Security Labs


Forcepoint Security Labs™ brings together researchers, engineers and thought leaders from around the world to discover, investigate, report and – ultimately – protect our customers from sophisticated, evasive and evolving Web- and email-based threats.

Find out more about the work we do through our blogs, annual reports, conference presentations and podcasts.

For many, ‘virtual’ currencies such as Bitcoin remain a mystery primarily associated with online criminals, despite no longer being far removed from the monetary system and transactions we’re used to.

This article is intended to serve as a primer, rather than one of our more usual technical analyses: cryptocurrencies continue to play a key role in many areas of cyber-crime, being used for everything from online marketplace transactions to ransomware demands. However, with a number of legitimate organisations ranging from the Bank of England[1] to EY[2] also taking an interest in cryptocurrencies and the technologies behind them, it’s... Read more

Researchers at Google and CWI have been the first to create a practical collision attack against the SHA-1 cryptographic hash function. Previously a collision was only possible in theory, on the premise that a significant amount of computing power would be necessary to generate one. Now it seems that computing power has been harnessed by the team, who have named the collision issue “SHAttered”.

Cryptographic hash functions such as SHA-1 are used extensively in applications of data integrity and data storage. Some applications rely on a cryptographic hash function being collision-resistant, others that... Read more

Sometimes old threats remain relevant for a long period of time. The longevity of the x86 CPU architecture means that rootkits leveraging its features to achieve stealth on compromised systems may have a long shelf life and enable attackers to evade detection over an extended period. In this article, we look at “Subversive” (https://github.com/falk3n/subversive), a Linux rootkit that uses x86 debug registers to hook the operating system kernel. Despite the last change in Subversive’s GitHub repository being in 2011, it compiled and operated successfully in a modern environment, on the latest release of Red Hat Enterprise... Read more

Forcepoint Security Labs™ came across a malicious reconnaissance campaign that targets websites. As of this writing, the intent behind the campaign is unknown; however, the profile of the targets resembles that of the usual targets of Advanced Persistent Threat (APT) actors. As the attack is currently active, it effectively turns compromised sites into attack surfaces against their visitors.

Furthermore, the injections resemble those used by the Turla group, such as those previously documented by Swiss GovCERT last year. In this post, we will share our findings on this campaign's targets and injected code as well... Read more

Forcepoint Security Labs™ recently investigated a trojanized RTF document which we tied to the Carbanak criminal gang. The document contains an encoded Visual Basic Script (VBScript) typical of previous Carbanak malware. Recent samples of the malware now include the ability to use Google services for command-and-control (C&C) communication. We have notified Google of the abuse and are working with them to share additional information.

Carbanak (also known as Anunak) is a group of financially motivated criminals first exposed in 2015. The actors typically steal from financial institutions using targeted malware. Recently... Read more

Introduction

by Nicholas Griffin and Roland Dela Paz

In October 2016 Forcepoint Security Labs™ discovered new versions of the MM Core backdoor being used in targeted attacks. Also known as “BaneChant”, MM Core is a file-less APT which is executed in memory by a downloader component. It was first reported in 2013 under the version number “2.0-LNK” where it used the tag “BaneChant” in its command-and-control (C2) network request. A second version “2.1-LNK” with the network tag “StrangeLove” was discovered shortly after.

In this blog we will detail our discovery of the next two versions of MM Core, namely “BigBoss” (2.2-... Read more

Like us, cybercriminals enjoy the festive season, and that is sometimes reflected in their malicious activities. In 2011 we saw a Zeus banking trojan Panel - a user interface for herding Zeus-infected machines - with a Christmas-themed background. This time Forcepoint Security Labs™ has noticed that the CryptXXX gang have started to offer Christmas discounts to victims who intend to pay the ransom.

Also known as UltraCrypter, CryptXXX is one of the active ransomware families currently in the wild. Last June we reported CryptXXX as a malware payload originating from a compromised anime site that silently redirected to the Neutrino... Read more

First spotted in February 2016, the Locky crypto-ransomware has become a dangerous threat to both large organisations and residential users alike. In this blog we give a brief overview of what Locky is and cover the significant aspects of its infamous history.

What is Locky?

Locky is a crypto-ransomware which aims to infect machines, encrypt sensitive information, and hold the data to ransom by requesting a payment to get the files decrypted.

Locky actors aim to make significant financial gain from successfully extorted users. There appear to be several different actors who utilise and distribute unique builds... Read more

What is Sledgehammer?

Operation Sledgehammer, translated into Turkish, is Balyoz Harekâtı, which was the name of a 2003 attempted military coup d'état in Turkey. It’s also the name of a recent Distributed Denial of Service (DDoS) attack that targeted organizations with political affiliations that the attacker deems out of line with Turkey’s current government. These organizations include the German Christian Democratic Party (CDU), the People’s Democratic Party of Turkey, the Armenian Genocide Archive and the Kurdistan Workers Party (PKK).

In our latest report, called Sledgehammer - The Gamification Of DDoS Attacks, we document... Read more

The Horse Pill rootkit was presented at Black Hat 2016 by Michael Leibowitz, a security engineer and member of the Red Team at Intel. Horse Pill is a proof-of-concept Linux rootkit that demonstrates two interesting techniques: 1. infecting systems via the initial ramdisk, and 2. deceiving system owners using container primitives. In this article we explore those techniques and how our product, Forcepoint Threat Protection for Linux, fares against them.

Initrd Infection

The initial ramdisk, or initrd, is a compressed archive containing files needed by a Linux system early in the boot process. The initrd is loaded into memory,... Read more