Fidelis Threat Advisory #1014
"Bots, Machines, and the Matrix"
In the recent past, a Fidelis XPS user reported seeing detections of what appeared to be botnet-related malware. While that customer was protected, we at General Dynamics Fidelis Cybersecurity Solutions decided to take a closer look. Analysis of the malicious code revealed that it appeared to be Andromeda, but the delivery infrastructure looked interesting. Further telemetry from our sensors showed that the server in China delivering it was also hosting and distributing many other malicious specimens. Analysis of the data revealed a pattern in the filenames. Our analysts used this pattern to discover other systems distributed across the globe serving up various botnet malware, so far assumed to be used in distinct campaigns but clearly related in this case:
Analysis also showed how attackers continue to benefit from the use of globally-distributed hosting providers to perform their malicious activities. Further, the analysis revealed how attackers are hosting and distributing identical copies of the malware from servers in different countries including China, Poland, Russia, and the United States.
For the period of time researched in this activity, we observed the following targeted sectors in the US:
Note that our footprint is largely in the Enterprise space and it is possible that we’re seeing spillover from wider campaigns.
The following diagram illustrates the relationship between some of the malicious servers, malware hosted/distributed, and vertical markets:
The following diagram illustrates the relationship between some of the malicious servers, their locations, the malware hosted/distributed, and the servers to which the malware beacons with POST requests and from which it downloads additional malware:
This document uncovers various servers hosting Bots and other related malware, provides a triage analysis of various pieces of malware hosted by these malicious servers, and provides indicators that network defenders can use to protect their networks.
To see the full report and findings, visit the Fidelis Threat Advisory #1014 here.
Fighting through the noise of breaking breaches and new vulnerabilities, something else in the security industry has been making headlines lately: security research collaboration, often involving vendors that might compete in the marketplace.
The reason for this is fairly obvious - we all face the same common enemy (malicious threat actors targeting organizations’ networks) and it’s important to form a united front. In the battle against cyber threats, this can take shape in different ways:
Posted by ThreatGeek at 10:00 AM
It has simply been one hell of a year. We've seen shocking vulnerabilities in technologies that are supposed to be the bedrock of our digital lives: the "Heartbleed" SSL vulnerability and the "Shellshock" bash bugs shook our confidence in any software's ability to keep its promises about security. We've seen a continuing and unabated string of high-profile credit card breaches. There's a long list of companies falling like dominoes to online bad guys, and yet this list includes companies you'd rightly expect to have the right combination of security people, process and technology to keep their names out of the papers. What the hell is going on?
"Our adversaries are out for the whole ball of wax: stealing the ball, setting fire to the wax factory and giving away forty billion free candles."
I've been in this business long enough to approach headline after headline with a degree of cynicism. There's more than enough hysteria to go around about the shifting threat landscape, and with each ever-more-breathless headline I've been shrugging it off with a few tried-and-true themes: "if they want you bad enough they are going to get you." "Retailers haven't been substantially harmed by decades of credit card breaches; they buy identity protection for those affected and they move on." "This is a very hard problem and there's no solving it with technology alone." "You don't have to run faster than the bear, just faster than your buddy." And so on.
Posted by ThreatGeek at 10:00 AM