DecryptedTech

Friday19 August 2022

Displaying items by tag: Malware

Dropbox, Google Docs and other cloud storage services are great tools for collaboration and to ensure that your files are kept, relatively, safe. These services can also be used by attackers with the right setup and files. The APT group know as Molerats is just such a group. They have been identified is several attacks that leveraged Dropbox and Google Docs as their C2 and payload sources. In December of 2021 the ThreatLabz team at zscaler noticed some unusual behavior that turned out to be just such an attack.

Published in Security Talk

In a list of things that should be killed with fire, Excel 4.0 Macros are high up. However, the fat that Spamming “services” like Emotet are still using Excel 4.0 Macros tells me that some are not getting the hint. According to recent research from TrendMicro, Emotet is using some very unconventional methods of obfuscating the C2 server IP addresses. The attack patter is the same, email with a poisoned Excel spreadsheet. This spreadsheet contains HTA with the command script, you know the drill.

Published in Security Talk

The Ultimate Kronos Group was the target of a Ransomware attack in Late 2021 coincidentally at the same time the Log4Shell vulnerability was disclosed. Kronos has not disclosed how the ransomware got into their environment, nor has it been revealed who might be behind the attack. Original estimates were that Kronos would be able to restore the impacted systems and be back online in a few weeks. Now, a bit more than a month later, there have been no real updates on the situation and many organizations are still feeling the effects.

Published in Security Talk

APT group 41 also known as Winnti has been tied to a wonderful new piece of malware that does not infect your operating system, but the UEFI firmware on your device. The malware in question has been dubbed MoonBounce by the security researchers at Kaspersky who are responsible for finding it. APT41 has been in operation for a while and is identified by their tactics techniques and protocols (TTPs) which include stealthy attacks meant to maintain a long-term presence for information gathering on the target.

Published in Security Talk
Tuesday, 11 January 2022 17:37

Cylance PROTECT and the mystery of Script Control

As the title implies, we will be talking about Cylance PROTECT (now wholly owned by Blackberry). Our focus will not be on the inner workings, or any type of vulnerability. Our focus today will be all about Protect’s script control function and why many people do not enable it. If this sounds like a fun read, then you might be one of those security admins that have beat your head against the wall figuring out just how to get this working right in your environment.

Published in My Ramblings

It seems that is the time once again to talk about the relationship between software vendors and the security posture of different business verticals. Why are we beating this particular dead horse? Well with the Covid-19 Pandemic, the rush to shift to remote work force and an increase in attacker activity aimed at the remote workforce and healthcare you would think that there would be an increase level of effort to fix vulnerabilities in remote access and healthcare services software. If you thought that, you would be wrong. Instead during this time, we are seeing more software vendors pushing FDA as law and healthcare organizations even refusing opportunities to patch critical software. This on top of an extremely slow response to threat to the remote workplace.

Published in Editorials
Monday, 04 February 2019 12:07

When updates go wrong, horribly wrong

When you think about operating system updates you probably do not think about the security team. Sure, there are security patches and such, but those are on the operations team and not really pushed out by the security team. Well, that is when they are done properly by the OS vendor.

Published in Editorials
Thursday, 29 June 2017 15:44

What was uncle Petya really doing?

For the last couple of days the world has been buzzing with news about the Petya malware. When the news of the outbreak broke on Tuesday morning, it was all about a new ransomware that was spreading around the globe. References to WannaCry were made and fingers pointed to the use of the same NSA exploit as the attack vector. However, Petya was not really like WannaCry in that there was no “kill-switch”. Wednesday morning the big players in the anti-malware and security markets had sent out their “what you should know emails” and a low-grade form of panic hit many enterprises.

Published in News

If you have been paying attention to the technical news lately you might have noticed more than a few articles pointing fingers back and forth between the AntiMalware company Cylance and the… well the industry. The argument (if you have not already read about it) goes something like this; the big AV/AM companies are accusing Cylance of stacking the deck in their favor when they demo their product against the competition. Cylance, for their part, claims that they provide a realistic test in comparison to what is usually done when it comes to AV/AM testing. Both sides have their points and it calls into question something that exists in all levels of the technical press and testing bodies; real world vs scripted testing.

Published in Editorials
Thursday, 14 July 2016 10:29

As printers become smarter so do the bad guys

These days it is not unheard of for something as simple as a printer to have all sorts of bells and whistles. You can find wireless, remote file access, remote (web) printing and more. These devices also have very advanced controls that are often accessible through a web interface. All of this technology can be had for very little money making advanced printers a common thing in the market. The downside? Well there is also very little security in these products. Walking through a business the other day with my WiFi sniffer on I found multiple, unprotected wireless networks screaming at me to join. Without exception these were all printers connected to the company’s network. All easy prey if I was up to no good.

Published in News
Page 5 of 17