Security Research


I discovered and reported multiple critical zero-day vulnerabilities in Adobe Flash Player last November. This Tuesday, Adobe released a security patch which fixed them. [Read More]
by RSS Kai Lu  |  Feb 19, 2017  |  Filed in: Security Research
At the end of last year, a critical vulnerability in PHPMailer that affected millions of websites – CVE-2016-10033 -  was discovered by Polish security researcher Dawid. This vulnerability allows an attacker to compromise the target’s web application by executing remote code on the vulnerable web server. There are numerous open source web applications that use PHPMailer as their main library for sending emails, including WordPress, Joomla, Yii, SugarCRM… More than a month after PHPMailer released a patch for this critical... [Read More]
by RSS Tien Phan   |  Feb 16, 2017  |  Filed in: Security Research
Given the popularity and success of ransomware, it is no surprise that malware authors have been developing more ransomware than ever before. Last year’s cost of ransomware attacks reached $1 billion, which not only shows how this affects businesses, but for cybercriminals the potential pay-out for cyber-extortion can be very lucrative. The rise of ransomware infections may also be attributed to the attractiveness growing availability of Ransomware-as-a-Service (Raas). Ransomware authors posts are now developing user-friendly... [Read More]
by RSS Rommel Joven  |  Feb 16, 2017  |  Filed in: Security Research
Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time. This article demonstrates how this commercialized RAT is being used in an attack, and what its latest version (v1.7.3) is capable of doing. Remcos is currently being sold from $58 to $389, depending on the license period and the maximum number of masters or clients... [Read More]
by RSS Floser Bacurio and Joie Salvio  |  Feb 14, 2017  |  Filed in: Security Research
Domain Name System Security Extensions (DNSSEC) secures the Domain Name System (DNS), right? Yes, but that’s not the whole story. DNSSEC can also introduce troubles into your DNS server. Recently, a BIND bug caused by a missing RRSIG record, which is a part of DNSSEC, was fixed by a patch from the Internet Systems Consortium (ISC). This bug affects all versions of BIND recursive servers, and can cause a denial of service (DoS.) This potential DoS vulnerability is caused by a RUNTIME CHECK error in Resolver.c when handling the DNS... [Read More]
by RSS Dehui Yin  |  Feb 06, 2017  |  Filed in: Security Research
Every year during holiday seasons, the number of phishing websites increases. This is particularly true for online gaming distribution platforms. In some cases, users not only have their login credentials stolen, but they also end up downloading and executing malicious executables. As expected, the more popular a platform is, the more targeted it will be, which is why this research blog focuses on two malware samples obtained from fake Origin and Steam websites. Figure 1. Fake Origin phishing website Origin Malware Sample In addition... [Read More]
by RSS Lilia Elena Gonzalez Medina  |  Feb 06, 2017  |  Filed in: Security Research
Sage 2.0 is the new kid on an already crowded block of ransomware, demanding hefty ransom of 2.22188 bitcoins (roughly 2000 USD) per infection. We have recently begun seeing this malware being distributed by the same malicious spam campaigns that serve better-known ransomware families, such as Cerber and Locky. In this article we will take a closer look at some notable characteristics of this new threat, and provide some simple ways to mitigate it. Spam Campaign Sage ransomware has been seen spreading through the usual spam email channels... [Read More]
by RSS Floser Bacurio, Joie Salvio, Rommel Joven  |  Feb 02, 2017  |  Filed in: Security Research
Since its discovery in early 2016, we have tracked a number variations of Petya, a ransomware variant famous for multi-stage encryption that not only locks your computer, but also overwrites the Master Boot Record. Petya continues to persist, and in this blog we will take a deeper look at its more complex second stage of attack. Petya overwrites the Master Boot Record (MBR), along with its neighboring sectors using its boot code and a small kernel code. The MBR contains the master boot code, the partition table,... [Read More]
by RSS Raul Alvarez  |  Feb 01, 2017  |  Filed in: Security Research
FortiGuard is currently investigating a new wave of attacks targeting kingdom of Saudi Arabia organizations that use an updated version of the Shamoon malware (also known as DistTrack.) We described this malware in detail a few months ago in a previous article. The key features of that version remain the same, yet some voluntary changes are taking place: Images used. Shamoon still overwrites files with an image of the drowned Syrian toddler Alan Kurdi, but this time the picture size is different. In November 2016 it was using a picture... [Read More]
by RSS Artem Semenchenko  |  Jan 30, 2017  |  Filed in: Security Research
Summary Last year, I discovered and reported two Cross-Site Scripting (XSS) vulnerabilities in IBM’s Infosphere BigInsights. This week, IBM released a security bulletin which contains the fix for these vulnerabilities. CVE numbers CVE-2016-2924 and CVE-2016-2992 are assigned to them respectively. InfoSphere BigInsights is an analytics platform for analyzing massive volumes of unconventional data in its native format. The software enables advanced analysis and modeling of diverse data, and supports structured, semi-structured, and unstructured... [Read More]
by RSS Honggang Ren  |  Jan 27, 2017  |  Filed in: Security Research
Tags: