Looking at the latest Ryuk activity today shows that an IP address 52[.]158[.]209[.]219 is consistently showing up and pushing the payloads associated with the Ransomware. The only question is why? With the vast resources at Microsoft it is making us wonder if they have the data needed to keep web users safe from attack. We know that many attackers utilize Azure and AWS and similar hosting providers because it's difficult if not impossible to block activity from these environ

The team at Jigsaw Security is watching closely a campaign known as Capesand. It appears as though the exploit kit is in active development and we have been tracking activity associated with the threat actor. The exploits observed are not all new but newer vulnerabilities are being leveraged to gain a foothold on victims computers. Observed Vulnerabilities Some of the observed vulnerabilities include CVE-2019-0752 aimed at targeting Internet Explorer users and CVE-2018-4878 a

During a recent review of threat intelligence data, our team outlined something we have known for quite awhile. In short Cloudflare the provider the protects companies from DDOS attacks is also propagating malicious content and caching it even after it has been taken down elsewhere. We previously reported on some issues with Verizon in which we observed caching and CDN's hosting thousands of unique malware samples that updated daily so we suspected this same issue would also

We have been watching a campaign that appears to be generating quite a bit of revenue for the threat actors. We started seeing this a few weeks back but the level of activity is increasing so we thought we would share some information with our readers. A known accomplice The domain associated with this activity www.pvtntwk[.]com is known to the Jigsaw Security team as well as VirusVault. We started seeing reports of malware being pushed from this domain starting a few weeks b

One of the most common questions we get at Jigsaw Security is routinely the question as to whether or not Anti-Virus protection is enough. When we tell our customers that we don't run Anti-Virus, some ask why and other tell us were crazy. In fact we have not run persistent Anti-Virus products since 2012. The reason being is that Anti-Virus will not detect several types of malware and is in our opinion wholly outdated. This is why vendors such as Symantec and OpenText use endp

Jigsaw Security is aware of a highly successful campaign to target Government and security industry professionals the world over. On 18 January, 2018 Jigsaw Security detected highly suspicious traffic on Windows, Linux, Android and Mac devices. We have seen similar information published from Lookout Security and at first we thought that it was just another campaign. What is troubling is that the indicators being shared are now outdated and the threat actors have moved on to a

The Security Development Team is pleased to announce that we are in final testing of an Elasticsearch, MISP (Malware Information Sharing Platform) and Maltrail sensor integration our EMM solution. We expect to release the EMM VM on November 1st, 2017. The VM will only be available as open source but those customers wanting to use Jigsaw Threat Intelligence must subscribe to get an API key for our malware feed. Maltrail: Maltrail is a malicious traffic detection system that is

One of the things we have noted is there is a shift away from Anti-Virus products and a move toward better technologies such as network traffic string detection. As we reported earlier this year we are seeing very specific attacks on Anti-Virus technology itself. In fact we have seen some actors targeting the Anti-Virus eco-system by exploiting the fact that Anti-Virus has to run as a privileged process to actually be effective. Because of this hackers are starting to target

In case you haven't been following the recent news a new variant of malware known as WCRY has been causing havoc in several countries with limited exposure so far in the US. What is interesting is that the author of the malware included a killswitch that was activated by a security researcher as soon as he identified it. This slowed the initial infection but has since been removed with additional samples being spotted that do not require the domain that was sinkholed to infec