Data Privacy in a World of Outsourced Artificial Intelligence

Artificial intelligence (AI) and deep learning can lead to powerful business insights.  Many executives are ready to harness the power of this technology, but one main challenge holds them back.  Hiring technical talent for cybersecurity is hard enough in itself; hiring technical talent for AI is a much bigger challenge.

This problem was recently faced by the UK’s National Health Service (NHS).  Tremendous results have been demonstrated recently using computer vision techniques to identify specific types of illness in medical patients by looking at scans of the patient’s body.  Artificial intelligence has a strong track record of effectively predicting medical conditions such as cancer, heart attacks and many other image-based diagnoses.

Medical information is particularly sensitive to medical organizations like the NHS, but it is also among the most lucrative types of PII to cybercriminals.  Many freely available AI/machine learning software packages exist, such as the libraries Theano, Torch, CNTK, and TensorFlow.  Despite the availability of these tools, many organizations like the NHS do not have sufficient access to experts able to run powerful machine learning tools.  Without this type of collaboration many illnesses may go unidentified and people could die.  So the NHS* decided to partner with DeepMind, a company acquired by Alphabet/Google.  The University of Cambridge and the Economist wrote an article detailing many aspects of the contract.

As a result, DeepMind gets access to 1.6 million medical records and a neat application of its technology, in addition to undisclosed funding. This data includes blood tests, medical diagnostics and historical patient records but also even more sensitive data such as HIV diagnosis and prior drug use. In the sub-discipline of machine learning called Deep Learning, the algorithms are particularly dependent on having a large data corpus.

When an organization is faced with the choice of outsourcing sensitive information to experts, what are the choices?  Any organization outsourcing information should redact all personally identifiable information such as name and personal identifiers.  These can instead be represented by a pseudonym – a unique mapping such as a hash function – where the unique identifier and the PII are held only by the trusted entity (NHS in this case).  Furthermore, semi-sensitive information that would have value to the ML model should be abstracted.  For example, geographical location may be a powerful indicator of an illness, but the raw data could be used to reverse-engineer the PII of a given patient.  In this case binning the information so that a little fidelity is lost is an effective trade-off between empowering the AI’s prediction power and protecting patient confidentiality.  For example, grouping specific addresses into zip codes or counties may be a nice trade-off in this space.
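The redaction, pseudonym and binning steps described above, as an added example (not code from the original article or from the NHS/DeepMind arrangement). The records, NHS numbers and postcodes are constructed placeholders. One detail goes slightly beyond the text: the pseudonym is a keyed HMAC rather than a bare hash, because a bare hash of a short identifier such as an NHS number can be reversed by enumerating the identifier space, whereas the HMAC key stays with the trusted entity alongside the re-identification map.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (hypothetical; no real patient data).
RECORDS = [
    {"nhs_number": "9434765919", "name": "Alice Example", "postcode": "NW3 2QG",
     "age": 47, "hiv_positive": False, "scan_result": "abnormal"},
    {"nhs_number": "9434765870", "name": "Bob Example", "postcode": "SW1A 1AA",
     "age": 62, "hiv_positive": True, "scan_result": "normal"},
]

# Fields that identify a person directly; these never leave the trusted entity.
DIRECT_IDENTIFIERS = ("nhs_number", "name")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed pseudonym (HMAC-SHA256). Without the key the mapping cannot be
    rebuilt by brute force, unlike a plain hash of a short identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize_postcode(postcode: str) -> str:
    """Keep only the outward code (e.g. 'NW3'): coarse area, not an address."""
    return postcode.strip().upper().split()[0]


def bin_age(age: int) -> str:
    """Ten-year age band, e.g. 47 -> '40-49'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def pseudonymize(records, key: bytes):
    """Return (shareable records, re-identification map).
    Only the map contains PII and it stays with the trusted entity."""
    shareable, lookup = [], {}
    for r in records:
        pid = make_pseudonym(key, r["nhs_number"])
        lookup[pid] = {k: r[k] for k in DIRECT_IDENTIFIERS}
        shareable.append({
            "pid": pid,
            "postcode_area": generalize_postcode(r["postcode"]),
            "age_band": bin_age(r["age"]),
            "hiv_positive": r["hiv_positive"],
            "scan_result": r["scan_result"],
        })
    return shareable, lookup


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated and held only by the trusted entity
    shared, lookup = pseudonymize(RECORDS, key)
    for row in shared:
        print(row)
```

The shareable rows carry the model-relevant signal (area, age band, clinical fields) and a stable identifier for joining results back, while `lookup` plus the key are the only route from `pid` to a person.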

The trade-off between security and predictive power will likely be a challenging problem for data owners. AI is able to combine many weak signals and often make surprising conclusions.  In one study, CMU researchers found social security numbers were surprisingly predictable, and the AI algorithms could usually reconstruct an SSN from information such as birthdate and gender.  So being able to guarantee that AI can’t reconstruct your PII is an unsolved problem, and likely very dependent on the data.   However, best-effort strategies like those outlined above can help mitigate most concerns.

In the future this issue may change significantly.  Recent developments in federated learning may allow for increased flexibility, where keeping data on premise becomes more feasible.  A related technology, homomorphic encryption, has been in the works for far longer.  In homomorphic encryption the computations occur on encrypted data without ever having to decrypt the data, which would significantly reduce the security concern.  We are still years away from technology solving this problem directly. In the interim the promise of the AI benefits is too great for most organizations to wait.

At Anomali, we deal with sensitive information regularly, as we help many organizations around the world winnow down data from across the enterprise and focus on the applicable security threats.  We address privacy issues with on-premise deployments such as Anomali Enterprise; or by very tight access controls and data isolation like our Trusted Circles feature for sharing threat intelligence in our Threat Intelligence Platform, ThreatStream.

*The agreement was signed by the Royal Free NHS Trust, a small subordinate component of the much larger NHS. The Royal Free Trust comprises three hospitals in London.

Source: Honeypot Tech

The Definitive Guide to Sharing Threat Intelligence

Threat Intelligence sharing is becoming more mainstream as ISACs and other industry sharing collectives gain popularity. As intelligence sharing becomes more popular, there are some things to consider to get the most out of it. Anomali’s new whitepaper, The Definitive Guide to Threat Intelligence Sharing explores this topic in-depth.

Like many other things, the more you put into sharing threat intelligence, the more you can potentially get out of it. It starts with choosing who to share with. Understanding what is good to share is another important aspect to consider. Most of all, collaborating with those you share with is key to improving the value for everyone involved. Adding context to what is shared, or including extra details observed from your own analysis, is an important element of sharing threat intelligence.

Sharing with others in our own industry is the best place to start with sharing intelligence.  This is essentially “home” for sharing intelligence and interacting with peers around threats and defenses.  For most organizations, this is the full extent of who they share intelligence with, and there is nothing wrong with that.  There are other considerations for adding additional sharing partners, however.  For one, not all attacks come over the Internet; some require a physical presence, such as attacks against Wi-Fi infrastructure.  Finding local sharing partners, potentially not in your own industry, can be important for localized intelligence sharing.  Also important is finding partners to share with outside the echo chamber of your industry or vertical.  Sharing within your industry is certainly the best place to start, but looking for organizations to share with beyond your industry as a next step is a good idea.

In addition to sharing intelligence, other considerations might be sharing defensive measures such as YARA rules, snort rules, scripts, system or application configuration tweaks, security tool configurations, and so on. The idea is to collaborate closely with other sharing partners to:

  • Improve visibility for better intelligence analysis
  • Deliver stronger defenses that are optimized against observed and perceived threats
  • Provide a useful vehicle for coordinating intelligence collection and analysis

Further thoughts on these topics as well as additional insights on threat intelligence sharing can be found in The Definitive Guide to Threat Intelligence Sharing.



Anomali Weekly Threat Intelligence Briefing – April 25, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Dridex Style Malspam Pushed Locky Ransomware Instead (April 21, 2017)
Researchers have discovered that malspam messages that follow known Dridex formats are instead sending Locky ransomware to recipients. Actors behind this campaign are sending malicious attachments impersonating payment receipts, and PDFs.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Malware

MilkyDoor Android Malware uses SSH Tunnels to Access Secure Corporate Networks (April 21, 2017)
An Android malware called “Milkydoor” has been discovered to have been present in approximately 200 applications in the Google Play Store (Google has since removed the malicious applications). Researchers estimate that the malicious applications have been downloaded between 500,000 and one million times. Milkydoor uses SSH tunnels to allow the actors access to internal company networks.
Recommendation: Mobile applications should only be downloaded from official locations such as the Google Play Store and the Apple App Store. Websites and documents that claim additional software is needed in order to access or properly view content should be avoided. Additionally, mobile security applications provided by trusted vendors are recommended.
Tags: Mobile, Malicious Applications

Cardinal RAT Active for Over Two Years (April 20, 2017)
A new Remote Access Trojan (RAT) called “Cardinal” has been discovered by Unit 42 researchers. Cardinal has been active for at least two years and is being distributed via malicious macros in Microsoft Excel documents that compile C# source into an executable. Researchers believe that the small number of samples discovered in the wild is because the malware has remained undetected for an extended period of time.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity.
Tags: Malware, RAT

Turn The Light On and Give Me Your Passwords (April 19, 2017)
Android users are being targeted with a banking trojan masquerading as a Flashlight application in the Google Play Store (Google has since removed the application). Researchers discovered that the malicious application called “Flashlight LED Widget” has been downloaded approximately 5,000 times. The trojan contained inside the application is capable of using overlays to target certain applications in order to steal banking information or credit card information.
Recommendation: If this application has been downloaded, a user can find it under Settings, then Application Manager, and then Flashlight Widget. The application can be uninstalled by booting your device in Safe mode. Even though this application was in the Google Play Store, that is still the safest location to download applications. Additionally, anti-virus applications provided by trusted vendors should be employed.
Tags: Mobile, Malicious Applications

InterContinental Confirms Card Data Breach at Over 1,000 Locations (April 19, 2017)
InterContinental Hotels Group (IHG) has issued a statement confirming that approximately 1,000 of its locations in Puerto Rico and the U.S. have been compromised with information stealing malware. The malware searched for cardholder name, card number, expiration date, and internal verification code. They believe that malware was first present in some IHG payment systems on September 29, 2016 and lasted until December 29, 2016. However, IHG did not identify the unauthorized access until their systems were “investigated in February and March 2017” so it is possible that card data was stolen up until that time.
Recommendation: Customer-facing companies that store credit card data must actively defend against Point-of-Sale (POS) threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: Breach, POS

Flaw in Drupal Exposes 120,000 Sites to Attacks (April 19, 2017)
The security team for the open source Drupal platform has discovered a vulnerability in the third-party module called “References.” Drupal did not release additional information about the vulnerability to assist in preventing exploitation; however, the team did release a security patch to fix the problem. Additionally, Drupal stated that they will be releasing more information about this vulnerability in the next few weeks.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites

BankBot Trojan Found Lurking on Google Play (April 18, 2017)
An Android banking trojan called “BankBot,” which is based off of leaked source code of a different Android trojan, has been identified to have expanded its target list. Initially the malware was primarily targeting Russian users, but now BankBot is targeting users all over the world in attempts to steal financial data. Researchers discovered a target list that consists of over 400 applications associated with financial institutions around the globe. The malware is being distributed by masquerading as legitimate applications in the Google Play Store, and third-party application stores (Google has since removed the malicious applications).
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. Additionally, do not rely on ratings alone for applications in the Google Play Store, further research into the applications is a good mitigation step because sometimes malicious applications make it into legitimate stores.
Tags: Mobile, Malicious Applications

Fake LinkedIn Emails Phishing Job Seekers (April 18, 2017)
A new phishing campaign has been identified to be targeting LinkedIn users. The actors behind the campaign are attempting to trick recipients into sending their curriculum vitae (CV). With the plethora of personal information contained in a CV, cybercriminals would be able to sell the information on underground forums or use it to further target individuals with additional phishing attacks.
Recommendation: Phishing continues to be one of the easiest ways for cybercriminals to make money quickly with a low level of technical expertise. Educate your employees on the dangers of phishing, how the attacks work, and how to avoid them. This includes the safe and proper use of email as well as web browsing activities.
Tags: Phishing

New Karmen Ransomware-as-a-Service Advertised on Hacking Forums (April 18, 2017)
Malware researchers have discovered a new Ransomware-as-a-Service (RaaS) called Karmen that is being advertised on a Russian cybercrime forum. The ransomware creators advertise multiple features, such as sandbox and virtual machine detection capabilities, undetected by anti-virus vendors, and access to a web-based control panel all available for purchase for $175.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. If a reproducible backup is not available, there may be a decryptor available that can assist in retrieving encrypted files. Additionally, educate your employees about the dangers of downloading applications when they are not offered from the website of the official provider/developer.
Tags: Ransomware, RaaS

CradleCore Ransomware Sold as Source Code (April 17, 2017)
Forcepoint researchers have discovered threat actors engaging in an interesting tactic while selling a new ransomware dubbed “CradleCore.” The cybercriminals behind the malware are offering the source for purchase for a negotiable price starting at 0.35 Bitcoins ($419). This tactic will likely cause new variants to be observed in the wild in the near future because the available source code will allow actors to customize the ransomware.
Recommendation: The ransomware landscape continues to evolve and become a larger cause for concern and potential risk. The use of endpoint prevention systems can make all the difference between infection or not. In the case of any ransomware infection, the victim should avoid paying the ransom, and the infected system should be wiped and reformatted.
Tags: Ransomware

This Phishing Attack is Almost Impossible to Detect on Chrome, Firefox, and Opera (April 17, 2017)
Researcher Xudong Zheng has discovered a new phishing attack that affects multiple web browsers. Zheng cautioned that actors can use vulnerabilities in Chrome, Firefox, and Opera web browsers to display fake domains to steal financial and login credentials. The style of attack that affects said web browsers is a “Homograph” attack which uses Unicode characters in the domain name to make a malicious website appear legitimate.
Recommendation: Your company should have appropriate anti-virus, anti-spam, and policies in place that will prevent your employees from visiting potentially malicious websites. Education is also a great mitigation technique that can assist your company in awareness of the risks posed by visiting less reputable online locations. Additionally, always ensure that your web browser is kept up to date with the latest version as soon as possible.
Tags: Phishing, Homograph
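A defender-side check for the homograph technique described above, as an added example (not code from the original briefing or from the cited researcher). It decodes a punycode (`xn--`) label back to Unicode, flags labels that mix scripts (e.g. one Cyrillic letter among Latin ones), and flags all-non-Latin labels whose every letter has an ASCII lookalike, using a small constructed confusables table. The sample hostnames are constructed and use reserved example names.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like ASCII letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u04cf": "l",
}


def to_unicode_label(label: str) -> str:
    """Decode an IDNA/punycode label (xn--...) to Unicode; leave others as-is."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def scripts_in(label: str) -> set:
    """Set of Unicode script names ('LATIN', 'CYRILLIC', ...) used by the letters."""
    scripts = set()
    for ch in label:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def skeleton(text: str) -> str:
    """Replace known confusables with the ASCII letter they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)


def analyze_hostname(hostname: str) -> dict:
    """Report whether any label of the hostname looks like a homograph."""
    labels = [to_unicode_label(part) for part in hostname.lower().split(".")]
    findings = []
    for lab in labels:
        scripts = scripts_in(lab)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label {lab!r}")
        elif scripts and scripts != {"LATIN"}:
            sk = skeleton(lab)
            # Whole label is non-Latin but every letter imitates an ASCII one.
            if sk != lab and sk.isascii():
                findings.append(f"label {lab!r} imitates ASCII {sk!r}")
    unicode_host = ".".join(labels)
    return {
        "unicode": unicode_host,
        "ascii_skeleton": skeleton(unicode_host),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: plain ASCII, one Cyrillic 'а' inside a Latin label,
    # and the punycode form a browser or log would actually carry.
    for host in ["example.com", "ex\u0430mple.com",
                 "ex\u0430mple".encode("idna").decode("ascii") + ".com"]:
        print(host, "->", analyze_hostname(host))
```

Run this over hostnames from proxy or DNS logs; the `ascii_skeleton` field is what to compare against your own brand names, since it is what the user believed they were visiting.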

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cybercriminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware


Threatstream App for Splunk: Introducing Seamless Integration with Enterprise Security

Splunk continues to lead the way with its powerful big data SIEM capabilities inside their Enterprise Security App.

Here at Anomali we were especially excited with one initiative the company introduced last year, Adaptive Response. We liked it so much we partnered with Splunk to give security teams a powerful way to integrate Threatstream capabilities within the Enterprise Security workflow using the Adaptive Response framework.

An Introduction to Adaptive Response


Splunk’s Adaptive Response enables security analysts—from hunters to less skilled security staff—to better handle threats. The Adaptive Response Framework resides within Splunk Enterprise Security (ES) and optimizes threat detection and remediation using workflow-based context. Having spent years working with all layers of security teams, I like to think of Adaptive Response as the “security nerve center” to bridge intelligence from multiple security domains, including threat intelligence.

One of the key parts of the Adaptive Response framework is the ability for analysts to automate actions or individually review response actions to quickly gather more context and take appropriate actions across their multi-vendor environment. For an increasing number of people this means comparing security data against threat feeds, or threat intelligence sources like Threatstream.

Anomali Threatstream Splunk App

Introducing Adaptive Response Integration

The Anomali Threatstream Splunk App already provides users the ability to download millions of IOCs directly into Splunk to cross-reference against security data, providing dashboards and alerts for analysis. The app now has support for the Adaptive Response action framework providing seamless integration with Enterprise Security.

Familiar workflows


An analyst will likely start an investigation once a notable event has been triggered in Splunk’s Enterprise Security. It is at this point they want to add as much context as possible to a notable event, or security incident, in order to complete their investigation as quickly and accurately as possible. One way to do this is to compare the raw events that trigger a notable event against the Threatstream IOC database. For example, an analyst might want to look up the suspicious destination of an event that triggered the notable event in ES, to validate whether it should be of concern.
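The lookup described above, comparing the fields of a triggering raw event against an IOC table, as an added example written for this page; it is not the Anomali app’s code and does not use any Splunk or Threatstream API. The IOC table and the key=value events are constructed placeholders. It shows one detail a plain string comparison misses: a domain IOC should also match subdomains of it.

```python
import re

# Constructed IOC table (placeholder values, not from any real feed).
IOCS = {
    "ip": {"203.0.113.45": {"itype": "mal_ip", "severity": "high"}},
    "domain": {"bad-updates.example": {"itype": "c2_domain", "severity": "very-high"}},
    "hash": {"deadbeef" * 4: {"itype": "mal_md5", "severity": "medium"}},
}

# Constructed key=value events in the shape a SIEM search might return.
EVENTS = [
    "src=10.0.0.5 dest=203.0.113.45:443 action=allowed",
    "src=10.0.0.7 query=cdn.bad-updates.example rcode=NOERROR",
    "host=ws12 user=jdoe file_hash=" + "DEADBEEF" * 4,
    "src=10.0.0.9 dest=198.51.100.2:80 action=allowed",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV4_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.*[a-z])[a-z0-9.-]+\.[a-z]{2,}(?::\d+)?$")


def parse_kv(line: str) -> dict:
    """Split a key=value log line into a field dictionary."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def observables(fields: dict) -> list:
    """Classify each field value as ip / hash / domain, normalised for lookup."""
    found = []
    for name, raw in fields.items():
        v = raw.lower()
        m = IPV4_RE.match(v)
        if m:
            found.append((name, "ip", m.group(1)))  # port stripped
        elif HASH_RE.match(v):
            found.append((name, "hash", v))
        elif DOMAIN_RE.match(v):
            found.append((name, "domain", v.split(":")[0]))
    return found


def domain_hit(domain: str, table: dict):
    """Exact match, or match on any parent domain (never the bare TLD)."""
    parts = domain.split(".")
    for i in range(len(parts) - 1):
        candidate = ".".join(parts[i:])
        if candidate in table:
            return candidate
    return None


def match_event(line: str, iocs: dict) -> list:
    """Return one enrichment record per observable that hits the IOC table."""
    hits = []
    for field, kind, value in observables(parse_kv(line)):
        ioc = domain_hit(value, iocs["domain"]) if kind == "domain" else (
            value if value in iocs[kind] else None)
        if ioc is not None:
            hits.append({"field": field, "observed": value, "type": kind,
                         "ioc": ioc, **iocs[kind][ioc]})
    return hits


def match_events(lines, iocs=IOCS) -> list:
    return [match_event(line, iocs) for line in lines]


if __name__ == "__main__":
    for line, hits in zip(EVENTS, match_events(EVENTS)):
        print(line, "->", hits or "no IOC match")
```

Each hit carries the field it came from plus the IOC’s own metadata, which is the context an analyst wants attached to the notable event before deciding whether to escalate.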

Perform actions inside Enterprise Security

Incident Response

Within the Enterprise Security Incident Review dashboard an analyst can select to run an “Adaptive Response Action”, in this case “Analyze with Threatstream”. They can then select as many fields in the raw events as they want to analyse against Threatstream IOCs. When the analyst runs the action, a Threat Bulletin will be created within Threatstream and be visible within the Threatstream platform.

Bi-directional sync


The Threat Bulletin created will contain all incident data and comments from the notable event in Splunk, including the raw event data that triggered the notable event in the first place. Millions of IOCs in the Threatstream database are automatically matched against the raw data of the notable event stored in the Threat Bulletin to identify matches.

When matches are found they can be examined and triaged in the Threatstream user interface. Users can approve malicious indicators and reject those found to be benign. This threat intelligence, including full information about each IOC matched to a notable event, can then be pushed back down to your security tools, including back into Splunk using Threatstream Link, to continue any investigation.

tl;dr – Anomali Threatstream App for Splunk Key features

  • Seamless integration with Enterprise Security Incident Review workflow
  • Bi-directional flow of threat intelligence data for additional enrichment, correlation and analysis
  • Automated IOC matching and customizable alerting against your security data in Splunk
  • Dashboards detailing event data associated with IOCs allowing you to pivot on severity, type, classification, time…
  • Access to weekly Anomali Threat Intelligence briefings



Why Brand Monitoring is a Security Issue – Typosquatting

Corporate brands are generally thought of as intangible objects that carry the company’s image and reputation. However, your brand is very tangible in the eyes of attackers and can absolutely be targeted and damaged with cyber threats. To prevent such damage, companies can engage in “brand monitoring”. More specifically, this means searching for typosquatting and compromised credentials. While different in intent and practice, both tactics rely on human behaviors to achieve their goals. Such attacks are difficult to detect because the damage can occur outside of a company’s domain, and difficult to prevent because they involve a change in habit rather than corporate policy. In the first part of this series we’ll explore what typosquatting is, why it matters, and what courses of action a company can take to effectively protect their brand.


Typosquatting (also known as URL hijacking) refers to malicious third parties registering domains that are similar to legitimate corporate domains. The motives for registering a similar domain are numerous, but all are guaranteed to have a nefarious intent. With a deceptive domain, typosquatters have the potential to:

  • Orchestrate phishing schemes to collect customer credentials
  • Install malware onto visitor devices
  • Coerce the targeted company into buying the domain
  • Redirect traffic to competing or malicious sites
  • Embarrass the company by displaying inappropriate messaging

The exact variation of the domain will depend on the adversary’s intent. There are two general options: register a domain that looks visually similar, or register a domain that looks credible. True to the “typo” part of typosquatting, visually similar domains consist of slight misspellings of either the root domain or the country-code top-level domain. Potentially credible domains will instead add keywords that viewers won’t find suspicious. For example, malicious domains “” and “” might look like:

Malicious Domain Variations

Such domains might seem obviously fake when examined with scrutiny, but even these examples could be surprisingly effective. Malicious actors know that the most effective attacks are those based on human predispositions, some of which are to be trusting of visual cues and inattentive in routine situations. If a webpage and its domain look similar enough to what an individual is accustomed to then it is unlikely to raise any red flags.

To investigate the widespread use of malicious domains, the Anomali Labs Team released a report of the Financial Times Stock Exchange 100 (FTSE 100 Index). The Anomali Labs Team examined the FTSE 100 companies over a period of three months and found 81 of the 100 companies had potentially malicious domain registrations against them. A total of 527 malicious domains were detected.

Industries with the highest instances of domain name compromise

What to do About Typosquatting

So what can companies do in response to such a frequent and effective attack? As always, educating employees on the possibility of false domains is critical. Companies can also take large-scale measures to ensure that their brand is protected.

For one, organizations can purchase any domains similar to, or affiliated with, their own. Think of any large company and it is likely that they currently own “theircompanyname”. This is a time-consuming endeavor, but ultimately worthwhile as it prevents malicious actors from forcing them into buying the domain or using it to garner negative publicity.

Unfortunately, many companies are often unable to anticipate which domains might be used against them, and the creativity of malicious actors to dream up confusing or damaging domains seems unlimited. Or they are simply too slow to the draw and those domains have already been registered. In this case organizations can work with any number of 3rd party services to issue take down notices. Companies like Verizon, Lufthansa, and Lego are known to aggressively chase down typosquatters, with Lego having spent upwards of $500,000 to get malicious domains taken down.

Companies can also block any known malicious domains in their proxies or email security products, which protects employees from phishing scams. In this case the malicious domain might not be a lookalike of their own; it could be any known phishing site. If such a domain is found, organizations may wish to triage the registrant information to see if there are other associated domains targeting the company.

One of the more effective tools for researching and monitoring malicious typosquatting is a Threat Intelligence Platform (TIP). The ThreatStream platform from Anomali provides users the ability to define base domains – the platform will monitor existing and newly registered domains and flag any similarities. The tool also provides the ability to define more complex pattern detection via Regular Expression matching. A machine learning algorithm is used to make the search for new domain registrations more sophisticated, and those found are added to individual customer threat bulletins. The Anomali Labs team also provides a feed of domains registered by disposable domains that customers can access.
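The monitoring pattern described above (define a base domain, generate the misspelled and keyword-padded variations, and flag newly registered domains that match, with regular expressions for the more complex patterns), as an added example written for this page. It is not ThreatStream’s code; the base domain, the lookalike table, the keyword list and the “newly registered” feed are all constructed, and `example.com` is used as the brand being protected.

```python
import re

# Constructed lists; a real deployment would tune these per brand.
KEYWORDS = ["login", "secure", "support", "account"]
TLDS = ["com", "co", "net", "org", "cm", "co.uk"]
LOOKALIKES = {"l": ["1", "i"], "o": ["0"], "i": ["1", "l"],
              "e": ["3"], "a": ["4"], "s": ["5"]}

# Constructed stand-in for a newly-registered-domains feed.
NEW_REGISTRATIONS = [
    "exmple.com", "example-login.net", "unrelated.org",
    "examp1e.com", "examplehelp.net", "example.com",
]


def typo_variants(label: str) -> set:
    """Misspellings and keyword paddings of one domain label (no TLD)."""
    variants = set()
    n = len(label)
    for i in range(n):
        variants.add(label[:i] + label[i + 1:])                    # omission
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])     # doubled character
        if i < n - 1:                                              # transposition
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        for sub in LOOKALIKES.get(label[i], []):                   # lookalike substitution
            variants.add(label[:i] + sub + label[i + 1:])
    for kw in KEYWORDS:                                            # credible-looking padding
        variants.update({label + kw, label + "-" + kw, kw + label, kw + "-" + label})
    variants.discard(label)
    variants.discard("")
    return variants


def candidate_domains(base: str) -> set:
    """Every variant label under every watched TLD, plus the base label on other TLDs."""
    label = base.split(".")[0]
    out = set()
    for lab in typo_variants(label) | {label}:
        for tld in TLDS:
            domain = f"{lab}.{tld}"
            if domain != base:
                out.add(domain)
    return out


def match_registrations(base: str, registrations, extra_patterns=()) -> list:
    """Flag registrations that are typo variants of base or match an extra regex."""
    candidates = candidate_domains(base)
    regexes = [re.compile(p, re.IGNORECASE) for p in extra_patterns]
    hits = []
    for d in registrations:
        d = d.lower().rstrip(".")
        if d in candidates:
            hits.append((d, "typo-variant"))
        elif any(r.search(d) for r in regexes):
            hits.append((d, "regex"))
    return hits


if __name__ == "__main__":
    for hit in match_registrations("example.com", NEW_REGISTRATIONS,
                                   [r"^example[-.]?(portal|help)\d*\."]):
        print(hit)
```

The same candidate set can be fed to a proxy or mail-gateway blocklist, which is the blocking step the article mentions, and the regex list is where brand-specific patterns (product names, regional sites) belong.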

Once a malicious domain is identified, users can then attempt to identify the country of origin, other domains they’ve created, and all IPs associated with the domain. This allows companies to not only investigate suspicious domains, but also to predict a potential attack vector. For example, with the right tools you can discover that a typosquatted domain belongs to an actor who has registered other malicious domains, uses a specific set of IP addresses, and is known to utilize a particular type of attack (phishing, malware, etc). With this information you can then apply appropriate firewall, SIEM, endpoint, IDS/IPS, etc. rules to block and/or monitor for suspicious activity.

Bad domain monitoring

Taking brand monitoring a step further, organizations should also scan the Dark Web for mentions of corporate domains. Anomali automates this type of scanning and keyword matching and will also scan the Dark Web for internal project names (yes, like the ones you’d hear in movies), mentions of executive names or emails, and the company’s public IP ranges.

Concluding Summary

Malicious actors do damage to a company’s reputation and steal data by typosquatting. This tactic relies on predictable human behaviors, and is best mitigated through education, research, and tighter regulations. A Threat Intelligence Platform can simplify the process, and ultimately protect employees, customers, and brands.

Similar reports to the FTSE 100 were conducted for the DAX 100 and OMX 30.


Anomali Weekly Threat Intelligence Briefing – April 18, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Shoney’s Hit by Apparent Credit Card Breach (April 14, 2017)
Multiple sources in the financial industry have reported patterns of fraud on their customers’ credit cards that were used at Shoney’s restaurant locations, according to researcher Brian Krebs. The restaurant chain consists of approximately 150 locations that are mostly located in southern states throughout the U.S. Best American Hospitality Corp. released a statement confirming that malware was identified on some of its Point of Sale (POS) terminals. The company believes that an unknown number of terminals were compromised from December 27 to March 6, 2017, resulting in the theft of the cardholder name, card number, expiration date, and internal verification code.
Recommendation: Customer-facing companies that store credit card data must actively defend against POS threats and stay on top of industry compliance requirements and regulations. All POS networks should be aggressively monitored for these types of threats. In the case of malware infection, the affected networks should be repopulated, and customers should be notified and potentially offered fraud protection to avoid negative media coverage and reputational damage.
Tags: POS, Credit card theft

“Callisto Group” Advanced Threat Actor Identified (April 13, 2017)
F-Secure researchers have published a new report detailing activity of an advanced threat actor called “Callisto Group” which they believe has never been previously identified. The group is believed to have been active since at least 2015. Callisto uses both phishing emails that are designed to steal user credentials as well as others that contain malicious attachments. Researchers claim the malware is associated with the Italian software company “HackingTeam.”
Recommendation: Spear phishing emails represent a significant security risk because the sending address will often appear legitimate to the target; sometimes a target company email account is compromised and used to send such emails. Education is the best defense: inform your employees what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phishing

New Breed of Cerber Ransomware Employs Anti-Sandbox Armoring (April 12, 2017)
Researchers have discovered a new strain of the Cerber ransomware that has sandbox detection abilities. The malware will execute in different ways when being hooked to APIs in a sandboxed environment such as crashing the hooking module, calling useless window APIs in a long loop, and stealing API addresses from the main executable.
Recommendation: If you run your own malware sandbox you may want to open MS Word (and other Office applications) and open and close several documents in order to populate the Recent Documents list. Also, consider running your Sandbox from a consumer grade cable or DSL line instead of using Amazon or other SaaS providers. Lastly, if you are a security company, you probably should not be sandboxing malware from systems whose IPs are easily associated with your company.
Tags: Ransomware

Mole Ransomware Distributed Through Fake Online Word Docs (April 12, 2017)
A new spam email campaign has been discovered to be distributing a new strain of the CryptoMix ransomware family dubbed “Mole.” The emails are masquerading as shipment notifications that imply that an item was not able to be delivered and offers a link for additional information, according to researcher Brad Duncan. The link directs the recipient to a Word document that requests that a new plugin version is needed to properly read the document, but will actually begin to execute the ransomware.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Additionally, educate your employees on the dangers of spam emails and have policies in place regarding who to contact when a malicious email has been identified.
Tags: Ransomware, Phishing, Malspam

Cybercriminals Target Amazon Third-Party Sellers with Password Reuse Attacks (April 11, 2017)
Cybercriminals have been able to gain access to active third-party seller accounts on Amazon by testing previously stolen passwords against them. Actors are then changing the bank account details in order to transfer the revenue from online purchases to their own accounts. Actors are also identifying old and unused third-party accounts and promoting offers with substantial discounts, and again diverting the funds to their own accounts.
Recommendation: It is important that your company and employees use different passwords for the different accounts that are being used. As this story portrays, previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts. Furthermore, policies should be in place that require your employees to change their passwords on a frequent basis.
Tags: Breached accounts

Ewind – Adware in Applications’ Clothing (April 11, 2017)
Unit 42 researchers have been observing a mobile adware campaign targeting Android users since mid-2016, and have released information on how the actors behind the adware “Ewind” operate. The actors download a legitimate application, decompile it, add their malicious features, then repackage the Android Application Package (APK). When users install the application they are infected with Ewind, which displays advertisements to generate revenue for the actors; however, researchers have also discovered that the malware is capable of stealing information and remotely controlling an infected device.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores.
Tags: Adware, Malware

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day (April 10, 2017)
A new spam campaign has been identified that is sending millions of emails in an attempt to distribute malware for the Dridex botnet. According to Proofpoint researchers, the campaign is primarily targeting organizations located in Australia. The actors behind the campaign are exploiting a new zero-day that affects Microsoft Word. The emails in this campaign carry Word Rich Text Format (RTF) documents which, if opened, are capable of executing processes to install the Dridex banking trojan.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Dridex, Malspam, Zero-day

Alleged Spam King Pyotr Levashov Arrested (April 10, 2017)
Pyotr Levashov, believed to be behind the alias “Severa,” has been arrested while vacationing in Spain with his family. Severa was a well-known figure on Russian cybercrime websites, where he was the moderator of several spam-related forums. The U.S. Justice Department believes that Levashov is the partner of American spammer Alan Ralsky, who ran schemes to inflate the value of penny stocks. Researcher Brian Krebs contends that Severa was also behind multiple operations in which he paid virus writers and spammers to install fake anti-virus software onto victims’ machines.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: Spam, Botnet

British Payday Loan Firm Wonga Suffers Data Breach (April 10, 2017)
Threat actors have managed to breach the payday loan firm “Wonga,” located in the U.K., according to a statement from the company. Actors have gained access to information consisting of bank account numbers, full names, email addresses, home addresses, partial payment card numbers, phone numbers, and sort codes. This breach is believed to affect approximately 270,000 current and previous customers in Poland and the U.K.
Recommendation: Bank accounts and credit card numbers should be protected with the utmost care, and only used with vendors that you trust to keep your information in compliance with the relevant standards. Regular monitoring of financial accounts in addition to identity protection and fraud prevention services can assist in identifying potential theft of data.
Tags: Data breach

Hackers Steal Customer Card Data From GameStop (April 10, 2017)
The video game retail company “GameStop” has acknowledged that a breach has taken place that resulted in credit card information being stolen from gamestop[.]com. Two sources in the financial industry informed researcher Brian Krebs that reports from a credit card processor made it appear that GameStop had been compromised since at least September 2016. Researchers believe that due to the length of the breach, it is possible that other sensitive information was also stolen from GameStop customers.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Website, Compromise

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Cerber Ransomware Tool Tip
Cerber is ransomware that surfaced in January of 2016. Cerber is sold on hacking forums and criminal bulletin board systems. Cerber has been in constant development with version 4 being released around the month of October of 2016. Cerber has been distributed through phishing lures, exploit kits and malvertisement.
Tags: cerber, ransomware

Source: Honeypot Tech

Shedding Some Light on the Dark Web

Underground markets may have originated in the era of Internet Relay Chat (IRC), but the appearance of cryptocurrencies such as Bitcoin and anonymous communication networks such as TOR has allowed these markets to develop far past their genesis. Darknet forums are now a very efficient platform through which to conduct illegal business. Some forums are accessible only via the TOR network, while others are only accessible via traditional web browsing (clearnet). These forums offer a variety of real-world and digital items, ranging from illicit drug sales, counterfeit items (passports, driver licenses, bank notes), and weapons, to services such as carding (credit card fraud), PII (personally identifiable information) fraud, zero-day exploits, botnet services, and bulletproof hosting.

Gaining access to some of these forums can be a complicated ordeal, and forums with more extreme vetting tend to have a higher quality of malicious activity. A user might have to compromise and deface a web site of the forum’s choice to gain a full profile, or create a new variant of ransomware. This is suspected to be a primary cause of the recent outbreak of ransomware. Due to the illicit nature of the content and services offered it’s not uncommon for a site to be populated with decoy users from both criminals and law enforcement personnel.

Below we’ll explore the terminology, services, and quality of some of the dark web’s more popular forums. Just don’t get any ideas…


The underground is filled with a heavy amount of jargon and slang that may be unfamiliar. Here are some common terms:

  • Crypters – tools that encrypt malware in order to bypass detection by Antivirus engines
  • Binders – tools used to trojanize a legitimate program with a malware sample
  • Zero-Day exploits – techniques that exploit previously unpatched vulnerabilities, used by attackers to gain unauthorized access to computing systems.
  • “FUD” – “fear, uncertainty, and doubt” in the mainstream security world; on underground forums it means “Fully UnDetectable”
  • “Rippers” – actors on forums identified as ripping off and scamming other users without delivering useful services or contraband

The table below shows a list of common underground marketplaces.

Marketplace Name   Marketplace URL                    Tor Site   Clearnet Site   Currency Used
Sky-Fraud          http://bcbm4y7yusdxthg3.onion/     yes        yes             BTC
Lampeduza          -                                  no         yes             BTC
(name not given)   -                                  no         yes             BTC
LeakForums         -                                  no         yes             BTC, Paypal
HackForums         -                                  no         yes             BTC, Paypal
TheRealDeal        http://trdealmgn4uvm42g.onion      yes        no              BTC
Alphabay           http://pwoah7foa6au2pul.onion      yes        no              BTC

Sky-Fraud Underground Forum

Sky-Fraud is a Russian underground forum that has been in operation since 2014. Its user base consists of 26k active users, split between Russian and English speakers.

Access: Free without vetting. This forum is easy for scammers, non-reputable members, law enforcement, and security researchers to access.

Services/Items Offered:

  • Escrow services
  • Bulletproof hosting services.
  • PII (Personal Identifiable Information) and CC (Credit Card) data.
  • Botnets, Exploits, and Malware.
  • BlackHat SEO (Search Engine Optimization) and Web design.
  • Payment Systems: BTC (Bitcoin), Paypal, Webmoney, Entropay

Trustworthiness/Quality: The data found in this forum seems to be low fidelity given the number of amateur hackers that operate on the site.

Lampeduza Underground Marketplace

Lampeduza is a Russian underground forum. This site was previously discussed in 2013 by krebsonsecurity when one of the forum members `rescator` was involved in the sale and distribution of breach related data of a large retailer. In addition, Lampeduza seems to be strongly related with the notorious carding forum `rescator[.]cm`, where credit card data related to the massive series of 2013 retailer breaches was offered for sale.

Access: $50 registration fee plus an invitation code

Services/Items Offered:

  • Carding
  • Dump services
  • Overall credit card fraud
  • Hacking
  • Anonymization practices
  • Spam
  • Black Hat SEO (Search Engine Optimization)

Trustworthiness/Quality: Data offered in this marketplace seems to be of medium value, which challenges prospective buyers to discern which vendors are credible. The site offers a reputation system in which users can voice complaints, and action can be taken against the vendor if needed. This is a common feature amongst many of the anonymous marketplaces.

Marketplace is a Russian-language hacking forum that resembles the operations of other hacking forums such as LeakForums and HackForums. It has been in operation since 2007, with around 35k total users. Some areas discussing non-criminal activities are readable by the public, including discussions on web design, programming, and hardware. Other sections, such as security and hacking, virology, anonymity, and the marketplace, require a valid user account.

Access: Free, but need to be vouched for by an existing member who can communicate in the forum’s Russian internet slang. Due to a closed registration process, this forum is less polluted with fake accounts.

Services/Items Offered:

  • Carding services
  • Bulletproof hosting
  • Malware distribution services
  • Zero Day Software vulnerabilities
  • Malware such as exploit kits, Trojans, and crypters

Trustworthiness/Quality: Much of the value derived from this marketplace lies in the relationships between highly-connected users. Many of the real users have multiple profiles on other forums. Out of the 35k total users on the site: 

  • 36 users are vendors.
  • Only 1 user has an admin designation.
  • Only 5 users are moderators.
  • 54 users are verified users.
  • 43 users are specialists.

This proportion of real, active accounts to non-active accounts is fairly common amongst forums. It is also compounded by the anonymity of the users. The blacklist complaint threads are useful for weeding out rippers, but this leads to heavy turnover in vendors. Successful vendors appear to have strong relationships with one another in other forums or venues, allowing them to vouch for one another. It is likely due to this high turnover that the more interesting vendors seem to create a new profile with new contact information each time they offer new items for sale.

LeakForums Marketplace

Leakforums surfaced on the hacking scene in 2011, and currently has 1 million users. This marketplace is an initial source of many leaks, and is useful for obtaining copies of well-known malware such as ORCA or Adwind. LeakForums specializes in leaks related with PII, social media accounts and the trade of paid hacker tools (Keyloggers, RATs, Crypters, and Binders).

Access: Free without vetting

Services/Items Offered:

  • Malware including Njrat, Adwind, and Orcus (free for registered users)
  • Serial keys for commercial programs (including MS Windows, MS Office, Antivirus engines)
  • Stolen Credentials (social media accounts)
  • Hacked databases (Streaming service database leaks)
  • Cracked programs of well-known trojan programs (including Njrat, Adwind, Orcus)

Trustworthiness/Quality: The quality of the data found in this marketplace is very low, and the quality of the forum itself debatable. This is partially due to a high number of amateur criminals attempting to increase their profile but selling very low quality tools. This site also lacks the reputation system that the more mature markets like Alphabay and TheRealDeal have, which makes it harder for a potential buyer to trust in the vendor.

HackForums Marketplace

HackForums is one of the longest running hacking forums of the internet, and is notorious for housing a large number of amateur hackers. It was founded in 2006 and has approximately 600k total users. The forum covers several topics in information security such as hacking, programming, computer games, web design, and web development, as well as the sale of hacking tools and services. Hackforums was spotlighted this year after the MalwareHunterTeam noted a campaign that appeared to originate from here that used the ORCUS RAT. Krebsonsecurity published an additional article on the authors behind this malware as well.

Access: Free without vetting. This forum is prone to a high number of fake profiles, amateur criminals, scammers, and law enforcement personnel.

Services/Items Offered:

  • Stresser services (e.g. DDoS (Distributed Denial of Service) programs)
  • RAT (Remote Access Tools)
  • Stolen Social Media accounts (including Facebook, Twitter, and YouTube)
  • Crypters (tools that obfuscate malware from Antivirus engines)
  • VPS (Virtual Private Server), VPN (Virtual Private Network), and hosting services.

Trustworthiness/Quality: Similar to LeakForums, the quality of the data found in this marketplace is very low. This is likely due to the lack of a reputation system or initial vetting of users. This marketplace is useful, though, for downloading a fresh copy of a given RAT builder to help build detection capabilities.

TheRealDeal Marketplace

TheRealDeal is a dark web market that began with an emphasis on zero day exploits. In 2016 this marketplace rose to the public’s attention after several data dumps that involved high-profile organizations. These dumps were offered by a single reputable member of this forum, peace_of_mind.

Access: Free without vetting. Many non-reputable members, security researchers, or law enforcement personnel are part of the marketplace.

Services/Items Offered:

  • Weapons
  • Counterfeit items (bank notes, passports, driver’s licenses)
  • Stolen credit card data
  • Hacked database dumps
  • Illicit drugs (MDMA, LSD, pharmacy, cocaine)
  • Exploits: FUD (Fully UnDetectable by antivirus engines), one-day (vulnerability that has been disclosed but not patched) and zero-day (vulnerability that hasn’t been disclosed).

Trustworthiness/Quality: The quality of services in this marketplace is mixed. Each vendor’s reputation can be determined by their rank as well as the feedback provided in their profile, which means that potential customers must do more research into each vendor. The marketplace also offers the multisig transaction method to provide additional security. There is also a more restricted forum that accompanies the Real Deal which hints at further illegitimate activities (although these activities are hard to verify).

Alphabay Marketplace

The Alphabay market is a newer forum that has sustained considerable growth since its start in 2014. The Tor based market currently houses 240k users.

Access: Free without vetting. Its user base consists of a considerable number of suspected security researchers and non-reputable users.

Services/Items Offered:

  • Dumps (databases containing credit card data), Bank drops, CVV (card verification value number) and CC (credit card) data
  • Illicit drugs
  • Weapons
  • Counterfeit items (bank notes, passports, driver’s licenses)
  • Courses on how to make money through illicit activities
  • Malicious software: Exploits, Exploit Kits, botnets.

Trustworthiness/Quality: The quality of the products is varied. It’s up to the potential buyer to ensure the vendor has the highest vendor level and trust level. The quality of Credit Card data and Personal Identifiable Information sold in this forum depends upon the vendor. Some of that data comes from compromised e-commerce sites as well as compromised point of sale terminals. Alphabay ensures transactions are secure and seamless by offering the multisig transaction method, and two factor authentication to access the marketplace.

Alphabay also offers what is called Digital contracts. Digital contracts are a system that utilizes the user reputation system to decrease the risk in transactions. Each contract has a cost of five dollars paid to the market admins, although the content of the contract is at the discretion of the users. Digital contracts don’t necessarily eliminate scamming in its entirety, but do help to build trust among members. One interesting aspect of AlphaBay is that it allows users to access the marketplace programmatically via an API.


Underground markets offer a variety of services that are very attractive to criminals from all walks of crime. They provide a fascinating view of how underground economies operate to anyone that has access to a web browser and TOR. Most of the market places are of questionable value, but there are a few handfuls of reputable criminals operating within the forums. The most useful markets are extremely exclusive and hard to access, but the open markets offer an initial view into these communities.

Source: Honeypot Tech

The New and Improved Anomali Threatstream Splunk App

Over the past few months I have had the opportunity to talk to so many Anomali customers using our Splunk Commercial App to seamlessly match their data against Threatstream Indicators of Compromise (IOCs). It has been great to see the excitement around the dashboards and insights our app offers that have been able to immediately identify malicious activity then significantly reduce the investigation and troubleshooting time for analysts.

That said, the ways users interact with Splunk Apps for security, fraud, and compliance use-cases vary significantly, since no organisation is identical. As such, we’ve received lots of customer feedback for new features (email us your requests).

Today we’re thrilled to announce the new and improved Anomali Threatstream Commercial Splunk App 6.0. In this post, I want to cover some of the cool new features we added in this release.

Expanded context-relevant threat intelligence

Threatstream users know and love the context provided for each IOC, including actor and threat bulletin information. We’ve now added actor and threat bulletin information to our Splunk App. You can now understand if you’re suffering a more serious targeted attack from known advisories to help you better prioritise matches.

Enhanced and Updated Dashboards 

To help users investigate IOC matches we’ve included lots of new dashboards and views, including the ability to filter and pivot on panels. Ultimately, you want to review IOC matches as quickly and accurately as possible. We’ve reduced the number of steps required for you to analyse any potential threats.

Integration with Splunk Enterprise Security

Splunk’s Enterprise Security App is one of the most widely used SIEM products on the market today. Many of our customers utilise the app’s Incident Review functionality. To avoid disrupting existing workflows, users can now lookup events that triggered a notable event against IOCs, all within Splunk’s Enterprise Security App.

Supercharged searches

All our IOCs are now stored in Splunk KV Stores. I won’t bore you with the technical details here, the important thing is you’ll now see matches are performed much faster than in previous iterations of our app. You can now respond to incidents as they happen.

Available to download now…

Threatstream users can download the updated Anomali Threatstream Splunk Commercial App via the Threatstream download page here.

Let us know what you want us to build next

Source: Honeypot Tech

Forget the Tax Man: Time for a DNS Security Audit

Here’s a 5-step DNS security review process that’s not too scary and will help ensure your site availability and improve user experience.
Source: Cyber Monitoring

Anomali Weekly Threat Intelligence Briefing – April 11, 2017

Figure 1: IOC Summary Charts.  These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

REMCOS Backdoor Tool Tip
The REMCOS Backdoor is a publicly available Remote Access Tool. It has been available since 2016 and is under active development. The author, who goes by _Viotto_, offers both free and paid versions at their website ``. REMCOS is currently being used in the wild with malicious intent despite the author’s claims that the tool is for legitimate use only.

Source: Honeypot Tech