Security News

Cobalt Strike Vulnerability Affects Botnet Servers
2021-08-11 11:42

The main components of the tool are the Cobalt Strike client, better known as the Beacon, which runs on a compromised host, and the Cobalt Strike team server, which sends commands to the Beacons and receives the data they exfiltrate. An attacker starts by spinning up a machine running the team server, configured with a specific Malleable C2 profile that controls details such as how often each Beacon is to check in and what data it periodically sends back.

Fudo Five enables remote users to safely access servers, applications, and systems
2021-08-11 01:00

With the release of Fudo Five, Fudo offers IT leaders a comprehensive suite of PAM services that includes just-in-time access, auto-discovery, and system health checks, while continuing to deliver the trademark simplicity, ease of use, and rapid time to install that customers have come to expect. Fudo's powerful new Fudo Five PAM implementation provides the critical layer of a company's zero-trust network access infrastructure for industries as diverse as healthcare, automotive, infrastructure, manufacturing, and hospitality.

$600m in cryptocurrencies swiped from Poly Network servers after security snafu
2021-08-10 20:51

Poly Network, a Chinese software biz that processes cryptocurrency transactions across different blockchain platforms, urged hackers to return $600m worth of stolen digital cash in what it called the "Biggest [attack] in DeFi history." Cross-chain protocols like Poly Network allow cryptocurrency traders to exchange digicash across various blockchains; they can be used to swap Bitcoin for Ether, for example.

At Least 30,000 Internet-Exposed Exchange Servers Vulnerable to ProxyShell Attacks
2021-08-10 10:21

Tens of thousands of internet-exposed Microsoft Exchange servers appear to be affected by the ProxyShell vulnerabilities, and they could get compromised at any moment considering that threat actors are already scanning the web for vulnerable devices. ProxyShell is the name given to a series of vulnerabilities - CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207 - that can be chained for unauthenticated remote code execution, allowing an attacker to take complete control of an Exchange server.

Splunk spots malware targeting Windows Server on AWS to mine Monero
2021-08-10 07:04

Data analysis firm Splunk says it's found a resurgence of the Crypto botnet - malware that attacks virtual servers running Windows Server inside Amazon Web Services. Splunk's Threat Research Team posted its analysis of the attack on Monday, suggesting it starts with a probe for Windows Server instances running on AWS and seeks out those with Remote Desktop Protocol (RDP) reachable from the internet.
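The obvious check after reading that is whether any of your own EC2 security groups leave RDP open to the world. The following is an added example, not code from Splunk or the article: it audits the dict shape returned by boto3's `ec2.describe_security_groups()` and runs offline against a constructed sample, so the group IDs and CIDRs below are made up. It also handles the case a naive port comparison misses: an `IpProtocol` of `"-1"` (all traffic) has no port fields but still exposes 3389.

```python
"""Flag EC2 security groups that expose RDP (TCP/3389) to the whole internet.

Added example, not code from Splunk or the article. It operates on the
dict shape returned by boto3's ec2.describe_security_groups(); to audit a
real account replace SAMPLE_GROUPS with
    boto3.client("ec2").describe_security_groups()["SecurityGroups"]
"""
from typing import Dict, Iterable, List

RDP_PORT = 3389
WORLD_V4 = "0.0.0.0/0"
WORLD_V6 = "::/0"


def rule_covers_rdp(perm: Dict) -> bool:
    """True if an ingress permission reaches TCP/3389.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort, so it
    must be treated as covering RDP; that is the edge case naive checks miss.
    """
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= RDP_PORT <= perm.get("ToPort", 0)


def rule_is_world_open(perm: Dict) -> bool:
    """True if the permission's sources include the unrestricted IPv4 or IPv6 range."""
    v4 = any(r.get("CidrIp") == WORLD_V4 for r in perm.get("IpRanges", []))
    v6 = any(r.get("CidrIpv6") == WORLD_V6 for r in perm.get("Ipv6Ranges", []))
    return v4 or v6


def find_world_exposed_rdp(groups: Iterable[Dict]) -> List[str]:
    """Return the GroupIds whose ingress rules expose RDP to any source address."""
    exposed = []
    for sg in groups:
        if any(rule_covers_rdp(p) and rule_is_world_open(p)
               for p in sg.get("IpPermissions", [])):
            exposed.append(sg["GroupId"])
    return exposed


# Constructed sample mirroring describe_security_groups() output (not real data).
SAMPLE_GROUPS = [
    {   # RDP open to the world: exactly what an RDP probe would find.
        "GroupId": "sg-0aaa", "GroupName": "win-rdp-open",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
    {   # RDP restricted to a corporate range: not flagged.
        "GroupId": "sg-0bbb", "GroupName": "win-rdp-corp",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
                           "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []}],
    },
    {   # "All traffic" from anywhere over IPv6: no port fields, still exposes RDP.
        "GroupId": "sg-0ccc", "GroupName": "allow-all-v6",
        "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [],
                           "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],
    },
    {   # Wide TCP range from the world that happens to include 3389.
        "GroupId": "sg-0ddd", "GroupName": "wide-range",
        "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
                           "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
    },
]

if __name__ == "__main__":
    for gid in find_world_exposed_rdp(SAMPLE_GROUPS):
        print("world-exposed RDP:", gid)
```

Groups reachable only from a private CIDR are left alone; if you want to catch RDP open to any non-corporate range, replace `rule_is_world_open` with a check against your own allow-list of prefixes.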

Microsoft Exchange Servers in Attacker Crosshairs
2021-08-09 10:56

Organizations have been warned that hackers have started scanning the internet for Microsoft Exchange servers affected by a series of vulnerabilities that were disclosed by researchers last week. Orange Tsai, principal researcher at security consulting firm DEVCORE, discovered that Microsoft Exchange servers are affected by three vulnerabilities that can be exploited by unauthenticated attackers for remote code execution.

Microsoft Exchange servers scanned for ProxyShell vulnerability, Patch Now
2021-08-07 16:53

Threat actors are now actively scanning for the Microsoft Exchange ProxyShell remote code execution vulnerabilities after technical details were released at the Black Hat conference. ProxyShell is the name for three vulnerabilities that, when chained together, allow unauthenticated remote code execution on Microsoft Exchange servers.
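Since the three ProxyShell items above all turn on the same point, that scanning is already under way, the practical question for a defender is whether their own Exchange servers have been probed. The following is an added example, not code from the article, Microsoft or DEVCORE: it parses IIS W3C logs using the `#Fields:` header and flags requests to `/autodiscover/autodiscover.json` whose query string smuggles a second URL (`@host/...`, a `powershell` path or another `autodiscover.json`). That indicator is assumed from public reporting on ProxyShell scanning rather than taken from this page; adjust it to your own threat intel. The log lines are constructed, not captured from a real server, and include a legitimate Autodiscover v2 query (`Email=user@...`) to show it is not flagged.

```python
"""Flag ProxyShell-style Autodiscover probes in IIS W3C extended logs.

Added example; not code from the article, Microsoft or DEVCORE. The
indicator is assumed from public reporting on ProxyShell scanning:
a request to /autodiscover/autodiscover.json whose query string carries
"@host/<path>", the string "powershell", or a second "autodiscover.json".
Legitimate Autodiscover v2 queries (Email=user@domain&Protocol=...) have an
"@" but no path after the domain, so they are not matched.
"""
import re
from typing import Dict, Iterable, Iterator, List
from urllib.parse import unquote

AUTODISCOVER_RE = re.compile(r"/autodiscover/autodiscover\.json$", re.IGNORECASE)
# "@host/..." inside the query: a URL smuggled through the Autodiscover front end.
PATH_AFTER_AT_RE = re.compile(r"@[^/\s&]*/")


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields: List[str] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def is_proxyshell_probe(rec: Dict[str, str]) -> bool:
    """True if the record matches the assumed ProxyShell probe shape."""
    if not AUTODISCOVER_RE.search(rec.get("cs-uri-stem", "")):
        return False
    # IIS logs the query as sent; decode %3F/%40 so encoded probes match too.
    q = unquote(rec.get("cs-uri-query", "-")).lower()
    return (bool(PATH_AFTER_AT_RE.search(q))
            or "powershell" in q
            or "autodiscover.json" in q)


def find_probes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return the parsed log records that look like ProxyShell probes."""
    return [r for r in parse_w3c(lines) if is_proxyshell_probe(r)]


# Constructed sample log in IIS W3C extended format; not from a real server.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2021-08-07 16:53:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 198.51.100.7 Mozilla/5.0 200
2021-08-07 16:53:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=ActiveSync 443 203.0.113.9 Outlook-iOS/2.0 200
2021-08-07 16:53:03 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/autodiscover/autodiscover.json%3F@example.test 443 198.51.100.7 python-requests/2.25 200
2021-08-07 16:53:04 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 198.51.100.7 python-requests/2.25 200
2021-08-07 16:53:05 10.0.0.5 GET /ecp/ - 443
""".splitlines()

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs-uri-query"])
```

Point it at `%SystemDrive%\inetpub\logs\LogFiles\W3SVC1\*.log` on the Exchange server (or the HTTP Proxy logs under the Exchange install directory, which use the same W3C layout). A hit from a source address you do not recognise means the server was at least probed; whether it was exploited is a separate question that needs the patch state and a look for dropped web shells.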

Several Malware Families Targeting IIS Web Servers With Malicious Modules
2021-08-05 22:11

A systematic analysis of attacks against Microsoft's Internet Information Services (IIS) servers has revealed as many as 14 malware families, 10 of them newly documented, indicating that the Windows-based web server software has been a target for natively developed malware for close to eight years. IIS is an extensible web server developed by Microsoft; its modular architecture lets developers add native IIS modules that extend its core functionality, and that same extension point is what the malicious modules abuse.

Linux version of BlackMatter ransomware targets VMware ESXi servers
2021-08-05 21:32

The BlackMatter gang has joined the ranks of ransomware operations that have developed a Linux encryptor targeting VMware's ESXi virtual machine platform. With VMware ESXi among the most widely deployed virtualization platforms in enterprises, almost every enterprise-targeting ransomware operation has begun to release encryptors that specifically target its virtual machines.

“Cobalt Strike” network attack tool patches crashtastic server bug
2021-08-05 19:01

If you're a regular reader of Naked Security and Sophos News, you'll almost certainly be familiar with Cobalt Strike, a network attack tool that's popular with cybercriminals and malware creators. By implanting the Cobalt Strike "Beacon" program on a network they've infiltrated, ransomware crooks can not only surreptitiously monitor but also sneakily control the network remotely, without even needing to log in first.