How Do I Defend Against Threats in the Latest McAfee Labs Report?

McAfee Labs provides important information about threats in a variety of ways, from our McAfee Global Threat Intelligence service that feeds into many of our products, to published Threat Reports, our online Threat Center, and many active bloggers. Although it is useful for security professionals to know about the latest threats, one question that I often hear from customers is “How does McAfee technology protect me from this threat?”

Along with today’s publication of the McAfee Labs Threats Report: November 2014, we are also publishing two solution briefs that answer this question for key threats highlighted in the report. These documents identify which McAfee products will help protect you from these threats and how that protection works.

One solution brief explains how to defend against the recent BERserk vulnerability. BERserk is not your typical unlocked backdoor or another way to steal passwords. Instead, this flaw makes it possible to forge RSA signatures. An attacker can then act as a man in the middle, capturing sensitive data or hijacking the session, while the user sees a supposedly secure and authenticated session. Servers and websites are the primary targets of BERserk attacks, so it is up to you to protect your company’s assets. McAfee Vulnerability Manager and McAfee Asset Manager work together to scan your network and build an inventory of network-connected systems. When new threats are discovered, they enable you to quickly and confidently identify which systems are running vulnerable versions. Armed with this information, your security department can patch or isolate the vulnerable machines, reducing your time to containment. Another product, McAfee Application Control, provides a similar function for your applications. McAfee Application Control maintains a dynamic whitelist as applications are patched or updated. For the BERserk vulnerability, it can block execution of applications that call the vulnerable RSA code.
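Added example, not from the McAfee post or its solution brief: BERserk was a signature-parsing flaw, and the verifier property that rules out that whole class is to rebuild the expected PKCS#1 v1.5 encoded block and compare it byte for byte, instead of parsing the block recovered from the signature (this is the comparison RFC 8017 specifies). The key below is constructed from two well-known primes purely for the demonstration.

```python
import hashlib
import hmac

# Constructed demo key built from two well-known Mersenne primes. It is fine
# for illustrating the verification logic and useless as a real key.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def emsa_pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """Build the complete expected block: 00 01 FF..FF 00 || DigestInfo."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for this digest")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(message: bytes) -> bytes:
    em = emsa_pkcs1_v15_encode(message, K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify_strict(message: bytes, signature: bytes) -> bool:
    """Verify by regenerating the expected encoding and comparing every byte.

    A verifier that instead walks the padding and then decodes the ASN.1
    DigestInfo found in the recovered block has a parser to get wrong
    (length fields, trailing bytes). Comparing the whole block against a
    freshly built one leaves no such parsing step.
    """
    if len(signature) != K:
        return False
    s = int.from_bytes(signature, "big")
    if s >= N:
        return False
    em = pow(s, E, N).to_bytes(K, "big")
    expected = emsa_pkcs1_v15_encode(message, K)
    return hmac.compare_digest(em, expected)
```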

BERserk is one of the most recent examples of a vulnerability or malware that takes advantage of people’s trust in systems and the Internet. Other examples include malicious advertising, which delivers malware through popular ad-driven websites; malware that uses valid certificates from a Certificate Authority (CA) issued under names similar to that of a legitimate company; and counterfeit applications that pretend to be updates to familiar and widely distributed apps, such as Adobe Flash Player.

Protecting against trust abuse is the subject of the second solution brief. Multiple McAfee technologies have a role in defending the trust that has been carefully nurtured between you and your customers. For example, at the remote end, McAfee VirusScan can detect and defeat copycat malware without disrupting your workday. McAfee Global Threat Intelligence delivers real-time information on certificate, site, and file reputation to proactively defend against digital con men. McAfee Email Gateway and McAfee Web Gateway watch for malicious URLs, deleting them from phishing emails and web traffic.

McAfee will continue to develop and publish solution briefs with each new McAfee Labs Threats Report and you will be able to find them here. We hope you find these solution briefs useful.

The post How Do I Defend Against Threats in the Latest McAfee Labs Report? appeared first on McAfee.

Defence-in-depth, more than a buzzword

Beyond the relentless headlines of data breaches, credit card theft, and many other cybersecurity-related stories lies a very simple explanation. Sometimes it is as simple as an employee clicking a link within an email, or a user of a popular cloud service using 123456 as their password. So with recent headlines reporting the widespread theft of ‘millions’ from ATMs infected with Tyupkin malware, we undertook analysis in an effort to understand the simple explanation behind the attack. A clue to this simple explanation is of course in the title of this post.

Simply put, the attackers were able to gain physical access to the ATMs and reboot them using a Live CD; they would then directly manipulate the security controls and install the malware executable onto the machine. Not only could the attackers infect the system and ultimately steal the millions we all saw across the 140 characters that inevitably follow such stories, but the malware was also able to delete itself and clear all logs in an effort to cover the criminals’ tracks.

Herein lies the nub of the issue. There are solutions that can greatly reduce the risk of malware attacks. However, there is not just ONE solution that will accomplish this. ATM security must be implemented in a layered approach. The layers create barriers of protection to make the criminal’s job more difficult. Changing the boot order sequence would go far in preventing these attacks. Eliminating the capability to boot from external media would also be effective as another layer of protection.

To add more protection, consideration needs to be given to how ATMs are deployed. Some models are designed to be used in certain settings. Additional physical protection that makes access to the ATM’s CPU more difficult needs to be implemented. In such circumstances there are approaches that should be considered that include not only physical security controls (e.g. alarms, CCTV) but also tamper-proof security controls. Best practice recommends a layered approach to security so that there are lots of hurdles to jump and not just one. A weakness in one layer is mitigated by security provision elsewhere. A combination of physical, process and logical controls provides a robust environment. Determining the level of security for such environments means that future risk assessments should not assume that all devices will be in controlled physical environments, and should recognise that today’s criminals are becoming more brazen in mixing physical and cyber in modern-day crimes. We would like to thank the team at Kaspersky for providing their analysis of the criminal campaign to our research team.


Product Coverage and Mitigation for ICSA-14-178-01 (Havex/ICS-Focused Malware)

McAfee product coverage and mitigations for malware or indicators associated with the recent attacks (a.k.a. Dragonfly, Energetic Bear, Havex/SYSMain) on industrial control systems (ICSs) are listed below.

The Havex remote access tool is common across these associated attacks or campaigns, including Dragonfly. We have seen Havex in ICS-specific targeted campaigns. It can detect and affect ICS- and SCADA-specific services, such as OPCServer (OLE for Process Control).

McAfee Product Coverage and Mitigation

  • McAfee VirusScan (AV): Known associated malware samples are covered by the current DAT set (7486). Updated coverage will be included in the July 2 DAT set.
  • McAfee Web Gateway (AV): Same as VirusScan coverage.
  • McAfee Application Control: Provides coverage via whitelisting. Nonconforming executables will not run.
  • McAfee Next Generation Firewall: Partial coverage (for malware artifacts) is available via built-in McAfee AV inspection of mail, web, and file transfers.

Please check back often for updated technical details and product coverage.


Product Coverage and Mitigation for CVE-2014-1776 (Microsoft Internet Explorer)

On April 26, Microsoft released Security Advisory 2963983 for Microsoft Internet Explorer. In-the-wild exploitation of this vulnerability has been observed in limited, targeted attacks. The flaw is a use-after-free (memory corruption) vulnerability in VGX.DLL. Successful exploitation can give an attacker the ability to run arbitrary code (remote code execution). The flaw affects the following:

  • Microsoft Internet Explorer 6
  • Microsoft Internet Explorer 7
  • Microsoft Internet Explorer 8
  • Microsoft Internet Explorer 9
  • Microsoft Internet Explorer 10
  • Microsoft Internet Explorer 11


Current McAfee Product Coverage and Mitigation

  • McAfee Vulnerability Manager: The FSL/MVM package of April 28 includes a vulnerability check to assess whether your systems are at risk.
  • McAfee VirusScan (AV): The 7423 DATs (release date April 29, 2014) provide coverage for perimeter/gateway products and the command-line scanner-based technologies. Full detection capabilities, across all products, will be released in the 7428 DAT update (release date May 4, 2014).
  • McAfee Web Gateway (AV): The 7423 DATs (release date April 29, 2014) provide coverage.
  • McAfee Network Security Platform (NIPS): The UDS Release of April 28 contains detection.
    • Attack ID: 0x4512e700
    • Name: “UDS-HTTP: Microsoft Internet Explorer CMarkup Object Use-After-Free vulnerability”
  • McAfee Host Intrusion Prevention (HIPS): Generic buffer overflow protection is expected to cover code execution exploits.
  • McAfee Next Generation Firewall (NGFW): Update package 579-5211 (released April 29, 2014) provides detection.
  • McAfee Application Control: McAfee Application Control provides coverage via the MP-CASP feature. Whitelisting will also prevent post-exploitation behavior (e.g. execution of dropped executables or loading of dropped DLLs).
