An Easter weekend ransomware attack on a food-logistics firm in the Netherlands has caused shortages of prepackaged cheese in supermarkets across the country. The country’s largest grocery chain had some bad news for a cheese-mad nation: “Due to a technical malfunction, there is limited availability on the prepackaged cheese,” Albert Heijn announced on its website. Transport company Bakker Logistiek confirmed it was attacked, adding that store shelves would still get stocked, but things might move a bit slowly while it works through the cyber-incident. “We can deliver less, but it does not lead to empty shelves in the store,” Bakker Logistiek director Toon Verhoeven said.

Microsoft Exchange Server Attacks

In a local media report spotted by Bitdefender, Verhoeven said he suspected the attackers gained a foothold through a Microsoft Exchange server vulnerability. That would make Bakker Logistiek just the latest victim in an onslaught of attacks against Microsoft Exchange servers following the disclosure of the ProxyLogon group of security bugs. Microsoft announced in early March that it had found several zero-day bugs being used to attack on-premises Microsoft Exchange servers; the attacks included full dumps of mailboxes, lateral movement, APT activity and more. Not long after, ransomware was added to the list of tactics used in the attacks. Bakker Logistiek was able to regain control of its systems, according to Bitdefender, which added that the…

The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities. ProxyLogon comprises a group of security bugs affecting on-premises versions of Microsoft Exchange Server software for email. Microsoft last month warned that the bugs were being actively exploited by the Hafnium advanced persistent threat (APT); after that, other researchers said that 10 or more additional APTs were also using them. ProxyLogon consists of four flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) that can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials. This gives them access to email communications and the opportunity to install a web shell for further exploitation within the environment, such as the deployment of ransomware. While patching levels have accelerated, this doesn’t help already-compromised computers. “Many infected system owners successfully removed the web shells from thousands of computers,” explained the Department of Justice, in a Tuesday announcement. “Others appeared unable to do so, and hundreds of such web shells persisted unmitigated.” This state of affairs prompted the FBI to take action; in a court-authorized action, it issued a series of commands through the web shells to the affected…

The reality is that today, almost everyone is being tracked and monitored 24/7, with cameras recording our expressions, interactions and speech to determine what we might be thinking, where we are going and who we are meeting. While privacy differs from nation to nation and culture to culture, one thing that remains consistent is that having privacy is becoming less and less of an option. As a result, it may drive us to treat our daily lives as if privacy no longer exists. The concept itself is quickly becoming obsolete as individuals continue to build their online digital presence and organizations shift operations to the cloud — resulting in more complex global ecosystems. Society is moving to an influencer culture where everyone will either be an influencer or be influenced. Social-media platforms are no longer focused on social interaction — once ads were introduced, they became influencer platforms. Discussions surrounding how to ensure data privacy have been replaced with conversations on how citizens’ data is being used, collected and processed. For example, the DHS stated in a September 2020 announcement that it would “authorize expanded use of biometrics beyond background checks to include verification, secure document production and records management” to improve screening and vetting processes. While modernizing and extending the use of biometrics offers many advantages, it is critical that the DHS continue to outline exactly what is collected from its citizens and…

Hackers are using search-engine optimization (SEO) tactics to lure business users to more than 100,000 malicious Google sites that seem legitimate, but instead install a remote access trojan (RAT), used to gain a foothold on a network and later infect systems with ransomware, credential-stealers, banking trojans and other malware. eSentire’s Threat Response Unit (TRU) discovered legions of unique, malicious web pages that contain popular business terms/particular keywords, including business-form related keywords like template, invoice, receipt, questionnaire and resume, researchers observed, in a report published Wednesday. Attackers use Google search redirection and drive-by-download tactics to direct unsuspecting victims to the RAT—tracked by eSentire as SolarMarker (a.k.a. Jupyter, Yellow Cockatoo and Polazert). Typically a person who visits the infected site simply executes a binary disguised as a PDF by clicking on a purported “form” — thus infecting his or her machine. “This is an increasingly common trend with malware delivery, which speaks to the improved security of applications such as browsers that handle vulnerable code,” researchers wrote. “Unfortunately, it reveals a glaring blind spot in controls, which allows users to execute untrusted binaries or script files at will.” Indeed, the campaign is not only far-reaching but also sophisticated. The common business terms serve as keywords for the threat actors’ search-optimization strategy, aptly convincing…

Microsoft had its hands full Tuesday snuffing out five zero-day vulnerabilities, a flaw under active attack, and applying more patches to its problem-plagued Microsoft Exchange Server software. In all, Microsoft released patches for 110 security holes, 19 classified critical in severity and 88 considered important. The most dire of the flaws disclosed is arguably a Win32k elevation-of-privilege vulnerability (CVE-2021-28310) actively being exploited in the wild by the cybercriminal group BITTER APT.

Actively Exploited Zero-Day

“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” wrote Kaspersky in a Tuesday report detailing its find. The bug is an out-of-bounds write vulnerability in the Windows dwmcore.dll library, which is part of Desktop Window Manager (dwm.exe). “Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API,” wrote Kaspersky researchers Boris Larin, Costin Raiu and Brian Bartholomew, co-authors of the report.

More Bugs Tied to Problem-Plagued Exchange Fixed

Of note, the US National Security Agency released information on four critical Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) impacting versions…

Microsoft today released updates to plug at least 110 security holes in its Windows operating systems and other products. The patches include four security fixes for Microsoft Exchange Server — the same systems that have been besieged by attacks on four separate (and zero-day) bugs in the email software over the past month. Redmond also patched a Windows flaw that is actively being exploited in the wild. Nineteen of the vulnerabilities fixed this month earned Microsoft’s most-dire “Critical” label, meaning they could be used by malware or malcontents to seize remote control over vulnerable Windows systems without any help from users. Microsoft released updates to fix four more flaws in Exchange Server versions 2013-2019 (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483). Interestingly, all four were reported by the U.S. National Security Agency, although Microsoft says it also found two of the bugs internally. A Microsoft blog post published along with today’s patches urges Exchange Server users to make patching their systems a top priority. Satnam Narang, staff research engineer at Tenable, said these vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. “Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw,” Narang said. “With the intense interest in Exchange Server since…

Researchers estimate more than 100 million internet-connected devices are vulnerable to a class of flaws dubbed NAME:WRECK. Devices ranging from smartphones to aircraft navigation systems and industrial internet of things (IIoT) endpoints are vulnerable to either a denial-of-service (DoS) or remote code-execution (RCE) attack, according to a joint report by Forescout Research Labs and JSOF Research Labs. Patches are available for some affected vendors. Nine vulnerabilities were identified within the implementation of the Domain Name System (DNS) protocol used by TCP/IP network communication stacks. These two technologies are used in tandem to uniquely identify devices connected to the internet and facilitate digital communications between them. The most serious of the flaws are rated critical in severity. “The widespread deployment and often external exposure of vulnerable DNS clients leads to a dramatically increased attack surface,” researchers wrote in a report released Tuesday (PDF). “[W]e can estimate that at least 100 million devices are impacted by NAME:WRECK.”

Breaking Down the NAME:WRECK Bugs

Under the auspices of the research collective known as Project Memoria, NAME:WRECK is the fifth set of vulnerabilities impacting TCP/IP libraries to have been disclosed over the past three years. Those that came before are URGENT/11, Ripple20, Amnesia:33 and NUMBER:JACK (also discovered by Project Memoria and Forescout). Forescout and JSOF researchers divide the nine…

Surging numbers of COVID-themed attacks and PowerShell trojans, along with the SolarWinds compromise and the continued spread of Sunburst malware, were major contributors to a massive spike in the number of observed attacks in the wild during the last half of 2020, which McAfee said averaged 588 attacks per minute within its telemetry during Q3 and Q4 of 2020. Researchers observed an average of 648 threats per minute in the wild in Q4, an increase of 10 percent over the third quarter and a continuation of the upward trend that followed the 40 percent jump compared to Q2 2020, McAfee’s latest threat report said. COVID-19-related attacks continued to leave their mark on the ecosystem: “McAfee’s global network of more than a billion sensors registered a 605 percent increase in total Q2 COVID-19-themed threat detections,” the report said. “The world — and enterprises — adjusted amidst pandemic restrictions and sustained remote challenges, while security threats continued to evolve in complexity and increase in volume,” the report said. “Though a large percentage of employees grew more proficient and productive in working remotely, enterprises endured more opportunistic COVID-19-related campaigns among a new cast of bad-actor schemes. Prominent campaigns such as Sunburst and new ransomware tactics left [security operations centers] SOCs no time to rest.”

PowerShell Threats Up By 208%

The team of security researchers also measured a 208 percent increase in PowerShell threats from Q3 to Q4 2020, most…

A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. The campaign is aimed at harvesting victims’ email account credentials, researchers said. According to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined. “The email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file,” researchers explained in an analysis on Tuesday. “The email was sent from a Hotmail ID and was titled ‘RE: Home Loan,’ followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy.” The links included in the emails purport to lead to a document called “2020_TaxReturn&W2.pdf,” researchers found. Instead, the links take users to a Typeform page where victims are asked to enter their email account credentials before being granted access to the file. However, entering email account information into the form only returns error messages. After several attempts, the campaign surfaces a message saying that “the document is secured” and that the user’s identity could not be verified. “It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2,” according…

Adobe has released security patches tackling four critical vulnerabilities in Adobe Bridge, along with other critical- and important-rated updates for bugs in Adobe Digital Editions, Adobe Photoshop and RoboHelp. In all, Adobe fixed 10 security holes in its products during its scheduled April updates, seven of them listed as critical. Adobe Bridge is a creative-asset manager that helps users preview, organize, edit and publish multiple creative assets in a streamlined way. It contains the four critical bugs as well as two “important” vulnerabilities: CVE-2021-21093 and CVE-2021-21092 are critical memory-corruption issues leading to arbitrary code execution; CVE-2021-21094 and CVE-2021-21095 are critical out-of-bounds write bugs also leading to arbitrary code execution; CVE-2021-21091 is an important out-of-bounds read issue that could lead to information disclosure; and CVE-2021-21096 stems from improper authorization and allows privilege escalation.

[Table: The fully patched versions. Source: Adobe]

Other Adobe Patches for April

Adobe also addressed two critical vulnerabilities in Photoshop, its popular photo-editing software (CVE-2021-28548 and CVE-2021-28549). Both are buffer-overflow bugs that allow arbitrary code execution.

[Table: The fully patched versions. Source: Adobe]

The company also patched a final critical vulnerability in Adobe Digital Editions, CVE-2021-21100, which is a privilege-escalation problem allowing an arbitrary file-system write. Digital Editions is Adobe’s…
