Great collaboration and report on the latest cyber crime tactics and techniques. Gives a birds eye view of where the technologies and advancements utilized by cyber criminals are headed. A really good read, recommended.
The document discusses cybersecurity trends for 2018, focusing on ransomware, attacks on critical infrastructure, malware analysis, electoral cyberthreats, and privacy issues. It summarizes the major ransomware attacks of 2017 like WannaCry and describes how ransomware is evolving to target more devices and infrastructure. The document advises regularly backing up important data offline as the best protection against ransomware.
The document summarizes McAfee's Threats Report for the third quarter of 2013. Some key points:
- Mobile malware increased 33% while overall new malware exceeded 20 million. New ransomware and rootkits also rose.
- Digital currencies like Bitcoin are increasingly used by cybercriminals for money laundering and anonymous transactions on dark web markets. The shutdown of Silk Road prompted new illegal sites.
- The "Deep Web" contains unregulated online markets selling illegal drugs, weapons, credit cards, and even murder-for-hire services accessible through Tor and paid with Bitcoin.
- Hacktivism and political hacking increased, while spam volume reached its highest level since 2010. Browser
The document summarizes a mobile threat report for Q3 2013. It finds that 252 of the 259 new mobile threat families and variants discovered were for Android, with trojans making up the largest percentage at 88%. It also notes an increasing trend of profit-motivated mobile malware, with 81.1% of new threats aiming to generate money through unauthorized SMS messages. The report discusses recent developments like the identification of the creator of the Pincer Android banking trojan and the emergence of tools that simplify inserting malware into legitimate apps.
Shamoon is a a destructive disk-wiping malware that first emerged in 2012, before reappearing towards the end of 2016. This sophisticated malware appears to specifically target organizations in Saudi Arabia.
The document discusses ransomware, including its definition, evolution, types, targets, top strains of 2016, trends of 2016-2017, a case study, and advice on protecting yourself. Ransomware is a type of malware that encrypts files on an infected device and demands ransom for the decryption key. The top ransomware strains of 2016 included Locky, TeslaCrypt, and HDDCryptor. Trends show ransomware growing significantly and targeting more organizations and individuals. Effective backups and awareness are key to protecting yourself.
Press articles often try to simplify reading and, as a result, don’t always go that much into detail when illustrating a new cyber-attack to the broad public. That being said, we thought it might be helpful to write a post on this exact topic and demystify malware typology. Because, whereas we might not all be cybersecurity prodigies, understanding more about the threats on our machines can help us better protect ourselves. Without further ado, we give to you our very own Malware Dictionary.
In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US’ National Security Agency (NSA). Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours.
This document discusses cyber security and tasks related to preventing cyber attacks. It covers different types of frauds and scams like malware, phishing attacks, and ransomware. It provides methods to prevent these attacks, such as avoiding unknown emails, using strong passwords, and keeping anti-virus software updated. Network monitoring tools like Wireshark are described that can detect malware by analyzing network traffic and ports. Laws related to cyber crimes in New Zealand are also summarized. Common denial of service attacks and methods to design protective systems are outlined, including using firewalls, intrusion detection, and anti-malware programs.
The document discusses cybersecurity trends for 2018, focusing on ransomware, attacks on critical infrastructure, malware analysis, electoral cyberthreats, and privacy issues. It summarizes the major ransomware attacks of 2017 like WannaCry and describes how ransomware is evolving to target more devices and infrastructure. The document advises regularly backing up important data offline as the best protection against ransomware.
The document summarizes McAfee's Threats Report for the third quarter of 2013. Some key points:
- Mobile malware increased 33% while overall new malware exceeded 20 million. New ransomware and rootkits also rose.
- Digital currencies like Bitcoin are increasingly used by cybercriminals for money laundering and anonymous transactions on dark web markets. The shutdown of Silk Road prompted new illegal sites.
- The "Deep Web" contains unregulated online markets selling illegal drugs, weapons, credit cards, and even murder-for-hire services accessible through Tor and paid with Bitcoin.
- Hacktivism and political hacking increased, while spam volume reached its highest level since 2010. Browser
The document summarizes a mobile threat report for Q3 2013. It finds that 252 of the 259 new mobile threat families and variants discovered were for Android, with trojans making up the largest percentage at 88%. It also notes an increasing trend of profit-motivated mobile malware, with 81.1% of new threats aiming to generate money through unauthorized SMS messages. The report discusses recent developments like the identification of the creator of the Pincer Android banking trojan and the emergence of tools that simplify inserting malware into legitimate apps.
Shamoon is a a destructive disk-wiping malware that first emerged in 2012, before reappearing towards the end of 2016. This sophisticated malware appears to specifically target organizations in Saudi Arabia.
The document discusses ransomware, including its definition, evolution, types, targets, top strains of 2016, trends of 2016-2017, a case study, and advice on protecting yourself. Ransomware is a type of malware that encrypts files on an infected device and demands ransom for the decryption key. The top ransomware strains of 2016 included Locky, TeslaCrypt, and HDDCryptor. Trends show ransomware growing significantly and targeting more organizations and individuals. Effective backups and awareness are key to protecting yourself.
Press articles often try to simplify reading and, as a result, don’t always go that much into detail when illustrating a new cyber-attack to the broad public. That being said, we thought it might be helpful to write a post on this exact topic and demystify malware typology. Because, whereas we might not all be cybersecurity prodigies, understanding more about the threats on our machines can help us better protect ourselves. Without further ado, we give to you our very own Malware Dictionary.
In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US’ National Security Agency (NSA). Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours.
This document discusses cyber security and tasks related to preventing cyber attacks. It covers different types of frauds and scams like malware, phishing attacks, and ransomware. It provides methods to prevent these attacks, such as avoiding unknown emails, using strong passwords, and keeping anti-virus software updated. Network monitoring tools like Wireshark are described that can detect malware by analyzing network traffic and ports. Laws related to cyber crimes in New Zealand are also summarized. Common denial of service attacks and methods to design protective systems are outlined, including using firewalls, intrusion detection, and anti-malware programs.
A collection of musical masterpieces that may have very well been inspired by the best (or the worst, it depends how you look at it) hacks recorded in the second half of 2016.
Symantec Intelligence Report December 2014Symantec
This document provides a summary of cybersecurity threats from Symantec's December 2014 Intelligence Report. Key points include:
- The average number of spear-phishing attacks dropped to 33 per day in December from 43 in November. Manufacturing was the most targeted industry for these attacks.
- There were 8 data breaches reported in December, with real names, government ID numbers, and home addresses as the most common types of exposed information.
- Trojan.Swifi was the most common malware in December. A new zero-day Flash Player vulnerability (CVE-2014-9163) was also disclosed.
- 428 vulnerabilities were disclosed in December, including 1 zero-day. Internet Explorer
Ransomware attacks are on the rise due to several factors: unemployed hackers see it as easy money; organizations have weak security policies; more data is stored online; and pirated software contains malware. Ransomware encrypts users' files and demands payment for the decryption key. Victims should not panic, disconnect infected devices, avoid paying ransoms, and seek help from experts. Users have an ethical duty to help prevent future attacks through backups, updated security software, legal software, and education.
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
This document discusses how advancements in Web 2.0 technologies have created security threats to the World Wide Web. It focuses on the negative exploitation of JavaScript, which is heavily used by malware writers to spread infections online. The document describes the JavaScript Infection Model (JIM), which outlines the typical methods used by attackers to inject malware onto websites. These include using an attacker-controlled domain to host malware, exploiting vulnerabilities to inject malicious JavaScript onto legitimate sites, and using JavaScript's abilities to conduct stealth attacks and spread the infection across multiple domains.
The WannaCry ransomware virus infected over 200,000 organizations in 150 countries, crippling many hospitals and other organizations. It exploited a vulnerability in Windows to encrypt files and demand ransom payments in bitcoin. While a "kill switch" was discovered that stopped the spread, many systems already infected could not be recovered without paying ransom. It highlighted the need to keep systems updated and have backups to prevent future attacks.
The document provides a weekly intelligence summary covering security bulletins, ransomware developments, payment card breaches affecting two grocery store chains, analysis of mobile malware and its ability to spread rapidly, the use of steganography in a click fraud malware campaign, and reports on cybercriminal activities in Africa and India. It also summarizes an internet disruption caused by routing table overflow and Cisco's efforts to prevent future incidents.
This document provides an overview of ransomware, including:
- An introduction defining ransomware as malware that encrypts a user's device or data and demands ransom for decryption.
- A ransomware attack diagram showing how it is commonly delivered via email attachments and then encrypts files using strong encryption, demanding ransom for the encryption key.
- Details of a 2017 case study where a construction company suffered a devastating ransomware attack, encrypting backups and workstations and paralyzing operations for 10 days.
- The conclusion that ransomware is a serious threat not only to organizations but also individuals, and better prevention through updated antivirus and device security is needed.
The document provides an intelligence report from MessageLabs with the following key points:
- Spam, viruses, and phishing rates from February to March 2020. Rates of spam increased while viruses and phishing decreased slightly.
- An analysis of targeted cyber attacks which found many originate from China, Romania, and Cameroon rather than just locations of mail servers. Common targets were those in roles like directors, officials, and managers in areas like Asian policy and trade.
- The most common file types in emails were .xls, .doc, and .zip but encrypted .rar files posed the highest risk of containing malware when attached to emails.
- The Rustock botnet was sending
This document is a report from Comodo Threat Research Labs summarizing malware trends in 2017. It finds that trojans were the most common malware type, making up 41% of detections, followed by applications at 24.7% and backdoors at 10.1%. Russia and the US had the most malware detections. The report analyzes trends in specific malware types like trojans, applications, backdoors, and worms. It also examines detections by country and region. Comodo predicts backdoor detections will continue rising in Q1 2018 based on a rise seen in Q4 2017.
The Wannacry Effect - Provided by RaconteurGary Chambers
The WannaCry ransomware attack in May 2017 was one of the largest and most widespread cyber attacks in history, infecting over 250,000 systems across 150 countries. It exploited a vulnerability in Microsoft Windows XP to encrypt files and demand ransom payments of $300 worth of bitcoin. Though victims were advised not to pay, some funds were sent to the attackers. The attack disrupted organizations like the UK's National Health Service, German railways, and Japanese companies like Hitachi and Nissan.
Ransomware is a PC or Mac-based malicious piece of software that encrypts a user or company’s files and forces them to pay a fee to the hacker in order to regain access to their own files.
Not only can ransomware encrypt the files on your computer; the software is smart enough to travel across your network and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user can bring an entire company to a halt.
Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.
This document outlines the history of computer viruses from their theoretical conception in 1949 through major viruses in the early 2000s. Some key events include the first viruses found "in the wild" in 1981, Fred Cohen formally defining the term "computer virus" in 1983, the first file and macro viruses in the late 1980s, the rise of antivirus software in the early 1990s as viruses proliferated, and some of the most widespread and damaging viruses of the late 1990s and early 2000s like Melissa, ILOVEYOU, CodeRed, and MyDoom. The document traces how viruses evolved from early isolated incidents to become a major threat as connectivity and software increased.
The document summarizes malware threats from Q1 2012. There was significant growth in PC malware, mobile malware (especially on Android), and rootkits like ZeroAccess. Signed malware and password-stealing Trojans also increased substantially. Overall, 2012 is shaping up to be a challenging year for cybersecurity as attackers continue pushing technological boundaries.
This document provides an overview of computer viruses, including their definition, how they spread, common symptoms, and classifications. It discusses how viruses work, are transmitted over the internet, and examples like Melissa (a macro virus) and Bubbleboy (a worm). The document emphasizes that most viruses target Windows systems by exploiting software vulnerabilities, and stresses the importance of antivirus software, proper configurations, and limiting unnecessary programs to prevent infection.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web based malware. Technology and Insecurity goes hand in hand. With the advent of new attacks and techniques the distribution of malware through web has been increased tremendously. Browser based exploits mainly Internet Explorer have given a birth to new world of malware infection. The attackers spread malware elegantly by exploiting the vulnerabilities and drive by downloads. The infection strategies opted by attackers like malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of these web based malware a typical analysis is required to understand the logic concept working behind these web based malwares. It is necessary to dissect these malwares from bottom to top in order to control the devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.
August was a big month for zero-day vulnerabilities, in which a total of 11 were reported. This is by far the largest number disclosed in a given month to-date.
Six of these zero-day vulnerabilities impact industrial control systems, devices used in industrial sectors and critical infrastructures, across five vendors. The vulnerabilities cover a wide range of possible attacks, including remote code execution and denial of service attacks.
Two further zero-day vulnerabilities were discovered in the Apple OS X operating system. When used in tandem, these two vulnerabilities can cause memory corruption in the OS X kernel and gain the attacker escalated privileges on the compromised computer.
These vulnerabilities come on the heels of a new OS X threat called OSX.Sudoprint. This threat exploits a local privilege escalation vulnerability in the OS X operating system, which was patched by Apple at the beginning of August. This threat comprised over 77 percent of the OS X threats we saw on OS X endpoints this month.
Ransomware has evolved significantly since the AIDS Trojan in 1989. Nowadays, ransomware encrypts users' files and demands ransom payments in cryptocurrency to decrypt them. There are two main types: locker ransomware that denies computer access, and crypto ransomware that encrypts files. Notable ransomware variants discussed include CryptoLocker (2013), Cryptowall (2014), TorrentLocker (2014), KeRanger (2016 Mac), Locky (2016), and the new "ransomware as a service" called Ransom32. Future threats may target infrastructure, cloud services, hardware, and corporate networks. The IC3 has received over $57 million in ransomware damages since 2005, with
This document provides an overview of ransomware, including how it spreads, common types, and how to protect against it. Ransomware encrypts files and demands payment, usually in bitcoin, to decrypt them. It spreads mainly through spam emails containing malicious attachments or links. Common ransomware types discussed are CryptoLocker, CryptoWall, CTB-Locker, Locky, TeslaCrypt, and TorrentLocker. They each encrypt files using techniques like AES encryption and demand ransom payments after encrypting user files. The document advises how to protect against ransomware, such as avoiding suspicious email attachments.
A collection of musical masterpieces that may have very well been inspired by the best (or the worst, it depends how you look at it) hacks recorded in the second half of 2016.
Symantec Intelligence Report December 2014Symantec
This document provides a summary of cybersecurity threats from Symantec's December 2014 Intelligence Report. Key points include:
- The average number of spear-phishing attacks dropped to 33 per day in December from 43 in November. Manufacturing was the most targeted industry for these attacks.
- There were 8 data breaches reported in December, with real names, government ID numbers, and home addresses as the most common types of exposed information.
- Trojan.Swifi was the most common malware in December. A new zero-day Flash Player vulnerability (CVE-2014-9163) was also disclosed.
- 428 vulnerabilities were disclosed in December, including 1 zero-day. Internet Explorer
Ransomware attacks are on the rise due to several factors: unemployed hackers see it as easy money; organizations have weak security policies; more data is stored online; and pirated software contains malware. Ransomware encrypts users' files and demands payment for the decryption key. Victims should not panic, disconnect infected devices, avoid paying ransoms, and seek help from experts. Users have an ethical duty to help prevent future attacks through backups, updated security software, legal software, and education.
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
This document discusses how advancements in Web 2.0 technologies have created security threats to the World Wide Web. It focuses on the negative exploitation of JavaScript, which is heavily used by malware writers to spread infections online. The document describes the JavaScript Infection Model (JIM), which outlines the typical methods used by attackers to inject malware onto websites. These include using an attacker-controlled domain to host malware, exploiting vulnerabilities to inject malicious JavaScript onto legitimate sites, and using JavaScript's abilities to conduct stealth attacks and spread the infection across multiple domains.
The WannaCry ransomware virus infected over 200,000 organizations in 150 countries, crippling many hospitals and other organizations. It exploited a vulnerability in Windows to encrypt files and demand ransom payments in bitcoin. While a "kill switch" was discovered that stopped the spread, many systems already infected could not be recovered without paying ransom. It highlighted the need to keep systems updated and have backups to prevent future attacks.
The document provides a weekly intelligence summary covering security bulletins, ransomware developments, payment card breaches affecting two grocery store chains, analysis of mobile malware and its ability to spread rapidly, the use of steganography in a click fraud malware campaign, and reports on cybercriminal activities in Africa and India. It also summarizes an internet disruption caused by routing table overflow and Cisco's efforts to prevent future incidents.
This document provides an overview of ransomware, including:
- An introduction defining ransomware as malware that encrypts a user's device or data and demands ransom for decryption.
- A ransomware attack diagram showing how it is commonly delivered via email attachments and then encrypts files using strong encryption, demanding ransom for the encryption key.
- Details of a 2017 case study where a construction company suffered a devastating ransomware attack, encrypting backups and workstations and paralyzing operations for 10 days.
- The conclusion that ransomware is a serious threat not only to organizations but also individuals, and better prevention through updated antivirus and device security is needed.
The document provides an intelligence report from MessageLabs with the following key points:
- Spam, viruses, and phishing rates from February to March 2020. Rates of spam increased while viruses and phishing decreased slightly.
- An analysis of targeted cyber attacks which found many originate from China, Romania, and Cameroon rather than just locations of mail servers. Common targets were those in roles like directors, officials, and managers in areas like Asian policy and trade.
- The most common file types in emails were .xls, .doc, and .zip but encrypted .rar files posed the highest risk of containing malware when attached to emails.
- The Rustock botnet was sending
This document is a report from Comodo Threat Research Labs summarizing malware trends in 2017. It finds that trojans were the most common malware type, making up 41% of detections, followed by applications at 24.7% and backdoors at 10.1%. Russia and the US had the most malware detections. The report analyzes trends in specific malware types like trojans, applications, backdoors, and worms. It also examines detections by country and region. Comodo predicts backdoor detections will continue rising in Q1 2018 based on a rise seen in Q4 2017.
The Wannacry Effect - Provided by RaconteurGary Chambers
The WannaCry ransomware attack in May 2017 was one of the largest and most widespread cyber attacks in history, infecting over 250,000 systems across 150 countries. It exploited a vulnerability in Microsoft Windows XP to encrypt files and demand ransom payments of $300 worth of bitcoin. Though victims were advised not to pay, some funds were sent to the attackers. The attack disrupted organizations like the UK's National Health Service, German railways, and Japanese companies like Hitachi and Nissan.
Ransomware is a PC or Mac-based malicious piece of software that encrypts a user or company’s files and forces them to pay a fee to the hacker in order to regain access to their own files.
Not only can ransomware encrypt the files on your computer; the software is smart enough to travel across your network and encrypt any files located on shared network drives. This can lead to a catastrophic situation whereby one infected user can bring an entire company to a halt.
Hospitals, school districts, state and local governments, law enforcement agencies, small businesses, large businesses—these are just some of the entities impacted recently by ransomware, an insidious type of malware that encrypts, or locks, valuable digital files and demands a ransom to release them. And, of course, home computers are just as susceptible to ransomware, and the loss of access to personal and often irreplaceable items—including family photos, videos, and other data—can be devastating for individuals as well.
This document outlines the history of computer viruses from their theoretical conception in 1949 through major viruses in the early 2000s. Some key events include the first viruses found "in the wild" in 1981, Fred Cohen formally defining the term "computer virus" in 1983, the first file and macro viruses in the late 1980s, the rise of antivirus software in the early 1990s as viruses proliferated, and some of the most widespread and damaging viruses of the late 1990s and early 2000s like Melissa, ILOVEYOU, CodeRed, and MyDoom. The document traces how viruses evolved from early isolated incidents to become a major threat as connectivity and software increased.
The document summarizes malware threats from Q1 2012. There was significant growth in PC malware, mobile malware (especially on Android), and rootkits like ZeroAccess. Signed malware and password-stealing Trojans also increased substantially. Overall, 2012 is shaping up to be a challenging year for cybersecurity as attackers continue pushing technological boundaries.
This document provides an overview of computer viruses, including their definition, how they spread, common symptoms, and classifications. It discusses how viruses work, are transmitted over the internet, and examples like Melissa (a macro virus) and Bubbleboy (a worm). The document emphasizes that most viruses target Windows systems by exploiting software vulnerabilities, and stresses the importance of antivirus software, proper configurations, and limiting unnecessary programs to prevent infection.
Given at TRISC 2010, Grapevine, Texas.
http://www.trisc.org/speakers/aditya_sood/#p
The talk sheds light on the new trends of web based malware. Technology and Insecurity goes hand in hand. With the advent of new attacks and techniques the distribution of malware through web has been increased tremendously. Browser based exploits mainly Internet Explorer have given a birth to new world of malware infection. The attackers spread malware elegantly by exploiting the vulnerabilities and drive by downloads. The infection strategies opted by attackers like malware distribution through IFRAME injections and Search Engine Optimization. In order to understand the intrinsic behavior of these web based malware a typical analysis is required to understand the logic concept working behind these web based malwares. It is necessary to dissect these malwares from bottom to top in order to control the devastating behavior. The talk will cover structured methodologies and demonstrate the static, dynamic and behavioral analysis of web malware including PCAP analytics. Demonstrations will prove the fact and necessity of web malware analysis.
August was a big month for zero-day vulnerabilities, in which a total of 11 were reported. This is by far the largest number disclosed in a given month to-date.
Six of these zero-day vulnerabilities impact industrial control systems, devices used in industrial sectors and critical infrastructures, across five vendors. The vulnerabilities cover a wide range of possible attacks, including remote code execution and denial of service attacks.
Two further zero-day vulnerabilities were discovered in the Apple OS X operating system. When used in tandem, these two vulnerabilities can cause memory corruption in the OS X kernel and gain the attacker escalated privileges on the compromised computer.
These vulnerabilities come on the heels of a new OS X threat called OSX.Sudoprint. This threat exploits a local privilege escalation vulnerability in the OS X operating system, which was patched by Apple at the beginning of August. This threat comprised over 77 percent of the OS X threats we saw on OS X endpoints this month.
Ransomware has evolved significantly since the AIDS Trojan in 1989. Nowadays, ransomware encrypts users' files and demands ransom payments in cryptocurrency to decrypt them. There are two main types: locker ransomware that denies computer access, and crypto ransomware that encrypts files. Notable ransomware variants discussed include CryptoLocker (2013), Cryptowall (2014), TorrentLocker (2014), KeRanger (2016 Mac), Locky (2016), and the new "ransomware as a service" called Ransom32. Future threats may target infrastructure, cloud services, hardware, and corporate networks. The IC3 has received over $57 million in ransomware damages since 2005, with
This document provides an overview of ransomware, including how it spreads, common types, and how to protect against it. Ransomware encrypts files and demands payment, usually in bitcoin, to decrypt them. It spreads mainly through spam emails containing malicious attachments or links. Common ransomware types discussed are CryptoLocker, CryptoWall, CTB-Locker, Locky, TeslaCrypt, and TorrentLocker. They each encrypt files using techniques like AES encryption and demand ransom payments after encrypting user files. The document advises how to protect against ransomware, such as avoiding suspicious email attachments.
Jay Beale is a cybersecurity expert who has created defensive security tools. He warns that malware is becoming more sophisticated and dangerous. Recent worms like WannaCry and NotPetya have caused major damage by spreading using leaked NSA exploits. Cryptojacking malware that secretly uses computers to mine cryptocurrency is also a growing threat, with some malware infecting hundreds of thousands of devices in a single day. Fully automated malware could achieve domain administrator access on networks and steal large amounts of sensitive data and intellectual property. Strong defenses like patching, network segmentation, privileged access management, and Active Directory security reviews are needed to protect against these evolving threats.
The most well known closed vulnerabilitiesRiyadh Khan
The document summarizes some of the most well-known closed vulnerabilities from 2017, including Cloudbleed, Shadow Broker Exploit Dumps containing the EternalBlue exploit, Apache Struts vulnerabilities like CVE-2017-5638 which enabled the Equifax breach, the Toast Overlay Android vulnerability, and BlueBorne issues in Bluetooth. It notes that vulnerabilities like these, whether known or unknown, pose risks if attackers are aware of them. Prioritizing fixes for the most widely known issues first can help improve security.
This document summarizes predictions for cyber threats in 2013 from McAfee Labs researchers. They predict:
- Mobile worms that buy malicious apps and steal payment info using NFC. Malware that blocks security updates on phones. Ransomware "kits" for mobile.
- Covert, persistent attacks targeting below the kernel of Windows. Rapid development of ways to attack the new Windows 8 and HTML5.
- Large-scale infrastructure attacks like Stuxnet. Highly targeted attacks using the Citadel Trojan to evade detection. Malware that reconnects after botnets are taken down.
Ransomware became a major cyberthreat in 2016, especially in the United States. Ransomware payments increased 771% from 2015 to 2016. The healthcare and education industries were among the most affected. In 2017, experts predict that ransomware will continue to spread rapidly across more devices and sectors. New variants will emerge using improved encryption and different delivery methods. Ransomware criminals are expected to make over $5 billion. Strong backups remain the best defense against ransomware attacks.
One of the key methods cybercriminals are using is ransomware, most famously the Cryptolocker malware,
and its numerous variants, which encrypts the files on a user’s computer and demands the user to pay a ransom, usually in Bitcoins, in order to receive the key to decrypt the files. But Cryptolocker is just one approach that criminals are taking to demand ransom, and the techniques are evolving on a daily basis. To guard against ransomware, it is not enough to know the malware that is making the rounds that day. It is vital to have a broader understanding of the topic, so one can take effective countermeasures against this evolving threat.
This document discusses the evolution of ransomware from early SMS ransomware variants to more advanced file encryptors. It describes how ransomware has surpassed fake antivirus software in popularity due to its profitability. The document outlines the delivery methods for ransomware including spam emails and exploit kits. It then provides details on different types of ransomware like Winlockers, MBR ransomware, and file encryptors. Examples of ransomware screens are also shown.
The evolution of ransomware began in 1989 with the AIDS Trojan virus, moving to more advanced encryption techniques over time. By 2013, CryptoLocker used strong encryption via RSA 2048-bit keys and Bitcoin payments, making ransomware payments hard to trace. Later strains like CryptoWall and Locky continued advancing techniques to infect more systems and ensure payment, demonstrating ransomware as an ongoing cybersecurity threat.
Cybersecurity Trends 2018: The costs of connectionESET Middle East
To help the reader navigate through the maze of current threats, ESET’s thought leaders have zeroed in on several areas that top the priority list in our exercise in looking forward.
A comprehensive survey ransomware attacks prevention, monitoring and damage c...RSIS International
Ransomware is a type of malware that prevents or
restricts user from accessing their system, either by locking the
system's screen or by locking the users' files in the system unless
a ransom is paid. More modern ransomware families,
individually categorize as crypto-ransomware, encrypt certain
file types on infected systems and forces users to pay the ransom
through online payment methods to get a decrypt key. The
analysis shows that there has been a significant improvement in
encryption techniques used by ransomware. The careful analysis
of ransomware behavior can produce an effective detection
system that significantly reduces the amount of victim data loss.
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...AshishDPatel1
This document summarizes a research paper on ransomware attacks, including prevention, monitoring, and damage control. It provides an overview of ransomware, how it has evolved over time, and the techniques used in various ransomware families. It also discusses methods for detecting and preventing ransomware, such as monitoring file system and registry activities. The document concludes that careful analysis of ransomware behavior can help develop effective detection systems to reduce data loss from attacks.
A Comprehensive Survey: Ransomware Attacks Prevention, Monitoring and Damage ...RSIS International
Ransomware is a type of malware that prevents or
restricts user from accessing their system, either by locking the
system's screen or by locking the users' files in the system unless
a ransom is paid. More modern ransomware families,
individually categorize as crypto-ransomware, encrypt certain
file types on infected systems and forces users to pay the ransom
through online payment methods to get a decrypt key. The
analysis shows that there has been a significant improvement in
encryption techniques used by ransomware. The careful analysis
of ransomware behavior can produce an effective detection
system that significantly reduces the amount of victim data loss.
This presentation is about Ransomware. It tells you about how ransomware creates problem and how it can be removed. It also describes different types of Ransomware.
This document summarizes several notorious malware strains and cybercriminal groups that were active in 2021:
- LemonDuck is a cryptomining and credential-stealing malware that can infect both Windows and Linux systems. It removes competing malware and security protocols from infected devices.
- REvil conducted the high-profile ransomware attack on Kaseya in July 2021 that impacted many American companies. It offers ransomware-as-a-service and uses affiliate networks to conduct attacks.
- Trickbot and Dridex are longstanding banking trojans that are frequently used to deploy ransomware by moving laterally through networks and harvesting credentials.
- Conti is a prolific ransomware group behind
The document summarizes various cybersecurity incidents that occurred in July 2021. It reports on ransomware attacks against Fujifilm in Japan and UnitingCare Queensland in Australia. It also discusses data breaches affecting Alibaba, CVS Health, and Cisco vulnerabilities being exploited. New malware such as DarkRadiation ransomware targeting Linux and the return of Agent Tesla RAT in COVID-19 vaccine phishing scams. The gaming, technology, healthcare and government sectors were most affected. Attack vectors included ransomware, data leaks, malware/trojans and exploitation of known vulnerabilities. Consequences involved encryption of systems and files, theft of personally identifiable information and system compromise.
The document discusses the history and evolution of ransomware attacks from 1989 to the present. It provides details on notable ransomware attacks like WannaCry in 2017 and NotPetya in 2017. WannaCry spread to over 150 countries and encrypted data on hundreds of thousands of computers, demanding ransom payments in bitcoin. It exploited a Windows vulnerability. NotPetya similarly spread rapidly through Ukraine and globally, affecting a major shipping company and causing over $10 billion in damages by encrypting and wiping data. The document outlines the modus operandi and impacts of these attacks as well as measures to prevent future ransomware infections like patching systems, isolating infected devices, and implementing security best practices.
The document provides an overview of threats in the first quarter of 2012 according to McAfee Labs. It saw significant increases in many areas of malware and threats after declines in late 2011. Mobile malware targeting Android devices increased dramatically, reaching nearly 7,000 samples. Established rootkits like Koutodoor rebounded and the new ZeroAccess rootkit emerged. Signed malware and password-stealing Trojans also increased substantially. Spam volume grew early in the quarter but resumed its downward trend. The US continued to host the most malicious web content.
Similar to MLabs - Cyber Crime Tactics and Techniques Q2 2017 (20)
Last ned dersom du har lyst å bruke A3 skuffen til noe, les resten av rapporten her for å skjønne alle forkortelsene ... https://nsm.stat.no/globalassets/rapporter/helhetlig_ikt-risikobilde_2017_orig_enkeltsider_low.pdf
The AV-Comparatives Guide to the Best Cybersecurity Solutions of 2017Jermund Ottermo
The document summarizes the results of AV-Comparatives' Whole Product Dynamic "Real-World" Protection Test conducted between July and November 2017. It tested 19 security programs and found that most programs were able to block over 99% of malware with few systems compromised. Panda blocked all malware attempts without any issues. Programs like Bitdefender and Trend Micro blocked nearly all attempts, allowing just 1 malware case. Others like Symantec and Kaspersky blocked the majority but had some user-dependent cases. eScan and Adaware had lower protection rates between 95-97%.
58%
av de norske respondentene har vært utsatt for
cyberangrep i løpet av det siste året.
55%
av de norske respondentene har blitt utsatt for
utpressing (f.eks. ransomware) i løpet av de
siste 12 månedene.
66%
av de norske respondentene mener at de i
fremtiden må endre sine rutiner og prosedyrer
for å tilpasse seg EUs nye personvernforordning.
The changing threat landscape reality and
the frequency, sophistication and targeted
nature of adversaries requires an evolution of
security operational practices to a combination
of prevention, detection and response of
cyber attacks.
AV-Comparatives’ 2017 business software reviewJermund Ottermo
The review looks at security products for business Windows endpoints, focusing the following:
- EDR features
- Management Console
- Windows client (desktop and server) protection software
Keep your data and files away from the attacks, why not? Automate the cyber-security job, good! Allowing malware and attacks to run and probe for weaknesses, bad!
Fikk tilsendt denne artikkelen fra ComputerWorld. Der NorSIS snakker om en digital/sikkerhetsdugnad på nasjonal basis. Har tidligere publisert og snakket om Mørketallsundersøkelsen fra samme kilde.
The document discusses tools and strategies for effective incident response using the OODA (Observe, Orient, Decide, Act) loop model. It summarizes how the AlienVault security platform helps with each stage of the OODA loop:
- Observe: It provides unified security monitoring and threat intelligence to detect incidents from all angles.
- Orient: It helps determine the scope and impact of attacks using threat intelligence and establishes a timeline of events.
- Decide: It provides guidance on immediate response steps and helps prioritize response by reviewing asset details.
- Act: It is not discussed in the summary.
Prevention is futile in 2020 - Gartner Report in RetrospectJermund Ottermo
Published in 2013 and refreshed in 2016. Observe that Panda Security’s Adaptive Defense approach has historically progressed in the right direction according to the analysis. Find questions from the report below and answers highlighted in the report itself.
Why a cloud-based, collective intelligence, big-data solution as Adaptive Defense?
Why do we have a huge opportunity ahead of us?
Why should we move faster that competitors?
Why Adaptive Defense is a cost-effective solution well positioned to face the shift From Control-Centric to People-Centric Security?
Why can we state that Adaptive Defense is a well-positioned solution to face the Shift Security Program Emphasis to Rapid Detection and Response?
What do Adaptive Defense monitoring and capabilities represent? How can ART help to understand the dynamics of an attack?
Adaptive Defense provides EPP+EDR capabilities into a single product already tested on the field, so it is a good answer for Gartner’s recommendations of this report?
Jeg forbereder meg til en egen ringerunde/markedsundersøkelse mot norske bedrifter der jeg vil høre om hvilke tiltak de har ihverksatt siden denne rapporten i 2016. Det vil også bli mulighet for å få booket seg inn til demoer og teste selv våre løsninger, som drastisk styrker IT-sikkerheten til din organisasjon for fremtiden, uten store tiltak. Ikke bare med hensyn til utpressings/løsepengevirus, men vi ser også personvern/GDPR, datainnbrudd og identitetstyveri mm. Vil du være først? Ikke nøl med å kontakte meg.
PANDA | Cloud Systems Management Presentasjon [Norsk]Jermund Ottermo
Den beste programvaren for administrasjon av bedrifters IT-infrastruktur er RMM (Remote Management Module).
Perfekt for driftspartnere/forhandlere som enten blir outsourcet til å ivareta klinters vedlikehold av IT-miljø samt gir teknisk støtte, eller ønsker rådgive og tilby løsninger til bedrifter for intern drift.
Her kan dette arbeidet gjøres oversiktlig og brukervennlig på tvers av plattformer, kunder og sites direkte fra skyen med noen klikk.
RMM er også svaret for konsulenter som vil tjene penger på det som blir igjen på bakken etterhvert som tjenester svever opp i skyen. Ypperlig for bl.a. klienthåndtering.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Threats to mobile devices are more prevalent and increasing in scope and complexity. Users of mobile devices desire to take full advantage of the features
available on those devices, but many of the features provide convenience and capability but sacrifice security. This best practices guide outlines steps the users can take to better protect personal devices and information.
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024Neo4j
Neha Bajwa, Vice President of Product Marketing, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfMalak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
2. TABLE OF CONTENTS
01 Executive summary
02 Windows malware
03 Cerber joins forces with friends
03 Locky won’t die
04 Jaff ransomware: the new kid on the
block
05 WannaCry
06 Petya, NotPetya
06 Windows predictions
07 Mac malware
07 Proton RAT via Handbrake
07 Dok malware
07 Mac predictions
08 Mobile malware
08 Mobile predictions
09 Potentially Unwanted Programs
(PUPs)
09 Fireball
09 WDFLoad
10 PUPs predictions
11 Exploits
11 SMBv1 troubles
12 Exploit kits
12 Domain shadowing and IP-literals
13 Private kits
13 Social engineering variations
14 Malvertising distribution campaigns
14 Exploit predictions
15 Tech support scams
15 Tech support scam predictions
16 Breaches
16 Personally identifiable information
17 Financial information
18 Breaches in Q2
19 Researcher spotlight:
Jean-Philippe Taggart
21 Conclusion
21 Contributors
3. 1Cybercrime tactics and techniques Q2 2017
Introduction
The second quarter of 2017 left the security world wondering, “What the hell happened?” With leaks of government-
created exploits being deployed against users in the wild, a continued sea of ransomware constantly threatening our
ability to work online, and the lines between malware and potentially unwanted programs continuing to blur, every new
incident was a wakeup call.
In this report, we are going to discuss some of the most important trends, tactics, and attacks of Q2 2017, including an
update on ransomware, what is going on with all these exploits, and a special look at all the breaches that happened
this quarter.
Executive summary
If ransomware weren’t big enough news already, it went
global in Q2 with the WannaCry outbreak that rapidly
spread around the world. Although not as sophisticated
as its ransomware counterparts, it had an unusual
distribution method. WannaCry didn’t come via spam or
drive-by downloads as one would expect, but instead
was propagated via vulnerability in the SMBv1 protocol
for which exploits had recently been leaked.
However, WannaCry wasn’t the only piece of malware to
take advantage of the SMB flaw. Indeed, several other
threat actors had already been busy loading Remote
Administration Tools and other digital currency miners
onto unpatched machines.
In the meantime, the usual suspects such as Cerber
were joined by some newcomers in the already bulging
ransomware scene. Incidentally, a large Jaff ransomware
wave came via spam the day before the WannaCry
outbreak, and although it did not gain as much publicity,
it continued for multiple days, no doubt impacting many
users.
Mac users were kept busy dealing with more malware in
Q2 than they had seen in all of 2016. Meanwhile, Android
users had their hands full with the continued rise in ad
fraud, where many alluring free apps come bundled
with more than what is advertised. This is something
already familiar to Windows users dealing with
Potentially Unwanted Programs (PUPs) that abuse digital
certificates and attempt to disable security applications
and are especially hard to remove,.
The exploit kit landscape remained fairly quiet but
for a few interesting developments. Popular kit RIG
EK was disrupted in its use of domain shadowing,
resorting to plain IP addresses and relying increasingly
on malvertising campaigns for its distribution.
Compromised websites were less and less of a factor in
EK traffic and strangely even redirected to tech support
scams at one point.
Social engineering and scams are still what threat actors
rely upon the most. Nevertheless, defenders have
been reminded the hard way that exploits can inflict
tremendous damage when put in the wrong hands.
Just like with data breaches, we can now expect regular
leaks of ready-to-use exploits from mysterious groups
less interested in cashing in on their trove than watching
the aftermath from their release.
4. 2 Cybercrime tactics and techniques Q2 2017
0% 20% 40% 60% 80% 100%
Cerber
Jaff
Locky
Sage
Spora
Troldesh
Other
Ransomware
Jun-17
May-17
Apr-17
0% 20% 40% 60% 80% 100%
Ransomware
Downloader
Backdoor
Banker
Botnet
AdFraud
Other
Jun
May
Apr
Mar
Feb
Jan
Windows malware has had an interesting quarter. While the majority of threats continued to consist of Cerber
ransomware and the Kovter ad fraud Trojan, we also got a look at some interesting ransomware families being
distributed in non-traditional ways, for which we can thank the NSA, ShadowBrokers, and some overly ambitious
cybercriminals.
Clearly, ransomware continues to dominate the Windows malware scene. Here’s a look at the types of malware being
dropped by exploits and malspam in the first half of the year.
Figure 1. Exploit & malspam drops in 2017 (so far)
With some slight variation month to month, we’ve been on the same path all year, with ransomware increasingly being
used as the go-to malware.
Figure 2. Second quarter 2017 ransomware family trends
Focusing on ransomware families, Cerber tops the list for the quarter with a massive lead over the next contender,
Troldesh (a.k.a. Shade). In third place is Locky, who can’t seem to stay dead.
Since we covered Cerber’s dominance in the previous two reports, we aren’t going to spend much time on it here. Take a
look at the Cybercrime Tactics and Techniques 2016 and Q1 2017 reports, as well as the Labs blog for more information.
Windows malware
5. 3Cybercrime tactics and techniques Q2 2017
CERBER JOINS FORCES WITH FRIENDS
Other than continuing to dominate the threat landscape as the most heavily distributed ransomware since December
2016, it seems that the top dog in malware payloads is joining forces with the second most distributed malware, the ad
fraud Trojan, Kovter.
In March 2017, Malwarebytes detected variants of Cerber being distributed along with Kovter, which seemed like a
serious threat to users. Not long after, criminals added a third and fourth wheel to the party: Boaxxee (Info Stealer) and
Nymaim (Downloader), both Trojans that create backdoors on the system.
LOCKY WON’T DIE
One of our predictions for Q1 2017 was that Locky was going to be a huge contender in the ransomware marketplace
for a long time. Shortly after, Locky died…or so we thought. Over the last few months, Locky has severely decreased its
distribution, failed to be distributed at all, popped back up again, vanished, and popped up again.
Figure 3. Sandbox report of one malicious script
dropping three different malware families
During an attack using this method, the victim
receives malicious spam with an attachment,
probably a Word document. The document is
opened and a Macro script is activated, downloading
and executing Nymaim, which then identifies
whether the victim system is a user or a security
researcher, and installs two of the other malware
families.
Figure 4. Locky ransomware seems to return with
new C2
Turns out that instead of being abandoned by
its creators, Locky simply went dark to continue
development. On April 21, 2017, we observed
Locky back at it again, this time being pushed
through the Necurs spam botnet.
With all three combined, the attack becomes three times as deadly, where users could lose both personal files and login
credentials. To top it off, when trying to navigate to a security solution, the browser keeps getting redirected to an ad.
This time, Locky was not nearly as heavily distributed as it was last year. By April 23, we observed Necurs pushing Jaff
ransomware instead of Locky. Once again, we assumed Locky was dead, only to be proven wrong again in late June when
Locky made another appearance using a new file extension (.loptr) to encrypt files. Turns out this extension has been in use
by Locky (with less distribution) since May.
6. 4 Cybercrime tactics and techniques Q2 2017
.locky Feb 2016
.zepto Jun 2016
.odin Sep 2016
.shit Oct 2016
.thor Oct 2016
.aesir Nov 2016
.zzzzz Nov 2016
.osiris Dec 2016
.loptr May 2017
Figure 5. Locky extension history
One thing we can be sure about with Locky
is that its distribution has been severely
decreased. What the future holds for this
malware is anyone’s guess.
JAFF RANSOMWARE: THE NEW KID
ON THE BLOCK
Since its debut in early May 2017, Jaff has had
at least three evolutions. Its campaign timing
was so perfect (right before WannaCry) and its
distribution so heavy that it caused confusion in
the security community. Analysts of Forcepoint
Security Lab reported that a malicious campaign
to spread Jaff ransomware started on May 11,
2017. Necurs immediately started sending out
about 5 million malicious emails per hour.
In June 2017, Kaspersky researchers identified
a vulnerability in the Jaff code, which made it
possible to create a decryptor. However, it’s
unlikely this will work with future versions of Jaff.
Jaff ransomware looks like Locky. It has the
same distribution via the Necurs botnet. It uses
the same PDF that opens a Word document
with a macro. It even has a similar payment
page. Make no mistake, though, Jaff is its own
ransomware. And with the backing of the Necurs
botnet, it’s a very real threat to users and
businesses alike.
Jaff is still a threat, and we expect to see more
of it in the coming months. However, many
security researchers’ first exposure to Jaff
was as a red herring in the investigation of
WannaCry.
Figure 6. Jaff ransomware lock screens
ATTRIBUTE VALUE
Encryption AES
Ransom $ 2 BTC (nearly $5,000 as of this writing)
# of extensions attacked 423
Offline encryption Yes
Encrypted extension .Jaff
Interesting indicator of
compromise
HKCUControl PanelDesktopWallpaper “C:
ProgramDatauserWallpapeR.bmp”
Distribution method Malspam with blank body and subject including
“Payment” or “Receipt”
Figure 7. Jaff properties
7. 5Cybercrime tactics and techniques Q2 2017
WANNACRY
By far one of the more captivating events of the quarter—if not the last 5 years—was the months-long spectacle created
by ShadowBrokers and the release of a purported NSA hacking toolkit. The group had the entire security industry on its
toes with a barrage of cryptic messages, auctions, and various releases containing documentation, code, and exploits
targeting popular versions of Windows and Linux operating systems.
While most of the released exploits had long been patched, one dubbed EternalBlue managed to cause havoc and wide-
spread pandemonium in ways not seen since the Conficker or MyDoom worms.
Similar to other released exploits, Microsoft had issued a patch for EternalBlue (CVE-2017-0144) prior to attackers
weaponizing the code, but many IT admins apparently didn’t get the memo.
On Friday, May 12, computers across the globe were hit with the WannaCry/WanaCrypt0r ransomware, which used the
EternalBlue exploit to cripple machines, leaving companies such as the NHS and FedEx paralyzed in the wake of its
destruction.
Figure 8. WannaCry GUI
The malicious actors behind the world’s
most profound ransomware outbreak
failed to capitalize on the opportunity,
making critical mistakes that allowed
security researchers to shut down
the attack before it had a chance to
cause what would have inevitably been
much greater damage. And while the
ransomware made all the headlines,
the real story was the underlying SMB
vulnerability that allowed it all to happen.
Before the original infection vector of Internet-facing SMB ports being exploited by the ransomware/worm was identified,
a lot of folks claimed it was spreading through a malicious spam campaign.
Security researchers spent hours digging through honeypots, inboxes, and forums trying to find the “original infection
email” but to no avail. Many thought they had found the WannaCry email when, in reality, the world was under attack by a
5 million mph (mails per hour) malspam campaign from Necurs pushing Jaff ransomware.
8. 6 Cybercrime tactics and techniques Q2 2017
PETYA, NOTPETYA
Just when we thought the Internet was safe from NSA exploits being used by public-facing ransomware, on June 27, new
malware that appeared to be inspired by the year-old Petya ransomware showed up on systems all over the world. The
malware was spread in large scale, using a mix of different distribution methods that included EternalBlue.
Petya was a ransomware family that showed up in April 2016. Its main claim to fame was the ability to modify and encrypt
the Master Boot Record (MBR) and Master File Table (MFT). In effect, it would redirect the user to a ransom note instead
of a normal operating system when the computer was rebooted. This same functionality was duplicated in the GoldenEye
family, which we discussed in the Cybercrime Tactics and Techniques 2016 report.
Figure 9. Petya April 2016 ransom screen
The malware that spread throughout the world
on June 27 had a lot of similarities with Petya,
including modifications to the MBR and MFT,
however there were enough differences to classify
it as a completely new family. Kaspersky labeled it
“NotPetya,” while a few other names were introduced
by different security vendors, continuing the trend of
non-standard naming conventions in the computer
security world.
Figure 10. EternalPetya / NotPetya ransom screen
This malware attack was another instance of the EternalBlue
exploit being used in the wild instead of for state-sponsored
government espionage missions, which was likely its original
intent. (Although as of this writing, the true actors behind the
malware and its purpose remain a mystery.) In addition to this
malware, we’ve observed cryptocurrency miners and botnets also
infecting systems using the same door that WannaCry opened.
As analysis continues on this malware and the attack, we will
continue to keep our users updated through our blog. You can
expect a more detailed look at NotPetya in next quarter’s report.
WINDOWS PREDICTIONS
Looking into Q3 2017, we can make a few predictions.
• Cerber will continue to dominate the landscape.
• Jaff is going to make a bigger splash in the ransomware market share.
• We will see at least one more massive attack that leverages leaked NSA exploits against systems in the wild.
We’re especially sure of our last prediction because, as of this writing, there are still over a million unpatched, unsecured
Windows systems with outward-facing SMB ports online. Unless system and network administrators start updating their
systems or at least adding security to block external attacks, we are going to keep seeing the same attack throughout
the year.
9. 7Cybercrime tactics and techniques Q2 2017
Mac malware
In the Mac world, instances of malware are steadily increasing. More new malware families have appeared so far this
year than in any other previous year in all the history of Mac OS X, and the year’s only half over.
PROTON RAT VIA HANDBRAKE
Of the new malware this year, none has been more notable than the infamous Handbrake hack. A mirror server for
distributing the Handbrake application—a popular open-source DVD ripping program—was hacked, and on May 2,
it began serving up a modified copy of Handbrake. This continued until May 6, when the issue was discovered, but
during that time, half of all Handbrake downloads were infected with malware.
The modified version of Handbrake installed a variant of Proton, a RAT that had been found for sale on cybercrime
forums earlier in the year. This variant of Proton was focused on exfiltrating password data from a variety of sources,
including the macOS keychain, 1Password vaults, and browser auto-fill data.
The most frightening aspect of this event was how many experienced, security-minded people were either infected
or nearly infected. This was an apt lesson for Mac users, who are often told that they are safe if they’re careful about
what they download. If experts can be fooled, behaving cautiously should not be considered the sole necessary
security measure in a Mac user’s arsenal.
DOK MALWARE
Another interesting piece of malware was Dok, so
named because it masquerades as a Microsoft Word
file named “Dokument.” In actuality, it is a malicious
application and not a Word file at all.
Figure 11. Trying to open a Word Dokument
What is most notable about the Dok malware is that it
is primarily distributed via email, which is not something
that previous Mac malware has used as a primary
infection vector. It also comes in many different variants
MAC PREDICTIONS
Every quarter, we see more and more malware created for and targeting Apple operating systems. This quarter was no
different and we can expect the same moving through the rest of year.
distributed over a relatively short period of time, each
with slightly varying behaviors, which is also unusual in
Mac malware.
The Dok malware modifies the system in non-trivial
ways: modifying the sudoers file, installing a new
certificate as a trusted system root certificate, and
routing all web traffic through a malicious proxy server.
This year has also seen the emergence of two different
ransomware Trojans: Findzip and MacRansom. Neither
was particularly sophisticated or widespread, and
neither included any means for saving or transmitting
the encryption key. This means that if you were affected
and paid the ransom, you would get nothing in return.
The hackers behind the ransomware had no way to
decrypt your files, reinforcing the importance of never
paying the ransom.
10. 8 Cybercrime tactics and techniques Q2 2017
Mobile malware
WannaCry made big news this quarter and many wanted to jump on the train, including Android developers. Although,
neither the EternalBlue exploit nor the WannaCry ransomware was a threat to Android devices, there were some who
wanted to take advantage of the situation.
With the paranoia from Windows users in full effect, it was understandable that users would wonder if WannaCry affected
other platforms, too. The creators of one app wanted to make sure you were protected on Android with “WannaCry
ransomware protection,” which turned out to be nothing but an app that pushes ads and app installs.
Figure 12. Fake Wannacry protection app
For what it’s worth, the app does do a rudimentary scan of installed apps, checking permissions
and flagging those with ‘’risky” permissions—including itself. What it doesn’t do is tell you if you
are protected against WannaCry.
MOBILE PREDICTIONS
This upcoming quarter we expect to see a continued rise in ad fraud. This form of malware uses a victim’s device to
generate ad traffic resulting in revenue for the app developer. The ad traffic is generated by going behind the scenes
without the user’s knowledge. Besides being used as a bot, the victim could expect to see increased amount of data
usage.
11. 9Cybercrime tactics and techniques Q2 2017
Potentially Unwanted Programs (PUPs)
Every quarter we observe more obvious malicious behavior coming from the creators of Potentially Unwanted Programs
(PUPs). However, some PUP creators have cleaned up their acts, leaving only the truly malicious developers the primary
focus of companies that fight against PUPs, like Malwarebytes.
FIREBALL
A widespread PUP of Chinese origin that made
a notable impact was FireBall. This is a typical
example of the “malware overkill” which seems to
be a trademark of the Adware.Elex family. They
have made a name for themselves by using RATs,
rootkits, and other serious threats to get clicks for
their advertisements. As of this writing, FireBall is in
use as a browser-and-search-hijacker, being spread
by bundlers. But it deploys the added possibility to
use tracking pixels to keep track of the browsing
habits of their users.
The bad news is that FireBall has a backdoor
capability to download and run additional software
on the affected computers. This means that the
issuing company (Rafotech) has the option to drop
any software they want on the 250 million infected
systems. Imagine what would happen if they used
that number to perform DDOS attacks or even to
infect the machines with some ransomware.
The chances of these scenarios are highly unlikely,
because attribution would be easy and the effect on
the company would be disastrous. But what if some
clever cybercriminal finds a way to take control? The
damage could still be done and every finger would
point to Rafotech. Either way, it must pay well at
an estimated 30 billion fraudulent impressions per
minute!
WDFLoad
WFDLoad has been an active infection for a while now, and
especially the last few weeks of the quarter. It is classified
as an adware Trojan and injects advertisements into search
results and other websites. At least some variants have
been found with bitcoin miners wrapped in bundlers such
as InstallCube, InstallCore, and possibly Amonetize.
Cryptocurrency miners hijack your computer resources,
which in turn uses your electricity, and they profit from
it because the infected machine is mining coins for the
malware creator.
We have observed potentially unwanted programs like
toolbars and bundlers install miners before, but what
WDFLoad does takes it out of the realm of shady business
practices into criminal action.
Basically, the software does the following to the system:
• Schedules a task that launches a DLL component,
which in turn launches a coin miner
• Acts as “clicker” malware, encouraging the user to
click on the ads it pushes
• Uses aggressive techniques to block anti-malware’s
ability to remove
• It does this by inserting “disallowed signatures” for
applications like Malwarebytes and several other AV
companies so Windows will not allow them to run.
By using the “disallowed certificates” list, Windows User
Access Control (UAC) may pop up a warning informing the
user that the program was blocked or the user may get a
warning from security software stating it cannot connect to
its service.
12. 10 Cybercrime tactics and techniques Q2 2017
Because security solutions cannot launch, the adware cannot be removed. They want to do this because the more
clicks they get, the more money they make.
Figure 13. Untrusted certificates created by WDFLoad
POTENTIALLY UNWANTED PROGRAMS
PREDICTIONS
While legitimate browser developers like Firefox and
Chrome are making efforts to tighten security, the
adware industry is creating its own custom browsers
without any built-in security features and bundling
them along with adware applications. They will
shamelessly replace your own browser as the default
browser and expose you to the greater risks of using
such a browser.
We expect to see even closer ties between the
potentially unwanted system optimizers and tech
support scammers. Given the whack-a-mole game
most system optimizers are playing now, they will be
looking for a bigger return on investment.
The growing budget in advertising will undoubtedly
result in numerous and more advanced developments
of adware and ad fraud malware. As some of these
companies apparently have the budget and the
resources to do so, we may see them use the latest
ShadowBroker releases and other vulnerabilities without
consequence. We are already seeing the use of rootkits
and the manipulation of certificates to block security
software, which we also expect to get worse.
13. 11Cybercrime tactics and techniques Q2 2017
Exploits
What an interesting quarter for exploits! While in general, exploit activity has been shadowed by the use of malicious
spam for malware distribution, the leaks made by the ShadowBrokers group allowed criminals to use targeted exploit
attacks against vulnerable victims.
Figure 14. EternalBlue SMBv1 exploit traffic capture
The DoublePulsar exploit, also released by ShadowBrokers,
played a pivotal role in the spread of the WannaCry ransomware.
DoublePulsar is what’s called a malware loader and was used to
install WannaCry in an elevated state to compromised machines.
DoublePulsar is a Windows kernel Ring-0 exploit. This means that
the exploit code runs with the highest privileges possible and can
facilitate any modification or addition to the system with ease.
Once executed, DoublePulsar uses an APC (Asynchronous
Procedure Call) to inject a DLL into the user mode process of lsass.
exe. The code establishes a high-level connection, allowing an
attacker to exfiltrate information and/or install additional software
to the system.
The combination of these powerful attack mechanisms, along with
a well-crafted plan to seek out and identify vulnerable machines,
allowed for one of the most vicious and dangerous ransomware
strains ever seen to spread across the globe like wildfire.
The quick weaponization of the EternalBlue exploit sparked a
national debate regarding the stockpiling of vulnerabilities for use
by nation states, and even caused Microsoft President Brad Smith
to call for a set of Geneva Convention–like rules in cyberspace as
a means to prevent similar outbreaks. While the likelihood of this
remains to be seen, what is for certain is that we haven’t seen the
end of ShadowBrokers or their release of dangerous code capable
of inflicting damage on unprecedented scales.
SMBv1 TROUBLES
EternalBlue was part of the collection
of tools released by the ShadowBrokers
group in mid-April. The dump contained
several exploits with ornate names
such as EternalRomance, DoublePulsar,
ExplodingCan, and EternalChampion—all
affecting various Windows protocols and
systems.
A number of the disclosed tools were
capable of exploiting vulnerabilities
in SMBv1 to allow propagation of the
malicious code. SMB, also known as
Server Message Block, allows applications
on a computer to read and write files and
to request services from server programs
in a computer network. This ability allows
for applications to access files or other
resources and to read, create, and update
files on a remote computer. Furthermore,
SMB can also communicate with any
server program that is configured to
receive an SMB request.
This ability to communicate with any
server that is configured to receive an
SMB request allows for infected machines
to beacon out to other computers on a
connected network in attempts to spread
the malicious code by exploiting the
vulnerabilities in the SMB protocol.
14. 12 Cybercrime tactics and techniques Q2 2017
EXPLOIT KITS
There has been increased scrutiny on the RIG exploit kit from the security community and several takedown actions in
the past quarter. We also continue to observe private kits such as Magnitude EK and Neutrino EK with limited targeting.
One interesting aspect is the trend towards social engineering, which has expanded beyond focusing solely on Chrome
users as part of a notable website infection campaign. One surprising case we wrote about was the numeric tech support
scam campaign, which for a while was pushed onto Internet Explorer users instead of trying to infect them via exploits.
DOMAIN SHADOWING AND IP-LITERALS
RIG is one of the most well-documented exploit kits due in part to the fact that it is the most widespread and easiest to
catch. The EK operators have gone through a few URL patterns variations and added a gate to pre-filter against bots.
There was also a concentrated takedown operation of some of RIG’s infrastructure initiated by RSA Research, going after
the use of domain shadowing, a technique that has been in use for years and continues to work well.
RIG EK, like other exploit kits, operates on a constantly moving infrastructure, where subdomains—hence the name
“domain shadowing”—act as reverse proxies. Threat actors rotate through subdomains to avoid detection by maintaining
a large pool of stolen hosting credentials.
While RIG still relies on domain shadowing post takedown, it has been heavily using IP-literal hostnames in Q2.
Figure 15. RIG EK traffic
We also see Terror EK with the same domain-less URI pattern:
Figure 16. Terror EK traffic
15. 13Cybercrime tactics and techniques Q2 2017
PRIVATE KITS
Magnitude EK is, as usual, targeting certain Asian countries and delivering the Cerber ransomware.
Figure 17. Magnitude EK traffic
Neutrino EK is seen here and now, but remains quite elusive in general. It boasts better exploits than most of its
counterparts, except for the even stealthier Astrum EK which have seen only a few rare occasions.
Figure 18. Neutrino EK traffic
SOCIAL ENGINEERING
VARIATIONS
The EITest campaign (which
is comprised of hacked but
legitimate websites) has been
redirecting to several different
kinds of exploit kits over
the years. However, in this
quarter we saw some rather
unusual activity. Indeed, in
addition to the HoeflerText
social engineering scheme, it
also redirected users to tech
support scams.
This was a rather puzzling
move considering those
redirections happened if a
visitor was running Internet
Explorer, even if outdated
and exploitable. This is
symptomatic of an exploit kit
landscape in search of itself.
Figure 19. EITest campaign pushing tech support scams
16. 14 Cybercrime tactics and techniques Q2 2017
MALVERTISING
DISTRIBUTION CAMPAIGNS
Exploit kit activity stemmed
from various malvertising
campaigns while redirections
from compromised websites are
fewer in between. This is a sign
that malvertising remains a top
threat especially as it leverages
techniques promoted by certain ad
networks to bypass ad-blockers,
including RoughTed.
Malvertising feeds into specific
malware distribution channels
that are quite different from each
other. However, most tend to do
IP filtering for geolocation and
blacklisting of known security
researchers or crawlers. Some of
those campaigns have been around
for a long time and evolved, while
others are much newer. Figure
20 shows the most common
malvertising chains we have been
running into for Q2 2017, leading to
RIG EK.
Figure 20. Q2 2017 Malvertising chains
EXPLOIT PREDICTIONS
It has been just over a year since the Angler exploit kit vanished, following a series of arrests tied to the Lurk gang. With it
gone, we witnessed a decrease in quality exploits and techniques, followed by an overall stagnation.
The cost to acquire new exploits, especially zero-days, seems out of reach for current threat actors evolving in this space.
Most of them have actually been reusing code and stealing from each other. However, exploit dumps and leaks are a new
reality because of ShadowBrokers, and there is no doubt EK authors are paying close attention to any public release of
proof-of-concept code that would help them rejuvenate their arsenal.
It is possible that a critical flaw in a popular browser (not just a plugin) will be leaked and weaponized very rapidly. The
exact extent of future exploits has yet to be determined, but if the ShadowBrokers yet-to-be released exploits are of the
scale and caliber as we have seen with previous releases, then rest assured we haven’t seen the end of this show just yet.
17. 15Cybercrime tactics and techniques Q2 2017
Tech support scams
In late May, a wave of spoofed Amazon emails hit consumers, claiming to be about a cancelled order. This is a relatively
common pitch that has traditionally led to malware. This wave was notable for leading to a tech support scam. Upon
clicking the order number, the user was redirected to a compromised site.
Figure 21. Tech support scammer email phish
The second redirect lands on a (now down) tech support scam
site. A look at the infrastructure for the initial hacked site shows
a new batch of redirects pushing mostly pharmaceutical spam
that coincides with a second wave of fake Amazon emails in
early June.
Figure 22. Domains used by tech support scammers
The TTPs on display here are a little unusual, and most likely
indicative of a third party renting infrastructure for tech support
scammers to use. The general lack of technical sophistication
on the part of scammers has been well known for years, and it’s
unsurprising that other criminals would see this as a business
opportunity. We assess the current scam market as having
potential to expand into new tactics like these, sold by more
technically proficient third parties.
TECH SUPPORT SCAM PREDICTIONS
We predict that, considering the payment processing crunch outlined in last quarter’s report, the more successful
scammers will continue to migrate away from outbound calls for lead generation, and towards social media, email, and
malvertising. Tech Industry practices make meaningful defense against these vectors almost impossible, so moving
scam infrastructure to use them would be a logical progression.
Tech support scams will continue to have a long tail at the bottom of the sophistication scale, almost exclusively
due to prominent bargain hosting companies’ unwillingness to consider these scams abuse of their services. Twitter
will continue to play a significant role in the perpetuation of these scams as well, given their historic inability to deal
meaningfully with IP fraud and abuse of link shortening services to serve malicious sites.
18. 16 Cybercrime tactics and techniques Q2 2017
Breaches
Database breaches make up a significant component
of the threat ecosystem. Malicious actors search
out vulnerable systems using a large number of
methodologies and then compromise those systems
for the purpose of data exfiltration or ransom. Once
systems have become compromised, user databases
are collected and then released to the Internet.
Some malicious actors simply do this as a form of
entertainment while others have a financial incentive
or personal vendetta. Regardless of the motive, the
confidential information of companies, purchasers,
voters, employees, and applicants are available for the
world to see—if you know where to look.
Unfortunately, these leaks occur on almost a daily basis
and affect businesses large and small. No database is
immune to attack from a curious or dedicated attacker
and no one’s information is safe from release. Most of us
PERSONALLY IDENTIFIABLE INFORMATION
The personal information of potentially hundreds of
millions of individuals has been compromised over the
past quarter. This includes names, email addresses,
phone numbers, and student records.
On April 19, AllRecipes, the self-described “food-focused
social network” notified users who registered since June
2013 that their email address and password may have
been stolen. While AllRecipes has yet to confirm the
number of affected users, the site boasts membership
totals of more than 30 million.
Atlassian, the makers of the instant messaging service
Hipchat, began resetting passwords on April 24 after a
possible breach of their systems. While the number of
affected users has not been released, the company IPO
filing indicates 5 million users.
By far the largest of the compromised databases is
DocuSign, with potentially 100 million email addresses
being used for spam campaigns. On May 9, the
company announced that a malicious third party had
hacked a non-core system the company uses to send
out service announcement emails.
Zomato is India’s largest online restaurant guide. On
May 17, the company announced that user records
containing email addresses and hashed passwords
were stolen from internal systems. 17 million accounts
may have been affected by the breach.
To round out the top 5, on May 31, password
management firm OneLogin reported that an
unauthorized individual had gained access to a
database containing various stored records. Way back
in 2013, the company had 700 business customers
and 12 million licensed users. The current number of
affected users has not yet been reported.
have probably already had our personal information leaked
to the Internet and we don’t even know it.
This past quarter was no exception. Databases of
organizations large and small were compromised and
released to the Internet or offered for sale. The list of
compromised organizations is exhaustive, and we could
write an entire quarterly report discussing the various
attacks and leaks. Instead, we will focus on database
leaks affecting (or suspected of affecting) more than 1M
individuals, or affecting more than 200 locations.
This report will also exclude the various database
vulnerabilities reported by security researchers
encompassing potentially hundreds of millions of
personal records, yet have not been proven to have
been compromised by malicious actors. This includes
the Republican voter database reportedly containing 198
million records.
19. 17Cybercrime tactics and techniques Q2 2017
Zomato
Students
OneLogin
Fashion Fantasy
Docusign
Bell Canada
Atlassian
AllRecipes
1%
59%
1%
10%
18%
3%
7%
1%
Figure 23. Chart shows percentage of known records over
1M released in Q2
This excludes a number of reports impacting smaller
organizations or companies that have yet to release the
number of compromised users. This includes TripAdvisor,
BankGiro Lottery, and a number of medical facilities. If you
think your email might have been compromised, check out
https://haveibeenpwned.com to find out.
FINANCIAL INFORMATION
Organizations dealing with financial information
and transactions are highly sought-after targets
for attackers. Notable attacks this past quarter
targeted several large retailers including Kmart, Saber
Corporation, and Chipotle.
On April 4th, clothing retailer Brooks Brothers
acknowledged in a Breach Filing to the State of
California that systems were compromised and credit
card information was possibly stolen. While the
company has yet to release total figures, the company
operates 220 locations.
Gaming retailer GameStop acknowledged to Brian
Krebs on April 7th that they were investigating a serious
breach of compromised credit card information. While
the company has yet to release what information may
have been compromised or the number of locations
affected, the company operates a total of 6,614 stores.
On April 14th, IHG-branded franchise locations including
Holiday Inn and Holiday Inn Express, alerted customers
to a credit card data breach affecting some Point of Sale
systems. This attack affects potentially 1,175 locations.
May 1st, travel giant Sabre Corporation disclosed
a significant breach of the payment and customer
data systems tied to bookings and reservations. The
system serves more than 32,000 hotels and lodging
establishments – making this the largest breach of a
payment system in Q2.
Chipotle released notice on May 30th that the credit
card information of 2,250 locations may have been
compromised in a breach.
And just one day later, Kmart announced they had found
a security breach involving ‘unauthorized’ credit card
activity following the some customer purchases. While
the company has not yet released total figures, 624 of
their famous red and blue are still scattered across the
country.
20. 18 Cybercrime tactics and techniques Q2 2017
Sabre Corp
Kmart
IHG
Gamestop
Chipotle
Brooks Brothers
75%
1% 5%
15%
3%
1%
BREACHES IN Q2
OneLogin
Atlassian
Concordia
AllRecipes
Zomato
MacKeeper
Spotify
Prairie Mountain Health
Figure 25. Breaches in Q2 2017 with links to relevant articles
TripAdvisor
Docusign
IHG
GameStop
Chipotle
Kmart
Shoney’s
Carwashes
Figure 24. Chart showing percentage of financial information released in Q2
This graph also excludes a number of reports affecting smaller organizations. This includes FAFSA, Scottrade, Full House
Lottery, Shoney’s, and a large number of car washes.
Attacks against infrastructure are a continual battle that enterprises must face, and there is no indication that the
attacks are slowing down. Rather, services such as Shodan make it easier than ever to find vulnerable machines and
services, and with the ever-increasing sophistication of attacks, we expect to continue to see these types of breaches
released to the wild.
Waterworks
Brooks Brothers
Full House Lottery
Free Application for Federal
Student Aid (FAFSA)
Bowlmor AMF Bowling Centers
Sabre Corp
21. 19Cybercrime tactics and techniques Q2 2017
Researcher Spotlight
JEAN-PHILIPPE
TAGGART
Senior Security Researcher
at Malwarebytes Labs
Tell us three things about yourself.
I like hardware. I like building boxes. I used to be a computer repair
technician in a past life and I always liked building bespoke systems. I was
deathly afraid of virtualization when that came on the scene. I learned
to embrace it eventually, as you need to build pretty beefy underlying
hardware to run all these VM’s. That being said, I still love wiring switches,
running color-coded cables from one system to another. I like the physical
aspect of a network.
My battle station is epic. I’m surrounded by monitors and I’m convinced
lights dim in my neighborhood when I turn everything on. I find the soft
glow of LEDs, the blinking lights of switches, and the low whirr of cooling
fans strangely soothing. I love that I have at my disposal tools and
environments that would only really make sense to own and deploy if you
were a business.
I’m operating system agnostic. Too many people get evangelic about
what they use. Linux, MacOS, Windows…it’s all just different flavors of the
same things. It’s challenging to maintain them all, but there are some
programs or tasks that just work better in specific environments.
Q.
JT:
What do you like to work on?
I like designing environments that are hardened and “safe” to detonate
malware. Being able to see exactly what is taking place, what files are
modified by the malware, what network traffic is generated, where the
malware is trying to reach out to. All these things are fascinating to
me. This is a challenging thing to deploy. The bad guys never rest and
they’re continually innovating. Being able to poke and probe at samples
and most of all successfully fooling a tricky piece of malware that
actively tries to prevent analysis is an exhilarating feeling.
Q.
JT:
What cool or interesting things have you written about/researched/
discovered?
I once successfully deployed a memory acquisition environment on a
live system using a firewire card and laptop. The laptop masqueraded
as an external drive to have DMA access to the internal memory of the
victim system. I thought this was pretty cool, as memory acquisition
gives a unique perspective in malware analysis. For a bonus, this
was done with pretty much junk hardware I had lying around. Other
commercial solutions are super expensive or simply not made available
to the general public.
Q.
JT:
22. 20 Cybercrime tactics and techniques Q2 2017
What’s the biggest security failure you’ve
seen?
Witnessing a small business owner having to
pay for a ransomware decryption key. This
particular individual had no disaster recovery
plan and would have had to put the key under
the door and close the business as critical data
was encrypted. Never in my life was buying
bitcoins and acquiring the decryption key a more
depressing event. This is the worst-case scenario
and the worst possible outcome. Not only did
such an event demonstrates the viability of a
ransomware attacks to criminals, it is something
I never want to have to do again. Needless
to say, this particular victim now has multiple
backup solutions, as well as a strictly enforced
work-only machine policy. I was profoundly
uneasy in providing assistance with this
ransomware infection, as I am a strong advocate
in never paying, but in this case they saw no
other solution. Despite successfully recovering
most of the data, it felt like a defeat.
Advice for newcomers to the field?
Air gap. Roll out a completely separate
environment to play in. Computers have never
been cheaper. Dedicate some boxes to analysis
and keep them separate from your personal
stuff. It takes discipline, and it adds a cost to
deploying a malware lab, but it’s worth it. Also,
make bare metal backups and test them! If you
go in with the knowledge that is a when and
not an if, it will make rebuilding from scratch
that much less painful. Accept that these are
disposable machines that should go from your
lab to the bin once their usefulness has been
expanded. Be prepared to deal with an outbreak
in your lab. No one is perfect, and it is hubris to
think you’ll never make a mistake.
Who are some of your heroes in the industry?
It’s going to sound super cheesy, but Marcin
is my infosec hero. Here is someone who has
achieved more in the battle against malware
than most, and at such an early age. He has
put together an amazing team, who made an
amazing anti-malware solution, and I feel very
proud to be part of it..
What could we do better?
Petition our governments to stop hoarding zero-
days. The “nobody but us” doctrine has been
proven wrong time and time again. Allowing
these vulnerabilities to exist unpatched and not
notifying the software or hardware vendors for
long periods of time only means that they will be
independently discovered by others or escape
their control. This weakens everyone’s security
posture and results in widespread infections,
such as the recent Wannacry incident.
Name your favorite security events and why.
Defcon without a doubt. It’s an ever-expanding
mosaic of everything security related. A
melding pot of security professionals, law
enforcement, and sometimes also less savory
characters! Defcon is a conference that rewards
participation. You get what you put in. It’s an
opportunity to meet amazing people and it never
fails to surprise me, even with the recent rapid
growth it has experienced. I have walked into
talks I would never have thought about attending
because the ones I wished to attend were full
and discovered passionate presenters and fresh
new ideas.
Nastiest/cleverest infection you’ve seen?
There are so many to choose from. I would pick
the virtualization aware threats as whole family.
Any piece of malware that actively checks what
environment it is in before detonating presents
interesting challenges. Malware authors can
do these check in a variety of ways, and it is a
fascinating game of cat and mouse.
Q.
JT:
Q.
JT:
Q.
JT:
Q.
JT:
Q.
JT:
Q.
JT:
23. 21Cybercrime tactics and techniques Q2 2017
Conclusion
What a quarter this was! Two massive global attacks using ransomware combined with leaked NSA exploits, tech
support scams all over the place, and more malware than ever before. To a computer security specialist, these are
interesting times, however to a regular user, it’s likely quite scary.
To calm nerves, it helps to remember that the best way to combat the threats you see online are to use a combination
of technological security solutions (antivirus, anti-malware, etc.) and awareness of threats and how to avoid them.
KEY TAKEAWAYS
• Cerber continued to dominate the ransomware
market share for the third quarter in a row
• WannaCry and Petya attacks using the
EternalBlue exploit have forever shaken the
computer security world
• Jaff ransomware joined the fray, being heavily
pushed by the Necurs botnet in early May
• Locky ransomware still managed to make a small
dent in the ransomware market share, however it
has yet to return to its former glory
• Mac users are dealing with more malware than
in all of 2016 and can expect that to continue
throughout the year
• The WDFLoad potentially unwanted program
modifies trusted certificates on infected systems,
disabling antivirus/antimalware software
• The popular RIG exploit kit was disrupted heavily
by security researchers following poor practices
• Tech support scams are being pushed through
malvertising attacks, bundlers, and toolbars
• Q2 2017 saw a massive amount of breaches,
meaning lots of user information is in the hands
of the bad guys
KEY PREDICTIONS FOR Q3 2017
• Cerber will continue to dominate the landscape
• Jaff is going to make bigger splashes in the
ransomware market share
• We will see at least one more massive attack
that leverages one or more leaked NSA exploits
against systems in the wild for malware
spreading, distribution, and scams
• More Apple product malware is going to be
developed; the end of this year is going to look
very different than the beginning if you are a Mac
user
• More ad fraud malware will be developed for
mobile devices
• Custom adware browsers are going to try and
replace legitimate browsers, likely used to
push users to tech support scams as well as
advertisements
• We expect to see a greater effort to push users to
tech support scams using malicious means, such
as malvertising
CONTRIBUTORS
Adam Kujawa – Editor-in-Chief
Wendy Zamora – Editor
Phoebe Tai – Designer
Jérôme Segura – Exploits, Windows malware, Editor
Marcelo Rivero – Windows malware
Thomas Reed – Mac malware
Armando Orozco – Android malware
Nathan Collier – Android malware
Adam McNeil – Breaches, Windows malware
William Tsing – Tech support scams
Tammy Stewart – Potentially unwanted programs
Pieter Arntz – Potentially unwanted programs
Jean-Philippe Taggart – Researcher profile
24. ABOUT MALWAREBYTES
Malwarebytes is the next-gen cybersecurity company that millions worldwide
trust. Malwarebytes proactively protects people and businesses against
dangerous threats such as malware, ransomware, and exploits that escape
detection by traditional antivirus solutions. The company’s flagship product
combines advanced heuristic threat detection with signature-less technologies
to detect and stop a cyberattack before damage occurs. More than 10,000
businesses worldwide use, trust, and recommend Malwarebytes. Founded in
2008, the company is headquartered in California, with offices in Europe and
Asia, and a global team of threat researchers and security experts.
malwarebytes.com
corporate-sales@malwarebytes.com
1.800.520.2796
Santa Clara, CA