SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Securing SSH: What To Do and What Not To Do

The SSH service is critical, so ensuring its security is key. This blog will describe how best to secure the SSH service against threat actors.

Phishing in a Bucket: Utilizing Google Firebase Storage

Credential phishing is a real threat that's targeting organizations globally. Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.

Vaccine for COVID-19 and Other Scams on the Dark Web

This blog post will cover some of the more interesting reactions to COVID-19 we've encountered on the underground, both good and bad. Read on to learn more (spoiler alert: the coronavirus vaccine is a scam!).

Patch Tuesday, May 2020

May's Patch Tuesday includes patches for 111 unique CVEs. Of those CVEs, 17 are rated "Critical" and 94 are rated "Important". Aside from the common vulnerabilities in Microsoft's scripting engine, SharePoint is the hardest hit on the "Critical" list, with four separate Remote Code Execution (RCE) vulnerabilities and an Information Disclosure vulnerability patched for that server package.

Work From Home: The New New and What To Do

Here at SpiderLabs, we take the security of all our clients extremely seriously. The attacks that we see and use align with a recent note from US-CERT; they are not new or novel. However, their impact is even more profound during these uncertain times, when Work From Home (WFH) has become the new normal.

Attacking SCADA: Vulnerabilities in Schneider Electric SoMachine and M221 PLC (CVE-2017-6034 and CVE-2020-7489)

SCADA/OT security has been a growing concern for quite some time. This technology controls some of our most essential services and utilities, like our nuclear plants and electric grids. While most of these implementations are protected to a certain extent by unique complexity, 24/7 monitoring, and built-in fault tolerance and redundancy, vulnerabilities and attacks targeting them should not be discounted.

Excel Malspam: Password Protected … Not!

In early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in the .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format, crafted with another old MS Excel feature to evade detection.

COVID-19 Themed BEC Scams

Business email compromise (BEC), also known as CEO fraud, has undoubtedly become the biggest Internet scam of all time, claiming losses of over USD $26 billion since 2013. In such attacks, a fraudster impersonates an executive to trick individuals in the organization into sending money or sensitive information. The Coronavirus (COVID-19) pandemic has wreaked havoc, locking down countries and borders and bringing global economies to a halt, leading to unprecedented financial losses.

Patch Tuesday, April 2020

April's Patch Tuesday is here and Microsoft is patching 113 CVEs this month. Eighteen of these are rated "Critical", 94 rated as "Important", and one rated "Moderate". The highest-profile vulnerability patched today is in the Adobe and OpenType font drivers (CVE-2020-1020 and CVE-2020-0938 respectively). These vulnerabilities were detected after being exploited as a part of a limited zero-day campaign. Among the other "Critical" vulnerabilities are Remote Code Execution (RCE) vulnerabilities in SharePoint, Dynamics, and Hyper-V.

An In-depth Look at MailTo Ransomware, Part Three of Three

In Part One of this series, we discussed how MailTo ransomware installs and configures itself on the victim's system, and in Part Two we discussed how the malware executes and injects itself into the system. In this post, we take a look at what makes ransomware different from other malware and gives it its deadly bite: encryption.

An In-depth Look at MailTo Ransomware, Part Two of Three

In Part One of this series, we discussed how MailTo ransomware installs itself on the victim's system and then initializes itself with configuration options and persistence via the registry. Today we're going to continue our deep dive by looking into how MailTo executes and injects itself into the system.

COVID-19 Malspam Activity Ramps Up

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that show some of what is currently out there.

An In-depth Look at MailTo Ransomware, Part One of Three

In February, an Australian transportation company called Toll Group was hit by a ransomware attack that reportedly spread to over 1000 servers and caused major disruption for the company and its clients. Recently the same ransomware family was seen attached to phishing emails targeting people's fear of COVID-19, a trend we've also been seeing quite a bit of. We got hold of a sample of the ransomware and decided to take a closer look to see what makes it tick.

Would You Exchange Your Security for a Gift Card?

We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media.

SMBGhost (CVE-2020-0796): a Critical SMBv3 RCE Vulnerability

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check whether they are vulnerable to this issue and, where they are, patch as soon as possible.

ModSecurity, Award Nominations, and the Challenges of Open Source

In the hustle and bustle of everyday work life we tend to look at the current issues we’re working to resolve, the next feature we want to develop, the next version release. We rarely take the time to look back and think about the work we’ve already done. On some rare occasions, however, something external makes you look back at them and it’s an opportunity to stop and appreciate what you’ve accomplished.

Persistent Cross-Site Scripting, the MSSQL Way

If you save wide (fullwidth) Unicode angle brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into ASCII angle brackets (i.e. <>). So, ＜img src=x onerror=alert('pxss')＞ will be converted to <img src=x onerror=alert('pxss')> compliments of the backend DB. This will likely help the payload sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it, because the request never contains an ASCII "<".
