SANS

Back to Basics: Writing Change Requests in Natural Language, (Mon, Sep 25th)

25 Sep 2017

Back to Basics

Forensic use of mount --bind, (Sun, Sep 24th)

24 Sep 2017

In my previous diary, I mentioned a recent case that led me to write mac-robber.py. In that case, I mentioned that I needed to build a filesystem timeline and wanted to collect hashes because I suspected there were multiple copies of some possible malware scattered around the disk. The biggest issue I had was that hashing the files requires reading them which would update the access times, something I really did not want to do. So, I decided to use a trick on a live system that I had employed occasionally in the past when I got a tar file rather than a disk image of, say, a directory from a SAN or NAS. For those of you who aren't aware, on Linux, you can use the mount command to essentially link a directory to another location in the directory tree. In the screenshot below, you can see the results of df -h and mount on one of my test VMs.

What is the State of Your Union?, (Fri, Sep 22nd)

22 Sep 2017

Regularly the President of the United States delivers the State of the Union address. This practice "fulfills rules in Article II, Section 3 of the U.S. Constitution, requiring the President to periodically give Congress information on the 'state of the union' and recommend any measures that he believes are necessary and expedient."

Malspam pushing Word documents with Hancitor malware, (Fri, Sep 22nd)

22 Sep 2017

Introduction

Emails threatening DDoS allegedly from Phantom Squad, (Thu, Sep 21st)

21 Sep 2017

Introduction

Email attachment using CVE-2017-8759 exploit targets Argentina, (Thu, Sep 21st)

21 Sep 2017

Introduction


Sophos

The software flaw that could beam out passwords by DNS

25 Sep 2017

iTerm2 was trying to be helpful.

News in brief: New IoT grief; Old patch lessons; Older voting tech

25 Sep 2017

Your daily round-up of some of the other stories in the news

Joomla 3.8 fixes serious LDAP authentication issue, update now

25 Sep 2017

The bug allows the extraction of an affected site's credentials "in seconds"

No, Facebook spies aren’t secretly “following me”, it’s a hoax

25 Sep 2017

Typing "Facebook security" into your block list won't reveal their names

Monday review – Adobe botches, Apache bleeds and Equifax blunders

25 Sep 2017

From Apache bleeding to Equifax shooting itself in the foot. Again.

Adobe security team posts public key – together with private key

23 Sep 2017

If you generate an encryption keypair and you get a public key and a private key, which one do you think you should keep to yourself?

Tracking phones without a warrant ruled unconstitutional

22 Sep 2017

'Stingray use without a warrant violates 4th Amendment'

Cryptomining or online ads – which one floats your boat? [VIDEO]

22 Sep 2017

Is cryptomining in the background better than ads in the foreground as a way of earning money to "pay" for free sites?

News in brief: DDoS threat spam; Army logic bomber; Viacom leak

22 Sep 2017

Your daily round-up of some of the other stories in the news

Using infrared cameras to break out of air-gapped networks

22 Sep 2017

Invisible data exfiltration from isolated networks


TrendMicro

ZNIU: First Android Malware to Exploit Dirty COW Vulnerability

25 Sep 2017

The Linux vulnerability called Dirty COW (CVE-2016-5195) was first disclosed to the public in 2016. The vulnerability was discovered in upstream Linux platforms such as Red Hat, and Android, whose kernel is based on Linux. It is categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attacks on Android have been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner

22 Sep 2017

We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. These are fraud activities impersonating legitimate technical support services, conning unwitting victims to avail/pay for these services (or hand out financial data), by scaring them that their machine has been infected with malware, for instance.

The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or  . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.

OptionsBleed – The Apache HTTP Server Now Bleeds

22 Sep 2017

A new vulnerability in the Apache HTTP server was found recently. Designated as CVE-2017-9798, this vulnerability lies in how Apache handles certain settings in its configuration files, resulting in memory leaks. This vulnerability is named OptionsBleed, based on its similarities with the Heartbleed vulnerability. Patches to Apache are now available.

a-PATCH-e: Struts Vulnerabilities Run Rampant

21 Sep 2017

Equifax confirmed the attack vector used in its data breach to be CVE-2017-5638, a vulnerability patched last March 2017 via S2-045. The vulnerability was exploited to gain unauthorized access to highly sensitive data of approximately 143 million U.S. and 400,000 U.K. customers, as well as 100,000 Canadian consumers. This vulnerability was first disclosed in March, almost immediately followed by publicly available POCs, weaponized exploits, and scanners produced by third parties.

Trend Micro observed thousands of filter events via our intrusion prevention solutions against the filters for this vulnerability since March, and these exploits or enumeration attempts are still being seen. It’s worth noting that Trend Micro customers can leverage these filters to provide a highly effective virtual patch to address critical Apache Struts vulnerabilities until actual software updates are deployed to secure the system.

New RETADUP Variants Hit South America, Turn To Cryptocurrency Mining

20 Sep 2017

Several months ago, we discovered and exposed RETADUP malware in Israeli hospitals. We also learned that an Android malware known as “GhostCtrl” was stored in their infrastructure, which might be used for cyberespionage or cybercrime.

Locky Ransomware Pushed Alongside FakeGlobe in Upgraded Spam Campaigns

18 Sep 2017

In the beginning of September, a sizeable spam campaign was detected distributing a new Locky variant. Locky is a notorious ransomware that was first detected in the early months of 2016 and has continued to evolve and spread through different methods, particularly spam mail. A thorough look at samples from recent campaigns shows that cybercriminals are using sophisticated distribution methods, affecting users in more than 70 countries.

In the specific campaigns discussed below, both Locky and the ransomware FakeGlobe were being distributed—but the two were rotated. The cybercriminals behind the campaign designed it so that clicking on a link from the spam email might deliver Locky one hour, and then FakeGlobe the next. This makes re-infection a distinct possibility, as victims infected with one ransomware are still vulnerable to the next one in the rotation.

iXintpwn/YJSNPI Abuses iOS’s Config Profile, can Crash Devices

18 Sep 2017

While iOS devices generally see relatively fewer threats because of the platform's walled garden approach in terms of how apps are installed, it’s not entirely unbreachable. We saw a number of threats that successfully scaled the walls in 2016, from those that abused enterprise certificates to ones that exploited vulnerabilities to curtail Apple’s stringent control over its platforms.

This is further exemplified by iXintpwn/YJSNPI (detected by Trend Micro as TROJ_YJSNPI.A), a malicious profile that can render the iOS device unresponsive. It was part of the remnants of the work of a Japanese script kiddie who was arrested in early June this year.

While iXintpwn/YJSNPI seems currently concentrated in Japan, it won't surprise anyone if it spreads beyond the country given how it proliferated in social media.

Advisory: BlueBorne Reportedly Affects Billions of Bluetooth-Enabled Devices

15 Sep 2017

BlueBorne is a set of vulnerabilities affecting the implementation of Bluetooth in iOS, Android, Linux, Windows and Mac OS* devices. According to the researchers who uncovered them, BlueBorne affects around 5.3 billion Bluetooth-enabled devices. The immediate mitigation for BlueBorne is to patch the device, if there’s any available, or to switch off the device's Bluetooth connection if not needed.

Hangul Word Processor and PostScript Abused Via Malicious Attachments

14 Sep 2017

The Hangul Word Processor (HWP) is a word processing application which is fairly popular in South Korea. It possesses the ability to run PostScript code, which is a language originally used for printing and desktop publishing, although it is a fully capable language. Unfortunately, this ability is now being exploited in attacks involving malicious attachments.

BankBot Found on Google Play and Targets Ten New UAE Banking Apps

13 Sep 2017

The Android-targeting BankBot malware (all variants detected by Trend Micro as ANDROIDOS_BANKBOT) first surfaced in January of this year and is reportedly the improved version of an unnamed open source banking malware that was leaked in an underground hacking forum. BankBot is particularly risky because it disguises itself as legitimate banking apps, typically using fake overlay screens to mimic existing banking apps and steal user credentials. BankBot is also capable of hijacking and intercepting SMS messages, which means that it can bypass SMS-based 2-factor authentication.


Kaspersky

A Modern Hypervisor as a Basis for a Sandbox

19 Sep 2017

In the field of information security, sandboxes are used to isolate an insecure external environment from a secure internal environment (or vice versa), to protect against the exploitation of vulnerabilities, and to analyze malicious code. At Kaspersky Lab, we have several sandboxes; we will look at just one of them, which was customized to serve the needs of a specific product and became the basis of Kaspersky Anti Targeted Attack Platform.

An (un)documented Word feature abused by attackers

18 Sep 2017

A little while back we were investigating the malicious activities of the Freakyshelly targeted attack and came across spear phishing emails that had some interesting documents attached to them. They were in OLE2 format and contained no macros, exploits or any other active content.

Connected Medicine and Its Diagnosis

13 Sep 2017

Results that had been obtained during research that we discussed in a previous article called for a more detailed analysis of the security problem, but now from within medical institutions (with the consent of their owners, of course). The analysis allowed us to work on mistakes and give a series of recommendations for IT experts who service medical infrastructure.

Miners on the Rise

12 Sep 2017

Over the last month alone, we have detected several large botnets designed to profit from concealed crypto mining. We have also observed growing numbers of attempts to install miners on servers owned by organizations. When these attempts are successful, the companies’ business processes suffer because data processing speeds fall substantially.

Satoshi Bomb

07 Sep 2017

Let us discuss what defines the profitability of bitcoin mining, what principles for mining speed adaptation were initially embedded into it, and why these principles can lead to the failure of the cryptocurrency in the long run.

Dissecting the Chrome Extension Facebook malware

31 Aug 2017

The Facebook malware that spread last week was dissected in a collaboration with Kaspersky Lab and Detectify. We were able to get help from the involved companies and cloud services to quickly shut down parts of the attack to mitigate it as fast as possible.

Introducing WhiteBear

30 Aug 2017

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. It is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private report. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure.

Jimmy Nukebot: from Neutrino with love

29 Aug 2017

In one of our previous articles, we analyzed the NeutrinoPOS banker as an example of a constantly evolving malware family. A week after publication, this Neutrino modification delivered up a new malicious program classified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy.

Neutralization reaction

25 Aug 2017

Corporate information security services often turn out to be unprepared: their employees underestimate the speed, secrecy and efficiency of modern cyberattacks and do not recognize how ineffective the old approaches to security are. And if there is no clear understanding of what sort of incident it is, an attack cannot be repelled. We hope that our recommendations about identifying incidents and responding to them will help information security specialists create a solid foundation for reliable multi-level business protection.

WAP-billing Trojan-Clickers on rise

24 Aug 2017

During the preparation of the “IT threat evolution Q2 2017” report I found several common Trojans that were stealing money from users using WAP-billing. We hadn’t seen any Trojans like this in a while, but several of them appeared out of nowhere. Most of them had been under development since the end of 2016 / the beginning of 2017, but their prevalence increased only in the second half of Q2 2017. Therefore, I decided to take a closer look at these Trojans.


ThreatPost

Deloitte: ‘Very Few Clients’ Impacted by Cyber Attack

25 Sep 2017

Deloitte, one of the "big four" global accounting firms, admitted it fell victim to a cyber attack last year but downplayed the incident on Monday saying it only affected a few of its high profile clients.

Android Lockscreen Patterns Less Secure Than PINs

25 Sep 2017

Researchers settle PIN versus pattern debate with study that proves a low-tech hack makes cracking an unlock screen simple.

Chris Vickery on Amazon S3 Data Leaks

25 Sep 2017

Mike Mimoso talks to Chris Vickery of Upguard about the recent rash of Amazon S3 data leaks.

Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse

25 Sep 2017

Adobe suffered at a minimum a PR black eye on Friday when one of its private PGP keys was inadvertently published to its Product Incident Security Response Team (PSIRT) blog.

Verizon Wireless Internal Credentials, Infrastructure Details Exposed in Amazon S3 Bucket

22 Sep 2017

Verizon is the latest company to leak confidential data through an exposed Amazon S3 bucket.

EternalBlue Exploit Used in Retefe Banking Trojan Campaign

22 Sep 2017

Banking Trojan Retefe is adopting new WannaCry tricks, adding an EternalBlue module to propagate the malware.

2016 SEC Hack May Have Benefited Insider Trading

22 Sep 2017

The U.S. Securities and Exchange Commission said this week that hackers managed to infiltrate one of its systems last year, something that likely facilitated insider trading.

Samba Update Patches Two SMB-Related MiTM Bugs

22 Sep 2017

Samba released three security updates, including two related to SMB connections that could be abused by an attacker already on the network to hijack connections and manipulate traffic or data sent from a client.

What’s New In Android 8.0 Oreo Security

22 Sep 2017

Google’s Android security team has turned a corner with 8.0 Oreo, reducing the attack surface, compartmentalizing components and beefing up protection against rogue apps.

Threatpost News Wrap, September 22, 2017

22 Sep 2017

The Equifax data breach saga so far, a Google HTTPS warnings paper, cryptocurrency mining at the Pirate Bay, and bringing machine learning to passwords are all discussed.


Symantec

Latest Intelligence for August 2017

08 Sep 2017

August saw increases in the malware and spam rates, and new phishing warnings from the IRS

Dragonfly: Western energy sector targeted by sophisticated attack group

06 Sep 2017

Resurgence in energy sector attacks, with the potential for sabotage, linked to re-emergence of Dragonfly cyber espionage group

Businesses most at risk from new breed of ransomware

30 Aug 2017

The ransomware landscape has shifted dramatically in 2017 and organizations bore the brunt of the damage caused by new, self-propagating threats such as WannaCry and Petya.

Mobile malware factories: Android apps for creating ransomware

24 Aug 2017

Mobile ransomware can now be created automatically without the need to write code.

Microsoft Patch Tuesday – August 2017

09 Aug 2017

This month the vendor has patched 48 vulnerabilities, 26 of which are rated Critical.

Latest Intelligence for July 2017

04 Aug 2017

Email malware rate continues to increase and WannaCry, Petya inspire other threats to add self-spreading components.

Attackers are increasingly living off the land

12 Jul 2017

The use of fileless threats and dual-use tools by attackers is becoming more common.

Microsoft Patch Tuesday – July 2017

12 Jul 2017

This month the vendor has patched 54 vulnerabilities, 19 of which are rated Critical.

Latest Intelligence for June 2017

11 Jul 2017

The chaos causing Petya outbreak and an increase in phishing emails for the third month in a row.

Petya ransomware outbreak: Here’s what you need to know

27 Jun 2017

Petya ransomware impacting large organizations in multiple countries

Microsoft Patch Tuesday – June 2017

14 Jun 2017

This month the vendor has patched 94 vulnerabilities, 18 of which are rated Critical.

Latest Intelligence for May 2017

13 Jun 2017

The WannaCry outbreak dominated the news cycle, while the phishing rate reached a high for 2017.

Criminals increasingly using malvertising to direct victims to exploit kits

06 Jun 2017

Once popular exploit kit redirection campaigns see a significant decline as redirection through malvertising increases

Financial malware more than twice as prevalent as ransomware

01 Jun 2017

Three Trojans dominated the financial threat landscape in 2016 and attackers increased their focus on corporate finance departments

Bachosens: Highly-skilled petty cyber criminal with lofty ambitions targeting large organizations

31 May 2017

Eastern Europe based attacker’s advanced malware bears comparison with that used by nation-state actors, but basic missteps indicate a threat actor who is skilled but lacking in expertise

WannaCry: Ransomware attacks show strong links to Lazarus group

22 May 2017

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks

Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry

17 May 2017

Adylkuzz impact and prevalence is much lower than WannaCry

What you need to know about the WannaCry Ransomware

12 May 2017

The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.

Latest Intelligence for April 2017

10 May 2017

Number of web attacks blocked by Symantec rises to more than 1 million per day and Longhorn cyber espionage group linked to malware detailed in Vault 7 leak.

Microsoft Patch Tuesday – May 2017

10 May 2017

This month the vendor has patched 56 vulnerabilities, 17 of which are rated Critical.


F-Secure

Twitter Forensics From The 2017 German Election

25 Sep 2017

Over the past month, I’ve pointed Twitter analytics scripts at a set of search terms relevant to the German elections in order to study trends and look for interference. Germans aren’t all that into Twitter. During European waking hours Tweets in German make up less than 0.5% of all Tweets published. Over the last month, […]

TrickBot In The Nordics, Episode II

14 Sep 2017

The banking trojan TrickBot is not retired yet. Not in the least. In a seemingly never ending series of spam campaigns – not via the Necurs botnet this time – we’ve spotted mails written in Norwegian that appear to be sent by DNB, Norway’s largest bank. The mail wants the recipient to believe that they […]

Working Around Twitter API Restrictions To Identify Bots

31 Aug 2017

Twitter is by far the easiest social media platform to work with programmatically. The Twitter API provides developers with a clean and simple interface to query Twitter’s objects (Tweets, users, timelines, etc.) and bindings to this API exist for many languages. As an example, I’ve been using Tweepy to write Python scripts that work with Twitter data. […]

Trump Hating South Americans Hacked HBO

24 Aug 2017

Last week – I read the message “Mr. Smith” reportedly sent to HBO… and it brought up a few questions. And also, it offered some “answers” to questions that I’m often asked. Questions such as “how much money do cyber criminals make?” Here’s the start of the message. First, let’s examine Mr. Smith and his […]

Break your own product, and break it hard

19 Jul 2017

Hello readers, I am Andrea Barisani, founder of Inverse Path, which is now part of F-Secure. I lead the Hardware Security consulting team within F-Secure’s Cyber Security Services. You may have heard of our USB armory product, an innovative compact computer for security applications that is 100% open hardware, open source and Made in Italy. […]

Retefe Banking Trojan Targets Both Windows And Mac Users

14 Jul 2017

Based on our telemetry, customers (mainly in the region of Switzerland and Germany) are being targeted by a Retefe banking trojan campaign which uses both Windows and macOS-based attachments. Its massive spam run started earlier this week and peaked yesterday afternoon (Helsinki time). TrendMicro did a nice writeup on this threat earlier this week. The […]

How EternalPetya Encrypts Files In User Mode

04 Jul 2017

On Thursday of last week (June 29th 2017), just after writing about EternalPetya, we discovered that the user-mode file encryption-decryption mechanism would be functional, provided a victim could obtain the correct key from the malware’s author. Here’s a description of how that mechanism works. EternalPetya malware uses the standard Win32 crypto API to encrypt data. […]

What Good Is A Not For Profit (Eternal) Petya?

30 Jun 2017

Following up on our post from yesterday, as an intellectual thought experiment, let’s take the position that there’s something to the idea of (Eternal) Petya not being motivated by money/profit. Let’s also just go ahead and imagine that it’s been developed by a nation state. In my mind, it raises the following question: WTF WHY? […]

(Eternal) Petya From A Developer’s Perspective

30 Jun 2017

In our previous post about Petya, we speculated that the short-cuts, design flaws, and non-functional mechanisms observed in the malware could have arisen due to it being developed under a tight deadline. I’d now like to elaborate a little on what we meant by that. As a recap, this is what the latest version of Petya […]

Petya: “I Want To Believe”

29 Jun 2017

There’s been a lot of speculation and conjecture around this “Petya” outbreak. A great deal of it seems to have been fueled by confirmation bias (to us, at least). Many things about this malware don’t add up (at first glance). But it wouldn’t be the first time that’s happened. And yet everyone seems to have […]

Processing Quote Tweets With Twitter API

23 Jun 2017

I’ve been writing scripts to process Twitter streaming data via the Twitter API. One of those scripts looks for patterns in metadata and associations between accounts, as streaming data arrives. The script processes retweets, and I decided to add functionality to also process quote Tweets. Retweets “echo” the original by embedding a copy of the […]

Super Awesome Fuzzing, Part One

22 Jun 2017

An informative guide on using AFL and libFuzzer. Posted on behalf of Atte Kettunen (Software Security Expert) & Eero Kurimo (Lead Software Engineer) – Security Research and Technologies. The point of security software is to make a system more secure. When developing software, one definitely doesn’t want to introduce new points of failure, or to […]

TrickBot Goes Nordic… Once In A While

13 Jun 2017

We’ve been monitoring the banking trojan TrickBot since its appearance last summer. During the past few months, the malware underwent several internal changes and improvements, such as more generic info-stealing, support for Microsoft Edge, and encryption/randomization techniques to make analysis and detection more difficult. Unlike the very fast expansion of banks targeted during the first […]

OSINT For Fun And Profit: Hung Parliament Edition

09 Jun 2017

The 2017 UK general election just concluded, with the Conservatives gaining the most votes out of all political parties. But they didn’t win enough seats to secure a majority. The result is a hung parliament. Both the Labour and Conservative parties gained voters compared to the previous general election. Some of those wins came from […]

Why Is Somebody Creating An Army Of Twitter Bots?

02 Jun 2017

There’s been some speculation this week regarding Donald Trump’s Twitter account. Why? Because its follower count “dramatically” increased (according to reports) due to a bunch of bots. Since Twitter analytics are my thing at the moment, I decided to do some digging. Sean examined some of Trump’s new followers and found they had something in […]

Now Hiring: Developers, Researchers, Data Scientists

31 May 2017

We’re hiring right now, and if you check out our careers page, you’ll find over 30 new positions ranging from marketing (meh) to malware analysis (woot!). A select number of these new positions are in F-Secure Labs. If you’re on the lookout for a job in cyber security, you might find one of these jobs […]

WannaCry, Party Like It’s 2003

15 May 2017

Let’s take a moment to collect what we know about WannaCry (W32/WCry) and what we can learn from it. When looked at from a technical perspective, WCry (in its two binary components) has the following properties. Comprised of two Windows binaries. mssecsvc.exe: a worm that handles spreading and drops the payload. tasksche.exe: a ransomware trojan […]

WCry: Knowns And Unknowns

13 May 2017

WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know. WCry has currently made a measly $25,000 They now made […]

OSINT For Fun And Profit: #Presidentielle2017 Edition

11 May 2017

As I mentioned in a previous post, I’m writing scripts designed to analyze patterns in Twitter streams. One of the goals of my research is to follow Twitter activity around a newsworthy event, such as an election. For example, last weekend France went to the polls to vote for a new president. And so I […]

Unicode Phishing Domains Rediscovered

26 Apr 2017

There is a variant of phishing attack that nowadays is receiving much attention in the security community. It’s called IDN homograph attack and it takes advantage of the fact that many different Unicode characters look alike. The use of Unicode in domain names makes it easier to spoof websites as the visual representation of an […]


McAfee

McAfee Labs Threats Report Explores WannaCry/Petya, Threat Hunting, Script-Based Malware

26 Sep 2017

Today we published the McAfee Labs Threats Report: September 2017. This quarter’s report shows off a new design. We hope you will find it attractive as well as informative. The report contains three highly educational topics, in addition to the usual set of threats statistics: Earlier this year, WannaCry malware infected more than 300,000 computers …

The post McAfee Labs Threats Report Explores WannaCry/Petya, Threat Hunting, Script-Based Malware appeared first on McAfee Blogs.

Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805

22 Sep 2017

Apache Struts, an open-source web development framework, is prone to vulnerabilities. We wrote about CVE-2017-9791 in July. The latest is CVE-2017-9805, another remote code execution flaw actively being exploited, according to reports. This vulnerability affects the Struts plug-in Representational State Transfer (REST). Apache has updated Struts with Version 2.5.13 to fix this issue. In this post …

Microsoft Kills Potential Remote Code Execution Vulnerability in Office (CVE-2017-8630)

21 Sep 2017

Recently the McAfee IPS Research Team informed Microsoft about a potential remote code execution vulnerability in Office 2016 that McAfee discovered in March. Microsoft released a patch for this vulnerability this week with CVE-2017-8630. In this post, we will briefly discuss the vulnerability and its exploitability. The Problem While auditing PowerPoint, we came across an …

Android Click-Fraud App Repurposed as DDoS Botnet

12 Sep 2017

The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including recent examples on Google Play in 2016 and Clicker.BN last month. These threats are characterized by a common behavior: They appear innocuous but in the background they perform HTTP requests (simulating clicks) on paid “advertainment” to make …

The post Android Click-Fraud App Repurposed as DDoS Botnet appeared first on McAfee Blogs.

Emotet Trojan Acts as Loader, Spreads Automatically

01 Sep 2017

Since the middle of July, McAfee has observed new updates of the Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam. The latest variants act as loaders and use several mechanisms to spread over the network and send spam …

The post Emotet Trojan Acts as Loader, Spreads Automatically appeared first on McAfee Blogs.

Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea

28 Aug 2017

Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS phishing messages (also known as smishing) designed to lure them into clicking on shortened URLs. For example, the following message asks the user to click on the link to check if a private picture has been leaked: Figure 1: …

The post Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea appeared first on McAfee Blogs.

Android Click-Fraud Apps Briefly Return to Google Play

25 Aug 2017

Click-fraud apps frequently appear on Google Play and third-party markets. They are sometimes hard to identify because the malicious behavior that simulates clicks is similar to the behavior of many legitimate applications (using common API calls and permissions). Further, part of the malicious code does not reside in the original malware and comes from a …

The post Android Click-Fraud Apps Briefly Return to Google Play appeared first on McAfee Blogs.

Smishing Campaign Steals Banking Credentials in U.S.

14 Aug 2017

The McAfee Mobile Research team recently found an active smishing campaign, using SMS messages, that targets online banking users in the United States. The messages attempt to scare victims with a notice that the bank account will be soon closed and that the user must immediately click a malicious URL: Figure 1: Phishing SMS message. …

The post Smishing Campaign Steals Banking Credentials in U.S. appeared first on McAfee Blogs.

DEFCON – Connected Car Security

02 Aug 2017

Sometime in the distant past, that thing in your driveway was a car. According to Intel however, the “connected car is already the third-fastest growing technological device after phones and tablets.” The days when a Haynes manual, a tool kit, and a free afternoon or week were all you needed to work on the car are fast becoming a distant memory. …

The post DEFCON – Connected Car Security appeared first on McAfee Blogs.

Analyzing CVE-2017-0190: WMF Flaws Can Lead to Data Theft, Code Execution

26 Jul 2017

CVE-2017-0190 is a recently patched vulnerability related to Windows metafiles (WMFs), a portable image format mainly used by 16-bit Windows applications. Recently we have seen an increase in the number of vulnerabilities related to WMFs and EMFs (enhanced metafiles) in the GDI32 library. Most often, these vulnerabilities lead to sensitive information disclosure from the process …

The post Analyzing CVE-2017-0190: WMF Flaws Can Lead to Data Theft, Code Execution appeared first on McAfee Blogs.

NoMoreRansom – One year on!

25 Jul 2017

One year on. It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water. A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector. We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

The post NoMoreRansom – One year on! appeared first on McAfee Blogs.

Darknet Markets Will Outlive AlphaBay and Hansa Takedowns

20 Jul 2017

On June 20, law enforcement took over the Hansa marketplace after investigations that began in 2016. On July 5, police in Thailand arrested Alexandre Cazes, alleged to be the operator of the large underground market AlphaBay. These efforts have taken two of the largest darknet markets offline. AlphaBay, and later Hansa, was one of many …

The post Darknet Markets Will Outlive AlphaBay and Hansa Takedowns appeared first on McAfee Blogs.

Analyzing CVE-2017-9791: Apache Struts Vulnerability Can Lead to Remote Code Execution

19 Jul 2017

Apache Struts is a model-view-controller framework for creating Java web applications. Struts has suffered from a couple of vulnerabilities using the technique of object-graph navigation language (OGNL) injection. OGNL is an expression language that allows the setting of object properties and execution of various methods of Java classes. OGNL can be used maliciously to perform …

The post Analyzing CVE-2017-9791: Apache Struts Vulnerability Can Lead to Remote Code Execution appeared first on McAfee Blogs.

Analyzing a Patch of a Virtual Machine Escape on VMware

17 Jul 2017

A virtual machine is a completely isolated guest operating system installation within a normal host operating system. Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system, which can lead to infections and malware execution. VMware escapes demonstrated at the most recent PwnFest, organized by …

The post Analyzing a Patch of a Virtual Machine Escape on VMware appeared first on McAfee Blogs.

LeakerLocker: Mobile Ransomware Acts Without Encryption

07 Jul 2017

We recently found on Google Play a type of mobile ransomware that does not encrypt files. This malware extorts a payment to prevent the attacker from spreading a victim’s private information. LeakerLocker claims to have made an unauthorized backup of a phone’s sensitive information that could be leaked to a user’s contacts unless it receives …

The post LeakerLocker: Mobile Ransomware Acts Without Encryption appeared first on McAfee Blogs.

Petya More Effective at Destruction Than as Ransomware

01 Jul 2017

At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: …

The post Petya More Effective at Destruction Than as Ransomware appeared first on McAfee Blogs.

How to Protect Against Petya Ransomware in a McAfee Environment

28 Jun 2017

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

The post How to Protect Against Petya Ransomware in a McAfee Environment appeared first on McAfee Blogs.

New Variant of Petya Ransomware Spreading Like Wildfire

27 Jun 2017

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rendering the machine unusable.

The post New Variant of Petya Ransomware Spreading Like Wildfire appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit

20 Jun 2017

We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter’s report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques and how malware authors use them to accomplish …

The post ‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit appeared first on McAfee Blogs.

McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan

16 Jun 2017

McAfee Labs has discovered that banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after its capability to steal personal and financial data from the infected machine has been removed by a security product. These include home users whose computers are usually behind a network address …

The post McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan appeared first on McAfee Blogs.

Is WannaCry Really Ransomware?

08 Jun 2017

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

The post Is WannaCry Really Ransomware? appeared first on McAfee Blogs.

Misuse of DocuSign Email Addresses Leads to Phishing Campaign

01 Jun 2017

DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to …

The post Misuse of DocuSign Email Addresses Leads to Phishing Campaign appeared first on McAfee Blogs.

Fake WannaCry ‘Protectors’ Emerge on Google Play

23 May 2017

Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices. While searching for “WannaCry” on Google Play we found several new …

The post Fake WannaCry ‘Protectors’ Emerge on Google Play appeared first on McAfee Blogs.

How to Protect Against WannaCry Ransomware in a McAfee Environment

18 May 2017

WannaCry is a ransomware family targeting Microsoft Windows. On Friday May 12, a large cyberattack based on this threat was launched. At this time, it is estimated that more than 250,000 computers in 150 countries have been infected, each demanding a ransom payment.

The post How to Protect Against WannaCry Ransomware in a McAfee Environment appeared first on McAfee Blogs.

Adylkuzz CoinMiner Spreading Like WannaCry

17 May 2017

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the Shadow Brokers group a few weeks ago. We have reported on this malware in our previous blog and …

The post Adylkuzz CoinMiner Spreading Like WannaCry appeared first on McAfee Blogs.

Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code

15 May 2017

Many attacks on mobile devices use social engineering to initially infect a victim’s system. They download malware and elevate privileges by exploiting vulnerabilities. Mobile malware often uses persistence mechanisms to hide and monitor the victim’s behavior. Unlike personal computers, mobile devices are used more often by their owners, and carry sensitive information such as phone …

The post Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code appeared first on McAfee Blogs.

Further Analysis of WannaCry Ransomware

14 May 2017

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s …

The post Further Analysis of WannaCry Ransomware appeared first on McAfee Blogs.

WannaCry: The Old Worms and the New

13 May 2017

On the morning of Friday, May 12, multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry. Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers. By Friday afternoon, McAfee’s Global Threat Intelligence system was …

The post WannaCry: The Old Worms and the New appeared first on McAfee Blogs.

An Analysis of the WannaCry Ransomware Outbreak

12 May 2017

Charles McFarland was a coauthor of this blog. Over the course of Friday, May 12, we received multiple reports of organizations across multiple verticals falling victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to …

The post An Analysis of the WannaCry Ransomware Outbreak appeared first on McAfee Blogs.

Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service

09 May 2017

OpenSSL, the popular general-purpose cryptographic library that implements SSL/TLS protocols for web authentication, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, …

The post Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service appeared first on McAfee Blogs.

Mirai, BrickerBot, Hajime Attack a Common IoT Weakness

03 May 2017

We know that devices in the Internet of Things make enticing targets for attack. They are often insecure and can act as open windows into trusted networks. Cybercriminals are capitalizing on that more and more each day, gathering hundreds of thousands of insecure IoT devices into giant botnets. Remember what happened last fall when Mirai …

The post Mirai, BrickerBot, Hajime Attack a Common IoT Weakness appeared first on McAfee Blogs.

Cerber Ransomware Evades Detection With Many Components

03 May 2017

Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.) Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) …

The post Cerber Ransomware Evades Detection With Many Components appeared first on McAfee Blogs.

Banned Chinese Qvod Lives on in Malicious Fakes

02 May 2017

Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod. One common feature of these malicious apps is to disguise their …

The post Banned Chinese Qvod Lives on in Malicious Fakes appeared first on McAfee Blogs.

Mirai Botnet Creates Army of IoT Orcs

20 Apr 2017

This post was based on analysis by Yashashree Gund and RaviKant Tiwari. There is a lot of speculation in the news about surveillance from home appliances, personal electronics, or other Internet of Things (IoT) devices. Although some statements may be hyperbole, we know that these devices, in homes and offices, are being compromised and used …

The post Mirai Botnet Creates Army of IoT Orcs appeared first on McAfee Blogs.

Critical Office Zero-Day Attacks Detected in the Wild

07 Apr 2017

At McAfee, we have put significant effort into hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we confirmed that these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched. This blog post …

The post Critical Office Zero-Day Attacks Detected in the Wild appeared first on McAfee Blogs.

McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet

06 Apr 2017

In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics. Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a detailed analysis of the background and drivers of …

The post McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet appeared first on McAfee Blogs.

Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

28 Mar 2017

Malware families are constantly seeking new ways to hide their code, thwart replication, and avoid detection. A recent trend for the delivery of ransomware is the use of the Nullsoft Scriptable Install System (NSIS) with an encrypted payload. The list of the most common families using this technique is diverse and includes Cerber, Locky, Teerac, Crysis, …

The post Ransomware Families Use NSIS Installers to Avoid Detection, Analysis appeared first on McAfee Blogs.

Analyzing a Fresh Variant of the Dorkbot Botnet

09 Mar 2017

At McAfee Labs, we have recently observed a new variant of the Dorkbot botnet. Dorkbot is a well-known bot, famous for its various capabilities including backdoor, password stealing, and other malicious behavior. Dorkbot relies on social networking as its infection vector. In this post, we offer our analysis of this new variant. The malware downloads …

The post Analyzing a Fresh Variant of the Dorkbot Botnet appeared first on McAfee Blogs.

CHIPSEC Support Against Vault 7 Disclosure Scanning

09 Mar 2017

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society. As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework …

The post CHIPSEC Support Against Vault 7 Disclosure Scanning appeared first on McAfee Blogs.

Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL

08 Mar 2017

OpenSSL is a popular open-source library for SSL and is used by various software and companies across the world. In January, OpenSSL released an update that fixed multiple vulnerabilities. One of them is CVE-2017-3731, which can cause a denial of service due to a crash. McAfee Labs analyzed this vulnerability to provide detection for customers. …

The post Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL appeared first on McAfee Blogs.

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

22 Feb 2017

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline. Propagation vector: The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to …

The post Spora Ransomware Infects ‘Offline’—Without Talking to Control Server appeared first on McAfee Blogs.

Macro Malware Targets Macs

14 Feb 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this …

The post Macro Malware Targets Macs appeared first on McAfee Blogs.

The Cyber Threat Alliance Steps Up to Boost Protection

14 Feb 2017

With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their …

The post The Cyber Threat Alliance Steps Up to Boost Protection appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

14 Feb 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. In part 1 of this analysis, we discussed the basics of the malware and its whitelisting to protect itself. In this part, we will provide more information about the malware’s internals, this variant, and steps to unlock the ransomware lock screen. Variant 1. This variant seems to be inspired by …

The post Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking appeared first on McAfee Blogs.

Intel Security Launches ‘Threat Landscape Dashboard’

10 Feb 2017

Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to …

The post Intel Security Launches ‘Threat Landscape Dashboard’ appeared first on McAfee Blogs.

Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service

03 Feb 2017

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We …

The post Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service appeared first on McAfee Blogs.

Spotlight on Shamoon

27 Jan 2017

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents …

The post Spotlight on Shamoon appeared first on McAfee Blogs.

With Release of Windows 10, Questions About BitLocker Arise Again

26 Jan 2017

This post was written by Ted Pan. Those of you who were around during the original release of Microsoft’s BitLocker, previously known as Secure Startup, will remember that it was meant to completely eliminate the necessity for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack …

The post With Release of Windows 10, Questions About BitLocker Arise Again appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 1: Whitelisting

20 Jan 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected …

The post Analyzing KillDisk Ransomware, Part 1: Whitelisting appeared first on McAfee Blogs.

Stopping Malware With a Fake Virtual Machine

19 Jan 2017

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute, or will change its behavior to appear harmless. Because some malware uses these tactics, planting …

The post Stopping Malware With a Fake Virtual Machine appeared first on McAfee Blogs.

Trojanized Photo App on Google Play Signs Up Users for Premium Services

13 Jan 2017

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious. Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names …

The post Trojanized Photo App on Google Play Signs Up Users for Premium Services appeared first on McAfee Blogs.

Turkish Instagram Password Stealers Found on Google Play

12 Jan 2017

Intel Security’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) This malware is distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users. The malware leads victims …

The post Turkish Instagram Password Stealers Found on Google Play appeared first on McAfee Blogs.

Top Tips for Securing Home Cameras

05 Jan 2017

Installing a home surveillance camera system can add great benefits but also may introduce new risks to privacy and network security. The goal is to increase your security and peace of mind, while avoiding cybersecurity threats. Here are three tips to consider when purchasing, installing, and configuring your new home camera system. The risks Home …

The post Top Tips for Securing Home Cameras appeared first on McAfee Blogs.

Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

30 Dec 2016

The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed …

The post Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Long Term (Part 2)

27 Dec 2016

In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures. Rise of blockchain …

The post Next Targets for Cybercriminals: the Long Term (Part 2) appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Short Term (Part 1)

25 Dec 2016

Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step …

The post Next Targets for Cybercriminals: the Short Term (Part 1) appeared first on McAfee Blogs.

Floki Bot a Sensation With International Cybercriminals

23 Dec 2016

Floki Bot, new financial malware, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos. Improvements abound …

The post Floki Bot a Sensation With International Cybercriminals appeared first on McAfee Blogs.

Did You Forget to Patch Your IP Camera?

21 Dec 2016

IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowing. IP cameras are targets: Like all Internet-connected devices, IP cameras are at risk of …

The post Did You Forget to Patch Your IP Camera? appeared first on McAfee Blogs.

An Overview of Malware Self-Defense and Protection

19 Dec 2016

Many malware authors spend a great deal of time and effort to develop complex code. Their success depends on a threat’s remaining undetected and avoiding sandbox analysis, antivirus efforts, or malware analysts. This post offers an overview of the mechanisms used by malware to evade detection. If malware is detected quickly, it has little time …

The post An Overview of Malware Self-Defense and Protection appeared first on McAfee Blogs.

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

19 Dec 2016

In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a legitimate application for streaming movies and series. The ransom note gives the victim seven days to choose either option or the …

The post ‘Popcorn Time’ Ransomware Sure to Cause Indigestion appeared first on McAfee Blogs.

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

14 Dec 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this …

The post ‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers appeared first on McAfee Blogs.

“Trojanization” of Legit Apps on the Rise

13 Dec 2016

Intel Security today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect …

The post “Trojanization” of Legit Apps on the Rise appeared first on McAfee Blogs.

McAfee Labs December Threats Report Explores Many Facets of Deception

13 Dec 2016

In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, how Trojans infect legitimate code to appear benign, …

The post McAfee Labs December Threats Report Explores Many Facets of Deception appeared first on McAfee Blogs.

2016: A Year at Ransom

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 provides an overview of how ransomware has evolved over the course of 2016, and how the industry has responded. Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, an increase of 80% since the beginning of the year. Beyond volume, ransomware exhibited notable …

The post 2016: A Year at Ransom appeared first on McAfee Blogs.

How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309

13 Dec 2016

Recently the OpenSSL security library gained a fix for a critical security issue (CVE-2016-6309) that affects OpenSSL Version 1.1.0a. Remote attackers can cause the OpenSSL server to crash, or execute arbitrary code on it, by simply sending a handshake packet with a message larger than 16KB. To defend against these attacks we analyzed the …

The post How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309 appeared first on McAfee Blogs.

Shamoon Rebooted in Middle East, Part 2

09 Dec 2016

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver. The language of these three …

The post Shamoon Rebooted in Middle East, Part 2 appeared first on McAfee Blogs.

Farewell to the SHA-1 Hash Algorithm

01 Dec 2016

Rest in peace SHA-1. Like all security controls, it was valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next …

The post Farewell to the SHA-1 Hash Algorithm appeared first on McAfee Blogs.

Shamoon Rebooted?

29 Nov 2016

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines. The initial infection vector for the recent attacks is …

The post Shamoon Rebooted? appeared first on McAfee Blogs.

Big, Hard-to-Solve Problems

29 Nov 2016

Improving the Lifecycle of Threat Defense Effectiveness

When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, …

The post Big, Hard-to-Solve Problems appeared first on McAfee Blogs.

‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats

29 Nov 2016

In the McAfee Labs 2017 Threats Predictions report, published today, we cover a lot of ground but focus particularly on two areas that will impact IT security for years to come: threats to the cloud and the Internet of Things. The report kicks off with a big-picture examination of difficult-to-solve problems in cyber security and …

The post ‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats appeared first on McAfee Blogs.

You Can Outsource the Work, but You Cannot Outsource the Risk

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Cloud

As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will …

The post You Can Outsource the Work, but You Cannot Outsource the Risk appeared first on McAfee Blogs.

Welcome to the Wild West, Again!

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Internet of Things

The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned once again as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming …

The post Welcome to the Wild West, Again! appeared first on McAfee Blogs.

Upcoming Intel Security Webcast on McAfee Labs 2017 Threats Predictions Moderated by Intel Security CTO Raj Samani

23 Nov 2016

McAfee Labs 2017 Threats Predictions

The cyberattack surface is growing faster than ever before, driven by trends and technologies like the cloud and the Internet of Things (IoT). As the digital landscape evolves, so will threats. What can we expect a year from now—or four years from now? Prepare for the future by attending the …

The post Upcoming Intel Security Webcast on McAfee Labs 2017 Threats Predictions Moderated by Intel Security CTO Raj Samani appeared first on McAfee Blogs.

Worms Could Spread Like Zombies via Internet of Things

21 Nov 2016

Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols. Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a …

The post Worms Could Spread Like Zombies via Internet of Things appeared first on McAfee Blogs.

More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray

09 Nov 2016

On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to …

The post More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray appeared first on McAfee Blogs.

Talking About Cyber Risks Educates the Community

07 Nov 2016

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light: sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and …

The post Talking About Cyber Risks Educates the Community appeared first on McAfee Blogs.

Cerber Ransomware Now Hunts for Databases

04 Nov 2016

Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with …

The post Cerber Ransomware Now Hunts for Databases appeared first on McAfee Blogs.

Top 5 Things to Know About Recent IoT Attacks

02 Nov 2016

Recent Internet attacks have resulted in several popular sites becoming unreachable. The list includes Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have brought to light a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been commonplace for more …

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blogs.

The Latest IoT Device I Do Not Want Hacked

01 Nov 2016

What if someone hacked this remotely controlled semiautonomous tractor? I am a cybersecurity guy and a huge fan of technology. One of the challenges we face in the security industry is the growth of the Internet of Things (IoT). IoT is about connecting everyday objects to the Internet. It might be a toaster, alarm clock, …

The post The Latest IoT Device I Do Not Want Hacked appeared first on McAfee Blogs.

A ‘Second Economy’ Prognosis for Health Care Cybersecurity

26 Oct 2016

Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money. As in other industries, health care is working toward maximizing efficiencies, …

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

26 Oct 2016

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the …

The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee Blogs.

How to Secure the Future of the Internet of Things

22 Oct 2016

The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat to their owners; now they pose a significant threat to everything connected to the Internet.

The old IoT security problem

For the past year, the cybersecurity and IoT communities have been at odds regarding …

The post How to Secure the Future of the Internet of Things appeared first on McAfee Blogs.

Unfolding the Mystery of Cerber Ransomware’s Random File Extension

20 Oct 2016

In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we’ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. (We call this version X, …

The post Unfolding the Mystery of Cerber Ransomware’s Random File Extension appeared first on McAfee Blogs.

Password-Protected Attachment Serves Ransomware

18 Oct 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have …

The post Password-Protected Attachment Serves Ransomware appeared first on McAfee Blogs.

No More Ransom Adds Law Enforcement Partners From 13 Countries

17 Oct 2016

Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel Security, Kaspersky Labs, Dutch National Police, and Europol will be joined by members from Bosnia and Herzegovina, …

The post No More Ransom Adds Law Enforcement Partners From 13 Countries appeared first on McAfee Blogs.

Ransomware Variant XTBL Another Example of Popular Malware

17 Oct 2016

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers …

The post Ransomware Variant XTBL Another Example of Popular Malware appeared first on McAfee Blogs.

Android Banking Trojan Asks for Selfie With Your ID

14 Oct 2016

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain …

The post Android Banking Trojan Asks for Selfie With Your ID appeared first on McAfee Blogs.

Everyone Loves Selfies, Including Malware!

13 Oct 2016

I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, I don’t always have my “good camera” …

The post Everyone Loves Selfies, Including Malware! appeared first on McAfee Blogs.

New Security Reality for Internet of Things

04 Oct 2016

Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks.

Nontraditional risks

The estimates vary, but they suggest between …

The post New Security Reality for Internet of Things appeared first on McAfee Blogs.

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

03 Oct 2016

Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts. Intel Security CTO Steve Grobman fielded a number of questions on these events …

The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee Blogs.

Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

30 Sep 2016

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key way for the owners of sensor networks to pass the knowledge they gain on to the security analysis community. This generosity …

The post Sharing Cybersecurity Threat Intelligence Is the Only Way We Win appeared first on McAfee Blogs.

Macro Malware Employs Advanced Sandbox-Evasion Techniques

29 Sep 2016

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant, when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks …

The post Macro Malware Employs Advanced Sandbox-Evasion Techniques appeared first on McAfee Blogs.

How Can We Stop ‘ROP’ Cyberattacks?

28 Sep 2016

IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for …

The post How Can We Stop ‘ROP’ Cyberattacks? appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning

28 Sep 2016

Analytics, big data, automation, and machine learning are all terms we use when talking about the future of cybersecurity. As the volume of security data increases, data science will become an important weapon to disrupt adversaries. Too often, these terms are used as synonyms, but they refer to different parts of the domain of data …

The post ‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss

26 Sep 2016

Data is leaking out of your organization: accidentally or intentionally, by insiders or outsiders, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices to reduce your exposure to data loss. We …

The post ‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You

23 Sep 2016

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a monumental job. Unfortunately, this is the state of many hospitals, leading the criminal underground to their back doors. Ransomware attackers have shifted focus, moving from consumers to organizations with …

The post ‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You appeared first on McAfee Blogs.

Hardware Hack Bypasses iPhone PIN Security Counter

22 Sep 2016

A security researcher from the University of Cambridge has found a way to hack the iPhone NAND memory hardware to sufficiently bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI as part of the highly publicized privacy case in …

The post Hardware Hack Bypasses iPhone PIN Security Counter appeared first on McAfee Blogs.

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

21 Sep 2016

Despite headlines, hype, and hysteria, the US government rightly chooses cybersecurity guidance over regulation. The Obama administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course …

The post Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars appeared first on McAfee Blogs.

Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next

19 Sep 2016

One target of cybercriminals is cryptocurrencies, which hold tremendous wealth but are largely anonymous. This limits the attack surface mostly to avenues requiring complex technical approaches. Always preferring the path of least resistance, many fraudsters and online thieves prefer to target people rather than systems. This is the second of two posts on threats to …

The post Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next appeared first on McAfee Blogs.

Locky Ransomware Hides Inside Packed .DLL

16 Sep 2016

McAfee Labs has seen a huge increase in Locky ransomware in recent months (discussed in an earlier blog). Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails. Since its first variant Locky has taken advantage of compromised domains to download its malicious executable. Recently it has downloaded a malicious dynamic link …

The post Locky Ransomware Hides Inside Packed .DLL appeared first on McAfee Blogs.

Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation

14 Sep 2016

All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he robbed banks. His reply was “Because that’s where the money is.” The simplicity rings true. That same age-old principle …

The post Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation appeared first on McAfee Blogs.

The Quarterly Threats Report: What Does It Mean for You?

14 Sep 2016

The latest edition of the Quarterly Threats Report (QTR) was released this week by McAfee Labs. If you’re not familiar with them, McAfee Labs is our research organization tasked with researching all the latest threats that people are seeing out there in the wild, as well as looking at trends that help indicate what the …

The post The Quarterly Threats Report: What Does It Mean for You? appeared first on McAfee Blogs.

Machine Learning, the Unsung Hero in the Latest ‘Threats Report’

14 Sep 2016

The story about ransomware in hospitals in our newly published McAfee Labs Threats Report: September 2016 will probably garner most of the media’s attention, but I think the most interesting story in the report is about machine learning. Here’s why. Intel Security has used machine learning in our classification models since the mid-2000s. Initially, we …

The post Machine Learning, the Unsung Hero in the Latest ‘Threats Report’ appeared first on McAfee Blogs.

Malware Hides in Installer to Avoid Detection

25 Aug 2016

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually every malware family uses its own polymorphic packers to obfuscate its payload. In this …

The post Malware Hides in Installer to Avoid Detection appeared first on McAfee Blogs.

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

25 Aug 2016

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of Intel Security, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about Intel Security’s responsibility as a leading security …

The post Improve Protection Against Cyberattacks Through Shared Threat Intelligence appeared first on McAfee Blogs.

‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free

23 Aug 2016

Intel Security and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of …

The post ‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free appeared first on McAfee Blogs.

Cerber Ransomware Updates Configuration File

16 Aug 2016

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, and exploits of vulnerable websites, and also takes advantage of exploit kits like Angler, Nuclear, and others. During our analysis of the new …

The post Cerber Ransomware Updates Configuration File appeared first on McAfee Blogs.

Bing.VC Hijacks Browsers Using Legitimate Applications

10 Aug 2016

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently …

The post Bing.VC Hijacks Browsers Using Legitimate Applications appeared first on McAfee Blogs.

Obfuscated Malware Discovered on Google Play

10 Aug 2016

The McAfee Labs Mobile Malware Research team found early this week on Google Play a set of malware published by the developer account ValerySoftware: Each one of these apps has been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat. Some characteristics of this malware: …

The post Obfuscated Malware Discovered on Google Play appeared first on McAfee Blogs.

Banload Trojan Targets Brazilians With Malware Downloads

09 Aug 2016

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or …

The post Banload Trojan Targets Brazilians With Malware Downloads appeared first on McAfee Blogs.

‘Cat-Loving’ Mobile Ransomware Operates With Control Panel

08 Aug 2016

Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider. The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this …

The post ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel appeared first on McAfee Blogs.

Setting Up HTTPS for Google App Engine Applications

08 Aug 2016

Thursday, we posted advice on creating a custom domain name for an application developed with Google’s App Engine. In this post, we will learn how to add SSL support and force the App Engine application to use only SSL. Start by obtaining an SSL certificate for your domain from an authorized certificate authority. Consider following …

The post Setting Up HTTPS for Google App Engine Applications appeared first on McAfee Blogs.

Creating a Custom Domain Name with a Google App Engine Application

05 Aug 2016

Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers can create applications and deploy them to the App Engine. When a web application is created using the App Engine, the application is assigned a unique project ID. Developers …

The post Creating a Custom Domain Name with a Google App Engine Application appeared first on McAfee Blogs.

Active iOS Smishing Campaign Stealing Apple Credentials

29 Jul 2016

Intel Security Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked, to trick them into accessing a phishing site that steals the real Apple credentials. Here is an example of an SMS message from this campaign: The message pretends to be …

The post Active iOS Smishing Campaign Stealing Apple Credentials appeared first on McAfee Blogs.

Taking Steps to Fight Back Against Ransomware

27 Jul 2016

Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business …

The post Taking Steps to Fight Back Against Ransomware appeared first on McAfee Blogs.

Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers

26 Jul 2016

The Mobile Malware Research Team of Intel Security has discovered in recent weeks a number of new threats in the Middle East. In May, we uncovered a spying campaign targeting cybersecurity professionals in Saudi Arabia. This week, the team exposed a strain of spyware targeting another specific group of mobile users: individuals with possible sympathies toward …

The post Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers appeared first on McAfee Blogs.

No More Ransom: A New Initiative to Battle Ransomware

25 Jul 2016

Ransomware has seen a huge increase over the past couple of years. According to our June Quarterly Threats Report, there was a 113% increase in ransomware over the past year. However, the real indicator for me has been an increase in questions about ransomware I get from people once they find out I work for …

The post No More Ransom: A New Initiative to Battle Ransomware appeared first on McAfee Blogs.

Intel Security Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware

25 Jul 2016

Intel Security, Europol, Kaspersky Lab, and Dutch police have taken down the Shade ransomware botnet and captured encryption keys to unlock victims’ systems. Although we talk a great deal about the value of public-private partnerships in the fight against cybercrime, few events in the cybersecurity field are more inspiring than seeing such collaboration in action and …

The post Intel Security Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware appeared first on McAfee Blogs.

Phishing Attacks Employ Old but Effective Password Stealer

21 Jul 2016

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations led us to believe this may be a case of industrial …

The post Phishing Attacks Employ Old but Effective Password Stealer appeared first on McAfee Blogs.

Patch Now: Simple Office ‘Protected View’ Bypass Could Have Big Impact

12 Jul 2016

Protected View is a security feature of Microsoft Office. According to research from MWR Labs, Protected View mode is a strong application-level sandbox. In a real-world attack scenario, Office documents from the Internet, such as documents downloaded from browsers (Chrome, Edge, Internet Explorer) or attachments received in email clients (such as Outlook), are opened by default in …

The post Patch Now: Simple Office ‘Protected View’ Bypass Could Have Big Impact appeared first on McAfee Blogs.

Trojanized Pokémon GO Android App Found in the Wild

08 Jul 2016

Pokémon GO is a new mobile game that allows fans to “catch” Pokémon in the real world using augmented reality and their smartphones’ capabilities such as location technology and built-in cameras. The game was released on July 6 on both the Apple App Store and Google Play but only in Australia, New Zealand, and one day …

The post Trojanized Pokémon GO Android App Found in the Wild appeared first on McAfee Blogs.

Business Email Compromise Hurts Your Organization

06 Jul 2016

As many workers do today, you probably get emails from your boss asking you to perform various tasks. You may also get unusual requests under unusual circumstances—perhaps to put out a fire for a big client or to impress a potential customer. Sometimes in haste you don’t follow standard procedures. But that makes you vulnerable …

The post Business Email Compromise Hurts Your Organization appeared first on McAfee Blogs.

June #SecChat Recap: Findings from the 2016 Verizon DBIR

30 Jun 2016

This year’s highly anticipated Verizon 2016 Data Breach Investigations Report (Verizon DBIR) analyzed cybersecurity findings from 100,000 incidents and 2,260 confirmed breaches, taking a deep dive into popular attack types and threats in 2015. During our June Twitter #SecChat, we discussed findings from the report, and examined prominent threats and their impact on industries. Participating …

The post June #SecChat Recap: Findings from the 2016 Verizon DBIR appeared first on McAfee Blogs.

Security Best Practices for Azure App Service Web Apps, Part 4

24 Jun 2016

Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. …

The post Security Best Practices for Azure App Service Web Apps, Part 4 appeared first on McAfee Blogs.

Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection

21 Jun 2016

Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky. Recently McAfee Labs has encountered a new variant of macro malware that uses new techniques to avoid executing in an undesirable environment. With this variant when we …

The post Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection appeared first on McAfee Blogs.

JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware

21 Jun 2016

The ransomware Nemucod has been very prevalent in the last few months. Nemucod’s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along …

The post JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware appeared first on McAfee Blogs.

Microsoft’s June Patch Kills Potential CFG Bypass

16 Jun 2016

After applying Microsoft’s June patch, we noticed some interesting changes that prevent a security bypass of Windows’ Control Flow Guard (CFG). The changes are in the Shader JIT compiler of the Windows Advanced Rasterization Platform (WARP) module (d3d10warp.dll). The Shader JIT compiler could formerly be used to create a CFG bypass. CFG is known to …

The post Microsoft’s June Patch Kills Potential CFG Bypass appeared first on McAfee Blogs.

Intel Innovates to Stop Cyberattacks

16 Jun 2016

Intel, in partnership with Microsoft, has published a technology preview, showing how innovation in silicon architecture can help protect against advanced code-reuse attack techniques. This is an example of how brilliant minds across the industry can think long term to address cybersecurity problems through improvements in hardware. Key components, such as the central processing unit, …

The post Intel Innovates to Stop Cyberattacks appeared first on McAfee Blogs.

Mobile App Collusion Highlights McAfee Labs Threats Report

14 Jun 2016

I would be lost without my smartphone and its many convenient features. I look at my calendar and click to schedule an online meeting, inviting attendees from my contact list. I use my airline app to make sure my flight is on time and click to check the weather at my destination. I pick a …

The post Mobile App Collusion Highlights McAfee Labs Threats Report appeared first on McAfee Blogs.

‘Thrones’ Jon Snow Appears to Employ Neutrino Exploit Kit

10 Jun 2016

This blog post was written by Kalpesh Mantri. You read that right. Jon Snow appears to be back from the dead. That would make “Game of Thrones” fans happy, but unfortunately this Jon Snow is not the same character. This John (with an h) Snow is related to Neutrino exploit kits, one of the commonly used …

The post ‘Thrones’ Jon Snow Appears to Employ Neutrino Exploit Kit appeared first on McAfee Blogs.

Experts Discuss the 2016 Verizon DBIR: June #SecChat

10 Jun 2016

Cybersecurity in 2016 has been full of sensational headlines. Ransomware has shut down multiple hospitals, millions of credentials have been pilfered, and countless companies have had their records stolen using phishing tactics. But is it really accurate to judge the state of the industry by headlines alone? What if we took a more analytical approach …

The post Experts Discuss the 2016 Verizon DBIR: June #SecChat appeared first on McAfee Blogs.

Zcrypt Expands Reach as ‘Virus Ransomware’

08 Jun 2016

Intel Security has recently seen a new kind of ransomware, Zcrypt, that can self-replicate. This “virus ransomware” arrives via email in a malicious attachment or by usurping an Adobe Flash Player installation. The malware copies itself onto removable drives to infect other machines. Zcrypt uses the Nullsoft Scriptable Install System, which works like a Zip file, decompressing …

The post Zcrypt Expands Reach as ‘Virus Ransomware’ appeared first on McAfee Blogs.

Threat Actors Employ COM Technology in Shellcode to Evade Detection

06 Jun 2016

COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several “features” built into COM have led to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the …

The post Threat Actors Employ COM Technology in Shellcode to Evade Detection appeared first on McAfee Blogs.

Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript

06 Jun 2016

This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering …

The post Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript appeared first on McAfee Blogs.

Trillium Exploit Kit Update Offers ‘Security Tips’

02 Jun 2016

McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool and it contains new functionality. These include: a PDF downloader, a password generator, and security tips. PDF downloader: The user …

The post Trillium Exploit Kit Update Offers ‘Security Tips’ appeared first on McAfee Blogs.

Android Spyware Targets Security Job Seekers in Saudi Arabia

31 May 2016

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, Intel Security Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism …

The post Android Spyware Targets Security Job Seekers in Saudi Arabia appeared first on McAfee Blogs.

Seeing Through Darkleech Obfuscation: a Quick Hack to Iframes

27 May 2016

This blog post was written by Kalpesh Mantri. Darkleech is an Apache module on the dark web that distributes malware. This tool, which appeared in 2012, was first used to infect many Apache servers and later sites running Microsoft IIS. The campaign infecting IIS sites was named pseudo-Darkleech because it resembles the Apache infector module. (In this …

The post Seeing Through Darkleech Obfuscation: a Quick Hack to Iframes appeared first on McAfee Blogs.

Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe

26 May 2016

Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that …

The post Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe appeared first on McAfee Blogs.

Which Cybersecurity Data Should You Trust?

24 May 2016

Limitations of security data: We are constantly battered by cybersecurity data, reports, and marketing collateral—and we shouldn’t treat all of this information equally. Security data has inherent limitations and biases, which result in varying value and relevance in how it should be applied. It is important to understand which data is significant and how best to …

The post Which Cybersecurity Data Should You Trust? appeared first on McAfee Blogs.

ISAO Group Hosts Productive 3rd Public Meeting

24 May 2016

This post first appeared at Policy@Intel. The Information Sharing and Analysis Organization Standards Organization (ISAO SO) held its Third Public Forum on May 18–19 in Anaheim, California. More than 100 participants from academia, government, and industry sectors, including multiple participants from Intel, assembled to discuss the initial drafts recently published by the ISAO SO and …

The post ISAO Group Hosts Productive 3rd Public Meeting appeared first on McAfee Blogs.

Malware Mystery: JS/Nemucod Downloads Legitimate Installer

21 May 2016

JS/Nemucod is the detection name given to a family of malicious JavaScript downloaders that have appeared in spam campaigns since last year. They usually arrive as an email attachment, embedded in a ZIP archive, and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering …

The post Malware Mystery: JS/Nemucod Downloads Legitimate Installer appeared first on McAfee Blogs.

Attacks on SWIFT Banking System Benefit From Insider Knowledge

20 May 2016

In recent months, we’ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and read unique messages from SWIFT (Society for Worldwide Interbank Financial Telecommunication), as well as adjust balances and send details to a remote control server. …

The post Attacks on SWIFT Banking System Benefit From Insider Knowledge appeared first on McAfee Blogs.

5 Steps to Enhance Security of Cloud Applications

18 May 2016

When you move applications to the cloud, the attack surface changes while the vulnerabilities at the application, database, and network level persist. To address these issues, securing the cloud perimeter, preventing unauthorized access, and protecting data are crucial. The first step is to reduce the attack surface. Run a port scan specific to an instance IP and lock …

The post 5 Steps to Enhance Security of Cloud Applications appeared first on McAfee Blogs.

Can Zealous Security Cause Harm?

17 May 2016

Good security requires balancing risks, costs, and usability. Too much or too little of each can be unhealthy and lead to unintended consequences. We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data. Failures can create life-safety issues and major …

The post Can Zealous Security Cause Harm? appeared first on McAfee Blogs.

Sex Sells: Looking at Android Adult Adware Apps

13 May 2016

Advertising is one of the primary methods to generate money from mobile devices. Ads can be displayed in the browser when you visit a specific website or can appear in free apps. In the case of mobile apps, the developer must select a theme that attracts many users to increase revenues. There is probably no …

The post Sex Sells: Looking at Android Adult Adware Apps appeared first on McAfee Blogs.

Key Lessons From Verizon’s ‘2016 Data Breach Investigations Report’

12 May 2016

The annual Data Breach Investigations Report (DBIR) is out and reinforces the value of well-established cybersecurity practices. The good folks at Verizon have once again published one of the most respected annual reports in the security industry. The report sets itself apart with the authors intentionally avoiding unreliable “survey” data and instead striving to communicate …

The post Key Lessons From Verizon’s ‘2016 Data Breach Investigations Report’ appeared first on McAfee Blogs.

Server-Side Request Forgery Takes Advantage of Vulnerable App Servers

12 May 2016

Server-side request forgery is an attack in which an attacker can force a vulnerable server to trigger malicious requests to third-party servers and/or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. This ability makes server-side request forgery …

The post Server-Side Request Forgery Takes Advantage of Vulnerable App Servers appeared first on McAfee Blogs.

Current Campaign Delivers Hundreds of Thousands of Polymorphic Ransomware

10 May 2016

You might have been getting out of bed when attackers started sending hundreds of thousands of fake invoices the morning of April 27. Between 5:45 am and 11 am Pacific time, the first phase of the operation was steamrolling along. The invoices sent with fake .rtf files attached were in no way legitimate. In McAfee …

The post Current Campaign Delivers Hundreds of Thousands of Polymorphic Ransomware appeared first on McAfee Blogs.

Android Malware Clicker.G!Gen Found on Google Play

04 May 2016

Recently the Mobile Malware Research Team of McAfee found on Google Play a new campaign of Android/Clicker.G in dozens of published malicious apps. This threat targets Russians but the apps are accessible worldwide. The attackers lure their victims with apps associated with health care, sports, food, games, and many other topics. Some of the apps …

The post Android Malware Clicker.G!Gen Found on Google Play appeared first on McAfee Blogs.

The Morning After: What Happens to Data Post-Breach?

02 May 2016

This post first appeared on the security website Dark Reading. We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data. We are hopeful that new insights will provide a compelling answer to the question “So what?” No company is bulletproof when it comes to …

The post The Morning After: What Happens to Data Post-Breach? appeared first on McAfee Blogs.
© dedoLa 2010-2017