Posts tagged Malware

4 min Project Sonar

VPNFilter's Potential Reach — Malware Exposure in SMB/Consumer-grade Devices

(Many thanks to Rebekah Brown [/author/rebekah-brown/] & Derek Abdine for their contributions to the post.) How does VPNFilter work? Over the past few weeks, Cisco’s Talos [https://www.cisco.com/c/en/us/products/security/talos.html] group has published some significant new research [https://blog.talosintelligence.com/2018/06/vpnfilter-update.html] on a new malware family called VPNFilter. VPNFilter targets and compromises networking devices to monitor the traffic that goes through them. The mal

4 min Threat Intel

Simplicity, Harmony, and Opportunity: Rapid7 Threat Report Q3 2017

John Archibald Wheeler, the theoretical physicist who first coined the term “wormhole” (and therefore brought us Deep Space 9) once listed Albert Einstein’s Three Rules of Work: > Out of clutter find simplicity; from discord find harmony; in the middle of difficulty lies opportunity. These rules seemed fitting for our third quarter threat report [https://www.rapid7.com/info/threat-report/2017-q3-threat-report/]. Q3 brought us plenty of clutter, discord, and difficulty, but in this threat repo

3 min Malware

The BadRabbit Ransomware Attack: What You Need To Know

What’s Up? Rapid7 has been tracking reports of an expanding ransomware campaign dubbed BadRabbit. Russian news outlets and other organizations across Europe have reported being victims of this malware and the “outbreak” is continuing to spread. The BadRabbit attackers appear to have learned some lessons from previous outbreaks earlier this year and have both limited the external spreading capabilities of the ransomware as well as made the payments a bit harder for researchers, responders and au

6 min Malware

The CIS Critical Controls Explained- Control 8: Malware Defenses

This is a continuation of our CIS critical security controls [/2017/04/19/the-cis-critical-security-controls-series] blog series. Workstations form the biggest threat surface in any organization. The CIS Critical Security Controls [https://www.rapid7.com/solutions/compliance/critical-controls/] include workstation and user-focused endpoint security in several of the controls, but Control 8 (Malware Defenses) is the only control to strictly focus on antivirus and malware across the organization.

3 min Incident Detection

Introspective Intelligence: Understanding Detection Techniques

To provide insight into the methods devised by Rapid7, we'll need to revisit the detection methods implemented across InfoSec products and services and how we apply data differently. Rapid7 gathers volumes of threat intelligence on a daily basis - from new penetration testing tools [https://www.rapid7.com/products/metasploit/download.jsp?CS=blog], tactics, and procedures in Metasploit [https://www.rapid7.com/products/metasploit/index.jsp?CS=blog], vulnerability detections in Nexpose [https://www

4 min Malware

Malware and Advanced Threat Protection: A User-Host-Process Model

[Editor's Note: This is a sneak peek at what Tim will be presenting at UNITED 2016 in November. Learn more and secure your pass at http://www.unitedsummit.org [http://www.unitedsummit.org/?CS=blog]!] In today's big data and data science age, you need to think outside the box when it comes to malware and advanced threat protection. For the Analytic Response team [https://www.rapid7.com/services/] at our 24/7 SOC in Alexandria, VA, we use three levels of user behavior analytics [https://www.rapid

4 min InsightIDR

Compromised Credentials Have a High ROI for Attackers

Given that detecting the use of compromised credentials is at the core of user behavior analytics', and InsightIDR's, focus, I want to explain why compromised credentials are so valuable to attackers. To effectively understand any attacker tools and techniques, we have to put them into the context of their challenges and goals the same way you would a business, or supply chain of businesses. Accordingly, I will use some common microeconomics terms to explain. Phishing has a high expected return

4 min Malware

Attackers Take Advantage Of The Options You Give Them - Malware vs. Credentials

When InsightIDR was purpose-built to detect compromised credentials in the first months of 2014, we did so because we identified a significant gap in detection solutions currently available to security teams. The 2014 Verizon DBIR just happened to subsequently quantify the size of this gap (and it has repeated in 2015 and 2016). User behavior analytics, as an industry, emerged to cover this gap in SIEM and other solutions. This does not mean that malware is not heavily used in attacks today, but

3 min Malware

Ransomware FAQ: Avoiding the latest trend in malware

Recently, a number of Rapid7's customers have been evaluating the risks posed by the swift rise of ransomware as an attack vector. Today, I'd like to address some of the more common concerns. What is Ransomware? Cryptowall [http://www.theregister.co.uk/2015/11/09/cryptowall_40/] and Cryptolocker [https://www.us-cert.gov/ncas/alerts/TA13-309A] are among of the best known ransomware criminal malware packages today. In most cases, users are afflicted by ransomware by clicking on a phishing link o

2 min Malware

Hammertoss Demonstrates Need for Applying Attacker Knowledge to Behavior Analytics

A recent report on a new type of malware dubbed “Hammertoss [http://www.cnet.com/news/hammertoss-extra-sneaky-malware-acts-just-like-you/]” highlights the importance of applying knowledge of attacker methodologies to behavior analytics. As an industry, we get very fixated on the latest intruder tools. The risk here is that we can't see the forest for the trees. To effectively detect intruders, we must look at the entire attack chain and the methods attackers will always use to complete their mi

8 min Flash

More Flash Exploits in the Framework

As todb [/author/tod-beardsley/] pointed out in the last weekly metasploit update wrapup [/2015/06/26/weekly-metasploit-wrapup] we recently added two new exploits for Flash: CVE-2015-3090 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3090] and CVE-2015-3105 [http://www.cvedetails.com/cve-details.php?cve_id=CVE-2015-3105], based on the samples found in the wild. As you're probably aware, the last years, and especially the end of 2014 and 2015, Flash has become the trending target f

2 min Malware

What exactly is Duqu 2.0?

Overview: Duqu, a very complex and modular malware platform thought to have gone dark in late 2012, has made its appearance within the environment of Kaspersky Labs. [https://threatpost.com/duqu-resurfaces-with-new-round-of-victims-including-kaspersky-lab/113237] Dubbed “Duqu 2.0” by Kaspersky, the level of complexity found within the malware represents a high level of sophistication, skill, funding and motivation seen by nation-sponsored actors. Infections related to this malware have reveale

2 min Malware

Rapid7 UserInsight Brings User Context to Palo Alto WildFire Alerts

According to the Ponemon Institute's 2014 Industry Report, 74% of security professionals claim incident investigation solutions lack integration with existing security products. UserInsight, our intruder analytics solution, now integrates with Palo Alto WildFire to provide user context and investigative tools to their advanced malware alerts. What does user context mean? For incident alerts, monitoring solutions often provide the IP addresses or assets affected. However, as users connect to the

2 min Phishing

Top 3 Takeaways from the "Getting One Step Ahead of the Attacker: How to Turn the Tables" Webcast

For too long, attackers have been one step (or leaps) ahead of security teams. They study existing security solutions in the market and identify gaps they can use to their advantage. They use attack methods that are low cost and high return like stolen credentials and phishing, which works more often than not. They bank on security teams being too overwhelmed by security alerts to be able to sift through the noise to detect their presence. In this week's webcast, Matt Hathaway [/author/matt-hat

4 min Malware

Weekly Metasploit Wrapup: On Insecure Updates

Updating Like It's 1999 Now, before I get started, let me just say that I love the folks over at Malwarebytes. They do a lot of good work, and I'm constantly recommending their products to my friends and family in those vulnerable times of need. And if that all sounds like an apology, it is. Sorry, guys. But dang. This week, we have an exploit module from community contributor Gabor Seljan [https://twitter.com/gaborseljan] which exploits a design flaw in the way MalwareBytes handled updates pri