Firewall Security Management

Tag Archives: Cyber Security Company

The tale of the prolific Cobalt threat group’s massive phishing campaigns against financial institutions

  • The cybercriminal group ‘Cobalt’ has been named after its penetration testing tool ‘Cobalt Strike’.
  • The threat group has targeted several banks and financial institutions across countries such as Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, Malaysia, and more.

The Cobalt group was first spotted in 2016. It has been named after the penetration testing tool ‘Cobalt Strike’, which the group uses to move from infected computers in banks’ networks to the specialized servers that control ATM machines.

The group was arrested in Spain in March 2018 for attacking almost 100 banks across 40 countries and stealing over 1 billion Euros. The malware and tools used by the threat group include Cobalt Strike, CobInt, SpicyOmelette, the Threadkit exploit kit, and More_eggs.

Cobalt group’s attack against ATM machines

In November 2016, cybercriminals raided ATM machines across Europe using the technique known as ‘jackpotting’, which forces infected ATMs to dispense cash by installing malware on the machine’s computer. The attack affected Diebold Nixdorf and NCR Corp, two of the world’s largest ATM makers.

This attack affected almost 14 countries, including Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, and Malaysia. Researchers concluded that the attack was conducted by a threat actor group named Cobalt.

Cobalt targeted banks via a spear phishing campaign

In November 2017, the Cobalt group targeted banks via a spear phishing campaign. The phishing emails sent to targeted banks contained RTF attachments with an exploit for CVE-2017-8759. Once a victim opened the attachment, the exploit downloaded and executed the Cobalt Strike tool, which then connected to a command-and-control server operated by the Cobalt gang.

In the same month, after exploiting the RCE vulnerability CVE-2017-8759, the Cobalt group also began targeting banks and financial institutions with phishing emails containing RTF attachments that exploited CVE-2017-11882.

Cobalt group revealed its targets – Intentionally or Accidentally?

In the spear phishing campaign that targeted banks with RTF attachments, the Cobalt group put the targets’ email addresses in the email’s ‘To:’ field instead of the BCC field. By doing so, the group let researchers and other victims see who the campaign’s targets were. Whether the group made this error accidentally or intentionally remains unknown.

Cobalt group arrested but resumes attacks against banks with Cobint malware

The Cobalt threat actor group was arrested in March 2018 in Spain for attacking 100 banks across 40 countries and stealing over 1 billion Euros. However, the gang continued its attacks against banks. One such attack, observed in May 2018, used the ‘CobInt’ malware to target bank employees in Russia and the Commonwealth of Independent States via phishing emails.

The phishing emails purported to come from a “leading antivirus company” and stated that the bank’s systems were in violation of the law. The emails urged recipients to download the attachment and read the document. Upon opening the attachment, the ‘CobInt’ malware infected the bank’s computer system.

Three phishing campaigns in May-July 2018

In the first campaign, the phishing emails, which purported to be from the European Banking Federation, contained a malicious PDF file. This file persuaded victims into downloading a weaponized RTF file containing three exploits. The attackers dropped a JScript backdoor called More_eggs, which gave them remote control of the targeted system.

The second campaign started on June 19 with phishing emails containing a malicious URL. When clicked, the URL redirected the victim to a malicious Word document, which in turn triggered the infection chain. The targeted organization in this campaign was a major ATM and payment systems manufacturer.

The third campaign, which began on July 10, saw the attackers targeting various businesses with phishing emails sent along with a malicious RTF file packed with exploits that triggered the infection chain.

Cobalt gang distributed SpicyOmelette malware

In September 2018, the Cobalt threat actor group used a new Remote Access Trojan (RAT) dubbed SpicyOmelette to target banks worldwide. This malware is a JavaScript RAT and comes packed with multiple detection-evading features. SpicyOmelette is also capable of stealing system information, checking for antivirus tools and installing additional malware onto the system.

The Cobalt Group’s new malware SpicyOmelette was used in the initial intrusion stage of an attack. The malware was delivered via phishing emails containing a malicious PDF document. Clicking a link in the PDF redirected the victim to an Amazon Web Services (AWS) URL controlled by the Cobalt group, which installed and executed SpicyOmelette on the victim’s system.

Cobalt was spotted using an updated version of Threadkit exploit kit

In October 2018, researchers spotted Cobalt group leveraging a new version of the Threadkit malware, a macro delivery framework, which was previously used in its 2017 attacks.

The Threadkit malware was distributed via phishing emails containing an RTF Microsoft Office attachment built with an evolved version of the exploit builder kit. Researchers noted that CobInt, the payload of Threadkit, now has an added layer of obfuscation: an XOR routine decodes the initial payload, making it harder to detect.

Australia parliament hit by cyber-hack attempt

Authorities in Australia say they are investigating an attempt to hack into its parliament’s computer network.

Lawmakers said there was “no evidence” that information had been accessed or stolen, but politicians’ passwords have been reset as a precaution.

Local cyber-security experts have suggested the hack likely came from a foreign state.

Australian PM Scott Morrison said he didn’t intend to comment in depth on “the source or nature of this”.

He said there was “no suggestion” that government agencies or departments had been targeted. MPs and their staff use the parliament network to store emails, among other data.


Earlier, senior lawmakers said there was no evidence that the hacking attempt aimed to “disrupt or influence electoral or political processes”.

However, opposition leader Bill Shorten described the incident as a “wake-up call”. It also sparked commentary from other lawmakers.

The Australian government has faced a number of cyber-attacks in recent years, some of which have been attributed in local media to nations such as China.

In 2015 and 2016, there were high-profile attacks on the government’s weather and statistics agencies. In 2011, senior Australian ministers also had their email systems breached.

“It looks like another nation state is behind this attack as well,” said Fergus Hanson of the Australian Strategic Policy Institute, a Canberra-based think tank.

“You would be having access to swathes of correspondence between politicians, staffers and people who run Parliament House – lots of juicy information there.”

Longest DDoS attack since 2015 lasts 329 hours

While the number of DDoS attacks has declined, the attacks have become much more sophisticated, according to a Kaspersky Lab report.

The last quarter of 2018 saw the longest DDoS attack since 2015, lasting 329 hours—almost 2 weeks—according to a Kaspersky Lab report released on Thursday. But the top three countries with the most DDoS attacks are still the same: China in first place (43%), the US in second (29%), and Australia in third (6%).

While the number of DDoS attacks decreased in 2018, the average attack duration increased, the report found. The average length of attacks more than doubled from the beginning of 2018 to the end—from 95 minutes to 218 minutes. These attacks increased in length because they have become more complex and difficult to stop or mitigate, the report added.

The most common complex attack executed included an HTTP component, which requires both time and money to launch, the report said. Both the HTTP flood method and mixed attacks involving an HTTP factor made up approximately 80% of all DDoS attacks for 2018, revealing the success of this strategy.

Since attacks are predicted to become even more specialized in 2019, the report recommended the following three steps to help protect organizations from DDoS attacks:

  • Train and increase IT employees’ awareness of how to respond to DDoS attacks.
  • Prepare the organization’s websites and web applications to handle high traffic volume.
  • Use professional solutions to protect systems against all varieties of DDoS attacks.

The big takeaways for tech leaders:

  • While DDoS attacks decreased in 2018, the complexity of the attacks increased. — Kaspersky Lab, 2019
  • DDoS attacks will only become more complex and specialized in 2019, meaning the enterprise needs to properly prepare. — Kaspersky Lab, 2019


As noted in the SentinelOne-sponsored EMA Security Megatrends 2019 report, the two greatest threats currently facing enterprises are ransomware and ATAs, advanced targeted attacks that have been designed for a specific environment. The last two years have seen an increase in both kinds of threats, as well as their combination: targeted ransomware such as Ryuk, SamSam, and now Matrix.

Matrix variants have been observed before, but a recent report notes that Matrix has moved firmly into the targeted realm. This development suggests they have taken lessons from their malware brothers-in-arms and have even added a new twist, as we explain in this post.

The Matrix Ransomware

Matrix targets endpoints through Windows Remote Desktop (RDP) services, likely by brute forcing passwords of internet-connected computers to gain entry and spread.

On execution, the malware looks for and encrypts certain types of files, as shown in the image in the original post:

[Image: Matrix file-type extensions]

The Matrix ransomware obfuscates the original filename and appends its own custom extension to it, typically with either an email address-style syntax such as .[] or an uppercase suffix such as .MTXLOCK. At least 30 different file extensions are known, and there is no known public decryptor for the Matrix malware at this time.

As is common with ransomware, Matrix attempts to delete the snapshots automatically created by Windows Volume Shadow Copy service (VSS) to prevent the user or backup software from easily restoring to a known good point.
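The two behaviours the post attributes to Matrix, RDP password brute forcing to gain entry and deletion of Volume Shadow Copies before encryption, are both visible in ordinary Windows Security log telemetry. The following is an added example, not code from the original post and not SentinelOne's, that runs a small detector over constructed event records: event 4625 with logon type 10 for failed RDP logons, 4624 for the eventual success, and 4688 for process creation carrying the shadow-copy deletion command lines. The dictionary field names are a simplified assumption rather than the exact Security-log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_EVENTS = [
    {"time": "2019-02-05T08:00:%02d" % s, "id": 4625, "src_ip": "203.0.113.7",
     "user": "administrator", "logon_type": 10}
    for s in (0, 10, 20, 30, 40, 50)
] + [
    {"time": "2019-02-05T08:01:05", "id": 4624, "src_ip": "203.0.113.7",
     "user": "administrator", "logon_type": 10},
    {"time": "2019-02-05T08:02:00", "id": 4625, "src_ip": "198.51.100.4",
     "user": "jsmith", "logon_type": 10},                      # one typo, not an attack
    {"time": "2019-02-05T08:03:10", "id": 4688, "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2019-02-05T08:03:11", "id": 4688, "parent": "cmd.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"time": "2019-02-05T08:05:00", "id": 4688, "parent": "explorer.exe",
     "cmdline": "notepad.exe report.txt"},
]

# Command lines commonly used to remove VSS snapshots before files are encrypted.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy.*\bDelete\b", re.I),   # PowerShell/WMI variant
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak_failures} for sources with >= threshold failed RDP
    logons inside any sliding window of the given length."""
    per_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e.get("logon_type") == 10:
            per_src[e["src_ip"]].append(datetime.fromisoformat(e["time"]))
    hits = {}
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def detect_shadow_deletion(events):
    """Return command lines of process-creation events that delete shadow copies."""
    return [e["cmdline"] for e in events
            if e["id"] == 4688 and any(p.search(e["cmdline"]) for p in SHADOW_DELETE_PATTERNS)]


def detect_bruteforce_then_success(events, brute_hits):
    """Sources that were flagged for brute forcing and then logged on successfully over RDP:
    the 'gained entry' step the post describes."""
    return sorted({e["src_ip"] for e in events
                   if e["id"] == 4624 and e.get("logon_type") == 10 and e["src_ip"] in brute_hits})


if __name__ == "__main__":
    brute = detect_rdp_bruteforce(SAMPLE_EVENTS)
    print("RDP brute force:", brute)
    print("entry after brute force:", detect_bruteforce_then_success(SAMPLE_EVENTS, brute))
    print("shadow copy deletion:", detect_shadow_deletion(SAMPLE_EVENTS))
```

The threshold and window are deliberately low so the constructed sample trips them; in production they are tuned per environment, and the shadow-copy rule is the higher-confidence signal of the two because legitimate administrators rarely run it outside maintenance windows.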

The Matrix Revolution

At this point in any ransomware story, you would normally expect there to be a ransom note demanding a certain amount of bitcoin. But that’s where the Matrix ransomware shakes things up. The malware authors have dispensed with the convention of a ransom note demanding a specific fee in cryptocurrency. Instead, they aim to capitalise on their tactic of using a targeted attack.

The criminals first ask the victim to send a few samples of their encrypted files, between 3 and 5, along with the KEYIDS.KLST file deposited by the malware on the victim’s Desktop. The attackers then privately decrypt the user’s files, determining who the victim is and what kind of data they are likely to have lost. They then contact the victim with a ransom demand, presumably based on their evaluation of the victim’s resources and the value of the data.

As we pointed out earlier, this is particularly brutal on the enterprise. In a typical opportunistic ransomware attack, the attackers have no idea – and little concern – who their victims are or what data have been rendered inaccessible. Everybody gets hit for the same amount. The Matrix ransomware instead sets a variable price based on the attackers’ own assessment of the worth of the victim. The bigger the fish, the bigger the prize. Although one researcher posing as a victim reported that the criminals became increasingly desperate and started lowering their demand as time went on, it’s not certain that they would follow the same pattern with an enterprise victim.

The Matrix malware authors have also potentially started a new trend by demanding the bitcoin equivalent of a dollar amount rather than a fixed bitcoin amount. This puts the problem of fluctuations in cryptocurrency value firmly in the buyer’s court. Concern about volatile prices could also indicate the criminals intend to cash out in the short-term.

Matrix Reloaded

Some reports suggest that Matrix ransomware attempts to disable Sophos security software. That is not uncommon these days. There was a time when most malware would rather abort than take on AV software head-on; the risk of having its signatures caught and publicly disseminated was too great. But times have changed. Security solutions that rely on that kind of technology have become less intimidating to malware authors. The prize of execution is too great, particularly with AV bypasses and vulnerabilities becoming increasingly well known.

Here at SentinelOne, we decided to load up the Matrix and give it a run for its (or our?) money. We even decided to give it a head start. We set the SentinelOne policy to its weaker “detect only” setting rather than the usual “Protect” policy which blocks the malware automatically without user intervention. With the “detect only” policy, the SentinelOne agent only issues a warning on detection, but otherwise allows malware to execute as the authors intended. If you’re wondering why we would load ransomware onto one of our endpoints and let it encrypt all our files, watch the video to find out!


As the video demonstrates, SentinelOne and the endpoint it was protecting came out the clear winners. With no loss of data and immediate rollback, SentinelOne customers can be assured that they are protected from targeted attacks by Matrix ransomware. Even better, customers using SentinelOne on the default “Protect” policy would see the automated detection and response block the ransomware on the local machine.

Attackers rely on Google Sheets to spread malware through CSV files

  • The malware appears to be a variant of the infamous NanoCore trojan.
  • CSV files containing the malware payload circumvent Google filters using Google Sheets as a distribution method.

A novel piece of malware that uses Google Sheets has been discovered by well-known cyber security researcher Marco Ramilli. The malware appears to be an improved version of the NanoCore RAT first detected in 2014. Attackers write malicious formulas into the cells of CSV files so that opening the file infects the system with the malware.

Ramilli, who received a spam email containing the CSV file, noted that one of the cells held an executable command. “A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution,” he said.

Google Sheets as a malware vector

Previously, attackers relied on desktop applications such as Microsoft Excel, LibreOffice and Apache OpenOffice because they supported Dynamic Data Exchange (DDE). This feature was the main avenue of exploitation for threat actors. OpenOffice and LibreOffice patched this vulnerability in versions 4.1.1 and 4.3.1 respectively.

However, Microsoft Excel only introduced two user warnings, while still allowing this malicious behavior to exist. The warnings in Microsoft Excel are not effective enough as they only ask the users if they trust the source of the file.

In case of files shared through Google Sheets, normal users are likely to consider the file trustworthy, thus exposing themselves to the malware lying in the file if they download and open it locally with Excel.

Modus Operandi

The attackers bypass Google’s security filters by placing malicious formulas in CSV files, which Google does not scan as heavily. They then share the file with unsuspecting users and ask them to download and open it in Microsoft Excel, citing compatibility issues.

Many users fall for this trick and download the file to open it locally on their device. Thus, Google Sheets acts as a malware dropper. As soon as they open it locally, Microsoft Excel becomes the malware executor.

Although the researcher reported the issue to Google, the company has not treated it as a security bug.
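Since Google does not treat this as a bug on its side, the practical defence sits wherever CSV files are produced or received: find cells that a spreadsheet would evaluate as formulas and neutralise them before the file reaches Excel. The following added example (not code from the article or from the researcher) implements that check with the OWASP "CSV injection" rules: a cell is suspect if, after leading whitespace, it begins with `=`, `+`, `-`, `@`, a tab or a carriage return, and it is treated as a DDE link if the formula pipes into an external command. The sample CSV is constructed for the demonstration and its injected cell only echoes a string.

```python
import csv
import io
import re

# Characters that make a spreadsheet application evaluate a cell instead of displaying it.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
# A formula that pipes into an external program (DDE-style link).
DDE_PATTERN = re.compile(r"(cmd|msexcel|powershell|bitsadmin|rundll32|mshta)\s*\|", re.I)

# Constructed sample (not the file from the article): an invoice sheet with one injected
# "note" cell, one ordinary formula and one negative-looking free-text value.
SAMPLE_CSV = (
    "invoice,amount,note\n"
    "1001,250.00,paid\n"
    "1002,99.50,\"=cmd|'/C echo constructed-sample'!A0\"\n"
    "1003,10.00,-5 discount\n"
    "1004,42.00,\"=SUM(B2:B4)\"\n"
)


def scan_csv(text):
    """Return (row, col, cell, reason) for every cell that could be evaluated as a formula."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, cell in enumerate(row, start=1):
            stripped = cell.lstrip()
            if not stripped.startswith(FORMULA_TRIGGERS):
                continue
            reason = "dde-link" if DDE_PATTERN.search(stripped) else "formula-start"
            findings.append((r, c, cell, reason))
    return findings


def neutralize_cell(cell):
    """Prefix a formula-like cell with a single quote so spreadsheet applications show it
    as text (the OWASP-recommended mitigation); other cells are returned unchanged."""
    if cell.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + cell
    return cell


def neutralize_csv(text):
    """Rewrite the CSV so that no cell can trigger formula evaluation when opened."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for row, col, cell, reason in scan_csv(SAMPLE_CSV):
        print(f"row {row} col {col} [{reason}]: {cell!r}")
    print(neutralize_csv(SAMPLE_CSV))
```

The scanner is intentionally conservative: `-5 discount` is flagged as well as the two real formulas, because Excel will try to evaluate anything starting with a sign. For an export pipeline that is the right trade-off, since a quoted negative number still reads correctly; for triage of inbound files the `dde-link` reason is the one worth alerting on.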

Google adds Password Checkup Chrome extension

Google has rolled out a new Chrome extension that will inform users if their passwords have been compromised.

The service, which was introduced as part of Google’s Safer Internet Day offerings, is called Password Checkup. The Chrome extension checks a person’s username and password against a list of four billion credentials that are known to be compromised. If a match occurs the extension will automatically warn the user and suggest the password in question be changed.

“We built Password Checkup so that no one, including Google, can learn your account details. To do this, we developed privacy-protecting techniques with the help of cryptography researchers at both Google and Stanford University,” Google said in a blog post.

The extension is now available.

Google has also implemented an additional layer of security called Cross Account Protection. This security service, which the company already supplies to Google accounts, is now being extended to apps and websites where people use Google Sign In to gain access. 

Websites that adopt the service will receive a notification if a user’s credentials have been exposed so the third-party site can implement the proper security protocols and notify the individual.

“We created Cross Account Protection by working closely with other major technology companies, like Adobe, and the standards community at the Internet Engineering Task Force (IETF) and OpenID Foundation to make this easy for all apps to implement,” Google said, adding that it is included by default for app developers using Firebase or Google Cloud Identity for Customers & Partners.

Google releases February 2019 security patch for Pixel devices, Essential Phone gets updated too

Google has started pushing out the latest monthly Android security update for its Pixel smartphones and the Pixel C tablet. On Monday, the Google Pixel 3, Pixel 3 XL, Pixel 2, Pixel 2 XL, Pixel, Pixel XL, and Pixel C received the February 2019 security patch along with bug fixes. In parallel, Essential has rolled out the February 2019 security update for the Essential Phone.

Google has also published OTA images and factory images of the update for Pixel devices. The changelog lists 15 issues that are now fixed, none of which Google has received reports of affecting customers. Unlike previous patches, this one does not include any functional update.

“The most severe of these issues is a critical security vulnerability in Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed. We have had no reports of active customer exploitation or abuse of these newly reported issues,” noted Google on Android Security Bulletin.

At the same time, Essential has tweeted out about the update for Essential Phone. It has noted that Essential Phone’s February’s security patch is rolling out now, so users should keep an eye out.

A month ago, Google’s January 2019 Android security update brought fixes for a lot of issues and security vulnerabilities at the kernel and system level. Notably, the latest Pixel 3 and Pixel 3 XL also got enhanced audio quality while recording videos.

Google’s New Tool Alerts When You Use Compromised Credentials On Any Site

With so many data breaches happening almost every week, it has become difficult for users to know if their credentials are already in possession of hackers or being circulated freely across the Internet.

Thankfully, Google has a solution.

Today, February 5, on Safer Internet Day, Google launches a new service that has been designed to alert users when they use an exact combination of username and password for any website that has previously been exposed in any third-party data breach.

The new service, which has initially been made available as a free Chrome browser extension called Password Checkup, works by automatically comparing the user’s entered credential on any site to an encrypted database that contains over 4 billion compromised credentials.

If the credentials are found in the list of compromised ones, Password Checkup will prompt users to change their password.

Wondering if Google can see your login credentials? No, the company has used a privacy-oriented implementation that keeps all your information private and anonymous by encrypting your credentials before checking them against its online database.

You can also check this easy 4-step visual explanation to learn more about how it works under the hood.

The Chrome browser extension, Password Checkup, is available from today, and anyone can download it for free.

Besides launching the new Chrome extension, Google also lists five official security tips, which include keeping your software up to date, using unique passwords for every site, taking the Google security checkup, setting up a recovery phone number or email address, and making use of two-factor authentication.

Chrome users can follow these security tips to keep themselves safe on the Internet.
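Both Password Checkup items above say the same thing about privacy: the check is done without Google learning the credential. The added example below (not Google's code and not the protocol Google and Stanford designed) illustrates the simplest form of that idea, a hash-prefix range query: the client hashes `username:password` locally, sends only a short prefix of the hash, receives every stored suffix under that prefix, and compares locally. The breach corpus and class names are constructed for the demonstration; the real service adds further cryptographic steps (blinding) on top of this, so treat the block as showing the prefix idea only.

```python
import hashlib

PREFIX_HEX_CHARS = 5   # the client reveals only these 20 bits of the hash


def credential_hash(username, password):
    """Hash the exact username:password pair, so a match means this combination leaked,
    not merely that the password appears somewhere."""
    return hashlib.sha256(f"{username.strip().lower()}:{password}".encode()).hexdigest()


class BreachIndex:
    """Stand-in for the service side (constructed for the demo): holds hashes of leaked
    pairs bucketed by hash prefix, and records every prefix it is asked about so the
    demo can show exactly what the service learned."""

    def __init__(self, leaked_pairs):
        self.buckets = {}
        self.seen = []
        for user, pw in leaked_pairs:
            h = credential_hash(user, pw)
            self.buckets.setdefault(h[:PREFIX_HEX_CHARS], set()).add(h[PREFIX_HEX_CHARS:])

    def query(self, prefix):
        self.seen.append(prefix)
        return sorted(self.buckets.get(prefix, ()))


def check_credential(index, username, password):
    """Client side: hash locally, send only the prefix, compare the returned suffixes
    locally. Returns (compromised, number_of_candidates_in_bucket)."""
    h = credential_hash(username, password)
    prefix, suffix = h[:PREFIX_HEX_CHARS], h[PREFIX_HEX_CHARS:]
    candidates = index.query(prefix)
    return suffix in candidates, len(candidates)


# Constructed breach corpus (not real leaked data).
LEAKED_PAIRS = [
    ("alice@example.com", "Password123"),
    ("bob@example.com", "hunter2"),
    ("carol@example.com", "letmein!"),
]


if __name__ == "__main__":
    idx = BreachIndex(LEAKED_PAIRS)
    print(check_credential(idx, "alice@example.com", "Password123"))   # (True, n)
    print(check_credential(idx, "alice@example.com", "Password124"))   # (False, n)
    print("service saw only prefixes:", idx.seen)
```

With three records every bucket holds at most one suffix, so the demo cannot show the anonymity set; against a corpus of billions of records each 20-bit prefix covers thousands of entries, which is what keeps the service from learning which one the client was interested in. A plain unsalted hash of a low-entropy password is still guessable offline by whoever runs the service, which is exactly why the production design adds blinding rather than stopping here.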

Attackers Use CoAP for DDoS Amplification

Attackers recently started abusing the Constrained Application Protocol (CoAP) for the reflection/amplification of distributed denial of service (DDoS) attacks, NETSCOUT warns. 

CoAP is a lightweight protocol designed for low-power devices on unreliable networks. It resembles HTTP in its request/response model, but runs over UDP (User Datagram Protocol), port 5683. The protocol is mainly used by mobile phones in China, but is also present in Internet of Things (IoT) devices.

A DDoS attack leveraging CoAP begins with scans for devices that can be abused, and continues with a flood of packets spoofed with the source address of their target. At the moment, the attackers appear to have only basic knowledge of the protocol, but attacks could become more sophisticated.

According to NETSCOUT’s security researchers, the scanning for the CoAP protocol has been constant, with almost all GET requests for “/.well-known/core”. In January 2019, however, the researchers noticed a spike in the number of DDoS attacks leveraging the protocol. 

The average amplification factor for CoAP is 34 and the vast majority of Internet-accessible CoAP devices reside in China and utilize a mobile peer-to-peer network, the researchers reveal. With CoAP devices transient by nature and their addresses changing within weeks, attackers need to continually rescan to find IPs to abuse. 

Even so, it is possible for a threat actor to build a list of IPs that respond to CoAP, and then abuse these devices to continually send a flood of packets with a spoofed source address of the intended target, NETSCOUT says. 

The DDoS attacks leveraging CoAP hit targets “geographically and logically well distributed, with little commonality between them.” The attacks last on average just over 90 seconds and feature around 100 packets per second.

The security researchers found 388,344 CoAP devices on the Internet, with 81% of them located in China, but also some discovered in Brazil, Morocco, South Korea, and the United States. Most of the devices in China responded to /.well-known/core with a QLC Chain response (a peer-to-peer network). 

Because the IP addresses of CoAP devices change often, the vast majority of devices have a different address within two weeks. This makes CoAP less efficient for organizing DDoS attacks than SSDP, which has a similar amplification factor but whose devices do not move on the network as often.

Although there are around 12 times as many SSDP devices accessible on the Internet compared to CoAP, attackers still decided to add the CoAP reflection/amplification DDoS vector to their arsenal, meaning that the protocol is likely to continue being abused in attacks. 

“With the vast majority of CoAP devices being located in China and running QLC Chain, it appears that the currently-abusable CoAP reflectors/amplifiers are part of a limited-scope software monoculture that will likely change as CoAP grows in popularity. The initial wave of attacks utilizes well known behavior of the protocol but there are other features, perhaps not as widely implemented, that could make CoAP even more effective,” NETSCOUT concludes. 
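The mechanics NETSCOUT describes, a small GET for `/.well-known/core` answered by a much larger link-format listing, come straight from the CoAP message layout in RFC 7252, and that layout is what a network defender needs to recognise the traffic. The block below is an added example, not NETSCOUT's code or tooling: it parses the CoAP fixed header, token, delta-encoded options and payload, builds the discovery request so its 21-byte size can be compared with a constructed response, and then flags destinations that receive UDP traffic sourced from port 5683 on many distinct hosts, which is what the victim side of a reflection attack looks like in flow records. The response bytes and flow records are constructed, not captured.

```python
import struct
from collections import defaultdict

COAP_PORT = 5683
OPT_URI_PATH = 11
OPT_CONTENT_FORMAT = 12
CODE_GET = 0x01        # request code 0.01
CODE_CONTENT = 0x45    # response code 2.05


def _ext(nibble, pkt, pos):
    """Resolve the extended option delta/length encodings (13 -> +1 byte, 14 -> +2 bytes)."""
    if nibble == 13:
        return pkt[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack("!H", pkt[pos:pos + 2])[0] + 269, pos + 2
    if nibble == 15:
        raise ValueError("reserved option nibble")
    return nibble, pos


def parse_coap(pkt):
    """Parse the fixed header, token, options and payload of one CoAP message (RFC 7252 sec. 3)."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    b0, code, msg_id = struct.unpack("!BBH", pkt[:4])
    ver, mtype, tkl = b0 >> 6, (b0 >> 4) & 3, b0 & 0xF
    if ver != 1 or tkl > 8:
        raise ValueError("not a CoAP message")
    pos = 4 + tkl
    token = bytes(pkt[4:pos])
    options, number = [], 0
    while pos < len(pkt) and pkt[pos] != 0xFF:        # 0xFF marks the start of the payload
        delta, length = pkt[pos] >> 4, pkt[pos] & 0xF
        pos += 1
        delta, pos = _ext(delta, pkt, pos)
        length, pos = _ext(length, pkt, pos)
        number += delta                               # option numbers are delta-encoded
        options.append((number, bytes(pkt[pos:pos + length])))
        pos += length
    payload = bytes(pkt[pos + 1:]) if pos < len(pkt) else b""
    return {"type": mtype, "code": code, "msg_id": msg_id, "token": token,
            "options": options, "payload": payload}


def uri_path(msg):
    """Join the Uri-Path options back into a path string."""
    return "/" + "/".join(v.decode() for n, v in msg["options"] if n == OPT_URI_PATH)


def build_discovery_request(msg_id=0x1234):
    """A confirmable GET for /.well-known/core, the resource-discovery request in the article."""
    pkt = struct.pack("!BBH", 0x40, CODE_GET, msg_id)              # ver=1, CON, TKL=0
    pkt += bytes([(OPT_URI_PATH << 4) | 11]) + b".well-known"      # delta 11, length 11
    pkt += bytes([(0 << 4) | 4]) + b"core"                          # delta 0, length 4
    return pkt


# Constructed link-format reply (not captured traffic): ACK, 2.05 Content, one
# Content-Format option (40 = application/link-format), payload marker, long listing.
SAMPLE_RESPONSE = (struct.pack("!BBH", 0x60, CODE_CONTENT, 0x1234)
                   + bytes([(OPT_CONTENT_FORMAT << 4) | 1, 40]) + b"\xff"
                   + b",".join(b'</node/%02d>;rt="demo.sensor";if="core.s"' % i for i in range(20)))


def amplification_factor(request, response):
    """Bytes returned per byte sent, the figure the article quotes as 34 on average."""
    return round(len(response) / len(request), 1)


def detect_coap_reflection(flows, min_reflectors=3):
    """Flag destinations receiving UDP traffic sourced from port 5683 on many distinct hosts."""
    sources, volume = defaultdict(set), defaultdict(int)
    for f in flows:
        if f["proto"] == "udp" and f["src_port"] == COAP_PORT:
            sources[f["dst_ip"]].add(f["src_ip"])
            volume[f["dst_ip"]] += f["bytes"]
    return {d: {"reflectors": len(s), "bytes": volume[d]}
            for d, s in sources.items() if len(s) >= min_reflectors}


# Constructed flow records: four reflectors hitting one host, one ordinary CoAP exchange.
SAMPLE_FLOWS = [
    {"proto": "udp", "src_ip": "192.0.2.%d" % i, "src_port": COAP_PORT,
     "dst_ip": "198.51.100.10", "dst_port": 40000 + i, "bytes": 806 * 50}
    for i in range(1, 5)
] + [{"proto": "udp", "src_ip": "192.0.2.9", "src_port": COAP_PORT,
      "dst_ip": "198.51.100.20", "dst_port": 41000, "bytes": 806}]


if __name__ == "__main__":
    req = build_discovery_request()
    print(len(req), "byte request for", uri_path(parse_coap(req)))
    print("amplification:", amplification_factor(req, SAMPLE_RESPONSE))
    print("reflection victims:", detect_coap_reflection(SAMPLE_FLOWS))
```

The reflection rule keys on source port 5683 towards one destination from many hosts because that is the only thing the victim sees; the spoofed requests never reach it. On the reflector side the mitigation is the usual one for UDP services: do not expose CoAP discovery to the Internet, and apply BCP 38 egress filtering so spoofed source addresses cannot leave the network in the first place.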

Over 3000 Magento shops have been hacked via insecure extensions in the last 3 months

  • Attackers use an extension bug to download other extensions and then search them for zero-day security issues.
  • Failing to keep extensions up to date is one of the main causes of the rise in such attacks.

Recent research has found that Magento shops can be compromised through vulnerable third-party extensions or modules. Attackers abuse these weak extensions and then scan globally for other vulnerable victims.

Attack process

According to security researcher and Magento forensic investigator Willem de Groot, attackers use an extension bug to download other extensions and then search their code for zero-day security issues such as PHP Object Injection (POI), SQL injection and cross-site scripting flaws.

“The method is straightforward: attacker uses an extension bug to hack into a Magento store. Once in, they download all of the other installed extensions. The attacker then searches the downloaded code for 0day security issues, such as POI, SQLi and XSS flaws. Once found, the attacker launches a global scan to find vulnerable victims. Rinse and repeat,” said de Groot in a blog post.

The researcher, who has been monitoring and documenting card-skimming activity on Magento shops, estimates that over 3000 stores have been compromised through insecure extensions in the last 3 months.

Failing to keep extensions up to date is one of the main causes of the rise in such attacks.

“Many extension releases are backward incompatible, which requires costly developer hours. There is no standardized way to get notified of critical releases. And most important: merchants value stability above all, which does not fit well with a continuous upgrade policy,” he noted.


De Groot has compiled a list of vulnerable Magento extensions. Online merchants can scan their sites against the repository using a Magerun module or a single-line command; both methods require access to the server. The scan tells merchants:

  • The names of the vulnerable modules
  • The latest version of each extension
  • The part of the URL that attackers use to exploit each module
  • The URLs that are under attack
  • The URL with upgrade instructions

De Groot notes that most of the vulnerable extensions are found on Magento 1 installations.
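The scan described above is, at its core, a version comparison between what is installed and the first safe release of each listed extension, plus the request path attackers probe for each module. The following added example (not de Groot's scanner or the format of his repository) shows that logic with a constructed advisory list and a constructed inventory of installed modules; on Magento 1 the inventory would come from each module's `etc/config.xml`, but it is hard-coded here so the block runs offline. The version parser treats a pre-release such as `3.0.0-rc1` as older than `3.0.0`, the case a naive string comparison gets wrong.

```python
import re

# Constructed advisory list (not the real repository format): one entry per vulnerable
# extension, carrying the fields the article says the scan reports.
VULNERABLE_EXTENSIONS = [
    {"name": "Vendor_Checkout", "fixed_in": "2.3.1", "attack_path": "/checkout/custom/",
     "upgrade_url": "https://example.invalid/upgrade/checkout"},
    {"name": "Vendor_Blog", "fixed_in": "1.4.0", "attack_path": "/blog/post/",
     "upgrade_url": "https://example.invalid/upgrade/blog"},
    {"name": "Vendor_Slider", "fixed_in": "3.0.0", "attack_path": "/slider/ajax/",
     "upgrade_url": "https://example.invalid/upgrade/slider"},
]

# Constructed inventory of installed modules -> versions.
INSTALLED = {"Vendor_Checkout": "2.2.9", "Vendor_Blog": "1.4.2",
             "Vendor_Slider": "3.0.0-rc1", "Vendor_Other": "1.0.0"}


def parse_version(v):
    """Turn '2.3.1' or '3.0.0-rc1' into a sortable key; a pre-release sorts below its release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?$", v)
    if not m:
        raise ValueError("unparsable version: %r" % v)
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))            # pad so 2.3 == 2.3.0
    pre = m.group(2)
    return nums, (pre is None, pre or "")     # (False, 'rc1') < (True, '')


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def scan(installed, advisories):
    """Match installed modules against advisories and report what a merchant needs to act."""
    findings = []
    for adv in advisories:
        ver = installed.get(adv["name"])
        if ver is not None and is_vulnerable(ver, adv["fixed_in"]):
            findings.append({"module": adv["name"], "installed": ver, "fixed_in": adv["fixed_in"],
                             "attack_path": adv["attack_path"], "upgrade_url": adv["upgrade_url"]})
    return findings


def attack_path_regex(findings):
    """One regex for searching web-server access logs for requests to the paths attackers
    probe on the modules that are actually vulnerable on this site; None if there are none."""
    if not findings:
        return None
    return re.compile("|".join(re.escape(f["attack_path"]) for f in findings))


if __name__ == "__main__":
    found = scan(INSTALLED, VULNERABLE_EXTENSIONS)
    for f in found:
        print(f"{f['module']} {f['installed']} < {f['fixed_in']}  probe path {f['attack_path']}  "
              f"upgrade: {f['upgrade_url']}")
    rx = attack_path_regex(found)
    print("access-log pattern:", rx.pattern if rx else "(none)")
```

The regex is the detection half of the article's advice: once you know which modules are exposed, a search of the access logs for their probe paths tells you whether the global scans de Groot describes have already reached the store, which decides between a routine upgrade and an incident response.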
