
WakeUp Wednesday

25 January 2023, category: Vulnerability

Welcome to #WakeUpWednesday. We want to make the Netherlands digitally safe and resilient. That is why Tesorion will now give you a short overview every Wednesday in a post about vulnerabilities or hacks that have received national or international attention. We want to wake up as many people as possible and make them aware of possible risks in the field of cyber security.

We will of course report directly on important vulnerabilities and options to mitigate them. Our #WakeUpWednesday is a kind of retrospective.


#WakeUpWednesday January 25, 2023

Cybercriminals use a variety of ways to get into organizations. Common ways include exploiting critical vulnerabilities, using phishing emails or taking advantage of a vulnerability at a supply chain partner.

Rapid7 reports that cybercriminals are currently actively exploiting a critical vulnerability in several Zoho ManageEngine products. A total of 24 different solutions are vulnerable, including Access Manager Plus, PAM 360, Password Manager Pro and ServiceDesk Plus. Patches have been available since late October 2022; the advice is to install them as soon as possible.

Emails carrying malicious Word or Excel attachments to install and spread malware have become less popular since Microsoft disabled macros by default. Next came variants using ISO and 7-Zip files. Nowadays we more frequently see cybercriminals using OneNote attachments in phishing emails to infect victims with malware or to steal passwords. OneNote attachments also require user action to trigger the malware: the system does warn that the attachment is potentially malicious, but many users simply click this warning away.

Last week a lot happened in the field of ransomware. An overview of the various reports and developments, such as new variants of STOP ransomware and VoidCrypt, as well as information about a decryptor for BianLian can be found here. In addition, Cyberveilig Nederland has published a whitepaper on data exfiltration. The goal of the whitepaper is to gain insight into data exfiltration, create awareness and provide action perspectives.

#WakeUpWednesday January 18, 2023

Updating software is an important way to reduce the risk of a cyber incident. Recently, there have been several publications to warn about a vulnerability in FortiOS SSL-VPN. This vulnerability is being actively exploited by cybercriminals. In particular, government agencies or organizations related to them seem to be attacked by the criminals. A patch is now available; the advice is to install it as soon as possible.

Furthermore, a Proof of Concept (POC) has been published for a number of critical vulnerabilities in popular WordPress plugins. These include vulnerabilities that enable SQL injections. The vulnerabilities found are in the plugins Paid Memberships Pro, Easy Digital Downloads and Survey Marker. A vulnerability in Control Web Panel (formerly known as CentOS Web Panel) is also currently being actively exploited by cybercriminals. This tool is used for managing servers. Patches are available for both the WordPress plugins and the Control Web Panel vulnerability.

Cybercriminals keep coming up with new ways to stay under the detection radar. In this case, they are using a combination of polyglot files and rogue Java archive (JAR) files to spread remote access trojans such as StrRAT and Ratty. Polyglot files combine the syntax of two or more different file formats in such a way that each format's parser accepts the file without error.
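Why a JAR polyglot slips past a check that only looks at the first bytes: the JVM (like Python's zipfile module) locates a ZIP archive from the end-of-central-directory record at the tail of the file, so arbitrary data can sit in front of it. The detector below, an added example that is not from the original post, flags files whose leading bytes announce one format while a valid ZIP/JAR is still present; the sample file and the magic-byte table are constructed for illustration.

```python
import io
import zipfile
from typing import Dict, List, Optional

# Leading magic bytes of a few formats that have been seen at the front of
# polyglots. Standard signatures; the table is illustrative, not exhaustive.
LEADING_MAGIC = {
    b"MSCF": "CAB",
    b"MZ": "PE",
    b"%PDF": "PDF",
    b"\x89PNG": "PNG",
    b"\x7fELF": "ELF",
}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def leading_format(data: bytes) -> Optional[str]:
    """Name the format suggested by the first bytes, or None if unknown."""
    for magic, name in LEADING_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def zip_entries(data: bytes) -> List[str]:
    """Entry names of the ZIP archive embedded in data, or [] if there is none.
    zipfile finds the archive via its end-of-central-directory record, so bytes
    prepended before the archive do not stop it (nor do they stop the JVM)."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def classify(data: bytes) -> Dict[str, object]:
    """Flag a file that presents one format up front yet still parses as a
    ZIP/JAR: the polyglot shape used to smuggle Java payloads."""
    entries = zip_entries(data)
    lead = leading_format(data)
    looks_like_jar = any(
        n.endswith(".class") or n.startswith("META-INF/") for n in entries
    )
    polyglot = (
        bool(entries)
        and not data.startswith(ZIP_LOCAL_HEADER)
        and lead is not None
    )
    return {
        "leading_format": lead,
        "zip_entries": entries,
        "looks_like_jar": looks_like_jar,
        "polyglot": polyglot,
    }


def _make_jar() -> bytes:
    """Constructed minimal JAR-like archive (not a real Java program)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Loader.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def sample_plain_jar() -> bytes:
    """Constructed benign sample: the archive alone, starting with PK."""
    return _make_jar()


def sample_polyglot() -> bytes:
    """Constructed polyglot sample: CAB magic plus padding before the archive."""
    return b"MSCF" + b"\x00" * 60 + _make_jar()


if __name__ == "__main__":
    for label, blob in (("plain jar", sample_plain_jar()),
                        ("polyglot", sample_polyglot())):
        print(label, classify(blob))
```

A mail gateway or EDR rule built on this idea should treat "leading format is not ZIP, but a ZIP with .class entries is present" as suspicious regardless of the file extension.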

Finally, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns of several vulnerabilities in Industrial control systems from Siemens, GE Digital and Contec.

#WakeUpWednesday January 11, 2023

A large proportion of employees use a smartphone for business purposes, which makes smartphones a desirable target for cybercriminals as well. There have been noticeably more detections of the Android malware SpyNote, also known as SpyMax. After the source code of SpyNote became publicly available through one of the latest variants, called CypherRat, several further variants have been developed. Financial institutions in particular seem to be targeted by SpyNote. SpyNote combines spyware with banking malware functionality: for example, it requests permission to use accessibility services so that it can capture two-factor authentication codes from Google Authenticator and record keystrokes in order to take over banking credentials.

As an increasing number of different devices are used by employees within organizations, it makes sense to set up monitoring on the different devices (endpoints) as well via an Endpoint Detection and Response solution.

Research indicates that a variant of the Dridex malware targets macOS systems. It uses a new technique to deliver documents containing malicious macros to users. Although Dridex often masquerades as invoices or other business-related files, that is not necessarily the case here: this version of Dridex overwrites all .doc files in the current user's folder and adds the malicious macro code to them. In this way, Dridex tries to circumvent the automatic blocking of macros by nesting in files where they might be allowed. Because the macro code attempts to download and open an .exe, the impact for macOS users is minimal, as macOS cannot run .exe files. However, users may still unknowingly spread the malicious macro when sharing infected files with other (Windows) users.

The WerFault.exe error reporting tool is also currently being used by cybercriminals to load malware into the memory of a compromised system using a DLL sideloading technique. The malware resides in an ISO file that is sent to the victim as an email attachment. Infecting the system is initiated when the victim opens the shortcut in the ISO file.

In the background, a Remote Access Tool is installed on the system that gives the attacker full access to the infected system. The attacker can then remotely steal data, execute commands and/or move to adjacent systems, among other things.
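Detection logic for the WerFault.exe sideloading pattern described above, as an added example that is not from the original post. It assumes Sysmon-style process-creation (EventID 1) and image-load (EventID 7) events flattened to key=value lines; the events, paths and the D: drive letter (a mounted ISO) are constructed for the example. The rule flags WerFault.exe running from, or loading a DLL from, any directory outside the Windows system directories.

```python
import ntpath
from typing import Dict, List, Optional

# Directories from which the genuine WerFault.exe and its DLLs are expected
# to run and load. Compared case-insensitively.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Constructed sample events (not real telemetry). Line 3 and 4 model a copy of
# WerFault.exe started from a mounted ISO (D:) next to a rogue DLL; line 5
# models the system binary pulling a DLL from a user-writable path.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Windows\\System32\\WerFault.exe ParentImage=C:\\Windows\\System32\\svchost.exe",
    "EventID=7 Image=C:\\Windows\\System32\\WerFault.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=1 Image=D:\\Invoice\\WerFault.exe ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 Image=D:\\Invoice\\WerFault.exe ImageLoaded=D:\\Invoice\\helper.dll",
    "EventID=7 Image=C:\\Windows\\System32\\WerFault.exe ImageLoaded=C:\\Users\\Public\\helper.dll",
    "EventID=7 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Users\\Public\\helper.dll",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split 'key=value key=value' into a dict (sample paths contain no spaces)."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return a reason if the event matches the sideloading pattern, else None."""
    image = event.get("Image", "")
    if basename(image) != "werfault.exe":
        return None
    if event.get("EventID") == "1" and not in_trusted_dir(image):
        return f"WerFault.exe started from untrusted location: {image}"
    if event.get("EventID") == "7":
        loaded = event.get("ImageLoaded", "")
        if not in_trusted_dir(loaded):
            return f"WerFault.exe loaded DLL from untrusted location: {loaded}"
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over raw event lines and collect alerts in order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reason = evaluate(ev)
        if reason:
            alerts.append({"reason": reason, "image": ev.get("Image", "")})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["reason"])
```

The same rule generalizes to other signed Windows binaries known to be copied and sideloaded: keep the trusted-directory check and swap the executable name.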

#WakeUpWednesday December 21, 2022

In this last #WakeUpWednesday of 2022, we have news about ransomware. Leiden University’s employment agency has been hit by a ransomware attack. Cybercriminals encrypted important data and documents such as citizen service numbers (BSN), name and address information, but also employment contracts and salary documentation. How cybercriminals entered the system, who is behind the attack and whether a ransom will be paid has not been disclosed.

Google announced that Gmail will additionally be secured with Client-Side Encryption. This new feature, currently still in beta phase, ensures that personal data in email body and attachments is unreadable by Google servers. You do have to sign up for the beta version though. After signing up, anyone using the following Google products can use it: Google Workspace Enterprise Plus, Education Plus and Education Standard.

Cybercriminals entered Ukrainian government networks with Trojan-infected Windows 10 ISO files. Disguised as legitimate Windows 10 installations, once installed they infected the computer with malware that could steal data.

More on malware: Microsoft warns about a new malware botnet called ‘MCCrash’. This malware infects Windows, Linux and IoT devices. Minecraft servers are often the target of DDoS attacks to thwart or extort players on the server. Microsoft reveals that the malware initially infects systems after users install pirated Windows and Microsoft Office activation tools. The malware then attempts to spread across the network through brute-force SSH attacks on Linux and IoT devices.

#WakeUpWednesday December 14, 2022

Software vendors release updates to fix bugs and vulnerabilities. An active patch policy is essential in cybersecurity as one way to minimize the risk of a cyber incident. Yet thousands of Pulse Connect Secure VPN servers are not up to date. Cybercriminals exploit vulnerabilities in Pulse Connect Secure installations where security updates have not been installed, gaining access through old security vulnerabilities from 2018 and 2019.

The healthcare industry has recently been hit by targeted Royal ransomware attacks. After news about targeted attacks that left French and Colombian hospitals unable to operate, it has just been announced that U.S. hospitals are now being targeted. The U.S. Department of Health and Human Services is warning about Royal ransomware. This group of cybercriminals is known to encrypt files with a .royal extension and demand payments ranging from 250 thousand to 2 million US dollars.

More about ransomware. Recently, the municipality of Antwerp was the victim of a ransomware attack. The municipality did not release details, but told Belgian media that it could take until the end of this month to bring digital applications back online. The group responsible, Play, has already demanded a ransom. According to the cybercriminals, they have at least 557 gigabytes of data containing financial documents, identity cards, passports and other personal data. If the ransom is not paid by December 19, the encrypted data will be made public. The ransom amount has not been disclosed. Play has carried out successful cyber attacks before, including in Switzerland, Bulgaria, the United States, Argentina and Canada.

Yesterday we told you about the FortiOS heap-based buffer overflow vulnerability (CVE-2022-42475). The vulnerability is a heap-based buffer overflow in the FortiOS SSL-VPN that gives an unauthenticated attacker the ability to execute code remotely. You can track this vulnerability via our blog, which we will update when there is news.

A new attack technique has come to light that aims to bypass Web Application Firewalls (WAF). By adding JSON syntax to an SQL injection payload, attackers can prevent the WAF from recognizing the injection. Businesses in particular suffer because this allows attackers to gain access to sensitive business and customer information. This technique is all the more dangerous as more and more organizations migrate business data and other functionality to the cloud.

#WakeUpWednesday December 7, 2022

Computers infected with malware are bad enough, but this new malware also steals files from smartphones and other devices connected to infected computers as removable storage. The malware, named “Dolphin”, searches connected devices for documents, certificates, emails and media files. In addition, it can log keystrokes, save a screenshot every 30 seconds, and extract passwords and cookies from the browser. The stolen data is then uploaded to Google Drive.

Google Chrome has had several zero-day vulnerabilities disclosed recently. The most recent is CVE-2022-4262, a vulnerability in V8 that allows attackers to execute code within the context of the browser. The browser previously contained several other vulnerabilities that attackers could exploit, including CVE-2021-42298 and CVE-2022-26485. Now it appears that these vulnerabilities also exist in Mozilla Firefox and Windows Defender. Among others, the Spanish spyware vendor Variston took advantage of these to infect Linux and Windows computers.

Ransomware remains a hot topic. Such a ransomware attack can come about in a variety of ways. The most common ways are unpatched critical vulnerabilities and abuse of existing user accounts. It is therefore important to have multifactor authentication (MFA) enabled and use a strong password. A short time ago, we provided 8 tips for creating a secure password.

In most cases, a ransomware attack is a time-consuming, annoying and costly event. When it happens in critical industries, lives may even be at stake. Following a ransomware attack in Colombia in which entire hospital data was encrypted, now a hospital in France must also cancel operations due to a cyber attack. Do you want to prevent a successful ransomware attack? Then make sure you get the basics right.

LastPass allows you to manage and store passwords. Yet, using data from a previous hack, cybercriminals managed to access cloud storage and capture data. LastPass states that password data is stored encrypted, so it is unlikely that passwords were leaked. LastPass remains operational and is investigating the incident.

A few days ago, a new version of the VLC media player was released that fixes several vulnerabilities. On several Windows installations, however, the software reports that no new version of VLC is available, leaving users on a vulnerable version. If automatic updating does not work, VLC can be updated manually.

The Cybersecurity and Infrastructure Security Agency (CISA) released an Industrial Control Systems advisory this week warning of several vulnerabilities in Mitsubishi Electric GX Works3 engineering software. This software is used in industrial control systems to upload and download programs to and from PLCs. Once inside, cybercriminals can view and even modify modules and programs. The most critical vulnerabilities are known as CVE-2022-25164 and CVE-2022-29830.

#WakeUpWednesday November 30, 2022

Google Chrome is the most widely used desktop browser worldwide, with a 77.03% share (source: Kinsta.com). This makes it an attractive target for cybercriminals. Google recently announced that, in the run-up to Black Friday, it had fixed a zero-day vulnerability for the eighth time this year. Following that, Google indicated that exploit code for this critical vulnerability is already available. An update for the vulnerability is now available. Modern browsers update automatically by default, unless the user has specifically turned this off. Make sure you know which applications are in use in your IT landscape and whether they are up to date.

Researchers at ESET describe a method by which cybercriminals integrate malware into VPN applications. One example is adding malware to the legitimate OpenVPN Android app and then distributing it to users outside the official channel. Researchers say this malware targeted contact information, call logs from Facebook Messenger, WhatsApp, Signal, Viber and Telegram, and other information available on the phone. These rogue applications were not available through the Google Play Store. Make sure your users always obtain business applications from a reputable source.

We’ll stick with Android phones for a while, because rogue apps sometimes slip through the cracks in the Google Play Store as well. For example, Bitdefender researchers discovered, among others, a rogue file manager app that aims to infect the phone with more malware. The file manager asks the user for permission to download external files for the purpose of a so-called app update; this permission is then misused to download malware. One of these rogue file managers, “X-File Manager”, had been downloaded more than 10 thousand times. The “update” contains an APK file carrying the Sharkbot malware. Sharkbot targets financial (banking) apps in order to intercept login data or covertly steal money.

The data of 5.4 million Twitter users has leaked. Last January, a vulnerability within the social media platform was fixed, but in July the data of 5.4 million Twitter users was offered for sale on a marketplace for 30 thousand dollars. Meanwhile, the data set has also been made available for free on that forum. This information had been for sale since August and consisted of a combination of public information and private data, such as Twitter IDs, names, login names, locations, email addresses and phone numbers. It is also rumored that a larger data set of more than 10 million users exists. The available data is ideally suited for targeted phishing campaigns, so be wary of emails that appear to be sent by Twitter.

#WakeUpWednesday November 23, 2022

The Netherlands is a country with a strong digital focus. Over the past couple of years, doing business online has received increasing attention. Cyber security is a topic of great importance for both larger and smaller companies. The government is also making plans to support small and medium-sized business owners in bringing their cyber security to the next level. By 2030, every small and medium-sized business owner should have reached a certain basic level of digitalization.

This digital adaptation would place the Netherlands among the top three in Europe when it comes to digital technologies. Moreover, these measures are good preparation for the implementation of the revised European Network and Information Security Directive (NIB2) also known as NIS2.

Tomorrow is national “Change Your Password” day. On this day you can take some time to take a critical look at your password and change it. Many of today’s passwords are not safe enough. The five most commonly used passwords are: 123456, Qwerty, 123456789, welcome and password. Tomorrow we will publish an article with guidelines for creating a safer password.

As stated earlier, data is the new gold. If you use the same password for multiple accounts, you run the risk of having your account data traded by cybercriminals on the various marketplaces out there on the Dark net.

Cybercriminals are becoming creative and therefore dangerous. A new ransomware was recently discovered that starts at a Google service. Microsoft warns that cybercriminals have found a method through Google Ads to spread malware through various payloads. This malware loader is known as BATLOADER. The Microsoft Security Threat Intelligence team reveals that this malware loader is being used to spread the Royal ransomware.

Another malware threat is the WASP Stealer, also known as W4SP Stealer. This malware is part of a supply chain attack that targets Python developers. The Python packages it installs are capable of capturing Discord accounts, passwords, crypto wallets, credit card information and other privacy-sensitive data. The stolen data is then sent back to the attacker via a Discord webhook address.

In addition, we see that a new version of Typhon Stealer is active, called Typhon Reborn. Both versions have the capacity to steal crypto wallets and bypass antivirus software.

Kaspersky research has revealed that cybercriminals have found a way to steal user data from Android devices via a VPN app. This spying campaign is called SandStrike. Users are attacked through a VPN app that contains advanced spyware. Various social media accounts were used to lure people into downloading the app.

#WakeUpWednesday November 16, 2022

For local authorities, too, cyber security is a hot topic. More and more organizations and authorities are taking measures to improve their information security. The Ministry of Health and Sport wants to extend Z-CERT: currently Z-CERT serves hospitals and mental health institutions, and in time the ministry wants to provide the entire healthcare sector with the service.

In the area of critical vulnerabilities, vigilance continues to be required. A serious vulnerability has just surfaced that affects ABB TotalFlow computers and controllers. These are widely used within the oil and gas industry. Cybercriminals can use the vulnerability to remotely take control of devices. In addition, they can read, write and overwrite files.

Organizations are still at great risk from weak passwords. The password “Welcome123” or a variation of it is still being used internally at companies, and a newly discovered piece of malware takes advantage of that. KmsdBot uses Secure Shell (SSH) to gain access to systems in order not only to mine cryptocurrency but also to carry out DDoS attacks. The malware, named “KmsdBot” by Akamai’s team, targets different types of businesses ranging from gaming to luxury car brands. The botnet infects systems via SSH connections that use weak login credentials.

Last but not least, last week there were two updates around critical vulnerabilities. The blog around ProxyNotShell has been updated and a new blog around vulnerabilities in Citrix Gateway has been published.

#WakeUpWednesday November 9, 2022

Ransomware is unfortunately a topic that is going to haunt us more and more. According to the latest report of American federal and financial authorities, there were 487 ransomware incidents in 2020 but 1,489 in 2021. All attacks targeted Windows systems. Companies also paid more for their data: 416 million dollars in 2020 and as much as 1.2 billion dollars a year later.

More news about ransomware: the Dutch Minister of Justice and Security announced that it will be possible to file a police report for ransomware attacks before the end of the year. At this moment it is only possible to file police reports in cases such as online scams, phishing or WhatsApp scams.

This past week it became clear that Checkmk had multiple vulnerabilities in its software. Checkmk is used for monitoring IT infrastructure: networks, databases, storage and servers. An attacker can do serious damage because the vulnerabilities allow access to a system without authenticating.

November is Black Friday month. On the 25th of November many stores offer discounts. For consumers Black Friday is a delight, but for IT departments it is a time of challenges: Black Friday brings a massive volume of online purchases, orders and payments. Be wary of suspicious emails, text messages or WhatsApp messages about the status of your order.

#WakeUpWednesday November 2, 2022

Understanding what devices and software are being used within an organization is essential for efficient and effective patching policies. In this #WakeUpWednesday we focus on a number of critical vulnerabilities where patching is desired as soon as possible.

The NCSC has made an overview of products that use OpenSSL. OpenSSL is used to encrypt network connections and, like Log4j before it, is a component used in very many products. The vulnerability in OpenSSL is not present in versions lower than 3.0.

On Oct. 12, 2022, Juniper Networks published a security advisory describing six different vulnerabilities in the Juniper Networks Junos J-Web interface. Our blog has more details about these vulnerabilities.

Previously, we have shared information surrounding the Magniber ransomware and the exploitation of the Mark-of-the-Web zero-day in Windows 10 and 11. Meanwhile, an unofficial update is available.

In addition, an update is available for a critical vulnerability in VMware Cloud Foundation and NSX Manager appliances. Because proof-of-concept exploit code is available for this vulnerability, the likelihood of an attack is high. An update is available, we recommend installing it as soon as possible.

Finally, ConnectWise has made an update available for a critical vulnerability in ConnectWise Recover and R1Soft Server Backup Manager solutions. The vulnerability allowed attackers to access data or execute code remotely.

#WakeUpWednesday October 26, 2022

Getting the deployment of technology right, combined with the correct mindset of employees and setting up the necessary processes, is essential to your cybersecurity. Also in this #WakeUpWednesday, we see cybercriminals using a combination of techniques to penetrate organizations. Cybercriminals then capture data and/or launch a ransomware attack.

Last week, an update was posted around the ProxyRelay vulnerability. Read our blog for more info.

Besides Microsoft Windows users, Cisco ISE is also affected by a remote code execution vulnerability in Windows. Successful exploitation within ISE does require authenticated access to the management interface.

Synology’s disk drive manager (NAS devices) currently contains three critical vulnerabilities, all rated with a CVSS score of 10. By exploiting these vulnerabilities, an attacker can execute arbitrary commands on the NAS. An update is available; the recommendation is to install it as soon as possible.

Users of VMware Cloud Foundation are also advised to update because of a remote code execution vulnerability via XStream.

Because employees today often work both at home and in the office, and home devices are also used for work purposes, cybercriminals are targeting Windows Home users through a specific campaign. Cybercriminals advertise fake antivirus and security updates for Windows 10 that actually contain Magniber ransomware.

Another way malware is currently being spread is through the mouseover feature in PowerPoint files. The PowerPoint presentation appears to come from the Organization for Economic Cooperation and Development (OECD, or in Dutch OESO) and consists of two slides explaining the use of the interpretation function in Zoom. The malware is activated when the victim opens the infected presentation in presentation mode and then moves the mouse over the hyperlink. Thus, no further action or click by the user is required! In this case, too, we see cybercriminals reapplying a pre-existing, older technique. Currently, we see this method being widely used for attacks on defense companies and government agencies, among others.

#WakeUpWednesday October 19, 2022

Phishing remains an important method for cybercriminals to capture user data. Caffeine is a new “Phishing-as-a-Service” platform where users can create their own campaign. Because this platform has an open registration process, essentially anyone with an e-mail address can register. Currently, ads for Caffeine are running on various forums. Make sure employees are regularly trained on how to recognize phishing emails, know where to report a phishing attempt and are aware of their online behavior.

Last week, a proof of concept exploit was published for the Fortinet Authentication Bypass. We recommend that vulnerable systems be updated as soon as possible. If that is not possible, we recommend applying the workaround.

It has since been revealed that nearly 900 servers have been affected by the vulnerability in Zimbra Collaboration Suite. Last week, a proof of concept (PoC) was added to the Metasploit framework, making it possible to exploit the vulnerability without in-depth knowledge of the matter. Zimbra has since released a security solution with ZCS version 9.0.0 P27, replacing the vulnerable component (cpio) with Pax and removing the weak component that enabled exploitation.

Cybercriminals from the relatively new ransomware group Venus are currently actively using Remote Desktop Services to encrypt Windows systems. We never recommend making Remote Desktop services available directly on the Internet. Preferably place these remote worker services behind a VPN solution (with MFA).

On October 13, 2022, a vulnerability in the Apache Commons Text library was announced on the Apache dev list. The vulnerability bears similarities to Apache Log4j (Log4Shell). The difference is that the attack surface of CVE-2022-42889 is more limited due to the specific use of the Apache Commons Text library.

#WakeUpWednesday October 12, 2022

Within cybersecurity, we regularly see older techniques being revamped and reintroduced as new variants. One of these is fileless malware. This is a technique in which malware hides within the built-in processes of, for example, Windows. Because regular, legitimate processes are used, this form of malware is much more difficult to detect.

Furthermore, we see cybercriminals using social engineering more intensively and trying to capture user data in various ways. Within retail and hospitality, credential harvesting and phishing are currently the main ways of victimization. In addition, more than 400 apps have recently been found in the Play Store and the App Store aimed at stealing Facebook users’ login credentials. We recommend using your own unique password for each app, application or account that requires logging in and not reusing passwords. A password vault can help here.

The blog around ProxyNotShell is regularly updated with new information regarding mitigating measures.

Information has also recently been published about Maggie malware. This malware has already infected many Microsoft SQL servers worldwide with a backdoor. Maggie works with simple TCP redirect functionality, allowing cybercriminals to remotely connect to any IP address that can reach the infected SQL server.

#WakeUpWednesday October 5, 2022

Last week, a critical vulnerability was reported in Microsoft Exchange called ProxyNotShell. In our blog, you will find the latest information regarding this vulnerability and the measures you can take to reduce the chance of exploitation.

Furthermore, we see that cybercriminals are also paying attention to the industrial and healthcare sectors. For example, analysis from Outpost24 shows that a group called Shathak has been actively launching attacks against healthcare, financial and manufacturing organizations since 2019. Medtronic warns of a vulnerability in Medtronic’s 600-series MiniMed insulin pumps.

A new campaign has also been launched by cybercriminals involving backdoor malware hidden in the Windows logo. Because the code is concealed inside the image (steganography), the malicious software remains hidden from antivirus software. The attack initially exploits existing vulnerabilities such as Microsoft Exchange ProxyShell and ProxyLogon; the backdoor hidden in the Windows logo is then installed.

#WakeUpWednesday September 28, 2022

Cybercriminals use existing software vulnerabilities and stolen user data, among other things, to gain access to organizations. Currently, a zero-day vulnerability in Sophos firewall is being exploited by cybercriminals. The vulnerability allows them to execute arbitrary code on the underlying system. Meanwhile, a patch is available; the advice is to install it as soon as possible. In addition, the advice is to ensure that the User Portal and Webadmin are not accessible from the Internet.

Furthermore, cybercriminals are currently using poorly secured administrator accounts and rogue OAuth applications. Access to these accounts also allows cybercriminals to add their own data. This allows them to maintain access even if the administrator password is changed. Cybercriminals can thus send spam through these organizations’ Exchange servers. We recommend not reusing passwords and, of course, turning on multifactor authentication for accounts that do not already have it set up.

Also via GitHub, users are enticed to leave their credentials on a counterfeit login page. In this case, the message claims that the CircleCI session has expired and that the user needs to log in again via a link. Another way used is an email saying that CircleCI has changed the Terms of Use and Privacy Policy and that it must be re-accepted via an attached link.

In addition, we are seeing developments where domain shadowing is gaining popularity among cybercriminals. In this method, a legitimate DNS domain is compromised to host sub-domains of the cybercriminal for malicious activities. In the process, the existing legitimate DNS entry is not changed, so the owner is often unaware that the domain has been compromised.
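Because domain shadowing leaves the legitimate records untouched, the practical check is a diff of the zone against a known-good baseline, with extra weight on new hosts that resolve outside the organization's own address space. The script below is an added example, not from the original post; the zone snapshots, hostnames and address ranges (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]  # (owner name, record type, value)

# Constructed: address ranges the organization actually uses.
ORG_RANGES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed baseline snapshot of the zone, taken when it was known-good.
BASELINE_ZONE: List[Record] = [
    ("example.com.", "A", "192.0.2.10"),
    ("www.example.com.", "A", "192.0.2.10"),
    ("mail.example.com.", "A", "192.0.2.25"),
    ("example.com.", "MX", "10 mail.example.com."),
]

# Constructed current snapshot: every baseline record is still present and
# unchanged, but three records have been added, one pointing off-net.
CURRENT_ZONE: List[Record] = BASELINE_ZONE + [
    ("login-secure.example.com.", "A", "203.0.113.77"),
    ("cdn.example.com.", "CNAME", "portal.example.com."),
    ("portal.example.com.", "A", "198.51.100.40"),
]


def in_org_ranges(value: str) -> bool:
    """True if value is an IP address inside one of the organization's ranges."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in ORG_RANGES)


def diff_zone(baseline: List[Record], current: List[Record]) -> Dict[str, List[Record]]:
    """Set difference in both directions; order is normalized for stable output."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def assess(baseline: List[Record], current: List[Record]) -> List[Dict[str, str]]:
    """Turn the zone diff into findings with a severity a reviewer can triage."""
    findings = []
    d = diff_zone(baseline, current)
    for name, rtype, value in d["added"]:
        if rtype in ("A", "AAAA") and not in_org_ranges(value):
            sev, why = "high", "new host resolves outside organization address ranges"
        elif rtype in ("A", "AAAA", "CNAME"):
            sev, why = "medium", "new host record not present in baseline"
        else:
            sev, why = "low", f"new record of type {rtype}"
        findings.append({"name": name, "type": rtype, "value": value,
                         "severity": sev, "reason": why})
    for name, rtype, value in d["removed"]:
        findings.append({"name": name, "type": rtype, "value": value,
                         "severity": "medium", "reason": "baseline record removed"})
    return findings


if __name__ == "__main__":
    for f in assess(BASELINE_ZONE, CURRENT_ZONE):
        print(f"[{f['severity']}] {f['name']} {f['type']} {f['value']}: {f['reason']}")
```

Run on a periodic zone export (or the registrar's API output) and alert on anything rated high; a legitimate-looking new subdomain pointing at an unfamiliar address is exactly the artifact this technique leaves behind.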

Finally, in the area of ransomware, we are also seeing changes in tactics. To enforce the ransom demand, there are multiple techniques. These range from threatening to publish captured data to targeting individuals or organizations that appear in the set of data or performing, for example, a DDoS attack to make recovery difficult. A new method seems to be holding data hostage and threatening to destroy the data if payment is not made.

#WakeUpWednesday September 21, 2022

Since the beginning of this month, patches have been released by a large number of vendors. The latest patch Tuesday from Microsoft provided updates for several critical vulnerabilities. Updates have also become available for Gitlab, Google Chrome, Adobe, Android, Citrix, Dell and Cisco, for example. Installing updates is one of the essential measures to keep cybercriminals out.

Recently, about 280,000 WordPress sites were attacked by a zero-day vulnerability in the WPGateway plugin. By exploiting this vulnerability, cybercriminals can gain complete control over the website. No update is available yet, users are advised to uninstall the plugin until the issue is resolved.

Furthermore, a warning to be alert for attacks with ChromeLoader malware. This malware steals passwords and personal information and can also install additional malware, including ransomware. ChromeLoader is spread through rogue links in YouTube, Twitter comments and rogue advertisements.

There is currently a trend in the gamer community whereby gamers are being targeted via YouTube videos with links offering cheats and cracks for a number of popular games. Downloading the RAR files causes malware, RedLine stealer, to be installed. In addition, it provides access to the victim’s YouTube account in order to further spread the malware through that account. Being aware of what is being downloaded and installed is therefore essential.

#WakeUpWednesday September 14, 2022

In addition to new ransomware variations, ransomware organizations are also changing the method of encryption. Instead of fully encrypting a file, parts are encrypted. As a result, the file is still unusable, but the time it takes to encrypt it becomes much shorter. The Agenda ransomware offers several options in how files are partially encrypted.
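Partial encryption changes what a detector sees: instead of a file that is uniformly high-entropy, only some blocks look like ciphertext. The following added example (not from the original post) measures Shannon entropy per chunk and classifies a file as plaintext, partially encrypted or fully encrypted; the sample document and the chunk-replacement fixture are constructed here, with random bytes standing in for ciphertext.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096
HIGH_ENTROPY = 7.0  # bits per byte; text sits well below 6, ciphertext close to 8


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte of one chunk."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE):
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def high_entropy_fraction(data: bytes, chunk_size: int = CHUNK_SIZE,
                          threshold: float = HIGH_ENTROPY) -> float:
    ents = chunk_entropies(data, chunk_size)
    return sum(1 for e in ents if e >= threshold) / len(ents) if ents else 0.0


def classify(data: bytes, chunk_size: int = CHUNK_SIZE,
             threshold: float = HIGH_ENTROPY) -> str:
    """Whole-file entropy would miss intermittent encryption; per-chunk
    classification separates the three cases. Caveat: compressed formats
    (zip, jpeg, pdf streams) are legitimately high-entropy, so pair this
    with file-type checks before alerting."""
    frac = high_entropy_fraction(data, chunk_size, threshold)
    if frac == 0.0:
        return "plaintext"
    if frac == 1.0:
        return "fully_encrypted"
    return "partially_encrypted"


# Constructed sample: 16 chunks of repetitive invoice text.
_LINE = b"Invoice 2022-0917: 12 units of item A at 13.50 EUR each\n"
PLAIN = (_LINE * (CHUNK_SIZE * 16 // len(_LINE) + 1))[:CHUNK_SIZE * 16]


def make_sample(data: bytes, every: int = 4, seed: int = 2022) -> bytes:
    """Test fixture only: replace every N-th chunk with seeded random bytes so
    the detector sees the pattern intermittent encryption leaves behind."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(0, len(data), CHUNK_SIZE * every):
        out[i:i + CHUNK_SIZE] = rng.randbytes(CHUNK_SIZE)
    return bytes(out)


SAMPLE = make_sample(PLAIN)
RANDOM_BLOB = random.Random(7).randbytes(CHUNK_SIZE * 4)

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("sample", SAMPLE), ("random", RANDOM_BLOB)):
        print(f"{label:7s} {classify(blob):20s} "
              f"high-entropy chunks: {high_entropy_fraction(blob):.2f}")
```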

The Lampion malware is currently being spread through phishing campaigns using WeTransfer. Be aware of the sender of any request and be alert when downloading documents, even if they are sent via WeTransfer.

Operational technology is increasingly being targeted by cybercriminals. Once exposed to the Internet, this equipment also becomes vulnerable. In that context, several vulnerabilities have been found in medical equipment used to administer medication or nutrition to patients. Measures such as shielding the network with a firewall, network segmentation and timely patching are also necessary for OT equipment!

#WakeUpWednesday September 7, 2022

Malware is spread in very creative ways. For example, a photograph taken by the James Webb Telescope is used as a lure in a Golang-based malware campaign.
Phishing emails with a Microsoft Office attachment act as the entry point to the attack chain. If the attachment is opened, it retrieves a hidden VBA macro, which in turn is automatically executed if the recipient enables macros.

Go seems to be growing in popularity among cybercriminals given its platform-independent support for the programming language. This allows cybercriminals to effectively use a common codebase to attack different operating systems. Be aware of the sender of the mail and the attachment and be careful about enabling macros.

Another new malware written in Go is the BianLian ransomware. This ransomware was first seen in mid-July. The cybercriminals behind this ransomware claim that 15 organizations have now been victimized. By the way, BianLian is separate from the banking trojan of the same name!

Furthermore, a new ransomware strain written in Golang has been discovered. This ransomware, called Agenda, targets healthcare and educational institutions in Indonesia, Saudi Arabia, South Africa and Thailand. A characteristic of Agenda is that it can reboot systems in safe mode and has multiple modes to run.

Finally, QNAP is urging users of its Photo Station software to update their NAS device immediately. The reason is that a vulnerability in this software is being exploited by cybercriminals behind the Deadbolt ransomware.

Make sure you know what systems and applications are being used within your organization and install updates as soon as possible. Further, make sure your employees are aware of the importance of updating. Not only for their business devices, but with the intertwining of business and private, also the private environment.

#WakeUpWednesday August 31, 2022

Critical vulnerabilities still allow cybercriminals to gain access to systems and data. Alternatively, these vulnerabilities can be exploited by cybercriminals to increase their privileges within your systems.

Last Friday, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) added ten new, actively exploited vulnerabilities to its list. These vulnerabilities include: CVE-2022-26352 – dotCMS Unrestricted Upload of File Vulnerability, CVE-2022-24706 – Apache CouchDB Insecure Default Initialization of Resource Vulnerability, CVE-2022-24112 – Apache APISIX Authentication Bypass Vulnerability and CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability.

In addition, a critical vulnerability was discovered in Atlassian Bitbucket Server and Atlassian Data Center. More information on versions and updates is available on the Atlassian Confluence website.

Furthermore, a detailed blog has been published regarding two vulnerabilities in WatchGuard Firebox and XTM appliances. The vulnerabilities in question are CVE-2022-31789 and CVE-2022-31790. Software patches for both vulnerabilities were published by WatchGuard in June 2022. The vulnerabilities and associated software patches are discussed in more detail in the following security advisories from the manufacturer:

The blog contains sufficient detail to exploit the software vulnerabilities. Therefore, the advice is to apply the software patches as soon as possible.

Finally, LockBit, a group that carries out ransomware attacks, has announced the use of triple extortion. In doing so, the battle between attackers and victims hardens. If the ransom for the hostage data is not paid, the threat is not only to publish the data, but also to carry out a DDoS attack on the already affected organization. This puts even more pressure on the victims to pay up.

#WakeUpWednesday August 24, 2022

Updating systems and applications remains important to keep cybercriminals out. Apple has released an update to fix two actively attacked zero-day leaks that allow attackers to gain full control of a system. If possible, the advice is to install the updates as soon as possible.

Research shows that more than 80,000 Hikvision cameras are still vulnerable. An update to fix this vulnerability was released almost a year ago. Thousands of systems, in use by some 2,300 organizations in more than 100 countries, still appear to be vulnerable.

If your organization is hit by a ransomware attack, the first priority is to repel it and limit the damage as much as possible. In doing so, it is important not only to take measures to prevent a new attack from the outside, but also to investigate whether there may be traces of other attackers. In this case, an organization was hit by three different groups in the space of two weeks.

#WakeUpWednesday August 17, 2022

In recent weeks there have been many reports of ransomware attacks in the media. Artis, home shopping chain Casa, dental chain Colosseum Dental Benelux, supermarket chain 7-Eleven and the British water company South Staffordshire Water: these days every organization that has data is interesting for cybercriminals. In the case of the water company, the attackers claim to have far-reaching control over the systems that allow them to alter the chemical composition of the water.

We also see a lot of activity on the development side. BlueSky Ransomware is an emerging family that uses various techniques to circumvent security measures. BlueSky targets Windows systems and uses “multithreading” to encrypt files even faster. Therefore, make sure that you have basic measures arranged such as network segmentation, creating and being able to restore backups and installing available updates.

In addition, new functionality has been added to the SOVA malware to encrypt Android devices. The SOVA malware targets more than 200 apps for banking, crypto trading and digital wallets, stealing user data and cookies.

Furthermore, Palo Alto has issued an alert regarding a critical vulnerability, CVE-2022-0028, in its PAN-OS that is currently being exploited. This is a software flaw that, in combination with a specific misconfiguration, allows an attacker to use the firewall to carry out a reflected denial-of-service (DoS) attack against another target on the Internet.

Finally, VMware has published an advisory regarding a number of vulnerabilities. By combining two of these vulnerabilities, there is a chance of an unauthenticated remote code execution. Patches are available, the advice is to install them as soon as possible.

#WakeUpWednesday July 20, 2022

All devices connected to the Internet are vulnerable to an attack by cybercriminals. This includes VoIP servers and phones. Elastix VoIP phone servers and VoIP phones that use Digium software are vulnerable to a campaign designed to exfiltrate data by downloading and executing scripts or malware that allows cybercriminals to gain control over (parts of) the system.

Besides servers, cell phones and PCs, PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces) are also vulnerable to Sality malware. Cybercriminals have managed to infect these industrial control systems. Sality creates a peer-to-peer botnet used, for example, for password cracking and cryptocurrency mining.

Furthermore, there is an active phishing kit targeting PayPal users that attempts to steal a large set of personal information from them. This kit is hosted on legitimate WordPress websites that have been hacked.

In addition, there is a large-scale attack on WordPress sites using the Kaswara Modern WPBakery Page Builder Add-on. This contains security vulnerability CVE-2021-24284 that allows unauthenticated attackers to upload malicious PHP files to gain control of the website. As there is no security update available and the add-on is now no longer offered, the advice is to remove this plug-in.

In all cases, it is important to use multifactor authentication and good network segmentation as much as possible.

#WakeUpWednesday July 13, 2022

When it comes to spreading malware, one usually thinks of methods such as an attachment in an e-mail, updates delivered outside the official stores, or logging in to dubious websites. PennyWise is malware that poses as a Bitcoin mining application that can be downloaded from YouTube. While watching the YouTube video, viewers are persuaded to download a supposedly safe file. However, that file does not contain the Bitcoin software but the PennyWise malware. Therefore, be alert when it comes to downloading and installing software and only use the regular stores.

Updating software remains essential. Microsoft released new patches for 84 vulnerabilities last Tuesday, including for a critical vulnerability (CVE-2022-2294), which is currently being actively exploited.

Furthermore, a new phishing campaign has been spotted that takes advantage of the attention to the recently published Follina vulnerability. This campaign is used to spread Rozena malware. The starting point for this attack chain, observed by Fortinet, is an infected Office document that, when opened, connects to a Discord CDN URL to retrieve an HTML file (“index.htm”). This HTML file in turn invokes the diagnostic utility using a PowerShell command after which the next step in the attack chain is taken. Therefore, make sure your people are aware of the type of emails they receive and which attachments they open.

#WakeUpWednesday July 6, 2022

A new type of ransomware called Session Manager is currently active. This rogue session manager is disguised as a module for Internet Information Services (IIS) and exploits one of the ProxyLogon flaws in Microsoft Exchange servers. The use of this backdoor and the fact that this ransomware is so far poorly detectable by virus scanners enable cyber criminals to operate undisturbed. Updating systems and setting up multi-factor authentication are important to keep cybercriminals out.

In addition, the FBI is warning about the MedusaLocker ransomware. This ransomware is brought into organizations by cybercriminals through vulnerable RDP connections and by employees opening infected email attachments. Some measures you can take right now to reduce the risk: disable unused ports, make sure systems are updated as soon as possible and make sure employees are alert to phishing messages.

The latest research data from WatchGuard Threat Lab shows that the number of ransomware detections in the first quarter of 2022 is double the total reported volume in 2021. Therefore, make sure your organization has basic cyber hygiene in place and is prepared for a cyber incident.

The annual Cybersecurity Beeld Nederland (CSBN), drawn up in collaboration with the National Cyber Security Centre (NCSC), shows that the digital resilience of many organizations in the Netherlands is still insufficient. Making and testing backups or introducing multi-factor authentication are basic measures that have not yet been adequately implemented in every organization.

#WakeUpWednesday June 29, 2022

The developments within cybersecurity are moving at lightning speed. Cybercriminals are constantly inventing new ways to penetrate organizations. All equipment with a link to the Internet is vulnerable, including cameras, climate control systems and systems for Internet telephony. Recently, a zero-day vulnerability in a Mitel VoIP server was used to carry out a ransomware attack. A software update for the vulnerability is available. The advice is to update these systems as soon as possible.

Another development is the use of a malware tool that allows cybercriminals to build rogue Windows shortcut (.LNK) files. This tool, Quantum Lnk Builder, allows spoofing of a large number of extensions and offers various possibilities for infecting systems. Quantum Lnk Builder is believed to be affiliated with Lazarus, however, Bumblebee and Emotet also seem to be using .LNK files more and more when attempting to infect a system.

It is important that everyone in the organization knows how to deal with potential phishing emails. A new method is to approach organizations with an email claiming that the organization is infringing copyright. In one case, a zip file is sent along containing what appears to be a PDF. In practice, however, the file turns out to install ransomware. In the other case, a link is sent along that spreads malware.

Now that multifactor authentication (MFA) is becoming commonplace in more and more organizations, it is becoming more difficult for cybercriminals to log in with stolen user data. By abusing WebView2 apps and stealing the authentication cookies of the intended victim, cybercriminals still try to bypass MFA. MFA is a good way to create a barrier and make accounts extra secure; however, it also requires users to pay attention when using it.

In a number of cases, a ransomware attack skips the ‘encryption’ step and focuses mainly on stealing information and the threat of publishing it. Be prepared and make sure you have implemented at least the basic measures.

#WakeUpWednesday June 22, 2022

Installing updates is one way to fix vulnerabilities as quickly as possible. This is especially true for vulnerabilities in operating systems. A vulnerability in FreeBSD systems allows cybercriminals to completely take over systems via Wi-Fi. An update for this vulnerability is available. The advice is to install this update as soon as possible.

For an actively exploited vulnerability in Ninja Forms, a WordPress plugin for contact forms, WordPress is forcing an update to fix the vulnerability. Via the vulnerability, cybercriminals could execute arbitrary code on the website or delete arbitrary files.

Further, the advice is to install the security updates for Citrix Application Delivery Management. These updates fix a problem where cybercriminals could reset admin passwords. This affects all supported versions of Citrix ADM server and Citrix ADM agent (for example, Citrix ADM 13.0 before 13.0-85.19 and Citrix ADM 13.1 before 13.1-21.53).

Finally, Microsoft sees that the BlackCat Ransomware group is still attacking Microsoft Exchange systems that have not yet been updated. According to FBI figures, at least 60 organizations have been victimized between November 2021 and March 2022. Updating systems is an essential step in keeping cybercriminals out.

#WakeUpWednesday June 15, 2022

Many organizations use IT suppliers to a greater or lesser extent, for example to supply software. IT suppliers are thus connected to a large number of different organizations. These connections mean that these suppliers are becoming increasingly popular with cybercriminals. To illustrate, in 2021 there were 28 reports of data breaches at IT suppliers, resulting in 18,000 reports from organizations doing business with these IT suppliers. With our basics-in-place guidance we provide some tools to improve cybersecurity within your organization. Also ask your IT vendor how they handle data and what measures they have in place to reduce the risk of a cyber incident.

The United States Cybersecurity and Infrastructure Agency (CISA) has added 36 new vulnerabilities to the overall list. These 36 vulnerabilities are currently being actively exploited and are located in software and systems from Cisco, Netgear, Adobe and Microsoft, among others. We recommend checking whether your systems are vulnerable and updating them as soon as possible.

Several vulnerabilities have also been found in the A8Z3 thermal imaging camera that allow the device to be taken over by cybercriminals. Several vulnerabilities have also been discovered in the LenelS2 HID Mercury access control system that, for example, allow remote unlocking and locking of doors.

Furthermore, researchers have discovered new Linux malware, Symbiote. This malware infects all running processes on compromised systems, stealing user data and giving cybercriminals access. The malware is difficult to trace, however by monitoring anomalous DNS requests this malware could be discovered.

Finally, the Emotet banking trojan is once again causing a stir. This malware makes use of various Office attachments and in its renewed version is able to bypass the security scanners of email gateways. In addition, it steals credit card data. Therefore, make sure that users store login data and confidential information, such as credit card data, in a password safe, for example.

#WakeUpWednesday June 8, 2022

The developments in the field of cybercrime are moving fast. This makes it a great challenge for many organisations to keep up with all the (possible) threats. A new initiative to bundle this information and distribute it quickly is cyberteletext: teletext as we all know it, but with the latest vulnerabilities and the latest news on cyber security.

Last week a warning was issued for a vulnerability in Atlassian Confluence. Updates are available. The advice is to install them as soon as possible. If patching is not possible, Atlassian has described a number of additional mitigating measures.

Google has remedied some vulnerabilities in Android by making patches available. The vulnerabilities CVE-2022-20130 and CVE-2022-20127 make it possible to take control of Android phones remotely and execute code. There are updates for Android 10, 11, 12 and 12L.

Recently, a new type of phishing campaign has been identified. Microsoft Word documents containing VBA macros are emailed as attachments. These macros then run shellcode contained in the document properties to install SVCReady malware. This malware can collect system information, take screenshots and download documents, among other things. It remains important to stay alert to phishing.

Cybersecurity companies from the US are warning against Chinese hackers. By exploiting vulnerabilities in telecom suppliers, they try to intercept and steal network traffic. They then try to obtain log-in data and use this to log in. Eventually, the attackers can forward the network traffic to their own infrastructure. The advice is to keep all systems up-to-date. A patch management system can help with this.

#WakeUpWednesday June 1, 2022

VMware has released security updates to address vulnerabilities in Workspace ONE Access, Identity Manager, vRealize Automation, Cloud foundation and vRealize Suite Lifecycle Manager. The vulnerabilities allow cyber criminals to gain administrator rights. A proof of concept is available for vulnerability CVE-2022-22972. The advice is to install the available security updates as soon as possible.

Microsoft also warns of a new vulnerability, CVE-2022-30190. To exploit this Microsoft Office RCE vulnerability (Follina) as a cybercriminal, a user must open a Word document. These documents are often shared by e-mail, therefore the advice is, as with phishing, to make users aware of the risk you run when opening files from the mail if they come from an unknown sender or if it is a file that you don’t expect. A service update and article with guidance are available, although at this moment there is no patch available yet.

The annual Verizon Data Breach Investigation Report (DBIR) shows that globally, web application attacks are increasingly responsible for cybersecurity incidents in healthcare. The healthcare sector is increasingly being attacked by cybercriminals and is also more often the victim of ransomware attacks. Most of the attacks have a financial motive, according to the report.

Ransomware groups are known for taking your files hostage. Recently we hear about a group that pretends to have other motives. RansomHouse is a ransomware group that uses a different business model, focusing primarily on data exfiltration. The motivation for this group is that they want to use extortion to point out to organizations that they are not investing enough in the security of their data, networks and systems or that they are not respecting their bug bounty program. The group claims that after payment it will help the affected organization to protect itself against future attacks. In addition, the affected organization receives a report describing which vulnerabilities were used and how they were used to gain entry.

What many organizations do not realize, or insufficiently, is that by using third-party JavaScript they run an increased risk of being hit by a cybersecurity incident. Third-party scripts allow cybercriminals to introduce malicious code into an organization’s web environment. Many organizations use third-party code for, for example, forms, processing orders and payments or tracking visitor behavior. Be alert to the use of third-party code. Know which code is used and check whether this code is also actively maintained.
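Knowing which third-party code a page loads is the first step the paragraph asks for. The following added example (not from the original post) inventories the external `<script src>` tags in a constructed HTML page, separates first-party from third-party hosts, and flags third-party scripts that lack a Subresource Integrity hash; the site name, hosts and the `sha384-...` placeholder are all made up for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for the fictitious shop.example site. The
# integrity value is a placeholder, not a real hash.
SAMPLE_HTML = """
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://cdn.example.net/lib/slider.min.js"></script>
  <script src="https://widgets.example.org/chat.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="//tracker.example.com/t.js" async></script>
  <script>console.log("inline scripts are out of scope here");</script>
</head><body></body></html>
"""


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            attrs = dict(attrs)
            if attrs.get("src"):
                self.scripts.append(attrs)


def audit_scripts(html: str, site_host: str):
    """Return one record per external script: its host, whether it is
    third-party, and whether an integrity attribute pins its content."""
    collector = _ScriptCollector()
    collector.feed(html)
    base = f"https://{site_host}/"
    findings = []
    for attrs in collector.scripts:
        # urljoin resolves relative ("/static/app.js") and protocol-relative
        # ("//tracker...") sources to an absolute URL with a hostname.
        host = urlparse(urljoin(base, attrs["src"])).hostname or site_host
        first_party = host == site_host or host.endswith("." + site_host)
        findings.append({
            "src": attrs["src"],
            "host": host,
            "third_party": not first_party,
            "has_integrity": "integrity" in attrs,
            "crossorigin": attrs.get("crossorigin"),
        })
    return findings


def unpinned_third_party(findings):
    """Third-party scripts whose content the page does not pin; a compromise
    of that host changes what runs in your visitors' browsers unnoticed."""
    return [f for f in findings if f["third_party"] and not f["has_integrity"]]


if __name__ == "__main__":
    found = audit_scripts(SAMPLE_HTML, "shop.example")
    for f in found:
        kind = "third-party" if f["third_party"] else "first-party"
        pinned = "pinned" if f["has_integrity"] else "NOT pinned"
        print(f"{kind:12s} {pinned:10s} {f['src']}")
    print("review:", [f["host"] for f in unpinned_third_party(found)])
```

Integrity hashes only work for scripts whose content is static; a tag manager or ad script that changes on every load cannot be pinned, which is exactly why such scripts deserve the closest review and the tightest scoping.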

#WakeUpWednesday May 25, 2022

The 2022 SaaS Security Survey Report identifies the risks and dangers associated with the use of SaaS solutions. In particular, configuration errors are cited as the cause of cybersecurity incidents. One of the reasons for this is that several departments have access to the security settings, without the people being trained or having cybersecurity as their focus area.

Cisco warns of an actively attacked vulnerability in IOS XR router software, which allows attackers to access the Redis database and modify information there, write arbitrary files to the container file system, and retrieve information about the Redis database. An update is available, the advice is to install it as soon as possible.

Educational institutions with a WordPress website that use the premium ‘School Management’ plug-in are currently vulnerable due to a backdoor in this plug-in. The plug-in provides educational institutions with capabilities such as scheduling distance education, attendance tracking, expense tracking, enrolling new students, and document management. The vulnerability allows cybercriminals to run arbitrary PHP code, which can let them access or alter the website’s contents, elevate privileges and assume complete control of the site. An update is available (version 9.9.7); please update to the most recent version as soon as possible.

#WakeUpWednesday May 18, 2022

Last week a political agreement was reached on new European regulations in the field of cybersecurity, NIS 2. Important changes are that the regulations will also apply to medium-sized and large organizations and that the number of sectors that are considered critical has been expanded. Some aspects mentioned in NIS 2 are patching vulnerabilities, risk management measures and the period within which incidents must be reported to the authorities.

A critical vulnerability in Zyxel firewalls allows cybercriminals to execute arbitrary code remotely. This includes downloading malware or misusing other vulnerabilities to penetrate the network. The vulnerability applies to both firewalls and VPNs. We have now received the first signals that this vulnerability is also actively being used by cyber criminals. An update is available, our advice is to update this equipment as soon as possible.

The update advice also applies to SonicWall SMA1000 series 6200, 6210, 7200, 7210 and 8000 devices with firmware versions 12.4.0 and 12.4.1. Cybercriminals can access internal resources and send potential victims to rogue websites.

Linux and Solaris (Unix) systems are also under attack by cybercriminals. For example, malware called BPFdoor has recently been discovered, which has been targeting Linux and Solaris systems undetected for the past five years. The malware allows cybercriminals to remotely connect to a Linux shell to gain full access to an infected system. The malware has gone undetected for so long because the command & control connection is initiated from outside. A firewall offers no protection against this malware and the malware can respond to commands from any IP address. A set of technical indicators (YARA rules, hashes) is now available with which you can scan a Linux or Solaris system.

#WakeUpWednesday May 11, 2022

Cybercriminals are constantly developing new ways to spread malware. In addition, we now also see that cyber criminals don’t stick to one specific way when spreading. This flexibility, combined with an increasing freedom of choice, means that organizations must be constantly alert and avoid tunnel vision when implementing cybersecurity measures.

Mandiant has researched worldwide trends in cybersecurity incidents, such as ways to distribute malware, and published them in an annual report. They state, among other things, that we have all become better at detecting incidents more quickly. In response to our efforts, attackers will of course remain flexible. Exploiting a vulnerability is still the most common way in, at 37% of cases. Phishing is a much less popular method, at only 11%. The statistics on supply-chain attacks are striking; last year’s attack on Kaseya is a well-known example. These attacks are rapidly gaining popularity, rising from 1% the year before to 17%.

We continue to see that exploiting vulnerabilities is a common way for attackers to get in. It is therefore extremely important to ensure that the management of hardware and software within your organization is in order. That is, keeping a good record of what hardware and software is in use, and ensuring that it is kept up-to-date. Qualys can help you with this. By ensuring that timely action is taken on security updates, you reduce the attack surface within your organization.

There is also a warning about Raspberry Robin, where malware is spread via USB sticks. Make sure your employees are aware of the risks associated with using unknown external equipment.

#WakeUpWednesday May 4, 2022

The NSA and FBI, along with cybersecurity agencies from multiple countries, have compiled an overview of the key vulnerabilities exploited in 2021. Unfortunately, these vulnerabilities are still causing victims today. The overview includes ProxyLogon and Log4Shell. In addition to these most commonly used vulnerabilities, new vulnerabilities are regularly added that pose a potential threat to your organization.

Another vulnerability that is currently being actively exploited is the vulnerability in VMware Workspace One. Therefore, make sure you stay informed about new updates and install them as soon as possible.

Updating systems and software does not only apply to the business environment, but also to devices that are intended for home or personal use. The government has now obliged sellers of digital products to keep them working and safe. This means that there will also be software updates for smart TVs, printers and cameras, for example. Also in this case: make sure you know which equipment is connected to the internet and, where possible, update this equipment as soon as possible.

Furthermore, Onyx ransomware seems to destroy files larger than 2MB instead of encrypting them. According to researchers, the data in the files is overwritten with worthless data during encryption, so that decryption no longer yields the original file information even after the ransom has been paid. Since the same encryption routine has been seen with Chaos ransomware, it seems that overwriting is not a flaw in the encryption but a deliberate choice. Therefore, always make sure you act promptly when a new vulnerability is published.

#WakeUpWednesday April 27, 2022

Among other things, cyber criminals use vulnerabilities in software to penetrate organizations. At least eighty zero-day vulnerabilities were used in 2021, more than a doubling compared to 2020. Three quarters of the zero-days discovered last year exploited vulnerabilities in products from Apple, Google and Microsoft. Therefore, install the available patches as soon as they are published.

Cisco, QNAP and Oracle, among others, released updates last week. In the case of Cisco to address a serious vulnerability in the Cisco Umbrella Virtual Appliance (VA). This vulnerability allowed attackers to remotely steal administrative credentials. QNAP has released an update for its NAS systems related to Apache HTTP vulnerabilities. Oracle has announced and fixed 520 new vulnerabilities in its April update.

Research further shows that malware groups still heavily use phishing to infiltrate. With new measures against the use of macros in Microsoft Office documents, these groups are looking for ways to get around these cybersecurity measures. Make sure your people are prepared for these phishing scams.

#WakeUpWednesday April 20, 2022

Several updates were released last week for critical vulnerabilities that are being actively exploited. Google released an emergency patch for an actively attacked zero-day vulnerability in Chrome, and Microsoft Windows and VMware Workspace ONE Access have also released patches. The advice is of course to install available patches as soon as possible.

In previous WakeUp Wednesday posts, we reported various variants of malware targeting mobile phones. Research by Proofpoint shows that in February there was a 500% increase in the number of attempts to deliver malware for mobile devices in Europe. Malware for mobile devices is becoming more sophisticated. It can record telephone and video calls, access audio and video recordings stored on the device and destroy data stored on the device. Be alert for messages containing links, voice messages, or notifications for updating apps outside the regular app stores.

#WakeUpWednesday April 13, 2022

Mobile phones play an increasingly prominent role in our lives, both professionally and privately. Therefore, be aware of malware that targets Android devices. The Android malware Octo is a new version of ExoCompact, the source code of which was leaked in 2018. The most dangerous thing about the updated variant is that the cybercriminal can remotely take control of the device and perform malicious actions via the victim’s device. Only update apps with versions released through official channels, such as the App Store or Google Play.

Another malware campaign currently seen in practice is aimed at the distribution of the new information-stealing malware META. META is growing in popularity among cybercriminals and is currently actively used in attacks. It is deployed to steal passwords stored in Chrome, Edge and Firefox as well as cryptocurrency wallets. META is distributed in the traditional way, as a mail attachment. Be alert if you receive attachments from strangers and be careful when enabling macros!

Other information stealers currently in active use are FFDroider and Lightning Stealer. These also target passwords stored in Chrome, Edge and Firefox. FFDroider is distributed via cracked installers and freeware, with the main purpose of stealing cookies and credentials for popular social media and e-commerce platforms. The stolen information is then used to log into those accounts and harvest further personal, account-related information. Lightning Stealer works in a similar way and can steal Discord tokens, cryptocurrency wallet data, and details related to cookies, passwords, and credit cards.

During the April 2022 Patch Tuesday, Microsoft released patches for 119 new vulnerabilities. The most severe is a remote code execution vulnerability in the Remote Procedure Call Runtime, registered as CVE-2022-26809. It allows an unauthenticated remote attacker to execute code with the same privileges as the RPC service, which runs under the Network Service system account.

VMware has published Security Advisory VMSA-2022-0011 covering eight CVEs in VMware Workspace ONE Access. Three of these CVEs have a CVSS score of 9.8 and are the subject of this post: one remote code execution and two authentication bypass vulnerabilities. The remote code execution vulnerability also exists in the following related VMware products: VMware Identity Manager, VMware Cloud Foundation and vRealize Suite Lifecycle Manager.

#WakeUpWednesday April 6, 2022

Cyber incidents are often caused by critical vulnerabilities that are not adequately addressed, by configuration errors or by users inadvertently sharing their data with third parties.

Zyxel warns of a critical vulnerability that could allow cybercriminals to gain administrative access to the firewall. Install the software updates as soon as possible.

Totolink routers that have not received the latest software updates are vulnerable to a variant of the Mirai botnet. The variant, called Beastmode, has five new exploits, three of which target various Totolink routers. Here too, the advice is to update the software as soon as possible, where possible.

In addition to the notification for Totolink routers, there is also a warning for users of D-Link routers. The vulnerability, designated CVE-2021-45382, affects the D-Link DIR-810L, DIR-820L/LW, DIR-826L, DIR-830L and DIR-836L. These models are end-of-life, so no new updates will be released. The advice is therefore to take them offline as soon as possible and replace them with newer routers.

Borat, a new remote access trojan (RAT), offers cybercriminals several attack options: it can be used as ransomware, as spyware, or for DDoS attacks. Because Borat lets the attacker choose how the malware is deployed, be careful about which software is installed and only download applications from reliable sources and websites.

#WakeUpWednesday March 30, 2022

It is nothing new that critical vulnerabilities are used by cybercriminals to gain access to third-party systems and data. However, we see that various vulnerabilities are still being exploited, despite patches being released. Updating systems and applications is an essential part of a good cybersecurity policy.

For example, Log4j is still actively abused by cyber criminals to install backdoors that can be used at a later stage. In addition, Log4j is actively being exploited to install cryptocurrency miners on vulnerable VMware Horizon servers.

A new phishing campaign, aimed at taking over email conversations, is being used to spread the IcedID info-stealing malware. This campaign makes use of vulnerabilities in Microsoft Exchange for which software updates are already available.

Sophos has announced that the critical vulnerability in its firewall software is currently being actively exploited. A hotfix is available; we recommend installing it as soon as possible.

The number of attacks using zero-day vulnerabilities, vulnerabilities for which no update is yet available at the time they are exploited, doubled in 2021, according to Rapid7.

We advise you to ensure that your systems have the latest software updates, if possible. Make sure your employees are alert and use network segmentation to ensure that attackers cannot penetrate the entire company network unhindered.

#WakeUpWednesday March 23, 2022

Why do things the hard way? That is why many portals let users log in with a Google account, Apple ID or Microsoft account. The popularity of these login screens means they are also popular with cyber criminals, who use them in their phishing campaigns. Recently, a new phishing toolkit has become available that makes it easy to counterfeit Chrome browser login windows. Be careful where you log in and use multi-factor authentication where possible.

The FBI warns vital sector organizations about AvosLocker ransomware. These ransomware attacks exploit vulnerabilities in Microsoft Exchange. Updates are available for the vulnerabilities used, including ProxyShell. Make sure your systems have the latest security updates.

Qualys research shows that 30 percent of applications, servers and other systems using Log4j are still vulnerable to cyber attacks. This vulnerability puts you at risk because cyber criminals could take over your system remotely. Therefore, install the security updates if possible or take mitigating measures if updating is not possible.

At the beginning of March 2022 we saw a new variant of the Lorenz ransomware. There is a big difference between files encrypted by this variant and files encrypted by an earlier version: decryption is not possible even after paying the ransom. Our specialists nevertheless managed to create a decryptor that can recover the files.

#WakeUpWednesday March 16, 2022

Cyber criminals are inventive. Time and again they find new ways to spread malware and gain access to third-party systems. In this #WakeUpWednesday, we give three examples.

For example, contact forms on websites are used to distribute the BazarBackdoor malware. The attacker requests a quote through the form, which starts a conversation. Later in that conversation, an ISO file is sent that supposedly contains additional information relevant to the request. By sending this file through a file-sharing service such as WeTransfer and letting the recipient unpack it themselves, the attacker tries to bypass email security controls.

Add-ons for popular online games are also used. In this example, a YouTube channel promotes an add-on for the popular game Valorant. Users who want the add-on are directed to a page where they can download a RAR file. The installer inside it does not install the add-on, but RedLine Stealer, malware that focuses on stealing passwords, among other things.

We close the list with Escobar, Android malware aimed at stealing Google Authenticator MFA codes. Escobar is an enhanced version of the Aberebot Android banking trojan. In addition to stealing MFA codes, the malware can take control of the device via VNC, and its ability to record audio and use the camera lets it collect further user data. The ultimate goal, of course, is to gather enough data to gain control over the victim's bank accounts.

In addition to IT systems, OT systems are increasingly faced with cybersecurity threats. Research by Dragos shows that the number of vulnerabilities has doubled in 2021 compared to 2020. Ransomware is the biggest threat.

A Linux vulnerability affecting all kernels since version 5.8, including Android, has been disclosed under the name Dirty Pipe. It allows data to be overwritten even in read-only files, which can lead to privilege escalation: local users can obtain root privileges. QNAP's NAS operating systems, QTS and QuTS hero, also use the Linux kernel and are therefore vulnerable.

Finally, we also keep a close eye on developments around wiper malware. A new variant, RuRansom, is not ransomware, even though the name suggests otherwise. It too is wiper malware which, for the time being, targets systems whose IP address can be related to Russia.

#WakeUpWednesday March 9, 2022

Cybercrime can focus on disrupting primary business processes or critical services. Last week, for example, not only were satellite connections affected, but 5800 wind turbines in Germany and central Europe were also taken offline.

Nvidia has fallen victim to cybercrime in several ways. In addition to a terabyte of data being stolen during an incident, two stolen driver-signing certificates are being used to spread malware. Even though the certificates have expired, Windows still accepts drivers signed with them. Finally, the stolen data is being used to pressure Nvidia into changing the firmware of specific series of graphics cards (GeForce RTX 30 Series), a change intended, among other things, to benefit the crypto mining industry.

Furthermore, various vulnerabilities have been patched in Exchange Server and Android. The Exchange Server vulnerability (CVE-2022-23277) has an impact score of 8.8 and allows remote code execution; it affects Exchange 2013, 2016 and 2019, and an authenticated attacker can use it to execute code with elevated privileges. The Android vulnerability also allows privilege escalation; updates have been made available for Android 10, 11 and 12.

Install the available software updates as soon as possible. Also be aware of updates that are made available for all kinds of other systems that you have connected to the internet at home.

#WakeUpWednesday March 2, 2022

Over the past week we have seen the situation around Ukraine escalate both physically and digitally. The Tesorion Threat Intelligence team has been monitoring various open sources since mid-January. We see that attacks within Ukraine are increasing drastically and that, among other things, wiper malware has been detected. The purpose of this malware is to completely disable the affected computers. This is different from ransomware, where files are encrypted and the attackers make ransom demands. With a wiper, the files are destroyed and there is often no way back. Therefore, be extra vigilant with e-mail messages, phone calls and approaches via social media.

The Dutch fraud helpdesk states that in the first six weeks of 2022, more than 10.5 million euros in damage has already been suffered due to CEO fraud, fake telephone calls and misuse of company names. In addition to training the cyber awareness of employees, it is also important as an organization to know what is being published about your organization, especially on the deep and dark web. Think, for example, of stolen login details with which cyber criminals can gain access to your systems.

Research by Fortinet shows, among other things, that ransomware is not only increasing, but also becoming more aggressive and destructive. In addition, the Global Threat Landscape Report shows that Linux systems are increasingly being targeted. Make sure your organization is prepared and invest in raising the cyber awareness of your employees.

#WakeUpWednesday February 23, 2022

The widely used Microsoft Teams now also appears to be used by hackers. They use the platform to spread malware. By logging in with data obtained through phishing or bought on the dark web, the hacker can share a file. As soon as this file is opened by another user, the malware starts working, with all its consequences. Make sure your employees are resilient and alert when it comes to phishing and opening unknown files.

A malicious app has been found in the Google Play Store. The app Fast Cleaner pretends to be an app that will clean up the device and thus improve battery life, while in reality it installs banking malware during an invisible update. There have already been more than 50,000 downloads of this app, despite reviews pointing out its malicious intent. Be vigilant about the apps you install and don’t simply trust everything.

The popular WordPress plugin UpdraftPlus suffers from a critical vulnerability (known as CVE-2022-0633) that allows any website user to download the latest database backup, which may contain privacy-sensitive information. Normally this backup should only be available to a select group of users, but due to this vulnerability even users with the lowest privileges can download it. Because of the critical situation, WordPress has forced the update (version 1.22.3 or 2.22.3) onto millions of websites.

In last week's update we already mentioned the vulnerability in Adobe Commerce and Magento Open Source. Since then, another vulnerability with a CVSS score of 9.8 (CVE-2022-24078) has been discovered. It also appears that the Log4j vulnerability, which came to light at the end of 2021, is still being abused. Furthermore, VMware recently made updates available for 6 vulnerabilities with CVSS scores ranging between 5.3 and 8.8. We keep emphasising it: keep your software and devices up to date to stay ahead of cyber attacks.

Last week the news came out that the well-known ransomware group Conti and the TrickBot group have joined forces. This strengthens their position and gives them the opportunity to develop better malware. Ransomware attacks continue to keep us busy, so protect your organisation against them.

#WakeUpWednesday February 16, 2022

Several companies have made updates available in the past week due to critical vulnerabilities. It is important to always keep your devices and software up to date, part of having your basics in order.

First of all, Apple released an update last week that fixes a vulnerability, known as CVE-2022-22620, in WebKit, a core component used by browsers on Apple platforms. After exposure to malicious web content, this vulnerability can be used to execute code on Apple devices. Update your devices to the latest software versions to avoid being vulnerable. Adobe also released an update to patch a critical vulnerability known as CVE-2022-24086, which affects Adobe Commerce and Magento Open Source. Lastly, Google has released an update for the Chrome browser. The update will be installed automatically in due course, but it can already be applied manually. It fixes several vulnerabilities, some of which have been labelled critical.

A German group of hackers, the Chaos Computer Club, recently found more than 50 data leaks at various companies and organisations, including the Dutch Ministry of Health, Welfare and Sport. By means of various vulnerabilities, including database servers without authentication and unsecured MySQL servers, the hackers were able to access all kinds of personal data. All data breaches have been reported to the companies concerned and most of them have taken action to resolve the vulnerabilities. The group did not make use of the data found, but unfortunately this often happens. Make sure you protect your data, for example by using encryption, and do not become a victim of a data breach.

#WakeUpWednesday February 9, 2022

With the attacks on several companies in the oil industry and an attack on freight handler Swissport, there is currently a lot of activity in the field of ransomware again. The impact of the attacks on business processes is significant. Loading and unloading ships is not possible or is subject to significant delays. Also at Swissport, part of the IT systems for scheduling personnel, aircraft and freight are temporarily unavailable.

In recent weeks, much has been said and written about the mandatory app for Olympic athletes, counselors and journalists. In addition to the advice to leave your own devices at home and not to take them to China, it is good to be aware of possible risks in the field of cybersecurity.

Be aware of the information you share, including on business platforms such as LinkedIn. Information such as your job description, information about systems and applications used can be used by cyber criminals. According to the AIVD, for example, Chinese and Russian secret services have approached thousands of employees at Dutch high-tech companies with the aim of corporate espionage.

#WakeUpWednesday February 2, 2022

Updating applications and systems is essential for your cybersecurity. For example, the Apache Log4j vulnerability is currently being actively exploited. Furthermore, a vulnerability in Microsoft Defender allows cybercriminals to evade malware detection.

We continue to emphasize that installing security updates is extremely important. However, criminals also abuse this by creating fake software updates that contain malware or ransomware. Microsoft Edge users, for example, were confronted with a fake update, just like users of Adobe products, Google Chrome and Firefox. So always make sure that you only download updates from the supplier itself and not from another party.

Ransomware is a major threat to the continuity of business processes and thus to the existence of an organization. In addition to holding the data hostage, organizations are put under pressure by the threat that the data will be made public. To reinforce that threat even more, social media is now also being used. This puts even more pressure on organizations to pay the ransom.

Another rather daring and unorthodox method that has recently been deployed is to call individuals whose details have been found in the data set held hostage. They were put under pressure with the aim of motivating the organization whose data had been held hostage to pay.

#WakeUpWednesday January 26, 2022

Data is valuable, also for cyber criminals. No organization is spared, as became apparent from the hack on the Red Cross, in which data on more than 500,000 people, many of them vulnerable, was stolen.

In addition, cyber criminals have managed to use more than 2,000 corporate email accounts in various spyware campaigns. Kaspersky’s investigations revealed that the spyware was distributed via an email attachment. If the employee opens the attachment and the spyware successfully infects the system, the username and password of the employee in question are sent to the cyber criminal. The attacker can gain access to the system with the stolen data and then further spread the spyware among the employee’s contacts.

It is nothing new for cyber criminals to exploit known vulnerabilities long after they have been disclosed. In early December, we warned about critical vulnerabilities in the SonicWall SMA 100 series. This week a warning was issued that these vulnerabilities are currently being actively exploited. There is no workaround available; the advice is to update the software as soon as possible.

Logging is important, for example, to find out how cyber criminals got in. Nevertheless, Cisco research shows that due to a lack of logging, the attack vector is unknown in most incidents. Where the attack vector is known, in most cases the cause appears to be phishing, or applications that are accessible via the internet. Train the cyber awareness of your employees and ensure that vulnerabilities in the software are fixed as soon as an update is available.

#WakeUpWednesday January 19, 2022

In the #WakeUpWednesday we regularly report incidents where there is a need and urgency around patching. Incidents are also regularly discussed where increasing awareness can help increase cyber security.

Over the past week, the Apache Software Foundation, which manages Apache Log4j, OpenOffice and the Apache web server, among others, warned against the use of end-of-life software. Users are still being attacked through old vulnerabilities in Apache software that is no longer supported or maintained.

Updates have also been released for the LUKS disk encryption software for Linux. It contained a critical vulnerability (CVE-2021-4122) that allowed decryption without entering the passphrase. Making backups, and making sure they cannot be changed afterwards, remains one of the basic measures within cybersecurity.

Due to the combination of a weak administrator password and the use of a weak encryption algorithm, private data of nearly 7 million end users of the Open Subtitles website has been stolen and made public. The email addresses have been added to the data leak search engine Have I Been Pwned.

#WakeUpWednesday January 12, 2022

The Log4j vulnerability has an impact on many systems. For example, the British health service warns against abuse of the vulnerability in VMware Horizon. The software uses Apache Tomcat which in turn uses Log4j. Despite the fact that VMware patches were released in December, attackers are actively looking for systems that are not yet equipped with the available patches.

A new vulnerability has been discovered affecting the H2 database console. It also stems from the remote loading of JNDI classes, the same root cause as the Log4Shell vulnerability. Because the H2 database engine is widely used, just like Log4j, the reach is large. The vulnerability (CVE-2021-42392) affects H2 database versions 1.1.100 to 2.0.204. The advice is to update to version 2.0.206 as soon as possible.

During the January patch Tuesday, Microsoft released patches for 96 new vulnerabilities. The most severe vulnerability is a remote code execution vulnerability in http.sys, registered as CVE-2022-21907. This vulnerability allows an unauthenticated attacker to execute code on an affected system by sending a specially crafted request or response. We advise to check if your products are listed and apply the required patches or workaround as soon as possible.

It is no surprise that cybercriminals are always looking for new methods to penetrate organizations. Nowadays, for example, USB sticks are sent that are very similar in terms of stick and packaging to those of reputable organizations. However, the USB sticks sent contain malware in order to start malicious actions.

The makers of Flubot malware, an Android trojan that targets financial data, have launched a number of new campaigns to spread their malware. Be alert for messages about, for example, updating Adobe Flash Player, false notifications for software updates that bypass the Play Store, messages about package deliveries, and so on. Most characteristic is that these messages contain a link that cannot be traced back to the organization in question.
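As an added illustration of that last point, here is a small link checker that decides whether a link in a message leads back to the organisation it claims to come from. This is example code written for this post, not Tesorion's tooling or anything from the Flubot reporting; the multi-label suffix table is a constructed stand-in for the real Public Suffix List, and the organisation domain `mybank.example` and the sample SMS texts are constructed. Beyond the subdomain trick in the post, it also catches the other common ways a link hides its real destination: user-info before the host, raw IP addresses and punycode look-alikes.

```python
"""Check whether links in a message lead back to the organisation they claim to come from.

Added example for this post, not code from Tesorion. The suffix table is a
small constructed stand-in for the Public Suffix List (assumption), and the
sample messages at the bottom are constructed.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed subset of multi-label public suffixes; a real deployment would
# load the full Public Suffix List instead (assumption).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "com.br", "co.jp"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the registrable part of a host, e.g. shop.example.co.uk -> example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return host.lower()


def inspect_link(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason) for one link against the organisation's known domain."""
    parts = urlsplit(url)
    host = parts.hostname  # lowercased; user-info, port and IPv6 brackets already stripped
    if parts.scheme not in ("http", "https"):
        return False, f"unexpected scheme {parts.scheme!r}"
    if not host:
        return False, "no host in URL"
    if "@" in parts.netloc:
        # "https://mybank.example@evil.test/" shows the trusted name but goes to evil.test
        return False, "user-info before the host hides the real destination"
    try:
        ipaddress.ip_address(host)
        return False, f"raw IP address {host} instead of a domain name"
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode label may imitate the organisation's name"
    actual = registrable_domain(host)
    if actual != expected_domain.lower():
        # covers "mybank.example.parcel-alert.test": the trusted name is only a subdomain
        return False, f"registrable domain {actual} is not {expected_domain}"
    if parts.scheme != "https":
        return False, "link is not https"
    return True, "link resolves to the expected organisation"


def scan_message(text: str, expected_domain: str) -> list[tuple[str, bool, str]]:
    """Find every http(s) link in a message and judge each one."""
    results = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;:!?)")  # strip sentence punctuation glued to the link
        ok, reason = inspect_link(url, expected_domain)
        results.append((url, ok, reason))
    return results


if __name__ == "__main__":
    # Constructed sample SMS texts in the style of the package-delivery lure described above.
    samples = [
        "Your parcel could not be delivered. Reschedule: https://mybank.example.parcel-alert.test/r/8f2",
        "Security update required: http://mybank.example@198.51.100.7/update.apk",
        "Your statement is ready: https://www.mybank.example/statements",
    ]
    for sms in samples:
        for url, ok, reason in scan_message(sms, "mybank.example"):
            print("OK     " if ok else "SUSPECT", url, "-", reason)
```

The check is deliberately strict: a link that fails any test is reported as suspect with the reason, so the output can be shown to the user or fed into a mail or SMS filter. Note that the registrable-domain comparison is only as good as the suffix table, which is why a production version should load the full Public Suffix List.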

#WakeUpWednesday January 5, 2022

2022 is off to a good start, also in the field of cybersecurity. Google has released a security update for Chrome. Among other things, this new update resolves a critical vulnerability that could allow an attacker to execute arbitrary code on a user’s system without requiring further user action. Executing code naturally enables an attacker to install malware on your computer that can, for example, be used to steal credit card and login details.

Cyber criminals have carried out a supply chain attack on more than 100 companies by adding skimmer code to a video player of a cloud video hosting service. When an organization used the video player on, for example, a website, the malicious code was also added. As a result, the site was infected and credit card data could be stolen.

Cyber security has many aspects. One of the basic measures is to create and restore backups. Determining a backup strategy is therefore part of a business continuity plan. Make sure you know how long your organization, or a part of it, may be unavailable (Recovery Time Objective) and how much data loss is acceptable (Recovery Point Objective). Test this process regularly to avoid unpleasant surprises. In December, for example, Kyoto University lost 77TB of research data due to an error in its backup system.
