

    Date: 10/03/2022

    “Smishing” Activity on the Rise


    Last month’s report by Group-IB highlights a rising trend of text message-based phishing, which is known as “smishing”. The report describes a high success rate for smishing as compared to more traditional email phishing. 

    On September 28, 2022, an IRS press release reported a “significant increase in texting scams”. The IRS reports that “IRS-themed smishing has increased exponentially” in 2022.  

    The high attacker success rate for smishing suggests that this will become an increasingly common avenue of attack.


    As with most modern scams, the impact of smishing ranges from low-level gift-card scams to corporate credential theft leading to ransomware and extortion.  Because it’s not tracked by EDR or corporate spam filters, smishing can be difficult to alert on and investigate.

    Recommended Actions

    Train users to never trust unsolicited text messages. Include examples of smishing messages in training documents. Consider implementing mobile device management on both corporate and BYOD (Bring Your Own Device) devices.


      Mandiant Reports on “Malware Ecosystem” Targeting VMware Hypervisor  


      Mandiant’s report includes details on backdoors contained in malicious vSphere Installation Bundles (VIBs). Mandiant named these backdoors “VIRTUALPITA” and “VIRTUALPIE”.   Mandiant notes that installation of these bundles requires administrative privileges to the hypervisor.


      Connectivity to hypervisor administrative interfaces should be placed in a highly restricted network segment.  Apply the strongest level of protection to hypervisor credentials.  The articles from Mandiant, CISA, and VMware, referenced below, all offer guidance on mitigating threats to the VMware hypervisor.  Ensure that the practices detailed in these articles are implemented to the best of your organization’s ability.  

      VMWare Releases Guidance for VirtualPITA, VirtualPIE, and VirtualGATE Malware Targeting vSphere | CISA
      Protecting vSphere From Specialized Malware | VMware
      Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors | Mandiant

      Critical Magento Vulnerability Exploited


      Magento is an open-source e-commerce platform written in PHP. It is used for online-shopping sites worldwide. Malicious actors have been observed targeting CVE-2022-24086, a critical vulnerability in Magento 2 that allows code execution on unpatched sites. CVE-2022-24086 is not new (patched in February 2022), but the Cybersecurity and Infrastructure Security Agency (CISA) has published an alert about a recent surge in attacks.

      Potential Impact

      CVE-2022-24086 allows for unauthenticated remote code execution and has been leveraged by attackers to deploy remote access trojans to vulnerable systems. Exploitation occurs when attackers create a new customer account with malicious template code in the first and last name fields. The code results in the download of malicious software that launches as a background process providing backdoor access, which includes full database access. Other exploit activities include creating PHP backdoors that accept commands via POST requests.

      Recommended Actions

      Administrators are urged to apply available patches. Affected versions are Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.7-p2 and 2.4.0 – 2.4.3-p1. Two patches must be applied, MDVA-43395 first, and then MDVA-43443. 
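
An inventory triage sketch for the version ranges and patch order listed above. This is an added example, not code from Adobe or from the original briefing; the site names and versions in the sample inventory are constructed, and the version parser assumes plain `X.Y.Z` or `X.Y.Z-pN` strings.

```python
import re

# Affected ranges and patch order exactly as stated in the briefing above.
AFFECTED_RANGES = [("2.3.3-p1", "2.3.7-p2"), ("2.4.0", "2.4.3-p1")]
PATCH_ORDER = ["MDVA-43395", "MDVA-43443"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a release without -pN has patch level 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version):
    """True when version lies inside one of the inclusive affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """Map each site to its ordered patch list, an empty list, or None if unparseable."""
    result = {}
    for site, version in inventory.items():
        try:
            result[site] = list(PATCH_ORDER) if is_affected(version) else []
        except ValueError:
            result[site] = None  # needs manual review; never assume it is fine
    return result


# Constructed sample inventory (hypothetical site names and versions).
SAMPLE_INVENTORY = {
    "shop-a.example": "2.3.7-p2",
    "shop-b.example": "2.4.3-p2",
    "shop-c.example": "2.3.3",
    "shop-d.example": "2.4.4-beta1",
}

if __name__ == "__main__":
    for site, patches in triage(SAMPLE_INVENTORY).items():
        status = "REVIEW MANUALLY" if patches is None else (" then ".join(patches) or "outside listed ranges")
        print(f"{site}: {status}")
```

An empty result means only that the version is outside the ranges listed in this briefing, so confirm the patch status of those sites against the vendor's advisory.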


      Active Exploitation of Critical Atlassian Bitbucket Server Vulnerability


      The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting Atlassian’s Bitbucket Server and Data Center to the list of known exploited vulnerabilities. This vulnerability is tracked as CVE-2022-36804 and is a command injection vulnerability that allows for code execution. 

      Potential Impact

      By sending a crafted HTTP request to a vulnerable instance, malicious actors can achieve code execution. Successful exploitation first requires either access to public Bitbucket repositories or read permissions to private repositories. Malicious actors can leverage this vulnerability to gain a foothold within a targeted network and carry out more severe attacks.

      Recommended Actions

      Patches should be applied as soon as possible. In situations where patches cannot be applied, turning off public repositories is recommended. This can be done by setting “feature.public.access=false”. Keep in mind that a malicious actor with credentials could still exploit the vulnerability with this mitigation in place.


      For strategic clients, your vCISO will add this to your next Office Hours for further discussion. However, if you have an immediate need, concern, or question, please reach out to them directly.

      For non-strategic clients, please reach out to your Advisor for further discussion.

      For those not yet clients of GreyCastle Security, please click the “Contact Us” button below and we’ll be glad to provide assistance as well as answer any questions you might have.
