Last week, Universal Health Services confirmed that the ransomware attack on its networks on September 27th affected computers at all of its US care sites and hospitals. The ransomware that hit UHS, one of the largest health systems in the US, is the infamous Ryuk, which has been wreaking havoc in targeted ransomware attacks since 2018. During the attack, Ryuk shut down systems in the emergency department as well as other systems, so some ambulances had to be diverted and lab test results were delayed. Technicians at some UHS-owned facilities described reverting to pen and paper during the attack.
The alarming concept of IoT cyber attacks sends us straight to a dystopian vision of crashing self-driving cars and smart elevators stuck in place with evil music playing in the background. Looming over the excitement about next-generation technology is a cloud of worry about the cyber implications of connecting everyday devices to the internet. While we're sure that a hospital whose critical scanning machines are being held captive by ransomware will pay up, we don't tend to stop and think about the small day-to-day actions that may be affected as well. If your printer were held hostage by ransomware before a critical meeting and you had to pay $100 to free it, would you?
Many online merchants use Magento, a leading digital commerce platform, to host their online stores. Last week, thousands of these merchants found themselves under attack. This massive, automated campaign, dubbed "Cardbleed" by Sansec because it steals credit card information from online store customers, is the largest of its kind to date.
Since the beginning of the Coronavirus epidemic, threat actors have been exploiting the panic around the deadly virus to deploy cyber attacks. More Coronavirus-related campaigns are spotted every day, and we are seeing a surge in the number of suspicious domains registered in relation to the virus.
To combat these prevalent attacks, our Security Research Team has curated a blocklist of thousands of malicious Covid19-related domains, integrated from our threat intelligence sources and supplemented with additional IOCs found by our team through manual analysis.
We highly recommend adding the Covid-19 domain target to your policy to protect yourself from these threats. You can do so by enabling the COVID19 Fake Domains – Domains target, or by enabling our Phishing bundle.
This is an opportune time for cyber attackers. While people are in a frenzy to buy food and masks, to figure out how they are going to work from home, or to cope with the loss of their jobs, cyber attackers show no mercy in taking advantage of the situation to deploy a wide variety of Coronavirus-themed attacks.
Much malware is delivered from otherwise legitimate sites. Sometimes this happens by compromising existing websites, but more often than not it is done by using existing advertising networks as the delivery channel. Quite simply, the attacker buys ad impressions through existing channels and uses a variety of malvertising tricks either to compromise the web browser directly or, at the least, to trick the user into installing the malware. This specialized form of malware delivery requires a specialized collection methodology to detect such attacks.
While it does not boast any special or complex installation tactics, Shlayer's distribution vector has made it a tremendous success: the malware has been the most prevalent macOS strain since its debut two years ago, never falling from its leading spot. Shlayer uses a well-known infection tactic: clicking a malicious link directs the victim to a fake Adobe Flash update.
Last week, I had the pleasure of speaking at Virus Bulletin on the recent news of iPhone (first reported on by Google Project Zero) and Android (first reported on by Volexity) mobile malware being used to target Tibetans (as reported by Citizen Lab) and Uighur Muslims inside and outside the People’s Republic of China. Lots of great research is linked above and you should definitely read it.
Whenever events like these occur, researchers from many organizations are researching pieces of it. If you are interested in Chinese APT attacks against these groups, certainly take a look.
One of the most interesting things to me when looking into these attacks is the sophistication and persistence of the adversary. As vulnerabilities got patched, they reused what pieces they could from their attacks and discovered new vulnerabilities to maintain their ability to act on their surveillance objectives. Some of the tools used indicate relationships to other Chinese APT groups, and certainly these types of attacks could be used against truly foreign adversaries as well.
Making connections and finding new indicators is an important part of IOC analysis, and is probably the most enjoyable part as well. Blog posts and reports on new threats will usually mention the indicators seen to be used by the specific malware sample or attack vector analyzed, yet in many cases there is a larger malicious infrastructure behind them just waiting to be uncovered (and blocked!). Sometimes an entire additional malicious infrastructure can be revealed by examining IOCs related to known-malicious IPs and domains. A variety of tools can help analysts investigate indicators of compromise and the infrastructure behind them, and perform enrichment to shed light on related malicious indicators.
In this post, we will review some of our Security Research Team’s favorite connection and enrichment platforms.
The first step in IOC analysis is obtaining the indicators to analyze. Some analysts will opt to stick with one source and analyze whichever IOCs come their way, while others may search various sources for a specific threat type, such as ransomware, or a specific threat, such as Lokibot. Threat exchanges are open, free community platforms for information sharing and collaboration, and are an excellent source of IOCs. Another source for IOC collection that may seem less intuitive is social media, with Twitter being the best social media platform for finding new, relevant IOCs.
In this post, we will describe our Top 5 Free IOC Sources for Analysis.
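The two posts above describe collecting IOCs from sources such as Twitter and then pivoting through enrichment data to expose the wider infrastructure behind them. The following is an added example, not code from the original posts or from their authors' tooling: it extracts defanged indicators from a constructed tweet-style text, then pivots domain to IP to domain over a constructed passive-DNS map. The tweet, the hash, the domains, the passive-DNS entries and the IPs (drawn from the RFC 5737 TEST-NET ranges) are all made up for the example; the `max_shared` threshold is an assumed heuristic for skipping shared-hosting IPs, not a published rule.

```python
"""Added example: extract IOCs from free text, then pivot through passive DNS.
Every indicator and passive-DNS entry below is constructed for illustration."""
import re
from collections import defaultdict

# Defanged separators seen in public IOC posts: "[.]", "(.)", and hxxp for http.
_DOT = r'(?:\.|\[\.\]|\(\.\))'
_DOMAIN_RE = re.compile(r'\b((?:[a-z0-9-]+' + _DOT + r')+[a-z]{2,})\b', re.I)
_IPV4_RE = re.compile(r'\b((?:\d{1,3}' + _DOT + r'){3}\d{1,3})\b')
_SHA256_RE = re.compile(r'\b[a-f0-9]{64}\b', re.I)
_MD5_RE = re.compile(r'\b[a-f0-9]{32}\b', re.I)
# Filenames such as flash.dmg look like domains to a naive regex; drop common extensions.
_NOT_TLDS = {'dmg', 'exe', 'dll', 'zip', 'js', 'php', 'html', 'htm',
             'png', 'jpg', 'txt', 'doc', 'docx', 'xls', 'pdf'}


def refang(s):
    """Turn a defanged indicator back into its usable form."""
    return s.replace('[.]', '.').replace('(.)', '.').replace('hxxp', 'http')


def extract_iocs(text):
    """Return refanged IOCs found in free text, grouped by type."""
    ips = {refang(m) for m in _IPV4_RE.findall(text)}
    domains = set()
    for m in _DOMAIN_RE.findall(text):
        d = refang(m).lower()
        if d.rsplit('.', 1)[-1] not in _NOT_TLDS:
            domains.add(d)
    hashes = {h.lower() for h in _SHA256_RE.findall(text) + _MD5_RE.findall(text)}
    return {'ips': ips, 'domains': domains, 'hashes': hashes}


# Constructed tweet: fake domains, a TEST-NET IP and an obviously synthetic hash.
SAMPLE_TWEET = (
    "#Shlayer dropper pulled from hxxp://evil-update[.]com/flash.dmg, "
    "C2 at 198.51.100[.]7, sha256 " + "0123456789abcdef" * 4
)

# Constructed passive-DNS map (domain -> IPs it resolved to). Not real data.
PASSIVE_DNS = {
    'evil-update.com': {'198.51.100.7', '203.0.113.9'},
    'cdn-flash-installer.net': {'198.51.100.7', '192.0.2.100'},
    'secure-covid19-relief.org': {'203.0.113.9', '192.0.2.44'},
    'example-legit-site.com': {'192.0.2.44'},   # shares an IP; needs vetting
    'unrelated.org': {'192.0.2.200'},
}
# 192.0.2.100 is a crowded shared host: pivoting through it would only add noise.
PASSIVE_DNS.update({f'tenant{i}.example.net': {'192.0.2.100'} for i in range(6)})


def pivot(seed_domains, pdns, max_hops=2, max_shared=5):
    """Breadth-first pivot domain -> IP -> domain. Returns {indicator: hop}.

    IPs that host more than max_shared domains are recorded but not expanded,
    since they are most likely shared hosting rather than attacker-controlled.
    """
    rev = defaultdict(set)
    for d, ips in pdns.items():
        for ip in ips:
            rev[ip].add(d)
    found = {d: 0 for d in seed_domains if d in pdns}
    frontier = list(found)
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for d in frontier:
            for ip in sorted(pdns[d]):
                found.setdefault(ip, hop)
                if len(rev[ip]) > max_shared:
                    continue  # shared hosting: do not pivot through it
                for other in sorted(rev[ip]):
                    if other not in found:
                        found[other] = hop
                        next_frontier.append(other)
        frontier = next_frontier
    return found


if __name__ == '__main__':
    iocs = extract_iocs(SAMPLE_TWEET)
    print('extracted:', iocs)
    for ioc, hop in sorted(pivot(sorted(iocs['domains']), PASSIVE_DNS).items(),
                           key=lambda kv: (kv[1], kv[0])):
        print(f'hop {hop}: {ioc}')
```

Running it shows the seed domain leading, via the two IPs it resolved to, to two further domains at hop 1, and at hop 2 to `example-legit-site.com`, which merely shares an IP with one of them. That last result is the caveat behind "just waiting to be uncovered (and blocked!)": every pivoted indicator needs vetting before it goes on a blocklist, and the shared-host guard is there because one crowded IP can otherwise drag hundreds of unrelated tenants into the result.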