Between March 2 - 5, we detected a significant increase in scanning activities over Tenet ports via the target, ''NoThink! Telnet HoneyPot – IPs," provided by NoThink. To put this in perspective, the magnitude includes an increase of 4,000 IPs to about 130,000 IPs that were a part of the scanning on telnet ports, as presented in Figure 1 below.
Read More
LokiBot is a banking Trojan, crypto-miner and info-stealer, with versions running on both Windows and Android operating systems. The malware can also transform in to ransomware on mobile devices, if victims try to remove it from the device.
Read More
Recently, we were contacted regarding two different incidents of Business Email Compromise (BEC), where there was an attempt to redirect wire transfers from individuals to another bank account. One was successful and the victim lost six figures, one was interdicted because of an attentive individual who picked up the phone to ask, “Uh, are you sure this is right?” This kind of fraud is increasing and are more specifically targeted towards smaller firms and individuals trying to redirect high-dollar transactions.
As people start thinking about completing the upcoming United States census online, security concerns have emerged. While there are unique threats to the Census because of the impact it has on budgeting and government, these concerns tell us a great deal about the security concerns of doing business online.
Read More
Imagine This: You have a precious and valuable treasure. You keep this treasure in your bedroom. Criminals come from all over the land, every night and day, laying siege to your home to steal this treasure. You have no gated community, no security patrol, no walls around your home, no doors or windows - and every fight with a criminal happens right there in your bedroom with your treasure just feet away. You know that one misstep, one lucky punch, and you lose your most precious treasure. It’s game over.
Most ThreatSTOP customers log into the portal once a day to see what has happened on their network in the past 24 hours. Even if you can’t log in, you have a summary automatically emailed to you once a day. However, most customers do log in because they realize it’s especially important to remediate infected machines in a timely manner.
Read More
Like many technologists who are also parents, I think a great deal on how best to protect my family online. Working for a security company, I have access to more tools than the average person, so recently I’ve implanted DNS security at home. I focused more on DNS because there are no “services” offered on my home network, and I’m mostly concerned more about my kids or wife clicking on a phishing link or similar outbound malicious traffic.
Read More
Like many security researchers, I not only run my own mail servers, but I generally do not have spam filtering on many of them so I can see the interesting attacks that come in. Then, dig into them as time allows. Yesterday, I got an interesting take on the ever-present invoice maldocs campaign, this time it was spoofing a DocuSign email suggesting I had an invoice to sign.
Read More
ThreatSTOP recently had the ASN 64484 Jupiter 25 (also known as DMZHOST) brought to our attention as the source of some DDoS attacks. This AS is a fascinating one that has a single upstream (Quasi Networks – a hosting provider formerly and notoriously known as Ecatel) and announces just a single /24.
The single /24 is not, of itself, an indicator of badness. (ThreatSTOP’s AS also announces a single /24) However, it does suggest that the AS is not a major hosting provider since only about 250 separate unNATed hosts can be run on that network.
Read More
Recently, fellow researcher Vitali Kremez took a look at some new binaries from the Gamaredon Group. This is a Russian state-sponsored group that has been active since about 2013. The malware specifically is the Pteranodon implant, which provides a variety of functions such as remote command execution, downloading and executing other files, and collecting system data. It was the subject of a recent CERT UA blog post here (note: this site is in Ukrainian).