Massive campaign hits Elastix VoIP systems with 500,000 unique malware samples
2022-07-16 14:11

Threat analysts have uncovered a large-scale campaign targeting Elastix VoIP telephony servers with more than 500,000 malware samples over a period of three months. Security researchers at Palo Alto Networks' Unit 42 say that the attackers' goal was to plant a PHP web shell that could run arbitrary commands on the compromised communications server.

Hackers Targeting VoIP Servers By Exploiting Digium Phone Software
2022-07-16 06:33

VoIP phones using Digium's software have been targeted to drop a web shell on their servers as part of an attack campaign designed to exfiltrate data by downloading and executing additional payloads. "The malware installs multilayer obfuscated PHP backdoors to the web server's file system, downloads new payloads for execution, and schedules recurring tasks to re-infect the host system," Palo Alto Networks Unit 42 said in a Friday report.

New Netwrix Auditor Bug Could Let Attackers Compromise Active Directory Domain
2022-07-16 05:07

Researchers have disclosed details about a security vulnerability in the Netwrix Auditor application that, if successfully exploited, could lead to arbitrary code execution on affected devices. "Since this service is typically executed with extensive privileges in an Active Directory environment, the attacker would likely be able to compromise the Active Directory domain," Bishop Fox said in an advisory published this week.

Friday Squid Blogging: Squid Inks Fisherman
2022-07-15 21:04

Short video. As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered. Read my blog posting guidelines here.

CISA pulls the fire alarm on Juniper Networks bugs
2022-07-15 20:57

Juniper Networks has patched critical-rated bugs across its Junos Space, Contrail Networking and NorthStar Controller products that are serious enough to prompt CISA to weigh in and advise admins to update the software as soon as possible. "CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates," according to the Feds' warning this week.

Brave uses Goggle to show only cybersecurity websites.
2022-07-15 20:12

Brave recently announced its Goggle feature to ensure users only see websites relevant to their interests.

Thousands of websites run buggy WordPress plugin that allows complete takeover
2022-07-15 19:15

Miscreants have reportedly scanned almost 1.6 million websites in attempts to exploit an arbitrary file upload vulnerability in a previously disclosed buggy WordPress plugin. Wordfence disclosed the flaw almost three months ago, and in a new advisory this week warned that criminals are increasing attacks - the WordPress security shop claims it blocked an average of 443,868 attack attempts per day on its customers' sites.

7 cybersecurity tips for your summer vacation!
2022-07-15 18:23

It's prime vacation season in the Northern Hemisphere, and in some countries, July and August aren't just months when some people take a few days off, but a period of extended family holidays, often involving weeks away from home or on the road. The good news, of course, is that if you've had to work from home over the past two years, you're probably better informed about outside-the-office cybersecurity than ever. Backing everything up reliably before you set off also means you are free to strip down the amount of digital content you keep loaded on your devices, and thus to reduce the quantity of data you might have to declare or reveal at a border crossing.

Password recovery tool infects industrial systems with Sality malware
2022-07-15 17:46

A threat actor is infecting industrial control systems to create a botnet through password "Cracking" software for programmable logic controllers. Advertised on various social media platforms, the password recovery tools promise to unlock PLC and HMI terminals from Automation Direct, Omron, Siemens, Fuji Electric, Mitsubishi, LG, Vigor, Pro-Face, Allen Bradley, Weintek, ABB, and Panasonic.

Emerging H0lyGh0st Ransomware Tied to North Korea
2022-07-15 16:26

Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year. A group tracked by researchers from Microsoft Threat Intelligence Center as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.