VB2012 day 2

One of the things I don't like about conferences is when two talks you want to attend are scheduled at the same time. That is exactly what happened to me at VB2012.

Fortunately David was on stage for a whole hour, so I attended his first half and then switched to Fabio's talk.

versus

Both talks were related to “unsuspicious” devices being abused by cybercriminals.
David talked about how most of the AV industry probably does not pay enough attention to protecting Unix/Linux-based devices and servers. We see on a regular basis how cybercriminals abuse all kinds of *nix servers to distribute malware and to set up their malicious infrastructure. As David put it: “Why am I here talking about something 10 years old? Because we have done nothing!”

Fabio explained a real example of how other unsuspicious devices are being abused in Brazil, in this case home DSL routers. The existence of well-known vulnerabilities in these devices, and the ease of finding vulnerable devices on the Internet, was abused by Brazilian cybercriminals to redirect their victims to the criminals' own DNS servers. Making more than 50,000 USD a month, the cybercriminals then decided to spend all their money in Rio de Janeiro on prostitutes! But the real problem is that none of the players here (ISPs, LE and vendors) are taking security seriously.

Who was the winner in this battle? I'm sorry David, but Fabio won the #presentationGame and said the secret word during his talk!

However, there was more interesting material on VB2012 day 2. One of the talks I found most interesting was “Measuring the cost of cybercrime” by Tyler Moore. He and his team have been working on a comprehensive economic framework to calculate the true cost of cybercrime based on solid data and its economic implications. I really think this is necessary for the whole industry and for society, so that we can base our risk perception on solid foundations rather than on estimates. You can find more details here.

And as an extra bonus, here you can find the presentation I gave today on privacy:

I will prepare a more detailed article on this, as I understand it may be difficult to follow the PDF without the explanation, but I hope you find it interesting.
