SANS

Track naughty and nice binaries with Google Santa, (Wed, May 23rd)

23 May 2018

Santa is a binary whitelisting or blacklisting daemon that has been developed by the Google Macintosh Operations Team (its largest contributor is Russell Hancox) for over 4 years now (it is not an official Google product). Google uses Santa internally to protect and monitor its macOS machines; it is called Santa because it keeps track of binaries that are naughty or nice.

Malware Distributed via .slk Files, (Tue, May 22nd)

22 May 2018

Attackers are always trying to find new ways to infect computers by fooling not only potential victims but also security controls like anti-virus products. Do you know what SYLK files are? SYmbolic LinK files (they use the .slk extension) are Microsoft files used to exchange data between applications, specifically spreadsheets[1]. In Windows environments, they are represented with an icon similar to Excel's:

VMware Workstation and Fusion updates address signature bypass and multiple denial-of-service vulnerabilities https://www.vmware.com/security/advisories/VMSA-2018-0013.html, (Tue, May 22nd)

22 May 2018

Xavier Mertens (@xme)

VMware updates enable Hypervisor-Assisted Guest Mitigations for Speculative Store Bypass issue - https://www.vmware.com/security/advisories/VMSA-2018-0012.html, (Tue, May 22nd)

22 May 2018

Something Wicked this way comes, (Mon, May 21st)

21 May 2018

The latest Mirai-based botnet is Wicked. Unlike previous Mirai variants and siblings, which compromised IoT devices through default credentials or by brute-forcing credentials, Wicked is targeting vulnerabilities contained in certain IoT devices.


Sophos

2 million stolen identities used to make fake net neutrality comments

24 May 2018

Most crucially, two of those identities were senators who are now demanding the FCC find out who's behind the bots and the identity theft.

Office 365 will automatically block Flash and Silverlight

24 May 2018

If you are one of the small number of Office 365 users who enjoyed embedding Flash, Shockwave or Silverlight content inside files, time is about to run out on your unusual pastime.

FBI admits to inflating number of crime-related devices it can’t crack

24 May 2018

Investigators can't get into 7,775 devices? Nah, the FBI admits: it's more like 1,200... or 2000... pending an audit, it's not really sure.

VPNFilter router malware – what to do? [VIDEO]

24 May 2018

Learn how to deal with the VPNFilter malware currently plaguing 500,000 home routers worldwide.

VPNFilter – is a malware timebomb lurking on your router?

23 May 2018

A Cisco paper reports on zombie malware that has apparently infected more than 500,000 home routers.

Surprise! Student receives $36,000 Google bug bounty for RCE flaw

23 May 2018

What's the only thing better than a bug bounty reward? A bug bounty reward you weren't expecting. Especially one that's worth $36,337.

Google in court over ‘clandestine tracking’ of 4.4m iPhone users

23 May 2018

The search giant could be looking at a giant fine of up to $4.3b.

Server? What server? Site forgotten for 12 years attracts hacks, fines

22 May 2018

The University of Greenwich might not have noticed the website but hackers did.

TeenSafe phone monitoring app leaks teens’ iCloud logins in plaintext

22 May 2018

The "secure" monitoring app is used by over a million parents.

Please vote for Naked Security at the European Blogger Awards 2018!

22 May 2018

We've been nominated in 8 categories at the European Blogger Awards 2018... but we need your help to win!


TrendMicro

Malicious Edge and Chrome Extension Used to Deliver Backdoor

24 May 2018

We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions' source. It appears they are working on a new malware that — based on how they were coded — is most likely intended to spread through spam emails embedded with malicious attachments.

The downloader malware's payload is what makes it notable. It delivers a version of the Revisit remote administration tool, which is used to hijack the infected system. More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.

Confucius Update: New Tools and Techniques, Further Connections with Patchwork

23 May 2018

We look into the latest tools and techniques used by Confucius, as the threat actor seems to have a new modus operandi, setting up two new websites and new payloads with which to compromise its targets.

GPON Vulnerabilities Exploited for Mexico-based Mirai-like Scanning Activities

21 May 2018

We recently found similar Mirai-like scanning activity from Mexico with some being done via the exploitation of CVE-2018-10561 and CVE-2018-10562, two vulnerabilities that are specific to Gigabit Passive Optical Network (GPON)-based home routers.

Operators of Counter Antivirus Service Scan4You Convicted

16 May 2018

In May 2017, one of the biggest facilitators of cybercrime, Scan4You, went offline after the two main suspects, Ruslans Bondars and Jurijs Martisevs, were arrested in Latvia and extradited to the U.S. by the Federal Bureau of Investigation (FBI). In May 2018, the case against the Scan4You’s operators concluded in a Virginia federal courtroom.

The Trend Micro Forward-Looking Threat Research (FTR) team started to look into Scan4You's operations in 2012, and have been in close contact with FBI investigators assigned to the case since 2014. Our research on Scan4You spanned more than five years, passing some of our findings to the FBI until the service went offline.

Malicious Traffic in Port 7001 Surges as Cryptominers Target Patched 2017 Oracle WebLogic Vulnerability

11 May 2018

We observed a large spike in the number of devices scanning the internet for port 7001/TCP since April 27, 2018. Our analysis found that this increased activity was caused by cybercriminals engaging in cryptomining by exploiting CVE-2017-10271. The flaw is a patched Oracle WebLogic WLS-WSAT vulnerability that can allow remote attackers to execute arbitrary code on unpatched servers. This marks the second time attackers have abused CVE-2017-10271 for cryptomining purposes this year. In February, the vulnerability was exploited to deliver 64-bit and 32-bit variants of an XMRig Monero miner.

New Phishing Scam uses AES Encryption and Goes After Apple IDs

10 May 2018

by Jindrich Karasek

Recent data breaches and privacy scares, along with the upcoming General Data Protection Regulation (GDPR) from the European Union, have triggered a change in the way companies handle their users’ data. As a result, many of them have been sending emails asking their users to update their profiles or proactively strengthen security....

Microsoft Patch Tuesday for May Includes Updates for Actively-Exploited Vulnerabilities

09 May 2018

For May 2018, Microsoft’s monthly release of security updates — also known as Patch Tuesday — addressed a number of vulnerabilities, most notably two vulnerabilities that were already actively exploited in attacks.

Maikspy Spyware Poses as Adult Game, Targets Windows and Android Users

08 May 2018

We discovered a malware family called Maikspy — a multi-platform spyware that can steal users’ private data. The spyware targets Windows and Android users, and first posed as an adult game named after a popular U.S.-based adult film actress. Maikspy, which is an alias that combines the name of the adult film actress and spyware, has been around since 2016.

Multiple Twitter handles were found promoting the Maikspy-carrying adult games and sharing the malicious domain via short links.

Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

02 May 2018

Crime follows the money, as the saying goes, and once again, cybercriminals have acted accordingly. The underground is flooded with so many offerings of cryptocurrency malware that it must be hard for the criminals themselves to determine which is best. This kind of malware, also known as cryptomalware, has a clear goal, which is to make money out of cryptocurrency transactions. This can be achieved through two different methods: stealing cryptocurrency and mining cryptocurrency on victims’ devices surreptitiously (without the victims noticing), a process also known as cryptojacking. In this post, we discuss how these two methods work, and see whether devices connected to the internet of things (IoT), which are relatively underpowered, are being targeted.

Legitimate Application AnyDesk Bundled with New Ransomware Variant

01 May 2018

We recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload.


Kaspersky

VPNFilter EXIF to C2 mechanism analysed

24 May 2018

Our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics. We’ve decided to look a bit into the C&C mechanism for the persistent malware payload.

Backdoors in D-Link’s backyard

23 May 2018

If you want to make the world safer, start with the smart things in your home. Or, to be more specific, start with your router – the core of any home network as well as an interesting research object. And that router you got from your ISP as part of your internet contract is even more interesting when it comes to research.

Spam and phishing in Q1 2018

23 May 2018

The quarter's main topic, one that we will likely return to many times this year, is personal data. It remains one of the most sought-after wares in the world of information technology for app and service developers, owners of various agencies, and, of course, cybercriminals. Unfortunately, many users still fail to grasp the need to protect their personal information and don’t pay attention to whom their data is transferred on social media, or how.

I know where your pet is

22 May 2018

It would seem that no gadget has escaped the attention of hackers, yet there is one last bastion: "smart" devices for animals. For example, trackers to monitor their location.

Roaming Mantis dabbles in mining and phishing multilingually

18 May 2018

In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East.

IT threat evolution Q1 2018. Statistics

14 May 2018

According to KSN, Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.

IT threat evolution Q1 2018

14 May 2018

In January, we uncovered a sophisticated mobile implant, Skygofree, that provides attackers with remote control of infected Android devices. The network worm OlympicDestroyer attacked the Olympic infrastructure just before the opening of the games in February.

OPC UA security analysis

10 May 2018

This article discusses our project that involved searching for vulnerabilities in implementations of the OPC UA protocol. We hope to draw the attention of vendors that develop software for industrial automation systems and the industrial IoT to problems associated with using such widely available technologies.

The King is dead. Long live the King!

09 May 2018

In late April 2018, a new zero-day vulnerability for Internet Explorer (IE) was found using our sandbox, more than two years after the last in-the-wild example (CVE-2016-0189). This particular vulnerability and the subsequent exploit are interesting for many reasons.

SynAck targeted ransomware uses the Doppelgänging technique

07 May 2018

In April 2018, we spotted the first ransomware employing the Process Doppelgänging technique – SynAck ransomware. It should be noted that SynAck is not new, but a recently discovered sample caught our attention after it was found to be using Process Doppelgänging. Here we present the results of our investigation of this new SynAck variant.


ThreatPost

What Will GDPR’s Impact Be On U.S. Consumer Privacy?

24 May 2018

GDPR may be going into effect Friday, but U.S. citizens have a ways to go before seeing similar privacy regulations from the U.S. government.

Intel’s ‘Virtual Fences’ Spectre Fix Won’t Protect Against Variant 4

24 May 2018

The new hardware-based protections Intel announced earlier in March it was embedding into new chips will only protect against Spectre and Meltdown – but not the newly disclosed Variant 4, sources said.

Amazon Comes Under Fire for Facial Recognition Platform

24 May 2018

Privacy advocates say facial recognition can be an agent of authoritarian surveillance; others say it's an invaluable tool to combat kidnapping, locate lost children and track down criminals on the run.

Schneider Electric Patches XXE Vulnerability In Software

23 May 2018

Schneider Electric on Tuesday issued fixes for a vulnerability in its SoMachine Basic software that could result in disclosure and retrieval of arbitrary data.

James Comey: FBI Faces Deep Tech-Related Questions

23 May 2018

Cloud migration and automated systems, data privacy and encryption all remain central issues for the FBI as it considers its mandate and role in the modern digital age.

Ahead of GDPR, Information Governance Comes into Its Own

23 May 2018

A full 98 percent of US enterprises have embarked on information governance (IG) projects, dramatically up from just 10 percent last year.

VPNFilter Malware Infects 500k Routers Including Linksys, MikroTik, NETGEAR

23 May 2018

Researchers warn of malware infecting 500,000 popular routers in a campaign mostly targeting the Ukraine, but also 54 other countries.

Researchers Say More Spectre-Related CPU Flaws On Horizon

22 May 2018

Yet another speculative execution side channel flaw has been disclosed in processors - and security experts warn that more may be out there.

Six Vulnerabilities Found in Dell EMC’s Disaster Recovery System, One Critical

22 May 2018

A pen-tester has found five vulnerabilities in Dell EMC RecoverPoint devices, including a critical RCE that could allow total system compromise.

Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords

22 May 2018

A bug in Comcast’s activation website for its Xfinity routers leaked sensitive customer data.


Symantec

Latest Intelligence for October 2017

10 Nov 2017

Symantec research shows users to be twice as likely to encounter threats through email as any other infection vector, and the spam rate declines slightly for the second month in a row.

Sowbug: Cyber espionage group targets South American and Southeast Asian governments

07 Nov 2017

Group uses custom Felismus malware and has a particular interest in South American foreign policy.

Ramnit worm: Still turning up in unlikely places

27 Oct 2017

Over 90 Ramnit-infected apps removed from Google Play.

BadRabbit: New strain of ransomware hits Russia and Ukraine

25 Oct 2017

BadRabbit is self-propagating and has many similarities to the June 2017 Petya / NotPetya outbreak.

Android malware on Google Play adds devices to botnet

18 Oct 2017

Symantec has found eight apps infected with the Sockbot malware on Google Play that can add compromised devices to a botnet and potentially perform DDoS attacks.

Necurs attackers now want to see your desktop

17 Oct 2017

The Necurs botnet is back again, this time spreading a downloader that takes screen grabs of victims’ desktops and reports encountered errors back to the attackers.

KRACKs: What you need to know about the new Wi-Fi encryption vulnerabilities

16 Oct 2017

Wi-Fi security under threat from newly discovered WPA2 vulnerabilities

Microsoft Patch Tuesday – October 2017

11 Oct 2017

This month the vendor has patched 62 vulnerabilities, 27 of which are rated Critical.

Latest Intelligence for September 2017

06 Oct 2017

September saw Symantec uncover new activity by the Dragonfly group, and the start of several new Locky spam campaigns.

Users encounter threats through email twice as often as other infection vectors

04 Oct 2017

The latest ISTR special report, Email Threats 2017, casts a light on a threat landscape where attackers are actively spreading malicious threats, BEC scams, and a variety of spam through email.

Latest Intelligence for August 2017

08 Sep 2017

August saw increases in the malware and spam rates, and new phishing warnings from the IRS

Dragonfly: Western energy sector targeted by sophisticated attack group

06 Sep 2017

Resurgence in energy sector attacks, with the potential for sabotage, linked to re-emergence of Dragonfly cyber espionage group

Businesses most at risk from new breed of ransomware

30 Aug 2017

The ransomware landscape has shifted dramatically in 2017 and organizations bore the brunt of the damage caused by new, self-propagating threats such as WannaCry and Petya.

Mobile malware factories: Android apps for creating ransomware

24 Aug 2017

Mobile ransomware can now be created automatically without the need to write code.

Microsoft Patch Tuesday – August 2017

09 Aug 2017

This month the vendor has patched 48 vulnerabilities, 26 of which are rated Critical.

Latest Intelligence for July 2017

04 Aug 2017

Email malware rate continues to increase and WannaCry, Petya inspire other threats to add self-spreading components.

Attackers are increasingly living off the land

12 Jul 2017

The use of fileless threats and dual-use tools by attackers is becoming more common.

Microsoft Patch Tuesday – July 2017

12 Jul 2017

This month the vendor has patched 54 vulnerabilities, 19 of which are rated Critical.

Latest Intelligence for June 2017

11 Jul 2017

The chaos causing Petya outbreak and an increase in phishing emails for the third month in a row.

Petya ransomware outbreak: Here’s what you need to know

27 Jun 2017

Petya ransomware impacting large organizations in multiple countries


F-Secure

Video: Creating Graph Visualizations With Gephi

24 May 2018

I wanted to create a how-to blog post about creating gephi visualizations, but I realized it’d probably need to include, like, a thousand embedded screenshots. So I made a video instead.

Pr0nbots2: Revenge Of The Pr0nbots

04 May 2018

A month and a half ago I posted an article in which I uncovered a series of Twitter accounts advertising adult dating (read: scam) websites. If you haven’t read it yet, I recommend taking a look at it before reading this article, since I’ll refer back to it occasionally. To start with, let’s recap. In my […]

Marketing “Dirty Tinder” On Twitter

16 Mar 2018

About a week ago, a Tweet I was mentioned in received a dozen or so “likes” over a very short time period (about two minutes). I happened to be on my computer at the time, and quickly took a look at the accounts that generated those likes. They all followed a similar pattern. Here’s an […]

How To Get Twitter Follower Data Using Python And Tweepy

27 Feb 2018

In January 2018, I wrote a couple of blog posts outlining some analysis I’d performed on followers of popular Finnish Twitter profiles. A few people asked that I share the tools used to perform that research. Today, I’ll share a tool similar to the one I used to conduct that research, and at the same […]

Improving Caching Strategies With SSICLOPS

26 Feb 2018

F-Secure development teams participate in a variety of academic and industrial collaboration projects. Recently, we’ve been actively involved in a project codenamed SSICLOPS. This project has been running for three years, and has been a joint collaboration between ten industry partners and academic entities. Here’s the official description of the project. “The Scalable and Secure […]

Searching Twitter With Twarc

16 Feb 2018

Twarc makes it really easy to search Twitter via the API. Simply create a twarc object using your own API keys and then pass your search query into twarc’s search() function to get a stream of Tweet objects. Remember that, by default, the Twitter API will only return results from the last 7 days. However, […]

NLP Analysis Of Tweets Using Word2Vec And T-SNE

30 Jan 2018

In the context of some of the Twitter research I’ve been doing, I decided to try out a few natural language processing (NLP) techniques. So far, word2vec has produced perhaps the most meaningful results. Wikipedia describes word2vec very precisely: “Word2vec takes as its input a large corpus of text and produces a vector space, typically of several […]

NLP Analysis And Visualizations Of #presidentinvaalit2018

30 Jan 2018

During the lead-up to the January 2018 Finnish presidential elections, I collected a dataset consisting of raw Tweets gathered from search words related to the election. I then performed a series of natural language processing experiments on this raw data. The methodology, including all the code used, can be found in an accompanying blog post. […]

How To Get Tweets From A Twitter Account Using Python And Tweepy

26 Jan 2018

In this blog post, I’ll explain how to obtain data from a specified Twitter account using tweepy and Python. Let’s jump straight into the code! As usual, we’ll start off by importing dependencies. I’ll use the datetime and Counter modules later on to do some simple analysis tasks. from tweepy import OAuthHandler from tweepy import […]

How To Get Streaming Data From Twitter

17 Jan 2018

I occasionally receive requests to share my Twitter analysis tools. After a few recent requests, it finally occurred to me that it would make sense to create a series of articles that describe how to use Python and the Twitter API to perform basic analytical tasks. Teach a man to fish, and all that. In […]

Further Analysis Of The Finnish Themed Twitter Botnet

12 Jan 2018

In a blog post I published yesterday, I detailed the methodology I have been using to discover “Finnish themed” Twitter accounts that are most likely being programmatically created. In my previous post, I called them “bots”, but for the sake of clarity, let’s refer to them as “suspicious accounts”. These suspicious accounts all follow a […]

Someone Is Building A Finnish-Themed Twitter Botnet

11 Jan 2018

Finland will hold a presidential election on the 28th January 2018. Campaigning just started, and candidates are being regularly interviewed by the press and on the TV. In a recent interview, one of the presidential candidates, Pekka Haavisto, mentioned that both his Twitter account, and the account of the current Finnish president, Sauli Niinistö had […]

Some Notes On Meltdown And Spectre

09 Jan 2018

The recently disclosed Meltdown and Spectre vulnerabilities can be viewed as privilege escalation attacks that allow an attacker to read data from memory locations that aren’t meant to be accessible. Neither of these vulnerabilities allow for code execution. However, exploits based on these vulnerabilities could allow an adversary to obtain sensitive information from memory (such […]

Don’t Let An Auto-Elevating Bot Spoil Your Christmas

18 Dec 2017

Ho ho ho! Christmas is coming, and for many people it’s time to do some online shopping. Authors of banking Trojans are well aware of this yearly phenomenon, so it shouldn’t come as a surprise that some of them have been hard at work preparing some nasty surprises for this shopping season. And that’s exactly […]

Necurs’ Business Is Booming In A New Partnership With Scarab Ransomware

23 Nov 2017

Necurs’ spam botnet business is doing well as it is seemingly acquiring new customers. The Necurs botnet is the biggest deliverer of spam with 5 to 6 million infected hosts online monthly, and is responsible for the biggest single malware spam campaigns. Its service model provides the whole infection chain: from spam emails with malicious […]

RickRolled by none other than IoTReaper

03 Nov 2017

IoT_Reaper overview

IoT_Reaper, or the Reaper for short, is a Linux bot targeting embedded devices like webcams and home router boxes. Reaper is somewhat loosely based on the Mirai source code, but instead of using a set of admin credentials, the Reaper tries to exploit device HTTP control interfaces. It uses a range of vulnerabilities […]

Facebook Phishing Targeted iOS and Android Users from Germany, Sweden and Finland

30 Oct 2017

Two weeks ago, a co-worker received a message in Facebook Messenger from his friend. Based on the message, it seemed that the sender was telling the recipient that he was part of a video in order to lure him into clicking it. The shortened link was initially redirecting to Youtube.com, but was later on changed […]

The big difference with Bad Rabbit

27 Oct 2017

Bad Rabbit is the new bunny on the ransomware scene. While the security community has concentrated mainly on the similarities between Bad Rabbit and EternalPetya, there’s one notable difference which has not yet gotten too much attention. The difference is that Bad Rabbit’s disk encryption works. EternalPetya re-used the custom disk encryption method from the […]

Following The Bad Rabbit

26 Oct 2017

On October 24th, media outlets reported on an outbreak of ransomware affecting various organizations in Eastern Europe, mainly in Russia and Ukraine. Identified as “Bad Rabbit”, initial reports about the ransomware drew comparisons with the WannaCry and NotPetya (EternalPetya) attacks from earlier this year. Though F-Secure hasn’t yet received any reports of infections from our […]

Twitter Forensics From The 2017 German Election

25 Sep 2017

Over the past month, I’ve pointed Twitter analytics scripts at a set of search terms relevant to the German elections in order to study trends and look for interference. Germans aren’t all that into Twitter. During European waking hours Tweets in German make up less than 0.5% of all Tweets published. Over the last month, […]


McAfee

VPNFilter Botnet Targets Networking Devices

23 May 2018

VPNFilter is a botnet with capabilities to support both intelligence collection and destructive cyberattack operations. The Cisco Talos team recently notified members of the Cyber Threat Alliance (CTA) of its findings and published this blog. The malware is believed to target networking devices, although the malware’s initial infection vector is still unclear. Talos, which first …

It’s a Zoo Out There! Data Analysis of Alleged ZooPark Dump

21 May 2018

In early May, researchers disclosed a Mobile malware campaign by a group focused on Middle Eastern targets. This actor was found to be an evolving and sophisticated group using fake Android apps, namely Telegram, to trick users into installing malicious software. They have been active since 2015 and evolved over several campaigns into 2018. On …

Malware on Google Play Targets North Korean Defectors

17 May 2018

Earlier this year, McAfee researchers predicted in the McAfee Mobile Threat Report that we expect the number of targeted attacks on mobile devices to increase due to their ubiquitous growth combined with the sophisticated tactics used by malware authors.

Syn/Ack Unique Proactive Protection Technique

11 May 2018

McAfee’s Advanced Threat Research team has performed analysis on samples of Syn/Ack ransomware implementing Process Doppelgänging. For those who are concerned about the potential impact of this ransomware but are currently unable to implement McAfee product protections, we have found a simple but interesting alternative method. Prior to encryption and ransom, the malware first checks …

McAfee Protects Against Doppelgänging Technique

11 May 2018

That adversaries adopt new techniques is a known fact. However, the speed at which they take up new, innovative techniques to bypass endpoint security and/or evade sandboxing appears to be ever increasing. Indeed, adversary adoption is often faster than the InfoSec industry can implement and test effective countermeasures. For example, in December 2017, a tool …

Global Malware Campaign Pilfers Data from Critical Infrastructure, Entertainment, Finance, Health Care, and Other Industries

25 Apr 2018

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. (For an extensive …

Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide

25 Apr 2018

McAfee Advanced Threat Research analysts have uncovered a global data reconnaissance campaign assaulting a wide number of industries including critical infrastructure, entertainment, finance, health care, and telecommunications. This campaign, dubbed Operation GhostSecret, leverages multiple implants, tools, and malware variants associated with the state-sponsored cyber group Hidden Cobra. The infrastructure currently remains active. In this post, …

Despite Decline in Use of Adobe Flash, Vulnerabilities Will Continue to Cause Concern

17 Apr 2018

This post was researched and written with the assistance of Tim Hux, Abhishek Karnik, Asheer Malhotra, and Steve Povolny. McAfee Advanced Threat Research team analysts have studied Adobe Flash Player for years because it is a popular target for attacks. As always, we advise customers to remain current with McAfee’s latest DAT versions. In this …

Cloud Clustering Vulnerable to Attacks

16 Apr 2018

The authors thank John Fokker and Marcelo CaroVargas for their contributions and insights. In our upcoming talk at the Cloud Security Alliance Summit at the RSA Conference, we will focus our attention on the insecurity of cloud deployments. We are interested in whether attackers can use compromised cloud infrastructure as viable backup resources as well …

Parasitic Coin Mining Creates Wealth, Destroys Systems

11 Apr 2018

The increasing popularity of cryptocurrencies has inspired some people to pursue coin mining, essentially making money online. (Mining is the processing of transactions in the digital currency system, in which new transactions are recorded in a digital ledger called the blockchain. Miners help to update the ledger to verify and collect new transactions to be …

Today’s Connected Cars Vulnerable to Hacking, Malware

27 Mar 2018

The McAfee Advanced Threat Research team recently published an article about threats to automobiles on the French site JournalAuto.com. Connected cars are growing rapidly in number and represent the next big step in personal transportation.

Ransomware Takes Open-Source Path, Encrypts With GNU Privacy Guard

19 Mar 2018

McAfee Labs has recently observed a new variant of ransomware that relies on the open-source program GNU Privacy Guard (GnuPG) to encrypt data. GnuPG is a hybrid-encryption software program that uses a combination of conventional symmetric-key cryptography for speed and public-key cryptography to ease the secure key exchange. Although ransomware using GnuPG to encrypt files …
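
A ransomware family that outsources its cryptography to GnuPG still has to launch gpg from the command line for every file, and that leaves a process-creation trail a defender can hunt on. The following is an added example, not McAfee's detection logic and not code from the post: it runs over constructed process-creation events (the event field names, the allowlist of parents a human normally runs gpg from, and the burst threshold are all assumptions) and flags gpg launched in non-interactive encrypt mode by an unexpected parent, plus any host that batch-encrypts many files within a minute.

```python
"""Hunt for GnuPG driven as a bulk file encryptor.

Added example (not McAfee's detection logic). Event fields, the interactive
parent allowlist and the burst threshold are assumptions; tune per estate.
"""
import shlex
from collections import defaultdict
from datetime import datetime, timedelta

GPG_BINARIES = {"gpg", "gpg.exe", "gpg2", "gpg2.exe"}
ENCRYPT_FLAGS = {"--encrypt", "-e", "--symmetric", "-c"}
BATCH_FLAGS = {"--batch", "--yes", "--no-tty"}
# Parents from which a person normally runs gpg (assumption, varies per estate).
INTERACTIVE_PARENTS = {"bash", "zsh", "cmd.exe", "powershell.exe", "explorer.exe"}
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 20  # batch encrypts per host per window (assumption)


def parse_cmdline(cmdline):
    """Tokenise without treating backslashes as escapes (Windows paths)."""
    try:
        return shlex.split(cmdline, posix=False)
    except ValueError:
        return cmdline.split()


def is_batch_encrypt(argv):
    """True when argv is gpg told to encrypt with nobody at the prompt."""
    if not argv:
        return False
    exe = argv[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in GPG_BINARIES:
        return False
    flags = {a.lower() for a in argv[1:]}
    return bool(flags & ENCRYPT_FLAGS) and bool(flags & BATCH_FLAGS)


def detect(events):
    """Return alert dicts: one per gpg launched by an unexpected parent,
    plus one per host whose batch encrypts exceed the burst threshold."""
    alerts = []
    per_host = defaultdict(list)
    for ev in events:
        if not is_batch_encrypt(parse_cmdline(ev["cmdline"])):
            continue
        per_host[ev["host"]].append(datetime.fromisoformat(ev["ts"]))
        if ev["parent"].lower() not in INTERACTIVE_PARENTS:
            alerts.append({"kind": "suspicious_parent", "host": ev["host"],
                           "parent": ev["parent"], "cmdline": ev["cmdline"]})
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted times
            while ts - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                alerts.append({"kind": "encrypt_burst", "host": host,
                               "count": end - start + 1,
                               "first": stamps[start].isoformat()})
                break
    return alerts


# Constructed sample telemetry: one interactive user on ws01, and a script
# host on ws02 encrypting 25 documents in 25 seconds to a foreign key.
SAMPLE_EVENTS = [
    {"ts": "2018-03-19T10:00:00", "host": "ws01", "parent": "bash",
     "cmdline": "gpg --encrypt -r alice@example.com notes.txt"},
    {"ts": "2018-03-19T10:00:05", "host": "ws01", "parent": "bash",
     "cmdline": "gpg --list-keys"},
] + [
    {"ts": f"2018-03-19T10:01:{i:02d}", "host": "ws02", "parent": "wscript.exe",
     "cmdline": f'"C:\\Program Files (x86)\\GnuPG\\bin\\gpg.exe" --batch --yes '
                f'--encrypt -r attacker@example.com '
                f'"C:\\Users\\bob\\Documents\\file{i}.docx"'}
    for i in range(25)
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The interactive encrypt on ws01 is deliberately not flagged: a user running gpg without --batch from a shell is normal. Wire the same two tests into whatever process telemetry you already collect (Sysmon event 1, EDR process trees, auditd execve) and adjust the parent allowlist to the software actually deployed.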

Necurs Botnet Leads the World in Sending Spam Traffic

12 Mar 2018

In Q4 2017 we found that the Necurs and Gamut botnets comprised 97% of spam botnet traffic. (See the McAfee Labs Threats Report, March 2018.) Necurs (at 60%) is currently the world’s largest spam botnet. The infected computers operate in a peer-to-peer model, with limited communication between the nodes and the control servers. Cybercriminals can …

‘McAfee Labs Threats Report’ Examines Cryptocurrency Hijacking, Ransomware, Fileless Malware

12 Mar 2018

Today McAfee published the McAfee Labs Threats Report: March 2018. The report looks into the growth and trends of new malware, ransomware, and other threats in Q4 2017. McAfee Labs saw on average eight new threat samples per second, and the increasing use of fileless malware attacks leveraging Microsoft PowerShell. The Q4 spike in Bitcoin value prompted cybercriminals to focus on cryptocurrency hijacking through a variety of methods, including malicious Android apps.

McAfee Researchers Find Poor Security Exposes Medical Data to Cybercriminals

12 Mar 2018

Those who have successfully gained access to medical data have been well rewarded for their efforts. One seller stated in an interview that “someone wanted to buy all the … records specifically,” claiming that the effort had netted US$100,000.

McAfee Researchers Analyze Dark Side of Cryptocurrency Craze: Its Effect on Cybercrime

12 Mar 2018

In December 2017 Bitcoin values skyrocketed, peaking at the unprecedented amount of roughly US$19,000 per coin. Unsurprisingly, the market for cryptocurrencies exploded in response. Investors, companies, and even the public found a fresh interest in digital currencies. However, the exciting change in Bitcoin value did not just influence your average wealth seeker. It also influenced …

Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant

08 Mar 2018

This post was prepared with contributions from Asheer Malhotra, Charles Crawford, and Jessica Saavedra-Morales.  On February 28, the McAfee Advanced Threat Research team discovered that the cybercrime group Hidden Cobra continues to target cryptocurrency and financial organizations. In this analysis, we observed the return of Hidden Cobra’s Bankshot malware implant surfacing in the Turkish financial …

How Hackers Bypassed an Adobe Flash Protection Mechanism

02 Mar 2018

The number of Flash Player exploits has recently declined, due to Adobe’s introduction of various measures to strengthen Flash’s security. Occasionally, however, an exploit still arises. On January 31, Kr-Cert reported a zero-day vulnerability, identified as CVE-2018-4878, being exploited in the field. (Adobe has released an update to fix this flaw.) We analyzed this vulnerability …

McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups

02 Mar 2018

This post was written with contributions from Jessica Saavedra-Morales, Thomas Roccia, and Asheer Malhotra.  McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the …

DDoS Attacks in the Netherlands Reveal Teen Gamers on Troublesome Path

22 Feb 2018

At the end of January, the Netherlands was plagued by distributed denial of service (DDoS) attacks targeting various financial institutions, tech sites, and the Dutch tax authorities. At the time of the attacks it was unclear who was responsible, and this led to speculation among security experts. Coincidentally, the attacks started a few days after …

Free Ransomware Available on Dark Web

16 Feb 2018

The McAfee Advanced Threat Research team recently analyzed a ransomware-as-a-service threat that is available for free and without registration. This malware was first seen in July 2017 with the extension .shifr. It has now appeared in recent detections with the extension .cypher.

Ransomware-as-a-Service

Ransomware-as-a-service is a cybercrime economic model that allows malware developers to earn money …

Lazarus Resurfaces, Targets Global Banks and Bitcoin Users

12 Feb 2018

McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.

Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems

02 Feb 2018

McAfee Advanced Threat Research (ATR) recently released a report describing a fileless attack targeting organizations involved with the Pyeongchang Olympics. The attack used a PowerShell implant that established a channel to the attacker’s server to gather basic system-level data. What was not determined at that time was what occurred after the attacker gained access to the victim’s system.

Twitter Accounts of US Media Under Attack by Large Campaign

24 Jan 2018

A previously reported campaign purportedly carried out by Turkish hacker group “Ayyildiz Tim” targeting high-profile, verified Twitter accounts with the purpose of spreading Turkish political propaganda appears to have escalated within the last 24 hours. McAfee Advanced Threat Research has investigated the new events and discovered the following.

North Korean Defectors and Journalists Targeted Using Social Networks and KakaoTalk

11 Jan 2018

Recently, South Korean media wrote about North Korean refugees and journalists being targeted by unknown actors using KakaoTalk (a popular chat app in South Korea) and other social network services (such as Facebook) to send links to install malware on victims’ devices. This method shows that attackers are always looking for different ways to deliver …

Malicious Document Targets Pyeongchang Olympics

06 Jan 2018

McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics. Attached in an email was a malicious Microsoft Word document with the original file name 농식품부, 평창 동계올림픽 대비 축산악취 방지대책 관련기관 회의 개최.doc (“Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics”). The primary target of …

Decyphering the Noise Around ‘Meltdown’ and ‘Spectre’

04 Jan 2018

The McAfee Advanced Threat Research (ATR) Team has closely followed the attack techniques that have been named Meltdown and Spectre throughout the lead-up to their announcement on January 3. In this post, McAfee ATR offers a simple and concise overview of these issues, to separate fact from fiction, and to provide insight into McAfee’s capabilities …

McAfee Labs Advanced Threat Research Aids Arrest of Suspected Cybercrime Gang Linked to Top Malware CTB Locker

20 Dec 2017

In our recent research, we interviewed the actors behind ransomware campaigns. One of the interesting findings was cybercriminals seemed to have a sense of absolute safety when conducting criminal operations. Cybercrime is an area of crime like no other, perceived as low-risk with high returns, which contributes greatly to its rapid growth.

Operation Dragonfly Analysis Suggests Links to Earlier Attacks

18 Dec 2017

On September 6, Symantec published details of the Dragonfly campaign, which targeted dozens of energy companies throughout 2017. This attack was effectively Dragonfly 2.0, an update to a campaign that began in 2014. Moving beyond our 2014 analysis of Dragonfly, our current focus looks at the attack’s indicators to determine whether we can glean any …

Looking Into the World of Ransomware Actors Reveals Some Surprises

18 Dec 2017

During the preparations for our keynotes at McAfee’s recent MPOWER conference, we brainstormed a few topics we wanted to share with the audience. Ransomware was definitely on our agenda, but so much has already been said and written on the subject. What could we add that would be interesting? We hit on the angle: to …

McAfee Labs Reports All-Time Highs for Malware in Latest Count

18 Dec 2017

In the third quarter of 2017, McAfee Labs reports all-time highs of new and total malware. What is causing the increasing numbers of malware that are submitted to us at an average rate of four new malware samples per second? One major trend that continues in Q3 is the abuse of Microsoft Office–related exploits and …

Chinese Cybercriminals Develop Lucrative Hacking Services

13 Dec 2017

Underground cybercrime profits in China have likely already exceeded US$15.1 billion (100 billion Chinese yuan); caused more than $13.8 billion (91.5 billion yuan) worth of damage relating to data loss, identity theft, and fraud; and will grow at an even faster pace as underground hackers expand international business operations to increasingly target foreign businesses, according …

Emotet Downloader Trojan Returns in Force

06 Dec 2017

During the past couple of days, we have seen an increase in activity from Emotet. This Trojan downloader spreads by emails that lure victims into downloading a Word document, which contains macros that after executing employ PowerShell to download a malicious payload. We have observed Emotet downloading a variety of payloads, including ransomware, Dridex, Trickbot, …

‘McAfee Labs 2018 Threats Predictions Report’ Previews Five Cybersecurity Trends

29 Nov 2017

Welcome to the McAfee Labs 2018 Threats Predictions Report. We find ourselves in a highly volatile stage of cybersecurity, with new devices, new risks, and new threats appearing every day. In this edition, we have polled thought leaders from McAfee Labs and the Office of the CTO. They offer their views on a wide range of threats, including machine learning, ransomware, serverless apps, and privacy issues.

Should I Worry About AVGater, Which Exploits Some Security Products?

28 Nov 2017

On November 10, a researcher reported the vulnerability AVGater, which affects some antimalware products. The vulnerability allows a user without administrative privileges to restore a quarantined file to a location of the user’s choosing. After internal reviews and with confirmation from the author of the blog, McAfee believes no McAfee products are affected by the privilege escalation …

Don’t Substitute CVSS for Risk: Scoring System Inflates Importance of CVE-2017-3735

24 Nov 2017

I am a wry observer of vulnerability announcements. CVE-2017-3735—which can allow a small buffer overread in an X.509 certificate—presents an excellent example of the limitations of the Common Vulnerability Scoring System (CVSS). This scoring system is the de facto security industry standard for calculating and exchanging information about the severity of vulnerabilities. The problem is …

Malware Mines, Steals Cryptocurrencies From Victims

22 Nov 2017

How’s your Bitcoin balance? Interested in earning more? The value of cybercurrency is going up. One way to increase your holdings is by “mining,” which is legal as long as it is done with the proper permissions. Using your own mining equipment or establishing a formal agreement for outsourcing are two methods. Hardware vendors such …

Lazarus Cybercrime Group Moves to Mobile Platform

20 Nov 2017

When it comes to describing cyberattacks, the word sophisticated is used a lot. Whether to explain yet another “advanced” campaign by a threat actor group hoping to steal information or disrupt computer systems, it seems the precursor to any analysis is to call it sophisticated. Yet the modus operandi for many of these groups is …

Android Malware Appears Linked to Lazarus Cybercrime Group

20 Nov 2017

The McAfee Mobile Research team recently examined a new threat, Android malware that contains a backdoor file in the executable and linkable format (ELF). The ELF file is similar to several executables that have been reported to belong to the Lazarus cybercrime group. (For more on Lazarus, read this post from our Advanced Threat Research …

IoT Devices: The Gift that Keeps on Giving… to Hackers

16 Nov 2017

McAfee Advanced Threat Research on Most Hackable Gifts

You’ve probably noticed the recent increase in Internet connected drones, digital assistants, toys, appliances and other devices hitting the market and maybe even showing up in your own home. The sale of these “Internet-of-Things” (IoT) devices is expected to reach 600 million units this year and, unfortunately, …

New Android Malware Found in 144 GooglePlay Apps

14 Nov 2017

McAfee’s Mobile Research team has found a new Android malware in 144 “Trojanized” applications on Google Play. We named this threat Grabos because we found this string in several elements of the code, including variable and method names. Grabos was initially found in the Android application “Aristotle Music audio player 2017,” which claimed to be …

Threat Group APT28 Slips Office Malware into Doc Citing NYC Terror Attack

07 Nov 2017

During our monitoring of activities around the APT28 threat group, McAfee Advanced Threat Research analysts identified a malicious Word document that appears to leverage the Microsoft Office Dynamic Data Exchange (DDE) technique that has been previously reported by Advanced Threat Research. This document likely marks the first observed use of this technique by APT28. The …

Self-Signed Certificates Can Be Secure, So Why Ban Them?

03 Nov 2017

In many organizations the use of self-signed certificates is forbidden by policy. Organizations may ban the use of self-signed certificates for several reasons: it is trivially easy to generate a certificate’s key pair without reasonable entropy, to fail to protect the private key of the key pair appropriately for its use, to poorly validate the certificate …

Pirate Versions of Popular Apps Infiltrate Google Play via Virtualization

01 Nov 2017

The McAfee Mobile Research team recently found pirated applications of popular apps distributed on the Google Play store. A pirated app is one distributed usually outside of the official store as a free version of a legitimate app. Paid legitimate applications are leading targets of pirated versions. In this case, however, we found pirated copies …

Expiro Malware Is Back and Even Harder to Remove

31 Oct 2017

File infector malware adds malicious code to current files. This makes removal tricky because deleting infections results in the loss of legitimate files. Although file infectors were more popular in the 1990s and early 2000s, they still pose a significant threat. The complex disinfection process is usually leveraged by malware authors to ensure systems stay …

Configuring McAfee ENS and VSE to Prevent Macroless Code Execution in Office Apps

27 Oct 2017

Microsoft Office macros are a popular method of distributing malware. Users can defend themselves against macro attacks by disabling macros. McAfee Labs has now seen a new attack technique using a feature of Office applications that help create dynamic reports. In this post we will explain this technique and offer a method to prevent the …

Code Execution Technique Takes Advantage of Dynamic Data Exchange

27 Oct 2017

Email phishing campaigns are a popular social engineering technique among hackers. The idea is simple: Craft an email that looks enticing to users and convince them to click on a malicious link or open a malicious attachment. Weight-loss and other health-related phishing emails are common. Package deliveries, bank notices and, in the case of spear …
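
The two entries above (the ENS/VSE configuration note and this one) describe the same technique: an Office field that uses Dynamic Data Exchange to start a program when the document is opened, with no macro involved. A Word document is a zip package whose text lives in WordprocessingML, and the DDE instruction sits in field code, either a w:fldSimple attribute or a run of w:instrText elements between fldChar begin and end markers. The following scanner is an added example, not McAfee's code and not a detection from either post: it walks every XML part under word/, reassembles each field's instruction text (attackers split "DDE" and "AUTO" across runs to defeat naive string matching), and reports fields whose code starts with DDE or DDEAUTO. The sample document it builds in memory is constructed for the demonstration and is not a real malicious file.

```python
"""Scan a .docx for DDE/DDEAUTO field codes (macroless code execution).

Added example; the sample document is constructed in memory and is not a
real malicious file. For untrusted input in production, parse with
defusedxml instead of xml.etree to blunt entity-expansion attacks.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def w(name):
    return "{%s}%s" % (W, name)


def field_codes(xml_bytes):
    """Return the instruction text of every field in one WordprocessingML part.

    Simple fields carry the code in w:fldSimple/@w:instr. Complex fields
    spread it over w:instrText runs between fldChar begin/end, so the runs
    of each open field are buffered and joined when the field closes.
    """
    root = ET.fromstring(xml_bytes)
    codes = []
    stack = []  # one buffer per open complex field (fields can nest)
    for el in root.iter():
        if el.tag == w("fldSimple"):
            codes.append(el.get(w("instr"), ""))
        elif el.tag == w("fldChar"):
            kind = el.get(w("fldCharType"))
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                codes.append("".join(stack.pop()))
        elif el.tag == w("instrText") and stack:
            stack[-1].append(el.text or "")
    return codes


def scan_docx(data):
    """Return (part name, field code) for every DDE field in the package,
    covering headers, footers and footnotes as well as the main body."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for code in field_codes(z.read(name)):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def build_docx(body_xml):
    """Constructed minimal package: enough for the scanner, not a valid Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>' % (W, body_xml))
    return buf.getvalue()


# Constructed field that splits the keyword across two runs.
SPLIT_DDE_FIELD = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\\\windows\\\\system32\\\\cmd.exe "/k calc.exe"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>loading...</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
BENIGN_FIELD = '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'

if __name__ == "__main__":
    for part, code in scan_docx(build_docx(SPLIT_DDE_FIELD + BENIGN_FIELD)):
        print(part, "->", code)
```

Run it over a mail gateway quarantine or a SharePoint upload hook and treat any hit as a block, not a warning: there is no legitimate reason for a document arriving from outside to carry a DDEAUTO field. Older binary .doc files store fields differently and need a separate parser.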

Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability

26 Oct 2017

McAfee Labs has performed frequent analyses of Office-related threats over the years: In 2015, we presented research on the Office OLE mechanism; in 2016 at the BlueHat conference, we looked at the high-level attack surface of Office; and this year at the SYSCAN360 Seattle conference, we presented deep research on the critical Office “Moniker” zero-day vulnerabilities. …

‘BadRabbit’ Ransomware Burrows Into Russia, Ukraine

24 Oct 2017

This post was researched and written by Christiaan Beek, Tim Hux, David Marcus, Charles McFarland, Douglas McKee, and Raj Samani. McAfee is currently investigating a ransomware campaign known as BadRabbit, which initially infected targets in Russia and the Ukraine. We are also investigating reports of infected systems in Germany, Turkey, and Bulgaria and will provide updates …

KRACKs: Five Observations on WPA Authentication Vulnerability

23 Oct 2017

KRACKs are in the news. McAfee has already discussed these key reinstallation attacks, which affect Wi-Fi setups, in two posts: “KRACKs Against Wi-Fi Serious But Not End of the World” and “How KRACK Threatens Wi-Fi’s Security Underpinnings and What It Means for You.” Here are five observations that offer an easy-to-digest summary: Don’t panic! Remember this …

ROCA: Which Key-Pair Attacks Are Credible?

20 Oct 2017

In the past two weeks, we have seen two big encryption issues arise: key reinstallation attacks, called KRACKs; and “Return of Coppersmith’s Attack,” called ROCA. Many CEOs, CIOs, and CISO/CSOs are asking, as they must, “Are we protected?” and “What’s our exposure?” Security architects are scurrying about to identify reasonable responses that can be presented …

KRACKs Against Wi-Fi Serious But Not End of the World

18 Oct 2017

On October 12, researcher Mathy Vanhoef announced a set of Wi-Fi attacks that he named KRACKs, for key reinstallation attacks. These attack scenarios are against the WPA2 authentication and encryption key establishment portions of the most recent set of protocols; the technique is to force a key that is already in use to be reinstalled. The attack can potentially allow attackers to send attacker …
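
Why reinstalling a key that is already in use matters is easier to see in code than in prose. The entries above (this one and the five-observations summary) both turn on the same fact: when a client reinstalls the session key, it also resets the per-packet nonce, and a stream-style cipher that reuses a key and nonce pair leaks the XOR of the two plaintexts. The following is an added illustration, not part of the McAfee posts: a toy keystream (SHA-256 in counter mode) stands in for CCMP, which is likewise a counter-mode construction whose keystream depends only on the key and the packet nonce; the packets and the key are constructed.

```python
"""Why reinstalling an already-installed key breaks the encryption.

Added illustration (not part of the McAfee post). A toy keystream built
from SHA-256 in counter mode stands in for CCMP's AES-CTR; what matters is
that the keystream depends only on (key, nonce). Packets are constructed.
"""
import hashlib


def keystream(key, nonce, length):
    """Toy keystream: hash(key || nonce || block counter), concatenated."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Client side of a WPA2 session, tracking the packet number (PN).

    The defect KRACK exploits: the key-install routine resets PN to 0 even
    when the very same key is installed a second time, so the next packet
    reuses a nonce that has already been consumed under that key.
    """

    def __init__(self):
        self.key = None
        self.pn = 0

    def install_key(self, key):
        self.key = key
        self.pn = 0  # nonce counter reset: the bug
        return self

    def send(self, plaintext):
        self.pn += 1
        nonce = self.pn.to_bytes(6, "big")
        return nonce, xor(plaintext, keystream(self.key, nonce, len(plaintext)))


def recover(ct_known, pt_known, ct_target):
    """Same key and nonce twice: c1 XOR c2 == p1 XOR p2, so one known
    plaintext reveals the other packet outright."""
    return xor(xor(ct_known, ct_target), pt_known)


def run_attack(replay_msg3=True):
    """Simulate a session. With replay_msg3 the attacker retransmits
    handshake message 3 after the first data frame, which makes a
    vulnerable station reinstall the PTK and reset its nonce."""
    ptk = b"constructed-ptk-for-demo-0123456"          # constructed key
    p1 = b"ARP who-has 192.168.1.1 tell 192.168.1.42"  # guessable traffic
    p2 = b"GET /account HTTP/1.1 Cookie: sess=4f2a9c"  # what the attacker wants
    width = max(len(p1), len(p2))
    p1, p2 = p1.ljust(width), p2.ljust(width)

    sta = Station().install_key(ptk)
    n1, c1 = sta.send(p1)
    if replay_msg3:
        sta.install_key(ptk)  # KRACK: same key, PN back to 0
    n2, c2 = sta.send(p2)
    return {"nonce_reused": n1 == n2,
            "recovered": recover(c1, p1, c2),
            "target": p2}


if __name__ == "__main__":
    print(run_attack(replay_msg3=True))
    print(run_attack(replay_msg3=False))
```

The fix patched clients adopted is visible in the model: do not reset the nonce (and, for the group key, the replay counter) when the key being installed is the one already in use. Note that the station never "leaks" its key; everything the attacker learns comes from the nonce reuse alone, which is why encrypting at a higher layer (TLS, VPN) blunts the attack even on an unpatched network.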

Tips for Effective Threat Hunting

18 Oct 2017

In May, McAfee surveyed more than 700 IT and security professionals around the world to better understand how threat hunting is used in organizations and how they hope to enhance their threat hunting capabilities. You can read the full study: Disrupting the Disruptors, Art or Science? Understanding the role of threat hunters and continuing evolution …

Taiwan Bank Heist and the Role of Pseudo Ransomware

12 Oct 2017

Widespread reports claim the Far Eastern International Bank in Taiwan has become a victim of hacking. The attacks demonstrate the global nature of cybercrime, with the cybercriminals attempting to wire US$60 million to destinations such as Sri Lanka, Cambodia, and the United States.

Staying Anonymous on the Blockchain: Concerns and Techniques

11 Oct 2017

With Bitcoin at one point valued at more than $5,000 per unit, cryptocurrencies have excited a lot of interest from individuals, businesses, and hackers. One of the selling points of Bitcoin and others of its type is anonymity. Yet there are concerns that online currency transactions may not be as anonymous as many wish. In …

Linux Kernel Vulnerability Can Lead to Privilege Escalation: Analyzing CVE-2017-1000112

02 Oct 2017

This blog was written by Krishs Patil. A memory corruption bug in UDP fragmentation offload (UFO) code inside the Linux kernel can lead to local privilege escalation. In this post we will examine this vulnerability and its accompanying exploit. Although this bug affects both IPv4 and IPv6 code paths, we analyzed only IPv4 code running …

McAfee Labs: Faceliker Surge Manipulates Facebook “Likes” to Promote News, Other Content

26 Sep 2017

Criminals excel in manipulating the trust within human relationships, particularly as individuals project themselves into digital realms such as social media. We see it in phishing messages, which fool us into clicking on a malicious weblink from what appears to be a benign organization with which we do business. We also see it in the …

McAfee Labs Threats Report Explores WannaCry/Petya, Threat Hunting, Script-Based Malware

26 Sep 2017

Today we published the McAfee Labs Threats Report: September 2017. This quarter’s report shows off a new design. We hope you will find it attractive as well as informative.

Apache Struts at REST: Analyzing Remote Code Execution Vulnerability CVE-2017-9805

22 Sep 2017

Apache Struts, an open-source web development framework, is prone to vulnerabilities. We wrote about CVE-2017-9791 in July. The latest is CVE-2017-9805, another remote code execution flaw actively being exploited, according to reports. This vulnerability affects the Struts plug-in Representational State Transfer (REST). Apache has updated Struts with Version 2.5.13 to fix this issue. In this post …

Microsoft Kills Potential Remote Code Execution Vulnerability in Office (CVE-2017-8630)

21 Sep 2017

Recently the McAfee IPS Research Team informed Microsoft about a potential remote code execution vulnerability in Office 2016 that McAfee discovered in March. Microsoft released a patch for this vulnerability this week with CVE-2017-8630. In this post, we will briefly discuss the vulnerability and its exploitability.

The Problem

While auditing PowerPoint, we came across an …

Android Click-Fraud App Repurposed as DDoS Botnet

12 Sep 2017

The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including recent examples on Google Play in 2016 and Clicker.BN last month. These threats are characterized by a common behavior: They appear innocuous but in the background they perform HTTP requests (simulating clicks) on paid advertisements to make …

Emotet Trojan Acts as Loader, Spreads Automatically

01 Sep 2017

Since the middle of July, McAfee has observed new updates of Emotet, a Trojan that was first discovered in 2014. This malware harvests banking credentials. Early variants used Outlook contact harvesting to spread via malicious spam. The latest variants act as loaders and use several mechanisms to spread over the network and send spam …

Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea

28 Aug 2017

Last month, a number of users started posting on South Korean sites screenshots of suspicious SMS phishing messages (a technique also known as smishing) that try to lure them into clicking on shortened URLs. For example, the following message asks the user to click on the link to check if a private picture has been leaked: Figure 1: …

Android Click-Fraud Apps Briefly Return to Google Play

25 Aug 2017

Click-fraud apps frequently appear on Google Play and third-party markets. They are sometimes hard to identify because the malicious behavior that simulates clicks is similar to the behavior of many legitimate applications (using common API calls and permissions). Further, part of the malicious code does not reside in the original malware and comes from a …

Smishing Campaign Steals Banking Credentials in U.S.

14 Aug 2017

The McAfee Mobile Research team recently found an active smishing campaign, using SMS messages, that targets online banking users in the United States. The messages attempt to scare victims with a notice that the bank account will be soon closed and that the user must immediately click a malicious URL: Figure 1: Phishing SMS message. …

DEFCON – Connected Car Security

02 Aug 2017

Sometime in the distant past, that thing in your driveway was a car. However, the “connected car is already the third-fastest growing technological device after phones and tablets.” The days of a Haynes manual, a tool kit, and a free afternoon or week to work on the car are fast becoming a distant memory. Our connected cars …

Analyzing CVE-2017-0190: WMF Flaws Can Lead to Data Theft, Code Execution

26 Jul 2017

CVE-2017-0190 is a recently patched vulnerability related to Windows metafiles (WMFs), a portable image format mainly used by 16-bit Windows applications. Recently we have seen an increase in the number of vulnerabilities related to WMFs and EMFs (enhanced metafiles) in the GDI32 library. Most often, these vulnerabilities lead to sensitive information disclosure from the process …

NoMoreRansom – One year on!

25 Jul 2017

One year on. It is fair to say that the No More Ransom project not only exceeded our expectations, but simply blew these initial expectations out of the water. A collaboration between six partners (McAfee, EC3, Dutch Police, Kaspersky Lab, AWS and Barracuda) has now grown to include more than 100 partners across the public and private sector. We often hear people talk about Public-Private Partnerships, but here is a true example of that commitment in action.

Darknet Markets Will Outlive AlphaBay and Hansa Takedowns

20 Jul 2017

On June 20, law enforcement took over the Hansa marketplace after investigations that began in 2016. On July 5, police in Thailand arrested Alexandre Cazes, alleged to be the operator of the large underground market AlphaBay. These efforts have taken two of the largest darknet markets offline. AlphaBay, and later Hansa, was one of many …

Analyzing CVE-2017-9791: Apache Struts Vulnerability Can Lead to Remote Code Execution

19 Jul 2017

Apache Struts is a model-view-controller framework for creating Java web applications. Struts has suffered from a couple of vulnerabilities using the technique of object-graph navigation language (OGNL) injection. OGNL is an expression language that allows the setting of object properties and execution of various methods of Java classes. OGNL can be used maliciously to perform …

Analyzing a Patch of a Virtual Machine Escape on VMware

17 Jul 2017

A virtual machine is a completely isolated guest operating system installation within a normal host operating system. Virtual machine escape is the process of breaking out of a virtual machine and interacting with the host operating system, which can lead to infections and malware execution. VMware escapes demonstrated at the most recent PwnFest, organized by …

LeakerLocker: Mobile Ransomware Acts Without Encryption

07 Jul 2017

We recently found on Google Play a type of mobile ransomware that does not encrypt files. This malware extorts a payment to prevent the attacker from spreading a victim’s private information. LeakerLocker claims to have made an unauthorized backup of a phone’s sensitive information that could be leaked to a user’s contacts unless it receives …

Petya More Effective at Destruction Than as Ransomware

01 Jul 2017

At the beginning of the recent Petya malware campaign, the world was quick to exclaim this attack was ransomware. Now, with time to analyze the facts and make comparisons to other ransomware campaigns, this Petya attack does not look so much like ransomware. To back up this claim, let’s examine three other well-known ransomware campaigns: …

How to Protect Against Petya Ransomware in a McAfee Environment

28 Jun 2017

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

New Variant of Petya Ransomware Spreading Like Wildfire

27 Jun 2017

The world woke up today to another ransomware outbreak wreaking havoc throughout companies’ networks. This time, the family causing the fuss is Ransomware Petya, a nasty variant that encrypts files and the computer’s master boot record (MBR), rendering the machine unusable.

‘McAfee Labs Threats Report’ Explores Malware Evasion Techniques, Digital Steganography, Password-Stealer Fareit

20 Jun 2017

This blog post was written by Vincent Weafer. We got a little carried away in the McAfee Labs Threats Report: June 2017, published today. This quarter’s report has expanded to a rather hefty 83 pages! It contains three highly educational topics, in addition to the usual set of threats statistics: We broadly examine evasion techniques …

McAfee Discovers Pinkslipbot Exploiting Infected Machines as Control Servers; Releases Free Tool to Detect, Disable Trojan

16 Jun 2017

This blog was written by Sanchit Karve. McAfee Labs has discovered that banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after its capability to steal personal and financial data from the infected machine has been removed by a security product. These include home users whose …

Is WannaCry Really Ransomware?

08 Jun 2017

Ransomware follows a relatively simple model: data is encrypted, the victim pays, data is decrypted. At least that is what those who create ransomware want you to believe. This was also our assumption when we began our analysis of WannaCry—that those behind the campaign would decrypt victims’ data once they received payment. However, for a campaign with incredibly effective propagation techniques, reasonable key and data management, and a working anonymous communication fabric with Bitcoin payments, we found a major flaw: The WannaCry attackers appear to be unable to determine which users have paid the ransom and they cannot decrypt on a per-user basis.

Misuse of DocuSign Email Addresses Leads to Phishing Campaign

01 Jun 2017

DocuSign, which provides electronic signatures and digital transaction management, reported that email addresses were stolen by an unknown party on May 15. Although the company confirmed that no personal information was shared, DocuSign has reported that a malicious third party gained temporary access to a separate, non-core system that allows it to communicate service-related announcements to …

Fake WannaCry ‘Protectors’ Emerge on Google Play

23 May 2017

Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices. While searching for “WannaCry” on Google Play we found several new …

How to Protect Against WannaCry Ransomware in a McAfee Environment

18 May 2017

WannaCry is a ransomware family targeting Microsoft Windows. On Friday May 12, a large cyberattack based on this threat was launched. At this time, it is estimated that more than 250,000 computers in 150 countries have been infected, each demanding a ransom payment.

Adylkuzz CoinMiner Spreading Like WannaCry

17 May 2017

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the Shadow Brokers a few weeks ago. We have reported on this malware in our previous blog and …

Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code

15 May 2017

Many attacks on mobile devices use social engineering to initially infect a victim’s system. They download malware and elevate privileges by exploiting vulnerabilities. Mobile malware often uses persistence mechanisms to hide and monitor the victim’s behavior. Unlike personal computers, mobile devices are used more often by their owners, and carry sensitive information such as phone …

Further Analysis of WannaCry Ransomware

14 May 2017

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s …

WannaCry: The Old Worms and the New

13 May 2017

The morning of Friday, May 12 multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry. Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers. By Friday afternoon, McAfee’s Global Threat Intelligence system was …

An Analysis of the WannaCry Ransomware Outbreak

12 May 2017

Charles McFarland was a coauthor of this blog. Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals being victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to …

Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service

09 May 2017

OpenSSL, the popular general-purpose cryptographic library that implements SSL/TLS protocols for web authentication, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, …

Mirai, BrickerBot, Hajime Attack a Common IoT Weakness

03 May 2017

This blog post was written by Rick Simon. We know that devices in the Internet of Things make enticing targets for attack. They are often insecure and can act as open windows into trusted networks. Cybercriminals are capitalizing on that more and more each day, gathering hundreds of thousands of insecure IoT devices into giant …

Cerber Ransomware Evades Detection With Many Components

03 May 2017

This blog was co-written by Sapna Juneja. Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.) Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing …

Banned Chinese Qvod Lives on in Malicious Fakes

02 May 2017

Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod. One common feature of these malicious apps is to disguise their …

Mirai Botnet Creates Army of IoT Orcs

20 Apr 2017

This post was based on analysis by Yashashree Gund and RaviKant Tiwari. There is a lot of speculation in the news about surveillance from home appliances, personal electronics, or other Internet of Things (IoT) devices. Although some statements may be hyperbole, we know that these devices, in homes and offices, are being compromised and used …

Critical Office Zero-Day Attacks Detected in the Wild

07 Apr 2017

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched. This blog post …

McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet

06 Apr 2017

This blog post was written by Vincent Weafer. In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics. Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a …

Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

28 Mar 2017

Malware families are constantly seeking new ways to hide their code, thwart replication, and avoid detection. A recent trend for the delivery of ransomware is the use of the Nullsoft Scriptable Install System (NSIS) with an encrypted payload. The list of the most common families using this technique is diverse and includes Cerber, Locky, Teerac, Crysis, …

Analyzing a Fresh Variant of the Dorkbot Botnet

09 Mar 2017

At McAfee Labs, we have recently observed a new variant of the Dorkbot botnet. Dorkbot is a well-known bot, famous for its various capabilities including backdoor, password stealing, and other malicious behavior. Dorkbot relies on social networking as its infection vector. In this post, we offer our analysis of this new variant. The malware downloads …

CHIPSEC Support Against Vault 7 Disclosure Scanning

09 Mar 2017

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society. As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework …

Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL

08 Mar 2017

OpenSSL is a popular open-source library for SSL and is used by various software and companies across the world. In January, OpenSSL released an update that fixed multiple vulnerabilities. One of them is CVE-2017-3731, which can cause a denial of service due to a crash. McAfee Labs analyzed this vulnerability to provide detection for customers. …

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

22 Feb 2017

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature: it works offline. Propagation vector: The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to …

Macro Malware Targets Macs

14 Feb 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this …

The Cyber Threat Alliance Steps Up to Boost Protection

14 Feb 2017

This blog post was written by Vincent Weafer. With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, …

Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

14 Feb 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. In part 1 of this analysis, we discussed the basics of the malware and its whitelisting to protect itself. In this part, we will provide more information about the malware’s internals, this variant, and steps to unlock the ransomware lock screen. Variant 1. This variant seems to be inspired by …

McAfee Launches ‘Threat Landscape Dashboard’

10 Feb 2017

Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to …

Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service

03 Feb 2017

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We …

Spotlight on Shamoon

27 Jan 2017

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents …

With Release of Windows 10, Questions About BitLocker Arise Again

26 Jan 2017

This post was written by Ted Pan. For those of you who were around during the original release of Microsoft’s BitLocker, previously known as Secure Startup, you will remember that it was meant to completely eliminate the necessity for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack …

Analyzing KillDisk Ransomware, Part 1: Whitelisting

20 Jan 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected …

Stopping Malware With a Fake Virtual Machine

19 Jan 2017

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting …

Trojanized Photo App on Google Play Signs Up Users for Premium Services

13 Jan 2017

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious. Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names …

Turkish Instagram Password Stealers Found on Google Play

12 Jan 2017

McAfee’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) This malware is distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users. The malware leads victims to …

Top Tips for Securing Home Cameras

05 Jan 2017

Installing a home surveillance camera system can add great benefits but also may introduce new risks to privacy and network security. The goal is to increase your security and peace of mind, while avoiding cybersecurity threats. Here are three tips to consider when purchasing, installing, and configuring your new home camera system. The risks: Home …

Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

30 Dec 2016

This blog was written by Stanley Zhu. The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to …

Next Targets for Cybercriminals: the Long Term (Part 2)

27 Dec 2016

In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures. Rise of blockchain …

Next Targets for Cybercriminals: the Short Term (Part 1)

25 Dec 2016

Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step …

Floki Bot a Sensation With International Cybercriminals

23 Dec 2016

Floki Bot, new financial malware, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos. Improvements abound …

Did You Forget to Patch Your IP Camera?

21 Dec 2016

IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowledge. IP cameras are targets: Like all Internet-connected devices, IP cameras are at risk of …

An Overview of Malware Self-Defense and Protection

19 Dec 2016

Many malware authors spend a great deal of time and effort to develop complex code. Their success depends on a threat’s remaining undetected and avoiding sandbox analysis, antivirus efforts, or malware analysts. This post offers an overview of the mechanisms used by malware to evade detection. If malware is detected quickly, it has little time …

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

19 Dec 2016

In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a legitimate application for streaming movies and series. The ransom note gives the victim seven days to choose either option or the …

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

14 Dec 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this …

McAfee Labs December Threats Report Explores Many Facets of Deception

13 Dec 2016

This blog post was written by Vincent Weafer. In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, …

“Trojanization” of Legit Apps on the Rise

13 Dec 2016

McAfee today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect against …

2016: A Year at Ransom

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 provides an overview of how ransomware has evolved over the course of 2016, and how the industry has responded. Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, an increase of 80% since the beginning of the year. Beyond volume, ransomware exhibited notable …

How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309

13 Dec 2016

Recently the OpenSSL security library gained a fix for a critical security issue (CVE-2016-6309) that affects OpenSSL Version 1.1.0a. The remote attackers can cause the OpenSSL server to crash, or execute arbitrary code on it, by simply sending a handshake packet with a message larger than 16KB. To defend against these attacks we analyzed the …

Shamoon Rebooted in Middle East, Part 2

09 Dec 2016

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver. The language of these three …

Farewell to the SHA-1 Hash Algorithm

01 Dec 2016

Rest in peace, SHA-1. Like all security controls, it is valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next …

Shamoon Rebooted?

29 Nov 2016

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines. The initial infection vector for the recent attacks is …

Big, Hard-to-Solve Problems

29 Nov 2016

Improving the Lifecycle of Threat Defense Effectiveness: When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, …

‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats

29 Nov 2016

This blog post was written by Vincent Weafer. In the McAfee Labs 2017 Threats Predictions report, published today, we cover a lot of ground but focus particularly on two areas that will impact IT security for years to come: threats to the cloud and the Internet of Things. The report kicks off with a big-picture …

You Can Outsource the Work, but You Cannot Outsource the Risk

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Cloud: As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will …

Welcome to the Wild West, Again!

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Internet of Things: The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned once again as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming …

Worms Could Spread Like Zombies via Internet of Things

21 Nov 2016

Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols. Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a …

More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray

09 Nov 2016

On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to …

Talking About Cyber Risks Educates the Community

07 Nov 2016

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light. Sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and …

Cerber Ransomware Now Hunts for Databases

04 Nov 2016

Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with …

Top 5 Things to Know About Recent IoT Attacks

02 Nov 2016

Recent Internet attacks have resulted in several popular sites becoming unreachable. The list includes Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have brought to light a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been commonplace for more …

The Latest IoT Device I Do Not Want Hacked

01 Nov 2016

What if someone hacked this remotely controlled semiautonomous tractor? I am a cybersecurity guy and a huge fan of technology. One of the challenges we face in the security industry is the growth of the Internet of Things (IoT). IoT is about connecting everyday objects to the Internet. It might be a toaster, alarm clock, …

A ‘Second Economy’ Prognosis for Health Care Cybersecurity

26 Oct 2016

McAfee CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money. As in other industries, health care is working toward maximizing efficiencies, containing …

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

26 Oct 2016

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the …

How to Secure the Future of the Internet of Things

22 Oct 2016

The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat to their owners; now they pose a significant threat to everything connected to the Internet. The old IoT security problem For the past year, the cybersecurity and IoT communities have been at odds regarding …

Unfolding the Mystery of Cerber Ransomware’s Random File Extension

20 Oct 2016

In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we’ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. (We call this version X, …

Password-Protected Attachment Serves Ransomware

18 Oct 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have …

Ransomware Variant XTBL Another Example of Popular Malware

17 Oct 2016

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers …

Android Banking Trojan Asks for Selfie With Your ID

14 Oct 2016

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain …

Everyone Loves Selfies, Including Malware!

13 Oct 2016

This blog was written by Bruce Snell. I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus. For me it came down to the camera. I travel a lot for work and even though photography is something of a hobby of mine, …

New Security Reality for Internet of Things

04 Oct 2016

Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks. Nontraditional risks The estimates vary, but they suggest between …

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

03 Oct 2016

Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts. McAfee CTO Steve Grobman fielded a number of questions on these events and …

Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

30 Sep 2016

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key aspect in which the knowledge gained by the owners of sensor networks can share data with the security analysis community. This generosity …

Macro Malware Employs Advanced Sandbox-Evasion Techniques

29 Sep 2016

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks …

How Can We Stop ‘ROP’ Cyberattacks?

28 Sep 2016

IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for …

‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning

28 Sep 2016

Analytics, big data, automation, and machine learning are all terms we use when talking about the future of cybersecurity. As the volume of security data increases, data science will become an important weapon to disrupt adversaries. Too often, these terms are used as synonyms, but they refer to different parts of the domain of data …

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss

26 Sep 2016

This blog post was written by Rick Simon. Data is leaking out of your organization: accidentally or intentionally, by internals or externals, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices …

© dedoLa 2010-2017