Posts

Detecting and Mitigating WannaCry and Its Copycats Using GuardiCore Centra Platform

Attack overview: WannaCry and its copycat attacks work by exploiting the critical Microsoft Windows SMB Server vulnerability (MS17-010). Patched Windows machines are safe, while any unpatched Windows machine is at risk. The WannaCry campaign threatens internet-facing as well as internal networks, since a compromised laptop/server in the network will try to propagate and infect […]

The Bondnet Army: Questions & Answers

Last week we announced the discovery of Bondnet, a new botnet that was uncovered by GuardiCore Labs. The originator of Bondnet had installed a cryptocurrency miner and backdoor in thousands of servers of varying power and conscripted them into a botnet – a group of computing devices that can be centrally controlled for malicious purposes.

The Bondnet Army

GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions.

Using GuardiCore Reputation Services to Detect Dormant and Hidden Threats

Imagine this: you’ve been coming to the office for the past few months, contacting customers, updating and documenting important information, sending confidential corporate emails, connecting to critical databases in the network data center, and all this time someone, or more precisely something, has been watching your every move. Malware is on the loose in your network, collecting information, harvesting credentials and abusing them to connect to those same databases that you cherish.

New Virus Attacks All Windows-based Computers

A new type of malware is beginning to circulate and attack nationwide, according to GuardiCore, a vendor of software that detects breaches in real time. And, right now, the malware can be detected by only two anti-virus engines.

“This is new malware capable of running on every Windows version from XP through Server 2012 R2,” the company reported in a blog. That means it runs on every single Windows version, “so 100 percent of your Windows endpoints are vulnerable,” says Daniel Goldberg, a security researcher at GuardiCore. The malware has been named Trojan.sysscan.

Ravaging RDP Servers? Backdoor Trojan Ramps Up Enterprise Risk

Trojan-laden malware remains a huge problem for enterprises and individual users alike. As noted by Palo Alto Networks, some cybercriminals are targeting users with creative Mac OS X malware that uses a PDF detailing Russian space program projects over the next decade as a decoy to infect systems with information-stealing code. Softpedia, meanwhile, reported that enterprises have more to fear from a new set of brute-force remote desktop protocol (RDP) attacks that use a backdoor Trojan to infect connected servers and grab everything from banking credentials to tax data and browser cookies. Here’s a look at the new RDP risk.

Brand-New Delphi Trojan Exfiltrates Vast Amounts of Info

A never-before-seen credential-stealing Trojan has been uncovered, found to be backdooring machines and exfiltrating large amounts of information. Written in Delphi coding language (should we call it the Oracle at Delphi?), the Trojan.sysscan malware is being used by a single source as the payload for attacks that repeatedly use brute-force passwords for RDP credentials, according to GuardiCore.

The Oracle of Delphi Will Steal Your Credentials

It was one of those warm summer nights, no clouds, just a bright full moon lighting the way. Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she reached her real target.

PhotoMiner Worm Spreads via Vulnerable FTP Servers, Mines for Crypto-Currency

PhotoMiner is a worm that propagates with the help of vulnerable FTP servers, infects public Web pages, spreads to Windows computers and sets up a mining process for the Monero crypto-currency. Security firm GuardiCore discovered the worm this past January, when it also published a quick summary of its abilities. In the meantime, the company found that the worm was created in early December 2015 and received several updates after its January write-up.