Health Care
Education
IT & Telecom
Government
CISO/CTO
DevSecops
Product
Our Product
We are Reshaping the way companies find and fix critical vulnerabilities before they can be exploited.
Threatspy
Solutions
By Industry
Health Care
Education
IT & Telecom
By Role
Government
CISO/CTO
DevSecops
Resources
Resource Library
Get actionable insight straight from our threat Intel lab to keep you informed about the ever-changing Threat landscape.
Threat Feeds
Threat Research
White Paper
SB Blogs
Subscribe to Our Weekly Threat Digest
Company
Contact Us
Have queries, feedback or prospects? Get in touch and we shall be with you shortly.
Our Story
Our Team
Careers
Press & Media
Contact Us
Join the waitlist
By submitting this form, you agree to our Subscription Agreement and Legal Policies.
Be informed in your inbox
Sign up now to our Threat intelligence Newsletter and be the first to know about threats first in your inbox.
Ransomware
Data Breach
Cisco
55GB Cisco data wiped out by Yanluowang ransomware company confirms
Yanluowang ransomware operators targeted Cisco in an undetected network security breach back in May, wiping out nearly 55 GB of data …
12-Sep-2022
3 min read
Related Articles
MS Exchange
Zero Day
Vulnerability
Microsoft has confirmed that two recently reported zero-day vulnerabilities in M...
Two newly discovered zero-day vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019 are being actively exploited, according to the software giant. According to [Microsoft](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) , the first vulnerability, designated as CVE-2022-41040, allows for Server-Side Request Forgery (SSRF), while the second, designated as CVE-2022-41082, permits remote code execution (RCE) when an attacker has access to PowerShell.mits remote code execution (RCE) when an attacker has access to PowerShell. _"At this time, Microsoft is aware of limited, targeted attempts that exploit these two vulnerabilities to gain access to user computers."_ Additionally, the organization stated that the CVE-2022-41040 weakness could only be exploited by authenticated attackers. Successful exploitation then allows the attacker to exploit the RCE vulnerability CVE-2022-41082. Microsoft reports that Exchange Online customers do not need to take any action at this time since the business has implemented detections and mitigations to safeguard clients. "Microsoft monitors these already-deployed detections for malicious behaviour and will take the required steps to safeguard consumers. [..] We are working on a compressed schedule to issue a patch "Microsoft added. According to GTSC, the Vietnamese cybersecurity firm that originally revealed the continuing assaults, the zero-day exploits are chained to install Chinese Chopper web shells for persistence and data theft, as well as to move laterally through the victim's networks. GTSC also assumes a Chinese threat organization is behind the continued attacks based on the code page of the web shells, which is a Microsoft character encoding for simplified Chinese. The user agent used to deploy the web shells on hacked servers reveals that the threat group also controls the web shells using the Chinese open-source Antsword website admin tool. ## Available Mitigation Redmond has also validated the mitigation solutions released yesterday by GTSC, whose security experts confidentially reported the two vulnerabilities to Microsoft three weeks ago via the Zero Day Initiative. Microsoft said, "On-premises Microsoft Exchange customers should study and implement the URL Rewrite Instructions below and block exposed Remote PowerShell ports." Add a blocking rule to "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to stop known attack patterns. To apply the mitigation to vulnerable servers, the following actions must be taken: Initiate the IIS Manager. Expand the Site Default. Choose Autodiscovery. Select URL Rewrite in the Features View. In the Actions window on the right, click the Add Rules button. Choose Request Blocking, then click OK. Click OK after adding the String ".*autodiscover.json.*@.*Powershell.*" without the quotation marks. Under Conditions, expand the rule, choose the rule with the Pattern ".*autodiscover.json.*@.*Powershell.*", and click Edit. Replace the condition input 'URL' with 'REQUEST URI' Since threat actors can also exploit CVE-2022-41082 to obtain access to PowerShell Remoting on exposed and susceptible Exchange servers for remote code execution, Microsoft recommended administrators to restrict the following Remote PowerShell ports to prevent attacks: HTTP: 5985 HTTPS: 5986 GTSC said yesterday that administrators who wish to determine whether their Exchange servers have been hacked may use the following PowerShell script to search IIS log files for signs of corruption. Get-ChildItem -Recursive -Path | Path | Path IIS Logs 'powershell.*autodiscover.json.*@.*200'
30-Sep-2022
3 min read
Swachhata App
LeakBase
Data Breach
Swachhata app, an initiative started by Swachh Bharat Mission in India, has been...
16 million customers' personal data from the Swachhata platform aka Swacch City App were reportedly exposed in a 6GB data dump by a threat actor going by the moniker LeakBase on BreachForums, a database trade network widely utilized by hackers. Swachhata , a project accredited by Swachh Bharat Mission, is a mobile and online application that aids municipal corporations across 4041 towns in redressing grievances and issues with residents nationwide. User details such as user names, user IDs, email addresses, passwords, phone numbers, information relating to OTPs, and login credentials are among the crucial information that has been hacked. According to a security researcher's report, unauthorized access to the server has been identified, enabling the threat actor to launch sophisticated ransomware attacks, exfiltrate data, and maintain persistence with a detailed blueprint. The compromised information might be in circulation over various cybercriminal forums as a form of data exchange with the interest of serving emerging demands. It puts victims at stake due to compromised details making them more prone to falling prey to social engineering and phishing attacks. While LeakBase also offers access to admin panels and servers of most Content Management Systems or CMS. _“These accesses are gained through unauthorized means and are sold for monetary profit,”_ they add... No official updates are coming from the Ministry of Housing and Urban Affairs, the only governing body of Swachh acknowledging this security incident. On underground forums, you may find LeakBase, Chucky, Chuckies, and Sqlrip. _"They have a proven track record of giving accurate information in the past. They are also skilled at disseminating data breaches from international corporations"_ according to the [report](https://ke-la.com/six-months-into-breached-the-legacy-of-raidforums/). LeakBase was a key threat actor on the now-closed RaidForums and ran the website LeakBase.cc, a platform for finding data leaks of all kinds, according to a report by Israeli cybersecurity research powerhouse KELA. KELA researchers claim that recently, the threat actor has started to _"frequently distribute collections of different databases."_ LeakBase was purportedly shut down in 2017 after receiving criticism from the federal government. LeakBase also distributes hundreds of fresh SQL databases to stores and businesses worldwide. LeakBase entered the market in March 2022, and as of March 2022, according to its account page on BreachForums, it has already acquired _"God status,"_ a position gained by representatives by selling actual user data that has been stolen from companies or their compromised employees. The database-selling website Breached is a favorite of hackers, and the KELA investigation claims that LeakBase published a collection of 50 datasets there. Here is a list of compromised user data exposed during the LeakBase breach: - Email addresses of users - Password hashes - Registered phone numbers - Transmitted OTP information - Login IP to the platform - MAC addresses - Individual user tokens - biometric info It is safer for users to reset their passwords because neither Swachhata nor the Ministry of Housing and Urban Affairs has released advice. It is advised to activate multi-factor authentication, often MFA, and to create a strict password policy. Users must also patch insecure and exploitable endpoints and keep an eye out for user account oddities, which are a reliable sign of potential account takeovers.
29-Sep-2022
3 min read
GPU
Windows 11
NVIDIA
NVIDIA added that the non-Beta version of NVIDIA GeForce Experience 3.26 is expe...
Following the installation of the Windows 11 22H2 Update, NVIDIA has identified performance concerns affecting computers using NVIDIA GPUs. "After updating to Microsoft Windows 11 2022 Update, some users may notice decreased performance in games or programs," the firm claims in a support post released over the weekend. The official solution to this known issue is to upgrade the company's GeForce Experience software package to the 3.26 Beta version, which fixes the issues. Customers have also reported similar concerns on Microsoft's community site, with a dip in CPU utilisation down to 5% causing substantial gameplay slowness. The fact that several afflicted customers reported that the gaming performance difficulties vanished after rolling back the newest Windows 11 upgrade proved that the update was to blame. NVIDIA Software Quality Assurance At the time, Manuel Guzman followed up on Reddit and verified the company was aware of the problem, asking impacted Reddit users to give more feedback. For the time being, if you are not comfortable running Beta software on your PC, you should postpone updating to Windows 11 22H2 until NVIDIA GeForce Experience 3.26 becomes stable and Microsoft recognizes these gaming performance improvements.
28-Sep-2022
1 min read
Secure Blink built a heuristic application security management platform that offers Vulnerability Management, Version Management & Application Healthbot. Secure Blink envisions a safer web by reinventing cybersecurity.
