Threat Advisory

Threat Advisory: Palo Alto PAN-OS Authentication Bypass in SAML Vulnerability

Threat Advisory: Palo Alto PAN-OS Authentication Bypass in SAML Vulnerability

On June 29, 2020, Palo Alto Networks released a security advisory relating to a critical authentication bypass vulnerability within PAN-OS Security Assertion Markup Language (SAML) authentication. Currently, the affected products include: GlobalProtect Gateway GlobalProtect Portal GlobalProtect Clientless VPN Authentication and Captive Portal PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces Prisma Access The vulnerability affects PAN-OS versions 9.1, 9.0,... Read More
June 30, 2020
Threat Advisory: Sandworm Actors Exploiting Exim Vulnerability

Threat Advisory: Sandworm Actors Exploiting Exim Vulnerability

A critical remote code execution vulnerability is actively being scanned for and exploited across the Internet. Herjavec Group initially published a Threat Advisory for CVE-2019-10149, known as “Return of the WIZard”, when it was discovered in June 2019. Recently, the NSA published an updated advisory regarding Sandworm threat group operators exploiting the same vulnerability in the Exim Mail Transfer Agent... Read More
May 29, 2020
Threat Advisory: Citrix ADC/Netscaler Breach Activity

Threat Advisory: Citrix ADC/Netscaler Breach Activity

Herjavec Group has been investigating a spike in Citrix ADC/NetScaler breaches as a result of recently published zero-day exploits for CVE-2019-19781 affecting Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, Citrix Gateway, and NetScaler Gateway. The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V,... Read More
May 19, 2020
Threat Advisory: Phantom in the Command Shell Campaigns Target Financial Industry

Threat Advisory: Phantom in the Command Shell Campaigns Target Financial Industry

Researchers at Prevailion have reported a new operation called Phantom in the Command Shell. The operations have been targeting financial firms across the globe using the Evilnum malware, which is being distributed to victims using a Google Drive share link. Clicking on the Google Drive share link downloads a malicious zip archive file to the host. When decompressed, the file... Read More
May 8, 2020
Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare

Threat Advisory Update: Emotet Botnet Shows Signs of Life & COVID-19 Phishing Campaigns Target Healthcare

The Emotet botnet has begun to show signs of life after months of inactivity. The E2 portion has started deploying credential and email stealing modules. It is believed that this could be a preparation step for a new spam campaign. During the downtime, the operators behind Emotet have redesigned it and some of the modules it uses. New features include... Read More
April 22, 2020
Threat Advisory: NSA, ASD Release Guidance for Mitigating Web Shell Malware

Threat Advisory: NSA, ASD Release Guidance for Mitigating Web Shell Malware

The U.S. National Security Agency (NSA) and the Australian Signals Directorate (ASD) have jointly released a Cybersecurity Information Sheet (CSI) on mitigating web shell malware. Malicious cyber actors are increasingly deploying web shell malware on victim web servers to execute arbitrary system commands. By deploying web shell malware, cyber attackers can gain persistent access to compromised networks. The CSI provides... Read More
Threat Advisory: Re-Emergence of the Maze Ransomware

Threat Advisory: Re-Emergence of the Maze Ransomware

Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete threat advisory tracking various threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. The full advisory can be found here. The Maze ransomware was initially discovered in May 2019, and since then the attack frequency has increased and the group behind it... Read More
April 20, 2020
Herjavec Group’s Threat Summary Analysis – Q1 2020

Herjavec Group’s Threat Summary Analysis – Q1 2020

Herjavec Group’s Threat Management Team leverages this Quarterly Threat Summary to provide an overview of the most common threats and vulnerabilities seen in customer environments in recent months. In our Q4 2019 Threat Summary, our team noted a rise in ransomware attacks, major vulnerabilities across security technologies, and threat group activity. In Q1 2020, the HG Threat team noted a significant... Read More
April 9, 2020
Threat Advisory: SMS Phishing Cyber Attacks & Telework Exploits

Threat Advisory: SMS Phishing Cyber Attacks & Telework Exploits

Herjavec Group continues to track COVID-19 related cyberattacks. We have a complete threat advisory tracking various threats, malware types, as well as a summary of IOCs and domains specific to COVID-19. The full advisory can be found here. Recently, there has been an increase in the use of SMS phishing and Telework Infrastructure Exploits to execute cyber attacks. SMS Phishing... Read More
April 8, 2020
Threat Advisory: Kwampirs Trojan Campaign Continues

Threat Advisory: Kwampirs Trojan Campaign Continues

The FBI's Cyber Division has re-released a January Flash report for the Kwampirs Remote Access Trojan (RAT). The primary target industries are healthcare, software supply chain, energy, and engineering industries, and the secondary targets are financial institutions and law firms. Kwampirs employs a two-phase approach. According to the FBI's Private Industry Notification, "the first phase establishes a broad and persistent... Read More
April 7, 2020