Cybersecurity had a turbulent 2016, to say the least. We saw the rise of ransomware, the emergence of IoT botnets, landmark security legislation and Yahoo’s disclosure of a breach affecting 1 billion accounts, the largest ever disclosed.
Not surprisingly, the most popular posts on our blog last year dealt with new and ongoing threats and how to prevent them. The deep technical attack analyses and Attack Prevention in Action videos from Morphisec Lab drew the most readers. Notably, many of the attacks analyzed were not being prevented by other solutions at the time of their discovery, leaving (non-Morphisec) users exposed until those vendors updated their products or patches became available. Morphisec Lab, headed by our VP R&D Michael Gorelik, has made it a mission to share its time and knowledge with the security community.
The other top posts of 2016 concerned Moving Target Defense (MTD) techniques and technology, written by our CSO Mordechai Guri. As a pioneer in this field, Mordechai brings a unique viewpoint on cybersecurity to our blog.
Just in case you missed them, here are our 10 most viewed blog posts of the year:
The most popular post of 2016, and still drawing readers, this one came about when Morphisec Lab, while testing our solution against a new type of malicious document (which it prevented without difficulty), traced the malicious behavior back to EPS file processing. Experimenting further, the team found that the sample fully bypassed the latest version of EMET. The technical analysis walks through how the exploit works at the PostScript abstraction level. Read the post.
With fileless malware appearing more and more often, particularly in sophisticated PowerShell attacks, we thought it useful to examine these threats by reverse engineering the in-memory samples on VirusTotal with the lowest detection rates. The analysis took real document samples with embedded macros and in-memory payloads from VirusTotal, decrypted the macro commands, and catalogued the evasion techniques in use. Read all about it.
In the course of our research we constantly see malware authors bypass popular security products with small variations to their code. Security products search for something specific. The search may be smart, adaptive and fuzzy, but it still looks for something specific, using prior knowledge acquired from a particular attack that was investigated. Malware authors defeat that capability by understanding what the products search for, giving their code a twist, and, voilà, it goes undetected. This technical analysis presents the inner details of a vulnerability identified several years ago that re-emerged in an Excel-delivered variant able to evade almost all popular security solutions. Read the analysis.
In the arms race between cyber attackers and cyber defense technologies, attackers currently hold the upper hand. They employ sophisticated deception techniques designed to evade traditional and even “next generation” defenses, for example by hiding malicious behavior or disguising it as benign or unknown behavior. But there is a defense strategy that breaks the attack-patch cycle. Moving Target Defense (MTD) uses counter-deception techniques that constantly change the target surface so that attackers cannot get a foothold. This post introduces the main categories and techniques of MTD.
Since its discovery in February 2016, Locky became one of the most prevalent and devastating ransomware threats of the year. Ransomware in general evolved greatly in the complexity of its delivery techniques, with Locky among the most insidious. In particular, Locky moved to the Zepto variant, which executes from a DLL rather than an executable, started using the Quant loader, and added more evasion techniques to its arsenal. In September, Morphisec identified a new spam campaign delivering Locky by email as .js files inside zip archives. Whereas other security solutions did not detect this attack at the time, Morphisec prevented the malware from executing. Read the complete technical analysis of the new variant.
Between October 17 and 21, Morphisec identified and prevented several sophisticated malicious macro-based documents at one of our customers’ sites, delivering a fileless Kovter backdoor Trojan. This and similar attacks illustrate a troubling trend: macro-based malspam campaigns are now hitting enterprises with modified evasion techniques on a weekly basis. The analysis describes the attack chain in full, starting from the emails and ending with the persistent Kovter backdoor.
We often get asked how our Moving Target Defense (MTD) approach differs from ASLR. While the concepts may sound similar, they are fundamentally different, and ASLR lacks several key elements needed to counter zero-day and targeted attacks. Read this post for a better understanding of how ASLR works, its benefits and its shortcomings.
When Angler disappeared last summer it left a gaping hole in the malware market that cybercriminals were only too happy to fill with new variants of old standbys. Enter a bigger and badder Dridex, with more sophisticated evasion tactics, including a new sandbox evasion technique. The Dridex version analyzed in this post scored 0/55 on VirusTotal for the first two days after it was uploaded, making it one of the sneakiest we’ve seen.
Cyber attackers constantly develop new methods to overcome organizations’ detection and response mechanisms. The most effective and insidious are deception techniques, collectively known as Moving Target Attacks (MTA). All of these tactics involve recurring modification of source code, static signatures and/or behavioral signatures. The most dangerous also hide their malicious intent from defense systems, appearing as benign or unknown behavior. This post looks at the eight main techniques attackers use.
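The delivery trick described above (a .js dropper inside a zip attachment) is cheap to catch at the mail gateway before any endpoint control has to act, because zip member names sit unencrypted in the central directory. The following is an added example written for this roundup, not Morphisec's own code or anything from the Locky analysis: it lists executable-script members inside an attachment, descends into zips-in-zips, and flags encrypted nested archives it cannot open. The extension list, the nesting limit and the constructed sample attachments are assumptions made for the example.

```python
import io
import posixpath
import zipfile

# Extensions that Windows hands to WScript/cscript, mshta, PowerShell or the shell
# on double-click. The Locky campaign used .js; the rest are the usual malspam
# siblings. This list is an assumption for the example, not a vendor's policy.
SCRIPT_EXTENSIONS = {
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
    ".ps1", ".cmd", ".bat", ".exe", ".scr", ".lnk",
}
MAX_NESTING = 3  # assumed limit: stop descending into zips-in-zips beyond this depth


def _extension(member_name):
    # Zip member names use '/', so use posixpath. splitext keeps only the final
    # extension, so the double-extension lure "invoice.pdf.js" is read as ".js".
    return posixpath.splitext(posixpath.basename(member_name))[1].lower()


def script_members(zip_bytes, depth=0, prefix=""):
    """Return the paths of executable-script members inside a zip, descending
    into nested zips. Nested members are reported as outer.zip!/inner.js."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = _extension(info.filename)
            if ext in SCRIPT_EXTENSIONS:
                # Name-based match needs no decryption: names are in the clear
                # even in a password-protected archive.
                findings.append(path)
            elif ext == ".zip" and depth < MAX_NESTING:
                if info.flag_bits & 0x1:
                    # Bit 0 of the general-purpose flag marks an encrypted member;
                    # we cannot look inside, so report it rather than skip it.
                    findings.append(path + " (encrypted, not inspected)")
                    continue
                try:
                    findings.extend(
                        script_members(zf.read(info), depth + 1, path + "!/")
                    )
                except zipfile.BadZipFile:
                    findings.append(path + " (unreadable nested zip)")
    return findings


def triage(zip_bytes):
    """Gateway decision: block if any script member is found, otherwise allow."""
    findings = script_members(zip_bytes)
    return {"verdict": "block" if findings else "allow", "findings": findings}


def build_malspam_sample():
    """Constructed stand-in for the campaign's attachment: an outer zip holding
    a nested zip with a double-extension .js member. The member body is an
    inert placeholder string, not a dropper."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("invoice_2016-09-21.pdf.js", "// placeholder, not a dropper")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("README.txt", "Please see attached invoice.")
        z.writestr("scans/invoice.zip", inner.getvalue())
    return outer.getvalue()


def build_benign_sample():
    """Constructed benign attachment with only document and image members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.docx", b"PK-placeholder")
        z.writestr("images/chart.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_malspam_sample()))
    print(triage(build_benign_sample()))
```

Because the check reads only member names and the flag bits, it also works on password-protected attachments, a common malspam twist; it does not, of course, see a .js renamed to .txt that the lure text asks the victim to rename, so it complements rather than replaces content inspection and endpoint controls.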