The Exploring Information Podcast Top 10 Podcast Episodes of 2025

December 31, 2025

In 2025, the cybersecurity landscape shifted from "theoretical risk" to "operational reality." This was reflected in the listening habits of the Exploring Information Security community, where the most-consumed content focused on the internal mechanics of cybercrime and the emerging threats of the AI era.

To create the list this year, I looked at the data from two distinct data sets Apple Podcasts and the views on YouTube. Then I threw those into Gemini and had it spit out the Top 10 episodes for this year.

The Top 10 Episodes:

1. How Do Ransomware Gangs Work? (Kyle Andrus)

The Global #1: This was the undisputed heavyweight champion of 2025. It resonated because it stripped away the "hooded hacker" myth and showed ransomware for what it is: a highly organized, corporate-style business.

Key Insight: Cybercriminal groups now have HR departments, performance reviews, and 24/7 customer support.

2. Hacking Space Systems: Inside Tempest (Tim Fowler)

The Visual Standout: While popular on audio, this exploded on YouTube. Tim Fowler’s "Tempest" CubeSat project gave the community a rare, hands-on look at the vulnerabilities in our satellite infrastructure.

Key Insight: Space is simply the newest extension of the internet—and it’s just as vulnerable.

3. Exploring the Rogue AI Agent Threat (Sam Chehab)

The 2025 Trend-Setter: This episode caught the "AI anxiety" wave perfectly. It identified a new attack vector: sanctioned AI agents that go "rogue" due to over-privileged API permissions.

Key Insight: Your biggest AI threat isn't a malicious outsider; it's a misconfigured internal tool with too much power.

4. Real-World Windows Forensics & IR (JC)

The Technical Masterclass: A staple for practitioner reference. JC’s breakdown of forensic artifacts remains one of the most shared episodes among SOC analysts and incident responders.

Key Insight: Digital detective work is about meticulous troubleshooting and pattern recognition.

5. NDR with Corelight (Brian Dye)

The Visibility Anchor: As perimeter defenses failed throughout 2025, the industry turned to Network Detection and Response. This episode became the standard guide for understanding the power of open-source Zeek telemetry.

Key Insight: In 2025, if you can't see your network traffic in real-time, you've already lost.

6. Monitoring the Inner Workings of a Cybercriminal Org (Matthew Maynard)

The Intelligence Deep-Dive: This served as the perfect companion to Rank #1. Matthew Maynard provided the "how-to" for researchers looking to safely infiltrate and monitor threat actor communities.

Key Insight: Effective threat intelligence requires a mix of technical OSINT and a deep understanding of criminal psychology.

7. Info Stealers and Supply Chain Attacks (Kyle Andrus)

The Credential Crisis: This episode highlighted why MFA alone isn't enough anymore. It focused on the rise of "session hijacking" and the commodity market for stolen employee tokens.

Key Insight: The supply chain is only as strong as the browser session of your most privileged administrator.

8. How to Implement a Content Security Policy (Jason Gillam)

The Developer’s Choice: A highly technical and practical episode that broke down the stats on why most CSPs fail. It’s the "how-to" guide that many listeners used to harden their own web applications.

Key Insight: Security shouldn't be a "bolt-on"—it needs to be built into the code using modern headers like CSP.

9. Gamifying Your Incident Response Playbook (Anushree Vaidya)

The Engagement Winner: This episode stood out for its unique approach to a dry topic. Anushree's method of using game mechanics to train IR teams saw a massive spike in social media sharing and community interaction.

Key Insight: People don't learn from boring slide decks; they learn from immersive, high-stakes simulations.

10. 2025 State of the API Report (Postman)

The Data-Driven Wrap-Up: Rounding out the top 10, this provided the statistical backbone for the year. It confirmed that the explosion of AI has made API security the most critical battleground for security engineers.

Key Insight: 2025 was the year the API became the "limbs" of the AI brain, creating a massive new attack surface.

What was your favorite episode from this past year. Leave a comment below.

June 2025 - ExploreSec Cybersecurity Threat Intelligence Newsletter

June 10, 2025

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

Ransomware Ecosystem in Flux

Coveware's latest analysis reveals a significant transformation in the ransomware threat landscape as of Q1 2025. The once-dominant Ransomware-as-a-Service (RaaS) model is unraveling due to intensified law enforcement actions, internal discord, and operational setbacks.

Key Insights:

Disintegration of Major RaaS Groups: Prominent groups like LockBit, BlackCat/ALPHV, and Black Basta have collapsed, plagued by internal conflicts and increased scrutiny. Leaked communications from Black Basta highlight challenges in targeting, risk assessment, and evasion of sanctions.

Emergence of New Threat Actors: The void left by these groups is being filled by unaffiliated extortionists, nascent ransomware brands with ties to espionage and hacktivism, and a few remnants of traditional ransomware operations.

Operational Missteps: Recent incidents, such as Clop's underwhelming Cleo campaign and a poorly executed Oracle Cloud SSO breach by a BreachForums actor, indicate a decline in the sophistication and monetization strategies of threat actors.

Rise of Phantom Scams: The appearance of fraudulent ransom notes, like those falsely attributed to BianLian, underscores a trend toward deceptive tactics as traditional extortion methods wane.

Increased Exposure and Arrests: Enhanced operational security measures and international cooperation have led to the identification and apprehension of several threat actors, diminishing the perceived anonymity that once shielded cybercriminals.

Further Reading: Coveware

Stealthy .NET Malware: Hiding Malicious Payloads as Bitmap Resources

Unit 42 researchers have identified a novel obfuscation technique employed by threat actors, wherein malicious payloads are concealed within bitmap resources embedded in seemingly benign 32-bit .NET applications. This method leverages steganography to initiate a multi-stage execution chain, ultimately deploying final payloads such as Agent Tesla, RemcosRAT, or XLoader.

Key Insights:

Steganographic Embedding: Malware is hidden within bitmap resources of .NET executables, allowing it to evade traditional detection mechanisms.

Malspam Distribution: Campaigns have been observed targeting sectors like finance in Türkiye and logistics in Asia, using localized email subjects and attachments to increase credibility.

Multi-Stage Execution: Upon execution, the infected application extracts and deobfuscates embedded payloads, loading them as dynamic-link libraries before executing the final malicious code.

Advanced Obfuscation Techniques: Additional methods such as metadata obfuscation, opcode replacement, and control flow manipulation are used to hinder static analysis and reverse engineering.

Further Reading: Unit 42

New Tool Can Trick Windows into Disabling Microsoft Defender

Security researchers have discovered a new, publicly available tool called "DefendNot" that can manipulate Windows systems into effectively disabling Microsoft Defender, the built-in antivirus software. This tool doesn't exploit vulnerabilities but instead uses legitimate system administration features in unintended ways.

Key Insights for Security Teams:

Abuse of Admin Privileges: Highlights the critical importance of least privilege principles and monitoring privileged accounts.

Bypasses Traditional Defenses: May evade detection by traditional security solutions that primarily look for malware signatures or exploit activity.

Focus on Tamper Protection: Underscores the importance of enabling and closely monitoring tamper protection features within Microsoft Defender.

Need for Behavioral Monitoring: Organizations should emphasize behavioral monitoring and anomaly detection to identify suspicious activity.

Tool is Publicly Available: Means threat actors could potentially incorporate it into their attack chains.

Further Reading: BleepingComputer

NIST Proposes Metric to Identify Likely Exploited Vulnerabilities

The National Institute of Standards and Technology (NIST), in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), has introduced a proposed metric aimed at determining the likelihood that a given vulnerability has been exploited in the wild. This initiative seeks to enhance the efficiency and cost-effectiveness of enterprise vulnerability remediation efforts.

Key Insights:

Addressing Limitations of Existing Systems: Current remediation strategies often rely on the Exploit Prediction Scoring System (EPSS) and Known Exploited Vulnerabilities (KEV) lists. However, EPSS has been noted for inaccuracies, and KEV lists may not be comprehensive. The proposed metric aims to augment these tools by providing a more accurate assessment of exploitation likelihood.

Enhancing Vulnerability Prioritization: By estimating the probability of exploitation, organizations can better prioritize vulnerabilities, focusing resources on those most likely to be targeted.

Collaborative Approach: The success of this metric depends on collaboration with industry partners to provide necessary performance measurements and validate the effectiveness of the approach.

Further Reading: NIST CSWP 41

New Best Practices Guide for Securing AI Data Released

CISA, NSA, FBI, and international partners have jointly released a new Cybersecurity Information Sheet focused on AI Data Security: Best Practices for Securing Data Used to Train & Operate AI Systems. This guide emphasizes that robust data security is fundamental for ensuring the accuracy, integrity, and trustworthiness of AI outcomes throughout its entire lifecycle.

Key Insights:

Holistic Risk Management: The guide outlines risks stemming from data security and integrity issues across all phases of AI, from development to operation.

Target Audience: It's particularly relevant for Defense Industrial Bases, National Security Systems owners, federal agencies, and Critical Infrastructure owners/operators.

Core Recommendations: Key practices include adopting strong data protection measures, proactively managing AI-related risks, and enhancing monitoring, threat detection, and network defense capabilities.

Vigilance is Key: As AI integration grows, organizations must take deliberate steps to secure the underlying data.

Further Reading: CISA

DDoS Attack "Street Prices": What You Need to Know

Recent analysis of the underground market reveals that the "street prices" for DDoS (Distributed Denial-of-Service) attacks have remained remarkably stable over the past few years, with some new trends in service delivery. While web-based booters are still available, Telegram-based booter services are becoming a new norm, offering readily accessible attack capabilities.

Key Insights:

Stable Pricing: DDoS attack costs have remained consistent, making them a relatively affordable option for malicious actors.

Layer 3/4 Attacks (Volume-based):

1 GB/Day (Booter-Service): ~$1/day

100 GB/Day: ~$25/day

1000 GB/Day (DDoS for Hire): ~$150/day

Layer 7 Attacks (Application-layer):

10,000 RPS/Day (Booter-Service): ~$1/day

50,000 RPS/Day (DDoS for Hire): ~$20/day

100,000 RPS + Protected Services (DDoS for Hire): ~$50/day

Max monthly cost for DDoS for Hire: ~$10,000/month

DDoS-as-a-Service (DDoSaaS) Dominance: This business model continues to thrive, with attackers charging hourly or monthly fees to sustain attacks, often with extra charges for targeting protected services.

Emergence of Telegram Booters: Threat actors are increasingly leveraging Telegram for offering and managing DDoS services, simplifying access for potential customers.

Further Reading: KyberVandals Blog

Deceptive CAPTCHA "ClickFix" Campaign Uses Clipboard Injection to Deliver Malware

Threat actors are employing a new social engineering campaign, dubbed "ClickFix," that utilizes fake CAPTCHA prompts on compromised or cloned websites. This sophisticated technique tricks users into launching malware by combining clipboard injection with abuse of the Windows Run dialog, leading to the delivery of payloads like Lumma Stealer and NetSupport RAT.

Key Insights:

Social Engineering Focus: The campaign heavily relies on user fatigue with CAPTCHA mechanisms, guiding victims through seemingly familiar steps to execute malicious code.

Clipboard Injection & Run Dialog Abuse: The core of the attack involves copying a malicious PowerShell or mshta command to the clipboard, which users are then instructed to paste and execute in the Windows Run dialog.

Living Off the Land Binaries (LOLBins): Attackers extensively use trusted system binaries like PowerShell, mshta.exe, and certutil.exe to bypass traditional security defenses, making detection challenging.

Payloads: Frequently observed payloads include infostealers (e.g., Lumma Stealer targeting browser data, credentials, and crypto wallets) and remote access tools (e.g., NetSupport RAT for full system access).

Simplicity and Effectiveness: The campaign's success stems from its simplicity, avoiding zero-day exploits or complex hidden mechanisms, relying instead on user interaction.

Proactive Defense: This campaign underscores the need for robust endpoint detection and response (EDR) solutions capable of behavioral analysis and detection of LOLBin abuse, alongside user education on suspicious CAPTCHA prompts and the dangers of pasting unknown commands.

Further Reading: SecurityOnline.info

Cybercriminals Exploit AI Hype to Spread Malware

Cybercriminals are increasingly exploiting the public's interest in artificial intelligence by creating fake AI-themed websites and advertisements to distribute malware. A recent campaign identified by Mandiant Threat Defense involves the threat group UNC6032 using deceptive ads on platforms like Facebook and LinkedIn to lure users into downloading malicious software disguised as AI video generation tools.

Key Insights:

Deceptive Advertising: Thousands of malicious ads have been disseminated, impersonating legitimate AI tools such as Luma AI and Canva Dream Lab. These ads direct users to fraudulent websites designed to mimic authentic AI services.

Malware Deployment: Upon interacting with these fake sites, users are prompted to download a ZIP file containing the STARKVEIL malware dropper. This dropper installs multiple malware components, including GRIMPULL, XWORM, and FROSTRIFT, which are designed to steal sensitive information and establish persistent access to the victim's system.

Information Theft: The deployed malware targets a range of data, including login credentials, cookies, credit card information, and digital wallet contents. Some components, like XWORM, also perform keylogging and screen capture, further compromising user privacy.

Evasion Techniques: The malware employs sophisticated methods to avoid detection, such as using Braille pattern blank characters to obscure file extensions and leveraging legitimate processes for malicious activities.

This campaign underscores the importance of vigilance when engaging with online advertisements, especially those offering AI-related services. Users should be cautious of unsolicited offers and verify the legitimacy of websites before downloading any software.

Further Reading: Google Cloud Blog

Beyond the Kill Chain: How Cybercriminals Invest Their Profits

Sophos X-Ops' five-part series, Beyond the Kill Chain, explores what happens after a successful cyberattack. The series reveals how financially motivated threat actors invest their illicit earnings—often blending legitimate business with ethically questionable and outright criminal ventures.

Key Insights:

Legitimate Business Ventures: Cybercriminals are investing in seemingly lawful enterprises such as restaurants, real estate, and e-commerce platforms. These ventures help launder money while also creating additional income streams.

Ethically Dubious Activities: Some threat actors operate in legal gray zones, selling spyware, monetizing vulnerability research under the guise of security services, or manipulating online traffic for advertising profits.

Criminal Enterprises: Illicit gains are also funneled into traditional criminal operations like counterfeit goods, drug trafficking, and underground gambling, showing how cybercrime supports broader organized crime ecosystems.

Implications for Cybersecurity: Mapping how threat actors reinvest their profits helps threat intelligence teams understand evolving risk models and disrupt the infrastructure supporting ongoing cybercriminal activity.

Further Reading: Sophos News

Lumma Infostealer: Disrupted but Not Defeated

A recent global law enforcement operation disrupted parts of the Lumma Infostealer malware-as-a-service platform, seizing over 2,500 domains. However, key infrastructure—particularly servers hosted in Russia—remains intact, allowing Lumma’s core operations to continue.

Key Insights:

Partial Takedown: While many domains were seized, Lumma’s main server remains online, enabling continued malware activity.

Resilience and Recovery: The developer claimed services resumed quickly with no arrests made, signaling strong operational recovery.

Ongoing Threat: Stolen credentials and sensitive data tied to Lumma are still appearing on dark web markets.

Psychological Tactics: Authorities planted disruptive messages in Lumma’s Telegram channels and admin panels to undermine trust in the service.

Mixed Reactions: Some cybercriminals are distancing themselves from Lumma, while others remain loyal and active.

Further Reading: Check Point Blog

CFOs Targeted in Sophisticated Spear-Phishing Campaign

A recent spear-phishing campaign is targeting Chief Financial Officers (CFOs) and finance executives across banking, energy, insurance, and investment sectors in regions including Europe, Africa, Canada, the Middle East, and South Asia. The attackers use a multi-stage approach to deploy NetBird, a legitimate WireGuard-based remote access tool, onto compromised systems.

Key Insights:

Deceptive Recruitment Emails: The campaign begins with emails impersonating a Rothschild & Co recruiter offering a “strategic opportunity.” Victims are directed to a Firebase-hosted page featuring a custom CAPTCHA to access a malicious file.

Malicious Payload Delivery: After solving the CAPTCHA, users download a ZIP file containing a VBS script. When executed, it installs NetBird and OpenSSH, creates a hidden local admin account, and enables Remote Desktop Protocol (RDP) for persistent attacker access.

Evasion Techniques: The use of custom CAPTCHAs and trusted hosting services helps the attackers bypass traditional security defenses and increases credibility.

Attribution: Some infrastructure overlaps with known nation-state campaigns, but the specific threat actor remains unidentified.

Further Reading: Trellix Blog

Threat Actors Exploit Google Apps Script for Evasive Phishing Attacks

Threat actors are leveraging Google's Apps Script platform to host phishing pages that appear legitimate, allowing them to steal login credentials. These campaigns often begin with emails posing as invoice notifications, linking to webpages hosted using Google Apps Script. By operating within Google's trusted environment, attackers make their phishing pages seem more authentic, increasing the chances of success.

Key Insights:

Abuse of Trusted Services: Google Apps Script, a JavaScript-based platform used for automating Google Workspace tasks, is being exploited to host fake login pages that capture user credentials and send them to attacker-controlled servers.

Evasion of Security Measures: Because the scripts are hosted on Google's own domain, they can bypass traditional email and web filters that typically block suspicious domains.

Sophisticated Phishing Techniques: The phishing emails and login prompts are convincingly designed to mimic legitimate services, making it more likely that targets will engage and provide sensitive information.

Further Reading: BleepingComputer

HuluCAPTCHA – An Evolving Fake CAPTCHA Framework

Security researchers have identified "HuluCAPTCHA," a sophisticated fake CAPTCHA framework actively compromising websites. This advanced system tricks users into running malicious commands via fake CAPTCHA prompts and the Windows Run dialog, leading to infections with infostealers and remote access tools.

Key Insights:

Deceptive Execution: Users are redirected from compromised sites to fake CAPTCHA pages, then instructed to copy/paste malicious PowerShell or mshta commands into Windows Run.

Advanced Tracking & Stealth: The framework meticulously tracks user interactions and potential command execution. It leverages Living Off the Land Binaries (LOLBins) to evade traditional defenses.

Payload Versatility: Delivers various infostealers (e.g., Lumma, Aurotun) and remote access tools (e.g., Donut Injector).

Persistent Backdoors: Compromised WordPress sites show sophisticated hidden admin backdoors, designed for stealth and persistence.

High-Value Targets: Attackers are targeting organizations that could hold sensitive data, highlighting the potential for significant impact.

Further Reading: HuluCaptcha — An example of a FakeCaptcha framework

Phishing Campaign Exploits Google.com Open Redirects

A recent phishing campaign has been observed exploiting an open redirect vulnerability within Google's google.com/travel/clk endpoint. Threat actors are leveraging this legitimate Google Travel click-tracking mechanism to redirect users from a trusted google.com domain to malicious phishing sites. This technique adds an air of legitimacy to phishing links, making them harder for users to identify as fraudulent.

Key Insights:

Trusted Domain Abuse: Attackers are using google.com/travel/clk?pc=[token]&pcurl=[target_URL] to redirect users. The presence of google.com in the initial link provides a deceptive sense of security.

Persistent Tokens: The pc token, which controls the redirect, lacks a clear expiration mechanism and can remain valid for months or even years. This allows attackers to reuse tokens across multiple campaigns.

Ease of Exploitation: Obtaining a valid token is trivial, requiring only a visit to Google's hotel search page to copy one from a legitimate link.

Google's Stance: Google's official position classifies open redirects as "very little practical risk," claiming they invest in phishing detection rather than preventing the redirects themselves. This stance is debated given the observed abuse.

Detection Challenge: The initial legitimate google.com domain in the link makes it difficult for users and some security systems to immediately flag it as malicious.

Mitigation Recommendation for Internal Security Teams:

Flag or sandbox any google.com/travel/clk links that appear in email and other messages until Google clarifies its redirect validation mechanisms.

Further Reading: Another day, another phishing campaign abusing google.com open redirects

Cybercriminals Use Fake Booking Sites to Spread AsyncRAT Malware

Cybercriminals are exploiting fake Booking.com websites to infect users with AsyncRAT, a remote access trojan. Victims are lured through deceptive ads and social media links to counterfeit booking sites, where they are tricked into running a malicious PowerShell script. The attack results in full remote control of the infected system, putting sensitive personal information at risk.

Key Insights:

Attackers use fake CAPTCHA prompts to manipulate users into executing malware.

The AsyncRAT payload allows for full system access, including surveillance and data theft.

Domains rotate every few days, making detection and blocking more difficult.

Further Reading: Malwarebytes Blog

UNC6040 – Voice Phishing to Salesforce Data Extortion

Google Threat Intelligence Group (GTIG) is tracking UNC6040, a financially motivated threat cluster specializing in voice phishing (vishing) campaigns. This group is successfully impersonating IT support to gain access to organizations' Salesforce instances, primarily to steal large volumes of data for subsequent extortion. Their tactics rely heavily on manipulating end users rather than exploiting software vulnerabilities.

Key Insights:

Vishing is Key: UNC6040 uses convincing phone calls, often targeting English-speaking employees, to socially engineer access.

Salesforce Data Loader Abuse: They trick victims into authorizing malicious versions of Salesforce Data Loader, gaining broad access to exfiltrate sensitive data.

Lateral Movement: After Salesforce, they use stolen credentials for lateral movement into other cloud platforms like Okta and Microsoft 365.

No Platform Vulnerability: Attacks exploit user trust and process gaps, not inherent Salesforce flaws.

Persistent Threat: Extortion can occur months after the initial intrusion, indicating a patient and persistent threat.

Further Reading: The Cost of a Call: From Voice Phishing to Data Extortion

Petya/NotPetya ransomware outbreak thoughts and links

June 28, 2017

While I wait for Nashville traffic to clear (picture above), I decided to take this as an opportunity to write up some thoughts and provide links for the current “ransomware” outbreak. I became aware of this on Tuesday and started monitoring the situation via Twitter. I thought it a good idea to create a list and add people who are providing the most useful information about the current outbreak. I figured it would be useful for future security related events.

There are already some good blog posts out there with what we currently know. SANS Internet Storm Center and Symantec Security Response have really good information. What I’d like to focus on is the idea that this is outbreak is a cover up for a nation-state attack. As I watched Twitter it seemed like a very particular set of organizations were getting hit by this ransomware. There were reports in several different countries and different types of organizations, but something didn’t feel right. I didn’t know anyone experiencing this event or see reports of local government or schools getting hit with this stuff. If there is truly an outbreak I would expect to hear about outbreaks in those areas. They run IT (let alone security) on a shoestring budget. All the reports seem to focus on those areas in Ukraine.

On my ride into work this morning the Risky Business podcast floated the idea that this was a targeted attack by a nation-state (Russia) at Ukraine (don’t call it “The Ukraine). Based on what I’ve seen it makes sense. Furthering the idea is Matt Suiche who wrote up an article on Petya as a wiper not ransomware he dug into the code for the malware and found that some of it had changed. This makes things much more difficult to recover from. If this is a cyber attack on another nation then the goal is certainly destruction. Crafting malware to look like ransomware but make things irrecoverable is a good way to accomplish that goal. It also helps with creating disinformation (something Russia does).

Then there’s the article from the grugq. He tracks down the MeDoc connection, which is considered the starting point for the infection. MeDoc is an accounting software package. The malware was sent through it’s update service. Now, if I’m a criminal trying to make money of this thing I use phishing emails to send this thing out to as many places as possible. Targeting a software vendor to deliver ransomware seems like way too much work for not a lot of payout. In fact the email address for payments has already been shutdown. Even if you wanted your files back you’re not getting them, because communication with the attackers is gone. Last check of the bitcoin wallet is $10,296.2 USD, according to @petya_payments on Twitter.

The problem with news like this is that there’s a lot of information flying out there. Not all of it good. It’ll take a few days to sort through everything, even then we won’t have a clear picture. In several weeks US intelligence will have their say. Like they recently did with WannaCry (it was North Korea). I think this is a targeted attack involving countries. There will be collateral damage, but it’s unlikely to affect a majority of us. In fact it looks like the initial attack has long since passed. Again, it’s early and some of this information is likely misguided or incorrect or new information will come out. There are some researchers saying that it’s not a wiper. The link in the post is another good resource for information and a good example of the community working through early information. He does agree that the malware's purpose is destruction, he's just not sure it's a wiper. I'm not versed enough in malware analysis to make a distinction either way. Wiper or ransomware are minor details, both will cause a lot of destruction. We should have a clearer picture in the next few days.

Suggestions for defending yourself are in the SANS and Symantec articles. Simple answer is to patch your shit and evaluate SMBv1 needs. I also took this event as an opportunity to email some internal folks and ask questions about our systems and see how they responded. When people talk about war gaming a security incident, these are good opportunities, even if you’re not impacted.

Resources:

I think traffic got worse.

This blog post first appeared on Exploring Information Security.

How did I get infected with malware?

May 18, 2015

The question

“How did I get infected with malware?” is a question I get asked quite often in my day job when I am investigating a machine with a malware infection. The answer usually comes down to, “It is not your fault, you are on the internet and these things happen.” Sure, some sites are more risky than others. Go off the beaten path and there is an increased risk of viruses, trojans, cryptolocker, spyware, and all sorts of icky things will make their way onto a computer. The reality is that malware can make its way onto a computer from just about anywhere. Two examples of legitimate websites passing out malware visiting a site like Forbes, or visiting celebrity chef Jamie Oliver’s website, or any really any other site running advertisements.

Some websites are running platforms and applications with unpatched security flaws or running advertisements that have not been properly vetted by the advertising agency. Both of these security shortcomings on websites can lead to computer infections that happen behind the scenes and undetected.

What can be done?

Keep your computer up-to-date, install EMET, and implement some safe browsing tools.

To keep your computer up-to-date use Secunia's Personal Software Inspector (PSI). It's free, it's easy to use, it keeps your programs up-to-date with the latest patches.

Install the Enhanced Mitigation Experience Toolkit (EMET) from Microsoft. It's free, it's easy to use, and it protects your computer from nasty things.

Enable Click-to-Play on your browsers. Easy to implement, but a little more annoying to use. Essentially, you choose when applications like Flash play, so nothing runs that you don't want to run in your browser. Yes, it's a little more annoying to browse the web, but comes with the benefit of improved load times. It's not going to suck up bandwidth if it can't run.

If you need help or want a further explanation on any of these tools or if you want more leave a comment or email me at timothy.deblock[at]gmail.com.

This post first appeared on Exploring Information Security.

Infographic Friday October 24, 2014

October 24, 2014

A brief history of malware - Help Net Security

This post first appeared on Exploring Information Security.

InfoSec privacy links October 23, 2014

October 23, 2014

How to restore privacy - fix macosx

It appears that Apple's Spotlight app, which helps search for various items, on Max OS X Yosemite devices sends your search data to Apple. This website will show you how to disable the features that send this information. I went ahead and disabled everything, because I don't use Spotlight. For more information click here. To open Spotlight, simply swipe down on the home screen.

Bahraini Activists Hacked by Their Government Go After UK Spyware Maker - Kim Zetter - WIRED

Not long after the phantom Facebook messages, Ali discovered spyware on his computer—a powerful government surveillance tool called FinFisher made by the UK firm Gamma International. Human rights groups and technologists have long criticized Gamma International and the Italian firm Hacking Team for selling surveillance technology to repressive regimes, who use the tools to target political dissidents and human rights activists. Both companies say they sell their surveillance software only to law enforcement and intelligence agencies but that they won’t sell their software to every government. Gamma has, in fact, denied selling its tool to Bahrain, which has a long history of imprisoning and torturing political dissidents and human rights activists.

More Crypto Wars II - Bruce Schneier - Schneier on Security

I'm not sure why he believes he can have a technological means of access that somehow only works for people of the correct morality with the proper legal documents, but he seems to believe that's possible. As Jeffrey Vagle and Matt Blaze point out, there's no technical difference between Comey's "front door" and a "back door."

This post first appeared on Exploring Information Security.

InfoSec links September 24, 2014

September 24, 2014

Data Breach Victims or Enablers? - Bill Brenner - Liquid Matrix

Companies that suffer a breach — Home Depot and Target have been among this year’s biggest poster children — are victims. They don’t set out to put their customers’ data in danger and they probably thought they were practicing all due diligence until they discovered the intrusions. But they probably also mistook their compliance check lists for real security and failed to turn security into a company-wide mindset, and that makes them enablers for the hackers who beat them.

Home Depot ignored security warnings for years employees say - Sean Gallagher - ars technica

Former information technology employees at Home Depot claim that the retailer’s management had been warned for years that its retail systems were vulnerable to attack, according to a report by The New York Times. Resistance to advice on fixing systems reportedly led several members of Home Depot’s computer security team to quit, and one who remained warned friends to use cash when shopping at the retailer’s stores.

Massive Malvertising Network is 9 Times Bigger Than Originally Thought: Cisco - Brian Prince - Security Week

"The “Kyle and Stan” network is a highly sophisticated malvertising network," blogged Armin Pelkmann, threat researcher with Cisco. "It leverages the enormous reach of well placed malicious advertisements on very well known websites in order to potentially reach millions of users. The goal is to infect Windows and Mac users alike with spyware, adware, and browser hijackers."

This post first appeared on Exploring Information Security.

Friday infographic September 19, 2014

September 19, 2014

Mobile Malware Infection Rate in H1 2014 Almost as High as in the Entire 2013 - Ionut Ilascu - Softpedia

This post first appeared on Exploring Information Security.

Friday infographic September 12, 2014

September 12, 2014

What You Need to Know About Backoff - Jeffrey Roman - Data Breach

This post first appeared on Exploring Information Security.

Looking for celebrity nudes could lead to malware

September 4, 2014

As is the case with any big news, criminals and nefarious types are taking advantage of the celebrity nude photos news to get malware installed on the machines of the unwitting.

Celeb nude photos now being used as bait by Internet criminals - Sean Gallagher - ars technica

Links are being spread among social media sites such as Twitter and Facebook. I imagine they're also being spread on other social media platforms. Just don't do it, unless you're prepared to lose more than just your dignity.

This post first appeared on Exploring Information Security.

Dealing with the ransomware known as CryptoLocker

August 8, 2014

Ransomware is some pretty nasty stuff and it’s only getting nastier. This particular piece of malware encrypts a person’s drive and then locks it from the user. To unlock it the person must pay, usually by bitcoin, to get access to the freshly encrypted data. Brian Krebs recently called 2014 ‘The Year Extortion Went Mainstream’ and one of the reasons he said that was because of online criminal activities like ransomware. One of the most well known ransomware is called CryptoLocker

There are a couple of ways that ransomware can be combatted:

Take good backups

The backups should be offline. If they’re online then attackers could potentially get access to that device and take it over. Recently, it was found that some Synologys with older firmware versions could be infected with ransomware. Which leads to the next point.

Keep your system up-to-date

This is nothing now and something that has been suggested thousands of times. Still systems are being left unpatched. I know it’s not easy, especially, when there are a lot of other things to do, but one of the easiest ways to keep your system up-to-date is to use a program like Secunia. It does most of the work for you and is fairly user friendly.

Trust your intuition online

Listen to that voice in your head telling you clicking on this link or that link is a bad idea. It’s usually right. If it feels wrong or it’s too good to be true it probably is. I leave it at that, because that’s is something else that gets mentioned a lot in ‘online safety.’

If all else fails, there's an app for that

Recently, Fox IT and FireEye teamed up to offer a free Decrypt service that will get people infected with ransomware their stuff back. I haven’t tried the service, nor do I know how well it works, but both FireEye and Fox IT are legitimate security companies.

At this point and time, there is not an alternative to getting data back from a ransomware infection. You either need to avoid ransomware altogether, reinstall your operating system and have good backups, or use the FireEye/Fox IT service. If you try the service I would love to hear your experiences with it.

This post first appeared on Exploring Information Security.

InfoSec links July 15, 2014

July 15, 2014

Pandemiya Emerges As New Malware Alternative To Zeus-Based Variants - Fraud Report - EMC/RSA

This is a breakdown on some new malware called Pandemiya. It’s being offered as an alternative to the widely popular Zeus trojan. The price tag is between $1500-$2000.

Crooks Seek Revival of 'Gameover Zeus' Botnet - Brian Krebs - Krebs on Security

The previously dead Gameover Zeus botnet is apparently making a comeback. After the initial takedown, the owners of the botnet laid low for a while. Now it appears they’re trying to bring it back. The old botnet is still in lockdown, so this appears to be an effort to rebuild the botnet from the ground up.

Glenn Beck's The Blaze Site Serving Malicious Ads - Pat Belcher - invincea

My care meter for politics:

don’t care |-|---------------------| care

Glenn Beck can be a bit of a hot topic, but it’s his site I want to focus on, The Blaze. It’s been discovered that his site, via advertising, is serving up malware to people that visit the site. The site is not compromised, it’s the ad services that are running on his site. Ad services do not vet the people who submit ads, which makes it easy for nefarious folk to submit ads with malware attached to them. The Blaze, according to the article, is ranked the number two political site on the web, thus making it a target for these kinds of ads. If you see an ad that is of interest you, I would suggest doing a google search instead of clicking the ad.

This post first appeared on Exploring Information Security.

InfoSec links May 27, 2014

May 27, 2014

Hackers now crave patches, and Microsoft's giving them just what they want - Gregg Keizer - Computer World

Criminals are using Windows 7 patches to try and figure out vulnerabilities in Windows XP. According to the article, "By conducting before- and after-patch code comparisons, attackers may be able to figure out where a vulnerability lies in Windows 7 -- which will be patched -- then sniff around the same part of XP's code until they discover the bug there." Just another reason to get off Windows XP.

CBS picks up 'CSI: Cyber' with Patricia Arquette - Scott Collins - LA Times

I used to watch a lot of CSI: Las Vegas. After several seasons, though, I realized it was the same episode with slightly different variations. This looks interesting enough that I might just check it out. My expectations for an accuracy and/or entertainment quite low. Still, it could be used to give the masses a small peak into the electronic "battlefield" and might even make for a good jumping off point for infosec professionals to teach the uninitiated.

Meet the Zberp Trojan - Dana Tamir - Security Intelligence

New malware has been discovered. According to Trusteer researchers the new malware combines the Zeus and Carberp Trojans, hence the name Zberp.

This post first appeared on Exploring Information Security.