Author Archives: Jon Clay (Global Threat Communications)

How Do Threats Align With Detection And Solutions?

There are many different threats targeting many different areas of a corporate network. Have you ever wondered how those threats are stopped? What threats impact which areas of a network? What technology detects and blocks those threats? I wanted to build an interactive graphic to answer those questions.

This interactive infographic can help you understand the full ecosystem of how security works across your network, because just learning about the different threats is not enough. People need to also understand how to detect these threats and ultimately what solutions they can utilize in the different areas of their network to protect themselves and their systems and data. Now you can do all of this in one graphic that will lead you through the whole journey of discovery.

As you can see in the above graphic, the user can select different areas of their network and within each area, you can dive into the different threats targeting that area. Each threat links to our Glossary of Terms with a definition. Below you see the different threats targeting email.

As you select each threat, a pop-up window will show you all the different technologies used to detect this threat. For each technology, you can mouse over the link and a pop-up will explain how that technology works.

Finally, you will also have links to the different Trend Micro solutions that use these technologies to protect your organization from specific threats. This interactive graphic can give you a nice way to link threats to detection/protection technologies to solutions and hopefully will help you better understand the extensive breadth of capabilities to protect your organization. Go ahead and spend some time using this interactive infographic and feel free to share with your friends and colleagues.



This Week in Security News: Phishing Campaigns and a Biometric Data Breach

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about ever-increasing amounts of phishing campaigns and how Trend Micro caught 2.4 million attacks of this type — a 59% increase from 1.5 million in the second half of 2018. Also, read how millions of sensitive biometric records were found exposed in a massive data breach involving a major biometric security platform.

Read on:

August Patch Tuesday: Update Fixes ‘Wormable’ Flaws in Remote Desktop Services, VBScript Gets Disabled by Default

Microsoft released updates to patch 93 CVEs, along with two advisories, in this month’s Patch Tuesday. The bulletin patches issues in Azure DevOps Server, Internet Explorer, Microsoft Office, Microsoft Windows, Visual Studio and more. The patches address 29 vulnerabilities rated Critical and 64 that were rated Important, and a total of 21 CVEs were disclosed through the Zero Day Initiative (ZDI) program.

Over 27.8M Records Exposed in BioStar 2 Data Breach

About 23 GB worth of data consisting of 27.8 million sensitive biometric records were found exposed in a massive data breach involving biometric security platform BioStar 2, which provides thousands of companies with biometrics security in order to restrict access to buildings and other private areas.

New Tech: Trend Micro Inserts ‘X’ Factor Into ‘EDR’ – Endpoint Detection and Response

While endpoint detection and response (EDR) is one of the most significant advancements made by endpoint security vendors in the past six years, enterprises need more. Trend’s COO Kevin Simzer discusses these needs and Trend Micro’s new solution to meet them: XDR.

Report: Huge Increase in Ransomware Attacks on Businesses

According to a report by Malwarebytes, there has been a 363% year-over-year increase in the first half of the year. Aside from businesses, there has also been a greater number of ransomware attacks targeting different public sectors and local governments since the start of 2019.

Hackers Can Turn Everyday Weapons into Acoustic Cyberweapons

A researcher found that custom malware can induce embedded speakers to emit inaudible frequencies at high intensity or blast out audible sounds at high volume. Those aural barrages can potentially harm human hearing, cause tinnitus or have psychological effects, and they highlight the potential for acoustic malware to be distributed and controlled through remote access attacks.

Cyberattack Lateral Movement Explained

Trend Micro’s VP of Cloud Research, Mark Nunnikhoven, explains the concept of lateral movement, which refers to the techniques cyber attackers use to progressively move through a network post-breach as they search for the key data and assets that are ultimately the target of their attack campaigns.

Cloud Atlas Group Updates Infection Chain with Polymorphic Malware to Evade Detection

Recently observed by security researchers, this malware campaign uses a polymorphic HTML application (HTA) and a polymorphic backdoor to evade detection. As in its previous iteration, the threat routine begins with phishing emails to high-value targets.

BGP Hijackings Take on New Meaning in Cybersecurity Climate

The Border Gateway Protocol is vulnerable to malicious actors — and as of right now, little can be done about it from a security perspective, although there have been attempts to make it more reliable. Trend Micro’s Mark Nunnikhoven, VP of cloud research, discusses BGP’s reliability and threat risk.

The Rising Tide of Credential Phishing: 2.4 Million Attacks Blocked by Trend Micro Cloud App Security in 2019 1H

Credential phishing continues to be a bane for organizations. In the first half of 2019, the Trend Micro™ Cloud App Security™ solution caught 2.4 million attacks of this type — a 59% increase from 1.5 million in the second half of 2018.

Securing the Industrial Internet of Things: Protecting Energy, Water and Oil Infrastructures

Given the expected expansion of industrial internet of things (IIoT), this guide discusses the possible security risks, threats, and scenarios that cybercriminals can abuse to compromise the energy, water, and oil industries. Also included are recommendations on how to defend against these attacks based on Trend Micro (TM) research.

Anatomy of an Attack: How Coinbase was Targeted with Emails Booby-Trapped with Firefox Zero-Days

Coinbase’s chief information security officer published an incident report covering the recent attack on the cryptocurrency exchange, revealing a phishing campaign of surprising sophistication. The thwarted attack began with email messages on May 30 to more than a dozen Coinbase employees that appeared to be from Gregory Harris, a research grant administrator at the University of Cambridge in the UK.

Back-to-Back Campaigns: Neko, Mirai, and Bashlite Malware Variants Use Various Exploits to Target Several Routers, Devices

Within a span of three weeks, our telemetry uncovered three notable malware variants of Neko, Mirai, and Bashlite. These malware variants enlist infected routers to botnets that are capable of launching distributed denial of service (DDoS) attacks.

Analysis: New Remcos RAT Arrives Via Phishing Email

In July, our researchers came across a phishing email purporting to be a new order notification, which contained a malicious attachment that leads to the remote access tool Remcos RAT. This attack delivers Remcos using an AutoIt wrapper that incorporates various obfuscation and anti-debugging techniques to evade detection, which is a common method for distributing known malware.

Are you up to speed on our recommendations to avoid possible security risks, threats, and scenarios that cybercriminals can abuse to compromise the energy, water, and oil industries? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


XDR Needs Network Data and Here’s Why

As we’ve discussed in previous blogs, XDR is a better way to detect attacks within a network because it can correlate threat intelligence and data across multiple threat vectors, including endpoint (including mobile and IIoT), server, network, messaging, web, and cloud. In this blog I want to discuss an area of the attack sequence that can help organizations identify an attack: lateral movement.

Malicious actors, once in an organization’s network, will need to move beyond their initial infection location to other parts of the network, seeking out the areas that hold the data or critical systems they wish to utilize, whether that is the data center, an OT network, or the critical business systems that support their criminal or destructive intent. There are a number of ways lateral movement is performed, but the key is to hide and remove evidence of their presence.

Initially they will look to scan the internal network using the same kinds of scanning tools admins use, to identify what systems are available to them. Hacking tools and keyloggers will be used to steal user accounts and passwords to obtain legitimate user credentials within systems. More tools will typically be downloaded using the command & control infrastructure to help with their attack. After obtaining more powerful user accounts, the attacker can laterally move to other systems and use “normal” tools to perform other activities. These activities may be difficult for defenders to identify because they rely on legitimate administrative mechanisms such as:

  1. PSEXEC to execute a program from remote system
  2. Schedule a remote task to execute back door or malicious code
  3. RDP or net use to connect to other hosts
  4. Leverage WMI for fileless intrusion
  5. Execute Powershell script for fileless intrusion
  6. Utilize exploits targeting unpatched systems for known vulnerabilities
  7. Execute a normal tool like BitLocker to encrypt customer data, as some ransomware has done; because these are legitimate tools, antivirus systems will not detect them.


This is where adding network intelligence to an XDR and correlating it with intelligence from other areas of the network can be most beneficial. An XDR that supports advanced detection capabilities can correlate data across these areas to identify events that would otherwise go unnoticed.
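As an added example (not code from this post or from any Trend Micro product), the following Python script correlates constructed endpoint events with constructed network flow records: it flags the PsExec-style service install, scheduled-task creation and WMI-launched process activity from the list above on the host side, spots the admin-style internal scan on the network side, and joins the two into one attack chain, which is the cross-source correlation this paragraph describes. Host names, IP addresses, event fields and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_PORTS = {135, 445, 3389, 5985}  # RPC/WMI, SMB (PsExec, net use, remote tasks), RDP, WinRM


def ts(s):
    return datetime.fromisoformat(s)


# Constructed endpoint telemetry, loosely modelled on Windows event IDs:
# 4624 logon, 7045 service installed, 4698 scheduled task created, 4688 process created.
ENDPOINT_EVENTS = [
    ("2019-08-12T09:00:05", "WS-01", 4624, {"logon_type": 3, "user": "jdoe", "src_ip": "10.0.0.5"}),
    ("2019-08-12T09:00:09", "WS-01", 7045, {"service": "PSEXESVC", "image": "psexesvc.exe"}),
    ("2019-08-12T09:01:30", "SRV-02", 4698, {"task": "Updater", "user": "svc_admin"}),
    ("2019-08-12T09:02:10", "SRV-02", 4688, {"process": "powershell.exe", "parent": "wmiprvse.exe"}),
    ("2019-08-12T10:15:00", "WS-03", 4688, {"process": "notepad.exe", "parent": "explorer.exe"}),
]

# Constructed asset inventory and flow records (time, src_ip, dst_ip, dst_port);
# 10.0.0.5 fans out to four hosts on lateral-movement ports within seconds.
HOST_IPS = {"WS-01": "10.0.0.11", "SRV-02": "10.0.0.12", "WS-03": "10.0.0.13", "SRV-04": "10.0.0.14"}
NETWORK_FLOWS = [
    ("2019-08-12T08:59:00", "10.0.0.5", "10.0.0.11", 445),
    ("2019-08-12T08:59:02", "10.0.0.5", "10.0.0.12", 445),
    ("2019-08-12T08:59:04", "10.0.0.5", "10.0.0.13", 3389),
    ("2019-08-12T08:59:06", "10.0.0.5", "10.0.0.14", 135),
    ("2019-08-12T09:01:00", "10.0.0.5", "10.0.0.12", 445),
    ("2019-08-12T10:14:00", "10.0.0.13", "10.0.0.12", 445),
]


def find_scan_sources(flows, window=timedelta(minutes=2), min_targets=3):
    """Network rule: a source reaching >= min_targets distinct hosts on
    lateral-movement ports inside `window` looks like an internal scan.
    Returns {src_ip: (first_seen, {dst_ip, ...})}."""
    by_src = defaultdict(list)
    for t, src, dst, port in flows:
        if port in LATERAL_PORTS:
            by_src[src].append((ts(t), dst))
    sources = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sources[src] = (t0, targets)
                break
    return sources


def endpoint_findings(events, logon_window=timedelta(minutes=5)):
    """Endpoint rules for the techniques listed above. Each finding is
    (time, host, technique, remote_src_ip or None); the remote IP comes from
    a network logon (4624 type 3) seen on that host within logon_window."""
    findings, last_net_logon = [], {}
    for t, host, eid, f in sorted(events, key=lambda e: e[0]):
        when = ts(t)
        if eid == 4624 and f.get("logon_type") == 3:
            last_net_logon[host] = (when, f["src_ip"])
            continue
        src = None
        if host in last_net_logon and when - last_net_logon[host][0] <= logon_window:
            src = last_net_logon[host][1]
        if eid == 7045 and f.get("service", "").upper().startswith("PSEXE"):
            findings.append((when, host, "psexec-style remote service", src))
        elif eid == 4698:
            findings.append((when, host, "scheduled task created", src))
        elif eid == 4688 and f.get("parent", "").lower() == "wmiprvse.exe":
            findings.append((when, host, "wmi-spawned process: " + f["process"], src))
    return findings


def correlate(events, flows, follow_window=timedelta(minutes=10)):
    """Join the two telemetry sources: an endpoint finding on a host that a
    scan source touched shortly before is attributed to that source.
    Returns {src_ip: sorted list of hosts}, i.e. the reconstructed chain."""
    chain = defaultdict(set)
    for src, (t0, targets) in find_scan_sources(flows).items():
        for when, host, _technique, remote in endpoint_findings(events):
            in_targets = HOST_IPS.get(host) in targets
            soon_after = timedelta(0) <= when - t0 <= follow_window
            attributed = remote in (None, src)  # logon source, if logged, must match
            if in_targets and soon_after and attributed:
                chain[src].add(host)
    return {src: sorted(hosts) for src, hosts in chain.items()}


if __name__ == "__main__":
    for src, hosts in correlate(ENDPOINT_EVENTS, NETWORK_FLOWS).items():
        print(f"lateral movement from {src} -> {', '.join(hosts)}")
```

Neither source alone tells the whole story here: the endpoint events on SRV-02 carry no logon record, and the flow records alone show only port activity, but joined they attribute both hosts to the same scanning source.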

Additionally, in many attacks the malicious actors are removing their tracks once finished with that area, so having the ability to capture and keep intelligence can help with root cause analysis and correlate the different disparate components of an attack. This correlation allows an organization to put the pieces of the attack puzzle together to see the full picture.

Some recent Ryuk ransomware attacks are a good example. In these attacks, attackers utilized the EternalBlue exploit and harvested credentials as they moved across the environment, and then used existing system tools to kill security services within machines to hide their presence. In these cases the intelligence coming from endpoints, servers, and the network allowed researchers to identify the attack chain and all the components used within the attack.

Most attacks today, including ransomware, are utilizing lateral movement. Including detection of this as part of an overall XDR platform will improve the prevention, detection, and remediation of sophisticated attacks on an organization.

Stay tuned for more upcoming blogs on how XDR will help improve our overall security strategy moving forward.


This Week in Security News: Ransomware Campaigns and Cryptocurrency Miners

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about three different ransomware campaigns that caused havoc in different public sectors. Also, read how threat actors are infecting vulnerable Linux servers with a cryptocurrency miner.

Read on:

Will XDR Improve Security?

XDR is the expansion of Endpoint Detection & Response (EDR) to include other areas of a network beyond endpoint, allowing an organization to get visibility into the entire attack lifecycle. This includes infiltration, lateral movement, and exfiltration to improve protection of critical systems.

Windows Server 2008 End of Support: Are you Prepared?

Windows Server 2008 and Server 2008 R2 will soon reach end of support on January 14, 2020, and organizations must prepare to deal with missing security updates, compliance issues, defending against malware, and other non-security bugs.

Seattle Woman Charged in Capital One Breach May Have Data from Other Companies

A Seattle woman named Paige Thompson who is charged with taking data on more than 100 million customers from Capital One is reportedly a former Amazon Web Services systems engineer who may have accessed data from more companies.

Keeping a Hidden Identity: Mirai C&Cs in Tor Network

Trend Micro found a new Mirai sample that, like previous Mirai variants, allows attackers to use infected IoT devices for distributed denial of service (DDoS) attacks. Compared to previous variants, however, cybercriminals placed the command and control (C&C) server in the Tor network for anonymity.

DHS Warning: Small Planes Vulnerable to Cyberattack Through CAN Bus Component

The US Department of Homeland Security’s cybersecurity unit (CISA) announced that a vulnerability found in the Controller Area Network (CAN) of small planes could alter an aircraft’s telemetry if physically accessed by an attacker.

Black Hat 2019: 2020 Election Fraud Worries Attendees

More than 60 percent of cybersecurity experts say it is likely that hacking of voting machines will affect the next U.S. election, and they think that Russian cyber initiatives will specifically have a significant impact on the U.S. presidential election in 2020.

Everything is Software: The Consequences of Software Permeating Our World

The evolution and widespread adoption of sophisticated software is helping many industries become more efficient and productive, but also opens enterprises to additional threats. Having a proper defense is essential for those who are reliant on software, which includes implementing updates, proper patching and multi-layered security.

Inside the Smart Home: IoT Device Threats and Attack Scenarios

Smart home devices connected to the internet of things have revolutionized home living, but they have also given rise to new complications for home security. Trend Micro gives an overview of possible attack scenarios for various smart home devices and suggests security solutions for each.

Increasing Workload, Lack of Visibility, and Threat Hunting Challenges Cited as Top Concerns in SOCs

The Ponemon Institute’s survey of IT and IT security practitioners found that 58% of respondents have given their security operation center’s (SOC) effectiveness a low rating. Reasons cited are the lack of visibility into network traffic, lack of timely remediation, complexity, and lack of skilled personnel.

Fake Tech-Support Scams on Twitter Could Cost You, Study Warns

A report from Trend Micro detailed some of the latest ways cybercriminals are using Twitter to defraud users of their cash. It analyzed Twitter data over a three-day period in February and found criminals are gaming search engine results to lure more victims.

Risks Under the Radar: Understanding Fileless Threats

Fileless threats take advantage of a machine’s built-in tools and applications for attacks, essentially turning the system against itself. They leave no identifiable signature that could trigger traditional security software detection, allowing them to bypass standard security mechanisms.

Three Ransomware Campaigns Cause Problems in Different Public Sectors

Among the ransomware attacks from last week, three caused notable disruptions on institutions from different public sectors — energy, education, and law enforcement. Trend Micro shares insights into these attacks and gives advice on how to best defend against ransomware.

Louisiana Declares State of Emergency Due to Ransomware Attack

John Bel Edwards, Governor of Louisiana, has issued a state of emergency after a wave of ransomware attacks hit school districts. The Emergency Declaration allows Louisiana’s cybersecurity experts to assist local governments in securing their network systems.

Watchbog Exploits Jira and Exim Vulnerabilities to Infect Linux Servers With Cryptocurrency Miner

Threat actors are targeting Linux servers with vulnerable software, namely the software development and project management tool Jira and the message transfer agent Exim, using a variant of the Watchbog trojan, which drops a Monero miner to expand their botnet operations. 

Are you prepared for Windows Server 2008 to reach end of support in January 2020? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


Will XDR Improve Security?

Cybercriminals and malicious hackers have been shifting their tactics, techniques, and procedures (TTPs) to improve their ability to infiltrate an organization and stay under the radar of security professionals and solutions. Moving to more targeted attack methods appears to be a mainstay among threat actors, which requires organizations to improve their visibility into the entire attack lifecycle. Gone are the days in which these attacks only target the endpoint, and as such, an expanded connected threat defense is paramount.

Many organizations have been adopting EDR (Endpoint Detection & Response) as a way to obtain more data about attacks on the endpoint. But as we’ve seen with even ransomware actors, the endpoint is being targeted less. Rather, attacks are laterally moving within an organization to find critical systems that will allow them to increase their chance of the organization paying the ransom. (See my recent webinar on trends in ransomware.)

This means the actors behind many financially motivated and targeted attacks will move across the network, and their tracks will be left in other areas of the network, not just on the endpoint. Expanding EDR to include other areas is the definition of XDR. The X could be network data, email or web data, data from cloud instances, and others. This would allow an organization to get visibility into the entire attack lifecycle, including infiltration, lateral movement, and exfiltration. This will improve the organization’s ability to prevent critical data exfiltration or the compromise of critical systems within their network.

The ability to do this requires a number of key components:

  1. A security vendor who has solutions across the entire network, including cloud, gateway (email & web), network, server, endpoint (includes mobile), and IoT/IIoT
  2. Support for threat intelligence and data analytics. This should be as automated as possible and should include 3rd party threat intelligence (i.e. CERT, ISAC, ISAO feeds)
  3. History of expertise in correlating multiple threat vectors and the use of AI and Machine Learning

This will require a major shift from traditional security practices, as many organizations have supported a best-of-breed approach, utilizing multiple vendors (some say 50-100 security applications on average within a large enterprise). Instead, the future is moving to a more consolidated approach with fewer vendors. Having multiple vendors for different areas of security results in silos and segmentation due to a lack of integration across the security industry, but XDR could bring a shift in this practice as it includes more support for 3rd party intelligence feeds.

Trend Micro has been innovating for 30 years and our breadth of security products allows us to successfully build an XDR solution. Also, our almost 15 years of investing in and building AI/Machine Learning technologies into our backend and frontend products will allow us to have the data analytics piece covered. Lastly, we have an extensive array of global threat intelligence that will allow us to ensure we can proactively detect and protect our customers.

Stay tuned for more information about this topic in upcoming blogs.


This Week in Security News: Unpatched Systems and Lateral Phishing

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about an attack against Elasticsearch that delivers backdoors as its payload. Additionally, read how cybercriminals are turning to hijacked accounts to perform lateral phishing attacks on organizations.

Read on:

Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’

Trend Micro spotted another attack against Elasticsearch that deviates from the usual profit-driven motive by delivering backdoors as its payload. These threats can turn affected targets into botnet zombies used in distributed-denial-of-service (DDoS) attacks.

Trend Micro Approved as an SLP Plus Endpoint Security Vendor

Trend Micro announced its endpoint security products are available for purchase via the California Software Licensing Program (SLP) Plus vehicle. This means government agencies don’t have to carry out a formal proof-of-concept or RFP to purchase, which will shorten sales cycles and ensure they benefit from security sooner.

Old Tools for New Money: URL Spreading Shellbot and XMRig Using 17-Year-Old XHide

Trend Micro detected a threat that propagates by scanning for open ports and brute forcing weak credentials, installing a Monero cryptocurrency miner and a Perl-based IRC backdoor that is capable of scanning for open ports, downloading files, executing UDP floods, and remotely executing shell commands. The miner process is hidden using XHide Process Faker, a 17-year old open source tool used to fake the name of a process.

Zuckerberg Promises ‘Completely New Standard’ for Privacy Following FTC Fine

The Federal Trade Commission formally approved a record $5 billion settlement with Facebook over the company’s privacy policies, requiring the company to establish a new board committee on privacy and making CEO Mark Zuckerberg report each quarter to the FTC on how the company is taking steps to protect consumer privacy.

Hackers Exploit ERP App Flaw for Fraudulent Accounts in 62 Colleges, Universities

The U.S. Department of Education released a security alert after 62 higher education institutions were reportedly infiltrated via Ellucian, an enterprise resource planning web app, and the attackers hijacked students’ IDs to create fraudulent accounts.

Equifax Exposed 150 Million Americans’ Personal Data. Now it Will Pay Up to $700 million

Equifax Inc. has reached a deal to pay up to $700 million to a slew of state and federal regulators to settle probes stemming from a 2017 data breach that exposed nearly 150 million Americans’ Social Security numbers and other sensitive personal information.

Cybercriminals Going After Office 365 Administrators, Using Hijacked Accounts to Perform Phishing Attacks

Cybercriminals have recently been sending phishing emails specifically targeting Microsoft Office 365 administrators to gain administrative control over an organization’s Office 365 domain and accounts. Additionally, they’ve been turning to hijacked accounts to perform phishing attacks — a technique called lateral phishing.

Cybercrime and Exploits: Attacks on Unpatched Systems

Cybercriminals exploiting unpatched system vulnerabilities continue to be one of the top reasons enterprises suffer unauthorized intrusions. Trend Micro compiled some of the most destructive cyberattacks and data breaches over the past few years, showing that failing to patch systems with the latest security updates can inflict a costly amount of damage, making the time it takes to patch systems worth it.

A Hacker Broke into Bulgaria’s Tax System and Stole the Details of Every Working Adult in the Country

A hacker broke into Bulgaria’s largest tax database and stole the financial details of every working adult in the country before releasing them online. In their search for the perpetrator, police arrested 20-year-old Kristian Boykov, charging him with committing a computer crime against critical infrastructure.

FIN8 Reemerges with New PoS Malware Badhatch

Security researchers found threat group FIN8 reappearing after two years with a new point-of-sale (PoS) malware named Badhatch, which is designed to steal credit card information. Badhatch features capabilities that allow it to scan for victim networks, provide attackers with remote access, install a backdoor, and deliver other modified malware payloads such as PoSlurp and ShellTea.

Do you trust organizations to patch system vulnerabilities in a timely manner? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


This Week in Security News: Spam Campaigns and Mobile Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a mobile malware that infects Android devices by exploiting the vulnerabilities found within the operating system. Also, read about a recent spam campaign that targets entities using a disposable email address service for its command and control server.

Read on:

iOS URL Scheme Susceptible to Hijacking

Abuse of Apple’s URL Scheme, a feature that allows developers to launch apps on an iOS device through URLs, can potentially result in the loss of privacy, bill fraud, exposure to pop-up ads and more.

Spam Campaign Targets Colombian Entities with Custom-made ‘Proyecto RAT,’ Uses Email Service YOPmail for C&C

Trend Micro observed a recent spam campaign that targets Colombian entities using YOPmail, a disposable email address service, for its command and control server (C&C). The payload, written in Visual Basic 6, is a customized version of a remote access tool called “Proyecto RAT.”

Trend Micro’s Deep Security as a Service Now Available on the Microsoft Azure Marketplace

Trend Micro announced the availability of its cloud solution Deep Security as a Service on the Microsoft Azure Marketplace, enabling organizations to combine the benefits of security software-as-a-service with the convenience of consolidated cloud billing and usage-based, metered pricing.

SLUB Gets Rid of GitHub, Intensifies Slack Use

Trend Micro discovered a new version of the SLUB malware that has stopped using GitHub to communicate, heavily using Slack instead via two free workspaces that Slack has since shut down.

Jenkins Admins: Relying on Default Settings Could Put Master at Risk of Remote Code Execution Attacks

Trend Micro observed that a Jenkins user account with less privilege can gain administrator rights over the automation server if jobs are built on the master machine (i.e. the main Jenkins server), a setup enabled by default.

FTC Approves Roughly $5 Billion Facebook Settlement

The Federal Trade Commission has endorsed a roughly $5 billion settlement with Facebook over a long-running probe into the tech giant’s privacy violations such as the Cambridge Analytica scandal, causing immediate concern from some politicians.

GandCrab Threat Actors Possibly Behind Sodinokibi Ransomware

Various security researchers reported that the ransomware-as-a-service (RaaS) threat actors behind GandCrab might be responsible for releasing a more advanced ransomware variant called Sodinokibi.

Agent Smith Malware Infecting Android Apps, Devices for Adware

Agent Smith, a new kind of mobile malware, has been found infecting Android devices by exploiting the vulnerabilities found within the operating system (OS) to replace installed apps with malicious versions without the user knowing.

Sprint Says Hackers Breached Customer Accounts Via Samsung Website

US mobile network operator Sprint said hackers broke into an unknown number of customer accounts via the “add a line” website, giving them access to personal information such as phone numbers, account numbers, billing addresses and more.

Report: Average BEC Attacks Per Month Increased by 120% from 2016 to 2018

According to the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN), the total amount that cybercriminals attempted to steal via business email compromise (BEC) scams rose to an average of $301 million per month — a substantial increase from the $110 million monthly average in 2016.

U.S. Mayors Take Stand Against Ransomware Payments

As ransomware becomes an increasing problem for local governments with 22 attacks in 2019 alone, U.S. mayors took a firm stand against paying ransom to hackers in their resolutions at the U.S. Conference of Mayors.

Another 2.2 Million Patients Affected by AMCA Data Breach

Clinical Pathology Laboratories (CPL) says 2.2 million patients may have had their names, addresses, phone numbers, and other personal information stolen because of the AMCA data breach.

Fake Invoices Used by BEC Scammers to Defraud Griffin City, Georgia of Over US$800,000

The government of the City of Griffin, Georgia lost over $800,000 to a business email compromise (BEC) scam when BEC operators posed as its vendor P.F. Moon to reroute funds in two separate transactions to a fraudulent bank account.

Cloud-Based IoT Solutions: Responding to Traditional Limits and Security Concerns

In the face of challenges brought about by the expansion of the Internet of Things (IoT) – a trend that is expected to be amplified in the 5G era – many organizations have turned to cloud-based IoT solutions that can respond to organizations’ needs when it comes to integration, processing, scalability and security.

Were you surprised by the increase in business email compromise attempts from 2016 to 2018? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.


This Week in Security News: Banking Malware and Phishing Campaigns

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the banking malware Anubis that has been retooled for use in fresh attack waves. Also, read about a new phishing campaign that uses OneNote audio recordings to fool email recipients.

Read on:

New Miori Variant Uses Unique Protocol to Communicate with C&C

A Mirai variant called Miori recently reappeared, though it has departed from the usual binary-based protocol and instead uses a text-based protocol to communicate with its command-and-control (C&C) server.

Anubis Android Malware Returns with Over 17,000 Samples

The attacker behind the malware Anubis has retooled it, changing its use from cyberespionage to banking malware, combining information theft and ransomware-like routines. Trend Micro recently discovered 17,490 new samples of Anubis on two related servers.  

DevOps Will Fail Unless Security and Developer Teams Communicate Better

According to a Trend Micro survey of IT leaders, DevOps initiatives have become important for 74 percent of organizations over the past year, but communication must improve for DevOps to be successful.

July’s Patch Tuesday Fixes Critical Flaws in Microsoft Edge and Internet Explorer, Including 2 Exploited Vulnerabilities

Microsoft’s July Patch Tuesday release includes updates for almost 80 vulnerabilities, along with two advisories. Other flaws in Azure Automation, Docker, DirectWrite, DirectX, SymCrypt, Windows DNS Server, and Windows GDI have also been resolved.

Nexus Repository Manager Vulnerabilities CVE-2019-9629 and CVE-2019-9630 Could Expose Private Artifacts

Two vulnerabilities were uncovered in Sonatype’s Nexus Repository Manager (NXRM), an open-source governance platform used by DevOps professionals for component management. The vulnerabilities result from the poor configuration of the repository manager’s default settings.

British Airways Faces Record £183m Fine for Data Breach

British Airways is facing a record fine of £183m for last year’s breach of its security systems when details of about 500,000 customers were harvested by attackers through a fraudulent site.

Powload Loads Up on Evasion Techniques

By sifting through six months’ worth of data covering over 50,000 samples from the Trend Micro Smart Protection Network infrastructure, Trend Micro gained insight into how Powload, a cybercrime staple, has incorporated new techniques to increase its effectiveness, especially in its ability to hide from detection.

Microsoft Discovers Fileless Malware Campaign Dropping Astaroth Info Stealer

The Microsoft Defender ATP Research Team released a report covering a malware campaign that dropped the Astaroth trojan into the memory of infected computers by using fileless distribution techniques to hide its activities from security solutions.

New Phishing Campaign Uses OneNote Audio to Lure Users to Fake Microsoft Login Page

In a new phishing campaign reported by Bleeping Computer, audio recordings purportedly shared via OneNote were used as a lure to lead email recipients to a fake Microsoft login page that steals user account credentials.

Zoom Flaw Turns Mac Cam into Spy Cam

A security researcher has found a flaw in the popular video conferencing app Zoom that allows any website to forcibly join a visitor to a Zoom call, with their video camera activated, without the user's permission.

New Godlua Backdoor Found Abusing DNS Over HTTPS (DoH) Protocol

A newly discovered backdoor malware dubbed Godlua was found infecting outdated Linux systems through a vulnerability in Atlassian Confluence Server and using them to conduct DDoS attacks. It retrieves its command-and-control information over DNS over HTTPS (DoH), which keeps those lookups out of conventional DNS traffic monitoring.

Where Will Ransomware Go in The Second Half Of 2019?

Based on the latest trends, Trend Micro predicts the threat of ransomware will grow in the second half of 2019 and will continue to shift and change over the coming years.

Migrating Network Protection to the Cloud with Confidence

Trend Micro’s Cloud Network Protection is the first transparent, in-line network security offering for AWS customers: simple to deploy and manage, cloud-ready and leveraging industry leading expertise in network threat protection.

Marriott Faces $123 Million GDPR Fine in the UK for Last Year’s Data Breach

The UK’s Information Commissioner’s Office (ICO) intends to impose a fine of £99,200,396 ($123,705,870) on international hotel chain Marriott for last year’s data breach that impacted 383 million people.

eCh0raix Ransomware Found Targeting QNAP Network-Attached Storage Devices

A newly uncovered ransomware family called eCh0raix, designed for targeted ransomware attacks similar to how Ryuk or LockerGoga were used, is now targeting QNAP network-attached storage (NAS) devices.

Which newly discovered ransomware did you find most interesting this week? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.



Where Will Ransomware Go In The Second Half Of 2019?

Ransomware has been an evolutionary malware family that continues to shift and change over the years. From the first fakeAV, to police ransomware, to the now oft-used crypto-ransomware, this threat just will not go away. Based on the latest trends, we predict this threat will grow in the second half of this year.

At Trend Micro, we’ve been following and tracking the data around ransomware for years. Here are some of the changes we’ve been seeing:


Year-Over-Year Ransomware Detections from Trend Micro™ Smart Protection Network™

  Year               Detections
  2016            1,078,091,703
  2017              631,128,278
  2018               55,470,005
  2019 (Jan-May)     43,854,210

Year-Over-Year Number of New Ransomware Families

  Year               New families
  2016               247
  2017               327
  2018               222
  2019 (Jan-May)      44

You can see that ransomware actors were very busy in 2016 and 2017 both in launching attacks and in the development of new families and variants of ransomware. In 2018, we had a drop in both figures, which could be due to a number of factors:

  1. Improved practices within organizations to recover from attacks (e.g. backup and recovery)
  2. Improved detection technologies within the security industry (e.g. machine learning that can proactively detect new families and variants)

However, the first half of 2019 has brought several very high-profile, successful ransomware attacks against organizations, with some victims paying large ransoms and others taking weeks to months to recover. These attacks show that we still need to be very vigilant in protecting networks against this threat.

Trend Micro publishes a predictions report each year to help organizations understand what might occur, and while we did this for 2019, I would like to give you some ideas on where ransomware might go in the second half of 2019 as this threat seems to change very often. Let’s look at the different areas of the ransomware attack lifecycle and what we may see for the rest of the year.

Identifying a Victim

Ransomware actors are becoming much more targeted in selecting the victims they attack, a direct response to the two factors above that drove the 2018 drop. Actors now look for organizations that are more likely to fall for an attack and also more likely to pay a higher ransom. Below are the industries we saw targeted most in the first half of 2019:

Government, manufacturing, and healthcare are the top 3 industries actors seem to be targeting more than any other. Ransomware actors will also do open source intelligence (OSINT) about each targeted victim to build a profile of them to identify the best way to successfully attack them. There are a number of reasons for this selection and OSINT process:

  • The organization's business model, and how affecting its critical systems could cause public reputational damage
  • Whether it has critical systems that ransomware can take offline, which makes it more likely to pay the ransom
  • Whether its security posture and processes are adequate or can be taken advantage of

In the second half of 2019, actors will look to diversify into more industries that have critical business systems that could be compromised. This might include the legal, energy and critical infrastructure, transportation, and distribution industries.

Once they decide on a victim, they then identify the ways to initially infect the organization. This is the area that changes most depending on the actors behind the threat.

Initial Infection

A number of shifts have occurred in this area over time, and this will likely continue to change. Recently we've seen the actors using phishing, malvertising, malicious webpages, exploits and exploit kits to infect an organization. They will continue to go after an organization through its employees, as this still appears to be their best option. But in the second half of 2019 I see the following scenario occurring:

  1. Ransomware actors will improve their ability to craft socially engineered attacks against employees through their OSINT gathering.
  2. We will see increased use of stolen credentials (e.g. RDP account credentials) that are sold in the underground.
  3. Manual lateral movement and the use of hacking tools will allow the actors to find the critical systems they need to compromise to make attacks successful.
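The second and third steps above leave a trail in Windows Security logs: a successful RDP logon (Event ID 4624, LogonType 10) from an address the account has no business coming from, followed by network logons (LogonType 3) fanning out to many hosts in a short window. The following is an added example, not code from the original post or from Trend Micro, that turns those two observations into detection logic over constructed sample events. The event ID and logon-type meanings are real Windows values; the records, the internal address ranges, the 30-minute window and the three-host threshold are assumptions for the illustration.

```python
# Added example (not from the original post): flag RDP logons that look like use
# of stolen credentials, then the host fan-out that looks like manual lateral
# movement, over constructed Windows Security 4624 records.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

EVENT_LOGON_SUCCESS = 4624
LOGON_NETWORK = 3   # LogonType 3: SMB admin shares, WMI, PsExec-style tooling
LOGON_RDP = 10      # LogonType 10: RemoteInteractive, i.e. RDP

# Assumed corporate address space; an RDP logon from anywhere else is "external".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample events. "host" is the machine that logged the event (for
# LogonType 3 that is the target of the logon). External IP is from the
# 203.0.113.0/24 documentation range.
EVENTS = [
    {"time": "2019-07-08T09:02:11", "event_id": 4624, "logon_type": 10, "user": "jsmith", "host": "WS-0142", "src_ip": "10.20.3.17"},
    {"time": "2019-07-08T09:05:40", "event_id": 4624, "logon_type": 3, "user": "jsmith", "host": "FS-01", "src_ip": "10.20.3.17"},
    {"time": "2019-07-08T10:00:00", "event_id": 4624, "logon_type": 3, "user": "mlee", "host": "FS-01", "src_ip": "10.20.4.9"},
    {"time": "2019-07-08T15:00:00", "event_id": 4624, "logon_type": 3, "user": "mlee", "host": "PRINT-01", "src_ip": "10.20.4.9"},
    {"time": "2019-07-09T02:14:53", "event_id": 4624, "logon_type": 10, "user": "svc_backup", "host": "JUMP-01", "src_ip": "203.0.113.44"},
    {"time": "2019-07-09T02:21:05", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "host": "FS-01", "src_ip": "10.20.1.5"},
    {"time": "2019-07-09T02:24:40", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "host": "DC-01", "src_ip": "10.20.1.5"},
    {"time": "2019-07-09T02:31:12", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "host": "SQL-01", "src_ip": "10.20.1.5"},
    {"time": "2019-07-09T02:37:58", "event_id": 4624, "logon_type": 3, "user": "svc_backup", "host": "HR-APP", "src_ip": "10.20.1.5"},
]


def external_rdp_logons(events, internal_nets=INTERNAL_NETS):
    """Successful RDP logons whose source address is outside the internal ranges."""
    hits = []
    for e in events:
        if e["event_id"] != EVENT_LOGON_SUCCESS or e["logon_type"] != LOGON_RDP:
            continue
        src = ip_address(e["src_ip"])
        if any(src in net for net in internal_nets):
            continue
        hits.append((e["user"], e["host"], e["src_ip"], e["time"]))
    return hits


def lateral_fanout(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts with network logons to at least min_hosts distinct hosts inside one window.

    Returns {user: sorted list of hosts in the largest such window}.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == EVENT_LOGON_SUCCESS and e["logon_type"] == LOGON_NETWORK:
            by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        best = set()
        for t_end, _ in logons:  # slide the window so it ends at each logon
            hosts = {h for t, h in logons if t_end - window <= t <= t_end}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            flagged[user] = sorted(best)
    return flagged


def suspicious_accounts(events):
    """Accounts that show both signals: external RDP entry and host fan-out afterwards."""
    rdp_users = {user for user, _, _, _ in external_rdp_logons(events)}
    return sorted(rdp_users & set(lateral_fanout(events)))


if __name__ == "__main__":
    print("external RDP:", external_rdp_logons(EVENTS))
    print("fan-out:", lateral_fanout(EVENTS))
    print("both signals:", suspicious_accounts(EVENTS))
```

In the sample, jsmith and mlee behave normally while svc_backup logs in over RDP from an external address at 02:14 and then touches four servers in under twenty minutes, so only that account trips both rules. In a real deployment the records would come from a SIEM or log shipper rather than a list, and the baseline for "external" should be per account (a service account that never uses RDP at all is a stronger signal than the address), but the two-stage shape, entry signal then movement signal, is what makes the alert actionable before the encryption stage.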

Obfuscation Techniques

As mentioned above, ransomware has been detected more effectively recently due to advances in machine learning and behavior monitoring technologies deployed across the network. As such, the actors have to improve their obfuscation of the malware to ensure it cannot be detected by today’s security applications.

We've been seeing improved anti-sandbox, anti-machine learning, fileless, and other techniques used in the past, and moving forward we will see advances in all of these areas. The use of compromised legitimate software, including software from security vendors themselves, will also continue as a method to circumvent security measures. As we saw recently with a compromised MSP, one company's direct access to multiple organizations' networks can also be leveraged for attacks. Stolen certificates will also be used to sign malware to make it look legitimate.

I expect ransomware actors will continue to target high value, high quality victims in 2H’19, and as such, all organizations need to be vigilant in protecting against this threat. Unless we can ensure no ransoms are paid, we will see this threat persist. Improving your organization’s ability to detect, respond, and recover from any ransomware will help us minimize this threat moving forward.  For more information on the latest trends in ransomware, you can watch my June 2019 Threat Webinar Series that covers the recent trends in ransomware.

Trend Micro will publish our 2020 predictions report later this year, but until then, stay rigorous in your defense against ransomware.


This Week in Security News: Malvertising and Internet of Things Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a new Internet of Things malware that’s bricked thousands of devices. Also, read about a ransomware family that’s using malvertising to direct victims to a RIG exploit kit.

Read on:


Shadowgate Returns to Worldwide Operations with Evolved Greenflash Sundown Exploit Kit

After almost two years of sporadic restricted activity, the ShadowGate campaign has started delivering cryptocurrency miners with a newly upgraded version of the Greenflash Sundown exploit kit, which has been spotted targeting global victims after primarily operating in Asia. 

Silex Malware Bricks IoT Devices with Weak Passwords

A new Internet of Things malware called Silex only operated for about a day, though it has already managed to quickly spread and wipe devices’ firmware, bricking thousands of IoT devices. 

Top Takeaways from AWS Security Chief Stephen Schmidt at re:Inforce 2019

Stephen Schmidt's keynote address at AWS re:Inforce touched on the current state of cloud security, building a security culture, tactical security tips and a road map of where the industry and technology are headed. 

AWS re:Inforce Warm-Up Episode

Mark Nunnikhoven gives key predictions and insights into trends at AWS re:Inforce, security in the top three major public cloud providers and the evolution of the cloud industry as a whole. 

Dell Urges Millions of Users to Patch Vulnerability in SupportAssist Tool

Dell released a security advisory that implored customers to update the vulnerable SupportAssist application in both business and home machines. The privilege escalation vulnerability can give hackers access to sensitive information and control over millions of Dell computers running Windows.

HTTPS Protocol Now Used in 58% of Phishing Websites

According to the Q1 2019 report from the Anti-Phishing Working Group (APWG), the share of phishing sites served over HTTPS has kept rising and now stands at 58%, so a padlock in the address bar says nothing about whether a site is legitimate.

Federal Cybersecurity Defenses are Critical Failures, Senate Report Warns

A 10-month review of 10 years of inspector general reports revealed that several Federal agencies responsible for safeguarding millions of Americans’ security, public safety and personal data have failed to apply even basic defenses to cyberattacks.

Kubernetes Vulnerability CVE-2019-11246 Discovered Due to Incomplete Updates from a Previous Flaw

Kubernetes announced the discovery of a high-severity vulnerability in the kubectl cp command that, if exploited, allows a malicious container to use directory traversal to create or replace files on the user's workstation. 
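The bug class here is archive path traversal: a tool unpacks a tar stream that the other side controls, and member names or link targets point outside the destination directory. The blurb also notes this CVE exists because an earlier fix was incomplete, which is the usual story with this class, since checking file names alone leaves link targets unchecked. The following is an added example, not code from the original roundup or from the Kubernetes project: an extraction-side filter that rejects both escape routes, run over a constructed in-memory archive.

```python
# Added example (not kubectl's code): reject tar members that would escape the
# extraction directory, by file name or by symlink/hardlink target.
import io
import posixpath
import tarfile


def _escapes(path):
    """True if a normalized relative path climbs above the extraction root."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) or norm == ".." or norm.startswith("../")


def escape_reason(member):
    """Return why this member must not be extracted, or None if it is safe."""
    if _escapes(member.name):
        return "absolute or parent-relative member name"
    if member.isdev():
        return "device node"
    if member.islnk():
        # Hard link targets are relative to the archive root.
        if _escapes(member.linkname):
            return "hard link target escapes destination"
    if member.issym():
        # Symlink targets are relative to the symlink's own directory.
        if posixpath.isabs(member.linkname):
            return "absolute symlink target"
        resolved = posixpath.join(posixpath.dirname(member.name), member.linkname)
        if _escapes(resolved):
            return "symlink target escapes destination"
    return None


def audit(archive_bytes):
    """Split an archive into (accepted member names, {rejected name: reason})."""
    accepted, rejected = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            reason = escape_reason(member)
            if reason is None:
                accepted.append(member.name)
            else:
                rejected[member.name] = reason
    return accepted, rejected


def build_archive(entries):
    """Build a tar in memory from constructed entries: ("file", name, bytes) or ("symlink", name, target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for kind, name, payload in entries:
            info = tarfile.TarInfo(name)
            if kind == "file":
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
            else:
                info.type = tarfile.SYMTYPE
                info.linkname = payload
                tar.addfile(info)
    return buf.getvalue()


# Constructed sample: what a hostile container might hand back when a client
# asks it to tar up a directory. Only the first and last entries are honest.
SAMPLE_ARCHIVE = build_archive([
    ("file", "pod-data/report.txt", b"quarterly numbers\n"),
    ("file", "../../.ssh/authorized_keys", b"ssh-rsa AAAA... attacker\n"),
    ("file", "/etc/cron.d/backdoor", b"* * * * * root /tmp/x\n"),
    ("symlink", "pod-data/home", "../../../home/victim"),
    ("file", "pod-data/../../escape.txt", b"normalization matters\n"),
    ("symlink", "pod-data/notes", "report.txt"),
])

if __name__ == "__main__":
    ok, bad = audit(SAMPLE_ARCHIVE)
    print("accepted:", ok)
    for name, why in bad.items():
        print(f"rejected {name!r}: {why}")
```

Two design points worth noting. Names are normalized before the check, so `pod-data/../../escape.txt` is caught even though it does not start with `..`, and symlinks are resolved relative to their own directory rather than the archive root, which is where a name-only check goes wrong. A filter like this still does not cover a file written through a symlinked directory that an earlier member created; a full extractor has to re-check each destination against the real on-disk path as it goes, which is what Python 3.12's `tarfile` extraction filters (`filter="data"`) do.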

The IIoT Attack Surface: Threats and Security Solutions

Many manufacturing factories and energy plants have hundreds of IIoT devices that help streamline operations, but those facilities now also have to defend against new threats that take advantage of attack vectors and weaknesses in the technology. 

Facebook’s Bid to Quash Data Breach Lawsuit Dismissed by Judge

Facebook has failed in its attempt to prevent a lawsuit over a data breach impacting close to 30 million users from going to trial. A federal appeals court in San Francisco rejected the social media giant’s request to dismiss the court case out of hand.

Sodinokibi Ransomware Group Adds Malvertising as Delivery Technique

Attackers behind a ransomware family called Sodinokibi have used a variety of delivery vectors since April: malicious spam, vulnerable servers, managed service providers (MSPs) and now malvertising. The malicious advertisements were on the PopCash ad network, and under certain conditions they redirected users to the RIG exploit kit. 

CVE-2019-8635: Double Free Vulnerability in Apple macOS Lets Attackers Escalate System Privileges and Execute Arbitrary Code

Trend Micro discovered and disclosed a double free vulnerability in macOS that, if successfully exploited, allows an attacker to escalate privileges and execute malicious code on the system as root.

Using Whitelisting to Remediate an RCE Vulnerability (CVE-2019-2729) in Oracle WebLogic

Trend Micro took a closer look at Oracle’s recent vulnerability CVE-2019-2729 to see how this class of vulnerability has been remediated — particularly via blacklisting or whitelisting — and why it has become a recurring security issue.

95,000 Delawareans Impacted in Data Breach that Lasted Nearly Nine Years

The personal data of roughly 95,000 Delawareans may have been compromised in a nine-year security breach at Dominion National, a large vision and dental insurer, according to Delaware’s Department of Insurance.

Do you feel that the IoT devices in your home are well-protected against cyberattacks? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay. 


This Week in Security News: Cyberespionage Campaigns and Botnet Malware

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a cyberespionage campaign targeting Middle Eastern countries and a botnet malware that infiltrates containers via exposed Docker APIs.

Read on:

Hackers Are After Your Personal Data – Here’s How to Stop Them

The latest FBI Internet Crime Complaint Center (IC3) report paints an accurate picture of the scale of online threats and shows that consumers need to take urgent steps to protect their most sensitive identity and financial data from online attackers.

Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East

Trend Micro uncovered a cyberespionage campaign targeting Middle Eastern countries and named it “Bouncing Golf” based on the malware’s code in the package named “golf.” 

Trend Micro Partners with VIVOTEK to Enhance IP Cameras Security

Trend Micro announced it has blocked 5 million attempted cyberattacks against IP cameras in just five months. Through its strategic partnership with VIVOTEK, Trend Micro’s IoT security solutions are embedded in globally deployed IP cameras to provide superior protection.

AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs

Trend Micro details an attack type where an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community allows attackers to infiltrate containers and run a variant of the Linux botnet malware AESDDoS.

Ransomware Repercussions: Baltimore County Sewer Charges, 2 Medical Services Temporarily Suspended

A ransomware attack in May prevented the Baltimore City and County governments from mailing the annual water and sewage tax bills to its residents due to unverifiable accounts of abnormally low or no water consumption in 2018. 

Hackers Have Carried Out 12 Billion Attacks Against Gaming Sites in 17 Months

Hackers have targeted the gaming industry by carrying out 12 billion credential stuffing attacks against gaming websites in 17 months, according to a new report by internet delivery and cloud services company Akamai. 

Critical Linux and FreeBSD Vulnerabilities Found by Netflix, Including One That Induces Kernel Panic

A Netflix researcher uncovered four critical vulnerabilities within the TCP implementations on Linux and FreeBSD kernels that are related to the minimum segment size (MSS) and TCP Selective Acknowledgement (SACK) capabilities. 

New Oracle WebLogic Zero-day Vulnerability Allows Remote Attacks Without Authentication

Oracle published an out-of-band security alert advisory on CVE-2019-2729, a zero-day deserialization vulnerability that could allow remote attackers to execute arbitrary code on targeted servers.

Xenotime, Hacking Group Behind Triton, Found Probing Industrial Control Systems of Power Grids in the US

The hacking group, Xenotime, behind intrusions targeting facilities in oil and gas industries has started probing industrial control systems (ICSs) of power grids in the U.S. and the Asia-Pacific region, researchers reported.

Data Breach Forces Medical Debt Collector AMCA to File for Bankruptcy Protection

US medical bill and debt collector American Medical Collection Agency (AMCA) has filed for bankruptcy protection in the aftermath of a disastrous data breach that resulted in the theft of information from clients including Quest Diagnostics, LabCorp, BioReference Laboratories and more.

Cryptocurrency Mining Botnet Arrives Through ADB and Spreads Through SSH

Trend Micro observed a new cryptocurrency mining botnet that arrives via open ADB (Android Debug Bridge) ports and can spread from an infected host to any system that has had a previous SSH connection with the host.

Hacker Groups Pounce on Millions of Vulnerable Exim Servers

Multiple groups are launching attacks against exposed Exim mail servers, trying to exploit a vulnerability that could give them permanent root access.

Florida City to Pay $600K Ransom to Hacker Who Seized Computer Systems Weeks Ago

Riviera Beach is paying $600,000 in Bitcoins to a hacker who took over local government computers after an employee clicked on a malicious email link three weeks ago.

Are you up-to-date on the best ways to lower the risk of hackers accessing your personal data? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.
