Join over 45,000 others, and get FREE threat intelligence on hackers and exploits with the Recorded Future Cyber Daily • Graham Cluley

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being.

Get trending threat insights delivered to your inbox with Recorded Future's free Cyber Daily newsletter

Many thanks to the great team at Recorded Future, who are sponsoring my website this week.

Recorded Future provides deep, detailed insight into emerging threats by automatically collecting, analyzing, and organizing billions of data points from the web.

And now, with its FREE Cyber Daily email, all IT security professionals can access information about the top trending threat indicators – helping you use threat intelligence to make better decisions quickly and easily.

Which means that you will be able to benefit from a daily update of the following:

  • Information Security Headlines: Top trending news stories.
  • Top Targeted Industries: Companies targeted by cyber attacks, grouped by their industries.
  • Top Hackers: Organizations and people recognized as hackers by Recorded Future.
  • Top Exploited Vulnerabilities: Identified vulnerabilities with language indicating malcode activity. These language indicators range from security research (“reverse engineering,” “proof of concept”) to malicious exploitation (“exploited in the wild,” “weaponized”).
  • Top Vulnerabilities: Identified vulnerabilities that generated significant amounts of event reporting, useful for general vulnerability management.

Join over 45,000 others, and enhance your security with threat intelligence by signing up for the free Cyber Daily today.

Infosec professionals agree that the Cyber Daily is an essential tool:

“I look forward to the Cyber Daily update email every morning to start my day. It’s timely and exact, with a quick overview of emerging threats and vulnerabilities. For organizations looking to strengthen their security program with threat intelligence, Recorded Future’s Cyber Daily is the perfect first step that helps to prioritize security actions.” – Tom Doyle, CIO at EBI Consulting.

So, what are you waiting for?

Sign up for the Cyber Daily today, and starting tomorrow you’ll receive the top trending threat indicators.

If you’re interested in exclusively sponsoring my site for a week, and reaching an IT-savvy audience that cares about computer security, you can find more information here.


Alarming Western Digital My Book Live Hack Reportedly Involved Two Dueling Security Exploits


Last week, hundreds if not thousands of My Book Live customers awoke to find their devices wiped and, in some cases, unrecoverable. At the time, the explanation seemed simple: Western Digital had never patched a critical remote command execution vulnerability from 2018 (CVE-2018-18472) that let attackers do this. It now seems there is more to the story.

On June 23rd, WD Community Forum user sunspeak created a forum post that would ultimately spearhead the community outcry over the wiping of My Book Live devices. At the time of writing, that post has over 46,000 views and 763 replies, some of which have devolved into arguments over whether a company can simply declare a product "end-of-life" (EOL) and stop supporting it when it has glaring security issues. In any case, the unpatched 2018 vulnerability was not the only thing at play.


We now know, as researchers at Censys explain, that attackers used the 2018 vulnerability to download and run a malicious payload that joined WD My Book Live devices to a botnet. The attackers then put a password on the exploited code path so that, in theory, nobody else could walk in the same way and hijack the devices they had collected. That, however, does not explain why some users found their devices being factory reset.

(Image: commented-out code that disables authentication for the factory restore endpoint)

As it turns out, the mass device wipes stem from a separate, unauthenticated zero-day vulnerability (tracked as CVE-2021-35941) in an endpoint named system_factory_restore, which does exactly what the name implies. When the Censys team unpacked the firmware Western Digital shipped and looked at this endpoint, they found, to their surprise, the "authentication code commented out (disabled) at the top." In short, a single request to this endpoint, with no credentials at all, is enough to trigger the factory restore process.
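To make that failure mode concrete, here is an added example (my own code, not Censys's or Western Digital's): a small Python audit that scans PHP source and flags handler functions whose authentication call survives only inside comments, plus privileged-looking handlers with no authentication call at all. The PHP sample it runs over is constructed to mirror the pattern described above; the helper name authenticate_as_owner, the script path and the function names are assumptions, not WD's firmware.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Names of authentication helpers to look for (assumed; adapt to the code base under review).
AUTH_CALL = re.compile(
    r"\b(?:authenticate\w*|check_?auth\w*|is_?logged_?in|require_?login)\s*\(", re.I)
# Handler names that suggest a destructive or privileged operation.
PRIVILEGED = re.compile(r"factory_?restore|reset|reboot|shutdown|format|wipe", re.I)


def blank_comments(src: str) -> str:
    """Return src with every PHP comment (//, #, /* */) overwritten by spaces.
    Length and newlines are preserved, so an offset into the result is a valid
    offset into the original; that lets us compare live code with raw text."""
    out: list[str] = []
    i, n, quote = 0, len(src), None
    while i < n:
        c = src[i]
        if quote:                                   # inside a string literal
            out.append(c)
            if c == "\\" and i + 1 < n:             # keep the escaped char as-is
                out.append(src[i + 1])
                i += 2
                continue
            if c == quote:
                quote = None
            i += 1
        elif c in "'\"":
            quote = c
            out.append(c)
            i += 1
        elif src.startswith("//", i) or c == "#":   # line comment
            while i < n and src[i] != "\n":
                out.append(" ")
                i += 1
        elif src.startswith("/*", i):               # block comment
            end = src.find("*/", i + 2)
            end = n if end == -1 else end + 2
            out.extend(ch if ch == "\n" else " " for ch in src[i:end])
            i = end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def find_functions(code: str):
    """Yield (name, body_start, body_end) for each PHP function in comment-blanked
    code, matching braces from the first '{' after the signature."""
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\(", code):
        start = code.find("{", m.end())
        if start == -1:
            continue
        depth = 0
        for i in range(start, len(code)):
            if code[i] == "{":
                depth += 1
            elif code[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), start, i + 1
                    break


@dataclass
class Finding:
    function: str
    issue: str


def audit_php(src: str) -> list[Finding]:
    """Flag functions whose only auth call is commented out, and privileged
    functions with no auth call anywhere in their body."""
    code = blank_comments(src)
    findings = []
    for name, start, end in find_functions(code):
        live = AUTH_CALL.search(code[start:end]) is not None      # in executable code
        anywhere = AUTH_CALL.search(src[start:end]) is not None   # including comments
        if anywhere and not live:
            findings.append(Finding(name, "authentication check exists only in commented-out code"))
        elif not anywhere and PRIVILEGED.search(name):
            findings.append(Finding(name, "privileged operation with no authentication check"))
    return findings


# Constructed PHP sample modelled on the pattern described in the article; not WD's firmware.
SAMPLE_PHP = r'''<?php
function get_status($params) {
    if (!authenticate_as_owner($params)) { header("HTTP/1.1 401 Unauthorized"); return; }
    return "ok";
}
function system_factory_restore($params) {
//    if (!authenticate_as_owner($params)) {
//        header("HTTP/1.1 401 Unauthorized");
//        return;
//    }
    exec("/usr/local/sbin/factoryRestore.sh");   // assumed path
    return "restoring";
}
function reboot_device($params) {
    exec("/sbin/reboot");
}
'''

if __name__ == "__main__":
    for f in audit_php(SAMPLE_PHP):
        print(f"{f.function}: {f.issue}")
```

The comment blanking preserves offsets on purpose: the same byte range is searched once in executable code and once in the raw file, and a handler that mentions the auth helper only in the second search is exactly the "commented out at the top" case. It is a heuristic (string literals containing braces, or auth enforced by a front controller, will need tuning), but it is cheap to run over an unpacked firmware tree.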

It is speculated that the mass-device wiping that occurred “could be an attempt at a rival botnet operator to take over these devices or render them useless, or someone who wanted to otherwise disrupt the botnet which has likely been around for some time, since these issues have existed since 2015.” Whatever the case is, there are still 55,348 WD My Book Live devices across the…


Microsoft Defender Can Now Automatically Prevent Exchange Server Exploits


The antivirus will mitigate one of the four zero-day vulnerabilities being exploited on on-premises Microsoft Exchange servers.


Microsoft has rolled out a security intelligence update for Defender Antivirus that automatically mitigates CVE-2021-26855, the server-side request forgery bug that serves as the entry point of the Exchange Server attack chain, by adding a URL Rewrite rule to the server's IIS configuration. The antivirus will also scan the server and revert changes made by known threats. The rewrite rule blocks the known exploitation pattern only; it is not a replacement for installing the security updates.

The Redmond company released out-of-band security updates after discovering that attackers were chaining four zero-day vulnerabilities in Exchange Server, in attacks that have since included ransomware deployment. The vulnerabilities affect on-premises Microsoft Exchange Server 2013, 2016, and 2019.


Microsoft Exchange exploits now used by cryptomining malware



The operators of Lemon_Duck, a cryptomining botnet that targets enterprise networks, are now using Microsoft Exchange ProxyLogon exploits in attacks against unpatched servers.

The malware is known for installing XMRig Monero (XMR) CPU coinminers on infected devices to mine cryptocurrency for the botnet’s owners.

Lemon_Duck’s ongoing attacks on vulnerable Exchange servers have already reached a massive scale, according to Costin Raiu, director of Kaspersky’s Global Research and Analysis Team.

The attackers are using web shells deployed on compromised servers to download malicious payloads from p.estonine[.]com and cdn.chatcdn[.]net.

These indicators of compromise associated with Lemon_Duck were also observed by Huntress Labs while analyzing mass exploitation of on-premises Microsoft Exchange servers.

Continuously updated cryptomining botnet

In previous attacks, the botnet gained access to victims' networks over SMB using the EternalBlue exploit, or by brute-forcing credentials on Linux machines and MS SQL servers.

Lemon_Duck also supports spreading to servers running exposed Redis (REmote DIctionary Server) databases and Hadoop clusters managed using YARN (Yet Another Resource Negotiator).

Its operators also employed large-scale COVID-19-themed spam campaigns for propagation in the past, exploiting the CVE-2017-8570 Microsoft Office remote code execution (RCE) vulnerability to deliver the malware payload.
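As an added detection example (my own code, not Kaspersky's, Huntress's or Sophos's), the script below runs the two payload-hosting domains named above, together with the lateral-movement services the botnet is known to spread through, over constructed egress log lines. It refangs the indicators as published, matches hosts by exact name or subdomain, and raises a second alert when a host that has already contacted the payload servers starts probing SMB, MS SQL, Redis or YARN ports. The log format and the sample lines are invented for the example; the port numbers are the services' standard defaults.

```python
from __future__ import annotations
import re
from urllib.parse import urlsplit

# Payload-hosting domains named in the article, kept defanged as published.
DEFANGED_IOCS = ["p.estonine[.]com", "cdn.chatcdn[.]net"]

# Services Lemon_Duck is known to spread through, keyed by their default ports.
LATERAL_PORTS = {
    445: "SMB (EternalBlue)",
    1433: "MS SQL (brute force)",
    6379: "Redis",
    8088: "Hadoop YARN ResourceManager",
}

# Constructed egress log format: <timestamp> <src_ip> <dst_ip>:<dst_port> <host|-> <url|->
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<dport>\d+) (?P<host>\S+) (?P<url>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, normalised hostname."""
    return (indicator.strip().lower()
            .replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http").rstrip("."))


def matches_ioc(host: str, iocs: list[str]) -> str | None:
    """Return the indicator that host equals or is a subdomain of, else None."""
    host = refang(host)
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def parse(line: str) -> dict | None:
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines: list[str], iocs: list[str] = DEFANGED_IOCS) -> list[tuple[str, str, str]]:
    """Return (src_ip, rule, detail) alerts: one per payload/C2 contact, and one per
    lateral-movement probe from a host that already made such contact."""
    iocs = [refang(i) for i in iocs]
    alerts: list[tuple[str, str, str]] = []
    compromised: set[str] = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        candidates = {rec["host"]}
        if rec["url"] != "-":
            candidates.add(urlsplit(rec["url"]).hostname or "")
        hit = None
        for cand in candidates:
            if cand and cand != "-":
                hit = matches_ioc(cand, iocs)
                if hit:
                    break
        if hit:
            alerts.append((rec["src"], "payload download / C2 contact", f"{rec['host']} ({hit})"))
            compromised.add(rec["src"])
        elif rec["src"] in compromised and rec["dport"] in LATERAL_PORTS:
            alerts.append((rec["src"], "lateral movement after C2 contact",
                           f"{rec['dst']}:{rec['dport']} {LATERAL_PORTS[rec['dport']]}"))
    return alerts


# Constructed sample log lines (private and documentation IP ranges; not real traffic).
SAMPLE_LOG = [
    "2021-03-10T09:14:02Z 10.20.1.15 198.51.100.7:80 p.estonine.com http://p.estonine.com/payload.bin",
    "2021-03-10T09:14:05Z 10.20.1.15 198.51.100.9:443 cdn.chatcdn.net https://cdn.chatcdn.net/stage2",
    "2021-03-10T09:15:00Z 10.20.1.15 10.20.1.30:445 - -",
    "2021-03-10T09:15:01Z 10.20.1.15 10.20.1.77:6379 - -",
    "2021-03-10T09:16:10Z 10.20.3.4 10.20.1.30:445 - -",
    "2021-03-10T09:16:12Z 10.20.3.4 93.184.216.34:443 example.com https://example.com/",
]

if __name__ == "__main__":
    for src, rule, detail in detect(SAMPLE_LOG):
        print(f"{src}\t{rule}\t{detail}")
```

Two details matter in practice. Subdomain matching is deliberate, since payload hosts rotate under the same parent domain, while the "." prefix check keeps notchatcdn.net from matching. And the lateral-movement rule is gated on a prior indicator hit from the same source, so ordinary SMB or SQL traffic (the 10.20.3.4 lines above) does not page anyone; a plain port filter would.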

“The Lemon Duck cryptominer is one of the more advanced types of cryptojacker payloads we’ve seen,” Sophos security researcher Rajesh Nataraj said.

“Its creators continuously update the code with new threat vectors and obfuscation techniques to evade detection, and the miner itself is ‘fileless,’ meaning it remains memory resident and leaves no trace of itself on the victim’s filesystem.”

Exchange servers targeted by ransomware, state hackers

Since Microsoft disclosed ongoing attacks using ProxyLogon exploits last week, at least ten APT groups have been…