
Tag: Advanced Persistent Threat

An advanced persistent threat is a set of stealthy and continuous computer hacking processes, often orchestrated by humans targeting a specific entity. An APT usually targets organizations and/or nations for business or political motives. APT processes require a high degree of covertness over a long period of time. The “advanced” process signifies sophisticated techniques using malware to exploit vulnerabilities in systems. The “persistent” process suggests that an external command and control system is continuously monitoring and extracting data from a specific target. The “threat” process indicates human involvement in orchestrating the attack.

Company releases new advanced threat protection services, a new "security sandbox" product, and upgraded storage and disaster-recovery packages.

SAN FRANCISCO -- Dell, much better known for PCs, storage and servers than for its security acumen, made a lot of news this past week in the data protection category.

Item 1: The Round Rock, Texas-based corporation's SecureWorks subsidiary on March 3 launched a cloud-based service that identifies threats while they are happening by identifying malicious behavior, enabling it to become aware of attacks that may otherwise go undetected because they involve little or no malware code.

Dell's Advanced Endpoint Threat Detection Red Cloak is available now as a fully managed software-as-a-service platform. It links to endpoint monitoring capabilities and lightweight sensors in the user's data center in order to scan and analyze for activity that could indicate a network breach. The service is powered by real-time threat intelligence provided by the Dell SecureWorks Counter Threat Unit (CTU).

The system is already protecting more than 4,100 Dell clients in 61 countries, the company said. Within the unit, the company's Cyber Threat Analysis Center can provide electronic notification within 15 minutes of determining that activity constitutes a security incident, Dell said.

Targeted and/or high-impact events are then forwarded to the Senior Intrusion Analyst Team, which guarantees a response within 24 hours.

New Data-Protection Packages Released

Item 2: On the storage security side, Dell unveiled a series of new data-protection packages to help organizations better protect frontline business systems, applications, and data, either on premises or in the cloud. These offerings include Dell Data Protection/Rapid Recovery, three new data deduplication appliance models, a free edition of the new Dell Data Protection/Endpoint Recovery, and Dell's Data Protection/NetVault Backup 11.

Dell Data Protection/Rapid Recovery integrates proven and familiar features of AppAssure and other Dell securityware to help eliminate downtime for customer environments.

Customers can attain ZeroImpact recovery of systems, applications and data across physical, virtual and cloud environments, the company said.

Another new feature, Rapid Snap for Applications, takes snapshots of entire physical or virtual environments up to every five minutes.

This gives users immediate access to data in the event of an incident and the power to restore in real time as if nothing ever happened.
In addition, Rapid Snap for Virtual technology offers agentless protection of VMware VMs, Dell said.

Capture, Dell's New 'Sandbox' Security Service

Item 3: Patrick Sweeney, Vice-President of Marketing and Product Management for Dell Security, told eWEEK at the RSA Conference here about SonicWall's new Capture service, a sandboxing technology -- which is in the same space as FireEye, Lastline and others -- that has "differentiatable attributes to it."

"It's managed and controlled by the next-generation firewalls, and we see packets coming in; we identify everything we know to be good, everything we know to be bad, and also what we determine to be unknown," Sweeney said. "It could be zero-day, could be something benign, or whatever. We direct it to our cloud infrastructure, where we process it through in a key differentiation: three engines in parallel."

"Everybody knows that no one security engine is going to find every threat," Sweeney said. So, in addition to the SonicWall Capture and Lastline engines (Dell is part owner of Lastline, a strong emulation engine that enables users to detect advanced malware in networks), data packets in Capture are also fed into VMRay, a third-generation malware analysis technology that detects and protects systems from APTs (advanced persistent threats), targeted attacks, and 64-bit kernel rootkits, he said.

VMRay was announced this week at the RSA conference as Dell's newest security partner. All the products noted in this article are available now.

But its role in the attack remains unclear

Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015. A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23.

"In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes.

"Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far-fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes."

BlackEnergy has evolved from a "relatively simple" distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom.

The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers. Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

The Ukrainian government and the three impacted power utilities (named elsewhere as Prykarpattya, Oblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating with an attempt to destroy evidence on field devices using wiper malware. The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. The whole incident has generated a great deal of interest because it's reckoned to represent the first time that hackers have successfully attacked a power grid.

For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace.

A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based hack attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010. BlackEnergy malware was discovered on the affected companies' computer networks; however, it is important to note that ICS-CERT investigators reckon the precise role of the potent cyber-pathogen in the attack remains as yet unclear. Each company also reported that it had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.
It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged. A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector.

The possible motivations of the hackers range from an attempt to disable Ukraine economically to a test of the power of their malware against real-life targets. Russia is the obvious prime suspect in this malfeasance, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun. Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in the future. Industrial control system security expert Robert M. Lee argues that ICS-CERT unnecessarily hedged its bets in calling BlackEnergy a central vector of the attack. "ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources.

The malware, however, was not responsible for the outage.
It just enabled the attackers, as the SANS team and others in the community have said all along," he added.

Microsoft really, really wants everyone to dump Windows XP, Windows 7, and Windows 8 in favor of Windows 10.
It's been aggressively urging users to upgrade to Windows 10, even preinstalling the Windows 10 update on PCs unasked.

This week, it provided a new incentive to encourage Windows 10 updates, especially in businesses: enhanced security. The company announced a new service built into Windows 10 called Windows Defender Advanced Threat Protection that helps IT detect attacks that have made it into the network and suggests how to respond to them. Windows Defender ATP does not yet actually remediate any breaches that it detects, though Microsoft plans to add such capabilities in the future. (Don't confuse Windows Defender ATP with Exchange Online ATP, a for-pay add-on to Office 365. Windows Defender ATP complements Exchange Online ATP rather than serving as an alternative to it.)

Windows Defender ATP is one of several security features that Microsoft has brought to Windows 10 in hopes of upping the appeal to enterprise IT departments. Others include:

Credential Guard: Built into Windows 10 Enterprise and Education editions, this tool stores credentials (NTLM hashes and Kerberos tickets) with the LSASS process that manages them in an isolated Hyper-V virtualized container.

Device Guard: This tool prevents untrusted apps from running on Windows 10 Enterprise PCs. Via virtualization, it isolates the Code Integrity services from the Windows kernel. For this to work, you have to go through and sign your apps and determine their trustworthiness.

Windows Hello: This is a biometric authentication feature built into Windows, using fingerprint matching and facial recognition.

Enterprise Data Protection: This tool works with Microsoft's Intune and Configuration Manager servers, as well as with third-party mobile management servers, to encrypt enterprise data and remotely wipe enterprise data from devices. Other mobile management tools offer similar capabilities, but Microsoft's stands apart in its integration with Azure Active Directory for access management to cloud and other services.

Windows 10 also provides security tools included in previous Windows versions, such as a software firewall, BitLocker drive encryption, and the Windows Defender antimalware tool.

Windows Defender APT – no, not that type of APT

RSA 2016 Microsoft will be rolling out a new form of security system for enterprises later this year aimed at stopping attacks as soon as they happen. Dubbed Windows Defender Advanced Threat Protection, the system will monitor a company's computer systems looking for signs that an attack is occurring.
If someone starts trying to break in, the software will alert the IT manager and give a detailed rundown on the best way to mitigate the attack and lock down data. "Deploying Windows Defender Advanced Threat Protection gave us incredible awareness about several critical security vulnerabilities in our network, which we've already taken immediate action to address, along with updating our security policies," said Henrik Pedersen, IT Manager at TDC Hosting in a canned statement. Microsoft is already trialing the system with 500,000 enterprise users and is fine-tuning the release before launch.
It'll only be available for Windows 10 users and will be turned off by default and activated on a subscription fee basis, although pricing hasn't been announced as yet. Tim Rains, director of security at Microsoft, told The Register that there was no technical reason why the software couldn't run on Windows 7 or 8.1, but that it has been developed for Windows 10 primarily so that it could take advantage of the more advanced security features of the newer operating system. To develop the attack plans, he explained, the new system takes information from Microsoft's 1.2 billion sensors – primarily on computers round the world running its software – and then feeds them into a central console run by its best security bods. We'll have to see how well the system works in practice, since this is the kind of code that could drive IT managers nuts with false positives.

But Redmond is confident that the system works well and, if so, it could give rival security vendors some serious problems.

Windows Defender Advanced Threat Protection firstly aims at detecting advanced attacks.

Not a day goes by when we don't hear about another hack.

To ensure that your business is not next, Microsoft has announced Windows Defender Advanced Threat Protection, which it says "provides a new post-breach layer of protection to the Windows 10 security stack."

According to Microsoft, it employs "sophisticated threat intelligence" that can determine who may have conducted the attack, how it was done, and why it happened.

The company crunches that data with help from behavioral sensors, cloud-based security analytics, and other data compiled by Microsoft's security team. "This data is then augmented by expertise from world-class security experts and advanced threat protection Hunters from across the globe, who are uniquely equipped to detect attacks," according to Microsoft. Once the basics of the attack have been identified, Microsoft's new platform provides companies with recommendations on how they should respond.

The tool will find the files and machines that were affected and allow users to quarantine them from the network. Microsoft says it will offer "remediation tools for affected endpoints" at some point in the future to help companies eliminate the flawed data. Finally, Microsoft says that its Windows Defender Advanced Threat Protection will be continually updated and since it's based in the cloud, will not require "on-premise server infrastructure or ongoing maintenance." It will also work in tandem with Microsoft's other security solutions, including Advanced Threat Analytics. Looking ahead, Microsoft hopes to sign on more companies.

As of this writing, the company has rolled out Advanced Threat Protection to "early adopter customers." It's currently protecting 500,000 endpoints, which includes the entire Microsoft network. The launch could prove important to the growing number of companies that are adopting Windows 10, including the Department of Defense.
A new offering, called Windows Defender Advanced Threat Protection, alerts administrators if attackers gain a foothold on a network.

Suffered a network breach? Microsoft's latest cloud-based data security service can help administrators prevent their Windows devices from giving up the goods. Using as a backdrop this week's RSA Conference—when the IT industry turns its attention to information security—the software giant on March 1 announced Windows Defender Advanced Threat Protection.

Borrowing the name of Windows' built-in anti-malware software, the upcoming product helps make Windows 10 systems less susceptible to data leaks, even if an attacker has already managed to breach a corporate network.

"To help protect our enterprise customers, we are developing Windows Defender Advanced Threat Protection, a new service that will help enterprises to detect, investigate and respond to advanced attacks on their networks," Terry Myerson, executive vice president of Microsoft's Windows and Devices group, said in a March 1 announcement. "Building on the existing security defenses Windows 10 offers today, Windows Defender Advanced Threat Protection provides a new post-breach layer of protection to the Windows 10 security stack."

While businesses experienced fewer breaches in 2015 than the year before, they remain a major concern. Last year, organizations reported a total of 1,673 breaches, 46 of which involved a million records or more. On average, the total cost for a data breach rings up at $3.8 million, according to Ponemon Institute's 2015 Cost of Data Breach Study.

Generally, it takes just over 200 days to detect a breach. Windows Defender Advanced Threat Protection is Microsoft's bid to keep its customers, or at least their Windows systems, from becoming one of those statistics. "With a combination of client technology built into Windows 10 and a robust cloud service, it will help detect threats that have made it past other defenses, provide enterprises with information to investigate the breach across endpoints, and offer response recommendations," Myerson continued. The product can detect advanced attacks, courtesy of security analytics performed by Microsoft.

The company claims to gather anonymized information from over a billion Windows devices and 2.5 trillion indexed URLs, along with "detonating" a million suspicious files each day, to inform its threat intelligence system. When a threat is detected, the product can offer security administrators recommendations on how to proceed.

"With time travel-like capabilities, Windows Defender Advanced Threat Protection examines the state of machines and their activities over the last six months to maximize historical investigation capabilities and provides information on a simple attack timeline," Myerson said. "Simplified investigation tools replace the need to explore raw logs by exposing process, file, URL and network connection events for a specific machine or across the enterprise."

The company is also working on baking remediation tools into the offering. In its current pre-release state, the product is already helping safeguard 500,000 endpoints, Myerson revealed. "Windows Defender Advanced Threat Protection is already live with early adopter customers that span across geographies and industries, and the entire Microsoft network, making it one of the largest running advanced threat protection services."

WDATP can detect anomalous behavior even when the malware scanner doesn't find anything wrong.

Microsoft is beefing up Windows Defender, the anti-malware program that ships with Windows 10, to give it the power to tell companies that they've been hacked after the fact. Attacks that depend on social engineering rather than software flaws, as well as those taking advantage of unpatched zero-day vulnerabilities, can evade traditional anti-malware software. Microsoft says that there were thousands of such attacks in 2015 and that on average they took 200 days to detect and a further 80 days to contain, giving attackers ample time to steal data and incurring average costs of $12 million per incident.

The catchily named Windows Defender Advanced Threat Protection is designed to detect this kind of attack, not by looking for specific pieces of malware, but rather by detecting system activity that looks out of the ordinary. For example, a social engineering attack might encourage a victim to run a program that was attached to an e-mail or execute a suspicious-looking PowerShell command.

The Advanced Persistent Threat (APT) software that's typically used in such attacks may scan ports, connect to network shares to look for data to steal, or connect to remote systems to seek new instructions and exfiltrate data. Windows Defender Advanced Threat Protection can monitor this behavior and see how it deviates from normal, expected system behavior.

The baseline is the aggregate behavior collected anonymously from more than 1 billion Windows systems. If systems on your network start doing something that the "average Windows machine" doesn't, WDATP will alert you. The system also strives to understand malicious behavior, too. More than 1 million suspicious files are automatically executed and examined within sandboxed environments in the cloud to build a better picture of the abnormal activities that malware and hacks can cause.

All this data is crunched and analyzed using machine learning techniques to build models of normal and abnormal system activity.

This means that not only can unusual PC behavior be identified, it can also be cross referenced against particular malware. When errant system behavior is found, WDATP alerts administrators and gives them a view not just of a machine's current activities, but also historic information about network usage, files accessed, and processes run.

That an intrusion has occurred may not be detected immediately, but this information should make it easier to determine when machines were compromised and just how far into an organization's systems the intruder managed to penetrate. As is increasingly the way with Microsoft's software, the whole thing is cloud-based with no need for any on-premises server.

A client on each endpoint is needed, which would presumably be an extended version of the Windows Defender client.

[Figure: The WDATP dashboard giving an at-a-glance view of system health.]

While announced today, WDATP is currently being tested on about half a million systems in a private beta. WDATP will become more broadly available in a public preview later in the year. Microsoft has yet to decide on what kind of pricing model it will have. The company says that more than 22 million enterprise customers have already made the switch to Windows 10 and points at the Department of Defense's plans to upgrade 4 million systems as further evidence that Windows 10 is not merely ready for the enterprise but is also a marked improvement on Windows 7 and 8.1.

Part of the push for Windows 10 is its improved security features; Windows 10 includes a number of sensible new security features that Microsoft is trying to sell enterprise users on, such as Credential Guard (to make credential theft and lateral access within breached networks harder) and Device Guard (to more robustly lock malware out of systems). WDATP is going to be part of that same push to Windows 10, and it won't be available for older operating systems.

This arguably marks a broader shift in Microsoft's approach to enterprise software; traditionally, Redmond would, just like every other software vendor, support its software on multiple versions of Windows.
In so doing, Microsoft acted as an enabler, allowing corporations to keep old versions of Windows long past their prime. Keen to avoid Windows 7 becoming "the new Windows XP," the company is being rather more aggressive in applying pressure on users to upgrade to Windows 10 sooner rather than later.
WatchGuard’s AP300 combines modern wireless features with award-winning security to better protect against network attacks

Woking, Surrey: 18/2/16 – Wick Hill is now shipping WatchGuard’s new AP300 for secure wireless access.

Designed to work with WatchGuard's award-winning Unified Threat Management (UTM) Firebox appliances, the AP300 delivers cutting-edge wireless access with advanced security services to help industry providers better protect customers across Wi-Fi networks.

The AP300 offers the latest 802.11ac standard and a host of new wireless features to solve business problems including Fast Roaming to improve quality for VoIP devices; Fast Handover, which forces "sticky" devices with low signal strength to quickly connect to the next AP; and Band Steering to move devices to the clearer 5GHz band.

Wireless trends are growing with Wi-Fi access becoming ubiquitous in businesses, stores, corporate environments and public spaces. Organizations are offering guest Wi-Fi access so customers can go online via cell phones, laptops and devices. However, security is an often overlooked yet critical element in the explosion of wireless today.

As the use of wireless increases, so does the vulnerability to both opportunistic and targeted attacks. "Organizations across all industries are facing increased pressure from customers, vendors, and employees to offer wireless access. Unfortunately, hackers are also constantly trying to gain a foothold into the network," said Ryan Orsi, director of product management at WatchGuard. "Organizations need to play better defense, especially on Wi-Fi networks.

Businesses that fail to properly secure their Wi-Fi networks, including guest hotspots, may expose customers, partners, and internal users to a variety of risks.

The AP300 provides the latest wireless technology and best-in-class security features working together to help protect customers from threats online via Wi-Fi networks."

Ian Kilpatrick, chairman of leading WatchGuard distributor Wick Hill Group, commented: “While these risks have been around for a long time, organisations and retail providers are now (often belatedly) moving to deal with this challenge. We have seen exceptional growth in demand in the last six months, driven in part by the recent spate of high profile breaches, and in part by the range of capabilities and ease of implementation.”

Security threats that may involve wireless networks include:

Wi-Fi Password Cracking: Wireless access points that still use older security protocols, like WEP, are easy targets because passwords are notoriously easy to crack.

Rogue Hotspots: Nothing physically prevents a cyber criminal from enabling a foreign access point near a hotspot with a matching SSID, which invites customers to log in. Users that fall victim to the Rogue AP are susceptible to malicious code, which often goes unnoticed.

Planting Malware: Customers that join a guest wireless network are susceptible to unknowingly walking out with unwanted malware, delivered from bad-intentioned neighboring users. A common tactic used by hackers is to plant a backdoor on the network, which allows them to return at a later date to steal sensitive data.

Eavesdropping: Guests run the risk of having their private communications intercepted, or packet sniffed, by cyber snoops while on an unprotected wireless network.

Data Theft: Joining a wireless network may put users at risk of losing private documents to cyber thieves that are listening in and opportunistically intercepting data being sent through the network.

Inappropriate and Illegal Usage: Businesses offering guest Wi-Fi risk playing host to a wide variety of illegal and potentially harmful communications. Adult or extremist content can be offensive to neighboring customers, and illegal downloads can leave the business susceptible to lawsuits.

Bad Neighbors: As the number of wireless users on the network grows, so does the risk of a pre-infected device entering the network. Mobile attacks, such as Android's Stagefright, can spread from guest to guest, even if "victim zero" is oblivious to the outbreak.

WatchGuard protects against these threats, enabling wireless networks to pass traffic through all security services running on the WatchGuard firewall, including anti-virus (AV), Intrusion Prevention Service (IPS), WebBlocker, spamBlocker, App Control, Reputation Enabled Defense, APT Blocker, and Data Loss Prevention.

Each of these services is managed in a single-pane-of-glass console, and can be enabled without sacrificing speed or throughput.

About Wick Hill

Established in 1976, value added distributor Wick Hill specialises in secure IP infrastructure solutions.

The company sources and delivers best-of-breed, easy-to-use solutions through its channel partners, with a portfolio that covers security, performance, access, networking, convergence, storage and hosted solutions. Wick Hill is particularly focused on providing a wide range of value added support for its channel partners.

This includes a strong lead generation and conversion programme, technical and consultancy support for reseller partners in every stage of the sales process, and extensive training. Wick Hill Group is part of Rigby Private Equity, a subsidiary of Rigby Group Investments, an independent company within Rigby Group plc.

As such, Wick Hill has its headquarters in the UK, an office in Germany and an office in Austria. Wick Hill is also able to offer services to channel partners in thirteen European countries and worldwide, through its association with Zycko, as part of RPE.

About WatchGuard Technologies, Inc.

WatchGuard® Technologies, Inc. is a global leader of integrated, multi-function business security solutions that intelligently combine industry-standard hardware, best-in-class security features, and policy-based management tools. WatchGuard provides easy-to-use, but enterprise-powerful protection to hundreds of thousands of businesses worldwide. WatchGuard is headquartered in Seattle, Wash. with offices throughout North America, Europe, Asia Pacific, and Latin America.

To learn more, visit WatchGuard.com. WatchGuard is a registered trademark of WatchGuard Technologies, Inc.

All other marks are property of their respective owners.

For further information on Wick Hill, please go to www.wickhill.com; Twitter www.twitter.com/wickhill.

For further press information, please contact Annabelle Brown, public relations consultant, on 01326 318212, email pr@wickhill.com.
How some cyber espionage and other advanced attack groups don't go dark anymore after being outed.

The epic and ugly cyberattack on Sony in 2014 may now be one for the history books, but the attackers behind it remain active and prolific. “They didn’t disappear when the dust settled” after the Sony attacks, says Juan Andres Guerrero-Saade, senior security researcher at Kaspersky Lab.

Guerrero-Saade and fellow researcher Jaime Blasco last week at the Kaspersky Security Analyst Summit in Tenerife, Spain, detailed new activity by the Sony hackers. “It took us two years to correlate all of the information we had … The same people were launching campaigns using information from the Sony attack,” said Blasco, who is vice president and chief scientist of AlienVault.

The attacks are mainly intelligence-gathering efforts, but occasionally the attacks include wiping disk drives, he said. The attackers, who the US government says came out of North Korea, pummeled Sony, wiping disk drives and doxing emails and other sensitive information.

There has been a noticeable shift in how some advanced threat groups such as this respond after being publicly outed by security researchers. Historically, cyber espionage gangs would go dark. “They would immediately shut down their infrastructure when they were reported on,” said Kurt Baumgartner, principal security researcher with Kaspersky Lab. “You just didn’t see the return of an actor sometimes for years at a time.” But Baumgartner says he’s seen a dramatic shift in the past few years in how these groups react to publicity.

Take Darkhotel, the Korean-speaking attack group known for hacking into WiFi networks at luxury hotels in order to target corporate and government executives.

Darkhotel is no longer waging hotel-targeted attacks -- but they aren’t hiding out, either. In July, Darkhotel was spotted employing a zero-day Adobe Flash exploit pilfered from the HackingTeam breach. “Within 48 hours, they took the Flash exploit down … They left a loosely configured server” exposed, however, he told Dark Reading. “That’s unusual for an APT [advanced persistent threat] group.”

The Darkhotel group appears to care less about its infrastructure and more about its advanced attack techniques, he says. “Public exposure isn’t going to affect them,” he says. “The hotel [attack] activity focused on business travelers has come to an end, but the other operations are highly active,” including sending rigged links to Southeast Asia targets via Webmail services.

‘No Such Actor’

Meantime, one of the most advanced and infamous nation-state threat actor groups has been dark for more than a year. Kaspersky Lab still hasn’t seen any sign of the so-called Equation Group, the nation-state threat actor operation that the security firm exposed early last year and that fell off its radar screen in January of 2014. The Equation Group, which has ties to Stuxnet and Flame as well as clues that point to a US connection, was found with advanced tools and techniques including the ability to hack air-gapped computers, and to reprogram victims’ hard drives so its malware can’t be detected or erased. While Kaspersky Lab stopped short of attributing the group to the National Security Agency (NSA), security experts say all signs indicate that the Equation Group equals the NSA.

“I would assume they are active but just changed their” communications, says Costin Raiu, director of the global research and analysis team at Kaspersky Lab. “We don’t detect them anymore.”

Just how APT groups from various regions react to being outed is often a cultural thing. “The Far Eastern [APTs] don’t seem to care too much” about hiding out after being outed, he told Dark Reading. “The rest of the world cares a bit more.” One exception to that is the attack group behind the US Office of Personnel Management (OPM) breach, he says. “They are a different kind of fish. The moment they got discovered,” they shifted gears, he says. “We found traces of activity related to those guys. But it was at another level of skills and capabilities versus other Chinese-speaking groups.”

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

As RCS ‘takes off’, carriers turn to AdaptiveMobile to proactively secure services and protect users

DALLAS and DUBLIN, 11 February 2016 – AdaptiveMobile, the world leader in mobile network security, today announced that the Company has signed landmark deals with three Tier-1 carriers in North America to protect their strategic RCS messaging infrastructures.

RCS has long been projected to be the future of mobile messaging, with the 2015 Global Strategic Business Report projecting “the global market for RCS Services to reach US $4.9 billion by 2020.” Google’s acquisition of Jibe Mobile, a leading provider of RCS services, in September is further evidence of the industry’s efforts to bring RCS to a global audience.

The rapid uptake of AdaptiveMobile’s RCS security, which uses RESTful APIs, enables carriers to proactively deploy features such as “identification, authentication, privacy and security” to retain trust in their networks and gain competitive advantage over proprietary messaging apps such as WhatsApp and Viber.

“After many false dawns, we can say with confidence that RCS has finally arrived, as the operator community realise their vision of a global interoperable messaging standard,” commented Brian Collins, CEO of AdaptiveMobile. He continued: “As the industry moves towards NFV and Telco clouds, open security APIs will be increasingly important – and as the world leader in carrier security, AdaptiveMobile is at the forefront of this security revolution.”

For more information about AdaptiveMobile’s mobile threat detection and prevention capabilities please visit the website at www.adaptivemobile.com.

###

About AdaptiveMobile:

AdaptiveMobile is the world leader in mobile network security protecting over one billion subscribers worldwide and the only mobile security company offering products designed to protect all services on both fixed and mobile networks through in-network and cloud solutions. With deep expertise and a unique focus on network-to-handset security, AdaptiveMobile’s award-winning security solutions provide its customers with advanced threat detection and actionable intelligence, combined with the most comprehensive mobile security products available on the market today. AdaptiveMobile’s sophisticated, revenue-generating, security-as-a-service portfolio empowers consumers and enterprises alike to take greater control of their own security.

AdaptiveMobile was founded in 2004 and boasts some of the world’s largest mobile operators as customers and the leading security and telecom equipment vendors as partners. The Company is headquartered in Dublin with offices in North America, Europe, South Africa, Middle East and Asia Pacific.

Press contact:
ACSCom PR (USA)
Anne Coyle, +1 857 222 6363
adaptivemobile@acscompr.com
AxiCom (UK)
James Hayward, +44 (0)20 8392 4050
adaptivemobile@axicom.com

Source: RealWire

During the latter part of 2015, Kaspersky researchers from GReAT (Global Research and Analysis Team) got hold of the missing pieces of an intricate puzzle that points to the dawn of the first Portuguese-speaking targeted attack group, named “Poseidon.” The group’s campaigns appear to have been active since at least 2005, while the very first sample found points to 2001.

This signals just how long ago the Poseidon threat actor was already working on its offensive framework. Why has the Poseidon threat remained undetected for so many years? In reality, it has not. Most samples were detected promptly. However, Poseidon’s practice of being a ‘custom-tailored malware implants boutique’ kept security researchers from connecting different campaigns under the umbrella of a single threat actor.

This approach entails crafting campaign components on demand and sometimes fabricating entirely unique malicious artifacts. Our research team was able to put together the disparate pieces of this puzzle by diligently tracing the evolution of Poseidon’s toolkit in pursuit of an overarching understanding of how the actor thinks and the specific practices involved in infecting and extorting its victims. With a set of tools developed for the sole purpose of information gathering and privilege escalation, the sophistication level of the campaign highlights that, today, regional actors are not far behind better-known players in the global game of targeted attacks. Becoming familiar with the operations of the Poseidon Group meant patiently dismantling their modus operandi to unearth the custom-designed infection tools deployed to each of their selected targets.

This process revealed a series of campaigns with highly-regionalized malware practices and geographically-skewed victim tasking, unsurprising in a region with a gradually-maturing cybercrime industry.

The proper detection of each iteration of their evolving toolkit may have been enough to thwart specific efforts, but to truly understand the magnitude of Poseidon’s combined operations required an archeological effort to match.

Frequently asked questions

What exactly is the Poseidon Group?

The Poseidon Group is a long-running team operating on all domains: land, air, and sea.

They are dedicated to running targeted attacks campaigns to aggressively collect information from company networks through the use of spear-phishing packaged with embedded, executable elements inside office documents and extensive lateral movement tools.

The information exfiltrated is then leveraged by a company front to blackmail victim companies into contracting the Poseidon Group as a security firm.

Even when contracted, the Poseidon Group may continue its infection or initiate another infection at a later time, persisting on the network to continue data collection beyond its contractual obligation.

The Poseidon Group has been active, using custom code and evolving their toolkit since at least 2005.

Their tools are consistently designed to function on English and Portuguese systems spanning the gamut of Windows OS, and their exfiltration methods include the use of hijacked satellite connections. Poseidon continues to be active at this time.

Why do you call it Poseidon’s Targeted Attack Boutique?

The presence of several text fragments found in the strings section of executable files belonging to the campaign reveals the actor’s fondness for Greek mythology, especially regarding Poseidon, the God of the Seas (which also coincides with their later abuse of satellite communications meant to service ships at sea).

The boutique element is reflected in their artisanally adaptive toolkit for lateral movement and data collection which appears to change from infection to infection to fit custom-tailored requirements for each of their prospective clients.

The business cycle includes what is euphemistically referred to as ‘financial forecasting’ using stolen information, so we like to say that Poseidon’s boutique not only deals in targeted attacks but also stolen treasures.

How did you become aware of this threat? Who reported it?

We noticed that several security companies and enthusiasts had unwittingly reported on fragments of Poseidon’s campaigns over the years. However, nobody noticed that these fragments actually belonged to the same threat actor, perhaps because many of these campaigns were designed to run on specific machines, using English and Portuguese languages, with diverse command and control servers located in different countries and soon discarded, signing malware with different certificates issued in the name of rogue companies, and so on.

By carefully collecting all the evidence and then reconstructing the attacker’s timeline, we found that it was actually a single group operating since at least 2005, and possibly earlier, and still active on the market. With this understanding, GReAT researchers were able to recognize similarities in obfuscation and development traits leading back to widely-reported but little understood variants on a sample in 2015, which searched for prominent leaders and secret documents involving them.

When did you discover this targeted attack?

The very first samples from this campaign were detected by Kaspersky Lab back in the early 2000s. However, as noted previously, it is a very complex task to correlate indicators and evidence in order to put together all the pieces of this intricate puzzle.

By the middle of 2015 it was possible to identify that throughout this period of time it’s been the same threat actor, which we call Poseidon Group.

Who are the victims? / What can you say about the targets of the attacks?

The targets are companies in energy and utilities, telecommunications, public relations, media, financial institutions, governmental institutions, services in general and manufacturing.

The geographical spread of victims is heavily-skewed towards Brazil, the United States, France, Kazakhstan, United Arab Emirates, India and Russia. Many of the victims have joint ventures or partner operations in Brazil.

The importance of the victims is not measured in numbers since each of these victims is a large-scale (often multinational) enterprise.

What exactly is being stolen from the target machines?

One of the characteristics of the group behind Poseidon is an active exploration of domain-based networks. Such network topology is typical for companies and enterprises. The highest value asset for these companies is proprietary information, technologies, and business-sensitive information that represents significant value in relation to investments and stock valuations.

The Poseidon Group actively targets this sort of corporate environment for the theft of intellectual property and commercial information, occasionally focusing on personal information on executives.

How does Poseidon’s APT Boutique infect computers?

The main infection vector for Poseidon is the use of spear-phishing emails including RTF/DOC files, usually with a human resources lure.

The executables are also often digitally signed and occasionally hidden in alternate data streams to fool security solutions. Poseidon’s toolkit displays an awareness of many antivirus providers over the years, attempting to attack or spoof these processes as a means of self-defense for their infections. Once the infection happens, it reports to the command and control servers before beginning a complex lateral movement phase.

This phase will often leverage a specialized tool that automatically collects a wide array of information including credentials, group management policies, and even system logs to better hone further attacks and assure execution of their malware.

This way the attackers actually know what applications and commands they can use without raising an alert to the network administrator during lateral movement and exfiltration.

What does the Poseidon Group do? What happens after a target machine is infected?

Once the target’s machine is compromised, the attacker first enumerates all processes running in the system and all services.

Then the attacker looks for all administrator accounts on both the local machine and the network.

This technique allows them to map network resources and make lateral movements inside the network, landing in the perfect machine to match the attacker’s interest.

This reflects the Poseidon Group’s familiarity with Windows network administration.
In many cases, their ultimate interest is the Domain Controller. Additionally, the malware reports itself to its hardcoded command and control servers and establishes a backdoor connection, so the attacker may have a permanent remote connection.

What are the malicious tools used by the Poseidon Group? What are their functions?

Poseidon utilizes a variety of tools.

Their main infection tool has been steadily evolving since 2005, with code remnants remaining the same to this day, while others have been altered to fit the requirements of new operating systems and specific campaigns.

A noteworthy addition to the Poseidon toolkit is the IGT supertool (Information Gathering toolkit), a bulky 15-megabyte executable that orchestrates a series of different information-collection steps, exfiltration, and the cleanup of components.

This tool appears to be designed to operate on high-value corporate systems like Domain Controllers or IIS servers that act as repositories of valuable information, particularly for lateral movement.

The IGT tool is coded in Delphi and includes PowerShell and SQL components across a dozen different drops.

This tool contains several other executable files made in different programming languages ranging from Visual Basic 6 to C#, each one performing a very clear task devised by the group when trying to obtain more information from an objective.

The main purpose of the IGT tool is to make an inventory of the system, saving information from the network interfaces and addresses, credentials belonging to the Domain and database server, services being run from the OS and everything that could help the Poseidon Group make its attack more customized to its victim.

Are the attackers using any zero-day vulnerabilities?

No zero-day vulnerabilities have been found in the analysis of the samples obtained regarding this campaign. Poseidon’s conventional means of deceiving users, executable files hidden inside Word and RTF document files, and actual poisoned documents with malicious macro scripts, has been the sole method used for compromising their desired targets.

As we have seen in other targeted campaigns, social engineering and carefully crafted spear-phishing attacks play a crucial role in the effectiveness of getting a foothold in the desired system.

Is this a Windows-only threat? Which versions of Windows are targeted?

Poseidon is particularly focused on the Microsoft Windows operating system family, specifically customizing the infection method for each one so as to gather different information and hide its presence after the initial infection. Other products usually found in corporate environments, such as an SQL server, are being used for lateral movement and credential harvesting using a customized toolset designed by the crafty Poseidon Group.

Because of Poseidon’s longevity, there are samples targeting Windows systems as early as Windows NT 4.0 Server and Windows 95 Workstation up to current versions like Windows 8.1, as well as server variants (very important to them, given the emphasis on reaching Domain Controllers in corporate environments).

How is this different from any other targeted attack?

The extortion elements of this campaign are what set it apart from others.

The exfiltration of sensitive data is done in order to coerce the victim into a business relationship under the threat of exchanging this information with competitors or leveraging it as part of the company’s offering of ‘investment forecasting’.

Additionally, this is the first ever publicly known Portuguese-speaking targeted attack campaign.

Are there multiple variants of the Poseidon Group’s malware? Are there any major differences in the variants?

Poseidon has maintained a consistently evolving toolkit since the mid-2000s.

The malware has not avoided detection but instead been so inconspicuous as to not arouse much suspicion due to the fact that this malware only represents the initial phase of the attack.

An altogether different component is leveraged once Poseidon reaches an important machine like an enterprise’s Domain Controller.

This is where the main collection takes place by use of the IGT (Information Gathering Tool) toolkit.

Is the command and control server used by the Poseidon Group still active? Have you been able to sinkhole any of the command and controls?

Poseidon Group has interesting practices when it comes to its use of command and control servers, including redundancies and quickly discarding command and control (C&C) servers after specific campaigns.

This has actually allowed us to sinkhole several domains.

A few of these still had active infections attempting to report to the C&Cs.

This adds an interesting dimension to the story.

As part of Kaspersky Lab’s commitment to securing cyberspace for everyone, we reached out and notified identifiable victims, regardless of their security solution and provided them with indicators of compromise (IOCs) to help root out the active infection.
In the process, we were able to confirm the previously described operating procedures for the Poseidon Group.

Is this a state-sponsored attack? Who is responsible?

We do not believe this to be a state-sponsored attack but rather a commercial threat player.

Collaboration with information-sharing partners and victim institutions allowed us to become aware of the more complicated business cycle involved in this story, greatly adding to our research interest in tracking these campaigns.

The malware is designed to function specifically on English and Portuguese-language systems.

This is the first ever Portuguese-speaking targeted attack campaign.

How long have the attackers been active?

The attackers have been active for more than ten years.

The main distribution of samples goes back to 2005 with possible earlier outliers. Operating systems such as Windows 95 for desktop computers and Windows NT for server editions were not uncommon at the time and Poseidon’s team has evolved gradually into targeting the latest flagship editions of Microsoft’s operating systems. Recent samples show interest in Windows 2012 Server and Windows 8.1.

Did the attackers use any interesting/advanced technologies?

During a particular campaign, conventional Poseidon samples were directed to IPs resolving to satellite uplinks.

The networks abused were designed for internet communications with ships at sea which span a greater geographical area at nearly global scale, while providing nearly no security for their downlinks. The malware authors also possess an interesting understanding of execution policies which they leverage to manipulate their victim systems.

They combine reconnaissance of GPO (Group Policy Object management for execution) with digitally-signed malware to avoid detection or blocking during their infection phases.

These digital certificates are often issued in the name of rogue and legitimate companies to avoid arousing suspicion from researchers and incident responders.

Does Kaspersky Lab detect all variants of this malware?

Yes, all samples are detected by signatures and also heuristics. With a fully updated Kaspersky Lab anti-malware solution, all customers are protected now. Kaspersky Lab products detect the malware used by Poseidon Group with the following detection names:

Backdoor.Win32.Nhopro
HEUR:Backdoor.Win32.Nhopro.gen
HEUR:Hacktool.Win32.Nhopro.gen

How many victims have you found?

At least 35 victim companies have been identified with primary targets including financial and government institutions, telecommunications, manufacturing, energy and other service utility companies, as well as media and public relations firms. The archaeological effort of understanding such a long-standing group can severely complicate victim identification. We see traces of upwards of a few tens of companies targeted.

The exact number of the victims may actually vary. Since it is a very long term group, some victims may be impossible to identify now. At this time, we are reaching out to victims of active infections to offer remediation assistance, IOCs, and our full intelligence report to help them counteract this threat.

Any victims or potential targets concerned about this threat should please contact us at intelreports@kaspersky.com.

Who is behind these attacks?

We do not speculate on attribution. Language code used to compile implants, as well as the language used to describe certain commands used by the group, actually corresponds to Portuguese from Brazil.

The inclusion of Portuguese language strings and preference for Portuguese systems is prominent throughout the samples. The tasking of Poseidon’s campaigns appears to be heavily focused on espionage for commercial interests. Speculating further would be unsubstantiated.

Reference sample hashes:

2ce818518ca5fd03cbacb26173aa60ce
f3499a9d9ce3de5dc10de3d7831d0938
0a870c900e6db25a0e0a65b8545656d4
2fd8bb121a048e7c9e29040f9a9a6eee
4cc1b23daaaac6bf94f99f309854ea10
2c4aeacd3f7b587c599c2c4b5c1475da
f821eb4be9840feaf77983eb7d55e5f6
2ce818518ca5fd03cbacb26173aa60ce

Command and control servers:

akamaihub[.]com – SINKHOLED by Kaspersky Lab
igdata[.]net – SINKHOLED by Kaspersky Lab
mozillacdn[.]com – SINKHOLED by Kaspersky Lab
msupdatecdn[.]com – SINKHOLED by Kaspersky Lab
sslverification[.]net – SINKHOLED by Kaspersky Lab

For more about countering Poseidon and similar attacks, read this article in the Kaspersky Business Blog.
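The indicators above are only useful once they are matched against telemetry, and two details matter in practice: the domains are published defanged ("[.]") and must be refanged before use, and a domain IOC should match subdomains but not merely similar names. The following is an added example (not Kaspersky Lab's code) that checks constructed DNS resolver log lines and a constructed file-hash inventory against the published list. The hashes are taken from the page; their 32-hex-character length suggests MD5, which is an assumption here, as are the log format and the sample data.

```python
"""Match the Poseidon indicators published above against constructed telemetry.

Added example, not Kaspersky Lab's code. Indicator values are the ones listed
on the page; the DNS log lines and file hashes are constructed sample data.
"""
from typing import Dict, List, Tuple

# Indicators as published (domains are defanged with "[.]" in the source).
POSEIDON_DOMAINS = [
    "akamaihub[.]com",
    "igdata[.]net",
    "mozillacdn[.]com",
    "msupdatecdn[.]com",
    "sslverification[.]net",
]
# 32-hex-character values; treated as MD5 here (assumption). The page lists
# the first hash twice; a set takes care of the duplicate.
POSEIDON_HASHES = [
    "2ce818518ca5fd03cbacb26173aa60ce",
    "f3499a9d9ce3de5dc10de3d7831d0938",
    "0a870c900e6db25a0e0a65b8545656d4",
    "2fd8bb121a048e7c9e29040f9a9a6eee",
    "4cc1b23daaaac6bf94f99f309854ea10",
    "2c4aeacd3f7b587c599c2c4b5c1475da",
    "f821eb4be9840feaf77983eb7d55e5f6",
    "2ce818518ca5fd03cbacb26173aa60ce",
]


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'igdata[.]net' back into 'igdata.net'."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def domain_matches(query: str, ioc: str) -> bool:
    """True when the queried name equals the IOC or is a subdomain of it.

    A plain substring test would also fire on 'igdata.network'; the
    label-boundary check below does not."""
    q = query.lower().rstrip(".")
    return q == ioc or q.endswith("." + ioc)


# Constructed resolver log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2016-02-09T03:12:44Z 10.20.5.17 update.msupdatecdn.com A
2016-02-09T03:12:45Z 10.20.5.17 www.microsoft.com A
2016-02-09T03:13:02Z 10.20.7.3 cdn.mozilla.net A
2016-02-09T03:13:09Z 10.20.7.3 mozillacdn.com. A
2016-02-09T03:14:51Z 10.20.9.8 igdata.network A
"""

# Constructed host inventory: file path -> hash as reported by the agent.
SAMPLE_FILE_HASHES = {
    r"C:\Users\hr\Downloads\vacancy.doc": "D41D8CD98F00B204E9800998ECF8427E",
    r"C:\Windows\Temp\svchost.exe": "F3499A9D9CE3DE5DC10DE3D7831D0938",
}


def scan_dns_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matched IOC) for each line hitting a Poseidon domain."""
    iocs = [refang(d) for d in POSEIDON_DOMAINS]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line; skip rather than crash the scan
        _ts, client, qname, _qtype = parts[:4]
        for ioc in iocs:
            if domain_matches(qname, ioc):
                hits.append((client, qname, ioc))
                break
    return hits


def scan_hashes(inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (path, hash) for every file whose hash is in the published list."""
    known = {h.lower() for h in POSEIDON_HASHES}
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in known]


if __name__ == "__main__":
    for client, qname, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"DNS hit: {client} queried {qname} (matches {ioc})")
    for path, h in scan_hashes(SAMPLE_FILE_HASHES):
        print(f"Hash hit: {path} hash={h}")
```

Run against the constructed data it reports two DNS hits (a subdomain of msupdatecdn.com and a query for mozillacdn.com with a trailing dot) and one hash hit, while the look-alike igdata.network and the unrelated hashes stay quiet. Since the listed domains are sinkholed, a hit in DNS logs points at a host that still carries an active infection trying to report in, which is exactly the case the FAQ describes.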

Cybercrooks are increasingly adopting tactics from more advanced hackers in order to steal millions of dollars from banks and other financial institutions.

The first of the two cybercrime groups, dubbed Metel, is mostly active in Russia. The group’s typical modus operandi involves gaining control over machines inside a bank that have access to money transactions – for example, the bank’s call centre or its support computers. Once the group has achieved this aim it can automate the rollback of ATM transactions. The rollback capability ensures that the balance on debit cards remains the same regardless of the number of ATM transactions made.

In the examples seen to date, the crooks steal money by driving around cities in Russia at night and emptying ATMs belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. As the attackers empty ATM after ATM – Metel was found inside 30 organisations – the balances on the stolen accounts used to pull off the scam remained unaltered, allowing further withdrawals.

“Our investigations revealed that the attackers drove around in cars in several cities in Russia, stealing money from ATMs belonging to different banks,” Kaspersky Lab said in a report. “With the automated rollback the money was instantly returned to the account, when the cash had already been dispensed from the ATM. The group worked exclusively at nights, emptying ATM cassettes at several locations.”

“The bank’s clients were withdrawing from ATMs belonging to other banks and were able to cash out huge sums of money while the balances remained untouched. It was a surprise for the victim bank to hear from other banks when they tried to recoup the money withdrawn from their ATMs.”

The ongoing scam has become the focus of a law enforcement investigation. Metel is the Russian word for blizzard.
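The Metel scheme works because the bank's own ledger is the thing being manipulated, so a balance check inside the bank sees nothing wrong. What does disagree is the record of cash that physically left ATMs, which other banks and the card network hold independently. Here is an added example (not Kaspersky Lab's or any bank's code) that reconciles the two: dispense events from the network side against the net debit posted on each card in the issuing bank's ledger. Both event lists are constructed sample data, and the threshold in `suspicious_cards` is an assumption.

```python
"""Reconcile ATM cash dispensed against ledger debits to expose automated
transaction rollbacks of the kind described for Metel.

Added example, not Kaspersky Lab's or any bank's code. The dispense and
ledger events are constructed sample data for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Dispense:
    """Cash physically dispensed by an ATM, as reported by the card network."""
    ts: datetime
    card: str
    atm_id: str
    amount: int  # minor currency units


@dataclass(frozen=True)
class LedgerEntry:
    """Balance change posted on the card's account in the issuing bank's core system."""
    ts: datetime
    card: str
    delta: int  # negative = debit, positive = credit (a rollback posts as +)


# Constructed events for one night. Card 4111 is emptied at three ATMs, but
# each debit is reversed a few seconds later in the compromised bank's ledger,
# so its balance never moves. Card 4222 is a normal withdrawal.
SAMPLE_DISPENSES = [
    Dispense(datetime(2016, 2, 8, 1, 5), "4111", "ATM-A", 30000),
    Dispense(datetime(2016, 2, 8, 1, 40), "4111", "ATM-B", 30000),
    Dispense(datetime(2016, 2, 8, 2, 15), "4111", "ATM-C", 30000),
    Dispense(datetime(2016, 2, 8, 12, 0), "4222", "ATM-A", 5000),
]
SAMPLE_LEDGER = [
    LedgerEntry(datetime(2016, 2, 8, 1, 5), "4111", -30000),
    LedgerEntry(datetime(2016, 2, 8, 1, 5, 4), "4111", 30000),   # rollback
    LedgerEntry(datetime(2016, 2, 8, 1, 40), "4111", -30000),
    LedgerEntry(datetime(2016, 2, 8, 1, 40, 3), "4111", 30000),  # rollback
    LedgerEntry(datetime(2016, 2, 8, 2, 15), "4111", -30000),
    LedgerEntry(datetime(2016, 2, 8, 2, 15, 5), "4111", 30000),  # rollback
    LedgerEntry(datetime(2016, 2, 8, 12, 0), "4222", -5000),
]


def reconcile(dispenses: Iterable[Dispense], ledger: Iterable[LedgerEntry]) -> Dict[str, dict]:
    """Per card: cash dispensed, net ledger debit, the unexplained gap, and context."""
    dispensed = defaultdict(int)
    atms = defaultdict(set)
    for d in dispenses:
        dispensed[d.card] += d.amount
        atms[d.card].add(d.atm_id)

    net_debit = defaultdict(int)   # how much the balance actually fell
    credits = defaultdict(int)     # count of credit postings (rollbacks look like these)
    for e in ledger:
        net_debit[e.card] -= e.delta
        if e.delta > 0:
            credits[e.card] += 1

    report = {}
    for card in set(dispensed) | set(net_debit):
        report[card] = {
            "dispensed": dispensed[card],
            "net_debit": net_debit[card],
            "gap": dispensed[card] - net_debit[card],
            "credits": credits[card],
            "atms": len(atms[card]),
        }
    return report


def suspicious_cards(dispenses: Iterable[Dispense], ledger: Iterable[LedgerEntry],
                     min_gap: int = 0) -> List[str]:
    """Cards where cash left ATMs but the balance did not fall by the same amount.

    min_gap is an assumed tolerance for timing skew between the two feeds."""
    return sorted(card for card, r in reconcile(dispenses, ledger).items() if r["gap"] > min_gap)


if __name__ == "__main__":
    for card, r in reconcile(SAMPLE_DISPENSES, SAMPLE_LEDGER).items():
        print(card, r)
    print("suspicious:", suspicious_cards(SAMPLE_DISPENSES, SAMPLE_LEDGER))
```

The design point is where the second feed comes from: because Metel sat on machines inside the bank, the comparison is only meaningful if the dispense side is taken from the card network or the acquiring banks' settlement records, not from a system the attackers could also edit. Running the check hourly rather than at end-of-day shortens the window in which the same cards can be cycled through more ATMs.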
Hackers in the gang burrow their way into financial organisations by either using cleverly crafted spear-phishing emails laced with malware, or by luring victims into visiting compromised sites hosting the Niteris exploit kit. Either way, malicious code is used to drop a backdoor onto compromised systems, making it relatively easy for hackers to either install secondary malware or pivot towards attacking juicier targets on infiltrated networks. The hackers typically go after domain controllers before gaining access to support computers, their primary target.

Super stealthy

A second group – dubbed GCMAN, because the malware is based on code compiled with the GCC compiler – has also taken to using advanced hacking techniques more commonly associated with nation-state-grade hackers. In some cases the group uses legitimate pen-testing tools, including VNC, PuTTY and Meterpreter, to pivot inside the compromised networks. The group gained a toehold on compromised networks via spear-phishing and a malicious RAR archive disguised as a Word document. Their ultimate target is typically access to computers used to transfer money to e-currency services.

The group has learned over time to move slowly and take great pains to avoid triggering alerts on detection systems inside the bank. Researchers at Kaspersky said that in one attack, the criminals had access to the network for 18 months before stealing any money. Once they did, they were transferring $200 payments per minute using the cron scheduler to execute malicious scripts and move money to a money-mule account. Those transaction orders were sent to an upstream payment gateway, Kaspersky Lab said, and were never logged by the victimised bank’s internal systems. This is perhaps because $200 is the upper limit for anonymous payments in Russia.

“The group used an MS SQL injection in commercial software running on one of the bank’s public web services, and about a year and a half later, they came back to cash out. During that time they poked 70 internal hosts, compromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers),” Kaspersky Lab explained. “We discovered that about two months before the incident, someone was trying different passwords for an admin account on a banking server. They were really persistent. They were doing it only on Saturdays, only three tries per week, all in an effort to stay under the radar.”

Carbanak is back

Details of two new criminal operations that have borrowed heavily from targeted nation-state attacks were unveiled by security researchers at Kaspersky Lab on Monday during its Security Analyst Summit in Tenerife, Spain. The Kaspersky Lab researchers also published fresh research into the Carbanak gang, a group that stole $1bn from more than 100 financial companies last year, according to some estimates. The Kaspersky Lab team reckoned the Carbanak crew had brought down the shutters on their operation after they were outed a year ago. But last September, researchers at CSIS in Denmark spotted new Carbanak samples. Four months later, Kaspersky Lab found further Carbanak samples inside a telecommunications company and a financial organisation, providing secondary confirmation that the gang was back in business. In the months of its hiatus the group has moved beyond banks and is now targeting budgeting and accounting departments of a much wider range of organisations. “Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks,” said Sergey Golovanov, principal security researcher at the Global Research and Analysis Team, Kaspersky Lab.
“The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly.”

Kaspersky Lab has released Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks. More details on these various scams can be found in a blog post by Kaspersky Lab’s Threatpost news service here. ®
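The GCMAN detail above, three password tries per week and only on Saturdays, is the pattern that lockout policies and per-hour rate rules are built to miss: no single hour ever looks abnormal. What does stand out is persistence, a small number of failures against the same account recurring week after week. Here is an added example (not Kaspersky Lab's code) that aggregates failed logins per account by ISO week over constructed sample log lines and reports accounts that fail a little every week for at least four weeks without ever exceeding five failures in any one week. The log format, field names and both thresholds are assumptions for the demonstration.

```python
"""Detect low-and-slow password guessing of the kind described for GCMAN above:
a few failed logins per week against one account, repeated for months.

Added example, not Kaspersky Lab's code. The log lines are constructed sample
data; the log format and the thresholds are assumptions.
"""
import calendar
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed auth-log format: "<ISO-8601 timestamp> auth: <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) auth: (FAIL|OK) user=(\S+) src=(\S+)$")

# Constructed sample: 'admin' sees three failures every Saturday night for four
# weeks from two sources; 'jdoe' mistypes a password once on a Monday and then
# logs in. Dates in December 2015 fall in ISO weeks 49 to 52.
SAMPLE_AUTH_LOG = """\
2015-12-05T03:10:12Z auth: FAIL user=admin src=198.51.100.7
2015-12-05T03:11:48Z auth: FAIL user=admin src=198.51.100.7
2015-12-05T03:13:05Z auth: FAIL user=admin src=198.51.100.7
2015-12-07T09:01:00Z auth: FAIL user=jdoe src=10.0.0.25
2015-12-07T09:01:20Z auth: OK user=jdoe src=10.0.0.25
2015-12-12T02:58:31Z auth: FAIL user=admin src=203.0.113.42
2015-12-12T03:00:02Z auth: FAIL user=admin src=203.0.113.42
2015-12-12T03:01:40Z auth: FAIL user=admin src=203.0.113.42
2015-12-19T03:05:09Z auth: FAIL user=admin src=198.51.100.7
2015-12-19T03:06:33Z auth: FAIL user=admin src=198.51.100.7
2015-12-19T03:08:00Z auth: FAIL user=admin src=198.51.100.7
2015-12-26T03:02:17Z auth: FAIL user=admin src=203.0.113.42
2015-12-26T03:03:55Z auth: FAIL user=admin src=203.0.113.42
2015-12-26T03:05:21Z auth: FAIL user=admin src=203.0.113.42
"""


def parse_auth_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse lines into (timestamp, result, user, source); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def low_and_slow(text: str, min_weeks: int = 4, max_per_week: int = 5) -> Dict[str, dict]:
    """Accounts whose failures recur across at least min_weeks ISO weeks while
    never exceeding max_per_week in any single week. Loud brute force (more than
    max_per_week) is deliberately excluded here; a rate rule already covers it.
    Returns per-account context an analyst would want when triaging."""
    per_week = defaultdict(lambda: defaultdict(int))
    weekdays = defaultdict(set)
    sources = defaultdict(set)
    for ts, result, user, src in parse_auth_log(text):
        if result != "FAIL":
            continue
        year, week, _ = ts.isocalendar()
        per_week[user][(year, week)] += 1
        weekdays[user].add(ts.weekday())
        sources[user].add(src)

    findings = {}
    for user, weeks in per_week.items():
        if len(weeks) < min_weeks or max(weeks.values()) > max_per_week:
            continue
        findings[user] = {
            "weeks": len(weeks),
            "failures": sum(weeks.values()),
            "weekdays": [calendar.day_name[d] for d in sorted(weekdays[user])],
            "sources": sorted(sources[user]),
        }
    return findings


if __name__ == "__main__":
    for user, info in low_and_slow(SAMPLE_AUTH_LOG).items():
        print(user, info)
```

Keying on the account rather than the source address matters: the sample rotates between two sources, as an attacker using Tor and compromised home routers would, so per-source counters would each stay small. The weekday list is reported as context rather than used as a condition, since a regular schedule is a useful tell for the analyst but not something a detector should require.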