Security News

A Hive ransomware affiliate has been targeting Microsoft Exchange servers vulnerable to ProxyShell security issues to deploy various backdoors, including Cobalt Strike beacon. From there, the threat actors perform network reconnaissance, steal admin account credentials, exfiltrate valuable data, ultimately deploying the file-encrypting payload. The details come from security and analytics company Varonis, who was called in to investigate a ransomware attack on one of its customers.

A proof-of-concept exploit has been released online for the VMware CVE-2022-22954 remote code execution vulnerability, already being used in active attacks that infect servers with coin miners. The vulnerability is a critical remote code execution impacting VMware Workspace ONE Access and VMware Identity Manager, two widely used software products.

Microsoft says Windows admins can now opt into automatic updates for. NET 6.0 to the Automatic Updates channel as a third option on top of Windows Server Update Services and Microsoft Update Catalog.

How many times have you been working on a Linux server and wished you had the means to safely store passwords? Having such a feature available to your headless servers would be such a time saver. SEE: Password breach: Why pop culture and passwords don't mix.

Bug hunters that discover and report high-impact security vulnerabilities in on-premises Exchange, SharePoint and Skype for Business may earn as much as $26,000 per eligible submission, Microsoft has announced. The highest awards will go to those who discover vulnerabilities that have the highest potential impact to customer security.

First, German federal police in coordination with US law enforcement seized Hydra servers and cryptocurrency wallets containing $25 million in Bitcoin, thus shutting down the online souk. Later on Tuesday, the US Justice Department announced criminal charges against one of the alleged Hydra operators and system administrators, 30-year-old Dmitry Olegovich Pavlov of Russia.

An Android spyware application has been spotted masquerading as a "Process Manager" service to stealthily siphon sensitive information stored in the infected devices. "When the application is run, a warning appears about the permissions granted to the application," Lab52 researchers said.

A Chinese advanced persistent threat tracked as Deep Panda has been observed exploiting the Log4Shell vulnerability in VMware Horizon servers to deploy a backdoor and a novel rootkit on infected machines with the goal of stealing sensitive data. Cybersecurity firm CrowdStrike, which assigned the panda-themed name to the group all the way back in July 2014, called it "One of the most advanced Chinese nation-state cyber intrusion groups."

What researchers are calling a "Horde" of miner bots and backdoors are using the Log4Shell bug to take over vulnerable VMware Horizon servers, with threat actors still actively waging some attacks. On Tuesday, Sophos reported that the remote code execution Log4j vulnerability in the ubiquitous Java logging library is under active attack, "Particularly among cryptocurrency mining bots." Besides cryptominers, attackers are also prying open Log4Shell to deliver backdoors that Sophos believes are initial access brokers that could lay the groundwork for later ransomware infections.

The ever-evolving banking trojan IcedID is back again with a phishing campaign that uses previously compromised Microsoft Exchange servers to send emails that appear to come from legitimate accounts. The actors behind IcedID - as well as other spearphishers - have previously used phishing emails that "Reuse previously stolen emails to make the lure more convincing," researchers wrote.