This is ThreatGeek's Typepad Profile.
Join Typepad and start following ThreatGeek's activity
Join Now!
Already a member? Sign In
ThreatGeek
Recent Activity
Image
Downloaders and droppers (aka malware that delivers other malware) have been forced to live in the shadow of more famous stages of the exploit kit chain, like landing pages or the malware that's eventually dropped. One reason they are often overlooked and not analyzed as often is because they typically (and conveniently) wipe themselves from compromised hosts once they completely deliver their malicious payload. But don't mistake the lack of attention for lack of importance. Downloaders and droppers play a vital role in the web exploitation ecosystem. They're often used across multiple exploit kits and they are effective at delivering... Continue reading
Posted Feb 9, 2017 at Threat Geek
Image
We're counting down the last few days to RSA 2017. As you pack your suitcase and map out your schedule, plan on joining us for a demo at Booth #933. Stop by and say hello and grab your limited edition t-shirt. Here’s a quick rundown on where you can find us: RSA 2017 EXPO: Join Fidelis Cybersecurity at Booth #933, South Hall, at San Francisco’s Moscone Center, February 14 - 16. See a full listing of Fidelis’ RSA activities. AGC’s 2017 INFORMATION SECURITY & BROADER TECHNOLOGY GROWTH CONFERENCE: At 2:00 pm on February 13, Fidelis President and CEO Peter George... Continue reading
Posted Feb 8, 2017 at Threat Geek
Image
Producers of the 1995 James Bond film “GoldenEye” packed the plot with all the signature elements fans expect from the successful franchise. Over-the-top supervillain – check. Cool spy gadgets – check. Exotic locations – check. And, of course, 007 saves the day. The film was also slightly ahead of its time. The internet, computers and cyberespionage all factor into the plot. In the movie, a criminal element called Janus conspires to steal vast sums of money from the Bank of England. To cover their tracks and spark a global financial meltdown, they plan to knock out the planet’s electronics and... Continue reading
Posted Feb 2, 2017 at Threat Geek
Image
What does 2017 hold for security professionals and the industry as a whole? To answer this question, let’s take a quick look at what has not changed. For one, ransomware continues to be an effective extortion tool for attackers. They’re constantly honing their ability to use backdoors and rootkits to gain access. Across the board, attackers continue to create new variants of the same malware family. When they find an effective approach, they will continue to exploit it until security experts stop them. Only then do attackers move on to something different. Yet the new year also brings new challenges... Continue reading
Posted Jan 26, 2017 at Threat Geek
Image
Earlier this month, security news media reported attackers holding internet-exposed MongoDB and Elasticsearch databases for ransom. Attackers said they’d return the data if they got paid -- otherwise, the data would be erased. In many reported instances, attackers simply deleted the data. Unfortunately, more attacks are underway. Last week, Fidelis Cybersecurity Threat Research observed similar attacks on Internet-facing Hadoop Distributed File System (HDFS) installations. Like the MongoDB and Elasticsearch incidents, attackers would erase all the data on the system. To make matters worse, we confirmed additional attacks on HDFS instances worldwide. For these events, attackers are leveraging a logical blend... Continue reading
Posted Jan 18, 2017 at Threat Geek
Image
Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we're stuck with "Next Gen." What comes after "Next Gen"? And where were the creative minds hiding when we needed them most? In this post, I’m going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton. But first, to understand next-gen security we need to take a quick trip down... Continue reading
Posted Dec 1, 2016 at Threat Geek
Image
There are two types of runners: long-distance runners and sprinters. Everything about them is different. Sprinters are built for power while marathoners are built for endurance. But what if you could break the mold and find all of those capabilities in a single athlete? Endpoint detection and response (EDR) tools have faced a similar conundrum. Vendors have historically forced users to choose between architectures that were optimized for one activity at the expense of others. In short, the choices have been: Optimize for Speed: These tools generally use a peer-to-peer architecture that enable endpoints to communicate with each other. The... Continue reading
Posted Nov 30, 2016 at Threat Geek
Image
In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge. So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention... Continue reading
Posted Nov 15, 2016 at Threat Geek
Image
Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics - enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine. The sample we analyzed was delivered by using Hancitor embedded in... Continue reading
Posted Nov 12, 2016 at Threat Geek
Image
Commodity Remote Access Trojans (RATs) -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals. RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity. We're constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker. There have been recent reports 1, 2 about a new version of one such commodity RAT, H-W0rm (Hworm), and the various campaigns it is being... Continue reading
Posted Nov 9, 2016 at Threat Geek
Image
Metadata gathered from your network can be a powerful ally in the battle against cyberattacks. In fact, you can do seemingly impossible things with the right metadata. In Part 1, we explored how metadata can help you spot phishing emails, find man-in-the-middle attacks, locate weak encryption and more. In Part 2, we take a look at five more seemingly impossible tasks. If these examples sound interesting, watch the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes. Impossible Task #6. See lateral movement within the network. If... Continue reading
Posted Oct 31, 2016 at Threat Geek
Bloomberg reporter Jordan Robertson recently sat down with Fidelis Cybersecurity Senior VP Mike Buratowski to discuss the malware and other data that attackers used to pull off the breach of the Democratic National Committee’s (DNC) servers. By examining the clues the attackers left behind, Mike explains how it's possible to attribute the attacks to a specific group of nation-state actors. Listen to Bloomberg Technology’s Decrypted Podcast and get the full story. Want to learn more? Read our analysis of the DNC intrusion malware. Continue reading
Posted Oct 27, 2016 at Threat Geek
Image
Network Intrusion Prevention Systems have been a mainstay of the network security stack for well over a decade. When they first entered the mainstream in the early 2000s, the iPhone hadn't been invented. We were still in the age of the PalmPilot (anyone remember using that stylus?). But, at the time, IPSs represented real innovation. They were a welcome departure from the classic firewall, which was limited by its primitive accept-and-deny rules that were inadequate for the more sophisticated attacks to come. IPSs were a breath of fresh air. They came with new detection languages, like Snort. They could operate... Continue reading
Posted Oct 26, 2016 at Threat Geek
Image
Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for. There are three elements of deception. To see these elements in action, we need look no further than a few notable cases -- including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election. Let’s take a look at the three elements of effective deception. 1. Plan and Prepare The key is to create a storyline that’s mostly... Continue reading
Posted Oct 25, 2016 at Threat Geek
Image
Metadata is data that describes other data. And while it may not sound sexy, metadata gathered from your network can be a powerful ally in the battle against cyberattacks. Continue reading
Posted Oct 17, 2016 at Threat Geek
Image
In November 2015, the Dyre banking trojan seemingly disappeared overnight surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors but the speculation was that some of programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations. In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has... Continue reading
Posted Oct 15, 2016 at Threat Geek
Image
For several years now, the Vawtrak trojan has been targeting banking and financial institutions, most recently in Canada as reported last week. The Fidelis Threat Research team recently analyzed a new variant to Vawtrak using HTTPS for C2 communications. Given what we've seen previously with Vawtrak, simply switching to HTTPS is not a major update in terms of development -- but it does show that the threat actors are interested in protecting their C2 communications. Here are some significant updates to Vawtrak: The malware now includes a DGA. Interestingly, it utilizes a pseudorandom number generator (PRNG) used in Vawtrak's loader.... Continue reading
Posted Aug 16, 2016 at Threat Geek
Image
Fidelis Cybersecurity is proud to support the Wall of Sheep (WoS) at Def Con 2016, but this Wall needs to come down. Over the past several years, it's been standing-room only for WoS participants. This year's event promises to be even more spectacular. For those who need background, the 'sheep' on this wall are users whose internet traffic reveals their credentials (user names and passwords) passed in the clear, for prying eyes to see. The exercise starts as users sign on to the conference’s free wireless network. A copy of that traffic is given to participants whose job is to... Continue reading
Posted Aug 2, 2016 at Threat Geek
Image
Following news reports that the Democratic Congressional Campaign Committee (DCCC) was breached via a spoofed donation website, the ThreatConnect Research team and Fidelis Cybersecurity teamed up to collaborate and take a look at the associated domain to ferret out additional details on the activity. The initial indications from the DCCC breach suggest FANCY BEAR pawprints based on the following: First, the registrant - fisterboks@email[.]com - behind the spoofed domain actblues[.]com has registered three other domains, all of which have been linked to FANCY BEAR by German Intelligence (BfV). Second, the timing is consistent with an adversary reacting to heightened focus... Continue reading
Posted Aug 1, 2016 at Threat Geek
Image
We're counting down the last few days to Black Hat USA 2016. As you pack your suitcase and map out your schedule, plan on joining a meetup, seeing a demo or hitting us up for swag at the Fidelis Networking Lounge (aka Booth #1116). We can’t promise unicorns and narwhals, but we will have cool t-shirts, pinball and comfy chairs. Here’s a quick rundown on where you can find us: TECHNOLOGY & FREEWARE: At Black Hat, we’re debuting no-cost tools to help the security community stop attacks and prevent data theft. New resources include the Barncat™ Intelligence Database, the ThreatScanner™... Continue reading
Posted Jul 28, 2016 at Threat Geek
Image
In politics, getting the dirt on your adversary is nothing new. Candidates and campaigns have been trying to dig up dirt on each other since the dawn of democracy in Athens. More recently, we’ve seen everything from burgling party headquarters, to wiretaps, and campaign stalkers that record every word a candidate utters in public. Most of these methods were employed to obtain information on an opponent so the information could be “weaponized” into a “gotcha” moment during a speech or used as a campaign talking point to discredit the opposing party. But as we watch the DNC leak unfold, it... Continue reading
Posted Jul 26, 2016 at Threat Geek
Image
Threat actors provide valuable clues when they compromise a new environment. But a single clue, such as a malware sample, seldom sheds the necessary light on an attack. Sniffing out the tools and tactics of attackers requires that you (or someone you know) has seen them before. Historical attack data can serve as a valuable resource for analysts by helping to identify and contextualize the adversary and rank the risk of an attack. Today, we are excited to make a new (and we think pretty interesting) database available to the security community at no cost. The Fidelis Barncat™ Intelligence Database... Continue reading
Posted Jul 21, 2016 at Threat Geek
Image
One of our trusted partners from Poland, Exatel S.A., has discovered that a web browser developed by Maxthon, a company from China, has been collecting sensitive data from its users. The Maxthon browser has anywhere from .75-1% of the global browser market, and has been estimated to be 2-3% of China’s own domestic browser market. Total global user count is estimated to be in the hundreds of millions. You can read their full report here: English: https://exatel.pl/advisory/maxthonreporten.pdf Polish: https://exatel.pl/advisory/maxthonreportpl.pdf Using the Fidelis Network solution, Exatel found that there was a periodic upload of encrypted content to China from the Maxthon... Continue reading
Posted Jul 13, 2016 at Threat Geek
Image
With season two of Mr. Robot approaching, the storyline follows a hacker group that takes down an evil global corporation and collapses the financial market. Led by the mysterious Mr. Robot, the hackers use a variety of tricks to evade detection, and seem to cover their tracks at every turn. There are similarities shared by the show's hackers and real-life attackers. Hackers are human. Like the rest of us, they are creatures of habit, turning to familiar tools and techniques time and time again. As they hone their craft, attackers develop their skills and accumulate knowledge. And while they go... Continue reading
Posted Jul 12, 2016 at Threat Geek
Image
We've recently observed a new crypter called Xenon used to deliver Locky, a strain of ransomware, and Ruckguv, a type of malware that can download and install other types of malware. Xenon employs a novel trick to bypass debuggers, which we’ll describe here along with the techniques it uses. We also provide a Python script to decrypt objects packed using Xenon and the Krypton crypter, which we believe is its predecessor. Delivering and monetizing malware involves a large chain of independent tools – exploit kits, traffic distribution systems, spambots and more. The crypter occupies a special place in this chain,... Continue reading
Posted Jun 28, 2016 at Threat Geek