Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do
After more than 20 years of underwhelming results, security leaders have accepted their intrusion detection system (IDS) programs as no more than a compliance checkoff. It’s no secret that IDS’s reliance on bi-modal signatures is brittle, easily evaded and often referred to as an “alert cannon.” Ti...
AT&T Phone-Unlocking Malware Ring Costs Carrier $200M
The ringleader of a seven-year phone-unlocking and malware scheme will head to the clink for 12 years, according to the Department of Justice, after effectively compromising AT&T’s internal networks to install credential-thieving malware. The perp, one Muhammad Fahd of Pakistan and Grenada, was...
Microsoft MSHTML Flaw Exploited by Ryuk Ransomware Gang
Criminals behind the Ryuk ransomware were early exploiters of the Windows MSHTML flaw, actively leveraging the bug in campaigns ahead of a patch released by Microsoft this week. Collaborative research by Microsoft and RiskIQ revealed campaigns by Ryuk threat actors early on that exploited the fla...
CISA, FBI: State-Backed APTs Are Exploiting Critical Zoho Bug
The FBI, CISA and the U.S. Coast Guard Cyber Command (CGCYBER) warned today that state-backed advanced persistent threat (APT) actors are likely among those who’ve been actively exploiting a newly identified bug in a Zoho single sign-on and password management tool since early last month. At issue is...
Airline Credential-Theft Takes Off in Widening Campaign
A two-year-old espionage campaign against the airline industry is ongoing, with AsyncRAT and other commodity remote-access trojans (RATs) helping those efforts take flight. The campaign can effectively be a bird strike to the business engine, so to speak, resulting in data theft, financial fraud or...
Financial Cybercrime: Following Cryptocurrency via Public Ledgers
This is Part II of a two-part series on how cybercrooks embrace and use cryptocurrency. To read Part I, please click here. While Bitcoin transactions are anonymous, it’s possible to follow the money through public ledgers to see what those transactions actually are and how they flow. This allows ...
REvil/Sodinokibi Ransomware Universal Decryptor Key Is Out
REvil victims, your prayers have been answered: There’s a universal decryptor key waiting to free you. Bitdefender is releasing a free, universal decryptor key to unlock data of victimized organizations that were encrypted by REvil/Sodinokibi ransomware attacks before the gang’s servers went...
DDoS Attacks: A Flourishing Business for Cybercrooks – Podcast
Distributed denial-of-service (DDoS) started out as an inconvenience: They were a roadblock that kept customers from getting at systems. That’s bad enough. Keeping availability away from customers via DDoS can have a painful impact on businesses as they find their doors blocked to customers, keepin...
HP Omen Hub Exposes Millions of Gamers to Cyberattack
Millions of devices running the HP Omen Gaming Hub were using a driver with a bug that could give attackers kernel-mode access without administrator privileges. HP has since released a patch, but a new report on the flaw (CVE-2021-3437) from researchers at SentinelLabs details how the gaming...
Azure Zero-Day Bugs Show Lurking Supply-Chain Risk
Four Microsoft zero-day vulnerabilities in the Azure cloud platform’s Open Management Infrastructure (OMI), software that many don’t know is embedded in a host of services, show that OMI represents a significant security blind spot, researchers said. Collectively dubbed “OMIGOD” because of the...
No Patch for High-Severity Bug in Legacy IBM System X Servers
Two legacy IBM System x server models, retired in 2019, are open to attack and will not receive security patches, according to hardware maker Lenovo. However, the company is offering workaround mitigation. The two models, IBM System x 3550 M3 and IBM System x 3650 M3, are both vulnerable to comma...
Attackers Impersonate DoT in Two-Day Phishing Scam
Threat actors impersonated the U.S. Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics – including creating new domains that mimic federal sites so as to appear to be legitimate – to evade security detections. Between Aug. 16-18, researchers at...
Adobe Snuffs Critical Bugs in Acrobat, Experience Manager
Adobe is urging its throngs of Acrobat Reader users to update their software to fix critical vulnerabilities that could allow adversaries to execute arbitrary code on unpatched versions. The warnings are part of the firm’s September monthly security update, which this month addresses 59 bugs foun...
Microsoft Patches Actively Exploited Windows Zero-Day
In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which – the Windows MSHTML zero-day – has been under active attack for nearly two weeks. One other bug is listed as publicly known but isn’t yet being...
2021’s Most Dangerous Software Weaknesses
Mitre Corp. recently updated its list of the top 25 most dangerous software bugs, and it’s little surprise that a number of them have been on that list for years. The Common Weakness Enumeration (CWE) list represents vulnerabilities that have been widely known for years, yet are still being coded...
ZLoader’s Back, Abusing Google AdWords, Disabling Windows Defender
A targeted campaign delivering the ZLoader banking trojan is spreading via Google AdWords, and is using a mechanism to disable all Windows Defender modules on victim machines, researchers have found. That’s according to SentinelLabs, which said that to lower the rates of detection, the infection...
Pair of Google Chrome Zero-Day Bugs Actively Exploited
Google has addressed two zero-day security bugs that are being actively exploited in the wild. As part of the internet giant’s latest stable channel release (version 93.0.4577.82) for Windows, Mac and Linux, it fixed 11 total vulnerabilities, all of them rated high-severity. The two zero days are...
Unpatched Bugs Plague Databases; Data Is Not Secure
A five-year longitudinal study found that nearly one out of every two on-premises databases globally – 46 percent – is vulnerable to attack, given that it has at least one unpatched vulnerability. The study, which involved 27,000 scanned databases globally, discovered that more than half – 56...
Romance, BEC Scams Land Soldier in Jail for 46 Months
A former Army reservist was just sentenced to 46 months in prison and ordered to pay nearly $2 million in penalties and restitution, after pleading guilty to scamming dozens of people online, including the elderly and a veteran’s organization for Marines. Joseph Iorhemba Asan Jr. along with his...
BlackMatter Ransomware Hits Japanese Tech Giant Olympus
Japanese technology giant Olympus is currently investigating a cyber incident on its EMEA IT systems that happened earlier this month that sources said is the result of a BlackMatter ransomware attack. The company detected “suspicious activity” on Sept. 8 and “immediately mobilized a specialized...
Apple Issues Emergency Fix for NSO Zero-Click Zero Day
Apple users should immediately update all their devices – iPhones, iPads, Macs and Apple Watches – to install an emergency patch for a zero-click zero-day exploited by NSO Group to install spyware. The security updates, pushed out by Apple on Monday, include iOS 14.8 for iPhones and iPads, as wel...
REvil’s Back; Coder Fat-Fingered Away Its Decryptor Key?
UPDATE: The REvil ransomware gang’s tentacles shot out yet again last week, with the ransomware gang’s servers back online, a fresh victim listed on its site, ransomware payments back up and flowing, and an explanation of why it took a two-month hiatus. A purported REvil representative also...
WhatsApp’s End-to-End Encryption Isn’t Actually Broken
End-to-end encryption isn’t designed to secure messages against the intended recipients. New revelations about WhatsApp’s moderator access to messages last week might seem like they run counter to the company’s privacy-forward brand, but a closer look shows the messaging service’s privacy...
Honing Cybersecurity Strategy When Everyone’s a Target for Ransomware
These days, ransomware is seemingly ubiquitous. No longer just a discussion topic for cybersecurity professionals and researchers, these days it seems like rarely a week goes by when it’s not in the mainstream media. It’s rapidly become a commonplace word, and in some respects, this increased...
WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing
A security vulnerability in the WooCommerce Multi Currency plugin could allow any customer to change the pricing for products in online stores. WooCommerce is a popular eCommerce plugin for WordPress-powered websites; the Multi Currency plugin from Envato meanwhile allows e-tailers using...
MyRepublic Data Breach Raises Data-Protection Questions
Almost 79,400 MyRepublic mobile subscribers have been caught up in a data breach that exposed a range of personal information, the company has confirmed. The Singapore-based ISP and mobile provider said that an “unauthorized data access incident” took place on August 29. The intrusion in question...
Top Steps for Ransomware Recovery and Preparation
When it comes to ransomware attacks, it’s no longer a question of if or even when, but how often. A business falls victim to a ransomware attack every 11 seconds, making ransomware the fastest-growing type of cybercrime. Businesses today need to not only think about strategies to prevent...
Yandex Pummeled by Potent Meris DDoS Botnet
Technical details tied to a record-breaking distributed-denial-of-service (DDoS) attack against Russian internet behemoth Yandex are surfacing as the digital dust settles. A massive botnet, dubbed Mēris, is believed responsible, flooding Yandex with millions of HTTP requests for webpages at the sam...
SOVA, Worryingly Sophisticated Android Trojan, Takes Flight
A new Android banking trojan named SOVA (“owl” in Russian) is under active development, researchers said, and it has big dreams even in its infancy stage. The malware is looking to incorporate distributed denial of service (DDoS), man in the middle (MiTM) and ransomware functionality into its arsenal –...
5 Steps For Securing Your Remote Work Space
Use a VPN: Whether you’re connecting to company resources or a Zoom call, use a virtual private network (VPN). VPNs encrypt all of your online traffic to prevent hackers from capturing data in transit. Be sure to use a well-known VPN – they are widely available in software marketplaces...
Stolen Credentials Led to Data Theft at United Nations
A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed. That data lifted from the network can be used to target agencies within the UN, which alrea...
Thousands of Fortinet VPN Account Credentials Leaked
UPDATE: Subsequent reporting and disclosures show “Groove” was a hoax intended to lure media outlets into reporting on fake potential threats against U.S. government interests. Threatpost regrets falling for a troll. Lesson learned and apologies to our readers. Credentials pilfered from 87,000...
McDonald’s Email Blast Includes Password to Monopoly Game Database
McDonald’s UK Monopoly VIP game kicked off at the end of August, and a recent round of emails sent to winners of the game’s various prizes included more than a coupon for free fries. The franchise accidentally inserted passwords for a McDonald’s server that hosted information tied to the UK...
Financial Cybercrime: Why Cryptocurrency is the Perfect ‘Getaway Car’
This is Part I of a two-part series on how cybercrooks embrace and use cryptocurrency. To read Part II, please click here. It’s no secret: Hackers are out to make money. Over the summer, it seemed there was practically a new ransomware attack every day of the week. Whether it be Colonial Pipeline...
‘Azurescape’ Kubernetes Attack Allows Cross-Container Cloud Compromise
A critical security vulnerability allowing attackers to perform cross-account container takeover in Microsoft’s public cloud, dubbed “Azurescape”, has been uncovered by researchers. The issue exists in Azure Container Instances (ACI), which is Microsoft’s container-as-a-service (CaaS) offering which...
SideWalk Backdoor Linked to China-Linked Spy Group ‘Grayfly’
The novel backdoor technique called SideWalk, seen in campaigns targeting US media and retailers late last month, has been tied to an adversary that’s been around for quite a while: namely, China-linked Grayfly espionage group. ESET researchers, who named and discovered the new “SparklingGoblin”...
Zoho ManageEngine Password Manager Zero-Day Gets Fix
A critical security vulnerability in the Zoho ManageEngine ADSelfService Plus platform could allow remote attackers to bypass authentication and have free rein across users’ Active Directory (AD) and cloud accounts. The issue (CVE-2021-40539) has been actively exploited in the wild as a zero-day,...
BladeHawk Attackers Target Kurds with Android Apps
Attackers have been targeting the Kurdish ethnic group for more than a year through a Facebook-based spyware campaign that disguises backdoors in legitimate Android apps, researchers have found. A group called BladeHawk is behind the campaign, discovered by researchers from cybersecurity firm ESE...
What Ragnar Locker Got Wrong About Ransomware Negotiators – Podcast
The Ragnar Locker ransomware gang just put its victims on notice: Call for help – be it from investigators, the FBI or ransomware negotiators – and the punishment will be the publication of encrypted files. Bryce Webster-Jacobsen, director of intelligence operations at digital risk...
Tooling Network Detection & Response for Ransomware
Everywhere you look, there are new reports coming out about ransomware. And cybercriminals are becoming more aggressive, demanding even more in ransom payments than ever before. According to Palo Alto Networks’ Unit 42, ransom payments are up 82 percent in the first half of 2021, with an average...
Spoofing Bug Highlights Cybersecurity for Digital Vaccine Passports
Three weeks after an independent researcher found a critical bug in the Services Australia COVID-19 digital vaccine certificate that would allow an attacker to falsify someone’s vaccine status, it still hasn’t been fixed. Researcher Richard Nelson looked into the security behind a new digital...
TeamTNT’s New Tools Target Multiple OSes
The TeamTNT malware pushers have a slew of new toys with which to wreak havoc – multiple shell/batch scripts, open-source tools, a cryptocurrency miner, an IRC and more – that have inflicted more than 5,000 infections globally as antivirus (AV) tools struggle to catch up with the newest malware...
Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows
Both Microsoft and federal cybersecurity officials are urging organizations to use mitigations to combat a zero-day remote code execution (RCE) vulnerability in Windows that allows attackers to craft malicious Microsoft Office documents. Microsoft has not revealed much about the MSHTML bug,...
Ragnar Locker Gang Warns Victims Not to Call the FBI
All that the FBI/ransomware negotiators/investigators do is muck things up, so we’re going to publish your stuff if you call for help, the Ragnar Locker ransomware gang announced on its darknet data-leak site. In an announcement posted this week and seen by Bleeping Computer, the ransomware...
Netgear Smart Switches Open to Complete Takeover
Three severe Netgear vulnerabilities, codenamed Demon’s Cries, Draconian Fear and Seventh Inferno by the researcher that found them, affect 20 of the company’s managed smart switches and could allow an attacker to take them over. The bugs were patched on Friday with zero technical details made...
Jenkins Hit as Atlassian Confluence Cyberattacks Widen
A just-patched, critical remote code-execution (RCE) vulnerability in the Atlassian Confluence server platform is suffering wide-scale exploitation, the Feds have warned – as evidenced by an attack on the popular Jenkins open-source automation engine. Atlassian Confluence is a collaboration platfor...
ProtonMail Forced to Log IP Address of French Activist
The privacy-hugging, end-to-end encryption-providing email provider ProtonMail was forced to log the IP address of a French activist and turn it over to Europol, according to a French police report that came to light over the weekend. The activist was arrested as a result. In the wake of the news...
Authorities Arrest Another TrickBot Gang Member in South Korea
Another alleged member of the TrickBot gang has been apprehended, this time when trying to leave South Korea, according to published reports. The Russian national, who is an alleged developer of the notorious crimeware, reportedly had been trapped in South Korea since February 2020 due to COVID-1...
Holy Grail of Security: Answer to ‘Did X Work?’ – Podcast
Get a glass. Pour in one shot of VERIS, aka the Vocabulary for Event Recording and Incident Sharing engine that generates Verizon’s funny, well-written, incredibly useful, annual Database Investigations Report (DBIR). Next, add a shot of MITRE ATT&CK: the curated knowledge repository of reported...
Human Fraud: Detecting Them Before They Detect You
This is Part II of a two-part blog series taking readers inside the criminal enterprise that is account-takeover fraud. For part I, please click here. In my last blog, we focused on the initial phases of the account-takeover (ATO) kill chain – recon, weaponization and delivery – and how attackers...