Tuesday, September 26, 2017

Tag: Cyber Espionage

IT threat evolution Q2 2017

The threat from ransomware continues to grow.

Between April 2016 and March 2017, we blocked ransomware on the computers of 2,581,026 Kaspersky Lab customers.
In May, we saw the biggest ransomware epidemic in history, called WannaCry.

APT Trends report Q2 2017

Since 2014, Kaspersky Lab's Global Research and Analysis Team (GReAT) has been providing threat intelligence reports to a wide range of customers worldwide, leading to the delivery of a full and dedicated private reporting service. Prior to the new service offering, GReAT published research online for the general public in an effort to help combat the ever-increasing threat from nation-state and other advanced actors.
Today, a dangerous new trend is emerging: steganography is increasingly being used by actors creating malware and cyber-espionage tools. Most modern anti-malware solutions provide little, if any, protection from steganography, while any carrier in which a payload can be secretly carried poses a potential threat.
CopyKittens persistent but easy to find, monitor and counter

Security researchers have lifted the lid on a new cyber-espionage crew that has targeted the German Bundestag and Turkish diplomats.…
Move demotes US cyber diplomats as part of department overhaul.
Former MI5 chief says cyber-espionage and the balance between security and privacy means 'we're facing a very difficult world'.
Spies, bank raiders gravitate to growing stealth technique

A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware hidden in Microsoft Word documents, a hacker tactic that's becoming a growing menace.…

Spies, bank raiders gravitate to growing stealth technique

A newly uncovered cyber-espionage campaign targeting Israeli organisations relies on "fileless" malware, a hacker tactic that's becoming a growing menace.…
Deployment of THAAD upsets China, seen as espionage tool.
Gosh, this is awkward...

Evidence of Chinese cyber-espionage against the US has been uncovered on the eve of an important Sino-US presidential summit.…
EyePyramid operation targeted politicians and business leaders

A hacking operation featuring the EyePyramid trojan successfully compromised the systems of numerous high-profile Italian targets, including two former prime ministers, say Italian police. The victims were hit by a spear-phishing campaign that delivered a remote-access trojan codenamed "EyePyramid" as a malicious attachment. Targets of the spying included bankers, businessmen and even several cardinals.

The president of the European Central Bank, Mario Draghi, and two former Italian prime ministers, Matteo Renzi and Mario Monti, were among targets of the campaign, according to a copy of an Italian arrest warrant obtained by Politico. The malware was used to successfully exfiltrate over 87 gigabytes worth of data – including usernames, passwords, browsing data, and other files – from compromised systems. Federico Maggi, a senior threat researcher at Trend Micro, has published a blog post here and in a technical summary (on GitHub) here. Brother and sister Giulio Occhionero, 45, and Maria Occhionero, 48, were arrested in Rome on Tuesday and detained over hacking and espionage charges related to the EyePyramid campaign, Reuters reports.
Investigators appear to be proceeding on the basis that the hacking operation was used to harvest insider intelligence as part of a criminally tainted investment strategy rather than politically motivated cyber-espionage. The "stolen data was stored in servers in Prior Lake, Minnesota, and Salt Lake City, Utah," according to a court document seen by Reuters. The FBI has seized the servers and will ship them to Italy, the head of Italy's cyber crime unit told the news agency. Hackers behind the spear-phishing campaign used the compromised email accounts of attorneys and associates in several law firms as a platform to launch the second stage of the attacks, targeting businessmen and politicians, according to Trend Micro's Maggi. ®

Bootnote

Many thanks to Milan-based reader Alex for the heads-up on this interesting case, which is unsurprisingly getting a lot of coverage in the Italian press.
At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers, who need an effective arsenal for finding malware.

During the training, the experts will give participants access to some of Kaspersky Lab internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples.

After two days, even as a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now; the class will be limited to a maximum of 15 participants. Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2.

Why YARA training?

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow.
Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection.

But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective.

But good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way.

The rules can be deployed in networks and on various multi-scanner systems.

Giveaways

People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings alone.

The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives.

They will also share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs.

What are the requirements for participation?

You don’t have to be an expert in order to go through this training. It’s enough to have basic knowledge of how to use a text editor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop, with YARA v. 3.4.0 installed on the machine.

Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it.

Catching a 0-day with YARA

One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers. GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shellcode and function names.

All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”.

Eventually it caught a new sample that turned out to be a 0-day, and the team reported it to Microsoft immediately.

If you’re a scholar…

Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on. If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly. You are welcome to listen to the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities. Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!