Light Dark
July 15, 2019 By David Bisson 3 min read

The world learned of two software vulnerabilities last week. The first zero-day vulnerability was instrumental in a targeted attack against companies in Eastern Europe, while the other affected the Mac client of the Zoom videoconferencing service. Concurrently, remote access Trojans (RATs), backdoors and mobile threats made the week a busy one in terms of malware attacks.

Top Story of the Week: The Buhtrap Backdoor

In June 2019, researchers at ESET detected a highly targeted attack in Eastern Europe. The operation exploited a local privilege escalation zero-day vulnerability on Windows machines. In this particular attack, the exploit used popup object menus to infect entities in Eastern Europe and Central Asia with the Buhtrap backdoor.

After seeing it in action, ESET reported this vulnerability (CVE-2019-1132) to the Microsoft Security Response Center. The tech giant responded by issuing a patch for the bug on July 7.

Source: iStock

Also in the News

  • Phishing Campaign Delivers Dridex Via RMS RAT: Cofense spotted a phishing campaign masquerading as correspondence from eFax in an attempt to trick users into opening what appeared to be a Microsoft Word attachment. Once clicked, the attachment — in actuality, a ZIP archive — revealed a Microsoft Excel spreadsheet that downloaded Dridex and the Remote Manipulator System Remote Access Tool (RMS RAT).
  • Investigation Reveals Vulnerabilities on Commercial Ships: On July 8, the U.S. Coast Guard revealed a February 2019 incident in which a deep draft vessel reported a digital security incident affecting its shipboard network. A subsequent investigation concluded that the incident undermined the onboard computer’s system functionality but did not affect any essential vessel control systems.
  • Zoom Vulnerability Puts Webcams at Risk: Independent security researcher Jonathan Leitschuh disclosed a vulnerability in the Mac client for the remote videoconferencing service Zoom. Threat actors could abuse this weakness on a compromised website to force Mac users to join a Zoom call without their permission.
  • New Details Emerge on DNS Hijacking Campaign: Cisco Talos linked the Sea Turtle threat group to a network compromise involving the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the country code top-level domain (ccTLD) for Greece. Additional analysis revealed that the threat actors retained access to ICS-Forth through at least April 24.
  • Magecart Exploits Misconfigured Amazon S3 Buckets: Also on April 24, RiskIQ began tracking an attack campaign in which Magecart actors automatically scanned for misconfigured Amazon Simple Storage Service (S3) buckets. The purpose of this “spray and pray” technique was to append their skimming code at the bottom of exposed JavaScript files and obtain unsuspecting users’ payment card information.
  • Astaroth Attack Uses LotL Techniques to Infect Windows Machines: After noticing an anomaly from an algorithm used for catching fileless campaigns, the Microsoft Defender ATP Research Team came upon an infection chain that relied strictly on living-off-the-land (LotL) techniques to distribute Astaroth. Once activated, the backdoor could have helped threat actors steal sensitive information and move laterally across the network.
  • Agent Smith Masquerades as Legitimate App, Infects 25 Million Android Devices: Check Point came across a new malware family known as Agent Smith that masqueraded as a Google-related app. With this disguise, the threat succeeded in infecting 25 million Android devices for the purpose of replacing installed apps with malicious versions.

Security Tip of the Week: How to Defend Against Fileless Threats

The Microsoft Defender ATP Research Team clarified that fileless malware like Astaroth doesn’t make threat actors invincible:

“Abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”

Security professionals can therefore help defend their organizations against fileless malware by enabling application whitelisting and disabling macros. Companies should also consider investing in a robust vulnerability management program that prioritizes security bugs as a means of managing risk.

 |  |  |  |  |  |  |  |  |  |  |  |  | 
David Bisson
Contributing Editor

More from

May 1, 2024

New proposed federal data privacy law suggests big changes

3 min read - After years of work and unsuccessful attempts at legislation, a draft of a federal data privacy law was recently released. The United States House Committee on Energy and Commerce released the American Privacy Rights Act on April 7, 2024. Several issues stood in the way of passing legislation in the past, such as whether states could issue tougher rules and if individuals could sue companies for privacy violations. With the American Privacy Rights Act of 2024, the U.S. government established…

April 30, 2024

AI cybersecurity solutions detect ransomware in under 60 seconds

2 min read - Worried about ransomware? If so, it’s not surprising. According to the World Economic Forum, for large cyber losses (€1 million+), the number of cases in which data is exfiltrated is increasing, doubling from 40% in 2019 to almost 80% in 2022. And more recent activity is tracking even higher.Meanwhile, other dangers are appearing on the horizon. For example, the 2024 IBM X-Force Threat Intelligence Index states that threat group investment is increasingly focused on generative AI attack tools.Criminals have been…

April 29, 2024

The major hardware flaw in Apple M-series chips

3 min read - The “need for speed” is having a negative impact on many Mac users right now. The Apple M-series chips, which are designed to deliver more consistent and faster performance than the Intel processors used in the past, have a vulnerability that can expose cryptographic keys, leading an attacker to reveal encrypted data. This critical security flaw, known as GoFetch, exploits a vulnerability found in the M-chips data memory-dependent prefetcher (DMP). DMP’s benefits and vulnerabilities DMP predicts memory addresses that the…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature