SANS

Jaff ransomware gets a makeover, (Wed, May 24th)

24 May 2017

Introduction

Since 2017-05-11, a new ransomware named Jaff has been distributed through malicious spam (malspam) from the Necurs botnet. This malspam uses PDF attachments with embedded Word documents containing malicious macros.
Shown above: Flow chart for this infection chain.

Prior to Jaff, we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push Locky ransomware. Prior to that, this type of malspam was pushing Dridex.

With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all since its debut about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. With that in mind, today's diary reviews a wave of malspam pushing Jaff ransomware from Tuesday 2017-05-23.

The emails

This specific wave of malspam used a fake invoice theme. It started on Tuesday 2017-05-23 as early as 13:22 UTC and lasted until sometime after 20:00 UTC. I collected 20 emails for today's diary.
Shown above: Screenshot from one of the emails.

As stated earlier, these emails all have PDF attachments, and each one contains an embedded Word document.
Shown above: The embedded Word document with malicious macros.

The traffic

Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for the post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ. Post-infection traffic merely returns the string "Created".
Shown above: Alerts on the traffic using Security Onion with Suricata and the EmergingThreats Open ruleset.
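As an added example (not code from the diary, and not taken from the Jaff sample itself), here is how an analyst can recover the dropped executable from a captured download that was XORed with a repeating ASCII key, using the key string the diary reports. The encoded bytes are constructed inside the block, and the names `xor_with_key`, `looks_like_pe`, `decode_dropped_file` and `build_fake_pe` are chosen here, not taken from the malware or from any tool.

```python
# Added example: decode a payload XORed with a repeating ASCII key, the way the
# diary describes the Jaff download, and sanity-check that the result is a PE.
# The key is the one reported in the diary; the "encoded sample" below is
# CONSTRUCTED from a fake PE header, not real malware.
import itertools

JAFF_XOR_KEY = b"I6cqcYo7wQ"  # key string reported in the diary


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same operation both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_pe(data: bytes) -> bool:
    """Cheap check for a Windows executable: 'MZ' DOS header and a 'PE\\0\\0'
    signature at the offset stored in e_lfanew (little-endian u32 at 0x3c)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_dropped_file(encoded: bytes, key: bytes = JAFF_XOR_KEY) -> bytes:
    """Decode a captured download and refuse output that is not a PE, which is
    what you see when the key is wrong or the sample uses a different encoding."""
    decoded = xor_with_key(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE file: wrong key or different encoding")
    return decoded


def build_fake_pe() -> bytes:
    """Constructed stand-in for the real binary: MZ stub, e_lfanew = 0x40,
    PE signature, a dummy COFF header and some filler bytes."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)      # 0x3c bytes of DOS header
    header += (0x40).to_bytes(4, "little")           # e_lfanew
    header += b"PE\0\0" + b"\x00" * 20               # PE signature + dummy COFF header
    return bytes(header) + b"fake-section-data" * 4


# What the wire capture would contain: the fake PE after the XOR encoding.
CONSTRUCTED_ENCODED = xor_with_key(build_fake_pe(), JAFF_XOR_KEY)

if __name__ == "__main__":
    pe = decode_dropped_file(CONSTRUCTED_ENCODED)
    print("decoded %d bytes, PE header ok, first bytes %r" % (len(pe), pe[:2]))
```

On a real capture you would read the body of the GET response (the file stored as lodockap8 in the diary) into `encoded` and compare the decoded output's hash with the levinsky8.exe that appeared on disk; a mismatch tells you the key or the encoding changed in a later wave.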

The infected Windows host

The encoded binary from this wave of malspam was stored in the user's AppData\Local\Temp directory as lodockap8. Then it was decoded and stored as levinsky8.exe in the same directory.
Shown above: The user's AppData\Local\Temp directory from an infected host on 2017-05-23.

On Tuesday 2017-05-23, Jaff ransomware had a makeover.
Shown above: Desktop of a Windows host infected with a Jaff ransomware sample from 2017-05-23.

Encrypted files had previously been appended with the .jaff file extension. On Tuesday 2017-05-23, encrypted files from my infected host were appended with a .wlu file extension.
Shown above: Jaff decryptor from a Windows host infected on 2017-05-23.

Indicators of Compromise (IoCs)

The following are examples of email subject lines and attachment names from Tuesday 2017-05-23:

  • Subject: Invoice(00-5523) -- Attachment name: 68-5182.pdf
  • Subject: Invoice(00-5832) -- Attachment name: 72-6353.pdf
  • Subject: Invoice(08-4031) -- Attachment name: 28-3137.pdf
  • Subject: Invoice(09-5337) -- Attachment name: 98-9897.pdf
  • Subject: Invoice(19-9273) -- Attachment name: 68-6414.pdf
  • Subject: Invoice(23-0458) -- Attachment name: 53-3366.pdf
  • Subject: Invoice(27-7813) -- Attachment name: 95-1750.pdf
  • Subject: Invoice(28-3137) -- Attachment name: 68-4200.pdf
  • Subject: Invoice(53-3366) -- Attachment name: 61-7808.pdf
  • Subject: Invoice(54-9434) -- Attachment name: 78-8672.pdf
  • Subject: Invoice(61-7808) -- Attachment name: 00-5832.pdf
  • Subject: Invoice(68-4200) -- Attachment name: 98-3753.pdf
  • Subject: Invoice(68-5182) -- Attachment name: 54-9434.pdf
  • Subject: Invoice(68-6414) -- Attachment name: 27-7813.pdf
  • Subject: Invoice(72-6353) -- Attachment name: 08-4031.pdf
  • Subject: Invoice(78-8672) -- Attachment name: 23-0458.pdf
  • Subject: Invoice(88-6908) -- Attachment name: 19-9273.pdf
  • Subject: Invoice(95-1750) -- Attachment name: 00-5523.pdf
  • Subject: Invoice(98-3753) -- Attachment name: 88-6908.pdf
  • Subject: Invoice(98-9897) -- Attachment name: 09-5337.pdf

The following are examples of spoofed email senders from Tuesday 2017-05-23:

  • ALISA PICKARD ALISA.PICKARD@ADAMSINSTALLATIONS.CO.UK
  • ALYSSA BUTLING ALYSSA.BUTLING@MATTRICHLING.COM
  • CAROLYN BOSTON CAROLYN.BOSTON@FLORIN.FR
  • DENIS SENIOR DENIS.SENIOR@INFOTEC.NO
  • DUSTY HAMMOND DUSTY.HAMMOND@EASTWELLIRONWORKS.CO.UK
  • ELAINE BARKER ELAINE.BARKER@SCHIONNINGDEVELOPMENT.DK
  • FREDRIC RALLI FREDRIC.RALLI@RVAGROCERYSHOPPER.COM
  • GENA CLYDE GENA.CLYDE@CORTE.CH
  • HERMINIA UREN HERMINIA.UREN@BIGBOYPUZZLES.COM
  • JENNA LAMPET JENNA.LAMPET@ALIF-INTERNATIONAL.COM
  • LILLIE TRAVERS LILLIE.TRAVERS@CHANGEAGENTS.BIZ
  • LUPE FERN LUPE.FERN@DWTAXPREP.COM
  • MEAGAN FALKENBERG MEAGAN.FALKENBERG@MIKEPRICE.INFO
  • MICAH HOG MICAH.HOG@SBINFRACON.COM
  • MOLLIE BOSCAWEN MOLLIE.BOSCAWEN@STRAYFAMILY.COM
  • ROBIN PETER ROBIN.PETER@JUSTPLUMBIT.CO.UK
  • SILVIA GASKIN SILVIA.GASKIN@RSDRUKKERIJ.NL
  • TONY SCOWBY TONY.SCOWBY@RELATIVITYCOMPUTING.COM
  • VICKY GILLESPIE VICKY.GILLESPIE@CASAXALTEVA.ORG
  • VIOLET BAGBY VIOLET.BAGBY@JAMES-FOLEY.CO.UK

The following are examples of SHA256 hashes for the PDF attachments from Tuesday 2017-05-23:

  • 0218178eec35acad7909a413d94d84ae3d465a6ea37e932093ec4c7a9b6a7394
  • 0a326eb9a416f039be104bb5f199b7f3442515f88bd5c7ad1492b1721c174b8e
  • 21da9eeded9581f6f032dea0f21b45aa096b0330ddacbb8a7a3942a2026cc8ca
  • 4458f43127bb514b19c45e086d48aba34bf31baf1793e3d0611897c2ff591843
  • 66320f4e85e3d6bd46cf00da43ca421e4d50c2218cb57238abb2fb93bef37311
  • 7dd248652f2b42f3e1ad828e686c8ba458b6bb5b06cea46606ceccdd6b6e823c
  • 8a474cdd4c03dd4a6ba6ad8945bf22f74f2f41830203f846d5437f02292bb037
  • 956e43ece563fd46e6995fae75a0015559f0a63af5059290a40c64b906be5b9b
  • 9beb67a68396375f14099055b712e22673c9a1d307a76125186127e289ab41a2
  • b2b9c02080ae6fbe1845c779e31b5f6014ec20db74d21bd9dd02c444a0d0dd9b
  • c126e731c1c43d52b52a44567de45796147aca1b331567ed706bf21b6be936b4
  • cde2ff070e86bc1d72642cb3a48299080395f1df554e948fd6e8522579dfe861
  • daf01a1f7e34e0d47ecdfcef5d27b2f7a8b096b4e6bc67fb805d4da59b932411
  • e477300e8f8954ee95451425035c7994b984d8bc1f77b4ccf2a982bb980806fe

The following are examples of SHA256 hashes and file names for the embedded word documents from Tuesday 2017-05-23:

  • 084ee31e69053e66fafe6e1c2a69ffec015f95801ce6020f7765c56d6f3c23ff - PQQIDNQM.docm
  • 0855061389b62ec6a9b95552357ff7571ae5c034b304978a533c6cba06c3f9e8 - GYTKPVM.docm
  • 1f2598dc7a7b8f84307d8c2fa41f5550c320f8192cd41e50b47570d3836e6fcc - RNJSMOVS.docm
  • 2dbf9e1c412aa1ffd32a91043642eb9cc80772c87dbbce3dd098c57d917277fb - DLDD7LH.docm
  • 3f95a7eeb1965193a4e92862c10897e04708b37b793b8e45f890d019358214c0 - DC2ZPQ.docm
  • 56cd249ff82e9bb96a73262090bc6a299ead64d6c75161520e745c2066f22430 - KAR6WLU.docm
  • 795d8312749c122fa10a93c9f3aa1c0f4ffc081714c0ddb66c141334f8ef0633 - M4SQLA2.docm
  • 8906d10a48487d8240bddd0c0cb5c076e88104c86bdf871b0143d74b6df3cc98 - NQBCXP4.docm
  • 91aa966e837c4144a1294aa912a2162397f3a6df98cf336891d234e267cd919f - RNOHLIAFU.docm
  • 933fcc1bf90716abf7c4eaf29b520d2276df895fb4dd5a76be2a55028a4da94e - PCHLUPL.docm
  • a98782bd10004bef221e58abcecc0de81747e97910b8bbaabfa0b6b30a93b66b - Q1DOEY13.docm
  • ae244ca170b6ddc285da0598d9e108713b738034119bae09eaa69b0c5d7635f8 - TH1DZZPT.docm
  • bc0b2fbe4225e544c6c9935171a7d6162bc611a82d0c6a5f3d62a3f5df71cf8c - OLZNKWSOW.docm
  • c702deaa2fe03f188a670d46401e7db71628e74b0e5e2718a19e2944282e05cd - VUG3FBFO.docm

The following is the sample of Jaff ransomware I saw on Tuesday 2017-05-23:

The following are URLs generated by malicious macros from the embedded Word documents. They're used to download the encoded Jaff ransomware binary:

  • billiginurlaub.com - GET /fgJds2U
  • david-faber.de - GET /fgJds2U
  • elateplaza.com - GET /fgJds2U
  • electron-trade.ru - GET /fgJds2U
  • fjjslyw.com - GET /fgJds2U
  • hr991.com - GET /fgJds2U
  • jinyuxuan.de - GET /fgJds2U
  • khaosoklake.com - GET /fgJds2U
  • minnessotaswordfishh.com - GET /af/fgJds2U
  • oliverkuo.com.au - GET /fgJds2U
  • pcflame.com.au - GET /fgJds2U
  • tdtuusula.com - GET /fgJds2U
  • williams-fitness.com - GET /fgJds2U

The following is post-infection traffic from my infected Windows host:

  • 185.109.147.122 port 80 - maximusstafastoriesticks.info - GET /a5/
  • rktazuzi7hbln7sy.onion (tor domain for the decryption instructions)

Final words

Much of this malspam is easy to spot among the daily deluge of spam most organizations receive. However, this PDF attachment/embedded Word doc scheme is likely an attempt to bypass spam filtering.

As always, if your organization follows best security practices, you're not likely to get infected. For example, software restriction policies that deny binary execution in certain Windows directories can easily stop this infection chain. Even without software restriction policies, the intended victim receives warnings from both Adobe Reader and Microsoft Word during the infection process.

So why do we continue to see this malspam on a near-daily basis? I suppose as long as it's profitable for the criminals behind it, we'll continue to see this type of malspam. If anyone knows someone who's been infected with Jaff ransomware, feel free to share your story in the comments section.

Emails, malware samples, and pcaps associated with the 2017-05-23 Jaff ransomware malspam can be found here.

---
Brad Duncan
brad [at] malware-traffic-analysis.net

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

What did we Learn from WannaCry? - Oh Wait, We Already Knew That!, (Tue, May 23rd)

23 May 2017

In the aftermath of last week's excitement over the WannaCry malware, I've had a lot of "lessons learned" meetings with clients. The results are exactly what you'd expect, but in some cases came as a surprise to the organizations we met with.
There was a whole outcry about not "victim shaming" during and after this outbreak, and I get that, but in most cases infections were process failures that the IT group didn't know they had. These lessons learned sessions have contributed to improving the situation at many organizations.

The short list is below - affected companies had one or more of the following issues:

1/ Patch
Plain and simple, when vendor patches come out, apply them. In a lot of cases, Patch Tuesday means Reboot Wednesday for a lot of organizations, or worst case Reboot Saturday. If you don't have a "test the patches" process, then in a lot of cases simply waiting a day or two (to let all the early birds test them for you) will do the job. If you do have a test process, in today's world it truly needs to take 7 days or less.
There are some hosts that you won't be patching. The million dollar MRI machine, the IV pump or the 20 ton punch press in the factory, for instance. But you know about those, and you've segmented them away (in an appropriate way) from the internet and your production assets. This outbreak wasn't about those assets; what got hammered by Wannacry was the actual workstations and servers, the hospital stations in admitting and the emergency room, the tablet that the nurse enters your stats into and so on. Normal user workstations that either weren't patched, or were still running Windows XP.

That being said, there are always some hosts that can be patched, but can't be patched regularly. The host that's running active military operations, for instance, or the host that's running the call center for flood/rescue operations, e-health or a suicide hotline. But you can't just give up on those - in most cases there is redundancy in place so that you can update half of those clusters at a time. If there isn't, you do still need to somehow get them updated on a regular schedule.

Lesson learned? If your patch cycle is longer than a week, in today's world you need to revisit your process and somehow shorten it up. Document your exceptions, put something in place to mitigate that risk (network segmentation is a common one), and get Sr Management to sign off on the risk and the mitigation.

2/ Unknown Assets are waiting to Ambush You

A factor in this last attack was hosts that weren't in IT's inventory. In my group of clients, what this meant was hosts controlling billboards or TVs running ads in customer service areas (the menu board at the coffee shop, the screen telling you about retirement funds where you wait in line at the bank and so on). If this had been a Linux worm, we'd be talking about projectors, TVs and access points today.

One and all, I pointed those folks back to the Critical Controls list (https://www.cisecurity.org/controls/). In plain English, the first item is "know what's on your network" and the second item is "know what is running on what's on your network".

If you don't have a complete picture of these two, you will always be exposed to whatever new malware (or old malware) tests the locks at your organization.

3/ Watch the News.
.... And I don't mean the news on TV. Your vendors (in this case Microsoft) have news feeds, and there are a ton of security-related news sites, podcasts and feeds (this site is one of those, our StormCast podcast is another). Folks that watch the news knew about this issue starting back in 2015, when Microsoft started advising us to disable SMB1, then again last year (2016) when Microsoft posted their "We're Pleading with you, PLEASE disable SMB1" post. We knew specifically about the vulnerabilities used by Wannacry in January when the Shadowbrokers dump happened, we knew again when the patches were released in March, and we knew (again, much more specifically) when those tools went live in April. In short, we were TOLD that this was coming; by the time this was on the TV media, this was very old news.

4/ Segment your network, use host firewalls
In most networks, workstation A does not need SMB access to workstation B. Neither of them needs SMB access to the mail server or the SQL host. They do need that access to the SMB-based shares on the file and print servers though. If you must have SMB version 1 at all, then you have some other significant issues to look at.
Really what this boils down to is the Critical Controls again. Know what services are needed by whom, and permit that. Set up deny rules on the network or on host firewalls for the things that people don't need - or best case, set up denies for everything else. I do realize that this is not 100% practical. For instance, denying SMB between workstations is a tough one to implement, since most admin tools need that same protocol. Many organizations only allow SMB to workstations from server or management subnets, and that seems to work really nicely for them. It's tough to get sign-off on that sort of restriction; management often will see this as a drastic measure.

Disabling SMB1 should have happened months ago, if not year(s) ago.

5/ Have Backups
Many clients found out *after* they were infected by Wannacry that their users were storing data locally. Don't be that company - either enforce central data storage, or make sure your users' local data is backed up somehow. Getting users to sign off that their local data is ephemeral only, that it's not guaranteed to be there after a security event, is good advice, but after said security event IT generally finds out that even with that signoff, everyone in the organization still holds them responsible.

All too often, backups fall on the shoulders of the most Jr staff in IT. Sometimes that works out really well, but all too often it means that backups aren't tested, restores fail (we call that "backing up air"), or critical data is missed.

Best just to back up your data (all your data) and be done with it.

6/ Have a Plan

You can't plan for everything, but everyone should have had a plan for the aftermath of Wannacry. The remediation for this malware was the classic "nuke from orbit" - wipe the workstations' drives, re-image and move on. This process should be crystal-clear, and the team of folks responsible to deliver on this plan should be similarly clear.

I had a number of clients who even a week after infection were still building their recovery process, while they were recovering. If you don't have an Incident Response Plan that includes widespread workstation re-imaging, it's likely time to revisit your IR plan!

7/ Security is not an IT thing
Security of the assets of the company is not just an IT thing, it's a company thing. Sr Management doesn't always realize this, but this week is a good time to reinforce this concept. Failing at securing your workstations, servers, network and especially your data can knock a company offline, either for hours, days, or forever. Putting this on the shoulders of the IT group alone isn't fair, as the budget and staffing approvals for this responsibility are often out of their hands.

Looking back over this list, it comes down to: Patch, Inventory, Keep tabs on Vendor and Industry news, Segment your network, Backup, and have an IR plan. No shame and no finger-pointing, but we've all known this for 10-15-20 years (or more) - this was stuff we did in the 80s back when I started, and we've been doing since the 60s. This is not a new list - we've been at this 50 years or more, we should know this by now. But from what was on TV this past week, I guess we need a refresher?

Have I missed anything? Please use our comment form if we need to add to this list!

===============
Rob VandenBrink
Compugen


ISC Stormcast For Tuesday, May 23rd 2017 https://isc.sans.edu/podcastdetail.html?id=5512, (Tue, May 23rd)

23 May 2017



Investigating Sites After They are Gone; And a Case of Uber Phishing With SSL, (Mon, May 22nd)

22 May 2017

A reader sent us an interesting find of a phishing site that is going after Uber credentials. Uber credentials are often stolen and resold to obtain free rides. One way they are stolen is phishing. The latest example uses convincing-looking Uber receipt emails. These emails feature a prominent link to uberdisputes.com.

Uberdisputes.com then requests the user's Uber credentials to log in. Overall, the site uses the expected Uber layout. But more: the site uses a valid SSL certificate.

Turns out that the site was hosted behind a Cloudflare proxy. Cloudflare does issue free SSL certificates, and just like most certificate authorities, it only requires proof of domain ownership to obtain this service. This does make it more difficult to distinguish a fake site from the real thing.

Now by the time I started to investigate this, the original site was already taken down. But there was still some evidence left to see what happened. First of all, passive DNS databases did record the IP address of the site, which pointed to Cloudflare. Secondly, when searching certificate transparency logs, it was clear that a certificate for this site was issued to Cloudflare. Like all Cloudflare certificates, the certificate was valid for a long list of hostnames hosted by Cloudflare. Sadly, it looks like whois history sites like Domaintools have no record of the site, so we do not know exactly when it was registered, but likely just before the domain started to get used.

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute


ISC Stormcast For Monday, May 22nd 2017 https://isc.sans.edu/podcastdetail.html?id=5510, (Mon, May 22nd)

22 May 2017


Typosquatting: Awareness and Hunting, (Sat, May 20th)

20 May 2017

Typosquatting has been used for years to lure victims: you receive an email or visit a URL with a domain name which looks like the official one. Typosquatting is the art of swapping, replacing, adding or omitting some letters to make a domain look like the official one. The problem is that the human brain will automatically correct what you see, and you think that you are visiting the right site. I remember that the oldest example of typosquatting that I saw was mircosoft.com. Be honest, at first you read microsoft.com, right? This domain was registered in 1997 but it has been taken back by Microsoft for a while. The longer your domain name, the more combinations of letters are available to generate fake domains. Sometimes it's difficult to detect rogue domains due to the font used to display them: an l looks like a 1, or a 0 looks like an O.

Yesterday, I found a nice phishing email related to DHL (the worldwide courier company). The message was classic: DHL claims that somebody passed by your home and nobody was present. But this time, it was not a simple phishing page trying to collect credentials; there was a link to a ZIP file. The archive contained a malicious HTA file that downloaded a PE file[1] and executed it. Let's put the malware aside and focus on the domain name that was used: dhll.com (with a double L).

A quick check reveals that this domain is fortunately owned by DHL (not DHL Express but Deutsche Post DHL):

    Domain Name: dhll.com
    Registry Domain ID: 123181256_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2016-09-23T04:00:10-0700
    Creation Date: 2004-06-22T00:00:00-0700
    Registrar Registration Expiration Date: 2017-06-22T00:00:00-0700
    Registrar: MarkMonitor, Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
    Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
    Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
    Registry Registrant ID:
    Registrant Name: Deutsche Post AG
    Registrant Organization: Deutsche Post AG
    Registrant Street: Charles-de-Gaulle-Strasse 20
    Registrant City: Bonn
    Registrant State/Province: -
    Registrant Postal Code: 53113
    Registrant Country: DE
    Registrant Phone: +49.22818296701
    Registrant Phone Ext:
    Registrant Fax: +49.22818296798
    Registrant Fax Ext:
    Registrant Email: domains@deutschepost.de
    Registry Admin ID:
    Admin Name: Domain Administrator
    Admin Organization: Deutsche Post AG
    Admin Street: Charles-de-Gaulle-Strasse 20
    Admin City: Bon
    Admin State/Province: -
    Admin Postal Code: 53113
    Admin Country: DE
    Admin Phone: +49.22818296701
    Admin Phone Ext:
    Admin Fax: +49.22818296798
    Admin Fax Ext:
    Admin Email: admincontact.domain@deutschepost.de
    Registry Tech ID:
    Tech Name: Technical Administrator
    Tech Organization: DHL
    Tech Street: 8701 East Hartford Drive
    Tech City: Scottsdale
    Tech State/Province: AZ
    Tech Postal Code: 85255
    Tech Country: US
    Tech Phone: +1.4089616666
    Tech Phone Ext:
    Tech Fax: -
    Tech Fax Ext:
    Tech Email: netmaster@dhl.com
    Name Server: ns4.dhl.com
    Name Server: ns6.dhl.com
    DNSSEC: unsigned

The zone dhll.com is also hosted on the DHL name servers. It's a good point that DHL registered potentially malicious domains but... if you do this, don't only park the domain; go further and really use it! It's not because the domain has been registered by the official company that bad guys cannot abuse it to send spoofed emails.

First point: dhll.com and www.dhll.com do not resolve to an IP address. If you register such domains, create a website, make them point to it and log who's visiting the fake page. You can display an awareness message or just redirect to the official site. This will also prevent your customers from landing on a potentially malicious site and improve their experience with you.

The second point is related to the MX records. No MX records were defined for the dhll.com domain. Like with the web traffic, build a spam trap to collect all messages that are sent to *@dhll.com. By doing this, you will capture potentially interesting traffic and you will be able to detect if the domain is used in a campaign (e.g. you will catch all the non-delivery receipts in the spam trap).

Finally, add an SPF[2] record for the domain. This will reduce the amount of spam and phishing campaigns.

To conclude, registering domain names derived from your company's name is the first step, but don't just park them: use them for hunting and awareness!

A quick reminder about the tool dnstwist[3], which is helpful for this kind of hunting:

    # docker run -it --rm jrottenberg/dnstwist --ssdeep --mxcheck --geoip dhl.com
         _           _            _     _
      __| |_ __  ___| |___      _(_)___| |_
     / _` | '_ \/ __| __\ \ /\ / / / __| __|
    | (_| | | | \__ \ |_ \ V  V /| \__ \ |_
     \__,_|_| |_|___/\__| \_/\_/ |_|___/\__| {1.01}

    Fetching content from: http://dhl.com ... 200 OK (396.3 Kbytes)
    Processing 56 domain variants ................ 48 hits (85%)

    Original*      dhl.com      199.40.253.33/United States NS:ns4.dhl.com MX:mx1.dhl.iphmx.com SSDEEP:100%
    Bitsquatting   ehl.com      45.33.14.247 NS:pdns03.domaincontrol.com MX:smtp.secureserver.net
    Bitsquatting   fhl.com      -
    Bitsquatting   lhl.com      -
    Bitsquatting   thl.com      50.57.5.162/United States NS:dns1.name-services.com MX:us-smtp-inbound-1.mimecast.com
    Bitsquatting   dil.com      72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost
    Bitsquatting   djl.com      117.18.11.145/Hong Kong NS:ns1.monikerdns.net
    Bitsquatting   dll.com      68.178.254.85/United States NS:ns43.domaincontrol.com MX:smtp.secureserver.net
    Bitsquatting   dxl.com      69.74.234.98/United States NS:ns59.worldnic.com SPYING-MX:dxl-com.mail.protection.outlook.com
    Bitsquatting   dhm.com      192.241.215.84/United States NS:ns19.worldnic.com MX:dhm.com
    Bitsquatting   dhn.com      62.129.139.241/Netherlands NS:pdns07.domaincontrol.com MX:smtp.secureserver.net
    Bitsquatting   dhh.com      103.241.230.134/India NS:dns1.iidns.com
    Bitsquatting   dhd.com      NS:ns-west.cerf.net MX:dhd-com.mail.protection.outlook.com
    Homoglyph      bhl.com      206.188.192.219/United States NS:ns79.worldnic.com SPYING-MX:bhl-com.mail.protection.outlook.com
    Homoglyph      dhi.com      199.36.188.56/United States NS:ns10.dnsmadeeasy.com
    Homoglyph      clhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Homoglyph      dlhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Homoglyph      dihl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Homoglyph      dh1.com      208.91.197.27/Virgin Islands NS:ns43.worldnic.com SPYING-MX:p.webcom.ctmail.com
    Hyphenation    d-hl.com     104.24.124.134/United States 2400:cb00:2048:1::6818:7c86 NS:fiona.ns.cloudflare.com MX:mx1.emailowl.com
    Hyphenation    dh-l.com     72.52.4.119/United States NS:ns1.sedoparking.com MX:localhost
    Insertion      duhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dhul.com     82.194.88.4/Spain NS:ns1.dominioabsoluto.com
    Insertion      djhl.com     47.89.24.50/Canada NS:f1g1ns1.dnspod.net
    Insertion      dhjl.com     -
    Insertion      dnhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dhnl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dbhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dhbl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dghl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dhgl.com     209.61.212.161/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Insertion      dyhl.com     NS:dns17.hichina.com MX:mxbiz1.qq.com
    Insertion      dhyl.com     -
    Omission       dl.com       104.247.212.218 NS:ns1.gridhost.com SPYING-MX:mail.b-io.co
    Omission       dh.com       54.204.28.210/United States NS:a5-67.akam.net SPYING-MX:mx1.dhltd.iphmx.com
    Omission       hl.com       107.154.105.117/United States NS:ns57.domaincontrol.com MX:mail0.hl.com
    Repetition     ddhl.com     180.149.253.156/Hong Kong NS:ns11.domaincontrol.com SPYING-MX:ddhl-com.mail.protection.outlook.com
    Repetition     dhll.com     -
    Repetition     dhhl.com     209.61.212.154/United States NS:ns1.dnsnameservice.com MX:smtp.getontheweb.com
    Replacement    rhl.com      107.161.31.165/United States NS:ns1.hungerhost.com MX:mx.spamexperts.com
    Replacement    chl.com      216.222.148.100 NS:nameserver.ttec.com MX:smtp2.mx.ttec.com
    Replacement    xhl.com      69.172.201.153/United States NS:ns1.uniregistrymarket.link
    Replacement    shl.com      69.171.27.23/United States NS:eu-sdns-01.shl.com SPYING-MX:mxa-0016ba01.gslb.pphosted.com
    Replacement    dul.com      62.129.139.241/Netherlands NS:pdns01.domaincontrol.com MX:smtp.secureserver.net
    Replacement    dnl.com      -
    Replacement    dbl.com      198.173.111.6/United States NS:ns53.worldnic.com SPYING-MX:p.webcom.ctmail.com
    Replacement    dgl.com      216.107.145.5 NS:ns62.downtownhost.com MX:dgl.com
    Replacement    dyl.com      99.198.109.164/United States NS:ns-1768.awsdns-29.co.uk MX:mail.dyl.com
    Replacement    dhk.com      98.191.212.87/United States NS:ns1.dhk.com MX:dhk.com.us.emailservice.io
    Replacement    dho.com      75.126.101.248/United States NS:ns1bqx.name.com
    Replacement    dhp.com      199.4.150.5/United States NS:dhp.com MX:mailhub.dhp.com
    Subdomain      d.hl.com     -
    Subdomain      dh.l.com     -
    Transposition  hdl.com      216.51.232.170/United States NS:ns1.systemdns.com MX:aspmx.l.google.com
    Transposition  dlh.com      212.130.57.148/Denmark NS:ns1.ascio.net SPYING-MX:mail.dlh.com
    Various        wwwdhl.com   199.41.238.47/United States NS:ns.deutschepost.de
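As an added example (written for this page, not dnstwist's own code and not part of the diary), the block below generates look-alike variants of a domain in the same categories dnstwist prints above (bitsquatting, homoglyph, hyphenation, insertion, omission, repetition, replacement, transposition) and then checks which of them resolve, so you can decide which ones to register yourself and which ones to watch. The homoglyph table and keyboard-neighbour model are simplified assumptions, `variants` and `hunt` are names chosen here, and DNS resolution is injected as a function so the example runs offline against a constructed answer set.

```python
# Added example: generate typosquatting variants of a domain per category and
# report the ones that resolve. Simplified model, not dnstwist's tables.
import string

ALLOWED = set(string.ascii_lowercase + string.digits + "-")
# Confusion table (assumption): the l/1 and 0/o cases the diary mentions plus
# a few multi-character look-alikes such as cl for d and rn for m.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "0": ["o"],
              "d": ["cl", "b"], "h": ["lh", "ih"], "m": ["rn"], "w": ["vv"]}
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def neighbours(ch):
    """Keys immediately left and right of ch on the same qwerty row."""
    for row in QWERTY_ROWS:
        i = row.find(ch)
        if i >= 0:
            return set(row[max(0, i - 1):i] + row[i + 1:i + 2])
    return set()


def bitsquatting(name):
    """Single bit flips of one character that still give a legal hostname char."""
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            c = chr(ord(ch) ^ (1 << bit))
            if c in ALLOWED:
                out.add(name[:i] + c + name[i + 1:])
    return out


def homoglyph(name):
    return {name[:i] + g + name[i + 1:]
            for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, [])}


def hyphenation(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def insertion(name):
    out = set()
    for i, ch in enumerate(name):
        for n in neighbours(ch):
            out.add(name[:i] + n + name[i:])          # neighbour typed before ch
            out.add(name[:i + 1] + n + name[i + 1:])  # neighbour typed after ch
    return out


def omission(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def repetition(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def replacement(name):
    return {name[:i] + n + name[i + 1:]
            for i, ch in enumerate(name) for n in neighbours(ch)}


def transposition(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1)}


GENERATORS = [("bitsquatting", bitsquatting), ("homoglyph", homoglyph),
              ("hyphenation", hyphenation), ("insertion", insertion),
              ("omission", omission), ("repetition", repetition),
              ("replacement", replacement), ("transposition", transposition)]


def valid_label(label):
    return (bool(label) and label == label.strip("-") and "--" not in label
            and set(label) <= ALLOWED)


def variants(domain):
    """{category: sorted variant domains}; each variant is reported under the
    first category that produces it, as dnstwist does."""
    name, _, tld = domain.lower().partition(".")
    if not name or not tld:
        raise ValueError("expected a name.tld domain")
    seen, result = {name}, {}
    for cat, gen in GENERATORS:
        fresh = sorted(v for v in gen(name) if valid_label(v) and v not in seen)
        seen.update(fresh)
        if fresh:
            result[cat] = [v + "." + tld for v in fresh]
    return result


def hunt(domain, resolve):
    """{variant: (category, ip)} for the variants that resolve. resolve(host)
    returns an IP string or None; for a live run wrap socket.gethostbyname in
    a try/except, for an offline run pass a dict's .get as below."""
    found = {}
    for cat, names in variants(domain).items():
        for host in names:
            ip = resolve(host)
            if ip:
                found[host] = (cat, ip)
    return found


# Constructed answer set for the offline run (RFC 5737 test addresses).
CONSTRUCTED_DNS = {"dlh.com": "203.0.113.10", "hdl.com": "198.51.100.7"}

if __name__ == "__main__":
    for cat, names in variants("dhl.com").items():
        print(f"{cat:14} {' '.join(names)}")
    print("resolving:", hunt("dhl.com", CONSTRUCTED_DNS.get))
```

For dhl.com the bitsquatting and homoglyph sets come out identical to the twelve and six entries in the dnstwist listing above, which is a useful cross-check of the model; the insertion and replacement sets differ because the keyboard-neighbour table here is deliberately small. The variants that do not resolve are the ones worth registering, and the ones that do resolve and are not yours belong in a watchlist (passive DNS, certificate transparency, the spam trap described above).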

[1]https://www.virustotal.com/en/file/f438ba968d6f086183f3ca86c3c1330b4c933d97134cb53996eb41e4eceecf53/analysis/
[2]https://support.google.com/a/answer/33786?hl=en
[3]https://github.com/elceef/dnstwist

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key


ISC Stormcast For Friday, May 19th 2017 https://isc.sans.edu/podcastdetail.html?id=5508, (Fri, May 19th)

19 May 2017


My Little CVE Bot, (Thu, May 18th)

18 May 2017

The massive spread of the WannaCry ransomware last Friday was another good proof that many organisations still fail to patch their systems. Everybody admits that patching is a boring task. There are many constraints that make this process very difficult to implement and... apply! That's why any help is welcome to know what to patch and when. This is the key:

  • What to patch? What are the applications/appliances that are deployed in your infrastructure?
  • When to patch? When are new vulnerabilities discovered?

The classification of vulnerabilities is based on the CVE (or Common Vulnerabilities and Exposures) standard maintained by mitre.org[1]. To explain briefly, when a security researcher or a security firm finds a new vulnerability, a CVE number is assigned to it (CVE-YYYY-NNNNN). The CVE contains all the details of the vulnerability (which application/system is affected, the severity and much more information). As an example, the vulnerability exploited by WannaCry was CVE-2017-0143.

Those CVEs are stored in open databases, and many organisations use them to provide online services like cvedetails.com[2]. There are plenty of them that offer almost all the same features, but they don't...

Based on cve-search, I can provide details about new CVEs to my customers or any other organisations just by querying the database. Indeed, reading the daily flow of CVEs is difficult and useless for many people. They have to focus on what affects them. To help them, I'm using a quick script driven by a config file with the following line format:

    email_contact | days_to_check | output_format | product_definition [ | product_definition ] ...

The script will parse this config file and search for new CVE for each product definition. Results will be sent via email to the specified address.

Of course, the main requirement is to know what you are using in your infrastructure. The information used in the config file to describe the products is based on the CPE standard[6], which categorises applications, operating systems and hardware devices. This information can be found with Nmap. An alternative is to use the following tool on your own network (only!): cve-scan[7]. It scans hosts and searches for vulnerabilities in the cve-search database.

My script is available on my GitHub repository[5].
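
As an added illustration (this is not the diary's script from the toolbox repository, just a stand-alone sketch of the same idea), the following Python parses one line of the config format described above and reports the CVEs published inside the requested window that touch a watched product. Everything beyond the pipe-separated field order is an assumption: product definitions are treated as CPE 2.2 URI prefixes (cpe:/part:vendor:product[:version]), the CVE records are a constructed stand-in for cve-search documents, the CVE ids are placeholders, and the output formats are limited to "text" and "json".

```python
# Added example, not the diary author's script. Parses one line of
#   email_contact | days_to_check | output_format | product_definition [ | product_definition ] ...
# and reports CVEs published within the window that affect a watched product.
# Assumptions (not from the page): product definitions are CPE 2.2 URI
# prefixes, the CVE records below are a constructed stand-in for cve-search
# documents, and output_format is limited to "text" or "json".
from dataclasses import dataclass
from datetime import date, timedelta
import json
from typing import List


@dataclass
class CveRecord:
    cve_id: str          # constructed placeholder ids below, not real CVEs
    published: date
    cpes: List[str]      # affected products as CPE 2.2 URIs (assumed shape)
    summary: str


@dataclass
class WatchConfig:
    email_contact: str
    days_to_check: int
    output_format: str
    products: List[str]  # CPE prefixes to watch (assumed shape)


ALLOWED_FORMATS = ("text", "json")   # assumption: the diary does not list them


def parse_config_line(line: str) -> WatchConfig:
    """Split a pipe-separated config line and validate every field, so a
    malformed line fails loudly instead of silently watching nothing."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) < 4:
        raise ValueError("need email | days | format | at least one product")
    email, days, fmt, *products = fields
    if "@" not in email:
        raise ValueError(f"not an e-mail address: {email!r}")
    days_int = int(days)             # raises ValueError on garbage
    if days_int <= 0:
        raise ValueError("days_to_check must be a positive integer")
    if fmt not in ALLOWED_FORMATS:
        raise ValueError(f"unknown output_format {fmt!r}")
    bad = [p for p in products if not p.startswith("cpe:/")]
    if bad:
        raise ValueError(f"not CPE 2.2 URIs: {bad}")
    return WatchConfig(email, days_int, fmt, products)


def product_matches(prefix: str, cpe: str) -> bool:
    """Component-wise prefix match: 'cpe:/a:openbsd:openssh' covers every
    openssh version but not 'cpe:/a:openbsd:opensshd' (a plain string
    startswith() would wrongly match the latter)."""
    want = prefix.rstrip(":").split(":")
    have = cpe.split(":")
    return have[:len(want)] == want


def new_cves_for(cfg: WatchConfig, cves: List[CveRecord], today: date) -> List[CveRecord]:
    """Return CVEs published in the last days_to_check days that touch any
    watched product, newest first."""
    cutoff = today - timedelta(days=cfg.days_to_check)
    hits = [
        rec for rec in cves
        if rec.published >= cutoff
        and any(product_matches(p, c) for p in cfg.products for c in rec.cpes)
    ]
    return sorted(hits, key=lambda r: r.published, reverse=True)


def render_report(cfg: WatchConfig, hits: List[CveRecord]) -> str:
    """Body of the e-mail that would go to cfg.email_contact."""
    if cfg.output_format == "json":
        return json.dumps([{"id": h.cve_id, "published": h.published.isoformat(),
                            "summary": h.summary} for h in hits])
    lines = [f"New CVEs for {', '.join(cfg.products)} (last {cfg.days_to_check} days):"]
    lines += [f"  {h.cve_id}  {h.published}  {h.summary}" for h in hits] or ["  none"]
    return "\n".join(lines)


# Constructed sample data: placeholder CVE ids and a fixed "today".
SAMPLE_CONFIG_LINE = "soc@example.com | 7 | text | cpe:/a:openbsd:openssh | cpe:/o:microsoft:windows_7"
TODAY = date(2017, 5, 18)
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", date(2017, 5, 16), ["cpe:/a:openbsd:openssh:7.4"], "openssh issue (constructed)"),
    CveRecord("CVE-0000-0002", date(2017, 4, 1), ["cpe:/a:openbsd:openssh:7.2"], "too old for a 7-day window"),
    CveRecord("CVE-0000-0003", date(2017, 5, 17), ["cpe:/o:microsoft:windows_7:-:sp1", "cpe:/o:microsoft:windows_10"], "windows issue (constructed)"),
    CveRecord("CVE-0000-0004", date(2017, 5, 17), ["cpe:/a:openbsd:opensshd:1.0"], "similar name, different product"),
]

if __name__ == "__main__":
    cfg = parse_config_line(SAMPLE_CONFIG_LINE)
    print(render_report(cfg, new_cves_for(cfg, SAMPLE_CVES, TODAY)))
```

The component-wise CPE match is the part worth copying: matching on the raw string would make a watch on openssh fire for any product whose name merely starts with "openssh", while a component match only fires for the vendor/product pair you actually deploy, which keeps the daily mail short enough that people read it.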

[1]https://cve.mitre.org
[2]http://www.cvedetails.com/
[3]https://github.com/cve-search/cve-search
[4]https://hub.docker.com/r/rootshell/cvesearch/
[5]https://github.com/xme/toolbox
[6]http://cpe.mitre.org/
[7]https://github.com/NorthernSec/cve-scan

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

ISC Stormcast For Thursday, May 18th 2017 https://isc.sans.edu/podcastdetail.html?id=5506, (Thu, May 18th)

18 May 2017


Sophos

News in brief: Dubai launches its first robocops; Samsung woes over iris recognition; IoT security criticised

23 May 2017

Your daily round-up of some of the other stories in the news

Digital watermark leads police straight to Bollywood pirates

23 May 2017

Digital signing led police to the would-be extortionists - a welcome turnaround for the movie industry after a run of thefts

Man jailed for stealing images and details from more than 50 women

23 May 2017

When someone like this is caught and jailed it's a sobering reminder to check our own digital footprint - here are some tips to help you secure your information

Warning after WannaCry sets off fake BT phishing attack

23 May 2017

It's a sad fact that we end up seeing warnings about warnings in the aftermath of a major cybersecurity event

News in brief: Bitcoin price bubbles up; Uber uses AI to boost its take; WannaCry ‘hero’ censures tabloids

22 May 2017

Your daily round-up of some of the other stories in the news

Yes, Geek Squad can search your files and hand you over to the police

22 May 2017

Judge rules images found on a defendant's hard drive inadmissible - but bats away contention that he had an expectation of privacy when he passed his PC to Geek Squad

After WannaCry, EternalRocks digs deeper into the NSA’s exploit toolbox

22 May 2017

WannaCry may be behind us, but fears that the crooks might create new malware from the NSA's stash of exploits seem to be coming true

Judge demands cellphone passwords from social media star

22 May 2017

Hencha Voigt and her partner Wesley Victor were unable to unlock their phones despite the judge's order - and the case highlights some inconsistencies in the law

GDPR is just a year away: here’s what you need to know

22 May 2017

Time is running out - are you ready for GDPR? We've got some guidance for you

What does Twitter think you’re interested in? Now you can find out

22 May 2017

Twitter has tweaked its settings so that you can see what it thinks you're interested in so that advertisers can target you


TrendMicro

Android Security Bulletin Tackles Additional Critical Mediaserver Issues

19 May 2017

Google released their security bulletin for May, which once again tackles Critical vulnerabilities in Android’s Mediaserver component, a prevailing theme for the past few bulletins.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Will Astrum Fill the Vacuum in the Exploit Kit Landscape?

18 May 2017

The decline of exploit kit activity—particularly from well-known exploit kits like Magnitude, Nuclear, Neutrino, and Rig during the latter half of 2016—doesn’t mean exploit kits are throwing in the towel just yet. This is the case with Astrum (also known as Stagano), an old and seemingly reticent exploit kit we observed to have been updated multiple times as of late.

Astrum’s recent activities feature several upgrades and shows how it's starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.

After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit

17 May 2017

WannaCry ransomware’s outbreak during the weekend was mitigated by having its kill switch domain registered. It was only a matter of time, however, for other cybercriminals to follow suit. Case in point: the emergence of UIWIX ransomware (detected by Trend Micro as RANSOM_UIWIX.A) and one notable Trojan our sensors detected.

Massive WannaCry/Wcry Ransomware Attack Hits Various Countries

12 May 2017

Earlier this year, two separate security risks were brought to light: CVE-2017-0144, a vulnerability in the SMB Server that could allow remote code execution that was fixed in March, and WannaCry/Wcry, a relatively new ransomware family that spread via Dropbox URLs in late April. These two threats have now been combined, resulting in one of the most serious ransomware attacks to hit users across the globe.

PUA Operation Spreads Thousands of Explicit Apps in the Wild and on Legitimate App Stores

12 May 2017

One of the most popular ways to make money online is through pornography—whether through legitimate distribution or different online scams. Last year we detected a new variant of the Marcher Trojan targeting users through porn sites, and the year before that popular porn apps were used as lures to compromise millions of mobile users in...

Microsoft Addresses Zero-Day Vulnerability Ahead of Patch Tuesday

10 May 2017

Microsoft addresses a zero-day vulnerability that exploits the Microsoft Malware Protection Engine before May's Patch Tuesday.

Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras

09 May 2017

A new Internet of Things (IoT) botnet called Persirai has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

iPhone Phishing Scam Crosses Over Physical Crime

05 May 2017

Late last April a friend of mine had his iPhone stolen in the streets—an unfortunately familiar occurrence in big, metropolitan areas in countries like Brazil. He managed to buy a new one, but kept the same number for convenience. Nothing appeared to be out of the ordinary at first—until he realized the thief had changed his Facebook password.

Fortunately, he was able to recover and update it, as his phone number was tied to his Facebook account. But a pickpocket accessing his victim’s Facebook account is quite unusual. After all, why would a crook be interested in his victim’s Facebook account when the goal is usually to use or sell the stolen device? It didn’t stop there; a day later, my friend curiously received a phishing SMS message on his new phone.

What’s interesting here is the blurred line between traditional felony and cybercrime—in particular, the apparent teamwork between crooks and cybercriminals that results in further—possibly more sophisticated—attacks.

Compromising Industrial Robots: The Fallacy of Industrial Routers in the Industry 4.0 Ecosystem

03 May 2017

The increased connectivity of computer and robot systems in the Industry 4.0 ecosystem is, and will be, exposing robots to cyber attacks in the future. Indeed, industrial robots—originally conceived to be isolated—have evolved, and are now exposed to corporate networks and the internet.

While this provides synergy effects and higher efficiency in production, the security posture is not on par. In our latest report Rogue Robots: Testing the Limits of an Industrial Robot’s Security we analyzed how easily an industrial-grade robot could actually be “hacked”. We demonstrated how easily an attacker is able to alter an industrial robot’s accuracy without changing the program code, so that minor defects can be (maliciously) introduced into work pieces. Needless to say, defective products can have repercussions on the production floor and, depending on the security and QA practices of the target factory, may have some financial consequences down the line.

Cerber Version 6 Shows How Far the Ransomware Has Come (and How Far it’ll Go)

02 May 2017

Cerber set itself apart from other file-encrypting malware when its developers commoditized the malware, adopting a business model where fellow cybercriminals can buy the ransomware as a service. The developers earn through commissions—as much as 40%—for every ransom paid by the victim. Coupled with persistence, Cerber turned into a cybercriminal goldmine that reportedly earned its developers $200,000 in commissions in a month alone last year.

Being lucrative and customizable for affiliates, it’s no wonder that Cerber spawned various iterations. Our coverage of unique Cerber samples—based on feedback from Smart Protection Network™—shows enterprises and individual users alike are taking the brunt, with the U.S. accounting for much of Cerber’s impact. We’ve also observed Cerber’s adverse impact among organizations in education, manufacturing, public sector, technology, healthcare, energy, and transportation industries.

A reflection of how far Cerber has come in the threat landscape—and how far it’ll go—is Cerber Version 6, the ransomware’s latest version we’ve uncovered and monitored since early April this year. It sports multipart arrival vectors and refashioned file encryption routines, along with defense mechanisms that include anti-sandbox and anti-AV techniques.


Kaspersky

IT threat evolution Q1 2017. Statistics

22 May 2017

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world. File antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

IT threat evolution Q1 2017

19 May 2017

We’ve become accustomed to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

WannaCry and Lazarus Group – the missing link?

15 May 2017

Moments ago, Neel Mehta, a researcher at Google, posted a mysterious message on Twitter. The cryptic message in fact refers to similarity between samples that share code. The two samples Neel refers to are a WannaCry cryptor sample and a Lazarus APT group sample.

WannaCry FAQ: What you need to know today

15 May 2017

Friday May 12th marked the start of the dizzying madness that has been ‘WannaCry’, the largest ransomware infection in history. Defenders have been running around trying to understand the malware’s capabilities. In the process, a lot of wires have gotten crossed and we figured it’s time to sit down and set the record straight on what we know, what we wish we knew, and what the near future might hold for us going forward.

Ztorg: money for infecting your smartphone

15 May 2017

This research started when we discovered an infected Pokémon GO guide in Google Play. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.

BSides Denver 2017

13 May 2017

Everyone loves a decent security conference, and BSides Denver provides one with space to breathe. Folks in sunny Colorado looking for a fine local gathering found talks on advanced social engineering, APT herding, securing smart cities and more.

WannaCry ransomware used in widespread attacks all over the world

12 May 2017

Earlier today, our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames. Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows.

DDOS attacks in Q1 2017

11 May 2017

Although the first quarter of 2017 was rather quiet compared to the previous reporting period, there were a few interesting developments. Despite the growing popularity of IoT botnets, Windows-based bots accounted for 59.81% of all attacks. Meanwhile, complex attacks that can only be repelled with sophisticated protection mechanisms are becoming more frequent.

False Positives: Why Vendors Should Lower Their Rates and How We Achieved the Best Results

10 May 2017

In pursuit of a high cyberthreat detection rate, some developers of cybersecurity solutions neglect the subject of false positives, and unfairly so. Regretfully, only then does the idea dawn on these developers that high-quality protection from cyberthreats involves not only prevention but also a low false-positive rate.

Clash of Greed

04 May 2017

Yet, the more popular a game is, the higher the probability that fraudsters will be looking to make a fortune on that popularity by, for example, organizing phishing attacks on the player base. Those phishing attacks, though always quite similar in their nature, are very competently planned.


ThreatPost

Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution

23 May 2017

Attackers can remotely execute code on targeted systems via specially crafted subtitle files for videos.

Google Elevates Security in Android O

23 May 2017

Android O, due in the third quarter, figures to elevate the security of the mobile OS with new features focused on improved third-party patching, a new permission model and hardening of existing features.

Yahoo Retires ImageMagick After Bugs Leak Server Memory

23 May 2017

Researcher Chris Evans reported a new bug and showed how he also used a previously known flaw in ImageMagick to leak Yahoo server data and steal images and authentication secrets.

Apple Receives First National Security Letter, Reports Spike in Requests for Data

23 May 2017

Apple revealed this week that it received at least one National Security Letter from the U.S. government for user data during the last six months of 2016

Trump’s Cybersecurity Boss Talks Priorities

22 May 2017

The country's top cybersecurity boss said the country is headed the wrong way when it comes to cybersecurity.

Verizon Patches XSS Issues in its Messaging Client

22 May 2017

Late last year Verizon patched persistent DOM-based cross-site scripting vulnerabilities in its Message+ messaging client that could allow an attacker to control a user's session.

EternalRocks Worm Spreads Seven NSA SMB Exploits

22 May 2017

A worm called EternalRocks has been spreading seven Windows SMB exploits leaked by the ShadowBrokers, including EternalBlue, which was used to spread WannaCry.

Jaya Baloo on WannaCry and Defending Against Advanced Attacks

22 May 2017

Jaya Baloo, CISO of KPN, the Netherlands’ leading telecommunications provider, talks to Mike Mimoso about the WannaCry ransomware outbreak and how large network providers and enterprises must contend with advanced attacks.

Terror Exploit Kit Evolves Into Larger Threat

19 May 2017

The Terror exploit kit has matured into a greater threat and carefully crafts attacks based on a user's browser environment.

Available Tools Making Dent in WannaCry Encryption

19 May 2017

Tools are beginning to emerge that can be used to begin the process of recovering files encrypted by WannaCry on some Windows systems.


Symantec

WannaCry: Ransomware attacks show strong links to Lazarus group

22 May 2017

Similarities in code and infrastructure indicate close connection to group that was linked to Sony Pictures and Bangladesh Bank attacks

Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry

17 May 2017

Adylkuzz impact and prevalence is much lower than WannaCry

What you need to know about the WannaCry Ransomware

15 May 2017

The WannaCry ransomware struck across the globe in May 2017. Learn how this ransomware attack spread and how to protect your network from similar attacks.

Latest Intelligence for April 2017

10 May 2017

Number of web attacks blocked by Symantec rises to more than 1 million per day and Longhorn cyber espionage group linked to malware detailed in Vault 7 leak.

Microsoft Patch Tuesday – May 2017

10 May 2017

This month the vendor has released 56 vulnerabilities, 17 of which are rated Critical.

Hajime worm battles Mirai for control of the Internet of Things

18 Apr 2017

The Hajime worm appears to be the work of a white hat hacker attempting to wrestle control of IoT devices from Mirai and other malicious threats.

Latest Intelligence for March 2017

14 Apr 2017

Number of blocked web attacks increases to highest level since July 2016 and Necurs botnet returns with new spam campaigns.

Android O no! Android O causes problems for mobile ransomware developers

12 Apr 2017

Changes in Google’s newest mobile OS will impact the functionality of many Android ransomware threats.

Microsoft Patch Tuesday – April 2017

11 Apr 2017

This month the vendor has released 44 vulnerabilities, 13 of which are rated Critical.

Kelihos/Waledac: US law enforcement hits botnet with major takedown

11 Apr 2017

Alleged botnet operator arrested in Spain, faces multiple charges in the US.

Longhorn: Tools used by cyberespionage group linked to Vault 7

10 Apr 2017

First evidence linking Vault 7 tools to known cyberattacks.

Free Nintendo Switch emulators are fake

30 Mar 2017

Fake emulators for newly released Nintendo console used as bait to get users to fill out survey scams and download potentially unwanted applications.

Necurs: Mass mailing botnet returns with new wave of spam campaigns

28 Mar 2017

Unexplained three-month absence resulted in a seven-fold decrease in rate of emails containing malware.

Personalized spam campaign targets Germany

20 Mar 2017

A new spam campaign targeting German users uses victims’ real details and installs banking malware on compromised computers.

Microsoft Patch Tuesday – March 2017

14 Mar 2017

This month the vendor is releasing 18 bulletins, nine of which are rated Critical.

Spam campaign targets financial institutions with fake security software

13 Mar 2017

Emails claim to be from HSBC and ask recipients to install fake Rapport security software.

Latest Intelligence for February 2017

10 Mar 2017

Number of new malware variants reaches highest level since October 2016 and Symantec uncovers a wider campaign carried out by Shamoon attackers.

Shamoon: Multi-staged destructive attacks limited to specific targets

27 Feb 2017

Recent attacks involving the destructive malware Shamoon appear to be part of a much wider campaign in the Middle East and beyond.

Android ransomware requires victim to speak unlock code

22 Feb 2017

Latest Android.Lockdroid.E variant uses speech recognition instead of typing for unlock code input.

Symantec and other industry leaders announce expanded Cyber Threat Alliance

14 Feb 2017

Cybersecurity consortium formally establishes rapid security intelligence sharing system to combat cybercrime and advanced attacks.


F-Secure

WannaCry, Party Like It’s 2003

15 May 2017

Let’s take a moment to collect what we know about WannaCry (W32/WCry) and what we can learn from it. When looked at from a technical perspective, WCry (in its two binary components) has the following properties. Comprised of two Windows binaries. mssecsvc.exe: a worm that handles spreading and drops the payload. tasksche.exe: a ransomware trojan […]

WCry: Knowns And Unknowns

13 May 2017

WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know. WCry has currently made a measly $25,000 They now made […]

OSINT For Fun And Profit: #Presidentielle2017 Edition

11 May 2017

As I mentioned in a previous post, I’m writing scripts designed to analyze patterns in Twitter streams. One of the goals of my research is to follow Twitter activity around a newsworthy event, such as an election. For example, last weekend France went to the polls to vote for a new president. And so I […]

Unicode Phishing Domains Rediscovered

26 Apr 2017

There is a variant of phishing attack that nowadays is receiving much attention in the security community. It’s called IDN homograph attack and it takes advantage of the fact that many different Unicode characters look alike. The use of Unicode in domain names makes it easier to spoof websites as the visual representation of an […]

F-Secure XFENCE (Little Flocker)

25 Apr 2017

I use Macs both at home and at work, and as a nerd, I enjoy using interesting stand-alone tools and apps to keep my environment secure. Some of my favorites are knockknock, ransomwhere?, and taskexplorer, from the objective-see website. I’ve also been recently playing around with (and enjoying)  Monitor.app from FireEye. When I heard that […]

Ransomware Timeline: 2010 – 2017

18 Apr 2017

I’ve seen numerous compliments for this graphic by Micke, so… here’s a high-res version. Enjoy! Source: State of Cyber Security 2017 Tagged: Ransomware, Th3 Cyb3r, Threat Report

The Callisto Group

13 Apr 2017

We’ve published a White Paper today titled: The Callisto Group. And who/what is the Callisto Group? A good question, here’s the paper’s summary. Heavy use of spear phishing, and malicious attachments sent via legitimate, but compromised, email accounts. Don’t click “OK”. Tagged: APT, Callisto Group, Th3 Cyb3r, White Paper

OSINT For Fun & Profit: @realDonaldTrump Edition

10 Apr 2017

I’ve just started experimenting with Tweepy to write a series of scripts attempting to identify Twitter bots and sockpuppet rings. It’s been a while since I last played around with this kind of stuff, so I decided to start by writing a couple of small test scripts. In order to properly test it, I needed to point […]

“Cloud Hopper” Example Of Upstream Attack

05 Apr 2017

There’s news today of a BAE/PWC report detailing a Chinese-based hacking group campaign dubbed “Operation Cloud Hopper”. Chinese Group Is Hacking Cloud Providers to Reach Into Secure Enterprise Networks https://t.co/Le4E4Se2Hc pic.twitter.com/adpDyWYa6C — News from the Lab (@FSLabs) April 5, 2017 This operation is what’s known as an upstream attack, a method of compromise that we […]

Massive Dridex Spam Runs, Targeting UK

31 Mar 2017

Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. The magnitude clearly stood out from the average daily amount of spam with attachments. The campaigns were largely sent to accounts with email addresses in the co.uk TLD. The first run, with subject lines such as “Your Booking 938721” (numbers vary), started at […]

Real-Time Location Sharing Redux

23 Mar 2017

Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but, it may come with OPSEC considerations for others. Here’s what I wrote about […]

It’s Not New To Us

22 Mar 2017

A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data. This activity is on the heels of last week’s Turkish related Twitter account hacks via a service called Twitter Counter. And that brings to mind this article (by Andy)… OVER THE PAST FEW YEARS, you’ve probably heard […]

FAQ Related To CIA WikiLeaks Docs

09 Mar 2017

We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump. Did the news surprise you? No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.) Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need […]

Apple, Google, And The CIA

09 Mar 2017

Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents. Here’s Apple’s statement via BuzzFeed News. According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, […]

Taking Poika Out On The Town: 2017

03 Mar 2017

AV-Test has awarded F-Secure Client Security with Best Protection 2016! And as tradition dictates, we took it on a tour of Helsinki. As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once […]

Reflash Flash Research Framework

23 Feb 2017

Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack trace by injecting dynamically generated instrumentation to Flash files. The SQL database can later be analyzed with various […]

Bitcoin Friction Is Ransomware’s Only Constraint

22 Feb 2017

In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to unencrypt individual files (up to 25Mb in size) […]

F-Secure Does Cyber Security

15 Feb 2017

For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security. The new title reflects a change in the type […]

“F-Secure does red teaming?”

08 Feb 2017

On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet: “the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with […]

Noun: Confirmation Bias

01 Feb 2017

Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.” Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias. Last Friday, Journal News reported that a man from Middletown, Ohio was charged with […]


McAfee

Fake WannaCry ‘Protectors’ Emerge on Google Play

23 May 2017

Are Android devices affected by the self-propagating ransomware WannaCry? No—because this threat exploits a vulnerability in Microsoft Windows. This malware cannot harm mobile systems. Nonetheless, some developers are taking advantage of the uproar and possible confusion to promote apps that promise to protect Android devices. While searching for “WannaCry” on Google Play we found several new …

The post Fake WannaCry ‘Protectors’ Emerge on Google Play appeared first on McAfee Blogs.

How to Protect Against WannaCry Ransomware in a McAfee Environment

18 May 2017

WannaCry is a ransomware family targeting Microsoft Windows. On Friday May 12, a large cyberattack based on this threat was launched. At this time, it is estimated that more than 250,000 computers in 150 countries have been infected, each demanding a ransom payment. The initial attack vector is unclear, but an aggressive worm helps spread …

The post How to Protect Against WannaCry Ransomware in a McAfee Environment appeared first on McAfee Blogs.

Adylkuzz CoinMiner Spreading Like WannaCry

17 May 2017

The last few days have been very busy for security teams all around the globe due to the nasty ransomware WannaCry, which spread widely using an exploit for a Server Message Block v1 vulnerability (MS17-010) leaked by the ShadowBroker team a few weeks ago. We have reported on this malware in our previous blog and …

The post Adylkuzz CoinMiner Spreading Like WannaCry appeared first on McAfee Blogs.

Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code

15 May 2017

Many attacks on mobile devices use social engineering to initially infect a victim’s system. They download malware and elevate privileges by exploiting vulnerabilities. Mobile malware often uses persistence mechanisms to hide and monitor the victim’s behavior. Unlike personal computers, mobile devices are used more often by their owners, and carry sensitive information such as phone …

The post Analysis of Chrysaor Keylogging Mechanism Shows Power of Simple Malicious Code appeared first on McAfee Blogs.

Further Analysis of WannaCry Ransomware

14 May 2017

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s …

WannaCry: The Old Worms and the New

13 May 2017

The morning of Friday, May 12 multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry. Upon learning of these incidents, McAfee immediately began working to analyze samples of the ransomware and develop mitigation guidance and detection updates for its customers. By Friday afternoon, McAfee’s Global Threat Intelligence system was …

An Analysis of the WannaCry Ransomware Outbreak

12 May 2017

Charles McFarland was a coauthor of this blog. Over the course of Friday, May 12 we received multiple reports of organizations across multiple verticals being victim to a ransomware attack. By Friday afternoon, McAfee’s Global Threat Intelligence system was updated to identify all known WannaCry samples and the company had delivered DAT signature updates to …

Vulnerable OpenSSL Handshake Renegotiation Can Trigger Denial of Service

09 May 2017

OpenSSL, the popular general-purpose cryptographic library that implements SSL/TLS protocols for web authentication, has recently suffered from several vulnerabilities. We have written about “CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL” and “SSL Death Alert (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers” among others. Today we examine the high-severity bug CVE-2017-3733, …

Mirai, BrickerBot, Hajime Attack a Common IoT Weakness

03 May 2017

We know that devices in the Internet of Things make enticing targets for attack. They are often insecure and can act as open windows into trusted networks. Cybercriminals are capitalizing on that more and more each day, gathering hundreds of thousands of insecure IoT devices into giant botnets. Remember what happened last fall when Mirai …

Cerber Ransomware Evades Detection With Many Components

03 May 2017

Cerber is a quickly evolving type of malware called crypto-ransomware. Cerber encrypts files on an infected computer and demands a ransom to restore them. (Read more about Cerber in this post.) Cerber ransomware first appeared in early 2016 and remains hard to detect. It uses multicomponent behavior (installing several malicious files on the victim’s machine) …

Banned Chinese Qvod Lives on in Malicious Fakes

02 May 2017

Qvod used to be a popular video player and developer in China. Due to piracy allegations and a threatened fine, the company went out of business in 2014. In spite of this, we have recently seen a number of malicious fake versions of Qvod. One common feature of these malicious apps is to disguise their …

Mirai Botnet Creates Army of IoT Orcs

20 Apr 2017

This post was based on analysis by Yashashree Gund and RaviKant Tiwari. There is a lot of speculation in the news about surveillance from home appliances, personal electronics, or other Internet of Things (IoT) devices. Although some statements may be hyperbole, we know that these devices, in homes and offices, are being compromised and used …

Critical Office Zero-Day Attacks Detected in the Wild

07 Apr 2017

At McAfee, we have put significant efforts in hunting attacks such as advanced persistent threats and “zero days.” Yesterday, we observed suspicious activities from some samples. After quick but in-depth research, this morning we have confirmed these samples are exploiting a vulnerability in Microsoft Windows and Office that is not yet patched. This blog post …

McAfee Labs Threats Report Explores Threat Intelligence Sharing and Mirai, the IoT Botnet

06 Apr 2017

In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics. Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a detailed analysis of the background and drivers of …

Ransomware Families Use NSIS Installers to Avoid Detection, Analysis

28 Mar 2017

Malware families are constantly seeking new ways to hide their code, thwart replication, and avoid detection. A recent trend for the delivery of ransomware is the use of the Nullsoft Scriptable Install System (NSIS) with an encrypted payload. The list of the most common families using this technique is diverse and includes Cerber, Locky, Teerac, Crysis, …

Analyzing a Fresh Variant of the Dorkbot Botnet

09 Mar 2017

At McAfee Labs, we have recently observed a new variant of the Dorkbot botnet. Dorkbot is a well-known bot, famous for its various capabilities including backdoor, password stealing, and other malicious behavior. Dorkbot relies on social networking as its infection vector. In this post, we offer our analysis of this new variant. The malware downloads …

CHIPSEC Support Against Vault 7 Disclosure Scanning

09 Mar 2017

Following recent WikiLeaks Vault 7 disclosures, including details regarding firmware vulnerabilities, there has been significant concern regarding the integrity of devices and operating systems used within society. As part of our commitment to provide technology that can preserve the integrity of devices we rely upon, we have developed a simple module for the CHIPSEC framework …

Analyzing CVE-2017-3731: Truncated Packets Can Cause Denial of Service in OpenSSL

08 Mar 2017

OpenSSL is a popular open-source library for SSL and is used by various software and companies across the world. In January, OpenSSL released an update that fixed multiple vulnerabilities. One of them is CVE-2017-3731, which can cause a denial of service due to a crash. McAfee Labs analyzed this vulnerability to provide detection for customers. …

Spora Ransomware Infects ‘Offline’—Without Talking to Control Server

22 Feb 2017

Spora is a ransomware family that encrypts victims’ files and demands money to decrypt the files. It has infected many computers in a short time due to a huge spam campaign. It has a very special feature: it works offline. Propagation vector: The spam campaign carries a .zip file, which contains an HTA (HTML Application) file to …

Macro Malware Targets Macs

14 Feb 2017

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this …

The Cyber Threat Alliance Steps Up to Boost Protection

14 Feb 2017

With each new cyber threat report, we learn about the increasing volume of new, complex threats appearing across a myriad of server systems, networking equipment, personal computing platforms, and IoT devices. We also read about the real-world challenges that information security professionals face when attempting to identify, scope, and prioritize security events generated by their …

Analyzing KillDisk Ransomware, Part 2: Variants and Screen Unlocking

14 Feb 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. In part 1 of this analysis, we discussed the basics of the malware and its whitelisting to protect itself. In this part, we will provide more information about the malware’s internals, this variant, and steps to unlock the ransomware lock screen. Variant 1. This variant seems to be inspired by …

Intel Security Launches ‘Threat Landscape Dashboard’

10 Feb 2017

Every week, we read in the news of another breach or targeted campaign, as more patches are released to protect against the next strain of sophisticated malware. For the administrators responsible for safeguarding a company’s systems, networks, and digital information, keeping up is an overwhelming task, made doubly difficult because it is often hard to …

Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service

03 Feb 2017

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We …

Spotlight on Shamoon

27 Jan 2017

Our analysis this month has pointed to Shamoon emerging in the Middle East. We have recently seen a number of similarities that we had highlighted in our earlier blogs (on mcafee.com). The campaign continues to target organizations in the Middle East from a variety of verticals. Reports suggest that a further 15 disk-wiping Shamoon incidents …

With Release of Windows 10, Questions About BitLocker Arise Again

26 Jan 2017

This post was written by Ted Pan. For those of you who were around during the original release of Microsoft’s BitLocker, previously known as Secure Startup, you will remember that it was meant to completely eliminate the necessity for third-party security software. Yes, BitLocker was going to secure our machines against all forms of attack …

Analyzing KillDisk Ransomware, Part 1: Whitelisting

20 Jan 2017

At McAfee Labs we recently analyzed the ransomware KillDisk. We will share our analysis in two parts: the first, this article, contains general information about the malware and its whitelisting technique; the second part will appear soon with an analysis of its variants and techniques, including how to unlock the locked screen in an infected …

Stopping Malware With a Fake Virtual Machine

19 Jan 2017

As we explained in a previous post, some advanced malware can detect a virtual environment such as a sandbox to avoid detection and analysis. Some threats can also detect monitoring tools used for malware analysis. Often such malware will not execute or change their behavior to appear harmless. Because some malware uses these tactics, planting …

Trojanized Photo App on Google Play Signs Up Users for Premium Services

13 Jan 2017

Mobile apps usually have names that give some indication of their function. In one recent case, however, we found a misnamed app that turned out to be malicious. Every Android app has an ID value, commonly known as the package name, to uniquely identify it on a device and in Google Play. Most package names …

Turkish Instagram Password Stealers Found on Google Play

12 Jan 2017

Intel Security’s mobile malware research team has found several Instagram password stealers on the Google Play store. (Google has since removed the apps.) These malware are distributed as utilities and tools for analyzing access and automating the following of Instagram accounts. The main targets of the malware are Turkish Instagram users. The malware lead victims …

Top Tips for Securing Home Cameras

05 Jan 2017

Installing a home surveillance camera system can add great benefits but also may introduce new risks to privacy and network security. The goal is to increase your security and peace of mind, while avoiding cybersecurity threats. Here are three tips to consider when purchasing, installing, and configuring your new home camera system. The risks Home …

2016 Will Go Down in History as “the Year of Ransomware”

04 Jan 2017

The year 2016 highlighted a sharp resurgence of ransomware threats and the need to put an advanced security architecture in place. The emergence of bitcoin has made it possible to anonymize transactions, and it plays an important role in the rise of ransomware attacks. Some ransomware is able to detect and bypass environments …

Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

30 Dec 2016

The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed …

Next Targets for Cybercriminals: the Long Term (Part 2)

27 Dec 2016

In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures. Rise of blockchain …

Next Targets for Cybercriminals: the Short Term (Part 1)

25 Dec 2016

Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step …

Floki Bot a Sensation With International Cybercriminals

23 Dec 2016

Floki Bot, new financial malware, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos. Improvements abound …

Did You Forget to Patch Your IP Camera?

21 Dec 2016

IP cameras are usually “purchase, install, and don’t touch” devices. But in the current climate of cyberattacks, they now require regular updates and patches. Otherwise your security tool may be hacked, leak video, or join a cybercriminal botnet without your knowing. IP cameras are targets: Like all Internet-connected devices, IP cameras are at risk of …

An Overview of Malware Self-Defense and Protection

19 Dec 2016

Many malware authors spend a great deal of time and effort to develop complex code. Their success depends on a threat’s remaining undetected and avoiding sandbox analysis, antivirus efforts, or malware analysts. This post offers an overview of the mechanisms used by malware to evade detection. If malware is detected quickly, it has little time …

‘Popcorn Time’ Ransomware Sure to Cause Indigestion

19 Dec 2016

In early December the new ransomware “Popcorn Time” was discovered. It gives the victim the option of paying the ransom or infecting two other individuals and getting them to pay. “Popcorn Time” is a legitimate application for streaming movies and series. The ransom note gives the victim seven days to choose either option or the …

‘SSL Death Alert’ (CVE-2016-8610) Can Cause Denial of Service to OpenSSL Servers

14 Dec 2016

Recently we noticed a security patch has been published for the OpenSSL vulnerability called SSL Death Alert. As with other serious security vulnerabilities, this one grabbed our attention because the discoverer of the vulnerability says that it may cause a denial of service to an OpenSSL web server. To better protect our customers from this …

“Trojanization” of Legit Apps on the Rise

13 Dec 2016

Intel Security today released its McAfee Labs Threats Report: December 2016. The report’s third key topic illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible. Author Craig Schmugar of McAfee Labs also recommends policies and procedures that will help protect …

McAfee Labs December Threats Report Explores Many Facets of Deception

13 Dec 2016

In the McAfee Labs Threats Report: December 2016 published today, we write about three seemingly disparate topics. However, on closer inspection, they have a common thread. All discuss deception in one way or another, whether ways in which ransomware authors have enhanced their code to sidestep sandboxes, how Trojans infect legitimate code to appear benign, …

Do You Need to Pull Up Your SOCs?

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 revealed the results of a survey gauging the state of the security operations center (SOC). The following is an excerpt from this article. A few years ago, dedicated SOCs seemed to be going the way of the dinosaur—the era of big rooms with big monitors and teams …

2016: A Year at Ransom

13 Dec 2016

This week’s McAfee Labs Threats Report: December 2016 provides an overview of how ransomware has evolved over the course of 2016, and how the industry has responded. Through the end of Q3, the number of new ransomware samples this year totaled 3,860,603, an increase of 80% since the beginning of the year. Beyond volume, ransomware exhibited notable …

How to Protect Against OpenSSL 1.1.0a Vulnerability CVE-2016-6309

13 Dec 2016

Recently the OpenSSL security library gained a fix for a critical security issue (CVE-2016-6309) that affects OpenSSL Version 1.1.0a. The remote attackers can cause the OpenSSL server to crash, or execute arbitrary code on it, by simply sending a handshake packet with a message larger than 16KB. To defend against these attacks we analyzed the …

Shamoon Rebooted in Middle East, Part 2

09 Dec 2016

Last week we provided some initial analysis on recent attacks targeting organizations in the Middle East. The attack has hallmarks of the Shamoon campaign of 2012. We now have additional data related to the components used within the new campaign, which has three distinct components: dropper, wiper, and wiper driver. The language of these three …

Farewell to the SHA-1 Hash Algorithm

01 Dec 2016

Rest in peace SHA-1. Like all security controls, they are valuable only for a certain time. SHA-1, a legacy hashing algorithm once used heavily in secure web browsing, has outlived its usefulness; it is time for its permanent retirement. Microsoft, Mozilla, and Google just announced they will finally drop all support for SHA-1 early next …

Shamoon Rebooted?

29 Nov 2016

We have recently received notifications and samples from impacted organizations in the Middle East that have hallmarks of the Shamoon campaign from 2012. The main component of these attacks was the usage of a wiper component that, once activated, destroyed the hard disks of infected machines. The initial infection vector for the recent attacks is …

Big, Hard-to-Solve Problems

29 Nov 2016

Improving the Lifecycle of Threat Defense Effectiveness: When a new security tool or technique is released, Version 1.0 is usually pretty effective, and successive versions get even better with real-world scenarios and user feedback. Eventually, the bad guys realize that this new thing is causing them real problems, so they start looking for ways over, …

‘McAfee Labs 2017 Threats Predictions’ Report Zeroes In on Cloud and IoT Threats

29 Nov 2016

In the McAfee Labs 2017 Threats Predictions report, published today, we cover a lot of ground but focus particularly on two areas that will impact IT security for years to come: threats to the cloud and the Internet of Things. The report kicks off with a big-picture examination of difficult-to-solve problems in cyber security and …

You Can Outsource the Work, but You Cannot Outsource the Risk

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Cloud: As more companies get comfortable with cloud services, trust and usage will go up, and that will inevitably attract the attention of cybercriminals. Although an increasing array of sensitive and confidential data is moving to cloud storage and processing, we expect that most businesses will …

Welcome to the Wild West, Again!

29 Nov 2016

Threats, Regulations, and Vendor Responses to Risks in the Internet of Things: The Wild West, a place of exaggerated lawlessness in the United States during the 1800s, has returned once again as a metaphor for the Internet of Things (IoT). Driven by similar issues of exploration, homesteading, and prospecting for riches, IoT devices are becoming …

Upcoming Intel Security Webcast on McAfee Labs 2017 Threats Predictions Moderated by Intel Security CTO Raj Samani

23 Nov 2016

McAfee Labs 2017 Threats Predictions: The cyberattack surface is growing faster than ever before, driven by trends and technologies like the cloud and the Internet of Things (IoT). As the digital landscape evolves, so will threats. What can we expect a year from now, or four years from now? Prepare for the future by attending the …

Worms Could Spread Like Zombies via Internet of Things

21 Nov 2016

Security researchers recently created a proof-of-concept attack against Internet-connected lightbulbs, causing breached devices to infect their neighbors. The propagation continues and spreads itself across the community. This hack highlights the insecurity in one of many Internet of Things (IoT) network protocols. Researchers say the worm, which currently targets Philips Hue lightbulbs, can set off a …

More Capable IoT Botnets to Emerge as the ‘Pros’ Enter the Fray

09 Nov 2016

On the heels of severe distributed denial of service (DDoS) attacks, we see new botnets emerging that are powered by the Internet of Things (IoT). There are already hundreds of such botnets in the underground hacking ecosystem, from which services, code, and specific attacks can be purchased or acquired. New botnets are being developed to …

Talking About Cyber Risks Educates the Community

07 Nov 2016

In the last 12 months, we have seen an unprecedented number of cyberattacks occur or come to light. Sophisticated attacks against governments, businesses, consumers, and the pillars of the Internet itself. The future appears to be fraught with runaway risks. Can security tame data breaches, ransomware, massive denial of service assaults, cyber theft, and attacks against autonomous and …

Cerber Ransomware Now Hunts for Databases

04 Nov 2016

Cerber is one of the most popular ransomware packages. It has upgraded itself to also target databases. It is available for purchase as a service (ransomware as a service) on the “dark net” as part of an affiliate program. Cerber is part of a turnkey service in which clients share 40% of their profits with …

Top 5 Things to Know About Recent IoT Attacks

02 Nov 2016

Recent Internet attacks have resulted in several popular sites becoming unreachable. The list includes Twitter, Etsy, Spotify, Airbnb, Github, and The New York Times. These incidents have brought to light a new threat to online services: botnets powered by the Internet of Things (IoT). Distributed denial of service (DDoS) attacks have been commonplace for more …

The Latest IoT Device I Do Not Want Hacked

01 Nov 2016

What if someone hacked this remotely controlled semiautonomous tractor? I am a cybersecurity guy and a huge fan of technology. One of the challenges we face in the security industry is the growth of the Internet of Things (IoT). IoT is about connecting everyday objects to the Internet. It might be a toaster, alarm clock, …

A ‘Second Economy’ Prognosis for Health Care Cybersecurity

26 Oct 2016

Intel Security CTO Steve Grobman has pointed out that gaining the upper hand in cybersecurity requires that we extend our thinking beyond the physical economy of money, assets, goods, and services to a Second Economy defined by the currencies of trust, time, and money. As in other industries, health care is working toward maximizing efficiencies, …

How ‘Weaponized’ Medical Data Could Be as Damaging as Clinton’s Emails or Trump’s Videos

26 Oct 2016

The 2016 presidential election in the United States will be remembered for a great many things. Never before in US history has the disclosure or nondisclosure of personal information figured so prominently in public debate. Never before has the ability to compromise and disclose personal information been used as a political weapon to damage the …

How to Secure the Future of the Internet of Things

22 Oct 2016

The world of security for the Internet of Things just became more complex. IoT devices are no longer a potential threat only to their owners; now they pose a significant threat to everything connected to the Internet. The old IoT security problem: For the past year, the cybersecurity and IoT communities have been at odds regarding …

Unfolding the Mystery of Cerber Ransomware’s Random File Extension

20 Oct 2016

In an earlier blog, we discussed the evolution of the popular Cerber ransomware from Version 1 to 2. Recently we came across two newer versions of Cerber (we’ll call them Versions 3 and X). Cerber 3 has few changes but Version X has some new behavior that caught our attention. (We call this version X, …

Password-Protected Attachment Serves Ransomware

18 Oct 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported. Since early March we have seen macro malware using high-obfuscation algorithms to hide itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection. In addition to these evasion techniques, McAfee Labs researchers have …

No More Ransom Adds Law Enforcement Partners From 13 Countries

17 Oct 2016

Intel Security and Kaspersky Labs today announced that 13 law enforcement agencies have joined No More Ransom, a partnership between cybersecurity industry and law enforcement organizations to provide ransomware victims education and decryption tools through www.nomoreransom.org. Intel Security, Kaspersky Labs, Dutch National Police, and Europol will be joined by members from Bosnia and Herzegovina, …

Ransomware Variant XTBL Another Example of Popular Malware

17 Oct 2016

We have seen a huge increase in ransomware during the past couple of years. At McAfee Labs we have recently received a sample of the low-profile XTBL, a ransomware family that encrypts files and demands ransom from its victims to decrypt the files. Like other ransomware variants, XTBL propagates through a wide range of spam campaigns. Attackers …

Android Banking Trojan Asks for Selfie With Your ID

14 Oct 2016

In the first half of 2016 we noticed that Android banking Trojans had started to improve their phishing overlays on legitimate financial apps to ask for more information. Victims were requested to provide “Mother’s Maiden Name,” “Father’s Middle Name,” “Maternal Grandmothers Name,” or a “Memorable Word.” Attackers used that data to respond to security questions and obtain …

Everyone Loves Selfies, Including Malware!

13 Oct 2016

I was talking with some of my coworkers the other day about why I wanted to jump to the larger iPhone 7 Plus.  For me it came down to the camera.  I travel a lot for work and even though photography is something of a hobby of mine, I don’t always have my “good camera” …

New Security Reality for Internet of Things

04 Oct 2016

Recent distributed denial of service (DDoS) attacks are forcing a shift in how we think about the Internet of Things (IoT). The dangers are expanding as attackers are taking advantage of billions of IoT devices, conscripting them into their botnet armies for massive DDoS attacks. Nontraditional risks: The estimates vary, but they suggest between …

CTO Q&A: Campaign Hacks, Yahoo! and Clinton-Trump

03 Oct 2016

Over the last several days, we’ve seen headlines on potential cyberattacks on state voter registries, cybersecurity front and center in the Clinton-Trump presidential debate, and new revelations into the Yahoo! cyber-breach that appears to have compromised more than 500 million user accounts. Intel Security CTO Steve Grobman fielded a number of questions on these events …

Sharing Cybersecurity Threat Intelligence Is the Only Way We Win

30 Sep 2016

Cybersecurity is a team sport. The bad guys share information, expertise, and code as they help one another. The good guys must do the same to keep pace. Sharing threat intelligence is a key way for the owners of sensor networks to pass the knowledge they gain on to the security analysis community. This generosity …

Macro Malware Employs Advanced Sandbox-Evasion Techniques

29 Sep 2016

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the message “This document is protected against unauthorized use. Enable Editing and Enable Content to read content” along with a request to enable macros. If a user clicks …

How Can We Stop ‘ROP’ Cyberattacks?

28 Sep 2016

IBM recently announced a software-oriented solution to help eradicate attacks by return-oriented programming (ROP) malware. ROP malware is a significant and growing problem in the industry. Crafty hackers will use snippets of code from other trusted programs and stitch them together to create their attacks. This method has become a very popular and effective technique for …

‘McAfee Labs Threats Report’ Offers Primer on Security Data Science, Analytics, Big Data, Machine Learning

28 Sep 2016

Analytics, big data, automation, and machine learning are all terms we use when talking about the future of cybersecurity. As the volume of security data increases, data science will become an important weapon to disrupt adversaries. Too often, these terms are used as synonyms, but they refer to different parts of the domain of data …

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss

26 Sep 2016

Data is leaking out of your organization: accidentally or intentionally, by internals or externals, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices to reduce your exposure to data loss. We …

‘McAfee Labs Threats Report’ Examines Whether Ransomware Is Coming to a Hospital Near You

23 Sep 2016

Delivering uninterrupted services with immediate access to information is not an easy task. Doing it with legacy systems, a fragmented workforce, and inconsistent security is a monumental job. Unfortunately, this is the state of many hospitals, leading the criminal underground to their back doors. Ransomware attackers have shifted focus, moving from consumers to organizations with …

Hardware Hack Bypasses iPhone PIN Security Counter

22 Sep 2016

A security researcher from the University of Cambridge has found a way to hack the iPhone NAND memory hardware to sufficiently bypass an important security feature, allowing a brute-force attack against the passcode lock of an iPhone 5C. This is the same lock that stymied the FBI as part of the highly publicized privacy case in …

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

21 Sep 2016

Despite headlines, hype, and hysteria, the US government rightly chooses cybersecurity guidance over regulation. The Obama administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course …

Cryptocurrencies a Target for Cybercriminals, Part 2: Social Platforms Come Next

19 Sep 2016

One target of cybercriminals is cryptocurrencies, which hold tremendous wealth but are largely anonymous. This limits the attack surface mostly to avenues requiring complex technical approaches. Always preferring the path of least resistance, many fraudsters and online thieves prefer to target people rather than systems. This is the second of two posts on threats to …

Locky Ransomware Hides Inside Packed .DLL

16 Sep 2016

McAfee Labs has seen a huge increase in Locky ransomware in recent months (discussed in an earlier blog). Locky is aggressively distributed via a JavaScript-based downloader sent as an attachment in spam emails. Since its first variant Locky has taken advantage of compromised domains to download its malicious executable. Recently it has downloaded a malicious dynamic link …

Cryptocurrencies a Target for Cybercriminals, Part 1: the Risks of Innovation

14 Sep 2016

All cryptocurrencies are a target for cybercriminals. Anywhere there is value, criminals, fraudsters, and charlatans will soon follow. Call it the Willie Sutton principle. Sutton, a famous bank robber in the 1920s–30s, was asked why he robbed banks. His reply was “Because that’s where the money is.” The simplicity rings true. That same age-old principle …

The Quarterly Threats Report: What Does It Mean for You?

14 Sep 2016

The latest edition of the Quarterly Threats Report (QTR) was released this week by McAfee Labs. If you’re not familiar with them, McAfee Labs is our research organization tasked with researching all the latest threats that people are seeing out there in the wild as well as looking at trends that help indicate what the …

Machine Learning, the Unsung Hero in the Latest ‘Threats Report’

14 Sep 2016

The story about ransomware in hospitals in our newly published McAfee Labs Threats Report: September 2016 will probably garner most of the media’s attention, but I think the most interesting story in the report is about machine learning. Here’s why. Intel Security has used machine learning in our classification models since the mid-2000s. Initially, we …

Malware Hides in Installer to Avoid Detection

25 Aug 2016

At McAfee Labs we recently observed various threat families using the Nullsoft Scriptable Install System (NSIS). This practice is not new, but our analysis shows that several malware families are employing the same technique to hide their packed executable code. Usually every malware family uses its own polymorphic packers to obfuscate its payload. In this …

Improve Protection Against Cyberattacks Through Shared Threat Intelligence

25 Aug 2016

At the RSA Conference 2016 in San Francisco, Chris Young, GM and SVP of Intel Security, said that one of the best ways to improve response time to attacks and overall awareness of attacks and adversaries is through the timely sharing of threat intelligence. He also talked about Intel Security’s responsibility as a leading security …

‘Wildfire’ Ransomware Extinguished by Tool From NoMoreRansom; Unlock Files for Free

23 Aug 2016

Intel Security and Kaspersky Lab, partners in the project NoMoreRansom, are pleased to announce today the availability of a decryption tool for victims of the Wildfire variant of ransomware. This tool is available following successful collaboration with the Dutch police and the European Cybercrime Centre. This strong public-private partnership has led to the seizure of …

Cerber Ransomware Updates Configuration File

16 Aug 2016

McAfee Labs has recently analyzed Version 2 of Cerber, one of the leading ransomware programs. Cerber infects systems via social media tricks such as spam email with malicious links or documents, malvertising campaigns, exploits of vulnerable websites, and also takes advantages of exploit kits like Angler, Nuclear, and others. During our analysis of the new …

Bing.VC Hijacks Browsers Using Legitimate Applications

10 Aug 2016

Browser hijackers are a type of malware that modifies a web browser’s settings without the user’s permission. Generally a browser hijacker injects unwanted advertising into the browser. It replaces the home page or search page with its own. It also steals cookies and can install a keylogger to fetch other sensitive information. McAfee Labs has recently …

Obfuscated Malware Discovered on Google Play

10 Aug 2016

The McAfee Labs Mobile Malware Research team found early this week on Google Play a set of malware published by the developer account ValerySoftware: Each one of these apps has been downloaded and installed up to 500 times, which means up to 3,000 devices could be infected by this threat. Some characteristics of this malware: …

Banload Trojan Targets Brazilians With Malware Downloads

09 Aug 2016

McAfee Labs has recently encountered new variants of the Banload Trojan. Banload has been around since the last decade. This malware generally arrives on a victim’s system through a spam email containing an archived file or bundled software as an attachment. In a few cases, this malware may also be dropped by other malware or …

‘Cat-Loving’ Mobile Ransomware Operates With Control Panel

08 Aug 2016

Recently the McAfee Labs Mobile Malware Research team found a sample of ransomware for Android with botnet capabilities and a web-based control panel service. The malware is running on a legitimate cloud service provider. The payload of this malware can encrypt a victim’s files, steal SMS messages, and block access to the device. In this …

Setting Up HTTPS for Google App Engine Applications

08 Aug 2016

Thursday, we posted advice on creating a custom domain name for an application developed with Google’s App Engine. In this post, we will learn how to add SSL support and force the App Engine application to use only SSL. Start by obtaining an SSL certificate for your domain from an authorized certificate authority. Consider following …

Creating a Custom Domain Name with a Google App Engine Application

05 Aug 2016

Google’s App Engine is a Platform as a Service (PaaS) for developers that provides features and frameworks to quickly and easily build scalable web applications. Developers can create applications and deploy them to the App Engine. When a web application is created using the App Engine, the application is assigned a unique project ID. Developers …

Active iOS Smishing Campaign Stealing Apple Credentials

29 Jul 2016

Intel Security Mobile Research recently found an active phishing campaign targeting iOS users via SMS messages. The message tells users that their Apple accounts have been temporarily locked to trick them into accessing a phishing site and steal the real Apple credentials. Here is an example of an SMS message from this campaign: The message pretends to be …

Taking Steps to Fight Back Against Ransomware

27 Jul 2016

Ransomware is an attack in which malware encrypts files and extorts money from victims. It has become a favorite among cybercriminals because it is easy to develop, simple to execute, and does a very good job of compelling users to pay to regain access to their precious files or systems. Almost anyone and every business …

Trojanized Propaganda App Uses Twitter to Infect, Spy on Terrorist Sympathizers

26 Jul 2016

The Mobile Malware Research Team of Intel Security has discovered in recent weeks a number of new threats in the Middle East. In May, we uncovered a spying campaign targeting cybersecurity professionals in Saudi Arabia. This week, the team exposed a strain of spyware targeting another specific group of mobile users: individuals with possible sympathies toward …

No More Ransom: A New Initiative to Battle Ransomware

25 Jul 2016

Ransomware has seen a huge increase over the past couple of years.  According to our June Quarterly Threats Report, there was a 113% increase in ransomware over the past year.  However, the real indicator for me has been an increase in questions about ransomware I get from people once they find out I work for …

Intel Security Teams With Industry, Law Enforcement to Thwart ‘Shade’ Ransomware

25 Jul 2016

Intel Security, Europol, Kaspersky Lab, and Dutch police have taken down the Shade ransomware botnet and captured encryption keys to unlock victims’ systems. Although we talk a great deal of the value of public-private partnerships in the fight against cybercrime, few events in the cybersecurity field are more inspiring than seeing such collaboration in action and …

Phishing Attacks Employ Old but Effective Password Stealer

21 Jul 2016

A few months ago we received a sample from a customer that turned out to be a password stealer (PWS). One thing about this malware stood out: the subdirectory used in the access panel URL. It contained the string “***=**U=TEAM” (which we have obfuscated). Our investigations lead us to believe this may be a case of industrial …

Patch Now: Simple Office ‘Protected View’ Bypass Could Have Big Impact

12 Jul 2016

Protected View is a security feature of Microsoft Office. According to research from MWR Labs, Protected View mode is a strong application-level sandbox. In a real-world attack scenario, Office documents from the Internet, such as downloaded documents from browsers (Chrome, Edge, Internet Explorer), or attachments received on emails clients (such as Outlook), are opened by default in …

Trojanized Pokémon GO Android App Found in the Wild

08 Jul 2016

Pokémon GO is a new mobile game that allows fans to “catch” Pokémon in the real world using augmented reality and smartphone capabilities such as location technology and built-in cameras. The game was released on July 6 on both the Apple App Store and Google Play but only in Australia, New Zealand, and one day …

Business Email Compromise Hurts Your Organization

06 Jul 2016

As many workers do today, you probably get emails from your boss asking you to perform various tasks. You may also get unusual requests under unusual circumstances—perhaps to put out a fire for a big client or to impress a potential customer. Sometimes in haste you don’t follow standard procedures. But that makes you vulnerable …

June #SecChat Recap: Findings from the 2016 Verizon DBIR

30 Jun 2016

This year’s highly anticipated Verizon 2016 Data Breach Investigations Report (Verizon DBIR) analyzed cybersecurity findings from 100,000 incidents and 2,260 confirmed breaches, taking a deep dive into popular attack types and threats in 2015. During our June Twitter #SecChat, we discussed findings from the report, and examined prominent threats and their impact on industries. Participating …

Security Best Practices for Azure App Service Web Apps, Part 4

24 Jun 2016

Microsoft’s Azure App Service is a fully managed Platform as a Service for developers that provides features and frameworks to quickly and easily build apps for any platform and any device. In spite of its ease of use, developers still need to keep security in mind because Azure will not take care of every aspect of security. …

Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection

21 Jun 2016

Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky. Recently McAfee Labs has encountered a new variant of macro malware that uses new techniques to avoid executing in an undesirable environment. With this variant when we …

JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware

21 Jun 2016

The ransomware Nemucod has been very prevalent in the last few months. Nemucod’s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along …

Microsoft’s June Patch Kills Potential CFG Bypass

16 Jun 2016

After applying Microsoft’s June patch, we noticed some interesting changes that prevent a security bypass of Windows’ Control Flow Guard (CFG). The changes are in the Shader JIT compiler of the Windows Advanced Rasterization Platform (WARP) module (d3d10warp.dll). The Shader JIT compiler could formerly be used to create a CFG bypass. CFG is known to …

Intel Innovates to Stop Cyberattacks

16 Jun 2016

Intel, in partnership with Microsoft, has published a technology preview, showing how innovation in silicon architecture can help protect against advanced code-reuse attack techniques. This is an example of how brilliant minds across the industry can think long term to address cybersecurity problems through improvements in hardware. Key components, such as the central processing unit, …

Mobile App Collusion Highlights McAfee Labs Threats Report

14 Jun 2016

I would be lost without my smartphone and its many convenient features. I look at my calendar and click to schedule an online meeting, inviting attendees from my contact list. I use my airline app to make sure my flight is on time and click to check the weather at my destination. I pick a …

‘Thrones’ Jon Snow Appears to Employ Neutrino Exploit Kit

10 Jun 2016

This blog post was written by Kalpesh Mantri. You read that right. Jon Snow appears to be back from the dead. That would make “Game of Thrones” fans happy, but unfortunately this Jon Snow is not the same character. This John (with an h) Snow is related to Neutrino exploit kits, one of the commonly used …

Experts Discuss the 2016 Verizon DBIR: June #SecChat

10 Jun 2016

Cybersecurity in 2016 has been full of sensational headlines. Ransomware has shut down multiple hospitals, millions of credentials have been pilfered, and countless companies have had their records stolen using phishing tactics. But is it really accurate to judge the state of the industry by headlines alone? What if we took a more analytical approach …

Zcrypt Expands Reach as ‘Virus Ransomware’

08 Jun 2016

Intel Security has recently seen a new kind of ransomware, Zcrypt, that can self-replicate. This “virus ransomware” arrives via email in a malicious attachment or by usurping an Adobe Flash Player installation. The malware copies itself onto removable drives to infect other machines. Zcrypt uses the Nullsoft Scriptable Install System, which works like a Zip file, decompressing …

Threat Actors Employ COM Technology in Shellcode to Evade Detection

06 Jun 2016

COM (Component Object Model) is a technology in Microsoft Windows that enables software components to communicate with each other; it is one of the fundamental architectures in Windows. From the security point of view, several “features” built into COM have led to many security vulnerabilities. These features include ActiveX (an Internet Explorer plug-in technology), the …

Locky Ransomware Hides Under Multiple Obfuscated Layers of JavaScript

06 Jun 2016

This post was prepared with the invaluable assistance of Rahamathulla Hussain and Girish Kulkarni. During the last couple of weeks, McAfee Labs has observed a huge increase in spam related to Locky, a new ransomware threat spread via spam campaigns. The contents of the spam email are carefully crafted to lure victims using social engineering …

Trillium Exploit Kit Update Offers ‘Security Tips’

02 Jun 2016

McAfee Labs has previously blogged about the Trillium Exploit Kit Version 3.0, which is commonly used to create and distribute malware. Last week, Version 4.0 appeared on several underground forums. We have analyzed the new version of the tool and it contains new functionality. These include: PDF downloader Password generator Security tips PDF downloader The user …

Android Spyware Targets Security Job Seekers in Saudi Arabia

31 May 2016

The Middle East is the new Wild West of mobile malware, especially for targeted attacks and intelligence gathering campaigns. During the past few years, Intel Security Mobile Research has monitored and reported on several countries in the region and has found an alarming increase in campaigns using mobile malware for not only disruption and hacktivism …

Seeing Through Darkleech Obfuscation: a Quick Hack to Iframes

27 May 2016

This blog post was written by Kalpesh Mantri. Darkleech is an Apache module on the dark web that distributes malware. This tool, which appeared in 2012, was first used to infect many Apache servers and later sites running Microsoft IIS. The campaign infecting IIS sites was named pseudo-Darkleech because it resembles the Apache infector module. (In this …

Android Banking Trojan ‘SpyLocker’ Targets More Banks in Europe

26 May 2016

Since the discovery of the Android banking Trojan SpyLocker, Intel Security has closely monitored this threat. SpyLocker first appeared disguised as Adobe Flash Player and targeted customers of banks in Australia, New Zealand, and Turkey. Recently we have found that the distribution method for this malware has changed. In addition to employing malicious websites that …

Which Cybersecurity Data Should You Trust?

24 May 2016

Limitations of security data: We are constantly battered by cybersecurity data, reports, and marketing collateral, and we shouldn’t treat all of this information equally. Security data has inherent limitations and biases, which result in varying value and relevance in how it should be applied. It is important to understand which data is significant and how best to …

ISAO Group Hosts Productive 3rd Public Meeting

24 May 2016

This post first appeared at Policy@Intel. The Information Sharing and Analysis Organization Standards Organization (ISAO SO) held its Third Public Forum on May 18–19 in Anaheim, California. More than 100 participants from academia, government, and industry sectors, including multiple participants from Intel, assembled to discuss the initial drafts recently published by the ISAO SO and …

Malware Mystery: JS/Nemucod Downloads Legitimate Installer

21 May 2016

JS/Nemucod is the detection name given to a family of malicious JavaScript downloaders that have appeared in spam campaigns since last year. They usually arrive as an email attachment, embedded in a ZIP archive, and pretend to be an invoice, a delivery notice, a resume, anything that may seem harmless and can be used as a social engineering …

Attacks on SWIFT Banking System Benefit From Insider Knowledge

20 May 2016

In recent months, we’ve seen headlines about the compromise of a bank in Bangladesh from which cybercriminals attempted to steal US$951 million. The malware they used was able to manipulate and read unique messages from SWIFT (Society for Worldwide Interbank Financial Telecommunication), as well as adjust balances and send details to a remote control server. …

5 Steps to Enhance Security of Cloud Applications

18 May 2016

When you move applications to the cloud, the attack surface changes while the vulnerabilities at application, database, and network level persist. To address these issues, securing the cloud perimeter, preventing unauthorized access, and protecting data is crucial. The first step is to reduce the attack surface. Run a port scan specific to an instance IP and lock …

Can Zealous Security Cause Harm?

17 May 2016

Good security requires balancing risks, costs, and usability. Too much or too little of each can be unhealthy and lead to unintended consequences. We are entering an era where the risks of connected technology can exceed the inconveniences of interrupted online services or the release of sensitive data. Failures can create life-safety issues and major …

Sex Sells: Looking at Android Adult Adware Apps

13 May 2016

Advertising is one of the primary methods to generate money from mobile devices. Ads can be displayed in the browser when you visit a specific website or can appear in free apps. In the case of mobile apps, the developer must select a theme that attracts many users to increase revenues. There is probably no …

Key Lessons From Verizon’s ‘2016 Data Breach Investigations Report’

12 May 2016

The annual Data Breach Investigations Report (DBIR) is out and reinforces the value of well-established cybersecurity practices. The good folks at Verizon have once again published one of the most respected annual reports in the security industry. The report sets itself apart with the authors intentionally avoiding unreliable “survey” data and instead striving to communicate …

Server-Side Request Forgery Takes Advantage of Vulnerable App Servers

12 May 2016

Server-side request forgery is an attack in which an attacker can force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. This ability makes server-side request forgery …
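
The excerpt above describes the SSRF primitive but not what the vulnerable code and its fix look like. The following is an added example, not McAfee's code or the code of the post it summarizes: a server-side "fetch this URL" helper first in the vulnerable form (it connects wherever the user-supplied URL points, including loopback and the link-local cloud metadata address), then a hardened form that enforces an allowed scheme, an allowlisted host, an allowed port, and finally checks that the host resolves to a globally routable address, so an allowlisted name whose DNS record has been pointed at an internal address is still refused. `ALLOWED_HOSTS`, the constructed name-to-address table `FAKE_DNS`, and all host names and addresses are assumptions made for this example so that it runs offline.

```python
"""Added example of an SSRF-prone URL fetcher and a hardened replacement.

Not code from the page or from McAfee; host names, addresses and the
allowlist below are constructed for illustration only.
"""
import ipaddress
import socket
from urllib.parse import urlparse

# Hosts the application is allowed to fetch from (assumption for the example).
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Constructed name-to-address table so the example runs offline. A real
# deployment resolves with socket.getaddrinfo() (see resolve_host).
# cdn.example.com is deliberately pointed at an internal address to show why
# an allowlist alone is not enough.
FAKE_DNS = {
    "api.example.com": "93.184.216.34",
    "cdn.example.com": "10.0.0.5",
}


def vulnerable_target(url: str) -> str:
    """Vulnerable form: trusts the user-supplied URL completely and hands the
    parsed host straight to the HTTP client. Any scheme, any host, including
    localhost and 169.254.169.254 (the cloud metadata endpoint)."""
    return urlparse(url).hostname or ""


def resolve_host(host: str) -> str:
    """Resolve a host name to an IP string (constructed table first, then real DNS)."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    return socket.getaddrinfo(host, None)[0][4][0]


def is_internal(ip: str) -> bool:
    """True for loopback, link-local, RFC 1918, unspecified and other
    non-globally-routable addresses (ipaddress.is_global covers all of them)."""
    return not ipaddress.ip_address(ip).is_global


def hardened_target(url: str) -> str:
    """Hardened form: returns the IP address the client may connect to, or
    raises ValueError with the reason the request was refused.

    The caller should connect to the returned IP (sending the original Host
    header) rather than re-resolving the name, which closes the DNS-rebinding
    window between this check and the actual request."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    host = parsed.hostname
    if host is None or host.lower() not in ALLOWED_HOSTS:
        raise ValueError("host not allowlisted")
    if parsed.port not in (None, 80, 443):
        raise ValueError("port not allowed")
    ip = resolve_host(host.lower())
    if is_internal(ip):
        raise ValueError("resolved to internal address")
    return ip


def decide(url: str) -> str:
    """Convenience wrapper: 'ALLOW <ip>' or 'DENY <reason>'."""
    try:
        return "ALLOW " + hardened_target(url)
    except ValueError as exc:
        return "DENY " + str(exc)


if __name__ == "__main__":
    for u in (
        "https://api.example.com/v1/report",
        "http://169.254.169.254/latest/meta-data/",
        "http://cdn.example.com/asset.js",
        "gopher://localhost:6379/",
        "https://api.example.com:8443/",
    ):
        print(f"{u:45} vulnerable -> {vulnerable_target(u) or '(none)':20} hardened -> {decide(u)}")
```

The order of the checks matters: scheme and allowlist are cheap string tests that reject most attacker input before any DNS lookup, and the resolved-address test is what catches the case the allowlist cannot, a legitimate name that resolves (or is rebound) to an internal address. Redirects need the same treatment, so a real client should disable automatic redirect following and re-run `hardened_target` on each `Location` it decides to follow.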

Current Campaign Delivers Hundreds of Thousands of Polymorphic Ransomware

10 May 2016

You might have been getting out of bed when attackers started sending hundreds of thousands of fake invoices the morning of April 27. Between 5:45 am and 11 am Pacific time, the first phase of the operation was steamrolling along. The invoices sent with fake .rtf files attached were in no way legitimate. In McAfee …

Android Malware Clicker.G!Gen Found on Google Play

04 May 2016

Recently the Mobile Malware Research Team of Intel Security found on Google Play a new campaign of Android/Clicker.G in dozens of published malicious apps. This threat targets Russians but the apps are accessible worldwide. The attackers lure their victims with apps associated with health care, sports, food, games, and many other topics. Some of the …

The Morning After: What Happens to Data Post-Breach?

02 May 2016

This post first appeared on the security website Dark Reading. We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data. We are hopeful that new insights will provide a compelling answer to the question “So what?” No company is bulletproof when it comes to …

Fake Android Update Delivers SMS, Click Fraud in Europe

29 Apr 2016

Intel Security Mobile Research has been monitoring a mobile malware campaign targeting users in Germany, France, and Russia since the beginning of the year. Several users have complained in forums and social networks about a suspicious file with the name Android_Update_6.apk being automatically downloaded when a website is loaded. Recently a user tweeted that one …

CVE-2016-0018: DLL Planting Leads to a Remote Code Execution Vulnerability

27 Apr 2016

DLL planting, also known as DLL side loading, is a popular attack technique today. If we take a look at the list of advisories Microsoft has recently published, it is clear that a large number of vulnerabilities encompass DLL planting. We have seen many targeted attacks that abuse Windows OLE in many ways. At BlackHat USA 2015, an …

Malware Takes Advantage of Windows ‘God Mode’

27 Apr 2016

Microsoft Windows has hidden an Easter Egg since Windows Vista. It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This “God Mode” can come in handy for admins, but attackers are now using this undocumented feature for evil …

Macro Malware Employs Advanced Obfuscation to Avoid Detection

26 Apr 2016

Attacks by macro malware carrying ransomware are growing, as we have recently reported on Blog Central here and here. Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as virtual machine awareness, sandbox awareness, and more. Since early March we have seen macro malware using high-obfuscation algorithms to protect itself …

Unsubscribing From Unwanted Email Carries Risks

18 Apr 2016

We all receive loads of unwanted email solicitations, warnings, and advertisements. The number can be overwhelming to the point of obnoxiousness. Some days it feels like an unending barrage of distracting deliveries that require a constant scrubbing of my inbox. Beyond being frustrating, there are risks. In addition to the desired and legitimate uses of email, …

CVE-2016-0153: Microsoft Patches Possible OLE Typo

14 Apr 2016

Recently McAfee Labs discovered an interesting bug in Windows’ OLE implementation, which Microsoft patched this week. Now that the patch is available, we can discuss this vulnerability, which resides in the OleRegEnumVerbs() function of ole32.dll. During our research we found that a stack corruption vulnerability in ole32!OleRegEnumVerbs can be triggered if we embed any OLE1 …

When It Comes To Cyberthreat Intelligence, Sharing Is Caring

13 Apr 2016

This blog was originally posted at Dark Reading on March 31. Shared cyberthreat intelligence will soon be a critical component of security operations, enabling organizations to better protect their digital assets and respond more quickly to emerging threats. On March 17, the US Department of Homeland Security announced the deployment of the Automated Indicator Sharing …

Convergence and the Future of Cyber Security

12 Apr 2016

CSE 2016 Future of Cyber Security by Matthew Rosenquist

The security industry is changing. Technology innovation is eroding the distance between the roles and responsibilities of traditionally independent physical and cyber security teams. Modern physical security tools now rely heavily on networks, clouds, firmware, and software—which puts them at risk of cyber …

DHS Accelerates Information Sharing Standards Effort; Intel to Chair Working Group

29 Mar 2016

This post first appeared at Policy@Intel on March 9. In an effort to accelerate cyber information sharing, and in response to a presidential executive order, the Department of Homeland Security recently announced the formation of the Information Sharing and Analysis Organization (ISAO) Standards Organization. The organization comprises six working groups, and I’ve been appointed chair …

McAfee Labs Unlocks LeChiffre Ransomware

28 Mar 2016

At McAfee Labs we recently received a low-profile ransomware called LeChiffre. Unlike ransomware that is distributed by a spam campaign or downloaded by other malware, this sample needs to be run manually on a victim’s machine to encrypt files. As we analyzed this ransomware, we found that we could unlock all LeChiffre-encrypted files without having to pay …

W97M Downloader Serves Vawtrak Malware

23 Mar 2016

McAfee Labs recently found a variant of the W97M macro malware downloader that runs the Vawtrak malware. Although W97M usually employs Microsoft Office documents to run malicious Visual Basic scripts that download and run malware, this instance of W97M contains an embedded executable that is dropped onto the file system using a malicious macro. W97M …

McAfee Labs Threats Report Discusses Cyber Threat Intelligence Sharing and More

22 Mar 2016

During keynote presentations at the RSA Conference 2016 in early March, Chris Young from Intel Security, Mark McLaughlin from Palo Alto Networks, and Michael Brown from Symantec discussed the need to share cyber threat intelligence (CTI). There were also a half-dozen conference sessions that examined this important topic. Young made the point that sharing CTI …

Cybersecurity Suffers Due to Human Resources Challenges

21 Mar 2016

The cybersecurity industry is in a state of disrepair. Growing human resource problems put the efforts to secure technology at risk, due to insufficient staffing, skills, and diversity. The need for talent is skyrocketing, but there are not enough qualified workers to meet current or future demands. By 2017 prospective hiring organizations may have upwards …

5G Networks Pose Cyber Risks, Opportunities

18 Mar 2016

Fifth-generation networking (5G) holds the potential for a massive immersion of technology into the lives of people and businesses. It is an evolution of technology that could allow enough bandwidth for 50 billion smart devices, driving toward a world in which everything that computes will be connected. Such transformative technology opens great opportunities, but also presents new …

Hacktivists Turn to Phishing to Fund Their Causes

16 Mar 2016

At Intel Security we recently observed a phishing campaign targeting Apple account holders. The link directed the user to a compromised WordPress site used to serve the fake Apple ID login page. Users are asked to log in with their Apple IDs, and then are requested to update billing information and credit card details. In the following …

Report Highlights Enterprise Biometric Vulnerabilities, Opportunities

16 Mar 2016

Authentication in the modern enterprise is becoming more difficult. The risks are rising, but adding more security controls can impede workers and are difficult to integrate into legacy systems. Biometrics may be a better path to improve security while not adversely impacting the user experience. But there are risks; biometric systems are not without vulnerabilities …

TeslaCrypt Ransomware Arrives via Neutrino Exploit Kit

15 Mar 2016

This post was written by Sriram P. and Varadharajan Krishnasamy. TeslaCrypt is a ransomware family that encrypts files and extorts money from its victims to decrypt the files. Similar to other ransomware variants, TeslaCrypt propagates through a wide range of spam campaigns and is also downloaded with the help of other malware: W97M/Downloader, JS/Nemucod, Angler exploit kit …

Sensitive California Student Information to Be Released to Nonprofit

14 Mar 2016

The US District Court of California (Eastern district) has issued an order requiring the California Department of Education (CDE) to produce data to the plaintiffs in a lawsuit involving allegations that the CDE failed to provide adequate services to children with disabilities. The data in question will include information on all children, kindergarten through high …

Criminals are Getting Excited for Tax Filing Season

11 Mar 2016

Cybercriminals are plotting to take advantage of tax season, by fraudulently impersonating consumers and scamming Americans. For the citizens of the United States, tax season is upon us, during which we diligently file our annual tax returns with the US Internal Revenue Service (IRS). A big problem, however, is that, in this digital age of …

Macro Malware Associated With Dridex Finds New Ways to Hide

08 Mar 2016

Macro malware is on the upswing and cybercriminals are always searching for new ways to deceive users and evade detection. McAfee Labs recently discovered a W97M/Downloader variant that uses a new technique to obfuscate its malicious intentions. Almost one year ago, we discovered Microsoft Office XML documents containing compressed MSO ActiveMime objects. These objects extract an encrypted OLE …
