Moving Target Defense Blog

Remote work is no longer limited to outside sales reps traveling across the country. Today, the remote employee movement has reached into practically every industry. So much so, in fact, that according to Owl Labs, 54 percent of people work remotely at least once per month, 48 percent work remotely at least once per week, and 30 percent work remotely full-time. This marks a substantial change from only a decade ago, when the only people working remotely were often contractors or sales reps.

Organizations in every industry and at every level of government face more cyberattacks each day. According to Ponemon Institute’s recent research, 68 percent of organizations note an increased frequency of attacks against their endpoints. Often, these threats are zero days, fileless attacks, in-memory exploits, and evasive malware designed to circumvent antivirus and endpoint detection and response solutions.

Protecting your organization from advanced threats has always been difficult. Adversaries innovate constantly, changing their attack vectors and finding new ways to infiltrate their target environment. The Trickbot trojan is one of the best examples; its authors have used news coverage from President Trump’s impeachment trial and the WSReset UAC Bypass among other changes to push the trojan past antivirus and malware scanners.

Antivirus protection is a baseline cost of doing business for the modern organization. At first, companies and governments only needed signature-based antivirus that tracked known malware. As fileless malware and exploits accelerated, next-gen antivirus that leveraged AI and behavioral analysis came on the scene to respond.

In this blog, we will present some findings on how NanoCore RAT 1.2.2.0 is actively being delivered in new and different ways that we discovered at Morphisec Labs in the last couple of months. Specifically, we will focus on the sophisticated fileless methods for delivering the RAT without touching the disk.

In August of 2019, just a month after our publication on a targeted BitPaymer/IEncrypt campaign, Morphisec identified a new and alarming evasion technique that the same adversaries adopted while targeting yet another enterprise in the automotive industry.

With summer waning, kids back in school, and year-end quotas looming, we’re coming up to the busiest business travel season of the year. From September through November, business travelers log more trips than any other period. Most organizations take pains to keep their road warriors comfortable and protected from travel hazards, but what about the many lurking cyber hazards risks?

This week, headlines blew up with warnings of a design flaw in the CTF subsystem (msctf) of the Windows Text Services Framework that affects all current Windows systems and those going back as far as twenty years.

With their highly valuable payment card and personal sensitive information, Point-of-Sale (POS) systems present a ripe target for cybercrime groups. A successful breach can have enormous consequences for the attacked organization, from detecting and responding, to notifying victims, post-response support, lost business and potentially hefty government fines. Modern POS environments are complicated systems with multiple entry points for attack, from phishing emails or drive-by-download exploits on employee computers to vulnerable third-party suppliers. And while payment card security standards have introduced a basic protection framework, POS-attacks have not abated under the regulations — some of the largest breaches of the past several years are due to POS systems attacks.

Morphisec Labs recently investigated an ongoing BitPaymer ransomware campaign that has been attacking companies across the U.S., both public and private, over the last 3 months.