Daily Archives: January 9, 2019

Global DNS Hijacking Campaign: DNS Record Manipulation at Scale


FireEye’s Mandiant Incident Response and Intelligence teams have identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and internet infrastructure entities across the Middle East and North Africa, Europe and North America. While we do not currently link this activity to any tracked group, initial research suggests the actor or actors responsible have a nexus to Iran. This campaign has targeted victims across the globe on an almost unprecedented scale, with a high degree of success. We have been tracking this activity for several months, mapping and understanding the innovative tactics, techniques and procedures (TTPs) deployed by the attacker. We have also worked closely with victims, security organizations, and law enforcement agencies where possible to reduce the impact of the attacks and/or prevent further compromises.

While this campaign employs some traditional tactics, it is differentiated from other Iranian activity we have seen by leveraging DNS hijacking at scale. The attacker uses this technique for their initial foothold, which can then be exploited in a variety of ways. In this blog post, we detail the three different ways we have seen DNS records be manipulated to enable victim compromises. Technique 1, involving the creation of a Let's Encrypt certificate and changing the A record, was previously documented by Cisco’s TALOS team. The activity described in their blog post is a subset of the activity we have observed.

Initial Research Suggests Iranian Sponsorship

Attribution analysis for this activity is ongoing. While the DNS record manipulations described in this post are noteworthy and sophisticated, they may not be exclusive to a single threat actor as the activity spans disparate timeframes, infrastructure, and service providers.

  • Multiple clusters of this activity have been active from January 2017 to January 2019.
  • There are multiple, nonoverlapping clusters of actor-controlled domains and IPs used in this activity.
  • A wide range of providers were chosen for encryption certificates and VPS hosts.

Preliminary technical evidence allows us to assess with moderate confidence that this activity is conducted by persons based in Iran and that the activity aligns with Iranian government interests.

  • FireEye Intelligence identified access from Iranian IPs to machines used to intercept, record and forward network traffic. While geolocation of an IP address is a weak indicator, these IP addresses were previously observed during the response to an intrusion attributed to Iranian cyber espionage actors.
  • The entities targeted by this group include Middle Eastern governments whose confidential information would be of interest to the Iranian government and have relatively little financial value.


The following examples use victim[.]com to stand in for the victim domain, and private IP addresses to stand in for the actor-controlled IP addresses.

Technique 1 – DNS A Records

The first method exploited by the attacker is altering DNS A Records, as seen in Figure 1.

Figure 1: DNS A Record

  1. The attacker logs into PXY1, a Proxy box used to conduct non-attributed browsing and as a jumpbox to other infrastructure.
  2. The attacker logs into the DNS provider’s administration panel, utilising previously compromised credentials.
  3. The A record (e.g. mail[.]victim[.]com) is currently pointing to
  4. The attacker changes the A record and points it to (OP1).
  5. The attacker logs in from PXY1 to OP1.
    • A proxy is implemented to listen on all open ports, mirroring mail[.]victim[.]com.
    • A load balancer points to [mail[.]victim[.]com] to pass through user traffic.
  6. certbot is used to create a Let’s Encrypt certificate for mail[.]victim[.]com
    • We have observed multiple Domain Control Validation providers being utilised as part of this campaign.
  7. A user now visits mail[.]victim[.]com and is directed to OP1. The Let’s Encrypt certificate allows browsers to establish a connection without any certificate errors, as Let's Encrypt Authority X3 is trusted. The connection is forwarded to the load balancer, which establishes the connection with the real mail[.]victim[.]com. The user is not aware of any changes and may only notice a slight delay.
  8. The username, password and domain credentials are harvested and stored.

Technique 2 – DNS NS Records

The second method exploited by the attacker involved altering DNS NS Records, as seen in Figure 2.

Figure 2: DNS NS Record

  1. The attacker again logs into PXY1.
  2. This time, however, the attacker exploits a previously compromised registrar or ccTLD.
  3. The nameserver record ns1[.]victim[.]com is currently set to The attacker changes the NS record and points it to ns1[.]baddomain[.]com []. That nameserver will respond with the IP (OP1) when mail[.]victim[.]com is requested, but with the original IP if it is www[.]victim[.]com.
  4. The attacker logs in from PXY1 to OP1.
    • A proxy is implemented to listen on all open ports, mirroring mail[.]victim[.]com.
    • A load balancer points to [mail[.]victim[.]com] to pass through user traffic.
  5. certbot is used to create a Let’s Encrypt certificate for mail[.]victim[.]com.
    • We have observed multiple Domain Control Validation providers being utilised during this campaign.
  6. A user visits mail[.]victim[.]com and is directed to OP1. The Let’s Encrypt certificate allows browsers to establish a connection without any certificate errors, as Let's Encrypt Authority X3 is trusted. The connection is forwarded to the load balancer, which establishes the connection with the real mail[.]victim[.]com. The user is not aware of any changes and may only notice a slight delay.
  7. The username, password and domain credentials are harvested and stored.

Technique 3 – DNS Redirector

The attacker has also been observed using a third technique in conjunction with either Figure 1 or Figure 2 above. This involves a DNS Redirector, as seen in Figure 3.

Figure 3: DNS Operational box

The DNS Redirector is an attacker operations box which responds to DNS requests.

  1. A DNS request for mail[.]victim[.]com is sent to OP2 (based on previously altered A Record or NS Record).
  2. If the domain is part of victim[.]com zone, OP2 responds with an attacker-controlled IP address, and the user is re-directed to the attacker-controlled infrastructure.
  3. If the domain is not part of the victim[.]com zone (e.g. google[.]com), OP2 makes a DNS request to a legitimate DNS server to obtain the IP address, and that legitimate IP address is returned to the user.


A large number of organizations have been affected by this pattern of DNS record manipulation and fraudulent SSL certificates. They include telecoms and ISP providers, internet infrastructure providers, government and sensitive commercial entities.

Root Cause Still Under Investigation

It is difficult to identify a single intrusion vector for each record change, and it is possible that the actor or actors are using multiple techniques to gain an initial foothold into each of the targets described above. FireEye intelligence customers have received previous reports describing sophisticated phishing attacks used by one actor that also conducts DNS record manipulation. Additionally, while the precise mechanism by which the DNS records were changed is unknown, we believe that at least some records were changed by compromising a victim’s domain registrar account.

Prevention Tactics

This type of attack is difficult to defend against because valuable information can be stolen even if an attacker never gains direct access to your organization’s network. Some steps to harden your organization include:

  1. Implement multi-factor authentication on your domain’s administration portal.
  2. Validate A and NS record changes.
  3. Search for SSL certificates related to your domain and revoke any malicious certificates.
  4. Validate the source IPs in OWA/Exchange logs.
  5. Conduct an internal investigation to assess if attackers gained access to your environment.
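Steps 2 and 3 above (validating A and NS record changes, and finding certificates issued for your domain that you did not request) can be run as a routine check. The script below is an added example, not FireEye's tooling: it compares a baseline of expected records against a constructed dig-style answer section and flags certificate transparency entries whose serial numbers are not in the organisation's own inventory. The baseline values, the answer lines, the serial numbers and the issuer names are all constructed for illustration; following the post's convention, a private address stands in for the attacker-controlled host.

```python
"""Zone-baseline and certificate-inventory checks (added example, constructed data)."""
import re

# Hypothetical baseline of the records the organisation expects, keyed by (owner, type).
EXPECTED_RECORDS = {
    ("mail.victim.com.", "A"): {"203.0.113.10"},
    ("www.victim.com.", "A"): {"203.0.113.20"},
    ("victim.com.", "NS"): {"ns1.victim.com.", "ns2.victim.com."},
}

# Constructed answer section in dig's presentation format, as a periodic
# monitor might capture it after a Technique 1 / Technique 2 style change.
OBSERVED_ANSWERS = """\
mail.victim.com.    300   IN  A   10.0.0.5
www.victim.com.     300   IN  A   203.0.113.20
victim.com.         3600  IN  NS  ns1.baddomain.com.
victim.com.         3600  IN  NS  ns2.victim.com.
"""

# Constructed certificate inventory (serials the organisation itself requested)
# and constructed certificate transparency search results for the zone.
KNOWN_CERT_SERIALS = {"04:a1:77", "04:b2:88"}
CT_LOG_ENTRIES = [
    {"serial": "04:a1:77", "names": ["mail.victim.com"], "issuer": "Example Corp CA"},
    {"serial": "04:b2:88", "names": ["www.victim.com"], "issuer": "Example Corp CA"},
    {"serial": "09:ff:01", "names": ["mail.victim.com"], "issuer": "Let's Encrypt Authority X3"},
]

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|NS|MX|CNAME)\s+(\S+)$")


def parse_answers(text):
    """Parse dig-style answer lines into {(owner, type): set(rdata)}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = LINE_RE.match(line)
        if not match:
            raise ValueError(f"unparsed answer line: {line!r}")
        name, _ttl, rtype, rdata = match.groups()
        records.setdefault((name.lower(), rtype), set()).add(rdata.lower())
    return records


def diff_records(expected, observed):
    """Report rdata present but not expected (UNEXPECTED) and expected but absent (MISSING)."""
    findings = []
    for (name, rtype), want in expected.items():
        got = observed.get((name, rtype), set())
        for rdata in sorted(got - want):
            findings.append(("UNEXPECTED", rtype, name, rdata))
        for rdata in sorted(want - got):
            findings.append(("MISSING", rtype, name, rdata))
    return findings


def unknown_certificates(entries, known_serials, zone):
    """Return CT entries covering a name in the zone whose serial is not in the inventory."""
    apex = zone.strip(".")
    suffix = "." + apex
    return [
        entry for entry in entries
        if any(n == apex or n.endswith(suffix) for n in entry["names"])
        and entry["serial"] not in known_serials
    ]


def run_checks():
    """Run both checks over the constructed data and return the findings."""
    observed = parse_answers(OBSERVED_ANSWERS)
    return {
        "dns": diff_records(EXPECTED_RECORDS, observed),
        "certs": unknown_certificates(CT_LOG_ENTRIES, KNOWN_CERT_SERIALS, "victim.com"),
    }


if __name__ == "__main__":
    results = run_checks()
    for kind, rtype, name, rdata in results["dns"]:
        print(f"{kind}: {rtype} {name} -> {rdata}")
    for cert in results["certs"]:
        print(f"UNKNOWN CERT: serial {cert['serial']} for {cert['names']} from {cert['issuer']}")
```

In practice the observed answers would come from querying several independent resolvers (and the authoritative servers directly), since a single resolver's view is exactly what a NS-record change or redirector is designed to control; the certificate list would come from a certificate transparency search for the zone.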


This DNS hijacking, and the scale at which it has been exploited, showcases the continuing evolution in tactics from Iran-based actors. This is an overview of one set of TTPs that we recently observed affecting multiple entities. We are highlighting it now so that potential targets can take appropriate defensive action.

2019 is Here – Have You Made Any Digital Parenting Resolutions for The Year?

Hello parents! Welcome to 2019. I have a hunch you are feeling all charged up and ready to start the new year on a positive note. Are your resolutions for the year ready? Take a minute and check: have you included any digital parenting resolutions in your list? If yes, great! If no, worry not, McAfee Cybermum is here for you.

Parenting is not an easy job, and the rapid progress of technology has added to it. In addition to teaching your kids values and life skills for the real world, you now have to do the same for the digital world too. At times, you don’t know whether you are doing too much or not enough; given the digital immigrants that we are, we have no resources to draw from. There is little time to step back and reflect on one’s own parenting style, leading to doubts and guilt. Wouldn’t it be lovely, therefore, if there was a ready reckoner on the subject?

Sharing my list of digital parenting resolutions with you. They are broadly aimed at helping us be more involved and evolved digital parents who are empowered to guide kids in the digital world. Feel free to add, delete or customize as per your family’s needs. Always keep in mind that each family is different, in terms of values and environment; and each child is different, in terms of ability and maturity.

Parents, presenting to you My Digital Parenting Resolution List for 2019:

  • Focus on digital media balance: There are several devices at home these days. The collective time spent working on a laptop, reading from an e-book and browsing social media on tabs or phones is considerable. To a young child, who can’t differentiate between work and pleasure, it may look like you can’t stay off digital devices the whole day and they may follow suit. You have to therefore fix your online schedule and practice digital balance.
  • Focus on having a positive digital media presence: What many parents fail to realize is that all social media users are media content creators and consumers. Each user is a newsmaker who can use digital media to create and share content, either negative or positive. As a consumer, a gullible user may accept the content as truth, without verifying. Fake news is rampant, and parents need to impress the need for fact-checking upon the kids.
  • Focus on values like empathy and mercy: The digital world brings the world to your homes and you connect with both strangers and acquaintances. There is therefore a greater need for kindness, tolerance and empathy. Posts may go viral and cause trouble or lead to cyberbullying. Children need to learn the importance of kindness and forgiveness to keep their digital world clean and happy. Parents can set an example by displaying these virtues in the real and the digital world.
  • Focus on self-control: One of the biggest issues nuclear families face today is that of work-life balance. Too many hours spent working can leave parents feeling guilty, and they then try to compensate by giving the kids expensive gifts. Set up a routine for games, chat and story time with kids to make up for long hours of absence.
  • Focus on being the perfect role model: As we know, children copy their parents. It’s like being a celebrity with the camera rolling 24/7. Modify your speech, actions, and digital actions so that children have the right guidance for their online behavior.
  • Focus on listening more: Parents generally tend to preach rather than listen. Plan to listen well in 2019. You will come to know a lot about your child’s life, aspirations and concerns if you do. The bonus is, they too will pay attention to you and your advice.
  • Focus on general health: You want your child to be healthy and active, right? To be the perfect role model, exercise daily and play some games with your kids. Your kids too will then develop the same disciplined outlook towards health and sports. A healthy, active family usually prefers games to digital devices.
  • Focus on monitoring digital footprints and reputation: As your kids grow up, talk to them about the importance of exercising the right behavior online and the consequences of a poor digital reputation on academic and job prospects. Use examples from social media to differentiate between a desirable and an avoidable post or photo. Discuss what should be kept private and what can be shared.
  • Focus on cybersafety and privacy: With the rise in data breaches and ID theft via phishing attacks, it is imperative to discuss cyber safety regularly at home. Insist on the use of secured devices and scanning of every external device before use. Also, educate your children about malware and how apps, links and attachments are used to share them.
  • Focus on the monitoring and extent of parental supervision online: Though your children will have no problems with the installation of security tools like McAfee Total Protection, parental control is another matter altogether. Here, your diplomatic approach will stand you in good stead. Share your concerns about strangers and cyber criminals and establish that you plan to monitor their online lives till they are mature enough to tackle issues themselves. Ensure that they understand you don’t mean to pry but protect.

Start the year on a positive note. Take charge of your family’s digital life. Plan your parenting schedule, just like you plan your day. And yes, Happy New Year!!!


The post 2019 is Here – Have You Made Any Digital Parenting Resolutions for The Year? appeared first on McAfee Blogs.

Ryuk Ransomware Attack: Rush to Attribution Misses the Point

Senior analyst Ryan Sherstobitoff contributed to this report.

During the past week, an outbreak of Ryuk ransomware that impeded newspaper printing services in the United States has garnered a lot of attention. To determine who was behind the attack many have cited past research that compares code from Ryuk with the older ransomware Hermes to link the attack to North Korea. Determining attribution was largely based on the fact that the Hermes ransomware has been used in the past by North Korean actors, and code blocks in Ryuk are similar to those in Hermes.

The McAfee Advanced Threat Research team has investigated this incident and determined how the malware works, how the attackers operate, and how to detect it. Based on the technical indicators, known cybercriminal characteristics, and evidence discovered on the dark web, our hypothesis is that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the hallmarks of a cybercrime operation.

How McAfee approaches attribution

Attribution is a critical part of any cybercrime investigation. However, technical evidence is often not enough to positively identify who is behind an attack because it does not provide all the pieces of the puzzle. Artifacts do not all appear at once; a new piece of evidence unearthed years after an attack can shine a different light on an investigation and introduce new challenges to current assumptions.

Ryuk attack: putting the pieces together

In October 2017, we investigated an attack on a Taiwanese bank. We discovered the actors used a clever tactic to distract the IT staff: a ransomware outbreak timed for the same moment that the thieves were stealing money. We used the term pseudo-ransomware to describe this attack. The malware was Hermes version 2.1.

One of the functions we often see in ransomware samples is that they will not execute if the victim’s system language is one of the following:

  • 419 (Russian)
  • 422 (Ukrainian)
  • 423 (Belarusian)

That was October 2017. Searching earlier events, we noticed a posting from August 2017 in an underground forum in which a Russian-speaking actor offered the malware kit Hermes 2.1 ransomware:

What if the actor who attacked the Taiwanese bank simply bought a copy of Hermes and added it to the campaign to cause the distraction? Why go to the trouble to build something, when the actor can just buy the perfect distraction in an underground forum?

In the same underground forum thread we found a post from October 22, 2018, mentioning Ryuk.

This post contains a link to an article in the Russian security magazine Xakep.ru (“Hacker”) discussing the emergence of Ryuk and how it was first discovered by MalwareHunterTeam in August 2018. This first appearance came well before last week’s attack on newspaper printing services.

Manga connection

Ryuk, according to Wikipedia, refers to a Japanese manga character from the series “Death Note.” Ryuk apparently drops a death note, a fitting name for ransomware that drops ransom notes.

Ransomware is typically named by its cybercriminal developer, as opposed to the naming of state-sponsored malware, which is mostly done by the security industry. It seems the criminals behind Ryuk are into manga.

The use of manga character names and references is common in the cybercriminal scene. We often come across manga-inspired nicknames and avatars in underground forums.

Technical indicators

Looking at research from our industry peers comparing Ryuk and Hermes, we notice that the functionalities are generally equal. We agree that the actors behind Ryuk have access to the Hermes source code.

Let’s dive a bit deeper into Ryuk and compare samples over the last couple of months regarding compilation times and the presence of program database (PDB) paths:

We can see the PDB paths are almost identical. When we compare samples from August and December 2018 and focus on the checksum values of the executables’ rich headers, they are also identical.
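The Rich header comparison described above is easy to script for sample triage. The following is an added example and not McAfee's tooling: it decodes the Rich header that Microsoft linkers place between the DOS stub and the PE signature (XOR-encoded dwords ending in the "Rich" marker followed by the XOR key, which doubles as the header's checksum) and compares two samples on that fingerprint. It runs on constructed MZ buffers rather than on Ryuk samples; the keys and tool-ID entries used are made-up values.

```python
"""Compare PE samples by Rich header fingerprint (added example, constructed inputs)."""
import struct

DANS = struct.unpack("<I", b"DanS")[0]  # start marker, stored XOR-ed with the key


def parse_rich_header(data):
    """Decode the Rich header of an MZ image. Returns {"key", "entries"} or None."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)  # marker must precede the PE signature
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk backwards, XOR-decoding each dword, until the 'DanS' marker appears.
    decoded = []
    off = rich_off - 4
    while off >= 0:
        val = struct.unpack_from("<I", data, off)[0] ^ key
        if val == DANS:
            break
        decoded.append(val)
        off -= 4
    else:
        return None  # no start marker: not a Rich header
    decoded.reverse()
    body = decoded[3:]  # three padding dwords follow 'DanS'
    entries = [
        {"product_id": body[i] >> 16, "build": body[i] & 0xFFFF, "count": body[i + 1]}
        for i in range(0, len(body) - 1, 2)
    ]
    return {"key": key, "entries": entries}


def fingerprint(data):
    """Hashable summary: XOR key plus the ordered (product, build, count) entries."""
    rich = parse_rich_header(data)
    if rich is None:
        return None
    return rich["key"], tuple((e["product_id"], e["build"], e["count"]) for e in rich["entries"])


def same_toolchain(sample_a, sample_b):
    """True when both samples carry an identical Rich header (same key, same entries)."""
    fa, fb = fingerprint(sample_a), fingerprint(sample_b)
    return fa is not None and fa == fb


def build_sample(key, entries):
    """Construct a minimal MZ buffer with an encoded Rich header (test input only)."""
    clear = [DANS, 0, 0, 0]
    for product_id, build, count in entries:
        clear += [(product_id << 16) | build, count]
    encoded = b"".join(struct.pack("<I", v ^ key) for v in clear)
    blob = bytearray(0x80)  # DOS header + stub area, zero-filled
    blob[0:2] = b"MZ"
    blob += encoded + b"Rich" + struct.pack("<I", key)
    while len(blob) % 8:
        blob += b"\0"
    struct.pack_into("<I", blob, 0x3C, len(blob))  # e_lfanew -> PE signature
    blob += b"PE\0\0"
    return bytes(blob)


if __name__ == "__main__":
    first = build_sample(0x9A3F5C11, [(0x00DE, 0x5A2B, 12), (0x0103, 0x6C0A, 5)])
    second = build_sample(0x9A3F5C11, [(0x00DE, 0x5A2B, 12), (0x0103, 0x6C0A, 5)])
    print("same toolchain:", same_toolchain(first, second))
```

A matching key and entry list across samples collected months apart is what the post reports for the August and December Ryuk builds; the same function run over a real sample set groups binaries by build environment, which is one of the "How" facts that survive independently of any attribution claim.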

From a call-flow perspective, we notice the similarities and evolution of the code:

The Hermes 2.1 ransomware kit, renamed and redistributed as Ryuk.

The author and seller of Hermes 2.1 emphasizes that he is selling a kit and not a service. This suggests that a buyer of the kit must do some fine tuning by setting up a distribution method (spam, exploit kit, or RDP, for example) and infrastructure to make Hermes work effectively. If changing a name and ransom note are part of these tuning options, then it is likely that Ryuk is an altered version of Hermes 2.1.

Attribution: analyzing competing hypotheses

In the race to determine who is behind an attack, research facts (the What and How questions) are often put aside to focus on attribution (the Who question). Who did it? This pursuit is understandable yet fundamentally flawed. Attribution is crucial, but there will always be unanswered questions. Our approach focuses on answering the What and How questions by analyzing the malware, the infrastructure involved, and the incident response performed at the victim’s site.

Our approach is always to analyze competing hypotheses. When investigating an incident, we form several views and compare all the artifacts to support these hypotheses. We try not only to seek verifying evidence but also actively try to find evidence that falsifies a hypothesis. Keeping our eyes open for falsifying facts and constantly questioning our results are essential steps to avoid confirmation bias. By following this method, we find the strongest hypothesis is not the one with the most verifying evidence, but the one with the least falsifying evidence.

Examining competing hypotheses is a scientific approach to investigating cyber incidents. It may not help with the race to attribution, but it ensures the output is based on available evidence.

The most likely hypothesis in the Ryuk case is that of a cybercrime operation developed from a tool kit offered by a Russian-speaking actor. From the evidence, we see sample similarities over the past several months that indicate a tool kit is being used. The actors have targeted several sectors and have asked a high ransom, 500 Bitcoin. Who is responsible? We do not know. But we do know how the malware works, how the attackers operate, and how to detect the threat. That analysis is essential because it allows us to serve our customers.

The post Ryuk Ransomware Attack: Rush to Attribution Misses the Point appeared first on McAfee Blogs.

Google Public DNS now supports DNS-over-TLS

Google Public DNS is the world’s largest public Domain Name Service (DNS) recursive resolver, allowing anyone to convert Internet domain names like www.example.com into Internet addresses needed by an email application or web browser. Just as your search queries can expose sensitive information, the domains you lookup via DNS can also be sensitive. Starting today, users can secure queries between their devices and Google Public DNS with DNS-over-TLS, preserving their privacy and integrity.

The DNS environment has changed for the better since we launched Google Public DNS over eight years ago. Back then, as today, part of Google Public DNS’ mission has been to improve the security and accuracy of DNS for users all over the world. But today, there is an increased awareness of the need to protect users’ communication with their DNS resolvers against forged responses and safeguard their privacy from network surveillance. The DNS-over-TLS protocol specifies a standard way to provide security and privacy for DNS traffic between users and their resolvers. Now users can secure their connections to Google Public DNS with TLS, the same technology that protects their HTTPS web connections.

We implemented the DNS-over-TLS specification along with the RFC 7766 recommendations to minimize the overhead of using TLS. These include support for TLS 1.3 (for faster connections and improved security), TCP fast open, and pipelining of multiple queries and out-of-order responses over a single connection. All of this is deployed with Google’s serving infrastructure which provides reliable and scalable management for DNS-over-TLS connections.
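Two of the RFC 7766 behaviours mentioned above, length-prefixed framing on a single long-lived TLS connection and pipelining with out-of-order answers, are visible in a small client. The following is an added example, not Google's code: it builds DNS queries with the 2-byte TCP length prefix, sends all of them before reading, and matches whatever answers come back to the outstanding queries by transaction ID. `dns.google` and port 853 are the DNS-over-TLS endpoint and the port assigned by RFC 7858; the network function is included for completeness but the offline part of the example uses constructed server answers so the exchange can be exercised without a connection.

```python
"""DNS-over-TLS client sketch (added example): RFC 7766 framing, pipelined queries
on one TLS session, and out-of-order answers matched by transaction ID."""
import secrets
import socket
import ssl
import struct

DOT_HOST = "dns.google"  # Google Public DNS DoT endpoint
DOT_PORT = 853           # DNS-over-TLS port (RFC 7858)


def build_query(qname, txid, qtype=1):
    """Recursive query for qname, framed with the 2-byte length prefix used over TCP/TLS."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\0"
    msg = header + name + struct.pack(">HH", qtype, 1)  # QTYPE, QCLASS=IN
    return struct.pack(">H", len(msg)) + msg


def skip_name(msg, off):
    """Advance past a (possibly compressed) domain name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def split_frames(buf):
    """Split concatenated length-prefixed messages; return (complete frames, leftover)."""
    frames = []
    while len(buf) >= 2:
        (n,) = struct.unpack(">H", buf[:2])
        if len(buf) < 2 + n:
            break
        frames.append(buf[2:2 + n])
        buf = buf[2 + n:]
    return frames, buf


def parse_response(msg):
    """Return txid, rcode and the IPv4 addresses in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack_from(">HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from(">HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0xF, "a": addrs}


def match_responses(pending, frames):
    """Pair answer frames with outstanding queries by txid, in whatever order they
    arrived; a frame whose txid is not outstanding is dropped."""
    results = {}
    for frame in frames:
        parsed = parse_response(frame)
        qname = pending.pop(parsed["txid"], None)
        if qname is not None:
            results[qname] = parsed
    return results


def build_a_response(query_msg, addrs, ttl=60):
    """Constructed server-side answer for a query (lets the exchange run offline)."""
    txid = struct.unpack_from(">H", query_msg, 0)[0]
    qend = skip_name(query_msg, 12) + 4
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)  # QR, RD, RA set
    rrs = b"".join(struct.pack(">HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(a) for a in addrs)
    return header + query_msg[12:qend] + rrs


def resolve_over_tls(qnames, host=DOT_HOST, port=DOT_PORT, timeout=5.0):
    """Send every query before reading any answer (pipelining), then collect answers
    until none are outstanding. Needs network access; not exercised offline."""
    ctx = ssl.create_default_context()  # validates the resolver's certificate for host
    with socket.create_connection((host, port), timeout=timeout) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        pending = {}
        for qname in qnames:
            txid = secrets.randbelow(65536)
            while txid in pending:  # IDs must be unique among outstanding queries
                txid = secrets.randbelow(65536)
            pending[txid] = qname
            tls.sendall(build_query(qname, txid))
        buf, results = b"", {}
        while pending:
            chunk = tls.recv(4096)
            if not chunk:
                break
            buf += chunk
            frames, buf = split_frames(buf)
            results.update(match_responses(pending, frames))
        return results
```

The certificate check in `ssl.create_default_context()` is what distinguishes this from plain TCP DNS: a resolver on the path that cannot present a certificate valid for `dns.google` cannot forge the answers, which is the integrity property the post describes.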

Use DNS-over-TLS today

Android 9 (Pie) device users can use DNS-over-TLS today. For configuration instructions for Android and other systems, please see the documentation. Advanced Linux users can use the stubby resolver from dnsprivacy.org to talk to Google’s DNS-over-TLS service.

If you have a problem with Google Public DNS-over-TLS, you can create an issue on our tracker or ask on our discussion group. As always, please provide as much information as possible to help us investigate the problem!

HHS Publishes Healthcare Cyber Security Guidelines Based on NIST CSF

New HHS publication outlines top cyber threats & best practices for healthcare industry

Noting that cyber security is “the responsibility of every health care professional, from data entry specialists to physicians to board members,” the U.S. Department of Health and Human Services (HHS) has published Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).… Read More

Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker

By now, you’ve probably heard of cryptocurrency, but you may not know exactly what it is. To put it simply, cryptocurrencies are virtual currencies that have actual monetary value in today’s world. They are limited entries of transactions into a single database, or public ledger, that can’t be changed without fulfilling certain conditions. These transactions are verified and added to the public ledger through cryptocurrency mining. Cryptocurrency miners try to make money by compiling these transactions into blocks and solving complicated mathematical problems to compete with other miners for the cryptocurrency. While this process of mining for cryptocurrencies can be lucrative, it requires large amounts of computing power.

Unfortunately, the need for massive amounts of hardware has provoked cybercriminals to participate in cryptojacking, a method of using malware to exploit victims’ computers to mine for cryptocurrencies. Cybercrooks spread cryptojacking malware through sketchy mobile apps, flawed software, and malware-infected ads. They can even cryptojack your device during a browsing session while you’re perusing a website that appears completely harmless. Once a user’s device becomes infected, the malware drains the device’s CPU, causing the user’s computer fan to be loud while the malware mines for cryptocurrencies in the background. Unfortunately, symptoms of cryptojacking are usually pretty subtle, with poor device performance being one of the few signs of its presence.

Thankfully, McAfee WebAdvisor is here to help. This security solution, which helps block users from malware and phishing attempts, now includes Cryptojacking Blocker. This enhancement is a Windows-based browser add-on available for Google Chrome that helps stop malicious websites from mining for cryptocurrency. So far, our direct and retail McAfee WebAdvisor customers have already started receiving the update that adds Cryptojacking Blocker to their product, and the customers who have WebAdvisor through other partners should begin to see this update roll out during Q1. The same thing goes for those who own McAfee LiveSafe and McAfee Total Protection. Additionally, we’re aiming to add support for Firefox in the coming months. And if you don’t already have WebAdvisor, you can download it for free on our website, with Cryptojacking Blocker included in your download.

In addition to using a security solution like McAfee WebAdvisor, here are some other general tips to help you stay safe online:

  • Create a strong, unique password. Although it may be easier to remember, reusing passwords across multiple accounts puts all of your data at risk even if just one of your accounts is breached. Choosing a complex password for each individual online account will act as a stronger first line of defense. You can also use a password manager so all of your credentials are consolidated into one place.
  • Be careful where you click. If you come across a website that seems sketchy or notice that the URL address looks odd, avoid interacting with the site entirely. Stick to browsing websites you know are reputable.
  • Update, update, update! Cybercriminals can take advantage of old software to spread cryptojacking malware. Keeping your software updated with the latest patches and security fixes can help you combat this threat.

And, as always, to stay on top of the latest consumer and mobile security threats, be sure to follow @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing Cryptojacking Malware with McAfee WebAdvisor’s New Cryptojacking Blocker appeared first on McAfee Blogs.

2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2)

In part 1 of this retrospective, we took stock of what happened in the first 6 months of 2018 and what we had to learn in terms of cybersecurity and privacy. Now, we review the second part of the year and inventory the most relevant insights and actionable advice.

Got anything else to add? Drop us a line.

July in cybersecurity review

The bad news:

This summer was hotter than usual for health care companies, with two of them losing incredible amounts of data and funds to malware attacks.

The same SamSam ransomware that hit the city of Atlanta and caused damages upwards of $10 million encrypted the machines of LabCorp, a major lab services provider.

In Canada, CarePartners found the medical histories and contact information of 80,000 of its patients stolen in a massive data breach and held for ransom. Some of those patients even had active credit card numbers and expiry dates on file.

The attackers told CBC News in an encrypted message that they discovered vulnerable software on CarePartners’ network that had not been updated in two years “by chance,” and were able to exploit those vulnerabilities and weak passwords to remove hundreds of gigabytes “completely unnoticed,” highlighted a CBS News report.

The good news:

In July, Google took us all by surprise by announcing the end of phishing. Well, at least among Google’s ranks. The company reported it completely eliminated phishing among its employees by switching to physical keys for 2-factor authentication.


For those who missed this news, a physical key is simply a USB device that works the same as the codes online services text you or provide for you as an extra security layer after the password. With a physical key, to log in you input your password, then connect the device and it will authenticate you instead of that code.


Why are physical keys better? Well, barring the hassle of having to buy a device, they work with most services and completely eliminate hackers’ ability to hijack your SMS messages to intercept the code.

That is an easy thing for them to do, and that’s why we always recommend using a dedicated app for 2FA, not SMS-based codes. Furthermore, with physical keys, you eliminate the hassle of having to open an app every time and putting in the unique code.

August in cybersecurity review

The bad news:

August kicked off with another high-profile ransomware attack. A WannaCry strain hit TSMC (Taiwan Semiconductor Manufacturing Co.), one of Apple’s biggest suppliers of components for iPhones, Apple Watches and iPads.

TSMC traced the incident to a supplier who connected an infected device to a computer, without scanning it beforehand, which caused the ransomware to spread until it took down three plants.

Oh yes, and the Alaskan borough of Matanuska-Susitna was, as this outlet put it, “cast back to the dark ages” after BitPaymer ransomware took out almost 500 workstations and 120 out of 150 servers.

If ransomware wasn’t enough, the organization was also under fire from an external attacker, which gained access to the network and deployed the Emotet banking trojan. Everything from email to phones, doors and payment systems went down, which forced employees to actually pull out typewriters and pens to write receipts by hand.

“In 35 years in the business, this is the worst I’ve seen. It’s meant to disrupt our way of life,” said Eric Wyatt, the borough’s IT director.

The good news:

While things were pretty dire during summer’s last month, there was one great thing that happened.

Apple removed Onavo Protect, a Facebook-owned VPN, from its app store. What for? Data collection, obviously. Apple wasted no time in telling Facebook that Onavo Protect violated the App Store Guidelines, which specifically try to stop app developers from farming user data and then selling it to third parties.

Why a VPN though?

Because Onavo Protect did more than just reroute users’ traffic to a Facebook-owned website, it also “improved” its service by “analyzing your use of websites, apps, and data.” It was a ham-fisted attempt by Facebook to collect even more information from those who, in theory, care about privacy. Fortunately, Apple continued their strategy of protecting user privacy and data security in their ecosystem.

As for Google, the company allowed Onavo Protect to remain available for download.


If you truly care about privacy, not just accessing region-locked services or content, do your research on the VPN provider you pick. Otherwise, you’re paying for nothing, as some VPN services actually collect your data and sell it to third parties.

We put together a few tips on this here.

September in cybersecurity review

The bad news:

Summer ended with a big headache for 380,000 British Airways customers, after the company announced that, between August 21 and September 5, booking transactions were compromised in an attack.

Basic information like names and addresses was stolen, but the travelers’ problems didn’t end there, because the attackers also took off with payment card details. How did this happen?

The attackers did not break into a database. They injected malicious JavaScript into a script served by the airline’s own website, in the style of the Magecart web-skimming campaigns seen throughout 2018. The added code waited for the payment form to be submitted, read the card details straight out of the form fields, and sent them to an attacker-controlled domain, so the data was stolen inside the customer’s browser before it ever reached British Airways’ servers.

The tampered script was loaded on several pages, including the baggage claim information page, but card data was only captured from visitors who went on to fill in the payment form.

The good news:

After what seemed like endless months of waiting for perpetrators to be caught, the US Department of Justice announced that it had finally charged one of the hackers involved in the WannaCry attack.


The fact that the hacker in question is North Korean and belongs to an organization also blamed for the massive Sony breach and an $81 million bank robbery should surprise no one. The positive takeaway here is that authorities managed to create a damning paper trail between the individual and the North Korean government, eliminating any doubt that WannaCry was a state-sponsored attack.

“The insight into how an adversary like this works can help defenders plan on what they might be up to,” explained Ben Read, senior manager of cyberespionage analysis at FireEye in a Wired article covering the event.


The old “cybersecurity is a high-stakes cat and mouse game” line comes to mind. These two stories from September really do put into perspective hackers’ creativity (here is how they change tactics during attacks) and the difficulty of apprehending them.

October in cybersecurity review

The bad news:

October showed that old tactics still work for new attacks.

Cryptomining malware might be a 2018 “novelty”, but fake updates and installers are as old as dirt. Combine them and you get fake Adobe installers that really do install a current version of Flash Player, so nothing looks wrong, while also dropping a cryptojacking payload that quietly uses your PC to mine cryptocurrency for someone else.

We explained in this piece what cryptojacking really means, how you can secure your devices against it and what you need to be aware of. If you know the basics, it’s easier to avoid even more advanced attacks.

The good news:

The best news in October comes from Google, which released an important privacy app for Android phones going back roughly seven years (Android 4.0 and newer).

Called Intra, the free app tunnels Domain Name System (DNS) queries over HTTPS (DNS-over-HTTPS) and closes a gap that HTTPS on its own leaves open.

Visiting HTTPS sites is essential, but it is not fully private: the DNS lookup that precedes every connection normally travels in clear text and carries no authentication, so anyone on the path, from a hotspot operator to a national ISP, can read which sites you visit and can return a forged answer that sends you to a different server. For journalists and other people operating in dangerous, surveillance-heavy areas, the tool is therefore extremely valuable, as it protects from “DNS manipulation, a type of cyber attack used to block access to news sites, social media platforms, and messaging apps.”


If you have an older smartphone running Android, Intra is a free download.

If you have a newer device running Android 9 Pie, you can control this without an extra app: go to Settings > Network & internet > Advanced > Private DNS, which sends your lookups over DNS-over-TLS to the resolver you name.
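What plain DNS puts on the wire, why a forged answer is accepted, and how the very same message is carried by DNS-over-HTTPS, as an added example that is not part of the original post and not Intra’s own code. It builds an A-record query in the RFC 1035 wire format, forges the kind of answer an on-path attacker can inject, shows that the only things a classic stub resolver can check are the 16-bit transaction ID and the question, and then wraps the identical query into an RFC 8484 GET URL. The resolver endpoint `https://dns.google/dns-query` is Google’s public DoH service (Intra’s default); the hostname and the address 203.0.113.5 are made up for the demonstration.

```javascript
'use strict';

// Encode a hostname as DNS labels: "example.com" -> [7]example[3]com[0]
function encodeName(name) {
  const parts = [];
  for (const label of name.replace(/\.$/, '').split('.')) {
    const bytes = Buffer.from(label, 'ascii');
    parts.push(Buffer.from([bytes.length]), bytes);
  }
  parts.push(Buffer.from([0]));
  return Buffer.concat(parts);
}

// RFC 1035 standard query for an A record: 12-byte header plus one question.
function buildQuery(name, id) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);      // transaction ID: the only value a forger has to match
  header.writeUInt16BE(0x0100, 2);  // flags: standard query, recursion desired
  header.writeUInt16BE(1, 4);       // QDCOUNT = 1 (answer/authority/additional counts stay 0)
  const question = Buffer.concat([encodeName(name), Buffer.from([0, 1, 0, 1])]); // QTYPE A, QCLASS IN
  return Buffer.concat([header, question]);
}

// Read a possibly compressed name at `offset`; returns the name and the offset after it.
function readName(buf, offset) {
  const labels = [];
  let pos = offset;
  let next = null;
  for (;;) {
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {                  // compression pointer to an earlier name
      if (next === null) next = pos + 2;
      pos = ((len & 0x3f) << 8) | buf[pos + 1];
      continue;
    }
    labels.push(buf.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join('.'), next: next === null ? pos : next };
}

// Parse a message: header fields, questions skipped, A-record answers decoded.
function parseResponse(buf) {
  const id = buf.readUInt16BE(0);
  const flags = buf.readUInt16BE(2);
  const qdcount = buf.readUInt16BE(4);
  const ancount = buf.readUInt16BE(6);
  let pos = 12;
  for (let i = 0; i < qdcount; i++) pos = readName(buf, pos).next + 4;   // skip QTYPE/QCLASS
  const answers = [];
  for (let i = 0; i < ancount; i++) {
    const { name, next } = readName(buf, pos);
    const type = buf.readUInt16BE(next);
    const ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8);
    const rdata = buf.subarray(next + 10, next + 10 + rdlen);
    if (type === 1 && rdlen === 4) answers.push({ name, ttl, address: Array.from(rdata).join('.') });
    pos = next + 10 + rdlen;
  }
  return { id, isResponse: (flags & 0x8000) !== 0, answers };
}

// What an on-path attacker sends: the victim's own header and question with the response
// bit set, plus one A record pointing wherever the attacker likes.
function forgeResponse(query, address) {
  const header = Buffer.from(query.subarray(0, 12));
  header.writeUInt16BE(0x8180, 2);  // QR=1, RD=1, RA=1, RCODE=0
  header.writeUInt16BE(1, 6);       // ANCOUNT = 1
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xc00c, 0);      // name: pointer to the question name at offset 12
  rr.writeUInt16BE(1, 2);           // TYPE A
  rr.writeUInt16BE(1, 4);           // CLASS IN
  rr.writeUInt32BE(60, 6);          // TTL
  rr.writeUInt16BE(4, 10);          // RDLENGTH
  Buffer.from(address.split('.').map(Number)).copy(rr, 12);
  return Buffer.concat([header, query.subarray(12), rr]);
}

// Everything a classic stub resolver can check before believing an answer: the response bit,
// a matching transaction ID and a matching question name. No key, no signature.
function accepts(query, response) {
  return parseResponse(response).isResponse
    && query.readUInt16BE(0) === response.readUInt16BE(0)
    && readName(query, 12).name === readName(response, 12).name;
}

// DNS-over-HTTPS (RFC 8484) GET form: the identical wire-format message, base64url-encoded
// without padding, sent to the resolver inside an ordinary TLS-protected HTTPS request.
function dohUrl(query, endpoint = 'https://dns.google/dns-query') {
  const b64url = query.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${endpoint}?dns=${b64url}`;
}

// Run the exchange end to end and return what was observed.
function demo() {
  const q = buildQuery('example.com', 0x1234);
  const forged = forgeResponse(q, '203.0.113.5');   // constructed on-path forgery
  return { forgedAccepted: accepts(q, forged), answers: parseResponse(forged).answers, doh: dohUrl(q) };
}
console.log(demo());
```

Nothing in `accepts` involves a key or a certificate, which is the whole problem: an attacker who sees or guesses the transaction ID wins. With DoH or DoT the TLS layer authenticates the resolver and hides the query, so the same bytes can no longer be read or substituted in transit; it does not make the resolver itself trustworthy, and the certificate check is what stops a local network from simply impersonating it.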

To avoid cryptojacking of the kind seen this month, the most basic measure is to download patches and software only from the vendor’s official site, or to use a trusted software updater that verifies updates are legitimate and deploys them promptly.

November in cybersecurity review

The bad news:

Japan’s cybersecurity minister, Yoshitaka Sakurada, said point blank that he had never used a computer. He also revealed that, since the age of 25, he has “instructed” his employees and secretaries to use computers on his behalf.


Seeing how November 30 was Computer Security Day and security experts around the world took to social media to share helpful cybersecurity tips, we hope at least Mr. Sakurada’s employees and secretaries took note.

In any case, the incident did not do wonders for public confidence in how the government approaches data security.

The good news:

The last few days of November saw a major, yet funny, hacking incident. One user was struck by how many printers he could find exposed to the internet with a popular device search engine and decided to start an awareness campaign. He sent a message to be printed on those unsecured devices that, at the same time, promoted his favorite streamer, with hilarious results.

Cases like Japan’s questionable leadership make it even more necessary to learn cybersecurity basics yourself and protect your valuable information. Don’t have time to go hunting for that knowledge?

This quick course delivers one easily doable (and memorable!) security tip in your inbox every day, for a whole year.

We’re classifying the Pewdiepie event as good news because the hacker in question only wanted to spread awareness over insecure IoT devices.

Even better, they did it by tying into the humongous popularity of an Internet influencer, reaching a lot of people who otherwise wouldn’t have been exposed to good security practices.

With so many troublesome reports and devices hijacked for nefarious purposes, old-fashioned pranks like these seem like a breath of fresh air.

Curious to find out what can happen with insecure devices? We explained more here.

December 2018 in cybersecurity review

The bad news:

As 2018 was hurtling to the finish line, there was a massive Google+ data breach (resist the urge to roll your eyes), a massive Quora hack (another major service compromised) and bitcoin scams evolving into bomb threats (we told you hackers are creative!).

SplashData again released its list of the most common passwords in the world, with each entry’s movement compared to last year, showing just how lax users remain when it comes to protecting their own devices and accounts.

  1. 123456 Unchanged
  2. password Unchanged
  3. 123456789 Up 3
  4. 12345678 Down 1
  5. 12345 Unchanged
  6. 111111 New
  7. 1234567 Up 1
  8. sunshine New
  9. qwerty Down 5
  10. iloveyou Unchanged

At least two-factor authentication is more widespread nowadays, with services forcing users to rely on more than a single password, so the list above might not spell doom the way it did in past years. You could also smile at the number of “iloveyou”s unlocking devices, if you are feeling optimistic.

However, good password practices are mandatory, so try to be a bit more creative with them or use a password manager.

The good news:

Though the weather report for security was frightful in 2018, privacy-oriented Mozilla (parent company of Firefox, one of the browsers we highly recommend) managed to send a very valuable message to its user base and beyond.

Just in time for the holiday bonanza, when Christmas scams and other dangers multiply, Mozilla released a holiday shopping guide named “Privacy Not Included.”

Not only is it useful on its own, showing the trendiest gadgets if you’re looking for a gift, but it also brings security and privacy front and center, pinpointing the IoT and smart devices insecure by design.


No doubt about it, 2018 has not been an easy year, not for regular users and not for businesses.

Just how many data breaches happened?

This handy visualization tool will probably burn itself into your memory. Hopefully, it will also kick you into gear and get you to spend a bit of time reviewing the information you share with services.

This AI-powered tool can go into the legalese of privacy policies and give you a much better overview of what happens to your data.

You should also consider getting the right online security so your digital life won’t be besieged by malware, cryptojacking, phishing, and other major threats.

We put together these guides for you, so take the opportunity to step into a more secure, more private 2019:

Do you have any other recommendations and tools for data privacy and security? Feel free to share below.


The post 2018 in Cybersecurity Review: What Happened and What the Future Brings (Part 2) appeared first on Heimdal Security Blog.