Daily Archives: November 6, 2020

Threat Roundup for October 30 to November 6

Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between October 30 and November 6. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.

As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.

Read More


20201106-tru.json – this is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

The future of security operations

“Computers make excellent and efficient servants, but I have no wish to serve under them.”

The Star Trek fans amongst our readers may well recognise that Spock quote. And it’s a line that I thought of whilst I was chatting to my latest guest on the Security Stories podcast, Gabriel Gumbs, Chief Innovation Officer at Spirion.

Gabe’s role is to lead the charge on where data security is going next, including how organizations can manage the risk of sensitive data, and how security operations centres will evolve to become even more privacy centric (he lovingly referred to it as the ‘SPOC’, hence the Star Trek reference).

During the podcast we also chat about Gabe’s career trajectory, from hacking portable devices at school. We also talk about how he’s been able to overcome personal fears of speaking in public.

Security Stories podcast

Also in this episode, we welcome Nigel Houghton from Talos and Wolf Goerlich, one of our advisory CISOs for Duo Security at Cisco, to talk about the impact COVID-19 has had on security operations and how teams can adapt in the future.

We also learn how Talos was able to transform itself into an entirely remote workforce in March, and the technical and non-technical challenges that arose from that. Finally, Wolf talks about how organizations can modernise their security defences and take the path to passwordless.

To learn more about the path to passwordless, do have a read of Wolf’s paper ‘Passwordless: The Future of Authentication’.

Episode time stamps

00:00 Intro
01:59 Interview with Gabriel Gumbs
32:47 Discussion on the future of security operations with Nigel Houghton and Wolf Goerlich
74:01 Closing remarks

Play the episode

You can listen to this podcast on Apple Podcasts, Spotify, Google Podcasts, or wherever you normally get your podcasts from! You can also listen right here and now:

More episodes

If you missed any of the topics we covered on Security Stories in October, here’s a quick recap, and the links to listen:

Taking the unconventional career path, with guests Curtis Simpson, Mitch Neff and Corien Vermaak:

Discussions on why diverse representation matters in cybersecurity, with Leticia Gammill, Matt Watchinski and Mike Hanley:

The roots of online political disinformation campaigns, with Theresa Payton and Nick Biasini:

Business VOIP phone systems are being hacked for profit worldwide. Is yours secure?

Security researchers have uncovered an organised gang of cybercriminals who are compromising the VOIP phone systems of over 1000 organisations worldwide. Check Point has identified a malicious campaign that has targeted a critical vulnerability in the Sangoma PBX open-source GUI, used to manage installations of Asterisk - the world's most popular VOIP phone system for businesses. Read more in my article on the Bitdefender Business Insights blog.

Secure Network Analytics (Stealthwatch): Then, Now, and Beyond

Part 1: In the Beginning


Secure Network Analytics (formerly Stealthwatch) was recently recognized as the industry leader in Network Detection and Response (NDR). This product journey began in 2001, and through the years, we have had to innovate to remain a leader. Yes, I said 2001. A time when we were still imaging machines from optical drives, Windows XP had just shipped, before the social media boom and maybe even before some of you readers were born. In so many ways, things are different today than they were back then, but the product’s primary objective has never changed: “To analyze network behavior in order to identify threats and malicious activity and direct it to the most effective response.”

It all began in 2000, when a Georgia Institute of Technology professor, Dr. John Copeland, founded a company called Lancope. It was his vision that would inspire others and ultimately lead to where we are today. Along the way, there were some significant battles we had to fight to hold our ground. Some of these were strategic bets that would later pay off.

Dr. Copeland founded Lancope upon the discovery of “probing” on his home computer through odd bursts of data in the fall of 1999. Recognizing that these data bursts had malicious intent and could traverse a firewall, Dr. Copeland invented “Flow-based Analysis” to derive the probability that a conversation between two hosts was malicious. The clever thing about Flow-based analysis is that it involves the statistical analysis of counts built from packet headers alone. At the time, this meant the solution could operate at higher packet rates than the IDP/IPS alternatives of the day.

Using Flow-based analysis was a natural fit for NetFlow, and it allowed us to scale across the entire network to provide unprecedented breadth of security visibility. However, one argument we needed to address was “Why are we using NetFlow? NetFlow was not meant to be used for security!” NetFlow was introduced by Cisco in 1996 and was superseded by Internet Protocol Flow Information eXport (IPFIX) in 2008 (RFC 5101/RFC 5102). We trained our analytics on it because we knew that if we were right, instead of having visibility only where we could deploy sensors, the network itself would become our sensor!

The next argument we needed to overcome was “You can’t do real network security detection without Deep Packet Inspection!” Because we did not depend on Deep Packet Inspection, industry experts would argue that we cannot detect threats with NetFlow/IPFIX alone. To understand the validity of this argument, you needed to go back to a time where network encryption was used sparingly. Most of the network was largely operating in the clear – I know it sounds insane, but these were simpler times. The use of SSL and TLS was not widespread and setting up a site-to-site VPN took a network genius. We knew that it would be only a matter of time before Deep Packet Inspection would become a thing of the past. Today, even if you were to capture all the packets, well over 90% of it would be encrypted and opaque to direct inspection. Let me be clear, if DPI was available, we would use it, but we did not depend on it for our security analytical outcomes. This put us in a very strong position because our machine learning algorithms would not be affected by the pervasive use of network encryption. So once again, we made a very important strategic bet for the reality of today.

As Lancope became more and more successful within the larger global 2000 enterprises, we quickly learned that we needed to add integrations that would allow us to perform analytics from multiple centricities. We felt that there might be cases where customers want to view the results by device, or by application, or by user. A device-centric question would be “What has this device communicated with in the past 30 days?” A user-centric question would be “What has the user alice01 done on my network in the past 30 days?” To add in this user-centricity, we needed to integrate with an authoritative source for that data. At the time, Cisco offered the “Identity Services Engine” or ISE for short. Integrating Secure Network Analytics with ISE meant that we could now offer device and user-centric analytics when it came to the behavior we observed across a customer’s network. ISE would also lay the groundwork for safe and secure automated responses. If a threat actor was active on a part of the network, Secure Network Analytics could signal to ISE to isolate that device or user. All of this functionality back 10+ years ago would begin to define what is now the extended detection and response (XDR) market today.
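To make the two ideas above concrete, the following is an added example (not Lancope or Cisco code) of flow-based analysis on NetFlow-style records: it uses only the counts an exporter carries in flow headers (endpoints, port, packet and byte counters), never payload. It covers both the "probing" pattern that started the product (many tiny flows fanning out across destination ports) and the device-centric question "what has this device communicated with in the past 30 days?". The record layout, the thresholds and the flow records are all assumptions constructed for the demonstration.

```python
"""Flow-based analysis on NetFlow-style records: header counts only, no payload.

Added example, not Lancope/Cisco code. The record layout and thresholds are
assumptions; the flow records below are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class Flow(NamedTuple):
    ts: datetime      # flow start time
    src: str          # source IP
    dst: str          # destination IP
    dport: int        # destination port
    proto: str        # "tcp" / "udp"
    packets: int      # packets in the flow (from the exporter's counters)
    octets: int       # bytes in the flow


NOW = datetime(2020, 11, 6, 12, 0, 0)   # fixed "now" so the example is reproducible


def _t(minutes_ago):
    return NOW - timedelta(minutes=minutes_ago)


# Constructed sample: a normal workstation (.5), a second client (.7),
# a server (.20), a DNS resolver (.21) and one host (.9) sweeping ports.
FLOWS = [
    Flow(_t(90), "10.0.0.5", "10.0.0.20", 443, "tcp", 120, 85000),
    Flow(_t(80), "10.0.0.5", "10.0.0.21", 53, "udp", 2, 180),
    Flow(_t(70), "10.0.0.5", "10.0.0.20", 443, "tcp", 90, 60000),
    Flow(_t(60), "10.0.0.7", "10.0.0.20", 443, "tcp", 30, 21000),
] + [
    # 10.0.0.9 touches 40 consecutive ports on one host with single-packet flows
    Flow(_t(30 - i // 10), "10.0.0.9", "10.0.0.20", 1 + i, "tcp", 1, 60)
    for i in range(40)
] + [
    Flow(_t(5), "10.0.0.9", "10.0.0.21", 22, "tcp", 1, 60),
]


def detect_probing(flows, window=timedelta(hours=1), now=NOW,
                   min_targets=20, max_packets=2):
    """Flag sources that open many tiny flows to distinct (dst, port) pairs.

    A port sweep or host probe shows up as a burst of one- or two-packet
    flows spread across many destination ports; the counters in the flow
    headers are enough to see it, no payload is needed.
    Returns {source: number of distinct (dst, port) targets} for offenders.
    """
    targets = defaultdict(set)
    for f in flows:
        if now - f.ts <= window and f.packets <= max_packets:
            targets[f.src].add((f.dst, f.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def peers_of(flows, host, days=30, now=NOW):
    """Device-centric view: who has this host talked to in the last N days?

    Returns {peer: {"flows": count, "bytes": total octets}} over flows where
    the host was either endpoint.
    """
    cutoff = now - timedelta(days=days)
    peers = defaultdict(lambda: {"flows": 0, "bytes": 0})
    for f in flows:
        if f.ts < cutoff:
            continue
        if f.src == host:
            other = f.dst
        elif f.dst == host:
            other = f.src
        else:
            continue
        peers[other]["flows"] += 1
        peers[other]["bytes"] += f.octets
    return dict(peers)


if __name__ == "__main__":
    print("probing sources:", detect_probing(FLOWS))
    print("peers of 10.0.0.5:", peers_of(FLOWS, "10.0.0.5"))
```

On the constructed data, `detect_probing` flags only `10.0.0.9` (41 distinct targets), while the workstation's single two-packet DNS flow stays well under the threshold; `peers_of` answers the 30-day question for any host from the same records. In a real deployment the thresholds would be derived per host from a learned baseline rather than fixed constants.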


With 10 years in market with Secure Network Analytics, Lancope and Cisco established a strong partnership. The two companies were a match made in heaven, because Secure Network Analytics did network behavioral analysis and the network is where computers behave. Secure Network Analytics is now an essential part of the “Network as a Sensor” concept and customers consider it a pivotal part of their security program. Up until 2011, threat actors were breaking into your networks and the appropriate detection was in place, but something was changing. Attackers weren’t breaking in anymore; they were simply logging in and operating in your network as someone you trusted! Those traditional detection methods were no longer effective because no alarm bells would be triggered. It was now all about detecting when an application, device, or user started to behave in a way that was suspect, and Secure Network Analytics was in the right place at the right time.

In the next part to the series, we will take a look at how things changed after being acquired by Cisco in December of 2015. After that, we will look into the future and talk about what’s to come!

Cyber News Rundown: Maze Ransomware Shuts Down


Maze Ransomware Group Ends Operations

A press release issued this week announced the end of the Maze ransomware group’s data theft operations. In the release, the Maze authors revealed their motives behind one of the most successful ransomware campaigns to date, and why they chose to finally shut down their massive project. It also stated the Maze team was working to expose the major security holes key industries fail to address, though their methods created many victims.  

Magecart Targets International Gold Retailer

Nearly three months after a data breach caused by a Magecart attack struck the international precious metals retailer, JM Bullion has finally released an official statement to customers. After identifying unauthorized activity on their systems in mid-July, the company went on to find that their systems had been compromised since February by Magecart payment card-skimming software. The company has yet to acknowledge why it took so long to discover the breach or why it failed to follow GDPR regulations by immediately contacting affected customers.

Ryuk Remains Top Player Throughout 2020

With ransomware continuing its stay at the top of the cyberthreat throne, Ryuk variants have been responsible for over a third of all ransomware attacks in 2020 alone or roughly 67 million attacks. Ryuk has been around for over two years, but found much greater success this year after being found responsible for only 5,100 attacks in 2019. Ransomware attacks grew 40 percent over last year, to nearly 200 million as of Q3.

Cannabis Site Leaves Database Exposed

An unsecured database belonging to cannabis website GrowDiaries and housing over 3.4 million user records was found to be accessible last month. The data included 1.4 million user passwords that were stored as unsalted MD5 hashes, a fast hash that is known to be easily cracked by cybercriminals. Nearly a week after being informed of the database, GrowDiaries properly secured it from public access, though it remains unclear how long it was accessible or who accessed it during that time.
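The MD5 point above is a storage-format problem, so here is an added example (not GrowDiaries code) showing the weak scheme beside a hardened one: a single fast, unsalted MD5 digest versus a per-user random salt with the memory-hard scrypt KDF, plus a login path that migrates a legacy MD5 record the first time its owner successfully authenticates. The stored-record format, the scrypt parameters and the user table are assumptions constructed for the demonstration; only the Python standard library is used.

```python
"""Password storage: legacy unsalted MD5 beside a salted scrypt scheme.

Added example, not GrowDiaries code. The record format is an assumption and
the user records are constructed. Standard library only.
"""
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumption; RFC 7914 suggests N=2**14 for interactive logins)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16


def legacy_md5(password: str) -> str:
    """The weak scheme: one fast, unsalted hash. Equal passwords give equal
    digests, so precomputed tables and GPU brute force recover them quickly."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: random per-user salt + memory-hard scrypt, stored as
    '$scrypt$<salt hex>$<digest hex>' so the verifier knows how to check it."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a password against either record format in constant time."""
    if stored.startswith("$scrypt$"):
        _, _, salt_hex, digest_hex = stored.split("$")
        actual = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        return hmac.compare_digest(actual, bytes.fromhex(digest_hex))
    # anything else is treated as a legacy unsalted MD5 hex digest
    return hmac.compare_digest(legacy_md5(password), stored)


def needs_rehash(stored: str) -> bool:
    """True for records still in the legacy MD5 format."""
    return not stored.startswith("$scrypt$")


def login(users: dict, username: str, password: str) -> bool:
    """Verify, and transparently migrate a legacy MD5 record on success
    (the only moment the plaintext is available to re-hash)."""
    stored = users.get(username)
    if stored is None or not verify_password(password, stored):
        return False
    if needs_rehash(stored):
        users[username] = hash_password(password)
    return True


# Constructed user table: one legacy MD5 record, one already migrated.
USERS = {
    "alice": legacy_md5("sunflower"),
    "bob": hash_password("correct horse battery staple"),
}

if __name__ == "__main__":
    table = dict(USERS)
    print("alice before:", table["alice"])
    print("login ok:", login(table, "alice", "sunflower"))
    print("alice after:", table["alice"][:24] + "...")
```

Two design points worth noting: the record carries its own scheme tag and salt, so a later cost increase or algorithm change only needs a new tag and another `needs_rehash` branch, and comparisons go through `hmac.compare_digest` so a wrong guess cannot be distinguished from a right one by timing.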

Mattel Reveals Ransomware Attack

Following a July ransomware attack, Mattel has finally issued an official statement regarding the overall damage. The company has confirmed that no data was stolen during the attack, which was quickly identified by their security team, and that many systems were taken offline to prevent any further damage or theft from occurring. The ransomware attack was likely perpetrated by TrickBot, as it’s known for concentrating on large organizations and leaving them exposed for some encrypting variant to follow.

The post Cyber News Rundown: Maze Ransomware Shuts Down appeared first on Webroot Blog.

This Week in Security News: US Cyber Command Exposes New Russian Malware and REvil Ransomware Gang ‘Acquires’ KPOT Malware

Welcome to our weekly roundup, where we share what you need to know about cybersecurity news and events that happened over the past few days. This week, learn about eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Also, read about how the operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month.

Read on:

Beware a New Google Drive Scam Landing in Inboxes

Scammers just found a new phishing lure to play with: Google Drive. A flaw in Drive is being exploited to send out seemingly legitimate emails and push notifications from Google that, if opened, could land people on malicious websites. The smartest part of the scam is that the emails and notifications it generates come directly from Google.

What Are the Best Options for Cybersecurity Protection for Small Businesses?

For Workplace IT, providing the best cybersecurity protection for their company’s hundreds of small business clients is critical. Workplace IT relies exclusively on Trend Micro to ensure that its customers have the best cybersecurity protection available. Partnering with one security vendor makes it easy for the company to focus on other issues, knowing that security is handled comprehensively and consistently.

REvil Ransomware Gang ‘Acquires’ KPOT Malware

The operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month. The sale took place after the KPOT malware author decided to auction off the code, desiring to move off to other projects, and was organized as a public auction on a private underground hacking forum for Russian-speaking cyber-criminals.

Encouraging the Next Generation of Cybersecurity Stars to Join the Industry

At its core, Trend Micro has a passion for education and a desire to grow the cybersecurity industry with talented, dedicated professionals. The two are closely linked: If we can introduce cyber skills into schools at an earlier age, then more young people will be encouraged to start a career in cybersecurity. That’s why Trend Micro is running a new virtual event for university students in November, during NIST NICE Cybersecurity Career Awareness Week.

Cybersecurity Threats to Corporate America are Present Now ‘More Than Ever,’ SEC Chair Says

Securities and Exchange Commission (SEC) Chairman Jay Clayton is telling corporate America it needs to be more vigilant on security. In an interview with CNBC, Clayton stressed that significant cybersecurity threats remain, despite the ongoing coronavirus pandemic and election season. In October alone, the Cybersecurity and Infrastructure Security Agency (CISA) put out 30 cyber alerts across various industries and business sizes, as well as consumers.

US Cyber Command Exposes New Russian Malware

US Cyber Command has exposed eight new malware samples that were developed and deployed by Russian hackers in recent attacks. Six of the eight samples are for the ComRAT malware (used by the Turla hacking group), while the other two are samples for the Zebrocy malware (used by the APT28 hacking group).

SaltStack Discloses Critical Vulnerabilities, Urges Patching

SaltStack disclosed three new vulnerabilities, two of which are assessed to be critical, and is urging users to patch immediately. In an advisory, the organization announced it released a security update to address the vulnerabilities. While two vulnerabilities were discovered and submitted by “KPC” of Trend Micro’s Zero Day Initiative (ZDI), the advisory does not say how CVE-2020-25592 was found. Dustin Childs, ZDI communications manager, said they reported it to SaltStack privately in late August.

New Data Shows Just How Badly Home Users Overestimate IoT Security

A new survey from the National Cyber Security Alliance (NCSA) shows adult workers vastly overestimate the security of the internet devices in their homes. The survey polled 1,000 adults – 500 aged 18-34 and 500 aged 50-75 – and found that the overwhelming majority of both believed the internet of things (IoT) devices they owned were secure.

Over 23,000 Hacked Databases Shared Over Telegram and Discord

It was reported that over 50GB of data from 23,000 hacked databases have been shared by hackers across Telegram channels and two hacking forums. A total of 23,618 databases were able to be downloaded through the Mega file hosting service, amounting to a dataset of around 13 billion personal files. The link was later taken down following abuse reports but there are fears that the data has entered the public domain.

Deloitte’s ‘Test Your Hacker IQ’ Site Fails Itself After Exposing Database Username, Password in Config File

A website created for global consultancy Deloitte to quiz people on knowledge of hacking tactics has proven itself vulnerable to hacking. The site, found at the insecure non-HTTPS URL http://deloittehackeriq.com/, makes its YAML configuration file publicly accessible. And within the file, in cleartext, is the username and password for the site’s MySQL database.

Toymaker Mattel Hit by Ransomware Attack

Top toymaker Mattel revealed it was a victim of a ransomware attack that successfully encrypted some data and temporarily crippled a limited number of business functions. The disclosure was part of a U.S. Securities Exchange Commission (SEC) disclosure filed in late October. Mattel reported the attack occurred on July 28, 2020 and that, for the most part, it was mitigated quickly and had a minimal impact on the company.

Spike in Emotet Activity Could Mean Big Payday for Ransomware Gangs

There’s been a massive increase in Emotet attacks and cyber criminals are taking advantage of machines compromised by the malware to launch more malware infections as well as ransomware campaigns. The October 2020 HP-Bromium Threat Insights Report reports a 1,200% increase in Emotet detections from July to September compared to the previous three months.

How do you secure your IoT devices at home? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Hospitals need to practice their security hygiene just like handwashing

Three federal agencies – the FBI and the Departments of Homeland Security and Health and Human Services – issued a security alert for hospitals last week that they have credible evidence of an increased and imminent cybercrime threat to U.S. hospitals and health systems. The call to action is for the entities to protect their network infrastructure from these threats immediately.

Last week, ransomware hit six hospitals that took their systems down. These six hospitals have openly shared the incident, but we do not know how many other hospitals were also affected.


Ransomware Gangs Not Honoring Ransom Payments for Stolen Data

Security researchers observed that multiple ransomware gangs are not honoring the ransom payments received from victims for their stolen data. In its Quarterly Ransomware Report for Q3 2020, Coveware revealed that almost 50% of crypto-malware cases involved the threat to publish unencrypted data stolen from victims in addition to the use of encryption to render […]… Read More

The post Ransomware Gangs Not Honoring Ransom Payments for Stolen Data appeared first on The State of Security.

Detecting Phishing Emails

Research paper: Rick Wash, “How Experts Detect Phishing Scam Emails”:

Abstract: Phishing scam emails are emails that pretend to be something they are not in order to get the recipient of the email to undertake some action they normally would not. While technical protections against phishing reduce the number of phishing emails received, they are not perfect and phishing remains one of the largest sources of security risk in technology and communication systems. To better understand the cognitive process that end users can use to identify phishing messages, I interviewed 21 IT experts about instances where they successfully identified emails as phishing in their own inboxes. IT experts naturally follow a three-stage process for identifying phishing emails. In the first stage, the email recipient tries to make sense of the email, and understand how it relates to other things in their life. As they do this, they notice discrepancies: little things that are “off” about the email. As the recipient notices more discrepancies, they feel a need for an alternative explanation for the email. At some point, some feature of the email — usually, the presence of a link requesting an action — triggers them to recognize that phishing is a possible alternative explanation. At this point, they become suspicious (stage two) and investigate the email by looking for technical details that can conclusively identify the email as phishing. Once they find such information, then they move to stage three and deal with the email by deleting it or reporting it. I discuss ways this process can fail, and implications for improving training of end users about phishing.

Update Your iOS Devices Now — 3 Actively Exploited 0-Days Discovered

Apple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild. Rolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges. The

North Korean Hackers Used ‘Torisma’ Spyware in Job Offers-based Attacks

A cyberespionage campaign aimed at aerospace and defense sectors in order to install data gathering implants on victims' machines for purposes of surveillance and data exfiltration may have been more sophisticated than previously thought. The attacks, which targeted IP-addresses belonging to internet service providers (ISPs) in Australia, Israel, Russia, and defense contractors based in Russia