Purple Fox, a Windows malware previously known for infecting machines by using exploit kits and phishing emails, has now added a new technique to its arsenal that gives it worm-like propagation capabilities.

The ongoing campaign makes use of a “novel spreading technique via indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes,” according to Guardicore researchers, who say the attacks have spiked by about 600% since May 2020.

A total of 90,000 incidents have been spotted through the rest of 2020 and the beginning of 2021.

First discovered in March 2018, Purple Fox is distributed in the form of malicious “.msi” payloads hosted on nearly 2,000 compromised Windows servers that, in turn, download and execute a component with rootkit capabilities, which enables the threat actors to hide the malware on the machine and make it easy to evade detection.

Guardicore says Purple Fox hasn’t changed much post-exploitation, but where it has is in its worm-like behavior, allowing the malware to spread more rapidly.

images from Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of critical security shortcomings in GE’s Universal Relay (UR) family of power management devices.

“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition,” the agency said in an advisory published on March 16.

GE’s universal relays enable integrated monitoring and metering, high-speed communications, and offer simplified power management for the protection of critical assets.

The flaws, which affect a number of UR advanced protection and control relays, including B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35 and T60, were addressed by GE with the release of an updated version of the UR firmware (version 8.10) made available on December 24, 2020.

The patches resolve a total of nine vulnerabilities, the most important of which concerns an insecure default variable initialization, referring to the initialization of an internal variable in the software with an insecure value. The vulnerability (CVE-2021-27426) is also rated 9.8 out of 10, making it a critical issue.

images from Hacker News

Google has disclosed that a now-patched vulnerability affecting Android devices that use Qualcomm chipsets is being weaponized by adversaries to launch targeted attacks.

Tracked as CVE-2020-11261 (CVSS score 8.4), the flaw concerns an “improper input validation” issue in Qualcomm’s Graphics component that could be exploited to trigger memory corruption when an attacker-engineered app requests access to a huge chunk of the device’s memory.

“There are indications that CVE-2020-11261 may be under limited, targeted exploitation,” the search giant said in an updated January security bulletin on March 18.

CVE-2020-11261 was discovered and reported to Qualcomm by Google’s Android Security team on July 20, 2020, after which it was fixed in January 2021.

images from Hacker News

Cybersecurity researchers on Sunday disclosed multiple critical vulnerabilities in remote student monitoring software Netop Vision Pro that a malicious attacker could abuse to execute arbitrary code and take over Windows computers.

“These findings allow for elevation of privileges and ultimately remote code execution which could be used by a malicious attacker within the same network to gain full control over students’ computers,” the McAfee Labs Advanced Threat Research team said in an analysis.

The vulnerabilities, tracked as CVE-2021-27192, CVE-2021-27193, CVE-2021-27194, and CVE-2021-27195, were reported to Netop on December 11, 2020, after which the Denmark-based company fixed the issues in an update (version 9.7.2) released on February 25.

“Version 9.7.2 of Vision and Vision Pro is a maintenance release that addresses several vulnerabilities, such as escalating local privileges sending sensitive information in plain text,” the company stated in its release notes.

Netop counts half of the Fortune 100 companies among its customers and connects more than 3 million teachers and students with its software. Netop Vision Pro allows teachers to remotely perform tasks on students’ computers, such as monitoring and managing their screens in real time, restricting access to a list of allowed Web sites, launching applications, and even redirecting students’ attention when they are distracted.

images from Hacker News

The Apache Software Foundation on Friday addressed a high severity vulnerability in Apache OFBiz that could have allowed an unauthenticated adversary to remotely seize control of the open-source enterprise resource planning (ERP) system.

Tracked as CVE-2021-26295, the flaw affects all versions of the software prior to 17.12.06 and employs an “unsafe deserialization” as an attack vector to permit unauthorized remote attackers to execute arbitrary code on a server directly.

OFBiz is a Java-based web framework for automating enterprise processes and offers a wide range of functionality, including accounting, customer relationship management, manufacturing operations management, order management, supply chain fulfillment, and warehouse management system, among others.

Specifically, by exploiting this flaw, a malicious party can tamper with serialized data to insert arbitrary code that, when deserialized, can potentially result in remote code execution.

“An unauthenticated attacker can use this vulnerability to successfully take over Apache OFBiz,” OFBiz developer Jacques Le Roux noted.

images from Hacker News