Blog: RSA Research & Innovation

Innovating ahead of the market and offering the latest threat intelligence on the ever-expanding attack surface.

  • 11/13/2018 - Dialing Up Deception: The New Vishing Scam While vishing accounts for less than one percent of total phishing-type attacks, it remains a very real threat, as evidenced by its recent evolution. Traditionally believed to originate from an inbound call, vishing is now being deployed in reverse where a potential victim unknowingly calls a fraudster. Gain insight into the tactics being used to deceive consumers into calling fraudulent phone numbers and how to fight back.
  • 10/24/2018 - Beyond Your Bank Account: Ten Astounding Finds Uncovered by Financial Malware Financial malware is prevalent and capable of stealing more than your bank account number. Across many cybercrime investigations, RSA intelligence analysts have uncovered astounding finds stolen by financial malware. It is an alarming trend that should raise awareness among every digitally connected individual about how vulnerable we really are.
  • 9/19/2018 - Making Risk Count: Winning Strategies from Global CISOs A new Security for Business Innovation Council (SBIC) report explores modern approaches to risk management and measurement. Learn which factors, including the type of industry you compete in and how quickly your company is embracing digitization, may impact your risk measurement approach.
  • 8/14/2018 - RSA Report: Rogue Mobile Apps Account for 28 Percent of Fraud Attacks Rogue mobile apps accounted for 28 percent of fraud attacks observed by RSA in the second quarter of 2018 and over 70 percent of fraud transactions originated in the mobile channel. Learn more about the current state of global cybercrime and how to combat it more effectively.
  • 6/13/2018 - RSA Labs: Staying Secure Means Staying Relevant Keeping up with, if not a step ahead of, the bad guys isn’t all that security researchers find themselves battling. Staying upright on rapidly shifting terrain is made all the more difficult as companies embrace cloud computing, microservice architectures and mobility.
  • 6/4/2018 - Ovum on Business-Driven Security A new report from Ovum Ltd., “Business-Driven Security: An Essential Approach to Enterprise Protection and Compliance”, describes the practicality of the situation facing many digitally enabled organizations, reinforcing the need for business-driven security to effectively manage digital risk.
  • 5/23/2018 - RSA Report: Mobile App Fraud Transactions Increased Over 600 Percent in Three Years Phishing accounted for 48% of all cyber attacks observed by RSA in the first quarter of 2018 while two out of every three fraud transactions originated in the mobile channel. Learn more about the current state of cybercrime and fuel the conversation about how to combat it more effectively.
  • 4/30/2018 - The Dark Web Goes Social Due to the rise in popularity of newer social media outlets throughout the world, many fraudsters have expanded their activities to include multiple platforms. Gain insight on why social media has become so attractive to fraudsters and what types of information and tools are being sold and traded in these virtual storefronts.
  • 12/4/2017 - Anatomy of an Attack: CARBANAK Throughout 2017, RSA Incident Response has observed new TTPs associated with the CARBANAK threat actor group. These TTPs show an increase in situational awareness, organization, and attacker forensic discipline. Discover these new TTPs in detail and the methods used by RSA Incident Response to effectively neutralize them.
  • 11/22/2017 - The Carbanak/Fin7 Syndicate: A Historical Overview Of An Evolving Threat While Carbanak/Fin7 may use APT-style tactics and demonstrate persistence, RSA Research does not consider them to be an APT. Read the full report to understand why.
  • 11/2/2017 - Blockchain: the New Crutch for Fraud Blockchain is no longer used solely for cryptocurrencies such as Bitcoin; fraudsters are now adopting this technology to host their websites and use blockchain-based DNS in order to make their websites bulletproof.
  • 10/10/2017 - RSA Labs: The Next Generation RSA Laboratories has been in existence since the early '90s when it was the resource for Cryptography Research and Education. The RSA Labs organization has since evolved, even going underground for a period of time, to re-emerge now with a renewed mission and purpose for RSA.
  • 7/28/2017 - Operational Rhythm at the Black Hat 2017 NOC By Matt Tharp Operational rhythm is the term for the nebulous flow of information between parts of a team that makes it so effective. Who needs what, and when to be successful? In the Black Hat NOC, we have very little time to establish such a rhythm. However, a process for distributing critical information isn’t...
  • 7/25/2017 - Black Hat NOC 2017: CAN YOUR SIEM DO THIS? Setup of the Black Hat NOC is an exciting time. The entire network infrastructure is dropped in place at Mandalay Bay. Multiple Black Hat NOC teams work long hours to get the network in place, configured and tested. The attention then turns to the NOC setup where the infrastructure is tied together. RSA, one of...
  • 7/18/2017 - Demand More from Your SIEM By Mike Adler, VP Product, NetWitness Suite If you’re like a lot of IT security professionals, you’ve always been able to rely on your SIEM to provide log data for threat detection. But that’s just not enough to keep up with all the new threats from new sources that are bombarding organizations today. Can your...
  • 7/17/2017 - Hypothesis in Threat Hunting Today’s threat landscape requires organizations to operate more proactively to keep up with advanced and persistent threats. There is no doubt that the practice of threat hunting has emerged as a key capability to detect stealthy threat actors trying to gain access to the organizational IT infrastructure by evading traditional security measures. Hunting aims to...
  • 7/5/2017 - Cat-Phishing Hackers for Fun and Profit On June 14th, 2017, a new variant of ZXShell appears to have been uploaded from the Marmara region of Turkey. The Trojan itself is well known and contained x32 and x64 rootkits. This blog describes the functionality of ZXShell, as well as the associated rootkits. The Trojan source code is available here. Metadata File Name:...
  • 6/28/2017 - Detecting "Petya/NotPetya" with RSA NetWitness Endpoint and RSA NetWitness Packets By Alex Cox, Christopher Elisan and Erik Heuser, RSA Research A Ransomware variant known as “Petya/NotPetya” began making the rounds on June 27, 2017. This ransomware takes a different approach to denying access to the victim’s files. Instead of the usual approach of displaying a message and letting the victim browse to really see that the...
  • 6/5/2017 - Shadowfall Over the last several months, RSA Research embarked on a cross-organizational effort against RIG Exploit Kit (RIG EK or just plain RIG), which led to insight into the operational infrastructure (and possibly the entire ecosystem), as well as significant discoveries related to domain shadowing. Domain shadowing is “a technique in which attackers steal domain account...
  • 5/19/2017 - What Really Led to WannaCry? Much of the focus on WannaCry has been on how it works and what organizations need to do in the near term to recover. It’s important, however, to take a step back and ask ourselves why WannaCry became such a tour-de-force in the first place. After all, the security community has been talking about concepts...
  • 5/10/2017 - How Ransomware uses TMP files and the Temp folder In my previous blog, Why Malware Installers Use TMP files and the Temp folder, I discussed the advantages malware can have by using atomic writes instead of simply copying the malware to the intended location. In this blog, I discuss how ransomware uses the same technique for its purpose and how it is different from...
  • 5/3/2017 - SuperCMD RAT On April 8th, an interesting DLL was uploaded from Canada to VirusTotal. What makes it interesting is that the detections on VirusTotal are mostly heuristics and do not settle on a single family. The malware is also configured to beacon to an RFC1918 internal IP address; however, the name 816db8a1916201309d2a24b4a745305b.virus indicates it was picked up...
  • 4/21/2017 - Get to the Choppah A new variant of this tool, previously reported in 2013 by TrendLabs, was submitted to VirusTotal from the Philippines on March 27th, 2017. Its original filename, 2017.exe, was prescient since it has the ability to exploit CVE-2017-5638 and other previous Apache STRUTS vulnerabilities. File Details File Name: 2017.exe File Size: 107008 bytes MD5: ...
  • 4/14/2017 - A Different Take on Keystroke Logging On March 29th a file was uploaded to VirusTotal containing a fake Microsoft Update Authenticode certificate. Soon thereafter, RSA Research investigated the sample based on certain artifacts that matched those present on Shell_Crew malware RSA Research previously reported on. This Windows DLL file was compiled on October 28th, 2014 at 06:35:47 GMT (Table 1). File...
  • 4/13/2017 - The Fiesta Exploit Kit - Not So Festive After All Exploit kits (EK) are very popular with attackers for compromising a target system. Their ease of use and their success rate compared to other infection vectors are among the reasons attackers are attracted to using these kits. In recent years, exploit kits were used to deliver ransomware, the most famous of which was the...
  • 4/6/2017 - Why Malware Installers Use TMP files and The Temp folder when infecting Windows Ever wonder why so many TMP files are detected on an infected system? Even though they have different names, the files are exact copies of one another. Why? The first thing a malware installer (first stage of infection) does when executed on a target system – be it a dropper or downloader – is...
  • 4/4/2017 - The evolution of a Threat Pattern In an era of agile development and digital transformation, any application is subject to ongoing enhancement and improvement. Indeed, software engineering is a complex process with many interdependent tasks where multiple functions share responsibilities to strike a balance between software quality and business objectives, regardless of the specialized nature of the teams within the organizational...
  • 2/13/2017 - Kingslayer - A Supply Chain Attack Today, RSA is publishing new research on a sophisticated software supply-chain attack – dubbed “Kingslayer”. RSA Research investigated the source of suspicious, observed beaconing thought to be associated with targeted malware. In the course of their investigation, RSA discovered a sophisticated software supply-chain attack involving a Trojan inserted in otherwise legitimate software; software that is...
  • 2/13/2017 - Schoolbell: Class is in Session by Kent Backman and Kevin Stear, RSA Research Backstory If a sophisticated exploitation campaign is broad enough, it will attract the attention of multiple threat researchers. Such is the case of the malicious, multi-faceted exploitation campaign and botnet RSA Research has dubbed “Schoolbell.” In this blog, RSA will build on existing industry research and dig...
  • 1/31/2017 - 3 Steps to a Secure ICS Network Industrial Control Systems (ICS) attacks have a direct impact on people’s lives. The consequences of these attacks can be unpredictable, which is why ICS protection is a hot topic in security right now. Defining the right protection layer and best approach to secure communications in this environment is crucial. Historically, ICS departments operated independently from...
  • 1/25/2017 - Mastering the implementation of a Threat Pattern In previous posts we have discussed two of the most critical phases in “The Lifecycle of a Threat Pattern”: analysis and design. In the analysis phase the objective is to fully understand the asset in scope by getting deeper into the context to formulate a set of residual risks to which the asset might be...
  • 12/1/2016 - Proximity-Based Identity Assurance: Balancing Act Between Security & Convenience For years, finding the right balance between security and usability has been one of the biggest challenges for identity and access management (IAM) solution architects and designers. There are ongoing efforts in the industry to replace password-based authentication with something more secure, more convenient, and with minimum investment; such proposed methods seem to fall into...
  • 11/22/2016 - The Criminal Appeal of Advanced Ransomware: How Can Companies Protect Their Files? Advanced ransomware—malicious software designed to take control of a computer system and hold it hostage until the victims pay for its release—is one of the fastest-growing areas of cybercrime. Another closely related threat is cyberextortion, where attackers threaten to cause harm to a company by releasing sensitive information to the public or sustaining distributed denial-of-service...
  • 11/13/2016 - Industrial Control Systems (ICS) Ambiguity? Authored by Gareth Pritchard, Azeem Aleem, Peter Tran From the days of Slammer, Stuxnet, Shamoon, etc., to the recent Ukrainian (BlackEnergy) Power Grid and “Panel Shock” attacks, we are witnessing a sophisticated surge in the attack domains across industrial control systems. The shift from legacy systems towards process control networks with connectivity around enterprise...
  • 11/3/2016 - Tales from the Black Hat NOC: Setup in London Arrival into London went without a hitch. I then took the train to Angel station and walked to the Business Design Center, which is my home for the next week, during the Black Hat Europe 2016. After walking through the doors and finding my way I was greeted by a room full of boxes. Time to...
  • 10/31/2016 - Dyn DDoS Attack - How IoT Can Take Down the "Global Information Grid" Backbone (Part II) Authored by Nick Murray, Demetrio Milea, Peter Tran and Davide Veneziano In Part I, How IOT Can Take Down The “Global Information Grid” Back Bone, we discussed the mechanics of DNS in the context of the Dyn DDoS attack. In Part II of this blog, we will dive a bit deeper into the anatomy of the...
  • 10/25/2016 - The Dyn Attack - How IoT Can Take Down the "Global Information Grid" Back Bone (Part I) Authored by Nick Murray and Peter Tran Imagine that you are driving through downtown New York City (NYC) and only relying on your GPS for directions. All of a sudden, the GPS stops working and you are stuck in mid-town Manhattan traffic during rush hour. If you have ever tried to drive in NYC, you...
  • 10/4/2016 - The Life Cycle of a Threat Pattern Applying a structured approach to developing and maintaining significant threat patterns is absolutely key to successfully hunting for the advanced TTPs used by many motivated threat actors. In the post, Context in Risk-Based Threat Patterns, author Demetrio Milea suggested a simple and effective method borrowed from the Software Development Life Cycle (SDLC) to design and maintain threat patterns...
  • 8/20/2016 - Major Events and Hacktivism #OpOlympicHacking Introduction As anyone who tracks attacks on the internet can tell you, activists using hacking activity, aka “Hacktivists”, have discovered that a relatively basic hacking approach, with buy-in from disenfranchised groups of people, can have significant effects on online businesses. With names like #OpISIS, #OpParis, #OpMonsanto, #OpWhales, #OpKillingBay, #OpKKK, and #OpTrump, you can easily see...
  • 8/12/2016 - After Black Hat: Shaming is Easy (When You Don't Encrypt) During the Black Hat 2016 NOC outbrief session, Grifter, aka Neil Wyler made a counter-intuitive statement to a crowd of roughly 500 attendees, eager to see which of their online activities would be exposed center stage: “I look forward to the day when I can’t see anything you’re doing on the Black Hat network”. Wait… what?...
  • 8/5/2016 - Tales From The Black Hat NOC: Chaos So Organized, Even a T-Rex Can Do It By Wednesday morning, the traffic profile switched from compartmentalized, per-classroom monitoring, to a chaotic sea of conference wireless...
  • 8/1/2016 - Tales from the Black Hat NOC: Data in the Clear I started my day by reading an article about how to stay safe during Black Hat and DEF CON. There were suggestions like: don’t bring a laptop, don’t bring your smartphone, leave your wallet at home, and only carry cash. Why would such recommendations be made? Black Hat and DEF CON attract security professionals, as well...
  • 7/31/2016 - Tales from The Black Hat NOC: Organizing the Chaos A glimpse into training day. Yesterday marked the official start of Black Hat 2016, kicked off with various training courses spread throughout the convention center. For the RSA NOC team this meant a chance to validate yesterday’s installation and get an initial glimpse into the activity within and around the classroom and conference networks before the...
  • 7/6/2016 - Cybersecurity's Poverty Gap As we pass the halfway point of 2016, the United States Presidential election process is in full swing. Candidates continue to make the case for why their worldview is in the best interests of the nation. Perhaps no other topic polarizes the candidates and receives more prominence in this context than wealth inequality. Within cybersecurity,...
  • 6/30/2016 - Identifying Fraud Faster with Intelligence Feeds - Web Threat Detection v6 Online fraud remains as much a part of digital life as URLs. Fraudsters are constantly devising new ways to separate consumers from their money, login credentials, Personally Identifiable Information (PII), healthcare data and anything else that can be monetized. Even more, they are doing it with speed and sophistication, but most damaging, they do it...
  • 6/13/2016 - Current State of Cybercrime in 2016 The bon mot that “crime doesn’t pay” certainly predates the advent of cybercrime. Today, these digital hold-ups against businesses are highly profitable. Let’s face it: if cybercrime were a publicly traded stock, realizing the return on investment, we’d all be on the phone with our respective broker begging for them to include it in our...
  • 6/8/2016 - Cyber Risk Appetite: Defining and Understanding Risk in the Modern Enterprise In April, I wrote two blogs (How Hungry… and Appetite and Exercise) on the concept of risk appetite. I highlighted the fact that organizations must take on risk to drive growth within the business. That risk must be balanced with activities to manage the risk within a tolerance that is acceptable to the organization. Some...
  • 4/20/2016 - Find Friends and Credit Cards on Facebook: The New Cybercrime Reality Social media attracts all kinds. These sites are used for catching up with friends on Facebook, instant news dissemination on Twitter, partisan political viewpoints expressed in online forums, real-time reach outs on Snapchat, professional networking on LinkedIn — and now, not surprisingly, they’re used as global havens for cybercrime. With the release of the second...
  • 4/13/2016 - Appetite and Exercise In my last blog post, I posed the concept of Cyber Risk Appetite as something that all organizations need to consider today. I used the analogy of a balanced diet of risk – taking some risks to keep the business growing while avoiding so much risk that the business becomes bloated. The objective is to...
  • 4/11/2016 - /əbˈskjʊə.rɪ.ti/ - we need more of it. You have no idea what I think we need more of? Congratulations, that’s exactly my point. If you haven’t already googled the phrase above let me help you: /əbˈskjʊə.rɪ.ti/ means “obscurity”. All I did was write it using the International Phonetic Alphabet. That wasn’t that hard to find out but it wasn’t my intention to...
  • 4/6/2016 - How Hungry is your Organization? As someone who tries to watch my diet, I know how hard it is to deal with your own appetite. Several things that are my weakness – fresh bread, cold beer, pizza, the list goes on – are definitely not the best elements for a balanced diet. Most of the time I am able to deal...
  • 4/5/2016 - Defend the Kingdom - My Final Thoughts Episode #6 of Defend the Kingdom, “Ghost in the Machine”, brings to a close the dramatic battle between good and evil in both Marty’s imagination and his daily work as a security “hunter”. The episode reveals a highly skilled, persistent, maniacal adversary bent on the Kingdom’s ultimate destruction. In Marty’s alter-universe, he sees this as an...
  • 4/1/2016 - An Update on Terracotta VPN An update on Terracotta, the Chinese VPN service RSA first reported on in August 2015, which has been linked to the APT threat groups Deep_Panda / Shell Crew.
  • 3/29/2016 - E6 - Ghost in the Machine - Curtain Call The Hunter’s horse panted heavily and churned up dust as it raced down the dirt road towards the Frontier. The moonlight glanced off the swirling clouds of powder in the horse’s wake. The Hunter gritted his teeth as the horse careened around a corner. His mind raced. He wondered if he would make it in...
  • 3/22/2016 - The Apple iMessage Encryption Vulnerability A team of researchers at Johns Hopkins (Christina Garman, Matthew Green, Gabriel Kaptchuk, Ian Miers, and Michael Rushanan) discovered a profound vulnerability in how Apple’s iMessage encrypts data. The flaw allows the attacker to correctly guess the cryptographic key that decrypts iMessage attachments, which enables the attacker to determine the contents of the underlying data....
  • 3/22/2016 - E6 - Ghost in the Machine - No Longer Fun and Games Dave Reinhardt, gritty, determined, wizard of MagnaCorp security, arranged his notes on the conference room table once more. He sat alone briefly while the team took a break. As he arranged the pages for his upcoming briefing to his fellow executives, he paused to look around the room. The whiteboards of the breach war room...
  • 3/17/2016 - Ransomware: The New Cyber Kryptonite And then, there was irony. While Apple has been able to hold out against the FBI demanding it produce a backdoor into the iPhone used in the recent San Bernardino attack, it was unable to render a similar defense against a strain of ransomware that recently, albeit briefly, infected its own Mac computers. The recent...
  • 3/15/2016 - E6 - Ghost in the Machine - Phantom Tracks The Ghost exited the massive wagon nodding at the Guard as he passed. His trips to the wagon had been spaced out such that he knew each Guard had only seen him minimally. Once he had figured out the rotation of the guards’ schedules, it took only patience and time to determine the frequency and...
  • 3/9/2016 - The Defining Issue of our Time In his acceptance speech for the Lifetime Achievement Award at RSA Conference, Art Coviello once again, as so many times in the past, showed the exceptional insight and leadership that has been his hallmark throughout his career. There have been many discussions this week about the interrelationship of privacy and security, particularly in the context...
  • 3/8/2016 - E6 - Ghost in the Machine - Honey, I'm Home Greg and Marty exited the data center and made a beeline to their cubicles. Their smug looks made it apparent they were up to no good and enjoying it. They had just left their partners in crime – Erin and Carl – with a laundry list of To Dos. Erin and Carl were now busily...
  • 3/1/2016 - How Organizations Think About Threat Detection: Results from the RSA Threat Detection Survey The famous British naturalist Charles Darwin believed that it isn’t the strongest or fastest who survive, but rather it’s those who are most adaptable to change. For RSA’s customers, that requires acknowledging and understanding how effective they are at detecting as well as investigating cyber threats today, and determining how they should best evolve moving...
  • 2/29/2016 - Hiding in Plain Sight: The Growth of Cybercrime in Social Media Social media attracts all kinds. These sites are used for catching up with friends on Facebook, instant news dissemination on Twitter, partisan political viewpoints expressed in online forums, real-time reach outs on Snapchat, professional networking on LinkedIn — and now, not surprisingly, they’re used as global havens for cybercrime. Today, we are announcing the release...
  • 2/23/2016 - E5 - The Flies and the Hornet - Technical Dialogue Episode #5 of Defend the Kingdom, “The Flies and the Hornet”, begins with Marty briefing Dave Reinhardt the CISO on a significant compromise of MagnaCorp’s security. Improper logins, remnants of cracking utilities and other evidence clearly indicate a serious problem. The source of the intrusion, while still unknown at this time, points towards a nefarious...
  • 2/19/2016 - Threat Detection Techniques - ATM Malware There once was a time when stealing money from a bank ATM required actual physical manipulation of the terminal itself. Many criminal schemes have been repeated throughout the years, ranging from physical destruction of the terminal (ramming it with a vehicle) to the use of ‘skimmers’ to steal customer credentials. Successful ATM capers were not...
  • 2/16/2016 - E5 - The Flies and the Hornet - The Hornet's Sting The Ghost waited patiently on a hill overlooking the castle and contemplated his last few days. His journey from the Frontier had been eventful. Hiding from shadow to shadow, he had traversed the miles with deliberation and an overabundance of caution from his first entry into the Kingdom. Abandoned hunting shacks, ancient caves, run down...
  • 2/10/2016 - E5 - The Flies and the Hornet - Swatting Flies “How’s it coming?” Marty entered Erin’s office unannounced. They had spent so much time shuttling back and forth between his desk and her office that they dropped all formalities and decorum. Erin looked up from her screen. “Swatting flies,” she said wearily. ‘Swatting flies’ had become their slogan as they tracked down compromised accounts and...
  • 2/5/2016 - The Role of Tor in Cybercrime Tor is used by anyone who wants to remain anonymous on the Internet. The price of anonymity is performance and an increased risk of malicious content. And while Tor can be used to conduct both legal and illegal activities, the predominant use cases are not good.
  • 2/2/2016 - E5 - The Flies and the Hornet - Insect Bites A cool breeze whisked through the window causing the scrolls on the Wizard’s desk to rattle and tremor. The wise man shifted a large scroll to weigh down some loose papers. He reallocated a heavy paper weight to secure some more papers. The weather had turned cold but the Wizard enjoyed the brisk air flowing...
  • 1/28/2016 - First principles of a Cyber Threat Intelligence Program Recently, as part of the scope of establishing a Security Operation Center for a European telecommunications company, I have been asked to develop a cyber threat intelligence (CTI) program. The goal is to better understand the motives, capabilities and objectives of threat actors that might seek to target the organization so that adequate countermeasures could...
  • 1/26/2016 - E5 - The Flies and the Hornet - Holes in the Screen Door The Hunter sat in the shadows cast by the immense castle tower. Beneath his right hand purred his intrepid companion, The Cat. Together they languished in the relative coolness of the shade waiting patiently. Their position gave them an excellent view of the gate leading into the inner realm of the castle. Staring across the...
  • 1/19/2016 - E4 - Storms on the Horizon - Technical Dialogue Defend the Kingdom security mini series
  • 1/15/2016 - Saving two birds with one stone: A new fast and robust coding scheme There is a lot of important data in our digital world, which – whether in transit or at rest – we want to keep secure and available in the face of unexpected loss or corruption. Error correcting codes (ECCs) are an important tool for achieving reliable data transmission or storage over unreliable networks or media,...
  • 1/12/2016 - E4 - Storms on the Horizon - Gathering Forces Defend the Kingdom security series
  • 1/5/2016 - E4 - Storms on the Horizon - The Weather Turns Cold Defend the Kingdom security series