Search This Blog

Showing posts with label Threat Intelligence. Show all posts

Lazarus Hackers are Using Log4j to Hack US Energy Companies

 

A new cyber espionage campaign targeting US, Canadian, and Japanese energy providers has been linked to the North Korean state-sponsored Lazarus hacking group, according to security researchers.

Cisco Talos, a threat intelligence company, announced Thursday that Lazarus, also known as APT38, was observed targeting unidentified energy providers in the United States, Canada, and Japan between February and July of this year. 

According to Cisco's findings, the hackers exploited a year-old Log4j vulnerability known as Log4Shell to compromise internet-exposed VMware Horizon servers in order to gain an initial foothold on a victim's enterprise network before deploying bespoke malware known as "VSingle" and "YamaBot" to gain long-term persistent access. 

Japan's national cyber emergency response team, known as CERT, recently linked YamaBot to the Lazarus APT. Symantec first disclosed information of this espionage campaign in April of this year, attributing the operation to "Stonefly," another North Korean hacking group with some overlaps with Lazarus.

However, Cisco Talos discovered a previously unknown remote access trojan (RAT) called "MagicRAT," which is attributed to the Lazarus Group and is used by hackers for reconnaissance and credential theft.

Talos researchers Jung soo An, Asheer Malhotra, and Vitor Ventura, “The main goal of these attacks was likely to establish long-term access into victim networks to conduct espionage operations in support of North Korean government objectives. This activity aligns with historical Lazarus intrusions targeting critical infrastructure and energy companies to establish long-term access to siphon off proprietary intellectual property.”

However, in recent months, the group has shifted its focus to blockchain and cryptocurrency organisations. It has been associated with the recent thefts of $100 million in cryptocurrency from Harmony's Horizon Bridge and $625 million in cryptocurrency from the Ronin Network, an Ethereum-based sidechain created for the popular play-to-earn game Axie Infinity.

Pyongyang has long used stolen cryptocurrency and information theft to finance its nuclear weapons programme. In July, the United States offered a $10 million reward for data on members of state-sponsored North Korean threat groups, including Lazarus, more than doubling the amount previously offered. The State Department made the announcement in April.

The Lazarus Group is a North Korean-backed hacking organisation best known for the high-profile Sony hack in 2016 and the WannaCry ransomware attack in 2017. Lazarus is also motivated by efforts to support North Korea's state objectives, such as military R&D and evasion of international sanctions.

Microsoft Launches New External Attack Surface Audit Tool

 

Microsoft has released a new security solution that enables security teams to identify Internet-exposed resources in their organization's environment that attackers may use to access their networks. The emphasis is on unmanaged or unknown assets that have been introduced to the environment as a result of mergers or acquisitions, generated by shadow IT, are absent from inventory owing to insufficient cataloguing, or have been overlooked due to rapid corporate expansion. 

This new tool, dubbed Microsoft Defender External Attack Surface Management, offers users an overview of their organisations' attack surface, making it easier to uncover vulnerabilities and prevent possible attack routes. This tool will develop a database of the organization's full environment, including unmanaged and agentless devices, by continually scanning Internet connections. 

Microsoft Corporate VP for Security Vasu Jakkal said, "The new Defender External Attack Surface Management gives security teams the ability to discover unknown and unmanaged resources that are visible and accessible from the internet – essentially, the same view an attacker has when selecting a target. Defender External Attack Surface Management helps customers discover unmanaged resources that could be potential entry points for an attacker." 

Microsoft Defender External Attack Surface Management helps security teams to see their environment as an attacker does and uncover exploitable flaws before they do by continually watching connections and hunting for unsecured devices vulnerable to Internet assaults. 

Microsoft also introduced Microsoft Defender Threat Information, a second security solution that will provide threat intelligence to security operations (SecOps) teams in order to uncover attacker infrastructure and accelerate attack investigations and remediation efforts. It will also provide SecOps team members with real-time data from Microsoft's large database of 43 trillion daily security signals, allowing them to actively seek threats in their surroundings. The data is offered as a library of raw threat intelligence containing information on enemies' identities as well as correlations between their tools, strategies, and techniques. 

"This depth of threat intelligence is created from the security research teams formerly at RiskIQ with Microsoft's nation-state tracking team, Microsoft Threat Intelligence Center (MSTIC) and the Microsoft 365 Defender security research teams," Jakkal added. 

"The volume, scale and depth of intelligence is designed to empower Security Operations Centers to understand the specific threats their organization faces and to harden their security posture accordingly." 

According to Microsoft, all of this additional information about threat actors' TTPs and infrastructure will assist customers' security teams in detecting, removing, and blocking hidden adversary tools within their organization's environment.

VirusTotal Hacking: Hackers can Access Trove of Stolen Credentials on VirusTotal

 

By conducting searches on VirusTotal, an online service that analyses suspicious files and URLs, security researchers have discovered a technique to gather large volumes of stolen user credentials. 

The SafeBreach research team used this technique to acquire over a million credentials using a €600 (about $679) VirusTotal licence and a few tools. The purpose was to determine what information a criminal could obtain with a licence for VirusTotal, a Google-owned service that allows users to submit and verify suspected files and links using multiple antivirus engines for free. 

A VirusTotal licenced user can use a mixture of questions to search the service's dataset for file type, file name, submitted data, country, and file content, among other things. Many data thieves gather credentials from various forums, mail accounts, browsers, and other sites, write them to a specific hard-coded file name — for example, "all credentials.txt," and then exfiltrate the file from the victim's device to the attackers' command-and-control server. 

Researchers used VirusTotal tools and APIs like search, VirusTotal Graph, and Retrohunt to locate files containing stolen data using this strategy. 

Tomer Bar, director of security research at SafeBreach stated, "It is quite a straightforward technique, which doesn't require strong understanding in malware. All you need is to choose one of the most common info stealers and read about it online." 

To collect critical data, the researchers used well-known malware such as RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, as well as well-known forums like DrDark and Snatch Cloud. They discovered that their strategy worked on a large scale.

RedLine Stealer is a type of malware that may be purchased individually or as part of a subscription on underground forums. It collects information such as saved credentials, autocomplete data, and credit card information across browsers. When malware is installed on a target machine, it creates a system inventory that contains usernames, location data, hardware settings, and security software details. RedLine Stealer can upload and download files as well as run commands.

To begin, the researchers utilized VirusTotal Query to look for binaries that had been classified as RedLine by at least one antivirus engine, which yielded 800 matches. They also looked for files with the name DomainDetects.txt, which is one of the file names used by the malware. Hundreds of files had been exfiltrated as a result of this. 

They then resorted to VirusTotal Graph, a visual exploration tool for licenced VirusTotal customers. The researchers discovered a file from their search results in a RAR file containing exfiltrated data from 500 individuals, including 22,715 passwords to a variety of websites. There were also larger files with more passwords in the other results. 

According to the researchers, several of the URLs were for government-related websites. While there are many different types of data thieves, the researchers chose five of the most popular ones because they had a higher chance of being found in the VirusTotal dataset. 

Researchers wrote in their blog post, "A criminal who uses this method can gather an almost unlimited number of credentials and other user-sensitive data with very little effort in a short period of time using an infection-free approach. We called it the perfect cybercrime, not just due to the fact that there is no risk and the effort is very low, but also due to the inability of victims to protect themselves from this type of activity." 

The researchers informed Google of their discoveries and asked VirusTotal for the files containing personal information. They also suggested screening for and erasing files containing sensitive user data regularly, as well as prohibiting API keys from uploading those files.

Security Researchers Discovered Crimea Manifesto Buried in VBA Rat

 

On Thursday, Hossein Jazi and the Threat Intelligence team at Malwarebytes released a report revealing a new threat actor that may be targeting Russian and pro-Russian individuals. A manifesto regarding Crimea was included by the assailants, implying that the attack was politically motivated. A suspicious document called "Manifest.docx" is used in the attacks, and it downloads and runs two attack vectors: remote template injection and CVE-2021-26411, an Internet Explorer exploit. Malwarebytes' Threat Intelligence team discovered the "Манифест.docx" ("Manifest.docx") on July 21.

"Both techniques have been loaded by malicious documents using the template injection technique. The first template contains a url to download a remote template that has an embedded full-featured VBA Rat. This Rat has several different capabilities including downloading, uploading, and executing files," Jazi said. 

The second template is imported into the document and is included in Document.xml.rels. According to the threat research teams at Google and Microsoft, the loaded code contains an IE Exploit (CVE-2021-26411) that was previously utilized by Lazarus APT to target security researchers working on vulnerability disclosure. The shell code used in this vulnerability loads the same VBA Rat as the remote template injection exploit. 

The attack, according to Jazi, was motivated by the ongoing conflict between Russia and Ukraine, which includes Crimea. Cyberattacks on both sides have been on the rise, according to the report. The manifesto and Crimea information, however, might be utilized as a false flag by threat actors, according to Jazi. 

The attackers used a combination of social engineering and the exploit, according to the report, to boost their chances of infecting victims. Malwarebytes was unable to pin the assault on a single actor but said that victims were shown a decoy document with a statement from a group linked to a figure named Andrey Sergeevich Portyko, who supposedly opposes Russian President Vladimir Putin's Crimean Peninsula policies. 

The decoy document is loaded after the remote templates, according to Jazi. The document is written in Russian but also has an English translation. A VBA Rat is also included in the attack, which collects victim information, identifies the AV product installed on the victim's workstation, runs shell-codes, deletes files, uploads and downloads files, and reads disc and file system information. Instead of using well-known API calls for shell code execution, which can easily be flagged by AV products, the threat actor employed the unique EnumWindows to run its shell-code, according to Jazi.

IBM X-Force Publishes a List of Top 10 Cybersecurity Vulnerabilities of 2020

 

The severity of cyber-attacks has grown over the past year especially during the global pandemic. Threat actors are looking for unpatched issues or common vulnerabilities and exposures (CVEs) and are exploiting those vulnerabilities to gain initial access to a network. 

According to the 2021 X-Force Threat Intelligence Index, the list of the 10 most exploited susceptibilities of 2020 was dominated by older security issues, with just two out of the top 10 being spotted in 2020. Since 1988, the number of flaws discovered each year has followed a general upward trend with 17,992 new flaws discovered in 2020. 

 Top 10 CVEs exploited by threat actors 

IBM security X-force revealed a list of top 10 CVEs of 2020 based on how frequently threat actors exploited them. The list is based on both IBM X-Force incident response (IR) and IBM managed security services (MSS) data for 2020. Mostly, threat actors targeted common enterprise applications and open-source frameworks that many organizations use within their networks.

•CVE-2019-19871: Citrix Application Delivery Controller (ADC)
 
•CVE-2018-20062: NoneCMS ThinkPHP Remote Code Execution
 
•CVE-2006-1547: ActionForm in Apache Software Foundation (SAF) Struts
 
•CVE-2012-0391: ExceptionDelegator component in Apache Struts
 
•CVE-2014-6271: GNU Bash Command Injection
 
•CVE-2019-0708: ‘Bluekeep’ Microsoft Remote Desktop Services Remote Code Execution
 
•CVE-2020-8515: Draytek Vigor Command Injection
 
•CVE-2018-13382 and CVE-2018-13379: Improper Authorization and Path Traversal in Fortinet FortiOS
 
•CVE-2018-11776: Apache Struts Remote Code Execution
 
•CVE-2020-5722: HTTP: Grandstream UCM6200 SQL Injection 

How to manage the flaws and shield the network from CVEs? 

To patch the vulnerabilities or to protect the network from CVEs, you need to make hard decisions and require accounting for asset and data classification, business goals, risk, performance benchmarks, and much more. Some networks have sensitive machines and infrastructure that need rigorous testing to ensure nothing will fail when an update or patch is applied.

Three important techniques can be used to execute a robust patch-management program: 

(1). Organizations can use vulnerability management tools and crown jewel analysis to identify which assets are classified as critical to your organization, and which flaws are most likely to impact those assets. 

(2). Organizations can design a test environment that can assist in discovering the problems that may occur once a patch is installed in your enterprise environment.

(3). Companies should update their devices, operating systems, applications, versions, and cloud assets every quarter.

TruKno TTP based Threat Intelligence Platform

TruKno’s ThreatBoard is a platform that helps security professionals uncover the root causes behind emerging cyber-attacks, Improving proactive defense postures..

TTP Based Threat Intelligence

Trukno, a Community-based Threat Intelligence Platform uncovering the root causes behind the latest cyber-attacks, is set to release their open-access beta December 22nd.

Every second a new attack in cyberspace takes place, according to a report by Acronis, 32% of all major companies are attacked at least once a day. Unless the outcome of these attacks are notable (like the FireEye breach), the reports of these attacks often get buried in the never-ending flow of new cyber information. These reports, when in the hands of the right people, oftentimes contain valuable intelligence on the Tactics, Techniques, and Procedures used by adversaries. This knowledge can help cyber defenders better assess risk and take proactive measures to prevent these same attack techniques from being effective against their organization. It can give valuable insights on where to funnel resources for more effective defense postures.

Hunt Smarter, not Harder.

Traditionally, uncovering root causes and criteria behind emerging cyber attacks is done in one of two ways:

    1. Manually scrolling through vendor blogs, government reports, and news outlets to find long-winded reports of cyber-attacks (trivial & time-intensive)

    2. Getting hand-curated, confidential reports from your threat intelligence team (requires multiple employees dedicated full-time to threat analysis)

The thing is, cyber security professionals rarely have time to do the manual sourcing, and even if they did, there is no certainty they would be able to find that one attack report that is relevant to their situation. Additionally, Threat intelligence analysts are in high demand and low supply, making them reserved for only the most mature security operations. 

TruKno’s AI engine ensures with a high level of confidence that not breach, campaign, or attack report goes unnoticed. It is actively keeping a pulse on the industry’s leading intelligence sources, identifying critical reports in real-time. TruKno’s analyst team then does manual analysis on these reports, identifying affected industries, technologies, actors, malware, and more. Most importantly, TruKno analyses these cyber-attacks through the lens of the MITRE ATT&CK Framework, offering a universal lexicon and database of observed threat techniques. 

TruKno wants to make TTP-based threat intelligence the foundation of any organization’s (or individual’s) Security posture. 

E Hacking news had a discussion with TruKno’s Founding Team: 

Manish Kapoor (Founder & CEO), Ebrahim Saed (Co-Founder & CTO), and Noah Binstock (Co-Founder & COO), in which we talked about the importance of TTP-Based Security and their upcoming beta release on the 22nd.

Manish Kapoor discussed the origins of TruKno:

 “Trukno was founded with the mission of arming security professionals with the information they need to keep us safe. The name itself is a translation of Gyaan, or True Knowledge. It is the clarity that comes from knowing the right information, at the right time.”

Before Founding TruKno, Manish spent 10 years helping the world’s largest service providers better understand the evolving threat landscapes to build better cybersecurity solutions for their customers. 

“My job required me to always be up to date with the latest emerging attacks, but there was no way for me, as a busy professional, to quickly and accurately stay up to date with new adversarial techniques and procedures. I knew there had to be a better solution than scrolling through hundreds of articles a day.”

Manish commented on the ‘gray-space’ between advanced intelligence tools reserved for advanced analysts at mature security organizations, and tools available to the cyber security community as a whole.

“There are a lot of incredible intelligence tools out there. The issue is, they are reserved for a very select group within the industry due to price point and complexity. Cyber security is a team sport, and a winning team is built up of individuals. There is a need for universal tools that can benefit all security stakeholders.”

Noah Binstock, Head of Operations at TruKno, also commented on their mission and the power of accessible intelligence.

“Informed decision making starts with having a full understand of the subject matter, this is true no matter what industry you are in. People are at the core of cybersecurity, and it is our mission to arm them with the tools they need to make the best decisions on behalf of us all.”

TruKno built its foundation off of the MITRE ATT&CK Matrix, a globally accessible knowledge base of adversary tactics and techniques based on real-world observation.

“We are seeing MITRE ATT&CK become a staple in many security organizations, and we align very closely with their mission of empowering the cyber community as a whole. We use the ATT&CK Framework to offer a common lexicon for all defenders”

Ebrahim Saed, the CTO of TruKno, is at the core of TruKno’s technical capabilities, allowing TruKno users to access an infinite database of cyber intelligence with no load time on the user end. He commented on the importance of responsive & user-friendly interfaces when it comes to intelligence.

“Gathering the intelligence is one thing. The real differentiator is making this critical intelligence instantly available, all at the users fingertips.”

Ebrahim is currently developing a mobile application for TruKno as well, enabling users to access real-world intelligence anywhere anytime. 

The Product:

Since its founding in October of 2018, TruKno has interviewed over 500 cybersecurity professionals, from Threat Analysts to CISOs, working in close collaboration with the cybersecurity community during product development. Here is what they are unveiling:

CyberFeed: 

Trukno’s CyberFeed is a free, customizable cybersecurity news manager to help the community easily access and organize the industry’s top intelligence and news channels. Access key articles while avoiding information overload. 

ThreatBoard: 

TruKno’s Threat Intelligence platform, ThreatBoard uses an AI engine to identify cyber-attacks as they are first reported on the web. They are then broken down by TruKno’s analyst team, extracting & curating key information, affected Industries, Technologies, Actors, Malware, and more. Additionally, Techniques behind these latest breaches are documented and paired with MITRE’s ATT&CK Framework, enabling users to identify potential risks to their organization based off of real-world observations. 

Upcoming Features: 

    • TruKno has already developed team collaboration functionalities, enabling users to securely collaborate on intelligence from Threatboard with their teams. They are waiting for key user feedback before they release team collaboration (TeamBoards).

    • Cyberfeed is currently being developed to allow users to upload their own source URLs, social media intelligence feeds and more. Sharing functions will also be enabled to empower the security community to easily share valuable resources.

    • TruKno is actively finding new ways to present the data being extracted from these reports and are currently improving interoperability between Threatboard analysis and the MITRE Organization’s ATT&CK Framework. 

    • TruKno’s AI effort, led by Dr. Rob Guinness, is constantly improving, automating more and more analysis, meaning more insights.

    • The team is currently working with key industry stakeholders to enable API integration with TruKno’s intelligence data, enabling more actionable intelligence for security teams.

Hunt Smarter, Not Harder

In short, TruKno’s goal is to help the cyber security community get the intelligence they need to help keep us safe. TTP based threat intelligence is a valuable lens for all security professionals, and they hope that their tools can help make it a community staple.

The TruKno Open beta is live at  www.TruKno.com