Tag: Threat Analysis

Security analytics to reach $12 billion by 2024

Amid a maelstrom of cybersecurity threats and rampant hacking attempts that leverage the power of the IoT against itself, organizations are forced to realize that they are on the losing side of this war.

As such, market vendors have no choice but to enhance their cybersecurity arsenal with more sophisticated tools which allow a deeper understanding of their users, devices, and systems. This will drive the security analytics market toward an impressive revenue of $12 billion by 2024, according to ABI Research.

Read more about the prognosis by ABI Rresearch on Help Net Security.

Emotet Malware Gets More Aggressive

Emotet, a nasty botnet and popular malware family, has proven increasingly dangerous over the past year as its operators adopt new tactics. Now armed with the ability to drop additional payloads and arriving via business email compromise (BEC), it’s become a major threat to organizations.

Security watchers are wary of Emotet, which was among the first botnets to spread banking Trojans laterally within target organizations, making removal difficult. After ramping up in early 2018, Emotet increased again during the holiday season. Through the start of 2019, the malware continued to spread.

Read more about the rise and rise of the Emotet botnet on DarkReading.

Cyberwar predictions for 2019: The stakes have been raised

Before the internet era, geopolitical tensions drove traditional espionage, and periodically erupted into warfare. Nowadays, cyberspace not only houses a treasure-trove of commercially and politically sensitive information, but can also provide access to control systems for critical civil and military infrastructure.

It’s therefore no surprise to find nation-state cyber activity high on the agendas of governments. In 2019, nation-state cyber activity is expected to increase to unprecedented levels.

Read more about the predictions for nation-state cyber activity in 2019 on ZDNet.

Last Week’s Bomb Hoaxers Are Serial Online Extortionists

A hoax bomb campaign that rattled organizations across the US and Canada at the end of last week was launched by attackers previously known for individually targeted sextortion scams. Jaeson Schultz, technical leader of Cisco Talos Security Intelligence & Research Group, explained in a blog post that they had obviously made a decision to threaten a much larger number of people.

“So far, all of the samples Talos has found to be associated with the bomb threat attack were sent from IP addresses belonging to the domain registrar and hosting company reg.ru, suggesting that the attackers in this case may have compromised credentials for domains that are hosted at this particular domain registrar,” he continued.

Read more about the criminals behind the hoax campaign on InfoSecurity.

Shamoon Disk-Wiping Malware Re-emerges with Two New Variants

Two new samples of the Shamoon data-wiping malware have been discovered in the wild, after a period of silence that lasted for about two years. Shamoon was first seen in attacks against Saudi Aramco oil provider in 2012 when it erased data on more than 35,000 computer systems belonging to the company. Four years later, it was spotted in attacks against private organizations in the same region that perpetuated until January 2017.

In a report, the research team from Chronicle says that the new strains were uploaded to VirusTotal on December 10, from Italy. One variant of Shamoon Chronicle is currently investigating, has the trigger date and local time set to about one year before it was uploaded to VirusTotal.

Read more about the re-emergence of Shamoon on BleepingComputer.

Highly Active MuddyWater Hackers Hit 30 Organizations in 2 Months

The cyberespionage group referred to as MuddyWater has hit over 130 victims in 30 organizations from late September to mid-November, Symantec security researchers said in a report. Highly active over the past several months, MuddyWater was first detailed in 2017. Numerous attacks were linked to the group this year, when security researchers also noticed that the actor expanded its target list.

In late November, Trend Micro found a new PowerShell-based backdoor strikingly similar to malware employed by MuddyWater. Symantec too has noticed the new backdoor, and has named it Powemuddy. The threat actor, which Symantec refers to as Seedworm, has been focused on gathering intelligence on targets in the Middle East, Europe and North America.

Read more about the MuddyWater campaign on SecurityWeek.

Old-School Bagle Worm Spotted in Modern Spam Campaigns

Fresh mass-email campaigns spreading the long-running Bagle worm have recently been spotted, affecting Microsoft Windows machines. These appear to be a throwback to an earlier time. Also referred to as Beagle, Bagel contains a backdoor that listens on TCP port 6777 which is hardcoded in the worm’s body. This backdoor component provides remote access to the infected computer and can be used to download and execute other malware.

The bad code was first seen in January 2004, and since then has morphed to spawn plenty of different variants. The latest campaigns are going old-school, according to researchers at Comodo. They involve the use of the very first two variants of the worm, Bagle.A and Bagel.B.

Read more about the spam campaigns relying on old worms on Threatpost.

Satan Ransomware Variant Exploits 10 Server-Side Flaws

A new version of ransomware that first surfaced about two years ago is garnering attention for its ability to spread via as many as ten different vulnerabilities in Windows and Linux server platforms.

“Lucky,” as the new malware is called, is a variant of Satan, a data encryption tool that first became available via a ransomware-as-a-service offering in January 2017. Like Satan, Lucky also is worm-like in behavior and capable of spreading on its own with no human interaction at all. Security vendor NSFocus spotted the variant on systems belonging to some of its financial services customers in late November, and described it as likely to cause extensive infections worldwide.

Read more about Lucky ransomware on DarkReading.

A botnet of over 20,000 WordPress sites is attacking other WordPress sites

Crooks controlling a network of over 20,000 already-infected WordPress installations are using these sites to launch attacks on other WordPress sites, ZDNet has learned from WordPress security firm Defiant.

The company, which manages and publishes the Wordfence plugin, a firewall system for WordPress sites, says it detected over five million login attempts in the last month from already-infected sites against other, clean WordPress portals. The attacks are what security experts call “dictionary attacks.”

Read more about the WordPress attack campaign on ZDNet.

Russian Hackers Have Just Shown Their First Sign Of Interest In Brexit

A groups of hackers believed by American intelligence to be controlled by a Russian spy agency has launched its first attacks with Brexit as a focus.

Known as Fancy Bear, the hackers have previously stolen files from the Democratic National Committee in the U.S. They often use recent events, like the October crash of a Lion Air 737 MAX plane off the coast of Indonesia, as lures for malicious documents that, when opened, infect the target computer. But the interest in Brexit is a first for the prolific Russian crew, also known as APT28 and Sofacy. That’s according to a former FBI official, Howard Marshall, who now heads up cybersecurity intelligence at Accenture.

Read more about the new Brexit-themed campaign by Fancy Bear on Forbes.