Accutel Total Solutions
https://www.accutel.us
Thu, 30 Sep 2021 15:56:57 +0000

Update Apple Devices Soon For Important Security Patch
https://www.accutel.us/2021/09/30/update-apple-devices-soon-for-important-security-patch/
Thu, 30 Sep 2021 15:00:00 +0000

Apple released a very important security update today. The update fixes a pair of zero-day vulnerabilities that have been spotted in use in the wild to attack both Macs and iPhones. One of the two has been used to install the Pegasus spyware onto iPhones.

These two vulnerabilities are being tracked as CVE-2021-30860 and CVE-2021-30858. Both allow attackers to craft malicious content that executes commands when it is opened on a vulnerable device.

CVE-2021-30860 is an integer overflow bug in CoreGraphics. It was discovered by Citizen Lab and allows attackers to craft poisoned PDF documents that execute commands when opened on devices running either iOS or macOS.

CVE-2021-30858 is a WebKit vulnerability that allows attackers to create a malicious web page that executes commands on vulnerable devices running either iOS or macOS, any time such a device visits the poisoned page.

Apple stresses that both of these have been seen in use in the wild, which makes applying Apple's latest security patch a high priority.

Apple has struggled against zero-day vulnerabilities in 2021. So far the company has scrambled to address more than a dozen such vulnerabilities on macOS and iOS, compared with eleven that targeted Windows and Android devices.

Given the nature of these security flaws and the fact that they're currently being exploited by hackers around the world, downloading and applying this security patch should be given top priority by anyone with Apple devices connected to your corporate network.

Kudos to the company for their rapid response. We hope, however, that the volume of zero-day exploits will begin to taper off in the near future. At this point it is unclear whether this is a sign of things to come, representing a larger and more disturbing trend, or just a run of bad luck for the tech giant.

Used with permission from Article Aggregator

This Malware Can Turn Off Windows Defender
https://www.accutel.us/2021/09/29/this-malware-can-turn-off-windows-defender/
Wed, 29 Sep 2021 15:00:00 +0000

Some malware strains are built with robust protections in order to avoid detection. Zloader goes a step further and actually disables Microsoft Defender AV (formerly known as Windows Defender). That's significant because, according to stats provided by Microsoft, Defender AV is preinstalled on more than a billion PCs running Windows 10.

The hackers behind the campaign have changed their delivery vector. Earlier campaigns conducted by the group that controls Zloader relied on spam and phishing emails. The most recent campaign, with the variant that disables Microsoft Defender AV, is delivered via Google ads for TeamViewer that redirect potential victims to fake download sites.

Antonio Pirozzi and Antonio Cocomazzi, researchers from SentinelLabs, had this to say about the most recent campaign:

"The attack chain analyzed in this research shows how the complexity of the attack has grown in order to reach a higher level of stealthiness.

The first stage dropper has been changed from the classic malicious document to a stealthy, signed MSI payload. It uses backdoored binaries and a series of LOLBAS to impair defenses and proxy the execution of their payloads."

If you're not familiar with the name Zloader, you should know that this malware strain also goes by the names DELoader and Terdot. It was originally built as a banking Trojan back in 2015 and has been kept up to date since. Like many other strains, it is based on the Zeus v2 Trojan, whose source code was leaked online more than a decade ago.

Zloader has been used in attacks on financial institutions all over the world, but a significant number of its attacks have focused on the US, Australia and Brazil.

Originally it was used to pilfer a wide range of financial data for resale. More recently it has been modified to deliver ransomware payloads such as Egregor and Ryuk. This adds a new and devastating dimension to the attack.

If your business is in any way connected to the financial industry keep a watchful eye on Zloader. It represents a significant risk.

Ransomware Attackers Look For Unpatched Systems To Exploit
https://www.accutel.us/2021/09/28/ransomware-attackers-look-for-unpatched-systems-to-exploit/
Tue, 28 Sep 2021 15:00:00 +0000

Not long ago Microsoft patched a critical MSHTML remote code execution security flaw being tracked as CVE-2021-40444.

Beginning on August 18th of this year (2021), the company spotted hackers exploiting this flaw in the wild. So far there have been fewer than ten attacks that exploit this flaw, but it's inevitable that the number will increase.

So far all of the attacks that have been tracked exploiting this flaw have relied on maliciously crafted Word documents and all have resulted in the installation of Cobalt Strike Beacon loaders.

Beacons deployed on at least one of the networks that were attacked communicated with infrastructure connected to a number of cyber crime campaigns, including ones that utilize human-operated ransomware.

At least two of the other attacks tracked to date have delivered Trickbot and BazaLoader payloads. Microsoft observed a huge spike in exploitation attempts from multiple threat actors including some affiliated with ransomware-as-a-service operations.

Microsoft is continuing to monitor the situation but the bottom line is simply this: This flaw has been patched. Researchers connected with Bleeping Computer have independently verified that the exploit no longer works after applying the September 2021 security patch.

Hackers around the world are actively scanning for unpatched systems in order to exploit the vulnerability. If your system is vulnerable then your risk in this instance is extreme. The best course of action is to patch your way out of danger at your earliest opportunity.

If for any reason you are unable to apply the patch, be aware that Microsoft has published a viable workaround that includes disabling ActiveX controls via Group Policy and disabling document preview in Windows Explorer.

Kudos to Microsoft for addressing the issue and for coming up with a workaround for those who are unable to patch their way to safety.

Popular HP Gaming Laptops And Desktops Have Security Vulnerability
https://www.accutel.us/2021/09/27/popular-hp-gaming-laptops-and-desktops-have-security-vulnerability/
Mon, 27 Sep 2021 15:00:00 +0000

Do you own an HP Omen, Envy, or Pavilion gaming laptop or desktop? You're certainly not alone if you do. These are wildly popular and incredibly versatile models that have sold millions of units worldwide. Unfortunately there's a problem: a serious security flaw in a driver used by the Omen gaming software, which comes pre-loaded on all HP Omen laptops and desktops and can be abused by hackers to take control of a target system.

This flaw is being tracked as CVE-2021-3437. It was caused by HP's decision to use vulnerable code that was copied in part from an open source driver.

The Omen Gaming Hub can be used on any PC to boost one's gaming experience via overclocking and by creating highly optimized gaming profiles that adjust system settings depending on what game you're playing.

The software can be downloaded on any PC, but as mentioned it comes pre-installed on several of HP's most popular models. In light of the above, the flaw in the HP Gaming Hub software can potentially put millions of users at risk.

If there's a silver lining it lies in the fact that HP acted quickly and has already patched the issue. In fact a fix has been available since July of this year (2021). If you use the Gaming Hub application be sure to check the version you've got installed.

If you're using HP Omen Gaming Hub 11.6.3.0 or earlier, you'll want to update right away. If you're using an HP Omen Gaming Hub SDK package earlier than 1.0.44, you'll likewise want to grab the latest version.

So far, there have been no reports of this bug being exploited in the wild. It's still a potentially serious issue though. So if you are currently using a vulnerable version of the software upgrade right away just to be safe.

Microsoft Accounts Will Allow Passwordless Methods For Users
https://www.accutel.us/2021/09/25/microsoft-accounts-will-allow-passwordless-methods-for-users/
Sat, 25 Sep 2021 15:00:00 +0000

Microsoft will be rolling out a new passwordless login scheme in the weeks ahead and that should make just about everyone happy.

Passwords, and having to remember endless multitudes of them, are among the most annoying aspects of using the web today. Anything that can be done to reduce the number of passwords you have to contend with has to be counted as a good thing.

The Redmond giant began allowing its commercial customers to use the new paradigm back in March of 2020. This was after the company reported that more than a million users were logging into Azure Active Directory without using their passwords.

Liat Ben-Zur, Microsoft's Corporate Vice President, had this to say about the new feature:

"Now you can remove the password from your Microsoft account and sign in using passwordless methods like Windows Hello, the Microsoft Authenticator mobile app or a verification code sent to your phone or email.

This feature will help to protect your Microsoft account from identity attacks like phishing while providing even easier access to the best apps and services like Microsoft 365, Microsoft Teams, Outlook, OneDrive, Family Safety, Microsoft Edge and more."

Weak passwords are often what hackers leverage to gain access to corporate networks around the world. Unfortunately, recent surveys have indicated that fully fifteen percent of people use their pets' names as passwords, along with other obvious data points like dates of birth, anniversaries and the like.

All that to say that eliminating passwords is about more than simple convenience. It stands to make corporate networks around the world more secure.

If you want to start using the new passwordless login feature right now the first thing you'll need to do is to install the Authenticator app and link it to your personal Microsoft account.

Once that's done, go to your Microsoft account page, sign in and turn on 'Passwordless Account' under Advanced Security Options. It's fantastic and you're almost certain to love it.

Installing Windows 11 On Unsupported Devices May Have Security Risks
https://www.accutel.us/2021/09/24/installing-windows-11-on-unsupported-devices-may-have-security-risks/
Fri, 24 Sep 2021 15:00:00 +0000

Microsoft raised hackles worldwide when they placed stringent hardware requirements on their recently announced Windows 11 OS. Many chipsets that are more than capable of running the new software aren't on the list. That doesn't mean that you can't still install Windows 11 on a machine with unapproved hardware. However, Microsoft has stuck to its guns here.

They announced that although users may take that approach, unsupported devices won't receive automatic updates and security patches. That's harsh and it may well be sufficient to keep most people from installing Windows 11 on hardware that Microsoft does not approve of.

The specific reason that so many people are up in arms about Microsoft's position is that a large swath of the user base will have to invest in new hardware. That is if they want to take advantage of new Windows 11 capabilities.

It's good that Microsoft has built a loophole into the system, but running an unsupported copy of Windows 11 carries enormous risks. If anybody does it, it's likely to be a very short-term solution. Few individuals and even fewer companies would want the risk of exposure that comes with having an unsupported copy.

It is not yet known whether or not Microsoft will allow users with unsupported hardware to install those updates manually. That makes it even worse. If they don't, it amounts to the kiss of death for unsupported hardware.

Nothing is set in stone and it's still technically possible that Microsoft could reverse course and soften their stance. This seems unlikely though. If we get very lucky users may still be able to manually install updates. Stay tuned for the final word from Microsoft on that front. Whether you agree with the decision or not the company seems to have firmly made up its mind.

Report Finds One Third Of Suspicious Emails Are Threats
https://www.accutel.us/2021/09/23/report-finds-one-third-of-suspicious-emails-are-threats/
Thu, 23 Sep 2021 15:00:00 +0000

Employee cyber security training is paying off according to a report recently released by IT security company F-Secure.

Researchers from F-Secure analyzed more than 200,000 emails that had been flagged as suspicious by employees working for organizations around the world. They discovered that more than one third of those emails could be classified as phishing.

Phishing is an extremely common technique hackers use to gain important information about specific individuals. In some cases they even gain access to a system that the hackers are targeting. For example hackers may employ phishing techniques to impersonate a vendor company that another company does business with. Perhaps they attach a poisoned Word or Excel document that appears to be an invoice.

If the recipient enables macros to view the document, it will install malware onto the recipient's computer. That will allow the hackers to spy on the user and attack other machines on the network. It's one of the most common tactics employed by hackers around the world with phishing attacks accounting for fully half of all infection attempts in 2020.

Even with a relatively low success rate there are so many phishing attacks made over the course of any given year that it adds up to a staggering number of successes. That is why hackers rely so heavily on the technique.

F-Secure's Director of Consulting, Naude, had this to say about the recently published study:

"You often hear that people are security's weak link. That's very cynical and doesn't consider the benefits of using a company's workforce as a first line of defense. Employees can catch a significant number of threats hitting their inbox if they can follow a painless reporting process that produces tangible results."

Naude makes an excellent point. Kudos to the company for conducting the analysis and to all the employees who submitted suspicious emails for a closer look.

Hackers Behind REvil Ransomware Are Back Online
https://www.accutel.us/2021/09/22/hackers-behind-revil-ransomware-are-back-online/
Wed, 22 Sep 2021 15:00:00 +0000

Not long after successfully attacking Kaseya, the band of cyber criminals behind the REvil ransomware strain went dark. Their "Happy Blog" mysteriously went offline.

It is not known whether the group went into hiding as a safety precaution after their attack drew worldwide condemnation, or as a result of action by law enforcement agencies.

Many credit Presidents Biden and Putin because the group went silent not long after the two leaders spoke. Biden pressed the Russian leader about ransomware attacks that originated from Russian soil.

Kaseya is a global IT solutions company based in Ireland. The REvil attack impacted thousands of end users in more than a thousand small to medium-sized companies that Kaseya serves. Whatever drove the hacking group offline temporarily the pressure seems to have faded. The group has returned. Security researchers from both Emsisoft and Recorded Future have confirmed that most of the gang's infrastructure is back in operation.

Ransomware expert Allan Liska had this to say about the group:

"Things definitely got hot for them for a while, so they needed to let law enforcement cool down. The problem (for them) is, if this is really the same group, using the same infrastructure, they didn't really buy themselves any distance from law enforcement or researchers, which is going to put them right back in the crosshairs of literally every law enforcement group in the world (except Russia's).

I'll also add that I've checked all of the usual code repositories, like VirusTotal and Malware Bazaar, and I have not seen any new samples posted yet. So, if they have launched any new ransomware attacks, there haven't been many of them."

BlackFog's CEO Darren Williams added that he's not surprised that the group resurfaced. REvil is one of the most successful ransomware variants of 2021. With so much demand from hackers around the world it would have been virtually impossible for the group to remain hidden and offline.

REvil is back and it is just a matter of time before REvil attacks begin anew.

Hackers Are Using Windows 11 Curiosity To Load Malware
https://www.accutel.us/2021/09/21/hackers-are-using-windows-11-curiosity-to-load-malware/
Tue, 21 Sep 2021 15:00:00 +0000

Millions of people around the world are understandably curious about Windows 11. It's easy to understand why. A new OS offered by the company that makes the most widely used OS on the planet is a big deal.

Unfortunately hackers are well aware of this and are currently using that curiosity as a means of spreading malicious software to unsuspecting victims.

Security researchers have found evidence suggesting that the notorious "FIN7" cyber gang is responsible for the latest campaign which started in late June of this year (2021). That coincided with Microsoft's early announcements about the release of Windows 11.

The current campaign seems to have concluded in late July. All expectations are that a new campaign will begin the next time Microsoft makes another major announcement about their new OS.

The hacking group used tried and true social engineering tactics, creating a poisoned Word document filled with Windows 11 logos and imagery to pique a reader's curiosity. If this poisoned document is opened, readers get a message saying that the advanced features of the document cannot be accessed unless macros are enabled. If the reader opts to enable macros, that is the mechanism by which the malware payload is delivered.

It's a vicious campaign designed to prey on people's natural curiosity about something that's almost certain to have a significant impact on them. Given that we can expect to see more of these types of campaigns as Microsoft moves closer to the Windows 11 launch date.

If you get an email (regardless of who it is from) and that message asks you to download something or enable macros, just say no. Few if any reputable companies require such things to view their content and these are almost always signs that someone is trying to scam or hack you.

Fortinet VPN User Passwords May Have Been Leaked Online
https://www.accutel.us/2021/09/20/fortinet-vpn-user-passwords-may-have-been-leaked-online/
Mon, 20 Sep 2021 15:00:00 +0000

Hackers recently released a list of nearly half a million Fortinet VPN usernames and passwords onto the Dark Web. The group behind the attack claims that all the credentials were scraped from exploitable devices last summer.

The group also claims that while the vulnerability that made the hack possible has been patched many of the VPN credentials are still valid.

For their part, Fortinet has confirmed that they were attacked and that the hackers successfully made off with hundreds of thousands of VPN login credentials.

Half a million credentials of any sort is a serious matter but half a million VPN credentials is eye popping. If the list is exploited the groups doing so could infect a wide range of networks all around the world.

A recent Fortinet advisory had this to say about the matter:

"This incident is related to an old vulnerability resolved in May 2019. At that time, Fortinet issued a PSIRT advisory and communicated directly with customers.

And because customer security is our top priority, Fortinet subsequently issued multiple corporate blog posts detailing this issue, strongly encouraging customers to upgrade affected devices. In addition to advisories, bulletins, and direct communications, these blogs were published in August 2019, July 2020, April 2021, and again in June 2021."

For reference the old vulnerability Fortinet is referring to is being tracked as CVE-2018-13379. A Bleeping Computer analysis of the stolen data reveals that it contains VPN credentials for 498,908 users spread over nearly 13,000 different devices.

If you have Fortinet VPN your best bet is not to take any chances. Assume that your account has been compromised and force-reset all of your users' passwords. In addition to that take the time to do a deep dive into your logs and scan for any suspicious activity that may point to a possible intrusion.
