Phishing Campaign Installs Backdoor-Loaded VM to Evade Antivirus and Harvest Credentials

Overview Assura, Inc. has been made aware of this attack pattern, has taken steps to detect it in our managed services, and is following the attack in the blogs of security researchers who found this campaign. A recent phishing attack campaign has attackers installing a virtual machine (VM) on your Windows system, prebuilt with backdoors…

CISA Urgent Advisory: Exploitation of Unitronics programmable logic controllers (PLCs)

Overview The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory concerning the exploitation of Unitronics programmable logic controllers (PLCs) within the Water and Wastewater Systems (WWS) Sector. These critical systems manage various aspects of water treatment and distribution, and cyber threat actors have targeted these PLCs, posing a significant risk to the…

MOVEit Transfer Software: Critical Zero-day Being Actively Exploited

Overview Assura’s Security Operations Center is seeing active exploitation of a SQL Injection flaw in Progress Software’s MOVEit Transfer product first announced on May 31, 2023. The vulnerability is CVE-2023-34362. Technical Analysis A full technical analysis has been done by our friends at Huntress, who have been on the forefront of analyzing exploitation of the…

Critical Vulnerability in Zyxel Network Appliances Exploited, PoC Scripts Circulating

Overview A few days after Rapid7 posted their technical analysis of CVE-2023-28771, which included a proof-of-concept exploit, Assura’s Offensive Security Operations team noticed a lot of chatter on social media and hacking forums regarding the exploitation of Zyxel network appliances. CVE-2023-28771 is a pre-authentication remote code execution vulnerability affecting the WAN interfaces of several Zyxel…

Exploiting CVE-2023-23397: Microsoft Outlook Elevation of Privilege Vulnerability

Overview Assura’s Offensive Security Operations Team has been looking into MDSec’s Dominic Chell’s research into the recent Microsoft Office Outlook updates, where Dominic found that there is a privilege escalation vulnerability within Outlook. Via this vulnerability, a remote attacker can create a malicious Outlook Appointment Reminder which, when triggered, will authenticate the victim to a…

UPDATE: Take Immediate Action: Two New Microsoft Exchange Zero-Day Vulnerability confirmed by Microsoft

Overview This Cyber Heads-up has been updated to include a PowerShell command to determine whether an Exchange server has already been compromised. Assura’s Defensive Security Operations Center (SOC) is monitoring recently reported zero-day vulnerabilities in Microsoft Exchange 2013, 2016, and 2019 being exploited in the wild. “The first vulnerability, identified as CVE-2022-41040, is a Server-Side…

Apple announces an ‘actively exploited’ vulnerability that allows hackers to fully control devices

Overview On August 17, 2022, Apple announced a zero-day vulnerability that exploits a software weakness that affects both the kernel (CVE-2022-32894) and the WebKit on Apple devices (CVE-2022-32893). The kernel is a layer of the operating system common on all Apple devices, and the WebKit is part of the default Apple web browser, Safari. Apple…

Follina Zero-day Exploit Permits Attackers Complete Takeover of Victim Systems Through Malicious Microsoft Office Documents

Overview of Follina On Friday, May 27th, 2022, @nao_sec announced on Twitter that they had discovered a novel attack technique utilized in a malicious document (maldoc) submitted from a Belarus IP address to VirusTotal. The new technique uses Microsoft’s Microsoft Support Diagnostic Tool (MSDT) to retrieve and execute malicious code from a remote URL. Microsoft…

CISA Releases Advisory About Multifactor Authentication Bypass with Duo — Duo Responds

TL;DR Russian state-sponsored attackers compromised an NGO by exploiting the weak credentials of an inactive user, default settings in the Duo multifactor authentication service, and PrintNightmare to take over the environment. The way to protect organizations is to implement good cyber hygiene and to modify a couple of default settings in Duo. Overview On Tuesday, March…

UPDATE: NVIDIA Code Signing Certificates Compromised – Temporarily Halt Updates/Installation of NVIDIA Software

Update March 16, 2022: It’s been twelve days since we posted this Cyber Heads-up and this seems to have dropped out of the news and out of discussion. NVIDIA has been deafeningly silent about this. Our guidance remains the same. Make sure that your environment is set up to monitor for code signed by these…