Author Archives: Jon Clay (Global Threat Communications)

This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree

week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about a watering hole campaign Trend Micro dubbed ‘Operation Earth Kitsune’ that is spying on users’ systems through compromised websites. Also, read about how APT groups are threatening DDoS attacks against victims if they don’t send them bitcoin.

Read on:

Fancy Bear Imposters Are on a Hacking Extortion Spree

Radware recently published extortion notes that were sent to a variety of companies globally. The senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The notes threaten that if the target doesn’t send bitcoin, powerful distributed denial of service (DDoS) attacks will be launched against the victim. Robert McArdle, Trend Micro’s director of our Forward-Looking Threat Research (FTR) team, comments on DDoS as an extortion method.

A Ride on Taiwan’s Self-Driving Bus

The self-driving bus is now being tested on the streets of downtown Taipei and more autonomous buses are being deployed in other places, including Germany, Japan and Canada. Since connected cars are still a relatively new technology, the dangers of these vehicles are unknown and mostly speculated. In this article, Trend Micro discusses potential security implications of these connected vehicles.

 U.S. Charges Russian Intelligence Officers in Major Cyberattacks

This week, the Justice Department unsealed charges accusing six Russian military intelligence officers of an aggressive worldwide hacking campaign that caused mass disruption and cost billions of dollars by attacking targets like a French presidential election, the electricity grid in Ukraine and the opening ceremony of the 2018 Winter Olympics.

 Operation Earth Kitsune: Tracking SLUB’s Current Operations

A watering hole campaign that Trend Micro has dubbed as Operation Earth Kitsune is spying on users’ systems through compromised websites. Using SLUB and two new malware variants, the attacks exploit vulnerabilities including those of Google Chrome and Internet Explorer.

Cybersecurity Company Finds Hacker Selling Info on 186 Million U.S. Voters

Trustwave says it found a hacker selling personally identifying information of more than 200 million Americans, including the voter registration data of 186 million. The revelation underscored how vulnerable Americans are to email targeting by criminals and foreign adversaries, even as U.S. officials announced that Iran and Russia had obtained voter registration data and email addresses with an eye toward interfering in the 2020 election.

Future Imperfect

In 2012, Trend Micro, the International Cyber Security Protection Alliance (ICSPA) and Europol’s European Cyber Crime Centre (EC3) collaborated on a white paper that imagined the technological advances of the coming 8 years, the societal and behavioral changes they may bring and the opportunities for malfeasance they could present. As we enter the 2020s, we now have the opportunity to objectively review the project against a number of success factors.

WordPress Deploys Forced Security Update for Dangerous Bug in Popular Plugin

WordPress sites running Loginizer, one of today’s most popular WordPress plugins with an install base of over one million sites, were forcibly updated this week to Loginizer version 1.6.4. This version contained a security fix for a dangerous SQL injection bug that could have allowed hackers to take over WordPress sites running older versions of the Loginizer plugin.

Just Leave That Docker API on the Front Porch, No One Will Steal It

Recently, a new type of Linux malware named “DOKI” has been discovered exploiting publicly accessible Docker API’s hosted in all major cloud providers. The manner in which threat actors are gaining access to container environments is a previously discovered technique, but the DOKI malware is something that has not been documented until now.

Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio

Adobe has released 18 out-of-band security patches in 10 different software packages, including fixes for critical vulnerabilities that stretch across its product suite. Two of the issues are out-of-bounds read flaws, (CVE-2020-24409, CVE-2020-24410); one is an out-of-bounds write bug (CVE-2020-24411). Tran Van Khang, working with Trend Micro Zero Day Initiative, is credited for the discoveries.

US Treasury Department Ban on Ransomware Payments Puts Victims in Tough Position

This month, the US Treasury Department’s Office of Foreign Assets Control (OFAC) warned organizations making ransomware payments that they risk violating economic sanctions imposed by the government against cybercriminal groups or state-sponsored hackers. The advisory has the potential to disrupt the ransomware monetization model, but also puts victims, their insurers and incident response providers in a tough situation.

What are your thoughts on the sanctions imposed by the government against cybercriminal groups or state-sponsored hackers?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Watering Hole Campaign Operation Earth Kitsune Spying on Users’ Systems and Fancy Bear Imposters Are on a Hacking Extortion Spree appeared first on .

This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals are passing the time during the COVID-19 pandemic with online poker games, where the prizes include stolen data. Also, read about how VirusTotal now supports Trend Micro ELF Hash (aka telfhash).

 

Read on:

Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles

Cybercriminals have put their own spin on passing time during the COVID-19 lockdown with online rap battles, poker tournaments, poem contests, and in-person sport tournaments. The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.

Becoming an Advocate for Gender Diversity: Five Steps that Could Shape Your Journey

Sanjay Mehta, senior vice president at Trend Micro, was recently named a new board member at Girls In Tech—a noted non-profit and Trend Micro partner working tirelessly to enhance the engagement, education, and empowerment of women in technology. In this blog, Sanjay shares five steps that you can use to become an ally for diversity in the workplace.

October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

In this month’s Patch Tuesday update, Microsoft pushed out fixes for 87 security vulnerabilities – 11 of them critical – and one of those is potentially wormable. There are also six bugs that were previously unpatched but publicly disclosed, which could give cybercriminals a leg up — and in fact at least one public exploit is already circulating for this group.

VirusTotal Now Supports Trend Micro ELF Hash

To help IoT and Linux malware researchers investigate attacks containing Executable and Linkable Format (ELF) files, Trend Micro created telfhash, an open-source clustering algorithm that helps cluster Linux IoT malware samples. VirusTotal has always been a valuable tool for threat research and now, with telfhash, users of the VirusTotal Intelligence platform can pivot from one ELF file to others.

New Emotet Attacks Use Fake Windows Update Lures

File attachments sent in recent Emotet campaigns show a message claiming to be from the Windows Update service, telling users that the Office app needs to be updated. Naturally, this must be done by clicking the Enable Editing button. According to the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world.

Metasploit Shellcodes Attack Exposed Docker APIs

Trend Micro recently observed an interesting payload deployment using the Metasploit Framework (MSF) against exposed Docker APIs. The attack involves the deployment of Metasploit’s shellcode as a payload, and researchers said this is the first attack they’ve seen using MSF against Docker. It also uses a small, vulnerability-free base image in order for the attack to proceed in a fast and stealthy manner.

Barnes & Noble Warns Customers It Has Been Hacked, Customer Data May Have Been Accessed

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. In the email to customers, Barnes & Noble says that it became aware that it had fallen victim to a cybersecurity attack on Saturday, October 10th.

ContentProvider Path Traversal Flaw on ESC App Reveals Info

Trend Micro researchers found ContentProvider path traversal vulnerabilities in three apps on the Google Play store, one of which had more than 5 million installs. The three applications include a keyboard customization app, a shopping app from a popular department store, and the app for the European Society of Cardiology (ESC). Fortunately, the keyboard and department store apps have both been patched by developers. However, as of writing this blog, the ESC app is still active.

Carnival Corp. Ransomware Attack Affects Three Cruise Lines

Hackers accessed personal information of guests, employees and crew of three cruise line brands and the casino operations of Carnival Corp. in a ransomware attack the company suffered on Aug. 15, officials have confirmed. Carnival Cruise Line, Holland America Line and Seabourn were the brands affected by the attack, which Carnival said they’re still investigating in an update on the situation this week.

Docker Content Trust: What It Is and How It Secures Container Images

Docker Content Trust allows users to deploy images to a cluster or swarm confidently and verify that they are the images you expect them to be. In this blog from Trend Micro, learn how Docker Content Trust works, how to enable it, steps that can be taken to automate trust validation in the continuous integration and continuous deployment (CI/CD) pipeline and limitations of the system.

Twitter Hackers Posed as IT Workers to Trick Employees, NY Probe Finds

A simple phone scam was the key first step in the Twitter hack that took over dozens of high-profile accounts this summer, New York regulators say. The hackers responsible for the July 15 attack called Twitter employees posing as company IT workers and tricked them into giving up their login credentials for the social network’s internal tools, the state’s Department of Financial Services said.

What is a DDoS Attack? Everything You Need to Know About Distributed Denial-of-Service Attacks and How to Protect Against Them

A distributed denial-of-service (DDoS) attack sees an attacker flooding the network or servers of the victim with a wave of internet traffic so big that their infrastructure is overwhelmed by the number of requests for access, slowing down services or taking them fully offline and preventing legitimate users from accessing the service at all. DDoS attacks are one of the crudest forms of cyberattacks, but they’re also one of the most powerful and can be difficult to stop.

Cyberattack on London Council Still Having ‘Significant Impact’

Hackney Council in London has said that a cyberattack earlier this week is continuing to have a “significant impact” on its services. Earlier this week, the north London council said it had been the target of a serious cyberattack, which was affecting many of its services and IT systems.

 

Surprised by the new Emotet attack?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Use Stolen Data and Hacking Tools as Prizes in Poker Games and Rap Battles and VirusTotal Now Supports Trend Micro ELF Hash appeared first on .

This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how cybercriminals secure their assets and survive in the business in a new Trend Micro report. Also, read about a how cybercriminals are tapping into Amazon’s Prime Day with phishing and malicious websites that are fraudulently using the Amazon brand.

Read on:

French Companies Under Attack from Clever BEC Scam

Trend Micro researchers observed a new modus operandi involving a clever BEC campaign that uses social engineering to target French companies. Malicious actors impersonated a French company in the metal fabrication industry that provides services to several organizations. They then registered a domain very similar to the legitimate one used by the business and used it to send emails to their targets. 

Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks

Cybercriminals are tapping into Amazon’s annual Prime Day with researchers warning of a recent spike in phishing and malicious websites that are fraudulently using the Amazon brand. There has been a spike in the number of new monthly phishing and fraudulent sites created using the Amazon brand since August, the most significant since the COVID-19 pandemic forced people indoors in March.

CSO Insights: DataBank’s Mark Houpt on Looking Beyond Securing Infrastructures in the New Normal

The big move to working remotely wasn’t completely difficult for Mark Houpt, CISO at DataBank. After all, he has been doing so since before COVID-19. However, when the pandemic hit, DataBank, like many other companies across the globe, had to help most of their employees transition securely and smoothly to virtual work. Read up on the several important security considerations this experience highlighted.

240+ Android Apps Caught Showing Out-of-Context Ads

This summer, Google removed more than 240 Android applications from the Play Store for showing out-of-context ads and breaking a newly introduced Google policy against this type of intrusive advertising. Out-of-context ads are mobile ads that are shown outside an app’s normal container and appear as pop-ups or as full-screen ads.

Safe and Smart Connections: Securing IoT Networks for Remote Setups

As a result of our work-from-home (WFH) arrangements, there is an increased demand on networks as remote operations have created greater dependence on the IoT. Subsequently, now is a good time to re-examine the security of your network. Rather than only focusing on securing individual devices that can compromise a network, users should also secure the network to minimize threats across several devices.

Inside the Bulletproof Hosting Business

The use of underground infrastructure is inherent to the modus operandi of a cybercriminal. In Trend Micro’s Underground Hosting series, it differentiates how cybercrime goods are sold in marketplaces and what kinds of services are offered. In this final part of the Underground Hosting report series, Trend Micro explores the methods criminals employ to secure their assets and survive in the business.

Comcast Voice Remote Control Could be Turned into Spying Tool

The Comcast XR11 voice remote controller was recently found to be vulnerable and could be turned into a spying tool that eavesdrops on users. Discovered by researchers at Guardicore, the attack has been named WarezTheRemote and is said to be a very serious threat, considering that the remote is used for over 18 million devices across the U.S.

Transforming IoT Monitoring Data into Threat Defense

In the first half of 2020, there was a 70% increase in inbound attacks on devices and routers compared to the second half of 2019, which included attacks on IoT systems. To protect customers effectively by continuously monitoring trends in IoT attacks, Trend Micro examined Mirai and Bashlite (aka Qbot), two notorious IoT botnet malware types, and shares the figures relating to these botnets’ command and control (C&C) servers, IP addresses, and C&C commands.

Russia’s Fancy Bear Hackers Likely Penetrated a Federal Agency

Last week the Cybersecurity and Infrastructure Security Agency published an advisory that hackers had penetrated a US federal agency. Now, clues uncovered by a researcher at cybersecurity firm Dragos and an FBI notification to hacking victims obtained by WIRED in July suggest that it was Fancy Bear, a team of hackers working for Russia’s GRU also known as APT28.

Threat Research & XDR Combine to Stop Cybercrime

Like legitimate businesses across the globe seeking to improve their information security and protect their network infrastructure, cybercriminal businesses take similar precautions. Trend Micro Research released the final report in a series focused on this part of cybercriminal business: Underground hosting providers. Based on the report, it’s clear that understanding both the criminal business and the attacks themselves better prepares defenders and investigators to identify and eliminate threats.

Researchers Find Vulnerabilities in Microsoft Azure Cloud Service

As businesses are increasingly migrating to the cloud, securing the infrastructure has never been more important. According to research by Paul Litvak of Intezer Labs, two security flaws in Microsoft’s Azure App Services could have enabled a bad actor to carry out server-side request forgery (SSRF) attacks or execute arbitrary code and take over the administration server.

Cyber Security Awareness: A Critical Checklist

October 2020 marks the 17th year of National Cybersecurity Awareness Month, where users and organizations are encouraged to increase awareness of cybersecurity issues. To help raise awareness, Trend Micro’s Consumer Division breaks down of the security issues you should be aware of and shares tips about how you can protect yourself and your family while working, learning, or gaming at home.

The Basics of Keeping Kubernetes Cluster Secure: Worker Nodes and Related Components

In part one of this blog series, Trend Micro talked about the different ways developers can protect control plane components, including Kube API server configurations, RBAC authorization, and limitations in the communication between pods through network policies. In this second part, Trend Micro focuses on best practices that developers can implement to protect worker nodes and their components.

Are you surprised that Comcast voice activated remote controllers could be turned into a spying tool?  Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: A Look Inside the Bulletproof Hosting Business and Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks appeared first on .

This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX

week in security

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how an adware family known primarily for distributing browser hijackers, Linkury, has been caught distributing malware. Also, read about a newly uncovered strain of the Glupteba trojan.

 

Read on:

Cross-Platform Modular Glupteba Malware Uses ManageX

Trend Micro recently encountered a variant of the Glupteba trojan and reported its attacks on MikroTik routers and updates on its command and control (C&C) servers. The use of ManageX, a type of modular adware that Trend Micro has recently analyzed, is notable in this newly uncovered strain as it aims to emphasize the modularity and the cross-platform features of Glupteba as seen through its code analysis.

Phishing Attack Targets Microsoft 365 Users with Netflix & Amazon Lures

Security researchers have been tracking a phishing campaign that abuses Microsoft Office 365 third-party application access to obtain specific resources from victims’ accounts. The attacker, dubbed TA2552, mostly uses Spanish-language lures and a narrow range of themes and brands. These attacks have targeted organizations with a global presence but seem to choose victims who likely speak Spanish, according to a report from Proofpoint researchers.

New Report Suggests the Bug Bounty Business is Recession-Proof

A new report from HackerOne presents data suggesting that the bug bounty business might be recession-proof, citing increases in hacker registrations, monthly vulnerability disclosures and payouts during a pandemic-induced economic downturn. Brian Gorenc, senior director of vulnerability research and director of Trend Micro’s Zero Day Initiative program, shared that he’s seen bug bounty activity increase with ZDI publishing 1,045 vulnerability advisories in all of 2019 and 1,235 already in 2020.

Identity Fraud: How to Protect Your Identity Data, Accounts and Money During the Coronavirus Crisis

We’ve all been spending more time online since the pandemic hit, and as a result we’re sharing more personal and financial information online with each other and with organizations. Unfortunately, as ever, there are bad guys around every digital corner looking for this. Personally identifiable information (PII) is the currency of internet crime, and cyber-criminals will do whatever they can to get it.

Linkury Adware Caught Distributing Full-Blown Malware

An adware family known primarily for distributing browser hijackers has been caught distributing malware, security researchers said at the Virus Bulletin 2020 security conference. Its main method of distribution is the SafeFinder widget, a browser extension ironically advertised as a way to perform safe searches on the internet. K7 researchers say that in recent cases they analyzed, the SafeFinder widget has now also begun installing legitimate malware, such as the Socelars and Kpot infostealer trojans.

Chinese APT Group Targets Media, Finance, and Electronics Sectors

Cybersecurity researchers have uncovered a new espionage campaign targeting media, construction, engineering, electronics, and finance sectors in Japan, Taiwan, the U.S. and China. Linking the attacks to Palmerworm (aka BlackTech), likely a China-based advanced persistent threat (APT), the first wave of activity associated with this campaign began last year in August 2019.

InterPlanetary Storm Botnet Infects 13K Mac, Android Devices

A new variant of the InterPlanetary Storm malware has been discovered, which comes with fresh detection-evasion tactics and now targets Mac and Android devices (in addition to Windows and Linux, which were targeted by previous variants of the malware). Researchers say the malware is building a botnet with a current estimated 13,500 infected machines across 84 countries worldwide – and that number continues to grow.

More Americans Share Social Security, Financial and Medical Information than Before the Pandemic

A new survey has shown that consumer willingness to share more sensitive data – social security numbers, financial information and medical information – is greater in 2020 than in both 2018 and 2019. According to the NYC-based scientific research foundation ARF’s (Advertising Research Foundation) third annual privacy study, contact tracing is considered a key weapon in the fight against COVID-19.

Do you feel like you are more willing to share sensitive information online since the pandemic began? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Linkury Adware Caught Distributing Full-Blown Malware and Cross-Platform Modular Glupteba Malware Uses ManageX appeared first on .

This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps

 

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how threat actors are bundling Windscribe VPN installers with backdoors. Also, read about a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications.

 

 

Read on:

 

Windows Backdoor Masquerading as VPN App Installer

This article discusses findings covered in a recent blog from Trend Micro where company researchers warn that Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor. The trojanized package in this specific case is the Windows installer for Windscribe VPN and contains the Bladabindi backdoor.

The Evolution of Malicious Shell Scripts

The Unix-programming community commonly uses shell scripts as a simple way to execute multiple Linux commands within a single file. Many users do this as part of a regular operational workload manipulating files, executing programs and printing text. However, as a shell interpreter is available in every Unix machine, it is also an interesting and dynamic tool abused by malicious actors.

Microsoft Says It Detected Active Attacks Leveraging Zerologon Vulnerability

Hackers are actively exploiting the Zerologon vulnerability in real-world attacks, Microsoft’s security intelligence team said on Thursday morning. The attacks were expected to happen, according to security industry experts. Multiple versions of weaponized proof-of-concept exploit code have been published online in freely downloadable form since details about the Zerologon vulnerability were revealed on September 14 by Dutch security firm Secura BV.

Stretched and Stressed: Best Practices for Protecting Security Workers’ Mental Health

Security work is stressful under the best of circumstances, but remote work presents its own challenges. In this article, learn how savvy security leaders can best support their teams today — wherever they’re working. Trend Micro’s senior director of HR for the Americas, Bob Kedrosky, weighs in on how Trend Micro is supporting its remote workers.

Exploitable Flaws Found in Facial Recognition Devices

To gain a more nuanced understanding of the security issues present in facial recognition devices, Trend Micro analyzed the security of four different models: ZKTeco FaceDepot-7B, Hikvision DS-K1T606MF, Telpo TPS980 and Megvii Koala. Trend Micro’s case studies show how these devices can be misused by malicious attackers.

New ‘Alien’ Malware Can Steal Passwords from 226 Android Apps

Security researchers have discovered and analyzed a new strain of Android malware that comes with a wide array of features allowing it to steal credentials from 226 applications. Named Alien, this new trojan has been active since the start of the year and has been offered as a Malware-as-a-Service (MaaS) offering on underground hacking forums.

Government Software Provider Tyler Technologies Hit by Possible Ransomware Attack

Tyler Technologies, a Texas-based provider of software and services for the U.S. government, started informing customers this week of a security incident that is believed to have involved a piece of ransomware. Tyler’s website is currently unavailable and in emails sent out to customers the company said its internal phone and IT systems were accessed without authorization by an “unknown third party.”

U.S. Justice Department Charges APT41 Hackers Over Global Cyberattacks

On September 16, 2020, the United States Justice Department announced that it was charging five Chinese citizens with hacking crimes committed against over 100 institutions in the United States and abroad. The global hacking campaign went after a diverse range of targets, from video game companies and telecommunications enterprises to universities and non-profit organizations. The five individuals were reportedly connected to the hacking group known as APT41.

Phishers are Targeting Employees with Fake GDPR Compliance Reminders

Phishers are using a bogus GDPR compliance reminder to trick recipients – employees of businesses across several industry verticals – into handing over their email login credentials. In this evolving campaign, the attackers targeted mostly email addresses they could glean from company websites and, to a lesser extent, emails of people who are high in the organization’s hierarchy.

Mispadu Banking Trojan Resurfaces

Recent spam campaigns leading to the URSA/Mispadu banking trojan have been uncovered, as reported by malware analyst Pedro Tavares in a Twitter post and by Seguranca Informatica in a blog post. Mispadu malware steals credentials from users’ systems. This attack targets systems with Spanish and Portuguese as system languages.

A Blind Spot in ICS Security: The Protocol Gateway Part 3: What ICS Security Administrators Can Do

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways that are essential when shifting to smart factories and discusses the security countermeasures that security administrators in those factories must take. In the final part of this series, Trend Micro describes a stealth attack method that abuses a vulnerability as well as informs readers of a vital point of security measures required for the future ICS environment.

Major Instagram App Bug Could’ve Given Hackers Remote Access to Your Phone

Check Point researchers disclosed details about a critical vulnerability in Instagram’s Android app that could have allowed remote attackers to take control over a targeted device just by sending victims a specially crafted image. The flaw lets attackers perform actions on behalf of the user within the Instagram app, including spying on victim’s private messages and deleting or posting photos from their accounts, as well as execute arbitrary code on the device.

Addressing Threats Like Ryuk via Trend Micro XDR

Ryuk has recently been one of the most noteworthy ransomware families and is perhaps the best representation of the new paradigm in ransomware attacks where malicious actors go for quality over sheer quantity. In 2019, the Trend Micro™ Managed XDR and Incident Response teams investigated an incident concerning a Trend Micro customer that was infected with the Ryuk ransomware.

What are your thoughts on the Android Instagram app bug that could allow remote access to user’s phones? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Cybercriminals Distribute Backdoor with VPN Installer and New ‘Alien’ Malware can Steal Passwords from 226 Android Apps appeared first on .

This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about how solutions from 32 Amazon Web Services partners – including Trend Micro – are now available for AWS customers to use with their deployments of AWS Outposts. Also, read about a data breach at U.S. office-supply retailer Staples.

 

Read on:

Boosting Impact for Profit: Evolving Ransomware Techniques for Targeted Attacks

As described in Trend Micro’s 2020 Midyear Roundup, the numbers pertaining to ransomware no longer tell the full story. While the number of infections, company disclosures, and ransomware families has gone down, the estimated amount of money exchanged for the retrieval of encrypted data has steadily gone up. By going after institutions and companies with the urgent need to retrieve their data and get their systems running again, cybercriminals are able to demand exorbitant amounts of ransom.

AWS Outposts Ready Launches with 32 Validated Partners

Solutions from 32 Amazon Web Services partners, including Trend Micro, are available now for AWS customers to use with their deployments of AWS Outposts, the on-premises version of the industry’s leading public cloud.

Analysis of a Convoluted Attack Chain Involving Ngrok

The Trend Micro Managed XDR team recently handled an incident involving one of Trend Micro’s customers. The incident revealed how a malicious actor incorporated certain techniques into an attack, making it more difficult for blue teams and security researchers alike to analyze the chain of events in a clean and easily understandable manner. In this blog, Trend Micro further analyzes the attack.

39% of Employees Access Corporate Data on Personal Devices

A large proportion of employees are using their own devices to access data belonging to their company, according to a new study by Trend Micro. Researchers found that 39% of workers use personal smartphones, tablets, and laptops to access corporate data, often via services and applications hosted in the cloud.

A Blind Spot in ICS Security: The Protocol Gateway Part 2: Vulnerability Allowing Stealth Attacks on Industrial Control Systems

In this blog series, Trend Micro analyzes the impacts of the serious vulnerabilities detected in the protocol gateways and shares the security countermeasures that security administrators in smart factories must take. In the second part of this series, Trend Micro presents an overview of the verification methods, results of this research, and describes “flaws in the protocol conversion function,” one of the security risks revealed through Trend Micro’s experiments.

Staples Hit by Data Breach: What to Do Now

U.S. office-supply retailer Staples says its recent data breach affected fewer than 2,500 customers. Australian security researcher Troy Hunt, who runs the HaveIBeenPwned website, used his Twitter account to post a copy of an email message sent to an unknown number of Staples online customers.

“Zerologon” and the Value of Virtual Patching

A new CVE was released recently that has made quite a few headlines – CVE-2020-1472, also known as Zerologon. This CVE can allow an attacker to take advantage of the cryptographic algorithm used in the Netlogon authentication process and impersonate the identity of any computer when trying to authenticate against the domain controller.

Billions of Devices Vulnerable to New ‘BLESA’ Bluetooth Security Flaw

Billions of smartphones, tablets, laptops, and IoT devices are using Bluetooth software stacks that are vulnerable to a new security flaw disclosed this summer. Named BLESA (Bluetooth Low Energy Spoofing Attack), the vulnerability impacts devices running the Bluetooth Low Energy (BLE) protocol. BLE is a slimmer version of the original Bluetooth (Classic) standard but designed to conserve battery power while keeping Bluetooth connections alive as long as possible.

California Elementary Kids Kicked Off Online Learning by Ransomware

As students head back to the classroom, the wave of ransomware attacks against schools is continuing. The latest is a strike against a California school district that closed down remote learning for 6,000 elementary school students, according to city officials. The cyberattack, against the Newhall School District in Valencia, affected all distance learning across 10 different grade schools.

Mobile Messengers Expose Billions of Users to Privacy Attacks

When installing a mobile messenger like WhatsApp, new users can instantly start texting existing contacts based on the phone numbers stored on their device. For this to happen, users must grant the app permission to access and regularly upload their address book to company servers in a process called mobile contact discovery. A new research study shows that currently deployed contact discovery services severely threaten the privacy of billions of users.

Should employees be able to access company data via their personal devices? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: AWS Outposts Ready Launches With 32 Validated Partners and Staples Hit by a Data Breach appeared first on .

This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, read about this month’s Patch Tuesday update from Microsoft. Also, learn about Trend Micro’s Worry-Free XDR: a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses.

Read on:

Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot

Malicious actors continue to target environments running Docker containers. Trend Micro recently encountered an attack that drops both a malicious cryptocurrency miner and a distributed denial-of-service (DDoS) bot on a Docker container built using Alpine Linux as its base image. A similar attack was also reported by Trend Micro in May; in that previous attack, threat actors created a malicious Alpine Linux container to also host a malicious cryptocurrency miner and a DDoS bot.

Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday

Microsoft released patches for 129 CVEs (common vulnerabilities and exposures) as part of its monthly Patch Tuesday rollout. Dustin Childs from Trend Micro’s Zero Day Initiative shared that this marks seven consecutive months of more than 110 bugs fixed and brings the yearly total close to 1,000.

Purple Fox EK Relies on Cloudflare for Stability

A year ago, Trend Micro talked about Purple Fox malware being delivered by the Rig exploit kit. Malwarebytes later found evidence that it had its own delivery mechanism, and thus named it the Purple Fox exploit kit. Trend Micro recently found a spike in the Purple Fox exploit kit with improved delivering tactics in our telemetry. Some of the improvements include use of full HTTPS infrastructure based on Cloudflare as frontend, fully encrypted landing page, and disguised redirection.

New Raccoon Attack Could Let Attackers Break SSL/TLS Encryption

A group of researchers has detailed a new timing vulnerability in Transport Layer Security (TLS) protocol that could potentially allow an attacker to break the encryption and read sensitive communication under specific conditions. Dubbed “Raccoon Attack,” the server-side attack exploits a side-channel in the cryptographic protocol (versions 1.2 and lower) to extract the shared secret key used for secure communications between two parties.

War of Linux Cryptocurrency Miners: A Battle for Resources

The Linux ecosystem is regarded as more secure and reliable than other operating systems, which possibly explains why Google, NASA, and the US Department of Defense (DoD) utilize it for their online infrastructures and systems. Unfortunately, the adoption of Linux systems is also an attractive target for cybercriminals. In this blog, learn about the ruthless battle for computing power among the different cryptocurrency-mining malware that target Linux systems. 

Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response

Trend Micro announced Worry-Free XDR is a new version of its XDR platform designed to extend the power of correlated detection and response beyond the endpoint for smaller businesses. This unmatched channel offering is available now as a standalone or managed solution tailored for SMBs.

Securing Enterprise Security: How to Manage the New Generation of Access Control Devices

Enterprises are increasingly deploying contactless security solutions to control access to their spaces, especially now in the midst of a pandemic. These solutions mostly rely on devices that use facial recognition to manage entry to enterprise premises in an effective and efficient manner. Considering that these access control devices are the first line of defense for employees and assets on enterprise premises, Trend Micro set out to test the security of the devices and to find out whether they are susceptible to cyber as well as physical attacks.

Zeppelin Ransomware Returns with New Trojan on Board

The Zeppelin ransomware has sailed back into relevance, after a hiatus of several months. A wave of attacks were spotted in August by Juniper Threatlab researchers, making use of a new trojan downloader. These, like an initial Zeppelin wave observed in late 2019, start with phishing emails with Microsoft Word attachments (themed as “invoices”) that have malicious macros on board. Once a user enables macros, the infection process starts.

Published New Ebook: Strategic Investment to Secure Smart Factories

Security is undergoing a digital transformation in the manufacturing industry. As the fusion of the cyber world and the physical world progresses, various security issues are mounting. Manufacturing executives must view security as a management issue, not as a system issue. Trend Micro has published an ebook that focuses on security issues in the convergence of IT and OT.

Ransomware Accounted for 41% of All Cyber Insurance Claims in H1 2020

Ransomware incidents have accounted for 41% of cyber insurance claims filed in the first half of 2020, according to a report published today by Coalition, one of the largest providers of cyber insurance services in North America. The high number of claims comes to confirm previous reports from multiple cybersecurity firms that ransomware is one of today’s most prevalent and destructive threats.

What do you think about the Zeppelin ransomware attacks and the rise in ransomware overall? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

The post This Week in Security News: Microsoft Fixes 129 Vulnerabilities for September’s Patch Tuesday and Trend Micro’s XDR Offerings Simplify and Optimize Detection and Response appeared first on .

1H 2020 Cyber Security Defined by Covid-19 Pandemic

When we published our 2020 Predictions report in December, we didn’t realize there was a global pandemic brewing that would give cybercriminals an almost daily news cycle to take advantage of in their attacks against people and organizations around the world. Malicious actors have always taken advantage of big news to use as lures for socially engineered threats, but these events tend to be fairly short news cycles.

When Covid-19 started making headlines in early 2020, we started seeing new threats using this in the attacks. As you see below, April was the peak month for email-based Covid-19 related threats.

The same was true for phishing URLs related to Covid-19, but for files using Covid-19 in their naming convention, the peak month in the first half was June.

Impact on Cybercrime

The constant 24×7 news around cases, cures and vaccines makes this pandemic unique for cybercriminals. Also, the shift to remote working and the challenges posed to supply chains all gave cybercriminals new content they could use as lures to entice victims into infecting themselves.

As we’ve seen for many years now, email-based threats were the most used threat vector by malicious actors, which makes sense as the number one infection vector to penetrate an organization’s network is to use a socially engineered email against an employee.

We even saw malicious mobile apps being developed using Covid-19 as a lure, as you see below.

In this case it was supporting potential cures for the virus, which many people would have wanted.

Other Highlights in 1H 2020

While Covid-19 dominated the threat landscape in the 1H 2020, it wasn’t the only thing that defined it. Ransomware actors continued their attacks against organizations, but as we’ve been seeing over the past year, they’ve become much more selective in their victims. The spray and pray model using spam has been shifted to a more targeted approach, similar to how nation-state actors and APT groups perform their attacks. Two things showcase this trend:

  1. The number of ransomware detections has dropped significantly from 1H 2019 to 1H 2020, showing that ransomware actors are not looking for broad infection numbers.

 

 

2. The ransom amounts have increased significantly over the years, showing ransomware actors are selecting their victims around how much they feel they can extort them for and whether they are more likely to pay a ransom.

 

Home network attacks are another interesting aspect of the threat landscape in the first half of this year. We have millions of home routers around the world that give us threat data on events coming into and out of home networks.

Threat actors are taking advantage of more remote workers by launching more attacks against these home networks. As you see below, the first half of 2020 saw a marked increase in attacks.

Many of these attacks are brute force login attempts as actors try to obtain login credentials for routers and devices within the home network, which can allow them to do further damage.

The above are only a small number of security events and trends we saw in just six months of 2020. Our full roundup of the security landscape so far this year is detailed out in our security roundup report – Securing the Pandemic-Disrupted Workplace. You can read about all we found to help prepare for many of the threats we will continue to see for the rest of the year.

The post 1H 2020 Cyber Security Defined by Covid-19 Pandemic appeared first on .