Tag: Threat Watch – Binary Defense

Microsoft patched around 99 important/critical vulnerabilities in their most recent February Patch Tuesday. Among those vulnerabilities was a critical vulnerability (CVE-2020-0688) affecting all versions of Microsoft Exchange, which allows attackers to remotely execute code through ViewState.  ViewState is server-side data…

Read more →

Iran: A new malware that has been dubbed ForLord was found targeting government officials and corporations from mid-2019 to January 2020. The malware was distributed through emails and targeted corporations in the countries of Turkey, Jordan, and Iraq. Government officials…

Read more →

A large SQL dump was found by the team at Under the Breach that contained about 21.5 GB of uncompressed data from at least two different sites. The SQL, which is a method of communicating with a database, were obtained…

Read more →

Ruhur-Universität Bochum researchers have seen a new attack that targets 4G networks and allows attackers to operate as a user. Research reveals that IMP4GT affects any device that uses LTE to communicate, including phones, tablets, and other IoT devices. Two…

Read more →

Researchers at Cisco Talos have come across a new RAT (Remote Access Trojan) that they are calling ObliqueRAT. The new RAT appears to be targeting Southeast Asian organizations through attached Word documents with macros. Cisco Talos also believes there may…

Read more →

Google has released a Chrome update that patches three different security bugs, including a zero-day vulnerability that has been actively exploited. Google has not made any details of the active exploitation of the zero-day public though. The only detail being…

Read more →

Just like the Maze ransomware authors, the DopplePaymer ransomware authors have created a public site to post victim’s data should they refuse to pay the ransom. This site should serve as a motivator for companies hit by DopplePaymer to pay…

Read more →

Mexico’s economy ministry detected a cyber-attack on February 23, 2020. The servers that were targeted in the attack did not contain any sensitive information. After the attack was discovered, security measures were increased to prevent future attacks. It was not…

Read more →

Discovered by MalwareHunterTeam, a new backdoor malware, called Mozart, has been found using DNS protocol to communicate with remote attackers to evade detection by security software. Normally when a malware communicates for commands, it does over HTTP/S protocols for ease…

Read more →

The France-based sports retailer Decathlon noticed recently that over 123 million records that included customer and employee information were exposed through a misconfigured database. A 9GB database on an Elasticsearch server was discovered by researchers at vpnMentor. From observations by…

Read more →

The Defense Information Systems Agency (DISA) announced that it was the subject of a significant data breach. DISA provides IT support and services to the White House, the President and Vice-President, US Secret Service, Joint Chiefs of Staff and more.…

Read more →

Slickwraps, a store for creating custom “skins” for mobile devices, consoles and more have recently alerted customers to a data breach. After finding a path traversal vulnerability with the image uploader used for designing skins, Twitter user @Lynx0x00 (whose account…

Read more →

Honeywell released a firmware update to patch two vulnerabilities in the NOTI-FIRE-NET Web Server (NWS-3) product. One of the vulnerabilities, identified as CVE-2020-6972, allows an attacker to bypass the authentication system to gain access to the administration dashboard and control…

Read more →

Exaggerated Lion: A newly discovered threat group, dubbed Exaggerated Lion, is believed to have targeted over 2,100 organizations in the US with Business Email Compromise (BEC) campaigns since 2013. The group is distributed between multiple countries around Africa including Nigeria,…

Read more →

The integrated facility services provider ISS World recently suffered a cyber-attack that caused its websites to go down for a few days and disrupted email services. It was reported that the attack left nearly 43,000 UK staff without email access.…

Read more →

The Ring doorbell camera system has become one of the most popular home security add-ons in recent years, but some people have questioned the security of the Internet of Things (IoT) devices. On Feb 18th, Ring president Leila Rouhi published…

Read more →

WP-VCD is a WordPress botnet that has been around since early 2017. It is able to create backdoor accounts, spread to other installed themes, redirect visitors, inject ads, and add command and control capabilities to a victim’s site. Ad revenue…

Read more →

In an out-of-schedule patch, Adobe patched an out-of-bounds write for Adobe After Effects (CVE-2020-3765). This critical vulnerability affects Adobe After Effects versions 16.1.2 and earlier.  Additionally, Adobe patched another out-of-bounds write for Adobe Media Encoder. This critical vulnerability affects Adobe…

Read more →

For a five-month period between 2018 and 2019, hackers gained access to systems belonging to Citrix. Citrix was notified of the breach in March of 2019 by the FBI, who informed Citrix that the breach appeared to have happened through…

Read more →

The Department of Homeland Security has reported that an unnamed US natural gas company was forced to shut down operations for two days after being infected with ransomware. The ransomware was able to make its way into the company’s Information…

Read more →

Security researchers JAMESWT, TG soft and reecdeep have found new malicious spam (malspam) email campaign delivering ransomware that is currently targeting Italian Windows users. The Dharma ransomware is a variant of another ransomware family called Crysis. Dharma has been active…

Read more →

DRBControl: Talent-Jump and Trend Micro have both released research after two different websites were confirmed to be hacked by what appears to be the same group. The threat group, called DRBControl by researchers, is believed to be based in China.…

Read more →

In a recent Microsoft patch, a fix was announced for 2020-0618 which allowed low-level authorized users to remotely execute code on Microsoft SQL servers. Using the functionality provided by the SQL Server Reporting Services web application, browser level users can…

Read more →

Iran: A significant number of security bugs were disclosed last year pertaining to major VPN providers such as Pulse Secure, Palo Alto, Fortinet, and Citrix. A new report indicates that the Iranian government took notice of those vulnerabilities and set…

Read more →

Researchers at Trend Micro have recently discovered a LokiBot variant disguising itself as the Epic Games Launcher. The variant uses the open source NSIS (Nullsoft Scriptable Install System) to create an installer application with the Epic Games logo to convince…

Read more →

Hamas: Members of Hamas have created fake dating applications to target members of the Israel Defense Force (IDF). Researchers at Check Point have found at least three dating applications that were being used by the threat actors. GrizyApp, ZatuApp, and…

Read more →

The researchers at MalwareHunterTeam have discovered a new phishing campaign targeting at least 13 companies, some of them very well known. This new campaign uses SLK (Symbolic Link) file attachments that are used by the Microsoft Excel program to share…

Read more →

Ginp was first recognized by Kaspersky labs in 2019 and was found to have all the capabilities of a standard Android banking trojan. Since a new version has surfaced, a new capability has been added as well. The trojan is…

Read more →

Federal authorities arrested Larry Dean Harmon of Bath, Ohio for the part he played in the operation of Helix. Helix was a bitcoin mixing service which worked closely with the Darknet criminal market AlphaBay, which was taken down by federal…

Read more →

Several months ago, the Android Trojan “xHelper” infected tens of thousands of devices, and was unable to be removed even after a factory reset of the phone. With the help of the user “misspaperwait,” Malwarebytes was recently able to discover…

Read more →

As a Valentine’s Day surprise, USCYBERCOM publicly released six malware samples on VirusTotal and seven malware analysis reports on the uploaded malware. As attributed by the National Cyber Investigative Joint Task Force (NCIJTF), these samples were used by North Korean…

Read more →

A police report was filed yesterday documenting a scam that saw Puerto Rico’s Industrial Development Company send around $2.6 million dollars to criminals. Rubén Rivera, the company’s finance director said a payment was made on January 17th, 2020 when an…

Read more →

Altice USA Inc, provider of Optimum cable television and internet services in the New York tri-state area, can now be included in the long list of companies that have become victims of phishing scams. An official from the company states…

Read more →

MoleRATs: The Arabic speaking threat actor known as MoleRATs, which is part of a trio of groups, is believed to be behind two recent campaigns tracked by researchers from the Cybereason Nocturnus team. The first campaign is called Spark and…

Read more →

On January 3rd, researchers from VPNMentor uncovered an unsecured Amazon Web Services Simple Storage Service (S3) bucket, owned by JailCore, a cloud-based app used by multiple US correctional facilities. Anyone could access the files stored on the S3 bucket using…

Read more →

The cybersecurity company Kaspersky has discovered a new virus, dubbed KPOT. KPOT is the first true computer virus in recent years—most infections tend to fall into other categories of malware. The term “virus” is often used interchangeably with “malware,” but…

Read more →

Two of three Ukrainian men suspected of stealing $1.5 million USD from ATMs in Bosnia have been taken into custody by Bosnian authorities. The men are accused of stealing from ATMs belonging to the Russian State-owned bank Sberbank. Dmytro Boyko…

Read more →

Outlaw: Researchers from Trend Micro have identified that after a few months of silence, the Outlaw crypto-mining group has returned. The group was last seen in June 2019, when they were using a similar toolkit to carry out attacks. In…

Read more →

Recent observations by researchers have revealed a new PayPal phishing email scam that attempts to obtain data, including Social Security numbers (SSN). Potential victims receive an email that states their account has been locked. Within the email is a bit.ly…

Read more →

US Attorney General Bill Barr announced yesterday that four employees of China’s military have been charged with the 2017 Equifax breach. The defendants, who work for the 54th Research Institute of the Chinese People’s Liberation Army (PLA) were indicted for…

Read more →

OurMine: The self-proclaimed security group OurMine has struck again, this time targeting Facebook. The group compromised Facebook’s Twitter account this time instead of directly targeting Mark Zuckerberg as they did in 2016. As with their previous attacks, the group abused…

Read more →

Last November, the security company ERNW reported a critical vulnerability that affected Android’s implementation of Bluetooth. The vulnerability, dubbed “BlueFrag,” has been assigned CVE-2020-0022 and affects Android versions 8 and 9. Although Android 10 is technically affected, the exploit currently…

Read more →

Recently, the domain corp.com has gone up for sale for a price of $1.7 million USD. This domain would be particularly dangerous if a threat actor were to control it, due to the fact that many corporate domains have misconfigured…

Read more →

In April 2018, researchers first discovered the Metamorfo malware in various campaigns. The malware initially targeted Brazilian companies in the finance industry. Recently a new campaign to deliver the malware expanded its geographic range and added a keylogger function. The…

Read more →

Threat actor groups have recently sent phishing email messages disguised as an invoice, targeting Android phone users with the malicious app known as Anubis. The phishing messages contain an attached Android Package Kit (APK) file. If the email message and…

Read more →

IRAN: The Iranian-backed threat group known as APT35 or Charming Kitten has recently used phishing email messages claiming to be a journalist to trick victims. The phishing campaign targets political figures and human rights activists, attempting to lure them into…

Read more →

While tracking Emotet activity, Binary Defense’s analysts found that Emotet dropped a Wi-Fi spreader that used brute-force password guessing, contained inside a self-extracting RAR file. Inside the RAR file were two files, worm.exe and service.exe, which were used to spread…

Read more →

Anonymous: Members of the hacktivist collective Anonymous targeted a website belonging to the United Nations (UN). The specific page which was defaced was the UN’s Economic and Social Council web page. The group defaced the website with the Taiwanese flag,…

Read more →

New ransomware using the extension “.SaveTheQueen” was found in December by Twitter user @malwrhunterteam. To spread and track the infection, an attacker used the SYSVOL share on the domain controller by creating a scheduled task and creating log files for…

Read more →

On Friday, the Australian logistics company Toll Group suffered a “cybersecurity incident” which has since been confirmed as ransomware. A spokesman stated that the company was the victim of a “targeted ransomware attack” and that a number of the company’s systems…

Read more →

Gamaredon: A new report released by Sentinel Labs has illustrated how the well-known pro-Russian Advanced Persistent Threat (APT) Gamaredon has improved their toolkits in previous months to continue their campaigns. Attacks from the group have ramped up against Ukrainian national…

Read more →

Researchers from Cybereason have discovered seven types of malware threats being hosted on the code hosting service Bitbucket. Cybercriminals use legitimate hosting services hoping to look less suspicious and infect more systems. They trick unsuspecting victims into downloading these viruses…

Read more →

Lithuanian intelligence has reported that China has been reaching out to targets in Lithuania through LinkedIn. Typically, Chinese intelligence posing as fake Chinese companies will reach out to civil servants, information technology specialists, defense sector employees, scientists, and employees in…

Read more →

A Russian-speaking cybercriminal forum has recently announced a forum-wide competition with a $15k prize pool up for grabs sponsored by operators of the Sodinokibi ransomware. First place in the competition gets $5,000, with the prize decreasing by $1,000 for second…

Read more →

The City of Racine’s city website, email system, and online payment system were all knocked offline by ransomware early Friday morning.  While the city’s Management Information Systems department worked Friday to determine the extent of the infection and began to…

Read more →

Late last week, Britain’s National Crime Agency (NCA) arrested six individuals in Belfast and London who are believed to be connected to laundering money stolen during a cyber-attack against the Bank of Valletta. Last February, hackers attempted to withdraw a…

Read more →

The Linear eMerge E3 building access system, created by Linear Solutions, has an unpatched vulnerability that was first announced in May 2019, identified as CVE-2019-7256. In November 2019, code that provided a proof-of-concept exploit was released publicly. Now, researchers from…

Read more →

Brett Callow of Emsisoft says ransomware attacks have struck five law firms recently, including three just this past weekend. Two of the affected firms have already had their information, which includes that of their clients, posted online for anyone to…

Read more →

TA505: Researchers from Microsoft have seen the threat group TA505 return from a short break of no activity. Since 2014, the financially motivated threat group has been notorious for spreading remote access trojans (RAT) to compromise retailers and large financial…

Read more →

Trickbot has evolved again with a new module, called rdpscanDll, which allows computers infected with Trickbot to scan other systems on the network for Remote Desktop Protocol (RDP) access. As there have been several critical RDP vulnerabilities released recently, this…

Read more →

Winnti: Researchers at ESET discovered a new campaign by the Winnti Group in November that targeted two universities in Hong Kong. A few weeks after finding the Winnti malware, an updated version of their “ShadowPad” backdoor was also discovered. MITRE…

Read more →

CNBC reported on the threat to consumers and retailers from e-skimming attacks against online shopping websites. These attacks attempt to inject JavaScript into the checkout page of a retail website to steal consumers’ payment card details and personal information. Herb…

Read more →

A government contractor known for their electronics work, EWA, became aware of a ransomware infection recently. The suspected attack took place last week and affected the company’s web servers. The company took the servers down soon after becoming aware of…

Read more →

Two vulnerabilities in Azure Stack that could have resulted in attackers gaining control over cloud servers or accessing client data without authorization were responsibly reported to Microsoft and patched in October and November of 2019. Now, researchers at Check Point…

Read more →

According to the country of Israel’s Energy Minister, Israel detected a “very serious cyber-attack” that they were able to defend against. The attack was combatted a few months ago and represented one of the very few serious cyber-attacks the country…

Read more →

Emotet, the highly prolific and sophisticated botnet, has recently started using email templates posing as a Kyoto Coronavirus notification. The templates are used to send malicious email messages from infected computers to spread the botnet. The email messages contain malware…

Read more →

Late Monday evening, a new posting appeared on Joker’s Stash, which is believed to contain cards from the Wawa data breach. Joker’s Stash is a popular criminal market website for stolen payment card data, where card data is regularly dumped…

Read more →

Adobe released an update yesterday for all editions of Magento, fixing six different vulnerabilities. Out of the three vulnerabilities that were marked as critical, two of them had the possibility to lead to code execution. The group behind many of…

Read more →

OurMine: After over two years of being dormant, the Saudi threat actor group OurMine has made a return. This time, the group attacked the Twitter accounts for various NFL entities this week, leading up to the National Football League’s (NFL)…

Read more →

As tax season approaches, scammers have begun their rounds of tax-related scams in an attempt to steal information. Documented below are some of the more popular scams that have been seen in the past. The first one involves scammers posing…

Read more →

The email security firm MailGuard has intercepted an email that claims to be from the popular streaming service Netflix. This new email appears to be from Netflix and states that the user’s “billing information has been modified,” attempting to trick…

Read more →

Originally reported to SolarWinds on October 10th, this flaw known as “Dumpster Diver,” allows attackers to gain domain administrator credentials, essentially granting them control over the entire system. Proof-of-concept code to exploit the vulnerability is available. While SolarWinds pushed out…

Read more →

In an operation carried out by Indonesian National Police, dubbed Operation Night Fury, three men were arrested for participating in Magecart style attacks. Magecart attacks refer to a method of stealing payment card and customer information from online shopping websites…

Read more →

Twitter user @malwrhunterteam recently discovered an updated version of the “Ryuk Stealer” malware. Ryuk Stealer automatically searches for and steals files from infected computers. It is thought to be related to Ryuk ransomware because it shares some code similarities, but…

Read more →

The Maze Ransomware operators have kept their promise to leak data after not collecting their ransom payments. Medical Diagnostics Laboratories (MDLab) was reported to be infected on December 2nd, 2019 and they have refused to pay the 200 Bitcoin ransom…

Read more →

Cryptomining malware Vivin has been watched closely by researchers over the past few years. What they’ve noticed is that the malware has switched its tactics to be able to adapt to the ever-changing cryptocurrency market. The Monero cryptocurrency is its…

Read more →

Iran: Researchers from Recorded Future observed evidence of the Remote Access Trojan PupyRAT targeting the European energy sector. Although the researchers could not attribute the attack to a specific threat group, they noted that the Iran-backed threat group APT 33,…

Read more →

Tucker Preston, a co-founder of the Distributed Denial of Service (DDoS) mitigation company BackConnect, has admitted to funding DDoS attacks. The 22-year-old was in court last week where he pleaded guilty to one count of damaging a protected computer by…

Read more →

TrickBot, a well-known banking trojan, uses a series of modules to accomplish a wide variety of tasks.  Some examples of modules are wormWinDll, which uses EternalBlue to spread through a network by exploiting unpatched Windows computers, and DomainDll which steals…

Read more →

Sodinokibi has struck again, this time threatening to release stolen data from GEDIA Automotive Group. In previous threats, the group tried to use GDPR as a motivator for victims to pay the ransom. This latest post makes no such threat,…

Read more →

ISIS/United States: Recently declassified reports have been released outlining how the United States managed to carry out cyber-attacks, combatting the propaganda campaigns being used by ISIS in 2016. The documents were released under the Freedom of Information Act request. The…

Read more →

After details of the sLoad malware were exposed in a Microsoft report last month, the authors of the malware have released a new version this month, dubbed Starslord or sLoad 2.0. The new variant doesn’t change much but it does…

Read more →

A phishing effort targeting The UPS Store which took place between September 29th, 2019 and January 13th, 2020 exposed personal and financial information for a number of their customers. Through investigation after the discovery of the attack, it appears that…

Read more →

Mitsubishi Electric, which manufactures electronic goods ranging from household items to defense equipment, announced that they were the victims of a cyber-attack sometime last year. The intrusion came to light for the company last June when it detected unauthorized access…

Read more →

FTCode, a PowerShell-based ransomware originally found in 2013 by researchers at Sophos has recently resurfaced with an update. Because this ransomware is entirely script-based, no other components are required, and no further downloads are made. This also makes it simple…

Read more →

16Shop, currently tracked by the ZeroFOX Alpha Team, is a prolific phishing kit distribution network.  Phishing kits are tools created and sold by cyber criminals which are used to fake login pages used by popular services, such as Amazon. When…

Read more →

The team at Microsoft has released a security advisory that details a remote code execution vulnerability (RCE) in Internet Explorer. The bug exists in the way that the scripting engine in jscript.dll handles objects in memory in Internet Explorer. If…

Read more →

Middle East: A new Remote Access Trojan (RAT) has been identified by researchers at Talos that is using malicious Word documents to target people in the Middle East who speak Arabic. The threat actor behind this campaign is using a…

Read more →

A cybercriminal has published a list of Telnet credentials on a popular hacking forum that contains more than 515,000 credentials for servers, home routers, and IoT smart devices. Telnet is an insecure remote access protocol that allows the administration of…

Read more →

North Korea:  An expert on UN sanctions has warned that a report due to be submitted to the UN Security Council will be flagging the upcoming cryptocurrency conference in North Korea as a “likely sanctions violation.” This comes after independent…

Read more →

On Thursday, January 16th, 2020 the FBI and US Department of Justice announced that they had seized the internet domain name WeLeakInfo.com.  The website served as a breach notification service, similar to HaveIBeenPwned, with one key difference.  Unlike HaveIBeenPwned, WeLeakInfo…

Read more →

Now that NetScaler exploits for CVE-2019-19781 have been public for a couple of weeks, actors have had a little more time to update their arsenals. One particular actor has caught the interest of researchers for their method of entry and…

Read more →

The Canadian online pharmacy PlanetDrugsDirect is notifying its customers of a data breach that impacted some personal and financial information. The company is a member of the Canadian International Pharmacy Association (CIPA) and has both Canadian and US customers.  The…

Read more →

Molerats/APT-C-37: AT&T Security has found that many reports outlining events in 2019 identified Molerats and APT-C-37 being behind a number of attacks, but because of similarity in their Tactics, Techniques, and Procedures (TTP’s) researchers believe some attacks were attributed incorrectly.…

Read more →

The iMessage vulnerability addressed last year as CVE-2019-8641 and deemed critical with a CVSS score of 9.8 had technical details published by Google’s Project Zero team recently. iOS versions 12 or later are affected by the vulnerability that could allow…

Read more →

Russia:  A recent investigation revealed that members of Russian intelligence appear to have heavily targeted the Ukrainian energy company Burisma. It appears that employees of Burisma were targeted with a “sophisticated network of fake websites.” The websites were all designed…

Read more →

Microsoft had a particularly important Patch Tuesday this week. Not only were flaws found in the CryptoAPI library, but arguably more severe flaws were found with the Remote Desktop Client and Gateway that allow for unauthenticated remote code execution. CVE-2020-0609…

Read more →

The Manor Independent School District in Texas revealed that an investigation has begun into a series of phishing emails sent to multiple employees that eventually resulted in a loss of $2.3 million USD.  While multiple employees received emails requesting money…

Read more →

China (APT 40): Reports from two researchers calling themselves Intrusion Truth state that they have found evidence to link APT40 and other Chinese APT activity to job postings that are a front for companies to hire hackers. While looking through…

Read more →

KrebsonSecurity has reported that Microsoft plans to kick off patch Tuesday by delivering a fix for a substantial cryptographic flaw present in all versions of Windows. Krebs believes the flaw lies within the crypt32.dll file, and if unpatched it could…

Read more →