Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.
Updated June 3, 2015 11:00 AM
Recently a popular privacy and unblocker application known as Hola has been gaining attention from the security community for a variety of vulnerabilities and highly questionable practices that allow the service to essentially behave as a botnet-for-hire through its sister service called Luminati. Vectra researchers have been looking into this application after observing it in customer networks over the past several weeks, and the results are both intriguing and troubling. In addition to its various botnet-enabling functions that are now part of the public record, the Hola application contains a variety of features that make it an ideal platform for executing targeted cyber attacks.
Time is a big expense when it comes to detecting cyber threats and malware. The proliferation of new malware variants makes it impossible to detect and prevent zero-day threats in real-time. Sandboxing takes at least 30 minutes to analyze a file and deliver a signature – and by then, threats will have spread to many more endpoints.
Yesterday Anthem became the latest company to suffer a massive, high-profile data breach that almost certainly will become the largest data breach to date in the healthcare industry. Attackers were able to infiltrate the network and steal personal information for over 80 million customers. The stolen data included a variety of Personally Identifiable Information (PII) including Social Security numbers, contact details as well as employment and income information.
This is a particularly dangerous combination of data that is worth significantly more on the black market than stolen credit card numbers. Unlike a credit card, which can be easily cancelled and replaced, a full identity can be used for long-term fraud such as taking out loans in the victim’s name. Employment information is particularly sought after when selling an identity. The one silver lining is that it does not appear that medical records and other Personal Health Information (PHI) were exposed in the breach.
Periodically, articles are published highlighting the difficulty authorities have investigating illegal activity on the Internet when the perpetrators make use of the anonymity that Tor provides.
Last week saw another such article appear in The Wall Street Journal, highlighting an operation that took down more than four hundred Web sites accessible only via Tor, which are essentially Tor “services”, arrested 17 people and confiscated plenty of Bitcoins associated with running these web sites. These web sites are referred to as “darknet marketplaces” and basically connect purveyors of illegal goods (e.g., drugs, guns) and services (e.g., contract killings) with people seeking these things. An August article in Wired spent more time detailing how the FBI goes about fighting the demand side of the problem – by infecting machines belonging to potential seekers of such goods and services via drive-by-downloads.
Home Depot, Target, JP Morgan, and Community Health Systems have all been victims of a network security breach, resulting in the loss of customers' personal data and millions of dollars in revenue. We ask ourselves "who will be next?" – because the assault on the digital economy has become an asymmetric war and businesses are on the losing side.
The first edition of "The Post Breach Industry Report" is an industry study using real-world data from enterprise networks, revealing what attackers do inside an organization's network once they evade perimeter defenses.
Salespeople. They're charismatic, they're informative, and if they're good, they'll convince you that what they have is exactly what you need. I remember being tasked with finding a new corporate travel solution by a former manager. When information I found online looked promising, or was too vague, I'd request a sales demo. During the meeting, I would experience total clarity. What a perfect solution. This is exactly what we need. I'm not an easy sell, am I? The assurance salespeople provide is comforting, but the thing is, not all solutions are an ideal fit, and a salesperson isn't in the business of helping you find an ideal fit.
Meaningful information security metrics seem to come in as many shapes and sizes as there are CISAs, CISMs, and CISSPs brave enough to weigh in on the subject. There are plenty of risk and security frameworks available to help guide a security team to a reasonable answer to nearly any question posed regarding the appropriate allocation of resources required to reduce a given business risk to a specific level.
While meeting with a customer last week, we looked through the detections report to see if some of the new algorithms we released had produced detections. I noticed the lines for all categories of detections dropped precipitously and then increased nearly as rapidly two days later. Nearly as fast as I pointed my finger at the screen, he said, "Yeah, that's the weekend." It took 3 seconds for us both to say, "Laptops." If you ever wanted evidence that most malware is walked in the front door on mobile devices like laptops, tablets and smartphones, then this is the graph for you.
A customer recently shared her perspective on the growing security white noise – a term she uses to describe the increasingly high volume of alerts coming out of defense-in-depth security. To punctuate her point, she pulled up a recent Wall Street Journal blog with an example from Gartner analyst Avivah Litan of a client who receives over 135,000 security alerts a day. As Avivah aptly stated, "It becomes like the car alarms going off in a parking lot – no one takes them seriously because generally there are too many false car alarms."
Looking back at the Bloomberg BusinessWeek coverage of the Target breach, the article focused on multiple security alerts of the malware used to initiate the attack. While these alerts were marked as high priority, it is easy to imagine that an enterprise the size of Target may have been receiving hundreds or thousands of security alerts of varying priority that created white noise.
In talking to customers, I am frequently reminded of the fact that people's understanding of how malware is built and delivered hasn't kept up with the changing landscape over the past few years. While most people expect actual targeted attacks to evolve through multiple stages, much of the run-of-the-mill botnet malware no longer infects a system in a single stage either. Much of this multi-stage malware starts off with a small dropper that represents only the initial stage of an exploit. We've seen small droppers come bundled in Microsoft Word documents, PDF files and spreadsheets attached to emails, or be retrieved when browsers access URLs – whether the user clicks on a link embedded in an email or visits a compromised web site.
Target, Neiman Marcus, Michael’s. There’s no doubt that the retail sector is under attack, but prominent retailers are not alone. Criminals are targeting banks, healthcare providers, government agencies and even high schools—anyone with high-value data or a reputation to protect. Whether your business is big or small, chances are that hackers have already penetrated your network.
But what do you do?
A new Gartner report, "Designing an Adaptive Security Architecture for Protection from Advanced Attacks," advises: "All organizations should now assume that they are in a state of continuous compromise." The challenge it outlines is the insufficiency of blocking and prevention capabilities to protect against motivated, advanced hackers.