
The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018

Banking Trojans and the gangs that operate them continue to plague banks, individuals and organizations with fraudulent transactions facilitated by malware and social engineering schemes. At last check, cybercrime cost the global economy more than $600 billion in 2017, and forecasts for 2018 predicted $1.5 trillion in losses.

No matter how you turn these numbers, they are a burden that keeps growing and encouraging a rife, complex industry of online crime.

Going Behind the Numbers of the ‘IBM X-Force Threat Intelligence Index’

Every year, increasingly organized cybercrime gangs shuffle their tactics, techniques and procedures (TTPs) to evade security controls on the micro level and law enforcement on the macro level. Behind each malware named on the top 10 chart below, the code is distributed and operated differently and focuses on different parts of the globe. The chart is populated by organized cybercrime gangs that have ties to yet other cybercrime gangs, each doing its part to feed the perpetual supply chain of a digital financial crime economy.

In cybercrime, it can be said that the more things change, the more things stay the same. In 2018, however, I must admit I was finally surprised when two malware gangs that did not appear connected at first began openly collaborating. It thus became clearer than ever that the banking Trojan arena is dominated by groups from the same part of the world, by people who know each other and collaborate to orchestrate high-volume wire fraud.

To learn more about the malware that shaped 2018, let’s begin by looking at the top constituents of the gang-owned Trojan chart and drill down on information gathered by IBM Security for the top three.


Figure 1: Top 10 chart of the most active banking Trojan families in 2018 (source: IBM X-Force)

1. TrickBot

TrickBot, a banking Trojan operated by a Russia-based threat group, was one of the most aggressive Trojans of 2018. It targets banks across the globe with URL-heavy configurations that often list a large number of targeted bank brands.

TrickBot’s operators focus on business banking and high-value accounts that are held with private banking and wealth management firms, but they also diversified in 2018 to include various e-commerce and cryptocurrency exchange platforms on their target lists.

According to IBM X-Force data that was gathered since TrickBot’s rise, no other financial Trojan is as consistently active in terms of infection campaigns and deployment of redirection attacks, indicating that its operators have ample resources and connections to develop and operate the malware in different parts of the world. Despite this overall capability, X-Force saw TrickBot sharpening its focus in 2018 and targeting a handful of countries in each campaign, keeping major economies such as the U.K. and the U.S. on almost every target list.

Intergang Collaboration With IcedID

Some of the trends in TrickBot’s activity in 2018 included collaboration with another banking Trojan, IcedID, which IBM X-Force discovered in September 2017, as well as operating the Ryuk ransomware, a subset of TrickBot’s botnet monetization strategy. These highlight a larger trend of intergang collaboration among Trojan operators striving to generate larger profits in spite of growing security control sophistication.

At first, TrickBot and IcedID appeared unrelated. But about eight months into IcedID’s existence, signs of a link between the two became apparent. In May 2018, X-Force researchers observed TrickBot dropping IcedID, whereas it had previously been dropped primarily by the Emotet Trojan, the same distributor that also drops TrickBot in different campaigns.

By August 2018, our researchers noted that IcedID had been upgraded to behave in a similar way to the TrickBot Trojan in terms of its deployment. The binary file was modified to become smaller and no longer featured embedded modules. The malware’s plugins were being fetched and loaded on demand after the Trojan was installed on infected devices. These changes made IcedID stealthier, modular and more similar to TrickBot.

In addition to its increased stealth level, IcedID also started encrypting its binary file content by obfuscating file names associated with its deployment on the endpoint. Also similar to TrickBot are IcedID’s event objects, which coordinate multiple threads of execution on Windows-based operating systems. IcedID began using named events to synchronize execution between its core binary and the plugins selected for loading. When a plugin was called upon, it was fetched by its ID number from the attacker’s server and, when loaded, assigned a unique ID.

Although malware authors do sometimes copy from one another, our research indicates these modifications were not coincidental. Even if we only looked at the fact that TrickBot and IcedID drop one another onto infected devices, that would be indication enough that these Trojans are operated by teams that work together.

Longtime Partners?

Ties between TrickBot and IcedID may have started years ago in a collaboration designed to help both groups maximize their illicit operations and profits. During the six-year activity phase of the Neverquest (aka Catch or Vawtrak) Trojan, it collaborated with the Dyre group to deliver Dyre malware to devices already infected with Neverquest.

The original Dyre group partly disbanded in late 2015, followed by the rise of TrickBot, which is believed to be the successor to Dyre. Neverquest halted operations following the arrest of one of its key members in 2016, after which the IcedID Trojan appeared. With the two featuring advanced capabilities and evident cybercrime connections with other gangs, their current-day collaboration likely started years ago.

The TrickBot-Ryuk Connection

Another TrickBot trend that started in 2018 is a connection with ransomware. Reminiscent of the Dridex Trojan’s links to the Locky and then BitPaymer ransomware, TrickBot began dropping ransomware called Ryuk. Unlike wide-cast nets that spread ransomware to as many email recipients as possible, Ryuk, like BitPaymer, is spread in targeted campaigns where attackers go through the typical advanced persistent threat (APT) kill chain and manually breach the network.

Ryuk attackers often go through reconnaissance stages, looking for valuable data to hijack. The goal: Infect established organizations with Ryuk and then demand large sums in ransom payments that average hundreds of thousands of dollars each.


Figure 2: Ryuk campaigns — a four-step routine to drop three different Trojans to target devices (source: IBM X-Force)

Upon investigating Ryuk’s code, it quickly became apparent that this ransomware was not entirely new. Ryuk closely resembles the Hermes ransomware that was linked with malicious activity by a nation-state-sponsored group called Lazarus (aka Hidden Cobra).

Is Ryuk connected to Hermes? That’s one possibility. It could also be that some Lazarus members collaborate with banking Trojan operators through cross-border partnerships to steal and launder large amounts of cybercrime money via Eastern Europe and Asia, or that someone with access to the Hermes code reused it to create Ryuk.

Whatever the source of Ryuk, it shows that TrickBot’s operators are diversifying their nefarious activity, continuing to focus heavily on the business sector and launching targeted attacks that press organizations to pay.


Figure 3: Collaboration between major malware gangs (source: IBM X-Force)

TrickBot TTPs and Evolution

In terms of its TTPs, TrickBot’s operators focus their efforts on businesses and, therefore, opt for distribution through booby-trapped productivity files and fake bank websites. After infection, TrickBot modules allow it to spread laterally in compromised networks and infect additional users.

TrickBot continues to use both server-side injections deployed on the fly from its attack server and redirection attacks hosted on its servers to hijack users and present them with a fake replica of their bank’s website.

In 2018, TrickBot’s developers added three new functions to the malware, facilitating the theft of Remote Desktop Protocol (RDP) credentials, Virtual Network Computing (VNC) credentials and PuTTY open-source terminal emulator credentials. It steals Windows system reliability and performance data and features a new mechanism for storing its configuration and elliptic curve cryptography (ECC) public keys.

The TrickBot botnet is supported by what’s considered a mature infrastructure, where some campaigns featured 2,458 unique command-and-control (C&C) IP addresses used in 493 main configuration releases across 276 versions — all in one week.

X-Force expects to see TrickBot maintain its position on the global malware chart unless it is interrupted by law enforcement in 2019.

2. Gozi

Gozi (aka Ursnif) has been highly active in the wild for more than a decade now, a rare occurrence in the cybercrime arena. The malware was first discovered in 2007, when it was operated by a closed group of developers and cybercriminals. At the time, it was used to target online banking users mostly in English-speaking countries.

Throughout the years, Gozi has gone through almost every phase a banking Trojan can go through. Its code was leaked in 2010, giving rise to other Trojans, such as Neverquest, that also dominated the cybercrime charts for years after. It was used in the Gozi-Prinimalka ordeal in 2012 and, in 2013, was fitted with a master boot record (MBR) rootkit to create high persistence through a computer’s MBR.

In 2016, X-Force reported on the rise of the GozNym hybrid, a two-headed beast spawned from the Nymaim malware and embedded with the Gozi financial fraud module. Starting in 2017, X-Force researchers reported that a new variation of Gozi was being tested in Australia: Gozi v3. The malware was based on the same code as the original Gozi ISFB but featured some modifications on the code injection level and in its attack tactics.

In 2018, Gozi v2 was the second-most active Trojan in the wild, working across the globe, including in Japan. v2 is operated separately from v3, which continues to target banks in the Australia-New Zealand region. The malware is operated in a cybercrime-as-a-service model that allows different cybercriminals to use the botnet to conduct fraud.

To reach new victims, Gozi is distributed in document and spreadsheet attachments that prompt the user to enable macros. In recent campaigns, when the user complies, the macro runs the WMI Provider Host process (wmiprvse) to execute a malicious PowerShell script. The script is designed to fetch the payload and uses string concatenation to evade detection.

Recently, in the case of attack schemes against banks in Europe, Gozi delivered custom-tailored client-side code for each targeted bank brand users accessed, likening its tactics to redirection attacks in which each brand is targeted in a specific way.

Gozi’s distributors use malicious websites to host their resources but check the target device’s Geo IP to reduce the potential of exposure. If either Russian or Chinese keyboard settings are detected during its installation, the deployment ends.

This malware has been part of the top-most constituents of the global malware chart for the past five years, and X-Force expects to see this longtime staple of the organized cybercrime arena maintain its position on the chart in 2019.

3. Ramnit

Ramnit is a prolific banking Trojan that has been active in the wild since 2010. Ramnit started out as a self-replicating worm, leveraging removable drives and network shares to spread to new endpoints. As the project evolved, Ramnit morphed into a modular banking Trojan and started spreading via popular exploit kits such as Angler and RIG.

Although it was one of the most prominent Trojans between 2011 and 2014, Ramnit was targeted by law enforcement in 2015. While it was one of the only botnets to ever survive a coordinated disruption, its operators have not returned to the same level of activity since. In recent years, Ramnit has been an on-again-off-again operation, seeing long lulls in its cybercrime activity and narrowing its attack turf over time to focus mostly on the U.K., Canada and Japan.

2018: Reemergence and Intergang Collaboration

In 2018, the Ramnit Trojan returned to the cybercrime arena with revamped code and a new partner, a proxy malware known as Ngioweb. Ramnit’s developer modified its financial module to enhance its capabilities and changed the internal module’s name from “Demetra” to “Camellia.”

Ramnit’s 2018 comeback resulted in a reported infection of more than 100,000 devices within the span of two months, as part of an operation code-named “Black.” In this campaign, Ramnit went back to its worm roots and was used as a first-stage infection in a kill chain designed to amass a large proxy botnet for Ngioweb.

How good was this new partnership for Ramnit? We can only assume that it was used to create a massive proxy botnet that would resemble the Gameover Zeus botnet in its architecture. The Black campaign was short-lived, and by the end of 2018, Ramnit was linked with Emotet, Dridex and BitPaymer for using the same dropper as those Trojans and being used itself as a dropper for Dridex.


Configuration and code comments show that Ramnit is probably being developed by new team members. Its web-injection configurations were modified to use the Lua programming language and, in many cases, came bugged or unsophisticated. This was not the case for this malware in past years.

For its deployment routine, Ramnit began leveraging code that relies on PowerShell scripts in what’s known as reflective PE injection. Its modules are not pulled from a remote server but come packed with the core malware, and its reliance on a domain generation algorithm (DGA) has been modified to include hardcoded domains.

Will we continue to see Ramnit in 2019? X-Force researchers expect to see the same activity pattern for this malware with its come-and-go nature in Japan and Europe. Ramnit will likely drop from its current rank on the global Trojan chart and be overtaken by IcedID and newcomers like BackSwap and DanaBot.

Threat Landscape Staples

Banking Trojans have been a burdensome part of the cybercrime threat landscape for more than a decade now. The past five years have shown us that this breed of attackers is only becoming more sophisticated over time, combining technical knowledge with advanced social engineering to focus schemes on victims that can yield the biggest profits: businesses, cryptocurrency and high-value individuals.

While previous years saw gangs operate as adversaries, occupy different turfs and even attack each other’s malware, our research from 2018 connected the major cybercrime gangs together in explicit collaboration. This trend is a negative sign that highlights how botnet operators join forces, revealing the resilience factor in these nefarious operations.

While it can be hard to detect this type of evolving malware, it’s possible to stop banking Trojans before they make it into your device or your organization. Proper security controls and user education, as well as planned incident response, can help keep this threat at bay and contain its detrimental effects if ever an account is taken over and robbed by highly experienced criminals.

To learn more about the top security threats of 2018 and what 2019 may have in store, download the “IBM X-Force Threat Intelligence Index.” Check out page 30 in the report for our expert team’s tips on mitigating threats and increasing preparedness for a possible breach.


The post The Business of Organized Cybercrime: Rising Intergang Collaboration in 2018 appeared first on Security Intelligence.

Author: Limor Kessem


FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data

Terms like “privacy,” “personally identifiable information (PII)” or “educational technology (EdTech)” often sound abstract and far from the responsibility of the average person, meant primarily for security and IT professionals. But when schools are forced to close after parents and kids receive ominous, personalized messages, as they did recently in an Iowa school district, according to the Des Moines Register, internet security becomes very real for the whole community.

Late last year, a cybercriminal group known as Dark Overlord — infamous for attempting to extort Netflix — stole data from school districts around the country, according to The Washington Post. Then, as part of ongoing extortion attempts, it used the pilfered information to threaten parents and students around the country. Districts in Montana, Texas and Alabama also closed schools after attackers texted threats to parents, according to CSO Online.

The Department of Education issued a warning and that round of attacks subsided, but others continue. Earlier this year, a Massachusetts school district paid cybercriminals $10,000 in bitcoin to regain control of its data after a ransomware attack, according to ABC News.

Inform the Public

Incidents like these have federal authorities increasingly worried about security at school districts around the country, even as schools increasingly rely on technology for everything from tracking performance to attendance.

The Federal Bureau of Investigation (FBI) recently issued a sharply worded public service announcement aimed at schools and parents titled “Data Collection and Unsecured Systems Could Pose Risks to Students.”

Software used in schools collects a lot of very sensitive information, the FBI warned, including “[PII]; biometric data; academic progress; behavioral, disciplinary and medical information; web browsing history; students’ geolocation; IP addresses used by students; and classroom activities.” That data is a potential treasure trove for a group like Dark Overlord.

“Malicious use of this sensitive data could result in social engineering, bullying, tracking, identity theft, or other means for targeting children,” the FBI said.


Expand District Resources

It is unclear whether the FBI’s warning came in response to a specific threat — as the Department of Education’s warning did — or was just a renewed call to action. Either way, the challenges are steep.

While increased use of EdTech products creates an ever-expanding set of targets for threat actors, many districts are facing tighter budgets, unable to buy the latest security technology that corporations employ, warned the Future of Privacy Forum, an industry group.

“Schools rarely have the resources to establish dedicated security staff, leaving technologists with a full plate — combating malicious access attempts while also handling humdrum IT issues and attempting to comply with new state student privacy laws; more than 120 laws were passed in 40 states since 2013,” it said.

How to Manage the Full EdTech Attack Surface

In the Iowa case, authorities say student and family data was stolen from a third-party supplier. Vendor management is a headache for all manner of organizations. The proliferation of outside organizations with access to students’ most personal information creates a vast attack surface for threat actors, warned privacy law expert Bradley Shear, CEO of school security consultancy Digital Armour LLC.

“Our public schools are fast becoming targets of cybercriminals. These types of incidents are increasing and costing taxpayers tens of thousands of dollars per incident,” Shear said. “It’s not just school districts we have to protect from cybercriminals, but also their vendors.”

In its PSA, the FBI also called attention to internet of things (IoT) devices.

“EdTech connected to networked devices or directly to the [internet] could increase opportunities for cyber actors to access devices collecting data and monitoring children within educational or home environments,” it said. It also pointed to the risk of take-home devices, like tablets, or monitoring devices that allow remote access.

How to Give Power to the Parents

The FBI alert called on parents to become more aware of potential risks, and urged families to keep in contact with school districts about various EdTech programs they use. It also recommended participation in parent coalitions, and suggested regular internet searches to identify children’s exposure and spread of their information on the internet.

The Future of Privacy Forum also offers a number of tools to parents on FERPA|Sherpa, named for the federal law that governs data collection and sharing at schools, the Family Educational Rights and Privacy Act (FERPA). The organization recommends parents regularly ask districts how they handle directory information, what the rules are for recording devices, how they secure children’s information and a set of other queries in their document, “Parents: Raise Your Hand and Ask Schools How They Protect Student Data.”

How School Districts Are Improving Data Privacy

School districts are beginning to tackle the problem by sharing resources and strategies with one another. Nearly 500 districts in more than a dozen states participate in the Student Data Privacy Consortium (SDPC), and they’ve implemented a model contract that vendors must use to ease vendor management, available on the SDPC website.

The SDPC says it leverages privacy-related projects by member districts “to have their good work utilized and no reinvention of existing work.” The Department of Education also offers a “Student Privacy 101” resource for various stakeholders, from K-12 administrators to vendors.

But for Shear, improving cybersecurity at schools needs to begin with an attitude about collection minimization. The less data schools and vendors collect and store, the smaller the opportunity for threat actors. Most critically, vendors and schools should delete information as soon as it is no longer necessary.

“Technology vendors have a huge bull’s-eye on them because of their insatiable appetite for personal information,” he said. “Recent data breaches … demonstrate why it’s necessary to have strict sunset provisions inherent in the data collection process.”

School districts must perform a balancing act when deleting data, however, as there are various data retention requirements to take into account. There are also juggling acts to perform when setting strict requirements around data to keep out threat actors while enabling access for educators and parents when necessary. Take allergy requirements: If a substitute teacher has trouble accessing his or her students’ health records because of a tricky login process, a dangerous situation could develop.

Parents, teachers, administrators and security experts need to engage in an ongoing dialogue about what schools must do to keep kids safe while ensuring they have access to the tools they need.

The post FBI Warns EdTech Needs Stronger Defenses for Students’ Personal Data appeared first on Security Intelligence.

Author: Bob Sullivan


The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence

Given that the most serious threats in cyberspace are other state actors and their proxies, traditional thinking is focused on deterrence. Yet there are significant challenges for cyber deterrence.

The concept of deterrence was originally developed during the rise of nuclear technology. It relies on each opponent having a second-strike capability, and on complete certainty about who the opponent is, that it can survive a first strike and that it can strike back. This is known as mutually assured destruction (MAD).

Deterrence strategies have worked well throughout history to deter nuclear proliferation because only nation-states have access to the resources and technologies to get in the game. Of those actors, a basic self-interest in survival underpins the effectiveness of MAD.

There are many methods available for monitoring the mining and use of nuclear materials and technologies, and we have a fairly accurate inventory. In the cyber theater, however, the cyber attribution dilemma essentially nullifies the traditional model of deterrence as previously applied to military strategies in conventional warfare. As mentioned, MAD depends on knowing who your opponent is and understanding their capabilities for a second strike. In the cyber theater, both of these requirements are virtually impossible to fulfill.

What Are the Top Challenges to Cyber Deterrence?

Because of the inherent architecture of the internet and threat actors’ ability to obfuscate the source of an attack, it is nearly impossible to attribute attacks with a high degree of certainty. This results in a cyber attribution dilemma whereby the need to impose the costs necessary for cyber deterrence is juxtaposed with the potential costs of misattribution.

1. Misattribution

Many are concerned about the dangers of misattribution in cyber warfare and the potential escalations it could cause. The current deterrence paradigm of mutually assured disruption — the equivalent of MAD in the cyber arena — has a high risk of escalating into a tit-for-tat exchange as a result of a false accusation.

2. False Flags

Adversaries have historically used false flag operations to make an operation appear as though it was perpetrated by someone else. Because of the cyber attribution dilemma, false flags are much easier to execute in cyberspace, where the challenge of attribution already exists. False flags in cyberspace exploit this existing uncertainty and further compound doubt by casting suspicion on other actors.

3. Plausible Deniability

The attribution dilemma also gives threat actors the benefit of plausible deniability, further reducing the risks and costs associated with cyber actions. If you can’t be certain who is responsible, once again, you can’t impose costs without risking imposing the costs on the wrong actor.

In the Absence of Attribution, Resilience Is Critical

The stakes are high in cyberspace and growing daily. Deterrence rests on enterprises’ ability to impose costs or deny gains. Without the ability to impose costs while avoiding misattribution and escalation, denying gains and surviving cyberattacks through resilience becomes all the more critical.

Advanced attacks executed by sophisticated actors who know how to stay under the radar often cause the most damage. Adopting threat hunting in your security operations center (SOC) can help reduce dwell time as well as the cost and impact of attacks.


The post The Cyber Attribution Dilemma: 3 Barriers to Cyber Deterrence appeared first on Security Intelligence.

Author: Jan Dyment


Targeted SamSam Ransomware Attacks Continue to Breach and Lock Down the Networks of 67 Different Organizations


The cybercriminal group behind the SamSam ransomware continues to target the networks of organizations located in different countries in order to encrypt their sensitive data. SamSam was one of the most active ransomware families of 2018, breaking into the networks of 67 different organizations across the world, especially in the U.S. Mainly targeting […]

The post Targeted SamSam Ransomware Attacks Continue to Breach and Lock Down the Networks of 67 Different Organizations appeared first on GBHackers On Security.


X-Force IRIS Identifies FIN6 Activity on POS Networks

IBM X-Force Incident Response and Intelligence Services (IRIS) identified malicious actors using the FrameworkPOS and GratefulPOS malware to harvest massive amounts of payment card data from point-of-sale (POS) systems in 2017 and 2018. Based on the alignment of tactics, techniques and procedures (TTPs) with those previously identified in similar attacks, X-Force IRIS assessed that the cybergang known as FIN6, which was first identified in April 2016, is behind the attack. This is only the second time that FIN6 activity has been publicly documented and attributed to the group since FireEye’s initial discovery in 2016.

Our team also identified several additional TTPs that will help organizations identify and respond to FIN6 attacks. Let’s take a closer look at FIN6’s history, tactics and indicators of compromise (IoCs) and outline actionable intelligence to assist in strengthening defenses against this threat actor.

Who Is FIN6?

FIN6 is an organized gang of cybercriminals that specializes in stealing payment card data from organizations in the retail and hospitality sectors. The group has stolen data on millions of payment cards, which it then monetized by selling the information on the dark web. While it is unclear how much money FIN6 has made in this manner, we estimate the group’s profit to be in the millions of dollars from 2015 to 2018.

FIN6 targets organizations that process a significant number of POS transactions, such as retail outlets and hotels. It typically uses commercial POS malware to harvest payment card data. According to data on the group’s activity, it focuses on retailers in the U.S. and Europe.

Attribution: Why FIN6?

According to X-Force IRIS research, the recent activity we observed on POS machines is attributable to FIN6, based on an alignment of over 90 percent of the TTPs our team observed with TTPs previously attributed to FIN6 activity.

In addition to commonalities with past TTPs, we observed FIN6 employing additional tactics, such as leveraging IT management software to deploy malware and using Windows Management Instrumentation Command (WMIC) to automate the remote execution of PowerShell commands and scripts.

While many of the TTPs associated with this threat group are publicly available and widely used, either individually or in small groupings, the strong correlation between observed activity and alignment of specific behavior patterns led us to make the attribution.

New TTPs Observed in This Investigation

Our investigation identified TTPs that were not previously attributed to FIN6. Of these, we consider the following to be among the most noteworthy:

  • Deploying the FrameworkPOS malware via an enterprise software deployment application.
  • Using WMIC to automate the remote execution of PowerShell commands and scripts.
  • Metasploit-like behavior:
    • Randomly generating service names in Windows event logs associated with service installations and service starts or stops (7035, 7036, 7045, etc.).
    • Dynamically generating file names for binaries on disk (usually a backdoor installed as a service).
    • Dynamically generating hostnames in event logs.
  • Injecting malicious Meterpreter code into legitimate Windows processes.
  • Obfuscating PowerShell commands with base64 encoding and gzip compression (often base64-encoded, gzip compressed, base64-encoded PowerShell script).
  • Exclusion of specific processes for FrameworkPOS targeting.
  • Using the filename memsniff_dll.dll for FrameworkPOS.
  • Using a winhlp.dat file as a cover file name for a malicious PowerShell script designed to inject FrameworkPOS into “lsass.exe.”
  • Using specific PowerShell parameters to attempt to avoid detection and bypass antivirus application whitelisting.
  • Using “1.txt”, “services.txt” and “.csv” files as reconnaissance output names.

While some of these TTPs may be side effects of tools FIN6 actors were using or specific to the environment in which the actors were operating, we believe many represent new TTPs that could become characteristic of evolved FIN6 standard operating procedures.

Of the TTPs that aligned with previously identified FIN6 activity, the most notable include:

  • Widely deploying FrameworkPOS on compromised POS systems;
  • Collecting compromised data in numbered “.dll” files;
  • Extensive use of Metasploit and PowerShell to move laterally and deploy malware;
  • Frequent use of Windows Scheduled Tasks to maintain persistence;
  • Heavy SQL database reconnaissance and data theft;
  • Using Secure Shell (SSH) tunnels for SQL database exfiltration;
  • Compromising the Active Directory Database (ntds.dit), allowing for credential harvesting and password cracking offline; and
  • Using a specific Metasploit-like downloader that generates a random 15-character filename. It is possible this is the SHIPBREAD or HARDTACK downloader previously attributed to FIN6’s use.

FIN6 Returns to the POS Attack Arena

In the recent activity investigated by X-Force IRIS, the FIN6 gang demonstrated its ability to gain systemic footholds in targeted networks, advance laterally and eventually achieve its objective of exfiltrating valuable data from the victim organization’s infrastructure.

FIN6’s Easy Does It: Unsophisticated Yet Effective

FIN6 uses a variety of publicly available tools for reconnaissance and lateral movement. For example, it deploys the FrameworkPOS malware to harvest payment card data from the memory of POS endpoints.

Most of FIN6’s tools are either simplistic or publicly available, and the group’s encoding mechanisms are relatively easy to decipher. The malware used to steal the card data is available commercially on dark web markets. While it might seem that the group is not highly sophisticated, this is not the case.

FIN6’s skill lies in its ability to bypass security controls and employ stealthy techniques, which allows the group to steal large amounts of data and sell at least some of it for a profit in dark web markets.

X-Force IRIS’s investigation into the destination of the stolen cards harvested by FIN6 found that the group most likely used the dark web forum Joker’s Stash to advertise and collect payments for batches of credit card data. Various reports on the value of payment card data on the dark web estimate the price of a newly stolen card at about $20 per card.

Breach and Internal Reconnaissance

Available evidence did not conclusively confirm how FIN6 gained the initial access to systems it compromised, although previous publications on its techniques noted that the group appears to use legitimate login credentials. The use of these credentials — either stolen or bought — is a plausible scenario in this case.

Once within an environment, FIN6 uses several reconnaissance techniques to locate the data it wishes to exfiltrate. In particular, X-Force IRIS observed the group running WMIC queries, which were then used to automate the remote execution of PowerShell commands and scripts, among other functions designed to run queries, search databases, access directories and connect to systems of interest.

We observed the attackers extensively targeting internal SQL databases during the attack. They then dumped the databases’ contents to output files, often named “1.txt” and “services.txt” for reconnaissance on the processes and services running on the system, as well as various .csv files for database tables.

In addition, the attackers compromised the majority of domain controllers in the environments they accessed and probably collected the Active Directory Database (ntds.dit), which would provide access to password hashes that they could then crack offline or attempt pass-the-hash attacks to expand their access and privilege levels.

Lateral Movement

To move laterally inside the breached networks, the attackers made extensive use of PowerShell and Metasploit throughout their operation.

To avoid detection and bypass antivirus application whitelisting, the attackers used PowerShell scripts with parameters such as:

Figure: PowerShell script showing the parameters used

The “-w hidden” and “-noni” parameters prevent PowerShell windows from popping up on victim systems or accepting any interaction, while “-ep bypass” allows PowerShell scripts to run even on systems that limit PowerShell use.

In addition, FIN6 used PowerShell to create backdoors by leaving a running PowerShell process on a system with a base64-encoded payload. The attackers then used SSH and Remote Desktop Protocol (RDP) for access and lateral movement.

The Metasploit framework was another favorite tool in the FIN6 arsenal, probably selected for several purposes, including creating backdoors that downloaded or listened on a particular port for shellcode to execute.

X-Force IRIS observed FIN6 using Metasploit to inject the Meterpreter payload into legitimate Windows processes, including “services.exe” and “WinLogon.exe.” We also observed several examples of the actors using Metasploit modules for lateral movement within the environment.

POS Malware Deployment

Once the attackers identified POS systems in the target environment, they deployed the FrameworkPOS malware as well as its variant, GratefulPOS, on those systems. In some cases, the actors employed an enterprise software deployment application to place the malware on a system.

The attackers deployed the FrameworkPOS malware with its original filename, “memsniff_dll.dll.” Our forensic experts observed the actors using the name “winhlp.dat” for a PowerShell script that injected FrameworkPOS into the “lsass.exe” process, using a component of the PowerSploit framework.

The contents of the file “winhlp.dat” shown in the figure below revealed that the attackers were running a base64-encoded instruction set within PowerShell to inject the FrameworkPOS malware into the lsass.exe process via Invoke-RPEInj.


Figure 1: Contents of winhlp.dat file

To evade detection by antivirus solutions, which may only look for malware on the disk, the instructions were converted into a memory stream, compressed, injected and then eventually executed in the “lsass.exe” memory space. It is also worth noting that Invoke-RPEInj, or Invoke-ReflectivePEInjection, is a PowerSploit module that injects an executable into a PowerShell or remote process.
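As an added example (not code from the X-Force IRIS investigation), the following Python routine peels the layering just described (base64, gzip, base64 behind an encoded-command argument) from a logged process command line and flags the “-w hidden”, “-noni” and “-ep bypass” switches discussed under Lateral Movement. The sample command line, the build_sample_cmdline helper and the two-flag alerting threshold are constructed assumptions for this illustration; nothing recovered is executed.

```python
"""Recover the script behind a layered PowerShell command line and flag evasion switches.

Input is assumed to be the command-line field of a process-creation log record.
The sample below is constructed for this example: it wraps a harmless Write-Output
script in the three layers the text describes (base64 -> gzip -> base64) behind
an -enc argument (UTF-16LE base64). Nothing decoded here is ever run.
"""
import base64
import gzip
import re
import zlib

# Evasion-oriented switches named in the text, with their long-form spellings.
FLAG_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "non_interactive": re.compile(r"-noni(?:nteractive)?\b", re.I),
    "ep_bypass": re.compile(r"-e(?:p|xecutionpolicy)\s+bypass\b", re.I),
}
# -e / -ec / -enc / -encodedcommand followed by the payload blob.
ENCODED_CMD = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
FROM_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]\s*\)", re.I)
BARE_B64 = re.compile(r"^\s*([A-Za-z0-9+/=]{16,})\s*$")
GZIP_MAGIC = b"\x1f\x8b"


def to_text(data: bytes) -> str:
    """-enc payloads are UTF-16LE (NUL every other byte); anything else is read as UTF-8."""
    if b"\x00" in data[:64]:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def unwrap(data: bytes, max_layers: int = 8):
    """Strip nested base64/gzip layers until plain script text remains.
    Returns (script_text, layer_names); stops cleanly on malformed data."""
    layers = []
    for _ in range(max_layers):
        try:
            if data[:2] == GZIP_MAGIC:
                data = gzip.decompress(data)
                layers.append("gzip")
                continue
            text = to_text(data)
            match = FROM_B64.search(text) or BARE_B64.match(text)
            if match is None:
                return text, layers
            data = base64.b64decode(match.group(1), validate=True)
            layers.append("base64")
        except (OSError, EOFError, ValueError, zlib.error):
            break
    return to_text(data), layers


def analyze(cmdline: str) -> dict:
    """Flag the evasion switches and recover the innermost script from a command line."""
    flags = [name for name, pat in FLAG_PATTERNS.items() if pat.search(cmdline)]
    layers = []
    enc = ENCODED_CMD.search(cmdline)
    if enc:
        flags.append("encoded_command")
        payload = base64.b64decode(enc.group(1))  # UTF-16LE bytes of the wrapper script
        layers.append("encoded_command")
    else:
        payload = cmdline.encode("utf-8")
    script, inner = unwrap(payload)
    layers.extend(inner)
    return {
        "flags": flags,
        "layers": layers,
        "script": script.strip(),
        # Assumed alerting rule: two or more of these switches together is worth a look.
        "suspicious": len(flags) >= 2,
    }


def build_sample_cmdline(inner_script: str) -> str:
    """Constructed test input only: apply the layering the text describes to a benign script."""
    stage_b64 = base64.b64encode(inner_script.encode("utf-8")).decode()   # base64
    stage_gz = gzip.compress(stage_b64.encode("ascii"))                   # gzip
    outer_b64 = base64.b64encode(stage_gz).decode()                       # base64
    wrapper = f"$data = [Convert]::FromBase64String('{outer_b64}')"
    enc = base64.b64encode(wrapper.encode("utf-16-le")).decode()
    return f"powershell.exe -w hidden -noni -ep bypass -enc {enc}"


SAMPLE_CMDLINE = build_sample_cmdline("Write-Output 'constructed benign sample'")

if __name__ == "__main__":
    print(analyze(SAMPLE_CMDLINE))
```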

Find and Amass Card Data

FrameworkPOS’s functionality has been well-documented in existing security literature, and most of what we observed with this malware aligns with previous observations about it.

Once executed on the system, FrameworkPOS searched running processes for track 1 and track 2 payment card data, and then wrote a string (;<;MachineName>;runOK64) to a log file called “Perflib_perfdata_f44.dat” in “%WINDIR%\temp” on the POS terminal.

When writing data, the malware marked track 1 data with tt1 and track 2 data with tt2. The malware also used a simple XOR encoding mechanism to obfuscate the payment card information.

Of note, the FrameworkPOS malware targets all running processes — with the exception of the process it is injected into. It will further ignore processes with fewer than five characters of module path and processes with the following names:


Figure 2: List of hardcoded processes where FrameworkPOS does not search for payment card data

Data Exfiltration

To exfiltrate the stolen data, the attackers employed scheduled tasks with innocuous names such as “WindowsSys” from compromised servers to collect and put the data into numbered .dll files.

Previous studies have detailed FrameworkPOS’s use of Domain Name System (DNS) tunneling for data exfiltration, and the 2016 attribution of FIN6 noted that the group had used FTP command lines for exfiltration. X-Force IRIS did not observe a particular exfiltration methodology in the cases we researched; however, we consider DNS tunneling to be a plausible method based on tactics used by other groups that operate the FrameworkPOS malware.

Similar to previous cases in which the GratefulPOS variant was used, we observed communications with a command-and-control (C&C) domain the malicious actors created to appear as a legitimate security vendor’s website. Once we identified the domain in the samples we analyzed, we sinkholed it to help prevent further criminal use.

Attack Flow Illustration

The graphic below illustrates FIN6’s attack flow according to the activity X-Force IRIS observed. This attack behavior corresponds with the steps X-Force IRIS observed and is characteristic of most attackers. This is illustrated in more detail in our Cyberattack Preparation and Execution Frameworks, which were released in July 2018.

FIN6 Cyberattack Execution Framework

Figure 3: X-Force IRIS observed FIN6 activity establishing a foothold in the environment, escalating privileges, moving laterally, conducting internal reconnaissance, maintaining persistence and meeting its objective by exfiltrating payment card data.

Dig Deeper to Enhance Defenses

FIN6’s skill at acquiring legitimate login credentials, bypassing antivirus systems and quietly exfiltrating data on millions of credit cards underscores the value of digging deeper into threat data to identify and eradicate potential POS malware. Basic antivirus services are unlikely to provide sufficient protection against cybercriminal groups who specialize in POS malware operations, particularly in high-risk verticals such as the retail sector.

By continuing to track and share the TTPs of POS malware groups, X-Force IRIS aims to identify additional security measures to help organizations mitigate the threat to both their networks and their valued customers.

To help lower the risk of mass credit card data theft from POS machines, organizations that deploy point-of-sale endpoints can consider the following security practices:

  • Decrease the potential for login credential theft by enhancing employee education of credential harvesting techniques, ensuring robust physical security, employing software to detect phishing emails and implementing a strong password policy.
  • Allow Domain Administrator accounts for POS systems to interact only with Domain Controllers to segregate these accounts from internet-facing systems and reduce their risk of credential compromise.
  • Use additional segregation techniques to isolate POS systems from the rest of the network, including firewalls and separate login accounts for authorized users.
  • Strictly limit the number of individuals with access to the POS portion of the network based on job duty and necessity. Implement careful audit logging and multifactor authentication (MFA).
  • Harden internet-facing systems by disabling unused ports, unused accounts and other functionalities not necessary for system operations.
  • Whitelist processes and not just applications, such as allowing the execution of only signed PowerShell scripts.
  • Employ threat hunting to proactively discover advanced threats that often evade traditional detection techniques.
  • Follow threat intelligence on the POS malware threat and incorporate up-to-date IoCs into internal security mechanisms to improve the likelihood of identifying known FIN6-related activity on the network.
  • Contract periodic penetration testing services for both software and hardware of the POS installations used across the business.

Indicators of Compromise

Below are the indicators of compromise (IoCs) associated with this attack.


The post X-Force IRIS Identifies FIN6 Activity on POS Networks appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: X-Force IRIS

Cybercrime, Cybercriminals, Cybersecurity Training, Incident Response, Incident Response (IR), insider threat, Security Awareness, Security Training,

Security Gamification Engineer Richard Moore Proves That Anyone Can Be a Hacker

Richard Moore makes his living literally building games.

Richard’s work as a security gamification engineer seems to be the stuff of legend, which is why he must often stress to people that it’s very much a real job. As he sees it, he’s not just playing games all day — he’s building engaging challenges to help teach the next generation of professionals about cybersecurity.

For Richard, one critical aspect of building these gamified scenarios is learning to think like a hacker. You may be picturing the Hollywood hacker stereotype, but the reality is that anyone can be a hacker in the real world. This is why understanding how threat actors work can be so intricate.

“A lot of people have this idea of a hacker in a basement in a hoodie, and it’s really dark — and they’re furiously typing away, coding,” Richard said. “That’s not quite how it happens, so being able to raise awareness through these scenarios helps people learn.”

Indeed, it’s Richard’s job to introduce this line of thinking to businesses and students at the IBM X-Force Command Center and Cyber Range in Cambridge, MA.

A Lifelong Passion for Technology

Having shown a knack for technology since childhood, Richard built his first computer at age 14 and learned a lot by continually losing data and having to start again from scratch. Those experiences taught him how to look at the whole system rather than at isolated pieces.

While he knew early on that technology was his passion, he wasn’t always sure about his focus. After briefly dabbling in web design, Richard finally found his calling when he discovered computer programming.

An opportunity at IBM arose when Richard was fresh out of college, and he seized it with open arms. He’s been at IBM ever since — getting into the minds of malicious actors and showing people how to build more robust systems through security gamification.

Unlocking the Competitive Spirit of Security

Richard wants to bring out the competitive streak in everyone and believes that competition is a “huge motivator” that adds an edge to learning.

“We’ve all seen presentations from people trying to teach us something about a subject, but there’s only so much you can consume through that method of delivery,” Richard said. “Challenging people to really think about the problem gains better results, and learning on your own does not yield as much as learning with other people.”

Richard’s seen it all at his capture the flag (CTF) challenges at IBM, where security teams compete by taking turns hacking and defending a network. During these competitions, he’s witnessed everything from competitors shouting across the room and hurling insults to name-calling — and even shushing and waving people away when they’re trying to help.

“It’s so interesting to see people who are in that mode,” he chuckled. “They are so deep into it.”

By taking on the role of a malicious actor in one of these scenarios, a security professional can gain valuable insights into the motivations and tactics of cybercriminals. In order to make the games and challenges as believable as possible, it’s Richard’s job to think of how a company would build a secure system — and how a cybercriminal would attack those systems.

“A developer might develop code and know to look out for things like Cross-Site Scripting (XSS), but they’ve never actually tried to trigger one of those exploits themselves,” Richard said. “Giving them that perspective is a really interesting way for them to learn — being able to execute the exploits, being able to see what a hacker sees when they’re hacking.”

If hacking is a battle of wits between humans and machines, Richard must outwit them all.


Security Gamification Shows That Anyone Can Be a Hacker

At the 2018 IBM Think conference in Las Vegas, Nevada, his team ran a booth that featured a two-minute hacking challenge. Visitors were tasked with breaking into an unpatched system, and many people were amazed at how easy it was to run and execute remote commands on the target network.

“One of the major problems right now is script kiddies,” Richard said. “These are people who just download open source tools that are meant for good, and they point them at whatever they want, press ‘Go,’ and it fires a suite of exploits at a system hoping one of them will work.”

Although 99 percent of these attempts fail, Richard emphasized, a script kiddie only needs to be right once.

“These people don’t fully understand what they’re doing — they have no awareness — but they want to boast on forums that they took down this website or managed to find an exploit in this website,” he added.

Script kiddies are just a nuisance, though. The biggest problem Richard sees these days is insider threats — the fact that anyone can easily become an unwitting accomplice to cybercrime.

“A company spends millions on defensive software to stop hacks coming in through the internet, but if one guy with a USB stick walks through the door and plugs in some malware, all those millions have been bypassed, and all that software is useless,” Richard said. “Now there’s a backdoor into the network while the security monitors the front door.”

Why Lack of Cyber Awareness Is the True Enemy

While most big companies are already working to remediate these risks, it’s the smaller businesses, charities and nonprofits that most worry Richard. These organizations don’t have money to throw at user education and are more likely to assign dual roles to one person. For example, the web designer might also be responsible for security simply because he or she is well-versed in technology.

“We need more people in security, there’s no doubt about that,” Richard said. “But on top of that, it’s ordinary people with lack of awareness. Security is not taught in schools unless you’re on a specific course, so the majority of people who get into jobs don’t know how easy it is to hack things and get at data, and how easy it is to manipulate people.”

Emphasizing that being manipulated by a hacker “is not about intelligence,” Richard noted that data could be harvested from anywhere — especially in an age when we share so many personal details online. Cybercriminals can use any of that data to trick unsuspecting users into opening the door to enterprise networks, and dedicated threat actors will persist until they hit the payload.

“It’s very much a human-versus-human battle: You can’t just write something and think ‘I’m now protected,’” Richard said. “You have to think of what they’re going to do to counteract what you’ve come up with. It’s a circle of counteracting the counteraction to your counteraction.”

And here we circle back to the theme of competitiveness driving an outcome: Whether it’s in a gamified scenario or the very real cyberthreat landscape, we need more security specialists like Richard to help us arm ourselves with a battle cry.


The post Security Gamification Engineer Richard Moore Proves That Anyone Can Be a Hacker appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Lauren McMenemy

Advanced Threats, Cyberattacks, Cybercriminals, IBM Security, IBM X-Force Incident Response and Intelligence Services, Incident Management, Incident Response, Incident Response (IR), Phishing, Security Framework, Security Intelligence & Analytics, Social Engineering, Threat Intelligence, Threat Management, Threat Monitoring, Threat Protection, X-Force,

How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 4

This article is the final installment in a four-part series that examines how the X-Force IRIS cyberattack frameworks can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out the entire series for the full scoop.

Even after an organization’s network has been compromised, the security team still has opportunities to find and dispel the attackers before they can expand their access within the network and achieve other objectives. Attackers, particularly advanced attackers who are good at evading detection, may spend a significant amount of time in a network, giving defenders time to foil their schemes.

The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps security practitioners understand how a cyberattack occurs and provides a model to identify opportunities to lower the risk of a successful breach.


IBM IRIS Cyberattack Preparation Framework — Schematic View

Since we’ve already recommended actions to help identify and subvert attackers throughout their preparation and the early stages of an attack, we can now explore the final opportunities a security team has to thwart an attack before it can cause financial, reputational and other types of damage.

By dissecting the phases of the framework in which attackers conduct internal reconnaissance, move laterally, escalate privileges and meet their objective, security teams can determine what steps they must take to help reduce the risk of attackers moving around the network and stealing privileged data.

Read the white paper: IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Beyond the Initial Compromise: Expand Access Stage

Advanced attackers often spend significant time and effort in the expand access stage, gaining the required visibility and searching for proprietary information that accomplishes their mission.

Attackers’ activities during this phase can mimic the commands and actions of typical users, and it can be difficult to distinguish the activities of the “expand access phase” from normal operations. Still, finding and mitigating an attack at these stages represents defenders’ final opportunity to prevent further harm.

Internal Reconnaissance

Once attackers enter the network, they may collect additional information about users and groups on the network, examine the access levels used and identify available files or databases before determining the next steps to gain greater access.

Security teams don’t always have a smoking gun to alert them to internal reconnaissance activities because attackers often use commands inherent to the operating system rather than malware, which makes this activity harder to detect with traditional controls.

However, security teams can help detect malicious activity by building a baseline for typical user behavior and threat hunting for anomalies. To enrich information about legitimate user patterns, security teams can use machine learning for behavioral biometrics and equip their logging and analysis platform with artificial intelligence (AI)-enabled applications.

Another option to help detect internal reconnaissance is to set up honeypots. A honeypot is a deceptive file or system designed to trick attackers into accessing it. A honeypot can be as simple as a file that contains false information disguised as lucrative data that an attacker would be likely to search for. It could also be a false subnetwork that an attacker might spend a lot of time filtering through.

If an attacker accesses a honeypot, the system will send an immediate alert to security teams with details regarding the activity on the honeypot, including user information and logged keystrokes. Although it is not guaranteed that attackers would ever access a honeypot even after compromising the network, a honeypot can be both simple to implement and low-cost.

An Attacker Moves Through the Network

During the “move laterally” and “escalate privileges” phases, the attacker gains access to more resources within the compromised network by moving to additional hosts with different or greater access, such as an administration account. This process can include obtaining additional credential information, stealing public key infrastructure (PKI) certificates, and accessing privileged accounts or computers.

Impede Attackers’ Steps With the Principle of Least Privilege

The principle of least privilege can limit the attacker’s ability to easily move throughout the network. We had previously considered least privilege in terms of system access authorizations, but the principle is best applied to user account access when discussing lateral movement and privilege escalation.

Attackers often seek multiple user credential sets to gain additional access to other parts of the network. By restricting all user access to only the resources required for their daily tasks, security teams can limit what an attacker would be able to achieve with the same credentials. In addition to role-based privilege restrictions, access restrictions can also be made based on the expected context of the activity, such as restrictions on the time of day that remote access is allowed and what users from certain geographic locations are able to do.

When it comes to administration accounts and the principle of least privilege, administrators should also have a standard user account. The administration account should only be accessed for specific, required tasks with the standard account used for the bulk of daily activities.

The administration accounts should be monitored for anomalies, such as a user spending an unusually large amount of time on it. If possible, use the separation of duties and rotation principles to divide administration tasks among several accounts to limit the access that an attacker would have with one set of administrator credentials.

The principle of least privilege also applies to the network. Segment the network into logical components where trust and communication between the segments is strictly controlled. Segmenting the network is akin to creating several mini-networks under the larger network umbrella. In this sense, an attacker would need to invest the same amount of effort to compromise each segment as the initial compromise, slowing or restricting the attacker’s ability to gain access to the full environment. At the same time, defenders would have a better chance to identify the intrusion through threat hunting and other security controls.

Harden Password Policies

Finally, security teams and administrators should enforce strong user password policies. Enabling multifactor authentication (MFA) can help limit an attacker’s ability to access additional user accounts with a stolen username and password. If employees use multiple systems to perform their job duties, restrict the ability to use the same password across systems. At the administrative level, protect against pass-the-hash and other password-stealing methods by storing password hashes in secured locations.

The Attacker Accomplishes the Goals of the Cyberattack

By completing some or all of the phases in the cyberattack framework, attackers hope to accomplish the objective of the intrusion. Threat actors’ end goals can range from reconnaissance to theft of data or finances to destruction of victims’ assets.

Advanced attackers often exfiltrate privileged information as their goal or as a step toward achieving their goal. This information can be used for espionage purposes in the case of state-sponsored cyberintelligence groups or corporate competitors, or sold for a profit by financially motivated adversaries.


Look for Data in Transit

To identify attackers beginning the final stage of the cyberattack, security teams can monitor or restrict unusual data transfers, such as:

  • Creation of RAR files: It is common for attackers hoping to exfiltrate large amounts of data quickly to compress and encrypt the information. To accomplish this, attackers typically convert the data into RAR files, although other archives can be used. Security teams can monitor for and inspect the creation of RAR files.
  • High volume of email to external addresses: An attacker using valid employee credentials may use an employee’s email account to exfiltrate data from a network. Security teams should investigate spikes in emails to external addresses, particularly if these emails contain attachments.
  • Creation of auto-forwarding rules or delegated email accounts: To steal emails, attackers may create email forwarding rules or account delegates to access emails from their own accounts. Security teams should monitor for the creation of auto-forward rules and new email delegates or prohibit this activity.
  • Increase in uploads to websites: Security teams can also look for spikes in the volume of employee uploads to non-corporate websites. Attackers may use a valid user account to upload proprietary data to an attacker-controlled website or cloud storage service.
  • Unsanctioned port activity: Attackers can use a variety of ports and protocols to exfiltrate data, including File Transfer Protocol (FTP) and Domain Name System (DNS). Security teams can monitor for excessive traffic leaving through these protocols. To take proactive action, security teams can use dedicated servers for these protocols and close these ports on other servers.
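As an added example (not part of the X-Force IRIS framework), here is a Python sketch of the five checks in the list above run over a constructed event log: archive creation and external mail rules are matched directly, while external-mail and upload volumes are compared against each user’s own earlier days, in the spirit of the baseline approach from the internal-reconnaissance section. The event schema, the corporate domain, the list of sanctioned DNS/FTP servers and every threshold are assumptions.

```python
"""Detect the data-in-transit signals listed above over a constructed event log.

Added example; the event fields, CORP_DOMAIN, SANCTIONED servers and all
thresholds are assumptions chosen for this illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

CORP_DOMAIN = "example.com"                        # assumed corporate domain
SANCTIONED = {"dns": {"dns01"}, "ftp": {"ftp01"}}  # assumed dedicated egress servers
ARCHIVE_EXT = (".rar", ".7z", ".zip")
PORT_LIMIT = 5_000_000                             # bytes/day from a non-dedicated host

# Constructed events: seven quiet days for user "alice", then one day showing every signal.
EVENTS = [
    *[{"day": d, "user": "alice", "host": "ws-17", "type": "mail_out",
       "to": "partner.net", "attachment": True} for d in range(1, 8)],
    *[{"day": d, "user": "alice", "host": "ws-17", "type": "upload",
       "domain": "vendor-portal.test", "bytes": 2_000_000} for d in range(1, 8)],
    {"day": 8, "user": "alice", "host": "ws-17", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Local\Temp\q1.rar"},
    *[{"day": 8, "user": "alice", "host": "ws-17", "type": "mail_out",
       "to": "freemail.test", "attachment": True} for _ in range(12)],
    {"day": 8, "user": "alice", "host": "ws-17", "type": "mailbox_rule",
     "action": "forward", "target": "x@freemail.test"},
    {"day": 8, "user": "alice", "host": "ws-17", "type": "upload",
     "domain": "drop.test", "bytes": 900_000_000},
    {"day": 8, "user": "alice", "host": "ws-17", "type": "net_out",
     "proto": "dns", "bytes": 50_000_000},
]


def is_external(domain: str) -> bool:
    return not (domain == CORP_DOMAIN or domain.endswith("." + CORP_DOMAIN))


def per_user_day(events, predicate, weight):
    """Sum weight(e) per (user, day) for events passing predicate; missing days count as 0."""
    totals = defaultdict(float)
    users, days = set(), set()
    for e in events:
        users.add(e["user"])
        days.add(e["day"])
        if predicate(e):
            totals[(e["user"], e["day"])] += weight(e)
    return {(u, d): totals.get((u, d), 0.0) for u in users for d in days}


def spikes(totals, factor=3.0, min_history=5):
    """Flag a (user, day) whose total exceeds that user's earlier days by mean + factor*sd
    or factor*mean, whichever is larger (the floor guards against a zero-variance baseline)."""
    by_user = defaultdict(dict)
    for (user, day), total in totals.items():
        by_user[user][day] = total
    hits = []
    for user, days in by_user.items():
        for day in sorted(days):
            history = [days[d] for d in days if d < day]
            if len(history) < min_history:
                continue
            mu, sd = mean(history), pstdev(history)
            threshold = max(mu + factor * sd, factor * mu)
            if days[day] > threshold:
                hits.append((user, day, days[day], threshold))
    return hits


def rule_hits(events):
    """Archive creation and external forwarding/delegation need no baseline."""
    hits = []
    for e in events:
        if e["type"] == "file_create" and e["path"].lower().endswith(ARCHIVE_EXT):
            hits.append(("archive_created", e["user"], e["path"]))
        elif (e["type"] == "mailbox_rule" and e["action"] in ("forward", "delegate")
              and is_external(e["target"].split("@")[-1])):
            hits.append(("external_mail_rule", e["user"], e["target"]))
    return hits


def unsanctioned_port_hits(events, limit=PORT_LIMIT):
    """DNS/FTP volume leaving from any host other than the dedicated server for that protocol."""
    totals = defaultdict(int)
    for e in events:
        if e["type"] == "net_out" and e["proto"] in SANCTIONED:
            totals[(e["host"], e["proto"], e["day"])] += e["bytes"]
    return [(h, p, d, b) for (h, p, d), b in totals.items()
            if h not in SANCTIONED[p] and b > limit]


def run(events=EVENTS):
    """Return every finding, grouped by the signal in the list it corresponds to."""
    return {
        "rules": rule_hits(events),
        "mail_spikes": spikes(per_user_day(
            events, lambda e: e["type"] == "mail_out" and e["attachment"]
            and is_external(e["to"]), lambda e: 1)),
        "upload_spikes": spikes(per_user_day(
            events, lambda e: e["type"] == "upload" and is_external(e["domain"]),
            lambda e: e["bytes"])),
        "port_hits": unsanctioned_port_hits(events),
    }


if __name__ == "__main__":
    for signal, findings in run().items():
        print(signal, findings)
```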

A Defender’s Work Isn’t Over

If defenses are insufficient or unable to track and stop attackers from accomplishing their mission, the organization’s security team and business leaders still have a lot of work to do to contain and remedy the compromise.

A breached organization would likely activate its incident response team and procedures and may require additional expertise from a specialized security vendor. After a security compromise, the organization needs to explore what happened, what the damage consisted of, how to mitigate the damage and, finally, how to prevent it from happening again.

Organizations can prepare for an attack by building a dedicated team and training it to respond to security incidents. To practice relevant attack scenarios, the response team can participate in tabletop exercises or simulations that mimic a cyberattack to find shortcomings in their mitigation and remediation processes. Simulations can help security leaders establish quick-action response processes and communication policies in anticipation of a breach. Continuous training can help prepare the team to act quickly and efficiently during a real-world event.

Even after attackers have accomplished their objectives, they will often leave their backdoors in the network open to return to the environment at a later date. For this reason, an effective incident response must include finding and closing those security gaps.

Forensic analysis is part of understanding the attack and learning from it. A thorough examination of available forensics can help security teams understand details of the attack, which can aid in establishing mitigation priorities, providing data to law enforcement and planning risk reduction strategies to protect against future threats.

Learn More About the IBM X-Force Cyberattack Framework

By dissecting each phase of the IBM X-Force cyberattack preparation and execution framework, security leaders can create a prioritized and cost-effective collaborative-defense strategy that can help minimize the attack surface and reduce the risk of an attack succeeding.

To learn more, read the X-Force IRIS cyberattack preparation and execution frameworks white paper and listen to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”

The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 4 appeared first on Security Intelligence.

Author: Alexandrea Berninger


How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 3

This article is the third installment in a four-part series that examines how the X-Force IRIS cyberattack framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to check out part 1 and part 2 for the full scoop.

Any determined attacker has a good chance of being able to infiltrate a network. However, just because an attacker makes it through the front door, that doesn’t mean they will walk away with the organization’s proprietary data. While the first two posts in this series recommended actions to hinder an attacker’s ability to plan and launch an attack, this post will explore how to subvert an attacker already in a network.

The IBM X-Force Incident Response and Intelligence Services (IRIS) cyberattack framework helps organizations understand how cyberattackers achieve their objectives and provides a model for identifying actions security practitioners can take to lower the risk of a successful breach.

The process for defenders to find and halt the activities of attackers already in the network begins with recognizing and mitigating the initial compromise and then covers opportunities to find and track attackers as they establish a foothold in the network.


[Figure: IBM IRIS Cyberattack Execution Framework, schematic view]

Beyond Perimeter Defense

Although the goal may be to stop an attack from occurring, the reality is that perimeter defense — such as antivirus solutions and firewalls designed to stop malware from entering the network — is not a failproof solution and cannot be relied on as the only defense. Perimeter defense has value as one of several defense layers and can be effective at stopping opportunistic attacks, those where an attacker uses known vulnerabilities, and malware against multiple organizations hoping to breach the least-prepared target.

Perimeter defense is less likely to stop a targeted attack where a persistent and adaptive attacker has tailored an attack to circumvent defenses and can adapt their tactics to changes or roadblocks.

There are countless opportunities for an attacker to breach a network and there is no single solution that will stop them from compromising the organization’s network if they are motivated to find a way inside. Instead, defenders need to consider how to prioritize controls that can increase the odds of finding and stopping an attacker from achieving their goal.

Organizations have a finite amount of resources to devote to security, and using a cyberattack framework to analyze attacker techniques can aid in finding the defensive strategy that will give the most significant return on investment.

Initial Compromise (Think: Phishing Attacks!)

The IBM X-Force IRIS cyberattack framework begins after a cyberthreat actor has launched an attack, starting with a successful initial compromise. The initial compromise occurs when the attacker has gained access to at least one host on the network or has otherwise gained access to the network — perhaps by logging on with stolen or brute-forced credentials.

Phishing emails are the most common threat vector for attackers to gain network access. Therefore, focusing resources to harden this initial attack surface can help reduce the risk of initial compromise.

In a phishing or spear phishing attack, a fraudulent email or electronic communication is sent to users within an organization, luring them into revealing network credentials, clicking a link or downloading a legitimate-looking attachment with hidden malware. Depending on the attacker’s techniques and goals, phishing attacks can occur with or without the use of malware.

Implementing the following security features, educating employees, and revisiting internal security and reporting processes can reduce the risk of a phishing email being successful:

  • Disable macros: Macros are small programs embedded in documents and other files to automate repetitive tasks. Although Windows security features now include an automatic prompt that requires the user to enable macros in many productivity files, users can still be fooled into doing so by a well-crafted phishing message. Disabling macros as a policy can help prevent malicious attachments from running embedded malware and reduce the chances of infection.
  • Enforce policies that prevent users from running untrusted code: Macros are not the only option for attackers who want to embed malicious code within phishing emails or attachments. Since attackers use a variety of other methods, preventing users from running any untrusted code can further mitigate this threat.
  • Create banners that identify emails coming from external addresses: Easily identifiable banners can alert employees to messages from look-alike sender addresses. Attackers craft these addresses to resemble trusted ones, differing by only a character or two, which makes them hard to spot visually.
  • Configure intrusion prevention systems (IPS) and intrusion detection systems (IDS) to alert on potential phishing emails: IPS and IDS solutions monitor network traffic and can either alert on (in the case of an IDS) or block (in the case of an IPS) malicious traffic. These systems can be configured to alert on known or suspected malicious emails.

Both solution types are valuable defense layers. IDS can be configured to alert on a broader set of signatures, while IPS detection signatures should be based on higher confidence of malicious activity. To enhance protection, make a point of maximizing storage and retention policies for data collected from an IDS or IPS. This data can be valuable forensic evidence for incident response teams looking to analyze, contain and mitigate a breach.

  • Employ protection platforms on email servers: A malicious email detection solution implemented at the email gateway can further help defenders identify and block fraudulent emails. These services can blacklist known sources of ransomware and phishing attacks and will analyze all attachments or URLs sent via email in a sandbox before users access them. Making sure email content is “clean” means employees are less likely to fall prey to a phishing attempt.
  • Ensure hosts are equipped with solutions to identify and prevent malware from running: Endpoint protection platforms (EPPs) and endpoint detection and response (EDR) platforms are additional layers that can help detect indicators of an attack and may help stop malicious files from running. They can also alert the security team to a potential attack.

In addition to phishing attacks, which target the operating systems employees use (also known as client-side attacks), cyber adversaries can also employ server-side attacks that target servers and can include web compromise or exploit a network vulnerability to infiltrate servers the organization operates. Good network hygiene — such as securing open ports, performing input validation and ensuring effective patch management — is one way to reduce the risk of server-side attacks.

Attackers Establish a Foothold and Maintain Persistence

In the next phase in the framework, the attacker establishes a foothold by ensuring access and control of at least one host or user account within the organization’s network. An attacker can accomplish this by having gained access to network credentials, installing remote control malware on endpoints or installing a backdoor on the network. Typically, attackers will establish a link to their command and control (C2) infrastructure and use it to control endpoints they have infected remotely.

To maintain persistence, an attacker will work to strengthen their foothold in the target environment by securing redundant and overlapping access to the network in case the system is restarted or rebuilt, an access point fails or stolen credentials are reset.

Often, actions to maintain persistence occur simultaneously when the attacker establishes a foothold. For example, an attacker may reference the initial backdoor in a Windows Registry location that could ensure it will run each time the host is restarted. Moreover, actions to maintain persistence can continue to occur throughout the remainder of the attack as the attacker moves deeper into the organization’s networks.

Actions taken by attackers, both for establishing a foothold and for maintaining persistence, can be visible and mitigated. In some cases, malicious activities can be flagged by an IDS/IPS platform or an EPP/EDR platform, which can be configured to search for known threats.

Defenders Go Threat Hunting

While detecting known threats is part of protecting against attacks, when it comes to threats and attacker methodologies that are not yet known, a well-established and effective threat-hunting program can aid in threat identification and mitigation. A new or existing threat-hunting program can be scoped and augmented to help reduce the operational burden on security teams — all while adding value to the overall ability of the organization to find intruders before they can do any harm.

Building a threat profile, as described in the first part of this blog series, can aid in prioritizing threat-hunting requirements around an organization’s most valuable assets and the likely threats most relevant to those assets. To scope a threat-hunting program, it can be helpful to start with a “crawl, walk, run” approach. A narrow focus can begin by examining networks for signs of specific activities of an attacker — for example, establishing a foothold and maintaining persistence — particularly if those actions are against the highest priority assets.

As a threat-hunting team succeeds in these aspects, the scope can be expanded to include more types of activities attackers are likely to take and to search across additional environments and assets.

Once an unknown threat is discovered through threat hunting, the associated indicators can be converted into signatures for the detection and protection platforms so that any other instances are identified automatically.

Additionally, investment in a centralized logging and analysis platform can automatically prioritize data, sorting it into tiers ranging from benign activity to activity that is likely to be malicious. Understanding and labeling telemetry that is likely due to normal business operations as benign can be just as important as identifying suspicious activity. Whitelisting and creating a baseline for normal activity, as well as performing frequency analysis, can aid in detecting anomalies. Performing this analysis, however, is difficult without some type of centralized logging and analysis platform.

Take Defensive Actions to Mitigate Risk

Examining the IBM X-Force IRIS cyberattack framework and the steps attackers take to initially compromise, establish a foothold and maintain persistence can help in identifying prioritized avenues to increase security.

The final post in this blog series will examine defensive actions that can help identify attackers as they move through an organization’s network, escalate their access and exfiltrate proprietary data.


The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 3 appeared first on Security Intelligence.

Author: Alexandrea Berninger


How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2

This article is the second installment in a four-part series that examines how the X-Force IRIS framework can help identify opportunities for security practitioners to increase network security and lower risk by addressing the steps an adversary typically takes to attack a network. Be sure to read part one for the full scoop.

Attackers are continually researching companies that are vulnerable to attack and refining their attack plan. However, there are opportunities to undermine a threat actor’s attack preparation and ability to compromise your organization successfully.

IBM X-Force Incident Response and Intelligence Services (IRIS) developed a cyberattack framework to better understand, track and defend against patterns of malicious behavior used by various adversarial actors.

The IBM X-Force IRIS cyberattack preparation framework focuses on implementing security procedures applicable to an organization’s internet-facing environment. Increasing network infrastructure security to guard against the attacker’s external reconnaissance and launch attack phases can help reduce the risk of a successful system compromise.

[Figure: IRIS Cyberattack Preparation Framework, schematic view]

External Reconnaissance: How Attackers Gain Visibility Into Internal Networks

During the external reconnaissance phase of the framework, the attacker will research the target organization and look for exploitable access points, such as unsecured vulnerabilities, unpatched applications and open ports.

Attackers may search forums for usernames and passwords that could give them remote access to the organization’s internal network. They may also reach out to employees to try to convince them to provide their network access credentials or other information the attacker could use.

Finally, attackers seek opportunities to access organizations indirectly. For example, attackers may compromise companies that have third-party access to an organization’s network. This type of attack is known as a supply chain attack. Several publicly known data breaches involved an attacker exploiting an entry point through a third party with weaker security controls than the target company.


Stop Attackers in Their Tracks

On the defender’s side, there are opportunities to increase visibility on the organization’s internet-facing networks to help analysts find the anomalous or malicious activity that may indicate that an attacker is conducting external reconnaissance. The key to risk reduction during the attacker’s external reconnaissance is understanding the organization’s networks and hardening the attack surface.

First, security teams should examine the organization’s online exposure and opportunities customers have to interact with it via the internet — since a malicious actor can misuse these.

Defenders can gain visibility into an attacker’s actions during the external reconnaissance phase by closely monitoring for unusual browsing of the organization’s external-facing websites. Additionally, an organization can hunt for signs that employee authentication credentials are posted on darknet forums.

Monitoring for unusual activity on public domains can include:

  • Identify the top users on company domains: Identify the most active users on an organization’s customer-facing web pages, and determine whether there are any abnormalities in their account use. Traffic from geographic regions that the company doesn’t operate in or an unusual amount of traffic coming from one internet service provider (ISP) may warrant further investigation. Often, unusual traffic can be more easily spotted after a baseline is established for what is normal.
  • Be cognizant of unusual browsing of web page directories: An attacker may map the organization’s website directories and subdirectories in search of common structures that can be exploited. For example, an attacker may try to use a directory traversal attack to attempt to gain access to restricted directories. To map directories, the attacker will follow the site’s directory tree starting at the parent directory and then drill down to all subfolders and files. When monitoring network traffic, directory mapping looks unusual compared to how a typical user browses a webpage: user activity tends to involve less systematic page accesses, with highly varying amounts of time spent on any given page.
  • Limit opportunities for attackers to take advantage of input validation vulnerabilities: Attackers may test input fields and search queries to determine whether there are opportunities to inject malicious code into the website. One example of an input validation vulnerability is an SQL injection attack, where malicious SQL statements are inserted into query fields for execution, potentially resulting in database information exposure or execution of malicious code on the server. Attackers may also try this path to obtain user credential sets from the underlying database.
  • Monitor for abnormal user-agent strings: Attackers can also look for vulnerabilities in the web server by sending code in the user-agent string. The user-agent string is a field in the HTTP header that indicates the platform, operating system and software being used to access the web page. When a web browser requests a page from a web server, it sends the user-agent string. Defenders can whitelist typical user-agent strings and create automatic alerts to highlight any abnormal or rare user-agent strings. Finally, because this is a user-controlled input, hackers can attempt to insert malicious code into the string with the hope it will execute on the receiving system.
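The following Python code is an added example, not from the original post, that turns the monitoring points above (and the baseline and frequency-analysis idea from the threat-hunting section of Part 3) into a hunt over constructed web server access logs in the Apache/nginx combined format: it flags clients that enumerate many directories at machine speed with mostly 404 responses, requests whose path contains a directory traversal sequence, and user agents outside an assumed allowlist, reporting how often each one appears in the log. The log lines, the allowlist and the thresholds are all constructed for the example.

```python
"""Reconnaissance hunting over constructed web access logs (combined format).
Per client IP the analysis reports directory-mapping (many distinct paths at
machine speed, mostly 404s), traversal-probe (../ or an encoded form of it in the
path) and rare-/unlisted-user-agent (outside the allowlist, split by frequency).
Log lines, allowlist and thresholds are constructed for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\|%2e%2e%2f|%2e%2e/|\.\.%2f", re.IGNORECASE)
UA_ALLOWLIST = ("Mozilla/5.0",)  # assumption: prefixes the organization normally sees


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, min_paths=8, max_mean_gap_s=2.0, min_404_ratio=0.5, rare_ua_max=3):
    """Return [(ip, finding_kind, detail)] for every client that trips a rule."""
    events = [e for e in map(parse_line, lines) if e]
    ua_counts = Counter(e["ua"] for e in events)  # frequency analysis over the whole log
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        paths = {e["path"] for e in evs}
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean_gap = sum(gaps) / len(gaps) if gaps else float("inf")
        ratio_404 = sum(e["status"] == 404 for e in evs) / len(evs)
        # A person browses a few pages slowly; a mapper hits many paths fast and misses often.
        if len(paths) >= min_paths and mean_gap <= max_mean_gap_s and ratio_404 >= min_404_ratio:
            findings.append((ip, "directory-mapping",
                             f"{len(paths)} paths, mean gap {mean_gap:.1f}s, 404 ratio {ratio_404:.2f}"))
        probes = [e["path"] for e in evs if TRAVERSAL_RE.search(e["path"])]
        if probes:
            findings.append((ip, "traversal-probe", probes[0]))
        for ua in sorted({e["ua"] for e in evs}):
            if not ua.startswith(UA_ALLOWLIST):
                kind = "rare-user-agent" if ua_counts[ua] <= rare_ua_max else "unlisted-user-agent"
                findings.append((ip, kind, f"{ua} ({ua_counts[ua]} requests)"))
    return findings


# --- constructed sample log --------------------------------------------------
def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

FIREFOX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/65.0"
SCAN_PATHS = ["/admin/", "/backup/", "/old/", "/config/", "/.git/", "/test/",
              "/uploads/", "/db/", "/wp-admin/", "/static/../../etc/passwd"]
SAMPLE_LOG = [  # 203.0.113.9 walks ten directories one second apart
    _line("203.0.113.9", f"10/Mar/2019:14:02:{i:02d} +0000", p,
          200 if p in ("/admin/", "/uploads/") else 404, "python-requests/2.21.0")
    for i, p in enumerate(SCAN_PATHS)
] + [  # 198.51.100.4 is an ordinary visitor; 192.0.2.77 is a one-off curl request
    _line("198.51.100.4", "10/Mar/2019:14:00:05 +0000", "/", 200, FIREFOX),
    _line("198.51.100.4", "10/Mar/2019:14:01:12 +0000", "/products/", 200, FIREFOX),
    _line("198.51.100.4", "10/Mar/2019:14:03:40 +0000", "/products/42", 200, FIREFOX),
    _line("192.0.2.77", "10/Mar/2019:14:05:00 +0000", "/login", 200, "curl/7.64.0"),
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep=" | ")
```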

Although monitoring for unusual browsing may not provide conclusive evidence of a pending attack, it’s part of the overall risk picture and can provide an avenue for further research and monitoring.

Remove Excess Privileges

Attackers may search for vulnerable access points into a network using a port scanner or an exploit kit. For defenders, the best practice is to follow the principle of least privilege, meaning that a user or system should only receive the access privileges that correspond with their role. Although cyberdefense strategies most commonly reference this concept when establishing user access controls, it also applies to systems, applications and processes. Removing excess privileges can reduce the attack surface and make it more difficult for the attacker to enter and move around the network.

First, security teams should map the organization’s network and identify ports that are accessible from the internet. These open ports act as doors to confidential data on the network and threat actors can exploit ports left unlocked to gain unauthorized entry. Mapping the network properly (and periodically) can help identify risky ports to close or monitor.

When applying the concept of least privilege to servers, only allow each server to perform the roles for which it’s authorized. Ideally, for example, a domain controller should only allow traffic and protocols required for domain administration and should not directly access the internet.

By contrast, a web server should only interact with the internet in the specific way that was intended by the business and network administrators. In reality, when servers are set up with default settings, more ports are open than are required for that server’s vocation, which can result in unmonitored security gaps.

The Launch Attack Phase: Hardening the Attack Surface

Once the attacker has completed the phases of the IBM X-Force IRIS cyberattack preparation framework, he or she may choose to launch an attack against the target. However, if an attacker failed to complete some of the preparation phases, he or she may choose to postpone an attack until more information is gathered or move on to another, more vulnerable target.

Therefore, one of the defender’s goals is to harden the attack surface and deter most attackers from viewing the organization as an easy target.

An attacker could use stolen credentials with remote access to directly infiltrate a network, or could instead choose to exploit a server. Attacks to infiltrate an internal server can take many shapes and can be as diverse as domain name system (DNS) poisoning or the use of a self-propagating worm delivered from an external network.

Closing the Gaps by Patching

Efficient and timely patch management can help reduce the risk of a successful compromise. Although patching is a basic security practice, an alarming number of companies have suffered breaches due to unpatched vulnerabilities.

According to a Ponemon Institute study of 3,000 companies, 48 percent of respondents admitted they had suffered a data breach within the past two years — and of those respondents, 57 percent of the breaches were due to an unpatched vulnerability. A 2016 study by software company Symantec found that over 75 percent of legitimate websites have unpatched vulnerabilities.

Despite this, many organizations struggle to build an efficient recurring process due to operational complexities, outdated systems and business priorities. One reason systems may go unpatched is a concern — whether perceived or legitimate — that patching may result in performance trade-offs or disruption to operations during patch testing and implementation.

To make the right decisions for the business, security teams need to be aware of business trade-offs and weigh them against the risks of continuing to operate with an unpatched system.

One way to encourage patch management is to include security and patch management performance metrics as part of the system administration processes for service, application and system owners. This strategy will incentivize operations teams to include patch management in their operations — whereas most teams are only incentivized to ensure that there is no disruption to operations.

Also, developing clear procedures to test patch implementation can help to assuage concerns that the patch will break critical business processes. Creating and using a virtual environment is one option to test patches before deploying them in the live environment. Alternatively, segmenting the network and patching in batches can limit the potential negative consequences.

The second reason that patch management often fails is that it’s a manual process where teams have difficulty prioritizing and implementing the most important patches. Ensuring that IT teams have an up-to-date inventory of every asset and automated checks for patches can help identify when and what needs to be patched.

Also, building a centralized platform that automates certain processes will create a more organized and efficient patch-management program that can result in fewer security vulnerabilities.

Attackers Come Prepared: Take Defensive Actions to Mitigate the Risk of a Cyberattack

Although there is no way to guarantee that an organization’s network will not be compromised, implementing cost-effective security recommendations can help minimize the attack surface and reduce the risk of an attack occurring.

The next installments in this series will analyze the X-Force cyberattack execution framework, which models the activities an attacker takes after compromising the network. We will provide recommendations to help defenders increase their visibility of attackers lurking in their networks and best practices to decrease the likelihood of attackers being able to accomplish their mission.

You can also learn more by reading the X-Force IRIS cyberattack preparation and execution frameworks whitepaper or listening to the recent SecurityIntelligence podcast episode, “Fight Back with the X-Force IRIS Cyberattack Preparation and Execution Frameworks.”


The post How a Cyberattack Framework Can Help Reduce Risk at All Levels, Part 2 appeared first on Security Intelligence.

Author: Alexandrea Berninger