Discover how Versa DNS Security detects and blocks advanced DNS-based threats, including malware hidden in TXT records and DNS tunneling attacks.
In the crowded landscape of cloud-delivered Security Service Edge (SSE), relying on vendor claims of performance and security can often lead to disappointment. Increasingly, enterprises are seeking actual test results to validate the solutions they are considering.
The SolarWinds attack leaves many unanswered questions and the most prominent amongst them is the question of how the attacker entered internal systems of SolarWinds network and was able to infiltrate and move inconspicuously across the development chain. The malware was able to camouflage its activity among the highly secure network of the prominent organization for an extended period of time, evading all their security detection and prevention defenses. In this particular blog, our team will mainly focus on the chain of events that occurred, and the evasive methods employed to remain completely stealthy despite moving around and compromising a highly secure network environment.
On December 13, 2020, FireEye reported a global campaign that targeted a large sector of industries by threat actors who inserted malicious code within a software component used by the popular network management software SolarWinds. It is not yet known how the threat actors managed to gain access to the development environment in which they added and distributed this malicious code as part of an update to the software. This trojanized version of the dynamic-link library (DLL) has been given the name ‘Sunburst’ by FireEye. Surprisingly enough, researchers have found evidence of the presence of a second backdoor in the SolarWinds product.
The National Security Agency published a list of 25 CVEs (Common Vulnerabilities and Exposures) that were most exploited by threat actors in recent times. Some of these CVE’s were used to deliver malicious software that allowed monitoring remote networks, maintaining continued access to remote networks, and, in some cases, using these CVEs to pivot to other systems within the internal network. For example, CVE-2019-11510 was used to gain access to sensitive VPN information of user accounts and then use the credentials to deliver ransomware like Sodinokibi. Similarly, CVE-2019-0803 was used to establish a backdoor to gain and maintain access to…
FireEye recently provided information about the widespread attack campaign registered against components of the SolarWinds Orion platform. The SolarWinds Orion platform has a huge customer base of 300,000 clients and issued this advisory on Sunday, December 20th. In this blog post, we will focus on answering specific questions that organizations may have regarding the Solarwinds attack.
After several weeks of quiet, especially during the Christmas holidays, the Emotet malware bot is up and running again, and it seems stronger and smarter. Several IT security firms have reported seeing phishing emails delivering Emotet via malicious Word documents and even delayed holiday e-greetings. Cyber-attackers using Emotet seem to have used this brief hiatus to improve the malware’s social engineering abilities, with almost a fourth of infected emails being sent as replies to existing email threads. Designed initially as a banking malware, the Emotet Trojan was first identified by security researchers in 2014. The malware delivery botnet spreads itself…
Server Message Block or SMB is a protocol used extensively by windows. It allows windows computers to communicate, locate file servers, locate and communicate with windows networks services and even communicate with other operating systems that understand the SMB protocol. The latest version of SMB is SMB version 3 which is affected. Over the years numerous vulnerabilities were discovered in the protocol which were actively exploited and used by malware authors to build ransomware, cryptominers, SCADA malware etc. MS08-067 saw the rise of the Conficker worm, MS10-061 was used by the infamous Stuxnet malware and MS17-061 was used by ransomware’s…
Versa Security Lab recently analyzed couple of malware samples which arrives on a computer through phishing emails containing documents with embedded link which eventually leads to the download of the malware. Some of these may arrive through websites pretending to provide information on the recent Corona virus outbreak. The past few months have seen several malicious webservers and domains being set up, purportedly serving information on the Covid-19 virus outbreak. Most of these sites are hosts to ransomware and other malware types. In this blog we are going to look at one sample which encrypts files contents and updates the…
Subscribe to the Versa Blog
Gartner Research Report
Trial
ROI
Contact