Cyber Hub

Recently, researchers discovered a new vulnerability in the Windows SAM database called HiveNightmare (aka SeriousSAM). Exploitation of this vulnerability could allow non-admin users to access the SAM database, which is a storage of local passwords and users. Essentially, an attacker could run arbitrary code with SYSTEM privileges, and then install programs; view, change, or delete data - or create new accounts with full admin rights. The vulnerability affects Windows 10 version 1809 and newer operating systems. Additionally, an exploit is publicly available. After this discovery, Microsoft addressed the vulnerability and assigned it the following CVE ID: CVE-2021-36934. Microsoft has not yet published an official patch for the vulnerability; however, several mitigations and workarounds are suggested.

Read the full Threat Hunting report to learn more.

BazarLoader is known to spread via phishing emails that purport to stem from legitimate sources. For instance, a malicious email could be disguised as payroll reports or lists of terminated employees. Clicking on the malicious link to documents can redirect the targeted victim to malicious landing pages resembling Excel sheets, PDFs, or Word documents. BazarLoader has continued to be one of the preeminent initial access brokers for ransomware threat actor access. In July, we witnessed a BazarLoader campaign that deployed Cobalt Strike and ended with domain-wide encryption using Conti ransomware.

Read the full Threat Hunting report to learn more.

This week, security researchers published a report explaining the technique that allowed the MyKings botnet to become the world's largest botnet dedicated to mining crypto currencies. In addition, a new Python-based malware attributed to Keksec has been analyzed. The malware has several vulnerability exploits in its arsenal, including an exploit of the recently disclosed Confluence RCE vulnerability. Also, a new campaign named MirrorBlast - linked to the threat actor TA505 - was discovered targeting mainly financial institutions worldwide. Lastly, a Google Chrome adblocker extension was found to be injecting affiliate links that generate commissions for its developers.

Over the past week, security researchers performed malware analysis on two main malware files: FontOnLake and ShellClient. The first is a new malware strain targeting Linux OS to harvest credentials. The malware is interestingly engineered, with the main components constantly communicating with each other to allow silent malicious stealth from the host. The second is named ShellClient a seemingly state-sponsored Iranian-operated malware strain that has undergone significant evolution after first emerging during late 2018.

This past week, security researchers identified widespread phishing campaigns targeting victims around the world. A fake Amnesty International website promoted a fake antivirus that detects and removes traces of the Pegasus malware, while in fact it downloads the Sarwent RAT. In addition, a credential harvesting campaign targeted various organizations using spoofed Zix encrypted emails.

During the past week, security researchers published a report uncovering a massive phishing-as-a-service (PhaaS) operation named BulletProofLink. Also, a report was published this week describing the rise of the use of macro capabilities available in Microsoft PowerPoint to distribute malware in phishing campaigns. In a recent campaign of this kind, the malicious macros loaded the AgentTesla infostealer. In addition, a phishing campaign that was identified and alerted on by Microsoft in June 2021 is reported to still be active in the wild, and has recently been seen affecting a number of CyberProof customers.

During the past week, researchers uncovered new phishing campaigns affecting individuals and companies around the world. One of these campaigns involved fake emails from IT support departments to lure victims into a fake Mimecast phishing site and steal their credentials. In addition, threat actors were observed impersonating the US Department of Transportation (USDOT). This was part of a new phishing scam related to the recent decision of the US Senate to pass the $1 trillion infrastructure bill on August 10, 2021. The scam was a combination of old tactics in a new pattern that allowed the attackers to get the emails through secure email gateways.

Over the past week, several new malware files have emerged in the malware cyber security scene. First, the Grayfly cyber crime group - commonly known as APT-41 - has recently been targeting worldwide companies from a wide range of industry verticals, through a new type of malware that acts as a modular backdoor. Second, researchers recently discovered a new strain of Dridex malware being distributed via a phishing email containing a malicious Excel file. Finally, researchers recently observed the emergence of a new Distributed Denial of Service (DDoS) botnet, which has been registering new records both in terms of RPS and in the number of infected hosts relative to its comparatively short lifespan.

Ransomware operators are constantly looking for ways to make their attacks stronger, faster, and more effective. To this end, threat actors behind ransomware regularly add new tools to their attack routines - as well as exploits to newly disclosed vulnerabilities to be used as infection vectors and/or for lateral movement. Over the past week, security researchers disclosed that affiliates of the infamous ransomware gang Conti are now targeting organizations by exploiting the ProxyShell vulnerabilities to gain access to victims corporate networks.

During the past week, researchers uncovered a few new phishing campaigns affecting individuals and companies around the world. One of these campaigns is using Open-Redirect links and CAPTCHA verification to gain victims' trust and trick them into entering their credentials. Another campaign is causing panic and pressure by using fake Digital Millenium Copyright Act (DMCA) and Distributed Denial of Service (DDoS) threats to manipulate victims into clicking on malicious links and downloading the BazarLoader malware. The third observed campaign is a phishing campaign that takes advantage of the COVID-19 pandemic and the new "COVID pass" document established recently in Europe and Asia - to steal credentials and sensitive information.