The SSH service is critical, ensuring its security is key. This blog will describe how best to secure the SSH service from threat actors.

Credential phishing is a real threat that's targeting organizations globally. Threat actors are finding smart and innovative ways to lure victims to covertly harvest their corporate credentials. Threat actors then use these credentials to get a foothold into an organization to further their malicious agendas.

This blog post will cover some of the more interesting reactions to COVID-19 we’ve encountered on the underground, both good and bad. Read on to learn more (spoiler alert: The coronavirus vaccine is a scam!)

In this blog, I will be covering how to use Azure App Services for offensive purposes.

May's Patch Tuesday includes patches for 111 unique CVEs. Of those CVEs 17 are rated "Critical" and 94 rated as "Important". Aside from the common vulnerabilities in Microsoft's scripting engine, Sharepoint is the hardest hit on the "Critical" list with four separate Remote Code Execution (RCE) vulnerabilities and an Information Disclosure vulnerability patched for that server package.

Here at SpiderLabs, we take the security of all our clients extremely seriously.  While the attacks that we see and use align with a recent note from US-CERT, they are not to be considered new or novel, however, their impact is even more profound during these uncertain times, where Work From Home (WFH) has become the new normal.

SCADA/OT security has been a growing concern for quite some time. This technology controls some of our most essential services and utilities, like our nuclear plants and electric grids. While most of these implementations are protected to a certain extent by unique complexity, 24/7 monitoring, and built-in fault tolerance and redundancy, vulnerabilities and attacks targeting them should not be discounted.

Having a well designed and tested social engineering training program for an organization is an essential part of employee training and security program.

Early March of this year, we blogged about multiple malspam campaigns utilizing Excel 4.0 Macros in .xls 97-2003 binary format. In this blog, we will present one more Excel 4.0 Macro spam campaign in the same format crafted with another old MS Excel feature to evade detection.

Business email compromise (BEC) also known as CEO fraud has undoubtedly become the biggest Internet scam of all time, claiming losses of over USD $26 billion since 2013. In such attacks, a fraudster impersonates an executive to trick individuals in the organization into sending money or sensitive information. The Coronavirus (COVID-19) pandemic has wreaked havoc, locking down countries and borders and bringing global economies to a halt leading to unprecedented financial losses.

April's Patch Tuesday is here and Microsoft is patching 113 CVEs this month. Eighteen of these are rated "Critical", 94 rated as "Important", and one rated "Moderate". The highest-profile vulnerability patched today is in the Adobe and OpenType font drivers (CVE-2020-1020 and CVE-2020-0938 respectively). These vulnerabilities were detected after being exploited as a part of a limited zero-day campaign. Among the other "Critical" vulnerabilities are Remote Code Execution (RCE) vulnerabilities in SharePoint, Dynamics, and Hyper-V.

In Part One of this series, we discussed how MailTo ransomware installs and configures itself on the victim's system and in Part Two we discussed how the malware, executes and injects itself into the system. In this post, we take a look at what makes ransomware different than other malware and gives it its deadly bite, encryption.

In Part One of this series, we discussed how MailTo ransomware installs itself on the victim's system and then initialized itself with configuration options and persistence via the registry. Today we're going to continue our deep dive by looking into how MailTo executes and injects itself into the system.

In this blog, we will use our lab set up on the first blog post and some techniques discussed in the second, so again, an excellent chance to put together some things we've learned from the last posts for some actual work.

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that some of what is currently out there.

In February, an Australian transportation company called Toll Group was hit by a ransomware attack that reportedly spread to over 1000 servers and caused major disruption for the company and its clients. Recently the same ransomware family was seen attached to phishing emails targeting people's fear of COVID-19, a trend we've also been seeing quite a bit of. We got a hold of a sample of the ransomware and decided to take a closer look to see what makes it tick.

We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media.

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check to see if they are vulnerable to this issue and patch as soon as possible where they are.

In the hustle and bustle of everyday work life we tend to look at the current issues we’re working to resolve, the next feature we want to develop, the next version release. We rarely take the time to look back and think about the work we’ve already done. On some rare occasions, however, something external makes you look back at them and it’s an opportunity to stop and appreciate what you’ve accomplished.

If you save wide Unicode brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. <>). So, ＜img src=x onerror=alert('pxss')＞ will be converted to <img src=x onerror=alert('pxss')> compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it.