Operation Exchange Marauder: Mass Exploitation of Microsoft Exchange

Operation Exchange Marauder: Mass Exploitation of On-Prem Exchange Servers

On March 2, 2021, Microsoft released a series of emergency security patches for Exchange Server 2019, 2016, 2013, and 2010. That Exchange 2010 is end-of-life, yet Microsoft still released a security patch for it, underscores the severity and urgency of this threat. The security […]

DarkSide Ransomware Overview

Darkside Ransomware

TIR-20210307 Overview

This report is an overview of DarkSide ransomware, a Ransomware-as-a-Service (RaaS) that primarily targets Windows systems but can also target Linux variants. A Russian-speaking cybercriminal formerly known by the handle ‘darksupp’ posted several announcements regarding DarkSide, including an official recruitment of affiliates to participate in the DarkSide RaaS […]

New Variant of MassLogger Trojan Malware Targets Microsoft Outlook & Google Chrome

Overview of MassLogger v3

This report covers recent malware campaigns that use the MassLogger trojan (written in .NET). We previously covered the features of MassLogger in TIR-20200821; recent research has revealed a new variant of the malware, dubbed MassLogger v3 by Avast. The primary goal of these campaigns is credential exfiltration, targeting popular applications […]

New Phishing Campaign Uses Morse Code to Avoid Detection

Overview of TIR-20210221

This report covers a new phishing campaign that uses an unusual obfuscation method to evade detection by traditional security appliances: the URLs in the phishing attachment are hidden as Morse code, so a scanner looking for a plain-text link finds nothing. Given its ability to bypass security tooling, this campaign is quite dangerous if a user is […]
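To show how a defender undoes this obfuscation, here is an added example (not code from the report or from the campaign's attachments) that scans an attachment body for Morse-looking runs, decodes them with the standard International Morse table, and pulls out any URL they conceal. The encoding convention (one space between symbols, " / " between words) and the sample attachment are assumptions constructed for the example; the real attachment's layout may differ.

```python
import re
from typing import Dict, List

# Standard International Morse alphabet for letters, digits, and the
# punctuation that appears in URLs. This is the public Morse table, not a
# mapping recovered from the campaign's attachments.
MORSE_TABLE: Dict[str, str] = {
    "a": ".-", "b": "-...", "c": "-.-.", "d": "-..", "e": ".", "f": "..-.",
    "g": "--.", "h": "....", "i": "..", "j": ".---", "k": "-.-", "l": ".-..",
    "m": "--", "n": "-.", "o": "---", "p": ".--.", "q": "--.-", "r": ".-.",
    "s": "...", "t": "-", "u": "..-", "v": "...-", "w": ".--", "x": "-..-",
    "y": "-.--", "z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
    ".": ".-.-.-", "-": "-....-", "/": "-..-.", ":": "---...", "?": "..--..",
    "=": "-...-", "@": ".--.-.", "_": "..--.-", "&": ".-...",
}
MORSE_TO_CHAR: Dict[str, str] = {code: ch for ch, code in MORSE_TABLE.items()}

# Assumed encoding convention (not taken from the report): one space between
# symbols, " / " between words. A bare "/" token is therefore a word break,
# while a literal slash inside a URL is carried as "-..-.".
WORD_SEP = " / "


def encode_morse(text: str) -> str:
    """Encode text with the convention above (letters are lowercased).
    Used here only to build the constructed sample; a phishing page
    carries its strings already encoded."""
    return WORD_SEP.join(
        " ".join(MORSE_TABLE[ch] for ch in word) for word in text.lower().split(" ")
    )


def decode_morse(encoded: str) -> str:
    """Decode a Morse run. Unknown symbols become U+FFFD instead of raising,
    so a partially decoded string is still surfaced for analyst review."""
    words = []
    for word in encoded.strip().split(WORD_SEP):
        words.append("".join(MORSE_TO_CHAR.get(sym, "\ufffd") for sym in word.split()))
    return " ".join(words)


# A Morse-looking run: at least six dot/dash tokens (or "/" word breaks)
# separated by single spaces, not glued to another dot, dash, or slash.
MORSE_RUN = re.compile(r"(?<![.\-/])([.\-]{1,7}(?: (?:[.\-]{1,7}|/)){5,})(?![.\-/])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def decode_hidden_strings(blob: str) -> List[str]:
    """Return the decoded form of every Morse run found in an attachment body."""
    return [decode_morse(m.group(1)) for m in MORSE_RUN.finditer(blob)]


def extract_hidden_urls(blob: str) -> List[str]:
    """Decode the Morse runs in an attachment and return any URLs they conceal.
    A plain scan for 'http' over the raw attachment would miss these."""
    urls: List[str] = []
    for decoded in decode_hidden_strings(blob):
        urls.extend(URL_RE.findall(decoded))
    return urls


# Constructed sample attachment (not a real campaign artifact): the HTML body
# holds the credential-harvesting URL as Morse next to a JavaScript table the
# page would use to decode it in the victim's browser.
SAMPLE_ATTACHMENT = (
    "<html><body><script>\n"
    'var t = "' + encode_morse("https://example.com/invoice/login.php?id=4") + '";\n'
    'var m = {".-": "a", "-...": "b"}; // ... full table omitted in this sample\n'
    "</script></body></html>\n"
)

if __name__ == "__main__":
    for url in extract_hidden_urls(SAMPLE_ATTACHMENT):
        print("hidden URL:", url)
```

The run detector deliberately requires several space-separated tokens before it fires, so ordinary JavaScript punctuation (a lone `-` or `...`) does not trigger a decode attempt; the decoded strings can then be fed to the same URL reputation checks that the raw attachment bypassed.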

High Severity Windows Vulnerabilities Impact Windows Client & Windows Server OS Versions 7 and Above

Overview of CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086

This report covers three high-severity Windows TCP/IP vulnerabilities tracked as CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086: two remote code execution flaws (CVE-2021-24074 and CVE-2021-24094) and a denial-of-service flaw (CVE-2021-24086). All three are exploitable by a remote, unauthenticated attacker and affect Windows client and Windows Server releases from Windows 7 onward. Successful exploitation could result in significant system downtime and the exfiltration of sensitive […]

Vovalex Ransomware (TIR-20210207)

Overview of Vovalex

This report is an overview of the new Vovalex ransomware. The malware was discovered by MalwareHunterTeam and may be the first known ransomware written in the D language. So far it has been seen distributed through pirated software that masquerades as legitimate applications such as various […]

Heap-Based Buffer Overflow Vulnerability Discovered in Sudo (TIR-20210131)

Overview of TIR-20210131

This report covers a recently discovered vulnerability (CVE-2021-3156) in the widely used sudo utility that has existed for almost a decade. sudo is used on Unix-like operating systems (Linux, macOS, and others) to run commands as another user, most commonly as the superuser (root). Qualys discovered a heap-based buffer overflow […]

New Golang Worm Targets MySQL, Jenkins, Oracle WebLogic and other Public Services

Golang Worm Overview

This report covers a new Golang worm analyzed by Intezer. The worm affects both Windows and Linux servers and has targeted a variety of public-facing services including MySQL, Tomcat, Jenkins, and Oracle WebLogic. At this time no specific threat actor has been named. The goal of the worm appears […]

Zyxel Firewall Backdoor Vulnerability CVE-2020-29583

Zyxel Firewall Vulnerability CVE-2020-29583

This report covers a high-severity vulnerability affecting Zyxel firewalls and AP controllers. A hardcoded-credential vulnerability was identified in the “zyfwp” user account on some Zyxel firewalls and AP controllers. The account was designed to deliver automatic firmware updates to connected access points over FTP. Patches are available […]