We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this. This bulletin addresses a critical, remote execution vulnerability affecting Microsoft Windows systems that have RDP enabled….Read More
Trickbot’s authors clearly aren’t done updating it — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.Read More
The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this, attackers seek to blend in with normal network traffic and use ports allowed by firewalls. Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like…Read More
On April 14, 2017, The Shadow Brokers (TSB) leaked a bevy of hacking tools named “Lost in Translation.” This leak is notorious for having multiple zero-day remote code execution (RCE) vulnerabilities targeting critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and applications like collaboration and web server-based software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.
The leak also contains multiple post-exploitation implants and utilities, used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server, among others. Five of the most notable implants include DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which all have different capabilities, features, and usage.Read More
We spotted two variants of activities from hacking group Outlaw. The script used in the first version of its bot has two functionalities: the miner and Haiduc-based dropper. The second variant of the code, distributed by the bot, was mainly designed to brute force and further exploit the Microsoft Remote Desktop Protocol and cloud administration cPanel in order to escalate the privileges.Read More