Recently a SolarWinds Web Help Desk client reported an attempted attack on their externally facing Web Help Desk instance. The attack was caught by their EDR system which was able to block the attempt. However, the reported attack, after a review, has caused concern with SolarWinds who is now advising their customers to remove public access to avoid possible compromise.

Since the beginning of the Russian invasion of Ukraine we have seen a massive increase in what can only be called cyber warfare. This battle is not just being fought at the state level though. Even APT groups have gotten involved as they take sides in the conflict. One step down from that (and only a very small step) we see the hacktivists jumping into the fray on both sides. Now, we see a new and unexpected form of protest from the open source community.

Ukrainian Security Officials are warning of an active phishing campaign. The campaign involves emails that impersonate government agencies and include links to what appear to be critical security updates. The payload of the campaign delivers Cobalt Strike and a few other things to complete the set and compromise the computer.

Microsoft, famous for bad marketing moves, is looking to make another one. In this case the mistake has not hit the general public but is in a preview build of Windows 11. The mistake is shoveling ads to people for other Microsoft products as part of the Windows File Explorer. To say that this move caused some concern with testers is a bit of an understatement. Some even called it “one of the worst places to show ads”

Emotet, (not to be confused with Imhotep the ancient Egyptian Polymath) was originally identified in 2014 and quickly became one of the top threats of the decade. After an early start as a banking trojan, the group amassed a huge number of bots that it was able to leverage to execute attacks on targets. This bot infrastructure was then sold as a service to other groups as part of a malware-as-a-Service model. The prevalence and reach of Emotet was enough that in early 2021 the global law enforcement and cyber security community targeted Emotet’s infrastructure and people that had been identified as part of the group. It was a significant hit to the organization.

The Security Group Binarly has disclosed 16 high-severity vulnerabilities in different implementations of UEFI firmware in HP Enterprise devices. The list of affected devices includes Laptops, Desktops, POS (point-of-sale) and edge computing nodes. The vulnerabilities range in severity from 7.5 to 8.8 putting them square in the high-severity range. The discovery also may affect additional manufacturers via a reference code match that has led to AMD’s firmware driver (AgesaSmmSaveMemoryConfig). This AMD reference code means that some vulnerabilities may exist across the entire computing ecosystem.

The Russian invasion of Ukraine has given an insight into how modern warfare is carried out on a strategic level. We have seen how Russia used malware and specific cyber attacks to interrupt communications and to potentially wipe critical data. We have seen new methods to disrupt this these attacks. We have also seen a new shift in modern warfare, the rise of the cyber partisan. In typical wars commanders on both side account for local resistance and partisan groups that can have an impact on battles and logistics. These are usually small groups of armed civilians (sometimes with government support), but now they have moved behind the keyboard.

US and other Western Organizations are preparing for potential cyber attacks from Russia, especially banks after a new wave of sanctions went into effect that included blocking the banks from the SWIFT system and freezing Russian assets. The goal of these moves is to make it difficult for Russia to continue with their invasion of Ukraine. The sanctions have also had an unintended effect on the citizens in Russia as they rush to pull money out of the banks before they lose access.

App Stores have been around for a while and pretty much everyone has one. Although they started off in the mobile device world, they quickly were bolted on to the other areas. As their usage has grown attackers have found them to be a very valuable resource as well. We have seen poisoned apps across just about every platform and the sophistication of them is increasing as well.

WMIC or the Windows Management Instrumentation Command line is a very powerful tool. It can allow an administrator or an attacker a lot of control over a system. Because of the number of times that WMIC has been abused to take control of/or compromise a system Microsoft has been testing the removal of the WMIC component of WMI. Different sources have reported that WMIC as a commend no longer works in development builds, but the WMI process is still running on the device.