7.8
CVSSv3

CVE-2017-11882

Published: 15/11/2017 Updated: 16/03/2021
CVSS v2 Base Score: 9.3 | Impact Score: 10 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 1000
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Summary

Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow a malicious user to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.

Vulnerable Products

microsoft office 2013

microsoft office 2010

microsoft office 2016

microsoft office 2007

Exploits

Source: github.com/embedi/CVE-2017-11882 CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patchblo ...

Mailing Lists

This Metasploit module exploits a flaw in how the Equation Editor handles OLE objects in memory to execute arbitrary code using RTF files without interaction ...

Metasploit Modules

Microsoft Office CVE-2017-11882

This module exploits a flaw in how the Equation Editor handles OLE objects in memory, which allows an attacker to execute arbitrary code via RTF files without user interaction. The vulnerability is caused by the Equation Editor failing to properly handle OLE objects in memory.

msf > use exploit/windows/fileformat/office_ms17_11882
msf exploit(office_ms17_11882) > show targets
    ...targets...
msf exploit(office_ms17_11882) > set TARGET <target-id>
msf exploit(office_ms17_11882) > show options
    ...show and set options...
msf exploit(office_ms17_11882) > exploit

Github Repositories

Microsoft Office Memory Corruption Vulnerability CVE-2017-11882. March 25, 2019. Shannon and Iman. Outline: Background; Vulnerability; How does it work?; Uses; Violations; How was it fixed? (solutions); What the patch does; Example. Background: The code for Equation Editor was compiled in 2000 and was used in subsequent versions of Word. It is run as a separate process and an attacker can

CVE-2017-11882

ABC. CVE-2017-11882: Invoke-Mimikatz goo.gl/urb92R; Calc.exe goo.gl/qTqqE4

CVE-2017-11882. 43b: original script from github.com/embedi/CVE-2017-11882. 109b: original script from github.com/unamer/CVE-2017-11882/ (respect, unamer's code can now execute shellcode~). CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11

CVE-2017-11882 analyse notebook

IDB_Share CVE-2017-11882 analysis notebook. Found an 11882 format-overflow document with a rather unusual exploitation technique; the dropped payload is also interesting, with many hard-coded API addresses and encrypted/decrypted strings that make static analysis harder. Part of the IDBs are published here for readers. shellcode.idb is for IDA Pro 6.8; the other two IDBs are for IDA Pro 6.95.

CactusPete APT group's updated Bisonal backdoor. Kaspersky, 2020-08-13T10:00:09+00:00. A new CactusPete campaign shows that the group's favored types of target remain the same. The victims of the new variant of the Bisonal backdoor were from financial and military sectors located in Eastern Europe. securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/9

Tool to decode the encoded Shellcode of this type found in office documents

EquationEditorShellCodeDecoder: tool to decode the encoded shellcode of this type found in Office documents. See the blog post for how to use it: pcsxcetrasupport3.wordpress.com/2019/05/22/a-deeper-look-at-equation-editor-cve-2017-11882-with-encoded-shellcode/. I also have decoding notes for this sample in the 7-Zip file. The password is the standard 'infected', just in cas

DeltaFlare. Description: this repository contains a matrix of references on legitimate software abused by threat actors, for hunting by reused TTPs. Objectives: this matrix aims to help attribute activity to a threat actor that abuses a legitimate software again for its operations, or to hunt that activity in public sandboxes by checking new submissions. This

IOC (Indicators of Compromise) source crawler

IOC (Indicators of Compromise) source crawler. IOCs (hashes, IP addresses, domain names, ...) are collected from internal groups up to organizations, or possibly from third-party providers. This kind of search is mostly passive, but it brings some benefits in

Simple Overflow demo, like CVE-2017-11882 exp

Overflow-Demo-CVE-2017-11882: simple overflow demo by strcpy of a text string, like the CVE-2017-11882 exploit. Build: build with Visual Studio 2017 (2019 works too; 2015 does not). Project settings: C/C++ > Optimization > Optimization: Maximum Optimization (Favor Size) (/O1); Favor Size or Speed: Favor small code (/Os). Who

CVE-2017-11882 File Generator PoC

CVE-2017-11882: a remote code execution vulnerability exists in Microsoft Office software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. 2017-11882_Generator: this is a PoC re-edited from the original one made by Embedi, to generate a single file rt

cve-2017-11882

CVE-2017-11882 from https://github.com/embedi/CVE-2017-11882

Microsoft Office Memory Corruption (CVE-2017-11882). Background. Age: 17-year-old vulnerability. What is it: run arbitrary code remotely without user interaction. Why it works: buffer overflow vulnerability inside the Equation Editor (EQNEDT32.EXE). Who has been affected: users who installed Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 201

Malware samples and other artifacts

Malware Samples: this repository is intended to provide access to a wide variety of malicious files and other artifacts. Please keep in mind that most of these samples will not be archived or password protected. For those that are, consult the additional README, but the standard password 'infected' will be used. Summary of Samples: 2020-11-07: Maldoc temp

Proof-of-Concept exploits for CVE-2017-11882

CVE-2017-11882. CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru/2017/11/did-microsoft-just-manually-patch-the

some links gathering about penetration

Table of contents: PentestInfo. 0X01 Information Gathering: IP and DNS, Information leakage. 0X02 Denial of Service. 0X03 Scan: Identify Tools for Overall Scan, Web Applications Scan Tools. 0X04 Fuzz and Password. 0X05 Password crack. 0X06 System Vulnerability. 0X07 Web Relevant: Online Website. 0X08 Existing Vulnerability Finding. 0X09 Cheatsheet. 0X10 Webshell and Payload. 0X11 Code R

YesWeHack BugTracker

ywh2bt: ywh2bt is a tool to integrate your bug tracking system(s) with the YesWeHack platform. It automatically creates issues in your bug tracking system for all your program's reports, and adds to the concerned reports the link to the issue. This tool requires you to have the "Use Apps API" right on the YesWeHack platform, and a custom HTTP header value to put in your configu

MalDoc-Parser: a command line application that performs an extensive static analysis on Office documents. Although there are plenty of awesome tools for maldocs out there, I wanted to write a tool myself as part of studying maldocs: a tool that can handle all Office formats. Feed it an Office document and it will determine the format by itself and parse it. The script currentl

CAUTION!! This repo includes malware, so be careful!!!!! Anti-Any.Run malware in the wild. I read this article and wondered how this malware detects the Any.Run environment, so I analyzed it. Scenario: the maldoc exploits Microsoft Equation Editor via CVE-2017-11882 and executes a PowerShell script (original/ps.ps1; the de-obfuscated one is powershells/downloader.ps1). Then it downloads two files (

SophosLabs-Intelix: in order to use the basic functionality of the SophosLabs Intelix API, we have developed a tool that allows static or dynamic analysis of files. In other words, it serves to examine and identify malicious Android applications. It consists of scanning a hash or a file and producing a JSON file that includes the analysis results. Authors: -Script Au

CVE-2017-11882 is the vulnerability identifier for Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 failing to properly handle objects in memory, which allows an attacker to run code in the context of the current user, the so-called "Microsoft Office Memory c…

SignHere. Introduction: CVE-2017-11882 is the vulnerability identifier for Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 failing to properly handle objects in memory, which allows an attacker to run code in the context of the current user, the so-called "Microsoft Office Memory corrupt

APT Analysis Report,fighting!

APT-Analysis-Report: APT Analysis Report, fighting! APT-C-09. [1] CSDN: APT attack detection, attribution and attack cases of common APT groups [EB/OL] (2020-05-11) blog.csdn.net/Eastmount/article/details/106009460 [2] FreeBuf: Technical disclosure of the OceanLotus APT group's attack activity against China in Q1 2019 [EB/OL] (2019-04-26) www.freebuf.com/articles/network/201940.html [3]

Osiris Tactical+ Intelligence Report. Analyst Checklist; Identification; Osiris Artifacts; Osiris Overview. Osiris is the Egyptian god of rebirth. Osiris is an extremely stealthy banking trojan targeting victims in Poland, Germany and Japan. It has been retooled from the old banking trojan named Kronos "that was discovered in late 2014". The new Osiris, using uncommon te

CVE-2017-11882 exploitation

CVE-2017-11882. Article link: The Office remote code execution vulnerability hidden for 17 years (CVE-2017-11882) www.cnblogs.com/Hi-blog/p/7878054.html

Empire Port of CVE-2017-11882

CVE-2017-11882: Empire port of CVE-2017-11882. Code shifted to another parent repository. Redirect?

CVE-2017-11882 Exploit accepts commands/code up to over 17k bytes long.

CVE-2017-11882 Exploit: CVE-2017-11882 Exploit accepts commands/code up to over 17k bytes long. For remote command execution, this exploit calls WinExec with SW_HIDE and calls ExitProcess after WinExec returns. For remote code execution, this exploit just jumps to the code. I cannot find a reference for the object structure, so I cannot change the file length for arbitrary lengt

CVE-2017-11882: original script from github.com/embedi/CVE-2017-11882. CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/ MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru

Malware Samples: this repository is intended to provide access to a wide variety of malicious files and other artifacts. All of the samples are in a password protected ZIP archive using a password of: infected. Malware Analysis Exercises: in addition to providing artifacts from samples, I will regularly post malware analysis exercises. These exercises will cover a wide range of

Research-Exploit-Office. Reference: www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8570-rtf-and-the-sisfader-rat/ tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f success.trendmicro.com/solution/1123612-cve-2017-8570-vulnerability-downloads-high-profile-malware whitehat.vn/threads/microsoft-ph

Vulnerability analysis

Vulnerability-analysis: vulnerability analysis. MSCOMCTL.OCX RCE vulnerability - CVE-2012-0158. CVE-2017-11882 document-based vulnerability.

Extract OLEv1 objects from RTF files by instrumenting Word

Introduction: rtfraptor is a simple tool to aid analysis of malicious RTF files by extracting OLEv1 objects. It was inspired by a blog post by Denis O'Brien (link below). It works by running Word and intercepting calls to OLEv1 functions. This allows raw OLE objects to be dumped from memory for further analysis. The tool is designed to be run on Windows. This is useful f

CVE-2018-0802. CVE-2018-0802: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802 MITRE CVE-2018-0802: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0802 0patch exploitation and patch video: www.youtube.com/watch?v=XU-U4K270Z4 Qihoo 360 blog post: www.freebuf.com/vuls/159789.html Checkpoint blog (brute-force ASLR by

RTF_11882_0802. CVE-2017-11882. CVE-2017-11882: portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882 MITRE CVE-2017-11882: cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11882 Research: embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about Patch analysis: 0patch.blogspot.ru/2017/11/did-microsoft-just-man

- Article notes. 1. 00 truncation analysis. 2. Using Excel 4.0 macros to execute arbitrary commands. 3. The correct way to use the IIS6 WebDAV remote code execution vulnerability (CVE-2017-7269). 4. Analysis of a Redis unauthorized write attack and a study of Redis 4.x RCE. 5. Analysis of the reGeorg workflow (using PHP as the example). 6. A brief analysis of the Kerberos authentication process and golden and silver tickets. 7. JSONP hijacking principles and discovery methods. 8. In PHPINFO

CVE-2017-11882 Study. Student Name: Peiran Sun, Yufeng Ge. Date: 2022220. Intro: Today we are going to talk about a vulnerability that has affected everyone who uses Microsoft Office for almost two decades. When you opened a Microsoft Office file, have you ever noticed this annoying warning? I always wondered how a file that displays only text and pictures, maybe sometimes video, could be harmin

CVE-OTX Lookup. About The Project: a simple script to query AlienVault OTX for CVE information. Specifically, we're looking to learn if any given CVE has an existing exploit and if it has been exploited in the wild. This is intended as a backup method of enriching vulnerability report data from TA. Requirements: CVE-OTX Lookup uses AlienVault's OTX Python SDK (distributed

2018-2020 young security community: active technical bloggers/blogs

Security-Data-Analysis-and-Visualization. 2018-2020 young security community: active technical bloggers/blogs. Statement: all data comes from, and only from, public information, with no personal prior knowledge added; if you have any objection, please contact root@4o4notfound.org promptly. This data is published so that everyone can learn faster and better together; please do not abuse it, and I take no responsibility for any problems arising from it.

Red Teaming/Adversary Simulation Toolkit: a collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagements. If you want to contribute to this list, send me a pull request. Contents: Reconnaissance; Weaponization; Delivery; Command and Control; Lateral Movement; Establish Foothold; Escalate Privileges; Data Exfil

CyberSift-Alerts: a repository containing documentation on alerts generated by CyberSift. Table Of Contents: SWIFT Abnormal Login Privileges; SWIFT Abnormal Login Source; SWIFT Abnormal Login Time; SWIFT Rare Event; Windows Context Addition; Windows Logon Events; FileDeletion; Sysmon CACTUSTORCH Remote Thread Creation; CMSTP Execution; CobaltStrike Process Injection; DHCP Cal

Red-Team-OPS-Modern-Adversary: a source of information, training, completely free material as well as open source and commercial tools that will help you in the training and execution of Red Team operations and adversary simulations. This repository seeks to help prepare and support the community in the need for free knowledge. If you want to contribute to this cause, send us a

Pentesting Pratic Notes (Cheatsheet). File detect and extractor: file targetFile; strings targetFile | grep flag; strings -o targetFile; strings -a targetFile; strings -t d targetFile; strings -f targetFile; strings targetFile | more; more targetFile; binwalk targetFile; binwalk -e targetFile; binwalk -e -c targetFile; binwalk --dd='*' targetFile; unzip targetFile; fcrackzip

Awesome CSIRT is a curated list of links and resources in security and CSIRT daily activities.

CSIRT. *Please contribute through pull requests ;) Another great list: awesome-incident-response. Books: Nice list here by CertBR; Practical Cryptography for Developers, github; The Book of Secret Knowledge; Security Engineering — Third Edition; The Cyber Plumber's Handbook. Links: FIRST; CertBR - useful links; 7º Fórum Brasileiro de CSIRTs; 9º Fó

office-exploits: this repository maintains the currently known MS Office vulnerabilities; pull requests are welcome. Vulnerability list: CVE-2017-8570, CVE-2017-8759, CVE-2017-11882, CVE-2018-0802, DDEAUTO, other ways of executing commands via injection, other vulnerabilities. The following vulnerabilities have not been tested yet: CVE-2017-0199. thom-s/docx-embeddedhtml-injection - This PowerShell script exploits a known vulnerability in Word 2016 docum

Statistics of hacks in the blockchain ecosystem

Statistics of hacks in the blockchain ecosystem. Reference sources: EOS fake deposit (hard_fail status attack) red alert, details disclosure and fix: paper.seebug.org/853/. Collection of tools for the different penetration-testing phases. Reconnaissance phase, active intelligence gathering: EyeWitness: can take website screenshots, provide some server header information, and identify default credentials where possible. github.com/ChrisTruncer/

Red Team Tool Kit

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab the majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25+Gb. Install Guide: apt -y install git apache2 python-requests libapache2-mod-php python-pymssql build-essential python-pexpect python-pefile python-crypto python-openssl libssl1.0-dev libffi-dev

Red Teaming/Adversary Simulation Toolkit: a collection of open source and commercial tools that aid in red team operations. This repository will help you during red team engagements. Contents: Reconnaissance; Weaponization; Delivery; Command and Control; Lateral Movement; Establish Foothold; Escalate Privileges; Data Exfiltration; Misc; References. Reconnaissance: Active Intelligence Gathe

This tool kit is very much influenced by infosecn1nja's kit. Use this script to grab the majority of the repos. NOTE: hard coded in /opt and made for Kali Linux. Total Size (so far): 25G. Contents: Reconnaissance; Weaponization; Delivery; Command and Control; Lateral Movement; Establish Foothold; Escalate Privileges; Data Exfiltration; Misc; References. Reconnaissance: Active Intelligenc

Security Notes. Palo Alto Networks has world-renowned experts supporting threat research efforts across the company. The completely in-house team focuses on quickly identifying, analyzing, and creating protections for attacks as they emerge—building and enhancing the automated prevention enforced through our Security Operating Platform. The team is comprised of: Threat e

ADVERSARY EMULATION MATRIX by Joas. What is it? Adversary emulation is a type of red team engagement that mimics a known threat to an organization by blending in threat intelligence to define what actions and behaviors the red team uses. This is what makes adversary emulation different from penetration testing and other forms of red teaming. Adversary emulators construct a scenario

All collection projects. RAT: 250+ open-source RAT/C&C tools, 1200+ RAT analysis reports, C&C related articles, etc. English Version. Contents. Open-source tools: pupy -> (1) tool, (6) articles; Covenant -> (3) tools, (18) articles; Slackor -> (1) tool, (3) articles; QuasarRAT -> (1) tool, (9) articles; EvilOSX -> (1) tool, (9) articles; Merlin -> (1) tool

APT & CyberCriminal Campaign Collection. This is a collection of APT and CyberCriminal campaigns. Please file an issue if any APT/malware events/campaigns are missing. The password of malware samples could be 'virus' or 'infected'. URL to PDF Tool: Print Friendly & PDF. Reference Resources: kbandla APTnotes; Florian Roth - APT Groups; Attack Wiki; thr

This repository has all the best of the best RATs the world has ever seen

List of all the notorious RATs. RAT bins by Qirit0. 2500+ open source RAT/C&C tools, 1200+ blogs and videos about RAT/C&C analysis. Directory: Popular Tools: pupy -> (1) Tools (6) Posts; Covenant -> (3) Tools (18) Posts; Slackor -> (1) Tools (3) Posts; QuasarRAT -> (1) Tools (9) Posts; EvilOSX -> (1) Tools (9) Posts; Merlin -> (1) Tool

Content from the WeChat official account 关注安全技术. Pentest_Note. Statement 1: In accordance with the Cybersecurity Law of the People's Republic of China and related regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; nor may they provide programs or tools specifically intended for intruding into networks, interfering with normal network functions and protective measures, or stealing

Resources About Shellcode

All-collections project: Shellcode. Shellcode-related resources, 150+ tools, 500+ articles. English Version. Directory: Development && Writing: shellen -> (1) tool (2) articles; Exploit development -> (1) tool (13) articles; Encoding && Decoding -> (9) tools (14) articles; (9) tools (56) articles; Launching && Loading && Injection &&

Author: 小y. WeChat official account: 关注安全技术. Wiki: wwwheresecuritywiki/. Pentest_Note. Feel free to repost, just remember to credit the source. Statement 1: In accordance with the Cybersecurity Law of the People's Republic of China and related regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; nor may they provide programs or tools specifically intended for

Task 1. Vulnerability management. I think there is no point in explaining what a vulnerability is, so straight to the point. Vulnerability management is a cyclical process aimed at detecting and classifying vu

Author: 小y. WeChat official account: 关注安全技术. Pentest_Note. Put together out of boredom at home; will be updated gradually. Information gathering: Whois; website IP; whether a CDN is in front; common ways to bypass a CDN; historical IPs of the domain; website architecture / server fingerprint / CMS identification / container; subdomains; the official demo site of the CMS the website uses; SSL certificate information; historical DNS resolution records; other sites on the same server; sites with the same architecture or source code; website JS

Trillium-Security-MultiSploit-Tool-v6521-Full: TDS - Security Account Manager.dll; TDS - Security Batch and Command File Exploit Generator.dll; TDS - Security CHM [Help-File] Exploit Generator.dll; TDS - Security EDGE Exploit Generator.dll; TDS - Security Encrypter and Decrypter.dll; TDS - Security Internet Explorer Exploit Generator.dll; TDS - Security Internet-Locati

Source: WeChat official account 关注安全技术. This project is intended for quick reference. Attack_Notes. Statement 1: In accordance with the Cybersecurity Law of the People's Republic of China and related regulations, no individual or organization may engage in activities that endanger network security, such as illegally intruding into others' networks, interfering with the normal functioning of others' networks, or stealing network data; nor may they provide programs or tools specifically intended for intruding into networks, interfering with normal network functions

Exploit Development Table of Contents General Stuff/Techniques Acquiring Old/Vulnerable Software Practice Exploit Dev/Structured Learning Exploit Dev Papers bof ROP BlindROP SignalROP JumpROP Heap Format String Integer Overflows Null Ptr Dereference JIT-Spray ASLR Kernel Exploitation Use After Free Other writing shellcode Windows Specific Linux specific Tutorials AV B

Recent Articles

IT threat evolution in Q1 2022. Non-mobile statistics
Securelist • AMR • 27 May 2022

IT threat evolution in Q1 2022
IT threat evolution in Q1 2022. Non-mobile statistics
IT threat evolution in Q1 2022. Mobile statistics

These statistics are based on detection verdicts of Kaspersky products and services received from users who consented to providing statistical data.
Quarterly figures
According to Kaspersky Security Network, in Q1 2022:

Kaspersky solutions blocked 1,216,350,437 attacks from online resources across the globe.
...

Snake Keylogger Spreads Through Malicious PDFs
Threatpost • Elizabeth Montalbano • 23 May 2022

While most malicious e-mail campaigns use Word documents to hide and spread malware, a recently discovered campaign uses a malicious PDF file and a 22-year-old Office bug to propagate the Snake Keylogger malware, researchers have found.
The campaign—discovered by researchers at HP Wolf Security—aims to dupe victims with an attached PDF file purporting to have information about a remittance payment, according to a blog post published Friday. Instead, it loads the info-stealing malware, ...

PDF smuggles Microsoft Word doc to drop Snake Keylogger malware
BleepingComputer • Bill Toulas • 22 May 2022

Threat analysts have discovered a recent malware distribution campaign using PDF attachments to smuggle malicious Word documents that infect users with malware.
The choice of PDFs is unusual, as most malicious emails today arrive with DOCX or XLS attachments laced with malware-loading macro code.
However, as people become more educated about opening malicious Microsoft Office attachments, threat actors switch to other methods to deploy malicious macros and evade detection.
In a...

Bitter cyberspies target South Asian govts with new malware
BleepingComputer • Bill Toulas • 11 May 2022

New activity has been observed from Bitter, an APT group focused on cyberespionage, targeting the government of Bangladesh with new malware with remote file execution capabilities.
The campaign has been underway since at least August 2021 and constitutes a typical example of the targeting scope of Bitter, which remains unchanged since 2013.
The discovery and details of this campaign come from threat analysts at Cisco Talos, who shared their report with BleepingComputer.
Cisco T...

Cyberespionage APT Now Identified as Three Separate Actors
Threatpost • Elizabeth Montalbano • 29 Apr 2022

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities is actually comprised of three subgroups, all with their own toolsets and targets, that have been operating globally since 2018, researchers have found.
TA410 is a cyberespionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Mid...

APT trends report Q1 2022
Securelist • GReAT • 27 Apr 2022

For five years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. These summaries are based on our threat intelligence research; and they provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.
This is our latest installment, fo...

Spam and phishing in 2021
Securelist • Tatyana Kulikova • 09 Feb 2022

Figures of the year
In 2021:

56% of e-mails were spam
77% of spam was sent from Russia with another 14.12% from Germany
Our Mail Anti-Virus blocked 148 173 261 malicious attachments sent in e-mails
The most common malware family found in attachments were Agensla Trojans
Our Anti-Phishing system blocked 253 365 212 phishing links
Safe Messaging blocked 341 954 attempts to follow phishing links in messengers

Tre...

DoNot Go! Do not respawn!
welivesecurity • 18 Jan 2022

Donot Team (also known as APT-C-35 and SectorE02) is a threat actor operating since at least 2016 and known for targeting organizations and individuals in South Asia with Windows and Android malware. A recent report by Amnesty International links the group’s malware to an Indian cybersecurity company that may be selling the spyware or offering a hackers-for-hire service to governments of the region.
We have been closely following the activities of Donot Team, and have traced several camp...

Geriatric Microsoft Bug Exploited by APT Using Commodity RATs
Threatpost • Elizabeth Montalbano • 20 Oct 2021

An APT described as a “lone wolf” is exploiting a decades-old Microsoft Office flaw to deliver a barrage of commodity RATs to organizations in India and Afghanistan, researchers have found.
Attackers use political and government-themed malicious domains as lures in the campaign, which targets mobile devices with out-of-the-box RATs such as dcRAT and QuasarRAT for Windows and AndroidRAT. They’re delivering the RATs in malicious documents by exploiting CVE-2017-11882, according to a re...

Windows Zero-Day Actively Exploited in Widespread Espionage Campaign
Threatpost • Tara Seals • 12 Oct 2021

Researchers have discovered a zero-day exploit for Microsoft Windows that was being used to elevate privileges and take over Windows servers as part of a Chinese-speaking advanced persistent threat (APT) espionage campaign this summer. The exploit chain ended with a freshly discovered remote access trojan (RAT) dubbed MysterySnail being installed on compromised servers, with the goal of stealing data.
Microsoft patched the bug (CVE-2021-40449) as part of its October Patch Tuesday updates, ...

Patch now? Why enterprise exploits are still partying like it's 1999
The Register • Davey Winder • 08 Sep 2021

Am I only dreaming, or is this burning an Eternal Blue?

Some vulnerabilities remain unreported for the longest time. The 12-year-old Dell SupportAssist remote code execution (RCE) flaw – which was finally unearthed earlier this year – would be one example.
Others, however, have not only been long since reported and had patches released, but continue to pose a threat to enterprises. A joint advisory from the National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), published in late July, liste...

CISA’s Top 30 Bugs: One’s Old Enough to Buy Beer
Threatpost • Lisa Vaas • 29 Jul 2021

In a perfect world, CISA would laminate cards with the year’s top 30 vulnerabilities: You could whip it out and ask a business if they’ve bandaged these specific wounds before you hand over your cash.
This is not a perfect world. There are no laminated vulnerability cards.
But at least we have the list: In a joint advisory (PDF) published Wednesday, the FBI and Cybersecurity and Infrastructure Security Agency (CISA), the Australian Cyber Security Center, and the UK’s National C...

MITRE updates list of top 25 most dangerous software bugs
BleepingComputer • Sergiu Gatlan • 22 Jul 2021

MITRE has shared this year's top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years.
Software weaknesses are flaws, bugs, vulnerabilities, and various other types of errors impacting a software solution's code, architecture, implementation, or design, potentially exposing systems it's running on to attacks.
MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the Nationa...

Top CVEs Trending with Cybercriminals
Threatpost • Becky Bracken • 16 Jul 2021

Criminal small talk in underground forums offers critical clues about which known Common Vulnerabilities and Exposures (CVEs) threat actors are most focused on. This, in turn, offers defenders clues on what to watch out for.
An analysis of such chatter, by Cognyte, examined 15 cybercrime forums between Jan. 2020 and March 2021. In its report, researchers highlight what CVEs are the most frequently mentioned and try to determine where attackers might strike next.
“Our findings reveal...

Agent Tesla RAT Returns in COVID-19 Vax Phish
Threatpost • Tara Seals • 21 Jun 2021

The Agent Tesla remote access trojan (RAT) is scurrying around the internet again, this time arriving via a phishing campaign that uses a COVID-19 vaccination schedule as a lure.
Spotted by researchers at the Bitdefender Antispam Lab, the attackers are targeting Windows machines using emails with malicious attachments. The body of the mails takes a business-email approach and asks recipients to review an “issue” with vaccination registration.
“Attached herewith is the revised cir...

Novel ‘Victory’ Backdoor Spotted in Chinese APT Campaign
Threatpost • Tara Seals • 07 Jun 2021

An ongoing surveillance operation has been uncovered that targets a Southeast Asian government, researchers said – using a previously unknown espionage malware.
According to Check Point Research, the attack involves spear-phishing emails with malicious Word documents to gain initial access, along with the exploitation of older, known Microsoft Office security vulnerabilities. But most notable, researchers said, is the novel backdoor, which they said has been in development by a Chinese A...

Bait Boost: Phishers Delivering Increasingly Convincing Lures
Threatpost • Becky Bracken • 04 May 2021

Innovative twists on banking scams and corporate-account hunters wielding increasingly clever lures, including those with COVID-19 vaccine promises, are likely to dominate the spam and phishing landscape throughout Q2 2021, according to researchers.
And although no new wild trends have emerged, Kaspersky researchers, who just released their report for Q1 2021, said that the spear-phishing tactics attackers are using against victims are getting better.
For instance, mobile banking sca...

PortDoor Espionage Malware Takes Aim at Russian Defense Sector
Threatpost • Tara Seals • 30 Apr 2021

A previously undocumented backdoor malware, dubbed PortDoor, is being used by a probable Chinese advanced persistent threat actor (APT) to target the Russian defense sector, according to researchers.
The Cybereason Nocturnus Team observed the cybercriminals specifically going after the Rubin Design Bureau, which designs submarines for the Russian Federation’s Navy. The initial target of the attack was a general director there named Igor Vladimirovich, researchers said, who received a phi...

Android Devices Hunted by LodaRAT Windows Malware
Threatpost • Lindsey O'Donnell • 09 Feb 2021

A newly discovered variant of the LodaRAT malware, which has historically targeted Windows devices, is being distributed in an ongoing campaign that now also hunts down Android devices and spies on victims.
Along with this, an updated version of LodaRAT for Windows has also been identified; both versions were seen in a recent campaign targeting Bangladesh, researchers said.
The campaign reflects an overarching shift in strategy for LodaRAT’s developers, as the attack appears to be ...

SideWinder APT Targets Nepal, Afghanistan in Wide-Ranging Spy Campaign
Threatpost • Tara Seals • 09 Dec 2020

The SideWinder advanced persistent threat (APT) group has mounted a fresh phishing and malware initiative, using recent territory disputes between China, India, Nepal and Pakistan as lures. The goal is to gather sensitive information from its targets, mainly located in Nepal and Afghanistan.
According to an analysis, SideWinder typically targets victims in South Asia and surroundings – and this latest campaign is no exception. The targets here include multiple government and military uni...

IT threat evolution Q3 2020. Non-mobile statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Oleg Kupreev, Evgeny Lopatin, Alexey Kulaev, Alexander Kolesnikov • 20 Nov 2020

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network, in Q3:
In Q3 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 146,761 users.

Spam and phishing in Q3 2020
Securelist • Tatyana Kulikova, Tatyana Sidorina • 12 Nov 2020

These days, many companies distribute marketing newsletters via online platforms. In terms of capabilities, such platforms are quite diverse: they send out advertising and informational messages, harvest statistics (for example, about clicked links in emails), and the like. At the same time, such services attract both spammers, who use them to send their own mailings, and cybercriminals, who try to gain access to user accounts, usually through phishing. As a result, attackers also get their hand...

CISA: LokiBot Stealer Storms Into a Resurgence
Threatpost • Tara Seals • 23 Sep 2020

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that the LokiBot info-stealing trojan is seeing a surge across the enterprise landscape.
The uptick started in July, according to the agency, and activity has remained “persistent” ever since.
LokiBot targets Windows and Android endpoints, and spreads mainly through email (but also via malicious websites, texts and messaging). It typically goes after credentials (usernames, passwords, cryptocurrency walle...

IT threat evolution Q2 2020. PC statistics
Securelist • Victor Chebyshev, Evgeny Lopatin, Fedor Sinitsyn, Denis Parinov, Oleg Kupreev, Alexey Kulaev, Alexander Kolesnikov • 03 Sep 2020

IT threat evolution Q2 2020. Review
IT threat evolution Q2 2020. Mobile statistics
These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network, in Q2:
In Q2 2020, Kaspersky solutions blocked attempts to launch one or more types of malware designed to steal money from bank accounts on the computers of 181,725 users.

MITRE shares this year's top 25 most dangerous software bugs
BleepingComputer • Sergiu Gatlan • 20 Aug 2020

MITRE today shared a list of the top 25 most common and dangerous weaknesses plaguing software during the last two previous years.
Software weaknesses can be flaws, bugs, vulnerabilities, and other types of errors found in a software solution's code, architecture, implementation, or design that could expose the systems it's running on to attacks.
To make this list, the American not-for-profit organization scored each weakness based on both severity and prevalence using Common Vulnera...

Spam and phishing in Q2 2020
Securelist • Tatyana Kulikova, Tatyana Sidorina, Tatyana Shcherbakova • 07 Aug 2020

The second quarter often saw phishers resort to targeted attacks, especially against fairly small companies. To attract attention, scammers imitated email messages and websites of companies whose products or services their potential victims could be using.
The scammers did not try to make any of the website elements appear credible as they created the fake. The login form is the only exception. One of the phishing websites we discovered even used a real captcha on that form.

T...

Cycldek: Bridging the (air) gap
Securelist • GReAT, Mark Lechtik, Giampaolo Dedola • 03 Jun 2020

While investigating attacks related to a group named Cycldek post 2018, we were able to uncover various pieces of information on its activities that were not known thus far. In this blog post we aim to bridge the knowledge gap on this group and provide a more thorough insight into its latest activities and modus operandi. Here are some key insights that will be described in this publication:
Cycldek is a long-known Chinese-speaking threat actor. Based on the group’s past activity, it has...

Spam and phishing in Q1 2020
Securelist • Tatyana Shcherbakova, Tatyana Sidorina, Tatyana Kulikova • 26 May 2020

Burning Man is one of the most eagerly awaited events among fans of spectacular performance and installation art. The main obstacle to attending is the price of admission: a standard ticket will set you back $475, the number is limited, and the buying process is a challenge all by itself (there are several stages, registration data must be entered at a specific time, and if something goes wrong you might not get a second chance). Therefore, half-price fake tickets make for excellent bait.
...

IT threat evolution Q1 2020. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Oleg Kupreev, Evgeny Lopatin, Alexey Kulaev • 20 May 2020

These statistics are based on detection verdicts for Kaspersky products received from users who consented to providing statistical data.
According to Kaspersky Security Network,
Q1 2020 will be remembered primarily for the coronavirus pandemic and cybercriminals’ exploitation of the topic. In particular, the creators of a new modification of the Ginp banking trojan renamed their malware Coronavirus Finder and then began offering it for €0.75 disguised as an app supposedly capable...

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
The Register • Shaun Nichols in San Francisco • 14 May 2020

Update, update, update. Plus: Flash, Struts, Drupal also make appearances Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
welivesecurity • Ignacio Sanmillan • 13 May 2020

ESET researchers have discovered a previously unreported cyber-espionage framework that we named Ramsay and that is tailored for collection and exfiltration of sensitive documents and is capable of operating within air‑gapped networks.
We initially found an instance of Ramsay in VirusTotal. That sample was uploaded from Japan and led us to the discovery of further components and versions of the framework, along with substantial evidence to conclude that this framework is at a development...

US govt shares list of most exploited vulnerabilities since 2016
BleepingComputer • Sergiu Gatlan • 12 May 2020

US Government cybersecurity agencies and specialists today have released a list of the top 10 routinely exploited security vulnerabilities between 2016 and 2019.
Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader US Government issued the AA20-133A alert through the National Cyber Awareness System to make it easier for organizations from the public and private sector to prioritize patching in their environments.
"The...

SilverTerrier BEC scammers target US govt healthcare agencies
BleepingComputer • Sergiu Gatlan • 07 May 2020

Government healthcare agencies, COVID-19 response organizations, and medical research facilities from across the globe were the targets of Business Email Compromise (BEC) phishing campaigns coordinated by multiple Nigerian BEC actors during the last three months.
BEC aka EAC (short for Email Account Compromise) scammers are known for using social engineering via phishing attacks or hacking to switch the bank accounts used by an organization's financial department to wire out funds.

Spam and phishing in 2019
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina, Tatyana Kulikova • 08 Apr 2020

In 2019, attackers were more active than usual in their exploitation of major sports and movie events to gain access to users’ financial or personal data. Premieres of TV shows and films, and sports broadcasts were used as bait for those looking to save money by watching on “unofficial” resources.
A search for “Watch latest X for free” (where X = Avengers movie, Game of Thrones season, Stanley Cup game, US Open, etc.) returned links to sites offering the opportunity to do precise...

IT threat evolution Q3 2019
Securelist • David Emm • 29 Nov 2019

At the end of June we reported the details of a highly targeted campaign that we dubbed ‘Operation ViceLeaker’ involving the spread of malicious Android samples via instant messaging. The campaign affected several dozen victims in Israel and Iran. We discovered this activity in May 2018, right after Israeli security agencies announced that Hamas had installed spyware on the smartphones of Israeli soldiers, and we released a private report on our Threat Intelligence Portal. We believe the mal...

IT threat evolution Q3 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 29 Nov 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
In Q3 2019, we discovered an extremely unpleasant incident with the popular CamScanner app on Google Play. The new version of the app contained an ad library inside with the Trojan dropper Necro built in. Judging by the reviews on Google Play, the dropper’s task was to activate paid subscriptions, although it ...

Spam and phishing in Q3 2019
Securelist • Maria Vergelis, Tatyana Sidorina, Tatyana Shcherbakova • 26 Nov 2019

In Q3, we registered numerous scam mailings related to Amazon Prime. Most of the phishing emails with a link to a fake Amazon login page offered new prices or rewards for buying things, or reported problems with membership, etc. Against the backdrop of September’s Prime Day sale, such messages were plausible.
Scammers also used another fraudulent scheme: An email informed victims that their request to cancel Amazon Prime had been accepted, but if they had changed their mind, they should ...

Phishing Campaign Targets Precision Engineering Company
BleepingComputer • Ionut Ilascu • 31 Oct 2019

Attackers have targeted precision companies in Italy with phishing that is difficult to spot. The final payload is a fileless trojan that harvests credentials.
The campaign used a legitimate-looking Microsoft Excel spreadsheet embedded with exploit code that moves silently to infect the computer.
The cybercriminals made all efforts to craft an email the victim company would typically receive from a customer. From body to sender's address and the document attached, everything was sp...

U.S. Manufacturer Most Recent Target of LokiBot Malspam Campaign
Threatpost • Lindsey O'Donnell • 10 Sep 2019

The well-known LokiBot malware has popped up in several malicious spam campaigns over the past year, covertly siphoning information from victims’ compromised endpoints. Researchers this week are warning of the most recent sighting of the malware, which was recently spotted in spam messages targeting a large U.S. manufacturing company.
Researchers first discovered the campaign on Aug. 21 after an unnamed U.S. semiconductor distributor received a spam email sent to the sales department fro...

LokiBot Info-Stealer Used in Spear Phishing Attack on US Company
BleepingComputer • Sergiu Gatlan • 10 Sep 2019

Security researchers discovered a malspam campaign distributing LokiBot information stealer payloads using phishing messages targeting the employees of a large U.S. manufacturing company.
The malware distributed by the spear-phishing attack detected on August 21 was compiled on that same date, as researchers with the FortiGuard SE Team found out.
As they observed, the attackers are not native English speakers based on the contents of the spam emails that came with attachments designed to...

Defense Takeaways from Three Adversary Playbooks
Threatpost • Derek Manky • 28 Aug 2019

In these days of advanced threats, the perimeter defense strategy – though still useful and necessary – is incomplete. IT security teams need as much information about existing threats as possible, so they know what to look for and how to position proactive countermeasures. Creating and using adversary playbooks that dive-deep into current threats help in this endeavor.
Rather than focusing on the perimeter mindset of keeping the bad actors out, this new strategy focuses on preventing ...

Spam and phishing in Q2 2019
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina • 28 Aug 2019

In the second quarter of 2019, scammers were making active use of cloud-based data storage services such as Google Drive and Google Storage to hide their illegal content. The reasoning behind this is simple: a link from a legitimate domain is seen as more trustworthy by both users and spam filters. Most often, such links point to text files, tables, presentations, and other documents containing text and a link, say, to an advertised product or phishing page.

Also this past quarter,...

IT threat evolution Q2 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 19 Aug 2019

These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q2 2019 will be remembered for several events.
First, we uncovered a large-scale financial threat by the name of Riltok, which targeted clients of not only major Russian banks, but some foreign ones too.
Second, we detected the new Trojan.AndroidOS.MobOk malware, tasked with stealing money from mobil...

Recent Cloud Atlas activity
Securelist • GReAT • 12 Aug 2019

Also known as Inception, Cloud Atlas is an actor that has a long history of cyber-espionage operations targeting industries and governmental entities. We first reported Cloud Atlas in 2014 and we’ve been following its activities ever since.
From the beginning of 2019 until July, we have been able to identify different spear-phishing campaigns related to this threat actor mostly focused on Russia, Central Asia and independent regions of Ukraine.
Cloud Atlas hasn’t changed its TTPs...

Microsoft Warns of Campaign Dropping Flawedammyy RAT in Memory
BleepingComputer • Sergiu Gatlan • 21 Jun 2019

Microsoft issued a warning about an active spam campaign that tries to infect Korean targets with a FlawedAmmyy RAT malware distributed via malicious XLS attachments.
The Twitter account explained in a thread that a currently active campaign "employs a complex infection chain to download and run the notorious FlawedAmmyy RAT directly in memory."
Attacks will start after the victims open the attached .xls file that "automatically runs a macro function that runs msiexec.e...

Microsoft Warns of Email Attacks Executing Code Using an Old Bug
Threatpost • Tara Seals • 10 Jun 2019

Microsoft is warning of a fresh email campaign that distributes malicious RTF files boobytrapped with an exploit dating back to a 2017 vulnerability, CVE-2017-11882.
The exploit allows attackers to automatically run malicious code without requiring user interaction.

“The CVE-2017-11882 vulnerability was fixed in 2017, but to this day, we still observe the exploit in attacks,” Microsoft Security Intelligence tweeted on Friday. “Notably, we saw increased activity in the pa...

Microsoft Issues Warning on Spam Campaign Using Office Exploits
BleepingComputer • Lawrence Abrams • 07 Jun 2019

Microsoft has issued a warning Friday night about an active spam campaign targeting European languages that is utilizing an exploit that could infect users simply by opening the attached document.
In a series of tweets from the account, Microsoft is warning that they have detected an active campaign that contains RTF attachments utilizing the Microsoft Office and Wordpad vulnerability.
When successfully exploited, this vulnerability can automatically infect users b...

IT threat evolution Q1 2019. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Boris Larin, Oleg Kupreev, Evgeny Lopatin • 23 May 2019

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network,
Q1 2019 is remembered mainly for mobile financial threats.
First, the operators of the Russia-targeting Asacub Trojan made several large-scale distribution attempts, reaching up to 13,000 unique users per day. The attacks used active bots to send malicious links to contacts in already infected smartpho...

Spam and phishing in Q1 2019
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina • 15 May 2019

As per tradition, phishing timed to coincide with lovey-dovey day was aimed at swindling valuable confidential information out of starry-eyed users, such as bank card details. The topics exploited by cybercriminals ranged from online flower shops to dating sites.

But most often, users were invited to order gifts for loved ones and buy medications such as Viagra. Clicking/tapping the link in such messages resulted in the victim’s payment details being sent to the cybercriminals.

FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
Securelist • Yury Namestnikov, Félix Aime • 08 May 2019

On August 1, 2018, the US Department of Justice announced that it had arrested several individuals suspected of having ties to the FIN7 cybercrime rig. FIN7 operations are linked to numerous intrusion attempts having targeted hundreds of companies since at least as early as 2015. Interestingly, this threat actor created fake companies in order to hire remote pentesters, developers and interpreters to participate in their malicious business. The main goal behind its malicious activities was to st...

Kaspersky updates its cybercrook look book: Smashing Office is hot, browser vulns are not
The Register • Gareth Corfield • 16 Apr 2019

Over two-thirds of attacks Russian biz spied targeted venerable Microsoft suite

Russian security biz Kaspersky Lab has said more than 70 per cent of malware attacks it detected last year were made against everyone's favourite Microsoft suite – Office.
"In the past few months, MS Office... became the most targeted platform," the firm said in a blog post. It produced a graph showing that between Q4 2016 and Q4 2018, Office-targeting attacks rose from 16 per cent of total Kaspersky detections to more than two-thirds.
The outfit also reported a switch away from ne...

Malspam Campaigns Distribute HawkEye Keylogger, Post Ownership Change
Threatpost • Lindsey O'Donnell • 16 Apr 2019

The HawkEye malware kit and information-stealer has been spotted in a newfound slew of campaigns after a recent ownership change.
While the keylogger has been in continuous development since 2013, in December a thread on a hacking site noted an ownership change, after which posts on hacking forums began to appear, selling new versions of the kit. “HawkEye Reborn v9” sports new anti-detection features and other changes, researchers said.
“Recent changes in both the ownership and...

Fake or Fake: Keeping up with OceanLotus decoys
welivesecurity • Romain Dumont • 20 Mar 2019

This article will first describe how the OceanLotus group (also known as APT32 and APT-C-00) recently used one of the publicly available exploits for CVE-2017-11882, a memory corruption vulnerability present in Microsoft Office software, and how OceanLotus malware achieves persistence on compromised systems without leaving any traces. Then, the article describes how, since the beginning of 2019, the group has been leveraging self-extracting archives to run code.
Following OceanLotus’ act...

80% of the Top Exploited Vulnerabilities Targeted Microsoft in 2018
BleepingComputer • Sergiu Gatlan • 19 Mar 2019

Eight out of the top ten vulnerabilities exploited by cybercriminals as part of phishing, exploit kits, or remote access trojan (RAT) attacks during 2018 targeted Microsoft's software products, continuing a trend started in 2017.
As detailed in a report by Recorded Future's Kathleen Kuczma, Microsoft continues to be the main target of malicious actors following a similarly "busy" 2017 when the top exploited vulnerabilities changed focus from Adobe's Flash Player.
While the number of ...

ThreatList: Phishing Attacks Doubled in 2018
Threatpost • Lindsey O'Donnell • 12 Mar 2019

Phishing attempts more than doubled in 2018, as bad actors sought to trick victims into handing over their credentials. They used both old tricks – such as scams tied to current events – as well as other stealthy, fresher tactics.
Researchers with Kaspersky Lab said in a Tuesday report that during the course of 2018, they detected phishing redirection attempts 482.5 million times – up from the 246.2 million attempts detected in 2017. In total, 18.32 percent of users were attacked, r...

Spam and phishing in 2018
Securelist • Maria Vergelis, Tatyana Shcherbakova, Tatyana Sidorina • 12 Mar 2019

In the first months of the year alone, we registered a great many emails in spam traffic connected in some way to the EU General Data Protection Regulation (GDPR). It was generally B2B spam — mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.
During this period, there was an upturn in legitimate mailings too. Following the requirements of the regulation, companies sent out notificati...

RSAC 2019: Microsoft Zero-Day Allows Exploits to Sneak Past Sandboxes
Threatpost • Tara Seals • 05 Mar 2019

SAN FRANCISCO – A previously unknown bug in Microsoft Office has been spotted being actively exploited in the wild; it can be used to bypass security solutions and sandboxes, according to findings released at the RSA Conference 2019.
The bug exists in the OLE file format and the way it’s handled in Microsoft Word, said researchers from Mimecast. They noted that the OLE32.dll library incorrectly handles integer overflows.
Microsoft told the researchers that patching the problem is...

GreyEnergy’s overlap with Zebrocy
Securelist • Kaspersky Lab ICS CERT • 24 Jan 2019

In October 2018, ESET published a report describing a set of activity they called GreyEnergy, which is believed to be a successor to BlackEnergy group. BlackEnergy (a.k.a. Sandworm) is best known, among other things, for having been involved in attacks against Ukrainian energy facilities in 2015, which led to power outages. Like its predecessor, GreyEnergy malware has been detected attacking industrial and ICS targets, mainly in Ukraine.
Kaspersky Lab ICS CERT has identified an overlap bet...

Cobalt Group Pushes Revamped ThreadKit Malware
Threatpost • Tom Spring • 11 Dec 2018

Despite the high profile arrest earlier this year of the Cobalt Group ringleader, the threat actors behind the hacking collective are slowly ramping up their malicious behavior. In a new analysis of the threat group, known for its widespread attacks against banks in Eastern Europe over the past several years, the Cobalt Group has recently been observed updating its arsenal with a new version of the ThreadKit malware.
In a report issued by security firm Fidelis on Tuesday (PDF), researchers...

IT threat evolution Q3 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Oleg Kupreev, Evgeny Lopatin, Alexander Liskin • 12 Nov 2018

These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
Perhaps the biggest news of the reporting period was the Trojan-Banker.AndroidOS.Asacub epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab’s mobile products installed on their devices.

Number of...

Spam and phishing in Q3 2018
Securelist • Maria Vergelis, Nadezhda Demidova, Tatyana Shcherbakova • 06 Nov 2018

We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.
In Q3, we registered a surge of fraudulent emails in spam traffic. This type of scam we have already reported at the beginning of the year. A ransom (in bitcoins) is demanded in exchange for not disclosing the “damaging evidence” concerning the recipients....

New Technique Recycles Exploit Chain to Keep Antivirus Silent
BleepingComputer • Ionut Ilascu • 15 Oct 2018

In a new malware campaign, cybercriminals modified a known exploit chain to push Agent Tesla info stealer without triggering detection from common antivirus products.
Cybercriminals set up an infrastructure to deliver multiple malware families via two public exploits for Microsoft Word vulnerabilities
 and
.
According to analysts from Cisco Talos, the campaign intended to drop at least three payloads: Agent Tesla, Loki, and Gamarue. All of them are capable to steal in...

White-Hats Go Rogue, Attack Financial Institutions
BleepingComputer • Ionut Ilascu • 05 Sep 2018

Hackers rooted in the white-hat part of the business moonlight as bank robbers, pouring their knowledge and skills into creating and modifying malware that allows them to infiltrate financial institutions.
The group is believed to have only two members and shows perseverance as well as the ability to learn from its own failures.
According to a report shared with BleepingComputer by international cybersecurity company Group-IB, the newest financially-motivated group on the market has...

Spam and phishing in Q2 2018
Securelist • Maria Vergelis, Nadezhda Demidova, Tatyana Shcherbakova • 14 Aug 2018

In the first quarter, we discussed spam designed to exploit GDPR (General Data Protection Regulation), which came into effect on May 25, 2018. Back then spam traffic was limited to invitations to participate in workshops and other educational events and purchase software or databases. We predicted that fraudulent emails were soon to follow. And we found them in the second quarter.
As required by the regulation, companies notified email recipients that they were switching to a new GDPR-comp...

IT threat evolution Q2 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Alexander Liskin, Oleg Kupreev • 06 Aug 2018

According to KSN:
In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

Among all the threats detected in Q2 2018, the lion’s share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.
Second place was taken by Trojan-Dropper threats (13%),...

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week
The Register • Iain Thomson in San Francisco • 28 Jul 2018

The good, the bad, and the ugly from infosec

Roundup There has been a bumper crop of security news this week, including another shipping giant getting taken down by ransomware, Russian hackers apparently completely pwning US power grids and a sane request from Senator Wyden (D-OR) for the US government to dump Flash. But there has been other news bubbling under.
Useless action please! While Wyden might know what he's talking about his colleagues seem set on useless posturing.
On Tuesday Senators Pat Toomey (R-PA) and Chris Van ...

Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign
Fireeye Threat Research • by Swapnil Patil • 26 Jul 2018

Campaign Details
In September 2017, FireEye identified the FELIXROOT backdoor as a payload in a campaign targeting Ukrainians and reported it to our intelligence customers. The campaign involved malicious Ukrainian bank documents, which contained a macro that downloaded a FELIXROOT payload, being distributed to targets.
FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar ...

LuckyMouse hits national data center to organize country-level waterholing campaign
Securelist • Denis Legezo • 13 Jun 2018

In March 2018 we detected an ongoing campaign targeting a national data center in the Central Asia that we believe has been active since autumn 2017. The choice of target made this campaign especially significant – it meant the attackers gained access to a wide range of government resources at one fell swoop. We believe this access was abused, for example, by inserting malicious scripts in the country’s official websites in order to conduct watering hole attacks.
The operators used the...

Targeted Spy Campaign Hits Russian Service Centers
Threatpost • Tara Seals • 07 Jun 2018

A series of espionage attacks have been uncovered, targeted at service centers in Russia that provide maintenance and support for a variety of electronic goods.
The payload is a commercial version of the Imminent Monitor tool, which is freely available for purchase as legitimate software. Its developers explicitly prohibit any usage of the tool in a malicious way – which bad actors are clearly ignoring.
Imminent Monitor includes two modules for recording video from a victim’s web...

Despite Ringleader’s Arrest, Cobalt Group Still Active
Threatpost • Tara Seals • 28 May 2018

Evidence has surfaced that the Cobalt Group – the threat actors behind widespread attacks on banks and ATM jackpotting campaigns across Europe – is continuing to operate, despite the arrest of its accused ringleader in March.
The Cobalt Group, first burst on the scene in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs in Eastern Europe. Throughout 2017 the group expanded its focus to financial-sector phishing schemes and new re...

IT threat evolution Q1 2018. Statistics
Securelist • Victor Chebyshev, Fedor Sinitsyn, Denis Parinov, Alexander Liskin, Oleg Kupreev • 14 May 2018

According to KSN:
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.
It wasn’t a drive-by-download case, since the success of the attack larg...

APT Trends report Q1 2018
Securelist • GReAT • 12 Apr 2018

In the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of the research we have been conducting. This report serves as the next installment, focusing on the relevant activities that we observed during Q1 2018.
These summaries serve as a representative snapshot of what has been discussed in greater detail in our private reports, in order to h...

Word Attachment Delivers FormBook Malware, No Macros Required
Threatpost • Tom Spring • 09 Apr 2018

A new wave of document attacks targeting inboxes do not require enabling macros in order for adversaries to trigger an infection chain that ultimately delivers FormBook malware.
Researchers at Menlo Security are reporting a wave of attacks that began last month that are targeting financial and information service sectors in the Middle East and United States. The method of infection includes a new multi-stage infection technique.
The company, which released details of the method Monda...

Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries
Fireeye Threat Research • by FireEye • 16 Mar 2018

Intrusions Focus on the Engineering and Maritime Sector
Since early 2018, FireEye (including our FireEye as a Service (FaaS), Mandiant Consulting, and iSIGHT Intelligence teams) has been tracking an ongoing wave of intrusions targeting engineering and maritime entities, especially those connected to South China Sea issues. The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “L...

Word-based Malware Attack Doesn’t Use Macros
Threatpost • Tom Spring • 15 Feb 2018

Typically, inbox-based attacks that include malicious Microsoft Office attachments require adversaries to trick users into enabling macros. But researchers say they have identified a new malicious email campaign that uses booby-trapped Office attachments that are macro-free.
The attacks do not generate the same type of default warning from Microsoft associated with macro-based attacks, according to research published Wednesday by Trustwave’s SpiderLabs. When opening attachments, there ar...

Multi-Stage Word Attack Infects Users Without Using Macros
BleepingComputer • Catalin Cimpanu • 15 Feb 2018

Spam distributors are using a new technique to infect users with malware, and while this attack relies on having users open Word documents, it does not involve users having to allow the execution of macro scripts.
This new macro-less technique is currently under active exploitation, being detected by Trustwave SpiderLabs researchers in an ongoing malware campaign.
The company says crooks are using this multi-phase, no-macros technique to infect users with a password stealer. Currentl...

Attackers Use Microsoft Office Vulnerabilities to Spread Zyklon Malware
Threatpost • Tom Spring • 17 Jan 2018

Spam campaigns delivering Zyklon HTTP malware are attempting to exploit three relatively new Microsoft Office vulnerabilities. The attacks are targeting telecommunications, insurance and financial service firms.
According to FireEye researchers who identified the campaigns, attackers are attempting to harvest passwords and cryptocurrency wallet data along with recruiting targeted systems for possible future distributed denial of service attacks.
Researchers said attacks begin with sp...

Microsoft Office Vulnerabilities Used to Distribute Zyklon Malware in Recent Campaign
Fireeye Threat Research • by Swapnil Patil, Yogesh Londhe • 17 Jan 2018

Introduction
FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware. Zyklon has been observed in the wild since early 2016 and provides myriad sophisticated capabilities.
Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self...

New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
Fireeye Threat Research • by Manish Sardiwal, Yogesh Londhe, Nalani Fraser, Nick Richard, Jacqueline O’Leary, Vincent Cannon • 07 Dec 2017

Less than a week after Microsoft issued a patch for CVE-2017-11882 on Nov. 14, 2017, FireEye observed an attacker using an exploit for the Microsoft Office vulnerability to target a government organization in the Middle East. We assess this activity was carried out by a suspected Iranian cyber espionage threat group, whom we refer to as APT34, using a custom PowerShell backdoor to achieve its objectives.
We believe APT34 is involved in a long-term cyber espionage operation largely focused ...

Even Highly Skilled Cyber-Thieves Make Stupid Mistakes, or Do They?
BleepingComputer • Catalin Cimpanu • 30 Nov 2017

Cobalt, a highly-skilled group of hackers who target banks and financial institutions, may have committed a mistake and accidentally leaked a list of all their current targets, according to Yonathan Klijnsma, a security researcher with RiskIQ.
The error occurred in a spear-phishing campaign that took place last week, on November 21.
Klijnsma says the group sent out a mass email, but instead of including the campaign's targets in the email's BCC field, they added their targets' emails...

A Hacking Group Is Already Exploiting the Office Equation Editor Bug
BleepingComputer • Catalin Cimpanu • 24 Nov 2017

A week after details about a severe Microsoft Office vulnerability came to light, at least one criminal group is now using it to infect users.
The group is not your regular spam botnet, but a top cyber-criminal operation known to security researchers as Cobalt, a hacking outfit that has targeted banks, ATM networks, and financial institutions for the past two years.
, a UK-based cyber-security firm, the Cobalt group is now spreading RTF documents to high-value targets that are laced ...

Microsoft Appears to Have Lost the Source Code of an Office Component
BleepingComputer • Catalin Cimpanu • 18 Nov 2017

The way Microsoft patched a recent security bug has made several security and software experts believe the company might have lost the source code to one of its Office components.
Experts reached this conclusion this week after
tracked as CVE-2017-11882 that affected EQNEDT32.EXE — the equation editor that was included with the Microsoft Office suite until 2007.
While Microsoft has replaced the old EQNEDT32.EXE component with a new one in 2007, the older file is still inclu...

Microsoft Patches 17-Year-Old Office Bug
Threatpost • Tom Spring • 15 Nov 2017

Microsoft on Tuesday patched a 17-year-old remote code execution bug found in an Office executable called Microsoft Equation Editor. The vulnerability (CVE-2017-11882) was patched as part of Microsoft’s November Patch Tuesday release of 53 fixes.
While Microsoft rates the vulnerability only as “Important” in severity, researchers at Embedi who found the bug, call it “extremely dangerous.”
In a report released Tuesday (PDF) by Embedi, researchers argue the vulnerability is a...

It's 2017 – and your Windows PC can be forced to run malware-stuffed Excel macros
The Register • Shaun Nichols in San Francisco • 15 Nov 2017

Not enough? How about a few dozen PDF remote code holes?

Microsoft and Adobe are getting into the holiday spirit this month by gorging users and admins with a glut of security fixes.
The November of Patch Tuesday brings fixes for more than 130 bugs between the two software giants for products including IE, Edge, Office, Flash Player and Acrobat.
Microsoft's patch dump addresses a total 53 CVE-listed vulnerabilities, including three that already have been publicly detailed. Those include CVE-2017-11827, a memory corruption flaw in Edge and ...

Microsoft Patches 20 Critical Vulnerabilities
Threatpost • Tom Spring • 14 Nov 2017

Microsoft tackled 53 vulnerabilities with today’s Patch Tuesday bulletin. Remote code execution bugs dominated this month’s patches, representing 25 fixes. In total, 20 of Microsoft’s security fixes were rated critical.
Notable are four vulnerabilities with public exploits identified by Microsoft as CVE-2017-11848, CVE-2017-11827, CVE-2017-11883 and CVE-2017-8700. But, according to an analysis of Patch Tuesday fixes by Qualys, none of the four are being used in active campaigns...

Office Equation Editor Security Bug Runs Malicious Code Without User Interaction
BleepingComputer • Catalin Cimpanu • 14 Nov 2017

Microsoft has patched today a huge security hole in Microsoft Office that could be exploited to run malicious code without user interaction on all Windows versions released in the past 17 years.
The vulnerability — tracked as CVE-2017-11882 — was patched today in the
updates.
Discovered by the Embedi research team, the vulnerability affects the Microsoft Equation Editor (EQNEDT32.EXE), one of the executables that is installed on users' computers with the Office suite.

The Register

Vulnerabilities in Microsoft Windows, Office, and Windows Server, for which patches have been available for years, continue to be the favorite target for hackers looking to spread malware.
A list posted by US-CERT this week rattles off the 10 most oft-targeted security vulnerabilities during the past three years, and finds that, shock horror, for the most part, keeping up with patching will keep you safe.
Microsoft ranks highly in the list because its software is widely used, and pro...

Russia-Ukraine war exploited as lure for malware distribution
BleepingComputer • Bill Toulas • 01 Jan 1970

Threat actors are distributing malware using phishing themes related to the invasion of Ukraine, aiming to infect their targets with remote access trojans (RATs) such as Agent Tesla and Remcos.
It is common for malware distributors to take advantage of trending global events to trick the recipient into opening email attachments, and at this time, there is nothing more closely watched than Russia's invasion of Ukraine.
Using this theme, threat actors are sending malicious emails that ...

Political-themed actor using old MS Office flaw to drop multiple RATs
BleepingComputer • Bill Toulas • 01 Jan 1970

A novel threat actor with unclear motives is running a crimeware campaign delivering multiple Windows and Android RATs (remote access tools) through the exploitation of CVE-2017-11882.
This
 was addressed in the November 2017 patch, but it appears that it's still available for leverage, especially in India and Afghanistan where the targets of this campaign are based.
The threat actor was spotted by researchers at
, who didn’t find any strong links to a particular nati...

It's 2022 and there are still malware-laden PDFs in emails exploiting bugs from 2017
The Register • Jeff Burt • 01 Jan 1970

Crafty file names, encrypted malicious code, Office flaws – ah, it's like the Before Times

HP's cybersecurity folks have uncovered an email campaign that ticks all the boxes: messages with a PDF attached that embeds a Word document that upon opening infects the victim's Windows PC with malware by exploiting a four-year-old code-execution vulnerability in Microsoft Office.
Booby-trapping a PDF with a malicious Word document goes against the norm of the past 10 years, according to the HP Wolf Security researchers. For a decade, miscreants have preferred Office file formats, such a...