Category Archives: cyber security

Separ Infostealer Using “Living off the Land” Tactics to Target Businesses

The Separ infostealer is using what’s known as “Living off the Land” tactics to target businesses as part of an ongoing attack campaign. Digital security company Deep Instinct detected the campaign and observed that an infection begins when an employee at a business organization receives a phishing email. The email comes with an attached PDF […]… Read More

The post Separ Infostealer Using “Living off the Land” Tactics to Target Businesses appeared first on The State of Security.

Download Kali Linux 2019.1 with Metasploit 5.0

By Waqas

Download Kali Linux 2019.1 now! – This is the first major update for Kali Linux ever since version 4.0 was released in 2011. Kali Linux is one of the most popular Debian-based Linux distribution for advanced Penetration Testing and that is why the InfoSec community eagerly waits for its new versions. So wait no more and download Kali Linux […]

This is a post from HackRead.com Read the original post: Download Kali Linux 2019.1 with Metasploit 5.0

LPG Gas Company Leaked Details, Aadhaar Numbers of 6.7 Million Indian Customers

Why would someone bother to hack a so-called "ultra-secure encrypted database that is being protected behind 13 feet high and 5 feet thick walls," when one can simply fetch a copy of the same data from other sources. French security researcher Baptiste Robert, who goes by the pseudonym "Elliot Alderson" on Twitter, with the help of an Indian researcher, who wants to remain anonymous,

Popular Torrent Uploader ‘CracksNow’ Caught Spreading Ransomware

It's not at all surprising that downloading movies and software from the torrent network could infect your computer with malware, but it's more heartbreaking when a popular, trusted file uploader goes rogue. Popular software cracks/keygens uploader "CracksNow," who had trusted status from many torrent sites, has now been banned from several torrent sites after he was repeatedly found

Over 92 Million New Accounts Up for Sale from More Unreported Breaches

All these numbers…. "More than 5 billion records from 6,500 data breaches were exposed in 2018" — a report from Risk Based Security says. "More than 59,000 data breaches have been reported across the European since the GDPR came into force in 2018" — a report from DLA Piper says. …came from data breaches that were reported to the public, but in reality, more than half of all data breaches

Websites Including Ixigo Hacked, Leaving 127 Million Accounts Exposed For Sale






Over 127 million accounts were broken into from around 8 separate websites. This is the doing of a hacker who’d stolen records of 620 million people before.

The travel booking site “Ixigo” seems to be one of the major victims from which records were stolen.

Allegedly, these infamous records include the users’ names, email addresses, passwords and other personal details.

According to a research, 18 million user records were wrested from Ixigo and around 40 million were stolen from YouNow which is a live-video streaming site.

1.8 million accounts were wrested from Ge.tt and 57 million records were snatched off from Houzz.

Hakcer’s listings showed that an antiquated “MD5” hashing algorithm was applied to “scramble” passwords which are otherwise easy to “unscramble”.

It was claimed by the hacker themselves that they had user records from mainstream sites like MyFitnessPal and Animoto with declaring number of records to be 151 million and 25 million respectively.

Bitcoin currency of $20,000 could now be used in exchange for databases which make life easier for hackers, from the Dream Market cyber-souk in the Tor network.

The price is pretty hacker-pocket friendly. The major target audience for the deal seem to be spammers and credential stuffers.

These credentials could further be used to hack into other sites and wrest other user details.

The victimized websites have started alerting their users about the hazard and it would only be fit for the users to stay vigilant about it all.

Ex-US Intelligence Agent Charged With Spying and Helping Iranian Hackers

The United States Department of Justice has announced espionage charges against a former US Air Force intelligence officer with the highest level of top-secret clearance for providing the Iranian government classified defense information after she defected to Iran in 2013. Monica Elfriede Witt, 39, was a former U.S. Air Force Intelligence Specialist and Special Agent of the Air Force Office

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018

In 2010, Google launched its Vulnerability Reward Program (VRP) to help them identify bugs and other problems with their apps

Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018 on Latest Hacking News.

Russian to shut down Internet to test its cyber deterrence

By Carolina

To test the security of its data, Russia is considering disconnecting its Internet service for a short period of time. The test will affect all the data sent by Russian citizens or organizations as Internet access would be limited only within the national territory, meaning that they will not be routed internationally. The test has […]

This is a post from HackRead.com Read the original post: Russian to shut down Internet to test its cyber deterrence

First Android Clipboard Hijacking Crypto Malware Found On Google Play Store

A security researcher has discovered yet another cryptocurrency-stealing malware on the official Google Play Store that was designed to secretly steal bitcoin and cryptocurrency from unwitting users. The malware, described as a "Clipper," masqueraded as a legitimate cryptocurrency app and worked by replacing cryptocurrency wallet addresses copied into the Android clipboard with one belonging

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone

Most people will get pictures of cute animals and other funny memes sent to them throughout the day. In many

PNG Image File Security Flaw Could Give Hackers Access to Your Android Phone on Latest Hacking News.

Multiple Airline Check-In Systems Exposing Passenger Data

Given the high security at the airport, it would be logical to assume that airlines are tough with the security

Multiple Airline Check-In Systems Exposing Passenger Data on Latest Hacking News.

Bank details of Bernard Matthews employees stolen

A suspected cyber-attack "potentially compromised" the bank account details of 200 workers at Bernard Matthews.

The turkey producer has made staff aware of the suspected hack.

The Norfolk-based company said it was alerted by its bank on 22 January, as first reported in the EDP.

A spokesman said: “After being first alerted by our bank, we reported the incident to the relevant authorities and put in place extra security measures, as well as offering additional security advice to those affected.” "We continue to monitor the situation but we are not aware colleagues have been affected any further," he added.

The person or group behind the hack is unknown.

Bernard Matthews employs 3,000 people across East Anglia. The company is a major employer in Norfolk and Suffolk, including at its plant at Holton, near Halesworth, and its headquarters at Great Witchingham.
The business has been through a difficult time in recent years, coming close to collapse in 2013.

Last year, it was one of two interested parties bidding to take over Banham Poultry, in Attleborough, which was eventually sold to Chesterfield Poultry.

In 2016 the Boparan Private Office, owned by food tycoon and 2 Sisters Food Group entrepreneur Ranjit Boparan, known as the “Chicken King”, bought the firm in a pre-pack deal in 2016 from Rutland Partners, saving 2,000 jobs after the firm posted pre-tax losses of £5.2m.

Pen Testing Firm Claims 92% Successful Breach Rate of Their Clients

On the 6 February, cyber-security firm Positive Technologies published its penetration testing activity report for 2018. The firm claimed that

Pen Testing Firm Claims 92% Successful Breach Rate of Their Clients on Latest Hacking News.

Android Phones Can Get Hacked Just by Looking at a PNG Image

Using an Android device? Beware! You have to remain more caution while opening an image file on your smartphone—downloaded anywhere from the Internet or received through messaging or email apps. Yes, just viewing an innocuous-looking image could hack your Android smartphone—thanks to three newly-discovered critical vulnerabilities that affect millions of devices running recent versions of

14 Essential Bug Bounty Programs of 2019

In 2017, The State of Security published its most recent list of essential bug bounty frameworks. Numerous organizations and government entities have launched their own vulnerability reward programs (VRPs) since then. With that in mind, I think it’s time for an updated list. Here are 14 essential bug bounty programs for 2019. Apple Website: Invite-only […]… Read More

The post 14 Essential Bug Bounty Programs of 2019 appeared first on The State of Security.

Critical Zcash Bug Could Have Allowed ‘Infinite Counterfeit’ Cryptocurrency

The developers behind the privacy-minded Zcash cryptocurrency have recently discovered and patched a highly dangerous vulnerability in the most secretive way that could have allowed an attacker to coin an infinite number of Zcash (ZEC). Yes, infinite… like a never-ending source of money. Launched in October 2016, Zcash is a privacy-oriented cryptocurrency that claims to be more anonymous

Secrecy Reigns as NERC Fines Utilities $10M citing Serious Cyber Risks

The North American Electric Reliability Corp. (NERC) imposed its stiffest fine to date for violations of Critical Infrastructure Protection (CIP) regulations, citing scores of violations. But who violated the standards and much of what the agency found remains secret. 

The post Secrecy Reigns as NERC Fines Utilities $10M citing Serious Cyber...

Read the whole entry... »

Related Stories

Ethical hacker may get 8 years in prison for reporting flaws in Magyar Telekom

By Waqas

Hungary’s Prosecution Service has accused an ethical hacker and computer specialist of infiltrating the Magyar Telekom database. The office found him involved in a crime that disrupted the operations of a “public utility” thereby attempting to endanger the society. Reportedly, the hacker identified serious vulnerabilities in Magyar Telekom and reported them to the company. He […]

This is a post from HackRead.com Read the original post: Ethical hacker may get 8 years in prison for reporting flaws in Magyar Telekom

HIV Records of 14k People in Singapore Leaked

Singapore has suffered its second attack on private medical records in seven months. This time, the records of around 14

HIV Records of 14k People in Singapore Leaked on Latest Hacking News.

Hacker who reported flaw in Hungarian Telekom faces up to 8-years in prison

Many of you might have this question in your mind: "Is it illegal to test a website for vulnerability without permission from the owner?" Or… "Is it illegal to disclose a vulnerability publicly?" Well, the answer is YES, it’s illegal most of the times and doing so could backfire even when you have good intentions. Last year, Hungarian police arrested a 20-year-old ethical hacker accused of

New Mac Malware Steals Cookies, Cryptocurrency & Computing Power

Dubbed CookieMiner on account of its cookie-stealing capabilities, this newly discovered malware is believed to be based on DarthMiner, another recently detected Mac malware that combines the EmPyre backdoor and

The post New Mac Malware Steals Cookies, Cryptocurrency & Computing Power appeared first on The Cyber Security Place.

Matrix Ransomware: A Threat to Low-Hanging Fruit

In its 2019 Threat Report, Sophos predicted a rise in targeted ransomware attacks. According to new research, Matrix, a copycat targeted ransomware that is flying under the radar, is one such threat that

The post Matrix Ransomware: A Threat to Low-Hanging Fruit appeared first on The Cyber Security Place.

Email Attacks Increasingly Using Compromised Accounts

Hackers are realising that it’s easier to defraud someone if you’re using a legitimate email address, rather than creating one yourself. With that in mind, they’re increasingly using compromised emails

The post Email Attacks Increasingly Using Compromised Accounts appeared first on The Cyber Security Place.

Radware Blog: Attackers Are Leveraging Automation

Cybercriminals are weaponizing automation and machine learning to create increasingly evasive attack vectors, and the internet of things (IoT) has proven to be the catalyst driving this trend. IoT is the birthplace of many of the new types of automated bots and malware. At the forefront are botnets, which are increasingly sophisticated, lethal and highly automated digitized […]

The post Attackers Are Leveraging Automation appeared first on Radware Blog.



Radware Blog

Top 10 Best Antivirus software for 2019

By Zehra Ali

Open the Internet and your screen will be flooded with hacking news and exploits carried out through the use of sophisticated techniques. It is not uncommon to land on news reports of millions of compromised Internet devices. These stories emerge not merely because of the hacker’s expertise, although this plays a large part. Just as crucial is the lack […]

This is a post from HackRead.com Read the original post: Top 10 Best Antivirus software for 2019

DoJ Charges Huawei Execs in Broad Indictment Spanning 10 Years of Criminal Activity

The Department of Justice (DoJ) filed broad charges against Chinese telecom giant Huawei Technologies Co. Ltd. and its CFO Wanzhou Meng for allegedly stealing trade secrets from U.S. mobile firm T-Mobile and deceiving U.S. stakeholders about its business activity in Iran, among a number of other fraud and conspiracy activities over a 10-year...

Read the whole entry... »

Related Stories

Malware: Three Industry Problems and How to Solve Them

In the last few years, organizations have been subject to extortion through ransomware. Now, hackers are bypassing the nasty business of trying to get people to give them cryptocurrency to simply hijacking your processor to mine for cryptocurrency. As a result, the methods employed are growing in sophistication and creativity, including using internet memes to […]… Read More

The post Malware: Three Industry Problems and How to Solve Them appeared first on The State of Security.

DailyMotion Victim of Credential Stuffing Attack

Popular video sharing platform DailyMotion announced it has become the victim of a credential stuffing attack. According to an email

DailyMotion Victim of Credential Stuffing Attack on Latest Hacking News.

Buyer Beware: Not All Threat Intel Add-Ons are Equal

Like leather upholstery for your new car, add-ons to your threat intelligence service are hard to resist. But Chris Camacho of Flashpoint* says “buyer beware:” threat intel add-ons may be more trouble than they’re worth. If you’ve ever shopped for a new car, you’re likely familiar with the dizzying number of add-on...

Read the whole entry... »

Related Stories

Researchers Release Tool That Finds Vulnerable Robots on the Internet

A team at a robot cybersecurity startup has released a free, open-source tool for information security professionals to help them easily 'footprint' and detect unprotected robots, not only connected to the Internet, but also to the industrial environments where they operate. Dubbed "Aztarna," the framework has been developed by Alias Robotics, a Spanish cybersecurity firm focused on robots and

Impending Ukraine Election Targeted by Hackers

Ukraine is reporting an increase in cyber attacks aimed at disrupting the upcoming presidential elections. The Ukraine Government believe that

Impending Ukraine Election Targeted by Hackers on Latest Hacking News.

Why You Need to Block the Threat Factory. Not Just the Threats.

 

Cyber criminals will create roughly 100 million new malware variants over the next 12 months. Security vendors will respond with new malware signatures and behaviors to stop them, but thousands of companies will be victimized in the process, experiencing costly or catastrophic breaches. This isn’t new - it’s a cycle.

Malspam Campaign Targeting Russian Speakers with Redaman Malware

An ongoing malicious spam campaign is currently targeting Russian-speaking users with samples of the Redaman banking malware. Since at least September 2018, the malspam campaign has been sending out malicious spam emails written in Russian to users who mostly have email addresses ending in “.ru.” The emails use various subject lines, message content and attachment […]… Read More

The post Malspam Campaign Targeting Russian Speakers with Redaman Malware appeared first on The State of Security.

Malvertising Campaign Used Steganography to Distribute Shlayer Trojan

A short-lived malvertising campaign leveraged a steganography-based payload to target Mac users with the Shlayer trojan. Named for its use of veryield-malyst[dot]com as one of its ad-serving domains, the “VeryMal” threat actor conducted its malvertising campaign between 11 January 2019 and 13 January 2019. That’s not a long time period to remain active. But the […]… Read More

The post Malvertising Campaign Used Steganography to Distribute Shlayer Trojan appeared first on The State of Security.

Ex-employee of WP MultiLingual’s (WPML) Leaks Customer Data Then Defaces Their Website

A former employee of WP MultiLingual’s (WPML) claimed he exploited vulnerabilities over the weekend. The ex-employee sent out mass emails to

Ex-employee of WP MultiLingual’s (WPML) Leaks Customer Data Then Defaces Their Website on Latest Hacking News.

Alleged Russian Hacker Pleads Not Guilty After Extradition to United States

A Russian hacker indicted by a United States court for his involvement in online ad fraud schemes that defrauded multiple American companies out of tens of millions of dollars pleaded not guilty on Friday in a courtroom in Brooklyn, New York. Aleksandr Zhukov, 38, was arrested in November last year by Bulgarian authorities after the U.S. issued an international warrant against him, and was

Twitter Android App Bug Revealed Private Tweets Spanning Five Years

Social media giant Twitter has just announced a bug fix that has been affecting users of its Android App. However,

Twitter Android App Bug Revealed Private Tweets Spanning Five Years on Latest Hacking News.

New Android Malware Apps Use Motion Sensor to Evade Detection

Even after so many efforts by Google for preventing its Play Store from malware, shady apps somehow managed to fool its anti-malware protections and get into its service to infect Android users with malware. Two such Android apps have recently been spotted on the Google Play Store by security researchers with the Trend Micro malware research team, infecting thousands of Android users who have

Bug bounty: Hack Tesla Model 3 to win your own Model 3

By Waqas

Tesla is partnering with Pwn2Own’s bug bounty to identify vulnerabilities in its Model 3 car software. Electric car maker Tesla announced recently that the company is partnering with Pwn2Own hacking contest organizers in order to help the company identify security issues in its automobiles. Tesla will be a partner in the Pwn2Own bug bounty program […]

This is a post from HackRead.com Read the original post: Bug bounty: Hack Tesla Model 3 to win your own Model 3

How to Secure Your Mid-Size Organization From the Next Cyber Attack

If you are responsible for the cybersecurity of a medium-sized company, you may assume your organization is too small to be targeted. Well, think again. While the major headlines tend to focus on large enterprises getting breached – such as Sony, Equifax, or Target the actual reality is that small and mid-sized companies are experiencing similar threats. According to Verizon’s 2018 Data

Unpatched vCard Flaw Could Let Attackers Hack Your Windows PCs

A zero-day vulnerability has been discovered and reported in the Microsoft's Windows operating system that, under a certain scenario, could allow a remote attacker to execute arbitrary code on Windows machine. Discovered by security researcher John Page (@hyp3rlinx), the vulnerability was reported to the Microsoft security team through Trend Micro's Zero Day Initiative (ZDI) Program over 6

Does WhatsApp Have A Privacy Bug That Could Expose Your Messages?

In-short conclusion—Whatsapp service or its 45-days deletion policy doesn't seem to have a bug. For detailed logical explanation, please read below. An Amazon employee earlier today tweeted details about an incident that many suggest could be a sign of a huge privacy bug in the most popular end-to-end encrypted Whatsapp messaging app that could expose some of your secret messages under

Police Can’t Force You To Unlock Your Phone Using Face or Fingerprint Scan

Can feds force you to unlock your iPhone or Android phone? ..."NO" A Northern California judge has ruled that federal authorities can't force you to unlock your smartphone using your fingerprints or other biometric features such as facial recognition—even with a warrant. The ruling came in the case of two unspecified suspects allegedly using Facebook Messenger to threaten a man with the

Over 202 Million Chinese Job Seekers’ Details Exposed On the Internet

Cybersecurity researcher has discovered online a massive database containing records of more than 202 million Chinese citizens that remained accessible to anyone on the Internet without authentication until last week. The unprotected 854.8 gigabytes of the database was stored in an instance of MongoDB, a NoSQL high performance and cross-platform document-oriented database, hosted by an

Google DNS Service (8.8.8.8) Now Supports DNS-over-TLS Security

Almost every activity on the Internet starts with a DNS query, a key function of the Internet that works as an Internet's directory where your device looks up for the server IP addresses after you enter a human-readable web address (e.g., thehackernews.com). Since DNS queries are sent in clear text over UDP or TCP without encryption, the information can reveal not only what websites an

Turns Out Kaspersky Labs Helped FBI Catch Alleged NSA Leaker

Remember "The Shadow Brokers" and the arrest of a former NSA contractor accused of stealing 50 Terabytes of top secret documents from the intelligence agency? It turns out that, Kaspersky Lab, which has been banned in US government computers over spying fears, was the one who tipped off the U.S. government and helped the FBI catch NSA contractor Harold T. Martin III, unnamed sources familiar

Dynamic Content Acceleration in Imperva CDN Improves Enterprise Website Performance

Today we introduced a new dynamic content acceleration network enhancement feature designed to improve response times to the origin server by up to 30%.

Clients using the Imperva content delivery network (CDN) service are now able to more fully leverage the high-quality connectivity between PoPs in the Imperva network. The enhancement translates to an even better experience for our clients’ end users and increased conversion rates for e-commerce websites and alike. And it will especially allow clients who have distributed end users to see a boost to their website performance, with zero code changes required on their end.

How Dynamic Content Acceleration Works

The origin PoP is selected based on the network distance (according to latency, not geographic distance) between the client’s origin server and the Imperva PoP.

Origin PoPs have dedicated machines called forwarders, part of a preconfigured setting. The purpose of the forwarder is to serve as an access point to the origin server.

With this enhancement there’s no change to the traffic inspection process, as traffic will continue to be analyzed in the entry PoP (the access point for the end user’s request).

Example

Say www.example.com is located in a datacenter in New York City and is using the dynamic content acceleration service.

When a request to www.example.com reaches one of our proxy servers (e.g. Sydney) the proxy decides if the content is static or dynamic (A2).

If the content is dynamic, the proxy routes the traffic to the forwarder server in our New York City PoP (B2).

When the request reaches the forwarder in our New York City PoP, it sends the request forward to the origin server in New York City (C2).

When the origin sends a response, the forwarder receives it and sends it to the relevant proxy, which provides a faster response to the user. See our documentation for more information.

Improved Round-Trip Latency

Our improvements in round-trip latency are fueled by our cloud application security single stack architecture, PoPs strategically located to meet user demands, a broad peering footprint, and the fact that our entire network is tuned for DDoS mitigation, mandating the use of the same T1 transit providers across all our PoPs. A side effect of this IP engineering principle is a high-quality connection between PoPs.

Open connections are maintained between the PoPs which eliminates TCP slow start, an algorithm which balances the speed of a network connection. Connectivity to the origin from a nearby PoP also significantly reduces the latency required for the TLS handshake.

And when a packet moves from one PoP to another, it goes through fewer providers. In most cases it goes through just one provider. As a result, there is less packet loss and better latency.

Effect on Production Environment Analysis

As an additional benefit of dynamic content acceleration, clients utilizing XRAY will be able to have more visibility into requests to their origin and understand if a request passed through an origin PoP or not. This may come in handy in cases where there are potential connectivity improvements to the origin that need to be addressed.

The Development Process

We’ve been developing and testing this feature for about a year prior to release, measuring improvements in round-trip latency, time to first byte, and open connection time to the origin.

We found it takes much less time to open a connection to the origin from the forwarder compared to the origin from a faraway proxy (i.e. New York City <-> Tokyo). The forwarder can take 10 ms while a faraway proxy can take up to 300 ms).

Cedexis Testing

We use Cedexis to test different network optimization features. In the above testing we’ve set up two different networks to be monitored via Cedexis, both with origin servers in the same AWS EU-Central-1 Region in Frankfurt, Germany.

Then we applied dynamic content acceleration to one of the platforms by setting its origin PoP to the our Frankfurt PoP.

Lastly, we compared the latency of both networks as measured by eyeballs around the world.

The above results show an average latency of 308 ms vs 188 ms in the last 24 hours – a 120 ms decrease (which is also better than any other dynamic CDN vendor in Cedexis).

Performance improvement will vary based on the geographic traffic distribution of the site and the origin’s proximity to one of our PoPs. But our tests have shown an average improvement of 30% in round-trip time latency.

Considerations

It’s important to remember that dynamic content acceleration does add an additional hop, so in some cases if the origin server is not close to the origin proxy (forwarder), clients may not see an improvement in round-trip latency.

And since only a few proxy servers connect to the origin server with dynamic content acceleration, if a client implements rate limiting or load balancing based on IP only, the fact that all traffic reaches the origin from fewer proxies may trigger a rate threshold and result in dropped traffic.

However, in general we expect dynamic content acceleration to have a widespread, positive performance impact. And this enhancement is just one of many benefits to come as we continue to invest in our CDN service.

 

The post Dynamic Content Acceleration in Imperva CDN Improves Enterprise Website Performance appeared first on Blog.

German Police Seek Help In Finding Parcel Bomber With MAC Address

German police are seeking your help in gathering information related to a MAC address that could lead to the cell phone device used by a DHL blackmailer who last year parceled out bombs at different addresses in Brandenburg and Berlin. Between November 2017 and April 2018, someone used German parcel delivery service DHL to sent out several so-called improvised explosive devices (IEDs) in

Get 10 Popular Books To Learn Advanced Hacking [2018 Bundle]

It should come as no surprise that cybersecurity is one of the most important and lucrative fields in the world right now, and it’s becoming more important every day—thanks to a growing number of cyber attacks that are targeting everything from individuals and startups to Fortune 500 companies and entire government agencies. So it should also come as no surprise that demand for talented and

Social-Engineer Newsletter Vol 08 – Issue 112

Social Engineering Can Make You a Better Person

When social engineering makes the headlines, it is generally as a negative term where S.E. principles are used to initiate, perpetuate, or assist a large hack that exfiltrates data or distributes ransomware. With headlines like “Social engineering at the heart of critical infrastructure attack” and “Iranian phishers bypass 2fa protection offered by Yahoo Mail and Gmail,” it is easy to see how the term has developed negative connotation . However, here at SECOM and SEORG we utilize social engineering with the goal to “leave others better for having met [us]” while employing, practicing, and curating strong social engineering skillsets. Here, we discussed whether all social engineers are bad people and, though people rarely fall cleanly into the category of “good” or “bad,” this conversation is constantly being debated.

Almost a year ago, I made my newsletter debut examining how SE skills could be used in everyday life. Since then, I look for opportunities to practice my craft, improve my abilities, and be a stronger SE whenever I can. After reflecting on this last year, I can absolutely say that social engineering makes me a better person, and if you choose to social engineer as a white hat, it can make you one too.

How Social Engineering Can Make You a Better Person

As social engineers, we must quickly build rapport with our targets, maintain that rapport, and accomplish our goals without being burnt. We do this via email through phishing, phone calls through vishing, and in person via impersonation. As white hat social engineers, the skills needed to accomplish these goals effectively range from utilizing Dr. Robert Cialdini’s influence principles to awareness of vocal tone, body language, and facial expressions. Let’s examine some of the positive skills social engineering can foster:

  • Reciprocity – the reciprocity principle indicates that people will want to return something, a gift, favor, information, etc., that they are given in equal or greater value. However, it is important to remember that the recipient determines the value of what they have received. To effectively use this, an SE must remember that the target needs to value whatever they are given. In personal life, this causes us to think more about what others value over what we may value. This makes us more conscientious and encourages us to prioritize the other person.
  • Awareness of others – in the field, SEs are constantly looking to pick up queues from their targets. What internal jargon do they use? How do they speak? What is their body during the interaction? Do they seem like they want to get away? Are they in a rush? This has caused me, when meeting new people, to study how they are speaking and attempt neutrality until I understand how to communicate most effectively to the person I am speaking with. Additionally, I pay attention to how they are behaving, whether they seem like they need to go, and respect their boundaries. This creates a safe space for the people you interact with.
  • Speaking less and listening more – As an SE, we are usually on the hunt for information. It is challenging to get information out of someone if you’re the one doing all the talking. At home, I employ reflective questioning and allow my friends and family to get more speaking time and work to truly listen to the information they are sharing. People appreciate when they feel heard. This will strengthen your interpersonal relationships and improve your conversation skills.
  • Empathy – you never know where the other person in the conversation is coming from. They could have just gotten rough news, missed breakfast, or not had enough sleep the night before. While listening, really work to understand the perspective the individual is coming from and assume positive intent. Figuring out where a person is coming from and how they may feel connects you more closely to others.
  • Patience – Jumping into an engagement too hard too fast throws your targets off. In my day-to-day life, I have a tendency to want answers RIGHT NOW. However, the value of waiting for others to get on the same page cannot be stressed enough. I am now far more inclined to lay the foundations of a conversation and then wait for the other party to address topics when they are ready.

Social Engineering can make you a Better Person

Great resources to build social engineering and life skills

If you want to practice these skills in your daily life, as well as your career, here are some great resources to start with:

  • The Social-Engineer Podcast hosts great guests who explain unique skill sets and tools that are used in both life and social engineering.

The intention with which you take an action can determine the quality of that action and, broadly, whether it is “good” or “bad.” Should you use your social engineering skills to exploit individuals for your own personal gain, that action is not good. However, by practicing the skillsets of strong social engineers while attempting to leave others better for having met you, you may inadvertently realize you have grown into a better version of yourself. Social engineering can make you a better person, and I challenge you to look for opportunities to practice these skills for the benefit of others in this new year. If you are curious about how to S.E. for good, check out the Social Engineering Code of Ethics. I hope you see yourself grow in the process!

Be secure and be kind,

Written By: Cat Murdock
Twitter: @catmurd0ck

Sources:
https://www.social-engineer.com/are-all-social-engineers-bad/
https://www.computerweekly.com/news/252454369/Social-engineering-at-the-heart-of-critical-infrastructure-attack

https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
https://www.influenceatwork.com/principles-of-persuasion/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-101/
https://www.social-engineer.org/newsletter/social-engineer-newsletter-vol-08-issue-103/
https://www.social-engineer.org/framework/general-discussion/code-of-ethics/

Image: https://twitter.com/tim_fargo/status/628552609360683008

The post Social-Engineer Newsletter Vol 08 – Issue 112 appeared first on Security Through Education.

Over 120 Malicious Domains Discovered in Analysis on New Roaming Mantis Campaign

Since April of this year, news of a rapidly evolving crypto mining malware, dubbed Roaming Mantis, has hit the cyber news headlines. Roaming Mantis debuted with a DNS hijacking attack vector, infecting android running machines. Once installed, the malware redirected infected devices to phishing sites by spoofing legitimate applications, while using the stolen credentials to run a crypto mining script on PCs.

Do You Suffer From Breach Optimism Bias?

If you’ve been in the information security field for at least a year, you’ve undoubtedly heard your organization defend the lack of investment in, change to or optimization of a cybersecurity policy, mitigating control or organizational belief. This “It hasn’t happened to us so it likely won’t happen” mentality is called optimism bias, and it’s an issue in our field that predates the field itself.

Read my full article over at Forbes.com.

NIST Issues Guidance for Medical IoT Device Security

As the popularity of medical IoT devices grows, so do security vulnerabilities. There are more connected devices than there are humans on Earth. Organizations have been as quick to embrace the Internet of Things as consumers have, and the healthcare industry is no exception. Medical IoT devices have exploded in popularity and grown in complexity.… Read More

The post NIST Issues Guidance for Medical IoT Device Security appeared first on .

Insurance Occurrence Assurance?

You may have seen my friend Brian Krebs’ post regarding the lawsuit filed last month in the Western District of Virginia after $2.4 million was stolen from The National Bank of Blacksburg from two separate breaches over an eight-month period. Though the breaches are concerning, the real story is that the financial institution suing its insurance provider for refusing to fully cover the losses.

From the article:

In its lawsuit (PDF), National Bank says it had an insurance policy with Everest National Insurance Company for two types of coverage or “riders” to protect it against cybercrime losses. The first was a “computer and electronic crime” (C&E) rider that had a single loss limit liability of $8 million, with a $125,000 deductible.

The second was a “debit card rider” which provided coverage for losses which result directly from the use of lost, stolen or altered debit cards or counterfeit cards. That policy has a single loss limit of liability of $50,000, with a $25,000 deductible and an aggregate limit of $250,000.

According to the lawsuit, in June 2018 Everest determined both the 2016 and 2017 breaches were covered exclusively by the debit card rider, and not the $8 million C&E rider. The insurance company said the bank could not recover lost funds under the C&E rider because of two “exclusions” in that rider which spell out circumstances under which the insurer will not provide reimbursement.

Cyber security insurance is still in its infancy and issues with claims that could potentially span multiple policies and riders will continue to happen – think of the stories of health insurance claims being denied for pre-existing conditions and other loopholes. This, unfortunately, is the nature of insurance. Legal precedent, litigation, and insurance claim issues aside, your organization needs to understand that cyber security insurance is but one tool to reduce the financial impact on your organization when faced with a breach.

Cyber security insurance cannot and should not, however, be viewed as your primary means of defending against an attack.

The best way to maintain a defensible security posture is to have an information security program that is current, robust, and measurable. An effective information security program will provide far more protection for the operational state of your organization than cyber security insurance alone. To put it another way, insurance is a reactive measure whereas an effective security program is a proactive measure.

If you were in a fight, would you want to wait and see what happens after a punch is thrown to the bridge of your nose? Perhaps you would like to train to dodge or block that punch instead? Something to think about.

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession
Cross Border Personal information
Requirements.
Personal information must be processed and stored  in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.




Disgruntled Driver asks Share Ride Cab Company OLA to Pay Ransom for Kidnapped Passenger

A doctor called a shared ride cab to drive him to the private hospital where he worked. The shared ride arrived on time, but instead of taking the doctor to his destination, the driver threatened the doctor and kidnapped him.  The OLA cab driver, in turn posted a ransom request of Rs 5 Crore (750,000 USD) to the shared ride company, even calling up the hospital were the doctor worked to pressurize the company into paying. The Delhi police, were successful after a 13 day chase to free the doctor unharmed and nab the kidnapper.

The motive for the kidnapping was to teach the shared ride company a lesson as they were miffed due to alleged nonpayment of incentives.

The incident simply highlights the damage disgruntled employees can cause, many a times due to uncontrolled emotions. While the kidnapping seems to be one of a kind, incidents caused by employees in the workplace is quite common. In the early days, it used to be sabotage of plan and machinery, but in a digital world it is the theft of IP, data or even online defamation of the company and its personnel.

Twelve Commandments that will never fail to Keep You Cyber Safe Online

As the digital world explodes with a variety of new online services, cyber threats have become more ingenuous, dangerous, and spawned multiple variants and types. As each new threat makes the headline, the accompanying set of threat specific security recommendations confuses cybercitizens. Cybercitizens want a comprehensive list of recommendations that do not change frequently.

There are twelve foundational security practices that will help keep you and your family safe. Practicing them will harden your defenses against cybercrime and also reduce the negative effects of social media use.

1)    Thou shalt not use a device with pirated software
Pirated software is not patched as it is unlicensed. Unpatched software have security vulnerabilities which can be easily exploited to steal data and credentials

2)    Thou shalt not use a device which is not set for automatic updates of Operating System patches
Automatic patching for personal devices is the best way to ensure that the latest security patches are applied and security loopholes closed before cybercriminals can get to them

3)    Thou shalt not use a device without updated antimalware (antivirus) software installed
Antimalware software reduces the probability of a malware infection (e.g. ransomware) on your device. For it to be effective to catch the latest malware variants, it has to be automatically updated with the latest updates.

4)    Thou shall not download pirated movies, games and other such material
Something free may turn out to be expensive, both financially and to your reputation. Malware is usually bundled with pirated content or applications

5)    Thou shall not use a site without trying to verify its authenticity
Authenticity of a site can be verified by the Lock Icon and accompanying digital certificate. While not fool proof, it reduces the possibility of spoofed lookalike sites designed to steal your credentials

6)    Thou shall not ignore inappropriate content on social networks, always report or dislike it
Inappropriate content influences the minds of our children as they stumble upon it online. Hate content in particular may induce biases which take a long time to reverse.

7)    Thou shalt not indulge or encourage cyber bullying online
A parent or teacher has the additional responsibility of guiding children on the right online behavior. You do not want your children to bully or be bullied

8)    Thou shalt not use passwords that can be easily guessed and promise to  keep the password a secret
Try to choose complex passwords, do not reuse them on multiple sites and always store them securely. The easiest way to get into your online accounts is by stealing your passwords

9)    Thou shalt not fall be tempted by fraudulent emails promising financial windfalls or miracle cures or cheap medicines
Try to check the authenticity of the email. Electronic communication is easily manipulated, as it is difficult to verify the authenticity of the sender. Scams like these can cost you money and affect your health.

10) Thou shall not forsake your responsibility of helping your older parents or young kids to be safe as they use the internet
Be a guide and easily available as both old and young learn to use the internet and face cyber risks. Being available, requires that you can be reached for instant advice on problems they encounter

11) Thou shalt never trust a stranger blindly online
Always be suspicious when dealing with online strangers. At any point during the relationship never let down your guard. The identity of an online person cannot be easily verified. It can however be easily manipulated. Online friends sometimes have the vilest of intention which can lead to all forms of blackmail, particularly if they have incriminating pictures and videos. Besides adults, young children are potential victims

12) Thou shalt not set a weak password for your mobile phone or keep it unlocked
A stolen phone with an easy to guess password or if unlocked, is a sure invitation into all your signed in accounts and personal data. A large number of phones are left unattended or lost each year.



Are my password freely available on the Internet? Four actions that can minimize damage

Frequently we hear of large data breaches from email, social networking, news and other types of websites which we are members off.  Many of us may have been challenged by the site owner to change our password when the site suffered a breach and would even have received a breach notification email.

It would however be useful to have a service which could tell us if our passwords were available in plain text online, anytime we wished. The good news is that a security blogger Troy Hunt has set-up a site http://haveibeenpwned.com/   Here you could enter your email id (a common login credential) and find out if the corresponding password was exposed on breached sites.  The bad news is that it covers only data breaches where the hacker has dumped the compromised list of passwords on paste sites such as PasteBin. This represent a small fraction of the passwords exposed and in all probability allowed a window of time for the hacker to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor and colleague) who knows your email id to check for the password, and selectively target you.

My advice to all Cybercitizens in general but more specifically after you discover that your password has been exposed is to”

1.    Never reuse that exposed password and to never reuse password on multiple sites. A single exposure can have a cascading effect in the compromise of your online assets. If you have used the same password on multiple sites then quickly change the password on all of them.
2.    To use two factor authentication which a large majority of sites offer to limit the use of disclosed passwords
3.    To change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account and if you have changed your password by then, you would get lucky
4.    To quickly change passwords once you are aware that there has been a breach


IQ Retail Guards Against New Age Threats with Panda Security

iq-retail-1

“Stories of cyber-attacks hit the news almost daily – data breaches, DDos attacks, email hacks and phishing attacks – reminders of the dangers of the internet” says Jeremy Matthews Regional Manager of Panda Security Africa. “Yet somehow all of these attacks still seem foreign– as though it would never happen to you, however the reality is, South African businesses are affected by these threats” continues Matthews.

IQ Retail MD, Chris Steyn knows this all too well and has seen first-hand the dramatic rise of new age threats such as Ransomware. Software company IQ Retail, provides expertise in complete financial and business administration solutions, focusing on the development of business systems for the accounting and retail management environment. Since its inception in 1986, IQ Retail has grown to become one of the premium providers of innovative business solutions.

“Few businesses realise the seriousness of these threats and the damage they can have on a business’’, says Steyn. “ The problem we have found is twofold; firstly, businesses do not have adequate security software protecting their network, and secondly, they do not have effective backups in place”, continues Steyn.

He recognises that these advanced threats stem from a situation in which hackers no longer need to be tech savvy, with access to ready-made Malware toolkits available on the dark web. New malware variants are created daily and many security vendors are unable to keep up. As a result, businesses are being attacked more often and Cybercrime has become more profitable and easier to implement than ever before.

Speaking to Panda Security about his experience working with many South African businesses Steyn says, “We have noticed two week spikes in attacks that most often occur on the weekend when there are few people in the office. This puts businesses in a tough position that often leads to payment of the ransom or worse, a loss of company data”

Taking note of the shifting dynamic, IQ Retail developed a multi-layered approach, implementing security solutions at every level of their infrastructure, as well as ensuring backups are in place and procedures are being followed. Despite their efforts, Ransomware was still able to penetrate their network.

Advanced Protection

In order to prevent further breaches, Steyn and his team did extensive research into solutions offered by various vendors. They discovered that conventional AV solutions are unable to prevent zero-day Ransomware and other advanced threats from entering the network.
Steyn turned to Panda to implement a final effort to mitigate the threat of Ransomware. “Through our research, we realised that Panda’s Adaptive Defense 360 software is the only solution that could give us comprehensive protection. AD360 allows us to proactively manage the security on our network and track possible risk situations” says Steyn.

The Solution

Steyn explains that the current environment requires new generation protection solutions such as Adaptive Defense 360 that provide an Endpoint Detection and Response (EDR) service to accurately classify all running programs on your network. This means that only legitimate programs are able to run.

Panda’s EDR technology model is based on three phases: Continuous monitoring of applications on a company’s computers and servers. Automatic analysis and correlation using machine learning on Panda’s Big Data platform in the cloud. Finally, Endpoint hardening and enforcement – blocking all suspicious or dangerous processes, with notifications to alert network administrators.

AD 360 combines EDR with full conventional Endpoint Protection (EPP) to deliver comprehensive protection.
For more information on how to protect your business from the advanced threats we see today, contact Panda Security.

The post IQ Retail Guards Against New Age Threats with Panda Security appeared first on CyberSafety.co.za.

Analyzing the Malware Analysts – Inside FireEye’s FLARE Team

At the Black Hat USA 2016 conference in Las Vegas last week, I was fortunate to sit down with Michael Sikorski, Director, FireEye Labs Advanced Reverse Engineering (FLARE) Team.

During our conversation we discussed the origin of the FLARE team, what it takes to analyze malware, Michael’s book “Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software,” and the latest open source freeware tools FLOSS and FakeNet-NG.

Listen to the full podcast here.

Cerber: Analyzing a Ransomware Attack Methodology To Enable Protection

Ransomware is a common method of cyber extortion for financial gain that typically involves users being unable to interact with their files, applications or systems until a ransom is paid. Accessibility of cryptocurrency such as Bitcoin has directly contributed to this ransomware model. Based on data from FireEye Dynamic Threat Intelligence (DTI), ransomware activities have been rising fairly steadily since mid-2015.

On June 10, 2016, FireEye’s HX detected a Cerber ransomware campaign involving the distribution of emails with a malicious Microsoft Word document attached. If a recipient were to open the document a malicious macro would contact an attacker-controlled website to download and install the Cerber family of ransomware.

Exploit Guard, a major new feature of FireEye Endpoint Security (HX), detected the threat and alerted HX customers on infections in the field so that organizations could inhibit the deployment of Cerber ransomware. After investigating further, the FireEye research team worked with security agency CERT-Netherlands, as well as web hosting providers who unknowingly hosted the Cerber installer, and were able to shut down that instance of the Cerber command and control (C2) within hours of detecting the activity. With the attacker-controlled servers offline, macros and other malicious payloads configured to download are incapable of infecting users with ransomware.

FireEye hasn’t seen any additional infections from this attacker since shutting down the C2 server, although the attacker could configure one or more additional C2 servers and resume the campaign at any time. This particular campaign was observed on six unique endpoints from three different FireEye endpoint security customers. HX has proven effective at detecting and inhibiting the success of Cerber malware.

Attack Process

The Cerber ransomware attack cycle we observed can be broadly broken down into eight steps:

  1. Target receives and opens a Word document.
  2. Macro in document is invoked to run PowerShell in hidden mode.
  3. Control is passed to PowerShell, which connects to a malicious site to download the ransomware.
  4. On successful connection, the ransomware is written to the disk of the victim.
  5. PowerShell executes the ransomware.
  6. The malware configures multiple concurrent persistence mechanisms by creating command processor, screensaver, startup.run and runonce registry entries.
  7. The executable uses native Windows utilities such as WMIC and/or VSSAdmin to delete backups and shadow copies.
  8. Files are encrypted and messages are presented to the user requesting payment.

Rather than waiting for the payload to be downloaded or started around stage four or five of the aforementioned attack cycle, Exploit Guard provides coverage for most steps of the attack cycle – beginning in this case at the second step.

The most common way to deliver ransomware is via Word documents with embedded macros or a Microsoft Office exploit. FireEye Exploit Guard detects both of these attacks at the initial stage of the attack cycle.

PowerShell Abuse

When the victim opens the attached Word document, the malicious macro writes a small piece of VBScript into memory and executes it. This VBScript executes PowerShell to connect to an attacker-controlled server and download the ransomware (profilest.exe), as seen in Figure 1.

Figure 1. Launch sequence of Cerber – the macro is responsible for invoking PowerShell and PowerShell downloads and runs the malware

It has been increasingly common for threat actors to use malicious macros to infect users because the majority of organizations permit macros to run from Internet-sourced office documents.

In this case we observed the macrocode calling PowerShell to bypass execution policies – and run in hidden as well as encrypted mode – with the intention that PowerShell would download the ransomware and execute it without the knowledge of the victim.

Further investigation of the link and executable showed that every few seconds the malware hash changed with a more current compilation timestamp and different appended data bytes – a technique often used to evade hash-based detection.

Cerber in Action

Initial payload behavior

Upon execution, the Cerber malware will check to see where it is being launched from. Unless it is being launched from a specific location (%APPDATA%\&#60GUID&#62), it creates a copy of itself in the victim's %APPDATA% folder under a filename chosen randomly and obtained from the %WINDIR%\system32 folder.

If the malware is launched from the specific aforementioned folder and after eliminating any blacklisted filenames from an internal list, then the malware creates a renamed copy of itself to “%APPDATA%\&#60GUID&#62” using a pseudo-randomly selected name from the “system32” directory. The malware executes the malware from the new location and then cleans up after itself.

Shadow deletion

As with many other ransomware families, Cerber will bypass UAC checks, delete any volume shadow copies and disable safe boot options. Cerber accomplished this by launching the following processes using respective arguments:

Vssadmin.exe "delete shadows /all /quiet"

WMIC.exe "shadowcopy delete"

Bcdedit.exe "/set {default} recoveryenabled no"

Bcdedit.exe "/set {default} bootstatuspolicy ignoreallfailures

Coercion

People may wonder why victims pay the ransom to the threat actors. In some cases it is as simple as needing to get files back, but in other instances a victim may feel coerced or even intimidated. We noticed these tactics being used in this campaign, where the victim is shown the message in Figure 2 upon being infected with Cerber.

Figure 2. A message to the victim after encryption

The ransomware authors attempt to incentivize the victim into paying quickly by providing a 50 percent discount if the ransom is paid within a certain timeframe, as seen in Figure 3.

 

 

Figure 3. Ransom offered to victim, which is discounted for five days

Multilingual Support

As seen in Figure 4, the Cerber ransomware presented its message and instructions in 12 different languages, indicating this attack was on a global scale.

Figure 4.   Interface provided to the victim to pay ransom supports 12 languages

Encryption

Cerber targets 294 different file extensions for encryption, including .doc (typically Microsoft Word documents), .ppt (generally Microsoft PowerPoint slideshows), .jpg and other images. It also targets financial file formats such as. ibank (used with certain personal finance management software) and .wallet (used for Bitcoin).

Selective Targeting

Selective targeting was used in this campaign. The attackers were observed checking the country code of a host machine’s public IP address against a list of blacklisted countries in the JSON configuration, utilizing online services such as ipinfo.io to verify the information. Blacklisted (protected) countries include: Armenia, Azerbaijan, Belarus, Georgia, Kyrgyzstan, Kazakhstan, Moldova, Russia, Turkmenistan, Tajikistan, Ukraine, and Uzbekistan.

The attack also checked a system's keyboard layout to further ensure it avoided infecting machines in the attackers geography: 1049—Russian, ¨ 1058—Ukrainian, 1059—Belarusian, 1064—Tajik, 1067—Armenian, 1068—Azeri, (Latin), 1079—Georgian, 1087—Kazakh, 1088—Kyrgyz (Cyrillic), 1090—Turkmen, 1091—Uzbek (Latin), 2072—Romanian (Moldova), 2073—Russian (Moldova), 2092—Azeri (Cyrillic), 2115—Uzbek (Cyrillic).

Selective targeting has historically been used to keep malware from infecting endpoints within the author’s geographical region, thus protecting them from the wrath of local authorities. The actor also controls their exposure using this technique. In this case, there is reason to suspect the attackers are based in Russia or the surrounding region.

Anti VM Checks

The malware searches for a series of hooked modules, specific filenames and paths, and known sandbox volume serial numbers, including: sbiedll.dll, dir_watch.dll, api_log.dll, dbghelp.dll, Frz_State, C:\popupkiller.exe, C:\stimulator.exe, C:\TOOLS\execute.exe, \sand-box\, \cwsandbox\, \sandbox\, 0CD1A40, 6CBBC508, 774E1682, 837F873E, 8B6F64BC.

Aside from the aforementioned checks and blacklisting, there is also a wait option built in where the payload will delay execution on an infected machine before it launches an encryption routine. This technique was likely implemented to further avoid detection within sandbox environments.

Persistence

Once executed, Cerber deploys the following persistence techniques to make sure a system remains infected:

  • A registry key is added to launch the malware instead of the screensaver when the system becomes idle.
  • The “CommandProcessor” Autorun keyvalue is changed to point to the Cerber payload so that the malware will be launched each time the Windows terminal, “cmd.exe”, is launched.
  • A shortcut (.lnk) file is added to the startup folder. This file references the ransomware and Windows will execute the file immediately after the infected user logs in.
  • Common persistence methods such as run and runonce key are also used.
A Solid Defense

Mitigating ransomware malware has become a high priority for affected organizations because passive security technologies such as signature-based containment have proven ineffective.

Malware authors have demonstrated an ability to outpace most endpoint controls by compiling multiple variations of their malware with minor binary differences. By using alternative packers and compilers, authors are increasing the level of effort for researchers and reverse-engineers. Unfortunately, those efforts don’t scale.

Disabling support for macros in documents from the Internet and increasing user awareness are two ways to reduce the likelihood of infection. If you can, consider blocking connections to websites you haven’t explicitly whitelisted. However, these controls may not be sufficient to prevent all infections or they may not be possible based on your organization.

FireEye Endpoint Security with Exploit Guard helps to detect exploits and techniques used by ransomware attacks (and other threat activity) during execution and provides analysts with greater visibility. This helps your security team conduct more detailed investigations of broader categories of threats. This information enables your organization to quickly stop threats and adapt defenses as needed.

Conclusion

Ransomware has become an increasingly common and effective attack affecting enterprises, impacting productivity and preventing users from accessing files and data.

Mitigating the threat of ransomware requires strong endpoint controls, and may include technologies that allow security personnel to quickly analyze multiple systems and correlate events to identify and respond to threats.

HX with Exploit Guard uses behavioral intelligence to accelerate this process, quickly analyzing endpoints within your enterprise and alerting your team so they can conduct an investigation and scope the compromise in real-time.

Traditional defenses don’t have the granular view required to do this, nor can they connect the dots of discreet individual processes that may be steps in an attack. This takes behavioral intelligence that is able to quickly analyze a wide array of processes and alert on them so analysts and security teams can conduct a complete investigation into what has, or is, transpiring. This can only be done if those professionals have the right tools and the visibility into all endpoint activity to effectively find every aspect of a threat and deal with it, all in real-time. Also, at FireEye, we go one step ahead and contact relevant authorities to bring down these types of campaigns.

Click here for more information about Exploit Guard technology.

Cyber Risks in a “Connected World” can take human lives and cause physical damage

I believe that the cyber risks are always grossly underestimated or trivialized. Over the last few years due to the rapid digitization of businesses, there has been a growing spate of cyber-attacks the world over. New start-ups offer a panacea of digitized solutions through cloud platforms. With limited budgets and a focus on perfecting their business model, companies need to navigate the tradeoff between the portions of their financial capital that goes into product security as against growing the business.

The next phase of digital evolution is themed “connected” – connected cars, connected homes, and connected humans (with intelligent body parts like wireless enabled pacemakers). As businesses race to bring new connected products or to make intelligent existing products using internet enabled sensors, wireless, cloud management and mobile apps, they still seem to not realize the criticality of fool proofing these systems against cyber threats.

The risks have now extended beyond purely financial and reputation losses to threats which affect human lives.  As the world digitizes, cyber threats that damage property, cause physical harm and even kill will materialize at a scale that is virtually impossible to contain.

An early indication is the recent recall of 1.4m vehicles by Fiat Chrysler Automobiles, the world's seventh largest automaker, to fix a vulnerability that allowed hackers to use the cellular network to electronically control vital functions.Functions, which when manipulated could shut the engine down while it was being driven down the highway, take control of the steering wheel and disable the brakes. Similar threats would materialize if hackers were able to find flaws in a wireless pacemakers or other such devices.

The core issue is twofold. Firstly as the connected world becomes individualized,  malicious hackers would find and exploit flaws in products used by individuals or organizations they target. Remotely engineered assassinations may just become a reality.

The second and more dangerous consequence, is of terrorist organizations utilizing vulnerabilities that affect products used by many, cars for example, to launch mass attacks which would instantly cause more damage and widespread chaos, than detonating explosives. Such remote attacks from the Internet will bypass all conventional border security measures.

In a digitized world, cybersecurity and safety become intrinsically linked and as new standards slowly evolve, an immediate concerted attempt must be made by companies to build secure products to protect naïve cyber citizens against all sort of risks.


For a cybercitizen, security should be under the hood, so as to speak. Cybercitizens are unable to determine the extent to which these products are safe to use. Besides building safe products, systems to securely and instantly plug vulnerabilities will need to be perfected.

Cyber Security Is A Critical Element In The Modern Business World

In today's business world, nearly everyone is connected to the internet in some way, shape or form.  It's virtually unavoidable.  Businesses conduct majority of their operations online and through electronic mediums. Whether you walk into a store and make a purchase with a credit card or decide to engage in an online transaction between two businesses, information is being stored, moved and analyzed via electronics. 
Someone has the ability to access this kind of data somewhere, whether it is a company that handles your credit card information or a medical office that has your social security number. At one point or another, all data is accessible which means that cyber security is a critical element to every company's success. 
                How does your business prepare against attacks? Do you have a plan of action to defend against hackers and criminals that seek to undermine your security and steal valuable information? The network security of your business is the lifeblood, and if it is at risk, the entire network is susceptible.  If technology is not something that you understand thoroughly or have had much experience with then investing in security consultants could be one of the best choices that you could make. 
                Companies of all sizes evaluate their risk analysis and probe their defenses for weak spots. The best way to make sure that your company has the ability to successfully defend against a cyber-attack is to get an individual or organization in there that is completely familiar with protecting companies against these types of threats.  Whether it is an IT risk assessment that you need or you have to conduct a penetration test of your network, Secure Anchor can help meet and exceed your cyber-security needs.

With New Cyber Terror Threats, Investing In Cyber Security Is More Important Than Ever


In our times, network security is the most critical aspect and function of any business; almost all business are connected to online data in some way.  Even smaller companies such as small music store chains have specific email passwords and critical data that can be easily hacked by criminals.  To avoid these types of issues and to eliminate the chances of such security breaches, computer network security should be your number one priority.  There are criminals out there unlike what the world has previously witnessed; these are not people who wait to break in to your business at night.  The modern criminal is rapidly becoming a cyber threat; unseen, unheard and many times unstoppable to those who do not have proper cyber security.
                The threat is growing across the world as well; enemies of America and other countries throughout the world are rapidly planning more cyber-attacks than ever before.  Federal institutions have had their websites targeted and taken over by terror organizations, and the threat continues to grow.  It is only a matter of time before terrorist cells will see the harm they can cause by targeting the websites of average, everyday business, and conduct terror opportunities through the internet and cyberspace.  Network security should be more important than ever to every business owner; why take the risk of losing the trust of your customers and employees?  Protect your business from the unseen threats in the world, just as you would protect it from physical threats.

The Importance of Cyber Security


Cyber security is crucial to any major business, for many different reasons. We are here to provide the highest quality cyber security. To give a background on cyber security, the United States Department of National Security defines cyber security as, “preventing, detecting, and responding to attacks.” We have a staff of cyber security experts, who can handle all three of those aspects.
    Without cyber security, your network is at high risk. For starters, without cyber security a virus can completely erase any and all data, from your network.  Also, a hacker can easily invade your network, without the proper cyber security service. This means, they can alter your private information, steal your credit card numbers, or even take the private information of your customers. Once skilled hackers have this information, they can cause serious financial damage. Our cyber security services ensure your valuable information stays protected.
    Our cyber security team customizes cyber security to fit the needs of your company. Just like people, no two businesses are the same. We will take in all of your information and set up the perfect cyber security plan. One of the greatest features to our cyber security service is a penetration test. A penetration test shows exactly how vulnerable your network is. The penetration test simulates hackers, trying to steal your valuable information. Our cyber security service can take the information from a penetration test and know the exact parts of your network, which need higher cyber security.
    Our cyber security services have been trusted by Fortune 500 companies, as well as, the military and legal industries. Just to name a few. We have the cyber security experience needed to be a leader in the cyber security field.  When your company needs the highest quality cyber security, our cyber security specialists are happy to help.