X-Force Exchange - Collection Feed

Summary A variety of threat actors have been exploiting the ProxyLogon vulnerability in order to carry out malicious activities. Sophos identified the operators of the Black KingDom ransomware also taking advantage of this exploit in a recent campaign. Threat Type Ransomware Overview Sophos published a blog post analyzing Black KingDom's use of the ProxyLogon exploit to distribute its ransomware payloads. After exploiting ProxyLogon ( CVE-2021-27065 ) on vulnerable on-premise versions of Microsoft Exchange

Summary The ICS-CERT has published four advisories that affect Weintek EasyWeb cMT, GE MU320E, GE Reason DR60, and Ovarro TBox. Threat Type Vulnerability Overview The ICS-CERT has published four advisories that affect Weintek EasyWeb cMT, GE MU320E, GE Reason DR60, and Ovarro TBox. Further information is available from the advisories, which are summarized below. ICS Advisory ICSA-21-082-01 - Weintek EasyWeb cMT CVE-2021-27446 - The Weintek cMT product line is vulnerable to Code Injection, which may allow an

Summary Necro, a classic botnet family, first discovered in 2015, was written in Python. On March 2nd, Netlab 360 discovered two samples of a new variant of Necro. Keksec, also known as Kek Security is the threat actor group responsible for the botnet. The botnet has been found on both Windows and Linux systems. Threat Type Malware, Botnet, Cryptomining Overview Necro, a classic botnet family first discovered in 2015, was written in Python. On March 2nd, Netlab 360 discovered two samples of a new variant of

Summary PAM update 4103.18182 contains 7 new events, 0 new moderate event responses, and 0 new aggressive event responses. Threat Type Vulnerability Overview PAM update 4103.18182 contains 7 new events, 0 new moderate event responses, and 0 new aggressive event responses. This content update is compatible with IBM QRadar Network Security Firmware version 5.4 or later, IBM QRadar Network Security for VMware firmware version 5.4 or later, IBM Security Network IPS GV-Series Virtual Appliances, IBM Security Net

Summary Analysts from the Malware Hunter Team have discovered a new tactic being employed by threat actors: Windows Safe Mode Encryption. Bleeping Computer has published an article on the details of the boot mode ransomware encryption technique. Threat Type Vulnerability, Ransomware Overview REvil has added the ability to encrypt files even in Windows Safe Mode. This mode allows users to troubleshoot the operating system for errors. Safe Mode prevents startup menu items from starting and only allows the bar

Summary IBM X-Force Threat Intelligence has published a report on ITG14 and their shift from Point-of-Sale (POS) systems to ransomware and the emersion of new TTPs for the group. Threat Type Malware, Ransomware,Phishing, VBS, PowerShell, Backdoor Overview IBM X-Force Threat Intelligence has published a report on ITG14, which shares overlap with FIN7 and CARBON SPIDER, and its latest shift from Point-of-Sale (POS) systems to ransomware with new TTPs. X-Force analysts have concluded the latest campaign is aff

Summary IBM X-Force Intelligence has published a report updating the latest activities from Hive0097, known as Cloud Atlas. Threat Type Threat Group Overview IBM X-Force Threat Intelligence has published a report on the latest activities from Hive0097, known as Cloud Atlas. Analysis has revealed several new malicious documents at the beginning of 2021. These documents are consistent with Hive0097's TTPs of focusing on former Soviet-bloc nations in Eastern Europe and Central Asia. Previous findings indicate

Summary Using a new programming language, Rust, threat actors have turned their attention to the creation of adware. SecureList posted a blog detailing the language and its use in the creation of adware. Threat Type Malware, Adware Overview A new adware program dubbed Convuster has been seen in the wild. The adware is written in a little known programming language called Rust. Analysts were able to identify the language through the use of Rust specific language and the file extension .rs. The malware works

Summary The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking Trojan with Latin American origins that is now expanding its reach to victims across Europe. This trojan is one that makes use of a little known scripting language known as AutoHotKey (AHK). Threat Type Malware, Phishing, Keylogger, Infostealer, Trojan Overview The Cofense Phishing Defense Center (PDC) takes a brief look at Mekotio, also known as Metamorfo, a banking Trojan with Latin American

Summary NimzaLoader is a new initial access malware that is relatively unique in its usage of the Nim programming language. Proofpoint observed this malware being distributed in a TA800 email campaign in place of BazaLoader. Threat Type Malware, Loader Overview Proofpoint published a blog post analyzing the NimzaLoader malware, a loader written in the Nim programming language. This malware is being distributed by TA800 in their email campaigns; previously the group used BazaLoader for initial access. The em

Summary Cisco has published a Security Advisory which is rated as High. Threat Type Vulnerability Overview Cisco has published a Security Advisory which is rated as High. In the advisory summarized below, it is noted that Cisco's Product Security Incident Response Team (PSIRT) is "not aware of any public announcements or malicious use of the vulnerabilities" that are described in the advisory. Cisco Small Business RV132W and RV134W Routers Management Interface Remote Command Execution and Denial of Service

Summary The FBI has issued a FLASH Alert (CP-000142-MW) regarding a recent increase of PYSA ransomware targeting education institutions in 12 U.S. states and the United Kingdom. Threat Type Malware, Phishing, Ransomware, Data-theft Overview The FBI has issued a FLASH (FBI Liaison Alert System) Alert (CP-000142-MW) regarding a recent increase of PYSA ransomware targeting education institutions in 12 U.S. states and the United Kingdom. The initial attack vector is often via phishing emails, but PYSA, also kno

Summary A new Linux backdoor has been discovered by Intezer and has been named RedXOR. It's likely to have been developed by Chinese nation-state actors. Threat Type Malware, Backdoor, RAT, APT Overview Intezer discovered a new, sophisticated backdoor targeting Linux systems. It's likely to have been developed by Chinese nation-state actors based on the TTPs observed. Intezer has named the backdoor RedXOR due to it's encoding scheme based on XOR. RedXOR masquerades itself as polkit daemon. Intezer compares

Summary SideWinder is an APT that targets South Asian government and military organizations with espionage campaigns, likely acting in Indian interests. DeepEnd Research reports on the most recent wave of activity from this threat group. Threat Type Malware, Phishing, Spyware, APT Overview DeepEnd Research published a blog post analyzing the most recent wave of SideWinder APT activity. This specific campaign appears to target government entities in Nepal. Their research began with the discovery of a server

Summary On March 8, 2021, all GitHub authenticated sessions were invalidated due to a rare security vulnerability. Microsoft-owned GitHub released a security update on its blog with information about the vulnerability and their subsequent actions taken. Threat Type Vulnerability Overview An extremely rare but serious vulnerability was found by GitHub on March 8 affected a small number of GitHub sessions. This comes on the heels of a March 2 incident in which anomalous traffic was observed for an authenticat

Summary Clast82 is a Android dropper spreading via the Google Play store and distributing the AlienBot banker and MRAT. Check Point reports on their analysis of this new dropper in a recent blog post. Threat Type Malware, Dropper, Banker, RAT Overview Check Point published a blog post analyzing a new dropper dubbed "Clast82." This dropper is bypassing the Google Play store defenses by ensuring that it does not drop any malicious payloads until after the Google Play Protect evaluation period is complete. Fir

Summary A report from CyberArk looks at Kinsing and NSPPS which were thought to be two different families of malware. CyberArk's research concludes they are both from the same, single family. Threat Type Malware Overview The Kinsing and NSPPS malwares were thought to be from two different families of malware. A report from CyberArk concludes they are both variants of the same family of malware. CyberArk believes the first version of the malware was compiled prior to November 2019, was used as a RAT and was

Summary Adobe has released security updates for Photoshop and Animate. Both of the updates address at least one vulnerability rated by Adobe as Critical. Threat Type Vulnerability Overview Adobe has released security updates for Photoshop and Animate. Both of the updates address at least one vulnerability rated by Adobe as Critical. The potential impact of successful exploitation of the most serious vulnerabilities is the remote execution of arbitrary code. Further details are available from the links below

Summary The ICS-CERT has published an advisory that affects Schneider Electric IGSS SCADA Software. Threat Type Vulnerability Overview The ICS-CERT has published an advisory that affects Schneider Electric IGSS SCADA Software. Further information is available from the advisory which is summarized below. ICS Advisory ICSA-21-070-01 - Schneider Electric IGSS SCADA Software CVE-2021-22709 - This vulnerability could result in loss of data or remote code execution when a malicious CGF (configuration group file)

Summary Forcepoint reports on a new ZLoader invoicing scheme that uses new techniques in order to infiltrate victim machines. The new techniques show adeptness on the part of the code writers in the form of Microsoft product knowledge. Threat Type Malware, Phishing Overview One of the most common phishing lures is the invoice email. Whether from a known company, the IRS, or a random entity, the invoice is attractive to victims as it preys upon their fears of money issues. The latest scam uses new and innova