Tag Archive for: threat

Tips for Defusing the Threat

The recent Atlassian Confluence remote code execution bug is just the latest example of zero-day threats targeting critical vulnerabilities within major infrastructure providers. The specific threat, an Object-Graph Navigation Language (OGNL) injection, has been around for years but took on new significance given the scope of the Atlassian exploit. And OGNL attacks are on the rise.

Once bad actors find such a vulnerability, proof-of-concept exploits start knocking at the door, seeking unauthenticated access to create new admin accounts, execute remote commands, and take over servers. In the Atlassian case, Akamai’s threat research team identified that the number of unique IP addresses attempting these exploits grew to more than 200 within just 24 hours.

Defending against these exploits becomes a race against time worthy of a 007 movie. The clock is ticking and you don’t have much time to implement a patch and “defuse” the threat before it’s too late. But first you need to know that an exploit is underway. That requires a proactive, multilayered approach to online security based on zero trust.

What do these layers look like? Consider the following practices that security teams — and their third-party Web application and infrastructure partners — should be aware of.

Monitor Vulnerability Repositories

Mass vulnerability scanning tools like Nuclei’s community-based scanner or the Metasploit penetration testing framework are popular with security teams. They are also popular among bad actors looking for proof-of-concept exploit code that will help them probe for cracks in the armor. Monitoring these repositories for new templates that may be designed to identify potential exploit targets is an important step toward maintaining awareness of emerging threats and staying a step ahead of the black hats.

Make the Most of Your WAF

Some may point to Web application firewalls (WAFs) as ineffective against zero-day attacks, but they can still play a role in mitigating the threat. In addition to filtering traffic for known attacks, when a new vulnerability is identified, a WAF can be used to quickly implement a “virtual patch,” creating a custom rule to prevent a zero-day exploit and give you some…


Snowballing Ransomware Variants Highlight Growing Threat to VMware ESXi Environments

The latest confirmations of the growing attacker interest in VMware ESXi environments are two ransomware variants that surfaced in recent weeks and have begun hitting targets worldwide.

One of the malware tools, dubbed Luna, is written in Rust and can encrypt data on ESXi virtual machines (VMs) in addition to data on Linux and Windows systems. The other is Black Basta, a rapidly proliferating ransomware variant written in C++ that, like Luna, targets ESXi VMs and also works on Windows and Linux systems.

They add to a collection of ransomware variants aimed at ESXi, VMware’s bare-metal hypervisor for running virtual machines. Numerous organizations use the technology to deploy multiple VMs on a single host system or across a cluster of host systems, making the environment an ideal target for attackers looking to cause widespread damage.

“Infrastructure services like networking equipment and hosting infrastructure like ESXi can’t easily be patched on demand,” says Tim McGuffin, director of adversarial engineering at Lares Consulting. “Attacking these services provides a one-stop shop for impact since a large number of servers can be encrypted or attacked at once.”

Other recent examples of malware targeting ESXi environments include Cheerscrypt, LockBit, RansomEXX, and Hive.

The Cross-Platform Ransomware Threat

Researchers from Kaspersky first spotted Luna in the wild last month. Their analysis shows the malware to fall into the trend of several other recent variants that are written in platform-agnostic languages like Rust and Golang, so they can be easily ported across different operating systems. The researchers also found the malware to employ a somewhat rare combination of AES and x25519 cryptographic algorithms to encrypt data on victim systems. The security vendor assessed the operator of the malware to be likely based in Russia.

Kaspersky’s analysis of a recent version of Black Basta — a ransomware variant it has been tracking since February — shows the malware has been tweaked so it can now encrypt specific directories, or the entire “/vmfs/volumes” folder, on ESXi VMs. The malware uses the ChaCha20 256-bit cipher to encrypt files on victim systems. It also…


Cyberattacks hit Albania. Threat actors prospect journalists. GRU trolls researchers. CISA opens a liaison office in London.

Dateline Moscow, Kyiv: Notes on the hybrid war.

Ukraine at D+144: Firing for whatever effect. (The CyberWire) Heavy Russian artillery fire continues along the line of contact. The strikes are regarded as a preparation for a renewed offensive in the Donbas, as spoiling attacks against a feared Ukrainian counter-offensive in the southern region, as direct terrorism of the civilian population, as a crude expression of a deterrent to HIMARS attacks against high-value targets, and, finally, as a form of attack Russia’s army is actually able to carry out. In the cyber phase of the hybrid war, the GRU seems to be trolling researchers who look into its activities.

Russia-Ukraine war: List of key events, day 144 (Al Jazeera) As the Russia-Ukraine war enters its 144th day, we take a look at the main developments.

Russia-Ukraine war at a glance: what we know on day 144 of the invasion (the Guardian) Evacuations from Sviatohirsk Lavra in Donetsk; Russian forces reportedly preparing new offensive; all bodies identified after Vinnytsia missile attack

Russia-Ukraine war update: what we know on day 143 of the invasion (the Guardian) At least three killed and 15 hurt in Dnipro missile strike; UK says Kremlin responsible for British captive’s death; Ukraine reports May peak in military losses

Russia prepares for next Ukraine offensive in face of new Western weapons (Reuters) As Western deliveries of long-range arms begin to help Ukraine on the battlefield, Russian rockets and missiles have pounded cities in strikes that Kyiv says have killed dozens in recent days.

Ukraine braces for further Russian missile strikes as civilian death toll rises (the Guardian) At least 37 deaths across country since Thursday as residential areas appear to be targeted

Russian War Report: Russian missiles strike Vinnytsia (Atlantic Council) Russian forces launched a missile attack on the Ukrainian town of Vinnytsia, Russia’s public death toll grows, and Iran’s coverage of the war.

Russia escalating attacks on civilians, says top Ukrainian official (the Guardian) Head of national security council says ‘more and more civilian targets’ being hit, after deadly Vinnytsia attack

‘They have come to destroy us’: Ukrainians on…


Annual Ransomware Detection Count expected to be the highest this year, WatchGuard Threat Lab report reveals / Digital Information World

According to the WatchGuard Threat Lab’s most recent quarterly Internet Security Report, the number of ransomware detections in Q1 2022 was double the number recorded across all of 2021.

Additionally, the study reveals that EMEA still happens to be a safe spot for malware risks. It was also found that WatchGuard Fireboxes in EMEA were impacted more than those in the Americas and Asia-Pacific.

Corey Nachreiner, chief security officer at WatchGuard, stated that 2022 is on its way to becoming the year with the most annual ransomware detections. He advised companies to adopt a “true unified security approach” that is advanced enough to tackle the evolving attacks.

The research also included some other intriguing revelations such as:

#1 Log4Shell makes its presence felt

The public first heard about Log4Shell right before the end of 2021. Fast forward to this quarter, and it has already appeared on the top 10 network attack list. Furthermore, WatchGuard’s last report highlighted Log4Shell as the top security event. It received a full 10.0 CVSS score, making it an extremely critical vulnerability, not least because the affected logging library is so commonly used in Java applications.

#2 Emotet is here to stay

Ever since making a comeback in Q4 2021, Emotet has gone on to secure three slots in the top 10 detections and top widespread malware lists. The threats related to it are Trojan.Vita, Trojan.Valyria, and MSIL.Mesna.4. Threat Lab suggests that Emotet downloads and installs the file after retrieving it from a malware delivery server.

#3 PowerShell scripts contribute to rising endpoint attacks

The findings for Q1 2022 show a year-over-year increase of 38% in endpoint detections. Almost nine out of every 10 such detections (88%, to be precise) were due to scripts. Digging deeper into the scripts revealed that 99.6% of them were PowerShell scripts. This indicates that cybercriminals have been putting extra focus on abusing legitimate tools to carry out fileless and living-off-the-land (LotL) attacks.

#4 Unauthentic activity coupled with authentic crypto mining operations

The popular mining pool Nanopool became a hot topic of the study in question. Nanopool domains are perceived as credible domains linked…