Monthly Archives: May 2018

Banking Botnet Operators Strike Profit-Sharing Partnership

Banking Botnet Operators Strike Profit-Sharing Partnership

Instead of ripping each other’s malware out of victim systems, the groups behind Trickbot and IcedID are playing nice with each other, says Flashpoint.

In what could be the beginning of a significant new trend, the operators of two separate banking botnets appear to have begun collaborating with each other in targeting systems and stealing money from victims.

Flashpoint says it has evidence suggesting the operators of the Trickbot and IcedID botnets have gotten into some kind of a profit-sharing arrangement in which they are using each other’s malware and infrastructure to cash out victim bank accounts.

Such partnerships are extremely rare in the cybercrime world where rival groups are more likely to rip each other’s malware out of victim systems than collaborate on a malicious campaign. For enterprises, the trend could spell new trouble.

“This collaboration indicates that sophisticated botnet malware operators will … team up to defeat anti-fraud measures in place when [a] reasonable profit-sharing agreement can be reached amongst various groups,” says Vitali Kremez, director of research at Flashpoint.

According to the vendor, some malware samples that it has recently analyzed suggest that computers infected with IcedID are also downloading the Trickbot banking Trojan.

IcedID is a banking malware sample that first popped up in the wild last April and is being massively distributed via spam email. Its victims have included financial services companies, retailers, and technology firms.

Up to now, IcedID has typically been installed on systems via a downloader called Emotet. But Flashpoint says that it now appears IcedID is being sent directly as spam. When the malware is installed on a system, it then acts as a downloader for Trickbot, which in turn installs other malware modules on the compromised system.

“IcedID is a primarily banking malware with downloader capabilities to install additional malware,” Kremez says. One of its key features is its ability to maintain persistence on infected machines. TrickBot is more of a multi-modular banking malware that has targeted victims in a slew of industries. The group behind it has used infected systems for a range of different malicious activities including bank account hijacking and for cryptocurrency mining.

“It is considered to be the successor to the Dyre banking malware and contains various credential-stealing, cryptocurrency mining as well as network propagation [features], amongst others,” Kremez notes.

Flashpoint says the collaboration between the IcedD and Trickbot groups has given the pair significant new capabilities. The two groups are using their respective malware tools to steal credentials for breaking into bank accounts belonging to the owners of infected systems and stealing money from them.

Members from the two groups monitor infected systems for activities that are of specific interest. For instance, when the owner of a system that is infected with Trickbot and IcedID malware tries to log into a bank account of interest, the botmaster grabs the login credentials and other details and passes it on to affiliates.

The affiliates then use the login credentials and other information required to access the victim’s account and transfer money out of it to rogue accounts previously opened by money mules. The mules often open the fraudulent bank accounts in the same financial institution and same geographic location as the victim’s own account.

“The group botmasters collaborate on cashing out compromised bank accounts and share profits from their infections,” Kremez says.

IcedID appears to be more focused on banking account-stealing operation, while TrickBot group also deploys additional modules to maximize profits from the compromised machines. Each compromised machine bears indicators of who exactly delivered the infection so it is easier to share the spoils.

Based on how the collaboration between IcedID and Trickbot has been working so far and the shared infrastructure they have built, it is quite likely that the operators of the two groups will continue to partner, Flashpoint said.

Expect to see more malware developers and fraud masters try and foster such collaborative partnerships if doing so can help them bypass the latest anti-fraud measures, the security vendor said.

Related Content:


 


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2J2sm86
via IFTTT

New Federal Report Gives Guidance on Beating Botnets

New Federal Report Gives Guidance on Beating Botnets

A report from the Departments of Commerce and Homeland Security provides five goals for protecting infrastructure from botnets and other automated threats.

In May 2017, the Trump administration issued Executive Order 13800, “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure.” Yesterday, one response to that order was made public as the secretaries of Commerce and Homeland Security jointly released “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.”

The report, at 51 pages, is a relatively concise look at the state of defense against botnets and similar threats. Reports such as these “are important in terms of being able to assess what the current state of cybersecurity is, what we’re able to do, and what we need to be able to do about it,” says Chris Pierson, CEO of Binary Sun Cyber Risk Advisors.

More than the specifics of the assessment, the level of the report is important, says Chris Wysopal, founder and CTO of CA Veracode. “This looks at the whole system development life cycle, from planning through end of life,” he says. He argues that the level of conversation is critical because consumers buy products with gaping security holes — and will continue to do that until vendors make safe products an economic priority.

Five Goals
The report is based on five goals for improving security. The five broad goals are:

  • Goal 1: Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace.
  • Goal 2: Promote innovation in the infrastructure for dynamic adaptation to evolving threats.
  • Goal 3: Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks.
  • Goal 4: Promote and support coalitions between the security, infrastructure, and operational technology communities, domestically and around the world.
  • Goal 5: Increase awareness and education across the ecosystem.

The goals are important because they give guidance to a variety of stakeholders on which steps they should be taking to secure their systems and networks. The real question is whether any of those stakeholders will take meaningful action.

A History of Reports
“Look up the ‘2004 NIAC Hardening the Internet Report and Recommendations.’ About 80% of that report is reflected in this report,” says Andy Ellis, CSO of Akamai. That isn’t entirely a reflection on the skills or dedication of IT security professionals, though. “It’s because a lot of the problems are really hard,” explains Ellis.

“The issues are, ‘what are the action items, who owns the action items, and what dollars are being put behind fixing them?” says Pierson. Now, he says, it’s time to move forward. “Given 10 years of describing the risk, what are the low-hanging fruits, what are we going to do about it, and who’s going to pay for it?”

At the federal level those questions are critical, given the just-released “OBM Federal Cybersecurity Risk Determination Report and Action Plan,” in which 71 of 96 federal agencies were shown to be at risk or at high risk for cybercrime issues. “We’re talking about the bad things that are happening, but when are we going to take about solving them? How do we solve them, when do we solve them, who solves them?” asks Pierson.

Steps Ahead
There’s at least one step that would be direct, if not necessarily easy to implement. “The government could just change their procurement to follow the recommendations. That would incent vendors to change their practices if they wanted government business,” says Wysopal.

“Everyone who’s in the industry should read through the list and see what they can work on,” says Ellis. As an example, he mentions the recommendation that education for every engineering and technical discipline have a cybersecurity component, instead of waiting until young professionals are in the field to begin their training on the subject.

Ultimately, though, Ellis sees real value in the process. “I think that the important thing is that this represents the work of a lot of groups that have come together. It’s not a final product but part of a process to make things better,” he says.

Pierson acknowledges the value of the process but has a stark assessment of the progress made so far. “It’s 10 years later and we’re still at the same place.”

Related Content:



Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2xCqD8u
via IFTTT

Building Blocks for a Threat Hunting Program

Building Blocks for a Threat Hunting Program

Guidance for businesses building threat intelligence strategies while overwhelmed by threats, lack of talent, and a healthy dose of skepticism about the market.

The number and severity of cyberattacks are sending businesses scrambling to figure out their threat intelligence strategies: how to collect threat data, organize it into actionable information, prioritize the most severe threats, and address the biggest problems.

Threat intelligence is among the hottest buzzwords in cybersecurity today, and with good reason. As attacks become more severe, frequent, and complex, businesses struggle to detect and mitigate them with limited resources. New platforms promise artificial intelligence to pick up the slack by processing alerts, freeing up employees for focus on more complex tasks.

In the past, threat intel has meant a tactical feed of malicious IP addresses feeding into the security operations center (SOC) with little context or relation to the business. Now, it means feeds of domains, hashes, and IP address related to malicious activity, with threat intelligence platforms attempting to organize them. These platforms aim to supplement existing tech like SIEMs, IPS systems, and firewalls.

But the infosec community isn’t fully sold. A recent study by the Ponemon Institute found 70% of security professionals surveyed think threat intelligence is too overwhelming or intricate to offer usable insight. Only 27% report their organization is “very effective” in using threat data to detect threats; only 31% of board and C-level members receive intelligence on security issues.

Part of the appeal of threat intelligence platforms is they’re intended to perform the function of a tier-one SOC analyst, someone who is normally responsible for clicking through alerts generated by firewalls, IDS/IPS, SIEM, and endpoint security tools and gauging their intensity. This ideally gives employees more time to focus on mitigating advanced threats.

The problem is there are precious few people who know what to do with threat intelligence once they have it, and they don’t come cheap. Even companies with generous security budgets have to figure out how to hire these employees and keep them on board. Corporate giants struggle with these issues because they lack sufficient resources, says JASK CEO Greg Martin.

“You don’t have to have ten years of experience to be a threat hunter, but you have to have the aptitude, you have to know what you’re doing to be effective in this space,” says Martin. “Only the best companies in the world have true threat-hunting teams internally.”

Building a Threat Management Program

“I think a lot of people approach threat hunting in the wrong way,” says Alert Logic principal analyst Matt Downing, who shares a few pointers for building a threat management strategy. He, of course, starts with people.

“You have to allocate manpower,” he emphasizes, adding that companies should form a team for this if they don’t already have one. “You need an experienced staff to go in and look at this … have you seen threats, seen how attackers operate.”

The most popular threat hunting skills for security pros include threat intelligence (69%), user and entity behavior analytics (57%), automatic detection (56%), and machine learning and automated analytics (55%), Alert Logic discovered in a recent survey.

Next, he advises reading through publicly reported incidents and asking whether it would happen to your company. Alert Logic does a lot of network inspection, he explains, and specifically focuses on endpoints. No matter how sophisticated and fancy the attacker is, they need to communicate with the target machine, he explains.

When asked about the biggest challenge in threat hunting, Downing says a major obstacle is lack of knowledge about what attacks look like. Threat management challenges include detecting advanced threats (55%) and lack of security expertise (43%).

“Part of it is understanding what people do normally,” he continues. “You have to understand what’s benign if you’re going to understand what’s malicious.” By taking this approach and looking at the tactics, processes, and tools used in an attack, you get an end-to-end story of detection that can serve as a blueprint for pinpointing future threats.

New Approaches to Threat Hunting

What if you don’t have the manpower in-house? In an effort to mitigate challenges for short-staffed companies, JASK launched a service called Special Ops. The idea can be summed up as Threat Hunting-as-a-Service: JASK supplements clients’ existing security staff with its “Special Ops” team, which has threat analysts and researchers poached from Palo Alto Networks, Dell SecureWorks, and RSA FirstWatch.

The role of SpecialOps is to detect threats, help analysts identify what they should care about, and provide guidance for next steps. If JASK analysts detect an anomaly, they alert the company. From there, they escalate internally with the team and, if necessary, connect them with law enforcement or a partner like CrowdStrike or Mandiant to pursue an investigation.

“A lot of organizations come to us because they don’t have the resources,” he explains.

With talent expensive and hard to find, this service puts skilled analysts in one place so companies from enterprises to SMBs have them on-call. Instead of digging through the data themselves, or relying on software, they have a means of leveraging human talent to weed out threats. More than three-quarters (76%) of Alert Logic respondents say not enough time is spent searching for emerging and complex threats in the SOC. 

“We used to kill ourselves looking for the needle in the haystack,” Martin notes. “We have a big stack of needles, now we need to find out which is the sharpest.”

Related Content:



Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2LMYG0K
via IFTTT

Thoma Bravo Acquires Majority Stake in LogRhythm

Thoma Bravo Acquires Majority Stake in LogRhythm

The SIEM vendor sells 51% stake to private equity firm.

SIEM vendor LogRhythm today announced that it has entered into an agreement for a majority stake (51%) of the company to be acquired by private equity firm Thoma Bravo. Financial details of the deal were not disclosed.

LogRhythm, a 15-year-old vendor of security information and event management systems, has more than 2,500 global customers. The purchase, expected to close in the third quarter of 2018, is intended to support future operational and product development plans.

In the statement announcing the purchase, LogRhythm’s chairman, president, and CEO, Andy Grolnick, described the step as an exciting strategic step forward for the company.

Read more here.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2xveguR
via IFTTT

We found 1 good reason to get the iOS 11.4 update – rogue message handling

Earlier today, we wrote about iOS 11.4, Apple’s latest but not-yet-documented security update for iPhone and iPad users.

We updated simply because we could, but some people have said to us, “We want something concrete to go on, not just the word ‘because’.”

They’ve got a point: a security update that doesn’t give you a reason to install it is unusual these days, and makes you think that all you’re getting is a bunch of new features.

That might not be enough to get you across the patch line on its own.

Well, even without Apple’s official security advisory email, we think we’ve found a more-than-good-enough reason.

Remember the WhatsApp “message of death” and the iMessage “black dot” problem from the start of May 2018?

These were publicly circulating text messages that looked as though they were just one line long, but actually contained thousands of Unicode control characters to change text direction.

The offending characters are formally known as LEFT-TO-RIGHT MARK and RIGHT-TO-LEFT MARK – they don’t take up any space on the screen, but they are commonly needed when rendering text in languages such as Arabic and Hebrew.

Those languages write their text from right to left, but commonly write numbers left to right using Indian numerals, just as we do in English.

So Arabic and Hebrew routinely need to typeset text from the right, then to jump ahead and set numerals backwards from the left towards the text just printed out, then to switch back again, skipping over the numerals and again laying out the text from right to left.

However, it seems that the text rendering code in Apple’s products was clearly never designed to switch left/right/left/right thousands of times in a row for no good reason at all other than to cause mischief.

Indeed, earlier this month, we deliberately sent several rogue “messages of death” to the iOS Messages app, and we quickly ended up in trouble.

We couldn’t easily get back from the message screen, where the app was trying desperately to process the rogue messages, to the main list of conversations, where we could have deleted all the rogues in one go.

Unfortunately, we couldn’t open individual messages from the message screen to invoke the “delete message menu”, either.

The app would typically freeze solid, or crash before we could fix things, whereupon restarting the app just jumped us straight back to where it had been when it crashed, and so the cycle continued.

Better after the update?

Anyway, after updating to iOS 11.4, we tried sending rogue messages again, and things were nowhere near as bad as before.

We can’t be sure that Apple set out to fix this flaw, but it looks as though the Messages app is now automatically cutting off long messages to limit the number of invisible Unicode control characters that can be flung at the app.

As far as we can see – and this is entirely down to basic deduction, not the result of any actual analysis, so don’t hold it to this! – these truncated “messages of death” can fairly easily be deleted, which wasn’t the case when we tried this before the update.

We were able to delete rogue messages them one by one, as well as to escape out to the main Messages to delete entire conversations in one go.

So, if you’re looking for a good reason to update to iOS 11.4 even in the face of Apple’s security silence, perhaps this is enough to convince you?

As we said, this is all down to deduction – we can’t easily tell if Apple has changed the Messages app at all, let alone with the intention of mitigating the “message of death” problem…

…but we certainly didn’t find things worse than before, so we’re pleased anyway.


from Naked Security – Sophos http://bit.ly/2Jjkkv6
via IFTTT

The Good News about Cross-Domain Identity Management

The Good News about Cross-Domain Identity Management

Adoption of the SCIM open source, standards-based approach for syncing user information between applications is ratcheting up among SaaS vendors as well as enterprises.

The System for Cross-domain Identity Management, or SCIM, has existed for a while, but adoption by solution providers had been sporadic and inconsistent … that is, until recently. In recent months, this standards-based approach for syncing user information between applications is finally ratcheting up, and adoption rates are showing no signs of slowing down.

What exactly is SCIM? It’s an open standard developed out of the need for a way to synchronize user information between multiple applications. SCIM is fantastic for streamlining processes while also reducing mistakes and data inconsistencies between identity ecosystems.

For example, while onboarding a new employee, it’s common for companies to create a new user profile in a central identity directory. It’s also likely that the user also needs access to other services or applications, such as Salesforce, G Suite, or Slack. But it’s inefficient for administrators to enter user information in all those environments. Provided the identity directory and the applications support a standards-based SCIM connector, users can be automatically provisioned to those enterprise apps.

SCIM also has security benefits. In many cases, when an employee is terminated or leaves a company, administrators often forget to deprovision the user’s account for applications that contain sensitive data. According to the FBI, unprovisioned account access is one of the leading causes for data breaches and insider threat attacks.

This is where SCIM really shines. When a user departs from your company, admins can terminate the user in your central directory with the knowledge that the user’s account will also be suspended or deleted in your SCIM-enabled apps.

SCIM Adoption Is Surging
Many large SaaS vendors started supporting SCIM a few years ago, and today, some enterprise solutions are starting to enable it. Recently, I’ve seen a large surge in both the number of vendors supporting SCIM, and the number of customers who have happily adopted it.

SCIM adoption by OneLogin customers

SCIM adoption by OneLogin customers

When we analyzed our customer base at OneLogin, we found that our most widely used SCIM connector is Slack, followed by a top 10 list that includes the likes of well-known brands such as Lucidchart, Facebook Workplace, Github, Trello, Envoy, and Asana. Over the past few months, we’ve added over a dozen new SCIM connectors to Evernote, LastPass, and Wrike, with many more like Zscaler, Netskope, and RingCentral coming soon. It’s getting to the point where enterprise-level companies are demanding that vendors support SCIM. As their complex web of interconnected apps continues to grow out of control, SCIM provides some relief in ensuring that user provisioning is taken care of and ghost user accounts aren’t floating around all over the place.

Wrike, a cloud-based collaboration and project management software company, for example, identified an opportunity to strengthen its enterprise scalability story by adding a SCIM connector after a number of requests for SCIM from large prospects and customers. It has an interesting story that starts out implementing SCIM for enterprise customers and ends up with it also finding value internally. Wrike used SCIM to integrate its internal identity management system for employees and partners with its own software for project management and collaboration. The SCIM integration enabled it to automate user provisioning and deprovisioning between the two systems, which immediately took some of the load off the IT department. This also opened the door for more customization when company officials realized they could also sync custom attributes for things such as granting different privileges in Wrike based on an employee’s department. It’s still early days for Wrike on its SCIM journey, but indications are very positive so far.

I am excited about the future of SCIM as another building block in successful unified access management strategies. Companies can save time and effort by streamlining the onboarding/offboarding of employees, with the added benefit of improving security and standardized processes. If your cloud-based software vendors don’t yet support SCIM, it’s time to nudge them in that direction.

Related Content:


 


Rich Chetwynd is the head of developer experience at OneLogin, the leader in Unified Access Management. Chetwynd is responsible for all things developer at the company. Before OneLogin he started three companies including Litmos.com (acquired by CallidusCloud Inc), … View Full Bio

More Insights

from Dark Reading – All Stories https://ubm.io/2J2uZGX
via IFTTT

How to set up 2FA on eBay – go do it now!

A little under two years ago, I looked into how one might go about securing an eBay account using two-factor authentication (2FA).

At the time, it wasn’t clear if 2FA was supported on eBay officially or not, and I found a number of dead-end paths when trying to actually set up my account with 2FA – old documentation pages about 2FA appeared to be buried or completely deprecated, many links were completely dead. Calls to customer service didn’t help much, as the reps I spoke to had no idea what I was talking about or why I was asking.

There were legacy documentation pages about using a third-party time-based token authentication service, but these were mostly dead-ends as well and I had, to put it mildly, an extraordinarily difficult time trying to set things up.

By the end of it all, I had tried (and tried!) to set up 2FA on my account, but really to no avail. I concluded my piece with a plea for readers to let me know if I’d missed something obvious in trying to secure my account, or at the very least to ask eBay nicely to make this process easier.

Over time, many of our Naked Security readers chimed in on my story saying that either they’d had similar processes, or they’d discovered a workaround entirely.

As more time passed, the comments started to change tone entirely, that actually the 2FA process was super simple and easy to do now. Based on what readers like you had commented, it sounded like something had changed for the better. Clearly, it was past time for me to revisit this story.

I’m quite relieved and thankful to report that since I first wrote this the eBay 2FA story, eBay has not only binned its previous byzantine 2FA procedure, but it’s replaced it with something that’s both easy to find and easy to use.

Now, happily, this is how you can easily set up 2FA on your eBay account.

  • Log in to your account.
  • Go to your account settings by clicking on your name in the upper left (where it says “Hi [your name]!”) and clicking Account settings in the dropdown.
  • In the My Account menu on the left that now appears, click Personal information.
  • Scroll to the bottom of the Personal Information screen, and you’ll now see a field that says Security Information, with the 2 step verification option underneath it. If it is switched to “off”, click the Edit option on the right.
  • Follow the instructions on the screen. eBay 2FA supports voice and SMS factors (no support for time-based token authentication, like Google Authenticator or Duo, as far as I can tell).
  • You’ll get a confirmation once it’s set up. Easy peasy!

I’m relieved that eBay has now made this much easier for users, and hope if you’re an eBay user you’ll take a quick moment to get this set up on your account.


from Naked Security – Sophos http://bit.ly/2slByhI
via IFTTT