STE WILLIAMS

Palo Alto Buys Evident.io to Secure the Cloud

The $300 million deal is part of an industry-wide consolidation of cloud, data, and network security companies.

Palo Alto Networks has confirmed plans to acquire Evident.io in a $300 million cash transaction. This is the latest in a series of acquisitions within the security industry as cloud providers, network security firms, and datacenter security companies buy cloud-focused startups.

Evident.io was founded in 2013 by Justin Lundy and Tim Prendergast, both of whom will join Palo Alto as part of the acquisition. The company’s focus is on security and compliance automation and its Evident Security Platform monitors cloud deployments, assesses risk, and provides remediation guidance.

Palo Alto intends to leverage Evident.io’s technology to extend its API-based security capabilities and help organizations analyze configurations and account settings to ensure cloud deployments are both secure and compliant. The idea is to integrate both companies’ tools into a single approach for monitoring, storage security, and compliance reporting.

“This acquisition is validation of the market’s need to adapt legacy IT security based on broad public cloud adoption,” says Threat Stack CEO Brian Ahearn. “No company is just a software company — most are also quickly becoming cloud companies.”

Security companies have been shopping for cloud startups as more businesses transfer their applications to the public cloud. Legacy security solutions don’t accommodate cloud environments, an issue driving consolidation among security providers.

Other major companies ramping up their cloud offerings through acquisitions include Trend Micro, which bought application security firm Immunio in November 2017, and McAfee, which acquired Skyhigh Networks the same month. VMware snapped up VeloCloud Networks in December. Oracle confirmed plans to purchase Zenedge in February 2018.

Read more details on the Palo Alto/Evident.io merger here.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/cloud/palo-alto-buys-evidentio-to-secure-the-cloud/d/d-id/1331282?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Critical Start to Buy Advanced Threat Analytics

Firms previously had teamed up in SOC services.

Managed security services provider Critical Start today announced it will acquire security analytics firm Advanced Threat Analytics. Financial details of the cash and stock deal were not disclosed.

Critical Start already has had a partnership with Advanced Threat Analytics, running its analytics platform in its security operations center.

“We have won major enterprise deals against the largest legacy MSSPs because the combination of our CyberSOC, expert analysts and the ATA platform offer our clients something unique – managed security services delivered in a completely transparent process using a mobile-first, zero trust platform,” said Rob Davis, CEO of Critical Start. “We’re excited to have the Advanced Threat Analytics employees and technology join Critical Start as they will provide clear and compelling competitive differentiation for us in the rapidly expanding market for MSSP/MDR services.”

Critical Start also plans to provide resellers the combined CyberSOC/ATA team and technology for the managed security services space.

Read more here.


Article source: https://www.darkreading.com/analytics/critical-start-to-buy-advanced-threat-analytics/d/d-id/1331283?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Microsoft starts buying speculative execution exploits

Microsoft has created a new class of bug bounty specifically for speculative execution bugs like the Meltdown and Spectre CPU design flaws disclosed in January.

Noting that the Project Zero discoveries “represented a major advancement in the research in this field”, Redmond said the bounties will be available until 31 December 2018.

If someone demonstrates a new speculative execution attack, they’ll be eligible for Microsoft’s top-rate bounty of up to US$250,000. Bypassing existing Microsoft mitigations for Windows (information disclosure on a fully-patched system) or Azure (reading memory not allocated to the attacker’s VM) is worth up to $200,000.


A researcher who turns up a new instance of Meltdown or Spectre in Windows 10 or Microsoft Edge can earn up to $25,000, but only if they can demonstrate their exploit can “enable the disclosure of sensitive information across a trust boundary”.

As Phillip Misner of the Microsoft Security Response Centre wrote in the announcement of the new bounties, “we expect that research is already underway exploring new attack methods” in the speculative execution class.

Full terms and conditions for the speculative execution bounty are here.

In the time since the bugs were found, Redmond’s had time to understand them better, and has put a detailed post discussing Meltdown and Spectre here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/redmond_buying_new_speculative_execution_bugs/

VPN tests reveal privacy-leaking bugs

A virtual private network recommendation site decided to call in the white hats and test three products for bugs, and the news wasn’t good.

VPNMentor hired Paulos Yibelo, a Cure53 researcher whose handle is “File Descriptor”, and one anonymous researcher to put Pure VPN, Zenmate, and Hotspot Shield to the test. The researchers found IP leaks in all three.

Only Hotspot Shield responded to the test, according to VPNMentor co-founder Ariel Hochstadt.

Hotspot Shield’s vulnerabilities were only present in its Chrome extension, Hochstadt wrote, but its desktop and mobile app are sound. The first allowed an attacker to hijack a user’s traffic if they were redirected to a malicious site.

“It detects if the current URL has the query parameter act=afProxyServerPing, and if it does, it routes all traffic to the proxy hostname provided by the server parameter”, he wrote.

That bug seemed to be some internal test code that remained in the public version, and it’s been fixed, as were a DNS leak bug, and another IP address leak.

The IP leak happened because the extension had a loose whitelist for “direct connection”, as you can see in the code chunk below.

// Whitelist as shipped in the extension: the regex is unanchored and its dots are
// unescaped, so each entry matches as a substring anywhere in the hostname.
let whiteList = /localhost|accounts.google|google-analytics.com|chrome-signin|freegeoip.net|event.shelljacket|chrome.google|box.anchorfree|googleapis|127.0.0.1|hsselite|firebaseio|amazonaws.com|shelljacket.us|coloredsand.us|ratehike.us|pixel.quantserve.com|googleusercontent.com|easylist-downloads.adblockplus.org|hotspotshield|get.betternet.co|betternet.co|support.hotspotshield.com|geo.mydati.com|control.kochava.com/;

// PAC rule: any of these conditions sends the request around the proxy.
if (isPlainHostName(host)
    || shExpMatch(host, '*.local')
    || isInNet(ip, '10.0.0.0', '255.0.0.0')
    || isInNet(ip, '172.16.0.0', '255.240.0.0')
    || isInNet(ip, '192.168.0.0', '255.255.0.0')
    || isInNet(ip, '173.37.0.0', '255.255.0.0')
    || isInNet(ip, '127.0.0.0', '255.255.255.0')
    || !url.match(/^https?/)
    || whiteList.test(host)                              // loose substring match
    || url.indexOf('type=a1fproxyspeedtest') != -1)      // query-string escape hatch
  return 'DIRECT';

Any domain that includes localhost in the URL bypasses the proxy (for example, localhost.foo.bar.com), and “any URL with type=a1fproxyspeedtest will bypass the proxy”, Hochstadt explained.
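As an added example (not code from the VPNMentor report or from Hotspot Shield), the whitelist branch of the quoted rule is placed beside an anchored host check and both are evaluated on constructed hostnames, so the set of requests that only the loose rule sends around the proxy can be listed directly. The allowedHosts list is an assumed illustration of a tightened list, not the vendor's actual fix.

```javascript
// Added example: loose PAC whitelist from the article vs. an anchored check.
// Not the extension's code and not the vendor's patch.

// The whitelist regex exactly as quoted in the article. It is unanchored and
// its dots are unescaped, so every entry matches as a substring of the host.
const looseWhiteList = /localhost|accounts.google|google-analytics.com|chrome-signin|freegeoip.net|event.shelljacket|chrome.google|box.anchorfree|googleapis|127.0.0.1|hsselite|firebaseio|amazonaws.com|shelljacket.us|coloredsand.us|ratehike.us|pixel.quantserve.com|googleusercontent.com|easylist-downloads.adblockplus.org|hotspotshield|get.betternet.co|betternet.co|support.hotspotshield.com|geo.mydati.com|control.kochava.com/;

// The two branches of the quoted rule that leaked. The PAC built-ins
// (isPlainHostName, isInNet, ...) only cover private ranges and are left out.
function looseDirect(host, url) {
  return looseWhiteList.test(host) || url.indexOf('type=a1fproxyspeedtest') != -1;
}

// Hardened form (an assumption about what a fix looks like, not the vendor's):
// full hostnames only, compared as an exact match or a dot-separated suffix,
// and no URL-parameter escape hatch at all.
const allowedHosts = [
  'localhost', 'accounts.google.com', 'google-analytics.com', 'googleapis.com',
  'amazonaws.com', 'hotspotshield.com', 'betternet.co',
];

function strictDirect(host) {
  const h = host.toLowerCase();
  return allowedHosts.some(a => h === a || h.endsWith('.' + a));
}

// Evaluate both rules over a list of [host, url] pairs.
function compare(cases) {
  return cases.map(([host, url]) => ({
    host,
    loose: looseDirect(host, url),
    strict: strictDirect(host),
  }));
}

// Hosts that bypass the proxy under the loose rule but not under the strict one.
function bypassOnlyUnderLoose(cases) {
  return compare(cases).filter(r => r.loose && !r.strict).map(r => r.host);
}

// Constructed sample requests; none of these hosts are real targets.
const samples = [
  ['localhost.foo.bar.com', 'https://localhost.foo.bar.com/'],         // 'localhost' as substring
  ['google-analyticsXcom', 'https://google-analyticsXcom/'],           // unescaped dot matches 'X'
  ['hotspotshield.example', 'https://hotspotshield.example/'],         // bare prefix, wrong domain
  ['example.com', 'https://example.com/?type=a1fproxyspeedtest'],      // query-string escape hatch
  ['support.hotspotshield.com', 'https://support.hotspotshield.com/'], // legitimately allowed
  ['example.com', 'https://example.com/'],                             // ordinary site, proxied
];

console.table(compare(samples));
console.log('bypass only under loose rule:', bypassOnlyUnderLoose(samples));
```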

For now, the details about bugs in Zenmate and VPN Shield are being kept under wraps because those vendors haven’t responded to VPNMentor. Both leaked user IPs.

“If you are a user of Zenmate or PureVPN, contact the support team and ask for the vulnerabilities to be fixed ASAP”, the post said. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/15/vpn_tests_reveal_privacy_leaking_bugs/

Ex-Equifax exec charged with insider trading after bagging 1 MEEELLION dollars in stock sale

A former Equifax exec was today charged with insider trading for offloading almost $1m of shares before the company went public about the scandalous mass data breach.

The global credit reporting agency was hacked in May ’17, which exposed the personal data of 148 million people. The firm discovered the breach at the end of July, but customers weren’t informed until September.

It appears at least one exec, namely Jun Ying, CIO of the US information solutions unit and a rising star in Equifax, may have used the time delay and his inside knowledge to cash in his shares before the price crashed, the Securities and Exchange Commission stated.

“Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach,” the SEC said in a statement.

It alleged that, before Equifax went public, Ying “exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million”.

The complaint said that by doing so, he had “avoided more than $117,000 in losses”. That’s because, once the news hit, Equifax’s share price plummeted from about $142.72 to $93 at its lowest point.

Richard Best, director of the SEC’s Atlanta regional office, alleged that Ying “used confidential information to conclude that his company had suffered a massive data breach, and he dumped his stock before the news went public”.

He added: “Corporate insiders who learn inside information, including information about material cyber intrusions, cannot betray shareholders for their own financial benefit.”

The SEC is seeking repayment of his ill-gotten gains, plus interest, penalties and injunctive relief.

In addition to the SEC’s charge of insider trading, Ying is also facing criminal charges from the US Attorney’s Office for the Northern District of Georgia.

At the end of 2017, alarm bells rang when four senior managers – chief financial officer John Gamble, president of US information solutions Joseph Loughran, president of workforce solutions Rodolfo Ploder, and senior veep of investor relations Douglas Brandberg – sold off company stock worth a total of about $1.8m.

However, they were cleared of insider dealing by a panel of three directors from other firms. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/equifax_exec_charged_insider_trading/

Transport for NSW scrambles to patch servers missing fixes released in 2007

Around a third of the servers at Transport for New South Wales, the public transport department in Australia’s largest state, need security patches, some dating back to 2007. But IBM, which provides IT services to the agency, does not have enough people dedicated to the job to do it in the required timeframe, or in a manner that lets the agency operate as it wishes.

The Register understands that Transport for New South Wales (TfNSW) runs a mixed fleet of AIX, Solaris, Red Hat Linux and Windows servers, all of which need patching. It is unclear what applications run on the un-patched servers, or their sensitivity, but TfNSW has mobilised an effort to quickly catch up on its patching.

IBM, however, has found itself with just a “skeleton crew” at the agency due to personal circumstances and staff being moved to other, higher-priority jobs. The company has therefore not been able to implement all of TfNSW’s desired changes or keep up with its client’s requests, leaving many servers without patches. Some of the fixes were released as far back as 2007. We understand IBM is not responsible for the tardy patching effort.


Sources tell The Register IBM has called for teams working at other clients to lend staff to sort things out at TfNSW, as while offshore labour will be involved it can only do so much when on-premises mission-critical servers require reboots. The request for help is an offer other teams dare not refuse.

IBM has therefore tried to find specialists in all the operating systems mentioned above, preferably with patch-preparation expertise, for a few weeks’ work. Whoever is recruited is in for a torrid time: we’re told midnight shifts and weekend work will be required, as change windows are scheduled outside business hours.

An IBM spokesperson told The Register such shout-outs for assistance are not unusual. “IBM shifts resources on a continuous basis, based on clients’ project requirements and the need for skills. This is common with any services delivery organisations operating a shared services model.”

The problems at TfNSW seem to have come about in part due to Meltdown patches throwing other plans out of kilter. The resulting mess has created a requirement for change windows so long and so numerous that TfNSW has balked at the effort required, further complicating patching plans.

The Register understands IBM can’t hire new people fast enough to address the problem, a state of affairs that is perhaps the result of IBM’s numerous rounds of redundancies and its decision to stop hiring contractors. IBM has described such changes as ensuring its business is an appropriate size.

But in this case it appears IBM Australia has so little fat, its TfNSW team can’t cover a handful of staff becoming unavailable. And with new contract hires forbidden, it can’t make a quick fix.

Ironically, sources tell The Register that one of the few exceptions to the contractor ban is hires made by offshore teams seeking a better liaison in the nations where IBM clients reside.

The Register has asked TfNSW to describe the state of its server fleet. If the agency replies, we’ll update this story. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/14/ibm_australian_transport_for_new_south_wales_patch_drama/

Segmentation: The Neglected (Yet Essential) Control

Failure to deploy measures to contain unauthorized intruders is a recipe for digital disaster.

Throughout the past decade, the information security profession has pursued an approach centered around protecting the network perimeter. While this proactive strategy has become the foundation of most enterprise programs, organizations must be equally capable of reacting to attacks by containing intruders once they have entered the network.

Although identifying and mitigating perimeter threats is essential, the fact remains that cybercriminals and nation-state actors are, with alarming frequency, defeating the most-hardened networks. Therefore, it is imperative that practitioners acknowledge this dynamic and deploy containment measures to isolate intrusions.

Network segmentation is a critical weapon in the escalating battle to protect against unauthorized access.

Segmentation
The vast majority of cyberattacks originate within the most vulnerable area of an organization, the user environment. Once the initial compromise occurs through the use of stolen credentials or the successful delivery of a social engineering overture, those launching the attack enjoy a foothold from which to search for critical platforms and sensitive data. By dividing a network into segments and restricting lateral access, security teams are capable of containing intruders and dramatically reducing the entity’s attack surface.

When intruders enter an inadequately segmented, or “flat,” network, they often enjoy unbridled movement and will eventually gain access to payment applications, sensitive databases, and critical infrastructure systems. Through segmentation, these critical technologies may be isolated and thereby protected.

Although many high-profile and destructive cyber campaigns have been attributed to poor segmentation, perhaps the most widely reported incident was the 2013 Target breach. According to multiple sources, a group based in Eastern Europe breached the retailer’s perimeter by first stealing credentials from one of the company’s service providers, an HVAC vendor. 

Once inside the system that monitors Target’s heating and air conditioning functions, the cybercriminals were able to proceed, without detection, to the point-of-sale environment. Ultimately, malware was installed on approximately 36,000 payment terminals, allowing for the hackers to steal 40 million credit and debit card numbers from unsuspecting shoppers.

This scenario is the digital equivalent of a bank robber entering the lobby of a major financial institution and proceeding, unimpeded and without being noticed, to a vault containing its customers’ most valuable items.

The Path Forward
Management has long avoided the deployment of comprehensive network segmentation due to a variety of resource and operability concerns. Recently, however, dramatic advances in enterprise software solutions have given practitioners scalable, customized options to address this issue.

Prior to implementing a segmentation strategy, a clear consensus must be reached regarding an organization’s sensitive data and critical platforms. Given that isolating these environments will be the ultimate goal, there can be no ambiguity on this issue. Also, it is necessary to map the existing communication paths and application dependencies within the network. Once these preliminary tasks have been completed, the following segmentation options may be considered:

Environmental: Isolates the most vulnerable environments, such as user and development, from the rest of the network and prevents intruders from breaching the low-hanging fruit and then moving laterally. This is known as the “coarsest” form of segmentation and should exist in every organization.

Application: Ensures that certain high-value applications are insulated from all others and provides an additional roadblock for attackers attempting to travel across applications.

Process: The “finest-grain” form of segmentation ensures that only active communications channels may be used and prevents any use of dormant paths.

The rapidly evolving nature of the cyber-threat landscape requires adaptive information security professionals. Although preventing intrusions is, and should remain, a primary goal, failure to deploy measures to contain unauthorized intruders is a recipe for digital disaster.


John Moynihan, CGEIT, CRISC, is President of Minuteman Governance, a Massachusetts cybersecurity consultancy that provides services to public and private sector clients throughout the United States. Prior to founding this firm, he was CISO at the Massachusetts Department of …

Article source: https://www.darkreading.com/endpoint/segmentation-the-neglected-(yet-essential)-control/a/d-id/1331244?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

77% of Businesses Lack Proper Incident Response Plans

New research shows security leaders have false confidence in their ability to respond to security incidents.

Your incident response plan probably isn’t as strong as you think it is, according to a new pool of research showing a broad gap between the perceived strength of incident response plans and their true effectiveness.

In “The Third Annual Study on the Cyber Resilient Organization,” Ponemon researchers surveyed more than 2,848 IT and IT security pros from around the world. They learned businesses continue to struggle to respond to security incidents, primarily because they lack formal incident response plans and sufficient budgets.

Nearly half (48%) of respondents rate their “cyber resilience” as high or very high, an increase from 32% one year prior. Researchers define cyber resilience as “the alignment of prevention, detection and response capabilities to manage, mitigate and move on from cyber attacks.”

However, 77% of respondents admit they don’t have a formal incident response plan applied consistently across their organization. Nearly half say their plan is informal or nonexistent.

“There’s a bit of a discrepancy,” says Ted Julian, vice president of product management at IBM Resilient. “Respondents are saying they’re feeling more confident about their cyber resilience, yet when you look at the details of the components that would create good cyber resiliency, they didn’t score nearly as well.”

These components include skilled talent, information governance practices, formal incident response plan across the business, technologies addressing the severity and volume of attacks, sufficient funding, senior management support, and visibility into data and applications.

The top reason cited for improved cyber resiliency was hiring skilled personnel (61%), followed by better information governance (60%), and visibility into data assets and applications (57%).

Yet hiring continues to be an obstacle: the inability to hire and retain skilled personnel was the second-most common barrier to cyber resilience, reported 56% of respondents. Seventy-nine percent said the importance of having skilled security pros in an incident response plan was “high” or “very high,” and 77% rated the difficulty in hiring and retaining them as very high.

Part of the reason is incident response experts need a broad range of skills. They have to know a little bit of everything: endpoint, network, operating system, the ins and outs of malware.

“It’s notoriously difficult, both to keep these people and to find them,” he says. “People with incident response skills are in extremely high demand … it’s a diverse, hard-to-find skill set that exacerbates this talent crunch.”

The largest barrier to cyber resiliency was lack of investment in new cybersecurity technologies including artificial intelligence and machine learning (60%). Julian explains how tools leveraging AI can help with “alert fatigue” so analysts can focus on more complex tasks. Some key components of incident response plans — checking the EDR platform, deploying URL monitoring — can all be automated, he says.

Incident Response Isn’t One-Size-Fits-All

Some will have an incident response plan that’s really thin, and it’s hard to say it does anything particularly well, says Julian. Others will try to overcompensate by including every possible scenario in one plan, in which case their strategy is unwieldy.

Different incidents require different responses. What will you do if there’s a DDoS attack? A ransomware attack? What happens in the case of a stolen laptop? Creating a separate plan for each distinct type of incident is critical.

You also must factor in everyone involved. A common mistake, especially in organizations with less mature plans, is neglecting to include third parties. If an incident occurs at a company that handles your customers’ data, you need a process to respond appropriately.

Julian emphasizes the importance of practicing plans once they’ve been developed. Fire drills and tabletop exercises, during which team members go through the motions to understand their roles and responsibilities, will prove critical in the chaos following a data breach.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/attacks-breaches/77--of-businesses-lack-proper-incident-response-plans/d/d-id/1331275?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Hosted Service Lowers Barriers to Malware Distribution

BlackTDS is a traffic distribution service for directing users to malware and exploit kits based on specific parameters.

A newly discovered malware distribution operation that has been advertising its services on underground markets since late December 2017 is the latest example of the growing maturation of cybercrime as a service.

BlackTDS is a cloud-hosted traffic distribution system (TDS) for distributing malware. Security vendor Proofpoint, which has been tracking the service for the past several weeks, describes it as lowering the entry barrier for threat actors that want to engage in drive-by attacks.

The service isn’t a completely turnkey one, since threat actors must still find a way to drive traffic to BlackTDS. “[But] it is otherwise a fairly complete solution, including social engineering for Web-based attacks that is fairly simple and inexpensive to configure and use,” says Kevin Epstein, vice president of threat operations at Proofpoint.

A TDS is designed to take traffic from different sources; filter it based on parameters such as user agent, browser, and geography; and then redirect users to various websites, depending on their profile. Malicious distribution systems like BlackTDS use the parameters to redirect users of interest to specific malicious websites and payloads instead.

“For example, an actor might want to send Australian users who click on a malicious link in an email to a banking Trojan configured with injects for Australian banks but make sure that everyone else gets ransomware,” Epstein explains.

The use of traffic distribution systems to distribute malware is not new. As far back as 2011, Symantec had reported on cybercriminals using a TDS to distribute exploit kits and malware to targets matching specific profiles. In 2016, Forcepoint reported on a threat actor using a malicious TDS dubbed BlackHat-TDS to redirect users to websites that hosted exploit kits.

As Forcepoint had noted at the time, threat actors running a TDS can set up blacklists of IP ranges to filter out traffic from security vendors and Web crawlers while ensuring traffic from ordinary users gets redirected to malware and exploits.

What makes BlackTDS different is that it is being delivered as a highly scalable, easy to deploy, and relatively inexpensive service. Threat actors can simply drive traffic to BlackTDS using spam, malicious advertisements, and other means; set up or provide access to their malware; and then let the service handle the rest of the distribution process.

“The actual redirection, filtering, and hosting of social engineering templates with connections to hosted malware or exploit kits, as well as the user-facing mechanisms behind drive-by attacks, all get handled by this single cloud-based service,” Epstein says. “All the actor needs to provide is the traffic and payload or exploit kit access.”

BlackTDS promises hosting that is difficult for researchers and sandboxes to identify and for anti-malware filters to automatically reject. BlackTDS is also relatively inexpensive, with some of its advertised services starting at $6 per day to $90 per month.

One indication of how effective BlackTDS has been so far is its use by TA505, a threat actor known for distributing ransomware and banking Trojans at massive scale. According to Proofpoint, TA505 recently used BlackTDS in a huge spam campaign designed to direct Internet users to a site selling discount pharmaceuticals.

TA505’s use of BlackTDS shows the service is quite scalable and has attracted the attention of one of the most prolific malware distributors on the Web, Epstein says. “We can only speculate on the exact implications here, but we will continue to watch for the use of BlackTDS by TA505,” he says.

For enterprises, services like BlackTDS once again reinforce the need for defenses at multiple layers such as the network layer, Web and email gateways, and endpoint devices, Epstein says. Attacks are becoming less dependent on active exploits than on user clicks, so education and training are critical as well, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/new-hosted-service-lowers-barriers-to-malware-distribution-/d/d-id/1331277?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New ‘Mac-A-Mal’ Tool Automates Mac Malware Hunting & Analysis

Researchers at Black Hat Asia will demonstrate a new framework they created for catching and studying Apple MacOS malware.

Malware targeting Windows machines still dominates the threat landscape, but hackers gradually have been expanding their target range to increasingly popular Apple MacOS platforms. A team of researchers now has created an automated MacOS malware analyzer that streamlines and simplifies the process of detecting and studying the growing ecosystem of malicious code targeting Macs.

MacOS research tools typically have relied on manual analysis of malware, notes Pham Duy Phuc, a malware analyst with Netherlands-based Sfylabs BV. Phuc says he first began developing the so-called Mac-A-Mal tool while pursuing his Master’s Degree at the University of Trento in Italy.  

“There are tools for malware reverse-engineering, debugging, and malware analysis on Mac,” including commercial tools like Hopper and IDA, and open-source tools like Radare2, MachO View, lldb, Otool, and Dtrace, Phuc noted in an email interview. But these tools mostly require manual analysis, which means the researcher also must have some know-how in order to use them.

“Each tool only solves one piece of the puzzle and it depends on experience of the researcher. Using these tools manually takes too much time and effort, and will never combat malicious software,” said Phuc. “For a demand of thousands [of] malware per day, an automated framework with combination of useful tools would make malware analyst daily job easier.”

Phuc and Fabio Massacci, his former professor at the University of Trento, will demonstrate Mac-A-Mal at Black Hat Asia in Singapore next week. The two also plan to soon release the tool as open-source.


Mac-A-Mal uses a combination of static and dynamic code analysis to detect MacOS malware, as well as to defeat the anti-analysis methods that some malware authors use to evade detection and investigation. It gathers malware binary behavior patterns, such as network traffic, evasion methods, and file operations. The tool uses kernel-level system calls, which allows it to operate undetected. “It takes actual behavioral data of malware samples, executions, inside a sandbox,” he said.

Half of Mac Malware = Backdoors

The researchers used the tool to parse some 2,000 Mac samples on VirusTotal, which led to the discovery of a previously unknown adware campaign that uses legitimate Apple developer certificates, keyloggers, and Trojans. They believe the adware operation is the handiwork of the APT32 aka OceanLotus group believed to be out of Vietnam, and it’s targeting Chinese and Vietnamese organizations.

“By studying the first generation of Mac OceanLotus samples through our framework, we found some similar behavioral signatures amongst the family. In March 2017, we found a second generation of Mac APT32 which [has a] zero-detection rate over more than 50 antivirus vendors … hunting those behaviors on VirusTotal,” he said. That new variant is more advanced, he said.

Phuc says the team also discovered hundreds of other Mac malware samples that with manual tools would be difficult to identify, and nearly half of all Mac malware collected in 2017 on VirusTotal were backdoor Trojans. The majority of malware samples were adware, mostly OSX/Pirrit and OSX/MacKeeper. “We observed a total of 86 different Mac malware families until 2017, and 49% of them belongs to backdoor/Trojan” categories, he said.

Mac-A-Mal basically works like this: it finds MacOS malware and places the samples in a sandbox where it performs static analysis on multiple samples at the same time. “The sandbox is armored with network sniffer, system calls and behavior logging, as well as anti-evasion from kernel-mode to send back a report to analysis machine,” Phuc explained.

Kernel-level monitoring has its advantages, according to Phuc. Namely it’s a more complete view from the lower level of the operating system, while at the same time keeping Mac-A-Mal under cover from anti-analysis detection. Next up for Mac-A-Mal is machine learning capabilities: “We would like to later apply more robust and advanced techniques for better features extraction from the analysis, and machine learning for a larger scale of Mac samples,” Phuc said.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/endpoint/privacy/new-mac-a-mal-tool-automates-mac-malware-hunting-and-analysis/d/d-id/1331278?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple