Cyentia Cybersecurity Research Library

Attack Campaign

Below you will find reports with the tag of “Attack Campaign”


You've Been Phished, Again! Solution: Eliminate the Click-it Temptation

From the report, “In this SPIE, we shine a spotlight on the phishing prevention approaches of one start-up company, Area 1 Security; and one long-tenured cybersecurity vendor, IBM. Although complete elimination cannot be promised, each is taking steps that reduce the potential of their business clients (Area 1’s Horizon) and their clients’ clients (IBM Trusteer Rapport) from becoming victims. Secondarily, by removing the burden of phishing defense from employees and consumers, employees’ productivity is positively affected, and consumers’ trust in online activities is strengthened.”

Added: February 5, 2019

Minerva Labs 2018 Year In Review: The Year Fileless Malware Became The Norm

By the end of this report, you’ll have a better understanding of today’s approaches to evading detection tools and the trajectory of evasion into the next year. This way, you’ll have a better sense regarding your endpoint security architecture and your plans for maintaining or improving its effectiveness.

Added: February 5, 2019

Q2 2018 DataVisor Fraud Index Report

The DataVisor Fraud Index Report Q2 2018 is based on attacks that were detected by the DataVisor UML Engine from April through June 2018, with additional recent attack trend data. This report provides unprecedented insights into the evolving attack trends and characteristics of fraud attacks across a number of industries, including social platforms, e-commerce, financial services, and mobile gaming.

Added: February 5, 2019

Q1 2018 Datavisor Fraud Index Report

The DataVisor Fraud Index Report: Q1 2018 is based on attacks that were detected by the DataVisor UML Engine from January through March of 2018, analyzing 40 billion events and 680 million user accounts. This report provides unprecedented insights into the attack techniques that bad actors use to engage in malicious activities and evade detection.

Added: February 5, 2019

The State of Phishing

From the report, “The large-scale attacks and disastrous outcomes in this paper underscore the fact that targeted phishing is the overwhelming cause of nearly all breaches. Phishing attacks cost companies an incalculable amount of money, prestige, goodwill, confidential data, and competitive advantage, as well as brand identity and integrity. The Verizon Data Breach Investigations report supports the overwhelming impact of phishing, which targets businesses consistently across email, web, and network traffic. Siloed approaches lead only to siloed and ineffective protection. Partial, reactive defenses such as employee education, perimeter protection, and spam filtering simply don’t work against today’s phishing threats.”

Added: February 5, 2019

APT Group Profile: OilRig

This report offers insight into OilRig, an Iranian-linked Advanced Persistent Threat. It discusses who they are and why you should care.

Added: January 25, 2019

The Q3 2018 Mobile Threat Landscape Report

RiskIQ uses its repository of scanned mobile application stores to perform analysis on threat trends in the mobile application space. Q3 showed a nearly 220 percent increase in blocklisted apps over Q2. Due to a surge in total apps observed, the percentage of blocklisted apps dropped from 4% in Q2 to 3% in Q3.

Added: January 25, 2019

The Rise Of State-Sponsored Attacks Against The Financial Services Industry

This report posits that state-sponsored cybercrime is the fastest growing threat in cybersecurity. The authors discuss how state-sponsored groups have usually attacked other governments and militaries, but in the last few years they have started to see more activity directed towards the financial sector.

Added: January 25, 2019

Threat Intelligence: Cybersecurity's Best Kept Secret

The goal of this white paper is to bring clarity to cyber threat intelligence. It explains the different categories of CTI and discusses some use cases to illustrate ways it can be applied and utilized to augment security teams’ efficiency and gain an edge over the attackers. Finally, it discusses CrowdStrike’s approach to threat intelligence.

Added: January 1, 2019

Operation Sharpshooter

This report takes a look at a new global campaign targeting nuclear, defense, energy, and financial companies.

Added: December 29, 2018

Cobalt Group

Fidelis Threat Research analysts have discovered a new version of ThreadKit, malware notorious for its use by the cybercrime organization known as Cobalt Group. This report provides analysis of a recent campaign, seen October 30th, utilizing the Cobalt Group malware frameworks. Cobalt Group was believed to have suffered a hit earlier this year[1] with the reported arrest of one of its members. After the arrest, the campaigns appear to have slowed significantly; despite this, however, there has been continued development of the group's malware framework.

Added: December 14, 2018

Bad Rabbit: New Ransomware Wracking havoc

This paper provides information on Bad Rabbit, a new ransomware roving the internet.

Added: December 5, 2018

Cyber Threat Profile: Democratic People's Republic of Korea (DPRK)

This report offers insight into the cybersecurity landscape of the Democratic People's Republic of Korea.

Added: November 29, 2018

Closing The Gap On Breach Readiness

This e-book contains insights on breach readiness, response and resiliency based on in-depth interviews conducted with the Security for Business Innovation Council (SBIC). The SBIC is comprised of forward-thinking security executives from Global 1000 enterprises committed to advancing the state of information security worldwide by sharing insights from their real-world experience.

Added: November 27, 2018

APT Targets Financial Analysts with CVE-2017-0199

On April 20, Proofpoint observed a targeted campaign focused on financial analysts working at top global financial firms operating in Russia and neighboring countries. These analysts were linked by their coverage of the telecommunications industry, making this targeting very similar to, and likely a continuation of, activity described in our “In Pursuit of Optical Fibers and Troop Intel” blog. This time, however, attackers opportunistically used spearphishing emails with a Microsoft Word attachment exploiting the recently patched CVE-2017-0199 to deploy the ZeroT Trojan, which in turn downloaded the PlugX Remote Access Trojan (RAT). Proofpoint is tracking this attacker, believed to operate out of China, as TA459. The actor typically targets Central Asian countries, Russia, Belarus, Mongolia, and others. TA459 possesses a diverse malware arsenal including PlugX, NetTraveler, and ZeroT. [1][2][3] In this blog, we also document other 2017 activity so far by this attack group, including their distribution of ZeroT malware and secondary payloads PCrat/Gh0st.

Added: November 15, 2018

Tracking Subaat: Targeted Phishing Attack Leads to Threat Actor’s Repository

In mid-July, Palo Alto Networks Unit 42 identified a small targeted phishing campaign aimed at a government organization. While tracking the activities of this campaign, we identified a repository of additional malware, including a web server that was used to host the payloads used for both this attack as well as others. We’ll discuss how we discovered it, as well as possible attribution towards the individual behind these attacks.

Added: November 15, 2018

Threat Actors Target Government of Belarus Using CMSTAR Trojan

Palo Alto Networks Unit 42 has identified a series of phishing emails containing updated versions of the previously discussed CMSTAR malware family targeting various government entities in the country of Belarus. We first reported on CMSTAR in spear phishing attacks in spring of 2015 and later in 2016. In this latest campaign, we observed a total of 20 unique emails between June and August of this year that included two new variants of the CMSTAR Downloader. We also discovered two previously unknown payloads. These payloads contained backdoors that we have named BYEBY and PYLOT respectively.

Added: November 15, 2018

The Blockbuster Sequel

Unit 42 has identified malware with recent compilation and distribution timestamps that has code, infrastructure, and themes overlapping with threats described previously in the Operation Blockbuster report, written by researchers at Novetta. This report details the activities from a group they named Lazarus, their tools, and the techniques they use to infiltrate computer networks. The Lazarus group is tied to the 2014 attack on Sony Pictures Entertainment and the 2013 DarkSeoul attacks. This recently identified activity is targeting Korean speaking individuals, while the threat actors behind the attack likely speak both Korean and English. This blog will detail the recently discovered samples, their functionality, and their ties to the threat group behind Operation Blockbuster.

Added: November 15, 2018

OilRig Deploys "ALMA Communicator" – DNS Tunneling Trojan

Unit 42 has been closely tracking the OilRig threat group since May 2016. One technique we’ve been tracking with this threat group is their use of the Clayslide delivery document as attachments to spear-phishing emails in attacks since May 2016. In our April 2017 posting, OilRig Actors Provide a Glimpse into Development and Testing Efforts, we showed how we observed the OilRig threat group developing and refining these Clayslide delivery documents.

Added: November 15, 2018

Magic Hound Campaign Attacks Saudi Targets

Unit 42 has discovered a persistent attack campaign operating primarily in the Middle East dating back to at least mid-2016 which we have named Magic Hound. This appears to be an attack campaign focused on espionage. We were able to collect over fifty samples of the tools used by the Magic Hound campaign using the AutoFocus threat intelligence tool. The earliest malware sample we were able to collect had a compile timestamp in May 2016. The samples themselves ranged from IRC bots, an open source Python remote access tool, malicious macros, and others. It is believed the use of specific tools may have coincided with specific attack waves by this adversary, with the most recent attacks using weaponized Microsoft Office documents with malicious macros. Due to the large amount of data collected, and limitations on attack telemetry, this blog will focus primarily on the most recent attacks occurring in the latter half of 2016.

Added: November 15, 2018

FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings

In late February 2017, FireEye as a Service (FaaS) identified a spear phishing campaign that appeared to be targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. Based on multiple identified overlaps in infrastructure and the use of similar tools, tactics, and procedures (TTPs), we have high confidence that this campaign is associated with the financially motivated threat group tracked by FireEye as FIN7.

Added: November 15, 2018
© Cyentia Institute 2025
Library updated: June 21, 2025 12:08 UTC (build b1d7be4)