We’ve gotten a number of questions from customers who are concerned about the Remote Desktop Protocol (RDP) vulnerability addressed by Microsoft on Tuesday with their security bulletin MS12-020. We wanted to take a moment to update you on this. This bulletin addresses a critical, remote execution vulnerability affecting Microsoft Windows systems that have RDP enabled…
October’s Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Most of the critical bulletins were for various Internet Explorer and Microsoft Edge vulnerabilities, with one covering a Remote Desktop Client vulnerability. The Important bulletins fixed several issues, including NTLM and Microsoft IIS server vulnerabilities.
Trickbot’s authors clearly aren’t done updating it — we recently found a new variant that uses an updated version of the pwgrab module that lets it grab remote application credentials.
The perpetrators of targeted attacks want to maintain a persistent presence in a target network in order to extract sensitive data when needed. To maintain this, attackers seek to blend in with normal network traffic and use ports allowed by firewalls. Frequently, the malware used in targeted attacks uses HTTP and HTTPS to appear like…
On April 14, 2017, The Shadow Brokers (TSB) leaked a bevy of hacking tools named “Lost in Translation.” This leak is notorious for having multiple zero-day remote code execution (RCE) vulnerabilities targeting critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and applications like collaboration and web server-based software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.
The leak also contains multiple post-exploitation implants and utilities, used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server, among others. Five of the most notable implants include DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which all have different capabilities, features, and usage.