
Showing posts with the label Cyber Security

Improper Microsoft Patch for Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable

Remember the Reverse RDP Attack, wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol? Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward slashes in paths with forward slashes. Microsoft acknowledged the improper fix and re-patched the flaw in its February 2020 Patch Tuesday update earlier this year, now tracked as CVE-2020-0655. In the latest report shared with The Hacker News, Check Point researchers disclosed that Microsoft addressed the issue by adding a separate workaround in Windows while leaving the root of the bypass issue, the API function "PathCchCanonicalize," unchanged. Apparently, the workaround works fine for the built-in RDP client in Windows operating systems, but the patch is not fool-proof enough...

HTTP Status Codes Command This Malware How to Control Hacked Systems

Yes, you heard it right. A new version of the COMpfun remote access trojan (RAT) has been discovered in the wild that uses HTTP status codes to control compromised systems targeted in a recent campaign against diplomatic entities in Europe. The cyberespionage malware, attributed to Turla APT with "medium-to-low level of confidence" based on the history of compromised victims, spread via an initial dropper that masks itself as a visa application, the Global Research and Analysis Team at Kaspersky discovered. The Turla APT, a Russia-based threat group, has a long history of carrying out espionage and watering hole attacks spanning various sectors, including governments, embassies, military, education, research, and pharmaceutical companies. First documented by G-Data in 2014, COMpfun received a significant upgrade last year (called "Reductor") after Kaspersky found that the malware was used to spy on a victim's browser activity by staging man-in-the...

More than 440,000 Customers to Be Notified by SAP to Address Security Issues with Some of Its Cloud Products!!

SAP (Systems, Applications and Products) announced on Monday that it will patch security issues in some of its cloud-based products. The bugs were identified as part of an internal cybersecurity audit, and the company has already started working on them.

SAP Security Issues

SAP said that some of its "cloud products do not meet one or several contractually agreed or statutory IT security standards" and that it has started to fix them. The following products are affected: SAP SuccessFactors, SAP Concur, SAP/CallidusCloud Commissions, SAP/Callidus Cloud CPQ, as well as SAP C4C/Sales Cloud, SAP Cloud Platform, and SAP Analytics Cloud. SAP confirms that the vulnerabilities were not identified as part of a security incident and that no customer data has been compromised. "To ensure that the affected products meet relevant terms and conditions and in addition to technical remediation, SAP has decided to update its security-related terms and conditions. These remain in l...

Computers Infected with Fake Zoom Installers with WebMonitor RAT!!!

Due to the coronavirus pandemic, many companies around the world have asked employees to work from home, which has increased the usage of video conferencing apps. Researchers from Trend Micro observed a new campaign that leverages several popular messaging apps, including Zoom.

WebMonitor RAT Campaign

In the new campaign, attackers repackaged the legitimate Zoom installer with the WebMonitor RAT. The infection starts with downloading the malicious file ZoomIntsaller.exe from malicious sources. When run, the malicious file drops a copy of itself named Zoom.exe and opens the process notepad.exe to execute Zoom.exe. Once executed, it connects to the remote C2 server and can execute the following commands:

- Add, delete, and change files and registry information
- Close connections
- Get software and hardware information
- Get webcam drivers/snapshot
- Record audio and log keystrokes
- Start, suspend, and terminate processes and services
- Start/stop screen stream
- Start/stop Wire...

Trickbot Malware Campaign Targets users with COVID-19 Themed Malspam

Cybercriminals are using COVID-19 themed malspam to distribute the Trickbot malware, say IBM Security researchers. This time the attackers use the FMLA (Family and Medical Leave Act) to lure users with the promise of COVID-19 medical leave, distributing the malware through an attachment named "Family and Medical Leave of Act 22.04.doc". The spam mail is disguised to come from the U.S. Department of Labor (DoL).

Trickbot Campaigns

TrickBot is a sophisticated banking Trojan operated by an organized cybercrime gang. Users infected with the TrickBot Trojan become part of a botnet that can allow attackers to gain complete control of the device. Typical consequences of TrickBot infections are bank account takeover, high-value wire fraud, and possibly ransomware attacks targeting organizational networks. These are mainly financially motivated cyber-attacks.

DocuSign Themes Used by Trickbot

The sample email US-DoL.eml contains three attachments: uslogo.png, faq.png, and Family and Medical L...

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data centers and cloud environments. The issues were fixed by SaltStack in a release published on April 29th. "We expect that any competent hacker will be able to create 100% reliable exploits for these issues in under 24 hours," F-Secure researchers had previously warned in an advisory last week. LineageOS, the maker of an open-source operating system based on Android, said it detected the intrusion on May 2nd at around 8 pm Pacific Time. "Around 8 pm PST on May 2nd, 2020, an attacker used a CVE in our SaltStack master to gain access to our infrastructure," the...