Analysis of the Kill Chain of the LockFile Ransomware Group KDU Tool Terminating Multiple Antivirus Processes The attacker renames the KDU tool (open-source Windows driver loader implementing DSG bypass via an exploit) autologin, copies the related program to the temporary directory, and loads and executes the designated driver file to...
Category: Emergency Response
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Event Overview Recently, NSFOCUS CERT discovered a slew of security incidents that exploited security vulnerabilities (ProxyShell) in Microsoft Exchange. Also, NSFOCUS found that the new LockFile ransomware group LockFile took advantage of these ProxyShell and PetitPotam vulnerabilities to target enterprise domain environments, finally encrypting quite a few hosts from enterprises...
Linux Kernel Arbitrary Code Execution Vulnerability (CVE-2021-3490) Threat Alert
Overview Recently, NSFOCUS CERT found that a security researcher published details and the PoC of an arbitrary code execution vulnerability (CVE-2021-3490) in eBPF and exploited this vulnerability to cause local privilege escalation on Ubuntu 20.10 and 21.04. This vulnerability exists because the eBPF ALU32 bounds tracking for bitwise ops (AND,...
INFRAHALT: NicheStack TCP/IP Stack High-Risk Vulnerabilities Threat Alert
Overview Recently, researchers from JFrog and Forescout released a joint report to publicly disclose 14 security vulnerabilities (collectively referred to as INFRA:HALT) in the NicheStack TCP/IP stack, announcing that these vulnerabilities could lead to remote code execution, denial of service, information disclosure, TCP spoofing, or DNS cache poisoning. Researchers noted...
Exim Remote Code Execution Vulnerability (CVE-2020-28020) Threat Alert
Overview In May, Qualys publicly disclosed 21 security vulnerabilities in the Exim server, announcing that these vulnerabilities affected all Exim versions released after 2004 and most of them can be exploited in default configurations. Recently, NSFOCUS found that certain vulnerability details and PoCs were publicly available. Among the vulnerabilities, the...
Microsoft August Security Updates for Multiple High-Risk Product Vulnerabilities
Overview According to NSFOCUS CERT's monitoring, Microsoft released August 2021 Security Updates on August 11 to fix 46 vulnerabilities, including high-risk remote code execution and privilege escalation, in widely used products like Windows, Microsoft Office, ASP.NET Core, Visual Studio, and Azure. This month's security updates fix seven critical vulnerabilities and...
