Kaspersky Lab Incident Investigations Head Arrested In Russia For 'Treason'

Security firm says the case doesn't affect its computer incidents investigation operations.

Kaspersky Lab confirmed today that one of its top cybersecurity investigators was arrested in December in Russia, reportedly amid charges of treason. News of the arrest of Ruslan Stoyanov, head of Kaspersky Lab's computer incidents investigations unit, as well as Sergei Mikhailov, deputy head of the information security department at the FSB, first came via Kommersant, a Russian economic newspaper, and word later spread to US news media outlets. Stoyanov, who had been with Kaspersky Lab since 2012, led the firm's cybercrime investigation that ultimately led to the 2016 arrests of 50 members of the so-called Lurk cybercrime gang that stole more than $45 million from Russian financial institutions.

The case was said to be Russia's largest-ever crackdown on financial cybercrime. Stoyanov's arrest sent a chill throughout the security research community, with speculation by some that his cybercrime investigative efforts may have somehow gotten a little too close to Russian nation-state hacking efforts. Russian hacking has been in the spotlight since the US intelligence community published an unclassified report that concludes Russia - under the direction of Vladimir Putin - attempted to influence the US presidential election via hacks and leaks of data from the Democratic National Committee and Clinton campaign manager John Podesta. According to Kaspersky Lab, the nature of Stoyanov's arrest predates his employment with the security firm. "The case against this employee does not involve Kaspersky Lab. The employee, who is Head of the Computer Incidents Investigation Team, is under investigation for a period predating his employment at Kaspersky Lab," the company said in a statement.

Stoyanov, a former head of network security for Russian ISP OJSC RTComm.RU, also was with the Ministry Of Interior's Moscow-based Cyber Crime Unit in the early 2000s. Security experts say his arrest underscores the sometimes-blurred lines between Russian cybercrime gangs and cyber espionage activity. "I think he flew too close to the sun as his recent investigations more than likely unearthed elements of the Pawn Storm campaign," says Tom Kellermann, CEO of Strategic Cyber Ventures. "This is a red flag to all security vendors who expose the nexus between the cybercriminal conspiracies and the Russian cyberespionage campaigns." Pawn Storm, aka Fancy Bear and APT 28, was one of the Russian state hacking groups implicated in election-related hacks against the US.

Researcher Business As Usual

While Kaspersky Lab said it had no information of the "details of the investigation" of Stoyanov and that no official information had been released by the Russian government on the case, the company also maintained that the arrest would not affect its current or future research into Russian cyber activities. The company said that "as an IT security company, Kaspersky Lab is determined to detect and neutralize all forms of malicious programs, regardless of their origin or purpose." For now, Stoyanov is officially suspended from his post at Kaspersky Lab, according to the company. "The work of Kaspersky Lab’s Computer Incidents Investigation Team is unaffected by these developments." Stoyanov in 2015 authored a detailed report for Kaspersky Lab on how Russian financial cybercrime works.

The report notes how the risk of prosecution is low for Russian-speaking cybercriminals: "The lack of established mechanisms for international cooperation also plays into the hands of criminals: for example, Kaspersky Lab experts know that the members of some criminal groups permanently reside and work in Russia’s neighbors, while the citizens of the neighboring states involved in criminal activity often live and operate in the territory of the Russian Federation," he wrote. "Kaspersky Lab is doing everything possible to terminate the activity of cybercriminal groups and encourages other companies and law enforcement agencies in all countries to cooperate," he wrote. Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, in a tweet today said that Stoyanov "never worked with any APT stuff," dismissing some online speculation that the arrest was somehow related to cyber espionage research. He tweeted that the case wouldn't stop the security firm from its work. Kaspersky Lab is "an international team of experts.
It's impossible to prevent us from releasing data."

Kelly Jackson Higgins is Executive Editor at DarkReading.com.
She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

‘Entire Hacking Capacity Of CIA’ Dumped On Wikileaks, Site Claims

Leaked data tranche of 8,700 documents purportedly includes tools that bypass encryption on Signal secure messaging app and turn smart TVs into covert surveillance devices.

Insider Threat Fear Greater Than Ever, Survey Shows

More than half of security pros say insider threat incidents have become more frequent in the past 12 months.

Hackers Spreading Chthonic Malware Via PayPal Emails

The total number of government requests for data on Amazon customers has doubled over the past year. The retail and cloud giant quietly announced the latest figures for the first six months of 2016 ending June in a report,...

Banking Trojan, Gugi, evolves to bypass Android 6 protection

Almost every Android OS update includes new security features designed to make cybercriminals’ life harder.

And, of course, the cybercriminals always try to bypass them. We have found a new modification of the mobile banking Trojan, Trojan-Banker.AndroidOS.Gugi.c that can bypass two new security features added in Android 6: permission-based app overlays and a dynamic permission requirement for dangerous in-app activities such as SMS or calls.

The modification does not use any vulnerabilities, just social engineering.

Initial infection

The Gugi Trojan is spread mainly by SMS spam that takes users to phishing webpages with the text “Dear user, you receive MMS-photo! You can look at it by clicking on the following link”. Clicking on the link initiates the download of the Gugi Trojan onto the user’s Android device.

Circumventing the security features

To help protect users from the impact of phishing and ransomware attacks, Android 6 introduced a requirement for apps to request permission to superimpose their windows/views over other apps. In earlier versions of the OS they were able to automatically overlay other apps. The Trojan’s ultimate goal is to overlay banking apps with phishing windows in order to steal user credentials for mobile banking. It also overlays the Google Play Store app to steal credit card details. The Trojan-Banker.AndroidOS.Gugi.c modification gets the overlay permission it needs by forcing users to grant this permission. It then uses that to block the screen while demanding ever more dangerous access.

The first thing an infected user is presented with is a window with the text “Additional rights needed to work with graphics and windows” and one button: “provide.” After clicking on this button, the user will see a dialog box that authorizes the app overlay (“drawing over other apps”).

[Figure: System request to permit Trojan-Banker.AndroidOS.Gugi.c to overlay other apps]

But as soon as the user gives Gugi this permission, the Trojan will block the device and show its window over any other windows/dialogs.

[Figure: Trojan-Banker.AndroidOS.Gugi.c window that blocks the infected device until it receives all the necessary rights]

It gives the user no option, presenting a window that contains only one button: “Activate”. Once the user presses this button they will receive a continuous series of requests for all the rights the Trojan is looking for. They won’t get back to the main menu until they have agreed to everything. For example, following the first click of the button, the Trojan will ask for Device Administrator rights. It needs this for self-defense because it makes it much harder for the user to uninstall the app. After successfully becoming the Device Administrator, the Trojan produces the next request.

This one asks the user for permission to send and view SMS and to make calls. It is interesting that Android 6 has introduced dynamic request capability as a new security feature. Earlier versions of the OS only show app permissions at installation; but, starting from Android 6, the system asks users for permission to execute dangerous actions like sending SMS or making calls the first time they are attempted, or allows apps to ask at any other time – so that is what the modified Gugi Trojan does.

[Figure: System request for dynamic permission]

The Trojan will continue to ask the user for each permission until they agree. Should the user deny permission, subsequent requests will offer them the option of closing the request. If the Trojan does not receive all the permissions it wants, it will completely block the infected device. In such a case the user’s only option is to reboot the device in safe mode and try to uninstall the Trojan.

[Figure: Repeating system request for dynamic permission]

A standard banking Trojan

With the exception of its ability to bypass Android 6 security features, and its use of the Websocket protocol, Gugi is a typical banking Trojan. It overlays apps with phishing windows to steal credentials for mobile banking or credit card details. It also steals SMS and contacts, makes USSD requests and can send SMS on command from the CnC. The Trojan-Banker.AndroidOS.Gugi family has been known about since December 2015, with the modification Trojan-Banker.AndroidOS.Gugi.c first discovered in June 2016.

Victim profile

The Gugi Trojan mainly attacks users in Russia: more than 93% of attacked users to date are based in that country. Right now it is a trending Trojan – in the first half of August 2016 there were ten times as many victims as in April 2016.

[Figure: Unique number of users attacked by Trojan-Banker.AndroidOS.Gugi]

We will shortly be publishing a detailed report into the Trojan-Banker.AndroidOS.Gugi malware family, its functionality and its use of the Websocket protocol. All Kaspersky Lab products detect all modifications of the Trojan-Banker.AndroidOS.Gugi malware family.
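The combination Gugi extorts from the user (overlay permission, device administrator, then SMS and call access on a sideloaded app) is unusual for a legitimate app and can be scored from an app inventory. The following defender-side triage script is an added example written for this page, not Kaspersky Lab code: it weights each of those capabilities, flags apps that cross a threshold and reports why. The inventory record layout, the package names, the weights and the threshold are assumptions; the permission strings are the real Android framework identifiers.

```python
"""Triage an Android app inventory for the permission pattern Gugi extorts.

Added example for this page (not Kaspersky Lab code). The inventory format,
package names, weights and threshold are assumptions; the permission strings
are the real Android framework identifiers.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# Real Android permission identifiers.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_AND_CALL = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE",
}


@dataclass(frozen=True)
class AppRecord:
    package: str
    granted: Set[str]    # permissions the user has actually granted
    device_admin: bool   # app holds an active device-administrator receiver
    sideloaded: bool     # installed from outside the official store (e.g. via an SMS link)


def risk_score(app: AppRecord) -> Tuple[int, List[str]]:
    """Weight each Gugi-style capability (weights are an assumed example policy)."""
    score, reasons = 0, []
    if OVERLAY in app.granted:
        score += 2
        reasons.append("can draw over other apps (phishing overlay)")
    if app.device_admin:
        score += 2
        reasons.append("device administrator (resists uninstall)")
    sms_call = sorted(app.granted & SMS_AND_CALL)
    if sms_call:
        score += len(sms_call)  # one point per SMS/call permission held
        reasons.append("SMS/call access: " + ", ".join(p.rsplit(".", 1)[1] for p in sms_call))
    if app.sideloaded:
        score += 1
        reasons.append("sideloaded")
    return score, reasons


def triage(apps: List[AppRecord], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, reasons) for apps at or above the threshold, highest first."""
    flagged = []
    for app in apps:
        score, reasons = risk_score(app)
        if score >= threshold:
            flagged.append((app.package, score, reasons))
    return sorted(flagged, key=lambda t: t[1], reverse=True)


# Constructed inventory: one record mimics a Gugi-style install, the others are benign.
SAMPLE_APPS = [
    AppRecord("com.example.mmsviewer",  # constructed: "MMS photo" app fetched from an SMS link
              {OVERLAY} | SMS_AND_CALL, device_admin=True, sideloaded=True),
    AppRecord("com.example.bank", {"android.permission.INTERNET"},
              device_admin=False, sideloaded=False),
    AppRecord("com.example.chatheads", {OVERLAY, "android.permission.INTERNET"},
              device_admin=False, sideloaded=False),  # legitimate overlay use
    AppRecord("com.example.dialer",
              {"android.permission.CALL_PHONE", "android.permission.SEND_SMS"},
              device_admin=False, sideloaded=False),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_APPS):
        print(f"{package}: score {score}")
        for reason in reasons:
            print(f"  - {reason}")
```

Only the sideloaded "MMS viewer" clears the default threshold; an app that legitimately draws over other apps, or a dialer that sends SMS, scores low on its own, which is the point of scoring the combination rather than any single permission.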

Iranian Hackers Believed Behind Massive Attacks on Israeli Targets

OilRig aka Helix Kitten nation-state group leveraged Microsoft zero-day bug in targeted attacks.

New Financial System Analysis & Resilience Center Formed

Associated with Financial Services ISAC (FS-ISAC), the new FSARC works more closely with government partners for deeper threat analysis and systemic defense of financial sector.

In tandem with its long-standing intelligence-sharing organization, the American financial services industry has formed an organization working on its strategic, systemic cyber-defense and resilience.

The formation of this new Financial Systems Analysis and Resilience Center (FSARC) was announced by the Financial Services Information Sharing and Analysis Center (FS-ISAC), today.   FSARC is the brainchild of eight large banks that are members of FS-ISAC - Bank of America, BNY Mellon, Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, State Street, and Wells Fargo.

Through FSARC, large banks will have "closer collaboration" with government partners in the FBI, Department of Homeland Security, and US Department of Treasury.  While FS-ISAC continues to be focused on distributing timely information about active threats, FSARC will take a longer view -- performing deeper analysis to create long-term strategies to address systemic risks across financial products and practices. As Andrew Hoerner, FS-ISAC vice president of communications explains, "FS-ISAC is focused on real-time threat intelligence sharing for incident response and prevention.

FSARC is focused on proactive analysis at a meta level to identify and analyze threats and risks across the sector and come up with solutions to prevent emerging threats and risks." FSARC will use the same "circle of trust" membership model used by FS-ISAC. Bank of America’s Siobhan MacDermott and JPMorgan’s Greg Rattray will serve as interim Co-Presidents "until the center reaches full operational capability."  The formation of FSARC comes on the heels of (but not in response to) US bank regulators' releasing draft rules for cybersecurity that would require financial services organizations to (among other things) recover from any cyberattack within two hours, and finance leaders at a G7 meeting pushing a global financial cybersecurity framework.   Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

How To Use Threat Intelligence Intelligently

Sometimes it's about a beer, but it's mainly about being prepared before opening the threat intel floodgates.

Sometimes the best threat intelligence strategy is to not bother adopting it at all. “You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.” Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive. Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.” That money is then better off spent on incident response, he says. It’s about smart threat intelligence strategy, security experts say.

Take It Slow, Have a Beer

Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked during virtual event session chat that “beer = first-generation cyber threat intel sharing platform.” It’s true.

The early days of intel-sharing were mainly face-to-face, phone calls, or emails.

And that’s still the mode of operation for many organizations. How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity. “It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.” Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted.

That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained. When adopting threat intel feeds and ingesting that information, take it slowly at first.

Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed.

They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”

A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.

Needs v Wants

Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect.

And sometimes, you get what you pay for. “There’s bad threat intelligence out there.
It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says. Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said. Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection. The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised. SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes.

Are you well-defined in those processes or not?” It’s not just about sharing technical indicators of a threat actor, but also the techniques they use to flip the equation and put a little economic squeeze on them, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said. He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation.

Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said.
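The shelf-life point made above (indicators go stale as attackers rotate command-and-control servers, IP addresses and malware variants, so an indicator needs a timeframe reference) is easy to operationalise at the "defense" layer Meyer describes. The script below is an added example written for this page, not code from Anomali, Soltra, SurfWatch Labs or any feed: each indicator carries a last-seen timestamp, its confidence decays linearly to zero over a per-type time-to-live, and only indicators still above a confidence floor are matched against log lines. The TTL values, the decay rule, the log layout and every indicator value are assumptions; the addresses and domains are constructed from reserved documentation ranges.

```python
"""Give indicators of compromise a shelf life before matching them against logs.

Added example for this page (not Anomali, Soltra or SurfWatch code). The
per-type TTLs, the decay rule, the log format and every indicator value are
assumptions; addresses and domains are constructed from documentation ranges.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed time-to-live per indicator type: C2 IPs rotate fastest, domains a
# little slower, and a file hash identifies one sample for much longer.
TTL_DAYS: Dict[str, int] = {"ipv4": 7, "domain": 30, "sha256": 365}


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ipv4", "domain" or "sha256"
    value: str
    last_seen: datetime  # when the feed last observed the indicator in active use


def remaining_confidence(ind: Indicator, now: datetime) -> float:
    """1.0 when freshly observed, decaying linearly to 0.0 at the type's TTL."""
    ttl = timedelta(days=TTL_DAYS[ind.kind])
    age = now - ind.last_seen
    if age <= timedelta(0):
        return 1.0  # feed timestamp in the future (clock skew): treat as brand new
    return max(0.0, 1.0 - age / ttl)


def fresh(indicators: List[Indicator], now: datetime, min_conf: float = 0.25) -> List[Indicator]:
    """Keep only indicators that still carry at least min_conf of their original confidence."""
    return [i for i in indicators if remaining_confidence(i, now) >= min_conf]


# Constructed proxy-log layout: "<timestamp> src=<ip> dst=<ip> host=<name>"
LOG_RE = re.compile(r"dst=(?P<ip>\S+)\s+host=(?P<host>\S+)")


def match_logs(lines: List[str], indicators: List[Indicator], now: datetime,
               min_conf: float = 0.25) -> List[Tuple[int, str, float]]:
    """Return (line number, indicator value, confidence) for hits on still-fresh indicators."""
    live = {(i.kind, i.value): i for i in fresh(indicators, now, min_conf)}
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = LOG_RE.search(line)
        if not m:
            continue  # malformed or unrelated line
        for kind, value in (("ipv4", m["ip"]), ("domain", m["host"])):
            ind = live.get((kind, value))
            if ind is not None:
                hits.append((lineno, ind.value, round(remaining_confidence(ind, now), 2)))
    return hits


NOW = datetime(2016, 8, 15, tzinfo=timezone.utc)

# Constructed feed: two indicators still fresh, two long past their TTL.
SAMPLE_INDICATORS = [
    Indicator("ipv4", "203.0.113.10", datetime(2016, 8, 13, tzinfo=timezone.utc)),      # 2 days old
    Indicator("ipv4", "198.51.100.7", datetime(2016, 7, 1, tzinfo=timezone.utc)),       # 45 days old
    Indicator("domain", "bad.example.net", datetime(2016, 7, 26, tzinfo=timezone.utc)),  # 20 days old
    Indicator("domain", "old.example.org", datetime(2016, 6, 1, tzinfo=timezone.utc)),   # 75 days old
]

# Constructed log lines.
SAMPLE_LOGS = [
    "2016-08-15T09:00:00Z src=10.0.0.5 dst=203.0.113.10 host=cdn.example.com",
    "2016-08-15T09:01:00Z src=10.0.0.6 dst=198.51.100.7 host=old.example.org",
    "2016-08-15T09:02:00Z src=10.0.0.7 dst=192.0.2.44 host=bad.example.net",
    "2016-08-15T09:03:00Z heartbeat",
]

if __name__ == "__main__":
    for lineno, value, conf in match_logs(SAMPLE_LOGS, SAMPLE_INDICATORS, NOW):
        print(f"line {lineno}: {value} (confidence {conf})")
```

Line 2 of the constructed log touches two indicators that were once valid but are past their TTL, so it produces no alert; the remaining confidence on the hits that do fire tells the analyst how much to trust each one before acting.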

At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness. Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making.
It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com.

DocuSign’s Brand Used in Phishing Attacks

The electronic signature company issued an update alert today that it noticed a rise in phishing attacks last week and this morning.

Turkish Hacker Gets 8 Years In US Jail For ATM Theft...

Ercan Findikoglu carried out three cyberattacks that enabled theft of $55 million through worldwide ATM withdrawals.

Healthcare Breaches Hit All-Time High in 2016

More than 300 healthcare businesses reported data breaches in 2016, but a drop in leaked records put fewer Americans at risk.

Survey Points To 75% Organizations With Poor Cybersecurity

RSA research says nearly half of surveyed companies show their incident response capabilities to be nonexistent.

Incident response capabilities of organizations are underdeveloped and 65% are more likely to adopt mature capabilities only after their business experiences an incident, according to the new RSA Cybersecurity Poverty Index. This was the second RSA Cybersecurity Poverty Index conducted by the security division of EMC and designed to get organizations to assess their cybersecurity programs using the NIST Cybersecurity Framework as the yardstick. The study found that companies invested in detection and response technologies are better placed to ward off cyber attacks than organizations that have just perimeter protection.

An important improvement from the 2015 survey was an increase in the number of organizations with better capabilities, rising from 4.9% to 7.4%. The research also revealed that for the second straight year, respondents with significant cybersecurity risk exposure stand at 75%. Amit Yoran, CEO of RSA, said “We need to change the way we are thinking about security, to focus on more than just prevention – to develop a strategy that emphasizes detection and response.”
