Top IT Security Bloggers

Trend Micro - Security Intelligence
  • Cybercriminals Use Malicious Memes that Communicate with Malware

    Steganography, the technique of concealing data (here, a malicious payload or command) inside an image so that it slips past security solutions, has long been used by cybercriminals to spread malware and carry out other malicious operations. We recently discovered malicious actors applying it to memes. The malware authors posted two tweets featuring malicious memes on October 25 and 26 via a Twitter account created in 2017. Each meme carries an embedded command that the malware parses after it downloads the image from that Twitter account onto the victim's machine; the account thus serves as a C&C channel for malware that is already in place. Note that the malware itself was not downloaded from Twitter, and we did not observe the mechanism used to deliver it to its victims.
  • Tildeb: Analyzing the 18-year-old Implant from the Shadow Brokers’ Leak

    On April 14, 2017, The Shadow Brokers (TSB) leaked a trove of hacking tools in a dump named "Lost in Translation." The leak is notorious for containing exploits for multiple zero-day remote code execution (RCE) vulnerabilities in critical protocols such as Server Message Block (SMB) and Remote Desktop Protocol (RDP) and in applications such as collaboration and web server software. The exploit toolkit includes EternalBlue, EternalChampion, EternalSynergy, EsteemAudit, EchoWrecker, ExplodingCan, EpicHero, and EWorkFrenzy, among others.
    The leak also contains multiple post-exploitation implants and utilities used for maintaining persistence on the infected system, bypassing authentication, performing various malicious activities, and establishing command-and-control (C&C) channels with a remote server. Five of the most notable implants are DoublePulsar, PeddleCheap, ExpandingPulley, KillSuit (KiSu), and DanderSpritz, which differ in capabilities, features, and usage.
  • Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

    We detected cryptocurrency-mining activity on our honeypot that targets Elasticsearch, an open-source, Java-based search engine built on the Lucene library. The attack exploits two old, known vulnerabilities: CVE-2015-1427, a flaw in Elasticsearch's Groovy scripting engine that lets remote attackers bypass the sandbox and execute arbitrary shell commands through a crafted script, and CVE-2014-3120, a flaw in Elasticsearch's default configuration, which left dynamic scripting enabled and so allowed remote attackers to execute arbitrary code through crafted requests.
  • December Patch Tuesday: Year-End Batch Addresses Win32k Elevation of Privilege and Windows DNS Server Vulnerabilities

    The December Patch Tuesday release includes a fix for the actively exploited Win32k elevation-of-privilege vulnerability CVE-2018-8611. The flaw lets an attacker who already has a foothold on the system exploit a bug in the Windows kernel and run arbitrary code in kernel mode, and from there install programs; view, change, or delete data; or create new accounts with full user rights. It has also been reported as likely being chained with other bugs in targeted attacks.
  • New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

    We identified a new exploit kit, which we named Novidade, that targets home and small office routers: it changes their Domain Name System (DNS) settings via cross-site request forgery (CSRF), which in turn lets the attacker target web applications the victim is authenticated to from a mobile device or desktop. Once the router's DNS setting points to a malicious server, the attacker can carry out a pharming attack, redirecting traffic for the targeted websites from every device connected to that router.
  • Machine-to-Machine (M2M) Technology Design Issues and Implementation Vulnerabilities

    We delve into the security issues of the protocols themselves, from a technology perspective. The scant awareness we have observed of the current state of Message Queuing Telemetry Transport (MQTT) and the Constrained Application Protocol (CoAP) can help attackers achieve goals ranging from reconnaissance and lateral movement to remote control and targeted attacks.
  • New PowerShell-based Backdoor Found in Turkey, Strikingly Similar to MuddyWater Tools

    MuddyWater is a well-known threat actor group that has been active since 2017. It has regularly targeted organizations in the Middle East and Central Asia, primarily through spear-phishing emails with malicious attachments. We recently observed a few interesting delivery documents with similarities to MuddyWater's known tools, techniques, and procedures.
  • Water and Energy Sectors Through the Lens of the Cybercriminal Underground

    In our research paper Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries, we not only found exposed industrial control system (ICS) human-machine interfaces (HMIs) but also showed how these systems were at risk. That risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.
  • Proofs of Concept Abusing PowerShell Core: Caveats and Best Practices

    We explored strategies attackers could employ to abuse PowerShell Core. These proofs of concept (PoCs) help in understanding, and in turn detecting and preventing, the common routines and behaviors of current and future threats. We ran the PoCs, developed in PowerShell Core, on Windows, Linux, and macOS. Most of the techniques appear in earlier PowerShell-based threats such as the fileless KOVTER and POWMET, and the PoC scenarios are grouped by the PowerShell function they abuse.
  • Fake Voice Apps on Google Play, Botnet Likely in Development

    Several apps on Google Play posing as legitimate voice messenger platforms carry automated functions such as fake survey pop-ups and fraudulent ad clicks. Variants have been released one after another since October; over that time they gained evasion techniques, split their infection behavior into several stages, and added botnet code that may indicate attacks to come.
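The Elasticsearch item names two vulnerabilities that are both reached through inline scripts in search requests: CVE-2014-3120 via MVEL dynamic scripting that the default configuration left enabled, and CVE-2015-1427 via a Groovy sandbox escape. As an added example (not Trend Micro's code), the Python below triages request bodies the way a reverse proxy or log-review job in front of a 1.x cluster could: flag any inline Groovy or MVEL script, and flag scripts that reach for the JVM. The request bodies are constructed; the one named RUNTIME_BODY follows the shape of the public proof-of-concept requests for CVE-2015-1427 and is not captured traffic.

```python
"""Flag Elasticsearch request bodies that carry dynamic (Groovy/MVEL) scripts.

Added example for the Elasticsearch cryptominer item; not Trend Micro's code.
Two questions are asked of each body: does it carry an inline script at all,
and does that script reach for the JVM (class loading, Runtime, processes)?
"""
import json
import re

# Tokens that a search-time script has no legitimate reason to contain.
JVM_REACH = re.compile(
    r"java\.lang|Runtime|getRuntime|forName|ProcessBuilder|\.exec\s*\(|getClass\s*\(",
    re.IGNORECASE,
)
DYNAMIC_LANGS = {"groovy", "mvel"}


def iter_scripts(node):
    """Yield (lang, source) for every inline script in a parsed request body.

    Handles both the 1.x shape {"script": "...", "lang": "groovy"} and the
    later shape {"script": {"inline": "...", "lang": "groovy"}}.
    """
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "script" and isinstance(val, str):
                yield str(node.get("lang", "default")), val
            elif key == "script" and isinstance(val, dict):
                src = val.get("inline") or val.get("source")
                if isinstance(src, str):
                    yield str(val.get("lang", "default")), src
                else:
                    yield from iter_scripts(val)
            else:
                yield from iter_scripts(val)
    elif isinstance(node, list):
        for item in node:
            yield from iter_scripts(item)


def assess(body: str):
    """Return a list of findings for one request body; [] means nothing flagged."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["body is not JSON"]
    findings = []
    for lang, src in iter_scripts(doc):
        reasons = []
        if lang.lower() in DYNAMIC_LANGS:
            reasons.append(f"dynamic {lang.lower()} script")
        if JVM_REACH.search(src):
            reasons.append("script reaches for the JVM (class loading / process execution)")
        if reasons:
            findings.append("; ".join(reasons) + f": {src[:70]}")
    return findings


# --- constructed request bodies (not captured traffic) -------------------------
BENIGN_BODY = '{"query": {"match_all": {}}, "size": 10}'
SCRIPT_BODY = ('{"script_fields": {"doubled": '
               '{"script": "doc[\'price\'].value * 2", "lang": "groovy"}}}')
# Shaped like the public proofs of concept for CVE-2015-1427: Groovy walks from
# an allowed class to java.lang.Runtime and spawns a process.
RUNTIME_BODY = ('{"size": 1, "script_fields": {"x": {"script": '
                '"java.lang.Math.class.forName(\\"java.lang.Runtime\\")'
                '.getRuntime().exec(\\"id\\").text", "lang": "groovy"}}}')
MVEL_BODY = ('{"script_fields": {"x": {"script": '
             '"new java.lang.ProcessBuilder(\\"id\\").start()", "lang": "mvel"}}}')

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_BODY), ("script", SCRIPT_BODY),
                       ("runtime", RUNTIME_BODY), ("mvel", MVEL_BODY)):
        print(f"{name}: {assess(body) or 'clean'}")
```

Detection is the fallback, not the fix. For the 1.x line the documented settings are `script.disable_dynamic: true` (the default from 1.2 onward, closing CVE-2014-3120) and `script.groovy.sandbox.enabled: false` (1.4.3 and later, closing CVE-2015-1427); anything older should be upgraded. The honeypot in the item was hit because port 9200 was reachable from the internet, so keeping the REST port off the public network removes the attack surface entirely.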
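The Novidade item works because the victim's browser, while on an attacker-controlled page, submits a form to the router's admin interface and attaches the admin session cookie on its own. As an added example (not Trend Micro's code and not any vendor's firmware), the Python below models a router's "set DNS servers" handler twice: a vulnerable version that trusts the session cookie alone, and a hardened version that also requires a per-session anti-CSRF token and a same-origin Origin or Referer header and validates the submitted addresses. The router origin, session handling, and IP addresses are assumptions made for the example.

```python
"""A router's 'set DNS' handler: CSRF-vulnerable version beside a hardened one.

Added example for the Novidade item; not Trend Micro's code and not any
vendor's firmware. The admin origin, session handling and addresses are
assumptions made for the example.
"""
import hmac
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ROUTER_ORIGIN = "http://192.168.0.1"  # assumed admin UI origin


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    cookies: dict


@dataclass
class Session:
    sid: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def same_origin(url: str, expected: str) -> bool:
    """True only when scheme and host[:port] match; '' (header absent) fails."""
    a, b = urlsplit(url), urlsplit(expected)
    return bool(a.netloc) and (a.scheme, a.netloc) == (b.scheme, b.netloc)


@dataclass
class Router:
    dns: list = field(default_factory=lambda: ["192.168.0.1"])
    sessions: dict = field(default_factory=dict)

    def login(self) -> Session:
        sess = Session(sid=secrets.token_urlsafe(16))
        self.sessions[sess.sid] = sess
        return sess

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("sid", ""))

    def set_dns_vulnerable(self, req: Request) -> bool:
        """Trusts the session cookie alone. Any page open in the victim's
        browser can make it submit this form, and the cookie rides along."""
        if self._session(req) is None:
            return False
        self.dns = [req.form["dns1"], req.form["dns2"]]
        return True

    def set_dns_hardened(self, req: Request) -> bool:
        sess = self._session(req)
        if sess is None or req.method != "POST":  # never change state on GET
            return False
        # Origin (or Referer) must be the router's own UI. Browsers set these
        # headers themselves; page script cannot forge them.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not same_origin(origin, ROUTER_ORIGIN):
            return False
        # Per-session anti-CSRF token: the attacker's page cannot read it.
        if not hmac.compare_digest(req.form.get("csrf", ""), sess.csrf_token):
            return False
        try:  # finally, the values themselves must be IP addresses
            servers = [str(ipaddress.ip_address(req.form[k])) for k in ("dns1", "dns2")]
        except (KeyError, ValueError):
            return False
        self.dns = servers
        return True


def run_scenarios() -> dict:
    """Replay a forged cross-site request and a legitimate one against both handlers."""
    router = Router()
    sess = router.login()
    cookies = {"sid": sess.sid}  # the browser attaches this to every request to the router
    rogue = {"dns1": "203.0.113.53", "dns2": "203.0.113.54"}  # attacker resolvers (doc range)
    good = {"dns1": "192.0.2.53", "dns2": "192.0.2.54", "csrf": sess.csrf_token}
    results = {}

    forged = Request("POST", {"Origin": "http://attacker.example"}, rogue, cookies)
    results["vulnerable_accepts_forged"] = router.set_dns_vulnerable(forged)
    router.dns = ["192.168.0.1"]  # reset between scenarios
    results["hardened_rejects_forged"] = not router.set_dns_hardened(forged)
    # Even with the right Origin, a forged form has no token to present.
    no_token = Request("POST", {"Origin": ROUTER_ORIGIN}, rogue, cookies)
    results["hardened_rejects_missing_token"] = not router.set_dns_hardened(no_token)
    legit = Request("POST", {"Origin": ROUTER_ORIGIN}, good, cookies)
    results["hardened_accepts_legit"] = router.set_dns_hardened(legit)
    results["dns_after_legit"] = router.dns
    return results


if __name__ == "__main__":
    for key, val in run_scenarios().items():
        print(f"{key}: {val}")
```

The token check is what defeats the kit: the attacker's page can make the victim's browser send the cookie, but it cannot read the token out of the router's own pages, so the forged request fails even though it arrives from inside the LAN with a valid session. Checking the source address against the LAN range is therefore no defense here. Marking the session cookie SameSite=Lax or Strict adds a browser-enforced second layer.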
