SANS

Old posts >>

Decrypting malicious PDFs with the key, (Mon, Jan 15th)

15 Jan 2018

Sometimes malicious documents are encrypted, like PDFs. If you know the user password, you can use a tool like QPDF to decrypt it. If it&#;x26;#;39;s encypted for DRM (with an owner password), QPDF can decrypt it without you knowing the owner password.

Peeking into Excel files, (Sun, Jan 14th)

14 Jan 2018

Since late 2014, malicious Office documents with macros appeared in the wild again. Malware authors don&#;x26;#;39;t always rely on VBA macros to execute their payload, exploits and feature abuse are part of their bag of tricks too.

Flaw in Intel's Active Management Technology (AMT), (Sat, Jan 13th)

13 Jan 2018

It has been a rough week for Intel. Several media outlets are are reporting that researchers at F-Secure hav&#;x26;#;xc2;&#;x26;#;xa0;discovered a flaw in Intel&#;x26;#;39;s Active Management Technology (AMT) which is in most&#;x26;#;xc2;&#;x26;#;xa0;business laptops. AMT is the technology which is used by corporations to remotely manage their&#;x26;#;xc2;&#;x26;#;xa0; deployed laptops.

Those pesky registry keys required by critical security patches, (Fri, Jan 12th)

12 Jan 2018

With the “storm” around Meldown and Spectre slowly winding down, I would like to remind everyone on registry changes that are required by the latest patches released by Microsoft.

Mining or Nothing!, (Thu, Jan 11th)

11 Jan 2018

Cryptocurrencies mining has been a trending attack for a few weeks. Our idling CPUs are now targeted by bad guys who are looked to generate some extra revenue by abusing our resources. Other fellow handlers already posted diaries about this topic. Renato found a campaign based on a WebLogic exploit[1] and Jim detected a peak of activity on port %%port:3333%%[2]. Yesterday, while reviewed alerts generated by my hunting scripts, I found an interesting snippet of code on Pastebin. Here is a copy of the script with some added comments in blue:


Sophos

It’s raining fake missiles: Japan follows Hawaii with mistaken alert

16 Jan 2018

First the US state of Hawaii; now Japanese broadcaster NHK has issued an erroneous warning about a North Korean missile attack.

FBI expert calls Apple ‘jerks’ as encryption tension simmers

16 Jan 2018

Apple has been called many things in its time but never, as far as anyone can remember, “jerks” by an FBI employee speaking at a public conference.

Man charged over fatal “Call of Duty” SWATting

16 Jan 2018

Gamer Tyler Barriss allegedly made the hoax emergency call, that ended with the death of an innocent man, over a $1.50 video game wager.

Hawaii missile alert triggered by one wrong click

16 Jan 2018

The false alarm about a missile was too easy to make and too hard to stop

Old posts >>

Netflix phishing campaign goes after your login, credit card, mugshot and ID

15 Jan 2018

Netflix phishing campaign goes for login, credit card, mugshot and ID

House votes for six more years of warrantless surveillance

15 Jan 2018

If you’re a member of the US “intelligence community” Thursday was a great day for homeland security. Less so if you're a privacy advocate.

Typosquatting and the risks of one wrong keystroke

15 Jan 2018

It's easy to do – you quickly type a URL you use every day and, in your haste, you accidentally swap, add, or delete a single letter and hit enter. Next thing you know you're on a typosquatting website.

How to set up 2FA on your Facebook account

15 Jan 2018

As Facebook continues to embed itself into the fabric of our social and online lives - or, perhaps it's more correct to say, as we let Facebook continue to embed itself in our lives - it's increasingly important that we keep our accounts safe from unauthorized use.

More SCADA app vulnerabilities found

15 Jan 2018

A big motivation for pulling software apart to find security flaws is the idealistic hope that developers will get the message and do a better job next time. But what happens if they don’t?

iPhone’s Apple Health data used as evidence in murder trial

15 Jan 2018

The data showed the suspect twice "climbed stairs": what investigators said was altitude changes as the body was dragged down to a riverbank.


TrendMicro

UK Conviction Arises out of Trend Micro and NCA Partnership

16 Jan 2018

On January 15, Goncalo Esteves from Essex, UK plead guilty on 3 charges of computer offenses under UK law:

  • 2 charges against Section 3A of the Computer Misuse Act 1990 (Making/adapting/supplying an article intended for use/to assist in commission of section 1 or 3 Computer Misuse offense)
  • 1 charge against Section 327(1) and Section 334 Proceeds of Crime Act 2002 (Concealing/disguising/converting/transferring/removing criminal property)

This marks the result of a collaborative investigation that Trend Micro and the National Crime Agency (NCA) in the United Kingdom initiated back in 2015, when the two organizations signed a Memorandum of Understanding (MOU) to work together in the fight against cybercrime. This collaboration is not restricted to this case alone, with Trend Micro actively continuing to assist the UK, as well as other international law enforcement partners, in their fight against cybercrime.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

UK Conviction Arises out of Trend Micro and NCA Partnership

Old posts >>

New KillDisk Variant Hits Financial Organizations in Latin America

15 Jan 2018

We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America. Trend Micro detects it as TROJ_KILLDISK.IUB. Trend Micro™ Deep Discovery™ proactively blocks any intrusions or attacks associated with this threat. Initial analysis (which is still ongoing) reveals that it may be a component of another payload, or part of a bigger attack. We are still analyzing this new KillDisk variant and we will update this post as we uncover more details about this threat.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New KillDisk Variant Hits Financial Organizations in Latin America

Update on Pawn Storm: New Targets and Politically Motivated Campaigns

12 Jan 2018

The active espionage actor group Pawn Storm didn’t shy away from continuing their brazen attacks in the second half of 2017. Pawn Storm's attacks usually are not isolated incidents. We can often relate them to earlier attacks by carefully looking at the technical indicators and motives.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Update on Pawn Storm: New Targets and Politically Motivated Campaigns

New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks

10 Jan 2018

Last year, we saw the Fanta SDK malware target Russian bank Sberbank users and employ unique defensive measures. Now, another bank malware family has appeared, targeting even more Russian banks while using new and evolved obfuscation techniques. This family is named FakeBank, and so far the related samples we have collected number in the thousands. These samples show that the malware targets not only Sberbank, but also other Russian banks like Letobank and the VTB24 bank.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

New Mobile Malware Uses Layered Obfuscation and Targets Russian Banks

January’s Patch Tuesday Fixes 56 Security Issues, Including Meltdown and Spectre

10 Jan 2018

This year’s first Patch Tuesday is a busy one. Microsoft released 56 updates that include patches for the Meltdown and Spectre vulnerabilities. The patches also addressed security issues in Windows OS, Internet Explorer, Edge, Office, ChakraCore, ASP.NET, and .NET Framework. Sixteen were rated critical and 38 important, 20 of which can result in remote code execution (RCE).

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

January’s Patch Tuesday Fixes 56 Security Issues, Including Meltdown and Spectre

First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services

09 Jan 2018

We spotted a malicious app (detected by Trend Micro as ANDROIDOS_BKOTKLIND.HRX) that appears to be the first developed using Kotlin—an open-source programming language for modern multiplatform applications. The samples we found on Google Play posed as Swift Cleaner, a utility tool that cleans and optimizes Android devices. The malicious app, which has 1,000-5,000 installs as of writing, is capable of remote command execution, information theft, SMS sending, URL forwarding, and click ad fraud. It can also sign up users for premium SMS subscription services without their permission.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

First Kotlin-Developed Malicious App Signs Users Up for Premium SMS Services

When Speculation Is Risky: Understanding Meltdown and Spectre

05 Jan 2018

For several days, rumors circulated about a serious vulnerability in Intel processors. It wasn’t until January 3 that the official disclosure of the Meltdown and Spectre vulnerabilities was made, and it became clear how serious the problems were. To summarize, Meltdown and Spectre both allow malicious code to read memory that they would normally not have permission to.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

When Speculation Is Risky: Understanding Meltdown and Spectre

Apps Disguised as Security Tools Bombard Users With Ads and Track Users’ Location

03 Jan 2018

In early December, we found a total of 36 apps on Google Play that executed unwanted behavior. These apps posed as useful security tools under the names Security Defender, Security Keeper, Smart Security, Advanced Boost, and more. They also advertised a variety of capabilities: scanning, cleaning junk, saving battery, cooling the CPU, locking apps, as well as message security, WiFi security, and so on. The apps were actually able to perform these simple tasks, but they also secretly harvested user data, tracked user location, and aggressively pushed advertisements.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Apps Disguised as Security Tools Bombard Users With Ads and Track Users’ Location

The Need for Better Built-in Security in IoT Devices

27 Dec 2017

As manufacturers develop Internet of Things (IoT) devices that integrate with widely popular internet-based applications, more and more users see the value in purchasing such devices. Ease of integration becomes an incentive for users to consider adding these products to their network of devices. But while the ease of use can be enticing, these products can also be susceptible to security issues that could introduce far-reaching problems.

To see just how safe and secure IoT devices are and to what extent an attacker can manipulate an IoT device, we tested the built-in security of a particular IoT device type — internet-connected speakers.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

The Need for Better Built-in Security in IoT Devices

Janus Android App Signature Bypass Allows Attackers to Modify Legitimate Apps

26 Dec 2017

Android’s regular security update for December 2017 included a fix for a serious vulnerability that could allow attackers to modify installed apps without affecting their signature. This would allow an attacker to gain access to the affected device (indirectly). First found by researchers in July, this vulnerability (designated as CVE-2017-13156, and also called the Janus vulnerability) affects versions of Android from 5.1.1 to 8.0; approximately 74% of all Android devices have these versions installed.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Janus Android App Signature Bypass Allows Attackers to Modify Legitimate Apps


Kaspersky

Skygofree: Following in the footsteps of HackingTeam

16 Jan 2018

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago.

Old posts >>

Happy IR in the New Year!

28 Dec 2017

In IR cases we use a very simple script that is uploaded to every Windows computer in the corporate network to collect logs, NTFS data, entries from the Windows registry and strings from the binary files to find out how exactly the attackers were moving through the network. It’s holiday season and it is our pleasure to share this script with you.

Nhash: petty pranks with big finances

21 Dec 2017

In an earlier publication we noted that cybercriminals were making use of social engineering to install this sort of software on users’ computers. This time, we’d like to dwell more on how exactly the computers of gullible users start working for cybercriminals.

Travle aka PYLOT backdoor hits Russian-speaking targets

19 Dec 2017

At the end of September, Palo Alto released a report on Unit42 activity where they – among other things – talked about PYLOT malware. We have been detecting attacks that have employed the use of this backdoor since at least 2015 and refer to it as Travle. Coincidentally, KL was recently involved in an investigation of a successful attack where Travle was detected, during which we conducted a deep analysis of this malware.

Jack of all trades

18 Dec 2017

Among this array of threats we found a rather interesting sample – Trojan.AndroidOS.Loapi. This Trojan boasts a complicated modular architecture that means it can conduct a variety of malicious activities: mine cryptocurrencies, annoy users with constant ads, launch DDoS attacks from the affected device and much more.

Kaspersky Security Bulletin. Overall statistics for 2017

14 Dec 2017

In 2017, Kaspersky Lab’s web antivirus detected 15 714 700 unique malicious objects (scripts, exploits, executable files, etc.) and 199 455 606 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 1 188 728 338 malicious attacks launched from online resources located in 206 countries all over the world.

Still Stealing

12 Dec 2017

Two years ago we published a blogpost about a popular malware that was being distributed from the Google Play Store. In October and November 2017 we found 85 new malicious apps on Google Play that are stealing credentials for VK.com

Cybercriminals vs financial institutions in 2018: what to expect

06 Dec 2017

During past few years, the number and quality of attacks aimed financial sector organizations has continuously grown. The financial institutions that have not already thought about cyber security, will soon face the consequences of hacker attacks.

Kaspersky Security Bulletin: Review of the Year 2017

05 Dec 2017

The end of the year is a good time to take stock of the main cyberthreat incidents that took place over the preceding 12 months or so. To reflect on the impact these events had on organizations and individuals, and consider what they could mean for the overall evolution of the threat landscape.

Kaspersky Security Bulletin: Story of the year 2017

28 Nov 2017

Welcome to ransomware in 2017 – the year global enterprises and industrial systems were added to the ever-growing list of victims, and targeted attackers started taking a serious interest in the threat. It was also a year of consistently high attack numbers, but limited innovation.


ThreatPost

Google Chrome Once Again Target of Malicious Extensions

16 Jan 2018

Researchers at ICEBRG found four malicious extensions in the official Google Chrome store that affected more than 500,000 users.

Lenovo Patches Networking OS Vulnerability Dating Back to 2004

16 Jan 2018

A bug in Lenovo’s Enterprise Networking Operating System could allow an attacker to launch an authentication bypass attack.

Old posts >>

Intel AMT Loophole Allows Hackers to Gain Control of Some PCs in Under a Minute

12 Jan 2018

Researchers say an unprotected Management Engine BIOS Extension can allow an attacker the ability to configure Intel’s AMT feature for remote access by a hacker.

Apps Exposing Children to Porn Ads Booted From Google Play

12 Jan 2018

Researchers identified 60 apps on Google Play infected with AdultSwine malware that in some cases displayed graphic adult-themed ads on apps intended for children.

House Votes to Reauthorize Controversial Spy Provision, Section 702

11 Jan 2018

The U.S. House of Representatives voted to renew U.S. spy provisions, extending the powers of the NSA to collect internet communications for another six years.

WhatsApp Downplays Damage of a Group Invite Bug

11 Jan 2018

WhatsApp said that claims that infiltrators can add themselves to an encrypted group chat without being noticed is incorrect.

FBI Director Calls Smartphone Encryption an ‘Urgent Public Safety Issue’

10 Jan 2018

The debate over the government's authority to access private encrypted data on digital devices was amplified when the Federal Bureau of Investigation Director Christopher Wray called unbreakable encryption an 'urgent public safety issue.'

Microsoft January Patch Tuesday Update Fixes 16 Critical Bugs

09 Jan 2018

Thanks to Meltdown and Spectre, January has already been an extremely busy month of patching for Microsoft.

Anti-Virus Updates Required Ahead of Microsoft’s Meltdown, Spectre Patches

09 Jan 2018

Microsoft is pausing the rollout of Windows Meltdown and Spectre patches until hosted anti-virus software vendors confirms no unsupported Windows kernel calls via the addition of a registry key on PCs.

Apple Releases Spectre Patches for Safari, macOS and iOS

08 Jan 2018

Apple releases patches addressing the Spectre vulnerability impacting its macOS, iPhone, iPad and iPod touch.


Symantec

Old posts >>

Latest Intelligence for October 2017

10 Nov 2017

Symantec research shows users to be twice as likely to encounter threats through email as any other infection vector, and the spam rate declines slightly for the second month in a row.

Read More

Sowbug: Cyber espionage group targets South American and Southeast Asian governments

07 Nov 2017

Group uses custom Felismus malware and has a particular interest in South American foreign policy.

Read More

Ramnit worm: Still turning up in unlikely places

27 Oct 2017

Over 90 Ramnit-infected apps removed from Google Play.

Read More

BadRabbit: New strain of ransomware hits Russia and Ukraine

25 Oct 2017

BadRabbit is self-propagating and has many similarities to the June 2017 Petya / NotPetya outbreak.

Read More

Android malware on Google Play adds devices to botnet

18 Oct 2017

Symantec has found eight apps infected with the Sockbot malware on Google Play that can add compromised devices to a botnet and potentially perform DDoS attacks.

Read More

Necurs attackers now want to see your desktop

17 Oct 2017

The Necurs botnet is back again, this time spreading a downloader that takes screen grabs of victims’ desktops and reports encountered errors back to the attackers.

Read More

KRACKs: What you need to know about the new Wi-Fi encryption vulnerabilities

16 Oct 2017

Wi-Fi security under threat from newly discovered WPA2 vulnerabilities

Read More

Microsoft Patch Tuesday – October 2017

11 Oct 2017

This month the vendor has patched 62 vulnerabilities, 27 of which are rated Critical.

Read More

Latest Intelligence for September 2017

06 Oct 2017

September saw Symantec uncover new activity by the Dragonfly group, and the start of several new Locky spam campaigns.

Read More

Users encounter threats through email twice as often as other infection vectors

04 Oct 2017

The latest ISTR special report, Email Threats 2017, casts a light on a threat landscape where attackers are actively spreading malicious threats, BEC scams, and a variety of spam through email.

Read More

Latest Intelligence for August 2017

08 Sep 2017

August saw increases in the malware and spam rates, and new phishing warnings from the IRS

Read More

Dragonfly: Western energy sector targeted by sophisticated attack group

06 Sep 2017

Resurgence in energy sector attacks, with the potential for sabotage, linked to re-emergence of Dragonfly cyber espionage group

Read More

Businesses most at risk from new breed of ransomware

30 Aug 2017

The ransomware landscape has shifted dramatically in 2017 and organizations bore the brunt of the damage caused by new, self-propagating threats such as WannaCry and Petya.

Read More

Mobile malware factories: Android apps for creating ransomware

24 Aug 2017

Mobile ransomware can now be created automatically without the need to write code.

Read More

Microsoft Patch Tuesday – August 2017

09 Aug 2017

This month the vendor has patched 48 vulnerabilities, 26 of which are rated Critical.

Read More

Latest Intelligence for July 2017

04 Aug 2017

Email malware rate continues to increase and WannaCry, Petya inspire other threats to add self-spreading components.

Read More

Attackers are increasingly living off the land

12 Jul 2017

The use of fileless threats and dual-use tools by attackers is becoming more common.

Read More

Microsoft Patch Tuesday – July 2017

12 Jul 2017

This month the vendor has patched 54 vulnerabilities, 19 of which are rated Critical.

Read More

Latest Intelligence for June 2017

11 Jul 2017

The chaos causing Petya outbreak and an increase in phishing emails for the third month in a row.

Read More

Petya ransomware outbreak: Here’s what you need to know

27 Jun 2017

Petya ransomware impacting large organizations in multiple countries

Read More


F-Secure

Old posts >>

Further Analysis Of The Finnish Themed Twitter Botnet

12 Jan 2018

In a blog post I published yesterday, I detailed the methodology I have been using to discover “Finnish themed” Twitter accounts that are most likely being programmatically created. In my previous post, I called them “bots”, but for the sake of clarity, let’s refer to them as “suspicious accounts”. These suspicious accounts all follow a […]

Someone Is Building A Finnish-Themed Twitter Botnet

11 Jan 2018

Finland will hold a presidential election on the 28th January 2018. Campaigning just started, and candidates are being regularly interviewed by the press and on the TV. In a recent interview, one of the presidential candidates, Pekka Haavisto, mentioned that both his Twitter account, and the account of the current Finnish president, Sauli Niinistö had […]

Some Notes On Meltdown And Spectre

09 Jan 2018

The recently disclosed Meltdown and Spectre vulnerabilities can be viewed as privilege escalation attacks that allow an attacker to read data from memory locations that aren’t meant to be accessible. Neither of these vulnerabilities allow for code execution. However, exploits based on these vulnerabilities could allow an adversary to obtain sensitive information from memory (such […]

Don’t Let An Auto-Elevating Bot Spoil Your Christmas

18 Dec 2017

Ho ho ho! Christmas is coming, and for many people it’s time to do some online shopping. Authors of banking Trojans are well aware of this yearly phenomenon, so it shouldn’t come as a surprise that some of them have been hard at work preparing some nasty surprises for this shopping season. And that’s exactly […]

Necurs’ Business Is Booming In A New Partnership With Scarab Ransomware

23 Nov 2017

Necurs’ spam botnet business is doing well as it is seemingly acquiring new customers. The Necurs botnet is the biggest deliverer of spam with 5 to 6 million infected hosts online monthly, and is responsible for the biggest single malware spam campaigns. Its service model provides the whole infection chain: from spam emails with malicious […]

RickRolled by none other than IoTReaper

03 Nov 2017

IoT_Reaper overview IoT_Reaper, or the Reaper in short, is a Linux bot targeting embedded devices like webcams and home router boxes. Reaper is somewhat loosely based on the Mirai source code, but instead of using a set of admin credentials, the Reaper tries to exploit device HTTP control interfaces. It uses a range of vulnerabilities […]

Facebook Phishing Targeted iOS and Android Users from Germany, Sweden and Finland

30 Oct 2017

Two weeks ago, a co-worker received a message in Facebook Messenger from his friend. Based on the message, it seemed that the sender was telling the recipient that he was part of a video in order to lure him into clicking it. The shortened link was initially redirecting to Youtube.com, but was later on changed […]

The big difference with Bad Rabbit

27 Oct 2017

Bad Rabbit is the new bunny on the ransomware scene. While the security community has concentrated mainly on the similarities between Bad Rabbit and EternalPetya, there’s one notable difference which has not yet gotten too much attention. The difference is that Bad Rabbit’s disk encryption works. EternalPetya re-used the custom disk encryption method from the […]

Following The Bad Rabbit

26 Oct 2017

On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our […]

Twitter Forensics From The 2017 German Election

25 Sep 2017

Over the past month, I’ve pointed Twitter analytics scripts at a set of search terms relevant to the German elections in order to study trends and look for interference. Germans aren’t all that into Twitter. During European waking hours Tweets in German make up less than 0.5% of all Tweets published. Over the last month, […]

TrickBot In The Nordics, Episode II

14 Sep 2017

The banking trojan TrickBot is not retired yet. Not in the least. In a seemingly never ending series of spam campaigns – not via the Necurs botnet this time – we’ve spotted mails written in Norwegian that appear to be sent by DNB, Norway’s largest bank. The mail wants the recipient to believe that they […]

Working Around Twitter API Restrictions To Identify Bots

31 Aug 2017

Twitter is by far the easiest social media platform to work with programmatically. The Twitter API provides developers with a clean and simple interface to query Twitter’s objects (Tweets, users, timelines, etc.) and bindings to this API exist for many languages. As an example, I’ve been using Tweepy to write Python scripts that work with Twitter data. […]

Trump Hating South Americans Hacked HBO

24 Aug 2017

Last week – I read the message “Mr. Smith” reportedly sent to HBO… and it brought up a few questions. And also, it offered some “answers” to questions that I’m often asked. Questions such as “how much money do cyber criminals make?” Here’s the start of the message. First, let’s examine Mr. Smith and his […]

Break your own product, and break it hard

19 Jul 2017

Hello readers, I am Andrea Barisani, founder of Inverse Path, which is now part of F-Secure. I lead the Hardware Security consulting team within F-Secure’s Cyber Security Services. You may have heard of our USB armory product, an innovative compact computer for security applications that is 100% open hardware, open source and Made in Italy. […]

Retefe Banking Trojan Targets Both Windows And Mac Users

14 Jul 2017

Based on our telemetry, customers (mainly in the region of Switzerland and Germany) are being targeted by a Retefe banking trojan campaign which uses both Windows and macOS-based attachments. Its massive spam run started earlier this week and peaked yesterday afternoon (Helsinki time). TrendMicro did a nice writeup on this threat earlier this week. The […]

How EternalPetya Encrypts Files In User Mode

04 Jul 2017

On Thursday of last week (June 29th 2017), just after writing about EternalPetya, we discovered that the user-mode file encryption-decryption mechanism would be functional, provided a victim could obtain the correct key from the malware’s author. Here’s a description of how that mechanism works. EternalPetya malware uses the standard Win32 crypto API to encrypt data. […]

What Good Is A Not For Profit (Eternal) Petya?

30 Jun 2017

Following up on our post from yesterday, as an intellectual thought experiment, let’s take the position that there’s something to the idea of (Eternal) Petya not being motivated by money/profit. Let’s also just go ahead and imagine that it’s been developed by a nation state. In my mind, it raises the following question: WTF WHY? […]

(Eternal) Petya From A Developer’s Perspective

30 Jun 2017

In our previous post about Petya, we speculated that the short-cuts, design flaws, and non-functional mechanisms observed in the  malware could have arisen due to it being developed under a tight deadline. I’d now like to elaborate a little on what we meant by that. As a recap, this is what the latest version of Petya […]

Petya: “I Want To Believe”

29 Jun 2017

There’s been a lot of speculation and conjecture around this “Petya” outbreak. A great deal of it seems to have been fueled by confirmation bias (to us, at least). Many things about this malware don’t add up (at first glance). But it wouldn’t be the first time that’s happened. And yet everyone seems to have […]

Processing Quote Tweets With Twitter API

23 Jun 2017

I’ve been writing scripts to process Twitter streaming data via the Twitter API. One of those scripts looks for patterns in metadata and associations between accounts, as streaming data arrives. The script processes retweets, and I decided to add functionality to also process quote Tweets. Retweets “echo” the original by embedding a copy of the […]


McAfee

Old posts >>

North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

11 Jan 2018

Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver …

The post North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk appeared first on McAfee Blogs.

Malicious Document Targets Pyeongchang Olympics

06 Jan 2018

McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics. Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). The primary target of …

The post Malicious Document Targets Pyeongchang Olympics appeared first on McAfee Blogs.

Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’

04 Jan 2018

The McAfee Advanced Threat Research (ATR) Team has closely followed the attack techniques that have been named Meltdown and Spectre throughout the lead-up to their announcement on January 3. In this post, McAfee ATR offers a simple and concise overview of these issues, to separate fact from fiction, and to provide insight into McAfee’s capabilities …

The post Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’ appeared first on McAfee Blogs.

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker

20 Dec 2017

In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

The post McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker appeared first on McAfee Blogs.

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

18 Dec 2017

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014. Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any …

The post Operation Dragonfly Analysis Suggests Links to Earlier Attacks appeared first on McAfee Blogs.

Looking Into the World of Ransomware Actors Reveals Some Surprises

18 Dec 2017

During the preparations for our keynotes at McAfee’s recent MPOWER conference, we brainstormed a few topics we wanted to share with the audience. Ransomware was definitely on our agenda, but so much has already been said and written on the subject. What could we add that would be interesting? We hit on the angle: to …

The post Looking Into the World of Ransomware Actors Reveals Some Surprises appeared first on McAfee Blogs.

McAfee Labs Reports All-Time Highs for Malware in Latest Count

18 Dec 2017

In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second? One major trend that continues in Q3 is the abuse of Microsoft Office–related exploits and …

The post McAfee Labs Reports All-Time Highs for Malware in Latest Count appeared first on McAfee Blogs.

Chinese Cybercriminals Develop Lucrative Hacking Services

13 Dec 2017

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according …

The post Chinese Cybercriminals Develop Lucrative Hacking Services appeared first on McAfee Blogs.

Emotet Downloader Trojan Returns in Force

06 Dec 2017

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload. We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, …

The post Emotet Downloader Trojan Returns in Force appeared first on McAfee Blogs.

‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends

29 Nov 2017

Welcome to the McAfee Labs 2018 Threats Predictions Report. We find ourselves in a highly volatile stage of cybersecurity, with new devices, new risks, and new threats appearing every day. In this edition, we have polled thought leaders from McAfee Labs and the Office of the CTO. They offer their views on a wide range of threats, including machine learning, ransomware, serverless apps, and privacy issues.

The post ‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends appeared first on McAfee Blogs.

Should I Worry About AVGater, Which Exploits Some Security Products?

28 Nov 2017

On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file in a user’s defined location. After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation …

The post Should I Worry About AVGater, Which Exploits Some Security Products? appeared first on McAfee Blogs.

Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735

24 Nov 2017

I am a wry observer of vulnerability announcements. CVE-2017-3735—which can allow a small buffer overread in an X.509 certificate—presents an excellent example of the limitations of the Common Vulnerability Scoring System (CVSS). This scoring system is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is …

The post Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735 appeared first on McAfee Blogs.

Malware Mines, Steals Cryptocurrencies From Victims

22 Nov 2017

How’s your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions. Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors such …

The post Malware Mines, Steals Cryptocurrencies From Victims appeared first on McAfee Blogs.

Lazarus Cybercrime Group Moves to Mobile Platform

20 Nov 2017

When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is …

The post Lazarus Cybercrime Group Moves to Mobile Platform appeared first on McAfee Blogs.

Android Malware Appears Linked to Lazarus Cybercrime Group

20 Nov 2017

The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research …

The post Android Malware Appears Linked to Lazarus Cybercrime Group appeared first on McAfee Blogs.

IoT Devices: The Gift that Keeps on Giving… to Hackers

16 Nov 2017

McAfee Advanced Threat Research on Most Hackable Gifts You’ve probably noticed the recent increase in Internet connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. The sale of these “Internet-of-Things” (IoT) devices is expected to reach 600 million units this year and, unfortunately, …

The post IoT Devices: The Gift that Keeps on Giving… to Hackers appeared first on McAfee Blogs.

New Android Malware Found in 144 GooglePlay Apps

14 Nov 2017

McAfee’s Mobile Research team has found a new Android malware in 144 “Trojanized” applications on Google Play. We named this threat Grabos because we found this string in several elements of the code, including variable and method names. Grabos was initially found in the Android application “Aristotle Music audio player 2017,” which claimed to be …

The post New Android Malware Found in 144 GooglePlay Apps appeared first on McAfee Blogs.

Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack

07 Nov 2017

During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The …

The post Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack appeared first on McAfee Blogs.

Self-Signed Certificates Can Be Secure, So Why Ban Them?

03 Nov 2017

In many organizations the use of self-signed certificates is forbidden by policy. Organizations may ban the use of self-signed certificates for several reasons: It is trivially easy to generate a certificate’s key pair without reasonable entropy, to fail protect the private key of the key pair appropriately to its use, to poorly validate the certificate …

The post Self-Signed Certificates Can Be Secure, So Why Ban Them? appeared first on McAfee Blogs.

Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization

01 Nov 2017

The McAfee Mobile Research team recently found pirated applications of popular apps distributed on the Google Play store. A pirated app is one distributed usually outside of the official store as a free version of a legitimate app. Paid legitimate applications are leading targets of pirated versions. In this case, however, we found pirated copies …

The post Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization appeared first on McAfee Blogs.

Expiro Malware Is Back and Even Harder to Remove

31 Oct 2017

File infector malware adds malicious code to current files. This makes removal tricky because deleting infections results in the loss of legitimate files. Although file infectors were more popular in the 1990s and early 2000s, they still pose a significant threat. The complex disinfection process is usually leveraged by malware authors to ensure systems stay …

The post Expiro Malware Is Back and Even Harder to Remove appeared first on McAfee Blogs.

Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps

27 Oct 2017

Microsoft Office macros are a popular method of distributing malware. Users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique using a feature of Office applications that help create dynamic reports. In this post we will explain this technique and offer a method to prevent the …

The post Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps appeared first on McAfee Blogs.

Code Execution Technique Takes Advantage of Dynamic Data Exchange

27 Oct 2017

Email phishing campaigns are a popular social engineering technique among hackers. The idea is simple: Craft an email that looks enticing to users and convince them to click on a malicious link or open a malicious attachment. Weight-loss and other health-related phishing emails are common. Package deliveries, bank notices and, in the case of spear …

The post Code Execution Technique Takes Advantage of Dynamic Data Exchange appeared first on McAfee Blogs.

Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability

26 Oct 2017

McAfee Labs has performed frequent analyses of Office-related threats over the years: In 2015, we presented research on the Office OLE mechanism; in 2016 at the BlueHat conference, we looked at the high-level attack surface of Office; and this year at the SYSCAN360 Seattle conference, we presented deep research on the critical Office “Moniker” zero-day vulnerabilities. …

The post Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability appeared first on McAfee Blogs.

‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

24 Oct 2017

This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani. McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates …

The post ‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine appeared first on McAfee Blogs.

KRACKs: Five Observations on WPA Authentication Vulnerability

23 Oct 2017

KRACKs are in the news. McAfee has already discussed these key reinstallation attacks that affect Wi-Fi setups in two posts: “KRACKs Against Wi-Fi Serious But Not End of the World” “How KRACK Threatens Wi-Fi’s Security Underpinnings and What It Means for You” Here are five observations that offer an easy-to-digest summary: Don’t panic! Remember this …

The post KRACKs: Five Observations on WPA Authentication Vulnerability appeared first on McAfee Blogs.

ROCA: Which Key-Pair Attacks Are Credible?

20 Oct 2017

In the past two weeks, we have seen two big encryption issues arise: key reinstallation attacks, called KRACKs; and “Return of Coppersmith’s Attack,” called ROCA. Many CEOs, CIOs, and CISO/CSOs are asking, as they must, “Are we protected?” and “What’s our exposure?” Security architects are scurrying about to identify reasonable responses that can be presented …

The post ROCA: Which Key-Pair Attacks Are Credible? appeared first on McAfee Blogs.

KRACKs Against Wi-Fi Serious But Not End of the World

18 Oct 2017

On October 12, researcher Mathy Vanhoef announced a set of Wi-Fi attacks that he named KRACKs, for key reinstallation attacks. These attack scenarios are against the WPA2 authentication and encryption key establishment portions of the most recent set of protocols. The technique is through key reinstallation. The attack can potentially allow attackers to send attacker …

The post KRACKs Against Wi-Fi Serious But Not End of the World appeared first on McAfee Blogs.

Tips for Effective Threat Hunting

18 Oct 2017

In May, McAfee surveyed more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities. You can read the full study: Disrupting the Disruptors, Art or Science? Understanding the role of threat hunters and continuing evolution …

The post Tips for Effective Threat Hunting appeared first on McAfee Blogs.

Taiwan Bank Heist and the Role of Pseudo Ransomware

12 Oct 2017

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States.

The post Taiwan Bank Heist and the Role of Pseudo Ransomware appeared first on McAfee Blogs.

Staying Anonymous on the Blockchain: Concerns and Techniques

11 Oct 2017

With Bitcoin at one point valued at more than $5,000 per unit, cryptocurrencies have excited a lot of interest from individuals, businesses, and hackers. One of the selling points of Bitcoin and others of its type is anonymity. Yet there are concerns that online currency transactions may not be as anonymous as many wish. In …

The post Staying Anonymous on the Blockchain: Concerns and Techniques appeared first on McAfee Blogs.

Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112

02 Oct 2017

A memory corruption bug in UDP fragmentation offload (UFO) code inside the Linux kernel can lead to local privilege escalation. In this post we will examine this vulnerability and its accompanying exploit. Although this bug affects both IPv4 and IPv6 code paths, we analyzed only IPv4 code running on vulnerable kernel version 4.8.0 of Ubuntu …

The post Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112 appeared first on McAfee Blogs.

McAfee Labs: Faceliker Surge Manipulates Facebook “Likes” to Promote News, Other Content

26 Sep 2017

Criminals excel in manipulating the trust within human relationships, particularly as individuals project themselves into digital realms such as social media. We see it in phishing messages, which fool us into clicking on a malicious weblink from what appears to be a benign organization with which we do business. We also see it in the …

The post McAfee Labs: Faceliker Surge Manipulates Facebook “Likes” to Promote News, Other Content appeared first on McAfee Blogs.

McAfee Labs Threats Report Explores WannaCry/Petya, Threat Hunting, Script-Based Malware

26 Sep 2017

Today we published the McAfee Labs Threats Report: September 2017. This quarter’s report shows off a new design. We hope you will find it attractive as well as informative.

The post McAfee Labs Threats Report Explores WannaCry/Petya, Threat Hunting, Script-Based Malware appeared first on McAfee Blogs.

Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805

22 Sep 2017

Apache Struts, an open-source web development framework, is prone to vulnerabilities. We wrote about CVE-2017-9791 in July. The latest is CVE-2017-9805, another remote code execution flaw actively being exploited, according to reports. This vulnerability affects the Struts plug-in Representational State Transfer (REST). Apache has updated Struts with Version 2.5.13 to fix this issue. In this post …

The post Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805 appeared first on McAfee Blogs.

Microsoft Kills Potential Remote Code Execution Vulnerability in Office (CVE-2017-8630)

21 Sep 2017

Recently the McAfee IPS Research Team informed Microsoft about a potential remote code execution vulnerability in Office 2016 that McAfee discovered in March. Microsoft released a patch for this vulnerability this week with CVE-2017-8630. In this post, we will briefly discuss the vulnerability and its exploitability. The Problem While auditing PowerPoint, we came across an …

The post Microsoft Kills Potential Remote Code Execution Vulnerability in Office (CVE-2017-8630) appeared first on McAfee Blogs.

Android Click-Fraud App Repurposed as DDoS Botnet

12 Sep 2017

The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including recent examples on Google Play in 2016 and Clicker.BN last month. These threats are characterized by a common behavior: They appear innocuous but in the background they perform HTTP requests (simulating clicks) on paid “advertainment” to make …

The post Android Click-Fraud App Repurposed as DDoS Botnet appeared first on McAfee Blogs.

Emotet Trojan Acts as Loader, Spreads Automatically

01 Sep 2017

Since the middle of July, McAfee has observed new updates of the Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam. The latest variants act as loaders and use several mechanisms to spread over the network and send spam …

The post Emotet Trojan Acts as Loader, Spreads Automatically appeared first on McAfee Blogs.

Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea

28 Aug 2017

Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS messages phishing texts (also known as smishing) to lure them into clicking on shortened URLs. For example, the following message asks the user to click on the link to check if a private picture has been leaked: Figure 1: …

The post Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea appeared first on McAfee Blogs.

Android Click-Fraud Apps Briefly Return to Google Play

25 Aug 2017

Click-fraud apps frequently appear on Google Play and third-party markets. They are sometimes hard to identify because the malicious behavior that simulates clicks is similar to the behavior of many legitimate applications (using common API calls and permissions). Further, part of the malicious code does not reside in the original malware and comes from a …

The post Android Click-Fraud Apps Briefly Return to Google Play appeared first on McAfee Blogs.

Smishing Campaign Steals Banking Credentials in U.S.

14 Aug 2017

The McAfee Mobile Research team recently found an active smishing campaign, using SMS messages, that targets online banking users in the United States. The messages attempt to scare victims with a notice that the bank account will be soon closed and that the user must immediately click a malicious URL: Figure 1: Phishing SMS message. …

The post Smishing Campaign Steals Banking Credentials in U.S. appeared first on McAfee Blogs.

DEFCON – Connected Car Security

02 Aug 2017

Sometime in the distant past, that thing in your driveway was a car.  However, the “connected car is already the third-fastest growing technological device after phones and tablets.”  The days when a Haynes manual, a tool kit, and a free afternoon/week to work on the car are fast becoming a distant memory. Our connected cars …

The post DEFCON – Connected Car Security appeared first on McAfee Blogs.

Analyzing CVE-2017-0190: WMF Flaws Can Lead to Data Theft, Code Execution

26 Jul 2017

CVE-2017-0190 is a recently patched vulnerability related to Windows metafiles (WMFs), a portable image format mainly used by 16-bit Windows applications. Recently we have seen an increase in the number of vulnerabilities related to WMFs and EMFs (enhanced metafiles) in the GDI32 library. Most often, these vulnerabilities lead to sensitive information disclosure from the process …

The post Analyzing CVE-2017-0190: WMF Flaws Can Lead to Data Theft, Code Execution appeared first on McAfee Blogs.

NoMoreRansom – One year on!

25 Jul 2017

One year on. It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water. A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector. We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

The post NoMoreRansom – One year on! appeared first on McAfee Blogs.

Darknet Markets Will Outlive AlphaBay and Hansa Takedowns

20 Jul 2017

On June 20, law enforcement took over the Hansa marketplace after investigations that began in 2016. On July 5, police in Thailand arrested Alexandre Cazes, alleged to be the operator of the large underground market AlphaBay. These efforts have taken two of the largest darknet markets offline. AlphaBay, and later Hansa, was one of many …

The post Darknet Markets Will Outlive AlphaBay and Hansa Takedowns appeared first on McAfee Blogs.

Analyzing CVE-2017-9791: Apache Struts Vulnerability Can Lead to Remote Code Execution

19 Jul 2017

Apache Struts is a model-view-controller framework for creating Java web applications. Struts has suffered from a couple of vulnerabilities using the technique of object-graph navigation language (OGNL) injection. OGNL is an expression language that allows the setting of object properties and execution of various methods of Java classes. OGNL can be used maliciously to perform …

The post Analyzing CVE-2017-9791: Apache Struts Vulnerability Can Lead to Remote Code Execution appeared first on McAfee Blogs.

Analyzing a Patch of a Virtual Machine Escape on VMware

17 Jul 2017

A virtual machine is a completely isolated guest operating system installation within a normal host operating system. Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system, which can lead to infections and malware execution. VMware escapes demonstrated at the most recent PwnFest, organized by …

The post Analyzing a Patch of a Virtual Machine Escape on VMware appeared first on McAfee Blogs.

LeakerLocker: Mobile Ransomware Acts Without Encryption

07 Jul 2017

We recently found on Google Play a type of mobile ransomware that does not encrypt files. This malware extorts a payment to prevent the attacker from spreading a victim’s private information. LeakerLocker claims to have made an unauthorized backup of a phone’s sensitive information that could be leaked to a user’s contacts unless it receives …

The post LeakerLocker: Mobile Ransomware Acts Without Encryption appeared first on McAfee Blogs.

Petya More Effective at Destruction Than as Ransomware

01 Jul 2017

At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: …

The post Petya More Effective at Destruction Than as Ransomware appeared first on McAfee Blogs.

How to Protect Against Petya Ransomware in a McAfee Environment

28 Jun 2017

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

The post How to Protect Against Petya Ransomware in a McAfee Environment appeared first on McAfee Blogs.

New Variant of Petya Ransomware Spreading Like Wildfire

27 Jun 2017

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rendering the machine unusable.

The post New Variant of Petya Ransomware Spreading Like Wildfire appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit

20 Jun 2017

We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter’s report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques and how malware authors use them to accomplish …

The post ‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit appeared first on McAfee Blogs.

McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan

16 Jun 2017

McAfee Labs has discovered that banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after its capability to steal personal and financial data from the infected machine has been removed by a security product. These include home users whose computers are usually behind a network address …

The post McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan appeared first on McAfee Blogs.

Is WannaCry Really Ransomware?

08 Jun 2017

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

The post Is WannaCry Really Ransomware? appeared first on McAfee Blogs.

Misuse of DocuSign Email Addresses Leads to Phishing Campaign

01 Jun 2017

DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to …

The post Misuse of DocuSign Email Addresses Leads to Phishing Campaign appeared first on McAfee Blogs.

Fake WannaCry ‘Protectors’ Emerge on Google Play

23 May 2017

Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices. While searching for “WannaCry” on GooglePlay we found several new …

The post Fake WannaCry ‘Protectors’ Emerge on Google Play appeared first on McAfee Blogs.

How to Protect Against WannaCry Ransomware in a McAfee Environment

18 May 2017

WannaCry is a ransomware family targeting Microsoft Windows. On Friday May 12, a large cyberattack based on this threat was launched. At this time, it is estimated that more than 250,000 computers in 150 countries have been infected, each demanding a ransom payment.

The post How to Protect Against WannaCry Ransomware in a McAfee Environment appeared first on McAfee Blogs.

Adylkuzz CoinMiner Spreading Like WannaCry

17 May 2017

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and …

The post Adylkuzz CoinMiner Spreading Like WannaCry appeared first on McAfee Blogs.

Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code

15 May 2017

Many attacks on mobile devices use social engineering to initially infect a victim’s system. They download malware and elevate privileges by exploiting vulnerabilities. Mobile malware often uses persistence mechanisms to hide and monitor the victim’s behavior. Unlike personal computers, mobile devices are used more often by their owners, and carry sensitive information such as phone …

The post Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code appeared first on McAfee Blogs.

Further Analysis of WannaCry Ransomware

14 May 2017

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s …

The post Further Analysis of WannaCry Ransomware appeared first on McAfee Blogs.

WannaCry: The Old Worms and the New

13 May 2017

The morning of Friday, May 12 multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry. Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers. By Friday afternoon, McAfee’s Global Threat Intelligence system was …

The post WannaCry: The Old Worms and the New appeared first on McAfee Blogs.

An Analysis of the WannaCry Ransomware Outbreak

12 May 2017

Charles McFarland was a coauthor of this blog. Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals being victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to …

The post An Analysis of the WannaCry Ransomware Outbreak appeared first on McAfee Blogs.

Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service

09 May 2017

OpenSSL, the popular general-purpose cryptographic library that implements SSL/TLS protocols for web authentication, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, …

The post Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service appeared first on McAfee Blogs.

Mirai, BrickerBot, Hajime Attack a Common IoT Weakness

03 May 2017

We know that devices in the Internet of Things make enticing targets for attack. They are often insecure and can act as open windows into trusted networks. Cybercriminals are capitalizing on that more and more each day, gathering hundreds of thousands of insecure IoT devices into giant botnets. Remember what happened last fall when Mirai …

The post Mirai, BrickerBot, Hajime Attack a Common IoT Weakness appeared first on McAfee Blogs.

Cerber Ransomware Evades Detection With Many Components

03 May 2017

Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.) Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) …

The post Cerber Ransomware Evades Detection With Many Components appeared first on McAfee Blogs.

Banned Chinese Qvod Lives on in Malicious Fakes

02 May 2017

Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod. One common feature of these malicious apps is to disguise their …

The post Banned Chinese Qvod Lives on in Malicious Fakes appeared first on McAfee Blogs.

Mirai Botnet Creates Army of IoT Orcs

20 Apr 2017

This post was based on analysis by Yashashree Gund and RaviKant Tiwari. There is a lot of speculation in the news about surveillance from home appliances, personal electronics, or other Internet of Things (IoT) devices. Although some statements may be hyperbole, we know that these devices, in homes and offices, are being compromised and used …

The post Mirai Botnet Creates Army of IoT Orcs appeared first on McAfee Blogs.

Critical Office Zero-Day Attacks Detected in the Wild

07 Apr 2017

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched. This blog post …

The post Critical Office Zero-Day Attacks Detected in the Wild appeared first on McAfee Blogs.

McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet

06 Apr 2017

In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics. Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a detailed analysis of the background and drivers of …

The post McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet appeared first on McAfee Blogs.

Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

28 Mar 2017

Malware families are constantly seeking new ways to hide their code, thwart replication, and avoid detection. A recent trend for the delivery of ransomware is the use of the Nullsoft Scriptable Install System (NSIS) with an encrypted payload. The list of the most common families using this technique is diverse and includes Cerber, Locky, Teerac, Crysis, …

The post Ransomware Families Use NSIS Installers to Avoid Detection, Analysis appeared first on McAfee Blogs.

Analyzing a Fresh Variant of the Dorkbot Botnet

09 Mar 2017

At McAfee Labs, we have recently observed a new variant of the Dorkbot botnet. Dorkbot is a well-known bot, famous for its various capabilities including backdoor, password stealing, and other malicious behavior. Dorkbot relies on social networking as its infection vector. In this post, we offer our analysis of this new variant. The malware downloads …

The post Analyzing a Fresh Variant of the Dorkbot Botnet appeared first on McAfee Blogs.

CHIPSEC Support Against Vault 7 Disclosure Scanning

09 Mar 2017

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society. As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework …

The post CHIPSEC Support Against Vault 7 Disclosure Scanning appeared first on McAfee Blogs.

Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL

08 Mar 2017

OpenSSL is a popular open-source library for SSL and is used by various software and companies across the world. In January, OpenSSL released an update that fixed multiple vulnerabilities. One of them is CVE-2017-3731, which can cause a denial of service due to a crash. McAfee Labs analyzed this vulnerability to provide detection for customers.  …

The post Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL appeared first on McAfee Blogs.

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

22 Feb 2017

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature—to work offline. Propagation vector The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to …

The post Spora Ransomware Infects ‘Offline’—Without Talking to Control Server appeared first on McAfee Blogs.

Macro Malware Targets Macs

14 Feb 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this …

The post Macro Malware Targets Macs appeared first on McAfee Blogs.

The Cyber Threat Alliance Steps Up to Boost Protection

14 Feb 2017

With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their …

The post The Cyber Threat Alliance Steps Up to Boost Protection appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

14 Feb 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. In part 1 of this analysis, we discussed the basics of the malware and its whitelisting to protect itself. In this part, we will provide more information about the malware’s internals, this variant, and steps to unlock the ransomware lock screen. Variant 1. This variant seems to be inspired by …

The post Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking appeared first on McAfee Blogs.

Intel Security Launches ‘Threat Landscape Dashboard’

10 Feb 2017

Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to …

The post Intel Security Launches ‘Threat Landscape Dashboard’ appeared first on McAfee Blogs.

Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service

03 Feb 2017

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We …

The post Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service appeared first on McAfee Blogs.

Spotlight on Shamoon

27 Jan 2017

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents …

The post Spotlight on Shamoon appeared first on McAfee Blogs.

With Release of Windows 10, Questions About BitLocker Arise Again

26 Jan 2017

This post was written by Ted Pan. For those of you who were around during the original release of Microsoft’s BitLocker, previously known as Secure Startup, you will remember that it was meant to completely eliminate the necessity for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack …

The post With Release of Windows 10, Questions About BitLocker Arise Again appeared first on McAfee Blogs.

Analyzing KillDisk Ransomware, Part 1: Whitelisting

20 Jan 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected …

The post Analyzing KillDisk Ransomware, Part 1: Whitelisting appeared first on McAfee Blogs.

Stopping Malware With a Fake Virtual Machine

19 Jan 2017

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting …

The post Stopping Malware With a Fake Virtual Machine appeared first on McAfee Blogs.

Trojanized Photo App on Google Play Signs Up Users for Premium Services

13 Jan 2017

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious. Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names …

The post Trojanized Photo App on Google Play Signs Up Users for Premium Services appeared first on McAfee Blogs.

Turkish Instagram Password Stealers Found on Google Play

12 Jan 2017

McAfee’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) These malware are distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users. The malware lead victims to …

The post Turkish Instagram Password Stealers Found on Google Play appeared first on McAfee Blogs.

Top Tips for Securing Home Cameras

05 Jan 2017

Installing a home surveillance camera system can add great benefits but also may introduce new risks to privacy and network security. The goal is to increase your security and peace of mind, while avoiding cybersecurity threats. Here are three tips to consider when purchasing, installing, and configuring your new home camera system. The risks Home …

The post Top Tips for Securing Home Cameras appeared first on McAfee Blogs.

Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

30 Dec 2016

The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed …

The post Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Long Term (Part 2)

27 Dec 2016

In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures. Rise of blockchain …

The post Next Targets for Cybercriminals: the Long Term (Part 2) appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Short Term (Part 1)

25 Dec 2016

  Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step …

The post Next Targets for Cybercriminals: the Short Term (Part 1) appeared first on McAfee Blogs.

Floki Bot a Sensation With International Cybercriminals

23 Dec 2016

Floki Bot, new financial malware, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos. Improvements abound …

The post Floki Bot a Sensation With International Cybercriminals appeared first on McAfee Blogs.

Did You Forget to Patch Your IP Camera?

21 Dec 2016

IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowing. IP cameras are targets Like all Internet-connected devices, IP cameras are at risk of …

The post Did You Forget to Patch Your IP Camera? appeared first on McAfee Blogs.

An Overview of Malware Self-Defense and Protection

19 Dec 2016

Many malware authors spend a great deal of time and effort to develop complex code. Their success depends on a threat’s remaining undetected and avoiding sandbox analysis, antivirus efforts, or malware analysts. This post offers an overview of the mechanisms used by malware to evade detection. If malware is detected quickly, it has little time …

The post An Overview of Malware Self-Defense and Protection appeared first on McAfee Blogs.

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

19 Dec 2016

In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a legitimate application for streaming movies and series. The ransom note gives the victim seven days to choose either option or the …

The post ‘Popcorn Time’ Ransomware Sure to Cause Indigestion appeared first on McAfee Blogs.

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

14 Dec 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this …

The post ‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers appeared first on McAfee Blogs.

McAfee Labs December Threats Report Explores Many Facets of Deception

13 Dec 2016

In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, how Trojans infect legitimate code to appear benign, …

The post McAfee Labs December Threats Report Explores Many Facets of Deception appeared first on McAfee Blogs.

“Trojanization” of Legit Apps on the Rise

13 Dec 2016

McAfee today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect against …

The post “Trojanization” of Legit Apps on the Rise appeared first on McAfee Blogs.

2016: A Year at Ransom

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 provides an overview of how ransomware has evolved over the course of 2016, and how the industry has responded. Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, an increase of 80% since the beginning of the year. Beyond volume, ransomware exhibited notable …

The post 2016: A Year at Ransom appeared first on McAfee Blogs.

How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309

13 Dec 2016

Recently the OpenSSL security library gained a fix for a critical security issue (CVE-2016-6309) that affects OpenSSL Version 1.1.0a. The remote attackers can cause the OpenSSL server to crash, or execute arbitrary code on it, by simply sending a handshake packet with a message larger than 16KB. To defend against these attacks we analyzed the …

The post How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309 appeared first on McAfee Blogs.

Shamoon Rebooted in Middle East, Part 2

09 Dec 2016

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East.  The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver. The language of these three …

The post Shamoon Rebooted in Middle East, Part 2 appeared first on McAfee Blogs.

Farewell to the SHA-1 Hash Algorithm

01 Dec 2016

Rest in peace SHA-1. Like all security controls, they are valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next …

The post Farewell to the SHA-1 Hash Algorithm appeared first on McAfee Blogs.

Shamoon Rebooted?

29 Nov 2016

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines. The initial infection vector for the recent attacks is …

The post Shamoon Rebooted? appeared first on McAfee Blogs.

Big, Hard-to-Solve Problems

29 Nov 2016

Improving the Lifecycle of Threat Defense Effectiveness When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, …

The post Big, Hard-to-Solve Problems appeared first on McAfee Blogs.

‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats

29 Nov 2016

In the McAfee Labs 2017 Threats Predictions report, published today, we cover a lot of ground but focus particularly on two areas that will impact IT security for years to come: threats to the cloud and the Internet of Things. The report kicks off with a big-picture examination of difficult-to-solve problems in cyber security and …

The post ‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats appeared first on McAfee Blogs.

You Can Outsource the Work, but You Cannot Outsource the Risk

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Cloud As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will …

The post You Can Outsource the Work, but You Cannot Outsource the Risk appeared first on McAfee Blogs.

Welcome to the Wild West, Again!

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Internet of Things The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned once again as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming …

The post Welcome to the Wild West, Again! appeared first on McAfee Blogs.

Upcoming McAfee Webcast on McAfee Labs 2017 Threats Predictions Moderated by McAfee CTO Raj Samani

23 Nov 2016

McAfee Labs 2017 Threats Predictions The cyberattack surface is growing faster than ever before, driven by trends and technologies like the cloud and the Internet of Things (IoT). As the digital landscape evolves, so will threats. What can we expect a year from now—or four years from now? Prepare for the future by attending the …

The post Upcoming McAfee Webcast on McAfee Labs 2017 Threats Predictions Moderated by McAfee CTO Raj Samani appeared first on McAfee Blogs.

Worms Could Spread Like Zombies via Internet of Things

21 Nov 2016

Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols. Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a …

The post Worms Could Spread Like Zombies via Internet of Things appeared first on McAfee Blogs.

More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray

09 Nov 2016

On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to …

The post More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray appeared first on McAfee Blogs.

Talking About Cyber Risks Educates the Community

07 Nov 2016

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light. Sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and …

The post Talking About Cyber Risks Educates the Community appeared first on McAfee Blogs.

Cerber Ransomware Now Hunts for Databases

04 Nov 2016

Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with …

The post Cerber Ransomware Now Hunts for Databases appeared first on McAfee Blogs.

Top 5 Things to Know About Recent IoT Attacks

02 Nov 2016

Recent Internet attacks have resulted in several popular sites becoming unreachable. The list includes Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have brought to light a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been commonplace for more …

The post Top 5 Things to Know About Recent IoT Attacks appeared first on McAfee Blogs.

The Latest IoT Device I Do Not Want Hacked

01 Nov 2016

What if someone hacked this remotely controlled semiautonomous tractor? I am a cybersecurity guy and a huge fan of technology. One of the challenges we face in the security industry is the growth of the Internet of Things (IoT). IoT is about connecting everyday objects to the Internet. It might be a toaster, alarm clock, …

The post The Latest IoT Device I Do Not Want Hacked appeared first on McAfee Blogs.

A ‘Second Economy’ Prognosis for Health Care Cybersecurity

26 Oct 2016

McAfee CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money. As in other industries, health care is working toward maximizing efficiencies, containing …

The post A ‘Second Economy’ Prognosis for Health Care Cybersecurity appeared first on McAfee Blogs.

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

26 Oct 2016

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the …

The post How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos appeared first on McAfee Blogs.

How to Secure the Future of the Internet of Things

22 Oct 2016

The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat to their owners; now they pose a significant threat to everything connected to the Internet. The old IoT security problem For the past year, the cybersecurity and IoT communities have been at odds regarding …

The post How to Secure the Future of the Internet of Things appeared first on McAfee Blogs.

Unfolding the Mystery of Cerber Ransomware’s Random File Extension

20 Oct 2016

In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we’ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. (We call this version X, …

The post Unfolding the Mystery of Cerber Ransomware’s Random File Extension appeared first on McAfee Blogs.

Password-Protected Attachment Serves Ransomware

18 Oct 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have …

The post Password-Protected Attachment Serves Ransomware appeared first on McAfee Blogs.

No More Ransom Adds Law Enforcement Partners From 13 Countries

17 Oct 2016

  Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel Security, Kaspersky Labs, Dutch National Police, and Europol will be joined by members from Bosnia and Herzegovina, …

The post No More Ransom Adds Law Enforcement Partners From 13 Countries appeared first on McAfee Blogs.

Ransomware Variant XTBL Another Example of Popular Malware

17 Oct 2016

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers …

The post Ransomware Variant XTBL Another Example of Popular Malware appeared first on McAfee Blogs.

Android Banking Trojan Asks for Selfie With Your ID

14 Oct 2016

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain …

The post Android Banking Trojan Asks for Selfie With Your ID appeared first on McAfee Blogs.

Everyone Loves Selfies, Including Malware!

13 Oct 2016

I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus.  For me it came down to the camera.  I travel a lot for work and even though photography is something of a hobby of mine, I don’t always have my “good camera” …

The post Everyone Loves Selfies, Including Malware! appeared first on McAfee Blogs.

New Security Reality for Internet of Things

04 Oct 2016

  Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks.   Nontraditional risks The estimates vary, but they suggest between …

The post New Security Reality for Internet of Things appeared first on McAfee Blogs.

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

03 Oct 2016

Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts. McAfee CTO Steve Grobman fielded a number of questions on these events and …

The post CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump appeared first on McAfee Blogs.

Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

30 Sep 2016

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect in which the knowledge gained by the owners of sensor networks can share data with the security analysis community.  This generosity …

The post Sharing Cybersecurity Threat Intelligence Is the Only Way We Win appeared first on McAfee Blogs.

Macro Malware Employs Advanced Sandbox-Evasion Techniques

29 Sep 2016

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks …

The post Macro Malware Employs Advanced Sandbox-Evasion Techniques appeared first on McAfee Blogs.

How Can We Stop ‘ROP’ Cyberattacks?

28 Sep 2016

IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for …

The post How Can We Stop ‘ROP’ Cyberattacks? appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning

28 Sep 2016

Analytics, big data, automation, and machine learning are all terms we use when talking about the future of cybersecurity. As the volume of security data increases, data science will become an important weapon to disrupt adversaries. Too often, these terms are used as synonyms, but they refer to different parts of the domain of data …

The post ‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss

26 Sep 2016

Data is leaking out of your organization: accidentally or intentionally, by internals or externals, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices to reduce your exposure to data loss. We …

The post ‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You

23 Sep 2016

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a monumental job. Unfortunately, this is the state of many hospitals, leading the criminal underground to their back doors. Ransomware attackers have shifted focus, moving from consumers to organizations with …

The post ‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You appeared first on McAfee Blogs.

Hardware Hack Bypasses iPhone PIN Security Counter

22 Sep 2016

A security researcher from the University of Cambridge has found a way to hack the iPhone NAND memory hardware to sufficiently bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI as part of the highly publicized privacy case in …

The post Hardware Hack Bypasses iPhone PIN Security Counter appeared first on McAfee Blogs.

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

21 Sep 2016

Despite headlines, hype, and hysteria, US government rightly chooses cybersecurity guidance over regulation. The Obama administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course …

The post Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars appeared first on McAfee Blogs.

Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next

19 Sep 2016

One target of cybercriminals is cryptocurrencies, which hold tremendous wealth but are largely anonymous. This limits the attack surface mostly to avenues requiring complex technical approaches. Always preferring the path of least resistance, many fraudsters and online thieves prefer to target people rather than systems. This is the second of two posts on threats to …

The post Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next appeared first on McAfee Blogs.

Locky Ransomware Hides Inside Packed .DLL

16 Sep 2016

McAfee Labs has seen a huge increase in Locky ransomware in recent months (discussed in an earlier blog). Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails. Since its first variant Locky has taken advantage of compromised domains to download its malicious executable. Recently it has downloaded a malicious dynamic link …

The post Locky Ransomware Hides Inside Packed .DLL appeared first on McAfee Blogs.

Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation

14 Sep 2016

All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he robbed banks. His reply was “Because that’s where the money is.” The simplicity rings true. That same age-old principle …

The post Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation appeared first on McAfee Blogs.

The Quarterly Threats Report: What Does It Mean for You?

14 Sep 2016

The latest edition of the Quarterly Threats Report (QTR) was released this week by McAfee Labs.  If you’re not familiar with them, McAfee Labs is our research organization tasked with researching all the latest threats that people are seeing out there in the wild as well as looking as trends that help indicate what the …

The post The Quarterly Threats Report: What Does It Mean for You? appeared first on McAfee Blogs.

Machine Learning, the Unsung Hero in the Latest ‘Threats Report’

14 Sep 2016

The story about ransomware in hospitals in our newly published McAfee Labs Threats Report: September 2016 will probably garner most of the media’s attention, but I think the most interesting story in the report is about machine learning. Here’s why. McAfee has used machine learning in our classification models since the mid-2000s. Initially, we employed …

The post Machine Learning, the Unsung Hero in the Latest ‘Threats Report’ appeared first on McAfee Blogs.

Malware Hides in Installer to Avoid Detection

25 Aug 2016

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually every malware family uses its own polymorphic packers to obfuscate its payload. In this …

The post Malware Hides in Installer to Avoid Detection appeared first on McAfee Blogs.

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

25 Aug 2016

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of McAfee, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about McAfee’s responsibility as a leading security vendor to …

The post Improve Protection Against Cyberattacks Through Shared Threat Intelligence appeared first on McAfee Blogs.

‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free

23 Aug 2016

McAfee and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of criminal …

The post ‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free appeared first on McAfee Blogs.

Cerber Ransomware Updates Configuration File

16 Aug 2016

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and also takes advantages of exploit kits like Angler, Nuclear, and others. During our analysis of the new …

The post Cerber Ransomware Updates Configuration File appeared first on McAfee Blogs.

Bing.VC Hijacks Browsers Using Legitimate Applications

10 Aug 2016

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently …

The post Bing.VC Hijacks Browsers Using Legitimate Applications appeared first on McAfee Blogs.

Obfuscated Malware Discovered on Google Play

10 Aug 2016

The McAfee Labs Mobile Malware Research team found early this week on Google Play a set of malware published by the developer account ValerySoftware: Each one of these apps have been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat. Some characteristics of this malware: …

The post Obfuscated Malware Discovered on Google Play appeared first on McAfee Blogs.

Banload Trojan Targets Brazilians With Malware Downloads

09 Aug 2016

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or …

The post Banload Trojan Targets Brazilians With Malware Downloads appeared first on McAfee Blogs.

‘Cat-Loving’ Mobile Ransomware Operates With Control Panel

08 Aug 2016

Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider. The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this …

The post ‘Cat-Loving’ Mobile Ransomware Operates With Control Panel appeared first on McAfee Blogs.

Setting Up HTTPS for Google App Engine Applications

08 Aug 2016

Thursday, we posted advice on creating a custom domain name for an application developed with Google’s App Engine. In this post, we will learn how to add SSL support and force the App Engine application to use only SSL. Start by obtaining an SSL certificate for your domain from an authorized certificate authority. Consider following …

The post Setting Up HTTPS for Google App Engine Applications appeared first on McAfee Blogs.

Creating a Custom Domain Name with a Google App Engine Application

05 Aug 2016

Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers can create applications and deploy them to the App Engine. When a web application is created using the App Engine, the application is assigned a unique project ID. Developers …

The post Creating a Custom Domain Name with a Google App Engine Application appeared first on McAfee Blogs.

Active iOS Smishing Campaign Stealing Apple Credentials

29 Jul 2016

McAfee Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked to trick them into accessing a phishing site and steal the real Apple credentials. Here is an example of an SMS message from this campaign: The message pretends to be an …

The post Active iOS Smishing Campaign Stealing Apple Credentials appeared first on McAfee Blogs.

Taking Steps to Fight Back Against Ransomware

27 Jul 2016

Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business …

The post Taking Steps to Fight Back Against Ransomware appeared first on McAfee Blogs.

Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers

26 Jul 2016

The Mobile Malware Research Team of McAfee has discovered in recent weeks a number of new threats in the Middle East. In May, we uncovered a spying campaign targeting cybersecurity professionals in Saudi Arabia. This week, the team exposed a strain of spyware targeting another specific group of mobile users: individuals with possible sympathies toward terrorist …

The post Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers appeared first on McAfee Blogs.

No More Ransom: A New Initiative to Battle Ransomware

25 Jul 2016

Ransomware has seen a huge increase over the past couple of years.  According to our June Quarterly Threats Report, there was a 113% increase in ransomware over the past year.  However, the real indicator for me has been an increase in questions about ransomware I get from people once they find out I work forMcAfee.  …

The post No More Ransom: A New Initiative to Battle Ransomware appeared first on McAfee Blogs.


© dedoLa 2010-2017