Chris Doman | AlienVault Blogs

Chris Doman

Threat Engineer

I’ve had a long interest in security, but joined the industry after winning the civilian section of the Department of Defense’s forensics competition. I run a popular threat intelligence portal (ThreatCrowd.org) in my spare time, and hold a CCHIA (Certified Host Intrusion Analyst) from CREST and a degree in Computer Science from the University of Cambridge.

June 11, 2018 | Chris Doman

More Details on an ActiveX Vulnerability Recently Used to Target Users in South Korea

Written by Chris Doman and Jaime Blasco. Introduction: Recently, an ActiveX zero-day was discovered on the website of a South Korean think tank that focuses on national security. Whilst ActiveX controls are disabled on most systems, they are still enabled on most South Korean machines due to mandates by the South Korean government.…

May 1, 2018 | Chris Doman

MassMiner Malware Targeting Web Servers

Written in collaboration with Fernando Martinez. One of the biggest malware trends of 2018 has been the increasing variety of crypto-currency malware targeting servers. One family of mining malware, which we’ve termed “MassMiner”, stands out as a worm that not only spreads itself through a number of different exploits, but also brute-forces access to Microsoft SQL Servers. It surprised us…

February 15, 2018 | Chris Doman

North Korean Cyber-Attacks and Collateral Damage

WannaCry was incredibly destructive. The attackers made about $150,000, but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as ‘Lazarus’, reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn…

January 30, 2018 | Chris Doman

OTX Trends Part 3 - Threat Actors

By Javvad Malik and Chris Doman. This is the third of a three-part series on trends identified by AlienVault in 2017. Part 1 focused on exploits and Part 2 addressed malware. This part will discuss threat actors and patterns we have detected with OTX. Which threat actors should I be most concerned about? Which threat actors your organization should be most…

January 23, 2018 | Chris Doman

OTX Trends Part 2: Malware

By Javvad Malik and Christopher Doman. This is the second of a three-part series on trends identified by AlienVault. Part 1 focused on the exploits tracked by OTX. This blog will talk about the malware, and Part 3 will discuss trends we’re seeing in threat actors. Which malware should I be most concerned about? Most security incidents that a…

January 16, 2018 | Chris Doman

OTX Trends Part 1 - Exploits

By Javvad Malik and Christopher Doman. Introduction: Every year, AlienVault records billions of anonymised security events from our customers. This telemetry can be aggregated to establish macro trends. And for many years, we have also been comprehensively recording other vendors' threat reports in our Open Threat Exchange (OTX) platform. We have combined these two data-sets to help…

January 8, 2018 | Chris Doman

A North Korean Monero Cryptocurrency Miner

AlienVault Labs recently analysed an application compiled on Christmas Eve 2017. It is an installer for software to mine the Monero crypto-currency. Any mined currency is sent to Kim Il Sung University in Pyongyang, North Korea. The installer copies a file named intelservice.exe to the system. The filename intelservice.exe is often associated with…

November 9, 2017 | Chris Doman

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks

We previously reported on SamSam ransomware charging high ransoms for infected servers. But SamSam isn’t the only ransomware out there charging eye-watering amounts to decrypt business servers. Initial reports of a new variant of ransomware called LockCrypt started in June of this year. In October we saw an increase in infections. LockCrypt doesn’t have heavy code…

October 19, 2017 | Chris Doman

ARP Spoofing Used to Insert Malicious Adverts

Recently we came across a new variant of the malware ServStart. ServStart is primarily used by attackers located in China, in a mix of targeted and opportunistic attacks. The attackers are hosting the ServStart malware on a file server that is open for anyone to view. The open file server at http://222.186.11[.]182:9999. The Rar Archive: One of the…

August 21, 2017 | Chris Doman

YARA Support and Other Recent Additions to OTX

AlienVault OTX now supports YARA rules! YARA rules are a great way of detecting, classifying and hunting for malware. We are happy to announce you can now develop, test and share YARA rules on AlienVault OTX. If you'd like to deploy these rules on your own network, here is a script to download the rules (and a big…

August 17, 2017 | Chris Doman

The Upgraded AlienVault OTX API & Ways to Score Swag!

We've made a number of improvements to the depth of data in OTX recently, which are now available via the free API tool. Some of the API functions now include: malware anti-virus and sandbox reports (example); a Whois API, including reverse whois and reverse SSL (example); viewing IP addresses that our telemetry indicates a specific network signature has fired…

June 21, 2017 | Chris Doman

SamSam Ransomware Targeted Attacks Continue

Normally new variants of ransomware families aren't particularly interesting. SamSam, however, is different. Whereas most ransomware is automatically propagated, SamSam is deployed manually. In addition, the group behind SamSam charges very high ransoms because of the amount of effort invested in their operations, which made them the subject of two FBI Alerts last year. The attacks seem to peak…
