Security News

FBI/DHS Issue Guidance for Network Defenders to Mitigate Russian Gov Hacking
2021-04-27 19:33

The FBI and DHS have issued a Joint Cybersecurity Advisory on the threat posed by the Russian Foreign Intelligence Service via the cyber actor known as APT 29. The new advisory provides "Information on the SVR's cyber tools, targets, techniques, and capabilities to aid organizations in conducting their own investigations and securing their networks." Notably, the advisory uses the terms SVR and APT 29 interchangeably throughout, indicating that it sees no difference between the cyber actor and the Russian intelligence agency.

FBI shares 4 million email addresses used by Emotet with Have I Been Pwned
2021-04-27 16:18

Millions of email addresses collected by Emotet botnet for malware distribution campaigns have been shared by the Federal Bureau of Investigation as part of the agency's effort to clean infected computers. Individuals and domain owners can now learn if Emotet impacted their accounts by searching the database with email addresses stolen by the malware.

Brit authorities could legally do an FBI and scrub malware from compromised boxen without your knowledge
2021-04-19 09:39

UK authorities could lawfully copy the FBI and forcibly remove web shells from compromised Microsoft Exchange server deployments - but some members of the British infosec industry are remarkably quiet about whether this would be a good thing. In the middle of last week the American authorities made waves after deleting web shells from Exchange Server deployments compromised in the Hafnium attacks.

Week in review: New DNS vulnerabilities, benefits of cyber threat intelligence, FBI removes web shells
2021-04-18 07:40

New DNS vulnerabilities have the potential to impact millions of devices
Forescout Research Labs, in partnership with JSOF, disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK.

FBI removes web shells from hacked Microsoft Exchange servers
Authorities have executed a court-authorized operation to copy and remove malicious web shells from hundreds of vulnerable on-premises versions of Microsoft Exchange Server software in the United States.

The benefits of cyber threat intelligence
In this Help Net Security podcast, Maurits Lucas, Director of Intelligence Solutions at Intel 471, discusses the benefits of cyber threat intelligence.

Industry Reactions to FBI Cleaning Up Hacked Exchange Servers: Feedback Friday
2021-04-16 13:31

U.S. authorities revealed this week that the FBI executed a court-authorized cyber operation to remove malicious web shells from hundreds of compromised Microsoft Exchange servers located in the United States. "The effort by the FBI, as described in the Justice Department press release, amounts to the FBI gaining access to private servers. Just that should be a full stop that the action is not ok. While I understand the good intention - the FBI wants to remove the backdoor - this sets a dangerous precedent where law enforcement is given broad permission to access private servers."

Report: Aussie biz Azimuth cracked San Bernardino shooter’s iPhone, ending Apple-FBI privacy standoff
2021-04-14 21:37

Australian security firm Azimuth has been identified as the experts who managed to crack a mass shooter's iPhone that was at the center of an encryption standoff between the FBI and Apple. Until this week it had largely been assumed that Israeli outfit Cellebrite was hired to forcibly unlock an encrypted iPhone 5C used by Syed Farook - who in 2015 shot and killed colleagues at a work event in San Bernardino, California, claiming inspiration from ISIS. Efforts by law enforcement to unlock and pore over Farook's phone were unsuccessful, leading to the FBI taking Apple to court to force it to crack its own software to reveal the device's contents.

FBI hacks into hundreds of infected US servers (and disinfects them)
2021-04-14 18:38

As we explained in a recent Serious Security article on Naked Security, a crook who can upload a file into a Windows server directory where web data is stored doesn't merely get a chance to pollute your web server with fake content, as bad as that would be on its own. Despite several weeks of urgent warnings, not least from Naked Security, there are still plenty of unpatched servers out there just waiting to get pwned.

FBI Clears ProxyLogon Web Shells from Hundreds of Orgs
2021-04-14 17:31

The Feds have cleared malicious web shells from hundreds of vulnerable computers in the United States that had been compromised via the now-infamous ProxyLogon Microsoft Exchange vulnerabilities. "Many infected system owners successfully removed the web shells from thousands of computers," explained the Department of Justice, in a Tuesday announcement.

FBI cleans up infected Exchange servers
2021-04-14 15:18

Federal authorities in the U.S. have swooped in to eliminate malicious backdoor code planted by attackers on vulnerable Microsoft Exchange servers across the country. This latest effort eliminated the remaining web shells of one specific hacking group, which would have given it persistent access to Exchange servers in the U.S. had they remained.

The FBI Is Now Securing Networks Without Their Owners’ Permission
2021-04-14 14:56

One of the characteristics of the campaign, in the later days when the Chinese probably realized that the vulnerabilities would soon be fixed, was to install a web shell in compromised networks that would give them subsequent remote access. Even if the vulnerabilities were patched, the shell would remain until the network operators removed it.