Black Friday alert

Banking Trojans traditionally target users of online financial services, looking for financial data to steal or building botnets out of hacked devices for future attacks. However, over time, several of these banking Trojans have enhanced their functionality, launching new variants and extending their range. Some are now able to obtain root access to infected devices, perform transactions, inject other malicious code, record video, and more. And the victims of such malware are not just people who bank online but online shoppers in general.
According to Kaspersky Lab data, 14 malware families are targeting e-commerce brands to steal from victims. The main ones are Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye. They are all banking Trojans. Detections of their e-commerce-related activity have increased steadily over the last few years, from 6.6 million in 2015 to an estimated 12.3 million by the end of 2018 (based on the extrapolation of a detection number of 9.2 million at the end of Q3, 2018), with a 12% increase between 2016 and 2017, and a 10% expected rise between 2017 and 2018.

Move Over, Ransomware: Cryptojacking is the New Kid in Town

Ransomware has been the “go-to” play for attackers, taking advantage of the relative anonymity of cryptocurrency payouts and hitting a record-breaking $2 billion in 2017. While ransomware can result in lucrative payouts, it also requires vast research, social engineering and technical acumen, and comes with some risk for criminals. As a result, this year ransomware has taken a back seat to cryptomining and cryptojacking as the attacks of choice. The first half of 2018 saw a 956 percent increase in cryptojacking attacks compared to the first half of 2017, according to a recent report by Trend Micro.

Beyond Passwords: 2FA, U2F and Google Advanced Protection

Last week I wrote a couple of different pieces on passwords, firstly about why we’re going to be stuck with them for a long time yet and then secondly, about how we all bear some responsibility for making good password choices. A few people took some of the points I made in those posts as being contentious, although on reflection I suspect it was more a case of lamenting that we shouldn’t be in a position where we’re still dependent on passwords and people needing to understand good password management practices in order for them to work properly.

Is Your Vulnerability Management Program Efficient and Successful?

Be organized and efficient. It’s a simple rule of life that makes things run a whole lot smoother. This is something especially important when running your vulnerability management program.

There are only so many hours in a day; rather, there are only so many hours in a down cycle where the business will let you scan their environment for vulnerabilities! Let’s assume for a minute that your vulnerability management solution is not safe to run during production hours. (If you’re not using IP360, this may be the case, but that’s a topic for another day!) Most lines of business will only let the security team scan their environments after hours. These days, that means after about 8 or 9 pm and before 5 or 6 am. That leaves you with somewhere between 8 and 10 scanning hours each night, plus weekends if you’re lucky.

Further to that, some folks who are scheduling these scans end up with scenarios where they only want to scan the Unix servers that are supporting application X on Wednesday night, the database servers supporting that application on Friday, the supporting network gear on Monday and the web servers on Sunday morning. Take that scenario and multiply it by the hundreds of applications, and you have yourself a hot mess of scheduling tasks. I’ve seen some organizations with thousands of scanning windows and tasks that are next to impossible to manage! This is definitely not fun and can be extremely time-consuming. Who has time for that? The end result is that you end up unsure whether you’re actually covering everything in your environment, and hoping that you didn’t miss recommending remediation for something that an attacker can easily take advantage of.

Well, what should we do about this, you ask?

Firstly, when selecting a VM solution, find one that is non-intrusive. (This buyer’s guide may help.) Have the system owners monitor their system usage when you run a scan. This will prove to them that the load on the system is quite low. Furthermore, if they prefer that you do not do a credentialed scan, you can use a lightweight agent that will provide the data without needing to log in. Business value: This speeds up the scan and ensures even cloud assets and transient devices are monitored for their vulnerability risk.

Secondly, organize your scans based on IP subnets. Work with your networking team to get a solid understanding of how the networks are deployed in your organization. You can strategically set up scanners to have minimal impact on the network by not having scans running through firewalls. For larger subnets, you can configure multiple scanners to pool together for a much faster run through those subnets. Business value: This will simplify the number of groups and tasks the security team needs to configure and keep up to date, as well as minimize the network traffic.

Finally, once the assets are discovered, sort your reporting by line of business or system owner, so the organization can track the risk and report in the manner best suited to your particular organization. You can do this by leveraging your vulnerability vendor’s reporting options or by integrating with something like ServiceNow’s SecOps tool. Business value: This will allow you to sort, organize and prioritize your remediation based not only on what is the greatest risk to the organization but also on what matters most to your particular organization.

Having a solid vulnerability management program is part of every organization’s information security program. Ensuring that it is configured in an efficient manner will make your organization successful in reducing risk and allow your security professionals to focus on actioning the data rather than administering a tool.
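The two organizing ideas above, collapsing per-host scan jobs into one task per subnet served by a local scanner and rolling findings up by system owner, can be scripted against a plain asset inventory. The following is an added example, not code from the original post, Tripwire or any vendor tool; the inventory rows, subnet-to-scanner map and CVSS scores are constructed sample data, and the function names are my own.

```python
"""Turn a flat asset inventory into per-subnet scan tasks and an
owner-sorted remediation report. Added example with constructed data;
not taken from any vulnerability management product."""
import ipaddress
from collections import defaultdict

# Constructed sample inventory: (ip, application, system_owner, highest_cvss)
INVENTORY = [
    ("10.1.2.10", "billing", "finance-it", 9.8),
    ("10.1.2.11", "billing", "finance-it", 5.3),
    ("10.1.3.20", "billing", "dba-team", 7.5),
    ("10.2.0.5", "intranet", "web-team", 4.0),
    ("10.2.0.6", "intranet", "web-team", 8.1),
    ("172.16.5.9", "hr-portal", "hr-it", 6.5),
    ("192.168.50.4", "lab", "research", 3.1),  # not in any known subnet
]

# Constructed: subnets confirmed with the network team, and the scanner
# that sits inside each one so scans do not have to traverse a firewall.
SUBNET_SCANNERS = {
    "10.1.2.0/24": "scanner-dc1",
    "10.1.3.0/24": "scanner-dc1",
    "10.2.0.0/16": "scanner-dc2",
    "172.16.0.0/12": "scanner-branch",
}


def assign_subnet(ip, scanners=SUBNET_SCANNERS):
    """Return the most specific configured subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr in scanners:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best


def build_scan_tasks(inventory=INVENTORY, scanners=SUBNET_SCANNERS):
    """Collapse per-host jobs into one task per subnet, tagged with the local
    scanner and the hosts it covers. Hosts outside every known subnet are
    returned separately so that coverage gaps are visible, not silently lost."""
    tasks = defaultdict(lambda: {"scanner": None, "hosts": []})
    unmapped = []
    for ip, _app, _owner, _cvss in inventory:
        net = assign_subnet(ip, scanners)
        if net is None:
            unmapped.append(ip)
            continue
        key = str(net)
        tasks[key]["scanner"] = scanners[key]
        tasks[key]["hosts"].append(ip)
    return dict(tasks), unmapped


def nights_required(tasks, hosts_per_hour=50, window_hours=8):
    """Rough capacity check per scanner: how many after-hours windows of
    window_hours are needed if a scanner covers hosts_per_hour hosts."""
    load = defaultdict(int)
    for task in tasks.values():
        load[task["scanner"]] += len(task["hosts"])
    per_window = hosts_per_hour * window_hours
    return {s: -(-n // per_window) for s, n in load.items()}  # ceiling division


def report_by_owner(inventory=INVENTORY):
    """Roll findings up per system owner, worst host first, so each line of
    business sees its own remediation queue in priority order."""
    by_owner = defaultdict(list)
    for ip, app, owner, cvss in inventory:
        by_owner[owner].append((cvss, ip, app))
    return {owner: sorted(rows, reverse=True) for owner, rows in by_owner.items()}


if __name__ == "__main__":
    scan_tasks, gaps = build_scan_tasks()
    for subnet, task in scan_tasks.items():
        print(f"{subnet:16} via {task['scanner']:15} {len(task['hosts'])} hosts")
    print("unmapped hosts (coverage gap):", gaps)
    print("windows needed per scanner:", nights_required(scan_tasks))
    for owner, rows in report_by_owner().items():
        print(owner, rows)
```

Seven hosts become four subnet tasks here; the point scales to the "thousands of scanning windows" case because the task count tracks the number of subnets, not the number of hosts or applications. The unmapped list is the check the post is really after: it names the assets you would otherwise be "hoping" were covered.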

Emotet infection with IcedID banking Trojan, (Thu, Nov 15th)

Introduction

Emotet malware is distributed through malicious spam (malspam), and it’s active nearly every day–at least every weekday. Sometimes the criminals behind Emotet take a break, such as a month-long hiatus from early October through early November, but the infrastructure pushing Emotet has been very active since Monday 2018-11-05.

Are Browser Extensions Safe? | Avast

While it makes a great title, not ALL browser extensions are evil. In fact, most can be helpful. The problem is that each and every browser extension, no matter its intended function, has the capability to turn your digital world upside down. Given the amount of personal data users store and share on the web, web browsers have emerged as one of the largest and most vulnerable attack surfaces for cybercriminals. If a browser extension gets compromised or, even worse, is designed to be malicious from the start, your most sensitive data could fall into the wrong hands.

FLARE VM Update

FLARE VM is the first-of-its-kind reverse engineering and malware analysis distribution on the Windows platform. Since its introduction in July 2017, FLARE VM has been continuously trusted and used by many reverse engineers, malware analysts, and security researchers as their go-to environment for analyzing malware. Just like the ever-evolving security industry, FLARE VM has gone through many major changes to better support our users’ needs. FLARE VM now has a new installation, upgrade, and uninstallation process, which is a long-anticipated feature requested by our users. FLARE VM also includes many new tools such as IDA 7.0, radare and YARA. Therefore, we would like to share these updates, especially the new installation process.

Alex Jones blames “leftist stay-behind networks in US intelligence agencies” for malware on his site

Alex Jones, starved of attention since he was no-platformed by Big Tech, has launched a desperate bid for notoriety, releasing an unhinged (even by Jones’s standards) statement blaming the credit-card skimming malware his online store was serving on “a zero-day hack probably carried out by leftist stay behind networks hiding inside US intelligence agencies” (he also blamed it on “big tech, the communist Chinese, and the Democratic party”, “globalist forces”, “the corporate press, Antifa and rogue intelligence operatives”).

Reported Breaches In The First 9 Months Of 2018 Exposed 3.6 Billion Records

There have been 3,676 publicly disclosed data compromise events through September 30. Breach activity continues at a consistent pace for 2018, which although significant in level, will likely not reach the numbers we saw in 2017, according to the 2018 Q3 Data Breach QuickView report by Risk Based Security. “The number of reported breaches shows some improvement compared to 2017 and the number of records exposed has dropped dramatically,” said Inga Goddijn, Executive Vice President for Risk Based Security. “However, an improvement from 2017 is only part of the story, since 2018 is on track to have the second most reported breaches and the third most records exposed since 2005. Despite the decrease from 2017, the overall trend continues to be more breaches and more mega breaches impacting tens of millions, if not hundreds of millions, of records at once.”