Anomali Provides Threat-Sharing Expertise Before Congress

Cyber Threat Intelligence provider Anomali appeared before Congress on Wednesday, November 15th to provide threat-sharing expertise before the U.S. House of Representatives Homeland Security Committee. The purpose of this hearing was to discuss methods for improving the value of cyber threat information shared by the government and increasing participation of threat-sharing with the private sector.

Anomali was the first company to automatically share threat intelligence with the Department of Homeland Security’s Automated Indicator Sharing program (AIS), and the only cybersecurity vendor invited by the Homeland Security Committee to testify before Congress. Anomali was represented by Patricia Cagliostro, Federal Solutions Architect Manager.

Ms. Cagliostro began by explaining the current state of cyber threat intelligence sharing in the private sector, citing the 2017 Ponemon Institute Report, The Value of Threat Intelligence: A Study of North American and United Kingdom Companies that included over 1000 respondents. According to the report, 80% of organizations use threat intelligence, with 84% identifying threat intelligence as essential to a strong security posture.

Ms. Cagliostro continued by describing two key factors noted within the study that deter cyber threat intelligence sharing: excessive volumes of threat data (cited by 70% of respondents) and a lack of threat intelligence expertise. In regard to the first issue, Ms. Cagliostro noted the benefits of using a threat intelligence platform to manage large quantities of data and streamline the sharing process. The second issue, a lack of threat intelligence expertise, was identified as the primary reason organizations do not share intelligence. The following statistics from the report show a concerning trend for government-led initiatives such as the DHS’ AIS.

Organizations that reported sharing intelligence – 62%
Organizations that reported sharing intelligence with trusted security vendors – 50%
Organizations that reported sharing with trusted peer groups – 43%
Organizations that reported sharing with the government – 30%

Organizations are often unaware of what constitutes useful intelligence, Ms. Cagliostro explained, and are afraid of looking immature for sharing irrelevant information. This is especially true in the small and mid-sized market. Many are concerned with providing “net-new indicators,” although providing additional context for existing indicators could prove useful for companies within the same industry verticals. Many organizations already participate in same-industry or region sharing initiatives such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Anomali acts as the trusted partner for many of these ISACs and Information Sharing and Analysis Organizations (ISAOs).

In regard to the DHS’ sharing program, Ms. Cagliostro explained that “the level of effort to share intelligence within the program and lack of expertise in threat intelligence act as barriers to entry through AIS.”

Organizations connecting to AIS must:

1) Sign a terms of use document
2) Set up a TAXII client
3) Purchase a PKI certificate from a commercial provider
4) Provide their IP address to the DHS
5) Sign an Interconnection Security Agreement

This process can take private organizations weeks to complete because of legal reviews and change control processes. In the public sector it can be even more time-consuming, because additional processes and requirements lengthen the time needed to bring new technologies online.

Once connected to AIS, organizations often find it difficult to share intelligence. There are a variety of methods available for sharing within the program, but each adds an additional task for overburdened analysts outside of their typical workflow. Organizations that already struggle with limited resources are not likely to expend further time and effort to stand up additional technology for little perceived gain.

Beyond the operational aspects, these analysts and security personnel such as Chief Information Security Officers (CISOs) must justify sharing intelligence to executives. Ms. Cagliostro explained, “Information sharing is a cost like any other process, new tool, or technique that is brought online. In order for that cost to make sense we have to empower organizations with the answer for the ROI question.”

The answer to that ROI question could be one of the government’s unique advantages – unmatched visibility. This is something that cannot be developed by companies internally, nor bought from a vendor. Up until now, though, the DHS has struggled to supply large quantities of high-quality and high-context indicators. Information is declassified at a slow rate, and the context that would make intelligence actionable is often missing. Ms. Cagliostro offered accelerating and increasing the declassification of information as a possible solution for the DHS, as well as converting the process from manual to machine-to-machine. Part of accelerating the declassification process could include aggregating publicly available information to determine which indicators already exist in the public domain. Such intelligence (barring more sensitive information such as the association to an actor and how the information was obtained) could then be released.

Throughout her testimony and responses, Ms. Cagliostro encouraged the DHS to make threat sharing as simple and mutually beneficial a process as possible.  

“When I first started at Anomali, people often asked how we forced people to share intelligence.  People assumed that when we talked about sharing, we had to be forcing people because no one would choose to share unless they had to.  Our approach wasn’t to force people to share, but to create an environment where sharing was easy and organizations received value.

The AIS program has come a long way since its inception and, as the barriers to entry are reduced, more organizations will participate and increase the quality of the data provided.”   


Source: Honeypot Tech

Death of the Tier 1 SOC Analyst

Say goodbye to the entry-level security operations center (SOC) analyst as we know it.
Source: Cyber Monitoring

Deception Technology: Prevention Reimagined

How state-of-the-art tools make it practical and cost-effective to identify and engage attackers in early lateral movement stages to prevent them from reaching critical systems and data.
Source: Cyber Monitoring

WTB: New Banking Trojan IcedID Discovered

The intelligence in this week’s iteration discusses the following threats: Business Email Compromise, Financial theft, Malspam, Phishing, Ransomware, Threat group, Trojan, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Banking Trojan IcedID Discovered (November 13, 2017)
IBM X-Force researchers have published information regarding a newly identified banking trojan, dubbed “IcedID,” that was first found in September 2017. Researchers note that the malware has similar banking trojan capabilities as the notorious “Zeus Trojan.” At the time of this writing, the malware is targeting banks, mobile services providers, payment card providers, payroll, in addition to ecommerce and webmail websites. IcedID has been observed being distributed via the “Emotet” trojan, which is distributed via malspam emails that typically contain files with malicious macros.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that ask the recipient to open a file attachment should be avoided.
Tags: Malspam, Malware, Emotet, Banking trojan, IcedID

Windows Movie Maker Scam Spreads Massively due to High Google Ranking (November 13, 2017)
Threat actors are distributing malicious versions of the “Windows Movie Maker,” Windows free video editing software, with the objective of stealing money, according to ESET researchers. The actors are distributing the malicious Movie Maker, which was discontinued in January 2017, via search engine optimization of the actor’s website in Google search results. As of this writing, the website responsible for distributing the malicious Movie Maker version appears on the first page of a Google search for “movie maker,” and is also located on the first page of results from the “Bing” search engine. If the fake Movie Maker is downloaded, users receive a functioning product, however, this version claims that the user needs to upgrade to the full version for $29.95 USD.
Recommendation: Any free product should be researched carefully prior to installation, so that features that should not be in the product, such as a paid version of Movie Maker, are easier to identify. Furthermore, search engine results should not be taken at face value because, as this story shows, search engine results can sometimes point to malicious locations. Users should navigate to the official website of the creator/owner of the product for download and installation.
Tags: Impersonation, Microsoft Movie Maker, Financial theft

New Cobra Crysis Ransomware Variant Released (November 10, 2017)
Researchers have found what appears to be a new variant of the “Crysis/Dharma” ransomware. As of this writing, it is unknown how the actors are distributing this malware. However, researchers note that previous Crysis variants were distributed by compromising Remote Desktop Services and a subsequent manual installation of the ransomware. Encrypted files have an extension appended in the format “.id-[unique_id].[cranbery@colorendgrace[.]com].cobra”. It will also encrypt mapped network drives and unmapped network shares.
Recommendation: As shown in this story, it is important to make sure corporate network shares are locked down and only those who need files have access. Always run antivirus and endpoint protection software to assist in preventing ransomware infection. Maintain secure backups of all your important files to avoid the need to consider payment for the decryption key. Emails received from unknown sources should be carefully avoided, and attachments and links should not be followed or opened. Your company should sustain policies to consistently check for new system security patches. In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be created to assist in dealing with ransomware infections.
Tags: Ransomware, Cobra Crysis, Remote Desktop Services

Eavesdropper: The Mobile Vulnerability Exposing Millions of Conversations (November 9, 2017)
Appthority researchers have identified a vulnerability, dubbed “Eavesdropper,” that affects approximately 700 applications. The vulnerability resides in developers hard coding credentials in applications that use the “Twilio REST API” or “Twilio SDK.” Researchers state that “the developers have effectively given global access to the text/SMS messages, call metadata, and voice recording from every app they’ve developed with the exposed credentials.” The applications affected by this vulnerability are 44% Android and 56% iOS, and are associated with 85 Twilio developer accounts. The credentials in vulnerable apps were found by using YARA to find the string “twilio,” which was listed beside the plaintext account ID and token.
Recommendation: This vulnerability is worrying because it has the potential to expose sensitive information that could be stolen and subsequently sold by threat actors, or potentially lead to an information ransom scenario. This vulnerability arose because of developers failing to follow the documented guidelines set out by Twilio. Developers should always follow secure guidelines and avoid hard coding any form of credentials in an application. This vulnerability affects many applications, of which 33% are business related. Companies should identify applications that are used internally, and cease the use of the applications until the vulnerability has been addressed. Furthermore, companies should have policies that disallow employees from using applications for company-related work that have not been approved by the company.
Tags: Vulnerability, Mobile, Data leak
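The detection approach the story describes (find the string “twilio” sitting next to a plaintext account ID and token) can be reproduced as a defensive secret-scanning check over strings pulled from an app package or a source tree. The following is an added example, not Appthority’s YARA rule and not code from the original post; the sample strings, the `mask` helper and the `find_twilio_credentials` function are constructed for illustration, and the ID/token shapes (an Account SID of “AC” plus 32 hex characters, a 32-hex-character auth token) follow Twilio’s documented formats:

```python
import re

# Constructed sample of strings extracted from a mobile app package (not a real app);
# the ID and token are made-up values in Twilio's documented shapes.
SAMPLE_STRINGS = """\
com.example.app.BuildConfig
TWILIO_ACCOUNT_SID=AC0123456789abcdef0123456789abcdef
TWILIO_AUTH_TOKEN=fedcba9876543210fedcba9876543210
https://api.twilio.com/2010-04-01/Accounts/
DEBUG_BUILD=false
"""

# Twilio Account SIDs are "AC" followed by 32 hex characters; auth tokens are 32 hex characters.
# The look-around assertions stop a longer hex blob from matching by accident.
SID_RE = re.compile(r"(?<![0-9A-Za-z])AC[0-9a-fA-F]{32}(?![0-9A-Za-z])")
TOKEN_RE = re.compile(r"(?<![0-9A-Za-z])[0-9a-fA-F]{32}(?![0-9A-Za-z])")


def mask(secret: str) -> str:
    """Keep only the first and last four characters so a report never re-leaks the secret."""
    return secret[:4] + "..." + secret[-4:]


def find_twilio_credentials(blob: str, window: int = 3) -> list:
    """Scan extracted strings for a Twilio Account SID that sits within `window` lines
    of the word 'twilio' and of a token-shaped 32-hex string (the Eavesdropper pattern).
    Returns one finding per SID, with the secrets masked."""
    lines = blob.splitlines()
    findings = []
    for i, line in enumerate(lines):
        sid = SID_RE.search(line)
        if not sid:
            continue
        lo, hi = max(0, i - window), min(len(lines), i + window + 1)
        nearby = lines[lo:hi]
        if not any("twilio" in l.lower() for l in nearby):
            continue  # a bare 34-character string with no Twilio context is not enough
        sid_hex = sid.group(0)[2:].lower()
        # A token is any nearby 32-hex string that is not just the SID's own hex part.
        tokens = [m.group(0) for l in nearby for m in TOKEN_RE.finditer(l)
                  if m.group(0).lower() != sid_hex]
        findings.append({
            "line": i + 1,
            "account_sid": mask(sid.group(0)),
            "auth_token": mask(tokens[0]) if tokens else None,
            # An SID alone lets an attacker identify the account; SID plus token is full access.
            "severity": "high" if tokens else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_twilio_credentials(SAMPLE_STRINGS):
        print(finding)
```

Run over the constructed sample it reports one high-severity finding on line 2. The masking is deliberate: a scanner that writes the full token into a ticket or a CI log simply moves the leak somewhere else.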

LockCrypt Ransomware Spreading via RDP Brute-Force Attacks (November 9, 2017)
The threat actors behind the ransomware “LockCrypt,” which was first discovered in June 2017, have increased their malicious activity to target business-owned servers, according to AlienVault researchers. At the time of this writing, LockCrypt has infected businesses in India, South Africa, the U.K., and the U.S. One business reported that it was infected via a Remote Desktop Protocol (RDP) brute-force attack from a compromised mail/VPN server. The actors are demanding anywhere from 0.5 (approximately $3,443 USD) to 1 (approximately $6,887 USD) Bitcoin for the decryption key per server.
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place in regard to the proper configurations needed for your servers in order to conduct your business needs safely. Additionally, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe). In the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections. Furthermore, a business continuity plan should be in place in the case of a ransomware infection.
Tags: Brute-force attacks, RDP, Ransomware, LockCrypt

Toast Overlay Weaponized to Install Several Android Malware (November 9, 2017)
Trend Micro researchers have discovered a new Android malware family, dubbed “TOASTAMIGO,” that is capable of installing other malware via the “Toast Overlay” attack. Toast is a feature in Android used to display notifications over other applications. The Toast Overlay vulnerability, registered as “CVE-2017-0752,” was issued a patch in September 2017 and affects all Android versions except “Oreo.” The malware that exploits the vulnerability was discovered inside applications impersonating legitimate application lockers that protect apps with a PIN code, one of which was found to have been downloaded approximately 500,000 times, as of this writing. The malicious applications request Accessibility permissions upon installation, which allow them to download additional malware.
Recommendation: All applications should be carefully researched prior to installing on a personal or work machine. Applications that request additional permissions upon installation should be carefully vetted prior to allowing those permissions. Additionally, all applications, especially free versions, should only be downloaded from trusted vendors. The two malicious applications on the app store had a high number of positive, fake reviews. When choosing an application to download, look for reviews with substantive wording, as fake positive reviews commonly offer little context in support of their rating. Also check the application description for correct grammar and spelling; the malicious applications in this case had many errors in their descriptions.
Tags: Android, Vulnerability, Toast Overlay

OilRig Deploys “ALMA Communicator” – DNS Tunneling Trojan (November 8, 2017)
The threat group “OilRig” is using a new version of their malicious “Clayside” delivery document to distribute a new custom trojan dubbed “ALMA Communicator,” according to Unit 42 researchers. The Clayside document was also observed to drop the credential stealing tool “Mimikatz.” This Clayside version is similar to past iterations in that if opened, it will display a worksheet that states that the file was created with a newer version of Excel. The document requests that the user clicks “Enable Content” to properly view the document. If Enable Content is clicked, a malicious macro will run to display the content of the decoy document, while also creating an HTML Application (.HTA) file in which HTML will run a VBScript to download ALMA Communicator.
Recommendation: Files that request content to be enabled in order to view the document properly are often signs of a phishing attack. If such a file is sent to you by a known and trusted sender, that individual should be contacted to verify the authenticity of the attachment prior to opening it. Any such file attachment sent by an unknown sender should be viewed with the utmost scrutiny, and the attachment should be avoided and properly reported to the appropriate personnel.
Tags: Threat group, OilRig

Hijackers Deface 800 School Websites with Pro-Islamic State Messages (November 8, 2017)
Jim Brogan, the director of technology services for schools in Gloucester County, Virginia, has confirmed that approximately 800 school websites were directing users to an iFramed YouTube page depicting an Islamic State recruitment video. The attack was accomplished by injecting a file into one of the websites hosted by the web hosting company SchoolDesk. The redirection caused the user to see a picture of Saddam Hussein and hear an audible message in Arabic.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised websites, Defacement

Linux Has a USB Driver Security Problem (November 7, 2017)
Google security researcher Andrey Konovalov has discovered 79 Linux USB-related vulnerabilities. The vulnerabilities can be exploited via a maliciously crafted USB device. Some of the vulnerabilities can be exploited for Denial-of-Service (DoS) attacks, and others can be exploited to allow an actor to elevate privileges and execute arbitrary code. Researchers note that not all of the 79 vulnerabilities have been reported or patched.
Recommendation: Vulnerabilities that can be exploited via a USB drive are in a state of increasing demand because of the corresponding increase in the use of air-gapped systems. Therefore, the use of USB drives is a security risk, and the use of such devices should be limited to only the appropriate personnel who need to use such equipment.
Tags: Vulnerability, Linux, USB

BEC Scammer Stealing Millions From Home Buyers (November 7, 2017)
In early May 2017, the U.S. Federal Bureau of Investigation (FBI) warned homebuyers that threat actors were targeting their email accounts, and now the agency reports that throughout 2017 threat actors have diverted or attempted to divert approximately $1 billion USD. This malicious activity was accomplished by compromising real estate email accounts, monitoring them until a transaction was underway, and then sending a fraudulent request to change the payment type. The payment type was typically changed from check to wire transfer, or the destination account was changed to one controlled by the actors.
Recommendation: It is important that your employees use different passwords for business-related accounts, because actors will often test other accounts with previously stolen passwords. In addition, it is crucial that business accounts use a form of two-factor or multi-factor authentication to make it difficult for actors to compromise accounts.
Tags: Business Email Compromise, Theft

KRACK Whacked, Media Playback Holes Packed, Other Bugs Go Splat in Android Patch Pact (November 7, 2017)
Google has released its security update for November, which addresses multiple vulnerabilities in the Android operating system. Among the vulnerabilities addressed is the critical “KRACK” Wi-Fi key reinstallation flaw that could allow actors to monitor nearby wireless traffic. Overall, 31 vulnerabilities were patched by Google. Nine of those vulnerabilities could be exploited to allow an actor to execute code remotely.
Recommendation: As this story shows, it is important that your company institute policies regarding the software in use and its proper maintenance. New security updates should be applied as soon as possible because they often fix minor bugs that delay workflow as well as critical vulnerabilities that can be exploited by malicious actors.
Tags: Vulnerabilities, Android, Security updates

Phishing Emails Are Being Sent to The Users of Netflix by Hackers (November 6, 2017)
Researchers have found that threat actors are targeting Netflix users with phishing emails. The objective of the campaign is to steal billing data by claiming that the recipient needs to update said information. If the recipient follows a link provided in the phishing email, they will be directed to a fake Netflix page that asks the user to log in and enter their information such as credit card data.
Recommendation: Netflix has stated that it will never ask its customers for personal information in an email. Therefore, if an email purporting to be from Netflix states that personal data needs to be changed or updated, it is likely a sign of a scam. If a user is curious, they should visit Netflix’s official website to check their account status.
Tags: Phishing, Netflix, Data theft

Watch Out: GIBON Enters The Ransomware Space (November 6, 2017)
Proofpoint researcher, Matthew Mesa, has discovered a new strain of ransomware, dubbed “GIBON.” Threat actors are distributing this ransomware via phishing campaigns. The malicious attachments contain macros that will download and execute the ransomware if they are enabled. GIBON targets every file that is not located in the Windows folder. At the time of this writing, there are minimal details discussing the technical features of this new malware, in addition to the ransom demanded for the encryption key.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. In addition, as shown in this story, employees should also be cautious of opening suspicious attachments in emails even if they appear to have been sent from within the company as the Necurs botnet is easily able to spoof email addresses. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution and a business continuity plan in place for the unfortunate case of ransomware infection.
Tags: Phishing, Ransomware, GIBON

Google Releases Security Update for Chrome (November 6, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert warning Google Chrome users to update their web browser as soon as possible. A vulnerability resided in Chrome for Linux, Mac, and Windows operating systems that has been addressed in Chrome version 62.0.3202.89. The vulnerability could be exploited by threat actors to take control of an affected system, according to the US-CERT.
Recommendation: The US-CERT recommends that users and administrators review the Chrome releases page located at “https://chromereleases.googleblog.com/search/label/Stable%20updates” and apply the necessary update.
Tags: Alert, Vulnerability, Google Chrome

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services


Source: Honeypot Tech

Restful Mash-Ups to Help Under-Staffed Infosec Teams

“This article was originally featured on Wire Data on April 2nd, 2017.”

In this post, we will couple ExtraHop’s wire data analytics, Anomali STAXX (a leading threat intelligence solution) and Slack (a cloud-based collaboration platform) to demonstrate how we can use orchestration and automation in a manner that helps today’s under-(wo)manned security teams meet today’s threats with the level of agility needed!

I was fortunate enough to be selected to speak at RSAC 2017 and it was surely a career highlight for me. As several analysts pointed out post-show, automation and orchestration seemed to be the flavor of the year. Over the last 36 months, it has become glaringly obvious that we simply cannot keep bad actors and malicious software off of our networks. I have been preaching the folly of perimeter (only) based security since 2010. The speed with which systems are now compromised and the emergence of the “human vector” through phishing has all but assured us that the horde is behind the wall and needs to be directly engaged. Reliance on logs and SIEM products will give you a forensic view of what is going on, but will do little to be effective against today’s threats, where a system could be compromised by the time the log is written.

While the idea of automation and orchestration is a great one, there are issues with it, and this will not be the first time “self-defending networks” have been brought to market. Bruce Schneier makes a very good point in his “Schneier on Security” blog post when he states the following:

“You can only automate what you’re certain about, and there is still an enormous amount of uncertainty in cybersecurity.” He also makes one of the greatest quotes in INFOSEC history when he states “Data does not equal information and information does not equal understanding.”

Perhaps the battle here is to get to a place of certainty. I too was once an advocate of “log everything and sort it out later,” but the process of sorting through the data became extremely tedious, and the amount of work it took to get to “certainty,” I believe, gave bad actors time to operate while I wrote SQL queries, batch processes and parsing scripts for my context-starved data sets. Couple this with the fact that teams are digitally bludgeoned to death with alerts and warnings, and the “INFOSEC death sentence” starts to take root as people get desensitized to the alerts.

So where do we find certainty and how do we use it?
While the industry is still developing, there have been great strides in Threat Intelligence. ISACs around the world are working together to build shared intelligence around specific threats and making the information readily available via TAXII, STIX and CIF. There is even a confidence level associated with each record that we are able to use as a guide to determine if a specific action is needed. The challenge with good threat intelligence is how we make it usable. Currently most threat intel is leveraged in conjunction with a SIEM or logging product. While I certainly advocate for logs, there are some limitations with them.

  • Not everything logs properly (IoT Systems normally have NO logging at all)
  • You have a data gravity issue (you have to move the data into the cloud to be evaluated or you have to store petabytes of data to evaluate)
  • In some cases, only a small portion of the log is usable (but you pay to index the entire log with most platforms)
  • Their use is largely forensic with many of today’s threats

The case for Wire Data Analytics:
The key difference that I want to point out here is that using Wire Data Analytics with ExtraHop you can perform quite a bit of analysis in flight. ExtraHop “takes” data off the wire and is not dependent on another system to “give” the data to it. The only prerequisite for ExtraHop is an IP address. Examples of how I have made a SIEM more effective using wire data include:

  • Reducing Logging by 5000% by looking at logins by IP and calculating the total THEN sending a syslog message to the SIEM for those IPs with more than 100 logins vs. sending tens of thousands of logs per minute to the SIEM and checking on the back end
  • Checking an EGRESS transaction against threat intelligence THEN sending the syslog if there is a match
  • In an enterprise with tens of thousands of employees, rather than logging EVERY failed login, aggregate records into five-minute increments then send those with more than 5 login failures to the SIEM.
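The third bullet (aggregate failed logins into five-minute increments, then forward only the sources with more than 5 failures) is the same check that would have surfaced the RDP brute-force described in the LockCrypt story earlier on this page. The following is an added example of that aggregation, written by the editor rather than taken from the post or from ExtraHop; the event lines are constructed in a simplified “timestamp outcome source-ip user” shape standing in for real logon records, and the `window_start`, `brute_force_alerts` and `to_syslog` names are the example’s own:

```python
from collections import defaultdict
from datetime import datetime

WINDOW_MINUTES = 5   # five-minute increments, as in the post
THRESHOLD = 5        # forward only sources with MORE than 5 failures per window

# Constructed logon records (not real logs): "<timestamp> <outcome> <source-ip> <user>".
# A single source hammers several accounts within one window, then continues into the next.
SAMPLE_EVENTS = [
    "2017-11-09T10:00:05 FAIL 203.0.113.7 administrator",
    "2017-11-09T10:00:09 FAIL 203.0.113.7 admin",
    "2017-11-09T10:00:31 FAIL 198.51.100.2 jsmith",
    "2017-11-09T10:01:02 FAIL 203.0.113.7 backup",
    "2017-11-09T10:01:44 OK   198.51.100.2 jsmith",
    "2017-11-09T10:02:17 FAIL 203.0.113.7 sqlsvc",
    "2017-11-09T10:02:59 FAIL 203.0.113.7 guest",
    "2017-11-09T10:03:40 FAIL 203.0.113.7 administrator",
    "2017-11-09T10:04:58 FAIL 203.0.113.7 root",
    "2017-11-09T10:05:01 FAIL 203.0.113.7 administrator",  # falls into the next window
]


def window_start(ts: str) -> datetime:
    """Floor a timestamp to the start of its five-minute window."""
    dt = datetime.fromisoformat(ts)
    return dt.replace(minute=dt.minute - dt.minute % WINDOW_MINUTES, second=0, microsecond=0)


def aggregate_failures(lines):
    """Count failures per (window, source IP) and remember which accounts were tried."""
    counts = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        ts, outcome, src, user = line.split()
        if outcome != "FAIL":
            continue
        key = (window_start(ts), src)
        counts[key] += 1
        users[key].add(user)
    return counts, users


def brute_force_alerts(lines, threshold=THRESHOLD):
    """Return one record per (window, source) that exceeds the threshold; these are the
    only events that would be forwarded to the SIEM instead of every raw failure."""
    counts, users = aggregate_failures(lines)
    alerts = []
    for (start, src), n in sorted(counts.items()):
        if n > threshold:
            alerts.append({"window_start": start.isoformat(), "src": src,
                           "failures": n, "distinct_users": len(users[(start, src)])})
    return alerts


def to_syslog(alert) -> str:
    """Render an alert as a single key=value line suitable for a syslog forward."""
    return ("auth-brute-force src={src} window_start={window_start} "
            "failures={failures} distinct_users={distinct_users}").format(**alert)


if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE_EVENTS):
        print(to_syslog(alert))
```

Over the constructed sample, ten raw records collapse into one forwarded line: the source with seven failures across six distinct accounts in the 10:00 window. The single failure at 10:05:01 lands in the next window and stays below the threshold, which is the trade-off of fixed windows; a sliding window catches bursts that straddle a boundary at the cost of more state.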

The point here is that you can deliver some context when you leverage wire data analytics with your SIEM workflows. Using SIEM-only, you must achieve context by aggregating the logs and looking at them after they are written. Using ExtraHop with your SIEM, you are able to achieve context (and more importantly, get closer to Mr. Schneier’s certainty) BEFORE sending the data to the SIEM. You can keep all the workflows that are tied to the incumbent SIEM system, you are just getting better, and fewer, logs. Should I disable an account that has 50 login failures in the last five minutes (Locked out or not)…..HELL YES! While I don’t think that automation and orchestration are a panacea, I think there are SOME cases where the certainty level is high enough to orchestrate a response. Also, I believe that automation and orchestration is not just for responding but can be used to make your SOC more effective.

Now that I have, hopefully, established the merits of using Wire Data Analytics, let’s keep in mind orchestration does NOT have to be a specific action or response. Orchestration can also be used to make your team more agile and hopefully, more effective. Most security teams I come across have at least one, two and in some cases, three open positions. The fact is, at a time when threats are becoming more complex, finding people with the needed skills to confront them is harder than ever. The situation has gotten so bad that the other day I typed “Human Capital Crisis” in Google and it auto-filled “in cybersecurity”. The job is getting tougher and there are fewer of us doing it, what I am going to show you in this post will never replace a human being but it might ease some of the heavy lifting that goes into achieving situational awareness.

PHISHING: “PHUCK YOU, YOU PHISHING PHUCKS!!!”
Anyone who has ever been phished or worked in an organization that is experiencing a phishing/spear phishing campaign has felt exactly as the section title says. Let’s have a look at how we can help our security teams get better data by leveraging the APIs of three unique platforms to warn them when a known phishing site has been accessed.

For those of us who are working too hard to bring context to the deluge of data, my suggestion…get some REST!!! Below I am going to walk you through how I can monitor activity to known phishing sites by doing a mash-up of three technologies using the RESTFUL API of all three platforms.

Solution Roster:

  • ExtraHop Discovery/Explorer appliance
    ExtraHop provides wire data analytics and surveillance by working from a mirror of the traffic. Think of it as a CCTV for packets/transactions.
  • Anomali STAXX Virtual Machine
    Anomali STAXX provides me lists of current threat intelligence. Think of this as equipping the CCTV operator with a list of suspicious characters to look for.
  • Slack Collaboration Community
    Slack provides me a community at packetjockey.slack.com where my #virtualsoc team operates from anywhere in the world.
  • A Python peer (Windows or Linux)
    This is the peer system that accesses the threat intelligence and pulls it off of the STAXX system and uploads the threat intelligence to the ExtraHop appliance.

How it works:
As you can see in the drawing below, the Linux peer uses the REST API to get a list of known phishing sites then executes a Python script to upload the data into the memcache on the ExtraHop appliance equipping it with the threat intelligence it needs. The ExtraHop appliance uses an application inspection trigger that checks every outgoing URI to see if it is a known phishing site. If there is a match, an alert is sent to Slack, Email/SMS in addition to being logged on their own internal dashboards and search appliance.

What the final product looks like:
From my Linux box (I don’t dare go to these sites on my Windows or Mac laptop) I do a “wget” on one of the known phishing sites, and within milliseconds (yes, milliseconds; watch the video if you don’t believe me) we get the client IP, server IP and the site that they went to. From here we can find out who owns that client machine and get them to change their password immediately, as well as issue an ACL for the server in case this is a spear phishing campaign and they are targeting specific users. Also, before you ask, “Yes” we can import the list of known malicious email addresses and monitor key executive recipients in case one of them gets an email from a known malicious address. We can also check HTTP referrers against the phish_url threat intelligence.

In the screenshot below, you see my “wget” command and the result at 11:23:53 and you can see that the Slack warning came in at 11:26. If you watch the video you will see it takes milliseconds.

I believe that by using Slack you can also color-code certain messages and program in that awesome “WTF” emoji (if one exists) that ExtraHop sends. Also, if you are not comfortable with specific information being sent to Slack, we can configure the appliance to send you a link to the LOCAL URI that ONLY you and your team can access.
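The matching step of the pipeline described above, as an added example that is not code from the original post or from ExtraHop, Anomali or Slack. It assumes the STAXX feed arrives as a list of phishing URLs (the phish_url indicator type mentioned above), that the trigger sees one HTTP transaction at a time with client IP, server IP, host, path and Referer, and that the Slack side takes a plain JSON webhook body; the product-specific REST calls that fetch the feed and upload it to the appliance are not reproduced, and the feed and transactions are constructed sample data. It goes slightly beyond the post by also checking the Referer header and by accepting defanged feed entries.

```python
import json
from urllib.parse import urlsplit

# Constructed sample feed, standing in for what the peer pulls from STAXX.
SAMPLE_FEED = [
    "http://login-secure-example.test/account/verify",
    "https://paypa1-example.test/",
    "hxxp://bank-update-example.test/signin.php",   # defanged entry
    "example-mail-login.test/owa/",                  # bare host/path
]

# Constructed sample transactions, standing in for what the trigger sees.
SAMPLE_TRANSACTIONS = [
    {"client": "10.1.1.50", "server": "203.0.113.10",
     "host": "login-secure-example.test", "path": "/account/verify?u=abc",
     "referer": ""},
    {"client": "10.1.1.51", "server": "203.0.113.11",
     "host": "www.example.org", "path": "/news",
     "referer": "https://paypa1-example.test/"},
    {"client": "10.1.1.52", "server": "203.0.113.12",
     "host": "BANK-UPDATE-EXAMPLE.TEST", "path": "/signin.php",
     "referer": ""},
    {"client": "10.1.1.53", "server": "203.0.113.13",
     "host": "example-mail-login.test", "path": "/", "referer": ""},
]


def normalize(url):
    """Reduce a feed entry or an observed URL to (host, path) so that scheme,
    letter case, defanging, port and query string cannot hide a match."""
    url = url.strip().replace("hxxp://", "http://").replace("hxxps://", "https://")
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname drops the port
    path = parts.path or "/"
    return host, path


def build_index(feed):
    """Map host -> set of bad paths. A path of '/' marks the whole host as
    bad; any other path matches itself and everything beneath it."""
    index = {}
    for entry in feed:
        host, path = normalize(entry)
        if host:
            index.setdefault(host, set()).add(path.rstrip("/") or "/")
    return index


def match(index, url):
    """Return the feed path that the URL falls under, or None."""
    host, path = normalize(url)
    paths = index.get(host)
    if not paths:
        return None
    if "/" in paths:
        return "/"
    for bad in paths:
        if path == bad or path.startswith(bad + "/"):
            return bad
    return None


def check_transaction(index, tx):
    """Check both the requested URI and the Referer; return the hits found,
    each tagged with the field it came from."""
    hits = []
    requested = "http://" + tx["host"] + tx["path"]
    if match(index, requested) is not None:
        hits.append(("uri", requested))
    if tx.get("referer") and match(index, tx["referer"]) is not None:
        hits.append(("referer", tx["referer"]))
    return hits


def slack_payload(tx, hits):
    """Body for a Slack incoming webhook; nothing is sent from here."""
    lines = ["PHISH_URL HIT client=%s server=%s" % (tx["client"], tx["server"])]
    for field, value in hits:
        lines.append("  %s: %s" % (field, value))
    return json.dumps({"text": "\n".join(lines)})


def scan(feed, transactions):
    """Run every transaction against the feed; return (client, hits) pairs."""
    index = build_index(feed)
    return [(tx["client"], check_transaction(index, tx))
            for tx in transactions if check_transaction(index, tx)]


if __name__ == "__main__":
    index = build_index(SAMPLE_FEED)
    for tx in SAMPLE_TRANSACTIONS:
        hits = check_transaction(index, tx)
        if hits:
            print(slack_payload(tx, hits))
```

The fourth transaction produces no alert: only /owa/ on that host is in the feed, so a request to its root is not flagged, which is the precision a triage team needs when the feed carries path-level indicators.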

Conclusion:
While there is a lot of buzz around Orchestration and Automation, I believe the pessimism around it is justified. Security teams have been promised a lot over the last few years and what we have found, especially lately, is that a lot of tried-and-true solutions either lack the shutter-speed or the context to be effective. Here we are doing some orchestration and automation, but we are doing so in order to give the HUMAN BEING better information. Our security director made a very good point to me the other day when he said the last thing a security team wants is more data. What we have hopefully shown in this post is that if you have open platforms like Anomali, SLACK and ExtraHop, you can craft an automation and orchestration solution that can actively help security teams in a manner that still leverages the nuance and rationalization that only exists in a human being. While there will be solutions that will effectively automatically block certain traffic, issue ACLs, disable accounts, etc., we can also use automation to do some of the heavy lifting for today’s out(wo)manned security teams. To get where I think the Cyber Security space needs to be, it is going to take more than one product/tool/platform. If you have a solution that is closed and does not support any kind of RESTful API or open architecture, unless it fulfills a specific niche, get rid of it. If you are a vendor and you are selling a solution that is closed, do so at your own peril, as I believe closed systems are destined to go the way of the dinosaur. By leveraging wire data with existing workflows, you can drastically reduce your TTWTF (time to WTF!??) and be better positioned to trade punches with tomorrow’s threats.

Thanks so much for reading, please watch the video.

John M. Smith


Source: Honeypot Tech

Siemens Teams Up with Tenable

ICS/SCADA vendor further extends its managed security services for critical infrastructure networks.
Source: Cyber Monitoring

WTB: Over A Million Android Users Fooled by Fake WhatsApp App in Official Google Play Store

The intelligence in this week’s iteration discusses the following threats: Botnet, Data leak, Email account compromise, Malicious application, Malspam, Phishing, Ransomware, RAT, Spear phishing, Trojan, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Tor Browser Flaw Leaks Users’ Real IP Address (November 6, 2017)
“We Are Segment” CEO, Filippo Cavallarin, has discovered a vulnerability in the Tor Browser that can reveal a user’s real IP address. The vulnerability, dubbed “TorMoil,” is only present in macOS and Linux versions of the Tor Browser.
Recommendation: Tor Project personnel advise its macOS and Linux users to update to version 7.0.9 or 7.5a7 as soon as possible. The security fix limits some of the browser’s functionality, but it also includes a temporary fix to the vulnerability which will likely be addressed further in another security update.
Tags: Vulnerability, Data leak, Tor Browser

Over A Million Android Users Fooled by Fake WhatsApp App in Official Google Play Store (November 4, 2017)
Researchers have found that a fake version of the “WhatsApp” messaging application was present in the Google Play store. The application was observed to have been downloaded approximately one million times. If the application is opened, it appears just like the legitimate WhatsApp application, however, it shows the user advertisements. The showing of advertisements generates revenue for the threat actor(s) behind this malicious application.
Recommendation: Google has since removed the malicious application from the Google Play store. If WhatsApp was downloaded recently, the display of advertisements is a sign that the fake version was downloaded; the application should be removed as soon as possible. Users should be wary of downloading applications because, as this story portrays, even legitimate stores can sometimes contain malicious applications. Therefore a user should review the permissions an application will request upon download, and looking through user comments can sometimes reveal problems with the application. Users should also check the name of the organization in the Google Play Store when downloading an application, to see if there are any irregularities. For example, recent “WhatsApp” fakes were published under the developer names “WhatsApp Inc,,;” and “WhatsApp Inc….”.
Tags: Android, Google Play store, Fake application, WhatsApp

Art Galleries Targeted by Cyber-Thieves (November 2, 2017)
Threat actors are conducting email scams that target art galleries and dealers, and several galleries in the U.S. and U.K. were affected, according to The Art Newspaper. The actors were found to have monitored outgoing email messages from art gallery accounts by compromising them, and then intercepted the invoices and altered them. The scam was discovered when the “Rosenfeld Porcini” gallery in London received an invoice from a buyer that said that the original invoice was in the wrong currency and to make the payment to a different account. At the time of this writing, the gallery is working with the bank to attempt to recover the funds.
Recommendation: All business email accounts should have security features to help protect sensitive information and communications. At minimum, two-factor authentication should be applied to email accounts to better protect them against threat actors.
Tags: Email account compromise, Scam, Theft

Cisco Releases Security Updates (November 1, 2017)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in Cisco products. The affected products are: Aironet 1560, 2800, and 3800 Series Access Point Platforms Extensible Authentication Protocol, Application Policy Infrastructure Controller Enterprise Module, Application Collaboration Provisioning, Firepower 4100 Series NGFW and Firepower 9300 Security Appliance, Identity Services Engine, Prime Collaboration Provisioning, Wireless LAN Controller Simple Network Management Protocol, and Wireless LAN Controller 802.11v.
Recommendation: The US-CERT and Cisco recommend that users of the products listed in this alert apply the corresponding security updates as soon as possible. Some of these vulnerabilities can be exploited to take control of an affected system, while others can result in Denial-of-Service (DoS) attacks.
Tags: Alert, Vulnerabilities, Cisco

Everybody Gets One: QtBot Used to Distribute Trickbot and Locky (November 1, 2017)
Unit 42 researchers have discovered that the “Necurs” botnet is being used by threat actors to distribute malspam that can lead to “Locky” ransomware and the “Trickbot” banking trojan. The emails contain malicious Microsoft Office Dynamic Data Exchange (DDE) files. If a user allows DDE to take place after opening the attachment, which the email purports is related to financial services, a new downloader dubbed “QtBot” will download the malware payload. Researchers note that the amalgamation of two separate campaigns in Locky and Trickbot is an interesting tactic, however, the reasons behind the combination are not yet clear.
Recommendation: Financially themed malspam emails are a common tactic among threat actors, therefore, it is crucial that your employees are aware of their financial institution’s policies regarding electronic communication. If a user is concerned due to the scare tactics often used in such emails, they should contact their financial institution via legitimate email or another form of communication. Requests to open a document in a sense of urgency and poor grammar are often indicative of malspam or phishing attacks. Said emails should be properly avoided and reported to the appropriate personnel.
Tags: Malspam, Trojan, Trickbot, Ransomware, Locky, Downloader, QtBot

Adwind Remote Access Trojan Still Going Strong (November 1, 2017)
The threat actors behind the “Adwind Remote Access Trojan (RAT)” are continuing to distribute the malware via spam emails, according to Phish Labs researchers. The spam emails were observed to have numerous attachment titles such as “DHL Delivery Notice,” “Proforma Invoice,” “Request for Information,” “Transfer Import,” and “Swift Copy,” among others. The attachments are malicious JAR files. The objective of Adwind is to steal information from an infected machine, and due to the ease of availability of the tools on underground forums, it can be modified to fit both less sophisticated and advanced threat actors.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network. That way, it will be easier to spot unusual traffic and connections to and from your network and to identify potentially malicious activity. Educate your employees on the risks of opening attachments from unknown senders. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management. Anti-spam and antivirus applications provided by trusted vendors should also be employed.
Tags: Malspam, RAT, Adwind

Silence – A New Trojan Attacking Financial Organizations (November 1, 2017)
A campaign has been actively targeting financial institutions since September 2017 with a new trojan called “Silence,” according to Kaspersky Lab researchers. This campaign primarily targets Russian banks, however, infected financial institutions were also found in Armenia and Malaysia. The actors behind this campaign send spear phishing emails from a sending address of a financial institution that has already been infected to add “credibility” to the phishing email. The emails come with a malicious .chm attachment, specifically, a “Microsoft Compiled HTML Help” file that is compressed and deployed in a binary format with the .chm (compiled HTML) extension. The file can automatically use JavaScript to download and execute malware from a hardcoded URL.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; as this story portrays, another organization is compromised and used to send out the phishing emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of what sort of requests to expect from business partners, to better identify phishing attempts, and of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Targeted attacks, Spear phishing, Trojan, Silence

If Your Websites Use WordPress, Put Down That Coffee and Upgrade to 4.8.3 Thank Us Later (October 31, 2017)
Engineer, Anthony Ferrara, discovered an SQL injection vulnerability in “WordPress” powered websites. Specifically, WordPress version 4.8.2 and earlier. The vulnerability does not affect the WordPress default core, but rather it resides in a security function provided to the core by plugins and themes. The function lies in the WordPress Database Access Abstraction (wpdb) class called “prepare”. The prepare function prepares a SQL query for “safe” execution. This function uses “vsprintf” to replace placeholders with values in the function. This can be abused with an array argument to perform SQL injection.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Site owners should upgrade to version 4.8.3 immediately and update all plugins that override wpdb. If you are a plugin developer for WordPress, ensure that all user input is removed from the string query part of the prepare function and instead build queries and arguments separately.
Tags: Vulnerability, SQL Injection, WordPress

Night of the Devil: Ransomware or Wiper? A Look Into Targeted Attacks in Japan (October 31, 2017)
Cybereason researchers have published information regarding a family of ransomware, dubbed “ONI,” and bootkit ransomware, dubbed “MBR-ONI,” used in targeted attacks against Japanese companies. Researchers speculate that the ransomware was used to cover up evidence of a more sophisticated attack. Researchers found that the targeted attacks took place over periods of three to nine months and note that the actors made significant attempts to hide their operation. The infection chain for these targeted attacks proceeds in the following order: spear phishing email, trojanized “Ammyy Admin RAT,” reconnaissance and credential theft, lateral movement and DC takeover, log wipers, and ONI distributed via GPO (rogue group policy). The objective of the threat actors appears to be theft of sensitive information.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack. The use of a malicious version of a legitimate tool, Ammyy Admin, depicts the dangers of using Remote Access Tools in the workplace. In addition, legitimate tools are often used by threat actors, particularly advanced threat actors, because doing so conceals malicious activity within the traffic of a legitimate tool. Therefore, only the select few individuals who need to use such tools should have access to them.
Tags: Targeted attacks, Spear phishing, Ransomware, Data theft

Necurs Botnet Malspam Uses DDE Attack to Push Locky (October 30, 2017)
The “Locky” ransomware is continuing to be pushed via malspam campaigns via the “Necurs” botnet, according to security researchers. One of the emails used in this campaign was identified to have the subject line “Scanned document from HP ePrint user” and purports to be from the “HP Team” with a spoofed sending address “eprintcenter@hp.com.” If the Microsoft Word document is opened, it requests permission to load another Office application; this attack method is called Microsoft “Dynamic Data Exchange” (DDE). If this process is allowed, the user will be infected with the “.asasin” variant of the Locky ransomware. The actors behind this campaign are requesting 0.025 bitcoins (approximately $158.25 USD) for the decryption key.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided by trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened. Furthermore, it is important to have a comprehensive and tested backup solution in place, in addition to a business continuity plan for the unfortunate case of ransomware infection.
Tags: Malspam, Botnet, Necurs, Ransomware, Locky

Coin Miner Mobile Malware Returns, Hits Google Play (October 30, 2017)
Trend Micro researchers have discovered three malicious applications that made it into the Google Play store. The applications, “Recitiamo Santo Rosario,” “Safety Wireless App,” and “Car Wallpaper HD: mercedes, ferrari, bmw and audi,” were found to contain malicious cryptocurrency mining capabilities. When started, these applications will load crypto mining JavaScript from “Coinhive” and begin mining with the actor’s own Coinhive key.
Recommendation: Google has since removed the malicious applications from Google Play. Users should be cautious when downloading applications because as this story portrays, malicious applications sometimes make it into official stores. Therefore, users should carefully review the permissions an application will request prior to installation. While these versions of cryptocurrency malware are not inherently malicious, some have additional functions such as stealing user credentials. Slow response and run time on a device may be an indication of cryptocurrency malware, and installed applications should be reviewed.
Tags: Android, Mobile, Cryptocurrency malware

Oracle Security Alert Advisory – CVE-2017-10151 (October 30, 2017)
Oracle Technology Network has released a security update that addresses a vulnerability, registered as “CVE-2017-10151,” that affects “Oracle Identity Manager.” Exploitation of the vulnerability can lead to compromise of Oracle Identity Manager and remote control of the affected system via a network attack. This vulnerability is critical, and Oracle requests that its customers apply the patch as soon as possible. The affected Oracle Identity Manager versions are 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.3.0, and 12.2.1.3.0.
Recommendation: The security update should be applied as soon as possible because of the high criticality rating of this vulnerability and the potential for an actor to take control of an affected system. Additionally, your company should have policies in place to review and apply security updates for software in use to protect against known vulnerabilities that threat actors may exploit.
Tags: Vulnerability, Alert, Oracle Identity Manager

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. [Flashpoint](https://www.flashpoint-intel.com/blog/trickbot-targets-us-financials/) recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a [Threat Bulletin](https://ui.threatstream.com/tip/17137) detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services


Source: Honeypot Tech

Russian Federation Cybersecurity Report

Whether the perpetrators or the victims, the Russian Federation is often linked to cyber activities in the news. The Russian Federation was recently hit with a ransomware attack called Bad Rabbit (research conducted by Luis Mendieta, Threat Analytics Team), which security professionals theorize was a retaliation for ransomware known as Petya. Evidence was also recently released indicating that the Russian government used private Russian company Kaspersky Labs’ technology to steal confidential American documents. Entire companies are based around infiltration of secret Russian underground forums in the hopes of gathering intelligence about Russian cybercrime.

Cybercrime and cyberattacks are not unique to Russia though – every nation is active in the cyber world. And while many of these news articles report on current events in great detail, they do not delve into the historical factors that have led to the modern day state of cybersecurity.

In an effort to understand the strategic and operational motivation that has led to the current efforts in cyber crime/espionage, Sara Moore from the Anomali Intelligence Augmentation team and Threat Analytics Team conducted research to create a detailed profile of the motivations and strategies of the Russian Federation as they pertain to cybersecurity. This helps to better profile Threat Actors and their Tactics, Techniques, and Procedures (TTPs). Therefore, the overarching research includes:

  • Current Political, Economic, Security Landscape
  • National Cyber Strategy
  • Russian-Based Organized Crime
  • Civil Society and Discontents
  • Future Concerns: Elections, Balkans, Central Europe, US

The Anomali Intelligence Augmentation Team will continue to conduct this research for other nations.



Source: Honeypot Tech

WTB: LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It

The section below contains summaries of various threat intelligence stories that occurred during the past week. The intelligence in this week’s iteration discusses the following threats: Botnet, Exploit kit, Malicious Applications, Malspam, Phishing, Ransomware, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Evasive Sage 2.2 Ransomware Variant Targets More Countries (October 29, 2017)
Fortinet researchers have published information regarding a new variant of the “Sage” ransomware, dubbed “Sage 2.2.” This variant is distributed via spam emails with malicious JavaScript attachments that will download Sage 2.2. The malware will still not infect some machines if certain languages are detected; however, this variant uses a new privilege escalation technique not seen in previous variants. The added privilege allows the malware to encrypt files located in a protected folder. The actors behind the campaign request $2,000 USD in bitcoins for the decryption key. Furthermore, this variant has added more languages to its ransom note in order to infect additional users in more countries.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.
Tags: Spam, Ransomware, Sage 2.2

Vulnerability Spotlight: Apache OpenOffice Vulnerabilities (October 26, 2017)
Three new vulnerabilities have been found in the open source office suite “Apache OpenOffice,” according to Cisco Talos researchers. The first vulnerability is located within “OpenOffice Write,” the second in the “Draw” application, and the third in the “Writer” application. The vulnerable version is Apache OpenOffice 4.1.3.
Recommendation: Your company should have policies in place to monitor all software that is used to ensure that the most current and secure version is implemented. It is critical that the latest security patches be applied as soon as possible to the web browser used by your company. Vulnerabilities are discovered relatively frequently, and it is paramount to install the security patches because the vulnerabilities are often posted to open sources where any malicious actor could attempt to mimic the techniques that are described.
Tags: Vulnerability, Apache OpenOffice

AmosConnect: Maritime Communications Security Has Its Flaws (October 26, 2017)
IOActive researchers have published information discussing two critical vulnerabilities found in “AmosConnect” software, specifically AmosConnect 8, which is a platform designed to work in a maritime environment in combination with satellite equipment. The vulnerabilities include the ability to perform SQL injection to return passwords that were stored in plain text and the presence of a privileged backdoor account. If a maritime vessel did not segment its network configuration, a threat actor may find an exposed network via the internet scanning tool “Shodan,” and access the systems via a satellite link.
Recommendation: Researchers state that these vulnerabilities pose a serious risk because they could potentially allow actors to steal sensitive data, take over a server completely, or even pivot within the vessel network. If the network is segmented, researchers state that the vulnerabilities can only be exploited by an actor with access to the IT systems network.
Tags: Vulnerability, AmosConnect 8

Malvertising Campaign Redirects Browser to Terror Exploit Kit (October 25, 2017)
Security researchers warn that some “Quit Smoking” and “20 Minute Fat Loss” advertisements are part of a malvertising campaign. Some of these advertisements, when clicked on, are directing users to landing pages that host the “Terror” exploit kit. Terror was first identified in early 2017, and this campaign was found to have increased in malicious activity beginning on September 1 and lasting through October 23, 2017. The Terror exploit kit is targeting two vulnerabilities, CVE-2016-0189 (scripting engine memory corruption vulnerability) and CVE-2014-6332 (flaw in Windows OLE that can lead to remote code execution). Researchers state that this campaign is currently attempting to infect users with the “Smoke Loader” malware that gives actors remote control over an infected machine.
Recommendation: Malvertising and exploit kits techniques are often updated by threat actors, therefore, keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities.
Tags: Malvertising, Exploit Kit, Malware

SnatchLoader Reloaded (October 25, 2017)
Arbor Networks researchers have published new information regarding the downloader malware called “SnatchLoader.” The malware was first discovered in January 2017, but went dormant for a few months before recently being observed again. The malware is being delivered via spam emails. SnatchLoader is currently being used to distribute the “Ramnit” banking trojan. Researchers found that SnatchLoader is using “geo-IP blocking” to ensure that machines located only in certain regions will be infected. At the time of this writing, this campaign is at least targeting the U.K. and Italy.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malware, SnatchLoader

Multiple Ransomware Infections Reported (October 24, 2017)
The U.S. Computer Emergency Readiness Team (CERT) has issued an alert regarding numerous infections of a ransomware strain dubbed “Bad Rabbit.” Bad Rabbit is suspected to be a variant of the “NotPetya” ransomware. The threat actors request 0.05 bitcoins (approximately $273 USD). As of this writing, the actors behind the campaign are unknown. The U.S. CERT discourages anyone from paying the ransom because it does not guarantee that access will be restored to an infected machine.
Recommendation: The U.S.-CERT states that using unpatched and unsupported software may increase the threat and risk of this ransomware. They also ask users to report ransomware incidents to the Internet Crime Complaint Center (IC3).
Tags: Alert, Ransomware, Bad Rabbit

New Ransomware “Bad Rabbit” Spreading Quickly Through Russia and Ukraine (October 24, 2017)
On October 24, 2017, media sources and security researchers began reporting about an active ransomware campaign. The ransomware, dubbed “Bad Rabbit,” infected at least three Russian media outlets, the Kiev Metro, and others as the day progressed. The malware was spread via drive-by downloads from compromised Russian news websites which displayed fake Adobe Flash Player installers. If infected, a user will be presented with instructions in the command prompt to visit a “.onion” domain to receive further instructions. The threat actors request 0.05 bitcoins (approximately $273 USD) for the decryption key. As of the writing, the threat actors behind this campaign are unknown.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, Bad Rabbit

LokiBot Android Banking Trojan Turns Into Ransomware When You Try to Remove It (October 24, 2017)
A newly discovered variant of the Android banking trojan “LokiBot” has the capability to turn into ransomware, according to SfyLabs researchers. This variant transitions from displaying fake login pages impersonating banking applications to steal credentials, to locking a user’s phone when they attempt to remove the malware’s administrator privileges. At the time of this writing, LokiBot is offered for purchase on underground markets for approximately $2,000 USD. Due to a flaw in the encryption implementation, researchers found that the ransomware feature does not actually encrypt a user’s files with AES, but rather results in the renaming of the files. However, the screen locking feature does work, and the actors demand between $70 and $100 USD to unlock the device.
Recommendation: This LokiBot variant is capable of working on Android version 4.0. The malware must run with administrator privileges, which it requests upon installation, for example, by hiding in an application in the Google Play store or a third-party store. Users should carefully read the permissions an application requests prior to installation. It can also be useful to read the comments regarding the application to identify potential issues. Furthermore, trusted antivirus applications should be run on mobile devices. The screen lock can be disabled by booting the device into “Safe Mode” and removing LokiBot’s admin user and the infected application.
Tags: Android, Mobile, Malicious applications, Malware, LokiBot

Fake Cryptocurrency Trading Apps on Google Play (October 23, 2017)
ESET researchers have found that Android users are being targeted with malicious applications, specifically, users of the cryptocurrency exchange “Poloniex.” Two malicious applications were identified in the Google Play store to be impersonating Poloniex, which is one of the world’s leading cryptocurrency exchanges. One of the malicious applications, “POLONIEX,” was downloaded approximately 5,000 times between August 28 and September 19, 2017. The second application, “POLONIEX COMPANY,” was downloaded approximately 500 times after it first appeared on Google Play on October 15, 2017. When launched, the applications present a screen impersonating Poloniex to steal user credentials, and then will request the user to sign in with their Google account to steal more credentials.
Recommendation: Google has since removed the two applications mentioned in this story. Researchers note that a user who has two-factor authentication enabled will be unaffected even if the malicious applications were downloaded. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Android, Mobile, Malicious applications

Reaper: Calm Before the IoT Security Storm (October 23, 2017)
Security experts have discovered a new Internet of Things (IoT) botnet, called “IoTroop” and/or “Reaper.” Check Point researchers claim that this massive botnet, which already consists of millions of compromised IoT devices, may have the potential to take down the entire internet. Researchers note that this botnet is evolving and recruiting at a far greater pace than the Mirai botnet of 2016.
Recommendation: This botnet is actively infecting IoT devices such as IP wireless cameras to increase the impact of a possible Distributed Denial-of-Service (DDoS) attack. While the motives of the threat actors behind IoTroop remain unclear as of this writing, this story serves as crucial evidence regarding the importance of securing IoT devices. All IoT devices, particularly IP wireless cameras in this case, should be secured by changing the default credentials. Actors are often able to create botnets or compromise devices simply because a user did not change the default username and password.
Tags: Botnet, IoT, Reaper


Source: Honeypot Tech