Symantec Company Profile (Archived Report)

Archived Report
Symantec
Company Profile

by Karen Spring

Docid: 00014983

Publication Date: 2002

Report Type: VENDOR

Preview

Symantec was a leading IT security vendor. Best known for its popular Norton
antivirus products for the consumer market, Symantec delivered security for
email, endpoints, networks, and the cloud and catered to the enterprise market.
In late 2019, Broadcom purchased Symantec’s Enterprise Security software unit,
along with the Symantec name, for $10.7 billion. The remaining consumer business
from Symantec was rebranded NortonLifeLock. In early 2020, Accenture announced
that it would buy Symantec’s Cyber Security Services business from Broadcom.

Fast Facts


Name: Broadcom
Headquarters: 1320 Ridder Park Drive, San Jose, CA 95131
Phone: (408) 433-8000
Web site: https://www.broadcom.com/
Founded: 1961
Service Areas: Semiconductors, infrastructure software


Profile


Symantec was previously known as a leading IT security software vendor with
customers ranging from the consumer to the enterprise. The name "Symantec" was a
portmanteau of the words "syntax" and "semantics." The company’s flagship
offering, Norton, offered antivirus, Internet security, and spyware protection
for both businesses and consumers. Enhanced by acquisitions, Symantec’s product
portfolio also included endpoint security, risk management, and compliance
software; and managed and hosted services.

Founded in 1982, Symantec grew into a Fortune 500 company
through a combination of internal development, strategic acquisition, and
partnering with industry leaders. Symantec provided solutions,
products, and services to more than 350,000 organizations and 50 million
individuals around the world. 

After divesting Veritas in 2016, the company went through a major restructuring
to increase its focus on enterprise security while exiting the data management
market.

In November 2019, Symantec’s Enterprise Security software division was sold to
Broadcom in a deal valued at nearly $11 billion. The transaction included the
purchase of the Symantec name. The remaining portion of Symantec, which caters
to the consumer security market, has been rebranded NortonLifeLock. In January
2020, Accenture announced plans to purchase Symantec’s Cyber Security Services
business from Broadcom. 

History & Milestone Events

Symantec’s history included several acquisitions. Some major milestones are shown in the following
timeline:

  • 1982 – Symantec was founded by Dr. Gary Hendrix.
  • 1984 – The company was purchased by Gordon E. Eubanks, former founder of
    C&E Software. He went on to serve as president and CEO.
  • 1989 – Symantec went public through an IPO on NASDAQ.
  • 1990 – Symantec merged with Peter Norton Computing. The company began
    offering many of its products under the Norton brand name.
  • 1997 – Symantec divested its FormFlow product line to JetForm.
  • 1998 – The company purchased the anti-virus operations of IBM and Intel.
  • 1999 – The company acquired Quarterdeck, its major rival.
  • 1999 – John Thompson took the CEO position, becoming the first
    African-American CEO of a major software player.
  • 2000 – Symantec became a major player in the enterprise security industry
    through its acquisition of AXENT Technologies in December.
  • 2001 – The company acquired Mountain Wave, Riptech, SecurityFocus, and
    Recourse Technologies.
  • 2003 – Acquired PowerQuest.
  • 2004 – Acquired ON Technology.
  • 2005 – Acquired Veritas, Sygate Technologies, and WholeSecurity.
  • 2006 – Acquired Bindview Development Corporation, IMlogic, and Relicore.
  • 2007 – Purchased Altiris and Vontu.
  • 2008 – Purchased AppStream, PC Tools, and MessageLabs. John W. Thompson
    retired as CEO but remained with the company as chairman.
  • 2009 – Bought Mi5 Network, a Web security company. New CEO Enrique Salem
    took the helm.
  • 2010 – Agreed to buy Gideon Technologies, a provider of information
    security products. Inked an exclusive resale deal with Comcast. Purchased
    VeriSign’s identity and authentication business for $1.28 billion.
  • 2011 – Exited its joint venture with Huawei and sold off its 49% stake in
    that business for $530 million. Purchased Clearwell Systems for $390
    million.
  • 2012 – Hired new CEO Steve Bennett after the Board decided that Enrique
    Salem should step down. Acquired LiveOffice, a cloud-based archiving
    company, for $115 million.
  • 2013 – During his first year as CEO, Bennett launched a reorganization to
    reunite consumer and business operations in recognition of the crossover
    brought on by mobile devices and the cloud. Bennett assured investors amid
    layoffs in sales and marketing that the company would still have a Norton
    brand.
  • 2014 – Hired another CEO, Michael Brown, in August as the reorganization
    continued. Symantec also faced damages of about $145 million USD sought by
    the US Department of Justice related to the company’s alleged use of
    fraudulent heightened warnings to scare consumers into buying
    higher-priced security plans.
  • 2015 – Forced to pay $17 million USD in damages after a federal jury ruled
    in February that Symantec had violated two patents owned by Intellectual
    Ventures. The fine was far less than the original $298 million lawsuit,
    and the jury ruled that Symantec did not infringe a third patent in
    question.
  • 2016 – Symantec sold its Veritas subsidiary, acquired in 2005, which the
    company had never fully been able to integrate into its operations. In
    August, Symantec acquired Blue Coat, a provider of Web security offerings
    for enterprises and governments, for approximately $4.65 billion. Michael
    Fey was named president and COO of the company. In December, Symantec
    filed a patent infringement suit against Zscaler claiming that certain
    Zscaler products violated seven of Symantec’s patents across its network
    security lines. Symantec announced it would acquire LifeLock for $2.3
    billion.
  • 2017 – DigiCert completed the acquisition of Symantec’s Website Security
    and related PKI solutions in October for $950 million. In July, Symantec
    announced plans to acquire Skycure, an Israel-based mobile threat defense
    vendor.
  • 2018 – Symantec acquired Appthority, a provider of mobile application
    security technology, and Javelin Networks, a company that offered software
    to defend against Active Directory-based attacks. COO and President
    Michael Fey resigned his positions with Symantec. CEO Greg Clark took on
    the role of president.
  • 2019 – Greg Clark stepped down as CEO and Richard Hill was appointed to
    take Symantec’s helm. The vendor acquired Luminate Security, a privately
    held company with experience in software-defined perimeter technology.
    Executive Vice President and CFO Nicholas Noviello announced he would step
    down and the company embarked on a search for a new CFO. Symantec
    announced in August that it would sell off its Enterprise Security assets
    – including the Symantec name – to Broadcom in a transaction valued at
    $10.8 billion. The sale closed in November. The remaining portion of the
    company, which markets to consumers, has been renamed NortonLifeLock.
  • 2020 – Accenture will acquire Symantec’s Cyber Security Services business
    from Broadcom.

Strategy


Symantec’s products are marketed as vital to securing the enterprise and
ensuring network continuity. Broadcom purchased the Enterprise Software
division of Symantec in 2019 along with the Symantec name. The remaining
consumer business from Symantec now operates under the NortonLifeLock name.

Broadcom’s purchase of Symantec is part of that vendor’s broader push into
the enterprise cybersecurity market. The Symantec acquisition certainly
gives Broadcom a wealth of security portfolios to offer alongside its
storage, optical products, and enterprise software.

Symantec’s name continues to live on through its enterprise security products,
which are now part of Broadcom’s solutions portfolio. However, Symantec as a
company is no more. In January 2020, Accenture announced that it would acquire
Symantec’s Cyber Security Services business from Broadcom, taking over the
global threat monitoring and analysis offerings, in a deal expected to close in
March. Although Symantec had made some changes over the past few years to
reposition itself in the enterprise security market, it seems that the entire
company has now been dismantled. The name "Symantec" now attaches only to
security products.

Product Lines


Symantec’s products are built upon its Integrated Cyber Defense platform,
which combines cloud and on-premises security to deliver advanced threat
protection and information protection across endpoints, networks, email, and
cloud applications. Key components in this suite are:

Core Services

  • Advanced Threat Protection
  • Information Protection

Control Points

  • Endpoint Security
  • Network Security
  • Email Security
  • Cloud Security

Symantec’s security products are marketed to small businesses,
small/home offices, and the enterprise.
Table 1 outlines Broadcom’s Symantec security products for the enterprise.

Table 1. Broadcom’s Symantec Security Products

Product: Advanced Threat Protection
Description: This portfolio uses threat prevention, detection, and forensics
to provide a view of malicious activities across all control points.
  Endpoint Protection Family
    • Endpoint Detection and Response
  Messaging Security Family
    • Email Threat Detection and Response
  Hybrid Cloud Security Family
  Encrypted Traffic Management Family
  Secure Web Gateway Family
    • Content and Malware Analysis
    • Network Forensics and Security Analytics
    • Web Isolation
    • WebFilter/Intelligence Services
    • Web Application Firewall and Reverse Proxy
Competing Products: McAfee, Palo Alto Networks, FireEye, IBM, Dell EMC,
Trend Micro, Kaspersky, Sophos

Product: Endpoint Security
Description: To protect everything from the desktop and server to mobile and
Internet of Things devices, Symantec offers the following Endpoint Security
products:
  Endpoint Security Family
    • Endpoint Security Enterprise
    • Endpoint Security Complete
    • Endpoint Protection Mobile
    • Endpoint Detection and Response
    • Endpoint Threat Defense for Active Directory
  IoT Family
  Hybrid Cloud Security Family
    • Data Center Security
    • Cloud Workload Protection
    • Storage Protection
  Endpoint Management Family
    • Client Management Suite
    • Server Management Suite
    • Asset Management Suite
    • Ghost Solution Suite
Competing Products: McAfee, Microsoft, Kaspersky, Sophos

Product: Information Protection
Description: Products within the Information Protection suite consist of:
  DLP Family
    • Data Loss Prevention
    • Data Loss Prevention Cloud and Symantec CloudSOC
    • Data Loss Prevention Cloud Service for Email
  Information Centric Security Family
    • Information Centric Analytics
    • Information Centric Tagging
    • Information Centric Encryption
  Identity Family
    • VIP Enterprise
    • VIP Consumer
  Encryption Family
    • Endpoint Encryption
    • Desktop Email Encryption
    • File Share Encryption
Competing Products: RSA, McAfee, Microsoft, Dell EMC

Product: Email Security
Description: To protect email and other forms of communication, Symantec’s
products include:
  Email Security Family
    • Email Security.cloud
    • Messaging Gateway
    • Advanced Threat Protection for Email
    • Phishing Readiness
    • Mail Security for Microsoft Exchange
  DLP Family
    • Data Loss Prevention Cloud Service for Email
  Encryption Family
    • Desktop Email Encryption
    • Gateway Email Encryption
Competing Products: Microsoft, Proofpoint, Sophos

Product: Cloud App Security
Description: To secure cloud access, infrastructure, and applications,
Symantec offers the following:
  Hybrid Cloud Security Family
    • Cloud Workload Protection
    • Control Compliance Suite
    • Storage Protection
  Secure Web Gateway Family
    • Web Security Services
    • Secure Access Cloud
    • Web Isolation
    • Malware Analysis Service
    • Trusted Mobile Device Security Service
    • Web Application Firewall and Reverse Proxy
  DLP Family
    • Data Loss Prevention Cloud and Symantec CloudSOC
    • Data Loss Prevention Cloud Service for Email
  Email Security Family
    • Email Security.cloud
    • Email Threat Detection and Response
  Identity Family
    • VIP
Competing Products: McAfee, Cisco, Dell EMC, Kaspersky, Sophos

Product: Web and Network Security
Description: The Network Security portfolio delivers multi-layered protection
against both inbound and outbound threats.
  Secure Web Gateway Family
    • Web Security Service
    • ProxySG and Advanced Secure Gateway
    • Web Isolation
    • Secure Access Cloud
    • Content and Malware Analysis
    • WebFilter/Intelligence Services
    • Web Application Firewall and Reverse Proxy
    • Management Center and Reporting
  Encrypted Traffic Management Family
    • SSL Visibility Appliance
  Network Performance Optimization Family
    • MACH5
    • PacketShaper
  Cloud Access Security Broker Family
  DLP Family
  Identity Family
Competing Products: Palo Alto Networks, FireEye, Cisco, McAfee

Major Competitors

The cybersecurity market is saturated with vendors who offer an array of product
and service offerings to deflect various types of threats. The following
companies challenge
Symantec in the cybersecurity realm. 

Activity


Mergers, Acquisitions, and Divestitures

Accenture reached an agreement to acquire Symantec’s Cybersecurity
Services business from Broadcom. This transaction
is expected to bolster Accenture Security’s capabilities for
managed security services, in turn enhancing its ability to help
anticipate, detect, and respond to cyber-related threats.
Symantec’s Cybersecurity Services includes global threat
monitoring and analysis, via its network of security operation
centers, as well as real-time adversary and industry-specific
threat-intelligence and incident-response services. The group
operates centers in the US, UK, India, Australia, Singapore, and
Japan. The purchase is subject to “customary closing conditions,”
and is expected to close “in March 2020.” Terms were not
released.

(01/07/2020)

Accenture
announced it would purchase Symantec’s Cyber Security
Services business from Broadcom two months after
Broadcom itself acquired Symantec’s enterprise security unit. The
Cyber Security Services business was part of the enterprise
security unit which Symantec sold to Broadcom for $10.7 billion
USD on November 4. Financial terms of the acquisition by
Accenture have not been disclosed.

(01/07/2020)

Broadcom
completed the buyout of Symantec’s Enterprise
Security business. This unit will now operate as the Symantec
Enterprise division of Broadcom, and will be led by SVP and GM,
Art Gilliland. Terms were not posted.

(11/04/2019)

Symantec
completed the sale of its Enterprise Security Assets to Broadcom for $10.7 billion
USD. The company also announced that it has transferred the
Symantec brand to Broadcom and changed its name to
NortonLifeLock, effective immediately. NortonLifeLock’s common
stock is now trading under the ticker symbol “NLOK” on the
Nasdaq stock exchange.

(11/04/2019)

Broadcom signed a
deal to acquire Symantec’s enterprise
security business. This $10.7 billion transaction – which
includes software and services for endpoint security, Web
security services, cloud-based security, and data loss prevention
– will expand Broadcom’s infrastructure software footprint.
Broadcom will own and incorporate the Symantec brand name into
its own portfolio, deploying the suite throughout its channels.
The transaction is expected to close in the first quarter of
Broadcom’s fiscal year 2020, and is subject to “regulatory
approvals” and “other customary closing conditions.”

(08/12/2019)

Symantec acquired
Luminate Security, a privately held company offering software
defined perimeter technology. Luminate’s Secure Access Cloud
technology further extends Symantec’s Integrated Cyber Defense
Platform to users as they access workloads and applications
regardless of where those workloads are deployed or what
infrastructure they are accessed through.

(02/12/2019)

Products and Services

Symantec warned that organizations should
be vigilant as political tensions in the Middle East could
heighten the risk of attacks from Iranian-sponsored cyberspy
groups. Attackers associated with Iran have periodically carried
out highly destructive disk-wiping attacks against targets in the
Middle East. The researchers say that Iranian attackers could use
wipers to target critical infrastructure; attacks on
telecommunications infrastructure may be conducted to disrupt
service; hacktivists could deface Web sites; and distributed
denial-of-service attacks could be launched on financial entities.

(02/03/2020)

Symantec noted an uptick
in Emotet activity beginning in September 2019 as the vendor
began blocking spam messages laced with the Trojan. At times,
Symantec products blocked more than one million hits per day.
Prior to September, Emotet activity had dwindled.

(01/22/2020)

Research on living-off-the-land tools, which are
features and tools already present on native systems, shows that
attackers were most focused on PowerShell, the Windows
Management Instrumentation, and the WMI command line
capabilities to download or copy payloads to target computers.
Using these tools became prominent beginning in September. Symantec blocked more
than 480,000 malicious PowerShell scripts on endpoints during
that month.

(12/27/2019)

Symantec warned that the Nemty ransomware,
initially detected in August 2019, has increased its reach by
partnering up with the Trik botnet, which now delivers Nemty to
compromised computers. Most Nemty infections have been spotted
in China and Korea. A new version of Trik delivers a tiny
component that uses the Server Message Block protocol and a list
of hardcoded credentials to try to connect to remote computers
with port 139 open. The malware can infect public IP addresses
with port 139 open that are using any of the common administrator
usernames and passwords on its list.

(11/04/2019)

Symantec has observed a surge in detections for the
malicious Xhelper app that can hide itself from users, download
additional malicious apps, and display advertisements. The
Android app is persistent, is able to reinstall itself after users
uninstall it, and is designed to stay hidden by not appearing on
the system’s launcher. The app has infected over 45,000 devices
within a six-month period. Xhelper mainly targets users in India,
Russia, and the US.

(10/29/2019)

Symantec
introduced Endpoint Security (SES), which delivers protection,
detection and response along with attack surface reduction,
threat hunting, and breach assessment and prevention
capabilities. Customers can deploy and manage SES via the cloud
or on-premises, or a hybrid of both, for all operating systems
including mobile devices, with single agent installation.

(10/15/2019)

Symantec notified Google of a batch of malicious
apps, with over 2.1 million downloads, found in the Play store.
Twenty-five Android Package Kits (APKs), mostly masquerading as
a photo utility app and a fashion app, were published under 22
different developer accounts, with the initial sample uploaded in
April 2019. These 25 malicious hidden apps share a similar code
structure and app content. It is likely that monetary gain was
the motivating factor behind these apps. Google has since removed
the apps from Play.

(09/24/2019)

A previously undocumented attack group dubbed
“Tortoiseshell” is using both custom and off-the-shelf malware to
target IT providers in Saudi Arabia in what appear to be supply
chain attacks with the end goal of compromising the IT providers’
customers. Tortoiseshell has been active since at least July
2018. Symantec has identified a total of 11
organizations hit by the group, the majority of which are based
in Saudi Arabia. In at least two organizations, evidence suggests
that the attackers gained domain admin-level access.

(09/18/2019)

Symantec has linked two threat groups and now believes
they are one and the same. Thrip, a Chinese espionage group, is
using a previously unseen backdoor known as Hannotog and
another backdoor known as Sagerunex. Analysis of Sagerunex
shows close links to another long-established espionage group
called Billbug (aka Lotus Blossom) and it is likely the two
entities are the same. Since June 2018, Thrip has attacked at
least 12 organizations within Southeast Asia, including those in
the military, maritime communications, education, and media
sectors. The Hannotog backdoor has been in use since at least
January 2017 and provides the attackers with a persistent
presence on the victim’s network. Sagerunex delivers remote
access to the attackers.

(09/09/2019)

Two apps were spotted using a new method to
stealthily perform ad-clicking on user devices. A notepad app
(Idea Note: OCR Text Scanner, GTD, Color Notes) and a fitness
app (Beauty Fitness: daily workout, best HIIT coach), are packed
using legitimate packers originally developed to protect the
intellectual property of Android applications. The two apps had a
collective download count of about 1.5 million. After identifying
the apps’ behavior, Symantec contacted Google and the apps were
removed from the Play store.

(08/31/2019)

Symantec announced that its technologies blocked 289
million extortion scam emails between January 1 and May 29 – 85
million (nearly 30%) of those messages were blocked in one 17-day
period alone. It is not clear which threat actors are behind
these scams.

(07/30/2019)

According to Symantec telemetry, the average daily
volume of business email compromise (BEC) messages was
significantly higher in the first quarter of 2019 than in the
same period one year ago. From January to March 2018, the
average daily BEC email volume was 85,816, while from January to
March 2019, the average daily volume was 128,700, a 50%
increase. The top five nations targeted by BEC scammers between
mid-2018 and mid-2019 were as follows: the US (39%), the UK
(26%), Australia (11%), Belgium (3%), and Germany (3%).

(07/24/2019)

Symantec has found that the number of organizations being
attacked by targeted ransomware has grown rapidly since the
beginning of 2018. After a period where SamSam and then Ryuk
were the only major ransomware groups, Symantec noted that
beginning in 2019, such activity began to multiply as more threat
actors embraced targeted ransomware. Among these groups are
GoGalocker (also known as LockerGoga), MegaCortex,
RobbinHood, Crysis, and the now defunct GandCrab.

(07/24/2019)

The team at Symantec identified a malicious app
named MobonoGram 2019 advertising itself as an unofficial version
of the Telegram messaging
app and claiming to provide even more features than both the
official and other unofficial versions in the market. The fake
app was found to be running unauthorized services on the victim
device and loading and browsing malicious Web sites in the
background. The app, which was downloaded from Google Play over 100,000
times, was available to mobile users even in regions that have
banned Telegram, such as Iran and Russia, and was also
downloadable by US users. Google has since pulled the app from
Play.

(07/16/2019)

Symantec rolled out
enhancements to its cloud access security offerings. These
include updates to Software-as-a-Service application security for
its CloudSOC Mirror Gateway and new integrations for the Web
Security Service.

(07/16/2019)

Symantec’s Cloud Security
Threat Report
has found that while 53% of enterprise compute
workloads have been migrated to the cloud, 54% of enterprises
indicate their organization’s cloud security maturity is not able
to keep up with the rapid expansion of cloud apps. Ninety-three
percent of the 1,250 security decision-makers surveyed report
issues with keeping tabs on all cloud workloads and 73%
experienced a security incident due to immature security
practices. The report also showed that 65% of organizations fail
to implement multi-factor authentication in
Infrastructure-as-a-Service configurations and 80% don’t use
encryption.

(06/27/2019)

Symantec
announced a new service for its Cloud Workload Protection (CWP)
offering and Amazon
GuardDuty to provide automated remediation and enhanced threat
intelligence for Amazon Web Service (AWS) workloads and
storage. The new service provides continuous assessment,
automated remediation, and threat intelligence to detect security
threats and infrastructure misconfigurations in AWS workloads and
storage.

(06/27/2019)

Symantec has uncovered 152 malicious Android
apps being circulated online that claim to provide free data
boosts for Jio customers. The apps masquerade as apps from
Reliance Jio Infocomm, the largest 4G network in India. Users who
download these malicious apps will discover their devices being
used to generate advertising revenue for the developers of the
apps. Between January and June, the fake apps were downloaded
over 39,000 times.

(06/27/2019)

Recorded Future has observed an increase in Iranian-linked APT33’s
(also known as Elfin) infrastructure building and targeting
activity. This includes the usage of over 1,200 domains since
March 28 and infiltrating of Saudi Arabian organizations across a
wide variety of industries. Following Symantec’s publication of a
March report that exposed APT33’s operations, the
group changed hosting providers. APT33 has also begun using a
remote access Trojan (RAT) – njRAT – which has never before been
attributed to this threat entity.

(06/26/2019)

Two extensions for the Chrome browser were found secretly mining for
cryptocurrency after they were installed on devices. Both
extensions were spotted by Symantec on the official Google Chrome Web Store.
One of the extensions, called 2048, is a version of a popular
math-based strategy game, was published in August 2017, and
has over 2,100 users. The other extension, Mp3 Songs Download,
claims to be an MP3 downloader but instead redirects the user to
an MP3 download Web site when the victim clicks on the extension
button. The coin mining persists for as long as the browser (with
the 2048 extension installed) or Web site (in the case of the Mp3
Songs Download extension) remains open. Both extensions have
been removed from the Chrome Web Store.

(06/19/2019)

An assessment by Symantec of a massive
dataset released by Twitter in
October 2018 and pertaining to content posted on its service by
the Internet Research Agency (IRA) shows the extent of this
Russian propaganda campaign against the US. The dataset
consisted of 3,836 Twitter accounts and nearly 10 million tweets.
The accounts consist of two main categories and each played a
different role in attempting to influence the 2016 US
presidential election. Main accounts, consisting of at least
10,000 followers, were mostly fake news outlets masquerading as
regional news outlets, or pretending to be political parties or
hashtag games. Auxiliary accounts had less than 10,000 followers
each and pretended to be individuals, spreading the content
created by the main accounts by retweeting it. Fifty-five percent
of the most prolific IRA accounts were fake news accounts.

(06/05/2019)

An attack group known as Buckeye was using Equation Group
tools to gain persistent access to organizations at least a year
prior to the Shadow Brokers leak, according to research by Symantec. Variants of
Equation Group tools used by Buckeye appear to be different from
those released by Shadow Brokers, potentially indicating that
they didn’t originate from that leak. Buckeye’s use of the tools
also involved the exploit of a previously unknown Windows
zero-day vulnerability which Symantec reported and Microsoft patched in March.
While Buckeye appeared to cease operations in mid-2017, the
Equation Group tools it used continued to be used in attacks
until late 2018 although it is not clear which threat entity was
using them.

(05/08/2019)

A cryptojacking campaign that Symantec’s investigative
team has dubbed Beapy is abusing the EternalBlue exploit and
primarily impacting enterprises in China. Beapy was first
observed in January and uses the stolen National Security
Agency’s (NSA) EternalBlue
exploit along with pilfered and hardcoded credentials to spread
rapidly across networks. Beapy is a file-based coinminer that
uses email as an initial infection vector and behaves like a
worm. Ninety-eight percent of Beapy victims are enterprises.

(04/24/2019)

Symantec has
joined the Department of Defense’s (DOD) Defense Industrial Base
(DIB) Cybersecurity program. This program is a voluntary cyber
threat information-sharing initiative established by the DOD to
enhance and support DIB participants’ capabilities to mitigate
cyber attacks. The program features a collaborative
information-sharing environment where members voluntarily report
cyber threats as well as information on how to prevent/mitigate
those threats.

(04/23/2019)

Sixty-seven percent of hotel Web sites assessed by Candid Wueest at Symantec are leaking
booking reference codes to third-party sites such as advertisers
and analytics companies. The information shared could allow the
third-party services to log into a reservation, view personal
details, and even cancel the booking. Wueest tested 1,500 hotels
in 54 countries and found that the majority exposed full names,
email and postal addresses, mobile phone numbers, passport
numbers, and the last four digits of credit cards, card type, and
expiration dates. Fifty-seven percent of the tested sites send a
confirmation email to customers with a direct access link to
their booking. This enables customers to click on the link and go
straight to the reservation without having to log in. Wueest
said, “Since the email requires a static link, HTTP POST Web
requests are not really an option, meaning the booking reference
code and the email are passed as arguments in the URL itself. On
its own, this would not be an issue. However, many sites directly
load additional content on the same Web site such as
advertisements. This means that direct access is shared either
directly with other resources or indirectly through the referrer
field in the HTTP request. My tests have shown that an average of
176 requests are generated per booking, although not all these
requests contain the booking details. This number indicates that
the booking data could be shared quite widely.”

(04/10/2019)
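As an added illustration of the leak Wueest describes (example code written for this profile, not Symantec’s or Wueest’s own), the following Python models how a browser fills the Referer header for third-party requests issued from a confirmation page under each Referrer-Policy value, and reports which booking parameters each third party would receive. The hotel, advertiser and analytics URLs and the query-key names are constructed sample values.

```python
"""Added illustration (not Symantec's or Wueest's code) of how a confirmation
link leaks through the Referer header, and which Referrer-Policy stops it.
All hostnames and query keys below are constructed sample values."""
from urllib.parse import parse_qs, urlsplit, urlunsplit

# Constructed list of query keys a direct-access booking link might carry.
SENSITIVE_PARAMS = {"ref", "bookingref", "email", "lastname"}
DEFAULT_PORTS = {"http": 80, "https": 443}
POLICIES = (
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
)


def _authority(url):
    """host[:port] with the scheme's default port omitted, as browsers serialize it."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    if p.port and p.port != DEFAULT_PORTS.get(p.scheme):
        return f"{host}:{p.port}"
    return host


def _origin_tuple(url):
    p = urlsplit(url)
    return p.scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme)


def origin_of(url):
    """Serialized origin plus trailing slash: what origin-only policies send."""
    return f"{urlsplit(url).scheme}://{_authority(url)}/"


def stripped_url(url):
    """Full URL minus credentials and fragment: the most a Referer ever carries."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, _authority(url), p.path or "/", p.query, ""))


def referer_header(page_url, request_url, policy="no-referrer-when-downgrade"):
    """Referer value a browser sends for request_url issued from page_url under
    the given Referrer-Policy, or None when the header is suppressed.
    The default here is the legacy browser default at the time of the report."""
    if policy not in POLICIES:
        raise ValueError(f"unknown referrer policy: {policy}")
    same = _origin_tuple(page_url) == _origin_tuple(request_url)
    downgrade = (urlsplit(page_url).scheme == "https"
                 and urlsplit(request_url).scheme == "http")
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return stripped_url(page_url)
    if policy == "origin":
        return origin_of(page_url)
    if policy == "strict-origin":
        return None if downgrade else origin_of(page_url)
    if policy == "same-origin":
        return stripped_url(page_url) if same else None
    if policy == "origin-when-cross-origin":
        return stripped_url(page_url) if same else origin_of(page_url)
    if policy == "strict-origin-when-cross-origin":
        if same:
            return stripped_url(page_url)
        return None if downgrade else origin_of(page_url)
    # no-referrer-when-downgrade: full URL unless going from https to http
    return None if downgrade else stripped_url(page_url)


def leaked_params(referer_value):
    """Sensitive query keys a third party can read from a Referer value."""
    if not referer_value:
        return []
    keys = parse_qs(urlsplit(referer_value).query)
    return sorted(k for k in keys if k.lower() in SENSITIVE_PARAMS)


def audit(page_url, resource_urls, policy="no-referrer-when-downgrade"):
    """Map each cross-origin resource loaded by the page to the sensitive
    booking keys it would receive in the Referer header."""
    report = {}
    for res in resource_urls:
        if _origin_tuple(res) == _origin_tuple(page_url):
            continue  # first-party resources are not the sharing Wueest describes
        report[res] = leaked_params(referer_header(page_url, res, policy))
    return report


if __name__ == "__main__":
    # Constructed direct-access link of the kind confirmation e-mails contain.
    confirmation = "https://hotel.example/reservation?ref=AB12CD&email=guest%40example.com"
    # Constructed third-party resources the confirmation page might load.
    resources = ["https://ads.example/pixel.gif",
                 "https://analytics.example/collect",
                 "https://hotel.example/static/style.css"]
    for policy in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin"):
        print(policy, audit(confirmation, resources, policy))
```

Under the legacy default every cross-origin resource receives the booking reference and email address; under strict-origin-when-cross-origin (or same-origin) only the site’s origin is shared, which is the header a site owner can set with a Referrer-Policy response header or meta tag.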

Symantec discovered 81 potentially unwanted
applications on the Microsoft Store, some of
which displayed pornographic images and gambling content. The
apps, some of which remain available from the app store, cover a
range of categories and use familiar-sounding names to trick
victims into downloading them.

(04/03/2019)

According to Symantec’s 2018 Norton
LifeLock Cyber Safety Insights Report, based on an online survey
of over 1,000 adults, 72% of Americans are worried about their
privacy. However, the majority accept certain risks to their
online privacy in exchange for convenience (66%) and are willing
to sell or give away certain personal information, such as their
location (55%) and Internet search history (55%), to companies.
Ninety-four percent of Americans express little (40%) or no (54%)
trust in social media providers when it comes to managing and
protecting their personal information. Twenty-eight percent of
Americans with a social media account have deleted an account in
the past 12 months due to privacy concerns.

(04/01/2019)

A threat entity has been busily launching attacks in the
Middle East, particularly Saudi Arabia, but has branched out to
infiltrate organizations in the US and other countries. The Elfin
espionage group (also known as APT33) became active in late
2015 or early 2016, specializes in scanning for vulnerable Web
sites, and uses this information to identify potential targets,
either for attacks or creation of command and control
infrastructure. It has compromised a wide range of targets,
including governments along with organizations in the research,
chemical, engineering, manufacturing, consulting, and other
sectors. Elfin initially focused heavily on Saudi Arabia, which
accounted for 42% of attacks observed by Symantec since the
beginning of 2016. However, 18 organizations in the US have been
attacked since Elfin first became active.

(03/27/2019)

A July 2018 cyber attack on Singapore’s largest health
organization that resulted in a breach of 1.5 million patient
records can be attributed to WhiteFly, an attack entity that has
been operating since at least 2017, researchers at Symantec say. WhiteFly has targeted
organizations based mostly in Singapore across a wide variety of
sectors and is primarily interested in stealing large amounts of
sensitive information. It compromises its victims using custom
malware alongside open-source hacking tools and
living-off-the-land tactics, such as malicious PowerShell scripts.

(03/06/2019)

Symantec’s Internet Security Threat
Report
shows that nearly one in 10 targeted attack groups use
malware to destroy and disrupt business operations, an increase
of 25% compared to 2017. The report determined that formjacking
attacks, in which cyber thieves inject malicious code into
retailers’ Web sites to steal shoppers’ payment card details,
have become a new method for criminals to get rich quick. On
average, more than 4,800 unique Web sites are compromised with
formjacking code every month, Symantec found. The report
analyzed data from Symantec’s Global Intelligence Network, which
records events from 123 million attack sensors worldwide.

(02/20/2019)

Symantec debuted
Email Fraud Protection, an offering to help organizations block
fraudulent emails from reaching enterprises. Email Fraud
Protection integrates with Symantec Email Security to support
email authentication standards and help block platform threats
on-premises or in the cloud, such as spam, malware, and phishing
attacks. It can also integrate with Symantec Email Threat
Isolation to minimize the risk of spear phishing, credential
theft, account takeover, and ransomware attacks.

(02/19/2019)

Symantec discovered several potentially
unwanted applications on the Microsoft Store that used
the victim’s CPU power to mine cryptocurrency. The apps came
from three developers – DigiDream, 1clean, and Findoo – and all
showed the same risky behavior. Once contacted, Microsoft
removed the apps from the store.

(02/18/2019)

Tech support scams have upped the ante by tricking victims
into installing a potentially unwanted application (PUA) rather than urging them
to call a support helpline. Symantec learned that the scam typically
begins after a victim has visited a malicious Web site or is
redirected to one through malvertising. The scam prompts the
victim to approve a fake 10-second scan of the supposedly
infected computer. At the end of the fake scan, the victim is
informed that the PC is indeed infected and then asked to
download and install an update to their antivirus software. Once
the user clicks, a PUA is downloaded and installed onto the
victim’s computer.

(02/06/2019)

Personnel and Organizational

Symantec
announced changes to its leadership. Richard S. Hill, current
Symantec director, has been appointed interim president and CEO.
He succeeds Greg Clark, who has stepped down. Vincent Pilette,
CFO of Logitech, has been appointed executive vice president and CFO
and will join the company on May 21. Symantec has begun a
search to find a permanent CEO.

(05/13/2019)

Symantec appointed Debora B. Tomlin to the position of chief marketing officer, effective February 22. Ms. Tomlin will oversee Symantec’s global marketing organization and report directly to president and CEO Greg Clark.

(02/05/2019)

Symantec announced that Nicholas Noviello will be stepping
down from his role as executive vice president and chief
financial officer in the coming months to pursue other
opportunities. Mr. Noviello will continue as CFO until a
successor is appointed.

(02/04/2019)

Financials

For the fourth fiscal quarter, which ended on March 29, Symantec reported GAAP
revenue of $1.2 billion USD and GAAP earnings per diluted share
(EPS) of $0.05. For the fiscal year, the vendor announced GAAP
revenue of $4.7 billion and GAAP diluted EPS of $0.05.

(05/13/2019)

Symantec announced GAAP revenue of $1.21 billion USD for
the third fiscal quarter that ended on December 28, 2018. The
company reported GAAP diluted earnings per share of $0.10.
Symantec’s board of directors appointed Matthew Brown, who is
currently its vice president, finance and corporate controller,
to the position of vice president, finance and chief accounting
officer.

(02/04/2019)


About the Author

Karen M. Spring is a staff editor for Faulkner Information
Services, tracking several high-tech industries. She has research experience in
various topics including network security, data breaches, malware, public
safety, business continuity and resilience, and vulnerabilities. She has written
on high-tech topics for publications in the K-12 and higher education industry.
Ms. Spring started her career as a marketing specialist for two computer
distributors, working closely with such clients as 3Com, IBM, Okidata, Unisys,
and Acer. 