Search results: Trellix, sorted by most viewed

608 matches found

Trellix · added 2023/08/24 12:00 a.m. · 60 views

The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain

The Tale of Two Exploits - Breaking Down CVE-2023-36884 and the Infection Chain By Trellix · August 24, 2023 This blog was written by Chintan Shah Executive Summary On July 11 2023, Microsoft released a patch fixing multiple actively exploited RCE vulnerabilities and disclosed a phishing campaign...

CVSS 7.5 · AI score 9.1 · EPSS 0.99083 · Exploits: 3
Trellix · added 2023/04/05 12:00 a.m. · 60 views

The Bug Report - March 2023 Edition

The Bug Report – March 2023 Edition By Trellix · April 05, 2023 This story was also written by Kasimir Schulz. It really is bussin, though. Why am I here? Welcome back to the Bug Report, Ides of March edition! Last month was highlighted by glimpses into the past, with a historic attack technique...

AI score 8.7 · EPSS 0.97408 · Exploits: 20
Trellix · added 2022/09/07 12:00 a.m. · 58 views

The Bug Report – August 2022 Edition

The Bug Report — August 2022 Edition By Philippe Laulheret · September 7, 2022 Your Cybersecurity Comic Relief Figure 0: CVE-2022-38392 redefines “destructive interference” Why am I here? Indeed, why are we here? School is back in session, there’s a chill in the air that says fall is around the...

AI score 0.1 · EPSS 0.99174 · Exploits: 24
Trellix · added 2023/03/17 12:00 a.m. · 57 views

CVE-2023-23397: The Notification Sound You Don’t Want to Hear

CVE-2023-23397: The Notification Sound You Don’t Want to Hear By Mark Bereza · March 17, 2023 This story was also written by John Dunlap. Overview During the March "Patch Tuesday" security update, a new Outlook security vulnerability was revealed as being exploited in the wild. This is a serious...

CVSS 9.8 · AI score 8.8 · EPSS 0.97408 · Exploits: 18
Trellix · added 2022/08/03 12:00 a.m. · 57 views

Small Business, Mighty Attack Surface

Small Business, Mighty Attack Surface By Trellix · August 3, 2022 This blog was written by Douglas McKee If given the chance to name the first five businesses that come to mind, what would they be? Maybe if you're close to the security industry you might suggest names like Microsoft, Apple or...

AI score 9.1 · EPSS 0.99993 · Exploits: 9
Trellix · added 2022/07/06 12:00 a.m. · 57 views

The Bug Report – June 2022 Edition

The Bug Report – June 2022 Edition By Trellix · July 6, 2022 This story was also written by Sam Quinn. Your Cybersecurity Comic Relief Why am I here? Why do all the most critical vulnerabilities always have to come out on holidays? Just like clockwork, CVE-2022-26134 came out over the U.S.’...

AI score 9.6 · EPSS 0.99999 · Exploits: 238
Trellix · added 2023/10/05 12:00 a.m. · 56 views

Storm-0324: An access for the RaaS Threat Actor (Sangria Tempest)

Storm-0324 to Sangria Tempest Leads to Ransomware Capabilities By Gurumoorthi Ramanathan · October 5, 2023 Executive Summary: In early July 2023, the threat actor that Microsoft calls “Storm-0324” was observed sending a phishing message through Microsoft Teams. Storm-0324 is a financially motivat...

AI score 8.2 · EPSS 0.12107 · Exploits: 0
Trellix · added 2022/11/17 12:00 a.m. · 56 views

Trellix Global Defenders: Analysis and Protections for Destructive Wipers

Trellix Global Defenders: Analysis and Protections for Destructive Wipers By Ayed Al Qartah · November 17, 2022 Modern cyber warfare involves the actions of a nation-state or their proxies organized crime and hacker groups to attack and attempt to damage other nations’ computers or information...

AI score 8.2 · Exploits: 0
Trellix · added 2023/11/09 12:00 a.m. · 55 views

CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability

CVE-2023-38831: Navigating the Threat Landscape of the Latest Security Vulnerability By Trellix · November 9, 2023 This blog was written by Neeraj Kumar Singh Executive Summary In August 2023, WinRAR released a security patch to address a remote code execution vulnerability in WinRAR's ZIP archiv...

CVSS 7.8 · AI score 8.1 · EPSS 0.97798 · Exploits: 49
Trellix · added 2022/01/25 12:00 a.m. · 55 views

Prime Minister’s Office Compromised: Details of Recent Espionage Campaign

Prime Minister’s Office Compromised: Details of Recent Espionage Campaign By Marc Elias · January 25, 2022 A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation. Executive Summary Our Advanced Threat Resear...

CVSS 8.8 · AI score 9.5 · EPSS 0.96843 · Exploits: 38
Trellix · added 2023/07/26 12:00 a.m. · 54 views

Beyond File Search: A Novel Method

Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler By Sijo Jacob · July 26, 2023 This blog was also written by Mathanraj Thangaraju Threat Summary In the ever-evolving landscape of cyber threats, malware authors continuously explore new avenues to exploit...

CVSS 9.3 · AI score 9.3 · EPSS 0.99374 · Exploits: 62
Trellix · added 2022/07/06 12:00 a.m. · 54 views

The Bug Report – June 2022 Edition

The Bug Report – June 2022 Edition By Trellix · July 6, 2022 This story was also written by Sam Quinn. Your Cybersecurity Comic Relief Why am I here? Why do all the most critical vulnerabilities always have to come out on holidays? Just like clockwork, CVE-2022-26134 came out over the U.S.’...

CVSS 9.8 · AI score 9.6 · EPSS 0.99999 · Exploits: 140
Trellix · added 2023/02/01 12:00 a.m. · 53 views

When Pwning Cisco, Persistence Is Key - When Pwning Supply Chain, Cisco Is Key

When Pwning Cisco, Persistence is Key - When Pwning Supply Chain, Cisco is Key By Trellix · February 1, 2023 This story was also written by Kasimir Schulz and Sam Quinn. Unlike those of the past, modern routers now function like high-powered servers with many ethernet ports running not only routi...

AI score 10.2 · EPSS 0.27095 · Exploits: 3
Trellix · added 2021/09/08 12:00 a.m. · 53 views

How Groove Gang is Shaking up the RAAS to Empower Affiliates

ARCHIVED STORY How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates By Max Kersten, John Fokker and Thibault Seret · September 08, 2021 Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its...

CVSS 9.3 · AI score 8.6 · EPSS 0.9923 · Exploits: 55
Trellix · added 2022/01/25 12:00 a.m. · 52 views

Prime Minister’s Office Compromised: Details of Recent Espionage Campaign

Prime Minister’s Office Compromised: Details of Recent Espionage Campaign By Marc Elias · January 25, 2022 A special thanks to Christiaan Beek, Alexandre Mundo, Leandro Velasco and Max Kersten for malware analysis and support during this investigation. Executive Summary Our Advanced Threat Resear...

AI score 0.4 · EPSS 0.96843 · Exploits: 38
Trellix · added 2023/03/01 12:00 a.m. · 51 views

The Bug Report – February 2023 Edition

The Bug Report – February 2023 Edition By Trellix · March 1, 2023 This story was also written by Sam Quinn. Figure 1: Ironic. It could protect other devices from threats, but not itself. Why am I here? Welcome back to the Bug Report! For those in the audience unfamiliar with our shtick, we compil...

CVSS 9.8 · AI score 9.2 · EPSS 0.99815 · Exploits: 24
Trellix · added 2021/11/30 12:00 a.m. · 51 views

The Bug Report November 2021 Edition

The Bug Report — November 2021 Edition By Mark Bereza · November 30, 2021 Your Cybersecurity Comic Relief CVE-2021-20322: Of all the words of mice and men, the saddest are, “it was DNS again.” Why am I here? For all our newcomers, welcome to the Advanced Threat Research team’s monthly bug report ...

AI score 8.1 · EPSS 0.19087 · Exploits: 2
Trellix · added 2021/06/10 12:00 a.m. · 51 views

Are Virtual Machines the New Gold for Cyber Criminals?

ARCHIVED STORY Are Virtual Machines the New Gold for Cyber Criminals? ATR Operational Intelligence Team · JUN 10, 2021 Introduction Virtualization technology has been an IT cornerstone for organizations for years now. It revolutionized the way organizations can scale up IT systems in a heartbeat,...

EPSS 0.99999 · Exploits: 13
Trellix · added 2018/11/08 12:00 a.m. · 51 views

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs Thomas Roccia · NOV 08, 2018 Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that mana...

AI score 0.6 · EPSS 0.16342 · Exploits: 0
Trellix · added 2023/02/09 12:00 a.m. · 50 views

Global ESXiArgs ransomware attack on the back of a two-year-old vulnerability

Global ESXiArgs Ransomware Attack on the Back of a Two-Year-Old Vulnerability By John Fokker, Alfred Alvarado, Tim Hux, Jeffrey Sman, Joao Marques · February 09, 2023 Figure 1: Global Telemetry from Trellix ATLAS for IPs connecting to port 427 Introduction: Early this week, VMware issued a...

CVSS 10 · AI score 9.9 · EPSS 0.9957 · Exploits: 54
Trellix · added 2022/09/21 12:00 a.m. · 50 views

Open-Source Intelligence to Understand the Scope of N-Day Vulnerabilities

Open-Source Intelligence to Understand the Scope of N-Day Vulnerabilities By Charles McFarland · September 21, 2022 The zero-day is the holy grail for cybercriminals; however, N-day vulnerabilities can pose problems even years after discovery. If a target is vulnerable, it doesn’t matter whether...

CVSS 9.8 · AI score 7.5 · EPSS 0.27095 · Exploits: 3
Trellix · added 2022/06/06 12:00 a.m. · 50 views

Connected Healthcare: A Cybersecurity Battlefield We Must Win

Connected Healthcare: A Cybersecurity Battlefield We Must Win By Trellix · June 6, 2022 This blog was written by Charles McFarland We are commonly taught to prioritize the most critical, severe, or impactful tasks when trying to conquer a list of intimidating problems. Yet, how is this possible...

CVSS 7 · AI score 9.4 · EPSS 0.00224 · Exploits: 0
Trellix · added 2021/06/10 12:00 a.m. · 50 views

Are Virtual Machines the New Gold for Cyber Criminals?

ARCHIVED STORY Are Virtual Machines the New Gold for Cyber Criminals? ATR Operational Intelligence Team · JUN 10, 2021 Introduction Virtualization technology has been an IT cornerstone for organizations for years now. It revolutionized the way organizations can scale up IT systems in a heartbeat,...

CVSS 10 · AI score 10 · EPSS 0.99999 · Exploits: 13
Trellix · added 2023/07/05 12:00 a.m. · 49 views

The Bug Report - June 2023 Edition

The Bug Report – June 2023 Edition By Trellix · July 05, 2023 This story was also written by Jesse Chick. Can I have a word with the developers who greenlit these vulns? Why am I here? "To our newcomers, welcome! To our old hands, welcome back!" Iykyk. Every month, we chronicle the disruptive new...

CVSS 9.8 · AI score 10 · EPSS 0.98125 · Exploits: 17
Trellix · added 2023/09/06 12:00 a.m. · 48 views

The Bug Report – August 2023 Edition

The Bug Report – August 2023 Edition By Charles McFarland · September 06, 2023 Why am I here? Welcome back to The Bug Report, the hotter-than-hell Texas edition! For those still unfamiliar with our monthly escapades, every month our trusty Advanced Research Center vulnerability research team...

AI score 8 · EPSS 0.99999 · Exploits: 71
Trellix · added 2022/01/19 12:00 a.m. · 48 views

Log4J and The Memory That Knew Too Much

Log4J and The Memory That Knew Too Much By Trellix · January 19, 2022 By Guilherme Venere, Ismael Valenzuela, Carlos Diaz, Cesar Vargas, Leandro Costantino, Juan Olle, Jose Luis Sanchez Martinez, AC3 Team Collaborators: Steve Povolny, Douglas McKee, Mark Bereza, Frederick House, Dileep Kumar...

CVSS 10 · AI score 9.6 · EPSS 0.99999 · Exploits: 347
Trellix · added 2023/04/05 12:00 a.m. · 47 views

The Bug Report - March 2023 Edition

The Bug Report – March 2023 Edition By Trellix · April 05, 2023 This story was also written by Kasimir Schulz. It really is bussin, though. Why am I here? Welcome back to the Bug Report, Ides of March edition! Last month was highlighted by glimpses into the past, with a historic attack technique...

CVSS 9.8 · AI score 9.1 · EPSS 0.97408 · Exploits: 20
Trellix · added 2022/09/21 12:00 a.m. · 47 views

Tarfile: Exploiting the World With a 15-Year-Old Vulnerability

Tarfile: Exploiting the World With a 15-Year-Old Vulnerability By Trellix · September 21, 2022 This story was also written by Kasimir Schulz While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we...

CVSS 9.8 · AI score 10 · EPSS 0.27095 · Exploits: 3
Trellix · added 2020/02/19 12:00 a.m. · 47 views

Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles

ARCHIVED STORY Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles Steve Povolny · FEB 19, 2020 The last several years have been fascinating for those of us who have been eagerly observing the steady move towards autonomous driving. While semi-autonomous vehicles have existed for many...

Exploits: 0
Trellix · added 2023/02/21 12:00 a.m. · 46 views

Trellix Advanced Research Center Discovers a New Privilege Escalation Bug Class on macOS and iOS

Trellix Advanced Research Center Discovers a New Privilege Escalation Bug Class on macOS and iOS By Trellix · February 21, 2023 This blog was written by Austin Emmitt Introduction Since the first version of iOS on the original iPhone, Apple has enforced careful restrictions on the software that c...

AI score 9.5 · EPSS 0.01751 · Exploits: 0
Trellix · added 2019/10/02 12:00 a.m. · 46 views

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service - What The Code Tells Us

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us By McAfee Labs · October 2, 2019 Episode 1: What the Code Tells Us McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi or REvil, at the end of April 201...

AI score 8.1 · EPSS 0.70042 · Exploits: 9
Trellix · added 2023/08/17 12:00 a.m. · 45 views

Scattered Spider: The Modus Operandi

Scattered Spider: The Modus Operandi By Trellix · August 17, 2023 This story was also written by Phelix Oluoch Executive Summary Scattered Spider, also referred to as UNC3944, Scatter Swine, and Muddled Libra, is a financially motivated threat actor group that has been active since May 2022...

CVSS 10 · AI score 9.9 · EPSS 0.99999 · Exploits: 15
Trellix · added 2022/09/23 12:00 a.m. · 45 views

Ancient CVEs Can Cause You Problems

Ancient CVEs Can Cause You Problems By Kent Landfield · September 23, 2022 The Common Vulnerability and Exposures (CVE) Program was founded in 1999 for the purpose of giving individual cyber vulnerabilities an identifier that could be used as an interoperable means for identifying a specific...

AI score 9.1 · EPSS 0.27095 · Exploits: 3
Trellix · added 2022/09/21 12:00 a.m. · 45 views

Tarfile: Exploiting the World With a 15-Year-Old Vulnerability

Tarfile: Exploiting the World With a 15-Year-Old Vulnerability By Trellix · September 21, 2022 This story was also written by Kasimir Schulz While investigating an unrelated vulnerability, Trellix Advanced Research Center stumbled across a vulnerability in Python’s tarfile module. Initially we...

AI score 9.9 · EPSS 0.27095 · Exploits: 3
Trellix · added 2022/02/28 12:00 a.m. · 45 views

Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware

Trellix Global Defenders: Analysis and Protections for BlackByte Ransomware By Taylor Mullins · February 28, 2022 BlackByte Ransomware has been in the news of late due to a successful attack against a National Football League (NFL) Franchise and a Joint Cybersecurity Advisory by the Federal Bureau ...

AI score 8.8 · Exploits: 0
Trellix · added 2020/09/30 12:00 a.m. · 45 views

Securing Space 4.0 – One Small Step or a Giant Leap? - Part 1

ARCHIVED STORY Securing Space 4.0 – One Small Step or a Giant Leap? - Part 1 By Eoin Carroll · September 30, 2020 McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland...

AI score 10 · EPSS 0.99999 · Exploits: 246
Trellix · added 2023/06/07 12:00 a.m. · 44 views

The Bug Report - May 2023 Edition

The Bug Report – May 2023 Edition By Mark Bereza · June 7, 2023 Why am I here? In the film The Number 23, Jim Carrey masterfully portrays Walter Sparrow, a man who finds himself obsessed with the number 23 after coming upon a book detailing the 23 enigma, and begins to see it everywhere he looks,...

CVSS 9.8 · AI score 7.9 · EPSS 0.99284 · Exploits: 11
Trellix · added 2023/01/04 12:00 a.m. · 44 views

The Bug Report December 2022 Edition

The Bug Report — December 2022 Edition By Trellix · January 4, 2023 This story was also written by John Borrero Rodriguez Everyone gets it Why am I here? Ho Ho Ho! Welcome back to the Bug Report, or a more fitting name for this time of year: The NAUGHTY List! Yes, we checked it twice. It is no...

CVSS 9.8 · AI score 9.4 · EPSS 0.99474 · Exploits: 14
Trellix · added 2022/11/02 12:00 a.m. · 44 views

The Bug Report October 2022 Edition

The Bug Report — October 2022 Edition By Trellix · November 2, 2022 This story was written by Richard Johnson. Do ROP exploits count as jmp scares? Why am I here? Welcome back to the Bug Report: Spooky Edition, and we’ve got bugs crawling out of the walls! Of all the months we do this, we’ve foun...

CVSS 9.8 · AI score 9.6 · EPSS 0.99964 · Exploits: 57
Trellix · added 2022/11/01 12:00 a.m. · 44 views

OpenSSL 3.0 Vulnerabilities: CVE 2022-3786 and CVE 2022-3602

OpenSSL 3.0 Vulnerabilities: CVE 2022-3786 and CVE 2022-3602 By Trellix and Sam Quinn · November 1, 2022 This story was also written by Charles McFarland and Philippe Laulheret. What is it? CVE-2022-3786 and CVE-2022-3602 are buffer overflow vulnerabilities affecting OpenSSL 3.0 and above that we...

CVSS 7.5 · AI score 8.1 · EPSS 0.91153 · Exploits: 7
Trellix · added 2018/11/08 12:00 a.m. · 44 views

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs

Triton Malware Spearheads Latest Attacks on Industrial Systems | McAfee Blogs Thomas Roccia · NOV 08, 2018 Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that mana...

CVSS 8.8 · AI score 8.9 · EPSS 0.16342 · Exploits: 0
Trellix · added 2024/04/11 12:00 a.m. · 43 views

The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups

The LockBit’s Attempt to Stay Relevant, Its Imposters and New Opportunistic Ransomware Groups By Jambul Tologonov and John Fokker · April 11, 2024 The Trellix Advanced Research Center has recently observed an uptick of LockBit-related cyber activity surrounding vulnerabilities in ScreenConnect...

AI score 6.5 · Exploits: 0
Trellix · added 2023/02/09 12:00 a.m. · 43 views

CVE-2023-0286: The OpenSSL Who Cried “Severity: High”

CVE-2023-0286: The OpenSSL Who Cried “Severity: High” By Mark Bereza · February 9, 2023 This story was also written by John Dunlap. Background It feels like just yesterday that OpenSSL was the subject of widespread scrutiny over two buffer overflow vulnerabilities rated Severity: High. Fortunatel...

CVSS 7.4 · AI score 8.6 · EPSS 0.59501 · Exploits: 0
Trellix · added 2022/10/05 12:00 a.m. · 43 views

The Bug Report — September 2022 Edition

The Bug Report — September 2022 Edition By Trellix · October 5, 2022 This blog was written by Charles McFarland As long as it works.... Why am I here? Welcome back to the Bug Report, don’t-stub-your-toe edition! For those in the audience unfamiliar with how we do things here, every month we filte...

CVSS 9.8 · AI score 9.2 · EPSS 0.7855 · Exploits: 11
Trellix · added 2022/03/02 12:00 a.m. · 43 views

The Bug Report - February 2022 Edition

The Bug Report - February 2022 By Jesse Chick · March 2, 2022 Your Cybersecurity Comic Relief Image courtesy of https://toggl.com/ Why am I here? Welcome back to the Bug Report, stubby-month edition! For those in the audience unfamiliar with our shtick, every month we compile a shortlist of the t...

CVSS 10 · AI score 9.8 · EPSS 0.99199 · Exploits: 13
Trellix · added 2022/02/28 12:00 a.m. · 43 views

Analysis and Protections for RagnarLocker Ransomware

Trellix Global Defenders: Analysis and Protections for RagnarLocker Ransomware By Taylor Mullins · February 28, 2022 The United States Federal Bureau of Investigation (FBI) has released a Flash Alert warning that the RagnarLocker ransomware gang has breached the networks of at least fifty-two...

AI score 0.9 · EPSS 0.84138 · Exploits: 13
Trellix · added 2022/01/24 12:00 a.m. · 43 views

Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation

Beyond Memory Corruption Vulnerabilities – A Security Extinction and Future of Exploitation By Chintan Shah · January 24, 2022 Modern exploitation techniques have changed how adversaries execute their attack strategies and how defenders analyze paths from vulnerability to exploitation. Over the...

CVSS 10 · AI score 10 · EPSS 0.99999 · Exploits: 347
Trellix · added 2021/11/02 12:00 a.m. · 43 views

The Bug Report – October Edition

ARCHIVED STORY The Bug Report – October Edition By Douglas McKee · November 02, 2021 Your Cyber Security Comic Relief Figure 1. Apache server version 2.4.50 CVE-2021-42013 Why am I here? Regardless of the origins, you’ve arrived at Advanced Threat Research team’s monthly bug digest – an overview ...

CVSS 9.8 · AI score 9.8 · EPSS 0.99992 · Exploits: 173
Trellix · added 2020/06/17 12:00 a.m. · 43 views

CurveBall – An Unimaginative Pun but a Devastating Bug

ARCHIVED STORY CurveBall – An Unimaginative Pun but a Devastating Bug By Steve Povolny · June 17, 2020 Enterprise customers looking for information on defending against Curveball can find information here. 2020 came in with a bang this year, and it wasn’t from the record-setting number of firewor...

AI score 8.5 · EPSS 0.89436 · Exploits: 14
Trellix · added 2022/06/01 12:00 a.m. · 42 views

The Bug Report – May 2022 Edition

The Bug Report – May 2022 Edition By Trellix · June 1, 2022 This blog was written by Douglas McKee Your Cybersecurity Comic Relief Source: https://twitter.com/cyb3rops/status/1523579115152064513?s=20&t=jtGMOibQPsPviekQoWKIA Why Am I here? People often come together not only due to common interest...

CVSS 9.8 · AI score 8.9 · EPSS 0.99956 · Exploits: 66
Total number of security vulnerabilities: 608