New attack on Apache Struts: We’ve seen patches issued in March, May and agin this fall for exploits against vulnerabilities in this widespread open source web development framework used to build JAVA web applications. In this report by F5 labs, a sophisticated new campaign, “Zealot”, is leveraging ShadowBroker exploits EternalBlue and EternalSynergy. Zealot is described as a “highly obfuscated and multi-staged attack”, in keeping with these exploits, and utilizes Powershell in Windows attacks, and Python in Linux attacks. Zealot mines the cryptocurrency Moneris, popular amongst cybercriminals.
Potential for Uptick in Iranian-based attacks: The nuclear deal between Iran and the US seems tenuous at best. There is growing concern that should Trump end things, there will be a corresponding response from Iranian-based hackers. Iranian attacks are state-sponsored, so these won’t be cybercrime cash-grabs, but targeted espionage or worse, damaging attacks against infrastructure, like Shamoon wiperware. And since the attackers do the recon well in advance of the big event, I’d be watching IP addresses and any data exfil carefully.
Banking Trojan Emotet: There is an increase in banking trojan activity. Malware hunters are sharing reports on new activity for Emotet, which made a resurgence in July this year. A dedicated group of researchers has been steadily updating and sharing their findings on Pastebin here.
VirusBulletin and Critical Flaws: VirusBulletin is a very widely used forum for security analysts to test and share malware or suspect findings. Two researchers claim there are unpatched critical flaws that have yet to be remediated and that VirusBulletin has been advised.