Malware Devil

Wednesday, November 4, 2020

Mysterious APT Leaves Curious ‘KilllSomeOne’ Clue

APT cloaks identity using script-kiddie messages and advanced deployment and targeting techniques.
https://malwaredevil.com/2020/11/04/mysterious-apt-leaves-curious-killlsomeone-clue/

GrowDiaries Exposes Emails, Passwords of 1.4M Cannabis Growers

Cannabis journaling platform GrowDiaries exposed more than 3.4 million user records online, many from countries where pot is illegal.
https://malwaredevil.com/2020/11/04/growdiaries-exposes-emails-passwords-of-1-4m-cannabis-growers/

Core Frameworks to Streamline Financial Services Cybersecurity Compliance

The post Core Frameworks to Streamline Financial Services Cybersecurity Compliance appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/core-frameworks-to-streamline-financial-services-cybersecurity-compliance-3/

Google Forms Abused to Phish AT&T Credentials

More than 200 Google Forms impersonate top brands – including Microsoft OneDrive, Office 365, and Wells Fargo – to steal victims’ credentials.
https://malwaredevil.com/2020/11/04/google-forms-abused-to-phish-att-credentials/

Why Network Detection/Response Belongs In Your 2021 Strategy – Mike Campfield – ESW #205

The sudden shift to remote work rocked IT teams around the world, disrupting almost overnight systems that had been carefully designed to keep the business secure. As remote work continues, IT teams will need complete visibility into their network more than ever. ExtraHop’s Mike Campfield joins Security Weekly to make the case for why Network Detection and Response (NDR) should have a place in security strategies in 2021.

This segment is sponsored by ExtraHop Networks. Visit https://securityweekly.com/extrahop to learn more about them!

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw205

https://malwaredevil.com/2020/11/04/why-network-detection-response-belongs-in-your-2021-strategy-mike-campfield-esw-205-2/

Massive Cyberattack Spreading Across 68% of Organizations – Kevin O’Brien – ESW #205

A current and active cyberattack is spreading rapidly across organizations, propagating via open redirector domains and subsidiary domains belonging to multiple global brands. The comprehensive and multi-layered attack is delivered via phishing emails, attempting to steal corporate email credentials and deploy malware. Find out how organizations detect this attack. And, we’ll discuss how this attack compares to the Proud Boys phishing campaign.

This segment is sponsored by GreatHorn.

Visit https://securityweekly.com/GreatHorn to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw205

https://malwaredevil.com/2020/11/04/massive-cyberattack-spreading-across-68-of-organizations-kevin-obrien-esw-205/

The Benefits of Online, On-Demand Training For Teams – Mike Gruen – ESW #205

Offsite training is expensive and inefficient: it takes key people away from their jobs and then demands even more of their time by requiring them to train the rest of the team on what they learned. On-demand training for the entire team through platforms like Cybrary lets leads train themselves while building training programs for the rest of the team, focused on hands-on skill development in the areas that are relevant to them.

This segment is sponsored by Cybrary.

Visit https://cybrary.it/solved to learn more about them!
Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw205

https://malwaredevil.com/2020/11/04/the-benefits-of-online-on-demand-training-for-teams-mike-gruen-esw-205/

Hexagon Announces Deal to Acquire PAS Global

The Houston-based PAS Global will operate as part of Hexagon’s PPM (formerly Intergraph Process, Power & Marine) division.

https://malwaredevil.com/2020/11/04/hexagon-announces-deal-to-acquire-pas-global/

How Safe is Your Vote?

Election Cybersecurity 2020

With Election Day Fast Approaching in the USA, Many Are Concerned About Cybersecurity at the Polls

It’s almost that time again. Election Day is just a few weeks away for…

The post How Safe is Your Vote? appeared first on Hashed Out by The SSL Store™.

The post How Safe is Your Vote? appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/how-safe-is-your-vote/

QBot Trojan delivered via malspam campaign exploiting US election uncertainties

This blog post was authored by Jérôme Segura and Hossein Jazi.

The 2020 US elections have been the subject of intense scrutiny and emotions, while happening in the middle of a global pandemic. As election night ended and uncertainty regarding the results began to creep in, threat actors decided to jump in on it too.

Those tracking the threat landscape know very well that major world events do not go unnoticed by criminals. In this case, we began observing a new spam campaign delivering malicious attachments that exploit doubts about the election process.

The QBot banking Trojan’s operators have returned with yet another themed spam wave, using the same hijacked-email-thread technique and enticing victims with attachments that promise evidence of election interference.

Hijacked email threads pushing bogus DocuSign documents

The malicious emails come as thread replies, similar to what Emotet does to add legitimacy and make detection harder. They contain zip attachments aptly named ElectionInterference_[8 to 9 digits].zip.

While the election results are still being evaluated and debated, victims are enticed to open up the document to read about alleged election interference:

Figure 1: Malicious email with ElectionInterference attachment

The extracted file is an Excel spreadsheet crafted to look like a secure DocuSign file. Users are tricked into enabling macros in order to ‘decrypt’ the document.

Figure 2: Excel document containing malicious macro

This tried and tested trick will download a malicious payload onto the victim’s machine. The URL for that payload is encoded in a cell of a Cyrillic-named sheet “Лист3”.

Figure 3: Payload URL obfuscation
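As an added example (not code from the Malwarebytes post), here is a stdlib-only Python triage script for the kind of workbook described above. Because .xlsx/.xlsm files are zip archives, it reads xl/workbook.xml for sheet names and visibility, checks for xl/vbaProject.bin, and scans the shared-string table for URLs after trying a couple of simple reversible decodings. The post does not say how the payload URL is encoded, so the reversed-string and base64 decoders, the sheet layout and the URL in the constructed sample workbook are assumptions made for illustration.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def _decodings(text):
    """Yield (label, candidate) pairs: the string as-is plus two cheap reversible
    transforms. The Malwarebytes post only says the URL is 'encoded'; these
    decoders are an assumption for illustration, not QBot's real scheme."""
    yield "plain", text
    yield "reversed", text[::-1]
    try:
        yield "base64", base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except (ValueError, UnicodeError):
        pass


def triage_workbook(data: bytes) -> dict:
    """Open an OOXML workbook (.xlsx/.xlsm are zip archives) and report whether a
    VBA project is present, every sheet with its visibility state, sheets that are
    hidden or carry non-Latin names, and URL-looking strings recovered from the
    shared-string table."""
    findings = {"has_vba": False, "sheets": [], "suspicious_sheets": [], "urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        findings["has_vba"] = "xl/vbaProject.bin" in names
        workbook = ET.fromstring(z.read("xl/workbook.xml"))
        for sheet in workbook.iter(f"{{{NS_MAIN}}}sheet"):
            name = sheet.get("name", "")
            state = sheet.get("state", "visible")  # 'hidden' / 'veryHidden' are explicit
            findings["sheets"].append((name, state))
            if state != "visible" or any(ord(ch) > 127 for ch in name):
                findings["suspicious_sheets"].append((name, state))
        if "xl/sharedStrings.xml" in names:
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            for t in sst.iter(f"{{{NS_MAIN}}}t"):
                text = (t.text or "").strip()
                for how, candidate in _decodings(text):
                    for url in URL_RE.findall(candidate):
                        findings["urls"].append((how, url))
    return findings


def build_sample_workbook(url: str) -> bytes:
    """Constructed test input (not the real sample): a visible Sheet1, a hidden
    sheet named 'Лист3', a stub vbaProject.bin and the URL stored reversed in
    the shared-string table."""
    workbook_xml = (
        f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Лист3" sheetId="2" state="hidden" r:id="rId2"/>'
        "</sheets></workbook>"
    )
    shared_strings_xml = (
        f'<sst xmlns="{NS_MAIN}" count="2" uniqueCount="2">'
        "<si><t>Enable content to decrypt this DocuSign document</t></si>"
        f"<si><t>{url[::-1]}</t></si></sst>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/sharedStrings.xml", shared_strings_xml)
        z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1")  # OLE magic only
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_workbook("http://payload.example/1247015.png")
    for key, value in triage_workbook(sample).items():
        print(f"{key}: {value}")
```

Two caveats when reading the output. “Лист” is simply the Russian-locale default sheet name (Лист1, Лист2, …), so a Cyrillic sheet name on its own is a hint about the author’s locale rather than proof of malice; the hidden state plus the presence of a VBA project are what tip a document into “detonate in a sandbox”. And a real sample may keep the string as an inline cell value or inside a formula rather than in the shared-string table, so extend the scan to xl/worksheets/*.xml if the table comes up empty.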

Once executed, the QBot Trojan contacts its command and control server and requests instructions. In addition to stealing and exfiltrating data from its victims, QBot also starts harvesting emails, which later seed the hijacked-thread lures of the next malspam campaigns.

Figure 4: QBot process flow execution

World events are the best lure

At the core of the malware attacks we witness each day are typical social engineering schemes. Threat actors need to get victims to perform a certain set of actions in order to compromise them.

Spam campaigns routinely abuse package delivery notifications (FedEx, DHL, etc.) or bank alerts to disguise malicious payloads, but world events such as the COVID-19 pandemic or the US elections provide ideal material for crafting effective schemes with high infection ratios.

Malwarebytes users were already protected against this attack thanks to our Anti-Exploit technology. Additionally, we detect the payload as Backdoor.Qbot.

Figure 5: Malwarebytes blocking the macro from delivering its payload

Indicators of Compromise

Malicious Excel documents
QBot

china[.]asiaspain[.]com/tertgev/1247015.png

1edfe375fafa1f941dc4ee30702f4af31ba636e4b639bcbb90a1d793b5d4b06c
06be75b2f3207de93389e090afd899f392da2e0f1c6e02226db65c61f291b81b

QBot C2s

142.129.227[.]86
95.77.144[.]238

MITRE ATT&CK techniques

Tactic, technique ID, technique name, observed behaviour:

Execution
  T1059  Command-Line Interface                  starts CMD.EXE to execute commands
  T1106  Execution through API                   application launched itself
  T1053  Scheduled Task                          loads the Task Scheduler COM API
Persistence
  T1050  New Service                             executed as a Windows service
  T1060  Registry Run Keys / Startup Folder      changes the autorun value in the registry
  T1053  Scheduled Task                          loads the Task Scheduler COM API
Privilege Escalation
  T1050  New Service                             executed as a Windows service
  T1055  Process Injection                       application was injected by another process
  T1053  Scheduled Task                          loads the Task Scheduler COM API
Defense Evasion
  T1553  Install Root Certificate                changes system certificate settings
  T1055  Process Injection                       application was injected by another process
Discovery
  T1087  Account Discovery                       starts NET.EXE to view/change user groups
  T1135  Network Share Discovery                 starts NET.EXE for network exploration
  T1069  Permission Groups Discovery             starts NET.EXE to view/change user groups
  T1012  Query Registry                          reads the machine GUID from the registry
  T1018  Remote System Discovery                 starts NET.EXE for network exploration
  T1082  System Information Discovery            reads the machine GUID from the registry
  T1016  System Network Configuration Discovery  uses IPCONFIG.EXE to discover the IP address

IDs and names are as published and follow the pre-v7 ATT&CK matrix: T1050 and T1060 have since been folded into T1543.003 (Windows Service) and T1547.001 (Registry Run Keys / Startup Folder), T1553 Install Root Certificate is now sub-technique T1553.004, and T1059 and T1106 are now named Command and Scripting Interpreter and Native API.
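The table above is a list of observable behaviours, which is what a detection engineer wants from a report. As an added example, not from the Malwarebytes post, here are three rules run over constructed Sysmon-style events: an Office process spawning a shell (the macro starting CMD.EXE), a burst of NET.EXE/IPCONFIG.EXE discovery commands from one parent process, and an outbound connection to one of the C2 addresses listed above (refanged from the published form). The event format, thresholds, process names, command lines and the choice of explorer.exe as the injected host process are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# C2 addresses from the Malwarebytes IoC list, kept defanged as published.
QBOT_C2_DEFANGED = ["142.129.227[.]86", "95.77.144[.]238"]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "regsvr32.exe", "rundll32.exe"}
DISCOVERY_IMAGES = {"net.exe", "net1.exe", "ipconfig.exe", "whoami.exe", "nltest.exe"}
DISCOVERY_WINDOW = timedelta(minutes=2)   # assumed tuning values
DISCOVERY_THRESHOLD = 3


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Run three rules over Sysmon-style event dicts (id 1 = process create,
    id 3 = network connect) and return (rule, timestamp, detail) tuples."""
    c2_addresses = {ipaddress.ip_address(refang(i)) for i in QBOT_C2_DEFANGED}
    alerts = []
    discovery = defaultdict(list)  # parent pid -> timestamps of recent discovery commands
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        if ev["id"] == 1:
            image, parent = _basename(ev["image"]), _basename(ev["parent_image"])
            # Rule 1: an Office application spawning a shell or script host.
            if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
                alerts.append(("office_spawns_shell", ev["ts"],
                               f"{parent} -> {image}: {ev['cmdline']}"))
            # Rule 2: a burst of host/network discovery commands from one parent.
            if image in DISCOVERY_IMAGES:
                recent = discovery[ev["parent_pid"]]
                recent.append(ts)
                recent[:] = [t for t in recent if ts - t <= DISCOVERY_WINDOW]
                if len(recent) == DISCOVERY_THRESHOLD:
                    alerts.append(("discovery_burst", ev["ts"],
                                   f"{DISCOVERY_THRESHOLD} discovery commands from pid "
                                   f"{ev['parent_pid']} within {DISCOVERY_WINDOW}"))
        elif ev["id"] == 3:
            # Rule 3: an outbound connection to a published QBot C2 address.
            if ipaddress.ip_address(ev["dst_ip"]) in c2_addresses:
                alerts.append(("qbot_c2_contact", ev["ts"],
                               f"{_basename(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


# Constructed events for the run below; paths, pids and command lines are invented.
# The post lists process injection (T1055) without naming the host process, so
# attributing the discovery commands and the C2 connection to explorer.exe is an assumption.
SAMPLE_EVENTS = [
    {"id": 1, "ts": "2020-11-04 09:12:01", "pid": 5004, "parent_pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "cmdline": r"cmd.exe /c C:\Users\Public\payload.exe"},
    {"id": 1, "ts": "2020-11-04 09:12:20", "pid": 5201, "parent_pid": 5120,
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "net view"},
    {"id": 1, "ts": "2020-11-04 09:12:22", "pid": 5202, "parent_pid": 5120,
     "image": r"C:\Windows\System32\ipconfig.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "ipconfig /all"},
    {"id": 1, "ts": "2020-11-04 09:12:25", "pid": 5203, "parent_pid": 5120,
     "image": r"C:\Windows\System32\net.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "net localgroup administrators"},
    {"id": 3, "ts": "2020-11-04 09:13:40", "pid": 5120,
     "image": r"C:\Windows\explorer.exe", "dst_ip": "95.77.144.238", "dst_port": 443},
    {"id": 3, "ts": "2020-11-04 09:13:41", "pid": 5120,
     "image": r"C:\Windows\explorer.exe", "dst_ip": "203.0.113.5", "dst_port": 443},
]

if __name__ == "__main__":
    for rule, when, detail in detect(SAMPLE_EVENTS):
        print(f"{when}  {rule:20s}  {detail}")
```

Rule 1 is the high-signal one and worth deploying on its own; rule 2 fires once per burst (on the third command inside the window) and is what catches the post-infection NET.EXE/IPCONFIG.EXE activity when the initial loader was missed; rule 3 only lasts as long as the published C2 addresses do, so treat it as a retrospective hunt rather than a standing control.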

The post QBot Trojan delivered via malspam campaign exploiting US election uncertainties appeared first on Malwarebytes Labs.

https://malwaredevil.com/2020/11/04/qbot-trojan-delivered-via-malspam-campaign-exploiting-us-election-uncertainties/

Why Paying to Delete Stolen Data is Bonkers

Companies hit by ransomware often face a dual threat: Even if they avoid paying the ransom and can restore things from scratch, about half the time the attackers also threaten to release sensitive stolen data unless the victim pays for a promise to have the data deleted. Leaving aside the notion that victims might have any real expectation the attackers will actually destroy the stolen data, new research suggests a fair number of victims who do pay up may see some or all of the stolen data published anyway.

The findings come in a report today from Coveware, a company that specializes in helping firms recover from ransomware attacks. Coveware says nearly half of all ransomware cases now include the threat to release exfiltrated data.

“Previously, when a victim of ransomware had adequate backups, they would just restore and go on with life; there was zero reason to even engage with the threat actor,” the report observes. “Now, when a threat actor steals data, a company with perfectly restorable backups is often compelled to at least engage with the threat actor to determine what data was taken.”

Coveware said it has seen ample evidence of victims seeing some or all of their stolen data published after paying to have it deleted; in other cases, the data gets published online before the victim is even given a chance to negotiate a data deletion agreement.

“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” the report continues. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future. The track records are too short and evidence that defaults are selectively occurring is already collecting.”

Image: Coveware Q3 2020 report.

The company said it advises clients never to pay a data deletion ransom, but rather to engage competent privacy attorneys, investigate what data was stolen, and notify any affected customers according to the advice of counsel and applicable data breach notification laws.

Fabian Wosar, chief technology officer at computer security firm Emsisoft, said ransomware victims often acquiesce to data publication extortion demands when they are trying to prevent the public from learning about the breach.

“The bottom line is, ransomware is a business of hope,” Wosar said. “The company doesn’t want the data to be dumped or sold. So they pay for it hoping the threat actor deletes the data. Technically speaking, whether they delete the data or not doesn’t matter from a legal point of view. The data was lost at the point when it was exfiltrated.”

Ransomware victims who pay for a digital key to unlock servers and desktop systems encrypted by the malware are also relying on hope, Wosar said, because it is not uncommon for a decryption key to fail to unlock some or all of the infected machines.

“When you look at a lot of ransom notes, you can actually see groups address this very directly and have texts that say stuff along the lines of, ‘Yeah, you are fucked now. But if you pay us, everything can go back to before we fucked you.’”

https://malwaredevil.com/2020/11/04/why-paying-to-delete-stolen-data-is-bonkers/

IAM: A Critical Element of Corporate Risk Literacy

Risk is relative. What one person perceives as a significant risk may be observed simply as an irritation by another. Others […]

The post IAM: A Critical Element of Corporate Risk Literacy appeared first on Sonrai Security.

The post IAM: A Critical Element of Corporate Risk Literacy appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/iam-a-critical-element-of-corporate-risk-literacy/

DEF CON 28 Safe Mode ICS Village – Dor Yardeni’s & Mike Lemley’s ‘Vulnerability Discovery Tips For Surviving’

Many thanks to DEF CON and the conference speakers for publishing their outstanding presentations, which originally appeared at the organization’s DEF CON 28 Safe Mode conference and on the DEF CON YouTube channel. Enjoy!

The post DEF CON 28 Safe Mode ICS Village – Dor Yardeni’s & Mike Lemley’s ‘Vulnerability Discovery Tips For Surviving’ appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/def-con-28-safe-mode-ics-village-dor-yardenis-mike-lemleys-vulnerability-discovery-tips-for-surviving/

Prepare for the Unexpected: Costs to Consider in Security Budgets

Organizations that update business models to include cybersecurity as part of a strategic planning process may be able to better withstand unexpected disruptions.

https://malwaredevil.com/2020/11/04/prepare-for-the-unexpected-costs-to-consider-in-security-budgets/

Tales from the Front Lines: How Third-Party APIs Simplify Enumeration Attacks

As a mechanism to offload PCI risk, many retailers now use third-party credit card processing for their online transactions. The benefit to the retailer is that it no longer handles the credit card data itself, which reduces its cardholder-data footprint (and PCI exposure). The potential drawback is that a third party now controls that data. […]

The post Tales from the Front Lines: How Third-Party APIs Simplify Enumeration Attacks appeared first on Cequence.

The post Tales from the Front Lines: How Third-Party APIs Simplify Enumeration Attacks appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/tales-from-the-front-lines-how-third-party-apis-simplify-enumeration-attacks/

XKCD ‘Election Impact Score Sheet’

via the comic delivery system monikered Randall Munroe resident at XKCD!

The post XKCD ‘Election Impact Score Sheet’ appeared first on Security Boulevard.

https://malwaredevil.com/2020/11/04/xkcd-election-impact-score-sheet/

Barbary Pirates and Russian Cybercrime

In 1801, the United States had a small Navy. Thomas Jefferson deployed almost half that Navy—three frigates and a schooner—to the Barbary C...