Ransomware is a form of malicious software (malware) that restricts access to computer files, systems, or networks until a ransom is paid. In essence, an offender creates or purchases ransomware, then uses it to infect the target system. Ransomware is distributed in several ways including, but not limited to, malicious website links, infected USB drives, and phishing emails. Once infected, the offender encrypts the device and demands payment for the decryption key. Figure 1 provides a simplistic overview of the ransomware timeline.

Figure 1. Ransomware timeline.

how ransomware works

The earliest recorded case of ransomware was the AIDS Trojan, which was released in the late 1980s. Now, in 2023, ransomware is considered the greatest cybersecurity threat due to the frequency and severity of attacks. In 2021, the Internet Crimes Complaint Center received over 3,000 ransomware reports totaling $49.2 million in losses. These attacks are especially problematic from a national security perspective since hackers aggressively target critical infrastructure such as the healthcare industry, energy sector, and government institutions.

If ransomware has been around for over 40 years, why is it now increasing in popularity? We argue the increase in ransomware attacks can be attributed to the availability of ransomware sold on darknet markets.

Darknet markets

Darknet markets provide a platform for cyber-criminals to buy, sell, and trade illicit goods and services. In a study funded by the Department of Homeland Security, Howell and Maimon found darknet markets generate millions of dollars in revenue selling stolen data products including the malicious software used to infect devices and steal personal identifying information. The University of South Florida’s (USF) Cybercrime Interdisciplinary Behavioral Research (CIBR) sought to expand upon this research. To do this, we extracted cyber-intelligence from darknet markets to provide a threat assessment of ransomware distribution. This report presents an overview of the key findings and the corresponding implications.

Threat assessment

While drugs remain the hottest commodity on darknet markets, our threat intelligence team observed a rise in ransomware (and other hacking services). 

The study was conducted from November 2022-February 2023. We began by searching Tor for darknet markets advertising illicit products. In total, we identified 50 active markets: this is more than all prior studies. We then searched for vendors advertising ransomware across these markets, identifying 41 vendors actively selling ransomware products. The number of markets and vendors highlight the availability of ransomware and ease of access. Interestingly, we find more markets than vendors. Ransomware vendors advertise their products on multiple illicit markets, which increases vendor revenue and market resiliency. If one market is taken offline (by law enforcement or hackers), customers can shop with the same vendor across multiple store fronts.

The 41 identified vendors advertised 98 unique ransomware products. This too shows the accessibility of various forms of ransomware readily available for purchase. We extracted the product description, price, and transaction information into a structured database file for analysis. In total, we identified 504 successful transactions (within a 4-month period) with prices ranging from $1-$470. On average, ransomware sold on the darknet for $56 with the best-selling product being purchased on 62 different occasions at $14 per sale. A screenshot of the best-selling ransomware advertisement is presented in Figure 2. This product is listed as fully customizable, allowing the customer to choose their target and ransom amount. These findings illustrate that ransomware sold on the darknet is both affordable and user-friendly.

Figure 2. Ransomware advertisement found on a darknet market.

ransomware advertisement on dark web

Purchases on the darknet are facilitated using cryptocurrencies that anonymize the transaction and ensure both the buyer and seller's protection. Bitcoin is the favored method of payment, but some vendors also accept DOGE, Bitcoin Cash, Litecoin, and Dash.

Our final goal was to understand which words are associated with ransomware distribution. Using the product description, we created a word cloud (presented in Figure 3) to depict the most common words used when selling ransomware. The most commonly used words include ransomware, encrypt, systems, urgency, decryption, victims, and software. Knowing the words associated with ransomware distribution allows for the development of machine learning algorithms capable of detecting and preventing illicit transactions.

Figure 3. The most used words in a ransomware advertisement.

ransomware ad word cloud

Implications

The security concerns posed by ransomware and darknet markets have been independently identified by researchers, government agencies, and cybersecurity companies. We expand the discussion by assessing the synergetic threat posed by ransomware distributed via darknet markets. Our findings suggest the uptick in ransomware may result from product availability, affordability, and ease of use. Cyber-criminals no longer need the advanced technical skills required to develop unique forms of ransomware. Instead, they can simply purchase customizable ransomware on the darknet and launch an attack against their victims.

Acknowledgements

            This research would not be possible without the students and faculty associated with CIBR lab. Specifically, we thank Taylor Fisher, Kiley Wong-Li, Mohamed Mostafa Abdelghany Mostafa Dawood, and Sterling Michel for their continued involvement on the cyber-intelligence team. For more cutting-edge cybersecurity research, follow Dr. C. Jordan Howell, Lauren Tremblay, and the CIBR Lab on Twitter: @Dr_Cybercrime, @DarknetLaur, and @CIBRLab.

The post An assessment of ransomware distribution on darknet markets appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

More and more, people are completing the entire real estate transaction process online. From searching for properties to signing documents, online convenience can make the process easier and more efficient. However, with all of this activity taking place on the internet, it is important to be aware of the potential security risks that come along with it. Here are the eight common cybersecurity issues that can arise during the purchase of real estate online and how you can protect yourself against them.

1. Cybercrime

This is, unfortunately, the world we live in – and it makes sense, given the large sums of money involved. Cybercriminals may attempt to hack into the system and gain access to private information. They may even try to interfere with the transaction process itself, delaying or preventing it from taking place at all.

To combat this threat, make sure you are using a secure online platform when completing the transaction and be sure to only provide personal information when necessary.

When you are completing a real estate transaction online, a lot of your personal information will be requested. This can include anything from your address and phone number to your bank account information. If this information is not properly secured, it could be at risk of being accessed by cybercriminals.

To keep yourself safe, it is important to know what to look out for. You should watch for the commonly attempted ways that remote real estate buyers might be targeted and understand what you should do in the event of a breach.

2. Data breaches

Buying real estate remotely involves a number of different tools, like online payment gateways and other web services. All of these tools can be vulnerable to data breaches, which means that hackers could gain access to your personal information stored on their servers. To protect yourself, research a service’s security standards before providing any sensitive information or look for an alternative if the security measures are inadequate.

Always make sure you are observing best practices during and after an online purchase, which include doing things like updating your passwords as appropriate and monitoring your credit cards for any suspicious activity. By following these tips, you can help ensure that your online real estate transaction is secure.

3.  Phishing scams

These are attempts to obtain your personal information by pretending to be a legitimate source and they are on the rise. Be sure to only provide your information on secure websites and look for signs of legitimacy, such as “https” in the web address or a padlock icon in the URL bar.

Phishing scams that target real estate buyers might include emails, text messages, and voicemails asking you to provide your credit card details or other personal information to make a purchase. Make sure to always look for signs of legitimacy before providing any sensitive information.

They might also include bogus emails from lawyers or other professionals with malicious links or attachments. Be sure to only open emails from verified sources and never click on suspicious links.

4. Malware threats

Malicious software can be used to steal your personal information, such as banking credentials and passwords, or to install ransomware that locks you out from accessing your own files. To protect yourself from malware, make sure to install trusted antivirus and anti-malware software on your computer. Additionally, make sure to always keep your operating system up to date with the latest security patches.

5. Identity theft

Identity theft is a growing problem online and can be especially dangerous for real estate buyers. Hackers may use stolen information to gain access to your bank accounts or other financial resources, making it important to protect all your personal information from potential thieves. Make sure to use secure passwords, avoid public Wi-Fi networks, and never provide sensitive information over email.

This is especially pressing in an age where people are so much more mobile and global than they ever have been. Real estate transactions can be conducted from airports, coffee shops and all manner of unsecured wireless networks, which demands extra vigilance when it comes to cybersecurity.

6. Website hacking

Hackers can also gain access to websites and steal information stored on them, including user data. To protect yourself from website hacking, make sure that the websites you use have strong security protocols in place. Additionally, look for signs of legitimacy such as a padlock icon in the URL bar and verify any third-party links or attachments before clicking on them.

If you are dealing with a real estate agent that uses a website, make sure it is secure and they have taken proper precautions to protect your data.

7. Social engineering attacks

Social engineering attacks are when hackers use psychological tactics to get you to reveal confidential information or take some sort of action. For example, they may send fraudulent emails that appear to come from a real estate agent asking for your personal details or credit card numbers. Make sure to always verify the source of any emails before taking any action.

The best way to identify a social engineering attack is to look for suspicious language, attachments, or links in the email. If anything looks out of the ordinary, it's best to delete the message and report it to your security provider.

You can always take extra steps to protect yourself, like using two-factor authentication when logging into accounts or working with a cybersecurity professional. By staying vigilant and taking proactive measures, you can help ensure that your online real estate transactions are secure.

8. Having weak passwords

Another common cybersecurity issue is having weak passwords. Make sure to use strong passwords when creating any accounts associated with your real estate purchase. You should also change your passwords on a regular basis and never reuse old passwords or share them with anyone else.

Using a password manager can also help you keep track of all your different passwords and store them in a secure place. If you're dealing with an agent, ask them to use strong passwords as well, and make sure that they keep all of your personal information safe.

Conclusion

Real estate transactions are increasingly taking place online, which can create potential security risks if proper precautions aren't taken. By following best practices and being aware of the common cybersecurity issues associated with purchasing real estate online, you can help ensure that your transaction is secure. With a bit of extra effort and knowledge, you can rest assured knowing that your online property purchases are safe and secure.

The post 8 Common Cybersecurity issues when purchasing real estate online: and how to handle them appeared first on Cybersecurity Insiders.

MSSP graphic

In today's world, cybersecurity is an ever-growing concern for businesses. With the rising threat of cyber threats and data breaches, it can be difficult for companies to keep up with the latest security technologies and stay ahead of the curve. Managed Security Services Providers (MSSPs) provide comprehensive security solutions to clients. They offer various services, from monitoring and threat intelligence to incident response. MSSPs are ideal for businesses looking for an all-in-one security solution tailored to their specific needs. MSSPs offer a wide range of services to help protect businesses from cyber threats. Here are some initiatives that MSSPs should consider when looking to help customers in 2023.

Making Zero Trust attainable

As the global landscape continues to test our resiliency, staying focused on a security-first mindset is critical. Organizations must consider the most significant risks and take a proactive approach to address cyber risk concerns. This means assessing the current state of their cybersecurity, understanding their attack surface, and rethinking their security strategy with a Zero Trust model. By taking a risk-based approach to vulnerability management, implementing cloud security measures, and developing third-party risk management solutions, organizations can ensure they are prepared to adapt to the ever-changing digital landscape and remain resilient in the face of cyber threats.

The traditional perimeter as we know it is no longer viable due to the shift to remote and hybrid working. To keep our networks secure, Zero Trust architecture is essential. Zero Trust reduces the risk of security breaches by authenticating and authorizing every person and system before granting access. Nowadays, the security industry is figuring out how to apply Zero Trust practically. Established companies are using the term Zero Trust in their product portfolios to capitalize on the opportunity. Ultimately, Zero Trust will become more prominent with measurable results.

Risk-Based vulnerability management

Managing vulnerabilities inside your environment are challenging. New attack vectors for threat actors to breach your network are identified daily. Organizationally, the attack surface is constantly changing due to IT device and platform lifecycle issues, changing operational priorities, and the adoption of emerging technologies. With every change comes the risk that a new flaw or configuration issue will provide a threat actor with the final link in their attack chain, resulting in an impact on your users, operations, and customers.

Your network is expanding in the traditional sense and with the ever-increasing role of endpoints, devices, and the Internet of Things. Each year you see the amount of data multiply exponentially, the threat of attacks become more sophisticated, and the challenge of minimizing risk and optimizing operations grow more challenging. It can feel like a never-ending battle, yet identifying, prioritizing, and managing vulnerabilities through remediation is not only possible—it can be simple.

Vulnerability management is an established function of information security, but with technology configurations constantly evolving and cloud and container infrastructure expanding, the complexities of vulnerability management persist. Today's best vulnerability management platforms have been designed with visibility, remediation automation, and improved vulnerability prioritization.

Vulnerability and patch management are essential for any organization, as is the need for risk reduction. With the right risk reduction strategy, organizations can improve their cyber resilience and reduce their risk. To help ensure that organizations keep their IT infrastructure up-to-date and secure, they should focus on strengthening the fundamentals of vulnerability and patch management, risk reduction, and Managed Extended Detection and Response (MXDR). By implementing these strategies, organizations can reduce risk and improve security posture.

Security Mesh, Zero Trust, and SASE (Secure Access Service Edge)

These are three technology trends converging to allow organizations to consolidate and optimize their Zero Trust initiatives. Security Mesh provides a cloud-based fabric that enables organizations to connect to users, applications, and data in a secure and unified fashion. Zero Trust is a security model that eliminates the concept of trust assumptions based on internal network boundaries.

And SASE is a cloud-delivered service that combines network and security functions, including secure access, cloud security, and network security, into a single integrated solution. These technologies can be used together to reduce complexity and help organizations to implement their Zero Trust strategies quickly and effectively. By consolidating and optimizing Zero Trust initiatives, organizations can gain the security, agility, and scalability needed to accelerate their digital transformation.

The biggest challenge for SASE adoption is the split decision between networking and security components. While the two technologies have their strengths and weaknesses, their integration is the most critical factor for successful SASE deployments. Enterprises need to evaluate both solutions' performance, scalability, scalability, reliability, and cost to determine which is best suited for their needs. Additionally, at the same time, they need to consider the synergies between both solutions to make sure that the combination of them will yield the best results. The primary benefit of SASE is the integration of networking and security services, which simplifies the provisioning and maintenance of both solutions.

Additionally, the service provider can offer more tailored solutions to its customers, allowing them to customize their SASE deployments to meet their specific needs. This makes the solution more attractive to enterprises and increases the likelihood of adoption. Ultimately, the split decision between networking and security components is a challenge that SASE must overcome to remain relevant in the future. Enterprises need to weigh both solutions' pros and cons and ensure they invest in the right technologies. By doing so, they can ensure that they get the most out of their SASE deployments and guarantee that their solutions remain up-to-date and secure.

Cyber Resilience

As MSSPs look to offer a Cyber Resilience service that leverages expertise to enhance protection, detection, and response capabilities while driving an organization's ability to recover in the event of a malicious attack rapidly. MSSPs can help shift an organization's model from reactive to proactive, helping the team prepare for potential cyberattacks by implementing a resilience model. This end-to-end service capability helps reduces risk holistically and supports an organization's ability to identify, protect, detect, respond, and recover from malicious activity. Cyber Resilience service is a customized strategy to enhance your current people, processes, and technology based on comprehensive strategic and tactical evaluations across an enterprise.

The post Building blocks for Cyber resilience:  MSSPs can lead the way appeared first on Cybersecurity Insiders.

Firewall optimization (also known as firewall analysis) is the process of analyzing and adjusting the configuration and policy set of a firewall to improve performance and security. This process involves reviewing and corelating log data and device configurations, identifying potential vulnerabilities and weaknesses, and providing recommendations for remediation. Performing these processes is complex, which is why tools like firewall analyzers are useful. They offer automation, visualization, and alerting to provide recommendations that can be used to reduce the risk of attack.

What is the business impact of firewall optimization?

Firewall optimization is important because it can help organizations improve their overall security, performance, and compliance, while also reducing costs and improving decision-making. This can ultimately contribute to better overall business performance. Firewall optimization can have a positive impact on a business's overall network security and performance.

Some of the key benefits include:

  • Improved security: Analyze configurations and log data to identify potential vulnerabilities and threats in the network and provide recommendations for remediation. This can help to reduce the risk of successful cyber-attacks and data breaches.
  • Better performance: Improve overall network performance by identifying and addressing bottlenecks and inefficiencies in the firewall configuration. This can result in faster network speeds, more reliable connectivity, and better overall performance.
  • Compliance: Comply with relevant regulations and standards, such as PCI DSS and HIPAA, by providing regular compliance reports and identifying potential compliance issues.
  • Cost savings: By identifying and addressing inefficiencies and bottlenecks in the firewall configuration, firewall optimization can also help reduce costs associated with network maintenance and troubleshooting.
  • Improved decision-making: Have a better understanding of the network security posture and the capabilities of the firewall. This allows organizations to make more informed decisions about their security strategy, and to better allocate resources for security initiatives.

How is firewall optimization different from firewall management?

Firewall optimization uses software tools like a firewall analyzer to find weaknesses and vulnerabilities in network attached devices. The inspection includes analyzing configurations and log data from security devices, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

The primary features of a firewall optimization include:

  • Log analysis: Review log data to understand utilization trends over time and recommend ways to enhance the performance of the firewall without compromising security.
  • Configuration analysis and compliance reporting: Review running configurations of firewall devices regularly and include features for generating reports that show compliance with relevant regulations and standards, such as PCI DSS and HIPAA.
  • Security analytics: Analytics capabilities allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
  • Alerting: Alerting features that notify users when potential threats or vulnerabilities are detected.
  • Integration with other tools: Some firewall analyzers can be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.
  • Multi-vendor support: Firewall analyzers can support multiple firewall platforms. This can be useful when migrating from one firewall platform to another, to help clean the ruleset of any vulnerabilities and test configurations prior to deployment.

A firewall management platform, on the other hand, is a comprehensive tool that helps organizations to manage, configure, and monitor their firewalls. It includes features like firewall policy management, threat detection and management, asset discovery, and security analytics. The primary features of a firewall management platform include:

  • Policy management: Allows users to create and manage firewall policies, which define the rules for allowing or blocking network traffic.
  • Asset discovery: Discover and inventory assets on a network, including servers, workstations, and other network attached devices.
  • Security analytics: Analytics capabilities that allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
  • Monitoring: Monitor network traffic and alerting users when potential threats or vulnerabilities are detected.
  • Integration with other tools: In addition to firewall analyzers, some firewall management platforms can be integrated with other security tools, such as a Security Incident and Event Manager (SIEM) to provide a more comprehensive view of an organization's security posture.

One of the main differences between firewall optimization and the firewall management platform is the scope of their capabilities. Firewall optimization is focused on the performance and configuration of the firewall, by analyzing the running configuration and log data from firewalls, even in environments with multiple vendor firewalls.

Another difference is the level of control on a device that the tools provide. A firewall analyzer provides insights, recommendations, application traffic flows, and may even have device configuration and management capabilities. A firewall management platform, on the other hand, provides granular control over firewalls, including the ability to create and manage firewall policies and to monitor network traffic.

How does firewall optimization work?

Firewall optimization uses a firewall analyzer tool to provide visibility into the security posture of a network by identifying potential threats and vulnerabilities, and by providing recommendations for remediation.

The process of firewall analysis typically involves the following steps:

  • Data collection: The firewall analyzer collects log data and device configurations from the security devices on the network. This data may include information on network traffic, firewall rules, and security events.
  • Data analysis: The firewall analyzer then analyzes the collected data to identify potential vulnerabilities and threats in the network. This may include identifying open ports, misconfigured firewall rules, or unusual network traffic patterns.
  • Reporting and visualization: The firewall analyzer generates reports and visualizations that provide a detailed overview of the network's security posture. These reports may include information on compliance with relevant regulations and standards, as well as recommendations for remediation.
  • Alerting: The firewall analyzer may also include alerting features that notify security teams when potential threats or vulnerabilities are detected.

Some firewall analyzers can also be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.

Firewall optimization best practices

It is not uncommon for organizations to question if both a firewall analyzer and firewall management platform are necessary for improved network security. Firewall analyzers provide a strategic and operational view of the network security environment across multiple vendors. This contrasts with the firewall management platform’s operational and tactical capabilities which are vendor specific.

In addition, firewall analyzers can provide value for non-operational roles in an organization, such as auditors. Auditors can collect the information they need without having to access the firewall management platform directly or involve the operations teams who administer the platform.

Conclusion

Overall, firewall optimization using firewall analyzer tools and firewall management platforms are important for the network’s health and security. While they serve different purposes, they also complement each other with their unique capabilities. Organizations that need visibility into the performance of the network along with recommendations for improving the firewall security should consider a firewall optimization strategy that incorporates both capabilities.

AT&T Cybersecurity Consulting has more than 20 years of experience increasing network security and performance using its firewall optimization programs. Learn more about the benefits and best practices of implementing a firewall optimization strategy that incorporates both firewall analyzer tools and firewall management platforms. Contact us today to get started.

The post What is firewall optimization? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

This blog was jointly authored with Arjun Patel.

GuLoader is a malware downloader that is primarily used for distributing other shellcode and malware such as ransomware and banking Trojans. It was first discovered in the wild in late 2019 and has since become a popular choice among cybercriminals due to its effectiveness and ease of use. Researchers at cybersecurity firm CrowdStrike have recently published a technical write-up detailing the various techniques used by GuLoader to avoid detection.

One of the key features of GuLoader is its ability to evade detection by traditional security solutions. It uses several techniques to avoid being detected, including packing and encryption, as well as utilizing legitimate websites and services as command and control (C2) servers. It also employs advanced anti-debugging and anti-analysis techniques, which makes it difficult for security researchers to reverse engineer and analyze its code.

GuLoader is typically spread through phishing campaigns, where victims are tricked into downloading and installing the malware through emails or links containing a Visual Basic script file. It can also be distributed through other means, such as drive-by downloads, where the malware is delivered to a victim's computer through a web browser without the victim's knowledge.

GuLoader utilizes a three-stage process to deliver the final payload to the infected host. During the first stage, the VBScript dropper file gets downloaded into a registry key as a persistence mechanism and delivers a next-stage payload. The second stage payload performs anti-analysis checks before injecting shellcode into memory.

If these checks are successful, the shellcode then downloads the final payload from a remote server and executes it on the compromised host. The shellcode incorporates various anti-analysis and anti-debugging measures, including checks for the presence of a remote debugger and breakpoints, scans for virtualization software, and the use of a “redundant code injection mechanism” to avoid NTDLL.dll hooks implemented by endpoint detection and response (EDR) solutions.

encrypted payload

*encrypted final payload

NTDLL.dll API hooking is a technique used by anti-malware engines to detect and flag suspicious processes on Windows by monitoring APIs that are known to be abused by threat actors. The method involves using assembly instructions to invoke the necessary Windows API function to allocate memory and inject arbitrary shellcode into that location via process hollowing. GuLoader's “redundant code injection mechanism” is designed to avoid these NTDLL.dll hooks, making it more difficult for EDR solutions to detect and flag the malware.

One of the ways that GuLoader evades detection is through its use of legitimate websites and services such as C2 servers. This means that it uses websites that are not known to be malicious as a means of communicating with its command-and-control (C2) center. This can make it difficult for security researchers to identify the C2 servers being used by the malware, as they are not typically flagged as malicious.

In addition to its advanced evasion techniques, GuLoader is also highly customizable, which allows cybercriminals to tailor the malware to their specific needs. This includes the ability to change the appearance of the malware, as well as its behavior and functionality.

Also, GuLoader has also been observed using JavaScript malware strain RATDispenser to drop the malware via a Base64-encoded VBScript dropper. This allows the malware to bypass security measures and gain access to infected systems.

GuLoader has been used in high-profile attacks, including the Ryuk ransomware attack, which targeted government agencies and other large organizations. It has also been used in attacks on healthcare organizations, as well as in attacks targeting individuals and small businesses.

GuLoader is a highly effective and versatile malware that can evade detection and distribute a wide range of malicious payloads. With its exceptional ability to check for anti-analysis at every step of execution, the malware downloader can constantly bypass security checks and avoid being detected by some of the security solutions. Due to its capability to hide without being detected, it poses a significant threat to all levels of enterprises whether it’s small business or a large enterprise.

It is important for organizations to be vigilant in protecting their systems and data from this type of malware. This can be achieved by implementing a combination of various security tools such as Next Generation Firewall (NGFW), Security Information and Event Management (SIEM) and EDR and best security practices at each layer of the organization’s infrastructure.

GuLoader IoC

*IOC for GuLoader

Sources/Articles

​​https://gbhackers.com/guloader-malware-advanced-anti-analysis/

https://www.crowdstrike.com/blog/guloader-dissection-reveals-new-anti-analysis-techniques-and-code-injection-redundancy/

https://www.scmagazine.com/brief/malware/security-system-bypass-techniques-added-to-guloader-malware-downloader

https://thehackernews.com/2022/12/guloader-malware-utilizing-new.html

About Perimeterwatch

PerimeterWatch gives you total control and management over your data. The rate of change on the internet, mobile, distributed processing and other technologies is- simply staggering. Failing to keep up can doom even a well-established organization, but bringing in these new capabilities without fully effective security procedures and systems can be equally disastrous.

What PerimeterWatch offers is a truly secure IT infrastructure. Whether that means a completely managed IT and security function or co-managing with your in-house people, we provide the security intelligence, the technical expertise and the implementation experience necessary to make sure your solutions solve your business problems – without simply creating new ones.

www.perimeterwatch.com

The post GuLoader – a highly effective and versatile malware that can evade detection appeared first on Cybersecurity Insiders.

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which left unchecked could wreak havoc with day-to-day business operations.

Investigation

The alarm

One evening after normal business hours, an alarm came in indicating a software package attempting to execute on a server was auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response tool (EDR) has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first.

The below image is for an alarm for malware which ended up being process automation software

Sentinel 1 alarm

but nonetheless was automitigated (process killed) by SentinelOne as shown in the log excerpt below.

automatic mitigation

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server the prior several months, since entering SOC monitoring.

The customer questioned why after several months with the SentinelOne agent running on the server did the agent suddenly believe the software package was malicious. We were not able the answer the question specifically since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is a proprietary logic.

What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is the pre-execution behavior analysis that allows for process termination pre-execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, it means any endpoint being protected is a very dynamic battleground with the potential for an updated software package that did not trigger IOC rules yesterday triggering tehm today. Or a non-updated software package may suddenly be identified as potently malicious due to updated machine learning IOC behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between the use of immediate automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy which it has been programmed to implement, but in a ruthless fashion. A human evaluation will take longer, but it can consider prior history, the validity of the triggering IOCs in context, and the nuances of how selecting one response action over another might impact your overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as technology develops. But the human component will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intrusion. We must also work together to find the space in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.

The post Stories from the SOC  – The case for human response actions appeared first on Cybersecurity Insiders.

Some of the biggest prevailing challenges in the cybersecurity world over the last year have been those revolving around securing the software supply chain across the enterprise. The software that enterprises build for internal use and external consumption by their customers is increasingly made up of third-party components and code that can put applications at risk if they aren't properly secured.

It's a problem that cuts across every industry, but manufacturers are feeling it especially acutely because they're tasked with securing not only the software supply chain but the physical supply chain as well. It's a very layered risk issue for manufacturers for two big reasons.

First of all, the things that manufacturers produce today are increasingly connected and more software dependent than ever before. They depend on a host of specialized silicon and digital components that are invariably produced by third-party manufactures themselves, creating a nested chain of third-, fourth-, and Nth-party dependencies that are difficult to track, let alone manage risk against.

Secondly, the factory floor itself is a part of the supply chain that is becoming more intricately converged with the IT network and which is highly dependent on third-party equipment, software, and remote connections.

Given these factors, it becomes clear that managing cybersecurity risk across the supply chain will require manufacturers to carefully attend to the risk brought to the table by their third-party suppliers and contractors. And on the flip side, many manufacturers who provide components to clients who are also manufacturers must stay vigilant as security standards rise for what it takes to get their products in the door elsewhere.

“As I've been doing in-depth interviews for our AT&T Cybersecurity Insights Report and also doing customer calls, one of the things I've observed about manufacturers in the supply chain is that even when they're smaller—say, 50- to 100-person shops—they're still saying, 'Security is critical to us,'” says Theresa Lanowitz, security evangelist for AT&T. “They know they need to be doing everything they can to abide by their customers' security guidelines, external rules and regulations, and mitigating the risk required to keep the entire supply chain secure.”

It's an issue that cybersecurity experts at AT&T like Lanowitz and those at Palo Alto Networks have increasingly been collaborating on to help manufacturing customers address across their organizations. The following are some tips they recommend for manufacturers managing third-party cyber risk in the supply chain.

Risk scores and signals matter

Because digital components and hardware are so woven into the products that supply chain providers deliver to their manufacturing clients, risk scores and signals matter more than ever. According to Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, it's up to companies determine what their risk appetite is for their providers—depending especially on what they're delivering to the supply chain—and start finding ways to get transparency into that.

“Ask yourself, 'What's our risk appetite for suppliers that we work with?'” he says. “You want to know that before you engage with them. Then there needs to be some kind of framework or certification that says 'Hey, this company is secure enough to do business with’.”

He says some governments have provided that kind of grounding—for example in Germany the automotive industry relies on the TISAX certification to prove out baseline security proficiency. Barring that, the growing world of third-party risk management monitoring is another place to start getting transparency. Ultimately, the goal is to do third-party screening of every bit of coding or connectivity delivered by suppliers into a manufacturer's supply chain or production streams.

Supplier contracts need to account for cyber risk

Even more important, says Debisarun is that manufacturers ensure that their cyber security standards are enforced contractually.

“You can only work this out contractually. You need to have cybersecurity and cyber risk requirements embedded into all the supplier contracts you put in place,” he says. “It's something manufacturers should really consider doing.”

Some of the things that should be enforced include disclosure of big security incidents or material software vulnerabilities, how remote access is established and maintained between supplier and manufacturer, how and when security audits or certifications are provided, and so on.

Managing third-party risk on the factory floor

Meantime, because the actual manufacturing capability of organizations is so intertwined with third parties, managing factory floor vendors securely is crucial. Debisarun explains that the assembly line floor today is almost never managed by the manufacturer itself.

“It's going to be an assembly line floor run by Siemens or Rockwell or ABB. And when these assembly lines are delivered by these giants of the manufacturer ecosystem, they will never allow the customer to do maintenance on that assembly line,” he says, explaining that big vendors contractually require that they handle the maintenance on this equipment.

In most cases, this requires remote access—especially now in this post-COVID world.

“At which point the manufacturer is flying blind,” he says.

This highlights the importance of setting up mitigating controls like secure remote access and Secure Access Service Edge (SASE) architecture that creates a pathway for the manufacturer to at least control the traffic in their network. At the core of SASE is Zero Trust Network Access (ZTNA 2.0) which combines fine-grained, least-privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product. This is an integral and oft-forgotten part of managing third-party risk in the manufacturing world.

Architect and collaborate – with resilience top-of-mind

Finally, organizations should be architecting their supply chain and coordinating their vendor management to keep cyber resilience top-of-mind. According to Lanowitz, the key is remembering the concept of eliminating 'single points of failure.'

“If you are a major car manufacturer, for example, and you're using tiny suppliers to help you build out your cars, you want to make sure that if they go out of business, if there's a fire in their plant, or their operations are interrupted by ransomware, you're not going to need to stop your assembly line waiting for them,” she says.

Debisarun agrees, explaining that every manufacturer should have a plan B and C for when cybersecurity events at suppliers create downstream impact.

“If one supplier breached, how long should you wait to it's resolved?” And that basically comes back to the contracts you are signing—the plan needs to be built into that so you aren't dependent on one supplier's readiness to handle a cyber event or a physical event,” he says.

The post Third party Cybersecurity risks in securing the supply chain appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

A radius server uses a network protocol for remote user authentication and authorization. It is a client/server protocol that allows a remote user to access a network using a shared secret (usually a password). RADIUS servers are typically located on the perimeter of a network and use port 1812 (UDP) or 1645/1813 (TCP).

RADIUS was originally developed by Livingston Enterprises, Inc. in 1991. It is now an IETF standard (RFC 2865). The following are the most important things to know about RADIUS server authentication.

  •  RADIUS is a remote authentication dial-in user service

It was developed to provide centralized authentication, authorization, and accounting management for networked devices such as routers and switches.

What does dial-in refer to here? Dial-in is a type of authentication that allows a user to connect to a network remotely using a phone line or other connection. RADIUS servers are used to manage user access to a network. They can be used to control who can access the network, what services they can use, and how much bandwidth they can consume.

  •  RADIUS is an alternative to TACACS and is often used in conjunction with TACACS+ for authentication and authorization

The reason for this is that RADIUS is typically used for remote access, while TACACS+ is usually used for device administration. While both protocols can be used for both purposes, RADIUS is usually the preferred protocol for remote access.

  •  A RADIUS server typically uses UDP port 1812 (or TCP port 1645/1813) to communicate with clients

RADIUS servers typically listen on UDP port 1812 (or TCP port 1645/1813). When a RADIUS client sends a request to the server, it includes the secret key in the request. The server uses this key to authenticate the client and authorize the request.

RADIUS is a client/server protocol, which means that each RADIUS client must have a corresponding RADIUS server. A RADIUS client is typically a network device such as a router or switch. A RADIUS server is a computer that runs the RADIUS software and manages user access to the network.

What this means is that for a user to be able to access the network, they must first authenticate with the RADIUS server. The RADIUS server then authorizes the user's access to the network and controls what services they can use.

  •  RADIUS uses a client/server architecture

The RADIUS server is responsible for authenticating users and maintaining their account information, while the RADIUS client is typically a network device that forwards authentication requests to the server. The reason this distinction matters is that it allows the server to be centrally located and managed, while the clients can be distributed throughout the network. This architecture also makes it possible for the server to authenticate users against multiple databases, such as an LDAP server or a local file.

The implications of this are that if the server goes down, the entire network will be unavailable to users. This is why it is important to have redundant RADIUS servers in a production environment.

  •  A RADIUS server can authenticate users against multiple databases

RADIUS supports multiple authentication methods, including PAP, CHAP, MS-CHAP, and EAP. PAP is the simplest authentication method and sends the username and password in clear text. CHAP encrypts the password but sends it over the network in plain text. MS-CHAP encrypts both the username and password. EAP is a more secure authentication method that uses digital certificates.

  •  RADIUS uses UDP for transport

RADIUS uses UDP as its transport protocol. UDP is a connectionless protocol, which means that each packet is sent independently and does not require a connection to be established beforehand. This makes RADIUS very scalable, as it can support a large number of clients without requiring a lot of resources on the server.

It matters that RADIUS uses UDP for transport because UDP is a less reliable protocol than TCP. This means that RADIUS packets can be dropped or lost in transit. However, this is usually not a problem because RADIUS uses retransmission and error checking to ensure that packets are delivered reliably.

  •  The RADIUS server must have a shared secret with the clients

The RADIUS server and clients must have a shared secret, which is used to encrypt and decrypt packets. This shared secret is typically a password or phrase that is known only to the server and clients. Without the shared secret, an attacker would not be able to read or modify the packets being exchanged between the server and clients.

  •  RADIUS uses Access-Request and Access-Accept packets

When a client sends an authentication request to a RADIUS server, it does so using an Access-Request packet. The server then responds with an Access-Accept or Access-Reject packet, depending on whether the authentication was successful. If the authentication was successful, the server will also include an Access-Challenge packet, which contains a challenge that the client must answer to prove its identity.

  •  RADIUS can be used for AAA

RADIUS can be used for AAA, which stands for Authentication, Authorization, and Accounting. Authentication is the process of verifying a user's identity, authorization is the process of determining what resources a user is allowed to access, and accounting is the process of tracking and billing for a user's usage.

AAA is a common security model that is used to control access to network resources.

  •  RADIUS is standardized by the IETF

RADIUS is a standards-based protocol, which means that it is defined by an Internet Engineering Task Force (IETF) specification. The most recent version of the RADIUS specification is RFC 2865, which was published in June 2000.

  •  RADIUS is commonly used by ISPs

RADIUS is commonly used by Internet service providers (ISPs) to authenticate and authorize users who are trying to access the internet. RADIUS is also used by corporate networks to authenticate and authorize users who are trying to access the network.

  •  There are a few different RADIUS implementations

There are a few different RADIUS implementations, including FreeRADIUS, Microsoft NPS, and Cisco ACS. FreeRADIUS is the most popular open-source RADIUS server. Microsoft NPS is the RADIUS server included in Windows Server. Cisco ACS is a commercial RADIUS server from Cisco Systems.

Conclusion

These are the most important things to know about RADIUS server authentication. RADIUS is a critical part of many network security systems, and understanding how it works is essential for anyone who is responsible for managing a network.

The post RADIUS server authentication: Old but still relevant appeared first on Cybersecurity Insiders.

Read the previous blog on Governance of Zero Trust in manufacturing in the series here.

Manufacturers are some of the most ambitious firms on the planet when it comes to harnessing the power of edge technology to modernize their businesses. As they make plans in 2023 to  enhance business outcomes through the use of technologies such as 5G and IoT, manufacturers should also increasingly be called to innovate in the spheres of governance and cyber risk management.

OT-IT convergence drives manufacturing modernization

The convergence of operational technology (OT) on the factory floor with information technology (IT) is nearly synonymous with manufacturing modernization. OT-IT convergence enables new digital processes, remote connections, and smarter operations. It's a business outcome-oriented transformation that executive stakeholders have future success pinned upon.

Recent studies from AT&T show that manufacturers are investing in initiatives  such as smart warehousing, transportation optimization and video-based quality inspection at such a rate that the industry is advancing ahead of energy, finance, and healthcare verticals when it comes to edge adoption today.

But to reap the business benefits from these investments, manufacturers need to recognize and attend to the cyber risk realities that are part and parcel with this inevitable convergence.

Cybercriminals are increasingly targeting industrial control system (ICS) technologies that are the bedrock of the OT ecosystems. Attackers have learned to take advantage of ICS hyperconnectivity and convergence with the IT realm to great effect. Last year's warning from the federal Cybersecurity and Infrastructure Security Agency (CISA) attests to this, as do high-profile attacks last year against tire manufacturers, wind turbine producers, steel companies, car manufacturers, and more.

Reducing risk through Zero Trust

One of the most promising ways that manufacturers can begin to reduce the risk of these kinds of attacks is through the controls afforded by a Zero Trust architecture. From a technical perspective, Zero Trust unifies endpoint security technology, user, or system authentication, and network security enforcement to prevent unrestrained access to OT or IT networks—and reduce the risk of unchecked lateral movement by attackers. With Zero Trust, access is granted conditionally based on the risk level of users (or machines, or applications). It's a simple, elegant concept that requires careful execution to carry out.

Thus, when looking at building a zero-trust strategy, ZTNA 2.0 solutions have a role to play in helping apply more effective controls at the application level that are responsive to account takeover attempts. ZTNA 2.0 combines fine-grained, least- privileged access with continuous trust verification and deep, ongoing security inspection to protect all users, devices, apps, and data everywhere – all from a simple unified product.

Most importantly, too, is that Zero Trust requires business stakeholder input and collaboration to get right. Just as business stakeholders in manufacturing drive the push to the edge and the push for all nature of digital transformation and OT-IT convergence, they've got to be intimately involved with Zero Trust initiatives to spur success.

“Technology can come and go, but what manufacturers are really after are business outcomes,” says Theresa Lanowitz,  head of cybersecurity evangelism for AT&T. “That's where we need to focus when it comes to Zero Trust—at its core it needs to be driven by the business, which really sets the North Star for Zero Trust governance.”

Zero Trust should be owned by business stakeholders

At the end of the day, Zero Trust projects should be owned by the business, agrees Dharminder Debisarun, worldwide industry security architect for manufacturing, Internet of Things and transport at Palo Alto Networks, who says that when his group is approached by manufacturers interested in building out Zero Trust infrastructure, the team always turns conversations back to the business basics.

“People bring us in and say 'We want to do Zero Trust, how can you help?'” Debisarun says, explaining that they're usually starting with very technical deployment questions about elements like Secure Access Service Edge (SASE) and remote access management. “We usually take a step back then and ask, 'Why do you want to do Zero Trust? What's the business goal for it?'”

Similarly, Debisarun says they try to involve business stakeholders into collaborative risk discussions before getting into the meat of architectural design. That step back will hopefully get a manufacturer focused on doing risk assessments and other business alignment activities that will shape the way risk is managed—based on business goals, rather than narrow technical specifications. It will also get the entire team thinking about how the value of OT and IT assets are determined and establish the roadmap for where and how Zero Trust security technologies are deployed over time.

Business stakeholders have the most prescient and intimate knowledge of the emerging business conditions, regulatory demands, partnership agreements, and supply chain considerations that are going to impact risk calculations. This is why business ownership is the cornerstone and foundation for Zero Trust governance.

When manufacturers direct the security team with an eye toward  business outcomes, these technical executors are less likely to take a tools-only approach to technology acquisition to engage in reactionary spending based on the latest breach headlines. Incremental improvements will be built up around security controls that manage risk to the most critical operational processes first, and also around the processes and systems most put at risk by new innovations and business models.

The post Governance of Zero Trust in manufacturing appeared first on Cybersecurity Insiders.

We’re so excited to announce our 2023 Partner of the Year awards. These annual awards recognize AT&T Cybersecurity partners that demonstrate excellence in growth, innovation, and implementation of customer solutions based on our AT&T USM Anywhere platform.

AT&T Cybersecurity’s 2023 Global Partner of the Year award goes to Cybersafe Solutions! Cybersafe Solutions experienced incredible growth in 2022 and we’re thrilled to be partnering with their team to help customers orchestrate and automate their security.

In addition to Cybersafe Solutions as our Global Partner of the Year, we’re proud to recognize seven other partners who demonstrated excellence in 2022. See below for the full list of winners and their feedback regarding their partnership with AT&T Cybersecurity.

Global Awards:

Global Partner of the Year: Cybersafe Solutions

“I am humbled and honored to accept AT&T's 2023 Global Partner of the Year Award. Throughout our partnership, we have worked together to develop a comprehensive solution that enables Cybersafe to continuously monitor our customers' networks to identify and mitigate threats rapidly. Sincere thanks to the entire AT&T team on contributing to this success.  We are truly excited for what the future holds!”

-Mark Petersen, Vice President of Sales

Growth Partner of the Year: Xerox

New Partner of the Year: Arete Advisors

“Arete is honored to be named AT&T Cybersecurity’s New Partner of the Year. Our complementary partnership combines unique threat intelligence from AT&T’s USM Anywhere SIEM platform with Arete’s XDR platform to provide our clients with faster threat detection and greater clarity. We look forward to a future of continued growth together as we work to transform the way organizations prepare for, respond to, and prevent cybercrime.”

-Joe Mann, CEO

Distributor of the Year: Ingram Micro

“The cybersecurity threat landscape is growing in complexity—calling for greater collaboration across the IT channel ecosystem and between MSPs and their customers to stay secure. Together with AT&T Cybersecurity we are empowering channel partners with the knowledge and solutions needed to better protect their house and their customers from cyber attacks. It is an honor to be recognized three years in a row as AT&T Cybersecurity’s Distributor of the Year.”

-Eric Kohl, Vice President, Security and Networking

Regional Awards

These awards recognize partners that had the highest sales bookings in each of the 4 regions during last year.

North American Partner of the Year: Coretelligent

“We are honored to be recognized as AT&T Cybersecurity’s North American Partner of the Year and look forward to our continued partnership and delivering leading-edge security solutions to our shared clients. Coretelligent and AT&T Cybersecurity are a best-in-class pairing that provides the robust and secure cybersecurity management and monitoring that enterprises need to defend against the extreme threats of today’s cyber landscape.”

-Kevin J. Routhier, Founder and CEO

EMEA Partner of the Year: Softcat

“We are thrilled to be announced as AT&T’s Cybersecurity EMEA Partner of the year for 2023. We’ve thoroughly enjoyed working with AT&T of the course of the past year and we’re so thankful that our dedication has paid off. We’d love to thank everyone at AT&T and Softcat who has worked with us on various projects during this period.”

– Aoibhín Hamill, Cyber Managed Services Advisor

APAC Partner of the Year: Vigilant

“We are thrilled and honored to receive the prestigious AT&T Cybersecurity APAC Partner of the Year award! This recognition is a testament to our team's hard work and commitment to delivering exceptional cybersecurity solutions to our clients. At Vigilant Asia, we strive to be at the forefront of innovation and this award affirms our efforts. Here’s to more partnership success!”

-Victor Cheah, CEO

Latin American Partner of the Year: GMS

“GMS is thrilled to be named Latin American Partner of the Year for 2023. Having previously garnered this distinguished award, our partnership with AT&T Cybersecurity only gets stronger as time goes on. AT&T’s continued innovation is central to our value proposition, and we feel privileged to work so closely with a company that shares our commitment to providing optimal security for our customers throughout the Andean region.”

-Esteban Lubensky, Executive President

The post AT&T Cybersecurity announces 2023 ‘Partner of the Year Award’ winners appeared first on Cybersecurity Insiders.