849 matches found
fn_fuzzy: Fast Multiple Binary Diffing Triage with IDA
Summary This week at HITBSecConf, Takahiro Haruyama, a Senior Threat Researcher for the CB Threat Analysis Unit TAU, presented his work on fnfuzzy, a tool which aims to help researchers and reverse engineers triage samples quicker. This blog post details the motivation for and current standing of...
CB TAU Threat Intelligence Notification: Sodinokibi Ransomware
Sodinokibi otherwise known as Sodin or REvil is a ransomware variant that has recently been observed evolving its delivery techniques, leveraging fake antivirus software and PowerShell droppers. This malware appears to be related to GandCrab and is likely a result of their operation closing up...
CB TAU Threat Intelligence Notification: State-Sponsored Espionage Group Targeting Multiple Verticals with ‘Crosswalk’
FireEye recently reported on APT41, a Chinese state-sponsored espionage group. The group has been documented as targeting healthcare, high-tech, and telecommunications companies for traditional corporate espionage purposes. Additionally this group has also targeted companies in the video game...
4 Common Misconceptions About Threat Hunting
Editor’s Note: Sam Bocetta, a guest author on the Carbon Black blog, is a freelance journalist specializing in U.S. diplomacy and national security, with emphases on technology trends in cyber warfare, cyber defense, and cryptography. Looking for cyber threats isn't new, but threat hunting as a...
TAU Threat Intelligence Notification: DarkHydrus/RogueRobin
Recently, Palo Alto Unit 42 released an updated report regarding new DarkHydrus delivery documents, which includes the installation of an updated variant of the RogueRobin trojan. This document includes details on both DarkHydrus and RogueRobin, along with detection rules and search queries that...
Carbon Black Cybersecurity Experts to Present in 4 Sessions at RSA 2019
We hope you’ll join Carbon Black at one of the company’s four presentations at RSA 2019. And don’t forget the company will also host a book launch and advanced signing of “Gray Day: My Undercover Mission to Expose America’s First Cyber Spy,” with Carbon Black’s National Security Strategist and...
Partner Perspectives: SOAR with Demisto and Carbon Black
Abhishek Iyer is the Technical Marketing Manager for Demisto. Automate your Endpoint Protection and Incident Response Demisto’s security orchestration and automation platform enables organizations to standardize, automate and coordinate response processes across their security stack. Playbooks...
Carbon Black Named a Finalist in 2019 Cybersecurity Excellence Awards and SC Media Awards
Carbon Black has been a leader in endpoint security for years and, yet, we’re still extremely grateful for continued recognition in the industry. Most recently, Carbon Black is honored to be recognized as a finalist in four categories for the 2019 Cybersecurity Excellence Awards including: Best...
VMware Carbon Black Champions Data Privacy Day 2021
Today is Data Privacy Day, an annual effort hosted by the National Cybersecurity Alliance NCSA to raise awareness about the importance of privacy and protection of personal information. VMware Carbon Black is proud to be an official Champion, supporting the principle that all organizations share...
CB TAU Threat Intelligence Notification: Qbot/Qakbot Attempts to Evade Detection By Overwriting Itself
Qbot, or Qakbot, is a banking trojan that has been seen in the wild for at least 10 years. Recent campaigns have been often delivered by exploit kits and weaponized documents delivered via context-aware phishing campaigns. Qbot has also been suspected of delivering MegaCortex ransomware. Many...
CB TAU Threat Intelligence Notification – Recent Emotet Campaign Leverages Phishing, PDFs & Droppers Impersonating Legitimate Applications
This past week, CB ThreatSight analysts were investigating suspicious events in an environment. This customer had installed the CB Defense sensor on a subset of systems in monitor only mode for evaluation. While investigating suspicious events, a CB ThreatSight analyst uncovered a new Emotet...
TAU Threat Intelligence Notification: Shade Ransomware
Summary Recently there is a new wave of malicious spam campaign distributing Shade ransomware via sending malicious JavaScript attachments. The spam campaign was mainly targeting users from Russia, and the ransom note was written in both Russian and English. This variant of Shade ransomware will...
CB TAU Threat Intelligence Notification: Nemty Ransomware
While Nemty Ransomware is distributed by various exploit kits, its behavior is similar to other variants of ransomware. It will perform “task kill” on processes to ensure the encryption of files such as databases SQL server, perform the deletion of volume shadow copies, and disable Windows...
Carbon Black Leaders Share the Best Advice They’ve Ever Received From Their Moms
Mother’s Day is on May 12 and right around the corner! In honor of all mothers and mother-figures, members of Carbon Black's leadership team shared advice and personal stories about the impact their mothers made on their own lives and careers. Victor Baez, VP of Worldwide Channel “Troubles come a...
TAU Threat Intelligence Notification: Djvuu Ransomware
Summary Djvuu ransomware is believed to be a newer variant of the “Stop” ransomware strain, which was seen circulating in the early part of 2018. There are also similarities to the Goren-B trojan originally reported by Sophos back in 2016. Djvuu is likely to be delivered through phishing e-mail...
CB TAU Threat Intelligence Notification: HopLight Campaign (Linked to North Korea) is Reusing Substantial Amount of Code
On April 10, 2019 the US Department of Homeland Security DHS released a Malware Analysis Report MAR-10135536-8 which detailed the trojan HopLight. HopLight has been linked to different North Korean DPRK campaigns also known as the Lazarus Group. The CB Threat Analysis Unit TAU has continued to...
Enter to Win a Trip to #CBConnect2019 in San Diego during #RSAC19
We know RSA 2019 is exciting, but why should the fun stop in San Francisco? We want to give one of you the chance to win a trip to San Diego to attend CB Connect 2019, our premier customer and partner event, held June 4-5, 2019. This trip includes roundtrip airfare, a free pass to CB Connect 2019...
CB TAU Threat Intelligence Notification: GandCrab 5.2 Ransomware Attempts to Delete Volume Shadow Copies
GandCrab 5.2 ransomware will append seven randomly generated strings as the file extension to each encrypted file and drop a ransom note named as ‘generated file extension-MANUAL.txt’, for example, “office.doc.uahmthl” and “UAHMTHL-MANUAL.txt”. It will also change the desktop background of the...
Threat Analysis Unit (TAU) Threat Intelligence Notification: MailTo (NetWalker) Ransomware
MailTo is a ransomware variant that has recently been reported to have been part of a targeted attack against Toll Group, an Australian freight and logistics company. This ransomware makes no attempt to remain stealthy, and quickly encrypts the user’s data as soon as the ransomware is launched...
TAU Threat Intelligence Notification – Fake Movie File Attack Targeting Cryptocurrency
A malicious Windows shortcut file is posing as a movie available on a torrent site - its payload is used to conduct web-injection, ultimately targeting victim’s web searches in browsers like Chrome, Firefox and Internet Explorer. The payload has the ability to search for and steal cryptocurrency...
Partner Perspectives: Faster Response with Carbon Black and Tines.io
Tines was founded by former DocuSign and eBay security engineers who were frustrated by existing security automation platforms. “I was leading an enterprise security team that had to work harder and harder every day just to keep up with the volume of alerts that required investigation,” said Eoin...
Corner-Case Bug Potentially Affecting 10 Cb Response Customers
On Thursday, August 10, Carbon Black discovered a corner-case bug potentially affecting 10 Cb Response customers. The bug was introduced in April 2017 and requires a set of specific conditions to occur in order to be triggered. We have remediated the bug, proactively notified the 10 potentially...
Threat Advisory & Analysis: ‘Bad Rabbit’ Ransomware
On October 24, a large-scale ransomware campaign spread across Europe, in campaigns closely mimicking the NotPetya attacks from earlier this year. Just as was the case with NotPetya, the sample appeared to spread through traditional methods of making SMB connections within a corporate environment...
“The 101” – Episode 8 – What Makes a Trojan… a Trojan?
We’re back with another episode of The 101! This weekly security series aims to define endpoint security one question at a time. Tune in each week as we tackle a new term, concept, or comparison in our ongoing effort to provide clear definitions. This week we’re going to profile a type of malware...
The State of Healthcare Cybersecurity: VMware Carbon Black Explores the Surge in Cyber Threats
On the frontline of the pandemic, perhaps no industry was impacted and forced to innovate and transform as quickly as healthcare in 2020. Whether it was the rapid development of COVID-19 testing technology or the explosion of telehealth, healthcare organizations accelerated digital transformation...
CB Threat Analysis Unit Technical Breakdown: GermanWiper Ransomware
Editor's Note: The TAU-TIN related to this write up can be located here. GermanWiper Ransomware was found distributed via spam email campaign in Germany. It’s a data-wiping malware and the ransom note was written in German language. The malware pretends to be ransomware but is actually a wiper th...
Carbon Black and Siemplify Announce Integration Partnership
Carbon Black and Siemplify are excited to announce a partnership to deliver a fully integrated solution for incident response. By combining forces, Siemplify and Carbon Black will provide clients around the world with stronger prevention, detection and response strategies and capabilities. The...
CB TAU Threat Intelligence Notification: Smominru Botnet Leverages New Attack Techniques
Carbon Black’s Threat Analysis Unit TAU and CB ThreatSight discovered the resurgence of a previously active crypytomining botnet campaign called Smominru. This campaign has evolved since its original discovery in the latter half of 2017, leveraging new techniques including LOLbins, polymorphic...
How Carbon Black is Prioritizing Living Off the Land Attacks Part 2
What are Living Off the Land LoL Attacks? In recent years, Living off the Land Binaries and Scripts LoLBas have become increasingly popular tools for cybercriminals. These types of attacks leverage native, signed, and often pre-installed applications in malicious ways that their creators never...
CB TAU Threat Intelligence Notification: CryptoMix Clop Ransomware Disables Startup Repair, Removes & Edits Shadow Volume Copies
Summary A wew variant of CryptoMix Clop ransomware has been distributed as a binary that is digitally signed and verified which makes it look like a legitimate executable. In addition, CryptoMix Clop ransomware will append ‘.clop’ or ‘.ciop’ as a file extension to the encrypted file and drop a...
Defeating Compiler-Level Obfuscations Used in APT10 Malware
Summary The Carbon Black Threat Analysis Unit TAU recently analyzed a series of malware samples that utilized compiler-level obfuscations. For example, opaque predicates were applied to Turla mosquito and APT10 ANEL. Another obfuscation, control flow flattening, was applied to APT10 ANEL and Dhar...
Partner Perspectives: The Power of Shared Intelligence: Juniper Sky ATP and Cb Response
Scott Emo is the Director of Field Readiness, Security, for Juniper Networks. Uncover and Mitigate the Most Sophisticated Cyber Attacks The rapid growth of emerging technologies, combined with an increasing number of connected devices running business-critical applications in highly distributed...
CB TAU Threat Intelligence Notification: Formbook Harvests Data By Intercepting Clients
Formbook is an information stealer which has been around for the past few years. Formbook acts as a form grabber which harvests credentials, passwords, banking details, key strokes and network requests, by intercepting web browser and other clients such as email and IM. The particular sample...
Partner Perspectives: 3 Tips for Starting a Threat Hunting Program
Peter Silberman is the Director of Detection & Response, Innovation at Expel. Mary Singh is a Detection and Response Lead at Expel. So, you want to build a threat hunting program…but where do you start? There are lots of ways to build a threat hunting program for your own org and depending on you...
CB TAU Threat Intelligence Notification: Danabot Trojan Targets Financial Services Industry via Stolen Credentials
Summary Danabot is a banking trojan written in the Delphi programming language. Delivery methods are typically via phishing emails that contain malicious attachments, which further call out to download the main payload using PowerShell or VBScript. Danabot is modular in nature and has capabilitie...
CB TAU Threat Intelligence Notification: Common to Russian Underground Forums, AZORult Aims to Connect to C&C Server, Steal Sensitive Data
AZORult is an info stealing trojan that will steal various sensitive data from the victim's computer. It is commonly sold in Russian underground forums and is often actively being delivered via spear-phishing campaigns or, as in the recent attack, distributed via a fake website, pretending to be...
The Need for an Updated Kill Chain
“Cyber Kill Chain” The “Cyber Kill Chain”—created in 2011 by Lockheed Martin—was designed to be a model that “identifies what…adversaries must complete in order to achieve their objective.” This framework has been widely used through the cybersecurity world and informs prevention-heavy strategy. ...
The Future of Endpoint Security is the Cloud, Part 1: Predictive Security
Security Meets Big Data Technology has certainly empowered the adversary, across far more attack surfaces than just endpoints alone. In fact, many other security disciplines have been forced to adapt to increasingly sophisticated attacks — and when they do, they all turn to the same foundation: b...
Carbon Black Named a Visionary in Gartner’s 2018 Magic Quadrant for Endpoint Protection Platforms
For the second consecutive year, Carbon Black has been named a “Visionary” in Gartner’s Magic Quadrant for Endpoint Protection Platforms. For this year’s edition of the MQ, Gartner evaluated Cb Defense, our flagship solution built on the Cb Predictive Security Cloud ™ PSC. Our vision for the PSC ...
8 Live Queries That Will Speed Up Your Next PCI Audit
It’s no secret that kicking off any kind of compliance audit can be a slow, tedious project. This is especially true when it comes to performing a pre-assessment gap analysis for PCI-DSS. Ask any qualified security assessor QSA, and they’ll tell you that the data gathering, scoping, and gap...
Threat Analysis: Word Documents with Embedded Macros Leveraging Emotet Trojan
Many customers have recently asked how Carbon Black's solutions detect macros and droppers specifically referencing Emotet dropper files. Customers often say that macros and droppers are an ongoing problem in their environments. They are also seen day-to-day by most practitioners. The analysis...
VMware Carbon Black TAU Threat Research: Visualizing Ransomware with MITRE ATT&CK
If no one had ever heard of ransomware prior to May 2017, then one thing that is fairly certain is that the WannaCry ransomware outbreak unquestionably put ransomware on the security radar, and sent shivers up CISO’s and analysts’ spines for the weeks and months that followed. Only a few weeks...
CB Customer Spotlight: Q&A with Chick-fil-A’s Geoffrey Cole
In his 3-year tenure at Chick-fil-A’s Atlanta headquarters, Geoffrey Cole has already made a big impact in the company’s cybersecurity posture. Starting in systems engineering, Cole then moved to managing the endpoint security suite for both the corporate hub and satellite restaurants, and now...
Carbon Black Report: An Evolution of Cyberattacks
Quarterly Incident Response Threat Report An Evolution of Cyberattacks From Grab-and-Go Breaches to Long-Term Campaigns The data in this report reveals that today’s cyberattacks manifest as increasingly complex, long-term campaigns. Employing high-level tools and techniques, attackers set out to...
Partner Perspectives: From Alert to Action: How VMRay Provides Carbon Black with Detail-Rich Threat Intelligence
Good things happen when two leaders in their respective fields bring together their complementary capabilities. That’s the case with Carbon Black’s deep expertise in endpoint detection and response EDR and VMRay’s singular focus on dynamic malware analysis. The sum ends up being even greater than...
CB Partner Spotlight Series: Slipstream Cyber Security
Slipstream Cyber Security is a managed cyber-security service provider enterprise with a Cyber Security Operations Centre CSOC is located in Perth, Western Australia. Staffed by experienced security professionals with backgrounds in cyber operations, anti-fraud, intelligence and more, the team...
CB TAU Threat Intelligence Notification: JCry Ransomware Pretends to be Adobe Flash Player Update Installer
JCry is a new family of ransomware that has the unique characteristic of being written in the Go programming language and being delivered as multiple executables, each with their own purpose. It was pretending to be an Adobe flash player update installer on a compromised website to lure users to...
Customer Case Study: Stonewall Kitchen Prevents a New Trend in Malware with Carbon Black
In the retail industry, a new level of security and compliance challenges have emerged making IT’s role even more pivotal and challenging. This is certainly the case for Stonewall Kitchen, creator of specialty food products. Since the company does all of their own manufacturing, distribution,...
TAU Threat Intelligence Notification: BlackRouter Ransomware
According to the article from BleepingComputer, BlackRouter Ransomware was being promoted as a Ransomware-as-a-Service on Telegram by an Iranian developer. BlackRouter Ransomware will append ‘.BlackRouter’ as file extension to the encrypted file. In addition, it will attempt to delete volume shad...
TAU Threat Intelligence Notification – Crypt0r Ransomware
Summary Crypt0r ransomware is a new strain of ransomware that operates similar to WannaCry and NotPetya. When executed, it first checks for a hardcoded mutex value, and if it isn’t found, creates it as “crypt0r-mutex”. It then retrieves the temporary path of the currently logged in user, and...