The first Patch Tuesday of 2021 is here and the year is starting out lighter than most. Perhaps a blessing for a year that doesn't seem to want to let up on all the... "drama" that started in 2020. In all Microsoft is patching ten vulnerabilities rated "Critical", 71 rated "Important", and two rated as "Moderate".

This blog post focuses on the privacy issues that Microsoft Teams & Skype desktop clients pose. The log database in both clients stores all the chats and images as plain non-encrypted data. The chats are encrypted via network as mentioned here https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide but not encrypted at rest in local storage.

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public on December 8, 2020. As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

On the 30th of October, D-Link published a support announcement and released a new firmware to patch five vulnerabilities that Harold Zang, Technical Security Specialist at Trustwave, identified on the DSL-2888A router. These security vulnerabilities could allow a malicious Wi-Fi or local network user to gain unauthorised access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on the router.

Cybercriminals are leveraging reputable cloud services to relay scam email messages to their victims while piggybacking on reputable cloud service to evade detection. Previously we reported a similar approach being used for sending phishing messages from the cloud and now we are observing a variety of Email scam messages like Nigerian 419 scams, inheritance scams, investment scams, and other unexpected money or unexpected winnings scams being routed to unwitting victims via the Google Forms service.

With the prevalence of IoT devices flooding the mainstream marketplace, we tend to see a large proliferation of these devices lacking even basic security controls. Many of these devices are targeted for mainstream household environments and due to often unfettered internet access and device control through insecure mobile applications, this makes such devices a great playground for security researchers and malicious actors alike.

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public this week.

During observation of WinZip 24 network communications, I've noticed that it sends update check requests cleartext (HTTP). Same cleartext communication is utilized when Trial pop-ups are displayed and could be used to deliver malware to users’ computers.

When the engineer activates the passwords for application protection, the passwords are hashed and stored in the local project file, which ends with the extension smbp. If we open this file in a notepad, we can find the hashed passwords in this section.

December's Patch Tuesday is here and, typical for the end of the year, it's a light month with only 58 CVEs patched. This includes 10 CVEs rated as "Critical", 46 rated as "Important" and 2 rated "Moderate". The short "Critical" list includes most of the month-to-month tenants including the Chakra Scripting Engine, Hyper-V, Dynamics 365, Exchange, Sharepoint, and Visual Studio. All of the "Critical" vulnerabilities are Remote Code Execution issues.

Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While it's not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you.

The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to publicly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos. This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user.

We present two vulnerabilities in EcoStruxure Machine Expert v1.0 and Schneider Electric M221 (Firmware 1.10.2.2) Programmable Logic Controller (PLC). All three vulnerabilities were disclosed to Schneider Electric and the details were released on 10 November 2020.

Voting in the U.S. elections started recently and there is a real concern over interference and disinformation campaigns that might impact their outcome. During investigations around the elections, the Trustwave SpiderLabs team discovered massive databases with detailed information about U.S. voters and consumers offered for sale on several hacker forums.

The vulnerability, codenamed “Bad Neighbor”, is a bug in the IPv6 Neighbor Discovery Protocol, particularly it’s improper handling of ICMPv6 Router Advertisement Packets. While publicly available proof of concept (PoC) code results in a denial of service, attackers can exploit this bug to perform remote code execution (RCE).

October's Patch Tuesday is upon us and with it comes patches for 102 CVEs. This release includes 13 hair-raising "Critical" vulnerabilities, 88 spooky "Important" bugs, and one creepy "Moderate" issue.

A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.

ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET, Powershell, and Mimikatz implemented a module for it. So if you are an attacker or need to test your environment then you have plenty of options. As defenders, we also have options for detection on the network. If you aren’t familiar with ZeroLogon and need a quick overview then please check out our ZeroLogon Blog.