Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

May 12, 2017 – 4:46 PM

Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, claiming victims all over the world in huge numbers.

The ransomware’s name is WCry, but it is also referenced online under various names, such as WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.

Activity from this ransomware family was almost nonexistent prior to today’s sudden explosion, when the number of victims skyrocketed in a few hours.

Source:
https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

Explained – How Intel AMT Vulnerability Allows to Hack Computers Remotely

May 5, 2017 – 4:35 PM

Earlier this week Intel announced a critical escalation-of-privilege bug that affects the remote management features shipping with Intel server chipsets for the past 7 years, which, if exploited, would allow a remote attacker to take control of vulnerable PCs, laptops, or servers.

The vulnerability, labeled CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) software, versions 6 through 11.6.

The flaw was originally discovered by Maksim Malyutin, a member of the Embedi research team, in mid-February, who then responsibly disclosed it to the Intel security team.

My previous article, published earlier this week, was based on the partial information shared by Maksim with The Hacker News; because the reported Intel AMT vulnerability was highly critical and could be exploited remotely, Embedi withheld technical details until most sysadmins had updated their systems with patched firmware.

Today, the Embedi research team has disclosed complete technical details about the critical vulnerability, and I have compiled this piece explaining:

  • What is Intel AMT technology?
  • Where does the Intel AMT vulnerability reside?
  • How can an attacker exploit the Intel AMT vulnerability?

Source:
https://thehackernews.com/2017/05/intel-amt-vulnerability.html

Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

April 15, 2017 – 7:05 PM

There is a phishing attack that is receiving much attention today in the security community.

As a reminder: A phishing attack is when an attacker sends you an email that contains a link to a malicious website. You click on the link because it appears to be trusted. Merely visiting the website may infect your computer or you may be tricked into signing into the malicious site with credentials from a site you trust. The attacker then has access to your username, password and any other sensitive information they can trick you into providing.

This variant of a phishing attack uses Unicode to register domains that look identical to real domains. These fake domains can be used in phishing attacks to fool users into signing into a fake website, thereby handing over their login credentials to an attacker.

This affects the current version of Chrome browser, which is version 57.0.2987 and the current version of Firefox, which is version 52.0.2. This does not affect Internet Explorer or Safari browsers.

We created our own example to demonstrate how an attacker can register their own domain that looks identical to another company’s domain in the browser. We decided to imitate a healthcare site called ‘epic.com’ by registering our own fake site. You can visit our demo site here in Chrome or Firefox. For comparison you can click here to visit the real epic.com.
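As an added example (not code from the Wordfence post), a small Python check that inspects a hostname the way a user sees it, flags labels that contain non-ASCII characters or mix Unicode scripts, and shows the punycode form that is actually resolved; the Cyrillic lookalike of epic.com below is constructed here for illustration.

```python
import unicodedata
from urllib.parse import urlsplit


def label_scripts(label):
    """Return the set of Unicode scripts used by the letters of one DNS label.

    The script is taken from the first word of each character's Unicode name
    (e.g. 'CYRILLIC SMALL LETTER IE' -> 'CYRILLIC'); digits and hyphens are ignored.
    """
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def analyze_host(host):
    """Report homograph risk for a hostname as displayed to the user.

    Returns the normalized host, its punycode (xn--) form, and the reasons
    it was flagged. A label is flagged if it is non-ASCII at all, and
    additionally if it mixes scripts (e.g. Cyrillic letters among Latin ones).
    """
    host = unicodedata.normalize("NFC", host).lower().rstrip(".")
    reasons = []
    for label in host.split("."):
        if label and not label.isascii():
            reasons.append(f"label {label!r} uses non-ASCII characters")
            scripts = label_scripts(label)
            if len(scripts) > 1:
                reasons.append(f"label {label!r} mixes scripts: {sorted(scripts)}")
    try:
        # The xn-- form is what goes on the wire; it never looks like epic.com.
        punycode = host.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
        reasons.append("hostname is not a valid IDN")
    return {"host": host, "punycode": punycode,
            "suspicious": bool(reasons), "reasons": reasons}


def analyze_url(url):
    """Convenience wrapper: extract the hostname from a URL and analyze it."""
    return analyze_host(urlsplit(url).hostname or "")


if __name__ == "__main__":
    # Constructed sample: Latin 'epic.com' with the first letter swapped for
    # Cyrillic 'е' (U+0435), which renders identically in many fonts.
    for sample in ("epic.com", "\u0435pic.com"):
        print(analyze_host(sample))
```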

Source:
https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

Most of the Shadow Brokers exploits are already patched

April 15, 2017 – 10:53 AM

This is getting a ton of press lately, but here is Microsoft’s response to the latest leaks:

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.

Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

Source:
https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/

Booby-trapped Word documents in the wild exploit critical Microsoft 0day

April 8, 2017 – 5:03 PM

There’s a new zeroday attack in the wild that’s surreptitiously installing malware on fully-patched computers. It does so by exploiting a vulnerability in most or all versions of Microsoft Word.

The attack starts with an e-mail that attaches a malicious Word document, according to a blog post published Saturday by researchers from security firm FireEye. Once opened, exploit code concealed inside the document connects to an attacker-controlled server. It downloads a malicious HTML application file that’s disguised to look like a document created in Microsoft’s Rich Text Format. Behind the scenes, the .hta file downloads additional payloads from “different well-known malware families.”

The attack is notable for several reasons. First, it bypasses most exploit mitigations: This capability allows it to work even against Windows 10, which security experts widely agree is Microsoft’s most secure operating system to date. Second, unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn’t require targets to enable macros. Last, before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.

The zeroday attacks were first reported Friday evening by researchers from security firm McAfee.

Source:
https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/
