McAfee Labs Threats Report September 2018


REPORT

McAfee Labs Threats Report, September 2018

Top stories of the quarter

- Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140)
- Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security
- AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

1 McAfee Labs Threats Report, September 2018

Introduction

McAfee Global Threat Intelligence analyzed, on average, 1,800,000 URLs, 800,000 files, and another 200,000 files in a sandbox each day in Q2.

This report was researched and written by: Christiaan Beek, Carlos Castillo, Cedric Cochin, Ashley Dolezal, Steve Grobman, Charles McFarland, Niamh Minihane, Chris Palm, Eric Peterson, Steve Povolny, Raj Samani, Craig Schmugar, ReseAnne Sims, Dan Sommer, and Bing Sun.

Welcome to the McAfee Labs Threats Report September 2018. In this edition, we highlight the notable investigative research and trends in threats statistics gathered by the McAfee Advanced Threat Research and McAfee Labs teams in Q2 of 2018.

Cybercriminals continue to follow the money. Although this statement is familiar, our latest Threats Report clearly shows the migration from certain older attacks to new threat vectors as they become more profitable. Just as in Q1, we see the popularity of cryptocurrency mining continue to rise.

In this report we detail recent findings from three McAfee Labs analyses that appeared in Q2. You can read summaries of each on pages 5-7. One area of investigation by our research teams is in digital assistants. In Q2 we analyzed a vulnerability in Microsoft’s Cortana. This flaw allowed an attacker to log into a locked Windows device and execute code. Following our vulnerability disclosure policy, we communicated our findings to Microsoft; the analysis resulted in CVE-2018-8140. We also examined the world of cryptocurrency attacks with an in-depth view of blockchain technology. Our report detailed many of the vulnerabilities being exploited by threat actors looking for a quick return on their investment.

Turning to malware, our report details an area of cybercrime that is often poorly reported compared with the large-scale and “noisy” ransomware attacks of the past 18 months. Billing fraud has been the modus operandi of multiple threat actor groups for some time. We examine a campaign by the AsiaHitGroup that has attempted to charge 20,000 victims using apps from official stores such as Google Play.

In Q2, McAfee Global Threat Intelligence received an average of 49 billion queries per day. Meanwhile, the amount of new malware has fallen for the second successive quarter; however, this may not be significant because we saw a spike in Q4 of 2017, and new samples have been relatively flat for four of the past five quarters. New mobile malware samples increased 27% in Q2; this is the second successive quarter of growth. Coin miner malware remains very active; total samples grew by 86% in Q2, with more than 2.5 million new files added to the malware database.

We are pleased to let you know that all of our research is now available on the McAfee ePolicy Orchestrator (McAfee ePO) platform, starting with Version 5.10.0. This is in addition to our usual social channels, detailed below, plus the home pages of McAfee Labs and McAfee Advanced Threat Research.

Stay Safe. Stay Informed.

—Steve Grobman, Chief Technology Officer
—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter: @SteveGrobman, @Raj Samani

Table of Contents

5  Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140)
6  Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security
7  AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play
9  Threats Statistics

Top stories of the quarter

Want to Break Into a Locked Windows 10 Device? Ask Cortana (CVE-2018-8140)

McAfee Labs and the Advanced Threat Research team discovered a vulnerability in the Cortana voice assistant in Microsoft Windows 10. The flaw, for which Microsoft provided a fix in June, can lead to unauthorized code execution. We explain how this vulnerability can be used to execute code from the locked screen of a fully patched Windows 10 machine (RS3 and RS4 before the June patch). In this analysis, we address three vectors of research that have been combined by Microsoft and together represent CVE-2018-8140. The first of these is an information leak; we finish with a demo showing full code execution to log in to a locked Windows device. We submitted the vulnerability to Microsoft in April as part of the Advanced Threat Research team’s responsible disclosure policy. Attribution for this vulnerability submission goes to Cedric Cochin, Cyber Security Architect and Senior Principal Engineer.

Figure 1. With four basic steps, an attacker can exploit Cortana and gain full control of a Windows 10 system. [Diagram panels: Microsoft Cortana vulnerability; Initial execution; 1st stage payload: execute PS1 payload (AMSI bypass, remove Defender from the equation, then UAC bypass); 2nd stage payload: execute PS1 with HIGH integrity (no UAC); Actions on objective: credentials reset, adversary now has full access to locked user’s session.]

Threat Report: Don’t Join Blockchain Revolution Without Ensuring Security

Due to the increasing popularity of cryptocurrencies, the blockchain revolution is in full swing. Cybercriminals have also found new angles, including illegal coin mining and theft, leading to profits. The McAfee Advanced Threat Research team published in June a blockchain threat report to explain current threats against the users and implementers of blockchain technologies.

Even if you have not heard of blockchain, you have likely heard of cryptocurrencies, especially Bitcoin, the most popular implementation. Cryptocurrencies are built on top of blockchain, which records transactions in a decentralized way and enables a trusted “ledger” between trustless participants. Each block in the ledger is linked to the next block, creating a chain. The chain enables anyone to validate all transactions without going to an outside source. From this, decentralized currencies such as Bitcoin are possible. In this report, we examine the primary attack vectors: phishing, malware, implementation vulnerabilities, and …

Figure 2. A proof-of-work blockchain, building on each previous hash. Source: https://bitcoin.org/bitcoin.pdf [Diagram: each block holds Prev Hash, Nonce, and Data. Miners “hash” a block until a valid hash is found, incrementing the Nonce between attempts. The valid hash becomes part of the next block. The chain can be followed by using the previous hash of each block.]
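The chain in Figure 2 can be reproduced in a few dozen lines, which also shows the property the paragraph asserts but the figure does not draw: a verifier who follows the previous-hash links can check every block with no outside source, and any rewritten block breaks the chain. The following is an added example written for this page, not code from the McAfee report or from the bitcoin.org paper it cites. It assumes a simplified block layout (prev_hash | nonce | data hashed with SHA-256) and a “leading zero bits” difficulty target; neither matches Bitcoin’s real header format, and the transaction strings are constructed sample data.

```python
"""Toy proof-of-work chain illustrating Figure 2.

Added example; not code from the McAfee report or from bitcoin.org. The
block layout (prev_hash | nonce | data), SHA-256 over that string, and the
"leading zero bits" target are simplifying assumptions, not Bitcoin's real
block header format or difficulty encoding. Transaction strings are
constructed sample data.
"""
import hashlib
from dataclasses import dataclass

DIFFICULTY_BITS = 16     # a valid hash must begin with this many zero bits (assumption)
GENESIS_PREV = "0" * 64  # the first block points at an all-zero "previous hash"


@dataclass
class Block:
    prev_hash: str  # hex SHA-256 of the previous block (GENESIS_PREV for the first)
    data: str       # the block's payload, a constructed transaction record here
    nonce: int = 0  # counter the miner increments between attempts

    def hash(self) -> str:
        payload = f"{self.prev_hash}|{self.nonce}|{self.data}".encode()
        return hashlib.sha256(payload).hexdigest()


def meets_target(digest_hex: str, bits: int = DIFFICULTY_BITS) -> bool:
    """True if the top `bits` bits of the 256-bit digest are all zero."""
    return (int(digest_hex, 16) >> (256 - bits)) == 0


def mine(block: Block, bits: int = DIFFICULTY_BITS) -> Block:
    """'Miners hash a block until a valid hash is found, incrementing the Nonce.'"""
    block.nonce = 0
    while not meets_target(block.hash(), bits):
        block.nonce += 1
    return block


def build_chain(records, bits: int = DIFFICULTY_BITS):
    """Mine one block per record; each block's prev_hash is the previous block's valid hash."""
    chain, prev = [], GENESIS_PREV
    for rec in records:
        blk = mine(Block(prev_hash=prev, data=rec), bits)
        chain.append(blk)
        prev = blk.hash()
    return chain


def validate_chain(chain, bits: int = DIFFICULTY_BITS):
    """Follow the chain by each block's previous hash, re-deriving every hash.

    Returns (True, -1) if every block links to its predecessor and meets the
    target, else (False, index_of_first_bad_block). No outside source is needed.
    """
    expected_prev = GENESIS_PREV
    for i, blk in enumerate(chain):
        if blk.prev_hash != expected_prev:   # link to predecessor broken
            return False, i
        digest = blk.hash()
        if not meets_target(digest, bits):    # proof of work no longer valid
            return False, i
        expected_prev = digest
    return True, -1


def tamper_demo(bits: int = DIFFICULTY_BITS):
    """Rewrite one block's data without re-mining and show that validation catches it."""
    chain = build_chain(["alice->bob:5", "bob->carol:2", "carol->dave:1"], bits)
    ok_before, _ = validate_chain(chain, bits)
    chain[1].data = "bob->carol:200"  # altered history; its stored nonce no longer fits
    ok_after, first_bad = validate_chain(chain, bits)
    return ok_before, ok_after, first_bad


if __name__ == "__main__":
    for b in build_chain(["alice->bob:5", "bob->carol:2"]):
        print(f"nonce={b.nonce:>6}  hash={b.hash()[:16]}...  prev={b.prev_hash[:16]}...")
    print("tamper_demo (ok_before, ok_after, first_bad):", tamper_demo())
```

Validation reports the first block at which either the previous-hash link or the proof of work fails; with a 16-bit target, mining a block takes on the order of tens of thousands of hash attempts, so the script finishes in well under a second, and raising DIFFICULTY_BITS shows why rewriting history gets expensive as the chain grows.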

AsiaHitGroup Gang Again Sneaks Billing-Fraud Apps Onto Google Play

The McAfee Mobile Research team found a new billing fraud campaign of at least 15 apps published in 2018 on Google Play. Toll fraud (which includes billing fraud) is a leading category of potentially harmful apps on Google Play, according to the report “Android Security 2017 Year in Review.” This new campaign demonstrates that cybercriminals keep finding new ways to steal money from victims using apps on official stores such as Google Play. The actors behind this campaign, the AsiaHitGroup Gang, have been active since at least late 2016 with the distribution of the fake-installer applications Sonvpay.A, which attempted to charge at least 20,000 victims from primarily Thailand and Malaysia for the download of copies of popular applications. One year later, in November 2017, a new campaign was discovered on Google Play, Sonvpay.B, which used IP address geolocation to confirm the country of the victim and added Russian victims to the billing fraud to increase its potential to steal money from unsuspecting users. Our investigation explains how the malware in these campaigns works.

Figure 3. Malicious apps from the AsiaHitGroup Gang formerly found on Google Play. [Screenshots of the app listings.]

Statistics

McAfee Global Threat Intelligence

Every quarter, the McAfee Global Threat Intelligence (McAfee GTI) cloud dashboard allows us to see and analyze real-world attack patterns that lead to better customer protection. This information provides insights into attack volumes that our customers experience. Each day, on average, McAfee GTI received 49 billion queries and 13 billion lines of telemetry, while analyzing 1,800,000 URLs and 800,000 files, plus another 200,000 files in a sandbox.

- McAfee GTI protections against malicious files reported 86,000 (0.1%) of them risky in Q2, out of 86 million tested files.
- McAfee GTI protections against malicious URLs reported 365,000 (0.5%) of them risky in Q2, out of 73 million tested URLs.
- McAfee GTI protections against malicious IP addresses reported 268,000 (0.4%) of them risky in Q2, out of 67 million tested IP addresses.

Threats Statistics

10  Malware
17  Incidents
19  Web and Network Threats

Malware

[Charts: New malware; Total malware; New Mac OS malware; Total Mac OS malware. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

Malware data comes from the McAfee Sample Database, which includes malicious files gathered by McAfee spam traps, crawlers, and customer submissions, as well as from other industry sources.

[Charts: New mobile malware; Total mobile malware. Quarterly counts, Q3 2016 through Q2 2018. Regional mobile malware infection rates (percentage of mobile customers reporting infections; regions: Africa, Asia, Australia, Europe, North America, South America; Q3 2017 through Q2 2018). Global mobile malware infection rates (percentage of mobile customers reporting infections, Q3 2016 through Q2 2018). Source: McAfee Labs, 2018.]

[Charts: New ransomware; Total ransomware; New Android lockscreen malware; Total Android lockscreen malware. Quarterly counts through Q2 2018. Source: McAfee Labs, 2018.]

[Charts: New malicious signed binaries; Total malicious signed binaries; New exploit malware; Total exploit malware. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

Certificate authorities provide digital certificates that deliver information once a binary (application) is signed and validated by the content provider. When cybercriminals obtain digital certificates for malicious signed binaries, attacks are much simpler to execute.

Exploits take advantage of bugs and vulnerabilities in software and hardware. Zero-day attacks are examples of successful exploits. For an example, see the McAfee Labs post “Analyzing Microsoft Office Zero-Day Exploit CVE-2017-11826: Memory Corruption Vulnerability.”

[Charts: New macro malware; Total macro malware; New Faceliker malware; Total Faceliker malware. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

Macro malware usually arrives as a Word or Excel document in a spam email or zipped attachment. Bogus but tempting filenames encourage victims to open the documents, leading to infection if macros are enabled.

The Faceliker Trojan manipulates Facebook clicks to artificially “like” certain content. To learn more, read this post from McAfee Labs.

[Charts: New JavaScript malware; Total JavaScript malware; New PowerShell malware; Total PowerShell malware. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

For more on JavaScript and PowerShell threats, read “The rise of script-based malware,” from an earlier McAfee Labs Threats Report.

[Charts: New LNK malware; Total LNK malware; New coin miner malware; Total coin miner malware. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

Cybercriminals are increasingly using .lnk shortcuts to surreptitiously deliver malicious PowerShell scripts and other malware.

Coin miner malware hijacks systems to create (“mine”) cryptocurrency without victims’ consent or awareness. New coin miner threats have jumped massively in 2018.

Incidents

[Charts: Publicly disclosed security incidents by region (number of publicly disclosed incidents; regions including Europe, Africa, and Multiple; Q3 2016 through Q2 2018). Top 10 attack vectors in 2017–2018 (number of reported breaches; vectors: Unknown, Malware, Account Hacking, Leak, Unauthorized Access, Multiple, W-2 Scam, Denial of Service, Defacement). Source: McAfee Labs, 2018.]

Security incidents data is compiled from several sources, including haveibeenpwned.com and databreaches.net.

The majority of attack vectors are either not known or not publicly reported.

[Charts: Top 10 targeted sectors in 2017–2018 (number of reported breaches; sectors include Public, Health Care, Education, Multiple, Retail, Technology, and Cryptocurrency). Top sectors targeted in North and South America (number of reported breaches, Q3 2017 through Q2 2018; Public and Health Care lead). Source: McAfee Labs, 2018.]

Web and Network Threats

[Charts: New suspect URLs; New malicious URLs; New malicious downloads; New phishing URLs. Quarterly counts, Q3 2016 through Q2 2018. Source: McAfee Labs, 2018.]

The McAfee TrustedSource Web Database contains URLs (web pages) organized into categories, based on web reputation, to use with filtering policies to manage web access. Suspect URLs are the total number of sites that earn High Risk or Medium Risk scores. Malicious URLs deploy code, including “drive-by” executables and Trojans, designed to hijack a computer’s settings or activity. Malicious downloads come from sites that allow users, sometimes without their knowledge, to inadvertently download code that is harmful or annoying. Phishing URLs are web pages that typically arrive in hoax emails to steal user account information.

[Charts (percentages by volume, Q2 2018): Top malware connecting to control servers in Q2 (families include Mirai, GoScanSSH, Wapomi, Muieblackcat, and Others). Spam botnet prevalence by volume in Q2 (Gamut, Necurs, Others). Top countries hosting botnet control servers in Q2 (United States, France, Japan, United Kingdom, Hong Kong, Brazil, China, Others). Top network attacks in Q2 (Brute force, Web, SSL, DNS, Scan, Denial of service, Server message block, Others). Source: McAfee Labs, 2018.]

The Gamut spam botnet outpaced all others during Q2. Most notably, it pushed “Canada Revenue Agency” phishing scams in high volume. Recent campaigns were related to bogus job offers that are commonly used as a “money mule” recruitment tactic.

About McAfee

McAfee is the device-to-cloud cybersecurity company. Inspired by the power of working together, McAfee creates business and consumer solutions that make our world a safer place. By building solutions that work with other companies’ products, McAfee helps businesses orchestrate cyber environments that are truly integrated, where protection, detection, and correction of threats happen simultaneously and collaboratively. By protecting consumers across all their devices, McAfee secures their digital lifestyle at home and away. By working with other security players, McAfee is leading the effort to unite against cybercriminals for the benefit of all.

About McAfee Labs and Advanced Threat Research

McAfee Labs, led by McAfee Advanced Threat Research, is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threats vectors—file, web, message, and network—McAfee Labs and McAfee Advanced Threat Research deliver real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risk.

www.mcafee.com

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright 2018 McAfee LLC. September 2018.
