Security Research


Fortinet has partnered with INTERPOL over the past two years to assist in identifying and thwarting cybercrime. Today, INTERPOL announced that a new operation across the ASEAN region, built around threat intelligence provided by Fortinet and other public and private sector security organizations, has resulted in the identification of nearly 9,000 Command and Control (C2) servers and hundreds of compromised websites, including government portals. [Read More]
by RSS Bill McGee  |  Apr 24, 2017  |  Filed in: Security Research
Summary On March 24 2017, I discovered and reported on a remote password change vulnerability in Hewlett-Packard Enterprise’s (HPE) Vertica Analytic Database. This week, HPE released Security Bulletin HPESBGN03734, which contains the fix for this vulnerability and identifies it as CVE-2017-5802. Fueled by ever-growing volumes of Big Data found in many corporations and government agencies, HPE’s Vertica Analytics Platform provides an SQL analytics solution built from the ground up to handle massive volumes of data and delivers blazingly... [Read More]
by RSS Honggang Ren  |  Apr 20, 2017  |  Filed in: Security Research
FortiGuard Labs has put together answers to some of the most frequently asked questions you may have about the new emerging technology called WebAssembly (WA). What is WebAssembly? WebAssembly is a low-level, portable, binary format for the web that aims to speed up web apps. It is designed to parse faster (up to 20X), and execute faster than JavaScript (JS). When was it announced? The WebAssembly Community Group was created in April 2015, with the mission of “promoting early-stage cross-browser collaboration on a new, portable,... [Read More]
by RSS David Maciejak  |  Apr 13, 2017  |  Filed in: Security Research
In every country and region in the world, tax season is also a time when we see a spike in scams, phishing, and targeted malware. The tax return season in the US is coming to the end. Have you filed your tax return yet? Did you receive any notifications from the IRS (the Internal Revenue Service) in your email?  We did, but not from the real IRS. (Remember, the IRS never communicates important information with taxpayers by email.) FortiGuard Labs recently collected a number of malware samples related to the current tax season in the US.... [Read More]
by RSS Xiaopeng Zhang  |  Apr 13, 2017  |  Filed in: Security Research
During the process of analyzing android malware, we usually meet some APK samples which hide or encrypt their main logic code.  Only at some point does the actual code exist in the memory, so we need to find the right time to extract it.  In this blog, I present a case study on how to repair a DEX file in which some key methods are erased with NOPs and decrypted dynamically when ready to be executed. Note: All the following analysis is based on android-4.4.2_r1(KOT49H). Let’s start our journey! First, I open the classes.dex... [Read More]
by RSS Kai Lu  |  Apr 05, 2017  |  Filed in: Security Research
In part 1 of FortiGuard Labs’ analysis of a new variant of the BADNEWS backdoor, which is actively being used in the MONSOON APT campaign, we did a deep technical analysis of what this backdoor of capable of and how the bad guys control it using the command and control server. In this part of the analysis, we will try to discover who might be behind the distribution of these files. [Read More]
by RSS Jasper Manuel and Artem Semenchenko  |  Apr 05, 2017  |  Filed in: Security Research
Three weeks ago, FortiGuard Labs, along with @_ddoxer (Roland de la Paz), using VirusTotal Intelligence queries, spotted a document with the politically themed file name (Senate_panel.doc). This malicious RTF file takes advantage of the vulnerability CVE-2015-1641. [Read More]
by RSS Jasper Manuel and Artem Semenchenko  |  Apr 05, 2017  |  Filed in: Security Research
In the blog we posted on March 22, FortiGuard Labs introduced a new Word Macro malware sample that targets both Apple Mac OS X and Microsoft Windows. After deeper investigation of this malware sample, we can confirm that after a successful infection the post-exploitation agent Meterpreter is run on the infected Mac OS X or Windows system. Meterpreter is part of the Metasploit framework. More information about Meterpreter can be found here. For this to work, the attacker’s server must be running Metasploit as the controller to control the... [Read More]
by RSS Chris Navarrete & Xiaopeng Zhang  |  Mar 29, 2017  |  Filed in: Security Research
Today, Fortinet released our quarterly Threat Landscape Report for Q4 of 2016. The data in it was drawn from millions of security devices located around the world that analyze up to 50 billion threats a day. Which means that the conclusions and trends detailed in this report are based on over a trillion security events that occurred between Oct 1 and Dec 31, 2016. [Read More]
by RSS Derek Manky  |  Mar 28, 2017  |  Filed in: Security Research
A monthly review of some of the previous month's most interesting security research publications [Read More]
by RSS Axelle Apvrille  |  Mar 24, 2017  |  Filed in: Security Research