Monthly Archives: July 2020

Why is Dynamic Analysis an Important Part of Your AppSec Mix?

By now, most are familiar with the concept of DevSecOps. With DevSecOps, application security (AppSec) is moved to the beginning of the software development lifecycle (SDLC). By scanning earlier in the SDLC, you are able to find and fix flaws earlier. This can result in significant time and cost savings. Most organizations understand the importance of static analysis, which scans for flaws during development, but dynamic application security testing (DAST) is just as important.

Unlike static analysis, DAST scans for flaws at runtime. It’s able to detect configuration errors and validate vulnerabilities found through other AppSec testing techniques. It’s vital to scan your applications at runtime because the vulnerabilities found are not just theoretical; they are proven to be exploitable. This means that the likelihood of a false positive with DAST is very low.

How does DAST work?

DAST interacts with the application the way an attacker would. It starts by crawling the application to understand its architecture, including links, text, form fields, and other page elements that a user could interact with. It also picks up on attack points that are less visible to the user, such as header values, cookies, and URL parameters. The scanner then audits the objects and attributes discovered by the crawl, sending test attacks such as Cross-Site Scripting and SQL Injection against them to see whether any of them are exploitably vulnerable.

What are the benefits of Veracode’s DAST solution?

Veracode’s DAST solution, dynamic analysis, can be easily automated, provides accurate and actionable results, and returns results in a timely manner. This is very beneficial for both security professionals and developers because it doesn’t add extra work for developers, and it isn’t a time-consuming scan that will significantly slow down time to deployment. In fact, 65 percent of our dynamic analysis scans finish in five hours, and 70 percent finish in eight hours. Best of all? Our false positive rate is less than one percent, so developers can start on remediation right away.

What is an AppSec mix and why is it important?

No two scan types are created equal. Each is designed with a different area of focus, along with different speeds and costs. For example, if you only use static analysis and dynamic analysis, you won’t uncover third-party vulnerabilities. If you only use penetration testing, you won’t be able to automate the process, which will slow down your time to deployment and cost a substantial amount of money. A major benefit of Veracode is that all of our solutions are on one platform. So whichever scan types you decide to add to your AppSec program, it will be cost-efficient and low maintenance, and you will have a cohesive reporting toolset that shows your security posture in one place.


For more information on Veracode’s Dynamic Analysis, including common challenges associated with production scanning and how to find the right mix of assessment types, download our technical whitepaper.


Source Code Leak – What We Learned and How You Can Protect Your IP

This week we learned about a leak of source code from 50 prominent companies, posted by a Swiss IT consultant. These come after another recent leak of source code from Nintendo, prompting us to comment on the issue of IP protection and secure development pipelines.  

The latest leak appears to stem primarily from a misconfiguration of SonarQube, an open-source tool for static code analysis, which allows developers to audit their code for bugs and vulnerabilities prior to deployment.  

Our own assessment found that SonarQube communicates on port 9000; at the breached companies that port was likely misconfigured to be open to the internet, allowing researchers to reach the instances and discover the data now exposed in the leak.

A search for SonarQube on the popular IoT search engine Shodan allows anyone to discover exposed instances of common software such as this. With this information so easily available, ports unintentionally left open invite a wide swath of intrusion attempts.

Several of the source code repositories also contained hard-coded credentials, which open the door to accessing other resources and expansion of the breach. It is a best practice to never commit code with hard-coded/plaintext credentials to your repositories.   

How You Can Protect Your IP  

Mistakes like misconfiguration and accidental credential exposure will happen in the development process, which is where InfoSec teams need to step in. Auditing infrastructure code both prior to deployment and continuously in production is essential for companies practicing DevOps and CI/CD.  

Our solution to this problem is MVISION Cloud, the multi-cloud security platform for enterprises to protect their data, prevent threats, and maintain secure deployments for their cloud-native apps.  

Audit Cloud Accounts for Misconfiguration 

With MVISION Cloud, InfoSec teams can monitor their company’s public cloud accounts, like AWS, Azure, or GCP, for configuration mistakes that may expose sensitive data. In the example below, MVISION Cloud discovered that a resource in AWS EC2 was configured with Unrestricted Access to ports other than 80/443, opening up potential breach scenarios like the one we saw with the source code leak.
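The check described above, written out as an added example (not MVISION Cloud's own code): it walks security-group ingress rules in the shape boto3's `describe_security_groups()` returns (an assumption about the input format) and reports every rule reachable from the whole internet on anything other than plain HTTP/HTTPS. The sample groups are constructed.

```python
"""Audit EC2 security groups for ingress rules that are open to the whole
internet on ports other than 80/443.

Assumption (not from the original post): the input is the list of security
groups as returned under "SecurityGroups" by boto3's
ec2.describe_security_groups(). The sample data below is constructed.
"""
from typing import Dict, List

ALLOWED_PUBLIC_PORTS = {80, 443}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _public_cidrs(perm: Dict) -> List[str]:
    """Return the CIDRs in this permission that mean 'the whole internet'."""
    cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def _exposed_ports(perm: Dict) -> str:
    """Describe what a permission opens beyond the tolerated web ports.

    Returns "" when the rule is exactly tcp/80 or tcp/443.
    """
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":                       # -1 means all protocols, all ports
        return "all ports (all protocols)"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:            # e.g. ICMP type/code entries
        return f"all ports ({proto})"
    if proto == "tcp" and lo == hi and lo in ALLOWED_PUBLIC_PORTS:
        return ""                           # plain HTTP/HTTPS: accepted
    # A range such as 0-65535 (or 9000-9000) exposes something else.
    return f"{proto} {lo}-{hi}"


def audit_security_groups(groups: List[Dict]) -> List[Dict]:
    """Return one finding per ingress rule that is world-reachable on a
    non-web port. Each finding names the group, the exposure and the CIDR."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            exposed = _exposed_ports(perm)
            if not exposed:
                continue
            for cidr in _public_cidrs(perm):
                findings.append({
                    "GroupId": sg.get("GroupId"),
                    "GroupName": sg.get("GroupName"),
                    "Exposure": exposed,
                    "Source": cidr,
                })
    return findings


# Constructed sample: a web tier that is fine, and a CI box that also has
# a code-analysis server's port and a catch-all rule open to the world.
SAMPLE_GROUPS = [
    {
        "GroupId": "sg-0000web",
        "GroupName": "web-tier",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
    {
        "GroupId": "sg-0000ci",
        "GroupName": "ci-tools",
        "IpPermissions": [
            # Reachable only from a corporate range: not a finding.
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
            # Code-analysis UI exposed to everyone: the misconfiguration
            # the post describes.
            {"IpProtocol": "tcp", "FromPort": 9000, "ToPort": 9000,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            # Catch-all rule: every port, every protocol, from IPv6 anywhere.
            {"IpProtocol": "-1",
             "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]

if __name__ == "__main__":
    for f in audit_security_groups(SAMPLE_GROUPS):
        print(f"{f['GroupId']} ({f['GroupName']}): {f['Exposure']} "
              f"open to {f['Source']}")
```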

Scan Application Code for Vulnerabilities  

Companies with active container deployments should take this one step further, auditing not only for misconfigurations but also CVEs in their container images. In the example below, MVISION Cloud discovered that one container image contained 219 code vulnerabilities, many of which could be exploited in an attack.  

Scan Repositories for Hard-Coded Credentials and Secret Keys 

To mitigate the risk of credential or secret key exposure, within MVISION Cloud you can easily scan your repositories for specific data types and take multiple levels of action. Below we’ve set up a policy to scan Bitbucket and GitHub with our Data Loss Prevention (DLP) data identifiers for AWS Keys and Passwords. With Passwords, we are using keyword validation, meaning we will only trigger an incident if a keyword like pwd, p, or password is nearby. We’ve chosen the least disruptive action here, notifying the end user to remediate themselves; however, the option to delete the data is also available.
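To show what the two data identifiers above amount to, here is an added example (not MVISION Cloud's DLP engine): a scanner that matches the AWS access key ID format and applies the same kind of keyword validation to password-like string literals, reporting masked values so the secret is not copied into a ticket. The keyword list, window size and sample file are my own constructions.

```python
"""Scan source text for hard-coded AWS access key IDs and for password-like
string literals that sit next to a password keyword ("keyword validation",
as the post describes). Added example, not MVISION Cloud's own code; the
sample input is constructed and the key ID in it is fabricated.
"""
import re
from dataclasses import dataclass
from typing import List

# AWS access key IDs are 20 characters: a 4-letter prefix (AKIA for long-term
# user keys, ASIA for temporary credentials) followed by 16 uppercase
# alphanumerics. The look-arounds stop us matching inside longer tokens.
AWS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A quoted literal of 8..64 non-space characters is a password *candidate*.
PASSWORD_CANDIDATE = re.compile(r"""(["'])([^\s"']{8,64})\1""")

# Keywords that must appear shortly before the literal for it to count
# (the post's list: pwd, p, password; a few common variants added).
PASSWORD_KEYWORDS = re.compile(
    r"(?i)(?<![a-z0-9])(password|passwd|pwd|pass|p)(?![a-z0-9])")
KEYWORD_WINDOW = 40   # characters before the literal that are searched


@dataclass
class Finding:
    line: int
    kind: str      # "aws_access_key_id" or "password"
    masked: str    # never echo the full secret into logs or tickets


def mask(value: str) -> str:
    """Keep the first four characters so a reviewer can recognise the value."""
    return value[:4] + "*" * (len(value) - 4)


def scan_text(text: str) -> List[Finding]:
    """Return a finding for every key ID and keyword-validated password."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID.finditer(line):
            findings.append(Finding(lineno, "aws_access_key_id", mask(m.group(0))))
        for m in PASSWORD_CANDIDATE.finditer(line):
            # Keyword validation: only the text just before the literal counts.
            window = line[max(0, m.start() - KEYWORD_WINDOW):m.start()]
            if PASSWORD_KEYWORDS.search(window):
                findings.append(Finding(lineno, "password", mask(m.group(2))))
    return findings


# Constructed sample file. The key ID is fabricated for the example.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
client = boto3.client("s3", aws_access_key_id=AWS_ACCESS_KEY_ID)
greeting = "Hello-world!!"                     # ignored: no keyword nearby
db_password = "Tr0ub4dor&3xample"              # flagged: keyword password
subprocess.run(["mysql", "-p", "s3cretDBpass"])  # flagged: keyword p
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} -> {f.masked}")
```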

The speed of DevOps is allowing companies to innovate quickly, but without security audits built into the pipeline, misconfigurations and vulnerable code can go unnoticed and expose data in a breach. We strongly encourage the movement from DevOps to DevSecOps, building this audit process into the standard practice of application development. 

For more on how MVISION Cloud can enable you to implement a DevSecOps practice, get in touch with us today.  

The post Source Code Leak – What We Learned and How You Can Protect Your IP appeared first on McAfee Blogs.

Cybersecurity Best Practices for SMB IT

It’s time to recalibrate your thinking if you believe your enterprise is safe from hackers because your business is considered small. Yes, system incursions upon the likes of Microsoft, Estee Lauder and T-Mobile get the lion’s share of media attention; however, cybercriminals hungrily eye higher-volume smaller targets as well. Making them all the more appetizing is the complacency many small business owners have when it comes to network security.

With that in mind, let’s take a look at some cybersecurity best practices for SMB IT.

  1. Take It Seriously

Sure, this might sound like something that doesn’t need to be said, but a surprising number of data breaches occur because people neglect to treat security as a priority. Employees get lazy about scrutinizing emails and text messages carefully before opening links and attachments. Passwords go unchanged for years because they’re easy to remember. Access codes are shared among “trusted” employees. First and foremost, cybersecurity should be afforded the respect it deserves because ignoring it can shut a company down altogether.

  2. Carry Cyber Insurance

It’s important to operate from the mindset of what will happen when your system is attacked, as opposed to if. This makes carrying a cyber insurance policy with a reputable carrier a good idea. In addition to providing vital financial assistance in the wake of a data breach, cyber insurers scrutinize your security arrangements before agreeing to issue a policy. In other words, they look for ways to infiltrate your network and show you how to plug those gaps before they cover you.

  3. Employ Multi-Factor Authentication (MFA)

This one goes somewhat hand in hand with number one above. Prioritizing convenience over security can leave your system open to infiltrators. While requiring multi-factor authentication before permitting access to your network does mean users must take additional steps, it also introduces another hurdle of protection over which interlopers must leap. Compromised, reused and weak passwords are responsible for 81 percent of hacking-related breaches. MFA is one of the easiest and most effective measures you can take to ramp up enterprise cybersecurity.

  4. Implement and Enforce a Bring Your Own Device Policy

The Internet of Things has given rise to a plethora of endpoint devices, many of which represent a potential point of entry to your network. This must be addressed head-on. Forbid — and take steps to prevent — the storage of sensitive data on personal devices. Permit access to sensitive information only through an encrypted VPN. Employee-owned devices should be granted guest access only over the internet. And devise and implement an emergency response plan of the steps to take when an employee loses a device. The more endpoints are accessing your network, the more important it is to take cloud and on-premises network security seriously.

  5. ABU — Always Be Updating

Next to weak passwords, old software is another leading cause of data breaches. We know you’ve heard it hundreds of times before, but that should render it all the more important in your mind. Install software updates the moment they become available. This is especially critical for security, web server, and operating system software. Each new version of these contains updated anti-virus and anti-malware coding, typically in response to the latest breach. In other words, hackers find ways in and programmers lock those doors as soon as they become aware of them. Ignoring updates leaves your system vulnerable to people who are aware of those portals.

Always be updating.

These are five of the simplest ways to protect your network. Even better, they can be implemented at minimal cost. Being small is no guarantee criminals will overlook your business. Implementing these cyber security best practices for SMB IT helps prevent your company from being viewed as low hanging fruit, encouraging hackers to look for an easier target.

The post Cybersecurity Best Practices for SMB IT appeared first on Hacker Combat.

Data Security: How HIPAA Rules Affect Your Organization

Every organization has to ensure that all of its data is stored securely and that any possibility of data leaks or information theft are minimized as much as possible. Healthcare providers must also ensure that they comply with the Health Insurance Portability and Accountability Act (HIPAA). Here are some of the ways in which HIPAA rules can affect your practice and steps you can take to ensure you comply.


The two fundamental components of HIPAA are the Privacy Rule and Security Rule. The key aspects of HIPAA’s Privacy Rule relate to who can have access to personal health information (PHI), how it is used and disclosed. Policies and procedures should be implemented to ensure that only the minimum information necessary is disclosed and that written patient authorization is obtained prior to their information being disclosed. Failing to follow the HIPAA Privacy Rule can lead to civil and even criminal penalties. The HIPAA Security Rule requires that all ePHI which is created, sent or received be kept confidential, that data integrity is maintained and that data is available when needed.

Safe Storage Of Electronic Records

Most patient healthcare information is now stored digitally, making it easier for clinical data to be accessed between providers. However, this data is still subject to the same HIPAA rules. It may include information about the patient’s medications, medical history and billing information. Crucially, this means that all electronic health records need to be stored securely and that adequate security measures need to be in place to prevent improper access.

Adequate Encryption

It is essential that safeguards are put in place to ensure that security threats and breaches are minimized.

One of the most important safeguards to implement is secure encryption of data. To ensure maximum security, it’s essential that you use software that encrypts the data when you back up health records. The same applies to any platforms you may use to transfer patient information with other healthcare professionals or patients themselves.

Prevention Of Data Breaches

Whenever anyone without authorization accesses personal health information, this is considered a data breach. This may be a hacker, a member of the team with malicious intent or just a curious employee. Organizations need to take steps to protect patient information from being improperly accessed, as far as they reasonably can, to prevent avoidable data breaches. Whenever a data breach is discovered, it is imperative that the organization provides a breach notification, as specified by the HIPAA Breach Notification Rule.

Safeguard Against Cyber-Attacks

Organizations also need to ensure that they have adequate safeguards in place to protect against ransomware and cyber-attacks. Ransomware attacks involve malicious software encrypting the data on a computer or network and denying access to the data until a ransom payment has been made.

Healthcare providers are particularly vulnerable to ransomware and cyber-attacks.  Most of these attacks aim to steal electronic healthcare data which can then be sold on. The best strategy to ensure you can recover from any sort of cyber-attack is to have offline backups. You also need to ensure that any data kept on the cloud is stored securely. You risk fines, damage to your reputation and even poor healthcare outcomes if you don’t have proper security in place.

Safeguarding Public Health

Whilst individual privacy must always be respected, there are instances in which PHI can be released en masse. These are specific instances which impact on public safety, for example any situation which requires disease or death to be identified, monitored and responded to. Other situations include terrorism, surveillance, outbreak investigation and research. You need to be clear about what information can be disseminated and used in each case.


In order to ensure that you and your business associates are complying with HIPAA and properly and securely protecting PHI, you need to minimize the risk of any health information becoming compromised, improperly disclosed or stolen and encrypted. Ensure that you have the latest security management initiatives in place in order to protect your digital platforms and ensure that patient information remains secure and uncompromised.

Beatrix Potter is a cybersecurity writer at Essay Services website. 

The post Data Security: How HIPAA Rules Affect Your Organization appeared first on CyberDB.

Smartphone Alternatives for Free-Ranging Kids

A popular topic in our blogs is “when to buy a child a smartphone,” and for good reason. It’s an important conversation, one that calls for plenty of research and reflection as you look to balance the risks and rewards of giving your child a smartphone. Maybe you’ve already arrived at your answer and decided that your child isn’t ready—yet you still like the idea of using technology to keep in touch with your kiddo. If so, you still have options.

Why is smartphone ownership for children on the rise?

And that’s the thing. We want to keep in touch with our kids. We’ve seen studies and heard anecdotal references time and time again: one of the top reasons parents give a child a smartphone is “to stay in touch.” Whatever the reason parents cite, smartphone ownership by young users is on the rise. According to recent research from Common Sense Media, 19% of eight-year-olds in the U.S. owned a smartphone in 2019, compared to just 11% in 2015. (Nearly double!) Looking at older tweens, 69% of twelve-year-olds owned one, whereas that number was just 41% in 2015.

As these numbers rise, it raises some questions about how families can benefit from giving a smartphone to a child, particularly a younger one. One thought that quickly comes to mind is that families have a lot to juggle with jobs, school, activities, play dates, and so forth all in the mix. Smartphones help us keep on top of it all. With texting, calls, calendars, and GPS, they seem to offer some easy answers when it comes to keeping organized and on schedule. Likewise, the reality is that we have households where parents work multiple jobs or keep hours that go outside the regular 9-to-5, which makes staying connected that much more important, to the degree that it’s a near necessity.

Another thought around the rise of young smartphone owners is around a desire to help our kids become more independent, or at least semi-independent with some supervision. Maybe that’s letting them walk to school or a friend’s house, all with the reassurance that you can track where they are with GPS and feel good knowing they can get in touch with you quickly if they need to (and vice-versa). 

Free-Range Parenting and Smartphone Technology

Taking that approach a step further is the re-invigorated notion of “free-range parenting,” which harkens back to the days of the 70’s, 80’s and even earlier when kids were simply sent out of the house to go roam around the neighborhood and playgrounds with friends until suppertime. The pros and cons of allowing your child to explore their world more freely and to do so with less direct supervision is a conversation unto itself. Local laws vary, as do family situations, not to mention a child’s age and overall level of preparedness. So while free-range parenting is a snappy phrase, it’s a rather complex topic. I don’t bring it up glibly. Yet, it’s a conversation that’s been making the rounds in parenting blogs in recent years. Now, with how pervasive smartphone ownership has become, the conversation gets that much more interesting. But is a smartphone really the best tool here?

The flipside is that a smartphone, for all its benefits, like instant messaging, texting, location tracking, family calendars, and good old phone calls, obviously has its drawbacks when it’s in the hands of young kids. A smartphone is an open door to the broader internet—social media, games, endless hours of videos, not to mention content that you know is not appropriate for them. It’s a world that no child should be thrown into cold. Just like learning to walk, it should be entered gradually, in baby steps.

Stay in Touch without the Smartphone

And thankfully there are devices that are built just for that, while still giving families the means “to stay in touch” without introducing the risks of the internet to young children at too young an age. In short, you don’t need a smartphone to get all the benefits of a smartphone, at least when it comes to keeping tabs on your children.

What follows are a few options you can check out and research for yourself. Know that I’m not personally endorsing or recommending any particular brand, device, or phone here. My aim is to give you a nudge into an initial direction with a quick overview of what’s out there so that you can make a choice that works great for your family. Let’s take a look:

Flip Phones

The trusty flip phone. Rugged. Low-cost. Long battery life. Together, that makes them a fine option for kids. The options for them are quite broad, where you can get phones that are essentially just phones and nothing else, to other models that include cameras, push-to-talk walkie-talkie communications, and slide-out keyboards for texting. Doing a little research online will turn up numerous lists of the “best” flip phones and give you a strong idea of which one has the features you want (and don’t want) for your child.

Cellular and Wi-Fi Walkie-Talkies

An interesting and relatively recent entry into the “just for kids” phone market is the relay phone. In actuality, the relay looks more like a small speaker that’s the size of a standard sticky note and the width of an ice cream sandwich, which is quite practical. Kids can clip it on to their backpack, pop it in their pocket, or wear it on an armband. With a big button in the center, it gives kids a screen-free, push-to-talk phone that works with cellular and Wi-Fi networks. The other great feature for parents and their free-ranging kids is the combination of GPS tracking and geofencing. This way, you can always know where your children are and get alerts if they stray from the geofenced area you prescribe (like a few blocks around your home or a route to and from school). Additionally, it includes SOS emergency alerts, where five quick taps of the button will send an instant notification.

Smart Watches for Kids

Similar to the above, the U.S. mobile carrier Verizon offers a smart watch for children called the GizmoWatch2. At first glance, it looks like many other smart watches on the market but with a twist: you can load it with up to 10 contacts that you approve, so your child can text or call them with the push of a button. And like the relay phone, it also has GPS technology that allows you to instantly locate your child and get alerts when they step outside of their geofenced area. Other features include a step counter, tasks and reminders, plus a calendar function for setting a schedule. And yes, it’s a watch too. Pretty convenient, as it’s simply something that your child can wear.

For families in the EU, XPLORA offers a range of smart watches for kids that are currently available for online shopping in the UK, Germany, Spain, France and Poland, and in selected retail stores. Another option for UK families is the Vodafone V-Kids Watch, which offers GPS tracking, voice messaging, and an SOS button as well.

First Phones for Kids

On the more fully featured side, Gabb Wireless offers a phone and network made for young users. The look and feel of this device is more like a smartphone, yet the functionality and apps are narrowed down to the basics. It includes messaging, a camera, and things like a calculator, voice recorder, and calendar. What’s missing are social media apps, games, and internet browsing (and everything that comes with that). It’s available in the lower 48 states of the U.S. (for now).

Giving Your Child an “Old” Smartphone

One option for parents is to give a child an old smartphone, say a phone that might be otherwise destined for a swap at the mobile phone shop, and to “dumb it down” by removing everything but the most essential of apps. However, as you are certainly aware, kids are smart. And curious. Count on them figuring out how to make that dumb phone smart again by reloading apps on their own. One more thing to keep in mind is that your old data and passwords may be on this phone, so you’d want to reset your phone completely, like back to the original factory settings, to avoid any access or data issues. You’d also want to pick up antivirus for your iOS or Android phone and apply some parental controls to it as well. 

So while this route may feel like you’re getting some extra mileage out of a phone and giving your child the means to stay in touch, know that it comes with those risks. With that, I don’t recommend this for the younger ones in your life.

Thinking Twice About Smartphones for Kids

Just as you want to monitor where your child is and what they’re doing out in the neighborhood, the same holds true for the internet. That’s as good a reason as any to put some serious thought in before you put a smartphone in your child’s hands. As we’ve seen, the good news is that you don’t need a smartphone to keep in touch with your child. Even more reassuring is that mobile carriers and technology companies are paying attention to the concerns that parents have and creating products that address them. Research your options and be sure to share what you find with other parents. You may start something special in your circle of friends.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Smartphone Alternatives for Free-Ranging Kids appeared first on McAfee Blogs.

Women in Sales Part 2: Skilling up for a Career in Cybersecurity Sales

McAfee fosters an inclusive environment where we value varied life experiences. To showcase women who are making an impact and inspire others, we launched our Women in Sales Series.

In Part 1, McAfee women described industry opportunities and how they continue to break boundaries to develop rewarding careers.

Here in Part 2, we introduce women whose unique past experiences helped shape their career paths. They share critical skills for success and words of encouragement for those considering a career in sales. 

Practice clear communication and collaboration: “In a sales role, you constantly communicate with customers to help them achieve their desired outcomes with evolving solutions. We need people who can maintain relationships while demonstrating their relevance to stakeholders, C-level and highly technical engineer roles. My more successful peers are those who can navigate through various layers of organizational complexity because they know it takes dedication and expertise from everyone on the team to close deals. Keeping team members informed and constantly collaborating is critical throughout every step of the sales process.”

— Amy, Enterprise Sales, Charlotte, North Carolina

Be confident and take the leap: “My experience started in IT after I graduated from college. Later, I joined technical support at McAfee and was asked if I was interested in a sales engineering role. I didn’t have the experience but was excited to try something new and made the decision to leap into a sales career. My experience in technical support helped me get up to speed in sales engineering, and I love it.”

— Carine, Presales/Sales Engineering, Plano, Texas 

Build relationships and know the business: “If you’re focused and determined, you can succeed in sales. The most challenging part for me was picking up the sales piece as I already had a technical background. If you want to get into presales, half is relating to people and building strong relationships with the customer. The other half is engineering, and here, you need to learn enough of everything to hold knowledgeable conversations. Investigating resources quickly to source answers for the customer is also important. Be confident in yourself and your abilities.”

— Elizabeth, Presales/Sales Engineering, Plano, Texas 

Find your passion, then network: “I’ve found a degree in psychology handy in a sales career. It is easier for me to engage with people, read a situation and build rapport. With some experience, I saw a future in sales and carved out my career path. I thought the life of a field sales rep was exciting: greater earnings, more flexibility and so on. Once I knew I had found my path, I looked for opportunities to network with sales executives, get exposure and learn from them. Networking enabled me to build a name for myself and a personal brand.”

— Kate, Enterprise Sales – Federal, Washington, DC 


Leverage your transferable skills: “I previously worked in real estate designing high rise office buildings. I eventually wanted to try a different field. My presentation and project management skills were transferable, so I changed industries to telecom and began as a technical trainer. I eventually moved into a sales engineering role here at McAfee and am currently in a sales architect role.” 

— Melissa, Presales/Sales Engineering, Plano, Texas 

Understand the customer’s needs: “Sales is about cultivating relationships, understanding the customers’ needs and finding the best solution for them. These are the essential skills when considering a career in sales. You’ll never know if you can be successful if you don’t attempt it.”

— Marta, Inside Sales, Cork, Ireland 

Build a social platform and know when to speak up: “Look at your collective skillset and see how you can leverage it for sales. Be sure to showcase it on your resume and social channels like LinkedIn. Then network, network, network. Have a few good mentors in your corner who can make some connections for you internally and externally. But remember, you are responsible for your career; you must speak up and make sure your career goals and desired career path are known by leadership.”

— Paige, Sales Operations, Plano, Texas 

Spend time on people: “When I first began my career in sales operations, it helped me immensely to try and understand others’ points of view. You cannot find success in a vacuum and people are complex. My advice is to take time to understand people. Then, with dedication and hard work, the value you add will show through.”

— Preet, Sales Operations, Plano, Texas

Speak the language: “Presales is a bridge that links the technical to the sale, which means you need to understand two languages: technical and business. It is challenging, but also very exciting. For those looking to enter the industry, I recommend you leverage social media and connect with people to tap into their wisdom. This is how I found my current position.”

— Sandra, Presales/Sales Engineering, Sydney, Australia

Understand your team and global partners: “Go for it! The sales industry is unlike any other. A sales role offers an opportunity for anyone with a willingness to put in the work. In my position, there are two key indicators for success: understanding what motivates my team and navigating the nuances of interacting with diverse, global partners.”

— Sophie, Sales Project Management, Cork, Ireland 

It takes not only the range of talent these women bring to the table, but also passion, motivation and courage to thrive. 
Next week, meet more McAfee women in sales who will provide their perspectives on traits needed for a successful career in cybersecurity sales.  

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to job alerts.

The post Women in Sales Part 2: Skilling up for a Career in Cybersecurity Sales appeared first on McAfee Blogs.

Obscured by Clouds: Insights into Office 365 Attacks and How Mandiant Managed Defense Investigates

With Business Email Compromises (BECs) showing no signs of slowing down, it is becoming increasingly important for security analysts to understand Office 365 (O365) breaches and how to properly investigate them. This blog post is for those who have yet to dip their toes into the waters of an O365 BEC, providing a crash course on Microsoft’s cloud productivity suite and its assortment of logs and data sources useful to investigators. We’ll also go over common attacker tactics we’ve observed while responding to BECs and provide insight into how Mandiant Managed Defense analysts approach these investigations at our customers using PowerShell and the FireEye Helix platform.

Office 365

Office 365 is Microsoft’s cloud-based subscription service for the Microsoft Office suite. It is built from dozens of applications tightly embedded into the lives of today’s workforce, including:

  • Exchange Online, for emails
  • SharePoint, for intranet portals and document sharing
  • Teams and Skype for Business, for instant messaging
  • OneDrive, for file sharing
  • Microsoft Stream, for recorded meetings and presentations

As more and more organizations decide to adopt Microsoft’s cloud-based offering to meet their needs, unauthorized access to these O365 environments, or tenants in Microsoft’s parlance, has become increasingly lucrative to motivated attackers. The current high adoption rate of O365 means that attackers are getting plenty of hands-on experience with using and abusing the platform. While many tactics have remained largely unchanged in the years since we first observed them, we’ve also witnessed the evolution of techniques that are effective against even security-conscious users.

In general, the O365 compromises we’ve responded to have fallen into two categories:

  • Business Email Compromises (BECs)
  • APT or state-sponsored intrusions

Based on our experience, BECs are a common threat to any organization's O365 tenant. The term “BEC” typically refers to a type of fraud committed by financially motivated attackers. BEC actors heavily rely on social engineering to carry out their schemes, ultimately defrauding organizations and even personnel.

One common BEC scheme involves compromising a C-suite executive’s account via phishing. Once the victim unwittingly enters their credentials into a web form masquerading as the legitimate Office 365 login portal, attackers log in and instruct others in the organization to conduct a wire transfer, perhaps under the guise of an upcoming acquisition that has yet to be publicly announced. However, we’ve also observed more effective schemes where attackers compromise those in financial positions and patiently wait until an email correspondence has begun about a due payment. Attackers seize this opportunity by sending a doctored invoice (sometimes based on a legitimate invoice that had been stolen earlier) on behalf of the compromised user to another victim responsible for making payments. These emails are typically hidden from the compromised user by attacker-created Outlook mailbox rules. Oftentimes, by the time the scheme is inevitably discovered and understood days or weeks later, the money is unrecoverable, which highlights the importance of contacting law enforcement immediately if you’ve fallen victim to a fraud.

The personal finances of staff aren’t off limits to attackers either. We’ve observed several cases of W-2 scams, in which attackers send a request to HR for W-2 information from the victim’s account. Once obtained, this personally identifiable information is later used to conduct tax fraud.

Conversely, APT intrusions are typically more sophisticated and are conducted by state-sponsored threat actors. Rather than for financial gain, APT actors are usually tasked to compromise O365 tenants for purposes of espionage, data theft, or destruction. Given the wealth of sensitive information housed in any given organization’s O365 tenant, APT actors may not even need to touch a single endpoint to complete their mission, sidestepping the many security controls organizations have implemented and invested in.

O365 Logs and Data Sources

In this section, we’ll touch on the multitude of logs and portals containing forensic data relevant to an O365 investigation.

Before we can begin investigating an O365 case, we’ll work with our clients to get an “Investigator” account provisioned with the roles required to obtain the forensic data we need. For the purposes of this blog post, we’ll quickly list the roles needed for an Investigator account, but during an active Managed Defense investigation, a designated Managed Defense consultant will provide further guidance on account provisioning.

At a minimum, the Investigator account should have the following roles:

Exchange Admin Roles

  • View-only audit logs
  • View-only configuration
  • View-only recipients
  • Mailbox Search
  • Message Tracking

eDiscovery Rights

  • eDiscovery Manager role

Azure Active Directory Roles

  • Global Reader

Unified Audit Log (UAL)

The Unified Audit Log records activity from various applications within the Office 365 suite, and can be considered O365’s main log source. Entries in the UAL are stored in JSON format. We recommend using the PowerShell cmdlet Search-UnifiedAuditLog to query the UAL as it allows for greater flexibility, though it can also be acquired from the Office 365 Security & Compliance Center. In order to leverage this log source (and the Admin Audit Log), ensure that the Audit Log Search feature is enabled.

The UAL has a few nuances that are important to consider. While it provides a good high-level summary of activity across various O365 applications, it won’t log comprehensive mailbox activity (for that, acquire the Mailbox Audit Log). Furthermore, the UAL has a few limitations, namely:

  • A single query returns at most 5000 results
  • Only 90 days of activity are retained
  • Events may take up to 24 hours before they are searchable

Mailbox Audit Log (MAL)

The Mailbox Audit Log, part of Exchange Online, will capture additional actions performed against objects within a mailbox. As such, it’s a good idea to acquire and analyze the MAL for each affected user account with the PowerShell cmdlet Search-MailboxAuditLog. Note that entries in the MAL will be retained for 90 days (by default) and timestamps will be based on the user’s local time zone. The MAL’s retention time can always be increased with the PowerShell cmdlet Set-Mailbox along with the AuditLogAgeLimit parameter.

At the time of writing this post, Microsoft has recently released information about enhanced auditing functionality that gives investigators insight into which emails were accessed by attackers. This level of logging for regular user accounts is only available for organizations with an Office 365 E5 subscription. Once Advanced Auditing is enabled, mail access activity will be logged under the MailItemsAccessed operation in both the UAL and MAL.

Administrator Audit Log

If the Audit Log Search feature is enabled, this supplemental data source logs all PowerShell administrative cmdlets (including command-line arguments) executed by administrators. If you suspect that an administrator account was compromised, don’t overlook this log! The PowerShell cmdlet Search-AdminAuditLog is used to query it, and the same 90 day retention limit applies.

Azure AD Logs

Azure AD logs can be accessed from the Azure portal under the Azure Active Directory service. Azure AD Sign-in logs contain detailed information about how authentications occur and O365 application usage. Azure AD audit logs are also a valuable source of information, containing records of password resets, account creations, role modifications, OAuth grants, and more that could be indicative of suspicious activity. Note that Azure AD logs are only available for 30 days.

Cloud App Security Portal

For cases where OAuth abuse has been observed, information about cloud applications can be found in Microsoft’s Cloud App Security portal. Access to this portal requires an E5 license or a standalone Cloud App license. For more background on OAuth abuse, be sure to check out our blog post: Shining a Light on OAuth Abuse with PwnAuth.

Message Traces

Message traces record the emails sent and received by a user. During an investigation, run reports on any email addresses of interest. The message trace report will contain detailed mail flow information as well as subject lines, original client IP addresses, and message sizes. Message traces are useful for identifying emails sent by attackers from compromised accounts, and can also aid in identifying initial phishing emails if phishing was used for initial access. To obtain the actual emails, use the Content Search tool.

Only the past 10 days of activity are available with the Get-MessageTrace PowerShell cmdlet. Historical searches for older messages (up to 90 days by default) can be started with the Start-HistoricalSearch cmdlet and their status checked with Get-HistoricalSearch, but a historical search typically takes hours before the report is available. Historical reports can also be generated within the Security and Compliance Center.

eDiscovery Content Searches

The Content Search tool allows investigators to query for emails, documents, and instant message conversations stored in an Office 365 tenant. We frequently run Content Search queries to find and acquire copies of emails sent by attackers. Content searches are limited to what has been indexed by Microsoft, so recent activity may not immediately appear. Additionally, only the most recent 1000 items will be shown in the preview pane.

Anatomy of an O365 BEC

As mentioned earlier, BECs are one of the more prevalent threats to O365 tenants seen by Managed Defense today. Sometimes, Mandiant analysts respond to several BEC cases at our customers within the same week. With this frontline experience, we’ve compiled a list of commonly observed tactics and techniques to advise our readers about the types of activities one should anticipate. Please note that this is by no means a comprehensive list of O365 attacks, rather a focus on the usual routes we’ve seen BEC actors take to accomplish their objective.

Phase 1: Initial Compromise

  • Phishing: Emails with links to credential harvesting forms sent to victims, sometimes from the account of a compromised business partner.
  • Brute force: A large dictionary of passwords attempted against an account of interest.
  • Password spray: A dictionary of commonly used passwords attempted against a list of known user accounts.
  • Access to credential dump: Valid credentials used from a previous compromise of the user.
  • MFA bypasses: Use of mail clients leveraging legacy authentication protocols (e.g. IMAP/POP), which bypass MFA policies. Attackers may also spam push notifications to the victim by repeatedly attempting to log in, eventually leading to the victim mistakenly accepting the prompt.

Phase 2: Establish Foothold

  • More phishing: Additional phishing lures sent to internal/external contacts from Outlook’s global address list.
  • More credible lures: New phishing lures uploaded to the compromised user's OneDrive or SharePoint account and shared with the victim’s coworkers.
  • SMTP forwarding: SMTP forwarding enabled in the victim’s mailbox to forward all email to an external address.
  • Forwarding mailbox rules: Mailbox rules created to forward all or certain mail to an external address.
  • Mail client usage: Outlook or third-party mail clients used by attackers. Mail will continue to sync for a short while after a password reset occurs.

Phase 3: Evasion

  • Evasive mailbox rules: Mailbox rules created to delete mail or move some or all incoming mail to uncommonly used folders in Outlook, such as “RSS Subscriptions”.
  • Manual evasion: Manual deletion of incoming and sent mail. Attackers may forego mailbox rules entirely.
  • Mail forwarding: Attackers accessing emails without logging in if a mechanism to forward mail to an external address was set up earlier.
  • Mail client usage: Outlook or third-party mail clients used by attackers. Mail can be synced locally to the attacker’s machine and accessed later.
  • VPN usage: VPN servers, sometimes with similar geolocations to their victims, used in an attempt to avoid detection and evade conditional access policies.

Phase 4: Internal Reconnaissance

  • Outlook searching: The victim’s mailbox queried by attackers for emails of interest. While not recorded in audit logs, it may be available to export if it was not deleted by attackers.
  • O365 searching: Searches conducted within SharePoint and other O365 applications for content of interest. While not recorded in audit logs, SharePoint and OneDrive file interactions are recorded in the UAL.
  • Mail client usage: Outlook or third-party mail clients used by attackers. Mail can be synced locally to the attacker’s machine and accessed later.

Phase 5: Complete Mission

  • Direct deposit update: A request sent to the HR department to update the victim’s direct deposit information, redirecting payment to the BEC actor.
  • W-2 scam: A request sent to the HR department for W-2 forms, used to harvest PII for tax fraud.
  • Wire transfer: A wire transfer requested for an unpaid invoice, upcoming M&A, charities, etc.
  • Third-party account abuse: Abuse of the compromised user’s privileged access to third-party accounts and services, such as access to a corporate rewards site.

How Managed Defense Responds to O365 BECs

In this section, we’re going to walk through how Managed Defense investigates a typical O365 BEC case.

Many of the steps in our investigation rely on querying for logs with PowerShell. To do this, first establish a remote PowerShell session to Exchange Online; Microsoft’s documentation covers two methods for doing so.

Broad Scoping

We start our investigations off by running broad queries against the Unified Audit Log (UAL) for suspicious activity. We’ll review OAuth activity too, which is especially important if something more nefarious than a financially motivated BEC is suspected. Any FireEye gear available to us—such as FireEye Helix and Email Security—will be leveraged to augment the data available to us from Office 365. 

The following are a few initial scoping queries we’d typically run at the beginning of a Managed Defense engagement.

Scoping Recent Mailbox Rule Activity

Even in large tenants, pulling back all recent mailbox rule activity doesn’t typically produce an unmanageable number of results, and attacker-created rules tend to stand out from the rest of the noise.

Querying UAL for all mailbox rule activity in Helix:

class=ms_office365 action:[New-InboxRule, Set-InboxRule, Enable-InboxRule] | table [createdtime, action, username, srcipv4, srcregion, parameters, rawmsg]

Query UAL for new mail rule activity in PowerShell:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 -Operations "New-InboxRule","Set-InboxRule","Enable-InboxRule" | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8

Scoping SMTP Forwarding Activity

SMTP forwarding is sometimes overlooked because it appears under a UAL operation separate from mailbox rules. This query looks for the Set-Mailbox operation containing a parameter to forward mail over SMTP, indicative of automatic forwarding being enabled from OWA.

Querying UAL for SMTP forwarding in Helix:

class=ms_office365 action=Set-Mailbox rawmsg:ForwardingSmtpAddress | table [createdtime, action, username, srcipv4, srcregion, parameters, rawmsg]

Querying UAL for SMTP forwarding in PowerShell:

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 -FreeText "ForwardingSmtpAddress" | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8
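Once either export is on disk, the interesting part is sorting attacker-created rules from the noise. The following Python is an added example written for this page (it is not part of the original post and not Mandiant's tooling): it triages the JSON held in the AuditData column of a Search-UnifiedAuditLog export for both of the patterns scoped above, evasive or forwarding inbox rules and SMTP forwarding set through Set-Mailbox. The three sample records are constructed for the example and follow the layout of Exchange admin audit records as the editor understands it (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the field names, INTERNAL_DOMAINS and HIDING_FOLDERS are assumptions to adjust for your own tenant.

```python
import json

# Constructed sample: three AuditData JSON strings as they would appear in a
# Search-UnifiedAuditLog export. The field layout is an assumption based on
# Exchange admin audit records; adjust if your export differs.
SAMPLE_AUDITDATA = [
    json.dumps({
        "CreationTime": "2020-07-14T02:13:55", "Operation": "New-InboxRule",
        "UserId": "cfo@example.com", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
            {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-07-14T02:15:10", "Operation": "Set-Mailbox",
        "UserId": "cfo@example.com", "ClientIP": "198.51.100.23",
        "Parameters": [
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:cfo.backup@mail.example.net"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    }),
    json.dumps({
        "CreationTime": "2020-07-10T09:02:01", "Operation": "New-InboxRule",
        "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "From", "Value": "news@vendor.example.org"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    }),
]

# Tenant-specific assumptions: your own mail domains, and the Outlook folders
# the post lists as places attackers park mail so the owner never sees it.
INTERNAL_DOMAINS = {"example.com"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remit")
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule", "Set-Mailbox"}


def _params(record):
    """Flatten the Parameters list of Name/Value pairs into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _is_external(address):
    """True if a forwarding target's domain is not one of ours (handles 'smtp:' prefixes)."""
    addr = address.strip().lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    if "@" not in addr:
        return False
    domain = addr.rsplit("@", 1)[1].strip("]>")
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def triage(record):
    """Return the reasons a rule or mailbox change looks attacker-created (empty if benign)."""
    op = record.get("Operation")
    if op not in RULE_OPS:
        return []
    params = _params(record)
    reasons = []
    for name in sorted(FORWARD_PARAMS.intersection(params)):
        for target in params[name].split(";"):
            if _is_external(target):
                reasons.append(f"{name} to external address {target.strip()}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes incoming mail")
    # MoveToFolder may be a full path such as "user:\RSS Subscriptions"; keep the leaf.
    folder = params.get("MoveToFolder", "").rsplit("\\", 1)[-1]
    if folder.lower() in HIDING_FOLDERS:
        reasons.append(f"rule moves mail to '{folder}'")
    words = (params.get("SubjectContainsWords", "") + ";" + params.get("BodyContainsWords", "")).lower()
    if any(w in words for w in FINANCE_WORDS):
        reasons.append("rule filters on finance keywords")
    if op == "New-InboxRule" and params.get("Name", "").strip() in {"", ".", ",", "-", "_"}:
        reasons.append("rule name is a throwaway placeholder")
    return reasons


def triage_line(audit_data_json):
    """Triage a single AuditData JSON string."""
    return triage(json.loads(audit_data_json))


def triage_export(lines):
    """Triage every AuditData line; return the flagged changes in export order."""
    hits = []
    for line in lines:
        record = json.loads(line)
        reasons = triage(record)
        if reasons:
            hits.append({"time": record.get("CreationTime"), "user": record.get("UserId"),
                         "ip": record.get("ClientIP"), "op": record.get("Operation"),
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage_export(SAMPLE_AUDITDATA):
        print(hit["time"], hit["user"], hit["ip"], hit["op"], "; ".join(hit["reasons"]))
```

Run it against the AuditData column of the CSV produced by either query above; a rule that forwards externally, deletes, files mail into one of the hiding folders, or keys on invoice and payment language is the one to pull the ClientIP from and carry into the per-user review. Tune the keyword and folder lists to the tenant, since a legitimate accounts-payable rule can trip the finance check on its own.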

Analyze Compromised Users Logs

After we’ve finished scoping the tenant, we’ll turn our attention to the individual users believed to be involved in the compromise. We’ll acquire all relevant O365 logs for the identified compromised user(s). This includes the user's UAL, Mailbox Audit Log (MAL), and Admin Audit Log (if the user is an administrator). We’ll review these logs for anomalous account activity and assemble a list of attacker IP addresses and User-Agent strings. We’ll use this list to further scope the tenant.

O365 investigations rely heavily on anomaly detection. Many times, the BEC actor may even be active at the same time as the user. In order to accurately differentiate between legitimate user activity and attacker activity within a compromised account, it's recommended to pull back as much data as possible to use as a reference for legitimate activity. Using the Helix query transforms groupby < [srccountry,srcregion], groupby < useragent and groupby < srcipv4, which highlight the least common geolocations, User-Agent strings, and IP addresses, can also assist in identifying anomalies in results.

Querying UAL for a user in Helix:

class=ms_office365 | table [createdtime, action, username, srcipv4, srccountry, srcregion, useragent, rawmsg] | groupby < [srccountry,srcregion]

Querying UAL for a user in PowerShell:

Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -UserIds <user@domain> | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8

Querying MAL for a user in PowerShell:

Search-MailboxAuditLog -Identity <user@domain> -LogonTypes Owner,Delegate,Admin -ShowDetails -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8

Querying Admin Audit Log for all events within a certain date in PowerShell:

Search-AdminAuditLog -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8
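The "least common geolocation, User-Agent and IP" approach does not need Helix; it can be run over the UAL export for a single user. The following Python is an added example by the editor (not code from the original post or from Mandiant) that builds the per-user baseline, surfaces the events whose source IP or User-Agent is rare for that account, and turns them into the IP and User-Agent leads used to scope the rest of the tenant. The records are constructed: forty routine logins from one office address, then two events from an unfamiliar address and browser. The layout assumes ClientIP at the top level of AuditData and a UserAgent entry under ExtendedProperties, as Azure AD sign-in records in the UAL carry it; the 5 percent rarity threshold is the editor's choice.

```python
import json
from collections import Counter


def _rec(time, op, ip, ua):
    """Build one constructed AuditData JSON string for the user under review."""
    return json.dumps({
        "CreationTime": time, "Operation": op, "UserId": "cfo@example.com",
        "ClientIP": ip,
        "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}],
    })


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0.4147.89 Safari/537.36"
OPERA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/70.0.3538.110 Safari/537.36 OPR/57.0.3098.116"

# Constructed sample: 40 routine logins from the office egress IP over ten days,
# then two events from a new IP and browser in the small hours of the compromise.
SAMPLE_UAL = [_rec(f"2020-07-{day:02d}T08:{m:02d}:00", "UserLoggedIn", "203.0.113.7", CHROME)
              for day in range(1, 11) for m in (5, 20, 35, 50)]
SAMPLE_UAL += [_rec("2020-07-11T02:11:09", "UserLoggedIn", "198.51.100.23", OPERA),
               _rec("2020-07-11T02:13:55", "New-InboxRule", "198.51.100.23", OPERA)]


def _strip_port(client_ip):
    """ClientIP may carry a port: '198.51.100.23:49152' or '[2001:db8::1]:443'."""
    if client_ip.startswith("["):
        return client_ip[1:client_ip.index("]")]
    host, sep, port = client_ip.rpartition(":")
    return host if sep and port.isdigit() and host.count(":") == 0 else client_ip


def parse_records(lines):
    """Reduce each AuditData line to the fields the anomaly review needs."""
    recs = []
    for line in lines:
        r = json.loads(line)
        ext = {p["Name"]: p["Value"] for p in r.get("ExtendedProperties", [])}
        recs.append({"time": r["CreationTime"], "user": r["UserId"], "op": r["Operation"],
                     "ip": _strip_port(r.get("ClientIP") or ""), "ua": ext.get("UserAgent", "")})
    return recs


def rare_values(recs, field, threshold):
    """Values of `field` seen in at most `threshold` of this user's events, rarest first."""
    counts = Counter(r[field] for r in recs if r[field])
    total = sum(counts.values())
    rare = {v: c / total for v, c in counts.items() if c / total <= threshold}
    return dict(sorted(rare.items(), key=lambda kv: kv[1]))


def find_anomalies(recs, threshold=0.05):
    """Events whose source IP or User-Agent is rare for this account, with the reason."""
    rare_ips = rare_values(recs, "ip", threshold)
    rare_uas = rare_values(recs, "ua", threshold)
    out = []
    for r in recs:
        reasons = []
        if r["ip"] in rare_ips:
            reasons.append(f"rare IP ({rare_ips[r['ip']]:.1%} of events)")
        if r["ua"] in rare_uas:
            reasons.append("rare User-Agent")
        if reasons:
            out.append({**r, "reasons": reasons})
    return out


def leads(recs, threshold=0.05):
    """IP and User-Agent indicators to sweep the rest of the tenant with."""
    anomalies = find_anomalies(recs, threshold)
    return {a["ip"] for a in anomalies}, {a["ua"] for a in anomalies if a["ua"]}


if __name__ == "__main__":
    records = parse_records(SAMPLE_UAL)
    for a in find_anomalies(records):
        print(a["time"], a["op"], a["ip"], a["ua"][:40], "; ".join(a["reasons"]))
    print("leads:", leads(records))
```

Rarity only works when the baseline is wide enough: pull the full 90 days rather than the days around the compromise, and expect false positives from travel and from shared NAT or VPN egress addresses that many colleagues use. Events flagged this way are leads to confirm against timestamps and operations, not a verdict on their own.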

Query UAL with New Leads

Now that we’ve built a list of suspicious IP addresses (or even entire CIDR ranges) and User-Agent strings, we’ll run new queries against the entire UAL to try to identify other compromised user accounts. We’ll repeat this step and the previous step for each newly identified user account.

One advantage to using the FireEye Helix platform over PowerShell is that we can query entire CIDR ranges. This is helpful when we observe attackers coming from a VPN or ISP that dynamically assigns IP addresses within the same address block.

Queries for attacker User-Agent strings usually generate more noise to sift through than IP address searches. In practice, User-Agent queries are only beneficial if the attackers are using an uncommon browser or version of a browser. Due to limitations of the Search-UnifiedAuditLog cmdlet, we’ve had the most success using the FreeText parameter and searching for simple strings.

In Helix:

class=ms_office365 (srcipv4:[<ip1>,<ip2>] OR useragent:Opera) | table [createdtime, action, username, srcipv4, srccountry, srcregion, useragent, rawmsg] | groupby username

Querying the UAL for IPs and user agents in PowerShell:

Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -IPAddresses <ip1>,<ip2> | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8
Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate (Get-Date) -ResultSize 5000 -FreeText "Opera" | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8
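Without Helix, the CIDR sweep can still be done offline: export the whole tenant's UAL for the window with Search-UnifiedAuditLog and match on address ranges and User-Agent fragments locally. The following Python is an added example by the editor, not part of the original post and not Mandiant's tooling, using only the standard library's ipaddress module. The six records are constructed to show why a range beats exact IPs: the attacker's VPN pool hands out changing addresses in 198.51.100.0/24, and one account was touched from a different address but the same unusual browser. It assumes the same AuditData layout as the queries above (ClientIP at the top level, optionally with a port, and UserAgent under ExtendedProperties); the lead lists are placeholders for the indicators you built from the compromised users' logs.

```python
import ipaddress
import json


def _rec(user, ip, ua, op="UserLoggedIn"):
    """Build one constructed AuditData JSON string."""
    return json.dumps({"CreationTime": "2020-07-12T03:00:00", "Operation": op,
                       "UserId": user, "ClientIP": ip,
                       "ExtendedProperties": [{"Name": "UserAgent", "Value": ua}]})


CHROME = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/84.0.4147.89 Safari/537.36"
OPERA = "Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/70.0.3538.110 Safari/537.36 OPR/57.0.3098.116"

# Constructed tenant-wide export. An exact match on 198.51.100.23 would only
# have found the CFO; the pool, the browser and the IPv6 range catch the rest.
TENANT_UAL = [
    _rec("cfo@example.com", "198.51.100.23:51002", OPERA, "New-InboxRule"),
    _rec("bob@example.com", "198.51.100.77:40511", OPERA),
    _rec("carol@example.com", "198.51.100.140", CHROME),
    _rec("dave@example.com", "192.0.2.9", OPERA),           # same odd browser, new IP
    _rec("alice@example.com", "203.0.113.7:52200", CHROME),  # benign office login
    _rec("erin@example.com", "[2001:db8:ffff::10]:443", CHROME),
]

# Leads carried over from the per-user review (placeholders for this example).
LEAD_CIDRS = ["198.51.100.0/24", "2001:db8:ffff::/48"]
LEAD_UA_SUBSTRINGS = ["OPR/"]


def _strip_port(client_ip):
    """ClientIP may carry a port: '198.51.100.23:49152' or '[2001:db8::1]:443'."""
    if client_ip.startswith("["):
        return client_ip[1:client_ip.index("]")]
    host, sep, port = client_ip.rpartition(":")
    return host if sep and port.isdigit() and host.count(":") == 0 else client_ip


def sweep(lines, cidrs, ua_substrings):
    """Return {user: [matching events]} for events inside any lead CIDR or carrying a lead UA."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hits = {}
    for line in lines:
        r = json.loads(line)
        ip_text = _strip_port(r.get("ClientIP") or "")
        ext = {p["Name"]: p["Value"] for p in r.get("ExtendedProperties", [])}
        ua = ext.get("UserAgent", "")
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:          # blank or malformed ClientIP: fall back to UA only
            ip = None
        reasons = []
        if ip is not None:
            # A v4 address is never "in" a v6 network (and vice versa), so mixing is safe.
            reasons += [f"ip in {n}" for n in nets if ip in n]
        reasons += [f"ua contains {s!r}" for s in ua_substrings if s in ua]
        if reasons:
            hits.setdefault(r["UserId"], []).append(
                {"time": r["CreationTime"], "op": r["Operation"],
                 "ip": ip_text, "ua": ua, "reasons": reasons})
    return hits


def compromised_users(lines, cidrs, ua_substrings):
    """Sorted list of accounts with at least one matching event; feed each back into the per-user step."""
    return sorted(sweep(lines, cidrs, ua_substrings))


if __name__ == "__main__":
    for user, events in sweep(TENANT_UAL, LEAD_CIDRS, LEAD_UA_SUBSTRINGS).items():
        for e in events:
            print(user, e["time"], e["op"], e["ip"], "; ".join(e["reasons"]))
```

As the post notes, the User-Agent match is the noisier of the two: a substring like "OPR/" is only useful when the attacker's browser is genuinely uncommon in the tenant, so review UA-only hits (dave above) against the user's baseline before treating the account as compromised. Every new account this turns up goes back through the per-user log review, and any new addresses or agents found there widen the lead lists for another pass.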

Analyze Message Traces

We’ll use PowerShell to query message traces for the compromised users we’ve identified. If the email was sent within the past 10 days, use the Get-MessageTrace cmdlet, which immediately returns results and allows teams to query IP addresses. For older emails, use the Start-HistoricalSearch cmdlet and download the report later from the Mail Flow section of the Security & Compliance center.

Querying for the last 10 days of mail sent by the victim in PowerShell:

Get-MessageTrace -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) -SenderAddress <user@domain> | Select-Object Received, SenderAddress, RecipientAddress, Subject, Status, FromIP, Size, MessageID | Export-CSV \path\to\file.csv -NoTypeInformation -Encoding utf8

Querying for older emails (up to 90 days) in PowerShell:

Start-HistoricalSearch -ReportTitle "Mandiant O365 investigation" -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy -ReportType MessageTraceDetail -SenderAddress <user@domain>

As Message Trace results are reviewed, attention should be given to IP addresses to determine which emails were sent by attackers. If phishing was the suspected initial compromise vector, it’s a good idea to also query for incoming mail received within a few days prior to the first compromise date and look for suspicious sender addresses and/or subject lines.

Acquire Emails of Interest

With our list of suspicious emails identified from message traces, we’ll use the Content Search tool available in the Office 365 Security and Compliance Center to acquire the email body and learn what domains were used in phishing lures (if phishing was present). Content Searches are performed by using a straightforward GUI, and the results can either be previewed in the browser, downloaded individually as EML files, or downloaded in bulk as PST files.

Final Scoping

At this point of our investigation, the BEC should be sufficiently scoped within the tenant. To ensure any follow-on activity hasn’t occurred, we’ll take all of the attack indicators and perform our final queries across the UAL.

With that said, there are still edge cases in which attacker activity wouldn’t appear in O365 logs. For example, perhaps an additional user has submitted their credentials to a phishing page, but the attackers haven’t used them to log in yet. To ensure we don’t miss this activity, we’ll perform additional scoping across available network logs, specifically for IP addresses and domains related to the attacker’s phishing infrastructure. We’ll also leverage other FireEye products, such as the Endpoint Security platform, to search for phishing domains present on a host’s web browser history.


Unauthorized access to an O365 tenant doesn’t just pose a threat to an organization, but also to its staff and business partners. Organizations without enhanced security controls in O365 are at the greatest risk of experiencing a BEC. However, as multi-factor authentication becomes more and more commonplace, we’ve witnessed an increase in MFA bypass attempts performed by increasingly proficient attackers.

It’s important to remember that social engineering plays a primary role throughout a BEC. Ensure that users are trained on how to identify credential harvesting forms, a common compromise vector. When in the midst of a BEC compromise, teams may want to promptly alert personnel in HR and finance-related roles to exercise extra caution when processing requests related to banking or wire transfers while the investigation is in progress.

The examples covered in this blog post are just a sample of what Managed Defense performs while investigating an Office 365 compromise. To take a proactive approach to preventing BECs, make sure the following best practices are implemented in an O365 tenant. Additionally, FireEye Email Security offers protections against phishing and the Helix platform’s O365 ruleset can alert on anomalous activity as soon as it happens.

Recommended Best Practices

  • Ensure mailbox audit logging is enabled on all accounts
  • Disable Legacy Authentication protocols
  • Enable multi-factor authentication (MFA)
  • Enforce strong passwords and a password expiration policy
  • Forward O365 audit logs to a centralized logging platform for extended retention
  • Enforce an account lockout policy in Azure/on-premise Active Directory
  • Restrict mail forwarding to external domains


Special thanks to Doug Bienstock, Glenn Edwards, Josh Madeley, and Tim Martin for their research and assistance on the topic.

What is a McAfee Internship Like? 10 Interns Share Perspectives

At McAfee, we foster meaningful internship experiences within our fast-paced world of cybersecurity. We know it’s the next generation that will build tomorrow’s technology solutions. McAfee interns make substantial contributions and are valued as global team members, joining our mission to protect all that matters.

This year, McAfee took the intern experience virtual due to the global pandemic. While not our typical experience, this year’s interns continue to thrive. To celebrate National Intern Day, we asked our interns around the world to share insights gained from their experiences.

“My new colleagues and leaders have helped me transition from college life to my full-time internship at McAfee. The people I work with put the customer at the core and are driven to provide the best quality security software. Since day one, I’ve always felt part of the McAfee family.”

Aaron, QA Engineering and Software Development Intern, Cork


“I was interested in McAfee because of the culture. I wanted to work at a place where I was treated well. Everyone is willing to step in and help you get back on the right track. I’ve had to adapt to an online internship environment, but I’m being equipped well to learn and do my work, and I’m really grateful to still have this opportunity.”

Benaisha, Finance Intern, Plano


“I was interested in interning a second year at McAfee because of the company’s values and workplace practices. I also enjoyed working in a positive and constructive atmosphere; it’s important to work for a company that wants to help you grow. I’ve been able to collaborate and work with people from all over the globe and increase my communication skills. My biggest takeaway is to never limit yourself and always be open-minded in your career field. Today, I’m confident in my capabilities because of the exposure McAfee has given me.”

Blair, People Success Intern, Plano

“The current times have made me appreciate how important communication and great teamwork truly are. My colleagues have been excellent mentors and are always available when I have questions. During my time at McAfee, I have taken on the responsibility of QA Lead on a project and have become involved with employee resource groups, including the Women in Security (WISE) Community and Cork Culture Club.”

Deirdre, QA Engineering and Software Development Intern, Cork

“McAfee provided a platform where I truly feel engaged by various aspects of technology. Most importantly, my work involving foundations for security and data exchange layer has enhanced the quality of my programming. I am now more comfortable with the organizational structure, seeking appropriate information and obtaining specific knowledge for responsible project ownership. I am greatly inspired by the vast, positive response by my team in creating an overall environment which fosters growth and career development.”

Divya, Technical Intern, Bangalore

“When I visited the Córdoba site on a college trip, I liked what my eyes saw: a very comfortable workplace environment to grow professionally. I viewed this internship as an opportunity to gain experience and knowledge alongside the best professionals in the field. I am learning new technologies, new work approaches, interacting with other professionals and working together as a team, as well as improving my English and living the McAfee Values.”

Emiliano, Undergraduate Technical Intern, Córdoba

“I’m learning how the cloud computing industry is actively changing our world. My McAfee team has helped broaden my understanding of computer networking/provisioning, building on what I’ve learned at my university and filling in the gaps. This experience has been incredible because we are constantly learning new technologies as a team. Thank you, McAfee, for continuing your internship program during the pandemic.”

Francisco, DevOps Engineer Intern, Santa Clara


 “I wanted to learn more about the ever-evolving cybersecurity world, which is applicable to any and every field or industry. This internship has allowed me to gain knowledge about the private sector while also fulfilling my interest in law. I’ve learned attention to detail and how the ability to effectively negotiate is essential. All the contracts and agreements that are processed through our team are highly important to the business. This is the most impactful and meaningful internship I’ve had in my entire college career. McAfee’s culture is inclusive — and even though I’m an undergraduate intern who is here for a short time, I really feel part of the team.” 

Gia, Public Sector Legal Intern, Reston


“McAfee became one of the top companies on my list during my time in an internship program at school as I learned about our products and mission. I wanted to learn more about cybersecurity and to expand my horizons. I have the opportunity to help maintain and improve the system of testing environments for engineers across McAfee. The people I work with regularly provide feedback, guidance and are extremely helpful. McAfee is truly a great place to work, to learn, and more importantly, it’s filled with amazing and talented individuals. I’m extremely grateful for the opportunity and thankful to have this incredible experience.”

Jeff, Software Development Engineering Intern, Hillsboro

“I’m gaining skills and experiences I cannot learn in school. While working on different projects, I’ve been able to familiarize myself with existing UI patterns, work with product managers and engineers to gauge the feasibility of my solutions, receive feedback, iterate on my designs and learn from an amazing community of people.”

Katie, UX Design Intern, Santa Clara

Follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about. Interested in a new career opportunity at McAfee? Explore our careers.

The post What is a McAfee Internship Like? 10 Interns Share Perspectives appeared first on McAfee Blogs.

Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes!

Security is a Feeling. Share it with the McAfee #SecureMyLife RT2Win Sweepstakes!

The word ‘security’ means something unique to everyone. Security is a feeling, an emotion, a sense of belonging and place: It could be the feeling of cuddling as a family in a pillow fort, making sure your house is locked at night, or always having a smartphone in your pocket for directions or an emergency.

Though our digital devices are convenient, they can also be cause for possible security concerns due to overlooked weaknesses. Check out the latest research from the McAfee team for more information.

While all this dazzling technology has its appeal, we here at McAfee understand the importance of creating new security solutions for those who want to live their connected lives with confidence.

In fact, to celebrate the latest innovations, we’re giving two [2] lucky people the chance to win an Amazon gift card. Not a customer? Not a problem!  Simply retweet one of our contest tweets with the required hashtag between August 3rd, 2020 – August 16th 2020 for your chance to win. Follow the instructions below to enter, and good luck!

#RT2Win Sweepstakes Official Rules

  • To enter, find the #RT2Win sweepstakes tweet on @McAfee_Home.
  • Four [4] sweepstakes tweets will be released on the following schedule, including the hashtags #RT2Win #Sweepstakes AND #SecureMyLife:
    • Monday, August 3, 2020 at 9:05AM PST
    • Thursday, August 6, 2020 at 9:05AM PST
    • Monday, August 10, 2020 at 9:05AM PST
    • Thursday, August 13, 2020 at 9:05AM PST
  • Retweet the sweepstakes tweet released on the above date before 11:59PM PST, from your own handle. The #RT2Win, #Sweepstakes AND #SecureMyLife hashtags must be included to be entered.
  • Sweepstakes will end on Sunday, August 16, 2020 at 11:59pm PT. All entries must be made before that date and time.
  • Winners will be notified on Wednesday August 19, 2020 via Twitter direct message.
  • Limit one entry per person.

     1. How to Win:

Retweet one of our contest tweets on @McAfee_Home that include “#RT2Win, #Sweepstakes, and #SecureMyLife” for a chance at an Amazon Gift card. Two [2] winners will be selected by 10:00 AM PT August 19, 2020, for a total of two [2] winners. Winners will be notified by direct message on Twitter. For full Sweepstakes details, please see the Terms and Conditions, below.

McAfee #SecureMyLife RT2Win Sweepstakes Terms and Conditions

     2. How to Enter: 

No purchase necessary. A purchase will not increase your chances of winning. McAfee’s #RT2Win Sweepstakes will be conducted from August 3rd through August 16th. All entries for each day of the #SecureMyLife RT2Win Sweepstakes must be received during the time allotted for the #RT2Win Sweepstakes. Pacific Daylight Time shall control the McAfee RT2Win Sweepstakes. The #SecureMyLife RT2Win Sweepstakes duration is as follows:

#RT2Win   Sweepstakes:

  • Begins: Monday, August 3rd, 2020 at 7:00am PST
  • Ends: Sunday, August 16, 2020 at 11:59 PST
    • Opportunity 1: Monday, August 3, 2020 at 9:05AM PST
    • Opportunity 2: Thursday, August 6, 2020 at 9:05AM PST
    • Opportunity 3: Monday, August 10, 2020 at 9:05AM PST
    • Opportunity 4: Thursday, August 13, 2020 at 9:05AM PST
  • Winners will be announced: by 10:00AM PST August 19, 2020

For the #SecureMyLife RT2Win Sweepstakes, participants must complete the following steps during the time allotted for the #SecureMyLife RT2Win Sweepstakes:

  1. Find the sweepstakes tweet of the day posted on @McAfee_Home which will include the hashtags: #SecureMyLife, #RT2Win and #Sweepstakes.
  2. Retweet the sweepstakes tweet of the day and make sure it includes the #McAfee, #SecureMyLife, #RT2Win and #Sweepstakes hashtags.
    1. Note: Tweets that do not contain the #SecureMyLife, #RT2Win and #Sweepstakes hashtags will not be considered for entry.
  3. Limit one entry per person. 

Two (2) winners will be chosen for the #McAfee #SecureMyLife Sweepstakes tweet from the viable pool of entries that retweeted and included #. McAfee and the McAfee social team will select winners at random from among the viable entries. The winners will be announced and privately messaged on August 19, 2020 on the @McAfee_Home Twitter handle. No other method of entry will be accepted besides Twitter. Only one entry per user is allowed, per Sweepstakes. SWEEPSTAKES IS IN NO WAY SPONSORED, ENDORSED, ADMINISTERED BY, OR ASSOCIATED WITH TWITTER, INC. 

     3. Eligibility: 

McAfee’s #RT2Win Sweepstakes is open to all legal residents of the 50 United States who are 18 years of age or older on the date the #SecureMyLife RT2Win Sweepstakes begins and live in a jurisdiction where this prize and the #SecureMyLife RT2Win Sweepstakes are not prohibited. Employees of Sponsor and its subsidiaries, affiliates, prize suppliers, and advertising and promotional agencies, their immediate families (spouses, parents, children, and siblings and their spouses), and individuals living in the same household as such employees are ineligible.

     4. Winner Selection:

Winners will be selected from the eligible entries received during the days of the #SecureMyLife RT2Win Sweepstakes periods. Sponsor will select the names of two [2] potential winners of the prizes in a random drawing from among all eligible submissions at the address listed below. The odds of winning depend on the number of eligible entries received. By participating, entrants agree to be bound by the Official #SecureMyLife RT2Win Sweepstakes Rules and the decisions of the coordinators, which shall be final and binding in all respects.

     5. Winner Notification:

Each winner will be notified via direct message (“DM”) on Twitter by August 19, 2020. Prize winners may be required to sign an Affidavit of Eligibility and Liability/Publicity Release (where permitted by law) to be returned within ten (10) days of written notification, or the prize may be forfeited and an alternate winner selected. If a prize notification is returned as unclaimed or undeliverable to a potential winner, if the potential winner cannot be reached within twenty four (24) hours from the first DM notification attempt, if the potential winner fails to return the requisite document within the specified time period, or if a potential winner is not in compliance with these Official Rules, then such person shall be disqualified and, at Sponsor’s sole discretion, an alternate winner may be selected for the prize at issue based on the winner selection process described above.

     6. Prizes: 

The prizes for the #SecureMyLife RT2Win Sweepstakes are two [2] $100 Amazon e-gift cards (approximate retail value “ARV” of the prize is $100 USD; the total ARV of all gift cards is $200 USD). Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor. Sponsor will not replace any lost or stolen prizes. Sponsor is not responsible for delays in prize delivery beyond its control. All other expenses and items not specifically mentioned in these Official Rules are not included and are the prize winners’ sole responsibility.

      7. General Conditions: 

Entrants agree that by entering they agree to be bound by these rules. All federal, state, and local taxes, fees, and surcharges on prize packages are the sole responsibility of the prizewinner. Sponsor is not responsible for incorrect or inaccurate entry information, whether caused by any of the equipment or programming associated with or utilized in the #SecureMyLife RT2Win Sweepstakes, or by any technical or human error which may occur in the processing of the #SecureMyLife RT2Win Sweepstakes entries. By entering, participants release and hold harmless Sponsor and its respective parents, subsidiaries, affiliates, directors, officers, employees, attorneys, agents, and representatives from any and all liability for any injuries, loss, claim, action, demand, or damage of any kind arising from or in connection with the #SecureMyLife RT2Win Sweepstakes, any prize won, any misuse or malfunction of any prize awarded, participation in any #SecureMyLife RT2Win Sweepstakes-related activity, or participation in the #SecureMyLife RT2Win Sweepstakes. Except for applicable manufacturer’s standard warranties, the prizes are awarded “AS IS” and WITHOUT WARRANTY OF ANY KIND, express or implied (including any implied warranty of merchantability or fitness for a particular purpose).

If participating in this Sweepstakes via your mobile device (which service may only be available via select devices and participating wireless carriers and is not required to enter), you may be charged for standard data use from your mobile device according to the terms in your wireless service provider’s data plan. Normal airtime and carrier charges and other charges may apply to data use and will be billed on your wireless device bill or deducted from your pre-paid balance. Wireless carrier rates vary, so you should contact your wireless carrier for information on your specific data plan.

      8. Limitations of Liability; Releases:

By entering the Sweepstakes, you release Sponsor and all Released Parties from any liability whatsoever, and waive any and all causes of action, related to any claims, costs, injuries, losses, or damages of any kind arising out of or in connection with the Sweepstakes or delivery, misdelivery, acceptance, possession, use of or inability to use any prize (including claims, costs, injuries, losses and damages related to rights of publicity or privacy, defamation or portrayal in a false light, whether intentional or unintentional), whether under a theory of contract, tort (including negligence), warranty or other theory.

To the fullest extent permitted by applicable law, in no event will the sponsor or the released parties be liable for any special, indirect, incidental, or consequential damages, including loss of use, loss of profits or loss of data, whether in an action in contract, tort (including, negligence) or otherwise, arising out of or in any way connected to your participation in the sweepstakes or use or inability to use any equipment provided for use in the sweepstakes or any prize, even if a released party has been advised of the possibility of such damages.

  1. To the fullest extent permitted by applicable law, in no event will the aggregate liability of the released parties (jointly) arising out of or relating to your participation in the sweepstakes or use of or inability to use any equipment provided for use in the sweepstakes or any prize exceed $10. The limitations set forth in this section will not exclude or limit liability for personal injury or property damage caused by products rented from the sponsor, or for the released parties’ gross negligence, intentional misconduct, or for fraud.

     2. Use of Winner’s Name, Likeness, etc.: Except where prohibited by law, entry into the Sweepstakes constitutes permission to use your name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation (including in a public-facing winner list). As a condition of being awarded any prize, except where prohibited by law, winner may be required to execute a consent to the use of their name, hometown, aural and visual likeness and prize information for advertising, marketing, and promotional purposes without further permission or compensation.

         By entering this sweepstakes, you consent to being contacted by Sponsor for any purpose in connection with this Sweepstakes.

      9. Prize Forfeiture:

If a winner cannot be notified, does not respond to notification, does not meet eligibility requirements, or otherwise does not comply with these #SecureMyLife RT2Win Sweepstakes rules, then the winner will forfeit the prize and an alternate winner will be selected from the remaining eligible entries for each #SecureMyLife RT2Win Sweepstakes.

     10. Dispute Resolution:

Entrants agree that Sponsor has the sole right to determine the winners of the #SecureMyLife RT2Win Sweepstakes and all matters or disputes arising from the #SecureMyLife RT2Win Sweepstakes and that its determination is final and binding. There are no prize substitutions, transfers or cash equivalents permitted except at the sole discretion of Sponsor.

     11. Governing Law & Disputes:

Each entrant agrees that any disputes, claims, and causes of action arising out of or connected with this sweepstakes or any prize awarded will be resolved individually, without resort to any form of class action and these rules will be construed in accordance with the laws, jurisdiction, and venue of New York.

     12. Privacy Notice:

Personal information obtained in connection with this McAfee Day #RT2Win Sweepstakes will be handled in accordance with the policy set forth in the McAfee Privacy Policy.

  1. Winner List; Rules Request: For a copy of the winner list, send a stamped, self-addressed, business-size envelope for arrival after January 10th 2020 and before August 16th 2021 to the address listed below, Attn: #RT2Win Sweepstakes. To obtain a copy of these Official Rules, visit this link or send a stamped, self-addressed business-size envelope to the address listed below, Attn: Consumer Content Marketing. VT residents may omit return postage.
  2. Intellectual Property Notice: McAfee and the McAfee logo are registered trademarks of McAfee, LLC. The Sweepstakes and all accompanying materials are copyright © 2018 by McAfee, LLC. All rights reserved.
  3. Sponsor: McAfee, LLC, Corporate Headquarters 2821 Mission College Blvd. Santa Clara, CA 95054 USA

The post Security is a Feeling- With the McAfee #SecureMyLife RT2Win Sweepstakes! appeared first on McAfee Blogs.

Can Macs get Viruses?

In addition to their ability to work seamlessly with Apple devices, many users prefer Mac computers because of their perceived “inherent” security features. Apple also notifies users of periodic updates to make sure that every generation of Apple product has the most secure software version. And while Apple does go to great lengths to keep its devices safe by making it difficult to download any/all software foreign to its official Apple application store, this does NOT mean your Mac is immune to all computer viruses.

What is a virus?

A virus is any piece of malicious software that invades your computer system, then copies itself. They can also then spread to other systems. This could result in stolen personal information or financial data, corrupted files, or crypto-hijacking. Here are some of the common viruses that infect Apple devices, and some of the best ways to protect your computer from them.


CookieMiner is malware that captures Chrome browser authentication cookies primarily associated with cryptocurrency exchanges. The sophisticated CookieMiner code bypasses strict security protocols of both Apple and cryptocurrency exchanges by stealing information such as passwords, usernames, and other login credential data. It can even capture backed-up data from iTunes accounts that can be used to open cryptocurrency wallets and then steal cryptocurrencies such as Bitcoin, Ethereum, and XRP. Stealing valuable cryptocurrency isn’t enough for CookieMiner hackers, however, as they also use this malware to load cryptocurrency mining software onto MacBooks to mine Koto, a little-known Japanese cryptocurrency.

Besides a significantly lighter cyber wallet, there are some other clues that your Mac may be infected by the CookieMiner virus. As a cryptocurrency miner, CookieMiner uses a significant amount of a CPU’s processing power, and therefore infected Macs will be slow to complete even basic computing tasks. You may also notice that other software applications on your Mac don’t work as well as they should or stop working completely, or your Mac could overheat.

OSX/Dok… Next Generation

OSX/Dok is malware that commandeers data traffic entering and leaving a Mac computer without your knowledge. It reroutes this traffic through a bogus proxy server to then obtain access to all your communications. The malware is able to counter Apple’s security because it’s signed by a legitimate developer certificate that validates its authenticity. Through OSX/Dok, a hacker even has access to data that moves through SSL-TLS encrypted connections such as banking information. This is especially troubling since Apple devices such as iPhones, iPads, and MacBooks are commonly synced to operate together.

While the original version of OSX/Dok was thwarted when Apple disabled its associated developer certificate, later versions have popped up using different developer certificates. Apple devices are vulnerable to this malware mainly when users are duped to download files through email phishing scams. Once the software is installed on your computer, it immediately takes over critical operations. Users then most often see a message that the system has detected a security issue. The malware prompts users to install an update, and it then locks up all operations until the user submits a password to install it. After obtaining the password, the malware then has full administrative privileges to take control of the device.


Crossrider is a variant on the OSX/Shlayer malware and uses a fake Adobe Flash player installer to dump other pieces of malicious code onto your Apple devices. Users mistakenly download the fake installer when they’re sent a message to update Adobe Flash player. If you follow the link, you’ll mistakenly download the fake installer instead of the real update from the Adobe website. The fake installer message will then prompt you to submit your password so that the software can make changes to your system and install the program.

Advanced Mac Cleaner, Chumsearch Safari Extension, and MyShopCoupon+ are some of the items that are installed through the fake Adobe Flash player installer. While MyShopCoupon+ and Chumsearch Safari Extension do cause minor annoyances to users, Advanced Mac Cleaner can cost you much more if you’re not careful. Advanced Mac Cleaner appears to run a security scan of your system and identifies several issues. It then asks the user to pay $107 to activate the program’s clean-up feature.

Macro Viruses… From Microsoft Word

Macro viruses used to be a problem that only PC users faced. Macros are pieces of code that programmers embed within applications to automate routine tasks. The code, which is written in Visual Basic, can be used to hijack applications and do harm when users open popular Microsoft Office products such as Word, Excel, or Project. Visual Basic commands in macros can result in deleted or corrupted files. When you use Word to open an infected file, Word catches the virus and passes it on to every Word document that you subsequently create.

Apple disabled macro support in its early versions of Office for Mac, but it recently allowed macros to be supported in its later versions of both Word and Excel. But Mac users still have some protection against macro viruses since Apple doesn’t allow macros to be automatically enabled by default.


MShelper is a cryptocurrency mining malware that allows a hacker to help himself to your computer’s processing capabilities in order to steal cryptocurrency. Hackers also develop this malware to display advertisements on the screens of popular browsers such as Mozilla, Chrome, and Firefox. Cybersecurity experts contend that MShelper infects computers when users download files of dubious origins. Some signs that your computer has been infected by MShelper include lowered battery life, fast-spinning fans, overheating, and increased noise.

Since crypto mining software takes a great deal of CPU power, it’s not hard to spot if MShelper is on your Mac. Click on the CPU tab under Activity Monitor on your computer. If MShelper has infected your MacBook, it’ll show up at the top of the list of applications with an extremely high CPU usage.


OSX/MaMi is malware that allows hackers to capture sensitive information by redirecting data traffic through malicious servers. Through OSX/MaMi, hackers hijack Domain Name System (DNS) servers and change the DNS settings on your Mac. This malware allows attackers to perform many harmful tasks such as stealing login credentials, uploading and downloading files, and spying on your internet traffic.

While OSX/MaMi is nearly undetectable, experts say that it’s not yet been used to target Mac users on a widespread basis. Victims of this malware encounter it through targeted email phishing scams. A sign that your Mac has been infected by OSX/MaMi is a change in its DNS settings. A MacBook infected with this malware often shows these two addresses: and
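As an added example (not code from the McAfee post), the POSIX shell script below turns the two signs just described into repeatable checks: it compares a Mac’s configured DNS resolvers against an allowlist, as a changed resolver is the sign given for OSX/MaMi, and it lists processes whose CPU usage is above a threshold, the way a miner such as MShelper stands out at the top of Activity Monitor. The allowlist, the “Wi-Fi” service name and the sample captures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the McAfee post. Two triage checks for the signs
# described above: a changed DNS configuration (OSX/MaMi) and a process that
# monopolises the CPU (MShelper). Both functions take their input as text so
# they can run against live command output or a saved capture.

# Constructed sample captures for offline use (not output from a real infection).
# 198.51.100.77 is from the TEST-NET-2 documentation range.
SAMPLE_DNS_MANUAL='1.1.1.1
198.51.100.77'
SAMPLE_DNS_DHCP="There aren't any DNS Servers set on Wi-Fi."
SAMPLE_PS='  PID  %CPU COMM
    1   0.1 /sbin/launchd
  412   2.3 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  987  96.4 /Users/example/Library/mshelper
 1023  14.0 /Applications/Safari.app/Contents/MacOS/Safari'

# check_dns_servers OUTPUT ALLOWLIST
#   OUTPUT    text of `networksetup -getdnsservers <service>`: one resolver per
#             line, or "There aren't any DNS Servers set on ..." when the
#             interface has no manual override and uses DHCP-supplied resolvers
#   ALLOWLIST space-separated resolvers you expect to see
# Prints every resolver not on the allowlist; returns 0 only if none were found.
check_dns_servers() {
    servers="$1"
    allowlist="$2"
    status=0
    case "$servers" in
        "There aren't any DNS Servers set"*) return 0 ;;   # no manual override
    esac
    for s in $servers; do
        found=0
        for a in $allowlist; do
            if [ "$s" = "$a" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected resolver: $s"
            status=1
        fi
    done
    return "$status"
}

# list_cpu_hogs OUTPUT [THRESHOLD]
#   OUTPUT    text of `ps -Ao pid,pcpu,comm`, header line included
#   THRESHOLD whole-percent CPU cut-off (default 80)
# Prints "pid cpu command" for every process at or above the threshold.
list_cpu_hogs() {
    ps_output="$1"
    threshold="${2:-80}"
    printf '%s\n' "$ps_output" | awk -v t="$threshold" '
        NR == 1 { next }                 # skip the PID/%CPU/COMM header
        $2 + 0 >= t { print $1, $2, $3 }
    '
}

# Assumed allowlist: replace with the resolvers your own network hands out.
EXPECTED_RESOLVERS="1.1.1.1 1.0.0.1 192.168.1.1"

# On a Mac, inspect the live system; elsewhere fall back to the sample captures.
if command -v networksetup >/dev/null 2>&1; then
    dns_input=$(networksetup -getdnsservers Wi-Fi)   # "Wi-Fi" is the assumed service name
    ps_input=$(ps -Ao pid,pcpu,comm)
else
    dns_input="$SAMPLE_DNS_MANUAL"
    ps_input="$SAMPLE_PS"
fi

echo "== DNS resolvers =="
if check_dns_servers "$dns_input" "$EXPECTED_RESOLVERS"; then
    echo "all resolvers are on the allowlist"
fi
echo "== processes at or above 80% CPU =="
list_cpu_hogs "$ps_input" 80
```

A resolver that is not on the allowlist is not proof of infection (a VPN client or a new network can change it too), but it is the prompt to look at who or what changed the setting.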

Tips for Safeguarding Macs Against Malware

While Apple does an amazing job of guarding Macs against common security threats, it just can’t stop every determined hacker who looks at its devices as a challenge.

Here are some top tips for shoring up security for your Mac:

  • Avoid opening spam emails and attachments.
  • Don’t download questionable files.
  • Install ad-blocking applications.
  • Create frequent system backups (Time Machine).
  • Install the latest OS and application updates.
  • Manage data.
  • Install a security suite (Antivirus, firewall, browser destination monitoring).
  • Use VPN software when connected to public or untrusted networks.

Stay protected

Subscribing to a comprehensive security suite service is one of the most effective steps that you can take to safeguard your Apple devices, financial information, and privacy while online. McAfee partners with industry, IT experts, and the user community to deliver the most powerful cybersecurity solutions on the market.

Check more information about our latest security products.

The post Can Macs get Viruses? appeared first on McAfee Blogs.

Understanding Trojan Viruses and How to Get Rid of Them

Basic online scenario—You log onto your computer and notice that something’s just not right, but you can’t quite put your finger on it. Something just seems…a bit off. If you’ve found yourself in this situation, or even thinking you are, there’s a real possibility you could have a Trojan virus on your computer.

Trojan viruses can not only steal your most personal information, they also put you at risk for identity theft and other serious cybercrimes. In this post, we’ll examine what Trojan viruses are, and where they come from. We’ll also cover how you can protect yourself and get rid of viruses so you can stay safe and maintain peace of mind online.

What Trojan Viruses Do

Trojan viruses are a type of malware that invade your computer disguised as real, operational programs. Once a trojan is inside your system, it can perform destructive actions before you even know it’s there. Once inside, some trojans sit idly on your computer and wait for further instructions from their host hacker, but others begin their malicious activity right from the start.

Some trojans download additional malware onto your computer and then bypass your security settings while others try to actively disable your antivirus software. Some Trojans hijack your computer and make it part of a criminal DDoS (Distributed Denial of Service) network.

How to Remove a Trojan Virus

Before you discover all the places a Trojan can invade your computer, let’s first learn how to get rid of them. You can remove some Trojans by disabling startup items on your computer which don’t come from trusted sources. For the best results, first reboot your device into safe mode so that the virus can’t stop you from removing it.

Please carefully ensure you know which specific programs you’re removing because you could slow, disable or cripple your system if you remove basic programs your computer needs to function. Installing and using a trusted antivirus solution is also one of the top ways to get rid of trojans. An effective antivirus program searches for valid trust and app behavior, as well as trojan signatures in files in order to detect, isolate and then promptly remove them. In addition to spotting known trojans, the McAfee antivirus program can identify new trojans by detecting suspicious activity inside any and all of your applications.

Where Trojan Viruses Come From

This section takes a closer look at the places you are the most vulnerable to a Trojan virus attack. While all trojans look like normal programs, they need a way to get your attention before you unknowingly install them on your system. Trojan viruses are different from other types of malware because they trick you into installing them yourself. You will think that the Trojan is a game or music file, and the file you download will likely work like normal so that you don’t know it’s a Trojan. But it will also install the harmful virus on your computer in the background. Be careful when you get files from the following sources. Many users install trojans from file-sharing websites and fake email attachments. You can also get attacked from spoofed chat messages, infected websites, hacked networks and more.

File-Sharing Sites

Almost everyone who is at least a little tech savvy occasionally uses file-sharing websites. File-sharing websites include torrent websites and other sites that allow users to share their files, and this concept is appealing for a variety of reasons. First, it allows people to get premium software without paying the retail price. The problem though, is that file-sharing sites are also extremely attractive to hackers who want to find an easy way inside your system.

For example, a hacker uploads a cracked copy of a popular software to a torrent website for free download, then waits for potential victims to instantly download it… but the cracked software has a hidden trojan virus that allows the hacker to control your computer.

Trojan viruses can also come in the popular forms of music files, games and numerous other applications.

Email Attachments

Fake email attachments are another common way people find themselves infected with trojan viruses. For example, a hacker sends you an email with an attachment, hoping you’ll instantly click on it, so that you become infected instantly upon opening it. Many hackers send generic emails to as many people as possible. Others go after specific people or businesses which they’ve targeted.

In targeted cases, a hacker sends a fake email that looks as if it came from someone you know. The email could contain a Word document or something you consider “safe”, but the virus infects your computer the second you open the attachment. The easiest way to protect yourself from this targeted attack is by calling the sender—before opening the attachment—to make sure they’re the one who sent this specific attachment.

Spoofed Messages

A countless number of popular programs and useful applications allow you to chat with others from your desktop. But regardless of whether you use such software for business or personal connections, you are at risk of trojan infection unless you know how to protect yourself.

Hackers “spoof” a message so that it looks like it came from someone you trust. In addition to spoofing, hackers also create similar usernames and hope you don’t notice, or aren’t paying attention to, the slight differences. Like with fake emails, the hacker is sending you a trojan-infected file or application.

Infected Websites

Many hackers target websites instead of individual users. They find weaknesses in unsecured websites which allow them to upload files or, in some cases, even take over the entire website. When this type of site hijacking happens, the hacker can then use the website to redirect you to other sites.

The hacker can compromise the entire website and redirect your downloads to a malicious server that contains the trojan. Using only trusted, well-known websites is one way to reduce your odds of falling into that trap, but a good antivirus program can also help detect infected and hacked sites.

Hacked Wi-Fi Networks

Hacked Wi-Fi networks are also a common source of trojans and other malware. A hacker can create a fake “hotspot” network that looks exactly like the one you’re trying to connect to. When you connect to this fake network by mistake, however, the hacker can then redirect you to fake websites that look so real that even experts have trouble spotting the difference. These fake websites contain browser exploits that redirect any file you try downloading.

Final Thoughts

Trojans can infect your computer and cause enormous problems before you even know what happened. Once a trojan gets onto your system, it can monitor your keyboard, install additional malware and cause a variety of other problems you simply don’t want to face. Luckily, most Trojans are generic and easy to handle if you follow this proven process.

Unverified startup items and suspicious programs can act as gateways for trojans to install harmful code in your computer and other devices. If you notice any new programs running on your system that you did not install, it could be a trojan. Try removing the program and restarting your computer to see if your computer’s performance improves.

Remove Trojans by taking the following steps:

Removing Trojans is a great way to safeguard your computer and privacy, but you must also take steps to avoid them in the future:

  • Set up cloud accounts using email addresses that offer account recovery support, such as accounts from ISPs or paid services.
  • In the case of Apple, you can request assistance to help recover an account (Gmail and/or Yahoo accounts can’t be recovered as they can’t confirm ownership).
  • Use VPNs on Public Wi-Fi
  • Call the Sender Before Opening Email Attachments
  • Use an Antivirus Solution With Real-Time Protection

Stay protected

The cyberthreat landscape is always changing and evolving. Hackers are always looking for new ways to break into computers and servers, so you must stay updated on the latest threats, and using a proven antivirus solution is always a smart bet. These steps will not only safeguard your devices, they’ll also give you peace of mind while online.

The post Understanding Trojan Viruses and How to Get Rid of Them appeared first on McAfee Blogs.

How to Wipe Out a Computer Virus

While some of these malicious programs are little more than a nuisance, many others can effectively steal your most personal, private and sensitive information. In this article, you’ll learn some of the signs that you may have a computer virus, and you’ll learn tips for effectively removing them.

What is a computer virus?

First off, computer viruses can take many different forms. In general terms, these viral programs are any unwanted bit of code designed for the purpose of invading and disrupting your computer. But much like a biological virus, computer viruses invade, replicate themselves, and then try to get into other systems. Some viruses may only affect your internet browser. Others are even more harmful. The rootkit virus type, however, digs deep into the internal controls of your system. Trojan viruses sneak onto your device disguised as programs that seem legitimate.

Signs of a Virus

A sudden slowdown may be the first sign that you have a virus, and you may notice that programs which used to load quickly take longer and longer to load. You may also receive multiple error messages about programs becoming unresponsive. In this case, the virus is using the processing power of your own computer system, and consequently other programs are having trouble running at the same time.

Some viruses and malware only affect certain parts of your system. For example, you could discover that the home page of your browser has changed without your knowledge. You may also have trouble logging onto antivirus and antimalware sites, or if/when a virus gets into your email program, you may start to hear from your contacts about strange emails coming from your computer.

How does a virus get on your computer?

Computer viruses have been around for about as long as personal computers, and virus programmers understand that human error is always the easiest way to install a virus. Therefore, while strong antivirus programs can effectively prevent most computerized threats, they cannot stop a user from clicking the wrong link or installing compromised software on their own system. When you download programs or data from an unfamiliar site, remember that you may also be unknowingly accepting a viral program onto your system. Links in malicious emails can also start an automatic download.

And new viruses come online all the time. The experts at McAfee are constantly learning about new malicious programs and then developing solutions. If however, you do not regularly update your virus definitions, a harmful program may still be able to sneak by your defensive software.

Removing a Computer Virus

Removing a computer virus manually is a complex process. Viruses may install themselves in several different parts of your system. If you do not completely eliminate the program, it may also reinstall itself at the next system reboot. In some cases, viruses play nasty tricks like invading the registry of a Windows system. Removing the wrong line in this database can then cause the entire system to fail. The easiest way to remove viruses is by using an antivirus program designed to clean your system safely. If a virus is already on your computer, however, you may need to run this program under very specific conditions.

Remove New Programs

If you’re lucky, the virus may just be sitting in a program you recently installed. On both Windows and Mac, you will want to uninstall recent apps and then remove new browser extensions. If you remove these programs and your computer promptly runs smoothly, you can breathe a sigh of relief. Of course you should still run a virus scan to make certain that your system is clean. You will also want to restart the computer to determine whether the malicious program reinstalls itself. If malicious messages pop up from the same program again, it points to a deeper infection.

Removing a Virus from a Windows Computer

On Windows computers, the virus removal process begins by booting the computer in Safe mode. In this mode, your computer starts with only essential programs running. This prevents a viral program from starting up and blocking your antivirus scans. In older versions of Windows, you can access this mode by pressing the F8 key during the startup process.

In Windows 10, the process of opening in Safe mode is slightly more involved:

  1. Press the Windows button and click on Settings.
  2. Go to Update & Security and choose Recovery.
  3. Choose Restart Now under Advanced Startup.
    Your system will restart, but a new option screen will appear.
  4. Choose Troubleshoot.
  5. Go to Advanced Options and choose Startup Settings.
  6. Choose Enable Safe Mode.

Once your system restarts in safe mode, you will be able to run an on-demand viral scan. Because the number of viruses is always increasing, you may find it helpful to run several different scanning programs to catch any newer virus. It is important to use antiviral programs from reputable vendors so that you do not make the problem worse.

You should also follow these best practices:

• Back up your critical data
• Clean up temporary files and cached content
• Uninstall any/all applications no longer in use
• Update the OS and remaining applications
• Check startup apps and disable unneeded apps
• Run the MMC (see above)
• Run a full scan of the system

Removing a Virus from a Mac

For Mac computers, entering Safe mode is an even simpler process.

All you need to do is hold the Shift key while the system boots up. If you’ve done this properly, you will see a “Safe Boot” message (Apple support content HT201262) on the login window. From there, you’ll run your virus removal programs and clean your system. For both Windows computers and Macs, you will want to run your virus scan multiple times to ensure that the system is clean.

Seek Professional Help

If you’ve gone through this process but are still struggling with a virus, you may need to call in a professional to clean your computer. For example, with McAfee Virus Removal Service, a security expert can remove stubborn viruses from your computer using a remote connection.

Avoiding Computer Viruses

The easiest way to remove computer viruses from your life is to avoid them in the first place.

It is vitally important to keep your system secure by following these safe best practices:

• Maintain backups of your data
• Clean up temporary files and cached content
• Uninstall applications no longer used
• Update the OS and remaining applications
• Check startup apps and disable unneeded apps
• Verify your security subscription status
• Confirm your security software is up to date
• Use trusted sources: do not download software from a source you do not recognize, and do not run unsolicited programs

And always Surf Safely using these tips:

• Use the WebAdvisor browser extension.
• Use VPN software while using untrusted networks.
• Use a password manager.
• Refrain from using the same usernames and passwords across web pages, especially financial or shopping sites.
• Set up cloud accounts using email addresses that offer account recovery support, such as accounts from ISPs or paid services.
• With Apple, you can request account recovery assistance (Gmail or yahoo accounts can’t be recovered as they can’t confirm ownership).

Stay Protected

Professional security software is always a smart long-term investment in your computer system. You can keep both your data and identity safe while maintaining system performance. With the right program running in the background, your system will be ready to handle any and all of the threats inside your digital world.

The post How to Wipe Out a Computer Virus appeared first on McAfee Blogs.

Is Your Smart Home Vulnerable to a Hack Attack?

Your smart home device creates a computer network which can function as your incredibly convenient garage door opener, appliance manager, lighting designer, In-House DJ, and even security system supervisor, among many other selected duties. Yet cybersecurity experts frequently caution that this ultra-convenient home network provided through your smart devices may be vulnerable to malicious hackers looking to gain access to your home, and your most private information. In addition, the considers hacking of your smart devices as a backdoor to your most important information.

So while this is certainly an unfortunately real possibility, taking the time to use a few tips in this article can go a long way to stopping hackers before they start, and keeping your smart home devices safe and secure.

Can smart home devices be hacked?

The short answer is, unfortunately, yes. Along with the widespread popularity of smart home devices, a recent trend in hackers using IoT technology to spy on businesses, launch attacks, and deliver malware to your home network is a modern reality that users need to be fully aware of when setting up their smart home systems.

What can I expect if my smart devices get hacked?

With a physical home break-in, alert neighbors may notice and call the police, but a hacker has the advantage of working in secret. With access to your private information, savvy hackers may be able to steal sensitive information, or — in a worst-case scenario — commit identity theft that can cause financial fallout. When you consider the array of smart toys and gadgets that provide electronic entertainment, education, communication and convenience for your family, you may also discover a number of vulnerabilities that hackers can exploit to break into your home.

Where do the biggest home threats exist?

Because of their 24/7 potential access, smart devices which you run continuously—thermostat, lighting, security, et al. — may pose more risk than those which you only use on occasion. Your home office computer and router are likely the most vulnerable to attack, but your living room and bedroom may also contain any number of smart gadgets that a sharp hacker may attempt to exploit as well. Your smart TV, tablet, cell phones, alarm clocks, watches, sleep monitors and streaming gadgets can also make your bedroom a relatively open opportunity for hackers.

Both your living room and kitchen—smart TV’s, tablets, refrigerators, coffee machines, ovens, etc. — also offer connections which are easy to ignore when it comes to cybersecurity. And when assessing potential threats, do not neglect your children’s playroom with its smart toys, tablets or baby monitors. Be sharp and consider that any smart device can offer an opening.

Does hacking pose a severe threat?

Short answer? It does. The potential risk should reasonably grab your attention when you understand that all your smart devices have a direct connection to your smartphone, or even the internet. Awareness of this situation should sharpen your understanding of exactly how much effort goes into hacking attempts to break into the interconnected network that links your smart devices.

Does a password protect my smart devices from hacking?

The Cybersecurity and Infrastructure Security Agency (CISA) offers specific guidelines on the best ways to protect your identity and possessions from the intrusive and persistent efforts of hackers. The guidelines apply to devices that connect to each other and to the internet, providing stringent guidance.

As a savvy computer user, you probably know that each device has a factory default password. What you may not know, however, is that you must change this default password. Always take the time to change default passwords, and make sure to create long, unique passwords that can best defeat any efforts to crack them.

What are some practical things I can do to secure my smart devices?

Remember that while it may take some extra effort to create a second Wi-Fi network dedicated to your smart devices, this effort will provide significant benefits. You can help confine any network intrusions to a separate network that does not have access to your bank, or private, sensitive financial information. And these simple steps can also make a significant difference in protecting your smart home systems:

  • Thoroughly research the device brand, then choose one that has a proven security track record.
  • Keep the product software up-to-date. Always set your device to auto-update if possible so you always run the latest, safest software.
  • Most every device will come with a factory default password. Remember to take the time to go in and create a long and unique password for each device.
  • Choose the privacy settings that you’re comfortable with, instead of the blanket permissions that come with the devices.
  • Unplug any/every smart gadget when not in use.
  • Install cloud-integrated antivirus software for your router that protects every electronic device in your home.

Stay protected

When you actively participate in creating your home’s security profile, you take ownership that generates interest, knowledge, and ultimately, security. Stay a step ahead by staying informed, and your smart home can remain a smart choice!

The post Is Your Smart Home Vulnerable to a Hack Attack? appeared first on McAfee Blogs.

Announcing Veracode Security Labs Community Edition

We recently partnered with Enterprise Strategy Group (ESG) to survey software development and security professionals about modern application development and how applications are tested for security. The soon-to-be-announced survey found that 53% of organizations provide security training for developers less than once a year, which is woefully inadequate for the rapid pace of change in software development. At the same time, 41% say that it’s up to security analysts to educate developers to try to prevent them from introducing significant security issues. So, where’s the disconnect?

Communication breakdowns and misaligned training priorities between security and development teams are part of the problem. As developers are being asked to “Shift Left” to take on more responsibility for secure code earlier in the software development lifecycle, it’s increasingly important for developers to get the training they need to not just create world-class applications, but ones that have security designed in from the beginning.

Enterprise-grade tools for all developers

Veracode Security Labs Enterprise Edition is perfect for engineering teams, but we wanted every individual developer to have access to the same quality of training, from casual hobbyists to professionals interested in improving their secure coding skills. I’m excited to announce Veracode Security Labs Community Edition, where developers worldwide can hack and patch real applications to learn the latest tactics and security best practices with guidance while exploring actual code on their own time; and it’s free!

With Veracode Security Labs Community Edition, you now have the tools you need to close any gaps in security knowledge that are holding you back. It’s a module that fits within the Veracode Developer Training product family, featuring tools and robust programs built with interactivity in mind so that developers can get their hands on a practical training tool at a moment’s notice.

Here are the differences between the Community Edition and Enterprise Edition:

Security Labs Editions

While the Enterprise Edition has features that support the efforts of development teams with full compliance-based curricula, rollout strategies, and progress reporting, the Community Edition offers selected topics and one-off labs for individuals who are looking to strengthen their security knowledge. Though there are differences that enable scalability for organizations and teams, the benefits for individual developers remain the same:

  • The ability to exploit and remediate real-world vulnerabilities to learn what to look for in insecure code.
  • Fast and relevant remediation guidance in the context of the most popular programming languages.
  • Easy and fun hands-on training that provides professional growth.
  • Improved security knowledge while building confidence through interactive trial and error.

When you practice breaking and fixing real applications using real vulnerabilities, you become a sharper, more efficient developer, especially with a variety of challenges to choose from as you go. We plan to expand the number of labs and challenges over time but initially, the Community Edition will cover topics ranging from beginner to advanced, including:

  • Common ReactJS pitfalls
  • Bash terminal usage
  • HTTP header injection
  • Replay attacks
  • Mass assignment flaws

How it works

Choose a lab to get started.

Community Edition Labs

Access the live terminal session to connect to a containerized environment where the vulnerable application is running.


Use the code editor to find the vulnerability and patch it.

Code Editor

When it comes to closing gaps and realigning priorities, education is key, but it isn’t one-size-fits-all. Whether you want to enroll your entire team of developers into a customizable training program or you’re looking into developer education as a pathway for individual growth, Veracode Security Labs helps level the playing field by ensuring everyone is on the same page about critical security issues in software development.

Get started with Veracode Security Labs Community Edition today. Sign up here.

Webcast: Atomic Purple Team Framework and Life Cycle

Jordan Drysdale & Kent Ickler // Jordan and Kent are back again to continue strengthening organizations’ information security human capital (That’s all you folks!). Organization Leadership and Security Practitioners can gain understanding on the potential designed-to-fail Purple Teams initiatives never reached their full potential. The Duo reviews how systemic organizational career pathing created an insoluble […]

The post Webcast: Atomic Purple Team Framework and Life Cycle appeared first on Black Hills Information Security.

Operation (노스 스타) North Star A Job Offer That’s Too Good to be True?

Executive Summary

We are in the midst of an economic slump [1], with more candidates than there are jobs, something that has been leveraged by malicious actors to lure unwitting victims into opening documents laden with malware. While the prevalence of attacks during this unprecedented time has been largely carried out by low-level fraudsters, the more capable threat actors have also used this crisis as an opportunity to hide in plain sight.

One such example is a campaign that McAfee Advanced Threat Research (ATR) observed as an increase in malicious cyber activity targeting the Aerospace & Defense industry. In this 2020 campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors to be used as lures, in a very targeted fashion. These malicious documents were intended to be sent to victims in order to install a data gathering implant. The victimology of these campaigns is not clear at this time, however based on the job descriptions, they appear to be targeting people with skills and experience relating to the content in the lure documents. The campaign appears to be similar to activity reported elsewhere by the industry, however upon further analysis the implants and lure documents in this campaign are distinctly different [2], thus we can conclude this research is part of a different activity set. This campaign is utilizing compromised infrastructure from multiple European countries to host its command and control infrastructure and distribute implants to the victims it targets.

This type of campaign has appeared before in 2017 and 2019 using similar methods with the goal of gathering intelligence surrounding key military and defense technologies [3]. The 2017 campaign also used lure documents with job postings from leading defense contractors; this operation was targeting individuals employed by defense contractors used in the lures. Based on some of the insight gained from spear phishing emails, the mission of that campaign was to gather data around certain projects being developed by their employers.

The Techniques, Tactics and Procedures (TTPs) of the 2020 activity are very similar to those previous campaigns operating under the same modus operandi that we observed in 2017 and 2019. From our analysis, this appears a continuation of the 2019 campaign, given numerous similarities observed. These similarities are present in both the Visual Basic code used to execute the implant and some of the core functionality that exists between the 2019 and 2020 implants.

Thus, the indicators from the 2020 campaign point to previous activity from 2017 and 2019 that was previously attributed to the threat actor group known as Hidden Cobra [4]. Hidden Cobra is an umbrella term used to refer to threat groups attributed to North Korea by the U.S. Government [1]. Hidden Cobra consists of threat activity from groups the industry labels as Lazarus, Kimsuky, KONNI and APT37. The cyber offensive programs attributed to these groups, targeting organizations around the world, have been documented for years. Their goals have ranged from gathering data around military technologies to cryptocurrency theft from leading exchanges.

Our analysis indicates that one of the purposes of the activity in 2020 was to install data gathering implants on victims’ machines. These DLL implants were intended to gather basic information from the victims’ machines with the purpose of victim identification. The data collected from the target machine could be useful in classifying the value of the target. McAfee ATR noticed several different types of implants were used by the adversary in the 2020 campaigns.

These campaigns impact the security of South Korea and foreign nations with malicious cyber campaigns. In this blog McAfee ATR analyzes multiple campaigns conducted in the first part of 2020.

Finally, we see the adversary expanding the false job recruitment campaign to other sectors outside of defense and aerospace, such as a document masquerading as a finance position for a leading animation studio.

In this blog we will cover:

Target of Interest – Defense & Aerospace Campaign

This is not the first time that we have observed threat actors using the defense and aerospace industry as lures in malicious documents. In 2017 and 2019, there were efforts to send malicious documents to targets that contained job postings for positions at leading defense contractors [3].

The objective of these campaigns was to gather information on specific programs and technologies. Like the 2017 campaign, the 2020 campaign also utilized legitimate job postings from several leading defense and aerospace organizations. In the 2020 campaign that McAfee ATR observed, some of the same defense contractors from the 2017 operation were again used as lures in malicious documents.

This new activity noted in 2020 uses similar Techniques, Tactics and Procedures (TTPs) to those seen in a 2017 campaign that targeted individuals in the Defense Industrial Base (DIB). The 2017 activity was included in an indictment by the US government and attributed to the Hidden Cobra threat group [4].

Attack Overview


Phase One: Initial Contact

This recent campaign used malicious documents to install malware on the targeted system using a template injection attack. This technique allows a weaponized document to download an external Word template containing macros that will be executed. This is a known trick used to bypass static malicious document analysis, as well as detection, as the macros are embedded in the downloaded template.

Further, these malicious Word documents contained content related to legitimate jobs at these leading defense contractors. All three organizations have active defense contracts of varying size and scope with the US government.

The timeline for these documents, that were sent to an unknown number of targets, ran between 31 March and 18 May 2020.

Document creation timeline

Malign documents were the main entry point for introducing malicious code into the victim’s environment. These documents contained job descriptions from defense, aerospace and other sectors as a lure. The objective would be to send these documents to a victim’s email with the intention they open, view and ultimately execute the payload.

As we mentioned, the adversary used a technique called template injection. When a document carries the .docx extension, as in our case, we are dealing with the Office Open XML standard. A .docx file is a zip file containing multiple parts. Using the template injection technique, the adversary places a link to the template file in one of the .XML files; for example, the link is in settings.xml.rels while the external oleObject load is in document.xml.rels. The link will load a template file (DOTM) from a remote server. This is a clever technique we observe being used by multiple adversaries [5] and is intended to make a document appear to be clean initially, only to subsequently load malware. Some of these template files are renamed as JPEG files when hosted on a remote server to avoid any suspicion and bypass detection. These template files contain Visual Basic macro code that will load a DLL implant onto the victim’s system. Current McAfee technologies protect against this threat.

We mentioned earlier that docx files (like xlsx and pptx) are part of the OOXML standard. The document defining this standard [6] describes the syntax and values that can be used, with examples. An interesting file to look at is the ‘settings.xml’ file that can be discovered in the ‘Word’ container of the docx zip file. This file contains settings with regards to language, markup and more. First, we extracted all the data from the settings.xml files and started to compare. All the documents below contained the same language values:


The XML file ends with a GUID value that starts with the value “w15”.

Example: w15:val="{932E534D-8C12-4996-B261-816995D50C69}"/></w:settings>

According to the Microsoft documentation, w15 defines the PersistentDocumentId Class. When the object is serialized out as xml, its qualified name is w15:docId. The 128-bit GUID is set as an ST_Guid attribute which, according to the Microsoft documentation, refers to a unique token. The used class generates a GUID for use as the DocID and generates the associated key. The client stores the GUID in that structure and persists in the doc file. If, for example, we would create a document and would “Save As”, the w15:docId GUID would persist across to the newly created document. What would that mean for our list above? Documents with the same GUID value need to be placed in chronological order and then we can state the earliest document is the root for the rest, for example:

What we can say from the above table is that ‘_IFG_536R.docx’ was the first document we observed and that later documents with the same docID value were created from the same base document.

To add to this assertion; in the settings.xml file the value “rsid” (Revision Identifier for Style Definition) can be found. According to Microsoft’s documentation: “This element specifies a unique four-digit number which shall be used to determine the editing session in which this style definition was last modified. This value shall follow this following constraint: All document elements which specify the same rsid* values shall correspond to changes made during the same editing session. An editing session is defined as the period of editing which takes place between any two subsequent save actions.”

Let’s start with the rsid element values from “*_IFG_536R.docx”:

And compare with the rsid element values from “*_PMS.docx”:

The rsid elements are identical for the first four editing sessions for both documents. This indicates that these documents, although they are now separate, originated from the same document.

Digging into more values and metadata (we are aware they can be manipulated), we created the following overview in chronological order based on the creation date:

When we zoom in on the DocID “932E534d(..) we read the value of a template file in the XML code: “Single spaced (blank).dotx” – this template name seems to be used by multiple “Author” names. The revision number indicates the possible changes in the document.

Note: the documents in the table with “No DocID” were the “dotm” files containing the macros/payload.

All files were created with Word 2016 and had both the English and Korean languages installed. This analysis into the metadata indicates that there is a high confidence that the malicious documents were created from a common root document.
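The two checks described above (the external template link in the .docx relationship parts, and the w15:docId and rsid values in settings.xml) can be automated. The following triage script is an added example, not McAfee ATR's tooling: it lists External relationships in the word/_rels/ parts, flags remotely attached templates, and extracts the docId GUID and the ordered rsid values so documents derived from one root can be grouped. The sample documents are constructed in memory; the docId is the one quoted above, while the rsid values and the template URL are placeholders, not campaign indicators.

```python
"""Added triage example (not McAfee ATR's tooling) for .docx files:
external template relationships (template injection) and the
w15:docId / rsid metadata used above to relate documents to a root.
The sample documents are constructed here; the rsid values and the
template URL are placeholders, not campaign indicators."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W15_NS = "http://schemas.microsoft.com/office/word/2012/wordml"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def external_relationships(docx_bytes):
    """(part, relationship type, target) for every External relationship in
    the word/_rels/ parts, i.e. settings.xml.rels and document.xml.rels."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if name.startswith("word/_rels/") and name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode", "Internal") == "External":
                        found.append((name, rel.get("Type"), rel.get("Target")))
    return found


def remote_template_targets(docx_bytes):
    """URLs of remotely attached templates: a clean-looking document with one
    of these fetches a .dotm (possibly renamed to .jpg) when it is opened."""
    return [target for _, rtype, target in external_relationships(docx_bytes)
            if rtype == ATTACHED_TEMPLATE]


def settings_fingerprint(docx_bytes):
    """docId GUID and the w:rsid values, in file order, from word/settings.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/settings.xml"))
    doc_id = root.find(f"{{{W15_NS}}}docId")
    return {
        "docId": None if doc_id is None else doc_id.get(f"{{{W15_NS}}}val"),
        "rsids": [r.get(f"{{{W_NS}}}val") for r in root.iter(f"{{{W_NS}}}rsid")],
    }


def shared_editing_sessions(fp_a, fp_b):
    """Length of the common leading run of rsid values; each value marks one
    editing session, so a shared prefix points to a shared ancestor document."""
    n = 0
    for a, b in zip(fp_a["rsids"], fp_b["rsids"]):
        if a != b:
            break
        n += 1
    return n


def build_docx(doc_id, rsids, template_url=None):
    """Construct a minimal .docx with placeholder content for the demonstration."""
    settings = (f'<w:settings xmlns:w="{W_NS}" xmlns:w15="{W15_NS}"><w:rsids>'
                + "".join(f'<w:rsid w:val="{r}"/>' for r in rsids) + "</w:rsids>"
                + (f'<w15:docId w15:val="{{{doc_id}}}"/>' if doc_id else "")
                + "</w:settings>")
    rels = f'<Relationships xmlns="{REL_NS}">'
    if template_url:  # the template-injection link lives in settings.xml.rels
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target="{template_url}" TargetMode="External"/>')
    rels += "</Relationships>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed samples: A and B share the root document and its first four
# editing sessions; C is unrelated and carries no remote template.
ROOT_ID = "932E534D-8C12-4996-B261-816995D50C69"  # docId quoted in the analysis
DOC_A = build_docx(ROOT_ID, ["00A1", "00A2", "00A3", "00A4", "00B5"],
                   "https://template-host.example/placeholder-template.jpg")
DOC_B = build_docx(ROOT_ID, ["00A1", "00A2", "00A3", "00A4", "00C6", "00C7"],
                   "https://template-host.example/placeholder-template.dotm")
DOC_C = build_docx("0A0A0A0A-0000-0000-0000-000000000000", ["00F1", "00F2"])

if __name__ == "__main__":
    for label, doc in (("A", DOC_A), ("B", DOC_B), ("C", DOC_C)):
        print(label, remote_template_targets(doc), settings_fingerprint(doc)["docId"])
    print("A/B shared sessions:", shared_editing_sessions(
        settings_fingerprint(DOC_A), settings_fingerprint(DOC_B)))
```

Run against real samples, read each file's bytes and pass them to `remote_template_targets` and `settings_fingerprint`; any External attachedTemplate target in a document received by mail is worth a look, and a shared docId plus a shared rsid prefix is the metadata overlap the table above relies on (remembering, as noted, that both can be manipulated).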

Document Templates

There were several documents flagged as non-malicious discovered during our investigation. At first glance they did not seem important or related at all, but deeper investigation revealed how they were connected. These documents played a role in building the final malicious documents that ultimately got sent to the victims. Further analysis of these documents, based on metadata information, indicated that they contained relationships to the primary documents created by the adversary.

Two PDF files (***_SPE_LEOS and ***_HPC_SE) with aerospace & defense industry themed images, created via the Microsoft Print to PDF service, were submitted along with ***_ECS_EPM.docx. The naming convention of these PDF files was very similar to the malicious documents used. The name includes abbreviations for positions at the defense contractor much like the malicious documents. The Microsoft Print to PDF service enables content from a Microsoft Word document be printed to PDF directly. In this case these two PDF files were generated from an original Microsoft Word document with the author ‘HOME’. The author ‘HOME’ appeared in multiple malicious documents containing job descriptions related to aerospace, defense and the entertainment industry. The PDFs were discovered in an archive file indicating that LinkedIn may have been a possible vector utilized by the adversaries to target victims. This is a similar vector as to what has been observed in a campaign reported by industry[7], however as mentioned earlier the research covered in this blog is part of a different activity set.

Metadata from PDF file submitted with ***_ECS_EPM.docx in archive with context fake LinkedIn

Visual Basic Macro Code

Digging into the remote template files reveals some additional insight concerning the structure of the macro code. The second stage remote document template files contain Visual Basic macro code designed to extract a double base64 encoded DLL implant. The content is all encoded in UserForm1 in the remote DOTM file that is extracted by the macro code.

Macro code (17.dotm) for extracting embedded DLL

Further, the code will also extract the embedded decoy document (a clean document containing the job description) to display to the victim.

Code (17.dotm) to extract clean decoy document

Macro code (******_dds_log.jpg) executed upon auto execution

Phase Two: Dropping Malicious DLLs

The adversary used malicious DLL files, delivered through stage 2 malicious documents, to spy on targets. Those malicious documents were designed to drop DLL implants on the victim’s machine to collect initial intelligence. In this campaign the adversary was utilizing patched SQLite DLLs to gather basic information from its targets. These DLLs were modified to include malicious code to be executed on the victim’s machine when they’re invoked under certain circumstances. The purpose of these DLLs is/was to gather machine information from infected victims that could be used to further identify more interesting targets.

The first stage document sent to targeted victims contained an embedded link that downloaded the remote document template.

Embedded link contained within Word/_rels/settings.xml.rels

The DOTM (Office template filetype) files are responsible for loading the patched DLLs onto the victim’s machine to collect and gather data. These DOTM files are created with DLL files encoded directly into the structure of the file. These DOTM files exist on remote servers compromised by the adversary; the first stage document contains an embedded link that refers to the location of this file. When the victim opens the document, the remote DOTM file, which contains Visual Basic macro code to load the malicious DLLs, is loaded. Based on our analysis, these DLLs were first seen on 20 April 2020 and, to our knowledge based on age and prevalence data, these implants have been customized for this attack.

The workflow of the attack can be represented by the following image:

To identify the malicious DLLs that will load or download the final implant, we extracted the following DLL files from the Office files found in the triage phase:

SHA256                                                             Original file name   Compile date
(hash not present in the extracted page)                           wsuser.db            4/24/2020
(hash not present in the extracted page)                           unknown              4/24/2020
(hash not present in the extracted page)                           onenote.db           4/01/2020
48b8486979973656a15ca902b7bb973ee5cde9a59e2f3da53c86102d48d7dad8   onenote.db           4/01/2020
(hash not present in the extracted page)                           wsuser.db            4/24/2020

These DLL files are patched versions of goodware libraries, like the SQLITE library found in our analysis, and are loaded via a VBScript contained within the DOTM files that loads a double Base64 encoded DLL as described in this analysis. The DLL is encoded in UserForm1 (contained within the Microsoft Word macro) and the primary macro code is responsible for extracting and decoding the DLL implant.

DOTM Document Structure

Implant DLLs encoded in UserForm1

From our analysis, we could verify how the DLLs used in the third stage were legitimate software with a malicious implant inside that would be enabled every time a specific function was called with a set of parameters.

Analyzing the sample statically, it was possible to extract the legitimate software used to store the implant; for example, one of the DLL files extracted from the DOTM files was a patched SQLITE library. If we compare the original library with the extracted DLL, we can spot a lot of similarities across the two samples:

Legitimate library to the left, malicious library to the right

As mentioned, the patched DLL and the original SQLITE library share a lot of code:

Both DLLs share a lot of code internally

The first DLL stage needs certain parameters in order to be enabled and launched in the system. The macro code of the Office files we analyzed, contained part of these parameters:

Information found in the pcode of the document

The data found in the VBA macro had the following details:

  • 32-bit keys that mimic a Windows SID
    • The first parameter belongs to the decryption key used to start the malicious activity.
    • This could be chosen by the author to make the value more realistic
  • Campaign ID

DLL Workflow

The analysis of the DLL extracted from the ‘docm’ files (the 2nd stage of the infection) revealed the existence of two types of operation for these DLLs:

DLL direct execution:

  • The DLL unpacks a new payload in the system.

Drive-by DLLs:

  • The DLL downloads a new DLL implant from a remote server delivering an additional DLL payload into the system.

For both methods, the implant starts collecting the target information and then contacts the command and control (C2) server.

We focused our analysis into the DLLs files that are unpacked into the system.

Implant Analysis

The DLL implant will be executed after the user interacts by opening the Office file. As we explained, the p-code of the VBA macro contains parts of the parameters needed to execute the implant into the system.

The new DLL implant file will be unpacked (depending on the campaign ID) into a folder under the AppData folder of the user running the document:


The DLL file, must be launched with 5 different parameters if we want to observe the malicious connection within the C2 domain; in our analysis we observed how the DLL was launched with the following command line:

C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Microsoft\Notice\wsdts.db", sqlite3_steps S-6-81-3811-75432205-060098-6872 0 0 61 1

The required parameters to launch the malicious implant are:

Parameter  Description
1          Decryption key
2          Unused value, hardcoded in the DLL
3          Unused value, hardcoded in the DLL
4          Campaign identifier
5          Unused value, hardcoded in the DLL


As explained above, the implants are patched SQLite files, which is why we could find additional functions used to launch the malicious implant when the binary is executed with certain parameters. The DLL must be invoked through the specific export ‘sqlite3_steps’ together with the parameters listed above.

Analyzing the code statically, we could observe that the payload only checks two of these five parameters, but all of them must be present in order to execute the implant:

sqlite malicious function
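The launch syntax above gives a defender three concrete things to look for in process-creation telemetry: rundll32 loading a module whose extension is not a library (here a .db file), the module sitting under the user’s AppData folder, and arguments shaped like a SID but with a revision other than 1 (every real Windows SID begins with S-1-). The Python triage routine below is added here as an example and is not part of McAfee’s analysis or tooling. It parses rundll32 command lines and applies those three checks. The sample command lines are constructed: only the first mirrors the launch described above, and the other paths and SID values are invented.

```python
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed process-creation command lines, not real telemetry. The first mirrors the
# rundll32 invocation described above; the others are benign controls and a near miss
# (a well-formed SID passed to a DLL under Program Files).
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\System32\rundll32.exe "C:\Users\user\AppData\Local\Microsoft\Notice\wsdts.db", sqlite3_steps S-6-81-3811-75432205-060098-6872 0 0 61 1',
    r'C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl',
    r'C:\Windows\System32\rundll32.exe "C:\Program Files\Vendor\plugin.dll",RunEntry S-1-5-21-1004336348-1177238915-682003330-1001',
    r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\user\Documents\report.docx"',
]

# Extensions rundll32 normally loads. Anything else (.db, .jpg, .dat ...) deserves a look.
LIBRARY_EXTENSIONS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# Shape of a Windows SID: S-<revision>-<authority>-<subauthority>... Real SIDs always use revision 1.
SID_LIKE = re.compile(r"^S-(\d+)-\d+(?:-\d+)+$")


@dataclass
class Rundll32Call:
    module: str
    export: Optional[str]
    args: List[str]
    findings: List[str] = field(default_factory=list)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Minimal Windows-style tokenizer: whitespace separates arguments, double quotes group."""
    tokens, current, in_quotes = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_rundll32(cmdline: str) -> Optional[Rundll32Call]:
    """Split 'rundll32 <module>,<export> <args...>' into its parts; None if not a rundll32 launch."""
    tokens = split_windows_cmdline(cmdline)
    if not tokens or not tokens[0].lower().endswith("rundll32.exe"):
        return None
    # rundll32 separates module and export with a comma, which may be glued to either side.
    module, comma, rest = " ".join(tokens[1:]).partition(",")
    rest_tokens = rest.split()
    export = rest_tokens[0] if comma and rest_tokens else None
    args = rest_tokens[1:] if export else []
    return Rundll32Call(module=module.strip(), export=export, args=args)


def triage(cmdline: str) -> Optional[Rundll32Call]:
    """Apply the three heuristics suggested by the implant's launch syntax and record findings."""
    call = parse_rundll32(cmdline)
    if call is None:
        return None
    ext = PureWindowsPath(call.module).suffix.lower()
    if ext not in LIBRARY_EXTENSIONS:
        call.findings.append(f"module has non-library extension {ext or '(none)'}")
    if "\\appdata\\" in call.module.lower():
        call.findings.append("module loaded from a user-writable AppData path")
    for arg in call.args:
        m = SID_LIKE.match(arg)
        if m and m.group(1) != "1":
            call.findings.append(f"SID-like argument {arg} has revision {m.group(1)}; real SIDs start with S-1-")
    return call


def suspicious_rundll32(cmdlines: List[str]) -> List[Rundll32Call]:
    """Return only the rundll32 launches that triggered at least one finding."""
    results = (triage(c) for c in cmdlines)
    return [r for r in results if r is not None and r.findings]


if __name__ == "__main__":
    for hit in suspicious_rundll32(SAMPLE_COMMAND_LINES):
        print(hit.module, hit.export, len(hit.args), "args")
        for finding in hit.findings:
            print("  -", finding)
```

The same checks apply to the target stored in the persistence LNK described later, since it carries the same rundll32 command line. None of the three heuristics alone is conclusive (legitimate installers load DLLs from AppData, and the SID test only catches values that imitate a SID badly), which is why the routine reports every finding rather than a single verdict.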

Phase Three: Network Evasion Techniques

Attackers always try to remain undetected during their intrusions, which is why it is common to observe techniques such as mimicking the User-Agent already present on the system. Reusing the User-Agent string from the victim’s web browser configuration, for example, helps keep network-based detection systems from flagging the outgoing traffic as suspicious. In this case, we observed how the attacker obtained the User-Agent through the Windows API ObtainUserAgentString and used that value to connect to the command and control server:

If the implant cannot obtain the User-Agent from the system, it falls back to a default Mozilla User-Agent string instead:

Running the sample dynamically and intercepting the TLS traffic, we could see the connection to the command and control server:

Unfortunately, during our analysis the C2 was not active, which limited further analysis.

The data sent to the C2 channel contains the following information:

Parameter          Description
C2                 C2 configured for that campaign
ned                Campaign identifier
key 1              AES key used to communicate with the C2
key 2              AES key used to communicate with the C2
sample identifier  Sample identifier sent to the C2 server
gl                 Size value sent to the C2 server
hl                 Unknown parameter, always set to 0

We found at least five different campaign IDs in our analysis, which suggests that the analysis in this document is merely the tip of the iceberg:

DOTM file                              Campaign ID
61.dotm                                0
17.dotm                                17
43.dotm                                43
83878C91171338902E0FE0FB97A8C47A.dotm  204
******_dds_log                         100

Phase Four: Persistence

In our analysis we observed how the adversary ensures persistence by dropping an LNK file into the Startup folder.

The value of this persistent LNK file is hardcoded inside every sample:

At runtime, the LNK is written to the Startup folder through the Windows APIs NtCreateFile and NtWriteFile. The LNK file contains the path to execute the DLL with the required parameters.

Additional Lures: Relationship to 2020 Diplomatic and Political Campaign

Further investigation into the 2020 campaign activity revealed additional links indicating that the adversary was using domestic South Korean politics as lures. The adversary created several documents in the Korean language using the same techniques as those seen in the defense industry lures. One notable document, titled “US-ROK Relations and Diplomatic Security” in both Korean and English, appeared on 6 April 2020 with the document author JangSY.

US-ROK Relation and Diplomatic Security

The document was hosted on the file sharing site hxxps:// and contained an embedded link referring to a remote DOTM file hosted on another file sharing site. The BASE64 coded value MzBfMjA1Njc0ODhf in that link is a unique identifier for the user associated with the file sharing platform.

A related document discovered with the title test.docx indicated that the adversary began testing these documents in early April 2020. This document contained the same content as the one above but was designed to test the download of the remote template file by hosting it on a private IP address. The document that used pubmaterial.dotm as its remote template also made requests to the URL hxxp://

This domain is connected to numerous other Korean language malicious documents that also appeared in 2020, including documents related to political or diplomatic relations. One such document (81249fe1b8869241374966335fd912c3e0e64827) used the 21st National Assembly Election as part of its title, potentially indicating that those interested in South Korean politics were a target. Another document (16d421807502a0b2429160e0bd960fa57f37efc4) used the name of an individual, director Jae-chun Lee, and shared the same metadata.

According to the embedded metadata, the original author of these documents was listed as Seong Jin Lee. However, the last modification author (Robot Karll) used by the adversary during template creation is unique to this set of malicious documents. Further, the political lures pertaining to South Korean domestic policy suggest that the targets of these documents also spoke Korean.

Relationship to 2019 Falsified Job Recruitment Campaign

A short-lived campaign from 2019 that used India’s aerospace industry as a lure appears to have used very similar methods to this latest campaign, which uses the defense industry as a lure in 2020. Some of the TTPs from the 2020 campaign match those of the late 2019 operation. The 2019 activity has also been attributed to Hidden Cobra by industry reporting.

The campaign from October 2019 also used aerospace and defense as a lure, using copies of legitimate job postings just as we observed in the 2020 campaign. However, that campaign was isolated to the Indian defense sector and, to our knowledge, did not expand beyond it. The document contained a job posting for a leading aeronautics company in India focused on aerospace and defense systems. This targeting aligns with the 2020 operation, and our analysis reveals that the DLLs used in this campaign were also modified SQLite DLLs.

Based on our analysis, several variants of the implant were created in the October 2019 timeframe, indicating the possibility of additional malicious documents.

SHA1                                      Compile date  File name
f3847f5de342632f8f9e2901f16b7127472493ae  10/12/2019    MFC_dll.DLL
659c854bbdefe692ee8c52761e7a8c7ee35aa56c  10/12/2019    MFC_dll.DLL
35577959f79966b01f520e2f0283969155b8f8d7  10/12/2019    MFC_dll.DLL
975ae81997e6cd8c8a3901308d33c868f23e638f  10/12/2019    MFC_dll.DLL


One notable difference in the 2019 campaign is that the main malicious document itself contained the implant payload, unlike the 2020 campaign, which relied on the Microsoft Office remote template injection technique. Even though the delivery technique differs, we observed likenesses as we dissected the remote template document. There are key similarities within the VBA code embedded in the documents. Below is a side-by-side comparison of the 2019 (left) and 2020 (right) versions of two essential functions within the VBA code that extracts, drops and executes the payload; they closely match each other.

VBA code of 13c47e19182454efa60890656244ee11c76b4904 (left) and acefc63a2ddbbf24157fc102c6a11d6f27cc777d (right)

The VBA macro drops the first payload, thumbnail.db, at a file path that resembles the one used in 2020.

The VBA code also passes the decryption key to the DLL payload, thumbnail.db. Below you can see the code within thumbnail.db accepting those parameters.

Unpacked thumbnail.db bff1d06b9ef381166de55959d73ff93b

What is interesting is the structure in which this information is passed: in this 2019 sample it is identical to what we documented for the 2020 campaign.

Another resemblance is the location of the .dll implant, which sits in exactly the same place in both the 2019 and 2020 samples: the “o” field under “UserForms1”.

“o” field of 13c47e19182454efa60890656244ee11c76b4904

All 2020 .dotm IoCs contain the same .dll implant within the “o” field under “UserForms1”; to avoid overwhelming this write-up with separate screenshots, only one sample is depicted below. Here you can see the parallel between the 2019 and 2020 “o” sections.

“o” field of acefc63a2ddbbf24157fc102c6a11d6f27cc777d

Another similarity is the double base64 encoding, though in the spirit of competing hypotheses we want to note that other adversaries may also use this type of encoding. However, when these similarities are coupled with the same lure of an Indian defense contractor, the pendulum leans more toward a possible common author behind both campaigns. This may indicate another technique being added to the adversary’s arsenal of attack vectors.

One method to keep a campaign dynamic and harder to detect is hosting the implant code remotely. Embedding an implant within the document sent to a victim has a disadvantage: the implant code could be detected before the document even reaches the victim’s inbox. Hosting it remotely allows the implant to be swapped out for new capabilities without running the risk of the document itself being classified as malicious.

**-HAL-MANAGER.doc UserForm1 with double base64 encoded DLL

17.DOTM UserForm1 with double base64 encoded DLL from ******_DSS_SE.docx

According to a code similarity analysis, the implant embedded in **-HAL-Manager.doc shares some similarities with the implants from the 2020 campaign. However, we believe the implant used in the 2019 campaign associated with **-Hal-Manager.doc may be a different component. Besides the evident similarities in the Visual Basic macro code and the encoding method (double base64), there are some functional-level similarities: the DLL is executed with a similar set of parameters.

DLL execution code **-Hal-Manager.doc implant

DLL execution code 2020 implant
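The double base64 layering discussed above is easy to unwind once you know what the inner payload should look like: decode, check for an MZ/PE header, and decode again if it is not there yet. The Python example below is added here as an illustration and is not code from the original post or from McAfee. It builds a constructed PE-like stub rather than a real DLL, encodes it the way the macros store the implant in the “o” stream, and peels the layers back off, stopping when the data stops being base64 or when a PE image appears. The stub header, the layer count and the line width used for wrapping are all assumptions for the demonstration.

```python
import base64
import binascii
import re
from typing import Optional, Tuple


def fake_pe() -> bytes:
    """Constructed stand-in for a DLL: an MZ header whose e_lfanew points at a PE signature."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew -> PE signature at 0x40
    header[0x40:0x44] = b"PE\x00\x00"
    return bytes(header) + bytes(64)


def encode_layers(data: bytes, layers: int = 2) -> str:
    """Apply base64 `layers` times; layers=2 is the double base64 seen in the documents."""
    out = data
    for _ in range(layers):
        out = base64.b64encode(out)
    return out.decode("ascii")


def wrap(text: str, width: int = 64) -> str:
    """Break a blob into fixed-width lines, as a macro built from concatenated string literals stores it."""
    return "\n".join(text[i:i + width] for i in range(0, len(text), width))


def looks_like_pe(data: bytes) -> bool:
    """Cheap PE check: 'MZ' magic plus a 'PE\\0\\0' signature where e_lfanew says it is."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def peel_base64(blob: str, max_layers: int = 4) -> Tuple[int, Optional[bytes]]:
    """Strip base64 layers until the result is a PE image.

    Returns (layers_removed, payload) on success, or (layers_decoded_so_far, None) when the
    data stops being valid base64 or no PE appears within max_layers.
    """
    current = blob.encode("ascii", errors="ignore")
    for layer in range(1, max_layers + 1):
        compact = re.sub(rb"\s+", b"", current)  # drop the line breaks the macro inserted
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            return layer - 1, None
        if looks_like_pe(decoded):
            return layer, decoded
        current = decoded
    return max_layers, None


if __name__ == "__main__":
    layers, payload = peel_base64(wrap(encode_layers(fake_pe())))
    print(f"removed {layers} base64 layer(s); PE recovered: {payload is not None}")
```

Stopping on the first PE header rather than on a fixed layer count means the same routine handles single, double or deeper encodings, and the `validate=True` decode keeps it from silently producing garbage from text that merely resembles base64.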

Campaign Context: Victimology

The victimology is not exactly known due to the lack of spear phishing emails uncovered; however, we can gain some insight from telemetry and from the context of the lure documents. The lure documents contained job descriptions for engineering and project management positions related to active defense contracts. The individuals receiving these documents in a targeted spear phishing campaign were likely to have an interest in the content of the lures, as we have observed in previous campaigns, as well as some knowledge of or relationship to the defense industry.

Infrastructure Insights

Our analysis of the 2019 and 2020 campaigns reveals some interesting insight into the command and control infrastructure behind them, including domains hosted in Italy and the United States. During our investigation we observed a pattern of using legitimate domains to host command and control code. This benefits the adversary because most organizations do not block trusted websites, which allows the potential bypass of security controls. The adversary took the effort to compromise the domains prior to launching the actual campaign. Further, both the 2019 and 2020 job recruitment campaigns shared the same command and control server hosted at

The domain, with its various sub-domains, has been used by Hidden Cobra in 2020. The domains identified in various 2020 operations that fall under this domain are:


Some of these campaigns use similar methods as the 2020 defense industry campaign:

  • Malicious document with the title European External Action Service [8]
  • Document with the Korean language title 비건 미국무부 부장관 서신doc (Correspondence from U.S. Deputy Secretary of State Biegun 20200302.doc).

Techniques, Tactics and Procedures (TTPS)

The TTPs of this campaign align with those of previous Hidden Cobra operations from 2017 that used the same defense contractors as lures. The 2017 campaign also used malicious Microsoft Word documents containing job postings related to certain technologies, such as engineering and project management positions involving aerospace and military surveillance programs. These job descriptions are legitimate and taken directly from the defense contractors’ websites. The exploitation method used in the 2020 campaign relies upon remote Office template injection, a technique that we have recently seen state actors use.

It is not uncommon to use tools such as EvilClippy to manipulate the behavior of Microsoft Office documents. Threat actors can use pre-built kits to manipulate clean documents and embed malicious elements, which saves time and effort and produces a consistent format that can be reused throughout campaigns. As a result, we observed consistency in how some of the malicious elements are embedded into the documents (i.e. the double base64 encoded payload). Mapping these techniques onto the MITRE ATT&CK framework lets us visualize the different techniques the adversary used against their victims.

MITRE ATT&CK mapping for malicious documents

These Microsoft Office templates are hosted on a command and control server, and the download link is embedded in the first-stage malicious document.
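Remote template injection leaves a footprint a scanner can read directly: the .docx is a zip package, and the attached template is declared in word/_rels/settings.xml.rels as a Relationship of type .../attachedTemplate. The Python example below is added here and is not taken from the original post or from any McAfee product. It builds constructed .docx packages in memory and scans their .rels parts for an attached template that would be fetched over the network. The host names and paths (attacker.example, 192.0.2.10) are placeholders; the 17.dotm and pubmaterial.dotm file names are reused from the analysis above only as names. One caveat the check has to handle: Word records a locally attached template (Normal.dotm) as an External relationship with a file:/// target, so TargetMode alone does not separate the legitimate case from injection.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
REMOTE_SCHEMES = {"http", "https", "ftp"}

# Bare minimum of parts so the zip resembles an OOXML package (constructed test data).
MINIMAL_PARTS = {
    "[Content_Types].xml": '<?xml version="1.0" encoding="UTF-8"?>'
                           '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
    "word/document.xml": '<?xml version="1.0" encoding="UTF-8"?>'
                         '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                         '<w:body/></w:document>',
}


def build_docx(parts: Dict[str, str]) -> bytes:
    """Zip a dict of part name -> XML text into an in-memory .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def docx_with_template(target: str, external: bool = True) -> bytes:
    """Constructed .docx whose settings.xml declares an attached template pointing at `target`."""
    parts = dict(MINIMAL_PARTS)
    parts["word/settings.xml"] = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:attachedTemplate r:id="rId1"/></w:settings>'
    )
    mode = ' TargetMode="External"' if external else ""
    parts["word/_rels/settings.xml.rels"] = (
        f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    return build_docx(parts)


def is_remote_target(target: str) -> bool:
    """True for targets fetched over the network: http(s)/ftp URLs or UNC paths (\\\\server\\share)."""
    if target.startswith("\\\\"):
        return True
    return urlsplit(target).scheme.lower() in REMOTE_SCHEMES


def find_remote_templates(docx_bytes: bytes) -> List[str]:
    """Return remote attachedTemplate targets declared in any .rels part of the package."""
    hits: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(".rels"):
                continue
            # ElementTree does not resolve external entities; still prefer defusedxml in production.
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                target = rel.get("Target", "")
                # A local Normal.dotm is also External but uses file:///, so check the scheme too.
                if rel.get("TargetMode", "Internal").lower() == "external" and is_remote_target(target):
                    hits.append(target)
    return hits


if __name__ == "__main__":
    sample = docx_with_template("http://attacker.example/17.dotm")  # placeholder host
    print(find_remote_templates(sample))
```

Scanning every .rels part rather than only settings.xml.rels matters because the same relationship type can be attached from other parts, and because mail gateways see the .docx before Word ever resolves the link, which is exactly where this check belongs.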

The job postings from these lure documents are positions for work with specific US defense programs and groups:

  • F-22 Fighter Jet Program
  • Defense, Space and Security (DSS)
  • Photovoltaics for space solar cells
  • Aeronautics Integrated Fighter Group
  • Military aircraft modernization programs

Like previous operations, the adversary is using these lures to target individuals, likely posing as a recruiter or someone involved in recruitment. Some of the job postings we have observed:

  • Senior Design Engineer
  • System Engineer

Professional networks such as LinkedIn could be a place used to deliver these types of job descriptions.

Defensive Architecture Recommendations

Defeating the tactics, techniques and procedures utilized in this campaign requires a defense in depth security architecture that can prevent or detect the attack in the early stages. The key controls in this case would include the following:

  1. Threat Intelligence Research and Response Program. It’s critical to keep up with the latest adversary campaigns targeting your specific vertical. A robust threat response process can then ensure that controls are adapted to the TTPs and, in this case, create heightened awareness.
  2. Security Awareness and Readiness Program. The attackers leveraged spear phishing with well-crafted lures that would be very difficult for protective technology to detect initially. Well-trained and ready users, informed with the latest threat intelligence on adversary activity, are the first line of defense.
  3. End User Device Security. Adaptable endpoint security is critical to stopping this type of attack early, especially for users working from home and not behind the enterprise web proxy or other layered defensive capability. Stopping or detecting the first two stages of infection requires an endpoint security capability that can identify file-less malware, particularly malicious Office documents and persistence techniques that leverage Startup folder modification.
  4. Web Proxy. A secure web gateway is an essential part of enterprise security architecture and, in this scenario, can restrict access to malicious web sites and block access to the command and control sites.
  5. Sec Ops – Endpoint Detection and Response (EDR) can be used to detect the techniques most likely used in stages 1, 2 or 4. Additionally, EDR can be used to search for the initial documents and other indicators provided through threat analysis.

For further information on how McAfee Endpoint Protection and EDR can prevent or detect some of the techniques used in this campaign, especially use of malicious Office documents, please refer to these previous blogs and webinar:

Indicators of Compromise

SHA256                                                            File Name
322aa22163954ff3ff017014e357b756942a2a762f1c55455c83fd594e844fdd  ******_DSS_SE.docx
a3eca35d14b0e020444186a5faaba5997994a47af08580521f808b1bb83d6063  ******_PMS.docx
d1e2a9367338d185ef477acc4d91ad45f5e6a7d11936c3eb4be463ae0b119185  ***_JD_2020.docx
ecbe46ca324096fd5e35729f39fa3bda9226bbefd6286d53e61b1be56a36de5b  ***_2020_JD_SDE.docx
40fbac7a241bea412734134394ca81c0090698cf0689f2b67c54aa66b7e04670  83878C91171338902E0FE0FB97A8C47A.dotm
6a3446b8a47f0ab4f536015218b22653fff8b18c595fbc5b0c09d857eba7c7a1  ******_AERO_GS.docx
df5536c254a5d9ac626dbff7525de8301729807433d377db807ce3d8bc7c3ffe  **_IFG_536R.docx
1b0c82e71a53300c969da61b085c8ce623202722cf3fa2d79160dac16642303f  43.dotm
d7ef8935437d61c975feb2bd826d018373df099047c33ad7305585774a272625  17.dotm
49724ee7a6baf421ac5a2a3c93d32e796e2a33d7d75bbfc02239fc9f4e3a41e0  Senior_Design_Engineer.docx
66e5371c3da7dc9a80fb4c0fabfa23a30d82650c434eec86a95b6e239eccab88  61.dotm
7933716892e0d6053057f5f2df0ccadf5b06dc739fea79ee533dd0cec98ca971  ******_spectrolab.docx
43b6b0af744124da5147aba81a98bc7188718d5d205acf929affab016407d592  ***_ECS_EPM.docx
70f66e3131cfbda4d2b82ce9325fed79e1b3c7186bdbb5478f8cbd49b965a120  ******_dds_log.jpg
adcdbec0b92da0a39377f5ab95ffe9b6da9682faaa210abcaaa5bd51c827a9e1  21 국회의원 선거 관련.docx
dbbdcc944c4bf4baea92d1c1108e055a7ba119e97ed97f7459278f1491721d02  외교문서 관련(이재춘국장).docx

In summary, ATR has been tracking a targeted campaign focusing on the aerospace and defense industries using false job descriptions. Based on shared TTPs, this campaign looks very similar to a campaign that occurred in 2017 and also targeted some of the same industries. This campaign began in early April 2020, with the latest activity in mid-June. The campaign’s objective is to collect information from individuals connected to the industries in the job descriptions.

Additionally, our forensic research into the malicious documents shows they were created by the same adversary, using Korean and English language systems. Further, the discovery of legitimate template files used to build these documents also sheds light on some of the initial research put into the development of this campaign. While McAfee ATR has observed these techniques before, in previous campaigns in 2017 and 2019 using the same TTPs, we can conclude there has been an increase in activity in 2020.

McAfee detects these threats as:

  • Trojan-FRVP!2373982CDABA
  • Generic Dropper.aou
  • Trojan-FSGY!3C6009D4D7B2
  • Trojan-FRVP!CEE70135CBB1
  • W97M/Downloader.cxu
  • Trojan-FRVP!63178C414AF9
  • Trojan-FRVP!AF83AD63D2E3
  • RDN/Generic Downloader.x
  • W97M/Downloader.bjp
  • W97M/MacroLess.y

NSP customers will have new signatures added under the “HTTP: Microsoft Office OLE Arbitrary Code Execution Vulnerability (CVE-2017-0199)” attack name. The updated attack is part of our latest NSP sigset, released on 28 July 2020. The KB details can be found here: KB55446






[5] – Gamaredon Group




The post Operation (노스 스타) North Star A Job Offer That’s Too Good to be True? appeared first on McAfee Blogs.

McAfee Defender’s Blog: Operation North Star Campaign

Building Adaptable Security Architecture Against the Operation North Star Campaign

Operation North Star Overview

Over the last few months, we have seen attackers take advantage of the pandemic as cover to launch cyberattacks. One such example is the increase in malicious cyber activity targeting the Aerospace & Defense industry observed by McAfee Advanced Threat Research (ATR). In this campaign McAfee ATR discovered a series of malicious documents containing job postings taken from leading defense contractors, used as lures in a very targeted fashion. This type of campaign has appeared before, in 2017 and 2019, using similar techniques, but the 2020 campaign has some distinct differences in implants, infrastructure and spear phishing lures. For a more detailed analysis of this campaign please see the McAfee ATR blog.

This blog is focused on how to build an adaptable security architecture to increase your resilience against these types of attacks and specifically, how McAfee’s portfolio delivers the capability to prevent, detect and respond against the tactics and techniques used in the Operation North Star campaign.

Gathering Intelligence on Operation North Star

As always, building an adaptable defensive architecture starts with intelligence. In most organizations, the Security Operations team is responsible for threat intelligence analysis as well as threat and incident response. McAfee Insights is a useful tool for the threat intel analyst and threat responder: the Insights Dashboard identifies the prevalence and severity of emerging threats across the globe, which enables the Security Operations Center (SOC) to prioritize threat response actions and gather the cyber threat intelligence (CTI) associated with a threat, in this case the Operation North Star campaign. The CTI is provided in the form of technical Indicators of Compromise (IOCs) as well as MITRE ATT&CK framework tactics and techniques. As a threat intel analyst or responder, you can drill down into Operation North Star for more specific information, such as prevalence and links to other sources, and for actionable intelligence such as indicators of compromise and tactics and techniques aligned to the MITRE ATT&CK framework.

From the McAfee ATR blog, you can see that Operation North Star leverages tactics and techniques common to other APT campaigns, such as spear phishing for Initial Access, exploited system tools and signed binaries, modification of Registry Keys/Startup folder for persistence and encoded traffic for command and control.

Defensive Architecture Overview

Today’s digital enterprise is a hybrid environment of on-premise systems and cloud services with multiple entry points for attacks like Operation North Star. The work from home operating model forced by COVID-19 has only expanded the attack surface and increased the risk of successful spear phishing attacks where organizations did not adapt their security posture and increase training for remote workers. Mitigating the risk of attacks like Operation North Star requires a security architecture with the right controls on the device, on the network and in security operations (sec ops). The Center for Internet Security (CIS) Top 20 Critical Security Controls provide a good guide to building that architecture. The following outlines the key security controls needed at each layer of the architecture to protect your enterprise against Operation North Star tactics and techniques.

Initial Access Stage Defensive Overview

According to Threat Intelligence and Research, initial access is performed either through vulnerability exploitation or spear phishing attachments. As attackers can quickly change spear phishing attachments or link locations, it is important to have layered defenses that include user awareness training and response procedures, intelligence and behavior-based malware defenses on email systems, web proxies and endpoints, and finally sec ops playbooks for early detection and response to suspicious email attachments or other phishing techniques. The following chart summarizes the controls expected to have the most effect against initial stage techniques and the McAfee solutions that implement those controls where possible.

The same controls and capabilities apply to each of the three initial access techniques:

MITRE Tactic: Initial Access
MITRE Techniques: Spearphishing Attachment (T1566.001); Spearphishing Link (T1566.002); Spearphishing via Service (T1566.003)
CSC Controls: CSC 7 – Email and Web Browser Protection; CSC 8 – Malware Defenses; CSC 17 – User Awareness
McAfee Capability: Endpoint Security Platform 10.7 (Threat Prevention, Adaptive Threat Protection); Web Gateway (MWG); Advanced Threat Defense; Web Gateway Cloud Service (WGCS)

For additional information on how McAfee can protect against suspicious email attachments, review this additional blog post.

Exploitation Stage Defensive Overview

The exploitation stage is where the attacker gains access to the target system. Protection against Operation North Star at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, restriction of application execution, and security operations tools like endpoint detection and response sensors.

McAfee Endpoint Security 10.7 provides a defense in depth capability including signatures and threat intelligence to cover known bad indicators or programs, as well as machine-learning and behavior-based protection to reduce the attack surface against Operation North Star and detect new exploitation attack techniques. This attack leverages weaponized documents with links to external template files on a remote server. McAfee Threat Prevention and Adaptive Threat Protection modules protect against these techniques.

Additionally, MVISION EDR provides proactive detection capability for the Execution and Defense Evasion techniques identified in the exploit stage analysis. Please read further to see MVISION EDR in action against Operation North Star.

The following chart summarizes the critical security controls expected to have the most effect against exploitation stage techniques and the McAfee solutions to implement those controls where possible.

Execution – User Execution (T1204)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses; CSC 17 Security Awareness
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), Web Gateway and Network Security Platform

Execution – Command and Scripting Interpreter (T1059)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR

Execution – Shared Modules (T1129)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC)

Persistence – Boot or Logon Autostart Execution (T1547)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, MVISION EDR

Defense Evasion – Template Injection (T1221)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR

Defense Evasion – Signed Binary Proxy Execution (T1218)
  CSC Controls: CSC 4 Control Admin Privileges; CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control, MVISION EDR

Defense Evasion – Obfuscated Files or Information (T1027)
  CSC Controls: CSC 5 Secure Configuration; CSC 8 Malware Defenses
  McAfee Portfolio Mitigation: Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR

For more information on how McAfee Endpoint Security 10.7 can prevent some of the techniques used in the Operation North Star exploit stage, review this additional blog post.

Impact Stage Defensive Overview

The impact stage is where the attacker acts on the compromised system: in this campaign, discovering account, system and user information and communicating with the command and control server over an encrypted channel, and perhaps moving laterally to other systems on the network. Protection at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, network controls, and security operations’ capability to monitor logs for anomalies in privileged access or network traffic. The following chart summarizes the controls expected to have the most effect against impact stage techniques and the McAfee solutions that implement those controls where possible.

Discovery – Account Discovery (T1087)
  CSC Controls: CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis
  McAfee Portfolio Mitigation: MVISION EDR, MVISION Cloud, Cloud Workload Protection

Discovery – System Information Discovery (T1082)
  CSC Controls: CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis
  McAfee Portfolio Mitigation: MVISION EDR, MVISION Cloud, Cloud Workload Protection

Discovery – System Owner/User Discovery (T1033)
  CSC Controls: CSC 4 Control Use of Admin Privileges; CSC 5 Secure Configuration; CSC 6 Log Analysis
  McAfee Portfolio Mitigation: MVISION EDR, MVISION Cloud, Cloud Workload Protection

Command and Control – Encrypted Channel (T1573)
  CSC Controls: CSC 8 Malware Defenses; CSC 12 Boundary Defenses
  McAfee Portfolio Mitigation: Web Gateway, Network Security Platform

Hunting for Operation North Star Indicators

As a threat intel analyst or hunter, you might want to quickly scan your systems for any indicators you received on Operation North Star. Of course, you can do that manually by downloading a list of indicators and searching with available tools. However, if you have MVISION EDR and Insights, you can do that right from the console, saving precious time. Hunting the attacker can be a game of inches so every second counts. Of course, if you found infected systems or systems with indicators, you can take action to contain and start an investigation for incident response immediately from the MVISION EDR console.

Proactively Detecting Operation North Star Techniques

Many of the exploit stage techniques in this attack use legitimate Windows processes and applications either to exploit the system or to avoid detection. We demonstrated above how the Endpoint Protection Platform can disrupt the weaponized documents, but by using MVISION EDR you can get more visibility. As security analysts, we want to focus on suspicious techniques used by winword.exe, since this attack leverages weaponized documents. On MVISION EDR we got the first threat detection on the monitoring dashboard for WINWORD.EXE at Medium Risk.

The dashboard also provides a detailed look at the process activity which, in this case, is the attempt to perform the template injection.


We also received 2 alerts due to the rundll32 usage:

  1. Loaded non-common file with specified parameters via rundll32 utility
  2. Suspicious process would have been cleaned by Endpoint Protection (in observe mode)

Monitoring or Reporting on Operation North Star Events

Events from McAfee Endpoint Protection and Web Gateway play a key role in Lazarus (Hidden Cobra) incident and threat response. McAfee ePO centralizes event collection from all managed endpoint systems. As a threat responder, you may want to create a dashboard for Lazarus-related threat events to understand current exposure. Here is a non-exhaustive list of Lazarus-related threat events as reported by the McAfee Endpoint Protection Platform (Threat Prevention module) with On-Access Scan and Global Threat Intelligence enabled, and by McAfee Web Gateway with Global Threat Intelligence enabled.

McAfee Endpoint Threat Prevention Events

  • Generic
  • Generic Dropper.aou
  • RDN/Generic PWS.y
  • W97M/Downloader.cxz
  • Trojan-FRVP!2373982CDABA
  • Trojan-FRVP!AF83AD63D2E3
  • W97M/Downloader.bjp
  • Trojan-FSGY!3C6009D4D7B2
  • W97M/MacroLess.y
  • Trojan-FRVP!CEE70135CBB1
  • Artemis!9FD35BAD075C
  • W97M/Downloader.cxu
  • RDN/Generic.dx
  • Trojan-FRVP!63178C414AF9
  • Artemis!0493F4062899
  • Artemis!25B37C971FD7

McAfee Web Gateway Events

  • Generic
  • W97M/Downloader.cxz
  • RDN/Generic PWS.y
  • BehavesLike.Downloader.dc
  • Trojan-FRVP!2373982CDABA
  • W97M/MacroLess.y
  • Trojan-FSGY!3C6009D4D7B2
  • BehavesLike.Win32.Dropper.hc
  • Artemis


To defeat targeted threat campaigns, defenders must collaborate internally and externally to build an adaptive security architecture which will make it harder for threat actors to succeed and build resilience in the business. This blog highlights how to use McAfee’s security solutions to prevent, detect and respond to Operation North Star and attackers using similar techniques.

McAfee ATR is actively monitoring this campaign and will continue to update McAfee Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? Check out McAfee Insights for more information.

The post McAfee Defender’s Blog: Operation North Star Campaign appeared first on McAfee Blogs.

How to Keep Your Data Safe From the Latest Phishing Scam

As users, we’ll do just about anything to ensure that our devices run as efficiently as possible. This includes renewing subscriptions to online services we use daily. However, cybercriminals often take advantage of these tendencies as part of their malicious schemes. We saw this in action this week, as TechRepublic recounted two recent phishing attacks impersonating a software subscription company and using a “subscription renewal” scam to trap unsuspecting users into giving up their personal and financial information.

How These Phishing Scams Work

These sneaky phishing scams all begin with an email sent to the victim’s inbox containing fraudulent links. The first one is hosted on a fake web domain, which is registered by the website builder Wix – meaning just about anyone could have created the illicit link. The scammer sends out an email telling the user that the software has an updated brand name and that they should renew their subscription to the platform by a certain due date. The email contains a link that says, “Click to Renew,” taking the victim to a submission form requesting sensitive information, including their name, address, and credit card number.

Then there’s the second but similar campaign, which also warns the recipient that their subscription has expired and needs to be renewed by a certain date. However, the link contained in this phishing email is to an actual PayPal page that prompts them to enter their payment details. This sneaky tactic is likely to trip up unsuspecting users since the real subscription service does accept PayPal. However, the payment page on a user’s real account page would not redirect them to the PayPal site, as this phishing scam does.

Protect Your Personal Data

In both schemes, the scammers attempt to harvest either the victims’ software subscription credentials or PayPal credentials by stating that the victim must renew before a specific date. Hackers tend to trick consumers by creating a sense of urgency, as tech-savvy users like you and I consider device software to be an essential part of our everyday lives. Luckily, there are steps that we can take to continue to live our lives free from worry. To avoid the digital drama that comes with phishing scams, follow these tips:

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service.

Be cautious of emails asking you to act

If you receive an email or text asking you to take a certain action or download software, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from downloading malicious content from phishing links.

Hover over links to see and verify the URL

If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Keep Your Data Safe From the Latest Phishing Scam appeared first on McAfee Blogs.

‘Ghostwriter’ Influence Campaign: Unknown Actors Leverage Website Compromises and Fabricated Content to Push Narratives Aligned With Russian Security Interests

Mandiant Threat Intelligence has tied together several information operations that we assess with moderate confidence comprise part of a broader influence campaign—ongoing since at least March 2017—aligned with Russian security interests. The operations have primarily targeted audiences in Lithuania, Latvia, and Poland with narratives critical of the North Atlantic Treaty Organization’s (NATO) presence in Eastern Europe, occasionally leveraging other themes such as anti-U.S. and COVID-19-related narratives as part of this broader anti-NATO agenda. We have dubbed this campaign “Ghostwriter.”

Many, though not all of the incidents we suspect to be part of the Ghostwriter campaign, appear to have leveraged website compromises or spoofed email accounts to disseminate fabricated content, including falsified news articles, quotes, correspondence and other documents designed to appear as coming from military officials and political figures in the target countries.

This falsified content has been referenced as source material in articles and op-eds authored by at least 14 inauthentic personas posing as locals, journalists and analysts within those countries. These articles and op-eds, primarily written in English, have been consistently published to a core set of third-party websites that appear to accept user-submitted content, most notably,, and the pro-Russian site, among others, as well as to suspected Ghostwriter-affiliated blogs.

Some of these incidents and personas have received public attention from researchers, foreign news outlets, or government entities in Lithuania and Poland, but have not been tied to a broader activity set. Others have received little attention and remain relatively obscure. Mandiant Threat Intelligence has independently discovered several Ghostwriter personas and identified additional incidents involving some of those personas previously exposed.

We believe the assets and operations discussed in this report are for the first time being collectively tied together and assessed to comprise part of a larger, concerted and ongoing influence campaign.

Read the report today to learn more.

How To Keep Your Mac Secure Even If You Use Public Wi-Fi

Taking a moment to bolster your Mac security is always a smart move. It becomes absolutely essential if you regularly access public networks, be it on your campus or in your favorite cafe.

The internet is vast and can sometimes be unsavory. There are plenty of hackers and malicious bots out there trying to steal your information. But never fear! We are here to give you a few easy tips to make sure your macOS remains impenetrable.

Public Wi-Fi Threats

Before moving on to the solutions, you should know what kind of security issues come from using public wi-fi. Here are some of the risks.

Unencrypted Networks

Encryption keeps the information passed between your device and the router private by encoding it. However, most routers have encryption turned off as a default factory setting, and unless an IT professional has set up the public network, it might be unencrypted and vulnerable.

Malware Distribution

If you have a software vulnerability, it might get targeted while you are on public wi-fi. Hackers often try to exploit these weaknesses by slipping in malware designed for that specific vulnerability.

Man-in-the-Middle attacks

Man-in-the-Middle (MitM) attacks are one of the most common threats that plague public networks. When you connect to the internet, data is sent from your device to the website. Hackers use security vulnerabilities to step in between and alter the information as it passes through. 

Packet Sniffing

When you log into an unencrypted wi-fi network, hackers can potentially intercept and read any information, including your login credentials. This digital eavesdropping is called packet sniffing.

Malicious Hotspots 

You might connect to a wi-fi network with a familiar name, only to find out later that it was a malicious hotspot mimicking another network. Your software might not always spot the difference if both networks have the same name.

How to Protect Your Mac?

The security risks of public wi-fi are substantial. But that does not mean you have to swear off public networks altogether. Here are a few steps to ensure you can freely roam around the internet without worry.

Use a VPN

Using a VPN can solve most of your security issues. A VPN creates an encrypted tunnel connecting your Mac to an off-site VPN host or provider. A good VPN will ensure that all information between your computer and the internet is safe even when you log in to a public wi-fi network.

There are plenty of VPN providers to choose from. But check a provider’s encryption capabilities before you choose. Most ‘Free VPNs’ are unreliable and tend to inject advertisements on top of web pages you may visit. A trusted VPN provider like MacKeeper will hide what you browse and from where. You can read reviews on MacUpdate about this tool.

If you would rather not use a VPN, there are still a few steps you can take to minimize the risks.

  • Always make sure that the address of the website you visit starts with ‘https://’. This means that the website is encrypting the data transferred between your Mac and the website.
  • Be sure of the network you are logging into. There are plenty of free-to-use wi-fi hotspots trying to lure unsuspecting users into giving up their information. Avoid connecting to unknown networks.
  • Avoid sensitive sites while on public networks. Even with HTTPS encryption it is best not to log in to social media sites or shopping sites where you have to input your card details. Wait until you have access to your secure private wi-fi before you log in to such sites.


The default Mac firewall can be a bit annoying with its constant notifications for permissions, but it is very useful when you are logging into a public network, provided you configure it properly.

Go to System Preferences and select the Security & Privacy icon. You can alternatively search for ‘firewall’ using the search box in the System Preferences window. Once you find the firewall settings, turn it on.

If the firewall settings are locked, unlock them by clicking the lock icon in the lower-left corner of the window and entering your admin password. After turning the firewall on, click Firewall Options and select “Block all incoming connections”.

This will limit certain functions like file sharing, but it will also reduce the threat of an outside attack while on public wi-fi. You can switch this option off again when you are on a private network.

You can also opt for other trusted Mac firewall providers. Usually, these are more elaborate in design and offer a range of functions. Security software like MacKeeper features ID theft guard and ad blockers along with encryption. 

Encrypt Email Passwords

Some mail service providers do not encrypt your password by default. This means that anyone intercepting your traffic can view your password as plain text. Make sure that your email client is configured to use SSL/TLS when connecting to the mail server. You can check with your email provider for the configuration procedure. If your email client does not support SSL/TLS, do not use it while on a public wi-fi network.

Better DNS

When you visit any website, your Mac contacts a Domain Name System (DNS) server to look up that website. The DNS server returns the IP address of the server that hosts the webpage you are looking for. This process only takes a fraction of a second.

You should configure your Mac to connect to a reliable and fast DNS server that filters out malware, botnet and other malicious domains that attempt to infect your Mac. There are plenty of options when choosing a DNS service. The setup instructions are specific to each service provider.

Bottom Line

Public wi-fi comes with its own risks. With just the basic protection enabled, try to avoid using sensitive information like credit card details while logged on to a public network. And always log out when you are not using the internet. But if you follow these tips and get a trusted internet security provider, then public wi-fi can be just as safe as any network.

About the author:

Naomi Stone (@Naomi99Stone) is a cybersecurity enthusiast and Mac aficionado. She’s passionate about covering topics like Mac cybersecurity, Mac tips & hacks, and Mac how-to guides. She is a contributor to Cyber Experts and Cybers Guards.

The post How To Keep Your Mac Secure Even If You Use Public Wi-Fi appeared first on CyberDB.

Keeping Consumer Data Safe

Every day on popular eCommerce sites, millions upon millions of people enter valuable information. Their names, their credit card details, their addresses, and more are being uploaded in huge quantities. All this sensitive information, especially payment details, has become the target of malicious cyber attacks and hacking schemes. For businesses implementing their online payment systems, how can they ensure that consumer data is kept safe?

What Do Cyber Attacks Look Like?

Hackers typically target valuable data in order to steal money and are usually able to do it before the customers even realize that something is amiss. There are all sorts of ways hackers can access information, like sending malicious code to websites that intercept payments or using bots to guess millions of combinations of letters and numbers to access user accounts. Some hackers won’t even stop at individual users but target a website’s entire back-end database. While these attacks are relentless, there are thankfully several things most businesses do in order to keep sensitive information out of criminal hands.

Ways to Keep Data Secure

There are a lot of methods employed by businesses that keep personal data protected. With these methods, even the most persistent hackers find it impossible to break through and steal data. Data encryption is one leading method. Here data is encoded in such a way that it’s incomprehensible to anyone besides the holder of the key to decrypt it. Encryption uses algorithms to scramble data and obscure it from any prying eyes. Many organizations also make use of SSL certificates to encrypt payment information while it’s in transit.

Frequent updates and use of antivirus or anti-malware software are common practices among businesses. With viruses getting more advanced and hackers finding new methods to work their way into systems, most companies apply frequent updates and patches to all their software offerings and services. These updates not only provide increased stability, new features, and faster operation but offer an increase in security as well. Some businesses even hire ethical hackers to try and break into their own systems so that solutions can be uncovered.

There are also many legal guidelines for businesses to follow that work in tandem with keeping consumer data safe. For example, the Children’s Online Privacy Protection Act prohibits the gathering of data from kids under 13, keeping their sensitive information offline entirely. For other types of data, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) set guidelines for the collection and management of personal information. Depending on local laws, there are several regulations just like these that work to keep data in good hands. Some online services like the Magento 2 GDPR Extension will even allow online stores to change their processing methods to stay GDPR and CCPA compliant.

While it’s a sad fact online cyber-attacks may never truly go away, we can rest assured that businesses have a wide variety of tools at their disposal to make the internet and their marketplaces safe for all users.

The post Keeping Consumer Data Safe appeared first on Hacker Combat.

How Do Random Number Generators Work?

In a real-world casino, random chance plays a huge part in ensuring that games are fair. If neither the player nor the house can predict which card will be drawn next, or where the ball will stop on a roulette wheel, then the games are unpredictable, and therefore fair. Whilst relying on the laws of physics, or the near-infinite number of combinations that a deck of cards can be arranged into is easy in real life, when it comes to online casinos, things aren’t so simple.

The problem is that making something truly random is really quite difficult. Humans are very bad at creating random combinations, and computer programs need to base any number that they generate on an already existing set of data and human input, so how does the casino industry do it?

Random Number Generators

Random number generators (RNGs) are the subject of many essays and scientific papers, but to put it simply, they work by starting with a number, known as a seed number, and performing a different mathematical operation on that number every time a new random number needs to be generated. Simple, right? Not quite. The seed number can often be over 200,000 digits long, and can change every second, making hacking extremely difficult, if not impossible. The original seed number and the algorithm used to generate the math problem are kept top secret, so whilst there is technically a pattern, without both of those pieces of information, the system is as good as totally random.

The Real World Applications of RNGs

Ok, so now we have a very long string of digits that, after having a math problem applied to them, become another number. How does this affect what happens when you play any of the variety of betting games at Paddy Power? Each outcome in each game, whether you’re rolling a virtual die or pulling the lever on any one of the many virtual slot machines, is assigned a number from the RNG. So maybe a pair of sixes in a dice game corresponds to 673,467,527,656,14 or 8 Black on a roulette wheel to 574,862,745,879. The mathematical algorithm is different for every game and ensures that the numerical outcome always lines up with a possible outcome in the game.
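The seed-and-transform idea and the mapping of raw numbers onto game outcomes, as an added illustration that is not code from any casino or regulator. The toy generator and its parameters are assumed for the example only; the point it makes is that anyone holding the seed and the transform reproduces every result, and that mapping a raw number onto a small set of outcomes needs care to stay unbiased.

```python
import secrets

# Toy generator parameters (assumed for illustration, not from the post).
MODULUS = 2**31 - 1
MULTIPLIER = 48271


def toy_sequence(seed: int, count: int) -> list:
    """Start from the seed and apply the same transform for each new number."""
    state = seed % MODULUS
    numbers = []
    for _ in range(count):
        state = (state * MULTIPLIER) % MODULUS
        numbers.append(state)
    return numbers


def map_to_outcome(number: int, outcomes: list):
    """Map one raw number onto a game outcome without modulo bias.

    Plain `number % n` favours the low outcomes slightly when the generator's
    range is not a multiple of n. Numbers in that leftover tail are rejected
    (None) and the caller simply draws the next number instead.
    """
    n = len(outcomes)
    limit = (MODULUS // n) * n
    if number >= limit:
        return None
    return outcomes[number % n]


def play(seed: int, outcomes: list, rounds: int) -> list:
    """Deterministic game: whoever holds the seed reproduces every result."""
    results = []
    # Draw a few spare numbers to cover the rare rejections.
    stream = iter(toy_sequence(seed, rounds * 4))
    while len(results) < rounds:
        outcome = map_to_outcome(next(stream), outcomes)
        if outcome is not None:
            results.append(outcome)
    return results


def play_secure(outcomes: list, rounds: int) -> list:
    """What a production system does instead: draw from the OS CSPRNG,
    which has no reproducible seed to leak and already avoids modulo bias."""
    return [outcomes[secrets.randbelow(len(outcomes))] for _ in range(rounds)]


ROULETTE_POCKETS = list(range(37))  # 0 to 36 on a European wheel
DIE_FACES = [1, 2, 3, 4, 5, 6]

if __name__ == "__main__":
    print("same seed, same spins:", play(42, ROULETTE_POCKETS, 5))
    print("same seed, same spins:", play(42, ROULETTE_POCKETS, 5))
    print("CSPRNG spins:", play_secure(ROULETTE_POCKETS, 5))
```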

Who Keeps Everything in Check?

In principle, RNGs sound great so far, but to ensure that the programs and algorithms are fair and legitimate, third-party organisations have to inspect and approve RNGs in order to keep players safe. In the EU, this is the Gambling Commission, whilst in the US, the authority varies by state, but in all cases, they ensure that RNGs meet a variety of criteria to be ‘acceptably random’. Indeed, there are organisations that constantly review systems to ensure that they are operating to the best of their ability. Regardless, legitimate gambling websites will display the contact details of these authorities and make their certificates available to be publicly viewed.

So next time you take part in an online casino game, you’ll have a better understanding of how these games work and know that you’re in the safe, fair hands of a randomly-generated string of digits!

The post How Do Random Number Generators Work? appeared first on Hacker Combat.

How Internet Security Evolved in Tandem with iGaming

For a non-biological entity, the internet is an area filled with constant and unstoppable evolution. From the hardware which backs it to the software systems it carries, nothing in this arena stays the same for long. One of the most significant forms these changes take is seen in the world of security.

While there are many fields in which this battle is fought, by focusing on just one it can be possible to track greater trends in the online security environment. For the sake of this article, we want to use online bingo as an example. A simple game to play on the surface, it’s a world in which the real developments run surprisingly deep. Staying steady over the years, the invisible parts of such games are top of the class. But how did we get here?

A Change in Browsers

As this article by Popular Mechanics on Netscape Navigator can tell you, the earliest web browsers were incredibly simple. In some cases, the first browsers even had the option to disable all images from loading, to save on data costs. The problem with these browsers was that patches were few and far between, and limited expertise in developer security meant that malware was a constant concern.

“My Old Navigator” (CC BY 2.0) by OiMax

This could have been problematic for the first browser bingo games, which appeared as early as 1996. To combat this issue, very specific restrictions were placed on which browsers could access the first bingo offerings. Simply put, if a browser didn’t have the latest security tech, it wasn’t supported.

Over time, this security concern aided in the rise of online bingo which moved away from direct browser integration. Instead, many bingo games relied on downloadable clients from online casinos, which were much more tightly controlled, doing things many websites at the time couldn’t. These remained a standard for ages, only seeing significant abandonment recently.

The Modern Age

In the last few years, arguably the biggest change in online bingo gaming has come from improvements in HTML and related web technologies. HTML5, as a much more flexible system than its predecessors, has paved the way for bingo games to head back to browsers in force.

Take, for example, the games on Bingo Betfair online in UK areas. Thanks to modern tech, games like Housey Bingo and House of Mirrors are not just entirely safe on major websites, but they also run far faster and look far better than any old bingo games could. Not simply due to convenience, this change was also a matter of necessity.

Most online games used to operate within Adobe Flash, which was the standard for many years. Yet Flash’s inbuilt limitations, including a growing potential for security flaws, put it on a road to obsolescence, as Time explains. This proved to be a major hurdle for some forms of entertainment, acting as a danger to online software without a proactive approach. Like most online casino games, bingo abandoned this system some time ago, but many others still haven’t.

“Museum Computer” (CC BY 2.0) by Rd. Vortex

While just illustrating one small slice of the greater internet security landscape, online bingo points out some of the most significant issues which occurred, and how they have been combatted. Sometimes, better security meant being demanding of browser standards, where other times it meant abandoning these systems entirely. Today, however, with systems as strict and advanced as they are, security and flexibility within browsers are the best they’ve ever been. Whatever might come next, if the past is any indication, bingo will reflect the best the web has to offer.

The post How Internet Security Evolved in Tandem with iGaming appeared first on Hacker Combat.

Ransomware attack on Garmin thought to be the work of ‘Evil Corp’

Russian cybercrime gang is believed to be responsible for taking Garmin services offline

A ransomware attack that took the GPS and smartwatch business Garmin entirely offline for more than three days is believed to have been carried out by a Russian cybercriminal gang which calls itself “Evil Corp”.

Garmin began to restore services to customers on Monday morning, after being held hostage for a reported ransom of $10m, although some services were still operating with limited functionality.

Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single-use encryption key, before flashing up a message asking for a ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

Related: Garmin down: how to still get your activities on to Strava


Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!!

Happy Birthday! Today we mark the fourth anniversary of the NoMoreRansom initiative with over 4.2 million visitors, from 188 countries, stopping an estimated $632 million in ransom demands from ending up in criminals’ pockets. It would be fair to say that the initiative, which started in a small meeting room in the Hague, has been integral for so many in the perpetual fight against cybercriminals.

Powered by the contributions of its 163 partners, the portal, which is available in 36 languages, has added 28 tools in the past year and can now decrypt 140 different types of ransomware infection. To think, just four years ago we started with only a handful of decryptors and partners. That speaks volumes to the commitment by all members to collaborate and work together to give victims a third option: #DontPay.

All this hard work took place in an ever-changing cybercriminal landscape; during those four years ransomware criminals shifted their tactics from “spray and pay”, mostly aimed at consumers, to highly organized crime groups actively seeking to paralyze complete organizations and extort them for astronomical amounts of money.

These challenges have not discouraged NoMoreRansom and its partners; on the contrary, having a strong public private partnership between Law Enforcement and the Private sector has proven essential in several (ongoing) investigations. Without a doubt, we will be the first to admit that fighting ransomware has not been easy but that should not stop us from doing things that are hard.

We are delighted to continue supporting this initiative and play our part in fighting this global problem. However, we have to stress that the fight against ransomware is far from over; in fact, we need more collaborative initiatives to combat the rise in malicious activity. Also, there are still many individuals and organizations that do not even know about NoMoreRansom. Even within the information security industry there are those who have not heard about the availability of free decryption tools.

Please share the message: #DontPay #NoMoreRansom

The post Six Hundred Million Reasons to Celebrate: No More Ransom Turns FOUR!! appeared first on McAfee Blogs.

Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision

The latest innovation in MVISION Cloud, the multi-cloud security platform for enterprise, introduces MITRE ATT&CK into the workflow for SOC analysts to investigate cloud threats and security managers to defend against future attacks with precision.

Most enterprises use over 1,500 cloud services, generating millions of events, from login, to file share, to download and an infinite number of actions meant for productivity yet exploited by adversaries. Until now, hunting for adversary activity within that haystack has been an arduous effort, with so much noise that many data breaches have gone unnoticed until it is too late.

MVISION Cloud takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

First, the haystack of events is processed continuously against a baseline of known good behavior by User and Entity Behavior Analytics (UEBA) to identify the anomalies and actual threats in your environment, assessing behavior across multiple services and accounts.

Events processed by UEBA determined to be a compromised account

This takes your investigation process down to a manageable quantity of incidents. With this release, those incidents are now in the same language as the rest of the SOC: MITRE ATT&CK. Each cloud security incident is mapped to ATT&CK tactics and techniques, showing you adversary activity currently being executed in your environment.

Multi-cloud MITRE ATT&CK view of adversary activity in MVISION Cloud

You have three views within MVISION Cloud:

  • Retrospective: viewing all adversary techniques that have already occurred in your environment
  • Proactive: viewing attacks in progress, that you can take action to stop
  • Full kill-chain: viewing a combination of incidents, anomalies, threats, and vulnerabilities as a holistic string of infractions.

Multiple teams in your organization benefit from this addition to MVISION Cloud:  

  • SecOps Teams Advance from Reactive to Proactive: McAfee MVISION Cloud allows analysts to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) environments 
  • SecOps Teams Break Silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management (SIEM)/Security Orchestration, Automation and Response (SOAR) platforms via API, mapped to the same ATT&CK framework they use for endpoint and network threat investigation  
  • Security Managers Defend with Precision: McAfee MVISION Cloud now takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques 

With McAfee, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint and your analytics platforms. With McAfee MVISION Cloud, MVISION EDR and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogeneous attacks you face today.

Cloud Threat Investigation 101: Hunting with MITRE ATT&CK

The leading SecOps teams use MITRE ATT&CK. Now, Cloud threat investigation speaks the same language with ATT&CK built into MVISION Cloud, unlocking new, precise methods for Cloud defense.

Download Now

The post Introducing MITRE ATT&CK in MVISION Cloud: Defend with Precision appeared first on McAfee Blogs.

NIST Launches Studies into Masks’ Effect on Face Recognition Software

Now that so many of us are covering our faces to help reduce the spread of COVID-19, how well do face recognition algorithms identify people wearing masks? The answer, according to a preliminary study by the National Institute of Standards and Technology (NIST), is with great difficulty. Even the best of the 89 commercial facial recognition algorithms tested had error rates between 5% and 50% in matching digitally applied face masks with photos of the same person without a mask. The results were published today as a NIST Interagency Report (NISTIR 8311), the first in a planned series from NIST

NICE Released the Summer 2020 eNewsletter

The Summer 2020 NICE eNewsletter has been published to provide subscribers information on academic, industry, and government developments related to the National Initiative for Cybersecurity Education (NICE), updates from key NICE programs, projects, the NICE Working Group, and other important news. To help increase the visibility of NICE, the NICE Program Office will issue regular eNewsletters that feature spotlight articles on academic, industry, and government developments related to NICE, updates from key NICE programs, projects, the NICE Working Group, and other important news. For

PSCR 2020: The Digital Experience

Since 2010, PSCR has held an annual Stakeholder Meeting to receive direct input, guidance, and feedback from public safety stakeholders across sectors. This information exchange has been invaluable to the success of the PSCR program and advancement of public safety communications technologies. That's why, in 2020, as part of our ongoing commitment to transparency, PSCR is developing a digital experience for sharing out yearly research updates. This new, virtual format will ensure stakeholders receive the cutting-edge updates they expect from PSCR delivered to wherever they are. When you claim

Virtually Impossible to Miss McAfee at Black Hat 2020

Black Hat 2020 is going virtual this year, providing attendees with the latest security research, development, and trends. Every year McAfee presents our latest security research and this year promises to be innovative and informative! You can expect insightful new findings from the McAfee Advanced Threat Research team. Also join us at the virtual booth to shift your cybersecurity left with new SOC solutions and check out McAfee’s advanced device-to-cloud security solutions.

Here’s where you can see McAfee in action online August 1-6:

What should attendees expect from McAfee at Black Hat USA?

Chief Scientist and McAfee Fellow, Raj Samani spoke with Black Hat in an executive spotlight interview saying “Every year we present our latest security research and this year promises to be out of this world!! Ahem… I don’t want to give too much away but you can expect some tremendous new findings from the McAfee Advanced Threat Research team. Also, get ready for more SOC options from McAfee with a unique solution that shifts cybersecurity left, as well as even more advanced device to cloud protection.”

Read the full interview here.

Session Title: Balancing The Tug of War: How CIOs and CISOs Can Partner for Better IT

Wednesday, August 5, 10am – 10:20am PT

Speakers: McAfee CIO Scott Howitt, and CISO Arve Kjoelen

The rapid evolution of the digital world has driven great technology innovation and spawned growth in cyberthreats that range from the annoying to the catastrophic. In today’s IT environment both CIOs and CISOs are integral to the success of any organization. Historically, there has been tension between the two as they both work to balance the needs of the organization to stay on top of technology while securely implementing tools.

These roles are interdependent, since the CIO relies upon the CISO for advice, guidance and risk evaluation while the CISO depends on the CIO for support and infrastructure resources. They must work together with a holistic, integrated approach that empowers every business department within the organization with a clear vision. Information security is no longer an IT support issue, but a strategic business responsibility. Both IT executives must share common goals for security and IT operations to be successful.

In this session, McAfee CIO Scott Howitt, and CISO Arve Kjoelen will explore the tension between these key roles, how to utilize the positive and alleviate the negative effects of that tension and offer practical advice on how CIOs and CISOs can most effectively work together to ensure the needs of the organization are securely met.

Session Title: “Model Hack the Planet” – A New Frontier in Threat Research for Intelligent Systems

Session Available: Wednesday, August 5, 8:30am PT, ends Thursday, August 6, 4:30pm PT

Speaker: Steve Povolny, Head of McAfee Advanced Threat Research, McAfee

The leading edge of analytic technologies presents a new frontier to security researchers. To address this expanding attack surface, researchers are partnering with data scientists to “model hack,” exposing weaknesses in machine learning models — before attackers do. This talk covers the state of model hacking, introducing new research and progress being made to address issues.

Virtual Expo

Visit the McAfee virtual booth, watch our demo videos, and tweet for a chance to win a gift certificate. (There will be one winner per demo station, who will be randomly selected at the end of the day.)

Be sure to follow @McAfee for real-time updates from the show throughout the week.




The post Virtually Impossible to Miss McAfee at Black Hat 2020 appeared first on McAfee Blogs.

Smartwatch maker Garmin hit by outages after ransomware attack

US company forced to shut down call centres, website and some other online services

Garmin has been forced to shut down its call centres, website and some other online services after a ransomware attack encrypted the smartwatch maker’s internal network and some production systems.

The US company shut down services including the official Garmin website and all customer services, including phone lines, online chat and email.

Related: The five: ransomware attacks

Ransomware is the most common form of criminal malware currently in use. Targets are commonly infected through malicious emails, which may trick them into downloading and running the software, or through exploiting vulnerabilities in other software such as Adobe Flash. When the ransomware program is activated, it encrypts the user’s hard drive with a single use encryption key, before flashing up a message asking for ransom, typically in the form of a payment in the cryptocurrency Bitcoin.

Continue reading...

Women in Sales Part 1: Opportunities for Women Across Cybersecurity Sales

Collaborative, inclusive teams are what redefine cybersecurity solutions for every aspect of our connected world. At McAfee, women are making a significant impact in cybersecurity, including all aspects of sales.  

Executive vice president of global sales and marketing, Lynne Doherty, shares her perspective on the importance of inclusion and leads us into the start of our Women in Sales series: “Fostering inclusion and diversity remains a key ingredient for business success. With the vast benefits to successfully hiring and retaining a workforce shaped by different perspectives, it is predicted that 75 percent of businesses with diverse frontline decision-making teams will exceed their financial targets through 2022. [Gartner, 2019] – Thus proving that inclusion and diversity isn’t just good for company culture, it’s good for business.

“Today, businesses recognize work remains to diversify technology sales. A part of that effort includes a focus on increasing gender diversity right here at McAfee. Opportunities exist for women of varying skillsets and interests across our global sales organization — from sales operations, inside sales, field sales and channel sales to sales engineering.

“Below, meet some of the talented women in sales who have succeeded at McAfee. In this first feature, women share their perspectives on how they continue to break boundaries and achieve success in tech sales.”

Meet McAfee’s Women in Sales

“As women, we have been gaining much more space in the professional world, and companies like McAfee are where we are increasingly more relevant. The sector is evolving, and the market and opportunities are growing. As long as women continue to prepare themselves, starting from time spent in school, and understand that this is a good opportunity to develop, we will improve the statistics. McAfee is a company that promotes (women in management) and it shows, even in the selection processes. I really appreciate this at McAfee.”

— Andrea, Enterprise Sales, Bogotá, Colombia

“Many women think you have to be technical to be in tech sales and that isn’t true. I came to McAfee understanding sales and relationship management. Since being here, I’ve focused on upping my security and technology knowledge. I’ve found not being too technical allows me to listen more to the customer and focus on the desired business outcome. Often, the engineers can get deep into the technology, but I think it’s important to be the intermediary; I stay in the ‘forest’ not the trees.”

—Ashley, Consumer Sales, Richmond, Virginia

“We need to ensure women have the confidence to apply for the roles within IT. I encourage women to move outside your comfort zone and shrug off stigmas. We are more than entitled to sit at this table.”

—Eadaoin, Inside Sales, Cork, Ireland

“In the corporate world, women face challenges from many different angles. Often, I may be the only woman in a room or on my teams, but my advice would be to remain confident and not to second guess your position or authority. While I may be the only woman many times, I also am often the only woman of color, which makes it even more important we continue to advocate for representation. Diversity comes in all forms and quite frankly is necessary because it brings a unique value to a team. At the start of my career, I learned the importance of demonstrating my skills and that I shouldn’t shy away, hold back or “wait for my turn” which has been advantageous when an opportunity presents itself.”

—Jardin, Inside Sales, Plano, Texas

“Sales has changed considerably in the 20 years I’ve worked in tech.  In an early role, I was told a man would never buy from a woman. I was inspired to prove that wrong. These days the environment is entirely different. McAfee, like many companies, has zero tolerance for such conduct or mindset. The culture is positive, inclusive and one where anyone can succeed. Each of us has a responsibility to show future generations that cybersecurity is a great career option for all.”

—Katie, Enterprise Sales, Cheltenham, England

“I see the two primary challenges for women in tech sales as perception and awareness. There is a traditional view that you must be technical to work in technology. I‘m not naturally technical, and I always assumed you had to have a technical background like coding or programming. And, that is not the case so. You can learn technology if you have all the other skills that make a great salesperson.”

—Krista, Enterprise Sales, Detroit, Michigan

“In terms of numbers, while we’re making progress, I’d love for us to see more women in tech, especially in sales. This is why mentoring, sponsorship and support for women in sales is so important – whether as the customer or the vendor. When you and your customer have things in common like gender, culture and experience it helps to strengthen the relationship and sales process.”

—Kristol, Inside Sales, Plano, Texas

“In my previous experiences, I’ve been one of the only women at the table. I would tell women not to get discouraged by this; it is about finding the right company for you. Find what makes you happy to get up every day to be part of it.”

—Paige, Sales Operations, Plano, Texas

“Historically, I was the only woman in the room, but things have definitely changed! Women may too quickly dismiss technology as a career, but in sales, it’s all about finding a solution for your customer, and women have amazing skillsets to do that.”

—Brenda, Consumer Sales, Vancouver, British Columbia

Learn more about how McAfee women in our sales organization leverage their skillsets for a successful career in our upcoming blog.

Interested in joining a company that supports inclusion and belonging? Search our jobs. Subscribe to Job Alerts.

The post Women in Sales Part 1: Opportunities for Women Across Cybersecurity Sales appeared first on McAfee Blogs.

Hunting for Blues – the WSL Plan 9 Protocol BSOD

Windows Subsystem for Linux Plan 9 Protocol Research Overview

This is the final blog in the McAfee research series trilogy on the Windows Subsystem for Linux (WSL) implementation – see The Twin Journey (part 1) and Knock, Knock–Who’s There (part 2). The previous research discussed file evasion attacks when the Microsoft P9 server can be hijacked with a malicious P9 (Plan 9 File System Protocol) server. Since Windows 10 version 1903, it is possible to access Linux files from Windows by using the P9 protocol. The Windows 10 operating system comes with the P9 server as part of the WSL install so that it can communicate with a Linux filesystem. In this research we explore the P9 protocol implementation within the Windows kernel and whether we could execute code in it from a malicious P9 server. We created a malicious P9 server by hijacking the Microsoft P9 server and replacing it with code we can control.

In a typical attack scenario, we discovered that if WSL is enabled on Windows 10, then a non-privileged local attacker can hijack the WSL P9 communication channel to cause a local Denial of Service (DoS) or Blue Screen of Death (BSOD) in the Windows kernel. It is not possible to achieve escalation of privilege (EoP) within the Windows kernel due to this vulnerability; the BSOD appears to be as designed by Microsoft within their legitimate fail flow, if malformed P9 server communication packets are received by the Windows kernel. A non-privileged user should not be able to BSOD the Windows kernel, from a local or remote perspective. If WSL is not enabled (disabled by default on Windows 10), the attack can still be executed but requires the attacker to be a privileged user to enable WSL as a pre-requisite.

There have recently been some critical, wormable protocol vulnerabilities within the RDP and SMB protocols in the form of Bluekeep and SMBGhost. Remotely exploitable vulnerabilities are very high risk if they are wormable as they can spread across systems without any user interaction. Local vulnerabilities are lower risk since an attacker must first have a presence on the system; in this case they must have a malicious P9 server executing. The P9 protocol implementation runs locally within the Windows kernel so the objective, as with most local vulnerability hunting, is to find a vulnerability that allows an escalation of privilege (EoP).

In this blog we do a deep dive into the protocol implementation and vulnerability hunting process. There is no risk to WSL users from this research, which has been shared with and validated by Microsoft. We hope this research will help improve understanding of the WSL P9 communications stack and that additional research would be more fruitful further up the stack.

There have been some exploits on WSL such as here and here but there appears to be no documented research of the P9 protocol implementation other than this.

P9 Protocol Overview

The Plan 9 File System Protocol server allows a client to navigate its file system to create, remove, read and write files. The client sends requests (T-messages) to the server and the server responds with R-messages. The P9 protocol has a header consisting of size, type and tag fields which is followed by a message type field depending on the request from the client. The R-message type sent by the server must match the T-message type initiated from the client. The maximum connection size for the data transfer is decided by the client during connection setup; in our analysis below, it is 0x10000 bytes.

P9 protocol header followed by message type union (we have only included the subset of P9 message types which are of interest for vulnerability research):

typedef struct P9Packet {
    u32 size;
    u8  type;
    u16 tag;
    union {
        struct p9_rversion rversion;
        struct p9_rread    rread;
        struct p9_rreaddir rreaddir;
        struct p9_rwalk    rwalk;
    } u;
} P9Packet;

The P9 T-message and corresponding R-message numbers for the types we are interested in (the R-message is always T-message+1):

enum p9_msg_t {
    P9_TVERSION = 100,
    P9_RVERSION = 101,
    P9_TWALK    = 110,
    P9_RWALK    = 111,
    P9_TREAD    = 116,
    P9_RREAD    = 117,
    /* remaining message types omitted */
};

At the message type layer, which follows the P9 protocol header, you can see the fields, which are of variable size, highlighted below:

struct p9_rwalk {
    u16 nwqid;
    struct p9_qid wqids[P9_MAXWELEM];
};

struct p9_rread {
    u32 count;
    u8 *data;
};

struct p9_rreaddir {
    u32 count;
    u8 *data;
};

struct p9_rversion {
    u32 msize;
    struct p9_str version;
};

struct p9_str {
    u16 len;
    char *str;
};

Based on the packet structure of the P9 protocol we need to hunt for message type confusion and memory corruption vulnerabilities such as out of bounds read/write.

So, what will a packet structure look like in memory? Figure 1 shows the protocol header and message type memory layout from WinDbg. The message size (msize) is negotiated to 0x10000 and the version string is “9P2000.W”.

Figure 1. P9 packet for rversion message type

Windows WSL P9 Communication Stack and Data Structures

Figure 2. Windows Plan 9 File System Protocol Implementation within WSL

The p9rdr.sys network mini-redirector driver registers the “\\Device\\P9Rdr” device with the Redirected Drive Buffering Subsystem (RDBSS) using the RxRegisterMinirdr API as part of the p9rdr DriverEntry routine. During this registration, the following P9 APIs or driver routines are exposed to the RDBSS:

The p9rdr driver is not directly accessible from user mode using the DeviceIoControl API and all calls must go through the RDBSS.

As seen in Figure 2, when a user navigates to the WSL share at “\\wsl$” from Explorer, the RDBSS driver calls into the P9 driver through the previously registered APIs.

DIOD is a file server implementation that we modified to be a “malicious” P9 server: we claim the “fsserver” socket name before the Windows OS does, in a form of squatting attack. Once we had replaced the Microsoft P9 server with the DIOD server, we modified the “np_req_respond” function (explained in the fuzzing constraints section) so that we could control P9 packets and send malicious responses to the Windows kernel. Our malicious P9 server and socket hijacking have been explained in detail here.

So now we know how data travels from Explorer to the P9 driver but how does the P9 driver communicate with the malicious P9 server? They communicate over AF_UNIX sockets.

There are two important data structures used for controlling data flow within the P9 driver called P9Client and P9Exchange.

The P9Client and P9Exchange data structures, when reverse engineered to the fields relevant to this research, look like the following (fields not relevant to this analysis have been labelled as UINT64 for alignment):

typedef struct P9Client {
    PVOID     *WskTransport_vftable;
    PVOID     *GlobalDevice;
    UINT64     RunRef;
    WskSocket *WskData;
    PVOID     *MidExchangeMgr_vftable;
    PVOID    **WskTransport_vftable;
    PVOID    **MidExchangeMgr_vftable;
    P9Packet  *P9PacketStart;
    UINT64     MaxConnectionSize;
    UINT64     Rmessage_size;
    P9Packet  *P9PacketEnd;
    PVOID     *Session_ReconnectCallback;
    PVOID    **WskTransport_vftable;
} P9Client;

P9Client data structure memory layout in WinDbg:

typedef struct P9Exchange {
    P9Client    *P9Client;
    UINT64       Tmessage_type;
    PVOID       *Lambda_PTR1;
    PVOID       *Lambda_PTR2;
    PRX_CONTEXT *RxContext;
    UINT64       Tmessage_size;
} P9Exchange;

The P9Exchange data structure layout in WinDbg:

To communicate with the P9 server, the P9 driver creates an I/O request packet (IRP) to receive data from the Winsock Kernel (WSK). An important point to note is that the Memory Descriptor List (MDL) used to hold the data passed between the P9 server and Windows kernel P9 client is 0x10000 bytes (the max connection size mentioned earlier).

virtual long WskTransport::Receive() {
    UINT64 MaxConnectionSize = 0x10000;

    P9_IRP_OBJECT = RxCeAllocateIrpWithMDL(2, 0, 0i64);
    P9_MDL = IoAllocateMdl(P9Client->P9PacketStart, MaxConnectionSize, 0, 0, 0i64);
    MmBuildMdlForNonPagedPool(P9_MDL);

    P9_IRP_OBJECT->IoStackLocation->Parameters->MDL      = &P9_MDL;
    P9_IRP_OBJECT->IoStackLocation->Parameters->P9Client = &P9Client;
    P9_IRP_OBJECT->IoStackLocation->Parameters->DataPath = &P9Client::ReceiveCallback;
    P9_IRP_OBJECT->IoStackLocation->CompletionRoutine    = p9fs::WskTransport::SendReceiveComplete;

    WskProAPIReceive(*WskSocket, *P9_MDL, 0, *P9_IRP_OBJECT);
}

The MDL is mapped to the P9PacketStart field address within the P9Client data structure.

On IRP completion, the WskTransport::SendReceiveComplete completion routine is called to retrieve the P9Client structure from the IRP to process the P9 packet response from the server:

static int WskTransport::SendReceiveComplete(IRP *P9_IRP_OBJECT) {
    P9Client = &P9_IRP_OBJECT->IoStackLocation->Parameters->P9Client;
    P9Client::ReceiveCallback(P9Client);
}

The P9Client data structure is used within an IRP to receive the R-message data but what is the purpose of the P9Exchange data structure?

  1. When the P9 driver sends a T-message to the server, it must create an exchange so that it can track the state between the message type sent (T-message) and that returned by the server (R-Message).
  2. It contains lambda functions to execute on the specific message type. The Tmessage_type field within the P9Exchange data structure ensures that the server can only send R-messages to the same T-message type it received from the P9 driver.
  3. PRX_CONTEXT * RxContext structure is used to transfer data between Explorer and the p9rdr driver via the RDBSS driver.

The flow of a WALK T-message can be seen below:

Within the P9Client::CreateExchange function, the MidExchangeManager::RegisterExchange is responsible for registering the P9Exchange data structure with the RDBSS using a multiplex ID (MID) to distinguish between concurrent server and client requests.

MidExchangeManager::RegisterExchange(*P9Client, *P9Exchange) {
    NTSTATUS RxAssociateContextWithMid(PRX_MID_ATLAS P9Client->RDBSS, PVOID P9Exchange, PUSHORT NewMid);
}

The important fields within the P9Client and P9Exchange data structures which we will discuss further during the analysis:

  1. P9Client->MaxConnectionSize – set at the start of the connection and cannot be controlled by an attacker
  2. P9Client->P9PacketStart – points to the P9 packet received and can be fully controlled by an attacker
  3. P9Client->Rmessage_size – can be fully controlled by an attacker
  4. P9Exchange->Tmessage_type – set during T-message creation and cannot be controlled by an attacker
  5. P9Exchange->RxContext – used to pass data from the P9 driver through the RDBSS to Explorer

Now that we know how the protocol works within the Windows kernel, the next stage is vulnerability hunting.

Windows Kernel P9 Server Vulnerability Hunting

P9 Packet Processing Logic

From a vulnerability perspective we want to audit the Windows kernel logic within p9rdr.sys, responsible for parsing traffic from the malicious P9 server. Figure 3 shows the source of the P9 packet and the sink, or where the packet processing completes within the p9rdr driver.

Figure 3. Windows Kernel Processing layers for the P9 protocol malicious server response parsing

Now that we have identified the code for parsing the P9 protocol message types of interest we need to audit the code for message type confusion and memory corruption vulnerabilities such as out of bounds read/write and overflows.

Fuzzing constraints

There were a number of constraints which made deploying automated fuzzing logic difficult:

  1. The R-message type sent from the malicious P9 server must match the T-message type sent by the Windows kernel
  2. Timeouts in higher layers of the WSL stack

The above challenges could, however, be overcome but since the protocol is relatively simple we decided to focus on reversing the processing logic validation. To verify the processing logic validation, we created some manual fuzzing capability within the malicious P9 server to test the variable length packet field boundaries identified from the protocol overview.

Below is an example RREAD R-message handler which sends a malicious P9 packet in response to a TREAD T-message, where we control the count and data variable length fields.



np_req_respond(Npreq *req, Npfcall *rc)
{
    u32 count = 0xFFFFFFFF;
    Npfcall *fake_rc;
    u8 *data = malloc(0xFFF0);

    memset(data, 'A', 0xFFF0);

    if (!(fake_rc = np_alloc_rread1(count)))
        return NULL;

    if (fake_rc->
        memmove(fake_rc->, data, count);

    if (rc->type == 0x75) {            /* 0x75 = 117 = P9_RREAD */
        fprintf(stderr, "RREAD Packet Reply");
        req->rcall = fake_rc;
    } else {
        req->rcall = rc;
    }

    if (req->state == REQ_NORMAL) {
        np_set_tag(req->rcall, req->tag);

Validation Checks

The data passed to the P9 driver is contained within a connection memory allocation of 0x10000 bytes (P9Client->P9PacketStart) and most of the processing is done within this memory allocation, with two exceptions where memmove is called within the P9Client::FillData and P9Client::Lambda_2275 functions (discussed below).

A message-type confusion attack is not possible since the P9Exchange data structure tracks the R-message to its corresponding T-message type.

In addition, the P9 driver uses a span reader to process message type fields of static length. The P9Exchange structure stores the message type which is used to determine the number of fields within a message during processing.

While we can control the P9 packet size we cannot control the P9Client->MaxConnectionSize which means messages greater than or equal to 0x10000 will be dropped.

All variable size field checks within the message type layer of the protocol are checked against the P9Packet size field ensuring that a malicious field will not result in out of bounds read or write access outside of the 0x10000 connection memory allocation.

The processing logic functions identified previously were reverse engineered to understand the validation on the protocol’s fields, with specific focus on the variable length fields within message types rversion, rwalk and rread.

By importing the P9Client and P9Exchange data structures into IDA Pro, the reverse engineering process was relatively straightforward and the packet validation logic easy to follow. The functions below have been reversed only to the level required for understanding the validation and are not representative of the entire function code base.

P9Client::ReceiveCallback validates that the Rmessage_size does not exceed the max connection size of 0x10000:

void P9Client::ReceiveCallback(P9Client *P9Client) {
    struct p9packet *P9Packet;
    uint64 MaxConnectionSize = P9Client->MaxConnectionSize;
    uint64 Rmessage_size     = P9Client->Rmessage_size;

    if (MaxConnectionSize) {
        P9Packet = (struct p9packet *) P9Client->P9PacketStart;
        if (MaxConnectionSize < 0 || !P9Packet) terminate(P9Packet);
    }
    if (Rmessage_size >= 0 && P9Client->MaxConnectionSize >= Rmessage_size) {
        P9Client::HandleReply(*P9Client);
    } else {
        /* error path omitted */
    }
}

P9Client::HandleReply – there are multiple local DoS conditions here which result in a Blue Screen Of Death (BSOD), depending on the values of P9Client->Rmessage_size and P9Client->P9PacketEnd->size. For example, when P9Client->P9PacketEnd->size is zero, terminate() is called, which is a BSOD.

void P9Client::HandleReply(P9Client *P9Client) {
    uint64 P9PacketHeaderSize = 7;
    uint64 Rmessage_size = P9Client->Rmessage_size;

    if (Rmessage_size >= 7) {
        P9PacketEnd = P9Client->P9PacketEnd;
        if (!P9PacketEnd) break;

        uint64 P9PacketSize = P9Client->P9PacketEnd->size;
        if (P9PacketSize > P9Client->MaxConnectionSize) HandleIoError();
        if (Rmessage_size < P9PacketSize) P9Client::FillData();

        if (Rmessage_size < 4) terminate();   // checking a P9 header size field exists in packet
        if (Rmessage_size < 5) fastfail();    // checking a P9 header type field exists in packet
        int message_type = P9PacketEnd->type;
        if (Rmessage_size < 7) fastfail();    // checking a P9 header tag field exists in packet
        uint64 tag = P9PacketEnd->tag;

        uint64 P9message_size = P9PacketSize - P9PacketHeaderSize;   // getting size of message

        if (Rmessage_size - 7 < 0) terminate();               // checking message layer exists after P9 header
        if (Rmessage_size - 7 < P9message_size) terminate();  // BSOD here: when P9PacketSize is 0, subtracting 7 wraps around,
                                                              // so P9message_size becomes greater than Rmessage_size
        P9Client::ProcessReply(P9Client, Rmessage_type, tag, &P9message_size);
    } else {
        /* error path omitted */
    }
}

P9Client::FillData – we cannot reach this function with a large Rmessage_size to force an out of bounds write:

int P9Client::FillData(P9Client *P9Client) {
    uint64   Rmessage_size = P9Client->Rmessage_size;
    uint_ptr P9PacketEnd   = P9Client->P9PacketEnd;
    uint_ptr P9PacketStart = P9Client->P9PacketStart;
    if (P9PacketEnd != P9PacketStart) {
        memmove(P9PacketStart, P9PacketEnd, Rmessage_size);
    }
}

ProcessReply checks the R-message type against the T-message type recorded in the P9Exchange data structure:

void P9Client::ProcessReply(P9Client *P9Client, Rmessage_type, tag, &P9message_size) {
    P9Exchange *P9Exchange = MidExchangeManager::FindAndRemove(*P9Client, &P9Exchange);
    if (P9Packet->tag > 0) {
        int message_type_size = GetMessageSize(P9Exchange->Tmessage_type);
        if (P9message_size >= message_type_size) {
            int rmessage_type = P9Exchange->MessageType;
            rmessage_type = rmessage_type + 1;
        }
        if (rmessage_type > 72) {
            switch (MessageType) {
            case 100:
                P9Client::ProcessVersionReply(P9Client, P9Exchange, &P9message_size);
            case 110:
                P9Client::ProcessWalkReply(Rmessage_type, P9Exchange, &P9message_size);
            }
        } else {
            P9Client::ProcessReadReply(rmessage_type, P9Exchange, &P9message_size);
        }
    }
}

During the P9Client::ProcessReply function, MidExchangeManager::FindAndRemove is called to fetch the P9Exchange data structure associated with the T-message corresponding to this R-message:

MidExchangeManager::FindAndRemove(*P9Client, &P9Exchange) {
    NTSTATUS RxMapAndDissociateMidFromContext(PRX_MID_ATLAS P9Client->RDBSS_RxContext, USHORT Mid, &P9Exchange);
}

ProcessVersionReply compares the version string returned by the server against the one sent by the client, “P92000.L”, which is 8 characters; the same length is checked on return, so rversionlen does not affect the tryString function:

void P9Client::ProcessVersionReply(*P9Client, *P9Exchange, &P9message_size) {
    char *rversion;
    int   rversionlen = 0;

    rversion    = P9Client->P9PacketStart.u.rversion->version->str;
    rversionlen = P9Client->P9PacketStart.u.rversion->version->len;

    tryString(messagesize, &rversion);
    strcmp(Tversion, Rversion);
}

ProcessWalkReply checks that the total size of the rwalk structures does not exceed the P9message_size:

void P9Client::ProcessWalkReply(rmessage_type, *P9Exchange, &P9message_size) {
    uint16   nwqid             = p9packet.rwalk.nwqid;
    uint64   rwalkpacket_size  = &P9message_size - 2;   // 2 bytes of rwalk header for nwqid field
    uint_ptr rwalkpacketstart  = &P9Client->P9PacketStart.u.rwalk->wqids;
    uint64   error_code        = 0x0C0000186;
    uint64   rwalk_message_size = nwqid * 13;           // 0xd is size of an rwalk struct

    if (rwalk_message_size <= P9message_size) {
        // Lambda_8972 is Lambda_PTR1 for rwalk message type
        P9Exchange->Lambda_8972(int, nwqid, &rwalk_message_size, P9Exchange->RxContext, &rwalkpacketstart);
    } else {
        // SyncContextErrorCallback is Lambda_PTR2 for rwalk message type
        P9Exchange->P9Client::SyncContextErrorCallback(error_code, P9Exchange->RxContext);
    }
}

ProcessReadReply checks that the count field does not exceed 0x8000 and copies that many bytes into an MDL within P9Exchange->RxContext, which is passed back up the RDBSS stack so the file contents can be viewed in Explorer:

void P9Client::ProcessReadReply(rmessage_type, *P9Exchange, &P9message_size) {
    uint64 count = P9Client->P9PacketStart.u.rread->count;
    P9Exchange->Lambda_2275(count, P9Exchange->RxContext, &P9message_size);
}

Lambda_2275(count, P9Exchange->RxContext, &P9message_size) {
    uint64 maxsize = P9Exchange->RxContext + offset;   // max_size = 0x8000
    uint64 MDL     = P9Exchange->RxContext + offset;

    if (count > maxsize) terminate();

    memmove(&MDL, P9Client->P9PacketStart.u.rread->data, count);
}


Through this research, we discovered a local Denial of Service (DoS) within the Windows kernel implementation of the P9 protocol. As explained, the vulnerability cannot be exploited to gain code execution within the Windows kernel, so there is no risk to users from this specific vulnerability. As a pre-requisite to malicious P9 server attacks, an attacker must hijack the P9 server socket “fsserver”. Therefore, we can mitigate this attack by detecting and preventing hijacking of the socket “fsserver”. McAfee MVISION Endpoint and EDR provide detection and prevention coverage against P9 server socket “fsserver” hijacking, which you can read more about here.

We hope this research provides insights into the following:

  1. The vulnerability hunting process for new features such as the WSL P9 protocol on the Windows 10 OS
  2. Support for future research higher up the WSL communications stack, which increases in complexity due to the implementation of a virtual Linux file system on Windows
  3. The value of McAfee Advanced Threat Research (ATR) working closely with our product and innovation teams to provide protection for our customers

Finally, a special thanks to Leandro Costantino and Cedric Cochin for their initial Windows 10 WSL P9 server research.

The post Hunting for Blues – the WSL Plan 9 Protocol BSOD appeared first on McAfee Blogs.

Speed or Security? We Say Speed AND Security

“Security software slows down my PC.”

We often hear this sentiment when users talk about malware protection. While people recognize the value of computer security, most get frustrated if the software bogs down their device. I mean, I myself become frustrated when I’m trying to crunch numbers and I’m suddenly greeted with an hourglass!

While this may happen with some online safety products, McAfee’s security suites are as light as they get. We understand that while consumers need malware protection, it shouldn’t come at the price of device performance. So, we put our products to the test – AV-TEST and AV-Comparatives to be exact – to show users that they can stay secure without interrupting their digital lives with slow software.*

*AV-Test Results

*AV-Comparatives Results

Testing the Relationship Between Security and Speed

Modern tech users are multitaskers at heart. We need our devices to run all of our favorite programs efficiently, from email to photo editing apps to music streaming services. Security software is another program we need to run – one we’re worried will slow down the rest. So how can we be sure that our PC performance won’t be poorly impacted? Answer: measure it.

To measure how much impact malware protection has on PC performance, some independent test labs include performance impact benchmarks in their security product tests. The most well-known of these test labs are AV-TEST, which is based in Germany, and the Austria-based AV-Comparatives. These independent labs are among the most reputable and well-known anti-malware test labs in the world.

These organizations work by testing and evaluating a number of security products and the impact they have on PC performance. The AV-TEST lab evaluates the latest versions of various security products and measures the average impact of each product on computer speed. AV-Comparatives, on the other hand, uses low-end computers and mimics users’ daily usage as closely as possible, focusing on activities like copying files, installing and uninstalling applications, launching applications, downloading files, and browsing websites. Based on its results, AV-Comparatives grades products in award levels ranging from ADVANCED+ (the highest ranking) to STANDARD (the lowest ranking).

So, how does McAfee stand up to the competition? Since May 2018, McAfee has consistently received the highest score in all performance tests. As a result, McAfee® Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020. Additionally, McAfee has achieved the ADVANCED+ ranking continuously since October 2016. In other words, McAfee Total Protection is one of the fastest and lightest products on the market. With results like these, I have to toot our own horn!

How Do These Results Impact Our Day-To-Day Lives?

During the WFH era, users are more reliant on devices than ever before. They need to work quickly and safely, without worrying about online threats. This matters because today’s malware comes in many forms, adapting to new technology and to the behavior of the consumers who use it. Hackers often tailor their lures to whatever is present in consumers’ lives, so lately we have seen malware delivered through COVID-related phishing emails and through known device or app vulnerabilities.

What Else Helps with McAfee’s Performance Results?

McAfee Total Protection comes with PC Boost features, which benefit both productivity and entertainment by automatically giving more horsepower to apps you are actively working in and by pausing annoying auto-play videos in your browser. While these additions don’t specifically factor into the aforementioned test results, these automated tools help your computer run faster and more efficiently.

By leveraging a comprehensive solution like McAfee Total Protection, users can ultimately be more efficient with their time online, whether that’s crunching numbers, playing games, or running multiple apps at once. And let’s face it – when our devices make us feel empowered, our digital lives are better.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Speed or Security? We Say Speed AND Security appeared first on McAfee Blogs.

Towards native security defenses for the web ecosystem

With the recent launch of Chrome 83, and the upcoming release of Mozilla Firefox 79, web developers are gaining powerful new security mechanisms to protect their applications from common web vulnerabilities. In this post we share how our Information Security Engineering team is deploying Trusted Types, Content Security Policy, Fetch Metadata Request Headers and the Cross-Origin Opener Policy across Google to help guide and inspire other developers to similarly adopt these features to protect their applications.


Since the advent of modern web applications, such as email clients or document editors accessible in your browser, developers have been dealing with common web vulnerabilities which may allow user data to fall prey to attackers. While the web platform provides robust isolation for the underlying operating system, the isolation between web applications themselves is a different story. Issues such as XSS, CSRF and cross-site leaks have become unfortunate facets of web development, affecting almost every website at some point in time.

These vulnerabilities are unintended consequences of some of the web's most wonderful characteristics: composability, openness, and ease of development. Simply put, the original vision of the web as a mesh of interconnected documents did not anticipate the creation of a vibrant ecosystem of web applications handling private data for billions of people across the globe. Consequently, the security capabilities of the web platform meant to help developers safeguard their users' data have evolved slowly and provided only partial protections from common flaws.

Web developers have traditionally compensated for the platform's shortcomings by building additional security engineering tools and processes to protect their applications from common flaws; such infrastructure has often proven costly to develop and maintain. As the web continues to change to offer developers more impressive capabilities, and web applications become more critical to our lives, we find ourselves in increasing need of more powerful, all-encompassing security mechanisms built directly into the web platform.

Over the past two years, browser makers and security engineers from Google and other companies have collaborated on the design and implementation of several major security features to defend against common web flaws. These mechanisms, which we focus on in this post, protect against injections and offer isolation capabilities, addressing two major, long-standing sources of insecurity on the web.

Injection Vulnerabilities

In the design of systems, mixing code and data is one of the canonical security anti-patterns, causing software vulnerabilities as far back as in the 1980s. It is the root cause of vulnerabilities such as SQL injection and command injection, allowing the compromise of databases and application servers.

On the web, application code has historically been intertwined with page data. HTML markup such as <script> elements or event handler attributes (onclick or onload) allow JavaScript execution; even the familiar URL can carry code and result in script execution when navigating to a javascript: link. While sometimes convenient, the upshot of this design is that – unless the application takes care to protect itself – data used to compose an HTML page can easily inject unwanted scripts and take control of the application in the user's browser.

Addressing this problem in a principled manner requires allowing the application to separate its data from code; this can be done by enabling two new security features: Trusted Types and Content Security Policy based on script nonces.

Trusted Types
Main article: by Krzysztof Kotowicz

JavaScript functions used by developers to build web applications often rely on parsing arbitrary structure out of strings. A string which seems to contain data can be turned directly into code when passed to a common API, such as innerHTML. This is the root cause of most DOM-based XSS vulnerabilities.

Trusted Types make JavaScript code safe-by-default by restricting risky operations, such as generating HTML or creating scripts, to require a special object – a Trusted Type. The browser will ensure that any use of dangerous DOM functions is allowed only if the right object is provided to the function. As long as an application produces these objects safely in a central Trusted Types policy, it will be free of DOM-based XSS bugs.

You can enable Trusted Types by setting a Content-Security-Policy response header on your pages that requires Trusted Types for script sinks.

We have recently launched Trusted Types for all users of My Google Activity and are working with dozens of product teams across Google as well as JavaScript framework owners to make their code support this important safety mechanism.

Trusted Types are supported in Chrome 83 and other Chromium-based browsers, and a polyfill is available for other user agents.
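A central Trusted Types policy of the kind described above, as an added example that is not code from the Google post or from My Google Activity. It assumes the page is served with Content-Security-Policy: require-trusted-types-for 'script'; trusted-types app, so that only a policy named app can be created; trustedTypes is the browser's global (window.trustedTypes), and the small fallback object is here only so the same policy code runs under Node for testing. The allowed script origins and the policy name are assumptions for the example.

```javascript
'use strict';
// Added example: a single Trusted Types policy through which all HTML and script-URL
// values for dangerous DOM sinks must pass. Origins and policy name are assumptions.
const ALLOWED_SCRIPT_ORIGINS = ['https://app.example.com', 'https://static.example.com'];

// Stand-in with the same createPolicy shape as window.trustedTypes, used only when the
// browser API is absent (e.g. running this file under Node). Real TrustedHTML objects
// are opaque; the fallback returns plain strings.
function fallbackTrustedTypes() {
  return {
    createPolicy(name, rules) {
      return {
        name,
        createHTML: (s) => rules.createHTML(String(s)),
        createScriptURL: (s) => rules.createScriptURL(String(s)),
      };
    },
  };
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function makePolicy(tt = (typeof trustedTypes !== 'undefined' ? trustedTypes : fallbackTrustedTypes())) {
  return tt.createPolicy('app', {
    // Anything headed for innerHTML/outerHTML is escaped, so it can never carry markup.
    // An application that must render rich HTML would run a sanitizer here instead.
    createHTML: (input) => escapeHtml(input),

    // Script URLs are resolved against the app origin and must land on an allowlisted
    // origin; otherwise the policy throws and the sink (script.src) is never assigned.
    createScriptURL: (input) => {
      const url = new URL(input, 'https://app.example.com/');
      if (!ALLOWED_SCRIPT_ORIGINS.includes(url.origin)) {
        throw new TypeError(`script URL origin not allowed: ${url.origin}`);
      }
      return url.href;
    },
  });
}

// In the browser the policy is used at every sink:
//   el.innerHTML = policy.createHTML(untrustedText);
//   script.src   = policy.createScriptURL(pathFromConfig);
// With require-trusted-types-for 'script' enforced, assigning a raw string to either sink throws.
```

The point of routing everything through one policy is that a review of DOM XSS risk reduces to reviewing these two functions; every other innerHTML or script.src assignment in the code base is either compliant or rejected by the browser.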

Content Security Policy based on script nonces
Main article: Reshaping web defenses with strict Content Security Policy

Content Security Policy (CSP) allows developers to require every <script> on the page to contain a secret value unknown to attackers. The script nonce attribute, set to an unpredictable number for every page load, acts as a guarantee that a given script is under the control of the application: even if part of the page is injected by an attacker, the browser will refuse to execute any injected script which doesn't identify itself with the correct nonce. This mitigates the impact of any server-side injection bugs, such as reflected XSS and stored XSS.

CSP can be enabled by setting a Content-Security-Policy HTTP response header whose script-src directive carries the nonce for that response. The header requires every script emitted by your HTML templating system to include a nonce attribute whose value matches the one in the response header; a script without the right nonce is not executed.
Our CSP Evaluator tool can help you configure a strong policy. To help deploy a production-quality CSP in your application, check out this presentation and the documentation on

Since the initial launch of CSP at Google, we have deployed strong policies on 75% of outgoing traffic from our applications, including in our flagship products such as Gmail and Google Docs & Drive. CSP has mitigated the exploitation of over 30 high-risk XSS flaws across Google in the past two years.

Nonce-based CSP is supported in Chrome, Firefox, Microsoft Edge and other Chromium-based browsers. Partial support for this variant of CSP is also available in Safari.

Isolation Capabilities

Many kinds of web flaws are exploited by an attacker's site forcing an unwanted interaction with another web application. Preventing these issues requires browsers to offer new mechanisms to allow applications to restrict such behaviors. Fetch Metadata Request Headers enable building server-side restrictions when processing incoming HTTP requests; the Cross-Origin Opener Policy is a client-side mechanism which protects the application's windows from unwanted DOM interactions.

Fetch Metadata Request Headers
Main article: by Lukas Weichselbaum

A common cause of web security problems is that applications don't receive information about the source of a given HTTP request, and thus aren't able to distinguish benign self-initiated web traffic from unwanted requests sent by other websites. This leads to vulnerabilities such as cross-site request forgery (CSRF) and web-based information leaks (XS-leaks).

Fetch Metadata headers, which the browser attaches to outgoing HTTP requests, solve this problem by providing the application with trustworthy information about the provenance of requests sent to the server: the source of the request, its type (for example, whether it's a navigation or resource request), and other security-relevant metadata.

By checking the values of these new HTTP headers (Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest), applications can build flexible server-side logic that rejects unwanted cross-site requests while letting the application's own traffic through.

We provided a detailed explanation of this logic and adoption considerations in the main article linked above. Importantly, Fetch Metadata can both complement and facilitate the adoption of Cross-Origin Resource Policy (CORP), which offers client-side protection against unexpected subresource loads.
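A resource isolation policy of the kind described above, as an added example that is not code from the Google post or from Google Photos. It decides from the Sec-Fetch-Site, Sec-Fetch-Mode and Sec-Fetch-Dest headers whether to serve a request, allowing same-origin, same-site and user-initiated requests and plain top-level GET navigations, and rejecting every other cross-site request. The exception list (endpoints that must remain reachable cross-site, such as an OAuth callback) and the Node http adapter are assumptions for the example.

```javascript
'use strict';
// Added example: server-side resource isolation using Fetch Metadata request headers.
// Exception paths are an assumption for the example.
const CROSS_SITE_EXCEPTIONS = new Set(['/oauth/callback']);

// req: { method, path, headers } with lower-case header names, as Node's http module
// provides them. Returns { allow: true } or { allow: false, reason }.
function isolationPolicy(req) {
  const header = (name) => String(req.headers[name] || '').toLowerCase();
  const site = header('sec-fetch-site');

  // No Fetch Metadata at all: an older browser or a non-browser client. Allow, and rely
  // on the application's existing defenses (CSRF tokens, SameSite cookies) for these.
  if (site === '') return { allow: true };

  // From our own origin, our own site, or directly from the user (address bar, bookmark).
  if (site === 'same-origin' || site === 'same-site' || site === 'none') return { allow: true };

  // Cross-site from here on. Allow plain top-level GET navigations (links to us from other
  // sites, and framing, which COOP/X-Frame-Options handle separately), but not navigations
  // into <object>/<embed>, whose content a plugin could read.
  if (header('sec-fetch-mode') === 'navigate' && req.method === 'GET') {
    const dest = header('sec-fetch-dest');
    if (dest !== 'object' && dest !== 'embed') return { allow: true };
  }

  // Endpoints that legitimately receive cross-site requests.
  if (CROSS_SITE_EXCEPTIONS.has(req.path)) return { allow: true };

  // Everything else is a cross-site subresource load, fetch() or form post: reject.
  return { allow: false, reason: `cross-site ${req.method} ${req.path} rejected by isolation policy` };
}

// Adapter for Node's http.IncomingMessage so the policy can run first in a handler:
//   if (!applyIsolationPolicy(req, res)) return;   // 403 already sent
function applyIsolationPolicy(req, res) {
  const decision = isolationPolicy({
    method: req.method,
    path: new URL(req.url, 'http://localhost').pathname,
    headers: req.headers,
  });
  if (!decision.allow) {
    res.writeHead(403, { 'Content-Type': 'text/plain' });
    res.end('Forbidden\n');
  }
  return decision.allow;
}
```

Deploy this in report-only mode first (log the decision instead of sending 403) to find the cross-site requests the application legitimately depends on before enforcing.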

At Google, we've enabled restrictions using Fetch Metadata headers in several major products such as Google Photos, and are following up with a large-scale rollout across our application ecosystem.

Fetch Metadata headers are currently sent by Chrome and Chromium-based browsers and are available in development versions of Firefox.

Cross-Origin Opener Policy
Main article: by Eiji Kitamura

By default, the web permits some interactions with browser windows belonging to another application: any site can open a pop-up to your webmail client and send it messages via the postMessage API, navigate it to another URL, or obtain information about its frames. All of these capabilities can lead to information leak vulnerabilities.

Cross-Origin Opener Policy (COOP) allows you to lock down your application to prevent such interactions. To enable COOP in your application, set the Cross-Origin-Opener-Policy HTTP response header to same-origin. If your application opens other sites as pop-ups, you may need to set the header value to same-origin-allow-popups instead; see this document for details.

We are currently testing Cross-Origin Opener Policy in several Google applications, and we're looking forward to enabling it broadly in the coming months.

COOP is available starting in Chrome 83 and in Firefox 79.

The Future

Creating a strong and vibrant web requires developers to be able to guarantee the safety of their users' data. Adding security mechanisms to the web platform – building them directly into browsers – is an important step forward for the ecosystem: browsers can help developers understand and control aspects of their sites which affect their security posture. As users update to recent versions of their favorite browsers, they will gain protections from many of the security flaws that have affected web applications in the past.

While the security features described in this post are not a panacea, they offer fundamental building blocks that help developers build secure web applications. We're excited about the continued deployment of these mechanisms across Google, and we're looking forward to collaborating with browser makers and the web standards community to improve them in the future.

For more information about web security mechanisms and the bugs they prevent, see the Securing Web Apps with Modern Platform Features Google I/O talk (video).

What to Do When Your Social Media Account Gets Hacked

You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account may have been hacked. What do you do? 

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. 

So, how should you respond if you find yourself in a social media predicament such as this? Your first move—and a crucial one—is to change your password right away and notify your connections that your account may have been compromised. This way, your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other hidden threats to having your social media account hacked. 

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts? 

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs. 

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites. 

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts. 

You may have already seen the “discount sunglasses” scam that plagued Facebook a couple of years ago and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account, and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on them, which in turn compromises their own accounts. 

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page. 

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account. 

Now that you know what do to after a social media account is hacked, here’s how to prevent it from happening in the first place. 

How to Keep Your Social Accounts Secure 

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know. 
  • Flag any scam posts or messages you encounter on social media to the respective platform, so they can help stop the threat from spreading. 
  • Use unique, complex passwords for all your accounts. Use a password generator to help you create strong passwords and a password manager can help store them.  
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available. 
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions. 
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen. 
  • Always use comprehensive security software that can keep you protected from the latest threats. 
  • Keep up-to-date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook. 

The post What to Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

NIST’s Post-Quantum Cryptography Program Enters ‘Selection Round’

The race to protect sensitive electronic information against the threat of quantum computers has entered the home stretch. After spending more than three years examining new approaches to encryption and data protection that could defeat an assault from a quantum computer, the National Institute of Standards and Technology (NIST) has winnowed the 69 submissions it initially received down to a final group of 15. NIST has now begun the third round of public review. This “selection round” will help the agency decide on the small subset of these algorithms that will form the core of the first post

Staying Home? McAfee Report Shows Malware May Come Knocking

It’s no secret that COVID-19 continues to reshape the way we live our everyday lives. With each passing day, we become more reliant on our devices to stay connected with friends and family, move our professional work forward, participate in distance learning, or keep ourselves entertained.

Unfortunately, hackers are all too aware of these habits. In fact, findings from “McAfee’s COVID-19 Threat Report: July 2020” have shown how criminals pair threats to whatever is present in consumers’ lives – specifically targeting pandemic-related industries, device habits, behaviors, and more with new malware strains.

A Day in the Life of Today’s Consumer

The day in the life of today’s consumer involves a lot of internet time.

Back in March, users first transitioned from in-office to work from home to promote social distancing. As a result, they conduct their 9-to-5 from their personal living space. But with such a rushed transition, some of these workers aren’t trained on how the change impacts their online security and could be potentially working on unsecured Wi-Fi.

Working professionals aren’t the only ones who have had to adapt to a new remote environment. Students have also made the transition to distance learning, moving from in-person course work to virtual classrooms. But as more students continue their curriculum from home and online activity increases, they become more reliant on digital platforms, such as video conferencing, that have now caught the eye of hackers.

When these professionals or students are done for the day, they then turn to some safe ways to unwind. To keep entertained, users have turned to online gaming, shopping, podcasts, social media, and TV streaming for fun – with the latter experiencing a 12% increase in viewing time in the third week of March alone.

More Online Activity, More Opportunities for Cyberattacks

As it turns out, this increase in online activity has given hackers plenty of new avenues to exploit, almost all of which are pandemic-related. First and foremost, hackers have targeted attacks at those that feel the impacts of COVID-19 most directly, namely the public sector. As McAfee research discovered, incidents during Q1 2020 increased by 73% in the public sector, 59% for individuals, 33% in education, and 44% in manufacturing.

Additionally, McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminal exploits through COVID-19 themed malicious apps, phishing campaigns, malware, and more during the first quarter of this year. Specifically, McAfee researchers discovered campaigns using pandemic-related subject lines – including testing, treatments, cures, and remote work topics. Criminals are using this sneaky tactic to lure targets into clicking on a malicious link, downloading a file, or viewing a PDF, resulting in the user’s device becoming infected with malware.

The Rise of Malware

Speaking of malware – according to the latest McAfee COVID-19 Threat Report, total malware increased by 27% over the past four quarters and new Mac OS malware samples increased by 51%. New mobile malware also increased by a whopping 71%, with total mobile malware increasing almost 12% over the past four quarters. As for IoT devices, new malware samples increased by nearly 58%, with total IoT malware growing 82% over the past few quarters.

Mask Your Digital Life

During this time of uncertainty, it can be difficult to decipher what is fact from fiction, to successfully identify a malicious scheme and stop it in its tracks. However, consumers can help protect their digital lives by following security best practices, now and in the future. Here’s what you can do to safeguard your security and remain worry-free:

Stay updated on the latest threats

To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.

Use a VPN

Avoid eavesdroppers on the networks you use by connecting through a VPN, which encrypts – or scrambles – the data your device sends and receives so that others on the same network can’t read it. Note that a VPN protects the traffic of the device it runs on; other devices (work or personal) connected to your Wi-Fi need their own protection.

Use a comprehensive security solution

Use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Staying Home? McAfee Report Shows Malware May Come Knocking appeared first on McAfee Blogs.

McAfee COVID-19 Report Reveals Pandemic Threat Evolution

The McAfee Advanced Threat Research team today published the McAfee® Labs COVID-19 Threats Report, July 2020.

In this “Special Edition” threat report, we delve deep into the COVID-19 related attacks observed by our McAfee Advanced Threats Research and McAfee Labs teams in the first quarter of 2020 and the early months of the pandemic.

What started as a trickle of phishing campaigns and the occasional malicious app quickly turned to thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world.

Thus far, the dominant themes of the 2020 threat landscape have been cybercriminals’ quick adaptation to exploit the pandemic and the considerable impact cyberattacks have had. For example, many ransomware attacks have escalated into data breaches as cybercriminals up the ante by leaking sensitive, often regulated, data, regardless of whether victims have paid the ransom.

Some of the other significant threat findings in our COVID-19 report include:

  • Average of 375 threats per minute in Q1 2020
  • Nearly 47% of all publicly disclosed security incidents took place in the United States
  • New PowerShell Malware increased drastically
  • Disclosed incidents largely targeted Public, Individual, and Education sectors

In a first, we also have made available a COVID-19 dashboard to complement this threat report and extend its impact beyond the publication date. Timeliness is a challenge for publishing any threat report, but through the development of MVISION Insights our threat reports will include a link to another live dashboard tracking the world’s top threats. We will also make available the IOCs, YARA rules, and mapping to the MITRE ATT&CK framework as part of our continuing commitment to sharing our actionable intelligence. I hope these McAfee resources will be useful to you, the reader.

As we head into the second half of the year, we must consider how the threat landscape has changed when we address and define each attack. Simply assigning a technical descriptor or reverting to the same attack classifications fails to communicate the impact such campaigns have on the broader society.

All too often, we are called into investigations where businesses have been halted, or victims have lost considerable sums of money. While we all have had to contend with pandemic lockdown, criminals of all manner of capability have had a field day.

We hope you enjoy these new threat report approaches, and moreover we would appreciate you sharing these findings far and wide. These tools and insights could be the difference between a business remaining operational or having to shut its doors at a time when we have enough challenges to contend with.


The post McAfee COVID-19 Report Reveals Pandemic Threat Evolution appeared first on McAfee Blogs.

Building the Federal Profile For IoT Device Cybersecurity: Next Steps for Securing Federal Systems

RECORDING: Captioning will be available by Monday, August 3, 2020. On July 22-23, NIST will host a virtual-only event, Building the Federal Profile For IoT Device Cybersecurity: Next Steps for Securing Federal Systems. NIST leveraged the Core Baseline established in NISTIR 8259A and analyzed the controls found in NIST SP 800-53 to develop a catalog of key IoT device cybersecurity capabilities and supporting non-technical manufacturer capabilities and associated IoT device customer controls. This catalog is a critical building block for establishing a federal profile of the Core Baseline (

Unique Threats to Operational Technology and Cyber Physical Systems

In this latest episode of our Eye on Security podcast, I talk all about the world of operational technology (OT) and cyber physical systems with one of our foremost experts on the topic: Nathan Brubaker, Senior Manager of Analysis for Mandiant Threat Intelligence.

Nathan kicked off our chat by explaining what exactly we mean when we use the term ‘cyber physical.’ We then turned our attention to related threats. As it turns out, there are far fewer attempts by attackers to target these systems than one might believe. Nathan went on to discuss some of the fundamental differences between OT and information technology (IT) systems, and then explained how OT is becoming more similar to IT, which makes OT systems more vulnerable to compromise. Fortunately, even though OT security typically lags behind that of IT systems, it’s definitely moving in the right direction.

Listen to the podcast today, and check out the following blog posts referenced by Nathan during the episode:

Strong Password Ideas to Keep Your Information Safe

Password protection is one of the most common security protocols available. By creating a unique password, you are both proving your identity and keeping your personal information safer. However, when every account you have requires a separate password, it can be an overwhelming task. While you should be concerned about the safety of your data, you also want to avoid the frustration of forgetting your password and being blocked from the information you need. However, the benefits of using strong, unique passwords outweigh the occasional inconvenience.

Benefits of Strong Passwords

The main benefit of a strong password is security. Hackers work quickly when they are trying to access accounts. They want to steal as much information as they can in as short a time as possible. This makes an account with a strong password less inviting because cracking the code is much more involved.

A strong password also limits the damage that hackers can do to your personal accounts. A common strategy involves cracking the passwords of less secure sites with limited personal information. The hackers hope that they can use the password from your gym membership app to access information in your online banking account. Strong password protection prevents this situation.

Common Poor Password Practices

When someone is registering an online account, it can be tempting to blaze through the password process. In order to move quickly, there are several poor password practices that people employ.

  • Simple passwords: Password-cracking programs start by entering obvious combinations. These are passwords where the user puts no thought into the code such as “password” or “1234567”.
  • Repeated passwords: You may think you have such an unbreakable password that you want to use it for all of your accounts. However, this means that if hackers compromise one of your accounts, all of your other accounts are vulnerable.
  • Personal information: The number combinations that you are apt to remember easily are the ones that hackers can find. You may have put your birthday or graduation year on public display in a social media account. Your dog’s name may be unusual, but if you share information about your canine friend with the world, its name is a weak password.

The Meaning of a Strong Password

A password is considered strong when it is difficult for a hacker to crack it quickly. Sophisticated algorithms can run through many password combinations in a short time. A password that is long, complex and unique will discourage attempts to break into your accounts.

  • Long: The combinations that protect your accounts should be long enough that it would be difficult for a computer program to run through all the possible configurations. The four-digit PIN on a bank card has 10,000 possible combinations. This might take a human being some time to crack, but a computer program with unlimited tries could break it in a few seconds. If you were using only numbers, every extra character in your password would multiply the possible combinations by 10. To stump the algorithms, you want a password that is a minimum of 12 characters long.
  • Complex: To increase the challenge of your password, it should have a combination of uppercase letters, lowercase letters, symbols and numbers. Hacking algorithms look for word and number patterns. By mixing the types of characters, you will break the pattern and keep your information safe.
  • Unique: If you have been reusing your passwords, it is time for you to start the work of changing them. Every one of your accounts should have its own password. At the very least, make certain that you have not reused passwords for your financial institutions, social media accounts and any work-related accounts.
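To put numbers on the "Long" and "Complex" points above, here is an added example (not from the original post) that computes the keyspace, entropy and worst-case exhaustive-search time for a password judged by its own length and character classes. The guessing rate of 10^10 per second and the 94-symbol alphabet (letters, digits and ASCII punctuation) are assumptions.

```python
import math
import string

# Character classes as the post describes them. Alphabet sizes assumed here:
# 26 lower, 26 upper, 10 digits and the 32 ASCII punctuation symbols (94 in total).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

# Assumed offline guessing rate used for the time estimate (a constructed figure;
# real rates depend on the password hash in use and the attacker's hardware).
GUESSES_PER_SECOND = 10 ** 10


def alphabet_size(password: str) -> int:
    """Size of the union of every character class that appears in the password."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password contains no recognised characters")
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Distinct strings of `length` symbols drawn from an alphabet of `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random string: log2 of the keyspace."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time for an attacker to try every combination at `rate` guesses/s."""
    return keyspace(length, alphabet) / rate


def describe(password: str) -> dict:
    """Keyspace figures for a password judged by its own length and character classes."""
    length, alphabet = len(password), alphabet_size(password)
    return {
        "length": length,
        "alphabet": alphabet,
        "keyspace": keyspace(length, alphabet),
        "entropy_bits": round(entropy_bits(length, alphabet), 1),
        "years_to_exhaust": seconds_to_exhaust(length, alphabet) / (365 * 24 * 3600),
    }


if __name__ == "__main__":
    print(describe("1234"))               # the bank-card PIN: 10 ** 4 = 10,000 combinations
    print(describe("123456789012"))       # twelve digits: each extra digit multiplies by 10
    print(describe("Runn1NG26.2R0cK$!"))  # the post's layered password: all four classes
```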

Creating a Layered Password

If you want a password that is memorable but strong, you can easily turn a phrase into a layered, complex password. In this process, it is important to note that you should not use personal information that is available online as part of your phrase.

  • Pick a phrase that is memorable for you: It should not be a phrase you commonly use on social media accounts. If you are an avid runner you might choose a phrase like, “Running 26.2 Rocks!”
  • Replace letters with numbers and symbols: Remove the spaces. Then, you can put symbols and numbers in the place of some of the letters. Runn1ng26.2R0ck$!
  • Include a mix of letter cases: Finally, you want both lower and uppercase letters that are not in a clear pattern. Algorithms know how to look for common patterns like camelCase or PascalCase. Runn1NG26.2R0cK$!

Now, you have a password that you can remember while challenging the algorithms hackers use.

Employing a Password Manager

When you consider the number of accounts you need to protect, coming up with a properly layered password is a time-consuming task. Even if you are able to decide on a memorable phrase, there are just too many accounts that need passwords. A password manager is a helpful tool to keep you safe while you are online. It acts as a database for all of your passwords. Each time you create a new code, it stores it so that you can automatically enter it later. You only need to remember a single password to access the tools of your manager.

Most managers can also do the work of creating complex, layered passwords for your accounts. These will be a string of random numbers, letters and characters. They will not be memorable, but you are relying on the manager to do the memorizing. These machine-generated passwords are especially helpful for accounts you rarely access or that do not hold significant information.

Maintaining an Offline Password List

For critical accounts like your bank account or a work-related account, it can be helpful to keep an offline list of your passwords. Complex passwords are meant to be difficult to remember. You may recall the phrase but not all the detailed changes that make it layered. Keeping a document on a zip drive or even in a physical paper file or journal will allow you to access your information if your hardware fails or you are switching to a new system.

Keeping the Whole System Safe

Cracking passwords is just one of the strategies hackers use to steal information. In addition to using strong passwords, it is important to employ comprehensive security software. Strong passwords will help protect your online accounts. Strong overall security will keep your hardware and network safe from danger.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Strong Password Ideas to Keep Your Information Safe appeared first on McAfee Blogs.

Ways to Strengthen Your Family’s Digital and Mental Wellbeing

There’s a lot that feels out of control right now. City and school re-openings are in limbo, and life for many still feels upended. But one thing we can control is our efforts to safeguard our family’s digital and mental health.

Both adults and kids use television, tablets, and smartphones more these days for both school and entertainment. According to a study by Axios, children’s screen time during the pandemic is surging by as much as 50 to 60 percent, putting screen time for children 12 and younger at nearly five hours or more per day. Another study in the Journal of Medical Internet Research indicates people’s mental health has worsened during the Coronavirus pandemic.

Priority: Family Wellbeing

It’s clear this season has impacted all ages in myriad ways and put the spotlight on the importance of digital and mental health. Here are some resources and tips to help strengthen both.

Keep structure intact. Experts agree that establishing a daily structure is the best way to keep family life as healthy as possible right now. Scheduling set times for learning, chores, exercise, mealtimes, screen time, and connecting with peers in online hangouts is essential. Safe Online: Establishing structure may be easier with software that also helps limit screen time, monitor activity, and filter apps and websites.

Clarify the news. Kids pick up on everything, both true and untrue. They often collect bits and pieces of “news” from TV, overhearing adults, or fragments of stories from peers, all of which can increase anxiety. Safe Online: Parents can help ease the fear caused by misinformation by (age-appropriately) updating children with facts on current events and helping them understand the context of what they see online or on television. 

Encourage connection. Social distancing does not mean social isolation. If your child seems lonely or isolated, help pull them back into the mix. If they can’t meet in a safe, socially-distanced setting with friends face-to-face, allow extra time on Messenger Rooms or Zoom to group chat with peers or relatives. Safe Online: Keep kids safe by using privacy settings in video apps and always supervise young children. 

Keep device use in check. Yes, we’re all on devices more, but that doesn’t greenlight a device free-for-all. Balance (pandemic or not) is always the aim of managing digital and mental health. Consider putting away devices during mealtime and before bedtime, and even challenge each other to go phone- and screen-free one full day a week. Safe Online: Check your phone usage stats on your devices daily or use software to track it for you.

Get moving. Squeezing in even 15-30 minutes of exercise a day alters our biochemical and hormonal balance and reduces mood swings, fatigue, anxiety, and feelings of hopelessness. Safe Online: If you use mobile fitness apps, maximize your privacy settings and read the app terms to understand how the app tracks your health data.

Parent self-care. “You can’t pour from an empty cup,” is a simple but powerful sentiment these days. Unplugging, turning off the news, and resting or meditating can turn a stressful day around. Safe Online: Minimize scrolling mindlessly online or engaging in online conflict. Modeling balanced digital habits is self-care and is a powerful way to help your child do the same. 

Family Resources Online

Consider online resources. To meet the demand of families at home, most insurance plans now offer online counseling. Also, surprisingly, Instagram is becoming a mental health hub. As worry continues around finances, job loss, health, and the impact of isolation, meeting with a counselor or therapist 1-1 online may be an easy, useful solution. To get started, do a hashtag search for #FamilyCounseling #Marriage #Counselling #Therapy #Stress #Anxiety or a profile search with the same keywords. Safe Online: Vet online counselors and therapists to make sure they are licensed and not part of an online scam.

MHA resources. Mental Health America has compiled an impressive range of resources and information for people in need of services such as domestic and child abuse, drug and alcohol issues, financial issues, suicide, depression, and LGBTQ issues. The site houses endless blogs and on-demand webinars specific to Coronavirus and family mental health issues.

As this season of uncertainty continues, it’s important to remember you are not alone. Everyone is feeling all the feelings, and no one has things like structure and balance mastered. But, we’re all getting wiser each day simply by committing to protecting the things that matter most.

The post Ways to Strengthen Your Family’s Digital and Mental Wellbeing appeared first on McAfee Blogs.

The Schrems II Decision: The Day After

This blog is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security or compliance with laws or regulations.

The European Court of Justice (“CJEU”) yesterday invalidated the Privacy Shield, an agreement between the European data regulators and the U.S. Chamber of Commerce created in 2016 that allows businesses in the European Union to transfer data to the U.S.  The Court said Privacy Shield, which is used by more than 5,000 companies (though not McAfee), does not comply with European privacy rights.

The decision is seen as one of the most important international privacy cases in recent history and arose from a complaint against Facebook brought to the Irish Data Protection Commissioner by Max Schrems.

Schrems has been challenging the transfer of his data (and the data of EU citizens generally) to the United States by Facebook, which has its European base in Ireland. His first case (“Schrems I”) led the Court in 2015 to invalidate the Safe Harbor arrangement, a prior arrangement governing that data transfers from the EU to the US. The Safe Harbor scheme was replaced by the EU-US Privacy Shield on July 12, 2016, in response to the case.

The Court gave two major reasons for its decision (“Schrems II”) that the European Commission was wrong to say the Privacy Shield adequately protected the data of EU residents.  The Court said that

  • U.S. surveillance programs are not limited to what is strictly necessary and proportional and hence do not meet the requirements of Article 52 of the EU Charter on Fundamental Rights;
  • EU data subjects lack actionable judicial redress with regards to U.S. surveillance, and, therefore, do not have a right to an effective remedy in the U.S., as required by Article 47 of the EU Charter.

Additionally, the CJEU ruled that:

  • Standard Contractual Clauses (“SCCs”), which are currently being reviewed by the European Commission, and Binding Corporate Rules (“BCRs”) remain valid mechanisms for transferring data outside of the European Union;
  • BUT companies must verify, on a case-by-case basis, whether the law in the recipient country ensures adequate protection, under EU law, for personal data transferred under SCCs and, where it doesn’t, companies must provide additional safeguards or suspend transfers. The ruling placed the same requirement on EU data protection authorities to suspend such transfers on a case-by-case basis where equivalent protection cannot be ensured.

We’ve already started hearing some myths that need debunking:

  • Myth 1: Keeping data in Europe is the ONE solution. Well no, it isn’t. The internet is Global, the Cloud is global and data localization may not prevent the application of the U.S.’s Cloud Act;
  • Myth 2: The U.S. will need to change its laws: Not so fast! This may help, but it will take some time, and meeting what the Court wants will require changes to the Patriot Act and a new means of recourse – no small ask of a U.S. Congress even when the House and the Senate are working well together, much less in the middle of a pandemic with a lot of political divisiveness;
  • Myth 3: This only concerns the U.S. Nope, government surveillance (and secretive surveillance) exists almost everywhere – and is necessary, including in the European Union and in some of the jurisdictions that the EU has said have adequate protections.  This ruling could open the door for many uncomfortable conversations with jurisdictions that have thought they were safe in the past.
  • Myth 4: The ruling says that European companies must stop using U.S. service providers, especially Cloud service providers. No, that’s again bashing multinational corporations which abide by the strictest security standards.

From a practical standpoint, what are the changes?

  • Companies that used to transfer data under the Privacy Shield should consider signing SCCs and may want to think about a project to put in place BCRs;
  • SCCs may need to be amended to add additional language so to provide additional safeguards when faced with access requests by public authorities around the world.

What does this mean for McAfee customers? McAfee is committed to adhering to the applicable laws.  We are glad to sign SCCs with customers.  We have done a lot of work to make sure that our products were ready for the GDPR, and continue to track the regulatory and judicial changes.  We’re glad to talk to you about this and other issues, contact us here.


The post The Schrems II Decision: The Day After appeared first on McAfee Blogs.

Create Strong Passwords with a Password Generator

Whether you use the internet for several hours every day or only browse it on occasion, you have likely created numerous accounts on streaming services, financial services, and online storefronts like Amazon. Many of these accounts contain highly sensitive information. Hackers can get into online accounts and computers by guessing passwords, which means that your personal information would be available to them if you use a weak password.

To effectively protect your accounts from being hacked, it’s important that you have a strong password with each account that you create. However, it can be difficult to think of the perfect password that will keep your account safe from any hacker. To that end, there are many ways to create strong passwords, the primary of which is through a password generator. This article goes into detail about the importance of using good passwords and how to create them.

Importance of Having a Strong Password

Whenever you purchase an item online, you will be required to enter some financial information, which can include your bank account or credit card number. Many individuals may make the mistake of saving their financial information to the account because of how convenient it is. When you need to purchase an item in the future, you won’t need to go through the hassle of reentering your credit card information. The problem with saving your financial info to your account is that hackers who get into your account will have automatic access to the information at hand.

Website Security Measures Also Benefit from Strong Passwords

While website security has become increasingly strong over the past decade or so, the security measures a site owner takes don’t matter if a hacker is able to get into your account by guessing your password. That is why it’s essential that you create a strong password that will hold up to hacking attempts.

Weak Passwords can Lead to Many Problems

Without a strong password, you run the risk of experiencing identity theft or financial fraud, both of which can significantly damage your finances and livelihood if the issue isn’t corrected immediately. Keep in mind that some of the more popular passwords in the country include 123456, password, 111111, qwerty, and abc123. Because of how popular these passwords are, they are some of the first that hackers will use to attempt to get into an account.

Hackers Can Control Your Entire Account

Once a hacker has breached your account, they can do a variety of things, the primary of which involves acquiring any financial information that can be found in your account. These individuals can also choose to make purchases with this account or send in requests for new credit cards under your name. Along with stealing your own money, it’s possible for hackers to ruin your credit, which could take years to remedy.

Hackers Could Breach Your Computer

It’s important to understand that hackers can also get into your computer. Though more difficult, hackers can access documents and personal information on your computer if they are able to guess the password to your operating system. Many people store the passwords that they use in a document that’s stored on their computer, which is done with the belief that a hacker will never get into the computer itself. In the event that a hacker gains access to your device, they would be able to read the document where your passwords are stored. While having a strong password doesn’t eliminate the possibility of being hacked, it will make it much more difficult for someone to gain access to your computer or online accounts.

Using a Password Generator

If you need to store important personal or financial information online or on your computer, it’s essential that you pair your devices and accounts with strong passwords that will hold up to hacking attempts. Even though you can create lengthy and strong passwords without any assistance, keep in mind that the average U.S. citizen has around 25-30 accounts that passwords are needed for. Attempting to identify the perfect password on your own and for each account that you create can be a time-consuming and laborious process. Password generators are designed to instantly provide you with passwords that should be very difficult to guess.

How Password Generators Work

While every password generator is somewhat unique, the best generators are ones that provide you with options on what you would like to include in the password. The majority of password generators will automatically create passwords that are at least 15 characters long, consist of symbols and numbers, and include uppercase and lowercase letters. However, certain generators also provide users with the ability to exclude similar and ambiguous characters from the password that’s generated. Once you have generated a password, all that’s left is for you to input it into the account you’re currently creating. Password generators are simple to use and can make your life easier as you attempt to keep your personal information safe and secure.
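As an added example of how such a generator can be built (not McAfee's or True Key's code), the following uses Python's secrets module, guarantees one character from every requested class, and can drop the look-alike characters the paragraph mentions; the AMBIGUOUS set and the 15-character default are assumptions.

```python
import secrets
import string

# Characters often excluded as "similar or ambiguous" because they look alike in many
# fonts (assumed set: capital i, lowercase L, one, capital o, zero, pipe and quotes).
AMBIGUOUS = set("Il1O0|`'\"")

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALL_CLASSES = tuple(CLASSES)


def build_pools(classes, exclude_ambiguous):
    """Per-class character pools, optionally with look-alike characters removed."""
    pools = {}
    for name in classes:
        chars = CLASSES[name]
        if exclude_ambiguous:
            chars = "".join(c for c in chars if c not in AMBIGUOUS)
        pools[name] = chars
    return pools


def generate_password(length=15, classes=ALL_CLASSES, exclude_ambiguous=False):
    """Random password of `length` containing at least one character of each class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of requested classes")
    pools = build_pools(classes, exclude_ambiguous)
    # One guaranteed character per class, then fill the rest from the combined pool.
    chars = [secrets.choice(pools[name]) for name in classes]
    combined = "".join(pools.values())
    chars += [secrets.choice(combined) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_classes(password, classes=ALL_CLASSES):
    """True if every requested class contributes at least one character."""
    return all(any(c in CLASSES[name] for c in password) for name in classes)


def contains_ambiguous(password):
    """True if any look-alike character from AMBIGUOUS is present."""
    return any(c in AMBIGUOUS for c in password)


if __name__ == "__main__":
    print(generate_password())
    print(generate_password(20, exclude_ambiguous=True))
    print(generate_password(6, classes=("digit",)))  # a numeric-only code
```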

Extra Features to Look For in a Password Generator

Password generators can come with many extra features that could prove helpful in keeping your accounts and computer secure. For instance, some services provide users with a master password, which means that all of your passwords and secure information are kept under a single password that only you know. Some tools also allow users to set the exact length of the password, which could consist of anywhere from 8-100 characters. Additional features to be on the lookout for include unlimited password storage, 24/7 support, and custom security controls.

McAfee True Key Features

One potential password manager and generator you can use is McAfee True Key, which is designed to create very lengthy and strong passwords. Some of the core features of this particular tool include local data encryption, the support of numerous browsers, syncing across PC, Mac, iOS, and Android devices, and many different methods for signing in. For instance, you could pair the True Key app with the fingerprint reader on your device. You can also use the app to import any stored passwords from your browser.

How to Create a Strong Password

There are a myriad of things that you can do to create a strong password, the easiest of which is to use a password generator that will automatically provide you with a randomized password that will hold up well to hackers. While using a password generator is the most convenient option for creating a strong password, there are some additional tips and guidelines that you should keep in mind.

Primary Guidelines for Creating a Great Password

The main guidelines to keep in mind when creating a strong password include:

  • Make sure that your password is at least 7-8 characters long
  • Make sure that you never use a word or symbol for your password that can easily be found on any of your social media pages
  • Change each password you use at an interval of 90 days or less, which should also be done for any strong passwords you use
  • Use a combination of numbers, special characters, uppercase letters, and lowercase letters
  • Don’t use the same password for numerous accounts, which heightens the possibility that a breach into one of your accounts could lead to several accounts being compromised
  • Never write down your password on a piece of paper, which only serves to heighten the possibility of the password being seen by another individual and copied down
  • Consider using numbers and letters for your password that have no identifiable patterns within
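The guidelines above can be checked mechanically. This added example (not from the original post) reports which of them a candidate password violates, including the "no identifiable patterns" rule, using the popular passwords listed earlier on the page; the 8-character minimum, the run lengths and the keyboard rows are assumptions.

```python
import string

# Passwords the post lists as among the most popular (and therefore tried first).
COMMON_PASSWORDS = {"123456", "password", "111111", "qwerty", "abc123", "1234567"}

# Assumed thresholds: the post says 7-8 characters minimum, 8 is used here.
MIN_LENGTH = 8
RUN_LENGTH = 4       # abcd / 4321 / qwer count as a pattern
REPEAT_LENGTH = 3    # aaa / 111 count as a pattern
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

CLASSES = {
    "uppercase letter": set(string.ascii_uppercase),
    "lowercase letter": set(string.ascii_lowercase),
    "number": set(string.digits),
    "special character": set(string.punctuation),
}


def has_sequential_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """n or more characters whose code points step by exactly +1 or -1 (abcd, 4321)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, n: int = REPEAT_LENGTH) -> bool:
    """The same character n or more times in a row (aaa, 111)."""
    return any(len(set(pw[i:i + n])) == 1 for i in range(len(pw) - n + 1))


def has_keyboard_run(pw: str, n: int = RUN_LENGTH) -> bool:
    """n adjacent keys from one keyboard row, forwards or backwards (qwer, lkjh)."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            fragment = row[i:i + n]
            if fragment in s or fragment[::-1] in s:
                return True
    return False


def audit_password(pw: str, profile_words=(), other_passwords=()) -> list:
    """Return the guidelines the password violates (an empty list means it passes)."""
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            issues.append(f"no {name}")
    if pw.lower() in COMMON_PASSWORDS:
        issues.append("common password")
    # Words visible on the user's social media profile must not appear in the password.
    for word in profile_words:
        if len(word) >= 3 and word.lower() in pw.lower():
            issues.append(f"contains profile word {word!r}")
    if has_sequential_run(pw):
        issues.append("sequential characters")
    if has_repeated_run(pw):
        issues.append("repeated characters")
    if has_keyboard_run(pw):
        issues.append("keyboard pattern")
    if pw in set(other_passwords):
        issues.append("reused on another account")
    return issues


if __name__ == "__main__":
    # Constructed inputs: a profile word and passwords already in use on other accounts.
    print(audit_password("abc123"))
    print(audit_password("Rex2011!!", profile_words=["Rex"]))
    print(audit_password("Runn1NG26.2R0cK$!", other_passwords=["Runn1NG26.2R0cK$!"]))
```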

Stay protected

Passwords are essential for security and can help you keep your computer and online accounts safe from hackers. While financial fraud and cases of stolen identity may be able to be corrected without any lasting damage to your bank account or credit score, the hassle that comes with contacting banking institutions and fixing any issues pertaining to the hack is more than it’s worth. Even though the aforementioned tips should assist you in creating a strong password, it’s highly recommended that you use a password generator instead, which ensures that mistakes are avoided completely and that the passwords you use are secure.

The post Create Strong Passwords with a Password Generator appeared first on McAfee Blogs.

Twitter Hack & Scam

What Happened?
Twitter confirmed 130 celebrity Twitter accounts were targeted in the cyberattack on Wednesday 15th July, with 45 successfully compromised. The hacked Twitter accounts included high profile individuals such as Barack Obama, Elon Musk, Kanye West, Bill Gates, Jeff Bezos, Warren Buffett, Kim Kardashian, and Joe Biden. Their accounts were used to send a tweet to scam Bitcoin out of their millions of followers.

Scam Social Engineering Tweet sent from Bill Gates' Twitter Account
Twitter quickly reacted to the hack by taking an unprecedented step of temporarily preventing all verified users from tweeting, including yours truly; I was trying to warn people about the attack but my tweets were repeatedly prevented from posting. Before the scam tweets were taken down more than £80,000 ($100,000) was sent to the scam Tweet's advertised Bitcoin address. The FBI is investigating the incident.

How the Twitter Accounts were Compromised
Twitter said hackers had targeted employees with access to its internal systems and "used this access to take control of many highly-visible (including verified) accounts and Tweet on their behalf". A report by security research firm Hudson Rock said an advert had appeared on a dark web hacker forum earlier in the week offering a service to take over any Twitter account. The seller said they were able to do this because they could change any Twitter account's linked email address.

The seller was a group or individual that had managed to hack into Twitter's backend systems, probably by social engineering Twitter staff, and gain full administration rights. This let them offer buyers control of any Twitter account, including the ability to post tweets from it; that nefarious service was then bought and used to acquire Bitcoin via scam messages.
Hackers posted the view from the Twitter control panel
Security researchers at Hudson Rock spotted Twitter Hack advertisement
Additional Impact?
It is not yet clear whether the hacker(s) stole the Direct Messages (private messages) of the high-profile Twitter users; such messages could be used to cause embarrassment and for cyber extortion. The attack appears to be a quick 'smash and grab' money maker, both for the seller, making a quick buck, and for the buyer, who used the service to quickly obtain £80k worth of Bitcoin, rather than anything more sinister or sophisticated.

Update as of 18th July 2020
Twitter confirmed the perpetrators used its administration tools to orchestrate the attack and had downloaded data from up to eight of the accounts involved, but said none of these were "verified" high-profile accounts.

A New York Times article suggested at least two of the attackers are from England.

Twitter's statement said "The attackers successfully manipulated a small number of employees and used their credentials to access Twitter's internal systems. We are continuing our investigation of this incident, working with law enforcement, and determining longer-term actions we should take to improve the security of our systems. We're embarrassed, we're disappointed, and more than anything, we're sorry."

Facts Twitter confirmed
  • Attackers were not able to view previous account passwords, as those are not stored in plain text or available through the tools used in the attack.
  • Attackers were able to view personal information including email addresses and phone numbers, which are displayed to some users of our internal support tools.
  • In cases where an account was taken over by the attacker, they may have been able to view additional information. Forensic investigation of these activities is still ongoing.
What the Experts Think
Nigel Thorpe, technical director at SecureAge, said the latest Twitter hack exposes the identity and access management vulnerability and the risk of administrator accounts being compromised, leaving data vulnerable. It appears that cybercriminals gained access to Twitter's internal network, then used an admin tool to control the user accounts of prominent individuals and organisations to post fraudulent messages. They used social engineering to gain access to Twitter staff accounts, giving access to data stored in the network.

This incident illustrates the loophole with identity and access management such that if a user account is compromised, data is left unprotected. This loophole can be closed by taking a data-centric approach to security, where information is automatically protected, with authenticated encryption built right into the data. This means that even unencrypted files, when changed or moved, will immediately be encrypted so that, if stolen, they will appear to be garbage to the thief.

A compromised user account still has access to data, but it remains encrypted all the time, even when in use. When copied from its ‘safe’, access-controlled location - even if that's outside the organisation - the data remains encrypted and therefore useless. No ransom, no embarrassing disclosures, no legal action.

Liviu Arsene, Global Cybersecurity Researcher at Bitdefender, said that attackers successfully compromising high-profile Twitter accounts that potentially also had two-factor authentication can only point to a coordinated cyberattack on Twitter’s employees and systems. It’s likely this could be a result of attackers exploiting the work-from-home context, in which employees are far more likely to fall prey to scams and spearphishing emails that end up compromising devices and ultimately company systems.

This high-profile Twitter breach could be the result of a spray-and-pray spear-phishing campaign that landed some opportunistic cybercriminals what could potentially be the hack of the year for Twitter. They could have done potentially far more damage. Instead, by delivering a simple Bitcoin scam, we could be looking at attackers that wanted to quickly monetize their access, instead of a highly coordinated and sophisticated operation performed by an APT group.

If this is the case, it’s likely that more companies could potentially be breached as a result of cybercriminals phishing employees. With 50% of organizations not having a plan for supporting and quickly migrating employees and infrastructure to full remote work, we’re probably going to see more data breaches that either exploit employee negligence or infrastructure misconfigurations left behind during the work from home transition.

While large organizations may have strong perimeter security defences, security professionals mostly worry that a potential breach could occur because of attackers exploiting the weakest link in the cybersecurity chain: the human component.

Tony Pepper, CEO of Egress, said Twitter suffering a co-ordinated attack targeting its employees "with access to internal systems and tools" is deeply concerning. However, screenshots obtained from two sources who took over accounts, which suggest that this breach was caused by an intentionally malicious insider, add an additional layer of concern and complexity to this saga.

In our 2020 Insider Data Breach, we found that 75% of IT leaders surveyed believe employees have put data at risk intentionally in the past year and this latest breach seems to bear out those beliefs.

So, what can security professionals do to prevent this risk and keep sensitive data out of the reach of malicious threat actors? Organisations have an opportunity to do more by understanding the ‘human layer’ of security, including breach personas and where different risks lie. Technology needs to do more by providing insight into how sensitive data in the organisation is being handled and identifying risks, including human-activated threats.

By spotting the characteristics of a potentially malicious insider and being aware of what they are susceptible to and motivated by, organisations can put the tactics, techniques, and technology in place to mitigate the risk.

US judge: WhatsApp lawsuit against Israeli spyware firm NSO can proceed

NSO Group was sued last year by messaging app owned by Facebook

An Israeli company whose spyware has been used to target journalists in India, politicians in Spain, and human rights activists in Morocco may soon be forced to divulge information about its government clients and practices after a judge in California ruled that a lawsuit against the company could proceed.

NSO Group was sued by WhatsApp, which is owned by Facebook, last year, after the popular messaging app accused the company of sending malware to 1,400 of its users over a two-week period and targeting their mobile phones.


capa: Automatically Identify Malware Capabilities

capa is the FLARE team’s newest open-source tool for analyzing malicious programs. Our tool provides a framework for the community to encode, recognize, and share behaviors that we’ve seen in malware. Regardless of your background, when you use capa, you invoke decades of cumulative reverse engineering experience to figure out what a program does. In this post you will learn how capa works, how to install and use the tool, and why you should integrate it into your triage workflow starting today.


Effective analysts can quickly understand and prioritize unknown files in investigations. However, determining if a program is malicious, the role it plays during an attack, and its potential capabilities requires at least basic malware analysis skills. And often, it takes an experienced reverse engineer to recover a file’s complete functionality and guess at the author’s intent.

Malware experts can quickly triage unknown binaries to gain first insights and guide further analysis steps. Less experienced analysts, on the other hand, oftentimes don’t know what to look for and have trouble distinguishing the usual from the unusual. Unfortunately, common tools like strings / FLOSS or PE viewers display the lowest level of detail, burdening their users to combine and interpret data points.

Malware Triage 01-01

To illustrate this, let us look at Lab 01-01 from Practical Malware Analysis (PMA) available here. Our goal is to understand the program’s functionality. Figure 1 shows the file’s strings and import table with interesting values highlighted.

Figure 1: Interesting strings and import information of example malware from PMA Lab 1-1

With this data, reverse engineers can hypothesize about the strings and imported API functions to guess at the program’s functionality, but no more. The sample may create a mutex, start a process, or communicate over the network, potentially to a hard-coded IP address. The Winsock (WS2_32) imports make us think about network functionality, but the function names are not available here because they are, as is common, imported by ordinal.

Dynamically analyzing this sample can confirm or disprove initial suspicions and reveal additional functionality. However, sandbox reports or dynamic analysis tools are limited to capturing behavior from the exercised code paths. This, for example, excludes any functionality triggered after a successful connection to the command and control (C2) server. We don’t usually recommend analyzing malware with a live Internet connection.

To really understand this file, we need to reverse engineer it. Figure 2 shows IDA Pro’s decompilation of the program’s main function. While we use the decompilation instead of disassembly to simplify our explanation, similar concepts apply to both representations.

Figure 2: Key functionality in the decompiled main function of PMA Lab 1-1

With a basic understanding of programming and the Windows API, we observe the following functionality. The malware:

  • creates a mutex to ensure only one instance is running
  • creates a TCP socket; indicated by the constants 2 = AF_INET, 1 = SOCK_STREAM, and 6 = IPPROTO_TCP
  • connects to a hard-coded IP address on port 80
  • sends and receives data
  • compares received data to the strings sleep and exec
  • creates a new process

Although not every code path may execute on each run, we say that the malware has the capability to execute these behaviors. And, by combining the individual conclusions, we can reason that the malware is a backdoor that can run an arbitrary program specified by a hard-coded C2 server. This high-level conclusion enables us to scope an investigation and decide how to respond to the threat.

Automating Capability Identification

Of course, malware analysis is rarely this straightforward. The artifacts of intent may be spread through a binary that contains hundreds or thousands of functions. Furthermore, reverse engineering has a fairly steep learning curve and requires a solid understanding of many low-level concepts such as assembly language and operating system internals.

However, with enough practice, we can recognize capabilities in programs simply from repetitive patterns of API calls, strings, constants, and other features. With capa, we demonstrate that some of our key analysis conclusions are actually feasible to perform automatically. The tool provides a common yet flexible way to codify expert knowledge and make it available to the entire community. When you run capa, it recognizes features and patterns as a human might, producing high-level conclusions that can drive subsequent investigative steps. For example, when capa recognizes the ability for unencrypted HTTP communication, this might be the hint you need to pivot into proxy logs or other network traces.

Introducing capa

When we run capa against our example program, the tool output in Figure 3 almost speaks for itself. The main table shows all identified capabilities in this sample, with each entry on the left describing a capability. The associated namespace on the right helps to group related capabilities. capa did a fantastic job and described all the program capabilities we’ve discussed in the previous section.

Figure 3: capa analysis of PMA Lab 1-1

We find that capa often provides surprisingly good results. That’s why we want capa to always be able to show the evidence used to identify a capability. Figure 4 shows capa’s detailed output for the “create TCP socket” conclusion. Here, we can inspect the exact locations in the binary where capa found the relevant features. We’ll see the syntax of rules a bit later – in the meantime, we can surmise that they’re made up of a logic tree combining low level features.

Figure 4: Feature match details for "create TCP socket" rule in example malware

How capa Works

capa consists of two main components that algorithmically triage unknown programs. First, a code analysis engine extracts features from files, such as strings, disassembly, and control flow. Second, a logic engine finds combinations of features that are expressed in a common rule format. When the logic engine finds a match, capa reports on the capability described by the rule.

Feature Extraction

The code analysis engine extracts low-level features from programs. All the features are consistent with what a human might recognize, such as strings or numbers, and enable capa to explain its work. These features typically fall into two large categories: file features and disassembly features.

File features are extracted from the raw file data and its structure, e.g. the PE file header. This is information that you might notice by scrolling across the entire file. Besides the strings and imported APIs discussed above, these include exported function names and section names.

Disassembly features are extracted from an advanced static analysis of a file – this means disassembling and reconstructing control flow. Figure 5 shows selected disassembly features including API calls, instruction mnemonics, numbers, and string references.

Figure 5: Examples of disassembly features in a disassembled code segment of PMA Lab 1-1

Because the advanced analysis can distinguish between functions and other scopes in a program, capa can apply its logic at an appropriate level of detail. For example, it doesn’t get confused when unrelated APIs are used in different functions since capa rules can specify that they should be matched against each function independently.

We’ve designed capa with flexible and extendable feature extraction in mind. Additional code analysis backends can be integrated easily. Currently, the capa standalone version relies on the vivisect analysis framework. If you’re using IDA Pro, you can also run capa using the IDAPython backend. Note that sometimes differences among code analysis engines may result in divergent feature sets and hence different results. Fortunately, this usually isn’t a serious problem in practice.

capa Rules

A capa rule uses a structured combination of features to describe a capability that may be implemented in a program. If all required features are present, capa concludes that the program contains the capability.

capa rules are YAML documents that contain metadata and a tree of statements to express their logic. Among other things, the rule language supports logical operators and counting. In Figure 6, the “create TCP socket” rule says that the numbers 6, 1, and 2, and calls to either of the API functions socket or WSASocket must be present in the scope of a single basic block. Basic blocks group assembly code at a very low level making them an ideal place to match tightly related code segments. Besides within basic blocks, capa supports matching at the function and the file level. The function scope ties together all features in a disassembled function, while the file scope contains all features across the entire file.

Figure 6: capa rule logic to identify TCP socket creation
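The scoping behaviour described above (all features must sit inside one basic block) is easiest to see by re-implementing the matching idea in a few lines. The following Python is an added example and not capa’s code: the rule is written as nested dicts that mirror the YAML logic tree, the feature sets are constructed by hand to resemble PMA Lab 1-1 rather than extracted by capa, and the namespace string and module-qualified API names are assumptions.

```python
from collections import Counter

# A capa-style rule written as nested dicts that mirror the YAML logic tree described in
# the post. The namespace string and the module-qualified API names are assumptions made
# for this example; they are not copied from the capa-rules repository.
CREATE_TCP_SOCKET = {
    "meta": {
        "name": "create TCP socket",
        "namespace": "communication/socket/tcp",
        "scope": "basic block",
    },
    "features": {
        "and": [
            {"number": 6},  # IPPROTO_TCP
            {"number": 1},  # SOCK_STREAM
            {"number": 2},  # AF_INET
            {"or": [{"api": "ws2_32.socket"}, {"api": "ws2_32.WSASocket"}]},
        ]
    },
}


def evaluate(node, features):
    """Recursively evaluate a logic node against a Counter of (kind, value) features."""
    if "and" in node:
        return all(evaluate(child, features) for child in node["and"])
    if "or" in node:
        return any(evaluate(child, features) for child in node["or"])
    if "not" in node:
        return not evaluate(node["not"], features)
    if "count" in node:
        # {"count": {"feature": {kind: value}, "min": N}}: feature seen at least N times.
        spec = node["count"]
        (kind, value), = spec["feature"].items()
        return features[(kind, value)] >= spec.get("min", 1)
    (kind, value), = node.items()  # leaf: one feature must be present
    return features[(kind, value)] > 0


def find_matches(rule, program):
    """Return where the rule matches, honouring its scope.

    program = {function_va: {basic_block_va: [(kind, value), ...]}}
    "basic block" scope tests every block on its own and reports (fva, bbva);
    "function" scope pools all blocks of a function first and reports (fva, None).
    """
    scope = rule["meta"]["scope"]
    logic = rule["features"]
    matches = []
    for fva, blocks in program.items():
        if scope == "basic block":
            for bbva, feats in blocks.items():
                if evaluate(logic, Counter(feats)):
                    matches.append((fva, bbva))
        elif scope == "function":
            pooled = Counter(f for feats in blocks.values() for f in feats)
            if evaluate(logic, pooled):
                matches.append((fva, None))
        else:
            raise ValueError(f"unsupported scope: {scope!r}")
    return matches


# Constructed feature sets (hand-written, not extracted by capa). The first function is
# modelled on the PMA Lab 1-1 main: the three constants and the socket call share one
# basic block. In the second, the constants and the call sit in different blocks.
PROGRAM = {
    0x401040: {
        0x401040: [("api", "kernel32.CreateMutexA")],
        0x401072: [("number", 2), ("number", 1), ("number", 6), ("api", "ws2_32.socket")],
        0x4010A0: [("api", "ws2_32.connect"), ("number", 80)],
    },
    0x402000: {
        0x402000: [("number", 2), ("number", 1), ("number", 6)],
        0x402020: [("api", "ws2_32.WSASocket")],
    },
}

if __name__ == "__main__":
    for fva, bbva in find_matches(CREATE_TCP_SOCKET, PROGRAM):
        print(f"create TCP socket: function 0x{fva:x}, basic block 0x{bbva:x}")
```

Run as written, only the first function is reported: the second one has every required feature, but spread over two basic blocks, so a basic-block-scoped rule does not fire. Switching the same rule to function scope matches both, which is exactly the trade-off between precision and recall that the scope field controls.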

Figure 7 highlights the rule metadata that enables capa to display high-level, meaningful results to its users. The rule name describes the identified capability while the namespace associates it with a technique or analysis category. We already saw the name and namespace in the capability table of capa’s output. The metadata section can also include fields like author or examples. We use examples to reference files and offsets where we know a capability to be present, enabling unit testing and validation of every rule. Moreover, capa rules serve as great documentation for behaviors seen in real-world malware, so feel free to keep a copy around as a reference. In a future post we will discuss other meta information, including capa’s support for the ATT&CK and the Malware Behavior Catalog frameworks.

Figure 7: Rule meta information


To make using capa as easy as possible, we provide standalone executables for Windows, Linux, and OSX. The tool is written in Python and the source code is available on our GitHub. Additional and up-to-date installation instructions are available in the capa repository.

Newer versions of FLARE-VM (available on GitHub) include capa as well.


To identify capabilities in a program, run capa and specify the input file:

$ capa suspicious.exe

capa supports Windows PE files (EXE, DLL, SYS) and shellcode. To run capa on a shellcode file you must explicitly specify the file format and architecture; for example, to analyze 32-bit shellcode:

$ capa -f sc32 shellcode.bin

To obtain detailed information on identified capabilities, capa supports two additional verbosity levels. To get the most detailed output on where and why capa matched rules, use the very verbose option:

$ capa -vv suspicious.exe

If you only want to focus on specific rules, you can use the tag option to filter on fields in the rule meta section:

$ capa -t "create TCP socket" suspicious.exe

Display capa’s help to see all supported options, and consult the documentation:

$ capa -h


We hope that capa brings value to the community and encourage any type of contribution. Your feedback, ideas, and pull requests are very welcome. The contributing document is a great starting point.

Rules are the foundation of capa’s identification algorithm. We want to make it easy and fun to write them. If you have any rule ideas, please open an issue or even better submit a pull request to capa-rules. This way, everyone can benefit from the collective knowledge of our malware analysis community.

To separate our work and discussions between the capa source code and the supported rules, we use a second GitHub repository for all rules that come embedded within capa. The capa main repository embeds the rule repository as a git submodule. Please refer to the rules repository for further details, including the rule format documentation.


In this blog post we have introduced the FLARE team’s newest contribution to the malware analysis community. capa is an open-source framework to encode, recognize, and share behaviors seen in malware. We think that the community needs this type of tool to fight back against the volume of malware that we encounter during investigations, hunting, and triage. Regardless of your background, when you use capa, you invoke decades of cumulative experience to figure out what a program does.

Try out capa in your next malware analysis. The tool is extremely easy to use and can provide valuable information for forensic analysts, incident responders, and reverse engineers. If you enjoy the tool, run into issues using it, or have any other comments, please contact us via the project’s GitHub page.

Spanish deputy PM urges investigation into Catalan spyware claims

Exclusive: Pablo Iglesias calls alleged targeting of independence movement figures unacceptable

The Spanish deputy prime minister, Pablo Iglesias, has become the most senior political figure to call for a parliamentary investigation into the use of spyware to target prominent members of the Catalan independence movement, saying such practices are “unacceptable in a democracy”.

A joint investigation this week by the Guardian and El País has revealed that Roger Torrent, the speaker of the Catalan parliament, and former regional foreign minister Ernest Maragall are among at least four pro-independence activists who have been targeted using Israeli spyware that its makers said is sold only to governments.


I Did Not Write This Book

Fake Book

Someone published a "book" on Amazon and claimed that I wrote it! I had NOTHING to do with this. I am working with Amazon now to remove it, or at least remove my name. Stay away from this garbage!

Update: Thankfully, within a day or so of this post, the true author of this work removed it from Amazon. It has not returned, at least as far as I have seen.

Introducing PhishingKitTracker

If you are a security researcher, or simply curious about how attackers implement phishing, you will find yourself looking for phishing kits. A phishing kit is not a phishing builder but a real implementation (actually a re-implementation) of a third-party website built to lure the victim. Initially attackers use a phishing builder to “clone” the original website, but afterwards they introduce into the freshly regenerated site interesting add-ons such as: evasion techniques (to evade phishing detectors), targeted elements (to tailor the page to its victims), fast redirectors (to follow the attack chain into the original website, or to a relay that tries to infect you) and sometimes exploit kits that try to exploit your browser before letting you go.

Credit: Alen Pavlovic (here)


There are places where you can buy phishing kits (BleepingComputer wrote a great article on that here), but if you want to get them for free in order to study attack schemas and kit composition you will not find free collections. So I decided to share my PhishingKitTracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it HERE (PhishingKitTracker github repo)


This repository holds a collection of phishing kits used by criminals to steal user information. Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences, affecting anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository and your negligence in general.

NB: Large File Storage ahead

PhishingKitTracker is stored using Git Large File Storage (git-lfs) due to the large amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

In the raw folder the phishing kits are tracked in their original format. No manipulation is applied to that data. A backend script goes over harvested malicious websites (harvested from common sources) and checks whether phishing kits are present. If a kit is found, the resulting file is downloaded and immediately added to that folder. This folder is tracked using Git Large File Storage since many files are bigger than 100MB. The raw data is a largely unexplored land; you will very probably find many interesting topics in it. Please remember to cite this work if you find something here; it would be very much appreciated.


In the stats folder two up-to-date files are maintained:

  1. files_name holds the frequency of the file names associated with kits. In other words, every phishing kit is saved on the phishing host under a name, and files_name keeps track of every file name and its frequency. If you are wondering why I am not tracking hashes, it is because phishing kits are big compressed archives, so it would make no sense at this stage since they always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where the phishing kit was found. No duplicates are tracked, meaning that the frequency and the file names are unique. So, for example, if you see a count of 3 next to a domain, it means that three different phishing kits have been found on that domain over time.

Both of these files are generated by simple bash scripts like the following (the raw file names are <site>_<kit file name>, so the first field is the hosting site and the second the kit file name; the input must be sorted before uniq -c for the counts to be correct):

ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

These scripts run on every commit, keeping the stats files in line with the raw folder.

On the other hand, a file called similarity.csv is provided with a considerable delay, due to the vast amount of time needed to generate it. That file gives the similarity between the tracked phishing kits. It is a simple CSV file, so you can import it into your favourite spreadsheet and make graphs and statistics, or manipulate it any way you prefer.


The similarity structure is the following: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the phishing kit considered in that analysis.
  • FileB is the phishing kit compared against FileA.
  • SimilarityAVG is the average similarity, computed by running the similarity check between every (interesting) file in archive FileA and every (interesting) file in archive FileB.
  • SimilarityMin is the lowest similarity value found between FileA and FileB.
  • SimilarityMax is the highest similarity value found between FileA and FileB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example, it only processes ZIP files). Please make pull requests to improve and extend it; every contribution would be very helpful.


Please check these variables and change them at will.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE =  'similarity.csv'                                                 
RAW_FOLDER = '/tmp/raw/'                                                        
TEMP_FOLDER = '/tmp/tt'     

Once you have changed them you can run the script and take a long rest. It will walk through RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import the file into your favourite spreadsheet processor and work on the code similarity.

So far the Python script is only able to compare phishing kits tracked as zip archives; support for other compressed formats is still work in progress.

NB: The Python script is at a very early stage of development. Please help to improve it.

How to contribute

Add a walking function for other compression formats. In other words, if you want to contribute you can write a new section such as the following one, but for other compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

import os
from zipfile import ZipFile

# Extracts zip files based on EXTENSION_FOR_ANALYSIS. It returns the entire
# file paths of the extracted files for future work.
# EXTENSION_FOR_ANALYSIS and TEMP_FOLDER are the script variables shown above.
def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []
    n_interesting_files = []  # matched members that could not be extracted
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            listOfFileNames = zipObj.namelist()
            for fileName in listOfFileNames:
                for ext in EXTENSION_FOR_ANALYSIS:
                    if fileName.endswith(ext):
                        try:
                            zipObj.extract(fileName, TEMP_FOLDER)
                            interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                        except Exception as e:
                            n_interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
    except Exception as e:
        # corrupt or non-zip archive: return whatever was extracted so far
        return interesting_files
    return interesting_files

One more way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.
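The similarity.csv structure and the request for other archive formats can both be shown in one small script. The following Python is an added example and not the tracker’s src script: it reads interesting members straight from in-memory zip and tar.gz archives (so a malicious kit is never extracted to disk), scores every file pair with difflib, and emits the FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax rows. The sample kits, their names and the HTML they contain are constructed stand-ins, and difflib’s ratio is a stand-in for whatever similarity metric the real script uses.

```python
import csv
import difflib
import io
import itertools
import tarfile
import zipfile

# Same extension filter as the tracker's src script.
EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']


def is_interesting(name):
    return any(name.lower().endswith(ext) for ext in EXTENSION_FOR_ANALYSIS)


def interesting_members(archive, fmt):
    """Return {member_name: text} for the interesting files of an in-memory archive.
    Members are read directly from the zip/tar; nothing is written to disk."""
    out = {}
    if fmt == 'zip':
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            for info in zf.infolist():
                if not info.is_dir() and is_interesting(info.filename):
                    out[info.filename] = zf.read(info).decode('utf-8', 'replace')
    elif fmt in ('tar', 'tar.gz'):
        mode = 'r:gz' if fmt == 'tar.gz' else 'r:'
        with tarfile.open(fileobj=io.BytesIO(archive), mode=mode) as tf:
            for member in tf.getmembers():
                if member.isfile() and is_interesting(member.name):
                    out[member.name] = tf.extractfile(member).read().decode('utf-8', 'replace')
    else:
        raise ValueError(f'unsupported archive format: {fmt}')
    return out


def similarity(text_a, text_b):
    """Ratio in [0, 1]; autojunk is disabled so short pages are compared in full."""
    return difflib.SequenceMatcher(None, text_a, text_b, autojunk=False).ratio()


def compare_kits(files_a, files_b):
    """AVG/Min/Max over every (interesting) file pair, as in similarity.csv.
    Returns None when one kit has nothing to compare (e.g. images only)."""
    scores = [similarity(a, b) for a, b in itertools.product(files_a.values(), files_b.values())]
    if not scores:
        return None
    return sum(scores) / len(scores), min(scores), max(scores)


def similarity_rows(kits):
    """kits: {kit_name: (archive_bytes, fmt)} -> (FileA, FileB, AVG, Min, Max) rows."""
    contents = {name: interesting_members(data, fmt) for name, (data, fmt) in kits.items()}
    rows = []
    for name_a, name_b in itertools.combinations(sorted(contents), 2):
        result = compare_kits(contents[name_a], contents[name_b])
        if result is not None:
            avg, lo, hi = result
            rows.append((name_a, name_b, round(avg, 4), round(lo, 4), round(hi, 4)))
    return rows


def write_similarity_csv(rows, path):
    with open(path, 'w', newline='') as fh:
        writer = csv.writer(fh)
        writer.writerow(['FileA', 'FileB', 'SimilarityAVG', 'SimilarityMin', 'SimilarityMax'])
        writer.writerows(rows)


# --- constructed sample kits (harmless stand-ins, not real phishing kits) ---
def build_zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_tgz(files):
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode='w:gz') as tf:
        for name, data in files.items():
            payload = data.encode() if isinstance(data, str) else data
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


LOGIN_PAGE = ('<html><body><form method="post" action="verify.php">'
              '<input name="user"><input name="pass"></form></body></html>')
LOGIN_PAGE_VARIANT = LOGIN_PAGE.replace('verify.php', 'next.php')

SAMPLE_KITS = {
    'bank-a_kit.zip': (build_zip({'index.html': LOGIN_PAGE, 'logo.png': b'\x89PNG'}), 'zip'),
    'bank-a_kit.tar.gz': (build_tgz({'index.html': LOGIN_PAGE}), 'tar.gz'),
    'bank-b_kit.zip': (build_zip({'login.html': LOGIN_PAGE_VARIANT}), 'zip'),
}

if __name__ == '__main__':
    for row in similarity_rows(SAMPLE_KITS):
        print(','.join(str(v) for v in row))
```

The two bank-a kits hold the same page in different archive formats and score 1.0 on all three columns; bank-b differs by one form action and scores below 1.0; the logo.png member is ignored by the extension filter, and a kit with no interesting file produces no row at all rather than a misleading 0.0.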

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "",
       note = "[Online; July 2020]"
}

NICE Webinar: What’s New – Revisions to the NICE Framework

The PowerPoint slides used during this webinar can be downloaded here.

Speakers:
  • Matthew Smith, Strategic Advisor, Huntington Ingalls Industries
  • Pam Frugoli, O*NET and Competency Model Team Lead, U.S. Department of Labor
  • Matt Isnor, Program Lead, Cyberspace Workforce Development, U.S. Department of Defense
  • Lisa Dorr, Senior Talent Management Strategist, Office of the Chief Human Capital Officer, Department of Homeland Security
  • Ken Vrooman, Senior Advisor, Cyber Defense Education and Training, CISA

Synopsis: The NICE Cybersecurity Workforce Framework (NICE Framework) was published as NIST Special

The Texas Cybersecurity Act: What You Need to Know

Texas passed House Bill 8 relating to cybersecurity for state agency information resources. The bill sets mandatory practices for state agencies, institutes continuous monitoring and auditing of network systems, adds protections for student data privacy, and updates the penalties for cybercrimes.

As Texas House Speaker Joe Straus commented, state agencies are now expected to be “good stewards of private data.” A cybersecurity council oversees the state agencies to ensure that they follow all new requirements and research and report back on cybersecurity threats on a regular basis. Cybersecurity practices are now considered by the Sunset Advisory Commission, an agency of the Texas Legislature, when determining whether to reform, continue, or abolish a Texas state agency.

The bill also requires the Department of Information Resources, or DIR, to implement a five-year plan to address cybersecurity risks. The DIR will establish an information sharing and analysis center (ISAC) to share news regarding cybersecurity threats, best practices, and remediation advice. It will also provide mandatory training for state agencies.

According to Texas Government Code § 2054.515(a-b), state agencies are now required to “conduct an information security assessment of the agency’s network systems, data storage systems, data security measures, and information resources vulnerabilities at least once every two years and to report the results to the DIR.” State agencies are also required to submit a data security plan and show proof of penetration tests of their websites and mobile applications every other year. Colleges and universities in Texas are also required to protect the confidentiality of information on their websites or mobile applications. If an agency or institution experiences a data breach, it is mandated to inform all affected parties of the incident.

Lastly, the Texas secretary of state is required to test the election infrastructure for vulnerabilities and report back on findings. The findings need to be made publicly available.

For more information on the Texas Cybersecurity Act, please download House Bill 8 or read the synopsis provided by the Texas Comptroller.

Veracode can help.

If you are a state agency or educational institution operating in Texas, Veracode can provide you with the application security testing tools necessary to remain compliant with state regulations. As Nikki Veit, Director of Application Development for the State of Missouri, expressed, “When we first started scanning, there were a lot of non-compliant applications. But Veracode was really easy to use, and developers were able to go in and scan early and often. In the first eight months, we had 18,000 flaws fixed. It was just phenomenal.”

Check out our success story for the State of Missouri to see how we helped them scale an AppSec program across 365 applications and 14 state agencies.

Financially Motivated Actors Are Expanding Access Into OT: Analysis of Kill Lists That Include OT Processes Used With Seven Malware Families

Mandiant Threat Intelligence has researched and written extensively on the increasing financially motivated threat activity directly impacting operational technology (OT) networks. Some of this research is available in our previous blog posts on industrial post-compromise ransomware and FireEye's approach to OT security. While most of the actors behind this activity likely do not differentiate between IT and OT or have a particular interest in OT assets, they are driven by the goal of making money and have demonstrated the skills needed to operate in these networks. For example, the shift to post-compromise ransomware deployment highlights the actors’ ability to adapt to more complex environments.

In this blog post we look further into this trend by examining two different process kill lists containing OT processes which we have observed deployed alongside a variety of ransomware samples and families. We think it is likely that these lists were the result of coincidental asset scanning in victim organizations and not specific targeting of OT. While this judgement may initially seem like good news to defenders, this activity still indicates that multiple, very prolific, financially motivated threat actors are active inside organizations’ OT—based on the contents of these process kill lists—with the intent of profiting from the ransom of stolen information and disrupted services.

Two Unique Process Kill Lists Deployed Alongside Seven Ransomware Families Include OT Processes

Threat actors often deploy process kill lists alongside or as part of ransomware to terminate anti-virus products, stop alternative detection mechanisms, and remove file locks to ensure critical data is encrypted. As a result, the deployment of these lists increases the likelihood of a successful attack (MITRE ATT&CK T1489). In post-compromise ransomware attacks, attackers regularly tailor the lists to include processes that are relevant to the victim’s environment. By stopping these processes, the attacker makes sure to encrypt data from critical systems, whose files might otherwise remain unencrypted because they are locked by a running process. As the likelihood of crippling critical systems increases, the target is more likely to suffer impacts on its physical production.

First Process Kill List Has Been Leveraged By At Least Six Ransomware Families

Mandiant identified samples of at least six ransomware families (DoppelPaymer, LockerGoga, Maze, MegaCortex, Nefilim and SNAKEHOSE), all of which have been associated with high-profile incidents impacting industrial organizations over the past two years, that have leveraged a common process kill list containing 1,000+ processes. The list, which we briefly discussed in an earlier blog post from February 2020, includes a couple dozen processes related to OT executables, mainly from General Electric Proficy, a suite used for historians and human-machine interfaces (HMIs). We note that while the inclusion of these processes in this kill list could result in limited loss of view of historical process data, it is not likely to directly impact the operator’s ability to control the physical process itself.

Figure 1: Snippets from “kill.bat” deployed alongside LockerGoga (L) and MegaCortex process kill list (R)

The earliest iteration we identified of the shared kill list was a batch script deployed alongside LockerGoga (MD5: 34187a34d0a3c5d63016c26346371b54) in January 2019 (Figure 1). Other iterations of the list we have observed are hardcoded directly into the ransomware binaries. The different techniques used to deploy the process kill list, the use of different malware families, and slight variations between list iterations (mainly typos in the process names, e.g. a2guard.exea2start.exe; nexe; proficyclient.exe) indicate that more than one actor likely had access to the true source of the process kill list. This source could be, for example, a list of processes posted on a dark web forum, or an independent actor sharing the compiled list with other actors.

We think it is likely that the OT processes identified in this list simply represent the coincidental output of automated process collection from victim environment(s) and not a targeted effort to impact OT. This is supported by the relatively limited and specific selection of OT-related processes, rather than a broader selection of many vendors and OT-related processes that would have been suggestive of targeted external research. Regardless, this does not downplay the significance of the inclusion of OT processes in the list, as it suggests that sophisticated financially motivated actors, such as FIN6, have had at least some visibility into a victim’s OT network. As a result, the actors were able to tailor their malware to impact those systems, without the explicit intent to target OT assets.

Most types of ransomware attacks in OT environments will result in the disruption of services and a temporary loss of view into current and historical process data. However, OT environments impacted by a ransomware that leverages this kill list and happen to be running one or more of the processes used by the initial victim(s)—and therefore are included on the list—may face additional impacts. For example, historian databases would be more likely to be encrypted, possibly resulting in loss of historical data. Other impacts could include gaps in the collection of process data corresponding to the duration of the outage and temporary loss of access to licensing rights for critical services.
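When a kill list turns up during an incident, the two questions above (which of our OT processes would it stop, and does it share lineage with a known list) can be answered mechanically. The following Python is an added example and not Mandiant’s tooling: it pulls process names out of either form the post describes, a taskkill batch script or a list embedded in a binary as it would appear in strings output, flags entries where two names have been run together, maps the result against a defender-supplied OT inventory, and scores the overlap between two list variants. Every input is constructed; the taskkill /IM syntax, the inventory mapping and all process names other than a2guard.exea2start.exe and proficyclient.exe (cited above) are assumptions.

```python
import re

# Constructed inputs (not the real lists). KILL_BAT imitates a kill.bat in an assumed
# "taskkill /IM <image> /F" style; EMBEDDED_LIST imitates a list hardcoded in a binary
# as it would appear in strings output. a2guard.exea2start.exe and proficyclient.exe
# are the fused/OT entries the post itself cites; the other names are made up.
KILL_BAT = """@echo off
taskkill /IM a2guard.exea2start.exe /F
taskkill /IM proficyclient.exe /F
taskkill /IM historian-collector.exe /F
taskkill /IM sqlservr.exe /F
"""

EMBEDDED_LIST = """a2guard.exe
a2start.exe
proficyclient.exe
hmi-runtime.exe
sqlservr.exe
"""

TASKKILL_RE = re.compile(r"^\s*taskkill\b.*?/IM\s+(\S+)", re.IGNORECASE)
IMAGE_RE = re.compile(r"^\s*([\w.-]+\.exe)\s*$", re.IGNORECASE)


def extract_process_names(text):
    """Pull process image names from a taskkill batch script or a bare one-per-line list."""
    names = []
    for line in text.splitlines():
        match = TASKKILL_RE.match(line) or IMAGE_RE.match(line)
        if match:
            names.append(match.group(1).lower())
    return names


def fused_entries(names):
    """Entries containing more than one '.exe': two names run together, the kind of
    copy-paste artefact that points at a shared source list."""
    return [name for name in names if name.count(".exe") > 1]


def ot_impact(names, inventory):
    """Map kill-list entries onto the OT products a defender knows are running on site."""
    return {name: inventory[name] for name in names if name in inventory}


def shared_lineage(names_a, names_b):
    """Jaccard overlap between two kill lists (1.0 = identical sets)."""
    set_a, set_b = set(names_a), set(names_b)
    union = set_a | set_b
    return len(set_a & set_b) / len(union) if union else 0.0


# Defender-supplied inventory (constructed). proficyclient.exe -> Proficy is an inference
# from the post's description of the list; the other two entries are placeholders.
OT_INVENTORY = {
    "proficyclient.exe": "GE Proficy client",
    "historian-collector.exe": "historian data collector (placeholder)",
    "hmi-runtime.exe": "HMI runtime (placeholder)",
}

if __name__ == "__main__":
    bat_names = extract_process_names(KILL_BAT)
    bin_names = extract_process_names(EMBEDDED_LIST)
    print("fused entries:", fused_entries(bat_names))
    print("OT processes hit by kill.bat:", ot_impact(bat_names, OT_INVENTORY))
    print("OT processes hit by embedded list:", ot_impact(bin_names, OT_INVENTORY))
    print(f"overlap between variants: {shared_lineage(bat_names, bin_names):.2f}")
```

The fused-entry check is deliberately crude (count the “.exe” substrings) because the lists are plain strings with no delimiter to recover; an entry like a2guard.exea2start.exe can never match a real process, so its presence is evidence about the list’s provenance rather than about the attacker’s intent.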

Second List Deployed Alongside CLOP Ransomware Sample Has a Higher Chance of Impacting OT Systems

Mandiant analyzed a second, entirely unrelated sample of ransomware (MD5: 3b980d2af222ec909b948b6bbdd46319) from the CLOP family with a hardcoded list for enumeration and termination of processes that includes a number of OT strings. The list contains over 1,425 processes, from which at least 150 belong to OT-related software suites (Figure 2 and Appendix).

Based on our analysis, the CLOP malware family’s process kill list has grown over time possibly as more processes are scanned during different compromises. While we do not currently hold enough information to describe the exact mechanism used by the actor to grow the list, it appears to have resulted from actor reconnaissance across multiple victims. We have observed the threat actor employing process discovery procedures, including running the tasklist utility. This indicates that the actor scanned for processes in at least one victim’s OT network(s) before deploying the ransomware.

Figure 2: Subset of processes in observed CLOP sample

CLOP is also interesting as we have only observed a single unique and very prolific financially motivated threat actor leveraging the malware family. The group, who has been active since at least 2016 and potentially as early as 2014, is known for operating large phishing campaigns to distribute malware and typically monetizes intrusions through ransomware deployment. As highlighted by their versatility and long history in financially motivated intrusions, the actor’s activity in OT networks is likely no more than an additional step in the process for monetization. However, the financial motivations of the actor again do not imply low risk to OT. Instead, our analysis of the CLOP sample’s kill list indicates that the included processes actually have greater potential to disrupt OT systems than those included in the shared list described above.

Unlike the first kill list, the CLOP sample includes a list of processes that, if stopped, may directly impact the operator’s ability to both visualize and control production. This is especially true in the case of some included processes that support HMI and PLC supervision. Some of the OT processes present in the CLOP sample are related to the following products:
  • [vendor and product name not recovered in extraction]: SCADA system, common for process control and automation.
  • [vendor and product name not recovered in extraction]: Software for PC-based process control and automation.
  • National Instruments, Data Acquisition Software (DAQ): Software used to acquire data from sensors and conditioning devices.
  • KEPServer EX: Software platform that collects information from industrial devices and sends the output to SCADA applications.
  • OPC Unified Architecture (OPC-UA): Communication protocol for data acquisition and exchange between industrial equipment and enterprise systems.

Table 1: Examples of products related to OT processes included in identified CLOP kill list

While it is likely the physical processes this software controls would continue to operate even if the software processes were terminated unexpectedly, stopping the software processes included in the CLOP sample’s kill list could result in the loss of view/control over those physical processes due to the inability of operators to interact with the equipment. This can be caused not only by the ransomware’s disruption of intermediary systems, but also by the loss of access to files on HMIs/EWS that process control and monitoring software needs in order to run, for example configuration or project files. This could prolong the mean time to recovery (MTTR) of impacted environments without offline backups. In the CLOP sample list, we also identified specialized processes for software application design and testing that may also become corrupted at the time of encryption.
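The kill-list behaviour described above, a burst of OT-related process terminations on a single host, is something an asset owner can watch for in process telemetry. The detector below is an added example, not code from Mandiant or from the report; its simplified log format, placeholder OT image names and window/threshold values are assumptions to be replaced with the site's own asset inventory and telemetry.

```python
import re
from collections import defaultdict, deque

# Illustrative OT-related image names. These are constructed placeholders, NOT the
# names from the CLOP sample; substitute the binaries from your own asset inventory.
OT_PROCESSES = {
    "ot_hmi_runtime.exe",     # HMI visualisation/control
    "ot_historian.exe",       # process historian database
    "ot_opcua_server.exe",    # OPC UA server bridging devices to SCADA
    "ot_daq_service.exe",     # data acquisition service
    "ot_plc_supervisor.exe",  # PLC supervision
}

# Constructed, simplified feed format (assumption, not a real product's log format):
#   ts=<epoch seconds> host=<name> event=<type> image=<path to executable>
LOG_LINE = re.compile(
    r"ts=(?P<ts>\d+)\s+host=(?P<host>\S+)\s+event=(?P<event>\S+)\s+image=(?P<image>\S+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    return {
        "ts": int(m.group("ts")),
        "host": m.group("host"),
        "event": m.group("event"),
        # keep only the lower-cased basename so path and case differences do not matter
        "image": m.group("image").replace("/", "\\").rsplit("\\", 1)[-1].lower(),
    }


def detect_mass_termination(lines, window_s=60, threshold=3):
    """Flag hosts on which at least `threshold` OT processes stop within `window_s` seconds.

    A single HMI restart during maintenance stays below the threshold; a kill list
    running through a host terminates many OT images within seconds. One alert is
    raised per host, on the first burst that crosses the threshold.
    """
    recent = defaultdict(deque)  # host -> (ts, image) pairs still inside the window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != "ProcessTerminate" or ev["image"] not in OT_PROCESSES:
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], ev["image"]))
        while q and ev["ts"] - q[0][0] > window_s:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerted:
            alerted.add(ev["host"])
            alerts.append({
                "host": ev["host"],
                "first_ts": q[0][0],
                "last_ts": ev["ts"],
                "images": sorted({img for _, img in q}),
            })
    return alerts


# Constructed sample feed: hmi-01 loses three OT processes in 20 seconds (the kill-list
# pattern); ews-02 sees one planned historian restart; a non-OT process is ignored.
SAMPLE_LOG = [
    "ts=1594000000 host=ews-02 event=ProcessTerminate image=C:\\OT\\ot_historian.exe",
    "ts=1594000005 host=hmi-01 event=ProcessTerminate image=C:\\OT\\ot_hmi_runtime.exe",
    "ts=1594000009 host=hmi-01 event=ProcessTerminate image=C:\\Windows\\notepad.exe",
    "ts=1594000012 host=hmi-01 event=ProcessTerminate image=C:\\OT\\ot_opcua_server.exe",
    "ts=1594000025 host=hmi-01 event=ProcessTerminate image=C:\\OT\\ot_plc_supervisor.exe",
    "ts=1594000900 host=ews-02 event=ProcessCreate image=C:\\OT\\ot_historian.exe",
]

if __name__ == "__main__":
    for a in detect_mass_termination(SAMPLE_LOG):
        print(f"ALERT {a['host']}: {len(a['images'])} OT processes stopped between "
              f"{a['first_ts']} and {a['last_ts']}: {', '.join(a['images'])}")
```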

Process Kill Lists Are Just An Observable Indicating Broader Financially Motivated Interest In OT

Financially motivated threat actors leverage a large variety of tactics and techniques to obtain data that they can later use to generate profits. While financial actors have historically posed little to no threat to OT systems, the recent uptick in ransomware and extortion incidents highlights that industrial operations are increasingly at risk. Although we have not observed any financially motivated actors explicitly targeting OT systems, our research into process kill lists deployed with or alongside ransomware samples shows that at least two sophisticated financial actors have expanded their access into OT networks during their regular intrusions.

This increasing exposure of OT to financially motivated threat activity is no surprise, given that TTPs used by cybercriminals increasingly resemble those employed by sophisticated actors. We have consistently conveyed this message since at least 2018, when we publicly discussed the commodity and custom IT tools leveraged by the TRITON attacker while traversing through its targets’ networks (Figure 3). The likelihood of financially motivated actors impacting OT while seeking to monetize intrusions will continue to rise for the following reasons:

Figure 3: TTPs seen across both IT and OT incidents

  • Financially-motivated threat actors moving to a post-compromise ransomware model will continue to evolve and find ways to reach the most critical systems of organizations as part of their mission of monetization. As these actors are mainly driven by profits, they are not likely to differentiate between IT and OT assets.
  • OT organizations will continue to struggle to evolve at the same pace as cyber criminals. As a result, small weaknesses such as misconfigurations, exposed vulnerabilities or improper segmentation will be enough for financial actors to gain access to networks in their attempts to profit from intrusions.
  • As the market for OT solutions continues to incorporate IT services and features into broadly adopted products, we expect the convergence of technologies to result in a broader attack surface for financial threat actors to target.
  • The TTPs employed by both financial and sophisticated nation-state actors often rely on intermediary systems as stepping stones through intrusions. As a result, the skills of both groups hold similar potential of reaching OT systems even when financial groups may only do so coincidentally or as part of their monetization strategy.


As OT networks continue to become more accessible to threat actors of all motivations, security threats that have historically impacted primarily IT are becoming more commonplace. This normalization of OT as just another network from the threat actor perspective is problematic for defenders for many of the reasons discussed above. This recent threat activity should be taken as a wake-up call for two main reasons: the various security challenges commonly faced by organizations to protect OT networks, and the significant consequences that may arise from security compromises even when they are not explicitly designed to target production systems. Asset owners need to look at OT security with the mindset that it is not if you will have a breach, but when. This shift in thinking will allow defenders to better prepare to respond when an incident does happen, and can help reduce the impact of an incident by orders of magnitude.   

Appendix: Selection Of OT Processes From CLOP Kill List

Process Name / Vendor table (the process-name column was not recovered in extraction; the vendor entries that survive are Atlas Copco, Inray Industriesoftware, National Instruments, "Possibly Siemens" and "Rockwell Automation or National Instruments").
Devices and Distancing: What Digital Data Says About Life From Home

With millions of us keeping life closer to home in these past months, what can our devices and apps tell us about how we’ve passed that time? Plenty.

Usage stats, location data, app downloads, and daily active users, all drawn from anonymized data, are all common statistics that get reported on a regular basis. What makes them particularly insightful this year is to see how they’ve increased, decreased, or remained steady as nations and communities have put distancing measures in place. How are we living differently and what role are our devices playing in them?

That’s a rather large question, and different data sets, measurements, and methodologies will point to different insights. However, looking at a few of them together can help us associate some figures with the way our day-to-day experience has changed and continues to evolve.

Our own data shows people are using their desktop and laptop computers more

Using the McAfee PC app, which is always running in the background to protect our customers, we’re able to look at general PC use. The inference here is that increased use of a desktop or laptop PC (especially during weekdays) indicates an uptick in people engaging in remote work, learning, or play. Our figures are drawn from pseudonymized or anonymized device records aggregated to a country level, with at least 1,000 devices counted.

What did our numbers specifically show? You can visit our Safer Together page and take a country-by-country view of the data, which starts in February. (See our interactive heat map at the bottom of the page.) A quick capsule summary of select nations is below:

PC Usage by Month

Unsurprisingly, the most marked jump in home PC use occurs during the stretch that measures March to April, which marks the period when stay at home guidance rolled into place for many. From there, those increases held relatively steady. Looking at the change from April to May, it appears that people largely stayed at home as well.

Beyond that, June’s week-by-week trends saw usage in Australia and India both increase steadily. The U.S., UK, and Germany also trended upward overall, while France and Italy trended downward.

Other apps and technologies point to other trends

Dating apps saw a big spike in downloads and usage during the same stretch of time. According to dating app Bumble, the end of March saw an 84% increase in the number of its video calls and voice chats. On March 29th, the Tinder dating app reported the highest number of swipes ever in one day up to that point—some 3 billion. As we shared in an article earlier this year about safely dating from home, perhaps this shouldn’t come as any surprise because dating apps are designed to bring people together. In periods of isolation, it follows that people would use them to reach out and make connections where they can.

There’ve been plenty of similar stories (and some surprises) in the news in recent weeks, as various firms, publications, and service providers share some of the digital trends they’ve spotted, such as:

  • In April, online analysis firm Apptopia reported a marked decrease in mobile phone screen time and an increase in time on desktop browsers as people switched to bigger screens. They also tracked a major spike in the download of home improvement retailer apps in the U.S., such as Lowe’s, Home Depot, and Menards—up 69% year-over-year.
  • PC Magazine reports that internet usage surged 47% in January-March of this year. One statistic that underscores this increase is the percentage of people who consume more than 1TB of data in a month. This went from 4.2% of subscribers in the start of 2019 to 10% in the first quarter of 2020. That’s a more than 2x increase in so-called power users.
  • The same report shared further insights, such as collaboration tool Microsoft Teams setting a record for 2.7 billion meeting minutes in a single day and collaboration platform Slack seeing an 80% increase in paid customers over the previous quarter. Likewise, video conferencing tool Zoom saw its daily participants increase by 2,900% in the quarter compared to December 2019.
  • OpenTable, which provides online restaurant reservations across nearly 60,000 restaurants globally and seats 134 million diners monthly, has put out its own data as well. Its “State of the Restaurant Industry” figures offer few surprises as to how hard-hit restaurants around the world have been. By making week-to-week comparisons between 2019 and 2020, it shows that seatings in early June are down roughly 75% globally compared to last year. Later in the month, they are still down 63% compared to the same time last year.


Looking ahead: more working from home?

While these statistics each provide their own snapshot of life during lockdown in retrospect, what remains to be seen is how the time we’ve spent at home will shape the way we work, learn, socialize, and entertain ourselves in the months to come. At least right now, it seems that people are wanting or expecting to see change. A new study from McAfee surveyed 1,000 working adults in the U.S. between the ages of 18 and 74 in May 2020 and found that nearly half (47%) of employees do not want to go back to working how they were before stay-at-home measures were put in place.

However that plays out in the future, it’s important to protect ourselves today while we continue to rely on our devices so heavily. Comprehensive security protection, like McAfee Total Protection, can help protect devices against malware, phishing attacks, and other threats. Additionally, it includes McAfee WebAdvisor that can help identify malicious websites.

And one last stat: according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. Again, no surprise. Yet one thing to be on the lookout for is phishing and malware attacks associated with movies and shows that are offered for a “free” stream or download. It’s a common method of attack, and we’ve compiled our Top 10 U.S. List of TV and Movie Titles That Could Lead You to a Dangerous Download. Give the article a look. Not only does it name the titles, it offers you great advice for keeping safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Devices and Distancing: What Digital Data Says About Life From Home appeared first on McAfee Blogs.

How to Adopt a Work-from-Home Mindset

By: Paige, Change Management Manager, Plano, TX, United States

In the last few months, navigating through the pandemic has yielded changes in every aspect of our daily lives. Because of COVID-19, many companies have suddenly moved to full remote work. My husband and I received news about this and school closings while our family was on spring break.

As you guessed, we weren’t exactly ready to dive into all the rapid changes—even as seasoned remote workers. Being an active member of McAfee’s Virtual Culture Club (VCC), a group that brings global remote team members together, I made sure to incorporate what I’ve learned from these connections.

Now that I’ve spent significant time managing work and three boys from home, here are my four remote work adoption tips for parents who are also playing educator like me.

Tip No. 1: Schedule Breaks

Before the pandemic, I preferred to work through lunch, so I could attend my children’s soccer and tennis games, volunteer or take over for my husband who manages school pickup, starts the kids on homework and prepares dinner. We had a pretty good routine and it worked well for us.

In our new norm, there is no such thing as a routine anymore. We had to become comfortable with that. In my work schedule, meetings with varied times are constant for me since my role supports business in different places around the globe. At the start of the pandemic, our children transitioned to online classes, which also occur at different times and days each week.

The change in routine and moving schedules took a while to become familiar with. I had to start blocking out time to fit in preparing lunch for the kids, eating meals and making time for a short walk around the neighborhood to get out and feel the sun. Once I started doing that, I felt so much lighter.

Plan breaks away from your computer and make space to get energy out with your family.

Tip No. 2: Allow Your Professional and Personal Life to Collide

Our professional and personal lives occupy the same space now. I believe you can still manage both successfully. Though having a dedicated office space to work is necessary, I encourage you to let your kids pull up a chair to draw, craft or even read a book alongside you. This will help reduce any pressure you may have about balancing your time as a parent. Sometimes, our children just want to be near us.

Recently, McAfee hosted an Online Safety Session series virtually on Facebook, where cybersecurity experts shared knowledge and best practices with parents, teachers and kids to stay safe online. I was able to invite my oldest child to sit next to me, so we could watch it together. It was a win-win—a learning opportunity for her, a way to inspire them with my career space and a chance to spend time together.

When possible, find opportunities to break up your work day with positive family interactions.

Tip No. 3: Sprinkle in a Little Joy

A few months ago, my youngest child, who is a preschooler, started to practice writing on sticky notes and handing them to me while I was working. I’d smile, thank him and put the notes to the side of my laptop. Dissatisfied with my placement, he would quickly put the note on top of my laptop and made sure it stayed on there with extra tape every time I stepped away. Now, every time I close my laptop and see his note, it brings me great joy.

There are many ways to add joy in your day when you work from home:

  • Take a selfie with something that caught your attention on your lunch walks and send it to your team
  • Treat yourself to a food delivery you’re craving with no judgment
  • Play your favorite song loudly between meetings

Make time for the smallest joys that make you happy every day.

Tip No. 4: Remember: Change is Hard, Empathy Isn’t

As a change manager, I know firsthand that change is hard. Change is expected. And throughout my career experiences, I’ve learned that change is constant. It’s also okay to feel what you are feeling. We need to have grace for one another when there is an occasional interruption from kids or even pets. If you can be a great worker in the office, you can be a great worker at home.

During video conference calls, sometimes my kids enjoy making cameo appearances so they can see my teammates. My teammates, and especially my leader, always reassure me, “Paige, do not worry about it. It’s totally fine.” Now, when we have extra time at the end of a team meeting, we introduce our kids, pets or partners.

Remember, we are all in this together, globally. We are all adjusting.

If you’re looking at new opportunities in a thriving culture that will provide you with balance and flexibility, search McAfee’s current openings.

The post How to Adopt a Work-from-Home Mindset appeared first on McAfee Blogs.

What Does it Take to be a Rockstar Developer?

If there’s one thing you need to value as you move through your career as a modern software developer, it’s the importance of security. With application layers increasing and the shift left movement bringing security into the picture earlier in the development process, security should be top of mind for every developer working to write and compile successful code.

But many developers leave school without the security knowledge they need to write secure code – something nearly 80 percent of developers from our DevSecOps Global Skills Survey can attest to. As with any profession, there’s always room to learn and grow on the job, especially in software development where projects move at the speed of “I need that fixed yesterday.” To be a rockstar developer in today’s world, you have to be fast to fix flaws, smart about your prioritization, and quick to release secure software your customers can count on.

For most organizations, hitting tight deployment deadlines without compromising security means shifting scans left in the software development lifecycle (SDLC) by integrating security into the IDE with fast feedback that helps developers learn as they write their code. It also involves bolstering development team members who are passionate about the health of their code and focusing on educating the entire organization about the importance of security.

Treating security as an afterthought is no longer an option, and as a dynamic developer, it’s something you can help change. Shifting security left lessens the risk of needing to fix found flaws down the road (which can cost your business a pretty penny). But there’s a lot that can be done, both by developers and security leadership, to trickle knowledge down and bridge the gap that so often leaves team members siloed.

Whether you’re just starting out as a more junior-level developer or you’re wondering how you can take your established career to the next level, there are eight key things that you can do to enhance your security skills – from hands-on learning courses to thinking like an attacker and becoming a security champion on your team. Read on:

By arming yourself with the knowledge you need to write more secure code and becoming a security champion, you’ll be a more dynamic developer who can help facilitate coding and scanning needs during production, and you’ll stand out as a leader on your team who takes the health of your applications seriously.

Ready to help your organization shift left by unifying security and development? Browse the developer resources section of the Veracode Community to gain more insight into secure coding and help improve your organization’s application security by becoming a rockstar developer.

Your 30-60-90 Day AppSec Plan

Your stakeholders have signed off on an application security program, you’ve selected a vendor… but now what? There is no detailed handbook or instruction manual for getting started because every organization is different. You need to formulate your own plan to make sure the program meets the individual needs of your organization.

But that doesn’t mean that there aren’t tips or suggestions to help get your wheels turning. One good place to start is the Veracode Community, where developers and security practitioners can ask questions and solicit feedback from Veracode employees or fellow Community members. On Tuesdays, the Community gives customers a “Tip” or advice from an industry expert on a particular topic. One of the recent tips was a 30-60-90-day road map with recommended goals and steps to consider when rolling out an AppSec Program.

In the first 30 days, some of the proposed first steps include training key members of the AppSec team, prioritizing applications for scans, and defining what a successful AppSec program looks like at your organization. The map even provides some examples of metrics that you can use to measure the success of your program.

By 60 days, you should have your development team fully onboarded. In fact, they should be ready to start some basic scans. The key to success during month two is to make sure that developers and security professionals have a strong feedback loop and a positive working relationship. That way, when developers start scanning, security practitioners will feel comfortable and confident that developers have security measures top of mind, and developers will feel comfortable going to security with remediation questions.

In a recent Veracode Community post on best practices for strengthening the developer and security practitioner’s relationship, several community members weighed in on what has worked at their organization. Mwaldis335267 argued for integrating AppSec testing tools into developers’ existing processes to make testing more convenient. Mark Merkow of HealthEquity pointed out that “before releasing tools and confounding processes to development teams, it's essential that every team member clearly understands the reasoning and the intent of using AppSec tools/processes.”

Toward the end of the third month, you should have integrations set up and you should be ready to review the current progress of your AppSec program. Some questions you should be asking the team on day 90 include:

  • Are there any additional developers that need to be onboarded?
  • Are there any new apps that need to be scanned?
  • How are the teams handling the current policies? Do any need to be changed?
  • How long should we be giving developers to remediate flaws?

By reading through the road map and considering the goals and steps, you should be able to get started on your journey. However, if you have questions or need support throughout the process, you can always reach out to your Veracode SPM or ask a question on the Veracode Community.

Returning to the Workplace and the Ongoing Threat of Phishing Attacks

Guest post by Richard Hahn, Consulting Manager, Sungard Availability Services

According to the Office of National Statistics (ONS), approximately 14.2 million people (44% of the total number of working adults) have worked from home during the coronavirus pandemic. To put these figures into perspective, this number stood at around 1.7 million in 2019, representing just 5% of the total working population.

While these statistics are unsurprising, it’s clear that the paradigm of working from home every day was sudden and significant. Few businesses can claim to have anticipated such a scenario, nor to have had the business continuity planning capabilities to contend with its consequences. For example, one of the biggest cybersecurity trends to have emerged in recent weeks is a surge in phishing attacks targeting remote workers.

As will be described in this article, phishing thrives on isolation, uncertainty and periods of change, which have all been common characteristics of the working world recently. Accordingly, Google has reported a 350% increase in phishing attacks from January to March of this year.

Education is the First Line of Defence against Phishing Attacks

Now that organisations are beginning to transition back to former work settings, social distancing will mean that change and uncertainty will continue to be a significant factor. During this time, it is imperative that all workers are aware not only of how phishing attacks work, but also the impact they can have on an organisation’s reputation, its bottom line, and, crucially, the continuity of the business overall. Here are some key pieces of advice for staying secure under these circumstances.

1. Phishing Attacks are Socially Engineered

The anatomy of an effective phishing attack is rooted more in social engineering than technology. Phishing messages try to trick individuals into taking an action, such as clicking on a link or providing personal information, by offering scenarios of financial gains or ramifications, or the potential of work disruption or playing into a personal panic.

However, phishing messages typically have tell-tale signs that can – and should – give users pause. Attempts to obfuscate the sender, poor spelling and grammar, and malicious attachments are a few of the classic signs that the message is not genuine.

Phishing attack messages that have the highest response rates are often related to time-bound events, such as open enrolment periods or satisfaction surveys. Some other common phishing message themes include unpaid invoices, confirming personal information and problems with logins.

Before acting, think about what is being asked. For example, phishing attacks may take advantage of the fact that many workers are currently anticipating updates from their employers about returning to the workplace. The email may ask users to log in to a new system designed to allocate socially distant spaces within the workspace upon their return. This tactic exploits the user’s often unconscious confirmation bias, not only impersonating their employer but also taking advantage of their expectations around returning to work and acknowledgement of social distancing.

If unsure whether it might be a malicious message, encourage staff to ask a colleague or the IT team to analyse the message (including the full Simple Mail Transfer Protocol (SMTP) information).
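When a message is forwarded to the IT team, the header review can be partly automated. The triage helper below is an added example, not part of the article or of any product it mentions: it flags the sender-obfuscation signs discussed above (Return-Path or Reply-To at a different domain, a display name that names another domain), non-passing SPF/DKIM/DMARC verdicts recorded by the receiving server, and unexpected attachment types. The sample message, its domains and the risky-extension list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Attachment types that should not arrive unannounced from a service desk
# (illustrative set, an assumption rather than a list from the article).
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".html", ".htm")


def domain_of(header_value):
    """Bare, lower-cased domain of the address in a header such as 'Name <user@host>'."""
    _, address = parseaddr(str(header_value or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage_message(raw):
    """Return human-readable findings from the header and attachment checks.

    An empty list means nothing obvious was found; it is not proof the message is clean.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg.get("From"))

    # 1. Sender obfuscation: the envelope sender (Return-Path) or the Reply-To address
    #    points at a different domain than the visible From address.
    for header in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(header))
        if other and other != from_domain:
            findings.append(f"{header} domain '{other}' differs from From domain '{from_domain}'")

    # 2. Display-name impersonation: the friendly name embeds an address at another domain.
    display, _ = parseaddr(str(msg.get("From") or ""))
    claimed = re.search(r"@([\w.-]+)", display)
    if claimed and claimed.group(1).lower() != from_domain:
        findings.append(f"display name claims '{claimed.group(1)}' but address is at '{from_domain}'")

    # 3. The receiving mail server's SPF/DKIM/DMARC verdicts, when it recorded them.
    auth = str(msg.get("Authentication-Results") or "")
    for mech in ("spf", "dkim", "dmarc"):
        verdict = re.search(rf"\b{mech}=(\w+)", auth)
        if verdict and verdict.group(1).lower() != "pass":
            findings.append(f"{mech} verdict is '{verdict.group(1)}'")

    # 4. Attachments of a type that warrants a second look before anyone opens them.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment '{name}'")
    return findings


# Constructed sample: a return-to-work lure of the kind described above. All domains
# and addresses are reserved/example values, not real infrastructure.
SAMPLE_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.10) by mx.corp.example (10.0.0.5); Mon, 6 Jul 2020 08:01:02 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail
From: "IT Service Desk (it-servicedesk@corp.example)" <it-servicedesk@corp-example.test>
Reply-To: <desk-support@mail-relay.example.net>
To: staff@corp.example
Subject: Action required: reserve your socially distanced desk
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Log in to the new seating portal before your return to the office.
--b1
Content-Type: text/html; name="seating-portal-login.html"
Content-Disposition: attachment; filename="seating-portal-login.html"

<html></html>
--b1--
"""

if __name__ == "__main__":
    for finding in triage_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```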

2. Attackers Use a Diverse Portfolio of Tactics

Attackers often attempt to impersonate a known person or entity to obtain private information or to carry out an action. This is also known as pretexting and is commonly executed by crafting a fraudulent email or text message to execute an action that is not part of the standard process.

One example is calling the service desk and pretending to be a valid user to get a password reset. Another ruse attackers frequently take advantage of is an out-of-band wire transfer or an invoice payment for a critical vendor. Small companies have traditionally been the targets, but larger companies are increasingly being targeted.

Organisations must understand that pretexting is considered fraud and is often not covered by cyber insurance policies. Therefore, it’s critical that organisations design effective business processes with oversight so there are no single points of approval or execution, and stick to them. While it may be tempting to bypass processes, such as accounts payable or IT procurement, businesses can’t afford to let their guard down – especially when large numbers of workers are logging on remotely as is the case for so many today.

3. Education is the First Line of Defence

Phishing is often discussed within the cybersecurity space, but the conversations typically don’t involve intent and rigour.

The common compliance measure usually involves in-person or virtual annual training, along with some other method of education, such as hanging posters around the workplace. This approach pre-dates highly connected computing environments and doesn’t address the urgency needed for the current threat landscape or pattern of working experienced by so many in 2020.

Organisations must conduct security awareness education with the same decisiveness and gravity that other industries do with safety training. For example, it’s not uncommon for drivers in the commercial trucking and transport sector to take monthly training modules, or for managers to participate in quarterly safety meetings.

Planning for the New Normal

The main priority for organisations moving forward is to be more proactive about implementing, practising and testing cyber hygiene from the ground up. There’s much more in the way of fundamental change on the horizon which opens organisations up to a diverse and complex threat landscape.

At the same time, bad actors will constantly be on the lookout for opportunities to take advantage of the chaos. By paying attention to the signs, looking out for pretexting and emphasising regular training, companies can better fend off future phishing attacks.

Investing time and resources into regularly training and educating staff on information security awareness and current cyber threats is critical in building resilience in the ‘new normal’ of the post-COVID-19 working world. A crippling cyberattack is always just around the corner, but by establishing plans and capabilities that reduce risk and prevent data loss, leakage or offline systems from disrupting business continuity, the chances of survival rise exponentially. 

New Forrester Report: Build a Developer Security Champions Program

We know firsthand how critical it is for developers and security professionals to have a great working relationship. That extends beyond simply communicating well; for your DevSecOps program to come together so that you can secure your applications, you need to break down silos and improve security knowledge across the board.

Recently, Forrester published a report on this very topic that digs into the challenges organizations like yours face when standing up programs to support security and developer needs. The report, “Build A Developer Security Champions Program,” lays the groundwork for standing up a successful program that lasts and improves the health of your application security (AppSec). Key takeaways from the report highlight:

  • The importance of embedding AppSec where developers need it most
  • The need for executive sponsorship and funding for your program
  • Five critical steps to consider when building a program

And according to Forrester, those five steps – which cover everything from making the case to stakeholders to training your champions and showing support when they improve their skills – are critical to launching an effective security champions program.

Security champions: defined

In the report, Forrester defines security champions as follows: “Extended members of the security team that work in various roles across the organization that translate security-speak into a language that everyone can understand.” It’s about empowering your developers to become the influencers on their teams, closing information gaps, and escalating issues or concerns to the right people, at the right time.

With an established program in place that has the right tools, solutions, and resources plugged into the right processes, you’ll have an easier time scaling security knowledge within your organization. As Forrester points out, developers in well-rounded security champions programs may even go on to become great security leaders of their own down the road.

Your security team will then have a bridge in place to work directly with developers on prioritizing which flaws to remediate, furthering education on both sides of the aisle, offering more support, and measuring effectiveness.

That has a domino effect: efforts like remediation prioritization can help your developers cut down the risk of security debt by catching and remediating high-severity flaws. It's especially impactful when you integrate hands-on training tools like Veracode Security Labs that equip developers to tackle modern threats impacting their code.

Want to learn more about setting up a security champions program of your own? Read the full report from Forrester here.

Understand the Past to Shape the Future of AppSec

It can sometimes feel like development and security teams are working toward two separate goals. Both developers and security professionals are supposed to be working toward timely, secure releases, but in reality, developers tend to prioritize speed and function, and security professionals prioritize security measures. How can you unify the teams and focus them on shared goals? A little history can help.

Several decades ago, software deployment followed a waterfall approach with releases every six months. But as the world became increasingly digital, biannual releases were no longer fast enough. Organizations moved to an agile approach, releasing weekly or monthly. And today, with continuous integration (CI) and continuous delivery (CD) processes, releases are daily, hourly, or even by the minute.

With the increase in release frequency comes an increase in security threats. To combat these threats, security regulators instituted more stringent compliance requirements and penalties. These requirements have placed added stress on security professionals, who are already facing staffing shortages and pressure associated with multiple releases a day.

To address the security staffing shortage, many companies moved the responsibility of securing code to developers. Developers agreed to take on the additional responsibility and, initially, security improved. But as DevOps continues to mature, and the speed of releases continues to increase, developers have placed security on the back burner in favor of speed.

Why are they prioritizing speed? There are several reasons. First, at most organizations, the developer's performance is directly tied to the speed of releases. Second, the majority of developers don't have the necessary tools or training to write secure code or to remediate flaws.

So how can you encourage developers to not just prioritize speed, but to also prioritize security? The key to success is making sure that security measures are fast and easy to implement. How can you achieve this? Build security measures into the developers' existing processes so that scans don't slow them down. You also need to enable developers with tools and resources to write secure code in order to reduce the number of issues from the start. And you need to scale your program, building and maintaining the AppSec infrastructure and cost model to meet ever-increasing demand. Lastly, you need to set the precedent with developers that security is an expected outcome, not just speed.

By following these steps, security teams will start concentrating on ways to speed up their processes, and developers will have an easier time implementing security.

To learn more about the evolution of software deployments and the effect on developers and security professionals, check out our interactive infographic, Is Application Security an Expected Outcome for You ... Or Does it Take a Backseat to Application Innovation?

Time to Get Proactive About Threat Hunting

When I think about the many challenges that threat hunters face nowadays, trust me when I say that I feel their pain. Early in my career, I was a Security Engineer in a SOC who scrambled into action upon receiving the proverbial midnight call about an incident.

The system I was part of wasn't perfect, as we were always one step behind our adversaries. Still, we held the line by deploying an assortment of security technologies to minimize any damage. Enterprises essentially adopted a reactive "whack-a-mole" approach, where defenders would address one-off vulnerabilities as they popped up. But we face a new cyber security landscape that makes it clear we need to adopt a new, more proactive approach to threat hunting.

Are We a Target? 

In the past, cyber security was generally treated as an afterthought by senior management. No longer. Company boards are finally attuned to the grave challenge that cyber security poses to their businesses. While boards are willing to make cyber security investments, they also want to make sure they’re getting the maximum return from investments in the tools that CISOs say they need.   

However, they’re not going to be patient if their cyber security strategy still rests upon waiting for the next phishing email to infect the network before defenders start to swing into action. Enterprises don’t have the luxury, especially not in the current threat landscape where they are being targeted by cohorts of increasingly sophisticated attackers. This has implications for everyone involved in the enterprise cyber security chain – from the CISO to the most junior analyst on the SOC team.  

Threat hunters must be able to synthesize external threat feeds and data into useful context to know whether the organization is a target. And they also need actionable information to take steps that bolster the organization's overall security posture; this can involve anything from ordering a general lockdown to tweaking policies that better secure endpoints or the web gateway.

Unfortunately, this proactive capacity still remains out of reach for most companies. Fewer than 20% of breaches are getting stopped in a timely fashion because threat hunters lack the tools that might supply the kind of timely, actionable context I’m talking about. 

Boards aren’t going to be patient if their threat hunting approach is the equivalent of calling in the firemen only after the blaze starts. The organization needs to know ahead of time what’s happening in their cyber neighborhood, not after the fact. 

The Rise of the Strategic Threat Hunter 

That puts added pressure on threat hunters to get ahead of the problem before it's a problem. As the average cost of data breaches continues to climb, too much is at risk by keeping the status quo. Remediation and resolution after the fact no longer cuts it. But if threat hunters know ahead of time who is being targeted and what endpoints are going to be impacted, that's a game-changer. At that point, they can take proactive measures to protect their organizations.

At McAfee, our portfolio of technologies not only extends protection across all endpoints and the cloud but also streamlines the process of investigation, allowing threat hunters to drill down across vectors, industries and regions. We cross-correlate known campaigns using industry and geographical threat activity with an organization’s own endpoint security posture derived from its security telemetry.   

That's a major boon for threat hunters, who can now glean accurate insights into the constellation of potential security risks. They no longer need to manually pick through disparate pieces of data, separating out false positives from real indications of trouble. So, instead of wasting precious time on busy work, they apply their talents to the task of finding the most effective way to deal with incoming threats.

Even on a good day, the threat hunter's job is hard enough. Without the necessary information to help understand the bigger picture, it looks more like Mission Impossible. But with the recently announced and uniquely proactive MVISION Insights in hand, threat hunters can finally flip the script to take the fight to the bad guys. Remember: the best defense is always a good offense.

Check it out: our Chief Scientist Raj Samani weighs in on MVISION Insights.

The post Time to Get Proactive About Threat Hunting appeared first on McAfee Blogs.

SCANdalous! (External Detection Using Network Scan Data and Automation)

Real Quick

In case you’re thrown by that fantastic title, our lawyers made us change the name of this project so we wouldn’t get sued. SCANdalous—a.k.a. Scannah Montana a.k.a. Scanny McScanface a.k.a. “Scan I Kick It? (Yes You Scan)”—had another name before today that, for legal reasons, we’re keeping to ourselves. A special thanks to our legal team who is always looking out for us, this blog post would be a lot less fun without them. Strap in folks.


Advanced Practices is known for using primary source data obtained through Mandiant Incident Response, Managed Defense, and product telemetry across thousands of FireEye clients. Regular, first-hand observations of threat actors afford us opportunities to learn intimate details of their modus operandi. While our visibility from organic data is vast, we also derive value from third-party data sources. By looking outwards, we extend our visibility beyond our clients’ environments and shorten the time it takes to detect adversaries in the wild—often before they initiate intrusions against our clients.

In October 2019, Aaron Stephens gave his "Scan't Touch This" talk at the annual FireEye Cyber Defense Summit (slides available on his GitHub). He discussed using network scan data for external detection and provided examples of how to profile command and control (C2) servers for various post-exploitation frameworks used by criminal and intelligence organizations alike. However, manual application of those techniques doesn't scale. It may work if your role focuses on one or two groups, but Advanced Practices' scope is much broader. We needed a solution that would enable us to track thousands of groups, malware families and profiles. In this blog post we'd like to talk about that journey, highlight some wins, and for the first time publicly, introduce the project behind it all: SCANdalous.

Pre-SCANdalous Case Studies

Prior to any sort of system or automation, our team used traditional profiling methodologies to manually identify servers of interest. The following are some examples. The success we found in these case studies served as the primary motivation for SCANdalous.

APT39 SSH Tunneling

After observing APT39 in a series of intrusions, we determined they frequently created Secure Shell (SSH) tunnels with PuTTY Link to forward Remote Desktop Protocol connections to internal hosts within the target environment. Additionally, they preferred using BitVise SSH servers listening on port 443. Finally, they were using servers hosted by WorldStream B.V.

Independent isolation of any one of these characteristics would produce a lot of unrelated servers; however, the aggregation of characteristics provided a strong signal for newly established infrastructure of interest. We used this established profile and others to illuminate dozens of servers we later attributed to APT39, often before they were used against a target.


In February 2018, an independent researcher shared a sample of what would later be named QUADAGENT. We had not observed it in an intrusion yet; however, by analyzing the characteristics of the C2, we were able to develop a strong profile of the servers to track over time. For example, our team identified the server 185.161.208\.37 and domain rdppath\.com within hours of it being established. A week later, we identified a QUADAGENT dropper with the previously identified C2. Additional examples of QUADAGENT are depicted in Figure 1.

Figure 1: QUADAGENT C2 servers in the Shodan user interface

Five days after the QUADAGENT dropper was identified, Mandiant was engaged by a victim that was targeted via the same C2. This activity was later attributed to APT34. During the investigation, Mandiant uncovered APT34 using RULER.HOMEPAGE. This was the first time our consultants observed the tool and technique used in the wild by a real threat actor. Our team developed a profile of servers hosting HOMEPAGE payloads and began tracking their deployment in the wild. Figure 2 shows a timeline of QUADAGENT C2 servers discovered between February and November of 2018.

Figure 2: Timeline of QUADAGENT C2 servers discovered throughout 2018


A month after that aforementioned intrusion, Managed Defense discovered a threat actor using RULER.HOMEPAGE to download and execute POSHC2. All the RULER.HOMEPAGE servers were previously identified due to our efforts. Our team developed a profile for POSHC2 and began tracking their deployment in the wild. The threat actor pivoted to a novel PowerShell backdoor, POWERTON. Our team repeated our workflow and began illuminating those C2 servers as well. This activity was later attributed to APT33 and was documented in our OVERRULED post.


Scanner, Better, Faster, Stronger

Our use of scan data was proving wildly successful, and we wanted to use more of it, but we needed to innovate. How could we leverage this dataset and methodology to track not one or two, but dozens of active groups that we observe across our solutions and services? Even if every member of Advanced Practices was dedicated to external detection, we would still not have enough time or resources to keep up with the amount of manual work required. But that’s the key word: Manual. Our workflow consumed hours of individual analyst actions, and we had to change that. This was the beginning of SCANdalous: An automated system for external detection using third-party network scan data.

A couple of nice things about computers: They’re great at multitasking, and they don’t forget. The tasks that were taking us hours to do—if we had time, and if we remembered to do them every day—were now taking SCANdalous minutes if not seconds. This not only afforded us additional time for analysis, it gave us the capability to expand our scope. Now we not only look for specific groups, we also search for common malware, tools and frameworks in general. We deploy weak signals (or broad signatures) for software that isn’t inherently bad, but is often used by threat actors.

Our external detection was further improved by automating additional collection tasks, executed by SCANdalous upon a discovery—we call them follow-on actions. For example, if an interesting open directory is identified, acquire certain files. These actions ensure the team never misses an opportunity during “non-working hours.” If SCANdalous finds something interesting on a weekend or holiday, we know it will perform the time-sensitive tasks against the server and in defense of our clients.

The data we collect not only helps us track things we aren’t seeing at our clients, it allows us to provide timely and historical context to our incident responders and security analysts. Taking observations from Mandiant Incident Response or Managed Defense and distilling them into knowledge we can carry forward has always been our bread and butter. Now, with SCANdalous in the mix, we can project that knowledge out onto the Internet as a whole.

Collection Metrics

Looking back on where we started with our manual efforts, we're pleased to see how far this project has come, which is perhaps best illustrated by examining the numbers. Today (and as we write this, these numbers continue to grow), SCANdalous holds over five thousand signatures across multiple sources, covering dozens of named malware families and threat groups. Since its inception, SCANdalous has produced over two million hits. Every single one of those is a piece of contextualized data that helps our team make analytical decisions. Of course, raw volume isn't everything, so let's dive a little deeper.

When an analyst discovers that an IP address has been used by an adversary against a named organization, they denote that usage in our knowledge store. While the time at which this observation occurs does not always correlate with when it was used in an intrusion, knowing when we became aware of that use is still valuable. We can cross-reference these times with data from SCANdalous to help us understand the impact of our external detection.

Looking at the IP addresses marked by an analyst as observed at a client in the last year, we find that 21.7% (more than one in five) were also found by SCANdalous. Of that fifth, SCANdalous has an average lead time of 47 days. If we only consider the IP addresses that SCANdalous found first, the average lead time jumps to 106 days. Going even deeper and examining this data month-to-month, we find a steady upward trend in the percentage of IP addresses identified by SCANdalous before being observed at a client (Figure 3).

Figure 3: Percentage of IP addresses found by SCANdalous before being marked as observed at a client by a FireEye analyst

A similar pattern can be seen for SCANdalous’ average lead time over the same data (Figure 4).

Figure 4: Average lead time in days for SCANdalous over the same data shown in Figure 3

As we continue to create signatures and increase our external detection efforts, we can see from these numbers that the effectiveness and value of the resulting data grow as well.
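The lead-time arithmetic described above, as an added example that is not FireEye's or Mandiant's code: a constructed set of analyst observations ("IP marked as observed at a client") and scanner first-seen dates, from which the coverage share, the two average lead times (over all matched IPs, and over only those the scanner found first) and the per-month "found first" share plotted in Figure 3 are computed. All IPs and dates are made up (RFC 5737 test addresses).

```python
"""Added example, not FireEye/Mandiant code: lead-time metrics for an external
detection system, computed from two constructed data sets."""
from collections import defaultdict
from datetime import date

# Constructed analyst observations: ip -> date it was marked in the knowledge
# store as used against a named organization.
OBSERVED_AT_CLIENT = {
    "192.0.2.1": date(2020, 3, 10),
    "192.0.2.2": date(2020, 3, 20),
    "192.0.2.3": date(2020, 4, 5),
    "192.0.2.4": date(2020, 4, 15),
    "192.0.2.5": date(2020, 4, 20),
    "192.0.2.6": date(2020, 5, 2),
    "192.0.2.7": date(2020, 5, 9),
    "192.0.2.8": date(2020, 5, 30),
}

# Constructed external-detection hits: ip -> date the scanner first flagged it.
SCANNER_FIRST_SEEN = {
    "192.0.2.1": date(2020, 1, 10),   # flagged 60 days before the client observation
    "192.0.2.2": date(2020, 3, 25),   # flagged 5 days after it (negative lead time)
    "192.0.2.4": date(2020, 1, 15),
    "192.0.2.5": date(2020, 4, 20),   # same day: not counted as "found first"
    "192.0.2.7": date(2020, 2, 9),
    "192.0.2.8": date(2020, 5, 1),
    "192.0.2.99": date(2020, 2, 1),   # never observed at a client: ignored below
}

def lead_times(observed, scanner):
    """Lead time in days for every client-observed IP the scanner also found:
    observation date minus first-seen date, negative when the scanner was late."""
    return {ip: (seen - scanner[ip]).days
            for ip, seen in observed.items() if ip in scanner}

def coverage(observed, scanner):
    """Share of client-observed IPs the scanner found at all (the post's 21.7%)."""
    return len(lead_times(observed, scanner)) / len(observed)

def mean_lead(observed, scanner, found_first_only=False):
    """Average lead time in days. With found_first_only, restrict to IPs the
    scanner flagged strictly before the analyst (the post's 47 vs. 106 days)."""
    leads = [d for d in lead_times(observed, scanner).values()
             if d > 0 or not found_first_only]
    return sum(leads) / len(leads) if leads else 0.0

def monthly_found_first(observed, scanner):
    """Per month of client observation, the fraction of IPs the scanner found
    first (the quantity plotted in Figure 3), keyed by YYYY-MM in order."""
    totals, firsts = defaultdict(int), defaultdict(int)
    leads = lead_times(observed, scanner)
    for ip, seen in observed.items():
        month = seen.strftime("%Y-%m")
        totals[month] += 1
        if leads.get(ip, 0) > 0:
            firsts[month] += 1
    return {m: firsts[m] / totals[m] for m in sorted(totals)}

if __name__ == "__main__":
    print(f"coverage: {coverage(OBSERVED_AT_CLIENT, SCANNER_FIRST_SEEN):.1%}")
    print(f"mean lead (all matched): {mean_lead(OBSERVED_AT_CLIENT, SCANNER_FIRST_SEEN):.1f} days")
    print(f"mean lead (found first): {mean_lead(OBSERVED_AT_CLIENT, SCANNER_FIRST_SEEN, True):.1f} days")
    for month, share in monthly_found_first(OBSERVED_AT_CLIENT, SCANNER_FIRST_SEEN).items():
        print(f"{month}: {share:.0%} found first")
```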

SCANdalous Case Studies

Today in Advanced Practices, SCANdalous is a core element of our external detection work. It has provided us with a new lens through which we can observe threat activity on a scale and scope beyond our organic data, and enriches our workflows in support of Mandiant. Here are a few of our favorite examples:


In early 2019, SCANdalous identified a Cobalt Strike C2 server that we were able to associate with FIN6. Four hours later, the server was used to target a Managed Defense client, as discussed in our blog post, Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware.


In late 2019, SCANdalous identified a BOOSTWRITE C2 server and automatically acquired keying material that was later used to decrypt files found in a FIN7 intrusion worked by Mandiant consultants, as discussed in our blog post, Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques.

UNC1878 (financially motivated)

Some of you may also remember our recent blog post on UNC1878. It serves as a great case study for how we grow an initial observation into a larger set of data, and then use that knowledge to find more activity across our offerings. Much of the early work that went into tracking that activity (see the section titled “Expansion”) happened via SCANdalous. The quick response from Managed Defense gave us just enough information to build a profile of the C2 and let our automated system take it from there. Over the next couple months, SCANdalous identified numerous servers matching UNC1878’s profile. This allowed us to not only analyze and attribute new network infrastructure, it also helped us observe when and how they were changing their operations over time.


There are hundreds more stories to tell, but the point is the same. When we find value in an analytical workflow, we ask ourselves how we can do it better and faster. The automation we build into our tools allows us to not only accomplish more of the work we were doing manually, it enables us to work on things we never could before. Of course, the conversion doesn’t happen all at once. Like all good things, we made a lot of incremental improvements over time to get where we are today, and we’re still finding ways to make more. Continuing to innovate is how we keep moving forward – as Advanced Practices, as FireEye, and as an industry.

Example Signatures

The following are example Shodan queries; however, any source of scan data can be used.

Used to Identify APT39 C2 Servers

  • product:"bitvise" port:"443" org:"WorldStream B.V."

Used to Identify QUADAGENT C2 Servers

  • "PHP/7.2.0beta2"


  • html:"clsid:0006F063-0000-0000-C000-000000000046"
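An added example (not FireEye's or Mandiant's code) that evaluates the signatures above, in the Shodan query syntax the post uses, against a handful of constructed scan records offline, and that also counts how many records each term of the APT39 query matches on its own, which is the aggregation point made in the APT39 case study. The record field names mirror Shodan's filter names; the matching semantics (case-insensitive substring, exact port) are an assumption, and the records and IPs are made up.

```python
"""Added example, not FireEye/Mandiant code: evaluate SCANdalous-style
signatures written in the post's Shodan query syntax against constructed scan
records, entirely offline. Matching semantics are assumed: case-insensitive
substring for text fields, exact match for port, free text against the banner.
"""
import re
from collections import Counter

# Constructed scan records (RFC 5737 test addresses); keys mirror Shodan's
# filter names: product, port, org, data (raw banner), html.
RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "product": "Bitvise SSH Server",
     "org": "WorldStream B.V.", "data": "SSH-2.0-9.12 FlowSsh: Bitvise SSH Server"},
    {"ip": "192.0.2.11", "port": 22, "product": "Bitvise SSH Server",
     "org": "Example Hosting Ltd", "data": "SSH-2.0-8.44 FlowSsh: Bitvise SSH Server"},
    {"ip": "192.0.2.12", "port": 443, "product": "nginx",
     "org": "WorldStream B.V.", "data": "HTTP/1.1 200 OK\r\nServer: nginx"},
    {"ip": "198.51.100.5", "port": 80, "product": "Apache httpd",
     "org": "Example Hosting Ltd",
     "data": "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.2.0beta2"},
    {"ip": "198.51.100.6", "port": 80, "product": "Apache httpd",
     "org": "Example Hosting Ltd",
     "data": "HTTP/1.1 200 OK\r\nX-Powered-By: PHP/7.2.0", "html": "<html></html>"},
]

# The queries from the post's "Example Signatures" section.
SIGNATURES = {
    "APT39 C2": 'product:"bitvise" port:"443" org:"WorldStream B.V."',
    "QUADAGENT C2": '"PHP/7.2.0beta2"',
}

# One query term: an optional field name, then a quoted or a bare value.
TERM = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')

def parse_query(query):
    """Split a query into (field, value) pairs. A bare quoted string has field
    None and is matched against the raw banner, like Shodan's free-text search."""
    return [(m.group(1), m.group(2) if m.group(2) is not None else m.group(3))
            for m in TERM.finditer(query)]

def term_matches(record, field, value):
    """Assumed semantics: exact match on port, case-insensitive substring
    elsewhere; a field the record lacks never matches."""
    if field == "port":
        return str(record.get("port")) == value
    haystack = str(record.get("data" if field is None else field, ""))
    return value.lower() in haystack.lower()

def scan(records, signatures):
    """Return {signature name: [ips]} for records matching every term of the
    query; each hit is what a follow-on action would be triggered from."""
    hits = {}
    for name, query in signatures.items():
        terms = parse_query(query)
        hits[name] = [r["ip"] for r in records
                      if all(term_matches(r, f, v) for f, v in terms)]
    return hits

def term_selectivity(records, query):
    """Records matched by each term alone versus by the whole conjunction: any
    single attribute is noisy, their intersection is the signal."""
    terms = parse_query(query)
    counts = Counter()
    for f, v in terms:
        counts[f"{f or 'text'}={v}"] = sum(term_matches(r, f, v) for r in records)
    counts["all terms"] = sum(all(term_matches(r, f, v) for f, v in terms)
                              for r in records)
    return counts

if __name__ == "__main__":
    for name, ips in scan(RECORDS, SIGNATURES).items():
        print(f"{name}: {ips}")
    print(dict(term_selectivity(RECORDS, SIGNATURES["APT39 C2"])))
```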

Online Banking—Simple Steps to Protect Yourself from Bank Fraud


Even if you’re not big on online banking, online banking is big on you. Online banking is well on its way to becoming a cornerstone of the banking experience overall. More and more transactions occur over the internet rather than at a teller’s window, and nearly every account has a username, password, and PIN associated with it. Whether you use online banking regularly or sparingly, you can protect yourself from being the victim of fraud by following a few straightforward steps.

Online banking is growing, and here to stay

First off, online banking is no longer a novelty. It hasn’t been for some time. In fact, it’s now an expectation. As recently as 2018, a global survey from Deloitte found that 73% of consumers use online banking at least once a month and 59% of respondents use mobile banking apps—a number which has only increased since then. Looking yet more broadly, the country of Sweden is on track to become the world’s first cashless society by 2023. While the rest of the world may not be scrambling to forgo cash altogether, we can look at point-of-sale data and see that more and more people are going cashless with even their smallest of transactions.

Here’s how you can protect yourself from online banking fraud

There’s no doubt about it. We live in a world where banking, shopping, and payments revolve around a username and password. That’s quite a bit to take in, particularly if your first experiences with banking involved walking into a branch, getting a paper passbook, and maybe even a free toaster for opening an account.

So, how do you protect yourself? Consider the following:

Use a strong password—and a password manager to keep them straight

Start here. Passwords are your first line of defense. However, one thing that can be a headache is the number of passwords we have to juggle—a number that seems like it’s growing every day. Look around online and you’ll see multiple studies and articles stating that the average person has upwards of 80 to manage. Even if you have just a small percentage of those, strongly consider using a password manager. A good choice will generate strong, unique passwords for each of your accounts and store them securely for you.

In general, don’t use simple passwords that people can guess or easily glean from other sources (like your birthday, your child’s birthday, the name of your pet, and so on). Additionally, make them unique. Don’t repeat their use from account to account. That’s a quick way to see one hack lead to many others.

Use two-factor authentication to protect your accounts

What exactly is two-factor authentication? It’s an extra layer of defense for your accounts. In practice, it means that in addition to providing a password, you also receive a special one-time-use code to access your account. That code may be sent to you via email or to your phone by text. In some cases, you can also receive that code by a call to your phone. Basically, two-factor authentication combines two things: something you know, like your password; and something you have, like your smartphone. Together, that makes it tougher for scammers to hack into your accounts.

Two-factor authentication is practically a standard, so much so that you already might be using it right now when you bank or use certain accounts. If not, you can see if your bank offers it as an option in your settings the next time you log in. Or, you can contact your bank for help to get it set up.

Avoid phishing attacks: Look at your email inbox with a skeptical eye

Phishing is a popular way for crooks to steal personal information by way of email, where a crook will look to phish ("fish") personal and financial information out of you. No two phishing emails look alike. They can range from a request from a stranger posing as a lawyer who wants you to assist with a bank transfer, to an announcement about (phony) lottery winnings: "Just send us your bank information and we'll send your prize to you!" Those are a couple of classics. However, phishing emails have become much more sophisticated in recent years. Now, slicker hackers will pose as banks, online stores, and credit card companies, often using well-designed emails that look almost the same as the genuine article.

Of course, those emails are fakes. The links embedded in those emails lead you to the crooks, not to the legitimate organization they claim to be, for the purpose of stealing personal info or directing a payment their way. Telltale signs are a phishing email sent from an address that slightly alters the brand name or adds to it by simply tacking extra language onto the end of it. If you get one of these emails, don't click any of the links. Contact the institution in question yourself using a phone number or address posted on its official website. This is a good rule of thumb in general. The best avenue of communication is the one you've used and trusted before.

Be skeptical about calls as well. Fraudsters use the phone too.

It may seem a little traditional, yet criminals still like to use the phone. In fact, they rely on the fact that many still view the phone as a trusted line of communication. This is known as “vishing,” which is short for “voice phishing.” The aim is the same as it is with phishing. The fraudster is looking to lure you into a bogus financial transaction or attempting to steal information, whether that’s financial, personal, or both. They may call you directly, posing as your bank or even as Microsoft tech support, or they may send you a text or email that directs you to call their number.

For example, a crook may call and introduce themselves as being part of your bank or credit card company with the word that “there are questions about your account” or something similar. In these cases, politely hang up. Next, call your bank or credit card company to follow up on your own. If the initial call was legitimate, you’ll quickly find out and can handle the issue properly. If you get a call from a scammer, they can be very persuasive. Remember, though. You’re in charge. You can absolutely hang up and then follow up using a phone number you trust.

Steer clear of financial transactions on public Wi-Fi in cafes, hotels, and libraries

There's a good reason not to use public Wi-Fi: it's not private. Public networks are unsecured and shared by everyone who's using them, which allows hackers to read any data passing along them like an open book. That includes your accounts and passwords if you're doing any banking or shopping on one. The best advice here is to wait and handle those things at home if possible. (Or connect to the public Wi-Fi with a VPN service, which we'll cover below.)

If not, you can always use your smartphone's data connection to create a personal hotspot for your laptop, which will be far more secure. Another option is to simply use your smartphone alone. With a combination of your phone's data connection and an app from your bank, you can take care of business that way instead of using public Wi-Fi. That said, be aware of your physical surroundings too. Make sure no one is looking over your shoulder!

Protecting your banking and finances even further

Some basic digital hygiene will go a long way toward protecting you even more—not just your banking and finances, but all the things you do online as well. The following quick list can help:

  • Update your software – That includes the operating system of your computers, smartphones, and tablets, along with the apps that are on them. Many updates include security upgrades and fixes that make it tougher for hackers to launch an attack.
  • Lock up – Your computers, smartphones, and tablets will have a way of locking them with a PIN, a password, your fingerprint, or your face. Take advantage of that protection, which is particularly important if your device is lost or stolen.
  • Use security software – Protecting your devices with comprehensive security software will defend you against the latest virus, malware, spyware and ransomware attacks plus further protect your privacy and identity.
  • Consider connecting with a VPN – Also known as a "virtual private network," a VPN helps you stay safer with bank-grade encryption and private browsing. It's a particularly excellent option if you find yourself needing to use public Wi-Fi because a VPN effectively makes a public network private.
  • Check your credit report – This is an important thing to do in today's password- and digital-driven world. Doing so will uncover any inconsistencies or outright instances of fraud and put you on the path to setting them straight. In the U.S., you can do this for free once a year. Just drop by the FTC website for details on your free credit report.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Online Banking—Simple Steps to Protect Yourself from Bank Fraud appeared first on McAfee Blogs.

Quality Conundrum: Relying on QA Tools Alone Increases Risk

Quality assurance, or QA, tools are one of the go-to solutions for organizations looking to enhance their application security (AppSec). But on their own, they don't provide enough coverage and can give your team a false sense of security that comes back to haunt you during audits, or worse: after a breach. QA tools are only the tip of the iceberg when it comes to flagging and remediating flaws that leave your applications vulnerable to attacks.

Why doesn't QA deliver what you need without requiring more scanning, testing, and remediation solutions? Solutions that are sold solo are often lower quality and lack essential features. For example, some QA tools don't scan for cryptographic flaws or offer backdoor checks, leaving your code vulnerable to common vulnerabilities and bugs.

And some QA tools have higher than average false-positive rates, which can create unnecessary bottlenecks in the development process, especially if you're only using a QA tool. Veracode's false positive rate for Static Analysis is an industry-leading 1.1 percent, which helps our customers speed up their DevSecOps programs by not holding them back with false alarms.

Software Engineer and author Steve Maguire said it best: "Don't fix bugs later; fix them now." Organizations looking to up their security game should focus on speed, accessibility, efficiency, and breadth of security coverage, with customization and automation available to tailor AppSec programs to specific business needs. That means less time spent fixing found flaws closer to (or after) deployment, which QA can't (and shouldn't) do alone.

Covering your bases with the right solutions

Beating the quality conundrum is all about having the right tools in the right place, and QA simply can't cover all the bases when it comes to security.

Effective AppSec tools go beyond simply assessing the severity of vulnerabilities and provide clear guidance on how to fix said flaws with remediation tips and training. Putting in the effort sooner rather than later will save time and money, as risk is lowered closer to deployment with frequent scanning and education earlier on.

QA tools don't hold up against Common Weakness Enumeration categories, or CWEs, that cover software weaknesses and vulnerabilities. When examining a leading competitor, we found that over half of CWEs found by Veracode were missed by the competition's QA tool and that a mere 5 percent of the QA tool's rules even covered vulnerabilities. That, coupled with higher than average false-positive rates, means development and security teams will either miss dangerous flaws or spend an excessive amount of time digging through false flags if they rely on QA tools alone.

A quick and comprehensive assessment

We know that some QA tools rely on “Security Hotspots” when they lack true vulnerability checking tools. “Security Hotspots,” or code areas that have a higher likelihood of containing security flaws, are important to acknowledge, but QA tools simply don’t test the code to see if it contains a security bug or vulnerability. To maintain greater control over the security health of your applications, you need solutions that detect vulnerabilities throughout the development process quickly and efficiently with a clear path to remediation.

Effective application security goes beyond QA to provide a comprehensive assessment of the application’s landscape and the risks it brings to the table. Veracode’s testing types cover the entire SDLC, with features like automated feedback that speed developers up instead of slowing them down. The proof is in the numbers: Veracode’s IDE Scan provides feedback instantly while the Pipeline Scan takes about 90 seconds, and the Policy Scan about 8 minutes on average.

Solutions that satisfy compliance

It isn’t enough to just have capable tools in your arsenal; you need to be able to prove that they’re working. Some of that proof falls on auditing and compliance needs, which is another area where QA solutions simply fall short. These tools rely on the developers themselves to mark issues and flaws as “reviewed” and then close them with little to no supervision.

As auditors typically want independent verification of results, that won’t do for most organizations. Veracode’s low false-positive rate, coupled with internal workflows involving security checks, takes a lot of the guessing (and risk) out of the review process.

Reporting is another essential feature for application security solutions, as it helps security teams set clear goals and developers stay on track with remediation guidance so the whole team can maintain compliance. If your QA tool doesn’t deliver clear reports on high-severity vulnerabilities and bugs, your team will miss out on retrospective data that can help guide future security decisions.

QA solutions may provide some peace of mind, but they don’t go the extra mile in helping developers remediate flaws and reduce risk, and they can introduce higher rates of false positives that slow everything down. Instead, look for an AppSec solution that integrates seamlessly, works quickly, provides accurate results, and guides developers towards remediation. If you do, you’re leaving less room for risk and more room for innovation as your development and security teams focus on producing quality code.

To learn more, watch a short demo video of the Veracode solution.

iPhone Hacks: What You Need to Know About Mobile Security

Guest Post by Jennifer Bell

Learn How Hackers Steal and Exploit Information to Ensure This Doesn’t Happen to You 

Cybersecurity is an important topic to know and understand in order to keep your information safe and secure. Even more specifically, it’s important to know and understand mobile security as well. Mobile security, especially with iPhones, is crucial as hackers are becoming smarter and more creative when it comes to iCloud hacks. Apple has partnered with network hardware and insurance companies such as Cisco and Aon to provide security against data breaches; but how can you ensure that, even with these Apple partnerships, your iPhone is secure and protected against hackers? Here are the most common ways that hackers get into iPhones to steal or exploit personal information; keep these points in mind to best protect yourself from mobile security hacks.

Poor Passwords
Often, poor password choices or poor password management allow hackers to easily hack into iPhones and other Apple products. Hackers are skilled at obtaining Apple IDs and passwords using phishing scams, which are attempts to obtain personal data and information by posing as credible and trustworthy electronic entities. Here are some tips to protect your password from hackers and phishing scams:

  • Set up two-factor authentication for your Apple account
  • Choose passwords that have no significant personal meaning, such as birthdays or names of family or pets. Hackers can easily do their research and make educated guesses as to what a password may be
  • Back up information in other places besides just the iCloud
  • Change all passwords if even just one account is hacked

Untrustworthy Websites
One of the most common ways that hackers make their way into iPhones and other Apple products is by using websites that are not credible. These websites either have holes in their software that allow hackers to get into an iPhone, or they are used to ask for personal information such as credit card details or contact information. How do you know if a website is credible?
  • Ask yourself: does this website look trustworthy? Have I ever heard of it? Does it make sense for it to be asking me these questions?
  • Use a secure middle-layer payment option for purchases. Using PayPal or Visa Checkout is a great way to make payments online because the payment is not directly connected to any of your bank information
  • Don’t open emails or any attachments that link you to a website if they come from an untrusted sender
  • Look up websites if you haven't ever heard of them. If the website is untrustworthy, it’s likely that people have been scammed or hacked on there before and have shared/posted their story

Public WiFi Networks
Hackers have been known to gain access to iPhones using WiFi spoofing, which is creating a WiFi network that doesn’t require a password and seems like a trustworthy network. Computer forensic services have also discovered that if your iPhone is set up to automatically connect to WiFi, it will automatically sync up to a spoofed WiFi network and open your phone up to hackers without you knowing. Avoiding public WiFi networks can potentially save your iPhone from hackers; similarly, avoid public hotspots for the same reason.

Protect Your iPhone From Cyberattacks
Hackers are becoming more and more knowledgeable when it comes to stealing and exploiting people’s personal information found on their iPhones. Keep these points in mind and remember to keep your iPhone’s software up to date; these things can ultimately secure your personal information and save you from falling victim to hackers’ harsh motives.

About the Author 

Jennifer Bell is a freelance writer, blogger, dog-enthusiast and avid beachgoer operating out of Southern New Jersey.

The Cyber Security Guide For Small Business Owners

Cybercrime isn’t limited to large corporations or wealthy individuals; it also targets small businesses. According to the U.S. Congressional Small Business Committee, a significant number of cyber-attacks targeted businesses with fewer than 100 workers. A related study, the SMB CyberSecurity Report, established that 50% of SMBs had experienced a security breach in the past.

The reason small businesses are targeted more than large corporations is that they have vulnerabilities in their networks. This means it’s easier to breach the networks of small businesses than it is to penetrate large corporations. Small businesses don’t allocate sufficient time and funds to secure their networks. They also lack expert personnel, have outdated security programs, and fail to secure their endpoints. The following are some of the basic cybersecurity best practices for small businesses.

Use a Firewall

Setting up a firewall is one of the basic ways of defending your business against a cyber-attack. The Federal Communications Commission urges small businesses to have firewalls to prevent data breaches. Some organizations have a standard firewall and an internal firewall for additional protection. Employees working remotely should also set up firewalls on their home networks.

Put Your Cybersecurity Policies In Writing

When it comes to cybersecurity, it’s advisable to put your policies in writing. To get started, you can attend online training through the Small Business Administration Cybersecurity portal. You can get help with drafting your policies from the FCC’s Cyberplanner 2.0. Alternatively, you can request a comprehensive toolkit for cybersecurity best practices through the C3 Voluntary Program for Small Businesses.

Use The CIA Model

When it comes to establishing cybersecurity policies, you should use the CIA model to guide you. This model helps keep your business secure by protecting your data. The elements of this model are Confidentiality, Integrity, and Availability. First, you should make sure information can’t be accessed by unauthorized personnel. You can do this by encrypting the information.

Secondly, you need to protect data and systems from being altered by unauthorized personnel. This means you should ensure that the information is unchanged from the time you create it to the time it reaches the end-user. Lastly, ensure authorized personnel have access to information when they need it and that you update your applications whenever necessary.

Train Employees In Cyber Security Measures

After you have established security policies, the next step is to train your employees on how to incorporate these measures. For example, you should train your employees on how to create strong passwords. It would help if you also established rules that penalize employees for violating the business’s Cybersecurity policies. Make ground rules on how to manage and protect client data and other important information. For example, you may establish rules that all machines should have the latest security software, operating system, and web browser to guard against malware, viruses, and online threats.

Devise a Plan For Mobile Devices

According to Tech Pro Research 2016 BYOD, 59% of businesses allow BYOD. There’s a high surge in the use of wearables like wireless fitness trackers and smartwatches. For this reason, small businesses should establish BYOD policies that emphasize the need for security precautions. Norton by Symantec also urges small businesses to encourage employees to set automatic updates and use a strong password policy for mobile devices that are tapping into the company’s network.

Back up Your Data Regularly

You may still be breached after observing all the necessary security measures. This is why you need to back up data regularly. You also need to back up data that is kept in the cloud because those servers could also be compromised. Store your backups in a safe place to guard against fire outbreaks and floods. Make sure your backups are up to date.

Apply Multifactor Authentication

No matter how secure you think you are, mistakes are inevitable. An employee can make a mistake that leaves your network vulnerable. Using multifactor authentication settings provides an additional layer of protection to your network. You can use employees’ phone numbers, because it would be unlikely for a cybercriminal to have both the PIN code and the password.

Secure Your Wi-Fi Network

If your business has a Wi-Fi network, you need to secure it. Encrypt and hide the Wi-Fi network, so it’s not accessed by unauthorized personnel. To hide the network, set up a wireless access point to prevent it from broadcasting the name of the network, also called the Service Set Identifier (SSID). Protect access to the router using a password. 


Many businesses downplay the threat of cybercriminals, arguing that they don’t have significant assets or that their data is not worth a security breach. However, cybercriminals target the weak networks of small businesses more than the heavily secured networks of large organizations. For this reason, it’s important to observe cybersecurity practices to ensure your business and clients are secured from cyber thieves. The above measures will help you tighten the data security of your organization, making it more difficult for hackers to breach your systems.

The post The Cyber Security Guide For Small Business Owners appeared first on CyberDB.

What is the Risk Management Framework (RMF)? A standardized security framework

The Risk Management Framework (RMF) was developed and published by the National Institute of Standards and Technology (NIST) in 2010 and later adopted by the Department of Defense (DoD) to act as criteria for strengthening and standardizing the risk management process of information security organizations. The framework can be used by nearly any company interested in bolstering cybersecurity and risk management.

Risk management is a means of protecting organizational assets and systems by implementing security controls that support early risk detection and resolution. The RMF achieves this by helping companies bring more structure and oversight to the system development life cycle, integrating cybersecurity and risk management into the early stages of the system development process.


Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats

Guest Post by Matt Cable, VP Solutions Architects & MD Europe, Certes Networks

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cybersecurity industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern.

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidently, ensuring cybersecurity employees and teams have the right skills to keep both their organisations and their data safe is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying - and closing - gaps in their cybersecurity posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity
There is a big misconception within cybersecurity teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice, this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other.

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges.

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cybersecurity be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know
The pace of change in cybersecurity means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late.

By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills - either in-house or outsourced - to combat it, organisations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organisation will open itself up as a target of many forms of new attack vectors. Instead, accepting that cybersecurity is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams - with the help of security partners - will never be caught off guard.

Maintaining the right cybersecurity posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled.

How to Embed a Positive Security Culture in the COVID-19 Remote Working ‘New Normal’

Guest Post by the information security experts at Security Risk Management Ltd

If promoting a positive company-wide security culture had been a challenge before the Covid-19 pandemic, that challenge has just become a whole lot more difficult. That is because the widespread move to remote working has added another layer of vulnerability. It is not simply a question of sharing office systems across a range of settings and the fact that some are using home computers (frequently shared with personal accounts); instead, it is that individuals are now one step removed from the reach of those responsible for in-house information security, usually the Chief Information Security Officers (CISOs), and the organisation’s security protocols.

This fact has not been wasted on ever-opportunistic hackers

Email phishing attacks target individuals, often persuading them to check or type passwords on malicious domains that appear to be legitimate. Researchers have found a 600 per cent increase in the number of phishing emails worldwide this year, frequently using Coronavirus-related themes to target individuals and businesses. These are not always easy to spot, including email headings like ‘revised vacation and sick time policy’ or ‘important message from HR’. It is easy to see how a lone worker could fall into the trap.

The sharp rise in this type of attack reflects what hackers already know: that the human element of an organisation’s security is the weakest link. Of course, best practice network security relies on a number of elements but perhaps the hardest to establish is a positive security culture. CISOs have, however, struggled with this, even before the Covid-19 pandemic changed business practices. A survey of CISOs by ClubCISO reported that 49 per cent felt that organisational culture was already a block to them achieving their security objectives.

In a world where remote working has become the ‘new normal’, effectively engaging individuals is more important than ever. Understanding protocols and providing easy-to-understand training and awareness are crucial for every single user of a network system and this needs to be prioritised in the current climate. But it is equally important that employees feel able to report suspicious activity quickly and in full without fearing blame or repercussions. Without this element of positive security culture, the security policy could fail because employees will be reluctant to highlight suspicious activity, with potentially devastating consequences.

Effective Information Security Management
In the traditional setup, the CISO or ISM would be responsible for network security. Based on an office, they manage the protocols and policies for everything from regulatory and legal compliance to staff training and breach notification. Yet, with little time for preparation, many will be challenged, perhaps lacking the immediate knowledge or experience of how to translate these to the complexities of employees working from home offices.

This is not necessarily bad news but presents an opportunity for positive change. Now we are becoming used to the fact that employees no longer need to be office-based, we can take a step back and ask if the CISO actually needs to be resident within the bricks and mortar of an organisation. Would an outsourced (or virtual) CISO model not be equally well suited - if not better suited - to the ‘new normal’ of remote working?

Virtual CISOs are highly skilled professional teams, drawing on a wealth of experience, working with organisations to meet all the requirements of the CISO function. Individually assigned team members work remotely with an organisation, overseeing network security at all levels; from board-level engagement and compliance to effectively embedding a company-wide positive security culture.

It is also worth noting that they can be used for as much or as little as required, simply advising the resident CISO on strategy or developing and implementing the whole policy. Yet this best-practice alternative does not cost the earth. In fact, it is likely to cost significantly less than the traditional model, while delivering a service which is ideally suited to remote working.

8 Types of Security Threats to the IoT


The IoT industry is currently booming at a rapid scale, allowing for insights backed by data to provide value to industries and enterprises. For instance, in the supply chain, IoT is helping track the exact locations and condition of cargo shipments to ensure that goods in transit safely reach their destination. In the agricultural sector, IoT devices help farmers monitor changes in weather near crop fields to improve labor, harvest health and water usage. The travel industry is making use of IoT sensors to notify arriving passengers when their luggage reaches the airport.

These and many more opportunities offered by IoT are making our lives easier and provide us with limitless services to enable increased work productivity and efficiency. However, its adoption is still not as widespread as anticipated. The reason is the security obstacles associated with IoT devices. In the year 2018, according to a survey by Bain & Company, security was the top reason for industrial and enterprise respondents to not adopt IoT technology. These security challenges can be overcome, but to understand how to do that, it’s important to first know what these challenges are.

Let us look at some of the many security threats faced by the Internet of Things.

  1. Radio Frequency (RF) Jamming

Hackers can use radio jamming to block wireless IoT devices by interfering with wireless communications to hinder their functionality. This can be done by getting hold of an RF Jammer, causing IoT devices to limit their communication ability by losing connectivity. For instance, residential and commercial wireless security alarms that are connected over a cellular network can be easily jammed and enable an intruder to break in without the knowledge of the security provider.

  2. Distributed Denial of Service (DDoS) Attacks

A DDoS attack happens when a large number of network devices are made to send a flood of messages that eventually congest the IoT network and shut it down. Cyber criminals launch DDoS attacks from numerous compromised devices, thus preventing important information from reaching its destination.

  3. Privacy Leakage

An unsecured IoT device that leaks its IP address, if identified by a hacker, can be misused to point to any location. It is recommended that IoT connections be secured using Virtual Private Networks (VPNs). Just as an Internet Service Provider’s network can be secured by installing a VPN on a router to encrypt all traffic passing through, the same can be applied to an IoT device to ensure that your IP is private and your smart network is protected.

  4. Network Hacks

A network hack takes place when an IoT device is compromised through the network that it is connected to. This kind of security breach allows a hacker to access and control the device. For instance, they can gain control of the thermostat of an industrial furnace and start a fire or cause an autonomous vehicle to crash by controlling its driving.

  5. Home Intrusion

This is one of the reasons why smart homes are not yet widely seen as a reality and adopted far and wide. It is also one of the scariest scenarios, one which can turn a device meant for an individual customer’s convenience into a major threat to their home privacy. Unsecured IoT devices that are shipped to a user with the default username ‘admin’ and password ‘12345’ are very vulnerable to home intrusion. This can not only be used in planned burglaries but also completely invades the privacy of a residential household. This is why it’s very important to secure a device’s credentials and connect devices through a VPN.

  6. Lack of Device Updates

Companies are manufacturing IoT devices at an increasing rate due to the growing demand. However, since their focus is on production and competition, manufacturers are not very careful with handling IoT device-related risks and security issues. Many of the devices in the market do not have considerable security updates, and some of them are never updated at all. Even if a device initially caters to security requirements, it becomes insecure and vulnerable after the emergence of new technologies and new cyber security challenges, making it more prone to cyber-attacks, especially if it is not updated.

Some manufacturers deliver Over the Air (OTA) firmware updates but stop doing that once they start working on next generation devices, thus leaving the older devices exposed to security threats. 

  7. Unsafe Communication

Most IoT devices do not encrypt messages while communicating over a network, which makes this one of the biggest security challenges of IoT. To prevent intrusion, companies need to secure and encrypt communication between cloud services and devices. Using transport encryption and standards such as TLS can ensure safe communication. Also, device isolation using separate networks can ensure secure private communication.

  8. Difficulty in Determining a Device’s Compromised Status

Another challenge of IoT devices is that it is very hard to ascertain whether a device has been hacked. Especially when there are a large number of IoT devices, it gets very difficult to monitor the security status of all of them. This is because IoT devices need services, apps and protocols to communicate; and with more devices, it’s becoming unmanageable to find out which of them are compromised. As a result, many such hacked devices continue to work without the user’s knowledge, and their data and privacy keep getting compromised.

The Bottom Line

There is no doubt that IoT promises a change that can bring more convenience to our lives and is destined to get bigger with time. However, the bigger it is going to get, the more headaches it will progressively carry along with itself as the accompanying IoT trends and threats also get bigger. This can only be overcome if device manufacturers and IoT industry stakeholders take security seriously and make it a top priority instead of joining a competitive race towards more production and short-term profits.

The post 8 Types of Security Threats to the IoT appeared first on CyberDB.

We’re Named 2020 Gartner Peer Insights Customers’ Choice for Enterprise DLP

The McAfee team is very proud to announce today that, for the second time in a row¹, McAfee was named a Gartner Peer Insights Customers’ Choice for Enterprise Data Loss Prevention for its McAfee Data Loss Prevention Solution. We see the recognition as a historic landmark for McAfee because it represents a trifecta of Gartner distinction this year: we were named a 2020 Gartner Peer Insights Customers’ Choice for the three McAfee products that are integrated to make up the innovative cloud-native McAfee MVISION Unified Cloud platform: McAfee MVISION Cloud Access Security Broker, McAfee Secure Web Gateway, and McAfee Data Loss Prevention. McAfee Unified Cloud is a framework for implementing a Secure Access Service Edge (SASE) architecture and a safe way to accelerate digital transformation with cloud services, enable cloud and internet access from any device, and allow ultimate workforce productivity.


In its announcement, Gartner explains, “The Gartner Peer Insights Customers’ Choice is a recognition of vendors in this market by verified end-user professionals, taking into account both the number of reviews and the overall user ratings.” To ensure fair evaluation, Gartner maintains rigorous criteria for recognizing vendors with a high customer satisfaction rate.

For this distinction, a vendor must have a minimum of 50+ published reviews with an average overall rating of 4.3 stars or higher. McAfee received 75 reviews and an overall 4.3 rating out of 5, as of 31 May 2020, accordingly.

Here are some quotes from customers that contributed to this distinction:

“Great Product, Broad Protection, Easy to Use.”

“McAfee DLP offers broad coverage of protection. The product is easy to deploy and use. We have deployed the solution to 100K+ endpoint devices with minimum issues. DLP rules are easy to configure. Integration with other vendor products is smooth.”

Manager Cybersecurity, Security & Risk Management, in Transportation Industry

“Implementation Is Easy and It Provides Universal Data Protection Across Endpoints.”

“McAfee DLP is the best Data Loss Prevention solution. It has a lot of features to safeguard sensitive data. It has the ability to connect and synchronize on-premises DLP and cloud DLP policies with a single administrative portal and lots of other features, like integration with third party tools for analytics, which help the InfoSec teams to safeguard the data and view the details of every endpoint.”

Programmer Analyst, Applications, Finance Industry

To learn more about this distinction, or to read the reviews written about our products by the IT professionals who use them, please visit Gartner Peer Insights’ Customers’ Choice announcement for Enterprise Data Loss Prevention. To all of our customers who submitted reviews, thank you! These reviews mold our products and our customer journey, and we look forward to building on the experience that earned us this distinction!

¹ McAfee was named a Gartner Peer Insights Customers’ Choice in 2018 and 2020; Gartner did not have one for the Enterprise DLP category in 2019.

The GARTNER PEER INSIGHTS CUSTOMERS’ CHOICE badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner Peer Insights Customers’ Choice constitute the subjective opinions of individual end-user reviews, ratings, and data applied against a documented methodology; they neither represent the views of, nor constitute an endorsement by, Gartner or its affiliate.

The post We’re Named 2020 Gartner Peer Insights Customers’ Choice for Enterprise DLP appeared first on McAfee Blogs.

Configuring a Windows Domain to Dynamically Analyze an Obfuscated Lateral Movement Tool

We recently encountered a large obfuscated malware sample that offered several interesting analysis challenges. It used code virtualization (the protected code runs as bytecode inside an embedded interpreter rather than as native instructions), which prevented us from producing a fully deobfuscated memory dump for static analysis. Statically analyzing a large virtualized sample can take anywhere from several days to several weeks. Bypassing this time-consuming step presented an opportunity for collaboration between the FLARE reverse engineering team and the Mandiant consulting team, which ultimately saved many hours of difficult reverse engineering.

We suspected the sample to be a lateral movement tool, so we needed an appropriate environment for dynamic analysis. Configuring the environment proved to be essential, and we want to empower other analysts who encounter samples that leverage a domain. Here we will explain the process of setting up a virtualized Windows domain to run the malware, as well as the analysis techniques we used to confirm some of the malware functionality.

Preliminary Analysis

When analyzing a new malware sample, we begin with basic static analysis, where we can often get an idea of what type of sample it is and what its capabilities might be. We can use this to inform the subsequent stages of the analysis process and focus on the relevant data. We begin with a Portable Executable analysis tool such as CFF Explorer. In this case, we found that the sample is quite large at 6.64 MB. This usually indicates that the sample includes statically linked libraries such as Boost or OpenSSL, which can make analysis difficult.

Additionally, we noticed that the import table includes eight dynamically linked DLLs with only one imported function each as shown in Figure 1. This is a common technique used by packers and obfuscators to import DLLs that can later be used for runtime linking, without exposing the actual APIs used by the malware.

Figure 1: Suspicious imports
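The "one imported function per DLL" pattern is easy to check for in bulk. The following PowerShell is an added example, not code from the FLARE post: it walks a PE import table using only .NET built-ins (no CFF Explorer, no third-party module) and reports whether every imported DLL contributes exactly one function, which is the packer/obfuscator heuristic described above. The only input it assumes is a file path; the sample call at the bottom uses calc.exe from the local system as a known unpacked binary.

```powershell
# Added example (not part of the FLARE post): parse a PE import table and flag the
# "one function per DLL" pattern used by packers that resolve their real APIs at runtime.
function Get-PeImportSummary {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path has no MZ header" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                          # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "$Path has no PE signature" }

    $numSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize     = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt         = $pe + 24                                          # optional header
    $is64        = ([BitConverter]::ToUInt16($b, $opt) -eq 0x20B)    # PE32+ magic
    $dirBase     = $opt + $(if ($is64) { 112 } else { 96 })          # first data directory
    $importRva   = [BitConverter]::ToUInt32($b, $dirBase + 8)        # directory[1] = import table
    if ($importRva -eq 0) { return @() }

    # Section headers translate RVAs into file offsets.
    $sections = for ($i = 0; $i -lt $numSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{
            VA   = [BitConverter]::ToUInt32($b, $s + 12)
            Size = [Math]::Max([BitConverter]::ToUInt32($b, $s + 8), [BitConverter]::ToUInt32($b, $s + 16))
            Raw  = [BitConverter]::ToUInt32($b, $s + 20)
        }
    }
    function RvaToOffset([uint32]$rva) {
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.Size)) { return [int]($rva - $s.VA + $s.Raw) }
        }
        throw ("RVA 0x{0:X} maps to no section" -f $rva)
    }
    function ReadCString([int]$off) {
        $end = $off
        while ($b[$end] -ne 0) { $end++ }
        [System.Text.Encoding]::ASCII.GetString($b, $off, $end - $off)
    }

    $entrySize = if ($is64) { 8 } else { 4 }
    $desc = RvaToOffset $importRva
    while ([BitConverter]::ToUInt32($b, $desc + 12) -ne 0) {         # a Name RVA of 0 ends the list
        $dll = ReadCString (RvaToOffset ([BitConverter]::ToUInt32($b, $desc + 12)))
        $oft = [BitConverter]::ToUInt32($b, $desc)                     # OriginalFirstThunk (INT)
        $thunk = RvaToOffset $(if ($oft -ne 0) { $oft } else { [BitConverter]::ToUInt32($b, $desc + 16) })
        $names = @()
        while ($true) {
            $low  = [BitConverter]::ToUInt32($b, $thunk)
            $high = if ($is64) { [BitConverter]::ToUInt32($b, $thunk + 4) } else { 0 }
            if ($low -eq 0 -and $high -eq 0) { break }                 # null thunk terminates the DLL
            if ($b[$thunk + $entrySize - 1] -band 0x80) {              # top bit set: import by ordinal
                $names += ('#' + [BitConverter]::ToUInt16($b, $thunk))
            } else {                                                   # otherwise RVA of hint/name entry
                $names += ReadCString ((RvaToOffset $low) + 2)         # skip the 2-byte hint
            }
            $thunk += $entrySize
        }
        [pscustomobject]@{ Dll = $dll; FunctionCount = $names.Count; Functions = $names }
        $desc += 20
    }
}

function Test-PackedImportTable {
    param([Parameter(Mandatory)][string]$Path)
    $imports = @(Get-PeImportSummary -Path $Path)
    $summary = ($imports | ForEach-Object { '{0}:{1}' -f $_.Dll, $_.FunctionCount }) -join ' '
    # Heuristic from the analysis above: a handful of DLLs, each importing exactly one
    # function, is typical of a packed or obfuscated binary that links the rest at runtime.
    $suspicious = ($imports.Count -gt 0) -and (@($imports | Where-Object FunctionCount -ne 1).Count -eq 0)
    [pscustomobject]@{ Path = $Path; DllCount = $imports.Count; Imports = $summary; OneImportPerDll = $suspicious }
}

# Sample call against a local, unpacked system binary (any PE path works here).
Test-PackedImportTable -Path "$env:SystemRoot\System32\calc.exe"
```

Run it across a directory with `Get-ChildItem *.exe | ForEach-Object { Test-PackedImportTable $_.FullName }` to triage a batch of samples before opening any of them in a PE viewer. The heuristic is deliberately narrow (every DLL at exactly one import); a packed binary that keeps a couple of real imports will not trip it, so treat a False as "look further", not "clean".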

Our strings analysis confirmed our suspicion that the malware would be difficult to analyze statically. Because the file is so large, there were over 75,000 strings to consider. We used StringSifter to rank the strings according to relevance to malware analysis, but we did not identify anything useful. Figure 2 shows the most relevant strings according to StringSifter.

Figure 2: StringSifter output

When we encounter these types of obstacles, we can often turn to dynamic analysis to reveal the malware's behavior. In this case, our basic dynamic analysis provided hope. Upon execution the sample printed a usage statement:

Usage: evil.exe [/P:str] [/S[:str]] [/B:str] [/F:str] [/C] [/L:str] [/H:str] [/T:int] [/E:int] [/R]
   /P:str -- path to payload file.
   /S[:str] -- share for reverse copy.
   /B:str -- path to file to load settings from.
   /F:str -- write log to specified file.
   /C -- write log to console.
   /L:str -- path to file with host list.
   /H:str -- host name to process.
   /T:int -- maximum number of concurrent threads.
   /E:int -- number of seconds to delay before payload deletion (set to 0 to avoid remove).
   /R -- remove payload from hosts (/P and /S will be ignored).
If /S specifed without value, random name will be used.
/L and /H can be combined and specified more than once. At least one must present.
/B will be processed after all other flags and will override any specified values (if any).
All parameters are case sensetive.

Figure 3: Usage statement

We attempted to unpack the sample by suspending the process and dumping the memory. This proved difficult as the malware exited almost instantly and deleted itself. We eventually managed to produce a partially-unpacked memory dump by using the commands in Figure 4.

sleep 2 && evil.exe /P:"C:\Windows\System32\calc.exe" /E:1000 /F:log.txt /H:some_host

Figure 4: Commands executed to run binary

We chose an arbitrary payload file and a large interval for payload deletion. We also provided a log filename and a hostname for payload execution. These parameters were designed to force a slower execution time so we could suspend the process before it terminated.

We used Process Dump to produce a memory snapshot after the two second delay. Unfortunately, virtualization still hindered static analysis and our sample remained mostly obfuscated, but we did manage to extract some strings which provided the breakthrough we needed.

Figure 5 shows some of the interesting strings we encountered that were not present in the original binary.

schtasks.exe /create /tn "%s" /tr "%s" /s "%s" /sc onstart /ru system /f
schtasks.exe /run /tn "%s" /s "%s"
schtasks.exe /delete /tn "%s" /s "%s" /f
Payload direct-copied
Payload reverse-copied
Payload removed
Task created
Task executed
Task deleted
SM opened
Service created
Service started
Service stopped
Service removed
Total hosts: %d, Threads: %d
Share "%s" created, path "%s"
Share "%s" removed
Error at hooking API "%S"
Dumping first %d bytes:

Figure 5: Strings output from memory dump

Based on the analysis thus far, we suspected remote system access. However, we were unable to confirm our suspicions without providing an environment for lateral movement. To expedite analysis, we created a virtualized Windows domain.

This requires some configuration, so we have documented the process here to aid others when using this analysis technique.

Building a Test Environment

In the test environment, make sure to have clean Windows 10 and Windows Server 2016 (Desktop Experience) virtual machines installed. We recommend creating two Windows Server 2016 machines so the Domain Controller can be separated from the other test systems.

In VMware Virtual Network Editor on the host system, create a custom network with the following settings:

  • Under VMNet Information, select the “Host-only” radio button.
  • Ensure that “Connect a host virtual adapter” is disabled to prevent connection to the outside world.
  • Ensure that the “Use local DHCP service” option is disabled if static IP addresses will be used.

This is demonstrated in Figure 6.

Figure 6: Virtual network adapter configuration

Then, configure the guests’ network adapters to connect to this network.

  • Configure hostnames and static IP addresses for the virtual machines.
  • Choose the domain controller IP as the default gateway and DNS server for all guests. 

We used the system configurations shown in Figure 7.

Figure 7: Example system configurations

Once everything is configured, begin by installing Active Directory Domain Services and DNS Server roles onto the designated domain controller server. This can be done by selecting the options shown in Figure 8 via the Windows Server Manager application. The default settings can be used throughout the dialog as roles are added.

Figure 8: Roles needed on domain controller

Once the roles are installed, run the promotion operation as demonstrated in Figure 9. The promotion option is accessible through the notifications menu (flag icon) once the Active Directory Domain Services role is added to the server. Add a new forest with a fully qualified root domain name such as testdomain.local. Other options may be left as default. Once the promotion process is complete, reboot the system.

Figure 9: Promoting system to domain controller in Server Manager

Once the domain controller is promoted, create a test user account via Active Directory Users and Computers on the domain controller. An example is shown in Figure 10.

Figure 10: Test user account

Once the test account is created, proceed to join the other systems on the virtual network to the domain. This can be done through Advanced System Settings as shown in Figure 11. Use the test account credentials to join the system to the domain.

Figure 11: Configure the domain name for each guest

Once all systems are joined to the domain, verify that each system can ping the other systems. We recommend disabling the Windows Firewall in the test environment to ensure that each system can access all available services of another system in the test environment.

Give the test account administrative rights on all test systems. This can be done by modifying the local administrator group on each system manually with the command shown in Figure 12 or automated through a Group Policy Object (GPO).

net localgroup administrators sa_jdoe /ADD

Figure 12: Command to add user to local administrators group
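The same build, as PowerShell so it can be repeated for the next sample, follows as an added example that is not part of the FLARE post. The domain name testdomain.local and the account sa_jdoe come from the post; the guest names (DC01, SRV01, WIN10-01), the 10.0.0.0/24 addresses, the adapter alias Ethernet0 and both passwords are assumptions for the lab. Each function runs in an elevated PowerShell on the guest named in its comment, and several of them reboot the guest when they finish.

```powershell
# Added example (not from the FLARE post): the isolated-domain lab build as PowerShell.
# Host names, IPs, adapter alias and passwords are assumed; testdomain.local and sa_jdoe
# are the values used in the post.
$Domain  = 'testdomain.local'
$NetBios = 'TESTDOMAIN'
$Nic     = 'Ethernet0'                    # assumed adapter alias; confirm with Get-NetAdapter
$DcIp    = '10.0.0.10'                    # assumed; the DC is also DNS server and gateway for all guests
$Hosts   = [ordered]@{ 'DC01' = $DcIp; 'SRV01' = '10.0.0.20'; 'WIN10-01' = '10.0.0.30' }
$DsrmPassword = ConvertTo-SecureString 'Lab-Only-DSRM-Pa55!' -AsPlainText -Force   # assumed
$UserPassword = ConvertTo-SecureString 'Lab-Only-User-Pa55!' -AsPlainText -Force   # assumed

# Step 1, on every guest: static address, DNS pointing at the DC, host name, firewall off.
function Set-LabNetwork {
    param([Parameter(Mandatory)][string]$Name)
    $ip = $Hosts[$Name]
    if (-not $ip) { throw "unknown lab host $Name" }
    Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Disabled
    Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Remove-NetIPAddress -Confirm:$false
    Remove-NetRoute -InterfaceAlias $Nic -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
    $addr = @{ InterfaceAlias = $Nic; IPAddress = $ip; PrefixLength = 24 }
    if ($ip -ne $DcIp) { $addr.DefaultGateway = $DcIp }      # the DC does not route to itself
    New-NetIPAddress @addr | Out-Null
    Set-DnsClientServerAddress -InterfaceAlias $Nic -ServerAddresses $DcIp
    # The post disables the Windows Firewall so every service is reachable inside the isolated network.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled False
    Rename-Computer -NewName $Name -Force -Restart
}

# Step 2, on DC01 only: AD DS and DNS roles, then promote into a new forest (reboots when done).
function Install-LabDomainController {
    Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools | Out-Null
    Install-ADDSForest -DomainName $Domain -DomainNetbiosName $NetBios `
        -SafeModeAdministratorPassword $DsrmPassword -InstallDns -Force
}

# Step 3, on DC01 after the reboot: the test account used to join the members and run the sample.
function New-LabUser {
    param([string]$Sam = 'sa_jdoe')
    New-ADUser -Name $Sam -SamAccountName $Sam -UserPrincipalName "$Sam@$Domain" `
        -AccountPassword $UserPassword -Enabled $true -PasswordNeverExpires $true
}

# Step 4, on SRV01 and WIN10-01: join the domain with the test account (reboots).
function Join-LabDomain {
    param([string]$Sam = 'sa_jdoe')
    $cred = New-Object System.Management.Automation.PSCredential("$NetBios\$Sam", $UserPassword)
    Add-Computer -DomainName $Domain -Credential $cred -Force -Restart
}

# Step 5, on every member after the join, as a local administrator: the post's
# "net localgroup administrators sa_jdoe /ADD", with an explicit domain prefix.
function Grant-LabLocalAdmin {
    param([string]$Sam = 'sa_jdoe')
    Add-LocalGroupMember -Group 'Administrators' -Member "$NetBios\$Sam"
}

# Step 6, from any guest: the reachability check the post recommends, extended to name
# resolution and the SMB port a lateral-movement tool will need.
function Test-LabHosts {
    foreach ($name in $Hosts.Keys) {
        $dns = Resolve-DnsName -Name "$name.$Domain" -Server $DcIp -ErrorAction SilentlyContinue
        $tcp = Test-NetConnection -ComputerName $Hosts[$name] -Port 445 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host     = $name
            Resolves = [bool]$dns
            Ping     = $tcp.PingSucceeded
            Smb445   = $tcp.TcpTestSucceeded
        }
    }
}

# Run order (each call on the guest named in its comment; let each reboot finish first):
#   Set-LabNetwork -Name DC01        # then -Name SRV01 and -Name WIN10-01 on those guests
#   Install-LabDomainController      # DC01
#   New-LabUser                      # DC01, after promotion
#   Join-LabDomain                   # SRV01, WIN10-01
#   Grant-LabLocalAdmin              # SRV01, WIN10-01 (or push the same change with a GPO)
#   Test-LabHosts                    # any guest; all three columns should be True
```

Take the VM snapshots after Test-LabHosts reports every host reachable, so a detonation can be rolled back to a known-good joined state rather than rebuilt.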

Dynamic Analysis on the Domain

At this point, we were ready to begin our dynamic analysis. We prepared our test environment by installing and launching Wireshark and Process Monitor. We took snapshots of all three guests and ran the malware in the context of the test domain account on the client as shown in Figure 13.

evil.exe /P:"C:\Windows\System32\calc.exe" /L:hostnames.txt /F:log.txt /S /C

Figure 13: Command used to run the malware

We populated the hostnames.txt file with the following line-delimited hostnames as demonstrated in Figure 14.

Figure 14: File contents of hostnames.txt

Packet Capture Analysis

Upon analyzing the traffic in the packet capture, we identified SMB connections to each system in the host list. Before the SMB handshake completed, Kerberos tickets were requested. A ticket granting ticket (TGT) was requested for the user, and service tickets were requested for each server as seen in Figure 15. To learn more about the Kerberos authentication protocol, please see our recent blog post that introduces the protocol along with a new Mandiant Red Team tool.

Figure 15: Kerberos authentication process

The malware accessed the C$ administrative share over SMB and wrote the file C:\Windows\swaqp.exe. It then used the SVCCTL RPC interface, the Service Control Manager's remote interface (reached over the svcctl named pipe), which is what remote service registration and control go through, to create the swaqpd service. The service was used to execute the payload and was then deleted. Finally, the file was deleted, and no additional activity was observed. The traffic is shown in Figure 16.

Figure 16: Malware behavior observed in packet capture

Our analysis of the malware behavior with Process Monitor confirmed this observation. We then proceeded to run the malware with different command line options and environments. Combined with our static analysis, we were able to determine with confidence the malware capabilities, which include copying a payload to a remote host, installing and running a service, and deleting the evidence afterward.
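The behavior confirmed above maps onto two Windows events on the target host: Security event 5145 (a network share object was accessed, which requires the "Detailed File Share" audit subcategory) records the write to C$ and the later delete, and System event 7045 (a service was installed) records the swaqpd service pointing at the dropped file. The PowerShell below is an added example, not from the FLARE post or its authors: it correlates those two event types so that a remote write to an admin share followed within a few minutes by a service install from the same file is reported, together with whether the payload was deleted afterward. The five sample events are constructed to mirror the packet capture; the source IP, account name, host names and timestamps are assumptions.

```powershell
# Added example (not from the FLARE post): hunt for "copy to admin share, install service
# from it, delete it" across normalized 5145/7045 events. Sample data below is constructed.

# Flatten a Get-WinEvent record into the shape Find-RemoteServiceInstall expects.
function ConvertFrom-EventRecord {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Computer = $Event.MachineName; Data = $data }
    }
}

function Get-ImageLeaf([string]$ImagePath) {
    # "C:\Windows\swaqp.exe /x" and "\"C:\Windows\swaqp.exe\"" both reduce to swaqp.exe
    $first = (($ImagePath -replace '"', '').Trim() -split '\s+')[0]
    [System.IO.Path]::GetFileName($first)
}

function Find-RemoteServiceInstall {
    param([Parameter(Mandatory)][object[]]$Events, [int]$WindowSeconds = 300)

    # 5145 with WriteData (0x2) against C$ or ADMIN$ = a payload dropped over SMB
    $drops = $Events | Where-Object {
        $_.Id -eq 5145 -and $_.Data.ShareName -match '^\\\\\*\\(C|ADMIN)\$$' -and
        ([long]$_.Data.AccessMask -band 0x2)
    }
    # 5145 with DELETE (0x10000) = the clean-up step seen in the capture
    $deletes = $Events | Where-Object { $_.Id -eq 5145 -and ([long]$_.Data.AccessMask -band 0x10000) }

    foreach ($svc in ($Events | Where-Object Id -eq 7045)) {           # service installed
        $leaf = Get-ImageLeaf $svc.Data.ImagePath
        $drop = $drops | Where-Object {
            $_.Computer -eq $svc.Computer -and
            [System.IO.Path]::GetFileName($_.Data.RelativeTargetName) -eq $leaf -and
            $_.Time -le $svc.Time -and ($svc.Time - $_.Time).TotalSeconds -le $WindowSeconds
        } | Select-Object -First 1
        if (-not $drop) { continue }                                    # locally installed: not this pattern
        $removed = $deletes | Where-Object {
            $_.Computer -eq $svc.Computer -and $_.Time -ge $svc.Time -and
            $_.Data.RelativeTargetName -eq $drop.Data.RelativeTargetName
        }
        [pscustomobject]@{
            Computer       = $svc.Computer
            SourceIp       = $drop.Data.IpAddress
            User           = "$($drop.Data.SubjectDomainName)\$($drop.Data.SubjectUserName)"
            Service        = $svc.Data.ServiceName
            ImagePath      = $svc.Data.ImagePath
            DroppedAt      = $drop.Time
            InstalledAt    = $svc.Time
            PayloadDeleted = [bool]$removed
        }
    }
}

# Constructed sample mirroring the capture: write to C$, service install, then delete,
# plus two benign events that must not be reported.
$t = [datetime]'2020-07-01T10:00:00'
function Ev($sec, $id, $computer, $data) {
    [pscustomobject]@{ Time = $t.AddSeconds($sec); Id = $id; Computer = $computer; Data = $data }
}
$sample = @(
    Ev 1 5145 'SRV01' @{ ShareName = '\\*\C$'; RelativeTargetName = 'Windows\swaqp.exe'; AccessMask = '0x2';
                         IpAddress = '10.0.0.30'; SubjectDomainName = 'TESTDOMAIN'; SubjectUserName = 'sa_jdoe' }
    Ev 2 7045 'SRV01' @{ ServiceName = 'swaqpd'; ImagePath = 'C:\Windows\swaqp.exe';
                         ServiceType = 'user mode service'; StartType = 'demand start'; AccountName = 'LocalSystem' }
    Ev 6 5145 'SRV01' @{ ShareName = '\\*\C$'; RelativeTargetName = 'Windows\swaqp.exe'; AccessMask = '0x10000';
                         IpAddress = '10.0.0.30'; SubjectDomainName = 'TESTDOMAIN'; SubjectUserName = 'sa_jdoe' }
    # Benign noise: a document copied over C$ with no service, and a service installed locally.
    Ev 3 5145 'SRV01' @{ ShareName = '\\*\C$'; RelativeTargetName = 'Users\jdoe\report.docx'; AccessMask = '0x2';
                         IpAddress = '10.0.0.30'; SubjectDomainName = 'TESTDOMAIN'; SubjectUserName = 'sa_jdoe' }
    Ev 4 7045 'WIN10-01' @{ ServiceName = 'Sysmon64'; ImagePath = 'C:\Windows\Sysmon64.exe';
                            ServiceType = 'user mode service'; StartType = 'auto start'; AccountName = 'LocalSystem' }
)
Find-RemoteServiceInstall -Events $sample | Format-List
```

Against the constructed sample only swaqpd is reported (source 10.0.0.30, PayloadDeleted True); the document copy and the local Sysmon install are ignored. On a real host, feed it with `@(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145}) + @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045}) | ConvertFrom-EventRecord`, keeping in mind that 5145 is only written when Detailed File Share auditing is enabled and is noisy on file servers, so the admin-share filter is what keeps the result set small.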


Static analysis of a large, obfuscated sample can take dozens of hours. Dynamic analysis can provide an alternate solution, but it requires the analyst to predict and simulate a proper execution environment. In this case we were able to combine our basic analysis fundamentals with a virtualized Windows domain to get the job done. We leveraged the diverse skills available to FireEye by combining FLARE reverse engineering expertise with Mandiant consulting and Red Team experience. This combination reduced analysis time to several hours. We supported an active incident response investigation by quickly extracting the necessary indicators from the compromised host. We hope that sharing this experience can assist others in building their own environment for lateral movement analysis.

NIST Kick-Starts ‘Threshold Cryptography’ Development Effort

A new publication by cryptography experts at the National Institute of Standards and Technology (NIST) proposes the direction the technical agency will take to develop a more secure approach to encryption. This approach, called threshold cryptography, could overcome some of the limitations of conventional methods for protecting sensitive transactions and data. The document, released today in a final version as NIST Roadmap Toward Criteria for Threshold Schemes for Cryptographic Primitives (NISTIR 8214A), offers an outline for developing a new way to implement the cryptographic tools that

Cyber Threats Trends 6 Months Of Findings

Six months after the launch of Cyber Threats Trends, it is time to review its main findings. When I decided to build my own cyber threats observatory I was unsure of its effectiveness, and even more skeptical that the international cybersecurity community would actually use it. Fortunately, many students, researchers and professionals have used the data to write theses, papers and research reports. Many of them cited the work (with a link in a footnote or in the reference section); others simply dropped a "thank you" email. That was enough for me to decide to maintain Cyber Threats Trends for another six months. Data collection, analysis and classification require a fairly expensive back-end, so the project needs to be useful to somebody; otherwise there would be no sense in maintaining such dedicated infrastructure.

Now let's take a look at what it found during the past six months.

Malware Families

The most frequently seen malware families from January 2020 to June 2020 (six months of activity) are the following:
  • GandCrab ~3%
  • Upatre ~1.9% (!!)
  • Emotet ~1.8%
  • TrickBot ~1.25%
This is in line with most available 2020 statistics and reports, with the single exception of Upatre, which looks entirely out of place in 2020. I have discussed it at length here, so today I am fairly confident it is not a misclassification. Many other families were seen, as the following graph shows, but they are not discussed in this post.

Malware Families

Looking at the distribution of the top malware families, we can try to find out whether a temporal pattern emerges. The following image shows the GandCrab family distribution over time. Interestingly, GandCrab was most active during the last two weeks of March, reaching its peak detection rate on 2020-03-31 with about 138 unique findings in that single day. By contrast, it appears to have been used far less during May and June 2020.

GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

From Malpedia

Pattern-wise, there does seem to be a rhythm in it. Grouping the dates by week shows that GandCrab is mostly used twice per month. If we treat each major peak (the largest local maximum in the detection rate) as a campaign launch day and the smaller local maxima that follow as adjustments to that campaign, it looks like the attackers take two weeks to harvest profit from the previous campaign and to prepare new artifacts for the next one.

GandCrab Distribution over time

The following graph shows the Upatre family distribution over the past six months.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From Paloalto Unit42

This graph is very interesting because Upatre had not been used for years (since 2016, I believe). It looks like attackers dusted it off and started using it again from April 2020. Grouping by date shows a three-day rhythm, meaning that one "attack wave" follows another after an average of three days. I will check this further, but the static rules match exactly what we see in the Upatre graph.

Upatre Distribution over time

Moving on to TrickBot, the following image shows its distribution over time. TrickBot was active during the first months of 2020 in a constant, linear way, while from March to April 2020 it saw a significant acceleration. Thanks to COVID-themed campaigns, Cyber Threats Trends recorded more TrickBot in that time frame than ever before.

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

From Malpedia

TrickBot Distribution over time

The following image shows the Emotet distribution over time. As one would expect, Emotet's distribution follows TrickBot's. Even though the relationship between the TrickBot and Emotet operators is not clear, we are used to seeing these frameworks delivered together in common campaigns, as a few months ago when we saw a lot of Ryuk (ransomware) distribution using Emotet + TrickBot.

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

From Malpedia

Emotet Distribution

Some indicators, such as the detection rates in January and in June, show that in those months Emotet was used even without TrickBot, which may suggest a different delivery procedure and therefore a different threat actor. In other words, comparing TrickBot and Emotet we observe mainly two groups: one that delivers TrickBot and Emotet together (such as the Ryuk ransomware group) and one that uses Emotet without TrickBot.

Carrier Distribution

Excluding the exe file type, which is the most analyzed extension in the dropper landscape, we continue to observe many Office files as the main malware carrier. Microsoft Word documents with embedded macros are the most observed carrier, followed by PDF documents and CDF content. While PowerShell files remain one of the most emerging threats, we have not observed a large amount of malware delivery on that carrier so far; we do, however, see a revival of the old Microsoft Excel 4.0 macros as an obfuscation technique.

Frequency no EXE

It is still quite interesting how these statistics change over time. PDF and OLE objects remained the most used carriers during the analyzed period. Even CDF documents are quite common, while simple scripts such as VBScript or JavaScript are slowly losing ground in international statistics.


Developing Cyber Threats Trends has been a great journey! It cost me many sleepless nights and additional expense for a fairly large back-end network (especially on the database side), but I had the opportunity to collect very interesting data and to learn more about malware statistics and about developing distributed systems. Moreover, it turned out to be a useful data collection and trend analysis tool for quite a few people out there. I will definitely keep it collecting more data!

Messenger Rooms: New Video Chat Option is Fun But Has Risks

One of the many things we’ve learned during this season of being homebound is that video chats with friends can save the day. One of the newest channels for video chatting is Messenger Rooms. While the new Facebook feature isn’t groundbreaking in terms of how it works, it’s the ability to pull together a big group of friends spontaneously that may make this a popular digital hangout for kids.

The Basics

Messenger Rooms functions similarly to the popular video conferencing app Zoom. The exception: There’s no need for users (or guests) to download a new app, create an account, or send out pre-planned meeting invites.

Messenger Rooms is simple. One person sets up a Messenger Room, that Room is assigned a URL, the organizer sends his or her friends that link, and those friends can instantly click it and be in the room. With so many families still opting to avoid large gatherings, Rooms may be the next best way to socialize in the most organic, pre-pandemic way.

The app makes it easy to watch movies together since one user screen can be pinned to the top of the chat for shared viewing. Kids can also have game nights, birthday parties, organize workout and study groups, or have a “squad hangout” as the Room title options call out (see graphic, below).

The Fun 

A few specific features may make Messenger Rooms appealing to kids. First, it’s easy to drop friends a link and be together almost instantly in a private room. Messenger Rooms is free, doesn’t have time limits, and up to 50 friends can get together in one room — from anywhere in the world. Kids joining a Room from their mobile app can apply quirky filters to their backgrounds or faces, which brings in the creativity element they get from Instagram Stories and Snapchat.

The Risks

Privacy. So far, privacy seems to be the biggest concern being raised, and here’s why. Messenger Rooms, like Facebook, collects metadata from users, including guests without Facebook accounts. Metadata may include who you talk with, at what times, and how often, all of which can be shared with third parties. Also, while Messenger Rooms does not record calls the way Zoom can, it lacks end-to-end encryption, so the content of a call is readable on Facebook’s servers rather than only on the participants’ devices, and anyone who gains access to those systems can compromise private conversations.

Troublemakers. Live chat rooms are not password-protected, so if a Room organizer decides to make a Room public or fails to lock a room they intended to be private, anyone can pop in and do anything. Much like the Zoom bombers emerging, anyone could crash a meeting with racial rants or graphic content. A link to a room can also be shared with others by anyone who has the link.

Cyberbullying. As with any app, conflicts can arise as can cyberbullying or harassment.

The Conversation

If you notice your kids using Messenger Rooms, you may consider having a few conversations that highlight the risks.

  • Privacy settings. If you organize a Room, lock it to keep unwanted people from crashing your meet up.
  • Nothing is private. Messenger Rooms isn’t encrypted, so it’s not the place to have private conversations or share sensitive content. Note: The internet in any form isn’t the place to share any personal content. Anything exchanged online — even a “private” text between two people — is vulnerable to hackers, device theft, or the possibility of a relationship falling out.
  • Nothing is free. Remind your children that services online are free for a reason. There is always an exchange: free use for data. Be aware that profile information and bits of a conversation could be mined and used by a third party. To understand better how data is collected, see Facebook’s help center or data policy.
  • Lock your room. Unless your child adjusts his or her preferences, it will be open to anyone that person is friends with on Facebook who will see the public Room at the top of their newsfeed. That means lovable Uncle Pete may mistakenly stumble into your daughter’s “squad” rant unless the Room is locked.
  • Report and block. If an unwanted person disrupts a Room kids can block the user and report it to Facebook.
  • Age-appropriate options. For kids under 13 (Facebook age requirement), there’s Messenger Kids, a Facebook feature that allows younger kids to video call with friends in a parentally-supervised room. It’s a great tool for teaching kids safe, online practices before they use the real thing.

To stay ahead of the digital hangouts available to kids, visit McAfee Consumer Family Safety blogs each week. You may also consider monitoring your child’s devices with parental controls designed to filter content, monitor screen time, and track new apps.

The post Messenger Rooms: New Video Chat Option is Fun But Has Risks appeared first on McAfee Blogs.

How to Protect Your Privacy From Tracking Apps


Apps – what would life be without them? Imagine opening a brand-new browser tab every time you wanted to check your email, access photos, connect with friends on social media, or even pay your bills online.

Apps have greatly enhanced the way consumers interact with and complete tasks on their mobile devices. But what many consumers don’t realize is that they are tracked by many of the apps they know and use daily. Tracking can stem from a variety of platforms, however one type in particular has brought this issue even more into the forefront: contact tracing apps, which can help slow the spread of COVID-19.

What Are Contact Tracing Apps?

According to MIT Technology Review, technologists have been working to build contact tracing apps and systems to identify and notify those who have come in contact with a virus carrier. Tech giants and public health authorities worldwide have quickly signed up to build the application programming interfaces (APIs) and apps necessary to support this project’s scale. However, many users are skeptical because they know very little about these apps, what data is collected, and who this data is shared with.

The success of these contact tracing apps rests on user participation. However, for these apps to make a real impact, developers must overcome potential privacy and security risks to assure individuals their data will only be used to fight the virus’ spread.

The Impact of Contact Tracing Technology

According to Health IT Security, the American Civil Liberties Union and the Electronic Frontier Foundation released reports outlining potential privacy and security risks developers should consider when building APIs and drafting privacy policies. Some of these risks include geo-location tracking or tracking a device’s location in real-time.

Then there’s user behavior to keep in mind. Some individuals may not understand the extent of the information they share with an app, while others are uneasy about the idea that the government – or a hacker – could easily access their whereabouts. What’s more, users are concerned that data collection will fail to end after the pandemic and authorities will use it in the future for unwarranted public surveillance.

While the privacy concerns around contact tracing apps are genuine, it’s also important to consider how this technology could greatly benefit public health. Although the privacy protection built into some apps is still a work in progress, some technologies have successfully contact traced without putting users’ privacy at risk. For example, Singapore’s TraceTogether app keeps its Bluetooth proximity log on the user’s own phone and only uploads it once someone 1) is confirmed to have COVID-19 and 2) consents to the upload. From there, the data is anonymized, encrypted, and does not reveal the identity of the infected user or of the people they may have come into contact with. What’s more, the data is deleted automatically after 21 days. By employing a thoughtful approach to contact tracing, positive strides can be made towards stopping the virus’s spread without risking user privacy.

How to Stay Secure

As a consumer living in a world riddled with uncertainty, you can take steps to help protect your digital life. When it comes to the rise of contact tracing technology and other apps you may use, here are some tips to consider to help safeguard your private information.

Understand and read the terms

Because this technology is relatively new, there is much to consider if you’re thinking about downloading a contact tracing app. Consumers can protect their privacy by reading the Privacy Policy and Terms of Service so they can know just what they’re dealing with.

Update your settings

If you’re concerned about an app having permission to access your location, photos, or other data, check your settings to see which apps have access to this information. Change permissions by either deleting the app or changing your settings on your device.

Consider other options

If you are not comfortable downloading a contact tracing app on your device but would like to be informed of the virus’ spread, you can visit the CDC’s website for COVID-19 cases, which can be narrowed down by state and county.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Protect Your Privacy From Tracking Apps appeared first on McAfee Blogs.

How to Keep Your Celebrations Happening – Virtually & Safely!

2020 has certainly been the year of the ‘new normal’. Our new life in which we stay home and socially distance has affected the way we work and learn but just as importantly, the way we celebrate!

Without a doubt, the video call saved the day while we all stayed home and socially distanced. Work meetings continued and learning at home still happened thanks to this wonderful technology. And while some people used video calls to remain in touch with family and friends, this remarkable technology also helped many people worldwide continue to celebrate life’s important milestones such as school and university graduations; weddings and, even the celebration of life at funerals.

Graduating Virtually

One of my oldest friends has two daughters who have just virtually graduated from their high school and university. Before each occasion, the girls were sent their cap and gown and their graduation certificates via the post. On the day of each event, the girls donned their specially purchased dresses – which were purchased long before ‘lockdown’ (along with their cap and gown) – and participated in the ceremony via video call. Dressed to the 9’s, their immediate family also watched the ceremony and witnessed their daughter (and sister) officially graduate.

While there wasn’t perhaps the same sense of camaraderie as if their cohort had graduated together in person, the video call was definitely the next best thing. It allowed them to see their friends, receive the public accolades they both so deserved and, most importantly, it provided a sense of completion and closure that allowed them to start thinking about their next phase in life.

Virtual Weddings

Within weeks of lockdown, the virtual wedding industry was well established. Companies such as Simply Eloped were offering virtual wedding packages that provided planning assistance, a virtual ceremony emcee, advice on acquiring a license and tech support. Specialised tech companies were also offering to coordinate weddings on video calling apps and manage guests on multiple devices.

And if you are getting married, of course you need photography so virtual photographers became a thing as did customised wedding backdrops providers and virtual live musicians to entertain your guests. If there was ever an example of an industry that mastered the art of pivoting, it was definitely the wedding industry!

Celebrating the End Of A Life – Virtually

Probably one of the hardest milestones to miss in person during lockdown was the celebration of life – the funeral. Around the world, many countries limited attendees at funerals to as low as 10 to ensure social distancing which meant live streaming the service became the next best option.

Specialised funeral live streaming companies such as OneRoom sprung up allowing family and friends the opportunity for a private farewell even if they couldn’t attend in person.  While a funeral service is an important way to remember and celebrate the life of the recently deceased, it is also an important part of the grieving process. I have several friends who lost treasured family members during the lockdown period who were very comforted by having the option to have a copy of the live-streamed service which they could watch several times.

If there’s ever a time to be grateful for the power of technology (and video calls), it’s now! I just can’t imagine how we would all have survived the isolation without being able to stay in touch and see the faces of family and friends! But just like every aspect of online life, video calling apps are fantastic when used sensibly, but they do also carry some risks. Here are my top tips to ensure that you can safely celebrate life’s milestones online:

  1. Don’t Share Links to Video Calls

Whether it’s a wedding ceremony, baby shower, meeting with a virtual photographer or a funeral service, sharing links to video calls means you are essentially extending the invitation to anyone who gets their hands on the link. Not only does this compromise the privacy of everyone involved, but video call ‘bombers’ have been known to use threatening and intimidating language which could be very unsettling.

  2. Keep Your Personal Meeting ID Tight!

Some video calling apps allocate each user a PMI or personal meeting ID. Your PMI is basically one continuous meeting, so anyone that has access to it can enter any of your future meetings or gatherings. Always generate a random meeting ID for any events where you don’t truly know your invitees.

  3. Video Calls Can Be Recorded

Don’t forget that video calls can be recorded. Even though a video call may feel like real life – it is not! So, if you are celebrating hard at your friend’s wedding, be mindful that your ‘high-energy’ behaviour may be recorded on camera!!

While ‘lockdown life’ may almost be over for some of us, many experts believe ‘social distancing’ will be a way of life for some time. So, if you have an important celebration on your radar, don’t despair – a well-planned virtual celebration can definitely be worthwhile and will be a great story to pass down to future generations!

Happy Virtual Celebrating!

Alex xx

The post How to Keep Your Celebrations Happening – Virtually & Safely! appeared first on McAfee Blogs.

Cyber Security Roundup for July 2020

A roundup of UK-focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, June 2020.

Australian Prime Minister Scott Morrison announced a sophisticated nation-state actor is causing increasing havoc by attacking the country’s government, corporate institutions, and his country's critical infrastructure operators. He said, “We know it is a sophisticated state-based cyber actor because of the scale and nature of the targeting and the tradecraft used". While Morrison didn't actually name the specific country responsible in his statement, Reuters said its sources confirmed China was the culprit. Political tensions have ramped up between Australia and China in recent months after Australia called for an investigation into China’s handling of the COVID-19 pandemic. China then reacted by placing tariffs on Australian exports and banning shipments of beef from Australia.

Why am I leading a UK cybersecurity blog with an Australian cyberattacks story? Well, it is because the UK might well be next in the cross-hairs of China's sophisticated cyber army, after the UK Government's stance on using Huawei in 5G infrastructure significantly soured last month. It is also due to the increasing political pressure applied by the UK government on the Chinese government following their introduction of a controversial new security law in Hong Kong.

Increased UK Huawei Tensions in June 2020

While the Australian PM rightly suggested their nation-state threat actor was sophisticated, the cyberattacks they described aren't so sophisticated. Their attackers engaged in spear-phishing campaigns designed to trick email recipients into clicking a link leading to a malicious file or credential harvesting page, opening malicious attachments, or granting Office 365 OAuth tokens to the actors. This is the same MO as the cyberattacks orchestrated by the cybercriminal fraternity on a daily basis. The Australian government statement advises organisations to patch their internet-facing devices, including web and email servers, and to use multifactor authentication. All good advice; in fact, all essential good practice for all organisations to adopt no matter their threat actor landscape.

Away from the international cyber warfare scene, a coalition led by security companies is urging the UK government to revamp the outdated Computer Misuse Act. The UK's 'anti-hacking' law is 30 years old, written well before the internet took root in our digital society, so it is not really suitable for prosecuting modern cybercriminals; they tend to be prosecuted under financial crime and fraud laws instead. The coalition calling for a change in the law includes the NCC Group, F-Secure, techUK, McAfee and Trend Micro. They argue section 1 of the Act, which prohibits unauthorised access to any programme or data held in any computer, has not kept pace with advances in technology. In their letter to the PM they said "With the advent of modern threat intelligence research, defensive cyber activities often involve the scanning and interrogation of compromised victims and criminals systems to lessen the impact of attacks and prevent future incidents. In these cases, criminals are obviously very unlikely to explicitly authorise such access."

Since launching a 'Suspicious Email Reporting Service' in April 2020, the UK National Cyber Security Centre (NCSC) announced it has now received one million reports, receiving around 16,500 emails a day. NCSC Chief Executive Officer Ciaran Martin called the number of reports a “milestone” and “a testament to the vigilance of the British public". I think the email reporting service is another fantastic free service provided by NCSC (i.e. UK Gov) to UK citizens, so it is one thing the UK government is definitely getting right in the cybersecurity space at the moment.

Zoom announced it will extend 'optional' end-to-end encryption (E2EE) to free users. It is not certain when exactly Zoom's free E2EE will commence, or whether it will be enabled by default, given the Zoom CEO said, “We plan to begin early beta of the E2EE feature in July 2020.” Still, it is good to see Zoom, much criticised on security, continuing to bolster its security, including by appointing a seasoned Chief Information Security Officer from Salesforce.

Some men just want to watch the world burn...

With the recent uptick in ransomware, phishing, unsecured cloud buckets and massive data breaches dominating the media headlines over the past couple of years, you could be forgiven for forgetting about the threat posed by Distributed Denial-of-Service (DDoS) attacks. So then, a timely reminder that some threat actors have vast botnets at their disposal for orchestrating huge DDoS attacks, after Amazon reported thwarting the biggest ever DDoS attack and a European bank suffered the biggest ever packets-per-second (PPS) DDoS attack. The motives of these colossal DDoS attacks are unclear; I guess some men just want to watch the world burn.

(Quote from Batman butler Alfred (Michael Caine), The Dark Knight)

Best Practices for Adapting to a Remote Work Lifestyle

As our world continues to evolve, we have been forced to adapt accordingly. Navigating change can be difficult for many, so here are useful tips McAfee team members have been using to improve productivity, stay healthy and help customers stay digitally secure during the pandemic.

Productivity Hacks

Applying simple hacks to your routine and environment can help you stay productive. Create a workspace separate from your living space if you can. One tip is to get ready and get dressed as if you were going to the office. You’ll be prepared for that video conference when you feel put together. Recreating the “comforts of office” at home with accessories like a good mouse/keyboard set, external monitor, chair and even an office plant can go a long way. When you’re done for the day, close your laptop to reinforce the separation between work and your personal life.

While some can seamlessly continue normal workday hours, many need to juggle between being a home school principal and master chef de cuisine before being able to look at emails. Try to find a balanced routine that works for your needs, and don’t be afraid to change it.

Ways to Focus on Wellbeing and Stay Active at Home

Many athletic and health companies have brought their classes and routines online for free so people can stay active. The exercises range in intensity and function so you can easily find something that works for you. Whether you prefer a heart-racing, 20-minute HIIT cardio workout, or a decompressing 40-minute yoga session (or both, depending on what the day brings!), there are plenty of options for staying active indoors. These exercises can also be a family bonding activity to stay active together. Additionally, meditation apps have started offering free services to help improve mental wellbeing.

Experimenting in the kitchen may also inspire some creative, healthy cooking. With many restaurants expanding to pickup and delivery models, now is a great time to support local businesses and to try that place you’ve previously set your sights on.

Be sure to stay in touch with your community, friends and family. Check up on others via text, call, or video to see how they’re doing and spend virtual time together. This applies equally to teammates. Encouraging remote lunches and social hours helps everyone stay connected and motivated.

Tips for Staying Digitally Secure

As you’re spending more time online, and possibly seeing more devices connected to your network, it’s a good idea to re-evaluate your home’s digital privacy and security. For starters, consider strengthening your network and internet passwords. Talk to your kids about cybercrime to make sure they remember to practice digital hygiene as they connect online for classes and socialize with friends.

As our external environment changes, so too does the digital threat landscape. When in doubt, connect to a VPN to help keep your personal data and financial transactions safe from prying eyes. Consider using a safe browser extension to help identify illegitimate websites, especially when shopping for supplies or staying up to date on the news. Pairing security tools with best practices can help keep you and your family safer online.

Find Balance by Building in Hobbies

There is no shortage of indoor entertainment options, including video games, online board games and TV shows. Even some museums and zoos have made tours available online. Picking up a new hobby, book or new language could be a great way to keep your mind active. Above all, we encourage you to take care of yourself and your family.

Building hobbies and leisurely activities into your daily routine can help bring structure to your day. Here is how our team member, Lily, is finding balance while working to keep you safe online:

“Transitioning to working from home full-time has taught me the need to establish a routine and stick to it to ensure I’m exercising, setting work hours and taking breaks. Trying to establish a routine during the first couple of weeks was a challenge at first, but now I feel more balanced. Another good tip is to always keep healthy snacks and water at your work station!”

Want to work for a company that values employee wellbeing and helps you reach greater heights? Check out McAfee’s latest opportunities.

The post Best Practices for Adapting to a Remote Work Lifestyle appeared first on McAfee Blogs.

Multi-Cloud Environment Challenges for Government Agencies

Between January and April of this year, the government sector saw a 45% increase in enterprise cloud use, and as the work-from-home norm continues, socially distanced teamwork will require even more cloud-based collaboration services.

Hybrid and multi-cloud architectures can offer government agencies the flexibility, enhanced security and capacity needed to achieve what they need for modernizing now and into the future. Yet many questions remain surrounding the implementation of multi- and hybrid-cloud architectures. Adopting a cloud-smart approach across an agency’s infrastructure is a complex process with corresponding challenges for federal CISOs.

I recently had the opportunity to sit with several public and private sector leaders in cloud technology to discuss these issues at the Securing the Complex Ecosystem of Hybrid Cloud webinar, organized by the Center for Public Policy Innovation (CPPI) and Homeland Security Dialogue Forum (HSDF).

Everyone agreed that although the technological infrastructure supporting hybrid and multi-cloud environments has made significant advancements in recent years, there is still much work ahead to ensure government agencies are operating with advanced security.

There are three key concepts for federal CISOs to consider as they develop multi- and hybrid-cloud implementation strategies:

1. There is no one-size-fits-all hybrid environment

Organizations have adopted various capabilities that have unique gaps that must be filled. A clear system for how organizations can successfully fill these gaps will take time to develop. That being said, there is no one-size-fits-all hybrid or multi-cloud environment technology for groups looking to implement a cloud approach across their infrastructure.

2. Zero-trust will continue to evolve in terms of its definition

Zero-trust has been around for quite some time and will continue to grow in terms of its definition. In concept, zero-trust is an approach that requires an organization to complete a thorough inspection of its existing architecture. It is not one specific technology; it is a capability set that must be applied to all areas of an organization’s infrastructure to achieve a hybrid or multi-cloud environment.

3. Strategies for data protection must have a cohesive enforcement policy

A consistent enforcement policy is key in maintaining an easily recognizable strategy for data protection and threat management. Conditional and contextual access to data is critical for organizations to fully accomplish cloud-based collaboration across teams.

Successful integration of a multi-cloud environment poses real challenges for all sectors, particularly for enterprises as large and complex as the federal government. Managing security across different cloud environments can be overwhelmingly complicated for IT staff, which is why they need tools that can automate their tasks and provide continued protection of sensitive information wherever it goes, inside or outside the cloud.

At McAfee, we’ve been dedicating ourselves to solving these problems. We are excited that McAfee’s MVISION Cloud has been recognized as the first cloud access security broker (CASB) with FedRAMP High authorization. Additionally, we’ve been awarded an Other Transaction Authority by the Defense Innovation Unit to prototype a Secure Cloud Management Platform through McAfee’s MVISION Unified Cloud Edge (UCE) cybersecurity solution.

We look forward to engaging in more strategic discussions with our partners in the private and public sectors to not only discuss but also help solve the security challenges of federal cloud adoption.

The post Multi-Cloud Environment Challenges for Government Agencies appeared first on McAfee Blogs.

Ellie Mae turns to AI for autonomous threat hunting

In the information security field, bad actors have the advantage: They play proactive offense while security is generally reactive in defense. To take a more proactive footing, some organizations have been adopting threat intelligence, a security practice that involves sifting through data to identify advanced persistent threats (APTs) before attacks occur. Firms such as Ellie Mae, which provides a cloud-based platform that processes about 44 percent of mortgage applications in the U.S., have taken threat intelligence a step further by leveraging predictive analytics to deploy autonomous threat hunting.
