Category Archives: Cybersecurity

Cyberattacks against machine learning systems are more common than you think

Machine learning (ML) is transforming critical areas such as finance, healthcare, and defense, and touches nearly every aspect of our lives. Many businesses, eager to capitalize on advances in ML, have not scrutinized the security of their ML systems. Today Microsoft, together with MITRE and with contributions from 11 organizations including IBM, NVIDIA, and Bosch, is releasing the Adversarial ML Threat Matrix, an industry-focused open framework to help security analysts detect, respond to, and remediate threats against ML systems.

Over the last four years, Microsoft has seen a notable increase in attacks on commercial ML systems. Market reports are also drawing attention to the problem: Gartner’s Top 10 Strategic Technology Trends for 2020, published in October 2019, predicts that “Through 2022, 30% of all AI cyberattacks will leverage training-data poisoning, AI model theft, or adversarial samples to attack AI-powered systems.” Despite these compelling reasons to secure ML systems, Microsoft’s survey of 28 businesses found that most industry practitioners have yet to come to terms with adversarial machine learning. Twenty-five of the 28 businesses indicated that they don’t have the right tools in place to secure their ML systems, and they are explicitly looking for guidance. This lack of preparation is not limited to smaller organizations: we spoke to Fortune 500 companies, governments, non-profits, and small and mid-sized organizations.

Our survey pointed to marked cognitive dissonance, especially among security analysts, who generally believe that risk to ML systems is a futuristic concern. This is a problem because cyberattacks on ML systems are now on the uptick. For instance, in 2020 we saw the first CVE for an ML component in a commercial system, and SEI/CERT issued the first vulnerability note drawing attention to how many current ML systems can be subjected to arbitrary misclassification attacks that undermine the confidentiality, integrity, and availability of those systems. The academic community has been sounding the alarm since 2004 and has routinely shown that ML systems, if not mindfully secured, can be compromised.

Introducing the Adversarial ML Threat Matrix

Microsoft worked with MITRE to create the Adversarial ML Threat Matrix because we believe the first step in empowering security teams to defend against attacks on ML systems is a framework that systematically organizes the techniques adversaries use to subvert ML systems. We hope that the security community can use the tabulated tactics and techniques to bolster their monitoring strategies around their organization’s mission-critical ML systems.

  1. Primary audience is security analysts: We think that securing ML systems is an infosec problem. The goal of the Adversarial ML Threat Matrix is to place attacks on ML systems in a framework within which security analysts can orient themselves to these new and emerging threats. The matrix is structured like the ATT&CK framework, owing to ATT&CK’s wide adoption among security analysts; this way, analysts do not have to learn a new framework to understand threats to ML systems. Its contents are nonetheless markedly different, because attacks on ML systems are inherently different from traditional attacks on corporate networks.
  2. Grounded in real attacks on ML Systems: We are seeding this framework with a curated set of vulnerabilities and adversary behaviors that Microsoft and MITRE have vetted to be effective against production ML systems. This way, security analysts can focus on realistic threats to ML systems. We also incorporated learnings from Microsoft’s vast experience in this space into the framework: for instance, we found that model stealing is not the end goal of the attacker but in fact leads to more insidious model evasion. We also found that when attacking an ML system, attackers use a combination of “traditional techniques” like phishing and lateral movement alongside adversarial ML techniques.
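The chain described in point 2 above, model stealing used as a stepping stone to model evasion, as an added example that is not code from the Microsoft/MITRE post or from the Threat Matrix repository. A toy "malicious/benign" linear classifier is exposed only as a hard-label oracle, the way a scoring API would be; the attacker queries it, fits a surrogate to the answers, and then follows the surrogate's gradient to move a flagged input across the boundary until the real victim misclassifies it. The victim weights, the query budget, the starting point and every threshold are constructed for illustration.

```python
import math
import random

# Victim: a linear classifier behind a label-only API. The weights are a
# constructed illustration; a real victim is a service the attacker can query
# but not inspect.
VICTIM_W = (3.0, -2.0)
VICTIM_B = 0.5


def _sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def victim_predict(x):
    """Hard-label oracle: returns 1 ("malicious") or 0 ("benign"), never a score."""
    z = VICTIM_W[0] * x[0] + VICTIM_W[1] * x[1] + VICTIM_B
    return 1 if z > 0 else 0


# Step 1, model stealing: query the oracle and fit a surrogate to its answers.
def steal_model(oracle, n_queries=400, seed=1, epochs=300, lr=0.5, l2=0.01):
    rng = random.Random(seed)
    xs = [(rng.uniform(-2, 2), rng.uniform(-2, 2)) for _ in range(n_queries)]
    ys = [oracle(x) for x in xs]          # the only information the attacker gets
    w, b = [0.0, 0.0], 0.0
    for _ in range(epochs):               # full-batch gradient descent, L2-regularised
        gw = [l2 * w[0], l2 * w[1]]
        gb = 0.0
        for (x0, x1), y in zip(xs, ys):
            err = _sigmoid(w[0] * x0 + w[1] * x1 + b) - y
            gw[0] += err * x0 / n_queries
            gw[1] += err * x1 / n_queries
            gb += err / n_queries
        w = [w[0] - lr * gw[0], w[1] - lr * gw[1]]
        b -= lr * gb
    return w, b


def surrogate_logit(model, x):
    w, b = model
    return w[0] * x[0] + w[1] * x[1] + b


# Step 2, model evasion: walk the input against the surrogate's gradient until the
# surrogate is confident it is benign, then hand the result to the real victim.
def craft_evasion(model, x, step=0.05, max_steps=200, target_prob=0.2):
    w, _ = model
    norm = math.hypot(w[0], w[1])
    direction = (-w[0] / norm, -w[1] / norm)   # steepest descent on the surrogate logit
    x_adv = list(x)
    for _ in range(max_steps):
        if _sigmoid(surrogate_logit(model, x_adv)) < target_prob:
            break
        x_adv[0] += step * direction[0]
        x_adv[1] += step * direction[1]
    return tuple(x_adv)


def cosine(u, v):
    """Alignment between the stolen direction and the true one (1.0 = identical)."""
    return (u[0] * v[0] + u[1] * v[1]) / (math.hypot(*u) * math.hypot(*v))


def run_attack():
    model = steal_model(victim_predict)
    x0 = (1.0, 0.0)                     # an input the victim flags as malicious
    x_adv = craft_evasion(model, x0)
    return {
        "surrogate_alignment": cosine(model[0], VICTIM_W),
        "original_label": victim_predict(x0),
        "evasion_label": victim_predict(x_adv),
        "perturbation": math.dist(x0, x_adv),
    }


if __name__ == "__main__":
    print(run_attack())
```

The defender-side lesson is in the query pattern: a few hundred evenly spread probes followed by a short sequence of nearly identical inputs that creep across the decision boundary is a signature worth alerting on, which is exactly the kind of monitoring the matrix is meant to help teams plan.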

Open to the community

We recognize that adversarial ML is a significant area of research in academia, so we also garnered input from researchers at the University of Toronto, Cardiff University, and the Software Engineering Institute at Carnegie Mellon University. The Adversarial ML Threat Matrix is a first attempt at collecting known adversary techniques against ML Systems and we invite feedback and contributions. As the threat landscape evolves, this framework will be modified with input from the security and machine learning community.

“When it comes to Machine Learning security, the barriers between public and private endeavors and responsibilities are blurring; public sector challenges like national security will require the cooperation of private actors as much as public investments. So, in order to help address these challenges, we at MITRE are committed to working with organizations like Microsoft and the broader community to identify critical vulnerabilities across the machine learning supply chain.

This framework is a first step in helping to bring communities together to enable organizations to think about the emerging challenges in securing machine learning systems more holistically.”

– Mikel Rodriguez, Director of Machine Learning Research, MITRE

This initiative is part of Microsoft’s commitment to develop and deploy ML systems securely. The AI, Ethics, and Effects in Engineering and Research (Aether) Committee provides guidance to engineers to develop safe, secure, and reliable ML systems and uphold customer trust. To comprehensively protect and monitor ML systems against active attacks, the Azure Trustworthy Machine Learning team routinely assesses the security posture of critical ML systems and works with product teams and front-line defenders from the Microsoft Security Response Center (MSRC). The lessons from these activities are routinely shared with the community in several forms:

  • For engineers and policymakers, in collaboration with Berkman Klein Center at Harvard University, we released a taxonomy documenting various ML failure modes.
  • For developers, we released threat modeling guidance specifically for ML systems.
  • For security incident responders, we released our own bug bar to systematically triage attacks on ML systems.
  • For academic researchers, Microsoft opened a $300K Security AI RFP and is, as a result, partnering with multiple universities to push the boundary in this space.
  • For industry practitioners and security professionals to develop muscle in defending and attacking ML systems, Microsoft hosted a realistic machine learning evasion competition.

This effort is aimed at security analysts and the broader security community: the matrix and the case studies are meant to help in strategizing protection and detection, and the framework seeds those case studies with real attacks on ML systems so that teams can carry out similar exercises in their own organizations and validate their monitoring strategies.

To learn more about this effort, visit the Adversarial ML Threat Matrix GitHub repository and read about the topic from MITRE’s announcement, and SEI/CERT blog.

The post Cyberattacks against machine learning systems are more common than you think appeared first on Microsoft Security.

Affected by a Data Breach? Here Are Five Security Steps You Should Take


Five Tips to Secure Your Credit Card Data From This Recent Data Breach

Users share their personal information with companies for multiple reasons. Whether they’re checking into a hotel room, using a credit card to make a purchase at their favorite food spot, or collecting rewards points at a local coffee shop, consumers give companies more access to data than they may realize. While this can help you build relationships with your favorite vendors, what happens if their security is compromised?

Dickey’s BBQ Breach

Just this week, for example, cybercriminals were found to be selling online a batch of over three million credit card records, all from cards used at Dickey’s BBQ establishments over the past 13 to 15 months. Researchers stated that Dickey’s payment systems were likely compromised by card-stealing malware, with the highest exposure in California and Arizona. Financial institutions working with the researchers said they have already observed a significant amount of fraud carried out with these cards.

Staying Secure in Light of Data Breaches

If you think you were affected by this breach, there are multiple steps you can take to help protect yourself from the potential side effects.

Check out the following tips if you think you may have been affected by a recent data breach, or just want to take extra precautions:

Keep an eye on your bank account

One of the most effective ways to determine whether someone is fraudulently using your credit card information is to monitor your bank and card statements. If you see any charges that you did not make, report them to your card issuer right away so the card can be cancelled and reissued.

Place a fraud alert

If you suspect that your data might have been compromised, place a fraud alert on your credit file. A fraud alert requires lenders to take extra steps to verify your identity before opening new credit in your name, and it entitles you to a free copy of your credit report so you can check for suspicious activity. You need to request it from only one of the three major bureaus, which must notify the other two.

Freeze your credit

Freezing your credit blocks lenders from pulling your credit report, which stops most attempts to take out loans or open new accounts in your name. To do this effectively, you will need to freeze your credit at each of the three major credit-reporting agencies (Equifax, TransUnion, and Experian). Note that a freeze does nothing for accounts that already exist, so keep monitoring those statements.

Consider using identity theft protection

A solution like McAfee Identity Theft Protection will help you monitor your accounts and alert you to any suspicious activity.

Expand your security toolbox

To use your credit card more safely for online purchases, add both a VPN and a password manager to your toolbox of security solutions. A VPN encrypts your traffic so that others on the same network, such as public Wi-Fi, cannot read it, while a password manager helps you keep track of and protect all your online accounts with unique, strong passwords. Both come included in McAfee Total Protection.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.


The post Affected by a Data Breach? Here Are Five Security Steps You Should Take appeared first on McAfee Blogs.

People-centred approach to cybersecurity needed as Canadians shift to an increasingly digital economy

By Ireen Birungi, Chief Information Security Officer, Interac Corp. For too long the cybersecurity world has viewed people as the weakest link and biggest point of vulnerability when it comes to risk. However, post COVID-19 we are starting to see a shift in this mentality – a shift that sees people as the greatest asset…

The post People-centred approach to cybersecurity needed as Canadians shift to an increasingly digital economy first appeared on IT World Canada.

Cybercrime capitalizing on the convergence of COVID-19 and 2020 election

The cybersecurity challenges of the global pandemic are now colliding with the 2020 U.S. presidential election resulting in a surge of cybercrime, VMware research reveals.

Attacks growing increasingly sophisticated and destructive

As eCrime groups grow more powerful, these attacks have grown increasingly sophisticated and destructive – respondents reported that 82 percent of attacks now involve instances of counter incident response (IR), and 55 percent involve island hopping, where an attacker infiltrates an organization’s network to … More

The post Cybercrime capitalizing on the convergence of COVID-19 and 2020 election appeared first on Help Net Security.

Exploring the prolific threats influencing the cyber landscape

Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture. The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year. “Since COVID-19 radically shifted the … More

The post Exploring the prolific threats influencing the cyber landscape appeared first on Help Net Security.

How tech trends and risks shape organizations’ data protection strategy

Trustwave released a report which depicts how technology trends, compromise risks and regulations are shaping how organizations’ data is stored and protected.

Data protection strategy

The report is based on a recent survey of 966 full-time IT professionals who are cybersecurity decision makers or security influencers within their organizations. Over 75% of respondents work in organizations with over 500 employees in key geographic regions including the U.S., U.K., Australia and Singapore. “Data drives the global … More

The post How tech trends and risks shape organizations’ data protection strategy appeared first on Help Net Security.

Organizations with remote workforces need new security solutions

Remote work has left many organizations lagging in productivity and revenue due to remote access solutions. 19% of IT leaders surveyed said they often or always experience network performance and latency issues when using legacy remote access solutions, with an additional 43% saying they sometimes do. Those issues have resulted in a loss of productivity for 68% of respondents and a loss of revenue for 43%, a Perimeter 81 report reveals. According to the report, … More

The post Organizations with remote workforces need new security solutions appeared first on Help Net Security.

Addressing cybersecurity risk in industrial IoT and OT

As the industrial Internet of Things (IIoT) and operational technology (OT) continue to evolve and grow, so too, do the responsibilities of the Chief Information Security Officer (CISO). The CISO now needs to mitigate risks from cloud-connected machinery, warehouse systems, and smart devices scattered among hundreds of workstations. Managing those security risks includes the need to ensure safety in manufacturing, oil and gas facilities, public utilities, transportation, civic infrastructure, and more.

Analysts predict roughly 21.5 billion IoT devices connected worldwide in 2025, drastically increasing the attack surface. Because embedded devices often go unpatched, CISOs need new strategies to mitigate IIoT/OT risks, which differ in crucial ways from those found in information technology (IT). Your Board of Directors (BoD) and leadership team need to understand that difference. Costly production outages, safety failures with injuries or loss of life, environmental damage leading to liability: all are potentially disastrous scenarios that have moved IIoT and OT to the center of cyber threat management.

An evolving threat landscape

Both IIoT and OT are considered cyber-physical systems (CPS); meaning, they encompass both the digital and physical worlds. This makes any CPS a desirable target for adversaries seeking to cause environmental contamination or operational disruption. As recent history shows, such attacks are already underway. Examples include the TRITON attack—intended to cause a serious safety incident—on a Middle East chemical facility and the Ukrainian electrical-grid attacks. In 2017, ransomware dubbed NotPetya paralyzed the mighty Maersk shipping line and nearly halted close to a fifth of the world’s shipping capacity. It also spread to pharma giant Merck, FedEx, and numerous European firms before boomeranging back to Russia to attack the state oil company, Rosneft.

In 2019, Microsoft observed a Russian state-sponsored actor using IoT devices—a VOIP phone, an office printer, and a video decoder—as entry points into corporate networks, from which it attempted to elevate privileges. Attackers have also compromised building access control systems to pivot into corporate networks, and have conscripted insecure IoT devices into botnets for distributed denial-of-service (DDoS) attacks, in which a target is overwhelmed by a flood of traffic until it fails.

The current model

Since the 1990s, the Purdue Enterprise Reference Architecture (PERA), aka the Purdue Model, has been the standard model for organizing (and segregating) enterprise and industrial control system (ICS) network functions. PERA divides the enterprise into numbered “Levels,” each representing a subset of systems. Security controls between levels are typified by a “demilitarized zone” (DMZ) and a firewall.

Conventional approaches restrict downward access to Level 3 from Levels 4 and 5 (and the internet). Heading upward, only Levels 2 and 3 may communicate with Levels 4 and 5, and the lowest two Levels (machinery and process) must keep their data and communications within the organization’s OT.

But in the IIoT era, data no longer flows hierarchically as the Purdue Model prescribes. With the rise of edge computing, smart sensors and controllers (Levels 0 and 1) now bypass the firewalls and communicate directly with the cloud, exposing devices the model assumed were unreachable from outside.

Modernizing this model with Zero Trust principles at Levels 4 and 5, so that every device and connection is authenticated and authorized rather than trusted for sitting on a particular segment, can help bring an organization’s IIoT/OT into line with the cloud era.
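The Purdue rules above, turned into a check that a defender can run over flow records, as an added example that is not part of the original Microsoft post. The level-to-subnet map, the flow records and the simplified reading of the rules (traffic stays inside Levels 0 to 3, goes upward only from Level 2 or 3 into Level 4 or 5, or stays inside the enterprise and internet tier) are all constructed assumptions; a real plant would load its zone map from its asset inventory and feed the checker from NetFlow or a network monitor. The interesting hit is the Level 1 sensor talking straight to a cloud broker, the IIoT-era bypass described in the text.

```python
import ipaddress

# Constructed zone map: which Purdue level each subnet belongs to. Addresses are
# illustrative, not from any real plant. Anything outside the map is treated as
# "internet" (cloud services included).
ZONES = {
    "10.0.0.0/24": 0,   # field devices: sensors, actuators
    "10.1.0.0/24": 1,   # basic control: PLCs, RTUs
    "10.2.0.0/24": 2,   # supervisory control: HMIs, engineering workstations
    "10.3.0.0/24": 3,   # site operations: historians, MES
    "10.4.0.0/24": 4,   # site business planning: ERP, file servers
    "10.5.0.0/24": 5,   # enterprise network
}
INTERNET = "internet"


def level_of(ip):
    """Map an address to its Purdue level, or INTERNET if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return level
    return INTERNET


def flow_allowed(src_level, dst_level):
    """Simplified reading of the Purdue rules in the text (an assumption here):
    traffic stays inside OT (Levels 0-3), or goes up from Level 2/3 to Level 4/5,
    or stays inside the enterprise/internet tier. Anything else is a violation."""
    ot = {0, 1, 2, 3}
    enterprise = {4, 5, INTERNET}
    if src_level in ot and dst_level in ot:
        return True                      # machinery and process data stay in OT
    if src_level in (2, 3) and dst_level in (4, 5):
        return True                      # upward only from Level 2/3, via the DMZ
    if src_level in enterprise and dst_level in enterprise:
        return True
    return False                         # downward into Level 3 or below, or L0/L1 straight to cloud


def check_flows(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port). Returns the violating flows,
    annotated with the levels involved, in input order."""
    violations = []
    for src, dst, port in flows:
        s, d = level_of(src), level_of(dst)
        if not flow_allowed(s, d):
            violations.append({"src": src, "dst": dst, "port": port,
                               "src_level": s, "dst_level": d})
    return violations


# Constructed NetFlow-style records, not captured from a real network.
SAMPLE_FLOWS = [
    ("10.1.0.5", "10.2.0.10", 502),       # PLC -> HMI over Modbus: inside OT, fine
    ("10.3.0.4", "10.4.0.2", 443),        # historian -> ERP: upward from Level 3, fine
    ("10.1.0.7", "203.0.113.20", 8883),   # "smart" sensor -> cloud MQTT: bypasses the DMZ
    ("10.4.0.2", "10.1.0.5", 502),        # ERP host -> PLC: downward access into control
    ("10.5.0.9", "10.3.0.4", 3389),       # enterprise laptop -> historian RDP: downward
]

if __name__ == "__main__":
    for v in check_flows(SAMPLE_FLOWS):
        print(v)
```

Run against the sample records it reports three flows; the first two are the hierarchical paths the model expects and pass. Real deployments add a Level 3.5 DMZ to the map and whitelist the specific broker and port that a sanctioned cloud connector is allowed to use, so that the rule flags only the unsanctioned bypasses.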

A new strategy

Consequence-driven cyber-informed engineering (CCE) is a methodology developed by Idaho National Laboratory (INL) to address the unique risks posed by IIoT/OT. Unlike conventional approaches to cybersecurity, CCE treats consequence as the first aspect of risk management and proactively engineers for potential impacts. Based on CCE, there are four steps that your organization, public or private, should prioritize:

  1. Identify your “crown jewel” processes: Concentrate on protecting critical “must-not-fail” functions whose failure could cause safety, operational, or environmental damage.
  2. Map your digital estate: Examine all the digital pathways that could be exploited by adversaries. Identify all of your connected assets—IT, IoT, building management systems (BMS), OT, smart personal devices—and understand who has access to what, including vendors, maintenance people, and remote workers.
  3. Spotlight likely attack paths: Analyze vulnerabilities to determine attack routes leading to your crown jewel processes, including possible social engineering schemes and physical access to your facilities.
  4. Mitigate and protect: Prioritize options that allow you to “engineer out” cyber risks that present the highest consequences. Implement Zero Trust segmentation policies to separate IIoT and OT devices from other networks. Reduce the number of internet-accessible entry points and patch vulnerabilities in likely attack paths.

Making the case in real terms

Your leadership and BoD have a vested interest in seeing a return on investment (ROI) for any new software or hardware. Usually, the type of ROI they want and expect is increased revenue. But returns on security software often can’t be seen in a quarterly statement. That means cybersecurity professionals have to present a solid case. Here are some straightforward benefits to investing in IIoT/OT cybersecurity software that you can take into the boardroom:

  • Prevent safety or environmental costs: Security failures at chemical, mining, oil, transportation, or other industrial facilities can cause consequences more dire than an IT breach. Lives can be lost, and costs incurred from toxic clean-up, legal liability, and brand damage can reach into the hundreds of millions.
  • Minimize downtime: As the NotPetya and LockerGoga attacks demonstrated, downtime incurs real financial losses that affect everyone—from plant personnel all the way up to shareholders.
  • Stop IP theft: Companies in the pharmaceutical industry, energy production, defense, high-tech, and others spend millions on research and development. Losses from having their intellectual property stolen by nation states or competitors can also be measured in the millions.
  • Avoid regulatory fines: Industries such as pharmaceuticals, oil/gas, transportation, and healthcare are heavily regulated. Therefore, they are vulnerable to large fines if a security breach in IIoT/OT causes environmental damage or loss of life.

The way forward

For today’s CISO, securing the digital estate now means being accountable for all digital security—IT, OT, IIoT, BMS, and more. This requires an integrated approach—embracing people, processes, and technology. A good checklist to start with includes:

  • Enable IT and OT teams to embrace their common goal—supporting the organization.
  • Bring your IT security people onsite so they can understand how OT processes function.
  • Show OT personnel how visibility helps the cybersecurity team increase safety and efficiency.
  • Bring OT and IT together to find shared solutions.

With attackers now pivoting across both IT and OT environments, Microsoft developed Azure Defender for IoT to integrate seamlessly with Azure Sentinel and Azure Sphere—making it easy to track threats across your entire enterprise. Azure Defender for IoT utilizes:

  • Automated asset discovery for both new greenfield and legacy unmanaged IoT/OT devices.
  • Vulnerability management to identify IIoT/OT risks, detect unauthorized changes, and prioritize mitigation.
  • IIoT/OT-aware behavioral analytics to detect advanced threats faster and more accurately.
  • Integration with Azure Sentinel and third-party solutions like other SIEMs, ticketing, and CMDBs.

Azure Defender for IoT makes it easier to see and mitigate risks and to present those risks to your BoD. Microsoft invests more than USD 1 billion annually in cybersecurity research, and Azure has more compliance certifications than any other cloud provider.

Plain language and concrete examples go far when making the case for IIoT/OT security software. Your organization should define what it will—and more importantly, will not—tolerate as operational risks. For example: “We tolerate no risk to human life or safety”; “no permanent damage to the ecosystem”; “no downtime that will cost jobs.” Given the potential for damages incurred from downtime, injuries, environmental liability, or tarnishing your brand, an investment in cybersecurity software for IIoT/OT makes both financial and ethical sense.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Addressing cybersecurity risk in industrial IoT and OT appeared first on Microsoft Security.

Solid security in the new normal a matter of the right provider

Today’s threat landscape is constantly shifting, which makes company security like a game of whack-a-mole. Full marks go to cyber-professionals for their effort and ingenuity in trying to keep hackers at bay. Unfortunately, the problem is not around effort levels but around a level of security complexity that continues to rise. Overnight, the pandemic and…

The post Solid security in the new normal a matter of the right provider first appeared on IT World Canada.

25 vulnerabilities exploited by Chinese state-sponsored hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a list of 25 vulnerabilities Chinese state-sponsored hackers have been recently scanning for or have exploited in attacks. “Most of the vulnerabilities […] can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access or for external web services, and … More

The post 25 vulnerabilities exploited by Chinese state-sponsored hackers appeared first on Help Net Security.

5G and the IoT: A Look Ahead at What’s Next for Your Home and Community


October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Imagine it’s 20 years ago and someone at a dinner party predicts that one day you could pop down to the appliance store and buy an internet-connected fridge. Your year 2000 self might have shaken that off and then asked, “Why would someone ever do that?”

Yet here we are.

Today, so much is getting connected. Our appliances, security systems, and even our coffeemakers too. So far this month, we’ve talked about protecting these connected things and securing these new digital frontiers as Internet of Things (IoT) devices transform not only our homes, but businesses and communities as well.

To wrap up Cybersecurity Awareness Month, let’s look ahead at how the next wave of connected devices could take shape, starting with the network that billions of them will find themselves on: 5G.

5G is the key

You’ve no doubt seen plenty of commercials from the big mobile carriers as they tout the rollout of their new, more powerful 5G networks. And more powerful they are. For starters, 5G is expected to operate roughly 10 times faster than the 4G LTE networks many of us enjoy now—with the potential to get yet faster than that over time.

While mention of faster speeds continues to be the top selling point in ads and the like, 5G offers another pair of big benefits: greater bandwidth and lower latency. Taken together, that means 5G networks can host more devices than before and with a near-instantaneous response time.

The implication of these advances is that billions and billions of new devices will connect to mobile networks directly, at terrific speeds, rather than to Wi-Fi networks. Of those, many billions will be IoT devices. And that means more than just phones.

What will those devices look like?

One answer is plenty more of what we’re already starting to see today—such as commercial and industrial devices that track fleet vehicles, open locks on tractor trailer deliveries based on location, monitor heating and air conditioning systems, oversee supply chains. We’ll also see more devices that manage traffic, meter utilities, and connect devices used in healthcare, energy, and agriculture. That’s in addition to the ones we’ll own ourselves, like wearables and even IoT tech in our cars.

All together, we’ll add about 15 billion new IoT devices to the 26 billion IoT devices already in play today for a total of an expected 41 billion IoT devices in 2025.

Securing 5G and the IoT

Citing those examples of IoT applications underscores the critical need for safety and security in the new 5G networks. This is a network we will count on in numerous ways. Businesses will trust their operations to the IoT devices that operate on it. Cities will run their infrastructure on 5G IoT devices. And we, as people, will use 5G networks for everything from entertainment to healthcare. Not only will IoT devices themselves need protection, but the networks will need to be hardened as well. And you can be certain that increased network security, and security in general, is a part of our future forecast.

The GSMA, an industry group representing more than 750 operators in the mobile space, calls out the inherent need for security for 5G networks in their 5G Reference Guide for Operators. In their words, “New threats will be developed as attackers are provided live service environment to develop their techniques. 5G is the first generation that recognizes this threat and has security at its foundation.” When you consider the multitude of devices and the multitude of applications that will find their way onto 5G, a “square one” emphasis on security makes absolute sense. It’s a must.

While standards and architectures are taking shape and in their first stages of implementation, we can expect operators to put even more stringent defenses in place: stronger encryption, authentication of devices so that rogue or compromised ones cannot join, and network slicing that isolates one service’s traffic from another’s.

Another consideration for security, beyond the oncoming flood of emerging devices and services that will find their way onto 5G networks, is the sheer volume of traffic and data they will generate. One estimate puts 5G traffic at 79.4 zettabytes (ZB) of data in 2025. (What’s a zettabyte? A 1 followed by 21 zeroes, or a trillion gigabytes.) This will call for an evolution in security that makes further use of machine learning and AI to curb a similarly increased volume of threats, with technologies much like you see in our McAfee security products today.

The newest IoT devices making their way into your home

“Siri/Alexa/Cortana/Google, play Neko Case I Wish I Was the Moon.”

We’ve all gotten increasingly comfy with the idea of connected devices in our homes, like our smart assistants. Just in 2018, Juniper Research estimated that there’d be some 8 billion digital voice assistants globally by 2023, thanks in large part to things like smart TVs and other devices for the home. Expect to see more IoT devices like those available for use in and around your house.

What shape and form might they take? Aside from the voice-activated variety, plenty of IoT devices will help us automate our homes more and more. For example, you might have smart sensors in your garden that can tell when your tomatoes are thirsty and activate your soaker hoses for a drink—or other smart sensors placed near your water heater that will text you when they detect a leak.

Beyond that, we’re already purchasing connected lights and smart thermostats, but how about connecting these things all together to create presets for your home? Imagine a setting called “Movie Night,” where a simple voice command draws the shades, lowers the lights, turns on the gas fireplace, and fires up the popcorn maker. All you need to do is get your slippers.

Next, add in a degree of household AI, which can learn your preferences and habits. Aspects of your home may run themselves and predict things for you, like the fact that you like your coffee piping hot at 5:30am on Tuesdays. Your connected coffeemaker will have it ready for you.

These scenarios were once purely of the George Jetson variety (remember him?), yet more and more people will get to indulge in these comforts and conveniences as the technology becomes more pervasive and affordable.

Technology for All

One point of consideration with any emerging technology like the IoT on 5G is access.

This year drove home a hard reality: access to high-speed internet, whether via mobile device or a home network is no longer a luxury. It’s a utility. Like running water. We need it to work. We need it to study. We need it to bank, shop, and simply get things done.

Yet people in underserved and rural communities in the U.S. still have no access to broadband internet in their homes. Nearly 6 in 10 of U.S. parents with lower incomes say their child may face digital obstacles in schoolwork because of reduced access to devices and quality internet service. And I’ve heard anecdotes from educators about kids taking classes online who have to pull into their school’s parking lot to get proper Wi-Fi, simply because they don’t have a quality connection at home.

The point is this: as these IoT innovations continue to knit their way into our lives and the way the world works, we can’t forget that there’s still a digital divide that will take years of effort, investment, and development before that gap gets closed. And I see us closing that gap in partnership, as people and communities, businesses and governments, all stand to benefit when access to technology increases.

So as we look to the future, my hope is that we all come to see high-speed internet connections for what they are—an absolute essential—and take the steps needed to deliver on it. That’s an advance I’d truly embrace.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post 5G and the IoT: A Look Ahead at What’s Next for Your Home and Community appeared first on McAfee Blogs.

Moving to the cloud with a security-first, zero trust approach

Many companies tend to jump into the cloud before thinking about security. They may think they’ve thought about security, but when moving to the cloud, the whole concept of security changes. The security model must transform as well.

Moving to the cloud and staying secure

Most companies maintain a “castle, moat, and drawbridge” attitude to security. They put everything inside the “castle” (datacenter); establish a moat around it, with sharks and alligators, guns on turrets; … More

The post Moving to the cloud with a security-first, zero trust approach appeared first on Help Net Security.

Preventing cybersecurity’s perfect storm

Zerologon might have been cybersecurity’s perfect storm: that moment when multiple conditions collide to create a devastating disaster. Thanks to Secura and Microsoft’s rapid response, it wasn’t. Zerologon scored a perfect 10 CVSS score. Threats rating a perfect 10 are easy to execute and have deep-reaching impact. Fortunately, they aren’t frequent, especially in prominent software brands such as Windows. Still, organizations that perpetually lag when it comes to patching become prime targets for cybercriminals. Flaws … More

The post Preventing cybersecurity’s perfect storm appeared first on Help Net Security.

Researchers open the door to new distribution methods for secret cryptographic keys

Researchers from the University of Ottawa, in collaboration with Ben-Gurion University of the Negev and Bar-Ilan University scientists, have been able to create optical framed knots in the laboratory that could potentially be applied in modern technologies.

Top view of the framed knots generated in this work

Their work opens the door to new methods of distributing secret cryptographic keys – used to encrypt and decrypt data, ensure secure communication and protect private information. “This … More

The post Researchers open the door to new distribution methods for secret cryptographic keys appeared first on Help Net Security.

CISOs split on how to enable remote work

CISOs are conflicted about how their companies can best reposition themselves to address the sudden and rapid shift to remote work caused by the pandemic, a Hysolate research reveals. The story emerging from the data in the study is clear: COVID-19 has accelerated the arrival of the remote-first era. Legacy remote access solutions such as virtual desktop infrastructure (VDI), desktop-as-a-service (DaaS), and virtual private networks (VPN), among others, leave much to be desired in the … More

The post CISOs split on how to enable remote work appeared first on Help Net Security.

Global spending on cloud services to surpass $1 trillion in 2024

The COVID-19 pandemic has largely proven to be an accelerator of cloud adoption and extension and will continue to drive a faster conversion to cloud-centric IT.

Global spending on cloud services to rise

According to IDC, total global spending on cloud services, the hardware and software components underpinning cloud services, and the professional and managed services opportunities around cloud services will surpass $1 trillion in 2024 while sustaining a double-digit compound annual growth rate (CAGR) … More

The post Global spending on cloud services to surpass $1 trillion in 2024 appeared first on Help Net Security.

Cybersecurity Visuals

The Hewlett Foundation just announced its top five ideas in its Cybersecurity Visuals Challenge. The problem Hewlett is trying to solve is the dearth of good visuals for cybersecurity. A Google Images Search demonstrates the problem: locks, fingerprints, hands on laptops, scary looking hackers in black hoodies. Hewlett wanted to go beyond those tropes.

I really liked the idea, but find the results underwhelming. It’s a hard problem.

Hewlett press release.

US charges Sandworm hackers who mounted NotPetya, other high-profile attacks

The Sandworm Team hacking group is part of Unit 74455 of the Russian Main Intelligence Directorate (GRU), the US Department of Justice (DoJ) claimed as it unsealed an indictment against six hackers and alleged members on Monday.

Sandworm Team attacks

“These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: Ukraine; Georgia; elections in France; efforts to hold Russia accountable … More

The post US charges Sandworm hackers who mounted NotPetya, other high-profile attacks appeared first on Help Net Security.

Can we trust passwordless authentication?

We are beginning to shift away from what has long been our first and last line of defense: the password. It’s an exciting time. Since the beginning, passwords have aggravated people. Meanwhile, passwords have become the de facto first step in most attacks. Yet I can’t help but think, what will the consequences of our actions be?

Intended and unintended consequences

Back when overhead cameras came to the express toll routes in Ontario, Canada, it … More

The post Can we trust passwordless authentication? appeared first on Help Net Security.

What is confidential computing? How can you use it?

What is confidential computing? Can it strengthen enterprise security? Sam Lugani, Lead Security PMM, Google Workspace & GCP, answers these and other questions in this Help Net Security interview.

How does confidential computing enhance the overall security of a complex enterprise architecture?

We’ve all heard about encryption in-transit and at-rest, but as organizations prepare to move their workloads to the cloud, one of the biggest challenges they face is how to process sensitive data while … More

The post What is confidential computing? How can you use it? appeared first on Help Net Security.

SecOps teams turn to next-gen automation tools to address security gaps

SOCs across the globe are most concerned with advanced threat detection and are increasingly looking to next-gen automation tools like AI and ML technologies to proactively safeguard the enterprise, Micro Focus reveals.

Growing deployment of next-gen tools and capabilities

The report’s findings show that over 93 percent of respondents employ AI and ML technologies with the leading goal of improving advanced threat detection capabilities, and that over 92 percent of respondents expect to use or … More

The post SecOps teams turn to next-gen automation tools to address security gaps appeared first on Help Net Security.

Is poor cyber hygiene crippling your security program?

Cybercriminals are targeting vulnerabilities created by the pandemic-driven worldwide transition to remote work, according to Secureworks. The report is based on hundreds of incidents the company’s IR team has responded to since the start of the pandemic.

Threat level is unchanged

While initial news reports predicted a sharp uptick in cyber threats after the pandemic took hold, data on confirmed security incidents and genuine threats to customers show the threat level is largely unchanged. Instead, … More

The post Is poor cyber hygiene crippling your security program? appeared first on Help Net Security.

Biometric device revenues to drop 22%, expected to rebound in 2021

In the aftermath of the COVID-19 pandemic, global biometric device revenues are expected to drop 22% ($1.8 billion) to $6.6 billion, according to a report from ABI Research. The entire biometrics market, however, will regain momentum in 2021 and is expected to reach approximately $40 billion in total revenues by 2025.

Global biometric device revenues in 2020

“The current decline in the biometrics market landscape stems from multifaceted challenges from a governmental, commercial, and technological … More

The post Biometric device revenues to drop 22%, expected to rebound in 2021 appeared first on Help Net Security.

Seven Tips for Protecting Your Internet-Connected Healthcare Devices


Seven Tips for Protecting Your Internet-Connected Healthcare Devices: Cybersecurity Awareness Month

October is Cybersecurity Awareness Month, which is led by the U.S. government’s Cybersecurity and Infrastructure Security Agency (CISA) in conjunction with the National Cyber Security Alliance (NCSA)—a national non-profit focused on cybersecurity education & awareness. McAfee is pleased to announce that we’re a proud participant.

Fitness trackers worn on the wrist, glucose monitors that test blood sugar without a prick, and connected toothbrushes that let you know when you’ve missed a spot—welcome to internet-connected healthcare. It’s a new realm of care with breakthroughs big and small. Some you’ll find in your home, some you’ll find inside your doctor’s office, yet all of them are connected. Which means they all need to be protected. After all, they’re not tracking any old data. They’re tracking our health data, one of the most precious things we own.

What is internet-connected healthcare?

Internet-connected healthcare, also known as connected medicine, is a broad topic. On the consumer side, it covers everything from smart watches that track health data to wireless blood pressure monitors that you can use at home. On the practitioner side, it accounts for technologies ranging from electronic patient records, network-enabled diagnostic devices, remote patient monitoring in the form of wearable devices, apps for therapy, and even small cameras that can be swallowed in the form of a pill to get a view of a patient’s digestive system.

Additionally, it also includes telemedicine visits, where you can get a medical issue diagnosed and treated remotely via your smartphone or computer by way of a video conference or a healthcare provider’s portal—which you can read about more in one of my blogs from earlier this year. In all, big digital changes are taking place in healthcare—a transformation that’s rapidly taking shape to the tune of a global market expected to top USD 534.3 billion by 2025.

Privacy and security in internet-connected healthcare

Advances in digital healthcare have come more slowly compared to other aspects of our lives, such as consumer devices like phones and tablets. Security is a top reason why. Not only must a healthcare device go through a rigorous design and approval process to ensure it’s safe, sound, and effective, it is also held to similarly rigorous regulation when it comes to medical data privacy. For example, in the U.S., we have the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which sets privacy and security standards for certain health information.

Taken together, this requires additional development time for any connected medical device or solution, in addition to the time it takes to develop one with the proper efficacy. Healthcare device manufacturers cannot simply move as quickly as, say, a smartphone manufacturer can. And rightfully so.

Seven tips for protecting your internet-connected healthcare devices

However, for this blog, we’ll focus on the home and personal side of the equation, with devices like fitness trackers, glucose monitors, smart watches, and wearable devices in general—connected healthcare devices that more and more of us are purchasing on our own. To be clear, while these devices may not always be categorized as healthcare devices in the strictest (and regulatory) sense, they are gathering your health data, which you should absolutely protect. Here are some straightforward steps you can take:

1) First up, protect your phone

Many medical IoT devices use a smartphone as an interface, and as a means of gathering, storing, and sharing health data. So whether you’re an Android owner or iOS owner, get security software installed on your phone so you can protect all the things it accesses and controls. Additionally, installing it will protect you and your phone in general as well.

2) Set strong, unique passwords for your medical IoT devices

Some IoT devices have found themselves open to attack because they come with a default username and password—which are often published on the internet. When you purchase any IoT device, set a fresh password using a strong method of password creation. And keep those passwords safe. Instead of keeping them in a notebook or on sticky notes, consider using a password manager.

3) Use two-factor authentication

You’ve probably come across two-factor authentication while banking, shopping, or logging into any other number of accounts. Using a combination of your username, password, and a security code sent to another device you own (typically a mobile phone) makes it tougher for hackers to crack your device. If your IoT device supports two-factor authentication, use it for extra security.

4) Update your devices regularly

This is vital. Make sure you have the latest updates so that you get the latest functionality from your device. Equally important is that updates often contain security upgrades. If you can set your device to receive automatic updates, do so.

5) Secure your internet router

Your medical IoT device will invariably use your home Wi-Fi network to connect to the internet, just like your other devices. All the data that travels over that network is already personal and private, and that goes double for any health data that passes along it. Make sure you use a strong and unique password. Also change the name of your router so it doesn’t give away your address or identity. One more step is to check that your router is using an encryption method, like WPA2, which will keep your signal secure. You may also want to consider investing in an advanced internet router that has built-in protection, which can secure and monitor any device that connects to your network.

6) Use a VPN and a comprehensive security solution

Similar to the above, another way you can further protect the health data you send over the internet is to use a virtual private network, or VPN. A VPN uses an encrypted connection to send and receive data, which shields it from prying eyes. A hacker attempting to eavesdrop on your session will effectively see a mish-mash of garbage data, which helps keep your health data secure.

7) When purchasing, do your research

One recent study found that 25% of U.S. homeowners with broadband internet expect to purchase a new connected consumer health or fitness device within the next year. Just be sure yours is secure. Read up on reviews and comments about the devices you’re interested in, along with news articles about their manufacturers. See what their track record is on security, such as if they’ve exposed data or otherwise left their users open to attack.

Take care of your health, and your health data

Bottom line, when we speak of connected healthcare, we’re ultimately speaking about one of the most personal things you own: your health data. That’s what’s being collected. And that’s what’s being transmitted by your home network. Take these extra measures to protect your devices, data, and yourself as you enjoy the benefits of the connected care you bring into your life and home.

The post Seven Tips for Protecting Your Internet-Connected Healthcare Devices appeared first on McAfee Blogs.

Review: Netsparker Enterprise web application scanner

Vulnerability scanners can be a very useful addition to any development or operations process. Since a typical vulnerability scanner needs to detect vulnerabilities in deployed software, they are (generally) not dependent on the language or technology used for the application they are scanning. This often doesn’t make them the top choice for detecting a large number of vulnerabilities or even detecting fickle bugs or business logic issues, but makes them great and very common tools … More

The post Review: Netsparker Enterprise web application scanner appeared first on Help Net Security.

Global adoption of data and privacy programs still maturing

The importance of privacy and data protection is a critical issue for organizations as it transcends beyond legal departments to the forefront of an organization’s strategic priorities. FairWarning research, based on survey results from more than 550 global privacy and data protection, IT, and compliance professionals, outlines the characteristics and behaviors of advanced privacy and data protection teams. By examining the trends of privacy adoption and maturity across industries, the research uncovers adjustments that … More

The post Global adoption of data and privacy programs still maturing appeared first on Help Net Security.

Most US states show signs of a vulnerable election-related infrastructure

75% of all 56 U.S. states and territories, leading up to the presidential election, showed signs of a vulnerable IT infrastructure, a SecurityScorecard report reveals. Since most state websites offer access to voter and election information, these findings may indicate unforeseen issues leading up to, and following, the US election.

Election infrastructure: High-level findings

Seventy-five percent of U.S. states and territories’ overall cyberhealth is rated a ‘C’ or below; 35% have a ‘D’ and below. … More

The post Most US states show signs of a vulnerable election-related infrastructure appeared first on Help Net Security.

Most cybersecurity pros believe automation will make their jobs easier

Despite 88% of cybersecurity professionals believing automation will make their jobs easier, younger staffers are more concerned that the technology will replace their roles than their veteran counterparts, according to research by Exabeam. Overall, satisfaction levels continued a 3-year positive trend, with 96% of respondents indicating they are happy with their role and responsibilities and 87% reportedly pleased with salary and earnings. Additionally, there was improvement in gender diversity with female respondents increasing from 9% … More

The post Most cybersecurity pros believe automation will make their jobs easier appeared first on Help Net Security.

Cloud environment complexity has surpassed human ability to manage

IT leaders are increasingly concerned accelerated digital transformation, combined with the complexity of modern multicloud environments, is putting already stretched digital teams under too much pressure, a Dynatrace survey of 700 CIOs reveals. This leaves little time for innovation, and limits teams’ ability to prioritize tasks that drive greater value and better outcomes for the business and its customers.

Key findings

89% of CIOs say digital transformation has accelerated in the last 12 months, and … More

The post Cloud environment complexity has surpassed human ability to manage appeared first on Help Net Security.

New research shows risk in healthcare supply chain

Exposures and cybersecurity challenges can turn out to be costly. According to statistics from the US Department of Health and Human Services (HHS), 861 breaches of protected health information have been reported over the last 24 months. New research from RiskRecon and the Cyentia Institute pinpointed risk in the third-party healthcare supply chain and showed that healthcare’s high exposure rate indicates that managing a comparatively small Internet footprint is a big challenge for many organizations in … More

The post New research shows risk in healthcare supply chain appeared first on Help Net Security.

Threat intelligence platform market to reach $234.9 million by 2022

The growing volume and complexities of cyber threats present a compelling case for adopting threat intelligence platforms (TIPs), a Frost & Sullivan analysis finds. These solutions help organizations navigate the ever-increasing threat landscape and allow for further analysis and threat intelligence operationalization.

The TIP market least affected by the pandemic

The threat intelligence platform market is one of the cybersecurity markets that will be least affected by COVID-19. It is estimated to reach $234.9 million … More

The post Threat intelligence platform market to reach $234.9 million by 2022 appeared first on Help Net Security.

Banks risk losing customers with anti-fraud practices

Many banks across the U.S. and Canada are failing to meet their customers’ online identity fraud and digital banking needs, according to a survey from FICO. Despite COVID-19 quickly turning online banking into an essential service, the survey found that financial institutions across North America are struggling to establish practices that combat online identity fraud and money laundering, without negatively impacting customer experience. For example, 51 percent of North American banks are still asking customers … More

The post Banks risk losing customers with anti-fraud practices appeared first on Help Net Security.

How will blockchain impact the global economy?

An analysis by PwC shows blockchain technology has the potential to boost global gross domestic product (GDP) by $1.76 trillion over the next decade. That is the key finding of a report assessing how the technology is currently being used and exploring the impact blockchain could have on the global economy. Through analysis of the top five uses of blockchain, ranked by their potential to generate economic value, the report gauges the technology’s potential to … More

The post How will blockchain impact the global economy? appeared first on Help Net Security.

FIFA 21 Blockbuster Release Gives Fraudsters an Open Field for Theft

In-game features of the just-released FIFA 21 title give scammers easy access to its vast audience.

Announcing the Zero Trust Deployment Center

Organizations have been digitally transforming at warp speed in response to the way businesses operate and how people work. As a result, digital security teams have been under immense pressure to ensure their environments are resilient and secure. Many have turned to a Zero Trust security model to simplify the security challenges from this transformation and the shift to remote work.

Over the past year, we have been hard at work helping customers navigate these challenges by listening to their difficulties, sharing our own learnings, and building controls, tools, and practices that enable the implementation of Zero Trust. However, one of the things we hear most consistently is the need for additional deployment support.

We are excited to announce the launch of the Zero Trust Deployment Center—a repository of information to help organizations improve their Zero Trust readiness, as well as specific guidance on implementing Zero Trust principles across their identities, endpoints, data, applications, networks, and infrastructure. The Zero Trust Deployment Center breaks down deployment guidance into plain-language objectives across each of the technology pillars, providing an actionable list of steps needed to implement Zero Trust principles in your environment.

This repository is the perfect place to start planning and deploying your Zero Trust strategy.

Figure 1: Zero Trust Deployment Center web page.

If you are already well underway in your journey, these objectives will provide a great framework to help measure your progress and ensure you are meeting critical milestones. If you’re interested in measuring your Zero Trust maturity, we’ve also created a Zero Trust assessment tool to help measure your current maturity and identify possible next milestones and priorities along with technologies.

Learn more about Zero Trust and Microsoft Security. Also, bookmark the Security blog to keep up with our expert coverage on security matters. And follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Announcing the Zero Trust Deployment Center appeared first on Microsoft Security.

CISO Stressbusters: 7 tips for weathering the cybersecurity storms

An essential requirement of being a Chief Information Security Officer (CISO) is stakeholder management. In many organizations, security is still seen as a support function; meaning, any share of the budget you receive may be viewed jealously by other departments. Bringing change to an organization that’s set in its ways can be a challenge (even when you’ve been hired to do just that). But whether you’ve been brought on to initiate digital transformation or to bring an organization into compliance, you’ll need everyone to see that it’s in their best interest to work together on the program.

I sat down to discuss some CISO Stressbuster tips with my colleague Abbas Kudrati, who worked as a CISO in many different organizations for over 20 years before joining Microsoft. Here are several things we identified as important to weathering the cybersecurity storms, in Abbas’s own words.

Abbas Kudrati, a Chief Cybersecurity Advisor at Microsoft, shares his advice for relieving stress in today’s CISO Stressbuster post.

1. Business engagement makes a difference

My passion is for building or fixing things. My reputation in those areas means that I am often engaged to work on a new project or implement changes to an existing system. I’m a generalist CISO who works across industries, but in every role I’ve undertaken I’ve managed to get something unique done, and often received an award as well. My tasks have ranged from achieving better compliance to improving incident response plans or aligning with international standards such as CREST UK or COBIT 5.

My focus is on implementing the changes that are needed to make a difference and then finding a good successor to take over maintaining and operating a large, complex environment. My typical tenure as a CISO was two to three years, but I know some CISOs, particularly in large, complex environments such as mining organizations, where they’ve been in their role for six to eight years and running. They have a good rapport with their management; the CISO feels supported and they’re able to support the business in return. Those two things—engagement with management and reciprocal organizational support—are essential to being a successful CISO.

2. Know what you want to accomplish

It’s often difficult to gauge the state of an organization until you’re in it. Sometimes when you start a role you’ll realize how bad it is and think, “What have I gotten into?” You don’t want to mess up your CV by staying for only six months; so, you try to stick it out. But if the support and communication aren’t there, it’s not worth the stress of staying for more than two years. This is the common reason many CISOs leave.

A different frustration can occur when you exceed targets. There have been instances when I’ve been brought on board to deliver a targeted result within three years but managed to accomplish it within 18 months to 2 years. Then in the second stage, the company says it can afford to keep it running. That’s not what I want. I want to make a difference and be planning around that; so, I can then choose to move on.

3. Hire and build the right talent

The final challenge, particularly in the countries where I’ve worked, is hiring the right talent. In the Asia-Pacific region, there’s a very competitive market for skilled individuals. In some situations, I’ve looked to use my academic connections to hire fresh minds and build them up. Not only do I get the skills I need, but I’m helping to support the development of our profession. This isn’t easy to achieve, but I’ve developed some of my most passionate employees this way.

4. Find mentors and advisors

It can be lonely being a CISO. Not many people understand what you do, and you often won’t get the internal support you need. It helps to find a mentor. I’ve always sought out mentors in the role of CISO who are doing security in a more advanced way. Don’t be limited just to finding this in your immediate location. Find the right mentor in any industry or region, and today that person can be anywhere in the world. In Australia, there are only a handful of people in organizations large enough to have a CISO at an executive level. Finding that international connection was invaluable to me.

Vendors and partners also can be a good sounding board and source of advice. I had a good relationship with the account team at Cisco and they introduced me to their CISO, who gave me a lot of valuable insights. This is something I’ve carried into my role at Microsoft—I provide our customers with the same kinds of insights and external viewpoint that I appreciated receiving in my earlier roles. Customers appreciate the insights you can provide, helping them to make tough decisions and evolve their strategy.

5. Burnout is real and career progression can be a challenge

Being a CISO is not an easy job. You’re on the frontline during security incidents; a routine 9-5 schedule is almost impossible. In the Asia-Pacific region, there are also limitations on where you can go to develop your career. Some countries are not big enough to have sufficient mature organizations that need a CISO. For example, there is a limit on how many CISO roles will exist in Malaysia or Indonesia. Australia is slightly bigger. Singapore has even more opportunities, but it’s still not on the same scale as countries in other parts of the world.

CISOs often move on to be advisors, consultants, or even into early retirement. It’s quite common to see CISOs retire and become non-executive directors on company boards, where their experience is invaluable. Being a virtual CISO allows you to share expertise and support, work on specific projects (such as hiring a team), share expertise, or educate an organization without being tied into permanent employment. When moving on, a CISO will often take a reduction in salary in exchange for a reduction in stress and regained family time.

For me, the move to being Chief Security Advisor for the Asia-Pacific region at Microsoft was a logical and fulfilling step. I can pay forward to customers the support that I received from vendors as a CISO. My experience and expertise can help organizations better consider the changes required to undertake a successful digital transformation.

6. Discipline and human connections are essential

There is so much disruption in a CISO’s working life; it’s important to focus on your physical and mental well-being as much as your work. Take regular breaks; go outdoors and get some fresh air. Take time for mental well-being with meditation or physical exercise. COVID-19 has underlined how important it is to connect with your family. Since a crisis may interrupt your holidays and weekends, don’t count on those times to relax.

Building your ally network both within the company and outside is essential to maintaining your sense of balance, perspective, and support. I really like the concept of allies that Microsoft fosters across different groups, backgrounds, and environments. We all need to be there to support each other. Now that the whole world is connected, we can be, too. Checking how people are and supporting them is core to managing our group stress, and has never been more important than during a pandemic. Take the time to connect.

7. Truths to remember

This is a wake-up call for organizations that may be thinking of hiring a CISO, or just looking to fill a spot in an organizational chart—having a warm body in that position is not enough. Business executive and leadership teams must provide adequate resources and give the CISO the ability to manage risk and help the business be successful. Keep these tips in mind when you’re hiring:

  • CISOs don’t own security incidents; they manage them.
  • CISOs need access to all business units for success.
  • CISOs need to understand the business to be effective; please mentor them.
  • CISOs need to collaborate with their peers, so don’t isolate them.
  • CISOs need to be involved in all technology decisions to manage risks.

Being a CISO is a dream job for many cybersecurity professionals, including me. The job is stressful; however, many CISOs accept the challenges because they feel they’re making a difference. I enjoyed having that sense of purpose and leading teams toward a specific goal. That focus—and the opportunity to be part of a leadership team—is becoming a requirement for today’s modern security executive. With this in mind, how will your business optimize its practices for the sake of your CISO’s success?

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post CISO Stressbusters: 7 tips for weathering the cybersecurity storms appeared first on Microsoft Security.

Why a unified view of threats strengthens your cybersecurity posture

A shift in 2020 to employees working from home has changed how companies operate. In particular, the rush to work-from-home has given rise to elevated security threats. While companies are now spending significant amounts on cybersecurity, threats are still outpacing corporate outlay. As tech leaders have weighed their options on how to harden their security…

The post Why a unified view of threats strengthens your cybersecurity posture first appeared on IT World Canada.

Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions

It’s hard to keep pace with all the changes happening in the world of cybersecurity. Security experts and leaders must continue learning (and unlearning) to stay ahead of the ever-evolving threat landscape. In fact, many of us are in this field because of our desire to continuously challenge ourselves and serve the greater good.

So many of the advancements in security now rely on the amorphous, at times controversial, and complex term called “artificial intelligence” (AI). Neural networks, clustering, fuzzy logic, heuristics, deep learning, random forests, adversarial machine learning (ML), unsupervised learning: these are just a few of the concepts that are being actively researched and utilized in security today.

But what do these techniques do? How do they work? What are the benefits? As security professionals, we know you have these questions, and so we decided to create Security Unlocked, a new podcast launching today, to help unlock (we promise not to overuse this pun) insights into these new technologies and the people creating them.

In each episode, hosts Nic Fillingham and Natalia Godyla take a closer look at the latest in threat intelligence, security research, and data science. Our expert guests share insights into how modern security technologies are being built, how threats are evolving, and how machine learning and artificial intelligence are being used to secure the world.

Each episode will also feature an interview with one of the many experts working in Microsoft Security. Guests will share their unique path to Microsoft and the infosec field, what they love about their calling and their predictions about the future of ML and AI.

New episodes of Security Unlocked will be released twice a month with the first three episodes available today on all major podcast platforms. We will talk about specific topics in future blogs and provide links to podcasts to get more in-depth.

Episode 1: Going ‘deep’ to identify attacks, and Holly Stewart

Listen here.

Guests: Arie Agranonik and Holly Stewart

Blog referenced: Seeing the big picture: Deep learning-based fusion of behavior signals for threat detection

In this episode, Nic and Natalia invited Arie Agranonik, Senior Data Scientist at Microsoft, to better understand how we’re using deep learning models to look at behavioral signals and identify malicious process trees. In their chat, Arie explains the differences and use cases for techniques such as deep learning, neural networks, and transfer learning.

Nic and Natalia also speak with Holly Stewart, Principal Research Manager at Microsoft, to learn how, and when, to use machine learning, best practices for building an awesome security research team, and the power of diversity in security.

Episode 2: Unmasking threats with AMSI and ML, and Dr. Josh Neil

Listen here.

Guests: Ankit Garg, Geoff McDonald, and Dr. Josh Neil

Blog referenced: Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning

In this episode, members of the Microsoft Defender ATP Research team chat about how the Antimalware Scan Interface (AMSI) and machine learning are stopping Active Directory attacks.

They’re also joined by Josh Neil, Principal Data Science Manager at Microsoft, as he discusses his path from music to mathematics, one definition of “artificial intelligence,” and the importance of combining multiple weak signals to gain a comprehensive view of an attack.

Episode 3: Behavior-based protection for the under-secured, and Dr. Karen Lavi

Listen here.

Guests: Hardik Suri and Dr. Karen Lavi

Blog referenced: Defending Exchange servers under attack

In this episode, Nic and Natalia chat with Hardik Suri on the importance of keeping servers up-to-date and how behavior-based monitoring is helping protect under-secured Exchange servers.

Dr. Karen Lavi, Senior Data Scientist Lead at Microsoft, joins the discussion to talk about commonalities between neuroscience and cybersecurity, her unique path to Microsoft (Teaser: She started in the Israel Defense Forces and later got her PhD in neuroscience), and her predictions on the future of AI.

Please join us monthly on the Microsoft Security Blog for new episodes. If you have feedback on how we can improve the podcast or suggestions for topics to cover in future episodes, please email us at securityunlocked@microsoft.com, or talk to us on our @MSFTSecurity Twitter handle.

And don’t forget to subscribe to Security Unlocked.

The post Security Unlocked—A new podcast exploring the people and AI that power Microsoft Security solutions appeared first on Microsoft Security.

Becoming resilient by understanding cybersecurity risks: Part 1

All risks have to be viewed through the lens of the business or organization. While information on cybersecurity risks is plentiful, you can’t prioritize or manage any risk until the impact (and likelihood) to your organization is understood and quantified.

This rule of thumb on who should be accountable for risk helps illustrate this relationship:

The person who owns (and accepts) the risk is the one who will stand in front of the news cameras and explain to the world why the worst case scenario happened.

This is the first in a series of blogs exploring how to manage challenges associated with keeping an organization resilient against cyberattacks and data breaches. This series will examine both the business and security perspectives and then look at the powerful trends shaping the future.

This blog series is unabashedly trying to help you build a stronger bridge between cybersecurity and your organizational leadership.

A visualization of how to manage organizational risk through leadership

Organizations face two major trends driving both opportunity and risk:

  • Digital disruption: We are living through the fourth industrial revolution, characterized by the fusion of the physical, biological, and digital worlds. This is having a profound impact on all of us as much as the use of steam and electricity changed the lives of farmers and factory owners during early industrialization.
    Tech-disruptors like Netflix and Uber are obvious examples of using the digital revolution to disrupt existing industries, which spurred many industries to adopt digital innovation strategies of their own to stay relevant. Most organizations are rethinking their products, customer engagement, and business processes to stay current with a changing market.
  • Cybersecurity: Organizations face a constant threat to revenue and reputation from organized crime, rogue nations, and freelance attackers who all have their eyes on your organization’s technology and data, which is being compounded by an evolving set of insider risks.

Organizations that understand and manage risk without constraining their digital transformation will gain a competitive edge over their industry peers.

Cybersecurity is both old and new

As your organization pulls cybersecurity into your existing risk framework and portfolio, it is critical to keep in mind that:

  • Cybersecurity is still relatively new: Unlike responding to natural disasters or economic downturns with decades of historical data and analysis, cybersecurity is an emerging and rapidly evolving discipline. Our understanding of the risks and how to manage them must evolve with every innovation in technology and every shift in attacker techniques.
  • Cybersecurity is about human conflict: While managing cyber threats may be relatively new, human conflict has been around as long as there have been humans. Much can be learned by adapting existing knowledge on war, crime, economics, psychology, and sociology. Cybersecurity is also tied to the global economic, social, and political environments and can’t be separated from those.
  • Cybersecurity evolves fast (and has no boundaries): Once a technology infrastructure is in place, there are few limits on the velocity of scaling an idea or software into a global presence (whether helpful or malicious), mirroring the history of rail and road infrastructures. While infrastructure enables commerce and productivity, it also enables criminal or malicious elements to leverage the same scale and speed in their actions. These bad actors don’t face the many constraints of legitimate usage, including regulations, legality, or morality, in the pursuit of their illicit goals. These low barriers to entry on the internet increase the volume, speed, and sophistication of cyberattack techniques soon after they are conceived and proven. This puts us in the position of continuously playing catch-up to their latest ideas.
  • Cybersecurity requires asset maintenance: The most important and overlooked aspect of cybersecurity is the need to invest in ‘hygiene’ tasks to ensure consistent application of critically important practices.
    One aspect that surprises many people is that software ‘ages’ differently than other assets and equipment, silently accumulating security issues with time. Like a brittle metal, these silent issues suddenly become massive failures when attackers find them. This makes it critical for business leadership to proactively support ongoing technology maintenance, even when there have been no visible signs of failure.

Stay pragmatic

In an interconnected world, a certain amount of playing catch-up is inevitable, but a proactive stance lets us minimize both the probability and the impact of business-impacting events.

Organizations should build and adapt their risk and resilience strategy, including:

  1. Keeping threats in perspective: Ensuring stakeholders are thinking holistically in the context of business priorities, realistic threat scenarios, and reasonable evaluation of potential impact.
  2. Building trust and relationships: We’ve learned that the most important cybersecurity approach for organizations is to think and act symbiotically—working in unison with a shared vision and goal.
    Like any other critical resource, trust and relationships can be strained in a crisis. It’s critical to invest in building strong and collaborative relationships between security and business stakeholders who have to make difficult decisions in a complex environment with incomplete information that is continuously changing.
  3. Modernizing security to protect business operations wherever they are: This approach is often referred to as Zero Trust and helps security enable the business, particularly digital transformation initiatives (including remote work during COVID-19) versus the traditional role as an inflexible quality function.

One organization, one vision

As organizations become digital, they effectively become technology companies and inherit both the natural advantages (customer engagement, rapid scale) and difficulties (maintenance and patching, cyberattack). We must accept this and learn to manage this risk as a team, sharing the challenges and adapting to the continuous evolution.

In the coming blogs, we will explore these topics from the perspective of business leaders and from cybersecurity leaders, sharing lessons learned on framing, prioritizing, and managing risk to stay resilient against cyberattacks.

To learn more about Microsoft Security solutions visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Becoming resilient by understanding cybersecurity risks: Part 1 appeared first on Microsoft Security.

Advanced protection for web applications in Azure with Radware’s Microsoft Security integration

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA here.

The state of application security

Companies face a wide range of security challenges, such as Open Web Application Security Project (OWASP) vulnerabilities, advanced bot threats and the need to manage bots, securing APIs, and protecting against volumetric and non-volumetric DDoS attacks. Advanced threats mean that application security solutions must do much more. Organizations require a synchronized attack-mitigation system that provides advanced application protection against all of the above threats, across all platforms and environments at all times, with comprehensive security and a single view of application security events for quick incident response and minimal impact on the business.

Customers are increasingly requesting, if not requiring, a fully managed service option for security elements. Beyond the obvious complexity of managing the positive and negative security model rules, today’s attacks are dynamic and evolving. Teams managing application security are stressed by the rapid pace of new application development and application changes, all of which require vulnerability assessment and remediation in the form of automated continuous and consistent security policies.

Cloud is disrupting technology and security is the biggest challenge for customers around the world. Radware is embracing this shift by focusing on ‘Strength in Security’ with Microsoft Azure and is focused on helping Microsoft Azure customers secure their workloads and applications. Radware works closely with Microsoft’s engineering teams to create new and innovative solutions in Azure that benefit from Microsoft’s unique cloud capabilities and services like Azure DDoS Protection and Microsoft Azure Sentinel to build a more secure digital infrastructure, enabling customers to overcome security challenges. Radware Security for Azure provides local availability and easy deployment capabilities across any Azure region, enabling organizations to move to Azure with the knowledge that their applications, networks, and data will be secure around the world.

The application threat landscape

Application vulnerabilities are now the fastest-growing cybersecurity threat to organizations, according to a year-over-year comparison of Radware’s annual Global Application & Network Security Report. Applications, and the APIs they leverage, must be protected against an expanding variety of attack methods. In addition, DevOps and Agile development practices mean that applications are in a state of constant flux, and security policies must adapt to keep pace. Web application security solutions must be smarter and address a broad spectrum of vulnerability exploitation scenarios and attack types and vectors. On top of protecting the application from these common vulnerabilities, they have to protect APIs and mitigate denial-of-service (DoS) attacks, manage bot traffic, and make a distinction between legitimate bots and malicious bots.

Web applications are a critical part of most modern businesses, but many organizations continue to overlook web application security, despite escalating threats. According to a recent Gartner report, by 2023, more than 30 percent of public-facing web applications will be protected by cloud web application and API protection services that combine DDoS protection, bot mitigation, API protection, and web application firewalls (WAFs).

Cloud web application and API security with integrated bot and DDoS protection is the evolution of cloud-delivered WAF services. Comprehensive, cloud-delivered managed security services are the runtime protection successor to WAF appliances: faster to deploy and easier for organizations to maintain. Customers want to consume security products without managing the underlying infrastructure, which is a big benefit that a product like Radware Security for Azure brings to customers in Azure.

Radware Security for Azure is a managed service that provides network and application security protection against everything from small-scale attacks to the most sophisticated large-scale ones, ensuring applications are protected from malicious DDoS attacks, zero-day web attacks, and common vulnerabilities.

By leveraging the global scale of the Microsoft network and integrating with Azure DDoS Protection, Radware Security for Azure provides enhanced Layer 3 – Layer 7 DDoS mitigation capabilities tuned for applications and resources deployed in virtual networks backed by an industry-leading service level agreement (SLA) and 24/7 incident response team.

Six steps on how to neutralize the application threat

Radware provides advanced protection for web applications in Azure with an integrated application and API security service. Radware Security for Azure provides:

Details on security solutions offered by Radware Security for Azure

To learn more about Radware Security for Azure, visit our listing in the Azure Marketplace or visit Radware.

To learn more about the Microsoft Intelligent Security Association (MISA), visit our website where you can learn about the MISA program, product integrations, and find MISA members. Visit the video playlist to learn about the strength of member integrations with Microsoft products.

For more information about Microsoft Security Solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage of security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Advanced protection for web applications in Azure with Radware’s Microsoft Security integration appeared first on Microsoft Security.

Stay Connected and Protected During Work, School, and Play

These days, work and home mean practically the same thing. Our house is now an office space or a classroom, so that means a lot of our day-to-day happens online. We check emails, attend virtual meetings, help our children distance learn, use social media platforms to check in on our friends and family – our entire lives are digital! This increase in connectivity could mean more exposure to threats – but it doesn’t have to. That’s why this National Cybersecurity Awareness Month (NCSAM) you should learn what it means to be cyber smart.

In our third blog for this NCSAM this year, we examine what that entails. Let’s dive in.

Stay Secure While Working Remote

According to Stanford research, almost twice as many employees work from home than at the office in the U.S. in response to the COVID-19 pandemic. And this new work-from-home economy is probably only going to expand in the future. Your pets and children will continue to make surprise guest appearances on work calls, or you may continue your new job hunt from the kitchen table. But as you work on juggling your work life and personal life at home base, this doesn’t mean that you should have to juggle security threats too.

The new WFH landscape has also brought about increased risk from . Unlike corporate offices – which usually have IT staff responsible for making any necessary network security updates and patches – users’ home network security is in their own hands. This means users must ensure that their Wi-Fi connections are private and locked with a complex password or employ the help of a VPN to prevent hackers from infiltrating your work.

Be Cybersmart While Distance Learning

Work isn’t the only element of consumers’ lives that’s recently changed – school is also being conducted out of many students’ homes as they adapt to distance learning. As a result, parents are now both professionals and teachers, coaching students through new online learning obstacles. But as more students continue their curriculum from home and online activity increases, so does the possibility of exposure to inappropriate content or other threats.

For instance, the transition to distance learning has led to an increase in online students to lose valuable time meant to be spent on their education.

To help ensure that learning from home goes as smoothly as possible, parents must stay updated on the threats that could be lurking around the corner of their children’s online classrooms. Take the time to secure all the devices that power your kids’ learning with a comprehensive security solution.

Enhance Your Streaming Security

Of course, everyone needs to find a balance between work, school, and play! These days, that means scavenging the internet for new content to help keep entertained at home. In fact, according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports. However, causing users to turn to other less secure alternatives such as illegal downloads and links to “free” content riddled with malware. This could open consumers up to a whole host of threats.

Users looking to stream the latest TV show or movie should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites, instead of downloading a “free” version from a website that could contain malware.

If You Connect It, Protect It

We all need to be cybersmart and aware of the threats that come with our lifestyle changes. By following these pointers, you can block threats from impacting your new day-to-day and ensure security is one less thing to worry about. When looking ahead to the future, incorporate the aforementioned pointers into your digital life so that you are prepared to take on whatever the evolving security landscape brings – now that’s being cybersmart!

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, look out for our other National Cybersecurity Awareness Month blogs, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Stay Connected and Protected During Work, School, and Play appeared first on McAfee Blogs.

Trickbot disrupted

As announced today, Microsoft took action against the Trickbot botnet, disrupting one of the world’s most persistent malware operations. Microsoft worked with telecommunications providers around the world to disrupt key Trickbot infrastructure. As a result, operators will no longer be able to use this infrastructure to distribute the Trickbot malware or activate deployed payloads like ransomware.

Microsoft actively tracks the threat landscape, monitoring threat actors, their campaigns, specific tactics, and evolution of malware. We share this intelligence with the community and use our research to continuously improve our products. Below, we will detail the evolution of the Trickbot malware, associated tactics, recent campaigns, and dive into the anatomy of a particular attack we observed.

Trickbot was first spotted in 2016 as a banking trojan that was created as a successor to Dyre and designed to steal banking credentials. Over the years, Trickbot’s operators were able to build a massive botnet, and the malware evolved into a modular malware available for malware-as-a-service. The Trickbot infrastructure was made available to cybercriminals who used the botnet as an entry point for human-operated campaigns, including attacks that steal credentials, exfiltrate data, and deploy additional payloads, most notably Ryuk ransomware, in target networks.

Trickbot was typically delivered via email campaigns that used current events or financial lures to entice users to open malicious file attachments or click links to websites hosting the malicious files. Trickbot campaigns usually used Excel or Word documents with malicious macro codes, but other types of attachments have been used. The campaigns were observed in a wide range of verticals and geolocation, with operators frequently reusing previously compromised email accounts from earlier campaigns to distribute emails without narrowing targets.

In addition to phishing emails, Trickbot was also deployed through lateral movement via Server Message Block (SMB) or as a second-stage payload of other malware like Emotet. Once Trickbot was launched, operators utilized it to install reconnaissance tools like PowerShell Empire, Metasploit, and Cobalt Strike. They used these tools to steal credentials and network configuration information, move laterally to high-value assets, or deliver additional malicious payloads.

Threat data from Microsoft 365 Defender, which correlates signals from endpoints, email and data, identities, and cloud apps to deliver comprehensive protection against threats, shows that Trickbot showed up in both large and small enterprises across the globe, helped no doubt by its modular nature and widespread misconception of it being a “commodity” banking trojan.

Anatomy of a Trickbot campaign

Trickbot is one of the most prolific malware operations in the world, churning out multiple campaigns in any given period. In one specific campaign, the Trickbot operators used several disparate compromised email accounts to send out hundreds of malicious emails to both enterprise and consumer accounts. Recipients were from a variety of industry verticals and geolocations and do not appear to have been specifically targeted. This campaign used a shipping and logistics theme, and had the following subject lines:

  • Shipment receipt
  • Delivery finished
  • Urgent receipt comment
  • Essential receipt reminder
  • Required declaration

The emails contained a malicious Excel attachment that, when opened, prompted the user to enable macros. If enabled, the macro wrote a malicious JScript Encoded (JSE) file to disk, which was then executed via WScript. The JSE script connected to the affected organization’s domain controller and performed several LDAP queries to gather information about Active Directory, including the schema and user lists. The script then exfiltrated the information to attacker-controlled infrastructure. The script used the jscript.encode command to encode both server-side and client-side files in order to obfuscate content and evade detection.

Next, the JSE file performed several reconnaissance queries to obtain information about the device’s network adapter, antivirus products, domain role, and email. Once the exfiltration was completed, a dropped .bat file established a connection with two separate C2 servers: an IP address and a domain hosted on a separate IP address. Trickbot used both these C2 servers to evade network filtering configurations. The .bat file performed reconnaissance commands to find domain administrators on the network. It then dropped and launched the Greenshot screenshot tool and Cobalt Strike beacon on the device.

At this point, the operators had gained control of the affected device, only 8.5 hours after the user opened the malicious email attachment. The operators then started to copy the freeware tool ADFind.exe, which they used for discovery as well as for gathering domain configuration and organization information. They then archived data found during this discovery to a .7z file for later exfiltration.

The attackers ran several commands to obtain information about the domain controller and gather Kerberos tickets, conducted port scanning on SMB port 445, NetBIOS 139, and queried LDAP for multiple server devices. Using the information gathered, attackers pinged several potentially high-value devices. From there, they viewed the contents of specific text and log files, likely gleaned from their reconnaissance. Upon finding a device with an open port 445, they used runas /netonly (logon type 9, which is intentionally used to confuse analysis of logon events) for authentication and interactively executed commands on the device.

Once authenticated, the attackers viewed existing RDP files from prior unrelated sessions for RDP settings and credentials. From there, they dropped a Trickbot executable and stole credentials from the Windows Vault and Credentials Manager, allowing the attackers to evade many well-known security mechanisms that monitor processes accessing Local Security Authority Subsystem Service (LSASS) memory to dump the credentials. They used a .bat file to view multiple shares, ping additional servers, and read several text files. Finally, the attackers exfiltrated all gathered data.

The attackers persisted in the network via a copy of the malicious .jse file in the Startup folder. Using this .jse file, they have the capability to return to this network later and attempt to log on to other, more valuable devices and steal additional information or drop additional payloads. This highlights the importance of comprehensive response to “commodity malware” like Trickbot: the original banking trojan infection may be triaged and remediated, but without a full understanding of Trickbot as an entry vector to human adversaries, the real threat remains in the network.
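The campaign chain above (Office-spawned WScript running a .jse, hands-on-keyboard discovery with ADFind, a logon type 9 from runas /netonly, and a .jse left in the Startup folder) maps onto a few detection rules. The following is an added example, not Microsoft's code: it runs those rules over a constructed, simplified event stream with Sysmon/Security-log-like fields; the field names, hostnames, paths, timestamps and the 12-hour correlation window are assumptions.

```python
"""Detection rules for the Trickbot campaign stages described above.

Added example (not Microsoft's code). Events are simplified, constructed
records with Sysmon/Security-log-like fields; field names, hostnames, paths
and timestamps are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

OFFICE_APPS = {"excel.exe", "winword.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISCOVERY_TOOLS = {"adfind.exe"}
SCRIPT_ARG = re.compile(r'\.(?:jse|js|vbs|vbe)(?:"|\s|$)', re.IGNORECASE)
NETONLY_LOGON = 9               # 4624 LogonType 9 = NewCredentials (runas /netonly)
CORRELATION_WINDOW = 12 * 3600  # seconds (assumed); the observed chain took ~8.5 h


@dataclass
class Event:
    kind: str                  # "process" or "logon"
    host: str
    time: int                  # seconds since an arbitrary epoch (constructed)
    image: str = ""            # process image name (process events)
    parent: str = ""           # parent image name (process events)
    cmdline: str = ""
    logon_type: Optional[int] = None
    user: str = ""


def process_rules(ev: Event) -> list[str]:
    """Rules evaluated on a single process-creation event."""
    image, parent, cmd = ev.image.lower(), ev.parent.lower(), ev.cmdline.lower()
    hits = []
    # Stage 1: macro in Excel/Word writes a .jse and launches it via WScript
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS and SCRIPT_ARG.search(cmd):
        hits.append("office-spawned script host")
    # Persistence: a script file run from the Startup folder
    if image in SCRIPT_HOSTS and "\\startup\\" in cmd and SCRIPT_ARG.search(cmd):
        hits.append("script in Startup folder")
    # Hands-on-keyboard discovery tooling named in the campaign
    if image in DISCOVERY_TOOLS:
        hits.append("AD discovery tool (ADFind)")
    return hits


def analyze(events: list[Event]) -> list[dict]:
    """Run the rules over an event stream, ordered by time.

    A type 9 logon is flagged on its own (medium) and escalated to critical
    when the same host already showed an office-spawned script host inside
    the correlation window, which is the sequence the campaign walked through.
    """
    findings = []
    first_macro_hit: dict[str, int] = {}   # host -> time of first stage-1 hit
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "process":
            for rule in process_rules(ev):
                if rule == "office-spawned script host":
                    first_macro_hit.setdefault(ev.host, ev.time)
                findings.append({"host": ev.host, "time": ev.time,
                                 "rule": rule, "severity": "high"})
        elif ev.kind == "logon" and ev.logon_type == NETONLY_LOGON:
            seen = first_macro_hit.get(ev.host)
            escalate = seen is not None and 0 <= ev.time - seen <= CORRELATION_WINDOW
            findings.append({"host": ev.host, "time": ev.time,
                             "rule": "runas /netonly logon (type 9)",
                             "severity": "critical" if escalate else "medium"})
    return findings


# Constructed sample stream (not real telemetry): one compromised host WS01
# and two hosts (WS02, WS03) with unrelated activity.
SAMPLE_EVENTS = [
    Event("process", "WS01", 0, image="WSCRIPT.EXE", parent="EXCEL.EXE",
          cmdline=r'wscript.exe "C:\Users\alice\AppData\Local\Temp\receipt.jse"'),
    Event("process", "WS01", 120, image="powershell.exe", parent="explorer.exe",
          cmdline="powershell.exe -File C:\\scripts\\backup.ps1"),
    Event("logon", "WS02", 400, logon_type=2, user="bob"),
    Event("logon", "WS03", 500, logon_type=9, user="carol"),
    Event("process", "WS01", 30000, image="ADFind.exe", parent="cmd.exe",
          cmdline="ADFind.exe -f objectcategory=computer"),
    Event("logon", "WS01", 30600, logon_type=9, user="alice"),
    Event("process", "WS01", 40000, image="wscript.exe", parent="explorer.exe",
          cmdline=r'wscript.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows'
                  r'\Start Menu\Programs\Startup\update.jse"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['time']:>6} {f['host']} [{f['severity']}] {f['rule']}")
```

The standalone type 9 logon on WS03 stays at medium because logon type 9 also occurs legitimately; the same event on WS01 is escalated only because of the earlier macro-to-WScript chain on that host.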

Modular, multi-stage malware

Trickbot is a multi-stage malware typically composed of a wrapper, a loader, and a main malware module. The wrapper, which uses multiple templates that constantly change, is designed to evade detection by producing unique samples, even if the main malware code remains the same.

When the wrapper process runs, it runs the loader fully in its memory. The loader has a highly modular design. It decrypts each function at runtime before running it, and then encrypts it back. Likewise, all human-readable strings are decrypted and all APIs are resolved at runtime. In some scenarios, Trickbot uses UAC bypasses to elevate the privileges of its processes. On 64-bit systems, Trickbot uses the “Heaven’s Gate” technique to switch 32-bit code to 64-bit, and has an additional stage where a 64-bit loader injects the main module into the suspended process.

The loader runs the main malware module directly in memory. After creating scheduled tasks for persistence, the main malware module decrypts a configuration file, which contains the information it needs for its next steps:

  • Establish HTTPS communication with command and control (C2) server
  • Download modules from the C2 server
  • Monitor the status of the downloaded modules
  • Synchronize communication between the main module and the downloaded modules

The modules are likewise run in memory via injection into the suspended process. Over the years, Trickbot has used a wide range of modules for various malicious activities. These include the following:

Module              Purpose
pwgrab              Gathers credentials, autofill data, history, and so on from browsers
networkDll          Gathers network and system information
importDll           Gathers browser data
injectDll           Main banker module; uses static and dynamic web browser injection and data theft
tabDll              Propagates Trickbot via the EternalRomance exploit
(name not captured) Propagates Trickbot via the SMB EternalBlue exploit
shareDll            Propagates Trickbot via Windows network shares
vncDll, BCTestDll   Remote control/Virtual Network Computing module; provides a backdoor for further module downloads
rdpscanDll          Launches brute-force attacks against selected Windows systems with Remote Desktop Protocol (RDP) exposed to the Internet
Systeminfo          Gathers system information
mailsearcher        Searches all files on disk and compares their extensions to a predefined list to harvest email addresses
outlookDll          Gathers Outlook credentials
psfin               Gathers point of sale (POS) software credentials
squlDll             Gathers email addresses stored in SQL servers
aDll                Runs various commands on a Windows domain controller to steal Active Directory credentials

Trickbot sends information like domain names and IP ranges of compromised networks back to the operators, who then select some of these networks for additional exploitation and reconnaissance. On selected networks, Trickbot operators installed additional tools like Cobalt Strike and switched to hands-on-keyboard attacks. Once the operators gained a foothold on a network, they used tools like Mimikatz and LaZagne to steal additional credentials, and tools like BloodHound and ADFind for reconnaissance. Apart from using the stolen credentials and collected data to further the attack, the operators also exfiltrated data. They then left multiple persistence points on the network to enable the eventual delivery of other payloads like Ryuk ransomware.

While much has been made of Trickbot’s supposed antivirus evasion capabilities, it is a simple PowerShell command that is run to turn off Microsoft Defender Antivirus, and it can perform this action only if the user has administrative rights.

Recent prominent Trickbot campaigns

In June 2020, we tracked multiple Trickbot campaigns. As is typical with Trickbot, some of the email campaigns took advantage of current events as lures to entice users to click on malicious attachments. These lures include Black Lives Matter and COVID-19. Earlier in the year, we reported that Trickbot was the most prolific malware operation using COVID-19-themed lures. Many other simultaneous campaigns used more generic lures, such as shipping and logistics, invoicing and payments, customer complaints, and various financial lures.

The email body was often simple but maintained consistency with the lure used in the subject line. The emails used a wide range of attachment types, including:

  • Word macro attachments
  • Excel VBA macro attachments
  • Excel 4.0 macro attachments
  • Java Network Launch Protocol (.jnlp) attachments

Some campaigns do away with the attachments and instead use malicious links to websites that host malicious files.

The sender infrastructure for all these emails varied as well. In most campaigns, operators used compromised legitimate email accounts and compromised marketing platforms to distribute the malicious emails. However, in one instance, the operators registered several domains using less popular top-level domains (TLDs) such as “.monster” and “.us” to create their own mail server and send malicious emails from attacker-defined email addresses. At least one of these campaigns used attacker-owned email sender infrastructure that was later used to deliver Dridex malware in a separate campaign. The Dridex malware is known to be associated with the CHIMBORAZO (also known as TA505) crime group. Additionally, CHIMBORAZO ran simultaneous campaigns that delivered Trickbot.
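The campaign traits listed above (macro-bearing Office attachments, .jnlp attachments, link-only delivery, attacker-registered sender domains on uncommon TLDs) translate directly into mail-triage signals. The following is an added example, not code from the Microsoft post: a small scorer over constructed message metadata. The extension lists, the TLD watchlist and the sample messages are assumptions for illustration; Excel 4.0 macros cannot be told from a plain .xls by extension alone, so .xls is flagged for review rather than treated as clean.

```python
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list = field(default_factory=list)
    links: list = field(default_factory=list)


# Attachment types seen in the campaigns described above (constructed list).
MACRO_EXTENSIONS = {".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".xlsb", ".xlam"}
OTHER_RISKY_EXTENSIONS = {".jnlp"}
# TLDs the post mentions for attacker-registered sender domains. ".us" is common
# enough that it only adds weight together with other signals (assumed policy).
WATCHED_TLDS = {".monster", ".us"}


def sender_tld(sender):
    """Return the top-level domain of the sender address, e.g. '.monster'."""
    domain = sender.rsplit("@", 1)[-1].lower()
    return "." + domain.rsplit(".", 1)[-1] if "." in domain else ""


def triage(msg):
    """Return (score, reasons) for one message; a higher score means more review is needed."""
    reasons = []
    for att in msg.attachments:
        ext = "." + att.rsplit(".", 1)[-1].lower() if "." in att else ""
        if ext in MACRO_EXTENSIONS:
            reasons.append(f"macro-capable attachment {att}")
        elif ext in OTHER_RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type {att}")
    if not msg.attachments and msg.links:
        reasons.append("no attachment but carries links (link-based delivery)")
    tld = sender_tld(msg.sender)
    if tld in WATCHED_TLDS:
        reasons.append(f"sender domain uses watched TLD {tld}")
    return len(reasons), reasons


# Constructed sample messages; none of these addresses or hosts are real campaign data.
SAMPLE_MESSAGES = [
    Message("billing@example-invoices.monster", "Invoice 4471 overdue", ["invoice_4471.xlsm"]),
    Message("hr@example.com", "Team lunch", [], []),
    Message("shipping@example-logistics.us", "Shipment update", [], ["http://example.invalid/track"]),
    Message("support@example.org", "Your complaint", ["complaint.jnlp"]),
]


def rank(messages):
    """Sort messages by triage score, highest first; returns (subject, score, reasons) tuples."""
    scored = [(m.subject, *triage(m)) for m in messages]
    return sorted(scored, key=lambda t: -t[1])


if __name__ == "__main__":
    for subject, score, reasons in rank(SAMPLE_MESSAGES):
        print(score, subject, "; ".join(reasons))
```

Scores are deliberately additive and coarse: the value of this kind of rule is in ordering an analyst's queue, not in making a block decision, which should remain with the mail gateway's own detonation and reputation checks.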

The following graphic illustrates the various campaigns, tactics, and techniques used by the operators. The complexity of these simultaneous campaigns and techniques indicates that this is a coordinated and professional effort conducted by a sophisticated activity group.

Extended detection and response for the full range of threats

The action against Trickbot is one of the ways in which Microsoft provides real-world protection against threats. This action will result in protection for a wide range of organizations, including financial services institutions, government, healthcare, and other verticals, from malware and human-operated campaigns delivered via the Trickbot infrastructure.

In the recently released Microsoft Digital Defense Report, we called out that cybercriminals of all skill sets take advantage of the perception that commodity threats are less impactful to businesses. Trickbot is proof that this assumption is obsolete, and organizations need to treat and address Trickbot and other malware infections as the broadly damaging threats that they are.

To help protect customers from the full range of threats, from common malware to highly modular, multi-stage threats like Trickbot, as well as nation-state level attacks, Microsoft 365 Defender delivers coordinated protection for identities, endpoints, cloud apps, email and documents. Microsoft Defender for Office 365 detects malicious attachments and links in email campaigns. Microsoft Defender for Endpoint detects and blocks the Trickbot malware and all related components, as well as malicious activities on endpoints. Microsoft Defender for Identity identifies and detects suspicious user activities and compromised identities.

This breadth of cross-domain visibility allows Microsoft 365 Defender to correlate signals and comprehensively detect and resolve attack chains. Security operations teams can then use the rich set of tools in Microsoft 365 Defender to further hunt for threats and gain insights for hardening networks from compromise.

Microsoft 365 Defender Threat Intelligence Team

Microsoft 365 Defender Research Team

Digital Crimes Unit (DCU)

Detection and Response Team (DART)


The post Trickbot disrupted appeared first on Microsoft Security.

How To Unpack Malware: Personal Notes

Nowadays malware authors use many techniques to hide malicious payloads, both to bypass security products and to make the malware analyst’s life harder (and more fun). There are many tools you can use to extract content from malware, and there is no standard process: you can use different tools, different techniques and different approaches to solve the same problem.

In this post I am going to quickly describe three (well, actually kind of four) of the main flows that lead me to successfully unpack malware. Let me repeat that there are many ways to approach such a topic; I simply want to share some personal notes on my favorite flows, without pretending to write full course material on how to unpack malware, which would be worth a full university class.

NB: there is a lot to say about packers, what they are, how they behave, and even how many packer families are known, but this is not the place for that. What I am doing here is mostly focusing on quick shortcuts that are useful when you are in a rush, but not as powerful as debugging the entire process.

Method 0: Just Unpack It, I don’t care more

Well, if you are in a rush and just need to try to unpack a sample as quickly as possible, and you don’t care about what is going on, Sergei Frankoff (@herrcore) and Sean Wilson (@seanmw) did a great job releasing Unpac.ME, a web application that tries to unpack your sample. There is a limited free plan for using it, and it works most of the time, especially with known malware families.

Method 1: The quick way

One of the quickest ways to unpack malware is to try to figure out which packer has been used to pack your sample. Once you know the packer, you just need to run the corresponding unpacker and you are done. Detect it Easy, better known as DiE, helps with this research: it has a wide signature database tracking hundreds of different packers. The following image shows DiE spotting a simple (and very didactic, not really realistic) UPX packer.

Once you know it has been packed with UPX 3.91, just go and grab the packer (in this case from https://upx.github.io/), take the corresponding unpacker, and run it against your original sample; you will get a new PE file.

Method 2: The slow but fun way

This is my favorite method, since it’s definitely faster than using a debugger and performing every step by yourself, but quite powerful as well, giving you control over many of the actions happening in memory. Before going into this method you need to know the following main assumptions.

  1. The packer performs some operations on bytes (read from an external file, from the same file, or taken from the network), then aggregates those bytes and later passes execution flow (EIP) to them. We call those bytes the “payload”.
  2. Injecting control flow is the main strategy used by packers.
  3. Intercepting the injection flow abstracts us from the packer that was used.

It is now interesting to understand how injection happens on a Windows machine. Once we have nailed that, we will agree that a quick way to unpack malware is simply to grab the content of the allocated and injected memory before the main sample (or stub) transfers control by passing EIP and the stack to the new code.

Main Injection techniques to look for

Fortunately there are not thousands of different ways to inject shellcode into memory, so let’s take a closer look at the main ones. The most used is called process injection.

The process injection schema follows these main steps:

  • OpenProcess – returns a handle to an existing process object.
  • VirtualAllocEx – allocates memory in the target process and sets the access permissions on that memory region.
  • WriteProcessMemory – writes data to an area of memory in the specified process.
  • CreateRemoteThread – creates a thread that runs in the virtual address space of another process.

Another widely used technique is DLL injection, which follows these steps:

  • OpenProcess to obtain a handle to the target process into which the DLL will be injected.
  • Find the address of LoadLibraryA using GetProcAddress and GetModuleHandleA; LoadLibraryA is the function that loads a DLL into the calling process.
  • VirtualAllocEx to allocate memory for the DLL path from which the DLL will be loaded.
  • WriteProcessMemory to write the DLL path into the allocated memory.
  • CreateRemoteThread to create a new thread, with the address of LoadLibraryA as the start address and the address of the written DLL path as the parameter to LoadLibraryA.

Process Hollowing is a neat and widely used trick to evade endpoint security and inject control flow. The main idea is to create a suspended process, replace its unmapped memory section with the shellcode, and later map the section and start the process. The steps are as follows:

  • Create a new target process in a suspended state by passing CREATE_SUSPENDED in the dwCreationFlags parameter of the CreateProcess Windows API.
  • Once the process is created in a suspended state, create a new executable section. It is not yet bound to any process. This is done with the ZwCreateSection function.
  • Locate the base address of the target process by querying it with ZwQueryInformationProcess. This gives the address of the process environment block (PEB); ReadProcessMemory is then used to read the PEB, and once more to locate the entry point from the buffer.
  • Bind the section to the current process so the shellcode can be copied into it: map the section into the current process with ZwMapViewOfSection, passing the handle returned by GetCurrentProcess.
  • Copy each byte of the shellcode into the section mapped in the previous step.
  • Once the shellcode is copied, map the section into the target process with ZwMapViewOfSection, this time passing the handle of the target process.
  • Once the section is mapped, locate and construct the patch for the target process so that it runs the shellcode instead of the original application code.
  • Use WriteProcessMemory to write the constructed patch to the target process entry point.
  • After writing the patch, resume the thread with ResumeThread.

Abusing the Asynchronous Procedure Call (APC) mechanism is another way to inject shellcode into processes. The abuse of this Microsoft functionality follows these steps:

  • Create a new target process in a suspended state by passing CREATE_SUSPENDED in the dwCreationFlags parameter of the CreateProcess Windows API.
  • Once the process is created, obtain a handle to it with the OpenProcess Windows API.
  • Allocate memory for the shellcode in the target process with VirtualAllocEx.
  • Write the shellcode into the allocated memory with WriteProcessMemory.
  • Obtain a handle to the primary thread of the target process with OpenThread.
  • Add a user-mode APC object to that thread’s APC queue with QueueUserAPC, pointing it at the memory address of the shellcode.
  • Resume the suspended thread with ResumeThread to trigger the shellcode.

The last method I’m going to describe in my personal notes (but there are many more out there) is called Process Doppelgänging. A quite recent technique, it uses a little-known API for NTFS transactions.

Briefly speaking, we can create a file inside a transaction, and for no other process this file is visible, as long as our transaction is not committed. It can be used to drop and run malicious payloads in an unnoticed way. If we roll back the transaction in an appropriate moment, the operating system behaves like our file was never created.

hasherezade

Process Doppelgänging is a similar technique used to inject control flow and evade common AV. It follows these steps:

  • Create a new transaction using the CreateTransaction API.
  • Create a dummy file inside the transaction to store the payload (CreateFileTransacted).
  • Use that transacted file to create a section (a buffer in a special format), which becomes the base for the new process.
  • Close the file and roll back the transaction (RollbackTransaction).

All these methods are useful for injecting payloads into memory and running them while keeping a very low detection rate. Our goal is to intercept those techniques and dump the just-injected payload.
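A first static pass, before sacrificing a VM, is to compare a sample’s import table against the API sets of the injection patterns just listed. The following is an added example (not from this post, and not part of PE-sieve or DiE): a scorer that normalizes import names (A/W suffixes dropped, Zw* mapped to Nt*) and reports which patterns the imports cover. The import list is constructed, and the 75% coverage threshold is an assumed tuning knob. As the post notes for PE-sieve, a match is a reason to look closer, not a verdict: legitimate debuggers and installers import the same functions, and packers often resolve them at runtime so they never appear in the IAT at all.

```python
import re

# API sets for each injection pattern described above. Member APIs are the ones
# the post lists for each technique; names are stored in canonical form.
TECHNIQUES = {
    "process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
    "DLL injection": {"OpenProcess", "GetProcAddress", "GetModuleHandle", "VirtualAllocEx",
                      "WriteProcessMemory", "CreateRemoteThread"},
    "process hollowing": {"CreateProcess", "NtCreateSection", "NtQueryInformationProcess",
                          "ReadProcessMemory", "NtMapViewOfSection", "WriteProcessMemory",
                          "ResumeThread"},
    "APC injection": {"CreateProcess", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                      "OpenThread", "QueueUserAPC", "ResumeThread"},
    "process doppelganging": {"CreateTransaction", "CreateFileTransacted", "NtCreateSection",
                              "RollbackTransaction"},
}


def canonical(name):
    """Normalize an import name: drop an ANSI/Unicode A/W suffix, map Zw* to Nt*.

    The suffix is only stripped when it follows a lowercase letter, so names
    such as QueueUserAPC are left alone. This is a heuristic, not a full
    Win32 name grammar.
    """
    name = re.sub(r"(?<=[a-z])[AW]$", "", name)
    if name.startswith("Zw"):
        name = "Nt" + name[2:]
    return name


def match_techniques(imports, min_coverage=0.75):
    """Return {technique: coverage} for patterns whose API set is at least
    min_coverage present among the (normalized) imports."""
    present = {canonical(i) for i in imports}
    hits = {}
    for tech, apis in TECHNIQUES.items():
        coverage = len(apis & present) / len(apis)
        if coverage >= min_coverage:
            hits[tech] = round(coverage, 2)
    return hits


# Constructed import list, in the form an IAT viewer would print it.
SAMPLE_IMPORTS = [
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
    "GetProcAddress", "GetModuleHandleA", "LoadLibraryA", "VirtualProtect", "ExitProcess",
]

if __name__ == "__main__":
    for tech, cov in match_techniques(SAMPLE_IMPORTS).items():
        print(f"{tech}: {cov:.0%} of pattern APIs imported")
```

The coverage ratio rather than an all-or-nothing match is what makes this usable: a sample that imports six of the seven hollowing APIs and resolves the seventh through GetProcAddress still surfaces, which is exactly the case the post describes for samples that unpack in memory.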

Intercepting these techniques and dumping the payload

Now that we know the main techniques malware uses to unpack itself into memory, we are ready to understand how to hook those functions in order to grab the payload (which holds the real behavior). Again, there are many ways to perform such memory extraction; I have changed workflows at least four times so far, but the one I prefer today is using PE-sieve to extract injected objects. PE-sieve is not able to judge the dumped files (are they malicious or not?), so you cannot consider every extracted artifact malicious; you need to analyze them manually and form your own conclusions about them.

But let’s start with a practical example. The following image represents a PE file pretending to be a PNG image.

A PE sample pretending to be a .PNG

Looking at the sections and the import table (IAT), we can observe that the sample imports only a few of the well-known functions we have just seen in the previous section (VirtualProtect, GetProcAddress, MoveMemory, etc.), which are very often used to unpack malware in memory without touching the hard drive.

Import Table

Even the embedded resources are quite “heavy”, which probably hides some piece of code. So, we have a PE file that pretends to be an image, imports only suspicious functions, and carries a quite heavy resource. Could it be malware?

Looking at resources

Well, we have ideas and suspicions, but let’s see whether it injects code into memory and what that code does. Here PE-sieve comes to help us. First of all, you need to sacrifice a system :D. Yep, really: you run the sample on the target machine and, alongside it, run pe-sieve giving it the PID of the suspicious process. PE-sieve hooks and monitors the injection patterns above, and as soon as it finds a matching pattern it dumps whatever the sample injects (benign files, malicious implants, and so on). The following image shows the implants found when running that sample.

2 Implanted Objects

The dropped files are placed into a directory named with the monitored PID.

Dropped Files

We get a set of files in that directory. There is a .json report, which lets us automate results and wrap them into external projects without using the provided PE-sieve.dll. We have a couple of shellcode blobs (.shc) and three PEs. The interesting one is 400000.cursor.exe, since it has 600KB of code and is executable, plus a new ICO different from the original one. Let’s check its properties (following image).

Unpacked Property

Now, let’s roll back our sacrificed VM and run this new file on it, then check its memory to see whether something more is happening there.

Memory from Unpacked one

It looks like we have clear text: no additional encryption/packing stage is visible in memory. We can now proceed with classic malware analysis techniques, staging static and dynamic analysis. And, yes, since you are re-sacrificing your virtual machine anyway, maximize the effort by also capturing network traffic to see where it tries to communicate.

Traffic Analysis

We are facing a nice example of TrickBot, version 1000512, tag tot793. The following image shows the same information but coming from the internal system calls rather than network traces.

Internal Traces

So we nailed it. We’ve just extracted the real payload and later on we figured out it was a TrickBot.

Method 3: The old fashion way (debugger)

Everything can be done from the debugger. You can find the above API patterns yourself, follow the system calls, and stop and copy whenever you want. You can extract or modify the sample’s behavior on the fly and re-run it as many times as you need. Yes, you can, but this takes a lot of time, and time runs against the economics: the more time you need for your analysis, the more expensive you are, and the more expensive you are, the fewer customers you can have, both money-wise (expensive = for few, cheap = for many) and time-wise (since you have 24 hours a day, after which you cannot accept more customers). So you need to mediate between quality/fun and time.

If you have been following me for a while, you will probably remember that I used this method years ago, before such great tools were released (just a few examples: IDA Pro Universal Unpacker, All In Memory CryptoWorm, or New way to detect Packers), but today I would not suggest this method unless you are a student or not a professional malware analyst.

Sophisticated new Android malware marks the latest evolution of mobile ransomware

Attackers are persistent and motivated to continuously evolve – and no platform is immune. That is why Microsoft has been working to extend its industry-leading endpoint protection capabilities beyond Windows. The addition of mobile threat defense into these capabilities means that Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection) now delivers protection on all major platforms.

Microsoft’s mobile threat defense capabilities further enrich the visibility that organizations have on threats in their networks, as well as provide more tools to detect and respond to threats across domains and across platforms. Like all of Microsoft’s security solutions, these new capabilities are likewise backed by a global network of threat researchers and security experts whose deep understanding of the threat landscape guide the continuous innovation of security features and ensure that customers are protected from ever-evolving threats.

For example, we found a particularly sophisticated piece of Android ransomware with novel techniques and behavior, exemplifying the rapid evolution of mobile threats that we have also observed on other platforms. The mobile ransomware, detected by Microsoft Defender for Endpoint as AndroidOS/MalLocker.B, is the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop. This ransomware family is known for being hosted on arbitrary websites and circulated on online forums using various social engineering lures, including masquerading as popular apps, cracked games, or video players. The new variant caught our attention because it’s an advanced malware with unmistakable malicious characteristics and behavior and yet manages to evade many available protections, registering a low detection rate against security solutions.

As with most Android ransomware, this new threat doesn’t actually block access to files by encrypting them. Instead, it blocks access to the device by displaying a screen that appears over every other window, such that the user can’t do anything else. This screen is the ransom note, which contains threats and instructions to pay the ransom.

Screenshot of mobile ransom note in Russian language

Figure 1. Sample ransom note used by older ransomware variants

What’s innovative about this ransomware is how it displays its ransom note. In this blog, we’ll detail the innovative ways in which this ransomware surfaces its ransom note using Android features we haven’t seen leveraged by malware before, as well as incorporating an open-source machine learning module designed for context-aware cropping of its ransom note.

New scheme, same goal

In the past, Android ransomware used a special permission called “SYSTEM_ALERT_WINDOW” to display their ransom note. Apps that have this permission can draw a window that belongs to the system group and can’t be dismissed. No matter what button is pressed, the window stays on top of all other windows. The notification was intended to be used for system alerts or errors, but Android threats misused it to force the attacker-controlled UI to fully occupy the screen, blocking access to the device. Attackers create this scenario to persuade users to pay the ransom so they can gain back access to the device.

To catch these threats, security solutions used heuristics that focused on detecting this behavior. Google later implemented platform-level changes that practically eliminated this attack surface. These changes include:

  1. Removing the SYSTEM_ALERT_WINDOW error and alert window types, and introducing a few other types as replacement
  2. Elevating the permission status of SYSTEM_ALERT_WINDOW to special permission by putting it into the “above dangerous” category, which means that users have to go through many screens to approve apps that ask for permission, instead of just one click
  3. Introducing an overlay kill switch on Android 8.0 and later that users can activate anytime to deactivate a system alert window

To adapt, Android malware evolved to misusing other features, but these aren’t as effective. For example, some strains of ransomware abuse accessibility features, a method that could easily alarm users because accessibility is a special permission that requires users to go through several screens and accept a warning that the app will be able to monitor activity via accessibility services. Other ransomware families use infinite loops of drawing non-system windows, but in between drawing and redrawing, it’s possible for users to go to settings and uninstall the offending app.

The new Android ransomware variant overcomes these barriers by evolving further than any Android malware we’ve seen before. To surface its ransom note, it uses a series of techniques that take advantage of the following components on Android:

  1. The “call” notification, among several categories of notifications that Android supports, which requires immediate user attention.
  2. The “onUserLeaveHint()” callback method of the Android Activity (i.e., the typical GUI screen the user sees) is called as part of the activity lifecycle when the activity is about to go into the background as a result of user choice, for example, when the user presses the Home key.

The malware connects the dots and uses these two components to create a special type of notification that triggers the ransom screen via the callback.

Screenshot of malware code

Figure 2. The notification with full-screen intent and set as “call” category

As the code snippet shows, the malware creates a notification builder and then does the following:

  1. setCategory(“call”) – This means that the notification is built as a very important notification that needs special privilege.
  2. setFullScreenIntent() – This API wires the notification to a GUI so that it pops up when the user taps on it. At this stage, half the job is done for the malware. However, the malware wouldn’t want to depend on user interaction to trigger the ransomware screen, so, it adds another functionality of Android callback:

Figure 3. The malware overriding onUserLeaveHint

As the code snippet shows, the malware overrides the onUserLeaveHint() callback function of Activity class. The function onUserLeaveHint() is called whenever the malware screen is pushed to background, causing the in-call Activity to be automatically brought to the foreground. Recall that the malware hooked the RansomActivity intent with the notification that was created as a “call” type notification. This creates a chain of events that triggers the automatic pop-up of the ransomware screen without doing infinite redraw or posing as system window.

Machine learning module indicates continuous evolution

As mentioned, this ransomware is the latest variant of a malware family that has undergone several stages of evolution. The knowledge graph below shows the various techniques this ransomware family has been seen using, including abusing the system alert window, abusing accessibility features, and, more recently, abusing notification services.

Knowledge graph showing techniques used by the Android ransomware family

Figure 4. Knowledge graph of techniques used by ransomware family

This ransomware family’s long history tells us that its evolution is far from over. We expect it to churn out new variants with even more sophisticated techniques. In fact, recent variants contain code forked from an open-source machine learning module used by developers to automatically resize and crop images based on screen size, a valuable function given the variety of Android devices.

The frozen TinyML model is useful for making sure images fit the screen without distortion. In the case of this ransomware, using the model would ensure that its ransom note—typically fake police notice or explicit images supposedly found on the device—would appear less contrived and more believable, increasing the chances of the user paying for the ransom.

The library that uses tinyML is not yet wired to the malware’s functionalities, but its presence in the malware code indicates the intention to do so in future variants. We will continue to monitor this ransomware family to ensure customers are protected and to share our findings and insights to the community for broad protection against these evolving mobile threats.

Protecting organizations from threats across domains and platforms

Mobile threats continue to rapidly evolve, with attackers continuously attempting to sidestep technological barriers and creatively find ways to accomplish their goal, whether financial gain or finding an entry point to broader network compromise.

This new mobile ransomware variant is an important discovery because the malware exhibits behaviors that have not been seen before and could open doors for other malware to follow. It reinforces the need for comprehensive defense powered by broad visibility into attack surfaces as well as domain experts who track the threat landscape and uncover notable threats that might be hiding amidst massive threat data and signals.

Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. It detects this ransomware (AndroidOS/MalLocker.B), as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection. It also protects users and organizations from other mobile threats, such as mobile phishing, unsafe network connections, and unauthorized access to sensitive data. Learn more about our mobile threat defense capabilities in Microsoft Defender for Endpoint on Android.

Malware, phishing, and other threats detected by Microsoft Defender for Endpoint are reported to the Microsoft Defender Security Center, allowing SecOps to investigate mobile threats along with endpoint signals from Windows and other platforms using Microsoft Defender for Endpoint’s rich set of tools for detection, investigation, and response.

Threat data from endpoints is combined with signals from email and data, identities, and apps in Microsoft 365 Defender (previously Microsoft Threat Protection), which orchestrates detection, prevention, investigation, and response across domains, providing coordinated defense. Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity, empowering them to comprehensively prevent, detect, and respond to attack sprawl and cross-domain incidents.

Technical analysis

Obfuscation

On top of recreating ransomware behavior in ways we haven’t seen before, the Android malware variant uses a new obfuscation technique unique to the Android platform. One of the tell-tale signs of an obfuscated malware is the absence of code that defines the classes declared in the manifest file.

Malware code showing manifest file

Figure 5. Manifest file

The classes.dex has implementation for only two classes:

  1. The main application class gCHotRrgEruDv, which is invoked when the application opens
  2. A helper class that has definition for custom encryption and decryption

This means that there’s no code corresponding to the services declared in the manifest file: Main Activity, Broadcast Receivers, and Background. How does the malware work without code for these key components? As is characteristic for obfuscated threats, the malware has encrypted binary code stored in the Assets folder:
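The tell-tale sign described above, components declared in the manifest with no class behind them in classes.dex, can be checked mechanically once the APK is decoded. The following is an added example, not code from the Microsoft analysis: it parses a decoded AndroidManifest.xml, resolves relative component names against the package, and reports declared classes that a dex listing does not define. The manifest, package name and dex class list are constructed for illustration (only the gCHotRrgEruDv class name comes from the post); in practice the dex class set would come from a dex parser such as dexdump.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest in the decoded form a tool such as apktool shows.
# Package and component names are made up; only the application class name
# mirrors the sample discussed in the post.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.locker">
  <application android:name=".gCHotRrgEruDv">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.locker.Background"/>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""

# Constructed set of classes actually defined in classes.dex: only the
# application class and an encryption helper, as in the post.
SAMPLE_DEX_CLASSES = {"com.example.locker.gCHotRrgEruDv", "com.example.locker.CryptoHelper"}


def qualify(name, package):
    """Resolve a manifest class name to its fully qualified form.

    ".Foo" and bare "Foo" are relative to the package; dotted names are absolute.
    """
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def declared_components(manifest_xml):
    """Return (package, set of fully qualified classes) declared by <application>
    and its activity/service/receiver/provider children."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    names = set()
    app = root.find("application")
    if app is None:
        return package, names
    app_name = app.get(f"{{{ANDROID_NS}}}name")
    if app_name:
        names.add(qualify(app_name, package))
    for tag in COMPONENT_TAGS:
        for element in app.iter(tag):
            name = element.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.add(qualify(name, package))
    return package, names


def undefined_components(manifest_xml, dex_classes):
    """Classes the manifest declares but no dex defines, sorted for stable reporting."""
    _, declared = declared_components(manifest_xml)
    return sorted(declared - set(dex_classes))


if __name__ == "__main__":
    for cls in undefined_components(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES):
        print("declared but not defined:", cls)
```

An empty result does not clear an app, and a non-empty one does not condemn it by itself: multidex builds and apps that load feature modules at runtime also leave manifest entries without a matching class in the primary dex, so the check is a prompt to look for encrypted assets and a runtime dex loader, as the analysis goes on to do.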

Screenshot of Assets folder with encrypted executable code

Figure 6. Encrypted executable code in Assets folder

When the malware runs for the first time, the static block of the main class is run. The code is heavily obfuscated and made unreadable through name mangling and use of meaningless variable names:

Figure 7. Static block

Decryption with a twist

The malware uses an interesting decryption routine: the string values passed to the decryption function do not correspond to the decrypted value; they are junk, intended simply to hinder analysis.

On Android, an Intent is a software mechanism that allows users to coordinate the functions of different Activities to achieve a task. It’s a messaging object that can be used to request an action from another app component.

The Intent object carries a string value as its “action” parameter. The malware creates an Intent inside the decryption function, using the string value passed in as the name for the Intent. It then decrypts a hardcoded encrypted value and sets the “action” parameter of the Intent using the setAction API. Once this Intent object is generated with the action value pointing to the decrypted content, the decryption function returns the Intent object to the caller. The caller then invokes the getAction method to retrieve the decrypted content.

Figure 8. Decryption function using the Intent object to pass the decrypted value

Payload deployment

Once the static block execution is complete, the Android Lifecycle callback transfers control to the onCreate method of the main class.

Figure 9. onCreate method of the main class decrypting the payload

Next, the malware-defined function decryptAssetToDex (a meaningful name we assigned during analysis) receives the string “CuffGmrQRT” as the first argument, which is the name of the encrypted file stored in the Assets folder.

Figure 10. Decrypting the assets

Once decrypted, the asset turns out to be a .dex file. This is a notable behavior that is characteristic of this ransomware family.

Figure 11. Asset file before and after decryption

Once the encrypted executable is decrypted and dropped to storage, the malware has the definitions for all the components it declared in the manifest file. It then starts the final detonator function to load the dropped .dex file into memory and trigger the main payload.

Figure 12. Loading the decrypted .dex file into memory and triggering the main payload

Main payload

When the main payload is loaded into memory, the initial detonator hands over control to the main payload by invoking the method XoqF (which we renamed to triggerInfection during analysis) from the gvmthHtyN class (renamed to PayloadEntry).

Figure 13. Handover from initial module to the main payload

As mentioned, the initial handover component calls triggerInfection with an instance of appObj and a method that returns the value of the variable config.

Figure 14. Definition of populateConfigMap, which loads the map with values

Correlating the last two steps, one can observe that the malware payload receives the configuration for the following properties:

  1. number – The default number to be sent to the server (in case the number is not available from the device)
  2. api – The API key
  3. url – The URL to be loaded in a WebView to display the ransom note

The malware saves this configuration to the shared preferences of the app data and then sets up all the Broadcast Receivers. This registers code components to be notified when certain system events happen. This is done in the function initComponents.

Figure 15. Initializing the BroadcastReceiver against system events

From this point on, the malware execution is driven by callback functions that are triggered on system events like connectivity change, unlocking the phone, elapsed time interval, and others.

Dinesh Venkatesan

Microsoft Defender Research

The post Sophisticated new Android malware marks the latest evolution of mobile ransomware appeared first on Microsoft Security.

Why we invite security researchers to hack Azure Sphere

Fighting the security battle so our customers don’t have to

IoT devices are becoming more prevalent in almost every aspect of our lives—we will rely on them in our homes, our businesses, as well as our infrastructure. In February, Microsoft announced the general availability of Azure Sphere, an integrated security solution for IoT devices and equipment. General availability means that we are ready to provide OEMs and organizations with quick and cost-effective device security at scale. However, securing those devices does not stop once we put them into the hands of our customers. It is only the start of a continual battle between the attackers and the defenders.

Building a solution that customers can trust requires investments before and after deployment by complementing up-front technical measures with ongoing practices to find and mitigate risks. In April, we highlighted Azure Sphere’s approach to risk management and why securing IoT is not a one-and-done. Products improve over time, but so do hackers, as well as their skills and tools. New security threats continue to evolve, and hackers invent new ways to attack devices. So, what does it take to stay ahead?

As a Microsoft security product team, we believe in finding and fixing vulnerabilities before the bad guys do. While Azure Sphere continuously invests in code improvements, fuzzing, and other processes of quality control, it often requires the creative mindset of an attacker to expose a potential weakness that otherwise might be missed. Better than trying to think like a hacker is working with them. This is why we operate an ongoing program of red team exercises with security researchers and the hacker community: to benefit from their unique expertise and skill set. That includes being able to test our security promise not just against yesterday’s and today’s, but against even tomorrow’s attacks on IoT devices before they become known more broadly. Our recent Azure Sphere Security Research Challenge, which concluded on August 31, is a reflection of this commitment.

Partnering with MSRC to design a unique challenge

Our goal with the three-month Azure Sphere Security Research Challenge was twofold: to drive new high-impact security research, and to validate Azure Sphere’s security promise against the best challengers in their field. To do so, we partnered with the Microsoft Security Response Center (MSRC) and invited some of the world’s best researchers and security vendors to try to break our device by using the same kinds of attacks as any malicious actor might. To make sure participants had everything they needed to be successful, we provided each researcher with a dev kit, a direct line to our OS Security Engineering Team, access to weekly office hours, and email support in addition to our publicly available operating system kernel source code.

Our goal was to focus the research on the highest impact on customer security, which is why we provided six research scenarios with additional rewards of up to 20 percent on top of the Azure Bounty (up to $40,000), as well as $100,000 for two high-priority scenarios proving the ability to execute code in Microsoft Pluton or in Secure World. We received more than 3,500 applications, which is a testament to the strong interest of the research community in securing IoT. More information on the design of the challenge and our collaboration with MSRC can be found here on their blog post.

Researchers identify high impact vulnerabilities before hackers

The quality of submissions from participants in the challenge far exceeded our expectations. Several participants helped us find multiple potentially high impact vulnerabilities in Azure Sphere. The quality is a testament to the expertise, determination, and the diligence of the participants. Over the course of the challenge, we received a total of 40 submissions, of which 30 led to improvements in our product. Sixteen were bounty-eligible; adding up to a total of $374,300 in bounties awarded. The other 10 submissions identified known areas where potential risk is specifically mitigated in another part of the system—something often referred to in the field as “by design.” The high ratio of valid submissions to total submissions speaks to the extremely high quality of the research demonstrated by the participants.

Graph showing the submission breakdown and the total amount of money eligible to be received through the bounty system.

Jewell Seay, Azure Sphere Operating System Platform Security Lead, has shared detailed information of many of the cases in three recent blog posts describing the security improvements delivered in our 20.07, 20.08, and 20.09 releases. Cisco Talos and McAfee Advanced Threat Research (ATR), in particular, found several important vulnerabilities, and one particular attack chain is highlighted in Jewell’s 20.07 blog.

While the described attack required physical access to a device and could not be executed remotely, it exposed potential weaknesses spanning both cloud and device components of our product. The attack included a potential zero-day exploit in the Linux kernel to escape root privileges. The vulnerability was reported to the Linux kernel security team, leading to a fix that was shared with the larger open source community. If you would like to learn more and get an inside view of the challenge from two of our research partners, we highly recommend McAfee ATR’s blog post and whitepaper, or Cisco Talos’ blog post.

What it takes to provide renewable and improving security

With Azure Sphere, we provide our customers with a robust defense based on the Seven Properties of Highly Secured Devices. One of the properties, renewable security, ensures that a device can update to a more secure state—even if it has been compromised. While this is essential, it is not sufficient on its own. An organization must be equipped with the resources, people, and processes that allow for a quick resolution before vulnerabilities impact customers. Azure Sphere customers know that they have the strong commitment of our Azure Sphere Engineering team—that our team is searching for and addressing potential vulnerabilities, even from the most recently invented attack techniques.

We take this commitment to heart, as evidenced by all the fixes that went into our 20.07, 20.08, and 20.09 releases. In less than 30 days of McAfee reporting the attack chain to us, we shipped a fix to all of our customers, without the need for them to take any action due to how Azure Sphere manages updates. Although we received a high number of submissions throughout multiple release cycles, we prioritized analyzing every single report as soon as we received it. The success of our challenge should not just be measured by the number and quality of the reports, but also by how quickly reported vulnerabilities were fixed in the product. When it came to fixing the found vulnerabilities, there was no distinction made between the ones that were proven to be exploited or the ones that were only theoretical. Attackers get creative, and hope is not part of our risk assessment or our commitment to our customers.

Our engagement with the security research community

On behalf of the entire team and our customers, we would like to thank all participants for their help in making Azure Sphere more secure! We were genuinely impressed by the quality and number of high impact vulnerabilities that they found. In addition, we would also like to thank the MSRC team for partnering with us on this challenge.

Our goal is to continue to engage with this community on behalf of our customers going forward, and we will continue to review every potential vulnerability report for Azure Sphere for eligibility under the Azure Bounty Program awards.

Our team learned a lot throughout this challenge, and we will explore and announce additional opportunities to collaborate with the security research community in the future. Protecting our platform and the devices our customers build and deploy on it is a key priority for us. Working with the best security researchers in the field, we will continue to invest in finding potential vulnerabilities before the bad guys do—so you don’t have to!

If you are interested in learning more about how Azure Sphere can help you securely unlock your next IoT innovation:

The post Why we invite security researchers to hack Azure Sphere appeared first on Microsoft Security.

Swiss-Swedish Diplomatic Row Over Crypto AG

Previously I have written about the Swedish-owned Swiss-based cryptographic hardware company: Crypto AG. It was a CIA-owned Cold War operation for decades. Today it is called Crypto International, still based in Switzerland but owned by a Swedish company.

It’s back in the news:

Late last week, Swedish Foreign Minister Ann Linde said she had canceled a meeting with her Swiss counterpart Ignazio Cassis slated for this month after Switzerland placed an export ban on Crypto International, a Swiss-based and Swedish-owned cybersecurity company.

The ban was imposed while Swiss authorities examine long-running and explosive claims that a previous incarnation of Crypto International, Crypto AG, was little more than a front for U.S. intelligence-gathering during the Cold War.

Linde said the Swiss ban was stopping “goods” — which experts suggest could include cybersecurity upgrades or other IT support needed by Swedish state agencies — from reaching Sweden.

She told public broadcaster SVT that the meeting with Cassis was “not appropriate right now until we have fully understood the Swiss actions.”

EDITED TO ADD (10/13): Lots of information on Crypto AG.

3 ways Microsoft helps build cyber safety awareness for all

This tumultuous year has brought paradigm shifts across every facet of daily life. A global pandemic has pushed much of our lives online—work, school, entertainment, shopping, and socializing. But one thing remains unchanged: people everywhere share a common need for safety. Today, our need for personal safety includes the digital realm. At Microsoft, we believe that a secure online experience helps empower people to do more, create more, and have trust in the technology that connects us all. It’s no wonder that cybersecurity is a vital part of everything we build.

“People are both my first and last line of defense” –Bret Arsenault, Microsoft Chief Information Security Officer

Now, as we kick off Cybersecurity Awareness Month, it’s worth taking a moment to reflect on the purpose of this initiative and how Microsoft is helping to empower people around the world with seamless, integrated security. We want to help create a safer world for everyone, so that online learning, remote work, community building, and even shopping online can be enriching experiences.

My first 12 calendar weeks at Microsoft have been packed—from my first introduction at Microsoft Inspire to sharing our security, compliance, and identity innovations at Microsoft Ignite last week. In between, we’ve shared insights from our customers about their journeys to create a more secure workplace during this time of global transformation. I’m committed to listening and learning from all of you, and excited to share my enthusiasm for this dynamic industry.   

Throughout October, Microsoft will join the National Cybersecurity Alliance and other industry partners to promote online safety for consumers and businesses. I’m energized to share our plans to empower people and organizations worldwide and invite you to learn more about our efforts.  

Security awareness for all

Most of us think we’re too smart to fall for a phishing scam, and our confidence only grows when we’re logged onto a company network. Statistics show that nearly one in three security breaches starts with a phishing attack, costing the affected organization an average of $1.4 million. With the rise in people working from home, new attacks such as consent phishing have cropped up to take advantage of remote workers dealing with home-life distractions. Terranova has partnered with Microsoft to create the Gone Phishing Tournament™ during October, using real lures (phishing emails) to capture accurate click-through statistics, providing organizations with data-backed insights to grow their security awareness programs.

Microsoft security help and learning will feature five new articles during October, localized for 36 languages and updating every Monday, each covering security topics that affect all types of users. The first, easy tips to improve cybersecurity, provides information on how to uninstall unused apps that might be compromising your security, as well as how to get rid of unwanted browser extensions. Visitors also learn how to do a deep scan for malware using Microsoft Defender Offline and how to reset their devices to factory settings using Windows 10.

This week of October 5, “Keys to the kingdom: Securing your devices and accounts” explains how multifactor authentication (MFA) works, as well as the advantages of using the free Microsoft Authenticator app to secure your smartphone. Look for more articles on secure networking, scams and attacks, and backup and recovery to follow throughout the month. Year ’round, the Microsoft security help & learning page is updated with educational content for students, parents, remote workers, and anyone who wants to arm themselves with up-to-date information on protecting against cyber threats.

Cybersecurity workshops

Microsoft Store will also be running virtual workshops throughout the month of October in support of Cybersecurity Awareness Month. Attendees for “Work safer and smarter with Microsoft 365” will learn how Microsoft 365 Business helps safeguard their data and lowers security risks with Windows Defender and Windows 10 device management, as well as providing app protection for Office mobile apps on iOS and Android—including a single login for all apps and services.  

“Work better together with Microsoft Teams” enables users to experience the flexibility and highly secure access Teams delivers for organizations of any size. Both workshops feature security components designed to help users stay safe and secure online. Microsoft will also feature cybersecurity resources and content on our new Small and Medium Business (SMB) Resource Center, launching today, October 5. Delivered the same week, our first SMB newsletter will also include cybersecurity information and resources.

Diverse hiring for smarter AI

Building diverse cyber teams is a major source of passion and advocacy for me. It isn’t just the right thing to do; it gives us a strategic advantage as a company and as a defender against threat actors worldwide who seek to sow confusion and harm. How? AI remains one of the best tools to confront cyber threats. But effective, responsible AI requires the input and ideas of a diverse group. This diversity of thought is not just about gender or ethnic diversity. It’s both of those, certainly, but so much more. Effective AI requires diversity of experiences, cultures, opinions, education, perspectives, and many other factors. On a team where everyone has similar skills and backgrounds, members risk sinking into groupthink and losing creativity. Data shows that diverse teams make better decisions than individuals 87 percent of the time. And it makes perfect sense. If we’re building solutions for all, we need to include all in the building of those solutions.

By ensuring diversity in our teams, we help create AI systems that warrant people’s trust, while moving closer to futureproofing against bias in tech. At Microsoft, we’ve forged partnerships, created initiatives, and built in transparency as part of our holistic approach to address systemic issues contributing to the low representation of women in cybersecurity. Listen to the podcast session where Bret Arsenault, Microsoft CISO, talks with Ann Johnson, Corporate Vice President of Business Development, Security, Compliance & Identity at Microsoft, about why investing in diverse teams isn’t just the right thing to do; the future of cybersecurity depends on it. And be sure to watch our panel discussion, Future Proofing Against Bias, happening October 21 at EWF (Executive Women’s Forum).

Microsoft is working every day to help empower users to achieve more while staying safe and secure. Behind our technical innovations are people hungry to do more. We want to create an inclusive world where every human being can be a cybersecurity hero. For more information on how you can enable your security team and organization to be #cybersmart, visit our cybersecurity website.

To learn more about Microsoft Security solutions, visit the Microsoft Security website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity, and please reach out to me on LinkedIn or follow me at @vasujakkal.

The post 3 ways Microsoft helps build cyber safety awareness for all appeared first on Microsoft Security.

Answer these questions to find out how safe your social media profiles are

Unless you’re a hermit who lives under a rock, you probably use social media in some form or the other. You’re not alone; recent statistics reveal that you’re among 3.5 billion social media users worldwide. And it’s a rapidly increasing number that already constitutes half the world’s population. Social media…

Tracking PhishingKits for Hunting APT Evolution

Advanced and Persistent Threats are often delivered by email or by exploiting exposed vulnerabilities. Since vulnerability exploitation comes in waves that depend on vulnerability trends, the email vector has become one of the most (ab)used and stable ways to deliver malicious and unwanted software. A common way to attack victims is to make them open an email attachment using common social engineering techniques. Attackers pretending to be a candidate asking an HR manager to open the “attached curriculum”, a customer asking for special products or information included in a well-crafted Word document, a friend asking for a favor, or a new customer asking for a price list in a malicious Microsoft Excel attachment are only some of the (almost) infinite ways to make someone open an attachment.

But something is slowly changing.

While phishing has so far been underestimated by malware analysts working on state-sponsored cyber attacks, since it was mostly a technique used by criminal groups to steal credentials, nowadays it is increasingly used by state-sponsored attackers to spread malware (for example Android apps) and to steal credentials in order to restart a previously failed attack with a wider victim surface. Many research groups have already noticed this slow move from email attachments to phishing campaigns: for example, CheckPoint researchers in their great report on Rampant Kitten (ref: HERE) show in the section “Infrastructure and Connection” (Figure 9) a nice phishing infrastructure, and the FBI in ME-000134-MW warns about both phishing and email attachments. But those are only some of the many examples you can find by reading reports and analyses from research groups.

For such reasons I believe phishing, and most importantly PhishingKits, need to be studied and tracked even by cyber security analysts who dedicate their effort to APT rather than to criminality. To give some idea of how to track phishing kits, I am sharing some of my tweets on the topic, to show how different they are from each other and how complex they can be.

If you agree with me that PhishingKits will play a significant role in the next few years even in the APT world, and if you want to help the community analyze and report them as quickly as possible, you might decide to start from HERE: a freshly updated repository of PhishingKits. There you will find more than 600 archives (as of today, but that number grows every day as new PKs are detected by my backend system, which is running and pushing to the git repo) containing the source code of many PhishingKits, some of them used in APT, others used in common credential-stealing campaigns. You will learn how they evade detection (it’s unbelievable how some criminals implement anti-detection code 😀 ), how they name themselves, how they write code, and what the administrator panels look like. If you start a deep analysis of that data you will probably be able to group kits by author and later, by clustering on those results, track each author’s style and how it changes over time. That would be very interesting for tracking the evolution of PKs and for giving the community control over them, to gain a safer digital space.

If you think this work is worth spreading, please go ahead, and if you use the collection and the scripts in the repository for your research, please cite it using the following BibTeX entry.

@misc{ MR,
    author = "Marco Ramilli",
    title = "Phishing Kits Tracker",
    year = "2020",
    url = "https://marcoramilli.com/2020/07/13/introducing-phishingkittracker/",
    note = "[Online; July 2020]"
}

Emotet Trojan is back as the world unlocks

A threat actor named Emotet Trojan has been in the wild for more than 5 years, and now it is back after a 5-month break. It has spread globally, infecting new as well as old targets. It has been re-launched with multiple malspam campaigns to distribute in all sectors. We…

Career change? Cybersecurity companies are hiring.

Careers in Cybersecurity

Career change? Cybersecurity companies are hiring.

If you’re thinking career change or career shift, there’s a field that has an estimated 4 million jobs open. Cybersecurity.

According to survey and research data from the International Cybersecurity Organization (ICS)2, there’s a cybersecurity workforce gap—a terrifically high volume of jobs left unfilled. Published in 2019, the gap they identified looked like this:

  • Nearly 500,000 jobs unfilled in the U.S.
  • Globally, a gap of 4 million jobs was reported.
  • 65% of the respondents say they’re short on cybersecurity staff.

Needless to say, there’s opportunity in the field for both technical and non-technical roles.

Here’s an important thing to keep in mind about cybersecurity: it’s not solely about understanding technology. It’s about understanding people too, and how people and technology interact.

The moment you see cybersecurity through that broader lens, you can see how the field opens widely to encompass a range of roles. Of course, there are analysts and engineers, yet it also includes other roles like digital forensics and cyber investigation, healthcare information security, cryptography, and even cyber law. Additionally, there’s needed expertise in the realms of privacy, governance, ethics, and even digital ethics. And if you take a role with a security company such as ours, the opportunity further extends to positions in account management, marketing, and operations. (In fact, you can drop by our careers page for a look at our current openings and what workday life is like around here.)

Why now’s a great time to consider a cybersecurity career

There are plenty of reasons. On top of that data published in 2019, with our unprecedented reliance on the internet to work, learn, and stay connected in 2020, demand for cybersecurity jobs is rising even further. As so many of us turned increasingly to the internet to get through our day, the same is true for hackers and crooks.

With that, let’s take a quick look at several of the factors working in your favor as you consider a change.

There’s demand for cybersecurity jobs.

We’ve all seen the news stories of major breaches at big retailers, credit reporting agencies, hotels, and even healthcare providers. It’s not just the private sector that’s been grappling with cybersecurity concerns, there’s need in the public sector as well—like municipalities. In all, every organization needs cybersecurity (just as we all need cybersecurity for our homes), and thus there’s plenty of opportunity out there. Using just one of the many possible cybersecurity roles as an example, the U.S. Bureau of Labor Statistics predicts a 32% increase in demand for information security analysts through 2028—which is far higher than the average of other professions.

You don’t need a specific degree in cybersecurity to get a job.

In fact, the same (ICS)2 survey discovered that only 42% of current cybersecurity pros said that their first job after higher education was in the field of cybersecurity. In other words, the majority of cybersecurity pros ended up that way by some means of career shift or change. And they got there through certifications and training rather than by way of a degree from a college or university.

Transferable skills absolutely apply.

Our own Chief Human Resources Officer, Chatelle Lynch, put it quite well in an interview with Business Insider just a few weeks ago: “It’s no secret that the demand for cybersecurity staff has steadily grown over the past decade,” she says. “This means opportunity, so if you don’t have a degree, don’t let that slow you down. You may have unique work experience or relevant certifications, alternative learning, or transferable skills that you need to make sure you highlight when applying and interviewing.”

For example, she goes on to say that prior military service, IT experience, and volunteer or hobbyist activities (even online gaming) are a good foundation for cybersecurity roles.

Cybersecurity employers seek candidates with non-technical soft skills.

These skills absolutely apply, and they’re sought after skills as well. The ability to work independently, lead projects, write and document well, and particularly strong people skills are vital for a role where you’ll be interfacing with numerous individuals, departments, and business units. Likewise, as called out above, certain roles focus more on the non-technical side of security solutions.

Getting trained in cybersecurity

The beauty of making a career change to cybersecurity is that there are plenty of ways you can get it done at home and on your time.

If you’re just getting started, you can test the waters for free or at relatively low cost with a Massively Open Online Course (MOOC) that gives you the basics on cybersecurity. Future Learn’s “Introduction to Cybersecurity” from The Open University is one example of an intro program, as is the University of Michigan’s “Securing Digital Democracy” class that’s offered through Coursera.

If you’re already an IT pro or have a strong technical background, there are similar MOOC courses available that cater to your current level of knowledge and skill. The University of Maryland’s “Cybersecurity Specialization” and “Usable Security” are geared accordingly.

For a list of cybersecurity programs available online, drop by CyberDegrees.org. Their listing is one of many good places to start.

Other free and low-cost avenues out there include subscribing to some security bloggers, grabbing some hands-on work with coding and IT networking fundamentals from online learning companies like Udemy, Codecademy, and Khan Academy, or joining some online cybersecurity groups for a little professional networking. In all, there’s plenty of opportunity to learn from others, both in structured class settings and in more unstructured peer and mentorship relationships.

Prepare for that online interview

When you’re ready to start your job search, there’s a good chance that your interview will be conducted online. Online interviews have been part of the job-hunting landscape for a few years now, yet with many employers enacting work from home measures, it’s the way hiring gets done right now. I expect this to continue, as employers have embraced its many benefits, particularly in the early stages of interviews. If the prospect of an online interview is new to you, I put together a pair of articles this spring that can help.

Your cybersecurity career

As you make the jump, here’s the most important thing you’ll need: a love of technology and a desire to protect the people who use it. If you can combine a drive to understand both technology and people better with the further drive to see it all through, you’ll be well on your way. Like any career shift or change, there’s work ahead, yet it’s my impression that our field is a welcoming and supportive one—and very much on a keen lookout for new talent.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Career change? Cybersecurity companies are hiring. appeared first on McAfee Blogs.

Telehealth, Distance Learning, & Online Banking: Securing Digital Frontiers

2020 has propelled us into a new digital reality – one where we are reliant on technology to help us maintain our way of life. This forced all age groups, from 8-80, to learn how to conduct their day-to-day online. I personally had my mother asking a million questions about how to video conference!

But while we’re all looking to remain connected, we need to also focus on staying protected. For those of us a little more tech-savvy, that means helping our family and friends learn how this new digital reality impacts online security.

Let’s examine what that entails.

Keeping Personal Health Private

Digital healthcare’s rise was predicted back in January when Bain & Company reported that 40% of U.S. physicians expect to start using telemedicine over the next two years. Then came COVID-19, which drove healthcare providers to turn toward digital options to deliver socially distanced patient care. Many PCPs moved almost entirely to telehealth, with half of those surveyed using telemedicine in over 75% of their patient care.

While telehealth significantly increases patient care availability, there are also intrinsic privacy and security risks that go along with it. For example, telehealth requires that patients submit their health information through online platforms – some of which lack the proper data safeguards and don’t meet HIPAA requirements. Like all data transferred over the internet, private health information used for telemedicine could be intercepted by hackers if users don’t take proper security precautions. This means ensuring you and your loved one employ best practices – locking your platform account with a strong password, ensuring you only give your personal information to your doctor or verified resource, etc. These simple steps from McAfee experts are more important than ever before, as the healthcare industry is a preferred target for criminals.

Supporting Students Distance Learning

School may be back in session, but it looks pretty different than previous years. For parents, this means navigating the unknown terrain that is a virtual classroom – and how the new environment affects your family’s online security.

Distance learning has led to a substantial spike in the use of online video conferencing tools to conduct virtual lectures – which is only compounded by the fact that kids are already constantly on devices to play and socialize. However, some of the tools they use have proven to lack necessary security measures, which could jeopardize your students’ academic success and online security. Beyond video platform concerns, the combination of increased personal device usage on not-as-secure home networks poses a threat of its own.

Parents must ensure their students succeed – at both school and security. While they’re helping kids adjust to distance learning, parents can help keep them safe online by conducting router firmware updates, changing any default passwords on home networks, and leveraging a VPN. Additionally, parents must teach kids good security hygiene, such as always updating an app or device when an update is available. With parents juggling so much right now, they can also look for some extra support in the form of a comprehensive security solution that covers all their family’s devices with an extra layer of protection. 

Bank Online Without Prying Eyes

Many consumers have adopted digital financial services to make contactless payments or participate in online banking – some for convenience, others to help minimize contact in light of recent events. However, as this tech grows, so does the need for up-to-date security.

As users incorporate digital financial services into their everyday lives, they may fall victim to the risks commonly associated with making online payments. My mother, for example, is new to mobile banking and doesn’t know to look out for targeted phishing attacks from hackers who are trying to trick her out of money. Even the most tech-savvy online banking users can fall victim to more sophisticated phishing schemes out there. 

To ensure cybercriminals don’t trick my mom into sharing sensitive information by impersonating her bank, we’ve discussed some ways she can identify an attack. Now, she knows to always hover over suspicious links, avoid interacting with messages from unknown senders, and to go directly to her bank’s official website.  

Securing Our New Digital Frontiers

We can use technology to adapt and grow during this time, just as long as we all employ security best practices. So, whether it be telehealth, distance learning, or digital finances, your family should always keep the aforementioned tips top of mind.

And remember – you’re not in this alone. You’ve got the support you need during this new digital reality in the form of a comprehensive security solution, McAfee® Total Protection. With this solution, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats. It includes comprehensive internet security, multi-faceted privacy protection, and our secure VPN to ensure your family is prepared for any potential threat. 

With robust, comprehensive security in place, your family’s devices will be consistently protected from the latest threats that come with our digital reality. With all these devices safe, everyone’s online life is free from worry.

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Telehealth, Distance Learning, & Online Banking: Securing Digital Frontiers appeared first on McAfee Blogs.

Together, We Block and Tackle to Give You Peace of Mind

As a leader in cybersecurity, we at McAfee understand that every aspect of your digital life has potential weak spots that could make you vulnerable to threats and attacks. By incorporating security into everything you do online, you’re better protected from potential threats. To mount your offense, we’ve enlisted a team of partners that puts your security needs first, seamlessly blending our security with their services so you can live a confident life online. We bring our McAfee security teams together with industry players like PC & smartphone manufacturers, software & operating system developers, and more to make sure we can keep scoring security wins for you.

PC Partners Sweat the Security So You Don’t Have To

When was the last time you worried about security while you were shopping for a new PC? You were probably checking out the specs, price, and making sure it had all the capabilities you needed for working remotely, distance learning, and maybe a little gaming. And that’s all in addition to the day-to-day productivity, banking, and browsing you do. Like a strong defensive line, HP, Dell, Lenovo, and ASUS work closely with us to make sure that your personal data and devices are secure, especially as you spend more time online than ever before. That’s why so many new PCs are preloaded with a free McAfee® LiveSafe trial to provide integrated protection from malware, viruses, and spyware from day 1 with minimal impact on performance.

McAfee protection goes beyond just antivirus. We help you keep apps and Windows up to date and patched against vulnerabilities, block intruders with our firewall, and help you clean up cookies and temporary files to minimize the digital footprint on your PC.

We build our security directly into the devices consumers rely on for everything from remote yoga to distance learning, so that they know they’ll be safer online, regardless of what their new normal looks like.

Our Defense Is More Mobile Than Ever

Part of a good defense is understanding how the game has changed. We recognize that our customers are using multiple devices to connect online these days. In fact, their primary device may not even be a computer. That’s why we work with mobile providers to ensure customers like you have access to our comprehensive multidevice security options. Devices like mobile phones and tablets allow users to access social media, stream content, and even bank on their terms. For that reason, our mobile protection includes features like VPN, so that you can connect any time, any place safely and use your apps securely.

Retail Partners Make Plug and Play Even Easier

Our online and brick & mortar retail partners are also irreplaceable on the field. We understand that shopping for security can be complicated – even intimidating – when faced with a wall of choices. Whether you’re in-store or browsing online, we’ll work together to address your security needs so that your devices and personal data are protected with the solution that works best for you. Many of our retailers offer additional installation and upgrade support so you can have one less thing to worry about.

Software Partners Help Us Mount a Better Defense

Your web browser is more than a shortcut to the best chocolate chip cookie recipe; it connects you to endless content, information, and communication. Equally important is your operating system, the backbone that powers every app you install, every preference you save, and every vacation destination wallpaper that cycles through. We partner closely with web browsers, operating systems, and other software developers to ensure that our opponents can’t find holes in our defense. Everything that seamlessly works in the background stays that way, helping stop threats and intruders dead in their tracks. Whether it’s routine software updates or color-coded icons that help differentiate safe websites from phishing scams, we’re calling safety plays that keep our customers in the game.

Our Security Sets Teams Up for Success

At McAfee, we work tirelessly to do what we do best: blocking the threats you see, and even the ones you don’t. These days your “digital life” blurs the lines between security, identity, and privacy. So, we go into the dark web to hunt down leaked personal info stolen by identity thieves. We include Secure VPN in all our suites to give you privacy online. It’s these capabilities that strengthen both the offense and defense in our starting lineup of security suites like McAfee® Total Protection and McAfee® LiveSafe.

In short, your protection goes from a few reminders to scan your device to a team of experts helping you stay primed for the playoffs. It’s a roster that includes technology and humans solely devoted to staying ahead of the bad guys, from McAfee Advanced Threat Research (ATR) investigating and reporting, to artificial intelligence and machine learning that strengthens with every threat from every device. In fact, in just the first three months of this year, our labs detected over six threats per second!

Cybercriminals may be taking advantage of this current moment, but together, we can ensure our defense holds strong. After all, defense wins championships.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Together, We Block and Tackle to Give You Peace of Mind appeared first on McAfee Blogs.

Your guide to new-age cybersecurity terms

Like every other sector, cybersecurity has its own lingo. Often, it can be difficult for us users to understand the nuances. If jargon and long lists of indecipherable acronyms are frustrating you, we’re here to keep you updated with the latest lingo in the cybersecurity world. Keep in mind though,…

Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure

Cybercriminals tend to keep with the times, as they often leverage current events as a way to harvest user data or spread malicious content. McAfee COVID-19 Threat Report July 2020 points to a rather significant surge in attacks exploiting the current pandemic with COVID-19 themed malicious apps, phishing campaigns, malware, and ransomware. However, what many users don’t realize is that ransomware attacks are a lot more than meets the eye.  

COVID-19 Themed Ransomware

During the first few months of 2020, the McAfee Advanced Threat Research (ATR) team saw that cybercriminals were targeting manufacturing, law, and construction businesses. After pinpointing their targets, hackers spread COVID-19 themed ransomware campaigns to these companies in an effort to capitalize on their relevancy during this time.

An example of one of these attacks in action is Ransomware-GVZ. Ransomware-GVZ displays a ransom note demanding payment in return for decrypting the firm’s compromised systems and the personal and corporate data they contain. The ransomware then encrypts the organization’s files and displays a lock screen if a user attempts to reboot their device. As a result, the company is left with a severely crippled network while the criminals behind the attack gain a treasure trove of data – information belonging to consumers who have previously interacted with the business.


Ransomware Could Be the New Data Breach

As ransomware attacks continue to evolve, it’s not just file encryption that users need to be aware of – they also need to be aware of the impact the attack has on compromised data. Senior Principal Engineer and Lead Scientist Christiaan Beek stated, “No longer can we call these attacks just ransomware incidents. When actors have access to the network and steal the data prior to encrypting it, threatening to leak if you don’t pay, that is a data [infraction].” If a ransomware attack exploits an organization and their network is compromised, so is the data on that network. Hackers can steal this data before encrypting it and use this stolen information to conduct identity theft or spread other misfortune that can affect both the organization’s employees and their customers.  

This surge in ransomware is only compounded by traditional data infringements, which have also spiked in conjunction with the global pandemic. According to the McAfee COVID-19 Threat Report July 2020, the number of reported incidents targeting the public sector, individuals, education, and manufacturing dramatically increased. In fact, McAfee Labs counted 458 publicly disclosed security incidents in the few months of 2020, with a 60% increase in attacks from Q4 2019 to Q1 2020 in the United States alone. Coincidentally, the attacks targeting organizations also impact the consumers who buy from them, as the company’s data consists of their customers’ personal and financial information.

Don’t Let Your Data Be Taken for Ransom

Because of the high volume of data that’s compromised by ransomware attacks, it’s crucial for consumers to shift how they approach these threats and respond in a similar way to how they would respond to a data incident. Luckily, there are actionable steps you can take as a consumer to help secure your data.

Change your credentials

If you discover that a data leak or a ransomware attack has compromised a company you’ve interacted with, err on the side of caution and change your passwords for all of your accounts. Taking extra precautions can help you avoid future attacks. 

Take password protection seriously

When updating your credentials, you should always ensure that your password is strong and unique. Many users utilize the same password or variations of it across all their accounts. Therefore, be sure to diversify your passcodes to ensure hackers cannot obtain access to all your accounts at once, should one password be compromised. You can also employ a password manager to keep track of your credentials. 

Enable two-factor or multi-factor authentication

Two or multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification. This reduces the risk of successful impersonation by hackers. 

If you are targeted, never pay the ransom

It’s possible that you could be targeted individually by a ransomware campaign. If this happens, don’t pay the ransom. Although you may feel that this is the only way to get your encrypted files back, there is no guarantee that the ransomware developers will send a decryption tool once they receive the payment. Paying the ransom also contributes to the development of more ransomware families, so it’s best to hold off on making any payments. 

Use a comprehensive security solution

Adding an extra layer of security with a solution such as McAfee® Total Protection, which includes Ransom Guard, can help protect your devices from these cyberthreats.  

Stay Updated

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Ransomware Could Be the New Data Breach: 5 Tips to Stay Secure appeared first on McAfee Blogs.

Parental Control – Here’s how you can regulate your child’s computer habits

Today’s generation of children is introduced to technology from the moment they are born. So it’s not a surprise to hear that, according to one study from 2013, children are using the Internet from the age of three! This year especially has seen a mass migration from the physical to…

How to Reverse Office Droppers: Personal Notes

According to the Yoroi annual cyber security report (available HERE), to Cyber Threat Trends (available HERE) and to many additional resources, Microsoft Office files (Word documents and Excel spreadsheets) are among the most used malware loaders in the current era. Attackers lure victims into opening a specially crafted Office document, which loads (sometimes even downloads from external resources) malicious content and executes it on the host. Today I decided to write some personal notes on how to deal with them. What follows is a list of reverse engineering and malware analysis techniques that could help you analyze such droppers.

Many different file formats and methodologies, plus a lot of peculiar ways to hide malicious content, have been developed in the past years. I decided to group the techniques by paragraph to make the whole thing easier to read, so that you can jump directly to the section you are interested in without needing to read everything.

I hope you find it interesting and useful; if so, please share it so that many professionals/practitioners can use it, or improve it by sending me content to be added!

Thanks

Tool Chain

  • rtfdump.py available HERE
  • xorsearch available HERE
  • scDbg available HERE
  • oleid.py available HERE
  • oletools available HERE
  • msoffcrypto-crack.py available HERE
  • olevba available HERE
  • XLMDeobfuscator available HERE

Rich Text Format (.RTF)

Rich Text Format documents are interesting since they can carry embedded objects.

Rich Text Format Data

Didier Stevens built a great tool named rtfdump.py (available HERE) which can be used to deal with RTF files. If you run it against an RTF file you will see its composition and the objects that are included and used once the document is opened. The following picture shows an example of such a run on an RTF document (b98b7be0d7a4004a7e3f22e4061b35a56f825fdc3cba29248cf0500beca2523d). Usually I suggest starting the investigation from the heaviest object, in other words the one with the most bytes in it.

Check RTF Content

rtfdump.py offers a way to select specific sections (-s), and you can decide to show a section or dump it to a file for further analysis. Selecting section 2 and showing its content with the following command, you will notice an interesting string.

python rtfdump.py -s 2 -H mal1.doc

EquationEditor (CVE-2017-11882)?

EquationEditor is always a red flag in my personal experience. Indeed, CVE-2017-11882 is often abused by attackers in order to run shellcode. If you keep looking at section 2’s hex view you will probably notice encoding patterns: recurring characters and symbols. This is typical of XOR/ROL/SHIFT encoding routines. Didier Stevens has another interesting tool for this, named xorsearch.

Dumping BinaryContent

Before dealing with xorsearch (available HERE) we need to dump the EquationEditor section into an external file. Once you have done such a dump you should move to Windows (we will need it later on) and run xorsearch.exe against the dumped binary.

“[..] XORSearch is a program to search for a given string in an XOR, ROL, ROT or SHIFT encoded binary file. An XOR encoded binary file is a file where some (or all) bytes have been XORed with a constant value (the key). A ROL (or ROR) encoded file has its bytes rotated by a certain number of bits (the key). A ROT encoded file has its alphabetic characters (A-Z and a-z) rotated by a certain number of positions. A SHIFT encoded file has its bytes shifted left by a certain number of bits (the key): all bits of the first byte shift left, the MSB of the second byte becomes the LSB of the first byte, all bits of the second byte shift left, … XOR and ROL/ROR encoding is used by malware programmers to obfuscate strings like URLs. [..]” (from Didier Stevens’ blog)
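The XOR/ROL search the quote describes, re-implemented as an added example (this is not Didier Stevens’ xorsearch code): it decodes a buffer under every 1-byte XOR key and every ROL count and reports where a known string surfaces. The scanned buffer and the strings hidden in it are constructed here with a placeholder host; it is not the dumped EquationEditor object from the document above.

```python
# Added example: a minimal XOR/ROL string search in the spirit of Didier
# Stevens' xorsearch (not his code). The buffer below is constructed with
# placeholder strings; it is not the dumped EquationEditor object.


def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF


def ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (used only to build the sample)."""
    n %= 8
    return ((b >> n) | (b << (8 - n))) & 0xFF


def decode(data: bytes, encoding: str, key: int) -> bytes:
    """Undo a 1-byte XOR or an n-bit ROL applied to every byte of data."""
    if encoding == "XOR":
        return bytes(b ^ key for b in data)
    if encoding == "ROL":
        return bytes(rol8(b, key) for b in data)
    raise ValueError(f"unsupported encoding: {encoding}")


def xorsearch(data: bytes, needle: bytes) -> list:
    """Return (encoding, key, offset) for every place the needle appears once
    data is decoded with that key. XOR key 0 is the plaintext search."""
    hits = []
    candidates = [("XOR", k) for k in range(256)] + [("ROL", k) for k in range(1, 8)]
    for encoding, key in candidates:
        plain = decode(data, encoding, key)
        off = plain.find(needle)
        while off != -1:
            hits.append((encoding, key, off))
            off = plain.find(needle, off + 1)
    return hits


def decoded_window(data: bytes, hit: tuple, length: int) -> bytes:
    """Decode `length` bytes at a hit so the analyst can read the string
    (URL, API name) without decoding the whole buffer."""
    encoding, key, off = hit
    return decode(data[off:off + length], encoding, key)


# Constructed sample: deterministic filler around an XOR-0x5A encoded URL
# (placeholder host) and a ROL-3 encoded API name, the way shellcode often
# hides the strings it needs.
_FILLER = bytes(range(0, 256, 7)) * 2
_URL = b"http://example.invalid/MLY.exe"
_API = b"ExpandEnvironmentStringsW"
SAMPLE = (
    _FILLER[:40]
    + bytes(b ^ 0x5A for b in _URL)        # recovered with XOR key 0x5A at offset 40
    + _FILLER[:16]
    + bytes(ror8(b, 3) for b in _API)      # recovered with ROL 3 at offset 86
    + _FILLER[:20]
)

if __name__ == "__main__":
    for needle in (b"http://", b"ExpandEnvironmentStrings"):
        for hit in xorsearch(SAMPLE, needle):
            print(needle, hit, decoded_window(SAMPLE, hit, 30))
```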

XORSearch finding XOR-encoded positions in the binary

Once run, xorsearch gives us the offsets where there is a higher probability of finding a change of control flow, in other words where the shellcode might start, so that you can run it without ending up in unaligned instructions. From that point you can use another great and widely known tool, “The Shellcode Debugger”: scDbg (available HERE). Once you run it (the following picture shows the GUI) you need to make the emulator start from the offset found by xorsearch.exe; in my specific case it was 0x2c74c. I suggest checking “Unlimited steps”, so that the emulator follows the shellcode without stopping, and Reporting Mode, so that you get a summary view at the end of the execution.

scDbg on offset 0x2c74c

Once run, here we go! We have our IoC out of the shellcode.

Shellcode Execution

Sometimes the attacker uses a different function call: ExpandEnvironmentStringsW, which is not hooked by scDbg. In that case you may need to open the just-dumped file and patch the binary by replacing the string ExpandEnvironmentStringsW with the string ExpandEnvironmentStringsA. Once you have done that, reload the patched version of your shellcode into scDbg and re-run it; you should obtain better results.

IoC:

  • b98b7be0d7a4004a7e3f22e4061b35a56f825fdc3cba29248cf0500beca2523d (mal1.doc download HERE)
  • eac70cabccac5b0bd493111ec238f287e129923c27d68e5bb126d2442a4bf8da (dumped binary)
  • //yatesassociates[.co[.za/documentato/MLY.exe (download HERE)

Office Encrypted Contents

Sometimes you might come across encrypted Office content. Running oleid you would see Encrypted set to True. Once you have an OLE file with encrypted VBA you cannot access the macros, and you might not be able to reverse/study/understand what they do. In such a case you need to figure out the encryption key and decrypt the content.

OLEID shows Encrypted Content

Fortunately, even if you encrypt your macros, the Office client needs to know how to decrypt them in order to run the macro code.

This protection seems to be relatively stable at first sight, but a more detailed analysis reveals that it is not the password that is entered (or its hash) which is used to encrypt the document, but rather a fixed key stored in the MS Excel program code. This key is generated from the password ‘VelvetSweatshop’. What a nice joke by Microsoft! Try to protect an MS Excel document with this password (or use this password to open a document). The most surprising thing is that no password is required to open a document.

A great tool to check this issue is the msoffcrypto-crack.py (available HERE).

Finding the “Secret” Microsoft Encrypting Password 😉

Once you have found the “encryption key” you can decrypt the file content (using the same msoffcrypto-crack.py), save it in “clear text” and run oledump.py over it. At this point you should see normal object contents. In this specific case one more Equation Editor object is used. Let’s dump it (oledump.py).

Equation Editor no VBA Macros
python3 oledump.py -s B2 -d cracked.xlsx > out_b2.bin

Now let’s check whether common control-flow patterns are found with xorsearch.exe! If there are positives, continue the analysis with scDbg.exe (see the section above: Rich Text Format (.RTF)).

XORSearch embedded binary

IoC:

  • 3f3c2a4cb476c76b8bf84d6d2b0ee1a0a589709ccc69e84ffe6b2afd2dadbb39 (XLS download from HERE)
  • 03u.ru (D&C2)

Office With VBA Macro

Maybe the most classic scenario is when you face a document with VBA macros in it. By running oledump.py you can see the various VBA streams (the M tag marks the streams containing macros) and focus on the “fattest” one. In other words, I definitely suggest starting the investigation where the most content is (the stream with the highest number of bytes, A11 in the following picture), since there is a high probability of finding interesting IoCs for blocking or detection purposes.

oledump shows VB Macros

In that case olevba (available HERE) comes to help. It emulates the VBA engine and runs the macro script like a charm without any big issue. The execution will end up like the following image.

VBA Emulator

The emulator engine keeps going until one of the known functions reaches the end. For example:

IoC:

  • 84a07333851ed300b34b34a026a58636844861e2d5265f2faabddddf05815f21 (direct.07.20.doc download HERE)
  • detayworx[.com/_vsnpNgyXp84Os8Xh.php (Dropper)

Office Excel Macro 4.0

Sometimes it happens that you open a malicious Microsoft Excel file but there are no VBA macros in it. This technique provides attackers with a simple and reliable method to get a foothold on a target network, as it simply abuses a legitimate feature of Excel and does not rely on any vulnerability or exploit. It is just an old feature (an almost 30-year-old Microsoft Excel feature) that has been exploited only in the past few years. One of the best write-ups regarding this type of evasion is given by Lastline (HERE).

Excel with no MACRO !

Once you run olevba you can check whether it finds something interesting. In this run it reports that XLM (Excel 4.0) macros are used in the document. There are many ways to deobfuscate and analyze them, from a simple “find” to more complex tool-sets. In this note I describe how I did it in the past months. Today there is a script that works quite well, XLMDeobfuscator made by DissectMalware (you can find it HERE), but we will cover that tool later in these notes.

In order to un-hide the obfuscated XLM macro, I have successfully used the following technique.

OLEVBA.py finds MACRO 4.0

Open the malicious file with macros disabled, open the macro editor, paste the following reveal script, save it and re-open the file with macros enabled (credit HERE).

  Sub ShowAllSheets()
      ' Unhide every sheet, including those marked xlSheetVeryHidden,
      ' so the sheet carrying the Excel 4.0 macro becomes visible
      Dim sh As Worksheet
      For Each sh In ActiveWorkbook.Sheets
          sh.Visible = True
      Next
  End Sub

If you cannot open the malicious file because the macro gets executed and you have no control over the execution (due to evasion), you can open another workbook, open the VBA editor and “import” the malicious document directly with VBA in the following way:

Public Sub Convert_XML_To_Excel_From_Local_Path()
    Dim xml_File_Path As String
    Dim wb As Workbook

    'Load the malicious workbook into a new Workbook object - code from Officetricks.com
    'The path is a placeholder: point it at the sample you want to import
    Application.DisplayAlerts = False
    xml_File_Path = "c:/FileToOpen.xlm"
    Set wb = Workbooks.OpenXML(Filename:=xml_File_Path)

    'Copy the content of the new workbook into a sheet of the current workbook
    wb.Sheets(1).UsedRange.Copy ThisWorkbook.Sheets("Sheet2").Range("A1")

    'Close the new workbook & re-enable alerts
    wb.Close False
    Application.DisplayAlerts = True
End Sub

Now you should see the hidden sheet or the hidden cells. One more tip: in order to quickly find the cells with content in them, you can search for “=”. The following image shows what I mean.

Now, by checking the top-left box (BG35344 in the following image) you can see where the starting point is. In this file Auto_Open is the first function that is called, and you find its reference there. Then you will see two main formulas being used: FORMULA and GOTO.

Hidden Excel 4.0 Macro Revealed

At this point you might decide to deobfuscate the XLM by executing the Excel 4.0 macro in a controlled way. In other words, you can delete the last GOTO so that control flow is never handed to the deobfuscated macro; instead you stop it (substituting the last GOTO with HALT) and read the deobfuscated code on the sheet.
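The same idea in software, as an added example (not the page’s code and not XLMDeobfuscator, which automates this at scale): a toy XLM emulator replays FORMULA() writes so the decoded cells become visible, can treat the first GOTO as HALT exactly like the trick above, and logs EXEC() instead of running it. The sheet it walks is constructed with a placeholder host; it is not W2_tax.xls.

```python
import re

# Added example: toy Excel 4.0 (XLM) emulator. FORMULA() writes are replayed so
# decoded cells become visible, GOTO can be treated as HALT, EXEC() is only
# logged. Not XLMDeobfuscator's code; the sheet below is constructed.

CELL_RE = re.compile(r"^[A-Z]{1,3}[0-9]+$")
CALL_RE = re.compile(r"^=([A-Za-z.]+)\((.*)\)$", re.S)


def split_top_level(text: str, sep: str) -> list:
    """Split on sep, ignoring separators inside double quotes or parentheses."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted:
            if ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            elif ch == sep and depth == 0:
                parts.append("".join(cur))
                cur = []
                continue
        cur.append(ch)
    parts.append("".join(cur))
    return parts


def eval_expr(expr: str, sheet: dict) -> str:
    """Evaluate a '&' chain of string literals, CHAR(n) calls and cell refs."""
    out = []
    for tok in split_top_level(expr, "&"):
        tok = tok.strip()
        up = tok.upper()
        if len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            out.append(tok[1:-1])
        elif up.startswith("CHAR(") and up.endswith(")"):
            out.append(chr(int(tok[5:-1])))
        elif CELL_RE.match(up):
            out.append(str(sheet.get(up, "")))
        else:
            raise ValueError(f"unsupported XLM token: {tok!r}")
    return "".join(out)


def next_cell(ref: str) -> str:
    """Cell below ref (A3 -> A4): XLM execution falls through row by row."""
    col = ref.rstrip("0123456789")
    return f"{col}{int(ref[len(col):]) + 1}"


def run_xlm(sheet: dict, start: str, halt_at_goto: bool = False, max_steps: int = 1000):
    """Walk formulas from start. Returns (sheet after FORMULA writes, EXEC log,
    list of visited cells). halt_at_goto=True stops at the first GOTO, the
    same effect as replacing that GOTO with HALT in the workbook."""
    sheet = dict(sheet)
    exec_log, trace, cell = [], [], start.upper()
    for _ in range(max_steps):
        formula = str(sheet.get(cell, "")).strip()
        m = CALL_RE.match(formula)
        if not m:
            break  # empty cell or plain value: the macro flow ends here
        func, args = m.group(1).upper(), m.group(2)
        trace.append(cell)
        if func == "HALT" or (func == "GOTO" and halt_at_goto):
            break
        if func == "GOTO":
            cell = args.strip().upper()
            continue
        if func == "FORMULA":
            expr, target = split_top_level(args, ",")
            sheet[target.strip().upper()] = eval_expr(expr, sheet)
        elif func == "EXEC":
            exec_log.append(eval_expr(args, sheet))  # logged, never executed
        else:
            raise ValueError(f"unsupported XLM function: {func}")
        cell = next_cell(cell)
    return sheet, exec_log, trace


# Constructed sample: Auto_Open points at A1. A1 decodes a URL (placeholder
# host) into B1, A2 writes an EXEC formula into C1, A3 hands control to it.
SAMPLE_SHEET = {
    "A1": '=FORMULA(CHAR(104)&CHAR(116)&CHAR(116)&CHAR(112)&"://example.invalid/get.php", B1)',
    "A2": '=FORMULA("=EXEC("&CHAR(34)&"echo "&B1&CHAR(34)&")", C1)',
    "A3": "=GOTO(C1)",
}

if __name__ == "__main__":
    decoded, _, _ = run_xlm(SAMPLE_SHEET, "A1", halt_at_goto=True)
    print("decoded cells:", {k: v for k, v in decoded.items() if k not in SAMPLE_SHEET})
    _, log, trace = run_xlm(SAMPLE_SHEET, "A1")
    print("would execute:", log, "via", trace)
```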

IoC:

  • d864b4da58253cba29a8106b0727e81852a181f3ac59ec7dfb9b9dee5931b7cc (W2_tax.xls download HERE)
  • 5.182.210.133/get.php (Dropper)

.CSV Interpreted by Excel

Sometimes you might find .csv files. They get imported into Microsoft Excel and become “true” OLE files. Indeed, running oledump against a well-crafted CSV you might discover interesting things, such as that the CSV file holds VBA or objects. For example, if you consider SHA-256 d5db2034631e56d58dffd797d25d286469f56690a1b00d4e6a0a80c31dbf119e you might find the following in there (even though, if you open it with a common editor, it looks like normal text separated by commas). Running oledump shows a bunch of interesting sections.

OleDump Result

Now you can decide whether you prefer to dump the code and analyze it manually or to run a code emulator. By running olevba against that CSV you would figure out many interesting indicators (check the following image). For example, the tool points out that AutoExec is called once you open the document with Microsoft Excel. Many suspicious calls are performed, for example: exec, run, and some hex/base64 string obfuscation techniques. On this run it was even able to decode such strings and recognize IoCs such as URLs and file names.
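What such a static pass looks like, for this CSV case and for the VBA macro section above, as an added example (not olevba’s own code): it flags AutoExec entry points and suspicious calls, folds Chr() concatenations, decodes hex and base64 literals, and lists the URLs and file names that surface. The macro module it scans is constructed with a placeholder host and a command that only echoes.

```python
import base64
import re

# Added example: an olevba-style heuristic scan of VBA source (not olevba's
# code). The module below is constructed; its host is a placeholder.

AUTOEXEC = ("AutoOpen", "Auto_Open", "AutoExec", "Document_Open", "Workbook_Open")
SUSPICIOUS = ("Shell", "CreateObject", "WScript.Shell", "Run", "Exec", "Environ",
              "Chr", "StrReverse")
CHR_RE = re.compile(r"Chr\((\d+)\)", re.I)
LIT_RE = re.compile(r'"([^"]*)"')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2}){6,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
URL_RE = re.compile(r"https?://[\w.\-/]+", re.I)
FILE_RE = re.compile(r"\b[\w\-]+\.(?:exe|dll|vbs|ps1|bat|php)\b", re.I)


def decode_chr_concat(expr: str):
    """Fold Chr(104) & "ttp" & ... into one string; None if other terms appear."""
    parts = []
    for tok in expr.split("&"):
        tok = tok.strip()
        m = CHR_RE.fullmatch(tok)
        if m:
            parts.append(chr(int(m.group(1))))
        elif len(tok) >= 2 and tok[0] == '"' and tok[-1] == '"':
            parts.append(tok[1:-1])
        else:
            return None
    return "".join(parts)


def decode_literal(lit: str):
    """Try hex, then base64; keep the result only if it is printable ASCII."""
    try:
        if HEX_RE.fullmatch(lit):
            raw = bytes.fromhex(lit)
        elif B64_RE.fullmatch(lit) and len(lit) % 4 == 0:
            raw = base64.b64decode(lit, validate=True)
        else:
            return None
        text = raw.decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def scan_vba(source: str) -> dict:
    """Return {'autoexec', 'suspicious', 'decoded', 'iocs'} for a VBA module."""
    report = {"autoexec": [], "suspicious": [], "decoded": [], "iocs": []}
    for line in source.splitlines():
        if line.strip().startswith("'"):
            continue  # VBA comment
        for name in AUTOEXEC:
            if re.search(rf"\bSub\s+{name}\b", line):
                report["autoexec"].append(name)
        for name in SUSPICIOUS:
            if re.search(rf"\b{re.escape(name)}\b", line) and name not in report["suspicious"]:
                report["suspicious"].append(name)
        if "&" in line and CHR_RE.search(line):
            folded = decode_chr_concat(line.split("=", 1)[-1])
            if folded:
                report["decoded"].append(folded)
        for lit in LIT_RE.findall(line):
            text = decode_literal(lit)
            if text:
                report["decoded"].append(text)
    corpus = source + "\n" + "\n".join(report["decoded"])
    report["iocs"] = sorted(set(URL_RE.findall(corpus)) | set(FILE_RE.findall(corpus)))
    return report


# Constructed sample module: placeholder host, hex-encoded "echo hello" as the
# command, base64-encoded fallback URL. It does nothing harmful if run.
SAMPLE_VBA = '''\
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    ' constructed sample: obfuscated URL, hex-encoded command, base64 fallback URL
    Dim u As String, p As String, b As String
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://" & "example.invalid/bels.exe"
    p = "6563686f2068656c6c6f"
    b = "aHR0cDovL2V4YW1wbGUuaW52YWxpZC9nZXQucGhw"
    Set o = CreateObject("WScript.Shell")
    o.Run p & " " & u, 0
End Sub
'''

if __name__ == "__main__":
    for key, value in scan_vba(SAMPLE_VBA).items():
        print(f"{key}: {value}")
```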

oleVBA Analysis

If the code emulator won’t work you might decide to dump the entire code by using oledump. Once you have dumped the code you can analyze it through a debugger, or just read it if it’s not obfuscated.

Extracted Component

IoC

  • d5db2034631e56d58dffd797d25d286469f56690a1b00d4e6a0a80c31dbf119e (invoice.csv)
  • omamontaggi.[it/bels.exe (Dropping WB)

XLMDeobfuscator

XLMDeobfuscator (grab it HERE) is definitely a great tool developed by @DissectMalware. It can be used to decode obfuscated XLM macros (also known as Excel 4.0 macros). It utilizes an internal XLM emulator to interpret the macros, without fully executing the code. It supports the xls, xlsm, and xlsb formats.

XLMDeobfuscator

Before such a great tool existed, the mythical oledump plugin plugin_biff was able to look into every Microsoft Excel cell and find functions and formulas. By using the -x plugin option you can show the hidden XLM macro, while with the -f plugin option the plugin tries to figure out external links by interpreting encodings (such as hex and base64) and printing out strings.

oledump.py -p plugin_biff --pluginoptions "-x"

IoC

  • 1e194edbb1f28b9ecc4dc6a9a1e289d1c404470724f5fb14dd01312ed75bc298 (File_457366.xls)
  • p://45[.11[.183[.78/6f04e0be46qb4Zc[.php (Dropper)

What Security Means to Professionals

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping your workday go a little more smoothly.1

How many windows are open on your computer right now? Check out your browser. How many tabs do you have? If it’s a typical workday, you’ve probably run out of fingers counting them up.

Professionals put their computers through the paces. Consider the number of back-to-back meetings, video conferences, and presentations you lead and attend in a day, not to mention the time that you pour into work itself. Your computer has to keep up. It’s certainly no surprise that this is exactly the notion that came up in our research, time and time again.

What’s on the minds of professionals when it comes to their security?

In speaking with professionals about security, their answers largely revolved around getting work done.

  • I need trusted apps and sites to work, always.
  • I need to maximize battery life while in transit or on a plane.
  • I need live presentations and demos to be seamless.
  • I need to multitask with multiple apps or multiple browser tabs open without locking up.
  • I need my computer to respond reliably and quickly without locking up.

While on the surface this may mean performance is top of mind, a closer look reveals that performance is often a function of security. A quick and easy example of this is the classic virus infection, where getting a virus on your computer can bring work to a screeching halt.

More broadly though, we see security as far more than just antivirus. We see it as protecting the person and helping them stay productive—giving them the tools to take care of the things that matter most to them. Thus, plenty of what we offer in a security suite focuses squarely on those concerns:

Battery optimization keeps you working longer without fretting over finding an outlet in the airport or simply working without wires for longer.

Password managers let you log into the apps and sites you count on without a second thought, also knowing that they’re securely stored and managed for protection.

Vulnerability scanners make sure that your apps always have the latest updates, which ensures you have all the upgraded features and security protocols that come along with those updates.

Inbox spam filters take yet another headache off your plate by removing junk mail before it can clutter up your inbox.

Secure VPN keeps data safe from prying eyes on public Wi-Fi in places like airports, hotels, and coffee shops, which gives you more independence to work in more places knowing that your information is secure.

Those are a few examples of specific features. Yet it is also important that any security solution you use should keep your computer running quickly as well as smoothly. It should be lightweight and not hog resources, so that your computer runs and responds quickly. (That’s a major focus of ours, where independent labs show that our performance is five times better than the average competitor.)

Where can professionals get started?

Drop by our page that’s put together just for professionals. We’ve gathered up several resources that’ll help you stay productive and safer too. Check it out, and we hope that it’ll keep you going whether you’re working on the road, in the office, or at home.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

  • Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.

The post What Security Means to Professionals appeared first on McAfee Blogs.

All you need to know about API Security

An Application Programming Interface (API) is a way that allows applications to communicate with one another. It provides a way for developers to build software applications while enabling the extraction and sharing of data in an accessible manner. APIs can be used to facilitate cyberattacks as APIs are widely used…

What Security Means to Elders

Recently, we conducted a survey of 600 families and professionals in the U.S. to better understand what matters to them—in terms of security and the lives they want to lead online. The following article reflects what they shared with us, and allows us to share it with you in turn, with the aim of helping you and your family stay safer and more secure.1

Findings from Pew Research Center show that internet usage by elders has risen from an average of 14% in 2000 to an average of 67% in 2017. As these numbers continue to rise, we wanted to find out what was important to them—particularly as more and more of their lives go online.

While many of us take shopping, surfing, and banking online for granted, they mark a dramatic shift for elders. They’ve gone from the days when banking meant banker’s hours and paper passbook to around-the-clock banking and a mobile app. And even if they use the internet sparingly, banking, finances, and commerce have gone digital. Their information is out there, and it needs to be protected.

The good news is, elders are motivated.

What’s on the minds of elders when it comes to their security?

Most broadly, this sentiment captures it well: technology may be new to me, but I still want to be informed and involved. For example, elders told us that they absolutely want to know if something is broken—and if so, how to fix it as easily as possible. In all, they’re motivated to get smart on the topic of security, get educated on how to tackle risks, and gain confidence that they are going about their time on the internet safely. Their areas of interest were:

Identity protection: This covers a few things—one, monitoring your identity to spot any initial suspicious activity on your personal and financial accounts before it becomes an even larger problem; and two, support and tools for recovery in the event your identity is stolen by a crook. (For more on identity theft, check out this blog.)

Social Security monitoring: Government benefits are very much on the mind of elders, particularly as numerous agencies increasingly direct people to use online services to manage and claim those benefits. Of course, hackers and crooks have noticed. In the U.S., for example, Social Security identified nearly 63,000 likely fraudulent online benefit applications in fiscal 2018, according to the agency’s Office of the Inspector General, up from just 89 in fiscal 2015.

Scam prevention: An article from Protect Seniors Online cites some useful insights from the National Cyber Security Alliance and the Better Business Bureau. According to them, there are five top scams in the U.S. that tend to prey on older adults.

  • Tech support scams are run by people, sometimes over the phone, who pretend to be from a reputable company; they will then ask for access to your computer over the internet, install malware, and then claim there’s a problem. After that, they’ll claim to “help” you by removing that malware—for an exorbitant fee.
  • Ransomware scams, where a crook will block access to your computer until you pay a sum of money. This is like the tech support scam, yet without the pretense of support—it’s straight-up ransom.
  • Tax scams that attempt to steal funds by instructing people to make payments to a scammer’s account. In the U.S., note that the IRS will not call to demand payment or appeal an amount you owe.
  • False debt collectors are out there too, acting in many ways like tax scammers. These will often come by way of email, where the hacker will hope that you’ll click the phony link or open a malicious attachment.
  • Sweepstakes and charity scams that play on your emotions, where you’re asked to pay to receive a prize or make a donation with your credit card (thereby giving crooks the keys to your account).

Where can professionals get started?

With that, we’ve put together several resources related to these topics. Drop by our site and check them out. We hope you’ll find some basic information and knowledge of behaviors that can keep you safe.

Stay Updated 

To stay updated on all things McAfee and for more resources on staying secure from home, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

Survey conducted in October 2019, consisting of 600 computer-owning adults in the U.S.

The post What Security Means to Elders appeared first on McAfee Blogs.

eCommerce Payment System – How to Choose the Best One for Your eCommerce Startup?

There are 3.4 million digital payment system users worldwide. This figure is almost equal to the number of social media users globally and to half of the world’s population to date. It is a strong enough reason to believe that online payments dominate the ways we pay for goods and transfer money. What is more, online payments are a feature your e-commerce website can’t do without. So, here are all the answers to your “how” and “why” questions.

What Is an E-Payment System and Its Types?

An electronic payment system is special software that works as an intermediary between the payer and the recipient of funds. In most cases, online payment systems act as disinterested parties: they are only responsible for the money transfer, not for the honesty of the relationship between the seller and the buyer.

Using online payments, none of the parties needs physical media like cash or checks. All the necessary documents and reports are generated automatically and online, to be printed by any of the parties at any time.

Here are the main types of electronic payments.

  • Automated clearing house (ACH)
  • Wire transfers.
  • Item processing (IP)
  • Remote deposit capture (RDC)
  • FedLine Access Solutions.
  • Automated Teller Machines.
  • Card Services (ATM, credit, debit, prepaid)
  • Mobile payments.

What Are the Benefits of Using E-Payment Systems

  • Electronic commerce was invented to make shopping more comfortable and convenient. E-commerce payment system contributes to this goal even more.
  • Cash flows are difficult to track. This is the opinion of governments, financial institutions, business owners and a lot of ordinary people too. With electronic payments, however, it is always easy to find out how you spent a certain sum just by checking your financial or accounting app.
  • Electronic payments are almost instant, just like traditional hand-to-hand cash transfers. However, there is now a strong reason not to use the latter.
  • While other businesses suffered from the pandemic or were even completely banned, financial technology felt better than ever. Yes, precisely because it has become the safest way to use money without physical health risks. According to recent research by BIS, “Research in microbiology examines whether pathogenic agents, including viruses, bacteria, fungi, and parasites can survive on banknotes and coins. Some viruses, including human flu, can persist for hours or days on banknotes. The Covid-19 virus can also survive on surfaces.” Electronic payments, by contrast, protect you, your staff, and your customers from infection risks.

What Is the Role of an Online Payment System in E-Commerce?

Online payment is the main way to pay for goods purchased from branded websites. What is more, the concept of e-commerce itself makes almost no sense if there is no possibility to pay for the goods online, since electronic commerce involves 100% electronic interaction between a company and a customer.

Yes, there is still the cash-on-delivery option, which, by the way, may have some benefits, but most online transactions are launched and completed online with the help of an electronic payment system.

What Are the Payment Options You May Choose for Your Ecommerce Store?

Here are the payment options that may potentially suit your eCommerce project. Leading e-commerce brands use all of them at once, and it greatly contributes to the development of good relations and trust.

However, not all the alternatives may be needed for your startup, since each e-commerce idea is specific. Find out what your potential customers expect before utilizing any of them.

  • Credit/debit cards: In practice, this approach is realized as a system that allows entering a user’s card data, receiving a confirmation code from a banking app, and completing the deal on the website.
  • Bank transfers: This approach is used in B2B e-commerce, since corporate clients often prefer to make bank transfers and be sure of clear reporting.
  • E-wallets: E-wallets are also a convenient option that allows users to pay without revealing their banking details.
  • Mobile payments: Mobile payments are rising in popularity. Apple Pay and Google Pay are the most used systems.
  • PayPal and other gateways: PayPal is the most popular payment system worldwide; however, there are other, less popular but no less useful solutions your customers may also prefer.
  • Cryptocurrencies: Since a lot of countries are making efforts to legalize cryptocurrencies, they are one more way to pay for goods or services purchased online.
  • Cash on delivery: Cash on delivery is still required by some customers, especially if there is no trust yet between a newly created company (or one addressed for the first time) and the client.

What to Look for While Choosing the E-Payment System?

As you can see, the e-payment market has a lot of offers for your e-commerce store. Here are the main factors you should take into account when making the final choice.

  • Preferences of your customers. There are a lot of alternatives to choose from; however, the best electronic payment system for you is the one that suits your customers most. If you know that your customers are corporate clients, it is better to give them the opportunity to make bank transfers. If they are young shoppers, they most probably prefer e-wallets, PayPal, and mobile payments.
  • Security. This is one of the most important factors, since the security of payments on your website is one of the things that contribute to your reputation. That is why it is better to choose a payment system that has strong protection and a support service, as well as embedded e-commerce fraud detection features.
  • UX impact. The best electronic payment system is one more way to provide users with a great experience when completing a transaction with you. That is why the payment system should be fast-processing, reliable, and convenient.
  • Performance metrics. Find out whether it would be profitable for you to use this or that system from the point of view of commissions, fees, and reporting.

Surely, there should be more than one payment option for an e-commerce website. That is why you should compare and analyze the most popular alternatives and integrate your store with the most reliable ones and the ones most in demand among your users.

What Is the Best Online Payment System?

Here is an infographic that shows the most popular online payment systems in the USA. Since the greatest number of online shoppers is USA-based, it may seem that these are the most popular systems in the world too. However, keep in mind one important note: if you are going to create a multilingual e-commerce store and reach a target audience from different countries, some e-payment systems may not be supported there or may be poorly known among customers from a specific country.

Top 5 payment

How Do I Add a Payment System to My Website?

There are several ways to add a payment system to your website.

  • If you are just going to create an eCommerce store and want to do it with the help of WordPress, you may choose the themes with payment system integration in advance.
  • If you have a ready-made website designed by you, you may contact the support service of the payment gateway provider, and set up the system following their instructions.
  • If your e-commerce project was created by a development company, ask them to make some changes and add more payment systems to your platform.

Conclusion

As you can see, the meaning of e-commerce as such is lost if there is no possibility to pay for goods or services online. That is why payment system integration is an important stage of eCommerce store development. The choice of the most suitable solutions should be based on careful analysis of the market and your target audience. What is more, the most popular payment systems are not always the most suitable ones – sometimes there is a need to build a system from scratch to satisfy the business needs. Make sure to get in touch with a reliable vendor and ask for help.

The post eCommerce Payment System – How to Choose the Best One for Your eCommerce Startup? appeared first on Hacker Combat.

Special Delivery: Criminals Posing as Amazon Are Out to Steal User’s Data

One of the joys of online shopping is instant gratification – your purchases arrive on your doorstep in just a few days! Unfortunately, consumers aren’t the only ones taking advantage of this convenience – hackers are also using it to trick users into handing over money or data. Recently, AARP recounted several scams where cybercriminals posed as Amazon’s customer service or security team as a ploy to steal your personal information.  

How These Scams Work

These scams all begin with an unsuspecting user seeking help from Amazon’s customer support or their security team, only to find the contact information of a fraudster posing as the company. For example, in one of these scams, a user called a fraudulent customer support number to help his wife get back into her account. However, the scammer behind the phone number tried to sell the victim a fake $999 computer program to prevent hacking on his own device. Thankfully, according to AARP, the man refused to send the money.

Another victim reported receiving an email from the “Amazon Security Team,” stating that a fraudulent charge was made on her account and that it was locked as a result. The email asked for her address and credit or debit card information to unlock her account and get a refund on the fake charge. But upon closer review, the woman noticed that the email address ended in .ng, indicating that it was coming from Nigeria. Luckily, the woman refused to send her information and reported the incident instead.

Not all victims are as lucky. One woman received an email that looked like it was from Amazon and gave the scammers her social security number, credit card number, and access to her devices. Another victim lost $13,300 to scammers who contacted her through a messaging platform stating that someone hacked her Amazon account and that she needed to buy gift cards to restore it.  

Steer Clear of These Tricks

Many of these fraudsters are taking advantage of Amazon’s credibility to trick unsuspecting users out of money and personal data. However, there are ways that users can avoid falling prey to these scams – and that all starts with staying educated on the latest schemes so consumers know what to look out for. By staying knowledgeable on the latest threats, consumers can feel more confident browsing the internet and making online purchases. Protect your digital life by following these security tips:

Go directly to the source

Be skeptical of emails or text messages claiming to be from organizations with peculiar asks or information that seems too good to be true. Instead of clicking on a link within the email or text, it’s best to go straight to the organization’s website or contact customer service. 

Be wary of emails asking you to act

If you receive an email or text asking you to take a specific action or provide personal details, don’t click on anything within the message. Instead, go straight to the organization’s website. This will prevent you from accidentally downloading malicious content. Additionally, note that Amazon does not ask for personal information like bank account numbers or Social Security numbers in unsolicited emails.

Only use one credit card for online purchases

By only using one payment method for online purchases, you can keep a better eye out for fraud instead of monitoring multiple accounts for suspicious activity. 

Look out for common signs of scams

Be on the lookout for fake websites and phone numbers with Amazon’s logo. Look for misspelled words and grammatical errors in emails or other correspondence. If someone sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t click on it, as it’s probably a phishing link that could download malicious content onto your device. It’s best to avoid interacting with the link and delete the message altogether. 

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Special Delivery: Criminals Posing as Amazon Are Out to Steal User’s Data appeared first on McAfee Blogs.

Cybersecurity Best Practices for SMB IT

It’s time to recalibrate your thinking if you believe your enterprise is safe from hackers because your business is considered small. Yes, system incursions upon the likes of Microsoft, Estee Lauder and T-Mobile get the lion’s share of media attention; however, cybercriminals hungrily eye higher-volume smaller targets as well. Making them all the more appetizing is the complacency many small business owners have when it comes to network security.

With that in mind, let’s take a look at some cybersecurity best practices for SMB IT.

  1. Take It Seriously

Sure, this might sound like something that doesn’t need to be said, but a surprising number of data breaches occur because people neglect to treat security as a priority. Employees get lazy about scrutinizing emails and text messages carefully before opening links and attachments. Passwords go unchanged for years because they’re easy to remember. Access codes are shared among “trusted” employees. First and foremost, cybersecurity should be afforded the respect it deserves because ignoring it can shut a company down altogether.

  2. Carry Cyber Insurance

It’s important to operate from the mindset of what will happen when your system is attacked, as opposed to if. This makes carrying a cyber insurance policy with a reputable carrier a good idea. In addition to providing vital financial assistance in the wake of a data breach, cyber insurers scrutinize your security arrangements before agreeing to issue a policy. In other words, they look for ways to infiltrate your network and show you how to plug those gaps before they cover you.

  3. Employ Multi-Factor Authentication (MFA)

This one goes somewhat hand in hand with number one above. Prioritizing convenience over security can leave your system open to infiltrators. While requiring multi-factor authentication before permitting access to your network does mean users must take additional steps, it also introduces another hurdle of protection over which interlopers must leap. Compromised, reused and weak passwords are responsible for 81 percent of hacking-related breaches. MFA is one of the easiest and most effective measures you can take to ramp up enterprise cybersecurity.

  4. Implement and Enforce a Bring Your Own Device Policy

The Internet of Things has given rise to a plethora of endpoint devices, many of which represent a potential point of entry to your network. This must be addressed head-on. Forbid — and take steps to prevent — the storage of sensitive data on personal devices. Permit access to sensitive information only through an encrypted VPN. Employee owned devices should be granted guest access only over the internet. And, devise and implement an emergency response plan of the steps to take when an employee loses a device. The more endpoints are accessing your network, the more important it is to take cloud and on-premises network security seriously.

  5. ABU — Always Be Updating

Next to weak passwords, old software is another leading cause of data breaches. We know you’ve heard it hundreds of times before, but that should render it all the more important in your mind. Install software updates the moment they become available. This is especially critical for security, web server, and operating system software. Each new version of these contains updated anti-virus and anti-malware coding, typically in response to the latest breach. In other words, hackers find ways in and programmers lock those doors as soon as they become aware of them. Ignoring updates leaves your system vulnerable to people who are aware of those portals.

Always be updating.

These are five of the simplest ways to protect your network. Even better, they can be implemented at minimal cost. Being small is no guarantee criminals will overlook your business. Implementing these cyber security best practices for SMB IT helps prevent your company from being viewed as low hanging fruit, encouraging hackers to look for an easier target.

The post Cybersecurity Best Practices for SMB IT appeared first on Hacker Combat.

Speed or Security? We Say Speed AND Security

“Security software slows down my PC.”

We often hear this sentiment when users talk about malware protection. While people recognize the value of computer security, most get frustrated if the software bogs down their device. I mean, I myself become frustrated when I’m trying to crunch numbers and I’m suddenly greeted with an hourglass!

While this may happen with some online safety products, McAfee’s security suites are as light as they get. We understand that while consumers need malware protection, it shouldn’t come at the price of device performance. So, we put our products to the test – AV-TEST and AV-Comparatives to be exact – to show users that they can stay secure without interrupting their digital lives with slow software.*

*AV-Test Results

*AV-Comparatives Results

Testing the Relationship Between Security and Speed

Modern tech users are multitaskers at heart. We need our devices to run all of our favorite programs efficiently, from email to photo editing apps to music streaming services. Security software is another program we need to run – one we’re worried will slow down the rest. So how can we be sure that our PC performance won’t be poorly impacted? Answer: measure it.

To measure how much impact malware protection has on PC performance, some independent test labs include performance impact benchmarks in their security product tests. The most well-known of these test labs are AV-TEST, which is based in Germany, and the Austria-based AV-Comparatives. These independent labs are among the most reputable and well-known anti-malware test labs in the world.

These organizations work by testing and evaluating a number of security products and the impact they have on PC performance. The AV-TEST lab evaluates the latest versions of various security products and measures the average impact of the product on computer speed. On the other hand, AV-Comparatives uses low-end computers and mimics users’ daily usage as much as possible, focusing on activities like copying files, installing and uninstalling applications, launching applications, downloading files, and browsing websites. Based on these tests’ results, products are graded in award levels ranging from ADVANCED+ (the highest ranking) to STANDARD (the lowest ranking).

So, how does McAfee stand up to the competition? Since May 2018, McAfee has consistently received the highest score in all performance tests. As a result, McAfee® Total Protection was awarded the ‘2019 Performance Award’ by AV-TEST in March 2020. Additionally, McAfee has achieved the ADVANCED+ ranking continuously since October 2016. In other words, McAfee Total Protection is one of the fastest and lightest products on the market. With results like these, I have to toot our own horn!

How Do These Results Impact Our Day-To-Day Lives?

During the WFH era, users are more reliant on devices than ever before. They need to work quickly and safely, without worrying about online threats, especially since today’s malware comes in many forms, adapting to new technological advancements and the behaviors of the tech-savvy consumers who use them. In fact, hackers often pair their threats with whatever is present in consumers’ lives – so lately we’ve seen malware attacks emerge via COVID-related phishing emails or known device or app vulnerabilities.

What Else Helps with McAfee’s Performance Results?

McAfee Total Protection comes with PC Boost features, which benefit both productivity and entertainment by automatically giving more horsepower to apps you are actively working in and by pausing annoying auto-play videos in your browser. While these additions don’t specifically factor into the aforementioned test results, these automated tools help your computer run faster and more efficiently.

By leveraging a comprehensive solution like McAfee Total Protection, users can ultimately be more efficient with their time online, whether that’s crunching numbers, playing games, or running multiple apps at once. And let’s face it – when our devices make us feel empowered, our digital lives are better.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Speed or Security? We Say Speed AND Security appeared first on McAfee Blogs.

What to Do When Your Social Media Account Gets Hacked

You log in to your favorite social media site and notice a string of posts or messages definitely not posted by you. Or, you get a message that your account password has been changed, without your knowledge. It hits you that your account may have been hacked. What do you do? 

This is a timely question considering that social media breaches have been on the rise. A recent survey revealed that 22% of internet users said that their online accounts have been hacked at least once, while 14% reported they were hacked more than once. 

So, how should you respond if you find yourself in a social media predicament such as this? Your first move—and a crucial one—is to change your password right away and notify your connections that your account may have been compromised. This way, your friends know not to click on any suspicious posts or messages that appear to be coming from you because they might contain malware or phishing attempts. But that’s not all. There may be other hidden threats to having your social media account hacked. 

The risks associated with a hacker poking around your social media have a lot to do with how much personal information you share. Does your account include personal information that could be used to steal your identity, or guess your security questions on other accounts? 

These could include your date of birth, address, hometown, or names of family members and pets. Just remember, even if you keep your profile locked down with strong privacy settings, once the hacker logs in as you, everything you have posted is up for grabs. 

You should also consider whether the password for the compromised account is being used on any of your other accounts, because if so, you should change those as well. A clever hacker could easily try your email address and known password on a variety of sites to see if they can log in as you, including on banking sites. 

Next, you have to address the fact that your account could have been used to spread scams or malware. Hackers often infect accounts so they can profit off clicks using adware, or steal even more valuable information from you and your contacts. 

You may have already seen the “discount sunglasses” scam that plagued Facebook a couple of years ago and recently took over Instagram. This piece of malware posts phony ads to the infected user’s account and then tags their friends in the post. Because the posts appear in a trusted friend’s feed, users are often tricked into clicking on them, which in turn compromises their own account. 

So, in addition to warning your contacts not to click on suspicious messages that may have been sent using your account, you should flag the messages as scams to the social media site, and delete them from your profile page. 

Finally, you’ll want to check to see if there are any new apps or games installed to your account that you didn’t download. If so, delete them since they may be another attempt to compromise your account. 

Now that you know what to do after a social media account is hacked, here’s how to prevent it from happening in the first place. 

How to Keep Your Social Accounts Secure 

  • Don’t click on suspicious messages or links, even if they appear to be posted by someone you know. 
  • Flag any scam posts or messages you encounter on social media to the respective platform, so they can help stop the threat from spreading. 
  • Use unique, complex passwords for all your accounts. Use a password generator to help you create strong passwords and a password manager can help store them.  
  • If the site offers multi-factor authentication, use it, and choose the highest privacy setting available. 
  • Avoid posting any identity information or personal details that might allow a hacker to guess your security questions. 
  • Don’t log in to your social accounts while using public Wi-Fi, since these networks are often unsecured and your information could be stolen. 
  • Always use comprehensive security software that can keep you protected from the latest threats. 
  • Keep up-to-date on the latest scams and malware threats.

Looking for more mobile security tips and trends? Be sure to follow @McAfee_Home on Twitter, and like us on Facebook. 

The post What to Do When Your Social Media Account Gets Hacked appeared first on McAfee Blogs.

Staying Home? McAfee Report Shows Malware May Come Knocking

It’s no secret that COVID-19 continues to reshape the way we live our everyday lives. With each passing day, we become more reliant on our devices to stay connected with friends and family, move our professional work forward, participate in distance learning, or keep ourselves entertained.

Unfortunately, hackers are all too aware of these habits. In fact, findings from “McAfee’s COVID-19 Threat Report: July 2020” have shown how criminals pair threats to whatever is present in consumers’ lives – specifically targeting pandemic-related industries, device habits, behaviors, and more with new malware strains.

A Day in the Life of Today’s Consumer

The day in the life of today’s consumer involves a lot of internet time.

Back in March, users first transitioned from in-office to work from home to promote social distancing. As a result, they conduct their 9-to-5 from their personal living space. But with such a rushed transition, some of these workers aren’t trained on how the change impacts their online security and could be potentially working on unsecured Wi-Fi.

Working professionals aren’t the only ones who have had to adapt to a new remote environment. Students have also made the transition to distance learning, moving from in-person course work to virtual classrooms. But as more students continue their curriculum from home and online activity increases, they become more reliant on digital platforms, such as video conferencing, that have now caught the eye of hackers.

When these professionals or students are done for the day, they then turn to some safe ways to unwind. To keep entertained, users have turned to online gaming, shopping, podcasts, social media, and TV streaming for fun – with the latter experiencing a 12% increase in viewing time in the third week of March alone.

More Online Activity, More Opportunities for Cyberattacks

As it turns out, this increase in online activity has given hackers plenty of new avenues to exploit, almost all of which are pandemic-related. First and foremost, hackers have targeted attacks at those that feel the impacts of COVID-19 most directly, AKA the public sector. As McAfee research discovered, incidents have increased during Q1 2020 within the public sector by 73%, individuals by 59%, education by 33%, and manufacturing by 44%.

Additionally, McAfee Labs saw an average of 375 new threats per minute and a surge of cybercriminal exploits through COVID-19 themed malicious apps, phishing campaigns, malware, and more during the first quarter of this year. Specifically, McAfee researchers discovered campaigns using pandemic-related subject lines – including testing, treatments, cures, and remote work topics. Criminals are using this sneaky tactic to lure targets into clicking on a malicious link, downloading a file, or viewing a PDF, resulting in the user’s device becoming infected with malware.

The Rise of Malware

Speaking of malware – according to the latest McAfee COVID-19 Threat Report, total malware increased by 27% over the past four quarters and new Mac OS malware samples increased by 51%. New mobile malware also increased by a whopping 71%, with total mobile malware increasing almost 12% over the past four quarters. As for IoT devices, new malware samples increased by nearly 58%, with total IoT malware growing 82% over the past few quarters.

Mask Your Digital Life

During this time of uncertainty, it can be difficult to decipher what is fact from fiction, to successfully identify a malicious scheme and stop it in its tracks. However, consumers can help protect their digital lives by following security best practices, now and in the future. Here’s what you can do to safeguard your security and remain worry-free:

Stay updated on the latest threats

To track malicious pandemic-related campaigns, McAfee Advanced Programs Group (APG) has published a COVID-19 Threat Dashboard, which includes top threats leveraging the pandemic, most targeted verticals and countries, and most utilized threat types and volume over time. The dashboard is updated daily at 4pm ET.

Beware of messages from unknown users

If you receive a text, email, social media message, or phone call from an unknown user regarding the pandemic, it’s best to proceed with caution and avoid interacting with the message altogether.

Use a VPN

Avoid hackers infiltrating your network by using a VPN, which allows you to send and receive data while encrypting – or scrambling – your information so others can’t read it. By helping to protect your network, VPNs also prevent hackers from accessing other devices (work or personal) connected to your Wi-Fi.

Use a comprehensive security solution

Use a robust security software like McAfee® Total Protection, which helps to defend your entire family from the latest threats and malware while providing safe web browsing.

Stay updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Staying Home? McAfee Report Shows Malware May Come Knocking appeared first on McAfee Blogs.

Introducing PhishingKitTracker

If you are a security researcher, or simply curious about how attackers implement phishing, you will find yourself looking for phishing kits. A phishing kit is not a phishing builder but a real implementation (actually a re-implementation) of a third-party website, built to lure the victim. Initially attackers use a phishing builder to “clone” the original website, but afterwards they introduce, into the freshly regenerated website, interesting add-ons such as: evasion techniques (to evade phishing detectors), targeted elements (to tailor the page to specific victims), fast redirectors (to continue the attack chain into the original website, or to a relay that tries to infect you) and sometimes exploit kits that try to exploit your browser before letting you go.

Credit: Alen Pavlovic (here)

Motivation

There are places where you can buy phishing kits (for example BleepingComputer wrote a great article on that here), but if you want to get them for free in order to study attack schemas and kit composition, you won’t find free collections. So I decided to share my PhishingKit Tracker, updated automatically by my backend engine every day, for study and research purposes.

You can find it HERE (PhishingKitTracker github repo)

Disclaimer

This repository holds a collection of phishing kits used by criminals to steal user information. Almost every file in the raw folder is malicious, so I strongly recommend that you neither open these files nor misuse the code to prank your friends. Playing with these kits may lead to irreversible consequences affecting anything from personal data to passwords and banking information.

I am not responsible for any damage caused by the malware inside my repository and your negligence in general.

NB: Large File System Ahead

PhishingKitTracker is stored in Git Large File System (git-lfs) due to the large amount of data tracked. You should install git-lfs before cloning this repository.

RAW Data

The raw folder tracks the phishing kits in their original format; no manipulation is applied to that data. A backend script goes over harvested malicious websites (harvested from common sources) and checks whether phishing kits are present. If a phishing kit is found, the resulting file is downloaded and immediately added to that folder. This folder is tracked with Git Large File System since many files are bigger than 100MB. The raw data is quite unexplored territory; you would very likely find many interesting topics in it. Please remember to cite this work if you find something here; it would be very much appreciated.

STATS

The stats folder maintains two up-to-date files:

  1. files_name holds the frequency of the file names found to be associated with kits. In other words, every phishing kit is saved on the phishing host under a name, and files_name keeps track of every such file name and its frequency. If you are wondering why I am not tracking hashes: phishing kits are big compressed archives, so hashing would make no sense at this stage since the archives always differ from each other (but check the src folder for additional information).
  2. sites holds the frequency of the hosting domain names, in other words where the phishing kit was found. No duplicates are tracked, meaning that the frequency counts distinct file names. So, for example, if you see something like 3 li.humanbiomics-project.org it means that three different phishing kits have been found on li.humanbiomics-project.org over time.

Both of these files are generated by simple bash scripts like:

  • ls raw/ | cut -d'_' -f1 | sort | uniq -c | sort -bgr > stats/sites.txt
  • ls raw/ | cut -d'_' -f2 | sort | uniq -c | sort -bgr > stats/files_name.txt

(uniq -c only merges adjacent identical lines, so the cut output is sorted first; otherwise a file name that appears under several sites would be counted more than once.) These scripts are run on every commit, keeping the stats files in line with the raw folder.

On the other hand, a file called similarity.csv is provided with a considerable delay, because generating it takes a very long time. That file provides the similarity between the tracked phishing kits. It is a simple CSV file, so you can import it into your favorite spreadsheet and make graphs and statistics, or manipulate it in whatever way you prefer.

SIMILARITY.CSV structure

The similarity structure is the following: FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax where:

  • FileA is the phishing kit considered in that analysis.
  • FileB is the phishing kit compared to FileA.
  • SimilarityAVG is the average similarity. That average is calculated by computing the similarity between every (interesting) file in the FileA archive and every (interesting) file in the FileB archive.
  • SimilarityMin is the lowest similarity value found between PhishingKitA and PhishingKitB.
  • SimilarityMax is the highest similarity value found between PhishingKitA and PhishingKitB.

If you want to generate similarity.csv on your own, I provide a simple and dirty script in the src folder. So far it has several limitations (for example, it only processes ZIP files). Please make pull requests to improve and extend it; every contribution would be very helpful.
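The following is an added example, not code from the PhishingKitTracker repository: it builds a throw-away raw folder of constructed archives named site_kitname.zip, recomputes the sites and files_name frequency stats described above, and produces rows in the similarity.csv layout (FileA,FileB,SimilarityAVG,SimilarityMin,SimilarityMax). The kit contents are placeholder text, and the similarity measure (difflib.SequenceMatcher over the text of each interesting file) is an assumption, since the post does not say which metric compute_similarity.py uses.

```python
# Added example, not part of PhishingKitTracker. Constructed sample data only.
import csv
import difflib
import os
import tempfile
import zipfile
from collections import Counter
from itertools import combinations

# Same extension list the README uses for compute_similarity.py.
EXTENSION_FOR_ANALYSIS = ('.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1')

# Constructed kits: {archive name (<site>_<file name>): {member: text}}.
SAMPLE_KITS = {
    "example-host.test_login-kit.zip": {
        "login.html": "<form action='post.php'><input name='user'><input name='pass'></form>\n",
        "js/check.js": "function validate(f){return f.user.value.length>0;}\n",
        "readme.txt": "not analysed: extension is not in the list\n",
    },
    "example-host.test_bank-kit.zip": {
        "index.html": "<form action='post.php'><input name='user'><input name='pass'></form>\n",
        "js/check.js": "function validate(f){return f.user.value.length>3 && f.pass.value;}\n",
    },
    "other-host.test_login-kit.zip": {
        "verify.html": "<html><body>Account verification required</body></html>\n",
    },
}


def write_sample_raw_folder(raw_folder):
    """Write the constructed kits as real zip archives into raw_folder."""
    for archive_name, members in SAMPLE_KITS.items():
        with zipfile.ZipFile(os.path.join(raw_folder, archive_name), "w") as zf:
            for member, text in members.items():
                zf.writestr(member, text)


def frequency_stats(raw_folder):
    """Counts per hosting site (field 1) and per kit file name (field 2).

    Mirrors ls raw/ | cut -d'_' -f1 (or -f2) | sort | uniq -c | sort -bgr:
    the archive name is <site>_<file name>, so split on the first underscore.
    Counter counts globally, so the uniq adjacency pitfall does not apply."""
    sites, names = Counter(), Counter()
    for entry in os.listdir(raw_folder):
        site, _, name = entry.partition("_")
        sites[site] += 1
        names[name] += 1
    return sites.most_common(), names.most_common()


def interesting_members(archive_path):
    """Yield (member name, text) for members with an analysed extension.
    Members are read in memory instead of being extracted to a temp folder."""
    with zipfile.ZipFile(archive_path) as zf:
        for member in zf.namelist():
            if member.endswith(EXTENSION_FOR_ANALYSIS):
                yield member, zf.read(member).decode("utf-8", errors="replace")


def kit_similarity(kit_a, kit_b):
    """(avg, min, max) of pairwise ratios over every interesting-file pair,
    i.e. each file of FileA against each file of FileB (assumed metric)."""
    files_a = list(interesting_members(kit_a))
    files_b = list(interesting_members(kit_b))
    ratios = [difflib.SequenceMatcher(None, text_a, text_b).ratio()
              for _, text_a in files_a for _, text_b in files_b]
    if not ratios:
        return (0.0, 0.0, 0.0)
    return (sum(ratios) / len(ratios), min(ratios), max(ratios))


def similarity_rows(raw_folder):
    """One row per unordered kit pair, in the similarity.csv column order."""
    archives = sorted(f for f in os.listdir(raw_folder) if f.endswith(".zip"))
    rows = []
    for a, b in combinations(archives, 2):
        avg, lo, hi = kit_similarity(os.path.join(raw_folder, a),
                                     os.path.join(raw_folder, b))
        rows.append((a, b, round(avg, 4), round(lo, 4), round(hi, 4)))
    return rows


def write_similarity_csv(rows, output_file):
    """Persist the rows with the header the post documents."""
    with open(output_file, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["FileA", "FileB", "SimilarityAVG", "SimilarityMin", "SimilarityMax"])
        writer.writerows(rows)


def run_demo():
    """Build the sample raw folder, compute stats and similarity, return all three."""
    raw_folder = tempfile.mkdtemp(prefix="pkt_raw_")
    write_sample_raw_folder(raw_folder)
    sites, names = frequency_stats(raw_folder)
    rows = similarity_rows(raw_folder)
    write_similarity_csv(rows, os.path.join(raw_folder, "similarity.csv"))
    return sites, names, rows


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Because the two example-host kits share one identical HTML member, their row reaches SimilarityMax of 1.0 while the average stays well below it, which is exactly the spread the three columns are meant to expose when two kits are built from the same template but not the same code.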

SRC

Please check these variables (in compute_similarity.py) and change them as you wish.

EXTENSION_FOR_ANALYSIS = ['.html','.js','.vbs','.xls','.xlsm','.doc','.docm', '.ps1']
OUTPUT_FILE = 'similarity.csv'
RAW_FOLDER = '/tmp/raw/'
TEMP_FOLDER = '/tmp/tt'

Once you have changed them you can run the script and take a long rest. It will walk through RAW_FOLDER, grab the .zip files and try to compute code similarity between them. At the very end it will save the results into OUTPUT_FILE. From there you can import the file into your favorite spreadsheet processor and work on the code similarity.

So far the Python script is only able to compare zip-packed phishing kits; support for other compressed formats is still work in progress.

NB: The Python script is in a super early stage of development. Please help to improve it.

How to contribute

Introduce the walking script for different compression formats. In other words, if you want to contribute, you can write a new section such as the following one (from code_similarity.py) but for different compression extensions such as .tar.gz, .tar, .rar, .7z and so on.

# Extracts the members of a zip file whose extension is listed in
# EXTENSION_FOR_ANALYSIS into TEMP_FOLDER (both are the module-level settings
# shown above). It returns the full path of each extracted file for later
# work; n_interesting_files is only collected for diagnostics and is not returned.
import os
from zipfile import ZipFile

def extractZipAndReturnsIntereistingFiles(file_to_extract):
    interesting_files = []
    n_interesting_files = []
    try:
        with ZipFile(file_to_extract, 'r') as zipObj:
            listOfFileNames = zipObj.namelist()
            for fileName in listOfFileNames:
                # one decision per member, so a non-matching file is
                # recorded once rather than once per extension
                if any(fileName.endswith(ext) for ext in EXTENSION_FOR_ANALYSIS):
                    try:
                        zipObj.extract(fileName, TEMP_FOLDER)
                        interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
                    except Exception:
                        # corrupted or unreadable member: skip it and keep going
                        continue
                else:
                    n_interesting_files.append(os.path.join(TEMP_FOLDER, fileName))
    except Exception:
        # not a valid zip (or unreadable): return whatever was collected so far
        return interesting_files
    return interesting_files

One more way to contribute is to make the comparison loop smarter and quicker. You might decide to parallelize the task by forking and spawning more processes, or by changing the way I use multi-threading in this quick and dirty statistics script. In conclusion, every working pull request is welcome.
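As an added example of the contribution asked for above (not code from the PhishingKitTracker repository), here is one walker that dispatches on the archive extension so that .zip, .tar, .tar.gz and .tgz kits go through the same extraction path, keeping the zip function's contract of returning the full paths of the interesting files. The EXTENSION_FOR_ANALYSIS list is the one from the post; the function names, the path-traversal check and the constructed sample archives are assumptions.

```python
# Added example, not the repository's own code. The sample archives are
# constructed placeholders, not real phishing kits.
import io
import os
import tarfile
import tempfile
import zipfile

EXTENSION_FOR_ANALYSIS = ['.html', '.js', '.vbs', '.xls', '.xlsm', '.doc', '.docm', '.ps1']


def is_interesting(name):
    """True when the member's extension is one we want to analyse."""
    return name.endswith(tuple(EXTENSION_FOR_ANALYSIS))


def safe_target(dest, member_name):
    """Full output path for a member, or None if it would land outside dest
    ("../x" or absolute member names are common in hostile archives)."""
    dest = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest, member_name))
    return target if os.path.commonpath([dest, target]) == dest else None


def archive_members(path):
    """Yield (member name, readable stream) for regular-file members of a zip
    or (optionally gzipped) tar archive. Add a branch here for .rar or .7z."""
    if path.endswith('.zip'):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    with zf.open(info) as fh:
                        yield info.filename, fh
    elif path.endswith(('.tar', '.tar.gz', '.tgz')):
        with tarfile.open(path) as tf:          # mode 'r' auto-detects gzip
            for member in tf:
                fh = tf.extractfile(member) if member.isfile() else None
                if fh is not None:
                    with fh:
                        yield member.name, fh
    else:
        raise ValueError(f"unsupported archive format: {path}")


def extract_interesting_files(archive_path, temp_folder):
    """Copy the interesting members into temp_folder and return their full
    paths, the same contract as the README's zip-only extractor."""
    interesting = []
    for name, stream in archive_members(archive_path):
        if not is_interesting(name):
            continue
        target = safe_target(temp_folder, name)
        if target is None:                      # traversal attempt: skip it
            continue
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, 'wb') as out:
            out.write(stream.read())
        interesting.append(target)
    return interesting


def build_sample_archives(folder):
    """Write one constructed .zip and one .tar.gz with identical members,
    including a wrong-extension file and a path-traversal entry."""
    members = {
        'login.html': b'<html>constructed sample page</html>',
        'js/app.js': b'var constructed = 1;',
        'notes.txt': b'wrong extension, never extracted',
        '../escape.html': b'traversal attempt, must be skipped',
    }
    zip_path = os.path.join(folder, 'host.test_kit.zip')
    with zipfile.ZipFile(zip_path, 'w') as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    tgz_path = os.path.join(folder, 'host.test_kit.tar.gz')
    with tarfile.open(tgz_path, 'w:gz') as tf:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return zip_path, tgz_path


def run_demo():
    """Extract both sample archives; return {archive name: relative paths}."""
    work = tempfile.mkdtemp(prefix='pkt_')
    results = {}
    for path in build_sample_archives(work):
        out_dir = os.path.join(work, 'tt', os.path.basename(path))
        paths = extract_interesting_files(path, out_dir)
        results[os.path.basename(path)] = sorted(
            os.path.relpath(p, out_dir).replace(os.sep, '/') for p in paths)
    return results


if __name__ == '__main__':
    print(run_demo())
```

Reading each member through a stream and writing it yourself, instead of calling the library's extract, is what lets one path check cover every format, and it sidesteps tarfile extracting "../" entries on older Python versions.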

Cite the Phishing Kit

@misc{ MR,
       author = "Marco Ramilli",
       title = "Phishing Kits Tracker",
       year = "2020",
       url = "https://marcoramilli.com/2020/07/13/introducing-phishingkittracker/",
       note = "[Online; July 2020]"
     }

Mind the Gaps! The Requisite Mindset to Stay Ahead of Cybersecurity Threats

Guest Post by Matt Cable, VP Solutions Architects & MD Europe, Certes Networks

At the end of 2019, it was reported that the number of unfilled global IT security positions had reached over four million professionals, up from almost three million at the same time the previous year. This included 561,000 in North America and a staggering 2.6 million in APAC. The cybersecurity industry clearly has some gaps to fill.

But it’s not just the number of open positions that presents an issue. Research also shows that nearly half of firms are unable to carry out the basic tasks outlined in the UK government’s Cyber Essentials scheme, such as setting up firewalls, storing data and removing malware. Although this figure has improved since 2018, it is still far too high and is a growing concern.

To compound matters, the disruption of COVID-19 this year has triggered a larger volume of attack vectors, with more employees working from home without sufficient security protocols and cyber attackers willingly using this to their advantage.

Evidently, ensuring that cybersecurity employees and teams have the right skills to keep both their organisations and their data safe is essential. However, as Matt Cable, VP Solutions Architects & MD Europe, Certes Networks explains, as well as ensuring they have access to the right skills, organisations should also embrace a mindset of continuously identifying - and closing - gaps in their cybersecurity posture to ensure the organisation is as secure as it can be.

Infrastructure security versus infrastructure connectivity
There is a big misconception within cybersecurity teams that all members of the team can mitigate any cyber threat that comes their way. However, in practice, this often isn’t the case. There is repeatedly a lack of clarity between infrastructure security and infrastructure connectivity, with organisations assuming that because a member of the team is skilled in one area, they will automatically be skilled in the other.

What organisations are currently missing is a person, or team, within the company whose sole responsibility is looking at the security posture; not just at a high level, but also taking a deep dive into the infrastructure and identifying gaps, pain points and vulnerabilities. By assessing whether teams are truly focusing their efforts in the right places, tangible, outcomes-driven changes can really be made and organisations can then work towards understanding if they currently do possess the right skills to address the challenges.

This task should be a group effort: the entire IT and security team should be encouraged to look at the current situation and really analyse how secure the organisation truly is. Where is the majority of the team’s time being devoted? How could certain aspects of cybersecurity be better understood? Is the current team able to carry out penetration testing or patch management? Or, as an alternative to hiring a new member of the team, the CISO could consider sourcing a security partner who can provide these services, recognising that the skill sets cannot be developed within the organisation itself, and instead utilising external expertise.

It’s not what you know, it’s what you don’t know
The pace of change in cybersecurity means that organisations must accept they will not always be positioned to combat every single attack. Whilst on one day an organisation might consider its network to be secure, a new ransomware attack or the introduction of a new man-in-the-middle threat could quickly highlight a previously unknown vulnerability. Quite often, an organisation will not have known that it had vulnerabilities until it was too late.

By understanding that there will always be a new gap to fill and continuously assessing if the team has the right skills - either in-house or outsourced - to combat it, organisations can become much better prepared. If a CISO simply accepts the current secure state of its security posture as static and untouchable, the organisation will open itself up as a target of many forms of new attack vectors. Instead, accepting that cybersecurity is constantly changing and therefore questioning and testing each component of the security architecture on a regular basis means that security teams - with the help of security partners - will never be caught off guard.

Maintaining the right cybersecurity posture requires not just the right skills, but a mindset of constant innovation and assessment. Now, more than ever, organisations need to stay vigilant and identify the gaps that could cause devastating repercussions if left unfilled.

Cyber Threats Trends 6 Months Of Findings

Six months after the Cyber Threats Trends launch it is time to check its main findings. When I decided to develop my own Cyber Threats Observatory I was not sure about its effectiveness, and I was even more skeptical about real usage by the international cybersecurity community. Fortunately many students, researchers and professionals used the data to write theses, papers and research. Many of them cited my work (by adding a link in footnotes or in the reference section); others just dropped a “thank you” email. This was enough for me to decide to maintain Cyber Threats Trends for an additional six months. Performing data collection, data analysis and data classification requires a quite expensive back-end, so it needs to be useful to somebody, otherwise it would make no sense to maintain such a dedicated infrastructure.

But now let’s take a look at what it was able to find during the past six months.

Malware Families

The most seen malware families from January 2020 to June 2020 (6 months of activity) are the following ones:

  • GandCrab ~3%
  • Upatre ~1,9% (!!)
  • Emotet ~1,8%
  • TrickBot ~1,25%

This looks to be in line with many available statistics and reports from 2020, with the only exception of Upatre, which looks completely out of place in 2020; but I have discussed it at length here, so today I am quite confident it is not a misclassification. Many other families have been seen, as the following graph shows, but they will not be discussed in the current post.

Malware Families

Looking at the distribution of the top malware families, we can try to figure out whether some temporal pattern emerges. The following image shows the GandCrab family distribution over time. It is interesting to see that GandCrab was mostly active during the last two weeks of March, reaching its top detection rate on 2020-03-31 with about 138 unique “findings” in that single day. By contrast, it looks like it was used less during May and June 2020.

GandCrab was a Ransomware-as-a-Service (RaaS) that emerged on January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

From Malpedia

Pattern-wise, we might agree there is a kind of frequency in it. If you group the dates by week you will find that GandCrab is mostly used twice per month. If you consider a “top” (the biggest local maximum in detection rate) as the campaign launch day and the following, lower local maxima as physiological campaign adjustments, it looks like the attackers take two weeks to harvest profit from the previously launched campaign and to prepare new artifacts for the following one.

GandCrab Distribution over time

The following graph shows the Upatre family distribution over the past six months.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From Paloalto Unit42

This is a very interesting graph because Upatre had not been used for years (I bet since 2016). However, it looks like attackers recovered it and started using it again from April 2020. Grouping by date you can appreciate a 3-day rhythm, meaning that from one “attack wave” to the next it takes an average of 3 days. I will perform additional checks on that, but static rules perfectly match what we are seeing in the Upatre graph.

Upatre Distribution over time

Moving on to TrickBot, the following image shows its distribution over time. TrickBot was mostly active during the first months of 2020 in a constant and linear way, while from March to April 2020 it experienced a quite significant speedup. Due to COVID-themed campaigns, Cyber Threats Trends recorded more TrickBot than ever before in such a time frame.

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

From Malpedia

TrickBot Distribution over time

The following image shows the Emotet distribution over time. As one would expect, Emotet’s distribution follows the TrickBot one. Even if the relationship between the TrickBot folks and the Emotet folks is not clear, we are quite accustomed to seeing these frameworks delivered closely together in common campaigns, for example a few months ago when we experienced a lot of Ryuk (ransomware) distribution using Emotet + TrickBot.

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets.

From Malpedia

Emotet Distribution

Some indicators, such as the detection rates in January and in June, show us that Emotet is used in those specific months even without TrickBot, which might suggest a different delivery procedure and thus a different threat actor. In other words, comparing TrickBot and Emotet we observe that there are mainly two groups: a group which delivers TrickBot and Emotet together (such as the Ryuk ransomware group) and a group which uses Emotet without TrickBot.

Carrier Distribution

Excluding the exe file type, which is the most analyzed file extension in the dropper panorama, we continue to observe many office files as the main malware carrier. For example, Microsoft Word documents with macros are the most observed malware carrier, followed by PDF documents and CDF content. While PowerShell files are still one of the most emerging threats, we have not observed a vast amount of malware delivery on that carrier so far, but we do see a revival of the ancient Microsoft Excel Macro 4.0 as an obfuscation technique.

Frequency (excluding EXE)

It is still quite interesting how these statistics change over time. Indeed PDF and OLE objects are still the most used during the analyzed period. Even CDF documents are quite common, while simple scripts such as VBScript or JavaScript are slowly declining in the international statistics.

Conclusion

Developing Cyber Threats Trends has been a great journey! I had many sleepless nights and additional costs due to a quite big backend network (especially on the database side), but I had the opportunity to collect super interesting data and to increase my knowledge of malware statistics and of developing distributed systems. Moreover, it turned out to be a quite useful data collection and trend analysis tool for quite a few people out there! I will definitely keep it collecting more data!

Messenger Rooms: New Video Chat Option is Fun But Has Risks

One of the many things we’ve learned during this season of being homebound is that video chats with friends can save the day. One of the newest channels for video chatting is Messenger Rooms. While the new Facebook feature isn’t groundbreaking in terms of how it works, it’s the ability to pull together a big group of friends spontaneously that may make this a popular digital hangout for kids.

The Basics

Messenger Rooms functions similarly to the popular video conferencing app Zoom. The exception: There’s no need for users (or guests) to download a new app, create an account, or send out pre-planned meeting invites.

Messenger Rooms is simple. One person sets up a Messenger Room, that Room is assigned a URL, the organizer sends his or her friends that link, and those friends can instantly click it and be in the room. With so many families still opting to avoid large gatherings, Rooms may be the next best way to socialize in the most organic, pre-pandemic way.

The app makes it easy to watch movies together since one user screen can be pinned to the top of the chat for shared viewing. Kids can also have game nights, birthday parties, organize workout and study groups, or have a “squad hangout” as the Room title options call out (see graphic, below).

The Fun 

A few specific features may make Messenger Rooms appealing to kids. First, it’s easy to drop friends a link and be together almost instantly in a private room. Messenger Rooms is free, doesn’t have time limits, and up to 50 friends can get together in one room — from anywhere in the world. Kids joining a Room from their mobile app can apply quirky filters to their backgrounds or faces, which brings in the creativity element they get from Instagram Stories and Snapchat.

The Risks

Privacy. So far, privacy seems to be the biggest concern being raised and here’s why. Messenger Rooms, like Facebook, collects metadata from users — including guests without Facebook accounts. Metadata may include the people you talk with, at what times, and how often, all of which can be shared with a third party. Also, Messenger Rooms, while it does not record calls (like Zoom), lacks end-to-end encryption, which makes the channel vulnerable to hackers and compromises private conversations.

Troublemakers. Live chat rooms are not password-protected, so if a Room organizer decides to make a Room public or fails to lock a room they intended to be private, anyone can pop in and do anything. Much like the Zoom bombers emerging, anyone could crash a meeting with racial rants or graphic content. A link to a room can also be shared with others by anyone who has the link.

Cyberbullying. As with any app, conflicts can arise as can cyberbullying or harassment.

The Conversation

If you notice your kids using Messenger Rooms, you may consider having a few conversations that highlight the risks.

  • Privacy settings. If you organize a Room, lock it to keep unwanted people from crashing your meet up.
  • Nothing is private. Messenger Rooms isn’t encrypted, so it’s not the place to have private conversations or share sensitive content. Note: The internet in any form isn’t the place to share any personal content. Anything exchanged online — even a “private” text between two people — is vulnerable to hackers, device theft, or the possibility of a relationship falling out.
  • Nothing is free. Remind your children that services online are free for a reason. There is always an exchange: free use for data. Be aware that profile information and bits of a conversation could be mined and used by a third party. To understand better how data is collected, see Facebook’s help center or data policy.
  • Lock your room. Unless your child adjusts his or her preferences, it will be open to anyone that person is friends with on Facebook who will see the public Room at the top of their newsfeed. That means lovable Uncle Pete may mistakenly stumble into your daughter’s “squad” rant unless the Room is locked.
  • Report and block. If an unwanted person disrupts a Room kids can block the user and report it to Facebook.
  • Age-appropriate options. For kids under 13 (Facebook age requirement), there’s Messenger Kids, a Facebook feature that allows younger kids to video call with friends in a parentally-supervised room. It’s a great tool for teaching kids safe, online practices before they use the real thing.

To stay ahead of the digital hangouts available to kids, visit McAfee Consumer Family Safety blogs each week. You may also consider monitoring your child’s devices with parental controls designed to filter content, monitor screen time, and track new apps.

The post Messenger Rooms: New Video Chat Option is Fun But Has Risks appeared first on McAfee Blogs.

How to Protect Your Privacy From Tracking Apps

Working from home

Apps – what would life be without them? Imagine opening a brand-new browser tab every time you wanted to check your email, access photos, connect with friends on social media, or even pay your bills online.

Apps have greatly enhanced the way consumers interact with and complete tasks on their mobile devices. But what many consumers don’t realize is that they are tracked by many of the apps they know and use daily. Tracking can stem from a variety of platforms, however one type in particular has brought this issue even more into the forefront: contact tracing apps, which can help slow the spread of COVID-19.

What Are Contact Tracing Apps?

According to MIT Technology Review, technologists have been working to build contact tracing apps and systems to identify and notify those who have come in contact with a virus carrier. Tech giants and public health authorities worldwide have quickly signed up to build the application programming interfaces (APIs) and apps necessary to support this project’s scale. However, many users are skeptical because they know very little about these apps, what data is collected, and who this data is shared with.

The success of these contact tracing apps rests on user participation. However, for these apps to make a real impact, developers must overcome potential privacy and security risks to assure individuals their data will only be used to fight the virus’ spread.

The Impact of Contact Tracing Technology

According to Health IT Security, the American Civil Liberties Union and the Electronic Frontier Foundation released reports outlining potential privacy and security risks developers should consider when building APIs and drafting privacy policies. Some of these risks include geo-location tracking or tracking a device’s location in real-time.

Then there’s user behavior to keep in mind. Some individuals may not understand the extent of the information they share with an app, while others are uneasy about the idea that the government – or a hacker – could easily access their whereabouts. What’s more, users are concerned that data collection will fail to end after the pandemic and authorities will use it in the future for unwarranted public surveillance.

While the privacy concerns around contact tracing apps are genuine, it’s also important to consider how this technology could greatly benefit public health. Although the privacy protection instilled in some apps is still a work-in-progress, some technologies have successfully contact traced without putting users’ privacy at risk. For example, Singapore’s app TraceTogether only collects and gathers data at the point that someone 1) is confirmed to have COVID-19 and 2) consents to the scraping of that data. From there, the data is anonymized, encrypted, and doesn’t reveal the identity of the infected user or the person that may have come in contact with them. What’s more, the data is deleted automatically after 21 days. By employing a thoughtful approach to contact tracing, positive strides can be made towards stopping the virus’s spread without risking user privacy.

How to Stay Secure

As a consumer living in a world riddled with uncertainty, you can take steps to help protect your digital life. When it comes to the rise of contact tracing technology and other apps you may use, here are some tips to consider to help safeguard your private information.

Understand and read the terms

Because this technology is relatively new, there is much to consider if you’re thinking about downloading a contact tracing app. Consumers can protect their privacy by reading the Privacy Policy and Terms of Service so they can know just what they’re dealing with.

Update your settings

If you’re concerned about an app having permission to access your location, photos, or other data, check your settings to see which apps have access to this information. Change permissions by either deleting the app or changing your settings on your device.

Consider other options

If you are not comfortable downloading a contact tracing app on your device but would like to be informed of the virus’ spread, you can visit the CDC’s website for COVID-19 cases, which can be narrowed down by state and county.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post How to Protect Your Privacy From Tracking Apps appeared first on McAfee Blogs.

How to Keep Your Celebrations Happening – Virtually & Safely!

2020 has certainly been the year of the ‘new normal’. Our new life in which we stay home and socially distance has affected the way we work and learn but just as importantly, the way we celebrate!

Without a doubt, the video call saved the day while we all stayed home and socially distanced. Work meetings continued and learning at home still happened thanks to this wonderful technology. And while some people used video calls to remain in touch with family and friends, this remarkable technology also helped many people worldwide continue to celebrate life’s important milestones such as school and university graduations; weddings and, even the celebration of life at funerals.

Graduating Virtually

One of my oldest friends has two daughters who have just virtually graduated from their high school and university. Before each occasion, the girls were sent their cap and gown and their graduation certificates via the post. On the day of each event, the girls donned their specially purchased dresses – which were purchased long before ‘lockdown’ (along with their cap and gown) – and participated in the ceremony via video call. Dressed to the 9’s, their immediate family also watched the ceremony and witnessed their daughter (and sister) officially graduate.

While there wasn’t perhaps the same sense of camaraderie as if their cohort had graduated together in person, the video call was definitely the next best thing. It allowed them to see their friends, receive the public accolades they both so deserved and, most importantly, it provided a sense of completion and closure that allowed them to start thinking about their next phase in life.

Virtual Weddings

Within weeks of lockdown, the virtual wedding industry was well established. Companies such as Simply Eloped were offering virtual wedding packages that provided planning assistance, a virtual ceremony emcee, advice on acquiring a license and tech support. Specialised tech companies were also offering to coordinate weddings on video calling apps and manage guests on multiple devices.

And if you are getting married, of course you need photography so virtual photographers became a thing as did customised wedding backdrops providers and virtual live musicians to entertain your guests. If there was ever an example of an industry that mastered the art of pivoting, it was definitely the wedding industry!

Celebrating the End Of A Life – Virtually

Probably one of the hardest milestones to miss in person during lockdown was the celebration of life – the funeral. Around the world, many countries limited attendees at funerals to as low as 10 to ensure social distancing which meant live streaming the service became the next best option.

Specialised funeral live streaming companies such as OneRoom sprang up, allowing family and friends the opportunity for a private farewell even if they couldn’t attend in person. While a funeral service is an important way to remember and celebrate the life of the recently deceased, it is also an important part of the grieving process. I have several friends who lost treasured family members during the lockdown period who were very comforted by having the option to have a copy of the live-streamed service which they could watch several times.

If there’s ever a time to be grateful for the power of technology (and video calls) it’s now! I just can’t imagine how we have all survived the isolation without being able to stay in touch and see the faces of family and friends! But just like every aspect of online life, video calling apps are fantastic when used sensibly but they do also carry some risks. Here are my top tips to ensure that you can safely celebrate life’s milestones online:

  1. Don’t Share Links to Video Calls

Whether it’s a wedding ceremony, baby shower, meeting with a virtual photographer or a funeral service, sharing links to video calls means you are essentially extending the invitation to anyone who gets their hands on the link. Not only does this compromise the privacy of everyone involved, but video call ‘bombers’ have been known to use threatening and intimidating language which could be very unsettling.

  2. Keep Your Personal Meeting ID Tight!

Some video calling apps allocate each user a PMI or personal meeting ID. Your PMI is basically one continuous meeting so anyone that has access to it can enter any of your future meetings or gatherings. Always generate a random meeting ID for any events where you don’t truly know your invitees.

  3. Video Calls Can Be Recorded

Don’t forget that video calls can be recorded. Even though a video call may feel like real life – it is not! So, if you are celebrating hard at your friend’s wedding, be mindful that your ‘high-energy’ behaviour may be recorded on camera!!

While ‘lockdown life’ may almost be over for some of us, many experts believe ‘social distancing’ will be a way of life for some time. So, if you have an important celebration on your radar, don’t despair – a well-planned virtual celebration can definitely be worthwhile and will be a great story to pass down to future generations!

Happy Virtual Celebrating!

Alex xx

The post How to Keep Your Celebrations Happening – Virtually & Safely! appeared first on McAfee Blogs.

How Entertaining Ourselves at Home Has Become a Risky Business

Online entertainment is certainly having a moment. While we all stayed home and socially distanced, many of us filled our time binge-watching movies and TV series  – and wasn’t it fabulous!! But did you know that researching your next binge-watching project could actually be putting you at risk?

Aussies Love TV

There is no doubt that us Aussies love our TV and the statistics confirm this. With over three-quarters of Aussies watching TV and over two-thirds browsing the internet to pass the time during lockdown, we are clearly a country of screen-time professionals. And with just under a million new Aussies gaining access to a streaming service in their household, it seems everyone is doing their bit to support the entertainment industry!

But streaming isn’t cheap and can add up fast (particularly when you have multiple accounts) prompting many of us to look for free alternatives. And our desire to save a buck or two when trying to find our next binge-watching project hasn’t escaped the attention of cybercriminals who have a knack for crafting convincing scam strategies that are in sync with consumer trends.

What’s the Most Targeted Show to Search For?

McAfee analysed over 100 of the top ‘talked about’ entertainment titles available across the leading streaming providers here in Australia and identified the 10 most targeted shows (both TV and film) to search for.

The series Unorthodox and the movie Ace Ventura took the top place in their respective categories as having the highest ‘web search risk’, which means cybercriminals have put a lot of effort into developing scams around these titles. Scams could include websites offering free downloads of these titles – which require you to enter your personal information – or pirated videos that contain malware which could access the private data on your device.

Here are the top 10 riskiest shows in both categories:

Series – Australian Top 10 Most Targeted

  1. Unorthodox
  2. You
  3. Family Guy
  4. Big Mouth
  5. Homeland
  6. The Vampire Diaries
  7. Dynasty
  8. Lost
  9. Brooklyn Nine-Nine
  10. Stranger Things

Movies – Australian Top 10 Most Targeted

  1. Ace Ventura
  2. Green Book
  3. John Wick
  4. Machinist
  5. Annihilation
  6. Ex Machina
  7. A Star Is Born
  8. Fyre
  9. Lady Macbeth
  10. Bird Box

Horror and Thriller Films seem to be the trend!

It appears as though our love for horror and thriller films may be putting us in danger, with five of the top ten films most targeted by cybercriminals falling into these genres. With social distancing restrictions in place, Aussies are clearly seeking to add some thrill back into their lives which has opened up new opportunities for cybercriminals. Consumers need to be careful when it comes to searching for stimulating content to escape reality to ensure it doesn’t translate to real-life malware horror.

How You Can Stay Safe While Binge-Watching At Home

Now, I want to make it very clear – this news doesn’t mean you need to give up nights on the couch. Not at all! Instead, just follow a few simple steps and you can continue binge-watching to your heart’s content!

Here are my top tips for staying safe:

  1. Be Careful What You Click – if you are looking to catch up on the latest season of You or A Star is Born, please only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from sources like iTunes or Amazon, instead of downloading a “free” version from a website that could contain malware.
  2. Do NOT use Illegal Streaming Sites – this is not negotiable! Many illegal streaming sites are riddled with malware disguised as pirated video files. Malware could cause you a world of pain. Not only could it cause your device to freeze or crash, it could steal sensitive information and give cybercrims unauthorized access to system resources. So, do your device a favor and stream your favourite show from a reputable source.
  3. Protect your Online Life with a Cybersecurity Solution – why not send your regards to malicious actors with a comprehensive security solution like McAfee Total Protection. This can help protect you from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites.

So, when you are looking for your next binge-watching project, please take a moment before you download. Ensure the site you are accessing content from is legit (have you heard of it before? is it offering something for free when every other streaming service has a fee?) and if you are even a little unsure that it doesn’t look professional then DON’T click! The last thing you want is a bonus virus to interrupt your night in on the couch!

Happy Watching!!

Alex xx

The post How Entertaining Ourselves at Home Has Become a Risky Business appeared first on McAfee Blogs.

Why Should You Pay for a Security Solution?

Online safety

Do you ever go a single day without using a digital device? The answer is probably not. According to the Digital 2019 report by Hootsuite and We Are Social, users spend almost 7 hours a day online. And due to the recent stay-at-home orders, that number has only increased (internet hits recently surged by between 50% and 70%). What’s more, U.S. households are now estimated to have an average of 11 connected devices – that’s almost 3 devices per person in my family!

As the use of devices, apps, and online services increases daily, so does the number of online threats consumers face. That’s why it is important users consider what the best method is for securing their digital life.

My advice? Use a comprehensive security solution (and I’m not only saying this because I work for McAfee). Here’s why. 

The Limitations of Free Security Tools

Let’s be real – we all love free stuff (Costco samples anyone?). However, when it comes to my family’s security, am I willing to risk their safety due to the limitations of free solutions?  

Free tools simply don’t offer the level of advanced protection that modern technology users need. Today’s users require solutions that are as sophisticated as the threats they face, including everything from new strains of malware to hacking-based attacks. These solutions also quite literally limit consumers’ online activity too, as many impose limits on which browser or email program the user can leverage, which can be inconvenient as many already have a preferred browser or email platform (I know I do).  

Free security solutions also carry in-app advertising for premium products or, more importantly, may try to sell user data. Also, by advertising for premium products, the vendor indirectly admits that a free solution doesn’t provide enough security. These tools also offer little to no customer support, leaving users to handle any technical difficulties on their own. What’s more, most free security solutions are meant for use on only one device, whereas the average consumer owns over three connected devices. 

Security should provide a forcefield that covers users in every sense of the word – the devices they use, where they go online, how they manage and store information, and their personal data itself.

Connected Consumers Need Comprehensive Solutions

Today’s users need more than just free tools to live their desired digital life. To truly protect consumers from the evolving threat landscape, a security solution must be comprehensive. This means covering not only the user’s computers and devices, but also their connections and online behaviors. Because today’s users are so reliant on their devices and connections to bridge the gap between themselves and the outside world, security solutions must work seamlessly to shield their online activity – so seamlessly that they almost forget the solution is there. This provides the user with the protection they need without the added distractions of in-app advertising or the constant worry that their subpar solution might not secure them from common online threats.  

Why McAfee Matters

Free security products might provide the basics, but a comprehensive solution can protect the user from a host of other risks that could get in the way of living their life to the fullest. McAfee knows that users want to live their digital lives free from worry. That’s why we’ve created a line of products to help consumers do just that. With McAfee® Total Protection, users can enjoy robust security software with a comprehensive, yet holistic approach to protection.  

First, consumers are safeguarded from malware with cloud-based threat protection that uses behavioral algorithms to detect new threats – specifically protecting the device and web browsing. The software’s detection capabilities are constantly being updated and enhanced, without compromising the performance of users’ devices.  

McAfee also provides users with protection while surfing the web, where they can face a minefield of malicious ads or fraudulent websites. These pesky threats are designed to download malware and steal private information. That’s why McAfee® LiveSafe and McAfee® Total Protection include McAfee® WebAdvisor – web protection that enables users to sidestep attacks before they happen with clear warnings of risky websites, links, and files. They also include McAfee® Identity Theft Protection, which helps users stay ahead of fraud with Dark Web monitoring and SSN Trace to see if personal information has been put at risk.

Finally, we can’t forget about the importance of mobile threat detection, given that consumers spend nearly half of their online time via their mobile devices. Hackers are fully aware that we live in a mobile world, and coincidentally they’ve stepped up mobile attacks. That’s why McAfee solutions provide multi-device protection so you can safely connect while on the go.  

With robust, comprehensive security in place, your family’s devices will be consistently protected from the latest threats in the ever-evolving security landscape. With all these devices safe, everyone’s online life is free from worry.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post Why Should You Pay for a Security Solution? appeared first on McAfee Blogs.

Is the Upatre downloader coming back?

Hi Folks, today I want to share a quantitative analysis of a strange return match by Upatre. According to Unit42, Upatre is an old downloader, first spotted in 2013, used to deliver banking trojans and active until 2016.

First discovered in 2013, Upatre is primarily a downloader tool responsible for delivering additional trojans onto the victim host. It is most well-known for being tied with the Dyre banking trojan, with a peak of over 250,000 Upatre infections per month delivering Dyre back in July 2015. In November 2015 however, an organization thought to be associated with the Dyre operation was raided, and subsequently the usage of Upatre delivering Dyre dropped dramatically, to less than 600 per month by January 2016.

From PaloAlto Unit42

From 2016 until today I had never seen a new Upatre campaign, or anything like one, but something seems to have changed. While analyzing the Cyber Threats Trends findings (for an upcoming post) I spotted an interesting revival of the Upatre downloader starting from April 2020. The following image shows what I mean: zero Upatre findings until April 21 2020, and almost 50 single detections per day since that date. Those statistics are so strange to me that I had to doubt them. So let’s take a closer look and see if there is some misclassification around.

Upatre Time Distribution

Digging a little bit into those samples by asking VirusTotal for a second opinion, the matches look genuine. In order to verify that “revival”, I first took some random samples (with the Upatre classification tag) and then checked on VirusTotal the malware classification and the first submission date. The following is an example of the performed checks. As you can see from the following picture, 9 AV engines classified that sample as Upatre, so we can consider it neither a “false positive” nor a “misclassified” sample.

Upatre Correct Classification

The following image shows the “First Submission Date”, which is aligned with what I’ve seen on Cyber Threats Trends. If you take some more samples from the following list (IoC section) you will probably see many more cases similar to that one. I did many checks and I wasn’t able to find any mismatches at all, so I decided to write up this post about it.

Upatre First Submission
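The check described above (count how many engines agree on the Upatre label, then compare the first submission date with the start of the spike) can be scripted so it runs over a whole batch rather than one sample at a time. The block below is an added example, not code from the original post. The record layout follows the VirusTotal v3 file-object shape (attributes.last_analysis_results and attributes.first_submission_date) so a real report could be dropped in, but every record here is constructed sample data with placeholder hashes and invented engine names, not real reports or IoCs. It also separates two cases the post's reasoning implies: a sample that only one engine calls Upatre (suspected misclassification) and a sample with a solid label but a first-submission date from 2015 (an old file re-detected, not new activity).

```python
"""Sample triage for a suspected malware family revival (added example)."""
from datetime import datetime, timezone

# Start of the spike seen in the telemetry (date taken from the post).
REVIVAL_START = datetime(2020, 4, 21, tzinfo=timezone.utc)
# Minimum number of engines that must agree before the family label is trusted.
MIN_AGREEING_ENGINES = 3


def _ts(year, month, day):
    """Unix timestamp for a UTC date, the form VirusTotal uses for first_submission_date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


def _report(sample_id, first_seen, results):
    """Build a minimal VT-v3-style file object from constructed values."""
    return {
        "id": sample_id,
        "attributes": {
            "first_submission_date": first_seen,
            "last_analysis_results": {
                engine: {"category": "malicious" if label else "undetected", "result": label}
                for engine, label in results.items()
            },
        },
    }


# Constructed reports: placeholder ids and invented engine names, not real IoCs.
SAMPLE_REPORTS = [
    # Nine engines agree on Upatre and first seen inside the spike: genuine revival.
    _report("PLACEHOLDER_SHA256_A", _ts(2020, 5, 3),
            {**{f"Engine{i}": "Trojan.Upatre.Gen" for i in range(1, 10)},
             "Engine10": "W32/Dyre.Downloader", "Engine11": None}),
    # One engine says Upatre, the rest say something generic: suspected misclassification.
    _report("PLACEHOLDER_SHA256_B", _ts(2020, 5, 12),
            {"Engine1": "Downloader.Upatre", "Engine2": "Trojan.GenericKD",
             "Engine3": "Malware.Heuristic", "Engine4": None}),
    # Solid Upatre label but first seen in 2015: an old sample, not new activity.
    _report("PLACEHOLDER_SHA256_C", _ts(2015, 7, 10),
            {f"Engine{i}": "TrojanDownloader:Win32/Upatre" for i in range(1, 6)}),
]


def upatre_engine_count(report):
    """Number of engines whose verdict string names the Upatre family."""
    results = report["attributes"]["last_analysis_results"].values()
    return sum(1 for r in results if r["result"] and "upatre" in r["result"].lower())


def first_seen(report):
    """First-submission date as an aware UTC datetime."""
    return datetime.fromtimestamp(report["attributes"]["first_submission_date"], tz=timezone.utc)


def triage(report):
    """Classify one report as genuine revival, old sample, or suspected misclassification."""
    agreeing = upatre_engine_count(report)
    seen = first_seen(report)
    if agreeing < MIN_AGREEING_ENGINES:
        verdict = "suspected-misclassification"
    elif seen < REVIVAL_START:
        verdict = "old-sample"
    else:
        verdict = "genuine-revival"
    return {"id": report["id"], "upatre_engines": agreeing,
            "first_seen": seen.date().isoformat(), "verdict": verdict}


def summarize(reports):
    """Count verdicts across a batch; this is the number the 'many checks' boil down to."""
    counts = {}
    for r in reports:
        v = triage(r)["verdict"]
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(triage(r))
    print(summarize(SAMPLE_REPORTS))
```

Only a batch where nearly every sample lands in the "genuine-revival" bucket supports the conclusion the post draws; a large "old-sample" share would instead point at a rule or feed change re-detecting 2013-2016 files, and a large "suspected-misclassification" share at a bad signature.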

Conclusion

It’s very interesting, at least to my understanding, to see an ancient downloader resurface in such a specific period. Many people, from April up to today, are stuck at home in what has been called “quarantine” due to the COVID pandemic. Curiously, during the same time, while people are working from home and potentially have much more free time (since they can’t leave home), this older downloader reappears. Maybe somebody took advantage of this bad situation to resurrect some old tools stored on a dusty external hard drive?

IoC (3384)

For the complete IoC list check it out: HERE

Read Before You Binge-Watch: Here are the TV Shows & Movies to Look Out For

If you’ve been following recent stay-at-home orders, it’s likely that you’ve been scavenging the internet for new content to help pass the time. In fact, according to Nielsen, there was an 85% increase in American streaming rates in the first three weeks of March this year compared to March 2019 reports.

But having multiple streaming subscriptions can quickly add up. Consequentially, users who are hesitant to pay more for online streaming subscriptions often look for free options to stream their favorite TV show or movie.  

Criminals are often behind these websites, luring unsuspecting users into schemes via “free” downloads of movies and TV shows. Some of these movies and shows are riskier than others, however. McAfee WebAdvisor data has revealed certain titles are tied to potential malware and phishing threats.

Let’s take a look at the TV shows and movies that could lead you to a dangerous download instead of your next film spree, as well as discuss what users can do to stay secure. 

Top 10 U.S. TV and Movie Titles That Could Lead You to a Dangerous Download:

Top 10 U.S. TV Titles

  1. “Brooklyn Nine-Nine”
  2. “Elite”
  3. “Harlots”
  4. “Letterkenny”
  5. “Poldark”
  6. “Lost”
  7. “You”
  8. “Gentefied”
  9. “PEN15”
  10. “Skins”

Top 10 U.S. Movie Titles

  1. “Warrior”
  2. “Zombieland”
  3. “The Incredibles”
  4. “Step Brothers”
  5. “Bad Boys”
  6. “Aladdin” (2019)
  7. “The Lion King” (1994)
  8. “Swingers”
  9. “Frozen 2”
  10. “The Invitation”

Stay Protected While Streaming

While consumers search for new content from home, criminals are clearly searching for ways to trick eager TV and movie fans. However, there are still ways users can stay both entertained and secure during this time. Follow these tips to help ensure that your online entertainment experience is safe.

Watch what you click

Users looking to catch up on Season 2 of “You” or watch “The Incredibles” on repeat should be cautious and only access entertainment content directly from a reliable source. The safest thing to do is to subscribe to a streaming site that offers the content or download the movie from credible websites instead of downloading a “free” version from a website that could contain malware.

Refrain from using illegal streaming sites

Many illegal streaming sites are riddled with malware or adware disguised as pirated video files. Do your device a favor and stream the show from a reputable source. 

Use a Comprehensive Security Solution

Use a solution like McAfee Total Protection. This can help protect your devices from malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, which helps alert users of malicious websites. Additionally, McAfee WebAdvisor can be accessed as a free download.  

Use parental control software

Kids are tech-savvy and may search for movies by themselves. Ensure that limits are set on your child’s device and use software that can help minimize exposure to potentially malicious or inappropriate websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.  

*Methodology: McAfee pulled the most popular TV and movie titles available on U.S. streaming sites according to “best of” articles by a range of U.S. publications. The web results for the searches of the entertainment titles with modifying terms, such as “TV show” and “torrent,” were then analyzed. Other popular modifying search terms include “free download,” “free login,” “free,” and “pirated download.” From there, the resulting URLs and domains were measured using McAfee WebAdvisor data and assigned a score of high, medium, or unverified risk. The results identified the top 10 TV shows and movie titles with the highest risk of being used by criminals to spread malware and phishing threats.  

The post Read Before You Binge-Watch: Here are the TV Shows & Movies to Look Out For appeared first on McAfee Blogs.

New Insights From McAfee’s Survey Around Remote Work

The last few months have brought about a lot of change for all of us. Due to social distancing, companies across the world saw a huge increase in the number of people working remotely over the last few months. So as countries now start to relax social distancing and organizations consider shifting back to previous in-office work environments, McAfee took a look into how this change affects the number of remote workers. Will people return to work quickly, or will remote working continue on? Let’s take a look at how remote work trends have evolved in the U.S. over the past few months. 

The Evolution of Remote Work   

As lockdown began in March, the U.S. saw a huge increase as people moved to work from home, with a 9% increase in the number of remote connections to our apps compared to the previous month. Now, as parts of the U.S. start to reopen, we’re tracking these remote connections to see if people are returning to work. So far, it looks like people aren’t rushing back to the office from home, with just a 0.3% decrease in remote connections this week compared to last week. What’s the big deal if more people work from home, anyway?

One answer: many organizations see employees returning to corporate offices as a necessity, especially from a security standpoint. Nearly half of employees say that their company isn’t currently responsible for securing their devices while they’re at home. This is likely correlated to the increase in the number of online attacks employees have reported over the past three months. In fact, a recent McAfee report shows that threats to enterprises increased by 630% over the same period, with most attacks targeting collaboration services that enable remote work. 

Security Implications Around Remote Work

While many employers are anxious to have their team return to the office, a new study from McAfee revealed that 47% of employees do not want to go back to working how they were previously. Additionally, 21% stated that they intend to remain at home for as long as possible.

While it’s clear that consumers are doing their best to embrace their current work environment, both the employee and employer must take the various security implications around remote work into account. Companies must ensure that tools are set up so that they can keep all employees’ applications and systems up to date, patched, and monitored for any issues that may arise. By doing more to protect their employees remotely, businesses will be able to reap the benefits of a happier workforce and greater business continuity.  

Although many users may be unsure of whether they will continue to commute to the kitchen table or their corporate office, there are several security tips to keep in mind in the interim to help enable remote work. Check out the following tips to safeguard your work from home environment: 

Be cautious of correspondence asking you to act

You must stay vigilant if you receive an email or text asking you to take a certain action or download software. Avoid clicking on anything within the message. Instead, go straight to the organization’s website to prevent malicious content from phishing links.  

Keep infrastructure up to date

With an ongoing trend of vulnerabilities in consumer devices like home routers or smart home products, you should be regularly reminded to update such devices. 

Browse with security protection

Use comprehensive security protection, like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It includes McAfee WebAdvisor, which can help identify malicious websites.

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.

The post New Insights From McAfee’s Survey Around Remote Work appeared first on McAfee Blogs.

The Future of Work: How Technology & the WFH Landscape Are Making an Impact

Over the past few months, the American job market has seen a lot of change. Employees made the transition from commuting into an office every day to working from home. Some people lost work or experienced reduced hours, and the unemployment rate in the U.S. has jumped to 13.3% as of May 2020. However, new challenges breed new opportunities, and there are some jobs that are flourishing amid these uncertain times. What’s more, these challenges are paving a new path for the future of work and how prospective employees look for new job opportunities. Let’s take a look.

Jobs on the Rise

While some industries have experienced a downturn due to the pandemic, others have experienced a huge increase in demand as a result. All of them have one thing in common: they directly impact consumers’ key needs during this time.

Essential Industries

Of course, healthcare is top of mind for us all right now, so it’s not surprising that the demand for healthcare workers and pharmacy workers has steadily increased. For example, CVS is hiring 50,000 employees and Walgreens is looking to fill 25,000 permanent and temporary positions. 

To keep up with the increase in demand for eating at home, major grocery chains are hiring in-store shelf stockers and delivery staff. Additionally, Instacart is looking to hire 300,000 contract workers over the next three months.

Tech

Beyond physical needs, humanity’s need to remain connected – both socially and professionally – has driven demand within the tech industry. With more users working from home than ever before, the need for dependable telecommunications software has never been greater. While telecommunication has already experienced a 44% increase over the past 5 years, the current need for video conferencing platforms, online meetings, chat, and mobile collaboration services will only further facilitate this growth. With the increase in remote work, many employees found themselves helplessly fumbling with laptops and other equipment. So, it’s unsurprising that tech support jobs are on the rise as well. With physical call centers and operation centers shut down, companies still need agents to take customer and technical support calls.

Security

As more employees telecommute, unprecedented stress has been placed on virtual private networks (VPNs) and other systems securing remote work arrangements. As a result, some security jobs have seen a 20% surge in demand. As businesses begin to emerge from the global lockdown, it’s likely that the need for security talent will become even more apparent as businesses look for the safest way to resume business operations. 

As the demand for security jobs has recently increased, so has the security skills gap. To guarantee that an organization’s business can continue, organizations must ensure that VPNs, network devices, and other devices being used in the remote environment are updated with the latest software patches and security configurations. Additionally, networks must be constantly monitored to prevent hackers from accessing the organization’s VPN connection. Doing this, however, requires a skilled security workforce that can be hard to come by due to the ever-increasing demand. If organizations wish to close the skills gap, they will need to look beyond the typical graduate talent pool and see the value in other forms of security education such as internships.

How to Stay Secure While Job Hunting

Hackers know that everyone is spending more time online. They also know that many Americans have recently been laid off and are looking for new jobs, leading to a surge of fake job scams. According to Forbes, the Better Business Bureau has reported more than 13,000 job listing scams in North America alone since December. Users searching for jobs online must proceed with caution and look out for suspicious job postings disguised as real businesses to protect their personal data. 

So, if you’re looking to change career paths during this time or are on the hunt for a new job, follow these tips to protect your security and personal data.  

Go directly to the source

If you come across a job posting that seems suspicious, go directly to the business’ career page to verify that the listing is real. Likewise, beware of any so-called recruiters who reach out offering you a job that seems too good to be true. Be skeptical of emails, phone calls, or text messages claiming to be from organizations with peculiar asks as well.  

Hover over links to see and verify the URL

If someone claiming to be from an organization sends you a message with a link, hover over the link without actually clicking on it. This will allow you to see a link preview. If the URL looks suspicious, don’t interact with it and delete the message altogether. 

Beware of what you share

If you get what appears to be a suspicious request from a recruiter, an HR representative, a friend, or family member, verify the message with that person directly before opening or responding. Remember that an employer will never request sensitive information such as social security numbers or bank routing numbers over email or text. 

Stay Updated

To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook. 

The post The Future of Work: How Technology & the WFH Landscape Are Making an Impact appeared first on McAfee Blogs.

Passwords are and have always been an Achilles Heel in CyberSecurity

LogMeOnce, a password identity management suite provider, has published a detailed interview with me titled 'Passwords are and have always been an Achilles Heel in CyberSecurity'. In the Q&A I talk about Password Security (obviously), Threat Actors, IoT Security, Multi-Factor Authentication (MFA), Anti-Virus, Biometrics, AI, Privacy, and a bit on how I got into a career in Cybersecurity.

Quotes
“I’m afraid people will remain the weakest link in security, and the vast majority of cybercriminals go after this lowest hanging fruit. It’s the least effort for the most reward.”

"There is no silver bullet with password security, but MFA comes close: it significantly reduces the risk of account compromise"

"The built-in biometric authentication capabilities of smartphones are a significant advancement for security"

"Cybercriminals go after this lowest hanging fruit, the least effort for the most reward."

"As technology becomes more secure and more difficult to defeat, it stands to reason criminals will increasingly target people more."

"The impact of the WannaCry ransomware outbreak on NHS IT systems is a recent example of such a cyberattack which threatens lives."

"Machine Learning can provide real benefits, especially in large Security Operations Centres (SOC), by helping analysts break down the steady stream of data into actionable intelligence, reducing workload and false-positive errors"

"When I look at new technology today, I still seek to thoroughly understand how it works, naturally thinking about the weaknesses which could be exploited, and the negative impact of such exploits on the people and businesses using the technology. I developed a kind of ‘hacker’s eye for business’"

Cyber Threats Observatory Gets Improvements

Today I am so happy to announce a big improvement in the threats observatory (available here). The main improvement is the introduction of clustering stereotypes for each tracked malware family across three different behaviors: Domains, Files and Processes.

Every malware performs specific actions in the domain, file and process realms, meaning that every sample contacts several domain names, spawns specific processes and eventually saves files on disk (file-less malware is a separate topic here). Collecting everything coming from their execution and clustering it on string similarity highlights several stereotypes that would be interesting for further studies or for similarity-based blocking lists. The following image shows the current deployment state.

Screenshot: Cyber Threats Observatory

What you find

According to the shared information, the Cyber Threats Observatory Dashboard is composed of the following sections:

  • Malware Families Trends. Detection distribution over time; in other words, the time frames in which specific families are most active compared to others.
  • Malware Families. Automatic Yara rules classify samples into families. Many samples were not classified into a family; this happens when no signature matches the sample or when multiple family signatures match the same sample. In both cases I am not sure which family the sample belongs to, so it is classified as “unknown” and not visualized on this graph. The missing slice of the pie is attributed to “unknown”.
  • Distribution Types. Based on the file’s magic bytes, this graph tracks the percentages of file types that malware used as carriers.
  • Threat Level Distribution. From 0 to 3, increasingly dangerous. It would be interesting to understand the threat level of unknown families as well, in order to see whether real malware or false positives hide among them. For this reason a dedicated graph named Unknown Families Threat Level Distribution has been created.
  • Stereotypes. Studying stereotypes is useful to analyze similarities within clusters; in other words, to see which patterns malware uses in domain names, file names and process names. This matters for detection and even for preemptive blocking. Due to the vast amount of data, only the most recent 10000 entries are included.
  • TOP domains, TOP processes and TOP File Names. With a sliding window over the last 300 analyzed samples, the backend extracts the most frequently contacted domains, spawned processes and utilized file names. Again, there is no filter and no post-processing analysis on these fields, meaning you could well find “google.com” or “microsoft update” as a TOP domain, which is fine: if the sample queried them before performing its malicious intent, it is simply recorded and brought to your attention. The same goes for processes and file names. Indeed these fields include the term “involved” in their title: if something is involved it does not mean that it is malicious, but that it is accounted to be part of a malicious chain.

A simple example

Let’s assume we want to investigate LokiBot. According to any.run: Lokibot, also known as Loki-bot or Loki bot, is an information stealer malware that collects data from the most widely used web browsers, FTP and email clients, and over a hundred software tools installed on the infected machine.

But let’s start digging a little bit into the Cyber Threats Dashboard and see what we can find. First of all, from the Malware Families section we see the overall detection rate. Today, we can easily say that LokiBot has a low detection percentage (0.32388) compared to other families such as GandCrab, Emotet or TrickBot.

Malware Families

From the Family Distribution Over Time section (the following image) we can look at the detection distribution rate. By deselecting the unwanted malware families it is possible to track the distribution of the desired one (in our case LokiBot) over time. In the following case all families except LokiBot have been disabled (by clicking on the malware name directly in the graph legend). We can see a compelling increase in LokiBot detections on 2020-04-28 and from 2020-04-30 to 2020-05-02. It looks like the most active observed period for this well documented family during 2020. This observation perfectly fits the public mainstream information, with many security magazines and vendors observing such an increase as well, mostly spread through COVID-19 malspam, for example: SecurityAffairs, BankInfoSecurity, ThreatPOST, FortiNet.

Families Distribution Over Time

Digging a little bit into the specific case, we can observe the domain stereotypes. It’s nice to see that many domain stereotypes (in other words the representatives of a wide set of similar domains) have .cf (Central African Republic) as Top Level Domain and some of them are quite similar: broken1.cf, broken2.cf, and so on and so forth. Something not very original, which could be blocked as: broken<number>.cf

LokiBot Domain Stereotypes as of 2020-05-02

Following on the diagram we can observe one more domain stereotype having .icu as TLD, in particular frenchman.icu (a generic TLD targeting entrepreneurs and business owners), and following this path one more domain stereotype having .co.ke (referring to Kenya). Now let’s try to focus a little bit on “Files” and check if there are some patterns in the “File” section. So let’s check the following diagram.

LokiBot File Stereotypes as of 2020-05-02

The uniform composition (every stereotype gets the same score, in this case 3) suggests that the malware uses the different groups of files equally, meaning that once it starts on a victim machine it reads/creates/writes every single file at least once per run. We can see a nice pattern in the temporary file names, but it won’t help us in detection since it is the default Windows temporary file pattern. However, we might associate the presence of such temporary files with the direct usage of spoolsv.exe, mrsys.exe and even explorer.exe. Even if many false positives could be triggered, it would be worth a try to see where it leads!

Most interesting is the presence of a specific file matching ([a..z][0.9]).lck, whose presence would be a nice key point to check for (by using file detection).
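As an added example (not the Cyber Threats Observatory’s own code), the following Python script sketches the stereotype idea described above: it normalizes the variable parts of observed domains and file names, clusters them by string similarity, and turns each cluster into one regular expression that can feed a detection or blocking list, such as broken<number>.cf or the ([a..z][0.9]).lck file noted here. All sample domains and paths are constructed for illustration and are not real indicators; the similarity threshold and the placeholders are my own choices.

```python
"""Stereotype clustering of strings observed during malware execution.

Constructed example: the domains and paths below are made up for illustration
and are not real indicators of compromise."""
import re
from difflib import SequenceMatcher

# Constructed sample observations, shaped like the ones discussed in the post.
OBSERVED_DOMAINS = [
    "broken1.cf", "broken2.cf", "broken7.cf", "broken12.cf",
    "frenchman.icu", "google.com", "update.microsoft.com",
    "shop3.co.ke", "shop4.co.ke",
]
OBSERVED_FILES = [
    r"C:\Users\victim\AppData\Local\Temp\tmpA1B2.tmp",
    r"C:\Users\victim\AppData\Local\Temp\tmpC3D4.tmp",
    r"C:\Users\victim\AppData\Roaming\a7.lck",
    r"C:\Users\victim\AppData\Roaming\q3.lck",
    r"C:\Windows\System32\spoolsv.exe",
]

# Placeholders used while clustering, and the regex each expands to afterwards.
PLACEHOLDERS = {"<hex>": r"[0-9a-f]{4,}", "<number>": r"\d+"}
# A run of 4+ hex characters containing at least one letter and one digit.
HEX_RUN = re.compile(r"(?=[0-9a-f]*[a-f])(?=[0-9a-f]*\d)[0-9a-f]{4,}")


def basename(s):
    """Keep only the last path component; for a bare domain this is a no-op."""
    return s.replace("\\", "/").rsplit("/", 1)[-1]


def normalize(s):
    """Collapse the variable parts so broken1.cf and broken12.cf look alike."""
    s = basename(s).lower()
    s = HEX_RUN.sub("<hex>", s)         # tmpa1b2.tmp -> tmp<hex>.tmp
    s = re.sub(r"\d+", "<number>", s)   # broken12.cf -> broken<number>.cf
    return s


def cluster(strings, threshold=0.8):
    """Greedy single-pass clustering on the similarity of normalized strings.
    Returns a list of clusters, each a list of the raw strings it contains."""
    clusters = []  # entries: (normalized representative, [raw members])
    for raw in strings:
        norm = normalize(raw)
        for rep, members in clusters:
            if SequenceMatcher(None, rep, norm).ratio() >= threshold:
                members.append(raw)
                break
        else:
            clusters.append((norm, [raw]))
    return [members for _, members in clusters]


def stereotype_regex(members):
    """Derive one regex from a cluster. Equal-length normalized members are
    compared column by column: agreeing positions become literals, differing
    ones a character class (a7.lck and q3.lck give [a-z]\\d+\\.lck). Otherwise
    the first member's normalized shape is used as is."""
    norms = [normalize(m) for m in members]
    if len({len(n) for n in norms}) == 1:
        parts = []
        for col in zip(*norms):
            chars = set(col)
            if len(chars) == 1:
                parts.append(re.escape(col[0]))
            elif all(c.isalpha() for c in chars):
                parts.append("[a-z]")
            elif all(c.isdigit() for c in chars):
                parts.append(r"\d")
            else:
                parts.append(".")
        pattern = "".join(parts)
    else:
        pattern = re.escape(norms[0])
    for token, regex in PLACEHOLDERS.items():
        pattern = pattern.replace(re.escape(token), regex)
    return pattern


def build_stereotypes(observations, min_size=1, threshold=0.8):
    """Map each stereotype regex to the raw observations it summarizes.
    min_size drops clusters too small to be worth a rule; singletons such as
    google.com are often just benign look-ups made before the payload runs."""
    result = {}
    for members in cluster(observations, threshold):
        if len(members) >= min_size:
            result[stereotype_regex(members)] = members
    return result


def match_stereotypes(stereotypes, candidate):
    """Return the stereotype regexes a new observation falls under; this is
    how the list serves detection or blocking instead of exact IoC matching."""
    cand = basename(candidate).lower()
    return [p for p in stereotypes if re.fullmatch(p, cand)]
```

With min_size=2 the constructed domains yield `broken\d+\.cf` and `shop\d+\.co\.ke`, and the constructed files yield `tmp[0-9a-f]{4,}\.tmp` and `[a-z]\d+\.lck`; as the post notes, a temp-file stereotype alone is too generic to alert on and is better combined with the processes observed alongside it.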

Conclusion

In this post I’ve introduced a big improvement to the Cyber Threat Observatory, showing a quick and dirty analysis of LokiBot through stereotypes. The aim of this project is not to give detailed analyses of malware but rather to focus on general patterns and macro stereotypes in order to perform massive data analysis.

Hope you find it useful; if so, please share it with your colleagues.

Cybersecurity Trends

Trends are interesting since they could tell you where things are going.

I do believe in studying history and behaviors in order to figure out where things are going, so every year my colleagues from Yoroi and I spend several weeks studying and writing down what we observed during the past months in the Yoroi Cybersecurity Annual Report (freely downloadable from here: Yoroi Cybersecurity Report 2019).

The Rise of Targeted Ransomware

2019 was a breakthrough year for the cyber security of the European productive sector. The peculiarity of this year is not strictly related to the number of hacking attempts or to the malware code spread all over the Internet to compromise companies’ assets and data, but to the evolution and consolidation of a new, highly dangerous kind of cyber attack. In 2019, we noticed a deep change in a consistent part of the global threat landscape, typically populated by State Sponsored actors, Cyber-Criminals and Hacktivists, each one with its own attributes in motivations, objectives, methods and sophistication.

During 2019 we observed a rapid evolution of Cyber Crime ecosystems hosting a wide range of financially motivated actors, and an increased volume of money-driven attacks compared to previous years. These actors are also involved in cyber-espionage, CEO frauds, credential stealing operations, PII (Personally Identifiable Information) and IP (Intellectual Property) theft, but are traditionally much more active in the so called “opportunistic” cyber attacks: attacks opportunistically directed at the whole internet population, such as botnet and crypto-miner infection waves, but also regional operations, for instance designed to target European countries like Italy or Germany as branches of major global-scale operations, as we tracked since 2018 with the sLoad case and even earlier with the Ursnif malware propagation waves.

In 2019, as in 2018, ransomware attacks played a significant role in the cyber arena. In previous years the whole InfoSec community observed the fast growth of the ransomware phenomenon, both in terms of newborn ransomware families and of ransom payment options, driven by the consolidation of the digital cryptocurrency market, which made the traditional tracking techniques – operated by law enforcement agencies – less effective due to new untraceable cryptocurrencies. But these increasing volumes weren’t the most worrying aspect we noticed.

Before 2019, most ransomware attacks were conducted in an automated, mostly opportunistic fashion: for instance through drive-by download attacks and exploit kits, but also very frequently using the email vector. In fact, the “canonical” ransomware attacks before 2019 were characterized by an incoming email luring the victim into opening an attachment, most of the time an Office document, carefully obfuscated to avoid detection and weaponized to launch some ransomware able to autonomously encrypt local user files and shared documents.

During 2019, we monitored a deep change in this trend. Ransomware attacks became more and more sophisticated. Gradually, even major cyber-criminal botnet operators moved into this emerging sector, leveraging their infection capabilities, their long term hacking experience and their bots to monetize their actions using new malicious business models. Indeed, almost every major malware family populating the cyber criminal landscape was involved in the delivery of follow-up ransomware within infected hosts. A typical example is the GandCrab ransomware installation operated by Ursnif implants during most of 2019. But some criminal groups have gone further. They set the threat level to a new baseline.

Many major cyber criminal groups developed a sort of malicious “RedTeam” units, let’s call them “DarkTeams”. These units are able to manually engage high value targets such as private companies or any kind of structured organization, gaining access to their core and owning the whole infrastructure at once, typically installing ransomware tools all across the network just after ensuring the deletion of the backup copies. Many times they also use industry specific knowledge to tamper with management networks and hypervisors to reach an impressive level of potential damage.

Actually, this kind of behaviour is not new to us. Such methods of operation have been used for a long time, but not by such a large number of actors and not with such objectives. Network penetration was in fact a peculiarity of state sponsored groups and specialized cyber criminal gangs, often threatening the banking and retail sectors, typically referenced as Advanced Persistent Threats and traditionally targeting very large enterprises and organizations.

During 2019, we observed a strong game change in the ransomware attack panorama.

The special “DarkTeams” replicated advanced intrusion techniques from APT playbooks, carrying them into private business sectors which were not traditionally prepared to deal with such kinds of threats. Then, they started to hit organizations with high impact business attacks modeled to be very effective in the victim’s context. We are facing the evolution of ransomware into Targeted Ransomware Attacks.

We observed and tracked many gangs consolidating the new Targeted Ransomware Attacks model. Many of them have also been cited by mainstream media and press due to the heavy impact on the business operations of prestigious companies, such as the LockerGoga and Ryuk ransomware attacks, but they were only the tip of the iceberg. Many other criminal groups have consolidated this kind of operation, such as DoppelPaymer, Nemty, REvil/Sodinokibi and Maze, definitely some of the top targeted ransomware players populating the threat landscape in the last half of 2019.

In the past few months we also observed the emergence of a really worrisome practice by some of these players: the public shaming of their victims. Maze was one of the first actors pioneering this practice in 2019: the group started to disclose the names of the private companies they hacked into along with pieces of internal data stolen during the network intrusions.

The problem arises when the stolen data includes Intellectual Property and Personally Identifiable Information. In such a case the attacker leaves the victim organization in an additional, unfavourable position during the cyber-crisis: handling the data breach and the fines imposed by the Data Protection Authorities. During 2020 we expect these kinds of practices to become more and more common in the criminal ecosystems. Thus, adopting a proactive approach to the Cyber Security Strategy, leveraging services like Yoroi’s Cyber Security Defence Center, could be crucial to equip the Company with the proper technology to gain visibility on targeted ransomware attacks, and the knowledge, skills and processes to spot and handle this new class of threats.

Zero-Day Malware

Well-known threats are always easier to recognize and manage since their components and intents are very often clear. For example a ransomware, as known today, performs some standard operations such as (but not limited to): reading a file, encrypting it and writing it back. An early discovery of known threat families helps analysts perform quick and precise analyses, while unknown threats are always difficult to manage since analysts first need to discover the intentions and then map the behaviour back to standard operations. This is why we track Zero-Day Malware. Yoroi’s technology captures and collects samples before processing them on Yoroi’s shared threat intelligence platform, trying to attribute them to known threats.

As part of the automatic analysis pipeline, Yoroi’s technology reports whether the malicious files are detected by Anti-Virus technologies at detection time. This specific check is mainly done to figure out if the incoming threat would be able to bypass perimeter and endpoint defences. As a positive side effect we collect data on detected threats related to their notoriety. In other words we are able to see if a malware belonging to a threat actor or related to a specific operation (or incident) is detected by AV, Firewall, Next Generation X and the endpoints in use.

In this context, we shall define what we mean by Zero-Day Malware. We call Zero-Day malware every sample that turns out to be an unknown variant of an arbitrary malware family. The following image (Fig:1) shows how most of the analyzed malware is unknown to the InfoSec community and to common Antivirus vendors. This finding supports the picture of an ever-evolving malware panorama in which attackers start from a shared code base but modify it depending on their need to stay stealthy.

Fig. 1: share of analyzed malware unknown to the InfoSec community and to common Antivirus vendors

The reported data are collected during the first propagation of the malicious files across organizations. It means Companies are highly exposed to the risk of Zero-Day malware. Detection and response time plays a central role in such cases, where the attack stays stealthy for hours or even for days.

Along with the Zero-Day malware observation, most of the known malware at time of delivery has not-so-high chances of being blocked by security controls. 8% of the malware is detected by few AV engines and only 33% is actually well identified at the time of attack. Even so-called “known malware” is still a relevant issue due to its capability to maintain a low detection rate during the first infection steps. Indeed, less than 20% of the analyzed samples belonging to the “not Zero-Day” set are detected by more than 15 AV engines.

Drilling down and observing the behavioural classification of the intercepted samples known by fewer than 5 AntiVirus engines at detection time, we can see that the “Dropper” behaviour (i.e. the downloading or unpacking of other malicious stages or components) leads the way with 54% of cases, slightly decreasing since 2018. One more interesting trend in the analyzed data is the surprising decrease of Ransomware behaviour, dropping from 17% in 2018 to the current 2%, and the sharp rise of “Trojan” behaviours up to 35% of cases, more than double the 15% of 2018. This trend endorses the evidence that ransomware attacks in 2019 began to follow a targeted approach, as described in the “The Rise of Targeted Ransomware” section.

Figure: behavioural classification of samples known by fewer than 5 AntiVirus engines at detection time, 2018 vs 2019

A reasonable interpretation of the marked changes in these data could actually conform with the sophistication of the malware infection chain discussed in the previous section. As a matter of fact, many of the delivered malware samples are actually a single part of a more complex infection chain: a chain able to install even multiple families of malware threats, starting from simple pieces of code behaving like droppers and trojan horses to grant access to a wider range of threats.

This trend gets further validation in the Zero-Day malware data set: the samples likely unknown to the InfoSec community – at the time of delivery – substantially shifted their distribution from previous years. In particular, Ransomware behaviour detections dropped from 29% to 7% in 2019, and Trojan rose from 28% to 52% of cases, showing similar macro variations.

Figure: behavioural classification of Zero-Day samples, 2018 vs 2019

If you want to read more details on “DarkTeams” and on what we observed during the past months, please feel free to download the full report HERE.

Working From Home: Building Your Own Setup

This is the fifth week my company (Yoroi) and I are working from home (covid-19). While every company process is running smoothly and fast, personal quarantine is getting quite long and heavy, especially if you are accustomed to travelling a lot for work. Under these circumstances the home office setup becomes very important, as you should be comfortable delivering as much as you did while sitting in your perfectly fitting office. Moreover, during the past few weeks I received many emails and private messages from people like me asking for personal suggestions on home setup. So I decided to write up a little blog post with my personal suggestions about home setup for remote workers.

First: What you do.

My personal home desk changed a lot during the years. On one hand new technology became available, but on the other hand (and most importantly) my role and interests changed a lot over time. I started with a super-nerd home setup while I was in college, including soldering irons, a desoldering hot air station, Arduino boards all over the shelves, Raspberry Pis with many cover flavors, three monitors (one of them vertically oriented, for reading documentation), a black screen and mechanical keyboards. This environment fitted my needs at that specific time, but it would not fit my current needs. The first thing that you should do in refactoring your own home desk is to understand what you do. Not what you would like to do, but rather what you do. Before you start surfing gadget websites, just focus on what you are doing on a daily basis. A developer and a malware analyst share few needs, and their environments won’t be close to each other. If you are a C-level executive your environment will definitely look different from your IT manager’s!

Second: Less is more.

I know many of you won’t agree with this paragraph, but in my personal point of view “less is more” (cit. Mies). The more objects populate your desk, the higher the probability of getting distracted by them. I tended to have books on my desk, and every time I looked at them my mind went to that story or to what the book gave me in terms of knowledge and... this was really distracting me. 6 things are my minimal and best setup: a laptop, a mouse, a mechanical keyboard, headphones, a big monitor and my phone.

Home SetUP

Monitor

Talking about monitors, I would suggest a single big one. I used to have multiple monitors on my desk and it is amazing to see how many parallel tasks you can keep on them, but many parallel tasks do not necessarily mean higher productivity. In my experience I noticed that it’s best to focus on 3 or 4 parallel tasks, not more. So a big screen managed by a great window manager (see the software section) helps you not to exaggerate with multiple tasks. However, if you are a developer an additional vertical screen would definitely help you in consulting StackOverflow, GitHub and documentation. In many other cases, I personally won’t suggest more than two displays. My favorite size is 27″ and I prefer a “borderless” monitor with an adjustable “neck” in order to move it depending on chair position. Actually one of my favorites is the SAMSUNG SR75 4K UHD Space Monitor: it is Ultra HD, great looking and very minimal in space, so you have much more room for your arms.

Keyboard

A mechanical keyboard is a little pleasure of life. If you are a writer it is definitely a “must have”, while if you are a developer or a malware analyst it’s mostly a fashion. Conversely, if you are a penetration tester or an adversarial simulator you would probably appreciate foldable keyboards more, or if you are an IT guy you would probably love small and tiny keyboards, light and easy to carry between racks in “work in progress” data centers. As in the monitor ecosystem, the keyboard world is humongous and there is never a “best in class”, there is what “you like most”. In my case I love Varmilo keyboards since they allow many quite interesting customizations. Ergonomics plays a fundamental role in keyboard choice, but even the most ergonomic keyboards could harm you if you don’t have a good body posture, so before getting into a very fancy ergonomic keyboard (like the most famous one HERE) try to correct your body posture.

Mouse

The mouse is one of the most used artifacts you will be touching from the moment you sit on your comfortable chair, so you need to pay the right attention to what you choose. While the Kensington trackball mouse (here) is definitely my personal suggestion, I do not use it. Since I used to travel a lot during my normal working weeks I can’t carry it back and forth on trips: a trackball is not comfortable to move around at all. So I decided to take a small but nice mouse. If you are used to travelling a lot like me, you would probably appreciate a Bluetooth mouse with no cables in the bag (remember: less is more). The mouse should be small in size and light. I would suggest a hard (metal) mechanical wheel with strong inertia in order to give you a nice scrolling feeling. One of my favorites is definitely the Logitech MX Anywhere 2.

Computer

This is the most important choice: indeed it could be quite easy to change monitor or mouse, but changing your PC would be much more challenging (and expensive). Depending on what you do on a daily basis you have many, many choices. So let’s start from mobility. In my case I move a lot between my offices, and wherever I go I used to have external monitors, so I prefer small laptops. My principal tasks are split between malware analysis (mostly for fun) and management (mostly for work), so I need many virtual machines (mostly for fun) and many Chrome tabs (mostly for work). High performance in terms of SSD, CPU and RAM is required (virtualization and malware analysis tool sets). If you are a podcaster or a youtuber you would need a high performance graphics processor (especially if you post-process video); if you are a writer you would probably love to write “around the globe” (not in a small cold office), so you would love a light laptop; or if you are a developer or content designer you would probably love a MAC 😀 (just kidding). My favorite so far is the RazerBlade Stealth 13″, which has incredible performance: touchscreen and retina display, beyond i7, 16GB RAM and 500GB SSD. Generally speaking, if you are looking for a PC and not for a MAC, I would definitely suggest taking a look at one of the following tiny but powerful laptops: Dell XPS 13, HP Spectre and ASUS ZenBook.

Headphones

If you are a music lover, well, you’d better skip this section. I don’t use headphones for high quality music listening but rather for conferences and calls. However, from time to time I love focusing by listening to my favorite playlist, so I had to figure out what, in my personal point of view, could be a good arrangement. My best compromise was the Jabra Move. If you don’t need music (or if you have separate headphones for listening to music), having two “covered” ears (in terms of stereo) could be quite annoying, since it’s not so natural talking without the right feel of your natural voice (with stereo headphones your voice is quite muffled). On the other hand, if you want to listen to music, you definitely cannot do it with a mono headphone. The Jabra Move seems to have nice sound quality and a nice integrated microphone, so that you can easily switch between conferences and music without changing hardware.

Software

First of all let me explain why I am crazy about window managers. When you get into the productivity world, having a well-configured system with personal shortcuts is not only a way to speed up the boring tasks (opening windows, resizing windows, creating multi-desktop environments, opening up the usual web pages for reading, downloading stuff and placing it in the right folder, saving bookmarks, etc.), it is actually a way to organize your entire day. Just as many patterns are available for email management (I prefer the zero-inbox pattern, even if I don’t truly succeed in using it), many are available for virtual desktop management. While I used to manage virtual desktops by functionality (and this works pretty well on MAC OS systems), on my Linux box I prefer keeping virtual desktops by project. So yes, I do have many duplicated applications running, but each specialized on a specific topic. Questionable, I know… but in this way I feel much more confident, since I prefer to classify my work into projects rather than into functionalities spread over multiple virtual environments. Anyway, a great window manager will definitely help you out. I have always been fascinated by the i3 tiling window manager, but I was always skeptical about the startup phase: on one hand the time to become fluent in i3, and on the other hand the installation procedure and configuration time were kind of killing me. But recently I met regolith, which changed the way I think about window managers. Today I would definitely suggest you try it, at least for one week.

While a lot of to-do-list software is available out there, I prefer the simple Todo.txt. It is damn simple, you can access it from multiple devices, it has a command line, it can manage priorities and… it has a command line!! (did I already mention that?). If you are a more “web oriented” guy, I would suggest Trello-CLI, but really nothing more than that.

One of my favorite editors is VIM. But I am not an “old school guy”, I just love the many, many plugins available for it and how you can transform it!

VIM Configuration

Once you have learned to master VIM you won’t need any other editor: VIM is everywhere and you can customize it very quickly. If you like how my VIM looks, HERE is my configuration file; feel free to grab and use it if you wish.

Conclusion

I don’t think there is a definitive setup. It will change over time depending on your needs. You might need electronic boards and soldering irons, or just a simple laptop. It really depends on what you are doing and on the deliverables you are working on. In this “unusual” (at least for my corner) post I wanted to answer the many questions on the “perfect home setup” that came to me in the past three weeks. Actually I have my “perfect” setup, which I have shared with you, but I am sure it will change over and over again, just as it has changed a lot in the past few years. The only real suggestion that I would like to point out is: “Less is More”. The fewer things you keep on your desk, the fewer distraction points you have and the faster your deliverables come out.

Have fun and #StayAtHome

Is APT27 Abusing COVID-19 To Attack People ?!

Scenario

We are living in hard times: many countries all around the world have been hit by COVID-19, which turned out to be a very dangerous disease. Unfortunately there have been many deaths, thousands of infected people, too little breathing equipment, stock markets burning billions of dollars, and a lot of companies are entering an economic and financial crisis. Governments are doing their best to mitigate the virus while people are stuck at home working remotely on their own equipment.

In that scenario, jackals are luring people in every dirty way to attack their private devices. At home it is hard to have the advanced protection systems we have in companies: it is hard to have Intrusion Prevention Systems, proxies, advanced threat protection, automated sandboxes and advanced endpoint protection, which leaves personal devices more vulnerable to attack. In this reality ruthless attackers abuse the situation to attack digitally unprotected people.

Today many reports are describing how infamous attackers are abusing this emergency to lure people by sending thematic email campaigns or thematic IM messages carrying malware or phishing links. Here are a few of them that I believe make for good reading:

Today I want to contribute to such a blog-roll by analyzing a new spreading variant that hit my observatory. I want to “spoil” the conclusions now, although it is pretty sad if an APT group makes use of its knowledge to take advantage of today’s situation.

Stage 1

The first stage is a fake PDF file. It looks like a real PDF, it has a hidden extension and a nice PDF icon, but it really isn’t a PDF: it is actually a .lnk file, in other words a Microsoft shortcut (Shell Link) file.

Sha256: 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8
Threat: Dropper and Execution
Ssdeep: 24576:2D9JuasgfxPmNirQ2dRqZJuH3eBf9mddWoX+KIKoIkVrI:2DzuOxPm0iZLKIKRkq
Description: Fake PDF file used to run the initial infection chain

Opening up the .lnk file we can see a weird pattern. There are two main sections: one is a kind of header where it is possible to observe commands, and the other is a big encoded payload.

.lnk file

Once the first section is beautified it is easier to understand what it does. It basically copies itself into a temporary folder (through cmd.exe), extracts bytes from its body (section two), decodes those bytes from Base64 (through msoia.exe, a renamed copy of certutil) and places the extracted content into the user’s temporary folder. It then deflates the content (through expand) and finally executes a JavaScript file (through wscript) which was included in the compressed content. The following image shows the beautified code section of the analyzed file.

Beautified .lnk file

It is quite nice to see how the attacker copied certutil from the local system by using a wildcard (*ertu*.exe) in order to avoid command line detection in public sandboxes. Indeed many sandboxes have signatures on certutil, since it is a notorious tool used by some attackers, so avoiding the behavioural signature match earns a lower score from public sandboxes.

Stage 2

Stage 1 carves Stage 2 from its body by extracting bytes and decoding them from Base64. The new stage is a Microsoft compressed CAB file, described in the following table.

Sha256: f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9
Threat: Malware Carrier/Packer/Compressor
Ssdeep: 24576:CkL6X/3PSCuflrdNZ4J00ZcmNh3wsAR36Mge:vLK/fS200ZcYh3kqpe
Description: Microsoft CAB bringing contents

Extracting the files from the Microsoft CAB we observe 6 more files entering the battlefield:

  • 20200308-sitrep-48-covid-19.pdf. The original PDF from WHO explaining the COVID-19 status and how to fight it.
  • 3UDBUTNY7YstRc.tmp. PE32 Executable file (DLL)
  • 486AULMsOPmf6W.tmp. PE32 Executable (GUI)
  • 9sOXN6Ltf0afe7.js. JavaScript file (called by the .lnk)
  • cSi1r0uywDNvDu.tmp. XSL StyleSheet Document
  • MiZl5xsDRylf0W.tmp. Text file including PE32 file

Stage 1 executes the JavaScript included in the CAB file. 9sOXN6Ltf0afe7.js performs an ActiveXObject call to WScript.Shell in order to execute a list of Windows commands. Once “deobfuscated” and beautified, the command line looks like the following (9sOXN6Ltf0afe7.js payload beautified). The attacker creates a folder that looks like a “file” by calling it cscript.exe, trying to fool the analyst. Then the attacker populates that folder with the files needed to follow the infection chain.

9sOXN6Ltf0afe7.js payload “deobfuscated”

A special thought goes to WINRM.VBS, which helped the attacker to execute Signed Script Proxy Execution (T1216). According to Microsoft: “WINRM is the CLI interface to our WS-MGMT protocol. The neat thing about this is that you can call it from PowerShell to manage remote systems that don’t have PowerShell installed on them (including Server Core systems and Raw hardware).” The attacker also places a file called Wordcnvpxy.exe in the OFFICE12 folder. We will analyze it in a few steps, but at this stage we can observe that it is the “last call” before luring the victim by showing the benign PDF file (also included in the CAB). But according to 9sOXN6Ltf0afe7.js the first run is WsmPty.xsl, which is the renamed version of cSi1r0uywDNvDu.tmp.
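Added detection logic, not from the post: a few process-creation rules derived from the Stage 1 and Stage 2 command lines described above (wildcard copy of a system binary under another name, a folder named like an executable, the -decode switch coming from a renamed certutil, winrm.vbs launched from an unexpected host), run over constructed sample events. The file paths and the WMI class in the samples are placeholders.

```python
"""Process-creation rules for the Stage 1 / Stage 2 tricks described above.

Added detection example written for this post, not the author's code.  The
events below are constructed; the OFFICE12, msproof.exe and msoia.exe names
follow the post, the temp paths and the WMI class are placeholders.
"""
import re


def _base(image: str) -> str:
    """Basename of an image path, lower-cased, for host/name comparisons."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# 1. `for /r <dir> %x in (cscr*.exe) do copy %x <dst>`: a system binary found
#    by wildcard and copied under another name, so the command line never
#    contains "cscript" or "certutil" for a signature to match.
WILDCARD_COPY = re.compile(
    r"\bfor\s+/r\b.*\bin\s*\([^)]*\*[^)]*\.exe\)\s*do\s+copy\b", re.IGNORECASE)

# 2. A directory whose name ends in .exe (the post's %tmp%\cscript.exe folder).
DIR_NAMED_EXE = re.compile(r'\bmkdir\s+"?[^\s&"]+\.exe"?(?=\s|&|$)', re.IGNORECASE)

# 3. certutil's -decode switch issued by a binary that is not certutil.exe.
DECODE_SWITCH = re.compile(r"\s-decode\b", re.IGNORECASE)

# 4. winrm.vbs run by something other than the real script hosts.
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}


def evaluate(event: dict) -> list:
    """Return the sorted list of rule names a single event trips."""
    image, cmd = _base(event["image"]), event["cmdline"]
    hits = []
    if WILDCARD_COPY.search(cmd):
        hits.append("wildcard_system_binary_copy")
    if DIR_NAMED_EXE.search(cmd):
        hits.append("directory_named_like_exe")
    if DECODE_SWITCH.search(cmd) and image != "certutil.exe":
        hits.append("renamed_certutil_decode")
    if "winrm.vbs" in cmd.lower() and image not in SCRIPT_HOSTS:
        hits.append("winrm_vbs_unusual_host")
    return sorted(hits)


def scan(events) -> list:
    """Return [(index, hits)] for the events that trip at least one rule."""
    out = []
    for i, e in enumerate(events):
        hits = evaluate(e)
        if hits:
            out.append((i, hits))
    return out


# Constructed sample events (image path + command line), not real telemetry.
TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    # Stage 2 JavaScript: folder named cscript.exe, wildcard copy of cscript
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c mkdir %tmp%\cscript.exe&for /r C:\Windows\System32\ %m in (cscr*.exe) do copy %m %tmp%\cscript.exe\msproof.exe /y"},
    # Stage 1: renamed certutil decoding the carved payload
    {"image": TMP + r"\msoia.exe",
     "cmdline": r"msoia.exe -decode %tmp%\carved.tmp %tmp%\stage2.cab"},
    # Stage 2: winrm.vbs run through the renamed cscript (T1216)
    {"image": TMP + r"\cscript.exe\msproof.exe",
     "cmdline": r"msproof.exe //nologo C:\Windows\System32\winrm.vbs get wmicimv2/CLASS_PLACEHOLDER?Handle=4 -format:pretty"},
    # Benign: an administrator querying WinRM config with the real script host
    {"image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript //nologo C:\Windows\System32\winrm.vbs get winrm/config"},
    # Benign: certutil decoding under its own name
    {"image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode in.txt out.bin"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```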

Stage 3

Stage 3 is run by Stage 2 and it is an XSL (StyleSheet Office file) wrapping a VBScript object.

Sha256: 9d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc
Threat: Payload Extractor and Command Executor
Ssdeep: 96:46Pdv3fOYCeeapSCDIKufYS2VGsBu746WJCSmCZyAcGghF:fh3fOYneaLDIgnNEFCZyAcGsF
Description: Decode Additional Stage by using coding charsets and XOR

The following VBScript is run through cscript.exe. It is an obfuscated and XOR-encrypted payload. The encryption is a simple XOR with the single byte 0 as key, while the encoding procedure is a multi-step conversion routine which can be summarized as follows:

chr(asc(chr(“&h”&mid(x,y,2))))

VBScript Stage3

The attacker tried to confuse the analyst by reusing variable names in private or local contexts, but after a couple of minutes you eventually come out with the following decryption loop.

Decryption Loop

If you run it against the embedded payload you will eventually see a new stage: Stage 4, a brand new script targeting old versions of MS Office.
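The decoding routine above, re-implemented as an added analyst helper (not the author’s script): hex pairs are turned back into bytes and XORed with a single-byte key, which for this sample is 0 and therefore a no-op. It also goes one step beyond the post with a known-plaintext key search for the case where a variant uses a non-zero key; the encoded input is constructed from a harmless PowerShell one-liner.

```python
"""Decoder for the Stage 3 encoding: hex pairs, each turned into a byte, then
XOR with a single-byte key (the post's sample uses key 0, so the XOR is a no-op
and only the hex layer hides the text).

Added analyst helper written for this post, not the author's script.  The
encoded sample is constructed here from a harmless PowerShell one-liner.
"""
import re

HEX_PAIRS = re.compile(r"[0-9A-Fa-f]{2}")


def decode_stage3(encoded: str, key: int = 0) -> bytes:
    """Mirror chr(asc(chr("&h" & mid(x, y, 2)))) xor key over the whole blob.

    Separators or whitespace the obfuscator sprinkled in are skipped; only the
    hex pairs count.  key=0 reproduces the post's loop exactly."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(int(pair, 16) ^ key for pair in HEX_PAIRS.findall(encoded))


def find_single_byte_keys(encoded: str, crib: bytes) -> list:
    """Known-plaintext recovery for a variant whose key is not 0: return every
    key whose decoding contains `crib`, a token the next stage is expected to
    hold (b"powershell" for a PowerShell stage such as Stage 4)."""
    return [k for k in range(256) if crib in decode_stage3(encoded, k)]


def encode_like_stage3(plain: bytes, key: int = 0) -> str:
    """Inverse routine, used here only to build the constructed test input."""
    return "".join(f"{b ^ key:02x}" for b in plain)


# Constructed stand-in for the embedded Stage 4 text (harmless one-liner).
STAGE4_PLACEHOLDER = b'powershell.exe -Command "Write-Host constructed-stage4"'
SAMPLE_KEY0 = encode_like_stage3(STAGE4_PLACEHOLDER, 0)      # the post's case
SAMPLE_KEY37 = encode_like_stage3(STAGE4_PLACEHOLDER, 0x37)  # a non-zero key

if __name__ == "__main__":
    print(decode_stage3(SAMPLE_KEY0).decode())
    print(find_single_byte_keys(SAMPLE_KEY37, b"powershell"))  # [55]
```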

Stage 4

Stage 4 is decoded and run by Stage 3. This stage runs an attacker-supplied version of MSOSTYLE.exe copied by Stage 2. It hijacks a method of an old Office 2007 component (Office Data Provider for WBEM, MSOSTYLE.exe).

Sha256: 7f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0
Threat: Persistence and Execution
Ssdeep: 48:zKxYaDzzXRrVHyMqHeIyJwlLGvTlGrbaTFGNT93TPTxGVhTG6TWWWsKj390C9nEm:zKxjDRt+e1sGvJG3aRGNNDtGLLqP5j3N
Description: Set persistence on the target system (Script File)

The following image shows the decrypted and decoded stage. It is quite clear that the attacker wants persistence on the target machine and to run additional payloads by abusing MSOSTYLE.exe (the old component) placed in the “right folder” by Stage 2. Persistence is guaranteed by adding a link called Accessories.lnk in the Windows Startup folder pointing to MiZl5xsDRylf0W.tmp.

Powershell Stage 4

Stage 5

Stage 5 is activated by Stage 2, but only after the execution of Stage 3 and Stage 4. Stage 5 is a multi-step session composed of the following additional artifacts: (i) 3UDBUTNY7YstRc.tmp, renamed by Stage 2 to OINFO12.OCX, and (ii) MiZl5xsDRylf0W.tmp, renamed by Stage 2 to Wordcnvpxy.exe. Every artifact is available after the execution of Stage 2 in the crafted folder called OFFICE12 under the user home.

Sha256: 604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d
Threat: Remote Control, depending on usage
Ssdeep: 536:/4yuzgQ5WugrQ+SccIp1t4xO67y5qHae:gyuzgKwr9bB1t4xO67y5j
Description: Office Data Provider for WBEM, not malicious but accountable.

MSOSTYLE.EXE is an old Microsoft Office Data Provider for WBEM. Web-Based Enterprise Management (WBEM) comprises a set of systems-management technologies developed to unify the management of distributed computing environments. So it cannot be considered malicious, but it can be considered accountable for the entire infection chain.

Sha256: a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e
Threat: PlugX, Command Execution
Ssdeep: 768:jxmCQWD+TAxTRh40XfEDDnFt4AczonsT:MC5bw+zosT
Description: A runner plus Command Execution, Plugin Manager

At the time of writing only three AVs detect OINFO12.OCX as malicious. Rising AV is actually the only vendor which attributes it to a well-known PlugX sample. According to Trend Micro, the PlugX malware family is well known to researchers, with samples dating back to as early as 2008. PlugX is a fully featured Remote Access Tool/Trojan (RAT) with capabilities such as file upload, download and modification, keystroke logging, webcam control, and access to a remote cmd.exe shell.

OINFO12.OCX VT coverage

Static analysis exposes three callable functions: DeleteOfficeData (0x10001020), GetOfficeData (0x10001000) and EntryPoint (0x100015ac).

Both DeleteOfficeData and GetOfficeData look like a classic method of hijacking the old Office parser (take a look here and at figure 3 here) to execute commands.

DeleteOfficeData (0x10001020)
GetOfficeData (0x10001000)

Indeed, if run from its entry point the DLL executes Wordcnvpxy.exe (as it is the default plugin component). The DLL must be in the same path as Wordcnvpxy.exe and it needs to have that filename (imposed by Stage 2 and hardcoded into the library). On the other side of the coin, if commands are passed through stdin, it executes the given parameters as commands.

No Input Commands, Wordcnvpxy execution

The following image shows when parameters are given and Commands are executed.

Commands Execution

Finally we have Wordcnvpxy.exe, which is run in the same stage (Stage 5) by OINFO12.OCX. At the time of writing it is well known to static engines; it looks like a standard backdoor beaconing to its own command and control, installed as a PlugX module.

Sha256: 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124
Threat: PlugX, Backdoor
Ssdeep: 1536:9/dlJMLIU94EYayTdHP6rUkn16O41yWCzB:93JsZxePUAFgWCz
Description: Probably one of the last stages, beaconing to the C2 and executing external commands

Wordcnvpxy VT coverage

The sample uses dynamic function loading, avoiding static enumeration and guessing. It grabs information on the victim (PC name, username, IP location) and sends it to the C2 as a first beacon.

Dynamic Loading function calls

The Command and Control resolves to the following URL: hxxp://motivation[.]neighboring[.]site/01/index.php

Command and Control

Unfortunately the attacker shut everything down a few hours after I started my analysis, so I do not have more information about the network, the commands and additional plugins. However the overall structure reminds me of the PlugX RAT as nicely described here.

Attribution

According to MITRE (BTW thank you @Arkbird_SOLG for the great suggestions on attribution) PlugX is a well-known RAT attributed to Chinese APTs. APT27 (aka Emissary Panda) is the most notable APT group that has used it. Moreover (thanks to @Arkbird_SOLG) “[…] on China culture, hijacking method are a mandatory knowledge for a job like pentesting […]”, which could support the APT27 theory.

UPDATE: I am aware that PlugX is today an open-source RAT, and I am aware that this is not enough for attribution. Indeed the intent of the title is to cast doubt on that attribution through the use of the “?” (question mark). On one hand PlugX has historically been attributed to APT27, but on the other hand it is public. So it is hard to say yes or no; for that reason the intent of this blog post is: Is APT27 Abusing COVID-19 To Attack People?! It is an open question, not a position.

We are all going through a bad time. COVID-19 has caused many deaths and is threatening entire economies. Please, even if you are an attacker and you profit from your infamous job, stop cyber attacks against people who are suffering through this pandemic, and rest. Ethics and compassion should be alive, even behind your monitors.

IoC

  • 95489af84596a21b6fcca078ed10746a32e974a84d0daed28cc56e77c38cc5a8 (original .lnk)
  • f74199f59533fbbe57f0b2aae45c837b3ed5e4f5184e74c02e06c12c6535f0f9 (Stage 2)
  • 9d52d8f10673518cb9f19153ddbe362acc7ca885974a217a52d1ee8257f22cfc (Stage 3)
  • 7f230a023a399b39fa1994c3eaa0027d6105769fffaf72918adebf584edc6fe0 (Stage 4)
  • a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e (Stage 5/a)
  • 002c9e0578a8b76f626e59b755a8aac18b5d048f1cc76e2c12f68bc3dd18b124 (Stage 5/b)
  • hxxp://motivation[.]neighboring[.]site/01/index.php (C2)

Yara (auto)

import "pe"

rule MiZl5xsDRylf0W {
   meta:
      description = "yara - file MiZl5xsDRylf0W.tmp"
      date = "2020-03-17"
      hash1 = "b578a237587054f351f71bd41bede49197f77a1409176f839ebde105f3aee44c"
   strings:
      $s1 = "%ls\\%S.exe" fullword wide
      $s2 = "%XFTpX7m5ZvRCkEg" fullword ascii
      $s3 = "SK_Parasite, Version 1.0" fullword wide
      $s4 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD" ascii
      $s5 = "DINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD" fullword ascii
      $s6 = "SKPARASITE" fullword wide
      $s7 = "default" fullword ascii /* Goodware String - occured 709 times */
      $s8 = "59xf4qy-YXn-pkuXh=x3CXPHCcs3dXFlCtr3Cc4H4XufdZjmAZe3Ccxuibvm592g" fullword ascii
      $s9 = "SK_Parasite" fullword wide
      $s10 = "KOeS5OEThZjnYazMJ7p3Ccx-ptAMKuUMLlPEID2=Kn4XLqTM4WhSAKAHAbRMxXsa5Xj-AazEAqzEAqgg" fullword ascii
      $s11 = "ZXsDCcsTA80HdkET" fullword ascii
      $s12 = "8c9h9q9" fullword ascii /* Goodware String - occured 1 times */
      $s13 = "<&<,<6<<<F<O<Z<_<h<r<}<" fullword ascii /* Goodware String - occured 1 times */
      $s14 = "5$5@5\\5`5" fullword ascii /* Goodware String - occured 1 times */
      $s15 = "About SK_Parasite" fullword wide
      $s16 = "1/2A2o2" fullword ascii /* Goodware String - occured 1 times */
      $s17 = "z2bqw7k90rJYALIQUxZK%sO=hd5C4piVMFlaRucWy31GTNH-mED8fnXtPvSojeB6g" fullword ascii
      $s18 = "PQQQQQQWQf" fullword ascii
      $s19 = "Copyright (C) 2020" fullword wide
      $s20 = "1)1p1z1" fullword ascii /* Goodware String - occured 1 times */
   condition:
      uint16(0) == 0x0300 and filesize < 200KB and
      8 of them
}

rule sig_9sOXN6Ltf0afe7 {
   meta:
      description = "yara - file 9sOXN6Ltf0afe7.js"
      date = "2020-03-17"
      hash1 = "70b8397f87e4a0d235d41b00a980a8be9743691318d30293f7aa6044284ffc9c"
   strings:
      $x1 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x2 = "&for /r C:\\\\Windows\\\\System32\\\\ %m in (cscr*.exe) do copy %m %tmp%\\\\cscript.exe\\\\msproof.exe /y&move /Y %tmp%\\\\cSi1r" ascii
      $x3 = "ss?Handle=4 -format:pretty&del \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /f /q&ping -n 1 127.0.0.1&move /Y %tmp%\\\\48" ascii
      $x4 = "var e7926b8de13327f8e703624e = new ActiveXObject(\"WScript.Shell\");e7926b8de13327f8e703624e.Run (\"cmd /c mkdir %tmp%\\\\cscrip" ascii
      $x5 = "p %tmp%\\\\cscript.exe\\\\WsmPty.xsl&%tmp%\\\\cscript.exe\\\\msproof.exe //nologo %windir%\\\\System32\\\\winrm.vbs get wmicimv2" ascii
      $s6 = "/b %tmp%\\\\2m7EBxdH3wHwBO.tmp+%tmp%\\\\MiZl5xsDRylf0W.tmp \\\"%userprofile%\\\\OFFICE12\\\\Wordcnvpxy.exe\\\" /Y&\\\"%tmp%\\\\2" ascii
      $s7 = "6W.tmp \\\"%userprofile%\\\\OFFICE12\\\\MSOSTYLE.EXE\\\"&move /Y %tmp%\\\\3UDBUTNY7YstRc.tmp \\\"%userprofile%\\\\OFFICE12\\\\OI" ascii
      $s8 = "48-covid-19.pdf\\\"\",0);" fullword ascii
      $s9 = "e7926b8de13327f8e703624e" ascii
   condition:
      uint16(0) == 0x6176 and filesize < 2KB and
      1 of ($x*) and all of them
}

rule sig_3UDBUTNY7YstRc {
   meta:
      description = "yara - file 3UDBUTNY7YstRc.tmp"
      date = "2020-03-17"
      hash1 = "a49133ed68bebb66412d3eb5d2b84ee71c393627906f574a29247d8699f1f38e"
   strings:
      $x1 = "cmd /c notepad.exe" fullword ascii
      $x2 = "dllexec.dll" fullword ascii
      $s3 = "cmd /c calc.exe" fullword ascii
      $s4 = "Wordcnvpxy.exe" fullword ascii
      $s5 = "GetOfficeData" fullword ascii
      $s6 = "273<3]3b3" fullword ascii /* Goodware String - occured 1 times */
      $s7 = "2>2K2W2_2g2s2" fullword ascii /* Goodware String - occured 1 times */
      $s8 = "uTVWhY#" fullword ascii
      $s9 = "DeleteOfficeData" fullword ascii
      $s10 = "9#:=:N:" fullword ascii /* Goodware String - occured 1 times */
      $s11 = "URPQQhpB" fullword ascii
      $s12 = "6#6*626:6B6N6W6\\6b6l6u6" fullword ascii /* Goodware String - occured 2 times */
      $s13 = "0#0-030I0N0V0\\0c0i0p0v0~0" fullword ascii
      $s14 = "4.464<4F4L4V4\\4f4o4z4" fullword ascii
      $s15 = "<$=1=;=I=R=\\=" fullword ascii
      $s16 = ">->3>9>O>g>" fullword ascii
      $s17 = "5r5L6T6l6" fullword ascii
      $s18 = "1#1*191>1D1M1m1s1" fullword ascii
      $s19 = ":%:K:Q:{:" fullword ascii
      $s20 = "5(5L5X5\\5`5d5h5" fullword ascii /* Goodware String - occured 4 times */
   condition:
      uint16(0) == 0x5a4d and filesize < 100KB and
      ( pe.imphash() == "abba83cce6a959dc431917a65c5fe7ca" and ( pe.exports("DeleteOfficeData") and pe.exports("GetOfficeData") ) or ( 1 of ($x*) or 4 of them ) )
}

rule sig_20200308_sitrep_48_covid_19________pdf {
   meta:
      description = "yara - file 20200308-sitrep-48-covid-19.pdf.lnk"
      date = "2020-03-17"
      hash1 = "d54d85e3044a05bdafee9f30f7604ee584db91944a5149cc9e0f65f381d85492"
   strings:
      $x1 = "TVNDRgAAAADWPw0AAAAAAEwAAAAAAAAAAwEFAAYAAACtJwAAKgEAABsAAQAT6QsAAgABAC5lDAADAAEARvcMAAEAAQBbOA0AAQABABUTDQAAAAAAAABpUJOkIAAyMDIw" ascii
      $s2 = "jS61LWA3O0LZjbyOyM+Th5BHkL/6NtKERZApZAvWg3QiB7HuGbdfdfIMVwXLDLL9nVOdKplM1TlFlO5ESifhf5tgzpqP9DZt2dfrfTPS/+ZIBLzWJ99g9xXWv91bOiOD" ascii
      $s3 = "wXEkU5x/pIsmFrJtNHbdwG+bszpTRFThzR7p/shOst0DW0ZFKeRdhc/kM7yZKiZM0LkwrconqjQ3wYPZ7MTqq6M91IEWmt0TYiRCrUlVHk0W63x4OVNkZBjH3umhhGbW" ascii
      $s4 = "pUnp5YF5MVzpQVVZGZ3vjyftPMSfwPbgfq+oOoRAAyP6ZnheN9Or9fx8glHHDnXKm8PTjPiuhWhq74VNkEWr+gACxYi/wwj+yrQNyWULOGigcjQQ6ze7Zgp48Bny4X8v" ascii
      $s5 = "1WxCb+ZUBMNpgdQ9VM6Pbm/a3lOho1gNxYjJoenk4InBUmvbgaGreBVEPcshY3J0VUdR35An5FULDqPNKxb5raGeTLpm5548XATYLogWT8E22FhAi+V4d0q3ck1gZSqw" ascii
      $s6 = "GEeEP7OJ3H9kNW2EPOUbKglcK2+vp//RmYt0D/CDulYi6iBikEye9CzxoMuCHgaF8hfJC8DaiQG6B/+lrCggdq54tM4fP9SAqhqBWxW1YVMoKHKrLKhWRlMhlYtoUDbV" ascii
      $s7 = "H/sC8wh3rLxj+gB3VC89yuytzdbGEK3P9U2mmfZGvCPYQlBQgXUXRc8UuNfknuIxjz3CsTDq0QPYPvLj9sHAaK6EoZ3tzZGNYDZBV1szVLoGm4wtS68/jiqvVtmPtKB6" ascii
      $s8 = "fauCRyQIlXVt+r5GYoBBBlfOQqImEkWo6+WlQTSwYS6smIFGhlOgf7AQ4ovS1utu5CdOQaEjc8UwcEx752927tdeRp8xVz4LlZVh/2KEKumMtVfbk1vucomNeqcRsJi6" ascii
      $s9 = "yd2OnvWZvuUQw3aLFzorH9uYxOItXtCmdMmUJP9GKGsdR2VRmYbpkfJ9I5JlbjB2nR28vsrlyOLvHeftPpJaqAb2+eY3ks7r6ewL6JeeS12Gw+8/OrnmTiIrWapEgObL" ascii
      $s10 = "RhSzuRlKjfLOgyDj4lOfKOsiZNdxLSHCfbS/kEYl0BslYnQ7YtwYOHZlbWNtSdEUhvb4kKsY/+AobmfLilpGotYo3vEBKu8hhbFE1Jrc+GYGxDRue6300wqLbdIKezBr" ascii
      $s11 = "cFHaggy5a+rMrMKC4rKmWdNudM/QWEwp2clOa3lRns1Y4qmtaE5STCmdnj+hITcnvc5eyekbDY568+RUHAxtOr8y3S/vmt9OfY7y/dLNNNLQofyTgt4T7G3abUZ1bNG1" ascii
      $s12 = "VjEg4DubcQ2BtwOwevQAyxdM/FzIuPehNRKJnyLk8q2jPd+UucexECuRJKkRJ0NnnGBEv7sjLuODcKIJHEX8JgyVAcq/DoPewYcsHY8Rh9NeC2fnR6OLLctWM2n53KUn" ascii
      $s13 = "nS8AHUkUzud+yCzW6SCpcW1LiQEWsA8B0zucbgdLVskYWhOLinfePmJ6k6CUgOpcd8fVzMTGRbjV6YyhJjWxlOGgyp7v+q5MGCVbXGwpGM/1xk73XpXhTTPABA+Atm1v" ascii
      $s14 = "KeyEC9M1uHqOE/KCRd902gmpYSK9Ep1sCtzpOqSfNfLHLGoTxu3zjMaEjJ8Dw4/VNYHZo4t5c2CPkSZskDGEYG9rz8HeDf4+Hd3t7y/CyEFD89WV2zsspTFMHnSiyp3t" ascii
      $s15 = "CcCdVZZhyydWDx5BFEKNrLqFB/YFtIaCbuk52NxcwOWQ4muYqVQDbXvcIi/mrR2bXPO1koVLNJbK28cDGFSGXFGg9YXl+YxZkEYe14fqauAf3E/rZcpNs5kCKmv5y5W4" ascii
      $s16 = "cnhkpPaBto41NCLi/eWl360SSHxRUUZsmZ2dnY3wlvb2T+Nu2mRSpYtAlikPNxFZa8nOIodAkeyEVi1SsSRQngbhvRq5LpJOPh4ldQ1N+56agooQr+W0oFa2KXNsEetV" ascii
      $s17 = "FIwtpdre2Wmnc21tda09FKpZefVL43grfymCTd5K56sLOgontwiwYn1nYgVnGJPP/LVQ4JKa1rFFA3Y0HSBBKwuTrFmOAdIJwhoTUrZzBokdMSD931UQuVHTXaMnRz10" ascii
      $s18 = "VGO9VokrQADVECqvw3oyurkmSN5/sSpYnNf7Wi/ECAUmGg/S5qDAyFTPbyfhqOI58HyFRC846KnQDdn72pSAno4kdaeMLOelzq3b6bXV5l2VPj4wQfNl0GZCuJMn7LTR" ascii
      $s19 = "TXxf/IllO3bWzFUJaAMLlRUnogcNa2x0VENzHR6cEaOx79lHSoQxYVHwSUfmEjZoZ2pROh7H1UCMdmJR/3wD2YF9x4MoF5dJQiiAhb4NH9781LGhwW6JqODySrvw3EGT" ascii
      $s20 = "lTvLNEAvdSOFqYwbinqsSVNmUDf6zYKeYafaDjqm8gebMsHURHBynktlSzDsefxSefP1Q1h15TkkR3m/j6/umso0tMFngezzB4SUvUoqb1BMzfPSHU+4EpvSvStNQjKe" ascii
   condition:
      uint16(0) == 0x5654 and filesize < 3000KB and
      1 of ($x*) and 4 of them
}

rule sig_486AULMsOPmf6W {
   meta:
      description = "yara - file 486AULMsOPmf6W.tmp"
      date = "2020-03-17"
      hash1 = "604679789c46a01aa320eb1390da98b92721b7144e57ef63853c3c8f6d7ea85d"
   strings:
      $x1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s2 = "emblyIdentity type=\"win32\" name=\"Microsoft.VC80.CRT\" version=\"8.0.50608.0\" processorArchitecture=\"x86\" publicKeyToken=\"" ascii
      $s3 = "0Mscoree.dll" fullword ascii
      $s4 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\"><assemblyIdentity version=\"1.0.0.0\" processorArch" ascii
      $s5 = "t:\\misc\\x86\\ship\\0\\oinfop12.pdb" fullword ascii
      $s6 = "_tWinMain (Ship) commandline='%s'" fullword ascii
      $s7 = "PrintPostScriptOverText" fullword wide
      $s8 = "InstallLang" fullword wide /* base64 encoded string '"{-jYKjx' */
      $s9 = "re=\"X86\" name=\"OINFOP12.EXE\" type=\"win32\"></assemblyIdentity><description>OInfo</description><dependency><dependentAssembl" ascii
      $s10 = "SetOfficeProperties -- PublisherPageSetupType" fullword ascii
      $s11 = "\\ship\\0\\oinfop12.exe\\bbtopt\\oinfop12O.pdb" fullword ascii
      $s12 = "GetOffice type for '%S'" fullword ascii
      $s13 = "TemplateCount" fullword wide
      $s14 = "Win32_Word12Template" fullword wide
      $s15 = "'OInfoP12.EXE'" fullword ascii
      $s16 = "Queued_EventDescription= " fullword wide
      $s17 = "COfficeObj::Initialize, user='%S', namespace='%S'" fullword ascii
      $s18 = "TabIndentKey" fullword wide
      $s19 = "Win32_WebConnectionErrorMessage" fullword wide
      $s20 = "OInfo12.OCX" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      ( pe.imphash() == "3765c96e932e41e0de2bd2ed71ef99ad" or ( 1 of ($x*) or 4 of them ) )
}

Critical Infrastructure Beyond the Power Grid

The term "critical infrastructure" has earned its spot on the board of our ongoing game of cyber bingo, right next to "Digital Pearl Harbor," "Cyber 9/11," "SCADA" and "Stuxnet."

With "critical infrastructure" thrown about in references to cyber threats nearly every week, we thought it was time for a closer look at just what the term means, and what it means to other cyber threat actors.

The term "critical infrastructure" conjures up images of highways, electrical grids, pipelines, government facilities and utilities. But the U.S. government definition also includes economic security and public health. The Department of Homeland Security defines critical infrastructure as "Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters."[1]

Certainly the U.S. definition is expansive, but some key cyber actors go a step further to include a more abstract "information" asset. Russian officials view information content, flow and influencers as an enormous component of critical infrastructure. Iran and China similarly privilege the security of their information assets in order to protect their governments.

The bottom line?

U.S. companies, which may have never considered themselves a plausible target for cyber threats, could become victims of offensive or defensive state cyber operations. Earlier this year several media outlets, including the New York Times and Washington Post, disclosed that they had been the victims of China-based intrusions. The Times and the Post linked the intrusions on their networks to their reporting on corruption in the upper echelons of the Chinese Communist Party and other issues.

These media outlets weren't sitting on plans for a new fighter jet or cutting-edge wind turbines, the information often assumed to be at risk of data theft. Rather, the reporters at the Times and Post were perched in key positions to influence U.S. government and public views of the Chinese leadership, possibly in a negative light. The Chinese government had conducted these intrusions against what it deemed critical infrastructure that supported the flow of valuable information.

Who's up next?

State actors motivated to target critical infrastructure (by their own definition or the U.S.') won't just be the usual attention grabbers in cyberspace. We estimate that Iran, Syria, and North Korea all have interest and would be able to conduct or direct some level of network operations. These states are also likely to conduct operations in the near term to identify red lines and gauge corporate and government reactions. With little reputational loss at stake, we expect actors sponsored by or associated with these states to target an array of critical infrastructure targets. Companies that serve as key information brokers, for the public or the U.S. government, should be particularly attuned to the criticality their work is assigned by a variety of cyber threat actors.

How Will I Fill This Web Historian-Shaped Hole in My Heart?

With the recent integration of Mandiant Web Historian™ into Mandiant Redline™, you may be asking "How do I review my Web History using Redline?" If so, then follow along as I explain how to collect and review web history data in Redline, with a focus on areas where the workflow and features differ from those of Web Historian.

For those of you unfamiliar with Redline, it is Mandiant's premier free tool, providing host investigative capabilities to help users find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.

Configuring Web History Data Collection

Web Historian provided three options for choosing how to find web history data that you want to analyze: scan my local system, scan a profile folder, and parse an individual history file. Redline allows you to accomplish all three of these operations using a single option, Analyze this Computer, which is found under the Main Menu in the upper left corner. Specifying the path to a profile folder or a history file will require some additional configuration:

Figure 1: Finding your web history data Web Historian (Left) vs. Redline (Right)

Click on Analyze this Computer to begin configuring your analysis session. To ensure that Redline collects your desired web history data, click the link to Edit your script. On the View and Edit Your Script window are several options; take a look around and turn on any and all data that might interest you. For our purposes, we will be focusing on the Browser History options underneath the Network tab. This section contains all of the familiar options from Web Historian; simply select the boxes corresponding to the data you wish to collect.

One difference you may notice is the absence of an option to specify the browser(s) you would like to target. You can now find that option by selecting Show Advanced Parameters from the upper right corner of the window. Once advanced parameters are enabled, simply type the name of any browser(s) you would like to target, each on its own separate line in the Target Browser field. To have Redline collect any web history data regardless of browser, just leave this field empty.

You may also notice that enabling advanced parameters activates a field for History Files Location. As you may have guessed, this is where you can specify a path to a profile folder or history file to analyze directly, as you were able to do in Web Historian.

Figure 2: Configuring Redline to Collect Browser History Data

Now that you have finished configuring your script, choose a location to save your analysis session and then hit OK. Redline will run the script, which requires Administrator privileges and may trigger a UAC prompt before running, depending on how your system is configured. After a brief collecting and processing time, your web history data will be ready for review.

Reviewing your Data

For the actual review of your web history data, you should feel right at home in Redline. Just like Web Historian, Redline uses a sortable, searchable, configurable table view for each of the individual categories of web history data.

Figure 3: Displaying your web history data for review in both Web Historian (behind) and Redline (front)

Although similar, Redline does have a few minor differences in how it visualizes your data:

  • Redline does not break the data into pages; instead it quietly pages in large data sets (25k+ rows) automatically as you scroll down through the list.
  • To configure the table view, drag the column headers to reorder and resize them, and right-click on a column header to show and hide columns, rather than using the column configuration menu from Web Historian.
  • Searching and simple filtering are done in each individual table view and are not applied globally. To access the find options, either press the magnifying glass in the bottom right corner, or press Ctrl-f while a table view is selected.
  • To export your data to a CSV (comma separated values) file, click on export in the bottom right corner. Like Web Historian, Redline exports only the data currently in the table view, so any filtering or tags you have applied determine what ends up in the file.

In addition to the features that have always been available in Web Historian, Redline also allows you to review your web history with its full suite of analytical capabilities and investigative tools. Check out the Redline user guide for a full description of these capabilities. Here are just a few of the most popular:

  • Timeline provides a chronological listing of all web-based events (e.g., URL last browsed to, File Download Started, etc.) in a single heterogeneous display. You can use it to follow the activities of a user or attacker as they played out on the system, and quickly narrow your investigative scope with the Timeline's filtering capabilities.
  • Use tags and comments to mark up your findings as you perform your investigation, making it easier to keep track of what you have already seen. You can then go back and export those results into your favorite reporting solution.
  • Use Indicators of Compromise (IOCs) as a quick way to determine if your system contains any potential security breaches or other evidence of compromise. Visit http://www.openioc.org/ to learn more about IOCs.
  • Last but not least, Redline gives you the ability to examine an entire system worth of metadata. With Redline, you are not simply restricted to Web History related data; you can investigate security incidents with the scope and context of the full system.
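The CSV export and the Timeline, tagging, and IOC features above are all things you may want to reproduce outside the GUI, for instance when the same exported history has to be correlated in a script. The following Python example is added here for illustration and is not Redline's own code. It parses a constructed CSV export, merges every event type into one chronological timeline the way Redline's Timeline view does, and tags rows whose hostname matches a small constructed indicator list. The column names (Event Type, Browser, Timestamp (UTC), URL, Title) are assumptions for the sake of the example, not Redline's documented export schema; check them against a real export before using this on your own data.

```python
"""
Post-export triage of a browser-history CSV (added example; not Redline's code).
Column names are ASSUMED for this illustration, not Redline's documented schema.
"""
import csv
import io
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample export mixing URL-history and file-download rows.
SAMPLE_CSV = """Event Type,Browser,Timestamp (UTC),URL,Title
URL Browsed,Chrome,2013-04-02 13:05:11,https://intranet.example.local/portal,Portal
URL Browsed,Chrome,2013-04-02 13:07:45,http://update-cdn.badsite.invalid/get.php?id=7,
File Download Started,Chrome,2013-04-02 13:07:50,http://update-cdn.badsite.invalid/invoice.exe,
URL Browsed,Firefox,2013-04-02 12:58:02,https://www.example.com/news,News
File Download Started,Firefox,2013-04-02 13:20:30,https://www.example.com/report.pdf,
"""

# Constructed hostname indicators standing in for an IOC's network indicators.
IOC_HOSTS = {"update-cdn.badsite.invalid"}


def parse_export(text):
    """Parse CSV text into dicts with a real datetime; rows with a bad timestamp are skipped."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            ts = datetime.strptime(row["Timestamp (UTC)"], "%Y-%m-%d %H:%M:%S")
        except (KeyError, TypeError, ValueError):
            continue  # malformed row: skipping is safer than mis-ordering the timeline
        rows.append({
            **row,
            "ts": ts.replace(tzinfo=timezone.utc),
            "host": urlparse(row.get("URL", "")).hostname or "",
        })
    return rows


def build_timeline(rows):
    """Merge all event types into one chronological list, like Redline's Timeline view."""
    return sorted(rows, key=lambda r: r["ts"])


def tag_ioc_hits(rows, ioc_hosts):
    """Tag rows whose hostname equals, or is a subdomain of, an indicator hostname."""
    def matches(host):
        return any(host == h or host.endswith("." + h) for h in ioc_hosts)

    for r in rows:
        r["tag"] = "ioc-hit" if matches(r["host"]) else ""
    return rows


def triage(text=SAMPLE_CSV, ioc_hosts=IOC_HOSTS):
    """Full pipeline: parse, order chronologically, tag indicator matches."""
    return tag_ioc_hits(build_timeline(parse_export(text)), ioc_hosts)


def summarize(timeline):
    """Compact tuples suitable for a report or a further CSV export."""
    return [
        (r["ts"].strftime("%Y-%m-%d %H:%M:%S"), r["Browser"], r["Event Type"], r["host"], r["tag"])
        for r in timeline
    ]


if __name__ == "__main__":
    for line in summarize(triage()):
        print(*line)
```

On the constructed data the tagged rows are the page load from the indicator host followed five seconds later by the executable download from the same host, which is exactly the kind of sequence the Timeline view is meant to surface across browsers and event types.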

If your favorite feature from Web Historian has not yet been included in Redline (Graphing, Complex Filtering, etc.), feel free to make a request using one of the contact methods specified below. We will be taking feedback into consideration when choosing what the Redline team works on in the future.

As always, feel free to contact us with any additional questions. And just in case you do not already have it, the latest version of Redline (v1.10 as of the time of this writing) can always be found here.