The Australian government released an advisory late last week about increased cyber activity from a state actor against networks belonging to its agencies and companies in the country.
Behind the attack is a “sophisticated” adversary that relies on slightly modified proof-of-concept exploit code for years-old vulnerabilities, the government says. Unofficially, the finger of blame points to China.
The attacker targets public-facing infrastructure with remote code execution exploits, a frequent choice being unpatched versions of Telerik UI.
This would be the fourth warning this year (1, 2, 3, 4) from the Australian Cyber Security Centre (ACSC) about threat actors exploiting critical vulnerabilities in Telerik UI (CVE-2019-18935, CVE-2017-9248, CVE-2017-11317, CVE-2017-11357). Exploit code for all of them has been publicly available for some time.
It is important to note that CVE-2019-18935 has been leveraged by multiple threat groups, one recently documented by cybersecurity firm Red Canary being Blue Mockingbird, which used it for cryptocurrency mining.
Read more »
The dust is far from settled following the disclosure of the 19 vulnerabilities in the TCP/IP stack from Treck, collectively referred to as Ripple20, which could help attackers take full control of vulnerable devices on the network.
Treck’s code is fundamental to the embedded devices it runs on because it provides their network communication, and it is present in devices used across a variety of sectors: technology, medical, construction, mining, printing, energy, software, industrial control systems (ICS), telecom, retail, commerce.
The company has notified its customers and issued patches, but a week after the Ripple20 announcement from security research group JSOF, the full impact remains unclear.
This is because Treck’s code is licensed and distributed under different names, or serves as the foundation for other network stacks.
Concerted efforts from national-level cybersecurity agencies and private companies in the field are ongoing to identify businesses whose products are vulnerable to the flaws in the Ripple20 set.
Read more »
Microsoft’s Defender ATP Research Team today issued guidance on defending against attacks targeting Exchange servers by blocking malicious activity identified through behavior-based detection.
The Microsoft researchers based their analysis on multiple Exchange attack campaigns investigated in early April, which showed how the malicious actors deployed web shells on on-premises Exchange servers.
Read more »
The Russian cybercrime group known as Evil Corp has added a new ransomware to its arsenal called WastedLocker. This ransomware is used in targeted attacks against enterprises.
The Evil Corp gang, also known by CrowdStrike as Indrik Spider, started as affiliates for the ZeuS botnet. Over time, they formed into a group that focused on distributing the banking trojan and downloader called Dridex via phishing emails.
As their attacks evolved, the group created a ransomware called BitPaymer which was delivered via the Dridex malware in targeted attacks against corporate networks.
In a new report by NCC Group’s Fox-IT security research team, researchers explain that after the indictment of Evil Corp members Igor Olegovich Turashev and Maksim Viktorovich Yakubets, the hacking group began restructuring its tactics. Read more »
Researchers reported on Monday that hackers are now exploiting Google’s Analytics service to stealthily pilfer credit card information from infected e-commerce sites.
According to several independent reports from PerimeterX, Kaspersky, and Sansec, threat actors are now injecting data-stealing code into the compromised websites alongside tracking code generated by Google Analytics for an account they control, letting them exfiltrate payment information entered by users even where content security policies are enforced for maximum web security.
“Attackers injected malicious code into sites, which collected all the data entered by users and then sent it via Analytics,” Kaspersky said in a report published yesterday. “As a result, the attackers could access the stolen data in their Google Analytics account.”
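The mechanism described above, as an added example that is not part of the original article or of the vendor reports it cites: a skimmer that exfiltrates through Google Analytics sends its beacons to the same allow-listed google-analytics.com endpoint the site itself uses, so Content Security Policy cannot tell the two apart. What does differ is the `tid` property ID in the Measurement Protocol request, because the skimmer must report to an account the attacker controls. The code below inventories observed outbound requests and flags Analytics beacons whose `tid` is not one of the site's own, and separately lists which CSP directives permit the Analytics host at all. The sample requests, property IDs and CSP header are constructed for illustration; the endpoint paths and parameter names are those of the Universal Analytics Measurement Protocol.

```javascript
// Added example, not code from the article or from the vendors it cites.
// Detects Google Analytics "collect" beacons sent to a property ID the site
// does not own, which is the observable a defender has when CSP allows the
// Analytics host for legitimate telemetry. Sample data below is constructed.

const GA_HOSTS = new Set([
  "www.google-analytics.com",
  "google-analytics.com",
  "ssl.google-analytics.com",
]);

// Universal Analytics collect endpoints; hits arrive as GET with a query
// string or POST with a form-encoded body, using the same parameter names.
const COLLECT_PATH = /^\/(?:r\/|j\/)?collect$/;

// Parse one observed request ({url, body}) into its Analytics parameters,
// or return null when the request is not an Analytics collect beacon.
function parseGaBeacon(request) {
  let url;
  try {
    url = new URL(request.url);
  } catch {
    return null;
  }
  if (!GA_HOSTS.has(url.hostname) || !COLLECT_PATH.test(url.pathname)) {
    return null;
  }
  const params = new URLSearchParams(url.search);
  // Body parameters take precedence over duplicates in the query string.
  for (const [key, value] of new URLSearchParams(request.body || "")) {
    params.set(key, value);
  }
  return {
    url: request.url,
    tid: params.get("tid"),          // property ID the hit is reported to
    eventCategory: params.get("ec"), // event fields: where stolen data tends to ride
    eventAction: params.get("ea"),
    eventLabel: params.get("el"),
  };
}

// Return every beacon whose property ID is not in the site's own list.
// A missing tid is reported too: every legitimate hit carries one.
function findRogueBeacons(requests, ownTids) {
  const own = new Set(ownTids);
  const rogue = [];
  for (const request of requests) {
    const beacon = parseGaBeacon(request);
    if (beacon && !own.has(beacon.tid)) rogue.push(beacon);
  }
  return rogue;
}

// List the CSP directives that permit the Analytics host. CSP works on
// origins, so any directive here allows a rogue beacon exactly as it allows
// the site's own telemetry; account-level filtering has to happen elsewhere.
function cspDirectivesAllowingGa(cspHeader) {
  const allowing = [];
  for (const directive of cspHeader.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (!name) continue;
    const permits = sources.some((source) => {
      if (source === "*" || source === "https:") return true;
      const host = source.replace(/^https?:\/\//, "").replace(/^\*\./, "");
      return GA_HOSTS.has(host);
    });
    if (permits) allowing.push(name);
  }
  return allowing;
}

// Constructed sample traffic: the site's own page view, an unrelated asset
// request, and a beacon carrying form contents to a property ID the site
// does not own. The IDs are placeholders, not real accounts.
const SAMPLE_REQUESTS = [
  { url: "https://www.google-analytics.com/collect?v=1&tid=UA-1111111-1&cid=555&t=pageview&dp=%2Fcheckout" },
  { url: "https://cdn.example.com/app.js" },
  {
    url: "https://www.google-analytics.com/collect",
    body: "v=1&tid=UA-9999999-9&cid=555&t=event&ec=form&ea=submit&el=" +
      encodeURIComponent("[constructed placeholder for captured form fields]"),
  },
];
const SITE_TIDS = ["UA-1111111-1"];
const SAMPLE_CSP = "default-src 'self'; script-src 'self' https://www.google-analytics.com; " +
  "connect-src 'self' https://www.google-analytics.com; img-src 'self' https://www.google-analytics.com";

if (typeof require !== "undefined" && require.main === module) {
  console.log("rogue beacons:", findRogueBeacons(SAMPLE_REQUESTS, SITE_TIDS));
  console.log("CSP directives allowing Analytics:", cspDirectivesAllowingGa(SAMPLE_CSP));
}
```

In practice the request list would come from a CSP `report-to` sink, a network proxy log, or a synthetic-monitoring browser; the useful output is a beacon reporting to an unexpected property ID, which no origin-based policy can catch on its own. Sites that have moved to GA4 would need to add its `/g/collect` path and `G-` style IDs to the same logic.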
Read more »