Malware and Virus Protection Archives - Page 6 of 43 - IT Services & IT Support Wilmington, NC

June 23, 2022 Atlantic Computer Services Blog

The Windows Follina Vulnerability Has A Temporary Fix

File this away under “good news, bad news.”

The bad news is that there’s a new, critical zero-day threat to be concerned about. The threat has been dubbed ‘Follina.’

It is being tracked as CVE-2022-30190 and is being described by Microsoft as an MSDT (Microsoft Windows Support Diagnostic Tool) remote code execution flaw that impacts all version of windows still getting security updates, including Windows 7+ and Server 2008+.

It’s a serious bug that puts your system at risk. Even worse is that Microsoft doesn’t currently have a patch to fix it. Although they have issued a bulletin outlining some mitigation steps you can take to help minimize your risk until an official patch is released.

The good news:

There’s an unofficial patch offered by opatch for Windows 11, v 21H2, Windows 10 (versions 1803 through 21H2), Windows 7 and Windows Server 2008R2.

Microsoft’s mitigation strategies advise disabling the MSDT URL protocol handler to minimize your risk. However, this mini patch provides a means of sanitizing the user-provided path to avoid rendering the Windows Diagnostic stuff inoperable.

Opatch co-founder Mitja Kolsek had this to say about their patch:

“Note that it doesn’t matter which version of Office you have installed, or if you have Office installed at all: the vulnerability could also be exploited through other attack vectors.

That is why we also patched Windows 7, where the ms-msdt: URL handler is not registered at all.”

Best of all is that the only thing you have to do to get this unofficial patch is register for an opatch account and install the opatch agent. Once you run the agent, it will automatically download the patch and apply it for you unless your network has a security policy in place that prevents that.

It’s a good solution offered by a great company and is highly recommended.

June 21, 2022 Atlantic Computer Services Blog

Enemybot Malware May Go Beyond DDOS Attacks

Unless you’re an IT Security Professional, you may never have heard of EnemyBot. It is a bit like the Frankenstein of malware threats, a botnet that has borrowed code from multiple different sources.

While that’s not terribly original, it does make it dangerous. The hackers behind the code are actively adding new exploits as newly disclosed critical vulnerabilities come to light in content management systems, IoT devices, Android devices, and web servers.

The botnet was first seen in action in March and is currently being tracked by researchers at Securonix. By April, newer code samples were acquired, and the researchers found that EnemyBot had already integrated capabilities to attack flaws in more than a dozen processor architectures.

The botnet doesn’t do anything fancy and it mainly relies on DDoS (distributed denial of service) attacks. The latest version spotted has the capability to scan for new target devices and infect them.

According to AT&T’s Alien Labs, the most recent code samples contain several new exploits, including those for:

CVE-2022-22954: Critical (CVSS: 9.8) A remote code execution flaw impacting VMware Workspace ONE Access and VMware Identity Manager. PoC (proof of concept) exploit was made available in April 2022.
CVE-2022-22947: Another remote code execution flaw in Spring, fixed as zero-day in March 2022, and massively targeted throughout April 2022.
And CVE-2022-1388: Critical (CVSS: 9.8) Yet another remote code execution flaw impacting F5 BIG-IP, threatening vulnerable endpoints with device takeover. The first PoCs appeared in the wild in May 2022, and active exploitation began almost immediately.

Enemybot is a genuine threat and proof positive that you don’t have to be original or engage in out of the box thinking to engineer a serious piece of malware. Watch out for this one because the developers behind it are clearly just getting warmed up.

June 20, 2022 Atlantic Computer Services Blog

This Android Malware Is Stealing Login Credentials

If you’re deeply involved in IT security, you may already be familiar with the ERMAC Android banking trojan.

If this is the first time you’re hearing of it, be aware that the hackers who authored the malicious code have recently released ERMAC 2.0, which represents a significant upgrade in capabilities from the previous iteration.

ERMAC’s main purpose is to steal and send login credentials to the person controlling the code. That person then uses the stolen passwords to take control of a target’s bank accounts and/or cryptocurrency wallets and conduct fraud. Or in some cases, simple theft.

Access to ERMAC is subscription based on the Dark Web. The 1.0 version of the malware could be yours for $3k USD per month. This latest iteration is subscription priced at $5k USD per month. Pricey, yes, but those who use it swear by it and are happy to pay.

ERMAC 2.0 was first spotted during a fake Bolt Food application that targeted the Polish market. Bolt Food is a quite legitimate European food delivery service. In this case, the hackers created a fake site that looked convincingly like the real thing and tricked users into downloading what they thought was a food delivery app.

Naturally, it was nothing of the sort, and instead of convenient food service, what the victims got was ERMAC 2.0 and a whole slew of headaches after that.

Although the Bolt Food app was the first, it is by no means the only app that the malicious code impersonates. In fact, according to the latest research, ERMAC 2.0 is currently impersonating nearly five hundred popular Android apps.

In every case however, the campaigns that have been seen so far rely on a user agreeing to download an app from what they believe to be a legitimate third-party vendor site. While it’s an undeniably dangerous strain of malware, it is easily avoided simply by sticking to apps on the Google Play Store. Stay vigilant, it’s getting dangerous out there.

June 14, 2022 Atlantic Computer Services Blog

Be Aware That ChromeLoader Malware Is Picking Up Steam

A browser hijacker called “ChromeLoader” has had a large uptick in detections this month, which is raising eyebrows among security professionals.

ChromeLoader can modify a victim’s web browser settings to show search results that promote unwanted (and usually spammy) software, annoying pop-up ads, fake giveaways, adult games, dating sites, surveys, and the like.

As malware goes, there are far worse strains out there. Rather than infect you with malicious code that locks all your files or installs other destructive forms of malware, this one will see you flooded with scammy or spammy offers. It will frustrate you by forcing you to click through a sea of ads you’d rather not see, all in a bid to make a bit of coin for the malware’s owners.

It is noteworthy mostly because of its persistence and its aggressive use of Powershell, which it abuses like few other malware strains do. Even worse, the owners of the malicious code have recently released a variant that specifically targets macOS users, so if you thought you were safe because you were using a Mac, think again.

While we wish that all malware strains were as relatively harmless as this one, that doesn’t mean it isn’t a threat or that you shouldn’t take it seriously. While it’s not as destructive as most of the malware strains that make the headlines, it’s still a genuine concern that can cause you innumerable headaches.

If you start to see an unusual number of popup ads or if your computer has a scary preference for porn and gaming sites, odds are good that you’ve been infected. It may appear like your computer has a life of its own. If you see those things, the problem won’t go away on its own and you should get your machine to a tech as soon as possible.

June 10, 2022 Atlantic Computer Services Blog

Update VMWare Apps Now For Critical Security Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory that serves as a stark warning.

If you’re using VMware products that are impacted by recently disclosed critical security flaws, either patch them immediately or remove them from your network.

CISA issued the dire warning because the last time critical security flaws were discovered in VMware products, hackers began exploiting them within 48 hours after they were disclosed.

In this case, the two recently disclosed issues are being tracked as CVE-2022-22972 and CVE-2022-22973, with severity scores of 9.8 and 10, respectively.

The flaws impact the following:

VMware Workspace ONE Access (Access)
VMware Identity Manager (vIDM)
VMware vRealize Automation (vRA)
VMware Cloud Foundation
and vRealize Suite Lifecycle Manager

Patches that protect against exploitation of these flaws are already available and VMware is likewise advising customers using the impacted products to apply them as soon as possible, describing the ramifications of delaying as “serious.”

This isn’t the first time VMware’s products have been in the spotlight. Just last month, there were two other flaws (tracked as CVE-2022-22954 and CVE-2022-22960), which impacted the same products.

Although VMware moved quickly in that instance, releasing a patch very quickly, hackers were able to reverse engineer those patches and exploit the flaws anyway.

Worst of all, the security firm Rapid7 has already seen evidence of the exploitation of these flaws in the wild. So every day you don’t patch, you’ve essentially got a target on your back.

CISA has issued the same warning to federal agencies, saying:

“CISA expects threat actors to quickly develop a capability to exploit these newly released vulnerabilities in the same impacted VMware products. Exploiting the above vulnerabilities permits attackers to trigger a server-side template injection that may result in remote code execution (CVE-2022-22954); escalate privileges to ‘root’ (CVE-2022-22960 and CVE-2022-22973); and obtain administrative access without the need to authenticate (CVE-2022-22972).”

Serious issues indeed. Update as soon as possible.

Previous page 1 … 4 5 6 7 8 … 43 Next page

Tag Archives: Malware and Virus Protection