A vulnerability in the .NET Core library allows malicious programs to be launched while evading detection by security software.

This vulnerability is caused by a Path Traversal bug in Microsoft’s .NET Core library that allows malicious garbage collection DLLs to be loaded by users with low privileges.

This bug affects the latest stable release (3.1.x versions) of .NET Core. A fix is not currently available, and the bug could let attackers execute malicious code on a system without being readily detected by antivirus and EDR products.


As soon as security researchers uncovered the activity of GoldenSpy backdoor, the actor behind it fell back and delivered an uninstall tool to remove all traces of the malware.

GoldenSpy stayed hidden in software called Intelligent Tax, from Aisino Corporation, that a Chinese bank required its company customers to install for paying local taxes.

Double Taxation on Foreign Companies

Following an investigation into suspicious behavior on systems belonging to one of their clients, researchers at Trustwave SpiderLabs found that Intelligent Tax behaved in a way that is unrelated to the GoldenSpy component.

Although the actor and the purposes behind GoldenSpy remain unclear, the researchers say that the component has characteristics similar to a coordinated advanced persistent threat (APT) campaign that focuses on foreign companies operating in China.

The backdoor runs with the highest privileges on the system, allowing it to execute any software, legitimate or not. The activity observed consisted of exfiltrating basic system information and beaconing a remote server for updates.


Open systems, open data, and open-source software provide a means to promote greater transparency, public trust, and user participation. But what happens when adversaries can abuse the same systems?

After all, any system that’s open to everyone is also open to those who wish to use it for malicious intent.

Time and time again, we have seen how open-source ecosystems like npm or GitHub have been abused to spread malware. We have also seen how public WiFi hotspots can be tempting sites for attackers, and reports of Russian actors live-streaming webcams that should have remained hidden.

Similarly, public safety systems that are designed to protect and safeguard citizens from adversaries have been misused by the very adversaries to do the opposite.

These are common ‘vulnerabilities’ in our societal systems exploited on a smaller scale.

But what about the cases of nation-state actors targeting national security systems, especially if they are open-source, for malicious purposes?


The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country.

Behind the attack is a “sophisticated” adversary that relies on slightly modified proof-of-concept exploit code for vulnerabilities from years past, the government says. Unofficially, the finger of blame points to China.

Resilient adversary

The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of the Telerik user interface (UI) framework.

This would be the fourth warning this year (1, 2, 3, 4) from the Australian Cyber Security Centre (ACSC) about threat actors exploiting critical vulnerabilities in Telerik UI (CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, CVE-2017-11357). Exploit code has been publicly available for a while for all of them.

It is important to note that CVE-2019-18935 has been leveraged by multiple threat groups, a recently documented one being Blue Mockingbird (tracked by cybersecurity firm Red Canary), which used it for cryptocurrency mining purposes.


The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network.

Treck’s code is fundamental to the embedded devices it is implemented on because it provides them with network communication, and it is present in gadgets used in a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, and commerce.

The company has notified its customers and issued patches, but a week after the Ripple20 announcement from security research group JSOF, the full impact remains unclear.

This is because Treck’s code is licensed and distributed under different names, or serves as the foundation for other network stacks, making it hard to tell which products contain it.

Concerted efforts from national-level cybersecurity agencies and private companies in the field are ongoing to identify businesses with products vulnerable to issues in the Ripple20 vulnerability set.
