
A new ransomware called MegaCortex has been discovered that targets corporate networks and the workstations on them. Once a network is penetrated, the attackers infect the entire network by distributing the ransomware through Windows domain controllers. In a new report, Sophos states that it has seen customers in the United States, Italy, Canada, France, the Netherlands, and Ireland infected with this new ransomware. As the ransomware is fairly new, not much is currently known about its encryption algorithms, exactly how the attackers gain access to a network, or whether ransom payments are honored. Sophos has found the Emotet or Qakbot Trojans present on networks that were also infected with MegaCortex, which may suggest that the attackers pay Trojan operators for access to infected systems, in a similar manner to Ryuk. While it is not entirely clear how the bad actors gain access to a network, victims have reported to Sophos that the attacks originate from a compromised domain controller. On the domain controller, Cobalt Strike is dropped and executed to create a reverse shell back to an attacker-controlled host. Using this shell, the attackers remotely access the domain controller and configure it to distribute a copy of PsExec, the main malware executable, and a batch file to all of the computers on the network; the batch file is then executed remotely via PsExec. When encrypting a computer, the ransomware appends an extension, in one observed case .aes128ctr, to the encrypted files' names. For more detailed information visit OUR FORUM.

Chromium-based Microsoft Edge users who try to use Google Earth are greeted with an error message and a link directing them to download Google's Chrome web browser. This may surprise some, given that the new Edge uses the same HTML engine as Chrome and that, after 12 years as a cross-platform desktop application, Google Earth has been converted into a web app which should allow users to "explore worldwide satellite imagery and 3D buildings and terrain for hundreds of cities," according to its website. At the moment, though, when users try to launch the Google Earth web app in Microsoft's new Chromium Edge, they get the following error: "Aw snap! Google Earth isn't supported by your browser yet. Try this link in Chrome instead. If you don't have Chrome installed, download it here. Learn more about Google Earth." As Microsoft Edge Product Manager Eric Lawrence explained in a Twitter thread following user reports, the issue stems from the fact that the Chromium-based Edge browser does not ship with the Portable Native Client (PNaCl) component, the architecture-independent version of Native Client (NaCl) which Google used when converting Earth into a web app during 2017. Google updated its company-wide UA sniffer code last week to recognize Chromium-based Edge as its own browser instead of lumping it in with "Chrome." Some Google products have an explicit allow-list of supported browsers, and those products didn't all update their allow list to say "Oh, and new Edge is fine too." Get better informed by visiting OUR FORUM.
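The two failure modes Lawrence describes, a UA sniffer that cannot tell a Chromium derivative from Chrome and a product allow-list that is stricter than the sniffer, can be shown in a few lines. The following is an added example written for this page, not Google's or Microsoft's code; the User-Agent strings are constructed in the shape each browser sends (Chromium Edge appends an Edg/ token after Safari/, legacy EdgeHTML Edge appends Edge/, Opera appends OPR/) and the allow-list contents are an assumption.

```python
import re

# Constructed User-Agent strings in the shape each browser sends; they are
# not captured from real traffic.
SAMPLE_UAS = {
    "chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36",
    "edge_chromium": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/75.0.3770.80 Safari/537.36 Edg/75.0.139.4",
    "edge_legacy": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.18362",
    "opera": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36 OPR/61.0.3298.3",
}


def naive_is_chrome(ua: str) -> bool:
    """The sniffing mistake: every Chromium derivative (and even legacy
    EdgeHTML Edge) carries a Chrome/ token, so a substring test reports
    all of them as Chrome."""
    return "Chrome/" in ua


def browser_family(ua: str) -> str:
    """Order-aware sniffing: test the vendor-specific tokens that derivatives
    append after Safari/ before falling back to the shared Chrome/ token."""
    if re.search(r"\bEdg/\d", ua):
        return "edge_chromium"
    if re.search(r"\bEdge/\d", ua):
        return "edge_legacy"
    if re.search(r"\bOPR/\d", ua):
        return "opera"
    if re.search(r"\bChrome/\d", ua):
        return "chrome"
    return "other"


# A product's explicit allow-list (assumed contents). Fixing the sniffer
# alone does not help: a list that only says "chrome" now rejects Chromium
# Edge, which the naive test had been letting through by accident.
ALLOWED_FAMILIES = frozenset({"chrome", "edge_chromium"})


def is_allowed(ua: str, allowed=ALLOWED_FAMILIES) -> bool:
    return browser_family(ua) in allowed


if __name__ == "__main__":
    for name, ua in SAMPLE_UAS.items():
        print(f"{name:14s} naive={naive_is_chrome(ua)!s:5s} "
              f"family={browser_family(ua):14s} allowed={is_allowed(ua)}")
```

Even a correct allow-list only removes the "Try this link in Chrome" message; since the new Edge does not ship PNaCl, the app would still fail at load time, which is why feature detection for the component actually needed is the more robust check than any UA-based list.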

A publicly accessible Elasticsearch database discovered on March 27 exposed various types of personally identifiable information (PII) and medical information of more than 100,000 individuals. Security Discovery researcher Jeremiah Fowler, who discovered the unprotected Elasticsearch database, found after further investigation that the leaked data belonged to SkyMed, a company that has provided medical emergency evacuation services for about 30 years. As the researcher says, the Elasticsearch database was "set to open and visible in any browser (publicly accessible) and anyone could edit, download, or even delete data without administrative credentials." The database contained 136,995 records of SkyMed members and included PII such as full names, addresses, dates of birth, email addresses, and phone numbers, with some of the entries also including medical information. Besides the roughly 137,000 leaked member records, Fowler also discovered that the company's network might at some point have been infected with an unknown ransomware strain. This was revealed when the researcher found a ransom note entry named "howtogetmydataback" in SkyMed's unsecured Elasticsearch database. While the company did not provide any feedback on the researcher's reports of the exposed database, the good news is that SkyMed did eventually take the database down. "The first data incident notification was sent on March 27th (the same day it was discovered). On April 5th we verified that the database was closed and no longer publicly accessible. No one from SkyMed replied to either message," stated Fowler. BleepingComputer also reached out to SkyMed to ask if breach notifications were sent to the impacted individuals, but the company did not provide a response prior to publication. Learn more by visiting OUR FORUM.
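The exposure described above is the default state of an Elasticsearch node that is bound to a public interface without the security module or a fronting proxy: the root endpoint and /_cat/indices answer anyone. The check below is an added example written for this page, not Fowler's tooling; it issues only GET requests, so it reads the cluster version and index list without touching data, and it flags index names that look like a ransom note. The sample responses are constructed to imitate an open 6.x cluster and contain no data from the SkyMed database; "howtogetmydataback" is the entry named in the report, while "readme" and "warning" are assumed examples of the same pattern.

```python
import json
from typing import Callable, Dict, Tuple

# A fetcher returns (http_status, body_text) for a path on the target. The
# tests inject a fake one so the check runs offline; live_fetch() builds a
# real one with urllib.
Fetcher = Callable[[str], Tuple[int, str]]

# Index names that suggest an open cluster has already been hit by a
# wipe-and-ransom bot. "howtogetmydataback" is the entry named in the SkyMed
# report; "readme" and "warning" are assumed examples of the same pattern.
RANSOM_NOTE_MARKERS = ("howtogetmydataback", "readme", "warning")


def _result(exposed: bool, reason: str, indices=(), total_docs=0, notes=()) -> Dict:
    return {"exposed": exposed, "reason": reason, "indices": list(indices),
            "total_docs": total_docs, "ransom_notes": list(notes)}


def assess_elasticsearch(fetch: Fetcher) -> Dict:
    """Report whether an Elasticsearch endpoint answers unauthenticated reads.

    Only GET requests are issued: the check never writes to or deletes from
    the target, even though an open cluster would allow that too."""
    status, body = fetch("/")
    if status in (401, 403):
        return _result(False, "authentication required")
    if status != 200:
        return _result(False, f"unexpected status {status} on /")
    try:
        root = json.loads(body)
    except ValueError:
        return _result(False, "not an Elasticsearch response")
    if not isinstance(root, dict) or "version" not in root or "tagline" not in root:
        return _result(False, "not an Elasticsearch response")
    version = root["version"].get("number", "?")

    status, body = fetch("/_cat/indices?format=json")
    if status != 200:
        return _result(True, f"root open (ES {version}) but index listing denied")
    indices = json.loads(body)
    names = [i.get("index", "") for i in indices]
    # docs.count is null for closed indices, hence the "or 0".
    total = sum(int(i.get("docs.count") or 0) for i in indices)
    notes = [n for n in names if any(m in n.lower() for m in RANSOM_NOTE_MARKERS)]
    return _result(True, f"unauthenticated read of {len(names)} indices (ES {version})",
                   names, total, notes)


def live_fetch(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Fetcher for a real host. Use only against systems you are authorised to test."""
    import urllib.error
    import urllib.request

    def fetch(path: str) -> Tuple[int, str]:
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
                return r.status, r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
    return fetch


# Constructed responses imitating an open 6.x cluster that has already been
# hit; none of this is data from the SkyMed database.
FAKE_RESPONSES = {
    "/": (200, json.dumps({"name": "node-1", "cluster_name": "elasticsearch",
                           "version": {"number": "6.6.2"},
                           "tagline": "You Know, for Search"})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"health": "yellow", "status": "open", "index": "members", "docs.count": "136995"},
        {"health": "yellow", "status": "open", "index": "howtogetmydataback", "docs.count": "1"},
    ])),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    return FAKE_RESPONSES.get(path, (404, ""))


if __name__ == "__main__":
    print(assess_elasticsearch(fake_fetch))
    # against a real host: print(assess_elasticsearch(live_fetch("http://10.0.0.5:9200")))
```

A result with "exposed": True means the node should be bound to localhost or a private interface (network.host in elasticsearch.yml), have authentication enabled, or sit behind a reverse proxy that requires it; a non-empty "ransom_notes" list means the data may already have been copied or wiped, and the response should include that assumption.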

Windows 10 May 2019 Update will begin rolling out to compatible devices in late May 2019. Windows 10 version 1903 is currently only available to Windows Insiders, but the update is already being blocked from installing on systems with certain configurations. In an updated blog post, Microsoft quietly shared a list of current upgrade blocks for Windows 10 May 2019 Update. At least three sets of devices could be affected during installation by these blocks. Microsoft says that you cannot upgrade to Windows 10 May 2019 Update while an external USB storage device or SD memory card is attached to the PC, but there is an easy workaround: Microsoft advises users to remove any external USB storage devices and/or SD memory cards before starting the upgrade. If you have older versions of the anti-cheat software that comes bundled with many popular games, you may not be able to install the Windows 10 May 2019 Update either. Microsoft discovered a bug where older versions of anti-cheat software may cause PCs running the Windows 10 May 2019 Update to crash. Most games have already been updated with a fix for the bug, and Microsoft is actively working with the affected partners. Microsoft has also blocked the Windows 10 May 2019 Update from installing on devices with redirected Known Folders, because after the update an empty folder with the same name as the redirected folder is created in the %userprofile% directory. Follow this on OUR FORUM.

Multiple malicious spam campaigns using signed emails have been observed distributing the GootKit (aka talalpek or Xswkit) banking Trojan with the help of a multi-stage malware loader dubbed JasperLoader over the past few months. This loader is the third one detected by Cisco Talos' research team since July 2018: Smoke Loader (aka Dofoil) was employed by threat actors to drop ransomware or cryptocurrency miner payloads last year, while Brushaloader was identified during early 2019 and seen making use of Living-off-the-Land (LotL) tools such as PowerShell scripts to remain undetected on compromised systems. Malware loaders are popular tools for adversaries who want to make the job of dropping various malware payloads onto their victims' machines easier, because they make it possible to maximize profits by switching the pushed malware to one suited to the infected computer. The current loader tracked by Cisco Talos is JasperLoader, and its activity has been picking up during the past months, with malspam campaign operators distributing it to targets in Central Europe, with an apparent focus on Italian and German targets. "JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make the analysis more difficult," says Cisco Talos. "It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process." As unearthed by the researchers, JasperLoader has been disseminated by multiple malspam campaigns throughout the last months and has been used to drop the GootKit banking Trojan, previously distributed by DanaBot, the Neutrino exploit kit and Emotet, which acts as a backdoor and can steal sensitive user information. More in-depth details are posted on OUR FORUM.

Researchers have discovered a web site pushing a PC cleaner tool for Windows that in reality is just a front for the AZORult password- and information-stealing Trojan. AZORult is a Trojan that, once installed, attempts to steal a user's browser passwords, FTP client passwords, cryptocurrency wallets, desktop files, and much more. Instead of renting distribution methods such as spam or exploit kits, or being dropped by other Trojans, the attackers decided to create a fake Windows utility and an accompanying web site to distribute the Trojan. According to the site, G-Cleaner or Garbage Cleaner is a Windows junk cleaner that removes temporary files, broken shortcuts, and unnecessary Registry entries. Overall, it is promoted like all the other system optimization tools that are regularly offered. Even when you download and run the program, it looks like countless other homemade PC cleaners and states that it will scan your computer for junk files and remove them. When G-Cleaner is installed, it downloads the main components of the fake PC cleaner and saves them to the C:\ProgramData\Garbage Cleaner or C:\ProgramData\G-Cleaner folder, depending on the version. It then extracts a randomly named file to the %Temp% folder and executes it. This file is the malware component that attempts to steal the computer's passwords, data, wallets, and other information. Even though the site and the malware it pushes are over a month old, the site is still up and running. Just yesterday, another researcher, JamesWT, came across it again, and even a month later few antivirus vendors detect it as malicious. Further details can be found on OUR FORUM.
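Both the MegaCortex report above (a batch file pushed to every host and executed through PsExec, encrypted files renamed with .aes128ctr) and this G-Cleaner report (a randomly named executable extracted to %Temp% and run from a C:\ProgramData\Garbage Cleaner or C:\ProgramData\G-Cleaner install) describe behaviour that endpoint telemetry records directly. The rules below are an added example written for this page, not Sophos', BleepingComputer's or any vendor's detection content; they run over constructed Sysmon-style process-creation and file-creation events, which are not real telemetry. "payload.exe" and "run.bat" are placeholder names for the unnamed MegaCortex executable and batch file, and the "randomly named" heuristic is an assumption rather than an indicator from either report.

```python
import ntpath
import re
from typing import Callable, Dict, List

# Constructed Sysmon-style events (EventID 1 process creation, EventID 11
# file creation). They imitate the behaviour described in the two reports
# and are not real telemetry; "payload.exe" and "run.bat" stand in for the
# unnamed MegaCortex executable and batch file.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # a) batch file run under the PsExec service on a workstation
    {"host": "WS01", "EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Windows\run.bat"',
     "ParentImage": r"C:\Windows\PSEXESVC.exe", "User": r"NT AUTHORITY\SYSTEM"},
    # b) encrypted file written with the extension seen by Sophos
    {"host": "WS01", "EventID": "11", "Image": r"C:\Windows\payload.exe",
     "TargetFilename": r"C:\Users\bob\Documents\q1.xlsx.aes128ctr"},
    # c) randomly named executable dropped into %TEMP% by the fake cleaner
    {"host": "WS02", "EventID": "1",
     "Image": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pd.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\x7k2q9pd.exe",
     "ParentImage": r"C:\ProgramData\G-Cleaner\gcleaner.exe", "User": r"WS02\alice"},
    # d) benign: an admin running a one-off command through PsExec
    {"host": "WS03", "EventID": "1", "Image": r"C:\Windows\System32\ipconfig.exe",
     "CommandLine": "ipconfig /all", "ParentImage": r"C:\Windows\PSEXESVC.exe",
     "User": r"CORP\admin"},
    # e) benign: an installer launched from %TEMP% by Explorer
    {"host": "WS02", "EventID": "1",
     "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"WS02\alice"},
]

# Drop folders named in the G-Cleaner report (lower-cased, trailing backslash).
CLEANER_DIRS = ("c:\\programdata\\garbage cleaner\\", "c:\\programdata\\g-cleaner\\")
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Heuristic for "randomly named": 6-16 lower-case letters/digits with at
# least one of each; an assumption, not an indicator from the report.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,16}\.exe$")


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def rule_psexec_batch_push(e: Dict[str, str]) -> bool:
    """Batch file executed as a child of the PsExec service (MegaCortex push)."""
    return (e.get("EventID") == "1"
            and _base(e.get("ParentImage", "")) == "psexesvc.exe"
            and re.search(r"\.bat\b", e.get("CommandLine", ""), re.I) is not None)


def rule_aes128ctr_extension(e: Dict[str, str]) -> bool:
    """File written with the .aes128ctr extension reported for MegaCortex."""
    return (e.get("EventID") == "11"
            and e.get("TargetFilename", "").lower().endswith(".aes128ctr"))


def rule_cleaner_temp_drop(e: Dict[str, str]) -> bool:
    """Random-named executable in a temp folder spawned from a G-Cleaner folder."""
    image, parent = e.get("Image", "").lower(), e.get("ParentImage", "").lower()
    return (e.get("EventID") == "1"
            and parent.startswith(CLEANER_DIRS)
            and any(m in image for m in TEMP_MARKERS)
            and RANDOM_NAME.match(_base(image)) is not None)


RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "psexec_batch_push": rule_psexec_batch_push,
    "aes128ctr_extension": rule_aes128ctr_extension,
    "cleaner_temp_drop": rule_cleaner_temp_drop,
}


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run every rule over every event and return one alert per match."""
    alerts = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                alerts.append({"rule": name, "host": e.get("host", "?"),
                               "image": e.get("Image", "?")})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLE_EVENTS):
        print(f'{a["host"]}: {a["rule"]} ({a["image"]})')
```

PSEXESVC.exe is only PsExec's default service binary name; the tool's -r switch lets an operator choose another, so in practice the parent-image rule is paired with service-installation events (System log event 7045) and with writes of new executables to the ADMIN$ share. The extension rule is the cheapest of the three but fires only once files are already being encrypted, which is why the batch-push rule, which catches the distribution step, is the one worth alerting on at the domain-controller end.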