Security News

Threat actors are actively exploiting Microsoft Exchange servers using the ProxyShell vulnerability to install backdoors for later access. ProxyShell is the name of an attack that uses three chained Microsoft Exchange vulnerabilities to perform unauthenticated, remote code execution.

Despite a rise in global spam numbers, adoption of new languages by phishing attackers, new scam types and a shift in the most commonly impersonated business type to phish people, Kaspersky's Q2 2021 quarterly spam report is described by its authors as "Not delivering any surprises." That's not to say there wasn't anything actually interesting in Q2 phishing and spam statistics: The percentage of email that's junk is up to 46.56% after bottoming out in March 2021, and global internet portals have displaced online stores as the business type most commonly impersonated by cybercriminals in phishing campaigns.

Industrial cybersecurity firm Dragos has published an analysis of exploits targeting vulnerabilities in industrial control systems and operational technology systems. One possible explanation is that Trend Micro's Zero Day Initiative has acquired many ICS vulnerabilities, and ZDI can prevent researchers from making public their proof-of-concept exploits.

A new highly capable and persistent threat actor has been targeting major high-profile public and private entities in the U.S. as part of a series of targeted cyber intrusion attacks by exploiting internet-facing Microsoft Internet Information Services servers to infiltrate their networks. "TG1021 uses a custom-made malware framework, built around a common core, tailor-made for IIS servers. The toolset is completely volatile, reflectively loaded into an affected machine's memory and leaves little-to-no trace on infected targets," the researchers said.

A security researcher released exploit code for a high-severity vulnerability in Linux kernel eBPF that can give an attacker increased privileges on Ubuntu machines. eBPF is a technology that enables user-supplied programs to run sandboxed inside the operating system's kernel, triggered by a specific event or function.

An unidentified threat actor has been exploiting a now-patched zero-day flaw in Internet Explorer browser to deliver a fully-featured VBA-based remote access trojan capable of accessing files stored in compromised Windows systems, and downloading and executing malicious payloads as part of an "Unusual" campaign. The backdoor is distributed via a decoy document named "Manifest.docx" that loads the exploit code for the vulnerability from an embedded template, which, in turn, executes shellcode to deploy the RAT, according to cybersecurity firm Malwarebytes, which spotted the suspicious Word file on July 21, 2021.

Western cybersecurity agencies have published a list of 30 of the most exploited vulnerabilities abused by hostile foreign states in 2020, urging infosec bods to ensure their networks and deployments are fully patched against them. Number one on the US, UK, and Australia's jointly published [PDF] list was the well-known Citrix arbitrary code execution vuln in Application Delivery Controller, aka Netscaler load-balancer.

One key way that cybercriminals compromise organizations and users is by exploiting known security vulnerabilities. Of course, one key way that organizations can protect themselves is by patching known security vulnerabilities.

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors. The two reports come less than 24 hours after Google's Threat Analysis Group documented four separate zero-day exploits in Chrome, Internet Explorer, and Webkit that were created and sold by Candiru to government-backed attackers.

Have you noticed that lately we've been hearing more about in-the-wild attacks exploiting 0-day vulnerabilities? "Halfway into 2021, there have been 33 0-day exploits used in attacks that have been publicly disclosed this year - 11 more than the total number from 2020," researchers with Google's Threat Analysis Group have pointed out in a recent blog post. TAG analysts Maddie Stone and Clement Lecigne have shared information about several attack campaigns exploiting 0-day vulnerabilities that TAG discovered this year, and in some of them they believe the 0-day exploits were sourced from the same commercial surveillance company.