Attacks

IOTW: Over 77,000 Uber employee details leaked in data breach

Rideshare company Uber has suffered a data breach after Teqtivity, a software company which provides asset management and tracking service for Uber, was targeted in a cyber attack. The malicious party responsible for the breach posted confidential company information they claimed to have stolen in the breach to hacking forum BreachForums under the pseudonym ‘UberLeaks’. According to cyber security news site BleepingComputer, the leaked information includes “source code, IT asset management reports, data destruction…

Drupal Releases Security Updates to Address Vulnerabilities in H5P and File (Field) Paths

Original release date: December 15, 2022 Drupal has released security updates to address vulnerabilities affecting H5P and the File (Field) Paths modules for Drupal 7.x. An attacker could exploit these vulnerabilities to access sensitive information and remotely execute code. CISA encourages users and administrators to review Drupal’s security advisories SA-CONTRIB-2022-064 and SA-CONTRIB-2022-065 and apply the necessary update. This product is provided subject to this Notification and this Privacy & Use policy.

CISA Consolidates Twitter Accounts

Original release date: December 15, 2022 CISA has consolidated its social media presence on Twitter. Three accounts — @ICSCERT, @Cyber, and @CISAInfraSec — are no longer active. Additionally, the @USCERT_gov Twitter account is now renamed @CISACyber. The following current active Twitter accounts will include posts on content previously covered on the now-inactive accounts. @CISACyber will cover updates relevant to the industrial control systems community along with the latest vulnerability management info, threat analysis, and other…

Go-based Botnet GoTrim Targeting WordPress Sites

GoTrim employs several anti-bot checks to avoid some of the less complex botnet mitigations. It uses a Mozilla Firefox user-agent with the same gzip, deflate, and Brotli content encoding algorithms. The malware also attempts to detect CAPTCHA security plugins and has the capability of solving the challenges for some of them. If it cannot bypass a security plugin, the botnet is globally updated with a “skip” for that domain. Interestingly, any website containing “1gb.ru” in…

Apple Security Update Fixes New iOS Zero-Day

Even though this zero-day flaw was likely used in highly-targeted attacks, it is still suggested to install the security updates as soon as possible. https://www.bleepingcomputer.com/news/apple/apple-security-update-fixes-new-ios-zero-day-used-to-hack-iphones/

Open-Source Repositories Flooded by +144,000 Phishing Packages

This campaign highlights two problems for the cybersecurity space – the increase in the frequency and sophistication of phishing as well as the increase in automated attacks. As time has gone on, the sophistication of phishing campaigns has increased significantly, with the interactive chat dialogue being an example from this campaign. This sophistication has allowed phishing campaigns to be much more successful, and in turn has led to an increase in the frequency of phishing…

Microsoft Releases December 2022 Security Updates

Original release date: December 13, 2022 Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An attacker can exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Microsoft’s December 2022 Security Update Guide and Deployment Information and apply the necessary updates. This product is provided subject to this Notification and this Privacy & Use policy.

New Python Backdoor for ESXi Servers Discovered

It is recommended that administrators of ESXi servers monitor the existence of the files listed above, as well as any content added to the local.sh file. The local.sh file could also be a good candidate for file integrity monitoring. In addition, it would be valuable to monitor for changes to any ESXi configuration files or maintain the state of the configuration files with a configuration management platform like SaltStack, Ansible, or Puppet. Of course, proper restrictions on…

Researchers Release More Details about Azov as a Polymorphic Wiper

Detection of a wiper such as this is made very difficult due to its polymorphic nature and its time-based logic trigger. It is critical for companies to maintain backups and frequently test recovery of those backups in order to help protect against the damage caused by a wiper like this. Further, companies should perform analysis on infected machines to attempt to identify when initial infection occurred to either restore to a non-infected backup or to…

Hackers Exploit Critical Citrix ADC and Gateway Zero-day

Citrix has already released patches for all of the affected devices and warns that they should be updated immediately. Anyone running an older version than listed above should also update to the latest version, which will protect them from this vulnerability and potentially other vulnerabilities. According to the NSA, this vulnerability is under active exploitation by APT5, a Chinese threat actor that is known for utilizing zero-days in their attacks. Although this is the only…