Kingminer – a Crypto-Jacking Botnet Under the Scope
n late 2017, crypto currencies in general (and Bitcoin in particular) have appreciated tremendously. As some digital currencies spiked to $20,000 in fiat money, a new kind of gold rush started. By compromising computers with coin miners, cyber-criminals could take in great profits at zero hardware costs.
This white-paper tells the story of Kingminer, a botnet that has undergone significant changes to stay relevant and avoid detection.
StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure
StrongPity, also known as Promethium, is a threat group that is assumed to have been active since at least 2012. Information about this actor was first publicly reported in October 2016 with details on attacks against users in Belgium and Italy. Later, in 2018, the attackers shifted their focus on another geographical region, compromising Turkish telecommunication companies to target hundreds of users in Turkey and Syria.
It is believed that the attacks attributed to StrongPity are government-sponsored and are used for population surveillance and intelligence exfiltration. More so, it is believed that these attacks are used as support for the geo-political conflicts in the region. The known preferred infection vector used by the StrongPity group is a watering hole technique, delivering malicious versions of legitimate installers to
BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool
In 2016, a sophisticated malware campaign targeting Pakistani nationals made headlines. Dubbed Bitter, the Advanced Persistent Threat group (also known as APT-C-08) has been active both in desktop and mobile malware campaigns for quite a long time, as their activity seems to date back to 2014.
This paper is a technical account of the developments related to Bitter, its evolution and how, steadily and surely, threat actors are upping their game and poking holes in Google Play to use it as a propagation vector.
Bitdefender 10 IN 10 Study: The Indelible Impact of COVID-19 on Cybersecurity
The Indelible Impact of COVID-19 on Cybersecurity Study was conducted among 6,724 Security and IT workers in May 2020 across the UK, US, Australia/New Zealand, Germany, France, Italy, Spain, Denmark and Sweden.
Representing a broad cross-section of organisations and industries, from fledgeling SMEs, through to publicly listed 10,000+ person enterprises. The report, which will form part of the yet to be released 10 in 10 Study, details the pressures faced by IT professionals during the COVID-19, how these pressures are testing the effectiveness of security measures and the changes they will need to make within their organisations as a result.
Loading DLLs for illicit profit. A story about a Metamorfo distribution campaign
Late last year, we noticed a massive ongoing campaign of banker malware concentrated primarily in Brazil. The threat
actors behind this campaign have a predilection for defense evasion, with their signature modus operandi revolving around a technique named dynamic-link library (DLL) hijacking.
During the time we monitored the Metamorfo campaign, we’ve seen 5 different software components, manufactured
by respected software vendors, abused in the attack. This whitepaper covers the technical details of the attack and how operators abuse legitimate tools to evade detection.
Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
Chafer APT is a threat group with an apparent Iranian link. It is known to be active since 2014, focusing on cyber espionage campaigns. Bitdefender has spotted the group targeting critical infrastructure from the Middle East, presumably for intelligence gathering.
Bitdefender researchers have found attacks conducted by this actor in the Middle East region, dating back to 2018. The campaigns were based on several tools, including “living off the land” tools, which makes attribution difficult, as well as different hacking tools and a custom built backdoor.
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years
In early 2020 we identified a new, highly sophisticated Android espionage platform that had been active in the wild for at least 4 years. We named the threat Mandrake as the actor(s) behind it used names of toxic plants, or other botanical references, for major development branches: e.g. Briar, Ricinus or Nerium.
This whitepaper provides insight into how the malware operates, what its end goal was and how it successfully managed to stay undetected in an official app store for more than 4 years.
Coronavirus Report: Popular Android Apps Impersonated by Malware
The serious isolation measures adopted to stop the Coronavirus pandemic has forced people to turn to technology as a bridge to the rest of the world.
Whether it’s for working from home, online school courses or entertainment, people rely more than ever on smart devices to ease the effects of social distancing, and malware developers have been quick to adapt to the new reality.
Here at Bitdefender we keep a close eye on cyber-criminals’ techniques, and we develop mitigations for a safer experience at home, at the office or at school. For the past three months, we have monitored trending mobile applications and have looked for cloned applications rigged with malware.
At the end of May 2019, a new family of ransomware called Maze emerged into the gaping void left by the demise of the GandCrab ransomware. Bitdefender experts take a deep dive into Maze Ransomware to expose the shady techniques it uses to perform obfuscation, evasion, exploitation and ultimately, encryption.
New TrickBot Module Bruteforces RDP Connections, Targets Select Telecommunication Services in US and Hong Kong
Bitdefender researchers have discovered a new TrickBot module (rdpScanDll) built for RDP bruteforcing operations on select targets. The new module was discovered on January 30 and, based on the IP addresses it targets, victims seem to be US and Hong Kong-based, predominantly in the telecom industry.
While TrickBot is a Trojan that has been around since 2016, it started out as a credential-harvesting threat mostly focusing on e-banking, while its plugin-based design has made it much more than just a threat focused on financial data theft. S
Severe Vulnerability in iBaby Monitor M6S Camera Leads to Remote Access to Video Storage Bucket
Baby monitors have become increasingly common in modern homes. To many parents, the ability to keep an eye on children while away is worth the risk of having video feeds or pictures leaked to unauthorized parties.
This whitepaper – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s bestsellers in the IoT space. PCMag contacted the research team at Bitdefender and asked us to look at several popular internetconnected devices, including the iBaby Monitor M6S camera.
Like ‘AI’, ‘machine learning’, or ‘actionable intelligence’, ‘Cyber Threat Hunting’ has become an industry buzzword that is used in multiple contexts and now has no clear definition. But understanding how to hunt across an environment requires that we must first understand exactly what Cyber Threat Hunting is
MDR Reduces Threat Detection and Response Challenges
Organization struggle with threat detection and response (TDR) because of high volume of s and the increasing sophistication of attacks. Savvy CISOs turn to managed detection and response (MDR) services to utilize providers’ technical acumen, machine-based detection, and threat curation, and to respond faster. The best solutions will feature services that have high fidelity threat intelligence and take preapproved proactive response actions on behalf of the customer.
Languages: au, br, de, en, es, fr, it, latin, nl, pt, ro, uk
08 January 2020
Help Found: Cyber Skills Through Managed Detection and Response Services
With the cybersecurity skills shortage continuing unabated year after year, organizations turn to managed detection and response (MDR) services for help. Specialized human acumen and tailored threat data in MDR offerings help reduce the security volume faced by security analysts. The best solutions will feature threat data that is curated by a service provider with a long history in threat detection and align that data with customers’ industry and market segment requirements in order to take proactive response actions to thwart the adversary.
Languages: au, br, de, en, es, fr, it, latin, nl, pt, ro, uk
18 December 2019
RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data
Bitdefender researchers recently found threat actors abusing a legitimate feature in the RDP service to act as a fileless attack technique, dropping a multi-purpose off-the-shelf tool for device fingerprinting and for planting malware payloads ranging from ransomware and cryptocurrency miners to information and clipboard stealers.
The campaigns do not seem to target specific industries or companies; instead, threat actors have used a shotgun approach, focusing on reaching as many victims as possible. In terms of financial impact, estimated cryptocurrency earnings based on the cryptocurrency wallets found indicate attackers have netted at least $150,000 through some of their campaigns.
Multiple Vulnerabilities in Belkin WeMo Insight Switch
Internet of Things devices have become commonplace in modern homes. Relatively inexpensive and easy to control remotely, they promise a world at your fingertips. Security vulnerabilities in connected devices can not only affect the user experience but can also give cyber-criminals an open door to your local network. This is also the case with the Belkin WeMo Insight Switch, a smart power plug that lets you turn any conventional device into a smart one.
Threat Intelligence Required for Effective Managed Detection and Response
Cybersecurity professionals are responsible for threat prevention, detection, and response and most invest abundant resources, both human and budgetary, into security controls and processes in this area.
Threat prevention starts with good security tools hygiene and must-have controls like endpoint security software, intrusion prevention, and the like. However, despite all the controls in place, adversaries still break through threat defenses and compromise the environment. The rise to prominence of detection and response over mere protection capabilities is a direct result of security tool vulnerability to the continued rise in adversarial sophistication.
The first half of 2019 brought interesting developments in malware targeting popular operating systems, in hardware and software vulnerabilities affecting consumer and businesses, and in the increased number of attacks aimed at (and even carried out by) IoTs.
With the money motive driving the proliferation of malware, cybercriminals are nothing if not resourceful when developing new malware strands or coming up with more successful attack vectors. The number of malware samples roaming the internet is about to reach the 1 billion1 milestone.
Dozens of Apps Still Dodging Google’s Vetting System, Dropping Aggressive Adware in Play Store
Bitdefender researchers recently analyzed 25 apps that made it into Google Play, at least for a time, packing aggressive adware SDKs that bombarded users with ads and avoided removal by hiding their presence. Cumulatively, the apps were apparently downloaded almost 700,000 times by Google Play users.
While Google has gone to great lengths to ban malicious or potentially unwanted applications from the official Android app store, malware developers are nothing if not imaginative when coming up with new ideas to dodge Google Play Protect.
Increasing Cybersecurity Resilience through Security Automation
The ever-evolving threat landscape, coupled with the increased number of cyberattacks aimed at businesses and organizations, has accelerated adoption of a growing number of security solutions. The malware-as-a-service industry has lowered the bar for cybercriminals -- not having the right technical skills is no longer a barrier for those who want an exploit kit, ransomware kit, or even a botnet.
Cyber risk is now among the top 5 risks affecting businesses, according to 65 percent of executives. At the same time, the risk of cyberattacks ranks the third most likely occurrence, right after natural disasters, according to the World Economic Forum’s Global Risk Report for 2018. Cybercrime as an industry has also grown from $450 billion in 2016 and is estimated to reach a whopping $2 trillion by 2019, according to the same report.
A close look at Fallout Exploit Kit and Raccoon Stealer
Over the last few months, we have seen increased Exploit Kit activity. One example is the Fallout Exploit Kit, which we will describe in depth in this article.
Since its emergence in August 2018, threat actors have intensively used the Fallout Exploit Kit to deliver ransomware (GandCrab, Kraken, Maze, Minotaur, Matrix and Stop), Banker Trojans (DanaBot) and information stealers (RaccoonStealer, AZORult, Vidar), and others.
Who IsErIk: A Resurface of an Advanced Persistent Adware?
As the malware industry expands, new tricks added to the cyber-criminal arsenal show up on a daily basis. Our Advanced Threat Control team has identified a massive expansion of the malicious repertoire meant to resurface old, but not-forgotten threats. The main focus of this analysis is an adware loader, first discovered in 2016, which has kept such a low profile that researchers still haven’t agreed to a common denomination, generically identifying it as APA – Advanced Persistent Adware.
Worm-Cryptominer Combo Lets You Game While Using NSA Exploits to Move Laterally
Bitdefender researchers recently found and analyzed a worm-cryptominer combo that uses a series of exploits to move laterally and compromise victims. What makes it interest is that it pauses the resource-intensive cryptomining process if it finds popular games running on the victim’s machine.
The investigation revealed that the worm-cryptominer has been constantly updated by its developers. Some of its modules were updated to make it difficult for security researchers to analyze it, as well as improve lateral movement and other capabilities.
Astaroth Trojan Resurfaces, Targets Brazil through Fileless Campaign
During routine detection monitoring from our Advanced Threat Control technology, Bitdefender researchers found an interesting spike in malware activity that involved using Microsoft binaries in the infection process, as well as GitHub and Google Drive for delivering payloads.
After analyzing the detection details, we identified this activity as a resurgence of the Astaroth spyware, a Trojan and information stealer known since late 2017.
Scranos Revisited – Rethinking persistence to keep established network alive
In April, Bitdefender broke the news of an emerging botnet dubbed Scranos. Originating from China, it has spread across Europe and the United States, snaring Windows and Android devices with advertising fraud and social network manipulation.
We kept an eye on the developments in the weeks after the publication and documented how the operators tried to rebuild the botnet and restore functionality. This led us to identify new components used to generate ad revenue in the background by visiting arbitrary URLs with Google Chrome and to disguise these ads as notifications, generating additional ad revenue at the user’s expense.
An APT Blueprint: Gaining New Visibility into Financial Threats
In mid-2018, Bitdefender researchers investigated a targeted attack on an Eastern European financial institution, gaining new insights and creating a complete event timeline showing how the infamous group Carbanak infiltrates organizations, how it moves laterally across the infrastructure, and the time it takes to set up the actual heist.
The initial point of compromise found in our investigation involved the use of spear-phishing emails with malicious URLs and tainted documents rigged to download a Cobalt Strike beacon component. Within hours of compromise, the cybercriminal group would begin to move laterally across the infrastructure, identify critical documents and prepare them for exfiltration, and try to access the organization’s ATM and banking applications.
The Challenges of Digital Parenting in the Connected Home
What are the challenges of digital parenting and how can parents live in harmony with their digital-native kids? As families grow more connected and daily life moves online, privacy and security should become top priorities in each smart home.
Boosting SOC Efficiency with Contextual and Real-Time Insights into the Global Threat Landscape
The cybercrime industry has evolved over the past couple of years, and is becoming increasingly sophisticated and lucrative. It generated over $1.5 trillion in illicit profit during 2017 and 2018, and is predicted to inflict over $6 trillion dollars in damages by 2021. Destructive malware attacks have become one of the most prevalent and expensive
consequences of advanced cybercrime. While the number of reported data breaches fell slightly in 2018 from 2017, the number of exposed records is estimated at 5 billion.
Inside Scranos – A Cross Platform, Rootkit-Enabled Spyware Operation
Last year, the Bitdefender Cyber Threat Intelligence Lab started analysis of a new password- and data-stealing operation based around a rootkit driver digitally signed with a possibly stolen certificate. The operation, partially described in a recent article by Tencent, primarily targeted Chinese territory until recently, when it broke out around the world.
In just the past few years, ransomware has evolved from a novelty to the most feared malware of the digital era. Amateur hackers have amassed fortunes thanks to this prolific crypto-viral extortion scheme, but things are beginning to change. Advanced criminals with increasingly sophisticated attack avenues and obfuscation techniques are putting the original small crooks to shame.
Today’s bad guys not only manage to evade corporate defenses, they are also insatiable in their ransom demands. Ransomware drains billions from the global economy each year and shows no signs of slowing down. However, the highest cost of a ransomware attack is no longer the ransom itself.
In an increasingly complex environment (IoT, BYOD, etc.) and a digital economy riddled with cyber incidents and threats, organizations clearly need a more proactive solution.
A solution with visibility into network-level threats and traffic anomalies, and the ability to detect risky user behavior that can lead to breaches and data leaks.
They want automated security analytics to reduce noise and improve threat-hunting efficiency. And they need quick, actionable insights to speed up incident response.
Network traffic analytics represents the next generation of threat detection. It is a solution tailored for combating advanced threats in a security analytics market that Research and Markets predicts will reach $6.5 billion in 2022.
Bitdefender Network Traffic Security Analytics (NTSA) is the Bitdefender NTA solution offering real0-time breach detection and complete threat visibility to help CISOs employ a more comprehensive and effective approach.
Ransomware – A Growing Menace for Healthcare Providers
Costs associated with data breaches in healthcare are nearly three times higher than in other industries. Health or clinical data is also the most common type of personal data compromised. Electronic health records contain highly sensitive data, yet many clinics communicate through unsecure channels and their systems are poorly patched. Stolen patient health information that makes its way onto the dark can be used for various kinds of fraud and extortion, such as banking and credit fraud, healthcare fraud, identity theft and ransom extortion.
Linux in the Datacenter: Why Baseline Security is Not Enough
The Linux kernel has been characterized as the most exposed operating system in the world, surpassing even Mac OS X. Beyond kernel, a wide range of vulnerabilities can affect a Linux machine’s application stack, be it proprietary or open source.
Given the prevalence of Linux in the datacenter, such vulnerabilities can cause widespread damage to businesses. Read this Bitdefender whitepaper to learn about notorious Linux attacks from Heartbleed to Erebus ransomware and ways to protect your environment against them.
Top Security Challenges for the Financial Services Industry in 2018
How Well Is the Financial Services Industry Doing on Security? Healthcare, manufacturing and financial services have one thing in common: they are the three most-targeted industries in 2018. Not only do they provide access to reams of data, but the sectors are also critical to society. So, if hackers want to seriously do harm, they can go after either of these sectors to succeed. Companies in the financial services sector manage money, covering banking, offshore financial operations, stock brokers, credit card vendors, insurance companies and investment funds.
What is the actual cost of breaches in this sector and what kind of measures do CISOs leading financial services institutions take to ensure proper cyber defense, data security and prevent business disruption? The financial services sector currently spends as much as 40 percent more on breach containment and detection than it did three years ago, Accenture found, making it easily “the highest cost of cybercrime” in comparison with other industries. Financial services companies are severely impacted by business disruption and information loss, which end up draining the mitigation budget.
Bitdefender Global Mid-Year Threat Landscape Report 2018
The first half of 2018 brought interesting developments in terms of new emerging threats, significant “upgrades” to old threats, and a change in cybercriminal tactics when choosing targets and tools to increase revenue.
From an increase in the number of reported vulnerabilities to ransomware, cryptocurrency miners, fileless malware, and Android threats, we've also seen adware that is now borderline malware and IoT malware that both persistent and resilient.
Triout - The Malware Framework for Android That Packs Potent Spyware Capabilities
Bitdefender researchers have identified a new Android spyware that seems to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures, collecting GPS coordinates, and broadcasting all of that to an attacker-controlled C&C server.
Many experts say that data, and not gold or oil, has become the most valuable commodity in the world in recent years. As the value of data increases, cyber-attacks become a threat that business leaders have no choice but to place at the top of their priority list. But how can organizations manage cyber risks and improve readiness for regulations like GDPR?
This whitepaper uncovers software vulnerabilities as a major risk exposure for organizations. It also shows how frameworks like NIST and patch management solutions can be of great help in eliminating vulnerabilities and manage cyber risk exposure.
Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation
The line between adware and spyware has become increasingly fuzzy during recent years as modern adware combines aggressive opt-outs with confusing legal and marketing terms as well as extremely sophisticated persistence mechanisms aimed at taking control away from the user.
This whitepaper details an extremely sophisticated piece of spyware that has been running covertly since early 2012, generating revenue for its operators and compromising the privacy of its victims.
Evolution of Top 3 Threats Reveals that Hype, Maturity and Stealth Drive Cybercrime
Ransomware has undoubtedly been among the most prevalent threats for the past couple of years, inflicting financial losses estimated in the billions of dollars globally. Its success in generating revenue has even spurred creation of an entire industry – ransomware-as-a-service – where cybercriminals focus on developing tools, offering support, and even implementing business models ranging from upfront payments to subscriptions for anyone interested in starting their own ransomware campaign.
The stability, maturity, and constant development of ransomware has made it a weapon of choice for cybercriminals. While only 50 percent of victims pay ransom, other threats guarantee instant return-on-investment. Cryptojacking – or the use of coin mining software to illicitly use a victim’s computing power to mine for crypto currency – has become the latest hype.
RadRAT: An all-in-one toolkit for complex espionage ops
Around February this year, we came across a piece of malware that had previously gone unnoticed. Buried in the malware zoo, the threat seems to have been operational since at least 2015, undocumented by the research community.
Our interest was stirred by its remote access capabilities, which include unfettered control of the compromised computer, lateral movement across the organization and rootkit-like detection-evasion mechanisms. Powered by a vast array of features, this RAT was used in targeted attacks aimed at exfiltrating information or monitoring victims in large networked organizations.
This whitepaper details on the technical capabilities of RadRAT, its complex lateral movement mechanisms and other particularities that make it an advanced threat.
Endpoint Detection & Response (EDR) - How to safeguard customers’ personally identifiable information under the GDPR
More data records were lost or stolen in the fi rst half of 2017 than in all of 2016. And in 2017, Gartner found organizations were gravely underprepared for the European Union’s General Data Protection Regulation (GDPR). More than half of companies affected by the regulation will not be in full compliance when it takes effect in May, the group said.
With only two months to go before the regulation is enforced, studies show little has changed. Yet the pressure of complying with the upcoming law weighs more heavily on everyone’s shoulders by the day. Fortunately, solutions are readily available to businesses big and small seeking to ensure cyber resilience on their way to GDPR compliance.
Cryptocurrency Mining Craze Going for Data Centers
Cybercriminals have always been financially motivated, and cryptocurrency mining is the latest trend in generating revenue by abusing the same age-old malware attack vectors previously associated with ransomware dissemination. The recent Bitcoin craze, with the currency peaking at $19,000 per unit, has focused cybercriminals on crypto mining, instead of traditional ransomware.
Bitdefender telemetry has shown that crypto currency-enabled malware is increasingly outdoing ransomware in popularity, with the rise in adoption picking up in the past six months.
Hybrid Architectures and Software-Defined Datacenters Drive New Requirements for Security Solutions
The evolution of IT architecture, with the software-defined and cloud technologies at its heart, is fundamental to business transformation. It allows organizations to capitalize on scalable, flexible infrastructure and rapidly roll out new applications, products, and services. At the same time, datacenter modernization introduces security challenges that many solutions struggle to address.
Read this IDC whitepaper, sponsored by Bitdefender, to learn about transformative datacenter technologies (including software-defined compute, storage, networking, hyperconverged infrastructure, and hybrid cloud), the security challenges they entail and new requirements for security solutions they impose.
Playing Hide ‘N Seek: World’s first IoT Botnet with custom-built P2P communication
Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.
The bot was first spotted on Jan. 10 then faded away in the following days, only to re-emerge on Jan. 20 in a significantly improved form.
Operation PZCHAO - Inside a highly specialized espionage infrastructure
This whitepaper tells the story of a custom-built piece of malware that we have been monitoring for several months as it wrought havoc in Asia.
Our threat intelligence systems picked up the first indicators of compromise in July last year, and we have kept an eye on the threat ever since.
This whitepaper takes an in-depth look at the the attack chain, the infrastructure used by the threat actors, the malware subdomains they control and the payloads delivered on the targeted systems, as well as other telltale signs about a possible return of the Iron Tiger APT.
Quo Vadis RGPD ? Données personnelles : à l'aube de nouveaux principes de responsabilité
Ce livre blanc se penche sur les problèmes à corriger par les organisations traitant de grands volumes de données personnelles, sur les défis organisationnels internes auxquels elles devront faire face pour assurer leur conformité, ainsi que sur les processus professionnels et technologiques majeurs nécessaires pour répondre aux nouvelles obligations imposées par le RGPD.
Terdot: Zeus-based malware strikes back with a blast from the past
This whitepaper is a technical analysis of the Terdot, a Banker Trojan that derives inspiration from the 2011 Zeus source code leak. Highly customized and sophisticated, Terdot can operate a MITM proxy, steal browsing information such as login credentials and stored credit card information, as well as inject HTML code in visited Web pages.
EHDevel – The story of a continuously improving advanced threat creation toolkit
More than a year ago, on July 26th 2016, the Bitdefender Threat Intelligence Team came across a suspicious document called News.doc.
Upon preliminary investigation, the sample revealed a set of similar files that bear the same features, but appear to have been used in separate attacks targeted at different institutions.
This plug-and-play malware framework uses a handful of novel techniques for command and control identification and communications, as well as a plugin-based architecture, a design choice increasingly being adopted among threat actor groups in the past few years.
Dubbed EHDevel, this operation continues to this date, the latest known victims reportedly being several Pakistani individuals. In their case, the threat actors have chosen different lures than the ones presented in this paper, but the modus operandi is identical.
New Pacifier APT Components Point to Russian-Linked Turla Group
In 2016, Bitdefender uncovered a new advanced persistent threat dubbed Pacifier, targeting government institutions starting in 2014. Using malicious .doc documents and .zip files distributed via spear phishing e-mails, attackers would lure victims with invitations to social functions or conferences into executing the attachments. Our previous analysis of the Pacifier components revealed that it’s capable of dropping multi-stage backdoors and that the analyzed first stage dropper is also known as “Skipper” by other security vendors.
Our new whitepaper covers an in-depth analysis of the three new backdoor modules, as well a short description of their capabilities and features.
Remote Exploitation of the NeoCoolcam IP Cameras and Gateway
The Internet of connected things has changed the way we interact with our homes, offices or even with our own bodies. But although connected devices are sold mostly everywhere, manufacturers haven’t dived deep into the technology, as more innovation is expected to emerge the more connected we are.
In 2016, security researchers from Bitdefender detected multiple vulnerabilities in a number of Internet of Things devices. This paper is another investigative effort in the IoT space and it details the compromise of a vendor’s line of IPTV and gateway products by trivial remote exploitation.
The DarkHotel threat actors have been known to operate for a decade now, targeting thousands of businesses across the world via Wi-Fi infrastructure in hotels.
This whitepaper covers a sample of a particular DarkHotel attack, known as Inexsmar. Unlike any other known DarkHotel campaigns, the isolated sample uses a new payload delivery mechanism rather than the consacrated zero-day exploitation techniques. Instead, the new campaign blends social engineering with a relatively complex Trojan to infect its selected pool of victims.
On January 27th, reports of a rapidly spreading ransomware attack started to emerge from Ukraine. The speed at which critical infrastructure networks were shutting down pointed to a ransomware application with a wormable component, whose virality called to mind the WannaCry ransomware. In less than three hours, the infection crippled banks, ATMs, public transport and an airport, as well as utilities provider Kyivenergo. Then it spread outside the Ukraine.
As multiple critical infrastructure networks reported major blackouts, Bitdefender started an internal investigation over the isolated malware samples to trace the attack’s origin and better understand what it targeted, and how. The following report is based on our internal telemetry and reflects what we know as of the moment of writing.
Everything you need to know about the WannaCry ransomware
For the past decade or so, increasing tensions between International governments have led to what IT security experts call today “cyberterrorism” – the use of cyberweapons (hacks) to spy on or to commission cyber-attacks overseas.
The most recent such example occurred on May 12, 2017 when an unknown group of hackers deployed what was to become the most dangerous ransomware attack ever recorded. WannaCry, as the malware is dubbed, leverages a (now patched) 0-Day vulnerability developed by hackers contracted by the NSA. This whitepaper is a technical detail into how the malware operates and its spreading techniques.
In May 2016, the Bitdefender threat response team isolated a number of samples from the internal malware zoo while looking into a custom file-packing algorithm. A deeper look into the global telemetry revealed that this piece of malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets.
Its unusual build could have easily make it pass like a regular threat that organizations block on a daily basis ; however, telemetry information provided by our event correlation service has pointed out that most of its victims are government agencies.
Delivering strong security in a hyperconverged data center environment
A new trend is emerging in data center technology that could dramatically change the way enterprises manage and maintain their IT infrastructures. It’s called hyperconvergence, and it’s gaining momentum as companies look for ways to run more efficient and agile technology environments.
Sensibilisation à la sécurité à l'ère de l'Internet des Objets
Ce livre blanc vise à mettre en lumière la perception qu'ont les particuliers des technologies connectées et à illustrer la manière dont les internautes américains et européens comprennent et adoptent l'IoT (Internet des Objets). Nul doute, les gens apprécient le côté innovant de ces objets connectés. Mais comment gèrent-ils les problématiques de sécurité et de confidentialité ? Sont-ils compétents, ou non, en tant qu'administrateurs des Objets de leurs maisons ?
Die Rolle des CIO wächst mit der Virtualisierung (Eine Studie unter IT-Entscheidern in Deutschland)
Die Studie von Bitdefender unter 100 IT-Entscheidern in deutschen Unternehmen mit mehr als 1000 PCs im Einsatz zeigt, dass die Rolle der IT innerhalb der Unternehmenshierarchien zunehmend wichtig wird. CEOs und Vorstandsmitglieder sind einer wachsenden Zahl interner und externer Sicherheitsrisiken ausgesetzt, die das Potenzial haben, Kundenvertrauen und Geschäftserfolg nachhaltig zu beinträchtigen. Dennoch haben nicht alle Vorstandsetagen bereits einen CIO oder CISO in ihren Entscheidungsprozessen eingebunden. Die von iSense Solution durchgeführte Studie zeigt auf, wie Entscheidungsträger in der IT ihre Rolle innerhalb von Organisationen wahrnehmen und was sie benötigen, um die Erwartungen des Unternehmens an sie zu erfüllen. Wie hat das Thema Virtualisierung die Spielregeln für Security verändert? Können Angriffe mit den gegebenen Mitteln gestoppt werden? Sind Unternehmen zu Zahlungen bereit, wenn Sie damit eine öffentliche Bloßstellung vermeiden können?
Since the APT28 group’s emergence in 2007, Bitdefender has become familiar with the backdoors used to compromise Windows and Linux targets, such as Coreshell, Jhuhugit and Azzy for the former OS or Fysbis for the latter.
This year we have been able to finally isolate the Mac OS X counterpart - the XAgent modular backdoor. This whitepaper describes our journey in dissecting the backdoor and documenting it piece by piece.
A Bitdefender survey of 153 IT decision makers in the United Kingdom in companies with more than 1,000 PCs, shows they will rise in companies’ hierarchies, as CEOs and board members face increasing internal and external security risks that could ruin customer trust and business forecasts. Still, not all C-suites include CIOs/CISOs in the business decision-making process. This survey, carried out by iSense Solutions, shows how IT decision makers perceive their role inside the organizations and what they need to meet shareholder
expectations. How has virtualization changed the security game? How many attacks can be stopped with the current resources? Would they pay to avoid public shaming?
An October 2016 Bitdefender survey of 250 IT decision makers in the United States in companies with more than 1,000 PCs, shows they will rise in companies’ hierarchies, as CEOs and board members face increasing internal and external security risks that could ruin customer trust and business forecasts. Still, not all C-suites include CIOs/CISOs in the business decision-making process. This survey, carried out by iSense Solutions, shows how IT decision makers perceive their role inside the organizations and what they need to meet shareholder expectations. How has virtualization changed the security game? How many attacks can be stopped with the current resources? Would they pay to avoid public shaming?
Chiffrer les données des entreprises : une activité rentable pour les cybercriminels
Le ransomware, cybermenace la plus prolifique du moment, se propage au sein des entreprises via les réseaux de partage de fichiers, les pièces jointes, les liens malveillants ou encore les sites Internet compromis autorisant les téléchargements directs. Le premier trimestre 2016 a enregistré une croissance de 3 500% du nombre de domaines utilisés pour la diffusion de ransomwares, établissant au passage un nouveau record.
Découvrez dans ce livre blanc quels sont les principaux pays touchés par les ransomwares, quelles sont les familles de ransomwares les plus diffusées, les types de ransomwares sous Android ou encore les risques liés aux adwares.
Security Awareness in the Age of Internet of Things (A 2016 Bitdefender Study)
This paper looks to shed light on home users’ perception of smart technologies, to showcase how consumer IoT is embraced and understood by Internet users around the United States and Europe. Without a doubt, people are excited by the novelty of connected objects, but how well do they manage security and privacy? Are they succeeding or failing as the administrator of Things in their homes?
Des idées aux brevets. Transformer des approches visionnaires de la sécurité en technologies révolutionnaires
Ces dernières années, le terme « innovation » est devenu un mot à la mode dans toutes les industries du numérique. Des applications aux technologies, les idées révolutionnaires se propagent dans le but de changer le monde. Bitdefender a commencé à proposer des solutions de sécurité dès 2001 et, après 15 années d’innovation continue, ces solutions protègent désormais un demi-milliard d’endpoints dans le
monde. L’innovation nous a permis de gagner la confiance de nombreux foyers et d’entreprises dans plus de 150 pays et nous a permis de remporter de très nombreuses récompenses.
Ransomware, the most prolific cyber threat of the moment, gains foothold in organizations and companies via file-sharing networks, e-mail attachments, malicious links or compromised websites that allow direct downloads. The first quarter of 2016 saw 3,500% growth in the number of ransomware domains created, setting a new record.
From ideas to patents. How visionary security dreams become breakthrough technologies
The R&D team is at the center of Bitdefender to ensure we are fully equipped to look after our customers’ interests, both now and in the future. Our team of engineers and researchers reached the 600+ milestone this year. To keep the innovation flame burning bright, Bitdefender invests 25% of its yearly research and development budget in visionary security dreams. From a total of 72 patents, Bitdefender has 42 patents issued for core technologies in past three years alone. In addition, 35 more are currently filed for examination. With almost 10 percent of Bitdefender patents pertaining to machine-learning algorithms for detecting malware and other online threats, deep learning and anomaly-based detection techniques play a vital role in proactively fighting new and unknown threats.
Virtualization brings new security challenges for large companies (UK)
A November 2016 Bitdefender survey of 153 IT decision makers in the United Kingdom in companies with more than 1,000 PCs shows that virtualization is a strategic priority, yet they are still not fully ready for the security challenges this environment brings. Hybrid infrastructures have become the major common architecture in the enterprise environment and CIOs have to adapt to the new world. This survey, carried out by iSense Solutions, shows the main security concerns and issues they face. What cyber threats are companies not ready to handle? What are the main concerns regarding the security management of hybrid infrastructures? Why do IT decision makers fear for their jobs?
Ce que vous devez savoir sur les ransomwares - et sur la façon dont Bitdefender vous protège
Avec les cybercriminels qui génèrent des millions, voire des milliards de dollars, grâce aux demandes de rançons en ligne, les ransomwares sont unanimement considérés comme l’une des plus grandes menaces auxquelles les entreprises doivent faire face de nos jours.
Dans ce livre blanc, vous apprendrez ce que vous devez savoir sur ce type de menace et quelles technologies Bitdefender utilise pour protéger votre entreprise contre l’un des plus grands fléaux en ligne auxquels elle est confrontée aujourd’hui.
Virtualisierung: Neue Sicherheits- Herausforderungen für Unternehmen
Virtualisierung ist in deutschen Unternehmen mittlerweile zu einem strategischen Faktor geworden, dennoch können bislang viele die notwendigen Sicherheitsanforderungen nicht erfüllen, die eine solche Umgebung mit sich bringt. Das ist das Ergebnis einer Bitdefender-Umfrage bei 100 IT-Entscheidungsträgern deutscher Unternehmen mit mehr als 1.000 PC-Arbeitsplätzen. Hybride Infrastrukturen sind
mittlerweile ein wichtiger Bestandteil in einer großen umfassenden Architektur im Unternehmensumfeld geworden, dieser neuen Welt müssen sich CIOs anpassen. Die Umfrage, die von iSense durchgeführt wurde, zeigt die wichtigsten Sicherheitsbedenken und Probleme auf. Welche Cyber-Bedrohungen können Unternehmen heutzutage noch nicht abwehren? Was sind die Hauptanliegen hinsichtlich des
Sicherheitsmanagements von hybriden Infrastrukturen? Warum haben IT-Entscheider Angst um ihre Jobs?
Virtualization brings new security challenges for large companies
An October 2016 Bitdefender survey of 250 IT decision makers in the United States in companies with more than 1,000 PCs shows that virtualization is a strategic priority, yet they are still not fully ready for the security challenges this environment brings. Hybrid infrastructures have become the major common architecture in the enterprise environment and CIOs have to adapt to the new world.
This survey, carried out by iSense Solutions, shows the main security concerns and issues they face. What cyber threats are companies not ready to handle?
What are the main concerns regarding the security management of hybrid infrastructures? Why do IT decision makers fear for their jobs?
Delivering Security and Performance in the Continuous Data Center
Enterprises are rapidly transforming how applications, services, and data are delivered and have brought tremendous transformation to enterprise cybersecurity. The changes brought by virtualization, public and private clouds, and the adoption of enterprise management practices such as DevOps are nothing short of astounding.
Unfortunately, when it comes to being both swift and nimble, cybersecurity efforts sometimes can get in the way—at least if they aren’t done right. To successfully secure the continuous data center, security must be continuous, manageable, and unobtrusive.
Bitdefender Hypervisor Introspection : détecter les attaques ciblées avec l’introspection de l‘hyperviseur
Découvrez dans ce document comment Bitdefender a développé une technologie capable de révéler une activité malveillante au sein des systèmes d’exploitation invités, au niveau de l’hyperviseur sous-jacent. Cette approche ne représente pas une simple évolution dans la sécurisation des charges de travail et des endpoints, on peut parler de révolution pour leur sécurité.
Hypervisor Introspection - A Revolutionary Approach to Targeted Attacks
Recent headlines about data breaches are clear – securing infrastructures against increasingly targeted attacks is imperative, yet traditional endpoint security tools are not closing the gap with attack technologies, let alone getting ahead of them.
A study conducted in February 2016 shows it takes companies an average of 5 months to detect a data breach. What’s more, 53% of them needed external investigators to discover them, as internal resources showed no signs of a breach.
Un point de vue sur la valeur réelle des protections contre les APT
Au cours des dernières années, un nouveau type de menace est devenu un sujet de prédilection chez les journalistes et les analystes en sécurité. Considérées comme étant les menaces les plus sophistiquées, les APT (Advanced Persistent Threats) rendent vulnérables les entreprises à des cas de cyber-espionnage et de vol de données.
Dans cet article nous allons passer en revue une à une les affirmations faites au sujet des APT, et les réfuter en utilisant des cas réels. Nous terminerons notre analyse par une série de questions que les entreprises devraient poser aux fournisseurs de solutions contre les APT, si elles souhaitent s’assurer qu'elles choisissent les bons produits pour répondre à leurs besoins.
Le nouvel acronyme IT : KISSME (Keep IT Security Simple, Manageable and Effective)
Les environnements informatiques ont évolué pour permettre aux utilisateurs d’être plus productifs et à l’IT d’être plus flexible. Dans le même temps, les attaquants ont eux aussi fait évoluer leurs méthodes, adoptant des malwares polymorphes pour échapper à la détection des contrôles préventifs. Par ailleurs, les DSI continuent de pratiquer une approche au coup par coup, réactive, de colmatage de brèches et cela met les entreprises dans une situation périlleuse.
Découvrez dans ce dossier technique :
- Les défis les plus significatifs auxquels doivent faire face les DSI
- Comment gérer la complexité de la sécurité informatique
- Quelles sont les techniques de sécurité pour faire face à des menaces de plus en plus sophistiquées
- Des données sur la cybersécurité en 2014 : augmentation des failles et des coûts, diminution de la confiance et des budgets
- Un rapport sur la pression subie par les professionnels de la sécurité informatique
- 10 éléments clés pour une paranoïa saine dans le cadre d’un rôle de leader de la sécurité de l’information
Les 11 questions les plus fréquentes sur les Botnets – et leurs réponses !
Ce livre blanc a pour vocation de répondre aux questions que vous vous posez sur les botnets. Au-delà des définitions d’un bot et d’un botnet, découvrez notamment :
- Quels sont les types d’actions que peut effectuer un bot
- Comment et pourquoi apparaît un botnet
- Comment un botnet est-il contrôlé
- Comment on enquête sur les botnets et comment ils sont détectés
-Si il est possible de bloquer les communications entre les bots avec des solutions d’analyse de trafic
The Impact of Virtualization Security on Your VDI Environment
VDI empowers employees and employers with many benefits, no matter the size of the organization. However, as with any environment, security should always play a pivotal role and should complement the business environment. With VDI it’s no different; security should be seamless, without any effect on the user experience.
The New IT Acronym KISSME: Keep IT Security Simple, Manageable, and Effective
IT has evolved immensely over the past decade, always adapting to become faster, more agile, and more efficient. Unfortunately, security threats have evolved as well, and are more stealthy, more intelligent, and more malicious than ever before.
Virtual machines in a cloud environment are as susceptible to nefarious exploitation – where sensitive data is highly valuable – as physical machines. The same exposure profile exists regardless of the underlying platform (traditional physical, virtualized, private cloud or public cloud). Although traditional security can be used in the cloud, it is neither built, nor optimized for the cloud.
Évoluer ou mourir : L’adaptation de la sécurité au monde virtuel
En juin 2011, le Conseil des normes de sécurité PCI (Payment Card Industry) a publié un supplément informatif attendu depuis très longtemps, qui complète la norme de sécurité des données (DSS) et qui se nomme PCI DSS Virtualization Guidelines. Ce guide collaboratif, réalisé par un groupe d’experts en sécurité et en conformité, regroupe des conseils à l’intention des équipes informatiques, en particulier des experts, pour procéder à l’évaluation des infrastructures virtualisées qui rentrent dans le champ d’application des obligations de mise en conformité des cartes de paiements. Deux parties essentielles de ce document se démarquent : la première présente les risques de la virtualisation ; la seconde formule des recommandations de contrôle.