U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Bad actors used a Windows zero-day in financial attacks

In March 2016 experts from FireEye spotted a malicious campaign conducted by a financially motivated threat actor that leveraged on a zero-day exploit. According to security experts at FireEye, a sophisticated criminal organization targeted more than 100 organizations in North America. Most of the victims are in the retail, hospitality and restaurant sectors. Threat actor […]

Bad actors used a Windows zero-day in financial attacks

LOS ANGELES – NOVEMBER 08: Employees teach shoppers to use self-service checkout stations at a Fresh & Easy grocery as Tesco PLC, the UK’s biggest retailer, officially enters the U.S. market, opening its first six stores in southern California on November 8, 2007 in Los Angeles, California. Tesco is importing its own system of grocery […]

In March 2016 experts from FireEye spotted a malicious campaign conducted by a financially motivated threat actor that leveraged on a zero-day exploit.

According to security experts at FireEye, a sophisticated criminal organization targeted more than 100 organizations in North America. Most of the victims are in the retail, hospitality and restaurant sectors. Threat actor leverages windows zero-day exploit in payment card data attacks.

The attackers relied on a zero-day privilege escalation vulnerability affecting Windows systems, hackers used spear-phishing emails and malicious macro-enabled Word documents to deliver the threat PUNCHBUGGY.

PoS zero-day

PUNCHBUGGY is a DLL downloader that used to compromise the target and move laterally within the victim’s network. The criminal crew also used a new point-of-sale (PoS) malware dubbed “PUNCHTRACK.” The malware is a memory scraper that is able to capture both Track 1 and Track 2 payment card data.

“FireEye identified more than 100 organizations in North America that fell victim to this campaign. FireEye investigated a number of these breaches and observed that the threat actor had access to relatively sophisticated tools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale (POS) memory scraping tool that we refer to as PUNCHTRACK. ” states FireEye. “Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk.”

As reported by FireEye, in some of the attacks the criminal organization exploited a local privilege escalation vulnerability in Windows (CVE-2016-0167). The CVE-2016-0167 flaw was exploited by hackers to run malicious code with SYSTEM privileges.

The flaw was unknown at the time of the attacks, experts at FireEye worked with Microsoft to fix the issue on April 12, 2016. Patch Tuesday (MS16-039).

FireEye confirmed that the flaw was exploited in limited, targeted attacks dating back to March 8.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” continues FireEye in the post.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Windows zero-day, PoS)