Current Cyber Threats...

LockBit Ransomware is Now Targeting Linux
Date: 2022-01-25

One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months. Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware – which was by far the most active ransomware family at one point last year – was focused on Windows

Contact LA-Cyber.com For Full Threat Report, Analyst Comments & Mitigation Steps

Latest Version of Android RAT BRATA Wipes Devices After Stealing Data
Date: 2022-01-25

The new version of the BRATA Android malware supports new features, including GPS tracking and a functionality to perform a factory reset on the device. First discovered by Kaspersky in 2019, BRATA’s name comes from the phrase “Brazilian RAT Android.” The RAT has been spreading via WhatsApp, SMS messages, and through the official Google Play Store.

Multiple Cisco Products Snort Modbus Denial of Service Vulnerability
Date: 2022-01-25

A vulnerability in the Modbus preprocessor of the Snort detection engine could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer overflow while processing Modbus traffic. An attacker could exploit this vulnerability by sending crafted Modbus traffic through an affected device. A successful exploit could allow the attacker to cause the Snort process to hang, causing traffic inspection to stop.

Hackers Exploited MSHTML Flaw to Spy on Government and Defense Targets
Date: 2022-01-25

Researchers from Trellix, a new company created following the merger of security firms McAfee Enterprise and FireEye, attributed the attacks with moderate confidence to the Russia-based APT28 group, the threat actor behind the compromise of SolarWinds in 2020, based on similarities in the source code as well as in the attack indicators and geopolitical objectives.

Critical SonicWall RCE Bug Actively Targeted by Threat Actors
Date: 2022-01-25

Researchers are describing this vulnerability as an unauthenticated stack-based buffer overflow. The impacted appliances are the SMA 100 series, including the SMA 200, 210, 400, 410, and 500v. The bug affects these devices regardless of whether the web application firewall (WAF) is enabled.

CISA Publishes Infographic on Layering Network Security Through Segmentation
Date: 2022-01-25

CISA has published an infographic to emphasize the importance of implementing network segmentation—a physical or virtual architectural approach that divides a network into multiple segments, each acting as its own subnetwork, to provide additional security and control that can help prevent or minimize the impact of a cyberattack.

Staff Negligence Is Now a Major Reason for Insider Security Incidents
Date: 2022-01-25

According to Proofpoint's 2022 Cost of Insider Threats Global report, published on Tuesday, insider threats now cost organizations $15.4 million annually, an increase of 34% compared with 2020 estimates. The report, conducted by the Ponemon Institute, includes survey responses from over 1,000 IT professionals worldwide, all of whom have experienced a recent cybersecurity incident caused by an insider threat.

ProofPoint: 2022 Cost of Insider Threat Report
Date: 2022-01-25

Insider threats have increased in both frequency and cost over the past two years. Credential thefts, for example, have almost doubled in number since 2020.

US Adds 17 Exploited Bugs to "Must Patch" List
Date: 2022-01-25

A US government security agency has added 17 vulnerabilities currently being actively exploited in the wild to a database of bugs that federal agencies must fix. The Known Exploited Vulnerabilities Catalog was launched in November last year as part of Binding Operational Directive (BOD) 22-01, designed to make civilian federal government agencies more cyber-resilient.

Researchers Break Down WhisperGate Wiper Malware Used in Ukraine Website Defacement
Date: 2022-01-25

Cisco Talos says that two wipers are used in WhisperGate attacks. The first wiper attempts to destroy the master boot record (MBR) and to eradicate any recovery options. "Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten," the researchers say. However, with many modern systems now moving to GUID Partition Tables (GPTs), this executable may not be successful – and so an additional wipe has been included in the attack chain.

Investigating APT36 or Earth Karkaddan’s Attack Chain and Malware Arsenal
Date: 2022-01-24

APT36, also known as Earth Karkaddan, is a politically motivated advanced persistent threat (APT) group that has historically targeted Indian military and diplomatic resources. The group (also referred to as Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) has been known to use social engineering and phishing lures as an entry point, after which it deploys the Crimson RAT malware to steal information from its victims.

F5 Fixes 25 Flaws in BIG-IP, BIG-IQ, and NGINX Products
Date: 2022-01-24

Cybersecurity firm F5 announced security patches for 25 vulnerabilities affecting its BIG-IP, BIG-IQ, and NGINX products. Most of the vulnerabilities addressed by the company (23) affect the BIG-IP application delivery controller (ADC), and 13 of them have been rated as high-severity issues (CVSS score 7.5). The issues were assigned identifiers from CVE-2022-23010 to CVE-2022-23032.

FBI Warns of Malicious QR Codes Used to Steal Your Money
Date: 2022-01-24

The Federal Bureau of Investigation (FBI) warned Americans this week that cybercriminals are using maliciously crafted Quick Response (QR) codes to steal their credentials and financial info. The warning was issued as a public service announcement (PSA) published on the Bureau's Internet Crime Complaint Center (IC3) earlier this week.

FBI Warning: Diavol Ransomware Makes Demands of up to $500,000, Trickbot Links
Date: 2022-01-22

The FBI discovered that the Diavol ransomware uses the same method to fingerprint victim machines as Trickbot and the Trickbot-related Anchor DNS malware. "Trickbot's tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and Trickbot-controlled servers using Domain Name System (DNS) tunneling to hide malicious traffic with normal DNS traffic

Linux Kernel Privilege Escalation Bug Found and Fixed
Date: 2022-01-22

"To exploit it requires the CAP_SYS_ADMIN privilege to be enabled. If that's the case, an unprivileged local user can open a filesystem that does not support the File System Context application programming interface (API). In this situation, it drops back to legacy handling, and from there, the flaw can escalate an attacker's system privileges" (SecList, 2022). "Researchers discovered a heap overflow bug in the legacy_parse_param in the Linux kernel's fs/fs_context.c program. This parameter is used in Linux filesystems during superblock creation for mount and superblock reconfiguration for a remount. The superblock records all of a filesystem's characteristics such as file size, block size, empty and filled storage blocks. So, yeah, it's important."

WordPress Plugin Flaw Puts Users of 20,000 Sites at Phishing Risk
Date: 2022-01-22

A high-severity bug in the WordPress Email Template Designer WP HTML Mail plugin, installed on more than 20,000 websites, can lead to code injection and the distribution of persuasive phishing emails. WP HTML Mail is a plugin for creating tailored emails, contact form alerts, and other custom messages that digital platforms send to their customers. WP HTML Mail is compatible with WooCommerce, Ninja Forms, BuddyPress, and other popular WordPress plugins. Even though the number of websites that use it is small, many of them have large audiences, so the vulnerability affects numerous users.

‘Anomalous’ Spyware Targets Industrial Companies
Date: 2022-01-22

Several campaigns employing spyware have come to light, a new report shows. Researchers have named these cyberattacks "Anomalous." The threat actors' targets are industrial enterprises, and their end goals include access to email accounts, credential theft, financial fraud, or even reselling the spyware to other hackers. Kaspersky researchers noted that the threat actors used various spyware strains to remain undetected, rotating spyware for specific periods. It is likely that if endpoint solutions discovered spyware running on a targeted machine, the actors deployed a different variant to evade detection.

McAfee Agent Bug Lets Hackers Run Code with Windows SYSTEM Privileges
Date: 2022-01-22

McAfee has patched a security vulnerability discovered in the company's McAfee Agent software for Windows enabling attackers to escalate privileges and execute arbitrary code with SYSTEM privileges. McAfee Agent is a client-side component of McAfee ePolicy Orchestrator (McAfee ePO) that downloads and enforces endpoint policies and deploys antivirus signatures, upgrades, patches, and new products on enterprise endpoints.

New White Rabbit Ransomware Linked to FIN8 Hacking Group
Date: 2022-01-20

"A new ransomware family called 'White Rabbit' appeared in the wild recently, and according to recent research findings, could be a side-operation of the FIN8 hacking group. FIN8 is a financially motivated actor who has been spotted targeting financial organizations for several years, primarily by deploying POS malware that can steal credit card details" (Bleeping Computer, 2022). Researchers from TrendMicro analyzed a sample of White Rabbit obtained from an attack on a US bank back in December of 2021. The ransomware executable is a small 100 KB file that requires a password to be entered, a technique also used by other ransomware strains including Egregor, MegaCortex, and SamSam.

Ransomware: 2,300+ Local Governments, Schools, Healthcare Providers Impacted in 2021
Date: 2022-01-20

More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare providers were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information.

Joint Law Enforcement Action Takes Down VPN Service
Date: 2022-01-20

"An international law enforcement collaboration has targeted the users and infrastructure of VPNLab.net, rendering it no longer available. The action was taken in response to the use of the VPN provider's service to support cybercrime activities, including ransomware deployment" (Info Security Magazine, 2022). A total of 10 national law enforcement agencies coordinated the takedown, including those from Germany, the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US and the UK. The seizure led to the disruption of 15 servers hosted by VPNLab[.]net. VPNLab was a popular service used by cybercriminals to set up infrastructure and communications for ransomware campaigns, and in many cases the service was advertised on the dark web. During the investigation, law enforcement identified over 100 businesses at risk of cyber attacks and is working with the impacted organizations to mitigate their risks.

Office 365 Phishing Attack Impersonates the US Department of Labor
Date: 2022-01-20

A new phishing campaign impersonating the United States Department of Labor asks recipients to submit bids in order to steal their Office 365 credentials. The campaign has been ongoing for at least a couple of months and uses over ten different phishing sites impersonating the government agency. The emails are sent from spoofed domains that look as if they came from the actual Department of Labor (DoL) site, while some come from a set of newly created look-alike domains such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us. Most of the emails pass through abused servers owned by non-profit organizations to evade email security blocks.

New MoonBounce UEFI Malware Used by APT41 in Targeted Attacks
Date: 2022-01-20

Security analysts have discovered and linked MoonBounce, "the most advanced" UEFI firmware implant found in the wild so far, to the Chinese-speaking APT41 hacker group (also known as Winnti). APT41 is a notorious hacking group that has been active for at least a decade and is primarily known for its stealthy cyber-espionage operations against high-profile organizations from various industry sectors.

UEFI Malware Used by APT41 in Targeted Attacks
Date: 2022-01-20

BIOS and UEFI attacks are not new by any means, but APT41 (also known as Winnti), a Russian state-sponsored cybercriminal group, according to security experts, has created the most devastating and complex version to date. MoonBounce implants malware in the SPI flash memory on a computer's motherboard or logic board. This type of memory is used for storage and data transfer in portable devices, including phones, tablets, and media players, and in industrial equipment such as security systems and medical products. Flash storage is volatile, which means that it can be electrically erased and reprogrammed, and the data stored on it is not lost when the power is turned off.

Defending Users’ NAS Devices From Evolving Threats
Date: 2022-01-20

Threats to the internet of things (IoT) continue to evolve as users and businesses grow increasingly reliant on these devices for constant connectivity, access to information and data, and workflow continuity. Cybercriminals have taken notice of this dependence and now regularly update their known tools and routines to add network-attached storage (NAS) devices to their list of targets, knowing full well that users rely on these devices for storing and backing up files in both modern homes and businesses. More importantly, cybercriminals are aware that these devices hold valuable information and have only minimal security measures.

SolarWinds Serv-U Bug Exploited for Log4j Attacks
Date: 2022-01-20

While exploitation of this vulnerability remains highly limited, it could be adopted by other threat actors. While I would normally rank this as a low severity incident, the popularity of Serv-U should be taken into consideration; hence, I would treat this as Medium. There is still some disagreement about the exploitation Microsoft observed; we will continue to update on the situation.

RRD Suffers Data Theft in a Conti Ransomware Attack
Date: 2022-01-20

R.R. Donnelley is a Fortune 500 integrated communications corporation based in the United States that offers marketing and business communications, commercial printing, and other associated services. The company’s corporate offices are in Chicago, Illinois, in the United States. R.R. Donnelley was the world’s largest commercial printer in 2007.

Red Cross Suffers Massive Cyber Attack
Date: 2022-01-20

The international humanitarian organization Red Cross announced yesterday that it had been the victim of a massive cyberattack that resulted in the theft of confidential information for over 515,000 “very vulnerable people” participating in the “Restoring Family Links” program.

Former DHS Official Charged with Stealing Govt Employees' PII
Date: 2022-01-19

A former Department of Homeland Security acting inspector general pleaded guilty today to stealing confidential and proprietary software and sensitive databases from the US government containing employees' personal identifying information (PII). 61-year-old Charles Kumar Edwards coordinated the scheme while working for DHS-OIG (Department of Homeland Security, Office of Inspector General) as an employee and acting IG between February 2008 and December 2013.

FCC Wants New Data Breach Reporting Rules for Telecom Carriers
Date: 2022-01-14

The Federal Communications Commission (FCC) has proposed more rigorous data breach reporting requirements for telecom carriers in response to breaches that recently hit the telecommunications industry. On Wednesday, Chairwoman Jessica Rosenworcel shared the proposal in the form of a Notice of Proposed Rulemaking (NPRM), the first step in changing the FCC's rules for alerting federal agencies and customers of data breaches.

A 'Massive' Hacking Attack Has Hit Government Websites in Ukraine
Date: 2022-01-14

A 'massive' cyberattack has taken down several government websites in Ukraine, including those of the Ukrainian Foreign Ministry and the Ministry of Education and Science. The cyberattack occurred overnight between Thursday and Friday morning, and it took down more than a dozen official websites, disrupting government work and raising questions about whether Russia was signaling that a new offensive against Ukraine was getting underway. A statement by Ukrainian police says cyber attackers left "provocative messages" on the main pages of government websites, which have been taken offline, but no personal data has been altered or stolen.

Cisco Releases Patch for Critical Bug Affecting Unified CCMP and Unified CCDM
Date: 2022-01-14

Cisco Systems has rolled out security updates for a critical security vulnerability affecting Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM) that could be exploited by a remote attacker to take control of an affected system. Tracked as CVE-2022-20658, the vulnerability has been rated 9.6 in severity on the CVSS scoring system, and concerns a privilege escalation flaw arising out of a lack of server-side validation of user permissions that could be weaponized to create rogue Administrator accounts by submitting a crafted HTTP request.

Free Unofficial Patch for Windows ‘RemotePotato0’ Now Available
Date: 2022-01-14

The privilege escalation flaw was discovered by Antonio Cocomazzi, an expert from SentinelLABS, together with Andrea Pierini, an independent researcher. They named it RemotePotato0 and disclosed it in April last year. An unofficial patch has been released for this privilege escalation vulnerability, which affects all versions of Windows, after Microsoft tagged its status as "won't fix". The flaw is located in the Windows RPC protocol. If successfully exploited, threat actors could perform an NTLM relay attack that gives them domain admin privileges.

US Links MuddyWater Hacking Group to Iranian Intelligence Agency
Date: 2022-01-14

US Cyber Command (USCYBERCOM) has officially linked the Iranian-backed MuddyWater hacking group to Iran's Ministry of Intelligence and Security (MOIS). MOIS is the Iranian government's leading intelligence agency, tasked with coordinating the country's intelligence and counterintelligence, as well as covert actions supporting the Islamic regime's goals beyond Iran's borders.

KCodes NetUSB Flaw Impacts Millions of SOHO Routers
Date: 2022-01-14

Cybersecurity researchers from SentinelOne have discovered a critical vulnerability (CVE-2021-45608) in the KCodes NetUSB component, which is present in millions of end-user routers from different vendors, including Netgear, TP-Link, Tenda, EDiMAX, D-Link, and Western Digital.

Jail’s Inability to Deal With Cyberattack Could Violate the Constitutional Rights of Inmates
Date: 2022-01-14

A prison in New Mexico had an unplanned lockdown due to a ransomware attack. As reported by Source NM, the Metropolitan Detention Center in Bernalillo County, New Mexico, went into lockdown on January 5, 2022, after cyberattackers infiltrated Bernalillo County systems and deployed malware. Inmates were made to stay in their cells as the ransomware outbreak reportedly not only knocked out the establishment's internet but also locked staff out of data management servers and security camera networks.

Microsoft RDP Bug Enables Data Theft, Smart-Card Hijacking
Date: 2022-01-14

Microsoft Windows systems going back to at least Windows Server 2012 R2 are affected by a vulnerability in the Remote Desktop Services protocol that gives attackers connected to a remote system via RDP a way to gain file system access on the machines of other connected users. Threat actors who exploit the flaw can view and modify clipboard data or impersonate the identities of other users logged in to the machine in order to escalate privileges or move laterally on the network, researchers from CyberArk discovered recently. They reported the issue to Microsoft, which issued a patch for the flaw (CVE-2022-21893) in its January security update this Tuesday.

First Patch Tuesday of 2022 Brings Fix for a Critical 'Wormable' Windows Vulnerability
Date: 2022-01-12

Of the 96 vulnerabilities, nine are rated Critical and 89 are rated Important in severity, with six zero-days publicly known at the time of the release. This is in addition to 29 issues patched in Microsoft Edge on January 6, 2022. None of the disclosed bugs are listed as under attack. The patches cover a swath of the computing giant's portfolio, including Microsoft Windows and Windows Components, Exchange Server, Microsoft Office and Office Components, SharePoint Server, .NET Framework, Microsoft Dynamics, Open-Source Software, Windows Hyper-V, Windows Defender, and Windows Remote Desktop Protocol (RDP).

KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices
Date: 2022-01-11

A high-impact vulnerability allowing remote code execution affects millions of end-user router devices. On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45388 and deemed critical by the research team. The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB-over-IP functionality in products including routers, printers, and flash storage devices.

Extortion DDoS Attacks Grow Stronger And More Common
Date: 2022-01-11

In the fourth quarter of last year, about a quarter of Cloudflare's customers that were the target of a DDoS attack said that they received a ransom note from the perpetrator. A large portion of these attacks occurred in December 2021, when almost a third of Cloudflare customers reported receiving a ransom letter. Compared with the previous month, the number of reported DDoS ransom attacks doubled, Cloudflare says in a blog post today.

Four Million Outdated log4j Downloads Were Served from Apache Maven Central
Date: 2022-01-11

There have been millions of downloads of outdated, vulnerable Log4j versions despite the emergence of a serious security hole in December 2021, according to figures compiled by the firm that runs Apache Maven's Central Repository. That company, Sonatype, said it had seen four million downloads of exploitable Log4j versions from the repository alone between 10 December and the present day, out of a total of more than 10 million downloads over the past four weeks.

Extortion DDoS Attacks Grow Stronger and More Common
Date: 2022-01-11

AvosLocker is the latest ransomware gang that has added support for encrypting Linux systems to its recent malware variants, specifically targeting VMware ESXi virtual machines.

Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
Date: 2022-01-11

CISA, the FBI, and NSA encourage the cybersecurity community—especially critical infrastructure network defenders—to adopt a heightened state of awareness and to conduct proactive threat hunting, as outlined in the Detection section. Additionally, CISA, the FBI, and NSA strongly urge network defenders to implement the recommendations listed below and detailed in the Mitigations section. These mitigations will help organizations improve their functional resilience by reducing the risk of compromise or severe business degradation.

If Hackers Are Exploiting the log4j Flaw, CISA Says We Might Not Know Yet
Date: 2022-01-11

Federal officials cautioned Monday that, while the widespread Log4j vulnerability hasn't led to any major known intrusions in the U.S., there could be a "lag" between when the flaw became known and when attackers exploit it. Cybersecurity and Infrastructure Security Agency Director Jen Easterly said that there were months between the discovery of the vulnerability that led to the 2017 Equifax breach, which exposed the personal information of nearly 150 million Americans, and word of the breach itself, invoking one of the most notable hacks in history.

US NCSC and DoS Share Best Practices Against Surveillance Tools
Date: 2022-01-10

The US National Counterintelligence and Security Center (NCSC) and the Department of State have published joint guidance that provides best practices for defending against attacks carried out by threat actors using commercial surveillance tools. In the last few years, we have reported several cases of companies selling commercial surveillance tools to governments and other entities that have used them for malicious purposes.

SonicWall Email Security and Firewall Products Impacted by the Y2K22 Vulnerability
Date: 2022-01-10

Last week, Internet appliance provider SonicWall revealed that the Y2K22 weakness has affected several of its email security and firewall products, causing message log update and junk box malfunctions starting January 1st, 2022. Although SonicWall didn't give any details on what is causing the Y2K22 vulnerability in its security solutions, the company is not the only one dealing with this problem.

Researchers Find Bugs in Over A Dozen Widely Used URL Parser Libraries
Date: 2022-01-10

In a deep-dive analysis jointly conducted by cybersecurity firms Claroty and Snyk, eight security vulnerabilities were identified in as many third-party libraries written in C, JavaScript, PHP, Python, and Ruby and used by several web applications. With URLs being a fundamental mechanism by which resources, located either locally or on the web, can be requested and retrieved, differences in how the parsing libraries interpret a URL could pose significant risk for users.

Chinese Scientist Pleads Guilty to Stealing US Agricultural Tech
Date: 2022-01-07

A Chinese national has pleaded guilty to the theft of agricultural secrets from the US, intended to reach the hands of scientists across the pond. Xiang Haitao, formerly living in Chesterfield, Missouri, assumed a post at Monsanto and its subsidiary, The Climate Corporation, between 2008 and 2017, the US Department of Justice (DoJ) said on Thursday. Monsanto and The Climate Corporation developed an online platform for farmers to manage field and yield information in a bid to improve land productivity. One aspect of this technology was an algorithm called the Nutrient Optimizer, which US prosecutors say was considered "a valuable trade secret and their intellectual property

Night Sky, A New Ransomware Operation in the Threat Landscape
Date: 2022-01-07

Researchers from MalwareHunterTeam first spotted a new ransomware family dubbed Night Sky that implements a double extortion model in attacks aimed at businesses. Once it has encrypted a file, the ransomware appends the '.nightsky' extension to the encrypted file name. The ransomware gang started its operations on December 27, 2021, and has already hacked the corporate networks of two organizations, from Bangladesh and Japan respectively. The gang has also set up a leak site on the Tor network where it will publish files stolen from victims that do not pay the ransom.

New Mexico's Bernalillo County Investigates Ransomware Attack
Date: 2022-01-07

Bernalillo County is the most populous in New Mexico and includes the cities of Albuquerque, Los Ranchos, and Tijeras. Officials report the disruption likely occurred between midnight and 5:30 a.m. on Jan. 5. They have taken affected systems offline and severed network connections, as well as notified county system vendors, which are working to solve the issue and restore system functionality.

QNAP Warns of Ransomware Targeting Internet-Exposed NAS Devices
Date: 2022-01-07

QNAP has warned customers today to secure Internet-exposed network-attached storage (NAS) devices immediately from ongoing ransomware and brute-force attacks. If your organization's NAS is exposed to the Internet, it is likely to be targeted; a device is exposed if the following text is displayed on the software’s dashboard: “The System Administration service can be directly accessible from an external IP address via the following protocols: HTTP

NHS Warns of Hackers Exploiting Log4shell in VMware Horizon
Date: 2022-01-07

VMware Horizon supports local, hybrid (local but managed in the cloud) and multi-cloud deployment strategies. End users can access custom virtual desktops or remote RDSH applications from company laptops, home PCs, Mac computers, thin clients, or mobile devices.

Have I Been Pwned Warns of Datpiff Data Breach Impacting Millions
Date: 2022-01-07

DatPiff is a popular mixtape hosting service used by over 15 million users, allowing unregistered users to download or upload samples for free. The cracked passwords for almost 7.5 million members are being sold online, and users can check if they are part of the data breach through the Have I Been Pwned notification service.

Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices
Date: 2022-01-07

This is another example of attackers leveraging Covid and a well-designed phishing page to launch a dangerous campaign. Covid-themed phishing emails have convinced users to relinquish valuable credentials throughout the last year. Phish impersonating major banking firms have been around for some time, but they constantly evolve. The pandemic is continuing to affect the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.

New Mac Malware Samples Underscore Growing Threat
Date: 2022-01-07

For the sixth year in a row, security researcher Patrick Wardle has released a list of all the new Mac malware threats that emerged over the course of a year. For each malware sample, Wardle identified the malware's infection vector, installation and persistence mechanisms, and other features, such as the purpose of the malware. A sample of each new Mac malware family that surfaced last year is available on his website.

FTC Warns Companies to Secure Consumer Data from Log4J Attacks
Date: 2022-01-05

The US Federal Trade Commission (FTC) has warned today that it will go after any US company that fails to protect its customers' data against ongoing Log4J attacks. "The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the US government agency said.

Microsoft Code-sign Check Bypassed to Drop Zloader Malware
Date: 2022-01-05

A new Zloader campaign exploits Microsoft's digital signature verification to deploy malware payloads and steal user credentials from thousands of victims in 111 countries. The campaign, orchestrated by a threat group known as MalSmoke, appears to have started in November 2021, and it's still going strong, according to the Check Point researchers who spotted it.

Researchers Used Electromagnetic Signals to Classify Malware Infecting IoT Devices
Date: 2022-01-05

A team of academics (Duy-Phuc Pham, Damien Marion, Matthieu Mastio and Annelie Heuser) from the Research Institute of Computer Science and Random Systems (IRISA) has devised a new approach that analyzes electromagnetic field emanations from Internet of Things (IoT) devices to detect highly evasive malware. The team presented their technique at the Annual Computer Security Applications Conference (ACSAC) that took place in December.

This iOS 15 Bug Could Crash Your iPhone Permanently
Date: 2022-01-05

A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone. Trevor Spiniolas found that changing the name of a HomeKit device to a very large string (Spiniolas used 500,000 characters for testing) would crash the associated iPhone.

‘Elephant Beetle’ Spends Months in Victim Networks to Divert Transactions
Date: 2022-01-05

A financially motivated actor dubbed 'Elephant Beetle' is stealing millions of dollars from organizations worldwide using an arsenal of over 80 unique tools and scripts. The group is very sophisticated and patient, spending months studying the victim's environment and financial transaction processes before moving to exploit flaws in the operation.

Monopoly market potentially exit scamming
Date: 2022-01-05

The decentralised darknet market, Monopoly, appears to be exit scamming. Monopoly has been open for two years and had gained a reputation for being stable. This was in large part due to its unique method of vendor verification which was believed to keep vendor scamming to a minimum.

Log4j Highlights Need for Better Handle on Software Dependencies
Date: 2022-01-04

Security experts learned a lot from the fallout of Log4Shell. Most importantly, the incident highlighted the need for organizations to “understand and manage” what code is running within their software environments. Software dependencies exist in just about every enterprise product; when flaws emerge in these dependencies, organizations are left scrambling for fixes. Third-party dependencies are essential in creating modern-day programs, as programmers do not have to reinvent the wheel every time a new product or application is developed. By mixing and matching existing libraries and packages, software developers can build new applications more efficiently.

UK Defence Academy Attack Forced IT Rebuild – Report
Date: 2022-01-04

A possible nation-state attack on the UK’s primary defense training facility last year forced the academy to rebuild its IT infrastructure, according to a former senior officer. Air Marshal Edward Stringer served as director-general of joint force development and of the UK Defence Academy before recently retiring. The academy trains nearly 30,000 UK armed forces personnel annually, alongside civil servants and military staff from other nations. However, it was caught out by a cyber-attack last March, which had “significant” operational consequences, Stringer told Sky News.

Broward Health Suffered a Data Breach that Impacted +1.3 Million People
Date: 2022-01-04

The Broward Health public health system has suffered a data breach that impacted 1,357,879 individuals. Broward Health, formerly the North Broward Hospital District, is one of the 10 largest public health systems in the U.S. Located in Broward County, Florida, Broward Health currently operates more than 30 healthcare facilities.

Why the UK’s Energy Sector is Fragile and Ripe to Cyber Attacks
Date: 2022-01-04

For the first time in a generation, the UK is in the middle of an unprecedented supply chain crisis, and in recent weeks we have seen very clearly its immediate and far-reaching impacts. Whether it’s the shortage of truck drivers prompting panic-buying at fuel stations that required military intervention, or the ramp-up of materials and goods stockpiling UK businesses are doing to cope with shortages during the festive season, never has the UK’s supply chain system been stretched so thin. There are real fears this could rip through an economy that has only just started recovering from COVID-19.

Purple Fox Malware Distributed via Malicious Telegram Installers
Date: 2022-01-04

A malicious Telegram for Desktop installer distributes the Purple Fox malware to install further malicious payloads on infected devices. The installer is a compiled AutoIt script named "Telegram Desktop.exe" that drops two files, an actual Telegram installer, and a malicious downloader. While the legitimate Telegram installer dropped alongside the downloader isn't executed, the AutoIT program does run the downloader.

Don't Copy-paste Commands from Webpages — You Can Get Hacked
Date: 2022-01-03

“Programmers, sysadmins, security researchers, and tech hobbyists copy-pasting commands from web pages into a console or terminal are warned they risk having their system compromised. A technologist demonstrates a simple trick that'll make you think twice before copying and pasting text from web pages” (Bleeping Computer, 2022). Recently, Gabriel Friedlander, founder of security awareness training platform Wizer, demonstrated an obvious yet surprising hack that'll make you cautious of copy-pasting commands from web pages. It isn't unusual for novice and skilled developers alike to copy commonly used commands from a webpage (StackOverflow) and paste them into their applications, a Windows command prompt or a Linux terminal.

Microsoft Rolled Out Emergency Fix for Y2k22 Bug in Exchange Servers
Date: 2022-01-03

Microsoft has rolled out an emergency fix that addresses the Y2k22 bug that has been breaking email delivery on on-premises Microsoft Exchange servers since January 1st, 2022. “We have addressed the issue causing messages to be stuck in transport queues of on-premises Exchange Server 2016 and Exchange Server 2019. The problem relates to a date check failure with the change of the new year and it is not a failure of the AV engine itself. This is not an issue with malware scanning or the malware engine, and it is not a security-related issue.” reads the post published by Microsoft. “The version checking performed against the signature file is causing the malware engine to crash, resulting in messages being stuck in transport queues

UK Security Agency Shares 225M Passwords With 'Have I Been Pwned'
Date: 2022-01-03

The UK's National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have contributed 225 million new compromised emails and associated passwords to Have I Been Pwned (HIBP), a free service that tracks stolen credentials so people can know if theirs have been breached. During recent NCA operations, the NCCU's Mitigation@Scale team identified more than 585.5 million potentially compromised credentials (emails and associated passwords), which were in a compromised cloud storage facility. In a statement on HIBP, the NCA says analysis revealed the credentials represented an accumulation of known and unknown datasets.

Aquatic Panda Infiltrated Academic Institution Through Log4j Vulnerability, Says CrowdStrike
Date: 2022-01-03

Cybersecurity company CrowdStrike has discovered an attempt by a China-based group to infiltrate an academic institution through the Log4j vulnerability. CrowdStrike called the group "Aquatic Panda" and said it is an "intrusion adversary with a dual mission of intelligence collection and industrial espionage" that has operated since at least May 2020.

North Korea-linked Threat Actors Stole $1.7 Billion from Cryptocurrency Exchanges
Date: 2022-01-03

North Korea-linked APT groups are suspected to be behind some of the largest cyberattacks against cryptocurrency exchanges. According to South Korean media outlet Chosun, North Korean threat actors have stolen around $1.7 billion (2 trillion won) worth of cryptocurrency from multiple exchanges during the past five years.

3 Reasons Why You Should Fuzz Your Christmas Tree
Date: 2021-12-23

Christmas trees are often decorated with smart lights that are connected to Wi-Fi. Vulnerabilities in such hardware can be an entry point for attackers who want to hack Christmas. How easily such vulnerabilities can be exploited became clear in a 2018 study, in which security researchers managed to completely shut down Christmas decorations remotely. In other instances, IoT devices were hacked over the cloud and even set on fire.

Logistics Giant Warns of Scams Following Ransomware Attack
Date: 2021-12-23

Hellmann is one of the largest international logistics providers. Founded in 1871, it handles 16 million shipments per year by air, sea, road, and rail, and is active in 173 countries. The logistics giant has issued a warning that data was stolen from the company when it was hit with a ransomware attack on December 9, 2021. It is not entirely clear what type of data was extracted, but the company says it is warning partners and customers to double-check their communications with it, as a precaution. Criminals could use the leaked data to make social engineering attacks more believable, so Hellmann is asking people that do business with it to look out for fraudulent mails and calls.

Apache’s New Security Update for HTTP Server Fixes Two Flaws
Date: 2021-12-23

Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it's used by 31.4% of the world's websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system.

Alibaba Suffers Government Crackdown Over Log4j
Date: 2021-12-23

Chinese tech giant Alibaba has reportedly been shunned by China’s top tech regulator for failing to report the infamous Log4j vulnerability quickly enough. Local media claimed that the firm’s Alibaba Cloud business, which has a large team of security researchers, failed to report the issue to the Ministry of Industry and Information Technology (MIIT).

Crooks Bypass a Microsoft Office Patch for CVE-2021-40444 to Spread Formbook Malware
Date: 2021-12-23

Cybercriminals have found a way to bypass the patch for a recent Microsoft Office vulnerability tracked as CVE-2021-40444 (CVSS score of 8.8). The bad news is that threat actors are using it to distribute the Formbook malware.

Russia and Ukraine: avoiding war
Date: 2021-12-23

As 2021 draws to a close, there are increasing fears around the world that Russia is planning to invade Ukraine in an effort to prevent its former ally from moving further towards the West and possibly even joining the NATO military alliance. The tensions between these two former Soviet states are now at a critical point, with the potential to evolve into further, more widespread conflict between Russia and the West.

The Pysa Ransomware Strain Just Started Targeting Lots More Businesses
Date: 2021-12-22

The relatively new Pysa ransomware was the dominant strain behind file-encrypting attacks in November and saw a 400% rise in attacks on government organizations, according to an analysis by security company NCC Group. Pysa is one of the ransomware gangs using double extortion to pressure victims into paying, and last month it dumped leaks from 50 previously compromised organizations. Overall in November, the number of Pysa attacks increased 50%, which means it overtook Conti to join Lockbit as one of the two most common strains. Conti and Lockbit had been the dominant strains since August, according to NCC Group.

Russian National Extradited to US for Trading on Stolen Information
Date: 2021-12-22

The Russian national Vladislav Klyushin (41) was extradited to the United States from Switzerland to face charges for his alleged role in a scheme whose participants traded on information stolen from U.S. companies. The man was arrested in Switzerland on March 21, 2021; along with four other accomplices, he allegedly conspired to gain unauthorized access to computers and to commit wire fraud and securities fraud.

New joint advisory from CISA, FBI, NSA, and the other Five Eyes (Australia, Canada, New Zealand, UK)
Date: 2021-12-22

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), the Computer Emergency Response Team New Zealand (CERT NZ), the New Zealand National Cyber Security Centre (NZ NCSC), and the United Kingdom’s National Cyber Security Centre (NCSC-UK) are releasing this joint Cybersecurity Advisory (CSA) to provide mitigation guidance on addressing vulnerabilities in Apache’s Log4j software library: CVE-2021-44228 (known as “Log4Shell”), CVE-2021-45046, and CVE-2021-45105. Sophisticated cyber threat actors are actively scanning networks to potentially exploit Log4Shell, CVE-2021-45046, and CVE-2021-45105 in vulnerable systems. According to public reporting, Log4Shell and CVE-2021-45046 are being actively exploited. CISA, in collaboration with industry members of CISA’s Joint Cyber Defense Collaborative (JCDC), previously published guidance on Log4Shell for vendors and affected organizations in which CISA recommended that affected organizations immediately apply appropriate patches (or apply workarounds if unable to upgrade), conduct a security review, and report compromises to CISA or the FBI. CISA also issued an Emergency Directive directing U.S. federal civilian executive branch (FCEB) agencies to immediately mitigate Log4j vulnerabilities in solution stacks that accept data from the internet. This joint CSA expands on the previously published guidance by detailing steps that vendors and organizations with IT and/or cloud assets should take to reduce the risk posed by these vulnerabilities. These steps include:
  • Identifying assets affected by Log4Shell and other Log4j-related vulnerabilities,
  • Upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and
  • Initiating hunt and incident response procedures to detect possible Log4Shell exploitation.
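
The first advisory step, identifying affected assets, in working form. This is an added example and not part of the joint CSA or any agency tooling: a Python script that walks a directory tree, finds log4j-core JARs (including ones nested one level inside WAR/EAR archives), reads the version from the embedded Maven pom.properties and reports which of CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 that version is still exposed to, plus whether JndiLookup.class is still present. The fixed-version thresholds are taken from Apache's own advisories; build_sample_jar is a constructed test fixture, not a real artifact.

```python
"""Triage log4j-core JARs against the three CVEs named in the joint CSA.
Added example (not from the advisory or any vendor). Thresholds per the
Apache advisories: 2.15.0/2.16.0/2.17.0 on the main line, 2.12.2/2.12.3 on
the Java 7 line, 2.3.1/2.3.2 on the Java 6 line."""
import io
import os
import re
import sys
import zipfile

POM_RE = re.compile(
    r"META-INF/maven/org\.apache\.logging\.log4j/log4j-core/pom\.properties$")
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# (cve, fix on main line, fix on 2.12.x line, fix on 2.3.x line)
FIXES = [
    ("CVE-2021-44228", (2, 15, 0), (2, 12, 2), (2, 3, 1)),
    ("CVE-2021-45046", (2, 16, 0), (2, 12, 2), (2, 3, 1)),
    ("CVE-2021-45105", (2, 17, 0), (2, 12, 3), (2, 3, 2)),
]


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); tolerates suffixes such as '2.0-beta9'."""
    nums = re.findall(r"\d+", text)[:3]
    return tuple(int(n) for n in nums) + (0,) * (3 - len(nums))


def exposed_cves(version):
    """Return the CVEs a log4j-core 2.x version is still affected by."""
    if version[0] != 2:
        return []  # log4j 1.x is a different code base, out of scope here
    out = []
    for cve, main_fix, fix_212, fix_23 in FIXES:
        if version[:2] == (2, 12):
            fixed = fix_212
        elif version[:2] == (2, 3):
            fixed = fix_23
        else:
            fixed = main_fix
        if version < fixed:
            out.append(cve)
    return out


def assess_jar(data):
    """Inspect one JAR's bytes. Returns None if it is not log4j-core."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        pom = next((n for n in names if POM_RE.search(n)), None)
        if pom is None:
            return None
        props = zf.read(pom).decode("utf-8", "replace")
        m = re.search(r"^version=(.+)$", props, re.M)
        if m is None:
            # Unknown version: treat as exposed to everything until proven otherwise.
            return {"version": None, "cves": [f[0] for f in FIXES],
                    "jndi_lookup_present": JNDI_CLASS in names}
        version = parse_version(m.group(1).strip())
        return {
            "version": ".".join(map(str, version)),
            "cves": exposed_cves(version),
            # Removing JndiLookup.class is the documented stop-gap for
            # CVE-2021-44228 where an upgrade is not yet possible.
            "jndi_lookup_present": JNDI_CLASS in names,
        }


def scan_tree(root):
    """Return [(location, assessment)] for every log4j-core under root,
    also looking one level inside .jar/.war/.ear files for nested JARs."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".jar", ".war", ".ear")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
                result = assess_jar(data)
                if result:
                    findings.append((path, result))
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for inner in zf.namelist():
                        if inner.lower().endswith(".jar"):
                            r = assess_jar(zf.read(inner))
                            if r:
                                findings.append((path + "!" + inner, r))
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or not a real zip: skip, keep scanning
    return findings


def build_sample_jar(version, with_jndi=True):
    """Constructed sample: a minimal log4j-core-like JAR, for testing only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
                    f"version={version}\ngroupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for loc, r in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(loc, r["version"], ", ".join(r["cves"]) or "patched",
              "(JndiLookup.class present)" if r["jndi_lookup_present"] else "")
```

Findings of version None or with CVE-2021-44228 listed are the ones to patch first; a 2.10 to 2.14 JAR with JndiLookup.class removed still needs the 2.17.0 upgrade for CVE-2021-45105.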

Four Bugs in Microsoft Teams Left Platform Vulnerable Since March
Date: 2021-12-22

Researchers from Positive Technologies, a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection, discovered four vulnerabilities in Microsoft Teams that could be leveraged for various malicious purposes. Microsoft Teams is a collaboration tool that helps people working in different geographic locations work together online. For this reason, Teams usage has risen during the pandemic, making the platform an increasingly attractive target for threat actors.

2easy Now a Significant Dark Web Marketplace for Stolen Data
Date: 2021-12-22

This particular dark web marketplace has grown significantly over the past few years; by automating processes, owners have increased sales volume and overall customer satisfaction. They have removed the one-on-one interaction with sellers and posters of stolen data altogether; anyone can create an account, add money to their wallet, and make purchases without interacting with the sellers directly.

Threat Actors Continue to Leverage Log4J
Date: 2021-12-21

The Conti ransomware gang, which became the first professional crimeware outfit to adopt and weaponize the Log4Shell vulnerability last week, has built up a holistic attack chain. The sophisticated Russia-based Conti group – which Palo Alto Networks has called "one of the most ruthless" of dozens of ransomware groups currently known to be active – was in the right place at the right time with the right tools when Log4Shell hit the scene 10 days ago, security firm Advanced Intelligence (AdvIntel) said in a report shared with Threatpost on Thursday.

FBI: Hackers Are Actively Exploiting This Flaw on Manageengine Desktop Central Servers
Date: 2021-12-21

We received an alert from the FBI last Friday regarding a Zero-Day vulnerability in Zoho ManageEngine Desktop Central, CVE-2021-44515. ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.

Alleged APT Implanted a Backdoor in the Network of a US Federal Agency
Date: 2021-12-20

Experts spotted a backdoor in the network of an unnamed U.S. federal government commission associated with international rights. The backdoor allowed the threat actors to achieve complete control over the infected networks; experts described the compromise as a “classic APT-type operation.”

Third Log4J Bug Can Trigger DoS; Apache Issues Patch
Date: 2021-12-20

No, you’re not seeing triple: On Friday, Apache released yet another patch – version 2.17 – for yet another flaw in the ubiquitous log4j logging library, this time for a DoS bug. Trouble comes in threes, and this is the third one for log4j. The latest bug isn’t a variant of the Log4Shell remote-code execution (RCE) bug that’s plagued IT teams since Dec. 10, coming under active attack worldwide within hours of its public disclosure, spawning even nastier mutations and leading to the potential for denial-of-service (DoS) in Apache’s initial patch.

Ukrainian War Games Test Electricity Grid
Date: 2021-12-20

Hundreds of Ukrainian cyber experts have taken part in a large-scale incident response exercise against the country’s energy grid as geopolitical tensions with Russia continue to escalate. President Putin on Friday issued a series of security demands, including that NATO limit deployments of troops and weapons to Ukraine’s eastern border with Russia and that the country commit to never joining the military alliance. Russia warned of a military crisis in the region if its demands weren’t met, and has already massed 100,000 troops, alongside missiles and artillery, on its side of the border.

A New Attack Vector Exploits the Log4Shell Vulnerability on Servers Locally
Date: 2021-12-20

Researchers from cybersecurity firm Blumira devised a new attack vector that relies on a JavaScript WebSocket connection to exploit the Log4Shell vulnerability on internal and locally exposed unpatched Log4j applications. Experts pointed out that this new attack vector significantly expands the attack surface and can impact even services running as localhost that were never exposed to any network.

APT Actors Exploiting Newly-Identified Zero Day in ManageEngine Desktop Central
Date: 2021-12-17

Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers. The APT actors were observed compromising Desktop Central servers, dropping a webshell that overrides a legitimate function of Desktop Central, downloading post-exploitation tools, enumerating domain users and groups, conducting network reconnaissance, attempting lateral movement and dumping credentials.

Conti Ransomware Leverages log4j Bug to Exploit VMWare vCenter Servers
Date: 2021-12-17

The Conti ransomware operation uses the critical Log4Shell exploit to gain rapid access to internal VMware vCenter Server instances and encrypt virtual machines. The group did not waste much time adopting the new attack vector and is the first "top-tier" operation known to weaponize the Log4j vulnerability.

Holiday White House Letter Emphasizes the Importance of a Sense of Heightened Security
Date: 2021-12-16

The holidays are an opportunity to spend time with our loved ones and enjoy some well-earned rest. Unfortunately, malicious cyber actors are not taking a holiday – and they can ruin ours if we’re not prepared and protected. Historically we have seen breaches around national holidays because criminals know that security operations centers are often short-staffed, delaying the discovery of intrusions. Beyond the holidays, though, we’ve experienced numerous recent events that highlight the strategic risks we all face because of the fragility of digital infrastructure and the ever-present threat of those who would use it for malicious purposes.

Hackers Begin Exploiting Second Log4j Vulnerability as a Third Flaw Emerges
Date: 2021-12-16

Microsoft and Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit the Log4j vulnerabilities. "MSTIC has observed PHOSPHORUS, an Iranian actor that has been deploying ransomware, acquiring and making modifications of the Log4j exploit. We assess that PHOSPHORUS has operationalized these modifications. In addition, HAFNIUM, a threat actor group operating out of China, has been observed utilizing the vulnerability to attack virtualization infrastructure to extend their specific targeting. In these attacks, HAFNIUM-associated systems were observed using a DNS service typically associated with the testing activity to fingerprint systems.

Log4j Flaw: Now State-Backed Hackers Are Using Bugs as Part of Attacks, Warns Microsoft
Date: 2021-12-15

State-sponsored hackers from China, Iran, North Korea and Turkey have started testing, exploiting and using the Log4j bug to deploy malware, including ransomware, according to Microsoft. As predicted by officials at the US Cybersecurity and Infrastructure Security Agency (CISA), more sophisticated attackers have now started exploiting the so-called Log4Shell bug (CVE-2021-44228), which affects devices and applications running vulnerable versions of the Log4j Java library. It's a potent flaw that allows remote attackers to take over a device after compromise.

CISA: Immediate Steps to Strengthen Critical Infrastructure against Potential Cyberattacks
Date: 2021-12-15

In the lead up to the holidays and in light of persistent and ongoing cyber threats, CISA urges critical infrastructure owners and operators to take immediate steps to strengthen their computer network defenses against potential malicious cyber attacks. Sophisticated threat actors, including nation-states and their proxies, have demonstrated capabilities to compromise networks and develop long-term persistence mechanisms. These actors have also demonstrated capability to leverage this access for targeted operations against critical infrastructure with potential to disrupt National Critical Functions.

Billion-dollar Natural Gas Supplier Superior Plus Hit with Ransomware
Date: 2021-12-15

Major natural gas supplier Superior Plus announced on Tuesday that it is suffering from a ransomware attack. The billion-dollar propane seller said the incident started on December 12 but did not answer questions about which ransomware group was behind the attack or which systems were affected.

Adobe Addresses over 60 Vulnerabilities in Multiple Products
Date: 2021-12-15

Adobe has issued critical warnings for more than 60 vulnerabilities in multiple products running on Windows and macOS machines. The vulnerabilities can be exploited by threat actors for code execution, privilege escalation and denial-of-service attacks.

Second log4j Vulnerability Discovered, Patch to version 2.16
Date: 2021-12-15

A second vulnerability involving Apache Log4j was found on Tuesday after cybersecurity experts spent days attempting to patch or mitigate CVE-2021-44228. The description of the new vulnerability, CVE-2021-45046, says the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was "incomplete in certain non-default configurations." "This could allow attackers... to craft malicious input data using a JNDI Lookup pattern resulting in a denial of service (DOS) attack," the CVE description says.

Google Fixed the 17th Zero-day in Chrome Since the Start of the Year
Date: 2021-12-14

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.

Phishing Campaign Uses PowerPoint Macros to Drop Agent Tesla
Date: 2021-12-14

A new variant of the Agent Tesla malware has been spotted in an ongoing phishing campaign that relies on Microsoft PowerPoint documents laced with malicious macro code.

‘Seedworm’ Attackers Target Telcos in Asia, Middle East
Date: 2021-12-14

Attackers targeting telcos across the Middle East and Asia for the past six months are linked to Iranian state-sponsored hackers, according to researchers. The cyberespionage campaigns leverage a potent cocktail of spear phishing, known malware and legitimate network utilities that are leveraged to steal data and potentially disrupt supply-chains.

Cyber Security Cafe is here as a service to bring needed Cyber Security information to the general public. We offer no services, other than information that may help protect you.
