Anomali Raises $40 Million in Series D Funding

Today I’m pleased to share the news of our latest fundraising efforts, and the addition of Lumia Capital, Deutsche Telekom Capital Partners, Telstra Ventures and Sozo Ventures to the Anomali family. With this funding, we’ll continue to invest in developing innovative threat management and collaboration solutions and expand our global reach.

This milestone comes on the heels of a very exciting 2017 at Anomali – a year in which we:

On the Products and Engineering side we kept the teams very busy, rolling out release after release with tons of new capabilities and functionality to help organizations stay ahead of threats and react more quickly and efficiently. Here’s a sampling of the updates:

  • ThreatStream: added Phishing Indicator extraction, bi-directional STIX/TAXII 2.0 support, multi-analyst collaboration on threat bulletins, powerful new rules engine that can trigger automated actions
  • Anomali Enterprise: launched AE 3.0 including updated UI with streamlined workflows and new dashboards; released Real Time Forensics for automatic threat indicator threat detection, and added Malware family attribution for DGA domains
  • STAXX: released STAXX 2.0 (and, more recently 3.0) including bidirectional threat sharing, support for STIX/TAXII 2.0, threat indicator expansion on STAXX portal, Anomali Limo feed integration, and STIX/TAXII “bridge” translator between v1.0 and 2.0
  • Limo: launched a free collection of threat intelligence feeds, curated by the Anomali Intelligence Acquisition Team, and fully integrated with STAXX.

The best news of all is the growth in our relationship with you. In 2017 we saw record customer growth and added many new ISACs, ISAOs and other threat sharing communities to the Anomali platform. 2018 is already off to fast start and we are looking forward to another exciting year working closely with our customers and partners.

Hope to see you at our Detect ’18 Conference!

Source: Honeypot Tech

WTB: New Mirai Variant Targets Billions of ARC-Based Endpoints

The intelligence in this week’s iteration discusses the following threats: APT, Disk-wiper, DNS hijacking, Malicious extensions, Malicious application, Malvertising, Targeted attacks, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

New Mirai Variant Targets Billions of ARC-Based Endpoints (January 16, 2018)
Security researchers are discussing a new variant of the Internet-of-Things (IoT) malware “Mirai” dubbed “Okiru.” The new malware was first observed by MalwareMustDie researcher “@unixfreaxjp.” Researchers now believe that Okiru is the first malware designed to target “Argonaut RISC Core” (ARC) processors. In addition, researchers also believe that there are over 1.5 billion devices that have ARC processors, such as cameras, cars, cell phones, and televisions (among others). At the time of this writing, it is unknown how many devices have been infected with Okiru; however, researchers state that the malware is specifically targeting ARC Linux devices.

New KillDisk Variant Hits Financial Organizations in Latin America (January 15, 2018)
A new variant of the disk-wiping malware “KillDisk” is targeting financial organizations in Latin America, according to Trend Micro researchers. The malware appears to be dropped by another process rather than being directly installed. This KillDisk variant changes its file name to “c:windows23456789” while it is running. In addition, KillDisk walks all logical drives and randomly renames each file before deleting it. It is capable of reading the Master Boot Record (MBR) as well as overwriting the Extended Boot Record (EBR).

Malicious Chrome Extensions Enable Criminals to Impact Over Half a Million Users and Global Businesses (January 15, 2018)
Researchers from U.S.-based cyber security firm “ICEBRG” have discovered four malicious Chrome browser extensions which were available for download on the official Chrome Web Store. The four extensions, titled “Change HTTP Request Header,” “Nyoogle – Custom Logo for Google,” “Lite Bookmarks,” and “Stickies – Chrome’s Post-it Notes,” were found to have been downloaded approximately 500,000 times. The extensions were designed in such a way that could allow a threat actor to send commands to an affected user’s browser via JavaScript code. Researchers discovered that the actors behind this campaign are using the extensions to conduct click fraud by loading a website in the background and clicking on advertisements.

Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users (January 12, 2018)
A security researcher has published information regarding what may be the first reported macOS-specific malware of 2018. The malware was first identified via a post on a Malwarebytes forum. The malware, dubbed “OSX/MaMi,” is an unsigned Mach-O 64-bit executable that is reported to be similar to another malware family called “DNSChanger.” In 2012, DNSChanger infected millions of machines around the globe. DNSChanger would change Domain Name Server (DNS) settings to route traffic through actor-controlled servers, which allowed the actors to intercept potentially sensitive data. OSX/MaMi appears to be doing the same thing, in addition to installing a new root certificate in an attempt to intercept encrypted communications.

Update on Pawn Storm: New Targets and Politically Motivated Campaigns (January 12, 2018)
The Advanced Persistent Threat (APT) group “APT28” has added new targets in its cyber espionage campaign “Operation Pawn Storm,” according to Trend Micro researchers. Researchers note that the group’s tactics in this campaign have remained the same. APT28 uses well prepared, politically-themed spear phishing emails to target political organizations around the world. The group has been conducting this campaign since 2015. Now researchers have observed the group distributing phishing emails that attempt to steal user credentials. In October and November APT28 distributed emails that purported to be a message from the recipient’s Microsoft Exchange server regarding an expired password, and another that purported that there is a new file on the recipient company’s OneDrive system.

Hackers Make Whopping $226K Installing Monero Miners on Oracle WebLogic Server (January 11, 2018)
Researchers Johannes B. Ullrich (SANS) and Renato Marinho (Morphus Labs) have discovered that threat actors are actively exploiting a vulnerability in Oracle WebLogic servers. The vulnerability, registered as “CVE-2017-10271,” was patched by Oracle in October 2017. However, the proof-of-concept code released for the vulnerability is likely a driving force behind the current malicious activity. Actors have been able to compromise enterprise-owned WebLogic servers and gain access to corporate networks. Interestingly, instead of stealing information, the actors installed a “Monero” cryptocurrency miner. As of this writing, the actors have been able to mine approximately 611 Monero, valued at approximately $226,000 USD.

Adobe Patches Information Leak Vulnerability (January 10, 2018)
As part of Patch Tuesday, Adobe has issued a security patch to address a vulnerability registered as “CVE-2018-4871.” The vulnerability could be exploited by threat actors to leak sensitive data. This vulnerability affects Adobe Flash Player on Mac, Linux, and Windows machines. In addition, Adobe Flash Player for the web browsers Chrome, Edge, and Internet Explorer is also affected.

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-day (January 9, 2018)
In Microsoft’s first Patch Tuesday of 2018, the company addressed 56 CVE-registered vulnerabilities that affect multiple products including ASP.NET, ChakraCore, Edge, Internet Explorer, and the .NET framework. Microsoft issued a patch for a zero-day vulnerability, registered as “CVE-2018-0802,” in Office that was observed to have been exploited by threat actors in the wild.

Diplomats in Eastern Europe Bitten by a Turla Mosquito (January 9, 2018)
Researchers from the IT security company ESET have released a report discussing new malicious activity which is attributed to the Advanced Persistent Threat (APT) group “Turla.” Researchers discovered that a custom backdoor used by the group, called “Mosquito,” was packaged with the legitimate Flash installer and appeared to have been downloaded from adobe[.]com. Turla has been observed using a fake Adobe Flash installer in previous campaigns. The group was also observed using its “Gazer” malware to primarily target consulates and embassies in Eastern Europe, although some private companies were also infected.

RIG Exploit Kit Campaign Gets Deep Into Crypto Craze (January 9, 2018)
As cryptocurrencies continue to become more popular, due in part to the significant rise in the value of Bitcoin, so too are malicious campaigns designed to mine cryptocurrency. Researchers have discovered such a campaign, dubbed “Ngay,” that is distributing the RIG exploit kit via malicious advertisements (malvertising). If a malvertisement is followed, a user is infected with RIG, which then downloads a “Monero” or “Electroneum” cryptocurrency miner onto the affected machine.

First Kotlin-Developed Malicious App Signs User Up for Premium SMS Services (January 9, 2018)
Trend Micro researchers have identified a malicious application on the Google Play store that impersonated the utility cleaning tool application for Android devices called “Swift Cleaner.” The application was written in the “Kotlin” programming language, which Google announced in May 2017 and which is used to create Android applications. The fake application was observed to have been downloaded between 1,000 and 5,000 times. The malicious application is capable of click advertisement fraud, data theft, remote code execution, URL forwarding, and signing up for paid SMS subscription services without user permission.

Apple Releases Multiple Security Updates (January 8, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in multiple Apple products. The affected Operating Systems (OS) are macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6. The products affected by vulnerabilities are iPhone 5s and later, iPad Air and later, and iPod 6th generation. A threat actor could exploit these vulnerabilities to gain access to sensitive information.

A North Korean Monero Cryptocurrency Miner (January 8, 2018)
A new application, identified to have been compiled on December 24, 2017, is being used to mine “Monero” cryptocurrency, according to AlienVault Labs researchers. The currency, after being mined, is then sent to “Kim Il Sung University” in Pyongyang, North Korea. Researchers believe that it is likely that the installer is associated with the open source Monero mining software “XMRig.” Interestingly, it was discovered that the actors behind this campaign used a hostname that no longer resolves, which means XMRig cannot send the mined currency to the actors on most networks. Researchers believe that this fact, in addition to the use of a North Korean server, may indicate that this is a testing phase of a potential malicious campaign, or that this may be a genuine Monero mining operation. However, the use of a North Korean server may indicate that actors within the country are mining cryptocurrencies as a way to bypass United Nations sanctions. Lastly, the observation of Monero being sent to Kim Il Sung University does not necessarily attribute this activity to a North Korean citizen, because the university is “unusually open” and analysis of the code samples reveals French text.

Source: Honeypot Tech

Doh!!! The 10 Most Overlooked Security Tasks

Here’s a list of gotchas that often slip past overburdened security pros.
Source: Vulnerabilitys & Threats

IoT-Driven Manufacturing Trends to Look for in 2018


With Internet of Things (IoT) technology spending forecast to reach $772.5 billion this year — an increase of 15 percent over 2017 — the world’s top manufacturers are set to shift into exhilarating overdrive down the path to AI-driven and IoT-enabled automation. So where will 2018 take us on this journey? First and foremost, the year ahead will see manufacturers rapidly connecting the unconnected, consolidating workloads, focusing on data analytics and virtualizing as much as they can on the manufacturing floor. Furthermore, the manufacturing industry will continue its quest to connect to the data halos transmitted by all of the instrumented people, places and things. They will make further sense of this data by applying analytic algorithms to turn data into actionable information, providing better insight into facilities and production.

Shifting Roles and Revealing Value in IoT

While the industry is embracing IoT, it will begin to reveal its value in 2018. Unlike the enterprise resource planning (ERP) projects of the 1980s and ‘90s, manufacturers understand that there’s tremendous value in IoT. As a result, 2018 will see a growth in pilots that will showcase results to inform further investment and business benefits — from intelligent manufacturing and field service automation to industrial system consolidation and robotic assembly. Industry leaders will emerge and apply these experiments at high-value locations where they see that they can automate functions.

The rapid growth in automation of routine tasks will free up humans to apply their own unique intuition and creativity to infer associations from disassociated objects. That’s where humans are most effective. Manufacturers will increasingly look for places and ways to automate functions while also looking for ways to apply IoT for improving their business processes. This will certainly appear across the supply chain as businesses take a closer look at the quality of the raw materials that arrive, work in progress and quality steps along the way.

As businesses dig in and begin to uncover the value of IoT, they will increasingly deploy analytic solutions where it makes sense. It’s a tremendously exciting time for the industry, at a time when IoT technology is still growing and being developed. There are nuances and new discoveries that need to be made, as with any new major evolution in the industry. While we’re still very early on, everyone is experimenting, learning quickly, failing quickly, and gleaning solid learning objectives out of the pilots they deploy, slowly bringing it on board.

Positive Disruption through Automation

IoT will also disrupt the market in places where technology can enable businesses to provide more personalization for customers. If a customer wants a certain part created from a certain pattern, from a certain material, delivered on a certain date then they should be able to convert that request to a manufacturing line to delight the customer when it shows up at their door. Manufacturing is heading down the path toward personalization, shaped by the increasing amounts of data insights that are streaming from people, places and things. It will give manufacturers the ability to become so much more efficient and safe in how they deliver their product to customers, aided by disruption in automation and controls, virtualization and software-defined machine control.

The Path to a Smarter Factory

As manufacturers continue on their journey with IoT, they can start to make sense of industrial data by applying algorithms and analytics. This, in turn, will enable them to leverage machine learning that distinguishes normal from abnormal behaviors. The next phase will enable smart machines to use that data in decision-making and will introduce control logic. As a result, analytics for large, unstructured data sets like video and audio will increasingly occur at the edge, or at other places along the network. This will allow manufacturers to detect anomalies for further examination back at the factory command center.

Looking Ahead

From workload consolidation and virtualization to revealing IoT insights and expanding automation, as manufacturers apply analytic algorithms that turn data into actionable information there’s not a place in our lives that won’t be touched by industrial IoT. We are in as transformative a phase right now as when electricity was invented. In 100 years, people will look back at this time and wonder how we ever got along without IoT devices, or solutions invented because of IoT. 2018 is shaping up to be a tremendously transformative year that will usher us forward to a better tomorrow.


Source: Network News

The Rise of Malware Using Legitimate Services for Communications

Malware often includes the ability to communicate with attacker controlled systems on the Internet from within compromised networks. This gives the attacker several important capabilities.

Some examples of this communication include:

  • Receive “heartbeats” to maintain an inventory of compromised systems
  • Send remote control commands and receive the results of those commands
  • Exfiltrate data from inside compromised networks
  • Send updates or new capabilities to already compromised hosts

This communication between malware and attacker controlled servers on the Internet is often referred to as “command and control.” This is also a primary area of focus for detection of malware infections in security software outside of detecting the malware itself.

As defenders have gotten better at detecting Internet hosts and domains used for malware command and control, attackers have had to develop their own countermeasures to try and stay ahead of detection and blocking efforts. Techniques such as Domain Generating Algorithms have been employed to try and evade traditional detection mechanisms put in place by defenders.

One of the new evolutions in malware capabilities is the use of legitimate services as a conduit for command and control communications. Imagine malware that uses GitHub, or Google Docs, or Facebook to communicate with attackers. Defenders are stuck trying to discern between legitimate traffic and malicious traffic that is all encrypted and going to the same popular and very legitimate services on the Internet. The dominant way to refer to this technique is “Legit Services C2.”

A variety of legitimate services seen abused for C2

There are many possible services available across the Internet that could be used for malware command and control. As new services are constantly popping up, there is essentially an unlimited supply of options for using legit services for malware command and control.

We did some detailed research into malware that uses legit services for C2. We identified a number of malware families that have been observed taking advantage of legit services. We also dig into how malware uses legit services for C2. Finally, we offer some suggestions for potentially sifting out malware usage vs. legitimate usage of these services. We packed all this research into a white paper titled “Rise of Legit Services for Backdoor Command and Control,” which can be downloaded without registration. Please feel free to use this research, and we hope that others will expand on it.
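The article describes the defender's problem without showing what "sifting out malware usage" can look like in practice. The following is an added example written for this page, not code from the white paper or from the original post. It runs two simple heuristics over a constructed proxy log: beacon regularity (one internal host contacting one external host at near-constant intervals, which is typical of C2 check-ins even when the destination is a popular service) and a crude character-entropy check for DGA-style domains. The log format, hosts, IPs and thresholds are all assumptions made for the example; real traffic needs tuning and a public-suffix list.

```python
"""
Added example: two coarse heuristics for spotting C2 traffic that hides
behind legitimate services or DGA-style domains. Log lines, hosts and
thresholds below are constructed for illustration.
"""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, source IP, method, host, path.
# 10.0.0.5 polls a code-hosting API about every 60 s (beacon-like),
# 10.0.0.7 browses irregularly, 10.0.0.9 contacts a random-looking domain.
SAMPLE_LOG = """\
2018-01-15T09:00:00 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:01:00 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:02:01 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:03:00 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:04:00 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:05:01 10.0.0.5 GET api.github.com /repos/example/notes/contents/readme
2018-01-15T09:00:12 10.0.0.7 GET www.example.com /
2018-01-15T09:00:13 10.0.0.7 GET www.example.com /static/app.js
2018-01-15T09:07:45 10.0.0.7 GET docs.example.com /guide
2018-01-15T09:31:02 10.0.0.7 GET www.example.com /news
2018-01-15T09:52:30 10.0.0.7 GET www.example.com /about
2018-01-15T10:10:00 10.0.0.7 GET www.example.com /contact
2018-01-15T09:10:00 10.0.0.9 GET xk3j9qz0w8r2lp5v.com /
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log format into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, host, path = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "method": method, "host": host, "path": path})
    return events


def beacon_candidates(events, min_requests=5, max_cv=0.2):
    """Return (src, host, mean_gap_s, cv) for src/host pairs whose request
    gaps are suspiciously regular; cv = population stdev / mean of the gaps."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    findings = []
    for (src, host), times in by_pair.items():
        if len(times) < min_requests:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append((src, host, round(mean, 1), round(cv, 3)))
    return findings


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(host):
    """Crude second-level label: 'api.github.com' -> 'github'.
    A real implementation would consult a public-suffix list."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_candidates(events, min_len=12, min_entropy=3.5):
    """Flag hosts whose registrable label is both long and high-entropy."""
    seen, findings = set(), []
    for e in events:
        label = registrable_label(e["host"])
        if label in seen:
            continue
        seen.add(label)
        ent = shannon_entropy(label)
        if len(label) >= min_len and ent >= min_entropy:
            findings.append((e["host"], round(ent, 2)))
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in beacon_candidates(evs):
        print("possible beacon:", f)
    for f in dga_candidates(evs):
        print("possible DGA domain:", f)
```

Neither check is proof of compromise on its own: software updaters and monitoring agents also poll on fixed schedules, and some legitimate CDN hostnames look random. The point is that the destination being a well-known service does not make the timing and naming signals disappear, which is what the "legit services C2" problem leaves defenders to work with.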

Source: Honeypot Tech

Hak5 2318 – [[ PAYLOAD ]] – Best Payload Practices


Source: Security news

'Back to Basics' Might Be Your Best Security Weapon

A company’s ability to successfully reduce risk starts with building a solid security foundation.
Source: Vulnerabilitys & Threats

CISOs' Cyber War: How Did We Get Here?

We’re fighting the good fight — but, ultimately, losing the war.
Source: Vulnerabilitys & Threats

WTB: Malicious Document Targets Pyeongchang Olympics

The intelligence in this week’s iteration discusses the following threats: Banking trojan, Botnet, Credit card theft, Data breach, Hardcoded backdoor, Malicious applications, Phishing, and Vulnerabilities. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Hardcoded Backdoor Found on Western Digital Storage Devices (January 8, 2018)
GulfTech researcher James Bercegay discovered vulnerabilities in Western Digital’s “WDMyCloud” firmware before version 2.30.165. The unrestricted file upload vulnerabilities affect multiple MyCloud products. In addition to the vulnerabilities, it was also found that some MyCloud products contain a hardcoded administrator account that can function as a backdoor. The vulnerabilities could be exploited to gain remote root code execution on the affected personal cloud storage units by sending a crafted HTTP POST request. Furthermore, the backdoor administrator account, once logged in to, can function as a root shell from which actors can execute arbitrary commands.

Malicious Document Targets Pyeongchang Olympics (January 6, 2018)
A new phishing campaign has been identified to be targeting organizations associated with the Pyeongchang Olympics, according to McAfee researchers. The actors behind this campaign are distributing malicious Microsoft Word documents that have the original file name “Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics.” This campaign is primarily targeting organizations in South Korea. If the Word document is opened, it requests the recipient to “Enable Content” which, if enabled, will launch an obfuscated PowerShell script. The script sets up communication to a Command and Control (C2) server for additional instructions, some of which were found to be executing commands on the infected machine to download additional malware.

Microsoft Issues Warning for Meltdown Fix (January 5, 2018)
Microsoft has issued security updates outside of its typical Patch Tuesday cycle in response to a vulnerability dubbed “Meltdown” and registered as “CVE-2017-5754” that affects “Intel CPUs.” The Meltdown vulnerability allows normal applications to access the content of private kernel memory. This could potentially expose sensitive information on machines that use cloud-based features. In addition to possibly exposing sensitive data, the Meltdown fix can also cause compatibility issues with some antivirus tools.

LightsOut: Shining a Light On Malicious Flashlight Apps on Google Play (January 5, 2018)
22 applications in the Google Play store were identified as containing scripts that override a user’s ability to disable advertisements and that hide the application’s own icon in an attempt to prevent it from being removed, according to Check Point researchers. The malware, dubbed “LightsOut,” was found inside flashlight and utility applications that ranged from 1.5 million to 7.5 million downloads.

Avamar Zero-day (January 4, 2018)
Digital Defense researchers have released information regarding three vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15550,” and “CVE-2017-15549,” discovered in Dell’s “EMC Data Protection Suite Family” products. The affected products were found to be “Avamar Server” versions 7.1.x, 7.2.x, 7.3.x, 7.4.x, and 7.5.0, NetWorker Virtual Edition versions 0.x, 9.1.x, and 9.2.x, and the Integrated Data Protection Appliance version 2.0. Exploitation of the vulnerabilities can result in authenticated arbitrary file access and file upload in “UserInputService,” or an authentication bypass in “SecurityService.” All three vulnerabilities can be exploited by an actor to gain root login on an affected machine.

Reading Privileged Memory with A Side-Channel (January 3, 2018)
Google’s Project Zero team has released a report regarding three vulnerabilities, registered as “CVE-2017-5753,” “CVE-2017-5715,” and “CVE-2017-5754,” that affect some modern processors created by AMD, ARM, and Intel. Exploitation of the vulnerabilities can result in bounds check bypass, branch target injection, or rogue data cache load. These vulnerabilities are also known as “Spectre” (CVE-2017-5753 and CVE-2017-5715) and “Meltdown” (CVE-2017-5754).

New Python-based Crypto-Miner Botnet Flying Under The Radar (January 3, 2018)
A new cryptocurrency mining botnet, dubbed “PyCryptoMiner,” has been observed infecting machines by brute forcing credentials for the SSH protocol, according to F5 researchers. The Linux botnet malware is written in the Python programming language and uses the text-storing website “Pastebin[.]com,” under the username “WHATHAPPEN,” to receive a new Command and Control (C2) address if the original C2 server is unreachable. Researchers have observed that the malware has scanning capabilities that search for JBoss servers vulnerable to “CVE-2017-12149.” The botnet mines “Monero” cryptocurrency on an infected device.

Satori IoT Botnet Malware Code Given Away for Christmas (January 3, 2018)
An unknown threat actor has publicly released exploit code for a vulnerability, registered as “CVE-2017-17215,” on “Pastebin[.]com.” The vulnerability affects “Huawei HG532” devices. Prior to the posting, the vulnerability had already been used by two Internet-of-Things (IoT) malware families, “Satori” and “Brickerbot.”

Android Banking Trojan Targets More Than 232 Apps Including Apps Offered by Indian Banks (January 3, 2018)
Researchers from Quick Heal Security Labs have detected an Android Banking Trojan that targets approximately 232 apps. The trojan is being distributed through a fake Flash Player application located on third-party app stores. Once the application is installed it will ask the user to enable administrative rights. Once enabled the Trojan looks for 232 applications on the device, mainly banking and cryptocurrency applications. If a targeted application is found on the device, a notification is shown and if the user clicks on it, a fake login page is displayed which harvests the user’s credentials. The Trojan can also exfiltrate contacts, locations, and SMS messages from the device.

VMware Releases Security Updates (January 2, 2018)
The United States Computer Emergency Readiness Team (US-CERT) has issued an alert regarding vulnerabilities in VMware’s “vSphere Data Protection.” vSphere Data Protection is a backup and recovery solution created for vSphere environments, according to VMware. The company ranks the vulnerabilities, registered as “CVE-2017-15548,” “CVE-2017-15549,” and “CVE-2017-15550,” as critical severity. The vulnerabilities could be exploited to give a threat actor root access to an affected machine.

Forever 21 Breach Lasted Over Seven Months (January 2, 2018)
The U.S.-based retail store “Forever 21” has made a statement regarding its investigation into a data breach that was first confirmed in November 2017. At that time, the company said that the breach affected card transactions at its stores from March to October 2017. Now Forever 21 has changed the timeframe in which card transactions were potentially compromised to April through November 2017. The retail company also stated that encryption features for Point of Sale (POS) machines at various locations were turned off during the April through November 2017 timeframe. This could allow threat actors to more easily steal payment data as it was processed. Additionally, the company identified malware “installed on some devices in some U.S. stores at varying times during the period from April 3, 2017 to November 18, 2017.”

Source: Honeypot Tech

Vulnerability Management: The Most Important Security Issue the CISO Doesn't Own

Information security and IT need to team up to make patch management more efficient and effective. Here’s how and why.
Source: Vulnerabilitys & Threats