- The Register: Cavalry riding to the rescue of DDOS-deluged memcached users – “Attacks tapering, as experts argue over ‘kill switch’”
- ESET: New DDoS attack method breaks record again, adds extortion
- Help Net Security: Robots hijacked by ransomware may soon become a reality. Summarizes an IOActive Labs article by Lucas Apa (@lucasapa) and Cesar Cerrudo (@cesarcer) – Robots Want Bitcoins too! – in which they suggest that “As human-robot interactions evolve, new attack vectors emerge and threat scenarios expand. To be prepared for these future threats, we should understand the key elements needed for ransomware for robots to succeed.”
- Help Net (again): Not all who pay a ransom successfully recover their compromised data. Summarizes data from a report from the CyberEdge Group that suggests that while 19.1% of those surveyed paid up and recovered their data, 19.6% paid up but didn’t get their data back.
(1) Paul Ducklin for Sophos: Cryptomining versus cryptojacking – what’s the difference?
(2) Bleeping Computer tells us: Microsoft Stops Malware Campaign That Tried to Infect 400,000 Users in 12 Hours
ZDNet is even more enthusiastic: Windows security: Microsoft fights massive cryptocoin miner malware outbreak – “Microsoft has blocked a malware outbreak that could have earned big bucks for one criminal group.”
Other players in the security industry were more restrained (as per the entry for March 8th below), notably myself, Sean Sullivan and Luis Corrons, quoted in an article by Kevin Townsend: Microsoft Detects Massive Dofoil Attack. Kevin didn’t quote me in full, so here’s (most of) what I said:
I don’t read that article as actually saying that Defender detected that particular campaign and no-one else did/does (which isn’t the case: note that some of the hashes in the figures show a VirusTotal score), or claiming that Microsoft actually disrupted the campaign, or even that it was the first product to detect this particular iteration of Dofoil or the Coinminer it’s delivering. If there’s a suggestion that detection by other products was tested, I missed it.
If it gives the impression that this detection ‘proves’ that all such attacks will be detected by Defender, well, that’s what AV products (often) do, but the phrase ‘hostage to fortune’ springs to mind. But the way I read it, Windows Defender did a good job of detecting this particular campaign, and deserves credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do.
Do the Defender team have an unfair advantage? Well, I guess they have direct access to the OS developers, but spotting behavioural anomalies is bread-and-butter lab work, and incorporating such detection into cloud protection and machine learning is standard stuff. And I’m sure most labs value good knowledge of OS processes.