With almost a million new potential malware samples being seen a day, it is becoming increasingly critical to increase the speed at which malware can be processed, so that we can filter out what needs manual analysis, what needs to be sandboxed, and what can be handled by static processing alone.
Recently, I spoke at Analyze 2015 about extracting malware configurations at scale and some of our early experiences in building a system to do exactly that. So far, we’ve been able to process almost 6,000 configurations successfully for the month of May using that system. This can be analyzed further for actionable intelligence but it has also led to some interesting findings.
By running the IP addresses of the command and control servers (C2s) we retrieved for the various RAT families through the MaxMind GeoIP database (90% confidence level), we were able to determine the top ten global cities with the highest number of RAT controllers. Please note that this should not be interpreted to mean anything other than that the RAT controller resides in a given city; it does not indicate specific nation-state involvement.
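As an added example (not code from the original post or its system), the C2-to-city aggregation described above, done offline: the MaxMind lookup is replaced by a constructed table keyed by documentation-range IPs, which is why routability is checked against an explicit list rather than Python's `is_global` (that property rejects the documentation ranges used as sample data). Duplicate C2s are collapsed so that two configs pointing at one controller count once, and lookups below the 90% confidence level are discarded.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for the MaxMind city lookup: ip -> (city, confidence %).
# A real pipeline would query the GeoIP2 City database here instead.
SAMPLE_GEOIP = {
    "198.51.100.7": ("Ashburn", 95),
    "198.51.100.9": ("Ashburn", 92),
    "203.0.113.4": ("Frankfurt", 88),   # below the 90% threshold, dropped
    "203.0.113.5": ("Frankfurt", 93),
    "192.0.2.10": ("Sao Paulo", 91),
}

# Constructed C2 values as they come out of extracted RAT configs: duplicates,
# loopback/LAN test addresses and non-IP hostnames are all typical.
SAMPLE_C2S = [
    "198.51.100.7", "198.51.100.7", "198.51.100.9",
    "203.0.113.4", "203.0.113.5", "192.0.2.10",
    "127.0.0.1", "192.168.1.20", "c2.example.invalid",
]

# Explicit non-routable ranges; ipaddress.is_global would also reject the
# documentation ranges used as sample data above, so it is not used here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

def usable_c2s(c2s):
    """Deduplicate C2 addresses and drop anything that is not a routable IPv4 address."""
    seen = set()
    for raw in c2s:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # hostname or garbage in the config field
        if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
            continue  # says nothing about where the controller actually sits
        seen.add(str(ip))
    return sorted(seen)

def top_cities(c2s, geoip, min_confidence=90, n=10):
    """Count distinct C2 IPs per city, keeping only lookups at or above min_confidence."""
    counts = Counter()
    for ip in usable_c2s(c2s):
        hit = geoip.get(ip)
        if hit is None:
            continue  # not in the database
        city, confidence = hit
        if confidence >= min_confidence:
            counts[city] += 1
    return counts.most_common(n)
```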
Posted by ThreatGeek at 10:00 AM in advanced malware, advanced threats, cyber threat intelligence, cyber threat security, John Bambenek, malware, malware detection, threat geek, threat intelligence
In June 2015, we published Fidelis Threat Advisory #1017 and a blog post on unrelated hostile cyber criminal activity based on the exploitation of CVE-2014-4114, using a novel technique leading to zero antivirus detections for this well-known vulnerability. What originally drew our attention was the fact that cyber criminals were now leveraging the vulnerability that was initially exploited by advanced persistent threat (APT) actors in October 2014.
Yesterday (June 15, 2015), CitizenLab published a report revealing that hostile actors were using precisely the same technique involving CVE-2014-4114 against Tibetan and pro-democracy Hong Kong groups. While no explicit attribution was made in the report, preliminary analysis suggests that actors working in the interest of a government may be behind this activity. Suspected Chinese government-affiliated cyber espionage actors have historically conducted cyber operations against these groups to monitor their developments.
During our research, we noticed that several files had the same original creation date (2011) and author (“aaa”) in the PowerPoint metadata. We traced this file to the original document: a PowerPoint document written in Chinese about China Cloud Computing Technology, entitled “Big Data as a Means of Ensuring Internet Security for the Military” (approximate translation). While the contents of that document had been removed, it is clear that someone had built and distributed phishing messages using it as the original PowerPoint document. The document is publicly available, but obscure enough for this to be a very interesting finding.
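The metadata pivot described above, as an added example that is not part of the original post: OOXML files (.pptx/.ppsx) are ZIP containers whose docProps/core.xml carries the creator and creation timestamp, so samples can be clustered on that pair to spot lures built from one reused source document. The sample files, the "2011-03-14" timestamp and the "jdoe" author are constructed fixtures; only the "aaa" author and 2011 year come from the post.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from collections import defaultdict

# OOXML core-properties namespaces (docProps/core.xml in .pptx/.ppsx/.docx/.xlsx).
NS = {
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
}

def core_properties(blob):
    """Return (creator, created) from an OOXML file's core.xml, or (None, None) if absent."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        if "docProps/core.xml" not in z.namelist():
            return None, None
        root = ET.fromstring(z.read("docProps/core.xml"))
    creator = root.findtext("dc:creator", default="", namespaces=NS)
    created = root.findtext("dcterms:created", default="", namespaces=NS)
    return creator, created

def cluster_by_origin(samples):
    """Group sample names by (creator, created) so lures built from one source document stand out."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        groups[core_properties(blob)].append(name)
    return {key: sorted(names) for key, names in groups.items()}

def make_pptx(creator, created):
    """Build a minimal constructed OOXML container holding only core.xml (test fixture)."""
    xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        '<dc:creator>%s</dc:creator>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">%s</dcterms:created>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"], NS["dcterms"], creator, created)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", xml)
    return buf.getvalue()

# Constructed samples: two lures sharing one 2011 "aaa" source document plus an unrelated file.
SAMPLES = {
    "lure1.ppsx": make_pptx("aaa", "2011-03-14T08:00:00Z"),
    "lure2.ppsx": make_pptx("aaa", "2011-03-14T08:00:00Z"),
    "other.pptx": make_pptx("jdoe", "2015-05-02T12:30:00Z"),
}
```

On real samples, pass the file bytes straight to `core_properties`; the same pair also applies to Office 97-2003 binary files only after conversion, since those store metadata in OLE SummaryInformation streams rather than core.xml.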
Posted by ThreatGeek at 10:00 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, cyber threat intelligence, cyber threat security, cybercrime, malware, malware detection, prevent cyber attacks, protect against APT, threat assessment, threat geek, threat intelligence, threat intelligence feed, threat mitigation
This Week in Cybersecurity News
Spy Virus Linked to Israel Targeted Hotels Used for Iran Nuclear Talks by Adam Entous and Danny Yadron, Wall Street Journal
Kaspersky Lab discovered a new version of Duqu, a virus commonly linked to Israel’s intelligence agency on its own network and three luxury European hotels that had hosted nuclear negotiations between Iran and other world powers. The spyware was designed with over 100 discrete modules which allowed the program to compress video feeds, target communications from phones and Wi-Fi networks and take control of elevator microphones and alarm systems.
Memory-Scraping Malware Targets Oracle Micros Point-of-Sale Customers by Lucian Constantin, IDG News Service
Businesses using Oracle Micros point-of-sale systems are being targeted by a new malware program called MalumPoS. The new malware, identified by researchers at Trend Micro, looks for payment card track data – the information that’s encoded on the magnetic strip of payment cards – in the memory of processes associated with Oracle Micros.
Adobe, Microsoft Issue Critical Security Fixes by Brian Krebs, KrebsOnSecurity
Adobe released software updates to fix at least 13 security holes in its Flash Player software on June 10. Microsoft also issued patches for at least 36 flaws in Windows and associated software. The majority of Microsoft’s patches addressed issues in Internet Explorer, along with Office, the Windows OS and Windows Media Player.
Serious iOS Bug makes it Easy to Steal Users’ iCloud Passwords by Dan Goodin, Ars Technica
A proof-of-concept attack has been published that exploits a flaw in Mail.app, the default iOS e-mail program, which allows attackers to steal iCloud passwords. Since the release of version 8.3 in April, the app has failed to properly strip out potentially dangerous HTML code from incoming e-mail messages, which allows the exploit to download a form from a remote server that looks identical to the legitimate iCloud log-in prompt.
Army Homepage Shut Down Following Hack by Stephanie Kanowitz, FierceGovernmentIT
Hackers tied to Syria have claimed responsibility for an attack on the Army’s homepage on June 8 that led military officials to take the site down. Army officials said that no classified or personally identifiable information was compromised because Army.mil does not have any classified information.
ICYMI Threat Geek Post of the Week: Fidelis Threat Advisory #1017: Phishing in Plain Sight
Posted by ThreatGeek at 10:00 AM in advanced malware, Advanced Persistent Threat, advanced threats, Cyber Scoop, cyber threat intelligence, cyber threat security, cybercrime, malware, threat assessment, threat geek, threat intelligence
Nigerian 419 scammers have long been known for their involvement in advance-fee fraud scams, where individuals were contacted via letter or e-mail with a business proposal. However, in the past year, these actors have begun to embrace the sophisticated techniques seen in recent high-profile and successful criminal and espionage campaigns. Earlier this week we published a more detailed report on recent cyber crime activity leveraging vulnerabilities first exploited by espionage actors. Nigerian groups are suspected of being behind some of this activity.
In May 2015, the computer security firm Panda released a report identifying hostile cyber activity directed against companies involved in the oil industry, which it dubbed “Operation Oil Tanker.” While the attack seemed to bear the hallmarks of an advanced persistent threat (APT) actor, based on its targeted nature and intended victims, the researchers concluded that the perpetrators were Nigerian 419 operators, according to the report.
Fidelis Threat Advisory #1017
Phishing in Plain Sight
Fidelis Cybersecurity analysis has identified unrelated cyber criminal activity leveraging the vulnerability cited in CVE-2014-4114, which was initially exploited by advanced persistent threat (APT) actors in October 2014. Notably, some of this recent activity demonstrated actors implementing a technique that bypassed antivirus detection: the malicious PowerPoint document was saved in Slide Show presentation format, so that the malware executed as soon as the document was opened. The identification of cyber crime actors, particularly Nigerian 419 scam operators, attempting to exploit CVE-2014-4114 demonstrates how quickly cyber criminals move to exploit a vulnerability previously associated with espionage actors, using similar tactics, techniques, and procedures (TTPs) to maximize their chances of success, with additional innovation as seen in these samples.
To see the full report and findings, visit Fidelis Threat Advisory #1017
For a more detailed look at the technical indicators visit Fidelis Threat Advisory #1017 Appendix
Posted by ThreatGeek at 09:00 AM in advanced malware, Advanced Persistent Threat, advanced threats, cyber threat intelligence, cyber threat security, cybercrime, data breach prevention, data leakage prevention, data loss prevention, Fidelis Threat Advisories, malware, malware detection, network defense, threat assessment, threat geek, threat intelligence, threat intelligence feed, zero day attacks
Chinese Breach Data of 4 Million Federal Workers by Ellen Nakashima, Washington Post
Hackers working for the Chinese government breached the Office of Personnel Management (OPM) in December 2014 compromising the personal information of 4 million current and former U.S. federal government employees. This was the second breach at OPM in less than a year. After the first breach, discovered in March 2014, OPM deployed new tools and capabilities to the network, one of which was used to discover the second breach. The intruders accessed the network using spear-phishing and a zero-day vulnerability. Private researchers have linked the attack to the same group responsible for the breach at Anthem in March 2015.
Computers Stolen from Heartland Believed to Contain Personal Data by Maria Armental, Wall Street Journal
Heartland Payment Systems, the victim of a January 2009 data breach, announced on June 1 that some electronics including four computers believed to contain personal information of customers were stolen from its payroll office. The computers were stolen as part of a burglary and may have compromised the personal information of 2,200 customers but there is no evidence the information has been accessed or used in a fraudulent manner as of June 1.
Ruskies Behind German Govt Cyber Attack – Report by Jennifer Baker, The Register
According to Der Spiegel, Russia is the chief suspect in the recent hack of the Bundestag. The German government is not publicly accusing Russia, but sources have claimed that indications point towards a state-sponsored attack. The sophisticated trojan used in the attack was similar to malware used in a 2014 attack on a German data network, and it compromised 20,000 accounts on the Bundestag network.
New Exploit leaves most Macs Vulnerable to Permanent Backdooring by Dan Goodin, Ars Technica
Macs shipped prior to the middle of 2014 that are allowed to go into sleep mode are vulnerable to exploits that remotely overwrite the firmware that boots up the machine. Researcher Pedro Vilaca discovered the exploit, which attacks the BIOS protections immediately after a Mac restarts from sleep mode, when the protection mechanism known as FLOCKDN is deactivated. The exploit is not expected to be used on a large scale, but only in highly targeted attacks.
Chinese ISP: China Is Victim of Foreign State-Backed APT Group by Sara Peters, Dark Reading
A state-funded advanced persistent threat group known as OceanLotus has been stealing information from Chinese government agencies and maritime institutions since 2012. This marks the first time Chinese researchers have come forth with a major technical report detailing APT attacks against China. Ninety-two percent of OceanLotus’s targets were based in China, mostly in Beijing.
ICYMI Threat Geek Post of the Week: A New Look at APT – China as Victim by Emilio Iasiello
Posted by ThreatGeek at 10:00 AM in advanced malware, Advanced Persistent Threat, advanced threats, Cyber Scoop, cyber threat intelligence, cyber threat security, cybercrime, data breaches, malware, situational awareness, threat assessment, threat geek, threat intelligence, threat intelligence feed, zero day attacks
Note: Much of this information has been taken from an English translation of Qihoo 360’s SkyEye Labs report, and has been interpreted accordingly. The original report in Chinese can be found here.
In May 2015, the Chinese Internet company Qihoo 360’s SkyEye Labs accused an advanced persistent threat (APT) hacker group named “OceanLotus” of stealing Chinese government information. Specifically, the company claimed the activity was in direct employ of a hostile foreign government.
According to the English translation of the report, the activity has been targeting China since April 2012, focusing on maritime institutions, shipping enterprises, Chinese government departments, and research institutes, and stealing sensitive information. Two primary tactics have been identified: socially engineered e-mails with attractive lures designed to entice recipients to click on attachments with embedded Trojans, and what is best described as watering hole attacks. More than 100 OceanLotus Trojan samples of four different Trojan types had been planted on computers in 29 Chinese provincial regions and 36 countries, according to SkyEye Labs.
The activity started in April 2012 employing the “watering hole” technique, but then stopped for a period of two years. It commenced again in February 2014 in the form of spearphishing. Despite the fact that this activity targeted other countries, 92% of the victims were located in China, with Beijing suffering the lion’s share of attacks.
Posted by ThreatGeek at 10:00 AM in advanced malware, Advanced Persistent Threat, advanced persistent threat protection, advanced threats, APT prevention, APT protection, cyber threat intelligence, cyber threat security, Emilio Iasiello, prevent cyber attacks, protect against APT, threat assessment, threat geek, threat intelligence
The Department of Homeland Security recently announced that over the next couple of months its U.S. Computer Emergency Readiness Team (US-CERT) would begin using two emerging technical specifications – STIX (Structured Threat Information eXpression) and TAXII (Trusted Automated eXchange of Indicator Information) – to automate how cyber threat information will be shared with the public and private sectors.
Sharing cyber threat information has been identified as a necessary contributor to help mitigate cyber threats. To continue to bolster these efforts, in February 2015, the President signed an executive order promoting the sharing of cybersecurity information between the government and the private and public sectors. Complementing the executive order, Congress is trying to pass a bill that will indemnify organizations from incurring liability for sharing potentially damaging information. This “one-two” punch may be the catalyst needed for public and private organizations to readily share information with one another because the same actor groups are generally using the same tools, tactics, techniques and procedures to target both sectors.
Cyber threat information sharing has not traditionally enjoyed a tremendous amount of success, particularly in the private sector, although there are isolated cases such as the Financial Services Information Sharing and Analysis Center (ISAC) that have yielded positive results. Two potential reasons for this are cultural and technical.
Posted by ThreatGeek at 10:00 AM in advanced threats, cyber threat intelligence, cyber threat security, cybercrime, Cybersecurity legislation, Emilio Iasiello, threat geek, threat intelligence
The Christian Science Monitor reported on this survey and observed,
“More than four in 10 of the directors in the survey felt that a company’s chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.”
To me, the entire premise of this discussion needs to shift from blame to preparedness, governance and mostly to teamwork. We live in a world of continuous compromise. Threat actors, many funded by nation states, are highly sophisticated, well-funded and patient. If they target you, they will at some point compromise your network. While prevention serves as a meaningful and necessary deterrent, no preventive solutions are 100% effective. Admitting these realities is the first step to moving on.
Posted by ThreatGeek at 10:00 AM in advanced threats, data breach prevention, data breaches, data leakage prevention, data loss prevention, data theft prevention, incident response, Ken Rutsky, network analysis and visibility, network monitoring, network visibility, prevent data breaches, threat geek