Home Tags Indicators of Compromise (IoC)

Tag: Indicators of Compromise (IoC)

IDG Contributor Network: How to implement DI in WebAPI using NInject

Dependency injection is a software design pattern that helps you to build pluggable implementations in your application using loosely coupled, testable components.
It eliminates the hard-coded dependencies between the types and makes your types easi...

Old Malware Tricks To Bypass Detection in the Age of Big...

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently.

This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the… Read Full Article

From Shamoon to StoneDrill

Beginning in November 2016, Kaspersky Lab observed a new wave of wiper attacks directed at multiple targets in the Middle East.

The malware used in the new attacks was a variant of the infamous Shamoon worm that targeted Saudi Aramco and Rasgas back in 2012.

Fileless attacks against enterprise networks

This threat was originally discovered by a bank’s security team, after detecting Meterpreter code inside the physical memory of a domain controller (DC). Kaspersky Lab participated in the forensic analysis, discovering the use of PowerShell scripts within the Windows registry.

Additionally it was discovered that the NETSH utility as used for tunnelling traffic from the victim’s host to the attacker´s C2.

Bromium Secure Platform Assembles Endpoint Sensors for Enterprise Security

Bromium expands its virtualization based security isolation and detection approach into a platform play that correlates threats across a distributed network of endpoint sensors. Security vendor Bromium announced its new Secure Platform technology on Ja...

3 Lessons From The Yahoo Breach

Your organization must address these blind spots to detect sophisticated attacks. When an organization as established and trusted as Yahoo gets breached, it seems like there's no hope for the rest of us.

And in many ways, there isn't. Despite Yahoo's perimeter defenses, the company's network was still breached. Not once, but at least twice.

This indicates that these attacks were very sophisticated and carried out by highly motivated and well-funded attackers.

Although Yahoo's breaches demonstrate that it's virtually impossible to prevent every motivated attacker from getting past perimeter defenses and gaining access to a secure network, there are ways to detect breaches before massive exfiltration can occur.When it comes to breach detection and response, most enterprises today still rely on sifting through logs from network appliances such as firewalls and web gateways.

This includes performing correlation using security information and event management systems to figure out how the breaches occurred.The Yahoo breach exposed three key blind spots that need to be addressed to detect sophisticated attacks. (Editors' Note: In the spirit of transparency, SS8, the author's company, helps organizations detect and protect against network breaches using some of the concepts described in this article.) 1. Lack of application, identity, device, and geolocation information. Tools like NetFlow can't distinguish between multiple exchanges of information in a traffic flow (for example, an email session), and at best can only provide a summary of the entire flow.

They leave out valuable application-specific information such as To, CC, From, and Subject fields in an email, as well as the presence of any potential malicious attachments.
In addition, certain obfuscated protocols such as Tor can be difficult to detect on a network, but the ability to identify their presence and investigate these connections is critical to network security. 2.

Challenges tied to archiving and network history lookup. 
Although some tools can store network log data for long periods of time, it remains difficult to access that information quickly for the purpose of cyber investigations such as correlating potentially malicious network activity to an individual device or user. Meanwhile, packet recording tools can provide more granular detail into network data, but the economics of storing full packets over an extended period of time is often cost-prohibitive. 3. Lack of automated workflows for threat detection. The volume of new, constantly-generated threat information, combined with a shortage of skilled cybersecurity personnel, often leads to "log and alert fatigue." This is generally due to a lack of automation for correlating the latest threat intelligence, and tying it to actual events happening on the network.

Currently, most cyber investigators still have to manually perform a series of complicated steps to generate useful forensic information from log reports and the limited history of full packet capture tools. The Yahoo breach, like most advanced cyberattacks, was carried out over a long period of time, with attackers hiding their communications in the normal flow of network traffic.

According to the latest Verizon Data Breach Investigations report, dwell time — that is, the length of time an attacker is in a system before being detected — is averaging more than 200 days.  Perimeter defenses have to make point-in-time decisions to allow or block a specific communication.

Therefore, it isn't possible for them to detect advanced and persistent cyberattacks carried out over long periods of time.

Even though threats can breach the perimeter through a variety of attack vectors, most malicious activity can be still be detected in the network before data exfiltration — the ultimate goal of the attack — takes place. If we want to prevent protracted infiltrations and exfiltrations, like the one experienced by Yahoo, we need to combine deeper network visibility, including the ability to rewind past activity with constantly updated threat intelligence, and automated workflows.

This will allow us to discover indicators of compromise and devices of interest early in the breach cycle, which can be investigated using actual network history to pinpoint a compromise before massive data exfiltration takes place. Prevention is the always the goal, but incident detection and fast response can save the day. Related Content: Dr.

Cemal Dikmen is Chief Security Officer for SS8, which helps companies detect and protect against network breaches. He also works with the nation's leading telecommunications service providers as well as law enforcement and intelligence agencies on cybersecurity ...
View Full Bio More Insights

Threat Attribution: Misunderstood & Abused

Despite its many pitfalls, threat attribution remains an important part of any incident response plan. Here's why. Threat attribution is the process of identifying actors behind an attack, their sponsors, and their motivations.
It typically involves forensic analysis to find evidence, also known as indicators of compromise (IOCs), and derive intelligence from them. Obviously, a lack of evidence or too little of it will make attribution much more difficult, even speculative.

But the opposite is just as true, and one should not assume that an abundance of IOCs will translate into an easy path to attribution. Let’s take a simple fictional example to illustrate: François is the chief information security officer (CISO) at a large US electric company that has just suffered a breach.

François’ IT department has found a malicious rootkit on a server which, after careful examination, shows that it was compiled on a system that supported pinyin characters. In addition, the intrusion detection system (IDS) logs show that the attacker may have been using an IP address located in China to exfiltrate data.

The egress communications show connections to a server in Hong Kong that took place over a weekend with several archives containing blueprints for a new billion-dollar project getting leaked. The logical conclusion might be that François’ company was compromised by Chinese hackers stealing industrial secrets.

After all, strong evidence points in that direction and the motives make perfect sense, given many documented precedents. This is one of the issues with attribution in that evidence can be crafted in such a way that it points to a likely attacker, in order to hide the real perpetrator’s identity.

To continue with our example, the attacker was in fact another US company and direct competitor.

The rootkit was bought on an underground forum and the server used to exfiltrate data was vulnerable to a SQL injection, and had been taken over by the actual threat actor as a relay point. Another common problem leading to erroneous attribution is when the wrong IOCs have been collected or when they come with little context. How can leaders make a sound decision with flawed or limited information? Failing to properly attribute a threat to the right adversary can have moderate to more serious consequences.

Chasing down the wrong perpetrator can result in wasted resources, not to mention being blinded to the more pressing danger. But threat attribution is also a geopolitical tool where flawed IOCs can come in handy to make assumptions and have an acceptable motive to apply economic sanctions.

Alternatively, it can also be convenient to refute strong IOCs and a clear threat actor under the pretext that attribution is a useless exercise. Despite its numerous pitfalls, threat attribution remains an important part of any incident response plan.

The famous “know your enemy” quote from the ancient Chinese general Sun Tzu, is often cited when it comes to computer security to illustrate that defending against the unknown can be challenging.
IOCs can help us bridge that gap by telling us if attackers are simply opportunistic or are the ones you did not expect. More Insights

HPE Details Global Security Operations Center Maturity Levels in New Report

Hewlett Packard Enterprise's 2017 State of of Security Operations Report reveals that 82 percent of Security Operation Centers are not running at the optimal level of maturity and meeting business goals. Hewlett Packard Enterprise (HPE) released its St...

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer. During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008. Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero. Investigation Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data. Excerpt from the Italian court order on #EyePyramid(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf) Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow: E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples. Here’s how our initial “blind”-written YARA rule looked like: rule crime_ZZ_EyePyramid { meta: copyright = ” Kaspersky Lab”author = ” Kaspersky Lab”maltype = “crimeware”filetype = “Win32 EXE”date = “2016-01-11”version = “1.0” strings: $a0=”eyepyramid.com” ascii wide nocase fullword$a1=”hostpenta.com” ascii wide nocase fullword$a2=”ayexisfitness.com” ascii wide nocase fullword$a3=”enasrl.com” ascii wide nocase fullword$a4=”eurecoove.com” ascii wide nocase fullword$a5=”marashen.com” ascii wide nocase fullword$a6=”millertaylor.com” ascii wide nocase fullword$a7=”occhionero.com” ascii wide nocase fullword$a8=”occhionero.info” ascii wide nocase fullword$a9=”wallserv.com” ascii wide nocase fullword$a10=”westlands.com” ascii wide nocase fullword$a11=”217.115.113.181″ ascii wide nocase fullword$a12=”216.176.180.188″ ascii wide nocase fullword$a13=”65.98.88.29″ ascii wide nocase fullword$a14=”199.15.251.75″ ascii wide nocase fullword$a15=”216.176.180.181″ ascii wide nocase fullword$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword$a20=”gpool@hostpenta.com” ascii wide nocase fullword$a21=”hanger@hostpenta.com” ascii wide nocase fullword$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword$a23=”ulpi715@gmx.com” ascii wide nocase fullword$b0=”purge626@gmail.com” ascii wide fullword$b1=”tip848@gmail.com” ascii wide fullword$b2=”dude626@gmail.com” ascii wide fullword$b3=”octo424@gmail.com” ascii wide fullword$b4=”antoniaf@poste.it” ascii wide fullword$b5=”mmarcucci@virgilio.it” ascii wide fullword$b6=”i.julia@blu.it” ascii wide fullword$b7=”g.simeoni@inwind.it” ascii wide fullword$b8=”g.latagliata@live.com” ascii wide fullword$b9=”rita.p@blu.it” ascii wide fullword$b10=”b.gaetani@live.com” ascii wide fullword$b11=”gpierpaolo@tin.it” ascii wide fullword$b12=”e.barbara@poste.it” ascii wide fullword$b13=”stoccod@libero.it” ascii wide fullword$b14=”g.capezzone@virgilio.it” ascii wide fullword$b15=”baldarim@blu.it” ascii wide fullword$b16=”elsajuliette@blu.it” ascii wide fullword$b17=”dipriamoj@alice.it” ascii wide fullword$b18=”izabelle.d@blu.it” ascii wide fullword$b19=”lu_1974@hotmail.com” ascii wide fullword$b20=”tim11235@gmail.com” ascii wide fullword$b21=”plars575@gmail.com” ascii wide fullword$b22=”guess515@fastmail.fm” ascii wide fullword condition: ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and((any of ($a*)) or (any of ($b*)) )} To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we’ve ran it on our malware collections.

Two of the initial hits were: MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010 MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010 These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified. Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses. Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example: From: Di Marco GianmariaSubject: ricezione e attivazioneTime:2014/01/29 13:57:42Attachment: contatto.zip//Primarie.accdb (…) .exe From: Michelangelo GiorgianniSubject: R: Re: CONVOCAZIONE]Time: 2014/01/28 17:28:56]Attachment: Note.zip//sistemi.pdf (…) .exe Other attachment filenames observed in attacks include: Nuoveassunzioni.7z Assunzione.7z Segnalazioni.doc (…) 7z.exe Regione.7z Energy.7z Risparmio.7z Pagati.7z Final Eight 2012 Suggerimenti Uso Auricolari.exe Fwd Re olio di colza aggiornamento prezzo.exe Approfondimento.7z Allegato.zip Eventi.bmp (…) .exe Quotidiano.mdb (…) _7z.exe Notifica operazioni in sospeso.exe As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives, which contained the EyePyramid malware. Also the attackers relied on executable files masking the extension of the file with multiple spaces.

This technique is significant in terms of the low sophistication level of this attack. High profile victims Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted. Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include: Professional firms, Consultants Universities Vaticano Construction firms Healthcare Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland. Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015. Conclusions Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data. In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught. Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts: HEUR:Trojan.Win32.Generic Trojan.Win32.AntiAV.choz Trojan.Win32.AntiAV.ciok Trojan.Win32.AntiAV.cisb Trojan.Win32.AntiAV.ciyk not-a-virus:HEUR:PSWTool.Win32.Generic not-a-virus:PSWTool.Win32.NetPass.aku A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com
. To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings References and Third-Party Articles Indicators of Compromise Hashes: 09ff13b020de3629b0547e0312a6c135102bccd95e5d8a56c4f7e8b902f5fb7112f3635ab1de63fbcb5e1c492424c6051391d37c6b809f48be7f09aa0dab76571498b8d6e946b5d6b529abea1359238114db577a9b0bfc62f3a25a9a51765bc517af7e00936dcc8af376ad899501ad8b192d5866cbfafae36d5ba321c817bc14325f5d379c4d091743ca8581f15d329536bd8feed1b17c59f3c653e6427661a4380b0f1921fed82e1b68b4e442b04f053c30f0114c600510fdb2573cc48d5c063fed695e2a6e63d971c16fd9e825fec547bea4236184c21e89bd1c1af3e52c8647dd1e017aae694abd2b7bc0b12cf1da47f1f9b1339147fe2d13772b4cb8103053b41dc0b8fd9663047f71bc91a317df5bc1b8c07c0f83d438a3e891dc3899545eb17f400f38c1b65990a8d60c298d956de1e478301d59ac14b8e9636b53815d75621de46a12234af0bec15620be6763778d103face6ad7186596fb0ba2399f2859f60cd5d0f0fbd91bde3c3914cbb188afb6488655cbea2737d2423843ea0779173aefe64b7704510c873e2ce7305e092c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da594eff87eca2f054aa5fbc1877a6cf91998825a1ce35f46d004c0839e87cc27789b8571b5281f3751750d3099049098e09c57839b3f8462bd6c2d36db80cd5ecc9d3ce3246975ae6d545ee9e8ba12d1649d4b46d3c389e0144238c821670f8537a41c5374a14a2c7cbe093ff6b075e8acb39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4bcfd544df7d8e9a2efe9d2ed32e74cadc0243741bfece772f02d1657dc057229c38e9edc0e4b18ff1fc5b61b771f7946ce76b690dc98844c721e6337cd5e7f4bcf391937d79ed6650893b1d5fbed0604d8432ddec880800bfa060af1f8c2e405eb604e7e27727a410fc226196c13afe9fafd293065daf126a9ad9562fc0b00b2 Related hashes identified by @GaborSzappanos: 014f69777d2e0c87f2954ad252d5281002965c8a593989ff7051ec24736da6bd04b3c63907c20d9be255e167de89a39804e949f64e962e757f5bb8566c07800b06e47736256c54d9dd3c3c533c73923e09ff13b020de3629b0547e0312a6c1350a80fd5abf270ddd8080f935058546840b3c1ff3b3b445f46594227ca2babdcd0c33c00a5f0f5bde8c426c3ce376eb110ded0389cbddeeb673836794269ffb3b0e19913ce9799a05ba97ac172ec5f0bc11062b36893c4ba278708ec3da07b1dd12b4d543ae1b98df15c8712d888c54f01334a7df1e59380206841d05d840077814cb305de2476365ef02d2226532dd341748c33cb5ac6f26d55cd1a58b68df8a18e24ef2791030693a4588bfcae1dec0192d5866cbfafae36d5ba321c817bc141b4d423350cd1159057dd7dbef4793281deb28ae7b64fb44358e69e5afd1f6002222a947ebccc8da16badeacca05df4b23beed8aaac883a5902039e6fd84ee5f2485e7ae3e0705898b7787ed0961878d2642990a46c434e7787a599f04742a32268698314c854bc483d05ffe459dc5402866ced99b46b39838f56fbe704d387b2896ae0489451d32f57c68b919b3fa7228ba7d1a4c5d64a65f2f2bf5f6ced12328e65b9577abaabf3f8c94d9fda50fc52a809644e6d07dc9fc111804a62b808930215197622f5c747fc869992768d9c6325f5d379c4d091743ca8581f15d329533890f9268023cd70c762ad2054078c73673c155eb6a0bd8a94bea265ebb8b76369cd42dfabea188fa57f802a83b55d9380b0f1921fed82e1b68b4e442b04f053a0af8bba61734b043edc0f6c61cd1893c30f0114c600510fdb2573cc48d5c063db711afc09c0a403a8ccff6a8a958df3e4365b079239b0a2451f48f337613323ebbae038d7bf19baa1bcfbc438bb5e73fed695e2a6e63d971c16fd9e825fec53ffcd0eedd79a9cc79c2c4a0f7e04b214025834a88dcfba3ed1774068c64c546417593eaf61d45e88adbad259d5585d0422fe9c78c71fb30d376e28ad1c4188444d91f49f261da6b1f183ea131d12a7f45dde4082c0407b9904c5f284080337f47bea4236184c21e89bd1c1af3e52c864a494c20bcfb77afd06908eb5a9718cb53b41dc0b8fd9663047f71bc91a317df5523aa1d4ee5f19522299be6f1111b895627cb8752c4c0774f822ccf8f1363eb56499e0b590857f73bb54f500008c656568895c8340a88316fdc0d77a7f2a91d5847072fd4db9e83d02d8b40a1d678505accd89d6483dec54acc7b1484dfbace5b5f3f65b372f9e24dbc50b21fe31f815bc1b8c07c0f83d438a3e891dc389954622fb530276a639892398410de03d05163d9e7cca593360411b5d05a555d52f36648a255610c5f60f580098bbc1d387c690cdf20faf470f828fe468a635da34e6c25a0974a907d368372ac460d8261d66c5693df933924e8a633ccfd7ef2635d6ff7876db06d9102786ae0e425aeaf3770882709d86e2a7396779f4111cd02e370f094e347d4088573c9af34430a3cd672ffb3418d3cde6fdef16b5b5db01127734cfa84d68506fe6e74eb1b038d9c707633748203b705109ededadfbe08dcfa778d103face6ad7186596fb0ba2399f277c2a369d0850c7a75487e8eee54b69e78b7d1caa4185f02b1c5ef493bf795297971c90d7533f2c69e33f2461434096a7aad90ce44e355f95b820fb59c9f5d567bf348005958658ba3fcf5ccb3e2ae227cddc3b26bb8f98e9b14d9c988f36f8f81624dc108e2d3dc712f3e6dd138736a820ca39f331f068cca71e7a7c281e4ac84c14a1327ae7c0e5a07a67a57451cc4860f607dbd0d6a2dc69cbc4f3b0eeeaf889c86aaf22876516964eafa475a2acd88c31f3b589d64a275608f471163989c89368652dc98b13f644ec2e356c7707c89696dbead484bf948c1dd86364672eb898150dea4d7275f996e7341463db21f8b27bcfa38205754c8e5fdf6a509d60e8f419bca20b767b03f128a19b82611ab915cc3c9c8cb8e200dbe04e425e7018b92c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da598825a1ce35f46d004c0839e87cc277898b1157b9f3f3ec183bf322615f1ce419b19729531bf15afc38dd73bcc0596f89c99ecf33301e4cafdd848a7d3d77ef99cf08b15724e0eaf69a63e47690cdee2a16d8cf9a7a52e5c2ad6519766ae6b92a35312a5c0b06ee89ddadaea9ca6bad2a4c551ec6d3b5ab08a252231439e099fa615a4f5e93a63682a8f25b331f62882a6c29f9680fe5ae10a9250e5431754d4ab71ca072d4b526e258c21bd84ec0632ac6fa4005e587ac4b3456a14bd741ff0afab0fcbf8bc6595f9f2c0051b975a4eb1ddec2f71727dcf747e1d385272e24db2a756f557d273d81a61edc9fbfc9dafb2e1663647addc92bf253f389ac98027b39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4b6e86ac7d3bbedf18b98437df49c1b60b70ddb9f6e4e2c85e80cf2079b10e762b89a8d3442d96161cef07552116407c3bb2a0aee38980aeb39cac06677936c96bc333001d3f458ff8fde9d989b53e16dbd7a2b795419c0b842fd041eaac36d7fbf850dcb074e0cf2e30fbee6bfaa4cd9c0d4e5ba26ef3c08dc1a29ac7496f015c38832f484645b516b57f6813c42d554c4abb3210f26d4a15a0d4fd41b47ee0ec547a30fa39f22e2093b51ed254bb1c2c69c370fcb7b645aaac086b2a3b18286c7ef4c7b12b5ad8198dafc58c4bea2a3c97ef1f13bf3d74c78f50fa7abe7766bca010bcdfe3c4965df0c6bc12b40db76ca243796e79c87c55f67a61bc3ee8ddcca9a7c6b231fadfae3466da890b434c5cf391937d79ed6650893b1d5fbed0604cf3b3c796114f6908a35542d4fd02b0ed034810ddab55c17dcddd2c2990b3ef3d1273537add3f2282391726489c65e38d20487e2d2f674bfd849cb8730225dded8432ddec880800bfa060af1f8c2e405d864ad5030d354c1e40a873a335b2611dac10dcede69eb9b4ccce8e6798f332cdb95221ebed1793bf5b5527ecb52eb0cdc64307ef67177449b31c6bb829edbf2dd734c07b94c8685bb809f83876c7193e0e862dbf001eb4a169d3340c200b501e727b444a6a9fa9d40a34a9508b1079fe7539ed9616b61c12028a663c298f6bee78ed9fac4f3e9b443abd02bfa9f3db2e85ff9e3a27899b0d1de8b958af5ad90eb604e7e27727a410fc226196c13afe9eba8aa2572cf0d6ccdf99c34cc26b6f3ec21252421f26072e9fe75586eb6b58aee9435593494f17f3efc3a795c45482eeeca6409dcf0e46d0182d53d230c701deff2d3f9f56e9aabcf970c4c09fe7ef8f0b61a531a72f0cc02d06d2ebfb935abf1a037e2edc5ddf4db4e1e7fcd33d5fbf3802442727c0b614482455d6ad9edc2f41be516fa8da87a269845c9ea688749f7d4742d2e746962440bf517b261f126f96335bf0512c6e65ea374a844ab7cebf9b4459f18ca9d2974cf5a58495c5879fa4266c305aa75a133ebae2a4dcc9b75fafd293065daf126a9ad9562fc0b00b2 Backdoor Filenames: pnbwz.exepxcfx.exeqislg.exerqklt.exerunwt.exeruzvs.exervhct.exevidhdw.exewinlng.exewxrun.exexddrv.exexdwdrv.exe Malicious attachments filenames (weak indicators): contatto.zip//Primarie.accdb (…) .exeNote.zip//sistemi.pdf (…) .exeNuoveassunzioni.7zAssunzione.7zSegnalazioni.doc (…) 7z.exeRegione.7zEnergy.7zRisparmio.7zPagati.7zFinal Eight 2012 Suggerimenti Uso Auricolari.exeFwd Re olio di colza aggiornamento prezzo.exeApprofondimento.7zAllegato.zipEventi.bmp (…) .exeQuotidiano.mdb (…) _7z.exe

How to hunt for rare malware

At SAS 2017, on April 1st and 2nd on St. Maarten, Global Director of GReAT Costin Raiu and Principal Security Researchers Vitaly Kamluk and Sergey Mineev will provide YARA training for incident response specialists and malware researchers, who need an effective arsenal for finding malware.

During the training, the experts will give participants access to some of Kaspersky Lab internal systems, which are otherwise closed to the public, to demonstrate how the company’s malware analysts catch rare samples.

After two days, even being a newcomer, you’ll walk away with the ability to write rules and start using the tool for hunting malware. You can book your seat now — the class will be limited for maximum 15 participants. Each trainer has an impressive portfolio of cyber-espionage campaigns that they have investigated, including Stuxnet, Duqu, Flame, Gauss, Red October, MiniDuke, Turla, Careto/TheMask, Carbanak and Duqu2. Why YARA training? Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow.
Indicators of Compromise (IoCs) can help you search for footprints of known malware or for an active infection.

But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective.

But good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found in any other way.

The rules can be deployed in networks and on various multi scanner systems. Giveaways People who go through the training will be able to start writing relatively complex YARA rules for malware – from polymorphic keyloggers all the way up to highly complex malware – that can’t be detected easily with strings.

The GReAT trainers will teach how to balance rules, in other words how to write detection rules while minimising the risk of false-positives.

They also will share their experience of what exactly they are looking for when they write YARA rules as part of their everyday jobs. What are the requirements for participation? You don’t have to be an expert in order to go through this training.
It’s enough to have basic knowledge of how to use a TextEditor and the UNIX grep tool, and a basic understanding of what computer viruses are and what binary formats look like. You’ll also need your laptop and YARA software v. 3.4.0 installed on the machine.

Experience with malware analysis, reverse engineering and programming (especially in structured languages) will help you to learn more quickly, but this doesn’t mean that you can’t learn without it. Catching a 0-day with YARA One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the very famous Silverlight 0-day: the team started hunting for this after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at some point had been installed on a huge number of computers. GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits — he used very specific comments, shell code and function names.

All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”.

Eventually it caught a new sample, it was a 0-day, and the team reported it to Microsoft immediately. If you’re a scholar… Surprisingly enough, YARA can be used for any sort of classification, such as finding documents by metadata, email and so on.
If you work with any kind of rare information and lack a competitive tool for searching for it, come to St. Maarten in April and join the training — you’ll benefit greatly. You are welcome to listen the podcast to learn about how YARA can be used in malware hunting, data analysis and incident response activities. Book a seat at sas.kaspersky.com now to hunt APTs with YARA like a GReAT ninja!

DHS-FBI Report Shows Russian Attribution's A Bear

Political and technical fallout from the DHS-FBI joint 'Grizzly Steppe' report on Russia's role in the recent election-related hacks causes more chaos than closure. A joint FBI and US Department of Homeland Security (DHS)-authored report released last week that officially called out two infamous Russian state cyber espionage groups for their roles in US election-related hacks has spurred criticism - and confusion. The DHS-FBI Joint Analysis Report on the so-called GRIZZLY STEPPE operation out of Russia published last week on the the high-profile breaches and data leaks of the Democratic National Committee (DNC) as well as Clinton campaign manager John Podesta, was aimed at shedding more light on the attacks and providing organizations with the intel to defend themselves from the gangs. But the report, which experts say appears to have been heavily redacted, instead has generated more debate over hacker attribution within the security community and caused confusion outside those circles: all of this amid an increasingly political battle after the contentious presidential campaign. President-Elect Donald Trump has continued to express doubt over Russia's involvement. The report's conclusions are not new: Multiple security researchers from private industry in mid-2016 had confirmed that Russian state hacking groups were involved in the election-related hacks, and the US intelligence community in October confirmed Russia's activities. Researchers from CrowdStrike had previously identified Russian state-sponsored hacker groups Fancy Bear (aka APT28) and Cozy Bear (aka APT29) as the perpetrators.  The Obama administration on Dec. 29 delivered its official response, mainly sanctions, to the Russian government's activities. The DHS-FBI GRIZZLY STEPPE report came later that day. "There were some good insights in that [DHS-FBI] report and even some good indicators. Unfortunately, it was sort of jumbled together in a fashion that made them difficult to understand, especially for" someone without a cybersecurity research background, says John Hultquist, manager of the cybersecurity analysis team at FireEye. Hultquist says one of the most interesting revelations in the report is that the US intelligence community publicly tied the so-called Sandworm hacking team to the Russian state. Sandworm has been tied to the December 2015 attacks on the Ukrainian power grid as well as other attacks on US ICS/SCADA networks committed in 2014. "One of the things from my perspective that I found exciting is that the Sandworm team was officially linked to Russian" groups, he says. "Two of the adversaries listed [in the report], Energetic Bear and the Sandworm team, are all focused on industrial control systems in the West, including electricity and water," he says. "We don't think they are doing classic cyber espionage, looking for information on the price of energy. They are probably doing recon for an attack." Robert M. Lee, a SANS instructor and ICS/SCADA expert, says the Grizzly Steppe report basically caused unnecessary confusion. "The report was never meant to be proof of attribution of the DNC/Russia hack. The attribution to Russia of the DNC hack is very good, and is based off technical analysis over the years" of these hacking groups, says Lee, pointing to research conducted by CrowdStrike, Trend Micro, Kaspersky Lab, and other security research teams. "All the [report] had to have done is say here's the technical evidence by the private sector" as well as Germany's claims of similar hacks against its Parliament in 2014, he says, and that the feds were validating those findings and claims. "Instead, they tried to make it their own," he says. In a blog post, Lee described the report as reading "like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence." That basically backfires by making the report appear thin, according to Lee. In addition, the indicators of compromise included in the report don't follow the attribution discussion in the report, either, he says. Some are outdated, for example, or lack enough detail to be useful. At least one such IoC was spotted on a laptop at a Vermont electric utility, and turned out to be connected to some everyday malware. Even so, it was incorrectly reported by at least one media outlet as a case of Russia hacking the US power grid, demonstrating the challenges of tying IoCs to specific attacks or groups. The JAR report came on the heels of President Obama's sanctions on Russian entities and individuals. The White House stated that Russia's operation was intended to influence the outcome of the US presidential election and to shake confidence in the US electoral process and institution. Obama issued wide-ranging sanctions including some against Russian intelligence agencies, the GRU and FSB, as well as against four GRU officers and three companies that allegedly supported the operations. The White House in its sanction announcements noted that the FBI and DHS would release "declassified technical information on Russian civilian and military intelligence service cyber activity, to help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities." But as Lee and Hultquist note, that's not how the final report read in its final public form. Bears & Breadcrumbs Meanwhile, skeptics of naming Russia as behind the election-related hacks argue that Russia's leftover "breadcrumbs" are too obvious, and therefore could present false flags meant to implicate Vladimir Putin's government. But longtime cyber espionage investigators such as Kevin Mandia say Russian state hackers for some time have stopped caring about getting caught. In a recent interview with Dark Reading, Mandia said the leaking of DNC and Podesta emails are yet another example of a major shift in Russia's nation-state hacking machine. Mandia has watched over the past two years as Russia basically stopped retreating once its hackers were in the sights of FireEye/Mandiant investigators. They also stopped trying to hide their tracks: "The scale and scope were starting to change. Then I thought maybe their anti-forensics had gotten sloppier because now we could observe that they were not going away," he said. Rather than their usual counter-forensics cleanup, the Russians now merely left behind their digital footprints from their cyber espionage campaigns. "They used to have a working directory and would remove it when they were done. But they just stopped doing that," Mandia said. That's either because they're no longer as disciplined in their campaigns, he said, or "they've just chosen to be more noticeable." Related Content: Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio More Insights

FBI-DHS Report Provides Insight Into Russian Malicious Cyber Activity

NEWS ANALYSIS: 'GRIZZLY STEPPE' Joint Analysis Report from Department of Homeland Security and the Federal Bureau of Investigation provides insight into the techniques allegedly used by the Russian government to hack the U.S After months of speculation and allegations about Russian hacking activities related to the U.S election, the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) issued a Joint Analysis Report (JAR) on December 29, 2016, detailing the tools and techniques used by Russian intelligence services against the U.S.The 13-page report, titled 'GRIZZLY STEPPE - Russian Malicious Cyber Activity' does not contain all of the information collected by U.S Intelligence agencies on the various alleged hacking activities of Russia, as it is classified by DHS and FBI as being Traffic Light Protocol (TLP) White.

The TLP rating system was first defined by the Forum for Incident Response and Security Teams (FIRST) as a way to help cybersecurity professionals responsibly share information on threats, without exposing organizations to additional risk.

The TLP:WHITE classification means that the information being shared carries, "minimal or no foreseeable risk of misuse," according to US-CERT.In the JAR, the U.S Government confirms that two different Russian Intelligence Services (RIS) affiliated groups, were involved in an attack against the Democratic National Committee (DNC).

The JAR notes that one group identified as APT28, hacked the DNC in the summer of 2015, while APT 29 breached the DNC in Spring 2016. On June 14, 2016, eWEEK reported on the DNC breaches, which were identified by security firm CrowdStrike.

The DNC breaches were not the first U.S attacks from APT28 and APT29 either.

CrowdStrike which refers to APT29 as 'CozyBear' has attributed multiple U.S. government attacks to CozyBear, including breaches in the White House in October 2014 and the State Department in November 2014.The JAR also confirms that the DNC was breached by way of multiple targeted spearphishing campaigns.

The report notes that one of the spearphishing campaigns achieved its initial success when a targeted individual, "…activated links to malware hosted on operational infrastructure of opened attachments containing malware." Another APT28 spearphishing campaign in spring 2016 took a different approach and was able to trick victims into changing passwords, via a fake webmail domain that was actually being hosted by APT28. "Using the harvested credentials, APT28 was able to gain access and steal content, likely leading to the exfiltration of information from multiple senior party members, the report states.After the spring 2016 attack was revealed by CrowdStrike to be associated with RIS operatives, a hacker identified as 'Guccifer' shot back online claiming responsibility for the breach and denying any connection to Russia.

The JAR report states that, in some cases, RIS actors masqueraded as third parties, hiding behind false online personas designed to cause the victim to misattribute the source of the attack.Indicators of Compromise (IOCs)As part of the JAR, US intelligence agencies have provided some direction for US government agencies and organizations to help identify any potential RIS associated hacking activities.

The JAR provides a list of Indicators of Compromise (IOCs) including IP addresses and file hashes of malware.

The IOC data is available in the Structured Threat Information eXpression (STIX) format to help make it easier for organizations to use the data.Among the IOCs in the report was a form of PHP malware that was also found to be attacking WordPress powered websites. Mark Maunder, Founder and CEO of Wordfence blogged that his firm had tracked over 130 attempts to upload the PHP malware to Wordfence protected customer sites. Maunder stated that just because an attack may make use of the same malware reported in the JAR, doesn't necessarily mean the attackers are Russian government operatives."The data in the DHS/FBI Grizzly Steppe report contains 'indicators of compromise' (IOCs) which you can think of as footprints that hackers left behind," Maunder wrote. "The IOC’s in the report are tools that are freely available and IP addresses that are used by hackers around the world."Looking beyond just the attribution of IOCs mentioned in the DHS/FBI Grizzly Steppe report, the JAR also provides organizations with a long list of actions that can be taken to help prevent and detect attacks.Among the best practices recommendations made in the JAR are for organizations to make use of multi-factor authentication and for users to use complex passwords that change regularly.

Additionally the report recommends that organizations use a multi-tier administrative model for account credentials.What is particularly interesting about the JAR is that it doesn't mention the use of any particularly unique or exotic malware. Now that doesn't mean that there were no zero-days in use, this is just a TLP:WHITE rated report, but it does mean that cybersecurity best practices and technology can work to reduce risk. While the DHS/FBI Grizzly Steppe report details actions taken by RIS operatives, the recommendations for defense and security are likely useful for organizations of all sizes to stay safe in 2017.Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com.

Follow him on Twitter @TechJournalist