Security News > 2022 > May

Using PowerShell to manage password resets in Windows domains
2022-05-04 14:01

You can find the date of a user's most recent password change by examining the pwdLastSet attribute, shown in Figure 1 (the ActiveDirectory module also exposes it as the DateTime property PasswordLastSet). Only one user's password change date is shown there, but there are any number of ways to tell the Get-ADUser cmdlet to return data for multiple user accounts, for example with -Filter or -SearchBase.
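As an added example (not code from the original article), the script below reads pwdLastSet for every enabled user in an OU, converts the raw FILETIME value to a date, reports password age, and marks stale accounts for a forced change at next logon. It assumes the RSAT ActiveDirectory module is installed, that you have rights to read and modify the target accounts, and that the OU path and the 90-day threshold are placeholder policy values you will replace with your own.

```powershell
# Added example, not from the original article.
# Assumptions: ActiveDirectory RSAT module present; sufficient rights on the
# target accounts; $SearchBase and $MaxAgeDays are hypothetical values.
Import-Module ActiveDirectory

$MaxAgeDays = 90
$SearchBase = 'OU=Staff,DC=corp,DC=example'   # hypothetical OU, change to yours

# pwdLastSet is the raw LDAP attribute (a Windows FILETIME integer);
# PasswordLastSet is the DateTime view the AD module derives from it.
# PasswordNeverExpires is requested because such accounts need separate handling.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties pwdLastSet, PasswordLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    # pwdLastSet = 0 means "must change password at next logon"; do not
    # render it as a 1601-01-01 date or treat it as a very old password.
    $lastSet = if ($u.pwdLastSet -eq 0) { $null } else { [DateTime]::FromFileTime($u.pwdLastSet) }
    $ageDays = if ($lastSet) { [int]((Get-Date) - $lastSet).TotalDays } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $lastSet
        AgeDays              = $ageDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        MustChangeAtLogon    = ($u.pwdLastSet -eq 0)
    }
}

# Oldest passwords first; accounts already flagged for change show a blank age.
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Accounts exempt from expiry are reported but not touched here: clear
# PasswordNeverExpires first (Set-ADUser -PasswordNeverExpires $false) before
# forcing a change, otherwise the two settings conflict.
$stale = $report | Where-Object {
    -not $_.MustChangeAtLogon -and -not $_.PasswordNeverExpires -and $_.AgeDays -gt $MaxAgeDays
}

# -WhatIf makes this a dry run; remove it once the list has been reviewed.
foreach ($s in $stale) {
    Set-ADUser -Identity $s.SamAccountName -ChangePasswordAtLogon $true -WhatIf
}

# For a single account that must be reset immediately rather than at next logon,
# prompt for the new password so it never lands in the shell history or a script:
# Set-ADAccountPassword -Identity jdoe -Reset -NewPassword (Read-Host -AsSecureString 'New password')
# Set-ADUser -Identity jdoe -ChangePasswordAtLogon $true
```

Run it first with -WhatIf left in place and review the table; an account with pwdLastSet of 0 is already waiting for the user to pick a new password, which is why the script excludes it rather than resetting it a second time.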

Attackers Use Event Logs to Hide Fileless Malware
2022-05-04 13:24

The technique involves injecting shellcode directly into Windows event logs. "We consider the event logs technique, which we haven't seen before, the most innovative part of this campaign," wrote Denis Legezo, senior security researcher with Kaspersky's Global Research and Analysis Team.

New Sophisticated Malware
2022-05-04 11:15

The group, which security firm Mandiant is calling UNC3524, has spent the past 18 months burrowing into victims' networks with unusual stealth. Part of that stealth comes from a unique backdoor Mandiant calls Quietexit, which runs on load balancers, wireless access point controllers, and other types of IoT devices that don't support antivirus or endpoint detection.

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk
2022-05-04 10:27

An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers and potentially take control of them, researchers have found. "The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device," Nozomi's Giannis Tsaraias and Andrea Palanca wrote in their post.

SEC Plans to Hire More Staff in Crypto Enforcement Unit to Fight Frauds
2022-05-04 06:46

The U.S. Securities and Exchange Commission on Tuesday announced that it will expand and rebrand its Cyber Unit to fight cyber-related threats and protect investors in cryptocurrency markets. To that end, the SEC is renaming the Cyber Unit within the Division of Enforcement to the Crypto Assets and Cyber Unit and plans to add 20 positions with the goal of investigating wrongdoing in the crypto markets.

Chinese Hackers Caught Stealing Intellectual Property from Multinational Companies
2022-05-04 06:10

Dubbed "Operation CuckooBees" by Israeli cybersecurity company Cybereason, the massive intellectual property theft operation enabled the threat actor to exfiltrate hundreds of gigabytes of information. "The attackers targeted intellectual property developed by the victims, including sensitive documents, blueprints, diagrams, formulas, and manufacturing-related proprietary data," the researchers said.

Putin threatens supply chains with counter-sanction order
2022-05-04 05:59

Russian president Vladimir Putin has authorized retaliatory sanctions against individuals and organizations that have taken action over the illegal invasion of Ukraine. An executive order issued on Tuesday explains that Russia will implement reprisals against states and international organizations that have acted against Russian interests in the wake of the invasion.

Critical RCE Bug Reported in dotCMS Content Management Software
2022-05-04 05:05

A pre-authentication remote code execution vulnerability has been disclosed in dotCMS, an open-source content management system written in Java and "used by over 10,000 clients in over 70 countries around the globe, from Fortune 500 brands and mid-sized businesses." The critical flaw, tracked as CVE-2022-26352, stems from a directory traversal weakness in its file-upload handling, enabling an adversary to write files outside the intended directory and execute arbitrary commands on the underlying system.

Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector
2022-05-04 00:40

A Chinese-aligned cyberespionage group has been observed striking the telecommunications sector in Central Asia with versions of malware such as ShadowPad and PlugX. Cybersecurity firm SentinelOne tied the intrusions to an actor it tracks under the name "Moshen Dragon," noting tactical overlaps between the collective and another threat group referred to as Nomad Panda. ShadowPad, labeled a "masterpiece of privately sold malware in Chinese espionage," emerged as a successor to PlugX in 2015, even as variants of the latter have continually popped up in different campaigns associated with Chinese threat actors.

Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims
2022-05-04 00:39

An analysis of four months of chat logs spanning more than 40 conversations between the operators of Conti and Hive ransomware and their victims has offered insight into the groups' inner workings and their negotiation techniques. Conti and Hive are among the most prevalent ransomware strains in the threat landscape, cumulatively accounting for 29.1% of attacks detected during the three-month period between October and December 2021.