This blog investigates an interesting phishing campaign we encountered recently. In this campaign, the email subject pertains to a price revision followed by numbers. There is no email body but there is an attachment about an ”investment”.

Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.  The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.

From time to time, we all receive some unexpected messages. Either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money, this is a so-called “phishing” attack.

Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?). An Insecure Direct Object Reference (IDOR) vulnerability is then attached to the latter and all the hashes are yours for the keeping.

The recent Microsoft Exchange Server zero-day exploits have seen tens of thousands of organizations compromised by HAFNIUM and numerous other threat actor groups. Working closely with our customers across the globe, we have quickly been able to identify and isolate attributes of those attacks – particularly the China Chopper web shell that is being uploaded to compromised IIS servers.

In this blog, we outline another .zipx attachment we recently encountered with spam messages, and we will show the result of our investigation in comparison to the previous .zipx sample we observed.

The March Patch Tuesday is here and it's been an unfortunately busy month for Microsoft. Earlier last week they released information on a campaign targeting Microsoft Exchange Server with multiple zero-day exploits. We released information about this campaign yesterday and those affected should absolutely be working on updating their systems if they haven't already.

A Microsoft report indicated that the named vulnerabilities were being exploited in the wild by a new threat actor group Microsoft named HAFNIUM. According to Microsoft, HAFNIUM is a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.

February is here and with it comes a relatively light Patch Tuesday. Only 56 CVEs are being patched today. That includes eleven rated as "Critical", 42 rated as "Important", and three rated "Moderate". On the list of vulnerabilities rated as "Critical", you'll find vulnerabilities in .NET, various media codecs, Windows DNS and Fax services, and two in the Windows TCP/IP stack.

In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks.

The first Patch Tuesday of 2021 is here and the year is starting out lighter than most. Perhaps a blessing for a year that doesn't seem to want to let up on all the... "drama" that started in 2020. In all Microsoft is patching ten vulnerabilities rated "Critical", 71 rated "Important", and two rated as "Moderate".

This blog post focuses on the privacy issues that Microsoft Teams & Skype desktop clients pose. The log database in both clients stores all the chats and images as plain non-encrypted data. The chats are encrypted via network as mentioned here https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide but not encrypted at rest in local storage.

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public on December 8, 2020. As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

On the 30th of October, D-Link published a support announcement and released a new firmware to patch five vulnerabilities that Harold Zang, Technical Security Specialist at Trustwave, identified on the DSL-2888A router. These security vulnerabilities could allow a malicious Wi-Fi or local network user to gain unauthorised access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on the router.

Cybercriminals are leveraging reputable cloud services to relay scam email messages to their victims while piggybacking on reputable cloud service to evade detection. Previously we reported a similar approach being used for sending phishing messages from the cloud and now we are observing a variety of Email scam messages like Nigerian 419 scams, inheritance scams, investment scams, and other unexpected money or unexpected winnings scams being routed to unwitting victims via the Google Forms service.

With the prevalence of IoT devices flooding the mainstream marketplace, we tend to see a large proliferation of these devices lacking even basic security controls. Many of these devices are targeted for mainstream household environments and due to often unfettered internet access and device control through insecure mobile applications, this makes such devices a great playground for security researchers and malicious actors alike.

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public this week.