Security Labs

The June 2017 Petya (Petna, Petrwrap, etc.) outbreak injected some much un-needed excitement into an IT sector just starting to come to terms with the implications of the WannaCry outbreak a few weeks beforehand.

In the immediate wake of WannaCry there was a discussion around what could have been done to reduce the impact of the outbreak, but even without the benefit of hindsight it was easy to point to slow patching cycles and the questionable architectural/configuration decision of allowing SMB traffic from external addresses past the network boundary.

However, as discussed in our earlier blog post, June 2017’s Petya... Read more

Please note:​ This is an update to our original analysis posted on June 27, 2017.

Forcepoint Security Labs will continue to refer to this as a Petya outbreak, although other vendors have chosen to apply additional or alternative names to it.

In straightforward terms, the samples analysed have passed the ‘duck test’ https://en.wikipedia.org/wiki/Duck_test) as Petya which has previously been seen to:

Microsoft Security Advisory 4025685 [1] was released on Tuesday 13 June 2017 and quickly gathered a large amount of attention for fixing a significant number of SMB exploits in supported versions of Windows and for Microsoft's decision, once again, to provide patches for now-unsupported versions of their operating systems.

While Microsoft rate the SMB vulnerabilities as Important rather than Critical, it should be borne in mind that vulnerabilities within network services such as these are inherently 'wormable' as demonstrated by WannaCry's rapid spread via the exploitation of an SMB vulnerability just last month (see https://... Read more

At around 09:00 BST yesterday, Forcepoint Security Labs™ observed a significant malicious email campaign from the Necurs botnet. Necurs is a prevalent botnet that is known to spread Locky ransomware, pump-and-dump stock scams, and more recently the Jaff ransomware.

This time, however, Necurs has been observed spreading the Trickbot banking Trojan for the first time. The malicious email campaign ended at around 18:00 yesterday and nearly 9.6M related emails were captured and stopped by our system. The following is a sample screenshot of a related email:

In addition, below are details of this campaign:

A week on from the WannaCry outbreak, a huge number of articles have been written on the topic. These have covered everything from in-depth analyses of WannaCry itself to discussion pieces about the EternalBlue and DoublePulsar exploits and, latterly, warnings about other pieces of malware using the same propagation techniques as WannaCry.

Forcepoint™ customers are protected against the underlying EternalBlue exploit via NGFW at the following stages of attack:

Stage Four (Exploit Kit) - The EternalBlue exploit attempts are blocked.

For threats where communication or distribution is performed via... Read more

Many of the technical aspects of the WannaCry ransomworm outbreak on Friday 12 May 2017 are well documented by this point: the primary means by which the malware spread appears to have been the use of the DoublePulsar and EternalBlue code released by the Shadow Brokers earlier this year and patched as part of Microsoft's MS17-010 update on 14 March 2017.

As we noted in our initial blog post on the topic (https://blogs.forcepoint.com/security-labs/wannacry-ransomware-worm-targets-unpatched-systems), WannaCry's ability to self-propagate marks something of a watershed moment in the evolution of ransomware. Whereas previous variants... Read more

Please note: Forcepoint Security Labs have now published an in-depth analysis of the EternalBlue propagation method used by the WannaCry campaign. This can be found here: https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis

Yesterday, the world saw one of the most significant malware outbreaks for quite some time: our news feeds are full of the news of this cyber attack with institutions in many countries being impacted and reports of whole computer networks being shut down. The malware's ability to self-propagate was a significant change from what we have become used to in recent years,... Read more

Please note: this post is not related to the global WannaCry outbreak on Friday 12 May 2017. For ongoing up dates on WannaCry, please see our blog post at https://blogs.forcepoint.com/security-labs/wannacry-ransomware-worm-targets-unpatched-systems

Forcepoint Security Labs™ have observed today a major malicious email campaign from the Necurs botnet spreading a new ransomware which appears to call itself 'Jaff', peaking within our telemetry at nearly 5m emails per hour. 

The emails sent by this campaign may look spartan to the professional eye but, as ever, the human point of interaction with systems is... Read more

Forcepoint Security Labs have recently observed a malicious email campaign delivering what appears to be a new variant of the Geodo/Emotet banking malware, predominantly to .UK TLDs across a range of sectors including addresses at major business and government departments.

Several prior campaigns have been recorded with researchers noting a progressive evolution in the methods employed by the actors behind the malware: earlier versions were reported delivering the malware as an attachment to fake telephone bills. This then changed to embedding links to malicious files within the emails - the same approach as has been observed in... Read more

In a recent blog we talked about how the current ransomware pandemic continues to attract would-be cybercriminals to ransomware-as-a-service (RaaS) platforms. In this post we will look into a new piece of ransomware called "CradleCore" - a crimeware kit that is currently being offered to cybercriminals looking to own customisable ransomware source code.

CradleCore,  a.k.a. "Cradle Ransomware", is peculiar in the sense that it is being sold as source code. Typically, ransomware is monetized by developers using the RaaS business model. If that doesn't work, only then the will the developers consider selling the source code.