One of the challenges in threat intelligence is taking the massive amount of data we have about the threat landscape and distilling it into its most relevant components. A huge part of the reason for growth in data science (and in cyber security specifically) is habitually struggling with too much information. (With some exceptions) With this roadblock, it’s a challenge to focus in on the data that’s truly relevant.

Georgia Tech recently notified almost 1.3 million people about a potential breach of sensitive data, and in some cases, including a social security number. Over a four month period, there was a vulnerable server that allowed people to enumerate records on a back-end database, allowing the exfiltration of sensitive information. While universities are seen as more open environments, they do have sensitive information they have to protect.

On top of the RDP vulnerability out there, additional Microsoft Windows zero-days are out there, which can exploit enterprises and give attackers full system control. The RDP vulnerability had the potential to be used in a WannaCry like worm. 

In the past, a green padlock icon would inform the user that a site is secure and legit, whether it was true or false. Now, that is no longer the case. We are seeing more and more phishing sites using SSL/TLS certificates to try and fool people into thinking that a phishing site is actually legitimate. The appearance of free SSL/TLS certificates, which can be applied with ease (Let’s Encrypt, Comodo and more), allow scammers to harness SSL certificates to their own agenda, giving misguided people the felling of false security.

DNS is one of the single biggest important components to making the global internet work and it is often the most neglected aspects of a network. Invented in the 80's, DNS “just works," but its ease of use has people overlooking the power of using it to protect their customers. DNS offers the first clues to what is going on in your network and is used by criminals to steal data.

Last week, Cyberscoop reported that someone was launching a scan of the entire internet using packets spoofed with a source address of major American banks. That event is interesting in its own right, and follows an occasional pattern by which attackers occasionally try to manipulate the automation our industry uses to protect against attackers.

Between March 2 - 5, we detected a significant increase in scanning activities over Tenet ports via the target, ''NoThink! Telnet HoneyPot – IPs," provided by NoThink. To put this in perspective, the magnitude includes an increase of 4,000 IPs to about 130,000 IPs that were a part of the scanning on telnet ports, as presented in Figure 1 below.

LokiBot is a banking Trojan, crypto-miner and info-stealer, with versions running on both Windows and Android operating systems. The malware can also transform in to ransomware on mobile devices, if victims try to remove it from the device.

Recently, we were contacted regarding two different incidents of Business Email Compromise (BEC), where there was an attempt to redirect wire transfers from individuals to another bank account. One was successful and the victim lost six figures, one was interdicted because of an attentive individual who picked up the phone to ask, “Uh, are you sure this is right?” This kind of fraud is increasing and are more specifically targeted towards smaller firms and individuals trying to redirect high-dollar transactions.

As people start thinking about completing the upcoming United States census online, security concerns have emerged. While there are unique threats to the Census because of the impact it has on budgeting and government, these concerns tell us a great deal about the security concerns of doing business online.