threat research


A look back and forward for our 2017 Cybersecurity Predictions. Threats are compounding at digital speeds, while resolutions, like manufacturers building security safeguards into their products, are proceeding at a snail’s pace. We need to start building security into tools and systems on day zero. We need alignment on ways to effectively see and combat new cybercrime. And we need to adopt integrated, collaborative, and automated procedures and technologies end to end to help us see and protect resources. [Read More]
by RSS Derek Manky  |  Aug 08, 2017  |  Filed in: Industry Trends
This blog post is a summary of SSTIC, a major infosec conference held in France. As usual, this year’s conference came with excellent presentations. The sessions have been recorded, and the papers are available on the website, although most of the content is in French. For a detailed wrap-up of SSTIC, please read @xme: Day 1 Day 2 Day 3 SSTIC is one of the few IT conferences which (1) ask authors to submit full papers, (2) from which you return with information or tools to work on, and (3) whose presentations are mostly... [Read More]
by RSS Axelle Apvrille  |  Jul 04, 2017  |  Filed in: Industry Trends
As human beings, we are continually looking for knowledge or information to help improve any situation. If we live or work in a crowded city, for example, we want to know which routes are best to avoid getting stuck in traffic. When we enter a restaurant or movie theater we look for the exits. And when suspicious looking person enters the room, part of our mind automatically keeps track of him. This behavior is known as situational awareness, and it’s second nature to most of us. But while such behavior often occurs in our everyday... [Read More]
by RSS Anthony Giandomenico  |  Jun 27, 2017  |  Filed in: Industry Trends
Summary In December 2016, FortiGuard Labs discovered and reported a WINS Server remote memory corruption vulnerability in Microsoft Windows Server. In June of 2017, Microsoft replied to FortiGuard Labs, saying, "a fix would require a complete overhaul of the code to be considered comprehensive. The functionality provided by WINS was replaced by DNS and Microsoft has advised customers to migrate away from it." That is, Microsoft will not be patching this vulnerability due to the amount of work that would be required. Instead, Microsoft... [Read More]
by RSS Honggang Ren  |  Jun 14, 2017  |  Filed in: Security Research
The recent WannaCry attack was interesting for a couple of reasons. First, the speed and scale of the attack was impressive. Over the course of a couple of days, hundreds of thousands of systems were affected and disrupted. Second, it also unveiled a disturbing trend. The attack malware exploited a known vulnerability that not only had been revealed through the highly public release of stolen cyber tools, but Microsoft had also released a patch for the targeted vulnerability over two months before. Which means that the scale of the attack was... [Read More]
by RSS Derek Manky  |  Jun 14, 2017  |  Filed in: Industry Trends
A major challenge facing security vendors today is that most solutions and products are developed based on knowledge of previous threats that already exist. This makes many security solutions reactive by their very design, which is not a tenable strategy for facing the volume of new attacks and strategies arising today. This arms race of identifying new threats, then reacting has been the primary strategy since the dawn of malware: A new virus is identified and then security vendors write the antivirus signature to block it; a polymorphic virus... [Read More]
by RSS Douglas Jose Pereira  |  May 23, 2017  |  Filed in: Security Research
A Windows 2003 RDP Zero Day Exploit In this blog, the FortiGuard team takes a look at Esteemaudit, which is an exploit that was included in the set of cybertools leaked by the hacker group known as "Shadow Brokers." They claim that they collected this set of cybertools from the compromised data of "Equation Group," a threat actor alleged to be tied to the United States National Security Agency (NSA). Esteemaudit is a Remote Desktop Protocol (RDP) exploit that targets Microsoft Windows Server 2003 / Windows XP. The vulnerability... [Read More]
by RSS Dehui Yin  |  May 11, 2017  |  Filed in: Security Research
This is the second part of FortiGuard Labs’ deep analysis of the new Emotet variant. In the first part of the analysis we demonstrated that by bypassing the server-side Anti-Debug or Anti-Analysis technique we could download three or four modules (.dll files) from the C&C server. In that first blog we only analyzed one module (I named it ‘module2’). In this blog, we’ll review how the other modules work. Here we go. [Read More]
by RSS Xiaopeng Zhang  |  May 09, 2017  |  Filed in: Security Research
Background Last week, FortiGuard Labs captured a JS file that functions as a malware downloader to spread a new variant of the Emotet Trojan. Its original file name is Invoice__779__Apr___25___2017___lang___gb___GB779.js.  A JS file, as you may be aware, is a JavaScript file that can be executed by a Window Script Host (wscript.exe) simply by double-clicking on it. In this blog we will analyze how this new malware works by walking through it step by step in chronological order. A JS file used to spread malware The original JS code... [Read More]
by RSS Xiaopeng Zhang  |  May 03, 2017  |  Filed in: Security Research
The Bricker bot made the news a couple of weeks ago as being responsible for knocking unsecured IoT devices offline, rather than hijacking them into other botnets and using them for a DDoS attack like the massive event we saw last year against DYN. This is the third botnet that targets insecure IoT devices, but the only one that is destructive. The second, dubbed Hajime, breaks the into IoT devices, but instead of bricking them, it makes them more secure by disabling remote access to the device from the internet. Of course, Mirai was the first,... [Read More]
by RSS Douglas Jose Pereira dos Santos  |  May 02, 2017  |  Filed in: Security Research