Arts and Culture
More from Google
Add by RSS Feed
Get the Android app
Get the iOS app
Every Saturday, we sit down with cybersecurity researchers to talk shop about the latest threats, vulnerabilities, and technical discoveries.
6 days ago
Encore: Using global events as lures for malicious activity.
The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here: Adversarial use of current events as lures
Nov 21, 2020
Misconfigured identity and access management (IAM) is much more widespread.
Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations. During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization. Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi. The research can be found here: Highlights from the Unit 42 Cloud Threat Report, 2H 2020
Nov 14, 2020
That first CVE was a fun find, for sure.
In the late 90s, hackers who discovered vulnerabilities would sometimes send an email to Bugtraq with details. Bugtraq was a notification system used by people with an interest in network security. It was also a place that might have been monitored by employees of software companies looking for reports of vulnerabilities pertaining to their software. The problem was - there wasn't an easy way to track specific vulnerabilities in specific products. It was May 1999. Larry Cashdollar was working as a system administrator for Bath Iron Works under contract by Computer Sciences Corporation. Specifically, he was a UNIX Systems Administrator, level one. His team managed over 3,000 UNIX systems across BIW's campuses. Most of these were CAD systems used for designing AEGIS class destroyers. This position gave me access to over 3,000 various flavors of UNIX ranging from Sun Solaris to IBM AIX. Joining us in this week's Research Saturday to discuss his journey from finding that first CVE through the next 20 years and hundreds of CVEs is Akamai Senior Response Engineer Larry Cashdollar. The research can be found here: MUSIC TO HACK TO: MY FIRST CVE AND 20 YEARS OF VULNERABILITY RESEARCH
Nov 7, 2020
PoetRAT: a complete lack of operational security.
Cisco Talos discovered PoetRAT earlier this year. Since then, they observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. They currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments. Joining us in this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams. The research can be found here: PoetRAT: Malware targeting public and private sector in Azerbaijan evolves
Oct 31, 2020
Leveraging for a bigger objective.
The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large. The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly. Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio. The research can be found here: APT41: Indictments Put Chinese Espionage Group in the Spotlight
Oct 30, 2020
The Malware Mash!
Oct 24, 2020
Just saying there are attacks is not enough.
Ben-Gurion University researchers have developed a new artificial intelligence technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as radiation overexposure, manipulation of device components or functional manipulation of medical images. Threats can occur due to cyberattacks, human errors such as a technician's configuration mistake or host PC software bugs. As part of his Ph.D. research, Tom Mahler has developed a technique using artificial intelligence that analyzes the instructions sent from the PC to the physical components using a new architecture for the detection of anomalous instructions. Joining us in this week's Research Saturday to discuss his research is CBG - Cyber@Ben Gurion University's Tom Mahler. The research can be found here: A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions
Oct 17, 2020
Intentionally not drawing attention.
Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts. While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity. Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender. The research can be found here: APT Hackers for Hire Used for Industrial Espionage
Oct 10, 2020
It's still possible to find ways to break out.
Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here: Escaping Virtualized Containers
Oct 3, 2020
Smaug: Ransomware-as-a-service drag(s)on.
Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims. Joining us in this week's Research Saturday to discuss the research is Anomali's Joakim Kennedy and Rory Gould. The research can be found here: Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service
Sep 26, 2020
What came first, the Golden Chickens or more_eggs?
Throughout March and April, QuoIntelligence (QuoINT) observed four attacks (i.e. sightings) utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio – they recently declassified their findings, after first notifying their clients. Further, during their analysis of the sightings, QuoIntelligence confirmed the GC MaaS Operator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio. Joining us in this week's Research Saturday to discuss the research is QuoIntelligence's Vice President of Threat Intelligence, Chaz Hobson. The research can be found here: Latest Golden Chickens MaaS Tools Updates and Observed Attacks
Sep 19, 2020
Election 2020: What to expect when we are electing.
After the 2016 General Election, the talk was all around foreign meddling. Rumors swirled that some votes may have been changed or influenced by state-sponsored actors. Sanctions and accusations followed. Four years later, is the U.S. any more prepared to protect the results of its largest elections? More than you may realize. Talos researchers take a deep dive into election security after spending the past four years talking to local, state and national officials, performing their own independent research and even watching one state plan an election in real-time. Joining us in this week's Research Saturday to discuss the report on this timely topic is Cisco Talos' Matt Olney. The research can be found here: What to expect when you’re electing: Talos’ 2020 election security primer.
Sep 12, 2020
Leveraging legitimate tools.
Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec. The research can be found here: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Sep 5, 2020
Going after the most valuable data.
A look at the realities of ransomware from Sophos, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files. A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019. The research also breaks down the five early warning signs organizations are about to be attacked by ransomware and why ransomware attacks continue to occur. Joining us on this week's Research Saturday to walk us through the research and share their findings is Sophos' Principal Research Scientist Chet Wisniewski and EVP & Chief Product Officer Dan Schiappa. The media alert and research articles can be found here: Media Alert: Sophos Reports on the Realities of Ransomware WastedL…
Aug 29, 2020
They fooled a lot of people.
Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. Palo Alto Networks' Unit 42 researchers identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency, Monero. The images hosted on this account have been collectively pulled more than two million times. Additionally, when last checked minexmr.com for this wallet ID, Palo Alto's team saw recent activity indicating that it’s still being used. Joining us on this week's Research Saturday is Jen Miller-Osborn from Palo Alto Networks' Unit 42 group to share the research and findings. The resea…
Aug 22, 2020
Using global events as lures.
The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Ta…
Aug 15, 2020
Waiting for their victims.
Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. Joining us on this week's Research Saturday to discuss the research is Bitdefender's Liviu Arsene. You can find the research here: StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
Aug 8, 2020
Like anything these days, you have to disinfect it first.
“Cyberbunker” refers to a criminal group that operated a “bulletproof” hosting facility out of an actual military bunker. “Bullet Proof” hosting usually refers to hosting locations in countries with little or corrupt law enforcement, making shutting down criminal activity difficult. Cyberbunker, which is also known as “ZYZtm” and “Calibour”, was a bit different in that it actually operated out of a bulletproof bunker. In September of last year, German police raided this actual Cyberbunker and arrested several suspects. While most of the group's assets were seized during the initial raid, the IP address space remained and was later sold to Legaco Networks. Before being shut down, Legaco Networks temporarily redirected the traffic to the SANS Internet Storm Center honeypots for examination. Joining us on this week's Research Saturday from SANS Technology Institute is graduate student Karim Lalji and Dean of Research Johannes Ullrich to discuss their experiences. The…
Aug 1, 2020
Detecting Twitter bots in real time.
NortonLifeLock Research Group (NRG) released a prototype browser extension called BotSight that leverages machine learning to detect Twitter bots in real-time. The tool is intended to help users understand the prevalence of bots and disinformation campaigns within their Twitter feeds, particularly with the increase in disinformation of COVID-19. Joining us on this week's Research Saturday to discuss this tool is Daniel Kats from NortonLifeLock Research Group. You can find the research here: Introducing BotSight
Jul 25, 2020
It was only a matter of time.
On April 29, 2020, the Salt management framework, authored by the IT automation company SaltStack, received a patch concerning two CVEs; CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory-traversal vulnerability. On April 30, 2020, researchers at F-Secure disclosed their vulnerability findings to the public, with an urgent warning for Salt users - patch now. Before the weekend was out, criminals were deploying malware and targeting vulnerable Salt installations, successfully affecting operations at Ghost, DigiCert, and LineageOS. The malware is a cryptominer, but there is an additional component, a Remote Access Tool written in Go called nspps. Researchers at Akamai have also observed in-the-wild attacks on Salt vulnerabilities. Joining us on this week's Research Saturday is Larry Cashdollar, Senior Security Response Engineer at Akamai, to discuss this issue. The research can be found here: SaltStack Vulnerabilities Actively Exploited in the…
Jul 18, 2020
Every time we get smarter, the bad guy changes something.
Researchers at Symantec identified and alerted customers to a string of attacks against U.S. companies by attackers attempting to deploy the WastedLocker ransomware (Ransom.WastedLocker) on their networks. The end goal of these attacks is to cripple the victim’s IT infrastructure by encrypting most of their computers and servers in order to demand a multimillion dollar ransom. At least 31 Symantec customer organizations have been attacked, meaning the total number of attacks may be much higher. The attackers had breached the networks of targeted organizations and were in the process of laying the groundwork for staging ransomware attacks. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec. The research can be found here: WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations
Jul 11, 2020
Are you running what you think you're running?
Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly. As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques. Joining us on this week's Research Saturday is Maggie Jauregui, security researcher at Dell, to discuss this issue. The research can be found here: Three firmware blind spots impacting security
Jun 27, 2020
Enter the RAT.
A new report examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade. The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative. Joining us in this week's Research Saturday to discuss the report is Eric Cornelius of Blackberry. The research can be found here: Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android
Jun 20, 2020
Click here to update your webhook.
Slack is a cloud-based messaging platform that is commonly used in workplace communications. Slack Incoming Webhooks allow you to post messages from your applications to Slack. Generally, Slack webhooks are considered a low risk integration. A deeper dive into webhooks shows that this is not entirely accurate. Joining us in this week's Research Saturday is Ashley Graves from AT&T Cybersecurity's Alien Labs to discuss her research. The research can be found here: Slack phishing attacks using webhooks
Jun 13, 2020
The value of the why and the who.
Proactive, efficient threat mitigation and risk management require understanding adversaries’ fundamental thought processes, not just their tools and methods. Cyber threat intelligence analysts combed through 15 years (2004 to 2019) of public sources that have documented the activities of one prolific threat actor, Russia’s military intelligence agency, the GRU. Analysis shows that the timing, targets, and impacts of this activity mirrored Russian strategic concerns about specific events and developments. Joining us in this week's Research Saturday are Brad Stone & Nate Beach-Westmoreland from Booz Allen Hamilton to discuss their report and some of the 33 case studies presented in it. The research can be found here: Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations
Jun 6, 2020
Due diligence cannot be done as a one-off.
Earlier this year, a Virgin Media database containing the personal details of 900,000 people was discovered to be unsecured and accessible online for 10 months. The breach was discovered by researchers at the security firm TurgenSec. This breach had major implications under GDPR. Joining us in this week's Research Saturday are George Punter and Peter Hansen from TurgenSec to talk about the discovery of the breach. The research can be found here: Virgin Media Disclosure Statement & Resources
May 30, 2020
Twofold snooping venture.
Working with many different honeypot implementations, a security researcher did an experiment expanding on that setting up a simple docker image with SSH, running a guessable root password. The catch? What happened in the next 24 hours was unexpected. Joining us in this week's Research Saturday to talk about his experiment is Larry Cashdollar of Akamai. The research can be found here: A Brief History of a Rootable Docker Image
May 23, 2020
Naming and shaming is the worst thing we can do.
In December 2019, the GOLD VILLAGE threat group that operates the Maze ransomware created a public website to name and shame victims. The threat actors used the website to dump data they exfiltrated from victims' networks before they deployed the ransomware. Secureworks Counter Threat Unit (CTU) researchers have observed several ransomware operators following suit. Joining us in this week's Research Saturday is Alex Tilley of SecureWorks' Counter Threat Unit.
May 16, 2020
Gangnam Industrial Style APT campaign targets South Korea.
Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea. CyberX has identified more than 200 compromised systems from this campaign, including one belonging to a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment such as heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction. Joining us in this week's Research Saturday is Phil Neray, one of the authors of this report. The research can be found here: Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies
May 9, 2020
The U.S. campaign trail is actually quite secure.
Multiple media reports have indicated that the United States’ (U.S.) 2020 general election could be targeted by foreign and domestic actors after the successful cyber and misinformation attacks during the 2016 general election. The responsibility of secure and ethical online campaigning has become a central issue in the 2020 election. In some cases, it has become part of candidate platforms. Joining us in this week's Research Saturday is Paul Gagliardi from Security Scorecard, discussing their recent report detailing the cybersecurity of the 2020 Presidential race. The research can be found here: 2020 Democratic Presidential Candidates Get Smart to Cybersecurity Report
May 2, 2020
Fingerprint authentication is not completely secure.
Passwords are the traditional authentication methods for computers and networks. But passwords can be stolen. Biometric authentication seems the perfect solution for that problem. Our guest today is Craig Williams, director of Talos outreach at Cisco. He'll be discussing and providing insights into their report which shows that fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication. The research can be found here: Fingerprint cloning: Myth or reality?
Apr 25, 2020
Contact tracing as COVID-19 aid.
Successful containment of the Coronavirus pandemic rests on the ability to quickly and reliably identify those who have been in close proximity to a contagious individual. Mayank Varia from Boston University describes how his team suggests an approach based on using short-range communication mechanisms, like Bluetooth, that are available in all modern cell phones. The research can be found here: Anonymous Collocation Discovery: Harnessing Privacy to Tame the Coronavirus
Apr 18, 2020
How low can they go? A spike in Coronavirus phishing.
As much of the world grapples with the new coronavirus, COVID-19, and how to handle it, attackers are taking advantage of the widespread discussion of COVID-19 in emails and across the web. Joining us today is Fleming Shi, CTO of Barracuda discussing their report on these types of attacks, which are up 667-percent since the end of February. The research can be found here: Threat Spotlight: Coronavirus-Related Phishing To learn more about our Academic and Military discounts, visit The CyberWire and click on the Contact Us button in the Academic or Government & Military box.
Apr 11, 2020
Profiling an audacious Nigerian cybercriminal.
By day, he is Dton, an upstanding Nigerian citizen. He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. But by night, he is Bill Henry, Cybercriminal Entrepreneur. We sat down with a researcher at CheckPoint for the inside scoop into this fascinating, brazen individual. The research can be found here: The Inside Scoop on a Six-Figure Nigerian Fraud Campaign
Apr 4, 2020
A rough year ahead for ransomware attacks - and how to stop them.
2020 is shaping up to be a rough year. Ransomware attacks will continue to grow as cybercriminals get more sophisticated in their methods and expand their reach. Allan Liska, Senior Analyst at Recorded Future, shares their findings and predictions in a new report. The research can be found here: 5 Ransomware Trends to Watch in 2020
Mar 28, 2020
Hidden dangers inside Windows and LINUX computers.
Eclypsium has issued a study that suggests the prevalence of “unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers.” Here to discuss their findings is Rick Altherr, a Principle Engineer at Eclypsium. The research can be found here: Perilous Peripherals: The Hidden Dangers Inside Windows and LINUX Computers.
Mar 21, 2020
The security implications of cloud infrastructure in IoT.
Cloud computing is now at the center of nearly every business strategy. But, as with the rapid adoption of any new technology, growing pains persist. The key findings in these reports shed light on security missteps that are actually in practice by organizations across the globe. Joining us in this special Research Saturday are Palo Alto Network's Matthew Chiodi and Ryan Olson. They discuss their findings in two different threat reports. The research can be found here: Cloud Threat Report IoT Threat Report
Mar 14, 2020
TLS is here to stay.
As websites and apps more widely adopt TLS (Transport Layer Security) and communicate over HTTPS connections, unencrypted traffic may draw even more attention, since it’s easier for analysts and security tools to identify malicious communication patterns in those plain HTTP sessions. Malware authors know this, and they’ve made it a priority to adopt TLS and thereby obfuscate the contents of malicious communication. Joining us on this week's Research Saturday is Chester Wisniewski from SophosLabs discussing their research on the subject. The research can be found here: Nearly a quarter of malware now communicates using TLS
Mar 7, 2020
Overworked developers write vulnerable software.
Why do some developers and development teams write more secure code than others? Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. Understanding the human factors that influence the introduction of software vulnerabilities, and acting on that knowledge, is a definitive way to shift security to the left. On this Research Saturday, our conversation with Anita D’Amico from CodeDX on which developers and teams are more likely to write vulnerable software. The research can be found here: Which Developers and Teams Are More Likely to Write Vulnerable Software?
Feb 29, 2020
Application tracking in Wacom tablets.
Today's Research Saturday features our conversation with Robert Heaton, a software engineer with Stripe who penned a blog post about his disappointing discovery involving his Wacom tablet tracking his applications. The post struck a nerve and has since been widely distributed. The research can be found here: Wacom drawing tablets track the name of every application that you open
Feb 22, 2020
New vulnerabilities in PC sound cards.
SafeBreach Labs discovered a new vulnerability in the Realtek HD Audio Driver Package, which is deployed on PCs containing Realtek sound cards. On this week's Research Saturday, our conversation with Itzik Kotler, who is Co-Founder and CTO at SafeBreach. The research can be found here: Realtek HD Audio Driver Package - DLL Preloading and Potential Abuses
Feb 15, 2020
If you can't detect it, you can't steal it.
BGN Technologies, the technology transfer company of Ben-Gurion University (BGU) of the Negev, Israel, is introducing the first all-optical “stealth” encryption technology that will be significantly more secure and private for highly-sensitive cloud computing and data center network transmission. Joining us in this special Research Saturday is BGN's Dan Sadot who helped pioneer this technology. The Research can be found here: Ben-Gurion University Researchers Introduce the FirstAll-Optical, Stealth Data Encryption Technology
Feb 8, 2020
The Chameleon attacks Online Social Networks.
The Chameleon attack technique is a new type of OSN-based trickery where malicious posts and profiles change the way they are displayed to OSN users to conceal themselves before the attack or avoid detection. Joining us to discuss their findings in a new report entitled "The Chameleon Attack: Manipulating Content Display in Online Social Media" is Ben-Gurion University's Rami Puzis. The research can be found here: The Chameleon Attack: Manipulating Content Display in Online Social Media Demonstration video of a Chameleon Attack
Feb 1, 2020
Tracking one of China's hidden hacking groups.
Operation Wocao (我操, “Wǒ cāo”, is a Chinese curse word) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. We are joined by Fox-IT's Maarten van Dantzig who shares his insights into their new report entitled "Operation Wocao: Shining a light on one of China’s hidden hacking groups". The Research can be found here: Operation Wocao: Shining a light on one of China’s hidden hacking groups
Jan 25, 2020
Know Thine Enemy - Identifying North American Cyber Threats.
The electric utility industry is a valuable target for adversaries seeking to exploit industrial control systems (ICS) and operations technology (OT) for a variety of purposes. As adversaries and their sponsors invest more effort and money into obtaining effects-focused capabilities, the risk of a disruptive or destructive attack on the electric sector significantly increases. Selena Larson from Dragos joins us to discuss their new report North American Electric Cyber Threat Perspective. The report can be found here: North American Electric Cyber Threat Perspective
Jan 18, 2020
Clever breaches demonstrate IoT security gaps.
Some of our favorite and most trusted IoT devices help make us feel secure in our homes. From garage door openers to the locks on our front doors, we trust these devices to recognize and alert us when people are entering our home. It should come as no surprise that these too are subject to attack. Steve Povolny is head of advanced research at McAfee; we discuss a pair of research projects they recently published involving popular IoT devices. The research can be found here: McAfee Advanced Threat Research demo McLear NFC Ring McAfee Advanced Threat Research Demo Chamberlain MyQ
Jan 11, 2020
Profiling the Linken Sphere anti-detection browser.
Multiple e-commerce and financial organizations around the world are targeted by cybercriminals attempting to bypass or disable their security mechanisms, in some cases by using tools that imitate the activities of legitimate users. Linken Sphere, an anti-detection browser, is one of the most popular tools of this kind at the moment. Staffan Truvé is the CTO and Co-Founder of Recorded Future, he joins us to discuss their new report on the browser. The research can be found here: Profiling the Linken Sphere Anti-Detection Browser
Jan 2, 2020
A Jira vulnerability that’s leaking data in the public cloud.
Unit 42 (the Palo Alto Networks threat intelligence team) released new research on a Jira vulnerability that’s leaking data of technology, industrial and media organizations in the public cloud. The vulnerability (a Server Side Request Forgery -- SSRF) is the same type that led to the Capital One data breach in July 2019. Jen Miller-Osborn is the Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks, and she joins us to share their findings. The research can be found here: https://unit42.paloaltonetworks.com/server-side-request-forgery-exposes-data-of-technology-industrial-and-media-organizations/
Dec 21, 2019
Inside Magecart and Genesis.
Dan Woods is VP of the intelligence center and Shape Security. He shares insights on two noteworthy attacks tools, Genesis and Magecart. Before joining Shape Security Dan served as assistant chief agent of special investigations at the Arizona attorney general's office, where he investigated complex fraud. Prior to that, he spent 20 years with federal law enforcement agencies and intelligence organizations, including the CIA and FBI, where he specialized in information operations and cybercrime.
Dec 14, 2019
WAV files carry malicious data payloads.
Researchers at BlackBerry Cylance have been tracking ordinary WAV audio files being used to carry hidden malicious data used by threat actors. Eric Milam is VP of threat research and intelligence at BlackBerry Cylance, and he joins us to share their findings. The research can be found here: https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html
Dec 7, 2019
Targeting routers to hit gaming servers.
Researchers at Palo Alto Networks' Unit 42 recently published research outlining attacks on home and small-business routers, taking advantage of known vulnerabilities to make the routers parts of botnets, ultimately used to attack gaming servers. Jen Miller-Osborn is the Deputy Director of Threat Intelligence for Unit 42 at Palo Alto Networks. She joins us to share their findings. The research can be found here: https://unit42.paloaltonetworks.com/home-small-office-wireless-routers-exploited-to-attack-gaming-servers/
Nov 23, 2019
Mustang Panda leverages Windows shortcut files.
Researchers at Anomali have been tracking China-based threat group, Mustang Panda, believing them to be responsible for attacks making clever use of Windows shortcut files. Parthiban is a researcher at Anomali, and he joins us to share their findings. The research is here: https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
Nov 16, 2019
Sodinokibi aka REvil connections to GandCrab.
Researchers at McAfee's Advanced Threat Research Team have been analyzing Sodinokibi ransomware as a service, also known as REvil. John Fokker is head of cyber investigations for McAfee Advanced Threat Research, and he joins us to share their findings. The research is here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
Nov 9, 2019
Monitoring the growing sophistication of PKPLUG.
Researchers from Palo Alto Networks' Unit 42 have been tracking a Chinese cyber espionage group they've named PKPLUG. The group mainly targets victims in the Southeast Asia region. Ryan Olson is VP of threat intelligence at Palo Alto Networks, and he joins us to share their findings. The original research is here: https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
Nov 2, 2019
Usable security is a delicate balance.
Until recently, usability was often an afterthought when developing security tools. These days there's growing realization that usability is a fundamental part of security. Lorrie Cranor is director of the CyLab Usable Privacy and Security lab (CUPS) at Carnegie Mellon University. She shares the work she's been doing with her colleagues and students to improve security through usability. The research can be found here: https://www.cylab.cmu.edu/news/2019/07/29-usability-history.html
Oct 26, 2019
Masad Steals via Social Media.
Researchers at Juniper Networks have been tracking a trojan they call Masad Stealer, which uses the Telegram instant messaging platform for part it its command and control infrastructure. (Telegram wasn't hacked; it's the innocent conduit.) Mounir Hahad is head of Juniper Threat Labs at Juniper Networks and he joins us to share their findings The original research is here: https://forums.juniper.net/t5/Threat-Research/Masad-Stealer-Exfiltrating-using-Telegram/ba-p/468559
Oct 19, 2019
Hoping for SOHO security.
Researchers at Independent Security Evaluators (ISE) recently published a report titled SOHOpelessly Broken 2.0, Security Vulnerabilities in Network Accessible Services. This publication continues and expands previous work they did examining small office/home office (SOHO) routers, network-attached storage devices (NAS), and IP cameras. Shaun Mirani is a security analyst at ISE, and he joins us to share their findings. The original research is here: https://www.ise.io/whitepaper/sohopelessly-broken-2/
Oct 12, 2019
Decrypting ransomware for good.
Michael Gillespie is a programmer at Emsisoft, as well as a host of the popular ID Ransomware web site that helps victims identify what strain of ransomware they may have been infected with, and what decryptors may be available. He's written many decryptors himself, most recently for the Syrk strain of ransomware. Links to the research and Michael's work: https://blog.emsisoft.com/en/33885/emsisoft-releases-a-free-decryptor-for-the-syrk-ransomware/ https://id-ransomware.malwarehunterteam.com/ https://www.youtube.com/user/Demonslay335
Oct 5, 2019
The fuzzy boundaries of APT41.
Researchers at FireEye recently released a report detailing the activities of APT41, a Chinese cyber threat group notable for the range of tools they use, their origins in the world of video gaming, and their willingness to shift from seemingly state-sponsored activity to hacking for personal gain. Nalani Fraser and Fred Plan contributed to the report, and they join us to share their findings. The original research is here: https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html
Sep 28, 2019
Focusing on Autumn Aperture.
Researchers at Prevalion have been tracking a malware campaign making use of antiquated file formats and social engineering to target specific groups. Danny Adamitis and Elizabeth Wharton are coauthors of the report, and they join us to share their findings. The research can be found here: https://blog.prevailion.com/2019/09/autumn-aperture-report.html
Sep 21, 2019
Leaky guest networks and covert channels.
Many users of inexpensive internet routers use guest network functionality to help secure their home networks. Researchers at Ben Gurion University have discovered methods for defeating these security measures. Dr. Yossi Oren joins us to share their findings. The original research is here: https://www.usenix.org/system/files/woot19-paper_ovadia.pdf
Sep 14, 2019
Bluetooth blues: KNOB attack explained.
A team of researchers have published a report titled, "KNOB Attack. Key Negotiation of Bluetooth Attack: Breaking Bluetooth Security." The report outlines vulnerabilities in the Bluetooth standard, along with mitigations to prevent them. Daniele Antonioli is from Singapore University of Technology and Design, and is one of the researchers studying KNOB. He joins us to share their findings. The research can be found here: https://knobattack.com
Sep 7, 2019
VOIP phone system harbors decade-old vulnerability.
Researchers at McAfee's Advanced Threat Research Team recently published the results of their investigation into a popular VOIP system, where they discovered a well-know, decade-old vulnerability in open source software used on the platform. Steve Povolny serves as the Head of Advanced Threat Research at McAfee, and he joins us to share their findings. The original research can be found here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/avaya-deskphone-decade-old-vulnerability-found-in-phones-firmware/
Aug 31, 2019
Emotet's updated business model.
The Emotet malware came on the scene in 2014 as a banking trojan and has since evolved in sophistication and shifted its business model. Researchers at Bromium have taken a detailed look at Emotet, and malware analyst Alex Holland joins us to share their findings. The research can be found here: https://www.google.com/url?q=https://www.bromium.com/resource/emotet-a-technical-analysis-of-the-destructive-polymorphic-malware
Aug 24, 2019
Gift card bots evolve and adapt.
Researchers at Distil Networks have been tracking online bots targeting ecommerce gift card systems of major online retailers. The threat actors show remarkable resourcefulness and adaptability. Jonathan Butler is technical account team manager at Distil Networks, part of Imperva, and he joins to share their findings. The research can be found here: https://resources.distilnetworks.com/all-blog-posts/giftghostbot-attacks-ecommerce-gift-card-systems
Aug 17, 2019
Detecting dating profile fraud.
Researchers from King’s College London, University of Bristol, Boston University, and University of Melbourne recently collaborated to publish a report titled, "Automatically Dismantling Online Dating Fraud." The research outlines techniques to analyze and identify fraudulent online dating profiles with a high degree of accuracy. Professor Awais Rashid is one of the report's authors, and he joins us to share their findings. The original research can be found here: https://arxiv.org/pdf/1905.12593.pdf
Aug 10, 2019
Unpacking the Malvertising Ecosystem.
Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here: https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html
Aug 3, 2019
Package manager repository malware detection.
Researchers at Reversing Labs have been tracking malware hidden in software package manager repositories, and it's use as a supply chain attack vector. Robert Perica is a principal engineer at Reversing Labs, and he joins us to share their findings. The research can be found here: https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories
Jul 27, 2019
Day to day app fraud in the Google Play store.
Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they harvest user data and send it back to command and control servers. Marcelle Lee is a principal threat intel researcher at White Ops, and she shares their findings. The original research can be found here — https://www.whiteops.com/blog/another-day-another-fraudulent-app
Jul 20, 2019
Nansh0u not your normal cryptominer.
Researchers at Guardicore Labs have been tracking an unusual cryptominer that seems to be based in China and is targeting Windows MS-SQL and phpMyAdmin servers. Some elements of the exploit make use of sophisticated components previously associated with nation-state actors. Ophir Harpaz and Daniel Goldberg are members of the Guardicore Labs team, and they join us to explain their findings. The research can be found here - https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Jul 13, 2019
Opportunistic botnets round up vulnerable routers.
Researchers at Netscout's ASERT Team have been tracking the growth of botnets originating in Egypt and targeting routers in South Africa. The payload is a variant of the Hakai DDoS bot. Richard Hummel is threat intelligence manager at Netscout, and he joins us to share their findings. The original research is here: https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt
Jun 29, 2019
Giving everyone a stake in the success of Open Source implementation.
Synopsys recently published the 2019 edition of their Open Source Security and Risk Analysis (OSSRA) Report, providing an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. Tim Mackey is principal security strategist within the Synopsys Cyber Research Center, and he joins us to share their findings. The research can be found here: https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html
Jun 22, 2019
Middleboxes may be meddling with TLS connections.
Researchers at Cloudflare have been examining HTTPS interception, a technique that weakens security, and have developed tools to help detect it. Nick Sullivan is head of cryptography at Cloudflare, and he joins to us share their findings. The research can be found here: https://blog.cloudflare.com/monsters-in-the-middleboxes/
Jun 15, 2019
Apps on third-party Android store carry unwelcome code.
Researchers at Zscaler have been tracking look-alike apps in third-party Android app stores that carry malicious code. Deepen Desai is VP of security research and operations and Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan
Jun 8, 2019
Xwo scans for default credentials and exposed web services.
Researchers at AT&T Alien Labs have been tracking a new malware family they've named "Xwo" that's scanning systems for default credentials and vulnerable web services. Tom Hegel is security researcher with AT&T Alien Labs, and he share their findings. The original research is here: https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner
Jun 1, 2019
Blockchain bandits plunder weak wallets.
Adrian Bednarek is a senior research analyst at Independent Security Evaluators. He and his colleagues looked at weak private cryptocurrency keys on the Ethereum blockchain in an attempt to discover how and why they are being generated as well as how bad actors are taking advantage of them. The original research is here: https://www.securityevaluators.com/casestudies/ethercombing/
May 25, 2019
A fresh look at GOSSIPGIRL and the Supra Threat Actors.
Chronicle researchers Juan Andres Guerrero Saade and Silas Cutler recently published research tracking the development of the Stuxnet family of malware, which ultimately led them to the GOSSIPGIRL Supra Group of threat actors. Juan Andres Guerrero Saade joins us to share their findings. The research can be found here: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0
May 18, 2019
Elfin APT group targets Middle East energy sector.
Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT 33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States. Alan Neville is a principal threat intelligence analyst at Symantec, and he joins us to share their findings. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
May 11, 2019
Steganography enables sophisticated OceanLotus payloads.
Researchers at Blackberry Cylance have been tracking payload obfuscation techniques employed by OceanLotus (APT32), specifically steganography used to hide code within seemingly benign image files. Tom Bonner is director of threat research at Blackberry Cylance, and he joins us to share their findings. The original research can be found here: https://www.cylance.com/en-us/lp/threat-research-and-intelligence/oceanlotus-steganography-malware-analysis-white-paper-2019.html
May 4, 2019
Sea Turtle state-sponsored DNS hijacking.
Researchers at Cisco Talos have been tracking what they believe is a state-sponsored attack on DNS systems, targeting the Middle East and North Africa. This attack has the potential to erode trust and stability of the DNS system, so critical to the global economy. Craig Williams is director of Talos Outreach at Cisco, and he joins us to share their findings. The original research can be found here: https://blog.talosintelligence.com/2019/04/seaturtle.html
Apr 27, 2019
Deep Learning threatens 3D medical imaging integrity.
Researchers at Ben Gurion University in Israel have developed techniques to infiltrate medical imaging system networks and alter 3D medical scans within, fooling both human and automated examiners with a high rate of success. Yisroel Mirsky is a cybersecurity researcher and project manager at Ben Gurion University, and he joins us to share what his team discovered. The original research can be found here: https://arxiv.org/pdf/1901.03597.pdf A video demonstrating the exploit is here: https://youtu.be/_mkRAArj-x0
Apr 20, 2019
Undetectable vote manipulation in SwissPost e-voting system.
Researchers have discovered a number of vulnerabilities in the SwissPost e-vote system which could allow undetectable manipulation of votes. Dr Vanessa Teague is Associate Professor and Chair, Cybersecurity and Democracy Network at the Melbourne School of Engineering, University of Melbourne, Australia. She joins us to explain her team's findings. The original research is here: https://people.eng.unimelb.edu.au/vjteague/SwissVote
Apr 13, 2019
Establishing software root of trust unconditionally.
Researchers at Carnegie Mellon University's CyLab Security and Privacy Institute claim to have made an important breakthrough in establishing root of trust (RoT) to detect malware in computing devices. Virgil Gligor is one of the authors of the research, and he joins us to share their findings. Link to original research - https://www.ndss-symposium.org/ndss-paper/establishing-software-root-of-trust-unconditionally/
Apr 6, 2019
Lessons learned from Ukraine elections.
Joep Gommers from EclecticIQ joins us to share their research tracking the information operations and and security methods they've been tracking that Russians have been using in advance of the recently held elections in Ukraine. The research can be found here: https://www.eclecticiq.com/resources/fusion-center-report-situational-awareness-ukraine-elections
Mar 30, 2019
Alarming vulnerabilities in automotive security systems.
Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable or meddle with multiple vehicle systems. Ken Munro is a security researcher with Pen Test Partners, and he joins us to share their findings. The original research can be found here: https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/
Mar 23, 2019
Ryuk ransomware relationship revelations.
Investigators from McAfee's advanced threat research unit, working with partners at Coveware, have reevaluated hasty attributions of Ryuk ransomware to North Korea and have explored the inner workings of the threat. John Fokker is head of cyber investigations in McAfee's Advanced Threat research unit. He join us to share their findings. The original research can be found here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/
Mar 16, 2019
ThinkPHP exploit from Asia-Pacific region goes global.
Akamai's Larry Cashdollar joins us to describe an exploit he recently came across while researching MageCart incidents. It's a remote command execution vulnerability affecting ThinkPHP, a popular web framework. The original research can be found here: https://blogs.akamai.com/sitr/2019/01/thinkphp-exploit-actively-exploited-in-the-wild.html
Mar 9, 2019
Job-seeker exposes banking network to Lazurus Group.
Vitali Kremez is a Director of Research at Flashpoint. His team discovered that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to North Korea-linked group Lazarus. The intrusion represents the latest known example of Lazarus-affiliated tools being deployed within financially motivated activity targeted toward financial institutions in Latin America. The original research can be found here: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/
Mar 2, 2019
Fake Fortnite app scams infect gamers.
Researchers at Zscaler have been tracking a variety fake versions of the popular Fortnite game on the Google Play store, along with associated scams. Deepen Desai is head of security research at Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/fake-fortnite-apps-scamming-and-spying-android-gamers
Feb 23, 2019
Rosneft suspicions shift from espionage to business email compromise.
Researchers at security firm Cylance have been tracking a threat group targeting the Rosneft Russian oil company. As Cylance uncovered details, suspicions shifted from state-sponsored espionage to business email compromise. Kevin Livelli is director of threat intelligence at Cylance, and he joins us to share what they found. The original research can be found here: https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html
Feb 16, 2019
Seedworm digs Middle East intelligence.
Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Feb 9, 2019
Trends and tips for cloud security.
The team at Palo Alto Networks' Unit 42 recently published research tracking trends in how organizations are addressing cloud security, along with tips for improvement. Ryan Olson is VP of threat intelligence at Palo Alto Networks, and he joins us to share their findings. The original research can be found here: https://unit42.paloaltonetworks.com/unit-42-cloud-security-trends-tips/
Feb 2, 2019
Online underground markets in the Middle East.
Researchers at Trend Micro recently published their look inside online underground marketplaces in the Middle East and North Africa, where criminals are buying and selling malware, laundering money and event booking their next discount vacation. Jon Clay is director of global threat communications at Trend Micro, and he joins us with their findings. The original research can be found here: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cash-and-communication-new-trends-in-the-middle-east-and-north-africa-underground
Jan 26, 2019
Amplification bots and how to detect them.
Researchers from Duo Security have been analyzing the behavior of Twitter bots in a series of posts on their web site. Their most recent dive into the subject explores amplification bots, which boost the impact of tweets through likes and retweets. Jordan Wright is a principal R&D engineer at Duo Security, and he joins us to share their findings. Link to the original research - https://duo.com/labs/research/anatomy-of-twitter-bots-amplification-bots
Jan 19, 2019
Luring IoT botnets to the honeypot.
Researchers from Netscout's ASERT team have been making use of honeypots to gather information on rapidly evolving IoT botnets that take advantage of default usernames and passwords to gain access and take control of unprotected devices. Matt Bing is a security research analyst with Netscout, and he guides us through their findings. The original research can be found here: https://asert.arbornetworks.com/dipping-into-the-honeypot/
Jan 12, 2019
Magecart payment card theft analysis.
Researchers at RiskIQ have been tracking a series of web-based credit card skimmers known as Magecart. We take a closer look at attacks on Ticketmaster, British Airways, NewEgg and Shopper Approved payment card pages. Yonathan Klijnsma is lead of threat research at RiskIQ, and he guides us through what they've learned. Links to RiskIQ research: https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/ https://www.riskiq.com/blog/labs/magecart-british-airways-breach/ https://www.riskiq.com/blog/labs/magecart-newegg/ https://www.riskiq.com/blog/labs/magecart-shopper-approved/
Jan 5, 2019
NOKKI, Reaper and DOGCALL target Russians and Cambodians.
Researchers from Unit 42 at Palo Alto Networks have discovered an interesting relationship between the NOKKI and DOGCALL malware families, as well as a new RAT being used to deploy the malware. Jen Miller-Osborn is Deputy Director of Threat Intelligence with Unit 42, and she joins us to share their findings. The original research can be found here: https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
Dec 22, 2018
Apple Device Enrollment Program vulnerabilities explored.
Researchers at Duo Security have been looking into Apple's Device Enrollment Program (DEM) and have discovered vulnerabilities that could expose users of the service to potential issues from social engineering and rogue devices. James Barclay is Senior R&D Engineer at Duo Security, and he joins us to share what they've found. The original research can be found here: https://duo.com/blog/weak-apple-dep-authentication-leaves-enterprises-vulnerable-to-social-engineering-attacks-and-rogue-devices
Dec 15, 2018
The Sony hack and the perils of attribution.
Researchers at Risk Based Security took a detailed look back at the 2014 Sony hack, comparing analysis that occurred while the facts were still unfolding with what we know, today. There are interesting lessons to be learned, especially when it comes to attribution. Brian Martin is V.P. of vulnerability intelligence at Risk Based Security, and he shares their findings. The research can be found here: https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/
Dec 8, 2018
Operation Red Signature targets South Korean supply chain.
Researchers at Trend Micro uncovered a supply chain attack targeting organizations in South Korea. With the goal of information theft, attackers compromised the update server of a third party support provider, resulting in the installation of a RAT, or remote access trojan. Rik Ferguson is Vice President of Security Research at Trend Micro, and he guides us through their discoveries. The research can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/
Dec 1, 2018
Getting an education on Cobalt Dickens.
Researchers from Secureworks' Counter Threat Unit have been tracking a threat group spoofing login pages for universities. Evidence suggests the Iranian group Cobalt Dickens is likely responsible. Allison Wikoff is a senior researcher at Secureworks, and she joins us to share what they've found. The original research is here: https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
Nov 17, 2018
Doubling down on Cobalt Group activity.
The NETSCOUT Arbor ASERT team has been tracking Cobalt Group campaigns targeting financial institutions. Richard Hummel is manager of threat intelligence with ASERT, and he joins us to share his team's findings. The research can be found here: https://asert.arbornetworks.com/double-the-infection-double-the-fun/
Nov 10, 2018
Establishing international norms in cyberspace.
Joseph Nye is former dean of the Harvard Kennedy School of Government. He served as Chair of the National Intelligence Council, and as Assistant Secretary of Defense for International Security Affairs under President Clinton. He serves as a Commissioner for the Global Commission on Internet Governance, and is the author of over a dozen books, including, “Soft Power: The means to success in work politics,” and “The future of power.”
Nov 3, 2018
Symantec technical director Vikram Thakur returns to share his team's look at threat groups APT 28 and APT 29, the influence they had on the 2016 election, and how the cyber security industry has responded in preparation for the 2018 midterms. The original research can be found here: https://www.symantec.com/blogs/election-security/election-hacking-faq
Oct 27, 2018
Researchers at security firm Check Point Software Technologies explored the possibility of exploiting old, complex fax protocols to gain access to modern multifunction office printers, and then pivot to connected networks. Yaniv Balmas is head of security research at Check Point, and he joins us to share what he and his colleague Eyal Itkin discovered. The research can be found here: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
Oct 20, 2018
Stormy weather in the Office 365 cloud.
Security firm Lastline recently took a close look at threats to the Office 365 cloud environment, taking advantage of the insights they gain protecting their clients. Andy Norton is director of threat intelligence at Lastline, and he joins us to describe their findings. The research can be found here: https://www.lastline.com/blog/malspam-malscape-snapshot-malicious-activity-in-the-office-365-cloud/
Oct 13, 2018
Driving GPS manipulation.
Researchers at Virginia Tech investigate possible ways to manipulate GPS signals and send drivers to specific locations without their knowledge. Gang Wang is Assistant Professor of Computer Science at Virginia Tech, and he joins us to share his team's findings. The original research can be found here: https://people.cs.vt.edu/gangwang/sec18-gps.pdf
Oct 6, 2018
Cryptojacking criminal capers continue.
Researchers at Palo Alto Networks' Unit 42 have been tracking the rise of cryptocurrency mining operations run by criminal groups around the world. Ryan Olson is V.P. of threat intelligence at Palo Alto Networks, and he joins us to share what they've learned. The original research can be found here: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rise-cryptocurrency-miners/
Sep 29, 2018
Sophisticated FIN7 criminal group hits payment card data.
Researchers at security firm FireEye have been tracking malicious actors they call FIN7, a group which targets payment card data in the hospitality industry and elsewhere. They make use of targeted phishing campaigns, telephone vishing and even a convincing front company to do their deeds. Nick Carr and Barry Vengerick are coauthors of the research, along with their colleagues Kimberly Goody and Steve Miller. The research is titled On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. It can be found here: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
Sep 22, 2018
ICS honeypots attract sophisticated snoops.
Researchers at security firm Cybereason recently set up online honeypots to attract adversaries interested in industrial control system environments. It didn't take long for sophisticated attackers to sniff out the virtual honey and start snuffling around. Ross Rustici is senior director of intelligence services at Cybereason, and he joins us to share what they learned. The research is titled ICS Threat Broadens: Nation-state Hackers are no Longer the Only Game in Town. It can be found here: https://www.cybereason.com/blog/industrial-control-system-specialized-hackers
Sep 15, 2018
Android device eavesdropping investigation.
A team of researchers from Northeastern University and UC Santa Barbara examined over 17,000 Android apps, and revealed a number of alarming privacy risks. Elleen Pan and Christo Wilson were members of the research team, and they join us to share what they found. The research is titled Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications. It can be found here: https://recon.meddle.mobi/papers/panoptispy18pets.pdf
Sep 8, 2018
Leafminer espionage digs the Middle East.
Researchers at Symantec recently published their findings on an active attack group named Leafminer that's targeting government organizations and businesses in the Middle East region. Vikram Thakur is a technical director at Symantec, and he joins us to share what they've found. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
Sep 1, 2018
ATM hacks on the rise.
Threat researcher Marcelle Lee from LookingGlass Cyber Solutions joins us to share her research on the growing threat of ATM hacks in the U.S. The research can be found here: https://www.lookingglasscyber.com/blog/atm-hacking-you-dont-have-to-pay-to-play/
Aug 25, 2018
Cyber espionage coming from Chinese University.
Threat intelligence firm Recorded Future recently published research describing espionage activities originating from servers at a major Chinese university, coinciding with international economic development efforts. Winnona DeSombre and Sanil Chohan are authors of the report, Chinese Cyberespionage Originating from Tsinghua University Infrastructure, along with their colleague Justin Grosfelt. The research can be found here: https://www.recordedfuture.com/chinese-cyberespionage-operations/
Aug 18, 2018
Stealthy ad fraud campaign evades detection.
Researchers at Bitdefender have been tracking a bit of complex rootkit malware called Zacinlo that they suspect has been operating virtually undetected for over six years. Bogdan Botezatu is a senior cyber security analyst with Bitdefender, and he describes what they've found. Research link: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/
Aug 11, 2018
Thrip espionage group lives off the land.
Researchers at Symantec have been tracking a wide-ranging espionage operation that's targeting satellite, telecom and defense companies. Jon DiMaggio is a senior cyber intelligence analyst at Symantec, and he takes us through what they've discovered. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
Aug 4, 2018
Cortana voice assistant lets you in.
Researchers at McAfee recently discovered code execution vulnerabilities in the default settings of the Cortana voice-activated digital assistant in Windows 10 systems. Steve Povolny is head of advanced threat research at McAfee and he shares their findings. The research can be found here: https://securingtomorrow.mcafee.com/mcafee-labs/want-to-break-into-a-locked-windows-10-device-ask-cortana-cve-2018-8140
Jul 28, 2018
BabaYaga strangely symbiotic Wordpress malware.
Researchers at Defiant recently analyzed a malware family they named "BabaYaga," which has the curious behavior of clearing out other malware and keeping infected sites up to date. Brad Hass is a senior security analyst at Defiant, and he guides us through their findings. The research can be found here: https://www.wordfence.com/blog/2018/06/babayaga-wordpress-malware/
Jul 21, 2018
Measuring the spearphishing threat.
Researchers Gang Wang and Hang Hu from Virginia Tech recently conducted an end-to-end measurement on 35 popular email providers and examining user reactions to spoofing through a real-world spoofing/phishing test. Gang Wang joins us to share the sobering results. End-to-End Measurements of Email Spoofing Attacks https://people.cs.vt.edu/gangwang/usenix-draft.pdf
Jul 14, 2018
A new approach to mission critical systems.
Andy Bochman is senior grid strategist for Idaho National Lab’s National and Homeland Security directorate. Today we’re discussing the research the INL has been doing, developing new approaches to protecting mission critical systems.
Jul 7, 2018
No Distribute Scanners help sell malware.
Sellers of malware on Dark Web forums often use No Distribute malware scanning tools to help verify the effectiveness of their wares, while preventing legitimate virus scanning tools from adding the malware to their database. Daniel Hatheway is a Senior Security Analyst at Recorded Future, and he takes us through their recently published research, Uncover Unseen Malware Samples with No Distribute Scanners.
Jun 30, 2018
VPNFilter malware could brick devices worldwide.
Researchers from Cisco Talos continue to track malware they've named VPNFilter, a multi-stage infection with multiple capabilities, targeting consumer-grade routers. Craig Williams is head of Cisco Talos Outreach, and he joins us with the details.
Jun 23, 2018
LG smartphone keyboard vulnerabilities.
Researchers at Check Point Research recently discovered vulnerabilities in some LG smartphone keyboards, vulnerabilities that could have been used to remotely execute code with elevated privileges, act as a keylogger and thereby compromise the users’ privacy and authentication details.
Jun 16, 2018
Cyber bank heists.
Carbon Black's Chief Cybersecurity Officer Tom Kellerman shares the results of their recent report, Modern Bank Heists: Cyberattacks & Lateral Movement in the Financial Sector. For the report, they interviewed CISOs at 40 major financial institutions, revealing attack and mitigation trends.
Jun 9, 2018
Winnti Umbrella Chinese threat group.
Researchers from ProtectWise's 401TRG team recently published research linking a variety of new and previously reported Chinese cyber threat groups. Tom Hegel is a Senior Threat Researcher with the 401TRG, and he joins us to share their findings.
Jun 2, 2018
Islamic State propaganda persistence.
Researchers from Flashpoint recently explored ISIS' ability to distribute propaganda across the internet, and their use of major internet service providers to help them achieve persistence. Ken Wolf is a Senior Analyst at Flashpoint, and he describes what they learned.
May 26, 2018
UPnProxy infiltrates home routers.
Researchers at Akamai recently published a white paper titled UPnProxy: Blackhat proxies via NAT Injections. In it, they describe vulnerabilities with Universal Plug and Play capabilities in home routers, and how malicious actors could take advantage of them. Chad Seaman is a senior CERT engineer at Akamai, and he's our guide.
May 19, 2018
Threat actors hijack Lojack.
Researchers from Arbor Networks' ASERT Threat Intelligence Team recently published a report titled, "Lojack Becomes a Double Agent." It outlines how threat actors are altering legitimate recovery utility software and simulating its command and control servers to gain access to target machines. Richard Hummel is manager of the ASERT Threat Research Team, and he joins us to describe their work.
May 12, 2018
Three pillars of Artificial Intelligence.
Bobby Filar is a Principal Data Scientist at Endgame, and coauthor of the research paper, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation. The report surveys the landscape of potential security threats from malicious uses of AI, and proposes ways to better forecast, prevent, and mitigate these threats. Bobby Filar joins us to discuss the paper, and his views on the evolving role of AI in cybersecurity. The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation
May 5, 2018
BlackTDS and ThreadKit offered in criminal markets.
Kevin Epstein is Vice President of Proofpoint's Threat Operations Center. We’re discussing two bits of research with him today. The first is about BlackTDS, a traffic distribution tool for sale in dark web markets. A little later in the show, he’ll tell us about ThreadKit, a document exploit builder.
Apr 28, 2018
New MacOS backdoor linked to OceanLotus.
Researchers at Trend Micro recently discovered a backdoor targeting MacOS users that they believe is the work of the OceanLotus threat group, an organization previously thought to have launched targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. Mark Nunnikhoven is VP of Cloud Research at Trend Micro, and he explains what they've learned. https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
Apr 21, 2018
InnaputRAT exfiltrates victim data.
Researchers with Arbor Networks ASERT team have been tracking a malware campaign targeting commercial manufacturing, and have uncovered various samples dating back to at least 2016. Richard Hummel is Threat Intelligence Manager for Arbor Networks' ASERT Team, and he takes us through what they've discovered. https://www.arbornetworks.com/blog/asert/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/
Apr 14, 2018
Energetic Dragonfly and DYMALLOY Bear 2.0.
Researchers at Cylance recently uncovered the malicious use of a core router in a campaign aimed at critical infrastructure around the world. Kevin Levelli is Director of Threat Intelligence at Cylance, and he takes us through what they've discovered.
Apr 7, 2018
Crypto crumple zones.
In their recently published paper, "Crypto Crumple Zones: Enabling Limited Access Without Mass Surveillance," coauthors Charles Wright and Mayank Varia make their case for an alternative approach to the encryption debate, one based on economics as a limiting factor on government overreach and surveillance. Crypto Crumple Zones: Enabling Limited Access Without Mass Surveillance
Mar 31, 2018
FlawedAMMYY is a newly discovered remote access trojan (RAT) that’s been used in malicious email campaigns, as far back as 2016. Ryan Kalember is Senior Vice President of Cyber Security Strategy at Proofpoint, and he takes us through their research.
Mar 24, 2018
Code comments cause SAML conundrum.
Researchers at Duo Security recently unearthed a new vulnerability class that affects SAML-based single sign-on (SSO) systems. This vulnerability can allow an attacker with authenticated access to trick SAML systems into authenticating as a different user without knowledge of the victim user’s password. Kelby Ludwig is a Senior Application Security Engineer at Duo security, and he takes us through his discoveries.
Mar 17, 2018
Cryptojacking injections heat up.
There's been an epidemic of cryptojacking code injections recently, as bad actors attempt to cash in on the cryptocurrency craze through unauthorized cryptomining operations on unsuspecting users. Marcelle Lee is a threat researcher at LookingGlass, and she takes us through her recently published research, Cryptojacking — Coming to a Server Near You.
Mar 10, 2018
Dark Caracal APT steals out of Lebanon.
Researcher from Lookout and the EFF have discovered an APT group operating out of Lebanon they've named Dark Caracal. The group is running a global espionage campaign, targeting journalists, military personnel, activists, lawyers, medical professionals and educational institutions. Mike Murray is VP of Security Intelligence at Lookout, and he's our guide through their research.
Mar 3, 2018
Lebal malware phishes for victims.
Researchers at Comodo Security Solutions have been tracking a recently discovered strain of malware named Lebal. The malware uses several clever techniques to attempt to hide itself, and once installed targets credentials and cryptocurrency wallets. Fatih Orhan is VP of Threat Labs at Comodo, and he takes us through their research.
Feb 24, 2018
Phishing for holiday winnings.
Or Katz is principal lead security researcher for Akamai's Enterprise Security Business Unit, and the research he’s sharing today is a widespread phishing campaign targeting users using an advertising tactic. The research is titled, “Gone Phishing for the Holidays."
Feb 17, 2018
The uncanny HEX men.
The research we’re discussing today is called, “Beware the Hex Men”, and it tracks multiple attack campaigns conducted by a Chinese threat actor. The GuardiCore Labs team identified three attack variants that they named Hex, Hanako and Taylor, targeting SQL servers.
Feb 10, 2018
IcedID banking trojan.
IcedID is a banking trojan recently discovered and tracked by IBM's X-Force research team, targeting banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Limor Kessem is an executive security advisor with IBM Security. She returns to Research Saturday to describe what she and her team found.
Feb 3, 2018
Advanced adware with nation-state tactics.
Adware is generally considered unsophisticated, and because of its low perceived threat level it's often ignored. Researchers at the Booz Allen Dark Labs' Advanced Threat Hunt Team have recently published research describing a more advanced type of adware, using infection techniques usually attributed to nation-state actors. Jay Novak is a threat hunter and tech lead at Booz Allen, and he takes us through their research.
Jan 27, 2018
Targeting Olympic organizations.
This week we’re discussing the a campaign the McAfee Advanced Threat Research team recently discovered, one that’s targeting organizations involved with the upcoming Pyeongchang Winter Olympics. Raj Samani is chief scientist at McAfee, and he shares the campaign's clever details.
Jan 20, 2018
Fancy Bear Duping Doping Domains.
Researchers at ThreatConnect have discovered evidence that Fancy Bear, a cyber espionage group generally associated with Russia's military agency GRU, may be spoofing domains belonging to the World Anti-Doping Agency (WADA), the US Anti-Doping Agency (USADA), and the Olympic Council of Asia. Kyle Ehmke is a threat intelligence researcher with ThreatConnect, and he takes us through their work.
Jan 13, 2018
Shake Your MoneyTaker.
A group of Russian-speaking hackers have stolen nearly $10 million from banks around the world. Group-IB, a company with expertise in computer forensics, information security and, specifically, Russian‑speaking criminal groups, have named these thieves MoneyTaker. Nicholas Palmer is the director of international business development at Group-IB, and he's joined by their head of threat intelligence, Dmitry Volkob to explain the MoneyTaker group's schemes.
Jan 6, 2018
TRISIS Malware: Fail-safe fail.
Robert M. Lee. is CEO of Dragos Security, a company that specializes in the protection of industrial control systems. He’s describing his team's research on TRISIS, tailored ICS malware infecting safety instrumented systems (SIS), so far found only in the middle east. It's only the fifth known incident of malware targeting ICS systems.
Dec 30, 2017
Hunting the Sowbug.
Alan Neville is a senior threat intelligence analyst at Symantec located in Dublin. He is responsible for leading and documenting investigations into high priority attacks. He recently published research on the Sowbug cyber espionage group targeting South American and Southeast Asian governments. https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments
Dec 23, 2017
Keyboys back in town.
In this edition of the CyberWire Research Saturday, we'll take a look at a more recent intrusion PwC has uncovered, named KeyBoy and highly likely a China-based threat actor. It uses compromised Word documents to gain access. Bart Parys is a lead researcher in PwC's cyber threat intelligence team, responsible for tracking cyber threat actors, their latest toolsets and methodologies. https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
Dec 16, 2017
The unique culture of the Middle Eastern and North African underground.
Online underground markets thrive across the globe, with the Middle East and North Africa being no exception. Researchers at Trend Micro recently too a look inside these digital souks, and while much of what they discovered matches similar online marketplaces, there are unique cultural elements that set these regional trading posts apart. Jon Clay is a cyber security expert from Trend Micro, and he takes us through their research paper, "Digital Souks: A Glimpse into the Middle East and North African Underground."
Dec 9, 2017
Stealthy Zberp Banking Trojan.
Zberp is a stealthy banking trojan with an unconventional process injection technique. A hybrid of the ZeusVM and Carberp malware, Zberp uses a variety of techniques to prevent detection while it gathers information from infected systems. Limor Kessem is an executive security advisor for IBM, and she's our guide.
Dec 2, 2017
Staying ahead of Fast Flux Networks.
Bad actors are using Fast Flux Networks with quickly-changing IP addresses and domain names to help hide their activities. Or Katz, Principal Lead Security Researcher at Akamai, takes us through their recently-published white paper, "Digging Deeper — An In-Depth Analysis of a Fast Flux Network."
Nov 25, 2017
Waiting for Terdot, a sneaky banking Trojan.
The Terdot Banker Trojan is a descendant of the Zeus family of malware, and has evolved to feature serious espionage capabilities. It can compromise transactions, steal accounts and credit card information, and can eavesdrop on and modify traffic on social media and email platforms. While not yet widely spread, it's a threat to consumers and businesses alike. Bogdan Botezatu is a senior e-threat analyst at Bitdefender, and he takes us through their recently published whitepaper.
Nov 18, 2017
Dark Net Pricing with Flashpoint's Liv Rowley.
Cybercriminals offer all sorts of illicit goods for sale on Deep and Dark Web markets. In this episode, Liv Rowley, cybercrime intelligence analyst at Flashpoint, takes us through her team's research into the pricing of certain illegal goods online, including "Fullz", exploit kits, DDoS for hire, RDP servers, card data, bank logs and passports. Supply meets demand in this shady underground ecosystem.
Nov 11, 2017
Taiwan Bank Heist and Lazurus Group with BAE's Adrian Nish.
Dr. Adrian Nish is head of cyber threat intelligence at BAE Systems. His team has been tracking a new cyber-enabled bank heist in Asia. Some of the tools used are reminiscent of the Bangladesh Bank attack from February 2016. The full report can be found here.
Nov 4, 2017
Exploring Phishing Kits with Duo Security's Jordan Wright.
In this episode of the CyberWire’s Research Saturday we are joined by Jordan Wright, Senior Research and Development Engineer at Duo Security. He’s the author of the research report, “Phish in a Barrel,” which describes his work gathering and examining thousands of phishing kits from around the web.
Oct 28, 2017
Tracking a Trojan: KHRAT.
The moniker KHRAT came about because of the identification of a Remote Access Trojan (RAT) with command and control infrastructure found in Cambodia (KH). In the most recent episode of the CyberWire's Research Saturday, Ryan Olson, Director of Threat Intelligence at Palo Alto Networks, talks with us about the capabilities of KHRAT and shares details the feature set it provides to threat actors that use it. https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
Oct 21, 2017
WireX BotNet with Justin Paine from Cloudflare.
In August 2017, multiple Content Delivery Networks (CDNs) and content providers were subject to significant attacks from a botnet dubbed WireX. (The botnet is named for an anagram for one of the delimiter strings in its command and control protocol.) The WireX botnet is primarily made up of Android devices running malicious applications and is designed to create DDoS traffic. The botnet is sometimes associated with ransom notes to targets. Justin Paine is Head of Trust and Safety at Cloudflare, and he joins us to share the WireX story. https://blog.cloudflare.com/the-wirex-botnet/
Oct 14, 2017
Synthesized DNA Malware with Peter Ney.
Peter Ney is a PhD candidate in the Allen School of Computer Science and Engineering at the University of Washington where he is advised by Professor Tadayoshi Kohno. His current research is focused on understanding computer security risks in emerging technologies like DNA synthesis and sequencing and the new threats posed by maliciously crafted, synthetic DNA. He and his team found that security of DNA processing programs is poor and show with a proof-of-concept that it is possible to attack computer systems with adversarial synthetic DNA.
Oct 7, 2017
Android Toast Overlay: Ryan Olson from Palo Alto Networks.
Android Toast Overlay enables attackers to trick Android users into enabling permissions on infected devices by making them think they are clicking on benign buttons superimposed over the user interface. Ryan Olson is Director of Threat Intelligence at Palo Alto Networks' Unity 42, and he joins us to share their research.
Sep 30, 2017
APT 33: FireEye's John Hultquist on an Iranian Cyber Espionage Group.
APT 33 is an Iranian cyber espionage group that targets aerospace and energy sectors and has ties to destructive malware. John Hultquist is Director of Intelligence Analysis at FireEye, and he takes us through their research.
Sep 23, 2017
Pacifier APT : Bitdefender's Liviu Arsene describes a sophisticated, multifaceted malware campaign.
In 2016 Bitdefender uncovered a new advanced persistent threat dubbed Pacifier, targeting government institutions starting in 2014. Using malicious .doc documents and .zip files distributed via spear phishing e-mails, attackers would lure victims with invitations to social functions or conferences into executing the attachments. It’s capable of dropping multi-stage backdoors. Liviu Arsene is a senior e-threat analyst at BitDefender, and he's our guide to the complex components of Pacifier APT.
Sep 16, 2017
Cobian RAT: Zscaler’s Deepen Desai describes some clever malware.
Deepen Desai, senior director of security research and operations at Zscaler, describes research he and his team have been doing since discovered a clever bit of malware they’ve named Cobian RAT. (RAT stands for Remote Access Trojan.) It’s available for free, but contains a back door that allows the original author to access and control the RAT remotely.