STE WILLIAMS

Iran Ups its Traditional Cyber Espionage Tradecraft

Newly named APT39 hacking team exemplifies Iran’s growing sophistication in nation-state hacking operations.

Iran’s nation-state hacking machine is mostly known for its destructive cyberattacks: first with Web defacements, then crippling distributed-denial-of-service (DDoS) attacks, and most recently, data-wiping. But Iran is increasingly honing its operations in pure intelligence-gathering cyber espionage.

Cyber spying is nothing new, but over the past few years it has evolved into more of a step one for sophisticated nation-state hackers to know their targets, burrow in them, and ultimately wage more damaging attacks, such as ransomware, financial crime, data leaks/doxing, intellectual property theft – and in the case of some Iranian hacking teams such as the one behind Shamoon, data-wiping.

FireEye’s research group this week officially christened one Iranian hacking team it has been tracking for more than four years, as APT39 – the same group of hackers that Symantec already calls Chafer and CrowdStrike calls Helix Kitten. The hacking group operates as an old-fashioned cyber espionage operation, but with advanced stealthy tactics and tools to meet its intel-gathering objectives.

Benjamin Read, senior manager of cyber espionage analysis at FireEye, says his team spotted APT39 in December of last year waging attacks against the telecommunications, travel, and technology services sectors, in campaigns aimed at gathering information and records on individuals. The attackers likely were rooting around for details on phone calls of specific individuals, as well as their travel plans and patterns in support of a broad Iranian government espionage operation, he says.

APT39, unlike its counterparts in Iran that wage influence-peddling, disruption, or destructive cyberattacks, focuses specifically on the theft of personal information for use in monitoring, tracking, and surveillance operations by the nation. “They’re generally stealing data … in bulk and then processing it” for usefulness and use, he says, adding that FireEye does not have insight into the types of individuals APT39 is after.

“They’re gaining information on the very target itself,” Jon DiMaggio, senior threat intelligence analyst at Symantec, says of APT39/Chafer. “It appears they do have some cooperation with other groups” in the Middle East region, he says. “That region’s groups really play together often, which is one of the big differences in attacks” there, he notes.

Symantec by policy doesn’t identify nation-state hacking teams by country, but rather, by general region.

US Intel Community Calls Out Iran

Meanwhile, US intelligence officials see Iran as one of the biggest cyber threats to the US in the next year. Daniel Coats, US director of national intelligence, in a report yesterday said Iran is among the main hacking adversaries to target the US in 2019, along with Russia, China, and North Korea. “The use of cyber attacks as a foreign policy tool outside of military conflict has been mostly limited to sporadic lower-level attacks. Russia, Iran, and North Korea, however, are testing more aggressive cyber attacks that pose growing threats to the United States and US partners,” according to his statement in the Worldwide Threat Assessment of the US Intelligence Community, which was given to Congress yesterday.

Iran will “continue working to penetrate US and Allied networks for espionage and to position itself for potential future cyber attacks, although its intelligence services primarily focus on Middle Eastern adversaries — especially Saudi Arabia and Israel. Tehran probably views cyberattacks as a versatile tool to respond to perceived provocations, despite Iran’s recent restraint from conducting cyber attacks on the United States or Western allies,” the report said.

And like many nation-state groups, APT39/Chafer uses legitimate hacking tools such as Mimikatz and Microsoft apps like Windows Credential Editor, which makes the group difficult to detect. The key to catching them using legit tools is monitoring for unusual behavioral trends and usage, DiMaggio notes. “Anyone can download and use Mimikatz,” he says. “A lot comes down to behaviors, targets, the patterns and sequence of operations, how they get onto the network … Attribution is getting harder, not easier” with these types of tools in use, he says.

If a tool is used at an odd time of day, or if a file gets dropped onto the network that hasn’t been seen before, that could indicate an attacker is behind the tool, he says.

Other Iranian APTs

FireEye also closely follows other Iranian nation-state hacking groups – APT33, APT34, and APT35. APT33 typically targets the defense industrial base, and has waged data-wiping attacks on victims; APT34 (aka OilRig), which may be related to APT39, conducts traditional cyber espionage, but mainly against foreign affairs ministries, Read notes. APT35 also targets the defense industrial base sector, but isn’t known for the typical spear phishing attack in its initial step, for example.

What sets APT39 apart from its Iranian counterparts is its more “personal” touch of getting information on individuals. The group mostly uses the Seaweed and CacheMoney Trojan backdoors, as well as a variant of the Powbat backdoor, FireEye found. The attackers also employ relatively strong operational security to avoid detection; they were spotted running an altered version of Mimikatz that bypasses anti-malware tools, as well as conducting credential harvesting outside the victim’s network.

“They are a bit stealthier and more careful than other Iranian groups,” Symantec’s DiMaggio says.

However, so far, according to DiMaggio, Iran hasn’t retaliated cyber-wise against the US for withdrawing from the Joint Comprehensive Plan of Action (JCPOA) nuclear agreement.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Scammers steal social media videos to wring hearts and wallets

“I’m walking!” squealed the adorable, 4-year-old Mighty Miss Maya, born premature and later diagnosed with spastic diplegia cerebral palsy, when she took her first independent steps.

“Ka-CHING!!!!” enthused one or more Instagram swindlers, who promptly swiped Maya’s photo and videos to plaster onto fake fundraising accounts.

Earlier this month, Maya’s family, the Tisdales, posted onto her Facebook page the news about the imposter accounts, along with a screen capture of one of them that had been written in Russian and featured Maya’s stolen images:

It was brought to our attention a few weeks ago that someone has been stealing Maya’s pictures and videos from our account. They have set up an account and have been using Maya’s pictures and videos to try to get donations. Obviously we are very angry and we are working to have this account shut down ASAP. We are also working on having these individuals charged with fraud for collecting money under false pretenses (a lawyer friend has reached out to us and they are working on this end of things).

Maya’s mother, Ann Tisdale, said that her family has been hacked and harassed on Instagram after a video of Maya went viral last month.

The Tisdales said that Instagram was initially unresponsive, even after they filed the appropriate take-down forms and after followers had also reported the account. After the Tisdales asked followers to comment on the post and to tag @instagram, or perhaps after they contacted the media, Instagram finally took down the account… which, unfortunately but predictably, precipitated a game of whack-a-mole as the scammer(s) put up new fake accounts as fast as Instagram took them down.

It went beyond mere imposter accounts when one fraudster tried to extort the family, Ann Tisdale told ABC News.

A scammer sent a direct message on Instagram to extort the Tisdales, saying that they’d keep posting fake accounts to “spite you” unless the family paid $30,000.

From ABC News’s translation of the message:

You cannot delete my account. I will and will create it again. Spite you until you stop putting us into the story. Or give 30 thousand and I will no longer create your page

Instagram said in a statement to the TV station that it’s shut down a number of accounts and blocked the users behind them from opening new ones.

How do you stop imposters when you’re a public cause?

In spite of Instagram’s actions, the fraudsters are putting up new fake accounts as fast as they’re taken down. That, unfortunately, is the price you pay when you have an account that’s open to the public instead of being private.

The Tisdales have openly shared Maya’s journey on Instagram, where her page has over 35,000 followers, and on Facebook, where her “cause” page has 19,000 likes. Since the girl was born – four months early, at 26 weeks, weighing only 1 pound, 10 ounces, and so tiny that her family put her father’s wedding ring around her wrist to wear as a bracelet – her story has inspired others, who’ve in turn lent emotional support to the family.

According to the family’s website, Maya’s specific type of cerebral palsy caused “the muscles in her hips, legs and feet to be tight or spastic” and left her “unable to stand on her own for more than a few seconds, or walk without the use of walker.” She received surgery and regularly goes to physical therapy to get stronger.

Why should the family have to give up on the mutual support they’re getting from social media? Why should an Instagram crook – one who’s profiteering off them, harassing them and extorting them – get to chase them offline?

They shouldn’t. And they won’t.

On 12 January, the family posted a defiant message to Instagram, saying that they weren’t going anywhere, in spite of Instagram’s dragging its feet to respond to their takedown messages. The family thanked followers for reporting the fraud:

When these scammers saw YOUR force they changed their user name. 😂 They thought they could hide their criminal behavior behind a new user name @pomzsh_angeline23 but it took less than 6 hours for our followers to catch this and report it to us. #teammaya #bettertogether. Thank you for showing us that our Mighty Girls story really means something to you. ❤️.

They also called out for the type of support you need if you don’t have the luxury of keeping your account private: a swarm of followers who keep reporting these fake accounts:

We ask that you help us by remaining vigilant in reporting these scammers. If you see they have changed their name please report to us. We know they will keep changing their name until they get tired of running or our legal team catches up with them. #icantwaituntilthishappens #dontmesswiththismomma👩🏼‍💻. We will continue to post their scam accounts to our feed like we did yesterday and ask that you blast @instagram and @facebook until they do the right thing and shut these accounts down. Thanks again for your love and support. You all are awesome. 👏

Imposters, fraudsters and hijackers…

Besides being preyed on by imposters, Instagram accounts themselves can be whisked right out from under you. In October, we saw a rash of attacks in which hackers demanded ransoms from high-profile Instagram users whose accounts they’d hijacked.

That wasn’t the first time. Back in 2017, Selena Gomez’s account was ripped off and used to post nude photos of her ex, Justin Bieber. Instagram subsequently warned that its API had sprung a leak, exposing high-profile Instagram users’ email addresses and phone numbers.

Six million Instagram accounts lost personal information from that bug, and then somebody went and created a database out of it: it included all the Instagram accounts with over a million followers, and it charged $10 per search.

Between bugs like that, phishing attacks and SIM swapping attacks – when attackers socially engineer cellular carrier employees to switch a cellphone’s number to a new SIM and thereby skewer the protection of multi-factor authentication (MFA) – it’s important to buckle up your Instagram account, even if you’re not an Instagram celebrity.

Last year, Instagram announced an improvement on its SMS-based 2FA (two-factor authentication): support for mobile app-based authentication.

Here’s how to set up your Instagram account to use a third-party authenticator app:

  • Go to your profile.
  • Tap the Menu icon.
  • Select Settings.
  • Choose Two-Factor Authentication.
  • Select Authentication App.
  • If you’ve already installed an authentication app, Instagram will automatically find it and send it a login code. In that case…
  • Go to the app, retrieve the code, and enter it on Instagram. That will automatically turn on 2FA.
  • If you haven’t already installed an authentication app, Instagram will shuffle you on over to Apple’s App Store or Google Play to download the app of your choosing (Sophos has you covered here: consider downloading Sophos Authenticator which is also included in our free Sophos Mobile Security for Android and iOS). Once you’ve installed your chosen authenticator, return to Instagram to continue setting up 2FA.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/5qy1P7LN8e0/

It’s mop-up time for WebStresser DDoS-for-hire users

In April 2018, Dutch police inflicted a whole lot of “access denied” when they shut down Webstresser, the world’s biggest market for distributed-denial-of-service (DDoS) attacks.

Law enforcement working in multiple countries nabbed at least four of the attack-for-hire site’s admins, and then they went knocking on the doors of its users. Some got arrested, while some got away with warnings.

Well, going on a year later, it’s still mop-up time.

The UK’s National Crime Agency (NCA) announced that it’s been working with law enforcement agencies from 14 countries as part of what it’s calling Operation Power Off: an ongoing project to get at all the people and services behind DDoS attacks.

Police in the UK and Scotland have issued 8 warrants and seized more than 60 personal computers, tablets and mobile phones, the NCA said. An unspecified number of users have also received cease and desist notices. Police are eyeing another 400 Webstresser users for possible prosecution.

Webstresser: So easy to use, so devastating

At the time of the service’s shutdown in April, Europol said that its top users were in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada and Hong Kong. With over 136,000 registered users, Webstresser was credited with being behind an estimated 6 million cyber attacks worldwide.

The Webstresser-enabled attacks targeted critical online services for banks, government institutions, police forces, and people in the gaming industry.

DDoS attacks are blunt instruments that work by overwhelming targeted sites with so much traffic that nobody can reach them. They can be used to render competitor or enemy websites temporarily inoperable out of malice, lulz or profit: some attackers extort site owners into paying for attacks to stop.

Much mayhem could be had for what was basically pocket change. According to Webstresser’s pricing table, archived on 19 April before the site was taken down, memberships started at the “bronze” level, for €15 or USD $18.99/month, went up to $49.99/month for the “platinum” service, and topped out at $102/month for “lifetime bronze.”

A service like Webstresser could be used by those with nary a smidgen of technical skill. All they had to do to paralyze target sites was to hand over a modest amount of money: PayPal payments were accepted, but the site’s admins preferred Bitcoin payments enough to offer a sweet 15% discount.

Well, so much for hiding behind cryptocurrency and supposedly anonymous usernames. Jim Stokley, Deputy Director of the NCA’s National Cyber Crime Unit, said that none of that will shield DDoS-ers from getting busted by a police force that crosses borders to track them down:

The action taken shows that although users think that they can hide behind usernames and crypto currency, these do not provide anonymity. We have already identified further suspects linked to the site, and we will continue to take action.

Our message is clear. This activity should serve as a warning to those considering launching DDoS attacks. The NCA and our law enforcement partners will identify you, find you and hold you liable for the damage you cause.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/dXhc-zYydRc/

Firefox makes it easier for users to dodge ad-trackers

Firefox has introduced a new set of controls to make it easier for users to protect themselves from online ad trackers.

The browser’s redesigned Content Blocking section makes it easier for users to switch off cross-site trackers. These are mechanisms that advertisers and data brokers use to track your activity across different websites, giving them a clearer picture of what you’re doing online so that they can target you with marketing messages more accurately.

Firefox has gradually introduced more anti-tracking protections for its users over the years. In 2015, it began blocking trackers by default in its private browsing mode, later expanding that to include optional tracking protection in non-private browsing mode in November 2017.

To block trackers in both modes, Mozilla works with Disconnect, a company that makes free and premium anti-tracking tools. Disconnect maintains a list of known trackers to help protect its users, and Mozilla uses that list to spot and block trackers.

In October 2018, Mozilla began enabling users to optionally block cross-site ad-tracking cookies alongside traditional trackers. A Mozilla spokesperson explained the difference to Naked Security:

Cookie blocking prevents domains on the list from using cookies and other browser storage when they are loaded as third parties. Tracker blocking blocks the loading of all content from domains on the Disconnect list.

The revamped interface is the latest step in a longer-term effort to enhance user privacy called Enhanced Tracking Protection. The Mozilla spokesperson said:

Enhanced Tracking Protection is a suite of protections encompassing both the traditional tracker blocking introduced in Firefox 42 and the cookie blocking feature introduced in Firefox 63. Both tracker blocking and cookie blocking have made use of the Disconnect list since they were introduced.

Mozilla’s latest measures get it further along the path to a long-term goal of blocking third-party trackers by default, but it has to walk a delicate line. Blocking trackers too aggressively can break the functionality in certain websites.

To help users decide for themselves what to block, Mozilla has revamped the tracking options in Firefox 65 to make them easier to configure. Selecting content blocking options from the ⓘ in the address bar brings up three broad tracking options.

Standard mode is the current default, which blocks known trackers in private browsing mode and doesn’t block third-party tracking cookies at all. Strict mode blocks known trackers in non-private browsing mode too.

Finally, there’s a custom mode that lets users set their own anti-tracking options, selecting either basic or strict Disconnect lists. The basic list, selected by default, blocks common trackers used for analytics, social sharing, and advertising. The strict list blocks all known trackers including content trackers, and is more likely to break websites.

In future, Mozilla hopes to turn on third-party tracker blocking by default in Standard mode, it said.

While Firefox’s policy blocks the use of cookies for cross-site tracking, it isn’t yet blocking some other techniques. Parameter-based tracking attaches a unique identifier to the end of a web address to track user activity. Supercookies store data persistently so that they survive standard browser cookie resets. Browser fingerprinting identifies a user by their browser properties. Nevertheless, all of these are in its sights. It said:

While this type of tracking is not currently blocked in Firefox, we may apply additional restrictions to the third parties engaged in this type of tracking in future.

Firefox will also allow some tracking techniques designed to protect users, such as those that help to authenticate clients during the login process, or those that help to filter out bots.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Jz7QlSA8QlA/

Privilege escalation vulnerability uncovered in Microsoft Exchange

A researcher has discovered an alarming way that an attacker controlling a Microsoft Exchange mailbox account could potentially elevate their privileges to become a Domain Administrator.

The consequences of this would be devastating, but according to Dirk-jan Mollema of Dutch company Fox-IT, it can be achieved by combining three separate weaknesses in some configurations of Exchange into a single attack.

The first issue, writes Mollema, is that by default, members of the Exchange Windows Permissions group have the ability to modify advanced privileges on the Domain object in Active Directory (AD):

Users or computers with this privilege can perform synchronization operations that are normally used by Domain Controllers to replicate, which allows attackers to synchronize all the hashed passwords of users in the Active Directory.

That makes compromising Exchange a choice target for an attacker looking to take control of the Domain Admin account – but how to achieve this?

One well-understood possibility is through a relay attack against Microsoft’s aged NTLM authentication protocol (encapsulated inside SMB or HTTP/S) to steal an Exchange user’s credentials.

To simplify, the attacker compromises a user’s computer, relays that user’s credentials, and impersonates them on the Exchange server without setting off any alarms.

There is a limitation, however – the attacker’s machine that sets up the relay must be on the same network.

Mollema then noticed that another researcher had discovered how Exchange could be made to authenticate to an arbitrary URL over HTTP using the Exchange PushSubscription feature, a version of the so-called ‘reflection attack’.

Integrating this with the relay attack already mentioned could bridge a remote attacker to the Exchange server, giving them a path to the Domain admin prize.

It might even be possible to do this without credentials:

If we perform an SMB to HTTP (or HTTP to HTTP) relay attack (using LLMNR/NBNS/mitm6 spoofing) we can relay the authentication of a user in the same network segment to Exchange EWS and use their credentials to trigger the callback.

Mollema has released a proof-of-concept tool, PrivExchange, which demonstrates the attack against the following fully patched versions of Exchange:

  • Exchange 2013 on Server 2012R2, relayed to a Server 2016 DC
  • Exchange 2016 on Server 2016, relayed to a Server 2019 DC
  • Exchange 2019 on Server 2019, relayed to a Server 2019 DC

Exchange 2010 SP3 seemed not to be affected, said Mollema.

While the vulnerability described by Mollema has a lot of moving parts, the only current fixes involve configuration tweaks.

Mitigations include removing Exchange’s Domain object privileges where possible, stopping Exchange servers from connecting to computers on arbitrary ports, and implementing Microsoft’s November mitigation for the privilege elevation flaw covered by CVE-2018-8581.
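To check the first of those mitigations, here is an added PowerShell audit (not from the article, Fox-IT or the PrivExchange tooling) that lists any Allow ACEs on the domain object granting the Exchange Windows Permissions group the ability to rewrite the object’s ACL or exercise extended rights. The group name is the one the article gives; the ActiveDirectory RSAT module and the backup file path are assumptions.

```powershell
# Added audit example; it only reads the domain object's ACL and changes nothing.
# Assumes the ActiveDirectory RSAT module is installed and the session runs as a
# domain user with read access to the domain object.
Import-Module ActiveDirectory

function Get-DomainObjectRiskyAces {
    [CmdletBinding()]
    param(
        # Group names to look for in the domain object's ACL. The article names
        # Exchange Windows Permissions; add any others you want to audit.
        [string[]]$Principals = @('Exchange Windows Permissions'),

        # Rights that let a principal rewrite the ACL (WriteDacl, WriteOwner,
        # GenericAll) or exercise extended rights, the category that the
        # directory replication rights used to sync password hashes fall into.
        [string[]]$RiskyRights = @('GenericAll', 'WriteDacl', 'WriteOwner', 'ExtendedRight')
    )

    $domainDN = (Get-ADDomain).DistinguishedName
    # The AD: PSDrive is created when the ActiveDirectory module is imported.
    $acl = Get-Acl -Path "AD:\$domainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # IdentityReference is 'DOMAIN\Group'; compare on the group name only.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Principals -notcontains $name) { continue }

        # Keep only the risky rights actually present in this ACE's rights mask.
        $matched = foreach ($right in $RiskyRights) {
            $flag = [System.DirectoryServices.ActiveDirectoryRights]$right
            if (($ace.ActiveDirectoryRights -band $flag) -eq $flag) { $right }
        }
        if (-not $matched) { continue }

        [pscustomobject]@{
            Principal         = $ace.IdentityReference.Value
            RiskyRights       = ($matched -join ', ')
            AllRights         = $ace.ActiveDirectoryRights.ToString()
            # An empty ObjectType on an ExtendedRight ACE means every extended
            # right on the object, which includes the replication rights.
            AllExtendedRights = ($ace.ObjectType -eq [guid]::Empty)
            ObjectType        = $ace.ObjectType
            Inherited         = $ace.IsInherited
        }
    }
}

# Print the findings and, if there are any, keep a copy of the current security
# descriptor (SDDL) so a later ACL change can be reverted. Path is a placeholder.
$findings = Get-DomainObjectRiskyAces
$findings | Format-Table -AutoSize
if ($findings) {
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-Acl -Path "AD:\$domainDN").Sddl | Out-File -FilePath 'C:\Audit\domain-object-before.sddl'
}
```

A WriteDacl or GenericAll hit is the condition the article describes; whether an ExtendedRight ACE actually grants the replication rights depends on its ObjectType GUID, so review those rows before removing anything.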

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/rJ9kMeE1nVg/

Sophos Home’s been updated, and it’s got some cool new features

If you’re already using Sophos at work, you might well be aware of the artificial intelligence (AI) technology Sophos has built into its enterprise products.

Well, from today, Sophos Home Premium for PC has those capabilities too. This means it can detect and block both known and unknown malware before it executes.

Not only that, new enhanced real-time protection against application and OS exploits stops the bad guys from controlling trusted apps, using unpatched vulnerabilities to gain access to a system, and stealing credentials.

What else?

In addition to the features that are new for Sophos Home Premium for PC, above, all versions of Sophos Home have had an update. Here’s what’s new:

  • Scheduled Scan – Users can now set up and administer scheduled file system scans for customized protection.
  • Quarantine – More advanced users can now reconcile true and false positive file detections.
  • UI Enhancements – Updates to the user interface make it easier to manage multiple devices’ security from one browser, wherever the device is.

Try it now

You can try Sophos Home Premium for free for 30 days. Let us know what you think!

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/zzST9cANbrw/

Matrix under the microscope: what a niche ransomware can teach us

Thanks to SophosLabs expert Luca Nagy for the research behind this article.

In the world of computer security, a great deal of time and column inches are devoted to the extremes. At the extreme of simplicity, we have the immortal mystery of how to make basics like “don’t click on that email attachment” stick. At the other, we have the conundrum of how to avoid becoming collateral damage at the hands of complex, organised, highly evolved, state-sponsored threats.

As in many things, while the extremes are interesting they are dwarfed and separated by a vast and important middle, where most of the important work happens, and much of it goes unacknowledged.

Your 2019 next-gen protection doesn’t just need to stop this year’s most dangerous, as-yet-unseen threats. It needs to stop this year’s workhorses, schlubs and turkeys too. And the complete catalogue of last year’s threats. And the ones from the year before that. And the year before that, and everything else between that and the beginning of the history of malware.

The malware middle ground is an enormous army of malicious software journeymen, wallflowers and also-rans. They may not be as advanced as Emotet or as explosive as WannaCry, but they’ll bite you just as hard if you let them.

One such might-have-been is Matrix, a form of ransomware that sulks in the shadow cast by BitPaymer, Ryuk and GandCrab. You probably won’t encounter it, but if you do it could make your life very miserable indeed, and you’ll be glad that people like SophosLabs’ Luca Nagy were paying attention to it.

In 2018, Luca presented an extensive analysis of Matrix at the November Blackhoodie event.

Convergence

Like BitPaymer and Ryuk, Matrix is targeted ransomware. Instead of arriving in an email, like Locky or GandCrab, it arrives courtesy of a hacker, who breaks into your network and places Matrix onto as many vulnerable computers as they can.

Why? Because it pays. One guided Ryuk attack can rake in more than $100,000 from a single victim.

In a targeted attack, a criminal hacker:

  1. Gains entry to a victim’s network.
  2. Escalates their privileges until they’re an administrator.
  3. Uses their powerful access rights to overcome security software.
  4. Spreads and runs ransomware that encrypts a victim’s files.
  5. Leaves a note demanding payment in return for decrypting the files.
  6. Waits for the victim to contact them via email or a dark web website.

One of the signature features of targeted ransomware is the field’s convergence on a standard set of tools and tactics.

Matrix emerged in 2016, at the beginning of the trend for targeted ransomware. It’s been improved steadily since and the methods used by its operators have evolved too. Tactics that were unusual, or that made Matrix a bit different, have slowly been passed over in favour of a template common to almost all targeted ransomware.

For example, the malware has given up its use of an exploit kit to gain a foothold on a victim’s network in favour of the near-universal tactic of exploiting weak RDP credentials.

Until recently, victims were told to contact the malware’s operators using an instant messaging service. Since the messaging service disappeared in December 2018 the attackers have switched, like many other types of targeted ransomware, to simply using email.

Earlier versions of the malware also contained a ransom note that attempted to trick victims into believing their files had been locked by the FBI. That crude piece of social engineering has since given way to a lengthy, more matter-of-fact ransom note that’s part threat, part help file, and which could just as easily have come from SamSam or BitPaymer.

Matrix ransom note

The convergence of targeted ransomware tactics is evidenced by the SophosLabs Targeted Ransomware Playbook, reproduced below, which compares five types of well known targeted ransomware and contrasts them with GandCrab, one of the most popular varieties of Ransomware‑as‑a‑Service (RaaS).

You can read more about the ransomware mentioned in this chart in our articles about SamSam, Ryuk, BitPaymer and the rise of targeted ransomware.

Enter the Matrix

The crooks behind targeted ransomware aim to make the extra effort they put into delivering their malware pay off in the form of higher ransoms. By guiding their software into sensitive parts (or even all parts) of a victim’s network, they hope to cause crippling damage to an entire organisation.

Whereas a fire-and-forget ransomware like Locky or WannaCry will charge a fixed fee, targeted ransomware opens the door for crooks to vary their demands and offer victims “deals”. Some attackers offer to decrypt a few computers for free, to prove they can. Others will offer different price bands for decrypting different numbers of computers, and prices can shift up and down depending on what the attackers think they can get away with, how quickly victims pay, and so on.

Unusually, the Matrix ransom note doesn’t tell victims how much they’ll need to pay. To find that out, victims have to get in touch with the crooks using a number of email addresses.

As part of her research, Luca posed as a victim of the ransomware and communicated, briefly, with its operators. The first email attempts to remove all hope for the victim by reassuring them of the strength of the encryption used in the attack:

Talking with Matrix

The next email includes the price. The crooks ramp up the social engineering with price incentives for early payment, threats, time limits and disdain for “stupid questions”. Unusually, the price is listed in US dollars rather than Bitcoin, perhaps in an attempt to insulate the crooks from Bitcoin price fluctuations.

Talking with Matrix

Of course, Luca wasn’t about to pay a ransom, so the crooks are left to wonder what to do with a victim who isn’t intimidated by their threats and doesn’t seem bothered about restoring their files.

What happens next shows you what any good sales person knows: if you can convince the person you’re talking to that you don’t want to buy what they’re selling, the price goes down.

Talking with Matrix

What to do?

The similarities across targeted ransomware attacks give defenders one advantage: the diligence and precautions required to prevent an attack by one form of targeted ransomware are much the same as those required to stop any other. You can read more about those precautions in the article How to defend yourself against SamSam ransomware.

Sophos Endpoint and Intercept X can block Matrix and will detect it and its components as Troj/Matrix-*.

You can read much more about Luca’s exhaustive dissection of Matrix in her research paper Matrix: a low-key targeted ransomware.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gA_afGaanSg/

Open Source & Machine Learning: A Dynamic Duo

In recent months, machine-learning code has become readily available in the open source community, putting security analysts on a path toward easier data pattern recognition.

As a data scientist, I’m always looking for new patterns and insights that guide action — especially ways to make data science more effective for cybersecurity. One pattern I see consistently throughout the industry is the inability to operationalize machine learning in a modern security operations center. The challenge is that the capabilities behind different machine-learning models are difficult to explain. And if those of us in security can’t understand how something works, and how to apply it to what we do, why on earth would we trust it?

Machine learning (ML) can revolutionize the security industry, change the way we identify threats, and mitigate disruption to the business. We’ve all heard that. Things break down when we start to talk about ML more in practice and less in theory.  

Trust is built through education, testing, and experience. Unfortunately, commercial interests have impaired the situation. Far too often, we see commercial offerings rolled out assuring their audiences they can hit the ground running on day one — without explaining how the artificial intelligence (AI) behind it arrives at specific insights. We call this a “black-box approach.” But more “explainable AI” approaches are needed. We don’t need to be told why to use a hammer. We need to be told how.

Understanding the “how” comes from practice and learning from others. This points to another fundamental requirement: easy access to ML code with which to experiment and share outcomes and experiences with a like-minded community.

That door leads us to the open source community. The typical security analyst is coming to the table with a specific challenge needed to be solved in a network environment, such as defending against sophisticated threat actors. The analyst knows how to write rules to prevent a specific tactic or technique from being used again, but he cannot detect the patterns to proactively hunt threats because he does not have the models to dynamically assess data as it arrives. If machine learning can be demonstrated to solve particular use cases in an open forum, more analysts will be willing to adopt the technology in their workflows.

Sharing code for use and constant alteration by others — and for the good of others and the enterprises they serve — has proved to be a wonderful learning mechanism. Two decades ago, we saw a similar challenge facing security engineers and analysts when few understood how to accurately assess network packets. Then Snort came along, which changed the game. Analysts learned how to assess packets at their own pace, experimented with the code and models in simple ways, and in time began to trust real-time traffic analysis in the network intrusion detection system. The open signature ecosystem has grown over time into a global effort.

In recent months, ML code has become readily available in the open source community, offering security analysts opportunities to explore, experiment with, and exchange ideas about ML models, putting them on a path toward easier data pattern recognition. As analysts begin their journey testing out ML code and models for themselves, here are three best practices to keep in mind:

  • Come prepared with a specific problem: No technology is magic. Machine learning can only solve problems for which it is well-suited. Coming to the table with a defined problem will make it easier to determine whether ML can help and, more importantly, it will help avoid wasting time and spinning wheels that force going back to square one.
  • Start with the end in mind: Having an idea about how the model could be used in production is a helpful guide during model development. A great model that can’t be deployed in production is worthless. Starting with the end guides decisions about algorithm choice, data selection, and which question to address.
  • Remember that simplicity is the name of the game: Start with simple data counts, look at frequency and standard deviations, and gradually move to statistics and then onto the ML models. Simpler approaches can be deployed more easily. Remember: A model in the lab does not produce value until it is used on live data.
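A minimal version of the "start simple" progression in the last point, as an added example that is not part of the article or of any CounterFlow AI code: it parses a handful of constructed authentication-failure log lines, counts events per host and per minute, and flags hosts whose count sits more than two standard deviations above the mean across hosts. The log format, hostnames, user names and the z-score threshold are all assumptions made for illustration.

```python
"""Counts, frequencies and standard deviations as a first-pass detection baseline.

Added example (not from the article). The log format and every value in
SAMPLE_LOG are constructed for illustration; no real environment is described.
"""
from collections import Counter
from statistics import mean, pstdev

# Constructed sample: one authentication failure per line, "HH:MM:SS EVENT key=value ...".
# Seven workstations fail once or twice; one database server fails ten times in a minute.
SAMPLE_LOG = """\
08:00:01 AUTH_FAIL host=ws-01 user=alice
08:00:14 AUTH_FAIL host=ws-02 user=bob
08:00:37 AUTH_FAIL host=ws-03 user=carol
08:00:52 AUTH_FAIL host=ws-03 user=carol
08:01:05 AUTH_FAIL host=ws-04 user=dave
08:01:18 AUTH_FAIL host=ws-05 user=erin
08:01:33 AUTH_FAIL host=ws-06 user=frank
08:01:41 AUTH_FAIL host=ws-06 user=frank
08:01:59 AUTH_FAIL host=ws-07 user=grace
08:02:01 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:03 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:04 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:06 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:07 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:09 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:10 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:12 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:13 AUTH_FAIL host=srv-db-1 user=svc_backup
08:02:15 AUTH_FAIL host=srv-db-1 user=svc_backup
"""


def parse_line(line):
    """Turn 'HH:MM:SS EVENT k=v k=v' into a dict; the key=value layout is an assumption."""
    ts, event, *kvs = line.split()
    record = {"ts": ts, "event": event}
    for kv in kvs:
        key, _, value = kv.partition("=")
        record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of a log blob."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def count_by(records, key):
    """Step 1 of the progression: plain counts of events per value of a field."""
    return Counter(r[key] for r in records if key in r)


def events_per_minute(records):
    """Step 2: event frequency over time, bucketed by the HH:MM prefix of the timestamp."""
    return Counter(r["ts"][:5] for r in records)


def zscore_outliers(counts, threshold=2.0):
    """Step 3: flag keys whose count lies more than `threshold` standard deviations
    above the mean of all counts. Returns {key: z_score}. Uses the population
    standard deviation; with fewer than two keys, or no spread at all, nothing
    can be an outlier, so an empty dict is returned rather than dividing by zero."""
    values = list(counts.values())
    if len(values) < 2:
        return {}
    mu = mean(values)
    sigma = pstdev(values)
    if sigma == 0:
        return {}
    return {key: (v - mu) / sigma for key, v in counts.items() if (v - mu) / sigma > threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failures per host:", dict(count_by(recs, "host")))
    print("failures per minute:", dict(events_per_minute(recs)))
    print("outlier hosts (z > 2):", zscore_outliers(count_by(recs, "host")))
```

The point of the ordering is that each step is explainable on its own: a count can be checked by eye, a per-minute frequency shows whether a burst is the cause, and the z-score is a one-line statistic an analyst can reason about before any model is involved. Only when this baseline stops being good enough is it worth reaching for an ML model, and by then the same parsed records and counts are the features it would consume.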

Sharing one’s experiences with the experimentation of models is vital to advancing the adoption of machine learning and building trust over time. As more problems are shared, a deeper catalog of use-case recipes can be generated to help analysts optimize their ML models. Analysts helping other analysts — for the good of the community, for the good of enterprises — is common. It is very easy to detect a pattern here. All doors lead to open source.


Andrew Fast is the chief data scientist and co-founder of CounterFlow AI. CounterFlow AI builds advanced network traffic analysis solutions for world-class security operation centers (SOC). Previously, Dr. Fast served as the chief scientist at Elder Research, a …

Article source: https://www.darkreading.com/vulnerabilities---threats/open-source-and-machine-learning-a-dynamic-duo/a/d-id/1333720?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

You think election meddling is bad now? Buckle up for 2020, US intel chief tells Congress

Attacks intended to sway the outcome of the 2020 US Presidential election are probably already underway, according to the nation’s head of intelligence.

Daniel Coats, Director of National Intelligence, told the US Senate Intelligence Committee on Tuesday that China, Russia, and Iran are most likely already well into their operations aimed at influencing the outcome of the election to suit their national interests. It’ll make 2016 look like a warm-up, he warned.

“More broadly, US adversaries and strategic competitors almost certainly will use online influence operations to try to weaken democratic institutions, undermine US alliances and partnerships, and shape policy outcomes in the United States and elsewhere,” Coats said in his remarks (PDF) to the bipartisan panel.

“We expect our adversaries and strategic competitors to refine their capabilities and add new tactics as they learn from each other’s experiences, suggesting the threat landscape could look very different in 2020 and future elections.”

In addition to the current tactics of trolling, hacking political operatives, and social media influence, Coats said deep fake videos are likely to rear their ugly heads in 2020.

“Adversaries and strategic competitors probably will attempt to use deep fakes or similar machine-learning technologies to create convincing—but false—image, audio, and video files to augment influence campaigns directed against the United States and our allies and partners,” he told the Senate.

Let’s be careful out there

The remarks were part of an annual security briefing that Coats and his counterparts at other intelligence agencies give to the committee on the various network and data threats they expect the US to face in the coming months and years.

In addition to messing with elections, the US intel boss said that he expects hostile nations to continue cyberattacks against the US, with each country choosing a different tactic based on its strengths and needs.


Russia, for example, will likely continue to go after critical infrastructure and focus on stealing intel from NATO and Five Eyes (US, Canada, UK, Australia and New Zealand) allies in an attempt to get military and diplomatic dirt.

Iran, meanwhile, is likely to focus on social media campaigns to help boost its public image and sway opinions in its favor and North Korea will look to boost its coffers with financial hacks.

China, however, was specifically singled out as the biggest threat to the US. Coats pointed out that Beijing has the capacity and desire to go after American targets for not only diplomatic and military information, but also for attacks on infrastructure and private-sector business.

“China remains the most active strategic competitor responsible for cyber espionage against the US Government, corporations, and allies,” Coats noted.

“It is improving its cyber attack capabilities and altering information online, shaping Chinese views and potentially the views of US citizens—an issue we discuss in greater detail in the Online Influence Operations and Election Interference section of this report.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/01/30/us_election_meddling/

Americans Worried More About Computer – Not Border

A new survey shows that Americans are more concerned about their computer’s security than about the US border’s.

According to a new survey, Americans are worried about security, but they’re far more worried about cybersecurity than border security.

Some 63% of those surveyed said that “making sure our computers are protected and privacy respected” is the most urgent security issue compared to 29% who think that physical border security is the most important.

The survey, conducted by Vrge Analytics and sponsored by the Internet Education Foundation, asked 897 adult Americans about a number of technology-related issues. Some 45% said that it’s unlikely that digital platforms will ever fully regain their trust, while just under a quarter say it’s likely a trusting relationship will eventually be restored.

The survey was conducted in conjunction with the annual State of the Net conference which was held today in Washington, DC.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities-and-threats/americans-worried-more-about-computer---not-border---security/d/d-id/1333754?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple