How to Use VMware Carbon Black’s Real-Time Endpoint Query to Identify BlueKeep Vulnerability Risk
Recently, security researchers revealed a Proof of Concept attack that leverages the BlueKeep vulnerability. Whenever this type of news breaks on the twittersphere, organizations are left with the question: "Are we susceptible to this type of attack?" Using CB LiveOps, a real-time endpoint query...
CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia
A CB customer recently provided a series of commands that they had observed for analysis. The customer felt that the associated attacker activity may have been attempting to tamper with the Carbon Black product. It turned out they were not, but the attackers were specifically looking for the...
Querying Windows Event Logs for Faster Investigation and Response
With this week’s release on the VMware Carbon Black Cloud, users can now remotely inspect Windows devices’ event logs to pull back information that could be helpful during an investigation or response scenario. This new capability comes as part of an update to the Live Query functionality provide...
TAU Threat Intelligence Notification: NanoCore – Old Malware, New Tricks!
In analyzing the stream of raw emails seen in the wild, TAU discovered a campaign of what first appeared to be a fairly standard spear-phishing attack. The email contained a Word document which carried an exploit for CVE-2017-11882, a vulnerability that allows for Microsoft Office documents to ru...
7 Predictions for Ransomware’s Evolution
During the past six months, the Carbon Black Threat Analysis Unit (TAU) analyzed more than 1,000 ransomware samples, categorizing them into 150 families, and found attackers are looking to make quick, easy money with unsophisticated malware, combined with sophisticated delivery methods. Our samplin...
Technical Analysis: Hackers Leveraging COVID-19 Pandemic to Launch Phishing Attacks, Fake Apps/Maps, Trojans, Backdoors, Cryptominers, Botnets & Ransomware
The global COVID-19 pandemic is generating a substantial uptick in the production and delivery of Coronavirus-themed malware. Due to a rapidly growing number of Indicators of Compromise (IOCs), this report covers the key behaviors by aligning them to the MITRE ATT&CK Framework. MITRE ATT&CK launched in...
TAU Threat Advisory: Microsoft Exchange Servers Targeted with Four Zero-day Exploits
The following advisory from the VMware Threat Analysis Unit (TAU) is to provide guidance, best practices and capabilities to identify risk, prevent, detect and respond to this emerging threat.
Summary
On March 2, 2021 Microsoft announced four zero-day vulnerabilities CVE-2021-26855, CVE-2021-26857,...
Wild Blue Yonder: VMware Carbon Black ThreatSight Dissects BlueKeep Windows Exploit
VMware Carbon Black’s ThreatSight (TS) team monitors customer environments to detect and alert on new and emerging threats. Recently, ThreatSight detected malicious behavior that leveraged several attack vectors, including one of the first known uses of the newly released BlueKeep Windows exploit i...
Threat Analysis: CVE-2020-0796 – EternalDarkness (ghostSMB)
On March 10, 2020 analysis of an SMB vulnerability was inadvertently shared, under the assumption that Microsoft was releasing a patch for that vulnerability, CVE-2020-0796. As of March 12, Microsoft has since released a patch for CVE-2020-0796, which is a vulnerability specifically affecting SMB3...
TAU Threat Advisory: Imminent Ransomware threat to U.S. Healthcare and Public Health Sector
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert this week with regards to an imminent cybercrime threat to US hospitals and healthcare providers. The alert was coauthored by CISA, the Federal Bureau of Investigation (FBI), and the...
Threat Analysis: Equation Equals Backdoor
On November 20, 2017 the exploit for CVE-2017-11882 was publicly released, which allowed for code execution in vulnerable versions of Microsoft’s Equation editor. CVE-2017-11882 affects the following versions of Microsoft Office: Microsoft Office 2007 Service Pack 3 Microsoft Office 2010 Service...
Using Live Query to Audit Your Environment for the Windows CryptoAPI Spoofing Vulnerability
This week, as part of its monthly patch Tuesday release, Microsoft disclosed an important security vulnerability CVE-2020-0601 affecting millions of Windows 10 and Windows Server 2016 & 2019 systems. More specifically, this vulnerability is a result of the way Windows CryptoAPI validates Elliptic...
Threat Analysis Unit (TAU) Threat Intelligence Notification: Tick Downloaders (Operation ENDTRADE)
Trend Micro released a white paper about Tick, a Chinese cyberespionage threat actor targeting East Asian countries. The report details several new downloader malware families. The VMware Carbon Black Threat Analysis Unit (TAU) reviewed the malware and is providing product rules to detect and identify...
Threat Analysis: Pylot (Travle) Malware Family
The Pylot or Travle malware family appears to be an evolution of the NetTravler malware family which has been linked to attackers out of China by numerous sources. Over the last year a variant has been observed as a secondary payload often used in conjunction with malicious carrier files typicall...
Steganography in the Modern Attack Landscape
Steganography (the hiding of data in other content types such as images, videos, network traffic, etc.) continues to play a role in modern attacks in several forms. Most uses of steganography in malware can be divided into two broad categories: concealing the actual malware contents and concealing t...
TAU Threat Intelligence Notification: PPID Spoofing – Explorer CLSID
Summary
Popular Attack Surface Reduction bypasses allow adversaries to hinder threat hunting activities by spoofing the Parent Process ID (PPID). PPID-to-PID relationships have always been a key indicator of compromise, and removing these conditions leads to a false sense of security. Upon investigation it's bee...
VMware Carbon Black TAU: Ryuk Ransomware Technical Analysis
Ryuk Ransomware has been crippling both the public and private sector recently with the ability to disrupt its target environment. The ransomware will typically be dropped by an already compromised system that has been infected by Trickbot or Emotet through a phishing email. Once the Ryuk payload...
CB TAU Threat Intelligence Notification: Trickbot Banking Trojan Continues to Evolve
There has been various coverage recently regarding newly identified Trickbot samples found in the wild. A recent sample identified by TAU includes additional techniques that leverage LOLBins, which are used by Trickbot to enumerate the network environment and additionally perform a dump of the...
CB ThreatSight Uncovers & Stops Active WannaMine Cryptocurrency Attack Targeting Software Provider
CB ThreatSight, Carbon Black’s 24×7 managed threat hunting service for CB Defense, recently investigated an alert within a software provider’s environment that uncovered an ongoing WannaMine attack campaign. This blog will introduce some of the processes and remediation steps involved when an...
CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption
According to source articles, RobbinHood ransomware has been discovered and it will stop 181 Windows services prior to the encryption taking place. It is thought that the ransomware might not be distributed through a typical spam campaign, but instead via other methods such as hacked remote deskt...
10 Endpoint Security Problems Solved by the Cloud – Identifying Problems
Last week we looked at how the cloud keeps your endpoints from becoming sluggish and pointed out why it is uniquely positioned to predict new threats. This week, we’re going to examine why the cloud outperforms traditional antivirus when it comes to identifying problems. Can't Fix What You Can't...
Threat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT
AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop...
Carbon Black TAU & ThreatSight Analysis: GandCrab and Ursnif Campaign
Summary
Analysis conducted by Andrew Costis, Cathy Cramer, Emily Miner and Jared Myers. The Carbon Black ThreatSight team observed an interesting campaign over the last month. ThreatSight worked with the Threat Analysis Unit (TAU) to research the campaign. This report is being released to help...
TAU Threat Intelligence Notification – WindTail (OSX)
Summary
Dark Matter researcher Taha Karim recently presented his research on the APT group WindShift at Hack in the Box Singapore. This group primarily focuses on highly targeted campaigns directed toward Middle Eastern government and commercial entities. One of the custom macOS backdoors employe...
MITRE ATT&CK Evaluation Demonstrates the Power of the VMware Carbon Black Cloud
MITRE has released the results for its latest endpoint detection and response (EDR) product evaluation using its now industry-standard open methodology, the ATT&CK® framework. This year’s results further demonstrate why VMware Carbon Black, now a two-time participant, is a top choice of security an...
TAU Threat Intelligence Notification – LockerGoga Ransomware
LockerGoga ransomware has recently surfaced with a few successful infections, mostly discovered in Europe, that have caused very large and notable damage to businesses. This ransomware uses Windows “living off the land” tools (LOLBins) for the most part in order to infect and encrypt the victim’s...
TAU Threat Intelligence Notification – MongoLock Ransomware
Summary
The new variant of MongoLock Ransomware will delete users’ files immediately instead of encrypting them. Upon execution, MongoLock will scan specific locations such as the Desktop, Documents, or Recycle Bin folders, then delete files and format the local disk drives. The following is the list...
Threat Analysis: Carbon Black Threat Research Dissects PNG Dropper
UPDATE 8/14/17: After posting the original analysis, the Carbon Black Threat Research team received numerous requests for the tools to extract the second stage payload from the initial PNGdropper file. As a result, the source code and compiled binaries are being made public and are posted to the...
Risk Score 101: What to look for in a Risk Score
Editor's Note: Monica White, a guest author on the Carbon Black blog, is the Director of Product Marketing at Kenna Security. When we at Kenna Security originally looked at adding a risk score to enumerate vulnerability risk in VMware Carbon Black Cloud Workload, we knew that Common Vulnerability...
TAU Threat Intelligence Notification: Operation SharpShooter
Operation Sharpshooter leverages embedded shellcode as an in-memory implant to download and retrieve a second-stage implant, which is known as Rising Sun. Rising Sun uses source code from the Duuzer backdoor that has been used in a past campaign of the Lazarus group. This newly discovered campaig...
Threat Analysis: ROKRAT Malware
ROKRAT, also referred to as DOGcall, is a family of malware that has been used by attackers originating from North Korea. The family continues to evolve and adopt techniques from other families also used by the same attack group. The ROKRAT core payload is typically deployed by a loader, which has...
The Twenty Minute VC with Carbon Black CEO Patrick Morley
Editor's Note: This post originally appeared on TheTwentyMinuteVC.com. Patrick Morley is the President and CEO @ Carbon Black, the company that combines unfiltered data collection, predictive analytics, and cloud-based delivery to provide superior endpoint protection. Prior to their IPO in April...
Attack Madness: The “Final Four” Cyber Threats According to Security Professionals
In the spirit of March Madness, we’re evaluating the type of cyberattacks that most concern our community of security experts. When approximately one million cyberattacks are attempted per day, this “madness” takes on a whole new level for organizations looking to protect themselves against the...
Carbon Black’s Victor Baez Recognized as a 2018 CRN Channel Chief
CRN®, a brand of The Channel Company, has named Victor Baez, Vice President, WW Channels of Carbon Black, to its prestigious list of 2018 Channel Chiefs. The executives on this annual list represent top leaders in the IT channel who excel at driving growth and revenue in their organization throug...
TAU Threat Intelligence Notification: Spear Phishing Targeting Italy
Summary
This campaign is targeting users in Italy with spear phishing emails containing malicious attachments.
Figure 1: Emails with the malicious XLS attachment
The image above shows one of the samples attached to multiple emails that were sent to email addresses under the Italian ccTLD. The attached...
Fighting Back in 2021: 4 Best Practices for Security Teams
“Attacks these days don’t have a natural beginning or ending. For an adversary, every attack is an opportunity to learn something that can then be used against additional organizations.” -- Greg Foss, Senior Cybersecurity Strategist, VMware Security Business Unit. Attackers versus defenders will...
CB TAU Threat Intelligence Notification: Winnti Malware 4.0
Winnti is a family of malware used by multiple Chinese threat actors like APT41. Carbon Black’s Threat Analysis Unit (TAU) is providing this technical analysis, YARA rules, IOCs and product rules for the research community.
Behavioral Summary
Winnti malware is installed manually with stolen...
CB TAU Threat Intelligence Notification: Hunting APT28 Downloaders
Recently the Carbon Black Threat Analysis Unit (TAU) analyzed the APT28 downloaders SedUploader and Zebrocy, which have been observed over the previous six months. There have been several good publications regarding the code analysis of SedUploader and Zebrocy already 125679. Therefore, in this artic...
CyberAegis Aether Competition Team Reflects Bright Future for Young Women in STEM & Cybersecurity
I am always excited to get involved in conversations around getting more young women into STEM earlier. Recently, I was able to catch up with the members of the CyberAegis Aether team, an all-girls, middle school cybersecurity competition team. Here is what they had to say: Tell us a little bit...
COVID-19: Cybersecurity Community Resources
Novel Coronavirus COVID-19 has thrust personal safety and security into the public’s consciousness in an unprecedented way. Families, employees and global businesses have been forced to upend their lives to make their respective communities healthier and more resilient. Our collective response to...
Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
In June of 2018, an organization contacted the Carbon Black Threat Analysis Unit (TAU) about a ransomware attack they were currently investigating. TAU team members worked with the firm investigating the incident. After the initial analysis was completed, it became apparent that this network had be...
10 Tips for Effective Threat Hunting
Editor’s Note: The text appears in the free eBook: “Threat Hunting for Dummies.” Consider the fact that attackers don’t think of their success as optional. Given that, effectiveness and success of a threat hunting program are critical. Organizations that start a threat hunting program have succes...
September 26, 2017 – Morning Cyber Coffee Headlines – “The Beatles” Edition
Good morning! Sit with Carbon Black this morning over a cup of coffee or tea and browse a few industry headlines to get the day started. We’ve got just enough information below to get you through that first cup…enjoy! September 26, 2017 - Headlines Carbon Black in the News: Sophisticated threats?...
CB TAU Threat Intelligence Notification: GermanWiper Ransomware
GermanWiper Ransomware was found distributed via a spam email campaign in Germany. It is data-wiping malware, and the ransom note was written in German. The malware pretends to be ransomware but is actually a wiper that destroys the data instead of encrypting it. Figure 1: Screenshot of th...
Boosting Your Linux & Docker Security with CB LiveOps
Today we’re excited to announce Linux support for CB LiveOps, Carbon Black’s real-time endpoint query & remediation solution that helps security teams audit and change the state of their systems. This release expands the product’s footprint to cover all major operating systems, including Amazon...
CB TAU Threat Intelligence Notification: Maze Ransomware
Maze Ransomware, also known as ChaCha Ransomware, has been discovered being distributed by the Fallout exploit kit. After the encryption, it will create a ransom note named ‘DECRYPT-FILES.html’ in each of the encrypted file’s folders. The bottom of the ransom note is a base64 string which contain...
Partner Perspectives: Optimize your Case Management with CB Defense and Swimlane
Jay Spann is a SOAR Evangelist for Swimlane. As today’s threat landscape continues to grow and change, security operations centers (SOCs) are inundated with endless alerts and have to implement incident response processes and policies to address them. This typically means long days of tedious, manual...
Threat Analysis Unit (TAU) Threat Intelligence Notification: SNAKE Ransomware
A new enterprise-targeting ransomware named ‘SNAKE’ was recently discovered. Similar to other variants of ransomware, it will stop numerous processes or services such as antivirus software and perform the deletion of volume shadow copies to ensure the data cannot be restored easily. After...
Threat Analysis Unit (TAU) Technical Report: The Prospect of Iranian Cyber Retaliation
Several different events in the Middle East (ME) region have escalated in the last several weeks between Iran and the United States. After a series of military operations between the two countries, several alerts were released by the U.S. government of a potential for cyberattacks. Traditionally...
fn_fuzzy: Fast Multiple Binary Diffing Triage with IDA
Summary
This week at HITBSecConf, Takahiro Haruyama, a Senior Threat Researcher for the CB Threat Analysis Unit (TAU), presented his work on fn_fuzzy, a tool which aims to help researchers and reverse engineers triage samples quicker. This blog post details the motivation for and current standing of...