Monday, August 21, 2017

Moscow Raids Could Signal End Of Dyre Bank Trojan

Police keep mum as malware activity flatlines

One of the worst examples of financial malware appears to have fallen silent after operators were reportedly arrested in Moscow following a rare raid by the Federal Security Service of the Russian Federation (FSB). Reuters reports Russian police raided Moscow film studio 25th Floor and a neighbouring office in November. Western law enforcement authorities are apparently aware of the incident, but Moscow has kept mum, with requests to the FSB for comment unanswered at the time of writing. The Register has inquired with police and threat intelligence sources previously tracking the malware group. Little is known about the gang behind the Dyre malware.

It is understood to have links to the FBI's most wanted cyber criminal Evgeniy Mikhailovich Bogachev, aka Slavik, who switched over to the crimeware after his pet project Gameover was taken down in raids by authorities. The malware is an advanced trojan capable of evading white hat analysis tools and antivirus products, and was spreading rapidly last year.

But Dyre's spread slowed as 2015 wore on, then fell silent in November. It is known to be responsible for inflicting tens of millions of dollars in damages on Western banks and businesses in the US, the UK, and Australia, spreading through dozens of separate spam and phishing campaigns since June 2014. In May Dyre was fingered for stealing some US$5.5 million from budget carrier RyanAir, and it has fleeced individual businesses of up to $1.5 million each in large-scale wire transfers using stolen online banking credentials.

Dyre flatlines. Image: IBM.

IBM analysis shows the Dyre activity flatlined in November after a steady decline since October. Sudden silence from malware operators is generally a hallmark of arrests in the cybercrime world, but an intentional hiatus is not without precedent. Researchers from Russia's Kaspersky Labs reported the Carbanak gang had resumed campaigns with renewed gusto after falling silent for five months last year, during which time analysts assumed the gang had disbanded.

Dyre's domination. Image: IBM.

IBM security expert Limor Kessem suggests the dearth of activity gives credibility to the possible arrests. "It has been close to three months now since Dyre went silent," Kessem says. "This in and of itself could have been a pause taken by its operators, an occurrence that happens from time to time. But cybercrime gangs like Dyre do not typically stay out of the game for three whole months unless they are in trouble." Kessem says the arrests, if confirmed, would be one of the most significant in Russia's history. "A world without Dyre would definitely be safer for the financial sector in just about every country where the malware regularly attacked banks," she says. "But Dyre’s absence will also give a bigger market share to other malware."

How I hacked my hospital

Sergey Lozhkin, senior researcher at Kaspersky Lab’s GReAT, gave a talk about several critical vulnerabilities he found in one hospital’s IT infrastructure.

From Kaspersky Security Analyst Summit 2016 on Tenerife, Spain.

Skype Users Warned Of T9000 Malware Threat

Skype users are at risk of being infected with a new trojan dubbed T9000 that can record video calls, audio calls and chat messages. Researchers at Palo Alto Networks discovered the new type of backdoor malware and explained that, once installed, it can evade detection by many popular antivirus systems, including some big names such as Kaspersky and Panda. The full list from Palo Alto of security firms' software it can dodge is: Sophos, INCAInternet, DoctorWeb, Baidu, Comodo, TrustPort, GData, AVG, BitDefender, VirusChaser, McAfee, Panda, Trend Micro, Kingsoft, Norton, Micropoint, Filseclab, AhnLab, JiangMin, Tencent, Avira, Kaspersky, Rising and Qihoo 360. T9000 is a new variant of T5000, first spotted in 2013.

The payload is hidden inside spear-phishing emails with an infected .rtf document, but the malware is sophisticated enough to get in through other means when its controllers have the will. Once installed the software can record Skype calls and upload them, along with text chats, to a server.
It can also take regular screenshots.

The only saving grace is that a user has to give it permission, albeit unknowingly. An API request asking for permission for explorer.exe to access Skype appears.
In reality this should never be needed, so it should be quite clear it's dodgy. The researchers explained: "The victim must explicitly allow the malware to access Skype for this particular functionality to work. However, since a legitimate process is requesting access, the user may allow this access without realising what is actually happening. Once enabled, the malware will record video calls, audio calls and chat messages." A computer with granted permissions could also have documents stolen, even on removable drives. Skype is used more and more by businesses as part of the Office suite, so there is the potential for hackers to uncover potentially lucrative information. Palo Alto has published a list of indicators that your machine is infected, as the sheer complexity and audacity of T9000 means that prevention is more or less the only form of protection at the moment. Meanwhile, Microsoft has said that it protects users from the malware with security updates. "To further protect our customers, we’ve added detection for the malicious software known as T9000 to Windows Defender," the firm said. "Customers that have installed security updates released in 2012 (MS12-060) and 2014 (MS14-033), either manually or by enabling automatic updates, will already be protected. Our recommendation is to enable automatic updates, which installs the latest security protections, and to use the latest version of Skype."

Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage

During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001.

This signals just how long ago the Poseidon threat actor was already working on its offensive framework. Why has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were detected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept security researchers from connecting different campaigns under the umbrella of a single threat actor.

This approach entails crafting campaign components on demand and sometimes fabricating entirely unique malicious artifacts. Our research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of Poseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices involved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information gathering and privilege escalation, the sophistication level of the campaign highlights that, today, regional actors are not far behind better-known players in the global game of targeted attacks. Becoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to unearth the custom-designed infection tools deployed to each of their selected targets.

This process revealed a series of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking, unsurprising in a region with a gradually-maturing cybercrime industry.

The proper detection of each iteration of their evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of Poseidon’s combined operations required an archeological effort to match.

Frequently asked questions

What exactly is the Poseidon Group?

The Poseidon Group is a long-running team operating on all domains: land, air, and sea.

They are dedicated to running targeted attack campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools.

The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm.

Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.

The Poseidon Group has been active, using custom code and evolving their toolkit since at least 2005.

Their tools are consistently designed to function on English and Portuguese systems spanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite connections. Poseidon continues to be active at this time.

Why do you call it Poseidon’s Targeted Attack Boutique?

The presence of several text fragments found in the strings section of executable files belonging to the campaign reveals the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also coincides with their later abuse of satellite communications meant to service ships at sea).

The boutique element is reflected in their artisanally adaptive toolkit for lateral movement and data collection which appears to change from infection to infection to fit custom-tailored requirements for each of their prospective clients.

The business cycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to say that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.

How did you become aware of this threat? Who reported it?

We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor, perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on.

By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possibly earlier, and still active on the market. With this understanding, GReAT researchers were able to recognize similarities in obfuscation and development traits leading back to widely-reported but little understood variants on a sample in 2015, which searched for prominent leaders and secret documents involving them.

When did you discover this targeted attack?

The very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as noted previously, it is a very complex task to correlate indicators and evidence in order to put together all the pieces of this intricate puzzle.

By the middle of 2015 it was possible to identify that throughout this period of time it had been the same threat actor, which we call the Poseidon Group.

Who are the victims? / What can you say about the targets of the attacks?

The targets are companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing.

The geographical spread of victims is heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia. Many of the victims have joint ventures or partner operations in Brazil.

The importance of the victims is not measured in numbers, since each of these victims is a large-scale (often multinational) enterprise.

What exactly is being stolen from the target machines?

One of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such a network topology is typical for companies and enterprises. The highest value asset for these companies is proprietary information, technologies, and business-sensitive information that represents significant value in relation to investments and stock valuations.

The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information, occasionally focusing on personal information on executives.

How does Poseidon’s APT Boutique infect computers?

The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure.

The executables are also often digitally signed and occasionally hidden in alternate data streams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the infection happens, it reports to the command and control servers before beginning a complex lateral movement phase.

This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware.

This way the attackers actually know what applications and commands they can use without raising an alert to the network administrator during lateral movement and exfiltration.

What does the Poseidon Group do? What happens after a target machine is infected?

Once the target’s machine is compromised, the attacker first enumerates all processes and all services running in the system.

Then the attacker looks for all administrator accounts on both the local machine and the network.

This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest.

This reflects the Poseidon Group’s familiarity with Windows network administration.
In many cases, their ultimate interest is the Domain Controller. Additionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor connection, so the attacker may have a permanent remote connection.

What are the malicious tools used by the Poseidon Group? What are their functions?

Poseidon utilizes a variety of tools.

Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns.

A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering Toolkit), a bulky 15-megabyte executable that orchestrates a series of different information collection steps, exfiltration, and the cleanup of components.

This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement.

The IGT is coded in Delphi and includes PowerShell and SQL components across a dozen different drops.

This tool contains several other executable files written in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from a target.

The main purpose of the IGT tool is to make an inventory of the system, saving information from the network interfaces and addresses, credentials belonging to the Domain and database server, services being run from the OS and everything that could help the Poseidon Group make its attack more customized to its victim.

Are the attackers using any zero-day vulnerabilities?

No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign. Poseidon’s conventional means of deceiving users with executable files posing inside Word and RTF document files, and actual poisoned documents with malicious macro-scripts, has been the sole method used for compromising their desired targets.

As we have seen in other targeted campaigns, social engineering and carefully crafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.

Is this a Windows-only threat? Which versions of Windows are targeted?

Poseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the infection method for each one so as to gather different information and hide its presence after the initial infection. Other products usually found in corporate environments, such as SQL Server, are being used for lateral movement and credential harvesting using a customized toolset designed by the crafty Poseidon Group.

Because of Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and Windows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to them, given the emphasis on reaching Domain Controllers in corporate environments).

How is this different from any other targeted attack?

The extortion elements of this campaign are what set it apart from others.

The exfiltration of sensitive data is done in order to coerce the victim into a business relationship under the threat of exchanging this information with competitors or leveraging it as part of the company’s offering of ‘investment forecasting’.

Additionally, this is the first ever publicly known Portuguese-speaking targeted attack campaign.

Are there multiple variants of the Poseidon Group’s malware? Are there any major differences in the variants?

Poseidon has maintained a consistently evolving toolkit since the mid-2000s.

The malware has not avoided detection but instead been so inconspicuous as to not arouse much suspicion due to the fact that this malware only represents the initial phase of the attack.

An altogether different component is leveraged once Poseidon reaches an important machine like an enterprise’s Domain Controller.

This is where the main collection takes place by use of the IGT (Information Gathering Tool) toolkit.

Is the command and control server used by the Poseidon Group still active? Have you been able to sinkhole any of the command and controls?

The Poseidon Group has interesting practices when it comes to its use of command and control servers, including redundancies and quickly discarding command and control (C&C) servers after specific campaigns.

This has actually allowed us to sinkhole several domains.

A few of these still had active infections attempting to report to the C&Cs.

This adds an interesting dimension to the story.

As part of Kaspersky Lab’s commitment to securing cyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution, and provided them with indicators of compromise (IOCs) to help root out the active infection. In the process, we were able to confirm the previously described operating procedures for the Poseidon Group.

Is this a state-sponsored attack? Who is responsible?

We do not believe this to be a state-sponsored attack but rather a commercial threat player.

Collaboration with information-sharing partners and victim institutions allowed us to become aware of the more complicated business cycle involved in this story, greatly adding to our research interest in tracking these campaigns.

The malware is designed to function specifically on English and Portuguese-language systems.

This is the first ever Portuguese-speaking targeted attack campaign.

How long have the attackers been active?

The attackers have been active for more than ten years.

The main distribution of samples goes back to 2005 with possible earlier outliers. Operating systems such as Windows 95 for desktop computers and Windows NT for server editions were not uncommon at the time, and Poseidon’s team has evolved gradually into targeting the latest flagship editions of Microsoft’s operating systems. Recent samples show interest in Windows Server 2012 and Windows 8.1.

Did the attackers use any interesting/advanced technologies?

During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks.

The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks. The malware authors also possess an interesting understanding of execution policies which they leverage to manipulate their victim systems.

They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases.

These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders.

Does Kaspersky Lab detect all variants of this malware?

Yes, all samples are detected by signatures and also heuristics. With a fully updated Kaspersky Lab anti-malware solution, all customers are protected now. Kaspersky Lab products detect the malware used by the Poseidon Group with the following detection names:
Backdoor.Win32.Nhopro
HEUR:Backdoor.Win32.Nhopro.gen
HEUR:Hacktool.Win32.Nhopro.gen

How many victims have you found?

At least 35 victim companies have been identified, with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and public relations firms. The archaeological effort of understanding such a long-standing group can severely complicate victim identification. We see traces of upwards of a few tens of companies targeted.

The exact number of the victims may actually vary. Since it is a very long term group, some victims may be impossible to identify now. At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat.

Any victims or potential targets concerned about this threat should please contact us at intelreports@kaspersky.com.

Who is behind these attacks?

We do not speculate on attribution. The language code used to compile implants, as well as the language used to describe certain commands used by the group, actually corresponds to Portuguese from Brazil.

The inclusion of Portuguese language strings and preference for Portuguese systems is prominent throughout the samples. The tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests. Speculating further would be unsubstantiated.

Reference sample hashes:
2ce818518ca5fd03cbacb26173aa60ce
f3499a9d9ce3de5dc10de3d7831d0938
0a870c900e6db25a0e0a65b8545656d4
2fd8bb121a048e7c9e29040f9a9a6eee
4cc1b23daaaac6bf94f99f309854ea10
2c4aeacd3f7b587c599c2c4b5c1475da
f821eb4be9840feaf77983eb7d55e5f6
2ce818518ca5fd03cbacb26173aa60ce

Command and control servers:
akamaihub[.]com – SINKHOLED by Kaspersky Lab
igdata[.]net – SINKHOLED by Kaspersky Lab
mozillacdn[.]com – SINKHOLED by Kaspersky Lab
msupdatecdn[.]com – SINKHOLED by Kaspersky Lab
sslverification[.]net – SINKHOLED by Kaspersky Lab

For more about countering Poseidon and similar attacks, read this article in the Kaspersky Business Blog.

Adwind: FAQ

Adwind – a cross-platform RAT, multifunctional malware program which is distributed through a single malware-as-a-service platform.

Different versions of the Adwind malware have been used in attacks against at least 443,000 private users, commercial and non-commercial organizations around the world.

APT-style bank robberies increase with Metel, GCMAN and Carbanak 2.0 attacks

Introduction

In late 2014, Kaspersky Lab researchers made a worrying prediction: financially-motivated cyber-criminals would adopt sophisticated tactics and techniques from APT groups for use in bank robberies. Just a few months later, in February 2015, we announced the discovery of Carbanak, a cyber-criminal gang that used custom malware and APT techniques to steal millions of dollars while infecting hundreds of financial institutions in at least 30 countries. Since then, we have seen an increase in these covert, APT-style attacks that combine the use of reconnaissance, social engineering, specialized malware, lateral movement tools and long-term persistence to steal money from financial institutions (particularly ATMs and money transfer systems).

Today at the Security Analyst Summit (SAS 2016), Kaspersky Lab is announcing the discovery of two new gangs engaged in APT-style bank robberies – Metel and GCMAN – and the reemergence of the Carbanak group with new targets in its sights. In 2015, Kaspersky Lab researchers conducted Incident Response for 29 organizations located in Russia and infected by these three groups. Due to the active nature of law enforcement investigations and non-disclosure agreements with victim organizations, Kaspersky Lab cannot provide extensive details of the attacks. Kaspersky Lab is releasing crucial Indicators of Compromise (IOC) and other data to help organizations search for traces of these attack groups in their corporate networks (see below).

The story of Metel – ATM balance rollbacks

In summer 2015, a bank in Russia discovered it had lost millions of rubles in a single night through a series of strange financial transactions. The bank’s clients were making withdrawals from ATMs belonging to other banks and were able to cash out huge sums of money while their balances remained untouched. The victim bank didn’t realize this until it tried to recoup the money withdrawn from the other banks’ ATMs.

During our incident response, we discovered the solution to this puzzle: Metel, a modular malware program also known as Corkow. The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems. Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines.

Image: Encrypted configuration for Metel malware plugins.

Our investigations revealed that the attackers drove around several cities in Russia, stealing money from ATMs belonging to different banks. With the automated rollback in place the money was instantly returned to the account after the cash had been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations.

In all, we discovered Metel in more than 30 financial institutions, but Kaspersky Lab’s incident responders were able to clean the networks before any major damage could be done. It is highly likely that this threat is far more widespread and we urge financial institutions around the world to scan their networks for signs of the Metel malware. The Metel criminal group is still active. At the moment, we don’t have any information about any victims outside Russia.

A second group, which we call GCMAN because the malware is based on code compiled with the GCC compiler, emerged recently using similar techniques to the Metel group to infect banking institutions and attempt to transfer money to e-currency services. The initial infection mechanism is handled by spear-phishing financial institution targets with e-mails carrying a malicious RAR archive. Upon opening the RAR archive, an executable is started instead of a Microsoft Word document, resulting in infection. Once inside the network, the GCMAN group uses legitimate and penetration testing tools such as Putty, VNC, and Meterpreter for lateral movement. Our investigation revealed an attack where the group then planted a cron script into the bank’s server, sending financial transactions at the rate of $200 per minute. A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank.

Image: Decompiled code of the GCMAN malware responsible for connecting to the CnC.

In a stroke of luck, the financial institutions discovered the suspicious activity on their network in time to neutralize the threat and cancel the transactions. One interesting observation is that the real attack happened approximately 18 months before it was discovered. The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later, they came back to cash out. During that time they poked 70 internal hosts and compromised 56 accounts, making their way in from 139 attack sources (TOR and compromised home routers). We discovered that about two months before the incident someone was trying different passwords for an admin account on a banking server. They were really persistent but doing it only three times a week, and then only on Saturdays, in an effort to stay under the radar.

Kaspersky Lab’s research team responded to three financial institutions in Russia that were infected with the GCMAN malware. It is likely that this threat is far more widespread and we urge banks to sweep their networks for signs of this cyber-criminal group.

Carbanak 2.0: new targets beyond banks

After our exposure of the Carbanak group exactly a year ago, the group disappeared for about five months, leading us to believe that the operation was disbanded. However, in September last year, our friends at CSIS published a blog detailing a new Carbanak variant affecting one of its customers. In December 2015, we confirmed that the group was still active. Kaspersky Lab discovered signs of Carbanak in two institutions – a telecommunications company and a financial institution.

Image: Executable files found in SHIM during Carbanak incident response.

One interesting characteristic of Carbanak 2.0 is a different victim profile. The group has moved beyond banks and is now targeting the budgeting and accounting departments in any organization of interest to them, using the same APT-style tools and techniques. In one remarkable case, the Carbanak 2.0 gang used its access to a financial institution that stores information about shareholders to change the ownership details of a large company. The information was modified to name a money mule as a shareholder of the company, displaying their IDs. It’s unclear how they wanted to make use of this information in future.

Kaspersky Lab products successfully detect and block the malware used by the Carbanak 2.0, Metel and GCMAN threat actors with the following detection names:
Trojan-Dropper.Win32.Metel
Backdoor.Win32.Metel
Trojan-Banker.Win32.Metel
Backdoor.Win32.GCMan
Backdoor.Win64.GCMan
Trojan-Downloader.Win32.GCMan
Trojan-Downloader.Win32.Carbanak
Backdoor.Win32.Carbanak

Kaspersky Lab urges all organizations to carefully scan their networks for the presence of Carbanak, Metel and GCMAN and, if detected, to disinfect their systems/computers/networks and report the intrusion to law enforcement. All this information has been made available to customers of our APT intelligence reporting service, and they received the indicators of compromise and context information as soon as they became available. Indicators of Compromise (IOC) are available here: Metel, GCMAN, Carbanak 2.0. For more about the measures to be taken against these Bank Busters and similar offensives, read this article in the Kaspersky Business Blog.
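The GCMAN password guessing described above (three attempts a week, Saturdays only, for about two months) sits below any per-hour lockout or burst threshold. The following Python script is an added example, not code from the Kaspersky report: it parses constructed sshd-style log lines, groups failures per account and source, and flags sources that keep coming back week after week at a low rate without ever logging in. The log format, hostname and addresses are assumptions made for the example.

```python
"""Low-and-slow password-guessing detector (added example, not from the report).

Per-hour burst thresholds never fire on a source that tries three passwords a
week, always on the same weekday.  This detector aggregates failed logins per
(account, source) over a long window and flags sources that keep returning at a
low rate for many weeks without ever succeeding.  Log format, hostnames and
addresses are constructed for the example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def build_sample_log():
    """Construct sshd-style lines covering three patterns: a low-and-slow
    campaign, a conventional burst, and a legitimate user who mistypes."""
    lines = []

    def emit(ts, result, user, src):
        n = len(lines)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} bank-srv01 sshd[{1000 + n}]: "
                     f"{result} password for {user} from {src} port {40000 + n} ssh2")

    # 1) Three failures every Saturday for eight weeks (2015-03-07 is a Saturday).
    sat = datetime(2015, 3, 7, 2, 14, 9)
    for _ in range(8):
        for k in range(3):
            emit(sat + timedelta(minutes=17 * k), "Failed", "admin", "198.51.100.23")
        sat += timedelta(weeks=1)
    # 2) A noisy burst: 40 failures within an hour from another source.
    burst = datetime(2015, 4, 2, 11, 0, 0)
    for k in range(40):
        emit(burst + timedelta(seconds=90 * k), "Failed", "admin", "203.0.113.9")
    # 3) Legitimate user: one typo a week, each followed by a successful login.
    ok = datetime(2015, 3, 9, 9, 10, 0)
    for _ in range(8):
        emit(ok, "Failed", "jdoe", "10.0.0.15")
        emit(ok + timedelta(seconds=5), "Accepted", "jdoe", "10.0.0.15")
        ok += timedelta(weeks=1)
    return sorted(lines)  # timestamps lead each line, so this is chronological


def parse(lines):
    """Yield (timestamp, result, user, source) for lines matching LINE_RE."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["src"])


def find_low_and_slow(lines, min_weeks=4, max_per_week=6, min_weekday_share=0.8):
    """Flag (user, source) pairs whose failures span at least min_weeks distinct
    ISO weeks, average at most max_per_week failures per active week, fall at
    least min_weekday_share on one weekday, and never led to an accepted login."""
    failures = defaultdict(list)
    succeeded = set()
    for ts, result, user, src in parse(lines):
        if result == "Failed":
            failures[(user, src)].append(ts)
        else:
            succeeded.add((user, src))
    findings = []
    for (user, src), stamps in failures.items():
        if (user, src) in succeeded:
            continue  # the operator-typo pattern, not an unanswered guessing campaign
        weeks = {ts.isocalendar()[:2] for ts in stamps}
        if len(weeks) < min_weeks or len(stamps) / len(weeks) > max_per_week:
            continue  # too short-lived, or a burst that a rate rule already catches
        weekday, count = Counter(ts.strftime("%A") for ts in stamps).most_common(1)[0]
        if count / len(stamps) < min_weekday_share:
            continue
        findings.append({"user": user, "source": src, "attempts": len(stamps),
                         "weeks_active": len(weeks), "weekday": weekday,
                         "first": min(stamps), "last": max(stamps)})
    return findings


if __name__ == "__main__":
    for f in find_low_and_slow(build_sample_log()):
        print(f"{f['user']}@{f['source']}: {f['attempts']} failures over "
              f"{f['weeks_active']} weeks, {f['weekday']}s only, "
              f"{f['first']:%Y-%m-%d} to {f['last']:%Y-%m-%d}")
```

The burst source is deliberately left to a conventional rate rule; this detector only reports the campaign that such rules miss, so the two should run side by side.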

Kaspersky Security Analyst Summit 2016: The Live Blog

Live blog from Kaspersky Security Analyst Summit on Tenerife, Spain. Stay tuned for updates, photos and news.

Social Media Wall: TheSAS2016

Wonderful tweets and posts from Kaspersky Security Analyst Summit 2016 on Tenerife, Spain

Kaspersky Security Bulletin. Spam and phishing in 2015

The year in figures

According to Kaspersky Lab, in 2015:

The proportion of spam in email flows was 55.28%, which is 11.48 percentage points lower than in 2014.
79% of spam emails were no more than 2 KB in size.
15.2% of spam was sent from the US.
146,692,256 instances that triggered the ‘Antiphishing’ system were recorded.
Russia suffered the highest number of phishing attacks, with 17.8% of the global total.
Japan (21.68%) took the lead in the ranking of unique users attacked by phishers.
34.33% of phishing attacks targeted online financial organizations (banks, payment systems and online stores).

New domain zones in spam

In early 2015, we registered a surge in the number of new top-level domains used for distributing mass mailings. This was caused by growing interest among spammers in the New gTLD program launched in 2014. The main aim of this program is to give organizations the opportunity to choose a domain zone that is consistent with their activities and the themes of their sites. The business opportunities provided by New gTLD were enthusiastically endorsed by the Internet community, and active registration of new domain names is still ongoing.

However, new domain zones almost immediately became an arena for the large-scale distribution of spam, as cybercriminals registered domains to spread mass mailings. At first, there was some logical connection between the theme of the spam and the domain name, but this changed as the year went on and the domain names used in mass mailings were, on the whole, not related to the subject of the spam. However, even now we still come across isolated cases where the connection is noticeable. For example, online dating sites are often placed in the .date zone. This lack of any connection between the domain name and spam theme was mainly caused by the cost of new domains.
The attackers try to choose the cheapest possible hosting because the sites will often be used just once for a specific spam mass mailing, so the domain name does not play a major role. Instead, the deciding factors tend to be the cost of the domains and the discounts that small registrars are willing to provide for bulk purchases.

Spammer tricks: methods for expressing domain names

Scammers try to make every email unique in order to bypass mass filtering and complicate the work of content filters. It is quite easy to make each text different by using similar characters from other alphabets, or by changing the word and sentence order, etc. But there is always the address of the spammer site – it can’t be changed so easily, and the whole point of sending out spam is for users to click a link to the advertised site. Over the years, spammers have come up with numerous ways to hide the spammer site from anti-spam filters: redirects to hacked sites, generation of unique links to short URL services, the use of popular cloud services as redirects, etc.

In 2015, in addition to the methods mentioned above, spammers also focused on ways of expressing domain names and IP addresses. Here we take a closer look at these tricks by studying examples taken from a variety of spam messages.

Special features of the IP protocol: different IP formats

The standard way of writing an IPv4 address is the dotted-decimal format, where the value of each byte is given as a decimal number from 0 to 255 and the bytes are separated by dots. However, there are other formats that browsers will interpret correctly: binary, octal and hexadecimal, and the dword (undotted integer) format, in which every byte of the IP address is first converted to hexadecimal, all the bytes are then written as one number in the order they appear in the address, and that number is converted to decimal.
All these formats can be combined by writing each part of the IP address in a different way, and the browser will still interpret it correctly! These techniques are exploited by spammers. They write the same IP addresses in many different ways, including combinations of different formats:

oct – hex
oct – dword
hex – dword

Addresses in hexadecimal format can be written with and without dots separating the numbers.

Additionally, 4294967296 (256^4) can be added any number of times to the number in the integer (dword) format, and the result will still be interpreted as the same IP address.

In the decimal format, the number 256 can be added to each part of the IP address any number of times – as long as the result has three digits, the address will be interpreted correctly. In the octal format, any number of leading zeros can be added to the IP address and it will remain valid. You can also insert any number of forward slashes in the address.

Although some legitimate libraries can store IP addresses in different formats, using any format other than standard dotted-decimal in a URL (i.e., in the links being referred to) is prohibited.

Obfuscation of an IP address, or how many ways can a number be written in Unicode

We have already written about the obfuscation of key words in spam using various Unicode ranges. The same tricks can be applied when writing IP addresses and domain names. With regard to IP addresses, in 2015 spammers often used Unicode digits from the so-called full-width range. Normally, it is used with hieroglyphic languages so that Latin letters and numbers do not look too small and narrow compared to the hieroglyphics. We also came across digits from other ranges – circled digits, underscored digits, etc.

Obfuscation of domains

As mentioned above, this trick also works with domains. Unicode has even more letter ranges than numerical ones.
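The following Python function is an added example, not code from the Kaspersky report. It canonicalises an IPv4 host literal written in any of the notations described above (dotted decimal, hexadecimal with or without dots, octal with leading zeros, the dword/undotted integer form, mixtures of these, and full-width or circled Unicode digits) back to standard dotted-decimal, so that a mail filter can compare the real destination against its blocklists and flag non-canonical spellings. Strict mode follows the WHATWG URL specification's IPv4 parsing rules; the lenient flag is an assumption that models the older clients the report describes, which silently wrap values that have had 256 or 4294967296 added to them. The host strings in the demo are constructed spellings of the loopback address.

```python
import re
import unicodedata

# The three numeric notations a WHATWG-style IPv4 parser accepts for one
# dot-separated label: "0x.." hexadecimal, leading-zero octal, plain decimal.
_HEX = re.compile(r"^0[xX][0-9a-fA-F]*$")
_OCT = re.compile(r"^0[0-7]*$")
_DEC = re.compile(r"^[1-9][0-9]*$")


def parse_label(label):
    """Integer value of one label, or None when it is not a numeric label."""
    if _HEX.match(label):
        return int(label[2:], 16) if len(label) > 2 else 0  # bare "0x" is 0
    if _OCT.match(label):
        return int(label, 8)           # any number of leading zeros is valid
    if _DEC.match(label):
        return int(label, 10)
    return None                        # e.g. "08", "example", ""


def normalize_ipv4_host(host, lenient=False):
    """Canonicalise an IPv4 host literal to dotted-decimal.

    Returns (canonical, was_obfuscated), or (None, False) when the host is not
    an IPv4 literal. Strict mode follows the WHATWG URL IPv4 parser: every
    label but the last must be below 256 and the last must fit the remaining
    bytes. lenient=True is an assumption modelling the older clients described
    in the text, which wrap out-of-range values (so adding 256 to a label or
    4294967296 to a dword changes nothing).
    """
    # Fold compatibility digits such as full-width "１" (U+FF11) to ASCII first.
    folded = unicodedata.normalize("NFKC", host)
    labels = folded.split(".")
    if len(labels) > 1 and labels[-1] == "":   # tolerate a single trailing dot
        labels.pop()
    if len(labels) > 4:
        return None, False
    values = [parse_label(lab) for lab in labels]
    if any(v is None for v in values):
        return None, False
    *head, last = values
    for i, v in enumerate(head):
        if v > 255:
            if not lenient:
                return None, False
            head[i] = v % 256
    limit = 256 ** (5 - len(values))   # bytes the last label has to cover
    if last >= limit:
        if not lenient:
            return None, False
        last %= limit
    value = last
    for i, v in enumerate(head):
        value += v << (8 * (3 - i))
    canonical = ".".join(str((value >> s) & 0xFF) for s in (24, 16, 8, 0))
    return canonical, canonical != host


if __name__ == "__main__":
    # Constructed spellings of the loopback address plus two non-IP hosts.
    for h in ["127.0.0.1", "0x7f.0.0.1", "0177.0.0.01", "2130706433",
              "0x7f000001", "127.1", "\uff11\uff12\uff17.0.0.1",
              "6425673729", "example.com"]:
        print(repr(h), "->", normalize_ipv4_host(h),
              normalize_ipv4_host(h, lenient=True))
```

A filter would run this on the host part of every link before any reputation lookup: a literal that parses but whose canonical form differs from what was written is itself a strong spam signal, since legitimate mail almost never carries hexadecimal or dword addresses.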
Spammers often used multiple ranges in a single link (changing them randomly in every email, thereby increasing the variability within a single mass mailing). To make the links even more unique, rather than obfuscating the spammer site itself the scammers obfuscated the short URL services where the links to the main site were generated in large quantities.

Interpreting URL symbols

URLs contain special symbols that spammers use to add ‘noise’. Primarily, it is the @ symbol, which is intended for user authentication on the site. A link such as http://login:password@domain.com means that the user wants to enter the site domain.com using a specific username (login) and password. If the site does not require authentication, everything that precedes the @ symbol will simply be ignored. We came across mass mailings where spammers simply inserted the @ symbol in front of the domain name, and mass mailings where the @ symbol was preceded by a random (or non-random) sequence.

It is interesting that this technique was used to obfuscate links; that is usually the prerogative of phishers. This method of presenting URLs can be used by fraudsters to trick users into thinking that a link leads to a legitimate site. For example, in the link http://google.com@spamdomain.com/anything the domain that the browser accepts is spamdomain.com, not google.com. However, in order to trick users, spammers have used another domain-related technique: they registered lots of domains beginning with com-. With third-level domains the links in emails looked like this: http://learnmore.com-eurekastep.eu/find. If you don’t look carefully, you might think that the main domain is learnmore.com, whereas it is in fact com-eurekastep.eu.

In addition to the @ symbol, scammers filled links with other symbols: www.goo&zwj.g&zwjl/0Gsylm. In this example the “&zwj” fragment has been inserted randomly in different parts of the goo.gl domain, making the link unique in each email.
This insertion is called a zero-width joiner; it is used to combine several individual symbols into one in languages such as Hindi, as well as in emoticons. Within the domain, it obviously carries no semantic meaning; it simply obfuscates the link.

Yet another method of obscuring links is the use of a “soft hyphen” (SHY). In HTML, SHY is a special symbol that is not visible in the text, but if a word containing it doesn’t fit at the end of a line, the part after the symbol is moved to the next line and a hyphen is added to the first part. Typically, browsers and email clients ignore this symbol inside links, so spammers can embed it anywhere in a URL and as often as they like. We came across a mass mailing where soft hyphens had been inserted in the domain more than 200 times (in hexadecimal encoding).

As well as the soft hyphen, there are other special symbols used in domains – the ordinal indicator (&ordm;) and the superscripts 1 and 2 (&sup1;, &sup2;) – that can be interpreted by some browsers as the letter “o” and the digits “1” and “2” respectively.

Reiteration of a popular domain name

Another original way of adding noise to links used by spammers in 2015 was the use of a well-known domain as a redirect. This trick is not new, but this time the fraudsters added the same well-known domain several times.

Emails without a URL

It is also worth mentioning those cases where no domains were used at all. Instead of a URL, a number of spam mailings contained a QR code. Other mass mailings prompted the user to enter a random sequence in a search engine; the link to the site appeared at the top of the search results.

World events in spam

The next Olympic Games in Brazil only take place in the summer of 2016, but already in 2015 fraudulent notifications of lottery wins dedicated to this popular sporting event were being registered.
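To show how the symbol-level tricks in this section (the @ decoy, com- prefixed labels, zero-width joiners, soft hyphens and the &ordm;/&sup1;/&sup2; entities) look to a filter that undoes them, here is an added Python example, not code from the report. It unescapes HTML entities, removes zero-width and other Unicode format characters, folds compatibility characters with NFKC, and then extracts the host a browser would actually connect to. The sample links are constructed and use reserved .example hosts; the flag names are my own.

```python
import html
import unicodedata
from urllib.parse import urlsplit

# Constructed sample links illustrating the tricks described above; the hosts
# use the reserved .example TLD and are not real spam domains.
SAMPLE_LINKS = [
    "http://google.com@spamdomain.example/anything",   # trusted name as userinfo
    "http://@spamdomain.example/",                      # bare @ before the host
    "http://learnmore.com-eurekastep.example/find",     # "com-" label lookalike
    "http://www.goo&zwj;.g&zwj;l/0Gsylm",               # zero-width joiner noise
    "http://sp&shy;am&shy;dom&shy;ain.example/",        # soft hyphens
    "http://d&ordm;main&sup1;.example/",                # º and ¹ stand in for o and 1
    "http://example.com/",                              # clean control
]


def strip_character_noise(text):
    """Undo entity, zero-width and compatibility-character obfuscation."""
    text = html.unescape(text)   # &zwj; &shy; &ordm; &sup1; ... -> real characters
    # ZWJ (U+200D) and SHY (U+00AD) are Unicode "Cf" format characters; drop them all.
    text = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", text)   # º -> o, ¹ -> 1, full-width -> ASCII


def audit_link(raw):
    """Return (host the browser would contact, list of obfuscation flags)."""
    cleaned = strip_character_noise(raw)
    parts = urlsplit(cleaned)
    host = parts.hostname or ""
    flags = []
    if cleaned != raw:
        flags.append("character_noise")
    if parts.username is not None:          # anything before '@' is not the destination
        flags.append("userinfo_decoy")
    if any(label.startswith("com-") for label in host.split(".")):
        flags.append("com_prefixed_label")
    return host, flags


def audit_all(links=SAMPLE_LINKS):
    """Audit every link; maps the raw link to (effective host, flags)."""
    return {link: audit_link(link) for link in links}


if __name__ == "__main__":
    for link, (host, flags) in audit_all().items():
        print(f"{link}\n    -> {host}  {flags}")
```

The order of the steps matters: entities must be decoded before format characters are stripped (the soft hyphen only exists after &shy; is unescaped), and NFKC folding must precede host extraction so that a superscript digit or full-width letter ends up inside the hostname rather than breaking it.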
These included emails containing an attached PDF file that informed recipients that their address had been randomly selected out of millions of email addresses. In order to claim the prize it was necessary to respond to the email and provide specific personal information. In addition to the text, the attachments contained various graphical elements (logos, photos, etc.). The fake lottery win notifications, which were of considerable length, were often sent out as attachments to bypass spam filtering.

In 2015, ‘Nigerian’ scammers exploited political events in Ukraine, the war in Syria, the presidential elections in Nigeria and the earthquake in Nepal to convince recipients that their stories were genuine. The authors primarily sought help to invest huge sums of money or asked for financial assistance. These so-called Nigerian letters made use of the customary tricks to deceive recipients and extort money from them. Emails about the war in Syria often mentioned refugees and Syrian citizens seeking asylum in Europe. Some emails were made to look as if they had been sent directly from refugee camps and contained complaints about the poor conditions.

Statistics

Proportion of spam in email traffic

In 2015, the proportion of spam in email traffic was 55.28%, which is 11.48 percentage points lower than the previous year.

The proportion of spam in email traffic, 2015

The most noticeable drop was registered in the first months of 2015 – from 61.86% in January to 53.63% in April. The fluctuations throughout the rest of the year were minor – within 1-2 percentage points.

Sources of spam by country

Sources of spam by country, 2015

In 2015, there was a slight change to the top three sources of spam: China (6.12%) dropped to fourth, although the proportion of spam distributed from that country actually increased by 0.59 percentage points. Replacing it in third place was Vietnam (6.13%), which saw 1.92 percentage points added to its share.
Russia (6.15%) remained in second place with an increase of 0.22 percentage points, while the US (15.16%) remained the undisputed leader despite a decrease of 1.5 percentage points.

In 2015, users in the USA were targeted by 4.92% of worldwide malicious emails.

As was the case in 2014, Germany came fifth (4.24%), with its contribution increasing by 0.24 percentage points. The rest of the Top 10 consisted of Ukraine (3.99%, +0.99 p.p.), France (3.17%, +0.62 p.p.), India (2.96%, no change), Argentina (2.90%, -0.65 p.p.) and Brazil (2.85%, +0.42 p.p.).

The size of spam emails

The size of spam emails in 2015

The proportion of super-short spam emails (under 2 KB) grew in 2015 and averaged 77.26%, while the share of emails sized 2-5 KB fell to 9.08%. The general trend of 2015 was a reduction in the size of emails.

Malicious attachments in email

The Top 10 malicious programs spread by email in 2015

The notorious Trojan-Spy.HTML.Fraud.gen remained the most popular malicious program sent by email. This program is a fake HTML page sent via email that imitates an important notification from a large commercial bank, online store, software developer, etc. This threat appears as an HTML phishing website where the user has to enter personal data, which is then forwarded to cybercriminals.

Trojan-Downloader.HTML.Agent.aax was in second place, while ninth and tenth positions were occupied by Trojan-Downloader.HTML.Meta.as and Trojan-Downloader.HTML.Meta.ay respectively. All three are HTML pages that, when opened by users, redirect them to a malicious site. Once there, a victim usually encounters a phishing page or is offered a download – Binbot, a binary option trading bot. These malicious programs spread via email attachments and the only difference between them is the link that redirects users to the rigged sites.

Third was Trojan-Banker.Win32.ChePro.ink.
This downloader is a CPL applet (a Control Panel component) that downloads Trojans designed to steal confidential financial information. Most malicious programs of this type are aimed at Brazilian and Portuguese banks.

Email-Worm.Win32.Mydoom.l was in fourth place. This network worm spreads as an email attachment, via file-sharing services and via writable network resources. It harvests email addresses from infected computers so they can be used for further mass mailings. To send the email, the worm connects directly to the SMTP server of the recipient.

Next came Trojan.JS.Agent.csz and Trojan-Downloader.JS.Agent.hhi, which are downloaders written in JavaScript. These malicious programs may contain several addresses (domains) which the infected computer calls in turn. If a call is successful, a malicious EXE file is downloaded to the temp folder and run.

Trojan-PSW.Win32.Fareit.auqm was in eighth position. Fareit Trojans steal browser cookies and passwords from FTP clients and email programs and then send the data to a remote server run by cybercriminals.

Malware families

Throughout the year, Upatre remained the most widespread malware family. Malware from this family downloads the Trojan banker known as Dyre/Dyreza/Dyzap.

MSWord.Agent and VBS.Agent occupied second and third places respectively. To recap, the MSWord.Agent programs are DOC files with an embedded macro written in Visual Basic for Applications (VBA), which runs on opening the document. It downloads and runs other malware, such as Andromeda. VBS.Agent, as the name suggests, uses an embedded VBS script. To download and run other malware on the user’s computer, the malicious programs of this family utilize the ADODB.Stream technology.

The Andromeda family came fourth. These programs allow the attackers to secretly control infected computers, which often become part of a botnet. Notably, in 2014 Andromeda topped the rating of the most widespread malware families.
The Zbot family came fifth. Representatives of this family are designed to carry out attacks on servers and user computers, and also to capture data. Although ZeuS/Zbot is capable of carrying out various harmful actions, it is most often used to steal banking information.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, 2015

For the previous three years, the Top 3 countries most often targeted by mailshots had remained unchanged – the US, the UK and Germany. However, in 2015, spammers altered their tactics and targets. As a result, Germany came first (19.06%, +9.84 p.p.) followed by Brazil (7.64%, +4.09 p.p.), which was only sixth in 2014.

The biggest surprise in Q3, and in the whole of 2015, was Russia’s rise to third place (6.30%, +3.06 p.p.). To recap, in 2014 Russia was ranked eighth, with no more than 3.24% of all malicious spam being sent to the country. We would like to believe that despite the trend seen in recent quarters, the number of malicious mass mailings sent to Russia will decrease. As for the total number of malicious attachments sent via email, their number is likely to grow in 2016, and the theft of personal information and Trojan ransomware will occupy the top places.

Special features of malicious spam

In spam traffic for 2015 we registered a burst of mass mailings with macro viruses. The majority of emails containing macro viruses in Q1 were sent with attachments with a .doc or .xls extension and belonged to the Trojan downloader category, designed to download other malicious programs. As a rule, the malicious attachments imitated various financial documents: notifications about fines or money transfers, unpaid bills, payments, complaints, e-tickets, etc. They were often sent on behalf of employees of real companies and organizations.
The danger posed by macro viruses is not restricted to their availability and ease of creation. A macro virus can infect not only the document that is opened initially but also a global macro common to all similar documents, and consequently all the user’s documents that use global macros. Moreover, the VBA language is sufficiently functional to be used for writing malicious code of all kinds.

In 2015, cybercriminals specializing in malicious spam continued to distribute malware in non-standard archive formats (.cab, .ace, .7z, .z, .gz). These formats were introduced long ago and are used by specialists in software development and installation, but they are largely unknown to ordinary users, unlike ZIP and RAR. Another difference is the high degree of file compression, which is used to reduce email sizes to a minimum and bypass spam filtering. These malicious archives were passed off as a variety of attachments (orders, invoices, photographs, reports, etc.) and contained different malicious programs (Trojan-Downloader.Win32.Cabby, Trojan-Downloader.VBS.Agent.azx, Trojan-Spy.Win32.Zbot.iuk, HawkEye Keylogger, etc.). The vast majority of emails were in English, though there were messages in other languages.

In 2014, cybercriminals were particularly active in sending out fake emails from mobile devices and notifications from mobile apps containing malware and adverts. In 2015, the mobile theme continued: malicious programs were distributed in the form of .apk and .jar files, which are in fact archived executable application files for mobile devices. Files with the .jar extension are usually ZIP archives containing a program in Java, and they are primarily intended to be launched from a mobile phone, while .apk files are used to install applications on Android.
In particular, cybercriminals masked the mobile encryption Trojan SLocker behind a file purporting to contain updates for Flash Player: when run, it encrypts images, documents and video files stored on the device. After launching, a message is displayed telling the user to pay a fee in order to decrypt the files. Another .jar archive contained Backdoor.Adwind, written in Java. This multi-platform malicious program can be installed not only on mobile devices but also on Windows, Mac and Linux.

The attackers who send out malware in files for mobile devices are most probably hoping that recipients using email on a mobile device will install the malicious attachment. With every year, cybercriminals are becoming more interested in mobile devices. This is primarily due to the constant increase in activity by mobile users (using messengers and other methods of exchanging data) and the migration of various services (e.g., financial transactions) to mobile platforms, and of course, one user may have several mobile devices. Secondly, it is due to the emergence of various popular apps that can be used by cybercriminals both directly (for sending out spam, including malicious spam) and indirectly (in phishing emails). For example, users of the popular messenger WhatsApp fall victim not only to traditional advertising spam but also to virus writers. Mobile users should be especially careful because cybercriminal activity in this sphere is only likely to increase.

Phishing

Main trends

In 2015, the Anti-Phishing system was triggered 148,395,446 times on computers of Kaspersky Lab users. 60% (89,947,439) of those incidents were blocked by deterministic components and 40% (58,448,007) by heuristic detection components.

Methods of distributing phishing content

The methods used by cybercriminals to spread phishing content have long gone beyond the framework of email clients. For example, one of the most popular ways of distributing phishing pages is pop-up ads.
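As an added example for the attachment types discussed in the Top 10 list and in the passages above (CPL applets, macro-carrying .doc/.xls files, unusual archive formats, .jar/.apk packages), and not code from the report, the following Python script parses an email message with the standard library and, for each attachment, compares the declared extension with the container's well-known leading bytes. It flags macro-capable documents, unusual archives, mobile packages, double extensions and PE executables hiding under a harmless name. The message and its attachment contents are constructed (each body is just a magic number followed by padding); the extension groups and flag names are my own.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension groups drawn from the text above (plus a few obvious relatives).
UNUSUAL_ARCHIVES = {".cab", ".ace", ".7z", ".z", ".gz"}
MOBILE_PACKAGES = {".apk", ".jar"}
MACRO_DOCUMENTS = {".doc", ".xls", ".docm", ".xlsm"}
EXECUTABLES = {".exe", ".cpl", ".scr", ".js", ".vbs"}

# Well-known leading bytes of the containers involved.
MAGIC = [
    (b"PK\x03\x04", "zip"),                          # .zip, and also .jar / .apk / .docm
    (b"MSCF", "cab"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"\x1f\x8b", "gzip"),
    (b"\x1f\x9d", "compress"),                       # classic .Z
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy .doc/.xls (can hold VBA)
    (b"MZ", "pe"),                                   # .exe, .cpl, .scr, .dll
]


def sniff(data):
    """Name the container format from its first bytes, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def classify_attachment(filename, data):
    """Return triage flags for one attachment (empty list = nothing notable)."""
    name = filename.lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    flags = []
    if ext in UNUSUAL_ARCHIVES:
        flags.append("unusual_archive")
    if ext in MOBILE_PACKAGES:
        flags.append("mobile_package")
    if ext in MACRO_DOCUMENTS:
        flags.append("macro_capable_document")
    if ext in EXECUTABLES:
        flags.append("executable")
    if name.count(".") > 1:                   # e.g. report.pdf.exe
        flags.append("double_extension")
    if sniff(data) == "pe" and ext not in EXECUTABLES:
        flags.append("disguised_executable")  # PE bytes under a harmless name
    return flags


def triage_message(raw_bytes):
    """Map each attachment filename to (sniffed format, flags)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results[fname] = (sniff(payload), classify_attachment(fname, payload))
    return results


def build_sample_message():
    """Constructed test message: each attachment is magic bytes plus padding."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "Unpaid invoice"
    msg.set_content("Please see the attached documents.")
    samples = [
        ("invoice.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
        ("photos.ace", b"\x00" * 7 + b"**ACE**"),
        ("update.jar", b"PK\x03\x04" + b"\x00" * 8),
        ("report.pdf.exe", b"MZ" + b"\x00" * 8),
        ("photo.jpg", b"MZ" + b"\x00" * 8),
        ("order.cab", b"MSCF" + b"\x00" * 8),
    ]
    for name, body in samples:
        msg.add_attachment(body, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for fname, (fmt, flags) in triage_message(build_sample_message()).items():
        print(f"{fname:16} {fmt:9} {', '.join(flags) or '-'}")
```

Checking the content bytes rather than trusting the name is the point: the extension tells you what the sender wants a mail client to do with the file, while the magic number tells you what it actually is, and the two disagreeing is the cheapest high-confidence signal a gateway can extract.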
In 2015, we came across a variety of fraudulent schemes utilizing this simple trick: the fake page automatically opens in the browser when a user visits certain sites, including legitimate ones that use pop-up advertising. Cybercriminals used this technique to attack customers of Russian banks in the third and fourth quarters of 2015.

The fraudulent page to which the victim is redirected by a pop-up advert

Other popular themes of the year

As we mentioned in Q1, the contribution of the ‘Delivery company’ category is very small (0.23%), but it has recently experienced a slight increase (+0.04 p.p.). In addition, DHL, one of the companies in this category, was among the Top 100 organizations most often targeted by phishers. This method – an email sent on behalf of a delivery firm – is often used by fraudsters to distribute malicious attachments, gather personal information and even collect money.

Phishing email sent on behalf of FedEx

The attackers are especially active in this category in the run-up to holidays, when people tend to buy presents using popular delivery services.

Email tricks

Scammers have long made successful use of PDF attachments in phishing attacks. These files are usually a form for entering personal information that is sent to the fraudsters by pressing a button in the file. However, in 2015 we saw a surge of emails in which the text message and the link to the phishing page were included in the PDF document. The text in the body of the message was reduced to a minimum to bypass spam filtering. These tricks are used against organizations in all categories. In 2015, many attacks of this type targeted banking and mail organizations.

Example of a phishing email. The body of the message contains only text imitating the heading of the email to which this email is allegedly responding. The email has an attached PDF file that contains the link to the phishing page.

We came across numerous PDF files that redirected victims to phishing websites.
The fraudsters encouraged the user to click on ‘View pdf File’ to read the contents of the file.

A phishing email with an attached PDF file containing a redirect to a phishing website

The geography of attacks

Top 10 countries by percentage of attacked users

Japan had the highest proportion of users subjected to phishing attacks (21.68%), a 2.17 p.p. increase from the previous year.

The percentage of users on whose computers the anti-phishing system was triggered, out of the total number of users of Kaspersky Lab products in the country, 2015

Country       % of attacked users
Japan         21.68%
Brazil        21.63%
India         21.02%
Ecuador       20.03%
Mozambique    18.30%
Russia        17.88%
Australia     17.68%
Vietnam       17.37%
Canada        17.34%
France        17.11%

Last year’s leader, Brazil (21.63%), fell to second place with a drop of 5.77 percentage points in the number of attacked users. It was followed by India (21.02%, -2.06 p.p.) and Ecuador (20.03%, -2.79 p.p.).

The distribution of attacks by country

Russia accounted for the greatest share of phishing attacks, with 17.8% of the global total, an increase of 0.62 percentage points compared to the previous year.

Distribution of phishing attacks by country in 2015

Behind Russia in second place was Brazil (8.74%, +1.71 p.p.), followed by India (7.73%, +0.58 p.p.) and the US (7.52%, +0.32 p.p.), with Italy rounding off the Top 5 (7.04%, +1.47 p.p.).

Organizations under attack

The statistics on organizations used in phishing attacks are based on the triggering of the heuristic component in the anti-phishing system. The heuristic component is triggered when a user tries to follow a link to a phishing page and there is no information about the page in Kaspersky Lab’s databases.
Distribution of organizations subject to phishing attacks by category, 2015

In 2015, we saw significant growth in the proportion of phishing attacks on organizations belonging to the ‘Online finances’ category (34.33%, +5.59 p.p.); this includes the ‘Banks’, ‘Payment Systems’ and ‘Online stores’ categories. Of note is the increase in the percentage of targeted organizations in the ‘Telephone and Internet service providers’ (5.50%, +1.4 p.p.) and ‘Social networking sites and blogs’ (16.40%, +0.63 p.p.) categories.

Top 3 organizations attacked

   Organization   % of detected phishing links
1  Yahoo!         14.17
2  Facebook       9.51
3  Google         6.8

In 2015, Yahoo! was once again the organization targeted most by phishers, although its share decreased considerably – 14.17% vs 23.3% in 2014. We presume this decrease is a result of the company combating these fake domains. We see that Yahoo!, as well as many other organizations, registers lots of domains that could theoretically be used by the attackers, as they are derived from the original domain name.

Conclusion and forecasts

In 2015, the proportion of spam in email traffic decreased by 11.48 percentage points and accounted for 55.28%. The largest decline was observed in the first quarter; from April the fluctuations stabilized and were within a few percentage points. This reduction was caused by the migration of advertising for legal goods and services from spam flows to more convenient and legal platforms (social networks, coupon services, etc.), as well as by the expansion of the “gray” zone in mass mailings (mass mailings sent both to voluntary subscribers and to people who have not given their consent). We assume the share of spam will continue to decrease in 2016, though the decline will be insignificant. The number of malicious and fraudulent messages, however, will increase.
It is possible that the attackers will once again make use of their customary tricks as was the case in 2015 (mass mailings of macro viruses and non-standard attachment extensions). The mobile theme may also become yet another weapon in the cybercriminals’ arsenal to spread malware and fraudulent spam. The number of new domains created by spammers especially for distributing mass mailings will continue to grow. We also expect to see an expansion in new domain zones used as spammer resources.

Newly Fired CEO Of Norse Fires Back At Critics

Critics maintain that Norse Corp. is peddling threat data as threat intelligence.

A massive and potentially company-ending shakeup at security vendor Norse Corp. in recent weeks amid controversy over its practices may be a signal that the threat intelligence industry is finally maturing.

KrebsonSecurity last week reported that Norse had fired its CEO Sam Glines after letting go some 30% of its staff less than a month earlier.

The blog quoted unnamed sources as saying Norse’s board of directors had asked board member Howard Bain to take over as an interim CEO. The remaining employees at the Foster City, Calif.-based threat intelligence firm were apparently informed they could continue showing up for work, but there would be no guarantee they would be paid, KrebsonSecurity reported. Shortly thereafter, Norse’s website went dark and remained unavailable through the week -- prompting some speculation on whether the company had been shuttered.

A spokesperson for a PR agency representing Norse today said the company is still operational, but she did not elaborate. The KrebsonSecurity article, which was contested by Glines and former Norse chief architect Jason Belich, blamed Norse’s problems on a fast-and-loose business culture focused on taking quick advantage of the booming interest in threat intelligence rather than on delivering real value for customers. One former employee quoted by Krebs described Norse as a "scam" operation designed to suck in investors. Norse, once a rising star in the threat intelligence industry which as recently as September 2015 received an investment of over $11 million from KPMG, has been in the news for the wrong reasons before. As KrebsonSecurity noted in its blog, a Norse report last year on growing attacks against critical industrial control systems in the US was soundly trashed for being grossly exaggerated and unsubstantiated by facts.

A subsequent review of the report showed that what Norse had described as dangerous attacks was really network scans conducted from locations in Iran against honeypot systems.

Another Norse report that claimed Sony’s massive data breach was the result of an insider attack was similarly slammed for being unsubstantiated. In comments to Dark Reading today, Glines accused his critics of harboring an agenda against Norse. He described Krebs’ article as causing “incredible damage in very short order” and confirmed that Bain had been named interim CEO. “The quality of Norse's threat intelligence data is extremely good,” says Glines. “The company has one of the largest malware pipelines in the industry and just one of the sinkholes in use has over 1 billion callbacks, after being in operation for less than 3 months,” he says. He described the sinkhole as just one example of the many techniques used by the company to collect threat intelligence. Glines downplayed the criticisms about Norse’s threat intelligence reports being over the top, but conceded that Norse had been beaten up in the media over the past year. He says that was mainly the result of a handful of individuals complaining about the company’s practices; others jumped on the bandwagon because Norse chose not to respond, he says. Critics have accused Norse of going to market too soon with the data it had, and of drawing conclusions not actually supported by the data. “I’d respond that the entire cyber threat intelligence industry is still young, growing, but relatively immature,” Glines says. “But I’d also add that our customers and partners were getting tremendous value from the data.

Every product, every application, every service, is a work in process.” Robert M. Lee, founder and CEO of critical infrastructure security firm Dragos Security and one of Norse’s strongest critics, says Norse’s problem is that it tries to make too much of the data it has. A lot of the raw data that Norse collects from its sensors around the world is threat information, not threat intelligence, he told Dark Reading. “Data is just data without context,” Lee says. Some of it can help organizations answer fundamental questions like whether their systems are infected or not.

But that is not the same thing as threat intelligence, which involves the ability to take data from multiple sources, analyze it and predict with a high degree of confidence, he says. “Real threat intelligence is not something you can plug into a firewall," he says.
It requires a much higher degree of expertise, both technical and domain, than simply gathering and looking at threat data. “If Norse had used their data for what it was, it would have helped companies simplify what they were looking at,” he says. “Instead they were taking threat data and billing it as actionable intelligence.” The questions being raised over Norse’s practices point to an overall maturing of the threat intelligence industry, Lee says. “I don’t see this as impacting the larger threat intelligence industry.
I see this as an indicator that the market won’t accept bad threat data anymore.” Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

WordPress Hacks Silently Deliver Ransomware To Visitors

If you're a gamer (or anyone else), this is not a screen you want to see. Image: Bromium Labs.

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users. In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites.

The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them. "WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit." According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites it observed have been hacked to include encrypted code at the end of all legitimate JavaScript files.

The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below. Image: Sucuri.

To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors.

To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse.

A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged. Heimdal Security also warned that antivirus programs may do little to protect end users.

During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn't provide specifics).

Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust.

The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible. It's not yet clear how the WordPress sites are getting infected in the first place.
It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed.
It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected.

As Sucuri researcher Denis Sinegubko wrote: The malware tries to infect all accessible .js files.

This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination.
It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection.
In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication.

This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs that one of their systems is being targeted and follow the usual best practices listed earlier.
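The symptom Sucuri describes above, an obfuscated block appended to the end of every reachable .js file and every site on the same hosting account being hit, lends itself to a simple defender-side sweep. The scanner below is an added example for this article; it is not code from Sucuri, Malwarebytes, or Heimdal Security, and the sample files it creates are constructed, not captured malware. It inspects the tail of each JavaScript file under every site root it is given, looks for the hallmarks of an appended loader (a single very long last line, high-entropy encoded content, and calls such as eval or atob), and reports per site so that an abandoned test or backup site is not overlooked. The marker list and thresholds are assumptions to tune for your own hosting layout.

```python
"""Sweep every site root on a hosting account for .js files with an
appended obfuscated loader. Added example; thresholds are assumptions."""
import math
import re
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Calls typical of appended loaders (assumption: practical, not exhaustive).
SUSPICIOUS_MARKERS = re.compile(
    r"(eval\s*\(|unescape\s*\(|String\.fromCharCode|document\.write\s*\(|atob\s*\()"
)
TAIL_BYTES = 4096          # only the end of the file is inspected
MIN_LINE_LEN = 500         # appended loaders are usually one very long line
ENTROPY_THRESHOLD = 4.5    # bits per character; encoded blobs score high

# Constructed samples (not real captured code): a clean plugin file and the
# same file with an encoded one-line loader appended, as in the Sucuri write-up.
CLEAN_JS = "(function (w) {\n  w.demoPlugin = { version: '1.0' };\n})(window);\n"
_B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_BLOB = "".join(_B64[(i * 37) % 64] for i in range(640))   # constructed filler
INFECTED_JS = CLEAN_JS + ';eval(atob("' + _BLOB + '"));\n'


def shannon_entropy(text):
    """Bits of entropy per character of text (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def inspect_js(js_source):
    """Return the indicators that fire on the last line of a JS file.

    An empty dict means the tail looks ordinary."""
    lines = js_source[-TAIL_BYTES:].rstrip().splitlines()
    last_line = lines[-1] if lines else ""
    indicators = {}
    hits = SUSPICIOUS_MARKERS.findall(last_line)
    if hits:
        indicators["markers"] = sorted(set(hits))
    if len(last_line) >= MIN_LINE_LEN:
        indicators["long_last_line"] = len(last_line)
    entropy = shannon_entropy(last_line)
    if len(last_line) >= 100 and entropy >= ENTROPY_THRESHOLD:
        indicators["high_entropy"] = round(entropy, 2)
    return indicators


def classify(indicators):
    """Markers are the strong signal; length/entropy alone may just be a
    legitimately minified file, so those only earn a manual review."""
    if "markers" in indicators:
        return "likely-injected"
    if indicators:
        return "review"
    return "clean"


def scan_site_roots(roots):
    """Map each site root to a list of (relative path, verdict, indicators)
    for every .js file that is not clean."""
    report = {}
    for root in roots:
        findings = []
        for path in Path(root).rglob("*.js"):
            if not path.is_file():
                continue
            indicators = inspect_js(path.read_text(encoding="utf-8", errors="ignore"))
            verdict = classify(indicators)
            if verdict != "clean":
                findings.append((str(path.relative_to(root)), verdict, indicators))
        report[str(root)] = findings
    return report


def demo():
    """Build a throwaway hosting account with three sites (constructed layout)
    and return, per site, how many files look injected."""
    base = Path(tempfile.mkdtemp(prefix="wp-scan-demo-"))
    layout = {
        "main_site/wp-content/themes/demo/theme.js": INFECTED_JS,
        "main_site/wp-includes/js/util.js": CLEAN_JS,
        "backup_site/wp-content/plugins/demo/plugin.js": INFECTED_JS,  # the forgotten copy
        "test_site/assets/app.js": CLEAN_JS,
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    try:
        report = scan_site_roots(sorted(p for p in base.iterdir() if p.is_dir()))
    finally:
        shutil.rmtree(base, ignore_errors=True)
    return {Path(root).name: sum(1 for _, verdict, _ in findings if verdict == "likely-injected")
            for root, findings in report.items()}


if __name__ == "__main__":
    for site, count in demo().items():
        print(f"{site}: {count} likely-injected .js file(s)")
```

Pointing `scan_site_roots` at every document root on the account, not just the one you care about, is the whole point: the cross-site contamination described in the quote means a single unscanned site re-seeds the others. Files that land in the "review" bucket without markers are often just minified bundles; comparing them against a known-good hash from the plugin or theme package settles it faster than reading the code.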

Cybersecurity Smackdown: What Side Are You On?

Analytics vs. Encryption. Prevention vs. Detection. Machine Learning: Promise or Hype? The Firewall: Dead or Still Breathing? The sharpest minds in the security industry debate some of the industry's most contentious issues.

It’s debate season – at least in the political realm. So to get into the spirit of the US primary election, Dark Reading has put together in one place excerpts from our ongoing series of great cybersecurity debates about four hot new information security technologies versus their legacy counterparts. Industry leaders make impassioned arguments for the new versus the tried and true, or a combination of the two.

ANALYTICS VS. ENCRYPTION

Encryption Has Its Place But It Isn’t Foolproof
By Doug Clare, Vice President of Product Management, FICO

Encryption technology is improving, as are best practices in deploying it; and everyone should embrace these improvements. But encryption alone is not enough, and may induce a false sense of security among those who depend on it. Read more.

As Good As They're Getting, Analytics Don't Inherently Protect Data
By Scott Petry, Co-Founder & CEO of Authentic8

The suggestion to “use analytics to secure your system” is flawed, and the argument to shift away from data security systems like encryption and move to analytics is fallacious. In fact, analytics is not an either-or choice with encryption. Suggesting that firms choose between the two is like a doctor telling a patient to choose either vitamins or exercise. Both have their place in a healthy lifestyle. Read more.

MACHINE LEARNING: HYPE VS. PROMISE

Machine Learning Is Cybersecurity's Latest Pipe Dream
By Simon Crosby, co-founder and CTO at Bromium

There is a huge difference between being pleased when Netflix recommends a movie you like, and expecting Netflix to never recommend a movie that you don’t like. So while applying machine learning to your security feeds might deliver some helpful insights, you cannot rely on such a system to reliably deliver only valid results. Read more.

Machine Learning: Perception Problem? Maybe. Pipe Dream? No Way!
By Mike Paquette, VP Products, Prelert

In the most common misperception, machine learning is thought to be a magic box of algorithms that you let loose on your data and they start producing nuggets of brilliant insight for you. If you apply this misperception to the use of machine learning for cybersecurity, you might think that after deploying it, your security experts will be out of a job since algorithms will be doing all their important threat detection and prevention work. The reality is that ML is a practical way to use newer technology to automate the analysis of log data to better detect cyberthreat activity, under the direction and guidance of an organization's security experts. Read more.

PREVENTION VS. DETECTION

Time’s Running Out for the $76 Billion Detection Industry
By Simon Crosby, co-founder and CTO at Bromium

Enterprises spend a mind-boggling $76 billion each year to “protect” themselves from cyber-attacks, but the bad guys keep winning because most protection solutions are based on detection instead of prevention. What’s wrong? The answer is the same today as it was in ancient Troy when the Greek army suddenly disappeared, leaving behind an innocent-looking horse that the Trojans willingly brought inside the gates. Read more.

Detection: A Balanced Approach For Mitigating Risk
By Josh Goldfarb, VP and CTO - Emerging Technologies, FireEye

Prevention is necessary, but not sufficient, for a robust and mature security program. Only detection and response can complete the security picture that begins with prevention. Read more.

THE FIREWALL IS DEAD. LONG LIVE THE FIREWALL.

Why the Firewall is Increasingly Irrelevant
By Asaf Cidon, Co-Founder & CEO, Sookasa

Firewalls only protect what work used to be, not what it is today, a distributed collection of employees connected by mobile devices, in turn connected to the cloud. The only way to secure all company data, then, is to extend enterprise-grade security to these employees’ devices and cloud applications. Read more.

Firewalls Sustain Foundation of Sound Security
By Jody Brazil, Co-Founder & CEO, FireMon

Effective security management will always retain a multi-layered approach necessitating mechanisms that control and limit access. While this may not someday require dependence on network security devices, in today’s environment the firewall remains one of the critical building blocks of network security. Read more.