The election hackers: Some uncovered points
3 November 2016
The group known as Fancy Bear, reportedly behind recent attacks against the U.S. Democratic National Committee and U.S. political figures, has been widely discussed. But some interesting details about these attackers have not been covered, and this blog aims to provide more details and fill in some of the blanks.
Moonlight: Targeted attacks in the Middle East
26 October 2016
Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.
Triggering MS16-030 via Targeted Fuzzing
11 October 2016
The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.
Reverse engineering the Shadow Brokers dump: A close look at NOPEN
12 September 2016
While digging and reversing my way through the Equation Group dump, I've come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.
In-depth technical analysis: Own a printer, own a network with point and print drive-by
12 July 2016
Printers present an interesting IoT example because they are more powerful than most other IoT devices but are not always considered real computers by most network administrators. This dichotomy is at the forefront of the printer watering-hole vulnerabilities CVE-2016-3238 (MS16-087) and CVE-2016-3239 discovered by Vectra Threat Labs.
How to interpret network-based malware detection
23 May 2016
This research paper by Vectra CSO Günter Ollmann examines the ecosystem nuances of network-based malware detection and the limits imposed on intelligence extraction of captured malware samples. It also explains the impact on organizations that strive to mitigate malware threats using network-based detection systems.
Insights from inside the kill chain
20 April 2016
The Spring 2016 Post-Intrusion Report from Vectra reveals that cyber attackers know they're being watched and are responding by blending in with users and hiding in normal network traffic. The report analyzed data from 120 Vectra customer networks comprising more than 1.3 million hosts over the first quarter of 2016. All organizations showed signs of targeted attacks, including internal reconnaissance, lateral movement or data exfiltration.
Turning a webcam into a backdoor
12 January 2016
Reports of successful hacks against Internet of Things (IoT) devices have been on the rise. Most of these efforts have involved demonstrating how to gain access to such a device or to break through its security barrier. Most of these attacks are considered relatively inconsequential because the devices themselves contain no real data of value (such as credit card numbers or PII). The devices in question generally don't provide much value to a botnet owner either: they tend to have access to lots of bandwidth, but have very little in terms of CPU and RAM.
Critical vulnerabilities in Adobe Reader and Internet Explorer
14 October 2015
Today, Vectra researchers discovered critical vulnerabilities that impact the security of Adobe Reader, VBScript, and Internet Explorer.
The vulnerability in Adobe Reader (CVE-2015-6687) is a use-after-free bug that could lead to arbitrary code execution. An analysis of this and other recently patched Adobe vulnerabilities can be found here.
Researchers also found further critical vulnerabilities, patched in MS15-106 and MS15-108, that allow attackers to bypass Address Space Layout Randomization (ASLR) protections. These vulnerabilities are particularly significant because ASLR protects against memory corruption attacks by making the layout of memory unpredictable, so an exploit that needs a known address cannot rely on one. As a result, any vulnerability that bypasses ASLR is highly valuable to attackers, since it can be chained with a separate memory corruption bug to achieve reliable code execution.
Belkin F9K1111 V1.04.10 firmware analysis
18 August 2015
Researchers in the Vectra Threat Labs recently analyzed vulnerabilities in the Belkin F9K1111 wireless repeater. This analysis includes a close inspection of the vulnerabilities, how they could be exploited, as well as fixes from the vendor.
Zero-day vulnerability discovered in Internet Explorer 11
14 July 2015
Researchers in the Vectra Threat Labs recently discovered a high-severity vulnerability in the Internet Explorer 11 web browser. It's an exploitable use-after-free vulnerability that occurs within a custom heap in JSCRIPT9.
23 June 2015
We observed spikes in reconnaissance and lateral movement, changes in command-and-control attack techniques, and a penchant for using hidden tunnels to conceal communication within HTTPS traffic. Check out the infographic.
A technical analysis of Hola
1 June 2015
Lab researchers found that user machines that are loaded with the Hola privacy and unblocker application can enable a targeted, human-driven cyber-attack on the network they're connected to.
Post-Breach Industry Report
5 November 2014
This groundbreaking inaugural report reveals what cyber-attackers do inside your network after they evade perimeter defenses. Ironically, once inside, their actions create opportunities to stop them.