News

Linux worm infects Azure installations through Exim vulnerability

Microsoft has warned users about a new Linux worm that spreads through Exim mail servers. According to experts, the malware has already compromised a number of Azure installations. As was discovered last week, cybercriminals are using the CVE-2019-10149 vulnerability to attack millions of mail servers that have an Exim client installed. The problem affects Exim versions from 4.87 to 4.91 and allows an …

XSS vulnerability allowed penetrating Google’s internal systems

Back in February of this year, Thomas Orlita, a 16-year-old bug hunter from the Czech Republic, discovered a dangerous vulnerability in a Google backend application. The bug allowed stealing cookies from the company’s internal applications as well as users’ cookies, and using them to organize phishing attacks and access other parts of Google’s internal network. The problem was fixed in April, and, after waiting some …

Critical bug in the Evernote extension has put millions of users at risk

At the end of May 2019, specialists at Guardio found a dangerous vulnerability in the Evernote Web Clipper extension for Chrome. The researchers warned that, given Evernote’s high popularity, the bug may affect at least 4,600,000 users. The vulnerability received the identifier CVE-2019-12592 and critical status. The bug is a UXSS (universal cross-site scripting) flaw, which allows bypassing the Same Origin Policy …

Millions of unpatched Exim mail servers are now under active attack

Cybercriminals are now actively attacking mail servers that run Exim, exploiting a vulnerability recently discovered in the software. As of June 2019, Exim was installed on nearly 57% (507,389) of all mail servers visible on the Internet (according to some data, the actual number of Exim installations exceeds this figure by ten times and …

Researchers taught Rowhammer to steal data

A team of researchers from the United States, Australia and Austria has developed a new version of the Rowhammer attack. Unlike previous versions, the new attack, called RAMBleed, allows not only modifying data and escalating privileges, but also stealing data stored on the device. Rowhammer is an exploit class for a hardware vulnerability (CVE-2019-0174) in modern memory cards. By default, data in memory …

Vulnerability in Vim and Neovim editors leads to code execution while opening a malicious file

A vulnerability (CVE-2019-12735) has been found in the Vim and Neovim text editors that allows arbitrary code execution when a specially crafted file is opened. The problem manifests itself when the modeline feature, which is enabled by default (“:set modeline”), is active; modelines allow editing options to be defined in the file being processed. The vulnerability was fixed in the Vim 8.1.1365 and Neovim 0.3.6 releases. Through modeline, …

Austrian scientists created a method of tracking browsers using JavaScript

A group of researchers from Graz Technical University (Austria) has developed an automated system for creating browser profiles using two new side-channel attacks, which reveal information about the software and hardware in use and make it possible to track a browser on the Internet more effectively. The specialists presented the results of the study under the title “JavaScript Template Attacks: Automatically Inferring Host Information for Targeted Exploits”. According …

Vulnerability in WP Live Chat Support plugin allows stealing logs and inserting messages in chats

The developers of the WP Live Chat Support plugin, which has more than 50,000 installations, report that users should immediately upgrade the plugin to version 8.0.33 or later. A critical vulnerability was detected in the plugin that allows an attacker who does not have valid credentials to bypass the authentication mechanism. WP Live Chat Support allows adding to the website free chat …

Attackers actively exploit previously discovered vulnerability in Oracle WebLogic

A recently fixed vulnerability in Oracle WebLogic is being actively exploited by cybercriminals to install cryptocurrency miners on vulnerable servers. This is a deserialization vulnerability (CVE-2019-2725) that allows an unauthorized attacker to remotely execute commands. The problem was discovered in April this year, when cybercriminals had already shown interest in it. Oracle fixed the vulnerability at the end of the same month, …

RCE vulnerability detected in Diebold Nixdorf ATMs

On Monday, June 10, 2019, Diebold Nixdorf, one of the world’s largest ATM manufacturers, began warning its customers about vulnerabilities in Opteva ATMs. The bug allows remote execution of arbitrary code. NightSt0rm, a group of Vietnamese experts, published information about this vulnerability last week. According to the researchers, they were able to find an external OS service in old …

APT group MuddyWater expanded its arsenal and uses new attack vectors

The Iranian APT group MuddyWater has begun using new attack vectors against telecommunications and governmental organizations. According to the information security company Clearsky Security, MuddyWater has expanded its tactics, techniques and procedures (TTP) with new Microsoft Word documents that download malicious files through compromised servers, as well as documents that exploit CVE-2017-0199. “The TTP includes decoy documents exploiting CVE-2017-0199 as the …

Cybercriminal with nick Achilles has put up for sale access to the internal networks of Symantec, Comodo and UNICEF

Someone using the nickname Achilles is selling access to the internal networks of a number of organizations, including UNICEF, Symantec and Comodo, on cybercrime forums. Depending on the organization, the cost of access ranges from two to five thousand dollars. Earlier, Trojan-killer reported on a cybercriminal or a group of cybercriminals using the pseudonym Fxmsp who were selling source code and other data from …

57% of mail-servers have critical vulnerability

Qualys researchers discovered a critical vulnerability that affects more than half of mail servers. The problem was detected in the Exim Mail Transfer Agent (MTA) software, which is installed on mail servers to deliver emails from the sender to the addressee. According to data for June 2019, Exim is installed on 57% (507,389) of all servers found on the Internet. …

0patch experts fixed one of the holes that legendary SandboxEscaper left in Windows security

0patch experts have released an unofficial patch designed to fix a 0-day vulnerability in Windows 10 affecting Task Scheduler. An exploit for this security issue was published at the end of May by an extravagant specialist known by the online pseudonym “SandboxEscaper”. SandboxEscaper demonstrated exploitation of this vulnerability with a malicious .JOB file. According to 0patch experts, only previous versions of …

Participant in the Metasploit project created a working module for exploiting the BlueKeep vulnerability

A security researcher using the nickname Zerosum0x0 has created a module for the Metasploit framework that exploits the BlueKeep vulnerability on Windows XP, 7 and Server 2008. BlueKeep (CVE-2019-0708) is a “worm-like” vulnerability that could allow a wave of mass malware infections, similar to the WannaCry attacks in 2017. The problem affects Remote Desktop Services in Windows 7, Server 2008, Windows XP and …

Cisco Talos: Cybercriminals like Dr. Frankenstein collect malware for attacks from disparate components

The cybercrime group behind a series of targeted attacks in January-April 2019 uses malicious tools assembled from accessible, free components to steal credentials. Researchers at Cisco Talos called this malware campaign “Frankenstein” because the group skillfully puts together unrelated components and used four different techniques during the operation. “We assess that this activity was hyper-targeted given that there was …

Vulnerabilities in rkt allow bypassing the container and getting root permissions on the host

Security researcher Yuval Avrahami discovered vulnerabilities in the rkt container runtime that allowed him to bypass the container and get root permissions on the host. The problems have been assigned the identifiers CVE-2019-10144, CVE-2019-10145 and CVE-2019-10147. An attacker can exploit the vulnerabilities to compromise a host when a user enters the ‘rkt enter’ command (equivalent to the ‘docker …

Microsoft Azure turned out to be an excellent service for storing malware and cybercriminal infrastructure

Microsoft Azure cloud services have become an excellent choice for cybercriminals who need somewhere to store malicious content. From phishing templates to malware and C&C servers, it looks like the attackers have found suitable storage for all of this. “Not only is Azure hosting malware, it is also functioning as the command and control infrastructure for the malicious files”, …

GandCrab malware operators are winding down their activity

Almost a year and a half after the release of the GandCrab malware, its operators decided to close down their business and instructed their partners to stop spreading the program. GandCrab arrived in the cybercriminal world on January 28, 2018. This ransomware replaced such infamous encryptors as TeslaCrypt, CryptoWall and Spora, and became one of the dominant, if not the …

Researchers discovered a backdoor in Slick Popup WordPress-plugin

Experts from Defiant discovered a problem in the Slick Popup WordPress plugin that lets attackers get into vulnerable websites and create backdoor accounts. The issue affects all versions of the plugin, including the newest, 1.7.1. Slick Popup has about 7000 installations and was developed by Om Ak Solutions. Slick Popup was created to work in conjunction with another popular WordPress solution – Contact Form …

Cybercriminals infect Docker hosts with an open API, and then look for similar ones using Shodan service

Attackers scan the Internet for Docker installations with open APIs and use them to distribute malicious Docker images containing Monero cryptocurrency miners and scripts that use Shodan to search for new victims. The new campaign was noticed by Trend Micro researchers after a malicious image with a crypto miner was loaded onto one of their honeypot installations. “By analyzing …

Researcher found a mass of malware among Firefox add-ons hiding behind the names of Adobe and other well-known companies

The Firefox add-on catalog (AMO) has seen a mass publication of malicious add-ons hiding behind the names of well-known projects. Researcher Martin Brinkmann discovered this and tested it on examples. For instance, malicious add-ons named “Adobe Flash Player”, “ublock origin Pro”, “Adblock Flash Player” and others were posted in the catalog. As these add-ons are removed from the catalog, the attackers immediately create a new account …

More than 50,000 MS-SQL and PHPMyAdmin servers were infected by rootkits and miners

Specialists from Guardicore Labs reported the discovery of the Nansh0u malware, for which a Chinese hacking group is responsible. The attackers compromise MS-SQL and PHPMyAdmin servers around the world, infect them with a cryptocurrency miner, and install rootkits that protect the miner from deletion. “Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and …

Comodo/Sectigo revoked more than 100 certificates

Sectigo (formerly the Comodo certificate authority) says it has revoked more than 100 digital certificates that attackers used to sign malware. The reason is a recent Chronicle report. Sectigo employees commented on the Chronicle report, insisting that only 127 of the certificates noted by the researchers were valid at the time of the report. The certificate authority revoked them as soon as possible. …

Docker’s vulnerability allows reading and writing any file on the host

A race condition vulnerability has been discovered in Docker. With its help, an attacker can read and write any file on the host. The issue affects all Docker versions. The vulnerability is similar to CVE-2018-15664 and allows an attacker to rewrite resource paths after they have been checked and before the program starts working with the resource (a TOCTOU error). The issue affects the FollowSymlinkScope function, vulnerable to …

HawkEye keylogger reborn in another version and attacks enterprises again

Researchers from X-Force, IBM’s cybersecurity division, reported on malicious spam campaigns in which criminals send the HawkEye keylogger to the email addresses of employees of industrial enterprises worldwide. For two months, the attackers spread the software among employees of companies that work in logistics, healthcare, marketing and agriculture. “In the cybercrime arena, most financially motivated threat actors are focused on businesses because that …

New Mirai variant uses 13 exploits simultaneously in attacks

Trend Micro specialists discovered in the wild a previously unknown variant of the Mirai malware that used 13 exploits at once to attack targeted devices. The IoT bot is equipped with components for attacking routers from different manufacturers, IP cameras and other devices. The researchers had already seen all of the payloads in campaigns by older Mirai versions, but together all 13 exploits are used …

Ransomware “Shade” is on tour in North America

In the first quarter of this year, experts from Palo Alto Networks recorded 6536 attempts to download the Shade ransomware across their customer base. About one-third of the dangerous requests came from US computers. The Windows ransomware Shade, also known as Troldesh, arrived on the Internet at the end of 2014 – beginning of 2015. It is spread mainly through spam, and sometimes – with …
