SANS

domain_stats.py a web api for SEIM phishing hunts , (Tue, Jan 17th)

17 Jan 2017

Last year, over the Thanksgiving break, Justin Henderson and I worked ona tool to provide a web A ...

ISC Stormcast For Tuesday, January 17th 2017 https://isc.sans.edu/podcastdetail.html?id=5333, (Mon, Jan 16th)

16 Jan 2017

...

Whitelisting File Extensions in Apache, (Sun, Jan 15th)

16 Jan 2017

Last week, Xavier published a great Old posts >>

ISC Stormcast For Monday, January 16th 2017 https://isc.sans.edu/podcastdetail.html?id=5331, (Sun, Jan 15th)

15 Jan 2017

...

Backup Files Are Good but Can Be Evil, (Sat, Jan 14th)

14 Jan 2017

Since we started to work with computers, we always heard the following advice: Make backups!. Eve ...

Who's Attacking Me?, (Fri, Jan 13th)

13 Jan 2017

I started to play with a nice reconnaissance tool that could be helpful in many cases - offensive ...

ISC Stormcast For Friday, January 13th 2017 https://isc.sans.edu/podcastdetail.html?id=5329, (Fri, Jan 13th)

13 Jan 2017

...

System Resource Utilization Monitor, (Thu, Jan 12th)

12 Jan 2017

The attackers have come and gone and youare left behind to clean up the mess. You arrive on site ...

ISC Stormcast For Thursday, January 12th 2017 https://isc.sans.edu/podcastdetail.html?id=5327, (Thu, Jan 12th)

12 Jan 2017

...

Some tools updates, (Thu, Jan 12th)

12 Jan 2017

A coupleof tools were updated and release today.

Network Miner was updated ...


Sophos

Advice to Donald Trump: think before you tweet

17 Jan 2017

The president-elect is famous for his unbridled approach to Twitter - but how much of a security risk are his tweets?

News in brief: Snowden supporters petition Obama; iOS Onion browser now free; bank bans WhatsApp

16 Jan 2017

Your round-up of some of the other stories in the news today

Ukraine power outages ‘the work of cyberattackers’, warn experts

16 Jan 2017

Observers raise fears that attackers are using Ukraine as a 'playground' before raising the stakes

Spora ransomware goes freemium with four different payment options

16 Jan 2017

The Spora ransomware will unscramble two files for free, some files for $30, all files for $120 and provide "immunity' for $50.

WhatsApp ‘backdoor’ turns out to be known design feature

16 Jan 2017

Maker of WhatsApp's protocol moves to reassure users by clarifying how key pairs work

Trump picks hackable Rudy Giuliani as cybersecurity advisor

16 Jan 2017

Former NYC mayor's corporate websites taken down after experts pointed out security flaws

Obama administration signs off on wider data-sharing for NSA

16 Jan 2017

Activists fear move could threaten the privacy of Americans, but others point out it could limit Trump's ability to make things worse

Monday review – the hot 27 stories of the week

16 Jan 2017

From Amazon phishing scams and the bank email slip-up that leaked 60,000 account details to the Mongo DB databases held to ransom, and more!

Old posts >>

News in brief: new browser launched; social network closes down; cyberattack on health provider

13 Jan 2017

Your daily round-up of some of the other stories in the news

Tor users at risk of being unmasked by ultrasound tracking

13 Jan 2017

Researcher demonstrates how sound outside human hearing could be used by law enforcement - or by more sinister actors


TrendMicro

Practical Android Debugging Via KGDB

16 Jan 2017

Kernel debugging gives security researchers a tool to monitor and control a device under analysis. On desktop platforms such as Windows, macOS, and Linux, this is easy to perform. However, it is more difficult to do kernel debugging on Android devices such as the Google Nexus 6P . In this post, I describe a method to perform kernel debugging on the Nexus 6P and the Google Pixel, without the need for any specialized hardware.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Practical Android Debugging Via KGDB

Old posts >>

How Cyber Propaganda Influenced Politics in 2016

12 Jan 2017

Throughout history, politically motivated threat actors have been interested in changing the public opinion to reach their goals. In recent years the popularity of the Internet gave these threat actors new tools. Not only do they make use of social media to spin the news, spread rumors and fake news, but they also actively hack into political organizations.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

How Cyber Propaganda Influenced Politics in 2016

CTO Insights: The General Data Protection Regulation (GDPR) Is Coming, What Now?

12 Jan 2017

Based on the incidents we saw in 2016, I recommend that organizations enter 2017 with caution. From the growth of Business Email Compromise (BEC) attacks to cybercriminals using more effective ways to exploit Internet of Things (IoT) devices, these security issues should serve as a reminder for businesses and individuals to be more vigilant. One of the most pressing matters that a lot of organizations need to pay attention to, however, is the forthcoming General Data Protection Regulation (GDPR). The new set of rules is designed to harmonize data protection across all EU member states and bring in a number of key components that will directly impact businesses—even businesses outside Europe.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

CTO Insights: The General Data Protection Regulation (GDPR) Is Coming, What Now?

The Eye of the Storm: A Look at EyePyramid, the Malware Supposedly Used in High-Profile Hacks in Italy

12 Jan 2017

Two Italian citizens were arrested last Tuesday by Italian authorities (in cooperation with the FBI) for exfiltrating sensitive data from high-profile Italian targets. Private and public Italian citizens, including those holding key positions in the state, were the subject of an effective spear-phishing campaign that reportedly served a malware, codenamed EyePyramid, as a malicious attachment. This malware has been used to successfully exfiltrate over 87 gigabytes worth of data including usernames, passwords, browsing data, and filesystem content.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

The Eye of the Storm: A Look at EyePyramid, the Malware Supposedly Used in High-Profile Hacks in Italy

Patch Tuesday of January 2017: Microsoft Releases Four Bulletins, One Rated Critical

11 Jan 2017

Microsoft begins its monthly set of bulletins for 2017 with relatively few bulletins released in January. Four security bulletins make up this month’s Patch Tuesday—one of which is rated Critical to address vulnerabilities seen in Adobe Flash Player while the other three are tagged as Important to patch vulnerabilities in Microsoft Office, Edge, and the Local Security Authority Subsystem Service (LSASS).

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Patch Tuesday of January 2017: Microsoft Releases Four Bulletins, One Rated Critical

Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game

30 Dec 2016

In early December, GoldenEye ransomware  (detected by Trend Micro as RANSOM_GOLDENEYE.A) was observed targeting German-speaking users—particularly those belonging to the human resource department. GoldenEye, a relabeled version of the Petya (RANSOM_PETYA) and Mischa (RANSOM_MISCHA) ransomware combo, not only kept to the James Bond theme of its earlier iteration, but also its attack vector.

Given ransomware’s likely outlook to reach a plateau, persistence in the threat landscape and diversification of target victims are the names of the game. GoldenEye exemplifies bad guys trying to gain scale, leverage, and profit with rehashed malware.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Recent Spam Runs in Germany Show How Threats Intend to Stay in the Game

Updated Sundown Exploit Kit Uses Steganography

29 Dec 2016

This year has seen a big shift in the exploit kit landscape, with many of the bigger players unexpectedly dropping out of action. The Nuclear exploit kit operations started dwindling in May, Angler disappeared around the same time Russia’s Federal Security Service made nearly 50 arrests last June, and then in September Neutrino reportedly went private and shifted focus to select clientele only. Now, the most prominent exploit kits in circulation are RIG and Sundown. Both gained prominence shortly after Neutrino dropped out of active circulation.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Updated Sundown Exploit Kit Uses Steganography

Alice: A Lightweight, Compact, No-Nonsense ATM Malware

20 Dec 2016

Trend Micro has discovered a new family of ATM malware called Alice, which is the most stripped down ATM malware family we have ever encountered. Unlike other ATM malware families, Alice cannot be controlled via the numeric pad of ATMs; neither does it have information stealing features. It is meant solely to empty the safe of ATMs. We detect this new malware family as BKDR_ALICE.A.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Alice: A Lightweight, Compact, No-Nonsense ATM Malware

Fake Apps Take Advantage of Super Mario Run Release

20 Dec 2016

Earlier this year, we talked about how cybercriminals took advantage of the popularity of Pokemon Go to launch their own malicious apps. As 2016 comes to a close, we observe the same thing happening to another of Nintendo's game properties: Super Mario.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Fake Apps Take Advantage of Super Mario Run Release

Mobile Ransomware: How to Protect Against It

15 Dec 2016

In our previous post, we looked at how malware can lock devices, as well as the scare tactics used to convince victims to pay the ransom. Now that we know what bad guys can do, we'll discuss the detection and mitigation techniques that security vendors can use to stop them. By sharing these details with other researchers, we hope to improve the industry's collective knowledge on mobile ransomware mitigation.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Mobile Ransomware: How to Protect Against It


Kaspersky

Old posts >>

The “EyePyramid” attacks

12 Jan 2017

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named "EyePyramid" to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

Holiday 2016 financial cyberthreats overview

11 Jan 2017

Last November we conducted a brief analysis of the threat landscape over the holiday period – from October to December in 2014 and 2015. And we made the following prognosis: the same holiday period in 2016 will see a spike in cyberattacks. Now that the holidays are over, it is time to find out how accurate that prediction was.

How to hunt for rare malware

09 Jan 2017

At SAS 2017, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide Yara training for incident response specialists and malware researchers, who need an effective arsenal for finding malware.

Update from the chaos – 33c3 in Hamburg

29 Dec 2016

Every year, the Chaos Communication Congress summons hackers from around the globe, this time again in Hamburg. The four days between Christmas and New year are packed with talks, workshops and events all over the location at the CCH.

One-stop-shop: Server steals data then offers it for sale

29 Dec 2016

While intercepting traffic from a number of infected machines that showed signs of Remote Admin Tool malware known as HawkEye, we stumbled upon an interesting domain. It was registered to a command and control server (C2) which held stolen keylog data from HawkEye RAT victims, but was also being used as a one-stop-shop for purchasing hacking goods.

Switcher: Android joins the ‘attack-the-router’ club

28 Dec 2016

Recently, in our never-ending quest to protect the world from malware, we found a misbehaving Android trojan. Although malware targeting the Android OS stopped being a novelty quite some time ago, this trojan is quite unique. Instead of attacking a user, it attacks the Wi-Fi network the user is connected to, or, to be precise, the wireless router that serves the network.

Is Mirai Really as Black as It’s Being Painted?

22 Dec 2016

The Mirai botnet, which is made up of IoT devices and which was involved in DDoS attacks whose scale broke all possible records, has been extensively covered by the mass media. Given that the botnet's source code has been made publicly available and that the Internet of Things trend is on the rise, no decline in IoT botnet activity should be expected in the near future.

Notes from HITCON Pacific 2016

20 Dec 2016

Hacks in Taiwan Conference (HITCON) Pacific 2016 was held in Taipei city, Taiwan from the 27th of November to the 3rd of December this year. The concept of this event is about "The Fifth Domain: Cyber | Homeland Security".

The banker that encrypted files

19 Dec 2016

Many mobile bankers can block a device in order to extort money from its user. But we have discovered a modification of the mobile banking Trojan Trojan-Banker.AndroidOS.Faketoken that went even further – it can encrypt user data. In addition to that, this modification is attacking more than 2,000 financial apps around the world.

Kaspersky Security Bulletin 2016. Review of the year. Overall statistics for 2016

14 Dec 2016

2016 was a tense and turbulent year in cyberspace – from the massive IoT botnets and ransomware to targeted cyberespionage attacks, financial theft, ‘hacktivism’ and more. Kaspersky Lab’s Review of the Year and Statistics provide a detailed review – you can read the Executive Summary here.


ThreatPost

White House Approves New Rules for Sharing of Raw Intelligence Data

16 Jan 2017

New rules signed by the president last week change the way the NSA is able to share raw intelligence data with other intelligence community agencies.

Old posts >>

WhatsApp Says ‘Backdoor’ Claim Bogus

13 Jan 2017

Claims of a security hole in WhatsApp’s messenger app were shot down by WhatsApp, which called the allegations false.

Google’s Key Transparency Simplifies Public Key Lookups

13 Jan 2017

Google has taken a big step toward simplifying public key lookups at Internet scale with the release to open source on Thursday of Key Transparency.

Threatpost News Wrap, January 13, 2017

13 Jan 2017

The news of the week is discussed, including the ShadowBrokers' farewell, GoDaddy's buggy domain validation issue, MongoDB ransoms, and the latest with St. Jude Medical.

Marie Moe on Medical Device Security

12 Jan 2017

Mike Mimoso talks to Marie Moe, a research scientist at SINTEF of Norway, about her personal and emotional connection to medical device security.

ShadowBrokers Bid Farewell, Close Doors

12 Jan 2017

The ShadowBrokers today ended their operations, saying they would no longer leak Equation Group exploits.

WordPress 4.7.1 Fixes CSRF, XSS, PHPMailer Vulnerabilities

12 Jan 2017

A new WordPress update, pushed this week, resolves eight security issues, including a handful of XSS and CSRF bugs.

Buggy Domain Validation Forces GoDaddy to Revoke Certs

11 Jan 2017

A bug in GoDaddy's domain validation process forced the registrar to revoke SSL certificates and reissue certs for more than 6,000 customers.

Cloudflare Shares National Security Letter It Received in 2013

11 Jan 2017

Cloudflare on Tuesday was finally able to post a National Security Letter it received from the FBI back in 2013.

ShadowBrokers Selling Windows Exploits, Attack Tools

11 Jan 2017

The ShadowBrokers are selling a cache of Windows exploits and attack tools for 750 Bitcoin.


Symantec

Old posts >>

Microsoft Patch Tuesday – January 2017

10 Jan 2017

This month the vendor has released four bulletins, one of which is rated Critical.

Read More

Airport boarding gate display leaks booking codes, puts passenger data at risk

10 Jan 2017

Attackers could gain full control over passenger bookings, cancel flights, and steal sensitive information with leaked booking codes.

Read More

Latest Intelligence for December 2016

06 Jan 2017

The number of web attacks blocked per day were up by almost 100,000, and Symantec helps law enforcement crack down on cybercrime.

Read More

Bayrob: Three suspects extradited to face charges in US

16 Dec 2016

Symantec’s assistance paves way for long-running FBI investigation into gang that stole up to $35 million from victims.

Read More

Latest Intelligence for November 2016

14 Dec 2016

Email malware nearly doubles to one in 85 emails and spam rate rises for third month in a row.

Read More

Microsoft Patch Tuesday – December 2016

13 Dec 2016

This month the vendor is releasing 12 bulletins, six of which are rated Critical.

Read More

PowerShell threats surge: 95.4 percent of analyzed scripts were malicious

08 Dec 2016

Symantec analyzed 111 threat families that use PowerShell, finding that they leverage the framework to download payloads and traverse through networks.

Read More

Avalanche malware network hit with law enforcement takedown

01 Dec 2016

Symantec plays part in takedown of the Avalanche malware-hosting network.

Read More

Shamoon: Back from the dead and destructive as ever

30 Nov 2016

Malware hit targets in Saudi Arabia and was configured to wipe disks on November 17.

Read More

Mirai: New wave of IoT botnet attacks hits Germany

29 Nov 2016

New variant of malware used in attacks that knocked 900,000 home internet users offline.

Read More

Gatak: Healthcare organizations in the crosshairs

21 Nov 2016

Mysterious threat group infects organizations using malicious key generators for pirated software.

Read More

Android banking malware whitelists itself to stay connected with attackers

17 Nov 2016

New Android.Fakebank.B variants use social engineering to bypass a battery-saving process and stay active in the background.

Read More

Latest Intelligence for October 2016

10 Nov 2016

Number of new malware variants rises to over 96 million and global spam hits highest rate in nearly a year.

Read More

New BEC scams seek to build trust first, request wire transfer later

09 Nov 2016

Business email compromise scammers have gradually changed their tactics to improve their scam success rate.

Read More

Microsoft Patch Tuesday – November 2016

08 Nov 2016

This month the vendor is releasing 14 bulletins, six of which are rated Critical.

Read More

Mirai: what you need to know about the botnet behind recent major DDoS attacks

27 Oct 2016

Botnet has grown by exploiting weak security on a range of IoT devices.

Read More

Android ransomware gets around auto-start restrictions by pretending to be a launcher

27 Oct 2016

The latest Android.Lockscreen variants declare their activity as part of the launcher category to get around Android's security restrictions.

Read More

Flash Player zero-day being exploited in targeted attacks

27 Oct 2016

Adobe patches vulnerability (CVE-2016-7855) which was being used in a limited number of targeted attacks.

Read More

Tech support scams increasing in complexity

26 Oct 2016

Tech support scammers have begun using code obfuscation to avoid detection.

Read More

Attackers use Discord VoIP chat servers to host NanoCore, njRAT, SpyRAT

20 Oct 2016

Malicious actors are abusing a free VoIP service for gamers to distribute remote access Trojans, as well as infostealers and downloaders.

Read More


F-Secure

Noun: Sockpuppet

16 Jan 2017

An Internet sockpuppet, according to Google, is “a false online identity, typically created by a person or group in order to promote their own opinions or views.” Sockpuppets are nothing particularly new… they go back as far as USENET. But it feels that recently, sockpuppetry has reached new heights. Twitter is an easy place to […]

Old posts >>

F-Secure Vulnerability Reward Program Update

10 Jan 2017

A message from Calvin, a security vulnerability expert and member of our Anti-Malware Unit. The AMU team has a customer care/support focus. Happy New Year to all you readers out there! A year has passed since we launched our F-Secure Vulnerability Reward Program (bug bounty) and time really flies. Here’s a snapshot of what we’ve […]

What’s The Deal With Digital Forensics, Incident Response, And Attribution?

21 Dec 2016

After several high-profile cyber attacks made big news headlines this year, it’s become evident to me, through online commentary, that there’s some confusion in the public space about how incident response services are utilized, how attribution is performed, and how law enforcement’s role fits into cyber crime investigations. I’m hoping this article helps to clear […]

On Botting, Cheating, And DDoSers

07 Dec 2016

On November 10th 2016 Blizzard enacted a “ban wave” on thousands of World of Warcraft accounts for “botting”, a term widely used to describe using third party programs to automate gameplay. Technically it wasn’t a “ban wave” – the accounts in question received between 6 and 24 month suspensions based on how often they’d been […]

A Joint Centre To Combat Hybrid Warfare Threats

24 Nov 2016

Helsinki will host a new centre focused on curbing the growing threat of hybrid warfare according to recent reports. Disinformation and fake news is considered “hybrid warfare” in this context. The proposed annual budget is reportedly estimated at two million euros. I think… they’re gonna need a bigger boat. Fighting against hybrid warfare disinformation will […]

Yahoo! Voice Call 2FA Fail

17 Nov 2016

Netflix recently fixed an account takeover vulnerability involving automated phone calls and caller ID spoofing. The issue? An attacker could use Netflix’s “forgot email/password” feature to reset an account’s password by directing the reset code to a voice call. In order to force the code to voice mail, the attacker would need to call the […]

What’s The Deal With “Next Gen”?

16 Nov 2016

We’re frequently asked about “Next Gen” antivirus companies, which is not surprising. They’ve been making a lot of noise and bold claims during the last couple of years (so, basically, since they were founded). So let’s take a look at what they’re all about. Coopetition in the AV industry But before getting into what “Next […]

A RAT For The US Presidential Elections

10 Nov 2016

A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message […]

How To Vet URL Shorteners #2016CampaignEdition

31 Oct 2016

John Podesta, the Chairman of Hillary Clinton’s 2016 presidential campaign, allowed his Gmail account to be compromised in March 2016. And as a consequence, his correspondence has been in the news throughout the month of October. Recently, the March 2016 phishing message itself was published. Do you notice anything odd about the message? The very […]

CSS Disclosure: tar Extract Pathname Bypass

27 Oct 2016

T2’16 Infosec Conference kicked off this morning in Helsinki. And to celebrate this, F-Secure CSS security consultant Harry Sintonen has a vulnerability disclosure to publish. See below for more info. tar Extract Pathname Bypass Full Disclosure: POINTYFEATHER / tar Extract Pathname Bypass (CVE-2016-6321) Tagged: CSS, Disclosure, Kyb3r, tar, Vulnerability

Hacking An Election Is Hard. Why Not Pwn The Messenger Instead?

26 Oct 2016

Election day USA, November 8th, is nigh. US elections (during a presidential election year) are a massive affair comprising federal, state, and local candidates for all sorts of elected positions: president, governors, senators, representatives, judges, state and county commissioners, et cetera. They are organized and run at the county level. There are 3,144 counties and […]

Fun With Internet Metadata (AKA The Deep Web)

21 Oct 2016

Our Cyber Security Services (CSS) division spend a fair amount of time working with companies on threat assessments. They’ve been doing this stuff for several years, and during that time, they developed some useful tools to make their jobs easier. One of those tools is Riddler. It’s a web crawler that makes Internet metadata available via […]

What’s The Deal With Non-Signature-Based Anti-Malware Solutions?

17 Oct 2016

Gartner recently published an insightful report entitled “The Real Value of a Non-Signature-Based Anti-Malware Solution to Your Organization”. In this report, it discusses the ways in which non-signature technologies can be used to augment an organization’s endpoint protection strategy. Let’s take a look at how Gartner has defined non-signature malware detection solutions. Here’s a clip directly […]

Definitely Not Cerber

20 Sep 2016

At the beginning of last week we noticed a spam campaign delivering a double zipped JScript file. The campaign started on September 8th. The email had the subject line of “RE: [name of recipient]” with an empty body, and an attached zip file named “[recipient name][a-z]{4}.zip”. The characteristics of the mail, naming of the attached item, […]

Seriously, Put Away The Foil

15 Sep 2016

I was scanning the headlines this morning, as I do, and came across this article by YLE Uutiset (News). — “Finnish police: Keep your car keys in the fridge” From YLE’s article: “These so-called smart keys work by emitting a signal when the driver touches the door handle. The lock opens when it recognises the […]

0ld 5ch00l MBR Malware

07 Sep 2016

I recently installed Audacity, an open source audio editor… And while verifying the current version to download, I came across an interesting security notification. Before I read the details, I fully expected to discover yet another case of some crypto-ransomware group hijacking and trojanizing an application installer. But not so! Audacity’s download partner was infiltrated […]

What’s The Deal With Machine Learning?

26 Aug 2016

We’ve recently received quite a few questions regarding the use of machine learning techniques in cyber security. I figured it was time for a blog post. Interestingly, while I was writing this post, we got asked even more questions, so the timing couldn’t be better. It seems that there are quite a few companies out […]

Coming Soon: iOS 10

19 Aug 2016

I’ve been testing iOS 10 Beta for several weeks (on a secondary iPad mini 2 of mine) and so far, so good. I’m enjoying Swift Playgrounds and looking forward to the final release. Most of the changes I’ve noticed have been surface (i.e., UI) changes. But today I read an interesting blog post by @nabla_c0d3, […]

Got Ransomware? Negotiate

10 Aug 2016

ICYMI: we recently published a customer service study of various crypto-ransomware families. Communication being a crucial element of ransomware schemes, we decided to put it to a comparative test. The biggest takeaway? If you find yourself compromised – negotiate. You have little to lose, the majority of extortionists appear to be willing work with their […]

NanHaiShu: RATing the South China Sea

04 Aug 2016

Since last year, we have been following a threat that we refer to as NanHaiShu, which is a Remote Access Trojan. The threat actors behind this malware target government and private-sector organizations that were directly or indirectly involved in the international territorial dispute centering on the South China Sea. Hence, the name nán hǎi shǔ […]