New Kid On The Block: Cyber Threat Analyst

Drawing from the financial service industry, this new role uses the "art of the intelligence cycle" to drive efficiency in the security operations center. With the rapid rise, frequency, severity and cost of cyber attacks, many companies today are looking to the government military intelligence industry for the skills, talent and experience to run their security operations center. Leaders in the financial markets were the first to realize that an SOC driven by intelligence could be a force multiplier in achieving operational efficiency and effectiveness.

Early adopters such as JPMorgan Chase & Co. used this expertise to restructure personnel into new tiers with new priorities and job functions. One of the newest roles to emerge from this shift is that of the cyber threat analyst. What is the exact role of the cyber threat analyst and how does the analyst’s work help prevent attackers from stealing critical data or causing other harm to a business? What the cyber threat analyst brings to the table is the “art of the intelligence cycle.” This is where information is directed, collected, processed, analyzed, produced, and disseminated. For example, in an organization where I once worked as a cyber analyst, my team was tasked with finding a better way to identify insider threats within the company.

First, I identified the relevant sources of data from which insider threats could be identified: in this case, badge logs, web proxy traffic, and print logs.

Then I began determining the patterns likely to be associated with malicious activity.

These patterns allowed me to narrow down potential suspects to only .0001% of the employee pool. After we disseminated our report, others on the security operations team became much more effective in monitoring insider threats.
Intelligence truly began to drive operations – which was the optimal outcome.

Worth the effort

Building the capability of cyber threat analysis is a challenging endeavor that will yield tangible results – but it takes time and discipline. Here are three key principles for developing a successful cadre of analysts:

The rule of three

Cyber threat analysis is composed of three distinct skillsets, and very rarely will one individual maintain all three.

To properly learn cyber threat analysis, an analyst must learn information security (e.g. network defense, information assurance), intelligence analysis (e.g. the mastery of the intelligence cycle), and forensic science (e.g. investigations, evidence handling, discovery).
It is essential to recruit individuals strong in one or two of these areas and also facilitate a training program to complement skillsets.

Intelligence is a journey, not a destination

Building an intelligence program is an iterative process.

The maturation of the program should be laid out in a phased approach, where simple “quick wins” can be achieved early on in the process.

For example, a four-phased approach would include: ad hoc analysis, integration of non-traditional data into security analysis, increasing speed of searches in addition to higher tier threats, and finally, continuous feeds of real-time data and automated detection analytics.

Knowledge is cumulative and must be nurtured over time

Cyber threat analysis is like many other professions where practice is necessary to continue learning the craft.

Consider a surgeon: after eight full years of classroom education, can a newly minted physician walk into an operating room and conduct surgery? No, they must enter a five to eight year residency where they learn the craft under a seasoned, attending surgeon. Similarly, cyber threat analysts learn best under a “master operator;” a recent college graduate simply cannot operate close to the same level as a seasoned pro.

During my experience in the intelligence community, it took over a decade to develop a cadre of cyber threat analysts with the requisite skillsets. Companies implementing any of the three principles outlined above will see a reduction in the severity of cyber attacks impacting their organizations.

But those implementing all three will see the best results.

Bob Stasio is currently a Senior Product Manager at IBM i2 Safer Planet. Prior to this role, Bob worked in the private sector standing up threat intelligence programs at Bloomberg and global financial firms. He accomplished these efforts as the owner of his own consulting ...

Google Lumps MalwareBytes With A Bad Security Report

GOOGLE'S SECURITY street gang Project Zero has been kicking sand in the face of Malwarebytes and picking the firm's protection precautions apart. Malwarebytes usually wears the boot in this kind of thing, but Project Zero has taken a punt in the security firm's direction and accused it of all sorts of bad things. This is not the first time that Project Zero has pointed fingers, as the gang only recently made Microsoft, FireEye and Trend Micro look bad.

Malwarebytes has "multiple security issues" that can open users to man-in-the-middle attacks and other things that you might choose to avoid, according to a Project Zero report from researcher Tavis Ormandy. The post said that the problem has been fixed, but a lot of the details have been redacted which, of course, makes things more interesting. Ormandy claimed that Google told the firm about the problem last year, and gave it 90 days before getting the sandwich board out and marching round the community.

"Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack. The protocol involves downloading YAML files over HTTP for each update from Although the YAML files include an MD5 checksum, as it's served over HTTP and not signed an attacker can simply replace it," he wrote.

"It's possible the developer believed that an attacker cannot tamper with the data as it's encrypted with the hardcoded RC4 key [redacted] for configuration data, and [redacted] for definitions. However, this is not the case. Openssl commands can be used to decrypt, edit and then re-encrypt the definitions and configuration data."

We asked Malwarebytes to talk about this by email, and are waiting for a response. It was only last week that the firm proudly announced a bug bounty reward programme which, presumably, will pay for itself. Malwarebytes did contact us over Twitter, however, to publicly acknowledge its shame and share its thanks to Google and apologies to users.

The tweet led us to a blog post where the reward programme is revealed to be a reaction to such alerts. "Unfortunately, vulnerabilities are the harsh reality of software development. In fact, this year alone our researchers have found and reported several vulnerabilities with other software," wrote Marcin Kleczynski, CEO at Malwarebytes. "A vulnerability disclosure programme is one way to accelerate the discovery of these vulnerabilities and empower companies like Malwarebytes to fix them.

"We are taking steps like the bug bounty programme as well as building automatic vulnerability-finding software to mitigate any potential for a future vulnerability.

"In addition, our engineers have used this discovery to create new processes and methodologies that will help us continue to scrutinise our own code, identify any weak lines or processes and build additional tests and checkpoints into our ongoing development cycle."
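As an added illustration (not code from the Inquirer article or from Malwarebytes), the following Python sketch contrasts the check the report describes, an MD5 carried inside an unsigned descriptor fetched over plain HTTP, with verification against a tag the download channel cannot regenerate. The descriptor format, payload and vendor key are constructed; HMAC-SHA256 stands in for the asymmetric signature a real updater must use, since any symmetric key shipped inside the client can be extracted just like the hardcoded RC4 key.

```python
import hashlib
import hmac

# Constructed sample update. The descriptor loosely mimics a YAML update
# file that carries an MD5 of the definitions payload; it is not the
# vendor's real format.
DEFINITIONS = b"signature-db v1: EICAR-Test-File\n"
# Stand-in for the vendor's private signing key (constructed). In a real
# client this must NOT be a shared secret embedded in the binary; use a
# public-key signature so the client holds only the verification key.
VENDOR_KEY = b"constructed-vendor-signing-key"


def build_manifest(payload):
    """Unsigned descriptor: the only integrity field is an MD5 of the payload."""
    return "file: definitions.dat\nmd5: %s\n" % hashlib.md5(payload).hexdigest()


def parse_manifest(text):
    """Minimal 'key: value' parser for the constructed descriptor."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def verify_checksum(manifest, payload):
    """The weak check: MD5 inside the descriptor vs. MD5 of the download.
    Both travel over the same unauthenticated HTTP channel, so agreement
    between them says nothing about who produced them (it only detects
    accidental corruption)."""
    expected = parse_manifest(manifest).get("md5", "")
    return hmac.compare_digest(expected, hashlib.md5(payload).hexdigest())


def sign_release(manifest, payload):
    """Tag computed by the vendor at release time over descriptor AND payload,
    so neither can be swapped independently. HMAC is used only because it is
    in the standard library; see the note on VENDOR_KEY above."""
    return hmac.new(VENDOR_KEY, manifest.encode() + payload, hashlib.sha256).digest()


def verify_signed(manifest, payload, tag):
    """The strong check: the tag must match, and the checksum is then merely
    a sanity check on top of an authenticated descriptor."""
    return (hmac.compare_digest(sign_release(manifest, payload), tag)
            and verify_checksum(manifest, payload))


def on_path_substitution(replacement_payload):
    """Models the report's finding: a party on the plain-HTTP path can hand
    the client a different payload together with a descriptor whose MD5
    matches it. No secret is needed because nothing here is signed."""
    return build_manifest(replacement_payload), replacement_payload


def demo():
    manifest = build_manifest(DEFINITIONS)
    tag = sign_release(manifest, DEFINITIONS)          # produced at release
    bad_manifest, bad_payload = on_path_substitution(b"tampered definitions\n")
    return {
        "checksum_accepts_genuine": verify_checksum(manifest, DEFINITIONS),
        "checksum_accepts_tampered": verify_checksum(bad_manifest, bad_payload),
        "signed_accepts_genuine": verify_signed(manifest, DEFINITIONS, tag),
        "signed_rejects_tampered": not verify_signed(bad_manifest, bad_payload, tag),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print("%-26s %s" % (check, result))
```

Serving the update over TLS closes the on-path substitution as well, but a signed descriptor additionally protects against a compromised mirror or CDN.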

eBay Refuses To Fix Flaw Exposing Users To Malware And Phishing...

A major flaw on eBay's online sales platform is being used to target customers with malware across Android, iOS and Windows devices, but eBay has said that it has no intention of fixing the vulnerability.

Security company Check Point uncovered evidence of the flaw last year. It involves exploiting the ‘active content’ capability of eBay that is mostly used for nothing more than adding basic HTML on seller pages to emphasise text. eBay has a filter in place to ensure that sellers do not use anything more complex than this, such as JavaScript or iFrames, so that pop-ups and app download prompts cannot run, whether on Android, iOS or Windows machines. However, Check Point discovered that using a version of JavaScript termed JSF**K, cyber crooks are able to bypass these filters and trick users into downloading malicious apps, or present pop-up boxes asking for information.

The video below shows the attack in action on an iPhone, tricking the user into downloading a malicious app.

The fact that iOS users are at risk is particularly notable, as Apple's stringent app vetting process usually stops this kind of threat. However, Check Point explained that the crooks appear to have fraudulent mobile device management credentials, allowing them to push apps to devices when a request is received.

Oded Vanunu, security research group manager at Check Point, who has previously uncovered flaws affecting Apple, WhatsApp and Google, told V3 that the flaw is surprisingly basic. "Anyone can open an online store but usually once you open it you are very restricted with the functions you can use," he said. "However, with JSF**K we found that the eBay infrastructure is blind to this so cyber criminals can bypass the filter and redirect users to their malicious servers." This is a veritable gold mine for crooks as it allows them to infect user devices and gather information that could be used for phishing scams.

Worryingly, considering the scale of the risk, Check Point informed eBay of the problem in December and was told in January that eBay will not fix the problem as it wishes to keep the active content capability. "I must say I was disappointed by their handling of this. We provided them with the entire back story and proof-of-concept, but based on their feedback they’ve just said: ‘Thanks, but we allow active content,’" Vanunu said. “We said: 'That’s OK but your filters are being bypassed by this JSF**K language that they are blind to.' But it still hasn’t been fixed.”

V3 contacted eBay for a statement on the situation and received a fairly stock response that made no direct reference to the vulnerability or whether it would be fixed. “As a company, we’re committed to providing a safe and secure marketplace for our millions of customers around the world," the firm said in a statement. "We take reported security issues very seriously, and work quickly to evaluate them within the context of our entire security infrastructure.”

Hidden tear and its spin offs

Background

A while ago the Turkish security group Utku Sen created the hidden tear ransomware and published the source code online. The idea behind it was to “teach” security researchers how ransomware works. Right from the beginning the reaction of various security professionals was negative. And we were right: it didn’t take long before the first ransomware variants based on the hidden tear source code arrived ([1], [2]) and, of course, things escalated a bit. Wondering what else there was, I decided to analyze the samples in the Trojan-Ransom.MSIL.Tear class and was amazed to find 24 additional samples.

The spin offs

Hidden tear only encrypts files located on the user’s desktop in the “test” directory. If such a directory doesn’t exist, then no files are encrypted and no harm is done. In one of the first samples we classified as hidden tear, Trojan-Ransom.MSIL.Tear.c, they removed the “test” directory, so in this case all the files (with a certain extension) located on the Desktop are encrypted. Another sample, Trojan-Ransom.MSIL.Tear.f, calls itself KryptoLocker. According to the message, public key cryptography was used, but when we look at the code, we see something different. The author also didn’t use a CnC this time, but asked the victims to e-mail him, so he could ask for the ransom. The next variants, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h, are the first versions that use a proper CnC (previous samples used a server with an internal IP address as the CnC server). Other samples, such as Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k, share the same CnC, while Trojan-Ransom.MSIL.Tear.j uses another one. Also interesting is Trojan-Ransom.MSIL.Tear.m. This variant is specifically looking for files located in the “MicrosoftAtom” directory. Variants Trojan-Ransom.MSIL.Tear.n, Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p and Trojan-Ransom.MSIL.Tear.q, on the other hand, just encrypt your files and don’t store the key anywhere.

Variants Trojan-Ransom.MSIL.Tear.r to Trojan-Ransom.MSIL.Tear.v are all more or less the same. The location of the c2 is often This of course does not work. The last samples, Trojan-Ransom.MSIL.Tear.w, Trojan-Ransom.MSIL.Tear.x and Trojan-Ransom.MSIL.Tear.y, all store the password on the hard drive and were also described earlier here.

Conclusion

As always, when malware gets open sourced, we see an increase in variants of that specific malware. We can therefore conclude that hidden tear completely missed its purpose. Researchers don’t need hidden tear to understand how ransomware works. Luckily enough, in this case, the copy cats didn’t fix the bugs in hidden tear. Therefore it is actually possible (with some computation) to recover your key and decrypt your files for free. More worrisome is when copy cats use well developed and sophisticated malware and start using that. The samples discussed in this post were all samples that were not often spotted in the wild. This means the number of victims remains relatively low. Nevertheless, bugs can be fixed and the malware can be enhanced without much effort. After this point, it is just waiting for future victims who might lose their files forever.

From Linux to Windows – New Family of Cross-Platform Desktop Backdoors...

Background

Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let's have a look at both of them.

DropboxCache aka Backdoor.Linux.Mokes.a

This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots. After its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations:

$HOME/$QT-GenericDataLocation/.mozilla/firefox/profiled
$HOME/$QT-GenericDataLocation/.dropbox/DropboxCache

One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this:

Next, it connects to its hardcoded C&C server. From this point, it performs an HTTP request every minute. This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with the following hardcoded public keys:

The malware then collects gathered information from the keylogger, audio captures and screenshots in /tmp/. Later it will upload the collected data to the C&C.

/tmp/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots, JPEG, every 30 sec.)
/tmp/aa0-DDMMyy-HHmmss-nnn.aat (Audio captures, WAV)
/tmp/kk0-DDMMyy-HHmmss-nnn.kkt (Keylogs)
/tmp/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary data)

DDMMyy = date: 280116 = 2016-01-28
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds

This part of the code is able to capture audio from the victim’s box.

However, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) to the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis. There are also references to the author’s source files:

Apparently, it’s written in C++ and Qt, a cross-platform application framework. According to the binary’s metadata it was compiled using “GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)” on Ubuntu 14.04 LTS “Trusty Tahr”. According to the qt_instdate timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies the compilation time of the malware to be not earlier than end of September 2015. We detect this type of malware as Backdoor.Linux.Mokes.a.

OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv

Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a. After execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version”-file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself:

Then the corresponding registry keys are created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence in the system. After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue.

The next stage in its operation is to contact the hardcoded C&C server. Besides the different IP addresses and encryption key, we see almost identical behavior. However, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string. If this is not successful, the sample uses its hardcoded version:

Like the Linux variant, it connects to its C&C server in the same way: once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP port 433. It uses almost the same filename templates to save the obtained screenshots, audio captures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active. Below you can see the content of a keystroke logfile, located in %TEMP% and created by this sample:

And again, we spotted some unexpected code. The following screenshot shows references to code which is able to capture images from a connected camera, such as a built-in webcam. Similar to the Linux version, the author left quite a number of suspicious strings in the binary. The following string is surprisingly honest.

From the criminal’s point of view, it’s important that the software looks legitimate and that Windows doesn’t ask the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using trusted code signing certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from “COMODO RSA Code Signing CA”. We detect this type of malware as Backdoor.Win32.Mokes.imv.

What’s next

Since this software was intentionally designed to be platform independent, we might also see corresponding Mac OS X samples in the future.

Update (2016-02-01 10:45 UTC): We just got Backdoor.Win32.Mokes.imw. This is the first time we see a variant of Mokes which comes with the audio capture module activated.
The malware creates a new audio file every 5 minutes.
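An added example, not from the Securelist write-up: a Python triage check that looks for the staging-file naming scheme (/tmp/ss0-DDMMyy-HHmmss-nnn.sst and its audio, keylog and data siblings) and the persistence entries described above on a Linux host. The directory tree and file names it scans are constructed inside a temporary directory so it runs offline; $QT-GenericDataLocation is assumed to resolve to $HOME/.local/share as in the post's own example path.

```python
import os
import re
import tempfile
from datetime import datetime

# Filename templates quoted in the write-up: <kind>0-DDMMyy-HHmmss-nnn.<kind>t
ARTIFACT_RE = re.compile(
    r"^(?P<kind>ss|aa|kk|dd)0-(?P<date>\d{6})-(?P<time>\d{6})-(?P<ms>\d{3})\.(?P=kind)t$"
)
KINDS = {"ss": "screenshot", "aa": "audio capture", "kk": "keylog", "dd": "arbitrary data"}

# Persistence artefacts from the write-up: autostart entries named after the
# copied binary, and the two copy locations (assuming $QT-GenericDataLocation
# is $HOME/.local/share, as in the post's example path).
AUTOSTART_NAMES = {"profiled.desktop", "DropboxCache.desktop"}
COPY_SUFFIXES = (".mozilla/firefox/profiled", ".dropbox/DropboxCache")


def parse_artifact(name):
    """Return (kind, timestamp) for a Mokes staging-file name, else None.
    The date/time fields are validated so a look-alike name with an impossible
    date (e.g. day 99) is not reported."""
    m = ARTIFACT_RE.match(name)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["date"] + m["time"], "%d%m%y%H%M%S")
    except ValueError:
        return None
    return KINDS[m["kind"]], ts.replace(microsecond=int(m["ms"]) * 1000)


def scan_staging_dir(tmp_dir):
    """List (filename, kind, ISO timestamp) for every staging file in tmp_dir."""
    hits = []
    for name in sorted(os.listdir(tmp_dir)):
        parsed = parse_artifact(name)
        if parsed:
            hits.append((name, parsed[0], parsed[1].isoformat()))
    return hits


def scan_persistence(home):
    """Return paths of autostart entries and copied binaries found under home."""
    hits = []
    autostart = os.path.join(home, ".config", "autostart")
    if os.path.isdir(autostart):
        for name in os.listdir(autostart):
            if name in AUTOSTART_NAMES:
                hits.append(os.path.join(autostart, name))
    data_dir = os.path.join(home, ".local", "share")
    for suffix in COPY_SUFFIXES:
        candidate = os.path.join(data_dir, suffix)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def build_constructed_host():
    """Create a throwaway tree with constructed files so the scan runs offline.
    Returns (fake_tmp, fake_home)."""
    root = tempfile.mkdtemp(prefix="mokes-demo-")
    tmp = os.path.join(root, "tmp")
    home = os.path.join(root, "home")
    for d in (tmp,
              os.path.join(home, ".config", "autostart"),
              os.path.join(home, ".local", "share", ".dropbox")):
        os.makedirs(d)
    for name in ("ss0-280116-154411-123.sst",   # screenshot, 2016-01-28 15:44:11.123
                 "kk0-280116-154415-007.kkt",   # keylog
                 "notes.txt",                   # benign file
                 "ss0-999999-000000-000.sst"):  # look-alike with impossible date
        open(os.path.join(tmp, name), "w").close()
    open(os.path.join(home, ".config", "autostart", "DropboxCache.desktop"), "w").close()
    open(os.path.join(home, ".local", "share", ".dropbox", "DropboxCache"), "w").close()
    return tmp, home


if __name__ == "__main__":
    fake_tmp, fake_home = build_constructed_host()
    for hit in scan_staging_dir(fake_tmp):
        print("staging file:", hit)
    for path in scan_persistence(fake_home):
        print("persistence:", path)
```

For live triage call scan_staging_dir("/tmp") and scan_persistence(os.path.expanduser("~")) for each user; a hit on the name pattern is a trigger for closer inspection, not proof on its own.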

Angler Exploit Kit Now Hooking Execs With Xmas Flash Hole

The Angler exploit kit is again sailing the cyber seas and pillaging with impunity, adding one of the more recent machine-hijacking Flash holes to its arsenal. The integration of Adobe Flash vulnerability (CVE-2015-8651) patched last month solidifies Angler's position as the most popular and effective exploit kit on underground criminal markets. Chinese security researcher known as ThreatBook reports the exploit kit is being used in phishing attacks under the so-called DarkHotel campaign. Those attacks also involve the compromising of hotel networks in order to compromise executives who connect to Wi-Fi. Successful exploits will drop a trojan named update.exe disguised as SSH key generation tools. It will also search for the presence of anti-virus platforms and researcher sandbox analysis tools. The exploit kit is also being used to drop the dangerous Cryptowall ransomware. The respected independent researcher known as "Kafeine" revealed the Flash exploit update. "[The update] is not yet pushed to all Angler exploit kit threads, but is widely spread," Kafeine says. The exploit works against Flash version and Firefox. Kafeine says authors of rival exploit kits Nuclear, Magnitude, and Neutrino are likely unable to mimic Angler's exploit integration thanks to its use of encryption. Those three are stuck using an October Flash vulnerability (CVE-2015-7645), while RIG and Sundown flounder with Adobe holes (CVE-2015-5122) from July.

Kaspersky DDoS Intelligence Report for Q4 2015

Q4 events

Of all the Q4 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats.

Emergence of new vectors for conducting reflection DDoS attacks;
Increase in number of botnets composed of vulnerable IoT devices;
Application-level attacks – the workhorse behind DDoS attack scenarios.

Attacks using compromised web applications powered by WordPress

Web resources powered by the WordPress content management system (CMS) are popular with cybercriminals who carry out DDoS attacks. This is because WordPress supports the pingback function that notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. When the post containing the link to the other web resource is published on a site with the enabled pingback function, a special XML-RPC request is sent to the site where the link leads and that resource receives and processes it. During processing, the recipient site may call the source of the request to check for the presence of the content.

This technology allows a web resource (victim) to be attacked: a bot sends a specially formed pingback request specifying the address of the victim resource as the sender to a WordPress site with the pingback function enabled. The WordPress site processes the request from the bot and sends the reply to the victim’s address. By sending pingback requests with the victim’s address to lots of WordPress resources with pingback enabled, the attackers create a substantial load on the victim resource. This is why web resources running WordPress with the pingback function enabled are of interest to cybercriminals.
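An added example that is not part of the Kaspersky report: a Python detector for the pingback reflection pattern described above, as seen from the victim's web-server log. It keys on the User-Agent that WordPress sends when it fetches the claimed source page to verify a pingback; that string form ("WordPress/<version>; <site>; verifying pingback from <ip>") is taken from WordPress's XML-RPC handler and is not stated in the report. The log lines are constructed. Note that the "verifying pingback from" address is the host that sent the forged XML-RPC request to the reflector, so it points at the bot, not at the WordPress site doing the reflecting.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed combined-log lines as the victim web server would record them.
# Five distinct WordPress reflectors hit the same page within two seconds,
# one ordinary browser request is mixed in, and a single late verification
# (a plausible genuine pingback) arrives nine minutes later.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Oct/2015:10:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 512 "-" "WordPress/4.3; http://blog-a.example; verifying pingback from 198.51.100.7"
203.0.113.11 - - [14/Oct/2015:10:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 512 "-" "WordPress/4.2.4; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.12 - - [14/Oct/2015:10:00:02 +0000] "GET /?p=42 HTTP/1.1" 200 512 "-" "WordPress/4.3; http://blog-c.example; verifying pingback from 198.51.100.7"
203.0.113.13 - - [14/Oct/2015:10:00:02 +0000] "GET /?p=42 HTTP/1.1" 200 512 "-" "WordPress/4.1; http://blog-d.example; verifying pingback from 198.51.100.9"
198.51.100.200 - - [14/Oct/2015:10:00:03 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.14 - - [14/Oct/2015:10:00:03 +0000] "GET /?p=42 HTTP/1.1" 200 512 "-" "WordPress/4.3; http://blog-e.example; verifying pingback from 198.51.100.7"
203.0.113.15 - - [14/Oct/2015:10:09:00 +0000] "GET /?p=7 HTTP/1.1" 200 512 "-" "WordPress/4.3; http://blog-f.example; verifying pingback from 192.0.2.55"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
PINGBACK_UA_RE = re.compile(
    r"^WordPress/\S+; (?P<site>\S+); verifying pingback from (?P<origin>\S+)$"
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "req": m["req"], "ua": m["ua"]}


def detect_pingback_reflection(log_text, window_s=60, min_reflectors=5):
    """Bucket pingback-verification fetches into fixed windows and flag a window
    when it contains at least min_reflectors distinct WordPress sites. A genuine
    link earns a handful of verifications spread over days, not many per minute."""
    buckets = defaultdict(lambda: {"reflectors": set(), "origins": set(), "paths": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if not ua:
            continue
        slot = int(rec["ts"].timestamp()) // window_s * window_s
        b = buckets[slot]
        b["reflectors"].add(rec["ip"])          # the WordPress site doing the fetch
        b["origins"].add(ua["origin"])          # the host that sent the forged pingback
        parts = rec["req"].split(" ")
        b["paths"].add(parts[1] if len(parts) > 1 else rec["req"])
    alerts = []
    for slot in sorted(buckets):
        b = buckets[slot]
        if len(b["reflectors"]) >= min_reflectors:
            alerts.append({
                "window_start": datetime.fromtimestamp(slot, tz=timezone.utc).isoformat(),
                "reflectors": len(b["reflectors"]),
                "origins": sorted(b["origins"]),
                "paths": sorted(b["paths"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_pingback_reflection(SAMPLE_LOG):
        print(alert)
```

On the reflector side the matching control is to disable XML-RPC pingbacks (or rate-limit them) so the site cannot be used against third parties; on the victim side the User-Agent match is also a safe key for a temporary filter rule.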
In the fourth quarter of 2015, cybercriminals did not limit their activities to sites supporting pingback; they carried out a mass compromise of resources running WordPress. This was probably caused by the emergence of “zero-day” vulnerabilities either in the CMS or one of its popular plugins. Whatever the cause, we registered several cases of JavaScript code being injected into the body of web resources. The code addressed the victim resource on behalf of the user’s browser. At the same time, the attackers used an encrypted HTTPS connection to impede traffic filtering.

The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering.

IoT-based botnets

In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear.

Three new vectors for carrying out reflection DDoS attacks

Reflection DDoS attacks exploit weaknesses in a third party’s configuration to amplify an attack. In Q4, three new amplification channels were discovered. The attackers send traffic to the targeted sites via NetBIOS name servers, domain controller RPC portmapper services connected via a dynamic port, and to WD Sentinel licensing servers.

Attacks on mail services

In Q4 2015, mail services were especially popular with DDoS attackers. In particular, activity was detected by the Armada Collective cybercriminal group, which uses DDoS attacks to extort money from its victims.
The group is suspected of being involved in an attack on the ProtonMail secure e-mail service in which the cybercriminals demanded $6000 to end the DDoS attack. As well as the ProtonMail encrypted email service, the FastMail and the Russian Post e-mail services were also targeted.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the fourth quarter of 2015.

In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab.
It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q4 Summary

In Q4, resources in 69 countries were targeted by DDoS attacks.
94.9% of the targeted resources were located in 10 countries.
The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.
The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%.

Geography of attacks

By the end of 2015, the geography of DDoS attacks narrowed to 69 countries. 94.9% of targeted resources were located in 10 countries. Q4 saw a considerable increase in the proportion of DDoS attacks targeting resources located in China (from 34.5% to 50.3%) and South Korea (from 17.7% to 23.2%).

Distribution of unique DDoS attack targets by country, Q3 vs Q4 2015

The share of DDoS targets located in the US dropped by 8 percentage points, which saw it move down to third place and South Korea climb to second. Croatia with 0.3% (-2.5 percentage points) and France, whose share fell from 1.1% to 0.7%, left the Top 10. They were replaced by Hong Kong, with the same proportion as the previous quarter, and Taiwan, whose share increased by 0.5 percentage points. The statistics show that 94% of all attacks had targets within the Top 10 countries:

Distribution of DDoS attacks by country, Q3 vs Q4 2015

In the fourth quarter, the Top 3 ranking remained the same, although the US and South Korea swapped places: South Korea’s contribution grew by 4.3 percentage points, while the US share dropped by 11.5 percentage points.
The biggest increase in the proportion of DDoS attacks in Q4 was observed in China – its share grew by 18.2 percentage points.

Changes in DDoS attack numbers

In Q4 2015, DDoS activity was distributed more or less evenly, with the exception of one peak that fell in late October and an increase in activity in early November. The peak number of attacks in one day was 1,442, recorded on 2 November. The quietest day was 1 October – 163 attacks.

Number of DDoS attacks over time* in Q4 2015

* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.

Monday and Tuesday were the most active days of the week in terms of DDoS attacks. In Q4, the number of attacks carried out on a Monday was 5.7 percentage points more than in the previous quarter. The figure for Tuesdays changed slightly (-0.3 percentage points).

Distribution of DDoS attack numbers by day of the week, Q4 2015

Types and duration of DDoS attacks

97.5% of DDoS targets in Q4 2015 (vs. 99.3% in Q3) were attacked by bots belonging to one family. In just 2.4% of all cases cybercriminals launched attacks using bots from two different families (used by one or more botnet masters). In 0.1% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.

The ranking of the most popular attack methods remained unchanged, although SYN DDoS (57%) and TCP DDoS (21.8%) added 5.4 and 1.9 percentage points respectively.

The distribution of DDoS attacks by type

Once again, most attacks lasted no longer than 24 hours in Q4 2015.

The distribution of DDoS attacks by duration (hours)

The maximum duration of attacks increased again in the fourth quarter. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days).
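The attack-counting rules from the Methodology section and the per-day timeline footnote above, worked through as an added Python example (not the report's own DDoS Intelligence code). The observations are constructed, with placeholder botnet names; each record is one moment at which a given botnet was seen attacking a given target, and the code applies the report's 24-hour break rule, separates botnets, counts an attack once per calendar day it spans, and converts hours to the days figure the report quotes.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

BREAK = timedelta(hours=24)   # "break of more than 24 hours" => new attack

# Constructed observations: (target_ip, botnet_id, time an attack command was seen).
OBSERVATIONS = [
    ("198.51.100.5", "botA", "2015-11-01 08:00"),
    ("198.51.100.5", "botA", "2015-11-01 20:00"),
    ("198.51.100.5", "botA", "2015-11-02 18:00"),   # 22 h since previous: same attack
    ("198.51.100.5", "botA", "2015-11-04 09:00"),   # 39 h since previous: new attack
    ("198.51.100.5", "botB", "2015-11-01 09:00"),   # other botnet, same target: separate
    ("203.0.113.9", "botA", "2015-11-02 00:30"),
    ("203.0.113.9", "botA", "2015-11-02 01:00"),
]


def _attack(target, botnet, start, end):
    return {"target": target, "botnet": botnet, "start": start, "end": end,
            "hours": (end - start).total_seconds() / 3600}


def segment_attacks(observations, gap=BREAK):
    """Group observations by (target, botnet) and split each group into attacks
    wherever the silence between consecutive sightings exceeds the gap."""
    by_pair = defaultdict(list)
    for target, botnet, ts in observations:
        by_pair[(target, botnet)].append(datetime.strptime(ts, "%Y-%m-%d %H:%M"))
    attacks = []
    for (target, botnet), times in sorted(by_pair.items()):
        times.sort()
        start = prev = times[0]
        for t in times[1:]:
            if t - prev > gap:
                attacks.append(_attack(target, botnet, start, prev))
                start = t
            prev = t
        attacks.append(_attack(target, botnet, start, prev))
    return attacks


def daily_timeline(attacks):
    """Attacks active per calendar day; a multi-day attack is counted once on
    each day of its duration, as the report's timeline footnote describes."""
    counts = Counter()
    for a in attacks:
        day = a["start"].date()
        while day <= a["end"].date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return counts


def hours_to_days(hours):
    """Report-style rounding: 371 h -> 15.5 days, 320 h -> 13.3 days."""
    return round(hours / 24, 1)


def summary(attacks):
    longest = max(a["hours"] for a in attacks)
    return {"attacks": len(attacks), "longest_hours": longest,
            "longest_days": hours_to_days(longest)}


if __name__ == "__main__":
    found = segment_attacks(OBSERVATIONS)
    for a in found:
        print(a["target"], a["botnet"], a["start"], "->", a["end"], "%.1f h" % a["hours"])
    print(summary(found))
    print(dict(daily_timeline(found)))
```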
C&C servers and botnet types

In Q4 2015, South Korea maintained its leadership in terms of the number of C&C servers located on its territory, with its share growing by 2.4 percentage points. The US share decreased slightly, from 12.4% to 11.5%, while China's contribution grew by 1.4 percentage points. The Top 3 ranking remained the same. The countries in fourth and fifth place switched: Russia's share increased from 4.6% to 5.5%, while the share of the UK declined from 4.8% to 2.6%.

[Figure: Distribution of botnet C&C servers by country in Q4 2015]

In Q4, the balance between active Windows-based and Linux-based bots shifted: the proportion of attacks launched by Linux bots grew from 45.6% to 54.8%.

[Figure: Correlation between attacks launched from Windows and Linux botnets]

Conclusion

Events in Q4 2015 demonstrated that the cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets made up of workstations and PCs, but also any other vulnerable resources that are available. These include vulnerable web applications, servers and IoT devices. In combination with new channels for carrying out reflection DDoS attacks, this suggests that in the near future we can expect a further increase in DDoS capacity and the emergence of botnets consisting of new types of vulnerable devices.

BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents

Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine. Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.

BlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on it and sold the source code for an estimated $700. The source code appears to have been picked up by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued launching DDoS attacks over the next few years. Around 2014, a specific group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world. This indicated a unique skillset, well above the average DDoS botnet master. For simplicity, we're calling them the BlackEnergy APT group.

One of the preferred targets of the BlackEnergy APT has always been Ukraine. Since the middle of 2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document.

A few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine. Unlike the Office files used in previous attacks, this is not an Excel workbook, but a Microsoft Word document. The lure mentions the Ukrainian "Right Sector" party and appears to have been used against a television channel.

Introduction

At the end of last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media and by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both known BlackEnergy Trojans as well as several new modules.
A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum (the text is only available in Russian for now, but can be read via Google Translate). In the past, we have written about BlackEnergy, focusing on its destructive payloads, Siemens equipment exploitation and router attack plugins. You can read the blogs published by my GReAT colleagues Kurt Baumgartner and Maria Garnaeva here and here. We also published about the BlackEnergy DDoS attacks.

Since mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros which drop the Trojan to disk if the user chooses to run the script in the document. For the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word and Excel supported auto-run macros. That meant that a virus or Trojan could run as soon as the document loaded and automatically infect a system. Microsoft later disabled this feature, and current Office versions need the user to specifically enable the macros in the document to run them. To get past this inconvenience, modern-day attackers commonly rely on social engineering, asking the user to enable the macros in order to view "enhanced content".

A few days ago, we came across a new document that appears to be part of the ongoing BlackEnergy attacks against Ukraine. Unlike the Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document: "$RR143TB.doc" (md5: e15b36c2e394d599a8ab352159089dd2).

This document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low detection. Its creation_datetime and last_saved fields are both 2015-07-27 10:21:00. This means the document may have been created and used earlier, but was only recently noticed by the victim.
Upon opening the document, the user is presented with a dialog recommending the enabling of macros to view the document. Interestingly, the document lure mentions "Pravii Sektor" (the Right Sector), a nationalist party in Ukraine. The party was formed in November 2013 and has since played an active role in the country's political scene.

To extract the macros from the document without using Word, or running them, we can use a publicly available tool such as oledump by Didier Stevens. Here's a brief cut and paste:

As we can see, the macro builds a string in memory that contains a file, which is created and written as "vba_macro.exe". The file is then promptly executed using the Shell command.

The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It drops the final payload as "%LOCALAPPDATA%\FONTCACHE.DAT", which is a DLL file. It then proceeds to run it, using rundll32:

rundll32.exe "%LOCALAPPDATA%\FONTCACHE.DAT",#1

To ensure execution on every system startup, the dropper creates a LNK file in the system startup folder, which executes the same command as above on every system boot:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\{D0B53124-E232-49FC-9EA9-75FA32C7C6C3}.lnk

The final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic BlackEnergy (v3) Trojan that proceeds to connect to its hardcoded C&C server, 5.149.254[.]114, on port 80. The server was previously mentioned by our colleagues from ESET in their analysis earlier this month. The server is currently offline, or limits connections by IP address. If the server is online, the malware issues an HTTP POST request to it, sending basic victim info and requesting commands. The request is BASE64 encoded. Some of the fields contain:

b_id=BRBRB-...
b_gen=301018stb
b_ver=2.3
os_v=2600
os_type=0

The b_id contains a build id and a unique machine identifier, and is computed from system information, which makes it unique per victim.
This allows the attackers to distinguish between different infected machines in the same network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to the Ukrainian TV station "STB". This TV station has been publicly mentioned as a victim of the BlackEnergy wiper attacks in October 2015.

Conclusions

BlackEnergy is a highly dynamic threat actor, and the current attacks in Ukraine indicate that destructive actions are at the top of their agenda, in addition to compromising industrial control installations and espionage activities. Our targeting analysis indicates that the following sectors have been actively targeted in recent years. If your organization falls into these categories, then you should take BlackEnergy into account when designing your defences:

- ICS, energy, government and media in Ukraine
- ICS/SCADA companies worldwide
- Energy companies worldwide

The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at a low level and replaced it with higher-level wiping capabilities that focus on file extensions rather than on disks. This is no less destructive than the disk payloads, of course, and has the advantage of not requiring administrative privileges as well as working without problems on modern 64-bit systems.

Interestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT in their alert 14-281-01B. It is particularly important to remember that all types of Office documents can contain macros, not just Excel files. This includes Word, as shown here and as alerted by ICS-CERT, and PowerPoint, as previously mentioned by Cys Centrum.
In terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying on Word documents with macros to drop malicious payloads (Kaspersky private report available). This leads us to believe that many of these attacks are successful and their popularity will increase.

We will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available. More information about the BlackEnergy APT and extended IOCs are available to customers of Kaspersky Intelligence Services.

Kaspersky Lab products detect the various Trojans mentioned here as Backdoor.Win32.Fonten.* and HEUR:Trojan-Downloader.Script.Generic. To know more about countering BlackEnergy and similar offensives, read this article on Kaspersky Business Blog.

Indicators of compromise

Word document with macros (Trojan-Downloader.Script.Generic): e15b36c2e394d599a8ab352159089dd2
Dropper from Word document (Backdoor.Win32.Fonten.y): ac2d7f21c826ce0c449481f79138aebd
Final payload from Word document (Backdoor.Win32.Fonten.o): 3fa9130c9ec44e36e52142f3688313ff
BlackEnergy C&C server: 5.149.254[.]114
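The analysis above gives three things a defender can hunt for without the samples: the base64-encoded POST beacon with its b_id/b_gen/b_ver/os_v/os_type fields and the C&C address from the IOC list, the FONTCACHE.DAT payload under %LOCALAPPDATA% loaded by rundll32 through ordinal #1, and the GUID-named LNK in the per-user Startup folder. The following is an added example of those checks as offline hunting logic; it is not Kaspersky's code and not the malware's. The page states that the beacon is base64 and lists the field names, but not how the fields are delimited, so the `&`-joined key=value layout is an assumption; the proxy-log records, the file listing and the victim id in the sample are constructed, and the FNTCACHE.DAT entry in System32 is included as the legitimate Windows font cache so the check is seen to key on both name and location. All function and constant names are the example's own.

```python
import base64
import re
from urllib.parse import parse_qs

# Indicators from the IOC list above (the page de-fangs the IP as 5.149.254[.]114).
C2_IP = "5.149.254.114"
BEACON_FIELDS = {"b_id", "b_gen", "b_ver", "os_v", "os_type"}


def constructed_beacon_body():
    """Base64 beacon body built for this example. The page lists the field
    names; joining them as '&'-separated key=value pairs is an ASSUMPTION."""
    plain = "b_id=BRBRB-0123456789abcdef&b_gen=301018stb&b_ver=2.3&os_v=2600&os_type=0"
    return base64.b64encode(plain.encode()).decode()


# Constructed proxy-log style records: (destination IP, method, request body).
SAMPLE_HTTP_LOG = [
    ("93.184.216.34", "GET", ""),
    (C2_IP, "POST", constructed_beacon_body()),
    ("10.0.0.5", "POST", base64.b64encode(b"user=alice&action=login").decode()),
]

# Constructed host file listing. System32\FNTCACHE.DAT is Windows' own font
# cache and must not be flagged: name and location both matter.
SAMPLE_FILES = [
    "C:\\Users\\v\\AppData\\Local\\FONTCACHE.DAT",
    "C:\\Users\\v\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\{D0B53124-E232-49FC-9EA9-75FA32C7C6C3}.lnk",
    "C:\\Users\\v\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk",
    "C:\\Windows\\System32\\FNTCACHE.DAT",
]

STARTUP_DIR = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
GUID_LNK = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.lnk$", re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(#\d+|\w+)', re.I)


def decode_beacon(body):
    """Return the beacon's key/value fields if body is base64 text carrying
    every BlackEnergy v3 field name listed above, otherwise None."""
    try:
        raw = base64.b64decode(body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    return fields if BEACON_FIELDS.issubset(fields) else None


def hunt_http(log):
    """Flag requests by destination IOC and/or by decoded beacon content, so a
    beacon to a not-yet-known C&C is still caught by its field names."""
    hits = []
    for dst, method, body in log:
        reasons = []
        if dst == C2_IP:
            reasons.append("destination matches C&C IOC")
        fields = decode_beacon(body) if method == "POST" else None
        if fields:
            reasons.append("beacon fields present, victim id " + fields["b_gen"])
        if reasons:
            hits.append((dst, reasons))
    return hits


def hunt_files(paths):
    """Flag the two on-disk artifacts: FONTCACHE.DAT under %LOCALAPPDATA% and a
    GUID-named .lnk in the per-user Startup folder."""
    findings = []
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if name.upper() == "FONTCACHE.DAT" and "\\AppData\\Local\\" in path:
            findings.append((path, "BlackEnergy v3 payload name in %LOCALAPPDATA%"))
        elif STARTUP_DIR in path and GUID_LNK.match(name):
            findings.append((path, "GUID-named LNK in Startup folder"))
    return findings


def suspicious_rundll32(cmdline):
    """True when rundll32 is told to load a module whose name is not *.dll,
    as in the dropper's rundll32.exe "%LOCALAPPDATA%\\FONTCACHE.DAT",#1 line."""
    m = RUNDLL.search(cmdline)
    return bool(m) and not m.group(1).strip().lower().endswith(".dll")


if __name__ == "__main__":
    print(hunt_http(SAMPLE_HTTP_LOG))
    print(hunt_files(SAMPLE_FILES))
    print(suspicious_rundll32('rundll32.exe "%LOCALAPPDATA%\\FONTCACHE.DAT",#1'))
```

The content check in hunt_http is the one worth keeping after the IP goes stale: an attacker can move C&C servers cheaply, but changing the beacon's field names means changing the server side too. The rundll32 check is deliberately broader than this one family, since loading a non-.dll module through an ordinal is rare in legitimate command lines.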

FBI Hackers Took Down A Child Porn Ring

How does the FBI crack down on child porn on Tor? By hacking, spying and conducting home raids. The FBI has resorted to hacking to hunt down pedophiles hiding anonymously on the Internet. The Justice Department just closed a historic case, a massi...

Nivdort Trojan Found In New Facebook Phishing Attack

January 21, 2016

Facebook users were targeted in a new phishing scam. The cybercriminals who targeted WhatsApp users with malware may be behind a phishing scam that is now going after Facebook users, according to a new report.

The Comodo Threat Research team said the Facebook version behaves in a similar manner to the WhatsApp malware, part of the Nivdort malware family, by presenting itself as an email from Facebook telling the recipient that they have an "audible" message. In addition, each subject line ends with odd lettering groups like Yqr or sele, likely used to dodge any onboard security software, the blog said.

The emails contain an attached .zip file housing the actual malware, an .exe file which, when clicked, automatically replicates and places itself on the C drive and in the auto-run entries of the computer's registry, spreading the malware. "It will add itself into a registry by adding a new key and will register itself as a system service as well. Other records will also be created to run at startup. Removing this kind of infection requires a thorough scanning of all of these potentially affected locations," Fatih Orhan of Comodo's Threat Research Lab said in an email Thursday.

As with other Nivdort family members, Orhan said this is a Trojan that collects sensitive information such as usernames or IDs, passwords, bank or credit card account information and tax returns, and sends them to another party. Because the average user tends to trust name brands like Facebook and WhatsApp, they will remain popular with criminals. "Already in 2016, we're seeing a major increase in this type of malware spreading all over via email or browser. We expect to see this continue for all types of companies and sites," Orhan said.

Dridex Trojan Targeting UK Banks With Redirection Techniques

Researchers from IBM Security have revealed that a new variant of the Dridex malware has taken inspiration from the Dyre banking Trojan and is launching attacks on UK bank accounts. The IBM X-Force team explained that Evil Corp, the group suspected to be responsible for Dridex, has upgraded the malware to use "redirection" techniques that leave people helpless to fend off credential theft.

Dridex typically spreads via bulk email phishing and allows an attacker to spy on a victim's computer and steal sensitive credentials. It has been estimated that the malware is responsible for the theft of up to £20m from UK bank accounts over the past few years.

The latest version of Dridex, v.3.161, was detected on 6 January and revealed a number of "internal bug fixes". IBM analysis showed that it quickly targeted UK internet users with the help of the Andromeda botnet.

The latest evolution of Dridex involves so-called "redirection" attacks that send an infected computer to a fake banking website set up to appear legitimate and persuade the victim to enter sensitive details. Limor Kessem, senior cyber security expert at IBM Security, told V3 that redirection attacks were "one of the biggest causes for concern" uncovered during the investigation.

"With this capability, the criminal can hijack the victim trying to access their bank website and redirect them to a malicious website where they cannot be protected by the security on the genuine online banking portal," she said. "These attacks require ample investment to create the forged sites, but when trojans like Dridex focus on business and corporate accounts they are more likely to make it worth their while."

The latest Dridex campaign is currently targeting 13 banks in the UK using this technique, according to Kessem. "We anticipate Dridex to continue relying on the redirection scheme for as long as it can afford to," she said.
"We have already seen the Dyre trojan move away from this type of attack, likely due to the resources required to maintain it and to target new brands." Dridex has targeted the bank accounts of UK citizens for several years, and remains one of the dominant cyber threats alongside Dyre, Neverquest and Zeus v2. IBM Security said that the malware is one of the top three most active banking trojans in existence.

The Asacub Trojan: from spyware to banking malware

We were recently analyzing a family of mobile banking Trojans called Trojan-Banker.AndroidOS.Asacub, and discovered that one of its C&C servers (used, in particular, by the earliest modification we know of, as well as by some of the more recent ones), chugumshimusona[.]com, is also used by CoreBot, a Windows spyware Trojan. This prompted us to do a more detailed analysis of the mobile banking Trojan.

The earliest versions of Asacub that we know of emerged in the first half of June 2015, with functionality that was closer to that of spyware Trojans than to banking malware. The early Asacub stole all incoming SMS messages regardless of who sent them, and uploaded them to a malicious server. The Trojan was capable of receiving and processing the following commands from the C&C:

- get_history: upload browser history to a malicious server;
- get_contacts: upload list of contacts to a malicious server;
- get_listapp: upload a list of installed applications to a malicious server;
- block_phone: turn off the phone's screen;
- send_sms: send an SMS with a specified text to a specified number.

New versions of Asacub emerged in the second half of July 2015. The malicious files that we are aware of used the logos of European banks in their interface, unlike the early versions of the Trojan, which used the logo of a major US bank.
There was also a dramatic rise in the number of commands that Asacub could execute:

- get_sms: upload all SMSs to a malicious server;
- del_sms: delete a specified SMS;
- set_time: set a new time interval for contacting the C&C;
- get_time: upload the time interval for contacting the C&C to the C&C server;
- mute_vol: mute the phone;
- start_alarm: enable a phone mode in which the device processor continues to run when the screen goes blank;
- stop_alarm: disable the phone mode in which the device processor continues to run when the screen goes blank;
- block_phone: turn off the phone's screen;
- rev_shell: remote command line that allows a cybercriminal to execute commands in the device's command line;
- intercept_start: enable interception of all incoming SMSs;
- intercept_stop: disable interception of all incoming SMSs.

One command that was very unusual for this type of malware was rev_shell, or reverse shell, a remote command line. After receiving this command, the Trojan connects a remote server to the console of the infected device, making it easy for cybercriminals to execute commands on the device and see the output (results) of those commands. This functionality is typical of backdoors and very rarely found in banking malware; the latter aims to steal money from the victim's bank account, not to control the device.

The most recent versions of Asacub, detected in September 2015 or later, have functionality that is more focused on stealing banking information than earlier versions. While earlier versions only used a bank logo in an icon, in the more recent versions we found several phishing screens with bank logos. One of the screenshots was in Russian and was called 'ActivityVTB24' in the Trojan's code. The name resembles that of a large Russian bank, but the text in the screen referred to the Ukrainian bank Privat24. Phishing screens were present in all the modifications of Asacub created since September that are known to us, but only the window with bank card entry fields was used.
This could mean that the cybercriminals only plan to attack the users of banks whose logos and/or names they use, or that a version of Asacub already exists that does so.

After launching, the 'autumnal version' of the Trojan begins stealing all incoming SMSs. It can also execute the following commands:

- get_history: upload browser history to a malicious server;
- get_contacts: upload list of contacts to a malicious server;
- get_cc: display a phishing window used to steal bank card data;
- get_listapp: upload a list of installed applications to a malicious server;
- change_redir: enable call forwarding to a specified number;
- block_phone: turn off the phone's screen;
- send_ussd: run a specified USSD request;
- update: download a file from a specified link and install it;
- send_sms: send an SMS with a specified text to a specified number.

Although we have not registered any Asacub attacks on users in the US, the fact that the logo of a major US bank is used should serve as a warning sign. It appears the Trojan is developing rapidly, and new dangerous features, which could be activated at any time, are being added to it.

As for the relationship between Asacub and the CoreBot Trojan, we were unable to trace any link between them, except that they share the same C&C server. Asacub could be CoreBot's mobile version; however, it is more likely that the same malicious actor purchased both Trojans and has been using them simultaneously.

Asacub today

Very late in 2015, we discovered a fresh Asacub modification capable of carrying out new commands:

- GPS_track_current: get the device's coordinates and send them to the attacker;
- camera_shot: take a snapshot with the device's camera;
- network_protocol: in the modifications we know of, receiving this command doesn't produce any results, but there could be plans to use it in the future to change the protocol used by the malware to interact with the C&C server.
This modification does not include any phishing screens, but banks are still mentioned in the code. Specifically, the Trojan keeps attempting to close the window of a certain Ukrainian bank's official app.

[Figure: Code used to close a banking application]

In addition, our analysis of the Trojan's communication with its C&C server has shown that it frequently gets commands to work with the mobile banking service of a major Russian bank.

During the New Year holidays, the new modification was actively distributed in Russia via SMS spam. In just one week, from December 28, 2015 to January 4, 2016, we recorded attempts to infect over 6,500 unique users. As a result, the Trojan made the Top 5 most active malicious programs. After that, the activity of the new Asacub modification declined slightly. We continue to follow developments related to this malware.