CVE-2019-1367
Published: 2019-09-23
Priority: P1 · 84 (high) · CVSS 3.1: 7.5
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
KEV · ITW · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-05-03
Exploited in the wild
EPSS: 52.73% (98.8th percentile)
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| microsoft | internet_explorer | — | — |
| msrc | internet_explorer_10 | — | — |
| msrc | internet_explorer_11 | — | — |
| msrc | internet_explorer_9 | — | — |
Detection & IOCs (extracted from sources)
- The CVE-2019-1367 exploit is delivered via WPAD abuse: the domain wpad.id serves a standalone JavaScript exploit at /wpad.dat, enabling zero-click exploitation whenever a system starts and resolves WPAD.
- The PurpleFox landing page contains a Jscript.Encode section used to exploit CVE-2019-1367; it decrypts a Data1 variable and executes it via EVAL(). Detection should look for Jscript.Encode blocks combined with EVAL() execution in the IE scripting engine context.
- PurpleFox EK infrastructure uses Cloudflare-fronted HTTPS domains for landing page delivery with fully encrypted and obfuscated content; network detection should flag encrypted exploit kit traffic proxied through Cloudflare to these known malicious domains.
- CVE-2019-1367 is actively exploited in the wild in Internet Explorer's scripting engine (jscript.dll). Monitor for anomalous access to or modification of jscript.dll as an indicator of exploitation attempts.
- The PurpleFox landing page redirects users to the Google search engine as a disguise tactic not previously observed; this redirection combined with encrypted exploit content can be used as a behavioral detection signal.
- Cloudflare placed an interstitial page in front of the Purple Fox EK Cloudflare-fronted domains after notification, taking those specific infrastructure parts offline; the actor may have migrated to new domains.
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.6 | HIGH | AV:N/AC:H/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.5 | HIGH | — |
| cisa | — | 7.5 | HIGH | — |
| vendor_msrc | — | 6.4 | MEDIUM | — |
CISA
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
cisa·2021-11-03·CVSS 7.5
CVE-2019-1367 [HIGH] CWE-787 Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
Vulnerability: Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
Affected: Microsoft Internet Explorer
Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context of the current user.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1367
Remediation Due Date: 2022-05-03
Microsoft
Scripting Engine Memory Corruption Vulnerability
vendor_msrc·2019-09-10·CVSS 6.4
CVE-2019-1367 [HIGH] Scripting Engine Memory Corruption Vulnerability
Scripting Engine Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
In a web-based attack scenario, an attacker could host a specially crafted websi
GHSA
GHSA-5786-v8v7-87fq: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engin
ghsa_unreviewed·2022-05-24·CVSS 7.5
CVE-2019-1367 [HIGH] CWE-787 GHSA-5786-v8v7-87fq: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engin
A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1221.
Project0
Déjà vu-lnerability - Project Zero
project_zero·2021-02-01
CVE-2014-9665 Déjà vu-lnerability - Project Zero
A Year in Review of 0-days Exploited In-The-Wild in 2020
Posted by Maddie Stone, Project Zero
2020 was a year full of 0-day exploits. Many of the Internet’s most popular browsers had their moment in the spotlight. Memory corruption is still the name of the game and how the vast majority of detected 0-days are getting in. While we tried new methods of 0-day detection with modest success, 2020 showed us that there is still a long way to go in detecting these 0-day exploits in-the-wild. But what may be the most notable fact is that 25% of the 0-days detected in 2020 are closely related to previously publicly disclosed vulnerabilities. In other words, 1 out of every 4 detected 0-day exploits could potentially have been avoided if a more thorough investigation and patching effort were explor
Project0
Root Cause Analyses for 0-day In-the-Wild Exploits - Project Zero
project_zero·2020-07-01
CVE-2019-1107 Root Cause Analyses for 0-day In-the-Wild Exploits - Project Zero
Posted by Maddie Stone, Project Zero
When a 0-day is exploited in the wild AND it is detected, we need to use that as an opportunity to learn as much as possible about the vulnerability and the exploit if we hope to make 0-day hard. One of the main methods to do that is to perform a root cause analysis (RCA) on the 0-day.
Our effort on this began in earnest in the last quarter of 2019. Today we are beginning to publish the root cause analyses for 0-days exploited in the wild that we have completed. While we’re publishing some in bulk now to play “catch-up”, in the future we plan to post each one in a timely manner after it’s detected and disclosed. We think publishing technical details in a timely manner is important for transparency and so that the whole of the security community can
Project0
Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
project_zero·2020-07-01
CVE-2016-5195 Detection Deficit: A Year in Review of 0-days Used In-The-Wild in 2019 - Project Zero
Posted by Maddie Stone, Project Zero
In May 2019, Project Zero released our tracking spreadsheet for 0-days used “in the wild” and we started a more focused effort on analyzing and learning from these exploits. This is another way Project Zero is trying to make zero-day hard. This blog post synthesizes many of our efforts and what we’ve seen over the last year. We provide a review of what we can learn from 0-day exploits detected as used in the wild in 2019. In conjunction with this blog post, we are also publishing another blog post today about our root cause analysis work that informed the conclusions in this Year in Review. We are also releasing 8 root cause analyses that we have done for in-the-wild 0-days from 2019.
When I had the idea for this “Year in Review” blog post, I immedi
VulnCheck
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
vulncheck·2019·CVSS 7.5
CVE-2019-1367 [HIGH] CWE-787 Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
Microsoft Internet Explorer Scripting Engine Memory Corruption Vulnerability
Microsoft Internet Explorer contains a memory corruption vulnerability in how the scripting engine handles objects in memory. Successful exploitation allows for remote code execution in the context of the current user.
Affected: Microsoft Internet Explorer
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2019-Sep; https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://twitter.com/craiu/status/1176525773869649921; https://go.recordedfuture.com/hubfs/reports/cta-2020-0603.pdf; https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare
Project0
Project Zero RCA: CVE-2020-0674: Internet Explorer use-after-free in JScript
project_zero·CVSS 7.5
CVE-2020-0674 [HIGH] Project Zero RCA: CVE-2020-0674: Internet Explorer use-after-free in JScript
# CVE-2020-0674: Internet Explorer use-after-free in JScript
*Maddie Stone, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-08-05)*
## The Basics
**Disclosure or Patch Date:** 11 February 2020
**Product:** Microsoft Internet Explorer
**Advisory:** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674
**Affected Versions:** For Windows 10 1903/1909, [KB4528760](https://support.microsoft.com/en-us/help/4528760) and previous
**First Patched Version:** For Windows 10 1903/1909, [KB4532693](https://support.microsoft.com/en-us/help/4532693/windows-10-update-kb4532693)
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** Yi Huang([@C0rk1_H](https://twitter.com/C0
Project0
Project Zero RCA: CVE-2020-1380: Internet Explorer JScript9 Use-after-Free
project_zero·CVSS 7.8
CVE-2020-1380 [HIGH] Project Zero RCA: CVE-2020-1380: Internet Explorer JScript9 Use-after-Free
# CVE-2020-1380: Internet Explorer JScript9 Use-after-Free
*Maddie Stone & Samuel Groß, Project Zero (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-08-24)*
## The Basics
**Disclosure or Patch Date:** 11 August 2020
**Product:** Microsoft Internet Explorer
**Advisory:** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1380
**Affected Versions:** For Windows 10 2004, [KB4565503](https://support.microsoft.com/en-us/help/4565503/windows-10-update-kb4565503) and previous
**First Patched Version:** For Windows 10 2004, [KB4566782](https://support.microsoft.com/en-us/help/4566782/windows-10-update-kb4566782)
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Reporter(s):** Boris Larin (
Project0
Project Zero RCA: CVE-2019-1367: Internet Explorer JScript use-after-free
project_zero·CVSS 7.5
CVE-2019-1367 [HIGH] Project Zero RCA: CVE-2019-1367: Internet Explorer JScript use-after-free
# CVE-2019-1367: Internet Explorer JScript use-after-free
*Maddie Stone & Ivan Fratric, Project Zero & Clément Lecigne, Google's Threat Analysis Group (Originally posted on [Project Zero blog](https://googleprojectzero.blogspot.com/p/rca.html) 2020-07-27)*
## The Basics
**Disclosure or Patch Date:** 23 September 2019
**Product:** Microsoft Internet Explorer
**Advisory:** https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367
**Affected Versions:** For Windows 10 1903, [KB4515384](https://support.microsoft.com/en-us/help/4515384) and previous
**First Patched Version:** For Windows 10 1903, [KB4524147](https://support.microsoft.com/en-us/help/4524147/windows-10-update-kb4524147)
**Issue/Bug Report:** N/A
**Patch CL:** N/A
**Bug-Introducing CL:** N/A
**Repo
No detection rules found.
No public exploits indexed.
Trendmicro
Magniber under the microscope
blogs_trendmicro·2023-02-02·CVSS 7.5
[HIGH] Magniber under the microscope
Ransomware
## Magniber under the microscope
Magniber ransomware exploits various vulnerabilities, and although it uses a simpler kill chain than the newer double-extortion ransomware campaigns, it is no less effective. The analysis shows what needs to be done.
By: Trend Micro, Feb 02, 2023
The ransomware was discovered six years ago, yet attackers are still using the malware. In October 2022 there were reports of phishing attacks distributing Magniber ransomware. They used standalone JavaScript files that were digitally signed with a manipulated key and abused the zero-day vulnerability CVE-2022-44698 to bypass Mark-of-the-Web (MOTW) security warnings. So konnten bö
Qualys
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
blogs_qualys·2022-02-23
Managing CISA Known Exploited Vulnerabilities with Qualys VMDR | Qualys
#### Table of Contents
- Situation
- Directive Scope
- CISA Catalog of Known Exploited Vulnerabilities
- Detect CISA Vulnerabilities Using Qualys VMDR
- CISA Exploited RTI
- Detailed Operational Dashboard
- Remediation
- Federal Enterprises and Agencies Can Act Now
- Summary
- Getting Started
CISA released a directive in November 2021, recommending urgent and prioritized remediation of actively exploited vulnerabilities. Both government agencies and corporations should heed this advice. This blog outlines how Qualys Vulnerability Management, Detection & Response can be used by any organization to respond to this directive efficiently and effectively.
## Situation
Last November 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a Binding Operational Directiv
Trendmicro
PurpleFox Using WPAD to Target Indonesian Users
blogs_trendmicro·2021-07-01·CVSS 7.5
[HIGH] PurpleFox Using WPAD to Target Indonesian Users
Cyber Threats
## PurpleFox Using WPAD to Target Indonesian Users
The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users.
By: Trend Micro, Jul 01, 2021
In September 2020, we published a blog describing how the PurpleFox Exploit Kit used Cloudflare services to maintain an infrastructure resilient to blocking and detection attempts. Since then, PurpleFox has been maintaining this strategy while at the same time improving its attack chain by incorporating the latest public vulnerabilities into its arsenal.
Recently, we found that PurpleFox added a very old tactic to increase its delivery performance. This time PurpleFox EK is making use of WPAD domains to infect users. While a WPAD abuse attack is a technique that has
Trendmicro
Purple Fox EK Relies on Cloudflare for Stability
blogs_trendmicro·2020-09-09
Purple Fox EK Relies on Cloudflare for Stability
Exploits & Vulnerabilities
## Purple Fox EK Relies on Cloudflare for Stability
We’ve talked about Purple Fox malware being delivered by the Rig exploit kit. Other researchers later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit. We recently found a spike in the Purple Fox exploit kit with improved delivering tactics.
By: William Gamazo Sanchez, Joseph C Chen, Elliot Cao, Sep 09, 2020
A year ago, we talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit.
We recently found a spike in the Purple Fox exploit kit with improved delivering tactics in our telemetry. Som
Securelist
IT threat evolution Q2 2020
blogs_securelist·2020-09-03
IT threat evolution Q2 2020
Table of Contents
- Targeted attacks
  - PhantomLance: hiding in plain sight
  - Naikon’s Aria
  - COMpfun authors spoof visa application with HTTP status-based Trojan
  - Mind the [air] gap
  - Looking at big threats using code similarity
  - SixLittleMonkeys
- Other malware
  - Loncom packer: from backdoors to Cobalt Strike
  - xHelper: the Trojan matryoshka
  - Spike in RDP brute-force attacks
  - Gaming during the COVID-19 pandemic
  - Rovnix bootkit back in business
  - Web skimming with Google Analytics
  - The Magnitude Exploit Kit
Authors
- David Emm
Related: IT threat evolution Q2 2020. PC statistics; IT threat evolution Q2 2020. Mobile statistics
## Targeted attacks
## PhantomLance: hiding in plain sight
In April, we reported the results of our investigation into a mobile spyware campaign that we call ‘PhantomLance’ . The cam
Securelist
Internet Explorer and Windows zero-day exploits used in Operation PowerFall
blogs_securelist·2020-08-12·CVSS 7.5
[HIGH] Internet Explorer and Windows zero-day exploits used in Operation PowerFall
Authors
- Boris Larin
## Executive summary
In May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for Windows. Unlike a previous full chain that we discovered, used in Operation WizardOpium, the new full chain targeted the latest builds of Windows 10, and our tests demonstrated reliable exploitation of Internet Explorer 11 and Windows 10 build 18363 x64.
On June 8, 2020, we reported our discoveries to Microsoft, and the company confirmed the vulnerabilities. At the time of our report, the security team at Mi
Securelist
Magnitude exploit kit – evolution
blogs_securelist·2020-06-24·CVSS 7.5
[HIGH] Magnitude exploit kit – evolution
Table of Contents
- Introduction
- Infection vector
- Shellcode
- Elevation of privilege exploit
- Ransomware
- Conclusions
Authors
- Boris Larin
Exploit kits are not as widespread as they used to be. In the past, they relied on the use of already patched vulnerabilities. Newer and more secure web browsers with automatic updates simply do not allow known vulnerabilities to be exploited. It was very different back in the heyday of Adobe Flash because it’s just a plugin for a web browser, meaning that even if the user has an up-to-date browser, there’s a non-zero chance that Adobe Flash may still be vulnerable to 1-day exploits. Now that Adobe Flash is about to reach its end-of-life date at the end of this year, it is disabled by default in all web browsers and has pretty much been replaced with o
Securelist
APT trends report Q1 2020
blogs_securelist·2020-04-30
APT trends report Q1 2020
Table of Contents
- COVID-19 APT activity
- Russian-speaking activity
- Chinese-speaking activity
- Middle East
- Southеast Asia and Korean Peninsula
- Other interesting discoveries
- Final thoughts
Authors
- GReAT
For more than two years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, focusing on activities that we observed during Q1 2020.
Readers who would like to lea
Tenable
Microsoft’s February 2020 Patch Tuesday Addresses 99 CVEs Including Internet Explorer Zero-Day (CVE-2020-0674)
blogs_tenable·2020-02-11·CVSS 7.5
[HIGH] Microsoft’s February 2020 Patch Tuesday Addresses 99 CVEs Including Internet Explorer Zero-Day (CVE-2020-0674)
Tenable
CVE-2020-0674: Internet Explorer Remote Code Execution Vulnerability Exploited in the Wild
blogs_tenable·2020-01-20·CVSS 7.5
[HIGH] CVE-2020-0674: Internet Explorer Remote Code Execution Vulnerability Exploited in the Wild
Krebs
Patch Tuesday Lowdown, October 2019 Edition
blogs_krebs·2019-10-09·CVSS 7.5
[HIGH] Patch Tuesday Lowdown, October 2019 Edition
On Tuesday Microsoft issued software updates to fix almost five dozen security problems in Windows and software designed to run on top of it. By most accounts, it’s a relatively light patch batch this month. Here’s a look at the highlights.
Happily, only about 15 percent of the bugs patched this week earned Microsoft’s most dire “critical” rating. Microsoft labels flaws critical when they could be exploited by miscreants or malware to seize control over a vulnerable system without any help from the user.
Also, Adobe has kindly granted us another month’s respite from patching security holes in its Flash Player browser plugin.
Included in this month’s roundup is something Microsoft actually first started shipping in the third week of September, when it released an emergency update to fix a critical Internet Explorer zero-day flaw (CVE-2019-1367) that was being exploited in the wild.
That out-of-band security update for IE caused printer errors for many Microsoft users whose computers applied the emergency update early on, according to Windows update ex
Checkpoint
2nd October – Threat Intelligence Bulletin
blogs_checkpoint·2019-10-02·CVSS 9.8
CVE-2019-16759 [CRITICAL] 2nd October – Threat Intelligence Bulletin
For the latest discoveries in cyber research for the week of 2nd October 2019, please download our Threat Intelligence Bulletin
TOP ATTACKS AND BREACHES
Check Point researchers have identified a targeted and extensive attack against East Asian government entities over the span of 7 months. The attackers, which apparently are members of the Chinese Rancor threat group, used spear-phishing to reach their victims, pretending to send emails from other government offices.
Qualys
Microsoft Released Out-of-Band Security Updates – How to Detect and Remediate
blogs_qualys·2019-09-24·CVSS 7.5
CVE-2019-1367 [HIGH] Microsoft Released Out-of-Band Security Updates – How to Detect and Remediate
Microsoft released an out-of-band update yesterday that fixes two critical vulnerabilities – The Internet Explorer remote code execution vulnerability ( CVE-2019-1367 ) and Microsoft Defender Denial of Service Vulnerability ( CVE-2019-1255 ).
According to the Microsoft advisory CVE-2019-1367, the Internet Explorer scripting engine vulnerability has been exploited in active attacks in the wild. Users are advised to manually update their systems immediately.
UPDATE: Added methods to detect Internet Explorer installs vulnerable to CVE-2019-1367 using only Free Qualys Global IT Asset Inventory, as well as how to patch by CVE with Qualys Patch Management.
## CVE Details
CVE-2019-1367 : A remote code execution vulnerability exists in the way that the scripting engine handles objects in memor
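Added example, not from the Qualys post or Qualys tooling and not code from the original page: a PowerShell check that does locally what the Qualys post says its asset inventory does, namely report whether a host still carries an Internet Explorer build exposed to CVE-2019-1367, and additionally whether the jscript.dll access restriction that Microsoft's advisory listed as a workaround (a Deny ACE for Everyone on the DLL) is in place. The minimum patched jscript.dll version ($MinJscriptVersion) and the KB identifiers ($PatchKBs) are operator-supplied placeholders, assumed here because the page does not state them; the registry path, Get-HotFix, Get-Acl and VersionInfo calls are standard PowerShell.

```powershell
# Added example (not from the page or from Qualys). Reports IE version, jscript.dll
# file versions, whether the Microsoft-documented jscript.dll restriction is applied,
# and which of the operator-supplied KBs are installed. Run elevated on the host.
# ASSUMPTIONS: $MinJscriptVersion and $PatchKBs are placeholders; fill them from the
# Microsoft advisory for the host's OS before trusting the LikelyExposed verdict.
param(
    [version]$MinJscriptVersion = [version]'0.0.0.0',   # ASSUMPTION: patched build from the advisory
    [string[]]$PatchKBs = @()                            # ASSUMPTION: e.g. the out-of-band IE KB for this OS
)

$report = [ordered]@{}

# 1. Is Internet Explorer present, and which version? svcVersion carries the real
#    version on IE 10/11; older builds only populate Version.
$ieKey = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'
if (Test-Path $ieKey) {
    $ie = Get-ItemProperty -Path $ieKey
    $report.IEVersion = if ($ie.svcVersion) { $ie.svcVersion } else { $ie.Version }
} else {
    $report.IEVersion = 'not installed'
}

# 2. Check both copies of the scripting engine: native System32 and, on 64-bit
#    Windows, the 32-bit SysWOW64 copy that 32-bit IE tabs load.
$dlls = @("$env:windir\System32\jscript.dll")
if (Test-Path "$env:windir\SysWOW64\jscript.dll") { $dlls += "$env:windir\SysWOW64\jscript.dll" }

$report.Jscript = foreach ($dll in $dlls) {
    # File version may be unreadable if the Everyone:Deny workaround is already applied,
    # so treat a read failure as "unknown" rather than as "patched".
    $fileVer = $null
    try {
        $vi = (Get-Item $dll -ErrorAction Stop).VersionInfo
        $fileVer = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                                   $vi.FileBuildPart, $vi.FilePrivatePart)
    } catch { }

    # Workaround from Microsoft's advisory: cacls ... /E /P everyone:N, which shows up
    # as a Deny access rule for Everyone on the DLL.
    $acl = Get-Acl -Path $dll
    $denied = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -match 'Everyone'
    }

    [pscustomobject]@{
        Path              = $dll
        FileVersion       = $fileVer
        MeetsMinVersion   = ($null -ne $fileVer -and $fileVer -ge $MinJscriptVersion)
        WorkaroundApplied = [bool]$denied
    }
}

# 3. Installed hotfixes that match the KB list supplied by the operator.
if ($PatchKBs.Count -gt 0) {
    $report.MatchingKBs = @(Get-HotFix | Where-Object { $PatchKBs -contains $_.HotFixID } |
                            Select-Object -ExpandProperty HotFixID)
}

# A copy of jscript.dll that is neither at the patched build nor access-restricted
# leaves the host exposed as long as IE is installed.
$unprotected = @($report.Jscript | Where-Object { -not $_.MeetsMinVersion -and -not $_.WorkaroundApplied })
$report.LikelyExposed = ($report.IEVersion -ne 'not installed') -and ($unprotected.Count -gt 0)

[pscustomobject]$report | Format-List
```

Run it as `.\Check-CVE-2019-1367.ps1 -MinJscriptVersion <build> -PatchKBs KB...` with the values taken from the advisory; with the defaults left in place, every copy of jscript.dll reports MeetsMinVersion as true, so the verdict is only meaningful once the placeholders are filled in. The ACL check matters because a host that applied the cacls workaround instead of the update is mitigated but will still look unpatched to a version-only scanner.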
Tenable
CVE-2019-1367: Critical Internet Explorer Memory Corruption Vulnerability Exploited In The Wild
blogs_tenable·2019-09-23·CVSS 7.5
[HIGH] CVE-2019-1367: Critical Internet Explorer Memory Corruption Vulnerability Exploited In The Wild
Crowdstrike
Magniber Ransomware Caught Using PrintNightmare Vulnerability
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] Magniber Ransomware Caught Using PrintNightmare Vulnerability
Zscaler
Zscaler found Multiple Security Vulnerabilities | 09-10-2019
blogs_zscaler·CVSS 5.5
[MEDIUM] Zscaler found Multiple Security Vulnerabilities | 09-10-2019
- 2019-09-23: Published
- 2021-11-03: Added to CISA KEV
- Exploited in the wild