STE WILLIAMS

Stealth Mango Proves Malware Success Doesn’t Require Advanced Tech

At Black Hat USA, a pair of researchers will show how unsophisticated software can still be part of a successful surveillance campaign.

Reports on new strains of malware and dissection of its operation are common at security conferences. Less common: Full end-to-end reports of the malware, the infrastructure underneath it, and the organization behind it. But on Aug. 9, that’s what Lookout’s Andrew Blaich and Michael Flossman will present at Black Hat USA.

“Our presentation is covering a targeted surveillance campaign where we identified an Android tool called Stealth Mango being deployed in targeted attacks, as well as a related iOS tool that was identified as being created by the same developers,” says Flossman, head of Lookout’s threat intelligence services. “While we do focus primarily on the Android tool and the information that the actors behind that tool were able to steal, we also dive into the background information around the group that was responsible for its development and creation.”

Stealth Mango and the related iOS software, Tangelo, are surveillanceware that is based on technology developers use for their more common offerings in spouseware. “The capabilities are really similar between [Stealth Mango and], for example, a spouseware tool — an application that is something that you would deploy on your significant other’s phone or desktop to keep tabs on them,” Flossman says. “Basically what we’ve found in a lot of our investigations is that the kind of people that would deploy spouseware are interested in the same kinds of information that a nation-state would be interested in.”

(See Blaich and Flossman’s Black Hat USA talk on August 9, “Stealth Mango and the Prevalence of Mobile Surveillanceware”)

The two researchers weren’t necessarily looking for Stealth Mango when it showed up in the research. “We were just looking for interesting cases of surveillanceware, and as we were working in-depth and started to examine the malware and look at more about the servers it was talking to, we really discovered what we had on our hands there,” says Blaich, security researcher and head of device intelligence at Lookout.

And what they had was a campaign that was successful despite its lack of cutting-edge technology or technique.

“We’re quite certain that it was created specifically for this customer,” Flossman says. “So in that regard, it’s like a bespoke solution” — though one built almost entirely from “off-the-rack” parts.

“It’s quite standard, and nothing really stands out,” Flossman says. “What I would say is interesting is the overall context around its use: the actors deploying it, but also just how much success they’ve had with this tool despite what might be taken as a lack of sophistication.”

That success offers an economics lesson to other threat actors. “It really shows that sometimes you don’t need a very complex or expensive solution to achieve your goals,” Blaich says.

“A good way of thinking about this is that if you purchased Pegasus and it came with a bunch of zero-day exploits, you’d be quite cautious in how you deploy them. You’d make sure that they never would fall into the hands of researchers because basically, if that happened, you’d be burning a zero-day investment which these days is well over $100,000,” Flossman says. “Comparatively, an attack like [Stealth Mango] is something that would cost several thousand dollars, max.”

Those several thousand dollars in this case would be spent with a group that Blaich and Flossman say has been behind earlier attacks against the Indian military, including Operation C Major and Operation Transparent Tribe. In the current Stealth Mango campaign, they’re covering their bases by using both their surveillanceware and commodity Trojans like Crimson RAT.

Flossman says that the group’s Trojan use isn’t new, but, like the surveillanceware, it is evolving. “If we look at the mobile malware they used in [C Major and Transparent Tribe], it was even less sophisticated than what we saw now, so they’ve evolved that tool and have worked on building it out,” he says. “And we can see they’re getting a fair bit of value from the mobile side of things now.”

“[As a whole], this ties back into providing really good insight into exactly what adversaries in the mobile space need to do in order to be effective,” Flossman adds. “It’s a lot lower than what we often expect.”


Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/endpoint/privacy/stealth-mango-proves-malware-success-doesnt-require-advanced-tech/d/d-id/1332408?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

5 Ways Small Security Teams Can Defend Like Fortune 500 Companies

Keep your company protected with a mix of old- and new-school technologies.

Your security budget is small. You know this. You have a staff of three that must do “all things cybersecurity” for a midsize or large enterprise. Or maybe you’re a solo security manager whose outsourced security monitoring service only occasionally sends real incidents. You might even be that IT guy who is expected to wear multiple security hats for a few hours each week. You show no sympathy as you listen to a panel webcast consisting of large financial institutions discuss how hard it is to find the 20, 40, or 100 skilled staff members they need.

You wish you had more personnel to cover more ground, but additional head count (or additional budget for a managed security services provider) just isn’t coming. And all the while, your attack surface grows and the data generated by expanding digitization of your business skyrockets. How can you effectively defend your enterprise like the “fat cats” do? A mixture of old school and new, emerging technology “ingredients” give you capabilities that even those with larger cybersecurity budgets would be hard-pressed to match.

Ingredient #1: Core telemetry. When you can’t do everything, you need to focus — and that focus should be on the endpoint and network. There is a reason that these two areas have long attracted attention and automation — they can tell you a lot about whether you are compromised or not. The good news for resource-strapped teams is that almost every organization has existing telemetry, including endpoint protection platforms — aka anti-malware/antivirus — and intrusion detection/prevention systems. These may not be sexy (did I just use that term on a security website?), but they still offer a wealth of capabilities. Before you chase after the latest, greatest, machine learning (ML)-based widget, look to deploy proven (and relatively inexpensive) core telemetries first.

Ingredient #2: Context. Getting an alert is only half of the security equation. The other half is figuring out if it matters. To determine the impact for any alert, you must understand its context. Therefore, know your IT infrastructure, especially where the critical assets and system vulnerabilities are. Strive to spend resources, time, and energy tracking down indicators that truly matter, and don’t just chase every alert.

Ingredient #3: Automated analysis. We’ve finally reached the point where artificial intelligence (AI)- and ML-based solutions can perform tasks that until now have been manual. The goal, however, is not simply to acquire a tool claiming ML or AI (because every security vendor can sell you one). The ingredient you need uses software to perform tasks that people either aren’t good at or that consume too much of their time, including monitoring the high-volume, repetitive data produced by ingredients #1 and #2. The key questions you must ask those offering this new-fangled ingredient include “does it save me time/resources without adding time/resources elsewhere?” (the bane of security information and event management systems, user entity and behavior analytics software, and orchestration tools) and “can you prove it works?”

Ingredient #4: Easy scaling. A common strategy among security teams is to create a funnel to match the available resources of a team. For example, only investigate critical alerts because the team doesn’t have the bandwidth to process the highs, mediums, and lows. Although such strategies offer useful coping mechanisms, this approach guarantees things will be missed. New solutions — especially those that offer hybrid or cloud-only architectures — offer to turn this funnel into a pipe, providing the needed extra capacity and associated processing power on demand. Just don’t forget to include service-level agreement terms to ensure your supplier expands as you need it.

Ingredient #5: Automated upkeep and learning. As mentioned above, many of today’s core security operations products require significant setup and ongoing attention to deliver on their promise. Here’s my advice for resource-constrained security teams: Beware of the platform! In most cases, that term means both “power to configure to your situation” (good!) and “you must pay the costs to maintain over time” (bad!). Instead, adopt technologies that can upgrade automatically, a practice that is increasingly common. (Note: Although Respond offers this, so do many other companies in this market.) Also look for solutions that can automatically adapt over time via self-learning to produce better results. Don’t get too caught up in how — concentrate more on the nature of what is adapted or learned and which tasks it removes from your team.

These five ingredients can elevate your smaller-budgeted security team. With a mixture of old- and new-school approaches and technologies — especially emerging solutions aimed at automating previously manual tasks without hidden costs — your security team can perform like a much larger organization.


Learn from the industry’s most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Mike Armistead is co-founder and CEO of Respond Software, a Silicon Valley software company that brings artificial intelligence (AI) to cybersecurity teams to help them more effectively defend their enterprise. Mike is a serial entrepreneur with multiple successful …

Article source: https://www.darkreading.com/vulnerabilities---threats/5-ways-small-security-teams-can-defend-like-fortune-500-companies/a/d-id/1332351?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Kronos Banking Trojan Resurfaces

Re-emergence of malware consistent with overall surge in banking malware activity this year, Proofpoint says.

Like a bad penny, the notorious Kronos banking Trojan has turned up again after disappearing from the threat landscape for well over a year.

Security vendor Proofpoint this week said it had recently observed a new variant of Kronos being used in separate campaigns against users in Germany, Japan, and Poland. A fourth campaign involving the malware appears to be in the works and is currently being tested.

The new variant is very similar to older versions except for the fact that it now uses the Tor anonymizing network to hide its command-and-control (C&C) server.

Otherwise, the new version uses the same Windows API hashing techniques and hashes, encryption technique, C&C encryption mechanism, Zeus webinject format, and C&C panel layout. The new malware even includes a self-identifying string labeling it as Kronos.
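The API hashing Proofpoint points to is what makes the hash constants themselves a fingerprint: instead of importing by name, the loader stores a 32-bit hash of each export name and resolves imports at runtime by hashing the DLL’s export table until it finds a match. The block below is an added example, not Proofpoint’s or the malware’s code, and shows the analyst side of that: precompute the table for likely exports, then map constants pulled from a sample’s resolver loop back to names, and compare two samples’ constant sets. The article does not give Kronos’s actual routine, so the rotate-right-13 hash here is an assumed stand-in, and the export list is a constructed sample.

```python
"""Resolving API-hash constants pulled from a sample (added example; the
ROR-13 routine is an assumed stand-in for the malware's real hash)."""
from typing import Dict, Iterable, List, Optional, Set


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13 hash over the ASCII bytes of an export name."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed list of exports a banker typically resolves at runtime; when
# working a real sample, feed in the full export tables of the DLLs it loads.
COMMON_EXPORTS: List[str] = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateFileA", "WriteFile", "ReadFile", "CreateProcessA", "ExitProcess",
    "WinExec", "InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
    "HttpSendRequestA", "InternetReadFile", "send", "recv", "connect",
    "CryptEncrypt", "CryptDecrypt",
]


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> name so constants seen in a disassembly can be looked up."""
    table: Dict[int, str] = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"collision: {table[h]} / {name} -> {h:#010x}")
        table[h] = name
    return table


def resolve_constants(constants: Iterable[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Map each constant found in the sample to an export name (None if unknown)."""
    return {c: table.get(c) for c in constants}


def shared_hash_constants(sample_a: Set[int], sample_b: Set[int]) -> Set[int]:
    """Constants common to two samples: same algorithm plus same hashes is one of
    the signals that ties a rebranded build back to the original family."""
    return sample_a & sample_b


if __name__ == "__main__":
    table = build_hash_table(COMMON_EXPORTS)
    # constructed: constants an analyst might pull from an import-resolver loop
    found = [ror13_hash("LoadLibraryA"), ror13_hash("InternetOpenA"), 0xDEADBEEF]
    for const, name in resolve_constants(found, table).items():
        print(f"{const:#010x} -> {name or '?'}")
```

Unresolved constants are the interesting ones: they either point at an export not yet in the table or at a different hash routine, which is exactly the kind of difference that would argue against two samples sharing a code base.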

The sudden reappearance is consistent with a broader resurgence in malicious activity involving banking Trojans so far this year, says Sherrod DeGrippo, director of emerging threats at Proofpoint. “We can only speculate on the reasons for the disappearance [of Kronos], but banking Trojans have come to dominate the threat landscape over the first half of 2018,” she says.

One reason could be that ransomware has fallen out of favor among cybercriminals because of the volatility in prices of the cryptocurrencies used to make ransom payments, DeGrippo notes. Development activity around banking Trojans has surged even as threat actors’ interest in ransomware has declined.

According to Proofpoint, a recent advertisement in an underground forum suggests that the authors of the latest Kronos variant are attempting to pass it off as a new banking Trojan dubbed Osiris. The description for Osiris — including the fact that it is written in C++, has keylogging and form-grabbing capabilities, and uses Tor and Zeus-formatted webinjects — suggests that the malware is simply the latest Kronos variant with a new name.

“This is essentially a rebranding of the old version of Kronos,” DeGrippo says. “The use of Tor is really the only new feature of significance.”

Kronos first surfaced in 2014 and is designed to steal the credentials and other information people use to log into their online banking accounts. The malware uses man-in-the-browser (MITB) techniques and webinjects to stealthily modify the Web pages of the financial institution a user is attempting to log into, grab that person’s credentials, and later use them to steal money from the account.
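In practice the webinject side works like this: a Zeus-format config names the URL to hook and the HTML around the injection point, and the bot rewrites the bank’s response inside the browser before it is rendered, so TLS is intact and the page still comes from the real site. The parser and page rewrite below are an added example, not Kronos or Zeus code; the config and login page are constructed, and the matching rules (`*` as the only wildcard, text between data_before and data_after replaced by data_inject, data_inject appended straight after data_before when data_after is empty) follow the commonly documented Zeus convention and should be treated as an assumption.

```python
"""Zeus-format webinject parsing and a man-in-the-browser page rewrite
(added example; config and page are constructed)."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class WebInject:
    url_mask: str            # wildcard URL mask, e.g. https://bank.example/login*
    flags: str               # Zeus flags as written: G (GET), P (POST), L (log only)
    data_before: str = ""    # HTML that precedes the injection point
    data_inject: str = ""    # HTML the bot adds
    data_after: str = ""     # HTML that follows it (content in between is replaced)


def parse_webinjects(text: str) -> List[WebInject]:
    """Parse set_url / data_before / data_inject / data_after / data_end blocks."""
    injects: List[WebInject] = []
    current: Optional[WebInject] = None
    block: Optional[str] = None
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split(None, 2)
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            block, buf = line, []
        elif line == "data_end":
            if current is not None and block is not None:
                setattr(current, block, "\n".join(buf))
            block = None
        elif block is not None:
            buf.append(raw)
    return injects


def mask_to_regex(mask: str) -> str:
    """'*' is the only wildcard; everything else is literal (assumed Zeus semantics)."""
    return ".*?".join(re.escape(part) for part in mask.split("*"))


def url_matches(mask: str, url: str) -> bool:
    return re.fullmatch(mask_to_regex(mask), url, re.DOTALL) is not None


def apply_webinjects(url: str, html: str, injects: List[WebInject]) -> str:
    """Rewrite the response the way the bot does before the browser renders it."""
    for inj in injects:
        if not inj.data_before or not url_matches(inj.url_mask, url):
            continue
        before = re.search(mask_to_regex(inj.data_before), html, re.DOTALL)
        if before is None:
            continue
        start = end = before.end()
        if inj.data_after:
            after = re.search(mask_to_regex(inj.data_after), html[start:], re.DOTALL)
            if after is None:
                continue
            end = start + after.start()
        html = html[:start] + inj.data_inject + html[end:]
    return html


# Constructed config: add a PIN field after the password box, relabel the button.
SAMPLE_CONFIG = """
set_url https://bank.example/login* GP
data_before
<input*name="password"*>
data_end
data_inject
<label>ATM PIN</label><input type="password" name="pin">
data_end
data_after
data_end

set_url https://bank.example/login* GP
data_before
<button>
data_end
data_inject
Continue
data_end
data_after
</button>
data_end
"""

# Constructed login page standing in for the bank's real response.
SAMPLE_PAGE = """<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="password">
<button>Sign in</button>
</form>"""


def demo(url: str = "https://bank.example/login?lang=en") -> str:
    return apply_webinjects(url, SAMPLE_PAGE, parse_webinjects(SAMPLE_CONFIG))
```

Against the constructed page the first inject adds a PIN field after the password input and the second relabels the button, while a URL outside the mask is left untouched. The extra field is the mechanism behind DeGrippo’s caveat about two-factor authentication: the form asking for the additional secret is served by the bot, not the bank.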

The FBI has accused British security researcher Marcus Hutchins — the individual credited with stopping the WannaCry outbreak last year — of developing Kronos and distributing it to others between 2014 and 2015. Hutchins was arrested in August 2017 and is currently awaiting trial in the US on charges related to this and another malware kit dubbed Upas.

Kronos is similar to several other successful banking Trojans in many ways. But it does appear to have a habit of re-emerging every now and then, DeGrippo says. “Like Dridex, Zeus, Ursnif, and other bankers with substantial staying power, it comes down to malware authors and threat actors who are willing to invest in development and maintenance, as well as distribution and configuration of injects,” she says.

The campaigns in Germany, Poland, and Japan that Proofpoint recently observed all involve the new Kronos variant but use slightly different techniques to infect end user systems. In Germany, users are being targeted via emails purporting to be from financial companies and seemingly pertaining to account updates and other account reminders. The emails contain Word documents with malicious macros that, if enabled, download the new Kronos variant.

The campaign in Japan has involved the use of a malvertising chain to send victims to a site with malicious JavaScript injections that redirect them to the RIG exploit kit, which then dumps the new Kronos variant on their systems. Polish users, meanwhile, are being targeted with emails containing a malicious attachment that, when executed, exploits CVE-2017-11882, a memory corruption issue in Microsoft Office, to download Kronos. Like the campaign in Germany, the emails in Poland come with subject headers designed to fool recipients into opening the attachments.

Banking Trojans are very hard for banks themselves to address since the malware operates on the client side and typically uses MITB-style attacks, DeGrippo says.

Much of the onus must fall on individuals to prevent infection in the first place. “While banks can implement two-factor authentication for some degree of protection, even this is not a panacea for modern, sophisticated banking Trojans and is often considered too burdensome by consumers,” she says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/endpoint/kronos-banking-trojan-resurfaces-/d/d-id/1332409?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Man accused of tricking men into involuntary porn

The owner of a gay porn site has pleaded not guilty to secretly filming men having sex without their knowledge and posting the videos online.

33-year-old Bryan Deneumostier of Homestead, Florida allegedly pretended to be a woman so that he could dupe young men into having sex.

Deneumostier owned a site called StraightBoyz, which promoted itself with videos of men performing sex acts while blindfolded or wearing blacked-out goggles. Posing under the name susanleon33326, he allegedly found these men on Craigslist, where he posted ads pretending to be a housewife looking for a fling. He would invite them to a house near Homestead Air Reserve Base, where he dressed in women’s clothing and presented himself as a woman.

According to the Miami Herald, which obtained police documents relating to the case, the men would ask Deneumostier for reassurance that there were no cameras, and he would tell them that he was married to someone in the Army and would never photograph or videotape them.

StraightBoyz is said to have run for around four years, accruing around 600 videos of men in sexual encounters. The site’s Twitter account, which has over 1800 followers, is still live and contains graphic images of sexual acts with young men. The last post to that account was in June 2015. The StraightBoyz site itself has been taken down.

According to the indictment, Deneumostier used an iPhone and iPad to record sessions on 6 May and 24 July 2015. He published the sessions this year.

He was indicted on two counts: unlawfully recording individuals and failing to keep records of those engaged in commercial sexual acts. He had not taken steps to ascertain the ages of the people involved, prosecutors reportedly said.

Deneumostier, who faces a maximum of five years in jail in this indictment, has separately been arrested and charged with unlawful sex with a minor, reports said.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xrjftlisv5w/

More browser extensions and apps caught spying on users

When does a pop-up blocker stop being a pop-up blocker and turn into something altogether different?

According to AdGuard researcher Andrey Meshkov, the answer might be when the pop-up blocking function appears to obscure an ulterior motive – spying on a user’s web traffic as a way of profiling them.

The object of suspicion was a family of 10 Android apps, browser extensions and an iOS app from Delaware-registered US outfit Big Star Labs which have been installed on at least 11 million devices.

After studying the traffic generated by three extensions – Chrome/Firefox adblockers Poper Blocker and Block Site, and Chrome mouse utility CrxMouse – Meshkov noticed something that looked odd:

An exact address of every page you visit is sent to a remote server.

This contradicts Google’s developer rules, something the adblockers’ privacy policies try to justify as a normal part of their operation in which the collected data is “anonymous”.

Except, as Meshkov points out, collecting the user’s entire browsing history seems both unnecessary for adblocking and would be likely to compromise a user’s anonymity pretty quickly anyway.

As Meshkov points out:

There are numerous ways of discovering your real identity from observing your browsing history.
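To make the gap concrete: a pop-up or ad blocker selects its filter rules per site, so the host name is all it could plausibly need to send anywhere, while the full URL carries the path, query and fragment, which is where identity lives. The block below is an added example, not AdGuard’s analysis code or anything from Big Star Labs; the browsing history is constructed and the regexes are illustrative heuristics, not a complete de-anonymisation method.

```python
"""Host name versus full URL: what a blocker needs and what it leaks (added
example; browsing history is constructed and the heuristics are illustrative)."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# profile-style paths such as /in/<name>, /users/<name>, /@<name>
PROFILE_RE = re.compile(r"^/(?:(?:in|u|user|users|profile)/|@)([^/?#]+)")
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")          # long opaque ids in path/fragment
IDENT_KEYS = {"email", "user", "username", "uid", "userid", "account",
              "token", "session", "auth", "key"}


def blocker_needs(url: str) -> str:
    """A pop-up/ad blocker picks rules per site, so the host is all it needs."""
    return urlsplit(url).hostname or ""


def identifying_signals(url: str) -> List[str]:
    """Identity-bearing fragments a remote server learns from the full URL."""
    parts = urlsplit(url)
    signals: List[str] = []
    for email in EMAIL_RE.findall(unquote(url)):
        signals.append(f"email:{email}")
    profile = PROFILE_RE.match(parts.path)
    if profile:
        signals.append(f"profile:{profile.group(1)}")
    for key, value in parse_qsl(parts.query):
        if key.lower() in IDENT_KEYS and not EMAIL_RE.fullmatch(value):
            signals.append(f"query:{key}={value}")
    for piece in (parts.path, parts.fragment):
        for token in TOKEN_RE.findall(piece):
            signals.append(f"token:{token}")
    return signals


# Constructed browsing history; none of these hosts or accounts are real.
HISTORY = [
    "https://news.example.com/world/story-1234",
    "https://shop.example.com/account?email=alice%40example.com&ref=promo",
    "https://social.example.com/in/alice-smith-0a1b2c",
    "https://mail.example.com/mail/u/0/#inbox/FMfcgxwHMGyfsNbXkQrTzW",
]


def compare(history: List[str]) -> Dict[str, Dict[str, object]]:
    """Side by side: the host a blocker needs versus what the full URL reveals."""
    return {url: {"host": blocker_needs(url), "leaks": identifying_signals(url)}
            for url in history}


if __name__ == "__main__":
    for url, row in compare(HISTORY).items():
        print(f"{row['host']:<22} {row['leaks'] or '-'}")
```

Three of the four constructed URLs give the collector an e-mail address, a profile handle or a mailbox-specific token; the host names alone give it nothing beyond which sites were visited, which is all a blocker has any business knowing.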

The fact Big Star Labs publishes its privacy policy as an image rather than a text document (potentially making it harder for researchers to find) only reinforced his suspicions about the apps.

Bizarrely, the same image tactic had been employed for all documents mentioning the company’s name, which makes searching for it on Google come up blank.

Things weren’t much better for Big Star Labs’ mobile apps. The iOS adblocker, AdblockPrime, offered to install a Mobile Device Management (MDM) profile capable of installing third-party apps, analysing the device’s installed apps, and viewing its browsing history.

All of the Android apps requested access to Accessibility Services, a powerful API that, Meshkov said, can be used to “extract page URLs right from the browser’s address bar,” which is probably why Google has attempted to crack down on its use.

The researcher compares what these apps are collectively doing to the Chrome and Firefox Stylish extension whose unappealing behaviour app researcher Robert Heaton exposed earlier this month.

Not long after that report, Stylish started returning a 404 error, a sign that Google and Mozilla had decided to intervene – a fate that seems to have befallen Big Star Labs’ apps too since Meshkov published his analysis.

Naked Security reports regularly on apps and extensions that seem to have a double purpose. So who’s to blame for the situation?

It could be argued that it’s down to companies such as Google and Mozilla, which allow these apps and extensions to be let loose on real users.

It doesn’t exactly help that publishers are able to game the system with ambiguous and sometimes downright misleading privacy policies.

Does anyone read these documents? Some developers hope not, but just in case feel able to wheel out vague descriptions of the data they are collecting to confuse people.

Perhaps GDPR will clean up some of this. Not before time, Google last year purged its Play store of software lacking a policy – we’ll call that a start.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/iANT_-fDEkA/

HTTP versus HTTPS – what’s all the fuss? [VIDEO]

Every time we write about HTTP versus HTTPS there’s quite a kerfuffle, with questions and comments flying around…

…Do I need it? Why should I bother? How does this affect me? Won’t it cost me money? I don’t have any secrets, so what’s the deal?

Well, following Tuesday’s news that the latest Google Chrome is joining other browsers in actively outing non-HTTPS sites as insecure and risky, we thought it was worth going through the HTTP-versus-HTTPS debate in plain English.

What is HTTP, and why all the fuss about it?



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mmVb6q6MntU/

Malware targeting cash machines fetches top dollar on dark web

The market for cyber criminal services on the dark web continues to thrive – demand for malware is running at around three times greater than the supply.

Positive Technologies experts analysed over 10,000 hack-for-hire and malware-related postings on dark web markets. The researchers examined the costs of cybercrime services and found that compromising a site and obtaining full control over a web application may cost a mere $150. The most expensive ready-to-use “package” was malware targeting ATMs, with prices starting at $1,500.


The trend of multiple threat actors using the same malware is likely to complicate attribution of future attacks. The analysis included 25 dark web sites, in Russian and English, with a total registered user base of approximately three million. The researchers looked at the completeness of dark web offerings and whether the advertised tools and services would be enough for a real attack. In general the barrier to entry for would-be cybercrooks is falling. Miscreants do not require deep technical knowledge and any type of attack is now feasible given sufficient funding.

A targeted attack on an organisation, depending on difficulty, can cost more than $4,500.

The leading type of malware available was crypto-miners (20 per cent), followed by hacking utilities (19 per cent), botnet malware (14 per cent), Remote Access Trojans (12 per cent), and ransomware (12 per cent). The majority of malware demand (55 per cent) was for creation and distribution.

Researchers found that demand for malware creation outstrips supply by a factor of three, while demand for distribution is twice the supply. This mismatch has led to interest among criminals in new tools, which are becoming more readily available in the form of partner programmes that include “malware-as-a-service” and distribution-for-hire.

Most hack-for-hire requests involve finding site vulnerabilities (36 per cent) and obtaining email passwords (32 per cent). From sellers, the most commonly offered services are hacking social network accounts (33 per cent) and email (33 per cent). From a technical standpoint, hacks that allow miscreants to read the electronic correspondence of their targets are among the easiest for attackers to perform.

Defenders would be well advised to keep abreast of the trends and tools found on the dark web before they show up on client systems, hence the value in this kind of research.


Leigh-Anne Galloway, cyber security resilience lead at Positive Technologies, said: “It is important to take these findings into account when analysing the techniques and tactics used for any particular incident.

“Perhaps darkweb intelligence will even involve enabling preventive action, as increasing purchases of certain types of illegal software or services can indicate pending attacks.”

In related news, security reviews site Top10VPN published a dark web market price index for hacking tools on Thursday.

It found wannabe fraudsters can get their hands on hacking tools on the dark web for little more than the cost of a takeaway coffee. Among the cheapest are phishing pages and other tools designed to exploit customers of brands such as Apple, PayPal, Facebook and Netflix, which typically go for £2 or less each.

The report added that even comprehensive hacking toolkits – giving rookies everything they need to start committing fraud – can be picked up for around £100.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/07/26/dark_web_cybercrime_sitrep/

The Double-Edged Sword of Artificial Intelligence in Security

AI is revolutionizing cybersecurity for both defenders and attackers as hackers, armed with the same weaponized technology, create a seemingly never-ending arms race.

As artificial intelligence capabilities continue to grow at a rapid pace, AI technologies are becoming ubiquitous for both protecting against cyberattacks and also as an instrument for launching them. Last year, Gartner predicted that almost every new software product would implement AI by 2020. The advancements in AI and its ability to make automated decisions about cyber threats is revolutionizing the cybersecurity landscape as we know it, from both a defensive and an offensive perspective.

AI in Cyber Defense
As a subdivision of AI, machine learning is already easing the burden of threat detection for many cyber defense teams. Its ability to analyze network traffic and establish a baseline for normal activity within a system can be used to flag suspicious activity, drawing from vast amounts of security data collected by businesses. Anomalies are then fed back to security teams, which make the final decision on how to react. 

Machine learning is also able to classify malicious activity on different layers. For example, at the network layer, it can be applied to intrusion detection systems, in order to categorize classes of attacks like spoofing, denial of service, data modification, and so on. Machine learning can also be applied at the web application layer and at endpoints to pinpoint malware, spyware, and ransomware.
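The baseline-and-deviation idea from the previous paragraphs in runnable form, as an added example rather than anything from the article or a vendor product: a week of hourly outbound-byte counts per host (constructed, with a deterministic daily cycle) builds a per-host median and median absolute deviation, and new observations are scored as a robust z-score. Medians are used instead of mean and standard deviation because a few noisy samples in the baseline would otherwise inflate the deviation and hide later outliers; the 3.5 threshold is an assumption. The output is the list an analyst then triages, which is the hand-off the article describes.

```python
"""Baseline-and-deviation scoring over constructed host telemetry (added
example; hosts, volumes and the threshold are assumptions)."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

Sample = Tuple[str, int, int]  # (host, hour_index, outbound_bytes)


def constructed_week() -> List[Sample]:
    """168 hourly samples per host with a daily cycle; deterministic, no real data."""
    samples: List[Sample] = []
    for h in range(168):
        samples.append(("ws-17", h, 50_000 + (h % 24) * 2_000))   # workstation
        samples.append(("db-01", h, 900_000 + (h % 7) * 1_000))   # database server
    return samples


@dataclass
class Baseline:
    median: float
    mad: float   # median absolute deviation


def build_baselines(samples: List[Sample]) -> Dict[str, Baseline]:
    """One robust baseline per host from the learning window."""
    by_host: Dict[str, List[int]] = defaultdict(list)
    for host, _, value in samples:
        by_host[host].append(value)
    baselines: Dict[str, Baseline] = {}
    for host, values in by_host.items():
        med = statistics.median(values)
        mad = statistics.median(abs(v - med) for v in values)
        baselines[host] = Baseline(med, mad)
    return baselines


def robust_z(value: int, b: Baseline) -> float:
    """0.6745 scales MAD to a standard-deviation equivalent for normal data."""
    if b.mad == 0:
        return 0.0 if value == b.median else float("inf")
    return 0.6745 * (value - b.median) / b.mad


@dataclass
class Verdict:
    host: str
    hour: int
    value: int
    z: float
    reason: str


def score(observations: List[Sample], baselines: Dict[str, Baseline],
          threshold: float = 3.5) -> List[Verdict]:
    """Flag observations far from the host's baseline; hand the rest to the analyst."""
    verdicts: List[Verdict] = []
    for host, hour, value in observations:
        b = baselines.get(host)
        if b is None:
            verdicts.append(Verdict(host, hour, value, float("nan"), "no baseline: new host"))
            continue
        z = robust_z(value, b)
        reason = "anomalous volume" if abs(z) >= threshold else "normal"
        verdicts.append(Verdict(host, hour, value, z, reason))
    return verdicts


if __name__ == "__main__":
    baselines = build_baselines(constructed_week())
    # constructed observations for the following day, including one exfil-sized spike
    new = [("ws-17", 168, 60_000), ("ws-17", 180, 4_000_000),
           ("db-01", 170, 905_000), ("lab-99", 170, 10)]
    for v in score(new, baselines):
        print(f"{v.host:<7} h{v.hour:<4} {v.value:>10,d}  z={v.z:8.2f}  {v.reason}")
```

Note the "no baseline" case: a host the model has never seen cannot be scored, and reporting that explicitly is better than a silent zero, since unmanaged hosts are exactly what the context step later in this article is about.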

AI/machine learning is already here to stay as a key component in a security team’s toolbox, particularly given that attacks at every level are becoming more frequent and targeted.

AI and Cybercriminals
Even though implementing machine learning technologies is an asset for defense teams, hackers are armed with the very same ammunition and capabilities, creating a seemingly never-ending arms race.

At the beginning of 2018, the Electronic Frontier Foundation’s “The Malicious Use of Artificial Intelligence” report warned that AI can be exploited by hackers for malicious purposes, including the ability to target entire states and alter society as we know it. The authors of the report contend that globally we are at “a critical moment in the co-evolution of AI and cybersecurity and should proactively prepare for the next wave of attacks.” They point to the alleged attacks by Russian actors in manipulating social media in a highly targeted manner as a current example of this threat. 

It’s no surprise that cyber experts are concerned. After all, for hackers, AI presents the ideal tool to enable scale and efficiency. Similar to the way machine learning can be used to monitor network traffic and analyze data for cyber defense, it can also be used to make automated decisions on who, what, and when to attack. There is potential for hackers to use AI in order to alter an organization’s data, as opposed to stealing it outright, causing serious damage to a brand’s reputation, profits, and share price. In fact, cybercriminals are already able to utilize AI to mold personalized phishing attacks by collecting information on targets from social media and other publicly available sources.

Guarding Against the “Weaponization” of AI
To protect against AI-launched attacks, security teams should be mindful of three key steps to cement a strong defense:

Step 1: Understand what AI is protecting.
Identify the specific attacks that you are protecting against and what AI or machine learning technologies you have in place to guard against them. Once teams lay this out clearly, they can implement appropriate solutions for patch management and threat and vulnerability management to ensure that important data is encrypted and there is sufficient visibility into the whole environment. It is vital that an option exists to rapidly change course when it comes to defense because the target is always moving.

Step 2: Have clearly defined processes in place.
Organizations that have the best technology in the world are only as effective as the process they model. The key here is to make sure both security teams and the wider organization understand procedures that are in place. It is the responsibility of the security teams to educate employees on cybersecurity best practices.

Step 3: Know exactly what is normal for the security environment.
Having context around attacks is crucial, but this is often where companies fail. A clear understanding of assets and how they communicate allows organizations to correctly isolate events that aren’t normal and investigate them. Ironically, machine learning is an extremely effective tool for providing this context. To safeguard against the weaponization of AI, organizations must build a robust architecture on which the technology operates and be mindful that the right education internally is key to staying a step ahead of attackers.


Rodney Joffe has been a sought-after cybersecurity expert who, among other notable accomplishments, leads the Conficker Working Group to protect the world from the Conficker worm. Providing guidance and knowledge to organizations from the United States government to the …

Article source: https://www.darkreading.com/threat-intelligence/the-double-edged-sword-of-artificial-intelligence-in-security/a/d-id/1332359?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

LifeLock Learns Lesson from Leaky Links

A Web programming problem could have exposed millions of customer email addresses.

The combination of poor programming practices and poor control over business partners can be dangerous for a company’s customers. Just ask LifeLock.

According to a post on KrebsOnSecurity, a researcher named Nathan Reese discovered a vulnerability on a website that could provide the email address of every LifeLock subscriber. While Reese demonstrated the potential with a proof-of-concept script, there is no evidence that the data was accessed by any other unauthorized person.

The vulnerability was a bit of logic in a website allowing someone to enter a specific URL containing a subscriber key (unique identifying number) and receive a page displaying that user’s email address. Since the subscriber keys are sequential, writing the script to harvest the email addresses was trivial.
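The flaw described above is a direct object reference that trusts a guessable key. The example below, added here and not LifeLock's or Symantec's code, contrasts a lookup that trusts the key in the URL with one where the per-subscriber link carries a keyed-hash tag that only the issuing server can produce, so altering the key invalidates the link. The subscriber records, the `LINK_SECRET` and the token format are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; not LifeLock's real data or schema.
SUBSCRIBERS = {
    1001: "alice@example.com",
    1002: "bob@example.com",
    1003: "carol@example.com",
}


def vulnerable_lookup(subscriber_key: int):
    """Before: the page hands back whatever record the URL's key names.
    Because keys are sequential, every key is trivially guessable."""
    return SUBSCRIBERS.get(subscriber_key)


# Hardened variant (assumed design): the link embeds the key plus an HMAC tag.
# A real deployment would load a stable secret from configuration; here it is
# generated at import time so the example runs stand-alone.
LINK_SECRET = secrets.token_bytes(32)


def _tag(key_str: str) -> str:
    return hmac.new(LINK_SECRET, key_str.encode(), hashlib.sha256).hexdigest()


def make_link_token(subscriber_key: int) -> str:
    """Issue the token that a legitimate marketing link would carry."""
    key_str = str(subscriber_key)
    return f"{key_str}.{_tag(key_str)}"


def hardened_lookup(token: str):
    """After: recompute the tag for the presented key and compare in constant
    time. A forged, altered or bare key fails verification and yields None."""
    key_str, sep, tag = token.partition(".")
    if not sep or not key_str.isdigit():
        return None
    if not hmac.compare_digest(_tag(key_str), tag):
        return None
    return SUBSCRIBERS.get(int(key_str))
```

Sequential keys stay usable internally; what changes is that a valid link can no longer be derived from a neighbouring one.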

While the impact of this type of breach would not be the same as for a breach involving credit card or Social Security numbers, it could still provide source material for compelling and unusually effective spear-phishing campaigns. In a statement provided to Dark Reading, Mounir Hahad, head of threat research at Juniper Networks, said, “The trouble begins when these email addresses and subscriber IDs are cross-referenced with the billions of previously leaked online accounts from other incidents, such as the Yahoo leak in 2013. From there, phishing campaigns can be very persuasive and may lead to people unknowingly handing out their passwords to scammers.” 

According to Symantec, which owns LifeLock, the issue was on a third-party managed marketing page and has been fixed.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/lifelock-learns-lesson-from-leaky-links/d/d-id/1332395?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Bigamists have no right to privacy on Facebook

Out of sight, out of mind? Not on Facebook, where 8,000 miles between Illinois and Thailand is wiped out by a “here’s us with the kids!” pic.

It’s a happy photo: there’s bigamist Harlow Higinbotham on the couch with his Thai wife, Wipaporn Teekhungam.

They’re both blanketed by their triplets. Higinbotham looks happy, Teekhungam looks happy, and the boys look like toddlers do: bored senseless.

Yes, it’s a happy photo that predates a whole lot of unhappiness, given that their relationship fell apart in 2009 and that child support proceedings subsequently geared up in Thailand and Higinbotham’s home country of the US.

In spite of their relationship breaking down, Teekhungam posted the photo to Facebook. And that is when Higinbotham grew most decidedly unhappy.

It’s not that his first wife – the one in the US – didn’t know about the Thai wife by the time the photo appeared online, as the Telegraph tells it.

No, it’s just that, to Higinbotham’s mind, this was all private information. That’s why he filed a privacy case against Teekhungam at the High Court for misuse of private information, breach of confidence and alleged breaches of the Data Protection Act over her uploading of the photograph.

The Telegraph reported on Wednesday that Higinbotham lost his battle to shut up the mother of his triplets, whom the already-married economist met in Bangkok in 2001 (10 years after his first marriage), later presented with an engagement ring, and told that she was the “perfect age to bear his children,” as the judge told the court.

Teekhungam knew he was already married. Regardless of that tiny detail, Higinbotham visited her whenever he was in south-east Asia, met her parents, paid a dowry, and “married” her in a ceremony in Thailand in 2004. The three boys were born in 2008 and were given their father’s surname.

The case wound up being heard in the UK because that’s where Teekhungam is now living, with her new husband.

The Telegraph quoted Justice Nicklin, who backed up an earlier court decision that Higinbotham’s claim should be struck out, saying it “has been brought, not for any legitimate reason, but as an act of harassment or revenge”.

The judge called the claim “worthless”, adding that we need to think of the children getting batted around in this oddball case:

In many ways, this case is extraordinary. But it is also very sad. Caught in the crossfire are three young children.

Nicklin said that by the time the photo was posted to Facebook, Higinbotham’s first wife already knew about his Thai wife and the triplets, and that the affair was well-known in their social circles.

At any rate, who in their right mind would think that they could keep a second wife and three kids locked away in a closet forever? That’s what Higinbotham intended, Nicklin described:

It is said that every photograph tells a story. But the story in this photograph is one the claimant did not want told. He wanted to keep secret the fact that he had a separate family in Thailand.

He contends that the eight-year relationship with [Teekhungam] was undertaken on ‘the express understanding that their relationship would at all times be kept secret from the claimant’s family – in particular the claimant’s wife – friends and business associates’.

This is perhaps where the unreality begins. Most rational people would recognize that the chances of keeping secret the existence of a second ‘wife’ and three children were slim to non-existent.

It is plain, however, that the claimant was confident that he could do so, perhaps relying on the fact that they were over 8,000 miles away from his first wife and life back in Illinois.

Oh, time, oh, distance: know yet not the might of the all-spanning Book that is Face?

As the Telegraph tells it, Nicklin concluded that information about his Thai family that Higinbotham wanted to hide away was so firmly embedded in the public domain, given the Thai and US proceedings, that it was “Canute-like” to think that his case would go anywhere.

Canute, as in, King Canute and the tide, an apocryphal 12th-century anecdote illustrating the piety or humility of King Canute the Great, who demonstrated to his flattering courtiers that he couldn’t control the elements (the incoming tide), explaining that secular power is vain compared to the supreme power of God.

Harlow Higinbotham, your secular power has truly proved vain compared with the supreme power of the legal system. You might also need to ponder the supreme power of social media the next time you try to stash a wife and three tots away in Never-Happened Land.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/JiC9m9edIok/