Morphisec Cyber Security Blog

So far, 2018 has turned out to be anything but business as usual, at least on the cybersecurity front. The revelation about CPU vulnerabilities Meltdown and Spectre (and all the offshoots); the explosion in cryptojacking – which is likely even more widespread than current estimates; the lightning speed at which the newest sophisticated attack technology is adopted by mass market criminals.

After more than four years with no weaponized exploits for Adobe Acrobat Reader, researchers at ESET identified a weaponized PDF that allows attackers to execute arbitrary code on the targeted machine and eventually assume full system control. The PDF exploits two previously unknown vulnerabilities, Acrobat Reader vulnerability CVE-2018-4990 and a privilege escalation vulnerability in Microsoft Windows, CVE-2018-8120.

Adobe Reader has a built-in sandbox feature that usually makes exploitation difficult. By combining vulnerabilities, this attack achieves code execution and then bypasses the sandbox protection to fully compromise the targeted system.

We all wish we were smarter. And I believe that the vast majority of people, in some way, strive to GET smarter.

As someone who has been involved in the cybersecurity industry for years, and watched it evolve, I see countless companies in this market using the aspect of intelligence to position themselves as being smarter than others. But if you have to proclaim your intelligence, are you actually smart? Or even smarter than me? Or than the next company?

After less than two years in the market, Morphisec has deployed its Endpoint Threat Prevention platform to over one million endpoints worldwide, making it the fastest subscription-based B2B cybersecurity company to reach this milestone.

In April, researchers at Qihoo 360 Core Security Division discovered a VBScript vulnerability actively exploited in targeted attacks. Since then, it has appeared in additional attack campaigns. The vulnerability, CVE-2018-8174, dubbed "Double Kill",  is significant on several counts.

If you’ve stayed at any large hotel chain in the past year, there’s a good chance your personal details have been compromised. According to Verizon’s 2018 Data Breach Investigations Report, the accommodation industry had one of the highest number of breaches, second only to healthcare. 

On the 12th of April, Morphisec, identified and prevented a major wave of malspam purporting to be from HSBC Bank. The phishing campaign targeted several industrial manufacturing and service enterprises in Asia, using standard but still often effective social engineering tactics. The malicious email delivered a sophisticated info-stealing trojan via a weaponized ISO attachment. ISO files are a type of image archive format used for optical disk images, which can be opened using WinRAR and other programs.

Morphisec is honored to have received awards in three out of six categories at this year's Midmarket CIO Spring Forum. The annual Vendor Excellence and Midmarket CIO Awards recognize leaders in technology collaboration. 

Over 77% of all cyber crimes target small and midsize enterprises. According to the 2017 State of Cybersecurity in Small & Medium-Sized Businesses (SMB) report by the Ponemon Institute, cyberattacks cost small and medium-sized businesses an average of $2,235,000.

One of the hottest topics at last week’s RSA Conference was GDPR. Over twenty sessions covered GDPR from various angles and many more touched upon the subject in some way. This was hardly surprising – with the May 25^th compliance deadline looming, companies are frantically trying to understand the implications, their responsibilities and actions they need to take.

Although I’m excited to be at the RSA Conference with my Morphisec colleagues, it reminds me of the impetus for starting our Women in Cybersecurity Scholarship. Of 28 keynote speakers at RSAC, only seven are women, and six of these were added at the last minute following a string of scathing tweets and articles. This 25% figure seems to be the average percentage in the general sessions as well. I attended several that were one woman in a panel of four, a few that had only male speakers and a single session that had a majority female panel. If I had to guess the overall attendee and exhibitor gender split I’d say it fell along the same lines, but that percent is skewed by the number of women simply scanning badges.