Tuesday, June 14, 2016

To Russia with Love

Yes... we know it was "From Russia with Love", however, in this case it's a Post not a Get.  Say what?  Well... there is a malicious M$ Word document/macro that is on the loose currently.  As usual, the AV vendors are asleep at the wheel with only 2 of 57 solutions currently protecting our IT Assets:


Why are we so confident that McAfee and others are wrong?  This Forcepoint Sandbox Report proves that rather conclusively. 

OK, Ok, ok... why "To Russia..."?  Per below, the Dropper file performs an HTTP Post to a WWW site in Mother Russia.  This is an obvious outlier as most HTTP/S traffic is Get based rather than Post. 


Why would a Post occur rather than a Get?  Likely to send out your confidential information.  Question - do you have a Data Loss Prevention (DLP) solution monitoring those outbound Posts?  What if it was HTTPS vs HTTP?  Connect w/ESPO Systems for a free consultation.
Posted by at No comments:

Tuesday, May 31, 2016

Macro Malware on the Loose

Heads Up!  Another malicious MS Word file is on the loose with a very low detection rate.  Forcepoint File Sandbox Report here.

Note that only 3 of 57 Anti Virus Companies are properly detecting this malware:


Importantly, per below, note that a number of outbound HTTP Gets occur in which additional malware is downloaded:


Are you safe with old fashion URL Filtering?  Ummmm...nope.  Per below, this Russian Site is new (Uncategorized).  As such, you'll need a sophisticated anti-malware engine on your web proxy, ala Forcepoint's ACE Engine, to stop the 2nd stage of this attack:


Need more info about the Dridex Crew, who's targets have evolved from online banking credentials to this latest round of Locky Ransomware?  See the ESPO Systems Multimedia Portal here.
Posted by at No comments:

Wednesday, April 20, 2016

Symantec Misses on Dropper

A malicious Microsoft Word File w/associated macro is making its way across the Internet this morning.  How do we know?  Our Forcepoint Sandbox detected it... report here.

Unfortunately, and as is the case all too often, Symantec is not detecting this malware as proven by VirusTotal:


What makes us so certain that this file is indeed malicious?  Per below, it's pulling another file down via HTTP:


What does that prove you may ask?  Per below, that file is detected as another Dropper by our Forcepoint ACE Engine which is resident on our proxies:


In summary, AntiVirus is a commodity.  Do not buy into the pitch that it will solve your security problems.  Reduce your security spend on AV and insert Next Gen Security Solutions.  Call ESPO Systems for a free consultation/demonstration.

Posted by at No comments:

Tuesday, March 29, 2016

Control-as-a-Service (CaaS)

Anyone tired of hearing that the following architectures solve all the world's problems - SaaS, IaaS, Cloud?  Here's a novel concept, why don't we take "control" of our solutions, from a security perspective, and leave our fate in our own hands.  Case in point - MedStar Health:

- Per this Computerworld Article, MedStar was attacked over the weekend with the same ransomware that hit the Hollywood Presbyterian Medical Center in mid-February.  Per the report, the organization lost "control" of files and their system.  Does that sound like a potential HIPAA issue to you?

- Per this earlier ESPO Systems Blog, the Locky Ransomware is leveraging holes in our security controls.  To be precise, the malware authors know we dare not block Microsoft Attachments... even if they have malicious macros.  They also know AV Signatures are too slow to provide value.  As such, the only answer is Sandboxing... ala Forcepoint's Solution.

- So, you likely are asking, what does the MedStar Health Organization use to protect against these threats?  Well... they've bought into the Cloud Saves Everything dogma and have given "control" of their security to Google/Postini:



One final question, considering MedStar has given up "control" of their email security, is there much of a chance that outbound email is being monitored for PII or PHI?  It may be time to take back control of our security solutions.
Posted by at No comments:

Thursday, March 3, 2016

Comprehensive Threat Protection?

With the RSA Security Conference coming to a close, we suspect a lot of Security Pros are asking the same questions as us regarding all the dollars thrown at marketing, "really"?  That's not to say this intangible expense isn't needed.  If the products perform as advertised... we need to get-the-word-out.  However, when the marketing is nothing other than an attempt to obfuscate what is happening in the real word, as is the case currently with McAfee, it is our obligation to shed light on this.  Case in point:

McAfee is proclaiming to the world that they provide "Comprehensive Threat Protection"


However, as is often the case, malware is currently propagating across the internet via Microsoft Word Documents with Malicious Macros in which McAfee is not providing the protection their Mkting Dept claims.  Per below, only 3 of 55 AV Engines currently find a problem with this file:


Need further proof that the file is indeed malicious?  Note that files are dropped locally, processes are affected and outbound HTTP calls to Mother Russia are occurring:


In summary, and as is often stated on this blog, AV is a commodity.  Improve your security posture by implementing Next Gen Solutions with the cost savings found by reducing your spend on AV.

Posted by at No comments:

Friday, February 26, 2016

Malicious Excel File

Around 7:30amCST an Excel Spreadsheet w/macro began propagating across the Internet.  If you trust your security to the Anti Virus Vendors, you're likely sipping on a cup of coffee expecting to have an easy day heading into the weekend... as neither McAfee nor Symantec are currently detecting a problem:


However, per this Forcepoint File Sandbox Report, your day is about to change as this file is indeed malicious.  Per the report, it attempts to modify 21 Files, 2 Processes and 412 Registry Entries.  If that isn't bad enough, this Dropper File will also communicate to sites in Russia and Vietnam to pull down additional malware:


Additionally, if you've entrusted your Web Security to Cisco Ironport and are hoping the phone home to uggs-fashion.ru is blocked... you'll be disappointed.  Per below, the site name implies it's a fashion site, and, the Senderbase Reputation System unfortunately agrees:


In summary, security is moving far too fast to rely upon AV Signatures.  Contact ESPO Systems for a free consultation regarding how you can protect your IT Assets across the entire Kill Chain.
Posted by at 2 comments:

Thursday, February 18, 2016

Locky Ransomware on the Loose

It appears the Dridex Crew has expanded their Cyber Crime Portfolio from the stealing of login credentials to your favorite Financial Institution... to Ransomware.  Case in point:

- M$ Word Documents with malicious macros are being distributed via email attachments (sound familiar).

First Question - Will your users allow you to block all inbound Microsoft Word attachments?  Likely not...

Second Question - Are your spam prevention techniques 100% effective?  Ummm... no.

Third Question - Should we therefore feel confident that your Anti Virus Solution has your back and will detect the file at the gateway or desktop?  PLEASE!!!

- Thankfully, the Forcepoint File Sandboxing feature will detect this Ransomware.  On the other hand, if you are using an inferior solution, you are likely seeing Help Desk Tickets describe something looking like this:


- Anyone care to know the current AV Detection Rate?  Currently only 5 of 54 AV Engines are detecting the file properly.  How long do you think it will take before McAfee and Symantec get their act together?



In summary, this is the same crew who took down the Hollywood Presbyterian Medical Center over the weekend.  Do you wish to stay out of the news?  Need help from an organization who performed over 600 Security Projects in 2015??  Contact ESPO Systems here.

Posted by at 1 comment:
Subscribe to: Comments (Atom)