Lucian Constantin

Author Archives: Lucian Constantin

Machine learning could help companies react faster to ransomware

File-encrypting ransomware programs have become one of the biggest threats to corporate networks worldwide and are constantly evolving by adding increasingly sophisticated detection-evasion and propagation techniques. In a world where any self-respecting malware author makes sure that his creations bypass antivirus detection before releasing them, enterprise security teams are forced to focus on improving their response times to infections rather than trying to prevent them all, which is likely to be a losing game. Exabeam, a provider of user and entity behavior analytics, believes that machine-learning algorithms can significantly improve ransomware detection and reaction time, preventing such programs from spreading inside the network and affecting a larger number of systems.

Industrial control systems vendors get careless about domain squatting

Many companies protect their brands by registering domain names that are slight variations on their own, but manufacturers of industrial control systems don't seem to have followed suit, potentially leaving customers open to attack. Researchers from security consultancy Digital Bond have found 433 so-called "squat" domains whose names are similar to those of 11 industrial manufacturers, and which have been registered by unknown third parties. Some of the domains have been hosting scams, malicious redirects and malware. Attackers engage in domain squatting for various reasons: to host phishing pages in order to steal credentials, direct accidental visitors to malware, profit from the brand's popularity by displaying ads, or sell the domain to the brand owner for a large fee.

When you isolate your industrial control systems don’t forget about DNS

Many organizations that run industrial control systems strive to isolate them from the Internet, but sometimes forget to disallow Domain Name System (DNS) traffic, which provides a stealthy way for malware to exfiltrate data. Sometimes referred to as supervisory control and data acquisition (SCADA) systems, industrial control systems (ICS) are notoriously insecure. Not only is their firmware full of flaws, but the communication protocols many of them use lack authentication or encryption. Since most ICS are typically meant to last over a decade once deployed, they're not easily replaceable without considerable costs. As such, ICS operators tend to focus on securing the perimeter around control systems instead of patching the devices themselves, which is not always possible. This is done by isolating ICS environments from corporate networks and the larger Internet, an action sometimes referred to as airgapping.

Check your BITS, because deleting malware might not be enough

Attackers are abusing the Windows Background Intelligent Transfer Service (BITS) to re-infect computers with malware after they've already been cleaned by antivirus products. The technique was observed in the wild last month by researchers from SecureWorks while responding to a malware incident for a customer. The antivirus software installed on a compromised computer detected and removed a malware program, but the computer was still showing signs of malicious activity at the network level. Upon further investigation, the researchers found two rogue jobs registered in BITS, a Windows service that's used by the OS and other apps to download updates or transfer files. The two malicious jobs periodically downloaded and attempted to reinstall the deleted malware.

Massive DDoS attacks reach record levels as botnets make them cheaper to launch

There were 19 distributed denial-of-service (DDoS) attacks that exceeded 100 Gbps during the first three months of the year, almost four times more than in the previous quarter. Even more concerning is that these mega attacks, which few companies can withstand on their own, were launched using so-called booter or stresser botnets that are common and cheap to rent. This means that more criminals can now afford to launch such crippling attacks. "In the past, very few attacks generated with booter/stresser tools exceeded the 100 Gbps mark," researchers from Akamai said in the company's State of the Internet security report for the first quarter of 2016 that was released Tuesday.

Android gets patches for serious flaws in hardware drivers and media server

The June batch of Android security patches addresses nearly two dozen vulnerabilities in system drivers for various hardware components from several chipset makers. The largest number of critical and high severity flaws were patched in the Qualcomm video driver, sound driver, GPU driver, Wi-Fi driver, and camera driver. Some of these privilege escalation vulnerabilities could allow malicious applications to execute malicious code in the kernel, leading to a permanent device compromise. Similar high-risk flaws were fixed in the Broadcom Wi-Fi driver, NVIDIA camera driver, and MediaTek power management driver. These vulnerabilities can give regular applications access to privileges or system settings that they shouldn't have. In some cases, the flaws allow kernel code execution, but only if the attacker compromises a different service first to communicate with the vulnerable driver.

Widespread exploits evade protections enforced by Microsoft EMET

It's bad news for businesses. Hackers have launched large-scale attacks that are capable of bypassing the security protections added by Microsoft's Enhanced Mitigation Experience Toolkit (EMET), a tool whose goal is to stop software exploits. Security researchers from FireEye have observed Silverlight and Flash Player exploits designed to evade EMET mitigations such as Data Execution Prevention (DEP), Export Address Table Access Filtering (EAF) and Export Address Table Access Filtering Plus (EAF+). The exploits have recently been added to the Angler exploit kit. Angler is one of the attack tools most widely used by cybercriminals to launch Web-based, "drive-by" download attacks. It is capable of installing malware by exploiting vulnerabilities in users' browsers or browser plug-ins when they visit compromised websites or view maliciously crafted ads.

Hackers breach social media accounts of Mark Zuckerberg and other celebrities

Over the weekend hackers managed to access Facebook founder Mark Zuckerberg's Twitter and Pinterest accounts, as well as the social media accounts of other celebrities. Someone posted to Zuckerberg's Twitter feed on Sunday, claiming to have found his password in account information leaked from LinkedIn. A group calling itself the OurMine Team took credit for breaking into Zuckerberg's Twitter, Pinterest and Instagram accounts, but there's no evidence that the Instagram account has been breached. "You were in LinkedIn Database with password 'dadada'," read a message supposedly posted by hackers from Zuckerberg's @finkd Twitter account.

A new WordPress plug-in exploit endangers thousands of websites

Over the past few days, attackers have been exploiting an unpatched vulnerability in WP Mobile Detector, a WordPress plug-in installed on over 10,000 websites. The plug-in's developer fixed the flaw Tuesday in version 3.6, but in addition to updating immediately, users should also check whether their websites have already been hacked. The vulnerability is located in a script called resize.php and allows remote attackers to upload arbitrary files to the Web server. These files can be backdoor scripts known as Web shells that provide attackers with backdoor access to the server and the ability to inject code into legitimate pages. The flaw was discovered by WordPress security outfit PluginVulnerabilities.com after it observed requests for wp-content/plugins/wp-mobile-detector/resize.php even though that file didn't exist on its server. This indicated that someone was running an automated scan for that specific file, likely because it had a flaw.

Mysterious malware targets industrial control systems, borrows Stuxnet techniques

Researchers have found a malware program that was designed to manipulate supervisory control and data acquisition (SCADA) systems in order to hide the real readings from industrial processes. The same technique was used by the Stuxnet sabotage malware allegedly created by the U.S. and Israel to disrupt Iran's nuclear program and credited with destroying a large number of the country's uranium enrichment centrifuges. The new malware was discovered in the second half of last year by researchers from security firm FireEye, not in an active attack, but in the VirusTotal database. VirusTotal is a Google-owned website where users can submit suspicious files to be scanned by antivirus engines.

Extortion schemes expand, threatening consumers and businesses with data leaks

Ransomware authors are not the only cybercriminals who use extortion tactics to make money from users and companies. Data thieves are also increasingly resorting to intimidation. The FBI's Internet Crime Complaint Center (IC3) has received many reports from users whose data was stolen in various high-profile breaches and who then received emails threatening to publicly disclose their personal information, including phone numbers, home addresses and credit card information. The ransom amount asked by the extortionists ranged from 2 to 5 bitcoins, or approximately $250 to $1,200, IC3 said in an advisory Wednesday.
