Attacks

Since the disabling of Office macros by Microsoft, a variety of new techniques have arisen to gain remote code execution on a host, with OneNote attachments becoming one of the more prominent techniques seen. As it is rather uncommon for OneNote files to be sent through email, many researchers recommend blocking these extensions altogether. However, for organizations where that is not possible, other options are available. One potential monitoring solution would be to monitor all…

Read More

Administrators of websites, and especially online stores, should regularly evaluate possible data exposure on their sites. Any time sensitive data is found by an administrator, passwords should be rotated for not only users but databases as well. Enabling two-factor authentication (2FA) can help mitigate any exposure of administrator login information. Analyzing logs for the web-server software in use can reveal unusually high activity from individual IP addresses. Rate limiting based on IP addresses and using…

Read More

To assist users in recovering their servers, CISA released an ESXiArgs-Recover script on GitHub to automate the recovery process. “CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac,” explains CISA. “This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.” While the GitHub…

Read More

Hypervisors like ESXi continue to become more ubiquitous due to the power and convenience of managing virtual machines rather than physical ones. Unfortunately, that power and convenience also attract threat actors. The compromise of a hypervisor also implies the compromise of every virtual machine housed within. In a single stroke, dozens to hundreds of critical virtual machines could be encrypted and held for ransom. ESXi servers are particularly vulnerable, inciting the recent trend of ransomware…

Read More

Any users of GoAnywhere MFT should assume compromise, and remove public-facing internet access to the tool and rotate the master encryption key and any passwords used for access. The security bulletin released by the developer includes a stacktrace that administrators can look for in the logs to determine if the exploit was uses against the system. Additionally, administrators should deploy the security patch as soon as change management allows. Companies should endeavor to always bring…

Read More

Ransomware groups are always working to find new targets and develop new strains of ransomware that will increase their target lists and maximize their profits. With lots of companies moving to cloud-based computing, most of it being run on Linux, this shift from Clop is not unexpected. A number of ransomware operations are now targeting vulnerable VMWare ESXi servers, thousands of which have recently transitioned to end-of-life status and are no longer receiving official security…

Read More

Threat actors can leverage stolen medical records to impersonate legitimate patients to commit various forms of fraud, including submitting fraudulent claims to health insurers without authorization. This could not only affect healthcare coverage, but also compromise safety if there is misinformation on file that is needed for medical treatment. Anyone who may have been a victim of a medical data breach should get confirmation from their provider to find out exactly what information was stolen.…

Read More

Releasing the entire cache of stolen information might result in massive doxing, Redmond further warned. “After Holy Souls posted the sample data on YouTube and multiple hacker forums, the leak was amplified by a concerted operation across several social media platforms. This amplification effort made use of a particular set of influence Tactics, Techniques, and Procedures (TTPs) DTAC has witnessed before in Iranian hack-and-leak influence operations,” stated the Windows maker’s Digital Threat Analysis Center (DTAC).…

Read More