RSS Security

๐Ÿ”’
โŒ About FreshRSS
There are new articles available, click to refresh the page.
Before yesterdayMcAfee Blogs

McAfee Labs Report Highlights Ransomware Threats

24 June 2021 at 04:01

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: June 2021.

In this edition we introduce additional context into the biggest stories dominating the year thus far including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream.

This Threats Report provides a deep dive into ransomware, in particular DarkSide, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin. While we have no intention of detailing the political landscape, we certainly do have to acknowledge that this is a threat disrupting our critical services. Furthermore, adversaries are supported within an environment that make digital investigations challenging with legal barriers that make the gathering of digital evidence almost impossible from certain geographies.

That being said, we can assure the reader that all of the recent campaigns are incorporated into our products, and of course can be tracked within our MVISION Insights preview dashboard.

This dashboard shows that โ€“ beyond the headlines โ€“ many more countries have experienced such attacks. What it will not show is that victims are paying the ransoms, and criminals are introducing more Ransomware-as-a-Service (RaaS) schemes as a result. With the five-year anniversary of the launch of the No More Ransom initiative now upon us itโ€™s fair to say that we need more global initiatives to help combat this threat.

Q1 2021 Threat Findings

McAfee Labs threat research during the first quarter of 2021 include:

  • New malware samples averaging 688 new threats per minute
  • Coin Miner threats surged 117%
  • New Mirai malware variants drove increase in Internet of Things and Linux threats

Additional Q1 2021 content includes:

  • McAfee Global Threat Intelligence (GTI) queries and detections
  • Disclosed Security Incidents by Continent, Country, Industry and Vectors
  • Top MITRE ATT&CK Techniques APT/Crime

We hope you enjoy this Threats Report. Donโ€™t forget to keep track of the latest campaigns and continuing threat coverage by visiting our McAfee Threat Center. Please stay safe.

The post McAfee Labs Report Highlights Ransomware Threats appeared first on McAfee Blogs.

DarkSide Ransomware Victims Sold Short

14 May 2021 at 10:32
How to check for viruses

Over the past week we have seen a considerable body of work focusing on DarkSide, the ransomware responsible for the recent gas pipeline shutdown. Many of the excellent technical write-ups will detail how it operates an affiliate model that supports others to be involved within the ransomware business model (in addition to the developers). While this may not be a new phenomenon, this model is actively deployed by many groups with great effect. Herein is the crux of the challenge: while the attention may be on DarkSide ransomware, the harsh reality is that equal concern should be placed at Ryuk, or REVIL, or Babuk, or Cuba, etc. These, and other groups and their affiliates, exploit common entry vectors and, in many cases, the tools we see being used to move within an environment are the same. While this technical paper covers DarkSide in more detail, we must stress the importance of implementing best practices in securing/monitoring your network. These additional publications can guide you in doing so:

DarkSide Ransomware:ย  What is it?

As mentioned earlier, DarkSide is a Ransomware-as-a-Service (RaaS) that offers high returns for penetration-testers that are willing to provide access to networks and distribute/execute the ransomware. DarkSide is an example of a RaaS whereby they actively invest in development of the code, affiliates, and new features. Alongside their threat to leak data, they have a separate option for recovery companies to negotiate, are willing to engage with the media, and are willing to carry out a Distributed Denial of Service (DDoS) attack against victims. Those victims who do pay a ransom receive an alert from DarkSide on companies that are on the stock exchange who are breached, in return for their payment. Potential legal issues abound, not to mention ethical concerns, but this information could certainly provide an advantage in short selling when the news breaks.

The group behind DarkSide are also particularly active. Usingย MVISION Insights we can identify the prevalence of targets. This map clearly illustrates that the most targeted geography is clearly the United States (at the time of writing). Further, the sectors primarily targeted are Legal Services, Wholesale, and Manufacturing, followed by the Oil, Gas and Chemical sectors.

Coverage and Protection Advice

McAfeeโ€™s market leading EPP solution covers DarkSide ransomware with an array of early prevention and detection techniques.

Customers using MVISION Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.

Early Detection

MVISION EDR includes detections on many of the behaviors used in the attack including privilege escalation, malicious PowerShell and CobaltStrike beacons, and visibility of discovery commands, command and control, and other tactics along the attack chain. We have EDR telemetry indicating early detection before the detonation of the Ransomware payload.

Prevention

ENS TP provides coverage against known indicators in the latest signature set. Updates on new indicators are pushed through GTI.

ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections.

ENS ATP adds two (2) additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

For the latest mitigation guidance, please review:

https://kc.mcafee.com/corporate/index?page=content&id=KB93354&locale=en_US

Technical Analysis

The RaaS platform offers the affiliate the option to build either a Windows or Unix version of the ransomware. Depending on what is needed, we observe that affiliates are using different techniques to circumvent detection, by masquerading the generated Windows binaries of DarkSide. Using several packers or signing the binary with a certificate are some of the techniques used to do so.

As peers in our industry have described, we also observed campaigns where the affiliates and their hacking crew used several ways to gain initial access to their victimโ€™s network.

  1. Using valid accounts, exploit vulnerabilities on servers or RDP for initial stage
  2. Next, establish a beachhead in the victimโ€™s network by using tools like Cobalt-Strike (beacons), RealVNC, RDP ported over TOR, Putty, AnyDesk and TeamViewer. TeamViewer is what we also see back in the config of the ransomware sample:

The configuration of the ransomware contains several options to enable or disable system processes, but also the above part where it states which processes should not be killed.

As mentioned before, a lot of the current Windows samples in the wild are the 1.8 version of DarkSide, others are the 2.1.2.3 version. In a chat one of the actors revealed that a V3 version will be released soon.

On March 23rd, 2021, on XSS, one of the DarkSide spokespersons announced an update of DarkSide as a PowerShell version and a major upgrade of the Linux variant:

In the current samples we observe, we do see the PowerShell component that is used to delete the Volume Shadow copies, for example.

  1. Once a strong foothold has been established, several tools are used by the actors to gain more privileges.

Tools observed:

  • Mimikatz
  • Dumping LSASS
  • IE/FireFox password dumper
  • Powertool64
  • Empire
  • Bypassing UAC
  1. Once enough privileges are gained, it is time to map out the network and identify the most critical systems like servers, storage, and other critical assets. A selection of the below tools was observed to have been used in several cases:
  • BloodHound
  • ADFind
  • ADRecon
  • IP scan tools
  • Several Windows native tools
  • PowerShell scripts

Before distributing the ransomware around the network using tools like PsExec and PowerShell, data was exfiltrated to Cloud Services that would later be used on the DarkSide Leak page for extortion purposes. Zipping the data, using Rclone or WinSCP are some of the examples observed.

While a lot of good and in-depth analyses are written by our peers, one thing worth noting is that when running DarkSide, the encryption process is fast. It is one of the areas the actors brag about on the same forum and do a comparison to convince affiliates to join their program:

DarkSide, like Babuk ransomware, has a Linux version. Both target *nix systems but in particular VMWare ESXi servers and storage/NAS. Storage/NAS is critical for many companies, but how many of you are running a virtual desktop, hosted on a ESXi server?

Darkside wrote a Linux variant that supports the encryption of ESXI server versions 5.0 โ€“ 7.1 as well as NAS technology from Synology. They state that other NAS/backup technologies will be supported soon.

In the code we clearly observe this support:

Also, the configuration of the Linux version shows it is clearly looking for Virtual Disk/memory kind of files:

Although the adversary recently claimed to vote for targets, the attacks are ongoing with packed and signed samples observed as recently as today (May 12, 2021):

Conclusion

Recently the Ransomware Task Force, a partnership McAfee is proud to be a part of, released a detailed paper on how ransomware attacks are occurring and how countermeasures should be taken. As many of us have published, presented on, and released research upon, it is time to act. Please follow the links included within this blog to apply the broader advice about applying available protection and detection in your environment against such attacks.

MITRE ATT&CK Techniques Leveraged by DarkSide:

Data Encrypted for Impact โ€“ T1486

Inhibit System Recovery โ€“ T1490

Valid Accounts โ€“ T1078

PowerShell โ€“ T1059.001

Service Execution โ€“ T1569.002

Account Manipulation โ€“ T1098

Dynamic-link Library Injection โ€“ T1055.001

Account Discovery โ€“ T1087

Bypass User Access Control โ€“ T1548.002

File Permissions Modification โ€“ T1222

System Information Discovery โ€“ T1082

Process Discovery โ€“ T1057

Screen Capture โ€“ T1113

Compile After Delivery โ€“ T1027.004

Credentials in Registry โ€“ T1552.002

Obfuscated Files or Information โ€“ T1027

Shared Modules โ€“ T1129

Windows Management Instrumentation โ€“ T1047

Exploit Public-Facing Application โ€“ T1190

Phishing โ€“ T1566

External Remote Services โ€“ T1133

Multi-hop Proxy โ€“ T1090.003

Exploitation for Privilege Escalation โ€“ T1068

Application Layer Protocol โ€“ T1071

Bypass User Account Control โ€“ T1548.002

Commonly Used Port โ€“ T1043

Compile After Delivery โ€“ T1500

Credentials from Password Stores โ€“ T1555

Credentials from Web Browsers โ€“ T1555.003

Credentials in Registry โ€“ T1214

Deobfuscate/Decode Files or Information โ€“ T1140

Disable or Modify Tools โ€“ T1562.001

Domain Account โ€“ T1087.002

Domain Groups โ€“ T1069.002

Domain Trust Discovery โ€“ T1482

Exfiltration Over Alternative Protocol โ€“ T1048

Exfiltration to Cloud Storage โ€“ T1567.002

File and Directory Discovery โ€“ T1083

Gather Victim Network Information โ€“ T1590

Ingress Tool Transfer โ€“ T1105

Linux and Mac File and Directory Permissions Modification โ€“ T1222.002

Masquerading โ€“ T1036

Process Injection โ€“ T1055

Remote System Discovery โ€“ T1018

Scheduled Task/Job โ€“ T1053

Service Stop โ€“ T1489

System Network Configuration Discovery โ€“ T1016

System Services โ€“ T1569

Taint Shared Content โ€“ T1080

Unix Shell โ€“ T1059.004

The post DarkSide Ransomware Victims Sold Short appeared first on McAfee Blogs.

McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges

13 April 2021 at 04:01

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: April 2021.

In this edition, we present new findings in our traditional threat statistical categories โ€“ as well as our usual malware, sectors, and vectors โ€“ imparted in a new, enhanced digital presentation thatโ€™s more easily consumed and interpreted.

Historically, our reports detailed the volume of key threats, such as โ€œwhat is in the malware zoo.โ€ The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns, as well as, their associated IoCs, and determine the in-field detections. This latest report incorporates not only the malware zoo but new analysis for what is being detected in the wild.

The Q3 and Q4 2020 findings include:

  • COVID-19-themed cyber-attack detections increased 114%
  • New malware samples averaging 648 new threats per minute
  • 1 million external attacks observed against MVISION Cloud user accounts
  • Powershell threats spiked 208%
  • Mobile malware surged 118%

Additional Q3 and Q4 2020 content includes:

  • Leading MITRE ATT&CK techniques
  • Prominent exploit vulnerabilities
  • McAfee research of the prolific SUNBURST/SolarWinds campaign

These new, insightful additions really make for a bumper report! We hope you find this new McAfee Labs threat report presentation and data valuable.

Donโ€™t forget keep track of the latest campaigns and continuing threat coverage by visiting our McAfee COVID-19 Threats Dashboard and the MVISION Insights preview dashboard.

The post McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges appeared first on McAfee Blogs.

Staying Safe While Working Remotely

18 March 2020 at 13:51

Special thanks to Tim Hux and Sorcha Healy for their assistance.

The demand for remote working as a result of the COVID-19 pandemic will invariably place pressures on organizations to ensure the availability of corporate resources in geographic locations outside of corporate control. Such demands go beyond the provision of additional capacity, with potentially remote working policies and security awareness assets in urgent need of updating and communication.

These demands are being required against the reported backdrop of cybercriminals and potential nation states continuing and even leveraging the global crisis for their own personal gain. Without respite, many cybercriminal groups appear to be continuing attacks against many sectors including healthcare. Furthermore, there are even those threat actors actively using concern related to COVID-19 as a lure to invoke user behaviour. This post is not intended to be exhaustive and will be updated as we make more resources available to enable organizations and users to stay safe and connected.

Threat Landscape

We have identified and reviewed multiple reports related to the criminal use of COVID-19 as potential bait, whether that be phishing emails, domains, malware, etc. While its use is not unexpected, with criminals always trying to leverage large events to their advantage, it is disappointing to see at a time when the world needs to come together that there are those who have scant regard for the sense of community. Our subsequent focus at this time is to attempt to determine whether any geographies specifically being targeted. The chart below maps our visibility of the targets for all known (at the time of writing) threats leveraging COVID-19.

Figure 1. Targeted COVID-19 related threats by country

As we see, the geographic dispersion of โ€œtargetsโ€ is relatively wide and includes many countries we typically see on the list of broader phishing targets. However, there are some anomalies, in particular Panama, Taiwan, and Japan. This requires us to undertake further analysis but does suggest that certain campaigns may be targeting specific countries.

It is equally important to add that this landscape is changing daily, with more threats being identified and included as part of our detection across the entire product portfolio (where appropriate). Moreover, the McAfee Advanced Threat Research (ATR) team is undertaking deeper analysis into the findings to understand why certain countries are receiving more threats related to COVID-19 than others, as well a deeper dive into sector analysis. We will regularly report any relevant details, and of course share all IoCs with the wider community to ensure we all remain safe.ย  As we continue to hunt for further threat artefacts, we will make our findings available through this forum.

Working from home threats contextualized

All over the world large numbers of people are rushed to work from home unprepared, sometimes even from their personal devices. Often, these devices are not maintained with proper security measures and possibly leave organizations open to various attacks.

Over the last year we have published several articles on how targeted ransomware attacks are fuelling the increased demand in the underground for compromised corporate networks. One often-used criminal access method is through โ€œcommodity malware,โ€ such as banking malware and info-stealers. The criminals are actively sifting through thousands of logs hoping to find corporate network or remote management credentials.

Commodity malware is often focused directly at consumers, so accessing corporate networks from possible pre-infected personal machines without adequate security measures creates a much larger attack surface for cybercriminals. This increases the risk of an organization falling victim to a potential breach and ransomware lockdown.

Figure 2. A screenshot of the popular KPOT info stealer, part of an underground advertisement to sell stolen credentials. (notice the malware collects VPN, RDP and Mail credentials)

Just like we are all fighting to flatten the COVID-19 curve by social isolation and washing our hands, we should aim to flatten the cyber-attack surface of our organizations by having proper cyber security hygiene by using multi-factor authentication, VPNs, and robust End-Point security software.

Remote working

Employees working from home will need clear guidance on acceptable security practices from an organizational perspective:

  • Remote working policy guidance: While many organizations may employ wider guidance on cybersecurity/privacy guidance within their organizations there will likely be employees unaware of the expectations for remote working. Equally, this may also apply to security expectations, therefore any such policy must be reviewed but also effectively communicated to a wider group of employees now working from outside the organizationโ€™s offices.
  • Asset classification: With a larger set of the workforce now working from home, previously inaccessible information assets will need to be available for remote use. Subsequently, enhanced security measures will be necessary to ensure that information is only made available to those with a clear need to know.
  • Strong authentication: With passwords ubiquitous, and two-factor authentication now commonplace, ensuring the appropriate level of authorization for key assets is in place will be critical.
  • Awareness: All of the processes, and technology deployed within an organization can be simply undone by a lack of awareness. Ensuring all employees are made aware of the potential risks of connecting remotely is critical. It is especially important to be aware of cloud services authorized for work purposes and extra vigilant for targeted phishing emails.
  • VPN access: The term untrusted network is rarely a consideration when working in the office, however with so many employees connecting from externally located environments there is the potential for certain networks to be untrusted. While many will not be venturing into public spaces to limit social contact, there is no assurance that the connection every employee is connecting from is secure. Therefore, leveraging a VPN will be imperative, and indeed organizations may want to enforce certain assets only being accessible via the VPN.

Secure Mobile Working

Here are some key considerations for those responsible for enabling secure remote working capability:

  • Protecting against accidental data loss. Data encryption is fundamental to good device security hygiene and essential for enabling secure mobile working. Ensure that you have situational awareness of the end user security controls and can quickly report on the status when the inevitable question comes down from the CISO.
  • Providing an equivalent level of threat prevention. While on the office network or VPN, end user devices enjoy a defense in depth capability. However, do they have that same protection when not on the VPN? Using anti-malware solutions which employ cloud-based behavior analysis and threat intelligence combined with cloud-based web security can help ensure an equivalent level of security both on and off the network.
  • Secure cloud collaboration. Many employees will need to leverage cloud-based services such as Microsoft Teams and WebEx to collaborate both internally and externally. Ensure you can apply your corporate DLP policies to those cloud-native applications and that your users are fully aware of the authorized collaboration tools at their disposal.
  • Secure cloud access. Attackers will leverage spear-phishing emails with Corona Virus themes and watering hole attacks from compromised web sites to target workers and prey on the situation. Reduce the attack surface by tightening web security policies and block access to risky cloud services.
  • Phishing incident response. You will not be able to prevent everything so having a balanced security capability with detection and response is important. Security Operations should review incident response procedures for phishing, deploy Cloud-based EDR for rapid identification of compromised remote end user devices, and ensure users know how to submit suspect emails to the SOC.

Conclusion

A wealth of good advice and information is freely available including the Security Awareness Work-from-Home Deployment Kit[1] ย from the SANS Institute which provides โ€œmultiple assets that address everything from securing a home network to best practices when working remotely to identifying social engineering attacks.โ€ While the need to enable access as quickly as possibly is understandable, there are those hoping to exploit this urgency for their own personal gain.

Additional Resources

We will continue to make resources available to further enable secure home working, as well as insights into the threat landscape from this blog.

Please register for the webinar detailing Adaptable Security for Flexible Working Environments here:ย  https://mcafee.zoom.us/webinar/register/WN_AeXoyA-tT_eUFZ2_NvhpSA

[1] https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit

The post Staying Safe While Working Remotely appeared first on McAfee Blogs.

No More Ransom Blows Out Three Birthday Candles Today

26 July 2019 at 08:00

Collaborative Initiative Celebrates Helping More Than 200,000 Victims and Preventing More Than 100 million USD From Falling into Criminal Hands

Three years ago, on this exact day, the public and private sectors drew a line in the sand against ransomware. At that time, ransomware was becoming one of the most prevalent cyber threats globally. We were hearing stories of patients being turned away from hospitals and the urgent medical attention they needed because someone clicked on a link in an email! Since that time, every sector has had a litany of examples where companies targeted by ransomware attacks were faced with the digital equivalent of Sophieโ€™s Choice: pay criminals or potentially lose your business.

Three years ago, to this very day, the No More Ransom initiative gave victims a third option: retrieve their files back for free. Of course, a silver bullet for all forms of ransomware does not exist but, as the free decryptor made available by the initiative for the GandCrab ransomware has shown, there is hope.

A Public Private Collaboration Where Success is Measured by Every Victim Saved

No More Ransom began because of an operational problem that could only be solved through collaboration. A Law Enforcement Agency had seized a server which contained private keys that could help decrypt thousands of victims of a particular ransomware family. This provided a great opportunity to help thousands of peopleโ€”but there was a problem.

A Law Enforcement Agency is bound by a geographical jurisdiction; further, developing decryption software is not its core competency. Fortunately, both global reach and software development happened to be exactly what cybersecurity companies could bring to the table.

It is exciting to see how the initiative has expanded at an enormous rate. Back when we started, we would never have believed that in merely three years we would have helped over 200,000 victims and prevented more than 100 million US dollars from falling into criminal hands.

Even though cyber threats, including ransomware, are constantly evolving we remain confident that, together, we can continue to take a stand and disrupt this form of cybercrime. We are also delighted that so many public and private sector institutions have joined in this fight against the threat of ransomware. What began as a small group of individuals in a room in the Hague is now a global initiative, working together to fight back.

Remember #DontPay #NoMoreRansom

The post No More Ransom Blows Out Three Birthday Candles Today appeared first on McAfee Blogs.

Why Process Reimaging Matters

20 June 2019 at 16:04

As this blog goes live, Eoin Carroll will be stepping off the stage at Hack in Paris having detailed the latest McAfee Advanced Threat Research (ATR) findings on Process Reimaging.ย  Admittedly, this technique probably lacks a catchy name, but be under no illusion the technique is significant and is worth paying very close attention to.

Plain and simple, the objective of malicious threat actors is to bypass endpoint security. It is this exact game of cat and mouse that the security industry has been playing with malware writers for years, and one that, quite frankly, will continue. This ongoing battle will shape the future of cyber, and drive innovation in attack techniques and the ways in which we defend against them.ย  As part of this process it is crucial that we, the McAfee ATR team, continually identify techniques that could be used by malicious actors successfully.ย  It is this work that has led to the identification of a technique we call Process Reimaging, which was successful in bypassing endpoint security solutions (ESSs). To be clear, our objective is to stay ahead of malicious actors in identifying evasion techniques, with the broader goal of providing a safer computing environment for all organizations.

This technique is detailed by Eoin in a comprehensive technical blog titled In NTDLL I Trust โ€“ Process Reimaging and Endpoint Security Solution Bypass. The following is a summary of the findings.

Process Reimaging targets non-EDR ESSs.ย  Itโ€™s a post exploitation technique, meaning it targets users who have already fallen victim, for example to a phishing or a drive-by-download attack, so that the process can execute undetected and dwell on an endpoint for an significant period of time. The Windows kernel exports functionality to support the user mode components of ESSs which they depend on for protection and detection capabilities. There are numerous APIs such as K32GetProcessImageFileName that allows the ESSs โ€œto verify a process attribute to determine whether it contains malicious binaries and whether it can be trusted to call into its infrastructure.โ€ It was this functionality that our research focused on since the APIs return stale and inconsistent FILE_OBJECT paths, this potentially allows a malicious actor to bypass the process attribute verification undertaken by the Windows Operating System.ย ย  To be more precise, this allowed McAfee ATR to develop a proof-of-concept that was not detected by Windows Defender and will not be detected until a signature is created to block the file on disk before the process itself is created or a full scan is executed.

It is because the ESS relies on the Windows operating system to verify the process attributes that this technique is actually successful.ย  Whereby the ESS will naturally trust a particular process with a non-malicious file on disk since it makes the assumption that the O/S has verified the correct file on disk associated with that process, for the ESS to scan.

Releasing details of the technique

With the public release of security research, there is always a significant risk that any released information can be utilized by adversaries for nefarious activities. The balance of security research versus irresponsible disclosure is an issue we continually wrestle with, and these findings are no different. In the process of conducting due diligence, we were able to identify the use of Process Doppelganging with Process Hollowing as its fallback defense evasion technique within the SynAck ransomware in 2018.ย  Since Process Doppelganging technique was weaponized within SynAck ransomware less than five months after itโ€™s disclosure at Blackhat Europe in 2017, we can only assume that the Process Reimaging technique itself is, or rather will be close to usage by threat actors to bypass detection.

The post Why Process Reimaging Matters appeared first on McAfee Blogs.

McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats

19 December 2018 at 05:01

The McAfee Advanced Threat Research team today published the McAfeeยฎ Labs Threats Report, December 2018. In this edition, we highlight the notable investigative research and trends in threats statistics and observations gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q3 of 2018.

We are very excited to present to you new insights and a new format in this report. We are dedicated to listening to our customers to determine what you find important and how we can add value. In recent months we have gathered more threat intelligence, correlating and analyzing data to provide more useful insights into what is happening in the evolving threat landscape. McAfee is collaborating closely with MITRE Corporation in extending the techniques of its MITRE ATT&CKโ„ข knowledge base, and we now include the model in our report. We are always working to refine our process and reports. You can expect more from us, and we welcome your feedback.

As we dissect the threat landscape for Q3, some noticeable statistics jump out of the report.ย  In particular, the continued rise in cryptojacking, which has made an unexpected emergence over the course of a year. In Q3 the growth of coin miner malware returned to unprecedented levels after a temporary slowdown in Q2.

Our analysis of recent threats included one notable introduction in a disturbing category. In Q3 we saw two new exploit kits: Fallout and Underminer. Fallout almost certainly had a bearing on the spread of GandCrab, the leading ransomware. Five years ago we published the report โ€œCybercrime Exposed,โ€ which detailed the rise of cybercrime as a service. Exploit kits are the epitome of this economy, affording anyone the opportunity to easily and cheaply enter the digital crime business.

New malware samples jumped up again in Q3 after a decline during the last two quarters. Although the upward trend applies to almost every category, we did measure a decline in new mobile malware samples following three quarters of continual growth.

This post is only a small snapshot of the comprehensive analysis provided in the December Threats Report. We hope you enjoy the new format, and we welcome your feedback.

The post McAfee Labs Threats Report Examines Cybercriminal Underground, IoT Malware, Other Threats appeared first on McAfee Blogs.

A Year in Review: Threat Landscape for 2020

14 January 2021 at 14:00

As we gratefully move forward into the year 2021, we have to recognise that 2020 was as tumultuous in the digital realm as it has in the physical world. From low level fraudsters leveraging the pandemic as a vehicle to trick victims into parting with money for non-existent PPE, to more capable actors using malware that has considerably less prevalence in targeted campaigns. All of which has been played out at a time of immense personal and professional difficulties for millions of us across the world.

Dealing with the noise

What started as a trickle of phishing campaigns and the occasional malicious app quickly turned to thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world. There is no question that COVID was the dominant theme of threats for the year, and whilst the natural inclination will be to focus entirely on such threats it is important to recognise that there were also very capable actors operating during this time.

For the first time we made available a COVID-19 dashboard to complement our threat report to track the number of malicious files leveraging COVID as a potential lure.ย  What this allows is real time information on the prevalence of such campaigns, but also clarity about the most targeted sectors and geographies.ย  Looking at the statistics from the year clearly demonstrates that the overarching theme is that the volume of malicious content increased.

Whilst of course this a major concern, we must recognise that there were also more capable threat actors operating during this time.

Ransomware โ€“ A boom time

The latter part of 2020 saw headlines about increasing ransom demands and continued successes from ransomware groups. An indication as to the reason why was provided in early 2020 in a blog published by Thomas Roccia that revealed โ€œThe number of RDP ports exposed to the Internet has grown quickly, from roughly three million in January 2020 to more than four and a half million in March.โ€

With RDP a common entry vector used predominantly by post intrusion ransomware gangs, there appears some explanation as to the reason why we are seeing more victims in the latter part of 2020.ย ย  Indeed, in the same analysis from Thomas we find that the most common passwords deployed for RDP are hardly what we would regard as strong.

If we consider the broader landscape of RDP being more prevalent (we have to assume due to the immediate need for remote access due to the lockdowns across the globe), the use of weak credentials, then the success of ransomware groups become very evident.ย  Indeed, later in the year we detailed our research into the Netwalker ransomware group that reveals the innovation, affiliate recruitment and ultimately financial success they were able to gain during the second quarter of 2020.

A year of major vulnerabilities

The year also provided us with the added gifts of major vulnerabilities. In August, for example, there was a series of zero-day vulnerabilities in a widely used, low-level TCP/IP software library developed by Treck, Inc.ย  Known as Ripple 20, the affect to hundreds of millions of devices resulted in considerable concern related to the wider supply chain of devices that we depend upon. In collaboration with JSOF, the McAfee ATR team developed a Detection Logic and Signatures for organizations to detect these vulnerabilities.

Of course the big vulnerabilities did not end there; we had the pleasure of meeting BadNeighbour, Drovorub, and so many more. The almost seemingly endless stream of vulnerabilities with particularly high CVSS Scores has meant that the need to patch very high on the list of priorities.

The โ€˜sophisticatedโ€™ attacker

As we closed out 2020, we were presented with details of โ€˜nation statesโ€™ carrying out sophisticated attacks.ย ย  Whilst under normal circumstances such terminology is something that should be avoided, there is no question that the level of capability we witness from certain threat campaigns are a world away from the noisy COVID phishing scams.

In August of 2020, we released the MVISION Insights dashboard which provides a free top list of campaigns each week. This includes, most recently, tracking against the SUNBURST trojan detailed in the SolarWinds attack, or the tools stolen in the FireEye breach.ย ย  What this demonstrates is that whilst prevalence is a key talking point, there exists capable threat actors targeting organizations with real precision.

For example, the Operation North Star campaign in which the threat actors deployed an Allow and Block list of targets in order to limit those they would infect with a secondary implant.

The term sophisticated is overused, and attribution is often too quickly relegated to the category of nation state.ย  However, the revelations have demonstrated that there are those campaigns where the attack did use capabilities not altogether common and we are no doubt witnessing a level of innovation from threat groups that is making the challenge of defence harder.

What is clear is that 2020 was a challenging year, but as we try and conclude what 2021 has in store, we have to celebrate the good news stories.ย ย  From initiatives such as No More Ransom continuing to tackle ransomware, to the unprecedented accessibility of tools that we can all use to protect ourselves (e.g. please check ATR GitHub repo, but recognise there are more).

McAfee 2021 Threat Predictions

Our experts share their 2021 predictions for the new year and how to protect yourself and your enterprise.

Read Now

ย 

The post A Year in Review: Threat Landscape for 2020 appeared first on McAfee Blogs.

McAfee Labs Report Reveals Continuing Surge of COVID-19 Threats and Malware

5 November 2020 at 16:00

The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: November 2020.

In this edition, we follow our preceding McAfee Labs COVID-19 Threats Report with more research and data designed to help you better protect your enterpriseโ€™s productivity and viability during challenging times.

What a year so far! The first quarter of 2020 included a rush of malicious actors leveraging COVID-19, and the trend only increased in the second quarter. For example, McAfeeโ€™s global network of more than a billion sensors registered a 605% increase in total Q2 COVID-19-themed threat detections. Itโ€™s an example of updated pandemic-related threats you can track on our McAfee COVID-19 Threats Dashboard.

This edition of our threat report also looks at other notable Q2 20 malware increases including:

  • Attacks on cloud services users reached nearly 7.5 million
  • New malware samples grew 11.5%, averaging 419 new threats per minute
  • PowerShell malware surged 117%

To help ensure your data and systems remain secure, we have also made available the MVISION Insights preview dashboard to demonstrate the prevalence of such current campaigns. This dashboard also provides access to the Yara rules, IoCs, and mapping of such campaigns against the MITRE ATT&CK Framework. We update these campaigns on a weekly basis so, in essence, this threat report has an accompanying dashboard with more detail on specific campaigns.

I certainly hope that you see the value not only in the data presented within the threats report, but also with the dashboards. Your feedback is important to us.

Stay safe.

ย 

McAfee Labs Quarterly Threat Report โ€“ November 2020

What a year so far! We exited the first quarter of 2020 battling the rush of malicious actors leveraging COVID-19, and in the second quarter there are no signs that these attacks seem to be abating.

Download Now

ย 

The post McAfee Labs Report Reveals Continuing Surge of COVID-19 Threats and Malware appeared first on McAfee Blogs.

McAfee COVID-19 Report Reveals Pandemic Threat Evolution

22 July 2020 at 04:01

The McAfee Advanced Threat Research team today published the McAfeeยฎ Labs COVID-19 Threats Report, July 2020.

In this โ€œSpecial Editionโ€ threat report, we delve deep into the COVID-19 related attacks observed by our McAfee Advanced Threats Research and McAfee Labs teams in the first quarter of 2020 and the early months of the pandemic.

What started as a trickle of phishing campaigns and the occasional malicious app quickly turned to thousands of malicious URLs and more-than-capable threat actors leveraging our thirst for more information as an entry mechanism into systems across the world.

Thus far, the dominant themes of the 2020 threat landscape have been cybercriminalโ€™s quick adaptation to exploit the pandemic and the considerable impact cyberattacks have had. For example, many ransomware attacks have escalated into data breaches as cybercriminals up the ante by leaking sensitive, often regulated, data, regardless of whether victims have paid the ransom.

Some of the other significant threat findings in our COVID-19 report include:

  • Average of 375 threats per minute in Q1 2020
  • Nearly 47% of all publicly disclosed security incidents took place in the United States
  • New PowerShell Malware increased drastically
  • Disclosed incidents largely targeted Public, Individual, and Education sectors

In a first, we also have made available a COVID-19 dashboard to complement this threat report and extend its impact beyond the publication date. Timeliness is a challenge for publishing any threat report, but through the development of MVISION Insights our threat reports will include a link to another live dashboard tracking the worldโ€™s top threats. We will also make available the IOCs, Yara rules, and mapping to the MITRE ATT&CK framework as part of our continuing commitment to sharing our actionable intelligence. I hope these McAfee resources will be useful to you, the reader.

As we head into the second half of the year, we must consider how the threat landscape has changed when we address and define each attack. Simply assigning a technical descriptor or reverting to the same attack classifications fail to communicate the impact such campaigns have on the broader society.

All too often, we are called into investigations where businesses have been halted, or victims have lost considerable sums of money. While we all have had to contend with pandemic lockdown, criminals of all manner of capability have had a field day.

We hope you enjoy these new threat report approaches, and moreover we would appreciate you sharing these findings far and wide. These tools and insights could be the difference between a business remaining operational or having to shut its doors at a time when we have enough challenges to contend with.

ย 

The post McAfee COVID-19 Report Reveals Pandemic Threat Evolution appeared first on McAfee Blogs.

โŒ