June 26, 2013 | Alberto Ortega

Take care of your server, or it will be hacked and sold

Have you ever had a server open to the internet with the SSH service running? Then you know how common it is to receive break-in attempts against your servers, produced by automated bots that scan wide ranges of hosts trying weak user/password combinations to log into remote machines. But what happens next? What is the business behind these…

June 17, 2013 | Alberto Ortega

Urausy ransomware family, a quick internals overview

Ransomware is popular among bad actors. The Reveton malware family (based on Citadel) made a difference last year; now it is losing popularity in favor of Urausy, just another lock-screen ransomware. There are plenty of them living in the wild, but in this post we are going to focus on Urausy. These malware families are being spread by using exploit…


May 23, 2013 | Jaime Blasco

Yara rules and network detection for Operation Hangover

Last week, our friends from Norman published a great report on a cyber espionage campaign named Operation Hangover. We have released some Yara rules to detect most of the payloads mentioned in the paper. You can download the rules from our Github space: On the other hand, the Hangover attackers have been using several payloads with network…

May 5, 2013 | Jaime Blasco

New Internet Explorer zeroday was used in the DoL Watering Hole campaign

In our first analysis we reported that the exploited vulnerability was CVE-2012-4792. Further analysis showed that the vulnerability exploited wasn’t CVE-2012-4792 but a new zeroday vulnerability affecting Internet Explorer 8 (CVE-2013-1347). This was confirmed by Microsoft, which released a Security Advisory on Friday, and by FireEye. In addition we have…

May 1, 2013 | Kate Brew

U.S. Department of Labor website hacked and redirecting to malicious code

During the last few hours we have identified that one of the U.S. Department of Labor websites has been hacked and is serving malicious code. Clarification: The website affected is the Department of Labor (DOL) Site Exposure Matrices (SEM) Website. “The Department of Labor (DOL) Site Exposure Matrices (SEM) Website is a repository…

April 29, 2013 | Eduardo De la Arada

UrlQuery Chrome Extension

UrlQuery is a service for detecting and analyzing web-based malware, as its website claims. The service is very useful and provides a detailed report of the submitted webpage. We use these services a lot in the lab, so we’ve decided to make our lives easier by developing a simple context menu extension which automatically sends…

April 16, 2013 | Jaime Blasco

How cybercriminals are exploiting Bitcoin and other virtual currencies

What is Bitcoin? Bitcoin is an online decentralised virtual currency based on an open source, P2P protocol. Bitcoins can be transferred using a computer without relying on a financial institution. If you haven’t heard about Bitcoin I recommend you watch the following video: Both Bitcoin creation and transfer are performed by computers called “miners…

April 16, 2013 | Dominique Karg

Of Dragons, Elephants & Aliens: A decade of OSSIM

2003-2013: With the launch of our new Unified Security Management virtual appliances, it’s hard not to look back at the origins of our ‘baby’— OSSIM—that spawned both our company and our commercial USM platform. Join me for a little nostalgic walk down memory lane… It’s been almost 10 years since we…

March 21, 2013 | Jaime Blasco

New Sykipot developments

Summary: During the last few years, we have been publishing about a group of hackers who have focused on targeting DIB (Defence Industrial Base) and other government organizations: - Another Sykipot sample likely targeting US federal agencies - Are the Sykipot’s authors obsessed with next generation US drones? - Sykipot variant hijacks DOD and Windows smart cards -…

March 20, 2013 | Jaime Blasco

A theory on the South Korean attacks

During the day I’ve been thinking about what has just happened in South Korea. It is a very simple piece of code that overwrites the MBR (Master Boot Record), making the affected system unable to start after reboot. Other companies have published information about the wiper payloads, but no one is giving information about how the attackers gained…

March 20, 2013 | Jaime Blasco

Information about the South Korean banks and media systems attacks

As many of you probably know, several South Korean banks and media companies have been affected by an attack that has wiped several systems. It seems the South Korean security company Nshc has published more details on its Facebook page. Based on the samples we collected, the malware overwrites the MBR (Master Boot Record) of the system. After reboot…

March 14, 2013 | Jaime Blasco

Latest Adobe PDF exploit used to target Uyghur and Tibetan activists

Last month Adobe released a fix to patch a vulnerability that was being exploited in the wild. Kaspersky found that the 0day was being used by a very sophisticated group to target different governments using a malware called MiniDuke. AlienVault Labs has detected that a different group of attackers has been using this vulnerability to target non-governmental and…
