Tuesday, June 14, 2016

To Russia with Love

Yes... we know it was "From Russia with Love", however, in this case it's a Post not a Get.  Say what?  Well... there is a malicious M$ Word document/macro that is on the loose currently.  As usual, the AV vendors are asleep at the wheel with only 2 of 57 solutions currently protecting our IT Assets:


Why are we so confident that McAfee and others are wrong?  This Forcepoint Sandbox Report proves that rather conclusively. 

OK, Ok, ok... why "To Russia..."?  Per below, the Dropper file performs an HTTP Post to a WWW site in Mother Russia.  This is an obvious outlier as most HTTP/S traffic is Get based rather than Post. 


Why would a Post occur rather than a Get?  Likely to send out your confidential information.  Question - do you have a Data Loss Prevention (DLP) solution monitoring those outbound Posts?  What if it was HTTPS vs HTTP?  Connect w/ESPO Systems for a free consultation.

No comments:

Post a Comment