WakeUp Wednesday

Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.

We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective.

#WakeUpWednesday June 7, 2023

A number of known vulnerabilities in Zyxel firewalls are currently being actively exploited. Two of these critical vulnerabilities allow an attacker to take over the firewall remotely. The advice is to disable the HTTP/HTTPS services used to manage the devices from the WAN. This will prevent the firewall from being accessed from the Internet. Updates for the vulnerabilities were released in late May. The advice is to install them as soon as possible.

Another vulnerability that is currently being actively exploited is a vulnerability in MOVEit Transfer. This software allows organizations to securely exchange files with other organizations and/or with customers. According to Rapid7, this is an SQL injection vulnerability that can result in remote code execution. Currently, an update is not yet available for every version. To prevent exploitation, it is recommended to block external traffic to ports 80 and 443 on the MOVEit Transfer server. More information on mitigating measures can be found here.

Analysis of the Linux variant of the new ransomware family BlackSuit shows that it is very similar to Royal ransomware. Based on research conducted by Trend Micro, a very high degree of similarity is apparent, including 98 percent similarity in functionality. Apart from this high degree of similarity, there are also differences. For example, BlackSuit includes additional command-line arguments, and several files with specific extensions are skipped in the encryption process.

#WakeUpWednesday May 24, 2023

One way to make it harder for cybercriminals to carry out their activities is to use unique, strong passwords. To remember all these passwords, many people use a password manager, such as KeePass. The passwords in KeePass are stored encrypted in a database protected by a master password. Only when logged in with this master password are the stored data accessible. However, due to a vulnerability in KeePass, it is possible in specific cases to retrieve this master password in plain text, regardless of whether the device KeePass is installed on is locked and/or KeePass is active. There is a Proof of Concept (POC) for this vulnerability. The vulnerability impacts versions 2.x for Windows, Linux and macOS. This vulnerability is expected to be fixed with the 2.54 update.

TurkoRat, an open source infostealer, was discovered in two rogue packages in the npm package repository. The infostealer, analyzed by ReversingLabs, targeted login credentials, website cookies and crypto-wallet data, among other things. The two packages, nodejs-encrypt-agent and nodejs-cookie-proxy-agent, were collectively downloaded about 1,200 times before being identified and removed.

Recently, Microsoft observed the use of CL0p ransomware by Sangria Tempest, an actor previously known as FIN7. In the recent attacks, Sangria Tempest uses the PowerShell script POWERTRASH to gain a foothold within the victim network. It then uses OpenSSH and Impacket to move through the network and execute the ransomware.

#WakeUpWednesday May 17, 2023

Configuration errors can be used by cybercriminals as a possible attack path to penetrate an organization. CLR SqlShell malware is a form of malware that targets Microsoft SQL (MS SQL) servers for the purpose of deploying cryptocurrency miners and ransomware. The report shared by the AhnLab Security Emergency Response Center indicates that SqlShell is a strain of malware that, once installed on an MS SQL server, supports various functions, such as executing commands from cybercriminals and performing all kinds of malicious behavior.

Cisco Talos describes a new phishing-as-a-service platform called Greatness. The target of these phishing campaigns are corporate Microsoft 365 cloud accounts. Affiliates using Greatness are provided with an attachment and link builder that creates highly convincing bait pages and login pages. This takes into account company logos and background images and the automatic completion of the victim’s email address. In addition, Greatness also offers features such as bypassing multifactor authentication, IP filtering and integration with Telegram bots.

Akira is a new ransomware family first seen during ransomware attacks in March. This family is separate from the 2017 ransomware of the same name. It first exfiltrates data, then deletes Windows Shadow Volume copies from devices with a PowerShell command and encrypts the data. The Windows Restart Manager API is used to close open files if they would block the encryption process. The ransom message states that after payment, the attacker will share a "security report" indicating which vulnerability or vulnerabilities were used to get into the victim's environment.
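The Akira description above mentions that shadow copies are deleted with a PowerShell command before encryption starts, which is a detectable precursor. As an added example that is not part of Tesorion's post, here is a small Python detector that scans constructed process-creation log lines (a hypothetical key=value layout, not real telemetry) for shadow-copy deletion; it goes beyond the PowerShell case in the text to the other common deletion commands and also handles the case where the PowerShell command line is passed base64-encoded.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample process-creation log lines (hypothetical key=value layout,
# loosely modelled on Sysmon Event ID 1 / Security 4688 fields). Not real telemetry.
_ENCODED_PS = base64.b64encode(
    "Get-CimInstance Win32_ShadowCopy | Remove-CimInstance".encode("utf-16le")
).decode()

SAMPLE_LOGS = [
    '2023-05-02T10:14:03Z host=WS01 user=CORP\\alice parent=explorer.exe image=powershell.exe '
    'cmd="powershell.exe Get-Date"',
    '2023-05-02T10:15:11Z host=WS01 user=CORP\\alice parent=cmd.exe image=powershell.exe '
    'cmd="powershell.exe -Command Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"',
    '2023-05-02T10:15:40Z host=FS02 user=SYSTEM parent=services.exe image=vssadmin.exe '
    'cmd="vssadmin.exe list shadows"',
    '2023-05-02T10:16:02Z host=FS02 user=CORP\\svc_backup parent=unknown.exe image=vssadmin.exe '
    'cmd="vssadmin.exe delete shadows /all /quiet"',
    '2023-05-02T10:16:30Z host=FS02 user=CORP\\svc_backup parent=unknown.exe image=powershell.exe '
    f'cmd="powershell.exe -NoProfile -EncodedCommand {_ENCODED_PS}"',
    '2023-05-02T10:17:05Z host=FS02 user=CORP\\svc_backup parent=cmd.exe image=wmic.exe '
    'cmd="wmic.exe shadowcopy delete"',
]

# Indicator patterns for shadow-copy deletion. Matched case-insensitively because
# Windows command lines and PowerShell cmdlet names are not case sensitive.
SHADOW_COPY_DELETION = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    # A WMI/CIM query for Win32_ShadowCopy piped into a removal cmdlet or .Delete().
    ("powershell_wmi_shadowcopy_remove", re.compile(
        r"Win32_ShadowCopy[\s\S]*?(?:Remove-(?:Wmi|Cim)(?:Object|Instance)|\.Delete\(\))", re.I)),
]

# Common spellings of PowerShell's -EncodedCommand switch (assumption: these
# abbreviations cover the forms seen in practice) followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse the constructed key=value layout; the leading token is the timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted if quoted else bare
    return fields


def decode_encoded_command(cmd: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE) or None if absent/invalid."""
    match = ENCODED_FLAG.search(cmd)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        # Not a real encoded command (e.g. a switch that only looks like -e ...).
        return None


def classify(cmd: str) -> List[str]:
    """Return the indicator names matched by a command line (empty list if benign)."""
    decoded = decode_encoded_command(cmd)
    texts = [cmd] if decoded is None else [cmd, decoded]
    hits = [name for name, pattern in SHADOW_COPY_DELETION
            if any(pattern.search(text) for text in texts)]
    if hits and decoded is not None:
        hits.append("encoded_powershell")
    return hits


def scan_logs(lines: List[str]) -> List[Dict[str, object]]:
    """Run the detection over log lines and return one alert per matching process start."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        indicators = classify(fields.get("cmd", ""))
        if indicators:
            alerts.append({
                "timestamp": fields["timestamp"],
                "host": fields.get("host"),
                "user": fields.get("user"),
                "parent": fields.get("parent"),
                "image": fields.get("image"),
                "indicators": indicators,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(alert)
```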

#WakeUpWednesday May 10, 2023

Three critical vulnerabilities in Microsoft Azure API Management service have been disclosed. These include two server-side request forgery (SSRF) vulnerabilities. Ermetic research shows that by exploiting the SSRF vulnerabilities, attackers could send requests from the service’s CORS proxy and the hosting proxy itself and bypass Web application firewalls. The third case involves the abuse of the unlimited file upload functionality in the API Management developer portal. An update is available for these vulnerabilities.

Malware distributed through Google Ads is not new. This technique is also used to spread new malware called LOBSHOT. Elastic Security Labs has written an analysis of how this malware works. LOBSHOT is a remote access trojan that, when it runs on a system, first checks whether Microsoft Defender is active and then disables it. It then changes the system settings so that the malware launches automatically when the user logs into Windows. Finally, it sends system information from the infected system, including running processes, to the attacker.

Finally, focus on Fleckpe, an Android trojan. This trojan was spread via legitimate apps in the Google Play Store. Kaspersky researchers discovered the malware in 11 apps, including photo editing apps and smartphone wallpaper apps. The malware has been installed on more than 620,000 devices since 2022. The apps have since been removed from the Play Store. Fleckpe tried to get victims to subscribe to expensive premium services. In doing so, the malware was even able, if an additional confirmation code was required, to extract this code from notifications and use it. This form of malware is currently increasing in popularity, according to Kaspersky.

#WakeUpWednesday May 3, 2023

Cybercriminals are offering a new infostealer on Telegram. This infostealer, named Atomic macOS Stealer (AMOS), targets systems running Apple macOS. Cyble Research and Intelligence Labs researchers say this infostealer steals various types of information, including passwords, full system information, files from the desktop and from the documents folder and even the macOS password. In addition, it also targets multiple browsers and crypto wallets.

Furthermore, a new version of ViperSoftX was discovered by Trend Micro researchers. This malware also falls into the category of infostealers. This new version targets a wider range of targets including more cryptowallets and password managers such as KeePass and 1Password. In addition, it can now infect several other browsers in addition to Chrome. Finally, several tweaks have been made that have improved ViperSoftX’s encryption while ensuring that detection by security tooling is made more difficult.

An update is available for two vulnerabilities in Zyxel firewalls. The first vulnerability (CVE-2023-28771) allows cybercriminals to remotely execute certain OS commands by sending crafted packets to the affected device. This is possible due to improper processing of error messages in some firewall versions. The second is CVE-2023-27991. In this case, an authenticated attacker is able to execute some OS commands remotely.

A vulnerability in Veeam Backup and Replication (VBR) software is currently being exploited by cybercriminals. This vulnerability exposes encrypted credentials stored in the VBR configuration database to unauthenticated users in the backup infrastructure. This can be exploited to gain access to backup infrastructure hosts. Veeam backup servers are currently being targeted by at least one group of cybercriminals known to collaborate with multiple high-profile ransomware gangs. An update is available; the recommendation is to install it as soon as possible.

#WakeUpWednesday April 26, 2023

A critical vulnerability in VMware Aria Operations for Logs can allow an unauthenticated attacker to execute code as root. This vulnerability is registered as CVE-2023-20864 and is present in version 8.10.2. An update has been released for this and it is advised to install it. In addition, vulnerability CVE-2023-20865 has been disclosed for the same product; it is present in other versions of the software. This vulnerability is exploitable only if a cybercriminal already has administrator privileges on the system. More information on these vulnerabilities can be found here.

An update is also available for a vulnerability in Cisco Industrial Network Director (CVE-2023-20036). This vulnerability is located in a WebUI component and is caused by incorrect input validation when uploading a Device Pack. This allows a cybercriminal to execute arbitrary commands on the operating system of an affected device without authorization.

A new “all-in-one” infostealer has surfaced. This malware, called EvilExtractor, contains several modules that operate through an FTP service. Fortinet’s analysis shows that the primary goal of this malware is to steal browser data and information from infected endpoints. This data is then uploaded to the cybercriminal’s FTP server. In addition to stealing information, the malware also allows cybercriminals to roll out ransomware.

Bumblebee malware is also currently being actively spread by using malicious advertisements and influencing search results. Bumblebee can be used to install spyware or ransomware on infected endpoints. Infected installation files that install popular apps such as Zoom, Cisco AnyConnect, ChatGPT and Citrix Workspace are used to spread the malware. Often, these installation files are hosted on websites with a URL similar to that of the official company. Users should take great care to download software only from official websites of these companies. Companies are advised to offer commonly used software centrally to their employees.

#WakeUpWednesday April 19, 2023

New malware is circulating that focuses on stealing user data. This malware, called Zaraza, is offered for sale through Telegram. It additionally uses Telegram as a command-and-control server. Zaraza can steal data from 38 browsers, including Google Chrome, Microsoft Edge and Firefox. For cybercriminals, data such as usernames, passwords, bank details and e-mail accounts are worth gold and can be sold on online marketplaces, for example.

Palo Alto's Unit 42 team observed a Vice Society data exfiltration script during a recent incident via script block logging in the Windows Event Logs. The Vice Society ransomware group developed this script to steal data from victims. In doing so, they take advantage of the Windows PowerShell functionality present on victims' systems. This method is called "Living off the Land," in which attackers abuse pre-existing software to be less likely to be noticed.

Action1, a solution for remote monitoring of endpoints, is currently also being increasingly abused by cybercriminals. Action1 is used by administrators to automate patch management, deploy security updates and provide remote support on endpoints, among other things. It is currently being abused by cybercriminals during ransomware attacks.

During last week's Microsoft patch round, three major vulnerabilities were fixed in the Message Queuing service. One of the most important concerns a vulnerability where an unauthenticated attacker has the ability to remotely execute code by sending a specific network packet to the Microsoft Message Queuing service. A security update is available; we recommend installing it as soon as possible.

#WakeUpWednesday April 12, 2023

Two actively exploited zero-day vulnerabilities allow cybercriminals to completely take over Apple systems. These security vulnerabilities are in IOSurfaceAccelerator (CVE-2023-28206) and WebKit (CVE-2023-28205), the browser engine developed by Apple. Apple says it has fixed both vulnerabilities in iOS 16.4.1, iPadOS 16.4.1 and macOS Ventura 13.3.1. For macOS Big Sur and Monterey, version 16.4.1 of Safari has been released that fixes only the WebKit vulnerability.

The Balada Injector malware caused a lot of damage to WordPress websites. More than 1 million websites were infected by this malware that has been active since 2017. This Balada Injector campaign exploited vulnerabilities in themes and plug-ins to invade websites. Among other things, the malware creates a user account with administrator privileges. In addition, it collects data from the host system and creates backdoors to maintain access. WordPress users are advised to keep their software up-to-date, change the admin user password to a strong one and remove unused themes and plug-ins.

Taiwanese company Micro-Star International (MSI) has officially confirmed that it suffered a ransomware attack. MSI did not disclose details on how or when the attack occurred but does say that it immediately initiated its incident response protocol. MSI further states that affected systems are gradually returning to normal operation and says users should only download and install firmware/BIOS updates from its official website and not from other sources.

SD Worx (Belgium) has been hit by a cyber-attack. SD Worx performs HR and payroll operations and serves 5.2 million employees across more than 82,000 companies. After discovering this malicious activity in the data center, the systems were pre-emptively isolated to limit further consequences. This affects UK customers. At this time, they are unable to log into SD Worx's systems and will be kept informed of how the situation develops.

#WakeUpWednesday April 5, 2023

Several malware botnets are currently targeting Cacti and Realtek vulnerabilities with the goal of spreading ShellBot and Moobot malware. Moobot is a variant of Mirai malware. This malware was detected in December 2021 when it targeted Hikvision cameras. Since then, the malware has been updated and targets multiple D-Link RCE vulnerabilities. One of Moobot's functionalities is its ability to scan for other known bots, after which the associated processes are terminated. In this way, Moobot can utilize its maximum capacity to carry out DDoS attacks. ShellBot was first discovered in January 2023 and targets the Cacti vulnerability. Fortinet has spotted three versions of this malware, indicating that it is being actively maintained and modified. We recommend installing (security) updates as soon as they become available. If a device is no longer actively maintained by a vendor, replace it with a newer model. If that is not possible, ensure good detection and response capabilities in the periphery of the device.

SentinelLabs has analyzed several versions of AlienFox. AlienFox is a set of scripts distributed primarily through Telegram and easily accessible on GitHub and elsewhere. As a result, the scripts are constantly being modified by cybercriminals, creating multiple versions. AlienFox is primarily used to collect API keys and information from popular services, including information from configuration files of service providers such as AWS, Google Workspace, Office365, OneSignal and Twilio.

Furthermore, new malware aimed at stealing information has been discovered. Named MacStealer, this malware targets Apple's Catalina and later macOS versions running on Intel, M1 and M2 CPUs. Although the malware is still under development, it is already capable of exfiltrating iCloud Keychain data, passwords and credit card information stored in browsers such as Brave, Google Chrome and Mozilla Firefox.

The Voice over IP (VoIP) desktop client 3CXDesktopApp, with version numbers 18.12.407 and 18.12.416, likely contains a library modified by a cybercriminal to carry out supply chain attacks. When used in your environment, the 3CXDesktopApp can be used to download malicious payloads to the system on which it is installed. Currently, these payloads appear to be information-stealing malware. Currently, the 3CXDesktopApp for the Microsoft Windows OS and MacOS is known to contain the malicious code.

#WakeUpWednesday March 29, 2023

In recent months, much has been written about the pros and cons of tools such as ChatGPT. Because of its popularity among many people and organizations, the tool has also become attractive to cybercriminals. They have introduced a rogue browser extension called Chat GPT for Google. This rogue extension aims to capture Facebook session cookies in order to gain access to accounts. These accounts are then used to promote rogue activities, ranging from buying likes to spreading ISIS propaganda. The extension has since been taken offline, but the advice remains to be wary of this type of extension.

Increasingly, the Android banking trojan Nexus is being used by cyber criminals to attack financial login portals and applications to commit fraud. Nexus provides all the key features to perform account takeover attacks against banking portals and cryptocurrency services, such as stealing user data and intercepting text messages. Source code suggests that functionalities are likely still under development. One of these functionalities appears to be encryption, which may indicate a future ransomware module.

IcedID, also known as BokBot, began as a banking trojan in 2017. This trojan is also capable of delivering additional malware, including ransomware. Multiple groups have been spotted deploying two new variants of this malware. One of the new versions is a lite version that was previously flagged as a follow-up payload of the Emotet malware. A forked variant of IcedID was also discovered in February 2023. Remarkably, these new versions omit the web injections and backconnect functionality normally used for bank fraud. Most likely, the modified variants are intended to move the malware away from the typical banking trojan and bank fraud role and focus on payload delivery, which likely includes ransomware delivery.

A new ransomware group called “Dark Power” has emerged. The group claims to have already claimed 10 victims in the first month. The Dark Power payload was written in Nim, a cross-platform programming language. Because Nim is growing in popularity among cybercriminals, it is generally considered a niche choice that is unlikely to be detected by a large portion of cybersecurity solutions.

#WakeUpWednesday March 22, 2023

A new botnet, called HinataBot, aims to infect Realtek SDK, Huawei routers and Hadoop YARN servers in order to abuse these devices for large DDoS attacks. Akamai researchers have examined several samples since early this year and found that the malware is under active development. After devices are infected, the malware runs in the background, waiting for commands to be executed from the command and control server. Spread of the malware occurs by brute-forcing SSH endpoints or using infection scripts and RCE payloads for known vulnerabilities.

Emotet malware is malware that originated as a banking trojan with the goal of accessing remote devices and capturing private data. Emotet was spread via macros in infected Microsoft Word and Excel files sent as e-mail attachments. To circumvent security measures such as blocking macros, OneNote attachments are currently being used for distribution. Therefore, it remains important to be alert and not open attachments from unknown senders that require macros to be activated.

Various vulnerabilities have recently been found in Samsung Semiconductor’s Exynos Modems. Several Samsung smartphones are also affected. An update for the vulnerabilities is expected soon. Until then, we recommend using the workaround.

#WakeUpWednesday March 15, 2023

In this WakeUpWednesday, we discuss different types of malware and the ways in which they are deployed, for example to exfiltrate data or to initiate a ransomware attack. BATLOADER malware is a loader that takes care of distributing a next stage, such as data-stealing software, banking malware, Cobalt Strike or ransomware. Currently, BATLOADER abuses Google Ads to deliver secondary payloads such as Vidar Stealer and Ursnif. According to cyber security firm eSentire, the malicious ads are used to spoof a large number of legitimate apps and services, such as Adobe, OpenAI's ChatGPT, Spotify, Tableau and Zoom.

Furthermore, HYAS researchers have developed a proof-of-concept of polymorphic malware that uses OpenAI’s API to evade detection. The malware has been named BlackMamba by the researchers. BlackMamba is a keylogger that comes as an apparently innocuous file. Once executed, however, the malware contacts OpenAI and prompts the AI to generate keylogging code. The dynamically generated code is then executed within the context of the benign program, leaving the malicious polymorphic part completely in memory. Each time BlackMamba is executed, the keylogging capability is resynthesized.

Alertness remains important, even when it comes to seemingly innocuous recruitment requests on LinkedIn. Among others, a suspected North Korean group is approaching security researchers with nonexistent job postings and has developed three new customized malware families for this campaign. The cybercriminals use social engineering to trick their target into continuing the conversation via WhatsApp, where the malware "PlankWalk," a C++ backdoor, is delivered. This backdoor helps the cybercriminals gain a foothold within the victim's corporate environment.

Finally, focus on the Fortinet RCE vulnerability. This vulnerability is a heap buffer underflow in the FortiProxy administrative interface that allows an unauthorized attacker to execute arbitrary code and/or perform a DoS on the GUI.

#WakeUpWednesday March 8, 2023

In a separate cybersecurity advisory, the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) are coming out with recommendations to prevent a ransomware attack. This is because several organizations in vital sectors have been targeted by Royal ransomware attacks over the past six months. In many cases, the attackers got in via RDP (Remote Desktop Protocol) and phishing. Key recommendations include basic measures such as: making offline, encrypted backups, disabling unused ports on systems that access the Internet, updating applications and systems, applying network segmentation and using multifactor authentication.

Many organizations use cloud solutions and containers. A sophisticated attack campaign called ScarletEel targets these container environments for theft of proprietary software and user data. The original infection was based on exploiting a vulnerable public service in a self-managed Kubernetes cluster on Amazon Web Services. In addition to stealing proprietary software and user data, the attack also included the deployment of cryptominers.

The package Colourfool is a malicious Python package uploaded to the Python Package Index (PyPI). This package contains an infostealer and a remote access trojan. It is part of a new malware called Colour-blind identified by Kroll's cyber threat intelligence team. Colour-blind illustrates the democratization within cybercrime and can lead to an intensification of the threat landscape by allowing multiple variants to emerge from the code of others.

Furthermore, on Feb. 14, 2023 during Patch Tuesday, Microsoft published updates describing CVE-2023-21716. This vulnerability is a heap corruption vulnerability in Microsoft Word’s RTF parser. When exploited, it allows an unauthorized attacker to execute arbitrary code with the victim’s privileges. A proof-of-concept exploit was published on March 5, 2023. Microsoft has published patches and a number of workarounds. The advice is to implement mitigating measures.

Finally, it is important to stay alert for UEFI malware. BlackLotus is the first example where the malware is able to bypass the Secure Boot mechanism. This makes it possible to infect even fully patched Windows 11 systems. The malware can be used to disable BitLocker, Microsoft Defender Antivirus and Hypervisor-protected Code Integrity (HVCI), also known as the Memory Integrity feature, which protects against attempts to abuse the Windows kernel.

#WakeUpWednesday March 1, 2023

Privacy regulators have published guidelines aimed at making the use of social media safer. In these guidelines, the European privacy regulators, collectively known as the EDPB, describe how to recognize and prevent so-called dark patterns. These rules are meant to tell both users and social media designers what to look out for: certain types of buttons, texts and colors that try to push the user into making a choice and giving up their personal data.

The PlugX Trojan is a real wolf in sheep’s clothing. It pretends to be a Windows Debugger Tool called x64dbg, but is designed to bypass security and take control of the system. PlugX is also known as Korplug and is known for various functionalities such as data exfiltration and abuse of infected devices.

LastPass is a password manager in which users store passwords. It has just been revealed that login credentials were stolen from a senior DevOps engineer. Last year's investigation in August showed that the cybercriminals had initially captured only source code and other technical information. Now it appears that cloud backups were also stolen. LastPass suffered multiple security incidents last year.

Finally, the police are going to intensify the use of technology in facial recognition in the future. Minister of Justice and Security Yesilgöz indicated that facial recognition technology should not be taken lightly. Initially, it had been decided in 2019 by the then Minister of Justice and Security that the technology should not be used operationally. Since then, the police have been working on a report to answer legal, ethical and technical issues for the operational deployment of facial recognition.

#WakeUpWednesday February 22, 2023

Patching is and will continue to be essential to reduce the risk of a security incident. Fortinet has released updates for 40 vulnerabilities in FortiWeb, FortiOS, FortiNAC and FortiProxy, among others. Two of the vulnerabilities are considered critical and 15 are considered high-risk vulnerabilities. The most urgent vulnerability is CVE-2022-39952, with CVSS score 9.8. We recommend installing the updates as soon as possible.

Forescout researchers have disclosed two new vulnerabilities in Schneider Electric Modicon PLCs. These vulnerabilities can allow authentication bypass and remote code execution by an unauthorized person. The disclosed vulnerabilities are part of a larger set. Successfully exploiting them can enable a cybercriminal to execute code, cause a denial of service or capture (and publish) sensitive information.

The importance of timely patching is also evidenced by a new malware called ProxyShellMiner, which exploits Exchange vulnerabilities already disclosed in 2021. These vulnerabilities, known as ProxyShell, are now being used by ProxyShellMiner to mine cryptocurrency within a Windows domain. Updates for the ProxyShell vulnerabilities have been available for some time. Morphisec’s blog provides guidance on how to stop ProxyShellMiner.

#WakeUpWednesday February 15, 2023

Responding adequately to critical vulnerabilities is one of the fundamental measures for ensuring cybersecurity. For example, a critical vulnerability reported in 2022 in TerraMaster NAS systems is currently being exploited. This vulnerability allows cybercriminals to remotely retrieve the administrator password and use it to log in. Security updates were already released last March and April. The advice is to install these as soon as possible.

In addition, CISA (the U.S. Cybersecurity & Infrastructure Security Agency) has issued a warning about the abuse of vulnerabilities such as Log4j, in addition to the TerraMaster vulnerability mentioned earlier. These vulnerabilities are currently being widely exploited to carry out ransomware attacks on critical infrastructure.

Furthermore, the Clop ransomware group claims that by exploiting the GoAnywhere vulnerability CVE-2023-0669 it has now victimized 130 organizations. A patch is available; the advice is to install it as soon as possible. If vulnerabilities cannot be fixed in the short term, it is important to ensure that proper network detection is in place and that, in the event of an alert, there is a quick and appropriate response.

Microsoft on Tuesday released security updates for 75 vulnerabilities, three of which are currently being actively exploited. We advise installing these patches as soon as possible.

Finally, Proofpoint reports a new malware grouping that has been affecting primarily U.S. and German organizations since October 2022. This grouping, called Screentime (TA866), likely has a financial motive and focuses on stealing confidential information. Various methods are used to enter an organization. Regardless of the method used, running the downloaded JavaScript file leads to an MSI installer, which extracts a VBScript called WasabiSeed. This functions as a tool to retrieve next-stage malware from a remote server. One of the utilities that WasabiSeed downloads is Screenshotter, which periodically takes screenshots of the victim’s desktop and sends them to a command-and-control (C2) server. To reduce the risk, you can already take some measures yourself: make sure VBScripts are disabled by default and make sure your employees are aware of the potential risks.

#WakeUpWednesday February 8, 2023

A new, flexible tool to easily initiate DDoS attacks using the Passion botnet is currently being circulated by the hacker group Passion. For a fixed monthly fee, a cybercriminal can customize the attack by choosing from one of the 10 attack vectors offered. The duration and intensity of each attack can also be customized. This combination and customizability make it more difficult for victims to mitigate these DDoS attacks.

A zero-day vulnerability has been disclosed for GoAnywhere MFT file transfer, a Fortra solution that facilitates secure file sharing. The attack vector of this vulnerability requires access to the application’s administrative console, which in most cases can only be accessed from a private corporate network, via VPN, or by whitelisting IP addresses (when running in cloud environments, such as Azure). No patch is currently available. As a mitigating measure, it is advised to temporarily disable or remove servlet and servlet mapping.

Atlassian’s Jira Service Management Server and Data Center also face a critical vulnerability where unauthorized individuals can gain access. An update is available. The advice is to install it as soon as possible.

#WakeUpWednesday February 1, 2023

QNAP has released an update regarding a critical vulnerability in the operating system of its NAS systems. Cybercriminals exploiting this vulnerability can remotely execute malicious code. The advice is, if your organization uses these NAS systems, to update these systems as soon as possible.

Last week VMware released a patch for a number of critical vulnerabilities in VMware vRealize Log Insight. Two of the patched vulnerabilities score 9.8 on a scale of 1 to 10 and can be used by cybercriminals in relatively simple attacks that require no user interaction. The need to patch has become even greater, as researchers are about to release both exploit code and a POC in the near future. Should patching not be possible, we recommend at least taking mitigating measures.

Currently, an updated version of the SwiftSlicer wiper is being deployed to destroy Windows domains. A characteristic of wiper malware is that destroyed data cannot be recovered. Unlike ransomware, where there is still a possibility of recovery through decryption, data hit by a wiper is truly gone. SwiftSlicer focuses on overwriting crucial files in the Windows operating system. Currently, the wiper seems to be deployed primarily against systems in Ukraine. Because malware does not let national borders stop it, alertness is called for.

Malware spreads in a variety of ways, including via USB sticks. Researchers have discovered a new version of the PlugX malware spread via USB sticks. This PlugX variant behaves like a worm and infects USB devices in such a way that it hides itself from the Windows file system. This makes it impossible for a user to notice that their USB device is infected or potentially being used to exfiltrate data from the network.

#WakeUpWednesday January 25, 2023

Cybercriminals use a variety of ways to get into organizations. Common ways include exploiting critical vulnerabilities, using phishing emails or taking advantage of a vulnerability at a supply chain partner.

Rapid7 reports that cybercriminals are currently actively exploiting a critical vulnerability in several Zoho ManageEngine products. A total of 24 different solutions are vulnerable, including Access Manager Plus, PAM 360, Password Manager Pro and ServiceDesk Plus. Patches have been available since late October 2022; the advice is to install them as soon as possible.

Emails with malicious Word or Excel attachments used to install and spread malware have become less popular since Microsoft disabled macros by default. Then came variants using ISO and 7-Zip files. Nowadays, we see cybercriminals more frequently using OneNote attachments in phishing emails, through which victims can be infected with malware or have passwords stolen. OneNote attachments also require user action to trigger the malware. The system does show a warning that the attachment is potentially malicious; however, many users click this warning away.

Last week a lot happened in the field of ransomware. An overview of the various reports and developments, such as new variants of STOP ransomware and VoidCrypt, as well as information about a decryptor for BianLian can be found here. In addition, Cyberveilig Nederland has published a whitepaper on data exfiltration. The goal of the whitepaper is to gain insight into data exfiltration, create awareness and provide action perspectives.

#WakeUpWednesday January 18, 2023

Updating software is an important way to reduce the risk of a cyber incident. Recently, there have been several publications to warn about a vulnerability in FortiOS SSL-VPN. This vulnerability is being actively exploited by cybercriminals. In particular, government agencies or organizations related to them seem to be attacked by the criminals. A patch is now available; the advice is to install it as soon as possible.

Furthermore, a Proof of Concept (POC) has been published for a number of critical vulnerabilities in popular WordPress plugins. These include vulnerabilities that enable SQL injections. The vulnerabilities found are in the plugins Paid Memberships Pro, Easy Digital Downloads and Survey Marker. A vulnerability in Control Web Panel (formerly known as CentOS Web Panel) is also currently being actively exploited by cybercriminals. This tool is used for managing servers. Patches are available for both the WordPress plugins and the Control Web Panel vulnerability.

Cybercriminals keep coming up with new ways to stay under the detection radar. In this case, they are using a combination of polyglot files and rogue Java archive (JAR) files to spread remote access trojans such as StrRAT and Ratty. Polyglot files combine the syntax of two or more different formats in such a way that the file can be parsed as any of those formats without error.
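A JAR is a ZIP archive, and ZIP readers locate the archive from the end of the file, so any bytes placed in front of it are ignored by Java while another parser may read them as a different format. The following Python is an added example, not code from the original post or from the researchers it cites: it measures how much data precedes the archive and checks whether that data starts with a known foreign magic number; the sample JAR and its CAB-prefixed polyglot copy are constructed inline.

```python
"""Detect prepended data in JAR/ZIP files, an indicator of a polyglot.

Added example. The End-Of-Central-Directory (EOCD) record at the end of a
ZIP states where the central directory starts relative to the archive
start; if the file has extra data in front, the directory is actually
found further into the file, and the difference is the size of the
prepended data. Self-extracting archives also have prepended data, so
treat a hit as an indicator to inspect, not as proof of malice.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4s4H2LH"                  # sig, 4x uint16, 2x uint32, comment len
EOCD_SIZE = struct.calcsize(EOCD_FMT)  # 22 bytes

# Magic numbers of formats often combined with ZIP/JAR (constructed list).
FOREIGN_MAGIC = {
    b"MSCF": "Microsoft Cabinet (CAB)",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE Compound File (MSI/DOC/XLS)",
    b"%PDF": "PDF",
    b"MZ": "PE executable",
}


def prepended_bytes(data: bytes) -> int:
    """Number of bytes preceding the ZIP archive, or -1 if no EOCD exists."""
    # The ZIP comment is at most 65535 bytes, so the EOCD must lie in the
    # last 22 + 65535 bytes; scan backwards like a real ZIP reader does.
    tail = data[-(EOCD_SIZE + 0xFFFF):]
    pos = tail.rfind(EOCD_SIG)
    if pos < 0:
        return -1
    eocd_offset = len(data) - len(tail) + pos
    fields = struct.unpack(EOCD_FMT, data[eocd_offset:eocd_offset + EOCD_SIZE])
    cd_size, cd_offset = fields[5], fields[6]
    # Where the central directory really is minus where it claims to be.
    return eocd_offset - cd_size - cd_offset


def analyse(data: bytes) -> dict:
    """Classify a byte string: ZIP or not, prepended size, foreign format."""
    extra = prepended_bytes(data)
    result = {"is_zip": extra >= 0, "prepended": max(extra, 0),
              "foreign_format": None, "entries": []}
    if extra < 0:
        return result
    for magic, name in FOREIGN_MAGIC.items():
        if extra >= len(magic) and data.startswith(magic):
            result["foreign_format"] = name
            break
    # zipfile tolerates prepended data just as the JVM does, which is why
    # the polyglot still runs as a JAR even though it "is" a CAB file too.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        result["entries"] = zf.namelist()
    return result


def build_samples() -> dict:
    """Construct a minimal JAR and a CAB-prefixed polyglot of it (sample
    data built here for the demonstration, not a real malware file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: Hello\n")
        zf.writestr("Hello.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    clean_jar = buf.getvalue()
    # Fake CAB header padded to 64 bytes; a real polyglot prepends a
    # complete second file rather than just a magic number.
    cab_prefix = b"MSCF" + b"\x00" * 60
    return {"clean": clean_jar, "polyglot": cab_prefix + clean_jar}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, analyse(blob))
```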

Finally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of several vulnerabilities in industrial control systems from Siemens, GE Digital and Contec.

#WakeUpWednesday January 11, 2023

A large proportion of employees use a smartphone for business purposes. That makes smartphones a desirable target for cybercriminals as well. There have been noticeably more detections of the Android malware SpyNote, also known as SpyMax. After the source code of SpyNote became publicly available through one of the latest variants, called CypherRat, several variants have been developed. Financial institutions in particular seem to be victims of SpyNote. SpyNote combines spyware with banking malware functionality, for example by requesting permission for accessibility services in order to read two-factor authentication codes from Google Authenticator and record keystrokes to take over banking credentials.

As employees within organizations use an increasing number of different devices, it makes sense to monitor those devices (endpoints) as well, via an Endpoint Detection and Response solution.

Research indicates that a variant of the Dridex malware targets macOS systems. It employs a new technique to deliver documents containing malicious macros to users. Although Dridex often masquerades as invoices or other business-related files, that is not necessarily the case here. Instead, this version of Dridex overwrites all .doc files in the current user folder and adds its malicious macro code there. In this way, Dridex tries to circumvent the automatic blocking of macros by nesting in files where they might be allowed. Because the macro code attempts to download and open an .exe, the impact for macOS users is minimal, as macOS does not support .exe files. However, users may still unknowingly spread this malicious macro when sharing infected files with other (Windows) users.

The WerFault.exe error reporting tool is also currently being used by cybercriminals to load malware into the memory of a compromised system using a DLL sideloading technique. The malware resides in an ISO file that is sent to the victim as an email attachment. Infection is initiated when the victim opens the shortcut in the ISO file.

In the background, a Remote Access Tool is installed on the system that gives the attacker full access to the infected system. The attacker can then remotely steal data, execute commands and/or move to adjacent systems, among other things.

#WakeUpWednesday December 21, 2022

In this last #WakeUpWednesday of 2022, we have news about ransomware. Leiden University’s employment agency has been hit by a ransomware attack. Cybercriminals encrypted important data and documents such as citizen service numbers (BSN), name and address information, but also employment contracts and salary documentation. How cybercriminals entered the system, who is behind the attack and whether a ransom will be paid has not been disclosed.

Google announced that Gmail will additionally be secured with Client-Side Encryption. This new feature, currently still in beta phase, ensures that personal data in email body and attachments is unreadable by Google servers. You do have to sign up for the beta version though. After signing up, anyone using the following Google products can use it: Google Workspace Enterprise Plus, Education Plus and Education Standard.

Cybercriminals entered Ukrainian government networks with Trojan-infected Windows 10 ISO files. Disguised as legitimate Windows 10 installations, once installed they infected the computer with malware that could steal data.

More on malware: Microsoft warns about a new malware botnet called ‘MCCrash’. This malware infects Windows, Linux and IoT devices. Minecraft servers are often the target of DDoS attacks to thwart or extort players on the server. Microsoft reveals that the malware initially infects systems after users install pirated Windows and Microsoft Office activation tools. The malware then attempts to spread across the network through brute-force SSH attacks on Linux and IoT devices.

#WakeUpWednesday December 14, 2022

Software vendors release updates to fix bugs or vulnerabilities. For cybersecurity, having an active patch policy is essential, as one way to minimize the risk of a cyber incident. Yet thousands of Pulse Connect Secure VPN servers are not up to date. Cybercriminals exploit vulnerabilities in Pulse Connect Secure servers where security updates have not been installed, gaining access through old security vulnerabilities from 2018 and 2019.

The healthcare industry has recently been the target of Royal ransomware attacks. After news about targeted attacks that left French and Colombian hospitals unable to do their jobs, it has just been announced that U.S. hospitals are now being targeted. The U.S. Department of Health and Human Services is warning about Royal ransomware. This group of cybercriminals is known to encrypt files with a .royal extension and demand payments ranging between $250 thousand and $2 million.

More about ransomware. Recently, the municipality of Antwerp was the victim of a ransomware attack. The municipality did not release details, but told Belgian media that it could take until the end of this month to bring digital applications back online. The group responsible, Play, has already asked for a ransom. According to the cybercriminals, they have at least 557 gigabytes of data containing financial documents, identity cards, passports and other forms of personal data. If the ransom is not paid by December 19, the encrypted data will be made public. The ransom amount has not been disclosed. Play has been successful in cyber attacks before, including in Switzerland, Bulgaria, the United States, Argentina and Canada.

Yesterday we told you about the FortiOS heap-based buffer overflow vulnerability. The vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN and allows an unauthenticated attacker to execute code remotely. You can track this vulnerability (CVE-2022-42475) via our blog, which we will update when there is news.

A new attack technique has come to light that aims to bypass Web Application Firewalls (WAF). By adding JSON syntax to an SQL injection payload, the attacker prevents the WAF from recognizing the injection. Businesses in particular suffer, because this allows attackers to gain access to sensitive business and customer information. This technique is all the more dangerous as more and more organizations migrate business data and other functionality to the cloud.

#WakeUpWednesday December 7, 2022

A computer infected with malware is bad enough. But this new malware also steals files from smartphones and other devices connected to infected computers as storage devices. This malware goes by the name “Dolphin” and searches connected devices for documents, certificates, emails and media files. In addition, the malware can log keystrokes, save a screenshot every 30 seconds, and extract passwords and cookies from the browser. The stolen data is then uploaded to Google Drive.

Google has disclosed several Chrome zero-day vulnerabilities recently. The most recent is CVE-2022-4262, a vulnerability in V8 that allows attackers to execute code within the context of the browser. The browser previously contained several other vulnerabilities that attackers could exploit, including CVE-2021-42298 and CVE-2022-26485. Now it appears that these vulnerabilities also exist in Mozilla Firefox and Windows Defender. Among others, the Spanish spyware vendor Variston took advantage of these to infect Linux and Windows computers.

Ransomware remains a hot topic. Such a ransomware attack can come about in a variety of ways. The most common ways are unpatched critical vulnerabilities and abuse of existing user accounts. It is therefore important to have multifactor authentication (MFA) enabled and use a strong password. A short time ago, we provided 8 tips for creating a secure password.

In most cases, a ransomware attack is a time-consuming, annoying and costly event. When it happens in critical industries, lives may even be at stake. Following a ransomware attack in Colombia in which an entire hospital’s data was encrypted, a hospital in France must now also cancel operations due to a cyber attack. Do you want to prevent a successful ransomware attack? Then make sure you get the basics right.

LastPass allows you to manage and store passwords. Yet, using data from a previous hack, cybercriminals managed to access cloud storage and capture data. LastPass states that password data is stored encrypted, so it is unlikely that passwords were leaked. LastPass remains operational and is investigating the incident.

A few days ago, a new version of the VLC media player was released that fixes several vulnerabilities. On several Windows installations, however, the update check reports that no new version of VLC is available, leaving users on a vulnerable version. Should automatic updating not work, it is possible to update VLC manually.

The Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems advisory this week warning of several vulnerabilities in Mitsubishi Electric GX Works3 engineering software. This software is used in industrial control systems to upload and download programs to and from PLCs. Once inside, cybercriminals can view and even modify modules and programs. The most critical vulnerabilities are known by the numbers CVE-2022-25164 and CVE-2022-29830.

#WakeUpWednesday November 30, 2022

Internet browser Google Chrome is the most widely used desktop browser worldwide, with a 77.03% share (Source: Kinsta.com). This makes it an attractive target for cybercriminals. Google recently announced that, in the run-up to Black Friday, it had fixed a zero-day vulnerability for the eighth time this year. Following that, Google indicated that exploit code for this critical vulnerability is already available. An update for the vulnerability is now available. Modern browsers update automatically by default unless specifically turned off by the user. Make sure you know which applications are in use in your IT landscape and whether they are up to date.

Researchers at ESET describe a method by which cybercriminals integrate malware into VPN applications. One example is adding malware to the legitimate OpenVPN Android app and then presenting it to users through alternative channels. The researchers say this malware targeted contact information, call logs from Facebook Messenger, WhatsApp, Signal, Viber and Telegram, among others, and other information available on the phone. These rogue applications were not available through the Google Play Store. Make sure your users always obtain business applications from a reputable source.

We’ll stay with Android phones for a moment, because rogue apps sometimes slip through the cracks of the Google Play Store as well. For example, Bitdefender researchers discovered, among others, a rogue file manager app that aims to infect the phone with more malware. The file manager asks the user for permission to download external files for the purpose of a so-called app update. This permission is then misused to download malware. One of these rogue file managers, called “X-File Manager”, had been downloaded more than 10 thousand times. The so-called update contains an APK file carrying the Sharkbot malware. Sharkbot targets financial (banking) apps in order to intercept login data or covertly steal money.

The data of 5.4 million Twitter users has leaked. Last January, a vulnerability within the social media platform was fixed, but in July the data of 5.4 million Twitter users was offered for sale on a marketplace for 30 thousand dollars. Meanwhile, the data set has also been made available for free on that forum. The data had been for sale since August and consists of a combination of public information and private data, such as Twitter IDs, names, login names, locations, email addresses and phone numbers. It is also rumored that a larger data set of more than 10 million users exists. The available data is ideally suited for targeted phishing campaigns, so be wary of emails that appear to be sent by Twitter.

#WakeUpWednesday November 23, 2022

The Netherlands is a country with a strong digital focus. Over the past couple of years, attention to doing business online has increased. Cyber security is a topic of great importance for both larger and smaller companies. The government is also making plans to support small and medium-sized business owners in bringing their cyber security to the next level. By 2030, every small and medium-sized business owner should be at a certain basic level of digitalization.

This digital adaptation would place the Netherlands among the top three in Europe when it comes to digital technologies. Moreover, these measures are good preparation for the implementation of the revised European Network and Information Security Directive (NIB2) also known as NIS2.

Tomorrow is national “Change Your Password” day. On this day you can take some time to take a critical look at your password and change it. Many of today’s passwords are not safe enough. The top five most commonly used passwords are: 123456, Qwerty, 123456789, welcome and password. Tomorrow we will publish an article with guidelines for creating a safer password.

As stated earlier, data is the new gold. If you use the same password for multiple accounts, you run the risk of having your account data traded by cybercriminals on the various marketplaces out there on the Dark net.

Cybercriminals are becoming creative, and therefore dangerous. A new ransomware campaign was recently discovered that starts with a Google service: Microsoft warns that cybercriminals have found a method to spread malware through Google Ads using various payloads. This malware loader is known as BATLOADER. The Microsoft Security Threat Intelligence team reveals that this loader is being used to spread the Royal ransomware.

Another malware threat is the WASP Stealer, also known as W4SP Stealer. This malware is part of a supply-chain attack targeting Python developers. The Python packages it installs are capable of capturing Discord accounts, passwords, crypto wallets, credit card information and other privacy-sensitive data. The stolen data is then sent back to the attacker via a Discord webhook.

In addition, we see that a new version of Typhon Stealer is active, called Typhon Reborn. Both versions have the capacity to steal crypto wallets and bypass antivirus software.

Kaspersky research has revealed that cybercriminals have found a way to steal user data on Android devices via a VPN app. This spying campaign is called SandStrike. It attacks the user through a VPN app that contains advanced spyware. Various social media accounts were used to lure people into downloading the app.

#WakeUpWednesday November 16, 2022

Cyber security is a hot topic for local authorities too. More and more organizations and authorities are taking measures to improve their information security. The Ministry of Health and Sport wants to expand Z-CERT. Currently, Z-CERT serves hospitals and mental health institutions, and in time they want to offer the service to the entire healthcare sector.

In the area of critical vulnerabilities, vigilance continues to be required. A serious vulnerability has just surfaced that affects ABB TotalFlow computers and controllers. These are widely used within the oil and gas industry. Cybercriminals can use the vulnerability to remotely take control of devices. In addition, they can read, write and overwrite files.

Organizations are still at great risk from using weak passwords. The password “Welcome123” or a variation of it is still being used internally at companies. A newly discovered malware takes advantage of that. This bot uses Secure Shell to gain access to specific systems in order to not only mine cryptocurrency but also carry out DDoS attacks. The malware “KmsdBot,” as Akamai’s team calls it, targets different types of businesses ranging from gaming to luxury car brands. The botnet infects systems via SSH connections that use weak login credentials.

Last but not least, last week there were two updates around critical vulnerabilities. The blog around ProxyNotShell has been updated and a new blog around vulnerabilities in Citrix Gateway has been published.

#WakeUpWednesday November 9, 2022

Ransomware is unfortunately a topic that is going to haunt us more and more. According to the latest report from American federal and financial authorities, there were 487 ransomware incidents in 2020, but 1489 in 2021. All attacks targeted Windows OS systems. Companies also paid more for their data: in 2020 companies paid 416 million dollars, and a year later as much as 1.2 billion dollars.

More news about ransomware: the Dutch Minister of Justice and Security announced that it will be possible to file a police report for ransomware attacks before the end of the year. At this moment it is only possible to file police reports in cases such as online scams, phishing or WhatsApp scams.

This past week it became clear that Checkmk had multiple vulnerabilities in its software. Checkmk is used for monitoring IT infrastructure such as networks, databases, storage and servers. That means an attacker can do serious damage, because they can access a system without authenticating.

November is Black Friday month. On the 25th of November many stores are offering discounts. For consumers Black Friday is a delight, but for IT departments it is a time of challenges. Around Black Friday there is a massive number of online purchases, orders and payments. Please be wary of suspicious emails, text messages or WhatsApp messages about the status of your order.

#WakeUpWednesday November 2, 2022

Understanding what devices and software are being used within an organization is essential for efficient and effective patching policies. In this #WakeUpWednesday we focus on a number of critical vulnerabilities where patching is desired as soon as possible.

The NCSC has made an overview of products that use OpenSSL. OpenSSL is used to encrypt network connections and, like Log4j before it, is a component used in very many products. The vulnerability in OpenSSL is not present in versions lower than 3.0.

On Oct. 12, 2022, Juniper Networks published a security advisory describing six different vulnerabilities in the Juniper Networks Junos J-Web interface. More details about these vulnerabilities can be found in our blog.

Previously, we have shared information surrounding the Magniber ransomware and the exploitation of the Mark-of-the-Web zero-day in Windows 10 and 11. Meanwhile, an unofficial update is available.

In addition, an update is available for a critical vulnerability in VMware Cloud Foundation and NSX Manager appliances. Because proof-of-concept exploit code is available for this vulnerability, the likelihood of an attack is high. We recommend installing the update as soon as possible.

Finally, ConnectWise has made an update available for a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager solutions. The vulnerability allowed attackers to access data or execute code remotely.

#WakeUpWednesday October 26, 2022

Getting the deployment of technology right, combined with the correct mindset of employees and setting up the necessary processes, is essential to your cybersecurity. Also in this #WakeUpWednesday, we see cybercriminals using a combination of techniques to penetrate organizations. Cybercriminals then capture data and/or launch a ransomware attack.

Last week, an update was posted around the ProxyRelay vulnerability. Read our blog for more info.

Besides Microsoft Windows users, Cisco ISE is also vulnerable to a remote code execution vulnerability in Windows. Successful exploitation within ISE does require authenticated access to the management interface.

Synology’s disk drive manager (NAS devices) currently contains three critical vulnerabilities, all rated with a CVSS score of 10. By exploiting these vulnerabilities, an attacker can execute arbitrary commands on the NAS. An update is available; the recommendation is to install it as soon as possible.

Users of VMware Cloud Foundation are also advised to update, due to a remote code execution vulnerability via XStream.

Because employees today often work both at home and in the office, and home devices are also used for work purposes, cybercriminals are targeting Windows Home users through a specific campaign. Cybercriminals advertise fake antivirus and security updates for Windows 10 that actually contain Magniber ransomware.

Another way malware is currently being spread is through the mouseover feature in PowerPoint files. The PowerPoint presentation appears to be from the Organization for Economic Cooperation and Development (OECD, or in Dutch OESO) and consists of two slides explaining the use of the interpretation function in Zoom. The malware is activated when the victim opens the infected presentation in presentation mode and then moves the mouse over the hyperlink. Thus, no further action or click by the user is required! In this case, too, we see cybercriminals reusing a pre-existing, older technique. Currently, we see this method of attack being widely used for attacks on defense companies and government agencies, among others.

#WakeUpWednesday October 19, 2022

Phishing remains an important method for cybercriminals to capture user data. Caffeine is a new “Phishing-as-a-Service” platform where users can create their own campaign. Because this platform has an open registration process, essentially anyone with an e-mail address can register. Currently, ads for Caffeine are running on various forums. Make sure employees are regularly trained on how to recognize phishing emails, know where to report a phishing attempt and are aware of their online behavior.

Last week, a proof of concept exploit was published for the Fortinet Authentication Bypass. We recommend that vulnerable systems be updated as soon as possible. If that is not possible, we recommend applying the workaround.

It has since been revealed that nearly 900 servers have been affected by the vulnerability in Zimbra Collaboration Suite. Last week, a proof of concept (PoC) was added to the Metasploit framework, making it possible to exploit the vulnerability without in-depth knowledge of the matter. Zimbra has since released a security solution with ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak component that enabled exploitation.

Cybercriminals from the relatively new ransomware group Venus are currently actively using Remote Desktop Services to encrypt Windows systems. We never recommend making Remote Desktop services available directly on the Internet. Preferably place these remote worker services behind a VPN solution (with MFA).

On October 13, 2022, a vulnerability in the Apache Commons Text library was announced on the Apache dev list. The vulnerability bears similarities to Apache Log4j (Log4Shell). The difference is that the attack surface of CVE-2022-42889 is more limited due to the specific use of the Apache Commons Text library.

#WakeUpWednesday October 12, 2022

Within cybersecurity, we regularly see older techniques being revamped and reintroduced as new variants. One of these is fileless malware: a technique in which malicious code is hidden within the built-in processes of the operating system, for example Windows. Because regular, legitimate processes are used, this form of malware is much more difficult to detect.

Furthermore, we see cybercriminals using social engineering more intensively and trying to capture user data in various ways. Within retail and hospitality, credential harvesting and phishing are currently the main ways in which victims are made. In addition, more than 400 apps aimed at stealing Facebook users’ login credentials have recently been found in the Play Store and the App Store. We recommend using a unique password for each app, application or account that requires logging in and never reusing passwords. A password vault can help here.

The blog around ProxyNotShell is regularly updated with new information regarding mitigating measures.

Information has also recently been published about Maggie malware. This malware has already infected many Microsoft SQL servers worldwide with a backdoor. Maggie works with simple TCP redirect functionality, allowing cybercriminals to remotely connect to any IP address that can reach the infected SQL server.

#WakeUpWednesday October 5, 2022

Last week, a critical vulnerability was reported in Microsoft Exchange called ProxyNotShell. In our blog, you will find the latest information regarding this vulnerability and the measures you can take to reduce the chance of exploitation.

Furthermore, we see that cybercriminals are also paying attention to the industrial and healthcare sectors. For example, analysis from Outpost24 shows that a group called Shathak has been actively launching attacks against healthcare, financial and manufacturing organizations since 2019. Medtronic warns of a vulnerability in its 600-series MiniMed insulin pumps.

A new campaign has also been launched by cybercriminals involving backdoor malware hidden in the Windows logo. By using steganography, the malicious software remains hidden from antivirus software. The attack initially exploits existing vulnerabilities such as Microsoft Exchange ProxyShell and ProxyLogon. Then the backdoor, which is hidden in the Windows logo, is installed.

#WakeUpWednesday September 28, 2022

Cybercriminals use existing software vulnerabilities and stolen user data, among other things, to gain access to organizations. Currently, a zero-day vulnerability in Sophos firewall is being exploited by cybercriminals. The vulnerability allows them to execute arbitrary code on the underlying system. Meanwhile, a patch is available; the advice is to install it as soon as possible. In addition, the advice is to ensure that the User Portal and Webadmin are not accessible from the Internet.

Furthermore, cybercriminals are currently using poorly secured administrator accounts and rogue OAuth applications. Access to these accounts also allows cybercriminals to add their own data, which lets them maintain access even if the administrator password is changed. Cybercriminals can thus send spam through these organizations’ Exchange servers. We recommend not reusing passwords and, of course, turning on multifactor authentication for accounts that do not already have it set up.

Users are also being enticed, via GitHub, to enter their credentials on a counterfeit login page. In this case, the message claims that the CircleCI session has expired and that the user needs to log in again via a link. Another variant is an email saying that CircleCI has changed its Terms of Use and Privacy Policy and that these must be re-accepted via an attached link.

In addition, we are seeing developments where domain shadowing is gaining popularity among cybercriminals. In this method, a legitimate DNS domain is compromised to host sub-domains of the cybercriminal for malicious activities. In the process, the existing legitimate DNS entry is not changed, so the owner is often unaware that the domain has been compromised.

Finally, in the area of ransomware, we are also seeing changes in tactics. To enforce the ransom demand, there are multiple techniques. These range from threatening to publish captured data to targeting individuals or organizations that appear in the set of data or performing, for example, a DDoS attack to make recovery difficult. A new method seems to be holding data hostage and threatening to destroy the data if payment is not made.

#WakeUpWednesday September 21, 2022

Since the beginning of this month, patches have been released by a large number of vendors. The latest patch Tuesday from Microsoft provided updates for several critical vulnerabilities. Updates have also become available for Gitlab, Google Chrome, Adobe, Android, Citrix, Dell and Cisco, for example. Installing updates is one of the essential measures to keep cybercriminals out.

Recently, about 280,000 WordPress sites were attacked via a zero-day vulnerability in the WPGateway plugin. By exploiting this vulnerability, cybercriminals can gain complete control over the website. No update is available yet; users are advised to uninstall the plugin until the issue is resolved.

Furthermore, a warning to be alert for attacks with ChromeLoader malware: this malware steals passwords and personal information and can also install additional malware, including ransomware. ChromeLoader is spread through rogue links in YouTube and Twitter comments and through rogue advertisements.

There is currently a trend in the gamer community whereby gamers are being targeted via YouTube videos with links offering cheats and cracks for a number of popular games. Downloading the RAR files installs the RedLine stealer malware. In addition, it gives access to the victim’s YouTube account in order to further spread the malware through that account. Being aware of what is being downloaded and installed is therefore essential.

#WakeUpWednesday September 14, 2022

In addition to new ransomware variations, ransomware organizations are also changing the method of encryption. Instead of fully encrypting a file, parts are encrypted. As a result, the file is still unusable, but the time it takes to encrypt it becomes much shorter. The Agenda ransomware offers several options in how files are partially encrypted.

The Lampion malware is currently being spread through phishing campaigns using WeTransfer. Be aware of the sender of any request and be alert when downloading documents, even if they are sent via WeTransfer.

Operational technology is increasingly being targeted by cybercriminals. Once this equipment is exposed to the Internet, it too becomes vulnerable. In that context, several vulnerabilities have been found in medical equipment used to administer medication or nutrition to patients. Measures such as shielding the network with a firewall, network segmentation and timely patching are also necessary for OT equipment!

#WakeUpWednesday September 7, 2022

Malware is spread in very creative ways. For example, a photograph taken by the James Webb Telescope is used as a lure in a Golang-based malware campaign.
Phishing emails with a Microsoft Office attachment act as the entry point to the attack chain. If the attachment is opened, it retrieves a hidden VBA macro, which in turn is automatically executed if the recipient enables macros.

Go seems to be growing in popularity among cybercriminals given the language’s cross-platform support. This allows cybercriminals to effectively use a common codebase to attack different operating systems. Be aware of the sender of the mail and the attachment and be careful about enabling macros.

Another new malware written in Go is the BianLian ransomware. This ransomware was first seen in mid-July. The cybercriminals behind this ransomware claim that 15 organizations have now been victimized. By the way, BianLian is separate from the banking trojan of the same name!

Furthermore, a new ransomware strain written in Golang has been discovered. This ransomware, called Agenda, targets healthcare and educational institutions in Indonesia, Saudi Arabia, South Africa and Thailand. A characteristic of Agenda is that it can reboot systems in safe mode and has multiple modes to run.

Finally, QNAP is urging users of its Photo Station software to update their NAS device immediately. The reason is that a vulnerability in this software is being exploited by cybercriminals behind the Deadbolt ransomware.

Make sure you know what systems and applications are being used within your organization and install updates as soon as possible. Furthermore, make sure your employees are aware of the importance of updating: not only for their business devices but, now that business and private use are intertwined, also for their private environment.

#WakeUpWednesday August 31, 2022

Critical vulnerabilities still allow cybercriminals to gain access to systems and data. Alternatively, these vulnerabilities can be exploited by cybercriminals to increase their privileges within your systems.

Last Friday, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added ten new, actively exploited vulnerabilities to its list. These vulnerabilities include CVE-2022-26352 (dotCMS Unrestricted Upload of File Vulnerability), CVE-2022-24706 (Apache CouchDB Insecure Default Initialization of Resource Vulnerability), CVE-2022-24112 (Apache APISIX Authentication Bypass Vulnerability) and CVE-2022-22963 (VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability).

In addition, a critical vulnerability was discovered in Atlassian Bitbucket Server and Atlassian Data Center. More information on versions and updates is available on the Atlassian Confluence website.

Furthermore, a detailed blog has been published regarding two vulnerabilities in WatchGuard Firebox and XTM appliances: CVE-2022-31789 and CVE-2022-31790. Software patches for both vulnerabilities were published by WatchGuard in June 2022. The vulnerabilities and associated software patches are discussed in more detail in the following security advisories from the manufacturer:

The blog contains sufficient detail to exploit the software vulnerabilities. Therefore, the advice is to apply the software patches as soon as possible.

Finally, LockBit, a group that carries out ransomware attacks, has warned that it will apply triple extortion. In doing so, the battle between attackers and victims hardens. If the ransom for the hostage data is not paid, the threat is not only to publish the data, but also to carry out a DDoS attack on the already affected organization. This puts even more pressure on the victims to pay up.

#WakeUpWednesday August 24, 2022

Updating systems and applications remains important to keep cybercriminals out. Apple has released an update to fix two actively attacked zero-day leaks that allow attackers to gain full control of a system. If possible, the advice is to install the updates as soon as possible.

Research shows that more than 80,000 Hikvision cameras are still vulnerable. An update to fix this vulnerability was released almost a year ago. Thousands of systems, in use by some 2,300 organizations in more than 100 countries, still appear to be vulnerable.

If your organization is hit by a ransomware attack, the first priority is to repel it and limit the damage as much as possible. In doing so, it is important not only to take measures to prevent a new attack from the outside, but also to investigate whether there may be traces of other attackers. In this case, an organization was hit by three different groups in the space of two weeks.

#WakeUpWednesday August 17, 2022

In recent weeks there have been many reports of ransomware attacks in the media. Artis, home shopping chain Casa, dental chain Colosseum Dental Benelux, supermarket chain 7-Eleven and the British water company South Staffordshire Water: these days every organization that has data is interesting for cybercriminals. In the case of the water company, the attackers claim to have far-reaching control over the systems that allow them to alter the chemical composition of the water.

We also see a lot of activity on the development side. BlueSky Ransomware is an emerging family that uses various techniques to circumvent security measures. BlueSky targets Windows systems and uses “multithreading” to encrypt files even faster. Therefore, make sure that you have basic measures arranged such as network segmentation, creating and being able to restore backups and installing available updates.

In addition, new functionality has been added to the SOVA malware to encrypt Android devices. The SOVA malware targets more than 200 apps for banking, crypto trading and digital wallets, stealing user data and cookies.

Furthermore, Palo Alto has issued an alert regarding a critical vulnerability, CVE-2022-0028, in its PAN-OS that is currently being exploited. This is a software flaw that allows a specific misconfiguration, which lets an attacker use the firewall to carry out a reflected denial-of-service (DoS) attack against another target on the Internet.

Finally, VMware has published an advisory regarding a number of vulnerabilities. By combining two of these vulnerabilities, unauthenticated remote code execution becomes possible. Patches are available; the advice is to install them as soon as possible.

#WakeUpWednesday July 20, 2022

All devices connected to the Internet are vulnerable to an attack by cybercriminals. This includes VoIP servers and phones. Elastix VoIP phone servers and VoIP phones that use Digium software are vulnerable to a campaign designed to exfiltrate data by downloading and executing scripts or malware that allows cybercriminals to gain control over (parts of) the system.

Besides servers, cell phones and PCs, PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces) are also vulnerable to Sality malware. Cybercriminals have managed to infect these industrial control systems. Sality creates a peer-to-peer botnet that is used, for example, for password cracking and cryptocurrency mining.

Furthermore, there is an active phishing campaign kit targeting PayPal users that attempts to steal a large set of personal information from them. This kit is hosted on legitimate WordPress websites that have been hacked.

In addition, there is a large-scale attack on WordPress sites using the Kaswara Modern WPBakery Page Builder Add-on. This add-on contains security vulnerability CVE-2021-24284, which allows unauthenticated attackers to upload malicious PHP files to gain control of the website. As there is no security update available and the add-on is no longer offered, the advice is to remove this plug-in.

In all cases, it is important to use multifactor authentication and good network segmentation as much as possible.

#WakeUpWednesday July 13, 2022

When spreading malware, methods such as sending an attachment by mail, offering updates outside the official stores or luring users into logging in on dubious websites are often thought of. PennyWise is malware that poses as a Bitcoin mining application that can be downloaded via YouTube. While watching the YouTube video, viewers are persuaded to download a supposedly safe file. However, that file does not contain the Bitcoin software but the PennyWise malware. Therefore, be alert when downloading and installing software and only use the regular stores.

Updating software remains essential. Microsoft released new patches for 84 vulnerabilities last Tuesday, including for a critical vulnerability (CVE-2022-2294), which is currently being actively exploited.

Furthermore, a new phishing campaign has been spotted that takes advantage of the attention to the recently published Follina vulnerability. This campaign is used to spread Rozena malware. The starting point for this attack chain, observed by Fortinet, is an infected Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”). This HTML file in turn invokes the diagnostic utility using a PowerShell command after which the next step in the attack chain is taken. Therefore, make sure your people are aware of the type of emails they receive and which attachments they open.

#WakeUpWednesday July 6, 2022

A new type of ransomware called Session Manager is currently active. This rogue session manager is disguised as a module for Internet Information Services (IIS) and exploits one of the ProxyLogon flaws in Microsoft Exchange servers. The use of this backdoor and the fact that this ransomware is so far poorly detectable by virus scanners enable cybercriminals to operate undisturbed. Updating systems and setting up multi-factor authentication are important to keep cybercriminals out.

In addition, the FBI is warning about the MedusaLocker ransomware. This ransomware is brought into organizations by cybercriminals through vulnerable RDP connections and by employees opening infected email attachments. Some measures you can take right now to reduce the risk: disable unused ports, make sure systems are updated as soon as possible and make sure employees are alert to phishing messages.

The latest research data from WatchGuard Threat Lab shows that the number of ransomware detections in the first quarter of 2022 is double the total reported volume in 2021. Therefore, make sure your organization has basic cyber hygiene in place and is prepared for a cyber incident.

The annual Cybersecurity Beeld Nederland (CSBN), drawn up in collaboration with the National Cyber Security Centre (NCSC), shows that the digital resilience of many organizations in the Netherlands is still insufficient. Making and testing backups or introducing multi-factor authentication are basic measures that have not yet been adequately implemented in every organization.

#WakeUpWednesday June 29, 2022

The developments within cybersecurity are moving at lightning speed. Cybercriminals are constantly inventing new ways to penetrate organizations. All equipment with a link to the Internet is vulnerable, including cameras, climate control systems and systems for Internet telephony. Recently, a zero-day vulnerability in a Mitel VoIP server was used to carry out a ransomware attack. A software update for the vulnerability is available. The advice is to update these systems as soon as possible.

Another development is the use of a malware tool that allows cybercriminals to build rogue Windows shortcut (.LNK) files. This tool, Quantum Lnk Builder, allows spoofing of a large number of extensions and offers various possibilities for infecting systems. Quantum Lnk Builder is believed to be affiliated with Lazarus, however, Bumblebee and Emotet also seem to be using .LNK files more and more when attempting to infect a system.

It is important that everyone in the organization knows how to deal with potential phishing emails. A new method is by approaching organizations with an email claiming that the organization is infringing on copyright. In one case, a zip file is sent along with what appears to be a pdf. In practice, however, the file turns out to install ransomware. In the other case, a link is sent along that spreads malware.

Now that multifactor authentication (MFA) is becoming commonplace in more and more organizations, it is becoming more difficult for cybercriminals to log in with stolen user data. By abusing WebView2 apps and stealing the authentication cookies of the intended victim, cybercriminals still try to bypass MFA. MFA is a good way to create a barrier and make accounts extra secure; however, it also requires users to pay attention when applying it.

In a number of cases, a ransomware attack skips the ‘encryption’ step and focuses mainly on stealing information and the threat of publishing it. Be prepared and make sure you have implemented at least the basic measures.

#WakeUpWednesday June 22, 2022

Installing updates is one way to fix vulnerabilities as quickly as possible. This is especially true for vulnerabilities in operating systems. A vulnerability in FreeBSD systems allows cybercriminals to completely take over systems via Wi-Fi. An update for this vulnerability is available. The advice is to install this update as soon as possible.

For an actively exploited vulnerability in Ninja forms, a WordPress plugin for contact forms, an update is being forced by WordPress to fix this vulnerability. Cybercriminals could execute arbitrary code on the website or delete arbitrary files via the vulnerability.

Furthermore, the advice is to install the security updates for Citrix Application Delivery Management. These updates fix a problem whereby cybercriminals could reset admin passwords. This applies to all supported versions of Citrix ADM server and Citrix ADM agent (for example, Citrix ADM 13.0 before 13.0-85.19 and Citrix ADM 13.1 before 13.1-21.53).

Finally, Microsoft sees that the BlackCat Ransomware group is still attacking Microsoft Exchange systems that have not yet been updated. According to FBI figures, at least 60 organizations have been victimized between November 2021 and March 2022. Updating systems is an essential step in keeping cybercriminals out.

#WakeUpWednesday June 15, 2022

Many organizations use IT suppliers to a greater or lesser extent, for example to supply software. IT suppliers are thus connected to a large number of different organizations. These connections mean that these suppliers are becoming increasingly popular with cybercriminals. To illustrate, in 2021 there were 28 reports of data breaches at IT suppliers, resulting in 18,000 reports from organizations doing business with these IT suppliers. With the basics in place, we provide some tools to improve cybersecurity within your organization. Also ask your IT vendor about how they handle data and what measures they have in place to reduce the risk of a cyber incident.

The United States Cybersecurity and Infrastructure Security Agency (CISA) has added 36 new vulnerabilities to its overall list. These 36 vulnerabilities are currently being actively exploited and are located in software and systems from Cisco, Netgear, Adobe and Microsoft, among others. We recommend checking whether your systems are vulnerable and updating them as soon as possible.

Several vulnerabilities have also been found in the A8Z3 thermal imaging camera that allow the device to be taken over by cybercriminals. Several vulnerabilities have also been discovered in the LenelS2 HID Mercury access control system that, for example, allow remote unlocking and locking of doors.

Furthermore, researchers have discovered new Linux malware, Symbiote. This malware infects all running processes on compromised systems, stealing user data and giving cybercriminals access. The malware is difficult to trace; however, by monitoring for anomalous DNS requests this malware can be discovered.
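Because Symbiote hooks into every process on the infected host, host-based tools cannot be trusted to report it; the DNS hint above is best acted on from the resolver logs or a network sensor. The following script is an added example (not code from the page, Tesorion or the Symbiote researchers) that applies two generic heuristics to constructed resolver log lines: hostnames with long, high-entropy labels (encoded data rather than names) and a single client querying many distinct names under one domain. The log format, the client addresses and the `c2-placeholder.invalid` domain are all constructed for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log: "timestamp client qname qtype" per line (not from the page).
# 10.0.1.15 is an ordinary workstation; 10.0.1.42 plays an infected host whose queries
# carry encoded data in the leftmost label, sent to a placeholder domain under .invalid.
SAMPLE_LOG = """\
2022-06-13T09:00:01 10.0.1.15 www.example.com A
2022-06-13T09:00:02 10.0.1.15 mail.example.com MX
2022-06-13T09:00:05 10.0.1.15 www.example.com A
2022-06-13T09:00:07 10.0.1.15 login.example.net A
2022-06-13T09:01:00 10.0.1.42 6a7b3c9d2e1f4a5b.c2-placeholder.invalid A
2022-06-13T09:01:01 10.0.1.42 c3d4e5f6a7b8091a.c2-placeholder.invalid A
2022-06-13T09:01:02 10.0.1.42 0f1e2d3c4b5a6978.c2-placeholder.invalid A
2022-06-13T09:01:03 10.0.1.42 9b8a7c6d5e4f3210.c2-placeholder.invalid A
2022-06-13T09:01:04 10.0.1.42 12345678abcdef90.c2-placeholder.invalid A
2022-06-13T09:01:05 10.0.1.42 aabbccddeeff0011.c2-placeholder.invalid A
2022-06-13T09:01:06 10.0.1.42 aabbccddeeff0011.c2-placeholder.invalid A
2022-06-13T09:01:10 10.0.1.42 www.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; real hostname labels sit well below 3.5, encoded data above it."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname, qtype); malformed lines are skipped."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            ts, client, qname, qtype = fields
            yield ts, client, qname.rstrip(".").lower(), qtype


def registered_domain(qname: str) -> str:
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.split(".")[-2:])


def detect_dns_anomalies(text: str, min_label_len: int = 16, min_entropy: float = 3.5,
                         churn_threshold: int = 6) -> list:
    """Return human-readable findings for the two heuristics described in the lead-in."""
    findings = []
    churn = defaultdict(set)  # (client, registered domain) -> distinct names queried
    for ts, client, qname, qtype in parse_dns_log(text):
        churn[(client, registered_domain(qname))].add(qname)
        # Heuristic 1: a long, high-entropy label looks like encoded data, not a hostname.
        for label in qname.split(".")[:-2]:
            if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
                findings.append(f"{ts} {client} encoded-looking label {label!r} in {qname} ({qtype})")
                break
    # Heuristic 2: many distinct names under one domain from one client (tunnelling/exfil).
    for (client, domain), names in churn.items():
        if len(names) >= churn_threshold:
            findings.append(f"{client} queried {len(names)} distinct names under {domain}")
    return findings


if __name__ == "__main__":
    for finding in detect_dns_anomalies(SAMPLE_LOG):
        print(finding)
```

The repeated `aabbccddeeff0011` query shows why the churn heuristic counts distinct names rather than raw query volume, and why it catches a label (entropy 3.0) that the per-label threshold misses. Tune the thresholds against your own baseline: CDNs and some telemetry services legitimately use long hashed labels, so whitelist known domains before alerting.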

Finally, the Emotet banking trojan is once again causing a stir. This malware makes use of various Office attachments and in its renewed version is able to bypass the security scanners of email gateways. In addition, it steals credit card data. Therefore, make sure that users store login data and confidential information, such as credit card data, in a password vault, for example.

#WakeUpWednesday June 8, 2022

The developments in the field of cybercrime are moving fast. This makes it a great challenge for many organisations to keep up with all the (possible) threats. A new initiative to bundle this information and distribute it quickly is cyberteletext: teletext as we all know it, but with the latest vulnerabilities and the latest news on cyber security.

Last week a warning was issued for a vulnerability in Atlassian Confluence. Updates are available. The advice is to install them as soon as possible. If patching is not possible, Atlassian has described a number of additional mitigating measures.

Google has remedied a number of vulnerabilities in Android by making patches available. The vulnerabilities CVE-2022-20130 and CVE-2022-20127 make it possible to remotely execute code on Android phones. There are updates for Android 10, 11, 12 and 12L.

Recently, a new type of phishing campaign has been identified. Microsoft Word documents containing VBA macros are emailed as attachments. These macros then run shellcode contained in the document properties to install SVCReady malware. This malware can collect system information, take screenshots and download documents, among other things. It remains important to stay alert to phishing.
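Both the PowerPoint mouseover campaign described in the October 26 item above and the SVCReady documents described here leave traces inside the Office file itself, because a modern Office document is a ZIP archive of XML parts. The scanner below is an added example (not code from the page or from Tesorion) that flags three such traces: a VBA project, a slide hyperlink whose `ppaction://program` action runs a program on mouse-over or click, and a document property holding a long, high-entropy string. The sample packages it builds are constructed stand-ins, not real malware; the program target and the VBA payload are labelled placeholders, and the entropy threshold of 4.5 bits is an assumption you should calibrate on your own documents.

```python
import base64
import io
import math
import random
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces: DrawingML hyperlinks, relationship ids, and the package .rels file
NS = {
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "rel": "http://schemas.openxmlformats.org/package/2006/relationships",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 6 for base64 noise, well under 4.5 for normal prose."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def _rels_targets(zf: zipfile.ZipFile, part: str) -> dict:
    """Map relationship Ids to Targets for a part (ppt/slides/slide1.xml -> its .rels file)."""
    folder, _, base = part.rpartition("/")
    rels = f"{folder}/_rels/{base}.rels"
    if rels not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels))
    return {r.get("Id"): r.get("Target", "") for r in root.findall("rel:Relationship", NS)}


def scan_ooxml(data: bytes) -> list:
    """Return findings for an Office Open XML package (pptx/docx/docm) given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. Any VBA project at all: the macro is the SVCReady entry point.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("vba: package contains a VBA project (vbaProject.bin)")
        # 2. Slide hyperlinks whose action launches a program on mouse-over or click.
        for part in names:
            if not (part.startswith("ppt/slides/slide") and part.endswith(".xml")):
                continue
            targets = _rels_targets(zf, part)
            root = ET.fromstring(zf.read(part))
            for kind in ("hlinkMouseOver", "hlinkClick"):
                for link in root.iter(f"{{{NS['a']}}}{kind}"):
                    if link.get("action", "").startswith("ppaction://program"):
                        rid = link.get(f"{{{NS['r']}}}id")
                        findings.append(f"{part}: {kind} runs program {targets.get(rid, '?')!r}")
        # 3. Document properties stuffed with long, high-entropy text (hidden shellcode).
        for part in ("docProps/core.xml", "docProps/app.xml"):
            if part not in names:
                continue
            for el in ET.fromstring(zf.read(part)).iter():
                text = (el.text or "").strip()
                if len(text) >= 200 and shannon_entropy(text.encode()) > 4.5:
                    tag = el.tag.rpartition("}")[2]
                    findings.append(f"{part}: property {tag!r} holds {len(text)} high-entropy characters")
    return findings


def build_sample_pptx(program_target: str) -> bytes:
    """Constructed one-slide deck whose hyperlink fires a program on mouse-over (placeholder target)."""
    slide = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             f'xmlns:a="{NS["a"]}" xmlns:r="{NS["r"]}"><p:cSld><p:spTree><p:sp><p:txBody>'
             '<a:p><a:r><a:rPr><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
             '</a:rPr><a:t>Zoom interpretation feature</a:t></a:r></a:p>'
             '</p:txBody></p:sp></p:spTree></p:cSld></p:sld>')
    rels = (f'<Relationships xmlns="{NS["rel"]}"><Relationship Id="rId2" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
            f'Target="{program_target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def build_sample_docm(with_vba: bool = True, blob_len: int = 600) -> bytes:
    """Constructed Word package: optional placeholder VBA project plus a property holding base64 noise."""
    blob = base64.b64encode(random.Random(42).randbytes(blob_len)).decode()
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/'
            'metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:title>Invoice</dc:title><dc:description>{blob}</dc:description>'
            '</cp:coreProperties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"placeholder, not a real VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_ooxml(build_sample_pptx("EXAMPLE-LAUNCHER-PLACEHOLDER")))
    print(scan_ooxml(build_sample_docm()))
    print(scan_ooxml(build_sample_docm(with_vba=False, blob_len=0)))
```

Run it on a quarantined attachment with `scan_ooxml(open(path, "rb").read())`. A mail gateway that already strips macros still lets the mouseover deck through, because that file contains no VBA at all; the hyperlink action check is what covers that case.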

Cybersecurity companies from the US are warning against Chinese hackers. By exploiting vulnerabilities in telecom suppliers, they try to intercept and steal network traffic. They then try to obtain log-in data and use this to log in. Eventually, the attackers can forward the network traffic to their own infrastructure. The advice is to keep all systems up-to-date. A patch management system can help with this.

#WakeUpWednesday June 1, 2022

VMware has released security updates to address vulnerabilities in Workspace ONE Access, Identity Manager, vRealize Automation, Cloud Foundation and vRealize Suite Lifecycle Manager. The vulnerabilities allow cybercriminals to gain administrator rights. A proof of concept is available for vulnerability CVE-2022-22972. The advice is to install the available security updates as soon as possible.

Microsoft also warns of a new vulnerability, CVE-2022-30190. To exploit this Microsoft Office RCE vulnerability (Follina), a cybercriminal needs a user to open a Word document. These documents are often shared by e-mail; therefore the advice is, as with phishing, to make users aware of the risk of opening files from e-mail that come from an unknown sender or that they do not expect. A service update and an article with guidance are available, although at this moment no patch is available yet.

The annual Verizon Data Breach Investigation Report (DBIR) shows that globally, web application attacks are increasingly responsible for cybersecurity incidents in healthcare. The healthcare sector is increasingly being attacked by cybercriminals and is also more often the victim of ransomware attacks. Most of the attacks have a financial motive, according to the report.

Ransomware groups are known for taking your files hostage. Recently we hear about a group that pretends to have other motives. RansomHouse is a ransomware group that uses a different business model, focusing primarily on data exfiltration. The motivation for this group is that they want to use extortion to point out to organizations that they are not investing enough in the security of their data, networks and systems or that they are not respecting their bug bounty program. The group claims that after payment it will help the affected organization to protect itself against future attacks. In addition, the affected organization receives a report describing which vulnerabilities were used and how they were used to gain entry.

What many organizations do not realize, or insufficiently, is that by using third-party JavaScript they run an increased risk of being hit by a cybersecurity incident. Third-party scripts allow cybercriminals to introduce malicious code into an organization’s web environment. Many organizations use third-party code for, for example, forms, processing orders and payments or tracking visitor behavior. Be alert to the use of third-party code. Know which code is used and check whether this code is also actively maintained.
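Knowing which third-party code runs on your pages is the inventory step; pinning that code to the exact bytes you reviewed is the control that stops a silently altered script from loading. Browsers support this through Subresource Integrity (SRI): the `integrity` attribute on a `<script>` tag carries a hash of the expected content, and a mismatch blocks execution. The helper below is an added example (not code from the page or from Tesorion) that generates the attribute for a reviewed script and verifies fetched bytes the way a browser does, considering only the strongest algorithm listed. The vendor script, its tampered copy and the CDN hostname are constructed for the example.

```python
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Build an SRI token ('sha384-<base64 digest>') for the exact bytes you reviewed."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_sri(script: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute as a browser does: only tokens
    using the strongest algorithm present are considered, and any one of them may match."""
    tokens = [t for t in integrity.split() if t.partition("-")[0] in SRI_ALGOS]
    if not tokens:
        return False  # no usable token: browsers then load without a check, we refuse
    strongest = max(t.partition("-")[0] for t in tokens)  # 'sha512' > 'sha384' > 'sha256'
    expected = sri_hash(script, strongest)
    return any(hmac.compare_digest(expected, t) for t in tokens if t.startswith(strongest + "-"))


def script_tag(src: str, script: bytes) -> str:
    """Emit the tag that pins a third-party script; crossorigin is required for cross-site SRI."""
    return f'<script src="{src}" integrity="{sri_hash(script)}" crossorigin="anonymous"></script>'


# Constructed vendor script and a tampered copy (what a compromised vendor or CDN might serve).
VENDOR_JS = b"window.checkout = function (cart) { return cart.total; };"
TAMPERED_JS = VENDOR_JS + b"\n/* one extra line is enough to change the digest */"

if __name__ == "__main__":
    tag = script_tag("https://cdn.vendor.invalid/checkout.js", VENDOR_JS)
    print(tag)
    print("genuine :", verify_sri(VENDOR_JS, sri_hash(VENDOR_JS)))
    print("tampered:", verify_sri(TAMPERED_JS, sri_hash(VENDOR_JS)))
```

The trade-off is deliberate: when the vendor ships an update, the pinned script stops loading until someone reviews the new version and rotates the hash, which is exactly the "know which code is used" discipline the paragraph asks for. SRI does not cover resources that the pinned script itself fetches later, so it complements rather than replaces a Content Security Policy.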

#WakeUpWednesday May 25, 2022

The 2022 SaaS Security Survey Report identifies the risks and dangers associated with the use of SaaS solutions. In particular, configuration errors are cited as the cause of cybersecurity incidents. One of the reasons for this is that several departments have access to the security settings, without the people being trained or having cybersecurity as their focus area.

Cisco warns of an actively attacked vulnerability in IOS XR router software, which allows attackers to access the Redis database and modify information there, write arbitrary files to the container file system, and retrieve information about the Redis database. An update is available; the advice is to install it as soon as possible.

Educational institutions with a WordPress website that use the Premium tool ‘School Management’ are currently vulnerable due to a backdoor in this plug-in. The plug-in provides educational institutions with capabilities such as scheduling distance education, attendance tracking, expense tracking, enrolling new students, and document management. The vulnerability allows cybercriminals to run arbitrary PHP code, which can let them access or alter the website’s contents, elevate privileges and assume complete control of the site. An update is available (version 9.9.7); please update to the most recent version as soon as possible.

#WakeUpWednesday May 18, 2022

Last week a political agreement was reached on new European regulations in the field of cybersecurity, NIS 2. Important changes are that the regulations will also apply to medium-sized and large organizations and that the number of sectors that are considered critical has been expanded. Some aspects mentioned in NIS 2 are patching vulnerabilities, risk management measures and the period within which incidents must be reported to the authorities.

A critical vulnerability in Zyxel firewalls allows cybercriminals to execute arbitrary code remotely. This includes downloading malware or misusing other vulnerabilities to penetrate the network. The vulnerability applies to both firewalls and VPNs. We have now received the first signals that this vulnerability is also actively being used by cybercriminals. An update is available; our advice is to update this equipment as soon as possible.

The update advice also applies to SonicWall SMA1000 series 6200, 6210, 7200, 7210 and 8000 devices with firmware versions 12.4.0 and 12.4.1. Cybercriminals can access internal resources and redirect potential victims to rogue websites.

Linux and Solaris (Unix) systems are also under attack by cybercriminals. For example, malware called BPFdoor has recently been discovered, which has been targeting Linux and Solaris systems undetected for the past five years. The malware allows cybercriminals to remotely connect to a Linux shell to gain full access to an infected system. The malware has gone undetected for so long because the command & control connection is initiated from outside. A firewall offers no protection against this malware and the malware can respond to commands from any IP address. A set of technical indicators (Yara rules, hashes) is now available with which you can scan a Linux or Solaris system.

#WakeUpWednesday May 11, 2022

Cybercriminals are constantly developing new ways to spread malware. In addition, we now also see that cyber criminals don’t stick to one specific way when spreading. This flexibility, combined with an increasing freedom of choice, means that organizations must be constantly alert and avoid tunnel vision when implementing cybersecurity measures.

Mandiant has researched worldwide trends in cybersecurity incidents, such as ways to distribute malware, and published them in an annual report. They state, among other things, that we have all become better at detecting incidents more quickly. In response to our efforts, attackers will of course remain flexible. In 37% of cases, attackers still most often enter by exploiting a vulnerability. Phishing is a much less popular method, at only 11%. The statistics on supply-chain attacks are striking; we all remember last year’s attack on Kaseya. These attacks are rapidly gaining popularity, rising to 17% from 1% the year before.

We continue to see that exploiting vulnerabilities is a common way for attackers to get in. It is therefore extremely important that the management of hardware and software within your organization is in order: keep a good record of what hardware and software is in use, and ensure that it is kept up to date. Qualys can help you with this. By acting on security updates in a timely manner, you reduce the attack surface of your organization.

There is also a warning about Raspberry Robin, malware that spreads via USB sticks. Make sure your employees are aware of the risks of plugging in unknown external devices.

#WakeUpWednesday May 4, 2022

The NSA and FBI, along with cybersecurity agencies from multiple countries, have compiled an overview of the key vulnerabilities exploited in 2021. Unfortunately, these vulnerabilities are still claiming victims today. The overview includes ProxyLogon and Log4Shell. In addition to these most commonly exploited vulnerabilities, new ones are regularly added that pose a potential threat to your organization.

Another vulnerability that is currently being actively exploited is the one in VMware Workspace ONE Access. Make sure you stay informed about new updates and install them as soon as possible.

Updating systems and software does not only apply to the business environment, but also to devices intended for home or personal use. The government now obliges sellers of digital products to keep them working and secure. This means that software updates will also be available for smart TVs, printers and cameras, for example. Here too: make sure you know which equipment is connected to the internet and update it as soon as an update is available.

Furthermore, Onyx ransomware appears to destroy files larger than 2 MB instead of encrypting them. According to researchers, the contents of these files are overwritten with worthless data, so that decryption no longer yields the original file even after the ransom has been paid. Since the same routine has been seen in Chaos ransomware, this overwriting appears to be a deliberate choice rather than a flaw in the encryption. Paying does not bring such files back; only a backup that the ransomware cannot reach does. So act promptly when a new vulnerability is published, and keep your backups offline.

#WakeUpWednesday April 27, 2022

Among other things, cybercriminals use vulnerabilities in software to penetrate organizations. At least eighty zero-day vulnerabilities were exploited in 2021, more than double the number in 2020. Three quarters of the zero-days discovered last year were in products from Apple, Google and Microsoft. Therefore, install the available patches as soon as they are published.

Cisco, QNAP and Oracle, among others, released updates last week. Cisco addressed a serious vulnerability in the Cisco Umbrella Virtual Appliance (VA) that allowed attackers to remotely steal administrative credentials. QNAP released an update for its NAS systems related to Apache HTTP Server vulnerabilities. Oracle fixed 520 vulnerabilities in its April update.

Research further shows that malware groups still rely heavily on phishing to get in. Now that Microsoft is blocking macros in Office documents from the internet, these groups are looking for ways around that measure. Make sure your people are prepared for these phishing attempts.

#WakeUpWednesday April 20, 2022

Several updates were released last week for critical vulnerabilities that are being actively exploited. Google released an emergency patch for an actively attacked zero-day vulnerability in Chrome, and Microsoft (Windows) and VMware (Workspace ONE Access) also released patches. The advice is, of course, to install available patches as soon as possible.

In previous WakeUp Wednesday posts, we reported on various variants of malware targeting mobile phones. Research by Proofpoint shows that in February there was a 500% increase in attempts to deliver malware to mobile devices in Europe. Mobile malware is becoming more sophisticated: it can record telephone and video calls, steal audio and video recordings stored on the device, and destroy data stored on it. Be alert for messages containing links, voice messages, or notifications to update apps outside the regular app stores.

#WakeUpWednesday April 13, 2022

Mobile phones play an increasingly prominent role in our lives, both professionally and privately. Therefore, be aware of malware that targets Android devices. The Android malware Octo is a new version of ExoCompact, the source code of which was leaked in 2018. The most dangerous aspect of the updated variant is that the cybercriminal can remotely take control of the device and perform malicious actions through it. Only install app updates that are released through official channels, such as the App Store or Google Play.

Another malware campaign currently seen in practice distributes the new information-stealing malware META. META is growing in popularity among cybercriminals and is actively used in attacks. It is deployed to steal passwords stored in Chrome, Edge and Firefox, as well as cryptocurrency wallets. META is distributed in the traditional way, as an e-mail attachment that asks the recipient to enable macros. Be alert when you receive attachments from strangers, and be careful when enabling macros!

Other information-stealing malware currently in active use are FFDroider and Lightning Stealer. These also target passwords stored in Chrome, Edge and Firefox. FFDroider is distributed via cracked installers and freeware, with the main purpose of stealing cookies and credentials for popular social media and e-commerce platforms. The stolen information is then used to log into those accounts and harvest further account details. Lightning Stealer works in a similar way and can steal Discord tokens, cryptocurrency wallet data, and cookies, passwords and credit card details.

During the Patch Tuesday of April 2022, Microsoft released patches for 119 new vulnerabilities. The most severe is a remote code execution vulnerability in the Remote Procedure Call Runtime, registered as CVE-2022-26809. It allows an unauthenticated remote attacker to execute code with the privileges of the RPC service, which runs under the built-in NETWORK SERVICE account.

VMware has published Security Advisory VMSA-2022-0011 covering eight CVEs in VMware Workspace ONE Access. Three of these CVEs have a CVSS score of 9.8 and deserve particular attention: one remote code execution and two authentication bypass vulnerabilities. The remote code execution vulnerability also exists in the related products VMware Identity Manager, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

#WakeUpWednesday April 6, 2022

Cyber incidents are often caused by critical vulnerabilities that are not adequately addressed, by configuration errors or by users inadvertently sharing their data with third parties.

Zyxel warns of a critical vulnerability that could allow cybercriminals to gain administrative access to the firewall. Install the software updates as soon as possible.

Totolink routers that have not received the latest software updates are vulnerable to a variant of the Mirai botnet. The variant, called Beastmode, has added five new exploits, three of which target various Totolink routers. Here too, the advice is to update the software as soon as possible, where possible.

In addition to the notification for Totolink routers, there is also a warning for users of D-Link routers. The vulnerability, designated CVE-2021-45382, resides in the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L. These models are end-of-life, so no updates will be released. It is therefore advised to take them offline as soon as possible and replace them with newer routers.

Borat, a new remote access trojan (RAT), offers cybercriminals several attack options. For example, Borat can be used as ransomware, as spyware and for DDoS attacks. Because the attacker chooses how to deploy the malware, be careful about which software is installed and only download applications from reliable sources and websites.

#WakeUpWednesday March 30, 2022

It is nothing new that critical vulnerabilities are used by cybercriminals to gain access to third-party systems and data. However, we see that various vulnerabilities are still being exploited, despite patches being released. Updating systems and applications is an essential part of a good cybersecurity policy.

For example, Log4j is still actively abused by cyber criminals to install backdoors that can be used at a later stage. In addition, Log4j is actively being exploited to install cryptocurrency miners on vulnerable VMware Horizon servers.

A new phishing campaign, aimed at taking over email conversations, is being used to spread the IcedID info-stealing malware. This campaign makes use of vulnerabilities in Microsoft Exchange for which software updates are already available.

Sophos has announced that the critical vulnerability in its firewall software is currently being actively exploited. A hotfix is available; we recommend installing it as soon as possible.

The number of attacks using zero-day vulnerabilities, that is, vulnerabilities exploited before the vendor knows about them or has an update available, doubled in 2021 compared to 2020, according to Rapid7.

We advise you to ensure that your systems have the latest software updates, if possible. Make sure your employees are alert and use network segmentation to ensure that attackers cannot penetrate the entire company network unhindered.

#WakeUpWednesday March 23, 2022

Why do things the hard way? This is why many portals allow users to log in with a Google account, Apple ID or Microsoft account. Their popularity means that these login screens are also popular with cybercriminals, who use them in phishing campaigns. Recently, a new phishing toolkit has become available that makes it easy to counterfeit a Chrome pop-up window, including a convincing address bar, on top of a web page. Be careful where you log in (a fake pop-up cannot be dragged outside the page that draws it) and use multi-factor authentication wherever possible.

The FBI warns vital sector organizations about AvosLocker ransomware. These ransomware attacks exploit vulnerabilities in Microsoft Exchange. Updates are available for the vulnerabilities used, including ProxyShell. Make sure your systems have the latest security updates.

Qualys research shows that 30 percent of applications, servers and other systems using Log4j are still vulnerable to cyber attacks. This vulnerability puts you at risk because cyber criminals could take over your system remotely. Therefore, install the security updates if possible or take mitigating measures if updating is not possible.

At the beginning of March 2022, we saw a new variant of the Lorenz ransomware. However, there is a big difference between the files encrypted by this ransomware and files encrypted by an earlier version. The main difference: decryption is not possible after paying the ransom. However, our specialists managed to create a decryptor that can decrypt the files.

#WakeUpWednesday March 16, 2022

Cyber criminals are inventive. Time and again they find new ways to spread malware and gain access to third-party systems. In this #WakeUpWednesday, we give three examples.

For example, contact forms on company websites are used to distribute the BazarBackdoor malware. By requesting a quote, the attacker starts a conversation. Later in that conversation an ISO file is sent that supposedly contains additional information relevant to the request. By using file-sharing services such as WeTransfer for this and letting the recipient unpack the file themselves, the attacker tries to bypass e-mail security scanning.

Additional add-ons for popular online games are also used. In this example, a YouTube channel is promoting an add-on for the popular game Valorant. Users who want to download the add-on are directed to a page where they can download a RAR file. This contains an installation file that does not install the add-on for the game, but RedLine stealer, malware that focuses on stealing passwords, among other things.

We close the list with Escobar, Android malware aimed at stealing Google Authenticator MFA codes. Escobar is an enhanced version of the Aberebot Android banking trojan. In addition to the MFA codes, the malware can take control of the device using VNC. Its options for recording sound and using the camera also allow the malware to retrieve user data, all with the ultimate goal of obtaining enough data to take over the victim's bank account.

In addition to IT systems, OT systems are increasingly faced with cybersecurity threats. Research by Dragos shows that the number of vulnerabilities has doubled in 2021 compared to 2020. Ransomware is the biggest threat.

A Linux vulnerability that affects all kernels since version 5.8, including Android, has been disclosed under the name Dirty Pipe (Linux kernel exploit). It allows a local user to overwrite data in files they are only permitted to read, and with that to obtain root privileges. QNAP's NAS operating systems QTS and QuTS hero also use the Linux kernel and are therefore vulnerable.
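A quick triage of which kernel releases fall in the affected range, as an added example that is not part of the original post. The boundaries (introduced in 5.8; fixed in 5.10.102, 5.15.25, 5.16.11 and mainline 5.17) come from the public disclosure and are not stated above; the function names and the sample release strings are the example's own. Distributions backport fixes without changing the upstream version string, so "in the affected range" means "check your distribution's advisory", not "exploitable".

```python
#!/usr/bin/env python3
"""Is this kernel release string in the Dirty Pipe (CVE-2022-0847) affected range?

Added example, not from the original post. The bug was introduced in Linux 5.8
and fixed in the stable releases 5.10.102, 5.15.25 and 5.16.11 and in mainline
5.17. Stable series in between (5.8, 5.9, 5.11 to 5.14) were end-of-life and
never received the fix, so any upstream kernel in those series is affected.
"""
import platform
import re
from typing import Optional, Tuple

INTRODUCED = (5, 8, 0)
FIRST_FIXED_MAINLINE = (5, 17, 0)
# Stable series that received the fix, and the first fixed patch level in each.
FIXED_IN = {(5, 10): 102, (5, 15): 25, (5, 16): 11}

_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_release(release: str) -> Optional[Tuple[int, int, int]]:
    """'5.10.0-19-amd64' -> (5, 10, 0); '5.16.11-arch1-1' -> (5, 16, 11); None if unparseable."""
    m = _RELEASE_RE.match(release.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def in_affected_range(release: str) -> Optional[bool]:
    """True/False for the upstream affected range, None if the string cannot be judged.

    Release candidates ('5.17-rc5') are not handled: the fix landed mid-cycle,
    so an rc number alone does not tell you which side of the fix you are on.
    """
    if "-rc" in release:
        return None
    v = parse_release(release)
    if v is None:
        return None
    if v < INTRODUCED or v >= FIRST_FIXED_MAINLINE:
        return False
    first_fixed_patch = FIXED_IN.get((v[0], v[1]))
    if first_fixed_patch is None:
        return True          # series never received the fix upstream
    return v[2] < first_fixed_patch


def check_running_kernel() -> str:
    """Human-readable verdict for the kernel this script runs on (uname -r equivalent)."""
    release = platform.release()
    verdict = in_affected_range(release)
    if verdict is None:
        return f"{release}: cannot judge from the version string alone"
    if verdict:
        return f"{release}: in the upstream affected range; check your distribution's advisory for a backport"
    return f"{release}: outside the upstream affected range"


if __name__ == "__main__":
    print(check_running_kernel())
```

The same check applies to Android and to NAS firmware, where the kernel version is usually visible in the system information screen, but there the vendor's own bulletin is the only reliable source for whether a fix has shipped.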

Finally, we also keep a close eye on developments related to Wiper malware. A new version, RuRansom, is not ransomware, even though the name suggests otherwise. In this case too, it concerns Wiper malware that, for the time being, affects systems with an IP address that can be related to Russia.

#WakeUpWednesday March 9, 2022

Cybercrime can focus on disrupting primary business processes or critical services. Last week, for example, not only were satellite connections affected, but 5,800 wind turbines in Germany and central Europe also lost their remote monitoring connection as a result.

Nvidia has fallen victim to cybercrime in several ways. In addition to a terabyte of data being stolen during the incident, two stolen code-signing certificates are now being used to sign malware. Even though the certificates have expired, Windows still accepts drivers signed with them. Finally, the stolen data is being used to pressure Nvidia into changing the firmware of specific series of graphics cards (GeForce RTX 30 Series), a change intended to benefit crypto mining, among other things.

Furthermore, various vulnerabilities have been patched in Exchange Server and Android. The vulnerability in Exchange Server (CVE-2022-23277) has a CVSS score of 8.8 and allows remote code execution; it affects Exchange 2013, 2016 and 2019, and an authenticated attacker can use it to execute code with elevated privileges. The Android vulnerability also allows privilege escalation; updates have been made available for Android 10, 11 and 12.

Install the available software updates as soon as possible. Also be aware of updates that are made available for all kinds of other systems that you have connected to the internet at home.

#WakeUpWednesday March 2, 2022

Over the past week we have noticed that the situation concerning Ukraine has escalated both physically and digitally. The Tesorion Threat Intelligence team has been monitoring various open sources since mid-January. We see that attacks within Ukraine are increasing drastically and that wiper malware has been detected, among other things. The purpose of this malware is to render the affected computers completely unusable. This differs from ransomware, where files are encrypted and the attackers demand a ransom: a wiper destroys the files, and there is usually no way back. Therefore, be extra vigilant with e-mail messages, phone calls and approaches via social media.

The Dutch fraud helpdesk states that in the first six weeks of 2022, more than 10.5 million euros in damage has already been suffered due to CEO fraud, fake telephone calls and misuse of company names. In addition to training the cyber awareness of employees, it is also important as an organization to know what is being published about your organization, especially on the deep and dark web. Think, for example, of stolen login details with which cyber criminals can gain access to your systems.

Research by Fortinet shows, among other things, that ransomware is not only increasing, but also becoming more aggressive and devastating. In addition, the Global Threat Landscape Report shows that Linux systems are also increasingly being targeted. Make sure your organization is prepared, pay attention to increasing the cyber awareness of your employees.

#WakeUpWednesday February 23, 2022

The widely used Microsoft Teams now also appears to be used by hackers. They use the platform to spread malware. By logging in with data obtained through phishing or bought on the dark web, the hacker can share a file. As soon as this file is opened by another user, the malware starts working, with all its consequences. Make sure your employees are resilient and alert when it comes to phishing and opening unknown files.

A malicious app has been found in the Google Play Store. The app Fast Cleaner pretends to be an app that will clean up the device and thus improve battery life, while in reality it installs banking malware during an invisible update. There have already been more than 50,000 downloads of this app, despite reviews pointing out its malicious intent. Be vigilant about the apps you install and don’t simply trust everything.

The popular WordPress plugin UpdraftPlus suffers from a critical vulnerability (CVE-2022-0633) that allows any logged-in user of a website to download the latest database backup, which may contain privacy-sensitive information. Normally this backup should only be available to administrators, but due to this vulnerability users with the lowest privileges can also download it. Because of the severity, WordPress has forced the update (version 1.22.3 or 2.22.3) onto millions of websites.

In last week's update we already mentioned the vulnerability in Adobe Commerce and Magento Open Source. Since then, another vulnerability with a CVSS score of 9.8 (CVE-2022-24087) has been discovered. It also appears that the Log4j vulnerability, which came to light at the end of 2021, is still being abused. Furthermore, VMware recently made updates available for six vulnerabilities with CVSS scores between 5.3 and 8.8. We keep emphasising: keep your software and devices up to date to stay ahead of cyber attacks.

Last week the news came out that the well-known ransomware group Conti and the TrickBot group have joined forces. This strengthens their position and gives them the opportunity to develop better malware. Ransomware attacks continue to keep us busy, so protect your organisation against them.

#WakeUpWednesday February 16, 2022

Several companies have made updates available in the past week due to critical vulnerabilities. It is important to always keep your devices and software up to date, part of having your basics in order.

First of all, Apple released an update last week that fixes a vulnerability in WebKit, known as CVE-2022-22620. WebKit is the browser engine used by Safari and by all browsers on iOS. Processing malicious web content can lead to code execution on Apple devices through this vulnerability, so update your devices to the latest software versions. Adobe also released an update for a critical vulnerability, CVE-2022-24086, in Adobe Commerce and Magento Open Source. Lastly, Google released an update for the Chrome browser that fixes several vulnerabilities, some of them labelled critical. The update is installed automatically over time, but you can trigger it manually now.

A German group of hackers, the Chaos Computer Club, recently found more than 50 data leaks at various companies and organisations, including the Dutch Ministry of Health, Welfare and Sport. By means of various vulnerabilities, including database servers without authentication and unsecured MySQL servers, the hackers were able to access all kinds of personal data. All data breaches have been reported to the companies concerned and most of them have taken action to resolve the vulnerabilities. The group did not make use of the data found, but unfortunately this often happens. Make sure you protect your data, for example by using encryption, and do not become a victim of a data breach.

#WakeUpWednesday February 9, 2022

With the attacks on several companies in the oil industry and an attack on freight handler Swissport, there is currently a lot of activity in the field of ransomware again. The impact of the attacks on business processes is significant. Loading and unloading ships is not possible or is subject to significant delays. Also at Swissport, part of the IT systems for scheduling personnel, aircraft and freight are temporarily unavailable.

In recent weeks, much has been said and written about the mandatory app for Olympic athletes, counselors and journalists. In addition to the advice to leave your own devices at home and not to take them to China, it is good to be aware of possible risks in the field of cybersecurity.

Be aware of the information you share, including on business platforms such as LinkedIn. Information such as your job description, information about systems and applications used can be used by cyber criminals. According to the AIVD, for example, Chinese and Russian secret services have approached thousands of employees at Dutch high-tech companies with the aim of corporate espionage.

#WakeUpWednesday February 2, 2022

Updating applications and systems is essential for your cybersecurity. For example, the Apache Log4j vulnerability is currently being actively exploited. Furthermore, a vulnerability in Microsoft Defender allows cybercriminals to evade malware detection.

We continue to emphasize that installing security updates is extremely important. However, criminals also abuse this by making fake updates for software containing malware or ransomware. Microsoft Edge users, for example, were confronted with a fake update, just like Adobe, Google Chrome and Firefox. So always make sure that you only download updates from the supplier itself and not from another party.

Ransomware is a major threat to the continuity of business processes and thus to the existence of an organization. In addition to holding the data hostage, organizations are put under pressure by the threat that the data will be made public. To reinforce that threat even more, social media is now also being used. This puts even more pressure on organizations to pay the ransom.

Another rather daring and unorthodox method that has recently been deployed is to call individuals whose details have been found in the data set held hostage. They were put under pressure with the aim of motivating the organization whose data had been held hostage to pay.

#WakeUpWednesday January 26, 2022

Data is valuable, also for cyber criminals. No organization is spared, as became apparent from the hack on the Red Cross. Data from more than 500,000, often vulnerable people, were stolen.

In addition, cyber criminals have managed to use more than 2,000 corporate email accounts in various spyware campaigns. Kaspersky’s investigations revealed that the spyware was distributed via an email attachment. If the employee opens the attachment and the spyware successfully infects the system, the username and password of the employee in question are sent to the cyber criminal. The attacker can gain access to the system with the stolen data and then further spread the spyware among the employee’s contacts.

Exploitation of known vulnerabilities long after their disclosure is nothing new. In early December, we warned about critical vulnerabilities in the SonicWall SMA 100 series. This week a warning was issued that these vulnerabilities are now being actively exploited. There is no workaround available; the advice is to update the software as soon as possible.

Logging is important, for example, to find out how cyber criminals got in. Nevertheless, Cisco research shows that due to a lack of logging, the attack vector is unknown in most incidents. Where the attack vector is known, in most cases the cause appears to be phishing, or applications that are accessible via the internet. Train the cyber awareness of your employees and ensure that vulnerabilities in the software are fixed as soon as an update is available.

#WakeUpWednesday January 19, 2022

In the #WakeUpWednesday we regularly report incidents where there is a need and urgency around patching. Incidents are also regularly discussed where increasing awareness can help increase cyber security.

Over the past week, the Apache Software Foundation, which maintains Apache Log4j, OpenOffice and the Apache HTTP Server among other projects, warned against the use of end-of-life software. Users are still being attacked through old vulnerabilities in Apache software that is no longer supported or maintained.

Updates have also been released for cryptsetup, the LUKS disk encryption software for Linux. It contained a critical vulnerability (CVE-2021-4122) that allowed an attacker with write access to the encrypted device (for example physical access) to manipulate the LUKS2 header so that, the next time the legitimate user unlocked the volume with the passphrase, cryptsetup silently decrypted part of the data to plaintext on disk. Making backups, and making sure they cannot be altered afterwards, remains one of the basic measures within cybersecurity.

Due to the combination of a weak administrator password and the use of a weak encryption algorithm, private data of nearly 7 million end users of the Open Subtitles website has been stolen and made public. The email addresses have been added to the data leak search engine Have I Been Pwned.

#WakeUpWednesday January 12, 2022

The Log4j vulnerability has an impact on many systems. For example, the British health service warns of abuse of the vulnerability in VMware Horizon, which ships an Apache Tomcat that in turn uses Log4j. Although VMware released patches in December, attackers are actively looking for systems that have not yet received them.

A new vulnerability has been discovered in the H2 database console. It has the same root cause as Log4Shell: remote loading of classes via JNDI. Because the H2 database engine is also widely used, the reach is large, although by default the H2 console only listens on localhost, so the risk is highest where the console has been exposed to the network. The vulnerability (CVE-2021-42392) affects H2 database versions 1.1.100 to 2.0.204. The advice is to update to version 2.0.206 as soon as possible.

During the January Patch Tuesday, Microsoft released patches for 96 new vulnerabilities. The most severe is a remote code execution vulnerability in HTTP.sys (the Windows HTTP protocol stack), registered as CVE-2022-21907. It allows an unauthenticated attacker to execute code on an affected system by sending a specially crafted request. Check whether your products are listed and apply the required patches, or the workaround, as soon as possible.

It is no surprise that cybercriminals are always looking for new methods to penetrate organizations. Nowadays, for example, USB sticks are sent that are very similar in terms of stick and packaging to those of reputable organizations. However, the USB sticks sent contain malware in order to start malicious actions.

The makers of FluBot, an Android trojan that targets financial data, have launched a number of new campaigns to spread their malware. Be alert for messages about, for example, updating Adobe Flash Player, fake notifications for software updates outside the Play Store, package delivery notices, and so on. Most characteristic is that these messages contain a link that cannot be traced back to the organization they claim to come from.

#WakeUpWednesday January 5, 2022

2022 is off to a good start, also in the field of cybersecurity. Google has released a security update for Chrome. Among other things, this new update resolves a critical vulnerability that could allow an attacker to execute arbitrary code on a user’s system without requiring further user action. Executing code naturally enables an attacker to install malware on your computer that can, for example, be used to steal credit card and login details.

Cybercriminals have carried out a supply chain attack on more than 100 companies by adding skimmer code to a video player of a cloud video hosting service. When an organization used the video player on its website, the malicious code was loaded along with it. As a result, the site was infected and credit card data could be stolen.

Cyber security has many aspects. One of the basic measures is to create backups and to be able to restore them. Determining a backup strategy is therefore part of a business continuity plan. Make sure you know how long your organization (or part of it) may be unavailable (Recovery Time Objective) and how much data loss is acceptable (Recovery Point Objective). Test the restore process regularly to avoid unpleasant surprises. For example, in December Kyoto University lost 77 TB of research data due to an error in its backup system.
