SANS

Maldocs: Protection Passwords, (Sun, Feb 28th)

28 Feb 2021

In diary entry "Unprotecting Malicious Documents For Inspection" I explain how to deal with protected malicious Excel documents by removing the protection passwords.

Pretending to be an Outlook Version Update, (Fri, Feb 26th)

27 Feb 2021

I received this phishing email yesterday that seemed very strange with this short and urgent message:

So where did those Satori attacks come from?, (Thu, Feb 25th)

26 Feb 2021

Last week I posted about a new Satori variant scanning on TCP port 26 that I was picking up in my honeypots. Things have slowed down a bit, but levels are still above where they had been since mid-July 2020 on port 26.

Forensicating Azure VMs, (Thu, Feb 25th)

25 Feb 2021

With more and more workloads migrating to "the Cloud", we see post-breach forensic investigations also increasingly moving from on-premises to remote instances. If we are lucky and the installation is well engineered, we will encounter a "managed" virtual machine setup, where a forensic agent or EDR (endpoint detection & response) product is pre-installed on our affected VM. Alas, in my experience, this so far seems to be the exception rather than the norm. It almost feels like some lessons learned in the past two decades about EDR have been thrown out again, just because ... "Cloud".

Malspam pushes GuLoader for Remcos RAT, (Wed, Feb 24th)

24 Feb 2021

Introduction


Sophos

Naked Security Live – Beware copyright scams

01 Mar 2021

Here's the latest Naked Security Live talk - watch now!

S3 Ep21: Cryptomining clampdown, the 100-ton man, and ScamClub ads [Podcast]

25 Feb 2021

Latest episode - listen now!

Keybase secure messaging fixes photo-leaking bug – patch now!

23 Feb 2021

It's a bit like Snapchat all over again - but this bug was quickly fixed.

Nvidia announces official “anti-cryptomining” software drivers

22 Feb 2021

"It's a DoS, Jim, but not as we know it."

Naked Security Live – How to calculate important things using a computer

22 Feb 2021

Here's the latest Naked Security Live talk - watch now!

The massive coronavirus IT blunder with a funny side

19 Feb 2021

He was either the smallest person who has ever lived, by an order of magnitude, or the heaviest person ever known, by two of them.

S3 Ep20: Corporate megahacking, true love gone bad, and tax grabs [Podcast]

18 Feb 2021

Latest episode, listen now! (Includes special gardening safety section at no extra charge!)

US names three North Koreans in laundry list of cybercrime charges

18 Feb 2021

Trio alleged to have been at it for more than a decade, and to have made off with well over a billion dollars.

“ScamClub” gang outed for exploiting iPhone browser bug to spew ads

17 Feb 2021

Stay away from popup surveys that want personal data. Tell your friends...

Romance scams at all-time high: here’s what you need to know

16 Feb 2021

It's heartbreaking to get sucked into a romance scam, or to watch a friend or family member getting sucked in. Here's what to do...


TrendMicro

This Week in Security News - Feb, 26, 2021

26 Feb 2021

Trend Micro 2020 Annual Cybersecurity Report and More Than 6,700 VMware Servers Exposed Online and Vulnerable to Major New Bug

Security Risks for Audio-centric Social Media Apps

24 Feb 2021

Use of audio-only social media apps has been steadily capturing the interest of more users but just like any other technology, apps like these are not immune from security risks.

Here we go again with “Next-Gen”

24 Feb 2021

The new center square on the XDR buzzword bingo card.

An Analysis of the Nefilim Ransomware

23 Feb 2021

Nefilim is known for its double extortion capabilities and notable attacks in 2020. We give an overview of its techniques and tools in this entry.

Gauging LoRaWAN Communication Security with LoraPWN

19 Feb 2021

This second part of our series on LoRaWAN will discuss the security of LoRaWAN communication and possible attacks on vulnerabilities. We also dive into the comprehensive testing environment used to assess this issue: specific optimization techniques with software-defined radio (SDR), and the tool we created to help decode LoRaWAN packets.

This Week in Security News - Feb. 19, 2021

19 Feb 2021

Cybersecurity Risks of Connected Cars and SHAREit Flaw Could Lead to Remote Code Execution

This Week in Security News - Feb. 12, 2021

12 Feb 2021

Trend Micro Launches New XDR Platform and Threat Actors Now Target Docker via Container Escape Features

February Patch Tuesday Fixes 11 Critical Bugs

10 Feb 2021

Microsoft fixed 56 vulnerabilities - 11 of them rated Critical - in the February Patch Tuesday cycle.

Threat Actors Now Target Docker via Container Escape Features

9 Feb 2021

We provide a technical analysis of a container abuse attack that features a payload that’s specifically crafted to be able to escape privileged Docker containers.

This Week in Security News - Feb. 5, 2021

5 Feb 2021

Second SolarWinds Attack Group Breaks into USDA Payroll and Understanding Cloud Misconfigurations

New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker

5 Feb 2021

In this entry, we give an overview of new ransomware discoveries. This includes a new ransomware family dubbed Seth-Locker, and developments in the variants Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker.

Splunk integration partnership with Trend Micro 2021

4 Feb 2021

Customers first: building out our Splunk partnership for a more secure 2021

Understanding Cloud Misconfigurations — With Pizza and Lego

3 Feb 2021

We discuss how common cloud misconfigurations can lead to cybersecurity problems – using two classic favorites – and how to mitigate them.

Finding and Decoding Multi-Step Obfuscated Malware

2 Feb 2021

Our investigation of an unusual DNS query by a command-line tool leads us to the discovery of a multi-step obfuscated malware.

XDR: Up-Leveling Security Integration

1 Feb 2021

Guest Blog, sponsored by Trend Micro - IDC analyst, Michael Suby, explains the importance of upgrading XDR security integrations.

Chopper ASPX Web Shell Used in Targeted Attack

29 Jan 2021

We dissect a targeted attack that made use of the Chopper ASPX web shell (Backdoor.ASP.WEBSHELL.UWMANA).

This Week in Security News - Jan. 29, 2021

29 Jan 2021

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days.

Post Office Phishing Hits Credit Card Users in 26 Countries

28 Jan 2021

Trend Micro has been tracking a widespread phishing campaign since last year. The campaign distributors attempt to steal people's credit card numbers by sending phishing emails related to deliveries from national postal systems.

12 Tips to Help Keep Your Data Private

28 Jan 2021

On data privacy day, we would like to share some helpful tips in order for you to keep your data to yourself.

Low Powered and High Risk: Possible Attacks on LoRaWAN Devices

26 Jan 2021

Long Range Wide Area Network (LoRaWAN) devices have been hacking targets for quite some time. We dive into attacks that malicious actors can use against vulnerable LoRaWAN devices, and review the state of LoRaWAN security. This is the first in a three-part series.

Examining A Sodinokibi Attack

26 Jan 2021

Sodinokibi was behind several notable attacks last year. In this entry, we describe its attack process using some of the examples we encountered.

Fake Office 365 Used for Phishing Attacks on C-Suite Targets

25 Jan 2021

We have been following an evolving phishing campaign that targets high-ranking company executives since 2019, reusing compromised credentials and URLs to target more.

This Week in Security News - Jan. 22, 2021

22 Jan 2021

Routers Still Compromised Two Years After VPNFilter’s Discovery and Malwarebytes Says Some of its Emails Were Breached by SolarWinds Hackers

Investigation into PlugX Uncovers Unique APT Technique

20 Jan 2021

Through the Apex One with Endpoint Sensor (iES), we discovered an APT attack wherein an attacker utilized sophisticated techniques in an attempt to exfiltrate sensitive information from a company.

VPNFilter Two Years Later: Routers Still Compromised

19 Jan 2021

We look into VPNFilter, an IoT botnet discovered over two years ago, to see why there are still routers infected by the malware and what else can be done to minimize its potential risks.

This Week in Security News - Jan. 15, 2021

15 Jan 2021

January Patch Tuesday Repairs Critical MS Defender RCE Bug and Authorities Take Down World's Largest Illegal Dark Web Marketplace

The Top Worry In Cloud Security for 2021

13 Jan 2021

The cloud is an environment full of potential, providing easy access to technologies that weren't available a decade ago. However, it's not always as sunny as it seems. Continue on to read about the top worry in cloud security for the upcoming year.

January Patch Tuesday Repairs Critical MS Defender RCE Bug

13 Jan 2021

Microsoft welcomed the first month of 2021 with a total of 83 security updates — which is an uptick from December’s relatively lighter list.

This Week in Security News - Jan 8, 2021

8 Jan 2021

Investigation Launched into Role of JetBrains Product in SolarWinds Hack and TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger

Malicious Shell Script Steals Cloud Credentials

8 Jan 2021

In past cryptocurrency mining attacks, malicious shell scripts were typically used as downloaders. However, recent cases show that they now serve other purposes such as stealing sensitive data.

Expanding Range and Improving Speed: A RansomExx Approach

6 Jan 2021

RansomExx is a ransomware variant responsible for several high-profile attacks in 2020. We take a look at its current techniques which include the use of trojanized software to deliver malicious payloads and an overall short and fast attack.

An Overview of the DoppelPaymer Ransomware

5 Jan 2021

In early December 2020, the FBI issued a warning regarding DoppelPaymer, a ransomware family that first appeared in 2019. Its activities continued throughout 2020, including incidents that left its victims struggling to properly carry out their operations.

Earth Wendigo Injects JavaScript Backdoor to Service Worker for Mailbox Exfiltration

5 Jan 2021

We discovered a new campaign we named Earth Wendigo that has been targeting several organizations in Taiwan since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors into a webmail system that is widely used in Taiwan.

How to Protect Your Kid’s Privacy While At-Home Learning

22 Dec 2020

Many kids now have school-supplied computer equipment away from the school network. However, with this come privacy and security concerns. Some are easy to avoid, but others need some modifications to ensure safety.

This Week in Security News - Dec. 18, 2020

18 Dec 2020

Pawn Storm Employs Lack of Sophistication as a Strategy and SolarWinds Says Affected Enterprises Must Use Hot Patches and Isolate Compromised Gear

TeamTNT Now Deploying DDoS-Capable IRC Bot TNTbotinger

18 Dec 2020

We discuss TeamTNT’s latest attack, which involves the use of the group’s own IRC (Internet Relay Chat) bot. The IRC bot is called TNTbotinger and is capable of distributed denial of service (DDoS).

Credential Stealer Targets US, Canadian Bank Customers

17 Dec 2020

We discovered a campaign that distributed a credential stealer, and its main code components are written in AutoHotkey (AHK).

Pawn Storm’s Lack of Sophistication as a Strategy

17 Dec 2020

In this entry we share Pawn Storm's recent activities, focusing on their use of some simple methods that typically won't get associated with APT groups.

Backdoors Are Hard to Spot, But Not Who Is Using Them

16 Dec 2020

Cybersecurity people have been generally outspoken that backdoors are bad.

Managing Risk While Your ITSM Is Down

16 Dec 2020

A lot of the risk managed in companies is done by non-security products.

Overview of Recent Sunburst Targeted Attacks

15 Dec 2020

Various sources have recently disclosed a sophisticated attack that hit organizations via the supply chain via a compromised network monitoring program. This post discusses what the Sunburst backdoor is and what you can do now to mitigate this threat.

Who is the Threat Actor Behind Operation Earth Kitsune?

15 Dec 2020

Recently, we uncovered the Operation Earth Kitsune campaign and published a detailed analysis of its tactics, techniques, and procedures (TTPs). While analyzing the technical details of this malware, which includes two new espionage backdoors, we noticed striking similarities to other malware attributed to the threat actor known as APT37, also known as Reaper or Group 123.

The Secret to Cloud Security Is...

14 Dec 2020

...Trend Micro experts have their answers!

Five Tips to Help You Avoid Holiday Shopping Scams

14 Dec 2020

The holiday shopping season is upon us and because we’re in the middle of a pandemic, consumers are expected to spend more time doing their shopping online. Here's what to look for to avoid falling victim to an online scam.

Egregor Ransomware Launches String of High-Profile Attacks to End 2020

14 Dec 2020

A sophisticated piece of ransomware that first surfaced around September 2020, Egregor has since been involved in a number of high-profile attacks, including attacks that were launched against major retailers and other organizations.

Investigating the Gootkit Loader

11 Dec 2020

Gootkit has been tied to Cobalt Strike as well as other ransomware attacks in the past. Some of these recent victims later suffered SunCrypt ransomware attacks, although it is unclear if this was because of the Gootkit threat actor or if access was sold to other threat actors.

Cost of Holiday Shopping

10 Dec 2020

Calculate Your Purchase Risk Using This Fact-Based Formula.

Enhancing FortiSOAR with Trend Micro Endpoint Security

10 Dec 2020

Trend Micro have been proudly protecting customers from cyber-threats for over three decades, allowing them to consistently respond quickly to threats and protect their businesses from attack with high confidence.

Extending the value of XDR with our industry partners

10 Dec 2020

At Trend Micro we’ve been protecting our customers from cyber-threats for over three decades, and we’ve become pretty good at it.

SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks

9 Dec 2020

While tracking the activities of the SideWinder group, we identified a server used to deliver a malicious LNK file and host multiple credential phishing pages. In addition, we also found multiple Android APK files on their phishing server.

December Patch Tuesday Fixes Exchange, SMB

9 Dec 2020

The last set of updates for the year includes 58 patches for the Microsoft Office suite.

Takeaways from Trend Micro's 2021 Security Predictions

8 Dec 2020

The onset of the new decade has challenged the cybersecurity sector — and industries as a whole. What will change? We identify some of the drivers that will underpin organizations’ priorities in 2021.

This Week in Security News - Dec. 4, 2020

4 Dec 2020

MacOS Users Targeted by OceanLotus Backdoor and Trend Micro’s Cyber Risk Index Goes Global

Network Security in the Cloud

4 Dec 2020

The events of 2020 have confirmed what most technology leaders across the country already know: cloud computing is the key to driving business agility and unlocking value.

Scammers Use Home Addresses of Targets in France

3 Dec 2020

A recent phishing scam uses the name of a retail company to target users from France. The scheme employs a more targeted social engineering technique as it features each target's actual home address and phone number.

From Geost to Locker: Monitoring the Evolution of Android Malware Obfuscation

3 Dec 2020

We looked into the evolution of an Android malware's obfuscation methods through samples nearly a year apart, Geost and Locker. Adding context to this discussion is the discovery that the authors of the malware used an external obfuscation service.

The 2020 Cyber Risk Index Goes Global

2 Dec 2020

I’m excited this year to share the most recent version of the Trend Micro Cyber Risk Index (CRI), which we started 3 years ago.

How To Secure Slack for Remote Teams and Work from Home Employees

2 Dec 2020

Cloud-based Slack has become an integral part of many teams’ daily functions and interactions. But with all the corporate data and potentially confidential information being shared via Slack, have you stopped to think about its security?

The Impact of Modern Ransomware on Manufacturing Networks

1 Dec 2020

Ransomware threats have disrupted the manufacturing industry significantly in 2020. In a disturbing trend during the third quarter of the year, attackers appeared to be singling out manufacturing organizations as a victim of choice in their ransomware operations.

This Week in Security News: Trend Micro Announces Cloud One – Application Security and New US IoT Law Aims to Improve Edge Device Security

27 Nov 2020

This week, learn about Trend Micro’s latest cloud security offering, Cloud One – Application Security. Also, read about the new IoT law passed in the U.S. to help ward off advanced threats and provide greater security in IoT devices.

New MacOS Backdoor Connected to OceanLotus Surfaces

27 Nov 2020

We recently discovered a new backdoor we believe to be related to the OceanLotus group. Some of the updates of this new variant include new behavior and domain names.

How a ransomware attack could affect retailers

25 Nov 2020

Cybercriminals have recently been focusing their efforts on the retail industry, launching ransomware-based attacks that could prove disastrous for businesses if they disrupt their operations during important shopping seasons.

Analysis of Kinsing Malware's Use of Rootkit

24 Nov 2020

Several shell scripts accompany Kinsing. These shell scripts are responsible for downloading and installing, removing, and uninstalling various resource-intensive services and processes. This blog post focuses on the role of the rootkit component.

Weaponizing Open Source Software for Targeted Attacks

20 Nov 2020

How is open-source software trojanized? How can we detect it? To answer these questions, let us walk through a recent investigation we conducted that involved this file type.

This Week in Security News - November 19

19 Nov 2020

Cybercrime Moves to the Cloud to Accelerate Attacks Amid Data Glut and Trend Micro Announces Free Web-Based Tool

The Dangers of AI and ML in the Hands of Cybercriminals

19 Nov 2020

We delve into the many ways that cybercriminals abuse ML and AI presently and how they could exploit these technologies for ill gain in the future.

CVE-2020-17053: Use-After-Free IE Vulnerability

17 Nov 2020

We analyze how CVE-2020-17053 was found and how it works.

Identify Misinformation and Scams with Trend Micro Check

17 Nov 2020

In the Digital Age, we’re constantly bombarded with information from many sources on the internet, both good and bad.

How to Secure Your Mac and Make It Run Faster

17 Nov 2020

There’s an old myth still in circulation that Macs are invulnerable to hackers and cybercriminals—but is it true? The short answer is no.

Attackers are using the cloud, too. Here’s what you need to know.

16 Nov 2020

There’s a lot of buzz around the cloud, and the attention is deserved. Leveraging the cloud can optimize resources, save time, increase automation, and take some of the security responsibility out of your hands.

This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs

13 Nov 2020

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days.

Defense in Depth, Layered Security in the Cloud

12 Nov 2020

A thought leadership piece on the evolution of network security: how it has looked up until now, how it manifests itself today, and what the future of network security looks like.

November Patch Tuesday Fixes Exchange, NFS Vulns

11 Nov 2020

Compared to last month's update, which saw a noticeable drop to just over 80 fixes, the total number of patches for this month increased again, with over a hundred patches released.

An Old Joker’s New Tricks: Using Github To Hide Its Payload

9 Nov 2020

We recently detected a new version of the persistent mobile malware Joker on a sample on Google Play. This updated version utilizes Github pages and repositories in an attempt to evade detection.

This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang 'Acquires' KPOT Malware

6 Nov 2020

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days.

What are the best options for cybersecurity protection for small businesses?

2 Nov 2020

For Brad Bell and Mike Lenz, providing the best cybersecurity protection for their company’s hundreds of small business clients is critical.

Encouraging the next generation of cybersecurity stars to join the industry

2 Nov 2020

At Trend Micro, we’ve always had a passion for education and a desire to grow the cybersecurity industry with talented, dedicated professionals.

This Week in Security News - October 30, 2020

30 Oct 2020

Trend Micro Researchers Uncover Two Espionage Backdoors Associated with Operation Earth Kitsune and Trickbot and Ransomware Attackers Plan Big Hit on U.S. Hospitals

Operation Earth Kitsune: A Dance of Two New Backdoors

28 Oct 2020

We uncovered two new espionage backdoors associated with Operation Earth Kitsune: agfSpy and dneSpy. This post provides details about these malware types, including the relationship between them and their command and control (C&C) servers.

Trend Micro HouseCall for Home Networks

27 Oct 2020

Remember when only desktop computers in our homes had connections to the internet? Thanks to the latest developments in smart device technology, almost everything now can be connected: security cameras, smart TVs, gaming consoles, and network storage, to name just a few.

This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree

23 Oct 2020

This week, learn about a watering hole campaign Trend Micro dubbed ‘Operation Earth Kitsune’ that is spying on users’ systems through compromised websites. Also, read about how APT groups are threatening DDoS attacks against victims if they don’t send them bitcoin.

Cybersecurity, Here to Stay?

20 Oct 2020

I get asked why we can’t stop cybercrime with all the new technologies like artificial intelligence and machine learning that can detect in real-time new cyber threats. As I think about this, I always go back to the human factor and the fact that physical crime still hasn’t been wiped out. Physical crime has been around for a very long time, and we still need law enforcement to keep us safe from criminals who prey upon their victims.

Future Imperfect

19 Oct 2020

All the way back in 2012, Trend Micro was lucky enough to be asked to participate in a very exciting research project initiated under the auspices of the International Cyber Security Protection Alliance (ICSPA) on which I worked alongside experts from Europol’s European Cyber Crime Centre (EC3) led by Dr. Victoria Baines.

Just leave that Docker API on the front porch, no one will steal it

19 Oct 2020

The global rush to move resources and infrastructure to the cloud as a result of Covid-19 has moved the attack surface from on-premise environments to the cloud.

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools

16 Oct 2020

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Becoming an advocate for gender diversity: five steps that could shape your journey

14 Oct 2020

How to help bridge the industry's diversity gap

Smaller October Patch Tuesday Fixes TCP/IP, RDP Bugs

14 Oct 2020

Microsoft's Patch Tuesday update for October has a relatively small number of patches. After a few months where the number of bug fixes exceeded the 100 mark, October's round of updates stood at 87, eleven of which were rated as Critical.

VirusTotal Now Supports Trend Micro ELF Hash

13 Oct 2020

Trend Micro ELF Hash (aka telfhash) is now officially supported on VirusTotal! Here's a guide on how malware researchers can use this clustering algorithm to pivot from one malware sample to another.

Metasploit Shellcodes Attack Exposed Docker APIs

12 Oct 2020

We recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs.

This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

9 Oct 2020

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

9 Oct 2020

A flaw in how path traversal was coded in the health app led to possible data leakage.

Transforming IoT Monitoring Data into Threat Defense

8 Oct 2020

In this article, we feature data gathered from our continuous monitoring of C&C servers of botnets such as Mirai and Bashlite. We also share how this data is used to bolster the protection of IoT devices.

French companies Under Attack from Clever BEC Scam

6 Oct 2020

A new BEC campaign that uses some clever social engineering techniques was launched against a number of French companies across different industries.

Threat Research & XDR Combine to Stop Cybercrime

6 Oct 2020

Sophisticated threat actors are best met by sophisticated defenses.

This Week in Security News

2 Oct 2020

Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX

Windows XP Source Code Leaked… So What?

1 Oct 2020

The recent news that XP source code has been made publicly available has been met with varied response.

Cross-Platform / Modular Glupteba Malware Uses ManageX

29 Sep 2020

This entry features the analysis of a variant of Glupteba, emphasizing the modularity and the cross-platform features of the malware as seen through the examination of its code. Notable in this variant is the use of ManageX.

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New 'Alien' Malware can Steal Passwords from 226 Android Apps

24 Sep 2020

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

The Evolution of Malicious Shell Scripts

23 Sep 2020

We take note of the ways shell scripts have changed in the hands of cybercriminals and how they can be employed in the development of malware payloads in malicious routines.

Exploitable Flaws Found in Facial Recognition Devices

22 Sep 2020

To gain a more nuanced understanding of the security issues present in facial recognition devices, we analyzed the security of four different models. Our case studies show how these devices can be misused by malicious attackers.


Kaspersky

Mobile malware evolution 2020

01 Mar 2021

In 2020, Kaspersky mobile products and technologies detected 156,710 new mobile banking Trojans and 20,708 new mobile ransomware Trojans.

The state of stalkerware in 2020

26 Feb 2021

The 2020 data shows that the stalkerware situation has not improved much: the number of affected people is still high. A total of 53,870 unique users were affected globally by stalkerware in 2020.

Lazarus targets defense industry with ThreatNeedle

25 Feb 2021

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

DDoS attacks in Q4 2020

16 Feb 2021

Q4 2020 in terms of DDoS attacks: DDoS market fall, bitcoin rise, careful prognoses.

Spam and phishing in 2020

15 Feb 2021

COVID-19 spam, corporate phishing, fake videoconferences and other trends and figures of 2020.

How kids coped with COVID-hit winter holidays

04 Feb 2021

We analyzed and categorized the most popular websites and search queries over the festive period (December 20, 2020 — January 10, 2021) to find out how kids compensated for the lack of outdoor winter entertainment.

Privacy predictions for 2021

28 Jan 2021

With privacy more often than not being traded for convenience, we believe that for many 2020 has fundamentally changed how much privacy people are willing to sacrifice in exchange for security and access to digital services.

Sunburst backdoor – code overlaps with Kazuar

11 Jan 2021

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations show that Kazuar was used together with Turla tools during multiple breaches in past years.

Digital Footprint Intelligence Report

29 Dec 2020

The Digital Footprint Intelligence Service announces the results of research on the digital footprints of governmental, financial and industrial organizations for countries in the Middle East region.

How we protect our users against the Sunburst backdoor

23 Dec 2020

The detection logic has been improved in all our solutions to ensure our customers' protection. We continue to investigate the cyberattack on SolarWinds and will add additional detections as they are required.


ThreatPost

Firewall Vendor Patches Critical Auth Bypass Flaw

01 Mar 2021

Cybersecurity firm Genua fixes a critical flaw in its GenuGate High Resistance Firewall, allowing attackers to log in as root users.

Amazon Dismisses Claims Alexa ‘Skills’ Can Bypass Security Vetting Process

26 Feb 2021

Researchers found a number of privacy and security issues in Amazon's Alexa skill vetting process, which could lead to attackers stealing data or launching phishing attacks.

Stalkerware Volumes Remain Concerningly High, Despite Bans

26 Feb 2021

COVID-19 impacted volumes for the year, but the U.S. moved into third place on the list of countries most infected by stalkerware.

Lazarus Targets Defense Companies with ThreatNeedle Malware

26 Feb 2021

A spear-phishing campaign linked to a North Korean APT uses "NukeSped" malware in cyberespionage attacks against defense companies.

Yeezy Fans Face Sneaker-Bot Armies for Boost ‘Sun’ Release

26 Feb 2021

Sneaker bots ready to scoop up the new Yeezy Boost 700 “Sun” shoes to resell at a huge markup.

Malware Gangs Partner Up in Double-Punch Security Threat

26 Feb 2021

From TrickBot to Ryuk, more malware cybercriminal groups are putting their heads together when attacking businesses.

Podcast: Ransomware Attacks Exploded in Q4 2020

26 Feb 2021

Researchers said they saw a seven-times increase in ransomware activity in the fourth quarter of 2020, across various families – from Ryuk to Egregor.

Protecting Sensitive Cardholder Data in Today’s Hyper-Connected World

26 Feb 2021

Retailers that lacked significant digital presence pre-COVID are now reaching new audiences through e-commerce sites that are accessible anytime, from anywhere, on any device.

Cyberattacks Launch Against Vietnamese Human-Rights Activists

25 Feb 2021

Vietnam joins the ranks of governments using spyware to crack down on human-rights defenders.

Health Website Leaks 8 Million COVID-19 Test Results

25 Feb 2021

A teenaged ethical hacker discovered a flawed endpoint associated with a health-department website in the state of Bengal, which exposed personally identifiable information related to test results.


PaloAlto

IronNetInjector: Turla’s New Malware Loading Tool

19 Feb 2021

IronPython has been used for malicious purposes before, but in its new malware loading tool IronNetInjector, threat group Turla uses it in a new way.

WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years

17 Feb 2021

The WatchDog mining operation is one of the largest and longest-lasting Monero cryptojacking operations known to exist.

Threat Brief: Windows IPv4 and IPv6 Stack Vulnerabilities (CVE-2021-24074, CVE-2021-24086 and CVE-2021-24094)

09 Feb 2021

We provide an overview of CVE-2021-24086, CVE-2021-24094 and CVE-2021-24074 and offer strategies for mitigation with Palo Alto Networks products.

BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

09 Feb 2021

The novel Chinese shellcode "BendyBear" is one of the most sophisticated, well-engineered and difficult-to-detect samples employed by an APT.

Exploits in the Wild for WordPress File Manager RCE Vulnerability (CVE-2020-25213)

05 Feb 2021

We observed an exploit of the WordPress File Manager RCE vulnerability CVE-2020-25213, which was used to install Kinsing, a malicious cryptominer.

Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes

03 Feb 2021

Hildegard is a new malware campaign believed to originate from TeamTNT. It targets Kubernetes clusters and launches cryptojacking operations.

Pro-Ocean: Rocke Group’s New Cryptojacking Malware

28 Jan 2021

Pro-Ocean is a revised version of cloud-targeted cryptojacking malware, which now includes new and improved rootkit and worm capabilities.

Network Attack Trends: Internet of Threats

22 Jan 2021

Unit 42 researchers identify recent network attack trends and analyze vulnerabilities and exploits currently popular with attackers.

Wireshark Tutorial: Examining Emotet Infection Traffic

19 Jan 2021

This Wireshark tutorial reviews recent Emotet activity and provides some tips on identifying this malware based on examining Emotet infection traffic.

Open Source Tool Release: Gaining Novel AWS Access With EBS Direct APIs

12 Jan 2021

We evaluate AWS EBS Direct APIs for defense and DFIR, and cover security considerations. We also release supporting open source tools.

xHunt Campaign: New BumbleBee Webshell and SSH Tunnels Used for Lateral Movement

11 Jan 2021

The BumbleBee webshell is used by the xHunt Campaign to upload and download files to a compromised server and to move laterally on the network.

TA551: Email Attack Campaign Switches from Valak to IcedID

07 Jan 2021

We continue to monitor the email attack campaign TA551, AKA Shathak, which has recently pushed IcedID, a family of information-stealing malware.

The History of DNS Vulnerabilities and the Cloud

28 Dec 2020

We review the history of DNS vulnerabilities, particularly DNS cache poisoning, examining both past vulnerabilities and more advanced attacks.

SolarStorm Supply Chain Attack Timeline

23 Dec 2020

The SolarStorm timeline summarized here is based on the information available to us and our direct experience defending against this threat.

Protecting Against an Unfixed Kubernetes Man-in-the-Middle Vulnerability (CVE-2020-8554)

21 Dec 2020

A currently unpatched, medium-severity issue affecting all Kubernetes versions, CVE-2020-8554 can be mitigated in several ways.


F-Secure


McAfee

Babuk Ransomware

24 Feb 2021

Executive Summary

Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise. Using MVISION Insights, McAfee was able […]

Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use

19 Feb 2021

Mobile Conferencing Apps Carry Risks

On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc. As we disclosed the findings to Agora in April 2020, this lengthy disclosure timeline represents a nonstandard process for McAfee but was a joint agreement with the vendor to allow sufficient time for the […]

Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK

17 Feb 2021

The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated and published several findings on a personal robot called “temi”, which can be read about in detail here. A byproduct of our robotic research was […]

Researchers Follow the Breadcrumbs: The Latest Vulnerabilities in Windows’ Network Stack

09 Feb 2021

The concept of a trail of breadcrumbs in the offensive security community is nothing new; for many years, researchers on both sides of the ethical spectrum have followed the compass based on industry-wide security findings, often leading to groundbreaking discoveries in both legacy and modern codebases alike. This happened in countless instances, from Java to […]

McAfee ATR Launches Education-Inspired Capture the Flag Contest!

27 Jan 2021

McAfee’s Advanced Threat Research team just completed its second annual capture the flag (CTF) contest for internal employees. Based on tremendous internal feedback, we’ve decided to open it up to the public, starting with a set of challenges we designed in 2019. We’ve done our best to minimize guesswork and gimmicks and instead of flashy graphics and games, we’ve distilled the kind of problems […]

Two Pink Lines

15 Jan 2021

Depending on your life experiences, the phrase (or country song by Eric Church) “two pink lines” may bring up a wide range of powerful emotions. I suspect, like many fathers and expecting fathers, I will never forget the moment I found out my wife was pregnant. You might recall what you were doing, or where […]

A Year in Review: Threat Landscape for 2020

14 Jan 2021

As we gratefully move forward into the year 2021, we have to recognise that 2020 was as tumultuous in the digital realm as it was in the physical world. From low-level fraudsters leveraging the pandemic as a vehicle to trick victims into parting with money for non-existent PPE, to more capable actors using malware […]

2021 Threat Predictions Report

13 Jan 2021

The December 2020 revelations around the SUNBURST campaigns exploiting the SolarWinds Orion platform have revealed a new attack vector – the supply chain – that will continue to be exploited. The ever-increasing use of connected devices, apps and web services in our homes will also make us more susceptible to digital home break-ins. This threat […]

How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise

21 Dec 2020

In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll delivered as part of a digitally-signed Windows Installer Patch. The trojanized file delivers a backdoor, dubbed SUNBURST by FireEye (and Solorigate by Microsoft), that communicates to third-party servers for […]

Additional Analysis into the SUNBURST Backdoor

17 Dec 2020

Executive Summary

There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader campaign has resulted in detection against specific IoCs associated with the Sunburst trojan, the focus within the Advanced Threat Research (ATR) team has been to determine the possibility of additional persistence measures. Our analysis […]

SUNBURST Malware and SolarWinds Supply Chain Compromise

16 Dec 2020

Part I of II

Situation

In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST malware through a backdoor as part of a digitally-signed Windows Installer Patch. Use of a Compromised Software Supply […]

CVE-2020-17051: Remote kernel heap overflow in NFSv3 Windows Server

10 Nov 2020

CVSS Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Overview

Microsoft released a patch today for a critical vulnerability (CVE-2020-17051) in the Windows NFSv3 (Network File System) server. NFS is typically used in heterogeneous environments of Windows and Unix/Linux for file sharing. The vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the nfssvr.sys driver. Interestingly, the November patches from Microsoft also include a remote kernel data read […]

Operation North Star: Behind The Scenes

05 Nov 2020

Executive Summary

It is rare to be provided an inside view on how major cyber espionage campaigns are conducted within the digital realm. The only transparency afforded is a limited view of victims, a malware sample, and perhaps the IP addresses of historical command and control (C2) infrastructure. The Operation North Star campaign we detailed […]

Operation North Star: Summary Of Our Latest Analysis

05 Nov 2020

McAfee’s Advanced Threat Research (ATR) today released research that uncovers previously undiscovered information on how Operation North Star evaluated its prospective victims and launched attacks on organizations in Australia, India, Israel and Russia, including defense contractors based in India and Russia. McAfee’s initial research into Operation North Star revealed a campaign that used social media […]

McAfee Labs Report Reveals Continuing Surge of COVID-19 Threats and Malware

05 Nov 2020

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: November 2020. In this edition, we follow our preceding McAfee Labs COVID-19 Threats Report with more research and data designed to help you better protect your enterprise’s productivity and viability during challenging times. What a year so far! The first quarter of […]

CVE-2020-16898: “Bad Neighbor”

13 Oct 2020

CVSS Score: 8.8
Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Overview

Today, Microsoft announced a critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system. The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results […]

Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program

06 Oct 2020

From June to August, part of the McAfee Advanced Threat Research (ATR) team participated in Microsoft’s Azure Sphere Research Challenge. Our research resulted in reporting multiple vulnerabilities classified by Microsoft as “important” or “critical” in the platform that, to date, have qualified for over $160,000 USD in bounty awards scheduled to be contributed to the ACLU ($100,000), St. Jude’s Children’s Research Hospital ($50,000) and PDX Hackerspace (approximately $20,000). With these contributions, we hope to support and give […]

Securing Space 4.0 – One Small Step or a Giant Leap? Part 1

01 Oct 2020

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland. The essence of Space 4.0 is the introduction of smaller, cheaper, faster-to-the-market satellites in low-earth-orbit into the value chain and the exploitation of the data they provide. […]

Securing Space 4.0 – One Small Step or a Giant Leap? Part 2

01 Oct 2020

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center in Cork, Ireland. In the first of this two-part blog series we introduced Space 4.0, its data value and how it looks set to become the next battleground in the defense […]

Vulnerability Discovery in Open Source Libraries: Analyzing CVE-2020-11863

01 Sep 2020

Open Source projects are the building blocks of any software development process. As we indicated in our previous blog, as more and more products use open source code, the increase in the overall attack surface is inevitable, especially when open source code is not audited before use. Hence it is recommended to thoroughly test it […]

On Drovorub: Linux Kernel Security Best Practices

13 Aug 2020

Intro

In a U.S. government cyber security advisory released today, the National Security Agency and Federal Bureau of Investigation warn of a previously undisclosed piece of Linux rootkit malware called Drovorub and attribute the threat to malicious actor APT28. The report is incredibly detailed and proposes several complementary detection techniques to effectively identify Drovorub malware […]

Vulnerability Discovery in Open Source Libraries Part 1: Tools of the Trade

12 Aug 2020

Executive Summary

Open source has become the foundation for modern software development. Vendors use open source software to stay competitive and improve the speed, quality, and cost of the development process. At the same time, it is critical to maintain and audit open source libraries used in products as they can expose a significant volume […]

Robot Character Analysis Reveals Trust Issues

06 Aug 2020

Retired Marine fighter pilot and Top Gun instructor Dave Berke said “Every single thing you do in your life, every decision you make, is an OODA Loop.” OODA Loop? Observe–Orient–Decide–Act, the “OODA Loop” was originally developed by United States Air Force Colonel John Boyd and outlines that fundamentally all actions are first based on observations. […]

Call an Exorcist! My Robot’s Possessed!

06 Aug 2020

Overview

As part of our continued goal of helping developers provide safer products for businesses and consumers, we here at McAfee Advanced Threat Research (ATR) recently investigated temi, a teleconference robot produced by Robotemi Global Ltd. Our research led us to discover four separate vulnerabilities in the temi robot, which this paper will describe in […]

Dopple-ganging up on Facial Recognition Systems

05 Aug 2020

Co-authored with Jesse Chick, OSU Senior and Former McAfee Intern, Primary Researcher. Special thanks to Dr. Catherine Huang, McAfee Advanced Analytics Team. Special thanks to Kyle Baldes, Former McAfee Intern.

“Face” the Facts

There are 7.6 billion people in the world. That’s a huge number! In fact, if we all stood shoulder to shoulder on […]

Ripple20 Critical Vulnerabilities – Detection Logic and Signatures

05 Aug 2020

This document has been prepared by McAfee Advanced Threat Research in collaboration with JSOF who discovered and responsibly disclosed the vulnerabilities. It is intended to serve as a joint research effort to produce valuable insights for network administrators and security personnel, looking to further understand these vulnerabilities to defend against exploitation. The signatures produced here […]

McAfee Defender’s Blog: NetWalker

03 Aug 2020

Building Adaptable Security Architecture Against NetWalker

NetWalker Overview

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year. NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service […]

Take a “NetWalk” on the Wild Side

03 Aug 2020

Executive Summary

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year. NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and our research suggests […]

Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?

30 Jul 2020

Executive Summary

We are in the midst of an economic slump [1], with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the prevalence of attacks during this unprecedented time has been largely carried out by low-level fraudsters, the […]

McAfee Defender’s Blog: Operation North Star Campaign

30 Jul 2020

Building Adaptable Security Architecture Against the Operation North Star Campaign

Operation North Star Overview

Over the last few months, we have seen attackers take advantage of the pandemic as a cover to launch cyberattacks. One such example is a campaign that McAfee Advanced Threat Research (ATR) observed as an increase in malicious cyber activity targeting […]

Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!!

27 Jul 2020

Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom demands from ending up in criminals’ pockets. It would be fair to say that the initiative, which started in a small meeting room in the Hague, has been […]

Hunting for Blues – the WSL Plan 9 Protocol BSOD

23 Jul 2020

Windows Subsystem for Linux Plan 9 Protocol Research Overview

This is the final blog in the McAfee research series trilogy on the Windows Subsystem for Linux (WSL) implementation – see The Twin Journey (part 1) and Knock, Knock–Who’s There (part 2). The previous research discussed file evasion attacks when the Microsoft P9 server can be […]

McAfee COVID-19 Report Reveals Pandemic Threat Evolution

22 Jul 2020

The McAfee Advanced Threat Research team today published the McAfee® Labs COVID-19 Threats Report, July 2020. In this “Special Edition” threat report, we delve deep into the COVID-19 related attacks observed by our McAfee Advanced Threats Research and McAfee Labs teams in the first quarter of 2020 and the early months of the pandemic. What […]

Ripple20 Vulnerability Mitigation Best Practices

22 Jun 2020

On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors. This set of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck has been dubbed “Ripple20” by researchers from JSOF. A networking stack is a software component […]

My Adventures Hacking the iParcelBox

18 Jun 2020

In 2019, McAfee Advanced Threat Research (ATR) disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their products to test. While this isn’t the typical M.O. for our research we applaud the company for being […]

What’s in the Box? Part II: Hacking the iParcelBox

18 Jun 2020

Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of consumer buying habits. In 2019, McAfee Advanced Threat Research (ATR) conducted a vulnerability research project on a secure home package delivery […]

RagnarLocker Ransomware Threatens to Release Confidential Information

09 Jun 2020

EXECUTIVE SUMMARY

The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators. The ransomware code is small (only 48kb after the protection in its custom packer is removed) and coded in a high-level programming language (C/C++). Like all ransomware, […]

OneDrive Phishing Awareness

08 Jun 2020

Scammers use a number of ways to target personal information; currently, one example is that they are taking advantage of the fear around the virus pandemic, sending phishing and scam emails to Microsoft OneDrive users and trying to profit from Coronavirus/COVID-19. They will pretend to be emailing from government, consulting, or charitable organizations to steal […]

How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner

19 May 2020

Introduction

This blog describes how McAfee ATP (Adaptive Threat Protection) rules are used within McAfee Endpoint Security products. It will help you understand how ATP Rules work and how you can utilize them to prevent infections from prevalent malware families such as Emotet, LemonDuck and PowerMiner. Please read through the recommendation section to effectively utilize […]

ENS 10.7 Rolls Back the Curtain on Ransomware

07 May 2020

Ransomware protection and incident response is a constant battle for IT, security engineers and analysts under normal circumstances, but with the number of people working from home during the COVID-19 pandemic that challenge reaches new heights. How do you ensure an equivalent level of adaptable malware protection on or off the corporate network? How do […]

Cybercriminals Actively Exploiting RDP to Target Remote Organizations

07 May 2020

The COVID-19 pandemic has prompted many companies to enable their employees to work remotely and, in a large number of cases, on a global scale. A key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), which allows communication with a remote system. In order […]

COVID-19 – Malware Makes Hay During a Pandemic

07 May 2020

Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and monitoring of related threats. As COVID-19 continues to spread across the world, it is no surprise that malware authors are exploiting the pandemic. McAfee recently released blogs around Covid-19 related threats – Staying safe while […]

Tales From the Trenches; a Lockbit Ransomware Story

01 May 2020

Co-authored by Marc RiveroLopez. In collaboration with Northwave. As we highlighted previously across two blogs, targeted ransomware attacks have increased massively over the past months. In our first article, we discussed the growing pattern of targeted ransomware attacks where the primary infection stage is often an info-stealer kind of malware used to gain credentials/access to determine […]

MalBus Actor Changed Market from Google Play to ONE Store

09 Apr 2020

McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a South Korean developer. In the previous Malbus case, the author distributed the malware through Google Play, but new variants are distributed via the ONE Store in much the same way. ONE Store is a joint venture by the […]

Transitioning to a Mass Remote Workforce – We Must Verify Before Trusting

07 Apr 2020

While not a new practice, the sheer volume of people required to adhere to social distancing best practices means we now have a mass workforce working remotely. Most enterprises and SMBs can support working remotely today but many IT departments are not equipped to scale to the numbers currently required. In this blog we discuss […]

COVID-19 Threat Update – now includes Blood for Sale

07 Apr 2020

Although the use of global events as a vehicle to drive digital crime is hardly surprising, the current outbreak of COVID-19 has revealed a multitude of vectors, including one in particular that is somewhat out of the ordinary. In a sea of offers for face masks, a recent posting on a dark web forum reveals […]

Nemty Ransomware – Learning by Doing

02 Apr 2020

Executive Summary

The McAfee Advanced Threat Research Team (ATR) observed a new ransomware family named ‘Nemty’ on 20 August 2019. We are in an era where ransomware developers face multiple struggles, from the great work done by the security community to protect against their malware, to initiatives such as the No More Ransom project that […]

Ransomware Maze

26 Mar 2020

EXECUTIVE SUMMARY

The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May 29th, 2019 by Jerome Segura[1]. The main goal of the ransomware is to encrypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic […]

Staying Safe While Working Remotely

18 Mar 2020

Special thanks to Tim Hux and Sorcha Healy for their assistance. The demand for remote working as a result of the COVID-19 pandemic will invariably place pressures on organizations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote […]

SMBGhost – Analysis of CVE-2020-0796

13 Mar 2020

The Vulnerability

The latest vulnerability in SMBv3 is a “wormable” vulnerability given its potential ability to replicate or spread over network shares using the latest version of the protocol (SMB 3.1.1). As of this writing, Microsoft has just released a patch for CVE-2020-0796 on the morning of March 12th. The bug was introduced very recently, […]

Android/LeifAccess.A is the Silent Fake Reviewer Trojan

04 Mar 2020

The McAfee Mobile Research team has identified an Android malware family dubbed Android/LeifAccess.A that has been active since May 2019. This trojan was discovered globally with localized versions but has a much higher prevalence in the USA and Brazil. As part of the payload, this trojan can abuse OAuth leveraging accessibility services to automatically create […]

Multi-tricks HiddenAds Malware

04 Mar 2020

Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps The McAfee mobile research team has recently discovered a new variant of the HiddenAds Trojan. HiddenAds Trojan is an adware app used to display advertising and collect user data for marketing. The goal of such apps is to generate revenue by redirecting users to advertisements. […]

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II

20 Feb 2020

In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer kind of malware used to gain credentials/access to determine if the target would be valuable for a ransomware attack. In this second part we will pick up where we left off: the attacker […]

Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles

19 Feb 2020

The last several years have been fascinating for those of us who have been eagerly observing the steady move towards autonomous driving. While semi-autonomous vehicles have existed for many years, the vision of fleets of fully autonomous vehicles operating as a single connected entity is very much still a thing of the future. However, the […]

Introduction and Application of Model Hacking

19 Feb 2020

Catherine Huang, Ph.D., and Shivangee Trivedi contributed to this blog. The term “Adversarial Machine Learning” (AML) is a mouthful! The term describes a research field regarding the study and design of adversarial attacks targeting Artificial Intelligence (AI) models and features. Even this simple definition can send the most knowledgeable security practitioner running! We’ve coined the […]

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I

12 Feb 2020

For many years now I have been working and teaching in the field of digital forensics, malware analysis and threat intelligence. During one of the classes we always talk about Lockard’s exchange principle: “with contact between two items, there will be an exchange”. If we translate that to the digital world: “when an adversary breaches […]

Knock, Knock – Who’s There?

11 Feb 2020

A Windows Linux Subsystem Interop Analysis Following our research from Evil Twins and Windows Linux Subsystem, interoperability between different WSL versions was something that caught our attention. The protocol and mechanism to do file management from/to WSL is a must for Blue and Red Teams whose research will provide new ways to execute known techniques […]

How Chinese Cybercriminals Use Business Playbook to Revamp Underground

11 Feb 2020

Preface Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends […]

Intelligence in the Enterprise

11 Feb 2020

Intelligence became an integral military discipline centuries ago. More recently, this practice evolved into what is called Intelligence Preparation of the Battlefield, or IPB. In both military and civilian agencies, the discipline uses information collection followed by analysis to provide guidance and direction to operators making tactical or organizational decisions. Used strategically, this type of intelligence puts an organization in […]

U.S. Battleground County Website Security Survey

04 Feb 2020

Today McAfee released the results of a survey of county websites and county election administration websites in the 13 states projected as battleground states in the 2020 U.S. presidential elections. We found that significant majorities of these websites lacked the official government .GOV website validation and HTTPS website security measures to prevent malicious actors from […]

An Inside Look into Microsoft Rich Text Format and OLE Exploits

24 Jan 2020

There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector to exploit and infect machines but now Microsoft Office applications are preferred, according to a report published here during March 2019. Increasing use of Microsoft Office […]

CurveBall – An Unimaginative Pun but a Devastating Bug

18 Jan 2020

Enterprise customers looking for information on defending against Curveball can find information here. 2020 came in with a bang this year, and it wasn’t from the record-setting number of fireworks on display around the world to celebrate the new year. Instead, just over two weeks into the decade, the security world was rocked by a […]

What CVE-2020-0601 Teaches Us About Microsoft’s TLS Certificate Verification Process

17 Jan 2020

By: Jan Schnellbächer and Martin Stecher, McAfee Germany GmbH This week security researchers around the world were very busy working on Microsoft’s major crypto-spoofing vulnerability (CVE-2020-0601) otherwise known as Curveball. The majority of research went into attacks with malicious binaries that are signed with a spoofed Certificate Authority (CA) which unpatched Win10 systems would in […]

Iran Cyber Threat Update

08 Jan 2020

Recent political tensions in the Middle East region have led to significant speculation of increased cyber-related activities. McAfee is on a heightened state of alert to monitor the evolving threats and rapidly implement coverage across all McAfee products as intelligence becomes available. Known campaigns associated with the threat actors from this region were integrated into […]

We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors

07 Jan 2020

The idea of controlling your garage door remotely and verifying that everything is secure at home, or having packages delivered directly into your garage is enticing for many people. The convenience that many of these IOT devices provide often persuades consumers away from thinking about the possible security concerns. McAfee Advanced Threat Research recently investigated […]

The Cloning of The Ring – Who Can Unlock Your Door?

07 Jan 2020

Steve Povolny contributed to this report. McAfee’s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry vertical. Special interest in the consumer space and Internet of Things (IoT) led to the discovery of an insecure design with the McLear NFC Ring, a household access control device. The NFC Ring […]

The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers

07 Jan 2020

This week McAfee Advanced Threat Research (ATR) published new findings, uncovering security flaws in two popular IoT devices: a connected garage door opener and a “smart” ring, which, amongst many uses, utilizes near field communication (NFC) to open door locks. I’d like to use these cases as examples of a growing concern in the area […]

Top Tips to Spot Tech Support Scams

12 Dec 2019

There are a number of ways scammers use to target your money or personal details. These scams include support sites for services such as Office365, iCloud, Gmail, etc. They will charge you for the service and steal your credit card details. Software activation scam sites will steal your activation code and they may resell it at a […]

Analysis of LooCipher, a New Ransomware Family Observed This Year

05 Dec 2019

Co-authored by Marc RiveroLopez. Initial Discovery This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis. The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher represents […]

McAfee Labs 2020 Threats Predictions Report

05 Dec 2019

With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against […]

Spanish MSSP Targeted by BitPaymer Ransomware

08 Nov 2019

Co-authored by Marc RiveroLopez Initial Discovery This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new but, by interacting with one of the cases in Spain, we want to highlight in this blog how well prepared and targeted an attack can be and […]

Buran Ransomware; the Evolution of VegaLocker

05 Nov 2019

McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REvil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware […]

Office 365 Users Targeted by Voicemail Scam Pages

31 Oct 2019

Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious […]

Did You Check Your Quarantine?!

28 Oct 2019

A cost-effective way to detect targeted attacks in your enterprise While it is easy to get caught up in the many waves of new and exciting protection strategies, we have recently discovered an interesting approach to detect a targeted attack and the related actor(s). Quite surprisingly, a big part of the solution already exists in […]

Using Expert Rules in ENS to Prevent Malicious Exploits

25 Oct 2019

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3+. Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control / monitor an endpoint system […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo

21 Oct 2019

Episode 4: Crescendo This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019. In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money

14 Oct 2019

Episode 3: Follow the Money This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid 2019. The Talking Heads once sang “We’re on a road to nowhere.” This expresses how challenging it can be when […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars

02 Oct 2019

Episode 2: The All-Stars Analyzing Affiliate Structures in Ransomware-as-a-Service Campaigns This is the second installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid-2019. GandCrab announced its retirement at the end of May. Since then, a new RaaS family […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us

02 Oct 2019

Episode 1: What the Code Tells Us McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi (or REvil), at the end of April 2019. Around this same time, the GandCrab ransomware crew announced they would shut down their operations. Coincidence? Or is there more to the story? In […]

How Visiting a Trusted Site Could Infect Your Employees

10 Sep 2019

The Artful and Dangerous Dynamics of Watering Hole Attacks A group of researchers recently published findings of an exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole […]

Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study

09 Sep 2019

Executive Summary Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. Many companies use these kinds of systems to detonate malicious […]

Apple iOS Attack Underscores Importance of Threat Research

04 Sep 2019

The recent discovery of exploit chains targeting Apple iOS is the latest example of how cybercriminals can successfully operate malicious campaigns, undetected, through the use of zero-day vulnerabilities. In this scenario, a threat actor or actors operated multiple compromised websites, using at least one or more zero-day vulnerabilities and numerous unique exploit chains and known vulnerabilities to […]

Analyzing and Identifying Issues with the Microsoft Patch for CVE-2018-8423

28 Aug 2019

Introduction As of July 2019, Microsoft has fixed around 43 bugs in the Jet Database Engine. McAfee has reported a couple of bugs and, so far, we have received 10 CVEs from Microsoft. In our previous post, we discussed the root cause of CVE-2018-8423. While analyzing this CVE and patch from Microsoft, we found that […]

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

13 Aug 2019

In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled, and some issues that could be raised by […]

McAfee AMSI Integration Protects Against Malicious Scripts

12 Aug 2019

Following on from the McAfee Protects against suspicious email attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of Malware since the start of 2019. This blog will help show you how […]

From Building Control to Damage Control: A Case Study in Industrial Security Featuring Delta’s enteliBUS Manager

09 Aug 2019

Management. Control. It seems that you can’t stick five people in a room together without one of them trying to order the others around. This tendency towards centralized authority is not without reason, however – it is often more efficient to have one person, or thing, calling the shots. For an example of the latter, […]

HVACking: Understanding the Delta Between Security and Reality

09 Aug 2019

The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated an industrial control system (ICS) produced by Delta Controls. The product, called “enteliBUS Manager”, is used for several applications, including building management. Our research […]

Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware

08 Aug 2019

Avaya is the second largest VOIP solution provider (source) with an install base covering 90% of the Fortune 100 companies (source), with products targeting a wide spectrum of customers, from small business and midmarket, to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software […]

MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play

07 Aug 2019

The McAfee mobile research team has found a new type of Android malware for the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) targeting Korean and Japanese users. A series of attack campaigns are still active, mainly targeting Japanese users. The new spyware has very different payloads from the existing MoqHao samples. However, we found […]

The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land

06 Aug 2019

In the first of this 3-part blog series, we covered the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitiveness is enabled. In this 2nd post we try to abuse applications that do not work well with CS changes, abusing years […]

DHCP Client Remote Code Execution Vulnerability Demystified

02 Aug 2019

CVE-2019-0547 CVE-2019-0547 was the first vulnerability patched by Microsoft this year. The dynamic link library, dhcpcore.dll, which is responsible for DHCP client services in a system, is vulnerable to malicious DHCP reply packets. This vulnerability allows remote code execution if the user tries to connect to a network with a rogue DHCP Server, hence making […]

Clop Ransomware

01 Aug 2019

This new ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still improving over time. This blog will explain the technical details and share information about how this new ransomware family is working. There are some variants of the Clop ransomware but in this report, we will focus on the main […]

The Twin Journey, Part 1

31 Jul 2019

Summary and Introduction: The recent changes in Windows 10, aiming to add case sensitivity (CS) at directory level, have prompted our curiosity to investigate the potential to use CS as a means of obfuscation or WYSINWYG (What You See is NOT What you Get). While CS was our entry point, we then ventured into other […]

Jet Database Engine Flaw May Lead to Exploitation: Analyzing CVE-2018-8423

30 Jul 2019

In September 2018, the Zero Day Initiative published a proof of concept for a vulnerability in Microsoft’s Jet Database Engine. Microsoft released a patch in October 2018. We investigated this flaw at that time to protect our customers. We were able to find some issues with the patch and reported that to Microsoft, which resulted […]

What Is Mshta, How Can It Be Used and How to Protect Against It

29 Jul 2019

The not-so Usual Suspects There is a growing trend for attackers to more heavily utilize tools that already exist on a system rather than relying totally on their own custom malware. Using .hta files or its partner in crime, mshta.exe, is an alternative to using macro-enabled documents for attacks and has been around a […]

Examining the Link Between TLD Prices and Abuse

26 Jul 2019

This blog was written by Charlie Feng. Briefing Over the years, McAfee researchers have observed that certain new top-level Domains (TLDs) are more likely to be abused by cyber criminals for malicious activities than others. Our investigations reveal a negative relationship between the likelihood for abuse and registration price of some TLDs, as reported by […]

No More Ransom Blows Out Three Birthday Candles Today

26 Jul 2019

Collaborative Initiative Celebrates Helping More Than 200,000 Victims and Preventing More Than 100 million USD From Falling into Criminal Hands Three years ago, on this exact day, the public and private sectors drew a line in the sand against ransomware. At that time, ransomware was becoming one of the most prevalent cyber threats globally. We […]

Demystifying Blockchain: Sifting Through Benefits, Examples and Choices

23 Jul 2019

You have likely heard that blockchain will disrupt everything from banking to retail to identity management and more. You may have seen commercials for IBM touting the supply chain tracking benefits of blockchain.[i]  It appears nearly every industry is investing in, adopting, or implementing blockchain. Someone has probably told you that blockchain can completely transform […]

McAfee ATR Aids Police in Arrest of Rubella & Dryad Office Macro Builder

17 Jul 2019

Every day, thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. […]

16Shop Now Targets Amazon

12 Jul 2019

Since early November 2018 McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a pdf file attached. An example of the message within the email is shown below, with an accompanying translation: […]

RDP Security Explained

24 Jun 2019

RDP on the Radar Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “Bluekeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft due to the fact that it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – […]

Why Process Reimaging Matters

20 Jun 2019

As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging.  Admittedly, this technique probably lacks a catchy name, but be under no illusion the technique is significant and is worth paying very close attention to. […]

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

20 Jun 2019

Process Reimaging Overview The Windows Operating System has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts the ability of non-EDR (Endpoint Detection and Response) Endpoint Security Solutions (such as Microsoft Defender Realtime Protection) to detect the correct binaries loaded in malicious processes. This inconsistency has led McAfee’s Advanced Threat Research to develop a new […]

Mr. Coffee with WeMo: Double Roast

30 May 2019

McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to investigate and ultimately compromise this smart coffee maker. While researching the device, there was always one attack vector that […]

Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement

22 May 2019

A much overlooked but essential part in financially motivated (cyber)crime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a process known as money laundering. ’Cleaning’ money in this way allows the criminal to spend their loot with less chance of being caught. In the physical world, for […]

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

21 May 2019

During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP and several other operating systems, which have not been supported for security updates in years. So why the […]

LockerGoga Ransomware Family Used in Targeted Attacks

29 Apr 2019

Co-authored by Marc RiveroLopez. Initial discovery Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected. In this blog, we will […]

IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

18 Apr 2019

Effective malware is typically developed with intention, targeting specific victims using either known or unknown vulnerabilities to achieve its primary functions. In this blog, we will explore a vulnerability submitted by McAfee Advanced Threat Research (ATR) and investigate a piece of malware that recently incorporated similar vulnerabilities. The takeaway from this blog is the increasing […]

Analysis of a Chrome Zero Day: CVE-2019-5786

20 Mar 2019

1. Introduction On March 1st, Google published an advisory [1] for a use-after-free in the Chrome implementation of the FileReader API (CVE-2019-5786). Clement Lecigne from Google Threat Analysis Group reported the bug as being exploited in the wild and targeting Windows 7, 32-bit platforms. The exploit leads to code execution in the Renderer process, […]

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

14 Mar 2019

Earlier this month Check Point Research reported discovery of a 19 year old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that there are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable […]

McAfee Protects Against Suspicious Email Attachments

04 Mar 2019

Email remains a top vector for attackers. Over the years, defenses have evolved, and policy-based protections have become standard for email clients such as Microsoft Outlook and Microsoft Mail. Such policies are highly effective, but only if they are maintained as attackers keep changing their tactics to evade defenses. For this reason, McAfee endpoint products […]

JAVA-VBS Joint Exercise Delivers RAT

01 Mar 2019

The Adwind remote administration tool (RAT) is a Java-based backdoor Trojan that targets various platforms supporting Java files. For an infection to occur, the user must typically execute the malware by double-clicking on the .jar file that usually arrives as an email attachment. Generally, infection begins if the user has the Java Runtime Environment installed. […]

Your Smart Coffee Maker is Brewing Up Trouble

25 Feb 2019

IoT devices are notoriously insecure and this claim can be backed up with a laundry list of examples. With more devices “needing” to connect to the internet, the possibility of your WiFi-enabled toaster getting hacked and tweeting out your credit card number is, amazingly, no longer a joke. With that in mind, I began […]

What’s in the Box?

25 Feb 2019

2018 was another record-setting year in the continuing trend for consumer online shopping. With an increase in technology and efficiency, and a decrease in cost and shipping time, consumers have clearly made a statement that shopping online is their preferred method.

[Figure: Chart depicting growth of online, web-influenced and offline sales by year.]

In direct correlation […]

Ryuk, Exploring the Human Connection

20 Feb 2019

In collaboration with Bill Siegel and Alex Holdtman from Coveware. At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, […]

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

04 Feb 2019

McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total […]

Happy New Year 2019! Anatova is here!

22 Jan 2019

During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network. After initial analysis, and making sure that our customers are protected, we decided to make this discovery public. Our telemetry showed that […]

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

10 Jan 2019

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received […]

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

09 Jan 2019

Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to […]

Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

19 Dec 2018

Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In that analysis we discussed one difference to previous Shamoon campaigns. The latest version has a modular approach that allows the wiper to be used […]

McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats

19 Dec 2018

The McAfee Advanced Threat Research team today published the McAfee® Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threats statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018. We are very excited to present to you new […]

Shamoon Returns to Wipe Systems in Middle East, Europe

14 Dec 2018

Destructive malware has been employed by adversaries for years. Usually such attacks are carefully targeted and can be motivated by ideology, politics, or even financial aims. Destructive attacks have a critical impact on businesses, causing the loss of data or crippling business operations. When a company is impacted, the damage can be significant. Restoration can […]

‘Operation Sharpshooter’ Targets Global Defense, Critical Infrastructure

12 Dec 2018

This post was written with contributions from the McAfee Advanced Threat Research team. The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download […]

Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs

04 Dec 2018

For the past 18 months, McAfee Labs has been investigating a pay-per-install developer, WakeNet AB, responsible for spreading prevalent adware such as Adware-Wajam and Linkury. This developer has been active for almost 20 years and recently has used increasingly deceptive techniques to convince users to execute its installers. Our report is now available online. During […]

McAfee Labs 2019 Threats Predictions Report

29 Nov 2018

Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

13 Nov 2018

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.

Triton Malware Spearheads Latest Attacks on Industrial Systems

08 Nov 2018

Malware that attacks industrial control systems (ICS), such as the Stuxnet campaign in 2010, is a serious threat. This class of cyber sabotage can spy on, disrupt, or destroy systems that manage large-scale industrial processes. An essential danger in this threat is that it moves from mere digital damage to risking human lives.

Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims

30 Oct 2018

Alexandr Solad and Daniel Hatheway of Recorded Future are coauthors of this post. Read Recorded Future’s version of this analysis. Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that […]

Android/TimpDoor Turns Mobile Devices Into Hidden Proxies

24 Oct 2018

The McAfee Mobile Research team recently found an active phishing campaign using text messages (SMS) that tricks users into downloading and installing a fake voice-message app which allows cybercriminals to use infected devices as network proxies without users’ knowledge. If the fake application is installed, a background service starts a Socks proxy that redirects all […]

‘Operation Oceansalt’ Delivers Wave After Wave

18 Oct 2018

In the latest findings from the McAfee Advanced Threat Research team, we examine an adversary that was not content with a single campaign, but launched five distinct waves adapted to their separate targets.

Ransomware GandCrab Version 5 Partners With Crypter Service for Obfuscation

10 Oct 2018

The GandCrab ransomware, which first appeared in January, has been updated rapidly during its short life, with Version 5.0.2 appearing this month. In this post we will examine the latest version and how the authors have improved the code (and in some cases have made mistakes). McAfee gateway and endpoint products are able to protect […]

When the Digital Impacts the Physical

09 Oct 2018

Cyberattacks have always been, well, cyber. Their immediate effects were on our data, our digital information, and our devices…until they weren’t. The interconnected nature of the world and the way it’s built in 2018 has brought us exciting and revolutionary innovations, but it has also been leveraged by hackers to extend the impact of a […]

‘McAfee Labs Threats Report’ Highlights Cryptojacking, Blockchain, Mobile Security Issues

25 Sep 2018

As we look over some of the key issues from the newly released McAfee Labs Threats Report, we read terms such as voice assistant, blockchain, billing fraud, and cryptojacking.

Cyber Threat Alliance Releases Analysis of Illicit Cryptocurrency Mining

19 Sep 2018

In response to the explosive increase in cryptomining campaigns in Q4 2017, the Cyber Threat Alliance has formed a cryptomining subcommittee to assess the threat.

Political Figures Differ Online: Names of Trump, Obama, Merkel Attached to Ransomware Campaigns

18 Sep 2018

Politics and ransomware. No, it’s not a lost single from the Oasis back catalogue, but in fact a relatively recent tactic by ransomware developers looking to exploit the profiles of major politicians to install ransomware on victims’ computers. Donald Trump, Angela Merkel, and now Barack Obama all serve as lures for the unsuspecting. Despite its […]

McAfee Opens State-of-the-Art Security Research Lab in Oregon

22 Aug 2018

Today we are pleased to announce the grand opening of our dedicated research lab in the Hillsboro, Oregon, office near Portland.

‘Insight’ into Home Automation Reveals Vulnerability in Simple IoT Product

21 Aug 2018

Eoin Carroll, Charles McFarland, Kevin McGrath, and Mark Bereza contributed to this report.  The Internet of Things promises to make our lives easier. Want to remotely turn lights and appliances on and off and monitor them online? A “smart plug,” a Wi-Fi–connected electric outlet, is one simple method. But IoT devices can turn into attack […]

McAfee ePO Platform Gains Insight Into Threat Research

14 Aug 2018

The latest update to the McAfee® ePolicy Orchestrator® platform offers a new add-in to provide insight into the latest analysis carried out by McAfee Labs and the Advanced Threat Research team.

Microsoft Cortana Allows Browser Navigation Without Login: CVE-2018-8253

14 Aug 2018

A locked Windows 10 device with Cortana enabled on the lock screen allows an attacker with physical access to the device to do two kinds of unauthorized browsing.

80 to 0 in Under 5 Seconds: Falsifying a Medical Patient’s Vitals

12 Aug 2018

[Image: Telemedicine visit]

With the explosion of growth in technology and its influence on our lives, we have become increasingly dependent on it. The medical field is no exception: Medical professionals trust technology to provide them with accurate information and base life-changing decisions on this data.

Examining Code Reuse Reveals Undiscovered Links Among North Korea’s Malware Families

09 Aug 2018

Attacks from the online groups Lazarus, Silent Chollima, Group 123, Hidden Cobra, DarkSeoul, Blockbuster, Operation Troy, and 10 Days of Rain are believed to have come from North Korea. But how can we know with certainty?

GandCrab Ransomware Puts the Pinch on Victims

31 Jul 2018

Update: On August 9 we added our analysis of Versions 4.2.1 and 4.3. The GandCrab ransomware first appeared in January and has been updated rapidly during its short life. It is the leading ransomware threat. The McAfee Advanced Threat Research team has reverse engineered Versions 4.0 through 4.3 of the malware. The first versions (1.0 […]

CactusTorch Fileless Threat Abuses .NET to Infect Victims

26 Jul 2018

McAfee Labs has noticed a significant shift by some actors toward using trusted Windows executables, rather than external malware, to attack systems. One of the most popular techniques is a “fileless” attack. Because these attacks are launched through reputable executables, they are hard to detect. Both consumers and corporate users can fall victim to this […]

What Drives a Ransomware Criminal? CoinVault Developers Convicted

13 Jul 2018

How often do we get a chance to learn what goes on in the minds of cybercriminals? Two members of McAfee’s Advanced Threat Research team recently did, as they attended a court case against two cybercriminal brothers. The brothers, Dennis and Melvin, faced a judge in Rotterdam, in the Netherlands. This case was one of […]

Google Play Users Risk a Yellow Card With Android/FoulGoal.A

12 Jul 2018

This blog post was co-written by Irfan Asrar. English soccer fans have enthusiastically enjoyed the team’s current run in the World Cup, as the tune “Three Lions” plays in their heads, while hoping to end 52 years of hurt. Meanwhile a recent spyware campaign distributed on Google Play has hurt fans of the beautiful game […]

Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

11 Jul 2018

While researching underground hacker marketplaces, the McAfee Advanced Threat Research team has discovered that access linked to security and building automation systems of a major international airport could be bought for only US$10.

Cybercrime in the Spotlight: How Crooks Capitalize on Cultural Events

03 Jul 2018

Every four years, everyone’s head around the globe turns toward the television. The Olympics, the World Cup – world events like these have all eyes viewing friendly competition between nations. Operating under such a big spotlight, these events have been heavily guarded by physical security to ensure no participants or attendees are harmed. But what about […]

AsiaHitGroup Returns With New Billing-Fraud Campaign

28 Jun 2018

Are you tired yet of the music track “Despacito”? If you downloaded this ringtone app from Google Play, chances are your answer is a resounding Yes. But it gets worse: The McAfee Mobile Research team recently found 15 apps on Google Play that were uploaded by the AsiaHitGroup Gang. The ringtone app was one of […]

AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

28 Jun 2018

The McAfee Mobile Research team has found a new billing-fraud campaign of at least 15 apps published in 2018 on Google Play. Toll fraud (which includes WAP billing fraud) is a leading category of potentially harmful apps on Google Play, according to the report Android Security 2017 Year in Review. This new campaign demonstrates that […]

‘McAfee Labs Threats Report’ Spotlights Innovative Attack Techniques, Cryptocurrency Mining, Multisector Attacks

27 Jun 2018

In the McAfee Labs Threats Report June 2018, published today, we share investigative research and threat statistics gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q1 of this year.
