GoSecure Blog
BazarLoader Mocks Researchers in December 2020 Malspam Campaign
Our Inbox Detection and Response (IDR) team has observed a new BazarLoader campaign targeting the information technology, aeronautic and financial industries. The IDR team has successfully blocked over 550 thousand BazarLoader malspam emails throughout this campaign alone.
GoSecure researchers received a sample from the IDR team which was suspected of being BazarLoader, named Report Preview15-10.exe, on 2020-10-06. Shortly after, GoSecure researchers received yet another BazarLoader sample on 2020-10-08 named Document2-85.exe, which exhibited similar behavior.
Vera – Stored XSS & Improper Access Control
We discovered a stored cross site scripting (XSS) vulnerability on Vera, a platform for online proofing and custom workflows used in the printing industry. An authenticated user could leverage the last name field in the User module of the system to execute a stored cross site scripting vulnerability. Furthermore, an Improper Access Control vulnerability was discovered in the projects module where a user could view and download project related documents without the proper permissions. The vulnerable version is Vera – 4.9.1.26180.
Deep Dive into an Obfuscation-as-a-Service for Android Malware
This blogpost summarizes cutting-edge research that uncovers an obfuscation-as-a-service platform for Android applications. From a thorough analysis of the obfuscation techniques to comprehending the service’s usage, efficiency, and potential profitability, as well as placing the service in its wider market context, the research provides a practical deep dive into the modus operandi of malicious actors attempting to complicate the work of security analysts.
Forget Your Perimeter Part 2: Four Vulnerabilities in Pulse Connect Secure
A few weeks ago, we released a blogpost about an authenticated RCE we found in Pulse Connect Secure (CVE-2020-8218). In that post, we mentioned that we discovered more vulnerabilities. Four vulnerabilities were discovered on Pulse Secure Connect, a VPN (Virtual Private Network) software, leading up to an unauthenticated user being able to perform remote code execution (RCE). While the RCE itself requires to be authenticated with admin privilege, two Cross-Site Scripting (XSS) attacks make it possible to force an admin to execute code on behalf of the attacker, effectively allowing remote code execution as an unauthenticated user. An XML External Entity (XXE) was also discovered for authenticated users, granting arbitrary file read on the remote filesystem.
Connecting Technology and People: Identifying Unknown Ransomware
Adversary versus target; all organizations participate in this daily cat-and-mouse. Organizations initially fought this battle on the technology front. Miss something? Find another new technology to address the gap. Over time, technology delivered interesting intel, but malicious activity still slipped through. Organizations then went on the hunt to find the “right” person with the “right” skill. And this cycle continues unabated – tech, people, tech, people, tech, people, etc.
Are things better? Undeniably. Can they be better still? Without question. But as long as the tech/people cycle continues, most organizations will never reach their cybersecurity goals because the goal will always be just out of reach by one person or one technology. To illustrate this, we’ll use the recent Exorcist 2.0 ransomware.
