SMBleed: A New Critical Vulnerability Affects Windows SMB Protocol
2020-06-09 20:44

Cybersecurity researchers today uncovered a new critical vulnerability affecting the Server Message Block protocol that could allow attackers to leak kernel memory remotely, and when combined with a previously disclosed "Wormable" bug, the flaw can be exploited to achieve remote code execution attacks. The newly discovered vulnerability impacts Windows 10 versions 1903 and 1909, for which Microsoft today released security patches as part of its monthly Patch Tuesday updates for June.

Thought you'd addressed those data-leaking Spectre holes on Linux? Guess again. The patches aren't perfect
2020-06-09 19:39

In three posts marked urgent to the Linux kernel mailing list on Tuesday, Anthony Steinhauser points out problems with countermeasures put in place to block Spectre vulnerabilities in modern Intel and AMD x86 microprocessors that perform speculative execution. The Spectre family of flaws involves making a target system speculate - perform an operation it may not need - in order to expose confidential data so an attacker can obtain it through an unprotected side channel.

Microsoft June Patch Tuesday Fixes 129 Flaws in Largest-Ever Update
2020-06-09 19:28

Microsoft has released patches for 129 vulnerabilities as part of its June Patch Tuesday updates - the highest number of CVEs ever released by Microsoft in a single month. Microsoft's June Patch Tuesday volume beats out the update from May, in which it released fixes for 111 security flaws, including 16 critical bugs and 96 that are rated important.

June 2020 Patch Tuesday: Microsoft fixes record monthly number of CVEs
2020-06-09 19:02

Microsoft has fixed a record 129 CVE-numbered vulnerabilities in a wide variety of its offerings: Windows, the Internet Explorer and Edge browsers, Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Azure DevOps, and more. "To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver," Microsoft explained.

'Dark Basin' Hack-for-Hire Group Targeted Thousands Worldwide
2020-06-09 18:55

Referred to as Dark Basin and linked to Indian company BellTroX InfoTech Services, the threat actor is believed to have targeted senior politicians, government prosecutors, CEOs, journalists, and human rights defenders, among others. "Dark Basin has a remarkable portfolio of targets, from senior government officials and candidates in multiple countries, to financial services firms such as hedge funds and banks, to pharmaceutical companies. Troublingly, Dark Basin has extensively targeted American advocacy organizations working on domestic and global issues. These targets include climate advocacy organizations and net neutrality campaigners," Citizen Lab notes.

Researchers unmask Indian 'infosec' firm to reveal hacker-for-hire op that targeted pretty much anyone clients wanted
2020-06-09 17:49

Canada's Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years. The North American outfit claims to have traced the so-called Dark Basin campaign to an Indian firm called BellTroX InfoTech Services - which denies all wrongdoing.

Espionage Group Hits U.S. Utilities with Sophisticated Spy Tool
2020-06-09 17:09

"The dated nature of this binary coupled with the extensible nature of the malware code suggests that the FlowCloud code base has been under development for numerous years," the analysts wrote, adding that "Development of this malware around legitimate QQ files and the identification of malware samples uploaded to VirusTotal from Japan in December 2018 and earlier this year from Taiwan indicate that the malware may have been active for some time in Asia prior to its appearance targeting the U.S. utilities sector." Several campaigns delivering the LookBack malware were aimed at U.S. utilities over last summer and the fall as well, and, based on shared attachment macros, identical malware installation techniques and overlapping delivery infrastructure, Proofpoint believes the LookBack and FlowCloud malware can be attributed to a single threat actor, TA410.

Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity
2020-06-09 17:05

In late May, KrebsOnSecurity alerted numerous officials in Florence, Ala. that their information technology systems had been infiltrated by hackers who specialize in deploying ransomware. It is part of a quad-city metropolitan area perhaps best known for the Muscle Shoals Sound Studio that recorded the dulcet tones of many big-name music acts in the 1960s and 70s. On May 26, acting on a tip from Milwaukee, Wisc.-based cybersecurity firm Hold Security, KrebsOnSecurity contacted the office of Florence's mayor to alert them that a Windows 10 system in their IT environment had been commandeered by a ransomware gang.

Qualys Remote Endpoint Protection gets malware detection, free for 60 days
2020-06-09 16:34

Qualys has added malware detection to its cloud-based Remote Endpoint Protection offering, which is free for 60 days. Powered by the Qualys Platform and Cloud Agent, malware detection in Remote Endpoint Protection uses file reputation and threat classification to detect known malicious files on endpoints, servers, and cloud workloads.