Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

COVID-19 Malspam Activity Ramps Up

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that some of what is currently out there.

An In-depth Look at MailTo Ransomware, Part One of Three

In February, an Australian transportation company called Toll Group was hit by a ransomware attack that reportedly spread to over 1000 servers and caused major disruption for the company and its clients. Recently the same ransomware family was seen attached to phishing emails targeting people's fear of COVID-19, a trend we've also been seeing quite a bit of. We got a hold of a sample of the ransomware and decided to take a closer look to see what makes it tick.

Would You Exchange Your Security for a Gift Card?

We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media.

SMBGhost (CVE-2020-0796): a Critical SMBv3 RCE Vulnerability

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check to see if they are vulnerable to this issue and patch as soon as possible where they are.

ModSecurity, Award Nominations, and the Challenges of Open Source

In the hustle and bustle of everyday work life we tend to look at the current issues we’re working to resolve, the next feature we want to develop, the next version release. We rarely take the time to look back and think about the work we’ve already done. On some rare occasions, however, something external makes you look back at them and it’s an opportunity to stop and appreciate what you’ve accomplished.

Persistent Cross-Site Scripting, the MSSQL Way

If you save wide Unicode brackets (i.e. <>) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. <>). So, <img src=x onerror=alert('pxss')> will be converted to <img src=x onerror=alert('pxss')> compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it.

More Excel 4.0 Macro MalSpam Campaigns

In light of the recent blog by my colleague Rodel Mendrez, we looked back at previous spam encountered over the past month which leverage Excel 4.0 macros and found some interesting samples. Both campaigns are using a fake invoice theme and both utilize Excel 4.0 macro to download malicious binaries.

Patch Tuesday, March 2020

Today marks Microsoft's March Patch Tuesday. While it may not be on the top of everyone's March priority list, 116 CVEs suggest that you don't ignore this Patch Tuesday.

Monster Lurking in Hidden Excel Worksheet

A recent blog by Didier Steven’s showed how malicious Excel 4 macros can be stored in OOXML (Office Open XML) .xlsm – a macro specific file format. We found this very interesting because even though Microsoft long ago replaced Excel 4 macros with VBA (Visual Basic Application), Excel 4 macros still work and are still supported in the newer Excel 2017 XML format.

Windows Debugging and Exploiting Part 4: NTQuerySystemInformation

Hello again! We are back with more Windows internals and it's time to get real. We already covered how to set up an environment, WinDBG basics and discussed WinDBG Time Travel Debugging. In this part 4 of my blog series, I'll briefly describe an internal API that is widely used to leak kernel information for most of the Windows LPE (Local Privilege Escalation) exploits. We will talk about the function NTQuerySystemInformation.

RATs Wrapped and Hidden in PNG

The Remote Access Tool (RAT) is one of the malware types we often encounter with our Security Email Gateway (SEG). Late last year, we noticed spam campaigns leading to RATs via disk image files through attachment and link. More recently, we came across 2 RATs encrypted, packed, and hidden in PNG files - using disk image files again and redirectors as arrival vectors.

Phishing in the Cloud

Credential phishing is one of the leading threats faced by organizations today. Threat actors use phishing emails to harvest corporate account credentials that they use to gain a foothold in an organization using ever-evolving and innovative techniques to evade detection.

Multiple Phishing Attacks Discovered Using the Coronavirus Theme

Inevitably, and sadly, bad guys take advantage of such events using fear to trick victims into opening attachments or clicking links that they usually would not. Closely monitoring our systems, we found a couple of phishing examples that seek to take advantage of this event.

Patch Tuesday, February 2020

February's Patch Tuesday is here and brings with it patches for 98 CVEs. These are split between 13 CVEs rated as "Critical" and 85 CVEs rated as "Important." Among the "Critical" patches, Remote Code Execution (RCE) vulnerabilities in the Scripting Engine make up more than half of the list. It's a regular piece of software patched pretty much every Patch Tuesday.

Reversing (and Recreating) Cryptographic Secrets Found in .NET Assemblies Using Python

Picture the scene - you’re on a penetration test, somehow you’ve got hold of a bunch of .NET assemblies for the application you’re assessing, be it a web application or thick client. On a thick client test, getting a hold of these files is somewhat trivial as they’re right there in front of you. On a web application test, however, things are not as easy - but it still is possible, depending on permissions and such. I won’t go into "the how-to" in order get these in this blog post, instead I will assume you’re sitting there, a cup of coffee in hand, staring at a bunch of .DLL files decompiled in something like dotPeek, ILSpy, etc.

Microsoft Internet Explorer Remote Code Execution 0-Day (CVE-2020-0674)

2020 is not starting out quietly for Microsoft, it seems. After the first Patch Tuesday of 2020 addressing a vulnerability in CryptoAPI last week, Microsoft released an advisory for an Internet Explorer 0-Day, assigned CVE-2020-0674, scheduled to be fixed in the upcoming Patch Tuesday.

ModSecurity Denial of Service Details - CVE-2019-19886

ModSecurity is an open-source WAF engine maintained by Trustwave. As a lively open-source project, we constantly work together with the community on reported bugs, feature requests, and other issues on the ModSecurity GitHub.

Windows CryptoAPI Spoofing Vulnerability - CVE-2020-0601

One of the most notable vulnerabilities patched during Microsoft's first Patch Tuesday of 2020 was a spoofing vulnerability in the Windows CryptoAPI. This has been issued CVE-2020-0601 and has also been referred to as the "Curveball" or "Chain of Fools" vulnerability.

Citrix ADC/Netscaler - CVE-2019-19781

The Citrix vulnerability (CVE-2019-19781) was first identified in December of 2019.  This vulnerability is a directory traversal attack that can lead to remote code execution.

ModSecurity v3.0.4 Released!

It is a pleasure to announce the release of ModSecurity version 3.0.4 (libModSecurity). This version contains a number of improvements in different areas. These include cleanups, better practices for improved code readability, resilience and overall performance and security fixes.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics