Category: Threat Watch – Binary Defense

Read the original article: Multiple Sanctions Brought Down Against Russian-backed Organizations and Agencies In response to the SolarWinds supply attack, the U.S. government issued sanctions against Russia. In the order, clear attribution was made, stating that teams in the Russian…

Read more →

Read the original article: Rowhammer Attacks Are Back on Stage Researchers at Sopho’s have observed a sort of reboot to a classic, mostly theoretical, attack named Rowhammer. This attack involves repeatedly attack a specific address in memory enough to affect…

Read more →

Read the original article: Ryuk Adding New Tools to Their Arsenal Advintel has released a report detailing the Tactics, Techniques, and Procedures (TTPs) behind the Ryuk ransomware, including some new observations made by their team throughout 2021 so far. Remote…

Read more →

Read the original article: HackBoss Cryptocurrency Malware Being Distributed Through Telegram According to researchers at Avast Security, a new campaign has been targeting people who are looking for hacking tools on Telegram channels. The HackBoss cryptocurrency malware has been using…

Read more →

Read the original article: NFT Site Rarible Targeted in Typosquatting Campaign Non-Fungible Tokens (NFTs) have become extremely popular as of late and have been making people a lot of money. Quite simply, NFTs are digital comps or artwork and other…

Read more →

Read the original article: Celsius Cryptocurrency Breach The cryptocurrency rewards program platform Celsius network has disclosed a security breach that led to customer information being exposed. Celsius CEO Alex Mashinsky stated that a third-party marketing server was compromised and that…

Read more →

Read the original article: IcedID Malware Ramping Up Following the takedown of Emotet, a hole was left in the malspam-as-a-service cybercrime ecosystem. IcedID, a well-known banking trojan used by multiple distinct threat groups, now seems primed to fill that hole…

Read more →

Read the original article: Compromised Exchange Servers Were Used to Host Payloads to Hack Other Exchange Servers While many threat actors attempted to take advantage of the recent ProxyLogon Exchange vulnerabilities to deploy ransomware, some went in another direction. A…

Read more →

Read the original article: Researcher Discovers Kubernetes Denial of Service Vulnerability CVE-2021-20291 was discovered earlier this month by Aviv Sasson. This effort was part of a security audit surveying multiple Go libraries that Kubernetes relies on to function. This vulnerability…

Read more →

Read the original article: Operation to Remove Exchange Webshells Announced by Department of Justice To mitigate the damage from the rapid exploitation of the ProxyLogon vulnerabilities in Microsoft Exchange servers, the FBI conducted a court-approved operation to remove webshells left…

Read more →

Read the original article: Microsoft Exchange Server Vulnerabilities, Patch Now Microsoft has released a security update for the Exchange Server that addresses four vulnerabilities with severity scores ranging from high to critical. All the security flaws lead to remote code…

Read more →

Read the original article: Multiple Tasmania Casinos Affected in Ransomware Attack Two out of the four casinos that are located on the Australian island of Tasmania have been affected by a ransomware attack. The attack targeted the sole casino operator…

Read more →

Read the original article: Risk and Compliance Company LogicGate Suffers Data Breach Some information has finally been released regarding a breach of LogicGate that occurred back in February. Until this week, the company had only disclosed the information to their…

Read more →

Read the original article: DNS and TCP/IP Stack Vulnerabilities Affect 100 Million Devices In a joint effort between researchers at JSOF and Forescout, a group of vulnerabilities has been disclosed affecting DNS in 100 million devices that are based on…

Read more →

Read the original article: Ransomware Attack Caused Cheese Shortage at Supermarket Chains in the Netherlands Dutch warehousing and conditioned transport company Bakker Logistiek faced disruptions to operations after systems were encrypted by ransomware last week. As one of the largest…

Read more →

Read the original article: Microsoft Security Intelligence Identifies Surge of IcedID Campaigns Leading to Cobalt Strike Recently, Microsoft has announced that they identified a cybercrime operation leveraging multiple methods to infect employee workstations with IcedID malware. The methods include a…

Read more →

Read the original article: Threat Actors Abusing Contact Forms to Infect Employees’ Workstations Researchers at Microsoft have alerted the Google security team to a new attack they have witnessed involving legitimate contact forms from companies and Google URLs. The attackers…

Read more →

Read the original article: Pierre Fabre Hit With $25 Million Ransomware Attack Leading French pharmaceutical group, Pierre Fabre, suffered a REvil ransomware attack where the attackers are demanding a ransom payment in Bitcoin worth approximately $25 million USD. Pierre Fabre…

Read more →

Read the original article: TriHealth Affected After Columbus Law Firm is Breached Cincinnati, Ohio based health system TriHealth announced employee and patient data may have been accessed after a breach occurred at one of their partnering businesses. A law firm…

Read more →

Read the original article: Annual Pwn2Own Contest Reveals No User Interaction Zoom Remote Code Execution Pwn2Own is an annual contest held by the Zero Day Initiative providing a contest for hackers and researchers around the world a chance to win…

Read more →

Read the original article: Healthcare Benefits Data Stolen During Belden Breach After suffering a breach in November of 2020, Belden has disclosed that employee healthcare benefits and dependents from current and former employees were stolen. The information stolen includes names,…

Read more →

Read the original article: REvil / Sodinokibi Updates New Safe Mode Functionality New versions of the Sodinokibi (also commonly known as REvil) ransomware were found last month with functionality for rebooting an infected workstation into Safe Mode. This was widely…

Read more →

Read the original article: Android Malware Infiltrated Huawei’s Official App Store Recently, analysts from the Russian anti-virus maker Dr.Web found ten Android apps from three developers that were infected with Joker, a type of Android Malware that signs up users…

Read more →

Read the original article: Threat Actor Sells 38 Million Dollars Worth of Gift Cards A Russian hacker has sold $38 million USD worth of gift cards on a forum that included close to 900,000 unique gift cards. The cards were…

Read more →

Read the original article: Backdoor Attack Allows Threat Actors to Access PHP Respository’s User Database At the end of March, the git.php.net server was believed to be compromised when a malicious source code update was pushed, adding a backdoor to…

Read more →

Read the original article: Attackers are Using Discord and Slack Links to Spread Malware As a result of the increase in remote work due to the pandemic, platforms like Discord and Slack have grown in popularity by keeping individuals more…

Read more →

Read the original article: Joint Alert by CISA and FBI Warns of Active Exploitation Against FortiOS Devices In a joint alert issued on April 2nd, the FBI and CISA warned that threat actors are actively scanning for Fortinet devices running…

Read more →

Read the original article: VMWare Issues Fix for Carbon Black Cloud Workload Authentication Bypass On April 1st, 2021, VMWare released an advisory and update to address an authentication bypass vulnerability in Carbon Black Cloud rated 9.1 out of 10 on…

Read more →

Read the original article: Exposed and Unpatched SAP Applications Are Currently Being Targeted More than 400,000 organizations around the world currently use SAP’s customer relationship management (CRM), product lifecycle management (PLM) and supply chain management (SCM) applications. SAP and cloud…

Read more →

Read the original article: IoT Provider Sierra Wireless Hit with Ransomware Less than a month ago on March 20th, 2021, Sierra Wireless suffered a ransomware attack which caused production of their IoT devices to stop. While the customer-facing products themselves…

Read more →

Read the original article: A Company Paid Millions to Get Their Data Back – Then Fell Victim to the Same Attack Again An unnamed organization that fell victim to ransomware, failed to adequately investigate the root cause of the attack,…

Read more →

Read the original article: New Maldoc Builder EtterSilent Being Used by Top Threat Actors According to researchers at Intel 471, a new malicious document (maldoc) builder called EtterSilent has been heavily advertised on criminal forums since mid-2020. Top malware cybercriminals…

Read more →

Read the original article: Fake LinkedIn Job Offer Delivers More_eggs Backdoor The Threat Response Unit (TRU) at eSentire, a Waterloo, Ontario-based cybersecurity firm, has discovered an ongoing fake jobs spear-phishing scam that is infecting the computer systems of LinkedIn users…

Read more →

Read the original article: Attackers Utilize GitHub’s CI/CD Actions Features Recently, attackers have been utilizing the continuous integration/continuous delivery (CI/CD) features on GitHub (GitHub Actions) to merge unauthorized cryptocurrency miners into repositories. The attackers will fork a repository, include the…

Read more →

Read the original article: Ransomware Attacks on Industrial Control Systems Hit 33.4% in H2 2020 In a report published by Kaspersky documenting threat activity recorded on devices in the second half of 2020, 33.4% of Industrial Control Systems (ICS) devices…

Read more →

Read the original article: A Malware Incident is Preventing Emissions Checks in Eight US States On March 30th, Applus Technologies detected an unspecified malware incident. While stopping the attack, Applus IT staff had to take systems offline, resulting in emissions…

Read more →

Read the original article: “A41APT” Campaign Dropping Sophisticated Loader A new campaign dubbed A41APT was recently discovered by SecureList researchers documenting the use of a sophisticated loader module, Ecipekac (also known as SigLoader, HEAVYHAND, or DESLoader). This malware serves up…

Read more →

Read the original article: Federal Agencies Given Deadline to Look For Compromised Exchange Servers Federal agencies have been ordered by the Cybersecurity and Infrastructure Security Agency (CISA) yesterday to look for signs of compromised Exchange servers in their networks. Agencies…

Read more →

Read the original article: Ubiquiti Breach More Serious Than Previously Announced After previously disclosing limited details about what it described in December as a “third-party data breach,” new details that became public this week show that Ubiquiti customer-owned devices have…

Read more →

Read the original article: Kansas Man Charged For Hacking Water Utility Recently, the US Department of Justice has announced an indictment for a Kansas man who is charged with hacking into the computer system of a local water utility and…

Read more →

Read the original article: Fake COVID-19 Vaccine Card Scam US federal agencies have issued a warning against making, selling, or purchasing fake COVID-19 vaccination record cards as this is against the law. Additionally, using fake vaccination record cards could also…

Read more →

Read the original article: VMware Patches Two Severe Vulnerabilities VMware published a security alert on Tuesday, March 30th, outlining two separate severe vulnerabilities within their vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager software. The vulnerabilities were reported…

Read more →

Read the original article: Scammers Target Universities in Ongoing IRS Phishing Attacks The Internal Revenue Service (IRS) is warning of ongoing phishing attacks targeting educational institutions. The attackers impersonate the IRS and use tax refund payments as bait while they…

Read more →

Read the original article: Charming Kitten Targets US and Israeli Healthcare Professionals Iranian threat group Charming Kitten set their sights on healthcare professionals in the United States and Israel during the month of December. The targeted people specifically work in…

Read more →

Read the original article: MalwareBytes Warns of “I Accidentally Reported You” Steam Scam In a report published by Malwarebytes, analysts are warning Steam users about an ongoing scam that starts with messages claiming to have accidentally reported the targeted person’s…

Read more →

Read the original article: Proof-of-Concept Decryptor Released for Black KingDom Ransomware Cybersecurity company Cyberint has released a proof-of-concept (PoC) Python script to decrypt files encrypted by the Black KingDom ransomware. Black KingDom, responsible for infecting thousands of vulnerable Microsoft Exchange…

Read more →

Read the original article: Docker Hub Host Images Shipping with Cryptominers Researchers from Palo Alto Network’s Unit 42 research group have discovered 30 images on Docker Hub embedded with Cryptominers. While most of these miners were embedded with XMRig for…

Read more →

Read the original article: PHP Git Breached – 2 Commits Under Developers Name’s Infected On Sunday PHP developers released a blog post announcing compromise of their Git repository and source infected. In light of this breach the developers have decided…

Read more →

Read the original article: Almost 40 German Parliament Email Accounts Accessed After Spear-Phishing Attack German Parliament members were targeted in an apparent spear-phishing attack recently. Nearly 40 federal and regional Parliament members were affected after their email accounts were accessed.…

Read more →

Read the original article: Australian TV Network Services Interrupted Reports from the Australian TV network, Nine Network, stated they were the victim of an attack that affected their services, which was similar to a ransomware attack but without a ransom…

Read more →

Read the original article: Apple Releases Emergency Update Apple has released an emergency update for their iOS, iPadOS, and watch OS. The patches are numbered iOS 14.4.2, iPadOS 14.4.2, and watchOS 7.3.3. The vulnerability, which was discovered by Google’s Threat…

Read more →

Read the original article: Ransomware Admin is Refunding Victims Their Ransom Payments The Ziggy ransomware administrator announced the end of the operation in early February of this year. Apparently, the threat actor had a guilty conscious and decided to publish…

Read more →

Read the original article: Data Dump for 7.3 million Dutch Car Owners Offered for Sale on Hacking Forum RDC, a Dutch company that provides garage and maintenance services to Dutch car owners, recently confirmed a data breach after the personal…

Read more →

Read the original article: OpenSSL Update Fixes Two High-Severity Vulnerabilities The OpenSSL project released a new build yesterday that includes fixes for two vulnerabilities. CVE-2021-3449 allows for a denial of service against servers. If a maliciously crafted request to the…

Read more →

Read the original article: Mamba Ransomware Stores Key in Plaintext In an alert about Mamba ransomware, the FBI disclosed a weakness in the encryption process that could allow victims to decrypt files without paying the ransom, if the victim company…

Read more →

Read the original article: Cisco Addresses Critical Security Flaws in Jabber Application Cisco has addressed critical several security issues, one with a severity rating of 9.9/10. The primary flaw concerns Cisco Jabber software, a web conferencing and instant messaging app…

Read more →

Read the original article: Facebook Blocks Chinese State-Sponsored Threat Actors Facebook has taken down numerous accounts they witnessed being used by Chinese state-sponsored threat actors. The accounts were linked to the threat actor known as EarthEmpusa or Evil Eye. The…

Read more →

Read the original article: FBI Warns Scammers Spoofing FBI Office Phone Numbers in Government Impersonation Fraud The FBI has seen a recent increase in phone calls that spoof Bureau phone numbers as part of a fraud campaign. Most of this…

Read more →

Read the original article: Accellion FTA Vulnerability Affects Universities in Colorado and Miami The Clop ransomware gang has continued to take advantage of the Accellion FTA vulnerability to extort Accellion’s clients by threatening to leak the data they stole. Thus…

Read more →

Read the original article: Over 6 Million Israeli Citizens Suffer Data Leak Recently, attackers calling themselves “The Israeli Autumn” have published archives containing the full names, phone numbers, ID card numbers, home addresses, gender, age, and political preferences for over…

Read more →

Read the original article: BlackKingdom Ransomware Could Encrypt Files Multiple Times or Brick Systems A report released yesterday on the recent BlackKingdom ransomware by Sophos has revealed a detailed look at the ransomware’s inner workings. The report lists several indicators…

Read more →

Read the original article: Phishing Attacks Leveraging Email Marketing Services to Bypass SEGs In a Twitter thread, Microsoft provided insight into an ongoing spam campaign that takes advantage of compromised email marketing services such as SendGrid and Amazon SES. Because…

Read more →

Read the original article: Shell Corporation Affected by Accellion FTA Vulnerability Another victim has announced they’ve suffered a data breach due to Accellion’s File Transfer Appliance (FTA). The oil and gas giant Shell has made it known that an unauthorized…

Read more →

Read the original article: MagnaDex Manga Site Down After Cyberattack MangaDex is one of the largest manga scanlation (scanned translations) sites where visitors can read manga comics for free, with over 76 million visitors per month. After suffering a series…

Read more →

Read the original article: Android Zero-day Actively Being Exploited Tracked as CVE-2020-11261 and getting a CVSS score of 8.4, a now-patched vulnerability affecting Android devices that use the Qualcomm chipsets is being weaponized by attackers, according to Google. Google stated…

Read more →

Read the original article: FBI Cleveland Division Warns of Financial Scams The Cleveland Division of the FBI is issuing a warning to the greater North East Ohio community as an increase in reporting of financial scams coming in the form…

Read more →

Read the original article: Critical F5 BIG-IP Vulnerability Actively Being Exploited and New POCs Released In a recent report, NCC Group elaborates on the recent discovery of the active exploitation of CVE-2021-22986. This vulnerability allows for unauthenticated, remote code execution…

Read more →

Read the original article: BlackKingdom “Ransomware” Attacks Vulnerable Exchange Servers Originally reported by Bleeping Computer, security researcher Marcus Hutchins recently uncovered a ransomware campaign leveraging the ProxyLogon vulnerabilities in order to spread and infect a wide variety of targets with…

Read more →

Read the original article: REvil Possibly Infecting Unpatched Exchange Severs, Claims Acer as Victim On March 18th, the REvil ransomware group (also referred to as Sodinokibi) posted “proof” through their leak site that they infected Taiwanese computer giant Acer. The…

Read more →

Read the original article: FBI: Phishing Emails Are Spreading Trickbot Malware The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning for a phishing campaign that is attempting to infect PCs with Trickbot. Trickbot, first identified…

Read more →

Read the original article: CopperStealer Malware Steals Google, Apple, Facebook Accounts This new malware, dubbed CopperStealer by Proofpoint researchers, is an actively developed password and cookie stealer with a downloader feature that enables its operators to deliver additional malicious payloads…

Read more →

Read the original article: Threat Actors Using Fake App Website to Infect Android Phones With BlackRock Trojan A new malicious app is being advertised that is pretending to be an Android version of the Clubhouse Application, which currently only available…

Read more →

Read the original article: Zoom Screen Share Flaw Can Expose Information A recently discovered bug being tracked as CVE-2021-28133 is affecting Zoom users. The flaw lies within the screen sharing function of the application and was tested on versions 5.4.3…

Read more →

Read the original article: 15-Year-Old Bugs in Linux Kernel Still Vulnerable On March 12, 2021 three vulnerabilities in Linux were publicly disclosed revealing kernel issues dating back fifteen years: CVE-2021-27363 CVE-2021-27364 CVE-2021-27365 While the code is not remotely accessible, it…

Read more →

Read the original article: 15 Year Old Bug(s) in Linux Kernel Still Vulnerable On March 12, 2021 three vulnerabilities, CVE-2021-27363, 27364, and 27365 , were publicly disclosed revealing kernel issues dating back fifteen years. While the code is not remotely…

Read more →

Read the original article: Tutor LMS WordPress Plugin Patches Several SQL Injection Vulnerabilities Wordfence, a security company focused on WordPress security, recently made available information on several vulnerabilities they discovered within the Tutor LMS plugin back in December 2020. Tutor…

Read more →

Read the original article: Finland Attributes Parliament Attack to APT31 After a long period of case review, along with cooperation from partners abroad, Finnish officials have formally blamed the cyber attacks against their Parliament on the Chinese state-sponsored hacking group…

Read more →

Read the original article: Researcher Discovers New Embedding Technique to Hide Files in Twitter Images In a tweet, David Buchanan announced he had discovered a way to post a PNG image with up to 3 megabytes of extra data that…

Read more →

Read the original article: Payment Card Data Leaked from Seized WeLeakInfo Website In January 2020, the FBI seized the internet domain WeLeakInfo[.]com. The website served as a breach notification service, similar to HaveIBeenPwned, with one key difference. Unlike HaveIBeenPwned, WeLeakInfo…

Read more →

Read the original article: Largest Ransomware Demand Now Stands at $30 Million as Crooks Get Bolder Ransomware attacks continue to surge, and research shows the average ransom paid to criminals by victim organizations has tripled in the last year. Cybersecurity…

Read more →

Read the original article: PYSA Ransomware Targets Education Sector Reports from the Cyber Division of the FBI warn of an uptick in PYSA ransomware attacks that have been targeting the education sector in recent months. The actors behind the ransomware…

Read more →

Read the original article: Outdated Android OS Still Being Used On Government Devices Android, the most popular mobile operating system (OS) in the world, runs a large number of devices in the U.S. government, but only 0.08% are running the…

Read more →

Read the original article: Critical Vulnerabilities in Microsoft DNS On Tuesday March 9, 2021 Microsoft rolled out its monthly update. Included in these fixes were seven security updates involving DNS vulnerabilities and of those seven, five included remote code execution…

Read more →

Read the original article: Blender Website Partially Restored Following Hacking Attempt The official Twitter account for blender.org, an open-source 3D graphics and animation software pipeline, announced on Sunday that the website had been brought down for maintenance due to “a hacking attempt.” During…

Read more →

Read the original article: Microsoft Releases One-Click Mitigation for CVE-2021-26855 To remediate the recent Exchange server vulnerabilities, Microsoft has released a new mitigation tool to assist organizations in their efforts to help stop the ongoing exploitation against vulnerable Exchange servers.…

Read more →

Read the original article: Magecart Attackers Hide Credit Card Data in Images Recently, attackers associated with credit card skimming attacks known collectively as “Magecart” have begun using image steganography to exfil stolen email data, as originally reported by BleepingComputer. Magecart…

Read more →

Read the original article: Fastway Couriers Reveals Data Breach International parcel courier service Fastway Couriers has revealed that they suffered a data breach that was identified by a third-party IT service provider on February 25th, 2021 and Fastway was notified…

Read more →

Read the original article: New PoC Puts Microsoft Exchange Bug Attacks in Reach of Anyone A security researcher has released a new proof-of-concept (PoC) that requires only slight modifications to install web shells on Microsoft Exchange servers vulnerable to the…

Read more →

Read the original article: COVID-19 Testing Service in US Exposes Patients’ Photos, Passports A COVID-19 testing service run by Premier Diagnostics exposed sensitive information of more than 50,000 people by storing data on two unsecured Amazon S3 buckets. The information…

Read more →

Read the original article: Black Shadow Threat Actors Target Another Israel based Company The threat actor group that goes by the name Black Shadow has hacked into the Israel-based company L.L.S Capital, a financing company. In an announcement posted to…

Read more →

Read the original article: DearCry Ransomware Makes its Debut In the wake of the ongoing rush to patch the four vulnerabilities affecting Microsoft Exchange servers, a new Ransomware called DearCry has begun to exploit those vulnerabilities. Since Microsoft confirmed its…

Read more →

Read the original article: CISA Reports That No Federal Civilian Agency Hacked in Exchange Attacks In testimony before the Homeland Security Subcommittee, Eric Goldstein, CISA’s executive assistant director for cybersecurity stated, “At this point in time there are no federal…

Read more →

Read the original article: Brazil’s National Data Protection Authority (ANPD) Announces Strategy, Begins Investigation to Combat Two Large Data Leaks ANPD reports “it is taking all the appropriate measures” to investigate the exposure of over 200 million citizens personal information,…

Read more →

Read the original article: The US Seizes Phishing Domains Impersonating COVID-19 Vaccine Sites The US Department of Justice has seized a fifth domain name used to impersonate the official site of a biotechnology company involved in the development of a…

Read more →

Read the original article: Spanish Government Attacked with Ryuk Ransomware The Spanish government agency for labor has been attacked by Ryuk ransomware and following the attack, more than 700 agency offices throughout Spain have been affected. The agency’s website stated…

Read more →

Read the original article: FIN8 Bolsters Their BADHATCH Backdoor After apparently lying dormant for some time, the financially motivated cybercrime group FIN8 have made their return. FIN8 threat actors have been observed recently using a new version of the BADHATCH…

Read more →

Read the original article: Europol ‘Unlocks’ Encrypted Sky ECC Chat Service to Make Arrests Sky ECC, a secure messaging platform with roughly 170,000 worldwide users from the US, Canada and Europe, was cracked by European Law Enforcement. Europol announced a…

Read more →

Read the original article: Linux Foundation Announces Open-Source Software Signing to Combat Supply Chain Attacks The SolarWinds attackers were able to insert malicious code into Orion software by subverting the build environment, the process which a program is compiled and…

Read more →

Read the original article: OVH Datacenter Goes up in Flames ZDNet reported that a disastrous fire has done severe damage to some of OVH’s Strasbourg datacenters. Of the damaged datacenters, SBG2 is completely destroyed, while parts of SBG1 are only…

Read more →

Read the original article: zoMiner Botnet is Targeting Elasticsearch and Jenkins Servers After being discovered in November 2020, the zoMiner botnet has shifted directions to target vulnerable versions of Elasticsearch and Jenkins servers. According to Qihoo 360’s Network Security Research…

Read more →