
Research Saturday
447 episodes — Page 8 of 9

S3 Ep 97: Unpacking the Malvertising Ecosystem.
Researchers at Cisco Talos recently published research exploring the tactics, techniques and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here: https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html Learn more about your ad choices. Visit megaphone.fm/adchoices

S3 Ep 96: Package manager repository malware detection.
Researchers at ReversingLabs have been tracking malware hidden in software package manager repositories, and its use as a supply chain attack vector. Robert Perica is a principal engineer at ReversingLabs, and he joins us to share their findings. The research can be found here: https://blog.reversinglabs.com/blog/suppy-chain-malware-detecting-malware-in-package-manager-repositories

S3 Ep 95: Day-to-day app fraud in the Google Play store.
Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they harvest user data and send it back to command and control servers. Marcelle Lee is a principal threat intel researcher at White Ops, and she shares their findings. The original research can be found here: https://www.whiteops.com/blog/another-day-another-fraudulent-app

S3 Ep 94: Nansh0u, not your normal cryptominer.
Researchers at Guardicore Labs have been tracking an unusual cryptomining campaign that appears to operate from China and targets Windows servers running Microsoft SQL Server and phpMyAdmin. Some elements of the attack chain make use of sophisticated components previously associated with nation-state actors. Ophir Harpaz and Daniel Goldberg are members of the Guardicore Labs team, and they join us to explain their findings. The research can be found here: https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/

S3 Ep 93: Opportunistic botnets round up vulnerable routers.
Researchers at Netscout's ASERT team have been tracking the growth of botnets originating in Egypt and targeting routers in South Africa. The payload is a variant of the Hakai DDoS bot. Richard Hummel is threat intelligence manager at Netscout, and he joins us to share their findings. The original research is here: https://www.netscout.com/blog/asert/realtek-sdk-exploits-rise-egypt

S3 Ep 92: Giving everyone a stake in the success of open source implementation.
Synopsys recently published the 2019 edition of their Open Source Security and Risk Analysis (OSSRA) Report, providing an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. Tim Mackey is principal security strategist within the Synopsys Cyber Research Center, and he joins us to share their findings. The research can be found here: https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html

S3 Ep 91: Middleboxes may be meddling with TLS connections.
Researchers at Cloudflare have been examining HTTPS interception, a practice that weakens the security of TLS connections, and have developed tools to help detect it. Nick Sullivan is head of cryptography at Cloudflare, and he joins us to share their findings. The research can be found here: https://blog.cloudflare.com/monsters-in-the-middleboxes/

S3 Ep 90: Apps on third-party Android stores carry unwelcome code.
Researchers at Zscaler have been tracking look-alike apps in third-party Android app stores that carry malicious code. Deepen Desai is VP of security research and operations at Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan

S3 Ep 89: Xwo scans for default credentials and exposed web services.
Researchers at AT&T Alien Labs have been tracking a new malware family they've named "Xwo" that scans systems for default credentials and vulnerable web services. Tom Hegel is a security researcher with AT&T Alien Labs, and he shares their findings. The original research is here: https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner

S3 Ep 88: Blockchain bandits plunder weak wallets.
Adrian Bednarek is a senior research analyst at Independent Security Evaluators. He and his colleagues looked at weak private keys for accounts on the Ethereum blockchain in an attempt to discover how and why they are being generated, as well as how bad actors are taking advantage of them. The original research is here: https://www.securityevaluators.com/casestudies/ethercombing/

S3 Ep 87: A fresh look at GOSSIPGIRL and the Supra Threat Actors.
Chronicle researchers Juan Andres Guerrero Saade and Silas Cutler recently published research tracking the development of the Stuxnet family of malware, which ultimately led them to the GOSSIPGIRL Supra Group of threat actors. Juan Andres Guerrero Saade joins us to share their findings. The research can be found here: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0

S3 Ep 86: Elfin APT group targets Middle East energy sector.
Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States. Alan Neville is a principal threat intelligence analyst at Symantec, and he joins us to share their findings. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

S3 Ep 85: Steganography enables sophisticated OceanLotus payloads.
Researchers at BlackBerry Cylance have been tracking payload obfuscation techniques employed by OceanLotus (APT32), specifically steganography used to hide code within seemingly benign image files. Tom Bonner is director of threat research at BlackBerry Cylance, and he joins us to share their findings. The original research can be found here: https://www.cylance.com/en-us/lp/threat-research-and-intelligence/oceanlotus-steganography-malware-analysis-white-paper-2019.html
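As an added illustration of the general technique named above, and not code from the BlackBerry Cylance research or from any OceanLotus sample, the following Python embeds a payload in the least-significant bits of raw pixel bytes, recovers it, and runs the pairs-of-values chi-square check that an analyst can apply to the same bytes to spot a region that carries hidden data. Everything here is constructed for the demonstration: the cover bytes stand in for a decoded RGB image, the payload stands in for an encrypted loader, and the length-prefixed frame is an assumption of this example, not the container format the real malware uses.

```python
import random
import struct


def embed_lsb(pixels: bytes, payload: bytes) -> bytes:
    """Return a copy of `pixels` whose least-significant bits carry a
    4-byte big-endian length prefix followed by `payload`, one bit per byte.
    Changing only the LSB keeps the image visually identical."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("cover too small: need %d bytes" % (len(framed) * 8))
    out = bytearray(pixels)
    for i in range(len(framed) * 8):
        bit = (framed[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def _lsb_bytes(pixels: bytes, first_byte: int, count: int) -> bytes:
    """Reassemble `count` framed bytes from LSBs, starting at framed byte index `first_byte`."""
    out = bytearray()
    for b in range(first_byte, first_byte + count):
        val = 0
        for k in range(8):
            val = (val << 1) | (pixels[b * 8 + k] & 1)
        out.append(val)
    return bytes(out)


def extract_lsb(pixels: bytes) -> bytes:
    """Inverse of embed_lsb. Raises ValueError when the header is implausible,
    which is the usual outcome on an image that carries nothing."""
    if len(pixels) < 32:
        raise ValueError("too small to hold a length header")
    (length,) = struct.unpack(">I", _lsb_bytes(pixels, 0, 4))
    if (4 + length) * 8 > len(pixels):
        raise ValueError("declared length %d exceeds cover capacity" % length)
    return _lsb_bytes(pixels, 4, length)


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic (Westfeld/Pfitzmann): sum over k of
    (n[2k] - n[2k+1])^2 / (n[2k] + n[2k+1]). LSB embedding of high-entropy
    data pushes the two members of each value pair toward equal counts, so
    the statistic collapses in regions that carry a payload."""
    counts = [0] * 256
    for v in pixels:
        counts[v] += 1
    stat = 0.0
    for k in range(128):
        a, b = counts[2 * k], counts[2 * k + 1]
        if a + b:
            stat += (a - b) ** 2 / (a + b)
    return stat


def make_cover(n: int, seed: int = 1) -> bytes:
    """Constructed stand-in for a natural image's raw RGB bytes: values are
    biased toward even LSBs so value pairs are unbalanced, as real covers are."""
    rnd = random.Random(seed)
    out = bytearray()
    for _ in range(n):
        v = rnd.randrange(256)
        if rnd.random() < 0.7:
            v &= 0xFE
        out.append(v)
    return bytes(out)


def demo() -> dict:
    """Embed a constructed 1000-byte payload in a 64x64 RGB cover and compare
    the chi-square statistic of the carrying region before and after."""
    cover = make_cover(64 * 64 * 3)
    rnd = random.Random(7)
    payload = bytes(rnd.getrandbits(8) for _ in range(1000))  # stands in for an encrypted loader
    stego = embed_lsb(cover, payload)
    region = (4 + len(payload)) * 8  # bytes of the cover that received payload bits
    return {
        "roundtrip_ok": extract_lsb(stego) == payload,
        "chi_cover": pov_chi_square(cover[:region]),
        "chi_stego": pov_chi_square(stego[:region]),
        "bytes_changed": sum(a != b for a, b in zip(cover, stego)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The detection half is the part worth keeping: the chi-square statistic over the embedded region drops by more than an order of magnitude relative to the untouched cover, while the pixel values themselves move by at most one. Real-world samples hide the payload behind an image codec and often spread bits with a key-derived permutation, so the check should be run on the decoded pixel plane and over sliding windows rather than a fixed prefix.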

S3 Ep 84: Sea Turtle state-sponsored DNS hijacking.
Researchers at Cisco Talos have been tracking what they believe is a state-sponsored attack on DNS infrastructure, targeting the Middle East and North Africa. This attack has the potential to erode trust in and the stability of the DNS system, which is critical to the global economy. Craig Williams is director of Talos Outreach at Cisco, and he joins us to share their findings. The original research can be found here: https://blog.talosintelligence.com/2019/04/seaturtle.html

S3 Ep 83: Deep learning threatens 3D medical imaging integrity.
Researchers at Ben-Gurion University in Israel have developed techniques to infiltrate medical imaging networks and alter the 3D medical scans within them, fooling both human and automated examiners with a high rate of success. Yisroel Mirsky is a cybersecurity researcher and project manager at Ben-Gurion University, and he joins us to share what his team discovered. The original research can be found here: https://arxiv.org/pdf/1901.03597.pdf A video demonstrating the attack is here: https://youtu.be/_mkRAArj-x0

S3 Ep 82: Undetectable vote manipulation in SwissPost e-voting system.
Researchers have discovered a number of vulnerabilities in the SwissPost e-voting system which could allow undetectable manipulation of votes. Dr Vanessa Teague is Associate Professor and Chair of the Cybersecurity and Democracy Network at the Melbourne School of Engineering, University of Melbourne, Australia. She joins us to explain her team's findings. The original research is here: https://people.eng.unimelb.edu.au/vjteague/SwissVote

S3 Ep 81: Establishing software root of trust unconditionally.
Researchers at Carnegie Mellon University's CyLab Security and Privacy Institute claim to have made an important breakthrough in establishing a root of trust (RoT) to detect malware in computing devices. Virgil Gligor is one of the authors of the research, and he joins us to share their findings. The original research can be found here: https://www.ndss-symposium.org/ndss-paper/establishing-software-root-of-trust-unconditionally/

S3 Ep 80: Lessons learned from Ukraine elections.
Joep Gommers from EclecticIQ joins us to share their research tracking the information operations and security methods Russian actors have been using in advance of the recently held elections in Ukraine. The research can be found here: https://www.eclecticiq.com/resources/fusion-center-report-situational-awareness-ukraine-elections

S3 Ep 79: Alarming vulnerabilities in automotive security systems.
Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable or meddle with multiple vehicle systems. Ken Munro is a security researcher with Pen Test Partners, and he joins us to share their findings. The original research can be found here: https://www.pentestpartners.com/security-blog/gone-in-six-seconds-exploiting-car-alarms/

S3 Ep 78: Ryuk ransomware relationship revelations.
Investigators from McAfee's Advanced Threat Research unit, working with partners at Coveware, have re-evaluated hasty attributions of Ryuk ransomware to North Korea and have explored the inner workings of the threat. John Fokker is head of cyber investigations in McAfee's Advanced Threat Research unit. He joins us to share their findings. The original research can be found here: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/

S3 Ep 77: ThinkPHP exploit from Asia-Pacific region goes global.
Akamai's Larry Cashdollar joins us to describe an exploit he recently came across while researching Magecart incidents. It targets a remote command execution vulnerability affecting ThinkPHP, a popular web framework. The original research can be found here: https://blogs.akamai.com/sitr/2019/01/thinkphp-exploit-actively-exploited-in-the-wild.html

S3 Ep 76: Job-seeker exposes banking network to Lazarus Group.
Vitali Kremez is a Director of Research at Flashpoint. His team discovered that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to the North Korea-linked Lazarus Group. The intrusion represents the latest known example of Lazarus-affiliated tools being deployed in financially motivated activity against financial institutions in Latin America. The original research can be found here: https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/

S3 Ep 75: Fake Fortnite app scams infect gamers.
Researchers at Zscaler have been tracking a variety of fake versions of the popular Fortnite game on the Google Play store, along with associated scams. Deepen Desai is head of security research at Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/fake-fortnite-apps-scamming-and-spying-android-gamers

S3 Ep 74: Rosneft suspicions shift from espionage to business email compromise.
Researchers at security firm Cylance have been tracking a threat group targeting Russian oil company Rosneft. As Cylance uncovered details, suspicions shifted from state-sponsored espionage to business email compromise. Kevin Livelli is director of threat intelligence at Cylance, and he joins us to share what they found. The original research can be found here: https://threatvector.cylance.com/en_us/home/poking-the-bear-three-year-campaign-targets-russian-critical-infrastructure.html

S3 Ep 73: Seedworm digs Middle East intelligence.
Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil and gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

S3 Ep 72: Trends and tips for cloud security.
The team at Palo Alto Networks' Unit 42 recently published research tracking trends in how organizations are addressing cloud security, along with tips for improvement. Ryan Olson is VP of threat intelligence at Palo Alto Networks, and he joins us to share their findings. The original research can be found here: https://unit42.paloaltonetworks.com/unit-42-cloud-security-trends-tips/

S3 Ep 71: Online underground markets in the Middle East.
Researchers at Trend Micro recently published their look inside online underground marketplaces in the Middle East and North Africa, where criminals are buying and selling malware, laundering money and even booking their next discount vacation. Jon Clay is director of global threat communications at Trend Micro, and he joins us with their findings. The original research can be found here: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cash-and-communication-new-trends-in-the-middle-east-and-north-africa-underground

S3 Ep 70: Amplification bots and how to detect them.
Researchers from Duo Security have been analyzing the behavior of Twitter bots in a series of posts on their web site. Their most recent dive into the subject explores amplification bots, which boost the impact of tweets through likes and retweets. Jordan Wright is a principal R&D engineer at Duo Security, and he joins us to share their findings. The original research can be found here: https://duo.com/labs/research/anatomy-of-twitter-bots-amplification-bots

S3 Ep 69: Luring IoT botnets to the honeypot.
Researchers from Netscout's ASERT team have been making use of honeypots to gather information on rapidly evolving IoT botnets that take advantage of default usernames and passwords to gain access to and take control of unprotected devices. Matt Bing is a security research analyst with Netscout, and he guides us through their findings. The original research can be found here: https://asert.arbornetworks.com/dipping-into-the-honeypot/
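The default-credential behaviour described in this episode, and in the Xwo episode above, is straightforward to pick out of honeypot logs. The following Python is an added example, not ASERT's or AT&T Alien Labs' tooling: it parses constructed login records and flags sources that cycle through several factory-default pairs within a short window, which separates a botnet-style scanner from a slow guesser using non-default credentials. The log line format, the TEST-NET source addresses and the short default-credential list are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Illustrative subset of factory-default telnet credentials of the kind IoT
# botnets cycle through. A production list would be far longer.
DEFAULT_CREDS = {
    ("admin", "admin"), ("admin", "1234"), ("root", "root"), ("root", "default"),
    ("root", "xc3511"), ("root", "vizxv"), ("support", "support"), ("user", "user"),
}

# Assumed honeypot record format (constructed for this example):
#   <ISO-8601 UTC> src=<ip> port=<n> user=<u> pass=<p> result=ok|fail
LINE_RE = re.compile(
    r"^(\S+) src=(\S+) port=(\d+) user=(\S*) pass=(\S*) result=(\w+)$"
)

# Constructed sample log: one fast default-credential scanner that gets in,
# one slow guesser with non-default credentials, one scanner that fails, and
# a non-login line that the parser must ignore.
SAMPLE_LOG = """\
2018-08-10T12:00:01Z src=203.0.113.7 port=23 user=root pass=xc3511 result=fail
2018-08-10T12:00:02Z src=203.0.113.7 port=23 user=root pass=vizxv result=fail
2018-08-10T12:00:02Z src=203.0.113.7 port=23 user=admin pass=admin result=fail
2018-08-10T12:00:03Z src=203.0.113.7 port=23 user=support pass=support result=ok
2018-08-10T12:00:04Z src=203.0.113.7 port=23 connection closed by peer
2018-08-10T12:00:05Z src=198.51.100.9 port=23 user=alice pass=Tr0ub4dor&3 result=fail
2018-08-10T12:03:20Z src=198.51.100.9 port=23 user=alice pass=correcthorse result=fail
2018-08-10T12:10:00Z src=192.0.2.44 port=2323 user=admin pass=1234 result=fail
2018-08-10T12:10:00Z src=192.0.2.44 port=2323 user=root pass=default result=fail
2018-08-10T12:10:01Z src=192.0.2.44 port=2323 user=user pass=user result=fail
2018-08-10T12:10:01Z src=192.0.2.44 port=2323 user=root pass=root result=fail
"""


def parse_line(line: str):
    """Parse one login record; return None for lines that are not login attempts."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, port, user, pw, result = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "port": int(port), "user": user, "pass": pw,
        "ok": result == "ok",
    }


def analyze(lines, min_defaults: int = 3, window_s: int = 60) -> dict:
    """Group attempts by source and flag sources that try at least
    `min_defaults` distinct default pairs within any `window_s` second window.
    Also report which default pairs succeeded, i.e. where the honeypot
    (or a real device) would now be under the scanner's control."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    findings = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        defaults = [r for r in recs if (r["user"], r["pass"]) in DEFAULT_CREDS]
        flagged = False
        for i, start in enumerate(defaults):  # sliding window over default attempts
            seen = set()
            for r in defaults[i:]:
                if (r["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                seen.add((r["user"], r["pass"]))
            if len(seen) >= min_defaults:
                flagged = True
                break
        findings[src] = {
            "attempts": len(recs),
            "distinct_defaults": len({(r["user"], r["pass"]) for r in defaults}),
            "scanner": flagged,
            "succeeded_defaults": sorted({(r["user"], r["pass"]) for r in defaults if r["ok"]}),
        }
    return findings


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, info)
```

The window-based rule is deliberately simple: a source that presents several distinct factory defaults within a minute is almost never a legitimate operator, whereas raw attempt counts alone would also sweep up the slow, non-default guesser. The `succeeded_defaults` field is the one that should page someone, since it means a default pair still works somewhere on the network segment the honeypot imitates.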

S3 Ep 68: Magecart payment card theft analysis.
Researchers at RiskIQ have been tracking a series of web-based credit card skimmers known as Magecart. We take a closer look at attacks on the Ticketmaster, British Airways, Newegg and Shopper Approved payment card pages. Yonathan Klijnsma is lead of threat research at RiskIQ, and he guides us through what they've learned. Links to the RiskIQ research:
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/
https://www.riskiq.com/blog/labs/magecart-british-airways-breach/
https://www.riskiq.com/blog/labs/magecart-newegg/
https://www.riskiq.com/blog/labs/magecart-shopper-approved/

S3 Ep 67: NOKKI, Reaper and DOGCALL target Russians and Cambodians.
Researchers from Unit 42 at Palo Alto Networks have discovered an interesting relationship between the NOKKI and DOGCALL malware families, as well as a new RAT being used to deploy the malware. Jen Miller-Osborn is Deputy Director of Threat Intelligence with Unit 42, and she joins us to share their findings. The original research can be found here: https://unit42.paloaltonetworks.com/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

S2 Ep 66: Apple Device Enrollment Program vulnerabilities explored.
Researchers at Duo Security have been looking into Apple's Device Enrollment Program (DEP) and have discovered weaknesses in its authentication that could expose users of the service to social engineering and rogue devices. James Barclay is Senior R&D Engineer at Duo Security, and he joins us to share what they've found. The original research can be found here: https://duo.com/blog/weak-apple-dep-authentication-leaves-enterprises-vulnerable-to-social-engineering-attacks-and-rogue-devices

S2 Ep 65: The Sony hack and the perils of attribution.
Researchers at Risk Based Security took a detailed look back at the 2014 Sony hack, comparing the analysis that occurred while the facts were still unfolding with what we know today. There are interesting lessons to be learned, especially when it comes to attribution. Brian Martin is V.P. of vulnerability intelligence at Risk Based Security, and he shares their findings. The research can be found here: https://www.riskbasedsecurity.com/2018/09/you-didnt-think-the-sony-saga-was-over-did-you/

S2 Ep 64: Operation Red Signature targets South Korean supply chain.
Researchers at Trend Micro uncovered a supply chain attack targeting organizations in South Korea. With the goal of information theft, attackers compromised the update server of a third-party support provider, resulting in the installation of a RAT, or remote access trojan. Rik Ferguson is Vice President of Security Research at Trend Micro, and he guides us through their discoveries. The research can be found here: https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

S2 Ep 63: Getting an education on Cobalt Dickens.
Researchers from Secureworks' Counter Threat Unit have been tracking a threat group spoofing login pages for universities. Evidence suggests the Iranian group Cobalt Dickens is likely responsible. Allison Wikoff is a senior researcher at Secureworks, and she joins us to share what they've found. The original research is here: https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

S2 Ep 62: Doubling down on Cobalt Group activity.
The NETSCOUT Arbor ASERT team has been tracking Cobalt Group campaigns targeting financial institutions. Richard Hummel is manager of threat intelligence with ASERT, and he joins us to share his team's findings. The research can be found here: https://asert.arbornetworks.com/double-the-infection-double-the-fun/

S2 Ep 61: Establishing international norms in cyberspace.
Joseph Nye is former dean of the Harvard Kennedy School of Government. He served as Chair of the National Intelligence Council, and as Assistant Secretary of Defense for International Security Affairs under President Clinton. He serves as a Commissioner for the Global Commission on Internet Governance, and is the author of over a dozen books, including "Soft Power: The Means to Success in World Politics" and "The Future of Power."

S2 Ep 60: Election protection.
Symantec technical director Vikram Thakur returns to share his team's look at threat groups APT28 and APT29, the influence they had on the 2016 election, and how the cyber security industry has responded in preparation for the 2018 midterms. The original research can be found here: https://www.symantec.com/blogs/election-security/election-hacking-faq

S2 Ep 59: Faxploitation.
Researchers at security firm Check Point Software Technologies explored the possibility of exploiting old, complex fax protocols to gain access to modern multifunction office printers, and then pivot to connected networks. Yaniv Balmas is head of security research at Check Point, and he joins us to share what he and his colleague Eyal Itkin discovered. The research can be found here: https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/

S2 Ep 58: Stormy weather in the Office 365 cloud.
Security firm Lastline recently took a close look at threats to the Office 365 cloud environment, taking advantage of the insights they gain protecting their clients. Andy Norton is director of threat intelligence at Lastline, and he joins us to describe their findings. The research can be found here: https://www.lastline.com/blog/malspam-malscape-snapshot-malicious-activity-in-the-office-365-cloud/

S2 Ep 57: Driving GPS manipulation.
Researchers at Virginia Tech investigated ways to manipulate GPS signals and send drivers to specific locations without their knowledge. Gang Wang is Assistant Professor of Computer Science at Virginia Tech, and he joins us to share his team's findings. The original research can be found here: https://people.cs.vt.edu/gangwang/sec18-gps.pdf

S2 Ep 56: Cryptojacking criminal capers continue.
Researchers at Palo Alto Networks' Unit 42 have been tracking the rise of cryptocurrency mining operations run by criminal groups around the world. Ryan Olson is V.P. of threat intelligence at Palo Alto Networks, and he joins us to share what they've learned. The original research can be found here: https://researchcenter.paloaltonetworks.com/2018/06/unit42-rise-cryptocurrency-miners/

S2 Ep 55: Sophisticated FIN7 criminal group hits payment card data.
Researchers at security firm FireEye have been tracking malicious actors they call FIN7, a group which targets payment card data in the hospitality industry and elsewhere. They make use of targeted phishing campaigns, telephone vishing and even a convincing front company to do their deeds. Nick Carr and Barry Vengerick are coauthors of the research, along with their colleagues Kimberly Goody and Steve Miller. The research is titled "On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation." It can be found here: https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

S2 Ep 54: ICS honeypots attract sophisticated snoops.
Researchers at security firm Cybereason recently set up online honeypots to attract adversaries interested in industrial control system environments. It didn't take long for sophisticated attackers to sniff out the virtual honey and start snuffling around. Ross Rustici is senior director of intelligence services at Cybereason, and he joins us to share what they learned. The research is titled "ICS Threat Broadens: Nation-state Hackers are no Longer the Only Game in Town." It can be found here: https://www.cybereason.com/blog/industrial-control-system-specialized-hackers

S2 Ep 53: Android device eavesdropping investigation.
A team of researchers from Northeastern University and UC Santa Barbara examined over 17,000 Android apps and revealed a number of alarming privacy risks. Elleen Pan and Christo Wilson were members of the research team, and they join us to share what they found. The research is titled "Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications." It can be found here: https://recon.meddle.mobi/papers/panoptispy18pets.pdf

S2 Ep 52: Leafminer espionage digs the Middle East.
Researchers at Symantec recently published their findings on an active attack group named Leafminer that's targeting government organizations and businesses in the Middle East region. Vikram Thakur is a technical director at Symantec, and he joins us to share what they've found. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

S2 Ep 51: ATM hacks on the rise.
Threat researcher Marcelle Lee from LookingGlass Cyber Solutions joins us to share her research on the growing threat of ATM hacks in the U.S. The research can be found here: https://www.lookingglasscyber.com/blog/atm-hacking-you-dont-have-to-pay-to-play/

S2 Ep 50: Cyber espionage coming from a Chinese university.
Threat intelligence firm Recorded Future recently published research describing espionage activity originating from servers at a major Chinese university, coinciding with international economic development efforts. Winnona DeSombre and Sanil Chohan are authors of the report, "Chinese Cyberespionage Originating from Tsinghua University Infrastructure," along with their colleague Justin Grosfelt. The research can be found here: https://www.recordedfuture.com/chinese-cyberespionage-operations/

S2 Ep 49: Stealthy ad fraud campaign evades detection.
Researchers at Bitdefender have been tracking a complex piece of rootkit-based malware called Zacinlo that they suspect has been operating virtually undetected for over six years. Bogdan Botezatu is a senior cyber security analyst with Bitdefender, and he describes what they've found. The research can be found here: https://labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/

S2 Ep 48: Thrip espionage group lives off the land.
Researchers at Symantec have been tracking a wide-ranging espionage operation that's targeting satellite, telecom and defense companies. Jon DiMaggio is a senior cyber intelligence analyst at Symantec, and he takes us through what they've discovered. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets