Incidents

“The meaning of life, the universe, and everything”

“The meaning of life, the universe, and everything”… is of course 42, as we know from one of Douglas Adams’ excellent books. In our case, it is all about 42/TCP, a port used by WINS (the Microsoft Windows Internet Naming Service) which is the target of an increasingly popular stream of exploits over the Internet.

This vulnerability has been designated MS04-045 by Microsoft. An advisory as well as updates can be found at the following address:

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-045

Our network of honeypots has registered a record number of port 42 exploits today, hence we are urging all the customers to patch their systems and update to the latest definitions which should be able to detect the malware reponsible for the increase.

During the past days the number of exploits was also increased, but not this high; we can state that the number we registered today is greater than all the attacks we’ve received on port 42 for the past week.

The names reported by KAV for the malware which is causing this increase in port 42 traffic are Backdoor.Win32.Hzdoor.a and Exploit.Win32.MS04-011. The second detection will be improved in the next update to correctly report the MS04-045 specific code.

“The meaning of life, the universe, and everything”

Your email address will not be published. Required fields are marked *

 

Reports

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Subscribe to our weekly e-mails

The hottest research right in your inbox