SANS

CAA Records and Certificate Issuance, (Tue, Apr 25th)

25 Apr 2017

[This is a guest diary submitted by J. Edward Durrett, GCUX]

While going over an SSL re ...

ISC Stormcast For Tuesday, April 25th 2017 https://isc.sans.edu/podcastdetail.html?id=5472, (Tue, Apr 25th)

25 Apr 2017

...

Analysis of the Shadow Z118 PayPal phishing site, (Mon, Apr 24th)

24 Apr 2017

[This is a guest post submitted by Remco Verhoef. Got something interesting to share? Please use ...

ISC Stormcast For Monday, April 24th 2017 https://isc.sans.edu/podcastdetail.html?id=5470, (Mon, Apr 24th)

24 Apr 2017

...

Malicious Documents: A Bit Of News, (Sun, Apr 23rd)

23 Apr 2017

This week I saw again a WTF tcp port 81, (Sat, Apr 22nd)

23 Apr 2017

I don ...

---------------
Jim Clausing, GIAC GSE #26
jclausi ...

Analysis of a Maldoc with Multiple Layers of Obfuscation, (Fri, Apr 21st)

21 Apr 2017

Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us ...

ISC Stormcast For Friday, April 21st 2017 https://isc.sans.edu/podcastdetail.html?id=5468, (Thu, Apr 20th)

20 Apr 2017

...

DNS Query Length... Because Size Does Matter, (Thu, Apr 20th)

20 Apr 2017

In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used i ...

ISC Stormcast For Thursday, April 20th 2017 https://isc.sans.edu/podcastdetail.html?id=5466, (Thu, Apr 20th)

20 Apr 2017

...


Sophos

Healthcare CERT warns about ‘Mole’ ransomware – what you need to know

25 Apr 2017

More ransomware: this one changes your file extensions to .MOLE, thus the name.

News in brief: Uber under fire in ‘Hell’ lawsuit; Europe could be hit by laptop ban; Fancy Bear ‘targeted Macron’

25 Apr 2017

Your daily round-up of some of the other stories in the news

Russian ‘pioneer’ of identity theft and card fraud jailed for 27 years

25 Apr 2017

Roman Seleznev, the son of a Russian MP, has received the longest ever sentence for hacking to be handed down in the US

Trump’s promise on cybersecurity: what’s been happening?

25 Apr 2017

Work behind the scenes suggests that an executive order on cybersecurity could be signed by the end of the week

Apple threatened to oust Uber from App Store for ‘fingerprinting’ iPhones

25 Apr 2017

Questions remain over if and how Uber still tracks devices after chief exec Kalanick was summoned to Apple for a roasting

News in brief: Russia accused of email hack; test flight for ‘flying taxi’; hacking ‘moral crusade’ for teens

24 Apr 2017

Your daily round-up of some of the other stories in the news

Top secret messages sent via Confide might not be so secret after all

24 Apr 2017

Confide, an app used by some Washington insiders, denies claims in lawsuit that it doesn't prevent screenshots on all platforms

LinkedIn app’s oversharing via Bluetooth sparks alarm

24 Apr 2017

LinkedIn said it was working on a fix for the issue - but it's always a good idea to keep an eye on what you might be sharing via Bluetooth

What happens when a vendor doesn’t patch its software?

24 Apr 2017

Third-party 'guerilla' patching can be a good example of the community stepping up to fix flaws - but it could also compromise security

Ransomware hidden inside a Word document that’s hidden inside a PDF

24 Apr 2017

Spam campaign delivers Locky ransomware that, like a Russian matryoshka doll, is nested inside not one but two layers


TrendMicro

Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks

25 Apr 2017

Pawn Storm is an active and aggressive espionage actor group that has been operating since 2004. The group uses different methods and strategies to gain information from their targets, which are covered in our latest research. However, they are particularly known for dangerous credential phishing campaigns. In 2016, the group set up aggressive credential phishing...

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks

April Android Security Bulletin Addresses Critical H.264 and H.265 Decoder Vulnerabilities

21 Apr 2017

In April’s Android Security Bulletin, we discovered and privately disclosed seven vulnerabilities—three of which were rated as Critical, one as High, and another three as Moderate.

DressCode Android Malware Finds Apparent Successor in MilkyDoor

20 Apr 2017

Mobile malware's disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data. We recently found 200 unique Android apps—with installs ranging between 500,000 and a million on Google Play—embedded with a backdoor: MilkyDoor (detected by Trend Micro as ANDROIDOS_MILKYDOOR.A).

MilkyDoor is similar to DressCode (ANDROIDOS_SOCKSBOT.A)—an Android malware family that adversely affected enterprises—given that both employ a proxy using Socket Secure (SOCKS) protocol to gain a foothold into internal networks that infected mobile devices connect to. MilkyDoor, maybe inadvertently, provides attackers a way to conduct reconnaissance and access an enterprise’s vulnerable services by setting the SOCKS proxies. Further, this is carried out without the user’s knowledge or consent.

While MilkyDoor appears to be DressCode’s successor, MilkyDoor adds a few malicious tricks of its own. Among them are its more clandestine routines that enable it to bypass security restrictions and conceal its malicious activities within normal network traffic. It does so by using remote port forwarding via Secure Shell (SSH) tunnel through the commonly used Port 22. The abuse of SSH helps the malware encrypt malicious traffic and payloads, which makes detection of the malware trickier.

Fake Super Mario Run App Steals Credit Card Information

20 Apr 2017

Trend Micro has identified more malicious Android apps abusing the name of the popular mobile game Super Mario Run. We earlier reported about how fake apps were using the app's popularity to spread; attackers have now released versions of these fake apps that steal the user’s credit card information.

Super Mario Run is a mobile game that Nintendo first released on the iOS platform in September 2016, followed by the Android version on March 23, 2017. Mobile games have always proven to be attractive lures for cybercriminals to get users to download their malicious apps and potentially unwanted apps (PUAs). This is not the first time that the name of a popular game was abused; we’ve discussed how the popularity of Pokémon Go was similarly abused.

RawPOS: New Behavior Risks Identity Theft

19 Apr 2017

Despite being one of the oldest Point-of-Sale (PoS) RAM scraper malware families out in the wild, RawPOS (detected by Trend Micro as TSPY_RAWPOS) is still very active today, with the threat actors behind it primarily focusing on the lucrative multibillion-dollar hospitality industry. While the threat actor’s tools for lateral movement, as well as RawPOS’ components, remain consistent, new behavior from the malware puts its victims at greater risk via potential identity theft. Specifically, this new behavior involves RawPOS stealing the driver’s license information from the user to aid in the threat group’s malicious activities.

Of Pigs and Malware: Examining a Possible Member of the Winnti Group

19 Apr 2017

In one of our previous blog entries, we covered how GitHub was being used to spread malware. In this entry, we take a closer look at an individual who we believe might be connected to the threat actor behind the malware.

A careful analysis of the domain registrations from this threat actor between 2014 and 2015 allowed us to identify one profile used to register several domains that were used as C&C servers for a particular malware family employed by the Winnti group. In particular, we managed to gather details on an individual using the handle Hack520, who we believe is connected to Winnti.

April Patch Tuesday: Microsoft Patches Office Vulnerability Used in Zero-Day Attacks

12 Apr 2017

One of the major updates for this month’s Patch Tuesday addresses CVE-2017-0199, a zero-day remote code execution vulnerability that allowed attackers to exploit a flaw that exists in the Windows Object Linking and Embedding (OLE) interface of Microsoft Office. This flaw is currently being exploited by the notorious DRIDEX banking trojan.

Threat actors leveraging this vulnerability do so via a spam campaign in which the attacker sends an email with an embedded Microsoft Word document to a targeted user. When the user opens the attached document, the hidden exploit code connects to a remote server that fetches malicious files, which are DRIDEX variants (detected by Trend Micro as TSPY_DRIDEX.SLP, TROJ_CVE20170199.B and TROJ_CVE20170199.C).

How Mobile Phones Turn Into A Corporate Threat

31 Mar 2017

Over the last year, the number of mobile phones overtook the world population. In countries like the United States, mobile subscribers outnumbered traditional landline users and half of Americans shifted to mobile-only to communicate. In modern smart cities, wireless-only buildings are becoming the new construction standard for homes, factories, and organizations in general. Landline phones are going away—sooner rather than later.

Smart Whitelisting Using Locality Sensitive Hashing

30 Mar 2017

Locality Sensitive Hashing (LSH) is an algorithm known for enabling scalable, approximate nearest neighbor search of objects. LSH enables a precomputation of a hash that can be quickly compared with another hash to ascertain their similarity. A practical application of LSH would be to employ it to optimize data processing and analysis. An example is transportation company Uber, which implemented LSH in the infrastructure that handles much of its data to identify trips with overlapping routes and reduce inconsistencies in GPS data. Trend Micro has been actively researching and publishing reports in this field since 2009. In 2013, we open sourced an implementation of LSH suitable for security solutions: Trend Micro Locality Sensitive Hashing (TLSH).

TLSH is an approach to LSH, a kind of fuzzy hashing that can be employed in machine learning extensions of whitelisting. TLSH can generate hash values which can then be analyzed for similarities. TLSH helps determine if the file is safe to be run on the system based on its similarity to known, legitimate files. Thousands of hashes of different versions of a single application, for instance, can be sorted through and streamlined for comparison and further analysis. Metadata, such as certificates, can then be utilized to confirm if the file is legitimate.

IIS 6.0 Vulnerability Leads to Code Execution

29 Mar 2017

Microsoft Internet Information Services (IIS) 6.0 is vulnerable to a zero-day Buffer Overflow vulnerability (CVE-2017-7269) due to an improper validation of an ‘IF’ header in a PROPFIND request.



Kaspersky

Hajime, the mysterious evolving botnet

25 Apr 2017

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. In this blogpost we outline some of the recent ‘improvements’ to Hajime, some techniques that haven’t been made public, and some statistics about infected IoT devices.

XPan, I am your father

24 Apr 2017

While we have previously written on the now infamous XPan ransomware family, some of its variants are still affecting users primarily located in Brazil. This sample is what could be considered the “father” of other XPan ransomware variants. A considerable amount of indicators within the source code depict the early origins of this sample.

Exploits: how great is the threat?

20 Apr 2017

How serious, really, is the danger presented by exploits? The recent leak of an exploit toolset allegedly used by the infamous Equation Group suggests it’s time to revisit that question. Using our own telemetry data and intelligence reports as well as publicly available information, we’ve looked at the top vulnerabilities and applications exploited by attackers.

Personalized Spam and Phishing

19 Apr 2017

Lately we have been noticing an opposite tendency occurring quite often, wherein fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible.

The security is still secure

13 Apr 2017

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users' computers and circumvent installed security solutions. The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry.

Old Malware Tricks To Bypass Detection in the Age of Big Data

13 Apr 2017

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file.

Unraveling the Lamberts Toolkit

11 Apr 2017

The Lamberts is a family of sophisticated attack tools that has been used by one or multiple threat actors against high-profile victims since at least 2008. The arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers.

Ransomware in targeted attacks

04 Apr 2017

Ransomware's popularity has attracted the attention of cybercriminal gangs; they use these malicious programs in targeted attacks on large organizations in order to steal money. In late 2016, we detected an increase in the number of attacks, the main goal of which was to launch an encryptor on an organization's network nodes and servers.

ATMitch: remote administration of ATMs

04 Apr 2017

In February 2017, we published research on fileless attacks against enterprise networks. This second paper is about the methods and techniques that were used by the attackers in the second stage of their attacks against financial organizations – basically enabling remote administration of ATMs.

Lazarus Under The Hood

03 Apr 2017

Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.


ThreatPost

Atlassian Resets HipChat Passwords Following Breach

25 Apr 2017

Atlassian reset user passwords for its group chat service HipChat on Monday following an incident that may have resulted in unauthorized access to a server used by the service.

xDedic Market Spilling Over With School Servers, PCs

25 Apr 2017

Nearly two-thirds of servers and PCs peddled on the xDedic underground marketplace belong to schools and universities based in the United States.

ColdFusion Hotfix Resolves XSS, Java Deserialization Bugs

25 Apr 2017

On Tuesday morning, Adobe released an important security hotfix for several versions of ColdFusion, resolving two bugs.

Zimperium Acquisition Program Publishes Exploits for Patched Android Bugs

25 Apr 2017

Exploits for patched Android elevation of privilege vulnerabilities were published through the Zimperium N-Days Exploit Acquisition Program.

Hyundai Patches Leaky Blue Link Mobile App

25 Apr 2017

Hyundai Motor America patched its Blue Link mobile app after researchers found a cleartext encryption key that could be used to expose user and vehicle information.

Hard Target: Fileless Malware

25 Apr 2017

Researchers say fileless in-memory malware attacks have become a major nuisance to businesses and have become even harder to detect and defend against.

Original XPan Ransomware Returns, Targets Brazilian SMBs

25 Apr 2017

Brazilian cybercriminals are using the original version of the XPan ransomware, targeting small to medium-sized businesses based in Brazil with the malware.

NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide

24 Apr 2017

Scans show tens of thousands of Windows servers infected with the DoublePulsar kernel exploit leaked by the ShadowBrokers two weeks ago.

Locky Ransomware Roars Back to Life Via Necurs Botnet

24 Apr 2017

The first large scale Locky campaign in months has been detected via the Necurs botnet.

No Fix for SquirrelMail Remote Code Execution Vulnerability

24 Apr 2017

SquirrelMail suffers from a remote code execution vulnerability that could let attackers execute arbitrary commands on the target and compromise the remote system.


Symantec

Hajime worm battles Mirai for control of the Internet of Things

18 Apr 2017

The Hajime worm appears to be the work of a white hat hacker attempting to wrestle control of IoT devices from Mirai and other malicious threats.

Latest Intelligence for March 2017

14 Apr 2017

Number of blocked web attacks increases to highest level since July 2016 and Necurs botnet returns with new spam campaigns.

Android O no! Android O causes problems for mobile ransomware developers

12 Apr 2017

Changes in Google’s newest mobile OS will impact the functionality of many Android ransomware threats.

Microsoft Patch Tuesday – April 2017

11 Apr 2017

This month the vendor has released 44 vulnerabilities, 13 of which are rated Critical.

Kelihos/Waledac: US law enforcement hits botnet with major takedown

11 Apr 2017

Alleged botnet operator arrested in Spain, faces multiple charges in the US.

Longhorn: Tools used by cyberespionage group linked to Vault 7

10 Apr 2017

First evidence linking Vault 7 tools to known cyberattacks.

Free Nintendo Switch emulators are fake

30 Mar 2017

Fake emulators for newly released Nintendo console used as bait to get users to fill out survey scams and download potentially unwanted applications.

Necurs: Mass mailing botnet returns with new wave of spam campaigns

28 Mar 2017

Unexplained three-month absence resulted in a seven-fold decrease in rate of emails containing malware.

Personalized spam campaign targets Germany

20 Mar 2017

A new spam campaign targeting German users uses victims’ real details and installs banking malware on compromised computers.

Microsoft Patch Tuesday – March 2017

14 Mar 2017

This month the vendor is releasing 18 bulletins, nine of which are rated Critical.

Spam campaign targets financial institutions with fake security software

13 Mar 2017

Emails claim to be from HSBC and ask recipients to install fake Rapport security software.

Latest Intelligence for February 2017

10 Mar 2017

Number of new malware variants reaches highest level since October 2016 and Symantec uncovers a wider campaign carried out by Shamoon attackers.

Shamoon: Multi-staged destructive attacks limited to specific targets

27 Feb 2017

Recent attacks involving the destructive malware Shamoon appear to be part of a much wider campaign in the Middle East and beyond.

Android ransomware requires victim to speak unlock code

22 Feb 2017

Latest Android.Lockdroid.E variant uses speech recognition instead of typing for unlock code input.

Symantec and other industry leaders announce expanded Cyber Threat Alliance

14 Feb 2017

Cybersecurity consortium formally establishes rapid security intelligence sharing system to combat cybercrime and advanced attacks.

Sage 2.0 ransomware delivered by Pandex spambot, mimics Cerber routines

13 Feb 2017

New variants of Sage ransomware sport Cerber-like behavior, although no definitive link was found between the two families.

Attackers target dozens of global banks with new malware

12 Feb 2017

Watering hole attacks attempt to infect more than 100 organizations in 31 different countries.

Latest Intelligence for January 2017

10 Feb 2017

The email malware rate drops due to Necurs botnet inactivity and two new Android malware families appeared.

Android ransomware repurposes old dropper techniques

06 Feb 2017

Android ransomware is now using dropper techniques to drop malware on rooted devices as well as an inefficient 2D barcode ransom demand.

Android ad malware on Google Play combines three deception techniques

03 Feb 2017

Three apps on Google Play use delayed attacks, self-naming tricks, and an attack list dictated by a command and control server to click on ads in the background without the user's knowledge.


F-Secure

F-Secure XFENCE (Little Flocker)

25 Apr 2017

I use Macs both at home and at work, and as a nerd, I enjoy using interesting stand-alone tools and apps to keep my environment secure. Some of my favorites are knockknock, ransomwhere?, and taskexplorer, from the objective-see website. I’ve also been recently playing around with (and enjoying) Monitor.app from FireEye. When I heard that […]

Ransomware Timeline: 2010 – 2017

18 Apr 2017

I’ve seen numerous compliments for this graphic by Micke, so… here’s a high-res version. Enjoy! Source: State of Cyber Security 2017

The Callisto Group

13 Apr 2017

We’ve published a White Paper today titled: The Callisto Group. And who/what is the Callisto Group? A good question, here’s the paper’s summary. Heavy use of spear phishing, and malicious attachments sent via legitimate, but compromised, email accounts. Don’t click “OK”.

OSINT For Fun & Profit: @realDonaldTrump Edition

10 Apr 2017

I’ve just started experimenting with Tweepy to write a series of scripts attempting to identify Twitter bots and sockpuppet rings. It’s been a while since I last played around with this kind of stuff, so I decided to start by writing a couple of small test scripts. In order to properly test it, I needed to point […]

“Cloud Hopper” Example Of Upstream Attack

05 Apr 2017

There’s news today of a BAE/PWC report detailing a Chinese-based hacking group campaign dubbed “Operation Cloud Hopper”. Chinese Group Is Hacking Cloud Providers to Reach Into Secure Enterprise Networks https://t.co/Le4E4Se2Hc pic.twitter.com/adpDyWYa6C — News from the Lab (@FSLabs) April 5, 2017 This operation is what’s known as an upstream attack, a method of compromise that we […]

Massive Dridex Spam Runs, Targeting UK

31 Mar 2017

Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. The magnitude clearly stood out from the average daily amount of spam with attachments. The campaigns were largely sent to accounts with email addresses in the co.uk TLD. The first run, with subject lines such as “Your Booking 938721” (numbers vary) started at […]

Real-Time Location Sharing Redux

23 Mar 2017

Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but, it may come with OPSEC considerations for others. Here’s what I wrote about […]

It’s Not New To Us

22 Mar 2017

A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data. This activity is on the heels of last week’s Turkish-related Twitter account hacks via a service called Twitter Counter. And that brings to mind this article (by Andy)… OVER THE PAST FEW YEARS, you’ve probably heard […]

FAQ Related To CIA WikiLeaks Docs

09 Mar 2017

We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump. Did the news surprise you? No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.) Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need […]

Apple, Google, And The CIA

09 Mar 2017

Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents. Here’s Apple’s statement via BuzzFeed News. According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, […]

Taking Poika Out On The Town: 2017

03 Mar 2017

AV-Test has awarded F-Secure Client Security with Best Protection 2016! And as tradition dictates, we took it on a tour of Helsinki. As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once […]

Reflash Flash Research Framework

23 Feb 2017

Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack trace by injecting dynamically generated instrumentation to Flash files. The SQL database can later be analyzed with various […]

Bitcoin Friction Is Ransomware’s Only Constraint

22 Feb 2017

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) […]

F-Secure Does Cyber Security

15 Feb 2017

For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security. The new title reflects a change in the type […]

“F-Secure does red teaming?”

08 Feb 2017

On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet: “the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with […]

Noun: Confirmation Bias

01 Feb 2017

Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.” Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias. Last Friday, Journal News reported that a man from Middletown, Ohio was charged with […]

Noun: Sockpuppet

16 Jan 2017

An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.” Sockpuppets are nothing particularly new… they go back as far as USENET. But it feels that recently, sockpuppetry has reached new heights. Twitter is an easy place to […]

F-Secure Vulnerability Reward Program Update

10 Jan 2017

A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus. Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve […]

What’s The Deal With Digital Forensics, Incident Response, And Attribution?

21 Dec 2016

After several high-profile cyber attacks made big news headlines this year, it’s become evident to me, through online commentary, that there’s some confusion in the public space about how incident response services are utilized, how attribution is performed, and how law enforcement’s role fits into cyber crime investigations. I’m hoping this article helps to clear […]

On Botting, Cheating, And DDoSers

07 Dec 2016

On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been […]


McAfee

Mirai Botnet Creates Army of IoT Orcs

20 Apr 2017

This post was based on analysis by Yashashree Gund and RaviKant Tiwari. There is a lot of speculation in the news about surveillance from home appliances, personal electronics, or other Internet of Things (IoT) devices. Although some statements may be hyperbole, we know that these devices, in homes and offices, are being compromised and used …

The post Mirai Botnet Creates Army of IoT Orcs appeared first on McAfee Blogs.

Critical Office Zero-Day Attacks Detected in the Wild

07 Apr 2017

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched. This blog post …

Best Security Practices for Dealing With the Internet of Things

06 Apr 2017

The Internet of Things is growing fast. Intel sees the market for IP-connected hardware reaching 200 billion devices by the end of 2020. (See “A Guide to the Internet of Things” graphic, at the end of this post.) Given this widespread adoption, security should be a primary concern. The Dyn DDoS attack last year by …

McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet

06 Apr 2017

In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics. Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a detailed analysis of the background and drivers of …

Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

28 Mar 2017

Malware families are constantly seeking new ways to hide their code, thwart replication, and avoid detection. A recent trend for the delivery of ransomware is the use of the Nullsoft Scriptable Install System (NSIS) with an encrypted payload. The list of the most common families using this technique is diverse and includes Cerber, Locky, Teerac, Crysis, …

The post Ransomware Families Use NSIS Installers to Avoid Detection, Analysis appeared first on McAfee Blogs.

Analyzing a Fresh Variant of the Dorkbot Botnet

09 Mar 2017

At McAfee Labs, we have recently observed a new variant of the Dorkbot botnet. Dorkbot is a well-known bot, famous for its various capabilities including backdoor, password stealing, and other malicious behavior. Dorkbot relies on social networking as its infection vector. In this post, we offer our analysis of this new variant. The malware downloads …

The post Analyzing a Fresh Variant of the Dorkbot Botnet appeared first on McAfee Blogs.

CHIPSEC Support Against Vault 7 Disclosure Scanning

09 Mar 2017

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society. As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework …

The post CHIPSEC Support Against Vault 7 Disclosure Scanning appeared first on McAfee Blogs.

Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL

08 Mar 2017

OpenSSL is a popular open-source library for SSL and is used by various software and companies across the world. In January, OpenSSL released an update that fixed multiple vulnerabilities. One of them is CVE-2017-3731, which can cause a denial of service due to a crash. McAfee Labs analyzed this vulnerability to provide detection for customers. …

The post Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL appeared first on McAfee Blogs.

Pentesters Can Take Advantage of Weakness in SAML

04 Mar 2017

When penetration testers examine the security of applications, we employ a number of tools. We recently wrote about keeping track of browser options. Another protocol that we use to test is the Security Assertion Markup Language (SAML), a popular XML-based authentication information exchanger for implementing single sign-on (SSO) authentication. The protocol works like this: A …

The post Pentesters Can Take Advantage of Weakness in SAML appeared first on McAfee Blogs.

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

22 Feb 2017

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline.

Propagation vector

The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to …

The post Spora Ransomware Infects ‘Offline’—Without Talking to Control Server appeared first on McAfee Blogs.

Macro Malware Targets Macs

14 Feb 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this …

The post Macro Malware Targets Macs appeared first on McAfee Blogs.

The Cyber Threat Alliance Steps Up to Boost Protection

14 Feb 2017

With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their …

The post The Cyber Threat Alliance Steps Up to Boost Protection appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

14 Feb 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. In part 1 of this analysis, we discussed the basics of the malware and its whitelisting to protect itself. In this part, we will provide more information about the malware’s internals, this variant, and steps to unlock the ransomware lock screen. Variant 1. This variant seems to be inspired by …

The post Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking appeared first on McAfee Blogs.

Intel Security Launches ‘Threat Landscape Dashboard’

10 Feb 2017

Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to …

The post Intel Security Launches ‘Threat Landscape Dashboard’ appeared first on McAfee Blogs.

Pentesters Need to Keep Track of Browser Options

09 Feb 2017

Penetration testers searching for vulnerabilities always include cross-site scripting (XSS) attacks as one of their methods. Recently we observed an unusual XSS-related case that taught us something new. During an XSS-related test, we inserted the “<script>alert(1)</script>” payload as a GET request’s parameter and executed this command in Internet Explorer 11. We expected to see our …

The post Pentesters Need to Keep Track of Browser Options appeared first on McAfee Blogs.

Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service

03 Feb 2017

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We …

The post Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service appeared first on McAfee Blogs.

Spotlight on Shamoon

27 Jan 2017

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents …

The post Spotlight on Shamoon appeared first on McAfee Blogs.

With Release of Windows 10, Questions About BitLocker Arise Again

26 Jan 2017

This post was written by Ted Pan. For those of you who were around during the original release of Microsoft’s BitLocker, previously known as Secure Startup, you will remember that it was meant to completely eliminate the necessity for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack …

The post With Release of Windows 10, Questions About BitLocker Arise Again appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 1: Whitelisting

20 Jan 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected …

The post Analyzing KillDisk Ransomware, Part 1: Whitelisting appeared first on McAfee Blogs.

Stopping Malware With a Fake Virtual Machine

19 Jan 2017

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting …

The post Stopping Malware With a Fake Virtual Machine appeared first on McAfee Blogs.

Trojanized Photo App on Google Play Signs Up Users for Premium Services

13 Jan 2017

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious. Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names …

The post Trojanized Photo App on Google Play Signs Up Users for Premium Services appeared first on McAfee Blogs.

Turkish Instagram Password Stealers Found on Google Play

12 Jan 2017

Intel Security’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) These malware are distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users. The malware leads victims …

The post Turkish Instagram Password Stealers Found on Google Play appeared first on McAfee Blogs.

Top Tips for Securing Home Cameras

05 Jan 2017

Installing a home surveillance camera system can add great benefits but also may introduce new risks to privacy and network security. The goal is to increase your security and peace of mind, while avoiding cybersecurity threats. Here are three tips to consider when purchasing, installing, and configuring your new home camera system.

The risks

Home …

The post Top Tips for Securing Home Cameras appeared first on McAfee Blogs.

2016 Will Go Down in History as “The Year of Ransomware”

04 Jan 2017

The year 2016 saw a sharp resurgence of ransomware threats and highlighted the need for an advanced security architecture. The emergence of bitcoin has made it possible to anonymize transactions, and it plays an important role in the rise of ransomware attacks. Some ransomware is able to detect and bypass environments …

The post 2016 Will Go Down in History as “The Year of Ransomware” appeared first on McAfee Blogs.

Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

30 Dec 2016

The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed …

The post Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Long Term (Part 2)

27 Dec 2016

In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures. Rise of blockchain …

The post Next Targets for Cybercriminals: the Long Term (Part 2) appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Short Term (Part 1)

25 Dec 2016

Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step …

The post Next Targets for Cybercriminals: the Short Term (Part 1) appeared first on McAfee Blogs.

Floki Bot a Sensation With International Cybercriminals

23 Dec 2016

Floki Bot, new financial malware, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos. Improvements abound …

The post Floki Bot a Sensation With International Cybercriminals appeared first on McAfee Blogs.

Did You Forget to Patch Your IP Camera?

21 Dec 2016

IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowing.

IP cameras are targets

Like all Internet-connected devices, IP cameras are at risk of …

The post Did You Forget to Patch Your IP Camera? appeared first on McAfee Blogs.

An Overview of Malware Self-Defense and Protection

19 Dec 2016

Many malware authors spend a great deal of time and effort to develop complex code. Their success depends on a threat’s remaining undetected and avoiding sandbox analysis, antivirus efforts, or malware analysts. This post offers an overview of the mechanisms used by malware to evade detection. If malware is detected quickly, it has little time …

The post An Overview of Malware Self-Defense and Protection appeared first on McAfee Blogs.

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

19 Dec 2016

In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a legitimate application for streaming movies and series. The ransom note gives the victim seven days to choose either option or the …

The post ‘Popcorn Time’ Ransomware Sure to Cause Indigestion appeared first on McAfee Blogs.

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

14 Dec 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this …

The post ‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers appeared first on McAfee Blogs.

“Trojanization” of Legit Apps on the Rise

13 Dec 2016

Intel Security today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect …

The post “Trojanization” of Legit Apps on the Rise appeared first on McAfee Blogs.

McAfee Labs December Threats Report Explores Many Facets of Deception

13 Dec 2016

In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, how Trojans infect legitimate code to appear benign, …

The post McAfee Labs December Threats Report Explores Many Facets of Deception appeared first on McAfee Blogs.

Do You Need to Pull Up Your SOCs?

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article. A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams …

The post Do You Need to Pull Up Your SOCs? appeared first on McAfee Blogs.

2016: A Year at Ransom

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 provides an overview of how ransomware has evolved over the course of 2016, and how the industry has responded. Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, an increase of 80% since the beginning of the year. Beyond volume, ransomware exhibited notable …

The post 2016: A Year at Ransom appeared first on McAfee Blogs.

How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309

13 Dec 2016

Recently the OpenSSL security library gained a fix for a critical security issue (CVE-2016-6309) that affects OpenSSL Version 1.1.0a. The remote attackers can cause the OpenSSL server to crash, or execute arbitrary code on it, by simply sending a handshake packet with a message larger than 16KB. To defend against these attacks we analyzed the …

The post How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309 appeared first on McAfee Blogs.

Shamoon Rebooted in Middle East, Part 2

09 Dec 2016

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver. The language of these three …

The post Shamoon Rebooted in Middle East, Part 2 appeared first on McAfee Blogs.

Farewell to the SHA-1 Hash Algorithm

01 Dec 2016

Rest in peace SHA-1. Like all security controls, they are valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next …

The post Farewell to the SHA-1 Hash Algorithm appeared first on McAfee Blogs.

Shamoon Rebooted?

29 Nov 2016

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines. The initial infection vector for the recent attacks is …

The post Shamoon Rebooted? appeared first on McAfee Blogs.

Big, Hard-to-Solve Problems

29 Nov 2016

Improving the Lifecycle of Threat Defense Effectiveness

When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, …

The post Big, Hard-to-Solve Problems appeared first on McAfee Blogs.

‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats

29 Nov 2016

In the McAfee Labs 2017 Threats Predictions report, published today, we cover a lot of ground but focus particularly on two areas that will impact IT security for years to come: threats to the cloud and the Internet of Things. The report kicks off with a big-picture examination of difficult-to-solve problems in cyber security and …

The post ‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats appeared first on McAfee Blogs.

You Can Outsource the Work, but You Cannot Outsource the Risk

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Cloud

As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will …

The post You Can Outsource the Work, but You Cannot Outsource the Risk appeared first on McAfee Blogs.

Welcome to the Wild West, Again!

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Internet of Things

The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned once again as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming …

The post Welcome to the Wild West, Again! appeared first on McAfee Blogs.

Upcoming Intel Security Webcast on McAfee Labs 2017 Threats Predictions Moderated by Intel Security CTO Raj Samani

23 Nov 2016

McAfee Labs 2017 Threats Predictions

The cyberattack surface is growing faster than ever before, driven by trends and technologies like the cloud and the Internet of Things (IoT). As the digital landscape evolves, so will threats. What can we expect a year from now—or four years from now? Prepare for the future by attending the …

The post Upcoming Intel Security Webcast on McAfee Labs 2017 Threats Predictions Moderated by Intel Security CTO Raj Samani appeared first on McAfee Blogs.

Worms Could Spread Like Zombies via Internet of Things

21 Nov 2016

Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols. Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a …

The post Worms Could Spread Like Zombies via Internet of Things appeared first on McAfee Blogs.

More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray

09 Nov 2016

On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to …

The post More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray appeared first on McAfee Blogs.

Talking About Cyber Risks Educates the Community

07 Nov 2016

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light: sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and …

The post Talking About Cyber Risks Educates the Community appeared first on McAfee Blogs.

Cerber Ransomware Now Hunts for Databases

04 Nov 2016

Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with …

The post Cerber Ransomware Now Hunts for Databases appeared first on McAfee Blogs.

Top 5 Things to Know About Recent IoT Attacks

02 Nov 2016

Recent Internet attacks have resulted in several popular sites becoming unreachable. The list includes Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have brought to light a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been commonplace for more …

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blogs.

The Latest IoT Device I Do Not Want Hacked

01 Nov 2016

What if someone hacked this remotely controlled semiautonomous tractor? I am a cybersecurity guy and a huge fan of technology. One of the challenges we face in the security industry is the growth of the Internet of Things (IoT). IoT is about connecting everyday objects to the Internet. It might be a toaster, alarm clock, …

The post The Latest IoT Device I Do Not Want Hacked appeared first on McAfee Blogs.

A ‘Second Economy’ Prognosis for Health Care Cybersecurity

26 Oct 2016

Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money. As in other industries, health care is working toward maximizing efficiencies, …

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

26 Oct 2016

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the …

The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee Blogs.

How to Secure the Future of the Internet of Things

22 Oct 2016

The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat to their owners; now they pose a significant threat to everything connected to the Internet.

The old IoT security problem

For the past year, the cybersecurity and IoT communities have been at odds regarding …

The post How to Secure the Future of the Internet of Things appeared first on McAfee Blogs.

Unfolding the Mystery of Cerber Ransomware’s Random File Extension

20 Oct 2016

In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we’ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. (We call this version X, …

The post Unfolding the Mystery of Cerber Ransomware’s Random File Extension appeared first on McAfee Blogs.

Password-Protected Attachment Serves Ransomware

18 Oct 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have …

The post Password-Protected Attachment Serves Ransomware appeared first on McAfee Blogs.

How to: Testing Android Application Security, Part 4

17 Oct 2016

One of the best ways to develop secure Android applications is to engage in penetration (pen) testing, in effect trying to break into your application just as an attacker might do. This is the fourth in a series of posts on pen testing Android applications. In the first we set up the testing environment and captured traffic. In …

The post How to: Testing Android Application Security, Part 4 appeared first on McAfee Blogs.

No More Ransom Adds Law Enforcement Partners From 13 Countries

17 Oct 2016

Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel Security, Kaspersky Labs, Dutch National Police, and Europol will be joined by members from Bosnia and Herzegovina, …

The post No More Ransom Adds Law Enforcement Partners From 13 Countries appeared first on McAfee Blogs.

Ransomware Variant XTBL Another Example of Popular Malware

17 Oct 2016

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers …

The post Ransomware Variant XTBL Another Example of Popular Malware appeared first on McAfee Blogs.

Android Banking Trojan Asks for Selfie With Your ID

14 Oct 2016

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain …

The post Android Banking Trojan Asks for Selfie With Your ID appeared first on McAfee Blogs.

Everyone Loves Selfies, Including Malware!

13 Oct 2016

I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, I don’t always have my “good camera” …

The post Everyone Loves Selfies, Including Malware! appeared first on McAfee Blogs.

New Security Reality for Internet of Things

04 Oct 2016

Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks.

Nontraditional risks

The estimates vary, but they suggest between …

The post New Security Reality for Internet of Things appeared first on McAfee Blogs.

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

03 Oct 2016

Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts. Intel Security CTO Steve Grobman fielded a number of questions on these events …

The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee Blogs.

Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

30 Sep 2016

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect in which the knowledge gained by the owners of sensor networks can share data with the security analysis community. This generosity …

The post Sharing Cybersecurity Threat Intelligence Is the Only Way We Win appeared first on McAfee Blogs.

Macro Malware Employs Advanced Sandbox-Evasion Techniques

29 Sep 2016

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks …

The post Macro Malware Employs Advanced Sandbox-Evasion Techniques appeared first on McAfee Blogs.

How Can We Stop ‘ROP’ Cyberattacks?

28 Sep 2016

IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for …

‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning

28 Sep 2016

Analytics, big data, automation, and machine learning are all terms we use when talking about the future of cybersecurity. As the volume of security data increases, data science will become an important weapon to disrupt adversaries. Too often, these terms are used as synonyms, but they refer to different parts of the domain of data …

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss

26 Sep 2016

Data is leaking out of your organization: accidentally or intentionally, by internals or externals, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices to reduce your exposure to data loss. We …

‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You

23 Sep 2016

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a monumental job. Unfortunately, this is the state of many hospitals, leading the criminal underground to their back doors. Ransomware attackers have shifted focus, moving from consumers to organizations with …

Hardware Hack Bypasses iPhone PIN Security Counter

22 Sep 2016

A security researcher from the University of Cambridge has found a way to hack the iPhone NAND memory hardware to sufficiently bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI as part of the highly publicized privacy case in …

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

21 Sep 2016

Despite headlines, hype, and hysteria, the US government rightly chooses cybersecurity guidance over regulation. The Obama administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course …

Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next

19 Sep 2016

One target of cybercriminals is cryptocurrencies, which hold tremendous wealth but are largely anonymous. This limits the attack surface mostly to avenues requiring complex technical approaches. Always preferring the path of least resistance, many fraudsters and online thieves prefer to target people rather than systems. This is the second of two posts on threats to …

Locky Ransomware Hides Inside Packed .DLL

16 Sep 2016

McAfee Labs has seen a huge increase in Locky ransomware in recent months (discussed in an earlier blog). Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails. Since its first variant Locky has taken advantage of compromised domains to download its malicious executable. Recently it has downloaded a malicious dynamic link …

Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation

14 Sep 2016

All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he robbed banks. His reply was “Because that’s where the money is.” The simplicity rings true. That same age-old principle …

The Quarterly Threats Report: What Does It Mean for You?

14 Sep 2016

The latest edition of the Quarterly Threats Report (QTR) was released this week by McAfee Labs. If you’re not familiar with them, McAfee Labs is our research organization tasked with researching all the latest threats that people are seeing out there in the wild as well as looking at trends that help indicate what the …

Machine Learning, the Unsung Hero in the Latest ‘Threats Report’

14 Sep 2016

The story about ransomware in hospitals in our newly published McAfee Labs Threats Report: September 2016 will probably garner most of the media’s attention, but I think the most interesting story in the report is about machine learning. Here’s why. Intel Security has used machine learning in our classification models since the mid-2000s. Initially, we …

Malware Hides in Installer to Avoid Detection

25 Aug 2016

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually every malware family uses its own polymorphic packers to obfuscate its payload. In this …

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

25 Aug 2016

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of Intel Security, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about Intel Security’s responsibility as a leading security …

‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free

23 Aug 2016

Intel Security and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of …

Cerber Ransomware Updates Configuration File

16 Aug 2016

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and also takes advantages of exploit kits like Angler, Nuclear, and others. During our analysis of the new …

Bing.VC Hijacks Browsers Using Legitimate Applications

10 Aug 2016

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently …

Obfuscated Malware Discovered on Google Play

10 Aug 2016

The McAfee Labs Mobile Malware Research team found early this week on Google Play a set of malware published by the developer account ValerySoftware: Each one of these apps has been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat. Some characteristics of this malware: …

Banload Trojan Targets Brazilians With Malware Downloads

09 Aug 2016

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or …

‘Cat-Loving’ Mobile Ransomware Operates With Control Panel

08 Aug 2016

Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider. The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this …

Setting Up HTTPS for Google App Engine Applications

08 Aug 2016

Thursday, we posted advice on creating a custom domain name for an application developed with Google’s App Engine. In this post, we will learn how to add SSL support and force the App Engine application to use only SSL. Start by obtaining an SSL certificate for your domain from an authorized certificate authority. Consider following …

Creating a Custom Domain Name with a Google App Engine Application

05 Aug 2016

Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers can create applications and deploy them to the App Engine. When a web application is created using the App Engine, the application is assigned a unique project ID. Developers …

Active iOS Smishing Campaign Stealing Apple Credentials

29 Jul 2016

Intel Security Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked to trick them into accessing a phishing site and steal the real Apple credentials. Here is an example of an SMS message from this campaign: The message pretends to be …

Taking Steps to Fight Back Against Ransomware

27 Jul 2016

Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business …

Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers

26 Jul 2016

The Mobile Malware Research Team of Intel Security has discovered in recent weeks a number of new threats in the Middle East. In May, we uncovered a spying campaign targeting cybersecurity professionals in Saudi Arabia. This week, the team exposed a strain of spyware targeting another specific group of mobile users: individuals with possible sympathies toward …

No More Ransom: A New Initiative to Battle Ransomware

25 Jul 2016

Ransomware has seen a huge increase over the past couple of years. According to our June Quarterly Threats Report, there was a 113% increase in ransomware over the past year. However, the real indicator for me has been an increase in questions about ransomware I get from people once they find out I work for …

Intel Security Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware

25 Jul 2016

Intel Security, Europol, Kaspersky Lab, and Dutch police have taken down the Shade ransomware botnet and captured encryption keys to unlock victims’ systems. Although we talk a great deal of the value of public-private partnerships in the fight against cybercrime, few events in the cybersecurity field are more inspiring than seeing such collaboration in action and …

Phishing Attacks Employ Old but Effective Password Stealer

21 Jul 2016

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial …

Patch Now: Simple Office ‘Protected View’ Bypass Could Have Big Impact

12 Jul 2016

Protected View is a security feature of Microsoft Office. According to research from MWR Labs, Protected View mode is a strong application-level sandbox. In a real-world attack scenario, Office documents from the Internet, such as documents downloaded by browsers (Chrome, Edge, Internet Explorer) or attachments received in email clients (such as Outlook), are opened by default in …

Trojanized Pokémon GO Android App Found in the Wild

08 Jul 2016

Pokémon GO is a new mobile game that allows fans to “catch” Pokemons in the real world using augmented reality and their smartphones’ capabilities such as location technology and built-in cameras. The game was released on July 6 on both the Apple App Store and Google Play but only in Australia, New Zealand, and one day …

Business Email Compromise Hurts Your Organization

06 Jul 2016

As many workers do today, you probably get emails from your boss asking you to perform various tasks. You may also get unusual requests under unusual circumstances—perhaps to put out a fire for a big client or to impress a potential customer. Sometimes in haste you don’t follow standard procedures. But that makes you vulnerable …

June #SecChat Recap: Findings from the 2016 Verizon DBIR

30 Jun 2016

This year’s highly anticipated Verizon 2016 Data Breach Investigations Report (Verizon DBIR) analyzed cybersecurity findings from 100,000 incidents and 2,260 confirmed breaches, taking a deep dive into popular attack types and threats in 2015. During our June Twitter #SecChat, we discussed findings from the report, and examined prominent threats and their impact on industries. Participating …

Security Best Practices for Azure App Service Web Apps, Part 4

24 Jun 2016

Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. …

Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection

21 Jun 2016

Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky. Recently McAfee Labs has encountered a new variant of macro malware that uses new techniques to avoid executing in an undesirable environment. With this variant when we …

JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware

21 Jun 2016

The ransomware Nemucod has been very prevalent in the last few months. Nemucod’s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along …

Microsoft’s June Patch Kills Potential CFG Bypass

16 Jun 2016

After applying Microsoft’s June patch, we noticed some interesting changes that prevent a security bypass of Windows’ Control Flow Guard (CFG). The changes are in the Shader JIT compiler of the Windows Advanced Rasterization Platform (WARP) module (d3d10warp.dll). The Shader JIT compiler could formerly be used to create a CFG bypass. CFG is known to …

Intel Innovates to Stop Cyberattacks

16 Jun 2016

Intel, in partnership with Microsoft, has published a technology preview, showing how innovation in silicon architecture can help protect against advanced code-reuse attack techniques. This is an example of how brilliant minds across the industry can think long term to address cybersecurity problems through improvements in hardware. Key components, such as the central processing unit, …

Mobile App Collusion Highlights McAfee Labs Threats Report

14 Jun 2016

I would be lost without my smartphone and its many convenient features. I look at my calendar and click to schedule an online meeting, inviting attendees from my contact list. I use my airline app to make sure my flight is on time and click to check the weather at my destination. I pick a …

‘Thrones’ Jon Snow Appears to Employ Neutrino Exploit Kit

10 Jun 2016

This blog post was written by Kalpesh Mantri. You read that right. Jon Snow appears to be back from the dead. That would make “Game of Thrones” fans happy, but unfortunately this Jon Snow is not the same character. This John (with an h) Snow is related to Neutrino exploit kits, one of the commonly used …

Experts Discuss the 2016 Verizon DBIR: June #SecChat

10 Jun 2016

Cybersecurity in 2016 has been full of sensational headlines. Ransomware has shut down multiple hospitals, millions of credentials have been pilfered, and countless companies have had their records stolen using phishing tactics. But is it really accurate to judge the state of the industry by headlines alone? What if we took a more analytical approach …

Zcrypt Expands Reach as ‘Virus Ransomware’

08 Jun 2016

Intel Security has recently seen a new kind of ransomware, Zcrypt, that can self-replicate. This “virus ransomware” arrives via email in a malicious attachment or by usurping an Adobe Flash Player installation. The malware copies itself onto removable drives to infect other machines. Zcrypt uses the Nullsoft Scriptable Install System, which works like a Zip file, decompressing …

Threat Actors Employ COM Technology in Shellcode to Evade Detection

06 Jun 2016

COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several “features” built into COM have led to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the …

Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript

06 Jun 2016

This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering …

Trillium Exploit Kit Update Offers ‘Security Tips’

02 Jun 2016

McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool and it contains new functionality. These include: a PDF downloader, a password generator, and security tips. PDF downloader: The user …

Android Spyware Targets Security Job Seekers in Saudi Arabia

31 May 2016

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, Intel Security Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism …

Seeing Through Darkleech Obfuscation: a Quick Hack to Iframes

27 May 2016

This blog post was written by Kalpesh Mantri. Darkleech is an Apache module on the dark web that distributes malware. This tool, which appeared in 2012, was first used to infect many Apache servers and later sites running Microsoft IIS. The campaign infecting IIS sites was named pseudo-Darkleech because it resembles the Apache infector module. (In this …

Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe

26 May 2016

Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that …

Which Cybersecurity Data Should You Trust?

24 May 2016

Limitations of security data: We are constantly battered by cybersecurity data, reports, and marketing collateral, and we shouldn’t treat all of this information equally. Security data has inherent limitations and biases, which result in varying value and relevance in how it should be applied. It is important to understand which data is significant and how best to …

ISAO Group Hosts Productive 3rd Public Meeting

24 May 2016

This post first appeared at Policy@Intel. The Information Sharing and Analysis Organization Standards Organization (ISAO SO) held its Third Public Forum on May 18–19 in Anaheim, California. More than 100 participants from academia, government, and industry sectors, including multiple participants from Intel, assembled to discuss the initial drafts recently published by the ISAO SO and …

Malware Mystery: JS/Nemucod Downloads Legitimate Installer

21 May 2016

JS/Nemucod is the detection name given to a family of malicious JavaScript downloaders that have appeared in spam campaigns since last year. They usually arrive as an email attachment, embedded in a ZIP archive, and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering …

Attacks on SWIFT Banking System Benefit From Insider Knowledge

20 May 2016

In recent months, we’ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and read unique messages from SWIFT (Society for Worldwide Interbank Financial Telecommunication), as well as adjust balances and send details to a remote control server. …

5 Steps to Enhance Security of Cloud Applications

18 May 2016

When you move applications to the cloud, the attack surface changes while the vulnerabilities at the application, database, and network levels persist. To address these issues, securing the cloud perimeter, preventing unauthorized access, and protecting data are crucial. The first step is to reduce the attack surface. Run a port scan specific to an instance IP and lock …

Can Zealous Security Cause Harm?

17 May 2016

Good security requires balancing risks, costs, and usability. Too much or too little of each can be unhealthy and lead to unintended consequences. We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data. Failures can create life-safety issues and major …

Sex Sells: Looking at Android Adult Adware Apps

13 May 2016

Advertising is one of the primary methods to generate money from mobile devices. Ads can be displayed in the browser when you visit a specific website or can appear in free apps. In the case of mobile apps, the developer must select a theme that attracts many users to increase revenues. There is probably no …

Key Lessons From Verizon’s ‘2016 Data Breach Investigations Report’

12 May 2016

The annual Data Breach Investigations Report (DBIR) is out and reinforces the value of well-established cybersecurity practices. The good folks at Verizon have once again published one of the most respected annual reports in the security industry. The report sets itself apart with the authors intentionally avoiding unreliable “survey” data and instead striving to communicate …

Server-Side Request Forgery Takes Advantage of Vulnerable App Servers

12 May 2016

Server-side request forgery is an attack in which an attacker can force a vulnerable server to trigger malicious requests to third-party servers and/or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. This ability makes server-side request forgery …

Current Campaign Delivers Hundreds of Thousands of Polymorphic Ransomware

10 May 2016

You might have been getting out of bed when attackers started sending hundreds of thousands of fake invoices the morning of April 27. Between 5:45 am and 11 am Pacific time, the first phase of the operation was steamrolling along. The invoices sent with fake .rtf files attached were in no way legitimate. In McAfee …

Android Malware Clicker.G!Gen Found on Google Play

04 May 2016

Recently the Mobile Malware Research Team of Intel Security found on Google Play a new campaign of Android/Clicker.G in dozens of published malicious apps. This threat targets Russians but the apps are accessible worldwide. The attackers lure their victims with apps associated with health care, sports, food, games, and many other topics. Some of the …

The Morning After: What Happens to Data Post-Breach?

02 May 2016

This post first appeared on the security website Dark Reading. We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data. We are hopeful that new insights will provide a compelling answer to the question “So what?” No company is bulletproof when it comes to …

Fake Android Update Delivers SMS, Click Fraud in Europe

29 Apr 2016

Intel Security Mobile Research has been monitoring a mobile malware campaign targeting users in Germany, France, and Russia since the beginning of the year. Several users have complained in forums and social networks about a suspicious file with the name Android_Update_6.apk being automatically downloaded when a website is loaded. Recently a user tweeted that one …

CVE-2016-0018: DLL Planting Leads to a Remote Code Execution Vulnerability

27 Apr 2016

DLL planting, also known as DLL side loading, is a popular attack technique today. If we take a look at the list of advisories Microsoft has recently published, it is clear that a large number of vulnerabilities encompass DLL planting. We have seen many targeted attacks that abuse Windows OLE in many ways. At BlackHat USA 2015, an …

Malware Takes Advantage of Windows ‘God Mode’

27 Apr 2016

Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This “God Mode” can come in handy for admins, but attackers are now using this undocumented feature for evil …

Macro Malware Employs Advanced Obfuscation to Avoid Detection

26 Apr 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported on Blog Central here and here. Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as virtual machine awareness, sandbox awareness, and more. Since early March we have seen macro malware using high-obfuscation algorithms to protect itself …

The post Macro Malware Employs Advanced Obfuscation to Avoid Detection appeared first on McAfee Blogs.

Unsubscribing From Unwanted Email Carries Risks

18 Apr 2016

We all receive loads of unwanted email solicitations, warnings, and advertisements. The number can be overwhelming to the point of obnoxiousness. Some days it feels like an unending barrage of distracting deliveries that require a constant scrubbing of my inbox. Beyond being frustrating, there are risks. In addition to the desired and legitimate uses of email, …

The post Unsubscribing From Unwanted Email Carries Risks appeared first on McAfee Blogs.

CVE-2016-0153: Microsoft Patches Possible OLE Typo

14 Apr 2016

Recently McAfee Labs discovered an interesting bug in Windows’ OLE implementation, which Microsoft patched this week. Now that the patch is available, we can discuss this vulnerability, which resides in the OleRegEnumVerbs() function of ole32.dll. During our research we found that a stack corruption vulnerability in ole32!OleRegEnumVerbs can be triggered if we embed any OLE1 …

The post CVE-2016-0153: Microsoft Patches Possible OLE Typo appeared first on McAfee Blogs.

When It Comes To Cyberthreat Intelligence, Sharing Is Caring

13 Apr 2016

This blog was originally posted at Dark Reading on March 31. Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats. On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing …

The post When It Comes To Cyberthreat Intelligence, Sharing Is Caring appeared first on McAfee Blogs.

Convergence and the Future of Cyber Security

12 Apr 2016

[Embedded slide deck: CSE 2016 Future of Cyber Security, by Matthew Rosenquist] The security industry is changing. Technology innovation is eroding the distance between the roles and responsibilities of traditionally independent physical and cyber security teams. Modern physical security tools now rely heavily on networks, clouds, firmware, and software—which puts them at risk of cyber …

The post Convergence and the Future of Cyber Security appeared first on McAfee Blogs.

DHS Accelerates Information Sharing Standards Effort; Intel to Chair Working Group

29 Mar 2016

This post first appeared at Policy@Intel on March 9. In an effort to accelerate cyber information sharing, and in response to a presidential executive order, the Department of Homeland Security recently announced the formation of the Information Sharing and Analysis Organization (ISAO) Standards Organization. The organization comprises six working groups, and I’ve been appointed chair …

The post DHS Accelerates Information Sharing Standards Effort; Intel to Chair Working Group appeared first on McAfee Blogs.

McAfee Labs Unlocks LeChiffre Ransomware

28 Mar 2016

At McAfee Labs we recently received a low-profile ransomware called LeChiffre. Unlike ransomware that is distributed by a spam campaign or downloaded by other malware, this sample needs to be run manually on a victim’s machine to encrypt files. As we analyzed this ransomware, we found that we could unlock all LeChiffre-encrypted files without having to pay …

The post McAfee Labs Unlocks LeChiffre Ransomware appeared first on McAfee Blogs.

W97M Downloader Serves Vawtrak Malware

23 Mar 2016

McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro. W97M …

The post W97M Downloader Serves Vawtrak Malware appeared first on McAfee Blogs.

McAfee Labs Threats Report Discusses Cyber Threat Intelligence Sharing and More

22 Mar 2016

During keynote presentations at the RSA Conference 2016 in early March, Chris Young from Intel Security, Mark McLaughlin from Palo Alto Networks, and Michael Brown from Symantec discussed the need to share cyber threat intelligence (CTI). There were also a half-dozen conference sessions that examined this important topic. Young made the point that sharing CTI …

The post McAfee Labs Threats Report Discusses Cyber Threat Intelligence Sharing and More appeared first on McAfee Blogs.

Cybersecurity Suffers Due to Human Resources Challenges

21 Mar 2016

The cybersecurity industry is in a state of disrepair. Growing human resource problems put the efforts to secure technology at risk, due to insufficient staffing, skills, and diversity. The need for talent is skyrocketing, but there are not enough qualified workers to meet current or future demands. By 2017 prospective hiring organizations may have upwards …

The post Cybersecurity Suffers Due to Human Resources Challenges appeared first on McAfee Blogs.

5G Networks Pose Cyber Risks, Opportunities

18 Mar 2016

Fifth-generation networking (5G) holds the potential for a massive immersion of technology into the lives of people and businesses. It is an evolution of technology that could allow enough bandwidth for 50 billion smart devices, driving toward a world in which everything that computes will be connected. Such transformative technology opens great opportunities, but also presents new …

The post 5G Networks Pose Cyber Risks, Opportunities appeared first on McAfee Blogs.

Hacktivists Turn to Phishing to Fund Their Causes

16 Mar 2016

At Intel Security we recently observed a phishing campaign targeting Apple account holders. The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page. Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following …

The post Hacktivists Turn to Phishing to Fund Their Causes appeared first on McAfee Blogs.

Report Highlights Enterprise Biometric Vulnerabilities, Opportunities

16 Mar 2016

Authentication in the modern enterprise is becoming more difficult. The risks are rising, but adding more security controls can impede workers, and such controls are difficult to integrate into legacy systems. Biometrics may be a better path to improve security while not adversely impacting the user experience. But there are risks; biometric systems are not without vulnerabilities …

The post Report Highlights Enterprise Biometric Vulnerabilities, Opportunities appeared first on McAfee Blogs.

TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit

15 Mar 2016

This post was written by Sriram P. and Varadharajan Krishnasamy. TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims to decrypt the files. Similar to other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also downloaded with the help of other malware: W97M/Downloader, JS/Nemucod, Angler exploit kit …

The post TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit appeared first on McAfee Blogs.

Sensitive California Student Information to Be Released to Nonprofit

14 Mar 2016

The US District Court of California (Eastern district) has issued an order requiring the California Department of Education (CDE) to produce data to the plaintiffs in a lawsuit involving allegations that the CDE failed to provide adequate services to children with disabilities. The data in question will include information on all children, kindergarten through high …

The post Sensitive California Student Information to Be Released to Nonprofit appeared first on McAfee Blogs.

Criminals are Getting Excited for Tax Filing Season

11 Mar 2016

Cybercriminals are plotting to take advantage of tax season by fraudulently impersonating consumers and scamming Americans. For the citizens of the United States, tax season is upon us, during which we diligently file our annual tax returns with the US Internal Revenue Service (IRS). A big problem, however, is that, in this digital age of …

The post Criminals are Getting Excited for Tax Filing Season appeared first on McAfee Blogs.

Macro Malware Associated With Dridex Finds New Ways to Hide

08 Mar 2016

Macro malware is on the upswing and cybercriminals are always searching for new ways to deceive users and evade detection. McAfee Labs recently discovered a W97M/Downloader variant that uses a new technique to obfuscate its malicious intentions. Almost one year ago, we discovered Microsoft Office XML documents containing compressed MSO ActiveMime objects. These objects extract an encrypted OLE …

The post Macro Malware Associated With Dridex Finds New Ways to Hide appeared first on McAfee Blogs.

Locky Ransomware on Rampage With JavaScript Downloader

08 Mar 2016

Locky is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. Propagation vector: Locky ransomware propagates onto victims’ systems through a widespread spam campaign using an attached Microsoft Word document with maliciously crafted macros. Recently, however, the …

The post Locky Ransomware on Rampage With JavaScript Downloader appeared first on McAfee Blogs.

Trillium Toolkit Leads to Widespread Malware

04 Mar 2016

Any aspiring cybercriminal can buy one of many malicious toolkits to craft a downloader and distribute malware. After a time these downloaders are leaked to forums and other download sites and become available to the masses. This is often when we see a spike in their use. The toolkit Trillium Security MultiSploit Tool v3 was cracked last week …

The post Trillium Toolkit Leads to Widespread Malware appeared first on McAfee Blogs.

A Future Beyond Mobile Devices; Trusting the Promises of Mobile World Congress

03 Mar 2016

More than 100,000 people descended upon Mobile World Congress (MWC) last week to watch experts from around the world discuss and share their views of what the future has in store for “mobile.” After four days at the event, what became obvious to me is that we have certainly progressed from the days when a …

The post A Future Beyond Mobile Devices; Trusting the Promises of Mobile World Congress appeared first on McAfee Blogs.

Targeted Ransomware No Longer a Future Threat

01 Mar 2016

This post was written by Christiaan Beek and Andrew Furtak. In 2015, Intel Security investigated a ransomware campaign that targeted the financial sector of a certain country. This was the first time we had observed ransomware targeting a particular sector. The infection vector in that case involved a phishing campaign directed at multiple financial institutions. …

The post Targeted Ransomware No Longer a Future Threat appeared first on McAfee Blogs.

Malicious Forums Turn Amateur Hackers Into Cybercriminals

25 Feb 2016

Security researchers are aware of forums that offer downloads of malicious software such as keyloggers and remote access tools. Some inexperienced hackers may visit these forums and decide to chase the money and create a malicious agenda. The following is a snippet from a popular hacking forum. We recently received a submission with the filename 17_02_16~_HKL_Purchase_Order.ace. This …

The post Malicious Forums Turn Amateur Hackers Into Cybercriminals appeared first on McAfee Blogs.

Mobile World Congress: a Microcosm of a Hyper-Connected Future

24 Feb 2016

Mobile World Congress 2016 has given us a glimpse into the innovations that will hit our stores this year. From the looks of things we will get much more than just thinner handsets. Many phone manufacturers have flooded the event with gadgets and accessories that can be bundled with phones. These include virtual reality headsets, …

The post Mobile World Congress: a Microcosm of a Hyper-Connected Future appeared first on McAfee Blogs.

Nivdort: Data-Stealing Trojan Arrives via Spam

18 Feb 2016

During the past couple of weeks, McAfee Labs has observed a huge increase in spam related to Nivdort, a malicious file that usually arrives as a .zip attachment and tries to download other malware. This malware can steal a victim’s credentials, including personal details related to online shopping, banking, and other social networking websites. Nivdort’s spam …

The post Nivdort: Data-Stealing Trojan Arrives via Spam appeared first on McAfee Blogs.