BlueKeep Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/bluekeep/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Microsoft reported about activity of the LemonDuck malware
https://gridinsoft.com/blogs/microsoft-reported-about-activity-of-the-lemonduck-malware/
Tue, 27 Jul 2021 16:15:13 +0000

Microsoft researchers have published a detailed analysis of the LemonDuck mining malware and reported that cross-platform malware continues to improve.

LemonDuck is capable of attacking Windows and Linux, exploits old vulnerabilities and uses various distribution mechanisms to improve the effectiveness of its campaigns.

“LemonDuck, an actively updated and resilient malware known for its botnets and cryptocurrency mining, has followed a well-known path, exhibiting more sophisticated behavior and expanding its operations. Today LemonDuck not only uses [victims’] resources for its bots and mining, but also steals credentials, disables security mechanisms, spreads via email, exhibits lateral movement, and ultimately delivers other malicious tools operated by humans [to the infected system],” Microsoft said.

LemonDuck activity was first discovered in China in May 2019. In 2020 the malware began using COVID-19-themed decoys in its attacks, and most recently it has exploited the (since patched) ProxyLogon vulnerabilities in Microsoft Exchange to gain access to unprotected systems.

In general, LemonDuck scans for devices vulnerable to issues such as CVE-2017-0144 (EternalBlue), CVE-2017-8464 (LNK RCE), CVE-2019-0708 (BlueKeep), CVE-2020-0796 (SMBGhost), CVE-2021-26855 (ProxyLogon), CVE-2021-26857 (ProxyLogon), CVE-2021-26858 (ProxyLogon) and CVE-2021-27065 (ProxyLogon).

One of the hallmarks of LemonDuck is the malware’s ability to “remove other attackers from a compromised device, thus getting rid of competing malware and preventing new infections, as well as fixing vulnerabilities that were used to gain access.”


LemonDuck attacks typically target the manufacturing sector and IoT devices, with the largest number of incidents reported in the US, Russia, China, Germany, the UK, India, Korea, Canada, France, and Vietnam.

Microsoft also describes another LemonDuck-related campaign dubbed LemonCat in its report. Experts believe LemonCat is being used for other purposes and has been active since January 2021. In particular, LemonCat was used in attacks against vulnerable Microsoft Exchange servers, and these incidents led to the installation of a backdoor, theft of credentials and information, and the installation of the Ramnit Trojan.

“While the LemonCat infrastructure is being used for more dangerous campaigns, it does not mitigate the risk of malware infection associated with the LemonDuck infrastructure,” Microsoft said.

Let me remind you that we already wrote about how LemonDuck malware operators attack IoT vendors.

CERT launched Twitter bot that comes up with names for vulnerabilities
https://gridinsoft.com/blogs/cert-launched-twitter-bot-that-comes-up-with-names-for-vulnerabilities/
Mon, 02 Nov 2020 23:26:36 +0000

Specialists from the CERT Coordination Center (CERT/CC) have launched a special Twitter bot, Vulnonym, which will “invent” random and maximally neutral names for vulnerabilities that have received CVE identifiers.

This idea was born out of endless discussions about “should vulnerabilities have names?”

For many decades, MITRE has been assigning CVE identifiers to vulnerabilities in the standard format CVE-[YEAR]-[NUMBER], for example CVE-2019-0708. These identifiers are used by security software to identify bugs and to track and monitor problems for statistical purposes, but humans have to work with CVEs too.

Over the years, cybersecurity specialists have realized that their work on discovering vulnerabilities can get lost in a constant stream of CVEs that are difficult to remember. Therefore, companies and researchers began to name their vulnerabilities in order to stand out from the crowd and be remembered. The most famous examples are the Spectre, Meltdown, Dirty Cow, Zerologon, Heartbleed, BlueKeep, SIGRed, BLURtooth, DejaBlue and Stagefright vulnerabilities.

CERT experts believe that over time this practice has escalated into fear-mongering and turned into a marketing ploy to attract attention.

“Because of this, some serious bugs remained almost unnoticed, as they did not receive high-profile titles, while almost non-dangerous errors received a lot of attention from the media just because they had big names, their own sites, logos, and sometimes even theme songs,” CERT said.

The situation sometimes really reaches the point of absurdity. For example, last year a vulnerability found by Cisco was named using three emojis and is also known as Thrangrycat (“three angry cats”).

In an attempt to mitigate the situation, CERT experts created Vulnonym, which will give bugs neutral codenames, consisting of two words in the adjective-noun format.

“Not every vulnerability with a name is a serious threat, although some researchers want you to think so. We are suggesting that vulnerabilities should be named; in fact, we even encourage it! Our goal is to create neutral names that allow people to remember vulnerabilities, but not focus on how dire (or harmless) the particular problem is,” writes CERT/CC member Leigh Metcalf.

Metcalf explains that people simply need easy-to-remember names to describe bugs, because “people are not good at remembering numbers,” such as those used as CVE identifiers. A person will easily remember google.com, for instance, but not the IP address the site is hosted on.

Let me remind you that NortonLifeLock experts developed a free tool for detecting bots on Twitter.
