STE WILLIAMS

While vulnerability management has been around for years, it remains a top issue for organizations. And while new vulnerability management tools are deployed regularly, they haven’t stopped attackers from exploiting vulnerabilities. The reality is that vulnerability management isn’t a technology problem. It’s a people and process problem.  

Deploying tools is easy, but implementing the right strategy for your organization is a significant challenge. Worse, implementing a vulnerability remediation strategy that clashes with your organizational culture will fail to be effective. Consider how these strategies might fare at your organization.

1. The Fire Brigade
Strategy: Incident response. Treat vulnerabilities as incidents and respond to them individually, remediating quickly under pressure.

Organizational Profile: Do you know someone who works better with a deadline? Some organizations are the same way. If you work where people only really respond to emergencies, then tie vulnerability management to a tight deadline.

Pros: Fixing the highest-risk vulnerabilities is better than doing nothing.

Cons: Lots of residual vulnerability risk.

• This strategy is only going to hit the high-profile vulnerabilities, leaving lots of opportunity for attackers.
• Doesn’t address root cause. An incident response strategy is unlikely to affect the underlying causes of vulnerability proliferation within an organization.
• Potential for staff burnout. People eventually get worn out responding to emergencies.

2. Building Blocks
Strategy: Asset-focused. Identify the highest-risk assets and fix them first, regardless of specific vulnerability conditions.

Organizational Profile: Do you have system owners who largely correspond to assets? Can you identify an owner for most of the “boxes” on your network? If your organization builds processes around assets, this strategy may be effective.

Pros: Iterative improvement. 

• As you address high-risk assets, you’ll reduce the average asset vulnerability risk so that the highest-risk assets are consistently lower in objective vulnerability risk.
• Positive feedback loop. System owners won’t want to regularly patch vulnerabilities individually and will seek ways to reduce work by making wholesale changes, such as retiring assets more efficiently.
• Aligned to the business. By prioritizing around assets with a business value, you are generally aligning risk reduction to the business.

Cons: Inefficient use of resources.

• Addressing individual assets ignores opportunities for systemic improvement.

3. Vulcan Logic
Strategy: Vulnerability-focused. Prioritize the vulnerabilities, fix the highest priorities first. Rinse and repeat.

Organizational Profile: Do you have effective workflow systems in place already? Can you assign a task and follow it to completion easily? If your organization is a well-oiled machine, start feeding that machine vulnerabilities.

Pros: Seriously effective at reducing vulnerability risk.

• If you can prioritize and fix vulnerabilities, you’ll reduce risk.
• Iterative improvement. Fixing highest-risk vulnerabilities first continuously reduces risk over time.

Cons: Only as good as the priorities. 

• You can’t fix everything at once. Pick the wrong priorities, and you leave risk hanging around to be exploited.
• Potential whack-a-mole. You can hit high-risk vulnerabilities individually but miss opportunities to make systemic changes to reduce risk.

4. The Hive
Strategy: Central analysis, distributed work. Information security performs analysis of the vulnerability scanning results and provides very directed remediation instructions to the larger organization.

Organizational Profile: Does your organization rely on a clear “tone from the top”? Is information security a centralized group in a distributed organization? If your organization operates with a clear chain of command, then focus on building the most effective analysis to reduce risk.

Pros: Systematic reduction of vulnerability risk.

• A well-executed centralized strategy can follow through on multiple steps without continuously explaining the plan to everyone.
• Consistency of risk. If the whole organization executes, then decisions can be made organization-wide. This can produce a very responsive information security practice.

Cons: Lowest common denominator execution.

• A centralized analysis may be less tuned to individual execution. The whole organization can only move as fast as its slowest parts.
• Poor analysis, poor results. A misstep in analysis at the top affects all areas, leaving room for systemic problems.

5. Board of Directors
Strategy: Distributed analysis and work, centralized tracking. Identify metrics for tracking progress overall, then allow each group within the organization the freedom to reduce vulnerability risk as they see fit.

Organizational Profile: Do the groups across your organization require autonomy? Is your organization metrics-driven? If your organization likes independence and a results-oriented approach, then focus on the metrics to drive outcomes.

Pros: Business-focused.

• Choosing metrics that matter to the business can drive risk reduction that matters.
• With different groups executing differently, they can compete based on the metrics and drive improvement.

Cons: Bad metrics, bad results.

• If you choose metrics that don’t matter, you’ll end up with groups doing busy work rather than reducing risk.
• When groups compete, someone ends up at the bottom, which can create internal conflict.

6. Process Optimizer
Strategy: Reduce attack surface. Forget about vulnerabilities and focus on reducing the overall attack surface through aggressive implementation of least privilege and elimination of unnecessary services and systems. Measure the results with vulnerability risk metrics.

Organizational Profile: Does your organization fail to decommission systems effectively? Do people install whatever they want on their systems? If your organization’s digital clutter is its own biggest threat, then cleaning house can eliminate serious vulnerability risk.

Pros: Dramatic vulnerability risk reduction.

• Since vulnerabilities exist in applications, eliminating the unneeded applications can dramatically eliminate vulnerabilities.
• If you’ve removed an application from your environment, newly discovered vulnerabilities in that application won’t affect you.
• Focusing on configurations and reducing attack surface generally results in a better managed environment, which can drive cost-reduction, operational efficiency, and stability.

Cons: Limited duration of effectiveness and high-priority risk gap.

• Once you’ve removed unnecessary applications and hardened configurations, you’ll be left with the harder-to-address vulnerabilities in required systems.
• If you’re focused on eliminating attack surface, you might be ignoring serious vulnerabilities in critical systems.

There’s no perfect strategy for eliminating vulnerability risk. While employing the right tools helps, knowing how your organization operates is what will make the difference between an expensive product and an effective program.

Related Content:

• 2019 Security Spending Outlook
• The Matrix at 20: A Metaphor for Today’s Cybersecurity Challenges
• 3 Lessons Security Leaders Can Learn from Theranos
• In Security, Programmers Aren’t Perfect

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Tim Erlin is VP of Product Management Strategy at Tripwire. He previously managed Tripwire’s Vulnerability Management product line, including IP360 and PureCloud. Erlin’s background as a sales engineer has provided a solid grounding in the realities of the market, allowing … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/selecting-the-right-strategy-to-reduce-vulnerability-risk/a/d-id/1334357?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Many organizations talk about website security, but how many live up to the talk? That’s the question the Internet Society’s Online Trust Alliance (OTA) sought to answer with its annual “Online Trust Audit Honor Role,” which examined more than 1,200 websites to measure their implementation of best practices in three areas: consumer protection (DNS, domain, and brand protection); site, server, application, and infrastructure security; and privacy, transparency, and disclosures.

This marks the 10th year of the comprehensive audit.

“Every year we adjust, looking for the latest best practices that are practical and reasonable for companies of most sizes,” says Jeff Wilbur, technical director of the Online Trust Initiative for The Internet Society. The changing perspective on best practices is important, he says, “especially these days with cloud services, where you can get pretty sophisticated things even if you’re a small organization.”

The good news is that 70% of the websites analyzed this year scored high enough to qualify for the honor roll, up from 54% in the 2017 audit. “Overall, the two big things that jumped out were [best practices around] email authentication and end-to-end encryption of the entire Web session,” Wilbur says. About 40% more companies are encrypting their entire Web sessions this year compared with last year, he adds, and that increase accounts for much of the improvement.

According to the report, 93% of sites encrypt all Web sessions. Certain industries made even more dramatic improvements. US government sites were the best-performing of all market segments, with 91% of audited sites making the honor roll. This is up from a fifth place performance in 2017. Consumer sites came in second, with 85% of audited sites making the honor roll. The category came in first place in the 2017 audit, but high breach rates—34% of audited sites reported a breach during the year—prevented a repeat performance.

Federal government sites also scored very well for email protection, with DMARC adoption shown for 93% of sites. This is a critical measure of security, the OTA says, because business email compromise (BEC) remains the leading source of malware infection in organizations of all sorts.

The lowest-performing market segment was also the newest in the audit: Healthcare found only 57% of its audited sites making the honor roll.

Improvements in security were not matched by improvements in privacy, Wilbur says, and that’s disappointing. Much of that disconnect can be laid at the doorstep of online advertising. “Sharing your data so that someone can advertise to you — depending on individuals, they may or may not have an issue with that,” he says. The problem, he says, language on websites about privacy and how the individual data will be used is “fuzzy enough and vague enough that we think it needs to be clearer and properly set consumer expectations.”   

But both the overall status and trends are quite good, Wilbur says, and future audits will help organizations continue to improve.

“We try to choose criteria that are practically implementable by organizations of any size. This can be used as kind of a guidebook for the right thing to do,” he says.

Wilbur points out that one of the appendices is a checklist of the criteria an organization could take to a service provider or IT organization with questions about how every point could be answered. The goal, he says, is simple. “Hopefully, if we can get the word out that everyone should be able to do nearly all these things and that they’re the right thing to do, we can help improve security and privacy overall, for everybody,” Wilbur says.

Related Content:

• Microsoft Downplays Scope of Email Attack
• The Single Cybersecurity Question Every CISO Should Ask
• ‘Dragonblood’ Vulnerabilities Seep Into WPA3 Secure Wifi Handshake
• 6 Ways Effective CISOs Are Changing their Role
• Data Privacy Manifestos: Competitive Advantage or the Start of Something Bigger?

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/security-audit-shows-gains-though-privacy-lags/d/d-id/1334439?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Millions of people continue to be flummoxed and frustrated by the much-publicized leaks of their personal information from the likes of Marriott, Facebook, and Equifax, to cite three recent examples. Such data breaches are causing companies and organizations everywhere to re-examine the things they procure, the services they use, the individuals they hire, and the people and firms with whom they partner and do business. Across the board, organizations have sunk money into staff, strategies, and equipment to comply with new, tighter customer privacy rules and sidestep major fines and other penalties.

On May 25, 2018, the EU’s General Data Protection Regulation (GDPR) took effect, and other privacy laws and regulations worldwide are evolving and expanding. Cisco’s 2019 Data Privacy Benchmark Study details how scores of organizations are having a hard time meeting all the demands of the new regulatory regimes — and the ones that took early action to address security concerns are seeing positive results from their investments.

GDPR Readiness
Data privacy is now a topic of discussion in corporate boardrooms, and clients, vendors, and other business partners are all paying more attention to how well the companies they patronize and work with safeguard private information. If a company doesn’t measure up, those groups may look elsewhere.

Interestingly, however, a mere 59% of the respondents in the Cisco survey said they are measuring up to most of GDPR’s requirements. Twenty-nine percent indicated that they would be GDPR-ready within 12 months, while 9% said it would take them more than a year.

The respondents also identified their biggest hurdles in terms of getting ready for GDPR. The top five challenges were data security (cited by 42% of respondents), internal training (39%), ever-changing regulations (35%), and privacy by design requirements as well as meeting data subject access requests (each at 34%).

“Data privacy risks have become a major issue for most businesses. Many companies are preparing for data privacy litigation. Having a defense strategy in place can be a huge benefit,” says Tim Wybitul, partner in Latham Watkins’ Frankfurt office. “For instance, you can determine roles, press communication and a process in advance,” he adds.

Sales Delays Due to Privacy
The survey also asked participants whether their customers’ concerns about data privacy was slowing down or delaying sales cycles. Some 87% replied in the affirmative, saying that the slowdowns stemmed from worried customers or prospects. This is a much higher figure than the 66% of respondents who reported the same delays in the 2018 survey, but this shouldn’t come as a big surprise given the ink that’s been spilled on the importance of data privacy, GDPR, and the onset of new privacy regulations and requirements.

Roughly half (49%) of the respondents said that their sales-cycle delays stem in part from having to look into specific requests from customers who want to know more about the company’s data policies. Slightly fewer companies (42%) must translate their privacy policies/processes into the customer’s/prospect’s language, while 39% regard the customer’s/prospect’s enquiries about privacy policies or processes as a tactic used to deliberately slow the pace of a sales process.

The estimates regarding the length of delays were far from consistent. For sales delays stemming from privacy concerns, the average slowdown for selling to existing customers was 3.9 weeks. The organizations that said they’re meeting all or most of GDPR’s requirements reported a slightly shorter delay — an average of 3.4 weeks — in contrast to 4.5 weeks for companies that expect to be GDPR-ready within a year, and 5.4 weeks for those that are more than a year away. Put another way, the delays at the least-prepared organizations are almost 60% longer than the most prepared.

In light of the above, it should come as no surprise that the GDPR-ready companies also experienced lower overall costs related to data breaches.

“This research provides evidence for something privacy professionals have long understood — that organizations are benefiting from their privacy investments beyond compliance,” says Peter Lefkowitz, chief digital risk officer at Citrix Systems. “The study demonstrates that strong privacy compliance shortens the sales cycle and increases customer trust.”

Data Breaches Happen Less Often with GDPR-Readiness
Most companies in the survey reported having a data breach in 2018, but fewer (74%) of the GDPR-ready companies were affected. In comparison, breaches struck 80% of the firms that are less than a year from GDPR readiness, and 89% of the ones that still have a long way to go before they fully comply.

That’s not all. Not only were the most GDPR-ready companies hit less often; the impacts of the breaches they did experience were smaller — an average of 79,000 records, as opposed to 212,000 for those that are least GDPR-ready. The system downtime for the most-prepared was also significantly less (6.4 hours versus 9.4 hours). Of these firms, only 37% suffered data-breach losses of more than $500,000, while 64% of the least-prepared companies lost at least that much.

The respondents were nearly unanimous in one area: Almost all of them (97%) said they are enjoying side benefits from their investments in privacy protection, citing agility/innovation, competitive advantage, operational efficiency, reduced losses from breaches, fewer sales delays, and greater appeal among investors.

The takeaway from all this? The Girl Scouts probably say it best: “Be prepared.”

Related Content:

• 6 Ways to Strengthen Your GDPR Compliance Efforts
• Data Privacy Manifestos: Competitive Advantage or the Start of Something Bigger?
• A Glass Ceiling? Not in Privacy
• Debunking 5 Myths About Zero Trust Security

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across … View Full Bio

Article source: https://www.darkreading.com/endpoint/benefiting-from-data-privacy-investments/a/d-id/1334333?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

A new rootkit-based malware family known as “Scranos” is being used in global cyberattacks as its authors grow their potential target base while adding new components and fixing bugs.

The cross-platform threat was first detected by Bitdefender researchers in mid-December; the team has been tracking it ever since. Its rootkit component was what made Scranos stand out, says Bogdan “Bob” Botezatu, Bitdefender’s head of threat research and reporting. Rootkit-based malware is rare, he says, and accounts for less than 1% of the malware they see daily. Researchers watch for rootkits because they’re usually linked to high-profile attacks, he adds.

Scranos is a password- and data-stealing operation based around a rootkit driver, which has been digitally signed with a certificate believed to be stolen. When it was first detected, Scranos was localized to the Asian market; specifically, China. Botezatu hypothesizes China’s technology restrictions and security practices made for an appealing test ground to cyberattackers. 

“My guess – and it’s still a guess – is that the cybercriminals started up and ran a test on the Chinese market … it’s much easier to infect people in China or India, than in the rest of the world,” he says. Piracy in these regions is still high and people are more likely to download apps from third-party stores. There, Scranos often lies disguised as cracked software or apps posing as legitimate software including ebook readers, video players, and anti-malware products.

“This created a perfect context to infect a pool of victims in China, see how the malware performs, do whatever needs fixing, and throw it into production,” Botezatu explains.

In late Jan. and early Feb., researchers saw Scranos start spreading to other countries. Now, it has a global presence and is especially prevalent in India, Romania, Brazil, France, Italy, and Indonesia. Its growth is a sign that operators believe it’s mature enough to be monetized.

Inside Scranos: a Work in Progress

The cracked software or Trojanized app is bundled with the initial dropper, which doubles as a password stealer and steals cookies, login credentials, and payment data from Facebook, YouTube, Amazon, and Airbnb before sending it to the CC. From there, the dropper installs the rootkit, which achieves persistence and injects a downloader into a legitimate process so attackers can download future payloads. The downloader also sends system data to the CC.

Researchers discovered several types of payloads linked to Scranos. One adware file manipulates YouTube pages and gets victims to start and mute videos, subscribe to channels, and click advertisements by entering instructions in Chrome in debugging mode. Another payload installs adware extensions in Chrome. A Facebook spam payload sends friend requests to other users, and spams contacts with links to malicious Android apps.

Scranos’ authors are continuously improving old components and testing new ones on already infected computers. “They’re still in the experimentation stage,” says Botezatu. Right now, authors are tinkering with code and trying to get a foothold on devices while fixing bugs. He anticipates they’re also likely advertising their wares on underground forums.

The many components for Scranos serve different purposes, but researchers note these functions are among the most important:

• Extract cookies and steal login credentials from Chrome, Chromium, Firefox, Opera, Edge, Internet Explorer, Baidu, and Yandex browsers
• Steal payment accounts from Facebook, Amazon, and Airbnb
• Send friend requests from the user’s Facebook account to other accounts
• Inject JavaScript adware into Internet ExplorerExfiltrate browsing history
• Subscribe users to YouTube channels
• Silently display ads or muted YouTube videos to users via Chrome

“Their approach is pretty unique,” says Botezatu of Scranos’ authors. This threat is more aggressive and versatile than adware: it hunts for personal information, credit card data, and social media data; the Facebook tool lets them spread to mobile devices. He notes there has been increased interest in both data collection and YouTube manipulation capabilities. 

System drivers are tough to spot as they’re hidden in the Windows directory. “It’s very difficult for a regular person, who is not into forensics, to spot any malicious activity until it’s too late,” he says. One sign of infection is social activity: if you notice Facebook or YouTube displaying activity from you that you didn’t initiate, it’s a sign someone else is controlling your account.

While it’s difficult to predict what attackers will do next, Botezatu expects Scranos’ next big step will be using its footholds to deliver more nefarious third-party malware. Its next monetization scheme could be making the platform available to different cybercrime groups, he says, or using ransomware to generate quick cash from its growing pool of victims.

Related Content:

• Microsoft Downplays Scope of Email Attack
• New Details Emerge on Windows Zero Day
• 8 ‘SOC-as-a-Service’ Offerings
• Cloudy with a Chance of Security Breach

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial … View Full Bio

Article source: https://www.darkreading.com/vulnerabilities---threats/meet-scranos-new-rootkit-based-malware-gains-confidence/d/d-id/1334436?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

In one of the biggest malvertising campaigns in the last 18 months, a previously known threat group called eGobbler is taking advantage of a security bug in Google’s Chrome browser to target millions of iOS users. 

Security vendor Confiant, which has been tracking the campaign since it launched April 6, estimates that more than 500 million malicious ads have been served to iOS users already. Users are being redirected to scam “You’ve won a gift card” landing pages hosted on a top-level domain previously associated with eGobbler.

Google, which makes most of its money from online advertisements, is currently working on a fix for the bug after being notified about the issue April 11, Confiant said in a report Tuesday. The company did not respond immediately to a request for comment.

According to Confiant, the problem exists in the manner in which Chrome for iOS handles pop-ups. Like other browsers, Chrome incorporates ad sandboxing features to ensure that any code used to insert ads into a Web page only has limited ability to interact with other components.

Sandboxing is a method of restricting what actions are available to any advertisement that is served from a different domain than the page hosting it, says Eliya Stein, senior security engineer at Confiant. The goal is to prevent malicious advertisements from hijacking browser sessions via pop-ups and redirects to websites and landing pages the user did not intend to visit.

Normally, an ad sandbox should prevent a pop-up from being launched unless the user takes some direct action to enable it. The Chrome vulnerability allows attackers a way around this protection.

Chrome Sandboxing Fail
According to Stein, the exploit that eGobbler has developed and is using with such success essentially tricks Chrome for iOS into allowing pop-ups without any direct interaction. “The security bug in Chrome is around Chrome’s built-in pop-up blocker,” Stein says. “All versions of Chrome on iOS are impacted.”

Because the eGobbler exploit allows the attacker to redirect a user with a pop-up, any other standard sandboxing protections that Chrome has against browser redirections, such as disallowing JavaScript, are moot, he says. “We believe that this exploit was key in magnifying the impact of this attack,” Stein says.

He adds that Confiant wants to give Google’s Chrome team a reasonable amount of time to fix the bug before releasing more details on how it works. Confiant will release a full analysis of the bug at a later date.

So far, eGobbler has launched eight individual malvertising campaigns mostly targeting iOS users in the US over a six-day period starting April 6. Each individual campaign has lasted between one to two days, Confiant said.

The threat group managed to place over 30 malicious advertisements on legitimate but previously compromised ad servers and used cloaked intermediate CDN domains as part of their ad delivery.

“The CDN domains are used to host the payload that performs the actual redirect and/or the pop-up,” Stein says. These are intermediate domains in the ad-serving process that attackers often use for loading ad-serving code. “Attackers rotate these kinds of domains often in attempt to fly under the radar,” Stein noted.

The original campaign targeting iOS users has now pivoted to another platform and is ongoing, though Stein declined to name the targeted platform. It is not clear whether eGobbler is exploiting the same Chrome bug, but chances are high they are, he says. “This requires some follow-up on our end,” Stein says.

Related Content:

• Online Ads vs. Security: An Invisible War
• Enterprise Malware Detections Up 79% as Attackers Refocus
• Fileless Malware: Not Just a Threat, but a Super-Threat
• What You Should Know About Grayware (and What to Do About It)

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/threat-group-exploits-chrome-bug-to-serve-malicious-ads-to-ios-users/d/d-id/1334440?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

It’s an expansive cyber espionage operation that canvasses a victim’s network with backdoors, loaders, keyloggers, audio recorders, screen- and webcam grabbers, and even siphons data from printer-queues, burned CDs, and Apple iOS smartphone backups.  

The so-called TajMahal attack framework operated invisibly for five years until it was uncloaked last fall by researchers at Kaspersky Lab who found it embedded deep in the network of a diplomatic organization in Central Asia, where it had been spying and stealing documents since 2014. TajMahal comes with a whopping 80 different attack modules, including an unusual and rare one that lets the attacker steals specific files from a USB stick when the device is inserted into a computer.

Given the breadth of TajMahal’s attack arsenal, there are likely other victims that have not yet been identified. “They’re possibility using this framework elsewhere, but we’re not [able to see] in those organizations. It would be highly unusual for a malware set that looks like this to be for” a single use, said Kurt Baumgartner, principal security researcher with Kaspersky Lab, which last week shared its findings on TajMahal at the Kaspersky Security Analyst Summit in Singapore.

The researchers found no ties between TajMahal to existing nation-state threat groups, nor any similarities in its code base to others’. It appears to be a “new” previously unknown cyber espionage group that’s especially advanced and well-resourced and that expects to be well-entrenched in a victim’s network for long periods of time, according to Baumgartner. “They actually exfiltrate an entire mobile phone backup – that’s something that takes a lot of time.”

While TajMahal’s mobile-theft capability is rare, it’s also reminiscent of the epic Red October APT cyber espionage campaign that Kaspersky Lab first unearthed in 2013. “Red October built out modules that were purpose-built for exfiltrating mobile data,” Baumgartner said.

Red October stole terabytes of information from computers, smartphones, routers, and VoIP phones of government, diplomatic, and scientific research organizations spanning multiple regions worldwide, and at the time was considered one of the most sophisticated cyber espionage operations in the world.

Baumgartner said TajMahal, with its massive number of plug-in modules, falls into the category of a well-resourced APT the likes of Flame and Duqu, two other infamous cyber espionage attack groups. Another interesting element of TajMahal is its virtual file system (VFS), an indexed and encrypted file system it uses for its attack tools, he said.

It’s likely the attackers also have changed IP addresses to evade detection, according to Alexey Shulman, lead malware analyst at Kaspersky Lab. “They are probably on other machines” that haven’t yet been discovered, he said.

Tokyo Yokohama

TajMahal, which was named after the file the attackers use to exfiltrate data, is comprised of two main components: Tokyo and Yokohama. Tokyo helps launch the first stage of the attack, and includes three modules including the main backdoor and command control communication, using PowerShell to remain hidden in the network.

Yokohama is the second stage of the attack, the full-blown spying operation, and uses the attackers’ VFS with the 80 modules, which also include command-and-control communicators, cryptography key-stealers, and browser cookie-stealers that target Internet Explorer, Firefox, and Netscape Navigator, for example.

Still unknown, however, is the initial attack or infection vector for TajMahal.

While Kaspersky researchers declined to speculate on just which nation-state is behind TajMahal, other experts say its well-resourced and comprehensive attack arsenal indicates that it’s one of the most advanced APT groups in operation. “The modular nature of the code, coupled with advanced persistence features to engage in proximity attacks, makes it truly formidable,” said Tom Kellermann, chief cybersecurity officer at Carbon Black. “This code is being selectively deployed across the [Central Asia] region and should serve as a harbinger of APTs to come.” 

TajMahal’s capabilities demonstrate how cyberattacks can be executed “in the physical world” as well, he said, by pilfering data from printer queues, burnt CDs, USBs, and turning on computer microphones and cameras from afar.

While protecting networks from determined nation-states and other advanced attackers is never foolproof, the usual best practices can minimize exposure. Kaspersky Lab recommends schooling users on phishing and social engineering scams, keeping software updated, and employing advanced endpoint security tools.

The researchers also released indicators of compromise and other technical details for TajMahal.

Related Content:

• MuddyWater’ APT Spotted Attacking Android
• Digital Doppelganger’ Underground Takes Payment Card Theft to the Next Level
• 19 Minutes to Escalation: Russian Hackers Move the Fastest
• 8 ‘SOC-as-a-Service’ Offerings

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/threat-intelligence/decoding-a-new-elite-cyber-espionage-team-/d/d-id/1334441?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple