Doing Threat Intel the Hard Way – Part 5: Analyze Threat Intelligence

This is the fifth post in a series on manual IOC management for threat intelligence. See the previous posts:

Analyze Threat Intelligence

Everything we have discussed to this point is meant to deliver the right information to your analysts, but the intelligence must still be analyzed. To do this, an analyst workflow must be established that includes incident escalation and response processes.

The analyst workflow must provide a repeatable process for analyzing the output of the integrations you created in the previous steps. For example, if the SIEM determines that a server is communicating with a known botnet command and control domain, your analyst must be notified in some fashion (on-screen prompt, email, SMS, IM, etc.). The analyst must then evaluate the collected information and take appropriate action based on the information’s accuracy. If the analyst determines that the notification is not valid, they should document their findings for future reference and move on to the next analysis. If the analyst verifies that the notification is correct, they should begin a formal set of incident response steps.

In addition to providing analysts with a workflow, you must also provide them with the necessary tools to gather information on the incidents they analyze. This is where enrichment of the sort discussed in the processing step can be useful. Analysts use sites like Shodan, Web of Trust, VirusTotal, etc. to gather additional information on selected indicators. Integrating these sources into your threat intelligence platform removes the need to seek them out manually, saving your analysts precious time when making an escalation decision.

One final tool you may wish to provide to analysts is the ability to perform indicator expansion in their research. Indicator expansion is a two-step process: the analyst first examines the indicators related to those seen in the local environment, then conducts a secondary search to see whether any of those related indicators are present as well. Many organizations struggle with this because of the short retention periods of gathered log data: an analyst can only investigate as far back as their data reaches.
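The workflow described above (SIEM match, analyst notification, document-or-escalate decision) and the two-step indicator expansion bounded by log retention, as an added Python example. This is illustration code written for this post, not tooling from the series; the indicator feed, the proxy/DNS log lines, the campaign name and the retention window are all constructed, and the `.invalid` domains and 198.51.100.23 are reserved documentation values rather than real IOCs.

```python
from datetime import datetime, timedelta

# Constructed threat-intel feed: indicator -> metadata. "related" holds the
# other indicators reported for the same campaign; expansion uses it.
INDICATORS = {
    "bot-c2.example.invalid": {"type": "c2-domain", "campaign": "CAMPAIGN-A",
                               "related": ["stage2.example.invalid", "198.51.100.23"]},
    "stage2.example.invalid": {"type": "payload-host", "campaign": "CAMPAIGN-A", "related": []},
    "198.51.100.23": {"type": "c2-ip", "campaign": "CAMPAIGN-A", "related": []},
}

# Constructed log extract, one record per line: "<ISO timestamp> <source host> <destination>"
LOG_LINES = """\
2017-03-06T09:14:02Z srv-web-01 cdn.example.invalid
2017-03-06T09:15:40Z srv-web-01 bot-c2.example.invalid
2017-03-05T22:01:11Z ws-1043 stage2.example.invalid
2017-01-20T08:30:00Z ws-0077 198.51.100.23
2017-03-06T10:02:17Z srv-db-02 updates.example.invalid
""".splitlines()

NOW = datetime(2017, 3, 7)      # "today" for the example
RETENTION = timedelta(days=30)  # assumed: how far back the log store reaches


def parse_line(line):
    ts, src, dst = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src, "dst": dst}


def match_indicators(lines, indicators=INDICATORS):
    """Step 1, the SIEM match: every record whose destination is a known
    indicator becomes an alert the analyst must be notified about."""
    alerts = []
    for rec in map(parse_line, lines):
        meta = indicators.get(rec["dst"])
        if meta:
            alerts.append({**rec, "indicator": rec["dst"],
                           "type": meta["type"], "campaign": meta["campaign"]})
    return alerts


def triage(alert, valid, notes):
    """Step 2, the analyst's decision: an invalid notification is documented
    and closed so the next analyst can see why; a confirmed one opens a
    formal incident with its first response steps recorded."""
    record = {"indicator": alert["indicator"], "src": alert["src"], "notes": notes}
    if not valid:
        record["status"] = "closed-false-positive"
    else:
        record["status"] = "incident-opened"
        record["next_steps"] = ["isolate " + alert["src"],
                                "collect volatile evidence",
                                "notify incident response lead"]
    return record


def expand_and_search(indicator, lines, now=NOW, retention=RETENTION, indicators=INDICATORS):
    """Indicator expansion: collect the indicators related to the hit, then run
    the secondary search over the logs. Only records inside the retention
    window count as findings; a real log store would simply not hold the
    older ones, so the constructed log includes one to show the limit."""
    related = set(indicators.get(indicator, {}).get("related", []))
    cutoff = now - retention
    hits, outside = [], 0
    for rec in map(parse_line, lines):
        if rec["dst"] in related:
            if rec["ts"] >= cutoff:
                hits.append(rec)
            else:
                outside += 1
    return {"related": related, "cutoff": cutoff, "hits": hits, "outside_retention": outside}


if __name__ == "__main__":
    for alert in match_indicators(LOG_LINES):
        print("ALERT", alert["src"], "->", alert["indicator"], alert["campaign"])
    first = match_indicators(LOG_LINES)[0]
    print(triage(first, True, "confirmed beaconing on 10 minute interval"))
    print(expand_and_search(first["indicator"], LOG_LINES))
```

The expansion result reports how many related-indicator sightings fell outside the retention window; in practice that number is unknown, which is exactly the blind spot the paragraph describes, so the honest output of a real implementation is only the hits and the cutoff date.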

Up next in the series: Threat Intelligence Maintenance 

Source: Honeypot Tech

Breaking Down Language Barriers in Smart Buildings

Have you ever wondered why the buildings that we live and work in aren’t smarter? I have. For example, why can’t the conference room I’m sitting in sense more people entering the room and dynamically increase the airflow through the vents? And why can’t the trash bins in the restroom be equipped with sensors that can automatically push a notification to the facilities team when they’re full, ensuring on-demand versus schedule-based maintenance?

Getting building systems to communicate with each other can take a lot of effort. One of the reasons connecting building systems together can be so difficult is many original equipment manufacturers (OEMs) use a homegrown data language within their system that has no meaning to the outside world. In other words, there’s a language barrier.

Say we want to know the supply air temperature for an air handling unit (AHU). One vendor might name that BACnet point “AHU1:Temperature” and another vendor might map the same BACnet point as “FLOOR1:AHU:Temperature”. Since there is no standardization at this layer, you would ultimately need a systems integrator to “map” these points together to create a consistent data model.

Also, temperature on its own lacks context, so we need additional data to decide whether anything needs to happen. Does the data reflect actual or target temperature? Which zone and floor within a building does it belong to? And are there occupants in that space?
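The mapping problem above, as an added Python example that is not part of the original post or of Project Haystack’s own software: the two vendor point names for the same AHU supply air temperature are parsed into one normalized record, a setpoint is kept apart from the measured value (the actual-versus-target question), and the floor is carried along where the name provides it. The parsing rules, the vendor names and the tag vocabulary are assumptions; the tags follow the Haystack convention of describing a point by a set of words, but a real deployment must take them from the Haystack tag library rather than from this example.

```python
import re

# Constructed vendor point names: two namings of the same physical quantity
# plus one setpoint, so that actual and target temperature can be told apart.
VENDOR_POINTS = [
    ("vendor-a", "AHU1:Temperature"),
    ("vendor-b", "FLOOR1:AHU:Temperature"),
    ("vendor-a", "AHU1:TemperatureSetpoint"),
]

# Assumed parsing rules, one per vendor naming scheme. The named groups are
# the pieces needed for a consistent model: owning equipment, floor (if the
# name carries it) and whether the point is a setpoint or a measurement.
RULES = {
    "vendor-a": re.compile(r"^(?P<equip>AHU\d+):Temperature(?P<setpoint>Setpoint)?$"),
    "vendor-b": re.compile(r"^(?P<floor>FLOOR\d+):(?P<equip>AHU):Temperature(?P<setpoint>Setpoint)?$"),
}

# Assumed tag vocabulary for "supply (discharge) air temperature point".
BASE_TAGS = {"point", "discharge", "air", "temp"}


def normalize(vendor, point_name):
    """Turn one vendor-specific point name into a vendor-neutral tagged record."""
    m = RULES[vendor].match(point_name)
    if m is None:
        raise ValueError(f"no mapping rule for {vendor} point {point_name!r}")
    tags = set(BASE_TAGS)
    # "sp" marks a target value, "sensor" a measured one (assumed tag names).
    tags.add("sp" if m.group("setpoint") else "sensor")
    return {"id": point_name, "vendor": vendor, "tags": tags,
            "equipRef": m.group("equip"), "floorRef": m.groupdict().get("floor")}


def normalize_all(vendor_points=VENDOR_POINTS):
    return [normalize(vendor, name) for vendor, name in vendor_points]


def query(points, required_tags):
    """Select every point carrying all the required tags, whatever the vendor
    called it. This is the query the integrator's mapping work makes possible."""
    return [p for p in points if required_tags <= p["tags"]]


if __name__ == "__main__":
    points = normalize_all()
    for p in query(points, {"discharge", "air", "temp", "sensor"}):
        print(p["vendor"], p["id"], "->", p["equipRef"], p["floorRef"], sorted(p["tags"]))
```

Once both vendors’ points carry the same tags, the question “what is the measured supply air temperature of every AHU on floor 1?” becomes a single tag query instead of a per-vendor lookup, which is the point of standardizing the model rather than each integration.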


The wheel of connectivity includes data, information, analytics, insight and action.

Standardizing system data

What’s needed is a standardized method for describing data, making it easier to analyze, visualize and derive value from our operational data. In fact, this is a main objective of Project Haystack, an open-source initiative created to streamline the integration of data from the Internet of Things (IoT).

Members of the initiative are standardizing semantic data models and web services with the goal of helping end users and solution providers unlock value from the vast quantity of data being generated by the smart devices found in our homes, buildings, factories and cities. This work currently targets applications in automation, control, energy, HVAC, lighting and other environmental systems.

I am thrilled to announce that Intel is joining Project Haystack as a Founder Member. My colleague Rita Wouhaybi will be the technical liaison into Project Haystack, and I will serve as the business liaison and board member.


What Is Project Haystack?

Project Haystack is a community-driven standards body for defining semantic data models that ultimately bring meaning to smart device data. These efforts are also known as semantic tagging, metadata, or data modeling. The initiative is developing the following capabilities:

  • Metadata: A simple, extensible, and flexible tagging system to support a wide range of devices and setups.
  • Taxonomy: A library of tagging models to represent the data from a wide variety of equipment based on members’ proposals.
  • Communication protocol: A highly efficient REST API to simplify the exchange of Haystack tagged data among devices and across different applications.
  • Reference software implementations: Code implementations to ease integration into applications and products using various programming languages and platforms such as Java, C++, node.js, Dart, Niagara and Python.


Intel joins Project Haystack

Intel is participating in Project Haystack to help improve the data interoperability of building systems and accelerate end-user adoption of IoT-enabled smart building solutions. “As a developer and implementer of smart building technology, Intel’s involvement will raise the awareness of Project Haystack among a broader set of end users and solution providers, so they too can benefit from Project Haystack’s standardized data models,” said John Petze, executive director of Project Haystack.

“Project Haystack is the only standards body focused on defining standardized data models for building systems and objects; however, its data model framework is also applicable to industrial, manufacturing, retail, energy and other market segments that Intel serves. We will actively encourage other IoT standards bodies focusing on device interoperability to explore the extensibility of Project Haystack,” said Sunita Shenoy, director of smart building solutions at Intel.


Interoperability through standard data models

In partnership with other industry-wide organizations, Intel is working to establish IoT data standards and messaging protocols that allow vendors to provide integrated solutions. Likewise, Project Haystack is helping remove data model barriers that are inhibiting interoperability, thereby enabling more innovative, scalable and cost-effective solutions for smart buildings.

I believe that Intel’s membership in Project Haystack has the potential to accelerate end user adoption of IoT-enabled smart building solutions.

For more information about Intel’s solutions for smart buildings, visit To learn about the latest in Intel IoT developments, subscribe to our RSS feed for email notifications of blog updates, or visit and.


Source: Network News

Anomali Weekly Threat Intelligence Briefing – March 7, 2017

Figure 1: IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

RATANKBA: Delving into Large-scale Watering Holes against Enterprises (February 27, 2017)
Back in early February, Polish banks, as well as financial institutions in Mexico and the U.K., were being targeted with a new strain of malware named “Ratankba.” Now Trend Micro researchers have identified that this campaign is not limited to financial entities: the malware has also been seen targeting organizations involved in aviation, education, information technology, insurance, management consulting, and telecommunications in Asia-Pacific countries (China, Hong Kong, and Taiwan). The attacks are conducted as watering hole attacks that attempt to compromise the websites most visited by the targets and infect visitors with malware by redirecting them to exploit kits.
Recommendation: Security and system/IT administrators must practice due diligence in protecting their websites and web-based applications from threats that can undermine their security and hijack them to do the bad guys’ bidding: delivering malware to their victims. Malicious web injections, for instance, leverage exploits that enable attackers to gain footholds into the system. An organization’s best defense is to regularly apply the latest patches, as well as routinely scan and examine traffic that goes through the enterprise’s network, which enables prompt incident response and remediation.
Tags: malware, watering hole, phishing

Google Discloses Another “High Severity” Microsoft Bug (February 27, 2017)
Researchers at Google have discovered another high-severity Microsoft Windows bug, this time in Microsoft’s flagship Edge and Internet Explorer browsers. The vulnerability was identified by Ivan Fratric of Google Project Zero, who disclosed it to Microsoft on Nov. 25. Potentially allowing remote code execution, this bug adds to the growing list of high-profile issues Microsoft has yet to deal with, notably having skipped last month’s usual patch release.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network as well as host based detection and prevention systems where possible. Be sure to apply patches in as timely a manner as possible.
Tags: zero day, microsoft, edge, internet explorer

ESET Antivirus Opens Macs to Remote Code Execution (February 27, 2017)
The Google Security Team has discovered two vulnerabilities in ESET antivirus for macOS, one of which could allow attackers to remotely execute code via malformed XML content. The first vulnerability, “CVE-2016-9892”, exists because the “esets_daemon” is statically linked with an outdated version of the POCO XML parser library. The POCO version that was being used (2.0.1) contains the publicly known XML parsing vulnerability “CVE-2016-0718”, which allows the aforementioned remote code execution via malformed XML content.
Recommendation: Always keep your software up-to-date with the latest versions because all software has the potential to be exploited by attackers and therefore must be maintained as well as possible.
Tags: antivirus, macOS

The Gamaredon Group Toolset Evolution (February 27, 2017)
A new threat group dubbed the “Gamaredon Group” is distributing new, custom malware and is also believed to be behind the campaign targeting Ukrainian military and national security called “Operation Armageddon”, according to Unit 42 researchers. The detection of new tools and malware indicates a growth in sophistication of the group, which has been active since at least 2013. This new campaign targets individuals with fake documents in phishing attacks on Ukrainian topics such as the Anti-Terrorist Zone, national security and defense, patriotism, and the presidential administration.
Recommendation: Organizations should ensure all employees are trained to identify phishing attacks and should consistently monitor for malicious activity on their networks. Keeping antivirus software up-to-date and utilizing the latest threat intelligence will assist in making threats easier to remediate, and therefore less likely to cause harm, by being able to identify new Tactics, Techniques, and Procedures (TTPs) used by threat actors.
Tags: threat group, malware, exploit kit

Severe SQL Injection Flaw Discovered in WordPress Plugin with Over 1 Million Installs (February 28, 2017)
There is a vulnerability in the popular WordPress plugin “NextGEN Gallery” that could allow an attacker to steal data from a website, according to researchers. A SQL injection vulnerability is present in two different configuration settings. The first is if NextGen Basic TagCloud Gallery is activated, and the second is if the website is open for blog post submissions. WordPress does offer a patch to fix these issues, but the patch was not described as being important and was labeled simply as “Changed: Tag display adjustment” in V2 – 02.20.2017
Recommendation: Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: WordPress, SQL injection, defacement

Dridex’s Cold War: Enter AtomBombing (February 28, 2017)
The notorious Dridex banking trojan has undergone a significant upgrade and is currently targeting banks in Europe, according to IBM researchers. This new version is dubbed Dridex V4, and it is mostly targeting banks in the U.K. Dridex now has the capability to conduct AtomBombing attacks, which use the Windows atom table and the native API NtQueueApcThread to copy a payload into a read-write memory region in the target process. After a return-oriented programming chain allocates memory, the payload is copied there and then executed.
Recommendation: The best defense against malware like Dridex starts with an educated organization that empowers users to use the web safely. Policies should be in place to prevent malicious code from reaching devices, both at the network level as well as on the devices themselves. Multiple overlapping layers of security (defense in depth) should be practiced in order to prevent attacks at all levels. In the case of Dridex infection, the affected system must be wiped and restored, and all information contained on that device should be considered publicly disclosed. Passwords should be reset, and all accounts should be monitored for fraud.
Tags: malware, dridex, atombombing

Google Play Apps Infected with Malicious Iframes (March 1, 2017)
According to researchers, approximately 132 applications in the Google Play store have been discovered to be malicious. The applications, which Google has since removed, contained hidden iframes that linked to malicious domains in their HTML pages. One of the most popular applications was observed to have been downloaded more than 10,000 times. Researchers contend that it may not have been the application developers who created the malicious components, but rather that the development platforms used by the developers were infected.
Recommendation: Sometimes organizations overlook mobile devices as a potential attack vector that can be exploited by cybercriminals. With mobile malware continually evolving, it is important that your employees are educated on the risks associated with mobile devices on corporate networks. Education and up-to-date anti-virus software are necessary steps in securing the internet of things.
Tags: Mobile, malware, Android

CryptoLocker Ransomware is Back with Campaigns Targeting Europe (March 1, 2017)
The CryptoLocker malware has made a resurgence after having been relatively quiet since the middle of 2015. The ransomware is now largely targeting European countries, with a specific focus on Italy. CryptoLocker is distributed via spam/phishing emails that use Italy’s Posta Elettronica Certificata, which has the same legal value as a registered letter, and masquerades as an invoice with a .js file attachment.
Recommendation: The impersonation of legitimate services continues to be an effective phishing tactic to deliver malware. All employees should be informed of the threat phishing poses, and how to identify such attempts and inform the appropriate personnel when they are identified. In the case of CryptoLocker infection, the affected system should be wiped and reformatted; avoiding paying the cyber criminals is paramount. Implement a backup solution for your users to ease the pain of losing sensitive and important data.
Tags: CryptoLocker, ransomware, malware

Online Shops Plundered by Bank Card-Stealing Malware After Backend Aptos Hacked (March 1, 2017)
Customers of the commerce cloud platform provided by Aptos, a company based in Atlanta, GA, began reaching out to researchers after they identified that their websites were infected with malware. This incident began when Aptos’ retail services servers were infected with malware from February to December of 2016. The malware was capable of stealing credit card data such as card numbers and card expiration dates, along with home addresses, email addresses, full names, and phone numbers. Aptos claims that the delay in informing its customers of the breach was at the request of federal law enforcement.
Recommendation: eCommerce site owners must take every step necessary to secure their data and safeguard their payment card information. A bad experience at a retailer site may mean the loss of revenue as impacted users take their money elsewhere.
Tags: ecommerce, card fraud

Dot Ransomware: Yet Another Commission-Based Ransomware-as-a-Service (March 2, 2017)
A new ransomware service called “Dot” is being advertised on underground markets, according to Fortinet researchers. The Ransomware-as-a-Service (RaaS) can be downloaded for free, with the caveat that all ransoms are split 50/50 with the developers. The actors even provide instructions on how to set up and build the ransomware, as well as how to create a Bitcoin wallet for the illicitly gained funds.
Recommendation: Ransomware is an evolving threat, and the most fundamental defense is having proper backup processes in place. Follow the 1-2-3 rule: 3 copies, 2 devices, and 1 stored in a secure location. Data loss is manageable as long as regular backups are maintained.
Tags: Ransomware, malware

DDoS Attack Pummels Luxembourg State Servers (March 2, 2017)
The government of Luxembourg has been targeted with a significant distributed denial-of-service (DDoS) attack beginning on February 27, 2017. Over 100 government servers were affected by the attack that lasted over 24 hours. At the time of this writing, it is unknown who is behind the attack, or what the attackers’ possible motivations could be.
Recommendation: Denial of service attacks can cost your company lost revenue because severe attacks can shut down online services for extended periods of time. Since the leak of the Mirai botnet source code in October, the ease with which threat actors can compromise vulnerable devices or purchase DDoS-for-hire capacity makes this a continually evolving threat. Mitigation techniques vary depending on the specifics of the attack. For example, in the case of BlackNurse, which can disrupt enterprise firewalls, ICMP type 3 traffic should be blocked, or at least rate limited.
Tags: DDoS, government

Bye Empire, Hello Nebula Exploit Kit (March 2, 2017)
Researchers have discovered cyber criminals advertising a new exploit kit called “Nebula” on underground marketplaces. The exploit kit is advertised as having multiple features such as automatic domain scanning and generation, multiple payload file types, and remote file support, among others. The exploit kit is subscription based, with three tiers available: 24 hours for $100, seven days for $600, and 31 days for $2,000.
Recommendation: Always keep your browser and operating system up to date, including any browser add-ons you may need (Flash, Java). Employ network as well as host based detection and prevention systems where possible. In the case of Nebula infection, the affected system must be wiped and reformatted, and other devices on the network should be checked for similar infections.
Tags: Nebula, exploit kit, malware

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section. Click here to request a trial.

Locky Tool Tip
Locky is ransomware that is widely spread via phishing messages. Locky first appeared in early 2016. Locky is strongly correlated with the cyber criminal groups related to the Dridex and Necurs botnets. Multiple waves of Locky samples are distributed daily. The delivery mechanism has evolved over time: spam messages with executable attachments, MS Word document attachments using macros to retrieve and then execute Locky, and Zip files that extract JavaScript loaders that retrieve and then execute Locky. Hosts compromised by Locky display a ransom note with instructions on how to decrypt the encrypted files. Encrypted files are renamed .locky or .zepto.
Tags: Locky, Ransomware

Source: Honeypot Tech

Why A Computer Beating Poker Pros Is Great News for Cybersecurity

Use of Machine Learning (ML) is a hot topic in cybersecurity, one which will undoubtedly shape the industry for years to come. To see evidence of this we’d have to look no further than the booths at this most recent RSA Security Conference, where ML was promised as a solution for corporate cybersecurity problems. But why exactly will ML play such a prominent role, and how could it prove useful? Oddly enough the answer comes from the recent victory of ML in a game of poker.

A competition took place in Pittsburgh last month that matched top poker players against a Machine Learning system called Libratus. This tournament shared some similarities with previous victories in checkers, chess, Go and Jeopardy!, all of which hinted at the promise of ML. In this particular competition, four players each individually faced the computer in a 1-1 match. Rather than the traditional setup (in which a poker face can be as important as the cards you have), this competition was more analogous to playing online: no player had access to facial expressions or visual/audio cues, and computers served as the medium.

For much of the match it was unclear who would win: at the halfway mark contestant Dong Kim was slightly beating Libratus, with other players not far behind. An arduous 120,000 hands were played to provide statistical confidence in the outcome. While it is generally assumed by poker pros that both skill and luck are required to win, in the latter half of the match it became clear that other factors prove critical as well. While Libratus never tired, human participants undoubtedly felt the effects of eleven hours of consecutive play. Even more significant than this was Libratus’ ability to pick up on each player’s strategy and subsequently use it against them, leading to its eventual victory. No matter how many times a player may alter their technique, a computer will still be able to compile enough information to produce useful “tells”. Furthermore, unlike humans, these algorithms are unaffected by regret for past hands and remember each preceding scenario perfectly.

This sounds pretty hopeless for humans, but ML’s advanced use of data actually proves to be its downfall. It needs all that data to prove effective. In the poker competition Libratus was able to leverage a large amount of data and win largely because it had unlimited access to data and the rules of the game remained consistent. But what about for cybersecurity? In threat intelligence it is nearly impossible to come across mass quantities of labeled data corpora, which makes data scoring, automation and collaboration so critical. I myself am part of a team at Anomali where we use ML to contextualize and make sense of threat data provided by our Anomali partners. The ultimate application of this technology is to enable users of our ThreatStream platform to automate the process of filtering through millions of indicators for relevant threat information.

The role of ML in cybersecurity is more nuanced though, providing some advantages over humans but ultimately not able to replace them. Touching back to our poker example, humans are limited in that they can only play or remember so many hands in a lifetime. In the near future computers will easily incorporate more data from poker hands or cybersecurity incidents than a human could ever see across generations. Machine Learning algorithms are also more effective at pattern recognition, and never tire. From this evidence it’s fairly safe to conclude that computers have the greater experience. Humans, however, prove far better in unexpected situations where there is no previous information to draw from. Therefore cybersecurity and poker have been dealt the same hand: computers will be used for general situations, and human intuition will be needed for unexpected situations and common sense. This human-ML hybrid is the future of game-playing and medical diagnosis, and already the present in cybersecurity.

ML’s unprecedented victory might help to take cybersecurity one step ahead of adversaries. In previous iterations of man vs. machine challenges, such as with Chess and Go, both computer and player had access to the same information. Cybersecurity is more analogous to poker, though: the cards are hidden, and threat actors will rarely play their full hand. Therefore it’s left to the other players to guess at breaches or malicious intent. In these situations victory depends less on individual intelligence and more on strategic maneuvering. Typical questions threat analysts need to answer are:

  • What new actors may emerge to target organizations?
  • Might multiple threat actor groups really be the same one?
  • What intentions might an actor group have?
  • Are nation-state cyberattacks just one part of a larger political strategy?

Unfortunately for us, threat actors will fold before they show their cards. Attribution in cybersecurity proves very challenging. Within the poker competition the computer had access to data from 120,000 different hands, which means a lot of contextual data. Conversely, with cyber-attacks, one confident connection between a threat actor and a campaign won’t provide in-depth information on that attacker’s patterns. Maybe you’ll identify a few pieces of malware or a handful of targets.

However, we’ve now seen an algorithm do what was thought impossible: win without all the data. This is encouraging in a field where so many of the good guys believe a fully secure future is impossible. As actors and malicious tooling increase in sophistication, the security industry should look to Machine Learning not as robots taking away human jobs, but rather as a means to empower cybersecurity professionals in the next generation of cyber intelligence defense.

Source: Honeypot Tech

Anomali Weekly Threat Intelligence Briefing – February 28, 2017

Trending Threats

This section provides summaries and links to the top threat intelligence stories from this past week. All IOCs from these stories are attached to this threat briefing and can be used for indicator matching against your logs.

Malware Hijacks Microphones to Spy On Ukrainian Businesses, Scientists and Media (February 20, 2017)
Researchers have discovered that Ukraine has once again been targeted by a highly sophisticated malware campaign called “Operation BugDrop.” Threat actors have targeted approximately 70 Ukrainian entities and, as of this writing, have stolen over 600 gigabytes of data. The malware is distributed via spear phishing emails and is capable of turning on the microphone to capture audio as well as capturing screen shots, documents, and passwords. The stolen information and audio is then exfiltrated using Dropbox folders controlled by the attackers.
Recommendation: Spear phishing emails represent a significant security risk because the sending email will often appear legitimate to the target; sometimes a target company email is compromised and used for such emails. Education is the best defense, inform your employees on what to expect for information requests from their managers and colleagues. Employees should also be aware of whom to contact when they suspect they are the target of a possible spear phishing attack.
Tags: Spear Phishing, BugDrop

MalSpam – Subject: Radar Photo Proof 57628324 (February 20, 2017)
A new malicious spam operation is attempting to trick victims into following a link that is claiming to be a “negligent driving” violation. If the link is followed a malware dropper is downloaded that then downloads and installs a trojan into the system. Researchers contend that this strain may be the Zeus trojan variant, Zeus Panda Banker.
Recommendation: This email spam tactic has been used by malicious actors in the past, and police departments in the U.S. have had to inform the public that they will never email them concerning a traffic violation. It could also be useful for employees to get out of the habit of using email attachments in favor of a cloud file hosting service, as well as never following links from vendors attempting to use scare tactics.
Tags: Malspam, Zeus trojan

TeamSpy Malware Spammers Turn TeamViewer into Spying Tool in Targeted Attacks (February 21, 2017)
The threat actor group called “TeamSpy” has been identified to be behind a new spam campaign, according to Heimdal Security researchers. TeamSpy was last reported to be active after it was discovered they were engaged in a 10-year-long cyber espionage campaign from 2003 to 2013. TeamSpy is using social engineering to trick their targets into installing malware via malicious email attachments. Using DLL hijacking, the attacker adds a VPN and keylogger to the TeamViewer application; the malware then sends stolen data back to a C2.
Recommendation: Always be on high alert while reading email, in particular when it has attachments or comes with an urgent label or poor grammar. Use anti-spam and anti-virus protection, and avoid opening email from untrusted or unverified senders.
Tags: TeamSpy, Phishing

How to Bury a Major Breach Notification (February 21, 2017)
An unnamed software company that provides a popular, and also unnamed, piece of software to major U.S. companies had its website and update server breached for two weeks in April 2015, according to RSA researchers. Researcher Brian Krebs believes that the compromised software package was “EVlog,” provided by Altair Technologies Ltd. The company provides software designed to help Windows system administrators better comprehend and parse Windows event logs. Companies that use the service may have automatically downloaded compromised update versions. Entities that downloaded compromised versions include: 24 banks and financial institutions, five defense contractors, approximately 24 Fortune 500 companies, approximately 45 higher educational institutions, over 36 IT product manufacturers or solutions providers, and over 10 western military organizations.
Recommendation: Always practice defense in depth – deploy redundant, layered, and failsafe security controls at every level of your network in order to detect early, and prevent attackers before they get deep into your network.
Tags: Vulnerability, EVlog

Rogue Chrome Extension Pushes Tech Support Scam (February 21, 2017)
A new malicious advertising (malvertising) campaign has been identified targeting Chrome web browser users. If a user is targeted by malvertising, follows a link provided by the attacker and is directed to a malicious website, the website detects whether or not the visitor is using Chrome. If Chrome is detected as the web browser via the user agent, a pop-up appears that requests an extension be installed in order to leave the webpage; during this time the browser is stuck in a perpetual loop of full-screen modes. Once the extension is added, malicious JavaScript reaches out to a C2 and presents the infected computer with technical support scams.
Recommendation: While web browser extensions can be useful in day-to-day business activities, it is possible, as this story describes, for malicious extensions to make their way into legitimate services (Google has since removed the malicious extension). Your company should only use browser extensions and add-ons provided by trusted sources.
Tags: Malvertising

Keep Your Account Safe by Avoiding Dyzap Malware (February 22, 2017)
A new version of the Dyzap trojan has been identified in the wild with new features, according to Fortinet researchers. Dyzap targets over 100 applications and is capable of stealing information stored in multiple web browsers, databases, and registries, as well as using keylogger functions. The malware packages the stolen information in binary format before sending it to a C2.
Recommendation: Malware authors are always innovating new methods of communicating back to the control servers. Always practice Defense in Depth (don’t rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Dyzap trojan

Malware Uses Blinking Hard Drive LEDs to Transmit Data to Nearby Cameras (February 23, 2017)
Researchers from Ben-Gurion University of the Negev in Israel have created custom malware that can exfiltrate data from a compromised machine as binary code represented by blinking LED lights. The researchers successfully tested their malware and were able to recover information from a machine by video recording the rapidly blinking LED (where the light turned on represents a one, and off represents a zero). The malware does not need administrator rights to execute, and was designed to steal data from air-gapped systems, albeit at a slow speed of 0.5 KB/s.
Recommendation: While it has not been reported how this malware could be used to infect a computer or system, simple mitigations do exist. Concealing an LED that is in range of a camera, and covering windows so outsiders cannot peer inside, can prevent this style of attack because a special camera is needed to capture the displayed binary code.
Tags: Malware

Linux Project Patches 11-Year-Old Security Flaw That Gives Attackers Root Access (February 23, 2017)
An intern at Google named Andrew Konovalov discovered a vulnerability in the Linux kernel, assigned CVE-2017-6074. The vulnerability can be exploited from a low-privilege account to gain code execution as root. The double-free vulnerability (a bug in which an application frees the same memory address twice) affects all Linux versions beginning with version 2.6.14.
Recommendation: Your company should ensure that software and operating systems are always kept up-to-date with the newest version. New vulnerabilities that could potentially cause harm to your company are reported by security researchers quite frequently, even in software and applications previously thought to be secure as this story shows.
Tags: Vulnerability, Linux

Serious Bug Exposes Sensitive Data From Millions of Sites Sitting Behind CloudFlare (February 23, 2017)
Security researcher Tavis Ormandy found a buffer overflow issue in edge servers belonging to CloudFlare, a content delivery network and web security provider. The vulnerability, dubbed “Cloudbleed,” occurred when edge servers ran past the end of a buffer and returned the memory beyond it. The returned memory contained sensitive data such as authentication tokens, encryption keys, HTTP cookies, HTTP POST bodies, and passwords; some of the leaked data had already been cached by search engines.
Recommendation: Even though CloudFlare mitigated the issue less than an hour after discovery, your company should consider any data that passed through CloudFlare services to be at risk of having been viewed. Your company and employees should have proper policies in place regarding changing passwords on a frequent basis.
Tags: Cloudbleed, CloudFlare

New Crypto-ransomware Hits macOS (February 24, 2017)
A new ransomware campaign is targeting MacOS users by masquerading on BitTorrent distribution websites as an application called “Patcher.” The malware is written entirely in the Swift programming language. The malicious torrent contains one zip file holding two fake applications, Adobe Premiere Pro and Office 2016 Patcher. If these applications are executed, the ransomware generates a random 25-character string to use as the key for encrypting files. A ransom note is then displayed that requests 0.25 bitcoins ($300). This poorly written ransomware is not capable of decrypting any files even if the ransom is paid.
Recommendation: The best approach to the threat of ransomware is for all users to maintain secured backups of their data, keep their systems fully patched, and practice good security hygiene when browsing the internet. In the case of ransomware infection, the affected system must be wiped and reformatted, other systems on the network should be assessed for similar infection, and the original attack vector must be identified in order to educate the victim and other employees.
Tags: Ransomware, MacOS

Results of the Rogue Access Point Experiment at RSA Conference 2017 (February 24, 2017)
Help Net Security researchers once again conducted their rogue Access Point (AP) experiment at this year’s RSA conference, with rather surprising results. By using a Pineapple Tetra and listening for Service Set Identifiers (SSIDs) probed for by mobile devices, the researchers were able to capture 8,653 SSIDs and tricked 4,499 Wi-Fi clients into connecting to their rogue AP.
Recommendation: While this incident was just an experiment, it shows the genuine threat of devices connecting to potentially malicious Wi-Fi networks. Mobile devices should always be kept up-to-date with the latest patches, and Wi-Fi should always be turned off when in public locations.
Tags: Rogue Access Point, Experiment

Hacker Group Defaces Hundreds of Websites After Hacking UK Hosting Firm (February 25, 2017)
A threat actor group calling themselves the “National Hacking Society” (NHA) has defaced approximately 605 websites after compromising the hosting company Mesh Digital (DomainMonster[.]com). NHA has three members known as Benajmin, GeneralEG and R3d HaXoR, according to researchers. The group has compromised over 1.5 million webpages and, in some instances, was able to install backdoors and compromise servers.
Recommendation: Sometimes webmasters discover that one of their sites has been compromised months after the initial infection. Websites, much like personal workstations, require constant maintenance and upkeep in order to adapt to the latest threats. In addition to keeping server software up to date, it is critical that all external facing assets are monitored and scanned for vulnerabilities. The ability to easily restore from backup, incident response planning, and customer communication channels should all be established before a breach occurs.
Tags: National Hacking Society, Defacements

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs.

EITest Tool Tip
The EITest gate or Traffic Direction System (TDS) is a service used by criminals to direct web traffic to Exploit Kits (EKs) in order to install malware on victims’ computers. In the past EITest has been observed directing traffic to Angler, Neutrino, and the RIG EK.
Tags: EITest-gate, EITest

Source: Honeypot Tech

Splunking The Modern Honey Network: Community Data (Part 4)

Over the last 3 weeks, I’ve looked at: ingesting Modern Honey Network data into Splunk, adding context to MHN data using threat feeds, and creating alerts using MHN data.

In this post I am going to give you a brief insight into the data that was reported back from the MHN honeypots in January 2017.

About MHN Community Data

The MHN Server reports anonymised attack data back to a central Anomali datastore. You can control what data from your honeypots is shared. After some analysis we also incorporate some MHN Community data into a threat feed in our Anomali Threatstream platform. Hint: you can find it in the App Store.

We provide access to the MHN Community data for those who are sharing honeypot data with us. You can read more about gaining access to the data here.

MHN Community Data Stats


There were almost 85 million distinct honeypot events. We saw peak attack volume on January 1st, when 4.32 million events were reported. This fell to 1.8 million on January 6th, the third lowest volume by day (only January 30th and 31st saw fewer events).

Honeypot Types

Digging slightly deeper, the p0f honeypots produce the most events.

The table above shows events received by each distinct p0f honeypot. You’ll notice one p0f honeypot accounts for almost 11 million events alone — over 30% of all p0f events (there were 35.2 million p0f events in total).

Honeypot Source IPs

The source IP seen most across our honeypot network in January 2017 was (almost 322,000 distinct events across 50+ honeypots). However, looking at individual attack data, 309,000 of these were against a single honeypot.

There are a number of internal IPs (10.x) in the top 20 shown below which are probably the result of local honeypot testing (note: a single internal IP is likely reporting data from a high number of distinct sources).

Digging deeper on the top IP, in the Threatstream platform it is listed as an IOC by 4 threat feeds, reported as a phishing IP, a brute-force IP, and a scanning IP (unsurprisingly reported as a scanning IP given the number of events).
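As an added example (not part of the original post and not MHN's or Anomali's code), the following Python reproduces the three analyses above, events per honeypot type, the busiest sensor's share of one type, and the top-talker breakdown with its internal-address flag, over a handful of constructed MHN-style session records. The field names source_ip, honeypot and identifier are assumed to match MHN's session documents; the records and sensor labels are made up.

```python
import ipaddress
from collections import Counter

# Constructed MHN-style session records (illustrative, not real MHN Community data).
# Field names are assumed to follow MHN session documents: source_ip, honeypot (type)
# and identifier (the sensor's UUID; short labels are used here for readability).
def _ev(src, honeypot, sensor):
    return {"source_ip": src, "honeypot": honeypot, "identifier": sensor}

EVENTS = (
    [_ev("203.0.113.9", "p0f", "sensor-a")] * 30      # one scanner hammering one sensor
    + [_ev("203.0.113.9", "p0f", "sensor-b")] * 2
    + [_ev("203.0.113.9", "dionaea", "sensor-c")] * 1
    + [_ev("198.51.100.7", "p0f", "sensor-b")] * 5
    + [_ev("10.0.0.5", "cowrie", "sensor-d")] * 20    # internal address: local testing noise
    + [_ev("192.0.2.44", "cowrie", "sensor-d")] * 3
)

# Only RFC 1918 ranges count as "internal" here (the 10.x sources mentioned in the post).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for sources that are almost certainly local honeypot testing."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def events_by_honeypot(events):
    """Event volume per honeypot type (p0f, dionaea, cowrie, ...)."""
    return Counter(e["honeypot"] for e in events)

def sensor_concentration(events, honeypot):
    """Busiest sensor of one honeypot type and its share of that type's events."""
    per_sensor = Counter(e["identifier"] for e in events if e["honeypot"] == honeypot)
    if not per_sensor:
        return None
    sensor, count = per_sensor.most_common(1)[0]
    return sensor, count, count / sum(per_sensor.values())

def top_source_ips(events, n=20):
    """Top-N sources as (ip, events, sensors hit, peak against one sensor, internal?)."""
    per_ip = Counter(e["source_ip"] for e in events)
    per_ip_sensor = Counter((e["source_ip"], e["identifier"]) for e in events)
    rows = []
    for ip, total in per_ip.most_common(n):
        hits = {s: c for (i, s), c in per_ip_sensor.items() if i == ip}
        rows.append((ip, total, len(hits), max(hits.values()), is_internal(ip)))
    return rows
```

A large gap between a source's total and its peak against one sensor (as with the top IP in the post) usually means a sustained attack on one sensor rather than a broad scan, which is worth checking before treating the count as a network-wide signal.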

Further reading

The MHN documentation is the perfect starting point if you’re interested in gaining access to the MHN Community data or want to learn more about how data sharing works.

Exploring The Modern Honey Network

This is the last in the series of Splunking the Modern Honey Network posts. You can find them all, and all our previous MHN posts on the Anomali Blog.
