SC Magazine: “After Norse: VCs, pros eye cyber investments”

The sudden demise of Norse Security has left many vendors and information security professionals in the industry wondering what happened. Brian Krebs wrote in detail about the activities that led up to Norse shuttering its operations over the weekend of January 30.

SC Magazine has also weighed in with an article focused on “…looking at lessons that can be learned from the collapse of a company that was until recently considered one of the fastest-growing threat intelligence companies.”

The article quotes Paul Mockapetris, chief scientist at ThreatSTOP and inventor of the Domain Name System (DNS), saying: “…the situation is a ‘wake-up call’ to figure out what products actually work. However, he doesn’t believe consumers will be able to determine the products and services that are most effective. ‘The analyst community and journalists are going to need to ask the hard questions,’ he said. For instance, last year Norse was placed on the industry’s Cybersecurity 500 list.”

The SC Magazine article concludes with a second statement from Mockapetris at ThreatSTOP: “…he expects cybersecurity will continue to attract investors. Speaking with, he said, ‘The fact that investors pour so much money into cyber companies proves that it’s an unmet need.’”

Mockapetris has spoken about the difference between security companies that do well financially and those that do good. Companies of all sizes are continuously under attack and need solutions from vendors they can trust. A few high-flying, free-wheeling security vendors may be giving information security professionals the wrong impression. Vendors that are led by true security industry veterans and contribute to the larger security community continue to innovate and deliver effective defenses against attacks.



I Smell a (Trochilus) RAT


A RAT, or Remote Access Trojan, enables attackers to remotely control malware residing on a victim’s machine to steal or corrupt data. The Trochilus RAT was discovered last October by Arbor Networks when threat actors used it to infect visitors to a website in Myanmar. The threat actors compromised the Myanmar Union Election Commission’s (UEC) website around the time of the nation’s first election since 2011.

Analysts revealed a connection to source code shared at https://github%5B.%5Dcom/5loyd/trochilus, known as the Trochilus RAT. Trochilus is a character from Greek mythology credited with inventing the chariot, but the word also means “a kind of small bird” and can refer to several types of hummingbirds. A third meaning comes from architecture; however, the exact meaning intended by the developer is unknown.


The Trochilus RAT is specifically engineered to evade detection by sandboxing and other, more traditional signature-based malware detection techniques. The RAT runs only in memory and is not written to the hard disk, so it leaves little trace behind and is difficult to detect. Sandboxing is used to test unverified programs that may contain a virus or other malicious code without allowing the software to harm the host device. Trochilus RAT can evade even best-in-class sandboxing technologies.

With an ability to move laterally between targets, it can jeopardize an entire network.

Additional capabilities:

  • Download/upload and execute
  • Remote uninstall
  • File manager


Trochilus RAT is one of a cluster of seven malware families called the “Seven Pointed Dagger,” which is being operated by sophisticated attackers dubbed Group 27 by researchers. Researchers consider this a multi-stage attack campaign, targeting Asian governments and (perhaps, in the future) non-government organizations.


When dealing with such evasive malware, standard techniques of blocking incoming malicious traffic, such as signature-based blocking and sandboxing, can be powerless. Once a device has been compromised, the malware can be remotely controlled and send private information home to the attackers. ThreatSTOP technology isolates the malware and prevents its ability to steal data by blocking the communications channels with its command and control.

ThreatSTOP began blocking the indicators for this campaign on January 14, 2016.

Wearables: The New Security Attack Frontier

Wearable devices are gaining traction, with estimates that more than 175 million will be in use by 2018. Today, one in five Americans own such a device, and one in 10 wears one daily (PwC). Most HR and IT departments have little concern for employees’ use of these devices. We don’t think of them as having a hard drive with sensitive data, WiFi or cellular activity, or indeed any continuous connection to the Internet. You may want to think twice.

Case in point: Fitbit, a wearable fitness device, has now proven to be vulnerable to hackers. By just passing within 30 feet of a victim, attackers can pass malware via Bluetooth within 10 seconds and infect the device on your wrist. Your Fitbit automatically syncs over Bluetooth with your mobile device (phone, tablet, what have you), which uploads your data along with the malware to the Fitbit server. This in turn executes in your browser the next time you visit the Fitbit site to track health statistics.

The code uploaded to the legitimate Fitbit site from your mobile device is then capable of infecting your laptop at your next login. Your attack surface has now potentially expanded from your Fitbit to your corporate laptop as a result of visiting a trusted site.

Such attacks can spread to any number of wearable device types. And, neither HR nor corporate IT can prevent employees from using these devices. Not yet anyway.

Bah-Humbug: Targeting Children’s Identities During the Holiday Season

Two recent massive breaches appear to be targeting children’s identities—attacks on VTech and Hello Kitty. Stealing the identities of children is not only far more morally egregious than targeting adults; the crimes will likely not be uncovered for many years—no one expects their child’s identity to be stolen, and therefore nobody monitors for such activity. It is usually detected when a child matures and seeks to secure credit for a student loan or first auto loan, only to find these credit facilities unavailable at a critical point in young adulthood.

Why children’s identities? Unlike adult identities, which may or may not be useful because a certain percentage have low or mid-range credit scores, children’s identities have no history and usually register credit scores good enough to secure credit.

Hello Kitty

According to CSO Online, a database for, the official online community for Hello Kitty and other Sanrio characters, has been discovered online by researcher Chris Vickery. The database houses 3.3 million accounts and has ties to a number of other Hello Kitty portals.

The records exposed include first and last names, birthday (encoded, but easily reversible Vickery said), gender, country of origin, email addresses, unsalted SHA-1 password hashes, password hint questions, their corresponding answers, and other data points that appear to be website related.
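The unsalted SHA-1 hashes mentioned above are the weak point in this record set. The following added example (not from the CSO Online report or the Sanrio site) contrasts that legacy scheme with a salted, iterated PBKDF2 store and shows why unsalted hashes are dangerous at scale: every user who chose the same password ends up with the same hash, so one recovered password unlocks a whole group of accounts. All usernames and passwords are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample credentials for illustration only; not data from any breach.
SAMPLE_USERS = {"kitty_fan1": "hello123", "kitty_fan2": "hello123", "kitty_fan3": "xyzzy"}


def legacy_sha1(password: str) -> str:
    """The weak scheme described in the report: unsalted SHA-1 of the raw password."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Hardened replacement (our choice, not something the page prescribes): PBKDF2-HMAC-SHA256
    with a random 16-byte per-user salt and a high iteration count. The algorithm, iteration
    count, salt and derived key are packed into one '$'-separated string for storage."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group usernames that share an identical stored hash. With unsalted SHA-1, everyone who
    picked the same password collapses into one group (one guess cracks them all); with
    per-user salts, identical passwords still produce distinct hashes and no groups form."""
    groups: Dict[str, List[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    legacy = {u: legacy_sha1(p) for u, p in SAMPLE_USERS.items()}
    hardened = {u: store_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted SHA-1 collisions:", duplicate_hash_groups(legacy))
    print("salted PBKDF2 collisions:", duplicate_hash_groups(hardened))
```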

Vickery also noted that accounts registered through the fan portals of the following websites were also impacted by this leak:;;;; and

In addition to the primary sanriotown database, two additional backup servers containing mirrored data were also discovered. The earliest logged exposure of this data is November 22, 2015.

Researchers are actively seeking to get access to the data dump, which has not been made public as of publication.


According to ABC News, “the scope of the VTech cyberattack in November was global. The Hong Kong-based company said its customer database includes people in various countries: the United States, Canada, United Kingdom, Republic of Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Hong Kong, China, Australia and New Zealand, in addition to various Latin American countries.

VTech said 4,854,209 parent accounts and 6,368,509 related kid profiles were affected by the security breach, after its Learning Lodge store, a portal where customers can download educational content to their child-friendly VTech devices, had been accessed by an unauthorized party Nov. 14.

VTech’s customer database includes “general user profile information,” according to the company.

That includes a customer’s name, email address, password, secret question and answer for retrieving a lost password, IP address, mailing address and download history. In addition, VTech says its “database also stores kids’ information including name, genders and birthdates.”

The information in both of these attacks is adequate to successfully steal the identities of millions and millions of children. Unlike credit card fraud, which is limited to enabling a fraudster to access your account, identity fraud enables a fraudster to take over the identity of an innocent person to open accounts or loans for an auto, home, wireless phone or credit card in the victim’s name, and abuse that credit. It often results in massive, delinquent debt linked to the victim’s good name. It is a crime that is difficult to prosecute, and even more difficult for the victim to recover from.

Christmas Spam, And We Don’t Mean the Canned Stuff

It’s the time to be jolly! Fa la la la la la la la la la…

And, it is also the time of year to do your best to avoid holiday spam.

Scammers and spammers use this time of year and seasonal themes to attract unsuspecting victims to their elaborate malicious campaigns using Santa, Christmas and other holiday titles and icons.

We collected some samples of spam that ThreatSTOP employees received over the last few days and looked, with holiday spirit, to see what is behind those smiling Santa emoticons. No big surprise there – no gift cards, no big discounts, and no, they did not manage to make our kids believe in Santa — they just hoped to install malicious software or steal our information…

[Screenshots: holiday spam samples 3, 5 and 6]

So, just our 2 cents: make this time of year happy for you and your loved ones. As always, do not open any suspicious emails, and do not try to win big from some internet faux marketing campaign. Instead, just relax and enjoy the company of friends and family!

Happy Holidays and a Happy New Year from all of us here at ThreatSTOP!

Rovnix Downloader Evades Sinkholing

The Rovnix downloader malware is now capable of checking for sinkholing of its domains before connecting to them to evade detection by security tools. This is a new capability not previously observed in malware operations.

The activity we’re seeing with this latest functionality maps to evasion technology in other malware and exploit kits that avoids detection by security tools and security professionals.

In the case of Rovnix, it will not communicate with its command and control servers if it perceives potential interdiction by security researchers, thus bypassing security measures that rely on behavior-based detection.

Information about the Rovnix malware and this new behavior was published recently by McAfee (Intel Security); more information can be found here.

ThreatSTOP customers are protected from Rovnix.

dinCloud: Security Experts Share Thoughts on What Measures Organizations Should Implement to Secure their Cloud Environments

Cloud security has always been a hot topic, especially more recently when you consider the multiple high-profile outages at large cloud providers like Amazon, GoDaddy, and Google Apps.

Generally speaking, most cloud providers are quite reliable compared to a company running its own servers on premises. In a recent report, Forrester Research said that companies will spend $2 billion over the next five years to protect their data in the cloud. Whether you decide to have a cloud service provider run your IT infrastructure or take the DIY route, there are a number of security measures organizations can implement to safeguard their cloud infrastructure.

We polled several security experts who shared their thoughts on some of the measures organizations should put in place in order to make sure their cloud environment is secure. Here’s what they had to say…

Francis Turner, VP Research and Security, ThreatSTOP

“By far the most important thing any enterprise moving to the cloud can do is decide who shouldn’t have access to the resources in the cloud and deny access based on this. If, for example, the organization never expects its cloud resources to be accessed by people in China or Eastern Europe, then blocking all access to these resources from those locations provides a huge amount of security at very little cost. Similarly, it makes sense to block known scanners, even if they scan (currently) for ports or protocols that you do not use. As seen with Heartbleed and Shellshock, once a new exploit becomes available, malicious actors use their existing infrastructure to scan everything they can find for that vulnerability. By blocking all access to your cloud resources from places you don’t need access from and known bad actors, you get protection against zero days and also see significantly lower resource utilization overall.”

Jason Bystrak, Executive Director the Americas, Ingram Micro Cloud, and Erik Walczak, Field Technical Consultant, Management and Security Solutions at Ingram Micro

“In our opinion, the most challenging aspect of security rests not only in its requirement for a multi-layered technical approach, but in the awareness and involvement needed from everyone in the organization. To get the obvious out of the way, we highly recommend every organization has endpoint security, anti-spam, message archiving, and firewall and perimeter defense (such as intrusion detection and prevention, single sign-on, and mobile device management) implemented in their security strategy. Also, with the cloud IaaS model, scaling and managing resources can be as simple as a few clicks. Make sure you are properly organizing your user and group accounts so access and control rights are only granted to specific people. Otherwise, you might wake up one day and realize someone accidentally deleted your environment, or added a plethora of resources – mishaps that happen regularly, but can be easily avoided.”

Jim Poole, Vice President, Global Service Providers at Equinix

“As the cloud pulls enterprise IT service delivery off-premise and out to the edge, security becomes extremely important. Enterprise customers moving to the cloud should look for situations where they can establish a direct connection to cloud service providers. This will not only increase their security, but it will also boost performance of their cloud-based applications.”

dinCloud’s Take

dinCloud CTO Mike Chase says, “A secure cloud is one where all traffic is filtered, every endpoint defended, multiple products catch what one alone may not, key elements may be replicated geographically, and when you’ve done all you can do and it’s still not enough – that full rollback to a prior point in time is assured.”
