dad.” These are just some of the things I heard a six-year-old boy shout at his iPad while I was babysitting one evening. I was disturbed, yet compelled to learn more. Babysitting is always a puzzling experience for me. Why are their hands always sticky? Who...

AI score 6.6 | Exploits: 0
Malwarebytes | added 2022/01/24 3:39 p.m. | 287 views

Microsoft is now disabling Excel 4.0 macros by default

Back in October 2021, Microsoft announced in an email sent to customers that it planned to disable Excel 4.0 macros by default to protect customers from malicious documents. Now, Microsoft says that change has happened. Good news: Sometimes good news in the security world comes later than expected...

CVSS 9.3 | AI score 8.8 | EPSS 0.99945 | Exploits: 33
Malwarebytes | added 2021/01/21 3:56 p.m. | 283 views

DNSpooq bugs haunt dnsmasq

The research team at JSOF found seven vulnerabilities in dnsmasq and have dubbed them DNSpooq, collectively. Now, some of you may shrug and move on, probably because you haven't heard of dnsmasq before. Well, before you go, you should know that dnsmasq is used in a wide variety of phones, routers,...

CVSS 8.3 | AI score 8.7 | EPSS 0.86806 | Exploits: 2
Malwarebytes | added 2019/01/17 7:51 p.m. | 276 views

Improved Fallout EK comes back after short hiatus

Edit 2019-01-24: Fallout EK introduces a new dropper to facilitate the final payload retrieval. This update replaces the plain MZ we saw for a little while. -- After a short hiatus in early January, the Fallout exploit kit is back in business again with some new features for the new year. During i...

CVSS 10 | AI score 0.2 | EPSS 0.81844 | Exploits: 13
Malwarebytes | added 2019/05/10 3:00 p.m. | 272 views

Threats target financial institutions, fintech, and cryptocurrencies

With news of a malware attack on accounting firm Wolters Kluwer causing a "quiet panic" in the accounting world this week, our assertion that financial institutions—from banks to brokers—are part of the vital infrastructure of society has been solidified. According to its website, Wolters Kluwer...

AI score 0.1 | Exploits: 0
Malwarebytes | added 2021/04/23 11:34 a.m. | 270 views

Artificial Intelligence ban slammed for failing to address “vast abuse potential”

A written proposal to ban several uses of artificial intelligence (AI) and to place new oversight on other “high-risk” AI applications—published by the European Commission this week—met fierce opposition from several digital rights advocates in Europe. Portrayed as a missed opportunity by privacy...

AI score 0.4 | Exploits: 0
Malwarebytes | added 2022/03/18 10:58 p.m. | 269 views

Meet Exotic Lily, access broker for ransomware and other malware peddlers

The Google Threat Analysis Group (TAG) has shared their observations about a group of cybercriminals called Exotic Lily. This group has specialized itself as an initial access broker, which means they find a vulnerability in an organization's defenses, exploit that vulnerability, and sell the access...

CVSS 6.8 | AI score 8.1 | EPSS 0.97242 | Exploits: 38
Malwarebytes | added 2018/08/15 4:00 p.m. | 268 views

Black Hat USA 2018: ransomware is still the star

The Malwarebytes team was at the annual Black Hat USA event held in Las Vegas at the Mandalay Bay Hotel from August 4–9. Large crowds walked through the expo floor, attended talks, and participated in trainings. Among the many topics discussed, ransomware came up as one of the main issues that bo...

AI score 0.9 | Exploits: 0
Malwarebytes | added 2021/09/22 12:19 p.m. | 267 views

Patch now! Insecure Hikvision security cameras can be taken over remotely

In a detailed post on Github, security researcher WatchfulIP describes how he found that the majority of the recent camera product ranges of Hikvision cameras are susceptible to a critical, unauthenticated, remote code execution (RCE) vulnerability, even with the latest firmware. Hikvision Hangzhou...

AI score 10 | EPSS 0.99869 | Exploits: 22
Malwarebytes | added 2021/07/22 12:24 p.m. | 267 views

Millions of Windows machines affected by ancient printer vulnerability

A very serious security flaw in immensely popular printer drivers has been disclosed and it could affect many millions of Windows systems. The printer driver was issued by HP, but it’s also in use by Samsung and Xerox. All the affected printers are laser printers. The most surprising about this...

CVSS 4.6 | AI score 8 | EPSS 0.02902 | Exploits: 1
Malwarebytes | added 2021/04/01 7:47 p.m. | 265 views

Android “System Update” malware steals photos, videos, GPS location

A newly discovered piece of Android malware shares the same capabilities found within many modern stalkerware-type apps—it can swipe images and video, rifle through online searches, record phone calls and video, and peer into GPS location data—but the infrastructure behind the malware obscures it...

Exploits: 0

Total number of security vulnerabilities: 4658