SANS


Failed Malspam: Recovering The Password, (Mon, Jul 26th)

26 Jul 2021

Jan's diary entry "One way to fail at malspam - give recipients the wrong password for an encrypted attachment" got my attention: it's an opportunity for me to do some password cracking :-) I asked Jan for the sample.

Wireshark 3.4.7 Released, (Sun, Jul 25th)

25 Jul 2021

Wireshark version 3.4.7 was released.

Active Directory Certificate Services (ADCS - PKI) domain admin vulnerability, (Sat, Jul 24th)

24 Jul 2021

Phew, this was a really bad week for Microsoft (and a lot of reading for all of us). And just when we thought that the fiasco with the SAM hive was over, a new vulnerability popped up, which is much, much more dangerous unfortunately – it allows a user to completely take over a Windows domain that has the ADCS service running. And those are probably running in the majority of enterprises.

Agent.Tesla Dropped via a .daa Image and Talking to Telegram, (Sat, Jul 24th)

24 Jul 2021

A few days ago, I found an interesting file delivered by email (why change a winning combination?). The file has a nice extension: “.daa” (Direct Access Archive). We already reported such files in 2019 and Didier wrote a diary[1] about them. A default Windows installation can't process “.daa” files; you need a specific tool to open them (like PowerISO). I converted the archive into an ISO file and extracted the PE file inside it.

Uncovering Shenanigans in an IP Address Block via Hurricane Electric's BGP Toolkit (II), (Fri, Jul 23rd)

23 Jul 2021

Today's diary revisits hunting for dodgy domains via Hurricane Electric's BGP Toolkit [1]. This was previously done in an earlier diary [2], and I plan to do this occasionally to share potential or identified threats so that readers can be aware of them.


Sophos

Apple emergency zero-day fix for iPhones and Macs – get it now!

27 Jul 2021

You're probably expecting us to say, "Patch early, patch often." And that is EXACTLY what we're saying!


Windows “PetitPotam” network attack – how to protect against it

26 Jul 2021

A cute name but an annoying and potentially damaging attack. Here's what to do.

US court gets UK Twitter hack suspect arrested in Spain

23 Jul 2021

O, what a tangled web we weave/When first we practise to deceive!

S3 Ep42: Viruses, Nightmares, patches, rewards and scammers [Podcast]

22 Jul 2021

Latest episode - listen now!

Windows “HiveNightmare” bug could leak passwords – here’s what to do!

21 Jul 2021

Windows "hives" contain registry data, some of it secret. The nightmare is that these files aren't properly protected against snooping.

Apple iPhone patches are out – no news if recent Wi-Fi bug is fixed

20 Jul 2021

Remember that weird iPhone Wi-Fi bug from a week or so ago? Let's hope this update patches it!

S3 Ep41: Crashing iPhones, PrintNightmares, and Code Red memories [Podcast]

19 Jul 2021

Latest episode - listen now!

More PrintNightmare: “We TOLD you not to turn the Print Spooler back on!”

16 Jul 2021

The PrintNightmare continues. So does our advice, even though it stops your printer working.

Want to earn $10 million? Snitch on a cybercrook!

16 Jul 2021

Will going after the big guns help to discourage and disrupt the rest of the cybercrime ecosystem? Have your say...

The Code Red worm 20 years on – what have we learned?

15 Jul 2021

"It was 20 years ago today..." that we learned a few lessons that are well worth revisiting!


TrendMicro

Newark Releases Latest Global IoT Trends Report

27 Jul 2021

The latest trend report also said that security concerns negatively impact the adoption of IoT technologies and the growth of Industry 4.0.

New Collaboration with Adobe and MAPP

27 Jul 2021

Collaboration with industry partners is helping secure the digital world by distributing Trend Micro vulnerability information to security vendors more quickly so they can enhance protection for their customers.

Threat Actors Exploit Misconfigured Apache Hadoop YARN

27 Jul 2021

We look into how threat actors are exploiting Apache Hadoop YARN, a part of the Hadoop framework that is responsible for executing tasks on the cluster. This analysis covers the payloads deployed, the tactics used in the attacks, and basic recommendations for strengthening cloud security.


#LetsTalkSecurity: The New Digital Normal

26 Jul 2021

Let's Talk Security: Season 02 // Episode 03: Host, Rik Ferguson, interviews Founder & CEO of MyConnectedHealth, Tyler Cohen Wood. Together they discuss the new digital normal.

5GAA & Global Certification Forum Connect on New Cert.

26 Jul 2021

The Global Certification Forum (GCF) and the 5G Automotive Association (5GAA) announced their collaboration on a new program that will support the drive for interoperability, reliability, and safety of up-and-coming C-V2X systems.

A Cloud Migration Strategy with Security Embedded

26 Jul 2021

Learn how to build a cloud migration strategy that keeps security in mind.

This Week in Security News - July 23, 2021

23 Jul 2021

StrongPity APT Group Deploys Android Malware for the First Time and STIX Cyberthreat Sharing Standards Approved

Updated XCSSET Malware Targets Telegram, Other Apps

22 Jul 2021

In our last update on the XCSSET campaign, we updated some of its features targeting the latest macOS 11 (Big Sur). Since then, the campaign has added more features to its toolset, which we have continually monitored. We have also discovered the mechanism used to steal information from various apps, a behavior that has been present since we first discussed XCSSET.

Respect in Security: Anti-Harassment Initiative

22 Jul 2021

Respect in Security aims to make a concrete difference to the levels of abuse and harassment that are unfortunately all too common in our industry.

Reduce Instances of Covid-19 Phishing Email Attacks

21 Jul 2021

The Covid-19 pandemic has created an unlimited supply of news and topics for cybercriminals to utilize in their attacks, as well as major organizations to spoof. Learn what your organization can do to combat these timely threats.

StrongPity APT Group Deploys Android Malware for the First Time

21 Jul 2021

We recently conducted an investigation into a malicious Android malware sample, which we believe can be attributed to the StrongPity APT group, that was posted on the Syrian e-Gov website. To the best of our knowledge, this is the first time that the group has been publicly observed using malicious Android applications as part of its attacks.

Prevent Cyber Risk as a Managed Service Provider (MSP)

20 Jul 2021

MSPs – Say no to the next Ransomware! Protect your Business 24x7 with Trend Micro’s security analysts

This Week in Security News - July 16, 2021

16 Jul 2021

Trends and Shifts in the Underground N-Day Exploit Market and Scams Make Getting Verified on Social Media a Minefield.

Main Considerations for Securing Enterprise 5G Networks

15 Jul 2021

5G brings countless benefits to enterprises through its scalability, speed, and connectivity. However, these very same features might actually amplify the damage caused by threats if they do infiltrate systems. Security should be a prime concern for enterprises that use 5G networks.

Tesla “Recalls” Vehicles in China due to Safety Glitch

14 Jul 2021

The recall affects over 200,000 Model 3 and Model Y vehicles.

With 5G coming, it’s time to plug security gaps

14 Jul 2021

With 5G introducing new risks, many are finding they don’t have the visibility, tooling or resources to manage such networks securely.

July Patch Tuesday: DNS Server, Exchange Server Vulnerabilities Cause Problems

13 Jul 2021

After two relatively quiet months, July has proven to be another busy month for Microsoft security bulletins. A total of 117 bulletins were issued for various security vulnerabilities fixed in the July Patch Tuesday cycle.

The Underground Exploit Market and the Importance of Virtual Patching

13 Jul 2021

Over the past two calendar years, we conducted research on the underground exploit market to learn more about the life cycle of exploits, the kinds of buyers and sellers who transact, and the business models that are in effect in the underground.

Survey: Phishing & Ransomware Attacks are Top Concerns

12 Jul 2021

Ransomware and phishing attacks will continue to be utilized and will likely see increases in their usage by malicious actors in targeting their victims. Learnings and recommendations from the report to improve your prevention of and response to these threats.

ETSI Publishes IoT Testing Specs for MQTT, COAP

12 Jul 2021

On June 25, 2021, ETSI released its new IoT Testing Specifications completed by the organization’s committee on Methods for Testing and Specifications. The documents contain seven standards addressing the testing of the IoT MQ Telemetry Transport (MQTT) and Constrained Application Protocol (CoAP) protocols and the foundational security IoT-Profile.

#NoFilter: Exposing the Tactics of Instagram Account Hackers

12 Jul 2021

What tactics do Instagram account hackers use? What do these cybercriminals do with stolen accounts? How can users protect their accounts? We look into Instagram account hacking incidents from a security researcher’s perspective and share recommendations for users of Instagram and other social media platforms.

Summer of Cybercrime Continues: What To Do

9 Jul 2021

We recently coined this as the Summer of Cybercrime. Major ransomware attacks continue to hit companies globally. The attacks can cause significant damage, from a financial, reputation and productivity standpoint.

This Week in Security News - July 9, 2021

9 Jul 2021

Kaseya hit with ransomware attack and top 3 mobile threat takeaways from MWC

BIOPASS RAT: New Malware Sniffs Victims via Live Streaming

9 Jul 2021

We discovered a new malware that targets online gambling companies in China via a watering hole attack, in which visitors are tricked into downloading a malware loader disguised as a legitimate installer for well-known apps such as Adobe Flash Player or Microsoft Silverlight.

Threats Ride on the Covid-19 Vaccination Wave

8 Jul 2021

We continue monitoring cybercriminals and threats that abuse the pandemic. In this update, we detail trends in malicious activities and deployments that exploit vaccination developments and processes worldwide.

How to navigate open source licensing risks

8 Jul 2021

Vulnerabilities aren't the only risk that comes with open source software use. Learn how you can best mitigate licensing risks to ensure your team is meeting all legal requirements while building with open source code.

Tracking Cobalt Strike: A Trend Micro Vision One Investigation

5 Jul 2021

Cobalt Strike is a well-known beacon or post-exploitation tool that has been linked to several ransomware campaigns. This report focuses on the process of uncovering its tracks in order to fully contain and remove a malware infection.

IT Management Platform Kaseya Hit With Sodinokibi/REvil Ransomware Attack

4 Jul 2021

Kaseya has been hit with a REvil (aka Sodinokibi) ransomware attack at the dawn of the Fourth of July weekend. The attack was geared toward their on-premises VSA product.

This Week in Security News July 2, 2021

2 Jul 2021

Nefilim ransomware attack through a MITRE Att&ck lens and PoC exploit circulating for critical Windows Print Spooler bug, and more.

PurpleFox Using WPAD to Target Indonesian Users

1 Jul 2021

The PurpleFox Exploit Kit is now being distributed via WPAD attacks targeting Indonesian users.

Top Countries With ICS Endpoint Malware Detections

30 Jun 2021

The Trend Micro research paper, “2020 Report on Threats Affecting ICS Endpoints,” presents findings on ICS endpoints and the threats that plague them. From these findings, we rounded up the list of the top ten countries with the most malware and grayware detections.

Best Practices for Social Media Security

29 Jun 2021

Social media is a double-edged sword, and as we celebrate #SocialMediaDay, let’s remember to use best security practices to keep us safe from malicious actors who abuse the platforms.

Still Leading In Endpoint And Cloud Workload Security

29 Jun 2021

Cloud workload security and endpoint protection are key to managing security risk. Two new independent IDC reports help CISOs consider their strategic partner options.

Secure Secrets: Managing Authentication Credentials

29 Jun 2021

Secret management plays an important role in keeping essential information secure and out of threat actors’ reach. We discuss what secrets are and how to store them securely.

#LetsTalkSecurity: Adapt or Die

28 Jun 2021

Let's Talk Security: Season 02 // Episode 02: Host, Rik Ferguson, interviews Forrester Analyst, Allie Mellen. Together they discuss “adapt or die.”

Nefilim Ransomware Attack Through a MITRE Att&ck Lens

28 Jun 2021

Follow the story of Company X as they suffer an attack from the notorious modern ransomware family, Nefilim, and their affiliates, to learn how you can better mitigate the common tactics and techniques used in these attacks.

This Week in Security News June 25, 2021

25 Jun 2021

Fake DarkSide campaign targets energy and food sectors and Tulsa police-citation data leaked by Conti Gang

Build a Complete Cloud Visibility Strategy

25 Jun 2021

Trend Micro Cloud One + New Relic come together to offer complete cloud visibility

Are Tax Breaks Encouraging Ransom Payments?

24 Jun 2021

Why tax deductions for ransom payments send the wrong signals to threat actors and their victims

Consolidate For A Secure Digital Transformation

22 Jun 2021

The expedited move to digital transformation has been a lifeline for organizations during the pandemic. Now that these investments have been made, what’s next to continue to drive operational improvements?

NukeSped Copies Fileless Code From Bundlore, Leaves It Unused

22 Jun 2021

While investigating samples of NukeSped, a remote access trojan (RAT), Trend Micro came across several Bundlore adware samples using the same fileless routine that was spotted in NukeSped.

Security Resources Now on AWS CloudFormation Templates

21 Jun 2021

Trend Micro is helping customers natively deploy Infrastructure as Code (IaC) resources for security the same way as cloud native infrastructure in collaboration with AWS CloudFormation.

This Week in Security News June 18, 2021

18 Jun 2021

Bash ransomware targets Linux Distributions and Trend Micro touts zero trust risk insights

Fake DarkSide Campaign Targets Energy and Food Sectors

18 Jun 2021

Threat actors behind a recent campaign pose as DarkSide in a bid to deceive targets into paying ransom.

Employee Excellence within Trend Micro

17 Jun 2021

The team behind a company is the reason for its success. At Trend Micro, we are proud to have a team filled with intelligent individuals who foster innovation to solve tomorrow's challenges to secure our digital world today.

Bash Ransomware DarkRadiation Targets Red Hat- and Debian-based Linux Distributions

17 Jun 2021

We investigate how certain hacking tools are used to move laterally on victims’ networks to deploy ransomware. These tools contain reconnaissance/spreader scripts, exploits for Red Hat and CentOS, binary injectors, and more. In this blog, we focus on analyzing the worm and ransomware script.

Amazon Prime Day: Big Sales, Big Scams

17 Jun 2021

For many people, major online shopping events such as the annual Amazon Prime Day — which falls on June 21 this year — present a unique opportunity to purchase goods at heavily discounted prices. However, shoppers are not the only ones looking to benefit — cybercriminals are also looking to prey on unsuspecting victims via social engineering and other kinds of scams.

Is this the “Summer of Cybercrime”?

16 Jun 2021

Summer is just around the corner, and malicious actors don’t seem to be planning a vacation as cybercrime continues to ramp up. Learn some security recommendations you can implement to help minimize the risk of compromise.

An Expert Discussion on Zero Trust

15 Jun 2021

Zero Trust is the key strategy moving forward to secure the always changing hybrid workplace. Listen in as two of our industry experts discuss how risk insights are a key component of Zero Trust security.

This Week in Security News June 11, 2021

11 Jun 2021

The post-pandemic security landscape and the banning of ransomware payments could create new crisis situations

How Enterprises can Deflect Million-Dollar Ransomware Demands

11 Jun 2021

Blue-chip businesses are not the only ones that have been hit hard by the recent ransomware strikes. We outline some best practices and countermeasures to avert any shakedowns at the hands of cybercriminals.

Trend Micro and JC3 Study on Fraud, Phishing Targeting Japanese Users

11 Jun 2021

This blog details the aspects of two major phishing fraud groups identified from the research and analysis. This study was also announced via separate press releases from Trend Micro Incorporated and JC3.

#LetsTalkSecurity: Transformational Security

9 Jun 2021

Let's Talk Security: Season 02 // Episode 01: Host, Rik Ferguson, interviews Business Information Security Officer from S&P Global Ratings, Alyssa Miller. Together they discuss transformational security.

The U.S. EO on Ransomware: What Does it Mean? – Part 2

8 Jun 2021

The White House is urging companies to do more to stem the tide of ransomware attacks now that they are starting to impact critical infrastructure and supply chains. It is a good start, but what will be the implication of this to U.S. businesses?

June Patch Tuesday: Internet Explorer Finally Laid to Rest

8 Jun 2021

The June 2021 Patch Tuesday cycle offers good news to both IT and website administrators.

Looking Ahead: The Post-Pandemic Security Landscape

7 Jun 2021

One year into the pandemic, our team at Trend Micro discussed the lasting impact that Covid-19 will have on people’s way of life and what a post-pandemic “new normal” might look like.

This Week in Security News June 4, 2021

4 Jun 2021

Cyberattack hits JBS meat works in Australia, North America and DarkSide Targets Virtual Machines

CVE-2021-30724: CVMServer Vulnerability in macOS and iOS

3 Jun 2021

We discovered a vulnerability in macOS, iOS, and iPadOS rooted in the CVMServer. The vulnerability, labeled CVE-2021-30724, can allow threat actors to escalate their privilege if exploited.

Preventing Multi-layered Cybersecurity Threats

2 Jun 2021

It’s 2021, and this rapidly evolving threat landscape requires partnership with a trusted cybersecurity expert, who can provide protection across distributed endpoints, networks, cloud infrastructure, and hybrid environments.

This Week in Security News - May 28, 2021

28 May 2021

Nearly 50,000 IPs Compromised in Worm-like TeamTNT Attack and Misconfigurations are the Biggest Threat to Cloud Security

DarkSide on Linux: Virtual Machines Targeted

28 May 2021

We focus on the behavior of the DarkSide variant that targets Linux. We discuss how it targets virtual machine-related files on VMware ESXI servers, parses its embedded configuration, kills virtual machines (VMs), encrypts files on the infected machine, collects system information, and sends it to the remote server.

Threats From a Compromised 4G/5G Campus Network

27 May 2021

5G acts as a catalyst for change for industrial environments. One part of its deployment is the 4G/5G campus network for some organizations. In our research we delve into the security risks and implications of this technology.

Manage Open Source Code Security Risks

27 May 2021

Open source code is in the vast majority of commercial software today. Learn best practices to mitigate the unique risks that accompany its use.

Personal & Professional Challenges Facing SecOps Teams

25 May 2021

On the frontline: revealing the personal and professional challenges facing SecOps teams. New research shows that security teams are struggling with overwhelming workloads, and organizations are lacking the solution.

TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack

25 May 2021

We have found and confirmed close to 50,000 IPs compromised by this attack perpetrated by TeamTNT across multiple clusters. Several IPs were repeatedly exploited during the timeframe of the episode, occurring between March and May.

This Week in Security News May 21, 2021

21 May 2021

ZDI Tops Omdia Vulnerability Disclosures Again and Robots May Take Over Cybercrime by 2030

Open Source Vulnerabilities Converging DevOps & SecOps

20 May 2021

Open Source Vulnerabilities can be challenging to the already strained DevOps and SecOps relationship. Learn how increased visibility from the right can help prevent and close the long-standing cultural gap between the teams.

ZDI Tops Omdia Vulnerability Disclosures Again

19 May 2021

The Trend Micro Zero Day Initiative (ZDI) again dominated the number of disclosed vulnerabilities for the 13th year in a row, based on Omdia’s research into the vulnerability disclosure market.

TeamTNT’s Extended Credential Harvester Targets Cloud Services, Other Software

18 May 2021

We found new evidence that the cybercriminal group TeamTNT has extended its credential harvesting capabilities to include multiple cloud and non-cloud services.

Stop Ransomware Groups Who Weaponize Legitimate Tools

17 May 2021

The ongoing game of cat and mouse – cybercriminals vs security teams – continues with the latest evolution in ransomware.

This Week in Security News May 14, 2021

14 May 2021

May Patch Tuesday Offers Relative Respite and What We Know About DarkSide Ransomware and the US Pipeline Attack

The Cybersecurity Executive Order: What does it mean?

14 May 2021

While much of the EO may not be new or bold concepts, the potential for long term impact to federal cybersecurity is high and immediate.

What We Know About the DarkSide Ransomware and the US Pipeline Attack

12 May 2021

Trend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets. 

May Patch Tuesday Offers Relative Respite

11 May 2021

Compared to the previous months of 2021, this month’s Patch Tuesday cycle is a slight lull. Only 55 vulnerabilities were fixed this month, with only four of these classified as Critical.

Open source protection that security teams will love

10 May 2021

Open source code is the gateway to quick application deployment – see how Trend Micro and Snyk have partnered up to create developer-friendly security for your open source components

Tips to avoid the new wave of ransomware attacks

10 May 2021

There have been a lot of changes in ransomware over time. We want to help you protect your organization from this growing attack trend.

This Week in Security News May 7, 2021

7 May 2021

New Panda Stealer Targets Cryptocurrency Wallets and Apple Releases Urgent Security Patches for Zero-Day Bugs

Physical Datacenter Security and Threat Mitigation

7 May 2021

Physical security may have more of an impact on cloud operations than you think

Proxylogon: A Coinminer, a Ransomware, and a Botnet Join the Party

6 May 2021

Our telemetry showed three malware families taking advantage of the ProxyLogon vulnerability beginning in March: the coinminer LemonDuck was sighted first, quickly followed by the ransomware BlackKingdom, then the Prometei botnet.

Mutated Scams: How to Protect Yourself from Pandemic-Fueled Cyberfraud

5 May 2021

Scammers took advantage of the surge in online activity during the pandemic, targeting businesses and buyers that were settling into new ways of transacting.

MITRE ATT&CK for Containers: Why It Matters

4 May 2021

The complexity of containers demands something to make sense of it all. Builders, operations teams and security teams need a single language to understand the risk associated with containers.

New Panda Stealer Targets Cryptocurrency Wallets

4 May 2021

In early April, we observed a new information stealer called Panda Stealer being delivered via spam emails. Based on Trend Micro's telemetry, the United States, Australia, Japan, and Germany were among the most affected countries during a recent spam wave.

This Week in Security News - April 30, 2021

30 Apr 2021

Hacktivism’s reemergence explained and Hello ransomware uses updated China Chopper web shell

How Cybercriminals Abuse OpenBullet for Credential Stuffing

30 Apr 2021

In this blog, we detail how cybercriminals exploit OpenBullet, a legitimate web-testing software, to brute-force their way into targeted accounts.

How Trend Micro Helps Manage Exploited Vulnerabilities

28 Apr 2021

As technological innovations evolve, protecting companies from cyber threats tomorrow secures their businesses today. Read how Trend Micro protects customers from vulnerability exploits by blocking them as early as possible.

Water Pamola Attacked Online Shops Via Malicious Orders

28 Apr 2021

Since 2019, we have been tracking a threat campaign we dubbed “Water Pamola.” The campaign initially compromised e-commerce online shops in Japan, Australia, and European countries via spam emails with malicious attachments.

Weaponized Deepfakes Are Getting Closer to Reality

28 Apr 2021

The first malicious use of video deepfakes may have been observed, making one of Trend Micro’s long-standing predictions a looming reality.

Hello Ransomware Uses Updated China Chopper Web Shell, SharePoint Vulnerability

27 Apr 2021

We discuss the technical features of a Hello ransomware attack, including its exploitation of CVE-2019-0604 and the use of a modified version of the China Chopper web shell.

This Week in Security News - April 23, 2021

23 Apr 2021

XCSSET Quickly Adapts to Macs and Babuk Ransomware Gang Claims Decryptor Repaired

Trend Micro Encourages Patching Of Old Vulnerability

22 Apr 2021

Trend Micro released several patches last year to address known vulnerabilities. Since that time, an attempt was observed to leverage one of these vulnerabilities in a single unpatched customer system.

Tor-Based Botnet Malware Targets Linux Systems, Abuses Cloud Management Tools

22 Apr 2021

We found a botnet malware campaign targeting Linux systems, abusing the Tor network for proxies, and exploiting cloud infrastructure management tools for intrusion.

The Storybook Approach to MITRE ATT&CK

20 Apr 2021

Read this year’s MITRE Engenuity ATT&CK Evaluations story, which simulates techniques associated with notorious threat groups Carbanak and FIN7 to test solutions' ability to detect and stop APT & Targeted Attacks.

Carbanak and FIN7 Attack Techniques

20 Apr 2021

What happens in Carbanak and FIN7 attacks? Here are some techniques used by these financially motivated threat groups that target banks, retail stores, and other establishments.

Could the Microsoft Exchange breach be stopped?

16 Apr 2021

A look at the latest Microsoft zero-day exploits and how Trend Micro could help protect you.

This Week in Security News - April 16, 2021

16 Apr 2021

April Patch Tuesday Sets Record High for 2021 and Fed Warns Cyber Threats Pose Danger to U.S. Economy

XCSSET Quickly Adapts to macOS 11 and M1-based Macs

16 Apr 2021

This latest update details our new research on XCSSET, including the ways in which it has adapted itself to work on both ARM64 and x86_x64 Macs.

Cyber-insurers Endorse Cloud Security Platform

15 Apr 2021

With so many vendors in the market, the Marsh initiative has created the Cyber Catalyst to help IT buyers find the right option for them.

Celebrating 3 years of the Cybersecurity Tech Accord

14 Apr 2021

The Cybersecurity Tech Accord has grown significantly in the past 3 years, today having 150 signatories across 5 continents, united in the fight against cybercrime.

April Patch Tuesday Sets Record High for 2021

13 Apr 2021

April’s Patch Tuesday fixes 114 vulnerabilities in various Microsoft products, a slight increase from March’s 89. This is the most vulnerabilities fixed in a month for 2021 to date, as well as a slight increase from the same month last year.

HTTPS over HTTP: A Supply Chain Attack on Azure DevOps Server 2020

13 Apr 2021

We provide the technical details of a supply chain attack on an improperly configured Azure DevOps Server 2020, specifically in the continuous integration and continuous delivery (CI/CD) Pipeline Agent communicating without TLS.


Kaspersky


Managed Detection and Response in Q4 2020

21 Jul 2021

During the reported period, our MDR processed approximately 65 000 alerts, followed by an investigation that resulted in 1 506 incidents reported to customers, approximately 93% of which were mapped to the MITRE ATT&CK framework.

Arrests of members of Tetrade seed groups Grandoreiro and Melcoz

14 Jul 2021

Spain’s Ministry of the Interior has announced the arrest of 16 individuals connected to the Grandoreiro and Melcoz cybercrime groups. Both are originally from Brazil and form part of the Tetrade umbrella, operating for a few years now in Latin America and Western Europe.

LuminousMoth APT: Sweeping attacks for the chosen few

14 Jul 2021

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

Quick look at CVE-2021-1675 & CVE-2021-34527 (aka PrintNightmare)

08 Jul 2021

Last week Microsoft warned Windows users about vulnerabilities in the Windows Print Spooler service – CVE-2021-1675 and CVE-2021-34527 (also known as PrintNightmare). We are closely monitoring the situation and improving generic detection of these vulnerabilities.

WildPressure targets the macOS platform

07 Jul 2021

We found new malware samples used in WildPressure campaigns: a newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

REvil ransomware attack against MSPs and its clients around the world

05 Jul 2021

An attack perpetrated by the REvil (aka Sodinokibi) ransomware gang against Managed Service Providers (MSPs) and their clients was discovered on July 2. Some of the victims reportedly were compromised through a popular MSP software, which led to the encryption of their customers' data.

Do cybercriminals play cyber games in quarantine? A look one year later

01 Jul 2021

Last year, we took a look at how the pandemic influenced the threat landscape for gamers and the gaming industry. One year later, online gamers are even more active, and cybercriminals continue to exploit this.

Remote dating: How do the apps safeguard our data?

29 Jun 2021

The pandemic and the restrictions that came with it have led to an increase in the popularity of dating apps. But what about their security?

Detecting unknown threats: a honeypot how-to

28 Jun 2021

Dan Demeter, Senior Security Researcher with Kaspersky's Global Research and Analysis Team and head of Kaspersky's Honeypot project, explains what honeypots are, why they're recommended for catching external threats, and how you can set up your own simple SSH-honeypot.

Malicious spam campaigns delivering banking Trojans

24 Jun 2021

In mid-March 2021, we observed two new spam campaigns delivering banking Trojans. The payload in most cases was IcedID, but we have also seen a few QBot (aka QakBot) samples.


ThreatPost

No More Ransom Saves Victims Nearly €1 billion Over 5 Years

27 Jul 2021

No More Ransom is collecting decryptors so ransomware victims don’t have to pay to get their data back and attackers don’t get rich.

Zimbra Server Bugs Could Lead to Email Plundering

27 Jul 2021

Two bugs, now patched except in older versions, could be chained to allow attackers to hijack a Zimbra server by simply sending a malicious email.

Three Zero-Day Bugs Plague Kaseya Unitrends Backup Servers

27 Jul 2021

The unpatched flaws include RCE and authenticated privilege escalation on the client-side: Just the latest woe for the ransomware-walloped MSP.

Apple Patches Actively Exploited Zero-Day in iOS, MacOS

27 Jul 2021

Company urges iPhone, iPad and Mac users to install updates to fix a critical memory corruption flaw that can allow for attackers to take over a system.

Podcast: IoT Piranhas Are Swarming Industrial Controls

26 Jul 2021

Enormous botnets of IoT devices are going after decades-old legacy systems that are rife in systems that control crucial infrastructure.

Babuk Ransomware Gang Ransomed, New Forum Stuffed With Porn

26 Jul 2021

A comment spammer flooded Babuk’s new ransomware forum with gay orgy porn GIFs and demanded $5K in bitcoin.

Microsoft Rushes Fix for ‘PetitPotam’ Attack PoC

26 Jul 2021

Microsoft releases mitigations for a Windows NT LAN Manager exploit that forces remote Windows systems to reveal password hashes that can be easily cracked.

Malware Makers Using ‘Exotic’ Programming Languages

26 Jul 2021

Sprechen Sie Rust? Polyglot malware authors are increasingly using obscure programming languages to evade detection.

The True Impact of Ransomware Attacks

26 Jul 2021

Keeper’s research reveals that in addition to knocking systems offline, ransomware attacks degrade productivity, cause organizations to incur significant indirect costs, and mar their reputations.

Discord CDN and API Abuses Drive Wave of Malware Detections

23 Jul 2021

Targets of Discord malware expand far beyond gamers.


PaloAlto

THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group

27 Jul 2021

We provide a technical overview of the previously unseen PlugX variant THOR, indicators of compromise and a new tool for payload decryption.

The post THOR: Previously Unseen PlugX Variant Deployed During Microsoft Exchange Server Attacks by PKPLUG Group appeared first on Unit42.

Evade Sandboxes With a Single Bit – the Trap Flag

19 Jul 2021

Unit 42 has discovered a specific single bit (Trap Flag) in the Intel CPU register that can be abused by malware to evade sandbox detection.

Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools

15 Jul 2021

The Gasket and MagicSocks tools were used in an attack that delivered the Mespinoza ransomware (also known as PYSA)...other tools were discovered to facilitate latter parts of the attacks.

Threat Brief: Windows Print Spooler RCE Vulnerability (CVE-2021-34527 AKA PrintNightmare)

14 Jul 2021

We share details of and mitigation actions for a Windows Print Spooler RCE vulnerability, CVE-2021-34527, also known as PrintNightmare.

Understanding REvil: The Ransomware Gang Behind the Kaseya VSA Attack

06 Jul 2021

Ransomware cases worked by Unit 42 consultants in the first six months of 2021 reveal insights into the preferred tactics of REvil threat actors.

Threat Brief: Kaseya VSA Ransomware Attack

03 Jul 2021

On July 2, attackers reportedly launched attacks against users of the Kaseya VSA remote monitoring and management software as well as customers of multiple managed service providers (MSPs) that use the software. They used access to the VSA software to deploy ransomware associated with the REvil/Sodinokibi ransomware-as-a-service group, according to reports.

Network Attack Trends: February-April 2021

01 Jul 2021

Network attack trends for February-April 2021 include a continued focus from attackers on high-impact, low-effort attacks.

Conti Ransomware Gang: An Overview

18 Jun 2021

Conti ransomware stands out as one of the most ruthless of the dozens of ransomware gangs that we follow. Learn about their TTPs and how to mitigate.

Matanbuchus: Malware-as-a-Service with Demonic Intentions

16 Jun 2021

Matanbuchus Loader is a new malware-as-a-service created by a threat actor who references demonic themes in software and usernames.

Prometheus Ransomware Gang: A Group of REvil?

09 Jun 2021

Prometheus is a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.

TeamTNT Using WatchDog TTPs to Expand Its Cryptojacking Footprint

08 Jun 2021

We have identified indicators traditionally pointing to WatchDog operations being used by the TeamTNT cryptojacking group.

Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments

07 Jun 2021

The main purpose of Siloscape is to open a backdoor into poorly configured Kubernetes clusters in order to run malicious containers.

TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations

04 Jun 2021

TeamTNT is targeting the credentials of 16 additional applications for the purpose of enumerating cloud environments and infiltrating organizations.

Docker Honeypot Reveals Cryptojacking as Most Common Cloud Threat

27 May 2021

A Docker honeypot captured 33 types of attacks over a total of 850 attempts. Here’s what we learned about the cloud threat landscape.

What Can You Learn From a “Wiped” Computer With Digital Forensics?

27 May 2021

We look at how digital forensics can be used to determine the extent to which data has been wiped, as well as to recover digital evidence.


F-Secure


McAfee

Fighting new Ransomware Techniques with McAfee’s Latest Innovations

20 Jul 2021

In 2021 ransomware attacks have been dominant among the bigger cyber security stories. Hence, I was not surprised to see that McAfee’s June 2021 Threat report is primarily focused on this topic. This report provides a large range of statistics using the McAfee data lake behind MVISION Insights, including the Top MITRE ATT&CK Techniques. In […]

The post Fighting new Ransomware Techniques with McAfee’s Latest Innovations appeared first on McAfee Blogs.

An Overall Philosophy on the Use of Critical Threat Intelligence

16 Jul 2021

The overarching threat facing cyber organizations today is a highly skilled asymmetric enemy, well-funded and resolute in his task and purpose.   You never can exactly tell how they will come at you, but come they will.  It’s no different than fighting a kinetic foe in that, before you fight, you must choose your ground and […]

REvil Ransomware Uses DLL Sideloading

16 Jul 2021

This blog was written by Varadharajan Krishnasamy, Karthickkumar, Sakshi Jaiswal. Introduction: Ransomware attacks are one of the most common cyber-attacks among organizations, due to an increase in Ransomware-as-a-Service (RaaS) on the black market. RaaS provides readily available ransomware to cyber criminals and is an effective way for attackers to deploy a variety of ransomware in a […]

Hancitor Making Use of Cookies to Prevent URL Scraping

08 Jul 2021

This blog was written by Vallabh Chole & Oliver Devane Over the years, the cybersecurity industry has seen many threats get taken down, such as the Emotet takedown in January 2021. It doesn’t usually take long for another threat to attempt to fill the gap left by the takedown. Hancitor is one such threat. Like […]

Zloader With a New Infection Technique

08 Jul 2021

This blog was written by Kiran Raj & Kishan N. Introduction In the last few years, Microsoft Office macro malware using social engineering as a means for malware infection has been a dominant part of the threat landscape. Malware authors continue to evolve their techniques to evade detection. These techniques involve utilizing macro obfuscation, DDE, […]

New Ryuk Ransomware Sample Targets Webservers

07 Jul 2021

Executive Summary Ryuk is a ransomware that encrypts a victim’s files and requests payment in Bitcoin cryptocurrency to release the keys used for encryption. Ryuk is used exclusively in targeted ransomware attacks. Ryuk was first observed in August 2018 during a campaign that targeted several enterprises. Analysis of the initial versions of the ransomware revealed […]

Fuzzing ImageMagick and Digging Deeper into CVE-2020-27829

30 Jun 2021

Introduction: ImageMagick is hugely popular open source software that is used in a lot of systems around the world. It is available for the Windows, Linux and MacOS platforms as well as Android and iOS. It is used for editing, creating or converting various digital image formats and supports formats such as PNG, JPEG, WEBP, TIFF, […]

Analyzing CVE-2021-1665 – Remote Code Execution Vulnerability in Windows GDI+

28 Jun 2021

Introduction Microsoft Windows Graphics Device Interface+, also known as GDI+, allows various applications to use different graphics functionality on video displays as well as printers. Windows applications don’t directly access graphics hardware such as device drivers, but they interact with GDI, which in turn then interacts with device drivers. In this way, there is an […]

McAfee Labs Report Highlights Ransomware Threats

24 Jun 2021

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: June 2021. In this edition we introduce additional context into the biggest stories dominating the year thus far including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream. This Threats […]

A New Program for Your Peloton – Whether You Like It or Not

16 Jun 2021

Executive Summary  The McAfee Advanced Threat Research team (ATR) is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. As security researchers, something that we always try to establish before looking at a target is what our scope should be. More specifically, we often assume well-vetted technologies like network stacks or the OS layers are […]

Are Virtual Machines the New Gold for Cyber Criminals?

10 Jun 2021

Introduction: Virtualization technology has been an IT cornerstone for organizations for years now. It revolutionized the way organizations can scale up IT systems in a heartbeat, allowing them to be more agile as opposed to investing in dedicated “bare-metal” hardware. To the outside untrained eye, it might seem that there are different machines on the […]

Scammers Impersonating Windows Defender to Push Malicious Windows Apps

17 May 2021

Summary points: Scammers are increasingly using Windows Push Notifications to impersonate legitimate alerts. Recent campaigns pose as a Windows Defender Update. Victims end up allowing the installation of a malicious Windows Application that targets user and system information. Browser push notifications can highly resemble Windows system notifications. As recently discussed, scammers are abusing push notifications […]

DarkSide Ransomware Victims Sold Short

14 May 2021

Over the past week we have seen a considerable body of work focusing on DarkSide, the ransomware responsible for the recent gas pipeline shutdown. Many of the excellent technical write-ups will detail how it operates an affiliate model that supports others to be involved within the ransomware business model (in addition to the developers). While […]

Major HTTP Vulnerability in Windows Could Lead to Wormable Exploit

12 May 2021

Today, Microsoft released a highly critical vulnerability (CVE-2021-31166) in its web server http.sys. This product is a Windows-only HTTP server which can be run standalone or in conjunction with IIS (Internet Information Services) and is used to broker internet traffic via HTTP network requests. The vulnerability is very similar to CVE-2015-1635, another Microsoft vulnerability in […]

“Fool’s Gold”: Questionable Vaccines, Bogus Results, and Forged Cards

11 May 2021

Preface Countries all over the world are racing to achieve so-called herd immunity against COVID-19 by vaccinating their populations. From the initial lockdown to the cancellation of events and the prohibition of business travel, to the reopening of restaurants, and relaxation of COVID restrictions on outdoor gatherings, the vaccine rollout has played a critical role […]

Roaming Mantis Amplifies Smishing Campaign with OS-Specific Android Malware

05 May 2021

The Roaming Mantis smishing campaign has been impersonating a logistics company to steal SMS messages and contact lists from Asian Android users since 2018. In the second half of 2020, the campaign improved its effectiveness by adopting dynamic DNS services and spreading messages with phishing URLs that infected victims with the fake Chrome application MoqHao. […]

How to Stop the Popups

05 May 2021

McAfee is tracking an increase in the use of deceptive popups that mislead some users into taking action, while annoying many others.  A significant portion is attributed to browser-based push notifications, and while there are a couple of simple steps users can take to prevent and remediate the situation, there is also some confusion about […]

Steps to Discover Hidden Threat from Phishing Email

05 May 2021

Introduction Email is one of the primary ways of communication in the modern world. We use email to receive notifications about our online shopping, financial transaction, credit card e-statements, one-time passwords to authenticate registration processes, application for jobs, auditions, school admissions and many other purposes. Since many people around the globe depend on electronic mail […]

Access Token Theft and Manipulation Attacks – A Door to Local Privilege Escalation

20 Apr 2021

Executive Summary Many malware attacks designed to inflict damage on a network are armed with lateral movement capabilities. Post initial infection, such malware would usually need to perform a higher privileged task or execute a privileged command on the compromised system to be able to further enumerate the infection targets and compromise more systems on […]

Clever Billing Fraud Applications on Google Play: Etinu

19 Apr 2021

A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula as well—to the tune of more than 700,000 downloads before detection by McAfee Mobile Research and co-operation with Google to remove the apps. Figure 1. Infected Apps on Google Play […]

McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges

13 Apr 2021

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: April 2021. In this edition, we present new findings in our traditional threat statistical categories – as well as our usual malware, sectors, and vectors – imparted in a new, enhanced digital presentation that’s more easily consumed and interpreted. Historically, our reports […]

BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain

12 Apr 2021

Recently, the McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google Play, ironically posing as app security scanners. These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device […]

McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware

06 Apr 2021

Executive Summary: Cuba ransomware is an older ransomware that has recently undergone some development. The actors have incorporated the leaking of victim data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns. In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information […]

McAfee Defender’s Blog: Cuba Ransomware Campaign

06 Apr 2021

Cuba Ransomware Overview Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen to not pay the ransom or have recovered their data via some other means. At the end of the day, fighting ransomware has resulted in the bad actors’ loss of revenue. […]

McAfee Defenders Blog: Reality Check for your Defenses

31 Mar 2021

Welcome to reality Ever since I started working in IT Security more than 10 years ago, I wondered, what helps defend against malware the best? This simple question does not stand on its own, as there are several follow-up questions to that: How is malware defined? Are we focusing solely on Viruses and Trojans, or […]

Netop Vision Pro – Distance Learning Software is 20/20 in Hindsight

22 Mar 2021

The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated software installed on computers used in K-12 school districts. The focus of this blog is on Netop Vision Pro produced by Netop. Our research […]

McAfee Defender’s Blog: Operation Dianxun

16 Mar 2021

Operation Dianxun Overview In a recent report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team disclosed an espionage campaign, targeting telecommunication companies, named Operation Diànxùn. The tactics, techniques and procedures (TTPs) used in the attack are like those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. Most probably […]

Operation Diànxùn: Cyberespionage Campaign Targeting Telecommunication Companies

16 Mar 2021

In this report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team details an espionage campaign, targeting telecommunication companies, dubbed Operation Diànxùn. In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. While the initial vector […]

Seven Windows Wonders – Critical Vulnerabilities in DNS Dynamic Updates

09 Mar 2021

Overview For the March 2021 Patch Tuesday, Microsoft released a set of seven DNS vulnerabilities. Five of the vulnerabilities are remote code execution (RCE) with critical CVSS (Common Vulnerability Scoring Standard) scores of 9.8, while the remaining two are denial of service (DoS). Microsoft shared detection guidance and proofs of concept with MAPP members for […]

McAfee ATR Thinks in Graphs

08 Mar 2021

0. Introduction John Lambert, a distinguished researcher specializing in threat intelligence at Microsoft, once said these words that changed perspectives: “Defenders think in lists. Attackers think in graphs.” This is true and, while it remains that way, attackers will win most of the time. However, the true power of graphs does not only reside in […]

Babuk Ransomware

24 Feb 2021

Executive Summary Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise. Using MVISION Insights, McAfee was able […]

Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use

19 Feb 2021

On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc.  As we disclosed the findings to Agora in April 2020, this lengthy disclosure timeline represents a nonstandard process for McAfee but was a joint agreement with the vendor to allow sufficient time for the […]

Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK

17 Feb 2021

The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated and published several findings on a personal robot called “temi”, which can be read about in detail here. A byproduct of our robotic research was […]

Researchers Follow the Breadcrumbs: The Latest Vulnerabilities in Windows’ Network Stack

09 Feb 2021

The concept of a trail of breadcrumbs in the offensive security community is nothing new; for many years, researchers on both sides of the ethical spectrum have followed the compass based on industry-wide security findings, often leading to groundbreaking discoveries in both legacy and modern codebases alike. This happened in countless instances, from Java to […]

McAfee ATR Launches Education-Inspired Capture the Flag Contest!

27 Jan 2021

McAfee’s Advanced Threat Research team just completed its second annual capture the flag (CTF) contest for internal employees. Based on tremendous internal feedback, we’ve decided to open it up to the public, starting with a set of challenges we designed in 2019.   We’ve done our best to minimize guesswork and gimmicks and instead of flashy graphics and games, we’ve distilled the kind of problems […]

Two Pink Lines

15 Jan 2021

Depending on your life experiences, the phrase (or country song by Eric Church) “two pink lines” may bring up a wide range of powerful emotions.    I suspect, like many fathers and expecting fathers, I will never forget the moment I found out my wife was pregnant.  You might recall what you were doing, or where […]

A Year in Review: Threat Landscape for 2020

14 Jan 2021

As we gratefully move forward into the year 2021, we have to recognise that 2020 was as tumultuous in the digital realm as it was in the physical world. From low-level fraudsters leveraging the pandemic as a vehicle to trick victims into parting with money for non-existent PPE, to more capable actors using malware […]

2021 Threat Predictions Report

13 Jan 2021

The December 2020 revelations around the SUNBURST campaigns exploiting the SolarWinds Orion platform have revealed a new attack vector – the supply chain – that will continue to be exploited. The ever-increasing use of connected devices, apps and web services in our homes will also make us more susceptible to digital home break-ins. This threat […]

How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise

21 Dec 2020

In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll delivered as part of a digitally-signed Windows Installer Patch. The trojanized file delivers a backdoor, dubbed SUNBURST by FireEye (and Solorigate by Microsoft), that communicates to third-party servers for […]

Additional Analysis into the SUNBURST Backdoor

17 Dec 2020

Executive Summary There has been considerable focus on the recent disclosures associated with SolarWinds, and while existing analysis on the broader campaign has resulted in detection against specific IoCs associated with the Sunburst trojan, the focus within the Advanced Threat Research (ATR) team has been to determine the possibility of additional persistence measures. Our analysis […]

SUNBURST Malware and SolarWinds Supply Chain Compromise

16 Dec 2020

Part I of II Situation In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management software with a trojanized version of SolarWinds.Orion.Core.BusinessLayer.dll. The trojanized file delivers the SUNBURST malware through a backdoor as part of a digitally-signed Windows Installer Patch. Use of a Compromised Software […]

CVE-2020-17051: Remote kernel heap overflow in NFSv3 Windows Server

10 Nov 2020

CVSS Score: 9.8 (Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C). Overview: Microsoft released a patch today for a critical vulnerability (CVE-2020-17051) in the Windows NFSv3 (Network File System) server. NFS is typically used in heterogeneous environments of Windows and Unix/Linux for file sharing. The vulnerability can be reproduced to cause an immediate BSOD (Blue Screen of Death) within the nfssvr.sys driver. Interestingly, the November patches from Microsoft also include a remote kernel data read […]

Operation North Star: Behind The Scenes

05 Nov 2020

Executive Summary It is rare to be provided an inside view on how major cyber espionage campaigns are conducted within the digital realm. The only transparency afforded is a limited view of victims, a malware sample, and perhaps the IP addresses of historical command and control (C2) infrastructure. The Operation North Star campaign we detailed […]

Operation North Star: Summary Of Our Latest Analysis

05 Nov 2020

McAfee’s Advanced Threat Research (ATR) today released research that uncovers previously undiscovered information on how Operation North Star evaluated its prospective victims and launched attacks on organizations in Australia, India, Israel and Russia, including defense contractors based in India and Russia. McAfee’s initial research into Operation North Star revealed a campaign that used social media […]

McAfee Labs Report Reveals Continuing Surge of COVID-19 Threats and Malware

05 Nov 2020

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: November 2020. In this edition, we follow our preceding McAfee Labs COVID-19 Threats Report with more research and data designed to help you better protect your enterprise’s productivity and viability during challenging times. What a year so far! The first quarter of […]

CVE-2020-16898: “Bad Neighbor”

13 Oct 2020

CVSS Score: 8.8 (Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C). Overview: Today, Microsoft announced a critical vulnerability in the Windows IPv6 stack, which allows an attacker to send maliciously crafted packets to potentially execute arbitrary code on a remote system. The proof-of-concept shared with MAPP (Microsoft Active Protection Program) members is both extremely simple and perfectly reliable. It results […]

The post CVE-2020-16898: “Bad Neighbor” appeared first on McAfee Blogs.

Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program

06 Oct 2020

From June to August, part of the McAfee Advanced Threat Research (ATR) team participated in Microsoft’s Azure Sphere Research Challenge. Our research resulted in reporting multiple vulnerabilities classified by Microsoft as “important” or “critical” in the platform that, to date, have qualified for over $160,000 USD in bounty awards scheduled to be contributed to the ACLU ($100,000), St. Jude’s Children’s Research Hospital ($50,000) and PDX Hackerspace (approximately $20,000). With these contributions, we hope to support and give […]

The post Our Experiences Participating in Microsoft’s Azure Sphere Bounty Program appeared first on McAfee Blogs.

Securing Space 4.0 – One Small Step or a Giant Leap? Part 1

01 Oct 2020

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center (NSC) in Cork, Ireland. The essence of Space 4.0 is the introduction of smaller, cheaper, faster-to-the-market satellites in low-earth-orbit into the value chain and the exploitation of the data they provide. […]

The post Securing Space 4.0 – One Small Step or a Giant Leap? Part 1 appeared first on McAfee Blogs.

Securing Space 4.0 – One Small Step or a Giant Leap? Part 2

01 Oct 2020

McAfee Advanced Threat Research (ATR) is collaborating with Cork Institute of Technology (CIT) and its Blackrock Castle Observatory (BCO) and the National Space Center in Cork, Ireland. In the first of this two-part blog series we introduced Space 4.0, its data value and how it looks set to become the next battleground in the defense […]

The post Securing Space 4.0 – One Small Step or a Giant Leap? Part 2 appeared first on McAfee Blogs.

Vulnerability Discovery in Open Source Libraries: Analyzing CVE-2020-11863

01 Sep 2020

Open Source projects are the building blocks of any software development process. As we indicated in our previous blog, as more and more products use open source code, the increase in the overall attack surface is inevitable, especially when open source code is not audited before use. Hence it is recommended to thoroughly test it […]

The post Vulnerability Discovery in Open Source Libraries: Analyzing CVE-2020-11863 appeared first on McAfee Blogs.

On Drovorub: Linux Kernel Security Best Practices

13 Aug 2020

Intro

In a U.S. government cyber security advisory released today, the National Security Agency and Federal Bureau of Investigation warn of a previously undisclosed piece of Linux rootkit malware called Drovorub and attribute the threat to malicious actor APT28. The report is incredibly detailed and proposes several complementary detection techniques to effectively identify Drovorub malware […]

The post On Drovorub: Linux Kernel Security Best Practices appeared first on McAfee Blogs.

Vulnerability Discovery in Open Source Libraries Part 1: Tools of the Trade

12 Aug 2020

Executive Summary

Open source has become the foundation for modern software development. Vendors use open source software to stay competitive and improve the speed, quality, and cost of the development process. At the same time, it is critical to maintain and audit open source libraries used in products as they can expose a significant volume […]

The post Vulnerability Discovery in Open Source Libraries Part 1: Tools of the Trade appeared first on McAfee Blogs.

Robot Character Analysis Reveals Trust Issues

06 Aug 2020

Retired Marine fighter pilot and Top Gun instructor Dave Berke said “Every single thing you do in your life, every decision you make, is an OODA Loop.” OODA Loop? Observe–Orient–Decide–Act, the “OODA Loop” was originally developed by United States Air Force Colonel John Boyd and outlines that fundamentally all actions are first based on observations. […]

The post Robot Character Analysis Reveals Trust Issues appeared first on McAfee Blogs.

Call an Exorcist! My Robot’s Possessed!

06 Aug 2020

Overview

As part of our continued goal of helping developers provide safer products for businesses and consumers, we here at McAfee Advanced Threat Research (ATR) recently investigated temi, a teleconference robot produced by Robotemi Global Ltd. Our research led us to discover four separate vulnerabilities in the temi robot, which this paper will describe in […]

The post Call an Exorcist! My Robot’s Possessed! appeared first on McAfee Blogs.

Dopple-ganging up on Facial Recognition Systems

05 Aug 2020

Co-authored with Jesse Chick, OSU Senior and Former McAfee Intern, Primary Researcher. Special thanks to Dr. Catherine Huang, McAfee Advanced Analytics Team. Special thanks to Kyle Baldes, Former McAfee Intern.

“Face” the Facts

There are 7.6 Billion people in the world. That’s a huge number! In fact, if we all stood shoulder to shoulder on […]

The post Dopple-ganging up on Facial Recognition Systems appeared first on McAfee Blogs.

Ripple20 Critical Vulnerabilities – Detection Logic and Signatures

05 Aug 2020

This document has been prepared by McAfee Advanced Threat Research in collaboration with JSOF who discovered and responsibly disclosed the vulnerabilities. It is intended to serve as a joint research effort to produce valuable insights for network administrators and security personnel, looking to further understand these vulnerabilities to defend against exploitation. The signatures produced here […]

The post Ripple20 Critical Vulnerabilities – Detection Logic and Signatures appeared first on McAfee Blogs.

McAfee Defender’s Blog: NetWalker

03 Aug 2020

Building Adaptable Security Architecture Against NetWalker

NetWalker Overview

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year. NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service […]

The post McAfee Defender’s Blog: NetWalker appeared first on McAfee Blogs.

Take a “NetWalk” on the Wild Side

03 Aug 2020

Executive Summary

The NetWalker ransomware, initially known as Mailto, was first detected in August 2019. Since then, new variants were discovered throughout 2019 and the beginning of 2020, with a strong uptick noticed in March of this year. NetWalker has noticeably evolved to a more stable and robust ransomware-as-a-service (RaaS) model, and our research suggests […]

The post Take a “NetWalk” on the Wild Side appeared first on McAfee Blogs.

Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?

30 Jul 2020

Executive Summary

We are in the midst of an economic slump [1], with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the prevalence of attacks during this unprecedented time has been largely carried out by low-level fraudsters, the […]

The post Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? appeared first on McAfee Blogs.

McAfee Defender’s Blog: Operation North Star Campaign

30 Jul 2020

Building Adaptable Security Architecture Against the Operation North Star Campaign

Operation North Star Overview

Over the last few months, we have seen attackers take advantage of the pandemic as a cover to launch cyberattacks. One such example is a campaign that McAfee Advanced Threat Research (ATR) observed as an increase in malicious cyber activity targeting […]

The post McAfee Defender’s Blog: Operation North Star Campaign appeared first on McAfee Blogs.

Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!!

27 Jul 2020

Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom demands from ending up in criminals’ pockets. It would be fair to say that the initiative, which started in a small meeting room in the Hague, has been […]

The post Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! appeared first on McAfee Blogs.

Hunting for Blues – the WSL Plan 9 Protocol BSOD

23 Jul 2020

Windows Subsystem for Linux Plan 9 Protocol Research Overview

This is the final blog in the McAfee research series trilogy on the Windows Subsystem for Linux (WSL) implementation – see The Twin Journey (part 1) and Knock, Knock–Who’s There (part 2). The previous research discussed file evasion attacks when the Microsoft P9 server can be […]

The post Hunting for Blues – the WSL Plan 9 Protocol BSOD appeared first on McAfee Blogs.

McAfee COVID-19 Report Reveals Pandemic Threat Evolution

22 Jul 2020

The McAfee Advanced Threat Research team today published the McAfee® Labs COVID-19 Threats Report, July 2020. In this “Special Edition” threat report, we delve deep into the COVID-19 related attacks observed by our McAfee Advanced Threat Research and McAfee Labs teams in the first quarter of 2020 and the early months of the pandemic. What […]

The post McAfee COVID-19 Report Reveals Pandemic Threat Evolution appeared first on McAfee Blogs.

Ripple20 Vulnerability Mitigation Best Practices

22 Jun 2020

On June 16th, the Department of Homeland Security and CISA ICS-CERT issued a critical security advisory warning covering multiple newly discovered vulnerabilities affecting Internet-connected devices manufactured by multiple vendors. This set of 19 vulnerabilities in a low-level TCP/IP software library developed by Treck has been dubbed “Ripple20” by researchers from JSOF. A networking stack is a software component […]

The post Ripple20 Vulnerability Mitigation Best Practices appeared first on McAfee Blogs.

My Adventures Hacking the iParcelBox

18 Jun 2020

In 2019, McAfee Advanced Threat Research (ATR) disclosed a vulnerability in a product called BoxLock. Sometime after this, the CEO of iParcelBox, a U.K. company, reached out to us and offered to send a few of their products to test. While this isn’t the typical M.O. for our research, we applaud the company for being […]

The post My Adventures Hacking the iParcelBox appeared first on McAfee Blogs.

What’s in the Box? Part II: Hacking the iParcelBox

18 Jun 2020

Package delivery is just one of those things we take for granted these days. This is especially true in the age of Coronavirus, where e-commerce and at-home deliveries make up a growing portion of consumer buying habits. In 2019, McAfee Advanced Threat Research (ATR) conducted a vulnerability research project on a secure home package delivery […]

The post What’s in the Box? Part II: Hacking the iParcelBox appeared first on McAfee Blogs.

RagnarLocker Ransomware Threatens to Release Confidential Information

09 Jun 2020

EXECUTIVE SUMMARY

The RagnarLocker ransomware first appeared in the wild at the end of December 2019 as part of a campaign against compromised networks targeted by its operators. The ransomware code is small (only 48kb after the protection in its custom packer is removed) and coded in a high-level programming language (C/C++). Like all ransomware, […]

The post RagnarLocker Ransomware Threatens to Release Confidential Information appeared first on McAfee Blogs.

OneDrive Phishing Awareness

08 Jun 2020

There are a number of ways scammers target personal information; currently, one example is that they are taking advantage of the fear around the virus pandemic, sending phishing and scam emails to Microsoft OneDrive users and trying to profit from Coronavirus/COVID-19. They will pretend to be emailing from government, consulting, or charitable organizations to steal […]

The post OneDrive Phishing Awareness appeared first on McAfee Blogs.

How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner

19 May 2020

Introduction

This blog describes how McAfee ATP (Adaptive Threat Protection) rules are used within McAfee Endpoint Security products. It will help you understand how ATP Rules work and how you can utilize them to prevent infections from prevalent malware families such as Emotet, LemonDuck and PowerMiner. Please read through the recommendation section to effectively utilize […]

The post How To Use McAfee ATP to Protect Against Emotet, LemonDuck and PowerMiner appeared first on McAfee Blogs.

ENS 10.7 Rolls Back the Curtain on Ransomware

07 May 2020

Ransomware protection and incident response is a constant battle for IT, security engineers and analysts under normal circumstances, but with the number of people working from home during the COVID-19 pandemic that challenge reaches new heights. How do you ensure an equivalent level of adaptable malware protection on or off the corporate network? How do […]

The post ENS 10.7 Rolls Back the Curtain on Ransomware appeared first on McAfee Blogs.

Cybercriminals Actively Exploiting RDP to Target Remote Organizations

07 May 2020

The COVID-19 pandemic has prompted many companies to enable their employees to work remotely and, in a large number of cases, on a global scale. A key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), which allows communication with a remote system. In order […]

The post Cybercriminals Actively Exploiting RDP to Target Remote Organizations appeared first on McAfee Blogs.

COVID-19 – Malware Makes Hay During a Pandemic

07 May 2020

Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and monitoring of related threats. As COVID-19 continues to spread across the world, it is no surprise that malware authors are exploiting the pandemic. McAfee recently released blogs around Covid-19 related threats – Staying safe while […]

The post COVID-19 – Malware Makes Hay During a Pandemic appeared first on McAfee Blogs.

Tales From the Trenches; a Lockbit Ransomware Story

01 May 2020

Co-authored by Marc RiveroLopez. In collaboration with Northwave. As we highlighted previously across two blogs, targeted ransomware attacks have increased massively over the past months. In our first article, we discussed the growing pattern of targeted ransomware attacks where the primary infection stage is often an info-stealer kind of malware used to gain credentials/access to determine […]

The post Tales From the Trenches; a Lockbit Ransomware Story appeared first on McAfee Blogs.

MalBus Actor Changed Market from Google Play to ONE Store

09 Apr 2020

McAfee Mobile Research team has found another variant of MalBus on an education application, developed by a South Korean developer. In the previous MalBus case, the author distributed the malware through Google Play, but new variants are distributed via the ONE Store in much the same way. ONE Store is a joint venture by the […]

The post MalBus Actor Changed Market from Google Play to ONE Store appeared first on McAfee Blogs.

Transitioning to a Mass Remote Workforce – We Must Verify Before Trusting

07 Apr 2020

While not a new practice, the sheer volume of people required to adhere to social distancing best practices means we now have a mass workforce working remotely. Most enterprises and SMBs can support working remotely today but many IT departments are not equipped to scale to the numbers currently required. In this blog we discuss […]

The post Transitioning to a Mass Remote Workforce – We Must Verify Before Trusting appeared first on McAfee Blogs.

COVID-19 Threat Update – now includes Blood for Sale

07 Apr 2020

Although the use of global events as a vehicle to drive digital crime is hardly surprising, the current outbreak of COVID-19 has revealed a multitude of vectors, including one in particular that is somewhat out of the ordinary. In a sea of offers for face masks, a recent posting on a dark web forum reveals […]

The post COVID-19 Threat Update – now includes Blood for Sale appeared first on McAfee Blogs.

Nemty Ransomware – Learning by Doing

02 Apr 2020

Executive Summary

The McAfee Advanced Threat Research Team (ATR) observed a new ransomware family named ‘Nemty’ on 20 August 2019. We are in an era where ransomware developers face multiple struggles, from the great work done by the security community to protect against their malware, to initiatives such as the No More Ransom project that […]

The post Nemty Ransomware – Learning by Doing appeared first on McAfee Blogs.

Ransomware Maze

26 Mar 2020

EXECUTIVE SUMMARY

The Maze ransomware, previously known in the community as “ChaCha ransomware”, was discovered on May 29th, 2019 by Jerome Segura[1]. The main goal of the ransomware is to encrypt all files that it can in an infected system and then demand a ransom to recover the files. However, the most important characteristic […]

The post Ransomware Maze appeared first on McAfee Blogs.

Staying Safe While Working Remotely

18 Mar 2020

Special thanks to Tim Hux and Sorcha Healy for their assistance. The demand for remote working as a result of the COVID-19 pandemic will invariably place pressures on organizations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote […]

The post Staying Safe While Working Remotely appeared first on McAfee Blogs.

SMBGhost – Analysis of CVE-2020-0796

13 Mar 2020

The Vulnerability

The latest vulnerability in SMBv3 is a “wormable” vulnerability given its potential ability to replicate or spread over network shares using the latest version of the protocol (SMB 3.1.1). As of this writing, Microsoft has just released a patch for CVE-2020-0796 on the morning of March 12th. The bug was introduced very recently, […]

The post SMBGhost – Analysis of CVE-2020-0796 appeared first on McAfee Blogs.

Android/LeifAccess.A is the Silent Fake Reviewer Trojan

04 Mar 2020

The McAfee Mobile Research team has identified an Android malware family dubbed Android/LeifAccess.A that has been active since May 2019. This trojan was discovered globally with localized versions but has a much higher prevalence in the USA and Brazil. As part of the payload, this trojan can abuse OAuth leveraging accessibility services to automatically create […]

The post Android/LeifAccess.A is the Silent Fake Reviewer Trojan appeared first on McAfee Blogs.

Multi-tricks HiddenAds Malware

04 Mar 2020

Thousands of HiddenAds Trojan Apps Masquerade as Google Play Apps

The McAfee mobile research team has recently discovered a new variant of the HiddenAds Trojan. HiddenAds Trojan is an adware app used to display advertising and collect user data for marketing. The goal of such apps is to generate revenue by redirecting users to advertisements. […]

The post Multi-tricks HiddenAds Malware appeared first on McAfee Blogs.

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II

20 Feb 2020

In our first article we discussed the growing pattern of targeted ransomware attacks where the first infection stage is often an info-stealer kind of malware used to gain credentials/access to determine if the target would be valuable for a ransomware attack. In this second part we will pick up where we left off: the attacker […]

The post CSI: Evidence Indicators for Targeted Ransomware Attacks – Part II appeared first on McAfee Blogs.

Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles

19 Feb 2020

The last several years have been fascinating for those of us who have been eagerly observing the steady move towards autonomous driving. While semi-autonomous vehicles have existed for many years, the vision of fleets of fully autonomous vehicles operating as a single connected entity is very much still a thing of the future. However, the […]

The post Model Hacking ADAS to Pave Safer Roads for Autonomous Vehicles appeared first on McAfee Blogs.

Introduction and Application of Model Hacking

19 Feb 2020

Catherine Huang, Ph.D., and Shivangee Trivedi contributed to this blog. The term “Adversarial Machine Learning” (AML) is a mouthful! The term describes a research field regarding the study and design of adversarial attacks targeting Artificial Intelligence (AI) models and features. Even this simple definition can send the most knowledgeable security practitioner running! We’ve coined the […]

The post Introduction and Application of Model Hacking appeared first on McAfee Blogs.

CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I

12 Feb 2020

For many years now I have been working and teaching in the field of digital forensics, malware analysis and threat intelligence. During one of the classes we always talk about Locard’s exchange principle: “with contact between two items, there will be an exchange”. If we translate that to the digital world: “when an adversary breaches […]

The post CSI: Evidence Indicators for Targeted Ransomware Attacks – Part I appeared first on McAfee Blogs.

Knock, Knock – Who’s There?

11 Feb 2020

A Windows Linux Subsystem Interop Analysis

Following our research from Evil Twins and Windows Linux Subsystem, interoperability between different WSL versions was something that caught our attention. The protocol and mechanism to do file management from/to WSL is a must for Blue and Red Teams whose research will provide new ways to execute known techniques […]

The post Knock, Knock – Who’s There? appeared first on McAfee Blogs.

How Chinese Cybercriminals Use Business Playbook to Revamp Underground

11 Feb 2020

Preface

Because of its longevity and technical sophistication, the Russian cybercriminal underground has long been the benchmark for threat researchers focused on studying cybercrime tactics and techniques; there is a plethora of publications dedicated to analyzing its economy and hacking forums. However, only a handful of studies have centered on the emerging threats and trends […]

The post How Chinese Cybercriminals Use Business Playbook to Revamp Underground appeared first on McAfee Blogs.

Intelligence in the Enterprise

11 Feb 2020

Intelligence became an integral military discipline centuries ago. More recently, this practice evolved into what is called Intelligence Preparation of the Battlefield, or IPB. In both military and civilian agencies, the discipline uses information collection followed by analysis to provide guidance and direction to operators making tactical or organizational decisions. Used strategically, this type of intelligence puts an organization in […]

The post Intelligence in the Enterprise appeared first on McAfee Blogs.

U.S. Battleground County Website Security Survey

04 Feb 2020

Today McAfee released the results of a survey of county websites and county election administration websites in the 13 states projected as battleground states in the 2020 U.S. presidential elections. We found that significant majorities of these websites lacked the official government .GOV website validation and HTTPS website security measures to prevent malicious actors from […]

The post U.S. Battleground County Website Security Survey appeared first on McAfee Blogs.

An Inside Look into Microsoft Rich Text Format and OLE Exploits

24 Jan 2020

There has been a dramatic shift in the platforms targeted by attackers over the past few years. Up until 2016, browsers tended to be the most common attack vector to exploit and infect machines but now Microsoft Office applications are preferred, according to a report published here during March 2019. Increasing use of Microsoft Office […]

The post An Inside Look into Microsoft Rich Text Format and OLE Exploits appeared first on McAfee Blogs.

CurveBall – An Unimaginative Pun but a Devastating Bug

18 Jan 2020

Enterprise customers looking for information on defending against Curveball can find information here. 2020 came in with a bang this year, and it wasn’t from the record-setting number of fireworks on display around the world to celebrate the new year. Instead, just over two weeks into the decade, the security world was rocked by a […]

The post CurveBall – An Unimaginative Pun but a Devastating Bug appeared first on McAfee Blogs.

What CVE-2020-0601 Teaches Us About Microsoft’s TLS Certificate Verification Process

17 Jan 2020

By: Jan Schnellbächer and Martin Stecher, McAfee Germany GmbH. This week security researchers around the world were very busy working on Microsoft’s major crypto-spoofing vulnerability (CVE-2020-0601), otherwise known as Curveball. The majority of research went into attacks with malicious binaries that are signed with a spoofed Certificate Authority (CA) which unpatched Win10 systems would in […]

The post What CVE-2020-0601 Teaches Us About Microsoft’s TLS Certificate Verification Process appeared first on McAfee Blogs.

Iran Cyber Threat Update

08 Jan 2020

Recent political tensions in the Middle East region have led to significant speculation of increased cyber-related activities. McAfee is on a heightened state of alert to monitor the evolving threats and rapidly implement coverage across all McAfee products as intelligence becomes available. Known campaigns associated with the threat actors from this region were integrated into […]

The post Iran Cyber Threat Update appeared first on McAfee Blogs.

We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors

07 Jan 2020

The idea of controlling your garage door remotely and verifying that everything is secure at home, or having packages delivered directly into your garage is enticing for many people. The convenience that many of these IoT devices provide often persuades consumers away from thinking about the possible security concerns. McAfee Advanced Threat Research recently investigated […]

The post We Be Jammin’ – Bypassing Chamberlain myQ Garage Doors appeared first on McAfee Blogs.

The Cloning of The Ring – Who Can Unlock Your Door?

07 Jan 2020

Steve Povolny contributed to this report. McAfee’s Advanced Threat Research team performs security analysis of products and technologies across nearly every industry vertical. Special interest in the consumer space and Internet of Things (IoT) led to the discovery of an insecure design with the McLear NFC Ring, a household access control device. The NFC Ring […]

The post The Cloning of The Ring – Who Can Unlock Your Door? appeared first on McAfee Blogs.

The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers

07 Jan 2020

This week McAfee Advanced Threat Research (ATR) published new findings, uncovering security flaws in two popular IoT devices: a connected garage door opener and a “smart” ring, which, amongst many uses, utilizes near field communication (NFC) to open door locks. I’d like to use these cases as examples of a growing concern in the area […]

The post The Tradeoff Between Convenience and Security – A Balancing Act for Consumers and Manufacturers appeared first on McAfee Blogs.

Top Tips to Spot Tech Support Scams

12 Dec 2019

There are a number of ways scammers target your money or personal details. These scams include support sites for services such as Office365, iCloud, Gmail, etc. They will charge you for the service and steal your credit card details. Software activation scam sites will steal your activation code and they may resell it at a […]

The post Top Tips to Spot Tech Support Scams appeared first on McAfee Blogs.

Analysis of LooCipher, a New Ransomware Family Observed This Year

05 Dec 2019

Co-authored by Marc RiveroLopez.

Initial Discovery

This year seems to again be the year for ransomware. Notorious attacks were made using ransomware and new families are being detected almost on a weekly basis. The McAfee ATR team has now analyzed a new ransomware family with some special features we would like to showcase. LooCipher represents […]

The post Analysis of LooCipher, a New Ransomware Family Observed This Year appeared first on McAfee Blogs.

McAfee Labs 2020 Threats Predictions Report

05 Dec 2019

With 2019’s headlines of ransomware, malware, and RDP attacks almost behind us, we shift our focus to the cybercrime threats ahead. Cybercriminals are increasing the complexity and volume of their attacks and campaigns, always looking for ways to stay one step ahead of cybersecurity practices – and more often using the world’s evolving technology against […]

The post McAfee Labs 2020 Threats Predictions Report appeared first on McAfee Blogs.

Spanish MSSP Targeted by BitPaymer Ransomware

08 Nov 2019

Co-authored by Marc RiveroLopez.

Initial Discovery

This week the news hit that several companies in Spain were hit by a ransomware attack. Ransomware attacks themselves are not new but, by interacting with one of the cases in Spain, we want to highlight in this blog how well prepared and targeted an attack can be and […]

The post Spanish MSSP Targeted by BitPaymer Ransomware appeared first on McAfee Blogs.

Buran Ransomware; the Evolution of VegaLocker

05 Nov 2019

McAfee’s Advanced Threat Research Team observed how a new ransomware family named ‘Buran’ appeared in May 2019. Buran works as a RaaS model like other ransomware families such as REvil, GandCrab (now defunct), Phobos, etc. The author(s) take 25% of the income earned by affiliates, instead of the 30% – 40%, numbers from notorious malware […]

The post Buran Ransomware; the Evolution of VegaLocker appeared first on McAfee Blogs.

Office 365 Users Targeted by Voicemail Scam Pages

31 Oct 2019

Over the past few weeks McAfee Labs has been observing a new phishing campaign using a fake voicemail message to lure victims into entering their Office 365 email credentials. At first, we believed that only one phishing kit was being used to harvest the user’s credentials. However, during our investigation, we found three different malicious […]

The post Office 365 Users Targeted by Voicemail Scam Pages appeared first on McAfee Blogs.

Did You Check Your Quarantine?!

28 Oct 2019

A cost-effective way to detect targeted attacks in your enterprise

While it is easy to get caught up in the many waves of new and exciting protection strategies, we have recently discovered an interesting approach to detect a targeted attack and the related actor(s). Quite surprisingly, a big part of the solution already exists in […]

The post Did You Check Your Quarantine?! appeared first on McAfee Blogs.

Using Expert Rules in ENS to Prevent Malicious Exploits

25 Oct 2019

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3+. Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control and monitor an endpoint system […]

The post Using Expert Rules in ENS to Prevent Malicious Exploits appeared first on McAfee Blogs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo

21 Oct 2019

Episode 4: Crescendo

This is the final installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid-2019. In this final episode of our series we will zoom in on the operations, techniques and tools used by different affiliate […]

The post McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Crescendo appeared first on McAfee Blogs.

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – Follow The Money

14 Oct 2019

Episode 3: Follow the Money

This is the third installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) Campaign of 2018 and mid-2019. The Talking Heads once sang “We’re on a road to nowhere.” This expresses how challenging it can be when […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – The All-Stars

02 Oct 2019

Episode 2: The All-Stars. Analyzing Affiliate Structures in Ransomware-as-a-Service Campaigns. This is the second installment of the McAfee Advanced Threat Research (ATR) analysis of Sodinokibi and its connections to GandCrab, the most prolific Ransomware-as-a-Service (RaaS) campaign of 2018 and mid-2019. GandCrab announced its retirement at the end of May. Since then, a new RaaS family […]

McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us

02 Oct 2019

Episode 1: What the Code Tells Us. McAfee’s Advanced Threat Research team (ATR) observed a new ransomware family in the wild, dubbed Sodinokibi (or REvil), at the end of April 2019. Around this same time, the GandCrab ransomware crew announced they would shut down their operations. Coincidence? Or is there more to the story? In […]

How Visiting a Trusted Site Could Infect Your Employees

10 Sep 2019

The Artful and Dangerous Dynamics of Watering Hole Attacks. A group of researchers recently published findings on the exploitation of multiple iPhone vulnerabilities using websites to infect final targets. The key concept behind this type of attack is the use of trusted websites as an intermediate platform to attack others, and it’s defined as a watering hole […]

Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study

09 Sep 2019

Executive Summary: Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to have an overview of the threat. Many companies use these kinds of systems to detonate malicious […]

Apple iOS Attack Underscores Importance of Threat Research

04 Sep 2019

The recent discovery of exploit chains targeting Apple iOS is the latest example of how cybercriminals can successfully operate malicious campaigns, undetected, through the use of zero-day vulnerabilities. In this scenario, a threat actor or actors operated multiple compromised websites, using one or more zero-day vulnerabilities and numerous unique exploit chains and known vulnerabilities to […]

Analyzing and Identifying Issues with the Microsoft Patch for CVE-2018-8423

28 Aug 2019

Introduction: As of July 2019, Microsoft has fixed around 43 bugs in the Jet Database Engine. McAfee has reported a couple of bugs and, so far, we have received 10 CVEs from Microsoft. In our previous post, we discussed the root cause of CVE-2018-8423. While analyzing this CVE and patch from Microsoft, we found that […]

The Twin Journey, Part 3: I’m Not a Twin, Can’t You See my Whitespace at the End?

13 Aug 2019

In this series of 3 blogs (you can find part 1 here, and part 2 here), so far we have understood the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitivity is enabled, and some issues that could be raised by […]

McAfee AMSI Integration Protects Against Malicious Scripts

12 Aug 2019

Following on from the McAfee Protects Against Suspicious Email Attachments blog, this blog describes how the AMSI (Antimalware Scan Interface) is used within the various McAfee Endpoint products. The AMSI scanner within McAfee ENS 10.6 has already detected over 650,000 pieces of malware since the start of 2019. This blog will help show you how […]

From Building Control to Damage Control: A Case Study in Industrial Security Featuring Delta’s enteliBUS Manager

09 Aug 2019

Management. Control. It seems that you can’t stick five people in a room together without one of them trying to order the others around. This tendency towards centralized authority is not without reason, however – it is often more efficient to have one person, or thing, calling the shots. For an example of the latter, […]

HVACking: Understanding the Delta Between Security and Reality

09 Aug 2019

The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated an industrial control system (ICS) produced by Delta Controls. The product, called “enteliBUS Manager”, is used for several applications, including building management. Our research […]

Avaya Deskphone: Decade-Old Vulnerability Found in Phone’s Firmware

08 Aug 2019

Avaya is the second largest VoIP solution provider (source) with an install base covering 90% of the Fortune 100 companies (source), with products targeting a wide spectrum of customers, from small businesses and the midmarket to large corporations. As part of the ongoing McAfee Advanced Threat Research effort into researching critical vulnerabilities in widely deployed software […]

MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play

07 Aug 2019

The McAfee mobile research team has found a new type of Android malware for the MoqHao phishing campaign (a.k.a. XLoader and Roaming Mantis) targeting Korean and Japanese users. A series of attack campaigns are still active, mainly targeting Japanese users. The new spyware has very different payloads from the existing MoqHao samples. However, we found […]

The Twin Journey, Part 2: Evil Twins in a Case In-sensitive Land

06 Aug 2019

In the first of this 3-part blog series, we covered the implications of promoting files to “Evil Twins” where they can be created and remain in the system as different entities once case sensitivity is enabled. In this second post we try to abuse applications that do not work well with CS changes, abusing years […]

DHCP Client Remote Code Execution Vulnerability Demystified

02 Aug 2019

CVE-2019-0547 was the first vulnerability patched by Microsoft this year. The dynamic link library, dhcpcore.dll, which is responsible for DHCP client services in a system, is vulnerable to malicious DHCP reply packets. This vulnerability allows remote code execution if the user tries to connect to a network with a rogue DHCP server, hence making […]

Clop Ransomware

01 Aug 2019

This new ransomware was discovered by Michael Gillespie on 8 February 2019 and it is still improving over time. This blog will explain the technical details and share information about how this new ransomware family is working. There are some variants of the Clop ransomware but in this report, we will focus on the main […]

The Twin Journey, Part 1

31 Jul 2019

Summary and Introduction: The recent changes in Windows 10, aiming to add case sensitivity (CS) at directory level, have prompted our curiosity to investigate the potential to use CS as a means of obfuscation or WYSINWYG (What You See is NOT What you Get). While CS was our entry point, we then ventured into other […]

Jet Database Engine Flaw May Lead to Exploitation: Analyzing CVE-2018-8423

30 Jul 2019

In September 2018, the Zero Day Initiative published a proof of concept for a vulnerability in Microsoft’s Jet Database Engine. Microsoft released a patch in October 2018. We investigated this flaw at that time to protect our customers. We were able to find some issues with the patch and reported that to Microsoft, which resulted […]

What Is Mshta, How Can It Be Used and How to Protect Against It

29 Jul 2019

The not-so-usual suspects. There is a growing trend for attackers to more heavily utilize tools that already exist on a system rather than relying totally on their own custom malware. Using .hta files or their partner in crime, mshta.exe, is an alternative to using macro-enabled documents for attacks and has been around a […]

Examining the Link Between TLD Prices and Abuse

26 Jul 2019

This blog was written by Charlie Feng. Briefing: Over the years, McAfee researchers have observed that certain new top-level domains (TLDs) are more likely to be abused by cyber criminals for malicious activities than others. Our investigations reveal a negative relationship between the likelihood for abuse and the registration price of some TLDs, as reported by […]

No More Ransom Blows Out Three Birthday Candles Today

26 Jul 2019

Collaborative Initiative Celebrates Helping More Than 200,000 Victims and Preventing More Than 100 million USD From Falling into Criminal Hands. Three years ago, on this exact day, the public and private sectors drew a line in the sand against ransomware. At that time, ransomware was becoming one of the most prevalent cyber threats globally. We […]

Demystifying Blockchain: Sifting Through Benefits, Examples and Choices

23 Jul 2019

You have likely heard that blockchain will disrupt everything from banking to retail to identity management and more. You may have seen commercials for IBM touting the supply chain tracking benefits of blockchain.[i] It appears nearly every industry is investing in, adopting, or implementing blockchain. Someone has probably told you that blockchain can completely transform […]

McAfee ATR Aids Police in Arrest of Rubella & Dryad Office Macro Builder

17 Jul 2019

Every day, thousands of people receive emails with malicious attachments in their inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. […]

16Shop Now Targets Amazon

12 Jul 2019

Since early November 2018, McAfee Labs have observed a phishing kit, dubbed 16Shop, being used by malicious actors to target Apple account holders in the United States and Japan. Typically, the victims receive an email with a PDF file attached. An example of the message within the email is shown below, with an accompanying translation: […]

RDP Security Explained

24 Jun 2019

RDP on the Radar. Recently, McAfee released a blog related to the wormable RDP vulnerability referred to as CVE-2019-0708 or “BlueKeep.” The blog highlights a particular vulnerability in RDP which was deemed critical by Microsoft due to the fact that it is exploitable over a network connection without authentication. These attributes make it particularly ‘wormable’ – […]

Why Process Reimaging Matters

20 Jun 2019

As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging. Admittedly, this technique probably lacks a catchy name, but be under no illusion: the technique is significant and is worth paying very close attention to. […]

In NTDLL I Trust – Process Reimaging and Endpoint Security Solution Bypass

20 Jun 2019

Process Reimaging Overview: The Windows operating system has inconsistencies in how it determines process image FILE_OBJECT locations, which impacts the ability of non-EDR (Endpoint Detection and Response) endpoint security solutions (such as Microsoft Defender Realtime Protection) to detect the correct binaries loaded in malicious processes. This inconsistency has led McAfee’s Advanced Threat Research to develop a new […]

Mr. Coffee with WeMo: Double Roast

30 May 2019

McAfee Advanced Threat Research recently released a blog detailing a vulnerability in the Mr. Coffee Coffee Maker with WeMo. Please refer to the earlier blog to catch up with the processes and techniques I used to investigate and ultimately compromise this smart coffee maker. While researching the device, there was always one attack vector that […]

Cryptocurrency Laundering Service, BestMixer.io, Taken Down by Law Enforcement

22 May 2019

A much overlooked but essential part in financially motivated (cyber)crime is making sure that the origins of criminal funds are obfuscated or made to appear legitimate, a process known as money laundering. ‘Cleaning’ money in this way allows the criminal to spend their loot with less chance of being caught. In the physical world, for […]

RDP Stands for “Really DO Patch!” – Understanding the Wormable RDP Vulnerability CVE-2019-0708

21 May 2019

During Microsoft’s May Patch Tuesday cycle, a security advisory was released for a vulnerability in the Remote Desktop Protocol (RDP). What was unique in this particular patch cycle was that Microsoft produced a fix for Windows XP and several other operating systems, which have not been supported for security updates in years. So why the […]

LockerGoga Ransomware Family Used in Targeted Attacks

29 Apr 2019

Co-authored by Marc RiveroLopez. Initial discovery: Once again, we have seen a significant new ransomware family in the news. LockerGoga, which adds new features to the tried and true formula of encrypting victims’ files and asking for payment to decrypt them, has gained notoriety for the targets it has affected. In this blog, we will […]

IoT Zero-Days – Is Belkin WeMo Smart Plug the Next Malware Target?

18 Apr 2019

Effective malware is typically developed with intention, targeting specific victims using either known or unknown vulnerabilities to achieve its primary functions. In this blog, we will explore a vulnerability submitted by McAfee Advanced Threat Research (ATR) and investigate a piece of malware that recently incorporated similar vulnerabilities. The takeaway from this blog is the increasing […]

Analysis of a Chrome Zero Day: CVE-2019-5786

20 Mar 2019

1. Introduction: On March 1st, Google published an advisory [1] for a use-after-free in the Chrome implementation of the FileReader API (CVE-2019-5786). Clement Lecigne from Google Threat Analysis Group reported the bug as being exploited in the wild and targeting Windows 7 32-bit platforms. The exploit leads to code execution in the Renderer process, […]

Attackers Exploiting WinRAR UNACEV2.DLL Vulnerability (CVE-2018-20250)

14 Mar 2019

Earlier this month Check Point Research reported discovery of a 19-year-old code execution vulnerability in the wildly popular WinRAR compression tool. Rarlab reports that there are over 500 million users of this program. While a patched version, 5.70, was released on February 26, attackers are releasing exploits in an effort to reach vulnerable […]

McAfee Protects Against Suspicious Email Attachments

04 Mar 2019

Email remains a top vector for attackers. Over the years, defenses have evolved, and policy-based protections have become standard for email clients such as Microsoft Outlook and Microsoft Mail. Such policies are highly effective, but only if they are maintained as attackers keep changing their tactics to evade defenses. For this reason, McAfee endpoint products […]

JAVA-VBS Joint Exercise Delivers RAT

01 Mar 2019

The Adwind remote administration tool (RAT) is a Java-based backdoor Trojan that targets various platforms supporting Java files. For an infection to occur, the user must typically execute the malware by double-clicking on the .jar file that usually arrives as an email attachment. Generally, infection begins if the user has the Java Runtime Environment installed. […]

Your Smart Coffee Maker is Brewing Up Trouble

25 Feb 2019

IoT devices are notoriously insecure and this claim can be backed up with a laundry list of examples. With more devices “needing” to connect to the internet, the possibility of your Wi-Fi-enabled toaster getting hacked and tweeting out your credit card number is, amazingly, no longer a joke. With that in mind, I began […]

What’s in the Box?

25 Feb 2019

2018 was another record-setting year in the continuing trend for consumer online shopping. With an increase in technology and efficiency, and a decrease in cost and shipping time, consumers have clearly made a statement that shopping online is their preferred method. [Chart: growth of online, web-influenced and offline sales by year.] In direct correlation […]

Ryuk, Exploring the Human Connection

20 Feb 2019

In collaboration with Bill Siegel and Alex Holdtman from Coveware. At the beginning of 2019, McAfee ATR published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details on Ryuk’s inner workings, the overlap between Ryuk and Hermes2.1, […]

MalBus: Popular South Korean Bus App Series in Google Play Found Dropping Malware After 5 Years of Development

04 Feb 2019

McAfee’s Mobile Research team recently learned of a new malicious Android application masquerading as a plugin for a transportation application series developed by a South Korean developer. The series provides a range of information for each region of South Korea, such as bus stop locations, bus arrival times and so on. There are a total […]

Happy New Year 2019! Anatova is here!

22 Jan 2019

During our continuous hunt for new threats, we discovered a new ransomware family we call Anatova (based on the name of the ransom note). Anatova was discovered in a private peer-to-peer (p2p) network. After initial analysis, and making sure that our customers are protected, we decided to make this discovery public. Our telemetry showed that […]

IE Scripting Flaw Still a Threat to Unpatched Systems: Analyzing CVE-2018-8653

10 Jan 2019

Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received […]

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

09 Jan 2019

Senior analyst Ryan Sherstobitoff contributed to this report. During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to […]

Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems

19 Dec 2018

Last week the McAfee Advanced Threat Research team posted an analysis of a new wave of Shamoon “wiper” malware attacks that struck several companies in the Middle East and Europe. In that analysis we discussed one difference to previous Shamoon campaigns. The latest version has a modular approach that allows the wiper to be used […]