
Threat Intelligence Updates: October 2017

10/16/2017  |  By: Jason Riddle, CISSP, President, COO



Use Kaspersky? You Might Want to Rethink That.

For the past decade, many in the cybersecurity community have suggested that, at worst, Kaspersky Lab is a front for Russian intelligence services, and, at best, the company could, at some point, be coerced into allowing the Russian intel services to use its infrastructure for spying.

On October 10th, The New York Times broke a story describing how Israeli intelligence officers hacked into Kaspersky in 2014 and observed Russian government hackers using the Kaspersky customer base to search computers around the globe for U.S. government classified documents.

From all accounts, The New York Times story rings true and has largely confirmed the decade-old suspicions. Kaspersky’s leadership team has denied any involvement in the use of its systems to conduct intelligence operations, but that point is largely moot. Whether Eugene Kaspersky and his leadership team were witting or unwitting participants in the activity, the end result is the same—Kaspersky’s software and systems have been used by the Russian intelligence services to commit espionage.

Based on the above, we believe it’s time for U.S. companies to put Kaspersky in the trash bin and implement another endpoint protection solution. There are many other comparable products available, and the risk of using Kaspersky simply can't be justified any longer.

For more information on the topic, visit the following links:

Ransomware Update: WannaCry Persists. Locky Rises from the Ashes.

After recent detections of both Locky and WannaCry ransomware, LBMC Information Security has noted that both strains of malware are alive and well. We have several reports from other independent sources confirming that Locky is resurfacing after remaining dormant for several months. This time, there are two new variants, which are distributed via botnet-based spam. One variant is referenced as Diablo6, as it encrypts the victim’s files and leaves them with a .diablo6 file extension. The second variant appends a .Lukitus file extension to the victim’s encrypted files. 

Researchers have reported that the Lukitus campaign alone has sent more than 23 million spam email messages in 24 hours. The emails typically do not include many details but usually reference photos, documents, or receipts in an attempt to entice the user to open a .ZIP file attachment within the email, which contains malicious scripts that download the ransomware. 

Some spam emails appear to imitate DropBox and include malicious links to fake DropBox pages. Upon clicking the link, the user is prompted with a dialog, stating that they do not have the HoeflerText font installed. If the user agrees to “update” the font, the malware is downloaded, and Locky begins its infection process on the victim’s system.

More recently, a Locky variant with the .Asasin file extension has surfaced; however, the spam emails distributing it do not appear to correctly attach the malicious file.

At LBMC Information Security, we utilize various sources of threat intelligence to actively identify and block malicious domains and IP addresses associated with phishing activity and serving malware. We have also implemented signatures to detect the presence of Locky, WannaCry, and DoublePulsar, a backdoor often used to install WannaCry.

As part of your ransomware defense strategy, we also recommend performing regular data backups and testing those backups to ensure a working copy is available to recover from at a moment’s notice. 
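As an added example that is not part of the LBMC post, the following PowerShell script gives a file-server administrator a quick way to confirm whether any of the three Locky extensions named above (.diablo6, .lukitus, .asasin) have appeared on a share, and to bound the encryption window for the incident timeline. The share root, the alert threshold, and the function name Find-LockyArtifacts are assumptions made for this example.

```powershell
# Added example (not from the LBMC post): sweep a file share for files carrying
# the Locky extensions named in the text and summarise where and when they appeared.
# The default path and threshold are assumptions; adjust them to your environment.
param(
    [string]$Path = "\\fileserver\shares",   # assumed share root
    [int]$AlertThreshold = 5                 # assumed: this many hits = probable outbreak
)

# Extensions the post associates with the Diablo6, Lukitus and Asasin variants.
$LockyExtensions = @(".diablo6", ".lukitus", ".asasin")

function Find-LockyArtifacts {
    param([string]$Root, [string[]]$Extensions)

    # -File skips directories; SilentlyContinue keeps access-denied folders from aborting the sweep.
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        Select-Object FullName, DirectoryName, Extension, Length, LastWriteTime
}

$hits = @(Find-LockyArtifacts -Root $Path -Extensions $LockyExtensions)

if ($hits.Count -eq 0) {
    Write-Output "No Locky-extension files found under $Path"
    return
}

# Counts per extension tell you which variant you are dealing with.
$hits | Group-Object Extension | ForEach-Object {
    Write-Output ("{0,-10} {1,6} files" -f $_.Name, $_.Count)
}

# First and last write times bound the encryption window for the timeline.
$sorted = $hits | Sort-Object LastWriteTime
Write-Output ("Encryption window: {0} -> {1}" -f $sorted[0].LastWriteTime, $sorted[-1].LastWriteTime)

# Directories with the most hits show where the infected account had write access.
$hits | Group-Object DirectoryName | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object { Write-Output ("{0,6}  {1}" -f $_.Count, $_.Name) }

if ($hits.Count -ge $AlertThreshold) {
    Write-Warning "Locky indicators exceed threshold ($($hits.Count) >= $AlertThreshold): isolate the writing host and restore from tested backups."
}
```

Run it from a host with read access to the share (for example `.\Find-LockyArtifacts.ps1 -Path "\\fileserver\finance"`). The write-time window and the top directories are the two facts the backup team needs first: which snapshot predates the earliest hit, and which shares must be restored.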

For additional information on the resurgence of these ransomware variants, please visit:

Please Patch MS17-010. Trust Us On This.

We are still running across companies that haven't yet applied the MS17-010 patch to their vulnerable Windows systems. We can't overemphasize how important it is to apply this patch. The fix from Microsoft repairs the critical vulnerability (CVE-2017-0144) used by WannaCry and several other forms of malware.

If left unpatched, the vulnerable computers will at some point be compromised. If the patch can't be applied for business reasons, consider disabling SMBv1. If that is not an option, isolate the vulnerable system on a dedicated VLAN, and use network access controls to restrict SMB traffic to the specific IP addresses and ports needed to deliver business services—and monitor these connections for malicious activity.
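The three fallback steps above (patch, else disable SMBv1, else restrict SMB traffic to approved hosts) can be audited and applied on a single Windows host with the following PowerShell script. It is an added example, not code from the LBMC post or from Microsoft; the KB list is left as a placeholder to be filled from the MS17-010 bulletin for your OS build, and the approved client addresses and the -Apply switch are assumptions.

```powershell
# Added example (not from the LBMC post): audit and apply the MS17-010 mitigations
# the text describes on one Windows host. KB ids, allowed addresses and the -Apply
# switch are assumptions; without -Apply the script only reports.
param(
    [switch]$Apply,
    [string[]]$AllowedSmbClients = @("10.0.5.10", "10.0.5.11"),   # assumed: hosts that legitimately need SMB
    [string[]]$Ms17010Kbs = @()   # placeholder: fill with the KB ids the MS17-010 bulletin lists for this OS build
)

$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# 1. Is the fix installed? Get-HotFix reads the installed-update list. With an
#    empty KB list the script reports "not checked" instead of guessing numbers.
if ($Ms17010Kbs.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if ($installed) { Write-Output "MS17-010: installed ($($installed.HotFixID -join ', '))" }
    else            { Write-Warning "MS17-010: NOT installed; patch, or apply the mitigations below" }
} else {
    Write-Output "MS17-010: KB list empty, patch state not checked"
}

# 2. SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
#    and later; older systems expose the setting only via the LanmanServer SMB1 value.
$smbCmd = Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($smbCmd) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val  = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1 = ($null -eq $val) -or ($val -ne 0)   # absent value means SMB1 is enabled by default
}
Write-Output ("SMBv1 server: {0}" -f $(if ($smb1) { "ENABLED" } else { "disabled" }))

if (-not $Apply) { return }

if ($smb1) {
    if ($smbCmd) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    else         { Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0 -Force }
    Write-Output "SMBv1 server disabled (older systems need a reboot for this to take effect)"
}

# 3. Host-level access control. Windows Firewall evaluates block rules before allow
#    rules, so rather than adding a blanket block we disable the existing inbound
#    allow rules for TCP/445 and add one scoped to the approved clients; the profile's
#    default inbound action (normally Block) then drops everyone else.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq "Inbound" -and $_.Action -eq "Allow" } |
    Disable-NetFirewallRule

New-NetFirewallRule -DisplayName "SMB in - approved clients only" -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $AllowedSmbClients -Action Allow | Out-Null
Write-Output "Inbound SMB restricted to: $($AllowedSmbClients -join ', ')"

# The scoped allow rule only helps if unmatched traffic is dropped by default.
Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne "Block" } | ForEach-Object {
    Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction), not Block"
}
```

Run it first without -Apply to see the patch and SMBv1 state, then with -Apply from an elevated session once the change is approved. The host firewall rule is a complement to, not a substitute for, the VLAN isolation and network-level access controls described above, and the connections that remain allowed should still be logged and monitored.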

To learn more, visit the following links: