Category Archives: McAfee


How a Hacking Group Used Britney Spears’ Instagram to Operate a Command and Control Server

Category : McAfee

A nasty piece of malware is currently being tested by a Russian hacking group named Turla, and its trial round has been conducted in an unexpected area of the internet — the comments section of Britney Spears’ Instagram. As a matter of fact, they’re using her Instagram as a way to contact the malware’s command and control (C&C) server.

So how does Turla make this happen, exactly? Leveraging a recently discovered backdoor found in a fake Firefox extension, the cybercriminals instruct the malware to scroll through the comments on Spears’ photos and search for one that has a specific hash value. When the malware finds the comment it was told to look for, it converts it into this Bitly link: The shortened link resolves to a site that’s known to be a Turla watering hole.

This way, if their infrastructure is discovered, the cybercriminals can change the C&C without having to change the malware. If the attackers want to create a new meetup location, all they have to do is delete the first planted comment and post a new one with the same hash value.

This infected comment on Spears’ post doesn’t look exactly normal, but most people probably would think it’s just spam — unless they clicked it. If someone does in fact click on the link, they’ll be directed to the hacker group’s forum, which is where they actually infect innocent users. For this Trojan in particular, visitors who click will get taken to a site and asked to install the extension with the benign name “HTML5 Encoder.”

The good news is — this is, after all, just a test. Plus, Firefox is said to be already working on a fix so that the extension being used won’t work anymore.



Building Trust in a Cloudy Sky

Category : McAfee

The state of cloud adoption and security

This report, based on responses from nearly 300 IT professionals in financial services from around the globe, looks at cloud adoption, changes in data center environments, and the challenges with visibility and control over these new architectures.




Cybersecurity: For Defenders, It’s about Time

Category : McAfee

In multiple areas of cybersecurity, time works in favor of the attackers—making time the strategic advantage that defenders need to regain. In this report, Aberdeen Group provides four illustrative examples of how recapturing the advantage of time helps you reduce risk in the fundamental categories of data protection, threat detection and incident response, data center and cloud security, and endpoint security.


Expanding Automated Threat Hunting and Response with Open DXL

Category : McAfee

Today everyone is talking about security automation. However, what are the right processes and actions to automate safely? What are the right processes and actions to automate that will actually achieve some security outcome, such as improving SecOps efficiency or reducing attacker dwell time? Just look at the latest industry report and you will find a statistic about how long attackers linger in a network without detection. It’s getting better, but the average is still heavily in favor of the attacker.

One of the reasons why attackers are so successful at maintaining persistence is that most organizations struggle to make effective use of threat intelligence. Making effective use means taking the volumes of threat intelligence data, primarily technical Indicators of Compromise (IOCs), hunting for affected systems with those IOCs, and then adapting countermeasures to contain the incident or simply update protection. These critical tasks (collecting and validating intelligence, performing triage, and adapting cyber defenses to contain an incident) must be automated if we ever want to get ahead of the attackers.

McAfee’s Intelligent Security Operations solution automates many key threat hunting tasks. In this solution, McAfee Advanced Threat Defense (ATD), a malware analytic system, produces the local IOCs based on malware submissions from the endpoint and network sensors. It automatically shares the new intelligence with McAfee Enterprise Security Manager (ESM) for automated historical analysis, with the McAfee Active Response component of McAfee Endpoint Threat Defense and Response (ETDR) for real time endpoint analysis, and with McAfee Threat Intelligence Exchange (TIE) for automated containment at the endpoint or network.

However, wouldn’t it be great if we could automate hunting and incident containment for all threat intelligence, not just file hashes? We can expand the capability of the Intelligent Security Operations solution to handle more intelligence and automate more incident response tasks using the power of OpenDXL.

Consolidate Threat Intelligence Collection with OpenDXL and MISP

Organizations need threat intelligence from three different sources:

  • Global intelligence from vendors or large providers
  • Community intelligence from closed sources, and
  • Enterprise, or locally produced, intelligence

Local threat intelligence, typically produced by malware sandboxes, such as McAfee Advanced Threat Defense (ATD), or learned from previous incident investigations, usually relates to attacks targeted at the enterprise and would not be visible through other external intelligence feeds. Large organizations typically consolidate these feeds inside a threat intelligence platform to simplify the management, sharing and processing of the data.

Using OpenDXL, we can more simply push locally-produced intelligence from ATD into threat intelligence platforms, such as Malware Information Sharing Platform (MISP), an open source intelligence sharing platform. Inside MISP, ATD data can be labeled and combined with other sources providing a central repository to operationalize threat intelligence. Using OpenDXL, MISP can then push all threat intelligence-based IOCs to ESM and Active Response for further triage and out to firewalls, proxies, endpoints and other cyber defense tools for automated containment.

Full IOC Hunting with ESM, Active Response and OpenDXL

One of the best ways to reduce attacker dwell time is to use threat intelligence to hunt for compromised systems in the enterprise with ESM and Active Response. With threat intelligence centrally collected in MISP, we can automate historical analysis using the existing back trace feature in ESM. Using OpenDXL integration with MISP, we can also hunt on all the IOCs and send the results back to ESM or Kibana. This expands the capability of the original solution fully automating the hunting process with both historical and real time searches for all IOCs, not just local intelligence.

Automated Incident Containment with OpenDXL

If a system is found to be compromised, the next task is to contain it and update defenses as fast as possible. When it comes to updating cyber defense countermeasures, such as firewalls or web proxies, internal procedures or business silos can slow response. For example, sending a ticket to the firewall team or service provider to block a command-and-control IP address or domain could take hours even in mature organizations. These silos slow down incident response and increase attackers’ dwell time.

With OpenDXL integration with MISP, we can reduce dwell time by pushing all indicators, not just file hashes, out to network and endpoint countermeasures. Indicators such as command-and-control IP addresses, malicious URLs or domains, and file hashes can be automatically shared with McAfee Dynamic Endpoint, network firewalls such as Forcepoint or Check Point, or web proxies such as McAfee Web Gateway. In short, indicator sharing with any countermeasure on the network or endpoint can be automated, reducing dwell time and better protecting your business.
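The two steps described above (hunt for every kind of IOC in collected events, then route each indicator to the countermeasure that can act on it) are shown below as an added, self-contained example. It is not OpenDXL, MISP or ESM code: the event is a constructed MISP-style JSON document with only the fields the example reads, the log lines stand in for what a SIEM search would return, and the type-to-countermeasure routing table is an assumption that mirrors the text (IP addresses to the firewall, domains and URLs to the web proxy, hashes to the endpoint).

```python
import ipaddress
import json
import re

# Constructed MISP-style event (hypothetical, not exported from a real MISP instance).
# Only the fields this example reads are present: attribute type, value and the
# to_ids flag MISP uses to mark values intended for detection.
MISP_EVENT_JSON = """
{"Event": {"info": "constructed example event", "Attribute": [
  {"type": "ip-dst", "value": "203.0.113.45", "to_ids": true},
  {"type": "domain", "value": "c2.example.net", "to_ids": true},
  {"type": "md5", "value": "0123456789ABCDEF0123456789ABCDEF", "to_ids": true},
  {"type": "url", "value": "http://c2.example.net/gate.php", "to_ids": true},
  {"type": "comment", "value": "analyst note, not an indicator", "to_ids": false}
]}}
"""

# Constructed log lines standing in for the events a SIEM search would return.
SAMPLE_LOGS = [
    "2017-05-20T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://c2.example.net/gate.php",
    "2017-05-20T10:01:09Z dns client=10.0.0.40 query=c2.example.net",
    "2017-05-20T10:02:31Z edr host=ws-0017 proc=svchost.exe md5=0123456789abcdef0123456789abcdef",
    "2017-05-20T10:03:00Z proxy src=10.0.0.12 dst=198.51.100.7 url=http://intranet.example.org/",
]

# MISP attribute type -> indicator kind handled here (a subset of MISP's types).
INDICATOR_KINDS = {
    "ip-dst": "ip", "ip-src": "ip",
    "domain": "domain", "hostname": "domain",
    "url": "url",
    "md5": "hash", "sha1": "hash", "sha256": "hash",
}

# Assumed routing of each indicator kind to the countermeasure that can act on it.
ROUTING = {"ip": "firewall", "domain": "proxy", "url": "proxy", "hash": "endpoint"}


def load_indicators(event_json):
    """Extract detection-grade indicators from a MISP-style event, normalised for matching."""
    event = json.loads(event_json)["Event"]
    indicators = []
    for attr in event.get("Attribute", []):
        kind = INDICATOR_KINDS.get(attr["type"])
        if kind is None or not attr.get("to_ids"):
            continue  # comments and non-detection attributes are not hunted on
        value = attr["value"].strip()
        if kind == "ip":
            ipaddress.ip_address(value)  # raises ValueError on malformed feed data
        else:
            value = value.lower()  # hashes, domains and URLs are matched case-insensitively
        indicators.append({"kind": kind, "type": attr["type"], "value": value})
    return indicators


def _pattern(indicator):
    """Build a regex that matches the indicator as a whole token, not as a substring."""
    value = re.escape(indicator["value"])
    if indicator["kind"] == "ip":
        return re.compile(r"(?<![\d.])" + value + r"(?![\d.])")
    if indicator["kind"] == "domain":
        # Allows a leading "." so subdomains of a malicious domain also match.
        return re.compile(r"(?<![\w-])" + value + r"(?![\w-])")
    if indicator["kind"] == "hash":
        return re.compile(r"(?<![0-9a-f])" + value + r"(?![0-9a-f])")
    return re.compile(value)  # URL: literal match


def hunt(indicators, logs):
    """Search every log line for every indicator; return one hit per (line, indicator)."""
    compiled = [(ind, _pattern(ind)) for ind in indicators]
    hits = []
    for line_no, line in enumerate(logs):
        haystack = line.lower()
        for ind, pattern in compiled:
            if pattern.search(haystack):
                hits.append({"line": line_no, "type": ind["type"], "value": ind["value"]})
    return hits


def build_blocklists(indicators):
    """Group indicators by the countermeasure they should be pushed to."""
    lists = {name: [] for name in set(ROUTING.values())}
    for ind in indicators:
        lists[ROUTING[ind["kind"]]].append(ind["value"])
    return lists


if __name__ == "__main__":
    iocs = load_indicators(MISP_EVENT_JSON)
    for hit in hunt(iocs, SAMPLE_LOGS):
        print("line %d matched %s %s" % (hit["line"], hit["type"], hit["value"]))
    for target, values in build_blocklists(iocs).items():
        print(target, "<-", values)
```

The token-boundary patterns matter in practice: a plain substring search for an IP such as 10.0.0.1 would also fire on 10.0.0.12, and a hash comparison that is not case-insensitive misses feeds and sensors that disagree on letter case. A real deployment would replace the constructed event and log list with a MISP export and SIEM query results, and the blocklists would be published to the countermeasures over the message bus.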

For more information on automated threat hunting with OpenDXL and to get connected with the community of OpenDXL users, I’d encourage you to check out the McAfee DXL architecture guide and the data sheet.


Become a Modern Endpoint Security Master

Category : McAfee

A new wave of advanced, targeted malware is seeking out the gaps in conventional endpoint defenses and finding novel ways to exploit them. These attacks use packing, encryption, and polymorphism to mask their true intent, hammering away at your organization with previously unseen “zero-day” attacks that signature-based mechanisms are too slow to catch. They use sophisticated executables that can recognize when they’re being sandbox-analyzed and delay execution. They weaponize legitimate files and applications that appear clean on the surface but have malicious code buried deep within.

It all adds up to a nonstop, overwhelming effort as your endpoint administrators race against the clock to detect, contain, and remediate new malware threats. And if you’re like many organizations, this is a race you’re losing far too often. Too many threats get through. Too many resources are needed to sift through alerts from multiple siloed point solutions and clean up infections. And the time between detection and remediation keeps growing.

There’s an underlying problem here that may sound familiar. When you’re relying on multiple siloed endpoint defense products that can’t talk to each other, you require extra steps and manual effort from your administrators. That takes time and slows your response. Why not try a different approach? Instead of racing around swiveling between half a dozen siloed security tool interfaces, what if your team could use next-generation machine learning techniques to stop most threats before they ever gain a foothold on your endpoints? What if you had a unified, fully integrated, multi-layered defense fabric that could respond to new events and information immediately, without human intervention?

Peel Away the Malware Mask

Next-generation anti-malware capabilities from McAfee can help your organization combat the most evasive modern threats. Drawing on powerful machine learning analysis and application containment tools, your team can unmask hidden threats and stop them in their tracks—much faster with much less effort. These capabilities are delivered through three new innovations:

  • Real Protect Static: Malware authors may be able to change how their code looks, but it’s still malware. So it’s likely to share many attributes with known attacks, such as the compiler used, the shared libraries it references, and many other features. Real Protect Static pre-execution analysis goes beneath the surface, performing an exhaustive machine learning statistical comparison of static binary code features to compare suspicious executables against known threats. It unmasks most malware for what it is in milliseconds, without signatures.
  • Real Protect Dynamic: Even if a sophisticated attack masks its static attributes, it can’t hide how it behaves. Real Protect Dynamic behavioral analysis also provides machine learning statistical analysis, but now comparing the code’s actual behavior against profiles of hundreds of millions of malware samples. The executable is allowed to run while being closely monitored by the endpoint. If it starts behaving maliciously—such as overwriting files or making registry changes that match known malware behavior—the endpoint shuts it down, typically within seconds.
  • Dynamic Application Containment: This new endpoint defense, available only from McAfee, protects against zero-day malware by blocking process actions that malware often uses. Unlike techniques that would hold up the file (and the user) for minutes at a time, Dynamic Application Containment lets the suspicious file load into memory without allowing it to make certain changes to the endpoint or infect other systems while it is under suspicion. The endpoint and user can remain fully productive while providing an opportunity for security teams to perform in-depth analysis.

With these capabilities, your administrators can stop most threats before they can damage an endpoint. They can take on the most sophisticated, evasive malware without needing a team of highly trained security experts. They can fine-tune application containment tools to restrict what can happen on endpoints, and achieve the right balance of security and flexibility for the organization.

Drive Down Complexity, Accelerate Response

Real Protect and Dynamic Application Containment work with each other, as well as the other elements of McAfee Endpoint Security, and with other solutions such as McAfee Threat Intelligence Exchange and McAfee Advanced Threat Defense as a single, integrated system. For example, when Real Protect identifies an evasive threat as zero-day malware, it immediately communicates that information to McAfee Threat Intelligence Exchange, which then automatically inoculates the broader environment, in near real time.

The result is a continually evolving threat model for your organization. Each new threat detected enhances the organization’s defenses as a whole. Previously manual steps in the detect, correct, and protect phases of the threat defense lifecycle disappear. And you gain the flexibility to mix and match the industry’s broadest portfolio of threat defense capabilities through a single interface.

Armed with these capabilities, your team can:

  • Unmask the attack: Stop more attacks by stripping away obfuscation techniques to see more malware threats.
  • Limit the impact: Contain, shield, and prevent damage to systems, either before an attack occurs or before it can cause irreversible damage or infection.
  • Track and adapt: Use automated, integrated defenses to perform a wider range of security operations without having to think about them or manually activate them.


New Ransomware Adjusts Its Price Based Off Where You Live

Category : McAfee

Discovered on Exploit, a Russian hacking forum, a new kind of RaaS (ransomware-as-a-service) portal named Fatboy Ransomware has emerged. The service, which is currently available for cybercriminals on the forum to leverage for their own benefit, is unique because it’s programmed to change its ransom amount based on the victim’s location, raising the amount in countries with a higher cost of living, based on the Big Mac Index.

The Big Mac Index, first introduced by The Economist in the 1980s, was meant as a light-hearted gauge of currency misalignment, but has grown to become a global standard for measuring international purchasing power parity. Now it is being used by a threat actor using the handle “polnowz,” who has apparently already made $5,321 in ransomware payments off the tool. The cybercriminal also seems to be all about transparency: anyone who signs up for Fatboy works directly via Jabber with the author of the product instead of a third-party distributor.

And though it is the first known online extortion product that is designed to automatically change ransom amounts based on the victim’s location, this threat comes as no surprise. Cybercriminals are mostly financially motivated, so it is expected that we see business models that facilitate increased profit. This specific financially-motivated model, ransomware-as-a-service, has been around since at least mid-2015, and was popularized by Tox, a short-lived ransomware service.

So, how does this particular case of RaaS work? The encryption algorithms used are standard, leveraging AES-256 and RSA-2048 and an offsite private key storage until the ransom is paid. And when it comes to RaaS, the buyer is generally responsible for delivering the payload while the developer hosts other services. As such, the method of delivery can be numerous. If the buyer of the portal wants to check in on the results of such delivery, they can log into an online panel for infection statistics. Other malware services have seen success by adding user friendly features such as these panels.

Fatboy is not particularly sophisticated as a malware sample, but it is a good indicator that the ransomware business model for cybercriminals is still working. As long as there are sufficient profits, we will see more offerings, tools, and support for cybercriminals without the skills or time to develop their own ransomware.

Now, the next step is to think about protection. Users should keep their security products up-to-date and engage in good security behaviors. As for IT professionals, they should be watching for artifacts of this ransomware. While the infection is generally an executable, Python is used during encryption, so be on the lookout for suspicious activity with .pyc and .pyd files.

And if you do become infected by Fatboy ransomware, the No More Ransom project has pulled together a plethora of decryption tools victims can leverage, which you can find here. Also, learn more about preventing ransomware here.


Beyond the Red and Blue Pill – Maintaining Data Usability while Protected

Category : HP Security , McAfee

Many of us remember, or have at least seen the meme of, the scene in the movie The Matrix where Morpheus offers Neo a choice between a red pill and a blue pill. The decision is to either live in a harsh reality or choose blissful ignorance. Neo takes the red pill, preferring to explore the harsh reality of the Matrix.

Now, if you’re a security administrator working with an application team or line of business owners, you may not realize that you offer your business a similar choice each day:

  • Do you encrypt sensitive data and leave it blissfully unusable, happy to remain at rest within your storage and servers, free from potential abuses? Or,
  • Do you make data available in the clear to applications within the harsh Matrix-like reality that exists in IT with the potential insider misuse and external threats to steal it?

In the Matrix, Agent Smith wants to attack your data, Neo!

Back in IT reality, it’s a tough call when weighing the trade-offs between business continuity and reliable access to data with the need to protect sensitive data. The “red pill” of open data usability must be considered as a risk trade-off with the “blue pill” of constant protection where one need not worry.

But what if I told you there was a Purple Pill compromise for usable data protection, and it has a name? It’s format-preserving encryption, and it offers the best of both worlds—data usability with security.

Let’s stay in Wonderland and go further down the rabbit-hole with format-preserving encryption…

Traditional encryption forces a risk decision to encrypt or to leave data exposed in clear text. This creates gaps in security controls when data moves from at-rest, in-motion, to in-use. Instead, format-preserving encryption (FPE) maintains data in an encrypted state, while also making it useful to applications with limited or discretionary risk exposure. If data needs to be exposed for a particular use, it can be limited to specific elements of the data, such as partial masking of a phone number (think, XXX-XXX-3265). But how does FPE do it?

HPE SecureData’s FPE implementation, as an industry-leading example, is based on standardized AES encryption to protect data reliably while keeping the format of the data unmodified. A social security number still looks like one to a database, without requiring schema modifications; a date field still looks like a date to an application; and so on. At the same time, referential integrity is preserved for the data class, so Big Data analytics or database joins can be run on the encrypted data just as on clear data, without an application choking on the operation.

This is a game changer compared with traditional encryption, which lacks this property, and it is a differentiator HPE can offer for today’s high-volume, data-intensive applications that act on protected information, such as Big Data data lake mining and IoT applications, without exposing unnecessary risk.

By addressing both utility and security, FPE doesn’t need to compromise on either aspect. Security is transformed from a business inhibitor to now the opposite—an accelerator of new initiatives while still mitigating risks. Encrypted data that retains its format looks and acts the same to applications, making it possible to avoid revealing it in clear text unless absolutely required for a specific use case.
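To make the three properties above concrete (ciphertext keeps the field's length and character class, the same input always maps to the same output so joins still work, and a value can be partially masked instead of revealed), here is an added toy example. It is not HPE SecureData's implementation and not the NIST FF1 mode that standardized products use: it is a small digit-only Feistel construction, with HMAC-SHA256 as the round function, written only to illustrate how a format-preserving cipher behaves. The key, the sample SSN and the phone number are constructed values.

```python
import hashlib
import hmac

DIGITS = "0123456789"
ROUNDS = 10  # even, so both halves return to their original positions

# Constructed demo key; a real deployment would use a managed key, not a constant.
KEY = hashlib.sha256(b"constructed demo key, not a production secret").digest()


def _round_value(key, tweak, round_no, half):
    """Pseudo-random round function: HMAC-SHA256 over tweak, round number and the other half."""
    message = tweak + bytes([round_no]) + half.encode("ascii")
    return int.from_bytes(hmac.new(key, message, hashlib.sha256).digest(), "big")


def _check(digits):
    if len(digits) < 2 or any(ch not in DIGITS for ch in digits):
        raise ValueError("expects a string of at least two ASCII digits")


def fpe_encrypt_digits(key, digits, tweak=b""):
    """Encrypt a digit string into another digit string of the same length (toy Feistel FPE)."""
    _check(digits)
    u = len(digits) // 2           # length of the first half
    v = len(digits) - u            # length of the second half (may be one longer)
    a, b = digits[:u], digits[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # length of the half being replaced this round
        c = (int(a) + _round_value(key, tweak, i, b)) % 10 ** m
        a, b = b, str(c).zfill(m)   # keep leading zeros so the format survives
    return a + b


def fpe_decrypt_digits(key, digits, tweak=b""):
    """Inverse of fpe_encrypt_digits: run the rounds backwards, subtracting instead of adding."""
    _check(digits)
    u = len(digits) // 2
    v = len(digits) - u
    a, b = digits[:u], digits[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_value(key, tweak, i, a)) % 10 ** m
        b, a = a, str(c).zfill(m)
    return a + b


def protect_formatted(key, value, tweak=b""):
    """Encrypt only the digits of a formatted field (e.g. 123-45-6789), leaving separators in place."""
    encrypted = iter(fpe_encrypt_digits(key, "".join(ch for ch in value if ch in DIGITS), tweak))
    return "".join(next(encrypted) if ch in DIGITS else ch for ch in value)


def reveal_formatted(key, value, tweak=b""):
    """Decrypt a field produced by protect_formatted."""
    decrypted = iter(fpe_decrypt_digits(key, "".join(ch for ch in value if ch in DIGITS), tweak))
    return "".join(next(decrypted) if ch in DIGITS else ch for ch in value)


def mask_digits(value, keep_last=4):
    """Partial masking for display: replace all but the last keep_last digits with X."""
    total = sum(ch in DIGITS for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch in DIGITS:
            seen += 1
            out.append(ch if seen > total - keep_last else "X")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    ssn = "123-45-6789"
    token = protect_formatted(KEY, ssn)
    print(ssn, "->", token, "->", reveal_formatted(KEY, token))
    print("same input, same token:", token == protect_formatted(KEY, ssn))
    print(mask_digits("555-123-3265"))
```

Two points a practitioner should take from this: the determinism that makes joins and referential integrity work also means equal plaintexts produce equal ciphertexts, so the protection of a low-entropy field rests on the key staying secret and on the tweak (here a caller-supplied byte string) separating contexts that must not be joinable; and a toy Feistel over a few digits has a tiny domain, which is exactly why standardized modes such as FF1 specify the round structure and a minimum domain size rather than leaving it to each implementer.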

Unleash the power of your data initiatives without the fear!

What a boring movie it would have been if Neo simply chose to live in harsh reality, but never needed to use his amazing bullet-time martial arts as a defense. He simply got on with his day without worries, while Mr. Smith gave up against a proven competitor. Now, any security administrator can be a hero to their line of business owners!

Consider today how your data can be afforded the same luxury using the data-centric approach of format-preserving encryption. If an authorized application requires data to be revealed, it would be a situational choice if required for that application, rather than a constant risk when data moves from storage, across the network and into various applications. To learn more about format-preserving encryption, products and solutions, swallow the purple pill and visit these links:


Further Analysis of WannaCry Ransomware

Category : McAfee

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post by McAfee’s Raj Samani and Christiaan Beek and this post by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware’s network propagation, Bitcoin activity, and differences in observed variants.

Malware network behavior

WannaCry uses the MS17-010 exploit to spread to other machines through NetBIOS. The malware contains exploits in its body that are used during the exploitation phase. These are related to CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148, all covered by the MS17-010 security bulletin.

In many reports we read that the malware generates a list of internal IPs. We found that the malware generates random IP addresses, not limited to the local network. The following is an example attempt at propagation:

With this, the malware can spread not only to other machines in the same network, but also across the Internet if sites allow NetBIOS packets from outside networks. This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware.

Another interesting characteristic of the malware is that once a machine with an open NetBIOS port is found, the malware will send three NetBIOS session setup packets to it. One has the proper IP of the machine being exploited, and the other two contain two IP addresses hardcoded in the malware body:

The preceding packet contains the IP of the machine being exploited. It uses the test network The other two packets, below, contain different IPs that the malware has in its code:

This activity and the presence of two hardcoded IP addresses (, could be used to detect the exploit using network intrusion prevention systems.

Server message block (SMB) packets also contain the encrypted payload, which consists of exploit shellcode and the file launcher.dll. During our analysis, we found that this payload is encrypted using a 4-byte XOR key, 0x45BF6313.

Encrypted payload with the key 0x45BF6313.

Decrypted launcher.dll payload.
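A fixed 4-byte XOR key is a weak encoding, so an analyst holding captured SMB payload bytes can test for it directly: decode the bytes under the key at every 4-byte alignment and look for the MZ header and DOS stub text that a decoded DLL exposes. The following is an added example written for that check; it is not McAfee Labs tooling. The key is the one reported above; the byte order in which it is applied is not stated, so the example tries both (an assumption). The "stream" it scans is a constructed stand-in, with a placeholder DOS header rather than a real binary, so it runs offline.

```python
import re
import struct

# Key reported in the analysis; its byte order is not stated, so both are tried (assumption).
XOR_KEY = 0x45BF6313
KEY_BYTE_ORDERS = {
    "big": struct.pack(">I", XOR_KEY),     # 45 BF 63 13
    "little": struct.pack("<I", XOR_KEY),  # 13 63 BF 45
}

# What a correctly decoded PE image exposes: the MZ magic, then the DOS stub message.
PE_STUB = re.compile(rb"MZ.{0,200}?This program cannot be run in DOS mode", re.DOTALL)


def xor_with_key(data, key, phase=0):
    """XOR data with a repeating key; phase selects which key byte lines up with data[0]."""
    return bytes(b ^ key[(i + phase) % len(key)] for i, b in enumerate(data))


def find_xor_encoded_pe(stream, key_orders=KEY_BYTE_ORDERS):
    """Return every (offset, byte order, phase) at which decoding reveals a PE stub."""
    hits = []
    for order, key in key_orders.items():
        for phase in range(len(key)):
            decoded = xor_with_key(stream, key, phase)
            for match in PE_STUB.finditer(decoded):
                hits.append({"offset": match.start(), "byte_order": order, "phase": phase})
    return hits


def recover_payload(stream, hit, key_orders=KEY_BYTE_ORDERS):
    """Decode the stream from the hit offset onward with the key alignment that produced the hit."""
    key = key_orders[hit["byte_order"]]
    offset = hit["offset"]
    return xor_with_key(stream[offset:], key, (hit["phase"] + offset) % len(key))


# Constructed stand-in for a PE header: DOS header fields are placeholders, not a real binary.
FAKE_PE_HEADER = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 44
    + b"This program cannot be run in DOS mode.\r\n$"
)


def build_sample_stream(header_offset=7, byte_order="little"):
    """Constructed SMB-like byte stream: a short filler, then the XOR-encoded fake header."""
    key = KEY_BYTE_ORDERS[byte_order]
    filler = b"\xffSMB" + b"\x00" * (header_offset - 4)
    encoded = xor_with_key(FAKE_PE_HEADER, key, 0)  # payload encoded from its own offset 0
    return filler + encoded + b"\x00" * 8


if __name__ == "__main__":
    stream = build_sample_stream()
    for hit in find_xor_encoded_pe(stream):
        print("decoded PE stub at offset %d (%s-endian key, phase %d)" % (
            hit["offset"], hit["byte_order"], hit["phase"]))
        print(recover_payload(stream, hit)[:16])
```

Trying all four phases is what makes the scan independent of where the encoded payload starts inside the captured stream; once a hit is found, the same alignment recovers the rest of the payload for static analysis. The same approach can be turned into a network signature, since the MZ stub XORed with a known key is itself a fixed byte pattern.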

We also found the following x64 shellcode being transferred during network communication over SMB.

EternalBlue code.

DoublePulsar code.

Worm behavior

Machine A at left, Machine B at right. 

The infection flow to the vulnerable host (Machine B).

Kernel mode at left, user mode at right.

Infection using kernel exploit

In our analysis, we found that on infected machines the kernel-mode SMB driver srv2.sys is vulnerable and is exploited by the malware to spread over SMB.

A compromised srv2.sys will inject launcher.dll into the user-mode process lsass.exe, which acts as the loader for mssecsvc.exe. This DLL contains only one export, PlayGame:

The code simply extracts the ransomware dropper from the resource shown previously, and starts it using the function CreateProcess:


Injected launcher.dll in the lsass.exe address space.

Malware variants in the wild

As reported by several sources, the malware dropper contains code to check two specific domains before executing its ransomware or the network exploit code.

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

While looking for more samples in our malware database, we came across several other droppers (MD5: 509C41EC97BB81B0567B059AA2F50FE8) that did not exhibit this same behavior. These other droppers did not have the code to exploit machines through NetBIOS or to check for the kill-switch domain. With these samples, the ransomware code would be executed in all cases.

These samples were found in the wild, which means they are capable of infecting and spreading, but in a much less aggressive way. Once the ransomware infects a machine, it also tries to infect any network shares mounted as local disks. Anyone accessing these shares could execute the malware sample by mistake and infect themselves. This infection vector is not as effective as the network exploit but could nonetheless wreak havoc in a corporate environment.

We also examined the droppers (for example, MD5: DB349B97C37D22F5EA1D1841E3C89EB4) that had the exploit code to compare with the other samples. We found that this exploit-aware dropper is a wrapper around the other droppers.

Looking at the exploit-aware sample, we found that one of the resources contains a 3.4MB .exe file that is the same as the other type of droppers:

The preceding resource is extracted after the remote host is exploited and sent to the victim and installed as a service. This event starts the infection on the remote machine.

File decryption

WannaCry offers free decryption for some random number of files in the folder C:\Intel\<random folder name>\f.wnry. We have seen 10 files decrypted for free.

In the first step, the malware checks the header of each encrypted file. Once successful, it calls the decryption routine and decrypts all the files listed in C:\Intel\<random folder name>\f.wnry.

A code snippet of the header check:

The format of the encrypted file:

To decrypt all the files on an infected machine we need the file 00000000.dky, which contains the decryption keys. The decryption routine for the key and original file follows:

Bitcoin activity

WannaCry uses three Bitcoin wallets to receive payments from its victims. Looking at the payment activity for these wallets gives us an idea of how much money the attackers have made.

The current statistics as of May 13 show that not many people have paid to recover their files:

  • Wallet 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • Wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • Wallet 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

The attackers appear to have earned a little over BTC 15.44 (US$27,724.22). That is not much considering the number of infected machines, but these numbers are increasing and might become much higher in the next few days. It’s possible that the sinkholing of two sites may have helped slow things down:

  • hxxp://www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • hxxp://www[dot]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Multiple organizations across more than 90 countries have been impacted, according to reports.


Mastering Endpoint Security

Category : McAfee

DATE: Wednesday, May 10, 2017
TIME: 11:00AM PDT | 1:00PM CDT | 2:00PM EDT

In the face of constantly evolving threat vectors, IT security decision makers struggle to manage endpoint security effectively. More than two-thirds of enterprises have had their organization’s sensitive data compromised in the past year, and incidents require significant time and manual effort to remediate. Incidents that are remediated are often only remediated for certain devices, not for the entire fleet. What is clear is that security decision makers desire integrated solutions that increase their efficiency, visibility, and overall protection across their endpoint technologies.

Join guest Forrester Research analyst Chris Sherman and Joakim Lialias from McAfee, as they discuss these issues along with insights from a recent Forrester security leaders survey, commissioned by McAfee.
