STE WILLIAMS

TrickBot Expands in Japan Ahead of the Holidays

Data indicates TrickBot operators are modifying its modules and launching widespread campaigns around the world.

The notorious TrickBot banking Trojan is undergoing code modifications as its operators ramp up global attacks, which increasingly target Japan this holiday season, researchers report.

IBM X-Force data indicates TrickBot is currently the most active banking Trojan. As its many targets have evolved over the years, so has TrickBot: the threat was modified in August to target mobile device users, and it is the primary payload in attacks against healthcare firms. Earlier this year, TrickBot operators began to use redirection instead of malicious email attachments to spread the malware. It also made Webroot’s list of the nastiest malware for 2019.

TrickBot has mostly appeared in campaigns in Western and English-speaking countries. While it has been spotted in other regions, this marks the first time TrickBot has been seen at Japanese banks. X-Force researchers urge shoppers in Japan to be wary of TrickBot on e-commerce sites and cryptocurrency platforms. While most campaigns aim for online banking (76%), e-commerce (5%), payment cards (3%), credit unions (3%), and Bitcoin exchanges (3%) are also targeted.

Campaigns targeting Japanese entities have been using malicious spam and distribution by the Emotet botnet to drop TrickBot onto target devices. Most attacks use Web injections on banking websites, which ultimately lead to bank fraud. One of TrickBot’s go-to tactics, with the injection content pulled from the attacker’s server, involves tricking victims into sharing personally identifiable data, payment card details, PINs, and transaction authorization details, researchers explain in a blog.

TrickBot’s appearance in Japan is concerning in itself; however, researchers warn that TrickBot attacks can potentially escalate into Ryuk ransomware attacks. “A kill chain that begins with Emotet and TrickBot infections has been known to result in Ryuk attacks, widespread ransomware infections that can paralyze organizations and extort them with demands of millions of dollars in ransom money,” X-Force’s Limor Kessem and Itzik Chimino wrote in a blog post on the news.

Ryuk has also proved an active threat in 2019. The ransomware is known for its “dwell time,” the amount of time between the initial infection and damage to a target system. It is also known to change the ransom amount depending on how much it thinks the victim is able to pay. In an alert issued by the UK’s National Cyber Security Centre in July, officials explained that the chain starts with an Emotet infection, followed by a TrickBot infection that brings obfuscation capabilities. If the compromised system yields information indicating the victim can pay a ransom, Ryuk is deployed.

Kessem and Chimino advise businesses to keep strict control of operating system and application update schedules, as malware often seeks out unpatched systems. “Segregate and use compensating controls on assets that cannot be patched,” they note.

Businesses can also use role-based training to alert accounting employees to TrickBot, business email compromise, and wire fraud attacks. Suspicious activity should be rapidly escalated to incident response, especially if a device is communicating with known bad IP addresses.

Check out The Edge, Dark Reading’s new section for features, threat data, and in-depth perspectives. Today’s top story: “A Cause You Care About Needs Your Cybersecurity Help.”

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/threat-intelligence/trickbot-expands-in-japan-ahead-of-the-holidays/d/d-id/1336510?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google: We caught a Russian state hacker crew uploading badness to the Play Store

Google has said it fired off 12,000 warnings to unlucky users of its Gmail, Drive and YouTube services telling them it believes they’re being phished by state-backed hackers.

The ad tech firm’s Threat Analysis Group (TAG) said in a blog post that between July and September it told people in 149 countries around the world that they were being “targeted by government-backed attackers”, adding that this was consistent with the same number of warnings sent during the same periods of 2017 and 2018.

“Over 90 per cent of these users were targeted via ‘credential phishing emails’,” wrote Google’s Shane Huntley, who gave an example of one of these phishing emails having been sent from “Goolge”.

TAG went on to highlight a Russian state-sponsored hacking crew named Sandworm* which in 2017 started deploying Android-based malware to the Google Play store and evolved over time to simply phishing and compromising legitimate developers before pushing malicious updates to previously trusted apps. Google’s TAG, naturally, said it detected this and stopped Sandworm from doing these bad things.

Kevin Bocek, threat intelligence veep from Venafi, said:

“The most troubling of [Google TAG’s] examples was that [Sandworm] was able to compromise code signing keys from a legitimate app developer, via a phishing email, and add its own backdoor into an app… This just shows the power of code signing, it’s like a god that machines trust blindly. As more and more hackers see the potential, and ease, for misusing keys and certificates we’ll see more of these attacks. We must ensure in the software build process code signing and machine identities are protected.”

Sandworm previously used a Windows zero-day in 2014 to spy on NATO and the EU, among other targets.

Piers Wilson, product management head of Huntsman Security, opined that all this means companies must be “constantly vigilant”, saying: “Google’s announcement highlights that anyone could be a target of nation state attacks. You might assume you’re not of interest to government-backed attackers, but even someone only tangentially related to people or organisations in power could be a way into that target and so a valid target themselves.”

Cesar Cerrudo, chief techie of IOActive, advised folks to “avoid clicking on links unless you are sure they are safe and install strong protections on your endpoint devices.” Sound advice – provided you also take care while thumbing through emails on your phone or tablet. ®

* Nomenclature notes

Sandworm has also been named (deep breath): TEMP.Noble; Electrum; Telebots; Quedagh Group; BE2 APT; Black Energy; and Iridium, not to be confused with the element or the satcom company.

The wildly unchecked proliferation of different names for hacking crews is intended mainly as a marketing gimmick to make threat intel companies appear to be first with the latest news about FancyAPT007PandaSeaTeamCalc!heeheeCr3wBlurt and to drown out the fact that there’s a score of competing firms all tracking the same threats. This is incredibly frustrating for anyone trying to figure out whether this week’s Big Scary Thing is actually the same one from last week but under a different name.

A common problem, it has driven sensible people to build public spreadsheets resolving and deconflicting the various company-specific hacker crew names. El Reg wholeheartedly endorses this approach to making infosec comprehensible again.

Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2019/11/28/google_12000_warnings_phishing_sandworm/

Leveraging the Cloud for Cyber Intelligence

How fusing output datasets and sharing information can create a real-time understanding of suspicious activity across your enterprise.

In a recent New York Times opinion piece, National Security Agency General Counsel Glenn Gerstell described how traditional national security systems, developed after World War II, dependably gave early warning of foreign military developments, such as firing missiles and the movement of tanks, aircraft, ships, and submarines. Fusing telemetry data with advanced surveillance technology gave us a level of confidence that we were safe and could manage contingencies. However, Gerstell makes a compelling argument that that is no longer the case. The technology revolution has “upended” our national security infrastructure and institutions, according to Gerstell.

Gerstell is not alone in his thinking. Joseph Hill, the acting director of National Intelligence, also believes cyberspace is our biggest vulnerability. Outside of government and the military, a recent survey of America’s businesses of all sizes, conducted by Travelers Companies, found that cybersecurity was respondents’ No. 1 concern.

As an enterprise leader, it is worth recalling why our post-World War II strategy was successful: We integrated what we knew about foreign military developments in real time. Unfortunately, today we are too focused on finding a better mousetrap and not integrating what we know.

Time to Stop Playing Security Whack-a-Mole
I recently spoke with a CISO about how he won approval to procure 15 tools to bolster security operations but heard little about fusing output datasets to create a real-time understanding of suspicious activity across the enterprise.

The CISO’s focus was on more analysts, who are hard to find and burn out quickly from a daily whack-a-mole game of responding to redundant incidents without correlating them with what they’ve seen in the past. Companies that can afford one of everything acknowledge this strategy generates too much noise. The combination of too many tools, redundant threat feeds, and analyst burnout leads companies to spend more and become less secure. This strategy at scale becomes even more inefficient and costly when whole sectors and industries choose to “tool up” rather than take a disciplined approach of managing and fusing cyber intelligence. We must reset our strategy on how best to secure ourselves rather than search for a better mousetrap (or buy more of them). We must fuse the tools that we already have.

How to Leverage What You Have
Start by taking a page from how security teams handle traditional security threats to weave together a system of ecosystems in the cloud. There are typically three stages.

Stage 1. Companies leveraging the cloud fuse alerts from their own systems with their external intelligence providers. This requires companies to easily integrate the output from their existing tech stack (SIEM, EDR, case management, orchestration) with input from internal intel sources without disrupting analyst workflow.

Stage 2. Layer in security-related activity beyond security operations to fraud and abuse. Each leads to security problems within the enterprise and for companies down-range. For example, account takeovers (ATOs) can not only be used for malicious activity inside a company but can also lead to adversaries misusing an account to attack others.

Stage 3. Reach out to other companies to exchange information about your common security and fraud challenges. This is where the cloud holds significant advantages as companies choose partners based on a variety of needs, ranging from securing supply chains to battling specific threats within and between sectors. The cloud allows both the public and private sector to work with each other. Rather than just sharing information, companies can define use cases and have the means to quickly and seamlessly exchange and analyze data. The cloud also enables companies to derive insights and trends within their own company as well as how they compare with others.

A New Model: LA CyberLab
Hundreds of companies are already changing course to a cloud-based model to fuse their internal data with external threat information. They ingest and enrich cyber intel from a variety of tools ranging from security event management systems to endpoint detection and case management systems to third-party intelligence. A successful platform combines several capabilities: ingesting and normalizing structured and unstructured data, permissions and access management, fusing and enriching data, and redacting sensitive and proprietary information. A platform must also be extensible so that companies can fuse data between separate security-related operations such as security operations centers, fraud, and internal investigations within companies and between companies.

In September, Los Angeles Mayor Eric Garcetti launched the LA CyberLab, a TruSTAR customer, to fuse data from the public and private sector, local municipalities, and consumers. The exchange of suspicious event data will speed investigations, identify trends, and ultimately improve security. It has backing from the mayor, the Department of Homeland Security, IBM, innovative technology platforms, as well as some of Los Angeles’ biggest business leaders.

LA’s model can be replicated, creating new ecosystems of fused data involving suspicious events. Leaders recognized that threat actors commodify and replicate attacks across sectors and local, state, and federal government. Sector-based sharing models like ISACs and ISAOs will remain important, but LA’s model is different. The potential power of fusion is immense when we start to think about security in terms of interconnected systems instead of siloing data between tools and sectors. We must converge our cyber intelligence systems in order to achieve full visibility of the attack landscape. We should look to LA as a model of where we must go.

Paul Kurtz is the CEO and cofounder of TruSTAR Technology. Prior to TruSTAR, Paul was the CISO and chief strategy officer for CyberPoint International LLC where he built the US government and international business verticals. Prior to CyberPoint, Paul was the managing partner …

Article source: https://www.darkreading.com/cloud/leveraging-the-cloud-for-cyber-intelligence-/a/d-id/1336457?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Siemens Offers Workarounds for Newly Found PLC Vulnerability

An undocumented hardware-based special access feature recently found by researchers in Siemens’ S7-1200 can be used by attackers to gain control of the industrial devices.

Siemens recently issued a security advisory with workarounds and mitigations for a vulnerability uncovered by researchers in its S7-1200 programmable logic controllers (PLCs) that could be used to bypass a firmware integrity check to load malware or hijack the industrial processes of the devices.

Researchers from Ruhr University Bochum in Germany found an undocumented hardware-based special access feature in Siemens’ S7-1200 PLCs while studying its bootloader, which handles software updates and verifies the integrity of the PLC’s firmware when the device starts up.

Ali Abbasi, a research scholar at Ruhr-University Bochum, doctoral student Tobias Scharnowski, and professor Thorsten Holz will present their findings this week in London at Black Hat Europe. The researchers alerted Siemens, which says it plans to fix the flaw.

It’s unclear whether the flaw can be fixed in software or if it requires a hardware swap, according to Abbasi, and the researchers are not sure if additional models of the PLC also are affected.

In a statement in response to an inquiry on the nature of the fix, Siemens said it’s still working on the issue, pointing to the SSA-686531 advisory it released late last month. “We are in the process of reviewing our product models and will post updates to SSA-686531 if further models are affected,” Siemens said. “With respect to a final solution, Siemens experts continue to work on the issue. Siemens provided workarounds and mitigations within the Siemens Security Advisory (SSA-686531) and Siemens will update the document when a final solution is available.”

Abbasi and his fellow researchers also found that the special access feature in the PLCs could be used for good: as a forensic tool for defenders. They employed the feature to view the contents of the PLC’s memory, so a plant operator could use it to find malicious code on the device, for example.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/vulnerabilities---threats/siemens-offers-workarounds-for-newly-found-plc-vulnerability/d/d-id/1336503?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Smith & Wesson Is Magecart’s Latest Target

Researchers estimate the gun manufacturer’s website was compromised sometime before Black Friday.

A Magecart group has compromised the website of American gun manufacturer Smith & Wesson by injecting malicious code designed to lift customers’ payment data at checkout.

The incident was found by Sanguine Security’s Willem de Groot, who was investigating payment skimmers impersonating Sanguine Security’s anti-skimming service. He found attackers were registering malicious domains named after Sanguine and using his name as the registrant.

These fake skimmers have been used on several high-profile stores, including Smith & Wesson, de Groot explains in a blog post. Not all of the malware impersonates the Sanguine domain name; however, the major skimmers share identical code and infrastructure. Smith & Wesson was hit with a skimmer on Nov. 27, he says, and it was still present when he published on Dec. 2.

The skimmer on this website is “exceptionally sophisticated” and contains multiple levels of obfuscation, each rendering a new anonymous function to complicate debugging, de Groot says. Most of the site’s script is benign, but the Magecart code is appended on the checkout page only for visitors who use a US-based IP address and a browser not running on Linux, and who aren’t coming from AWS. In these cases, the script’s file size grows from 11KB to 20KB upon visiting the checkout page.

When someone under these conditions goes to the checkout page, they are shown a fake payment form. The details they submit are exfiltrated to a server controlled by attackers.
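Because the skimmer is served only under certain client conditions, a single scan from a cloud-hosted Linux box sees the clean copy. The check below, an added example and not code from de Groot or Dark Reading, compares copies of one checkout script captured from several vantage points (constructed placeholder bytes, not the real files) and reports which copies diverge and what client attributes those vantages share.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed captures of the same checkout-page script fetched from several
# client vantage points. Placeholder content, not the real 11KB/20KB files:
# in the case above the skimmer was appended only for US, non-Linux, non-AWS
# visitors, so a cloud-hosted Linux scanner would have fetched the clean copy.
BENIGN = b"function checkout(){/* legitimate checkout logic */}\n" * 20
SKIMMER_TAIL = b"(function(){var a=function(){/* obfuscated form capture */};a();})();\n" * 40

Capture = Tuple[Dict[str, object], bytes]   # (vantage attributes, script bytes)
CAPTURES: Dict[str, Capture] = {
    "aws-linux-scanner": ({"geo": "US", "os": "linux", "cloud": True}, BENIGN),
    "eu-windows-office": ({"geo": "DE", "os": "windows", "cloud": False}, BENIGN),
    "us-windows-home":   ({"geo": "US", "os": "windows", "cloud": False}, BENIGN + SKIMMER_TAIL),
    "us-macos-home":     ({"geo": "US", "os": "macos", "cloud": False}, BENIGN + SKIMMER_TAIL),
}


def fingerprint(script: bytes) -> Tuple[str, int]:
    """SHA-256 hex digest and byte length of one captured copy."""
    return hashlib.sha256(script).hexdigest(), len(script)


def detect_conditional_injection(captures: Dict[str, Capture],
                                 expected_sha256: Optional[str] = None,
                                 growth_threshold: float = 0.25) -> dict:
    """Group copies of one script by hash and report the ones that diverge.

    expected_sha256 is the hash the deploy pipeline (or an SRI tag) says the
    script should have; if it is None the smallest variant is the baseline,
    since an injected skimmer only ever adds bytes. Size growth at or above
    growth_threshold is flagged separately (the real case nearly doubled).
    """
    variants: Dict[str, List[str]] = {}
    sizes: Dict[str, int] = {}
    for label, (_, script) in captures.items():
        digest, size = fingerprint(script)
        variants.setdefault(digest, []).append(label)
        sizes[digest] = size

    if expected_sha256 is None:
        baseline = min(sizes, key=sizes.get)
    else:
        baseline = expected_sha256          # may never have been observed at all
    baseline_size = sizes.get(baseline, min(sizes.values()))

    suspicious = []
    for digest, labels in variants.items():
        if digest == baseline:
            continue
        growth = (sizes[digest] - baseline_size) / baseline_size
        suspicious.append({
            "sha256": digest,
            "size": sizes[digest],
            "growth": round(growth, 3),
            "size_flag": growth >= growth_threshold,
            "vantages": sorted(labels),
        })

    # Attributes every divergent vantage has in common: a hint about the client
    # conditions the injected copy is gated on, i.e. where monitoring must fetch from.
    gate: Dict[str, object] = {}
    divergent = [v for s in suspicious for v in s["vantages"]]
    if divergent:
        attrs = [captures[v][0] for v in divergent]
        for key, value in attrs[0].items():
            if all(a.get(key) == value for a in attrs):
                gate[key] = value

    return {"baseline_sha256": baseline, "variant_count": len(variants),
            "suspicious": suspicious, "gate": gate}


if __name__ == "__main__":
    report = detect_conditional_injection(CAPTURES)
    for s in report["suspicious"]:
        print(f"divergent copy {s['sha256'][:12]} (+{s['growth']:.0%}) seen from {s['vantages']}")
    print("shared client conditions of divergent copies:", report["gate"])
```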

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/threat-intelligence/smith-and-wesson-is-magecarts-latest-target/d/d-id/1336505?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What Security Leaders Can Learn from Marketing

Employees can no longer be pawns who must be protected all the time. They must become partners in the battle against threats.

As someone with responsibility over both marketing and security teams, I’ve noticed some remarkable parallels between the two. The relationship that feels particularly pertinent today is the idea that every employee is responsible for security, not just the IT/security organization.

Rewind to the early 2000s, and accountability for a brand’s reputation lay squarely with the marketing department. The most effective ways to shape public perception were through traditional means, using advertising and corporate PR campaigns. Fast forward a decade and everything has changed. With social media accounts and an always-on communications sphere, suddenly every employee has the power to cause a brand crisis and send share prices tumbling. Marketing has had to adjust fast, and there are now all kinds of technologies and processes that significantly reduce reputational risk while empowering employees to avoid disasters and actively become advocates for the brand.

What does this have to do with security? Well, there’s a familiar trend taking place in this space, too.

The Good Old Days
One of the issues facing security leaders over the past few years has been the almost overwhelming growth of attack vectors. Even a decade ago, the vast majority of employees sat behind desks using Windows computers inside corporate offices, accessing corporate data over Ethernet cables into a protected intranet. Smartphones were just starting to make inroads, but business apps were limited in number and functionality, and 4G was in its infancy. IT and security teams were almost exclusively responsible for managing the risk of a cybersecurity crisis — just like with marketing and PR crises.

Today’s workplace is almost unrecognizable. More employees than ever access corporate data via mobile devices, outside the traditional corporate environment and using an incredibly diverse array of corporate-issued and their own devices running on Windows, macOS, iOS, and Android. There’s also a wider variety of network connections, from cellular LTE to home or public Wi-Fi hotspots. 5G and Wi-Fi 6 are both ready to make a bigger splash, too. Developing a robust security strategy that intelligently accommodates these sweeping shifts has been a challenge for many in the industry.

The Front Line Has Shifted
Examining the situation a little closer can help provide answers. Given the shift toward mobile-centric, perimeter-free working environments, the days when security could totally isolate and protect employees, effectively keeping them inside a secure bubble, are long gone. As LTE connectivity has improved, mobile workers are now at the forefront of external threats. The traditional perimeter is dead.

And that’s the key point. IT and security roles have changed, just as the role of mobile employees has shifted. It’s time to radically rethink the way we perceive our employees. They are our troops and our front line of defense. They are ambassadors for the security of the organization, in the same way that they’re ambassadors for the brand.

That’s not to say that mobile employees are totally prepared. Humans are often the weakest link when it comes to cybersecurity, and that’s why hackers focus on them as soft targets.

Walking a Fine Line
What needs to change? Locking down mobile devices with strict policies that don’t consider workflow can frustrate employees. This kind of authoritarian attitude toward what mobile workers can and cannot do unfortunately leads to many unforeseen consequences, not the least of which is shadow IT and internal friction. Even more worrying is the potential loss of productivity and the increase in worker frustration. Employees must be seen as allies in the fight against threats, not antagonists — winning hearts and minds internally has never been more important.

The alternative, preferred philosophy is to empower employees. Ask them what tools and applications they need. Figure out how much “freedom” they require in order to be productive and get their jobs done. Introduce reasonable content controls that prioritize work-related applications but allow non-work-related ones too — policies that can be applied to any device using any network. Implement sensible password and authentication controls that work for their purposes, such as single sign-on or multifactor authentication — and make sure the impact on employee experience is as small as possible. Establish security policies that take context into account whenever possible; apply them lightly when conditions are low-risk, and heavily when they’re not.

The critically important step in this process is to educate and re-educate workers so that they can be trusted to identify and avoid common pitfalls and risks. Train them to recognize phishing emails and text messages. Teach them how to recognize an insecure Wi-Fi hotspot. And give them tools that help them understand risk, react to situations, and escalate concerns. The best security is almost invisible to end users — it becomes something they feel personally responsible for rather than something imposed upon them that they find ways to tolerate or circumvent.

Security Is Everyone’s Responsibility
It’s undeniable that the work environment has changed for most workers today and security must find new ways to accommodate them. Yes, workers are possibly the biggest security risk to your organization, especially when they increasingly use devices and networks beyond your control. Those same workers are the biggest reputational risk to your organization, even more so now that they are able to post about — and in some cases on behalf of — the company on social media and elsewhere.

The reaction from marketing to these changes was to find new ways of educating, equipping, and empowering employees to avoid disasters and to endorse and amplify the brand online. Security leaders can learn a lot from this approach.

Employees can no longer be pawns who need protecting. They must become partners in the battle against threats. With the right technologies, policies and training, workers will take on more responsibility in identifying and preventing potential threats in this new mobile-first, perimeter-free workplace. And it’s your job to help them get there.

Christopher Kenessey is the CEO of NetMotion Software and brings nearly two decades of mobile industry experience to the role. He has worked in sales, management, and leadership roles at Cisco and VFX software company The Foundry, and he holds a bachelor’s …

Article source: https://www.darkreading.com/vulnerabilities---threats/vulnerability-management/what-security-leaders-can-learn-from-marketing/a/d-id/1336453?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

When Rogue Insiders Go to the Dark Web

Employees gone bad sell stolen company information, sometimes openly touting their companies, researchers say.

Researchers who operate undercover in the Dark Web are noticing an increase in activity among rogue employees selling access and stolen data from their organizations — mainly financial and telecommunications companies — for profit.

Charity Wright, cyber threat intelligence analyst and researcher at IntSights, says the rogue employee, often working via underground brokers, is a growing phenomenon in the Dark Web. Researchers have observed sellers, especially in Russian language-speaking forums, openly discussing how they offer services where they steal and sell information from their employers.

The researchers spotted a pair of telecommunications employees selling text message logs and geolocation information from phone SIM cards, for example. “There’s huge potential for damage if they use it to target VIPs or government employees,” for instance, Wright notes. “These services are relatively cheap, and all you have to do is provide them a phone number and they can give you everything they have on it.”

Rogue financial firm employees typically get paid more: Brokers offer 10 times more money for information supplied by bank insiders. “Because they have the keys to the kingdom … with customer bank information they have access to, and deals that are being closed, for insider trading,” she says.

IntSights has been studying the rogue insider trend in the Dark Web for the past four years. In 2017, IntSights and RedOwl published a report, “Monetizing the Insider: The Growing Symbiosis of Insiders and the Dark Web,” on their two-year study of Dark Web forums that recruit insiders. At the time, they noted a twofold increase in insider outreach and forum discussions between 2015 and 2016. 

Insider recruits go through an elaborate selection and verification process by the forums, including confirming the access the insider has within its organization and how fast they can grab it and release it. Once they are in, they are protected with a shroud of anonymity, the study found.

Most recently, IntSights has found the most active forums for rogue insiders include Dark Money, a forum for buying and selling stolen banking information; cc, a Dark Web site; and exploit.IN, a popular Russian Dark Web forum, she says. Genesis Market, Joker’s Stash, and Bitify are among some of the underground markets where stolen bank cards can go for anywhere from $30 to $50 apiece, or $95 for “fresh” cards, for example, Wright says.

What’s unclear, however, is just how these employees gone bad access the information they steal and monetize. “It looks like they already have access to it in their jobs, whether they are supposed to or maybe they have admin access they are not supposed to have. … We’re not really sure how they got the access,” she says. “But they are definitely out there and in some certain regions, like Russia, they are pretty blatant and open about what company they work for. They’re not even trying to hide it.”

That openness is not the case in English-speaking forums, however, where rogue insiders and sellers are more cautious and suspicious of buyers and questions. “In English-language forums, they tend to be a lot more cautious and suspicious,” especially now that they are aware of researchers and law enforcement infiltrating their spaces, she says. And because law enforcement has been shuttering some of these forums over the past couple of years, it’s harder to track where the rogue insiders go next, notes Wright, who will present some of IntSights’ latest Dark Web findings at Black Hat Europe in London this week.

But identifying in the Dark Web just who’s behind what and from where it came isn’t necessarily always cut and dried. There are plenty of cybercriminals selling data they have stolen from their victims.

“The economy of scale of the Dark Web has a multitude of participants — not all of them full-time cybercriminals,” notes Tom Kellermann, head cybersecurity strategist for Carbon Black, now part of VMware, which has seen an increase of 41% in so-called “island-hopping,” where attackers pivot from one victim to its business partners or other connected targets to steal information.

“The challenge is determining whether these are true insiders or digital insiders commandeering the digital transformation of the corporation and using it to island-hop and access-mine” data, he says.

Finding Out the Hard Way
IntSights gets hired by organizations to drill down on their stolen data in the Dark Web. They often don’t have visibility into their data leaking out of the organization, Wright notes. “A lot of organizations are very aware of what’s going on in their networks and what’s attacking them [and going on] inside, but they aren’t aware very much of what is exposed … outside of their network,” she says.

Organizations already are flooded with security incidents on a daily basis, often with an understaffed security team, so they triage the main threats first. “They start with the closest targets and biggest threats first,” Wright says. “First, it’s malware and data loss, and then if you mature your organization to a point where you can afford an insider-threat team, it’s usually one person. Then they are overwhelmed once they start digging into the insider threat.”

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/when-rogue-insiders-go-to-the-dark-web/d/d-id/1336509?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Ad fraud: Fake local news sites are rolling in the dough

Amazing – local media outlets are giving off death rattles if they’re not already dead and buried, but a newly launched “news” site for the teensy Texas town of Laredo has seen its traffic shoot through the roof: from 200K page views in August 2019 to 3.7m visits a mere three months later.

What’s the secret sauce for laredotribune.com, created in June 2019?

According to Social Puncher, a firm that’s analyzed what it concludes is a series of sham news sites, the Laredo Tribune site is running on the fumes of pure ad fraud.

The fakery is funded by advertisers who are unwittingly paying fraudsters who pump up the page views on small “news” sites to eye-watering levels. The fraudsters do so by buying fake traffic from bots, as evidenced by anomalies such as nearly all the traffic coming from mobile devices. That’s atypical, unless a site is specifically targeted at a mobile audience.

Other red flags include the fact that the average number of pages visited and the time that the “users” spent on the site were sky-high, particularly for mobile users, and that most visits came from outside the site’s target geography.

Social Puncher’s Vlad Shevtsov, director of investigations, estimates that each of these fake news sites – which have astonishingly high traffic rates but mysteriously blink out of existence after only a short time – makes at least $100,000 (£77,450) a month.

But real news costs money to make. Writing it requires humans. Why go to all that trouble, when you can just rip off evergreen articles that are years old and post them to sites with gazillions of pages that aren’t even shown to real, live humans? From the first in a series of reports titled The fake traffic schemes that are still rotting the Internet:

The annual losses from ad fraud are estimated at billions, and even tens of billions of dollars. There are thousands, and even tens of thousands of fake sites that just simulate real media to deceive advertisers. But almost no one wonders what such sites should look like.

Cardboard cutouts posing as real news sites

How do we know that the Laredo Tribune site is bogus? Or, for that matter, the other sites that Social Puncher analyzed, all of which have newsy-sounding names: forbesbusinessinsider.com, cityofedmontonnews.com, and stantondaily.com?

A casual audit of The City of Edmonton News site will show that it’s riddled with broken functions and utter neglect. For example, the articles are old, but they don’t display dates, so their age isn’t readily apparent. The About page has language about its focus on local news, but it lacks names or other details about who the editor or journalists are who supposedly create the content. Nor does it have an editorial address or any information about the owners.

The drop-down lists don’t provide links to actual categories. None of the buttons on the main page link to the social media accounts they’re supposed to go to; rather, they just link back to the same page.

If the site were run by a bona fide media outlet, those types of errors would have been fixed on the first day that it went live. But the site, made on a $59 WordPress template by Romanian developers, languishes.

Well, at least, the portion of the site that gives off a pro forma, faint aroma of legitimate small-town news languishes. But beyond that main page is the real meat, the place where the ads get picked up by fake visitors. When Social Puncher dug deeper into the Edmonton site, for example, the firm found that the domain has a whole section of articles – one that’s much larger than the main part of the site – that aren’t related to Edmonton at all.

It found 667 articles – more than 20 times what’s available on the main part of the site – by one author, a “Ryan Frost.” They’re all “Celebrities: then and now” blurbs. Yet when you click on one, you’ll find that the author for all of the blurbs is somebody called “Lexi Schwartz” – somebody without an author page.

It turns out that there is a section of content that cannot be accessed from the main page or main categories. But it has the vast majority of user visits.

And it’s where there are tons of ads to rake in ad revenues. Social Puncher calls this a classic trick of ad fraudsters. They’ll put up a front page to simulate a legitimate news site: one that will fool a casual visitor. Meanwhile, all of the purchased traffic flows through a back door to get to the “shadow” part of the domain, with junk content that hosts dozens of banner ads for legitimate brands.

How do you detect news that’s not exactly “fake?”

Restaurant reviews are evergreen: nobody’s going to question the legitimacy of a site that has one on the front page. It’s not content that changes day to day, as would news about, say, Brexit or the US’s impeachment proceedings.

The problem, according to Social Puncher, is that there are currently no algorithms to automatically compare a site’s domain name, its stated goal, whether its audience is actually local (as opposed to flowing from another country, which doesn’t make sense for a purportedly local news site), and what its real content is about.

There are no tools that analyze the site map and internal links for verification. Therefore, it is impossible to identify sites with shadow content using modern tech algorithms. Such sites, despite the long history of their use, are not considered by the ad industry as a real threat to digital ad budgets.
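The traffic red flags described earlier (nearly all-mobile traffic, sky-high pages and time per visit, and most visits from outside the site’s stated home geography) can at least be scored automatically from a site’s own analytics. The script below is an added example, not Social Puncher’s or the BBC’s code; the thresholds and the visit records are assumptions constructed for illustration.

```python
# Added example (not Social Puncher's or the BBC's code): score a site's
# analytics against the ad-fraud red flags the article describes.
# Thresholds and sample records are assumptions constructed for illustration.
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Visit:
    device: str    # "mobile" or "desktop"
    country: str   # visitor country, ISO 3166-1 alpha-2
    pages: int     # pages viewed in the session
    seconds: int   # session duration


def red_flags(visits, home_country, mobile_max=0.90, pages_max=8.0,
              seconds_max=300, foreign_max=0.50):
    """Return {flag_name: observed_value} for each red flag that trips.

    Flags mirror the article's anomalies: nearly all traffic mobile,
    sky-high pages per visit and time on site, and most visits from
    outside the site's purported local audience (home_country).
    """
    n = len(visits)
    if n == 0:
        return {}
    observed = {
        "mobile_share": sum(v.device == "mobile" for v in visits) / n,
        "pages_per_visit": mean(v.pages for v in visits),
        "seconds_per_visit": mean(v.seconds for v in visits),
        "foreign_share": sum(v.country != home_country for v in visits) / n,
    }
    limits = {"mobile_share": mobile_max, "pages_per_visit": pages_max,
              "seconds_per_visit": seconds_max, "foreign_share": foreign_max}
    return {k: round(val, 2) for k, val in observed.items() if val > limits[k]}


# Constructed sample: a purported Texas local-news site (home audience "US").
SUSPECT = ([Visit("mobile", "IN", 12, 600) for _ in range(95)]
           + [Visit("desktop", "US", 2, 40) for _ in range(5)])
NORMAL = ([Visit("desktop", "US", 2, 45) for _ in range(40)]
          + [Visit("mobile", "US", 3, 60) for _ in range(55)]
          + [Visit("mobile", "CA", 1, 20) for _ in range(5)])

if __name__ == "__main__":
    print("suspect:", red_flags(SUSPECT, "US"))  # all four flags trip
    print("normal: ", red_flags(NORMAL, "US"))   # {}
```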

Paying fraudsters

Shevtsov told the BBC that Google, and the ad industry in general, are “ignoring obvious evidence – that they pay fraudsters.”

When the BBC contacted Google about the Laredo Tribune, the company said that it had no problems with the site’s traffic; nor does it breach its advertising rules.

That means the checks will keep coming, Shevtsov said, month after month after fraudulent month. Dr. Augustine Fou, a digital advertising expert based in New York who spoke with the BBC, said that this is in spite of the ad industry knowing about this kind of fraud for years.

I get why this is really hard for a platform like Google to police. There are hundreds of thousands of apps and millions of sites that use its advertising technology to make money.

But after years and years of knowing about abuses, they ought to be doing something more proactively, not just taking action after third parties do all the work for them.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/qLSQ70kb1xM/

IM RAT spy tool seller raided, busted, kicked offline

Imminent Methods – a marketplace where hackers could buy spyware for as little as $25 – has been taken down after an international investigation that’s led law enforcement to nine countries as they seek out the people who sell, buy and use its tool.

The UK’s National Crime Agency (NCA) said last week that 14,500 buyers picked up the tool, which is called the Imminent Monitor Remote Access Trojan (IM RAT).

Once a crook covertly slips the tool onto a targeted computer, IM RAT gives them full access, enabling them to turn off anti-virus software, steal data or passwords, record keystrokes, and eavesdrop on their victims via their webcams.

The Australian Federal Police (AFP) led the operation, with the North West Regional Organised Crime Unit (NWROCU) leading the UK investigation and the NCA supporting it. The action started a week ago, on 25 November, with 21 search warrants executed in the UK alone. The UK warrants – all of which were for suspected users of the RAT – led to nine arrests and seizure of what the NCA said was more than 100 pieces of evidence.

In total, worldwide, police executed 85 warrants, arrested 14 people and seized more than 400 items.

On Friday, police took down the Imminent Methods site. Pulling the site down means that the RAT can’t be used by the crooks who bought it, the NCA said.

Phil Larratt, from the NCA’s National Cyber Crime Unit, said that the IM RAT was used by individual crooks and organized crime outfits to break the UK’s Computer Misuse Act in a number of ways: by fraud, theft and voyeurism.

Cyber criminals who bought this tool for as little as US$25 were able to commit serious criminality, remotely invading the privacy of unsuspecting victims and stealing sensitive data.

Detective Inspector Andy Milligan, from the NWROCU, said that this has been “a complex, challenging cyber investigation with international scope” that was supported by Europol and Eurojust, among other cybercrime fighters. There may well be plenty of similar tools for sale elsewhere, but at least this one – what sounds like a cyberstalker/cyberburglar’s dream – is hopefully out of the running for good.

Milligan:

The illicit use of IM RAT is akin to a cyberburglary, with criminals stealing data, including images and movies, secretly turning on webcams, monitoring keystrokes and listening in to people’s conversations via computer microphones.

What to do?

Milligan said that to protect ourselves from RATs, we should all keep our operating systems up to date, use anti-virus software, and refrain from clicking on links or attachments in suspicious emails.

What, exactly, should you look out for? Well, we recently spotted an Instagram phishing campaign that was clever and audacious: it used two-factor authentication (2FA) as a lure. Here are the tips we gave when it comes to watching out for the tricks that crooks play to get you to click on an unexpected and/or phishy-looking email:

  • Sign-in link in email. Easy solution: never use them! If you need to sign in to Instagram, for example, you don’t need a link to find it. Use the app on your phone or a bookmark you set up yourself from your browser. Yes, it’s slightly more work. No, it’s not difficult.
  • Unexpected domain name. Make sure you know where your browser has taken you. If the address bar is too short to see the full URL, copy and paste the text out of it to make sure. If it looks wrong, assume it is wrong and ignore it, or take a second opinion from someone you trust. Yes, it’s slightly more work. No, it’s not difficult.
  • Unreasonable request. If you suspect that someone else has been logging into your account, use that account’s official way of checking your login activity. Don’t rely on web links that could have come from anywhere. Annoyingly, each social media app does this a bit differently, but once you know where to look, you’ll never be tricked again. Yes, it’s slightly more work. No, it’s not difficult.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/C9-5zyZFzdY/

Mixcloud user accounts up for sale on dark web

A hacker is ransoming account data stolen from UK-based music streaming service Mixcloud, according to news websites contacted by the attacker last week.

News of the breach first emerged on Vice, which received 1,000 sample accounts from a claimed total of 21 million that a hacker called ‘A_W_S’ seems to have nabbed on or around 13 November.

The data includes account holders’ email addresses, IP addresses, and password hashes, which Vice was able to verify as genuine. No financial data or mailing addresses are involved as the company says it doesn’t store these.

The sum reportedly demanded by the hacker is a surprisingly modest 0.5 bitcoins, equivalent to $3,700 at this week’s exchange rate.

This is a dark web auction so it’s possible this is simply a starting price against which the hacker wants Mixcloud to bid to have the data returned.

It’s also possible that the hacker doesn’t have as much data as claimed – for now, it’s impossible to know.

Mixcloud’s CTO and co-founder Mat Clayton told Vice he’d not been aware of the breach until told about it by journalists and that the company was “actively investigating” what had happened.

A subsequent announcement by Mixcloud confirmed the breach but offered reassurance regarding the strength of the password hashing used, reportedly SHA-256:

The passwords that Mixcloud does store are encrypted with salted cryptographic hashes to ensure that they are extremely difficult to unscramble. This means that they are unlikely to be decrypted by hackers.

What to do?

This might turn out to be a major breach or something more limited in scope. The safest response is to assume the worst, however.

How account holders react depends on how they signed up for Mixcloud.

The advisory claims the majority of accounts log in using their Facebook IDs, which means that Mixcloud does not hold any password data. For anyone in this camp, the data at risk is their email address.

Anyone who signed up by creating a password on the site itself would be advised to change that as soon as possible regardless of the assurances offered about hashing.

According to the company’s brief FAQ at the bottom of its advisory, this won’t happen automatically when account holders next log in and will need to be initiated manually.

This isn’t ideal because there’s always a possibility that some account holders won’t hear of a breach for weeks, or longer.

And finally…

Remember, data breaches can lead to phishing attempts, so watch out for emails that look like they might be from Mixcloud but are in fact trying to lure you to a bogus website that will capture your login credentials. Crooks know that people often reuse passwords, so knowing your credentials for one site means they can try them out on other sites – and might get lucky.

So, our advice is:

  • Avoid login links that arrive in a message. If you need to log in to one of your online accounts, use a link that you figured out yourself. Reputable services may ask you to log in, but they generally avoid sending you a link in the email.
  • Use unique passwords for every site you register with. If this sounds like hard work, use a password manager. It has the added benefit of protecting you against phishing attempts – for example, it wouldn’t prompt you to enter your Mixcloud credentials on a fake website.
  • Use 2FA on every account you can. 2FA codes are usually sent to or generated on your phone every time you log in, making your password alone much less useful to a crook.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/p_oZM1G0w4I/