Daily Archives: May 6, 2020

ENS 10.7 Rolls Back the Curtain on Ransomware

Ransomware protection and incident response is a constant battle for IT, security engineers and analysts under normal circumstances, but with the number of people working from home during the COVID-19 pandemic that challenge reaches new heights. How do you ensure an equivalent level of adaptable malware protection on or off the corporate network? How do you enable remote services securely? How long will it take you to recover remote end user systems and data encrypted by ransomware?

As remote workers and IT engineers increasingly use Remote Desktop Protocol (RDP) to access internal resources, attackers are finding more weaknesses to exploit. They take advantage of weak authentication or missing security controls, and even buy RDP credentials in underground markets. Exploiting these weaknesses can give an attacker administrative access, an easy path to install ransomware or other malware, and a foothold from which to move around the corporate network. For examples of how attackers are exploiting RDP weaknesses, see the related blog posts from McAfee Advanced Threat Research (ATR).

In this blog, we will show how you can use Endpoint Security (ENS), McAfee’s Endpoint Protection Platform (EPP), led by some of the new capabilities in ENS 10.7, together with MVISION Endpoint Detection and Response (EDR), to answer those questions.

ENS 10.7, with Threat Prevention, Firewall, Web Control and Adaptive Threat Protection modules backed up by Global Threat Intelligence (GTI) provides adaptable, defense in depth capability against the techniques used in targeted ransomware attacks. For more examples of these techniques, see McAfee ATR’s recent blog on LockBit. Pairing ENS 10.7 with MVISION EDR gives the SOC analysts a powerful toolset to quickly identify attempts to steal credentials and lateral move further into the network.

Finally, McAfee ePolicy Orchestrator (ePO) provides a central management console for endpoint security policy, event collection and reporting on your protected systems on or off the corporate network. Let’s explore some of the key defensive steps you can take to lower your risk against targeted ransomware.

Prevent Initial Access with Threat Prevention

The Endpoint Security Threat Prevention module contains several capabilities including signature scanning and exploit prevention through behavior blocking and reputation analysis, to prevent an attacker gaining access to the system. The first step is to ensure you have the minimum level of security in place. This includes following best practice for on-access and on-demand scanning policies, up to date DAT Files and Engine, and Exploit Prevention content, as well as Global Threat Intelligence access enabled. Targeted ransomware attacks may also leverage file-less exploit techniques which could bypass file-based signature scans and reputation checks. Exploit Prevention rules can be configured to either log or block PowerShell behavior.

However, PowerShell is a legitimate system administration tool and we recommend a period of observation and testing before setting any of these rules to block. For some best practice, you can review this guide as a starting point or check with support for the latest documents.

Restrict RDP as an Initial Attack Vector with Endpoint Security Firewall

If RDP is needed to access internal resources on a server or to troubleshoot a remote system, the best practice is to restrict access to the service using a firewall. This will prevent attackers from leveraging RDP as the initial access vector. ENS 10.7 contains a stateful firewall fully managed via McAfee ePolicy Orchestrator (ePO). You can create policies to restrict RDP access to a remote client to only authorized IP addresses, restrict outbound usage to prevent lateral movement by RDP or block access to that port altogether. Here is an example configuration to restrict inbound access to a remote system on RDP.

  1. Open your Firewall Rules policy and locate the default rule under Network Tools.
  2. If you are using a non-standard port for RDP, adjust the local port for this rule accordingly.
  3. Modify the rule by adding the authorized IP addresses as remote networks (these are the remote addresses allowed to connect to your endpoints).
  4. Save the changes and apply the policy to endpoints to restrict RDP access.

For additional security, create an identical rule but set it to block rather than allow, position it below the allow rule, and remove the remote IP addresses so that it applies to every RDP connection not matched by the allow rule.

  5. Set this block rule as an intrusion so that it logs all denied events and forwards them to ePO.

Security analysts in the SOC can then monitor and report on unauthorized access attempts through ePO dashboards. The event logs are useful for early warning, trend analysis and for threat detection and response.
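The same control expressed for hosts that are not managed by ePO, as an added example that is not part of the original post and is not ENS policy: it uses the built-in Windows Defender Firewall cmdlets instead. The authorized source addresses are constructed placeholders, and the commands assume an elevated PowerShell session on the endpoint.

```powershell
# Added example: restrict inbound RDP to authorized sources with the built-in
# Windows Defender Firewall. This is an assumed equivalent of the ENS rule
# pair described above, not ENS policy. Run from an elevated PowerShell session.

# Assumption: these are the only sources allowed to reach RDP on this host
# (constructed values; replace with your jump hosts / management subnets).
$AuthorizedSources = @('10.20.30.0/24', '203.0.113.10')
$RdpPort = 3389   # adjust if RDP listens on a non-standard port

# 1. Disable the built-in "Remote Desktop" allow rules. They permit any remote
#    address, so leaving them enabled would defeat the restriction.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# 2. Allow inbound RDP only from the authorized sources.
New-NetFirewallRule -DisplayName 'RDP - Authorized Sources Only' `
    -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AuthorizedSources -Action Allow -Profile Any `
    -Enabled True | Out-Null

# 3. Caveat: do NOT add a blanket "block 3389" rule here as the second line of
#    defense. Unlike the ordered ENS rule list, Windows Defender Firewall applies
#    explicit Block rules before Allow rules, so a block-all rule would also cut
#    off the authorized sources. Rely on the profile default (Block) instead,
#    and make sure it really is the default on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 4. Log dropped packets so unauthorized RDP attempts are visible to the SOC.
#    The ENS "intrusion" flag forwards denies to ePO; here the equivalent is the
#    firewall log, which a log collector can ship onward.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 5. Verify: the only enabled inbound rule for the RDP port should be ours, and
#    its remote addresses should be exactly the authorized list.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq "$RdpPort" } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
```

The verification step is the part worth keeping in a compliance check: a second enabled allow rule for the RDP port, or a remote address of "Any" on the allow rule, means the restriction is not actually in force.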

You can find more information on Endpoint Security firewall features here.

Prevent Access to Malicious Websites with Web Control

Attackers often leverage watering holes and spear phishing with links to malicious sites to gain initial access or further infiltrate the network. When a user is on the corporate network, they are often behind a Web Proxy like McAfee Web Gateway. However, many of your mobile clients are going direct to the internet and not through the corporate VPN. This creates more exposure to web-based threats. The Endpoint Security Web Control module monitors web searching and browsing activity on client computers and protects against threats on webpages and in file downloads.

You use McAfee ePO to deploy and manage Web Control on client systems. Settings control access to sites based on their safety rating, reputation from Global Threat Intelligence, the type of content they contain, and their URL or domain name. The configuration settings allow you to adjust sensitivity to be more or less restrictive based on your risk appetite.

If you are a McAfee Web Gateway or Web Gateway Cloud Service customer, you should use McAfee Client Proxy (MCP). MCP works with Web Control to route traffic to the right proxy and provide a defense in depth capability for web protection for users on or off the corporate network.

The above are just a few examples of using Endpoint Security Threat Prevention, Web Control and Firewall to restrict initial attack vectors. To learn more about Endpoint Security best practice to restrict initial entry vectors, visit here.

Let’s look at a few more important steps to protect systems against targeted ransomware.

Lock Down the Security Crown Jewels

If an attacker gets onto a system through RDP, a stolen account or a vulnerability, they may try to modify, delete or disable security software. In ePO, ensure that Self Protection is ON to prevent McAfee services and files on the endpoint or server from being stopped or modified.

Ensure that ENS is configured to require a password for uninstallation.


Security analysts should be on high alert for any system that has Self Protection disabled. ePO contains a default query entitled Endpoint Security: Self Protection Compliance Status which can be used to populate a continuous monitoring dashboard or be packaged into a daily report.

Disrupt and Visualize Attacker Behavior with Adaptive Threat Protection (ATP)

ATP adds several more capabilities, such as machine-learning, threat intelligence, script-scanning and application behavior analysis, to disrupt targeted attack techniques including file-based or file-less attacks.

ATP identifies threats by observing suspicious behaviors and activities. When ATP determines that the context of an execution is malicious, it blocks the malicious activity, and if necessary, remediates (see Enhanced Remediation section below). How does this work? The Real Protect scanner inspects suspicious activities on client systems and uses machine-learning techniques to detect malicious patterns. The Real Protect scanner can scan a network-streamed script, determine if it is malicious, and if necessary, stop the script. Real Protect script scanning integrates with AMSI to protect against non-browser-based scripts, such as PowerShell, JavaScript, and VBScript.

For more information on how ATP remediates threats please review the product guide here.

One of the newest features of ENS 10.7 is the Story Graph. The Story Graph provides a visual representation of threat detections. Below is an example from a simulated file-less attack scenario where a Word document, delivered through spear-phishing, leverages a macro and PowerShell to provide command and control, then elevate privileges and perform lateral movement.

The visualization provides a timeline analysis and context around the event. It correctly captured the attack behavior including the communication to an external attacker IP address. With this visualization, an administrator or security analyst can quickly determine malicious behavior was stopped by ATP, preventing the follow-up activity intended by the attacker. The additional context, such as the originating process and a download IP address, can then be used for further investigations using other log sources, for example. It is important to note that in this example, if the Threat Prevention module as described above was set to block all PowerShell behavior, this attack would have been stopped earlier in the chain. Please read further to see what this attack scenario looks like in MVISION EDR.

For more information on how ATP protects against file-less attacks visit here.

Using a Word document and PowerShell is just one example of masquerading attacks in common files. For more examples of these techniques, see the ATR blog on LockBit ransomware.

ATP Brings Automatic File Recovery with Enhanced Remediation

If you have ever seen a ransom note, like the one from Wanna Decryptor below, you will know how big an issue it can be. It will cost you time, money and most likely lead to loss of data.

If this happens on a remote user system, it will lead to extended downtime, frustrated users and present significant challenges for recovery.

One of the new capabilities in ENS 10.7 is Enhanced Remediation. This feature monitors any process with an unknown reputation and backs up changes made by those processes. If the processes exhibit malicious behavior as determined by machine-learning analysis and reputation, enhanced remediation automatically rolls back those changes made to the system and documents to a previous state.

You can see how files impacted by ransomware can be restored through Enhanced Remediation in this video.

Enhanced Remediation requires that ATP is enabled and policies for Dynamic Application Containment are configured. Real Protect Dynamic scanning must also be enabled on the system. Real Protect Dynamic leverages machine learning in the cloud to identify suspicious behavior and is needed to determine a file reputation which is used to trigger an enhanced remediation action.

For information on how to configure ATP, please review the product guide here. For more best practices on tuning Dynamic Application Containment rules, please review the knowledge base article here.

Once policies are established, ensure that you enable “Enhanced Remediation” and “Monitor and remediate deleted or changed files”.

If a file is convicted by Real Protect Dynamic and Enhanced Remediation is enabled with the settings above, then recovery happens automatically. The setting “Monitor and remediate deleted or changed files” must be enabled to ensure any files modified by the ransomware are restored to the previous state.

For more information on how Enhanced Remediation works, please review the product guide here.

Continuous Monitoring with ePO Protection Workspace

Now that you have protection controls in place with Threat Prevention and Adaptive Threat Protection, you can monitor using the Compliance Dashboard in ePO to ensure all managed clients stay up to date.

In addition, events triggered by ATP can be sent to ePO. SOC analysts should monitor these events and use the Story Graph as well for additional investigative capability. For more information on reporting and querying events in ePO, please review the product guide here.

Proactive Monitoring and Hunting with MVISION EDR

One of the first questions a threat hunter needs to answer when a new threat is discovered is “are we exposed?” For example, you may have a policy that already prohibits or restricts RDP but how do you know it is enforced on every endpoint? With MVISION EDR, you can perform a real time search across all managed systems to see what is happening right now. The screenshot below shows a Real-time Search to verify if RDP is enabled or disabled on a system. This provides a view into systems potentially at risk and can also be useful context as part of an investigation.

Real-time Search can also identify systems with active connections on RDP…

MVISION EDR also maintains a history of inbound and outbound network connections from the client. A historical search for network traffic can identify systems that actively communicated on port 3389 with unauthorized addresses, potentially revealing exploitation attempts.

For a security analyst, EDR provides several benefits that accelerate threat detection and response. For more information on those benefits please review the product guide here. In the simulated file-less attack scenario described above, the Story Graph revealed a PowerShell connection to an external IP address. Suppose an attentive ePO administrator created a ticket for further investigation. A first step for the analyst might be a search for that network activity.

Real-time Search in EDR of that network activity looks like this…

A historical search for the same PowerShell activity in EDR then reveals the encoded commands used in the initial entry vector…

EDR also enables proactive monitoring by a security analyst. The Monitoring Dashboard helps the analyst in the SOC quickly triage suspicious behavior. In this case, the attack leveraged Word and PowerShell to gain access and raise privileges. The attack scenario triggered a number of high-severity threats and provides plenty of context for the analyst to determine quickly that an attack has been attempted and further action is required…

Our research into targeted ransomware attacks reveals that if an attacker successfully exploits a client, their next actions involve privilege escalation and lateral movement (see our blog on LockBit). Again, you can use MVISION EDR to quickly detect these techniques.

The Alerting Dashboard in EDR will help you quickly identify attempts at privilege escalation and other attack techniques as defined by the MITRE ATT&CK framework.

Lateral movement is usually the next step and that can involve many different techniques. Again, the Alerting Dashboard identifies lateral movement techniques with details into the specific activity that triggered the alert.

Conclusion

Ransomware and RDP are a dangerous combination. Protecting your remote end users requires a good, secure baseline configuration of Endpoint Security with a Firewall and Self Protection enabled and access to adaptable capability such as Adaptive Threat Protection with Enhanced Remediation. The Enhanced Remediation feature is only available starting in version ENS 10.7, so if you are running older versions of ENS or even VSE (yikes), then it is time to upgrade.

However, stopping targeted ransomware from having an impact on the business requires more than prevention. Both ePO and EDR provide the capability for proactive detection, faster investigations and continuous hunting.

Finally, adaptability requires threat intelligence. McAfee Advanced Threat Researchers and Labs are actively monitoring the threat landscape and continuously updating McAfee Global Threat Intelligence systems. Make sure your Endpoint Security and other McAfee products are using GTI for the latest protection.

For more information on targeted ransomware attacks and techniques, see ATR Blog.

For more details about securing RDP access in general, you can refer to a previous McAfee blog.

The post ENS 10.7 Rolls Back the Curtain on Ransomware appeared first on McAfee Blogs.

Cybercriminals Actively Exploiting RDP to Target Remote Organizations

The COVID-19 pandemic has prompted many companies to enable their employees to work remotely and, in a large number of cases, on a global scale. A key component of enabling remote work and allowing employees to access internal corporate resources remotely is Remote Desktop Protocol (RDP), which allows communication with a remote system. In order to maintain business continuity, it is very likely that many organizations brought systems online quickly with minimal security checks in place, giving attackers the opportunity to enter them with ease.

RDP is a Microsoft protocol that listens on TCP port 3389 by default and is used by users who need remote access to internal systems. Most of the time, RDP is enabled on Windows servers that also host services such as web servers or file servers. In some cases, it is also enabled on systems connected to industrial control systems.

RDP ports are often exposed to the Internet, which makes them particularly interesting for attackers. In fact, accessing an RDP box can allow an attacker access to an entire network, which can generally be used as an entry point for spreading malware, or other criminal activities.

As it can be such a powerful entry vector, McAfee Advanced Threat Research (ATR) has observed many underground markets emerge, offering RDP credentials at relatively low cost. For example, McAfee ATR uncovered access linked to a major international airport that could be bought for only US$10. Since March 2020, the number of exposed RDP ports has increased considerably.

McAfee Advanced Threat Research and the security industry have been aware of the risk of exposed RDP for many years and will continue to raise awareness as part of our global threat monitoring.

In this blog, we will discuss the risks of exposing the RDP protocol and the associated misconfigurations.

RDP Statistics

The number of RDP ports exposed to the Internet has grown quickly, from roughly three million in January 2020 to more than four and a half million in March. A simple search on Shodan reveals the number of RDP ports exposed to the Internet by country.


It is interesting to note that the number of RDP systems exposed is much higher for China and the United States.

Most of the compromised systems using RDP are running Windows Server but we also notice other operating systems, such as Windows 7.

For attackers, access to a remote system can allow them to perform several criminal actions such as:

  • Spreading spam: Using a legitimate system for sending spam is very convenient. Some systems are sold especially for this purpose.
  • Spreading malware: A compromised system provides a ready-to-use machine for easily distributing malware, or even pivoting to the internal network. Many ransomware authors use this vector to target organizations around the world. Another criminal option would be to implant a cryptominer.
  • Using the compromised box as their own: Cybercriminals also use remotely compromised systems to hide their tracks by, for example, compiling their tools on the machine.
  • Abuse: The remote system can also be used to carry out additional fraud such as identity theft or the collection of personal information.

This recent increase in the number of systems using RDP over the Internet has also influenced the underground. McAfee ATR has noticed an increase in both the number of attacks against RDP ports and in the volume of RDP credentials sold on underground markets.

As observed on Shodan, the number of exposed systems is higher for China (37% of total) and the United States (37% of total), so it is interesting to note that the number of stolen RDP credentials from the US (4% of the total) for sale is comparatively much lower than other nations. We believe this may be because the actors behind the market sometimes hold back RDP credentials without publishing their whole list.

How are Attackers Breaching Remote Systems?

Weak passwords remain one of the most common points of entry. Attackers can easily use brute-force attacks to gain access. The image below shows the 20 most used passwords for RDP. We built this list from information on weak passwords shared by a friendly law enforcement agency and recovered from taken-down RDP shops.

The diagram below demonstrates the number of compromised systems using the top 10 passwords. What is most shocking is the large number of vulnerable RDP systems that did not even have a password.

The RDP protocol also suffers from vulnerabilities and needs patching. Last year, we explained in detail the workings of the BlueKeep vulnerability that affects reserved channel 31, which is part of the protocol functionality, to allow remote code execution.

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-stands-for-really-do-patch-understanding-the-wormable-rdp-vulnerability-cve-2019-0708/

In early January, additional flaws related to Remote Desktop Gateway were also patched:

These two vulnerabilities are similar to the BlueKeep vulnerability and allow remote code execution by sending a specially crafted request. We have not yet observed these vulnerabilities exploited in the wild.

To secure the RDP protocol, the following checklist can be a good starting point:

  • Do not allow RDP connections over the open Internet
  • Use complex passwords as well as multi-factor authentication
  • Lock out users and block or timeout IPs that have too many failed logon attempts
  • Use an RDP gateway
  • Limit Domain Admin account access
  • Minimize the number of local admins
  • Use a firewall to restrict access
  • Enable restricted Admin mode
  • Enable Network Level Authentication (NLA)
  • Ensure that local administrator accounts are unique and restrict the users who can logon using RDP
  • Consider placement within the network
  • Consider using an account-naming convention that does not reveal organizational information

For more details about how to secure RDP access, you can refer to our previous blog (https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rdp-security-explained/)

Conclusion

As we discussed, RDP remains one of the most used vectors for breaching organizations. For attackers, it is a simple way to quickly carry out malicious activity such as spreading malware or spam, or other types of crime.

There is currently a whole business around RDP on the underground market and the current situation has amplified this behavior. To stay protected, it is essential to follow best security practices, starting with the basics, such as using strong passwords and patching vulnerabilities.

McAfee ATR is actively monitoring threats and will continue to update you on this blog and its social networking channels.

The post Cybercriminals Actively Exploiting RDP to Target Remote Organizations appeared first on McAfee Blogs.

McAfee Surveys Cyber-Threats in the Age of Coronavirus

Change is a constant in technology, and the greatest changes are often driven by major events that fundamentally reshape how people work and conduct business. In the Age of Coronavirus, more than ever, technology and cybersecurity must keep pace with disruption and change, adapt to adversity, and even accelerate their development wherever possible.

The enormous increase in remote work over the last couple of months has placed new pressure on organizations to ensure that employees working from home can access corporate resources from outside corporate-controlled offices and infrastructure. Simultaneously, cybercriminals are seeking to gain from the strain this places on technologies, business procedures and processes. A critical and effective vector for these adversaries is exploiting the health and economic concerns created by the pandemic.

This week, McAfee Labs released a report entitled COVID-19: Malware Makes Hay During a Pandemic to highlight the last few months of pandemic-themed threat landscape activity. The threats typically leverage a phishing email delivery method, with Coronavirus themes and messages developed to lure employees and family members into engaging with and enabling threats to gain a foothold on their systems.

Once established, that foothold can allow cyber adversaries to download malware used to steal corporate usernames, passwords and data, monitor employee activity, capture keystrokes, track network traffic and browser activity, and infiltrate networks and cloud services beyond the home. They can impersonate their victim to send emails from the infected machine and propagate themselves to numerous other systems. In the case of ransomware, they can encrypt system files and refuse to decrypt them until the victim sends a ransom payment.

Below is a summary of some of the cyber threats McAfee has observed since the COVID pandemic has emerged:

Phishing and Trojans: In January, McAfee observed the emergence of a phishing campaign using a strain of the Ursnif banking Trojan commonly used to steal usernames, passwords and user behavior information. As bait, the phishing emails used pandemic-themed messaging and a Microsoft Office document with “COVID-19” in its filename to lure users into opening the attachment and releasing the malware onto their computers.

Beginning in February, McAfee observed another campaign leveraging phishing emails referencing the terms “COVID-19” and “Coronavirus” to entice users to click on links or attachments that then downloaded the information-stealing Fareit Trojan onto their computers.

Example Fareit Emails:



Bogus SBA Loan Emails: Beginning in late March, a phishing campaign used emails claiming to originate from the U.S. Government Small Business Administration (SBA). These emails appeared to offer small businesses information and guidance on how to apply for SBA loans. In fact, they were a mechanism for infecting unsuspecting small business owners with the information-stealing Remcos Remote Access Tool (RAT).

Scam COVID-19 Tests: In March, cybercriminals distributed phishing emails appearing to originate from organizations offering COVID-19 testing. Users were prompted to open an attached document, which would then download the information stealing Trickbot malware.

Scam Antibody Research & Treatment: By late March, McAfee began to see COVID-19-themed phishing campaigns using a strain of the Emotet Trojan to infect users’ systems. One version of this email promises to provide information on Coronavirus antibody research and new treatments for the disease. Once established on the victim’s system, Emotet can do a number of things on the system but it is almost always programmed to propagate itself by sending large numbers of spam emails to other user’s systems.

Precautionary Measures: April saw the emergence of phishing email campaigns using subject lines such as “COVID-19 Urgent Precaution Measures” to distribute the NanoCore Remote Access Tool (RAT) for exfiltration of valuable information.

Fake Johns Hopkins Infection Map: April also saw cybercriminals use phishing emails to promote a fake website featuring a global Coronavirus infection map that appeared to provide data from Johns Hopkins CSSE. Those same emails were used to infect inquisitive users with a strain of the information-stealing Azorult malware.

Bogus Insurance Invoices: Mid-April also saw cybercriminals use COVID-19-themed emails from a bogus insurance company to infect users’ systems with fake invoice attachments carrying the Hancitor malware.

COVID-19 Ransomware: March saw the emergence of Ransomware-GVZ, a Coronavirus-themed ransomware campaign. Ransomware-GVZ displays a “ransom note” demanding payment in return for decrypting the victims’ systems and the personal and corporate data they contain.

By mid-April, another ransomware campaign joined the fray, this time using a strain of Netwalker ransomware to infect users via a malicious file named “CORONAVIRUS_COVID-19.vbs”.

Spam & Scam: Finally, beyond malware, McAfee has detected thousands of COVID-19-themed spam emails and websites scamming victims seeking to purchase medical supplies such as testing kits, face masks and other protective gear. Over the first 13 weeks of the pandemic, McAfee saw the number of bogus websites increase from 1,600 to over 39,000.

Takeaways

Cybercriminals will always seek to create ever more sophisticated and opportunistic attacks.  Remote work paradigms create new opportunities and require new defense mechanisms and practices. This week’s report illustrates the importance of maintaining strong cybersecurity defenses regardless of whether employees are in traditional office or home-office environments. We must formulate the right combination of technology and education to make that happen.

Organizations need to defend against cyber-threats at home with data protection solutions capable of preventing intellectual property and other forms of sensitive data from being stolen. McAfee is focused on helping address these challenges with its Unified Cloud Edge and CASB solutions that are inherently focused on protecting both mobile and traditional devices from threats and data theft.  Additionally, modern endpoint and EDR capabilities are capable of detecting a wide range of threats that place the user and their organization at risk.

The future is uncertain, change and disruption are inevitable, and our adversaries are determined in their drive to exploit us at work, no matter where that may be. We must rise to the challenge of pushing technology forward, adapting, and developing stronger cyber defenses to ensure that the “future of work” is a secure one.

Please see this week’s “COVID-19: Malware Makes Hay During a Pandemic” report for our summary of COVID-19-related McAfee threat research.

The post McAfee Surveys Cyber-Threats in the Age of Coronavirus appeared first on McAfee Blogs.

COVID-19 – Malware Makes Hay During a Pandemic

Special thanks to Prajwala Rao, Oliver Devane, Shannon Cole, Ankit Goel and members of Malware Research for their contribution and monitoring of related threats

As COVID-19 continues to spread across the world, it is no surprise that malware authors are exploiting the pandemic. McAfee recently released blogs around Covid-19 related threats – Staying safe while working remotely, COVID-19 Threat Update Now Includes Blood for Sale and Transitioning to a Mass Remote Workforce. The first discusses how attackers would like to leverage this pandemic as an opportunity to attack organizations, the second gives a preview of attackers playing on the fears of the general public grappling to get a hold of a cure, help manage this illness and stay safe while the third gives some direction to organizations on how to verify their security controls. In this blog we continue to discuss COVID-19 themed attacks and how to stay vigilant.

The weeks of quarantine have forced individuals and organizations to quickly adapt to a work from home model. A lot more time is spent indoors and online and there continues to be anxiety around when normalcy will be restored. For now, we continue to deal with a barrage of news articles around the pandemic, managing supply and demand of household goods in stores and online, and a shortage of medical supplies such as preventative masks, gloves and sanitizer. These are trying times for us and a feast for fear mongering malware criminals.

Over the first few months of 2020, McAfee researchers have been hard at work keeping our customers safe through more directed monitoring and adaptation of our detection stack to better manage the COVID-19 threat landscape. This is not intended to be an exhaustive report, given the scope of a continually evolving landscape; we cover a subset of threats spanning malware, spam and malicious/scam URL campaigns.

This blog serves to remind customers to utilize the various levers present in our endpoint product and our expanded portfolio such as McAfee’s Unified Cloud Edge. Please read our recommendation section, our IOC section (a partial IOC list based on this article) and our expert rules section (which covers a few of the tactics seen in this article). McAfee utilizes several internal and external sourcing techniques for malware harvesting, including collaboration with other industry partners as part of the Cyber Threat Alliance.

Timeline

The timeline below shows a subset of prevalent malware families observed in our spam traps with references to COVID-19/Coronavirus. The malware shown in this timeline have been chosen due to their capacity for damage (such as ransomware) or their ability to propagate (Emotet for spam, or other worm-like activities).

The weekly distribution of all known COVID-related IOCs is shown below.


Malware

This section covers a subset of the Malware families included in the timeline above and shows the various IOCs that referenced the virus. For a more comprehensive list of IOCs please refer to the IOC section.

Ursnif

The first threat we observed taking advantage of the pandemic was Ursnif. Ursnif is a banking Trojan aimed at stealing banking credentials and has been evolving to become more powerful. Ursnif collects the victim's system activity, records keystrokes, and keeps track of network traffic and browser activity.

We have observed Ursnif using COVID-19-themed filenames to entice users since January 2020.


When the VBS file is executed, it drops a DLL at C:\Programdata\FxrPLxT.dll and runs it with rundll32.exe. The DLL is injected into iexplorer.exe and communicates with its C&C server using HTTP GET requests.

IOCs

Type IOC Comment
Sha256 e82d49c11057f5c222a440f05daf9a53e860455dc01b141e072de525c2c74fb3 Filename: Coronavirus_disease_COVID-19__194778526200471.vbs
Sha256 8bcdf1fbc8cee1058ccb5510df49b268dbfce541cfc4c83e135b41e7dd150e8d Ursnif dll


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1059 Execution Command-Line Interface
T1129 Execution Execution through Module Load
T1085 Defense Evasion, Execution Rundll32
T1060 Persistence Registry Run Keys / Startup Folder
T1055 Defense Evasion, Privilege Escalation Process Injection


Fareit

Fareit is an information stealer that steals data from web browsers, FTP programs, email clients and over a hundred different software tools installed on the infected machine. We have observed several Fareit phishing emails with COVID/Coronavirus themes. A few of them are shown below.

Fareit Spam 1:

IOCs

Type IOC Comment
Sha256 da1443a25f433e23a43d35d50328a4f935d3cce840f1e3cca99b6bd6d49ed6a7 Dropped Binary
Sha256 9f4bb022b49bd6ba0766e9408139648d2ddfe2f0dd5ca14644e5bdb2982b5e40 Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1193 Initial Access Spear phishing Attachment
T1106 Execution Execution through API
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry


Fareit Spam 2:

IOCs

Type IOC Comment
Sha256 2faf0ef9901b80a05ed77fc20b55e89dc0e1a23ae86dc19966881a00704e5846 Attachment
Sha256 38a511b9224705bfea131c1f77b3bb233478e2a1d9bd3bf99a7933dbe11dbe3c Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1193 Initial Access Spear phishing Attachment
T1106 Execution Execution through API
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry
T1071 Command and Control Standard Application Layer Protocol


Fareit Spam 3:

IOCs

Type IOC Comment
Sha256 11a834cda4a55c8adb663fbcdd4b1f1018715dd737d3089a731b9840b77e5e76 Dropped Binary
Sha256 45c6440bdd7b49023bb42f9661caae3b12b579dfd5ae9e64421923ef452a0faf Email
Sha256 095bfab52666648ff4d2636a3718a28eab4d99a6c178a8c7912197221dd1d195 Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1193 Initial Access Spear phishing Attachment
T1106, T1204 Execution Execution through API, User Execution
T1060 Persistence Registry Run Keys / Startup Folder
T1130 Defense Evasion Install Root Certificate
T1081 Credential Access Credentials in Files
T1012 Discovery Query Registry
T1114 Collection Email Collection


Fareit Spam 4:

IOCs

Type IOC Comment
Sha256 f8e041bed93783bbd5966bfba6273fe7183464035ea54fe1d59ff85a679b3e3e Dropped Binary
Sha256 9e17f5e70c30ead347b68841fa137015d713269add98f0257fb30cc6afdea4fe Attachment
Sha256 ada05f3f0a00dd2acac91e24eb46a1e719fb08838145d9ae7209b5b7bba52c67 Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1193 Initial Access Spear phishing Attachment
T1204 Execution User Execution
T1071 Command and Control Standard Application layer Protocol


COVID-19 Ransomware

It was no surprise that a new ransomware family appeared on the scene. Once executed, Ransomware-GVZ deletes shadow copies with vssadmin and then proceeds to encrypt all non-PE file types. Once a whole folder has been encrypted, the ransom note file below is created.

Ransomware-GVZ will also create a lock screen component so that when the machine is rebooted the following message is displayed.


IOCs

Type IOC Comment
Sha256 3299f07bc0711b3587fe8a1c6bf3ee6bcbc14cb775f64b28a61d72ebcb8968d3 Binary


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1486 Impact Data Encrypted for Impact
T1083 Discovery File and Directory Discovery
T1490 Impact Inhibit System Recovery


Emotet

Emotet is another prevalent threat distributed via phishing emails. We observed the following email being distributed; translated to English, it reads:

Subject: 

Break !!! COVID-19 solution announced by WHO at the end How a total control method is discovered

Email Body:  

As published in the newsletter of the World Health Organization 3/17/2020 7:40:21 a.m. A new collaborative study identified and studied antibodies to the COVID-19 virus which could be used to design effective universal therapies against many different species of COVID-19 viruses. The results have recently been published in Nature Microbiology.

These are based on natural activities and how heat helped inhibit the virus from growing.

The COVID-19 virus causes a serious disease with high mortality badgers in humans. Several strategies have been developed to treat COVID-19 virus infection, including ZMapp, which has proven effective in non-human primates and has been used below compassionate treatment protocols in humans …


Please download the full text in the attached document …

Also share with all contacts to ensure quick epidermal control.

The email contains a zipped Emotet executable which, once executed, uses the process hollowing technique to inject into regasm.exe. It then contacts its C&C server and begins to send spam email out.

IOCs

Type IOC Comment
Sha256 ca70837758e2d70a91fae20396dfd80f93597d4e606758a02642ac784324eee6 Attachment
Sha256 702feb680c17b00111c037191f51b9dad1b55db006d9337e883ca48a839e8775 Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1121 Defense Evasion, Execution Regsvcs/Regasm
T1093 Defense Evasion Process Hollowing

Azorult

Azorult is malware that steals data from the victim’s machine, including usernames, passwords, cryptocurrencies, browsing history and cookies. It can also download additional malware onto the victim’s machine. What sets Azorult apart from the other malware described in this report is that the creators of Azorult set up a fake Coronavirus infection map website (corona-virus-map[.]com). The fake website appears as below:

IOCs

Type IOC Comment
Sha256 c40a712cf1eec59efac42daada5d79c7c3a1e8ed5fbb9315bfb26b58c79bb7a2 Jar file from domain
URL H**p://corona-virus-map.net/map.jar
Sha256 63fcf6b19ac3a6a232075f65b4b58d69cfd4e7f396f573d4da46aaf210f82564 Dropped Binary


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1059 Execution Command-Line Interface
T1012 Discovery Query Registry


NetWalker

Another ransomware family which has leveraged COVID-19 is NetWalker. The ransomware used the filename “CORONAVIRUS_COVID-19.vbs” to trick users into executing it. The VBS file contains the embedded ransomware payload.

When the VBScript executes, it drops the ransomware at “C:\Users\<UserName>\AppData\Local\Temp\qeSw.exe” and runs it.

It deletes the shadow copies from the machine with vssadmin.exe to make file recovery more difficult.

The obfuscated VBScript is shown below.

The ransomware iterates through the folders of the infected machine and encrypts the files. Once a file is encrypted, its extension is changed to <filename>.1fd385. A ransom note is also dropped in each folder where files were encrypted. This note is shown below.

IOCs

Type IOC Comment
Sha256 9f9027b5db5c408ee43ef2a7c7dd1aecbdb244ef6b16d9aafb599e8c40368967 CORONAVIRUS_COVID-19.vbs
Sha256 8639825230d5504fd8126ed55b2d7aeb72944ffe17e762801aab8d4f8f880160 Dropped Binary


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1204 Execution User Execution
T1064 Execution Scripting
T1106 Execution Execution through API
T1490 Impact Inhibit System Recovery
T1486 Impact Data Encrypted for Impact


Nanocore RAT

NanoCore is a Remote Access Trojan (RAT) whose highly customizable plugins allow attackers to tailor its functionality to their needs. This RAT has also been found using COVID-19 to distribute itself, with email subjects such as “Covid-19 Urgent Precaution Measures”.

IOCs

Type IOC Comment
Sha256 ca93f60e6d39a91381b26c1dd4d81b7e352aa3712a965a15f0d5eddb565a4730 Dropped Binary
Sha256 89b2324756b04df27036c59d7aaaeef384c5bfc98ec7141ce01a1309129cdf9f Iso Attachment
Sha256 4b523168b86eafe41acf65834c1287677e15fd04f77fea3d0b662183ecee8fd0 Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1193 Initial Access Spear phishing Attachment
T1053 Execution Scheduled Task
T1060 Persistence Registry Run Keys / Startup Folder
T1143 Defense Evasion Hidden Window
T1036 Defense Evasion Masquerading
T1497 Defense Evasion Virtualization/Sandbox Evasion
T1012 Discovery Query Registry
T1124 Discovery System Time Discovery
T1065 Command and Control Uncommonly Used Port


Hancitor

The Hancitor trojan also uses COVID-19 themes to spread itself, posing as an email from an insurance company. The email contains a link to download a fake invoice, which in turn downloads a VBS file.

When the VBS is executed, the Hancitor DLL temp_adobe_123452643.txt is created in the %AppData/Local/Temp folder. The DLL is executed using Regsvr32.exe and then begins to communicate with its C&C.
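The dropper chains described for Ursnif, NetWalker, Hancitor and Ransomware-GVZ above share a few observable parent/child patterns: a script host launching rundll32/regsvr32 on a file in a user-writable folder, a script host launching a freshly dropped binary from %Temp%, and vssadmin removing shadow copies. The Python below is an added example, not McAfee code or part of the original report; it encodes those patterns as detection rules and runs them over constructed process-creation records (the key=value record format, the user name and the rundll32 export name are assumptions).

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Event(NamedTuple):
    parent: str  # parent process image path
    image: str   # created process image path
    cmd: str     # command line of the created process


# Constructed process-creation records in a simple key=value form (not a real
# Sysmon or ENS export); the paths follow the drop locations the report describes.
SAMPLE_EVENTS = [
    # Ursnif: VBS drops a DLL into ProgramData and runs it via rundll32 (export name constructed)
    r"parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\rundll32.exe cmd=rundll32.exe C:\ProgramData\FxrPLxT.dll,EntryPoint",
    # NetWalker: VBS drops qeSw.exe into %Temp% and executes it
    r"parent=C:\Windows\System32\wscript.exe image=C:\Users\alice\AppData\Local\Temp\qeSw.exe cmd=qeSw.exe",
    # Ransomware-GVZ / NetWalker: shadow copies removed to inhibit recovery
    r"parent=C:\Users\alice\AppData\Local\Temp\qeSw.exe image=C:\Windows\System32\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    # Hancitor: DLL named .txt in %Temp%, loaded through regsvr32
    r"parent=C:\Windows\System32\wscript.exe image=C:\Windows\System32\regsvr32.exe cmd=regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\temp_adobe_123452643.txt",
    # benign: Control Panel applet launched through rundll32 from System32
    r"parent=C:\Windows\explorer.exe image=C:\Windows\System32\rundll32.exe cmd=rundll32.exe shell32.dll,Control_RunDLL",
    # benign: an administrator listing (not deleting) shadow copies
    r"parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\vssadmin.exe cmd=vssadmin.exe list shadows",
]

EVENT_RE = re.compile(r"parent=(?P<parent>.+?)\s+image=(?P<image>.+?)\s+cmd=(?P<cmd>.*)$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# user-writable drop locations named in the report (case-insensitive)
WRITABLE_DIR_RE = re.compile(r"\\programdata\\|\\appdata\\local\\temp\\", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(r"\bdelete\b.*\bshadows\b", re.IGNORECASE)


def parse_event(line: str) -> Optional[Event]:
    m = EVENT_RE.match(line.strip())
    return Event(m["parent"], m["image"], m["cmd"]) if m else None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_script_host_dll_loader(ev: Event) -> Optional[str]:
    """Ursnif/Hancitor pattern: script host -> rundll32/regsvr32 on a file in a writable dir.
    Keyed on the location rather than the extension, so Hancitor's .txt-named DLL still fires."""
    if (basename(ev.parent) in SCRIPT_HOSTS and basename(ev.image) in DLL_LOADERS
            and WRITABLE_DIR_RE.search(ev.cmd)):
        return "T1085/T1117 DLL loaded from user-writable path by script host"
    return None


def rule_script_host_drops_exe(ev: Event) -> Optional[str]:
    """NetWalker pattern: script host executes a dropped binary from %Temp%."""
    if basename(ev.parent) in SCRIPT_HOSTS and WRITABLE_DIR_RE.search(ev.image):
        return "T1064/T1204 dropped executable launched from %Temp%"
    return None


def rule_shadow_copy_deletion(ev: Event) -> Optional[str]:
    """Ransomware-GVZ/NetWalker pattern: vssadmin used to inhibit recovery."""
    if basename(ev.image) == "vssadmin.exe" and SHADOW_DELETE_RE.search(ev.cmd):
        return "T1490 shadow copy deletion"
    return None


RULES = [rule_script_host_dll_loader, rule_script_host_drops_exe, rule_shadow_copy_deletion]


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, rule name, verdict) for every rule that fires."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        if ev is None:
            continue  # unparsable record: skip it rather than abort the whole pass
        for rule in RULES:
            verdict = rule(ev)
            if verdict:
                hits.append((n, rule.__name__, verdict))
    return hits


if __name__ == "__main__":
    for n, name, verdict in scan(SAMPLE_EVENTS):
        print(f"event {n}: {name}: {verdict}")
```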


IOCs

Type IOC Comment
Sha256 2f87dd075fc12c2b6b15a1eb5ca209ba056bb6aa2feaf3518163192a17a7a3 Downloaded Binary
Sha256 0caef2718bc7130314b7f08559beba53ccf00e5ee5aba49523fb83e1d6a2a347 Downloaded Binary
Sha256 375d196227d62a95f82cf9c20657449ebea1b512d4cb19cdfe9eb8f102dd9fa Downloaded Binary
Sha256 0b8800734669aa7dbc6e67f93e268d827b5e67d4f30e33734169ddc93a026 Downloaded Binary
Sha256 9c40426f157a4b684047a428428f882618d07dc5154cf1bf89da5875a00d69c Email


MITRE ATT&CK™ MATRIX:

Technique ID Tactic Technique details
T1192 Initial Access Spear phishing Link
T1064 Execution Scripting
T1117 Execution Regsvr32
T1071 Command and Control Standard Application Layer Protocol


Heat Map

This detection heat map shows a snapshot of the various countries where McAfee has observed a detection for known IOCs since mid-January. We have observed detections in almost all the countries which have been impacted by the COVID-19 pandemic.

Spam

There have been thousands of COVID-19-themed spam emails sent daily. They range from medical supply scams to extortion. Below are a few examples of the ones we have observed.


URL

We have observed the number of Malicious URLs with references to COVID-19 and Coronavirus spike in the last few weeks. The numbers increased from 1,600 a few weeks ago to over 39,000 in week 13. This highlights the importance of being vigilant when clicking on links and accessing websites as the number of malicious sites is increasing exponentially.


Here are examples of malicious websites we have observed. False advertising is a common practice during such pandemics. At the time of this writing, there aren’t any quick testing kits available, and testing is initiated by health care providers; it is therefore important to educate yourself and others around you not to buy into scams.

The following is an example of a fake website which offers Coronavirus testing services.

Face masks have been in high demand and in many places have run out. Additionally, there has been a shortage of masks even within the health care community. At times of panic and shortage, it is common for spammers to send out links to fake sites claiming to have medical supplies and equipment. Here is a screenshot of a fake online shop selling face masks.

GTI provides categorization and classification of links serving malware, phishing, scamming etc. McAfee products leverage GTI for URL protection. Also, McAfee’s Unified Cloud Edge provides secure access and expands your capabilities for URL protection.

Read about how one McAfee researcher is giving back by 3D printing masks and shields.

IOCs

Below is a partial list of IOCs we have observed in the field which have taken advantage of the Covid-19 outbreak. The IOCs in this section are a subset of those detected by McAfee’s solutions. We have broader coverage provided by our GTI Cloud, gateway, ATP and other products in our portfolio.


Recommendation

This section contains some recommendations which we encourage you to follow. In addition, the following blog provides guidance for organizations with a remote workforce and explains how McAfee Unified Cloud Edge can help.

Software Updates

As with all our publications, we encourage all our customers to keep their McAfee software up to date. This ensures that you will have the latest signatures and rules to help protect against similar threats to the ones mentioned in this report.

We also recommend installing the latest OS patches, VPN patches and all other software updates on your machine. In addition, we highly recommend utilizing SASE solutions such as McAfee’s Unified Cloud Edge.

Spotting Spam/Phishing emails

The best way to protect yourself is to not open unsolicited emails as malicious files are often distributed via email with the use of attachments or links. To help identify malicious emails, please read this blog: How to Spot Phishing Lures

Global Threat Intelligence (GTI)

McAfee GTI uses heuristics and file reputation checks on suspicious files through on-access scanning and on-demand scanning. This can provide near real-time protection. The following KB article contains the steps for changing the GTI sensitivity level on McAfee products.

You can configure the sensitivity level that McAfee GTI uses when it determines if a detected sample is malware. The McAfee GTI sensitivity level is set to Medium by default. Configure the sensitivity level for each scanner in the On-Access Scan and On-Demand Scan settings.

Sensitivity Level:

  • Very low — High confidence detections. The least aggressive GTI setting and the least prone to false positives.
  • Low — This setting is the minimum recommendation for systems with a strong security footprint.
  • Medium — The default setting on most products.
  • High — Use this setting for deployment to systems or areas which are regularly infected.
  • Very high — Most aggressive. Detections found with this level are presumed malicious but haven’t been fully tested. McAfee recommends using this level for systems that require the highest security, but it may also result in a higher false positive rate.

Endpoint Security (ENS) Product

ENS is our Endpoint Security product and provides a broad range of default protection, self-help protection and detection abilities.

Expert Rules

Expert Rules are text-based custom rules that can be created in the Exploit Prevention policy in ENS Threat Prevention 10.5.3 and above.

Expert Rules provide additional parameters and allow much more flexibility than the custom rules that can be created in the Access Protection policy. They also allow system administrators to control and monitor an endpoint system at a very granular level. This is a very useful toolkit for administrators and SOCs, allowing quick creation and deployment of powerful extensions to detection and protection capability. You can author monitoring and blocking for processes, files, memory injection, module load and unload events, etc.

We recommend reading the following blog which describes how to use Expert Rules and gives some good examples which would help block potentially malicious activity.


Here are some examples of quick Expert Rules you can formulate to utilize at your endpoint against COVID-19-related threats.

Example Rule – 1

The following rule helps block corona- or covid-named executables launched from the archiver's temporary extraction folder, i.e. from inside archived email attachments.

Rule {
    Process {
        Include OBJECT_NAME { -v "**" }
    }
    Target {
        Match PROCESS {
            Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*corona*.exe" }
            Include OBJECT_NAME { -v "**\\appdata\\Local\\temp\\Rar*\\*covid*.exe" }
            Include -access "CREATE"
        }
    }
}


Example Rule – 2

The following rule helps block COVID-named documents containing macros that are opened from email attachments or download locations, by stopping Word from loading the VBA runtime (vbe7.dll) when the document name on its command line matches.

Rule {
  Process {
    Include OBJECT_NAME { -v "**\\winword.exe" }
    Include PROCESS_CMD_LINE { -v "**corona**" }
    Include PROCESS_CMD_LINE { -v "**covid**" }
  }
  Target {
    Match SECTION {
      Include OBJECT_NAME { -v "**\\vbe7.dll" }
      Include OBJECT_NAME { -v "**\\vbe7intl.dll" }
    }
  }
}

Example Rule – 3

The following Expert Rule prevents a certain version of the FooBar Communications software from executing, matching on the executable’s description and version fields rather than its path.

Rule {
  Process {
    Include OBJECT_NAME { -v "**" }
  }
  Target {
    Match PROCESS {
      Include DESCRIPTION { -v "FooBar Communications " }
      Include VERSION { -v "4,5,**" }
      Include -access "CREATE"
    }
  }
}

Expert Rules are flexible: the SOC analyst or rule author can first run a rule in report-only mode and check for potential false positives in the environment. Only once those are understood should the rule be switched to block mode.
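As an added example (not McAfee’s code and not the product’s matching engine), the following Python script models how the Target block of Example Rule 1 is evaluated against constructed process-creation events, first in report-only mode and then in block mode, so the hits can be reviewed before blocking. The wildcard semantics (‘**’ crosses directories, ‘*’ stays within one path component), the event fields and the sample paths are assumptions made for the illustration.

```python
"""Added example (not McAfee's code): evaluate Expert Rule style path patterns
against constructed process-creation events in report-only vs block mode."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Patterns quoted from Example Rule 1 above, in rule-file form ('\\' is one backslash).
RULE1_PATTERNS = [
    r"**\\appdata\\Local\\temp\\Rar*\\*corona*.exe",
    r"**\\appdata\\Local\\temp\\Rar*\\*covid*.exe",
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an OBJECT_NAME wildcard pattern into a regex for fullmatch().

    Assumed semantics (modelled on the rule syntax, not taken from product
    documentation): '**' matches anything including backslashes, '*' matches
    anything except a backslash, a doubled backslash in the rule file is one
    literal backslash, and matching is case-insensitive like NTFS paths.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".*")
            i += 2
        elif pattern[i] == "*":
            parts.append(r"[^\\]*")
            i += 1
        elif pattern.startswith("\\\\", i):
            parts.append(re.escape("\\"))
            i += 2
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts), re.IGNORECASE)


def matches(pattern: str, path: str) -> bool:
    """True when the whole path is matched by the wildcard pattern."""
    return pattern_to_regex(pattern).fullmatch(path) is not None


@dataclass
class ProcessEvent:
    """Constructed stand-in for a process-creation event seen by the rule engine."""
    image_path: str   # target process image (the Target OBJECT_NAME)
    access: str       # requested access, e.g. "CREATE"


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.123\corona_invoice.exe", "CREATE"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.456\COVID19_update.exe", "CREATE"),
    # One directory deeper: '*' does not cross a path separator, so no match.
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\Rar$EXa0.789\sub\corona.exe", "CREATE"),
    # Installed software with a similar name outside the archiver temp folder.
    ProcessEvent(r"C:\Program Files\CoronaTools\corona_stats.exe", "CREATE"),
]


def evaluate(events: List[ProcessEvent], patterns: List[str],
             mode: str = "report") -> List[Tuple[ProcessEvent, str]]:
    """Apply the Target block of Example Rule 1 to each event.

    mode='report' logs hits without blocking (the first stage recommended in
    the text); mode='block' turns the same hits into blocks.
    Returns (event, action) pairs with action in {'allow', 'report', 'block'}.
    """
    regexes = [pattern_to_regex(p) for p in patterns]
    results = []
    for ev in events:
        hit = ev.access == "CREATE" and any(rx.fullmatch(ev.image_path) for rx in regexes)
        if not hit:
            action = "allow"
        else:
            action = "block" if mode == "block" else "report"
        results.append((ev, action))
    return results


if __name__ == "__main__":
    for run_mode in ("report", "block"):
        print(f"--- mode: {run_mode} ---")
        for ev, action in evaluate(SAMPLE_EVENTS, RULE1_PATTERNS, run_mode):
            print(f"{action:6}  {ev.image_path}")
```

Reviewing the report-mode output against known-good software in the environment is the false-positive check the text describes; only the events that still look malicious after that review justify flipping the rule to block.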

JTI Rules

JTI Rules are released fortnightly and target suspicious process chains and command-line threats. They additionally detect suspicious files based on their locations and characteristics. From the collection of JTI rules, we recommend turning on a few of the Evaluate or HighOn rules for advanced threat protection. These rules can be set to default-on from the EPO console.

  • Protection from suspicious Command line parameters where malware invokes PowerShell with command-line parameters for malicious activities. This rule is identifiable in the EPO console with the rule id 262.
    • Rule:262 – Identify suspicious command parameter execution for Security rule group assignments
  • Protection from malware launching suspicious command-line based script applications like WScript, CScript, and PowerShell. This rule is identifiable in the EPO console with the rule id 320.
    • Rule:320 – Prevent cmd.exe from launching other script interpreters such as CScript or PowerShell by default only in Security rule group assignments
  • Protection from files being executed from non-standard locations like \windows\fonts or \windows\resources. This rule also protects against the spawning of wmiprvse.exe from suspicious processes like foobar.exe, etc. This rule is identifiable in the EPO console with the rule id 238.
    • Rule 238 – Identify abuse of common processes spawned from non-standard locations

Fortnightly released JTI rules normally ship in the Evaluate or HighOn setting. We recommend that EPO admins go through the product release notes and enable the rules that suit their environment.

Enable AMSI

AMSI by default is set to observe mode. We recommend changing this to block mode, as it will detect a vast majority of threats which are often email based, such as JavaScript downloaders.

Please read this blog to find out more about AMSI and which threats it helps detect.

Suspicious Email attachment detection

As shown in this report, email remains a top vector for attackers. McAfee endpoint products use a combination of product features and content for increased agility. In McAfee Endpoint Security (ENS) 10.5 and above, such protection is enabled via the ‘Detect suspicious email attachments’ option and maintained through DAT content. This capability goes beyond the level of protection offered by email clients by blocking not only applications and scripts, but also a variety of threat types in their native form, as well as those compressed and contained within archives and other formats.

For a guide on how to enable this please read this blog: McAfee Protects Against Suspicious Email Attachments

ATP (Adaptive Threat Protection)

McAfee ATP (Adaptive Threat Protection) utilizes Machine Learning via our Real Protect module. This provides pre- and post-execution monitoring of threats using ML models that are deployed locally and in the cloud. In addition, ATP provides an additional layer of protection with advanced rules for threat evaluation based on static and behavioral features.

We recommend enabling Real Protect at the default settings at the minimum. ATP rules come in three forms: Evaluate, DefaultOn and HighOn.

  • Evaluate rules are tested in the field by McAfee to determine if they are robust enough to detect malicious activity. They do not block by default but log activity in the ATP log. Such rules can be enabled by administrators via EPO to Block. McAfee researchers regularly analyze the performance of such rules and make modifications to promote them to DefaultOn (Rule Assignment to Balanced (default)) or HighOn (Rule Assignment to Security). Prior to manual enablement for Block mode, it is recommended that you observe triggers via the ATP logs to ensure they suit your environment.
  • DefaultOn rules are high confidence rules that block by default within ENS ATP and MVISION Endpoint. They can be turned off if required by administrators from within EPO.
  • HighOn rules detect behavior that is known to be malicious but may have some overlap with non-malicious applications. These rules work as Evaluate in the Balanced posture but act as DefaultOn in the Security posture. Administrators are encouraged to utilize this setting during high malware activity events for monitoring and default blocking.

For details on Rule descriptions, security posture and settings please refer this KB Article: https://kc.mcafee.com/corporate/index?page=content&id=KB82925

Unified Cloud Edge

Get a SASE (Secure Access Service Edge) architected web protection solution like McAfee’s Unified Cloud Edge. This delivers anytime/anywhere protection (including WFH scenarios) for web traffic, cloud-native and cloud-to-cloud traffic – whether you’re on a VPN or directly connected to the internet. As an example, even if you access a link from a malicious email or visit a hostile site in a non-VPN setting, you will continue to benefit from our GTI and cloud-based threat intelligence to protect against malicious sites and downloads. Unified Cloud Edge can expand your capabilities for URL protection by providing the following:

  1. Malicious URL – blocked via GTI and URL
  2. Block any download from a benign URL (example: onedrive.live.com) – possible to block via tenant restrictions. For example: corporate Onedrive permitted, personal (live.com) or other companies blocked.
  3. Malicious download – blocked by the cloud gateway file engines, including AV, GAM, and GTI.
  4. Third-party malicious upload (placing a payload in an open share on the company OneDrive) – blocked via API-based scanning of the corporate sanctioned services, using the same AV/GAM/GTI layers of inspection.

MVISION Unified Cloud Edge protects data from device to cloud and prevents cloud-native threats that are invisible to the corporate network. This creates a secure environment for the adoption of cloud services, enabling cloud access from any device and allowing ultimate workforce productivity.

Conclusion

As you can see from this report, there are various threats which are taking advantage of this pandemic. We will continue to enable our customers to use our recommendations to remain safe during this challenging time. Be extra vigilant online and stay safe and healthy always!

As we continually provide recommendations based on current data, we encourage regular reading of McAfee blogs where you will find regular updates on threat patterns and protection information.

The post COVID-19 – Malware Makes Hay During a Pandemic appeared first on McAfee Blogs.

World Password Day 2020

Are Your Password Habits Keeping You Safe Online?

Learning how to navigate our entire lives online has definitely been a steep learning curve for many of us over the last few weeks. Whether it’s working from home, helping our kids learn from home, conducting ‘wine time’ from home or even doing our Zumba classes from home – it’s essential now more than ever that we are doing this safely. And one of the most powerful yet simple ways we can shore up our online safety is by being smart with our passwords.

World Password Day – Take A Minute To Check Your Approach

Today is World Password Day – the perfect opportunity to ensure we are doing all we can to manage our online logins. It’s quite unsettling to think that one of the easiest ways for cybercriminals to get their hands on the sensitive information we store in our online accounts is through our passwords.

Passwords act like a key to our digital identity. Not only do they allow us to bank, shop, work, learn, date and socialise online, but they also protect us. Strong, complex passwords ensure all the information we store online (aka our digital assets) is protected, which is essential for our privacy and financial and personal security.

So, let’s use this annual event to make sure we are doing all we can to lock down our precious online data by managing our passwords properly.

Same Password For Every Account? – Rookie Error

If I had to count up all my online accounts on my fingers and toes, I would quickly run out of body parts! With so many logins to remember, many of us end up using the same password for every account. And while that might seem practical, it in fact makes us very vulnerable. Just think about this scenario: if you become the victim of an online scam and the password to one of your online accounts is stolen, then a cybercriminal can use this same password to access all your online accounts.

So, before you know it, a cybercriminal can access your emails, bank accounts, online shopping accounts – that may have stored credit cards, private photo and video files.

What You Can Do TODAY to Ensure your Password Habits are Keeping you Safe

Yes, we are all human which means we are going to take shortcuts. I get it! I love shortcuts – I’m a fan of using pasta sauce from the jar! But if there’s one area where shortcuts should NOT be used it’s with passwords. So, here are my top suggestions on how you can stop your private online data falling into the wrong hands and block cybercriminals at the very first point of entry.

  1. Commit to NOT Using Common Passwords

If your password is ‘123456’ then you need to change it now. The UK’s National Cyber Security Centre showed in a survey last year that this is the most commonly used password. In fact, in the eight years I’ve been doing this job, this password has topped surveys every year.

Passwords are the gateway to our digital lives. To avoid giving the wrong people access to your accounts, make sure you create strong and unique passwords. This means including numbers, lowercase and uppercase letters and symbols. The more complex your password, the more difficult it is to crack. Why not create a nonsensical phrase or sentence? And always avoid using simple personal details within your password altogether. Your date of birth, middle name or pet names are things cybercriminals can trace through your social media accounts.

  2. Same Password For Every Account? Think Again

The idea of having one password across all online accounts is alluring because let’s admit it…we’ve all been locked out of an account after failing to remember the password! While having one password to remember for all accounts seems to make life easier, it increases the risk of your vital online data being compromised at once across different accounts. So, ensure that your logins are unique for every account to avoid having all your accounts becoming vulnerable in case you are hacked.

  3. ALWAYS Select Multi-Factor Authentication

Wherever possible, embrace multifactor authentication (MFA) for online accounts. MFA is a security system that requires more than one way of identification before gaining access to an account. Most commonly, it involves a security code sent to your smartphone, security questions or even a fingerprint, on top of the password. An extra layer of defence to stop sham access to vital online data? Yes please!

  4. Give Your Passwords a Health Check

What better way to check the health of your passwords than to see whether they’ve been compromised in a data breach. The website www.haveibeenpwned.com.au is an effective way to check whether a cybercriminal has discovered your passwords. If yes, give your passwords an overhaul and change them wherever they are used to safeguard your data.

  5. Employ A Password Manager

If you are currently feeling a tad overwhelmed at the thought of creating and managing unique passwords for your multiple online accounts, do not stress – I have a solution – a password manager. This marvellous software program will create random and complex passwords for each of your accounts and store them securely, which means you don’t need to! All you need to do is remember the master password!! When choosing a password manager, ensure it uses multi-factor authentication to identify you, e.g. facial recognition, fingerprint and a password.

If you have a spare 30 minutes today then please take the time to give your password habits an overhaul. I know we are all so flat out juggling work and kids at the moment but a careless approach to password security is no different to a careless approach to home security. So, get your passwords working for you so you can continue living your life online – especially Friday night ‘virtual drinks’!!

The post World Password Day 2020 appeared first on McAfee Blogs.

Personal and Professional Development From Home

Like so many of us, I’m doing my best to look forward. While everyone’s situation is different from family to family, community to community, and even from country to country, one thing I hope is that you have the chance to look forward too—like what you want your life to look like once we’ve moved past the days we’re in right now.

That’s what inspired this article. I wanted to share some online resources that can help you take this time to do something for yourself and pursue some degree of personal or professional development if you can. After all, if we can work it in, now’s the time for a little self-improvement.

For me, I’m diving into subject matter that largely takes me outside of technology and my daily work. One of my favorites right now is gardening. I’m taking a Master Class on gardening from Ron Finley, a man who started planting vegetables in the dirt parking strip outside his home in South Central Los Angeles. At first, Ron was cited for gardening without a permit. After that, he got the local laws changed so that public planting could not only continue but also thrive. In short order, his urban gardening readily turned into a movement based on the idea that everyone in every community can grow their own healthy food.

The class is absolutely inspiring, as is seeing Ron do things like turn an old dresser drawer into a garden. He has plenty of tricks like that he can show you. And I can tell you this—I certainly look at my garden (and what I’m eating!) through new eyes now thanks to him.

Along those lines, I’ve put together a few resources for those of you who want to pursue something that’s always interested you or something new altogether. Once you start researching all the personal and professional development options available, you’ll see plenty of opportunities—and ways to look at your world through new eyes too.

Free Classes from Open Culture

First off, Open Culture is an amazing resource overall. It got its start about 14 years ago with the mission of scouring the web for high-quality educational and cultural resources, all of them free. Today, it’s a massive curation effort packed with hundreds, and even thousands, of movies, lectures, eBooks, videos, university courses, audio books, and so much more across numerous collections. Again, all free.

For example, the page dedicated to 1,500 Free Online Courses from Top Universities is everything you’d expect it to be. And then some. The categories range from Art & Art History to Writing & Journalism, with Business, Economics, Literature, Psychology, and more in between. If picking up a new language or dusting off an old one that’s been on the shelf since your high school days is on your mind, they also have links to learn 48 different languages. In addition, Open Culture keeps a growing list of dozens of free textbooks as well.

University-Led Learning

Numerous higher learning institutions have offered free coursework online for some time now. They’re an outstanding resource for personal enrichment, with lectures, projects, and materials often drawn straight from campus classrooms. For example:

Open Yale Courses

Open Yale Courses offers “a full set of class lectures produced in high-quality video accompanied by such other course materials as syllabi, suggested readings, and problem sets.” Classes range from history and econ to literature and psychology.

Stanford University

Stanford University offers free courses as well and on an interesting blend of topics. If you’re interested in “Child Nutrition and Cooking” or an “Introduction to the Internet of Things,” Stanford’s free course catalog is a great place to start.

Open Learn

Open Learn courses are part of a platform created by the UK’s The Open University as part of its Royal Charter commitment to support the wellbeing of the community. Here you’ll find thousands of resources spread across eight broad categories.

edX

edX has more than 2,800 online courses from roughly 140 institutions across the globe—including MIT, Harvard, UC Berkeley, Boston University, the University of Edinburgh, the University of Tokyo, and Oxford to name a few. Many classes are free, and some offer a formal certificate of completion for a fee.

Mixes of Free and Paid Learning

Udemy

Udemy has 100,000 online courses. While the emphasis is on paid content, simply filter your search for “free” items and you’ll find numerous options there.

Coursera

Coursera provides free courses from university and industry partners with access to on-demand video lectures, homework exercises, and community discussion forums. Degrees and certificates are available through their paid options as well.

iTunes U

iTunes U provides yet another learning opportunity for iPhone, iPad, and iPod Touch users. While the app is designed to help teachers create lesson plans and collaborate with students, it’s also great for the rest of us too. It offers free access to a large collection of free educational content in “public courses from leading schools, universities, museums, and cultural institutions.”

Codecademy

Codecademy focuses on web development, programming and computer science, and data science. It has a free option for a limited number of classes, plus a paid monthly membership offers more content and guidance. As of this writing, a free trial membership is available.

Big ideas for small business

Maybe you’re taking this opportunity to launch a little side business or you’re looking to brush up on some business skills in general. If so, you can visit the U.S. Small Business Administration Learning Center, which is packed with great content that covers broad business topics. Although some of the content is specific to the U.S., plenty of it can benefit all—such as articles on business planning, social media marketing, and other programs for mastering daily operations.

Learn Safely Online

As always, give your security a good look as you embark on any classwork online. My recent article, “How to Stay Secure While Distance Learning” offers some great advice for university students, yet it certainly applies to the rest of us too as we learn online. Also, consider using protection that keeps you safer while doing your reading and researching online. That’ll help you go about your studies without worrying about sketchy links, misclicks, typos, or bad downloads that could land you on a malicious site or drop adware, spyware, or viruses on your device.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Personal and Professional Development From Home appeared first on McAfee Blogs.

How to Ace Your Video Interview: Job Hunting From Home

How to Ace Your Video Interview: Job Hunting from Home, Part Two

So, it’s game day. Your online video interview is about to begin, and you’re feeling good. Okay, so maybe there are just a few nerves, but you know you’ve got this. The space you’ve set up for your call is all in order and your technology is ready to go. You’ve prepped for this moment and it shows.

In my last article, we covered the pre-game day basics to get your location and technology ready for an online interview. Here, we’ll talk about the interview itself. Once again, I caught up with Shawn Hutcherson, our Lead Talent Acquisition Partner here at McAfee, for his insight and experience as a person who’s conducted numerous interviews online.

And here’s the good news: while a video interview may be new to you, plenty of what happens in a good face-to-face interview happens in a good video interview too. We’ll cover exactly that, along with a number of pointers that are specific to video interviews—so you can absolutely ace yours.

Prior to the Interview:

As always, the foundation of a good interview is built upon how you prepare. So much of what you’ll see here should look comfortingly familiar. There are a few new wrinkles to consider with a video interview, just as you’d expect, so here’s a quick rundown of things you can do in the days, and moments, leading up to your call:

Check up on company news.

Did the company have a recent product release, a change in management, or make any other noteworthy moves? You’ll want to know about any such news as it may reshape your understanding of the company and help form some good questions to ask. In either case, it’s a chance to show an interviewer that you’ve done your homework.

Look up your interviewer(s) on LinkedIn.

Aside from providing you some background, it’s also a way to spot common interests that make for easy icebreakers. Likewise, a little familiarity can make for a smoother conversation in the long run if you spot other things like shared experiences and mutual acquaintances.

Grab a pad of paper and fill it up with a few questions.

Having questions prepared shows interest on your part, and you can also jot down any items of interest that came up in your research. Be ready to have this at your side during your interview. Keeping it all together in a nice folio or binder will look extra-sharp too.

“Don’t change anything on game day.”

More plainly, keep to your regular everyday routine. If you drink two cups of coffee in the morning, stick with two. No need to “amp up” with that extra cup. You know your daily rhythm and what keeps you feeling good, so stick with it. Also, it’s a good idea to keep a bottle of water handy. You’ll be chatting for a while, so keep hydrated.

Clear your computer desktop.

Another thing to keep in mind is to close unnecessary apps, browser windows, or anything else that could create a distraction of any kind. For example, any apps that might pop up an alert or notification on your computer desktop, like an email or chat app, should be closed. Likewise, close browser windows so that you don’t share any of them by accident—such as your social media feed, any sensitive information, and so forth.

Check your space.

Look around the room for other things that could interrupt the call in any way. Put your phone on silent (and make sure it’s charged if you need to quickly switch the interview over to a phone call instead). Turn off any loud fans or other appliances that could create background noise. Also check in with your family or roommates one last time and let them know that you’re heading into your interview and when you expect to be done.

Have a backup plan.

So, let’s say the internet connection is sort of lousy or the two of you experience some sort of technical glitch. Have phone numbers handy—and perhaps a draft email ready to go for such situations. Last-minute emails written hastily in the wake of a dropped session can be prone to typos. A professionally written email will go a long way.

A Quick Word on How to Dress for a Video Interview

Granted, working from home may have us dressing far more informally than we ever would in the office, even on the most casual of “Casual Fridays,” so this is a good opportunity to revisit the notion of how to dress for a video interview. The answer is much the same as for any other interview you’ve had before: dress one step above where you think people would normally dress at that employer. For example, at McAfee, we have a pretty relaxed culture, so a smart “business casual” look for an interview works great for us. If the employer is more formal, proper business attire is the way to go. And if you have a favorite shirt, dress, or earrings, wear them. Overall, the best advice is, “Look good, feel good, play good.” When you’re dressed comfortably and for the occasion, a great conversation can come rather naturally.

During the Interview

An old interview axiom is to show up early. The same applies here. Click on that link your interviewer provided a good 10 to 15 minutes early and put yourself on mute. This way, you can address any glitches with plenty of time to spare—like, “Oh, this link isn’t actually working. I’d better shoot off an email or text to get that straightened out.”

So let’s say you connect without a hitch. The camera’s on and you’re live; here are a few things to keep in mind:

Build a rapport.

In virtual situations, it’s easy to feel like you have to get right down to business. Actually, this is your chance to settle in. It’s absolutely okay to ask, “How are you doing today?” or chat about your families or how you’ve been spending your time for a bit. Think back to that LinkedIn search you did. You may have mutual friends or interests. Bring them up.

Feel free to share.

If you’re doing this at home, there’s absolutely no need to apologize for that. Lean into it with something like, “Glad to be here! And hey, just so you know, I have a parakeet and a shih tzu, so there may be a little noise in the background.” And who knows, your interviewer may have a parakeet and a shih tzu too—or some other pets or family in the background. So really, this is another opportunity to connect.

Keep up that eye contact.

This is another tricky mannerism to master in a virtual situation, but try to imagine that the interviewer is in the room with you. That could be a coffee house or a comfortable conference room. Keep your attention on the person and face the screen so that you maintain eye contact. After all, no one wants to see you turn your head and talk to your earlobe.

Remember those non-verbal cues.

Related to the above, a great deal of our communication comes across non-verbally. Smile when you speak if it feels right and nod as you listen. Posture, just like in a face-to-face interview, is important too. Sit straight, yet comfortably, and feel free to lean in and back again with the natural flow of conversation.

Give yourselves some space.

Another pitfall of virtual conversations is the long monologue. Ever been on a lousy conference call where someone fails to pause and let others talk? Or how about when people step on each other’s sentences? You can avoid faux pas like those by interjecting simple open-ended questions into the conversation. Doing so will give your interviewer a chance to show they understand what you’ve conveyed. Also, their answer can lead you into the next topic.

Ask questions in return.

Remember that note pad? Refer to your questions there and actively take notes as you go. This works in your favor a few ways. First off, it showcases your preparedness and that you’re fully engaged in the conversation. Also, it looks and feels natural—far more than sitting relatively idle in a chair for 30, 45, or even a full 60 minutes.

Control what you can.

There’s a fair chance something unexpected will come up. Your grade-schooler may let out a big shout after he drops a jar of peanut butter on his big toe. Your dog may strut in and let you know that it’s time for her walk. While you can’t control these things, you can control your reaction. That’s a strong indicator of how you handle little challenges. See such moments for what they are: a good opportunity. You can turn it into a positive by showing how adaptable and flexible you are.

Getting to know the person on the other end.

As you can see, the video interview shares a great deal with the interviews you’ve had before. Aside from the unique aspects of video job interviews we shared here, there’s something else to keep in mind right now: everyone’s situation is a little different today.

For example, the city you’re in may have rather relaxed rules around social distancing. However, the person you’re speaking with may be weeks into shelter in place restrictions. Before you hop onto that video interview, spend a few moments to empathize with what life may be like for that person right now and keep in mind how their life may be impacted. Also, see this conversation as an opportunity to improve your situation—just like nearly any interview is. Take it for that and focus on the positives.

Last up, a video interview has the similar rewards and challenges for the interviewer. Maybe their shih tzu will chime in during your chat. Or you may hear their kids break out into an impromptu soccer game with a ball of crumpled-up tinfoil. And that’s great! Just as interviewers are getting a glimpse into your world, you’re getting a glimpse into theirs as well. Like you, they’re grateful for the technology that allows us to work together in new ways, develop ourselves professionally, and simply get some face-to-face time with new people.

If you’re job hunting from home or know someone who is, I hope these insights have you feeling a little better about the prospect of a video interview—particularly if the whole thing is new to you. The changes we’re all facing right now are very much on my mind, as are the people and families who’ve had to add the pressure of a job search on top of it all. Once again, check out the Investopedia article on working and job searching from home that I referenced in my first job hunting article; a good portion of it presents an excellent overview of which roles and which firms are particularly WFH-friendly. My hope is that together these articles are of some help, whether for you or your friends and family who are on the hunt. And remember, we’re hiring too!

Stay Updated:

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Ace Your Video Interview: Job Hunting From Home appeared first on McAfee Blogs.

Setting the Stage for Your Video Interview: Job Hunting From Home

If you’ve lined up your first video interview, or are just new to the whole idea in general, how do you get started? And how do you prepare for such a thing? In this article, we’ll cover the basics that will help you set the stage—and take a quick look at the types of businesses that are hiring too.

For years now, the number of people working from home has been on the rise. Whether that entails “WFH” one day a week or practically the whole week, there’s been a 44% growth in remote work over the last five years. Now, with so many businesses requiring their employees to temporarily work from home, that number is unquestionably reaching new heights. How that plays out in the long term remains to be seen. Yet there’s another dimension to working from home that doesn’t get talked about all that often: job hunting from home.

That’s been on my mind in particular right now, particularly as we and many of our friends and partners in the industry have people working from home—and who’re still actively hiring right now. Likewise, the people who are looking for work are even more so on my mind. So I caught up with Shawn Hutcherson, our Lead Talent Acquisition Partner here at McAfee, to get his take on remote hiring so that people can get a leg up on this style of interviewing if it’s new to them or if they simply want a refresher.

Shawn had plenty of great insight and advice, so much so that we’re going to spread it out across two articles. In this one, we’ll focus on getting your tech and your space ready for the interview. In the second article, we’ll cover the interview itself, like what interviewers are looking for and great ways you can show off great form when you’re in the midst of your conversation.

Job Hunting from Home: Where to Start

As said, employers have caught onto the trend—and the recent need—to embrace remote work. That’s taken many forms, yet suffice it to say that more employers are interviewing candidates by way of video interviews. The benefits are many. Among them, it allows both employers and candidates to look beyond their own backyard and do so in an efficient way, particularly during the early “getting to know you” stages of the interview process. And now, it allows companies and organizations to keep hiring even if their physical offices are temporarily closed, which is great news for job seekers.

So, if you’ve lined up your first video interview, or are just new to the whole idea in general, how do you get started? And how do you prepare for such a thing? Here’s what Shawn and I talked about.

Pick Your Device of Choice

Start off in your comfort zone. Pick the device that’s best for you, the one that you’re familiar with. Chances are that’s your computer or laptop. This way, you’ll be in a familiar space when it comes to configuring your device for a video interview—like the microphone levels, speaker volume, camera settings, and simply navigating around.

Here, you can run a few tests to get everything set up the way you like. Some people opt to use their smartphone earbuds or wireless headphones for video calls, which can help prevent audio feedback loops that happen when a computer microphone picks up the audio from its speakers (like in a bad high school assembly). This is often fine, particularly if it gives you and your interviewer the best audio quality. However, avoid using a larger headset and microphone combo, like gamer headsets, simply because they can be distracting.

As for cameras, many laptops have them built in as a standard feature. If that’s not the case for you, or if you have a desktop computer without a camera, there are several inexpensive options. If you’re shopping around, do a little research. There are plenty of reputable sites that provide mini-reviews, pricing overviews, and give you a sense for where you can make your purchase right now. And of course, when you get your camera, don’t wait until interview day to install it.

Make Sure Your Technology is Secure

This is basic hygiene. Start off by ensuring that your device (and all your connected devices while you’re at it) has a comprehensive security solution in place. Given that you’re relying so heavily on your devices while you’re working from home, you’ll want to know that you’re protected against malware, viruses, and phishing attacks. You’ll also benefit from other features that help you manage your passwords, protect your identity, safeguard your privacy, and more.

Pick the Location for Your Interview

Set the stage. Treat your interview space like a movie location. First off, you’ll want to pick a space where there will be no interruptions or distracting noises. (Or at least fewer interruptions and distracting noises.) It’s also good to let others in your home know when your interview is and how long it will run so they can help keep things as quiet as possible for you. More broadly, think about your “set.” In addition to picking a quiet space, take a look at the lighting in the room where you’ll be. Diffused light that doesn’t cast any strange shadows is best, such as natural light or overhead lighting.

Just like a director, think about your camera angle. In effect, the camera is the way you’ll make eye contact with the interviewer. Make sure that the camera is eye level with you so that it appears that you’re making eye contact with the person from the same height. Nothing feels more off-putting for an interviewer than a camera angle that appears to have you looking down at them (and with them looking up your nose in return).

Test Your Setup

Well in advance of your interview, do a dry run with a friend or a family member using a conferencing tool that you can trust. This will give you a chance to make yourself familiar with the equipment you’re using. For example, you can check your microphone and speakers so that you can hear clearly and speak at a good volume without any issues. Next, turn around and look at your backdrop. Choose a view that’s not distracting, and if you need to give your space a quick tidy to make it look presentable go ahead and do that too. A good backdrop will show off your professionalism and that you’re taking the interview seriously. Ask your friend for feedback too.

As for software, interviewers will generally send you an invite with a link for the video conference room you’ll be using. Be aware that your computer may not have that software installed, so take the opportunity to click the link and see if your computer prompts you for an install. Likewise, some video conferencing tools don’t require a software install at all. They simply use a web browser. Best to get this squared away well before your interview so that there are no day-of surprises. You’ll also want to log in a few minutes early just before your actual interview, again to nip any pesky issues in the bud before showtime.

Have a Backup Plan

Glitches happen. Your internet can go out. Your interviewer’s internet can go out. Software may not co-operate. Or you might have an urgent family matter that requires your attention right away. Any number of things can occur on the day of the interview that may be out of your control. However, you can plan for them. In advance of the interview, share a backup plan with your interviewer. Swap phone numbers so that you can switch to a call or get in touch with each other quickly if an issue pops up. Consider this part of your interview prep. A good employer will recognize the planning and foresight you’re putting into the interview, which can reflect well on you.

So, Who’s Hiring?

As we saw at the start of the article, working from home has been on an upward swing for some time now. Businesses are finding ways of supporting more and more roles from home as technology continues to improve—and as they see the benefits of remote working in terms of lower overhead and happier, more productive employees who stick around longer thanks to the flexibility of working from home to some extent or other.

For more specifics in helping with your job hunt, I recently came across an article from Investopedia about working from home that also touches on the job search aspect as well. It presents an excellent overview of which roles and which firms are particularly WFH-friendly. It also offers up some solid general advice about working from home and for avoiding employment scams, as unfortunately there are crooks who’re more than happy to take advantage of our collective “from home” situation right now.

And yes, we’re hiring too. Feel free to drop by and check out our listings as well!

Next up in our second half of this article—game day. Your actual interview. I’m looking forward to sharing plenty more that’ll help you prepare for an outstanding call.

The post Setting the Stage for Your Video Interview: Job Hunting From Home appeared first on McAfee Blogs.

How to gain 24/7 detection and response coverage with Microsoft Defender ATP

This blog post is part of the Microsoft Intelligence Security Association guest blog series. To learn more about MISA, go here.

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.

At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry leading endpoint security solution that’s built into Windows with extended capabilities to Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.

Email notification settings in Microsoft Defender Security Center.

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.

Now any future alerts will create a new ticket in your ticketing system where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender’s Security Center for further investigation and triage. 

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

API call to retrieve authentication token.

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts.

API call to retrieve alerts from Microsoft Defender ATP.

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive.

Example of a Microsoft Defender ATP alert returned from the API.

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.

Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own proprietary analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

Managed detection and response with Red Canary.

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams/Slack, and more. Below is an example of what one of those detections might look like.

Red Canary confirms threats and prioritizes them so you know what to focus on.

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s senior detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

Notes from Red Canary senior detection engineers (in light blue) provide valuable context.

You’re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

Red Canary automation playbook.

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

Red Canary Automate playbook to automatically remediate a detection.
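The token request, the alert poll with a severity cut-off, and the scheduled Machine Action isolation described above, written out as an added example (not Red Canary's or Microsoft's own code). It uses the public Defender ATP REST endpoints; the tenant id, client id and secret are placeholders read from environment variables, the business-hours window is an assumption, and SAMPLE_ALERTS is a constructed response:

```python
"""Poll Microsoft Defender ATP alerts and decide what to page on after hours.

Added example for this post, not Red Canary's or Microsoft's code. Endpoints:
Azure AD token (client credentials), GET /api/alerts, POST /api/machines/{id}/isolate.
"""
import json
import os
import urllib.parse
import urllib.request
from datetime import datetime, time, timedelta, timezone

RESOURCE = "https://api.securitycenter.microsoft.com"
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
ALERTS_URL = RESOURCE + "/api/alerts"
# The post recommends paging only on Medium/High to avoid Informational/Low noise.
PAGE_SEVERITIES = ("Medium", "High")
# Assumed shift window: inside it an analyst approves isolation, outside it the
# playbook isolates automatically.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)


def utc(iso_no_tz):
    """Parse '2020-05-06T03:00:00' as an aware UTC datetime (helper for callers)."""
    return datetime.strptime(iso_no_tz, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def get_token(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials grant against Azure AD (network call)."""
    body = urllib.parse.urlencode({
        "resource": RESOURCE, "client_id": client_id,
        "client_secret": client_secret, "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant_id), data=body)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def alerts_filter(since):
    """OData $filter selecting alerts created after `since` (aware UTC datetime)."""
    return "alertCreationTime gt " + since.strftime("%Y-%m-%dT%H:%M:%SZ")


def alerts_request(token, since):
    """Build the GET /api/alerts request for one polling interval."""
    query = urllib.parse.urlencode({"$filter": alerts_filter(since)})
    return urllib.request.Request(
        ALERTS_URL + "?" + query, headers={"Authorization": "Bearer " + token})


def fetch_new_alerts(token, since):
    """Poll the API and return the raw alert objects (network call)."""
    with urllib.request.urlopen(alerts_request(token, since), timeout=30) as resp:
        return json.load(resp)["value"]


def needs_page(alert):
    """Page only on unresolved Medium/High alerts."""
    return alert.get("severity") in PAGE_SEVERITIES and alert.get("status") != "Resolved"


def summarize(alert):
    """One-line ticket summary; triage still happens in Security Center."""
    return "[{severity}] {title} on {computerDnsName} ({category}) alert={id}".format(**alert)


def route_alerts(alerts):
    """Split alerts into ticket lines to page on and ids left in the console."""
    page = [summarize(a) for a in alerts if needs_page(a)]
    quiet = [a["id"] for a in alerts if not needs_page(a)]
    return page, quiet


def should_auto_isolate(now):
    """True overnight and at weekends (nobody on shift), False in business hours."""
    on_shift = now.weekday() < 5 and BUSINESS_START <= now.time() < BUSINESS_END
    return not on_shift


def isolate_request(token, machine_id, comment, isolation_type="Full"):
    """Machine Action: POST /api/machines/{id}/isolate (IsolationType Full or Selective)."""
    body = json.dumps({"Comment": comment, "IsolationType": isolation_type}).encode()
    return urllib.request.Request(
        RESOURCE + "/api/machines/" + machine_id + "/isolate", data=body, method="POST",
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"})


# Constructed sample shaped like the field subset the alerts API returns.
SAMPLE_ALERTS = [
    {"id": "alert-1", "severity": "High", "status": "New", "category": "Execution",
     "title": "Suspicious PowerShell command line",
     "computerDnsName": "wks-042.example.local", "machineId": "m-1"},
    {"id": "alert-2", "severity": "Informational", "status": "New", "category": "InitialAccess",
     "title": "Unusual sign-in time",
     "computerDnsName": "wks-017.example.local", "machineId": "m-2"},
    {"id": "alert-3", "severity": "Medium", "status": "Resolved", "category": "CredentialAccess",
     "title": "Credential dumping tool",
     "computerDnsName": "srv-db1.example.local", "machineId": "m-3"},
]

if __name__ == "__main__":
    # Offline demo on the constructed sample; set the env vars to poll for real.
    since = datetime.now(timezone.utc) - timedelta(minutes=15)
    print("filter:", alerts_filter(since))
    page, quiet = route_alerts(SAMPLE_ALERTS)
    for line in page:
        print("PAGE:", line)
    print("left in console:", quiet)
    print("auto-isolate now:", should_auto_isolate(datetime.now()))
    if os.environ.get("DEFENDER_TENANT_ID"):
        token = get_token(os.environ["DEFENDER_TENANT_ID"], os.environ["DEFENDER_CLIENT_ID"],
                          os.environ["DEFENDER_CLIENT_SECRET"])
        print(route_alerts(fetch_new_alerts(token, since)))
```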

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since its preview releases or if you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.

Contact us to see a demo and learn more.

The post How to gain 24/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security.

The Guardian view on an NHS coronavirus app: it must do no harm | Editorial

Smartphones can be used to digitally trace Covid-19. But not if the public don’t download an app over privacy fears – or find it won’t work on their device

The idea of the NHS tracing app is to enable smartphones to track users and tell them whether they interacted with someone who had Covid-19. Yet this will work only if large proportions of the population download the app. No matter how smart a solution may appear, mass consent is required. That will not be easy. Ministers and officials have failed to address the trade-offs between health and privacy by being ambiguous about the app’s safeguards.

Instead of offering cast-iron guarantees about the length of time for which data would be held; who can access it; and the level of anonymity afforded, we have had opacity and obfuscation. It is true that we are dealing with uncertainties. But without absolute clarity about privacy the public is unlikely to take up the app with the appropriate gusto.

Online Scam Awareness: Staying Safer in Uncertain Times

As we adjust to a changed world, bad actors are also changing the tactics they use to take advantage of people. You may have already encountered schemes that leverage fear and anxiety to make you click, buy, or respond to malicious communications. Fortunately, a little awareness is all it takes to recognize the scams below and protect yourself and your family.

Phishing Emails

Our new normal means that many face-to-face transactions have moved to email. We are now relying on email for daily communications from schools, updates from our local businesses and so much more. Armed with this knowledge, online scammers are creating emails that capitalize on sensitive and relevant topics to lure you into handing over personal information.

Stimulus Check

A very topical scam today takes the form of a phony message from the government or the IRS asking you to submit personal information or file a tax form to receive a government stimulus check, which can lead to identity theft. The government does not send email communications.

Health Alerts

Another popular scam plays on a sensitive topic today, our health. Examples of this include emails masked as coming from a reputable health organization, such as the CDC, asking you to “click on a link to see health news in your area”. The link could download dangerous malware to your device.

Working From Home

While many of us are working from home now, we are seeing fraudsters take advantage of this through efforts like the “CEO Scam”, where they spoof the email address of someone in your workplace with a position of power. Emails from this spoofed account typically include work-from-home policies or safety precautions and ask you to download an attached policy sheet, which may contain malware.

Delivery Notices

We are all relying on home deliveries more than ever now. Recent scams send a warning that your order or account is on “hold” until you verify some details, or that you need to click on an attachment to see the delivery time. Often they will spoof popular shopping and delivery sites, like Amazon or FedEx, and deliver malware straight to your inbox.

Social media scams 

Be wary of social media platforms. Scammers are using these outlets to advertise phony cures, medical equipment in bulk, and other schemes not unlike the ones used in the phishing emails above.

Fake E-Commerce sites

Hundreds of new e-commerce sites have been popping up offering everything from hard-to-find products to medical equipment and more. Some are legitimate middlemen hoping to turn a quick profit, but others are fake websites looking to collect your personal and financial information.

Protect yourself with these 5 tips

  • Learn to spot suspicious emails: Check the email address by hovering over it with your mouse. Does the extension on the address match the company the email represents? Other red flags to look for are typos, grammatical errors and the use of generic greetings such as “Dear Sir”.
  • If you get what appears to be a suspicious request from someone at work, a friend, or family member, verify the message with that person directly before opening or responding.
  • If you are looking for health or financial information online, stick to reputable sources such as state and government websites and the CDC. Never respond to unsolicited emails or click on included links.
  • When shopping or browsing online, go directly to reputable websites, instead of clicking on questionable ads, links or emails.
  • Ensure that you continue to update your security solutions across all devices. This will help protect devices against malware, phishing attacks, and other threats, as well as help identify malicious websites when browsing.

The post Online Scam Awareness: Staying Safer in Uncertain Times appeared first on McAfee Blogs.

Europe’s Largest Private Hospital Operator Fresenius Hit by Ransomware

Fresenius, Europe’s largest private hospital operator and a major provider of dialysis products and services that are in such high demand thanks to the COVID-19 pandemic, has been hit in a ransomware cyber attack on its technology systems. The company said the incident has limited some of its operations, but that patient care continues.

Based in Germany, the Fresenius Group includes four independent businesses: Fresenius Medical Care, a leading provider of care to those suffering from kidney failure; Fresenius Helios, Europe’s largest private hospital operator (according to the company’s Web site); Fresenius Kabi, which supplies pharmaceutical drugs and medical devices; and Fresenius Vamed, which manages healthcare facilities.

Overall, Fresenius employs nearly 300,000 people across more than 100 countries, and is ranked 258th on the Forbes Global 2000. The company provides products and services for dialysis, hospitals, and inpatient and outpatient care, with nearly 40 percent of the market share for dialysis in the United States. This is worrisome because COVID-19 causes many patients to experience kidney failure, which has led to a shortage of dialysis machines and supplies.

On Tuesday, a KrebsOnSecurity reader who asked to remain anonymous said a relative working for Fresenius Kabi’s U.S. operations reported that computers in his company’s building had been roped off, and that a cyber attack had affected every part of the company’s operations around the globe.

The reader said the apparent culprit was the Snake ransomware, a relatively new strain first detailed earlier this year that is being used to shake down large businesses, holding their IT systems and data hostage in exchange for payment in a digital currency such as bitcoin.

Fresenius spokesperson Matt Kuhn confirmed the company was struggling with a computer virus outbreak.

“I can confirm that Fresenius’ IT security detected a computer virus on company computers,” Kuhn said in a written statement shared with KrebsOnSecurity. “As a precautionary measure in accordance with our security protocol drawn up for such cases, steps have been taken to prevent further spread. We have also informed the relevant investigating authorities and while some functions within the company are currently limited, patient care continues. Our IT experts are continuing to work on solving the problem as quickly as possible and ensuring that operations run as smoothly as possible.”

The assault on Fresenius comes amid increasingly targeted attacks against healthcare providers on the front lines of responding to the COVID-19 pandemic. In April, the international police organization INTERPOL warned it “has detected a significant increase in the number of attempted ransomware attacks against key organizations and infrastructure engaged in the virus response. Cybercriminals are using ransomware to hold hospitals and medical services digitally hostage, preventing them from accessing vital files and systems until a ransom is paid.”

On Tuesday, the Department of Homeland Security‘s Cybersecurity and Infrastructure Security Agency (CISA) issued an alert along with the U.K.’s National Cyber Security Centre warning that so-called “advanced persistent threat” groups — state-sponsored hacking teams — are actively targeting organizations involved in both national and international COVID-19 responses.

“APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that aligns with national priorities,” the alert reads. “The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.”

Once considered by many to be isolated extortion attacks, ransomware infestations have become de facto data breaches for many victim companies. That’s because some of the more active ransomware gangs have taken to downloading reams of data from targets before launching the ransomware inside their systems. Some or all of this data is then published on victim-shaming sites set up by the ransomware gangs as a way to pressure victim companies into paying up.

Security researchers say the Snake ransomware is somewhat unique in that it seeks to identify IT processes tied to enterprise management tools and large-scale industrial control systems (ICS), such as production and manufacturing networks.

While some ransomware groups targeting businesses have publicly pledged not to single out healthcare providers for the duration of the pandemic, attacks on medical care facilities have continued nonetheless. In late April, Parkview Medical Center in Pueblo, Colo. was hit in a ransomware attack that reportedly rendered inoperable the hospital’s system for storing patient information.

Fresenius declined to answer questions about specifics of the attack, saying it does not provide detailed information or comments on IT security matters. It remains unclear whether the company will pay a ransom demand to recover from the infection. But if it does so, it may not be the first time: According to my reader source, Fresenius paid $1.5 million to resolve a previous ransomware infection.

“This new attack is on a far greater scale, though,” the reader said.

Update, May 7, 11:44 a.m. ET: Lawrence Abrams over at Bleeping Computer says the attack on Fresenius appears to be part of a larger campaign by the Snake ransomware crooks that kicked into high gear over the past few days. The report notes that Snake also siphons unencrypted files before encrypting computers on a network, and that victims are given roughly 48 hours to pay up or see their internal files posted online for all to access.

Facebook Launches ‘Discover,’ A Secure Proxy to Browse the Internet for Free

More than six years after Facebook launched its ambitious Free Basics program to bring the Internet to the masses, the social network is back at it again with a new zero-rating initiative called Discover. The service, available as a mobile web and Android app, allows users to browse the Internet using free daily data caps. Facebook Discover is currently being tested in Peru in partnership

Keep Your Data Safe, Get A Glimpse Of Basic WordPress Security Issues

Are you aware that WordPress’s market share is nearly 35% of all the websites across the globe? In addition, about 75,000,000 sites are running on this software. That is a vast number, and it gives you an idea of the responsibility that falls on WordPress to keep every site safe. Because it is one of the most widely used platforms on the market, it is also decidedly easier for hackers to break into sites made with it. Even a single weakness can cause colossal damage.

Therefore you must learn about WordPress security issues in order to avoid such problems. The goal of the hackers is plain: to use your site maliciously. Hence, you must learn the ways to keep your website out of their sight.

Undoubtedly there are several ways a site can be hacked, but you should focus on how to make your site secure. The best way to find the solution is to analyze the problem first. Therefore, here are some of the most basic and essential WordPress security issues that you should note down.

Common WordPress Security Issues To Determine

Brute Force Attacks

One of the usual ways that a hacker can try to get into your site is a WordPress brute force attack, a technique for breaking the security of your login page. In this method, the hacker tries username and password combinations, one after another, until the right one hits. The hacker keeps submitting combinations until a correct one is found. Hence, it is one of the easiest yet oldest ways to take control of your site’s login page.

You might expect there to be a limit on the number of login attempts. But here is one big loophole: WordPress, unfortunately, does not limit login attempts. That paves the way for attackers to exploit your site by the brute force method.

Furthermore, one more thing you must learn here is that even if the hacker fails to get into your site by brute force, the attack still harms your website. If someone keeps submitting combinations, your site ultimately becomes slower, and there is a chance that some hosts will suspend your account.
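Because WordPress itself does not throttle login attempts, the web server access log is the place to see a brute force run. The detector below is an added example, not code from the article or the WordPress project; it relies on two observable WordPress behaviours (credential checks are POSTs to /wp-login.php, a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302), the window and threshold are assumptions, and SAMPLE_LOG is constructed:

```python
"""Flag WordPress brute-force login runs in an Apache/Nginx combined access log.

Added example, not from the original article. Failed logins to wp-login.php
return 200 (form re-rendered); successful ones return 302 (redirect to wp-admin).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
WINDOW = timedelta(minutes=5)   # assumed sliding window
THRESHOLD = 5                   # assumed: failed POSTs from one IP inside WINDOW


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?")[0],   # drop ?redirect_to=... etc.
        "status": int(m.group("status")),
    }


def classify(event):
    """'fail' or 'success' for a login POST, None for any other request."""
    if event["method"] != "POST" or event["path"] != "/wp-login.php":
        return None
    return "success" if event["status"] == 302 else "fail"


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: finding} for IPs with >= threshold failures inside any window.

    `success_after` marks a run that ended in a 302, i.e. a likely guessed password
    that an admin should follow up on (reset the account, review recent changes).
    """
    attempts = defaultdict(list)  # ip -> [(timestamp, outcome), ...]
    for line in lines:
        event = parse_line(line)
        outcome = classify(event) if event else None
        if outcome:
            attempts[event["ip"]].append((event["ts"], outcome))

    findings = {}
    for ip, events in attempts.items():
        events.sort()
        fails = [ts for ts, outcome in events if outcome == "fail"]
        peak, start = 0, 0
        for end, ts in enumerate(fails):        # sliding window over failures
            while ts - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            success_after = any(
                outcome == "success" and ts >= fails[0] for ts, outcome in events)
            findings[ip] = {"failed": len(fails), "peak_in_window": peak,
                            "success_after": success_after}
    return findings


# Constructed sample: one ordinary user who mistypes once, then a scripted run.
SAMPLE_LOG = [
    '198.51.100.5 - - [06/May/2020:01:58:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [06/May/2020:01:58:31 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [06/May/2020:01:58:49 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [06/May/2020:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4532 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:16 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.23"',
    '203.0.113.7 - - [06/May/2020:02:14:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 9810 "-" "python-requests/2.23"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, finding)
```

Run it against a real log with `detect_bruteforce(open("access.log"))`; the same hit-rate logic is what a login-limiting plugin enforces at request time.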

Malware

Be it a large-scale or a small business, everyone needs to be careful about these fundamental WordPress security issues. One more problem you can face with the safety of a website made with WordPress is malware: malicious software that is there to gain unauthorized entry to a website. The motive behind this illegal activity is to steal sensitive data from the site.

If your site gets hacked, there is a chance that someone has injected malware into its files and folders. The best way to find this out is by looking for any changes to the data. If you suspect malware on your site, take a look at recently modified files.

There is a lot of malware out there, but you do not need to panic. You can relax, because WordPress is not vulnerable to all of it. A few of the malware infections that you must note down and keep away are:

  • Malicious redirects
  • Drive-by downloads
  • Pharma hacks
  • Backdoors

These are some of the infections that can harm your site. You can also identify this malware fairly conveniently and then clean it out of your site’s files. You can remove it manually and then install a fresh copy of WordPress.

Cross-Site Scripting (XSS)

If you are still unaware of the evil that causes 84% of all security vulnerabilities across the entire internet, then you must learn about Cross-Site Scripting, or XSS, attacks. It is real, and it is unfortunate that WordPress plugins face this vulnerability the most. It is a type of attack in which the hacker injects malicious scripts into the site.

The primary mechanism of Cross-Site Scripting starts with the hacker finding a way to get a victim to load insecure, malicious web pages. These unsafe pages carry JavaScript that loads very quietly, without the user’s knowledge.

Such kind of attacks execution takes place to execute WordPress security breach.

SQL Injections

SQL injection is an attack that gives a hacker access to your database. Your WordPress website requires a MySQL database to operate, so if an attacker finds a way into it, you are at risk.

Using SQL injection, a hacker can create a new admin-level user account, which gives full access to your website. They can also inject new data into your database that is disguised to deceive your users, further increasing the WordPress security risk.

Conclusion

These are some of the WordPress security issues you need to understand in order to defend against attacks.

The post Keep Your Data Safe, Get A Glimpse Of Basic WordPress Security Issues appeared first on .

Webcast: Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests

I like webapps, don’t you? Webapps have got to be the best way to learn about security. Why? Because they’re self-contained and so very transparent. You don’t need a big ol’ lab before you can play with them. You can run them in a single tiny VM or even tiny-er Docker image on your laptop. […]

The post Webcast: Free Tools! How to Use Developer Tools and Javascript in Webapp Pentests appeared first on Black Hills Information Security.

NICE Released the Spring 2020 eNewsletter

The Spring 2020 NICE eNewsletter has been published to provide subscribers information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. To help increase the visibility of NICE, the NICE Program Office will issue regular eNewsletters that feature spotlight articles on academic, industry, and government developments related to NICE, updates from key NICE programs, projects, the NICE Working Group, and other important news. For

Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability

Days after cybersecurity researchers sounded the alarm over two critical vulnerabilities in the SaltStack configuration framework, a hacking campaign has already begun exploiting the flaws to breach servers of LineageOS, Ghost, and DigiCert. Tracked as CVE-2020-11651 and CVE-2020-11652, the disclosed flaws could allow an adversary to execute arbitrary code on remote servers deployed in data

World Password Day: Using a Passphrase to Strengthen Your Security

Human nature has shown that people re-use passwords, at least for non-work accounts that aren’t requiring quarterly changes. How can it affect your current security that you’ve reused an old password or passphrase from 2012? Surprisingly, quite a lot. Hashed passwords and the plain text equivalent from a breached site can be paired with your […]

The post World Password Day: Using a Passphrase to Strengthen Your Security appeared first on The State of Security.

The MITRE ATT&CK Framework: Discovery

The Discovery tactic is one which is difficult to defend against. It has a lot of similarities to the Reconnaissance stage of the Lockheed Martin Cyber Kill Chain. There are certain aspects of an organization which need to be exposed in order to operate a business. In fact, all of the techniques at this time […]

The post The MITRE ATT&CK Framework: Discovery appeared first on The State of Security.