July 15, 2019 By David Bisson 3 min read


The world learned of two software vulnerabilities last week. The first zero-day vulnerability was instrumental in a targeted attack against companies in Eastern Europe, while the other affected the Mac client of the Zoom videoconferencing service. Concurrently, remote access Trojans (RATs), backdoors and mobile threats made the week a busy one in terms of malware attacks.

Top Story of the Week: The Buhtrap Backdoor

In June 2019, researchers at ESET detected a highly targeted attack in Eastern Europe. The operation exploited a local privilege escalation zero-day vulnerability on Windows machines. In this particular attack, the exploit used popup object menus to infect entities in Eastern Europe and Central Asia with the Buhtrap backdoor.

After seeing it in action, ESET reported this vulnerability (CVE-2019-1132) to the Microsoft Security Response Center. The tech giant responded by issuing a patch for the bug on July 7.

Source: iStock

Also in the News

  • Phishing Campaign Delivers Dridex Via RMS RAT: Cofense spotted a phishing campaign masquerading as correspondence from eFax in an attempt to trick users into opening what appeared to be a Microsoft Word attachment. Once clicked, the attachment — in actuality, a ZIP archive — revealed a Microsoft Excel spreadsheet that downloaded Dridex and the Remote Manipulator System Remote Access Tool (RMS RAT).
  • Investigation Reveals Vulnerabilities on Commercial Ships: On July 8, the U.S. Coast Guard revealed a February 2019 incident in which a deep draft vessel reported a digital security incident affecting its shipboard network. A subsequent investigation concluded that the incident undermined the onboard computer’s system functionality but did not affect any essential vessel control systems.
  • Zoom Vulnerability Puts Webcams at Risk: Independent security researcher Jonathan Leitschuh disclosed a vulnerability in the Mac client for the remote videoconferencing service Zoom. Threat actors could abuse this weakness on a compromised website to force Mac users to join a Zoom call without their permission.
  • New Details Emerge on DNS Hijacking Campaign: Cisco Talos linked the Sea Turtle threat group to a network compromise involving the Institute of Computer Science of the Foundation for Research and Technology – Hellas (ICS-Forth), the country code top-level domain (ccTLD) for Greece. Additional analysis revealed that the threat actors retained access to ICS-Forth through at least April 24.
  • Magecart Exploits Misconfigured Amazon S3 Buckets: Also on April 24, RiskIQ began tracking an attack campaign in which Magecart actors automatically scanned for misconfigured Amazon Simple Storage Service (S3) buckets. The purpose of this “spray and pray” technique was to append their skimming code at the bottom of exposed JavaScript files and obtain unsuspecting users’ payment card information.
  • Astaroth Attack Uses LotL Techniques to Infect Windows Machines: After noticing an anomaly from an algorithm used for catching fileless campaigns, the Microsoft Defender ATP Research Team came upon an infection chain that relied strictly on living-off-the-land (LotL) techniques to distribute Astaroth. Once activated, the backdoor could have helped threat actors steal sensitive information and move laterally across the network.
  • Agent Smith Masquerades as Legitimate App, Infects 25 Million Android Devices: Check Point came across a new malware family known as Agent Smith that masqueraded as a Google-related app. With this disguise, the threat succeeded in infecting 25 million Android devices for the purpose of replacing installed apps with malicious versions.

Security Tip of the Week: How to Defend Against Fileless Threats

The Microsoft Defender ATP Research Team clarified that fileless malware like Astaroth doesn’t make threat actors invincible:

“Abusing fileless techniques does not put malware beyond the reach or visibility of security software. On the contrary, some of the fileless techniques may be so unusual and anomalous that they draw immediate attention to the malware, in the same way that a bag of money moving by itself would.”

Security professionals can therefore help defend their organizations against fileless malware by enabling application whitelisting and disabling macros. Companies should also consider investing in a robust vulnerability management program that prioritizes security bugs as a means of managing risk.

More from

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything.But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists in…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Operationalize cyber risk quantification for smart security

4 min read - Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today