Alerts

Security researchers published technical details about malware used by a new threat actor that matches a signature in a scanner likely built by the U.S. National Security Agency and leaked more than two years ago.

The new threat received the name DarkUniverse and was active for at least eight years, between 2009 and 2017. It was identified last year, but the NSA knew about it long before.

The DarkUniverse framework

In 2017, a group called the Shadow Brokers published the Lost in Translation cache of tools believed to be from NSA’s digital armory. Among them was a script – sigs.py – with functions that look for unique malware signatures on a compromised system.

In total, sigs.py includes 44 entries, not all of them are known to the private sector security community. Researchers from Kaspersky found in 2018 the DarkUniverse APT (advanced threat from a nation-state) matching a function in the scanner.

Read more »

Everis, one of the largest IT consulting companies in Spain, suffered a targeted ransomware attack on Monday, forcing the company to shut down all its computer systems until the issue gets resolved completely.

According to several local media, Everis informed its employees about the devastating widespread ransomware attack, saying:

“We are suffering a massive virus attack on the Everis network. Please keep the PCs off. The network has been disconnected with clients and between offices. We will keep you updated.”

“Please, urgently transfer the message directly to your teams and colleagues due to standard communication problems.”

According to cybersecurity consultant Arnau Estebanell Castellví, the malware encrypted files on Everis’s computers with an extension name resembling the company’s name, i.e., “.3v3r1s,” which suggests the attack was highly targeted.

Read more »

If you’re using the popular rConfig network configuration management utility to protect and manage your network devices, here we have an important and urgent warning for you.

A cybersecurity researcher has recently published details and proof-of-concept exploits for two unpatched, critical remote code execution vulnerabilities in the rConfig utility, at least one of which could allow unauthenticated remote attackers to compromise targeted servers, and connected network devices.

Written in native PHP, rConfig is a free, open source network device configuration management utility that allows network engineers to configure and take frequent configuration snapshots of their network devices.

According to the project website, rConfig is being used to manage more than 3.3 million network devices, including switches, routers, firewalls, load-balancer, WAN optimizers.

What’s more worrisome? Both vulnerabilities affect all versions of rConfig, including the latest rConfig version 3.9.2, with no security patch available at the time of writing.

Discovered by Mohammad Askar, each flaw resides in a separate file of rConfig—one, tracked as CVE-2019-16662, can be exploited remotely without requiring pre-authentication, while the other, tracked as CVE-2019-16663, requires authentication before its exploitation.

  • Unauthenticated RCE (CVE-2019-16662) in ajaxServerSettingsChk.php
  • Authenticated RCE (CVE-2019-16663) in search.crud.php

In both cases, to exploit the flaw, all an attacker needs to do is access the vulnerable files with a malformed GET parameter designed to execute malicious OS commands on the targeted server.

Read more »

Cybersecurity researchers have spotted a new cyberattack that is believed to be the very first but an amateur attempt to weaponize the infamous BlueKeep RDP vulnerability in the wild to mass compromise vulnerable systems for cryptocurrency mining.

In May this year, Microsoft released a patch for a highly-critical remote code execution flaw, dubbed BlueKeep, in its Windows Remote Desktop Services that could be exploited remotely to take full control over vulnerable systems just by sending specially crafted requests over RDP.

BlueKeep, tracked as CVE-2019-0708, is a wormable vulnerability because it can be weaponized by potential malware to propagate itself from one vulnerable computer to another automatically without requiring victims’ interaction.

BlueKeep has been considered to be such a serious threat that since its discovery, Microsoft and even government agencies [NSA and GCHQ] had continuously been encouraging Windows users and admins to apply security patches before hackers gain hold onto their systems.

Even many security firms and individual cybersecurity researchers who successfully developed a fully working exploit for BlueKeep pledged not to release it to the public for a greater good—especially because nearly 1 million systems were found vulnerable even a month after patches were released.

This is why amateur hackers took almost six months to come up with a BlueKeep exploit that is still unreliable and doesn’t even have a wormable component.
Read more »

Thousands of QNAP NAS devices are getting infected with a malware dubbed QSnatch that injects into their firmware and proceeds to steal credentials and load malicious code retrieved from its command and control (C2) servers.

Germany’s Computer Emergency Response Team (CERT-Bund) says that, based on sinkhole data, roughly 7,000 NAS devices in Germany are currently affected by QSnatch infections.

The malware strain was spotted by researchers at the National Cyber Security Centre of Finland (NCSC-FI) after receiving reports from the Autoreporter service of infected NAS devices trying to communicate to C2 servers. Read more »