What I’ve Learned as a Part-Time Cyber Threat Analyst Using Anomali Enterprise

A few months ago I wrote a post detailing how Anomali Enterprise helped me to identify a malware threat to my home network. Many have since emailed me asking how they can do the same (please keep them coming!).

Since writing that post my router has generated millions of logs that have been ingested by Anomali Enterprise (thankfully still no major threats). As a new “threat analyst” for my family’s home network I’ve learned a number of things along the way, especially about the challenges and frustrations of performing security investigations.

In the interest of sharing my knowledge with the community I wanted to highlight a few things I’ve come up against, and what I’ve found most useful.

New threats <= active threats?

Knowing a new threat has been observed is good. Knowing where a threat is in the Kill Chain is much more useful. Knowing how far the threat has progressed towards its objective allows you not only to defend against it, but also to understand the context of its activity before it became known.

Threat intelligence products are great at identifying threats as they happen. For example, Anomali ThreatStream integrations with SIEM products — ArcSight, QRadar, or Splunk to name but a few — can match the new logs flowing into each product against threat intel.

However, this only answers the first of the three questions I’d want to ask as an analyst once a threat has been identified:

  1. Is our network impacted/compromised? What’s our exposure?
  2. How widespread is the impact? How far back does it go?
  3. Which specific assets are impacted?

As threats, by their very nature, are reported after the fact, there can often be a delay, sometimes weeks, before intelligence about them is shared. When a threat is identified, it is vitally important to know how it behaved and what it may have breached in the days it went unreported.

Big data, big numbers

Considering the data from my home network alone (as in the previous blog post), the calculations required lead to some big numbers:

100,000 logs per day x 1 year of data x 10 indicators = 365,000,000

That’s three hundred sixty-five million calculations that need to be performed for just one investigation!

At enterprise scale the 0’s dramatically increase:

1 billion logs per day x 365 days x 3 years of data = 10 trillion (10,000,000,000,000) matches need to be performed, for one investigation!

Existing security log repositories (I’m using Splunk) are not designed to process queries against such large volumes of historic data. Not only are they limited in their ability to process archived data, but the cost of storing that data often means much of it is filtered out, and is therefore impossible to search forensically.

How Anomali Enterprise helped me (answer questions 2 & 3)

It was not just me suffering these pains; our own security team here at Anomali experienced them day in, day out. In search of a solution we built Anomali Enterprise. Some of the functional and design goals of the product included:

  1. The ability to store years of log data online, even from highly noisy sources such as DNS traffic — trillions of logs — without filtering what gets stored because of cost
  2. The ability to analyse these logs against millions of threat indicators in seconds — not minutes, hours, days, or even weeks — both in real time and retrospectively
  3. The ability for analysts to be more effective, more efficient, and more accurate in detecting and remediating threats (better workflows for threat intel)

It’s all about time-to-resolution

Analysts want to focus on the most serious threats, not on adding more threats to their already never-ending workload. Anomali Enterprise helps me to do this by automatically comparing threat indicators — domains, URLs, emails, file hashes etc. — against new and historic data from all devices in my home network. I can see what has been compromised, when it was compromised and whether the threat made any lateral movement. Within an hour of malware being identified (as in the previous post), I can assess the damage, detect affected assets, and take measures to secure them.
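The retrospective matching described in this post, as an added example (not Anomali Enterprise code): a single pass over historic DNS logs against a set of indicator domains, reporting first/last seen, affected hosts, and how long the activity predated the indicator’s publication. The log format, host names and indicator domains are constructed for illustration.

```python
"""Retrospective matching of threat indicators against historic DNS logs,
answering "how far back does it go?" and "which assets?" from the post.

Added example, not Anomali Enterprise code. The log format, hosts and
indicator domains below are constructed for illustration.
"""
from datetime import datetime, timezone

# Constructed logs: "<UTC timestamp> <source host> <queried name>".
SAMPLE_LOGS = """\
2017-09-28T07:12:03Z laptop-01 www.news-site.example.
2017-09-30T19:44:10Z nas-01 updates.vendor.example
2017-10-03T22:05:41Z laptop-01 cdn.bad-domain.example
2017-10-05T02:17:09Z smart-tv mail.bad-domain.example
2017-10-20T11:30:00Z laptop-01 www.news-site.example
2017-10-24T09:01:15Z phone-02 dropper-host.example
2017-10-24T09:01:16Z phone-02 dropper-host.example
"""

# Constructed indicators: domain -> date the indicator was published.
INDICATORS = {
    "bad-domain.example": "2017-10-18",
    "dropper-host.example": "2017-10-24",
}


def _utc(s, fmt):
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)


def candidate_domains(qname):
    """Yield the queried name and each parent domain below the TLD, so an
    indicator for bad-domain.example also covers cdn.bad-domain.example."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def retro_match(log_text, indicators):
    """One pass over the logs. Per log line the work is a handful of set
    lookups, independent of how many indicators are loaded, which is what
    makes the logs x indicators product from the post tractable. Returns
    {indicator: {first_seen, last_seen, hosts, events, days_before_published}}."""
    published = {d.lower(): _utc(p, "%Y-%m-%d") for d, p in indicators.items()}
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, qname = line.split()
        ts = _utc(ts, "%Y-%m-%dT%H:%M:%SZ")
        for cand in candidate_domains(qname):
            if cand in published:
                h = hits.setdefault(cand, {"first_seen": ts, "last_seen": ts,
                                           "hosts": set(), "events": 0})
                h["first_seen"] = min(h["first_seen"], ts)
                h["last_seen"] = max(h["last_seen"], ts)
                h["hosts"].add(host)
                h["events"] += 1
                break  # most specific indicator wins; one hit per line
    for cand, h in hits.items():
        # The exposure window a real-time SIEM match could not have seen.
        h["days_before_published"] = max(0, (published[cand] - h["first_seen"]).days)
    return hits


if __name__ == "__main__":
    for ioc, h in retro_match(SAMPLE_LOGS, INDICATORS).items():
        print(f"{ioc}: {h['events']} events on {sorted(h['hosts'])}, "
              f"{h['first_seen']:%Y-%m-%d} to {h['last_seen']:%Y-%m-%d}, "
              f"{h['days_before_published']} days before the indicator was published")
```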

Learn more

This post covers Anomali Enterprise’s real-time and forensic capabilities. It can do much more. Check out the Anomali Enterprise product page on our site to find out more about what it can do.


Source: Honeypot Tech

Advanced Analytics + Frictionless Security: What CISOS Need to Know

Advances in analytics technologies promise to make identity management smarter and more transparent to users. But the process is neither straightforward nor easy. Here’s why.
Source: Cyber Monitoring

Bad Rabbit Ransomware Outbreak in Russia and Ukraine

Overview

On October 24, 2017, security firms and media organizations began reporting on an active ransomware campaign that, as of this writing, has primarily targeted entities in Russia and Eastern Europe. The infections are believed to have begun on October 24 at approximately 12:16 UTC, as evidenced by an infected company’s tweet shown in Figure 1. The ransomware, dubbed “Bad Rabbit,” has infected a number of organizations across Russia and Eastern Europe, including the Russian news agency Interfax and machines in the Kiev Metro. Odessa International Airport in Ukraine has also confirmed that it was targeted with a cyber-attack that caused flight delays; however, it is unclear whether this attack is Bad Rabbit. At the time of this writing, the threat actor/group behind this attack is unknown.


Figure 1 – Interfax News stating on Twitter that the servers have failed due to a virus attack

Bad Rabbit is believed to be a variant of the “Diskcoder” ransomware; other sources compare Bad Rabbit to the “Petya/NotPetya/ExPetr” ransomware, and possibly a new variant of Petya. The initial infection vector is believed to be drive-by downloads from compromised Russian websites serving a fake Adobe Flash Player installer (Figure 3). Additionally, the ransomware is able to propagate through a network via Server Message Block (SMB). If the ransomware infects a machine, the user is presented with a ransom note in red letters on reboot. Interestingly, this is the same format used in the Petya attacks in June 2017. The actor/group requests 0.05 bitcoins (BTC) (approximately $286.29 USD) for the decryption key. Furthermore, the ransom note displays a countdown, beginning at 40 hours, indicating the time a user has to pay the ransom before the price increases.

Countries with Bad Rabbit Infections

  • Bulgaria
  • Germany
  • Russia
  • Turkey
  • Ukraine

Affected Organizations

  • Fontanka.ru
  • Interfax News
  • Kiev Metro
  • Ministry of Infrastructure of Ukraine
  • Odessa International Airport

Analysis

Infection Vector

It appears that the ransomware dropper was delivered by drive-by downloads on a number of compromised legitimate sites, all of them news and media websites. A pop-up claims that an update for “Adobe Flash” is available, with an install button. The dropper is downloaded from “http://1dnscontrol[.]com/flash_install.php”. The download is a Windows executable with a Flash icon, as shown in Figure 2. The dropper is signed with two invalid digital certificates masquerading as certificates issued by “Symantec Corporation” (Figure 3). Figure 4 shows some details extracted from the sample.


Figure 2 – Dropper with Flash Icon


Figure 3 – Digital Certificate used on Dropper


Figure 4 – Details for Fake Adobe Flash Player Installer

Ransomware

The dropper creates a file called “infpub.dat” in the Windows folder. This file is a DLL, which the dropper executes by creating the process “C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15”. This DLL performs most of the actions. The ransomware targets and encrypts files with the following extensions:

  • 3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip.

Once the encryption process is finished, Bad Rabbit drops the decrypter (details from the file are shown in Figure 5) at “C:\Windows\dispci.exe” and creates a scheduled task to ensure that it is executed when the machine boots. The added scheduled task is shown in Figure 6. The task is created by executing the following command:

“C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start '' 'C:\Windows\dispci.exe' -id 1639747589 && exit'”.


Figure 5 – Details for the decrypter dropped by the malware


Figure 6 – Scheduled task for executing the decrypter at startup

The ID is different for each infected machine. The task is named “rhaegal,” which is the name of one of the dragons in the television show Game of Thrones. The decrypter removes the scheduled task once it is started. This can be seen in Figure 7.


Figure 7 – The beginning of the decrypter’s Main Function

Bad Rabbit will also ensure the machine is restarted approximately 15 minutes after the infection by creating another scheduled task as shown in Figure 8. The task is added by the following command:

“C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 18:03:00”.

The timestamp depends on when the malware was executed. This task is named “drogon,” which is also the name of one of the dragons in Game of Thrones.


Figure 8 – Scheduled task for restarting the machine
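Host-based detection of the behaviours described in this section, as an added example (not Anomali’s detection content): rules run over process-creation command lines for rundll32 loading a .dat file from the Windows directory, SYSTEM scheduled tasks named “rhaegal”/“drogon”, a scheduled forced reboot, and execution of dispci.exe. The malicious command lines are the ones quoted above; the event structure and the benign events are constructed.

```python
"""Detecting the Bad Rabbit host behaviours described above from
process-creation command lines.

Added example, not Anomali's detection content. SAMPLE_EVENTS are
constructed to resemble Sysmon event 1 / Security 4688 fields; the
malicious command lines are the ones quoted in the analysis, the benign
ones are made up.
"""
import re

SAMPLE_EVENTS = [
    {"host": "ws-01", "cmd": r"C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"host": "ws-01", "cmd": r"C:\Windows\SysWOW64\schtasks.exe schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR 'C:\Windows\system32\cmd.exe /C Start '' 'C:\Windows\dispci.exe' -id 1639747589 && exit'"},
    {"host": "ws-01", "cmd": r"C:\Windows\SysWOW64\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR 'C:\Windows\system32\shutdown.exe /r /t 0 /f' /ST 18:03:00"},
    # Benign administrative activity that must not alert.
    {"host": "ws-02", "cmd": r"schtasks /Create /SC DAILY /TN NightlyBackup /TR 'C:\Tools\backup.exe' /ST 02:00"},
    {"host": "ws-02", "cmd": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
]

# (rule name, pattern). Rules 1 and 3 describe behaviour; rules 2 and 4
# key on names from this sample, which a later variant can change at no cost.
RULES = [
    ("rundll32 loading a .dat file from the Windows directory",
     re.compile(r"rundll32\.exe\s.*?\\windows\\[^\\\s]+\.dat,#\d", re.I)),
    ("schtasks /Create with a Bad Rabbit task name",
     re.compile(r"schtasks\s.*?/create\s.*?/tn\s+(rhaegal|drogon)\b", re.I)),
    ("schtasks /Create as SYSTEM whose action is a forced reboot",
     re.compile(r"schtasks\s.*?/create\s.*?/ru\s+system\s.*?/tr\s+'[^']*shutdown\.exe\s+/r\b", re.I)),
    ("execution of the Bad Rabbit decrypter dispci.exe",
     re.compile(r"\\windows\\dispci\.exe", re.I)),
]

TASK_NAME = re.compile(r"/tn\s+(\S+)", re.I)


def detect(events):
    """Return one alert per (event, matching rule), carrying the scheduled
    task name when the command line creates one, so responders know
    which task to remove."""
    alerts = []
    for ev in events:
        m = TASK_NAME.search(ev["cmd"])
        task = m.group(1) if m else None
        for name, rx in RULES:
            if rx.search(ev["cmd"]):
                alerts.append({"host": ev["host"], "rule": name,
                               "task": task, "cmd": ev["cmd"]})
    return alerts


def affected_hosts(alerts):
    """Hosts to isolate and clean up (tasks removed, infpub.dat/dispci.exe collected)."""
    return {a["host"] for a in alerts}


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        suffix = f" (task {a['task']})" if a["task"] else ""
        print(f"{a['host']}: {a['rule']}{suffix}")
```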

Ransom Website

The ransom website is hosted on an “.onion” domain, specifically “caforssztxqzf2nm[.]onion,” and can only be accessed via the Tor network. It shows a colorful animation of text “decrypting” (Figure 9) which reveals instructions for a victim to enter the personal installation code given in the ransom note. After following the instructions, the victim is assigned a bitcoin wallet address to which to deposit the ransom. The assigned address is also used to verify that the payment has been made and to receive a decryption password according to the instructions (Figure 10). The website was prepared at least a few days in advance of the attack, because the “Last Modified” property of the hidden service’s “index.html” page is Thursday, October 19, as shown in Figure 11.


Figure 9 – Fake text decryption animation


Figure 10 – Bad Rabbit ransom payment hidden service


Figure 11 – Last Modified property of the index.html file of the hidden service

Lateral Movement

Bad Rabbit uses DHCP to find other machines on the same subnet (Figure 12). For each IP address on the network the malware checks whether the host has port 445 or 139 open (Figure 13) by opening a network socket to each port.


Figure 12 – Bad Rabbit uses DHCP to enumerate machines on the subnet


Figure 13 – Port checking by opening sockets to port 445 and 139

If the ports are open, Bad Rabbit will try to authenticate to the machine over SMBv1 (Figure 14), using usernames and passwords it extracted from the host with “Mimikatz” as well as a list of hardcoded usernames and passwords (Figure 15). With those credentials it tries to connect to a set of named pipes (Figure 16) and upload a file named “cscc.dat” (Figure 17). The file is executed on the remote host over IPC by calling the “svcctl” service.


Figure 14 – SMBv1 request


Figure 15 – Hard-coded username and password combinations


Figure 16 – Hard coded list of named pipes the malware tries to access


Figure 17 – Writing the file to the ADMIN$ share and using IPC$ to run it

Similarity to ExPetr (NotPetya)

Bad Rabbit shares many similarities with the “ExPetr” malware that spread throughout Europe, and primarily Ukraine, in late June 2017. According to an Intezer report, approximately 27% of the code in the Bad Rabbit loader is shared with ExPetr, and the Bad Rabbit payload has approximately 13% code reuse with ExPetr. The Bad Rabbit ransomware drops a file “infpub.dat” to “C:\Windows\”, which is similar to the “perfc.dat” file dropped by ExPetr. According to Group-IB researchers, the same “vaccine” technique used to block ExPetr can also be used against Bad Rabbit to prevent the victim’s files from being encrypted: creating the .dat file manually and setting it to read-only.

Conclusion

At the time of this writing, responders and researchers are still examining the Bad Rabbit attack. Anomali researchers will continue to stay engaged and post updates accordingly.


Source: Honeypot Tech

WTB: Advanced Persistent Threat Activity Targeting Energy and Critical Infrastructure Sectors

The intelligence in this week’s iteration discusses the following threats: APT, Malspam, Malvertising, Malware, Phishing, Targeted attacks, Ransomware, and Underground markets. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

OSX/Proton Spreading Again Through Supply-Chain Attack (October 23, 2017)
ESET researchers discovered that the software development company “Eltima Software” was unknowingly distributing malware on its official website. The website was offering malicious versions of “Elmedia Player” and “Folx” software that contained the “OSX/Proton” backdoor. The OSX/Proton backdoor is capable of stealing various forms of information from an infected machine such as browser information, operating systems details, and SSH private data, among others.
Recommendation: Researchers advise that any user who downloaded Elmedia Player or Folx software on October 19, before 3:15 p.m. EDT and ran it, is likely compromised. Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromised application, Backdoor, OSX/Proton

Advanced Persistent Threat Activity Targeting Energy and Critical Infrastructure Sectors (October 20, 2017)
The U.S. Computer Emergency Readiness Team (CERT) has issued a joint technical alert in collaboration with the Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI). The alert discusses Advanced Persistent Threat (APT) group activity that is targeting energy and other critical infrastructure sectors. The threat actors are using open-source reconnaissance, spear phishing emails, watering-hole domains, host-based exploitation, and ongoing credential gathering. The alert points to Symantec’s report regarding the APT group “Dragonfly” for additional information concerning this ongoing campaign.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Tags: Technical Alert, APT, Targeted attacks

Malware Delivered via Necurs Botnet by DDE Feature in Microsoft Word (October 19, 2017)
The “Necurs” botnet is actively distributing malspam in attempts to infect recipients with “Locky” ransomware. The emails are randomly generated and purport to be an invoice. This campaign takes advantage of Microsoft’s Dynamic Data Exchange (DDE) feature for its malicious documents to contact a C2 server to download the malware. The malicious documents require a user to enable macros to begin the infection process. Researchers state that this Locky version also appears to have wormlike capabilities to infect other users on the same network.
Recommendation: All employees should be educated on the risks of malspam, and how to identify such attempts. Poor grammar and urgent content are often indicators of these type of attacks. Additionally, messages that request a recipient to open a file attachment should also be avoided.
Tags: Malspam, Ransomware, Locky

New Locky Ransomware Strain Emerges (October 19, 2017)
A new “Locky” ransomware strain has been found infecting users in the wild. The strain was first found on October 11, and has been dubbed “asasin” because of the “.asasin” extension the ransomware appends to encrypted files. Interestingly, this Locky variant will gather system information in addition to traditional ransomware functionality. The asasin variant will gather information such as the IP address and the infected machine’s operating system.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case a reproducible backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals. Additionally, this augmented version may allow actors to gather intelligence on a targeted network, and potentially discover machines for which they could demand a higher price for the decryption key.
Tags: Ransomware, Locky-variant, asasin

Magnitude Exploit Kit Now Targeting South Korea With Magniber Ransomware (October 18, 2017)
Trend Micro researchers have identified that the “Magnitude” exploit kit is distributing a new ransomware called “Magniber.” The threat actors behind this campaign are using malvertisements on actor-owned websites to target South Korean users with ransomware. Magniber will only fully execute if the installed language on the machine is identified to be Korean.
Recommendation: Malvertising and exploit kits in general are being developed and improved constantly by cybercriminals, so keeping software updated with the latest security patches is critical for users and enterprises. This includes both the operating system and all applications being used. Make sure there is a security system in place that can proactively provide a comprehensive defense against attackers targeting new vulnerabilities. Furthermore, in the case of ransomware infection, the affected systems should be wiped and reformatted, even if the ransom is paid. Other machines on the same network should be scanned for other potential infections.
Tags: Malvertising, Magnitude EK, Ransomware, Magniber

New Attacker Scanning for SSH Private Keys on Websites (October 18, 2017)
Threat actors are actively conducting scanning operations with the objective of finding private SSH keys. Some researchers speculate that this sudden spike in scanning activity could be caused by a bug or perhaps a common operational mistake made by WordPress administrators. Actors are looking for SSH keys in web directories where such a key would be stored, such as “root,” “ssh,” or “id_rsa.” This scanning activity is reported to have begun on October 16, 2017.
Recommendation: Ensure that your company stores SSH keys in private locations, and do not copy a private key to the remote server that is being logged in to. SSH keys can also be protected with passphrases for another layer of protection. Additionally, WordPress administrators should avoid storing their SSH keys in the directories mentioned above to avoid these scanning attacks.
Tags: Threat actor, SSH key, Scanning, Theft

Android Malware on Google Play Adds Devices to Botnet (October 18, 2017)
Symantec researchers discovered eight applications in the Google Play store that are infected with “Sockbot” malware. The applications, which are themed around the game “Minecraft,” were downloaded between 600,000 and 2.6 million times. The malware appears to be primarily targeting Android users in the U.S. Researchers believe that the malware could be used to launch Distributed Denial-of-Service (DDoS) attacks, and that the flexible proxy topology could be used to exploit network vulnerabilities. Google has since removed the malicious applications.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permission the application will request and comments from others who have downloaded the application. Furthermore, it is paramount that mobile devices be kept up-to-date with the latest security patches and employ trusted antivirus software.
Tags: Mobile, Android, Malware, Malicious applications

New Malicious Macro Evasion Tactics Exposed in URSNIF Spam (October 18, 2017)
A new malspam campaign is targeting users with “URSNIF” malware, according to Trend Micro researchers. In this campaign, the actors behind the URSNIF malware are using Microsoft Office file attachments with malicious macros to deliver the malware. The attachments use the “AutoClose” feature, so the macro runs when a malspam recipient closes the attachment and executes a malicious PowerShell script to download and run the malware.
Recommendation: Always be cautious while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Malware, URSNIF

Opening Hacker’s Door (October 17, 2017)
Cylance researchers have found that the Remote Access Trojan (RAT) called “Hacker’s Door” has reappeared in active investigations after being dormant since 2004-2005. The RAT was signed with a stolen certificate that is known to be used by the Advanced Persistent Threat (APT) group “Winnti.” The RAT is comprised of a backdoor and rootkit that, once installed, is capable of multiple remote commands including: downloading additional files, extracting Windows credentials from the current session, and gathering system information, among others.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network, so that it is easier to spot unusual traffic and connections to and from your network and potentially identify malicious activity. The reappearance of this tool is evidence of threat groups returning to previous malicious tools after a period of inactivity. Therefore, it is important to be aware of the malicious tools used by threat groups, because they can sometimes indicate which actor/group may be responsible for an attack.
Tags: Malware, RAT, Hacker’s Door, APT, Winnti

ATM Malware is Being Sold on Darknet Market (October 17, 2017)
Two strains of ATM malware have been identified as being offered for purchase on an underground forum for $5,000 USD, according to Kaspersky Lab researchers. The malware specifically targets a certain, unnamed vendor’s ATMs. The offer was discovered on “AlphaBay,” which has since been taken down by the Federal Bureau of Investigation; however, it is possible that the malware was purchased before the takedown. The forum post explains what kind of ATMs are affected by the malware, and provides a manual that explains how to force an ATM to empty its cash.
Recommendation: ATMs rely on the same type of preventative measures as any other computer, because that is what they are. In the case of a confirmed infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.
Tags: ATM, Malware, Underground markets

Dangerous Ransomware Arriving as Fraudulent Eir Bill Email (October 17, 2017)
A new phishing campaign has been discovered targeting customers of the Irish telecommunications company “Eir,” according to ESET researchers. The emails purport to be from Eir, claim that the recipient’s bill is available, and provide a link to view the fake invoice. If the link is clicked, it downloads what appears to be a zipped file but is actually an obfuscated JavaScript file. The file will infect a user with the “Filecoder” ransomware if opened.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders. Additionally, it is important to have a comprehensive and tested backup solution in place for the unfortunate case of ransomware infection.
Tags: Phishing, Ransomware

Lenovo Quietly Patches Massive Bug Impacting Its Android Tablets and Zuk, Vibe Phones (October 17, 2017)
On October 5, 2017, Lenovo quietly issued four patches to address vulnerabilities that affect all of their Android tablets, Vibe and Zuk phones, as well as the Moto M and Moto E3 handsets. The vulnerabilities are tied to the “Lenovo Service Framework” (LSF). Successful exploitation could allow a threat actor to execute arbitrary code remotely.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up to date with the latest security features. Using the automatic update feature is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerabilities, Remote code execution

BlackOasis APT and New Targeted Attacks Leveraging Zero-day Exploit (October 16, 2017)
Kaspersky Lab researchers have discovered that the Advanced Persistent Threat (APT) group, “BlackOasis,” is leveraging a zero-day vulnerability (CVE-2017-11292) that affects Adobe Flash. BlackOasis exploited the vulnerability with malicious geopolitically-themed Word documents that contain an ActiveX object, which contains the Flash exploit. Opening of the Word document can lead to successful exploitation and result in the user being infected with “FinSpy” malware.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of phishing and spear phishing, specifically how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Targeted attacks, APT, BlackOasis

Taiwan Heist: Lazarus Tools and Ransomware (October 16, 2017)
BAE researchers have published their findings regarding a cyber theft of approximately $195,000 USD from a commercial firm in Taiwan. The targeted firm, “Far Eastern International Bank” (FEIB) in Taiwan, had its network breached with malware that is known to be used by the Advanced Persistent Threat (APT) group called “Lazarus Group.” Researchers believe that Lazarus Group may have used a rare ransomware family called “Hermes” to distract the IT staff of FEIB while the theft of funds was occurring.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Tags: Breach, Theft, APT, Lazarus Group

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware


Source: Honeypot Tech

The Catch-22 of Security Software

Malicious actors are constantly developing new and improved methods to attack companies. Innovations in security software help organizations to defend against the dynamic world of information security threats, but this protection comes with inherent drawbacks.

One of these drawbacks is that security solutions can require significant access to systems and networks to assess whether or not suspicious activity is present. Further, researchers for security vendors often need to be able to review samples and dig deep to find clues pointing to new threats. Companies receive the benefits of this access and research but should also be aware of the potential risks.

The worst case scenario of the risk associated with this kind of technology was recently brought into the spotlight by the news that Russian intelligence officers exploited the antivirus software of Kaspersky Lab, a private Russian cybersecurity company, to steal sensitive American documents. After news like this, the question on many people’s minds is, do security technologies such as antivirus software still have a place in cyber defense considering the risks the software itself poses?

The answer is more complicated than a simple yes or no. Going with or without any given solution presents risks either way; at some point a company has to accept some risk. Rather than forgoing any protection at all or drastically limiting the effectiveness of investments made in their security solutions, companies can educate themselves on the potential risks involved with different security solutions and vendors and seek to mitigate those risks as much as possible.

Businesses take different factors into account when selecting and vetting business partners, and choosing a security vendor should be no different. Asking key questions of vendors helps to ensure that both parties are protected in their relationship. Questions such as how they monitor their own systems and networks, what the expectations are for disclosure of their own significant security events, and how they handle access to customer data are all helpful in establishing an understanding of how they operate. References, audits, and certifications are also valuable tools for establishing background on risks and potential insights on mitigations for those risks.

What can’t happen with current technology is the Nirvana of expecting security vendors to deliver on the promise of protecting against the plethora of ever-changing security threats without giving them any visibility into systems and/or networks. There is a trade-off here and it’s up to companies to decide what risk is acceptable and what isn’t. Is the risk of not running antivirus software greater than the risk of giving that software full access to the systems it protects? If full access isn’t given, how can it be expected to protect what it can’t see? How many other security products essentially present this same risk dilemma? Who wants to explain to management that their decision to rid the company of antivirus software likely led to a missed infection leading to a front-page breach?

Simply avoiding security software requiring broad access probably isn’t the best answer. Asking the right questions of these vendors and taking appropriate steps internally to mitigate associated risks is the better path. It’s completely acceptable to expect a certain amount of responsibility with this access on the part of vendors, but it’s also reasonable to expect that, despite their best efforts, they too may be compromised or have security flaws turn up in their products just like any other organization.


Source: Honeypot Tech

WTB: WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping

The intelligence in this week’s iteration discusses the following threats: Data breach, Malware, Malvertising, Phishing, RAT, Support scam, Threat group, Vulnerabilities, Wi-Fi, and Zero-day. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

WPA2 Security Flaw Puts Almost Every Wi-Fi Device at Risk of Hijack, Eavesdropping (October 16, 2017)
Security researchers have discovered a vulnerability that affects nearly every Wi-Fi-enabled device. The vulnerability, dubbed “KRACK” (Key Reinstallation Attack), resides in the WPA2 protocol that is commonly used to secure wireless networks. Specifically, the flaw lies in the protocol’s four-way handshake, which allows new devices with a pre-shared password to join the network. An actor would first need to trick an individual’s device into reinstalling a cryptographic nonce, a randomly generated number used to prevent replay attacks, that has already been used. A reused nonce can allow a threat actor to attack the protocol’s encryption, which could lead to hijacked connections and content injected into the network traffic stream.
Recommendation: Your company should be on the lookout for the necessary security patches and apply them as soon as possible; some vendors have already issued patches. Additionally, measures should be in place to monitor your company’s traffic for any potentially malicious activity.
Tags: Vulnerability, Wi-Fi
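To make the nonce-reuse point above concrete, here is an added illustration (not part of the original briefing or of the KRACK research) of why a reused nonce breaks a counter-mode stream cipher. WPA2’s CCMP uses AES in counter mode; this stand-alone example substitutes an assumed SHA-256-based keystream for AES so that it runs with only the Python standard library, and the two sample frames are constructed. The property it demonstrates is the real one: two frames encrypted under the same key and nonce XOR to the XOR of their plaintexts, so knowing one frame’s content reveals the other’s, whereas a fresh nonce leaks nothing.

```python
"""Why a reused nonce breaks a counter-mode stream cipher.
Added illustration for this page; the keystream is an assumed SHA-256 toy
standing in for the AES-CTR keystream that WPA2/CCMP actually uses."""
import hashlib
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: concatenate H(key || nonce || counter) blocks.
    Deterministic, so the same key and nonce always give the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def recover_second_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """If c1 and c2 share key and nonce, c1 XOR c2 == p1 XOR p2, so knowing p1
    yields p2 with no key material at all. With distinct nonces the same
    arithmetic only produces noise."""
    return xor_bytes(xor_bytes(c1, c2), known_p1)


def demo() -> dict:
    key = secrets.token_bytes(16)
    nonce = secrets.token_bytes(12)
    # Constructed sample frames of equal length. The first is assumed to be
    # predictable to an observer (a request line); the second is the secret.
    p1 = b"GET /index.html HTTP/1.1"
    p2 = b"Cookie: session=7f3a9c21"
    c1 = encrypt(key, nonce, p1)
    c2_reused = encrypt(key, nonce, p2)                   # nonce reinstalled
    c2_fresh = encrypt(key, secrets.token_bytes(12), p2)  # nonce advanced properly
    return {
        "p2": p2,
        "recovered_with_reused_nonce": recover_second_plaintext(c1, c2_reused, p1),
        "recovered_with_fresh_nonce": recover_second_plaintext(c1, c2_fresh, p1),
    }


if __name__ == "__main__":
    result = demo()
    print("reused nonce ->", result["recovered_with_reused_nonce"])
    print("fresh nonce  ->", result["recovered_with_fresh_nonce"])
```

The only thing standing between the two outcomes is whether the nonce was allowed to repeat, which is why the fix for this class of flaw is to refuse to reinstall an already-used key and nonce rather than to change the cipher.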

Decoy Microsoft Word Document Delivers Malware Through A RAT (October 13, 2017)
Malwarebytes researchers have discovered that threat actors are using malicious Microsoft Office documents, that require no user interaction, to infect users with a Remote Administration Tool (RAT). The RAT is a commercial tool known as “Orcus RAT” that is being used for malicious purposes. Using this tactic, the Office documents can appear benign. If an individual opens the Word document, it will trigger an automatic download of a malicious RTF file that exploits “CVE-2017-8759” to deliver the payload.
Recommendation: Ensure that your company’s firewall blocks all entry points for unauthorized users, and maintain records of how normal traffic appears on your network, so that unusual traffic and connections to and from your network are easier to spot and potentially malicious activity can be identified. Furthermore, the patch for CVE-2017-8759 should be applied as soon as possible if it has not been already.
Tags: Malicious Word document, RAT

Hyatt Suffers Second Card Data Breach in Two Years (October 13, 2017)
The multinational hotel operator “Hyatt” has acknowledged that some of its locations were compromised by unknown actors. Hyatt discovered that unauthorized access to payment card information, which was entered manually or swiped at front desks, occurred between March 18 and July 2, 2017. The breach affects 41 locations in 11 countries. As of this writing, it is unknown how many people may be affected by this incident.
Recommendation: POS security relies on the same types of preventative measures as other systems, because POS terminals are ultimately a type of computer. In the case of a confirmed infection, the POS terminal must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the POS system should occur along with a formal incident response investigation.
Tags: Data breach, Data theft, Hyatt

Equifax Website Hacked Again (October 12, 2017)
Security researcher Randy Abrams discovered that on October 11, 2017, the U.S.-based credit bureau “Equifax” had its website compromised. Abrams observed that for several hours on October 11, and again on October 12, the Equifax website was offering visitors a fake Adobe Flash update. If a user downloaded the update, they would be infected with adware.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external-facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs. Additionally, policies should be in place for webmasters to apply updates as soon as possible, from the official vendor websites.
Tags: Website compromise, Equifax

PDF Phishing Leads to NanoCore RAT, Targets French Nationals (October 12, 2017)
A new phishing campaign has been identified targeting French nationals, according to Fortinet researchers. The actors are using phishing emails that purport to be banking loan offers. The emails have PDF file attachments that contain embedded JavaScript that will download an HTA file from a Google Drive shared link. The HTA file will drop and subsequently execute the “NanoCore” Remote Access Trojan (RAT) payload.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. Emails that request that the recipient follow a link or open an attachment can often be indicative of a phishing attack.
Tags: Phishing, RAT, NanoCore

Spoofed SEC Emails Distribute Evolved DNSMessenger (October 11, 2017)
Cisco Talos researchers have published additional information regarding threat actors spoofing emails from the U.S. Securities and Exchange Commission (SEC) to deliver malware. Researchers have observed that actors are now spoofing emails to make them appear to come from the SEC’s Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system. The emails contain a malicious attachment that, when opened, begins an infection process that ends with the “DNSMessenger” malware.
Recommendation: The impersonation of government agencies continues to be an effective phishing tactic. All users should be informed of the threat phishing poses, and how to safely make use of email. In the case of infection, the affected system should be wiped and reformatted. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: Phishing, SEC, Spoofed email, Malware, DNSMessenger

Equifax: Up to 15 Million More at Risk (October 11, 2017)
The U.S.-based credit bureau “Equifax” has added additional information regarding the breach it suffered in September. The bureau has now stated that it believes that approximately 15.2 million U.K. records were affected, specifically, individuals who were entered into its database between 2011 and 2016. Researchers state that out of the 15.2 million, 693,665 individuals are categorized as “high-risk.” After news of the breach was reported in September, Equifax had first stated that approximately 400,000 U.K. consumers were affected.
Recommendation: With nearly half of the U.S. population, and now a significantly larger number of U.K. individuals, affected by this breach, it is important for individuals to check whether they are affected by using the following website: “https://www.equifaxsecurity2017.com/potential-impact/”. Affected individuals in the United Kingdom will have letters sent to them by Equifax specifying exactly what data was accessed. Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data breach, Data theft, Equifax

Watch Out for These High-Pressure Apple Malware Scams (October 11, 2017)
A new scam campaign has been found to be targeting Apple product users, according to Sophos researchers. The actors are using scare tactics, impersonating Apple support and stealing the company’s images to use in support scams. The alerts presented to Mac users claim that the machine has been infected with various forms of malware, or contains critical vulnerabilities. If a user follows the directions in the “security alert,” they will be asked to install third-party software to “fix” the issues. Researchers also note that they identified a fake Adobe Flash Player update being used by threat actors in this round of Apple scams.
Recommendation: Technical support scams are common threats facing individuals and companies alike. Any alert that appears and requests that a phone number be called in order to receive assistance in repairing a machine is likely fake. Often there are research blogs that provide instructions for removing malware related to this type of scam from an infected machine. Policies should also be in place to educate your employees on the proper steps to avoid these scams, and whom to inform if such an instance occurs.
Tags: Security/Support scam, Apple

Microsoft Patches Windows Zero-Day Flaws Tied to DNSSEC (October 10, 2017)
Microsoft’s Patch Tuesday has issued security updates that address a zero-day vulnerability in the Windows DNS client, specifically the DNS client in Windows 8 and 10, as well as Windows Server 2012 and 2016. The heap buffer overflow vulnerability, registered as “CVE-2017-11779,” was identified in one of the data record features used in Domain Name System Security Extensions (DNSSEC). If a threat actor exploits this vulnerability, it could allow them to take full control of the affected machine without the need for any user interaction.
Recommendation: Your company should regularly check the software you use in everyday business practices to ensure that everything is always up to date with the latest security fixes. Using the automatic update feature in Windows operating systems is a good mitigation step to ensure that your company is always using the most recent version.
Tags: Vulnerability, Zero day, Microsoft

ATMii: A Small but Effective ATM Robber (October 10, 2017)
Kaspersky Lab researchers have released information on a new ATM malware, dubbed “ATMii,” that was discovered in April 2017. To compromise an ATM, an actor first needs physical access to the machine, such as via a USB drive, or direct access to the machine over its network. The objective of ATMii is to force the ATM to dispense all of the cash it holds. The malware targets a proprietary ATM software process and injects malicious code into it, thus loading a malicious DLL file. The DLL file listens for commands, including a command to dispense currency.
Recommendation: ATM security relies on the same types of preventative measures as other systems, because ATMs are ultimately a type of computer. In the case of a confirmed ATMii infection, the ATM must be taken offline until it can be completely wiped and restored to its original factory settings. An audit of the transactions performed on the ATM should occur along with a formal incident response investigation.
Tags: Malware, ATMii

OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan (October 9, 2017)
Unit 42 researchers have published their findings on a new spear phishing campaign that is being conducted by the threat group “OilRig.” Researchers discovered in July 2017 that the group was using a custom tool called “ISMAgent” in a new campaign of targeted attacks. By August 2017, OilRig had begun distributing a new injector trojan, dubbed “ISMInjector,” that is used to install the ISMAgent backdoor. The malware is distributed via spear phishing emails that contain attachments with malicious macros.
Recommendation: It is important that your company institute policies to educate your employees on phishing attacks. Specifically, how to identify such attacks and whom to contact if a phishing email is identified. Furthermore, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management.
Tags: Threat group, OilRig, Phishing, Malware

Malvertising Group Spreading Kovter Malware via Fake Browser Updates (October 9, 2017)
The threat group behind the Kovter malware family, “KovCoreG,” has been observed conducting a large-scale malvertising campaign, according to Proofpoint researchers. KovCoreG is using fake Adobe Flash and web browser updates to trick users into installing the Kovter malware; Kovter is capable of downloading other forms of malware such as infostealers and ransomware. The campaign focused on Australian, Canadian, U.K., and U.S. visitors to an adult website, and distributed malvertisements via “Traffic Junky”; both companies have since removed the malvertisements. Researchers note that they expect new malvertisements to be distributed to users in other online locations.
Recommendation: Users should be cautious when clicking on advertisements because, as this story shows, malicious advertisements can sometimes appear on legitimate online locations. If the advertised product is appealing, it would be safer to search for the product on the authentic website of the company selling the product, or at other trusted online shopping locations.
Tags: Malvertising, Threat group, KovCoreG, Malware, Kovter

FormBook Malware Targets U.S. Defense Contractors, Aerospace and Manufacturing Sectors (October 9, 2017)
FireEye researchers have identified a new malware called “FormBook” that is used in targeted attacks by unknown threat actors. The actors are targeting aerospace firms, defense contractors, and manufacturing organizations located in the U.S. and South Korea. The data-stealing malware is being distributed via phishing emails that contain malicious DOC, PDF, or XLS attachments. FormBook is capable of multiple forms of malicious activity including: extracting data from HTTP sessions, keylogging, and stealing clipboard contents. Additionally, FormBook can execute commands from a Command and Control (C2) server such as downloading files, and starting processes, among others.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware, FormBook


Source: Honeypot Tech

NCSAM – Dialing in on Cybersecurity Education

“The security aspect of cyber is very tough. And maybe, it’s hardly doable…We have so many things we need to be doing better…And certainly cyber is one of them.”

During the 2016 Presidential debates, Presidential candidate Donald Trump expressed his concern at the state of our Nation’s cyber readiness. It’s a concern shared by many government entities. In 2003, the Department of Homeland Security (DHS) partnered with organizations in the public and private sectors to create events and initiatives to educate the populace on the importance of cybersecurity. Every October since has been National Cyber Security Awareness Month (NCSAM), in which tools and resources are shared in the hopes of keeping people safer online.

Each week of the month has a theme aimed at different areas of cybersecurity. This year’s are listed below, along with some resources that we’ve created that fall under these categories.

Week 1 (Oct 2nd – 6th) – Simple Steps to Online Safety

Six Ways to Help Improve your Security Posture

Week 2 (Oct 9th – 13th) – Cybersecurity in the Workplace is Everyone’s Business

Improve Security Through People in Four Simple Steps

Why Brand Monitoring is a Security Issue – Compromised Credentials

Week 3 (Oct 16th – 20th) – Today’s Predictions for Tomorrow’s Internet

What the Equifax Breach means for the Social Security Number System

How Ransomware has become an ‘Ethical’ Dilemma in the Eastern European Underground

Week 4 (Oct 23rd – 27th) – The Internet Wants YOU: Consider a Career in Cybersecurity

Cybersecurity Talent Shortage

The Road Less Traveled – Building a Career in Cyberthreat Intelligence

Anomali Begins Education Outreach Initiative

This last one is perhaps the most challenging due to just how relatively new of a field cybersecurity is. There’s no direct path of education that leads to the careers within the industry and no common knowledge for how those career paths typically unfold. The more traditional avenues are to come from a computer science or networking background, but it’s not uncommon to hear that most people found their way here somewhat haphazardly.

However people may find themselves within the industry though, it’s clear that hiring and training isn’t happening quickly enough. By 2021 there will be 3.5 million unfilled jobs. Educational institutions, the private and public sectors, and government organizations can all do their part to help prevent such a drastic shortage. Universities, for example, could help streamline the hiring process by offering a dedicated cybersecurity major covering both the tactical (aimed at operations) and strategic (analysts) elements of the field.

At Anomali we’ve tried to bridge this career gap by reaching out beyond the confines of the internet and speaking at local high school computer science classes. We’d like to expand next to speaking at local colleges. Our employees asked students what they knew about security, spoke about how they came to the position they currently hold, and described the benefits they saw for students if they chose to pursue a career in security.

It’s a message that we should all be trying to relate. Security positions can be practiced from any location, job security is ensured, and salaries can be high. What might help to inspire students and simultaneously educate the populace is for more organizations to provide real-world examples of how cyber threats originate, advance, and are mitigated. It might not be easy to convince a company to explain how it was breached, but giving people concrete examples rather than the Hollywood “I’m hacking the mainframe” helps them to understand how real the threat may be in relation to how they interact with technology and the internet.

It’s not something that can be solved in a month or even a year, but every resource we contribute and all the time we invest in one another will help keep us safer. It’s up to all of us, at every level, to contribute.


Source: Honeypot Tech

Unstructured Data: The Threat You Cannot See

Source: Cyber Monitoring

WTB: Every Single Yahoo Account Was Hacked 3 Billion In All

The intelligence in this week’s iteration discusses the following threats: Account compromise, Botnet, Data breach, Data theft, Malspam, Phishing, Ransomware, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Disqus Confirms 2012 Data Breach That Exposed Details for 17.5 Million Users (October 6, 2017)
Disqus, the U.S.-based blog comment hosting service company, has confirmed that it suffered a data breach in July 2012. Unknown threat actors were able to steal data associated with approximately 17.5 million user accounts. The stolen data consists of email addresses, Disqus usernames, sign-up dates, and last logins in plaintext, according to the company. This breach appears to affect users who signed up between 2007 and 2012.
Recommendation: Your company should implement security policies on accounts that store any sensitive information. Multi-factor authentication can help protect trade secrets and other forms of sensitive data.
Tags: Data breach, Disqus

FreeMilk: A Highly Targeted Spear Phishing Campaign (October 5, 2017)
A new spear phishing campaign, dubbed “FreeMilk,” has been identified as ongoing since May 2017, according to Unit 42 researchers. The threat actors behind this campaign are compromising legitimate email accounts owned by various organizations and then using them to conduct the spear phishing attacks. The emails contain malicious documents that leverage the Microsoft Word CVE-2017-0199 vulnerability. Researchers observed that this campaign delivers different malware payloads together with the “PoohMilk” downloader.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense: inform your employees on what to expect for information requests from colleagues, management, and business partners. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear phishing, FreeMilk

SYSCON Backdoor Uses FTP as a C&C Channel (October 5, 2017)
Trend Micro researchers have found a botnet that uses an unusual method for its bots to communicate with their Command and Control (C2) server. A machine infected with the “SYSCON” backdoor has been observed using an FTP server both for communication and as its C2 server. The SYSCON backdoor is distributed by actors via malicious documents with macros. Researchers note that all of the observed documents mention North Korea. The FTP tactic can potentially allow malicious activity to be overlooked; however, this method also leaves C2 traffic open to being monitored.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful for employees to stop using email attachments, in favor of a cloud file hosting service like Box or Dropbox.
Tags: Phishing, Malware, SYSCON

KnockKnock Campaign Targets Office 365 Corporate Email Accounts (October 5, 2017)
Researchers have identified a campaign, dubbed “KnockKnock,” in which actors from 16 countries are targeting Office 365 corporate email accounts in specific sectors. At the time of this writing, the campaign is ongoing and targets various organizations in multiple sectors, such as financial services, healthcare, and manufacturing, around the globe. Researchers note that the actors are not targeting email accounts owned by individuals, but instead are targeting automated corporate accounts because they may not have the same level of security.
Recommendation: As researchers noted in this story, sometimes automated email accounts represent a potential target to threat actors because the security on such accounts is weaker than one operated by a real person. Your company should institute security policies on all work-related email addresses, and include security measures such as two-factor authentication.
Tags: Email compromise, Office 365, KnockKnock

Password Leak Puts Online Radio Stations at Risk of Hijack (October 4, 2017)
Researchers have discovered that the New York-based broadcast site “SoniXCast” contains a vulnerability that leaks administrator passwords. The issue resides in SoniXCast’s API, which actors can exploit to expose the passwords, which are stored in plaintext. The passwords could then potentially be used to gain full control of the 50,000 radio stations that SoniXCast has on its network. As of this writing, the vulnerability has not been discussed in great detail because of security researchers such as Troy Hunt, who said that this vulnerability is the fourth most critical on the web today.
Recommendation: Store a salted cryptographic hash of the SSN, preferably using Bcrypt, and compare the hashes. Bcrypt is based on the Blowfish block cipher, which relies heavily on accesses to an alternating table that cannot be efficiently implemented on a GPU. Compare this with something like SHA-256, which uses 32-bit logic operations and can therefore be handled by GPUs much more efficiently, giving attackers an edge in calculating hashes. This will reduce the risk of plaintext Social Security Numbers being leaked in the case of a breach, and also makes it difficult for threat actors to brute-force the hashes.
Tags: Vulnerability, Radio station, Broadcast, SoniXCast, Password leak

Every Single Yahoo Account Was Hacked 3 Billion In All (October 4, 2017)
Verizon Wireless, the parent company of the internet services company “Yahoo!,” has stated that the Yahoo! breach of 2013 affected every customer account that existed at the time. This includes Fantasy, Flickr, and Tumblr accounts. Verizon stated that, “The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
Recommendation: It is important that your company and employees use different passwords for the different accounts that are being used. Previous breaches can allow actors to gain access to other accounts because users frequently use the same username and password combinations for multiple accounts.
Tags: Account compromise

Apache Tomcat RCE if Readonly Set to False (CVE-2017-12617) (October 3, 2017)
The team behind the open source Java Servlet Container “Apache Tomcat” has announced that all versions before 9.0.1 (beta), 8.5.23, 8.0.47, and 7.0.82 contain a Remote Code Execution (RCE) vulnerability. This vulnerability, registered as “CVE-2017-12617,” can be exploited on all operating systems if the default servlet is configured with the parameter “readonly” set to “false,” or if the WebDAV servlet is enabled with the parameter “readonly” set to “false.”
Recommendation: Tomcat users who have not set “readonly” to “false” on publicly accessible Tomcat servers should not be affected by this vulnerability. Additionally, administrators should check the default configuration of Tomcat products to ensure that they are not vulnerable to this CVE.
Tags: Vulnerability, Apache Tomcat

The Flusihoc Dynasty, A Long Standing DDoS Botnet (October 3, 2017)
Arbor Networks researchers have released a report detailing a Distributed Denial-of-Service (DDoS) botnet called “Flusihoc.” The botnet potentially originates in China, based on the geolocations of its Command and Control (C2) servers and static attributes. Researchers have identified over 500 unique samples of Flusihoc since 2015. In addition to conducting DDoS attacks, as of April 2017 Flusihoc is also capable of downloading and executing a file using the Windows API.
Recommendation: Denial of service attacks can potentially cost your company revenue because severe attacks can shut down online services for extended periods of time. With the leak of the Mirai botnet source code in October, the ability of threat actors to compromise vulnerable devices, and to purchase DDoS-for-hire services, is a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: Flusihoc, Botnet, DDoS

Tragic-Event-Related Scams (October 3, 2017)
The U.S. Computer Emergency Readiness Team (US-CERT) is warning individuals to be aware of potential scams related to the tragic event that took place in Las Vegas, Nevada. US-CERT warns that the scams will likely target individuals who wish to donate to assist victims, as well as victims themselves. The malicious activity could take various forms, such as calls, door-to-door solicitations, fraudulent websites, phishing emails, social media pleas, and texts.
Recommendation: All employees should be educated on the risks of phishing, specifically, how to identify such attempts and whom to contact if a phishing attack is identified. It may also be useful to inform employees that after a natural disaster or major political event, threat actors will theme their malicious activity around what just occurred. Individuals should check for a registered charity number if they wish to donate, and should not enter banking information on dubious-looking sites. Furthermore, always be cautious when reading email, particularly if the message urgently requests that the recipient visit a link or open an attachment.
Tags: Tragic event, Scams, Alert

Behind the Masq: Yet More DNS, and DHCP, Vulnerabilities (October 2, 2017)
Google researchers have discovered seven vulnerabilities in the Domain Name System (DNS) software package “Dnsmasq.” The vulnerabilities’ initial exploitation vectors are DNS and the Dynamic Host Configuration Protocol (DHCP), and they affect the latest version on the project’s git server as of September 5, 2017. Furthermore, the vulnerabilities can result in denial of service, information leaks, and remote code execution.
Recommendation: Dnsmasq users should apply the appropriate patches as soon as possible. Additionally, this application usually runs on embedded devices, and the vulnerabilities only affect the LAN; therefore, if no updates are available, the device could be disabled to avoid potential exploitation.
Tags: Vulnerabilities, Dnsmasq

Necurs Botnet Malspam Still Pushing “.YKCOL” Variant Locky Ransomware (October 2, 2017)
Researchers have released information discussing the ongoing malspam campaign from the actors behind the “Locky” ransomware. This campaign is distributing the “.ykcol” Locky variant in malspam emails, some of which claim that an attached document is an invoice, or simply a new document. The emails are being sent from spoofed email addresses, according to researchers. The actors are requesting 0.6 bitcoins ($1,711.60 USD) for victims to decrypt their files.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Ransomware, Locky variant, .ykcol

Etherparty Ethereum ICO Has Been Hijacked (October 2, 2017)
The smart contract creation tool company “Etherparty” has announced that its website was breached by unknown actors. The company stated that the actors altered the address on its Initial Coin Offering (ICO) website so that funds were rerouted to the actors instead of Etherparty. The actors had control of the website for approximately 95 minutes. Additionally, Etherparty has stated that it will refund any affected contributors with its proprietary FUEL token. As of this writing, it is unknown how many individuals may have inadvertently given funds to malicious actors.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: Compromise, Website

Study Concludes an Additional 2.5 Million Americans Affected by Equifax Breach (October 2, 2017)
The U.S. credit bureau, “Equifax,” has acknowledged that an additional 2.5 million Americans were affected by the breach that was announced on September 7, 2017. The total number of individuals whose Personally Identifiable Information (PII) was exposed in the breach now stands at approximately 145.5 million. The security firm, “Mandiant,” which was hired by Equifax to investigate the breach, also discovered that the number of affected Canadian citizens is closer to eight thousand than to 100 thousand.
Recommendation: With nearly half of the U.S. population affected by this breach, it is important for individuals to check to see if they are affected by using the following website “https://www.equifaxsecurity2017.com/potential-impact/”. Additionally, individuals should regularly check their credit statements in order to identify potential malicious activity.
Tags: Data Breach, Equifax, PII

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016 and is strongly correlated with the cyber criminal groups behind the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware


Source: Honeypot Tech

Hacker Tactics – Part 3: Adversarial Machine Learning

Adversaries are constantly changing and improving how they attack us. In this six-part series we’ll explore new or advanced tactics used by threat actors to circumvent even the most cutting-edge defenses.

The overwhelming trend right now is to apply machine learning or artificial intelligence to problems old and new, and at large scale. It is so ubiquitous that many consumers of machine learning results are unaware of it. This increased trust in and reliance on machine learning results brings new threats and requires new thinking about how to secure it.

What is adversarial machine learning? (And what’s machine learning?)

Machine learning is a method that lets a system learn a complex model from data that people have labeled and used for training. The system can then compare future unlabeled data to that model to determine how closely it fits, in the form of a score or a category. Any score or category applied at a scale beyond what the consumer interactions or employees behind that data could produce by hand is likely machine learning based. Mature machine learning systems have automation built around the labeling and collection of data to keep the models up to date and relevant. This makes a big difference in accuracy, but it is also the first area of concern.

Results are usually accurate when training data is hand-selected and the results are closely examined. The rest of the time, the process of tuning a model is far more automated in order to keep up: the system regularly takes labeled data from various sources to update the model, on the assumption that this data is accurate and should be used to improve the model. If the submitted data is off or intentionally wrong, the model is thrown off.

You’ve likely experienced this first hand. For example, if someone has logged into your Amazon or Netflix account as you, all account activity is falsely assumed to be yours. The recommendations that follow are then skewed by the selections that person made. This is a pretty benign (if annoying) scenario, but the same concept applies to security and business decisions.

Malicious actors engage in adversarial machine learning when they deliberately manipulate the input data. Exploiting vulnerabilities of the learning algorithm in this way can compromise the security of the entire system.

Examples of adversarial machine learning include:

Biometric recognition
Attackers may target biometric recognition, where they can then:

  • Impersonate a legitimate user via fake biometric traits (biometric spoofing)
  • Compromise users’ template galleries that are adaptively updated over time

Computer Security
Malicious actors can exploit machine learning in computer security by:

  • Misleading signature detection
  • Poisoning the training set
  • Replacing the model elasticity

Spam filtering
Attackers may obfuscate spam messages by misspelling bad words or inserting good words.

Why is it used?

We rarely question results, ask where they come from, or how they might change. Machine learning is relatively new, and defending it always lags behind. The technology’s ability to adapt is the core reason it is used, and it is also what makes it easier to exploit.

How is it advanced?

Adversarial machine learning is advanced largely due to the complexity of machine learning itself. Malicious actors would need a thorough understanding of how machine learning works.

No matter how confident someone may be in the accuracy of their training set, an attacker can manage to replace the model directly if it is not protected. This doesn’t require anything specific to machine learning as a practice; the model is simply not often listed as a critical asset.

Machine learning security products can also be exploited by adversaries to an extent. They are tuned to avoid false positives as much as possible. If your model is supposed to find something bad and the input mimics something the model considers good, the model will think it is good and will not throw any alarms. Detection evasion is therefore one of the oldest and most commonly used malicious activities.

History

In this now famous and simple example (https://arxiv.org/abs/1412.6572), once the random snow is added to the training set, the model is far more confident that the picture is random snow than it ever was that it was a panda.

In order to prevent the pandas from being classified as random pixels, you need some sort of checks on the data before it is used in the training set. This can be difficult to get right, because if you over-constrain it, you limit the flexibility of the model to find unintuitive relationships.

There’s a more detailed exploration of techniques here: https://blog.openai.com/adversarial-example-research/. This needs to be translated to other contexts as well.

How do you defend against adversarial machine learning?

1) Add security measures to automated training of machine learning

2) Protect access to machine learning models

3) Make creation of results transparent

4) Notify when something is outside the model
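The first measure, a gate in front of the automated retraining described earlier (where labeled data from various sources is assumed to be accurate), as an added example that is not from the original post; the toy spam filter, the messages, labels and account ids are all constructed:

```python
import math
from collections import Counter
# Added example, not from the original post: a toy word-count spam filter that is
# retrained from user feedback, with a validation gate in front of retraining.
SEED = [("win free prize claim now", "spam"), ("free money click now", "spam"),
        ("cheap prize offer now", "spam"), ("lunch tomorrow with the team", "ham"),
        ("meeting agenda attached for tomorrow", "ham"),
        ("please review the attached report", "ham")]  # constructed seed data
def train(samples):  # per-class word counts from (text, label) pairs; labels spam/ham
    counts = {"spam": Counter(), "ham": Counter()}
    for text, label in samples:
        counts[label].update(text.lower().split())
    return counts

def spam_probability(model, text):
    """Naive Bayes estimate of P(spam) from Laplace-smoothed word ratios."""
    vocab = len(set(model["spam"]) | set(model["ham"]))
    n = {c: sum(model[c].values()) + vocab + 1 for c in model}
    log_odds = sum(math.log((model["spam"][w] + 1) / n["spam"]
                            / ((model["ham"][w] + 1) / n["ham"]))
                   for w in text.lower().split())
    return 1 / (1 + math.exp(-log_odds))

def gate_feedback(model, feedback, max_per_source=3, confidence=0.9):
    """Quarantine feedback whose label contradicts a confident prediction of the
    current model, and cap what one source may contribute per retraining cycle."""
    accepted, quarantined, per_source = [], [], Counter()
    for text, label, source in feedback:
        p = spam_probability(model, text)
        contradicts = p > confidence if label == "ham" else p < 1 - confidence
        per_source[source] += 1
        if contradicts or per_source[source] > max_per_source:
            quarantined.append((text, label, source))
        else:
            accepted.append((text, label))
    return accepted, quarantined

# Constructed feedback: two honest reports plus one account labeling "free prize" as ham.
FEEDBACK = [("quarterly report attached", "ham", "acct-12"),
            ("claim your free money", "spam", "acct-05")] \
           + [("free prize attached", "ham", "acct-77")] * 6 \
           + [("free prize now", "ham", "acct-77")] * 4

def compare_retraining(probe="free prize now"):
    """Retrain with and without the gate; return P(spam) for the probe message."""
    accepted, quarantined = gate_feedback(train(SEED), FEEDBACK)
    gated = train(SEED + accepted)
    ungated = train(SEED + [(t, l) for t, l, _ in FEEDBACK])
    return {"accepted": len(accepted), "quarantined": len(quarantined),
            "gated_p": spam_probability(gated, probe), "ungated_p": spam_probability(ungated, probe)}
```

Without the gate the ten poisoned samples flip the probe message to ham; with it, the subtle ones are capped by the per-source quota and the blatant ones are quarantined outright, and the probe stays spam.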

Something that is rarely mentioned is how machine learning results are presented. They are usually very opaque. Going back to Netflix as an example, when you see a recommendation that has you questioning your taste in media you can see a brief “recommended because: … ” and you can then point to the family member that poisoned your training set or recognize you have some outliers in your taste.

This is rarely done in other products, especially in security solutions, yet it is a critical component in catching issues in the process. If you see an IP address and a risk score, you probably don’t have any more information than what was used to create the score, so you either have to trust it or know how it used that information to arrive at the score. Due to the nature of machine learning, this is not as easy as showing an arithmetic equation. However, there are some things that would help and that machine learning can provide:

1. Machine Learning Model: This lets you know the approximate technique used

2. Key training samples: What are the top matches?

3. Top factors with weight: There are hundreds or more data points that are used in these models. In each result there are top data points that made an impact in that result.

With this information available you could identify a number of things that need to be adjusted or have more trust in the result.
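The three fields above, together with the "notify when something is outside the model" measure from the defence list, attached to the IP-address risk score scenario, as an added example that is not from the original post; the feature names, weights, value ranges and training samples are constructed for illustration:

```python
import math
# Added example, not from the original post: a hand-weighted logistic risk scorer
# for an IP address that returns the transparency fields next to the score.
# Feature names, weights, ranges and training samples are all constructed.
MODEL = {
    "technique": "logistic regression with hand-set weights",
    "bias": -2.0,
    "weights": {"on_blocklist": 2.5, "tor_exit": 1.5, "failed_logins_24h": 0.02,
                "asn_hosting": 0.8, "days_since_first_seen": -0.001},
    # numeric ranges seen in training; binary features default to (0, 1)
    "ranges": {"failed_logins_24h": (0, 200), "days_since_first_seen": (0, 3650)},
    "training": [  # key training samples an analyst can be pointed back to
        {"id": "sample-A", "label": "malicious", "features": {"on_blocklist": 1, "tor_exit": 0,
         "failed_logins_24h": 150, "asn_hosting": 1, "days_since_first_seen": 2}},
        {"id": "sample-B", "label": "benign", "features": {"on_blocklist": 0, "tor_exit": 0,
         "failed_logins_24h": 2, "asn_hosting": 0, "days_since_first_seen": 900}},
        {"id": "sample-C", "label": "malicious", "features": {"on_blocklist": 0, "tor_exit": 1,
         "failed_logins_24h": 60, "asn_hosting": 1, "days_since_first_seen": 5}},
    ],
}

def distance(a, b):
    """Range-normalised L1 distance between two feature dicts."""
    total = 0.0
    for n in MODEL["weights"]:
        lo, hi = MODEL["ranges"].get(n, (0, 1))
        total += abs(a.get(n, 0) - b.get(n, 0)) / (hi - lo)
    return total

def explain(features, top_n=3):
    """Score the features and return the explanation fields alongside the score."""
    contributions = {n: w * features.get(n, 0) for n, w in MODEL["weights"].items()}
    logit = MODEL["bias"] + sum(contributions.values())
    # "Notify when something is outside the model": unknown inputs or values beyond
    # the trained ranges mean the score should not simply be trusted.
    outside = [f"{n}: not a model input" for n in features if n not in MODEL["weights"]]
    for n, (lo, hi) in MODEL["ranges"].items():
        if not lo <= features.get(n, 0) <= hi:
            outside.append(f"{n}={features[n]} outside trained range {lo}-{hi}")
    nearest = sorted(MODEL["training"], key=lambda s: distance(features, s["features"]))
    return {"technique": MODEL["technique"],
            "risk_score": round(1 / (1 + math.exp(-logit)), 3),
            "top_factors": sorted(contributions.items(), key=lambda kv: -abs(kv[1]))[:top_n],
            "key_training_samples": [(s["id"], s["label"]) for s in nearest[:2]],
            "outside_model": outside}
```

A result of 0.89 for a Tor exit with 90 failed logins in a hosting ASN then arrives with the three factors that drove it and the two closest labeled samples, and a value like 5000 failed logins is flagged rather than silently scored.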

One of the scarier realities about machine learning attacks is that they are not isolated to security products. They are everywhere and integrated into our lives. The more we trust them without being able to verify the more vulnerable we become.

Click here to check out the second part of this series, Supply Chain Attacks. Up next in the series: Exploiting Vulnerabilities through Malicious Office Documents.


Source: Honeypot Tech