Daily Archives: January 11, 2019

That’s a Wrap! Read the Top Technology Takeaways From CES 2019

The sun has finally set on The International Consumer Electronics Show (CES) in Las Vegas. Every year, practically everyone in the consumer electronics industry comes from all over to show off the latest and greatest cutting-edge innovations in technology. From flying taxis, self-driving suitcases, and robots that will fold your laundry, CES 2019 did not disappoint. Here are some of my main takeaways from the event:

5G is the future

It seems that anyone and everyone who attended the event was talking about 5G. However, there wasn’t exactly a definitive answer to when the service would be available to consumers. According to Forbes, 5G is an abbreviation that stands for the fifth generation of the cellular wireless transmission. And while many companies at CES discussed 5G, the number of products that are actually capable of tapping into the network is minimal. This doesn’t mean we shouldn’t get excited about 5G. The faster connection, speed, and responsiveness of the 5G network will help enable IoT, autonomous driving, and technology that hasn’t even been invented yet.

Gaming gets an upgrade

Gamers everywhere are sure to enjoy the exciting new gadgets that launched this year. From wireless charging grips for the Nintendo Switch to curved monitors for better peripheral vision, tech companies across the board seemed to be creating products to better the gaming experience. In addition to products that are enhancing gamers’ capabilities, we also saw gaming products that are bringing the digital world closer to reality. For example, Holoride partnered with Disney and Audi to create a Guardians of the Galaxy virtual reality (VR) experience for car passengers that mimics the movements of the vehicle.

Optimized IoT devices, AI-driven assistants

This year’s event was colored with tons of new smart home and health IoT technology. Although smart home technology made a big splash at last year’s show, CES 2019 focused on bringing more integrated smart home products to consumers. For example, the AtmosControl touch panel acts as a simplified universal remote so consumers can control all of their gadgets from a single interface. We also saw the Bowflex Intelligent Max, a platform that allows consumers to download an app to complete Bowflex’s fitness assessment and adjust their workout plan based on the results.

Voice assistants seemed to dominate this year’s show, as well. Google and Amazon upped the ante with their use of improved AI technology for the Google Assistant and Amazon Alexa. Not only has Google brought Google Assistant to Google Maps, but they’ve also created a Google Assistant Interpreter Mode that works in more than 20 languages. Not to be shown up, Amazon announced some pretty intriguing Alexa-enabled products as well, including the Ring Door View Cam, a smart shower system called U by Moen, and the Numi 2.0 Intelligent Toilet.

The takeoff of autonomous vehicles

Not only did AI guide new innovations in IoT device technology, but it also paved the way for some futuristic upgrades to vehicles. Mercedes showcased their self-driving car called the Vision Urbanetic, an AI-powered concept vehicle that can hold up to 12 people. BMW created a rider-less motorcycle designed to gather data on how to make motorcycles safer on the road. And we can’t forget about Uber’s futuristic flying taxi, created in partnership with Bell Nexus, and expected to take flight in 2020.

Cybersecurity’s role in the evolving technological landscape

At McAfee, we understand the importance of securing all of these newfangled IoT gadgets that make their way into consumers’ homes. To do this, we announced the launch of Secure Home Platform voice commands for the Google Assistant, allowing users to keep track of their entire network through one interface.

To reflect the upgrades in gaming technology, we also launched the beta mode of McAfee Gamer Security. Many antivirus solutions are notorious for slowing down PCs, which can really hinder the gaming experience. This security solution, designed for PC gamers, provides a light but mighty layer of protection that optimizes users’ computing resources.

If there’s one thing we took away from this year’s event, it’s that technological innovations won’t be slowing down any time soon. With all of these new advancements and greater connectivity comes the need for increased cybersecurity protection. All in all, CES 2019 showed us that as software and hardware continues to improve and develop, cybersecurity will also adapt to the needs of everyday consumers.

Stay on top of the latest consumer and mobile security threats by following @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post That’s a Wrap! Read the Top Technology Takeaways From CES 2019 appeared first on McAfee Blogs.

Moving to marcoramilli.com

After more than 10 years on this amazing platform I decided to move forward to a professional blogging platform. I've reached hundreds of thousands of awesome professionals, getting thousands of readers per day. I need a more sophisticated platform able to manage content and graphically flexible enough to allow my new content on cybersecurity.

I've set up a simple client meta-redirect field so that your browser will automatically redirect to my new domain (https://marcoramilli.com). If your plugins block my "redirector", please visit www.marcoramilli.com for fresh new content. If you are a "feed reader" or an "email reader", please update your feeds/email to my new address.

See you on my new web corner, and thank you for following me!

PHA Family Highlights: Zen and its cousins

Posted by Lukasz Siewierski, Android Security & Privacy Team
Google Play Protect detects Potentially Harmful Applications (PHAs), which it defines as any mobile app that poses a potential security risk to users or to user data (commonly referred to as "malware"), in a variety of ways, such as static analysis, dynamic analysis, and machine learning. While our systems are great at automatically detecting and protecting against PHAs, we believe the best security comes from the combination of automated scanning and skilled human review.
With this blog series we will be sharing our research analysis with the research and broader security community, starting with the PHA family Zen. Zen uses root permissions on a device to automatically enable a service that creates fake Google accounts. These accounts are created by abusing accessibility services. Zen apps gain access to root permissions from a rooting trojan in their infection chain. In this blog post, we do not differentiate between the rooting component and the component that abuses root: we refer to them interchangeably as Zen. We also describe apps that we think are coming from the same author or a group of authors. All of the PHAs that are mentioned in this blog post were detected and removed by Google Play Protect.


Uncovering PHAs takes a lot of detective work, and unraveling the mystery of how they're possibly connected to other apps takes even more. PHA authors usually try to hide their tracks, so attribution is difficult. Sometimes, we can attribute different apps to the same author based on small, unique pieces of evidence that suggest similarity, such as a repetition of an exceptionally rare code snippet, asset, or a particular string in the debug logs. Every once in a while, authors leave behind a trace that allows us to attribute not only similar apps, but also multiple different PHA families to the same group or person.
However, the actual timeline of the creation of different variants is unclear. In April 2013, we saw the first sample, which made heavy use of dynamic code loading (i.e., fetching executable code from remote sources after the initial app is installed). Dynamic code loading makes it impossible to state what kind of PHA it was. This sample displayed ads from various sources. More recent variants blend rooting capabilities and click fraud. As rooting exploits on Android become less prevalent and lucrative, PHA authors adapt their abuse or monetization strategy to focus on tactics like click fraud.
This post doesn't follow the chronological evolution of Zen, but instead covers relevant samples from least to most complex.

Apps with a custom-made advertisement SDK

The simplest PHA from the author's portfolio used a specially crafted advertisement SDK to create a proxy for all ads-related network traffic. By proxying all requests through a custom server, the real source of ads is opaque. This example shows one possible implementation of this technique.

This approach allows the authors to combine ads from third-party advertising networks with ads they created for their own apps. It may even allow them to sell ad space directly to application developers. The advertisement SDK also collects statistics about clicks and impressions to make it easier to track revenue. Selling the ad traffic directly or displaying ads from other sources in a very large volume can provide direct profit to the app author from the advertisers.
We have seen two types of apps that use this custom-made SDK. The first are games of very low quality that mimic the experience of popular mobile games. While the counterfeit games claim to provide similar functionality to the popular apps, they are simply used to display ads through a custom advertisement SDK.
The second type of apps reveals an evolution in the author's tactics. Instead of implementing very basic gameplay, the authors pirated and repackaged the original game in their app and bundled with it their advertisement SDK. The only noticeable difference is the game has more ads, including ads on the very first screen.
In all cases, the ads are used to convince users to install other apps from different developer accounts, but written by the same group. Those apps use the same techniques to monetize their actions.

Click fraud apps

The authors' tactics evolved from advertisement spam to real PHA (Click Fraud). Click fraud PHAs simulate user clicks on ads instead of simply displaying ads and waiting for users to click them. This allows the PHA authors to monetize their apps more effectively than through regular advertising. This behavior negatively impacts advertisement networks and their clients because advertising budget is spent without acquiring real customers, and impacts user experience by consuming their data plan resources.
The click fraud PHA requests the advertising network URL directly instead of proxying it through an additional SDK. The command & control server (C&C server) returns the URL to click along with a very long list of additional parameters in JSON format. After rendering the ad on the screen, the app tries to identify the part of the advertisement website to click. If that part is found, the app loads JavaScript snippets from the JSON parameters to click a button or other HTML element, simulating a real user click. Because a user interacting with an ad often leads to a higher chance of the user purchasing something, ad networks often "pay per click" to developers who host their ads. Therefore, by simulating fraudulent clicks, these developers are making money without requiring a user to click on an advertisement.
This example code shows a JSON reply returned by the C&C server. It has been shortened for brevity.
"data": [{
    "id": "107",
    "url": "<ayud_url>",
    "click_type": "2",
    "keywords_js": [{
        "keyword": "<a class=\"show_hide btnnext\"",
        "js": "javascript:window:document.getElementsByClassName(\"show_hide btnnext\")[0].click();"
    }, {
        "keyword": "value=\"Subscribe\" id=\"sub-click\"",
        "js": "javascript:window:document.getElementById(\"sub-click\").click();"
    }]
}]
Based on this JSON reply, the app looks for an HTML snippet that corresponds to the active element (show_hide btnnext) and, if found, the Javascript snippet tries to perform a click() method on it.
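As an added example (not code from the post or from Google), the following Python parser takes a captured C&C reply in the format above, flattens the keyword/JavaScript pairs, and flags those that simulate a click together with the element they target; the sample reply is constructed from the excerpt above, with the "<ayud_url>" placeholder kept as-is.

```python
import json
import re

# Constructed sample modelled on the C&C reply quoted in the post; the "<ayud_url>"
# placeholder is kept as it appears there, and the outer object is closed so it parses.
SAMPLE_REPLY = r'''
{"data": [{
    "id": "107",
    "url": "<ayud_url>",
    "click_type": "2",
    "keywords_js": [
        {"keyword": "<a class=\"show_hide btnnext\"",
         "js": "javascript:window:document.getElementsByClassName(\"show_hide btnnext\")[0].click();"},
        {"keyword": "value=\"Subscribe\" id=\"sub-click\"",
         "js": "javascript:window:document.getElementById(\"sub-click\").click();"}
    ]
}]}
'''

# A programmatic click() on an element the C&C told the app to find is the fraud
# primitive described above; anything else is treated as plain ad display.
_CLICK_RE = re.compile(r"\.click\(\s*\)")
_TARGET_RE = re.compile(r'getElement(?P<kind>ById|sByClassName)\(\s*"(?P<name>[^"]+)"\s*\)')


def parse_click_instructions(reply_text):
    """Flatten the reply into one record per (keyword, js) pair."""
    reply = json.loads(reply_text)
    records = []
    for ad in reply.get("data", []):
        for pair in ad.get("keywords_js", []):
            records.append({
                "id": ad.get("id"),
                "url": ad.get("url"),
                "click_type": ad.get("click_type"),
                "keyword": pair.get("keyword"),   # HTML fragment to look for on the ad page
                "js": pair.get("js"),             # JavaScript to run once it is found
            })
    return records


def is_click_fraud_instruction(js):
    """True when the snippet simulates a user click."""
    return bool(_CLICK_RE.search(js or ""))


def target_elements(js):
    """CSS-style selectors of the elements the snippet clicks, in order of appearance."""
    selectors = []
    for m in _TARGET_RE.finditer(js or ""):
        if m.group("kind") == "ById":
            selectors.append("#" + m.group("name"))
        else:
            selectors.append("." + ".".join(m.group("name").split()))
    return selectors


def triage(reply_text):
    """Summary a reviewer can log: ad id, whether it clicks, and what it clicks."""
    return [
        {"id": r["id"], "fraud": is_click_fraud_instruction(r["js"]),
         "targets": target_elements(r["js"])}
        for r in parse_click_instructions(reply_text)
    ]
```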

Rooting trojans

The Zen authors have also created a rooting trojan. Using a publicly available rooting framework, the PHA attempts to root devices and gain persistence on them by reinstalling itself on the system partition of the rooted device. Installing apps on the system partition makes it harder for the user to remove the app.
This technique only works for unpatched devices running Android 4.3 or lower. Devices running Android 4.4 and higher are protected by Verified Boot.
Zen's rooting trojan apps target a specific device model with a very specific system image. After achieving root access the app tries to replace the framework.jar file on the system partition. Replacing framework.jar allows the app to intercept and modify the behavior of the Android standard API. In particular, these apps try to add an additional method called statistics() into the Activity class. When inserted, this method runs every time any Activity object in any Android app is created. This happens all the time in regular Android apps, as Activity is one of the fundamental Android UI elements. The only purpose of this method is to connect to the C&C server.

The Zen trojan

After achieving persistence, the trojan downloads additional payloads, including another trojan called Zen. Zen requires root to work correctly on the Android operating system.
The Zen trojan uses its root privileges to turn on an accessibility service (a service used to allow Android users with disabilities to use their devices) for itself by writing to the system-wide setting value enabled_accessibility_services. Zen doesn't even check for the root privilege: it just assumes it has it. This leads us to believe that Zen is just part of a larger infection chain. The trojan implements three accessibility services directed at different Android API levels and uses these accessibility services, chosen by checking the operating system version, to create new Google accounts. This is done by opening the Google account creation process and parsing the current view. The app then clicks the appropriate buttons, scrollbars, and other UI elements to go through account sign-up without user intervention.
During the account sign-up process, Google may flag the account creation attempt as suspicious and prompt the app to solve a CAPTCHA. To get around this, the app then uses its root privilege to inject code into the Setup Wizard, extract the CAPTCHA image, and send it to a remote server to try to solve the CAPTCHA. It is unclear if the remote server is capable of solving the CAPTCHA image automatically or if this is done manually by a human in the background. After the server returns the solution, the app enters it into the appropriate text field to complete the CAPTCHA challenge.
The Zen trojan does not implement any kind of obfuscation except for one string that is encoded using Base64 encoding. It's one of the strings - "How you'll sign in" - that it looks for during the account creation process. The code snippet below shows part of the screen parsing process.
if (!title.containsKey("Enter the code")) {
    if (!title.containsKey("Basic information")) {
        if (!title.containsKey(new String(android.util.Base64.decode("SG93IHlvdeKAmWxsIHNpZ24gaW4=".getBytes(), 0)))) { // decodes to "How you’ll sign in"
            if (!title.containsKey("Create password")) {
                if (!title.containsKey("Add phone number")) { // ... remaining screen checks omitted in the original post
                }
            }
        }
    }
}
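As an added example (not from the post or from Google), this Python helper scans decompiled source for android.util.Base64.decode("...") literals and decodes them, so that the one obfuscated screen title above is recovered alongside the plain ones; the input is the fragment quoted above.

```python
import base64
import binascii
import re

# Constructed input: the decompiled fragment quoted above, verbatim.
DECOMPILED_SNIPPET = '''
if (!title.containsKey("Enter the code")) {
if (!title.containsKey("Basic information")) {
if (!title.containsKey(new String(android.util.Base64.decode("SG93IHlvdeKAmWxsIHNpZ24gaW4=".getBytes(), 0)))) {
if (!title.containsKey("Create password")) {
if (!title.containsKey("Add phone number")) {
'''

# android.util.Base64.decode("<literal>", flags): only the literal is of interest
_B64_CALL_RE = re.compile(r'Base64\.decode\(\s*"(?P<literal>[A-Za-z0-9+/=]+)"')
# plain string arguments to the screen-title lookup
_PLAIN_RE = re.compile(r'containsKey\(\s*"(?P<literal>[^"]+)"')


def decode_literal(literal):
    """Decode a Base64 literal to text, or None when it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def find_obfuscated_strings(source):
    """(literal, decoded) for every Base64.decode("...") call in decompiled source."""
    return [(m.group("literal"), decode_literal(m.group("literal")))
            for m in _B64_CALL_RE.finditer(source)]


def screen_titles(source):
    """Screen titles the code matches against, with obfuscated ones decoded in place."""
    titles = []
    for line in source.splitlines():
        obf = _B64_CALL_RE.search(line)
        if obf:
            titles.append(decode_literal(obf.group("literal")))
            continue
        plain = _PLAIN_RE.search(line)
        if plain:
            titles.append(plain.group("literal"))
    return titles
```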

Apart from injecting code to read the CAPTCHA, the app also injects its own code into the system_server process, which requires root privileges. This indicates that the app tries to hide itself from anti-PHA systems that look for a specific app process name or that cannot scan the memory of the system_server process.
The app also creates hooks to prevent the phone from rebooting or going to sleep, and to prevent the user from pressing hardware buttons, during the account creation process. These hooks are created using the root access and custom native code called Lmt_INJECT, although the algorithm for this is well known.
First, the app has to turn off SELinux protection. Then the app finds a process id value for the process it wants to inject with code. This is done using a series of syscalls as outlined below. The "source process" refers to the Zen trojan running as root, while the "target process" refers to the process to which the code is injected and [pid] refers to the target process pid value.
  1. The source process checks the mapping between a process id and a process name. This is done by reading the /proc/[pid]/cmdline file.
    This very first step fails in Android 7.0 and higher, even with root permission. The /proc filesystem is now mounted with a hidepid=2 parameter, which means that a process cannot access other processes' /proc/[pid] directories.
  2. A ptrace_attach syscall is called. This allows the source process to trace the target.
  3. The source process looks at its own memory to calculate the offset between the beginning of the libc library and the mmap address.
  4. The source process reads /proc/[pid]/maps to find where libc is located in the target process memory. By adding the previously calculated offset, it can get the address of the mmap function in the target process memory.
  5. The source process tries to determine the location of dlopen, dlsym, and dlclose functions in the target process. It uses the same technique as it used to determine the offset to the mmap function.
  6. The source process writes the native shellcode into the memory region allocated by mmap. Additionally, it also writes the addresses of dlopen, dlsym, and dlclose into the same region, so that they can be used by the shellcode. The shellcode simply uses dlopen to open a .so file within the target process and then dlsym to find a symbol in that file and run it.
  7. The source process changes the registers in the target process so that the PC register points directly to the shellcode. This is done using the ptrace syscall.
This diagram illustrates the whole process.
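As an added example (not from the post or from Google), the following Python checks look at the chain above from the defender's side: whether /proc is mounted with hidepid=2 (which stops step 1), whether SELinux is enforcing (which the app must first disable), and whether a process such as system_server has executable mappings from outside the system partitions, which is what the dlopen in step 6 leaves behind. All sample data is constructed; the injector package name and library path are hypothetical.

```python
import re

# Constructed /proc/mounts excerpts: a device where /proc is mounted with hidepid=2
# (the Android 7.0+ layout described above) and an older one without it.
MOUNTS_HIDEPID = (
    "proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0\n"
    "sysfs /sys sysfs rw,seclabel,relatime 0 0\n"
)
MOUNTS_OPEN = "proc /proc proc rw,relatime 0 0\n"

# Constructed excerpt of /proc/[pid]/maps for a system_server-like process. The third
# line is a hypothetical library dlopen()ed from an app's private data directory, which
# is the artefact the shellcode in step 6 leaves behind in the target process.
MAPS_SAMPLE = """\
7f6a000000-7f6a100000 r-xp 00000000 fd:00 1234   /system/lib64/libc.so
7f6c000000-7f6c001000 r--p 00000000 fd:00 5678   /system/framework/arm64/boot.oat
7f7a000000-7f7a010000 r-xp 00000000 fd:01 9999   /data/data/com.example.injector/lib/libinject.so
7f8a000000-7f8a100000 rw-p 00000000 00:00 0      [anon:libc_malloc]
"""

# Partitions from which system_server is expected to load code
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/apex/", "/product/", "/system_ext/")
_HIDEPID_NAMES = {"off": 0, "noaccess": 1, "invisible": 2, "ptraceable": 4}


def hidepid_level(mounts_text):
    """hidepid= value on the /proc mount (numeric or symbolic form); 0 when absent."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            m = re.search(r"(?:^|,)hidepid=([^,]+)", fields[3])
            if not m:
                return 0
            value = m.group(1)
            return int(value) if value.isdigit() else _HIDEPID_NAMES.get(value, 0)
    return 0


def suspicious_mappings(maps_text, trusted=TRUSTED_PREFIXES):
    """Paths of executable file-backed mappings that live outside the trusted partitions."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                      # anonymous mapping without a path
        perms, path = fields[1], fields[5]
        if "x" not in perms or path.startswith("["):
            continue                      # not code, or a pseudo-path like [anon:...]
        if not path.startswith(trusted):
            hits.append(path)
    return hits


def injection_exposure(mounts_text, selinux_enforcing):
    """Findings for the two preconditions the injection chain above depends on."""
    findings = []
    if hidepid_level(mounts_text) < 2:
        findings.append("/proc mounted without hidepid=2: other processes' /proc/[pid] readable")
    if not selinux_enforcing:
        findings.append("SELinux not enforcing")
    return findings
```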


PHA authors go to great lengths to come up with increasingly clever ways to monetize their apps.
Zen family PHA authors exhibit a wide range of techniques, from simply inserting an advertising SDK to a sophisticated trojan. The app that resulted in the largest number of affected users was the click fraud version, which was installed over 170,000 times at its peak in February 2018. The most affected countries were India, Brazil, and Indonesia. In most cases, these click fraud apps were uninstalled by the users, probably due to the low quality of the apps.
If Google Play Protect detects one of these apps, it will show a warning to users.
We are constantly on the lookout for new threats and we are expanding our protections. Every device with Google Play includes Google Play Protect and all apps on Google Play are automatically and periodically scanned by our solutions.
You can check the status of Google Play Protect on your device:
  1. Open your Android device's Google Play Store app.
  2. Tap Menu>Play Protect.
  3. Look for information about the status of your device.

Hashes of samples

Type Package name SHA256 digest
Custom ads com.targetshoot.zombieapocalypse.sniper.zombieshootinggame 5d98d8a7a012a858f0fa4cf8d2ed3d5a82937b1a98ea2703d440307c63c6c928
Click fraud com.counterterrorist.cs.elite.combat.shootinggame 84672fb2f228ec749d3c3c1cb168a1c31f544970fd29136bea2a5b2cefac6d04
Rooting trojan com.android.world.news bd233c1f5c477b0cc15d7f84392dab3a7a598243efa3154304327ff4580ae213
Zen trojan com.lmt.register eb12cd65589cbc6f9d3563576c304273cb6a78072b0c20a155a0951370476d8d

Apache Struts Commons FileUpload Library Remote Code Execution Vulnerability Affecting Cisco Products: November 2018

On November 5, 2018, the Apache Struts Team released a security announcement urging an upgrade of the Commons FileUpload library to version 1.3.3 on systems using Struts 2.3.36 or earlier releases. Systems using earlier versions of this library may be exposed to attacks that could allow execution of arbitrary code or modifications of files on the system. The issue is caused by a previously reported vulnerability of the Apache Commons FileUpload library, assigned to CVE-2016-1000031.

The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted data to an affected system. A successful exploit could allow the attacker to execute arbitrary code or manipulate files on the targeted system.

This advisory is available at the following link:

Security Impact Rating: Critical
CVE: CVE-2016-1000031

Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable

Executive Summary

While reviewing some network anomalies, we recently uncovered Cold River, a sophisticated threat actor making malicious use of DNS tunneling for command and control activities. We have been able to decode the raw traffic in command and control, find sophisticated lure documents used in the campaign, connect other previously unknown samples, and associate a number of legitimate organizations whose infrastructure is referenced and used in the campaign.

The campaign targets Middle Eastern organizations, largely from Lebanon and the United Arab Emirates, though Indian and Canadian companies with interests in those Middle Eastern countries are also targeted. There are new TTPs used in this attack: for example, Agent_Drable leverages the Django Python framework for its command and control infrastructure, the technical details of which are outlined later in the blog.

We are not sure which threat actor, or proxy of a threat actor, is behind the campaign. This campaign uses previously undiscovered toolcraft, and we speculate that the use of right-to-left languages influenced the hardcoded string “Agent_Drable” found in the implant used in the campaign. It references a 2007 conflict of the Lebanese army at the “Nahr Elbard” Palestinian refugee camp, which is a transliteration of Nahr el bared. The English translation of Nahr Elbard is “Cold River.”

In short, “Cold River” is a sophisticated threat that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.

Note: the campaign described in this blog post has been also covered by Talos and CERT-OPMD, whereas the underpinning DNS hijacking attacks have been recently described in detail by FireEye in this article.

MalDoc Droppers

Two malicious word documents were found, differing only in the decoy content (same VBA macro, same payload). The first sample is an empty document but is weaponized (Figure 1).

Figure 1: Screenshot of the weaponized empty document (sha1: 1f007ab17b62cca88a5681f02089ab33adc10eec)

The second one is a legitimate HR document from the SUNCOR company to which they added the malicious payload and VBA macro (Figure 2).

Figure 2: Screenshot of the HR document from Suncor (sha1: 9ea865e000e3e15cec15efc466801bb181ba40a1)

While gathering open intelligence about the callback domain 0ffice36o[.]com we found a reference to a potential linked document from Twitter (see Figure 3); although that document did not contain the same payload. The person behind this Twitter account may have attached the wrong document.

Figure 3: Tweet referencing a third document: https://twitter.com/KorbenD_Intel/status/1053037793012781061

The timestamps listed in Table 1 tend to confirm the hypothesis that the Suncor document is a legitimate document which was weaponized: the creation date is old enough, and the last save matches the timeframe of the campaign. The empty document is most likely the one used to test the macro or to deliver the payload in an environment not related to Suncor.

SHA1 Description Creation Time Last Saved Time
1f007ab17b62cca88a5681f02089ab33adc10eec Empty doc 2018-10-05 07:10:00 2018-10-15 02:59:00
9ea865e000e3e15cec15efc466801bb181ba40a1 Suncor decoy 2012-06-07 18:25:00 2018-10-15 22:22:00

Table 1: Malicious documents and related metadata.

For a more global timeline of the documents and their payloads, please refer to Figure 4.

Behavior Analysis

The VBA macro is basic but effective. It is split into two components, one executing when the document is opened and the other at document close. The actual payload is not stored directly in the VBA code, but instead hidden in a form within the document.

When opening the Suncor document, macro execution must be enabled by the user to actually see its content. This makes the macro activation part appear legitimate to an average user. The only additional obfuscation taking place is the use of string concatenation, such as “t” & “mp“, “Microsoft.XML” & “DOM“, “userp” & “rofile“, etc.

The malicious macro contains some basic anti-sandboxing code, checking to see if a mouse is available on the computer using the API Application.MouseAvailable. Overall, the logic of the macro is the following:

At document opening:

  • Check if Environ("userprofile")\.oracleServices\svshost_serv.exe exists.
  • If yes, stop. If no, continue.
  • Create the directory Environ("userprofile")\.oracleServices if it does not exist.
  • Fetch the base64 encoded payload stored in UserForm1.Label1.Caption.
  • Decode and write it into Environ("userprofile")\.oracleServices\svshost_serv.doc.
  • Reveal the document content.

At document close:

  • Rename the dropped “svshost_serv.doc” file as “svshost_serv.exe”.
  • Create a scheduled task that runs the EXE file every minute, named “chrome updater”.

A last interesting thing to note is that the part of the code setting up the scheduled task is copied from an online resource1.

Payloads and CnC Communication

We found two related payloads, shown in Table 2. The main difference between the two payloads is that one of them has some event logging capabilities, making it easier to determine the actual intention of the implant; most likely it was an early development or debug version. The sample actually packaged inside the Suncor documents was stripped of this functionality.

SHA1 Description Compilation Timestamp
1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5 Payload with logs information 2018-09-03 16:57:26 UTC
1022620da25db2497dc237adedb53755e6b859e3 Payload without logs information 2018-09-15 02:31:15 UTC

Table 2: the Agent_Drable payloads.

One interesting string found inside the binary is “AgentDrable.exe“. This name is written in the DLL Name entry of the Export directory inside the PE header. It will reappear in different parts of this campaign, such as the infrastructure configuration. We can assume with confidence that this is the name given to this implant by the threat actor. There is very little evidence referencing AgentDrable outside of recent submissions to a few analysis portals. One hypothesis is that it would be the name “Elbard” reversed.

The compilation timestamps of the two samples are interesting as well. Timestamps can easily be falsified; however, these appear in multiple places across the binaries (Debug directory, File header) and are coherent with the other events of the campaign. We placed all the dropper and payload timestamps in Figure 4.

Figure 4: Note that the creation timestamp of WORD_1 is omitted, being way further back in time (2012).

One interesting fact is the compilation timestamp of the dropped sample without logs, which matches the last save time of the two Word documents in which the dropped file was embedded. This suggests that they compiled the last version of their implant and directly weaponized the document for delivery.

Both malicious documents were submitted to VirusTotal from Lebanon just a few days later. Overall this timeline provides a coherent story and suggests that none of the timestamps were altered by the attackers. This completes the overview of the campaign deployment; we will provide additional insight as we compare this with the evolution of the attackers' command and control infrastructure.

Dropped Executable – Behavior Analysis

The primary function of the dropped payload is to operate as a reconnaissance tool. There are no advanced functionalities implemented inside the binary (no screen capture or keylogger, for example). This file’s main functions are:

  • Running commands from CnC and returning the output
  • File download and execution
  • File exfiltration

One IP and one domain name are hardcoded inside the binary, as well as a user agent:

  • 0ffice36o[.]com (clearly mimicking the legitimate office360[.]com)
  • 185.161.211[.]72
  • Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

The implant has two main ways of communicating with a CnC: (1) DNS requests, and (2) HTTP(S) GET/POST. The first execution defaults to DNS communication then, based on the commands received, it may switch to HTTP.

The binary is executed every minute thanks to a scheduled task created by the malicious document. At the beginning of every run, it creates the following subdirectories if they do not exist:

  • .\Apps
  • .\Uploads
  • .\Downloads

Directories “Uploads” and “Downloads” act exactly according to their name. Any executable located in the “Apps” directory will run each time the dropper implant is executed.

All the configuration data is handled using JSON and the cJSON library. Key names are generic, using one or two letters (‘a’, ‘m’, ‘ul’, …) but we managed to get a comprehensive listing as shown in Table 3. The configuration is stored in the file “Configure.txt” and retrieved at the beginning of every execution.

Parameter Name Comment
a Execution mode (DNS/HTTP)
m Max query length, used to split long DNS queries into multiple shorter ones
f Phase
c DNS counter
h Home path, where the subdirectories and config file are created
u HTTP CnC resource path
s HTTP CnC IP address
d DNS CnC domain
p HTTP CnC port number
l Connection type, HTTP or HTTPS
i Victim ID (2 chars)
k Custom base64 alphabet

Table 3: JSON configuration parameters (list not exhaustive).

In order to communicate with the DNS CnC, the sample performs DNS queries of specially crafted subdomains. For example, here are some DNS queries from different victims:

  • crzugfdhsmrqgq4hy000.0ffice36o[.]com
  • gyc3gfmhomrqgq4hy.0ffice36o[.]com
  • svg4gf2ugmrqgq4hy.0ffice36o[.]com
  • Hnahgfmg4mrqgq4hy.0ffice36o[.]com
  • 6ghzGF2UGMD4JI2VOR2TGVKEUTKF.0ffice36o[.]com

The subdomains follow a specific schema: they are made of 4 random alphanumeric chars followed by a base32 encoded payload. When applied to the domains listed above we get:

Subdomain Plain text
crzugfdhsmrqgq4hy000 1Fy2048|
gyc3gfmhomrqgq4hy 1Xw2048|
svg4gf2ugmrqgq4hy 1uC2048|

The first three plain texts differ only by two letters: Fy / Xw / uC. This is an ID generated by the sample that allows the CnC to identify the source of a request. It is generated from the username and/or hostname, and thus stays consistent between implant executions. The same ID is used during HTTP communications.
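As an added example (not code from the post or from the analysts), the following Python decoder applies the schema above to the five queries listed earlier: it drops the 4-character prefix, base32-decodes the remainder, and extracts the victim ID. It assumes, from the first sample ending in "000" exactly where three "=" padding characters belong, that trailing zeros stand in for base32 padding.

```python
import base64
import binascii

CNC_DOMAIN = "0ffice36o[.]com"   # defanged, as quoted in the post
PREFIX_LEN = 4                    # random characters prepended to every query

# The five queries listed above, reused here as sample input.
OBSERVED_QUERIES = [
    "crzugfdhsmrqgq4hy000.0ffice36o[.]com",
    "gyc3gfmhomrqgq4hy.0ffice36o[.]com",
    "svg4gf2ugmrqgq4hy.0ffice36o[.]com",
    "Hnahgfmg4mrqgq4hy.0ffice36o[.]com",
    "6ghzGF2UGMD4JI2VOR2TGVKEUTKF.0ffice36o[.]com",
]


def decode_label(label):
    """Decode one tunnel label: drop the random prefix, base32-decode the rest.

    Base32 is case-insensitive, so mixed-case labels are fine. '0' is not a base32
    symbol; the first sample ends in '000' exactly where three '=' padding characters
    belong, so trailing zeros are treated as padding (an assumption from that sample).
    """
    payload = label[PREFIX_LEN:].upper().rstrip("0")
    payload += "=" * (-len(payload) % 8)
    try:
        return base64.b32decode(payload).decode("latin-1")
    except binascii.Error:
        return None


def decode_query(fqdn, domain=CNC_DOMAIN):
    """(plaintext, victim_id) for a tunnel query, or None if it is not one."""
    if not fqdn.endswith("." + domain):
        return None
    label = fqdn[: -(len(domain) + 1)]
    plain = decode_label(label)
    if plain is None:
        return None
    # In the three decoded samples the ID is the pair of characters after the leading '1'
    return plain, plain[1:3]


def decode_all(queries, domain=CNC_DOMAIN):
    """Map every query to its decoded form, keeping undecodable ones as None."""
    return {q: decode_query(q, domain) for q in queries}
```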

While in DNS mode, the implant communicates with the CnC exclusively through these crafted subdomains and gets its command by interpreting the IP addresses returned. The HTTP communication mode is a bit more advanced: requests and answers from the implant respectively use GET and POST methods. By default, the sample builds the URL http://[CNC_IP]/[RESOURCE_PATH]?id=[ID] where:

Parameter Default Value Note
CNC_IP 185.161.211[.]72 This IP can be updated
RESOURCE_PATH /index.html This path can be updated
ID Fy This ID is constant for a given infection

The hardcoded CnC IP stored in the binaries was offline at the time of the analysis. We were able to find another active CnC hosted at 185.20.184[.]138. Figure 5 shows what the page looks like when accessed through a web browser.

Figure 5: The fake Wikipedia page.

The CnC commands are hidden inside HTML comments or within specific tags and encoded using a custom base64 alphabet. Below is an excerpt of the source code of the page, showing the encoded data.

Once decoded, they give the following JSON object from which the commands are extracted:

These commands show the typical steps that an attacker would take to perform host reconnaissance before proceeding with the intrusion. The full list of tags containing instructions or commands is in Table 4.

Tag Description
<!--[DATA]--> Base64 encoded JSON content
<link href="[DATA]"> Resource path from which a download must occur
<form action="[DATA]"> Resource path on which the POST answers should be performed

Table 4: List of the tags that are extracted from the page.
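An added analyst-side example, not the report's tooling, showing how the three carriers of Table 4 can be pulled out of a fetched page and how a custom base64 alphabet is reversed with a plain character translation. The real alphabet is served by /Client/Login and is not reproduced in the report, so a constructed rotated alphabet stands in for it; the sample page is constructed too (its JSON keys follow Table 3, the form action is the upload endpoint from Table 5, and the link target is a made-up path).

```python
"""Extract CnC data from the fake page and undo the custom-alphabet base64 (added example)."""
import base64
import json
import re
import string
from typing import Any, Dict, List

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed stand-in for the implant's custom alphabet: the standard
# alphabet rotated by 17 positions. The '=' padding is the same in both.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]
TO_STD = str.maketrans(CUSTOM_ALPHABET, STD_ALPHABET)
TO_CUSTOM = str.maketrans(STD_ALPHABET, CUSTOM_ALPHABET)


def custom_b64decode(data: str) -> bytes:
    """Map each custom-alphabet symbol onto its standard one, then decode."""
    return base64.b64decode(data.translate(TO_STD), validate=True)


def custom_b64encode(raw: bytes) -> str:
    """Inverse of custom_b64decode; used here only to build the sample page."""
    return base64.b64encode(raw).decode("ascii").translate(TO_CUSTOM)


# The three carriers listed in Table 4.
COMMENT_RE = re.compile(r"<!--([A-Za-z0-9+/=]+)-->")
LINK_RE = re.compile(r'<link\s+href="([^"]*)"')
FORM_RE = re.compile(r'<form\s+action="([^"]*)"')


def extract_cnc_data(html: str) -> Dict[str, Any]:
    """Return decoded JSON objects, download paths and POST paths found in a page."""
    commands: List[Any] = []
    for blob in COMMENT_RE.findall(html):
        try:
            commands.append(json.loads(custom_b64decode(blob)))
        except ValueError:
            # Ordinary comments do not decode to JSON (or to base64 at all); skip them.
            continue
    return {
        "commands": commands,
        "downloads": LINK_RE.findall(html),
        "upload_paths": FORM_RE.findall(html),
    }


# Constructed sample page. SAMPLE_CONFIG uses keys from Table 3 with made-up values.
SAMPLE_CONFIG = {"i": "Fy", "p": 80, "l": "HTTP"}
SAMPLE_PAGE = (
    "<html><head><title>Wikipedia</title>\n"
    '<link href="/static/update.bin">\n'
    "</head><body>\n"
    "<!--copyright2018-->\n"
    f"<!--{custom_b64encode(json.dumps(SAMPLE_CONFIG).encode())}-->\n"
    '<form action="/Client/Upload">\n'
    "</body></html>\n"
)

if __name__ == "__main__":
    print(json.dumps(extract_cnc_data(SAMPLE_PAGE), indent=2))
```

On a real page the `<link>` and `<form>` regexes will also match legitimate stylesheets and forms, so the decoded JSON is the reliable signal; the other two carriers are worth reporting only once the comment has decoded.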

The HTTP CnC is powered by a Django framework with debug mode activated. Thanks to that misconfiguration, it is possible to gather some additional pieces of information that can be used to map their whole infrastructure. Table 5 lists all the endpoints available.

Path Description
/index.html (GET) Retrieves commands and generic conf params
/Client/Login (GET) Retrieves the custom b64 alphabet used to encode data
/Client/Upload (POST) Upload exfiltrated data or command results
^\.well\-known\/acme\-challenge\/(?P<path>.*)$ Used to generate let’s encrypt certificates

Table 5: List of all available endpoints.

Besides all the resource paths, the debug mode leaked all of the environment variables and some Django internal settings. The most interesting values are listed in Tables 6 and 7 (the full list is available upon request):

Var Name Value Comment
PWD /root/relayHttps Interesting directory name
PATH_INFO /static/backup.zip Password protected backup of the database
SHELL /usr/bin/zsh
SSH_CLIENT 194.9.177[.]22 53190 22 Leaked IP of their VPN server

Table 6: Environment variables leaked due to a misconfigured Django instance.

Var Name  Value Comment
LOGIN_URL  /accounts/login/
MAGIC_WORD microsoft Unknown
DATABASES /root/relayHttps/db.sqlite3
SERVER_URL https://185.20.184[.]157 Leaked IP, unknown usage

Table 7: Settings leaked due to a misconfigured Django instance.

Once again we find a mention of the “drable” moniker, this time as part of one of the queries used to fetch data from the underlying database:

SELECT COUNT(*) AS "__count" FROM "Client_drable"
WHERE "Client_drable"."relay_id" = %s


Thanks to the data leaked by the CnC and additional passive DNS data, we were able to identify, with high confidence, multiple hosts which belong to the campaign infrastructure. One interesting fact is that they are all part of the same autonomous system, Serverius N (AS 50673), and hosted by Deltahost. Furthermore, all the domain names were registered through NameSilo.

IP Description
185.161.211[.]72 Hardcoded HTTP CnC, not used at the time of the analysis.
185.20.187[.]8 Mostly used to generate Let’s Encrypt certificates. Port 443 still answers with memail.mea.com[.]lb. Port 444 has a “GlobalSign” certificate of memail.mea.com[.]lb.
185.20.184[.]138 Live HTTP CnC. Ports 80 and 443 return interesting Django debug info.
185.20.184[.]157 Unknown usage. Basic authentication protected page on port 7070 with https; the certificate CN is “kerteros”. Port 8083 hosts a webserver, but only returns a blank page.
185.161.211[.]79 Hosted the HR phishing domains hr-suncor[.]com and hr-wipro[.]com, now redirect to the legitimate website.
194.9.177[.]22 Openconnect VPN used to reach the HTTP CnC.

By correlating these IP addresses with DNS resolutions (See timeline in Appendix A), we identified three domains that were most likely used to deliver the weaponized first stage documents:

  • hr-suncor[.]com
  • hr-wipro[.]com
  • files-sender[.]com

These similar-looking domain names match well with the Suncor document template used in the attack. We have not yet found any specific document linked to Wipro. We also found suspicious DNS resolutions from government AE and LB domain names pointing towards 185.20.187[.]8 for a short amount of time (~1 day each).

By cross-referencing this data with certificate generation records available on https://crt.sh, we conclude that the attackers managed to take over the DNS entries of these domains and generated multiple “Let’s encrypt” certificates allowing them to transparently intercept any TLS exchange.

Domain Certificate Redirection Dates
memail.mea.com[.]lb https://crt.sh/?id=923463758 2018-11-06
webmail.finance.gov[.]lb https://crt.sh/?id=922787406 2018-11-06
mail.apc.gov[.]ae https://crt.sh/?id=782678542 2018-09-23
mail.mgov[.]ae https://crt.sh/?id=750443611 2018-09-15
adpvpn.adpolice.gov[.]ae https://crt.sh/?id=741047630 2018-09-12


In summary, Cold River is a sophisticated threat actor making malicious use of DNS tunneling for command and control activities, compelling lure documents, and previously unknown implants. The campaign targets Middle Eastern organizations, largely from Lebanon and the United Arab Emirates, though Indian and Canadian companies with interests in those Middle Eastern countries may have also been targeted.

Cold River highlights the importance of detection diversity and contextualized threat intelligence. Without correlating Behavioral Intelligence and Network Traffic Analysis, the full scope of Cold River’s capabilities would go unseen, exposing victims to additional risk.

Indicators of Compromise

Droppers (maldocs)
9ea865e000e3e15cec15efc466801bb181ba40a1 (Suncor document)

1022620da25db2497dc237adedb53755e6b859e3 (Document Payload)
1c1fbda6ffc4d19be63a630bd2483f3d2f7aa1f5 (Writes logs)

IP addresses

Domain names

Certificates domain names

Generated certificates

User agent
Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko

Filesystem artifacts

Scheduled task
Name: “chrome updater”
Description: “chromium updater v 37.5.0”
Interval: 1 minute
Execution: “%userprofile%\.oracleServices\svshost_serv.exe”
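As an added defender-side example (not part of the report), the following Python checks exported Task Scheduler definitions against the scheduled task indicators listed above. The Task Scheduler XML namespace and element layout are the ones Windows emits for `schtasks /query /xml`; the sample export is constructed, and its trigger type and start date are assumptions, since the report gives only the name, description, interval and executed path.

```python
"""Flag Task Scheduler XML exports matching the Cold River scheduled task (added example)."""
import xml.etree.ElementTree as ET
from typing import List

# Task Scheduler XML namespace used by Windows task exports.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators from the report.
IOC_TASK_NAME = "chrome updater"
IOC_DESCRIPTION = "chromium updater v 37.5.0"
IOC_COMMAND_SUFFIX = r"\.oracleServices\svshost_serv.exe"
IOC_INTERVAL = "PT1M"  # ISO 8601 duration: the 1-minute repetition interval


def task_indicators(task_xml: str) -> List[str]:
    """Return the names of the indicators this task definition matches
    (an empty list means no match)."""
    root = ET.fromstring(task_xml)
    hits: List[str] = []
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    # The URI is the task path; the last component is the task name.
    if uri.rsplit("\\", 1)[-1].lower() == IOC_TASK_NAME:
        hits.append("task name")
    desc = root.findtext("t:RegistrationInfo/t:Description", default="", namespaces=NS)
    if desc.strip().lower() == IOC_DESCRIPTION:
        hits.append("description")
    for cmd in root.iterfind("t:Actions/t:Exec/t:Command", NS):
        if (cmd.text or "").strip().lower().endswith(IOC_COMMAND_SUFFIX.lower()):
            hits.append("command path")
    for interval in root.iterfind(".//t:Repetition/t:Interval", NS):
        if (interval.text or "").strip() == IOC_INTERVAL:
            hits.append("1-minute repetition")
    return hits


# Constructed sample export of the task described in the report.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>chromium updater v 37.5.0</Description>
    <URI>\chrome updater</URI>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval></Repetition>
      <StartBoundary>2018-11-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%userprofile%\.oracleServices\svshost_serv.exe</Command>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task for comparison.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Description>Nightly backup (constructed)</Description>
    <URI>\Example\NightlyBackup</URI>
  </RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>C:\Tools\backup.exe</Command></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    print("sample:", task_indicators(SAMPLE_TASK_XML))
    print("benign:", task_indicators(BENIGN_TASK_XML))
```

Matching on each indicator separately matters because an attacker only has to change the task name to defeat a name-only rule; a task that still executes from `%userprofile%\.oracleServices` or repeats every minute is worth a look even when the name differs.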

Appendix A: DNS Resolution Timeline



The post Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable appeared first on Lastline.

Luas data ransom: the hacker who cried wolf?

In a terrible start to the year for Irish tram firm Luas, their site was compromised a week ago and adorned with a stark ransom warning:

hacked site


You are hacked. Some time ago I wrote that you have serious security holes.

You didn’t reply.

The next time someone talks to you, press the reply button.

You must pay one bitcoin in five days. Otherwise I will publish all data and send emails to your users.

The message came with a Bitcoin address, and the defacement was quickly taken down.

Real threat or a blast of bluster?

Many observers questioned the legitimacy of this ransom threat. One Bitcoin is currently around 3,100 Euros. Luas aren’t exactly short of cash, so it wouldn’t be an issue for them to pay (not that we’d advise it). The general feeling was that either 3,100 Euros was a large sum of money to the attacker, or they just wanted the company to address the problem facing them without fuss.

As soon as the hack was announced, nervous customers wondered exactly what might be dumped into the ether should the ransom go unpaid. Names and addresses? Emails? Perhaps even payment data? However, this is where the hacker’s version of events starts to unravel. I’m not personally familiar with the website in question, and it’s currently still down, so I looked on Internet Archive.

A trip down memory lane

The site doesn’t appear to have any form of registration or login; it seems to be more of an information portal. Additionally, the one section that references payment—“Pay your standard fare notice”—leads to the payments site, which Luas pointed out hadn’t been compromised. The site read as follows:

The Luas website is undergoing restoration following a cyber-attack.

We wish to advise customers that the Tax Saver and Standard Fare Notice sites have NOT been compromised.

It’s worth noting the payments section hasn’t been taken offline, either.

The hacker who cried wolf?

We waited with bated breath as the ransom timer ticked down. Would we see a large blast of customer data popping up online? Or would the whole thing fall flat? If essential information such as logins and payment data hadn’t been grabbed, what exactly were we talking about here? Basic website metrics such as visitor stats or website referrers? What could this attacker possibly have grabbed while achieving what appears to have been a perfectly standard webpage defacement in all other respects?

The answer is, of course, “Nobody knows.”

The deadline has come, gone, and is now on vacation somewhere. Occasionally, it lets you know the weather is lovely and reminds you to put the bins out.

Absolutely none of which helps anybody who suspects they may have been caught up in this. Even more surreal is the fact that Luas said they’d contact anyone they thought may be affected, but there’s zero example of said contact on social media that I can find.

Customers: An update on the Luas cyberattack.

Luas technicians are still investigating it and are working to restore the site.

Luas has contacted the Commissioner for Data Protection and we have in accordance with best practice contacted everyone whose information may have been compromised.

This is absolutely not what normally happens, and at this point I’d usually be linking to a deluge of “you got me” posts. That’s the theory. The reality, currently, is nothing but a wave of silence.

This number is no longer available

Our suspicion here is that nothing customer related was taken and it was all a ransom-themed bluff to either grab some Bitcoin cash or attention, or perhaps both. If you’ve used any Luas site for any type of registration or payment, you’re probably fine.

Unless the site compromiser had a sudden change of heart, they were going to dump the data publicly rather than on some hidden underground forum, but it hasn’t happened. People may call them “underground,” but the reality is data dumps don’t remain private for long.

No further updates are forthcoming from Luas, so it doesn’t appear they’ve been told their number is up either. All in all, we’d say cross some fingers and hope everything is coming up Milhouse.

While I try to remember if things coming up Milhouse is good or bad, here’s what you can do if you’re still worried you may be affected.

Data dump fallout tips

This isn’t just good advice for the Luas attack, but for any potential breach situation.

If you’re on Twitter, simply follow haveibeenpwned, a service maintained by security pro Troy Hunt. It will usually be one of the first places you’ll hear about any breach where data has been taken. After that, head over to the haveibeenpwned website and check if your emails have been included in any attacks. If they have, you’ll see a short summary of when it happened and what was taken. Note that you won’t see the stolen data.

Finally, you can register for alerts when any new breaches are added.

There’s really no need to go spelunking into the murky pools of hacker forums, looking in vain for a breach you may be on. Rest assured that if it’s happened, you’ll find out eventually—one way or another. At that point, it’s a case of changing your logins and applying whatever security steps are required to fix things up. Ransoms are always a major issue, whether from threats or infection files. If this story has any additional developments, we will of course update this post as to what anyone affected should do next.

The post Luas data ransom: the hacker who cried wolf? appeared first on Malwarebytes Labs.

Oculeus anti-fraud offering protects against telecom system abuse

When most enterprise companies worry about having their systems hacked by attackers, the main concern is for the enterprise networks. Few companies consider that their phone systems may be vulnerable to hacking resulting in costly toll fraud. Nevertheless, the practice of hacking into corporate PBX systems and injecting fraudulent calls over the network is causing billions of dollars in damage worldwide every year.

Enterprise companies use modern PBX (private branch exchange) systems to run their communications. A PBX switches calls between enterprise users on local lines while allowing all users to share a certain number of external phone lines. Modern PBX systems work on the Session Initiation Protocol (SIP), which is a signaling protocol used for initiating, maintaining, and terminating real-time sessions that include voice, video, and messaging applications.


That Other Moscow: Sketchy LinkedIn Job Posts Mix US, Russian Locales

Bogus LinkedIn job postings for leading US organizations, including the US Army, the State of Florida and defense contractor General Dynamics, are popping up for Russian locales like St. Petersburg and Moscow, the firm Evolver has found. Is it AI-Gone-Wild, or is something more nefarious afoot?  Moscow, on the border between Idaho and Washington...



Amazon India fixes glitch that disclosed sellers’ details

E-commerce giant Amazon India reported the cybersecurity lapse only a month after it 'inadvertently disclosed' email addresses of its users. The tech giant has reported a data breach that spooked e-commerce users.
The technical glitch had accidentally disclosed the financial information of some sellers while others tried to download reports pertaining to merchant tax. Amazon India said the error has been addressed.

"On Sunday, some sellers who attempted to download merchant tax reports for the month of December 2018 experienced a technical issue. Our teams identified the issue and resolved it on priority and sellers were soon able to download the correct reports," Amazon India said.

Some merchants who were downloading their monthly sales report, which includes details of sales through Amazon, were instead provided with financial data of other sellers.
The tech giant, while confirming the security lapse on its part, said that the sellers are now able to download their own tax reports for the month of December 2018.
Amazon India, however, did not disclose the number of sellers who were affected by the data breach, according to Business Standard.

Lack of personal information

The cybersecurity lapse occurred only a month after the Washington-headquartered e-commerce giant leaked personal information such as the names and email addresses of its users. Although Amazon admitted to an "inadvertent data leak", it didn't disclose the names or the number of the users who were affected.

While compromised personal data such as emails, phone numbers and addresses are often used illegally by hackers in phishing scams, the leak of sellers' and traders' business data is even more detrimental.

Not only does the breach breed distrust among sellers and users, but such a security lapse could also affect a merchant's business by exposing their sales data to rivals.

In India, there is no law in place that holds e-commerce giants accountable for data leaks. However, a bill is likely to be tabled in Parliament soon, aiming to strengthen cybersecurity laws and penalise tech giants responsible for such lapses.

IDG Contributor Network: What is the dark web? How to access it and what you’ll find

The dark web is a part of the internet that isn't indexed by search engines. You've no doubt heard talk of the “dark web” as a hotbed of criminal activity — and it is. Researchers Daniel Moore and Thomas Rid of King's College in London classified the contents of 2,723 live dark web sites over a five-week period a couple of years ago and found that 57 percent host illicit material. 

You can buy credit card numbers, all manner of drugs, guns, counterfeit money, stolen subscription credentials, hacked Netflix accounts and software that helps you break into other people’s computers. Buy login credentials to a $50,000 Bank of America account for $500. Get $3,000 in counterfeit $20 bills for $600. Buy seven prepaid debit cards, each with a $2,500 balance, for $500 (express shipping included). A “lifetime” Netflix premium account goes for $6. You can hire hackers to attack computers for you. You can buy usernames and passwords.


The Shifting Risk Profile in Serverless Architecture

Technology is as diverse and advanced as ever, but as tech evolves, so must the way we secure it from potential threats. Serverless architecture, such as AWS Lambda, is no exception. As the rapid adoption of this technology has naturally grown, the way we approach securing it has to shift. To dive into that shift, let’s explore the past and present of serverless architecture’s risk profile and the resulting implications for security.


For the first generation of cloud applications, we implemented “traditional” approaches to security. Often, this meant taking the familiar “Model-View-Controller” view to initially segment the application, and sometimes we even had the foresight to apply business logic separation to further secure the application.

But our cloud security model was not truly “cloud-native.”  That’s because our application security mechanisms assumed that traffic functioned in a specific way, with specific resources. Plus, our ability to inspect and secure that model relied on an intimate knowledge of how the application worked, and the full control of security resources between its layers. In short, we assumed full control of how the application layers were segmented, thus replicating our data center security in the cloud, giving up some of the economics and scale of the cloud in the process.

Figure 2. Simplified cloud application architecture separated by individual functions.


Now, when it comes to the latest generation of cloud applications, most leverage Platform-as-a-Service (PaaS) functions as an invaluable aid in the quest to reduce time-to-market. Essentially, this means getting back to the original value proposition for making the move to cloud in the first place.

And many leaders in the space are already making major headway when it comes to this reduction. Take Microsoft as an example, which cited a 67% reduction in time-to-market for their customer Quest Software by using Microsoft Azure services. Then there’s Oracle, which identified 50% reduction in time-to-market for their customer HEP Group using Oracle Cloud Platform services.

However, for applications built with Platform-as-a-Service, we have to think about risk differently. We must ask ourselves: how do we secure the application when many of the layers between the “blocks” of serverless functions are under the cloud service provider’s (CSP’s) control and not our own?

Fortunately, there are a few things we can do. We can start by having the architecture of the application become a cornerstone of information security. From there, we must ask ourselves, do the elements relate to each other in a well understood, well-modeled way?  Have we considered how they can be induced to go wrong? Given that our instrumentation is our source of truth, we need to ensure that we’re always in the know when something does go wrong – which can be achieved through a combination of CSP and 3rd party tools.

Additionally, we need to look at how code is checked and deployed at scale and look for opportunities to complete side-by-side testing. Plus, we must always remember that DevOps, without answering basic security questions, can often unwittingly give away data in any release.

It can be hard to shoot a moving target. But if security strategy can keep pace with the shifting risk profile of serverless architecture, we can reap the benefits of cloud applications without worry. Then, serverless architecture will remain both seamless and secure.

The post The Shifting Risk Profile in Serverless Architecture appeared first on McAfee Blogs.

How to secure your cloud file storage with 5 simple tricks

File hosting / cloud storage services today are a dime a dozen. Players in this vertical constantly top each other with free storage offerings, business features, and custom plans, all designed to cater to every possible audience. But they all have one thing in common: the cloud.

Cloud storage is somewhat of a double-edged sword: it’s a convenient way to keep your entire fleet of devices in sync, but it can also spell disaster if someone finds the keys to your vault. Remember the celebrity nudes leak a few years ago? Yeah. You don’t want that ‘fappening’ to you. So it’s a good idea to remind ourselves that cloud storage services like iCloud, Dropbox and Google Drive are not impenetrable. Your vendor can only do so much to protect you. ‘The Fappening’ was mostly the result of those celebrities falling victim to phishing emails. So it’s important to enable extra safeguards to avoid falling victim to scams that steal your password. In this guide, we’ll look at five practices to secure your cloud content and keep your digital life away from prying eyes.

Step 1 – Verify your email and/or phone number

This may draw a resounding “d’oooh” from power users, but you’d be surprised how many people forget their login credentials, especially those who aren’t online 24/7. Checking and confirming your email address with your vendor also helps you recover a forgotten password, so consider this simple step a double-whammy. Most cloud services also let you change the email associated with your account so, if you want to start anew, look for the module that lets you tweak this setting. It’s typically located under “account settings” or “security.”

Dropbox offers the option to quickly change the email associated with your account

If you have a phone number associated with your account, verify that one as well, and remember to update it if you end up changing your number for any reason. It ensures you’re always reachable on another device for two-factor authentication, important notifications that may involve security matters, and other exceptional situations.

Step 2 – Review, add, or remove devices, browsers and linked apps

Most cloud services offer a handy list of all devices linked to your account. If you’re a longtime user, chances are you’ve swapped devices a few times over the years. So, don’t be surprised if the list names a Windows Vista machine, or your old BlackBerry Bold. While vendors do their best to monitor your account for suspicious activity, it’s a good idea to unlink any old devices you no longer use. The same goes for different web browsers associated with your account, or linked apps that integrate with the service. If you no longer use those apps, there’s no reason for your account to keep ties with them. Who’s to say they don’t suffer a breach one day and leak your credentials?

Devices associated with a Google Drive account
This is how iCloud displays your devices. Simply click on a device’s name for more options to manage it, including disassociating it from your account (for example, if you’ve sold your phone to someone).
An example of linked apps in Dropbox

Step 3 – Enable two-factor authentication (2FA)

Two-factor-authentication, typically abbreviated as 2FA, adds another layer of security to your online accounts. It allows the service to verify that the person logging in is really you by asking you to confirm a code on another device that you own. Wonder when this comes in handy? The 2014 iCloud hack could have been almost entirely avoided had those celebs used 2FA.

So be sure to flip this switch on for every online service you have an account with, especially your cloud storage services. Most vendors today offer this option, and some even have it on by default. But for those services that don’t have 2FA enabled from the start, be sure to dig through the settings and turn it on. It’s a life saver!

iCloud asks to check your phone for a six-digit passcode

Step 4 – Have good password hygiene

Yes, it’s a drag, but you should still do it. Data breaches are so common these days that it’s become a matter of when, not if, one of your online accounts gets compromised. And cloud accounts are easily the most sensitive ones. It’s also wise to use a strong password when you decide to change it. Use a combination of upper- and lower-case letters, numbers, as well as special characters (#$%*). And remember, eight characters is the absolute minimum by today’s standards.

If you don’t trust your memory with such a complex string of characters, perhaps it’s time you considered using a password manager. There’s no shortage of options out there. Plus, it’s advisable to use different passwords with different online accounts, in case your credentials end up for sale on the dark web following a breach.

Microsoft even offers a way to go password-less with its OneDrive file-hosting service. All you need to do is download the Authenticator app for iOS or Android. “It’s more convenient and more secure,” according to the software giant. OneDrive users can also tick a box and have Microsoft remind them to change their password once every 72 days.

Changing a password in OneDrive. Microsoft offers tips on how to set a strong password, as well as the option to get nagged from time to time to change it.

Step 5 – Always sign out!

The exclamation mark above is easily justified. ALWAYS sign out of your account when you access your file storage service in a web browser, especially on an external device. For instance, Dropbox stays logged in forever, even after you close the tab in your browser – a big oversight on behalf of a service with more than 500 million users. Nevertheless, end-users shoulder the responsibility of keeping their accounts secure. If someone else has access to your computer, whether at home or at work, they can easily peek into your private life with a few keystrokes and clicks. Maybe you have nothing to hide, but why would you want someone peeking at your photos without you knowing? So remember to always hit that “sign out” button when you’re done.

Stay safe

These are just a few simple tricks to help you keep your digital life safe. We could mention other things as well, like choosing security questions and answers that can’t be easily guessed (for password recovery), or keeping an eye out for phishing scams that impersonate your cloud vendor. But as a rule of thumb, these five tips are all you need to stay on the safe side.

The folks at Apple prefer to keep iCloud users away from the technicalities and randomly trigger two-factor authentication every now and then to verify that no one has hijacked your account. They even show you how to avoid phishing emails and other scams so you don’t mistakenly give someone the keys to your iCloud. Dropbox has a comprehensive security checkup module that lets you do most of the above in one shot. And Google and Microsoft offer handy “Authenticator” apps with their respective services (Google Drive and OneDrive).

While businesses may be reluctant to store their intellectual property on remote servers, public clouds are nonetheless a decent option for regular users. So go ahead and apply these five tricks to your preferred cloud storage app or service. You’ll be glad you did. Stay safe out there!

This Week in Security News: Adware and Ransomware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about an adware that disguised itself as different apps and monitors mobile devices. Also, learn more about the different ransomware attacks Trend Micro has been tracking.

Read on:

Adware Disguised as Game, TV, Remote Control Apps Infect 9 Million Google Play Users

This adware discovered by Trend Micro is capable of displaying full-screen ads, hiding itself, monitoring a device’s screen unlocking functionality, and running in the mobile device’s background. 

Reddit locks out users with poor password hygiene after spotting ‘unusual activity’

Some Redditors have been locked out of their accounts over a mysterious security problem that the internet forum’s admins have blamed on people reusing old passwords.

German Man Admits to Politician Data Breach

A 20-year-old man has admitted to police that he was behind the recent data breach that exposed the personal data and documents of almost 1,000 German politicians and public figures online. 

Tech Support Scams: What are They and How do I Stay Safe?

If you’re still unsure what tech support scams are, and how you can protect yourself, this handy guide will tell you everything you need to know.

Chubb Announces Key Cyber Security Trends to Watch in 2019

 As business decision-makers look to the year ahead, it is critical to address existing and new cyber security concerns. To help with that process, Chubb has launched its first annual cyber security predictions, which focus on the top risks in 2019 and beyond.

Millions of Android Users Tricked Into Downloading 85 Adware Apps From Google Play

Researchers at Trend Micro discovered 85 apps that were pushing adware designed to squeeze money out of around 9 million affected Android users. 

Ransomware MongoLock Immediately Deletes Files, Formats Backup Drives

Trend Micro has been following MongoLock ransomware attacks that demand a payment of 0.1 bitcoin from victims within 24 hours to retrieve the files allegedly saved on the cybercriminals’ servers.

Samsung Phone Users Perturbed to Find They Can’t Delete Facebook

With consumers becoming more alert about their digital rights and privacy, Android phone users have begun to question Samsung’s deal to sell phones with a permanent version of Facebook.

JavaScript Malware in Spam Spreads Ransomware, Miners, Spyware, Worm

Trend Micro observed a sudden spike in JavaScript malware in more than 72,000 email samples that sourced and spread at least eight other kinds of malware beginning December 31, 2018. 

Kitchenware Companies Breached in Dual Attacks

OXO International, a maker of kitchen utensils, and Discountmugs.com, which sells a variety of kitchenware promotional materials, each reported attacks this week.

Do you think adware and ransomware will continue to be prominent cybersecurity issues this year? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Adware and Ransomware appeared first on .

Key Takeaways From SANS Report: Secure DevOps 2018: Fact or Fiction?

DevOps, with its focus on speed and incremental development, is changing the application security landscape. We’ve talked about this change a lot in the past couple years, and how security should fit into this picture. Now SANS is taking a look at how security actually is fitting into this DevOps picture in practice. In a recent survey, the sixth in a series of annual studies by SANS on security practices in software development, SANS for the first time explicitly focuses on DevOps.

They looked at how security fits into DevOps, where security risks are and how they are being managed, and the top success factors in implementing a Secure DevOps program.

The survey responses reveal both best practices and challenges of integrating security into DevOps. We include a few noteworthy points here.

Rate of security assessments is increasing

Organizations are increasing the rate of security assessments to keep pace with the new rate of software delivery.

Almost half (47 percent) of survey respondents report that their organizations are continuously deploying at least some apps directly to production. At the same time, the number of organizations assessing or testing the security of business-critical applications more than once per month has increased from 13 percent in 2017 to 24 percent in 2018, and those testing daily and continuously have almost doubled over the same period.

This is good news given what our own recent research revealed about the security implications of scanning code frequently. Data collected for our most recent State of Software Security report found a very strong correlation between how many times a year an organization scans and how quickly it addresses its vulnerabilities. When apps are tested fewer than three times a year, flaws persist more than 3.5x longer than when organizations can bump that up to seven to 12 scans annually. Once organizations are scanning more than 300 times per year, flaw persistence is 11.5x shorter than for applications that are scanned only one to three times per year.

Training on secure coding is key in DevOps

The survey asked respondents which application security tools, practices, or techniques they find most useful, and security training for engineers came out on top. Considering that, in a DevOps model, developers take ownership of security assessments while the security team takes on more of an oversight role, this response makes a lot of sense. As DevOps takes hold and security shifts further left in the development cycle, developers will need a solid understanding not only of how to avoid introducing security vulnerabilities, but also of how to efficiently remediate the vulnerabilities that are found. We've seen this idea play out among our customer base: those that take advantage of eLearning on secure coding for development teams see a 19 percent improvement in fix rate over those that do not.

Fix rate is a management problem

According to 65 percent of the SANS survey respondents, corrective actions for found vulnerabilities are solely in the hands of developers. According to SANS, “This helps explain why vulnerabilities don’t always get fixed: Developers are forced into a difficult situation, under conflicting pressures to deliver changes quickly and cheaply, while also being held responsible for fixing vulnerabilities and other bugs.”

We’ve seen evidence of this trend in our own research. Our latest State of Software Security report found that vulnerabilities remain unaddressed for significant amounts of time. More than 70 percent of all flaws remain one month after discovery, and nearly 55 percent remain three months after discovery. One in four high and very high severity flaws are not addressed within 290 days of discovery.

What’s the solution to this “fixing” problem? Our VP of program management, Pejman Pourmousa, discussed this issue in a recent blog post. He emphasizes that although developers need to own security testing in a DevOps model, the security team can’t completely opt out of the process; it plays an important role in providing the guidance and support the development team needs in order to fix what it finds. Part of that guidance stems from constructing smart policies. He stresses that application security policies should detail not only how often teams need to scan and which scanning techniques to use, but also how long they have to fix flaws based on severity/criticality. In addition, security teams should build in remediation time between scans. Scanning multiple times a day and pulling results into a tracking system is not useful if no one has the bandwidth to fix anything. You are better off setting a realistic scanning schedule (once a day) so developers have time to fix what they find, and increasing scan frequency as you become more secure and are passing policy on a regular basis.

Barriers, and enablers, of secure DevOps are not just technology

We’ve found that application security success lies just as much, if not more, with people than with technology, and this survey found the same.

The survey respondents reported that their biggest barriers to secure DevOps include shortage of skills, inadequate budgets, poor prioritization, lack of management buy-in—and the crushing weight of technical debt and security debt built up.

The top three factors that they reported contributing to secure DevOps success included:

Get survey report

Get the full survey results and analysis in the SANS report, Secure DevOps: Fact or Fiction?

Security Flaws & Fixes – W/E – 01/11/19

"Smart" LED Light Bulbs Leak Sensitive Data, Allow for Password Brute-Forcing (12/26/2018)
Researchers at Symantec have detected security issues in a remote-controlled, full-color LED light bulb that can be bought online, is easy to use and integrate with popular voice-activated smart assistants, and is a low-priced brand. In order to set up and use the light bulb to its full extent, the user has to install a smartphone app and create a free account. The light bulb will then be added to the local Wi-Fi network and can be controlled remotely through the Internet. While analyzing the network traffic, Symantec's team noticed that the smartphone application was mostly using plain HTTP requests to interact with the backend in the cloud and some of the unencrypted requests contained private information. Thus, anyone with access to the network could potentially sniff this traffic and brute-force the password hash. In addition, the application does not provide an option to change the password; once the user has chosen one, it is fixed. Equipped with this data, an attacker could log into the account and take over all of the user's light bulbs.

Acrobat and Reader Receive Adobe Security Updates (01/02/2019)
Adobe released updates for Acrobat and Reader for Windows and MacOS due to critical vulnerabilities. Successful exploitation could lead to arbitrary code execution in the context of the current user.

Adobe Pushes Out Updates for Flash Player, Other Products (01/08/2019)
Adobe has plugged an information disclosure hole in Digital Editions and a session token exposure bug in Connect. The vendor also released updates for Flash Player.

Advisory Posted for Yokogawa Vnet/IP Open Communication Driver (01/03/2019)
The Vnet/IP Open Communication Driver from Yokogawa is vulnerable to a resource management error, which could lead to a denial-of-service condition. The vendor recommends users of affected devices and versions update to the latest available release. The ICS-CERT has provided more information in its own advisory.

Authentication Bypass Issue Affects Hetronic Nova-M (01/03/2019)
An ICS-CERT advisory details an authentication bypass that was found in Hetronic's Nova-M transmitters and receivers. Successful exploitation of this vulnerability could allow unauthorized users to view commands, replay commands, control the device, or stop the device from running. Hetronic recommends that all Nova-M users update their radio transmitters to firmware version r161. Different firmware versions are available for the affected receivers.

CDC Continues Efforts to Improve Security to Its Systems, Information (12/26/2018)
Although the Centers for Disease Control (CDC) implemented technical controls and an information security program that were intended to safeguard the confidentiality, integrity, and availability of its systems and data, some issues remain and increased risks are possible. The Government Accountability Office (GAO) has periodically reviewed the CDC's efforts and a December report discusses the extent to which CDC has taken corrective actions. The GAO said that the CDC has implemented 102 of its prior 195 security recommendations and that the agency expects to implement more before September 2019.

Cisco Advisories Discuss Product Vulnerabilities (01/10/2019)
Multiple vulnerabilities in Cisco products have resulted in the vendor issuing more than 20 advisories. Among the most critical issues is a memory corruption denial-of-service condition in the vendor's Email Security Appliance.

Critical Vulnerabilities Fixed in Microsoft Windows, Server (01/08/2019)
The CERT Coordination Center (CERT/CC) has released information on vulnerabilities affecting versions of Microsoft Windows and Windows Server. A remote attacker could exploit these vulnerabilities to take control of an affected system. The Windows Kernel Transaction Manager is vulnerable to a race condition because it fails to properly handle objects in memory, which can result in local privilege escalation. Microsoft has posted security updates. Also, Windows DNS servers are vulnerable to heap overflow attacks, enabling unauthenticated attackers to send malicious requests to affected servers. Updates are available from Microsoft.

Google Secures Android with January Bulletin of Fixes (01/09/2019)
The Android operating system has received updates to resolve more than 20 vulnerabilities in Google's January release of security fixes. The most critical patch in the 2019-01-01 security patch level is for a System remote code execution vulnerability. Regarding the 2019-01-05 security patch level, a critical vulnerability was alleviated in the Qualcomm closed-source component.

Guardzilla Home Surveillance System Lets Anyone View Footage (12/28/2018)
The Guardzilla Internet of Things-enabled home video surveillance system contains a shared Amazon Simple Storage Service credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other's saved home video, Rapid7 stated in an advisory. This hard-coded credential flaw was disclosed to Guardzilla but after 60 days and no notification of a fix, Rapid7 went public with details. Researchers at 0DayAllDay found the vulnerability and released their own advisory.

Horner Automation's Cscape Affected by Improper Input Validation Vulnerability (12/26/2018)
An ICS-CERT advisory presents information regarding an improper input validation bug in Horner Automation's Cscape Control System Application programming software. The operation of any OCS device programmed with an affected version of Cscape is not compromised. Horner Automation recommends affected users update to the latest version of Cscape (Version 9.80 SP4).

Intel Boots Privilege Escalation Bug in PROSet/Wireless Wi-Fi Software (01/09/2019)
Intel released updates due to an escalation of privilege in its PROSet/Wireless Wi-Fi Software. The fixed version is

Intel Discloses Security Vulnerability (01/03/2019)
Intel has disclosed a security vulnerability that could allow an unauthorized party to "improperly gather sensitive data from many types of computing devices." According to Intel, these software analysis methods affect "many types of computing devices with different vendors' processors and operating systems."

Juniper Networks Releases Multiple Advisories and Updates (01/10/2019)
Juniper Networks posted 19 bulletins to address security issues across its product lines. Users of Juniper products should read the advisories and apply any updates that have been issued.

Mac Cleanup Utility Found Riddled with Vulnerabilities (01/03/2019)
Several vulnerabilities in MacPaw's CleanMyMac X software have been disclosed by the Cisco Talos team. Among the vulnerabilities are privilege escalation and denial-of-service bugs, but all issues have been resolved in version 4.2.0. CleanMyMac X is a cleanup application for Mac operating systems that allows users to free up extra space on their machines by scanning for unused or unnecessary files and deleting them.

Microsoft Patches Skype Bug that Exposed Pics, Other User Info (01/08/2019)
A bug in Skype for Android could have enabled an unauthenticated individual to review photos and contacts and open links in a browser, security researcher Florian Kunushevci warned. The bug, which was reported to Microsoft in October, has since been fixed.

Microsoft Releases First Monthly Security Batch of Fixes for 2019 (01/09/2019)
Microsoft released security fixes for its products, issuing patches for the Windows operating system and related software. The updates in this January batch include fixes for Internet Explorer, Edge, Office, SharePoint, .NET Framework, and Exchange. There are 49 updates in Microsoft's batch and the vendor has rated seven of those fixes to be critical.

Orange Livebox ADSL Modems Found Exposing Credentials (12/26/2018)
Security firm Bad Packets spotted an issue with Orange Livebox ADSL modems in which they enabled remote unauthenticated users to obtain the device's SSID and Wi-Fi password. Scans from Shodan determined that 19,490 devices were leaking their Wi-Fi credentials (SSID/password) in plaintext. Many of the devices found to be leaking their Wi-Fi password use the same password to administer the device (password reuse) or have not configured any custom password.

Rockwell Automation FactoryTalk Services Platform Has Critical Vulnerability (12/26/2018)
The FactoryTalk Services Platform from Rockwell Automation requires an update to avoid a heap-based buffer overflow condition, an ICS-CERT advisory states. Successful exploitation of this vulnerability could allow a remote attacker to diminish communications or cause a complete denial-of-service to the device.

SAP Releases 11 Updates on Security Patch Day (01/09/2019)
SAP's Security Patch Day consists of 11 security advisories, including two that are rated as "Hot News" or the most critical. These notifications address multiple vulnerabilities in Cloud Connector and an information disclosure in Landscape Management.

Scapy Tool Can Be Exploited to Cause DoS Condition (01/09/2019)
Two Imperva researchers discovered that Scapy, a packet manipulation tool written in Python and used by security researchers and network engineers, is susceptible to a denial-of-service vulnerability. Scapy uses a heuristic algorithm to determine the type of network packet it is inspecting; because the algorithm relies on port numbers, the packet type can be spoofed. The vulnerability occurs when Scapy is tricked into treating a network packet as a RADIUS packet. Although this bug was reported and patched upstream, the current Scapy release (2.4.0) available from the Python pip repositories is still susceptible to this attack.
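The following is an added example, not Scapy's code and not part of the original write-up. It re-implements in a few dozen lines the two properties the Imperva finding describes: the layer above UDP is guessed from the port numbers alone, so any datagram can be made to look like RADIUS by using port 1812, and an attribute-length byte is then taken on trust. The naive parser stops advancing when an attribute claims length 0 and would spin forever (the loop is capped here only so the demo terminates and reports the hang); the hardened parser rejects any attribute that is shorter than its two-byte header or that overruns the buffer. The packets, the port table and the parser structure are constructed for illustration and are not taken from Scapy's dissectors.

```python
"""Port-based dissection plus a RADIUS attribute loop that hangs on a
zero-length attribute (vulnerable form) beside a bounded parser (hardened form).

Illustrative code; not Scapy's implementation. All packet bytes are constructed here.
"""
import struct
from typing import Dict, List, Tuple

RADIUS_PORTS = {1812, 1813, 1645, 1646}   # auth, accounting and legacy ports
DNS_PORTS = {53}


def guess_udp_payload_layer(sport: int, dport: int) -> str:
    """Heuristic dissection: pick the layer from the ports alone (the weakness)."""
    if sport in RADIUS_PORTS or dport in RADIUS_PORTS:
        return "RADIUS"
    if sport in DNS_PORTS or dport in DNS_PORTS:
        return "DNS"
    return "Raw"


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header (ports, length, zero checksum) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def build_radius(code: int, ident: int, attrs: bytes) -> bytes:
    """RADIUS header: code, identifier, length, 16-byte authenticator, then attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + b"\x00" * 16 + attrs


def parse_radius_attrs_naive(data: bytes, max_iters: int = 10_000) -> List[Tuple[int, bytes]]:
    """Vulnerable: trusts the length byte. Length 0 never advances `off`, so the
    loop would spin forever; max_iters exists only so this demo reports the hang."""
    attrs, off, iters = [], 0, 0
    while off < len(data):
        iters += 1
        if iters > max_iters:
            raise RuntimeError("parser stuck: attribute length did not advance")
        typ, length = data[off], data[off + 1]
        attrs.append((typ, data[off + 2: off + length]))
        off += length            # attacker-controlled; 0 means no progress
    return attrs


def parse_radius_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    """Hardened: every attribute is at least its 2-byte header and fits the buffer."""
    attrs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated attribute header")
        typ, length = data[off], data[off + 1]
        if length < 2 or off + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {off}")
        attrs.append((typ, data[off + 2: off + length]))
        off += length            # guaranteed to advance by at least 2
    return attrs


def dissect(udp_datagram: bytes, hardened: bool = True) -> Dict[str, object]:
    """Dissect a UDP datagram the way a port-driven heuristic would."""
    sport, dport, _ulen, _csum = struct.unpack("!HHHH", udp_datagram[:8])
    payload = udp_datagram[8:]
    layer = guess_udp_payload_layer(sport, dport)
    result: Dict[str, object] = {"layer": layer}
    if layer == "RADIUS":
        _code, _ident, rlen = struct.unpack("!BBH", payload[:4])
        parser = parse_radius_attrs if hardened else parse_radius_attrs_naive
        result["attrs"] = parser(payload[20:rlen])
    return result


def probe(udp_datagram: bytes, hardened: bool) -> str:
    """Report how a parser fares on a datagram: 'ok', 'hang' or 'rejected'."""
    try:
        dissect(udp_datagram, hardened=hardened)
        return "ok"
    except RuntimeError:
        return "hang"
    except ValueError:
        return "rejected"


# Constructed: a well-formed Access-Request carrying User-Name (type 1) "bob".
GOOD = build_udp(50000, 1812, build_radius(1, 7, bytes([1, 5]) + b"bob"))
# Constructed: same ports, but the only attribute claims length 0.
EVIL = build_udp(50000, 1812, build_radius(1, 7, bytes([1, 0, 0, 0])))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("evil", EVIL)):
        print(name, "naive:", probe(pkt, False), "hardened:", probe(pkt, True))
```

The point to take from the probe output is that nothing about the attack requires a RADIUS server or even a RADIUS client on the wire: a dissector that classifies by port will run the RADIUS attribute loop over any datagram an attacker addresses to port 1812, so the length check in the hardened parser is what protects a passive monitoring tool, not the choice of port.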

Schneider Electric Updates Zelio Soft, Advises on IIoT Monitor (01/08/2019)
Schneider Electric posted a notification regarding a use-after-free vulnerability in Zelio Soft 2 v5.1 and prior versions. This issue can cause a remote code execution, but v5.2 provides a fix. A second advisory offers information regarding multiple vulnerabilities in the IIoT Monitor.

Security Bug Detected in Schneider Electric Pro-face GP-Pro EX (01/03/2019)
Schneider Electric's Pro-face GP-Pro EX contains an improper input validation bug, which could enable an attacker to modify code to launch an arbitrary executable upon launch of the program. Further information is available from an advisory posted by the vendor and a separate advisory from the ICS-CERT.

Siemens Addresses Vulnerabilities Across Product Lines (01/08/2019)
Siemens has released more than 10 advisories to address security issues and flaws within its product lines. Among these issues are denial-of-service bugs in the vendor's S7-1500 CPU and SIMATIC S7-300 CPU, a heap overflow vulnerability across multiple product families, and multiple flaws in its industrial products.

Stack-Based Overflow Issue Found in Dokan File Driver (12/26/2018)
A system driver in the Dokan Open Source File System contains a stack-based buffer overflow, which could allow an attacker to gain elevated privileges on the host machine. Dokan, versions between and, are vulnerable. Further details are posted in an advisory from the CERT Coordination Center.

Unpatched Kernel Buffer Overflow Bug Detected in IBM Trusteer Rapport for MacOS (12/26/2018)
Trustwave reported a kernel-based vulnerability in a driver bundled with IBM Trusteer Rapport for MacOS. The vulnerability is a signedness bug leading to kernel stack memory corruption in a call to memcpy. Although Trustwave worked closely with IBM throughout the disclosure process, after 120 days a patch still had not been made available. The bug can only be exploited locally, so those affected should verify that only authorized users can log in to the affected systems.

Upgrade Resolves Open Redirect in Schneider Electric's EcoStruxure (12/26/2018)
Schneider Electric's EcoStruxure, an Internet of Things-enabled architecture and platform, contains an open redirect vulnerability. Users are instructed to upgrade to a fixed version. Further information is available from an advisory posted by the ICS-CERT.

Windows MsiAdvertiseProduct Function Has Privilege Escalation Bug (12/26/2018)
An advisory warns that the Microsoft Windows MsiAdvertiseProduct function contains a race-condition vulnerability that can allow an authenticated local attacker to elevate privileges and read protected files. Exploit code for this vulnerability is publicly available. A fix or patch is not currently available, according to the Software Engineering Institute at Carnegie Mellon University.

Malware Watch – W/E – 01/11/19

Fake Fonts Used in Phishing Scam Targeting Major Bank (01/08/2019)
Proofpoint researchers observed a phishing kit that uses encoding in a credential-harvesting scheme impersonating a major retail bank. The technique appears to be unique in its use of Web fonts to implement the encoding: the phishing template loads a custom Web font that acts as a substitution cipher, so the page source holds scrambled text while the browser renders a well-crafted, legible phishing page.

Mobile Spyware Found Hidden in Google Play Apps (01/03/2019)
Spyware masquerading as legitimate apps was discovered on Google Play by researchers at Trend Micro. Some of the malicious apps had been downloaded over 100,000 times. All six of the apps have been removed by Google. The malware, MobSTSPY, is capable of stealing information including user location, SMS conversations, call logs, and clipboard items.

New Vidar Malware Pushes Out Vicious GandCrab Payload (01/09/2019)
A malvertising campaign is using the Vidar information stealer, which harvests browser histories and cryptocurrency wallets and captures instant messages, and then drops the GandCrab ransomware as the final payload. According to Malwarebytes, the malvertising chain leads to the Fallout exploit kit, which delivers Vidar (first described by a third-party researcher in December); Vidar then serves up GandCrab through its loader feature.

NRSMiner Utilizes EternalBlue Exploit to Launch Attacks (01/03/2019)
A new version of the NRSMiner cryptominer, which uses the EternalBlue exploit to propagate to vulnerable systems within a local network, is actively spreading in Asia, the research team at F-Secure has reported. In addition to downloading a cryptocurrency miner onto an infected machine, NRSMiner can download updated modules and delete the files and services installed by its own previous versions. EternalBlue is one of the exploits that was stolen from the National Security Agency (NSA) by the Shadow Brokers and dumped publicly online.

Ryuk's December Attacks Possibly Connected to Cybercrime Gang (01/10/2019)
McAfee's team of researchers investigated the outbreak of the Ryuk ransomware that targeted newspaper printing services in late December. According to the group's assessment, the Ryuk attacks can likely be attributed to a cybercrime operation developed from a tool kit offered by a Russian-speaking actor.

Sednit/Fancy Bear/APT28 Spotted Using UEFI Rootkit (12/28/2018)
An ESET researcher discovered that the Sednit (also known as Sofacy, Fancy Bear, and APT28) threat group is using a rootkit that attacks the Windows Unified Extensible Firmware Interface (UEFI). In a Threatpost article, ESET's Frédéric Vachon said, "UEFI rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise systems at this level." The rootkit, LoJax, is a weaponized version of Absolute Software's LoJack laptop recovery software. LoJack lets computer owners access their stolen systems without alerting thieves so that they can physically retrieve their lifted laptops. LoJax takes advantage of bugs in the legitimate LoJack software. One vulnerability in particular "allowed Sednit to customize a single byte that contains the domain information for the legitimate software to connect to in order to download the recovery software," Vachon said. That byte now points at Sednit's command and control domains for delivering a malicious payload. Vachon has warned that once a UEFI rootkit is loaded onto a machine, it is nearly impossible to remove.

TA505 Threat Group Introduces Two New Types of Malware to Hit Banking, Retail Sectors (01/10/2019)
The security team at Proofpoint has observed the threat actor TA505 using two new malware families: ServHelper, a backdoor, and FlawedGrace, a full-featured remote access Trojan. ServHelper has two variants: one focused on remote desktop functions and a second that primarily functions as a downloader, which then pushes out FlawedGrace. TA505 appears to be actively targeting banks, retail businesses, and restaurants as it distributes these malware families.

Trend Micro Finds Adware Masquerading as Legitimate Apps in Google Play (01/08/2019)
An active adware family has been spotted by Trend Micro's security team disguised as 85 game, TV, and remote control simulator apps on Google Play. This adware is capable of displaying full-screen ads, hiding itself, monitoring a device's screen unlocking functionality, and running in the mobile device's background. The apps had been downloaded nine million times in total. Google has since removed them from Play.

Trend Micro Identifies a New Mirai Variant Called Miori (12/26/2018)
A Mirai malware variant called "Miori" is being spread via a remote code execution vulnerability in the PHP framework ThinkPHP, Trend Micro has revealed. Upon execution, Miori starts brute-forcing Telnet logins on other IP addresses to propagate, and it listens on port 42352 (TCP/UDP) for instructions from its command and control server.

CyberCrime – W/E – 01/11/19

Chinese Hackers Charged in Global APT10 Threat Campaigns (12/26/2018)
Two Chinese hackers associated with the APT10 cyber threat group have been indicted for their roles in global computer intrusion campaigns that have taken place since at least 2006, the Justice Department (DOJ) announced. The defendants, Zhu Hua and Zhang Shilong, were part of APT10, a hacking collective associated with the Chinese government's intelligence service; the group used malware to gain access to computer networks and exfiltrate data over an extended period of time, and compromised managed service providers in at least a dozen countries. Among other things, Zhu and Zhang registered IT infrastructure that APT10 used for its intrusions and engaged in illegal hacking operations. Deputy Attorney General Rod J. Rosenstein said, "We hope the day will come when the defendants face justice under the rule of law in a federal courtroom."

Coinbase Freezes ETC Blockchain Following Double Spend Attack (01/09/2019)
Coinbase detected a deep chain reorganization with the Ethereum Classic (ETC) blockchain that included a double spend attack and has paused interactions with that blockchain. Approximately $500,000 USD was spent twice on January 5 and Coinbase halted send/receive interactions with the ETC blockchain to protect customer funds.

DNS Hijacking Enables Criminals to Gain Access, Abuse Various Entities Globally (01/10/2019)
FireEye's Mandiant team has identified a wave of DNS hijacking that has affected dozens of domains belonging to government, telecommunications and Internet infrastructure entities across the Middle East and North Africa, Europe and North America. The threat entity is thought to be connected to Iran and may consist of multiple actors. The attackers manipulate DNS records to gain a foothold and then use that access for further exploitation of the affected organizations.

Ransomware Attack Affects Some US Newspapers (01/02/2019)
The Ryuk ransomware is to blame for causing problems with the publication of newspapers distributed by Tribune Publishing. The company publishes various Tribune newspapers along with southern California versions of The Wall Street Journal, The New York Times, and the Baltimore Sun. Jeff Light, the San Diego Union-Tribune's editor and publisher, issued a statement that noted that many subscribers were without their newspapers on December 29 after the virus hit the computer systems controlling production. Digital replicas of certain newspapers were also affected.

Report: Kaspersky Responsible for Nabbing Alleged NSA Data Thief (01/10/2019)
Kaspersky Lab had a hand in the investigation that led to the arrest of former National Security Agency (NSA) contractor Harold Martin, who siphoned at least 50 TB of government data during a 20-year period, Politico has reported. The Moscow-based company notified the NSA after receiving Twitter messages that are now suspected to have come from Martin and requested to speak with Eugene Kaspersky, the vendor's founder and CEO. The messages arrived on August 13, 2016, just minutes prior to the massive online dump of NSA tools by the Shadow Brokers collective. Clues in the tweets led Kaspersky personnel to consider that Martin may have been part of the Shadow Brokers. Although Kaspersky Lab has declined to comment on its involvement in the investigation, two people close to the matter told Politico that the security firm gave the NSA the Twitter messages and evidence of the sender's identity. That information was provided to the FBI, which executed search warrants for Martin's home, property, and Twitter accounts. Martin was found to have a trove of classified information that had been taken from the NSA since 1996 and some of the materials contained the tools that were released by the Shadow Brokers, including surveillance exploits. Martin is scheduled to go to trial in June where he faces 20 counts of unauthorized and willful retention of national defense information.

Data Breaches – W/E – 01/11/19

500K People Affected by San Diego School District Data Breach (12/26/2018)
Personal data has been breached at the San Diego Unified School District in California. The district became aware of the breach in October, but the actual compromise occurred between January and November 1, according to a statement. The data file that had been viewed by unauthorized individuals contained information on students dating back to the 2008-09 school year, or more than 500,000 individuals. The district stated that phishing techniques which gathered log-in credentials for staff members caused the breach.

Bruegger's Bagels, Caribou Coffee Impacted by Data Breach (12/26/2018)
The parent company for Bruegger's Bagels and Caribou Coffee stated that the discovery of unusual activity on its network has revealed a data breach. While working with FireEye's Mandiant division, it was determined that the breach had taken place between August 28 and December 3 and that names and payment card data had been exposed. Up to 254 Caribou Coffee locations and 157 Bruegger's Bagels stores were potentially impacted, parent company Coffee and Bagels said.

Magecart Attack Causes Breach at OXO International (01/09/2019)
Home goods company OXO International was targeted by a breach that came to light on December 17, but took place on various dates between June 9, 2017 and October 16, 2018, according to a letter submitted to California's Office of the Attorney General. Personal information that had been entered on OXO's payment site has been compromised. Bleeping Computer has reported that the breach is the result of a Magecart attack, which involves the injection of malicious script into a site's checkout page so that payment data can be siphoned.

Marriott Starwood Breach Numbers Downgraded from 500 Million to 383 Million Affected (01/08/2019)
Although it was first thought that 500 million people had been affected by the breach Marriott disclosed in November, the hotel company has revised the number downward and now says that 383 million guests have had their data exposed. The breach affects guests who made reservations at a Starwood property on or before September 10, 2018. After a forensics evaluation, Marriott changed its original estimate of 500 million breached customers to 383 million. Marriott also said in a January 4 statement that 5.25 million unencrypted passport numbers and 20.3 million encrypted passport numbers were included in the information accessed by an unauthorized third party.

Kubernetes: Kubelet API containerLogs endpoint

How to get the info that kube-hunter reports for open /containerLogs endpoint

| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
| | Information Disclosure | Exposed Container Logs | Output logs from a running container are using the exposed /containerLogs endpoint | |

First step: grab the output from /runningpods/ (example below).

You'll need the namespace, pod name and container name for each container you want logs from; /containerLogs/ is addressed as /containerLogs/<namespace>/<pod name>/<container name>.

Thus, given the below runningpods output:


turns into:

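As an added example (not kube-hunter's code and not from the original post), here is a small Python script that performs the two steps above offline: it takes a /runningpods/ body, pulls out every (namespace, pod, container) triple and builds the matching /containerLogs/ URL. The pod list is constructed sample data in the shape of the v1 PodList the kubelet returns; the node address, the default kubelet port 10250 and the optional tailLines query parameter (a PodLogOptions field) are assumptions, and the fetch helper is only there for when you point it at a real node.

```python
"""Turn a kubelet /runningpods/ listing into /containerLogs/ URLs.

Added example; not kube-hunter's own code. Assumes the kubelet API on the
default port 10250. SAMPLE_RUNNINGPODS is constructed sample data.
"""
import json
from typing import List, Optional, Tuple

# Constructed sample of what GET https://<node>:10250/runningpods/ returns.
SAMPLE_RUNNINGPODS = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {
            "metadata": {"name": "web-7d9f6b5c4-abcde", "namespace": "default"},
            "spec": {"containers": [{"name": "nginx"}, {"name": "log-shipper"}]},
        },
        {
            "metadata": {"name": "kube-proxy-x1y2z", "namespace": "kube-system"},
            "spec": {"containers": [{"name": "kube-proxy"}]},
        },
    ],
})


def list_containers(runningpods_json: str) -> List[Tuple[str, str, str]]:
    """Return (namespace, pod, container) triples from a /runningpods/ body."""
    pods = json.loads(runningpods_json)
    triples = []
    for item in pods.get("items", []):
        meta = item.get("metadata", {})
        namespace = meta.get("namespace", "default")
        pod = meta["name"]
        for container in item.get("spec", {}).get("containers", []):
            triples.append((namespace, pod, container["name"]))
    return triples


def containerlogs_urls(node: str, runningpods_json: str, port: int = 10250,
                       tail: Optional[int] = None) -> List[str]:
    """Build https://<node>:<port>/containerLogs/<ns>/<pod>/<container> for every container.

    `tail` is an assumption: it maps to the tailLines PodLogOptions field."""
    suffix = f"?tailLines={tail}" if tail is not None else ""
    return [
        f"https://{node}:{port}/containerLogs/{ns}/{pod}/{c}{suffix}"
        for ns, pod, c in list_containers(runningpods_json)
    ]


def fetch(url: str, timeout: float = 5.0) -> str:
    """Fetch one URL, ignoring the kubelet's self-signed certificate (like curl -k)."""
    import ssl
    import urllib.request
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch(f"https://{node}:10250/runningpods/")
    # for a real node that kube-hunter flagged.
    for url in containerlogs_urls("10.0.0.5", SAMPLE_RUNNINGPODS, tail=100):
        print(url)
```

The same thing by hand is `curl -k https://<node>:10250/runningpods/` followed by `curl -k https://<node>:10250/containerLogs/<namespace>/<pod>/<container>`; the script only saves you from retyping the triples when a node runs dozens of pods.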

Kubernetes: Kubernetes Dashboard

Tesla was famously compromised for leaving this open. It's pretty rare to find the Dashboard exposed externally now, but it is useful to know what it is and what you can do with it.

Usually found on port 30000.

kube-hunter finding for it:

| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
| | Remote Code Execution | Dashboard Exposed | All operations on the cluster are exposed | nodes: pach-okta |

Why do you care? The Dashboard has access to all pods and secrets within the cluster, so rather than using command line tools to read secrets or run code in a pod, you can do it from a web browser.

Screenshot (not reproduced here): viewing secrets in the Dashboard.




Chinese Hackers Pulled a Theft of $18.6 Million

The Indian subsidiary of Tecnimont SpA, headquartered in Milan, fell prey to a fraud in which $18.6 million (INR 130 crore) was stolen by a group of Chinese hackers.

Tecnimont SpA is involved in a wide array of businesses including energy, chemicals, and engineering. It operates in conjunction with the publicly traded blue-chip Italian group Maire Tecnimont, which did not categorize the heist as a cyber attack but as a fraud and refused to comment any further.

According to the police complaints, the hackers sent emails to the head of Tecnimont Pvt Ltd from an email address that resembled that of CEO Pierroberto Folgiero, and manipulated local managers into believing that the money was required for an acquisition.

How did the hackers execute the theft?

Sources from Mumbai Police's cybercrime unit indicated that the con gang from China organized a series of conference calls, ostensibly to discuss a secretive and highly confidential acquisition in China.

During these calls, various people are reported to have played various roles, from the group CEO and top lawyer to senior executives of the company.

In doing so, the hackers convinced the Indian head that the money could not be sent from Italy because of regulatory issues. Once persuaded, he transferred the money in three transactions during a single week in November: $5.6 million, $9.4 million and $3.6 million.

The money was transferred from India to Hong Kong in those three tranches and was withdrawn within minutes of each transfer. The hackers then attempted a fourth transaction, but by then the fraud had been identified; it was finally uncovered during company chairman Franco Ghiringhelli's visit to India in December. The accounts into which the money was sent had been opened with fake documents.

According to ET, the matter is being taken up for investigation by a Mumbai-based law firm and a Manhattan-based security firm ‘Kroll’. Meanwhile, assisting efforts are being made by MZM, a white-collar crime and dispute resolution law firm in India.

Expert’s take

Zulfiquar Memon, managing partner of MZM Legal, said: "This is a very serious case of electronic fraud by a very highly skilled group of international criminals working with high-end technology."

"We are working with the Mumbai Cyber Cell to investigate the matter and get to the bottom of this."

Dhruv Phophalia, managing director, Alvarez & Marsal India, said: "In addition to masking email addresses, hackers in the past have used malware to penetrate and monitor email communications."

“This enables them to gather information, learn writing styles and language used by a user in email communications and replicate them in the spoofed emails.” 
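The fraud above hinged on a sender address that merely resembled the CEO's. The following script is an added example, not code from the article or from any of the firms it quotes: it parses the From header of an inbound message and flags the two patterns a mail gateway or SOC rule would want to catch, a display name that matches an executive but an address that is not theirs, and a sender domain that is a lookalike of the company domain (small edit distance, or the company name embedded in a longer domain). The executive directory, the company domain and the sample message are constructed placeholders.

```python
"""Flag executive-impersonation mail (added example; not from the article).

Checks the From: header of a message against a directory of executives:
  * display name matches an executive, but the address is not theirs;
  * sender domain is a lookalike of the company domain.
All names and domains below are constructed placeholders.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed directory: executive display name -> their real address.
EXECUTIVES = {
    "Pat Example": "pat.example@example-corp.com",
}
COMPANY_DOMAIN = "example-corp.com"  # constructed placeholder


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True if domain imitates legit without being equal to it."""
    domain, legit = domain.lower(), legit.lower()
    if domain == legit:
        return False
    if edit_distance(domain, legit) <= 2:
        return True  # one or two dropped, swapped or substituted characters
    legit_label = legit.split(".")[0]
    return legit_label in domain  # e.g. example-corp-hk.com, example-corp.co


def check_from_header(raw_message: str) -> list:
    """Return a list of findings for the From: header (empty list = nothing flagged)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ["unparseable From header"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings = []
    expected = EXECUTIVES.get(name)
    if expected and addr.lower() != expected.lower():
        findings.append(
            f"display name '{name}' belongs to {expected}, but sender is {addr}")
    if is_lookalike_domain(domain):
        findings.append(
            f"sender domain {domain} is a lookalike of {COMPANY_DOMAIN}")
    return findings


# Constructed sample: CEO impersonation from a typosquatted domain ('1' for 'l').
SAMPLE = """From: Pat Example <pat.example@examp1e-corp.com>
To: country.head@example-corp.com
Subject: Confidential acquisition - urgent transfer

Please keep this strictly between us.
"""

if __name__ == "__main__":
    for finding in check_from_header(SAMPLE):
        print("FLAG:", finding)
```

A rule like this only covers the header-level tells mentioned in the article; it does nothing against a mailbox that has genuinely been taken over, which is why out-of-band confirmation of payment instructions remains the control that would have stopped this case.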

Using a Fake Hand to Defeat Hand-Vein Biometrics

Nice work:

One attraction of a vein based system over, say, a more traditional fingerprint system is that it may be typically harder for an attacker to learn how a user's veins are positioned under their skin, rather than lifting a fingerprint from a held object or high quality photograph, for example.

But with that said, Krissler and Albrecht first took photos of their vein patterns. They used a converted SLR camera with the infrared filter removed; this allowed them to see the pattern of the veins under the skin.

"It's enough to take photos from a distance of five meters, and it might work to go to a press conference and take photos of them," Krissler explained. In all, the pair took over 2,500 pictures over 30 days to perfect the process and find an image that worked.

They then used that image to make a wax model of their hands which included the vein detail.

Slashdot thread.

Free Decryption Tool Created for PyLocky Ransomware Family

A researcher has created a free decryption tool which victims of the PyLocky ransomware family can use to recover their affected files. Mike Bautista, a security researcher at the Cisco Talos Intelligence Group, is responsible for developing the tool. Cisco Talos has made this utility freely available for download on GitHub. First reported on by […]

The post Free Decryption Tool Created for PyLocky Ransomware Family appeared first on The State of Security.

Here are The Internet Security Blogs You Should Follow Today [Updated 2019]

If you are concerned about your online security (and you should be), it's essential to know which cybersecurity blogs can help you stay informed about the most recent trends in the threat landscape.

The question then arises: Where can you find the best security blogs to learn from and gain more knowledge in the cybersecurity field? Which security experts should you follow to stay abreast of changes in this industry and better protect your digital assets? How can you tell the difference between the real experts and the false ones?

That's why we want to help, and we've put together this list of the cybersecurity blogs and websites that are worth following.

We know it isn't perfect and never will be, so we'll keep this list updated as much as we can. There are surely many other security blogs and experts we have not included, and more are launching every day.

Can you tell us which other blogs we should add to this list, and what you think about the current ones?

The list ranges from small, independent researchers and experts to the big names: security vendors, media giants, organizations and cybersecurity communities. The main criterion was how much we can benefit from their insights and knowledge.

Therefore, if you need best practices, how-to articles, online safety research or the latest security news and insights from researchers, start with this guide. Feel free to bookmark this article and return to the following blogs/websites whenever you need to.


1. Krebs on Security

Brian Krebs is the man behind Krebs on Security. After being hacked himself in 2001, he became personally interested in online security. He is one of the best-known names in today's security landscape. Krebs covers topics from the latest threats, privacy breaches, and cyber-criminals to major security news and alerts. He is also a book author.

2. Schneier on Security

Another cybersecurity blog worth reading daily belongs to Bruce Schneier, an internationally renowned security technologist called a "security guru" by The Economist. He has written books and hundreds of articles, essays and papers on cybersecurity, and is also a well-known figure in the media.

The press recognizes him as an important voice for online security, not only for his knowledge of the subject but also for the way he expresses his opinions.

3. Tao Security

Tao Security is run by Richard Bejtlich, an advisor to the security ecosystem for the Threat Stack company and a former Chief Security Strategist at FireEye. He is also the author of many books on security. He started his career as a military intelligence officer at the Air Force Computer Emergency Response Team, the Air Force Information Warfare Center and the Air Intelligence Agency.

With an extensive background in the cyber-criminal world and familiarity with malicious attacks on enterprise networks, he shares his experience in digital defense and network monitoring. Since a great number of network attacks come from China, he specializes in Chinese online criminals.

4. Graham Cluley

Graham Cluley is one of the best-known independent computer security analysts and public speakers. He has been working in the industry since the early '90s, starting as a programmer who wrote the first version of Dr. Solomon's Anti-Virus Toolkit for Windows. He later held senior roles at Sophos and McAfee.

5. Troy Hunt

Troy Hunt is an Australian Microsoft Regional Director and Most Valuable Professional (MVP) for Developer Security. He travels the world speaking at events and giving training and advice to tech security professionals. He is also the author of many top-rated courses on web security.

You have surely heard of his project "Have I Been Pwned?", a free service that tells you if you've been compromised in a data breach.

6. Daniel Miessler

Daniel Miessler is a well-known cybersecurity expert and writer with 20 years in information security. His blog collects technical knowledge, industry insights, and opinions shared by Daniel on various topics. We recommend adding his blog to your reading list for valuable insights, and also following him on Twitter.

7. Security Affairs

Security Affairs is a security blog written by Pierluigi Paganini, an ethical hacker, researcher, security evangelist, and analyst. On his blog, among the articles on security, you'll also find regular interviews with hackers, useful cybersecurity In 2016, this blog was awarded Best European Personal Security Blog.

8. Architect Security

This cybersecurity blog belongs to April C. Wright, a speaker, teacher, community leader and hacker with more than 25 years of experience in the information security industry. She teaches others simple actions that can lead to a better and safer place.

9. Dark Reading

Dark Reading is a widely read cybersecurity website aimed at IT professionals, security researchers, and technology specialists. Its writers use their experience and knowledge to provide articles, recommendations, news and information on the IT cybersecurity landscape.

10. CIO

CIO is the place to find news, information technology articles, insights and analysis on major data breaches and online threats that put your security at risk. Covering multiple aspects of the web, it provides in-depth, content-rich information for IT professionals and regular users.

11. CSO Online

CSO focuses on offering users the latest information and best practices in technology and business, loss prevention, cybercriminal threats, software vulnerabilities, malware and data breaches, and many other useful tips and advice about cybersecurity.

12. PCMag’s Security Watch

Known for his direct and witty style, Neil Rubenking is PC Magazine's Lead Analyst. He is the man to listen to if you are looking for technical advice on the main security solutions, from firewalls, antivirus, and antispam products to full security suites. This cybersecurity blog also offers detailed reports and sharp analysis of security programs, which should put it on your list of cybersecurity blogs to follow if you want this type of information. He has also written several books.

13. Paul's Security Weekly

This security blog was founded by Paul Asadoorian and covers a wide range of topics, from security news, useful technical articles and research studies to valuable information on hacking and cybercrime, delivered through different channels: blog posts, videos and podcasts.

14. Forbes

This is one of the leading media companies online and provides strong analysis, reliable tools and real-time reports on cybersecurity news and the latest online vulnerabilities.

15. SC Magazine

SC Magazine brings the IT environment technical information and data analysis to fight current online security threats. Its site provides test results for email security, mobile devices, cloud, and web security.

16. PCMag

Probably one of the most popular tech sites in the software industry, PC Mag offers readers lots of reviews and studies on the latest online security products. For an objective analysis of a particular product you may be interested in, search for the dedicated article on this website.

17. The Hacker News

It is one of the biggest information security blogs and we recommend following it for the latest resources about hacking, technology, and security.

18. Security Week

It’s one of those information security blogs you need to follow to stay informed about the latest security news, insights and analysis. You’ll also read opinions and insights from IT security experts around the world.

19. Ars Technica

Probably one of the oldest and best publications on technology. Its editorial mission is to be "technically savvy, up-to-date and more fun" than what was popular when it was founded.

20. Softpedia

Softpedia is a popular destination for software downloads but also covers tech topics and news. It was founded in 2001 by SoftNews NET SRL, a Romanian company.

21. The Last Watchdog

This security blog was founded by the Pulitzer-winning journalist Byron V. Acohido, a respected cybersecurity influencer, and The Last Watchdog is considered one of the top cybersecurity blogs. You'll find personal opinions on cybersecurity, Q&A, useful podcasts and videos.

22. Wired

One of the classical American online magazines reporting on technology and its role in culture, economy and politics, Wired approaches various topics on online privacy, cybercriminal threats, systems security and the latest security alerts.

23. Motherboard Vice

Vice's Motherboard is an online magazine dedicated to technology, science, and humans. Many of the data breaches of the past few years were first announced by Motherboard, so you should follow it.

24. Mashable

Mashable is a global media company, founded in 2005. They aim to be the leading media company for the Connected Generation and the voice of digital culture. We recommend following their cybersecurity category to read about all the latest news related to this field.

25. Techcrunch

TechCrunch is another leading media company focused on technology and breaking tech news, founded in the same year as Mashable and owned by AOL.

26. IT Pro Portal

IT Pro Portal is one of the first tech websites from the UK, launched in 1999, and has grown into one of the UK's leading resources on technology information. Here you'll find tech product reviews, market analysis, cybersecurity news and more.

27. Privacy Paradox from Lawfare

When law meets privacy – this is how we’d sum up “Privacy Paradox”, the subsection of The Lawfare Blog. Its authors take an unorthodox look at the law and policy of contemporary privacy.

28. The Register

The Register is another top online tech publication, with more than 9 million monthly unique visitors. You'll find independent news, views, and reviews on the latest in the IT industry, and its security section brings the latest news from the industry.

29. TechRepublic

TechRepublic provides extensive resources for the online industry, such as blog articles, forums, technical papers, and security data. The valuable information available on this cybersecurity blog helps IT professionals and technology leaders make the best decisions about their business processes. There are also useful resources such as white papers, eBooks, tools and more.

30. Zero Day

The Zero Day security blog is important for everyone in the IT industry. This information security blog belongs to ZDNet, and you should follow it to stay on top of the latest security analysis, software vulnerabilities, malware attacks, and network threats.

31. The Guardian Information Security Hub

Known for its quality articles on world news, the Guardian also provides a section dedicated to information security for both companies and individuals. To stay up to date with the most recent articles and news on cybersecurity, make sure you follow this cybersecurity blog.

32. Help Net Security

Help Net Security is a popular independent site, focused on information security since 1998. You’ll find here the latest information and articles related to the IT industry, including experts’ opinion on the hottest topics, reviews, security events, and many more.

33. Techworld Security

Techworld is an industry leader in business technology publishing, published by IDG (International Data Group). The Security section is dedicated to analyzing the latest malware threats and zero-day exploits, including analysis and tutorials. You can find here other important topics and subjects, such as security articles, how-to documents or software reviews.

34. IT Security Guru

It is a site for the cybersecurity community which offers daily and breaking IT security news, with opinions and analysis of the industry.

35. Network Computing

The content of the Network Computing cybersecurity blog focuses on cloud technology and enterprise infrastructure systems. Its articles cover security solutions, how to deliver applications and services in an increasingly hostile threat environment in the business world, news and expert advice.

36. Infosecurity Magazine

With more than 10 years of experience, Infosecurity Magazine is an online magazine which covers not only security articles on popular topics but is also focused on security strategy and valuable insights for the online industry. You should follow it for its educational approach.

37. SANS Institute AppSec Blog

SANS Software Security provides training, certification, research and community initiatives that help IT specialists build secure applications.

38. Peerlyst

Peerlyst is a community where cybersecurity professionals gather to discuss hot topics and exchange opinions on key subjects. As part of the community's mission, the team is "working with people like you to help transcend the fragmented security market and create transparency".

39. Europol

While it's not actually a cybersecurity blog, the newsroom section of the European Union Agency for Law Enforcement Cooperation (EUROPOL) is worth following to stay up to date with the latest press releases, news articles, blog entries, videos, and other content.

40. Electronic Frontier Foundation (EFF)

The Electronic Frontier Foundation is the leading nonprofit organization defending civil liberties in the digital world, founded in 1999. Its work is mainly focused on ensuring that rights and freedoms are enhanced and protected as our use of technology grows. You should read their information security blog for its high-quality content, comprehensive analysis, educational guides, and more.

41. Virus Bulletin

The Virus Bulletin blog is a must-read online source of reference for anyone concerned with computer security and online threat landscape. It covers the latest threats, new developments, and techniques in the security landscape, opinions from well-known members of the industry, and more.

42. StaySafeOnline

This security blog is powered by the National Cyber Security Alliance (NCSA) organization and is a reliable online source that provides valuable information on how you can stay safe online, how to keep your business secure and many other useful tips and insights on privacy.

43. Security Boulevard

It is the home of the Security Bloggers Network (SBN) and an online community where you can find plenty of useful resources from fresh cybersecurity news, threats and data breaches to webinars, a library of security-related resources, and many other educational resources.

44. Bleeping Computer

Another fantastic resource is Bleeping Computer, a technical support website, and a self-education tool. Do read their cybersecurity guides, forums, tutorials and more.

45. IT Security

Here’s another useful information security resource where you can read about cybersecurity news, insights and experts’ opinions on topics related to the cybersecurity landscape.

46. GBHackers on Security

It is another great online resource where you can read about the latest hacking news, cybersecurity, technology updates, ransomware or malware. It's also a place where you can find useful online courses and other interesting infosec resources.

47. BetaNews

Here’s another leading source of technology news and analysis you can follow to stay up to date with everything happening in cybersecurity.


48. State of Security

Tripwire delivers advanced threat, security and compliance solutions to companies. State of Security is Tripwire's cybersecurity blog and the place to read the latest cybersecurity news, podcasts, videos, and many other useful resources. Multiple authors write on it about the constantly changing cybersecurity landscape.

49. Naked Security

Naked Security is an award-winning newsroom that offers news, opinions, advice, and research on computer security issues and the latest cyber threats. The blog belongs to the security company Sophos and covers topics from mobile security threats to operating systems and malware.

50. F-Secure Safe & Savvy Blog

Safe & Savvy is a cybersecurity blog from F-Secure, a company focused on online content and privacy protection issues. On this security blog you will find plenty of handy tips and tricks on security issues, how to keep your data safe and many other resources such as videos, infographics or reports.

51. Hot For Security

Another information security blog to add to your list is Hot For Security, which belongs to the security company Bitdefender, one of the leading and best-known companies in online security solutions. On their blog, they cover various subjects related to cybersecurity and privacy, from Internet scams, online spam, and phishing detection, to malware and data-stealing software.

52. Malwarebytes Labs

The Malwarebytes cybersecurity blog includes articles that cover the latest malware threats and cybercriminal attempts from the online world. You can browse their articles by category: cybercrime, exploits, hacking and malware analysis.

53. We Live Security

We Live Security, the ESET blog, is an online resource for cybersecurity articles and probably one of the best cybersecurity blogs, covering a wide range of security topics from emerging online threats to zero-day exploits.

54. ThreatPost

Threatpost is an independent news site where you can read a plethora of cybersecurity news and analysis to stay informed and safe, including useful videos, feature reports and many more.

55. Kaspersky Lab’s Securelist

Securelist is a security blog run by Kaspersky Lab that addresses a large audience, covering cybercriminal activities and data-stealing malware. You'll find plenty of great cybersecurity information here, from malware, spam and phishing to statistics, plus an encyclopedia for looking up definitions and learning new cybersecurity terms.

56. Symantec Blogs

Symantec Blogs is an expanded blogging platform belonging to one of the biggest providers of security solutions worldwide, Symantec. This information security blog offers users the latest security news, unparalleled analysis from experts on the online threats affecting businesses today, and articles on security threats, online criminals, data-stealing malware, system vulnerabilities, and more.

57. Fox IT Security Blog

Fox-IT’s security blog is a very good source of information on online security, technology news and cybercrime defense. This security blog is owned by Fox-IT, a Dutch security firm that works with trusted partners in more than 35 countries.

58. Securosis

Securosis is a security research and advisory company that offers security services for companies and organizations. At the same time, you can find on their security blog some useful articles and insights on how you can better manage and protect your online data.

59. Google Online Security Blog

We couldn’t miss this one from our list! We are surrounded by Google products and services every day, from their search engine to web browser, so it’s normal to include their cybersecurity blog here. It is more than a reliable information security blog; it’s also a reference point on online security and privacy we need to acknowledge. Here you can also read the latest news and insights on how to keep users safe.

60. ZoneAlarm Cyber Security Blog

This cybersecurity blog is from ZoneAlarm, which is one of the well-known vendors of security products providing valuable information on malware defense and online security to protect millions of PC users. Using their experience on malware, this security blog publishes malware alerts, practical security tips and the latest news in the IT industry.

61. McAfee security blog

McAfee's information security blog provides the latest tips and techniques from various security experts to keep you up to date with the latest malware trends in the online environment.

62. Microsoft Secure Blog

Starting January 2018, this is the place where you’ll find all the blogs from Microsoft. Here you’ll find technical information for Office 365, Microsoft Azure, and Windows, alongside product updates, cybersecurity guidance, industry trends, and more. You’ll also read great cybersecurity stories from the global team of Windows Defender researchers, engineers, and experts.

63. SpiderLabs Security Blog

Investigators and researchers at Trustwave cover the latest technology news on this cybersecurity blog. Gathering information from research and testing, they publish articles and security studies to fight online hackers and cyber-criminal threats.

64. Dell SecureWorks

SecureWorks is a company that provides information security services; it became part of Dell in 2011 and was spun off as a public company in April 2016. Their cybersecurity blog provides the latest news and information for IT professionals and users who need to stay up to date with online threats and malware attacks.

65. Trend Micro Simply Security

Trend Micro Simply Security information security blog offers expert insights on cloud security, data safety, privacy protection, and threat intelligence. You’ll also find research and analysis, and the latest news on the cybersecurity industry.

66. ThreatTrack Security

ThreatTrack security blog keeps you up-to-date with the latest innovations and developments in the IT industry, from security exploits to software vulnerabilities and cyber-criminal attempts.

67. Sucuri Security

This information security blog is run by the security company Sucuri, which is managed by two highly passionate individuals in this industry, Daniel and Tony. It is a great online resource where you can learn about site security, emerging vulnerabilities, and web malware infections.

68. Comparitech

This information security blog is from the company Comparitech Limited, whose mission is to help consumers make savvier decisions when they subscribe to tech services such as VPNs, antivirus and security products, cloud backup, password managers and more. Read their blog for more about VPNs, privacy, information security and more.

69. AlienVault

It is a security company focused on enabling all organizations to better detect and manage cyber attacks in the cloud. Their blog offers fresh cybersecurity news on the latest emerging global threats and actionable advice to simplify threat management and compliance.

70. Sensors Tech Forum

Another information security blog to add to your list is Sensors Tech Forum, which is both an online security blog and a forum. Here you can read daily PC security news and ransomware and virus removal guides. The Sensors Tech team publishes useful guides that help users through the process of removing malware.

71. IT Governance UK

IT Governance is a leading global provider of IT governance, risk management and compliance solutions, with a focus on cyber resilience, data protection, and cybersecurity. On its cybersecurity blog, you'll read plenty of useful articles on GDPR and online privacy, as well as podcasts and toolkits.

72. Quick Heal Blog

This security blog belongs to Quick Heal Technologies Ltd., a pioneer of antivirus research and development in India. On the blog, you will find the latest IT security news, alerts and other useful tips.

73. ScienceSoft Blog

Another security blog that you should check out is this one from ScienceSoft, a US-based provider of IT consulting services and custom software development with over 29 years of experience in information technology. The blog covers a variety of security topics, from Artificial Intelligence and Penetration Testing to the Internet of Things, and many more.


Since the security and privacy landscape is changing constantly, so must we. That’s why we’re asking you to help us improve this article.

Let us know your thoughts in a comment below.

P.S. You can also follow our blog’s weekly roundup or our social profiles (especially Twitter), where we share the latest cybersecurity news.


The post Here are The Internet Security Blogs You Should Follow Today [Updated 2019] appeared first on Heimdal Security Blog.

DDoSing Hospital Networks Landed This Hacktivist in Jail for Over 10 Years

A simple DDoS attack could land you in jail for 10 years or even more. A Massachusetts man has been sentenced to over 10 years in prison for launching DDoS attacks against the computer network of two healthcare organizations in 2014 to protest the treatment of a teenager at the centers. Beyond serving 121 months in prison, Martin Gottesfeld, 34, was also ordered by U.S. District Judge

Patches and data control: Keys to your organization’s security


November 2018, Chile. The bank Consorcio de Chile discovers that it has become the victim of an advanced cyberattack, a dangerous and undesirable situation for any company. If we add to this the fact that the attack involved the Trojan known as the nightmare of global banking, and the fact that this particular nightmare managed to steal 2 million dollars from the bank’s funds, the outlook is extremely disheartening.


Analysis of EMOTET

The Trojan in question is called Emotet, and Chile is just the latest country on its list of victims—a list that already includes countries such as Germany, Switzerland and the United States. But what is Emotet, how does it spread, and what damage can it do?

Emotet is a polymorphic banking Trojan. Its main goal is to steal data such as user credentials, or to spy on network traffic. It is also frequently used to download other malware, including other banking Trojans.

The most common propagation method for this Trojan is email, whether via infected attachments or embedded URLs. One particularly dangerous feature of Emotet is that it takes over its victims’ email accounts. This helps to trick other users into downloading the Trojan onto their systems.

Once Emotet has infected a computer on a network, it uses the EternalBlue exploit to reach other endpoints whose systems have not been patched against the SMB vulnerability it targets.

The most serious damage

The most serious consequences that an organization can experience as a result of an EMOTET attack include:

- Theft of personally identifiable information (PII).

- Leaking of financial and confidential information, which can be used for blackmail.

- Theft of login credentials, making other accounts vulnerable.

- Long remediation periods for network administrators.

- Loss of productivity of employees whose endpoints have to be isolated from the network.

It is clear that this malware would be a serious danger for any company it managed to infiltrate. This is why at Panda Security, we recommend having the best preventative protection against any kind of malware, both known and unknown. This is what Panda Adaptive Defense does, since it stops all malware from running, as well as keeping endpoints updated.

In our whitepaper, Patches and data control: Keys to your organization’s security, you can find more information about the risks that this Trojan can entail, how it can get into your company, and how Panda can help you to avoid the most drastic damages.


The post Patches and data control: Keys to your organization’s security appeared first on Panda Security Mediacenter.

Women in identity management: 4 newcomers to watch

Digital Identity – just the phrase leaves you thinking this must be important; after all, our identity is about who we are and what we do. Digital identity is a big technology space too. It encompasses a variety of sectors including verification-as-a-service, consumer identity and access management (CIAM), cloud (SaaS) identity, transaction authentication, and the newest entrant – self-sovereign identity. The financial value of the identity space is massive. Identity verification-as-a-service alone has been predicted by McKinsey to be worth $20 billion by 2022.
