Skip to main content



Lucifer Malware Targets Windows Systems

By Blog, News

Lucifer Malware Targets Windows Systems

Experts have identified a new malware called Lucifer that targets Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks.

New Malware Exploits Critical Vulnerabilities

A new devilish malware is currently exploiting critical vulnerabilities on Windows devices.

Nicknamed Lucifer, the self-propagating malware is targeting Windows systems with cryptojacking and distributed denial-of-service (DDoS) attacks. This new variant initially attempts to infect devices by blasting them with attacks in the hopes of exploiting any number of unpatched vulnerabilities.

“Lucifer is a new hybrid of cryptojacking and DDoS malware variant that leverages old vulnerabilities to spread and perform malicious activities on Windows platforms,” stated researchers at Palo Alto Networks’ Unit 42 team. “Applying the updates and patches to the affected software are strongly advised.”

In a blog post, researchers said the latest variant of Lucifer was discovered on May 29 while investigating the exploit of CVE-2019-9081, a bug in the Laravel Framework that can be exploited to achieve remote code execution attacks. There are in fact many other vulnerabilities being exploited such as in Rejetto HTTP File Server (CVE-2014-6287), Microsoft Windows (CVE-2017-0144, CVE-2017-0145, CVE-2017-8464), Apache Struts (CVE-2017-9791), Oracle Weblogic (CVE-2017-10271), ThinkPHP RCE (CVE-2018-20062), and Laravel framework (CVE-2019-9081), among others.

How Lucifer Malware Infects Targets

After successfully exploiting the vulnerability through the use of credential-stuffing, the attacker then connects to the command-and-control (C2) server to execute arbitrary commands on the vulnerable device. These include TCP, UDP, or HTTP denial-of-service attacks. The malware may also infect its targets through IPC, WMI, SMB, and FTP via brute-force as well as through MSSQL, RPC, and network sharing.

“The targets are Windows hosts on both internet and intranet, given that the attacker is leveraging certutil utility in the payload for malware propagation,” the researchers noted. If the SMB protocol is left open, Lucifer then executes several backdoors to establish persistence. These include EternalBlue, EternalRomance, and DoublePulsar exploits. Researchers say Lucifer can also attempt to evade detection or reverse engineering with anti-sandbox capability and enhanced checks for device drivers, DLLs, and virtual devices.

Researchers discovered two versions of the malware: one initiated on May 29 and the other that “wreaked havoc” on June 11. The developer of the malware refers to it as Satan DDoS, but since other malware families already use this name, the researchers at Palo Alto decided “Lucifer” was more fitting.

How to Detect and Avoid Malware

Although malware appears to be growing in sophistication, researchers recommend enterprises protecting themselves with simple security measures such as applying the necessary security updates and strengthening authentication methods.

Syxsense Manage and Syxsense Secure can easily resolve vulnerabilities across an entire environment, whether on-premise or remote. A combination of strict security standards and proper offline backups, paired with a secure systems management and security solution, will ensure that organizations are not affected by rising ransomware and other malware events.

Experience the Power of Syxsense

Syxsense has created innovative and intuitive technology that sees and knows everything. Manage and secure your environment with a simple and powerful solution.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Why Enterprise Ransomware Attacks Are Increasing

By Blog, Patch Management

Why Enterprise Ransomware Attacks Are Increasing

According to researchers, ransomware is rapidly shifting toward corporate targets.

According to various sources, ransomware appears to see triple-digit spike in corporate detections. A pair of reports released by Black Hat and Accenture mark the enormous shift away from targeting typical consumers.

With attackers attempting to “win” the most payout, ransomware attacks are proving to migrate from consumer targets to organizations, businesses, and municipalities. It also appears consumer detections have finally fallen below organizational detections, according to Malwarebyte’s Black Hat 2019 quarterly threat report. The report determined that overall ransomware detections against enterprise environments in the second quarter rose by 363 percent year-over-year; meanwhile, consumer detections have been slowly declining by 12 percent year-over-year.

The report also found that ransomware is certainly expected to evolve with hybrid attacks with worm-like functionality and other malware families.

“This year we have noticed ransomware making more headlines than ever before as a resurgence in ransomware turned its sights to large, ill-prepared public and private organizations with easy-to-exploit vulnerabilities such as cities, non-profits and educational institutions,” said Adam Kujawa, director of Malwarebytes Labs, in the report published on Thursday at Black Hat 2019. “Our critical infrastructure needs to adapt and arm themselves against these threats as they continue to be targets of cybercriminals, causing great distress to all the people who depend on public services and trust these entities to protect their personal information.”

Earlier in the month, Accenture’s iDefense division discovered MegaCortex, a form of malware in prior years, has been rearchitected as enterprise-focused ransomware.

“The authors of MegaCortex v2 have redesigned the ransomware to self-execute and removed the password requirement for installation; the password is now hard-coded in the binary,” states Leo Fernandes, Senior Manager of Malware Analysis and Countermeasures at Accenture. “Additionally, the authors also incorporated some anti-analysis features within the main malware module, and the functionality to stop and kill a wide range of security products and services; this task was previously manually executed as batch script files on each host.”

It also appears that ransomware will not only focus on local files but attempt to access enterprise network shares, unbelievably increasing the level of impact from ransomware. “The evolution of ransomware from high volume, low return, spray and pray consumer attacks to lower volume, high value, targeted attacks against business is well documented,” stated Security Week, “The intent now is not to simply encrypt local files, but to find and encrypt network shares in order to inflict the greatest harm in the shortest time.”

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

MegaCortex Ransomware Targeting Victims Worldwide

By Blog, Patch Management

MegaCortex Ransomware Targeting Victims Worldwide

A new variant of ransomware called MegaCortex is targeting enterprise networks and organizations across the United States and Europe.

A new variant of ransomware has been discovered, called MegaCortex, that is targeting enterprise networks and organizations. Once the environment is penetrated, the attackers infect it by distributing the ransomware using Windows domain controllers.

Researchers at Accenture iDefense described that operators behind the ransomware are focusing strictly on corporate targets to ensure large cash payouts. Being a new variant of ransomware, not much is currently known about its encryption algorithms (other than it’s been reported an RSA public key is hardcoded into the malware), how the network can actually be infiltrated, and whether the payments are actually being honored.

“With a hard-coded password and the addition of an anti-analysis component, third parties or affiliated actors could, in theory, distribute the ransomware without the need for an actor-supplied password for the installation,” the researchers say. “Indeed, potentially there could be an increase in the number of MegaCortex incidents if the actors decide to start delivering it through email campaigns or dropped as secondary stage by other malware families.”

How MegaCortex Strikes

The ransomware creates a ransom note named “!!!_READ_ME_!!!.txt” and contains information about the ransom as well as the email addresses to contact the attackers.

Ransomware aimed at enterprise and corporate networks continue to rise, not just because of the hope for larger payout, but because of centralized authentication making it easier for devices to spread the ransomware so quickly.

Using a tool like Syxsense can actively prevent breaches before they spread. Receive live, accurate, data from thousands of devices in under 10 seconds then instantly detect running .exes, malware or viruses and kill those processes before they spread.

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Malware: It’s Not If…It’s When

By News

An unfortunate fact for IT departments is that they will, at some point, face a malware crisis.

Here’s how addressing malware normally plays out.

At some point after the infection occurs, usually much later, it gets noticed. Whether by pure luck or through receiving a ransom notice, the IT department becomes aware of the crisis after it has already spread.

The IT team attempts to outrun the exploding crisis. To prevent further infection, they shut down every device. Then, one by one, they must be booted back on and cleaned of the infection.

It could take days, weeks, or even months, to get every device cleared of the malicious software. An enormous amount of money is lost to destroyed productivity and IT labor hours.

But there’s a new way to tackle a malware crisis.

How Syxsense Realtime Security Can Address Malware

Live data means being able to see processes and status in real time. Using the AI-powered personal assistant, an IT manager would simply ask ‘Is WannaCry running on my devices?’ The console would then show where any such process was running.

If the process is running on devices, the option to kill it is available. A process can be killed on a device by device basis or everywhere it’s running.

But what if the malware changes its name to escape detection?

Realtime Security can still detect the process by MD5. It’s that simple; identify devices running the process, and then kill it with a button click. From there, an alert can be set so that if it somehow starts running again, you will know immediately.

Realtime Security means having live data that is secure, accurate, and actionable.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Malware Tops Annual Cybercrime Report

By News

Europol Cybercrime Report 2018

According to Europol’s 2018 Internet Organised Crime Threat Assessment (IOCTA) report, ransomware is the top threat to organizations.

This report sites ransomware as the largest player in financially-motivated attacks. It also points out the increase in nation state cyber-attacks as a reason for ransomware’s continued leading threat level.

Distributed-Denial-of-Service (DDoS) attacks are still quite prevalent. These kinds of attacks were the second most frequent, just after malware, in 2017. It stands to reason that DDoS attacks will be a concern going forward as they are “becoming more accessible, low-cost, and low-risk.”

An emerging field is Cryptojacking. This is the act of using targeted users’ bandwidth to mine cryptocurrencies. These attacks can cripple an organization by dominating their internet bandwidth and device processing power.

How can your organization protect against these threats?

In the event of a cyberattack, authorities should be alerted. But companies should already have a comprehensive IT management solution in place. Maintaining a proper update strategy can mitigate the risk of exposure.

Syxsense has a diverse set of features that eases the burden of IT management. These features include Discovery, Inventory, Patch Management, Software Distribution, Reports, and more. As updates are released, the console will show which devices need updates.

From there, the patch manager can target those vulnerable devices and a task can be launched to deploy the needed patches. Learn more about securing your environment and start a trial with Syxsense.

Syxsense demo

Schedule Your Syxsense Demo

Syxsense combines IT management, patch management, and security vulnerability scanning in one powerful solution. Get started today.

Schedule My Demo

Ransomware Aftershocks: August Third-Party Patch Update

By News, Patch Management
[vc_single_image image=”12822″ img_size=”medium”]

Ransomware Aftershocks

Even after remediation, the effects of ransomware can still be felt. The feelings of security have been stripped away and replaced with a nauseating sensation of vulnerability.

A public TV and radio station in San Francisco, KQED, knows this feeling. After being infected with ransomware demanding 1.7 bitcoin per PC, the FBI advised wiping the infected computes.

Even a month after the attack, the station is still doing work to fix the affected machines. But what has also been a surprise is the damage was to more than just their data. The wireless network and email servers went down at their headquarters, so they moved operations to UC Hastings. It has interrupted all levels of work, from broadcast to hiring of new employees.

This radio station isn’t the only company reeling long after a ransomware attack. Fedex has been reported as saying that was affected by NotPetya and that some damage was permanent. It’s expected that this business interruption will create significant decreases in revenue.

[vc_single_image image=”12386″ img_size=”200×200″]

The most effective way to protect yourself and your business against disaster is keeping your systems up to date. Malware relies on the idea that people won’t keep their software 100% up to date. And for good reason, keeping everything updated can be a nightmare. But utilizing a solution like Syxsense can simplify everything. CMS can show you at a glance which devices have out of date software. You can then quickly build a task to deploy needed updates.

Come check out Syxsense with a free trial today!

[dt_default_button link=”|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]

Third-Party Updates

Every month we see a bevy of new third party updates, and are always enhancing our library of supported vendors. Special requests and additions are welcomed. This month’s releases include:



Product Category Patch
Chrome Web Browser Chrome_v59.0.3071.134
Wireshark Network Protocol Analyzer Wireshark_v2.4
Firefox Web Browser Firefox_v54.0.1
Glary Utilities PC cleanup Glary_v5.80.0.101
Trillian Instant Messenger Trillian_v6.0 Build 60
WinSCP SFTP, SCP, and FTP client for Windows WinSCP_v5.9.6
WinMerge Open source differencing and merging tool for windows. WinMerge_v2.14
MediaMonkey Media manager MediaMonkey_v4.1.17.1840
PuTTY SSH and Telnet for windows and unix. PuTTY_v0.70
Foobar2000 Audio Player Foobar2000_v1.3.16
Java Programming language Java_v8u141
KeePass Password Safe KeePass_v2.36
Foxit Reader PDF reader FoxitReader_v8.3.1
FileZilla FTP solution FileZilla_v3.27.0.1 Image editing software Paint.net_v4.0.17
iTunes Media player iTunes_v12.6.2
Adobe Reader DC Pdf reader AdobeReaderDC_v17.009.20058
Shockwave Multimedia platform Shockwave_v12.2.9.199
Flash Multimedia platform Flash_v26.0.0.137
AIR Runtime Code Distribution AIRRuntime_v26.0.0.127


Patch Details
Chrome_v59.0.3071.134 Includes bug fixes, security updates, and feature enhancements.


Wireshark_v2.4 Large number of new and updated features. New and updated protocol support. Major API changes. New and updated capture file support.


Firefox_v54.0.1 Now uses multiple operating system processes for web page content to increase speed and stability. Fixes: Display issue of tab title. Display issue of opening new tab. Display issue when opening multiple tabs. Tab display issue when downloading files. PDF printing issue. Netflix issue on linu.


Optimized Disk Cleaner: added support for ‘PerfectDisk 13.0’ and ‘Adobe Reader 7.0

Optimized Tracks Eraser: added support for ‘Nero Burning ROM 15’ and ‘AceHTML 6 Pro

Optimized Quick Search: optimized the path sorting algorithm, and speed up by 100%

Minor GUI improvements

Minor bug fixes

Trillian_v6.0 Build 60 Fixed:

Media: Media may not correctly send if DNS is incorrectly set up.

Message Window: History messages may incorrectly duplicate in the window from previous versions of Trillian.


WinSCP_v5.9.6 Hotfix. German translation updated.

·  Back-propagated some improvements and fixes from 5.10-5.10.2 beta releases:

  • SSH core and private key tools (PuTTYgen and Pageant) upgraded to PuTTY 0.69. It brings the following change:
    • WinSCP should work with MIT Kerberos again, after DLL hijacking defences broke it.
  • TLS/SSL core upgraded to OpenSSL 1.0.2l.
  • Allow using 64-bit version of PuTTY (and its tools), when available. 1522
  • XML parser upgraded to Expat 2.2.1.
  • Bug fix: Scripting open command without arguments issued irrelevant warning about use of stored site.
  • Bug fix: Generated code uses TransferOptions.Speed instead of TransferOptions.SpeedLimit. 1543
WinMerge_v2.14 Improvements

  • Improve startup time
  • Improve editing of linefilter regular expressions
  • Improve color options organization

Other changes

  • Update PCRE to version 8.10
  • Update SCEW to version 1.1.2
  • Add menuitems for selecting automatic or manual prediffing
  • Add accelerator keys for Shell context menu
  • Allow editing context line count in patch creator
  • Add /xq command line switch for closing WinMerge after identical files and not showing message
  • Allow setting codepage from command line
  • Allow giving encoding name as custom codepage
  • Add new options dialog panel for folder compare options
  • Add options GUI for quick compare limit
  • Write config log as UTF-8 file

Bugs fixed

  • Untranslated string (“Merge.rc:nnnn”) was displayed in status bar
  • Pane headers not updated after language change
  • Quick contents compare didn’t ignore EOL byte differences
  • Compare by size always checked file times too
  • Crash when pasting from clipboard
  • Keeps verifing path even turned off in options
  • Crash after deleting text
  • Added EOL chars between copied file/path names
  • Created new matching folder to wrong folder
  • Strange scrolling effect in location pane
  • Plugin error after interrupting folder compare
  • “+” and “-” from the number block don’t work in the editor
  • Date format did not respect Regional Settings
  • Shell extension used unquoted program path

New Translation

  • Basque

Translation updates

  • Hungarian
  • Turkish
  • Russian
  • Norwegian
  • Danish
  • Dutch
  • Slovenian
MediaMonkey_v4.1.17.1840 Various bug fixes and updates.


PuTTY_v0.70 Security fix: the Windows PuTTY binaries should no longer be vulnerable to hijacking by specially named DLLs in the same directory, even a name we missed when we thought we’d fixed this in 0.69. See vuln-indirect-dll-hijack-3.

Windows PuTTY should be able to print again, after our DLL hijacking defences broke that functionality.

Windows PuTTY should be able to accept keyboard input outside the current code page, after our DLL hijacking defences broke that too.


Foobar2000_v1.3.16 Fixed horrible, horrible bug with inverted checkmarks in advanced preferences at 150% text size.

Network streaming: added handlers for more HTTP redirect codes.

Fixed foobar2000 process not setting its working directory to its installation location on startup.

FLAC tagging fixes.


Java_v8u141 Fixing of bugs and updates to features.


KeePass_v2.36 New Features:

  • Added commands ‘Find Duplicate Passwords’ and ‘Find Similar Passwords’ (in ‘Edit’ -> ‘Show Entries’), which show entries that are using the same or similar passwords.
  • Added command ‘Password Quality Report’ (in ‘Edit’ -> ‘Show Entries’), which shows all entries and the estimated quality of their passwords.
  • Added option ‘String name’ in the ‘Edit’ -> ‘Find’ dialog (for searching entries that have a specific custom string field).
  • Added option for using a gray tray icon.
  • Added {CMD:/…/} placeholder, which runs a command line.
  • Added {T-CONV:/…/Raw/} placeholder, which inserts a text without encoding it for the current context.
  • Added optional ‘Last Password Modification Time (Based on History)’ entry list column.
  • The internal text editor now supports editing PS1 files.
  • The position and size of the internal data viewer is now remembered and restored.
  • For various dialogs, the maximized state is now remembered and restored.
  • Added configuration option for specifying an expiry date for master keys.
  • Added configuration option for specifying disallowed auto-type target windows.
  • Added workaround for Edge throwing away all keyboard input for a short time after its activation.
  • Added workaround for Mono not properly rendering bold and italic text in rich text boxes.
  • TrlUtil now performs a case-sensitive word validation.


  • The password input controls in the IO connection dialog and the proxy dialog now are secure edit controls.
  • The icon of the ‘Save’ command in the main menu is now grayed out when there are no database changes (like the toolbar button).
  • Auto-Type: improved support for target applications that redirect the focus immediately.
  • Auto-Type: improved compatibility with VMware vSphere client.
  • When an error occurs during auto-type, KeePass is now brought to the foreground before showing an error message box.
  • Entries in groups where searching is disabled (e.g. the recycle bin group) are now ignored by the commands that show expired entries.
  • Improved scrolling when moving entries while grouping in the entry list is on.
  • Improved support for right-to-left writing systems.
  • Improved application and system tray icon handling.
  • Updated low resolution ICO files (for Mono development).
  • Moved single-click tray icon action option from the ‘Integration’ tab to the ‘Interface’ tab of the options dialog.
  • Synchronization file path comparisons are case-insensitive now.
  • Improved workaround for Mono clipboard bug (improved performance and window detection; the workaround is now applied only if ‘xsel’ and ‘xdotool’ are installed).
  • Enhanced script.
  • KPScript: times in group and entry lists now contain a time zone identifier (typically ‘Z’ for UTC).
  • Various code optimizations.
  • Minor other improvements.


  • The drop-down menu commands in the entry editing dialog for setting the expiry date now work as expected.


FoxitReader_v8.3.1 New Feature and Improvements:

Easy and Secure File-sharing

Provides a plugin to share your file by generating a file link and sending it via email or to social media, under your full control by advanced settings to share content quickly, easily, and securely.

Some ease of use enhancements.


Issues Addressed:

Fixed some issues that could cause Foxit Reader launch slowly.

Fixed some security and stability issues. Click here for details.


FileZilla_v3.27.0.1 Bugfixes and minor changes:

MSW: Add missing file to .zip binary package

MSW: Fix toolchain issues breaking the shell extension


  • Added: “Fluid mouse input” option in Settings -> UI -> Troubleshooting. If you see major glitches while drawing, try disabling this.
  • Improved: Default brush size, font size, and corner radius size now scales with major DPI scaling levels (brush size of 2 at 100% scaling, brush size of 4 at 200% scaling, etc)
  • Improved: Default image size now scales with major DPI scaling levels (800×600 at 100%, 1600×1200 at 200%, etc.)
  • Improved performance and drawing latency by removing explicit calls to System.GC.Collect() except when low memory conditions are encountered
  • Improved performance by greatly reducing object allocation amplification by reducing the concurrency level when using ConcurrentDictionary, and by removing WeakReference allocations in favor of direct GCHandle usage
  • Improved: Performance and battery usage by ensuring animations always run at the monitor’s actual refresh rate
  • Improved (reduced) CPU usage when moving the mouse around the canvas
  • Removed: “Hold Ctrl to hide handle” from the Text tool because it was not useful and caused lots of confusion
  • Fixed: Various high-DPI fixes, including horrible looking mouse cursors caused by a bug in the latest .NET WinForms update
  • Fixed: Gradient tool no longer applies dithering “outside” of the gradient (in areas that should have a solid color)
  • Fixed: Very slow performance opening the Effects menu when lots of plugins are installed after installing the Windows 10 Creators Update
  • Fixed: When cropping and then performing an undo, the scroll position was totally wrong
  • Fixed a rendering glitch in the Save Configuration dialog (it would “wiggle”)
  • Fixed: At certain brush sizes, the brush indicator on the canvas had a visual glitch in it due to a bug in Direct2D
  • Fixed: Text tool buttons for Bold, Italics, Underline were not localized for a few languages
  • Fixed a rare crash in the taskbar thumbnails
  • Fixed: Drawing with an aliased brush and opaque color (alpha=255) sometimes resulted in non-opaque pixels due to a bug in Direct2D’s ID2D1RenderTarget::FillOpacityMask
  • Fixed: “Olden” effect should no longer cause crashes (it still has some rendering artifacts due to its multithreading problems, however)
iTunes_v12.6.2 This update is designed for high DPI displays so text and images appear sharper and clearer. It also includes minor app and performance improvements.


AdobeReaderDC_v17.009.20058 This release puts in place the infrastructure for simplifying the sign-in process within Acrobat & Reader. This enhancement will be rolled out for Acrobat and Reader users in near future.


Shockwave_v12.2.9.199 Fixes a critical memory corruption vulnerability that could lead to code execution.


Flash_ v26.0.0.137 These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.


AIRRuntime_v26.0.0.127 These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.


Get Started

Start a free, 14-day trial of Syxsense, which helps organizations from 50 to 10,000 endpoints monitor and manage their environment, all from just a web browser. An email will be automatically sent to the address you provide.

[dt_default_button link=”|||” size=”big” button_alignment=”btn_center” icon_type=”picker” icon_picker=”fas fa-angle-double-right” icon_align=”right”]START YOUR FREE TRIAL OF SYXSENSE[/dt_default_button]