A social engineering phone call lends authenticity to the attacker’s malicious email

• Compromised credentials are a gift that keeps on giving (your stuff away)
• MFA is your mature, sensible friend
• Dwell time is sinking faster than RMS Titanic
• Criminals don’t take time off; neither can you*
• Active Directory servers: The ultimate attacker tool
• RDP: High time to decline the risk
• Missing telemetry just makes things harder

Imagine if you clicked on a harmless-looking image, but an unknown application fired up instead…

The element originally known as “foul air” stinks up computers as a new initial-access campaign exhibiting some uncommon techniques

In December 2022, Microsoft published their monthly Windows Update packages that included an advisory about malicious drivers, signed by Microsoft and other code-signing authorities, that Sophos X-…

The commercial attack tool’s use by bad actors has faded after an initial flurry, while Cobalt Strike remains the go-to post-exploitation tool for many.

Interest in OpenAI’s latest version of its interactive language model has spurred a new wave of scam apps looking to cash in on the hype

A new recently observed ransomware family dubbed Akira uses a retro aesthetic on their victim site very reminiscent of the 1980s green screen consoles and possibly takes its namesake from the popular 1988 anime film of the same name.

CVE-2023-1671 is a pre-authenticated command injection in Sophos Web Appliance. In this blog post, VulnCheck researchers analyze the vulnerability and develop a proof of concept (PoC) for it.

Driver based attacks against security products are on the rise

A large-scale "QakNote" attack deploys malicious .one files as a novel infection vector

A Trojanized version of the popular VOIP/PBX software is in the news; here’s what hunters and defenders are doing

IOCs

Sophos took immediate steps to remediate CVE-2022-3236 – an unauthenticated and remote code execution vulnerability affecting the Sophos Firewall Webadmin and User Portal HTTP interfaces – with an automated hotfix sent out in September 2022. Through its advisory published on September 23, 2022, it also alerted users who don't receive automatic hotfixes to apply the update themselves. The advisory stated the vulnerability had previously been used against "a small set of specific organizations, primarily in the South Asia region." In December, Sophos released v19.5 GA GA with an official fix.
Key Takeaways

• As there are no public proof-of-concept exploits for CVE-2022-3236, we created our own to determine its potential for mass exploitation.
• We scanned internet-facing Sophos Firewalls and found more than 4,000 firewalls that were too old to receive a hotfix.
• We encourage Sophos Firewall administrators to look through their logs to determine if they see indications of exploit attempts. Two files to focus on include /logs/csc.log and /log/validationError.log.
• Internet-facing firewalls appear to largely be eligible for hotfixes and the default authentication captcha likely prevented mass exploitation.

Reverse-engineering reveals close similarities to BlackMatter ransomware, with some improvements

A fresh exploration of the malware uncovers a new tactic for bypassing security products by abusing a known driver vulnerability

A code injection vulnerability allowing remote code execution was discovered in the User Portal and Webadmin of Sophos Firewall. The vulnerability has been fixed.

Attacker targets bugs in a popular web application graphical interface development tool.

Sophos Firewall is a network protection solution for the enterprise market.