STE WILLIAMS

NSA sought data on 534 MILLION phone calls in 2017

The United States’ Office of the Director of National Intelligence (ODNI) released its annual Intelligence Community Transparency Report last Friday, revealing the extent of America’s domestic intelligence-gathering efforts.

Those efforts are certainly quite extensive. The report says America’s national security agencies sought 534,396,285 call detail records in calendar 2017, based on 31,196 search terms.

The respective numbers for 2016 were 151,230,968 and 22,360. Why the big jump in call detail records for 2017? The ODNI warned that it can’t de-dupe the data, meaning that the 534m+ figure could include the same call’s metadata recorded by two telcos. And the number of calls could be higher because it includes foreign calls, or because a search for a person of interest turned up all of their calls, not just calls of interest to investigators.

A more than threefold increase is nonetheless alarming, even if the number of call records sought is lower than figures detailed by whistle-blower Edward Snowden.

Other data points from the report (PDF) include:

  • Securing 1,437 Foreign Intelligence Surveillance Act (FISA) “Probable Cause” Court Orders that would allow electronic surveillance, of approximately 1,337 targets, 299 of them Americans;
  • 12,762 National Security letters that would allow investigators to obtain phone, credit, or financial records;
  • 33 authorisations to use electronic surveillance for foreign intelligence purposes;
  • 77 requests for business records

The report is replete with many, many more data points and paints a picture of an extensive surveillance operation.

As intended, it reads like an account of an orderly and meticulously-authorised intelligence-gathering effort. Snowden, however, exposed lots of surveillance efforts that exceeded agencies’ authorities. And of course this report doesn’t describe any of those. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/07/2017_intelligence_community_transparency_report/

That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven’t bothered

A set of high-severity vulnerabilities in Drupal that were disclosed last month are now the target of widespread attacks by a malware campaign.

Researcher Troy Mursch of Bad Packets Report has spotted hundreds of compromised Drupal sites being used to host “cryptojacking” malware that uses the CPUs of visitors to mine cryptocurrency via CoinHive.


Mursch says the sites all appear to have been compromised via their Drupal CMS software, all of which were outdated and vulnerable to the ‘Drupalgeddon2’ remote code execution flaws.

While the first compromised pages were spotted on the websites of the San Diego Zoo and the Chihuahua, Mexico government site, the researcher quickly found the attack to be far more widespread.

“After I analysed the IoCs, I was able to locate over 300 additional websites in this cryptojacking campaign,” Mursch wrote. “Many discovered were government and university sites from all over the world.”

In total, Mursch said, around 348 individual sites had been compromised by this specific malware operation.

The attackers were able to exploit the flaws and inject code into individual pages that would then run mining code whenever a visitor loads the page.
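For a site operator checking whether their own pages carry an injected miner loader, the following scanner is an added example (not code from the article or from Bad Packets Report). It pulls every script reference out of saved HTML and flags external scripts served from a mining-service domain (coinhive.com, the service the article names, is the only entry; the list is meant to be fed from your own IoC data) and inline scripts that reference the CoinHive loader global. The `CoinHive` marker and the sample pages are assumptions constructed for the example.

```python
# Added example (not from the article or from Bad Packets Report): scan saved
# HTML pages for injected CoinHive-style mining scripts, the way a Drupal site
# operator would check whether their pages were hit by this campaign.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains treated as mining-script hosts. coinhive.com is the service the
# article names; extend the set from your own IoC feed.
MINER_HOSTS = {"coinhive.com"}
# Inline-script markers. "CoinHive" was the global the loader exposed
# (assumption from public documentation at the time, not from the article).
INLINE_MARKERS = ("CoinHive",)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _host(url):
    """Hostname of a script URL; protocol-relative '//host/x' is handled too."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def find_miner_scripts(html, miner_hosts=MINER_HOSTS, markers=INLINE_MARKERS):
    """Return a list of (kind, detail) findings for mining scripts in `html`."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = _host(src)
        # match the listed domain itself and any subdomain of it
        if any(host == h or host.endswith("." + h) for h in miner_hosts):
            findings.append(("external", src))
    for body in parser.inline:
        if any(m in body for m in markers):
            findings.append(("inline", body.strip()[:80]))
    return findings


# Constructed sample: a page carrying an injected loader plus a start call.
INJECTED_PAGE = """<html><head><title>Zoo</title>
<script src="/sites/default/files/js/js_abc.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<script>var miner = new CoinHive.Anonymous('SITE-KEY-PLACEHOLDER'); miner.start();</script>
</body></html>"""

# Constructed sample: a clean page with only first-party scripts.
CLEAN_PAGE = """<html><head><script src="/core/misc/drupal.js"></script></head>
<body><script>console.log('ok');</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("clean", CLEAN_PAGE)):
        print(name, find_miner_scripts(page))
```

Run it over a crawl of your own site's rendered pages rather than the Drupal source tree: the injection described above lives in page content, so a file-integrity check on core alone can miss it.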

“This is yet another case of miscreants compromising outdated and vulnerable Drupal installations on a large scale,” writes Mursch. “If you’re a website operator using Drupal’s content management system, you need to update to the latest available version ASAP.”

It’s not exactly a new revelation that attackers target high-profile vulnerabilities in the wild. Since the Drupal bugs were first revealed in April along with their patches, experts have been advising administrators to make sure they have tested and applied the fixes as soon as possible.

That the attackers were able to infect hundreds of sites, many run by governments and educational institutions, shows how potentially widespread the vulnerability appears to be amongst high-value targets.

It should also be yet another reminder to any admins dragging their feet on checking their Drupal installations for the bug: the bug is being actively exploited in the wild, the time to patch is now. More accurately, the time was about three weeks ago. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/07/drupal_bug_exploits/

Hacking charge dropped against Nova Scotia teen who slurped public records from the web

Cops in Halifax, Nova Scotia, Canada, will not pursue charges against a 19-year-old fella who had dared to download a cache of public documents.

In a brief statement issued Monday, police said that, following nearly a month of investigation, there were “no grounds to lay charges” in a case that had drawn harsh criticism from digital rights groups. The young man had shown no criminal intent in fetching freely available files that anyone could have slurped, the plod admitted.

“This was a high-profile case that potentially impacted many Nova Scotians,” Superintendent Jim Perrin, Officer-in-Charge of Criminal Investigations said of the case.

“As the investigation evolved, we have determined that the 19-year-old who was arrested on April 11 did not have intent to commit a criminal offence by accessing the information.”

The Canadian teen had faced the possibility of jail time for alleged unauthorized access to a computer when, earlier this year, he automatically downloaded some 7,000 documents from the province’s Freedom of Information and Protection of Privacy website.

This website is an online database of documents published in response to freedom of information requests: if you request some info, and pay the fee, any documents ultimately dug up and handed over will eventually be popped onto the site for everyone on the planet to see.

Arguing that some of the files copied from the portal contained personal information on Canadian citizens, police tracked down the young man, and raided his home in early April on suspicion of hacking.


The case became an international story when digital rights groups criticized the Nova Scotia government for heavy-handed tactics against someone who was simply looking at publicly available data.

For many, the case was seen as red-faced bureaucrats trying to cover up their own data management blunders by blaming someone who had done little more than enter a curl command to pull down a collection of documents.

A bunch of records – which contained thousands of people’s addresses, social insurance numbers, and other sensitive details – had accidentally been placed online in non-redacted PDFs by officials. These files were subsequently slurped by the teen after he ran through the document ID numbers from 1 to 7,000, drawing in hundreds of pages of released information as well as inadvertently pulling in data government staffers should never have dumped on the internet in the first place for all to see.

Shortly after the story took off, a GoFundMe page was set up for the teen to help cover legal bills. With the case now dropped, organizers say they are looking to repurpose the money into a scholarship fund. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/05/07/canadian_teen_hacker/

Trial Begins for Latvian Man Accused of Malware Operation

Ruslans Bondars has been accused of running a malware service that had been linked to cyberattacks on US businesses.

Officials in Alexandria, Va. this weekend began selecting jury members for the trial of Ruslans Bondars, a Latvian national accused of running a Dark Web service through which hackers could determine whether their malware was likely to get flagged.

Bondars allegedly teamed up with Russian national Jurijs Martisevs to run the service, which checked attackers’ malware code for virus signatures used in common security software. If the malware was likely to be detected in the wild, its developer could make the necessary changes to bypass their targets’ security defenses. The service ran from 2009 through May 2017, during which time it was connected to cyberattacks on organizations in the US.

Martisevs pleaded guilty in March to one charge of conspiracy and one charge of aiding and abetting computer intrusion. Bondars currently faces federal charges of conspiracy, wire fraud, and computer hacking. He’s set to be sentenced in July. It’s believed other co-conspirators participated in the operation, including a malware author based in Virginia.

Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/trial-begins-for-latvian-man-accused-of-malware-operation/d/d-id/1331732?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why DDoS Just Won’t Die

Distributed denial-of-service attacks are getting bigger, badder, and ‘blended.’ What you can (and can’t) do about that.

Most every organization has been affected by a distributed denial-of-service (DDoS) attack in some way: whether they were hit directly in a traffic-flooding attack, or if they suffered the fallout from one of their partners or suppliers getting victimized.

While DDoS carries less of a stigma than a data breach in the scheme of security threats, a powerful flooding attack can not only take down a company’s network, but also its business. DDoS attacks traditionally have been employed either to merely disrupt the targeted organization, or as a cover for a more nefarious attack to spy on or steal data from an organization.

The April takedown by the UK National Crime Agency and Dutch National Police and other officials of the world’s largest online market for selling and launching DDoS attacks, Webstresser, was a big win for law enforcement. Webstresser boasted more than 136,000 registered users and supported some four million DDoS attacks worldwide.

But in the end, Webstresser’s demise isn’t likely to make much of a dent in DDoS attack activity, experts say. Despite reports that the takedown led to a significant decline in DDoS attacks, Corero Network Security saw DDoS attacks actually rise on average in the second half of the month of April. “Our own evidence is that attack volumes globally and in Europe have, if anything, increased in the week since the Europol take-down action,” said Andrew Lloyd, president of Corero.

Even without a mega DDoS service, it’s still inexpensive to wage a DDoS attack. According to Symantec, DDoS bot software starts as low as a dollar to $15, and less than one-hour of a DDoS via a service can go from $5 to $20; a longer attack (more than 24 hours) against a more protected target, costs anywhere from $10 to $100.

And bots are becoming even easier to amass and in bigger numbers, as Internet of Things (IoT) devices are getting added to the arsenal. According to the Spamhaus Botnet Threat Report, the number of IoT botnet controllers more than doubled last year. Think Mirai, the IoT botnet that in October of 2016 took down managed DNS provider Dyn, taking with it big names like Amazon, Netflix, Twitter, Github, Okta, and Yelp – with an army of 100,000 IoT bots.

Scott Tierney, director of cyber intelligence at Infoblox, says botnets increasingly will be comprised of both traditional endpoints—Windows PCs and laptops—as well as IoT devices. “They are going to be blended,” he said in an interview. “It’s going to be harder to tell the difference” in bots.

The wave of consumer products with IP connections without software or firmware update capabilities will exacerbate the botnet problem, according to Tierney.

While IoT botnets appear to be the thing of the future, some attackers have been waging old-school DDoS attacks: in the first quarter of this year, a long-tail DDoS attack lasted more than 12 days, according to new Kaspersky Lab research. That type of longevity for a DDoS was last seen in 2015.

Hardcore heavy DDoS attacks have been breaking records of late: the DDoS attack on Github recently, clocked at 1.35 terabytes, was broken a week later by a 1.7TB DDoS that abused the Memcached vulnerability against an undisclosed US service provider. “That Github [DDoS] record didn’t even last a week,” Tierney said in a presentation at Interop ITX in Las Vegas last week.

The DDoS attack employed Memcached servers exposed on the public Internet. Memcached, an open-source memory-caching system for storing data in RAM for speeding access times, doesn’t include an authentication feature, so attackers were able to spoof requests and amplify their attack. If properly configured, a Memcached server sits behind firewalls or inside an organization.
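The two settings that turn a Memcached server into an amplifier are the ones the paragraph above describes: a UDP listener and a bind address reachable from the Internet. The audit function below is an added example (not from the article, Infoblox or the Memcached project) that parses a memcached start-up command line and reports those two conditions, then shows an exposed configuration beside a hardened one. It handles only the documented `-l`/`--listen` and `-U`/`--udp-port` flags; the `udp_default_on` switch is an assumption that older releases enabled UDP unless told otherwise, and the two command lines are constructed samples.

```python
# Added example (not from the article or the Memcached project): audit a
# memcached start-up command line for the two settings that let it be abused
# as a UDP amplifier: a UDP listener and a non-loopback bind address.
import shlex

# Addresses that mean "every interface on the host" (assumed conservative set).
WILDCARD_ADDRS = {"0.0.0.0", "::", "*", "INADDR_ANY"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1", "localhost"}


def parse_memcached_args(cmdline):
    """Extract -l/--listen and -U/--udp-port values from a memcached command line.

    Returns (listen_addrs, udp_port); udp_port is None when the flag is absent.
    Only the flag spellings memcached documents are handled.
    """
    argv = shlex.split(cmdline)
    listen, udp_port = [], None
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-l", "--listen") and i + 1 < len(argv):
            listen.extend(a.strip() for a in argv[i + 1].split(","))
            i += 2
        elif arg.startswith("--listen="):
            listen.extend(a.strip() for a in arg.split("=", 1)[1].split(","))
            i += 1
        elif arg in ("-U", "--udp-port") and i + 1 < len(argv):
            udp_port = int(argv[i + 1])
            i += 2
        elif arg.startswith("--udp-port="):
            udp_port = int(arg.split("=", 1)[1])
            i += 1
        elif arg.startswith("-U") and arg[2:].isdigit():  # e.g. "-U11211"
            udp_port = int(arg[2:])
            i += 1
        else:
            i += 1
    return listen, udp_port


def audit_memcached(cmdline, udp_default_on=True):
    """Return the list of findings for a memcached command line.

    udp_default_on: treat an absent -U flag as "UDP enabled". Older memcached
    releases enabled UDP by default and newer ones disable it (assumption: pass
    False only when you know the installed version defaults UDP off).
    """
    listen, udp_port = parse_memcached_args(cmdline)
    findings = []
    udp_on = udp_default_on if udp_port is None else udp_port != 0
    if udp_on:
        findings.append("udp_enabled")
    # Strip a ":port" suffix from IPv4-style entries before classifying them.
    addrs = [a.rsplit(":", 1)[0] if a.count(":") == 1 else a for a in listen]
    if not addrs or any(a in WILDCARD_ADDRS for a in addrs):
        findings.append("listens_on_all_interfaces")
    elif not all(a in LOOPBACK_ADDRS for a in addrs):
        findings.append("listens_on_non_loopback_interface")
    if "udp_enabled" in findings and "listens_on_all_interfaces" in findings:
        findings.append("reachable_udp_amplifier_risk")
    return findings


# Constructed samples: the exposed configuration and the hardened one.
EXPOSED = "memcached -m 64 -p 11211 -u memcache -l 0.0.0.0"
HARDENED = "memcached -m 64 -p 11211 -u memcache -l 127.0.0.1 -U 0"

if __name__ == "__main__":
    print("exposed :", audit_memcached(EXPOSED))
    print("hardened:", audit_memcached(HARDENED))
```

A server that must serve other hosts should still carry `-U 0` and bind to an internal address; the `listens_on_non_loopback_interface` finding is the prompt to confirm that the address is not routable from the Internet and that a firewall fronts it.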

“Memcached amplification attacks are just the beginning” of these jacked-up attacks, Tierney said. “Be ready for multi-vector attacks. Rate-limiting is good, but alone it’s not enough. Get ready for scales of 900Mbps to 400Gbps to over a Terabyte.”

Tierney recommended ways to prepare for a DDoS attack, including: 

  • Establish a security policy, including how you’ll enact and enforce it
  • Track issues that are security risks
  • Enact a business continuity/disaster recovery plan
  • Employ good security hygiene
  • Create an incident response plan that operates hand-in-hand with a business continuity/disaster recovery plan
  • Have a multi-pronged response plan, so that while you’re being DDoSed, your data isn’t also getting stolen in the background
  • Execute tabletop attack exercises
  • Hire external penetration tests
  • Conduct user security awareness and training
  • Change all factory-default passwords in devices
  • Know your supply chain and any potential risks they bring
  • Use DDoS traffic scrubbers, DDoS mitigation services


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/why-ddos-just-wont-die/d/d-id/1331734?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

SynAck Ransomware Gets Dangerous ‘Doppelganging’ Feature

New Process Doppelganging and obfuscation features make the malware much harder to spot and stop.

The authors of the SynAck ransomware family appear to have found a way to make the malware considerably more dangerous for enterprises.

Kaspersky Lab this week reported discovering a new version of SynAck that uses a very sophisticated technique called Process Doppelganging to try and evade anti-malware tools. In an advisory this week, Kaspersky Lab researchers said they have observed the new variant being used in limited but highly targeted attacks against organizations in the United States, Germany, Kuwait and Iran.

“Enterprises should be aware that threat actors [have] switched to targeted attacks with ransomware,” says Anton Ivanov, lead malware analyst, Kaspersky Lab. “Threat actors are beginning to use custom made ransomware with complicated techniques to bypass security solutions,” Ivanov says. 

The authors of the new SynAck version have been using a combination of remote desktop protocol brute-force attacks and manual downloads to install the malware on vulnerable systems. The ransomware is designed to encrypt office documents, multimedia files, and database files.

Ransom amounts associated with the new variant have tended to average $3,000, which is a somewhat modest amount considering the sophistication behind the malware and the targeted nature of the campaign. That suggests that the threat actor behind the new SynAck is hoping to make money through volume infections rather than by attempting to extort large sums of money from a small number of victims.

The SynAck version is the first ransomware sample to use Process Doppelganging, which basically involves a way to run malicious code in the guise of a harmless and legitimate Windows process. Security vendor enSilo demonstrated the technique at Black Hat Europe 2017 last December.

enSilo has described Process Doppelganging as a fileless evasion technique for bypassing real-time file scanning by most AV software and next generation AV tools for all versions of Windows since Windows Vista. Unlike malware that has to be written to disk or run completely from memory, with Process Doppelganging, threat actors can build malware that can run from what appears to be a completely legitimate-looking file.

“By manipulating how Windows handles file transactions, attackers can pass off malicious actions as harmless, legitimate processes, even if they are using known malicious code,” Kaspersky Lab security researchers said in their advisory. The technique allows attackers to run malicious code without leaving any trace behind, making intrusions extremely hard to detect.

Doppelganging is not the only feature that sets the new SynAck variant apart from other ransomware tools.

Other notable features of the variant include the manner in which the malware obfuscates its executable code before compilation. Instead of using a custom packer to protect the malware code, the new SynAck version obfuscates the executable before compilation, thereby making it significantly harder for security researchers to reverse-engineer the code.

SynAck’s latest version also can detect whether it’s being launched from an automated sandbox: if so, it will promptly exit the sandbox. Before it actually begins to encrypt files, SynAck also checks the hashes of all processes that are running on the compromised machine, and tries to kill any processes that match a list of processes hard-coded into the malware.

Processes that SynAck is designed to kill include virtual machines, database applications, backup systems, and gaming applications in what appears to be a bid to make it easier to seize high-value files which may otherwise be tied to a running process, Kaspersky Lab said in its report.
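The pre-encryption step the two paragraphs above describe, a burst of terminations of database, backup and virtual-machine processes, is itself a detectable pattern. The rule below is an added example (not from the article or from Kaspersky Lab) that reads process-termination events, keeps a sliding window per terminating process, and raises an alert when one process has ended a threshold number of watched processes within a few seconds. The log format, the watchlist of process names and the sample events are all constructed assumptions; in a real deployment the events would come from Windows process-tracking audit events or an EDR feed.

```python
# Added example (not from the article or Kaspersky Lab): flag a burst of
# terminations of backup, database and virtualisation processes, the pattern
# the article attributes to SynAck before it starts encrypting.
from collections import deque
from datetime import datetime, timedelta
import re

# Constructed watchlist of process names and the category each belongs to;
# extend it from your own estate's inventory.
WATCHED = {
    "sqlservr.exe": "database", "mysqld.exe": "database", "oracle.exe": "database",
    "vmware-vmx.exe": "vm", "vmwp.exe": "vm",
    "veeam.backup.service.exe": "backup", "wbengine.exe": "backup",
}

# Assumed (constructed) log format: ISO-8601 UTC timestamp, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_event(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect_kill_bursts(lines, window_seconds=10, threshold=3):
    """Return alerts as (killer_pid, first_ts, [names]).

    An alert fires once per killer pid when that pid has terminated at least
    `threshold` watched processes within `window_seconds`.
    """
    recent = {}      # killer pid -> deque of (ts, name) within the window
    alerted = set()  # killer pids already reported, to avoid repeats
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev.get("event") != "terminated":
            continue
        name = ev.get("name", "").lower()
        if name not in WATCHED:
            continue
        killer = ev.get("by", "?")
        q = recent.setdefault(killer, deque())
        q.append((ev["ts"], name))
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0][0] < cutoff:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and killer not in alerted:
            alerted.add(killer)
            alerts.append((killer, q[0][0], [n for _, n in q]))
    return alerts


# Constructed sample: pid 4410 ends four watched processes in four seconds;
# pid 7000 ends two, an hour apart, which a normal maintenance job might do.
SAMPLE_LOG = """\
2018-05-07T10:00:00Z event=terminated name=notepad.exe pid=900 by=5000
2018-05-07T10:00:01Z event=terminated name=sqlservr.exe pid=412 by=4410
2018-05-07T10:00:02Z event=terminated name=vmwp.exe pid=588 by=4410
2018-05-07T10:00:03Z event=terminated name=wbengine.exe pid=760 by=4410
2018-05-07T10:00:04Z event=terminated name=mysqld.exe pid=801 by=4410
2018-05-07T10:30:00Z event=terminated name=sqlservr.exe pid=413 by=7000
2018-05-07T11:30:00Z event=terminated name=sqlservr.exe pid=414 by=7000
""".splitlines()

if __name__ == "__main__":
    for killer, first_ts, names in detect_kill_bursts(SAMPLE_LOG):
        print(f"ALERT: pid {killer} ended {names} starting {first_ts.isoformat()}")
```

The threshold and window are deliberately low because legitimate software rarely ends a database engine, a backup service and a hypervisor worker within the same few seconds; tune both against a week of your own audit data before enabling the rule.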


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/synack-ransomware-gets-dangerous-doppleganging-feature/d/d-id/1331736?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

10 Lessons From an IoT Demo Lab

The Demo Lab at InteropITX 2018 was all about IoT and the traffic – legitimate and malicious – it adds to an enterprise network.

(Image: Curtis Franklin, Jr. for Dark Reading)

Success in the enterprise Internet Of Things (IoT) is about connecting devices, securing, monitoring, and managing the processes in an intelligent way. It is, to a great extent, far more about the process than about any given technology, and security must be built into both the processes and each piece of technology used.

Significant opportunities are emerging for enterprises to create new and innovative processes around products and services, both on the enterprise premises and in the cloud. IoT has now developed to the point at which it has begun to disrupt many traditional manufacturing industries with new service propositions and has created new expectations and relationships with customers. Each of these processes, devices, and relationships must be secured and managed if it’s to be successful.

As with any architecture built on a network, interoperability between IoT systems is critical. At InteropITX in Las Vegas, the Demo Showcase team provided practical demonstrations of some of the issues surrounding IoT. By design, the team utilized concepts discussed in the conference tracks of Security, Infrastructure, and Data Analytics. At each station and demonstration, members of Interop ITX’s volunteer engineering team explained the technology and process of putting it in the field, and led discussions with attendees individually and in small groups.

(Image: Curtis Franklin, Jr. for Dark Reading)

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/iot/10-lessons-from-an-iot-demo-lab/d/d-id/1331726?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Defending Against an Automated Attack Chain: Are You Ready?

Recent threats like AutoSploit bring malware-as-a-service to a whole new level. Here are four ways to be prepared.

Until recently, one of the biggest challenges for cybercriminals has been matching a target with an exploit. While newer attacks might be preloaded with multiple exploits, many still function like a traditional waterhole. More proactive attacks, like worms, also spread via multiple exploits, but they still tend to be “dumb worms” that can use only whatever they have been loaded with.

Over the past few months, however, new malware trends have arisen. Recent Internet of Things (IoT) botnets, such as Reaper and Hajime, have not only been designed to target multiple vulnerabilities simultaneously but they also have the capability to attack “a la carte” by intelligently selecting an attack method from a growing exploit base.

Reaper’s flexible framework, for example, means that its code can be easily updated on the fly to run new and more malicious attacks as soon as they become available. The technique is clearly effective, as exploit volumes associated with Reaper after it appeared last October jumped from 50,000 to 2.7 million in just a few days.

Automatic Exploitation
And now, there is a new toolkit known as AutoSploit, which is an automated mass exploiter. This new tool automates the exploitation of remote hosts by collecting specific targets through online search engines such as Shodan or ZoomEye that are designed to locate specific connected devices. It includes additional options to further customize targets and host lists. Once a set of targets has been identified, it leverages the penetration testing tool Metasploit to target those devices.

This brings the idea of malware-as-a-service to a whole new level. Because it is open source, even individuals with limited technical skills can now run their own cybercriminal enterprises by targeting and launching attacks through a nearly entirely automated system.

Creating Swarm Networks
From there, AutoSploit will empower people to build large swarm networks. This will enable traditionally dumb botnets to now function as swarms that can accelerate an attack as a cooperative, integrated system. Simple swarm intelligence will refine this process even further, as individual swarmbots will be able to share real-time information about which exploits are the most successful and shorten the time between targeting and compromise. This will also help cybercriminals better guarantee a return on their investment. These capabilities already exist in the wild.

The next step is to more effectively hide malware once it has successfully breached a network’s defenses. The next generation of self-camouflaging assembler malware will be able to dynamically assemble bits of code from all over the Internet. This would allow local swarms to be built by code stitching itself together through a careful assembly process rather than using a single monolithic block of code that could easily be detected. Adding simple machine learning functionality would then permit a mutant attack to monitor and mimic traffic patterns to avoid detection by tools looking for aberrant behaviors.

The problem is compounded further by the ongoing expansion of the attack surface as organizations add things like software-defined networking, cloud infrastructure and services, mobile users, and IoT devices to their networks. Very few legacy security solutions are able to even detect these sorts of attacks, let alone prevent them.

What’s Needed
Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network. Here is a brief set of strategies to consider in order to effectively combat this new generation of threats:

Patch your devices. Targeted, automated attacks like AutoSploit mean that your vulnerable systems and devices are more exposed than ever. If they are too old (or too new) to patch, replace them. If you can’t replace them, then harden them, hide them, isolate them, or secure them behind advanced security tools such as intrusion-prevention systems and sandboxes.

Segment your network. Leveraging segmentation and microsegmentation ensures that once a device is compromised, the attack is limited to a small portion of your network. Passive segmentation, however, is just the start. What is also needed is agile macro segmentation for dynamic and adaptive defense against new, intelligent attacks.

Rethink your security strategy. Your security strategy needs to undergo digital transformation. Start by designing a flexible, adaptive security fabric that spans the network as a single, organic entity. Then tie that fabric to an integrated threat intelligence feed to ensure your network defenses constantly receive the latest threat profiles. This becomes the foundation for future hive defense strategies.

Leverage open integration standards. Combining best practices, centralized orchestration and advanced, purpose-built components provides the speed, scale, and intelligence required to secure today’s networks. This architectural approach extends visibility and protection across the entire attack surface, from remote devices to deep in the data center and from IoT to the cloud. This lets you secure any digital resource in any deployment scenario and marshal resources from any location to respond to threats.

Legacy approaches to security no longer work. The only way to beat cybercriminals at their game is to be smarter, faster, and stronger. To do this, you must adopt a new mindset around security that embraces integration, automation, and adaptability. Organizations that fail to make this transition are likely to be left behind in the new digital economy.


Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy …

Article source: https://www.darkreading.com/endpoint/defending-against-an-automated-attack-chain-are-you-ready/a/d-id/1331696?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US Extradites Romanian Hackers Charged with Vishing, Smishing

Suspects fraudulently obtained more than $18 million through fraud by voice and SMS.

A pair of Romanian men face charges in the US after netting $18 million in a vishing and smishing scheme targeting US citizens. Teodor Laurentiu Costea and Robert Codrut Dumitrescu have been extradited from Romania to the US and have been charged with wire fraud conspiracy, wire fraud, computer fraud and abuse, and aggravated identity theft.

The extradition comes after a federal grand jury returned a 31-count indictment against the pair. A third co-defendant in the case, Cosmin Draghici, remains in Romanian custody while awaiting extradition.

According to US Attorney Byung J. “BJay” Pak, the defendants targeted US citizens from their base in Romania, using US-based telephones to initiate phone calls to others for the purpose of fraud. The pair were engaged in vishing, which communicates a phishing message through a voice recording, and smishing, which phishes via text messages.

Costea and Dumitrescu would identify vulnerable computers in the U.S. and install interactive voice response software that would automatically interact with call recipients. They also used computers in the Atlanta area to install software that placed telephone calls and text messages to victims around the country.

The messages purported to be from a financial institution and directed victims to call a telephone number due to a problem with their respective financial account. When victims called the telephone number, they were prompted by the interactive voice response software to enter their bank account numbers, PINs, and full or partial Social Security numbers. Draghici then allegedly helped the pair turn the information into money.

For more, read here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/us-extradites-romanian-hackers-charged-with-vishing-smishing/d/d-id/1331729?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Google Security Updates Target DevOps, Containers

The tech giant explains why it’s rolling out a new cloud security management tool and an open-source framework for confidential computing.

Data visibility is a chief concern for companies moving to the cloud. In an effort to help organizations control their information, Google recently announced security updates intended to protect containers and application development.

Sam Ramji, vice president of Google Cloud product development, emphasized the importance of DevOps security in his keynote last week at InteropITX. “This explosion of connectivity has led to a golden age of software development,” he said, pointing to the opportunities and challenges that come with having more than one billion people using each of Google’s seven products.

No matter the industry, he said, all businesses are under pressure to keep up with the demands of an increasingly connected population.

Ramji urged attendees to embrace the change. “If you build a system that can’t easily connect, you’ll probably regret it in the future,” he said. “Problems that can be reduced to software will be reduced to software,” and companies should build with that idea in mind.

This demands the means to build securely – a problem, he noted, given the shortfall of developers and security professionals. Ramji explained the rollout of Asylo, a new open-source framework and SDK built by Google for developing applications to run in trusted execution environments (TEEs). Asylo simplifies production so any container can run in secure mode.

TEEs use specialized environments called enclaves to protect against threats targeting the operating system, drivers, hypervisor, firmware, and other underlying layers of the stack, officials write in a blog post. Enclaves block malicious insiders and unauthorized threat actors. Asylo encrypts sensitive information and verifies the integrity of code in each enclave to protect the applications and the data stored inside each one.

“The actual running code in the cloud, I want it to be completely opaque to the provider,” Ramji said. “I want it to be encrypted in runtime.”

The process of developing and running applications in a TEE previously required developers to have specialized tools and knowledge. Asylo makes TEEs accessible to a larger pool of developers without specific hardware requirements; TEE implementations in the past have been tied to certain hardware environments both on-prem and in the cloud, Google explains.

Now developers can use TEEs without rewriting their source code or gaining technical knowledge on how they work. Asylo users are provided a Docker image via Google Container Registry; this gives them the dependencies they need to run a container anywhere.

Security Controls in the Cloud

Speaking of containers, Ramji also touched on Google’s upcoming rollout of Cloud Security Command Center (Cloud SCC), a management tool in the Google Cloud platform where admins can view security data across their organization. Cloud SCC was announced a few weeks ago; however, Ramji noted five container security companies have integrated their tools to improve security for containers running on the Google Kubernetes Engine.

“Observability becomes absolutely critical in this infrastructure,” said Ramji of the cloud. “The medium is abundant. What’s scarce is observability.”

These integrations let admins see security alerts for Kubernetes Engine clusters in one place, and view and organize cluster assets within projects across the business. Visibility is critical in managing container security, which generally requires admins to create a baseline of typical behavior and use rules to detect when activity goes outside the norm.

“Your ability to get into the data and crawl down is absolutely critical, filtering ends up being absolutely critical,” he said, pointing to the importance of organizing and labeling data resources.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/google-security-updates-target-devops-containers/d/d-id/1331730?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple