Threat Advisory

Threat Advisory: Subway Restaurants Serving TrickBot with New TrickBoot Module

On December 12, 2020, Subway UK disclosed that its system used for marketing campaigns was compromised and was used for a phishing campaign distributing TrickBot. The phishing campaign spoofed a Subway order confirmation and targeted customers from the United Kingdom. An investigation into the incident determined that no guest accounts were breached and Subway has begun the process of notifying...
December 17, 2020
Threat Advisory: SolarWinds Orion versions 2019.4 - 2020.2.1 Software Supply Chain Attack

During the evening of December 13th, 2020, it was announced that for several months, emails and other sensitive materials on the SolarWinds Orion network have been exfiltrated by sophisticated, nation-state hackers [1]. Mandiant has classified the attack with a neutral tag of UNC2452 (Uncategorized 2452), while other sources are alleging this activity is attributable to APT29/Cozy Bear and have reason...
December 14, 2020
Threat Advisory: Russian State-Sponsored Malicious Cyber Actors Exploiting CVE-2020-4006

The NSA recently released an advisory on Russian state-sponsored malicious actors exploiting CVE-2020-4006, a command-injection vulnerability in several VMware Access and VMware Identity Management products. VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector have been identified as containing a command injection vulnerability. If successful, the exploit allows a potential malicious actor, with network access to the administrative...
December 8, 2020
Herjavec Group’s Threat Summary Analysis – Q2 2020

Herjavec Group’s Threat Management Team leverages this Quarterly Threat Summary to provide an overview of the most common threats and vulnerabilities seen in customer environments in recent months. In our Q1 2020 Threat Summary, our team noted a rise in ransomware attacks, major vulnerabilities across security technologies, and threat group activity. In Q2 2020, the HG Threat team noted a significant...
August 7, 2020
Threat Advisory: Microsoft Releases Patch for DNS Server Vulnerability (CVE-2020-1350)

Microsoft has released a patch for a critical vulnerability in its DNS server that affects Windows versions back to Server 2003. This vulnerability has received a CVSS score of 10 and allows for a full system compromise without authentication. The exploit can also be used to spread across a network without user interaction. Affected Windows servers include any server with...
July 17, 2020
Threat Advisory: Critical Vulnerability in SAP NetWeaver AS Java (CVE-2020-6287)

SAP has released a security update to address the critical vulnerability, CVE-2020-6287, discovered in the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. This vulnerability is found in SAP applications running NetWeaver AS Java 7.3 up to 7.5. Since the SAP NetWeaver AS for Java supports the SAP Portal component (which is commonly exposed to the Internet), it...
Threat Advisory: Palo Alto PAN-OS Authentication Bypass in SAML Vulnerability

On June 29, 2020, Palo Alto Networks released a security advisory relating to a critical authentication bypass vulnerability within PAN-OS Security Assertion Markup Language (SAML) authentication. Currently, the affected products include GlobalProtect Gateway, GlobalProtect Portal, GlobalProtect Clientless VPN, Authentication and Captive Portal, PAN-OS next-generation firewalls (PA-Series, VM-Series) and Panorama web interfaces, and Prisma Access. The vulnerability affects PAN-OS versions 9.1, 9.0,...
June 30, 2020
Threat Advisory: Sandworm Actors Exploiting Exim Vulnerability

A critical remote code execution vulnerability is actively being scanned for and exploited across the Internet. Herjavec Group initially published a Threat Advisory for CVE-2019-10149, known as “Return of the WIZard”, when it was discovered in June 2019. Recently, the NSA published an updated advisory regarding Sandworm threat group operators exploiting the same vulnerability in the Exim Mail Transfer Agent...
May 29, 2020
Threat Advisory: Citrix ADC/NetScaler Breach Activity

Herjavec Group has been investigating a spike in Citrix ADC/NetScaler breaches as a result of recently published zero-day exploits for CVE-2019-19781 affecting Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, Citrix Gateway, and NetScaler Gateway. The scope of this vulnerability includes Citrix ADC and Citrix Gateway Virtual Appliances (VPX) hosted on any of Citrix Hypervisor (formerly XenServer), ESX, Hyper-V,...
May 19, 2020
Threat Advisory: Phantom in the Command Shell Campaigns Target Financial Industry

Researchers at Prevailion have reported a new operation called Phantom in the Command Shell. The operations have been targeting financial firms across the globe using the Evilnum malware, which is being distributed to victims using a Google Drive share link. Clicking on the Google Drive share link downloads a malicious zip archive file to the host. When decompressed, the file...
May 8, 2020