Top IT Security Bloggers

TrendLabs - Malware Blog
  • A Closer Look at North Korea’s Internet

    TrendLabs - Malware Blog
    This blog post summarizes our findings from studying internet traffic going in and out of North Korea. It reviews its small IP space of 1024 routable IP addresses. It will also cover spam waves that originate in part from spambots in the country, DDoS attacks against North Korean websites and their relation to real-world events, as well as recurring watering hole attacks on North Korean websites.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    A Closer Look at North Korea’s Internet
  • From Cybercrime to Cyberpropaganda

    TrendLabs - Malware Blog
    A couple of common questions that arise whenever cyberpropaganda and hacktivism issues come up: who engages in it? Where do the people acquire the tools, skills, and techniques used? As it turns out, in at least one case, it comes from the traditional world of cybercrime. We’ve come across a case where a cybercriminal based in Libya turned from cybercrime to cyberpropaganda. This highlights how the cybercrime underground in the Middle East/North African region (covered in our paper titled Digital Souks: A Glimpse into the Middle Eastern and North African Underground) can expand their activity into areas beyond their original area of expertise.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    From Cybercrime to Cyberpropaganda
  • Microsoft’s October Patch Tuesday Fixes 62 Vulnerabilities, including an Office Zero-Day

    TrendLabs - Malware Blog
    Microsoft’s Patch Tuesday for October addresses 62 vulnerabilities, 27 of which are critical and 35 important in terms of severity; many of these flaws can lead to remote code execution (RCE). Microsoft’s fixes are patches for features in the Windows operating system (OS) and Microsoft Office (including Office Web Apps), Skype for Business, Edge, Internet Explorer (including the Chakra Core browser engine), Exchange Server, and .NET development framework, among others. As per Microsoft’s previous advisories, this month’s Patch Tuesday also marks the end of support and patches/updates for Office 2007 and Outlook 2007.
    Of note is Microsoft’s fix for CVE-2017-11826, a memory corruption vulnerability in Microsoft Office that was publicly disclosed and reported to be actively exploited in the wild.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    Microsoft’s October Patch Tuesday Fixes 62 Vulnerabilities, including an Office Zero-Day
  • WannaCry Ransomware Sold in the Middle Eastern and North African Underground

    TrendLabs - Malware Blog
    For $50, one could purportedly get a lifetime license to upgradeable variants of WannaCry. We saw this advertisement in an Arabic-speaking underground forum on May 14, two days after WannaCry’s outbreak. Indeed, a threat that left a trail of significant damage in its wake was objectified into a commodity, and even a starting point for others to launch their own cybercriminal businesses.
    WannaCry’s relatively low price also reflects another unique aspect of the Middle Eastern and North African underground: a sense of brotherhood. Unlike marketplaces in Russia and North America, for instance, where its players aim to make a profit, the Middle East and North Africa’s underground scene is an ironic juncture where culture, ideology, and cybercrime meet.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    WannaCry Ransomware Sold in the Middle Eastern and North African Underground
  • Dnsmasq: A Reality Check and Remediation Practices

    TrendLabs - Malware Blog
    Dnsmasq is the de-facto tool for meeting the DNS/DHCP requirements of small servers and embedded devices. Recently, Google Security researchers identified seven vulnerabilities that can allow a remote attacker to execute code on, leak information from, or crash a device running a Dnsmasq version earlier than 2.78, if configured with certain options.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    Dnsmasq: A Reality Check and Remediation Practices
  • SYSCON Backdoor Uses FTP as a C&C Channel

    TrendLabs - Malware Blog
    Bots can use various methods to establish a line of communication between themselves and their command-and-control (C&C) server. Usually, these are done via HTTP or other TCP/IP connections. However, we recently encountered a botnet that uses a more unusual method: an FTP server that, in effect, acts as a C&C server.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    SYSCON Backdoor Uses FTP as a C&C Channel
  • Business Process Compromise and the Underground’s Economy of Coupon Fraud

    TrendLabs - Malware Blog
    The fraudulent redemption of freebies, discounts, and rebates in the form of coupons is reportedly costing U.S. businesses $300–600 million every year. And where there’s money to be made, there are cybercriminals rustling up schemes to take advantage of it. Unsurprisingly, that was the case when it comes to coupon fraud, which we found to be rife and thriving in the underground.
    What does coupon fraud mean for businesses? In 2012, major manufacturers were victimized by counterfeit coupons, with one consumer goods corporation pegging its losses to around $1.28 million. Another coupon fraud scheme almost a decade in the making stole at least $250 million from companies.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    Business Process Compromise and the Underground’s Economy of Coupon Fraud
  • An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks

    TrendLabs - Malware Blog
    Infecting automated teller machines (ATMs) with malware is nothing new. It’s concerning, yes. But new? Not really. We’ve been seeing physical attacks against ATMs since 2009. By physical, we mean opening the target machine’s casing, accessing the motherboard and connecting USB drives or CD-ROMs in order to infect the operating system. Once infected, the ATM is at the attackers’ mercy, which normally means that they are able to empty the money cassettes and walk away with fully loaded wallets. In 2016, we released a joint paper with Europol’s European Cybercrime Centre (EC3) that discussed the shift from physical to digital means of emptying an ATM and described the different ATM malware families that had been seen in the wild by then.
    What has happened since? On top of many more malware families entering the landscape – something that was expected in these cases – there is one new development we forecast that unfortunately has come to pass: Attackers have started infecting ATMs with malware through the network. Five distinct incidents of network-based ATM malware attacks have already been reported in the media, and we believe this to be significant because it shows how cybercriminals have had ATMs firmly in their crosshairs.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    An Elaborate ATM Threat Crops Up: Network-based ATM Malware Attacks
  • ZNIU: First Android Malware to Exploit Dirty COW Vulnerability

    TrendLabs - Malware Blog
    The Linux vulnerability called Dirty COW (CVE-2016-5195) was first disclosed to the public in 2016. The vulnerability was discovered in upstream Linux platforms such as Redhat, and Android, which kernel is based on Linux. It is categorized as a serious privilege escalation flaw that allows an attacker to gain root access on the targeted system. Dirty COW attacks on Android has been silent since its discovery, perhaps because it took attackers some time to build a stable exploit for major devices. Almost a year later, Trend Micro researchers captured samples of ZNIU (detected as AndroidOS_ZNIU)—the first malware family to exploit the vulnerability on the Android platform.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    ZNIU: First Android Malware to Exploit Dirty COW Vulnerability
  • EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner

    TrendLabs - Malware Blog
    We’ve uncovered the notorious EITest campaign delivering a JavaScript (JS) cryptocurrency miner (detected by Trend Micro as HKTL_COINMINE) using tech support scams as a social engineering lure. These are fraud activities impersonating legitimate technical support services, conning unwitting victims to avail/pay for these services (or hand out financial data), by scaring them that their machine has been infected with malware, for instance.
    The EITest campaign’s main arsenal is compromised websites. Its activity can be traced to as early as 2014 and once used the Angler exploit kit to deliver ransomware. Starting January 2017, it has eschewed exploit kits in favor of “HoeflerText” (a popular font) phishing attacks or  . In a month, we identified 990 compromised websites injected with a malicious script that diverts the would-be victim to a website related to the tech support scam. Of late, though, the campaign has added the Coinhive JS miner into ongoing attacks, turning the victim’s computer into a Monero cryptocurrency miner. Analysis also revealed that this JS cryptocurrency miner is the same “Coinhive” JS miner found embedded in The Pirate Bay’s website.
    Post from: Trendlabs Security Intelligence Blog - by Trend Micro
    EITest Campaign Uses Tech Support Scams to Deliver Coinhive’s Monero Miner

Editor's Recommendations

Solution Centres

Events

View all events Submit your own security event

Latest Videos

More videos

Blog Posts

Media Release

More media release