Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Patch Tuesday, January 2021

The first Patch Tuesday of 2021 is here and the year is starting out lighter than most. Perhaps a blessing for a year that doesn't seem to want to let up on all the... "drama" that started in 2020. In all Microsoft is patching ten vulnerabilities rated "Critical", 71 rated "Important", and two rated as "Moderate".

Microsoft Teams and Skype Logging Privacy Issue

This blog post focuses on the privacy issues that Microsoft Teams & Skype desktop clients pose. The log database in both clients stores all the chats and images as plain non-encrypted data. The chats are encrypted via network as mentioned here https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide but not encrypted at rest in local storage.

A Trump Sex Video? No, It's a RAT!

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

Phishing the Holiday Season

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

Trustwave’s Action Response To the FireEye Data Breach & SolarWinds Orion Compromise

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public on December 8, 2020. As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

D-Link: Multiple Security Vulnerabilities Leading to RCE

On the 30th of October, D-Link published a support announcement and released a new firmware to patch five vulnerabilities that Harold Zang, Technical Security Specialist at Trustwave, identified on the DSL-2888A router. These security vulnerabilities could allow a malicious Wi-Fi or local network user to gain unauthorised access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on the router.

Scamming from the Cloud

Cybercriminals are leveraging reputable cloud services to relay scam email messages to their victims while piggybacking on reputable cloud service to evade detection. Previously we reported a similar approach being used for sending phishing messages from the cloud and now we are observing a variety of Email scam messages like Nigerian 419 scams, inheritance scams, investment scams, and other unexpected money or unexpected winnings scams being routed to unwitting victims via the Google Forms service.

Magic Home Pro Mobile Application Authentication Bypass (CVE-2020-27199)

With the prevalence of IoT devices flooding the mainstream marketplace, we tend to see a large proliferation of these devices lacking even basic security controls. Many of these devices are targeted for mainstream household environments and due to often unfettered internet access and device control through insecure mobile applications, this makes such devices a great playground for security researchers and malicious actors alike.

Insecure Communication in WinZip 24 Could Lead to Malware

During observation of WinZip 24 network communications, I've noticed that it sends update check requests cleartext (HTTP). Same cleartext communication is utilized when Trial pop-ups are displayed and could be used to deliver malware to users’ computers.

Patch Tuesday, December 2020

December's Patch Tuesday is here and, typical for the end of the year, it's a light month with only 58 CVEs patched. This includes 10 CVEs rated as "Critical", 46 rated as "Important" and 2 rated "Moderate". The short "Critical" list includes most of the month-to-month tenants including the Chakra Scripting Engine, Hyper-V, Dynamics 365, Exchange, Sharepoint, and Visual Studio. All of the "Critical" vulnerabilities are Remote Code Execution issues.

GO SMS Pro Vulnerable to File Theft: Part 2

Last week we released an advisory about an SMS app called GO SMS Pro. Media files sent via text in the app are stored insecurely on a publicly accessible server. With some very minor scripting, it is trivial to throw a wide net around that content. While it's not directly possible to link the media to specific users, those media files with faces, names, or other identifying characteristics do that for you.

GO SMS Pro Vulnerable to Media File Theft

The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to publicly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos. This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user.

Massive US Voters and Consumers Databases Circulate Among Hackers

Voting in the U.S. elections started recently and there is a real concern over interference and disinformation campaigns that might impact their outcome. During investigations around the elections, the Trustwave SpiderLabs team discovered massive databases with detailed information about U.S. voters and consumers offered for sale on several hacker forums.

Bad Neighbors Can Break Windows (CVE-2020-16898)

The vulnerability, codenamed “Bad Neighbor”, is a bug in the IPv6 Neighbor Discovery Protocol, particularly it’s improper handling of ICMPv6 Router Advertisement Packets. While publicly available proof of concept (PoC) code results in a denial of service, attackers can exploit this bug to perform remote code execution (RCE).

Patch Tuesday, October 2020

October's Patch Tuesday is upon us and with it comes patches for 102 CVEs. This release includes 13 hair-raising "Critical" vulnerabilities, 88 spooky "Important" bugs, and one creepy "Moderate" issue.

Evasive URLs in Spam: Part 2

A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.

Network Detection for ZeroLogon (CVE-2020-1472)

ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET, Powershell, and Mimikatz implemented a module for it. So if you are an attacker or need to test your environment then you have plenty of options. As defenders, we also have options for detection on the network. If you aren’t familiar with ZeroLogon and need a quick overview then please check out our ZeroLogon Blog.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics