Share this page!

SophosLabs Profile picture
Twitter logo
11 May, 10 tweets, 2 min read
NEW: May’s Patch Tuesday brings a lighter-than-usual number of Windows updates

... But fewer patches does not make the bugs less dangerous

(a thread) 1/9
The recent history of Patch Tuesday releases has seen Microsoft updating upwards of 100 software bugs every month, but that trend is broken today when the company fixes just 55 vulnerabilities across their products. 2/9
Synchronized to release in parallel with Microsoft’s updates, Adobe is also fixing 11 bugs in their Acrobat Reader software, one of which (CVE-2021-28550/APSB21-29) is reportedly being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows,” 3/9
Microsoft didn't indicate whether any of this month's fixes have been exploited in the past, but three of the fixes — in the Windows Scripting Engine, the HTTP Protocol Stack, and the OLE Automation engine — are Critical-rated, remote code execution vulnerabilities. 4/9
There were 20 total remote code execution bugs stomped out in this release, affecting Office, Sharepoint, the Jet Red database engine, Hyper-V, and various media components, in addition to the previously mentioned critical items. 5/9
The updates also include two fixes of “security feature bypass” bugs: One in the client application for Lync (aka Skype for Business) and one in the SMB Client for Windows. 6/9
Six privilege escalation bugs were fixed in components relating to Windows Containers, the Docker/Kubernetes implementation on Windows desktops and servers (and related integrations in Visual Studio). 7/9
The most oddball, stand out update affects Microsoft’s Wallet service.

The bug, designated CVE-2021-31187, is a privilege escalation vulnerability that affects the 0.03% of the mobile phone market that owns a phone running Windows 10 Mobile. 8/9
Read the full article from @threatresearch 👇
news.sophos.com/en-us/2021/05/… 9/9

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with SophosLabs

SophosLabs Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @SophosLabs

SophosLabs Profile picture
12 May
NEW RESEARCH: A defender's view inside a #DarkSide ransomware attack ***

What to expect when you’re targeted by a headline-seeking threat actor... (a thread)

1/8 Image
The recent ransomware intrusion of a major US gasoline pipeline operator was the work of an affiliate of #DarkSide, a ransomware ring that has been responsible for at least 60 known cases of ransomware double-extortion so far this year.

2/8 Image
DarkSide has struck several high-profile victims recently, including companies listed on the NASDAQ stock exchange.

3/8
Read 8 tweets
SophosLabs Profile picture
23 Mar
NEW RESEARCH: Black Kingdom ransomware begins appearing on Exchange servers

***
A novel, if not particularly well made, ransomware is spreading to Exchange servers that haven't been patched against the ProxyLogon exploit.

(a thread)

1/15 Image
Following the #DearCry ransomware attacks reported on last week, another ransomware gang has also started to target vulnerable Exchange servers with another ransomware, called #BlackKingDom.

2/15
Sophos telemetry began detecting the ransomware on Thursday March 18 as it targeted Exchange servers that remain unpatched against the ProxyLogon vulnerabilities disclosed by Microsoft earlier this month.

3/15
Read 15 tweets
SophosLabs Profile picture
29 Oct 20
---a thread---

We've discovered that the most recent version of Ryuk shares shellcode with Buer Loader, a malware-as-a-service trojan we've been tracking...

The shellcode is used by droppers for both malware, to inject the malware into memory.

Ryuk in-memory loader:

1/6 Image
Buer Loader in-memory loader:

2/6 Image
Ryuk also recently started encrypting text strings—on October 4, the strings within the sample were unencrypted...

3/6 Image
Read 6 tweets
SophosLabs Profile picture
21 Oct 20
NEW: LockBit uses automated attack tools to identify tasty targets 🎯

Using renamed copies of PowerShell and Windows’VBscript host and scripts based on PowerShell pen-testing tool, LockBit actors searched for systems with valuable data to hit at small organizations...

1/12
A series of recent attacks detected by Sophos provided us the opportunity to dive deeper into LockBit’s tools, techniques & practices.

Based on some artifacts, we believe that some components of the attack were based on PowerShell Empire.

2/12
The organizations hit in the 8 attacks we analyzed were smaller orgs with only partial malware protection deployed. None of them had public Internet facing systems on their networks, though 1 had an older firewall with ports open for remote administration by HTTP and HTTPS.

3/12
Read 12 tweets
SophosLabs Profile picture
12 Aug 20
#Dharma, a family of ransomware first spotted in 2016, continues to be a threat to many organizations— especially small and medium-sized businesses.

(a thread... 1/4)
Part of the reason for its longevity is that its variants have become the basis for ransomware-as-a-service (RaaS) operations—the fast-food franchise of cybercrime.

(2/4)
Three recent attacks documented by SophosLabs and Sophos MTR have revealed a toolset used by Dharma “affiliates” that explains why attacks from so many different Dharma actors seem so identical, down to the tools and commands they use.

(3/4)
Read 4 tweets
SophosLabs Profile picture
28 Nov 18
1/ The threat actors behind the #SamSam ransomware, now identified by the FBI in an indictment publicized today, pioneered a very specific playbook in their attacks that has inspired a rash of copycats.

Here's a thread that explains their TTP (tactics, techniques & procedures):
2/ In July, we published a report that goes into great detail about the #SamSam TTP, so if this is of interest to you, maybe check it out:

sophos.com/en-us/medialib…

What follows is a summary of some of what we covered in the report
3/ The #SamSam attackers started by conducting surveillance of the victims. They wanted to know if the victims had sufficiently deep pockets to pay the ransom, which over time averaged out to the mid-$30,000 as Bitcoin exchange rates fluctuated.
Read 20 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @SophosLabs has new unrolls!

Check out other threads from @SophosLabs!

Read all threads by @SophosLabs

:(