Security News

Cisco's Smart Install protocol is still being abused in attacks - five years after the networking giant issued its first warning - and there are still roughly 18,000 internet-exposed devices that could be targeted by hackers. Cisco describes Smart Install as a plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches.

ESET researchers have linked a stealthy cyberespionage group known as Gelsemium to the NoxPlayer Android emulator supply-chain attack that targeted gamers earlier this year. Two years later, in 2016, new Gelsemium indicators of compromise showed up in a Verint Systems presentation at HITCON. In 2018, VenusTech published malware samples from an unknown APT group linked to Operation TooHash, which ESET later identified as early versions of Gelsemium malware.

Shay Nahari, Head of Red-Team services at CyberArk, says that customers have increasingly asked them to probe their multi-factor authentication defenses, which led them to pinpoint four main attack vectors threat actors use to circumvent MFA controls: architectural and design flaws, insecure channels, side-channel attacks, and insufficient attack-surface coverage. The cybersecurity industry has been extolling the virtues of MFA use for years.

Cybersecurity researchers on Tuesday disclosed a new large-scale campaign targeting Kubeflow deployments to run malicious cryptocurrency mining containers. "The burst of deployments on the various clusters was simultaneous. This indicates that the attackers scanned those clusters in advance and maintained a list of potential targets, which were later attacked at the same time," Microsoft's Senior Security Research Engineer Yossi Weizman said in a report.
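The signal Weizman describes, the same container image appearing on many separate clusters within seconds of each other, is something a defender can look for directly. The script below is an added example and is not code from the article, from Kubeflow or from Microsoft's report: it correlates container-creation events from several clusters and flags any image that shows up on at least a threshold number of distinct clusters inside a sliding time window. The event fields (`ts`, `cluster`, `image`), the sample events and the image name `mining/xmrig:latest` are constructed for this example and are not a real log format.

```python
"""Cross-cluster deployment-burst detector (added example, constructed data).

Groups container-creation events by image and reports each window in which
one image was deployed on >= min_clusters distinct clusters. A sliding window
anchored on each event is used rather than fixed time buckets so a burst that
straddles a minute boundary is not split in two and missed.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events: one synthetic record per (cluster, pod).
# Timestamps are ISO-8601 UTC. Cluster names and the image name are
# hypothetical; "mining/xmrig:latest" stands in for whatever image the
# attacker deployed and is only here to give the correlator a key.
SAMPLE_EVENTS = [
    {"ts": "2021-06-08T10:00:01Z", "cluster": "kf-prod-a", "image": "mining/xmrig:latest"},
    {"ts": "2021-06-08T10:00:03Z", "cluster": "kf-prod-b", "image": "mining/xmrig:latest"},
    {"ts": "2021-06-08T10:00:04Z", "cluster": "kf-dev-1", "image": "mining/xmrig:latest"},
    {"ts": "2021-06-08T10:00:07Z", "cluster": "kf-dev-2", "image": "mining/xmrig:latest"},
    # Legitimate notebook images deployed independently, hours apart.
    {"ts": "2021-06-08T10:00:05Z", "cluster": "kf-prod-a", "image": "jupyter/tensorflow-notebook"},
    {"ts": "2021-06-08T11:30:00Z", "cluster": "kf-prod-b", "image": "jupyter/tensorflow-notebook"},
    # A lone redeploy of the miner later in the day: one cluster, no burst.
    {"ts": "2021-06-08T14:12:00Z", "cluster": "kf-dev-1", "image": "mining/xmrig:latest"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a literal trailing 'Z'."""
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def find_simultaneous_bursts(events, window_seconds=60, min_clusters=3):
    """Return a sorted list of (window_start, image, sorted_clusters).

    For each image, events are sorted by time. Starting at each event, all
    events of that image within window_seconds are collected; if they span
    at least min_clusters distinct clusters, one hit is recorded and the
    scan resumes after the window so the same burst is not reported twice.
    """
    by_image = defaultdict(list)
    for ev in events:
        by_image[ev["image"]].append((parse_ts(ev["ts"]), ev["cluster"]))

    hits = []
    for image, items in by_image.items():
        items.sort()
        i = 0
        while i < len(items):
            t0 = items[i][0]
            j = i
            clusters = set()
            while j < len(items) and (items[j][0] - t0).total_seconds() <= window_seconds:
                clusters.add(items[j][1])
                j += 1
            if len(clusters) >= min_clusters:
                hits.append((t0.strftime(TS_FORMAT), image, sorted(clusters)))
                i = j  # skip past this burst
            else:
                i += 1
    hits.sort()
    return hits


if __name__ == "__main__":
    for start, image, clusters in find_simultaneous_bursts(SAMPLE_EVENTS):
        print(f"{start} {image} deployed on {len(clusters)} clusters: {', '.join(clusters)}")
```

Running it on the constructed sample reports one burst: the miner image on four clusters within the first minute, while the two notebook deployments and the later single redeploy stay below the threshold. In practice the events would come from each cluster's audit log or admission-controller feed, and the threshold and window should be tuned to how often legitimate rollouts hit several clusters at once.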

An advanced persistent threat that Russia found inside government systems was too crude to have been the work of a Western nation, says security researcher Juan Andrés Guerrero-Saade of Sentinel Labs, before suggesting the malware came from a Chinese entity. Russian telco and IT services provider Rostelecom and the nation's National Coordination Center for Computer Incidents, an arm of the Russian Federal Security Service, in May published a joint report that detailed their assessment of attacks on several Russian government entities detected in 2020.

"These attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution in the Chrome web browser, we were able to find and analyze an elevation of privilege exploit that was used to escape the sandbox and obtain system privileges," Larin explained. According to Kaspersky, the two Windows flaws were chained to an exploit for a different Chrome vulnerability to plant high-end malware on specific targets running Windows.

The U.S. Department of Justice revealed on Monday that it had traced and recovered roughly half of the ransom Colonial Pipeline paid to its DarkSide attackers.

A critical vulnerability affecting VMware vCenter Server, the management interface for vSphere environments, is being exploited in the wild. Attacks started roughly a week after VMware announced the availability of patches.

The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal. For initial access, the threat actor is known to use tactics such as watering hole attacks, social engineering, zero-day vulnerabilities, and stolen credentials, followed by the deployment of tools and malware that allow it to achieve persistence and gain access to information of interest.

Malicious actors are actively mass scanning the internet for vulnerable VMware vCenter servers that are unpatched against a critical remote code execution flaw, which the company addressed late last month. "Mass scanning activity detected from 104.40.252.159 checking for VMware vSphere hosts vulnerable to remote code execution," tweeted Troy Mursch, chief research officer at Bad Packets.