July 15, 2019 By David Bisson 3 min read

The world learned of two software vulnerabilities last week. The first zero-day vulnerability was instrumental in a targeted attack against companies in Eastern Europe, while the other affected the Mac client of the Zoom videoconferencing service. Concurrently, remote access Trojans (RATs), backdoors and mobile threats made the week a busy one in terms of malware attacks.

Top Story of the Week: The Buhtrap Backdoor

In June 2019, researchers at ESET detected a highly targeted attack in Eastern Europe. The operation exploited a local privilege escalation zero-day vulnerability on Windows machines. In this particular attack, the exploit used popup object menus to infect entities in Eastern Europe and Central Asia with the Buhtrap backdoor.

After seeing it in action, ESET reported this vulnerability (CVE-2019-1132) to the Microsoft Security Response Center. The tech giant responded by issuing a patch for the bug on July 7.

Source: iStock

Also in the News

  • Phishing Campaign Delivers Dridex Via RMS RAT: Cofense spotted a phishing campaign masquerading as correspondence from eFax in an attempt to trick users into opening what appeared to be a Microsoft Word attachment. Once clicked, the attachment — in actuality, a ZIP archive — revealed a Microsoft Excel spreadsheet that downloaded Dridex and the Remote Manipulator System Remote Access Tool (RMS RAT).
  • Investigation Reveals Vulnerabilities on Commercial Ships: On July 8, the U.S. Coast Guard revealed a February 2019 incident in which a deep draft vessel reported a digital security incident affecting its shipboard network. A subsequent investigation concluded that the incident undermined the onboard computer’s system functionality but did not affect any essential vessel control systems.
  • Zoom Vulnerability Puts Webcams at Risk: Independent security researcher Jonathan Leitschuh disclosed a vulnerability in the Mac client for the remote videoconferencing service Zoom. Threat actors could abuse this weakness on a compromised website to force Mac users to join a Zoom call without their permission.
  • New Details Emerge on DNS Hijacking Campaign: Cisco Talos linked the Sea Turtle threat group to a network compromise involving the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the country code top-level domain (ccTLD) for Greece. Additional analysis revealed that the threat actors retained access to ICS-Forth through at least April 24.
  • Magecart Exploits Misconfigured Amazon S3 Buckets: Also on April 24, RiskIQ began tracking an attack campaign in which Magecart actors automatically scanned for misconfigured Amazon Simple Storage Service (S3) buckets. The purpose of this “spray and pray” technique was to append their skimming code at the bottom of exposed JavaScript files and obtain unsuspecting users’ payment card information.
  • Astaroth Attack Uses LotL Techniques to Infect Windows Machines: After noticing an anomaly from an algorithm used for catching fileless campaigns, the Microsoft Defender ATP Research Team came upon an infection chain that relied strictly on living-off-the-land (LotL) techniques to distribute Astaroth. Once activated, the backdoor could have helped threat actors steal sensitive information and move laterally across the network.
  • Agent Smith Masquerades as Legitimate App, Infects 25 Million Android Devices: Check Point came across a new malware family known as Agent Smith that masqueraded as a Google-related app. With this disguise, the threat succeeded in infecting 25 million Android devices for the purpose of replacing installed apps with malicious versions.

Security Tip of the Week: How to Defend Against Fileless Threats

The Microsoft Defender ATP Research Team clarified that fileless malware like Astaroth doesn’t make threat actors invincible:

“Abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”

Security professionals can therefore help defend their organizations against fileless malware by enabling application whitelisting and disabling macros. Companies should also consider investing in a robust vulnerability management program that prioritizes security bugs as a means of managing risk.

More from

New memo reveals Biden’s cybersecurity priorities through fiscal year 2026

2 min read - On July 10, 2024, the White House released a new memo regarding the Biden administration’s cybersecurity investment priorities, initially proposed in July 2022. This new memorandum now marks the third time the Office of the National Cyber Director (ONCD), headed by Harry Coker, has released updated priorities and outlined procedures regarding the five core pillars of the National Cybersecurity Strategy Implementation Plan (NCSIP), now relevant through fiscal year 2026. Key highlights from the FY26 memorandum In the latest annual version…

How prepared are you for your first Gen AI disruption?

5 min read - Generative artificial intelligence (Gen AI) and its use by businesses to enhance operations and profits are the focus of innovation in virtually every sector and industry. Gartner predicts that global spending on AI software will surge from $124 billion in 2022 to $297 billion by 2027. Businesses are upskilling their teams and hiring costly experts to implement new use cases, new ways to leverage data and new ways to use open-source tooling and resources. What they have failed to look…

Cybersecurity crisis communication: What to do

4 min read - Cybersecurity experts tell organizations that the question is not if they will become the target of a cyberattack but when. Often, the focus of response preparedness is on the technical aspects — how to stop the breach from continuing, recovering data and getting the business back online. While these tasks are critical, many organizations overlook a key part of response preparedness: crisis communication. Because a brand’s reputation often takes a significant hit, a cyberattack can significantly affect the company’s future…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today