Cyber Hub

Over the past week, new updates were published regarding the vulnerability in Log4j 2 and other affected software. This week’s updates include a new vulnerability in a SolarWinds product – one which could be used for Log4j attack attempts.

This week, researchers discovered a security flaw in the KCodes NetUSB kernel module used by many network device vendors and affecting millions of end user router devices. Additionally, an open source developer purposefully corrupted his own widely used libraries, impacting millions of projects. Furthermore, new reports and updates were published regarding the Log4Shell vulnerability. This week’s updates include exploitation attempts in the wild. Moreover, during the past week it was reported that a vulnerability in macOS named powerdir could allow threat actors access to unauthorized user data. In addition, January’s Microsoft’s Patch Tuesday advisory included dozens of newly patched vulnerabilities. This week, researchers shed light on one of these bugs, which resides in the Remote Desktop Protocol (RDP) and deserves its own spotlight. The vulnerability, the attack surface, and the screened demonstration are available in the full report.

This week, researchers reported on a novel threat group named Elephant Beetle, which has been active for the past two years. The report contains elaborate technical details regarding the activities of the group, including its initial access method, which relies on old vulnerabilities in Java-based web servers. In addition, this past week security researchers disclosed a critical Java Naming and Directory Interface (JNDI)-based vulnerability in the popular H2 database console, similar to the infamous Log4Shell vulnerability.

Over the past week, new reports and updates were published regarding the Log4Shell vulnerability. This week’s updates include a new vulnerability in the Log4j software library and Proof of Concept (POC) codes.

This week, researchers reported recent phishing campaigns distributing the Dridex malware. Two notable lures were used in the campaigns: fake job termination and the COVID-19 Omicron variant. In addition, a phishing campaign was seen in the wild that is impersonating Pfizer to steal business and financial information from victims. In another new short-term phishing campaign, threat actors were seen trying to bypass a patch for a Microsoft MSHTML security flaw.

Over the past week, new reports and updates were published daily regarding the Log4Shell vulnerability. This week’s updates include new bypass methods, Proof of Concept (PoC) codes, and exploitation attempts in the wild. In addition, security researchers detected a critical vulnerability in the VMware Workspace ONE UEM console, which can allow malicious threat actors to gain access to sensitive information. Lastly, Lenovo released a security advisory for two vulnerabilities that allow local privilege escalation on Lenovo devices.

Last week, Zoho reported on an unauthenticated remote code execution (RCE) vulnerability in ManageEngine ServiceDesk Plus - which is actively exploited in the wild in targeted attacks. Also, Grafana fixed a zero-day path traversal vulnerability that enabled remote access to local files. Finally, security researchers disclosed 27 high severity vulnerabilities found in Eltima SDK, affecting multiple cloud services providers including Amazon WorkSpaces. All of the above are in addition to the newly discovered zero-day vulnerability in the widely used Java logging library Apache Log4j, which is easy to exploit and gives attackers the ability to gain full control of affected servers.

Over the past week, researchers observed that the BlackBytre ransomware gang is now breaching corporate networks by exploiting Microsoft Exchange servers. Additionally, the new Yanluowang ransomware was potentially used by a Thieflock affiliate. Moreover, Cuba ransomware breached over 40 critical US infrastructures. And finally, a new analysis of a Conti ransomware attack shed light on the various techniques and tools used by the attackers to deploy the ransomware.

This week, researchers detected a new phishing campaign targeting corporate users impersonating popular brands such as Microsoft and claiming that a password reset is needed. In addition, a new malspam campaign dropping a new TrickBot variation - which uses HTML smuggling - was detected.

Over the past week, researchers observed that the Squirrelwaffle campaign is hijacking legitimate email chains via ProxyShell and ProxyLogon. In addition, security researchers discovered evidence of the TrickBot malware dropping a loader for the Emotet malware on infected devices.