The DNC Attacked by Bears?


Following the Democratic National Committee’s (DNC) announcement of a breach in June 2016, a report by CrowdStrike detailed its findings about the threat actors behind the attack, concluding that it was the work of two different sophisticated Russia-based APT groups.

Subsequently, an individual calling himself Guccifer 2.0 claimed responsibility for the attack, countering CrowdStrike’s claim that it was a sophisticated breach, and published leaked documents as proof, saying he had passed material to WikiLeaks. Ars Technica reported, “…either CrowdStrike misattributed the breach to the wrong groups or failed to detect that one or more additional actors had also gained high-level access and made off with a trove of confidential information.”

CrowdStrike’s report attributed the intrusion to two adversaries it tracks as Fancy Bear and Cozy Bear. Some background on the suspected threat actors:

Fancy Bear

  • a.k.a. Sofacy and APT28
  • Known for spear-phishing attacks against government and military organizations worldwide
  • Registers domains similar to commonly-used websites to phish victims for credentials
  • Sends trojans through weaponized documents to conduct cyber espionage
  • Believed to have breached the DNC in April 2016 and taken opposition research on Donald Trump

Cozy Bear

  • a.k.a. CozyDuke and APT29
  • Known for targeting a wide range of industries, including defense, legal, and financial organizations
  • Sends spear-phishing emails to drop Remote Access Trojans (RATs) that allow attackers to have persistent access to the victim’s networks
  • Tied to hacks of the White House, State Department, and the Joint Chiefs of Staff
  • Believed to have breached the DNC in the summer of 2015

New ThreatSTOP Research Report on Why Healthcare Data is Under Attack


Last year, 1 out of every 3 Americans was the victim of a healthcare data breach.

The healthcare sector combines many points of weakness with highly desirable data. Factors such as the mix of system types in hospital networks, clinical devices that are not or cannot be updated, and a lack of cybersecurity awareness among users with access to highly sensitive data all create high levels of risk in the industry.

ThreatSTOP’s latest research report, “Healthcare Data Under Siege: Ransomware and the Cyber Threat Landscape” provides insight into what makes the healthcare industry both an attractive and vulnerable target for attacks. The report discusses attacks commonly used including ransomware, phishing attacks, and DDoS.


Release 3.95

ThreatSTOP 3.95 release includes:

  • Reporting improvements
      • A new Date Summary report has been added for users with DNS Firewall Devices.

The Date Summary report displays the number of threats broken down by date and severity level. This interactive report gives you a granular view of when threats appeared in your organization’s traffic, so you can quickly identify possible threats on your network, track threat patterns, and build accurate investigations.



For more detailed information on the features in this release, please visit our Documentation section.


Going to Microsoft Ignite? Stop by and visit ThreatSTOP at booth #314.

Patchwork Attack – Are You Covered?

Patchwork, so dubbed for its use of copy-and-pasted code from various online sources, is a targeted attack focused on obtaining documents from governments and government-affiliated organizations with dealings in Southeast Asia and the South China Sea. According to researchers from Cymmetria, Patchwork targeted personnel working on military and political assignments worldwide. They suspect that the attackers originate from India.

The attackers infected their victims using targeted spear-phishing emails with malicious PowerPoint attachments weaponized with CVE-2014-4114, the Windows OLE vulnerability first exploited by the “Sandworm” campaign. Once opened, these attachments download and run executables that exfiltrate data to a command-and-control server and establish persistence on the infected machine. Patchwork is estimated to have infected 2,500 machines since researchers first recognized an infection in December 2015.
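As an added illustration (not from the original post or from Cymmetria’s research), the following Python triage check looks inside a PPTX/PPSX container for the features the CVE-2014-4114 documents relied on: OLE-object relationships whose target is an external UNC or file: path, alongside embedded OLE streams. The sample deck it builds is constructed for the demonstration and is not a working exploit; the 192.0.2.10 address and file names are placeholders.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Magic bytes of an OLE2 compound file, which is how an embedded "package" object is stored.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"


def triage_pptx(data: bytes) -> dict:
    """Inspect a PPTX/PPSX (an OPC zip) for OLE-object features associated with CVE-2014-4114.

    Reports embedded OLE streams and externally targeted OLE relationships, and sets
    'suspicious' when an OLE relationship points at a UNC or file: path. Embedded OLE
    objects alone are common in benign decks, so they are listed but do not trigger
    the verdict by themselves.
    """
    result = {"embedded_ole": [], "external_ole": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.startswith("ppt/embeddings/"):
                if z.read(name)[:8] == OLE_MAGIC:
                    result["embedded_ole"].append(name)
            elif name.endswith(".rels"):
                root = ET.fromstring(z.read(name))
                for rel in root.iter():
                    # Tags are namespaced, e.g. "{...relationships}Relationship"
                    if rel.tag.rsplit("}", 1)[-1] != "Relationship":
                        continue
                    if rel.get("Type") != OLE_REL_TYPE or rel.get("TargetMode") != "External":
                        continue
                    target = rel.get("Target", "")
                    result["external_ole"].append((name, target))
                    if target.lower().startswith(("file:", "\\\\", "//", "smb:")):
                        result["suspicious"] = True
    return result


def build_sample_pptx(external_target=None) -> bytes:
    """Construct a minimal PPTX-shaped zip for the demo (placeholder content, not an exploit)."""
    rid3 = (
        f'  <Relationship Id="rId3" Type="{OLE_REL_TYPE}" Target="{external_target}" TargetMode="External"/>\n'
        if external_target else ""
    )
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">\n'
        '  <Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>\n'
        f'  <Relationship Id="rId2" Type="{OLE_REL_TYPE}" Target="../embeddings/oleObject1.bin"/>\n'
        f"{rid3}"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        z.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
        z.writestr("ppt/embeddings/oleObject1.bin", OLE_MAGIC + b"\x00" * 504)  # fake OLE header only
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder UNC target in the documentation range 192.0.2.0/24
    sample = build_sample_pptx(r"file:///\\192.0.2.10\share\slide1.gif")
    print(triage_pptx(sample))
```

Run on a quarantined attachment with `triage_pptx(open(path, "rb").read())`. A hit on `suspicious` is a strong reason to detonate the file in a sandbox rather than deliver it; a deck that only has `embedded_ole` entries needs the embedded stream itself inspected (for example for `.inf` or executable payloads) before drawing conclusions.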

It is important to mention that this attack is very simple on the technical side: it exploits a vulnerability that was patched long ago and uses mostly open-source code that is widely available online for anyone to grab. And yet this campaign has managed to infect so many. “This group shows how low the bar has been moved for a successful APT attack to take flight,” said Gadi Evron, CEO and founder of Cymmetria. “We are impressed that these attacks were able to infiltrate high-end organizations given the apparent low technical aptitude of the attackers.”

The vulnerability used in this attack was patched by Microsoft back in 2014 (bulletin MS14-060), which only highlights the need for regular system updates. Note that the original fix was incomplete and bypassed (CVE-2014-6352), with the follow-up shipped in MS14-064, so a machine is only covered once both updates are applied.

ThreatSTOP customers are protected from Patchwork.

More Bad News for Android Users


There has been a recent surge of malware most commonly known as Shedun or HummingBad, which has infected around 10 million Android phones. Lookout discovered Shedun back in November 2015 and found that its creators make it easy to deceive victims into installing the software unintentionally. The user downloads, typically from a third-party app store rather than Google Play, what they believe is a legitimate app such as Facebook, Twitter or WhatsApp, but what they are actually installing is a repackaged copy carrying the Shedun malware.

Shedun is rootkit-style malware: it roots the device, giving the threat actors access to and control over it. With that access they can reach documents and files on the device and steal or alter them. Malware of this type has also been known to conceal other malware, such as password-stealing keyloggers.

Check Point has stated that Shedun has the ability to read the text on a user’s screen, and BBC News reported that it can watch the browsing habits of its infected host. In addition to these threats to the user, once installed the software can “insert itself deep inside a phone’s operating system to help it avoid detection”. This of course makes it difficult for a person to know whether or not their phone has been infected, and unaware users continue to be accessed and controlled by these hackers. Even a user who knows they are infected with Shedun will find it hard to remove: because it installs itself into the system partition, a factory reset, which only wipes user data, does not remove the malware from the device.

The creators of the Shedun malware have been making about $300,000 a month from these infected users, mainly through fraudulent ad revenue. The Check Point researchers believe that Shedun’s creators could increase their profits by selling access to the devices under their control to the highest bidder.

The countries that have been hit the worst by Shedun are China, India, the Philippines and Indonesia.

Check IOC: Powerful Research, Consolidated Information

Indicators of compromise (IOCs) are important breadcrumbs that tell you your organization may have been exposed to an attack. Learning what these indicators are and how to recognize them helps you stay one step ahead of attackers and stop breaches before they happen, or at least stop attacks while they are still in their early stages.

Some of these indicators include unusual DNS requests, unaccounted for file changes, mismatched port traffic, unusual account activity, and irregular network traffic – including traffic from odd geographic locations.

There are multiple tools security professionals can use to research and monitor this activity. ThreatSTOP has simplified the process by introducing a powerful new research tool called Check IOC, which with one query, gives you access to all of this information in one place.



Check IOC enables you to simply input a domain and gather a wealth of information connected to that name. The query lets you know if the suspicious domain is actively present or has been historically present on any of your assets so you can isolate those targets for remediation.

You get a list of related records which includes the targets where the domain is present plus the IP address it resolves to. You can also drill down into the IP addresses for additional information.



Check IOC also includes DNS lookup and Whois information, which helps explain odd geographic traffic by tying a domain to its registrant and hosting rather than leaving it as an anonymous address.

And last, but not least, you get passive DNS information. Passive DNS databases record which names resolved to which addresses and when, so they provide context for your network traffic data. Once a domain name or IP address has been marked as malicious, a passive DNS database makes it simple to identify other potentially malicious domain names that have mapped to the same IP address, instead of sorting through cumbersome DNS logs by hand.
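To make the pivot concrete, here is an added Python example (not ThreatSTOP’s code or Check IOC’s implementation) that does the two things described above: given a domain already marked malicious, it finds other names that resolved to the same IP addresses during overlapping time windows in a passive DNS table, then matches the resulting indicator set against a resolver log to list which internal hosts queried them, which is the “unusual DNS requests” indicator mentioned earlier. The passive DNS records, resolver log lines and names are constructed for the example; the addresses come from the documentation ranges.

```python
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations: (rrname, rdata, first_seen, last_seen).
# Names and addresses are made up; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
PDNS = [
    ("login-secure-update.example", "198.51.100.23", "2016-05-02", "2016-06-30"),
    ("mail-attach-view.example",    "198.51.100.23", "2016-05-20", "2016-07-01"),
    ("cdn.shared-hosting.example",  "198.51.100.23", "2014-01-01", "2016-07-01"),
    ("corp-portal.example",         "203.0.113.8",   "2015-01-01", "2016-07-01"),
    ("login-secure-update.example", "198.51.100.24", "2016-07-01", "2016-07-10"),
    ("old-campaign.example",        "198.51.100.24", "2015-01-01", "2015-03-01"),  # same IP, earlier tenant
]

# Constructed internal resolver log: (timestamp, client, qname).
RESOLVER_LOG = [
    ("2016-06-14T09:12:03", "10.0.4.17", "login-secure-update.example"),
    ("2016-06-14T09:12:05", "10.0.4.17", "www.example"),
    ("2016-06-21T16:40:11", "10.0.9.3",  "mail-attach-view.example"),
    ("2016-06-22T08:01:00", "10.0.2.2",  "cdn.shared-hosting.example"),
]


def _overlaps(a, b):
    """True if date windows a=(first, last) and b=(first, last) intersect."""
    a0, a1 = date.fromisoformat(a[0]), date.fromisoformat(a[1])
    b0, b1 = date.fromisoformat(b[0]), date.fromisoformat(b[1])
    return a0 <= b1 and b0 <= a1


def pivot_pdns(seed, records, max_cohosted=50):
    """Names that shared an IP with `seed` while `seed` pointed at that IP.

    Returns {name: sorted list of shared IPs}. An IP hosting more than
    `max_cohosted` names is skipped: pivoting through shared hosting or a CDN
    mostly produces noise, and an analyst should look at those by hand.
    """
    by_ip = defaultdict(list)
    for name, ip, first, last in records:
        by_ip[ip].append((name, (first, last)))

    related = defaultdict(set)
    for name, ip, first, last in records:
        if name != seed:
            continue
        cohosted = by_ip[ip]
        if len(cohosted) > max_cohosted:
            continue
        for other, window in cohosted:
            if other != seed and _overlaps((first, last), window):
                related[other].add(ip)
    return {n: sorted(ips) for n, ips in sorted(related.items())}


def affected_assets(indicators, log):
    """Map internal clients to the indicator names they queried (case-insensitive, trailing dot ignored)."""
    wanted = {i.lower().rstrip(".") for i in indicators}
    hits = defaultdict(set)
    for _ts, client, qname in log:
        if qname.lower().rstrip(".") in wanted:
            hits[client].add(qname)
    return {c: sorted(q) for c, q in sorted(hits.items())}


if __name__ == "__main__":
    seed = "login-secure-update.example"
    related = pivot_pdns(seed, PDNS)
    print("co-hosted during the seed's active window:", related)
    print("internal hosts that queried the indicator set:", affected_assets({seed, *related}, RESOLVER_LOG))
```

Two details matter in practice. The time-window check is what keeps `old-campaign.example` out of the results even though it once sat on the same address: an IP that changes tenants should not taint everything that ever lived there. And the co-hosting cap is the knob you turn when the seed sits behind shared infrastructure; a pivot that returns thousands of names has told you about the hoster, not the adversary.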

If you have used ThreatSTOP’s Check lookup tool, you’ll love all of the additional capabilities you get with Check IOC. If you’re not currently a ThreatSTOP customer, sign up here for a free trial and start checking your IOCs.

Know before you (Pokémon) Go


I have noticed that everyone, even those dolts on the Today Show, is talking Pokémon. No one has said Pokémon in years, and it is now on everyone’s lips. We can thank Pokémon Go. The app, which launched last week, quickly became a viral phenomenon, topping download charts in the United States, Australia and New Zealand. It’s estimated that around five percent of all Android users in America have downloaded the app to date.

The wild popularity of Pokémon Go may have made it a victim of its own success. Server issues aside, the game became a target for attackers keen to take advantage of the trend: shortly after the official release, a malicious Pokémon Go app containing the remote access tool “DroidJack” appeared, and players eager to get their hands on the game in countries where it had not yet been released fell for it.

Infected users got the malicious version by “sideloading” the app, that is, circumventing the Google Play store by downloading an APK file from the web and installing it directly. This is nothing new; Android users have been able to do this for a long time simply by enabling “Unknown sources” in their security settings, but this incident being attached to such a popular game has shone a spotlight on the loophole once again.

Back in 2012, a study by McAfee found that more than sixty percent of Android malware samples belonged to a family known as “FakeInstaller”. This malware disguises itself as a legitimate app and, once installed, sends premium-rate SMS messages in the background, costing users real money.

The lesson to be learned here is if something is too good to be true, it probably is. To be secure you have to be cautious and sometimes that means being patient and waiting a few more days before you snag a Snorlax.

So you might be thinking “I never sideload anything,” but does the same apply to everyone in your organization? The reality today is that people bring their personal mobile devices to work all the time, and those devices touching your network could be infected with malicious software. The only way to be truly safe is to stop threats at the source by blocking them from reaching your network in the first place.
