In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.

The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.

April's Patch Tuesday is upon us and it is showering us with patches for a total of 108 CVEs. This includes 20 CVEs rated a "Critical", 87 rated as "Important", and one single CVE rated as "Moderate".

This blog investigates an interesting phishing campaign we encountered recently. In this campaign, the email subject pertains to a price revision followed by numbers. There is no email body but there is an attachment about an ”investment”.

Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.  The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.

From time to time, we all receive some unexpected messages. Either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money, this is a so-called “phishing” attack.

Picture the scene, you’re on an application penetration test (as a normal user) and you’ve managed to bag yourself some password hashes from the application. This can happen in various ways but in my experience, this is often the result of either a SQL injection vulnerability (resulting in the dumping of the users table) or finding that the application (or associated API) spits these hashes out in responses (because they are only hashes and what could go wrong!?). An Insecure Direct Object Reference (IDOR) vulnerability is then attached to the latter and all the hashes are yours for the keeping.

The recent Microsoft Exchange Server zero-day exploits have seen tens of thousands of organizations compromised by HAFNIUM and numerous other threat actor groups. Working closely with our customers across the globe, we have quickly been able to identify and isolate attributes of those attacks – particularly the China Chopper web shell that is being uploaded to compromised IIS servers.

In this blog, we outline another .zipx attachment we recently encountered with spam messages, and we will show the result of our investigation in comparison to the previous .zipx sample we observed.

The March Patch Tuesday is here and it's been an unfortunately busy month for Microsoft. Earlier last week they released information on a campaign targeting Microsoft Exchange Server with multiple zero-day exploits. We released information about this campaign yesterday and those affected should absolutely be working on updating their systems if they haven't already.

A Microsoft report indicated that the named vulnerabilities were being exploited in the wild by a new threat actor group Microsoft named HAFNIUM. According to Microsoft, HAFNIUM is a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures.

Agent Tesla is a common Remote Access Trojan (RAT) discovered in 2014. This threat is capable of keylogging, screen capture, form-grabbing, and stealing credentials from a wide range of FTP, VPN, browser, and email clients. The exfiltration method depends on what the attacker sets on the configuration.

February is here and with it comes a relatively light Patch Tuesday. Only 56 CVEs are being patched today. That includes eleven rated as "Critical", 42 rated as "Important", and three rated "Moderate". On the list of vulnerabilities rated as "Critical", you'll find vulnerabilities in .NET, various media codecs, Windows DNS and Fax services, and two in the Windows TCP/IP stack.

In this blog, I will be discussing three new security issues that I recently found in several SolarWinds products. All three are severe bugs with the most critical one allowing remote code execution with high privileges. To the best of Trustwave’s knowledge, none of the vulnerabilities were exploited during the recent SolarWinds attacks or in any “in the wild” attacks.

The first Patch Tuesday of 2021 is here and the year is starting out lighter than most. Perhaps a blessing for a year that doesn't seem to want to let up on all the... "drama" that started in 2020. In all Microsoft is patching ten vulnerabilities rated "Critical", 71 rated "Important", and two rated as "Moderate".

This blog post focuses on the privacy issues that Microsoft Teams & Skype desktop clients pose. The log database in both clients stores all the chats and images as plain non-encrypted data. The chats are encrypted via network as mentioned here https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide but not encrypted at rest in local storage.

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

Yes! It’s that time of the year again! The time for celebrating our traditions, a time of giving, and unfortunately, a time for phishing as well. In time with the holiday season, instead of wrapping our gifts, we have seen a very interesting way bad guys despicably steal email addresses, passwords, and telephone numbers from their victims for their own personal gain.

We wanted to share the plans and procedures we’ve put in place in response to the FireEye breach that was made public on December 8, 2020. As you may be aware, FireEye has explicitly stated that malicious attackers have stolen red team tools, both open-source and FireEye developed, which are commonly utilized for ethical hacking engagements. We commend FireEye for being transparent in their disclosure of the breach and countermeasures in an effort to ensure the security of other organizations across the world.

On the 30th of October, D-Link published a support announcement and released a new firmware to patch five vulnerabilities that Harold Zang, Technical Security Specialist at Trustwave, identified on the DSL-2888A router. These security vulnerabilities could allow a malicious Wi-Fi or local network user to gain unauthorised access to the router web interface, obtain the router password hash, gain plaintext credentials, and execute system commands on the router.