Home   Blog   Twitter   Database  

How to Get the Best Layered and Integrated Endpoint Protection

Security teams have historically been challenged by the choice of separate next-gen endpoint security technologies or a more integrated solution with a unified management console that can automate key capabilities. At this point it’s not really a choice at all – the threat landscape requires you to have both. The best layered and integrated defenses now include a broad portfolio of advanced prevention technologies, endpoint security controls, and advanced detection/response tools – all within an integrated system that goes beyond alerts and into insights that even a junior analyst can act on.

More Endpoints = More Vulnerabilities

Endpoints are long beyond on-premises servers, PCs, and traditional operating systems. Internet of things devices such as printers, scanners, point-of-sale handhelds, and even wearables are vulnerable and can provide entry points for organized attacks seeking access to corporate networks. Mobile devices—both BYOD and corporate issued—are among the easiest targets for app-based attacks. Per the 2019 McAfee Mobile Threat Report, the number one threat category was hidden apps, which accounted for almost one-third of all mobile attacks.

Many enterprises are unaware of their target-rich endpoint environments, resulting in security teams struggling to maintain complete vigilance. A 2018 SANS Survey on Endpoint Protection and Response revealed some sobering statistics:

Endpoint attacks are designed to exploit the hapless user, including web drive-by, social engineering/phishing, and ransomware. Because these attacks rely on human actions, there’s a need for increased monitoring and containment, along with user education.

The latest attacks have the ability to move laterally across your entire environment, challenging every endpoint until a vulnerability is found. Once inside your walls, all endpoints become vulnerable. Modern endpoint security must extend protection across the entire digital terrain with visibility to spot all potential risks.

Less Consoles = Better Efficiency

A 2018 MSA Research report on security management commissioned by McAfee revealed that 55% of organizations struggle to rationalize data when three or more consoles are present. Too many security products, devices, and separate consoles call for a large budget and additional employees who might struggle to maintain a secure environment.

In contrast, single management consoles can efficiently coordinate the defenses built into modern devices while extending their overall posture with advanced capabilities—leaving nothing exposed. With everchanging industry requirements, an integrated endpoint security approach ensures that basic standards and processes are included and up to date.

Why McAfee Endpoint Security

McAfee offers a broad portfolio of security solutions that combine established capabilities (firewall, reputation, and heuristics) with cutting-edge machine learning and containment, along with endpoint detection and response (EDR) into a single-agent all-inclusive management console.

Is it time you took a fresh look at your strategy? Learn more in this white paper: Five ways to rethink your endpoint protection strategy.

The post How to Get the Best Layered and Integrated Endpoint Protection appeared first on McAfee Blogs.

Posted: 20 May 2019 | 10:00 am

Sophos tells users to roll back Microsoft's Patch Tuesday run if they want PC to boot

Yes, the one with the critical security fixes

Brit security software slinger Sophos has advised its customers to uninstall Microsoft's most recent Patch Tuesday run – the same patches that protect servers against the latest Intel cockups.…

Posted: 20 May 2019 | 8:15 am

CEO told to hand back 757,000 fraudulently obtained IP addresses

A company accused of fraudulently obtaining 757,000 IPv4 addresses has been ordered to hand them back.

Posted: 20 May 2019 | 6:24 am

Trickbot Watch: Arrival via Redirection URL in Spam

by Miguel Ang (Threats Analyst)

We discovered a variant of the Trickbot banking trojan (detected by Trend Micro as TrojanSpy.Win32.TRICKBOT.THDEAI) using a redirection URL in a spam email. In this particular case, the variant used Google to redirect from the URL hxxps://google[.]dm:443/url?q=<trickbot downloader>, whereby the URL in the query string, url?q=<url>, is the malicious URL that the user is redirected to. The redirection URL is a way to sidestep spam filters that may block Trickbot at the onset.

At first glance, the spam email could pass as legitimate, even adding social media icons for good measure. The content indicates a processed order that is ready for shipping. The mail then goes into detail with the freight number for the package, delivery disclaimer, and contact details of the seller. The cybercriminals used the Google redirection URL in the email to trick unwitting users and deflect from the hyperlinks’ actual intention. Moreover, since the URL is from a known site, it lends some air of authenticity to the email and redirection.

Figure 1. Sample spam email with redirection URL

Figure 1. Sample spam email with redirection URL

The URL in the email is used to redirect the user from Google to a Trickbot download site. The browser will show a redirection notice stating that the user will be sent to a link with “order review” in it.

Figure 2. Redirection notice

Figure 2. Redirection notice

After clicking the link to confirm the redirection, the user is then led to the malicious site disguised as an order review page. The said webpage has a prompt that informs the user that their order will be available in three seconds.

Figure 3. Malicious site purported to be an order review

Figure 3. Malicious site purported to be an order review

However, the site will download a .zip file that contains a Visual Basic Script (VBS), which is the Trickbot downloader. Once executed, Trickbot then performs its malicious routines. Due to its modular structure, Trickbot can quickly deploy new capabilities depending on the modules that it downloads and installs. The modules that it uses have distinct functions that can be easily swapped, enabling customized attacks. Listed below are the modules that this particular strain uses.

Figure 4. Deobfuscated script

Figure 4. Deobfuscated script

Figure 5. Trickbot processes

Figure 5. Trickbot processes

Here’s a quick rundown of Trickbot’s known modules:

Figure 6. Trickbot modules

Figure 6. Trickbot modules

Although using a link in malspam to spread Trickbot is not a particularly new technique, the way it uses this old trick might be its latest attempt to bypass spam filters using “good URLs” and abuse their services and/or functions. Since the URL in the email is that of a well-known service, the cybercriminals behind Trickbot might be betting on “masking” its infection and getting in a few more clicks in the infection chain with a stealthier approach.

Trickbot’s many tricks: arrival via spam, macro and more

We have observed spam waves involving Trickbot payloads in the past. Typically, related campaigns use spammed mail with malicious attachments disguised as a Microsoft Excel file. While other incidents used fake payment notifications that claim to come from known banks and financial institutions, the Trickbot variant in the aforementioned case gets delivered under the guise of an order review. The attachment prompts the user to enable macros that will then lead to the execution of a PowerShell command, access of a malicious link, and download of the Trickbot payload.

Trickbot arrives in a variety of ways involving macro, password-protected documents, and links. Variants were seen with capabilities that range from stealing credentials from numerous applications to detection evasion and screen-locking.

Defending against Trickbot: Trend Micro recommendations and solutions

Trickbot has seen developments beyond that of a typical banking trojan, and updates to it aren’t likely to go away anytime soon. For instance, it has also been found being delivered as a payload by attacks like those of Emotet. Cybercriminals that take advantage of Trickbot primarily use phishing techniques that trick users into downloading attachments and visiting malicious sites that steal their credentials.

Users and enterprises can protect themselves by following these best practices against spam and other phishing techniques:

Users and enterprises can also benefit from protection that uses a multilayered approach against risks brought by threats like Trickbot. We recommend employing endpoint application control that reduces attack exposure by ensuring only files, documents, and updates associated with whitelisted applications and sites can be installed, downloaded, and viewed. Endpoint solutions powered by XGen™ security such as Trend Micro™ Security, Trend Micro™ Smart Protection Suites, Trend Micro Worry-Free™ Business Security, and Trend Micro Network Defense can detect malicious files and URLs and protect users’ systems.

Indicators of Compromise (IoCs):

importDll32.dll be201f8a0ba71b7ca14027d62ff0e1c4fd2b00caf135ab2b048fa9c3529f98c8 TSPY_TRICKBOT.NL
injectDll32.dll a02593229c8e75c4bfc6983132e2250f3925786224d469cf881dbc37663c355e TrojanSpy.Win32.
mailsearcher32.dll 7f55daf593aab125cfc124a1aeeb50c78841cc2e91c8fbe6118eeae45c94549e TrojanSpy.Win32.
networkDll32.dll c560cca7e368ba23a5e48897e2f89ed1eb2e5918a3db0b94a244734b11a009c6 TrojanSpy.Win32.
psfin32.dll f82d0b87a38792e4572b15fab574c7bf95491bf7c073124530f05cc704c1ee96 TrojanSpy.Win32.
pwgrab32.dll fe89e399b749ee9fb04ea5801a99a250560ad1a4112bbf6ef429e8e7874921f2 TrojanSpy.Win32.
shareDll32.dll 7daa04b93afff93bb2ffe588a557089fad731cac7af11b07a281a2ae847536d5 TrojanSpy.Win32.
systeminfo32.dll 312dec124076289d8941797ccd2652a9a0e193bba8982f9f1f9bdd31e7388c66 TrojanSpy.Win32.
wormDll32.dll 55f74affe702420ab9e63469d2b6b47374f863fe06ef2fffef7045fb5cbb1079 TrojanSpy.Win32.
8_81_32.vbs 11b4c8b88142e9338a3cee2464e2ac1f4caccbdf94ab0ccf40c03b6960b35dd2 Trojan.VBS.TRICKBOT.SMDLDR
84_692_6.vbs 23b3cbf50531ff8cb4f81cc5d89e73f2b93f24bec575334bc133722fd9abb8fb Trojan.VBS.TRICKBOT.SMDLDR
Day5Inypriv ce46ce023e01d2afa2569962e3c0daa61f825eaa1fb5121e982f36f54bb6ab53 TrojanSpy.Win32.

Malicious site:

The post Trickbot Watch: Arrival via Redirection URL in Spam appeared first on .

Posted: 20 May 2019 | 5:28 am

CyberESI at the 2019 NCSA and NASDAQ Cybersecurity Summit

“Incident Response and Recovery” was the theme of the National Cyber Security Alliance (NCSA) and NASDAQ Cybersecurity Summit on April 17 in New York City. Security and risk professionals from the Department of Homeland Security and various organizations convened at the Nasdaq Marketsite to discuss methods that focus on resilience and recovery following a cyber attack or data breach.

Matt Barrett, CyberESI’s chief operating officer, participated in a panel discussion focused on the topic of Reducing Uncertainty and Looking Beyond IT. “When you think about incident response and the parties involved … those who truly speak cybersecurity, really and truly speak cybersecurity, are in the minority,” said Barrett.

Read more at https://www.darkreading.com/risk/tips-for-the-aftermath-of-a-cyberattack/d/d-id/1334460 and https://staysafeonline.org/blog/incident-response-ncsa-nasdaq-cybersecurity-summit/

The post CyberESI at the 2019 NCSA and NASDAQ Cybersecurity Summit appeared first on CyberESI.

Posted: 30 Apr 2019 | 8:27 am

Introducing Reneo

Reneo is a Windows tool to help incident responders, forensics specialists, and security researchers analyze and reverse engineer malicious and obfuscated scripts and other content. This tool can convert from/to various formats, transform, deobfuscate, encode/decode, encrypt/decrypt, and hash strings. The … Continue reading

Posted: 27 Jun 2018 | 8:14 am

Rootkit Umbreon / Umreon - x86, ARM samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro

There are two packages
one is 'found in the wild' full and a set of hashes from Trend Micro (all but one file are already in the full package)


Download Email me if you need the password  

File information

Part one (full package)

#File NameHash ValueFile Size (on Disk)Duplicate?
1.umbreon-ascii0B880E0F447CD5B6A8D295EFE40AFA376085 bytes (5.94 KiB)
2autoroot1C5FAEEC3D8C50FAC589CD0ADD0765C7281 bytes (281 bytes)
3CHANGELOGA1502129706BA19667F128B44D19DC3C11 bytes (11 bytes)
4cli.shC846143BDA087783B3DC6C244C2707DC5682 bytes (5.55 KiB)
5hideportsD41D8CD98F00B204E9800998ECF8427E0 bytes ( bytes)Yes, of file promptlog
6install.sh9DE30162E7A8F0279E19C2C30280FFF85634 bytes (5.5 KiB)
7Makefile0F5B1E70ADC867DD3A22CA62644007E5797 bytes (797 bytes)
8portchecker006D162A0D0AA294C85214963A3D3145113 bytes (113 bytes)
9promptlogD41D8CD98F00B204E9800998ECF8427E0 bytes ( bytes)
10readlink.c42FC7D7E2F9147AB3C18B0C4316AD3D81357 bytes (1.33 KiB)
11ReadMe.txtB7172B364BF5FB8B5C30FF528F6C51252244 bytes (2.19 KiB)
12setup694FFF4D2623CA7BB8270F5124493F37332 bytes (332 bytes)
13spytty.sh0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)Yes, of file spytty.sh
14umbreon.c91706EF9717176DBB59A0F77FE95241C1007 bytes (1007 bytes)
15access.c7C0A86A27B322E63C3C29121788998B8713 bytes (713 bytes)
16audit.cA2B2812C80C93C9375BFB0D7BFCEFD5B1434 bytes (1.4 KiB)
17chown.cFF9B679C7AB3F57CFBBB852A13A350B22870 bytes (2.8 KiB)
18config.h980DEE60956A916AFC9D2997043D4887967 bytes (967 bytes)
19config.h.dist980DEE60956A916AFC9D2997043D4887967 bytes (967 bytes)Yes, of file config.h
20dirs.c46B20CC7DA2BDB9ECE65E36A4F987ABC3639 bytes (3.55 KiB)
21dlsym.c796DA079CC7E4BD7F6293136604DC07B4088 bytes (3.99 KiB)
22exec.c1935ED453FB83A0A538224AFAAC71B214033 bytes (3.94 KiB)
23getpath.h588603EF387EB617668B00EAFDAEA393183 bytes (183 bytes)
24getprocname.hF5781A9E267ED849FD4D2F5F3DFB8077805 bytes (805 bytes)
25includes.hF4797AE4B2D5B3B252E0456020F58E59629 bytes (629 bytes)
26kill.cC4BD132FC2FFBC84EA5103ABE6DC023D555 bytes (555 bytes)
27links.c898D73E1AC14DE657316F084AADA58A02274 bytes (2.22 KiB)
28local-door.c76FC3E9E2758BAF48E1E9B442DB98BF8501 bytes (501 bytes)
29lpcap.hEA6822B23FE02041BE506ED1A182E5CB1690 bytes (1.65 KiB)
30maps.c9BCD90BEA8D9F9F6270CF2017F9974E21100 bytes (1.07 KiB)
31misc.h1F9FCC5D84633931CDD77B32DB1D50D02728 bytes (2.66 KiB)
32netstat.c00CF3F7E7EA92E7A954282021DD72DC41113 bytes (1.09 KiB)
33open.cF7EE88A523AD2477FF8EC17C9DCD7C028594 bytes (8.39 KiB)
34pam.c7A947FDC0264947B2D293E1F4D69684A2010 bytes (1.96 KiB)
35pam_private.h2C60F925842CEB42FFD639E7C763C7B012480 bytes (12.19 KiB)
36pam_vprompt.c017FB0F736A0BC65431A25E1A9D393FE3826 bytes (3.74 KiB)
37passwd.cA0D183BBE86D05E3782B5B24E2C964132364 bytes (2.31 KiB)
38pcap.cFF911CA192B111BD0D9368AFACA03C461295 bytes (1.26 KiB)
39procstat.c7B14E97649CD767C256D4CD6E4F8D452398 bytes (398 bytes)
40procstatus.c72ED74C03F4FAB0C1B801687BE200F063303 bytes (3.23 KiB)
41readwrite.cC068ED372DEAF8E87D0133EAC0A274A82710 bytes (2.65 KiB)
42rename.cC36BE9C01FEADE2EF4D5EA03BD2B3C05535 bytes (535 bytes)
43setgid.c5C023259F2C244193BDA394E2C0B8313667 bytes (667 bytes)
44sha256.h003D805D919B4EC621B800C6C239BAE0545 bytes (545 bytes)
45socket.c348AEF06AFA259BFC4E943715DB5A00B579 bytes (579 bytes)
46stat.cE510EE1F78BD349E02F47A7EB001B0E37627 bytes (7.45 KiB)
47syslog.c7CD3273E09A6C08451DD598A0F18B5701497 bytes (1.46 KiB)
48umbreon.hF76CAC6D564DEACFC6319FA167375BA54316 bytes (4.21 KiB)
49unhide-funcs.c1A9F62B04319DA84EF71A1B091434C644729 bytes (4.62 KiB)
50cryptpass.py2EA92D6EC59D85474ED7A91C8518E7EC192 bytes (192 bytes)
51environment.sh70F467FE218E128258D7356B7CE328F11086 bytes (1.06 KiB)
52espeon-connect.shA574C885C450FCA048E79AD6937FED2E247 bytes (247 bytes)
53espeon-shell9EEF7E7E3C1BEE2F8591A088244BE0CB2167 bytes (2.12 KiB)
54espeon.c499FF5CF81C2624B0C3B0B7E9C6D980D14899 bytes (14.55 KiB)
55listen.sh69DA525AEA227BE9E4B8D59ACFF4D717209 bytes (209 bytes)
56spytty.sh0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)
57ssh-hidden.shAE54F343FE974302F0D31776B72D0987127 bytes (127 bytes)
58unfuck.c457B6E90C7FA42A7C46D464FBF1D68E2384 bytes (384 bytes)
59unhide-self.pyB982597CEB7274617F286CA80864F499986 bytes (986 bytes)
60listen.shF5BD197F34E3D0BD8EA28B182CCE7270233 bytes (233 bytes)

part 2 (those listed in the Trend Micro article)
#File NameHash ValueFile Size (on Disk)
1015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28acA47E38464754289C0F4A55ED7BB556489375 bytes (9.16 KiB)
20751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53aF9BA2429EAE5471ACDE820102C5B81597512 bytes (7.34 KiB)
30a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f0AB776FA8A0FBED2EF26C9933C32E97C1011 bytes (1011 bytes)
40ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ffB982597CEB7274617F286CA80864F499986 bytes (986 bytes)
5122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e86709EEF7E7E3C1BEE2F8591A088244BE0CB2167 bytes (2.12 KiB)
6409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64aB4746BB5E697F23A5842ABCAED36C9146149 bytes (6 KiB)
74fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234D0D97899131C29B3EC9AE89A6D49A23E65160 bytes (63.63 KiB)
88752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784E7E82D29DFB1FC484ED277C70218781855564 bytes (54.26 KiB)
9991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b730885222B1863ACDC0068ED5D50590CF792DF057664 bytes (7.48 KiB)
10a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddfA977F68C59040E40A822C384D1CEDEB6176 bytes (176 bytes)
11aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809bDF320ED7EE6CCF9F979AEFE451877FFC26 bytes (26 bytes)
12acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa452584D552B5D22E40BDA23E6587B1BC532D6852 bytes (6.69 KiB)
13c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480087DD79515D37F7ADA78FF5793A42B7B11184 bytes (10.92 KiB)
14e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853BBEB18C0C3E038747C78FCAB3E0444E371940 bytes (70.25 KiB)

Posted: 20 Mar 2018 | 6:29 am

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome Mac OS X

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.

Download or share.

On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am