In a recent episode of McAfee’s SOCwise Series, guest security expert Chris Crowley revealed findings of his recent survey of security efforts within SOCs. His questions were designed to gain insight into all things SOC, including how SOCs can accomplish their full potential and how they assess their ability to keep up with security technology.
Hosts Ismael Valenzuela and Michael Leland tapped into Chris’ security operations expertise as he told “A Tale of Two SOCs.”
“Chris has a tremendous experience in security operations,” Ismael said. “I always like people who have experience both in the offensive side and the defensive side. Think red, act blue, right? . . . but I think that’s very important for SOCs. Where does ‘A Tale of Two SOCs’ come from?”
In reference to the Charles Dickens’ classic, Chris explained how survey responses fell into two categories: SOCs that had management support or those that did not.
“It’s not just this idea of does management support us. It’s are we effectively aligned with the organization?” Chris said. “And I think that is manifest in the perception of management support of not management support, right? So, I think when people working in a SOC have the sense that they’re doing good things for the organization, their perceptions is that the management is supporting them.”
In this case, Chris explains “A Tale of Two SOCs” also relates to the compliance SOC versus the real security SOC.
“A lot of it has to do with what are the goals when management set up to fund the SOC, right? Maybe the compliance SOC versus the SOC that’s focused on the security outcomes on defending, right? There are some organizations that are funding for basic compliance,” Chris said. [If the] law says we have to do this, we’re doing that. We’re not really going to invest in your training and your understanding and your comprehension. We’re not going to hire really great analysts. We’re just going to buy the tools that we need to buy. We’re going to buy some people to look at monitors and that’s kind of the end of it.”
One of the easiest and telling methods of assessing where an SOC sees itself in this tale is having conversations with staff. Chris recommends asking staff if they feel aligned with management and do they feel empowered?
“If you feel like you’re being turned into a robot and you pick stuff from here and drop it over there, you’re probably in a place where management doesn’t really support you. Because they’re not using the human being’s capability of synthesis of information and that notion of driving consensus and making things work,” Chris said. “They’re looking more for people who are replaceable to put the bits in the bucket and move through.”
Chris shared other survey takeaways including how SOCs gauge their value, metrics and tools.
The survey included hypotheses designed to measure how organizations classify the value of a SOC:
“This showed that as SOC teams met the challenge of skilled staffing, they moved on to their next order of task: Let’s make the computers compute well,” Chris said.
Ismael asked about the tendency for some SOC management not to report any metrics, and those that simply reported number of incidents not reporting the right metrics. Chris reported that most people said they do provide metrics, but a still–surprising number of people said that they don’t provide metrics at all.
Here’s the breakdown of how respondents answered, “Do you provide metrics to your management?”
That roughly a third of respondents either do not report metrics or don’t know if they report metrics was telling to the survey’s author.
“In which case [metrics] obviously don’t have a central place of importance for your SOC,” Chris said.
Regarding the most frequently used metric – number of incidents – Chris speculated that several SOCs he surveyed are attempting to meet a metric goal of zero incidents, even if it means they’re likely not getting a true reading of their cyber security effectiveness.
“You’re allowed to have zero incidents in the environment. And if you consistently meet that then you’re consistently doing a great job,” Chris said. “Which is insane to me, right? Because we want to have the right number of incidents. If you actually have a cyber security problem … you should want to know about it, okay?
Among the group of respondents who said their most common metric is informational, the desired information from their “zero incidents” metrics doesn’t actually have much bearing on the performance or the value of what the SOC is doing.
“The metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org,” Chris said. “And at that point you have something you can show to get more funding and more support right over time.”
Chris suggests better use of metrics can truly depict the value that the SOC is providing the organization and justify the desired support it seeks.
“One which I like, which is not an easy metric to develop is actually loss prevention. If I can actually depict quantitatively, which it will not be precise, there will be some speculation in that,” Chris said. “But if I can depict quantitatively what the SOC did this month, or quarter where our efforts actually prevented or intervened in things which were going wrong and we stopped damage that’s loss prevention, right? That’s what the SOC is there for, right? If I just report, we had 13 incidents there’s not a lot of demonstration of value in that. And so always the metrics tend to be focused on what can we easily show as opposed to what truly depicts the value that the SOC has been providing for the org. “
Michael steered the discussion to the value discussion around incident metrics and their relationship with SOC capacity. How many incidents can you handle? Is it a tools issue or a people issue or a combination of both? Chris’ study also revealed a subset of tools that respondents more frequently leveraged and added value to delivery of higher capacity of incident closure.
One question on the survey asked, “Do you use it?
“Not whether you like it or not, but do you use it? And do you use it in a way where you have full coverage or partial coverage? Because another thing about technology, and this is kind of a dirty secret in technology applications, is a lot of people buy it but actually never get it deployed fully,” Chris said.
His survey allowed respondents to reveal their most-used technologies and to grade tools.
The most common used technologies reported in the survey were:
Tools receiving the most A grades:
Tools receiving the most F grades:
Chris pointed out that the reasoning behind the F grades may be less a case of failing and more a case of not meeting their full potential.
“Some of these are newer in this space and some of them just feel like they’re failures for people” Chris said. “Now, whether they’re technology failures or not this is what people are reporting that they don’t like in terms of the tech.”
For more findings read or download Chris Crowley’s 2020 survey here.
Watch this entire episode of SOCwise below.
The post SOCwise Series: A Tale of Two SOCs with Chris Crowley appeared first on McAfee Blogs.
A new wave of fraudulent apps has made its way to the Google Play store, targeting Android users in Southwest Asia and the Arabian Peninsula as well—to the tune of more than 700,000 downloads before detection by McAfee Mobile Research and co-operation with Google to remove the apps.
Figure 1. Infected Apps on Google Play
Posing as photo editors, wallpapers, puzzles, keyboard skins, and other camera-related apps, the malware embedded in these fraudulent apps hijack SMS message notifications and then make unauthorized purchases. While apps go through a review process to ensure that they are legitimate, these fraudulent apps made their way into the store by submitting a clean version of the app for review and then introducing the malicious code via updates to the app later.
Figure 2. Negative reviews on Google Play
McAfee Mobile Security detects this threat as Android/Etinu and alerts mobile users if they are present. The McAfee Mobile Research team continues to monitor this threat and is likewise continuing its co-operation with Google to remove these and other malicious applications on Google Play.
In terms of details, the malware embedded in these apps takes advantage of dynamic code loading. Encrypted payloads of malware appear in the assets folder associated with the app, using names such as “cache.bin,” “settings.bin,” “data.droid,” or seemingly innocuous “.png” files, as illustrated below.
Figure 3. Encrypted resource sneaked into the assets folder
Figure 4. Decryption flow
The figure above shows the decryption flow. Firstly, the hidden malicious code in the main .apk opens “1.png” file in the assets folder, decrypts it to “loader.dex,” and then loads the dropped .dex. The “1.png” is encrypted using RC4 with the package name as the key. The first payload creates HTTP POST request to the C2 server.
Interestingly, this malware uses key management servers. It requests keys from the servers for the AES encrypted second payload, “2.png”. And the server returns the key as the “s” value of JSON. Also, this malware has self-update function. When the server responds “URL” value, the content in the URL is used instead of “2.png”. However, servers do not always respond to the request or return the secret key.
Figure 5. Updated payload response
As always, the most malicious functions reveal themselves in the final stage. The malware hijacks the Notification Listener to steal incoming SMS messages like Android Joker malware does, without the SMS read permission. Like a chain system, the malware then passes the notification object to the final stage. When the notification has arisen from the default SMS package, the message is finally sent out using WebView JavaScript Interface.
Figure 6. Notification delivery flow
As a result of our additional investigation on C2 servers, following information was found, including carrier, phone number, SMS message, IP address, country, network status, and so forth—along with auto-renewing subscriptions:
Figure 7. Leaked data
We expect that threats which take advantage of Notification Listener will continue to flourish. The McAfee Mobile Research team continues to monitor these threats and protect customers by analyzing potential malware and working with app stores to remove it. Further, using McAfee Mobile Security can detect such threats and protect you from them via its regular updates. However, it’s important to pay attention to apps that request SMS-related permissions and Notification Listener permissions. Simply put, legitimate photo and wallpaper apps simply won’t ask for those because they’re not necessary for such apps to run. If a request seems suspicious, don’t allow it.
MITRE ATT&CK Matrix
08C4F705D5A7C9DC7C05EDEE3FCAD12F345A6EE6832D54B758E57394292BA651 | com.studio.keypaper2021 |
CC2DEFEF5A14F9B4B9F27CC9F5BBB0D2FC8A729A2F4EBA20010E81A362D5560C | com.pip.editor.camera |
007587C4A84D18592BF4EF7AD828D5AAA7D50CADBBF8B0892590DB48CCA7487E | org.my.favorites.up.keypaper |
08FA33BC138FE4835C15E45D1C1D5A81094E156EEF28D02EA8910D5F8E44D4B8 | com.super.color.hairdryer |
9E688A36F02DD1B1A9AE4A5C94C1335B14D1B0B1C8901EC8C986B4390E95E760 | com.ce1ab3.app.photo.editor |
018B705E8577F065AC6F0EDE5A8A1622820B6AEAC77D0284852CEAECF8D8460C | com.hit.camera.pip |
0E2ACCFA47B782B062CC324704C1F999796F5045D9753423CF7238FE4CABBFA8 | com.daynight.keyboard.wallpaper |
50D498755486D3739BE5D2292A51C7C3D0ADA6D1A37C89B669A601A324794B06 | com.super.star.ringtones |
d37i64jgpubcy4.cloudfront.net
d1ag96m0hzoks5.cloudfront.net
dospxvsfnk8s8.cloudfront.net
d45wejayb5ly8.cloudfront.net
d3u41fvcv6mjph.cloudfront.net
d3puvb2n8wcn2r.cloudfront.net
d8fkjd2z9mouq.cloudfront.net
d22g8hm4svq46j.cloudfront.net
d3i3wvt6f8lwyr.cloudfront.net
d1w5drh895wnkz.cloudfront.net
The post Clever Billing Fraud Applications on Google Play: Etinu appeared first on McAfee Blogs.
After experiencing a health scare that changed his life, VP of Technology Services, Paul, vowed to make incremental changes by incorporating four important health pledges into his daily routine.
Hear Paul’s life-changing story, how his diagnosis impacted his outlook on prioritizing his physical and mental health, and how he describes McAfee’s role in empowering him and others to follow their own wellness goals.
“To the leadership team and colleagues around me, thank you for giving me the time, space and flexibility to recover. The fact that we can 100% check out and focus on our wellbeing is paramount. At McAfee, that’s in our culture and our spirit.”
Here are Paul’s recommendations of four daily practices that every person can incorporate daily into their busy schedules.
Get up and Walk
Plan for virtual 1:1 walking meetings with your team, it allows you to stay active even on the busiest days.
Hydrate
Keep a cannister of ice, cold water at your desk so that you can stay hydrated throughout the workday.
Takes Breaks
Take mental breaks and intentionally unplug. Spend time away from your electronic devices by avoiding emails or going on chat.
Stand Up
It can be easy to sit at your desk all day. This doesn’t benefit your health. Instead, stand up and find ways to move.
At McAfee, we believe that your mental and physical wellbeing is a top priority. That’s why we encourage team members to take the time they need to reset, recharge, and care for their health. Between our paid holidays, unlimited vacation policy in the U.S., and leave policy, we enable our team to balance work with life’s responsibilities. We know that the key to living our best lives at and away from the office starts with focusing on wellbeing.
Want to work for a company that encourages team members to prioritize their health and wellbeing? Check out McAfee’s Latest Career Opportunities. Subscribe to Job Alerts.
Stay Connected
For more stories like this, follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about.
Search Career Opportunities with McAfee
Interested in joining our team? We’re hiring! Apply now.
The post McAfee VP Shares His Four Pledges for a Healthier Lifestyle appeared first on McAfee Blogs.
In a year where people relied on their digital lives more than ever before and a dramatic uptick in attacks quickly followed, McAfee’s protection stood strong.
We’re proud to announce several awards from independent third-party labs, which recognized our products, protection, and the people behind them over the course of last year.
The Cybersecurity Excellence Awards is an annual competition honoring individuals and companies that demonstrate excellence, innovation, and leadership in information security. We were honored with four awards:
Further recognition came by way of three independent labs known for their testing and evaluation of security products. Once more, this garnered several honors:
As the threat landscape continues to evolve, our products do as well. We’re continually updating them with new features and enhancements, which our subscribers receive as part of automatic product updates. So, if you bought your product one or two years ago, know that you’re still getting the latest award-winning protection with your subscription.
We’d like to acknowledge your part in these awards as well. None of this is possible without the trust you place in us and our products. With the changes in our work, lifestyles, and learning that beset millions of us this past year, your protection and your feeling of security remain our top priority.
With that, as always, thank you for selecting us.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post McAfee Awarded “Cybersecurity Excellence Awards” appeared first on McAfee Blogs.
Throw open the windows and let in some fresh air. It’s time for spring cleaning.
And that goes for your digital stuff too.
Whether it’s indeed spring where you are or not, you can give your devices, apps, and online accounts a good decluttering. Now’s the time. Cleaning them up can protect your privacy and your identity, because when there’s less lying about, there’s less for hackers to scoop up and exploit.
The reality is that we accumulate plenty of digital clutter that needs cleaning up from time to time. Think about it:
Together, these things take up space on your devices and, in some cases, can open you up to security hazards. Let’s take a look at how you can clean up in a few steps.
1. Review your accounts and delete the ones you don’t use. Look through your bookmarks, your password manager, or the other places where you store your passwords and usernames. Review the sites and services associated with them critically. If you haven’t used an account in some time, log in one last time, remove all personal info, and deactivate it.
Doing so can keep your email address, usernames, and passwords out of unnecessary circulation. Major breaches like this one happen with unfortunate regularity, and the sad thing is that you may not even be aware that a site you’ve used has been hit. Meanwhile, your name, password, and info associated with that account (such as your credit card) are in the hands of hackers. Limit your exposure. Close those old accounts.
2. Get organized, and safer too, with a password manager. While creating strong, unique passwords for each of our accounts is a must nowadays, it can be quite the feat, given all of the accounts in our lives. Here’s where a password manager comes in. It can create those strong, unique passwords for you. Not only that, but it also stores your passwords on secure servers, away from hackers and thieves.
Along those lines, never store your passwords on your computer or device, like a text document or spreadsheet. Should your device ever get compromised, lost, or stolen, having passwords stored on them are like handing over the keys to your digital life.
3. Clean your PC to improve your performance (and your security). Let’s face it, so many of us are so busy with the day-to-day that cleaning up our computers and laptops is way down the list. However, doing so once a month can keep our devices running stronger for longer and even give you that “new computer feeling,” particularly if you haven’t cleaned it up for some time. Check out or guide for improving PC performance. It’ll walk you through some straightforward steps that can make a marked difference.
Moreover, part of this process should entail bolstering your operating system and apps with the latest updates. Such updates can not only improve speed and functionality, but they also often include security upgrades as well that can make you safer in the long run. If your operating system and apps feature automatic updates, enable them, and they’ll do the work for you.
4. Organize and store your photos. Photos. Now there’s a topic all unto itself. Here’s the thing: Estimates show that worldwide we took somewhere around 1.2 trillion photos in 2018. And you certainly have your share.
However, your photos may be just sitting there, taking up storage space on your computer or phone, instead of becoming something special like an album, greeting cards, a wall hanging, or popping them into a digital picture frame for your kitchen or living room. And this is where a little spring cleaning can be a bit of fun. For tips on cleaning up your photos, backing them up, and making something special with them, check out my earlier blog.
5. Delete old apps and the data associated with them. Let’s say you have a couple of apps on your phone for tracking your walks, runs, and exercise. You’ve since stopped using one altogether. Go ahead and delete the old one. But before you do, go in and delete your account associated with the app to ensure that any data stored off your phone, along with your password and user id are deleted as well.
For your computers and laptops, follow the same procedure, recognizing that they also may have account data stored elsewhere other than on your device.
In short, many apps today store information that’s stored and maintained by the app provider. Make sure you close your accounts so that data and information is taken out of circulation as well.
6. Shred your old files and encrypt the important files you’re holding on to. This bit of advice calls for using comprehensive security software on your devices. In addition to protecting you from viruses, malware, and other cyberattacks on your privacy and identity, it can help you protect your sensitive information as well. Such security software can offer:
7. Throwing away old computers and tech—dispose of properly. When it comes time to say goodbye to an old friend, whether that’s a computer, laptop, phone, or tablet, do so in a way that’s friendly to the environment and your security.
Consider this … what’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Same thing goes for your tablets and phones. The Federal Trade Commission (FTC) offers some straightforward advice in their article about protecting your data before you get rid of your computer. You don’t want those old tax returns ending up in the trash unprotected.
When it comes time for disposal, you have a few options:
Enjoying the benefits of your work—that’s what spring cleaning is all about, right? With this little list, you can end up with a digital life that’s safer and faster than before.
The post Digital Spring Cleaning: Seven Steps for Faster, Safer Devices appeared first on McAfee Blog.
Cryptocurrency enthusiasts are flocking to the Wild West of Bitcoin and Monero to cash in on the recent gold rush. Bitcoin’s meteoric rise in value is making coin mining an appealing hobby or even a whole new career. Coin mining software is the main tool in a prospector’s belt.
Some coin miners, also known as cryptocurrency miners, are tempted by the dark side of the industry and resort to nefarious means to harness the immense computing power needed for cryptocurrency profits. Greedy cryptocurrency criminals employ a practice called cryptojacking, stealing the computer power of unsuspecting devices to help them mine faster. Your device could be at risk at being recruited to their efforts.
Let’s dig into how coin mining programs work, why they turn malicious, and how you can stay safe from cryptojackers.
Mining cryptocurrency takes a lot of time and computer processing power. A coin mining home setup requires a graphics processing unit (GPU) or an application-specific integrated circuit (ASIC). Coin mining software then runs off the GPU or ASIC. Each central processing unit (CPU), or the brain of the computer, plus the GPU or ASIC is referred to as a mining rig.
Once the software is installed, the rig is ready to mine, running mathematical calculations to verify and collect new cryptocurrency transactions. Each calculation is known as a hash, and hash rates are the number of calculations that can be run per second.
From there, casual miners may choose to join a mining pool, which is a club of miners who agree to consolidate their computing power and split the profits based on how much work each miner contributed to the output.
Bitcoin rewards miners every 10 minutes for their efforts. Each time miners solve a string of mathematical puzzles, they validate a chain of transactions, thus helping make the entire Bitcoin system more secure. Miners are paid in bitcoin and they also receive a transactional fee.
While coin mining typically starts off as a casual hobby, coin mining programs can turn malicious when cryptocurrency miners want to earn more without investing in boosting their own computing power. Instead, they reroute their targets’ computing power without asking. This is called cryptojacking.
Mining requires incredible amounts of electricity and the more rigs involved; the more cryptocurrency can be mined. Usually, the utility bills and the cost of running coin mining software negates any profit. For example, a casual miner may have one rig devoted to mining. An average rig processes approximately 500 hashes per second on the Monero network (a type of cryptocurrency). However, 500 hashes per second translates to less than a dollar per week in traditional, or fiat, currency.
Greedy cryptocurrency criminals recruit CPU soldiers to their mining army to improve their hash rate. To do so, criminals download coin mining software to a device and then program it to report back to their server. The device’s thinking power is diverted from the owner and funneled straight to the criminal’s server that now controls it. Compromised devices run considerably slower and can overheat, and the strain on the device can eventually destroy it.
Cryptojackers are not your everyday thieves. Their target is your CPU power, and they employ devious methods to funnel it for their own use. Luckily, there are a few easy ways to thwart their efforts:
Personal devices are often infected through phishing within emails and texts. There are many tell-tale signs of a phishing message. For example, they are often poorly written and use language that indicates that the sender wants a hasty response. Also, phishing attempts often charade as official organizations, like banks and credit card companies. If you are ever suspicious of an email or text, do not open any of the links and do not reply. Instead, contact the organization’s customer support to verify the legitimacy of the message.
Another way miners gain access to personal devices is by camouflaging malicious code in pop-up ads. An easy way to avoid being cryptojacked is to simply never click on these ads. Or even better, install an ad blocker to help eliminate the risk.
Public wi-fi and poorly protected networks present a vulnerable entry point for cybercriminals to hack into your devices. Cybercriminals often attempt to download software remotely to your laptop, desktop, or mobile device to reroute its computing power for their own selfish gains. Always connect to a VPN like McAfee Safe Connect VPN to safely surf unsecure networks.
Cryptojacking code is inconspicuous and generally hidden in legitimate code. Antivirus software, such as McAfee Total Protection, is a recommended way to proactively scan for malware and even identify fraudulent websites. McAfee WebAdvisor has a Chrome extension that specifically blocks cryptojackers.
Be aware of the signs your devices have been cryptojacked. For example, monitor any changes in the speed of your devices and check out your utility bills for dramatic spikes. By remaining vigilant with these tips, you will keep your devices safe from cryptocurrency miners gone rogue.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Why Coin Miners Go Bad & How to Protect Your Tech When They Do appeared first on McAfee Blogs.
You flick through some reels and an ad for “a more private phone” crops up. You scroll through your news feed and catch wind of yet another data breach at a major retailer. You see a post from a friend who says their social media account was hacked. Maybe you don’t think about security every day, but when you do, it can feel … overwhelming. We’re here to solve that. We’re here to make security easy.
As security providers, we have to offer protection against a wide variety of threats without adding more complexity to your already busy life. Managing your security should be easy, and even enjoyable.
Enjoyable?
Yes. We want you to have a sense of accomplishment, both knowledge and a feeling that you’re safer than you were before.
With these things in mind, we set out to make your security software work better for you. We streamlined the experience to simplify what you see, while still offering robust protection. After all, true security is the security that you benefit from every day, and it’s up to us as providers to make it smooth and easy as possible.
Our new setup process now includes easier navigation, fewer screens, and clearer action items and alerts. It smoothly moves you through setting up protection across all the ways you interact online and your compatible devices. This way, you know that we’re helping to keep you safe whether you’re messaging, browsing, or shopping and banking online.
Another area where we put a lot of focus is the new home screen. This is your home base, where we clearly show you what your current protection status is in the areas that matter the most to you. This includes making it easier to monitor your personal information and strengthen protections you already use, like passwords.
The home screen is also where you come to perform essential tasks, such as running an antivirus scan. It guides you to take actions when needed, giving you proactive protection, and a clear view of your overall security in one convenient place. From here you can access details on the status of your PC, web, and identity protection.
While we’re always focused on helping you feel confident and protected online, we realize that making our tools easy to use is just as important. The digital security landscape will continue to be a complicated one, with more than a million new and unique threats cropping up each day, but we can and are making security simpler, and therefore, more effective.
With easier setup and protection that turns on automatically at the right moments, we want to make security easier for you so that you can feel safer online. We’ve heard your feedback about how we can improve, and we’ll bring all that goodness in a product that you can use every day.
You’ll find this interface across our McAfee+ family of products, along with continual upgrades and improvements as we roll out more features that will keep you safer online.
The post Let’s Make Security Easy appeared first on McAfee Blog.
The McAfee Advanced Threat Research team today published the McAfee Labs Threats Report: April 2021.
In this edition, we present new findings in our traditional threat statistical categories – as well as our usual malware, sectors, and vectors – imparted in a new, enhanced digital presentation that’s more easily consumed and interpreted.
Historically, our reports detailed the volume of key threats, such as “what is in the malware zoo.” The introduction of MVISION Insights in 2020 has since made it possible to track the prevalence of campaigns, as well as, their associated IoCs, and determine the in-field detections. This latest report incorporates not only the malware zoo but new analysis for what is being detected in the wild.
The Q3 and Q4 2020 findings include:
Additional Q3 and Q4 2020 content includes:
These new, insightful additions really make for a bumper report! We hope you find this new McAfee Labs threat report presentation and data valuable.
Don’t forget keep track of the latest campaigns and continuing threat coverage by visiting our McAfee COVID-19 Threats Dashboard and the MVISION Insights preview dashboard.
The post McAfee Labs Report Reveals Latest COVID-19 Threats and Malware Surges appeared first on McAfee Blogs.
Recently, the McAfee Mobile Research Team uncovered several new variants of the Android malware family BRATA being distributed in Google Play, ironically posing as app security scanners.
These malicious apps urge users to update Chrome, WhatsApp, or a PDF reader, yet instead of updating the app in question, they take full control of the device by abusing accessibility services. Recent versions of BRATA were also seen serving phishing webpages targeting users of financial entities, not only in Brazil but also in Spain and the USA.
In this blog post we will provide an overview of this threat, how does this malware operates and its main upgrades compared with earlier versions. If you want to learn more about the technical details of this threat and the differences between all variants you can check the BRATA whitepaper here.
First seen in the wild at the end of 2018 and named “Brazilian Remote Access Tool Android ” (BRATA) by Kaspersky, this “RAT” initially targeted users in Brazil and then rapidly evolved into a banking trojan. It combines full device control capabilities with the ability to display phishing webpages that steal banking credentials in addition to abilities that allow it capture screen lock credentials (PIN, Password or Pattern), capture keystrokes (keylogger functionality), and record the screen of the infected device to monitor a user’s actions without their consent.
Because BRATA is distributed mainly on Google Play, it allows bad actors to lure victims into installing these malicious apps pretending that there is a security issue on the victim’s device and asking to install a malicious app to fix the problem. Given this common ruse, it is recommended to avoid clicking on links from untrusted sources that pretend to be a security software which scans and updates your system—e even if that link leads to an app in Google Play. McAfee offers protection against this threat via McAfee Mobile Security, which detects this malware as Android/Brata.
The main upgrades and changes that we have identified in the latest versions of BRATA recently found in Google Play include:
During 2020, the threat actors behind BRATA have managed to publish several apps in Google Play, most of them reaching between one thousand to five thousand installs. However, also a few variants have reached 10,000 installs including the latest one, DefenseScreen, reported to Google by McAfee in October and later removed from Google Play.
Figure 1. DefenseScreen app in Google Play.
From all BRATA apps that were in Google Play in 2020, five of them caught our attention as they have notable improvements compared with previous ones. We refer to them by the name of the developer accounts:
Figure 2. Timeline of identified apps in Google Play from May to October 2020
BRATA poses as a security app scanner that pretends to scan all the installed apps, while in the background it checks if any of the target apps provided by a remote server are installed in the user’s device. If that is the case, it will urge the user to install a fake update of a specific app selected depending on the device language. In the case of English-language apps, BRATA suggests the update of Chrome while also constantly showing a notification at the top of the screen asking the user to activate accessibility services:
Figure 3. Fake app scanning functionality
Once the user clicks on “UPDATE NOW!”, BRATA proceeds to open the main Accessibility tab in Android settings and asks the user to manually find the malicious service and grant permissions to use accessibility services. When the user attempts to do this dangerous action, Android warns of the potential risks of granting access to accessibility services to a specific app, including that the app can observe your actions, retrieve content from Windows, and perform gestures like tap, swipe, and pinch.
As soon as the user clicks on OK the persistent notification goes away, the main icon of the app is hidden and a full black screen with the word “Updating” appears, which could be used to hide automated actions that now can be performed with the abuse of accessibility services:
Figure 4. BRATA asking access to accessibility services and showing a black screen to potentially hide automated actions
At this point, the app is completely hidden from the user, running in the background in constant communication with a command and control server run by the threat actors. The only user interface that we saw when we analyzed BRATA after the access to accessibility services was granted was the following screen, created by the malware to steal the device PIN and use it to unlock it when the phone is unattended. The screen asks the user to confirm the PIN, validating it with the real one because when an incorrect PIN is entered, an error message is shown and the screen will not disappear until the correct PIN is entered:
Figure 5. BRATA attempting to steal device PIN and confirming if the correct one is provided
Once the malicious app is executed and accessibility permissions have been granted, BRATA can perform almost any action in the compromised device. Here’s the list of commands that we found in all the payloads that we have analyzed so far:
In addition to the commands above, BRATA also performs automated actions by abusing accessibility services to hide itself from the user or automatically grant privileges to itself:
Earlier BRATA versions like OutProtect and PrivacyTitan were designed to target Brazilian users only by limiting its execution to devices set to the Portuguese language in Brazil. However, in June we noticed that threat actors behind BRATA started to add support to other languages like Spanish and English. Depending on the language configured in the device, the malware suggested that one of the following three apps needed an urgent update: WhatsApp (Spanish), a non-existent PDF Reader (Portuguese) and Chrome (English):
Figure 6. Apps falsely asked to be updated depending on the device language
In addition to the localization of the user-interface strings, we also noticed that threat actors have updated the list of targeted financial apps to add some from Spain and USA. In September, the target list had around 52 apps but only 32 had phishing URLs. Also, from the 20 US banking apps present in the last target list only 5 had phishing URLs. Here’s an example of phishing websites that will be displayed to the user if specific US banking apps are present in the compromised device:
Figure 7. Examples of phishing websites pretending to be from US banks
Throughout 2020, BRATA constantly evolved, adding different obfuscation layers to impede its analysis and detection. One of the first major changes was moving its core functionality to a remote server so it can be easily updated without changing the original malicious application. The same server is used as a first point of contact to register the infected device, provide an updated list of targeted financial apps, and then deliver the IP address and port of the server that will be used by the attackers to execute commands remotely on the compromised device:
Figure 8. BRATA high level network communication
Additional protection layers include string obfuscation, country and language check, encryption of certain key strings in assets folder, and, in latest variants, the use of a commercial packer that further prevents the static and dynamic analysis of the malicious apps. The illustration below provides a summary of the different protection layers and execution stages present in the latest BRATA variants:
Figure 9. BRATA protection layers and execution stages
In order get infected with BRATA ,users must install the malicious application from Google Play so below are some recommendations to avoid being tricked by this or any other Android threats that use social engineering to convince users to install malware that looks legitimate:
The activation of accessibility services is very sensitive in Android and key to the successful execution of this banking trojan because, once the access to those services is granted, BRATA can perform all the malicious activities and take control of the device. For this reason, Android users must be very careful when granting this access to any app.
Accessibility services are so powerful that in hands of a malicious app they could be used to fully compromise your device data, your online banking and finances, and your digital life overall.
When BRATA was initially discovered in 2019 and named “Brazilian Android RAT” by Kaspersky, it was said that, theoretically, the malware can be used to target other users if the cybercriminals behind this threat wanted to do it. Based on the newest variants found in 2020, the theory has become reality, showing that this threat is currently very active, constantly adding new targets, new languages and new protection layers to make its detection and analysis more difficult.
In terms of functionality, BRATA is just another example of how powerful the (ab)use of accessibility services is and how, with just a little bit of social engineering and persistence, cybercriminals can trick users into granting this access to a malicious app and basically getting total control of the infected device. By stealing the PIN, Password or Pattern, combined with the ability to record the screen, click on any button and intercept anything that is entered in an editable field, malware authors can virtually get any data they want, including banking credentials via phishing web pages or even directly from the apps themselves, while also hiding all these actions from the user.
Judging by our findings, the number of apps found in Google Play in 2020 and the increasing number of targeted financial apps, it looks like BRATA will continue to evolve, adding new functionality, new targets, and new obfuscation techniques to target as many users as possible, while also attempting to reduce the risk of being detected and removed from the Play store.
McAfee Mobile Security detects this threat as Android/Brata. To protect yourselves from this and similar threats, employ security software on your mobile devices and think twice before granting access to accessibility services to suspicious apps, even if they are downloaded from trusted sources like Google Play.
Figure 10. MITRE ATT&CK Mobile for BRATA
<h3>Indicators of compromise
Apps:
SHA256 | Package Name | Installs |
4cdbd105ab8117620731630f8f89eb2e6110dbf6341df43712a0ec9837c5a9be | com.outprotect.android | 1,000+ |
d9bc87ab45b0c786aa09f964a8101f6df7ea76895e2e8438c13935a356d9116b | com.privacytitan.android | 1,000+ |
f9dc40a7dd2a875344721834e7d80bf7dbfa1bf08f29b7209deb0decad77e992 | com.greatvault.mobile | 10,000+ |
e00240f62ec68488ef9dfde705258b025c613a41760138b5d9bdb2fb59db4d5e | com.pw.secureshield | 5,000+ |
2846c9dda06a052049d89b1586cff21f44d1d28f153a2ff4726051ac27ca3ba7 | com.defensescreen.application | 10,000+ |
URLs:
This paper will analyze five different “Brazilian Remote Access Tool Android” (BRATA) apps found in Google Play during 2020.
The post BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain appeared first on McAfee Blogs.
“It’s alive! It’s alive!”
Even if you haven’t seen the 1931 film Frankenstein, you are more than likely familiar with the story of the “monster” created by Victor Frankenstein. You may associate this cry from its titular character with the image of what Victor conjured finally opening its eyes and slowly lurching off the table.
While amusing and entertaining, this ongoing trope has a flaw that has tainted most of our memories. The fact is, in Mary Shelley’s classic 1818 novel of the same name, Victor does not excitedly exclaim when that first forward lurch occurs – but rather runs away and hides.
That’s right – fear was the first instinct met when a human, Victor, created and powered a non-human entity. While a work of fiction, was this our first brush with the concept of Artificial Intelligence (AI)? We don’t necessarily align the year 1818 in our minds as a technologically booming era. We have certainly come a long way from shipbuilding patents equaling the heights of technology to the technology that empowers life and business today.
So why are so many of us still fearful like Victor when it comes to AI? Especially since, in its earnest efforts, most AI technology today is designed to better processes, outcomes, and experiences – not to mention ensure greater security and control. We constantly see doom-and-gloom headlines asking whether AI will replace human jobs or touting added expenses associated with implementation. There’s even an entire Wikipedia page devoted to the notion of an “AI Takeover.”
But the truth is, AI – and machine learning – technology has gotten to the point today where it is more of an anomaly if a company or business does not implement it in some form. It is so commonplace that many of us don’t even know it is there. From smart assistants to progressing the healthcare industry at a time where it needs all the efficiencies it can afford, AI is everywhere and the security industry is no stranger when it comes to benefitting from its advances as well.
Our company looks at AI as an enhancement not a replacement. We know AI can improve experiences, create greater efficiencies, and solve complex problems – but at the same time are realistic. We know that humans alone cannot possibly address and respond to the sheer amount of threats businesses face today. But we also know that machines and technology do not currently have the creativity, wit, and wisdom that humans possess.
This is an important factor in the cybersecurity industry. This realism and notion that AI is an enhancement aligns with the concepts and origins of AI itself.
Most AI we see today can be categorized as strong AI, or AGI – artificial general intelligence, and weak AI. The latter means that humans are involved in some facet of programming the technology, whereas with strong AI, technology is able to use algorithms to process, inform, and make decisions independent of human interaction. What we don’t talk about as much is artificial superintelligence (ASI), where technology gains advanced cognitive abilities that can match – or even surpass – a human.
ASI can be ideal for many industries, but we’re not quite there yet. Since most AI today is still in the strong AI stage, AKA the enhancement phase where humans are still needed to process and define what technology currently cannot: emotion. Machines cannot currently replace thinking like a threat actor – imagining scenarios that only humans experience, intuition, motive, and brain power can conjure.
Therefore, we need humans and machines working together as a team. Machines are able to keep pace with the number of emerging threats and help security operation center analysts manage a tremendous amount of data and convert it into actionable intelligence. But human skill is needed to prioritize threats based on context, insight, and consciousness that machines don’t have.
It is increasingly important to remember this as we see adversarial AI on the rise and threat actors use AI to infiltrate AI-powered solutions. With this increase, speed of response is crucial, which is where we see AI have the most impact across the cybersecurity industry when coupled with human strategy to reduce potential damage done to an organization.
We are far from the point where AI needs to invoke fear, but we have a responsibility to know the shortcomings of current AI alongside its benefits.
This open-minded outlook is critical as AI in its truest form is about intelligence – and we can always add to and grow intelligence. The concept of always-on learning levels the playing field for both humans and machines. We’re the same in this aspect in that the possibilities are endless based on what we both can conjure and create based on education, learning, and knowledge.
The post AI Is Alive! But Not Without Our Help appeared first on McAfee Blogs.
Cuba ransomware is an older ransomware, that has recently undergone some development. The actors have incorporated the leaking of victim data to increase its impact and revenue, much like we have seen recently with other major ransomware campaigns.
In our analysis, we observed that the attackers had access to the network before the infection and were able to collect specific information in order to orchestrate the attack and have the greatest impact. The attackers operate using a set of PowerShell scripts that enables them to move laterally. The ransom note mentions that the data was exfiltrated before it was encrypted. In similar attacks we have observed the use of a Cobalt Strike payload, although we have not found clear evidence of a relationship with Cuba ransomware.
We observed Cuba ransomware targeting financial institutions, industry, technology and logistics organizations.
The following picture shows an overview of the countries that have been impacted according to our telemetry.
Defenders should be on the lookout for traces and behaviours that correlate to open source pen test tools such as winPEAS, Lazagne, Bloodhound and Sharp Hound, or hacking frameworks like Cobalt Strike, Metasploit, Empire or Covenant, as well as abnormal behavior of non-malicious tools that have a dual use. These seemingly legitimate tools (e.g., ADfind, PSExec, PowerShell, etc.) can be used for things like enumeration and execution. Subsequently, be on the lookout for abnormal usage of Windows Management Instrumentation WMIC (T1047). We advise everyone to check out the following blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).
Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common among ransomware criminals:
When it comes to the actual ransomware binary, we strongly advise updating and upgrading endpoint protection, as well as enabling options like tamper protection and Rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.
For active protection, more details can be found on our website – https://www.mcafee.com/enterprise/en-us/threat-center/threat-landscape-dashboard/ransomware-details.cuba-ransomware.html – and in our detailed Defender blog.
Learn more about Cuba ransomware, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used by reading our detailed technical analysis.
The post McAfee ATR Threat Report: A Quick Primer on Cuba Ransomware appeared first on McAfee Blogs.
Over the past year, we have seen ransomware attackers change the way they have responded to organizations that have either chosen to not pay the ransom or have recovered their data via some other means. At the end of the day, fighting ransomware has resulted in the bad actors’ loss of revenue. Being the creative bunch they are, they have resorted to data dissemination if the ransom is not paid. This means that significant exposure could still exist for your organization, even if you were able to recover from the attack.
Cuba ransomware, no newcomer to the game, has recently introduced this behavior.
This blog is focused on how to build an adaptable security architecture to increase your resilience against these types of attacks and specifically, how McAfee’s portfolio delivers the capability to prevent, detect and respond against the tactics and techniques used in the Cuba Ransomware Campaign.
As always, building adaptable defensive architecture starts with intelligence. In most organizations, the Security Operations team is responsible for threat intelligence analysis, as well as threat and incident response. McAfee Insights (https://www.mcafee.com/enterprise/en-us/lp/insights-dashboard1.html#) is a great tool for the threat intel analyst and threat responder. The Insights Dashboard identifies prevalence and severity of emerging threats across the globe which enables the Security Operations Center (SOC) to prioritize threat response actions and gather relevant cyber threat intelligence (CTI) associated with the threat, in this case the Cuba ransomware campaign. The CTI is provided in the form of technical indicators of compromise (IOCs) as well as MITRE ATT&CK framework tactics and techniques. As a threat intel analyst or responder you can drill down to gather more specific information on Cuba ransomware, such as prevalence and links to other sources of information. You can further drill down to gather more specific actionable intelligence such as indicators of compromise and tactics/techniques aligned to the MITRE ATT&CK framework.
From the McAfee Advanced Threat Research (ATR) blog, you can see that Cuba ransomware leverages tactics and techniques common to other APT campaigns. Currently, the Initial Access vector is not known. It could very well be spear phishing, exploited system tools and signed binaries, or a multitude of other popular methods.
Today’s digital enterprise is a hybrid environment of on-premise systems and cloud services with multiple entry points for attacks like Cuba ransomware. The work from home operating model forced by COVID-19 has only expanded the attack surface and increased risk for successful spear phishing attacks if organizations did not adapt their security posture and increase training for remote workers. Mitigating the risk of attacks like Cuba ransomware requires a security architecture with the right controls at the device, on the network and in security operations (SecOps). The Center for Internet Security (CIS) Top 20 Cyber Security Controls provides a good guide to build that architecture. As indicated earlier, the exact entry vector used by Cuba ransomware is currently unknown, so what follows, here, are more generalized recommendations for protecting your enterprise.
According to Threat Intelligence and Research, the initial access for Cuba ransomware is not currently known. As attackers can leverage many popular techniques for initial access, it is best to validate efficacy on all layers of defenses. This includes user awareness training and response procedures, intelligence and behavior-based malware defenses on email systems, web proxy and endpoint systems, and finally SecOps playbooks for early detection and response against suspicious email attachments or other phishing techniques. The following chart summarizes the controls expected to have the most effect against initial stage techniques and the McAfee solutions to implement those controls where applicable.
MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Capability |
Initial Access | Spear Phishing Attachments (T1566.001) |
CSC 7 – Email and Web Browser Protection
CSC 8 – Malware Defenses CSC 17 – User Awareness |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,
Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS) |
Initial Access | Spear Phishing Link (T1566.002) |
CSC 7 – Email and Web Browser Protection
CSC 8 – Malware Defenses CSC 17 – User Awareness |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,
Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS) |
Initial Access | Spear Phishing (T1566.003) Service |
CSC 7 – Email and Web Browser Protection
CSC 8 – Malware Defenses CSC 17 – User Awareness |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection,
Web Gateway (MWG), Advanced Threat Defense, Web Gateway Cloud Service (WGCS) |
For additional information on how McAfee can protect against suspicious email attachments, review this additional blog post: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-protects-against-suspicious-email-attachments/
The exploitation stage is where the attacker gains access to the target system. Protection against Cuba ransomware at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, restriction of application execution, and security operations tools like endpoint detection and response sensors.
McAfee Endpoint Security 10.7 provides a defense in depth capability, including signatures and threat intelligence, to cover known bad indicators or programs, as well as machine-learning and behavior-based protection to reduce the attack surface against Cuba ransomware and detect new exploitation attack techniques. If the initial entry vector is a weaponized Word document with links to external template files on a remote server, for example, McAfee Threat Prevention and Adaptive Threat Protection modules protect against these techniques.
The following chart summarizes the critical security controls expected to have the most effect against exploitation stage techniques and the McAfee solutions to implement those controls where applicable.
MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Portfolio Mitigation |
Execution | User Execution (T1204) |
CSC 5 Secure Configuration
CSC 8 Malware Defenses CSC 17 Security Awareness |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), Web Gateway and Network Security Platform |
Execution | Command and Scripting Interpreter (T1059)
|
CSC 5 Secure Configuration
CSC 8 Malware Defenses |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC), MVISION EDR |
Execution | Shared Modules (T1129) |
CSC 5 Secure Configuration
CSC 8 Malware Defenses |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control (MAC) |
Persistence | Boot or Autologon Execution (T1547) |
CSC 5 Secure Configuration
CSC 8 Malware Defenses |
Endpoint Security Platform 10.7 Threat Prevention, MVISION EDR |
Defensive Evasion | Template Injection (T1221) |
CSC 5 Secure Configuration
CSC 8 Malware Defenses |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
Defensive Evasion | Signed Binary Proxy Execution (T1218) |
CSC 4 Control Admin Privileges
CSC 5 Secure Configuration CSC 8 Malware Defenses |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, Application Control, MVISION EDR |
Defensive Evasion | Deobfuscate/Decode Files or Information (T1027)
|
CSC 5 Secure Configuration
CSC 8 Malware Defenses |
Endpoint Security Platform 10.7, Threat Prevention, Adaptive Threat Protection, MVISION EDR |
For more information on how McAfee Endpoint Security 10.7 can prevent some of the techniques used in the Cuba ransomware exploit stage, review this additional blog post: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-amsi-integration-protects-against-malicious-scripts/
The impact stage is where the attacker encrypts the target system, data and perhaps moves laterally to other systems on the network. Protection at this stage is heavily dependent on adaptable anti-malware on both end user devices and servers, network controls and security operation’s capability to monitor logs for anomalies in privileged access or network traffic. The following chart summarizes the controls expected to have the most effect against impact stage techniques and the McAfee solutions to implement those controls where applicable:
The public leak site of Cuba ransomware can be found via TOR: http://cuba4mp6ximo2zlo[.]onion/
MITRE Tactic | MITRE Techniques | CSC Controls | McAfee Portfolio Mitigation |
Discovery | Account Discovery (T1087) |
CSC 4 Control Use of Admin Privileges
CSC 5 Secure Configuration CSC 6 Log Analysis |
MVISION EDR, MVISION Cloud, Cloud Workload Protection |
Discovery | System Information Discovery (T1082) |
CSC 4 Control Use of Admin Privileges
CSC 5 Secure Configuration CSC 6 Log Analysis |
MVISION EDR, MVISION Cloud, Cloud Workload Protection |
Discovery | System Owner/User Discovery (T1033) |
CSC 4 Control Use of Admin Privileges
CSC 5 Secure Configuration CSC 6 Log Analysis |
MVISION EDR, MVISION Cloud, Cloud Workload Protection |
Command and Control | Encrypted Channel (T1573) |
CSC 8 Malware Defenses
CSC 12 Boundary Defenses |
Web Gateway, Network Security Platform |
As a threat intel analyst or hunter, you might want to quickly scan your systems for any indicators you received on Cuba ransomware. Of course, you can do that manually by downloading a list of indicators and searching with available tools. However, if you have MVISION EDR and Insights, you can do that right from the console, saving precious time. Hunting the attacker can be a game of inches so every second counts. Of course, if you found infected systems or systems with indicators, you can take action to contain and start an investigation for incident response immediately from the MVISION EDR console.
In addition to these IOCs, YARA rules are available in our technical analysis of Cuba ransomware.
Files:
151.bat
151.ps1
Kurva.ps1
Email addresses:
under_amur@protonmail[.]ch
helpadmin2@cock[.]li
helpadmin2@protonmail[.]com
iracomp2@protonmail[.]ch
fedelsupportagent@cock.li
admin@cuba-supp.com
cuba_support@exploit.im
Domain:
kurvalarva[.]com
Script for lateral movement and deployment:
54627975c0befee0075d6da1a53af9403f047d9e367389e48ae0d25c2a7154bc
c385ef710cbdd8ba7759e084051f5742b6fa8a6b65340a9795f48d0a425fec61
40101fb3629cdb7d53c3af19dea2b6245a8d8aa9f28febd052bb9d792cfbefa6
Cuba Ransomware:
c4b1f4e1ac9a28cc9e50195b29dde8bd54527abc7f4d16899f9f8315c852afd4
944ee8789cc929d2efda5790669e5266fe80910cabf1050cbb3e57dc62de2040
78ce13d09d828fc8b06cf55f8247bac07379d0c8b8c8b1a6996c29163fa4b659
33352a38454cfc247bc7465bf177f5f97d7fd0bd220103d4422c8ec45b4d3d0e
672fb249e520f4496e72021f887f8bb86fec5604317d8af3f0800d49aa157be1
e942a8bcb3d4a6f6df6a6522e4d5c58d25cdbe369ecda1356a66dacbd3945d30
907f42a79192a016154f11927fbb1e6f661f679d68947bddc714f5acc4aa66eb
28140885cf794ffef27f5673ca64bd680fc0b8a469453d0310aea439f7e04e64
271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad
6396ea2ef48aa3d3a61fb2e1ca50ac3711c376ec2b67dbaf64eeba49f5dfa9df
bda4bddcbd140e4012bab453e28a4fba86f16ac8983d7db391043eab627e9fa1
7a17f344d916f7f0272b9480336fb05d33147b8be2e71c3261ea30a32d73fecb
c206593d626e1f8b9c5d15b9b5ec16a298890e8bae61a232c2104cbac8d51bdd
9882c2f5a95d7680626470f6c0d3609c7590eb552065f81ab41ffe074ea74e82
c385ef710cbdd8ba7759e084051f5742b6fa8a6b65340a9795f48d0a425fec61
54627975c0befee0075d6da1a53af9403f047d9e367389e48ae0d25c2a7154bc
1f825ef9ff3e0bb80b7076ef19b837e927efea9db123d3b2b8ec15c8510da647
40101fb3629cdb7d53c3af19dea2b6245a8d8aa9f28febd052bb9d792cfbefa6
00ddbe28a31cc91bd7b1989a9bebd43c4b5565aa0a9ed4e0ca2a5cfb290475ed
729950ce621a4bc6579957eabb3d1668498c805738ee5e83b74d5edaf2f4cb9e
Tactic | Technique | Observable | IOCs |
Execution | Command and Scripting Interpreter: PowerShell (T1059.001) | Cuba team is using PowerShell payload to drop Cuba ransomware | f739977004981fbe4a54bc68be18ea79
68a99624f98b8cd956108fedcc44e07c bdeb5acc7b569c783f81499f400b2745
|
Execution | System Services: Service Execution (T1569.002) |
|
|
Execution | Shared Modules (T1129) | Cuba ransomware links function at runtime | Functions:
“GetModuleHandle” “GetProcAddress” “GetModuleHandleEx” |
Execution | Command and Scripting Interpreter (T1059) | Cuba ransomware accepts command line arguments | Functions:
“GetCommandLine” |
Persistence | Create or Modify System Process: Windows Service (T1543.003) | Cuba ransomware can modify services | Functions:
“OpenService” “ChangeServiceConfig” |
Privilege Escalation | Access Token Manipulation (T1134) | Cuba ransomware can adjust access privileges | Functions:
“SeDebugPrivilege” “AdjustTokenPrivileges” “LookupPrivilegeValue” |
Defense Evasion | File and Directory Permissions Modification (T1222) | Cuba ransomware will set file attributes | Functions:
“SetFileAttributes” |
Defense Evasion | Obfuscated files or Information (T1027) | Cuba ransomware is using xor algorithm to encode data | |
Defense Evasion | Virtualization/Sandbox Evasion: System Checks | Cuba ransomware executes anti-vm instructions | |
Discovery | File and Directory Discovery (T1083) | Cuba ransomware enumerates files | Functions:
“FindFirstFile” “FindNextFile” “FindClose” “FindFirstFileEx” “FindNextFileEx” “GetFileSizeEx” |
Discovery | Process Discovery (T1057) | Cuba ransomware enumerates process modules | Functions:
“K32EnumProcesses” |
Discovery | System Information Discovery (T1082) | Cuba ransomware can get keyboard layout, enumerates disks, etc | Functions:
“GetKeyboardLayoutList” “FindFirstVolume” “FindNextVolume” “GetVolumePathNamesForVolumeName” “GetDriveType” “GetLogicalDriveStrings” “GetDiskFreeSpaceEx” |
Discovery | System Service Discovery (T1007) | Cuba ransomware can query service status | Functions:
“QueryServiceStatusEx” |
Collection | Input Capture: Keylogging (T1056.001) | Cuba ransomware logs keystrokes via polling | Functions:
“GetKeyState” “VkKeyScan” |
Impact | Service Stop (T1489) | Cuba ransomware can stop services | |
Impact | Data encrypted for Impact (T1486) | Cuba ransomware encrypts data |
Many of the exploit stage techniques in this attack could use legitimate Windows processes and applications to either exploit or avoid detection. We discussed, above, how the Endpoint Protection Platform can disrupt weaponized documents but, by using MVISION EDR, you can get more visibility. As security analysts, we want to focus on suspicious techniques used by Initial Access, as this attack’s Initial Access is unknown.
Events from McAfee Endpoint Protection and McAfee MVISION EDR play a key role in Cuba ransomware incident and threat response. McAfee ePO centralizes event collection from all managed endpoint systems. As a threat responder, you may want to create a dashboard for Cuba ransomware-related threat events to understand your current exposure.
To defeat targeted threat campaigns, defenders must collaborate internally and externally to build an adaptive security architecture which will make it harder for threat actors to succeed and build resilience in the business. This blog highlights how to use McAfee’s security solutions to prevent, detect and respond to Cuba ransomware and attackers using similar techniques.
McAfee ATR is actively monitoring this campaign and will continue to update McAfee Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? Check out McAfee Insights for more information.
The post McAfee Defender’s Blog: Cuba Ransomware Campaign appeared first on McAfee Blogs.
The connection between cybersecurity and poet Ralph Waldo Emerson is not directly evident, however he once said, “money often costs too much.”
This statement rings true across the financial services industry, as money is a key driver for cybercriminals acting with malicious intent. The always-on eye of Sauron on the financial services industry means there are greater implications to keep this industry safe as a top target – and to keep money where it belongs.
IT teams across these organizations have historically invested heavily in technology stacks to combat fraud and decrease the likelihood of an attack or breach, but attacks keep getting more sophisticated and frequent. This Sisyphean task of keeping up with modern-day breaches is complex, and protecting the money is costly, as Ralph’s quote woefully reminds us.
McAfee’s “Hidden Costs of Cybercrime” report supports this current state of the financial services industry, indicating that these organizations spend up to $3,000 per employee on cybersecurity. Another survey from the Financial Services Information Sharing and Analysis Center (FS-ISAC) found that, depending on company size, financial institutions spend between 6% and 14% of IT budgets for defense.
This spending shows no sign of stopping as organizations will always have the onus to protect data, employees, and their own bottom lines. As long as cybercriminals exist, the need for cybersecurity will be omnipresent. However, there is a major change the financial services industry can implement to manage threats faster with higher efficacy and become more proactive instead of reactive: Extended Detection and Response (XDR).
It’s been less than 10 years since JPMorgan Chase & Co. fell victim to the largest known cyberattack at the time – one that occurred two months after it had vowed to spend a quarter-billion dollars a year on cybersecurity. Due to the breach, they increased the planned spend to half a billion dollars, per Forbes. Similarly, Capital One Financial Corp. more recently agreed to pay an $80 million dollar fine, pledging also to increase its cybersecurity efforts as a result of a breach that disclosed more than 100 million customer records.
Both of these financial institutions present examples where XDR could have provided a benefit and perhaps thwarted these major breaches. With its ability to coordinate systems and processes as well as automatically aggregate threat analysis and remove manual hunting and analysis, XDR acts as a modern-day catalyst for security operations center (SOC) success. This combination of prevention, detection, analysis, and response across the SOC and enterprise allows for better decisions that are made faster.
Taking a closer look at the JPMorgan breach, it was only uncovered due to a routine and typical scan conducted by the SOC team. Hackers were able to infiltrate using custom malware and a previously unknown flaw, entering via a website owned by JPMorgan to then stealthily extract data over the course of months – all without being caught by SOC teams. This is not uncommon, as recent Ernst & Young research cited that only 26% of the SOCs polled identified a threat event.
XDR’s ability to control access across an organization’s entire infrastructure from a unified and coordinated interface, coupled with more interconnected visualization across the SOC, provides the context needed to look at cybersecurity in a holistic manner. This is critical given the erratic lateral movements of advanced threats. This means all vectors are protected together, from endpoint, network, and the cloud; therefore, providing better context and overall awareness of security posture across an entire organization.
This gift of proactivity empowering the SOC to act quicker cannot come at a better time as threat actors are still leveraging the upheaval COVID-19 wrought to take advantage of vulnerabilities created due to the pandemic. Not to mention, companies and employees are not clamoring to return to the office where endpoints are easier to track and manage.
The National Association for Business Economics found that only about 1 in 10 companies expect all employees to return to their pre-pandemic work arrangements. With employees apt to use personal devices, causing an ever-increasing endpoint explosion, hackers may again have an easy entry point to conduct crime. All industries are vulnerable, but the financial services industry remains forever-lucrative due to the monetary gains that could be achieved.
With an increase in virtual transactions and use of personal devices to conduct business, the industry is ripe for phishing attempts, malware, and ransomware attacks. Hackers are taking advantage of these surges, with McAfee and IC3 data indicating that business email compromise (BEC) scams have been increasing. This means, it may not take a zero-day approach or strategy from hackers to infiltrate if existing systems and solutions already prove insecure.
Cost is often a barrier to entry for many industries, but the financial services industry has shown it is committed to investing in cybersecurity, knowing it has the most to lose. There has been success across the industry due to this guarantee, but the breaches that do get thwarted do not make the headlines. Nonetheless, undetected breaches – and the reputation-damaging headlines that appear alongside them – lead to more information and data loss and disruption to business. For financial institutions seeking to eliminate the losses associated with cybercrime, XDR is worth exploring.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR and schedule a check-up for your SOC.
The post More Money, Less Problems: XDR Investment Can Protect the Financial Services Industry appeared first on McAfee Blogs.
Learning environments are not what they used to be, and as educational institutions deploy new technology to facilitate a safe and effective remote learning environment, their cyber vulnerabilities also increase. Canadian schools especially have seen a rise in ransomware attacks with the transition to online learning, opening the door for hackers to exploit student data and sabotage academic research. To combat the rising cybersecurity concerns, educators need to implement new measures to uphold secure and efficient distance learning environments without allowing student data and privacy to hang in the balance.
Limiting disruptions remains a high priority for educators as they discover how to manage their remote classrooms. Although many teachers are familiar with supplemental technologies such as tablets and online programs, it’s another matter entirely to be completely dependent on them to support a fully virtual classroom. When investing in online learning tools, educational institutions should not allow their concern for efficiency to overshadow an equally important requirement: safety.
The education sector has seen its fair share of cybersecurity attacks since the widespread shift to remote classrooms. According to Microsoft, the global education industry has the most malware attacks, even more than prominent industries such as business, finance, and healthcare. K-12 schools especially have experienced an uptick in ransomware and Distributed Denial of Service (DDoS). Many Canadian schools are experiencing cyber security incidents, damaging the integrity of their student data and privacy. With hackers consistently seeking to take advantage of the vulnerabilities in new technology, this prompts further discussion into why education is such a highly targeted industry.
The rapid shift to remote learning is an obvious culprit for the increasing threat level, but higher education institutions were already vulnerable before the pandemic. Many students simply lack the proper security awareness when using their online devices. In Morphisec’s CyberSecurity Threat Index, more than 30% of higher education breaches were caused by students falling victim to email scams, misusing social media, or other careless online activities. Budgetary constraints are also to blame for increasing online attacks, as many schools lack adequate funding to support a robust cybersecurity infrastructure. Cybercriminals recognize the vast amount of student data that schools have on record, and this incentivizes them further to infiltrate their systems.
Many of the new remote learning technologies introduced during the pandemic have exposed the risks associated with a lack of stringent security measures. For example, until recently, Agora’s video conferencing software exhibited a vulnerability that would have allowed hackers to spy on video and audio calls. With a growing number of students accessing remote learning technologies through their schools’ networks, it’s especially critical for schools to re-evaluate their security protocols to safeguard their students.
Schools at all levels need to proactively secure their digital technologies and safeguard their students’ data integrity. With the right approach, students and educators can mitigate the risks of cyber threats. Here are four critical cybersecurity steps that schools should take immediately:
It only takes one person to allow a hacker to infiltrate a school system. Digital security training is a must to ensure that students and faculty can recognize and take the appropriate action for suspicious activities like phishing emails. For example, a common cyber threat is when hackers pose as school officials asking for important information such as tax information or identification information.
Since many of the learning technologies on the market are new to students and staff, it’s especially critical to understand the implications of a security breach and the necessary steps to mitigate risks.
2.User Access Control
The principle of “least privilege” can also help avoid a cyber attack. This principle only allows users access to data and systems on a need-to-know basis and can mitigate data breaches that occur via unauthorized or unnecessary access. Hackers often try to infiltrate lower-level devices and accounts as a way to gain access to higher-value accounts and systems. Schools can take action by optimizing a list of what users have access to, which functions they have access to, and why. Ensuring that users have access to only what they need will limit attacks to smaller areas of the system and help protect the security ecosystem as a whole.
An often overlooked but critical cybersecurity protocol is having a robust password management policy. These policies must also be in accordance with provincial and territorial legislation, which set guidelines and rules that govern how students and faculty use their devices and online learning technologies. Password management policies that encourage strong passwords and multi-factor authentication are essential to prevent password sharing and unrestricted access.
Third-party technology vendors have become an integral component of distance learning, but they are also a vulnerability. Educational institutions need to ensure that they are properly managing their technology vendors so their students’ safety is prioritized above all else. Undergoing a thorough vetting process to evaluate third-party technology, as well as vendors’ terms and conditions, will help identify any security gaps that can create greater issues down the road.
The ascendance of distance learning during the pandemic has given educators, students, and parents new insights into both the opportunities and challenges of not being in a physical classroom. One of the most critical is the importance of creating safe and secure virtual environments to ensure that students are safe. Despite the benefits that education technology provides, without proper training or technical safeguards in place, schools and students are left vulnerable to the dangers of external threats. By enhancing awareness of cyber threats and implementing a strong security strategy, educators and parents can start creating safer learning environments for students to thrive.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Prioritizing Security in a Remote Learning Environment appeared first on McAfee Blogs.
Most of us have fond summer memories of hanging out with friends in a secret clubhouse. However, this isn’t that. While the word clubhouse stirs up instant feelings of belonging to a group of friends, the digital Clubhouse app, we’re referencing is a meeting hub for users over 18. Currently, still in its beta phase, Clubhouse is by invitation only. This exclusivity is also what makes it somewhat irresistible for tweens and teens looking for a new place to meet with friends.
Clubhouse is an all-audio social network; kind of like a podcast meets a group phone call. Guests may drop in and even speak if they raise their hand are unmuted by the speaker. Speakers create “rooms” each with different topics and invite people to join in on that discussion.
The app found its wings as a fun place to connect during the pandemic. Mom groups, business roundtables, staff meetings, political groups, think tanks, and hobbyists flocked to connect on the app and still do. The topics are plentiful and there’s always a conversation happening that you can access with a click.
Currently there aren’t any parental controls or privacy settings on Clubhouse. While the app states that there’s a minimum age requirement of 18, there isn’t an actual age-verification system. As with so many other apps, anyone under 18 can simply get an invite, fake their age, and either drop in on any of the conversations going on or start their own room.
Mature content. Topics on Clubhouse cover a wide range of topics both mainstream and fringe. So, if an underage user fills out their profile information and interests, they will automatically get invitations to several daily discussions, which may or may not be age appropriate. They can also explore and join any kind of group.
Bullying. Clubhouse discussions are uncensored. Therefore, it’s possible that a heated discussion, biased comments, or bullying can take place.
Misinformation. If you walked through a crowded mall, you might overhear a dozen different accounts about a news event, a person, or a topic. The same holds true for Clubhouse where commentary is the currency. Therefore, misinformation is likely (as is common with any other app).
Accounts can’t be locked. Another privacy gap on Clubhouse is that accounts can’t be set to private and rooms/conversations will remain open by default unless the host makes it private, which means anyone can drop in.
The celebrity hook. Clubhouse has attracted celebrities and social media influencers to its halls who host discussions. This is a big draw for kids who want to hear real-life conversations and just get a bit closer to their favorite celebrity. Again, content can be unpredictable in these rooms and potentially risky for underage users.
Why age restrictions matter. More and more, kids who ignore age restrictions on apps are wandering into trouble. Consider talking to your child about why age restrictions exist, the consequences if they are ignored, and some alternative apps that might be safer.
Why privacy matters. While Clubhouse has grown prolifically in a short time, which has caused some concern over data privacy. According to reports, Clubhouse asks users to share their contacts and has been accused of being “overly aggressive with its connection recommendations.” Also, it’s unclear how the app collects and leverages user data. As outlined by McAfee’s Advanced Threat Research Team last month, the security of user information and communication within Clubhouse has vulnerabilities that could be exploited. For these reasons, consider discussing the data “exchange” we often make when we jump on an exciting new app, why data matters, and why it’s important to understand what’s being collected and to use any and all privacy settings. According to its privacy policy, Clubhouse also “temporarily record the audio in a room when it is live.”
Why content matters. With so many images and ideas coming across our screens every day, holding fast to our content standards can be a challenge for families. Talk to kids about why age-appropriate conversations, topics, and friend groups matter online and what happens when you try to speed up that process. Discuss how content filters and parental controls work and consider them for your family.
The good news about Clubhouse (when it comes to young users) is that along with its rapid growth, the creators are reportedly responding to consumer safety demands and daily increasing in-app safety features for reporting harassment and abuse.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Is the Clubhouse App a Safe Place for Kids to Hangout? appeared first on McAfee Blogs.
Ever since I started working in IT Security more than 10 years ago, I wondered, what helps defend against malware the best?
This simple question does not stand on its own, as there are several follow-up questions to that:
This blog will guide you through my research and thought process around these questions and how you can enable yourself to answer these for your own organization!
As mentioned above, the central question “what helps best?” has followed me throughout the years, but my methods to be able to answer this question have evolved. The first interaction I had with IT Security was more than 10 years ago, where I had to manually deploy new Anti-Virus software from a USB-key to around 100 devices. The settings were configured by a colleague in our IT-Team, and my job was to help remove infections when they came up, usually by going through the various folders or registry keys and cleaning up the remains. The most common malware was Adware, and the good-ol obnoxious hotbars which were added to the browser. I remember one colleague calling into IT saying “my internet has become so small, I can barely even read 5 lines of text” which we later translated into “I had 6 hotbars installed on my Internet Explorer so there was nearly no space left for the content to be displayed”.
Exemplary picture of the “internet” getting smaller.
Jump ahead a couple of years, I started working with McAfee ePolicy Orchestrator to manage and deploy Anti-Malware from a central place automatically, and not just for our own IT, but I was was allowed to implement McAfee ePO into our customers’ environments. This greatly expanded my view into what happens in the world of malware and I started using the central reporting tool to figure out where all these threats were coming from:
Also, I was able to understand how the different McAfee tools helped me in detecting and blocking these threats:
But this only showed the viewpoint of one customer and I had to manually overlay them to figure out what defense mechanism worked best. Additionally, I couldn’t see what was missed by the defense mechanisms, either due to configuration, missing signatures, or disabled modules. So, these reports gave me a good viewpoint into the customers I managed, but not the complete picture. I needed a different perspective, perhaps from other customers, other tools, or even other geo-locations.
Let us jump further ahead in my personal IT security timeline to about June 2020:
As you could see above, I spent quite a lot of time optimizing setups and configurations to assist customers in increasing their endpoint security. As time progressed, it became clear that solely using Endpoint Protection, especially only based on signatures, was not state of the art. Protection needs to be a combination of security controls rather than the obnoxious silver bullet that is well overplayed in cybersecurity. And still, the best product or solution set doesn’t help if you don’t know what you are looking for (Question 1&2), how to prepare (Question 4) or if you misconfigured the product including all subfolders of “C:\” as an exclusion for On-Access-Scanning (Question 5).
Then McAfee released MVISION Insights this summer and it clicked in my head:
With this data available it was possible to create a heatmap not just by geo-location or a very high number of new threats every day, hour or even minute, but on how specific types of campaigns are operating out in the wild. To start assessing the data, I took 60 ransomware campaigns dating between January and June 2020 and pulled out all the MITRE ATT&CK© techniques that have been used and displayed them on a heatmap:
Amber/Orange: Being used the most, green: only used in 1 or 2 campaigns
Reality Check 1: Does this mapping look accurate?
For me it does, and here is why:
Next, we need to understand what can be done to detect and ideally block ransomware in its tracks. For this I summarized key malware defense capabilities and mapped them to the tactics being used most:
MITRE Tactic | Security Capability | Example McAfee solution features |
Execution | Attack surface reduction | ENS Access Protection and Exploit Prevention, MVISION Insights recommendations |
Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis | |
Multi-layered protection | ENS On-Access-Scanning using Signatures, GTI, Machine-Learning and more | |
Rule & Risk-based analytics | MVISION EDR tracing | |
Containment | ENS Dynamic Application Containment | |
Persistence | Attack surface reduction | ENS Access Protection or Exploit Prevention, MVISION Insights recommendations |
Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis | |
Sandboxing and threat analysis | ATD file analysis | |
Rule & Risk-based analytics | MVISION EDR tracing | |
Containment | ENS Dynamic Application Containment | |
Defense Evasion | Attack surface reduction | ENS Access Protection and Exploit Prevention, MVISION Insights recommendations |
Multi-layered detection | ENS Exploit Prevention, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis | |
Sandboxing and threat analysis | ATD file analysis | |
Rule & Risk-based analytics | MVISION EDR tracing | |
Containment | ENS Dynamic Application Containment | |
Discovery | Attack surface reduction | ENS Access Protection and Exploit Prevention |
Multi-layered detection | ENS Exploit Prevention, MVISION EDR Tracing, ATD file analysis | |
Sandboxing and threat analysis | ATD file analysis | |
Rule & Risk-based analytics | MVISION EDR tracing | |
Command & Control | Attack surface reduction | MVISION Insights recommendations |
Multi-layered detection | ENS Firewall IP Reputation, MVISION Insights telemetry, MVISION EDR Tracing, ATD file analysis | |
Multi-layered protection | ENS Firewall | |
Rule & Risk-based analytics | MVISION EDR tracing | |
Containment | ENS Firewall and Dynamic Application Containment | |
Impact | Multi-layered detection | MVISION EDR tracing, ATD file analysis |
Rule & Risk-based analytics | MVISION EDR tracing | |
Containment | ENS Dynamic Application Containment | |
Advanced remediation | ENS Advanced Rollback |
A description of the McAfee Solutions is provided below.
Now this allowed me to map the solutions from the McAfee portfolio to each capability, and with that indirectly to the MITRE tactics. But I did not want to end here, as different tools might take a different role in the defensive architecture. For example, MVISION Insights can give you details around your current configuration and automatically overlays it with the current threat campaigns in the wild, giving you the ability to proactively prepare and harden your systems. Another example would be using McAfee Endpoint Security (ENS) to block all unsigned PowerShell scripts, effectively reducing the risk of being hit by a file-less malware based on this technology to nearly 0%. On the other end of the scale, solutions like MVISION EDR will give you great visibility of actions that have occurred, but this happens after the fact, so there is a high chance that you will have some cleaning up to do. This brings me to the topic of “improving protection before moving into detection” but this is for another blog post.
Coming back to the mapping shown above, let us quickly do…
Reality Check 2: Does this mapping feel accurate too?
For me it does, and here is why:
Now with all this data at hand we can come to the final step and bring it all together in one simple graph.
Before we jump into our conclusion, here is a quick summary of the actions I have taken:
So, without further ado and with a short drumroll I want to present to you the McAfee security architecture that best defends against current malware campaigns:
For reference, here is a quick breakdown of the components that make up the architecture above:
MVISION ePO is the SaaS-based version of our famous security management solution, which makes it possible to manage a heterogenous set of systems, policies, and events from a central place. Even though I have mentioned the SaaS-based version here, the same is true for our ePO on-premises software as well.
MVISION Insights is a key data source that helps organizations understand what campaigns and threats are trending. This is based on research from our Advanced Threat Research (ATR) team who use our telemetry data inside our Global Threat Intelligence (GTI) big-data platform to enhance the details that are provided.
MVISION Endpoint Detect & Response (EDR) is present in multiple boxes here, as it is a sensor on one side, which sits on the endpoint and collects data, and it is also a cloud service which receives, stores and analyses the data.
EPP is our Endpoint Protection Platform, which contains multiple items working in conjunction. First there is McAfee Endpoint Security (ENS) that is sitting on the device itself and has multiple detection and protection capabilities. For me, the McAfee Threat Intelligence Exchange (TIE) server is always a critical piece to McAfee’s Endpoint Protection Platform and has evolved from a standalone feature to an integrated building block inside ePO and is therefore not shown in the graphic above.
McAfee Advanced Threat Defense (ATD) extends the capabilities of both EPP and EDR, as it can run suspicious files in a separated environment and shares the information gathered with the other components of the McAfee architecture and even 3rd-party tools. It also goes the other way around as ATD allows other security controls to forward files for analysis in our sandbox, but this might be a topic for another blog post.
All the items listed above can be acquired by licensing our MVISION Premium suite in combination with McAfee ATD.
Based on the components and the mapping to the capabilities, I was also able to create a graph based on our most common device security bundles and their respective malware defense score:
In the graph above you can see four of our most sold bundles, ranging from the basic MVISION Standard, up to MVISION Premium in combination with McAfee Advanced Threat Defense (ATD). The line shows the ransomware detection & protection score, steadily rising as you go from left to right. Interestingly, the cost per point, i.e. how much dollar you need to spend to get one point, is much lower when buying the largest option in comparison to the smaller ones. As the absolute cost varies on too many variables, I have omitted an example here. Contact your local sales representative to gather an estimated calculation for your environment.
So, have I come to this conclusion by accident? Let us find out in the last installment of the reality check:
Reality Check 3: Is this security architecture well suited for today’s threats?
For me it does, and here is why:
While writing up my thoughts into the blog post, I was reminded of the “Hitchhikers Guide to the Galaxy”, as my journey in cybersecurity started out with the search for the answer to everything. But over the years it evolved into the multiple questions I prompted at the start of the article:
And certainly, the answers to these questions are a moving target. Not only do the tools and techniques by the adversaries evolve, so do all the capabilities on the defensive side.
I welcome you to take the information provided by my research and apply it to your own security architecture:
Thank you for reading this blog post and following my train of thought. I would love to hear back from you, on how you assess yourself, what could be the next focus area for my research or if you want to apply the scoring mechanism on your environment! So please find me on LinkedIn or Twitter, write me a short message or just say “Hi!”.
I also must send out a big “THANK YOU!” to all my colleagues at McAfee helping out during my research: Mo Cashman, Christian Heinrichs, John Fokker, Arnab Roy, James Halls and all the others!
The post McAfee Defenders Blog: Reality Check for your Defenses appeared first on McAfee Blogs.
After much anticipation, you finally get a notification that you’re eligible to receive your COVID-19 vaccine. Upon getting your first dose, you may be eager to celebrate by sharing a picture of your vaccination card on social media. After all, many of your peers have been doing the same. However, these posts could actually put your online privacy and personal information at risk. While you want to share the good news, experts warn that scammers could potentially exploit the information on your card.
With more people becoming eligible to receive the COVID-19 vaccine, there has been a surge in social media posts featuring peoples’ vaccine cards. However, the Better Business Bureau stated that posting photos of your card can give criminals the data they need to create and sell fake vaccination cards. Not only do vaccine cards remind you of when your next appointment is, but they also contain important personal information such as your name, date of birth, and when and where you were vaccinated.
Currently, these cards are the only proof that people have that they’ve been vaccinated. While there is still uncertainty around the next phase of the pandemic and when life will return to “normal,” it’s possible these cards could be what gets you into a restaurant or on an airplane. If you post your vaccination card on social media, scammers could potentially forge your card and use it as their own pass into public places or use it to receive a second dose. Publicly posting medical information could also void your HIPAA protections. Furthermore, cybercriminals could significantly profit from your personal information since health care records sell for more than Social Security and credit card numbers on the dark web.
Your digital wellness is just as important as your physical wellness, so protecting your online data is crucial. It’s a good rule of thumb not to post photos with your name and other identifiable information on the internet. Although it may be tempting to post your vaccination card on social media, consider these tips to help protect your online security:
Think about who you want to share the good news with and what social media platform would be best for this. Create private groups or carefully select which followers can see your posts. Then, verify that you’ve updated your privacy settings accordingly. This will prevent scammers from lurking on your posts and extracting your personal information.
Instead of posting a photo of your vaccine card, share a picture of yourself outside the vaccination center. If your vaccination center provides “I got vaccinated” stickers, you can post a picture of that as well.
Taking steps towards protecting your digital well-being is just as important as taking steps towards protecting your physical health. By following these steps, you can help ensure that your online security will not be jeopardized by celebrating your vaccination.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Protect Your Digital Wellness: Don’t Post Your Vaccination Card Online appeared first on McAfee Blogs.
In a poll conducted by the Canadian Medical Association, nearly half of Canadians have used telehealth services since the start of the pandemic. Additionally, in a recent McAfee study, we found that 21% of Canadians have used the internet for a doctor visit in 2020, and 28% said that such online visits will become a part of their routine moving forward Telehealth, or virtual care. This includes clinical services delivered remotely via electronic communications, such as videoconferencing, mobile apps and remote patient monitoring technology. Many of us have readily accepted these medical services out of necessity, as COVID have limited in-person hospital visits.
Hackers are taking advantage of the rise in virtual health services and exploiting their vulnerabilities to steal sensitive medical records. These vulnerabilities are the result of bigger issues stemming from obscure patient health information regulations and health care system budgetary constraints.
Understanding the risks associated with telehealth is the first step to securing your online safety during your virtual doctor’s visits.
At the onset of the pandemic, the number of reported Canadian cyberattacks jumped 50% from Q4 2019 to Q1 2020. Health care is one of the most targeted industries for cyberattacks. One attack even compromised the organization that manages Ontario’s medical records. Health care is such a highly targeted industry because it holds a wealth of information that fetches a high price on the dark web. Experts say medical records are more valuable than credit card details due to the amount of vital information stored in them, such as birth dates and patient ID numbers. Hackers can then hold this information for ransom or use it to steal your identity. Further, cybercriminals see health care institutions as easy targets. Canadian health care IT departments have insufficient budgets and are ill-prepared to handle the rising threats.
Canada also does not have federal guidelines governing virtual care and patient health information. Rather, health care providers and virtual care platforms are limited to the broad guidelines outlined by the Personal Information Protection and Electronic Documents Act (PIPEDA). As these are not digital security specific purpose defined guidelines and requirements, it makes it more difficult for health care providers and telehealth companies to protect patient data.
Telehealth makes care accessible to everyone; unfortunately, if you’re not careful, telehealth also opens the door for hackers. Hackers can infiltrate the technology used for online doctor’s appointments, because video conferencing technologies have several security flaws. From there, hackers can disrupt calls, eavesdrop and steal your private health information.
The advent of telehealth services has also prompted an increase in emails. Since patients may be expecting emails from their doctor, they may let their guard down and fall victim to phishers posing as a health care organization.
Prepare for your next virtual doctor’s appointment with these best practices to secure your virtual safety.
Before heading into your next telehealth appointment, ask your health care provider the right questions to online understand what risks you may face. Ascertaining this information will help you understand what actions you need to take to mitigate the risk on your end, like staying alert for eavesdroppers or finding alternative ways to confirm personal information. Here are some questions you can ask:
Phishing is a common tactic hackers use to access private health information and trick users into downloading malware. Beware of seemingly official emails under the guise of your health care provider asking for payment information or prompting you to take immediate action. If the email logo doesn’t look right, the message is poorly written, or the URL displayed doesn’t match the one that’s linked, then it’s likely a phishing scam.
Contact your health care provider before verifying sensitive information online, such as payment details or document transfer methods, to avoid falling victim to phishing. We recommend logging into your healthcare provider’s official website or app to confirm pertinent healthcare information as well. If you accidentally reply to a phishing email, perform a full malware scan on your device to ensure your private information remains secure.
It’s important to keep telehealth applications up to date to benefit from the latest bug fixes and security patches. This includes apps belonging to your IoT devices, such as glucose monitors, blood pressure monitors or other network-enabled diagnostic devices. These devices represent more entry points that hackers can infiltrate, making it especially critical to keep them up to date and close any security loopholes.
Get creative with your telehealth portal password, or better yet, use a security solution that includes a password management system. McAfee Total Protection includes a robust password management system that creates and saves strong passwords across all your accounts in one centralized location.
Ensure you’re using a telehealth platform that leverages multi-factor authentication, so even if a hacker were to acquire your password, there’s an added layer of security they won’t be able to bypass.
It’s always best to use a virtual private network (VPN) when conducting activities online, and medical visits are no exception. Using a VPN like McAfee Safe Connect VPN will ensure your data is encrypted and your private health information stays between you and your doctors. A VPN is especially important if you’re connecting from a network other than your password-protected home Wi-Fi.
Medical services are just one of many activities that have turned virtual due to the pandemic. Keep in mind these new virtual outlets come with elevated risks. Hackers are taking advantage of software vulnerabilities and taking victims unaware through social engineering tactics to steal sensitive personal information. Remember to secure your online health by taking a proactive stance against malicious threats so you can focus on your physical health during your telehealth visits.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Check up on Your Virtual Safety: Tips for Telehealth Protection appeared first on McAfee Blogs.
The number of new viruses grows every day. In fact, McAfee registers an average of 1.1 million new malicious programs and potentially unwanted apps (PUA) each day, which contributes to the millions and millions already in existence. While there is no way to know when or how cyberattacks will occur, it’s clear that antivirus software is one of the best ways to ensure you, and your devices, are safe.
Despite its proven strengths, some long-standing myths question the effectiveness of antivirus. To set the record straight, we’ve debunked five of the most common antivirus software myths, so you can rest assured that you are safely navigating the evolving cyber landscape.
We expect a lot from our devices—faster performance every time the latest model is released. As a result, many are reluctant to install apps or software that may jeopardize device performance, including antivirus software.
Many believe that antivirus software will slow down your devices. However, contrary to popular belief, quality antivirus software can improve device performance by using advanced optimizations. It’s this simple: antivirus software conducts regular system-wide scans to identify and prevent viruses and improve performance without compromising efficacy.
To run these scans, antivirus software requires system resources, which is where this myth originates. If you download or operate more than one antivirus program or download the wrong version for your system, then yes, your device will slow to a crawl. That is why it is essential to install one high-quality antivirus software that meets all your devices’ system requirements. Additionally, best-in-class antivirus software can be set to run during specific hours to avoid delays during the busiest times of your day.
The number of malware strains and potentially unwanted applications (PUA) increases every year. It is understandable why people might think that antivirus software cannot protect against them all.
However, antivirus software can provide extensive protection against the majority of malicious programs. It does so in two ways:
Taken together, a known list of threats paired with the unique capabilities of machine learning, data science, and AI for advanced threat detection enable antivirus software to protect against a wide range of existing and evolving threats.
Can you imagine grading your own driving test? You could omit the dreaded three-point turn and pass with flying colors, but the result wouldn’t be as accurate as that of an unbiased evaluator. This same concept applies to evaluating the efficacy of computer security.
It’s easy for a company to set up a test environment where they highlight all the excellent capabilities of their antivirus software and gloss over its shortcomings. It’s equally as easy for a company to commission a third-party to conduct a custom test painting the company in a good light. However, the results will not be as comprehensive or accurate as those from an independent third-party. Additionally, they also will not provide a comparative analysis with other company offerings to help users draw their own conclusions.
Independent third-party test results offer a more thorough evaluation of antivirus software. They also do a better job at evaluating security features. Furthermore, ISO-certified independent third parties lend transparency and credibility to the techniques used and ensure that evaluations align with industry standards.
There is a common belief that Apple products are protected against viruses because cybercriminals often target Windows and Android operating systems. However, Apple devices are just as vulnerable to viruses as any other computer or smartphone. Regardless of your device or operating system—macOS, iOS, Windows, or Android—if it connects to a network, it’s susceptible to viruses.
Windows and Android have long been the dominant operating systems for computers and smartphones. That’s why macOS and iOS have, up until recently, been the lesser focus for cybercriminals. The problem is that cybercriminals want to spread their viruses to the platforms with the largest customer base which just so happens to be Windows and Android. As Apple products continue to grow in popularity, cybercriminals will continue coming out with more viruses specifically targeting Macs, iPhones, and other iOS devices.
Antivirus software is not a guarantee of protection against all viruses. Some malware can and will slip through. This is where antivirus software’s ability to detect and remove malware comes in. Ours comes with a Virus Protection Pledge, which provides a 100% guarantee we’ll remove viruses on your devices, or we’ll give you your money back, all as part of your automatically renewable subscription.
However, viruses and malware are just one form of attack that hackers and bad actors will wage on their victims. They’ll also make attempts at identity theft or likewise try to invade your privacy—with the intent of stealing passwords, account information, and personal information, which could drain your debit cards, damage your credit, or otherwise impersonate you for their financial gain.
In this way, antivirus is just one form of protection. To truly stay safe as possible online, you need online protection software that looks after your identity and privacy as well. McAfee+ Ultimate offers our most comprehensive coverage, with
It is necessary to bust common myths about antivirus software to protect yourself and your family from cyberthreats. By educating yourself and selecting a best-in-class antivirus software that’s further bolstered by identity and privacy protection, you will be well on your way to implementing an effective protection strategy.
The post Myth-busting Antivirus Software Assumptions appeared first on McAfee Blog.
The MITRE ATT&CK® Framework proves that authority requires constant learning and the actionable information it contains has never held greater currency. Likewise, XDR, the category of extended detection and response applications, is quickly becoming accepted by enterprises and embraced by Gartner analysts, because they “improve security operations productivity and enhance detection and response capabilities.”
It is less well known how these tools align to improve the efficacy of your cybersecurity defenses leveraging key active cyber security industry frameworks. In MVISION XDR there’s a dynamic synergy between the MITRE ATT@CK Framework and XDR. Let’s consider how and why this matters.
One of the biggest issues with XDR platforms, according to Gartner, is a “lack of diversity in threat intel and defensive techniques.” By aligning our XDR with MITRE, we greatly expand the depth of our investigation, threat detection, and prevention capabilities while driving confidence in preventing the attack chain with relevant insights.
With MITRE ATT&CK Framework in the hands of your incident response teams, you’re utilizing a definitive and progressive playbook that articulates adversarial behaviors in a standard and authoritative way.
The Framework is a valuable resource that contains a knowledge base of adversarial techniques that security defenders can reference to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks.
In MVISION XDR, this synergy results in a shared source of truth. Adding MITRE ATT&CK into your SOC workflow is essential for analysts who need to conduct a thorough impact analysis and decide how to defend against or mitigate attacks.
Here are five powerful ways that XDR applies MITRE ATT&CK and helps operationalize the framework:
At first glance, the MITRE ATT&CK framework matrix, with its myriad of sub-techniques, reads like a checklist of concerns for your SOC analysts to evaluate. But approaching threat analysis or investigations that way may lead to a form of tunnel vision. Knowing that an attacker is not just limited to one set of techniques, MVISION XDR boosts your team’s efficacy by covering the entirety of the matrix including device, network, and cloud detection vectors.
MVISION XDR also increases your team’s situational awareness by making it easy to map and correlate tactics, techniques and procedures (TTPs) directly to MITRE ATT&CK information. XDR supplies visualizations that reduce the burden on analysts to identify patterns and assess the recommended prevention guidance.
As we’ve pointed out on other occasions, MVISION XDR can chain MITRE ATT&CK techniques into complex queries that describe behaviors, instead of individual events. MVISION XDR is hypothesis driven, utilizing Machine Learning and Artificial Intelligence to analyze threat data from multiple sources and map it to the MITRE ATT&CK framework.
Increasing the efficacy of your SOC team analysts, incident responders and other members of your team is obviously critical to producing smarter and better security outcomes including faster time to detect (MTTD) or remediate (MTTR). MVISION XDR also boosts team productivity and drives more accurate prevention by automating security functions like detection or response.
Armed with actionable intelligence your team can proactively harden the enterprise before an attack. When Gartner states that “The goal of XDR is improved detection accuracy and security operations center (SOC) productivity” we tend to think that integrating MITRE ATT&CK framework sets the standard in our competitive set.
At the end of the day, this winning combination of MITRE ATT&CK and MVISION XDR offers the C-level and Board sufficient level of evidence of resilience. A vibrant information exchange must be a two-way street. We work closely with the MITRE team and actively contributes to the development of new matrices to empower the broader MITRE ATT&CK community.
Hear more from a SOCwise expert on why MITRE matters.
The post 5 Ways MVISION XDR Innovates with MITRE ATT&CK appeared first on McAfee Blogs.
Imagine you’re driving down a highway to get to work. There are other cars on the road, but by and large everyone is moving smoothly at a crisp, legal speed limit. Then, as you approach an entry ramp, more cars join. And then more, and more, and more until all of the sudden traffic has slowed to a crawl. This illustrates a DDoS attack.
DDoS stands for Distributed Denial of Service, and it’s a method where cybercriminals flood a network with so much malicious traffic that it cannot operate or communicate as it normally would. This causes the site’s normal traffic, also known as legitimate packets, to come to a halt. DDoS is a simple, effective and powerful technique that’s fueled by insecure devices and poor digital habits. Luckily, with a few easy tweaks to your everyday habits, you can safeguard your personal devices against DDoS attacks.
The expansion of 5G, proliferation of IoT and smart devices, and shift of more industries moving their operations online have presented new opportunities for DDoS attacks. Cybercriminals are taking advantage, and 2020 saw two of the largest DDoS offensives ever recorded. In 2020, ambitious attacks were launched on Amazon and Google. There is no target too big for cybercriminals.
DDoS attacks are one of the more troubling areas in cybersecurity, because they’re incredibly difficult to prevent and mitigate.. Preventing these attacks is particularly difficult because malicious traffic isn’t coming from a single source. There are an estimated 12.5 million devices that are vulnerable to being recruited by a DDoS attacker.
DDoS attacks are fairly simple to create. All it takes are two devices that coordinate to send fake traffic to a server or website. That’s it. Your laptop and your phone, for example, could be programmed to form their own DDoS network (sometimes referred to as a botnet, more below). However, even if two devices dedicate all of their processing power in an attack, it still isn’t enough to take down a website or server. Hundreds and thousands of coordinated devices are required to take down an entire service provider.
To amass a network of that size, cybercriminals create what’s known as a “botnet,” a network of compromised devices that coordinate to achieve a particular task. Botnets don’t always have to be used in a DDoS attack, nor does a DDoS have to have a botnet to work, but more often than not they go together like Bonnie and Clyde. Cybercriminals create botnets through fairly typical means: tricking people into downloading malicious files and spreading malware.
But malware isn’t the only means of recruiting devices. Because a good deal of companies and consumers practice poor password habits, malicious actors can scan the internet for connected devices with known factory credentials or easy-to-guess passwords (“password,” for example). Once logged in, cybercriminals can easily infect and recruit the device into their cyber army.
These recruited cyber armies can lie dormant until they’re given orders. This is where a specialized server called a command and control server (typically abbreviated as a “C2”) comes into play. When instructed, cybercriminals will order a C2 server to issue instructions to compromised devices. Those devices will then use a portion of their processing power to send fake traffic to a targeted server or website and, voila! That’s how a DDoS attack is launched.
DDoS attacks are usually successful because of their distributed nature, and the difficulty in discerning between legitimate users and fake traffic. They do not, however, constitute a breach. This is because DDoS attacks overwhelm a target to knock it offline — not to steal from it. Usually DDoS attacks will be deployed as a means of retaliation against a company or service, often for political reasons. Sometimes, however, cybercriminals will use DDoS attacks as a smokescreen for more serious compromises that may eventually lead to a full-blown breach.
DDoS attacks are only possible because devices can be easily compromised. Here are three ways you can prevent your devices from participating in a DDoS attack:
Now that you know what a DDoS attack is and how to protect against it, you’re better equipped to keep your personal devices and safe and secure.
Stay Updated
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post What Is a DDoS Attack and How to Stay Safe from Malicious Traffic Schemes appeared first on McAfee Blogs.
Advancements in cloud solutions and collaboration tools in recent years, coupled with the necessity of going remote due to the pandemic, have empowered today’s workforce to choose where they want to work. While the ability to work from anywhere—home, the library, coffee shops or even the beach– gives employees increased flexibility, the shift from the traditional office setting has exposed security and logistical concerns. Remote workers often access sensitive information from unsecured devices and networks, which can result in compromised data and failed privacy compliance. It’s essential for remote workers to practice online safety to minimize the cybersecurity risks to their organizations.
It’s undeniable that the freedom to work from anywhere is an employee perk that organizations must adapt to. Here’s a breakdown of some of the risks of working remotely and what companies can do keep their sensitive information secure, even when outside the safety of their four walls:
Office closures and working-from-home mandates due to COVID-19 permanently changed the way we look at workplace connectivity. A recent Fenwick poll among HR, privacy, and security professionals across industries noted that approximately 90% of employees now handle intellectual property, confidential, and personal information on their in-home Wi-Fi as opposed to in-office networks. Additionally, many are accessing this information on personal and mobile devices that often do not have the same protections as company-owned devices. The elevated number of unprotected devices connected to unsecured networks creates weak areas in a company’s infrastructure, making it harder to protect against hackers.
One technology your organization should be especially diligent about is video conferencing software. Hackers can infiltrate video conferencing software to eavesdrop on private discussions and steal vital information. Many disrupt video calls via brute force, where they scan a list of possible meeting IDs to try and connect to a meeting. Others seek more complex infiltration methods through vulnerabilities in the actual software. Up until recently, Agora’s video conferencing software exhibited these same vulnerabilities.
Hackers will usually try to gain access to these network vulnerabilities by targeting unsuspecting employees through phishing scams which can lead to even greater consequences if they manage to insert malware or hold your data for ransom. Without proper training on how to avoid these threats, many employees wouldn’t know how to handle the impact should they become the target.
Whether you’re connecting from home or from another remote location, it’s critical to practice the same level of care as you would in the office. Here are some quick and essential security safety habits every remote employee should practice.
Phishing is one of the most common methods hackers will deploy to target unsuspecting employees to access sensitive data. In fact, over 63% of Canadian IT executives in a recent poll indicated that ransomware and phishing were the top security concerns for their organizations. Here are some ways you can spot a phishing scam:
Ensure you understand your company’s policies and confidentiality agreements when it comes to sharing files, storing documents, and other online communications. Use company-approved cloud applications that follow strict security standards to avoid inadvertently exposing sensitive company information through unsecured means. This measure can also apply when using video conferencing software. Limit the amount of sensitive information shared via video conferencing platforms and through messaging features just in case uninvited hackers are eavesdropping.
We may have brought work home with us, but nonetheless, we must strive to maintain a work/life balance and set boundaries between our personal and work life. Setting these boundaries makes it easier to separate the technology we use in our life as well. Avoid sharing your company’s devices with family members who are not aware of the best security practices, especially children. Also, keep personal accounts separate from company accounts to prevent sharing information through personal channels.
Given the flexibility to truly work from anywhere, ensure you are connected to a secure network when not connected to your home’s password-protected Wi-Fi. When connecting to an unfamiliar network, always use a VPN to encrypt data and safely share files across the internet, preferably the one your company uses, or check with your IT resource. Take preemptive measures to mitigate exposure by installing antivirus software and firewall protection to scan files and systems and protect against harmful viruses regularly.
While the COVID pandemic has sparked a remote work movement that has changed the way we look at the conventional workplace—introducing greater flexibility and the opportunity to work from anywhere—remote work is well on its way to becoming a permanent fixture in the lives of many. However, the number of employees dispersed across cities and even countries have made it more difficult to secure endpoint devices such as laptops and mobile devices. Moreover, the risk posed by unsecured networks only increases the vulnerabilities of remote workplaces. As more workplaces embrace the benefits of a fully remote workforce, we will need to give more thought to how we can facilitate a secure workplace that is collaborative yet protected. By increasing awareness of potential cyber threats and enhancing security standards for devices and home networks, we can begin to create a safer and more efficient workplace.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Stay Connected and Protected in a Remote Work Environment appeared first on McAfee Blogs.
Tax return preparation might be a little more complicated this year than usual for many Canadians with millions receiving Canada Emergency Response Benefit (CERB) payments and about 40% of the Canadian labor force turned to self-employment options to help them financially weather the pandemic storm.
Where there’s money and uncertainty, you’re likely to find scammers. After all, scammers tend to capitalize on uncertainty and use it as the entry point for their attacks. Whether it’s through a phishing email with a phony notice of reassessment, a text message threatening arrest, or a fake phone call from the Canada Revenue Agency (CRA), hackers often employ elements of fear in their attacks. McAfee’s 2021 Consumer Security Mindset study revealed that roughly 2 out of 3 Canadians (65%) plan to do their taxes online in 2021, with 12% of them doing so for the first time. With the increase in activities online, consumers are potentially exposed to more digital risks and threats, and knowing how these hackers tend to work doesn’t mean you have to live in fear. To help you identify and avoid potential threats, let’s take a look at some of the most common scams that hackers use during tax season.
Phone scams take one of two primary forms:
Some sophisticated scammers will weave stolen personal or financial data that they purchased on the dark web into their calls, such as bank or social insurance information. They intend to make their phony claims sound legitimate, hoping that an unsuspecting user will hand over their data or make a fraudulent payment.
So, what does a real call from the CRA entail? The CRA clearly outlines the reasons they’d be calling on their 2020 Tax Tips page and ways that you can follow up with the CRA to determine if a call is legitimate.
There are two instances where the CRA may contact you by email. One is during a telephone call or meeting with a legitimate CRA agent. The second is to send you a notification that you have a message or document for your review on a secure CRA site such as My Account, My Business Account, or Represent a Client. Anything else is likely a scam.
The one time where the CRA will send you an email containing links is if you have a call or meeting with an agent, as outlined above. Otherwise, you can be confident that an email with links is a scam.
This one is relatively straightforward: the CRA will never contact you via text, instant messaging, Facebook, WhatsApp, or any similar messaging service. If you receive such a message, delete it, and don’t click on any links embedded within it.
In many cases, hackers will aim to separate you from your money by demanding immediate payment in some form or other. They may request payment in pre-loaded debit cards, gift cards, e-transfer, or even bitcoin. Know that the CRA will never request payment in any of those forms.
When in doubt, ask yourself why this email or phone caller is demanding that you act immediately. Have you filed on time? Have you received written notice from the CRA already? Do you owe an installment payment? If the person contacting you leaves you unsure, you can confirm that the contact was legitimate by calling the CRA.
While recognizing the signs of tax-related fraud can help ease the burdens associated with these schemes, there are multiple steps you can take to prevent becoming a victim of tax scams in the first place. Follow these tips to stay on top of your tax return while securing your digital life:
Devices benefit from physical security. This is as simple as locking your smartphones, tablets, and computers with a PIN or password. Should one of those devices get lost or stolen, a lock provides a barrier for those who might try to access your personal and financial information on them.
Protecting your devices with comprehensive security software can help block the phishing emails and suspicious links that make up many of these tax attacks. Likewise, it can further protect you from ransomware attacks, another type of tax scam on the rise, where crooks hold your data hostage for a price. All in all, security software is always a smart move—tax time or any time.
Consider what’s on your old computer hard drive or stored away on your phone. Old devices tend to contain loads of precious personal and financial information. Look into the e-waste disposal options in your community that will recycle your old technology and do so securely.
While so many of our finances are handled electronically today (taxes included), we’d be remiss if we didn’t talk about physical security as well. Mail and porch theft still occur, which is one more way a thief can steal your personal and financial information to use in a scam. A locking mailbox is a purchase you may want to consider if you don’t have one already.
Recognizing the signs of tax-related fraud could allow you to take action and significantly suppress the repercussions. If you suspect you’ve fallen victim to fraud or believe that you’ve been tricked into giving away personal information as part of a scam, contact your local police service and make a report.
By staying proactive and vigilant, you’ll be in a better position to protect your identity and your data—and live your digital life with safety at the forefront.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Tax Season is Here: Avoid These Common Scams Targeting Canadians appeared first on McAfee Blogs.
Distance and hybrid learning environments are now the norm, and it remains to be seen if or when this will change. To adapt, many schools have adopted new software to support remote classroom management.
One such platform is Netop Vision Pro, a student monitoring system that helps teachers facilitate remote learning. The software allows teachers to perform tasks remotely on students’ computers, such as locking their devices, blocking web access, remotely controlling their desktops, running applications, and sharing documents. However, the McAfee Advanced Threat Research (ATR) team recently discovered multiple vulnerabilities with Netop Vision Pro that could be exploited by a hacker to gain full control over students’ computers.
Let’s dive into these vulnerabilities and unpack how you can help protect your students in the virtual classroom.
Just like a school science project, our researchers created a simulation to test their hypothesis regarding the potential software bugs. The McAfee ATR team set up the Netop software to mimic a virtual classroom with four devices on a local network. Three devices were appointed as students, and one was designated as the teacher. During the setup, the team noticed that there were different permission levels between student profiles and teacher profiles. They decided to see what would happen if they targeted a student profile, since this would likely be the avenue a hacker would take since they could cause more damage. With their experiment set up, it was time for our researchers to get inside the mind of a cybercriminal.
While observing the virtual classroom, the ATR team discovered that all network traffic — including sensitive information like Windows credentials — was unencrypted with no option to turn encryption on during configuration. They also noticed that a student connecting to a classroom would unknowingly begin sending screenshots to the teacher.
Furthermore, the ATR team noticed that teachers would send students a network packet (a small segment of internet data) prompting them to connect to the classroom. With this information, the team was able to disguise themselves as a teacher by modifying their code. From there, they explored how a hacker could take advantage of the compromised connection.
The McAfee ATR team turned their attention to Netop Vision Pro’s chat function, which allows teachers to send messages or files to a student’s computer, as well as delete files. Any files sent by a teacher are stored in a “work directory,” which the student can open from an instant message (IM) window. Based on the team’s discovery that a hacker could disguise themselves as a teacher, it became clear that hackers could also use this functionality to overwrite existing files or entice an unsuspecting student to click on a malicious file.
Of course, remote learning software is necessary right now to ensure that our children stay on top of their studies. However, it’s important that we educate ourselves on these platforms to help protect our students’ privacy. While the Netop Vision Pro student screen shares may seem like a viable option for holding students accountable in the virtual classroom, it could allow a hacker to spy on the contents of the students’ devices. While the functionality allows teachers to monitor their students in real-time, it also puts their privacy at risk.
If a hacker is able to impersonate a teacher with modified code, they could also send malicious files that contain malware or other phishing links to a student’s computer. Netop Vision Pro student profiles also broadcast their presence on the network every few seconds, allowing an attacker to scale their attacks to an entire school system.
Finally, if a hacker is able to gain full control over all target systems using the vulnerable software, they can equally bridge the gap from a virtual attack to the physical environment. The hacker could enable webcams and microphones on the target system, allowing them to physically observe your child and their surrounding environment.
Our researchers reported all vulnerabilities discovered to Netop and heard back from the company shortly after. In the latest software release 9.7.2, Netop has addressed many of the issues the McAfee ATR team discovered. Students can no longer overwrite system files, which could be used take control of the student machine. Additionally, Windows credentials are now encrypted when being sent over the network. Netop also told McAfee that they have plans to implement full network encryption in a future update, which will prevent an attacker from easily monitoring student’s screens and prevent them from being able to emulate a teacher.
While Netop works to remedy these issues internally, there are some critical steps parents can take to help protect and empower your children in the virtual classroom. Check out the following tips to bring you and your family peace of mind while using third-party education platforms:
If your student is required to use Netop Vision Pro or other third-party software while distance learning, have them use this technology on a device strictly used for educational purposes. If the software contains any bugs, this prevents other important accounts used for online banking, emails, remote work, etc. from becoming vulnerable to the software risks.
It’s important to keep in mind that Netop Vision Pro was never intended to be internet-facing or taken off a school network. Let’s look at this scenario through the eyes of a hacker: they will likely try to take advantage of these vulnerabilities by delivering a malicious payload (parts of cyberattacks that can cause harm) or phishing attempts. To protect your students from these threats, utilize a comprehensive security solution like McAfee® Total Protection, which helps defend your entire family from the latest threats and malware while providing safe web browsing.
Educators want to keep their students’ best interest and safety in mind, so talk to your child’s teacher or principal if you ever have concerns regarding the software they are using for distance learning. If your student is required to use Netop, ensure that the teacher or principal is aware of the vulnerabilities listed above so they can be sure to administer the necessary software updates to keep your child and their classmates safe.
A simple yet affective way to prevent hackers from spying on you and your family is to use a webcam cover for when class is not in session. Instruct your student to place a cover over their camera when they are not using it to bring you and your student greater peace of mind.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Keep Remote Classes Safe and in Session: What You Need to Know About Netop Vision Pro appeared first on McAfee Blogs.
The McAfee Labs Advanced Threat Research team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated software installed on computers used in K-12 school districts. The focus of this blog is on Netop Vision Pro produced by Netop. Our research into this software led to the discovery of four previously unreported critical issues, identified by CVE-2021-27192, CVE-2021-27193, CVE-2021-27194 and CVE-2021-27195. These findings allow for elevation of privileges and ultimately remote code execution, which could be used by a malicious attacker, within the same network, to gain full control over students’ computers. We reported this research to Netop on December 11, 2020 and we were thrilled that Netop was able to deliver an updated version in February of 2021, effectively patching many of the critical vulnerabilities.
Netop Vision Pro is a student monitoring system for teachers to facilitate student learning while using school computers. Netop Vision Pro allows teachers to perform tasks remotely on the students’ computers, such as locking their computers, blocking web access, remotely controlling their desktops, running applications, and sharing documents. Netop Vision Pro is mainly used to manage a classroom or a computer lab in a K-12 environment and is not primarily targeted for eLearning or personal devices. In other words, the Netop Vision Pro Software should never be accessible from the internet in the standard configuration. However, as a result of these abnormal times, computers are being loaned to students to continue distance learning, resulting in schooling software being connected to a wide array of networks increasing the attack surface.
Netop provides all software as a free trial on its website, which makes it easy for anyone to download and analyze it. Within a few minutes of downloading the software, we were able to have it configured and running without any complications.
We began by setting up the Netop software in a normal configuration and environment. We placed four virtual machines on a local network; three were set up as students and one was set up as a teacher. The three student machines were configured with non-administrator accounts in our attempt to emulate a normal installation. The teacher first creates a “classroom” which then can choose which student PCs should connect. The teacher has full control and gets to choose which “classroom” the student connects to without the student’s input. Once a classroom has been setup, the teacher can start a class which kicks off the session by pinging each student to connect to the classroom. The students have no input if they want to connect or not as it is enforced by the teacher. Once the students have connected to the classroom the teacher can perform a handful of actions to the entire class or individual students.
During this setup we also took note of the permission levels of each component. The student installation needs to be tamperproof and persistent to prevent students from disabling the service. This is achieved by installing the Netop agent as a system service that is automatically started at boot. The teacher install executes as a normal user and does not start at boot. This difference in execution context and start up behavior led us to target the student installs, as an attacker would have a higher chance of gaining elevated system permissions if it was compromised. Additionally, the ratio of students to teachers in a normal school environment would ensure any vulnerabilities found on the student machines would be wider spread.
With the initial install complete, we took a network capture on the local network and took note of the traffic between the teacher and student. An overview of the first few network packets can been seen in Figure 1 below and how the teacher, student transaction begins.
Figure 1: Captured network traffic between teacher and student
Our first observation, now classified as CVE-2021-27194, was that all network traffic was unencrypted with no option to turn encryption on during configuration. We noticed that even information normally considered sensitive, such as Windows credentials (Figure 2) and screenshots (Figure 4), were all sent in plaintext. Windows credentials were observed on the network when a teacher would issue a “Log on” command to the student. This could be used by the teacher or admin to install software or simply help a student log in.
Figure 2: Windows credentials passed in plaintext
Additionally, we observed interesting default behavior where a student connecting to a classroom immediately began to send screen captures to the classroom’s teacher. This allows the teacher to monitor all the students in real time, as shown in Figure 3.
Figure 3: Teacher viewing all student machines via screenshots
Since there is no encryption, these images were sent in the clear. Anyone on the local network could eavesdrop on these images and view the contents of the students’ screens remotely. A new screenshot was sent every few seconds, providing the teacher and any eavesdroppers a near-real time stream of each student’s computer. To capture and view these images, all we had to do was set our network card to promiscuous mode (https://www.computertechreviews.com/definition/promiscuous-mode/) and use a tool like Driftnet (https://github.com/deiv/driftnet). These two steps allowed us to capture the images passed over the network and view every student screen while they were connected to a classroom. The image in Figure 4 is showing a screenshot captured from Driftnet. This led us to file our first vulnerability disclosed as CVE-2021-27194, referencing “CWE-319: Cleartext Transmission of Sensitive Information” for this finding. As pointed out earlier, the teacher and the student clients will communicate directly over the local network. The only way an eavesdropper could access the unencrypted data would be by sniffing the traffic on the same local network as the students.
Figure 4: Image of student’s desktop captured from Driftnet over the network
With the goal of remote code execution on the students’ computers, we began to dissect the first network packet, which the teacher sends to the students, telling them to connect to the classroom. This was a UDP message sent from the teacher to all the students and can be seen in Figure 5.
Figure 5: Wireshark capture of teacher’s UDP message
The purpose of this packet is to let the student client software know where to find the teacher computer on the network. Because this UDP message is sent to all students in a broadcast style and requires no handshake or setup like TCP, this was a good place to start poking at.
We created a custom Scapy layer (https://scapy.readthedocs.io/en/latest/api/scapy.layers.html) (Figure 6) from the UDP message seen in Figure 5 to begin dissecting each field and crafting our own packets. After a few days of fuzzing with UDP packets, we were able to identify two things. First, we observed a lack of length checks on strings and second, random values sent by the fuzzer were being written directly to the Windows registry. The effect of these tests can easily be seen in Figure 7.
Figure 6: UDP broadcast message from teacher
Even with these malformed entries in the registry (Figure 7) we never observed the application crashing or responding unexpectedly. This means that even though the application wasn’t handling our mutated packet properly, we never overwrote anything of importance or crossed a string buffer boundary.
Figure 7: Un-sanitized characters being written to the Registry
To go further we needed to send the next few packets that we observed from our network capture (Figure 8). After the first UDP message, all subsequent packets were TCP. The TCP messages would negotiate a connection between the student and the teacher and would keep the socket open for the duration of the classroom connection. This TCP negotiation exchange was a transfer of 11 packets, which we will call the handshake.
Figure 8: Wireshark capture of a teacher starting class
To respond appropriately to the TCP connection request, we needed to emulate how a valid teacher would respond to the handshake; otherwise, the student would drop the connection. We began reverse engineering the TCP network traffic and attempted to emulate actual “teacher” traffic. After capturing a handful of packets, the payloads started to conform to roughly the same format. Each started with the size of the packet and the string “T125”. There were three packets in the handshake that contained fields that were changing between each classroom connection. In total, four changing fields were identified.
The first field was the session_id, which we identified in IDA and is shown in the UDP packet from Figure 6. From our fuzzing exercise with the UDP packet, we learned if the same session_id was reused multiple times, the student would still respond normally, even though the actual network traffic we captured would often have a unique session_id.
This left us three remaining dynamic fields which we identified as a teacher token, student token, and a unique unknown DWORD (8 bytes). We identified two of these fields by setting up multiple classrooms with different teacher and student computers and monitoring these values. The teacher token was static and unique to each teacher. We discovered the same was true with the student token. This left us with the unique DWORD field that was dynamic in each handshake. This last field at first seemed random but was always in the same relative range. We labeled this as “Token3” for much of our research, as seen in Figure 9 below.
Figure 9: Python script output identifying “Token3”
Eventually, while using WinDbg to perform dynamic analysis, the value of Token3 started to look familiar. We noticed it matched the range of memory being allocated for the heap. This can be seen in Figure 10.
Figure 10: WinDbg address space analysis from a student PC
By combining our previous understanding of the UDP broadcast traffic with our ability to respond appropriately to the TCP packets with dynamic fields, we were able to successfully emulate a teacher’s workstation. We demonstrated this by modifying our Python script with this new information and sending a request to connect with the student. When a student connects to a teacher it displays a message indicating a successful connection has been made. Below are two images showing a teacher connecting (Figure 11) and our Python script connecting (Figure 12). Purely for demonstration purposes, we have named our attack machine “hacker”, and our classroom “hacker-room.”
Figure 11: Emulation of a teacher successful
Figure 12: Emulated teacher connection from Python script
To understand the process of reverse engineering the network traffic in more detail, McAfee researchers Douglas McKee and Ismael Valenzuela have released an in-depth talk on how to hack proprietary protocols like the one used by Netop. Their webinar goes into far more detail than this blog and can be viewed here.
Since we have successfully emulated a teacher’s connection using Python, for clarity we will refer to ourselves as the attacker and a legitimate connection made through Netop as the teacher.
Next, we began to look at some of the actions that teachers can perform and how we could take advantage of them. One of the actions that a teacher can perform is starting applications on the remote students’ PCs. In the teacher suite, the teacher is prompted with the familiar Windows Run prompt, and any applications or commands set to run are executed on the student machines (Figure 13).
Figure 13: The teacher “Run Application” prompt
Looking at the network traffic (shown in Figure 14), we were hoping to find a field in the packet that could allow us to deviate from what was possible using the teacher client. As we mentioned earlier, everything is in plaintext, making it quite easy to identify which packets were being sent to execute applications on the remote systems by searching within Wireshark.
Figure 14: Run “calc” packet
Before we started to modify the packet that runs applications on the student machines, we first wanted to see if we could replay this traffic successfully. As you can see in the video below, our Python script was able to run PowerShell followed by Windows Calculator on each of the student endpoints. This is showcasing that even valid teacher actions can still be useful to attackers.
The ability for an attacker to emulate a teacher and execute arbitrary commands on the students’ machines brings us to our second CVE. CVE-2021-27195 was filed for “CWE-863: Incorrect Authorization” since we were able to replay modified local network traffic.
When the teacher sends a command to the student, the client would drop privileges to that of the logged-in student and not keep the original System privileges. This meant that if an attacker wanted unrestricted access to the remote system, they could not simply replay normal traffic, but instead would have to modify each field in the traffic and observe the results.
In an attempt to find a way around the privilege reduction during command execution, we continued fuzzing all fields located within the “run command” packet. This proved unsuccessful as we were unable to find a packet structure that would prevent the command from lowering privileges. This required a deeper dive into the code in handling the remote command execution processed on the student endpoint. By tracing the execution path within IDA, we discovered there was in fact a path that allows remote commands to execute without dropping privileges, but it required a special case, as shown in Figure 15.
Figure 15: IDA graph view showing alternate paths of code execution
Figure 16: Zoomed in image of the ShellExecute code path
The code path that bypasses the privilege reduction and goes directly to “ShellExecute” was checking a variable that had its value set during startup. We were not able to find any other code paths that updated this value after the software started. Our theory is this value may be used during installation or uninstallation, but we were not able to legitimately force execution to the “ShellExecute” path.
This code path to “ShellExecute” made us wonder if there were other similar branches like this that could be reached. We began searching the disassembled code in IDA for calls not wrapped with code resulting in lower privileges. We found four cases where the privileges were not reduced, however none of them were accessible over the network. Regardless, they still could potentially be useful, so we investigated each. The first one was used when opening Internet Explorer (IE) with a prefilled URL. This turned out to be related to the support system. Examining the user interface on the student machine, we discovered a “Technical Support” button which was found in the Netop “about” menu.
When the user clicks on the support button, it opens IE directly into a support web form. The issue, however, is privileges are never dropped, resulting in the IE process being run as System because the Netop student client is also run as System. This can be seen in Figure 11. We filed this issue as our third CVE, CVE-2021-27192 referencing “CWE-269: Incorrect Privilege Assignment”.
Figure 17: Internet Explorer running as System
There are a handful of well-documented ways to get a local elevation of privilege (LPE) using only the mouse when the user has access to an application running with higher privileges. We used an old technique which uses the “Save as” button to navigate to the folder where cmd.exe is located and execute it. The resulting CMD process inherits the System privileges of the parent process, giving the user a System-level shell.
While this LPE was exciting, we still wanted to find something with a remote attack vector and utilize our Python script to emulate teacher traffic. We decided to take a deeper dive into the network traffic to see what we could find. Simulating an attacker, we successfully emulated the following:
During the emulation of all the above actions we performed some rudimentary fuzzing on various fields of each and discovered six crashes which caused the Netop student install to crash and restart. We were able to find two execution violations, two read violations, one write exception, and one kernel exception. After investigation, we determined these crashes were not easily exploitable and therefore a lower priority for deeper investigation. Regardless, we reported them to Netop along with all other findings.
Netop Vision Pro comes with a handful of plugins installed by default, which are used to separate different functionality from the main Netop executable. For example, to enable the ability for the teacher and student to instant message (IM) each other, the MChat.exe plugin is used. With a similar paradigm to the main executable, the students should not be able to stop these plugins, so they too run as System, making them worth exploring.
Mimicking our previous approach, we started to look for “ShellExecute” calls within the plugins and eventually discovered three more privilege escalations, each of which were conducted in a comparable way using only the mouse and bypassing restrictive file filters within the “Save as” windows. The MChat.exe, SSView.exe (Screen Shot Viewer), and the About page’s “System Information” windows all had a similar “Save as” button, each resulting in simple LPEs with no code or exploit required. We added each of these plugins under the affected versions field on our third CVE, CVE-2021-27192, mentioned above.
We were still searching for a method to achieve remote code execution and none of the “ShellExecute” calls used for the LPEs were accessible over the network. We started to narrow down the plugins that pass user supplied data over the network. This directed our attention back to the MChat plugin. As part of our initial recon for research projects, we reviewed change logs looking for any relevant security changes. During this review we noted an interesting log pertaining to the MChat client as seen in Figure 13.
Figure 18: Change log from Netop.com
The Chat function runs as System, like all the plugins, and can send text or files to the remote student computer. An attacker can always use this functionality to their advantage by either overwriting existing files or enticing a victim to click on a dropped executable. Investigating how the chat function works and specifically how files are sent, we discovered that the files are pushed to the student computers without any user interaction from the student. Any files pushed by a teacher are stored in a “work directory”, which the student can open from the IM window. Prior to the latest release it would have been opened as System; this was fixed as referenced in Figure 18. Delving deeper into the functionality of the chat application, we found that the teacher also has the ability to read files in the student’s “work directory” and delete files within it. Due to our findings demonstrated with CVE-2021-27195, we can leverage our emulation code as an attacker to write, read, and delete files within this “work directory” from a remote attack vector on the same local network. This ability to read and write files accounted for the last CVE that we filed, CVE-2021-27193 referencing “CWE-276: Incorrect Default Permissions,” with the overall highest CVSS score of 9.5.
In order to determine if the MChat plugin would potentially give us System-level access, we needed to investigate if the plugin’s file operations were restricted to the student’s permissions or if the plugin inherited the System privileges from the running context. Examining the disassembled code of the MChat plugin, as displayed in Figure 14, we learned that all file actions on the student computer are executed with System privileges. Only after the file operation finishes will the permissions be set to allow access for everyone, essentially the effect of using the Linux “chmod 777” command, to make the files universally read/writable.
Figure 19: IDA screenshot of MChat file operations changing access to everyone
To validate this, we created several test files using an admin account and restricted the permissions to disallow the student from modifying or reading the test files. We proceeded to load the teacher suite, and through an MChat session confirmed we were able to read, write, and delete these files. This was an exciting discovery; however, if the attacker is limited to the predetermined “work directory” they would be limited in the effect they could have on the remote target. To investigate if we could change the “work directory” we began digging around in the teacher suite. Hidden in a few layers of menus (Figure 20) we found that a teacher can indeed set the remote student’s “work directory” and update this remotely. Knowing we can easily emulate any teacher’s command means that we could modify the “work directory” anywhere on the student system. Based on this, an attacker leveraging this flaw could have System access to modify any file on the remote PC.
Figure 20: Changing the remote student path from a teacher’s client
Now that we knew that the teacher could overwrite any file on the system, including system executables, we wanted to automate this attack and add it to our Python script. By automating this we want to showcase how attackers can use issues like this to create tools and scripts that have real world impacts. For a chat session to begin, we had to initiate the 11-packet handshake we previously discussed. Once the student connected to our attack machine, we needed to send a request to start a chat session with the target student. This request would make the student respond using TCP, yet this time, on a separate port, initiating an MChat seven-packet handshake. This required us to reverse engineer this new handshake format in a similar approach as described earlier. Unlike the first handshake, the MChat handshake had a single unique identifier for each session, and after testing, it was determined that the ID could be hardcoded with a static value without any negative effects.
Finally, we wanted to overwrite a file that we could ensure would be executed with System privileges. With the successful MChat handshake complete we needed to send a packet that would change the “work directory” to that of our choosing. Figure 21 shows the packet as a Scapy layer used to change the work directory on the student’s PC. The Netop plugin directory was a perfect target directory to change to since anything executed from this directory would be executed as System.
Figure 21: Change working directory on the student PC
The last step in gaining System-level execution was to overwrite and execute one of the plugins with a “malicious” binary. Through testing we discovered that if the file already exists in the same directory, the chat application is smart enough to not overwrite it, but instead adds a number to the filename. This is not what we wanted since the original plugin would get executed instead of our “malicious” one. This meant that we had to also reverse engineer a packet containing commands that are used to delete files. The Scapy layer used to delete a file and save a new one is shown in Figure 22.
Figure 22: Python Scapy layers to “delete” (MChatPktDeleteFile) and “write” (MChatPkt6) files
With these Scapy layers we were able to replace the target plugin with a binary of our choosing, keeping the same name as the original plugin. We chose the “SSView.exe” plugin, which is a plugin used to show screenshots on the student’s computer. To help visualize this entire process please reference Figure 23.
Figure 23: An attack flow using the MChat plugin to overwrite an executable
Now that the SSView.exe plugin has been overwritten, triggering this plugin will execute our attacker-supplied code. This execution will inherit the Netop System privileges, and all can be conducted from an unauthenticated remote attack vector.
It is not hard to imagine a scenario where a culmination of these issues can lead to several negative outcomes. The largest impact being remote code execution of arbitrary code with System privileges from any device on the local network. This scenario has the potential to be wormable, meaning that the arbitrary binary that we run could be designed to seek out other devices and further the spread. In addition, if the “Open Enrollment” option for a classroom is configured, the Netop Vision Pro student client broadcasts its presence on the network every few seconds. This can be used to an attacker’s advantage to determine the IP addresses of all the students connected on the local network. As seen in Figure 24, our Python script sniffed for student broadcast messages for 5 seconds and found all three student computers on the same network. Because these broadcast messages are sent out to the entire local network, this could very well scale to an entire school system.
Figure 24: Finding all students on the local network.
With a list of computers running the student software, an attacker can then issue commands to each one individually to run arbitrary code with System privileges. In the context of hybrid and e-learning it is important to remember that this software on the student’s computer doesn’t get turned off. Because it is always running, even when not in use, this software assumes every network the device connects to could have a teacher on it and begins broadcasting its presence. An attacker doesn’t have to compromise the school network; all they need is to find any network where this software is accessible, such as a library, coffee shop, or home network. It doesn’t matter where one of these student’s PCs gets compromised as a well-designed malware could lay dormant and scan each network the infected PC connects to, until it finds other vulnerable instances of Netop Vision Pro to further propagate the infection.
Once these machines have been compromised the remote attacker has full control of the system since they inherit the System privileges. Nothing at this point could stop an attacker running as System from accessing any files, terminating any process, or reaping havoc on the compromised machine. To elaborate on the effects of these issues we can propose a few scenarios. An attacker could use the discoverability of these machines to deploy ransomware to all the school computers on the network, bringing the school or entire school district to a standstill. A stealthier attacker could silently install keylogging software and monitor screenshots of the students which could lead to social media or financial accounts being compromised. Lastly, an attacker could monitor webcams of the students, bridging the gap from compromised software to the physical realm. As a proof of concept, the video below will show how an attacker can put CVE-2021-27195 and CVE-2021-27193 together to find, exploit, and monitor the webcams of each computer running Netop Vision Pro.
Secure adaptation of software is much easier to achieve when security is baked in from the beginning, rather than an afterthought. It is easy to recognize when software is built for “safe” environments. While Netop Vision Pro was never intended to be internet-facing or be brought off a managed school network, it is still important to implement basic security features like encryption. While designing software one should not assume what will be commonplace in the future. For instance, when this software was originally developed the concept of remote learning or hybrid learning was a far-out idea but now seems like it will be a norm. When security decisions are integrated from inception, software can adapt to new environments while keeping users better protected from future threats.
We disclosed all these findings to Netop on December 11, 2020 and heard back from them shortly after. Our disclosure included recommendations for implementing encryption of all network traffic, adding authentication, and verification of teachers to students, and more precise packet parsing filters. In Netop Vision Pro 9.7.2, released in late February, Netop has fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within the MChat client. The local privilege escalations were fixed by running all plugins as the student and no longer as System. This way, the “Save as” buttons are limited to the student’s account. The Windows credentials are now encrypted using RC4 before being sent over the network, preventing eavesdroppers from gathering account credentials. Lastly, since all the plugins are running as the student, the MChat client can no longer delete and replace system executables which successfully mitigates the attack shown in the impact section. The network traffic is still unencrypted, including the screenshots of the student computers but Netop has assured us it is working on implementing encryption on all network traffic for a future update. We’d like to recognize Netop’s outstanding response and rapid development and release of a more secure software version and encourage industry vendors to take note of this as a standard for responding to responsible disclosures from industry researchers.
The post Netop Vision Pro – Distance Learning Software is 20/20 in Hindsight appeared first on McAfee Blogs.
In this report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team details an espionage campaign, targeting telecommunication companies, dubbed Operation Diànxùn.
In this attack, we discovered malware using similar tactics, techniques and procedures (TTPs) to those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. While the initial vector for the infection is not entirely clear, we believe with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection. We believe with a medium level of confidence that the attackers used a phishing website masquerading as the Huawei company career page to target people working in the telecommunications industry.
We discovered malware that masqueraded as Flash applications, often connecting to the domain “hxxp://update.careerhuawei.net” that was under control of the threat actor. The malicious domain was crafted to look like the legitimate career site for Huawei, which has the domain: hxxp://career.huawei.com. In December, we also observed a new domain name used in this campaign: hxxp://update.huaweiyuncdn.com.
Moreover, the sample masquerading as the Flash application used the malicious domain name “flach.cn” which was made to look like the official web page for China to download the Flash application, flash.cn. One of the main differences from past attacks is the lack of use of the PlugX backdoor. However, we did identify the use of a Cobalt Strike backdoor.
By using McAfee’s telemetry, possible targets based in Southeast Asia, Europe, and the US were discovered in the telecommunication sector. We also identified a strong interest in German, Vietnamese and India telecommunication companies. Combined with the use of the fake Huawei site, we believe with a high level of confidence that this campaign was targeting the telecommunication sector. We believe with a moderate level of confidence that the motivation behind this specific campaign has to do with the ban of Chinese technology in the global 5G roll-out.
Activity linked to the Chinese group RedDelta, by peers in our industry, has been spotted in the wild since early May 2020. Previous attacks have been described targeting the Vatican and religious organizations.
In September 2020, the group continued its activity using decoy documents related to Catholicism, Tibet-Ladakh relations and the United Nations General Assembly Security Council, as well as other network intrusion activities targeting the Myanmar government and two Hong Kong universities. These attacks mainly used the PlugX backdoor using DLL side loading with legitimate software, such as Word or Acrobat, to compromise targets.
While external reports have given a new name to the group which attacked the religious institutions, we believe with a moderate level of confidence, based on the similarity of TTPs, that both attacks can be attributed to one known threat actor: Mustang Panda.
We believe the best way to protect yourself from this type of attack is to adopt a multi-layer approach including MVISION Insights, McAfee Web Gateway, MVISION UCE and MVISION EDR.
MVISION Insights can play a key role in risk mitigation by proactively collecting intelligence on the threat and your exposure.
McAfee Web Gateway and MVISION UCE provide multi-layer web vector protection with URL Reputation check, SSL decryption, and malware emulation capabilities for analyzing dangerous active Web content such as Flash and DotNet. MVISION UCE also includes the capabilities of Remote Browser Isolation, the only solution that can provide 100% protection during web browsing.
McAfee Endpoint Security running on the target endpoint protects against Operation Dianxun with an array of prevention and detection techniques. ENS Threat Prevention and ATP provides both signature and behavioral analysis capability which proactively detects the threat. ENS also leverages Global Threat Intelligence which is updated with known IoCs. For DAT based detections, the family will be reported as Trojan-Cobalt, Trojan-FSYW, Trojan-FSYX, Trojan-FSZC and CobaltStr-FDWE.
As the last phase of the attack involves creating a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon, the blocking features that can be activated on a Next Generation Intrusion Prevention System solution such as McAfee NSP are important, NSP includes a Callback Detection engine and is able to detect and block anomalies in communication signals with C2 Servers.
MVISION EDR can proactively identify persistence and defense evasion techniques. You can also use MVISION EDR to search the indicators of compromise in Real-Time or Historically (up to 90 days) across enterprise systems.
Learn more about Operation Diànxùn, including Yara & Mitre ATT&CK techniques, by reading our technical analysis and Defender blog.
We assess with a high level of confidence that:
We assess with a moderate level of confidence that:
PLEASE NOTE: We have no evidence that the technology company Huawei was knowingly involved in this Campaign.
McAfee Advanced Threat Research (ATR) is actively monitoring this threat and will update as its visibility into the threat increases.
The post Operation Diànxùn: Cyberespionage Campaign Targeting Telecommunication Companies appeared first on McAfee Blogs.
In a recent report the McAfee Advanced Threat Research (ATR) Strategic Intelligence team disclosed an espionage campaign, targeting telecommunication companies, named Operation Diànxùn.
The tactics, techniques and procedures (TTPs) used in the attack are like those observed in earlier campaigns publicly attributed to the threat actors RedDelta and Mustang Panda. Most probably this threat is targeting people working in the telecommunications industry and has been used for espionage purposes to access sensitive data and to spy on companies related to 5G technology.
While the initial vector for the infection is not entirely clear, the McAfee ATR team believes with a medium level of confidence that victims were lured to a domain under control of the threat actor, from which they were infected with malware which the threat actor leveraged to perform additional discovery and data collection. It is our belief that the attackers used a phishing website masquerading as the Huawei company career page.
So, how can I defend my organization as effectively as possible from an attack of this type, which involves different techniques and tactics and potential impact? To answer this question, we believe it is necessary to have a multi-layer approach and analyze the various steps, trying to understand the best way to deal with them one by one with an integrated security architecture. Below is a summary of how McAfee’s Security Architecture helps you to protect against the tactics and techniques used in Operation Dianxun.
The goal is to shift-left and block or identify a threat as soon as possible within the Kill Chain to limit any further damage. Shifting-left starts with MVISION Insights, which proactively collects intelligence on the threat and provides details on the indicators of compromise and the MITRE techniques used in the attack. MVISION Insights combines McAfee’s Threat Intelligence research with telemetry from your endpoint controls to reduce your attack surface against emerging threats. MVISION Insights tracks over 800+ Advanced Persistent Threat and Cyber Crime campaigns as researched by McAfee’s ATR team, including Operation Dianxun, sharing a quick summary of the threat, providing external resources, and a list of known indicators such as files, URLs, or IP addresses.
As a threat intelligence analyst or responder, you can drill down into the MVISION Insights interface to gather more specific information on the Operation Dianxun campaign, verify the associated severity, check for geographical prevalence and links to other sources of information. Moreover, MVISION Insights provides useful information like the McAfee products coverage with details of minimum AMCore version; this kind of information is handy to verify actual defensive capabilities within the enterprise and could raise the risk severity in case of weak coverage.
Additional information is available to further investigate on IoCs and MITRE Techniques associated to the campaign. IoCs can be also exported in STIX2 format to be ingested in other tools for automating responses or updating defenses.
The first step ahead of identification is to ensure our architecture can stop or identify the threat in the initial access vector. In this case, the initial delivery vector is a phishing attack so the web channel is therefore fundamental in the initial phase of the infection. McAfee Web Gateway and MVISION UCE provide multi-layer web vector protection with URL Reputation check, SSL decryption, and malware emulation capabilities for analyzing dangerous active Web content.
MVISION UCE also includes the capabilities of Remote Browser Isolation (RBI), the only solution that can provide 100% protection during web browsing. Remote Browser Isolation is indeed an innovative new technology that contains web browsing activity inside an isolated cloud environment in order to protect users from any malware or malicious code that may be hidden on a website. RBI technology provides the most powerful form of web threat protection available, eliminating the opportunity for malicious code to even touch the end user’s device.
The green square around the page means that the web content is isolated by RBI and provided safely through a rendered dynamic visual stream which delivers full browsing experience without risk of infection.
The second phase of exploitation and persistence results from execution on the victim endpoint of Flash-based artifacts malware and, later, DotNet payload. McAfee Endpoint Security running on the target endpoint protects against Operation Dianxun with an array of prevention and detection techniques. ENS Threat Prevention and ATP provides both signature and behavioral analysis capability which proactively detects the threat. ENS also leverages Global Threat Intelligence which is updated with known IoCs. For DAT based detections, the family will be reported as Trojan-Cobalt, Trojan-FSYW, Trojan-FSYX, Trojan-FSZC and CobaltStr-FDWE.
While the execution of the initial fake Flash installer acts mainly like a downloader, the DotNet payload contains several functions and acts as a utility to further compromise the machine. This is a tool to manage and download backdoors to the machine and configure persistence. Thus, the McAfee Endpoint Security Adaptive Threat Protection machine-learning engine triggers detection and blocks execution on its behavior-based analysis.
The last phase of the attack involves creating a backdoor for remote control of the victim via a Command and Control Server and Cobalt Strike Beacon. In this case, in addition to the detection capabilities present at the McAfee Endpoint Security level, detections and blocking features that can be activated on a Next Generation Intrusion Prevention System solution such as McAfee NSP are important. NSP includes a Callback Detection engine and is able to detect and block anomalies in communication signals with C2 Servers.
We demonstrated above how a well defended architecture can thwart and counteract such an attack in each single phase. McAfee Web Gateway and MVISON Unified Cloud Edge can stop the initial entry vector, McAfee Endpoint Protection Platform can block the dropper execution or disrupt the following malicious activities but, only by using MVISION EDR, can you get extensive visibility on the full kill chain.
On MVISION EDR we have the threat detection on the monitoring dashboard for the two different stages and processes of the attack.
Once alerted, the security analyst can dig into the Process Activity and understand behavior and indicators relative to what happened like:
The initial downloader payload flashplayer_install_cn.exe is executed directly by the user and spawned by svchost.exe.
At first it connects back to hxxp://update.flach.cn registering to the c2 and creates a new executable file, flash.exe, in the Windows/temp folder.
Then the sample checks the time and the geolocalization of the infected machine via a request to http://worldclockapi.com.
Next, it connects back to the fake Huawei website “hxxp:\\update.careerhuawei.net” used for the initial phishing attack.
Finally, to further completion, you can also use MVISION EDR to search the indicators of compromise in Real-Time or Historically (up to 90 days) across the enterprise systems.
Looking for other systems with evidence of connection to the fake Huawei website:
HostInfo hostname, ip_address and NetworkFlow src_ip, proto, time, process, md5, user where NetworkFlow dst_ip equals “8.210.186.138”
Looking for indicators of the initial downloader payload linked to this campaign.
HostInfo and Files name, full_name, create_user_name, sha1, md5, sha256 where Files sha256 equals “422e3b16e431daa07bae951eed08429a0c4ccf8e37746c733be512f1a5a160a3” or Files sha256 equals “8489ee84e810b5ed337f8496330e69d6840e7c8e228b245f6e28ac6905c19f4a ” or Files sha256 equals “c0331d4dee56ef0a8bb8e3d31bdfd3381bafc6ee80b85b338cee4001f7fb3d8c” or Files sha256 equals “89a1f947b96b39bfd1fffd8d0d670dddd2c4d96f9fdae96f435f2363a483c0e1” or Files sha256 equals “b3fd750484fca838813e814db7d6491fea36abe889787fb7cf3fb29d9d9f5429” or Files sha256 equals “9ccb4ed133be5c9c554027347ad8b722f0b4c3f14bfd947edfe75a015bf085e5” or Files sha256 equals “4e7fc846be8932a9df07f6c5c9cbbd1721620a85c6363f51fa52d8feac68ff47” or Files sha256 equals “0f2e16690fb2ef2b5b4c58b343314fc32603364a312a6b230ab7b4b963160382” or Files sha256 equals “db36ad77875bbf622d96ae8086f44924c37034dd95e9eb6d6369cc6accd2a40d” or Files sha256 equals “8bd55ecb27b94b10cb9b36ab40c7ea954cf602761202546f9b9e163de1dde8eb” or Files sha256 equals “7de56f65ee98a8cd305faefcac66d918565f596405020178aee47a3bd9abd63c” or Files sha256 equals “9d4b4c39106f8e2fd036e798fc67bbd7b98284121724c0f845bca0a6d2ae3999” or Files sha256 equals “ac88a65345b247ea3d0cfb4d2fb1e97afd88460463a4fc5ac25d3569aea42597” or Files sha256 equals “37643f752302a8a3d6bb6cc31f67b8107e6bbbb0e1a725b7cebed2b79812941f” or Files sha256 equals “d0dd9c624bb2b33de96c29b0ccb5aa5b43ce83a54e2842f1643247811487f8d9” or Files sha256 equals “260ebbf392498d00d767a5c5ba695e1a124057c1c01fff2ae76db7853fe4255b” or Files sha256 equals “e784e95fb5b0188f0c7c82add9a3c89c5bc379eaf356a4d3876d9493a986e343” or Files sha256 equals “a95909413a9a72f69d3c102448d37a17659e46630999b25e7f213ec761db9e81” or Files sha256 equals “b7f36159aec7f3512e00bfa8aa189cbb97f9cc4752a635bc272c7a5ac1710e0b” or Files sha256 equals “4332f0740b3b6c7f9b438ef3caa995a40ce53b3348033b381b4ff11b4cae23bd”
Look back historically for domain name resolution and network connection to the involved indicators.
To defeat targeted threat campaigns like Operation Dianxun, defenders must build an adaptive and integrated security architecture which will make it harder for threat actors to succeed and increase resilience in the business. This blog highlights how to use McAfee’s security solutions to prevent, detect and respond to Operation Dianxun and attackers using similar techniques.
McAfee ATR is actively monitoring this campaign and will continue to update McAfee Insights and its social networking channels with new and current information. Want to stay ahead of the adversaries? Check out McAfee Insights for more information.
The post McAfee Defender’s Blog: Operation Dianxun appeared first on McAfee Blogs.
It’s popular. It’s uplifting. It’s creative. It’s entertaining. It can also be risky.
All these words equally describe TikTok, the wildly popular social network that allows teens to create and share videos and find critical connections during isolating times. So what makes TikTok both amazing and potentially risky at the same time? It isn’t the app itself but, rather, the way some kids choose to use it.
Several of those risky behaviors making headlines lately include the all-too-familiar topic of viral challenges. The secondary risk? Underage users’ common practice of bypassing TikTok’s age restrictions, which can put them in harm’s way. In 2020, TikTok classified more than a third of its 49 million daily users in the U.S. as being 14 years old or younger.
A recent webinar hosted by Cyberwise featuring Rick Andreoli, Editor-in-Chief at Parentology, and Pamela Rutledge, director of the Media Psychology Research Center, highlighted the risks of some of the latest challenges. (Listen to the full discussion here). Here are just a few of the many challenges parents should know about.
The blackout challenge. The draw to this challenge is somewhat new to TikTok but familiar in the online challenge realm. It involves users live-streaming themselves as they cut off their air supply to the point of losing consciousness. Sadly, this challenge recently had deadly consequences for a 10-year-old TikTok user, according to Newsweek reports. The incident prompted an outcry for the platform to ban users with unconfirmed ages.
Skullbreaker/trip jump challenge. TikTok users carry out this challenge in various ways, but one of the most common includes three friends side-by-side. As the video begins, everyone jumps or dances as pre-planned, only one kid is targeted to go down as the other two swipe the legs out from under them, causing either a face plant or a backward fall. This popular challenge has resulted in several medical emergencies.
The outlet or penny challenge. Fire officials have issued public cautions around this challenge, which involves sliding a penny into a partially plugged-in phone charger or cord. The goal? See who can record and post the biggest sparks or, yes, flames.
Coronavirus challenge. Here’s a challenge that thankfully didn’t gain too much traction before TikTok banned it. It was created by several “influencers” and encouraged TikTok users to post videos of themselves defying the Coronavirus by licking public objects — such as toilets and grocery store items.
A final reminder for parents is this: Challenge yourself to let go of the assumption that your child won’t try foolish things online. Smart kids also make unwise choices — a possibility that’s easily provoked in an environment where influencers, likes, and peer comments can disguise danger. It’s easy to forget that during the teen years, reason and evolving identity are at constant odds, which means emotion can suddenly commandeer logic. For parents, this means that by getting involved in your child’s digital world, you have the chance influence and guide them when they need it most.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post TikTok Update: Dangerous Viral Challenges & Age Restrictions appeared first on McAfee Blogs.
Over the last 12 months, technology has featured in our lives in a way I don’t think any of us would have predicted. Whether you were in lockdown, choosing to stay home to stay well or quite simply, out of other option – technology saved the day. It helped us work and learn from home, stay connected with friends and family, entertain ourselves, shop and essentially, live our lives.
For many parents, this was a real ‘aha’ moment. A moment when technology went from being an annoying distraction to incredibly critical to the functioning of our day to day lives. Of course, many of us had always considered technology to be useful to help us order groceries and check Facebook but to experience first-hand that technology meant life could go on during a worldwide pandemic was a real game changer.
Whether it was downloading video calling apps like Zoom or Facetime, setting up a Twitter account to get updates from the Health Department, using Google Doc to work collaboratively or experiencing what online gaming really is via a few sessions on the Xbox, 2020 means many parents had to get up to date, real fast! And you know what – that’s a good thing! I’ve had so many parents remark to me that they know finally understand why their kids are so enamoured with technology. There really is nothing like walking in someone’s shoes to experience their world!
I’m a big believer in parents taking the time to truly understand the world in which their kids exist. For years, I’ve advised parents to download and use the apps and games their kids play so they can understand the attraction and complexity of their kids’ digital life. Well, it may have taken a global pandemic, but I am delighted to report that, anecdotally at this stage, more parents are now embracing their kids’ online world.
When we first become enamoured with something, we often enter the ‘honeymoon’ phase. As a married woman of 28 years, this was many years ago for me!! The honeymoon phase is when everything is wonderful and rosy, and negatives are not always considered. And our relationship with technology can be much the same. And I’ve been there – there’s nothing quite so wonderful as discovering a new app or piece of software and almost being joyous at just how transformational it could be for your life. And this often means we gloss over or even ignore the risks because we are in love!!!
So, as Cybermum, I’m here to cheer you on and pat you on the back for embracing and using new apps and software. Yes, I’m very proud! But I also want to share with you just a few steps that you need to take to ensure you are not taking on any unnecessary risks with your new favourite app. Here are my top tips:
1. Passwords
Every app, online account or piece of software needs it own individual password. Yes, I know that it is a real pain, but it is one of the most important things you will do to protect yourself online. I’m a big fan of password managers that not only generate the most incredibly complex passwords for each of your accounts but remember them for you. McAfee’s password manager, True Key, is a free option which has completely helped me manage my 80 plus collection of passwords!! Very grateful!
2. Software Updates
The main purpose of a software update is to protect the user from security threats. Yes, you may also get some new features and possibly have a glitch or 2 removed but it is all about the user’s safety. So, if you don’t update your software, it’s a little like leaving windows open when you go out. And the longer you leave between updates – the more windows you leave open!
So, automate these updates if you can or schedule them in your diary. Why not earmark the first day of the month to check and see what you need to download to protect yourself? And don’t forget about your operating system on your phone or laptop too!
3. Be Wi-Fi Wary
Dodgy wi-fi is where so many people come unstuck. Regardless of what app or software you are using, anything you share via unsecured wi-fi could be intercepted by a hacker. So, if you find yourself using wi-fi regularly, you might want to consider a Virtual Private Network or VPN. A VPN creates an encrypted tunnel so anything you share via Wi-Fi cannot be intercepted. Genius, really! Check out McAfee’s Safe Connect for peace of mind.
So, please keep going! Keep exploring new ways technology can work for you in our new COVID world. But remember to take a break too. There is no doubt that technology has saved the day and has ensure we can all still function but there must be a balance too. So, walk the dog, play a board game or having a cuppa outside. Remember you manage the technology; it doesn’t manage you!
Till next time
Stay safe online.
Alex xx
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How 2020 Helped Parents Understand Their Kids’ Digital Lives appeared first on McAfee Blogs.
In the eyes of hackers, scammers, and thieves, your online privacy and identity look like a giant jigsaw puzzle. One that they don’t need every piece to solve. They only need a few bits to do their dirty work, which means protecting every piece you put out there—a sort of holistic view on your personal security. One that protects you, not just your devices.
Here’s what’s at stake: we create and share loads of personal information simply by going about our day online, where each bit of information makes up a piece of that giant jigsaw puzzle. Some pieces directly identify us, like our tax returns, bank account information, or driver’s licenses. Other pieces of information indirectly identify us, like the IP addresses assigned to our computers, tablets, and phones—or device ID numbers, location information, and browsing history. And bad actors only need a few key pieces to do you harm, such as committing identity crime in your name or selling your personal information on sketchy websites or the dark web.
While people show great concern about their personal information, who has it and what’s done with it, our research shows that 70% of people feel like they have little or no control over the data that’s collected about them. However, you have plenty of ways that you can indeed take control—ways that can prevent, detect, and correct attacks on your privacy and identity. That’s where holistic protection comes in.
You can think of holistic protection as layers of shields that protect you and the devices you use. It gives you three layers in all—a Prevention Layer, Detection Layer, and a Correction Layer.
A holistic and comprehensive security solution like McAfee+ combines those three layers in a way that protects your personal information and keep your identity private, showing you how it does it along the way, so you can see exactly how safe you are. Let’s take a quick look of some of the protections you’ll find in each layer …
In the Prevention Layer, you’ll see:
In the Detection Layer, you have …
In the Correction Layer, several other protections have your back …
These are just a few examples of the protections in each layer. And you’ll find our most comprehensive holistic protection in McAfee+ Ultimate, covering your privacy, identity, and devices.
While your online privacy and identity may look a jigsaw puzzle, protecting it shouldn’t be as complicated. With a holistic security solution for your personal protection, you can minimize your exposure with layers of security that do much of the work for you.
Antivirus on your PC is not enough. It has not been enough for many decades now. And this becomes more evident as we continue to spend more time online, with the average person spending 6 hours and 54 minutes online each day, leaving clouds of personal information in their wake.
While standalone apps like a password manager, a VPN app, and an identity solution from different vendors can be piecemealed together with your device security, these are difficult to keep track of and burdensome to maintain.
We have combined the important tools you need into a seamless and comprehensive experience because good security software is something that you use daily to feel safer online. This is why we are working on your behalf to redefine security, so you can enjoy your connected life with confidence.
The post True Security Requires a Holistic Approach appeared first on McAfee Blog.
Technological advancements continually emerge that make our lives easier. Right? As beneficial and convenient as emerging tech is, it can pose serious risks to our online safety and privacy—risks that you might find yourself ill-prepared to handle. In fact, according to our 2021 Consumer Security Mindset research, 45% of Canadian respondents don’t feel very confident about their ability to prevent a cyberattack and believe that they don’t have what they need to ward one off.
With many of us turning to online platforms for things we used to do in-person, activities like banking, shopping, taxes, and more, the need for broader online privacy protection has never been greater. As we continue to integrate technology into our everyday lives, we must learn to recognize the risks they pose and understand how to safeguard our online security.
Telehealth visits have opened the door for many to get the medical care they need when visiting the doctor or going to the hospital isn’t feasible. Digital health platforms have demonstrated many benefits for optimizing time and cost efficiencies for both patients and providers, but at what cost?
Despite efforts to address barriers to virtual healthcare adoption, Canada currently lacks a national framework for governing virtual care. As a result, many healthcare providers are left to act on their best judgements regarding patient data interoperability across provinces and providers. The lack of a pan-Canadian governance framework also makes it difficult for digital health platforms to operate with the assurance of certain security protocols, leaving many of us to wonder how to best protect our data in the face of an ambiguous virtual healthcare system. The risk is made all the more severe when factoring in sensitive biometric data from monitoring devices that can be used for malicious purposes when in the hands of cyber attackers. Those of us who take advantage of digital health devices must understand how to secure our data privacy and control its usage to mitigate further risks.
The first line of defense to ensure your data remains protected is to understand the security policies put in place by your healthcare provider and any third-party digital platforms that they leverage. Additionally, you’ll want to ensure that your healthcare provider uses a telehealth platform that integrates data encryption. Take matters into your own hands by enabling two-factor authentication and use strong passwords across all devices and accounts. Using a VPN and running anti-malware and anti-virus scans can also mitigate the risk of security threats during telehealth visits and while using integrated medical devices.
Student privacy is a top concern as households turn to remote learning. In a rush to optimize remote learning experiences in the face of a rapidly evolving digital landscape, many educators and remote learners may not realize the hazards that put student privacy at risk.
We’re almost a year into distance learning and schools have now adopted a range of technologies to optimize the digital classroom, including virtual learning platforms, holistic learning solutions, and even social media applications. However, many of these digital platforms are not designed for child usage, nor do they have privacy policies in place to ensure that the student data gathered is protected. Many learning platforms may even treat student data as consumer data, raising more red flags regarding student data privacy and compliance. Online learning has also garnered the attention of cybercriminals looking to exploit student data, resulting in online bullying, identity theft, and more.
For educators and parents alike, knowledge is the greatest asset to mitigating the risks of remote learning. IT teams and educators must understand the implications of the student data they collect, govern access to it, and control its usage to comply with child privacy regulations. Parents can take proper precautions by discussing the importance of privacy with their children. Keeping learning platforms up to date and monitoring their children to prevent them from downloading suspicious apps or straying to unknown websites are all ways to ensure safer remote learning environments.
Remote work has become commonplace nowadays as more companies permit their employees to work from home long-term and, for some, permanently. Given the abrupt shift to remote workplaces in the past year, companies have found themselves severely unprepared to handle the security and logistical concerns that accompany a distributed remote workforce.
In a recent Fenwick poll among HR, privacy, and security professionals across industries, approximately 90% of employees now handle intellectual property, confidential, and personal information in their homes. Endpoint security, or the protection of end-user devices such as our laptops and mobile devices, poses more of a concern as employees trade in office networks for their in-home Wi-Fi. If these devices and networks are unsecured or if the data is not encrypted, employees run the risk of exposing sensitive information to hackers. A lack of proper employee security training opens additional opportunities for online threats to take advantage of unsuspecting victims through common phishing scams.
Those of us working from home can help ensure the safety of our company’s confidential information by boosting our awareness of security threats and prevention measures via company-mandated security trainings. Additionally, we can promote a safer remote working environment by practicing basic digital hygiene like keeping all devices and software up to date, using a VPN and a strong password across devices.
With the limited availability of in-person exercise classes, many of us have turned to virtual fitness experiences to augment our personal health regimens. Some have even taken their fitness routines one step further to include and high-tech equipment like at-home spin bikes or other wearable devices to track and monitor progress.
Although these devices create a more engaging experience and connect users across the globe through online sharing, there are risks, too. Wearables and other devices embedded with sensors and software that collect and share data across an interconnected network are considered Internet of Things (IoT) technology. IoT devices don’t have the same stringent security protocols as laptops and mobile devices, making them more susceptible to cyberthreats.
To prevent cyber attackers from infiltrating IoT devices connected to your home network, start by securing your network router. Change the default name and password of your router so hackers can’t identify the make and model. Create an additional layer of security by enabling the highest level of encryption to secure your Wi-Fi network. We also suggest creating a guest network for your IoT devices so that even if someone does infiltrate your IoT device, they won’t be able to access other devices like laptops and mobile devices.
Some of the platforms I use the most allow me to keep track of and manage my finances. Whether it’s my mobile banking app or taking advantage of online tax filing, there is such a convenience in having the ability to pay bills, deposit checks, and more, all with the devices I use every day. But many of us may not realize just how much trust we put into these platforms to protect our online privacy, especially when we don’t have a clear picture of who exactly is on the other end of our online transactions.
While recognizing the signs of online banking and tax-related fraud helps ease the burdens associated with these schemes, there are multiple steps users can take to prevent becoming a victim of these scams in the first place. If you receive a call regarding your taxes, make sure the caller is a CRA employee before handing over money or personal information on the phone. You can also double-check your tax account status and make sure the CRA has your current address and email. This will also show whether you owe a balance if a hacker does try to trick you into paying up. By being mindful of how cybercriminals take advantage of the platforms we use out of convenience, we can better protect against threats to our personal privacy.
Digital devices are part of how we live our lives every day, whether we’re taking conference calls on our laptops, tracking the latest mile on our smartwatches, or banking on the go. Although our everyday digital devices make our lives that much more convenient, securing them makes our lives that much safer by minimizing online threats to ourselves and those around us. Safeguarding the digital platforms we use for work, school, fitness, you name it, is the first step to ensuring our private information remains just that—private.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Privacy in Practice: Securing Your Data in 2021 and Beyond appeared first on McAfee Blogs.
MITRE ATT&CK enterprise is a “knowledge base of adversarial techniques”. In a Security Operations Center (SOC) this resource is serving as a progressive framework for practitioners to make sense of the behaviors (techniques) leading to system intrusions on enterprise networks. This resource is centered at how SOC practitioners of all levels can craft purposeful defense strategies to assess the efficacy of their security investments against that knowledge base.
To enable practitioners in operationalizing these strategies, the knowledge base provides the “why” and the “what” with comprehensive documentation that includes the descriptions and relational mappings of the behaviors observed by the execution of malware, or even when those weapons were used by known adversaries in their targeting of different victims as reported by security vendors. It goes a step further by introducing the “how” in the form of adversary emulation plans which streamline both the design of threat-models and the necessary technical resources to test those models – i.e., emulating the behavior of the adversary
For scenarios where SOCs may not have the capacity to do this testing themselves, the MITRE Corporation conducts annual evaluations of security vendors and their products against a carefully crafted adversary emulation plan, and it publishes the results for public consumption. The evaluations can help SOC teams assess both strategy concerns and tactical effectiveness for their defensive needs as they explore market solutions.
This approach is transformative for cyber security, it provides an effective way to evolve from constraints of being solely dependent on IOC-centric or signature-driven defense models to now having a behavior-driven capability for SOCs to tailor their strategic objectives into realistic security outcomes measured through defensive efficacy goals. With a behavior-driven paradigm, the emphasis is on the value of visibility surrounding the events of a detection or prevention action taken by a security sensor – this effectively places context as the essential resource a defender must have available to pursue actionable outcomes.
I believe that to achieve meaningful security outcomes our products (defenses) must demonstrate how effective they are (efficacy) at enabling or preserving the security mission we are pursuing in our organizations. For example, to view efficacy in a SOC, let’s see it as a foundation of 5 dimensions:
Detection | Gives SOC Analysts higher event actionability and alert handling efficiencies with a focus on most prevalent adversarial behaviors – i.e., let’s tackle the alert-fatigue constraint! |
Prevention | Gives SOC Leaders/Sponsors confidence to show risk reduction with minimized impact/severity from incidents with credible concerns – e.g., ransomware or destructive threats. |
Response | Gives SOC Responders a capacity to shorten the time between detection and activating the relevant response actions – i.e., knowing when and how to start containing, mitigating or eradicating. |
Investigative | Gives SOC Managers a capability to improve quality and speed of investigations by correlating low signal clues for TIER 1 staff and streamlining escalation processes to limited but advanced resources. |
Hunting | Enables SOC Hunters a capacity to rewind-the-clock as much as possible and expand the discovery across environments for high value indicators stemming from anomalous security events. |
Efficacy at the Security and Technical Leadership levels confirms how the portfolio investments are expected to yield the defensive posture of our security strategy, for example, compare your investments today to any of the following:
Strategy (Investment) |
Portfolio Focus |
Efficacy Goals |
![]() |
Balanced Security |
Ability to:
Caveats:
|
![]() |
Detection Focus |
Ability to:
Caveats:
|
![]() |
Prevention Focus |
Ability to:
Caveats:
|
![]() |
Response Focus |
Ability to:
Caveats:
|
MITRE ATT&CK matters as it introduces the practical sense-making SOC professionals need so they can discern attack chains versus security events through visibility of the most prevalent behaviors.
Consequently, it allows practitioners to overcome crucial limitations from the reliance on indicator-driven defense models that skew realistic efficacy goals, thereby maximizing the value of a security portfolio investment.
The post Why MITRE ATT&CK Matters? appeared first on McAfee Blogs.
For the March 2021 Patch Tuesday, Microsoft released a set of seven DNS vulnerabilities. Five of the vulnerabilities are remote code execution (RCE) with critical CVSS (Common Vulnerability Scoring Standard) scores of 9.8, while the remaining two are denial of service (DoS). Microsoft shared detection guidance and proofs of concept with MAPP members for two of the RCE vulnerabilities, CVE-2021-26877 and CVE-2021-26897, which we have confirmed to be within the DNS Dynamic Zone Update activity. Microsoft subsequently confirmed that all seven of the DNS vulnerabilities are within the Dynamic Zone Update activity.
We confirmed from our analysis of CVE-2021-26877 and CVE-2021-26897, in addition to further clarification from Microsoft, that none of the five DNS RCE vulnerabilities are wormable.
RCE vulnerabilities
CVE-2021-26877, CVE-2021-26897 (exploitation more likely)
CVE-2021-26893, CVE-2021-26894, CVE-2021-26895 (exploitation less likely)
DoS vulnerabilities
CVE-2021-26896, CVE-2021-27063 (exploitation less likely)
A critical CVSS score of 9.8 means that an attacker can remotely compromise a DNS server with no authentication or user interaction required. Successful exploitation of these vulnerabilities would lead to RCE on a Primary Authoritative DNS server. While CVSS is a great tool for technical scoring, it needs to be taken in context with your DNS deployment environment to understand your risk which we discuss below.
We highly recommend you urgently patch your Windows DNS servers if you are using Dynamic Updates. If you cannot patch, we recommend you prioritize evaluating your exposure. In addition, we have developed signatures for CVE-2021-26877 and CVE-2021-26897 which are rated as “exploitation more likely” by Microsoft.
Per the NIST “Secure Domain Name System (DNS) Deployment Guide”, DNS threats can be divided into Platform and Transaction Threats. The platform threats can be classed as either DNS Host Platform or DNS Software Threats. Per Table 1 below, Dynamic Update is one of the four DNS Transaction types. The seven DNS vulnerabilities are within the Dynamic Update DNS transaction feature of Windows DNS Software.
Table 1: DNS Transaction Threats and Security Objectives
The DNS Dynamic Zone Update feature allows a client to update its Resource Records (RRs) on a Primary DNS Authoritative Server, such as when it changes its IP address; these clients are typically Certificate Authority (CA) and DHCP servers. The Dynamic Zone Update feature can be deployed on a standalone DNS server or an Active Directory (AD) integrated DNS server. Best practice is to deploy DNS integrated with (AD) so it can avail itself of Microsoft security such as Kerberos and GSS-TSIG.
When creating a Zone on a DNS server there is an option to enable or disable DNS Dynamic Zone Updates. When DNS is deployed as a standalone server, the Dynamic Zone Update feature is disabled by default but can be enabled in secure/nonsecure mode. When DNS is deployed as AD integrated, the Dynamic Zone Update feature is enabled in secure mode by default.
Secure Dynamic Zone Update verifies that all RR updates are digitally signed using GSS-TSIG from a domain-joined machine. In addition, more granular controls can be applied on what principal can perform Dynamic Zone Updates.
Insecure Dynamic Zone Update allows any machine to update RRs without any authentication (not recommended).
From a Threat Model perspective, we must consider Threat Actor motives, capabilities, and access/opportunity, so you can understand the risk relative to your environment. We are not aware of any exploitation in the wild of these vulnerabilities so we must focus on the access capabilities, i.e., close the door on the threat actor opportunity. Table 2 summarizes DNS Dynamic Update deployment models relative to the opportunity these RCE vulnerabilities present.
Table 2: Threat Actor access relative to deployment models and system impact
The highest risk deployment would be a DNS server in Dynamic Update insecure mode exposed to the internet; this is not best security practice and based on our experience, we do not know of a use case for such deployment.
Deploying AD integrated DNS Dynamic Update in secure mode (default) mitigates the risk of an unauthenticated attacker but still has a high risk of a compromised domain computer or trusted insider being able to achieve RCE.
All the vulnerabilities are related to the processing of Dynamic Update packets in dns.exe. The goal of our vulnerability analysis, as always for critical industry vulnerabilities, is to ensure we can generate accurate signatures to protect our customers.
Figure 1: Wireshark view of exploit packet classifying the DNS packet as malformed
Figure 2: WinDbg output of crash while attached to dns.exe
File_PlaceStringInFileBuffer()
function copies data from TXT_data
allocated from CopyWireRead()
function previously. However, the UpdateRR->TXT length value from Wireshark is not validated and used to copy from *UpdateRR->Data length. Because UpdateRR->TXT length is not validated relative to UpdateRR->Data length it results in a OOB read from heap memory.Figure 3: Packet containing many consecutive Signature RR dynamic updates. Pay special attention to the length field of the reassembled flow.
Exploiting these vulnerabilities remotely requires both read and write primitives in addition to bypassing Control Flow Guard (CFG) for execution. The DNS protocol has significant remote unauthenticated attack surface to facilitate generating such primitives which has been researched as part of CVE-2020-1350 (SigRed). In addition, per the RR_DispatchFuncForType()
function, there are read and write functions as part of its dispatch table.
Figure 4: Path of DNS RR update packet
Figure 5: Dispatch functions for reading and writing
Patching is always the first and most effective course of action. If it’s not possible to patch, the best mitigation is to audit your DNS deployment configuration to limit Dynamic Zone Updates to trusted servers only. For those McAfee customers who are unable to deploy the Windows patch, the following Network Security Platform (NSP) signatures will provide a virtual patch against attempted exploitation of both vulnerabilities, CVE-2021-26877 and CVE-2021-26897.
NSP Attack ID: 0x4030e700 – DNS: Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26877)
NSP Attack ID: 0x4030e800 – DNS: Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-26897)
In addition, NIST “Secure Domain Name System (DNS) Deployment Guide” provides best practices for securing DNS deployment such as:
The post Seven Windows Wonders – Critical Vulnerabilities in DNS Dynamic Updates appeared first on McAfee Blogs.
The generosity and kindness displayed by team members across McAfee is one major factor that makes up the incredible culture of the company. At McAfee, we empower our team members to initiate meaningful ways to give back to the community. It came to no surprise when a large group of team members came together in order to run a donation drive to benefit the Make-A-Wish Foundation.
The Make-A-Wish Foundation is a nonprofit corporation that helps grant wishes to thousands of children fighting life-threatening medical conditions. One way to support the foundation is by donating airline miles. Nationally, Make-A-Wish needs more than 2.8 billion miles, or 50,000 round-trip tickets, to cover every child’s travel wish each year. Every mile donated will help kids and their families travel to destinations around the world, once it is safe to resume travel. It is just one of the ways that individuals can help create a life-changing wish experience.
Some of our team members organized an air miles donation drive and encouraged others to donate their miles to the cause. The impact was astronomical, with team members raising over 585,000 miles to benefit the Make–a–Wish Foundation in the Bay Area.
We reached out to three airline mile contributors at McAfee and discussed what inspired them to contribute to this extraordinary initiative.
I was happy to see the McAfee family come together and support a terrific cause by donating airline miles to the Make-A-Wish Foundation. Giving is a key element in my faith and a core value. I knew that I could either cash in the points and do something with my family, or I could put the miles towards an even greater purpose and help a child who is truly in need of experiencing something special. The choice was an easy one to make.
I believe that helping others is one of our top callings. That is why I choose to give and do so generously with joy. I know that I’m not alone here at McAfee. There is a great culture of generosity that I’ve witnessed across the organization and I’m happy to simply be a part of that and do what I can to help others.
Years ago, my brother was a starving college student who volunteered for a local charity and drove cancer patients to their medical appointments. When I asked him about his volunteer work, he said that he didn’t have a lot of money, but he had time. Volunteering allowed him to make a difference in someone’s life and give back. It was a life–changing moment for me because it expanded how I think about giving to include time, donations and acts of kindness.
I chose to participate in the air miles donation drive because I love that this program provides time for critically ill children to spend with their loved ones while creating memorable and happy experiences.
I am incredibly grateful to our McAfee leaders who create opportunities for us to give back. Giving back is at the core of McAfee’s DNA and having closely connected teams makes it easy for team members to answer a call to action.
Giving is all about making small differences whenever and wherever you can, in any form. We can make a huge difference in the lives of others, especially when we are in a position where we can help those who need us the most.
When team members from the enterprise organization set up a drive for the Make-A-Wish Foundation, it connected with me on a personal level. As I went through the stories of children whose wishes were granted through the program, I was moved to learn about how a little effort can create the best moments in someone’s life.
Meaningful communication from our HR team members and leadership promoting efforts to volunteer and give back to the community are motivating. I like that McAfee has a dedicated site that team members can access for giving and that there are opportunities in which McAfee matches team member donations. Collectively, we can make a big difference to the world around us. Truly, together is power.
At McAfee, we encourage and support the efforts of our team members to make a difference in their communities. If you’re interested in joining the McAfee team, we’d love to hear from you.
Search Career Opportunities with McAfee
Interested in joining our team? We’re hiring! Apply now.
Stay Connected
For more stories like this, follow @LifeAtMcAfee on Instagram and @McAfee on Twitter to see what working at McAfee is all about.
The post How a Group of McAfee Team Members Helped Change the Lives of Critically Ill Children appeared first on McAfee Blogs.
My McAfee Chronicles is a series featuring McAfee team members who have interesting and inspiring life stories to share. Meet Shiva, a Software Development Engineer in Bangalore, India.
When a traumatic road accident changed the course of Shiva’s life, he had two options – give up on life or give life his best shot. For Shiva, there was only one obvious choice. Through his unrelenting willpower and sheer determination, he was able to overcome all odds.
Shiva shares his deeply inspirational story below:
My journey at McAfee started in 2011 when I joined the company. In 2013, my life was turned upside down. I was on a road trip with a few friends when we got in a car accident. Although I was fortunate enough to survive, unlike two of my friends, I suffered from a severe nerve injury that left me paralyzed from the neck down.
The next few months were some of the roughest of my life. Due to the extent of my injuries, I spent several months recuperating in the hospital. Soon, I hit my limit for medical insurance coverage. No one is ever prepared to face such a financial situation and I was no different. However, I was extremely fortunate that McAfee came forward and supported me in every possible way, both financially and emotionally. With McAfee’s support, I was able to receive the best treatment for my needs.
I spent close to 10 months in the hospital and doing rehab, slowly picking up the pieces of my life again. Even simple things like sitting or talking to someone took me a great deal of effort. However, giving up was never an option for me. My doctors encouraged me to engage mentally, and that’s when I slowly started to contribute at work again.
Before my accident, I led two projects for my team. Even though my mobility was restricted, I still have the ability to think. So, my team came forward and encouraged me to work again. I started at a slow pace, mostly talking on the phone and sharing my thoughts with my team. My team served as my hands and legs, coding and working on my unfinished projects. My leaders and team members turned out to be my biggest strength. They would visit me often to cheer me up and we would celebrate special occasions together. I was overwhelmed by their love and support.
Finally, it was time to get back to the office. When I started walking a little, I slowly got back to work in a phased manner. McAfee gave me the flexibility that I needed to put together the pieces of my life. Although it was wonderful to be back, returning didn’t come without its challenges. I could not drive to work anymore. For some time, my teammates helped me get to the office. On other occasions, I would hire a taxi. On the days when it rained, it was challenging to find a cab, given Bangalore’s traffic.
Around the same time, McAbility was formed in India. I became a part of it and brought my commute issue to McAfee’s knowledge. I’m glad to say that McAfee did not hesitate to arrange a special cab exclusively for me. McAfee welcomed and acted on every suggestion that I shared regarding improving mobility issues in the office.
With the support of my family, team members and McAfee, life slowly started to get back to normal. I even got a chance to visit my colleagues in the Cork office, which was a life changing moment for me. The support that I received from everyone around me was a crucial part of my recovery. Even now when I’m in the office, people stop by and ask me how I am doing and it is heartwarming.
“Any emotion, if it is sincere, is involuntary”, by Mark Twain. If you want to be a good person or be kind to someone, it will come to you naturally. You wouldn’t have to try too hard.
For more stories like Shiva’s or to learn more about our company culture, follow @LifeatMcAfee on Instagram and @McAfee on Twitter.
Interested in joining McAfee? We’re hiring! Apply now.
The post Shiva’s Tragic Accident Turns into a Story of Resilience appeared first on McAfee Blogs.
By: Smriti, People Partner
McAfee continues to recognize and celebrate hardworking mothers across our global workforce. We continue to advance in our workplace culture by offering policies and programs to better serve working parents.
Meet Smriti as she shares her incredible story as a new mother and how McAfee helped her to transition comfortably into a new role as a working parent.
My journey at McAfee began in 2017 as a People Partner. My role includes developing policies and processes for People Success.
My husband and I were delighted to welcome our first-born. In 2019, we welcomed our daughter into our family. While becoming a new parent is both rewarding and fulfilling, it can also be an overwhelming experience. The job of a parent is never-ending. There is no 9 – 5 schedule and you can’t check out. You’re always on parent duty 24 hours a day, 7 days a week.
McAfee’s family-friendly policies and benefits helped our new family bond together. I spent quality time with my daughter during my maternity leave. From receiving baby gifts in the mail from McAfee to getting the insurance coverage and mental health support that I needed, McAfee’s benefits for working parents were a blessing for us.
Parenthood is never without its obstacles, and most times, unforeseen ones. When my family could not make it home due to travel restrictions because of COVID-19, I got the support I needed to extend my leave. I also opted for the Gradual Return to Work Program designed for new moms. This ensured that I would not be overwhelmed when reentering the workforce and that my priorities were well understood.
I received a warm welcome from everyone, including my team and my manager. I consider myself fortunate to work for a company that understands the value of a new family. Working moms often struggle with work and family. Still, with a little support, they can indeed thrive in their workplaces and have a fruitful career.
My Life’s Manta is to always look at the bigger picture in life and be thankful for what you have, rather than think about the downsides. Personally, this helps me to be happy and content.
All over the world, McAfee’s benefits continue to evolve to reflect the needs of working parents. From extended bonding leave to expanded opportunities that help parents transition with our Return to Workplace program, we work tirelessly to create a range of programs unique to each country. We continue to support those who have paused their careers to care for their families as well as new working parents.
Learn more about the ways McAfee is serving working parents and building an inclusive workplace by following Life at McAfee on Instagram and @McAfee on Twitter.
Interested in joining forces with us? Explore our job opportunities. Subscribe to job alerts.
The post How McAfee’s Inclusive Maternity Benefits Helped Me Thrive as a New Mom appeared first on McAfee Blogs.
John Lambert, a distinguished researcher specializing in threat intelligence at Microsoft, once said these words that changed perspectives: “Defenders think in lists. Attackers think in graphs.” This is true and, while it remains that way, attackers will win most of the time. However, the true power of graphs does not only reside in constructing them, but also in how we build them and what we do with them. For that, we need to reflect upon the nature of the data and how we can use graphs to make sense of it. I presented on this premise at the MITRE ATT&CKcon Power Hour held in January 2021.
At McAfee Advanced Threat Research (ATR), all threat intelligence relating to current campaigns, potential threats, and past and present attacks, is collated and normalized into a single truth, namely a highly redundant, scalable relational database instance, and disseminated into different categories, including but not limited to MITRE ATT&CK techniques involved, tools used, threat actor responsible, and countries and sectors targeted. This information is a subset of the data available in McAfee MVISION Insights. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? We have been collecting and processing data for many years but identifying patterns quickly and making sense of the complete dataset as a whole has proven to be a real challenge.
In our recent efforts, we have embraced the analysis of threat intelligence using graphical representations. One key takeaway is that it is not just about mapping out intelligence about campaigns and threats into graphs; the strength lies in studying our datasets and applying graph algorithms to answer questions about the data.
In this paper, we provide an extensive description of the dataset derived from the threat intelligence we collect. We establish the methodology applied to validate our dataset and build our graphical representations. We then showcase the results obtained from our research journey as defenders thinking in graphs instead of lists.
The first section explains the kind of data we have at our disposal. The second section describes the goal of our research and the kind of questions we want to answer. Sections 3 and 4 establish the methodology used to process our dataset and to validate that we can actually do something useful with it by using graphs. The fifth section describes the process of building graphs, and Section 6 shows how we use these graphs to answer the questions laid out in Section 2. Section 7 introduces an additional research element to add more granularity to our experiment, and Section 8 shares the limitations of our research and potential ways to compensate for them. Sections 9 and 10 conclude this research with some reflections and proposed future work.
Our dataset consists of threat intelligence, either collected by or shared with our team, is piped into our internal MISP instance and published to relevant stakeholders. This data concerns information about campaigns, crimeware or nation-state attacks that are currently going on in the world, from potential or reoccurring threat (groups). The data is split into multiple categories used to establish everything we know about the four basic questions of what, who, where, and how. For example, certain attacks on countries in the Middle East have been conducted by the group MuddyWater and have targeted multiple companies from the oil and gas and telecom industries, leveraging spear phishing campaigns. The dataset used for this research is a collection of the answers to these four basic questions about each event.
The quantity of data we have makes it almost impossible to make sense in one pass. Information is scattered across hundreds of events, in a database that does not necessarily enable us to connect each piece of information we have in relevant patterns. The goal of this research is to create a methodology for us to quickly connect and visualize information, identify patterns in our data that could reveal trends in, for example, actor behaviour or MITRE technique usage. In this paper, we specifically focus on actor trends and MITRE technique usage.
By providing such tooling, we can answer questions about frequency of actors or techniques, popularity of techniques across actors, and patterns of behaviour in technique usage among actors. These questions are laid out as such:
These questions are not exhaustive of everything that can be achieved using this methodology, but they reveal an example of what is possible.
As we are proposing a way to build graphs to make sense of the data we have, we first need to validate our dataset to make sure graphs will deliver something useful. For that, we need to look at expected density and connectivity of the graph. Should our dataset be too dense and overly connected, building graphs will not result in something that can be made sense of.
After establishing that our dataset is graphable, we can focus on how exactly we will graph it. We need to establish what our nodes are and what defines our edges. In this case, we propose two representations: an event-centric view and actor-centric view, respectively taking events and actors as points of reference.
Once we have built our graphs, we investigate different techniques and algorithms to answer the questions laid out in the previous section. This experiment provides us insights into our data, but also into what we are missing from our data that could give us even more information.
The tooling used for this research is an internal tool referred to as Graph Playground that provides users with the possibility to build client-side undirected graphical visualizations in their browser, based on CSV or JSON files. This software also offers a toolbox with analysis techniques and algorithms to be used on the graphs.
Before building proper graphical representations, we need to assess whether the dataset is a good fit. There are a few metrics that can indicate that the dataset is not necessarily fit for graphs, one of which being the average number of connections (edges) per node:
This average gives us an approximate indication of how many edges per node we can expect. Another useful metric is graph density, defined as the number of edges divided by the total number of possible edges for an undirected simple graph. This is normally calculated using the following formula:
It is a simple equation, but it can already give great insights as to what the graph is going to look like. A graph with high density might be a super connected graph where every node relates to one another in some way. It can be great for visualisation but will not provide us with anything useful when it comes to identifying patterns or differentiating between the different components of the graph.
Based on the data at hand, one intuitive way to build graphs is using a threat event as a central node and connected nodes that represent MITRE techniques, threat actors, tools, countries, and sectors to that event node.
Figure 1: Graph representation of the data
Figure 1 depicts the initial graphical representation using each event and associated metadata registered in MISP. Relationships between event nodes and other nodes are defined as follows: techniques and tools are used in one event that is attributed to a specific actor and involves a threat or attack on certain countries and sectors.
Based on the representation and our dataset, the number of nodes obtained is |N| = 1,359 and the total number of edges is |E| = 12,327. In our case, because only event nodes are connected to other nodes, if we want to check for the average number of edges per node, we need to look specifically at event nodes. In the obtained graph g, this average is equal to:
To calculate the density, we also need to account for the fact that only event nodes have connections. The density of the obtained graph g is then equal to:
Density always results in a number between 0 and 1. With an average of 18 edges per event node and a graph density of 0.053, we can expect the resulting graph to be relatively sparse.
Figure 2: Full representation of 705 MISP events
The full graph obtained with this representation in Figure 2, against our predictions, looks much denser than expected. It has an obvious central cluster that is busy with nodes that are highly interconnected, consisting mostly of event and technique nodes. In Figure 3, we discard MITRE technique nodes, leaving event, country, sector, and tool nodes, to demonstrate where the low-density calculation comes from.
Figure 3: Representation without MITRE technique nodes
Removing MITRE technique nodes results in a much less dense graph. This may be an indication that some event and technique nodes are highly interconnected, meaning there may be a lot of overlap between events and techniques used.
Figure 4: Representation with only event and MITRE technique nodes
Figure 4 proves this statement by showing us a large cluster of interconnected event and technique nodes. There is a set of events that all appear to be using the same technique. It would be interesting to isolate this cluster and take note of exactly which techniques these are, but this research takes us down another road.
Based on the data we have, which mostly consists of events relating to crimeware, we choose to disregard country and sector information in our graphical analyses. This is because these campaigns are most often sector and country-agnostic, based on historical observation. Therefore, we proceed without country and sector data. This allows us to perform some noise reduction, keeping events as points of reference.
We can also take this a step further and collapse event nodes to switch the focus to actor nodes with regard to tools and MITRE techniques used. This results in two different representations derived from the original graph.
Removing country and sector nodes, we are left with event nodes connected to actor, technique, and tool nodes. Figure 5 illustrates this representation.
Figure 5: Representation without country and sector nodes
This resulting representation is an event-centric view, and it can help us answer specific questions about frequency of actors involved, techniques or tools used during recorded attacks and campaigns.
Figure 6: Event-centric view
The graph in Figure 6 is very similar to the original one in Figure 2, but the noise that is not of real interest at this stage has been removed, so that we can really focus on events regarding actors, techniques, and tools.
Another possible representation, because the data we have about countries and sectors is very sparse, is to center the graph around actor nodes, connected to techniques and tools.
Figure 7: Collapsed presentation of actors, techniques, and tools
Figure 7 establishes the relationship between the three remaining nodes: actor, technique, and tools. The resulting graph is displayed in Figure 8.
Figure 8: Actor-centric view
These two ways to build graphs based on our data provide an event-centric view and an actor-centric view and can be used to answer different questions about the gathered intelligence.
Based on the two generated views for our data, we demonstrate how certain algorithms and graph-related techniques can be used to answer the questions posed in Section 2. Each view provides insights on frequency, popularity, or pattern questions.
Which techniques are observed most often?
To answer questions about the frequency of techniques used, we need to take the event-centric view, because we are directly addressing how often we have observed techniques being used. Therefore, we take this view and look at the degree of nodes in the graph. Nodes with a high degree are nodes with more connections. A MITRE technique node with a very high degree is a node that is connected to a high number of events.
Figure 9: Degree analysis on the event-centric view with a focus on techniques
Figure 9 shows us the application of degree analysis on the event-centric view, revealing techniques like Spearphishing Attachment and Obfuscated Files or Information as the most often observed techniques.
Which actors are the most active?
The same degree analysis can be used on this view to identify which actors have most often been recorded.
Figure 10: Degree analysis on the event-centric view with a focus on actors
Based on the results displayed in Figure 10, Sofacy, Lazarus Group, and COVELLITE are the most recorded actors across our data.
Which techniques are the most common across actors?
To answer questions about popularity of techniques across actors, we need to look at the actor-centric view, because it will show us how techniques and actors relate to one another. While degree analysis would also work, we can make use of centrality algorithms that measure how much control a certain node has over a network, or in other terms: how popular a certain node is.
Figure 11: Centrality algorithm used on the actor-centric view
Running centrality algorithms on the graph shows us that Obfuscated Files or Information and User Execution are two of the most popular techniques observed across actors.
Can we identify groups of actors using the same techniques?
The keyword here is groups of actors, which insinuates that we are looking for clusters. To identify groups of actors who use the same techniques, we can attempt to use clustering algorithms to isolate actors who behave the same way. We need to apply these algorithms on the actor-centric view. However, we also see that our actor-centric view in Figure 8 has quite a dense bundle of nodes, and this could make the building of clusters more difficult.
Figure 12: Clustering algorithm used on the actor-centric view
Louvain Clustering is a community detection technique that builds clusters based on edge density; Figure 12 shows us the results of running this algorithm. We see that it was possible to build some clusters, with a clear distinction between the orange cluster and the bundle of nodes, but it is not possible to verify how accurate our clusters are, because of the density of the subgraph where all the nodes seem to be interconnected.
We can draw two conclusions from this:
This takes us to the last important question:
Are actors using techniques in the same way?
With the information currently at our disposal, we cannot really assess whether a technique was used in the same way. It would be ideal to specify how an actor used a certain technique and encode that into our graphs. In the next section, we introduce an additional element to hopefully provide more granularity so we can better differentiate actors.
To provide more granularity and hopefully answer the question about actors using techniques in the same way, we embed killchain step information into our graphs. A certain attack can be used for multiple killchain steps. We believe that adding killchain step information to specify where an attack is used can help us better differentiate between actors.
Figure 13: Representation that introduces a killchain step node
This is a slight modification that occurs on our actor-centric view. The resulting graph should provide us with more granularity with regards to how a technique, that is present at multiple steps, was really used.
Figure 14: Actor-centric view with killchain information
The resulting graph displayed in Figure 14 is, for lack of a better word, disappointing. That is because killchain step information has not provided us with more granularity, which in turn is because of our dataset. Unfortunately, MISP does not let users specify when a technique is used in one specific step of the killchain, if that technique can occur in multiple steps. When recording an observed MITRE technique that can occur in multiple steps, all steps will be recorded with that technique.
MISP provides granularity in terms of MITRE sub-techniques, but there is no built-in differentiation on the killchain steps. It is not yet possible to specify exactly at which step a technique present in multiple steps is used. This removes a certain level of granularity that could be useful in the actor-centric view to differentiate even more between actors. If such differentiation existed, the actor-centric view could be collapsed into:
Additionally, based on the data at hand, it is clear that actors tend to use the same techniques overall. The question of whether using MITRE techniques to differentiate between actors is actually useful then comes to mind. Perhaps it can be used to discard some noticeably different actors, but not most?
Limitations of our research also lie in the tooling used. The Graph Playground is great for quick analyses, but more extensive manipulations and work would require a more malleable engine.
Lastly, our research focused on MISP events, threat actors, and MITRE techniques. While most questions about frequency, popularity, and pattern recognition can be answered the same way for tools, and even country and sector, the list of what is achievable with graphs is definitely not exhaustive.
Building graphs the right way helps us visualize our large dataset almost instantly, and it helps us make sense of the data we see. In our case, right means the way that is most relevant to our purpose. By having sensical and relevant representations, we can connect cyber threats, campaigns, and attacks to threat actors involved, MITRE techniques used, and more.
Graphical representations are not just about piping all our data into one visualization. We need to think of how we should build our graphs to get the most out of them, while attempting to maintain satisfactory performance when scaling those graphs. Graphs with thousands of nodes often take long to render, depending on the visualization engine. The Graph Playground generates graphs from a file on the client-side, in the browser. This makes the generation incredibly fast.
Certain aspects of our research require an event-centric view, while others may, for example, require an actor-centric view. We also need to assess whether building graphs is useful in the first place. Highly dense and connected data will result in graphs that cannot be used for anything particularly interesting for our analyses of threat intelligence.
Our research has proven fruitful in the sense that much can be gained from translating our dataset to adequate representations. However, we lack a certain granularity-level that could help us differentiate between certain aspects of our data even more.
To add to John Lambert’s quote, “Defenders think in lists. Attackers think in graphs. And Threat Intelligence analysts build proper graphs and exhaustively use them.”
As mentioned, we have encountered a granularity issue that is worth looking into for future research. It would be interesting to consider incorporating analysis results from EDR engines, to isolate where a specific MITRE ATT&CK technique was used. This would provide much deeper insights and potentially even more data we can include in our visualizations. Should we succeed and process this information into our graphs, we would be able to better differentiate between actors that otherwise seem to behave the same.
We can also shift our perspective and include country and sector information but, for that, we need to exclude all crimeware-related events that are sector or country-agnostic and include only campaigns that have specific targets. Only then will such representation be useful for further analysis.
Another point worth mentioning for future work would be to consider incorporating additional resources. The Intezer OST Map, which is open source, provides insights on tools used by threat actors for well-known campaigns. It would be interesting to merge the Intezer dataset with our own and experiment with our graph representations based on this new dataset.
The post McAfee ATR Thinks in Graphs appeared first on McAfee Blogs.
To live our digital lives to the fullest, we rely on a variety of technologies to support our online activities. And while some apps and devices are meant to make certain tasks more convenient or provide us with greater security, others simply offer a false sense of security and could potentially lead to online misfortune. One such platform is SuperVPN. While users may applaud themselves for using a VPN to protect their privacy, this Android app is unfortunately spilling their secrets without their knowledge.
Let’s unpack how SuperVPN works and its recent involvement in a data breach.
VPNs (virtual private networks) are intended to create a secure tunnel between your device and the internet, offering you privacy and freedom from IP-based tracking. It protects your identity and financial information by encrypting, or scrambling, the data that flows through the tunnel, and can mask your true location, making it appear as though you are connecting from somewhere else. VPN apps have become much more popular in recent years as our awareness around privacy and security has grown. But, such is the case with all apps, it’s important to do your research before you select one to install on your phone.
According to Forbes, critical security warnings around the app SuperVPN surfaced last year. They reported research stating that 105 million people might have had their credit card details stolen, and that hackers could intercept messages between the user and provider. As of last Friday, someone leaked three databases on a popular hacking forum that purportedly contained user credentials and device data stolen from three different Android VPN services: SuperVPN, considered one of the most dangerous VPNs on Google Play with 100 million installs, GeckoVPN (10 million installs), and ChatVPN (50,000 installs). This breach exposed the data of 21 million users, including names, email addresses, usernames, payment data, device information, and even location data logs — a major red flag for a VPN.
Although a free VPN might seem like an ideal solution at first, there are multiple consequences that could potentially put your online safety in jeopardy. Since free VPNs are not making money directly from their users, many make revenue indirectly, through advertising. This means that not only will you be bombarded with ads, but you’re also exposed to tracking and malware. In fact, one study of 283 free VPN providers found that 72% included trackers. Beyond the frustration of ads, slowness, and upgrade prompts is the fact that some free VPN tools include malware that can put your sensitive information at risk. The same study found that 38% of the free VPN applications in the Google Play Store were found to have malware and some even stole the data off of users’ devices, similar to SuperVPN.
If you choose a verified, paid VPN service, however, you’ll enjoy a plethora of benefits including unlimited bandwidth, speedy performance, protection across multiple devices, and much more. Aside from choosing a premium VPN service, following these tips will help you stay secure against SuperVPN and others like it and protect your daily online communications:
Delete SuperVPN from your device as soon as possible. There are at least six other apps like SuperVPN, with identical descriptions and logos from different creators on Google Play Store. Steer clear of downloading these apps altogether to avoid any cyber misfortune.
While some malicious apps do make it through the app store screening process, most attack downloads appear to stem from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the origin and developer.
Reviews and rankings are still a suitable method of determining whether an app is legitimate. However, watch out for assessments that reuse repetitive or straightforward phrases, as this could be a sign of a fraudulent review.
If you suspect that your data might have been compromised, place a fraud alert on your credit. This not only ensures that any new or recent requests undergo scrutiny, but also allows you to have extra copies of your credit report so you can check for suspicious activity.
A comprehensive security suite like McAfee Total Protection includes our McAfee® Safe Connect standalone VPN with auto-renewal and takes the worry out of connecting, so you can focus on what’s important to you.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Attention Android Users: This Free VPN App Leaked the Data of 21 Million Users appeared first on McAfee Blogs.
Shortcuts aren’t always the fastest or safest route from Point A to Point B. Providing faster “direct to cloud” access for your users to critical applications and cloud services can certainly improve productivity and reduce costs, but cutting corners on security can come with huge consequences. The Secure Access Service Edge (SASE) framework shows how to achieve digital transformation without compromising security, but organizations still face a number of difficult choices in how they go about it. Now, McAfee can help your organization take the shortest, fastest, and most secure path to SASE with its MVISION Unified Cloud Edge solution delivered alongside SD-WAN.
Decision makers seek a faster, more efficient high road to cloud and network transformation without compromising security. The need for speed and scalability is crucial, but corners cannot be cut when it comes to maintaining data and threat protection. Safety and security cannot be left behind in a cloud of transformation dust. This blog will look at the major trends driving SASE adoption, and will then discuss how a complete SASE deployment can deliver improved performance, superior threat & data security, lower complexity, and cost savings. We’ll then explain why fast AND secure cloud transformation requires an intelligent, hyperscale platform to accelerate SASE adoption.
While digital transformation promises substantial gains in productivity and efficiencies, the journey is littered with security and efficiency challenges that can detour your organization from its desired upgrades and safe destination.
Digital transformation challenges that must be addressed include:
The increasingly difficult challenge of providing a fast and safe cloud environment to an increasingly distributed workforce has become a major detour in the drive to transform from traditional enterprise networks and local data centers. Companies have had to meet the challenge to “adapt or die” in connecting their employees and devices to corporate resources, but many have generally needed to choose between two unsatisfactory compromises: secure but slow and expensive, or fast and affordable but not secure. Adopting a SASE framework is the way to achieve all of the benefits of cloud transformation without compromise:
When network and security decision makers come to the proverbial fork in the road to network transformation, what is the best path that enables fast and affordable access without leading to unacceptable security risk? A recent blog by McAfee detailed four architectural approaches based on the willingness to embrace new technologies and bring them together. After examining the pros and cons of these four paths, the ideal solution to achieve fast, secure, and cost-effective access to web and cloud resources is a SASE model that brings together a ubiquitous, tightly integrated security stack with a robust, direct-to-cloud SD-WAN integrated networking solution. This combination provides a secure network express lane to the cloud, cruising around the latency challenges of slow, expensive MPLS links for connectivity to your applications and resources.
Fast Network. Data Protection. Threat Protection. Speed, security and safety turbocharged connectivity throughout a hyperscale cloud network without compromise.
MVISION UCE is the best framework for implementing a SASE architecture to accelerate digital transformation with cloud services, enabling cloud and internet access from any device while empowering ultimate workforce productivity. MVISION UCE brings SASE’s most important security technologies – Cloud Access Security Broker (CASB), Next-gen Secure Web Gateway (SWG), Data Loss Prevention (DLP), and Remote Browser Isolation (RBI) – together in a single cloud-native hyperscale service edge that delivers single-pass security inspection with ultra-low latency and 99.999% availability.
With MVISION Unified Cloud Edge and our SD-WAN integration partners, you can lead a network transformation that reduces costs and speeds up the user experience by using fast, affordable broadband connections instead of expensive MPLS.
MVISION UCE and SD-WAN transforms your network architecture by enabling users to directly access cloud resources without having to go back through their corporate network through MLPS or VPN connection. Now users can directly access cloud resources, and the McAfee cloud infrastructure is so well-optimized that they can often access resources even FASTER than if there was no intervening security stack! Read how Peering POPs make negative latency possible in this McAfee White Paper.
Because of the way we’ve delivered our product, MVISION UCE + SD-WAN unleashes SASE’s benefits, with data and threat protection that other vendors can’t match.
If you are looking for improved productivity and lower costs of cloud transformation without cutting corners, McAfee MVISION UCE offers the fastest route to SASE — without compromising your data and threat security.
The post The Fastest Route to SASE appeared first on McAfee Blogs.
How our new identity & privacy app can help
By this point in the year you may have already broken some of your New Year’s resolutions, but here’s one to keep: better protecting your online privacy.
After all, we are likely to continue to spend more time online in 2021, whether it be for working, learning, or shopping. This makes taking some preventative steps to shield our identity information more important than ever.
That’s why McAfee has been working on a new identity and privacy app for safeguarding your personal information, and we’d love for you to try it if you’re in the U.S.
Here’s a little bit about our approach. We looked at some of the key areas where users’ private information can be vulnerable, and designed a tool that offers easy-to-use, proactive protection for Windows, Android, and iOS devices, with consistent, familiar experiences regardless of the platform.
We know, for instance, that users are vulnerable when using unsecured networks, like public Wi-Fi. This is where a cybercriminal can potentially capture your login credentials and other personal information as it flows over the network, from your laptop to your bank’s website, for example.
So, we made sure to include a Virtual Private Network (VPN) to keep your information protected from prying eyes. It does this easily, and even automatically, by detecting when you’re on a public network and prompting you to turn on your VPN. The VPN then scrambles, or encrypts, your data as it flows over the network. Unlike some VPNs that require advanced settings to shield your data, our app offers seamless security.
Another area of high risk that we want to address is data breaches. Whether one of your personal accounts is hacked–or worse–another website somehow gets ahold of your data and subsequently gets breached, your data may end up on the dark web. This is where cybercriminals buy and sell information.
To detect these dangerous leaks, we included dark web monitoring, which alerts you if your login credentials have been exposed. It can even provide you with a link to the site that uses those credentials when the information is available. This allows you to swiftly reset your passwords, mitigating the risk.
Given that we saw a spike in corporate data breaches in 2020, where 58% of victims had their personal data compromised, I believe this kind of always-on monitoring of your private information is key.
Most importantly, we wanted to make this personal protection app easy to use and available across all your compatible devices. So, whether you’re out with just your phone, or home working at your PC, you have access to your protection, and can even pick up where you left off on a different device.
I know that organizing my digital life gives me one less thing to worry about, and I hope it’s the same for you. Give the app a try, and please let us know what you think since we are always open to your feedback.
Here’s to a happy and secure year!
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Let’s Commit To Protect Our Privacy This Year appeared first on McAfee Blogs.
Elder scams cost seniors in the U.S. some $3 billion annually. And tax season adds a healthy sum to that appalling figure.
What makes seniors such a prime target for tax scams? The Federal Bureau of Investigation (FBI) states several factors. For one, elders are typically trusting and polite. Additionally, many own their own home, have some manner of savings, and enjoy the benefits of good credit—all of which make for an ideal victim profile.
Also according to the FBI, elders may be less able or willing to report being scammed because they may not know the exact way in which they were scammed, or they may feel a sense of shame over it, or even some combination of the two. Moreover, being scammed may instill fear that family members will lose confidence in their ability to look after their own affairs.
If there’s one thing that we can do for our elders, it’s help them raise their critical hackles so they can spot these scams and stop them in their tracks, particularly around tax time. With that, let’s see how crooks target elders, what those scams look and feel like, along with the things we can do to keep ourselves and our loved ones from getting stung.
The phone rings, and an assertive voice admonishes an elder for non-payment of taxes. The readout on the caller ID shows “Internal Revenue Service” or “IRS,” the person cites an IRS badge number, and the victim is told to pay now via a wire transfer or prepaid gift card. The caller even knows the last four digits of their Social Security Number (SSN). This is a scam.
The caller, and the claim of non-payment, are 100 percent bogus. Even with those last four digits of the SSN attempting to add credibility, it’s still bogus. (Chances are, those last four digits were compromised elsewhere and ended up in the hands of the thieves by way of the black market or dark web so that they could use them in scams just like these.)
Some IRS imposter scams take it a step further. Fraudsters will threaten victims with arrest, deportation, or other legal action, like a lien on funds or the suspension of a driver’s license. They’ll make repeated calls as well, sometimes with additional imposters posing as law enforcement as a means of intimidating elders into payment.
The IRS will never threaten you or someone you know in such a way.
In fact, the IRS will never call you to demand payment. Nor will the IRS ever ask you to wire funds or pay with a gift card or prepaid debit card. And if the IRS claims you do owe funds, you will be notified of your rights as a taxpayer and be given the opportunity to make an appeal. If there’s any question about making payments to the IRS, the IRS has specific guidelines as to how to make a payment properly and safely on their official website.
It’s also helpful to know what the IRS will do in the event you owe taxes. In fact, they have an entire page that spells out how to know it’s really the IRS calling or knocking at your door. It’s a quick read and a worthwhile one at that.
In all, the IRS will contact you by mail or in person. Should you get one of these calls, hang up. Then, report it. I’ll include a list of ways you can file a report at the end of the article.
Whether it’s a disembodied voice generated by a computer or a scripted message that’s been recorded by a person, robocalls provide scammers with another favorite avenue of attack. The approach is often quite like the phone scam outlined above, albeit less personalized because the attack is a canned robocall. However, robocalls allow crooks to cast a much larger net in the hopes of illegally wresting money away from victims. In effect, they can spam hundreds or thousands of people with one message in the hopes of landing a bite.
While perhaps not as personalized as other imposter scams, they can still create that innate sense of unease of being contacted by the IRS and harangue a victim into dialing a phony call center where they are further pressured into paying by wire or with a prepaid card, just like in other imposter scams. As above, your course of action here is to simply hang up and report it.
Here’s another popular attack. An elder gets an unsolicited email from what appears to be the IRS, yet isn’t. The phony email asks them to update or verify their personal or financial information for a payment or refund. The email may also contain an attachment which they are instructed to click and open. Again, all of these are scams.
Going back to what we talked about earlier, that’s not how the IRS will contact you. These are phishing attacks aimed at grifting prized personal and financial information that scammers can use to commit acts of theft or embezzlement. In the case of the attachment, it very well may contain malware that can do further harm to their device, finances, or personal information.
If you receive one of these emails, don’t open it. And certainly don’t open any attachments—which holds true for any unsolicited email you receive with an attachment.
Beyond simply knowing how to spot a possible attack, you can do several things to prevent one from happening in the first place.
First let’s start with some good, old-fashioned physical security. You may also want to look into purchasing a locking mailbox. Mail and porch theft are still prevalent, and it’s not uncommon for thieves to harvest personal and financial information by simply lifting it from your mailbox.
Another cornerstone of physical security is shredding paper correspondence that contains personal or financial information, such as bills, medical documents, bank statements and so forth. I suggest investing a few dollars on an actual paper shredder, which are typically inexpensive if you look for a home model. If you have sensitive paper documents in bulk, such as old tax records that you no longer need to save, consider calling upon a professional service that can drive up to your home and do that high volume of shredding for you.
Likewise, consider the physical security of your digital devices. Make sure you lock your smartphones, tablets, and computers with a PIN or password. Losing a device is a terrible strain enough, let alone knowing that the personal and financial information on them could end up in the hands of a crook. Also see if tracking is available on your device. That way, enabling device tracking can help you locate a lost or stolen item.
There are plenty of things you can do to protect yourself on the digital front too. Step one is installing comprehensive security software on your devices. This will safeguard you in several ways, such as email filters that will protect you from phishing attacks, features that will warn you of sketchy links and downloads, plus further protection for your identity and privacy—in addition to overall protection from viruses, malware, and other cyberattacks.
Additional features in comprehensive security software that can protect you from tax scams include:
And here’s one item that certainly bears mentioning: dispose of your old technology securely. What’s on that old hard drive of yours? That old computer may contain loads of precious personal and financial info on it. Look into the e-waste disposal options in your community. There are services that will dispose of and recycle old technology while doing it in a secure manner so the data and info on your device doesn’t see the light of day again.
As said earlier, don’t let a bad deed go unreported. The IRS offers the following avenues of communication to report scams.
In all, learning to recognize the scams that crooks aim at elders and putting some strong security measures in place can help prevent these crimes from happening to you or a loved one. Take a moment to act. It’s vital, because your personal information has a hefty price tag associated with it—both at tax time and any time.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post How to Spot, and Prevent, the Tax Scams That Target Elders appeared first on McAfee Blogs.
It’s tax time in the United States, and even if you’re pretty sure you did everything right, you’re worried. Did I file correctly? Did I claim the right deductions? Will I get audited? Unfortunately, tax season brings out scammers eager to take advantage of your anxiety.
First, know that you’re probably doing a good job with your taxes. Less than 2% of returns get audited and most discrepancies or adjustments can get handled easily if you address them promptly.
Still, wariness of the IRS and intricate tax laws makes for ripe pickings when it comes to hackers, who prey on people’s fear of audits and penalties. Common scams include fake emails, phone calls from crooks posing as IRS agents, and even robocalls that threaten jail time. With the information they get from you, hackers can take things a step further by stealing your identity and filing tax claims in your name.
As if we didn’t have enough to worry about at tax time.
The good news is that you have plenty of ways to protect yourself from hackers. Check out these tips to stay safe this tax season.
Straight from the authority itself, the IRS has published its top 12 tax season scams with new warnings brought on by the events of 2020.
For example, new to this year are scams associated with stimulus checks sent out by the government. The IRS says they have seen “… a tremendous increase in phishing schemes utilizing emails, letters, texts and links. These phishing schemes are using keywords such as “coronavirus,” “COVID-19” and “Stimulus” in various ways.”
This is very important: The IRS does not use email. If you get an email from someone saying they are the IRS and they want to talk with you about a problem, it is a scam.
Here’s what the IRS has to say:
The IRS will never initiate contact with taxpayers via email about a tax bill, refund, or Economic Impact Payments. Don’t click on links claiming to be from the IRS. Be wary of emails and websites − they may be nothing more than scams to steal personal information.
Social media attacks also made the IRS Dirty Dozen. In a social media attack, scammers harvest information from social media profiles. Hackers use the information to gain access to your online accounts in social media and beyond, like your bank account. Make it hard for them. Make your social media profiles private so that only friends and family can see them. Also consider so you can be safer from these kinds of crimes.
When a hacker poses as an IRS agent, they try to get personal information from you, like your social security number. They might demand payment, sometimes under the threat of penalties or even jail time. These strong-arm tactics are a dead giveaway that the email or phone call is fake.
What will the IRS do? Usually, the IRS will first mail a bill to any taxpayer who owes taxes. IRS collection employees might call on the phone or make an unannounced visit to your home or business. If they require a payment, the payment will always be to the U.S. Treasury. Read about other ways to know what the IRS won’t do when they contact you.
And remember: the IRS does not use email to contact you about tax problems.
A good defense is a good offense. File early. Protect yourself by filing your claim before they have a chance to file one as you. You don’t want to be one of those identity theft victims who finds out you’ve been scammed when you file your taxes only to get a notice in the mail saying your tax claim has already been filed.
Here’s other tool that can help you fight identity theft. And get this: it’s not only helpful, it’s free. Through the Federal Trade Commission, you are entitled to a free copy of your credit report from each of the three major credit reporting companies once every 12 months. In this report, you can find inaccuracies in your credit or evidence of all-out identity theft.
Keep in mind that you get one report from each of the reporting companies each year. That works out to three reports total in one year. Consider this: if you request one report from one credit reporting company every four months, you can spread you free credit report coverage across the whole year.
The idea is that, just like with your physical wellness, there are lots of steps you can take to protect your digital wellness. We’ve covered some of those steps in this blog. Consider one more: protect your digital life with a holistic security solution like McAfee Total Protection so you can enjoy life online knowing your precious data is protected. Tax time or otherwise, security software is always a smart move.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Who loves tax season besides accountants? Hackers appeared first on McAfee Blogs.
Tax season is always a high time for scams that put our money and information at risk. But this year securing your data may be more important than ever, due to a spike in unemployment fraud.
Millions of Americans have lost their jobs over the course of the pandemic, and states have seen a surge in unemployment applications, including fake claims using stolen information. In California, authorities report that between $10 billion and $30 billion was recently paid in fraudulent unemployment claims, while in New York authorities identified $5.5 billion in fake jobless claims since March of 2020.
ictims don’t even know that their information was used for a fraudulent claim until they receive an unemployment letter from their state, or a tax form from the IRS. Whether you’re concerned about your personal data, or just want to safely file your IRS return and hopefully get a tax refund, let’s take some steps to protect your private information for this tax season, and beyond.
The first thing to know is that there are a that we see evolving each year – according to the IRS, Criminal Investigation identified $2.3 billion in tax fraud schemes just last year. So, it’s always a good idea to take caution and be skeptical whenever you see something that seems too good to be true, like a free tax filing service you’ve never heard of before.
But recently, with so many people out of work, bad actors have decided to focus their attention on filing fraudulent jobless claims using stolen information from people who were actually employed.
If you’ve received a notice about unemployment benefits that you never applied for, contact your state unemployment agency and submit a claim. Then follow up with the Federal Trade Commission since they can help you by placing a fraud alert on your credit. This lets lenders know that you may be a victim of fraud, prompting them to take extra steps to verify your identity. The good news is that in the U.S. you only have to notify one of the three national credit bureaus and they will transmit your request to the other two.
My colleague Judy has shared some easy ways you can check your credit report and even freeze your credit in a blog post here. Starting 2021, you can also register for a six-digit Identity Protection PIN (IP PIN) with the IRS to add another layer of verification to protect yourself from tax-related identity theft.
Of course, tax season isn’t the only time your data can fall into the wrong hands. Keep your personal information safe by adopting these best practices and robust tools.
• Use comprehensive security software—For protection against the growing range of threats, choose holistic security software that goes beyond traditional antivirus products, by protecting your identity and privacy wherever and however you connect.
Stay Updated
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Don’t Let Tax Fraud Ruin Your IRS Refund appeared first on McAfee Blogs.
The human race commonly fears what it doesn’t understand. In a time of war, this fear is even greater if one side understands a weapon or technology that the other side does not. There is a constant war which plagues cybersecurity; perhaps not only in cybersecurity, but in the world all around us is a battle between good and evil. In cyber security if the “evil” side understands or pays more attention to a technology than the “good” side, we see a spike in cyber-attacks.
This course of events demands that both offensively and defensively minded “good guys” band together to remove the unknown from as much technology as possible. One of the most common unknown pieces of technology in cybersecurity that professionals see on a regular basis are proprietary protocols running across their networks. By using both the tactics and perspectives from red and blue teams it is possible to conquer and understand these previously unknown packets. This strategy is exactly what we, Douglas McKee and Ismael Valenzuela, hoped to communicate in our webinar ‘Thinking Red, Acting Blue: Hacking Proprietary Protocols”.
Proprietary protocols are typically a mystery to many practitioners. Vendors across many industries develop them for very specific purposes and technologies. We see them in everything from the Internet of Things (IOT), to Industrial Controls Systems (ICS), to medical devices and more. Since by its nature “proprietary” technology is not shared, there is generally no public Request for Comments (RFC) or public disclosure on how they work. This provides an opportunity for attackers and a challenge for defenders. Attackers are aware these networking protocols are less reviewed and therefore more susceptible to vulnerabilities, while defenders have a hard time understanding what valid or benign traffic looks like. Unfortunately, attackers are generally more financially motivated to spend the time reversing these protocols than defenders, since the rewards can be very substantial.
During the webinar we discussed a two-prong approach to tackling these unknown protocols with the goal of a deeper understanding of this data. A red team’s purpose may be to look for vulnerabilities, while a blue team may be more interested in detecting or flagging unusual behavior in this traffic. We discuss how this can be accomplished through visual inspection using Wireshark to compare the traffic across multiple conversations, and we complemented this analysis with python libraries like pandas, numpy and matplotlib, for data exploration and visualization.
For example, consider the packets in the Wireshark captures side-by-side in Figure 1. An astute reader may notice that the UDP packets are evenly spaced between each other within the same PCAP, yet differently spaced between pcaps.
In protocol analysis this can indicate the use of a status or “heartbeat” packet, which may contain some type of data where the interval it is sent is negotiated for each conversation. We have seen this as a common trait in proprietary protocols. This can be difficult for a cybersecurity professional to discern with a small amount of data, but could be very helpful for further analysis. If we import the same data into pandas dataframes and we add matplotlib visualizations to our analysis, the behavior becomes much clearer as seen in Figure 2.
By using the reverse engineering perspective of a vulnerability researcher combined with the data analysis insight of a defender, we can strengthen and more quickly understand the unknown. If this type of deep technical analysis of proprietary protocols interests you, we encourage you to check out the recording of our presentation below. We have made all of our resources public on this topic, including pcaps and python code in a Jupyter Notebook, which can be found on Github and Binder. It is important as an industry that we don’t give into fear of the unknown or just ignore these odd looking packets on our network, but instead lean in to understand the security challenges proprietary protocols can present and how to protect against them.
The post Hacking Proprietary Protocols with Sharks and Pandas appeared first on McAfee Blogs.
Only 57% of women in the U.S. are working or looking for work right now—the lowest rate since 1988.
That telling data point is just one of several that illustrate a stark contrast in these stark times: of the millions who’ve seen their employment affected by the pandemic, women have been hardest hit.
According to the U.S. Bureau of Labor Statistics (BLS), some 2.3 million women left the workforce between the start of the pandemic and January 2021. Meanwhile, the BLS statistic for the number of men who left the U.S. workforce in that same period was 1.8 million. With International Women’s Day here, it’s time we ask ourselves how we can stem this inordinately sized tide of hard-working and talented women from leaving the workforce.
A broader BLS statistic provides a further perspective: a total of 4,637,000 payroll jobs for women have been lost in total since the pandemic began in the U.S. alone. That ranges from executive roles, jobs in retail, and educators, to work in public service and more. Of those jobs lost, about one third of women aged 25-44 cited that childcare was the reason for that unemployment.
Combine that with the fact that globally women carry out at least two and a half times more unpaid household and care work than men, and a global gender pay gap of 23%, it’s easy to see why millions of women have simply dropped out of the workforce to manage children and home schooling—even in the instances where employment is available.
Not that this should surprise us. For example, just a few years before the pandemic, research showed that few Americans wanted to revert to the traditional roles of women at home and men in the workplace. However, when push came to shove, the Pew Research showed that women most often made compromises when needs at home conflicted with work. And now we’ve seen that sentiment come home to roost. On a massive scale.
Put plainly, when the pandemic pushed, women’s working lives predominantly went over the edge.
Within these facts and figures, I’d like to focus on the women who are working remotely while caring for their families, whether that’s their children, elders in their lives, or even a mix of both. What can we do, as employers, leaders, and co-workers in our businesses to better support them?
As early as June, Forbes reported that women were reducing their working hours at a rate four to five times greater than men, ostensibly to manage a household where everything from daycare, school, elder care, and work all take place under the same roof. The article went on to cite ripple-effect concerns in the wake of such reductions like the tendency to pursue less-demanding work, greater vulnerability to layoffs, and reduced likelihood for promotion. In fact, one study conducted in the U.S. last summer found that 34% of men with children at home say they’ve received a promotion while working remotely, while only 9% of women with children at home say the same.
In an interview with the BBC, Melinda Gates, the Co-Chair of the Bill and Melinda Gates Foundation, stated her views on the situation succinctly: “I hope Covid-19 forces us to confront how unsustainable the current arrangement is—and how much we all miss out on when women’s responsibilities at home limit their ability to contribute beyond it. The solutions lie with governments, employers, and families committed to doing things more equitably.” I agree. This is a problem for us to solve together.
As for the role of employers and leaders in the solution, some thinking presented in The Harvard Business Review caught my eye. The article, “3 Ways Companies Can Retain Working Moms Right Now” focuses on what employers can do to better support the women in their workforce. The three ingredients the authors propose are:
If we think about the stressors we all face, this simple recipe actually reveals some depth. It takes knowing, and engaging with, employees perhaps more greatly than before. One sentence in the conclusion struck me in particular:
“It is no longer an option for managers to pretend that their employees do not have lives outside of their jobs, as these evaporated boundaries between home and work are not going away anytime soon.”
I see this every practically every day when I meet with my team. I’m sure you’ve seen it as well. With our laptop cameras on for sometimes hours a day, we’ve all caught glimpses into our coworker’s lives outside the office, seen that 7am meeting rescheduled for 8am to accommodate a busy breakfast rush with the family, or even kiddos pop into the frame during a call to say “hi.” What we may not see is just how much of a struggle that could be for some in the long haul.
Enter again those notions of providing certainty and clarity, rightsizing job expectations, and showing empathy. While not the end-all-be-all answers, they provide a starting point. As employers and leaders, if we can minimize the x-factors, adapt the workloads, and show compassion as we navigate the road to recovery, we can retain employees—and at least mitigate some of the stressors that are pushing women out of their jobs and careers during this pandemic. Exceptional employers and leaders have always done this. And now, in exceptional times, I believe it must become the norm.
Likewise, for co-workers, it’s absolutely okay to check in with people on your team, your vendors, your clients, and other people in your network and simply ask how they’re doing. I’ve had many meetings where we informally go around the horn and talk about what’s going on outside of work. The shared experience of working remotely has a way of creating new norms, and perhaps starting a meeting with an informal check-in way on occasion is one of them.
This is an opportunity to listen, simply so someone can feel better by being heard, and so that we can pinpoint places where we can come in and offer some support.
Some challenges women are facing are beyond our capacity to help firsthand, yet we can identify them when we see them. If you or someone you know is struggling, here are a few resources in the U.S. that can help:
The Office on Women’s Health, part of the U.S. Department of Health & Human services, offers a wealth of resources on its website, along with a help line that can provide further resources as well.
The National Institute of Mental Health has an extended list of articles, resources, and links to services that can provide immediate help for people who are struggling to cope or who are in crisis.
A Better Balance is a nonprofit legal advocacy group that “uses the power of the law to advance justice for workers, so they can care for themselves and their loved ones without jeopardizing their economic security.” They offer a confidential help line that can provide people with information about their workplace rights.
The National Women’s Law Center offers complementary legal consultations and with questions about accessing paid sick leave and paid leave to care for a child whose school or childcare provider is closed because of COVID-19.
As women leave the workforce worldwide, we’ve seen organizations lose precious talent, and we’ve seen women sacrifice their livelihoods and career paths. As such, the pandemic has exacted hard and human costs, ones that have fallen on women in outsized ways.
A problem of this scope is one for us to solve collectively. Apart from the bigger, broader solutions that may be forthcoming, as the employers and co-workers of women, there’s something we can do right now: reach out, listen, and act. These days call for more empathy and adaptation than ever before, particularly for the hard-working women who are doing it all—and then some.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Supporting the Women Most Affected by the Pandemic appeared first on McAfee Blogs.
Editor’s Note: This is part II in a series on helping families protect their mental and digital health in times of chronic stress. The content is not intended to be a substitute for professional advice or treatment.
Over the past year of remote life, technology has become both a lifeline and a life sucker. We’ve witnessed technology author amazing moments of human connection impossible just a few decades ago. At the same time, we’ve also seen isolation and disconnection quietly settle in alongside those wins.
As discussed in our last blog, studies now confirm living under ongoing pandemic stress has triggered a growing mental health crisis across age groups. While experts debate the degree technology contributes to that crisis, all agree the increase in digital connection over the past decade has diminished important forms of human connection considered essential to mental health.
While device use has spiked during the pandemic, the rise in tech dependence is nothing new. Our digital immersion over time has generated terms such as “phubbing,” aka phone snubbing, now known as looking at your phone over the person in front of you. It’s also why doctors now treat excessive online gaming a legitimate addiction. We also know that social media companies intentionally design apps to keep us logging on, tagging, scrolling, and, most importantly sharing our data.
With more parents and kids now working and learning from home — which has only amplified time online — successfully balancing our tech feels even more impossible.
A big struggle for many parents continues to be: How much tech is too much and how can we strike a healthy balance?
The answer to that question will look different for every family. And frankly, the answer continues to evolve almost daily. The more we know, the more we can respond and recalibrate (as well as equip our kids) to move toward that healthy balance. Here are just a few of the best practices to inspire you forward.
Start over right now. Sure, you should start establishing digital habits when your kids are young. But, life. Things happen. Pandemics hit. Rules go out the window. So, start right now, right here, knowing better and doing better. Consider parental controls that will help you set healthy screen limits for kids (and yourself) and monitor the content coming into your home.
Do it together. A healthy digital balance is an all-in, family huddle, team endeavor kind of thing. No edicts or mandates tend to work here. Explain the “why” behind needed changes to your digital routines and the physical, social, and emotional reasons why balance is so important.
Separate home and work. Because so many parents are working from home, the temptation to overwork is very real. Home and work life can easily fuse together. This fusion makes it impossible to model a balanced digital life for your kids. Consider drawing thick lines between work and home. A few ideas: Maintain a separate office in the home. At close of business, shut off all devices. Create media free zones for your family after 5 p.m. such as the dinner table, homework time, friend time, and family time.
Just say “no” to notifications. Pause to examine: What unacceptable digital distractions have I accepted? Are things like email, push notifications, and alerts on my phone interrupting important conversations and time with friends and family? Flip those switches.
Ask yourself what’s missing. Technology isn’t “bad” and a lot of the time we spend online is either essential to our livelihood or a healthy social life (this especially applies tweens, teens, and young adults). Even so, when we step over that line of healthy digital behavior, do we have the courage to ask ourselves what healthy activity am I sacrificing right now? Have I put an important relationship on the back burner? Do I have an important deadline I’m ignoring? Have I let a hobby, sport, or physical exercise go? Have I sidelined outdoor activities for screen time? All of these are important, honest questions to ask yourself (and pose to your kids) to move closer to a healthy digital balance.
Put technology in its place. Stop to evaluate the role you’ve given technology in your life personally and in your home. Do you need to dust off your tech ground rules? Consider putting screens down when others are talking, being intentional about making eye contact, and listening in a way that requires your full attention. Make family mealtimes, outings, and game nights phone free.
Balance increases over time and establishing smarter, healthier family habits is a marathon, not a sprint. Every step is big so celebrate your milestones and give yourself grace to make this not-so-easy trek back to a balanced digital life. As Nike says about getting physically fit, we can say about getting back our digital health, “No one has ever regretted it.”
The post 6 Steps to Help Your Family Restore Digital Balance in Stressful Times appeared first on McAfee Blogs.
It is near-certain the need for security across the enterprise will never cease – only increase if year-over-year trends are any indication. We constantly see headlines with repetitive buzzwords and phrases calling attention to the complexity of today’s security operations center (SOC) with calls to action to reimagine and modernize the SOC. We’re no different here at McAfee in believing this to be true.
In order for this to happen, however, we need to update our thinking when it comes to the SOC.
Today’s SOC truly serves as an organization’s cybersecurity brain. Breaking it down, the brain and SOC are both the ultimate central nervous system and are extremely complex. While the brain fires neurons, connects synapses, and constantly communicates in order for the body to function, the SOC similarly works as a centralized system where people, processes, and technology must be in-sync to function. The unfortunate reality is though, SOC analysts and staff do not feel empowered to act in this manner. According to the 2021 SANS Cyber Threat Intelligence Report, respondents cited several reasons for not being able to implement cybersecurity holistically across their organization, including lack of trained staff, time, funding, management buy-in, technical capabilities, and more.
The technology that has the power to enable this synchronicity and further modernize enterprise security by taking SOC functionality to the next level is already here – Extended Detection and Response (XDR). It has the ability to provide prevention, detection, analysis, and response in a purposefully orchestrated and cooperative way, with its components operating as a whole. Think of it this way: XDR mimics the brain’s seamlessness in operation, with every element working toward the same goal of maintaining sound security posture across an entire organization.
Put another way, the human brain has approximately 100 trillion synapses, synchronizing and directing to make it possible to walk and chew bubble gum at the very same time with seemingly no effort on the human’s end. However, if one synapse misfires or becomes compromised due to an unknown element – you might end up on the ground.
Similarly, we’re already seeing many enterprises falter, trip, and fall. According to Ernst & Young, 59% of companies experienced a significant breach in the last twelve months – and only 26% of respondents say the SOC identified that event. These statistics show the case for XDR is clear – and that it is time to learn and reap the benefits of taking a proactive approach.
Organizations are still vulnerable to malicious actors attempting to take advantage of disparate remote workforces – and we’re seeing them get craftier, acting faster and more frequently. This is where XDR offers a pivotal differentiator by providing actionable intelligence and integrated functionality across control vectors, resulting in more proactive investigation cycles.
When it comes to analysis, data can quickly become overwhelming, introducing an opportunity to miss critical threats or malicious intent with more manual or siloed processes. Meaningful context is crucial and no industry is exempt from needing it.
This is where McAfee is providing the advantage with MVISION XDR powered MVISION Insights. The ability to know likely and prioritized threat campaigns based on geographical and industry prevalence – and have them correlated and assessed across your local environment – provides the situational awareness and analysis that can allow SOC teams to act before threats occur. Additionally, as endpoints only promise to increase, MVISION XDR works in conjunction with McAfee’s endpoint protection platform (EPP), increasing effectiveness with added safeguards including antivirus, encryption, data loss prevention technologies and more at the endpoint.
Think of the impact and damage that can happen without this crucial and context MVISION Insights can provide. The consequences can be dire when looking at industries that have faced extreme upheaval.
For example, in keeping with our theme, we know the importance of essential healthcare workers and cannot be grateful enough for their contributions. But as the industry faces extreme challenges and an increase in both patient load and data, we also need to be paying close attention to how this data is being managed, who has privilege to it, and what threats exist as even this typical in-person industry shifts virtual due to our updated circumstances. Having meaningful context on potential threats will help this industry avoid added challenges so focus can remain steadfast on creating impact and positive results.
Outside of the tremendous advantage of being less vulnerable to threats and breaches due to proactivity, incredible efficiencies can be gained by freeing cybersecurity staff from those previously manual tasks and management of multiple silos of solutions. The time is definitely now too – according to (ISC)², 65% of organizations already report a shortage of cybersecurity staff.
Coupled with staff shortages and lack of skilled workers, an IBM report also found that the average time to detect and contain a data breach is 280 days. Going back to the view that the SOC serves as an organization’s cybersecurity brain – 280 days can cause massive amounts of damage if an anomaly in the brain were to occur unnoticed or unaddressed.
For the SOC, the longer a breach goes undetected, the more information and data becomes vulnerable or leaked – leading not only to a disruption in business, but ultimately financial losses as well.
XDR is the future of the SOC. We know that simplified, cohesive visualization and control across the entire infrastructure leads the SOC to better situational awareness – the catalyst for faster time to remediation. The improved, holistic viewpoint XDR provides across all vectors from endpoint, network, and cloud helps to eliminate mistakes and isolated endeavors across an organization’s entire IT framework.
With AI-guided investigation, analysts have an automatic exchange of data and information to move faster from validation to decision when it comes to threats. This is promising as organizations not only tackle a shortage in cybersecurity staff, but skilled workers as well. According to the same (ISC)² survey as above, 36% of those polled cite lack of skilled or experienced staff being a top concern.
Knowing the power of data and information, we can confidently assume that malicious actors will never stop their quest to infiltrate and extort enterprises. True to the well-known anecdote, this knowledge brings about great responsibility. Enterprises will face challenges as threats increase while talent and staff decrease – all while dealing with vendor sprawl and choice-overload across the market.
SOC Assessment Tool
Time to schedule a check-up for your SOC. It may not be as healthy as you think and true to both the medical and security industries, proactivity and prevention can lead to optimized functionality.
Want to learn more about McAfee’s investment in XDR and explore its approach? Check out McAfee MVISION XDR.
The post SOC Health Check: Prescribing XDR for Enterprises appeared first on McAfee Blogs.
Babuk ransomware is a new ransomware threat discovered in 2021 that has impacted at least five big enterprises, with one already paying the criminals $85,000 after negotiations. As with other variants, this ransomware is deployed in the network of enterprises that the criminals carefully target and compromise. Using MVISION Insights, McAfee was able to plot the telemetry of targets, revealing that the group is currently targeting the transportation, healthcare, plastic, electronics, and agricultural sectors across multiple geographies.
Figure 1. Infection map (source: MVISION Insights)
McAfee’s EPP solution covers Babuk ransomware with an array of prevention and detection techniques.
ENS ATP provides behavioral content focusing on proactively detecting the threat while also delivering known IoCs for both online and offline detections. For DAT based detections, the family will be reported as Ransom-Babuk!<hash>. ENS ATP adds 2 additional layers of protection thanks to JTI rules that provide attack surface reduction for generic ransomware behaviors and RealProtect (static and dynamic) with ML models targeting ransomware threats.
Updates on indicators are pushed through GTI, and customers of Insights will find a threat-profile on this ransomware family that is updated when new and relevant information becomes available.
Initially, in our research the entry vector and the complete tactics, techniques and procedures (TTPs) used by the criminals behind Babuk remained unclear.
However, when its affiliate recruitment advertisement came online, and given the specific underground meeting place where Babuk posts, defenders can expect similar TTPs with Babuk as with other Ransomware-as-a-Service families.
In its recruitment posting Babuk specifically asks for individuals with pentest skills, so defenders should be on the lookout for traces and behaviors that correlate to open source penetration testing tools like winPEAS, Bloodhound and SharpHound, or hacking frameworks such as CobaltStrike, Metasploit, Empire or Covenant. Also be on the lookout for abnormal behavior of non-malicious tools that have a dual use, such as those that can be used for things like enumeration and execution, (e.g., ADfind, PSExec, PowerShell, etc.) We advise everyone to read our blogs on evidence indicators for a targeted ransomware attack (Part1, Part2).
Looking at other similar Ransomware-as-a-Service families we have seen that certain entry vectors are quite common amongst ransomware criminals:
When it comes to the actual ransomware binary, we strongly advise updating and upgrading your endpoint protection, as well as enabling options like tamper protection and rollback. Please read our blog on how to best configure ENS 10.7 to protect against ransomware for more details.
Learn more about the inner working of Babuk, underground forum activity, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used by reading our detailed technical analysis.
Learn more about the inner working of Babuk, underground forum activity, Yara Rules, Indicators of Compromise & Mitre ATT&CK techniques used.
View Now
The post Babuk Ransomware appeared first on McAfee Blogs.
On February 17th, 2021, McAfee disclosed findings based on a 10-month long disclosure process with major video conferencing vendor Agora, Inc. As we disclosed the findings to Agora in April 2020, this lengthy disclosure timeline represents a nonstandard process for McAfee but was a joint agreement with the vendor to allow sufficient time for the development and release of a secure SDK. The release of the SDK mitigating the vulnerability took place on December 17th, 2020. Given the implications of snooping and spying on video and audio calls, we felt it was important to provide Agora the extended disclosure time. The affected users of Agora include popular voice and video messaging apps, with one notable application being the popular new iOS app known as Clubhouse.
Clubhouse Application Screenshot
Clubhouse has made headlines recently as one of the newest players in the social networking sphere, rising in popularity after a series of high-profile users including Elon Musk, Kanye West and influencers in various geographies posted about the platform. Released in April of 2020, Clubhouse quickly carved out a niche in Chinese social media as the platform to discuss sensitive social and political topics – perhaps aided by its invite-only approach to membership – and the spotlight shined on it by these key players further propelled it into viral status early this year. Perhaps unsurprisingly, the application was blocked for use in China on February 8th, 2021.
Last week, Stanford Internet Observatory (SIO) released research regarding the popular Clubhouse app’s use of Agora real-time engagement software and suggested that Agora could have provided the Chinese government access to Clubhouse user information and communications. While the details of Stanford’s disclosure focus on the audio SDK compared to our work on the video SDK, the functionality and flaw are similar to our recent disclosure, CVE-2020-25605. This includes the plaintext transmission of app ID, channel ID and token – credentials necessary to join either audio or video calls. We can confirm that Clubhouse updated to the most recent version of the Agora SDK on February 16th – just a day prior to our public disclosure.
Despite the recent noise surrounding Clubhouse, the reality is that this application is just one of many applications that leverage the Agora SDK. Among others, we investigated the social apps eHarmony, Skout, and MeetMe, along with several widely-used healthcare apps, some of which have a significantly larger user base. For example, MeetGroup (comprised of several apps) reported approximately 18 million monthly users compared to Clubhouse, which had approximately 600k total users as of December 2020.
We felt it was important to highlight these data points and are continuing to investigate these applications as well as monitor any potential instances of malicious actors exploiting this vulnerability. Given that Agora has released an updated SDK that fixes the call setup issues, vulnerable applications should have already switched to the secure calling SDK, thus protecting the sensitive audio and video call data as many claim to do. With that in mind, we decided to check back in with some of the Agora-based apps we previously investigated to confirm whether they had updated to the patched version. We were surprised to see many, as of February 18, 2020, still had not:
App Name | Installs | App Version | App Version Date | Updated Agora SDK |
MeetMe | 50,000,000+ | 14.24.4.2910 | 2/9/2021 | Yes |
LOVOO | 50,000,000+ | 93.0 | 2/15/2021 | No |
Plenty of Fish | 50,000,000+ | 4.36.0.1500755 | 2/5/2021 | No |
SKOUT | 50,000,000+ | 6.32.0 | 2/3/2021 | Yes |
Tagged | 10,000,000+ | 9.32.0 | 12/29/2020 | No |
GROWLr | 1,000,000+ | 16.1.1 | 2/11/2021 | No |
eharmony | 5,000,000+ | 8.16.2 | 2/5/2021 | Yes |
Clubhouse | 2,000,000+ | 0.1.2.8 | 2/16/2021 | Yes |
Practo | 5,000,000+ | 4.93 | 1/26/2021 | No |
With the context around censorship and basic privacy concerns, it will be interesting to see if these and many other apps using the vulnerable SDK update quickly, or even ever, and what kind of lasting effects these types of findings have on users’ trust and confidence in social media platforms.
For more on McAfee ATR’s research into the Agora SDK, please see our technical research blog.
For information on how users can protect themselves when using such apps, please see our consumer safety tips blog.
The post Beyond Clubhouse: Vulnerable Agora SDKs Still in Widespread Use appeared first on McAfee Blogs.
I’ve had such a busy morning! I’ve hunted down my favourite foundation, bought a puzzle mat, stocked up on special dog food for our naughty new puppy, ordered the groceries, made a few appointments and chatted with several friends. And guess what? I haven’t left my study – or changed out of my pyjamas!! Ssshhh!! Because it’s all happened online…
Of course, some of us embraced the benefits of the online world long before 2020 but the Pandemic forced almost everyone to replace our in-person activities and routines with online ones. New research from McAfee in their 2021 Consumer Security Mindset Report shows that 72% of Aussies made changes in their online activities last year out of convenience which makes complete sense!
But what’s so interesting is that now we have these super handy new online routines in place – we aren’t that keen to give them up! McAfee’s report shows that 76% of Aussies are planning on continuing with online banking, 59% of us want to keep connecting with friends and family online and 55% of us remain totally committed to online shopping! Hear, hear, I say! I am absolutely staying that course too!!
There’s no doubt that there is a lot of upside to managing our lives online but unfortunately there is also a downside – increased risk! The more time spent online, the greater the chance that we will be exposed to potential risks and threats such as phishing attacks, entering details into malicious websites or even becoming a victim of fraud.
McAfee’s research shows that we are aware of the risks of being online. In fact, 66% of us are concerned about the potential dangers of living our lives online with losing control of our financial data top of the list for the majority of us. And almost 2/3 (65%) of us are also worried about having our social media accounts hacked.
But pandemic life has meant that we are now a lot more comfortable with sharing information online. Whether it’s paperless transaction records, text and email notifications, opting to stay logged in or auto-populating forms with our credit card, this level of online sharing does make life so convenient but it can be a risky business! Why, I hear you ask? Because these conveniences usually only work when you share multiple pieces of your contact details. And the more you share, the greater your chance of being hacked or compromised. But the report was very clear – if we can make our online life more seamless then we are only too happy to share our key contact information! Oh dear!!
In addition to confessing that they don’t always take the necessary security precautions, Aussie consumers in McAfee’s report also admitted that they haven’t thought about why hackers might want their data. I don’t know how many people tell me that they don’t need to really bother with a lot of online precautions because they live a pretty boring life and don’t spend that much time online.
But this is a very dangerous way to think. Your online data is like a pot of gold to hackers. Not only can they use it to possibly steal your identity and try to empty your bank accounts but they can also on-sell it for a profit. But the majority of Aussies don’t stop to consider this with the research showing that 64% of Aussies have never considered just how valuable their online data is worth.
Hackers are ALWAYS on the lookout for new ‘up-to-date’ ways to exploit others for money. Don’t forget how quick they were to conjure up scams around COVID in early 2020 – it was just a matter of weeks before Aussies received phishing emails and malicious text messages with the aim of extracting personal information from vulnerable consumers.
But, encouragingly, 85% of Aussies said they would be far more proactive about managing their data if it could be traded as a currency.
The good news is that there are ways to secure your online life and minimise the risk of being hacked. Here are my top tips:
Yes, it might take a minute or 2 more, but using multi-factor authentication is an easy way to add an additional layer of security to protect your personal data and information. Commit to using it wherever it is offered!
If you live your life out & about like I do then you’ll be very tempted to use Wi-Fi. Using public Wi-Fi to conduct transactions, particularly financial ones is a big no-no! It takes keen hackers minimal effort to set up a fraudulent wi-fi service which could easily fool a busy person into connecting. Using a Virtual Private Network (or VPN) like McAfee® Safe Connect, is the best way of ensuring everything you share over Wi-Fi is safe and secure.
Browsing the internet with a tool like the McAfee WebAdvisor is a great way of ensuring dangerous malware is blocked if you click on a malicious link in a phishing email. You’ll have real peace of mind knowing you can manage your online life while someone looks out for you!
With 4 kids, 3 pets, 2 jobs – I know I could never get to the bottom of my ‘to-do’ lists without managing the bulk of it online. I often think I should send the internet an e-card at Christmas!! Of course, I understand why corners are cut and precautions are overlooked when we all feel so stretched for time. But just think about how much more time it would take if you were hacked and had to spend hours on the phone to your bank or if you had to reconfigure all your online accounts and social media platforms!!
So, you know what you need to do! Stay safe online everyone!
The post How 2020 Has Shaped The Way We Live Our Lives appeared first on McAfee Blogs.
We’ve all come to a realization that we don’t go anywhere without our phone. It’s a utility that helps us navigate our daily lives: directions, schedules, shopping, discounts, banking, and so on. And as our reliance on our smartphone continues to grow, it’s no wonder that hackers have taken notice. This time, it’s another case of an app gone rogue.
With over 10 million downloads, the Barcode Scanner app provided users with a basic QR code reader and barcode generator, useful for things like making purchases and redeeming discounts. Then, most likely in a recent update, the app began to deliver ad-producing malware onto users’ phones – with the malware being traced back to the Android Barcode Scanner app. While Barcode Scanner was previously benign, it is believed that a hacker injected malicious code into the app before the latest update, pushing malware onto Android devices. Once installed, the malware hijacks your default web browsers and redirects you to random advertisements.
In a typical case of malvertising, or malicious advertising, fraudsters submit infected graphic or text ads to legitimate advertisement networks, which often can’t distinguish harmful ads from trustworthy ones. Under the guise of everyday pop-ups, these malicious ads push fake browser updates, free utilities, or antivirus programs in the hope that unsuspecting users will click. Depending on what kind of programs the malicious ads succeed in downloading, hackers might steal your data, encrypt or delete your information, or hijack your computer functions – as is the case with the Barcode Scanner’s malware.
While Google has taken down the Barcode Scanner from its store, it has not been deleted from infected devices. So, if you have the app on your phone, it’s time to uninstall it from your device manually…ASAP.
We all need to reflect on the state of our digital health, especially as hackers continue to target us through the device we use most – our phones. To help protect your data, family, and friends, check out these security tactics to keep sneaky mobile threats out:
While some malicious apps do make it through the app store screening process, most attack downloads appear to stem from social media, fake ads, and other unofficial app sources. Before downloading an app to your device, do some quick research about the origin and developer.
Reviews and rankings are still a suitable method of determining whether an app is legitimate. However, watch out for assessments that reuse repetitive or straightforward phrases, as this could be a sign of a fraudulent review.
Developers are actively working to identify and address security issues. Frequently update your operating systems and apps so that they have the latest fixes and security protections.
Holistic security solutions across all devices continues to be a strong defensive measure to protect your data and privacy from online threats like malware.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Millions Affected by Malware Attributed to Android Barcode-Scanning App appeared first on McAfee Blogs.
Use of “domain age” is a feature being promoted by various firewall and web security vendors as a method to protect users and systems from accessing malicious internet destinations. The concept is to use domain age as a generic traffic filtering parameter. The thought is that hosts associated with newly registered domains should be either completely blocked, isolated, or treated with high suspicion. This blog will describe what domain age is, how domains are created and registered, domain age value, and how domain age can be used most effectively as a compliment to other web security tools.
The sites and domains of the internet are constantly changing and evolving. In the first quarter of 2020 an average of over 40,000 domains were registered per day. If the domain of a target host is known that domain has a registration date available for lookup from various sources. Domain age is a simple calculation of the time between initial domain registration and the current date.
A domain age feature is designed for use in policy control, where an administrator can set a minimum domain age that should be necessary to allow access to a given internet destination. The idea is that since domains are so easy and cheap to establish, new domains should be treated with great care, if not blocked outright. Unfortunately, with most protocols and implementations, domain age policy selection is a binary decision to allow or block. This is not very useful when the ultimate destinations are hosts, subdomains, and destination addresses that can be rapidly activated, changed, and deactivated without ever changing the domain age. As a result, binary security decisions based solely on domain name or domain age will naturally result in both false positives and false negatives that are detrimental to security, user experience, and productivity.
IANA (Internet Assigned Numbers Authority) is the department of ICANN (Internet Corporation for Assigned Names and Numbers) responsible for managing the registries of, protocol parameters, domain names, IP addresses, and Autonomous System Numbers.
IANA manages the DNS root zone and TLDs (Top Level Domains like .com, .org, .edu, etc.) and registrars are responsible for working with the Internet Registry and IANA to register individual subdomains within the top-level domains.
Details of the registration process and definitions can be found on the IANA site (iana.org). Additional details can be found here: https://whois.icann.org/en/domain-name-registration-process This location includes the following statement:
“In some cases, a person or organization who does not wish to have their information listed in WHOIS may contract with a proxy service provider to register domain names on their behalf. In this case, the service provider is the domain name registrant, not the end customer.”
This means that service providers, and end customers are free to register a domain once and reuse, reassign or sell that domain without changing the registration date or changing any other registration information. Registrars can and do auction addresses creating a vast market for domain “squatters and trolls.” An attacker can cheaply purchase an established domain of a defunct business or register a completely new legitimate sounding domain and leave it unused for weeks, months or years. For example, as of this writing airnigeria.com is up for sale on godaddy.com for just $65 USD. The domain airnigeria.com was originally registered in 2003. IANA and the registrars have no responsibility or control over usage of domains.
Domain age is determined from the domain record in the Internet Registry managed by the registry operator for a TLD (Top Level Domain). Ultimately the registrar is responsible for the establishment of a domain registration and updating related data. The record in the registry will have an original creation date but that date doesn’t change unless the registration for a specific domain expires and the domain name is re-registered. Because of this, domain age is an extremely inaccurate measure of when an individual destination became active.
And what if only the destination IP address is known at the time of the filtering decision? This could be the case for filtering the first packet sent to a specific destination (TCP SYN or first UDP packet of some other network or transport level protocol). One way to get the domain for the destination would be a reverse DNS lookup, but the domain for the host may not match the domain that was originally submitted for resolution, so what value is domain age there?
For example, www.mcafee.com can currently resolve to 172.224.15.98 which reverse resolves to a172-224-15-98.deploy.static.akamaitechnologies.com. While the mcafee.com domain was registered on 1992-08-05, akamaitechnologies.com was registered on 1998-08-18. Both are long established domains, but just because this destination, in the well-established mcafee.com domain, is hosted on the well-established akamaitechnologies.com domain, this doesn’t provide any indication of when the www.mcafee.com, or 172.224.15.98 destination became active, or the risk of communicating with that IP address. Domain age becomes even less useful when we consider destinations hosted in the public cloud (IaaS and SaaS) using the providers’ domains.
Obtaining the wrong domain and therefore wrong domain age from reverse lookup could be somewhat mitigated by tracking the DNS queries of the client and attempting to map those domains back to the requested destination IP. However, doing this would also be dependent on having full visibility into all DNS requests from the client, and assumes that the destination IP address was determined using standard DNS or by the system providing the domain age filtering.
Even if the correct domain for the transmission can be established, and the domain age can be accurately retrieved, there are still issues that should be considered.
Registrars are free to maintain, change, and reassign established domains to any customer, and resellers can do the same. This greatly diminishes the usefulness of domain age as a stand-alone filtering parameter because a malicious actor can easily acquire an existing well-established domain with a neutral or even positive reputation. A malicious actor can also register a new domain long before it is put into use as a command and control or attack domain.
Legitimate and perfectly safe sites are constantly being registered and established in many cases within days or even hours of being put into use. When using domain age as filter criteria there will always be a tradeoff between false positive and false negative rates.
It should also be noted that domain age provides little value relative to when an individual hostname record was created within a domain. Well established domains can have an infinite number of subdomains and individual hosts within those domains, and there is no way to accurately determine hostname age or even when the name was associated with an active IP. All that could possibly be determined is that the destination hostname is part of a domain that was registered at some earlier date.
The bottom line is that domain age is not nearly granular or substantive enough to make a useful filtering decision on its own. However, domain age could provide some limited security value in the complete absence of more specific criteria, provided the false positive rate and false negative rate associated with the selected recency threshold can be tolerated. Domain age can provide supplemental value when combined with other more definitive filter criteria for example protocol, content type, host category, host reputation, host first seen, frequency of host access, web service attributes, and others.
More specific criteria are always available when the HTTP protocol is in use. HTTP and HTTPS filtering is most effectively handled via explicit or transparent proxy. If the protocol is followed (enforced by the device or service), information cannot be transferred, and a compromise or attack cannot be initiated, until after TCP connection establishment.
Given that the traffic is being proxied, and HTTPS can be decrypted, accurate Fully Qualified Domain Name (FQDNs) for the host, URL path, and URL parameters can be identified and verified by the proxy for use in filtering decisions. The ability to lookup information on the FQDN, full URL path, and URL parameters provides much more valuable information relative to the history, risk level, and usage of the specific site, destination, and service independent of the domain or the domain’s date of registration Such contextual data can be further enhanced when the proxy associates the request with a specific service and its data security attributes (such as type of service, intellectual property ownership, breach history, etc.).
Industry leading web proxy vendors maintain extensive and comprehensive databases of the most frequently used sites, domains, applications, services, and URLs. The McAfee Global Threat Intelligence and Cloud Registry databases associate sites, domains, and URLs with geolocation, category, service, service attributes, applications, data risk reputations, threat reputations and more. As a side benefit, lack of an entry in the databases for a specific host, domain, service, or URL is an extremely strong, and much more accurate, indication that the site is newly established or little used and therefore should not be inherently trusted. Such sites should be treated with caution and blocked or coached or isolated (the latter two options are uniquely available with proxied HTTP/S) based on that criteria alone, regardless of domain age.
McAfee’s Unified Cloud Edge provides all of the above functionality and includes remote browser isolation (RBI) for uncategorized, unverified, and otherwise risky sites. This virtually eliminates the risks of browsers or other applications accessing uncategorized sites, without adding the complications of false positives and false negatives from a domain age filter.
When using HTTP/S, hostname age, or even first and/or last hostname seen date could provide additional value, but domain age is pretty much useless when the FQDN and more specific site or service related information is available. Best practice is to block, isolate, or at a minimum, coach unverified sites and services without regard to domain age. Allowing unverified sites or services based on domain age adds significant risk of false negatives (risky sites and services being allowed simply because the domain was not recently registered). Generically blocking sites and services based on domain age alone would lead to over-blocking sites that have established good reputations and should not be blocked.
Domain age can be somewhat useful for supplementing filter decisions in situations where no other more accurate and specific information is available about the destination of a network packet. When considering use of domain age for HTTP/S filtering, it is an extremely poor substitute for a more comprehensive threat intelligence and service database. If the decision is made to deviate from best practice and allow HTTP/S connections to unverified sites, without isolation, then domain age can provide limited supplemental value by blocking unverified sites that are in newly registered domains. This comes at the expense of a false sense of security and much greater risk of false negatives when compared to the best practice of using comprehensive web threat intelligence, performing thorough request and response analysis, and simply blocking, isolating, or coaching unverified sites.
The post Domain Age as an Internet Filter Criteria appeared first on McAfee Blogs.
The McAfee Advanced Threat Research (ATR) team is committed to uncovering security issues in both software and hardware to help developers provide safer products for businesses and consumers. We recently investigated and published several findings on a personal robot called “temi”, which can be read about in detail here. A byproduct of our robotic research was a deeper dive into a video calling software development kit (SDK) created by Agora.io. Agora’s SDKs are used for voice and video communication in applications across multiple platforms. Several of the most popular mobile applications utilizing the vulnerable SDK included social apps such as eHarmony, Plenty of Fish, MeetMe and Skout, and healthcare apps such as Talkspace, Practo and Dr. First’s Backline. In early 2020, our research into the Agora Video SDK led to the discovery of sensitive information sent unencrypted over the network. This flaw, CVE-2020-25605, may have allowed an attacker to spy on ongoing private video and audio calls. At the time of writing, McAfee is unaware of any instances of this vulnerability being exploited in the wild. We reported this research to Agora.io on April 20, 2020 and the company, as of December 17th, 2020 released a new SDK, version 3.2.1, which mitigated the vulnerability and eliminated the corresponding threat to users.
Encryption has increasingly become the new standard for communication; often even in cases where data privacy is not explicitly sensitive. For example, all modern browsers have begun to migrate to newer standards (HTTP/2) which enforce encryption by default, a complete change from just a few years ago where a significant amount of browsing traffic was sent in clear text and could be viewed by any interested party. While the need to protect truly sensitive information such as financial data, health records, and other personally identifiable information (PII) has long been standardized, consumers are increasingly expecting privacy and encryption for all web traffic and applications. Furthermore, when encryption is an option provided by a vendor, it must be easy for developers to implement, adequately protect all session information including setup and teardown, and still meet the developers’ many use cases. These core concepts are what led us to the findings discussed in this blog.
As part of our analysis of the temi ecosystem, the team reviewed the Android application that pairs with the temi robot. During this analysis, a hardcoded key was discovered in the app.
This raised the question: What is this key and what is it used for? Thanks to the detailed logging provided by the developers, we had a place to start, https://dashboard.agora.io.
According to the website – “Agora provides the SDKs and building blocks to enable a wide range of real-time engagement possibilities” In the context of our initial robot project, it simply provides the technology required to make audio and video calls. In a broader context, Agora is used for a variety of applications including social, retail, gaming and education, among others.
Agora allows anyone to create an account and download its SDKs for testing from its website, which also provides extensive documentation. Its GitHub repositories also provide detailed sample projects on how to use the product. This is amazing for developers, but also very useful to security researchers and hackers. Using the logging comments from the above code we can look at the documentation to understand what an App ID is and what it is used for.
The last two sentences of this documentation really grabbed our attention. We had found a key which is hardcoded into an Android application that “anyone can use on any Agora SDK” and is “prudent to safeguard”.
Agora provides several different SDKs with different functionality. Since we encountered Agora through use of the video SDK, we decided to focus on only this SDK for the rest of this research. Simulating the mindset of an attacker, we began to investigate what this App ID or key could be used for. Furthermore, in the context of the video SDK, the question evolved into whether an attacker could interact with this video and audio traffic.
Since Agora provides sample projects and allows for free developer accounts, the best way to understand what potential attack vectors exists is to use these tools. Examining the GitHub example projects and the following associated documentation, we can learn exactly what is needed and how a normal user is connected to a video call.
Here we see in the example code the App ID being used to create a new “RtcEngine” object. As can be seen in the documentation, creating an RtcEngine is the foundation and first step needed to create any video call.
If we continue to examine the example code and look at the documentation’s steps for connecting to a call, we come to a function named “joinChannel”.
This function is responsible for connecting an end user to a call. In the example code, there are four parameters, three of which are hardcoded and one of which can be set to null. Without doing too much more digging, it appears that while Agora lists the App ID as important, it is not the only component needed to join a video call. An attacker would also require the values passed to the joinChannel API in order to join a call. If we assume that these values are only hardcoded for the purpose of a demo application, how would an attacker obtain the other necessary values? Code is an awesome resource, but when it comes to a network conversation the truth is in the packets. By running this example code and capturing traffic with Wireshark, we can further our understanding of how this system works.
When looking at the traffic, what immediately stands out is the values passed to joinChannel in the example code above. They are sent in plaintext across the network, in addition to the App ID needed to initiate the RtcEngine. Considering this is an example app, it is important to understand the difference between a test scenario and a production scenario. As noted in the code in Figure 5, the “token” parameter is being set to null. What is a token in this context, and would that affect the security of these parameters? We can use the Agora documentation to understand that a token is designed to be randomly generated and provide more security for a session.
With tokens being an option, it is important we see what the traffic looks like in a scenario where the token parameter is not null. The use of a token is hopefully what we find in production or at least is what is recommended in production by Agora.
Running the example application again, this time using a token and capturing traffic, we can discover that the token is also a non-issue for an attacker.
The token is sent in plaintext just like the other parameters! You may have noticed this capture does not show the App ID; in this case the App ID is still sent in plaintext, in a different packet.
Information being sent in plaintext across the network to initiate a video call is one thing, but can this actually be used by an attacker to spy on a user? Will the call support a third party? Will the user be notified of a new connection? In order to answer these questions, we can use the example applications provided by Agora to run some tests. The diagram below shows the scenario we are going to try and create for testing.
The first step for an attacker sitting on the network is to be able to identify the proper network traffic containing the sensitive information. With this information from the network packets, they can then attempt to join the call that is in progress. Using a Python framework called Scapy, we built a network layer in less than 50 lines of code to help easily identify the traffic the attacker cares about. This was done by reviewing the video call traffic and reverse engineering the protocol. Like a lot of reversing, this is done by using context clues and a lot of “guess and check”. Strings help us identify the use for certain fields and provide clues to what the fields around them might be. In some cases, fields are still unknown; however, this is normal. An attacker or researcher only needs to decipher enough of a packet to make an attack possible.
The above code identifies, parses, and displays in human readable form, only the important information in the three main packet types discovered in the Agora traffic. From here we can automate the scenario outlined in Figure 10 using Python with a few modifications to the example apps. It totally works! The demo video below shows an attacker sniffing network traffic to gather the call information and then launching their own Agora video application to join the call, completely unnoticed by normal users.
Besides using a token, were there any other security measures available to developers that might have mitigated the impact of this vulnerability? Per Agora’s documentation, the developer has the option to encrypt a video call. We also tested this, and the App ID, Channel Name, and Token are still sent in plaintext when the call is encrypted. An attacker can still get these values; however, they cannot view the video or hear the audio of the call. Despite this, the attacker can still utilize the App ID to host their own calls at the cost of the app developer. We will discuss in the next section why, even though encryption is available, it is not widely adopted, making this mitigation largely impractical.
This research started with the discovery of an App ID hardcoded into “temi”, the personal robot we were researching. Agora documents clearly on its website that this App ID should be “kept safe”, which we discovered as a vulnerability while researching temi. However, further examination shows that even if temi had kept this value safe, it is sent in cleartext over the network along with all the other values needed to join the call. So how does this impact other consumers of the Agora SDK outside of temi?
Agora’s website claims – “Agora’s interactive voice, video, and messaging SDKs are embedded into mobile, web and desktop applications across more than 1.7 billion devices globally.” To ensure our comparisons would be reasonable, we looked only at other Android applications which used the video SDK. We also focused on apps with a very large install base.
To give a quick cross-section of apps on Google Play that utilize Agora, let’s focus on MeetMe, Skout, Nimo TV, and, of course, temi. Google Play reports the number of installs at 50 million+ each for MeetMe and Skout, 10 million+ for Nimo TV and 1000+ for temi. By examining the applications’ decompiled code, we can easily determine all four of these applications have hardcoded App IDs and do not enable encryption. We see very similar code as below in all the applications:
The most important line here is the call to setEncryptionSecret which is being passed the “null” parameter. We can reference the Agora documentation to understand more about this call.
Even though the encryption functions are being called, the application developers are actually disabling the encryption based on this documentation. A developer paying close attention might ask if this is the only place the API is being called. Could it be set elsewhere? The team searched the decompiled code for all the applications reviewed and was unable to find any other instance of the API call, leading us to believe this is the only call being made. With this in mind, the cleartext traffic has a greater impact that goes well beyond a personal robot application to millions – potentially billions – of users. Without encryption enabled and the setup information passed in cleartext, an attacker can spy on a very large range of users.
Although Agora should not have been sending this sensitive information unencrypted, if it offers an encrypted traffic option, why is it not being used? This would at least protect the video and audio of the call, even though an attacker is able to join. While it is impossible to be certain, one reason might be because the Agora encryption options require a pre-shared key, which can be seen in its example applications posted on GitHub. The Agora SDK itself did not provide any secure way to generate or communicate the pre-shared key needed for the phone call, and therefore this was left up to the developers. Many calling models used in applications want to give the user the ability to call anyone without prior contact. This is difficult to implement into a video SDK post-release since a built-in mechanism for key sharing was not included. It is also worth noting that, generally, the speed and quality of a video call is harder to maintain while using encryption. These may be a few of the reasons why these application developers have chosen to not use the encryption for the video and audio. Now that the SDK properly and transparently handles encryption of call setup, developers have the opportunity to leverage a more secure method of communication for traffic. Additionally, developers still have the option to add full encryption to further protect video and audio streams.
Agora has published a list of best practices for all its developers and partners here, which does include use of encryption when possible. We generally recommend following vendors’ security best practices as they are designed to apply to the product or service directly. In this case, the vulnerability would still exist; however, its effectiveness would be extremely limited if the published best practices were followed. Although we have found Agora’s recommendations were largely not being adopted, Agora has been actively communicating with customers throughout the vulnerability disclosure process to ensure its recommended processes and procedures are widely implemented.
Privacy is always a top concern for consumers, but also remains an enticing threat vector for attackers. If we look at the two biggest apps we investigated (MeetMe and Skout), both are rated for mature audiences (17+) to “meet new people” and both advertise over 100 million users. MeetMe also mentions “flirting” on the Google Play store and its website has testimonies about people meeting the “love of their life”. Although they are not explicitly advertised as dating apps, it would be reasonable to draw the conclusion that it is at least one of their functions. In the world of online dating, a breach of security or the ability to spy on calls could lead to blackmail or harassment by an attacker. Other Agora developer applications with smaller customer bases, such as the temi robot, are used in numerous industries such as hospitals, where the ability to spy on conversations could lead to the leak of sensitive medical information.
One goal of the McAfee Advanced Threat Research team is to identify and illuminate a broad spectrum of threats in today’s complex and constantly evolving landscape. As per McAfee’s responsible disclosure policy, McAfee ATR informed Agora as soon as the vulnerability was confirmed to be exploitable. Agora was very receptive and responsive to receiving this information and further advanced its current security capabilities by providing developers with an SDK option (version 3.2.1) to encrypt the initial call setup information, mitigating this vulnerability. We have tested this new SDK and can confirm it fully mitigates CVE-2020-25605. At the time of writing, McAfee is unaware of any instances of this vulnerability being exploited in the wild, which demonstrates another powerful success story of mitigating an issue which may have affected millions of users before it is used for malicious purposes. Our partnership with Agora resulted in the release of a more secure SDK which has empowered developers across multiple companies to produce more secure video calling applications. We strongly recommend any development team which uses the Agora SDK to upgrade to the latest version, follow Agora’s outlined best practices, and implement full encryption wherever possible.
CVE: CVE-2020-25605
CVSSv3 Rating: 7.5/6.7
CVSS String: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C
CVE Description: Cleartext transmission of sensitive information in Agora Video SDK prior to 3.1 allows a remote attacker to obtain access to audio and video of any ongoing Agora video call through observation of cleartext network traffic.
The post Don’t Call Us We’ll Call You: McAfee ATR Finds Vulnerability in Agora Video SDK appeared first on McAfee Blogs.
Whether they’re attending regular work meetings or catching up with extended family across the globe, many people leverage video conferencing to better connect with others – a process that will likely continue as our world only becomes more digital. But as the rapid adoption of video conferencing tools and apps occurs, potential threats to online safety emerge.
Agora is one of these tools for connection. The company’s video conferencing software is included in apps like MeetMe, Skout, Nimo TV, temi, Dr. First Backline, and Talkspace, across more than 1.7 billion devices globally. According to McAfee Advanced Threat Research (ATR), Agora’s video software development kit (SDK) until recently included a vulnerability that could have allowed an attacker to spy on ongoing video and audio calls.
In accordance with McAfee’s safe vulnerability disclosure policy, ATR provided Agora with details of its thorough research into the issue so that the software developer could take action to address it with a software update.
But let’s take a look at what a vulnerability like this could mean for users.
So, how exactly could this vulnerability allow others to spy on private calls?
The McAfee ATR team discovered that the Agora vulnerability stemmed from an error of incomplete encryption – the process of converting information or data into seemingly random output to prevent unauthorized access. Agora’s SDK implementation did not allow applications to securely configure the setup of video/audio encryption, thereby leaving a potential for hackers to snoop on them.
Therefore, if exploited, this particular vulnerability could’ve allowed a criminal to launch man-in-the-middle attacks, which occur when a hacker secretly intercepts and possibly alters the communications between two unsuspecting users. Aka, they could spy on users’ private video calls.
The vulnerability discovery and mitigation cooperation between McAfee and Agora illustrates why it’s so important for threat researchers to work closely and constructively with app developers to make our digital lives as safe as possible.
As a consumer, however, it’s important to realize what exactly you’re getting into when downloading applications for video conferencing and other tools that help you stay connected.
While the security community encourages developers to write software code with security in mind, software apps tend to struggle with bugs and vulnerabilities in their early days. Consumers should by all means download and enjoy the hottest new apps, but they should also take steps to protect themselves from any undiscovered issues that might threaten them.
Here are a few tips that can help ensure your safety while connecting with others online:
It’s easy to click “Install later” when software updates pop up on your screen. However, these updates often come with security patches for vulnerabilities like the ones mentioned above. To ensure that your software and apps have the latest security fixes, update them immediately or select the option update automatically if available.
Until a patch is created, you should operate under the assumption that a hacker could compromise your video calls. Avoid using vulnerable apps until developers make a software security update available to help protect your calls from being infiltrated.
In order to protect yourself and your loved ones from potential risks, make sure you have a holistic security solution in place, such as McAfee Total Protection, which can help block risky downloads with McAfee WebAdvisor, protect you from malicious mobile apps, and help update Windows and your apps all in one place with Vulnerability Scanner.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Hang Up on Hackers: Protect Yourself from Mobile App Video Conferencing Vulnerabilities appeared first on McAfee Blogs.
Editor’s Note: This is part I in a series on helping families protect their mental and digital health in times of chronic stress. The content is not intended to be a substitute for professional advice or treatment.
The data continues to confirm that living with the stress of a prolonged pandemic is taking a toll on the mental health of both the young and old. Add increased technology use to this state of chronic stress and there’s no doubt that families everywhere sit in the crosshairs of any number of mental health risks.
After nearly a year of isolation, stop-and-start school days, restricted travel, and the added layer of political tension, many are experiencing feelings of hopelessness that pandemic circumstances only magnify.
According to a nationwide survey by researchers from Rutgers and Harvard, more than one-third of young adults in the U.S. report having thoughts of hopelessness, while nearly half show symptoms of depression.
These numbers are ten times higher than what was exhibited in the general population before the COVID-19 pandemic, say researchers.
Pandemic stress is also impacting younger children. The Centers for Disease Control (CDC) reports mental health visits have spiked for young children and adolescents since the pandemic started.
A 2016 Time cover story offers critical insight into why anxiety and depression have continued to rise among young people and the role technology plays in that equation.
Time writer Susanna Schrobsdorff describes the crisis this way: “They are the post-9/11 generation, raised in an era of economic and national insecurity. They’ve never known a time when terrorism and school shootings weren’t the norm. They grew up watching their parents weather a severe recession, and, perhaps most important, they hit puberty at a time when technology and social media were transforming society.”
Janis Whitlock, director of the Cornell Research Program on Self-Injury, added that technology is the primary driver feeding young people’s anxiety and depression. “It’s that they’re in a cauldron of stimulus they can’t get away from, or don’t want to get away from, or don’t know how to get away from.”
Steve Schneider, a high school counselor, likened the constant pressure many teens feel from their phones to a scab that’s constantly being picked. “At no point do you get to remove yourself from it and get perspective.”
Even with a vaccine signaling an end in sight to a degree of our stress, other tensions are proving to be relentless, causing what some doctors are calling “headline stress disorder,” a condition in which non-stop news cycles trigger intense feelings of worry and helplessness.
So how can we help our kids bear up under the weight of it all?
Staying especially connected to one another during this time and alert to the signs of emotional distress is one way parents can help kids balance their digital and mental health. Here are a few other ways to consider.
The silent storms beneath this pandemic will continue to surface and teach us for years to come. Until then, be encouraged that no one has the “what to do,” figured out or the parental superpower to control the uncontrollable. We’re all in this together and, together, hopefully soon, we’ll be enjoying the light of better days.
Family Mental Health Resources |
For resources related to mental health, suicide prevention, crisis intervention, and COVID-19, visit the Pandemic Crisis Services Response Coalition. If you or a family member is in immediate crisis, visit the emergency room or call National Suicide Prevention Lifeline at (800) 273-8255.
To stay updated on all things McAfee and on top of the latest consumer and mobile security threats, follow @McAfee_Home on Twitter, subscribe to our email, listen to our podcast Hackable?, and ‘Like’ us on Facebook.
The post Balancing Digital: Helping Your Family Manage Ongoing Stress appeared first on McAfee Blogs.
What is your organization’s readiness for the emerging eXtended Detection Response (XDR) technology? McAfee just released the first iteration of this technology, MVISION XDR. As XDR capabilities become available, organizations need to think through how to embrace the new security operations technology destined to empower detection and response capabilities. XDR is a journey for people and organizations.
The cool thing about McAfee’s offering is the XDR capabilities is built on the McAfee platform of MVISION EDR, MVISION Insights and is extended to other McAfee products and third-party offerings. This means –— as a McAfee customer — your XDR journey has already begun.
The core value prop behind XDR is to empower the SecOps function which is still heavily burdened with limited staff and resources while the threat landscape roars. This cry is not new. As duly noted in the book, Ten Strategies of World-class Cybersecurity Operations Center, written quite a few moons ago: “With the right tools, one good analyst can do the job of 100 mediocre ones.” XDR is the right tool.
SecOps empowerment means impacting and changing people and process in a positive manner resulting in better security outcomes. Organizations must consider and prepare for this helpful shift. Here are three key considerations organizations need to be aware of and ready for:
A baseline requirement for XDR is to unify and aggregate security controls and data to elevate situation awareness. Now consider what does this mean to certain siloed functions like endpoint, network and web. Let’s say you are analyst who typically pulls telemetry from separate control points (endpoint, network, web) moving from each tool with a login, to another tool with another login and so on. Or maybe you only have access to the endpoint tool. To gain insight into the network you emailed the network folks with artifacts you are seeing on the endpoint and ask if these is anything similar, they have seen on the edge and what they make of it. Often there is a delayed response from network folks given their priorities. And you call the web folks for their input on what they are seeing. Enter XDR. What if this information and insights was automatically given to you on a unified dashboard where situation awareness analysis has already begun. This reduces the manual pivoting of copy and pasting, emailing, and phone calls. It removes the multiple data sets to manage and the cognitive strain to make sense of it. The collection, triaging, and initial investigative analysis are automated and streamlined. This empowers the analysts to get to a quicker validation and assessment. The skilled analyst will also use experience and human intuition to respond to the adversary, but the initial triaging, investigation, and analysis has already been done. In addition, XDR fosters the critical collaboration between the network operations and security operations since adversary movement is erratic across the entire infrastructure.
Imagine if your SecOps gained high priority threat intelligence before the adversary hits and enters your environment. What does it mean to your daily SecOps processes and policy? It removes a significant amount to of hunting, triaging and investigation cycles. It simply prioritizes and accelerates the investigation. It answers the questions that matter. Any associated campaign is bubbled up immediately. You are getting over a hundred high alerts, but one is related to a threat campaign that is likely to hit. It removes the guess work and prioritizes SecOps efforts. It assesses your environment and the likely impact—what is vulnerable. More importantly it suggests counter measures you can take. It moves you from swimming in context to action in minutes.
This brings the SecOps to a decision moment faster—do they have the authority to respond? Are they a participant in prevention efforts? Note this topic is Strategy Three in the Ten Strategies of World-class Cybersecurity Operations Center where it is highly encouraged to empower SecOps to make and/or participate in such decisions. Policies for response decisions and actions vary by organizations, the takeaway here is decision moments come faster and more often with significant research and credible context from MVISION XDR.
XDR is an open, integrated platform. So, what does it mean to people and process if all the pieces are integrated and security functions coordinate efforts? It depends on the pieces that are connected. For example, if SecOps can place a recommendation to update certain systems on the IT service system automatically it removes the necessity to login into the IT system and place a request or in some cases call or email IT (eliminating a time-consuming step.) There is a heightened need for what–if scenario policies driven by Secure Orchestration Automation Response (SOAR) solutions. These policies are typically reflected in a manual playbook or SOAR playbook.
Let’s consider an example, when an email phishing alert is offered the SOAR automatically (by policy/play required) compares the alert against others to see if there are commonalties worth noting. If so, the common artifacts are assigned to one analyst versus distributing separate alerts to many analysts. This streamlines the investigation and response to be more effective and less consuming. There are many more examples, but the point is when you coordinate security functions organization must think through how they want each function to act under specific circumstances—what is your policy for these circumstances.
These are just a few areas to consider when you embrace XDR. I hope this initial discussion started you thinking about what to consider when embracing XDR. We have an online SOC audit where you can assess your SOC maturity and plan where you want to go. Join us for a webinar on XDR readiness where experts will examine how to prepare to optimize XDR capabilities. We also have a SOC best practices series, SOCwise that offers regular advice and tips for your SOC efforts!
The post Are You Ready for XDR? appeared first on McAfee Blogs.
In November last year, we lost our much-loved family dog. We were all so devasted. Harley was a very handsome black and white Cavoodle who died from a paralysis tick bite after giving us 12 years of love. After lots of tears and weeks of sadness, we have decided it’s time to start our search for another fur baby.
But it seems we are not the only ones in the market for a new puppy. Thanks to COVID and our new very home focussed lives, puppies have been in hot demand since early 2020 and they still are. What better way to deal with lockdown loneliness and a home-based existence than a brand-new ball of fluff!
Over the last few weeks, I’ve spoken to multiple breeders from all around Australia who have over 50 families waiting for a puppy! A Portuguese Water Dog breeder told me yesterday that it would be 2023 before she could offer me a puppy!! So,
And this trend hasn’t gone unnoticed by cybercriminals with the Australian Competition and Consumer Commission (ACCC) reporting a four-fold increase in puppy scams in 2020!! In fact, a whopping $1.6 million was scammed from unsuspecting Aussies simply looking for a ball of fur to love between January and October 2020.
So, how do you avoid being caught up in a puppy scam and losing money? Here’s what I’m doing to ensure we don’t get swindled while we search for our new puppy:
Cybercriminals rely on us being in a rush and not doing our homework. A quick google search for popular dog breeds such as Cavoodles, Labradors or Dachshunds will yield pages of results, not all of them legit!
Scammers are very talented at making their sites look genuine. They will copy photos of puppies and breeders from legitimate sites and will even use certificates and identification numbers from these legitimate breeders too. Quite often the only detail that differs is the contact telephone number and email address.
Facebook and Instagram ads are also created using these details too making it very hard to identify what is legitimate and what isn’t.
Doing your due diligence is the best way to prevent becoming a victim of a puppy scam. Even if the person on the end of the phone sounds delightful and the pictures are gorgeous, you owe it to yourself – and your bank account – to ensure you are dealing with a legitimate breeder. Here’s what I recommend you do:
If you are not able to pick up your pet in person, requesting photos and even a video call with the breeder and your potential puppy is essential.
Ask the breeder for multiple photos of the pet with specific items – this help you ascertain that the pet is real and not photoshopped. A recent newspaper is a great item to suggest.
However, a video call is probably the best way of giving you total piece of mind. Yes, it maybe crazy and noisy but there’s nothing like seeing something with your own eyes to satisfy yourself that it is real and not photoshopped!
We all have a 6th sense and now is the time to use it:
I can’t imagine our family without pets. They play such an important, cohesive role and we take such joy in sharing photos of our crazy cats and their weird antics on our family group chat.
Next week, we are going to pickup our new puppy. After much debate about breeds, we have chosen a tri coloured beaglier – male of course! The breeder sounds delightful over the phone and the pictures are gorgeous. But just to ensure total piece of mind, I am driving nearly 7 hours to pick up our new fur baby in person. I’ll be sure to share some photos!
Happy pet shopping!
Alex xx
The post Here’s What I’m Doing to Avoid Being Caught Up in A Puppy Scam appeared first on McAfee Blogs.
Albert Einstein once said, “We cannot solve our problems with the same thinking we used when we created them”.
Security vendors have spent the last two decades providing more of the same orchestration, detection, and response capabilities, while promising different results. And as the old adage goes, doing the same thing over and over again whilst expecting different results is…? I’ll let you fill in the blank yourself.
SIEM! SOAR! Next Generation SIEM! The names changed, while the same fundamental challenges remained: they all required heavy lifting and ongoing manual maintenance. As noted by ESG Research, SIEM – being a baseline capability within SOC environments – continues to present challenges to organisations by being either too costly, exceedingly resource intensive, requiring far too much expertise, and various other concerns. A common example of this is how SOC teams still must create manual correlation rules to find the “bad” connections between logs from different products, applications and networks. Too often, these rules flooded analysts with information and false alerts and render the product too noisy to effective.
The expanding attack surface, which now spans Web, Cloud, Data, Network and more, has also added a layer of complexity. The security industry cannot only rely on its customers’ analysts to properly configure a security solution with such a wide scope. Implementing only the correct configurations, fine-tuning hundreds of custom log parsers and interpreters, defining very specific correlation rules, developing necessary remediation workflows, and so much more – it’s all a bit too much.
Detections now bubble up from many siloed tools, too, including Intrusion Prevention Systems (IPS) for network protection, Endpoint Protection Platforms (EPP) deployed across managed systems, and Cloud Application Security Broker (CASB) solutions for your SaaS applications. Correlating those detections to paint a complete picture is now an even bigger challenge.
There is also no ‘R’ in SIEM – that is, there is no inherent response built into SIEM. You can almost liken it to a fire alarm that isn’t connected to the sprinklers.
SIEMs have been the foundation of security operations for decades, and that should be acknowledged. Thankfully, they’re now being used more appropriately, i.e. for logging, aggregation, and archiving.
Now, Endpoint Detection and Response (EDR) solutions are absolutely on the right track – enabling analysts to sharpen their skills through guided investigations and streamline remediation efforts – but it ultimately suffers from a network blind spot. Similarly, network security solutions don’t offer the necessary telemetry and visibility across your endpoint assets.
Of Gartner’s Top 9 Security and Risk Trends for 2020, “Extended detection and response capabilities emerge to improve accuracy and productivity” ranked as their #1 trend. They noted, “Extended detection and response (XDR) solutions are emerging that automatically collect and correlate data from multiple security products to improve threat detection and provide an incident response capability…The primary goals of an XDR solution are to increase detection accuracy and improve security operations efficiency and productivity.”
That sounds awfully similar to SIEM, so how is an XDR any different from all the previous security orchestration, detection, and response solutions?
The answer is: An XDR is a converged platform leveraging a common ontology and unifying language. An effective XDR must bring together numerous heterogeneous signals, and return a homogenous visual and analytical representation.. XDR must clearly show the potential security correlations (or in other words, “attack stories”) that the SOC should focus on. Such a solution would de-duplicate information on one hand, but would emphasize the truly high-risk attacks, while filtering out the mountains of noise. The desired outcome would not require exceeding amounts of manual work; allowing SOC analysts to stop serving as an army of “translators” and focus on the real work – leading investigations and mitigating attacks. This normalized presentation of data would be aware of context and content, be advanced technologically, but simple for analysts to understand and act upon.
SIEMs are data-driven, meaning they need data definitions, custom parsing rules and pre-baked content packs to retrospectively provide context. In contrast, XDR is hypothesis driven, harnessing the power of Machine Learning and Artificial Intelligence engines to analyse high-fidelity threat data from a multitude of sources across the environment to support specific lines of investigation mapped to the MITRE ATT&CK framework.
The MITRE ATT&CK framework is effective at highlighting “how bad guys do what they do, and how they do it.” While traditional prevention measures are great at “spot it and stop it” protections, MITRE ATT&CK demonstrates there are many steps taking place in the attack lifecycle that aren’t obvious. These actions don’t trigger sufficient alerting to generate the confidence required to support a reaction.
XDR isn’t a single product. Rather, it refers to an assembly of multiple security products (and services) that comprise a unified platform. An XDR approach will shift processes and likely merge and encourage tighter coordination between different functions like SOC analysts, hunters, incident responders and IT administrators.
The ideal XDR solution must provide enhanced detection and response capabilities across endpoints, networks, and cloud infrastructures. It needs to prioritise and predict threats that matter BEFORE the attack and prescribe necessary countermeasures allowing the organisation to proactively harden their environment.
McAfee’s MVISION XDR solution does just that, by empowering the SOC to do more with unified visibility and control across endpoints, network, and cloud. McAfee XDR orchestrates both McAfee and non-McAfee security assets to deliver actionable cyber threat management and support both guided and automated investigations.
What if you could find out if you’re in the crosshairs of a top threat campaign, by using global telemetry from over 1 billion sensors that automatically tracks new campaigns according to geography and industry vertical? Wouldn’t that be insightful?
“Many firms want to be more proactive but do not have the resources or talent to execute. McAfee can help bridge this gap by offering organisations a global outlook across the entire threat landscape with local context to respond appropriately. In this way, McAfee can support a CISO-level strategy that combines risk and threat operations.”
– Jon Oltsik, ESG Senior Principal Analyst and Fellow
But, hang on… Is this all just another ‘platform’ play?
Take a moment to consider how ‘platform’ offerings have evolved over the years. Initially designed to compensate for the heterogeneity and volume of internal data sources and external threat intelligence feeds, the core objective has predominantly been to manifest data centrally from across a range of vectors in order to streamline security operations efforts. We then saw the introduction of case management capabilities.
Over the past decade, the security industry proposed solving many of the challenges presented in SOC contexts through integrations. You would buy products from a few different vendors, who promised it would all work together through API integration, and basically give you some form of pseudo-XDR outcomes we’re exploring here.
Frankly, there are significant limitations in that approach. There is no data persistence; you basically make requests to the lowest API denominator on a one-to-one basis. The information sharing model was a one-way ‘question and answer’ leveraging a scheduled push-pull methodology. The other big issue was the inability to pull information in whatever form – you were limited to the API available between the participating parties, with the result ultimately only as good as the ‘dumbest’ API.
And what about the lack of any shared ontology, meaning little to no common objects or attributes? There were no shared components, such as UI/UX, incident management, logging, dashboards, policy definitions, user authentication, etc.
What’s desperately been needed is an open underlying platform – essentially like a universal API gateway scaled across the cloud that leverages messaging fabrics like DXL that facilitate easy bi-lateral exchange between many security functions – where vendors and partner technologies create tight integrations and synergies to support specific use cases benefitting SOC ecosystems.
Is XDR, then, a solution or product to be procured? Or just a security strategy to be adopted? Potentially, it’s both. Some vendors are releasing XDR solutions that complement their portfolio strengths, and others are just flaunting XDR-like capabilities.
SIEMs still deliver specific outcomes to organisations and SOCs, which cannot be replaced by XDR. In fact, with XDR, a SIEM can be even more valuable.
For most organisations, XDR will be a journey, not a destination. Their ability to become more effective through XDR will depend on their maturity and readiness to embrace all the required processes. In terms of cybersecurity maturity, if you’d rate your organisation at a medium to high level, the question becomes how and when.
Most organisations using an Endpoint Detection and Response (EDR) solution are likely quite ready to embrace XDR’s capabilities. They are already investigating and resolving endpoint threats and they’re ready to expand this effort to understand how their adversaries move across their infrastructure, too.
If you’d like to know more about how McAfee addresses these challenges with MVISION XDR, feel free to reach out!
The post XDR – Please Explain? appeared first on McAfee Blogs.
Valentine’s Day is nearly upon us – and as couples and singletons alike gear up for a day that’s traditionally all about sharing, when it comes to our digital identities, might we be sharing too much, and how can we protect ourselves? With data showing that past, present and possibly even future lovers are willing to secretly snoop on your online information to find out all about you, it’s safe to say that ill-intentioned online criminals can too.
Living in a digital world has made it far easier to share more than just our hearts with the people we care about – but this can leave us more vulnerable to over sharing, and therefore to fraudsters. Online fraudsters have been known to use Valentine’s Day as an opportunity to take advantage of online dating sites and social media to scam those looking for love. And with many feeling isolated and shut off from friends and family at the moment, online dating can be a way to make connections which are currently lacking – whether that be romantic relationships or friendships. However, this opens up the opportunity for online scammers to make the most of our desire to feel connection with others, and these criminals will know where to look to find out more about you.
Whether you love it or loathe it, Valentine’s Day is going to look a little different this year. If you’re looking for that special someone, the current lockdown, working from home and simply not going out as much as usual will have taken its toll on your social and dating life. It should come as no surprise that as a result of the pandemic, time spent online has surged, with people having either introduced or significantly increased their online activity, including online dating and social media use.
While many believe the risk lies in the dating apps themselves, the information you share across any online entity – known as your digital footprint – is where you need to pay attention, and dating apps can be a safe and enjoyable way to meet new people as long as you take the right precautions. And on a day that is very social media friendly – many can’t help but share photos and post about loved ones online on Valentine’s Day – make sure you are doing so safely. While a lot of people associate online crime with malware or phishing attacks, many aren’t aware of how vulnerable they are when sharing information on social media. If you are not careful potential love interests, and criminals alike, can find information about your family, your home, and your job – all leaving you vulnerable. So it’s worth checking your privacy settings before sharing that photo on Instagram.
The threat of having your personal identity stolen, having your dating profile hacked, or being catfished, are thankfully rare, but every year person can fall victim to these threats, so it’s no wonder that so many don’t feel secure when dating online. In the worst cases, those whose dating profiles are hacked might be extorted for money, and those encountering a catfish could end up handing over personal information which can be used against them.
Not oversharing is not an art – only share information on your profile if you feel comfortable in doing so. This is important from both a personal and security standpoint. If your information is compromised, it could lead to anywhere from identity theft to harassment, so when you use a dating app, keep the sharing to a minimum—and keep your eyes peeled for any suspicious activity across your social media, online accounts, and even your finances.
These things all sound frightening – and of course, they are! But it’s important to remember that they are thankfully rare, and you can still enjoy all the benefits that dating apps and social media have to offer if you take some simple steps. My top tips include:
So whether you’re single and looking for love, or loved up and ready to shout about it online, just remember to bear the above in mind to protect yourself from online scams.
The post Why it’s Best to Stick to Sharing Chocolates and Flowers this Valentine’s Day appeared first on McAfee Blogs.
In fact, looking back at just the last 8 months of Microsoft patches, we’ve tracked at least 25 significant vulnerabilities directly related to the Windows network stack. These have ranged from DNS to NTFS, SMB to NFS and recently, several tcp/ip bugs in fragmentation and packet reassembly for IPv4 and IPv6.
That brings us to this month’s patch Tuesday, which contains several more high-profile critical vulnerabilities in tcpip.sys. We’ll focus on three of these, including 2 marked as “remote code execution” bugs, which could lead to wormability if code execution is truly possible, and a persistent denial-of-service vulnerability which could cause a permanent Blue Screen of Death on the latest versions of Windows.
There are clear similarities between all 3, indicating both Microsoft and researchers external to Microsoft are highly interested in auditing this library, and are having success in weeding out a number of interesting bugs. The following is a short summary of each bug and the progress we have made to date in analyzing them.
What is CVE-2021-24086?
The first vulnerability analyzed in this set is a Denial-of-Service (DOS) attack. Generally, these types of bugs are rather uninteresting; however, a few can have enough of an impact that although an attacker can’t get code execution, they are well worth discussing. This is one of those few. One of the things that boost this vulnerability’s impact is the fact it is internet routable and many devices using IPv6 can be directly accessible over the internet, even when behind a router. It is also worth noting that the default Windows Defender Firewall configuration does not mitigate this attack. In a worst-case scenario, an attacker could spray this attack and put it on a continuous loop to potentially cause a “permanent” or persistent DOS to a wide range of systems.
This vulnerability exists when Windows’ tcpip.sys driver attempts to reassemble fragmented IPv6 packets. As a result, this attack requires many packets to be successful. The root cause of this vulnerability is a NULL pointer dereference which occurs in Ipv6pReassembleDatagram
. The crash occurs when reassembling a packet with around 0xffff bytes of extension headers. It should be impossible to send a packet with that many bytes in the extension headers according to the RFC, however this is not considered in the Ipv6pReceiveFragments
function when calculating the unfragmented length. Leveraging a proof-of-concept through the Microsoft MAPP program, McAfee was easily able to reproduce this bug, demonstrating it has the potential to be seen in the wild.
What is CVE-2021-24094?
This vulnerability is classified by Remote Code Execution (RCE), though our analysis thus far, code execution comes with unique challenges. Similar to CVE-2021-24086, this issue involves IPv6 packet reassembly by the Windows tcpip.sys driver. It is different from 24086 in that it doesn’t require a large packet with extension headers, and it is not a NULL pointer dereference. Instead, it is a dangling pointer which, if the right packet data is sprayed from an attacker over IPv6, will causes the pointer to be overwritten and reference an arbitrary memory location. When the data at the pointer’s target is accessed, it causes a page fault and thus a Blue Screen of Death (BSOD). Additionally, an attacker can create persistence of the DoS by continually pointing the attack at a victim machine.
While the reproduction of this issue causes crashes on the target in all reproductions so far, it’s unclear how easy it would be to force the pointer to a location that would cause valid execution without crashing. The pointer would need to point to a paged-in memory location that had already been written with additional data that could manipulate the IPv6 reassembly code, which would likely not come from this attack alone, but may require a separate attack to do so.
What is CVE-2021-24074?
CVE-2021-24074 is a potential RCE in tcpip.sys triggered during the reassembly of fragmented IPv4 packets in conjunction with a confusion of IPv4 IP Options. During reassembly, it is possible to have two fragments with different IP Options; this is against the IPv4 standard, but Windows will proceed further, while failing to perform proper sanity checks for the respective options. This type confusion can be leveraged to trigger an Out of Bounds (OOB) read and write by “smuggling” an IP option Loose source and record route (LSRR) with invalid parameters. This option is normally meant to specify the route a packet should take. It has a variable length, starts with a pointer field, and is followed by a list of IP addresses to route the packet through.
By leveraging the type confusion, we have an invalid pointer field that will point beyond the end of the routing list provided in the packet. When the routing function Ipv4pReceiveRoutingHeader
looks up the next hop for the packet, it will OOB read this address (as a DWORD) and perform a handful of checks on it. If these checks are successful, the IP stack will attempt to route the packet to its next hop by copying the original packet and then writing its own IP address in the record route. Because this write relies on the same invalid pointer value as before, this turns out to be an OOB write (beyond the end of the newly allocated packet). The content of this OOB write is the IP address of the target machine represented as a DWORD (thus, not controlled by the attacker).
Microsoft rates this bug as “Exploitation more likely”, however exploitation might not be as straightforward as it sounds. For an attack to succeed, one would have to groom the kernel heap to place a certain value to be read during the OOB read, and then make it so the OOB write would corrupt something of interest. Likely, a better exploitation primitive would need to be established first in order to successfully exploit the bug. For instance, leveraging the OOB write to corrupt another data structure that could lead to information disclosure and/or a write-what-where scenario.
From a detection standpoint, the telltale signs of an active exploitation would be fragmented packets whose IP Options vary between fragments. For instance, the first fragment would not contain an LSRR option, while the second fragment would. This would likely be accompanied by a heavy traffic meant to shape the kernel heap.
Similarities and Impact Assessment
There are obvious similarities between all three of these vulnerabilities. Each is present in the tcpip.sys library, responsible for parsing IPv4 and IPv6 traffic. Furthermore, the bugs all deal with packet reassembly and the RCE vulnerabilities leverage similar functions for IPv4 and IPv6 respectively. Given a combination of public and Microsoft-internal attribution, it’s clear that researchers and vendor alike are chasing down the same types of bugs. Whenever we see vulnerabilities in network stacks or Internet-routed protocols, we’re especially interested to determine difficulty of exploitation, wormability, and impact. For vulnerabilities such as the RCEs above, a deep dive is essential to understand the likelihood of these types of flaws being built into exploit kits or used in targeted attacks and are prime candidates for threat actors to weaponize. Despite the real potential for harm, the criticality of these bugs is somewhat lessened by a higher bar to exploitation and the upcoming patches from Microsoft. We do expect to see additional vulnerabilities in the TCP/IP stack and will continue to provide similar analysis and guidance. As it is likely to take some time for threat actors to integrate these vulnerabilities in a meaningful way, the best course of action, as always, is widespread mitigation via patching.
The post Researchers Follow the Breadcrumbs: The Latest Vulnerabilities in Windows’ Network Stack appeared first on McAfee Blogs.