Cybersecurity had a turbulent 2016, to say the least. We saw the rise of ransomware, the emergence of IoT botnets, landmark security legislation and Yahoo’s disclosure of its 1-billion-record hack, the largest in history.
Not surprisingly, the most popular blog posts on our site last year revolved around new and ongoing threats and how to prevent them. The deep technical attack analyses and Attack Prevention in Action videos by Morphisec Lab drew the most readers. Of particular note is that many of the attacks were not prevented by other solutions at the time of their discovery, leaving (non-Morphisec) users vulnerable until those solutions were updated and/or patches became available. Morphisec Lab, headed by our VP R&D Michael Gorelik, has made a mission of sharing time and knowledge with the cyber community.
The other top posts of 2016 concerned MTD (Moving Target Defense) techniques and technology, by our CSO Mordechai Guri. As a pioneer in this field, Mordechai brings a unique viewpoint on cybersecurity to our blog pages.
Just in case you missed them, here are our 10 most viewed blog posts of the year:
1. How the EPS File Exploit Works to Bypass EMET (CVE-2015-2545) – A Technical Exploration
The most popular post of 2016 and still going strong, this post arose when Morphisec Lab, while testing our solution against a new type of malicious document threat (which it prevented without issue), traced the malicious behavior back to EPS file processing. Experimenting further, they discovered that the sample fully bypassed the latest version of EMET. This technical analysis examines how the exploit works at the PostScript abstraction level. Read the post.
2. Less is More (Dangerous): A Dissection of Fileless In-Memory Attacks
With fileless malware popping up more and more frequently, particularly sophisticated PowerShell attacks, we thought it useful to examine these threats by reverse engineering the in-memory samples on VirusTotal with the lowest detection rates. This analysis took real document samples with embedded macro and in-memory attacks from VirusTotal, decrypted the macro commands, and looked at the different types of evasive techniques. Read all about it.
3. Recycling Known Vulnerabilities - Old Cyber Attack Goes Stealth
In the course of our research we constantly see how malware authors easily bypass popular security products with small variations to their code. Security products search for something specific. The search can be smart and intelligent and fuzzy, but still they search for something specific, using prior knowledge acquired from a particular attack that was investigated. Malware authors overcome that capability by understanding what the security products search for, giving a twist to their code, and - voilà! - it goes undetected. This technical analysis presents the inner details of a vulnerability identified several years back that re-emerged in an Excel-transmitted version able to evade almost all popular security solutions. Read the analysis.
4. Javascript in IE Overtakes Flash as Number One Target for Angler Exploit Kit
Morphisec Labs constantly tracks the behavior of the exploit kits that make life easy for hackers and complicated for security managers. Since the EKs need to take advantage of whatever vulnerability they can find on an end user’s device, they typically have a roster of vulnerabilities to try, and if the first one does not work, they move on to the next one. This post explores the shift in exploit kits from targeting Flash vulnerabilities to JavaScript in Internet Explorer.
5. Moving Target Defense: Common Practices
In the arms race between cyber attackers and cyber defense technologies, attackers currently claim control. They employ sophisticated deception techniques designed to evade traditional and even “next generation” defense mechanisms, for example by hiding malicious behavior and disguising it as benign or unknown behavior. But there is a cyber defense strategy that breaks the attack-patch cycle. Moving Target Defense (MTD) uses counter-deception techniques that constantly change the target surface, so that attackers can’t get a foothold. This post introduces the main categories and techniques of MTD.
6. New Locky – Zepto Variant Prevented by Morphisec
Since its discovery in February 2016, Locky has become one of the most prevalent and devastating ransomware threats of 2016. Ransomware in general evolved greatly in delivery technique complexity, with Locky among the most insidious. In particular, Locky moved to the Zepto variant, executing from a DLL rather than an executable, started using the Quant loader, and added more evasion techniques to its arsenal. In September, Morphisec identified a new spamming campaign delivering Locky by email (.js files inside zip archives). Whereas other security solutions did not detect this attack, Morphisec was able to prevent the malware from executing. Read the complete technical analysis of the new variant.
7. New Wave of Fileless Kovter Backdoor Trojan Attacks Via “Targeted” Macro-Based Malspam Campaign
Between October 17 and 21, Morphisec identified and prevented several malicious and sophisticated macro-based documents at the site of one of our customers, delivering a fileless Kovter backdoor Trojan attack. This and similar attacks illustrate the troubling trend that macro-based malspam campaigns are now attacking enterprises with modified evasion techniques on a weekly basis. The analysis describes the attack chain in full detail, starting from the emails and ending with the persistent Kovter backdoor.
8. ASLR - What It Is, and What It Isn’t
We often get asked how our Moving Target Defense (MTD) approach differs from ASLR. While the concepts may sound similar, they are fundamentally different, and ASLR is missing several key elements needed to counter zero-day and targeted attacks. Read this post for a better understanding of how ASLR works, its benefits and its shortcomings.
9. Dridex is Back with a Vengeance. Adding More Evasion Techniques to its Arsenal
When Angler disappeared last summer it left a gaping hole in the malware market that cybercriminals were only too happy to fill with new variants of old standbys. Enter a bigger and badder Dridex, with more sophisticated evasion tactics, including a new sandbox evasion technique. The Dridex version analyzed in this post had a 0/55 detection score on VirusTotal for the first 2 days after it was uploaded, making it one of the sneakiest we’ve seen.
10. Moving Target Attacks: Techniques & Deception Methods
Cyber attackers constantly develop new methods to overcome organizations’ detection and response mechanisms. The most effective and insidious are deception techniques, collectively known as Moving Target Attacks (MTA). All of these tactics involve recurring modifications of source, static signatures, and/or behavior signatures. The most dangerous also hide their malicious intent from defense systems, appearing as benign or unknown behavior. This post looks at the eight main techniques attackers use.