Category: Detect

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“While defenders pursue the most powerful and advanced solutions they can find, the enemy needs only a single user with a bad password or an unpatched application to derail an entire defensive position.” This quote by Dr. Chase Cunningham from his book, “Cyber Warfare – Truth, Tactics, and Strategies,” seems a fitting way to begin the topic of cybersecurity battlegrounds.

Regardless of the techniques used, going big, expensive, and glossy – while potentially useful – doesn’t replace the need for a well-reasoned approach to securing assets founded on traditional activities and principles. Innumerable assets are housed behind APIs, and the widespread use of APIs means they are high-profile targets. Securing them is of the utmost importance.

Two historical books came to mind for this topic:

• Art of War, by Sun Tzu
• Book of Five Rings, by Miyamoto Musashi

I chose these two due to their applicability to the topic (oddly enough because they are less specific to modern security – something about their antiquity allows for a broader application).

After revisiting the books, I decided to take Musashi’s five (5) principles (scrolls; Earth, Water, Fire, Wind, and Void) and match them as best as possible with 5 of the numerous teachings from Sun Tzu. I then applied them to securing APIs in the growing cybersecurity arena where there are an increasing number of threat actors.

Musashi’s focus in the Earth Scroll is seeing the bigger picture. Practitioners need to know the landscape or the 30,000 ft view. Sun Tzu said, “The supreme art of war is to subdue the enemy without fighting.”

One needs to understand the nature of API attacks and attackers in securing APIs. One example of a common exploit category is Security Misconfiguration.

Some fundamental API security activities that can prevent attacks before they even get started including following an SDLC, implementing access control, deploying some form of edge protection, using continuous monitoring and alerting, and using appropriate architecture and design patterns.

API attackers are ruthless and relentless. Most criminals want an easy win and using good defense will fend off a high percentage of attacks.

Encryption is a must, both in transit and at rest. The enemy can be thwarted by not being able to use what was stolen.

It’s important to be experienced and flexible – or fluid – on an individual level, and that includes one’s role in the company. Sun Tzu said, “Be flexible.”

Gathering cyber threat intelligence (CTI) makes it possible to adapt to changing threats in real time. Intelligence gathering, even using Contextual Machine Learning (CML), means that one doesn’t depend on past information, hearsay, rumors, or peer information. Rely on as much clear, relevant, and current information as possible about threats and risks for one’s own company.

In addition to CTI, focus on a well-designed and tested incident response plan.

Intelligence and responding to incidents go a long way toward making company security agile and adaptable.

The Fire aspect is about the actual use of the weapons (tools) on the battlefield. Sun Tzu said, “The enlightened ruler lays his plans well ahead; the good general cultivates his resources.”

Now that the proper foundations have been built, it’s time to use the API tools that have been implemented.

Manage and maintain the API resources and identify the strengths and weaknesses of the API system, Ensuring secure authentication and authorization methods for API access.

Also, set fire to vulnerabilities through regular security testing. This should include vulnerability scanning and pentesting, if not red/blue/purple teaming, or even something like Chaos Monkey to test uptime (an oft-overlooked aspect of API security).

This is also interpreted as “Style.” Here, the goal is to study (not just passively observe) opponents. Sun Tzu said, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

For the modern day, we’ll expand this to studying how other companies have dealt with cybercrime and cyberattacks. One will improve by studying others based on facets such as industry, regulations, and org size.

It's easy for a company to a) think it's alone or b) believe it does better than anyone. This can lead to isolation. Org leaders have every reason to set their org apart – distinction is a major component in having a chance at creating a profitable, if not lasting, business. But there aren't all that many ways to uniquely secure a business – phishing is phishing whether against an international enterprise or a local coffee shop; an API for a fintech org is much the same as an API for ice cream shop (the architectures available are only in a few flavors) – many people can use it and abuse it.

Intelligence sharing with other companies can be helpful in creating a secure community.

The idea here – also called Emptiness, is understood as “no mind.” This doesn’t mean that no brain activity is involved, but points more to intuition, awareness, and acting on instinct. Action doesn’t always require thinking things through, getting input from others, and planning something. Some things – whether by natural inclination or by training – are just second nature.

Sun Tzu said, “Utilize your strengths.”

Play to your strengths: individual, departmental, corporate. There’s no one else like you or your company.

Leverage the strengths of your API resources to enhance security. Make sure you know your tools in and out. Often, they’re expensive and very likely, they’re not used to full capacity.

Focus on continuous learning and improvement. This requires a team of individuals who work well together and are independently passionate about defending data.

This intuitiveness is not based on industry, spreadsheets, or data analysis but depends on relevant stakeholders' individual and collective expertise. Often, it will be addressing many fronts at once, such as improved IR, developer training, choosing a platform that provides numerous API protections (while also avoiding a single point of failure), getting legal and compliance teams to determine next steps in the privacy regulation landscape, and performing regular incident response and disaster recovery exercises.

To paraphrase the classic ending of many of Musashi’s teachings, these ideas should be given careful and thorough reflection.

The post API security: the new security battleground appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. ​

According to the Open Web Application Security Project (OWASP, 2019), broken object-level authorization (BOLA) is the most significant vulnerability confronting modern application programming interfaces (APIs). It can be exciting to pursue innovations in the API area, but while doing so, programmers must ensure that they are adequately attentive to security concerns and that they develop protocols that can address such concerns. This article will describe the problem of BOLA and its consequences, and then it will present potential actions that can be taken to solve the problem.

The problem

​OWASP (2019) indicates the following regarding BOLA: “Attackers can exploit API endpoints that are vulnerable to broken object-level authorization by manipulating the ID of an object that is sent within the request” (para. 1). For example, a hacker may access information regarding how various shops make requests to an e-commerce platform. The hacker may then observe that a certain pattern exists in the codes for these requests. If the hacker can gain access to the codes and has the authorization to manipulate them, then they could establish a different endpoint in the code and thereby redirect all the data to themselves.

The exploitation of BOLA vulnerabilities is very common because, without the implementation of an authorization protocol, APIs essentially have no protection whatsoever against hackers. To attack this kind of APIs, the hacker only needs the capability to access request code systems and intercept data by manipulating the codes, which can be done rather easily by anyone who has the requisite skills and resources (Viriya & Muliono, 2021). APIs that do not have security measures in place are thus simply hoping that no one will know how to conduct such an attack or have the desire to do so. Once a willing hacker enters the picture, however, the APIs would have no actual protections to stop the hacker from gaining access to the system and all the data contained within it and transmitted across it.

The consequences

​BOLA attacks have significant consequences in terms of data security: “Unauthorized access can result in data disclosure to unauthorized parties, data loss, or data manipulation. Unauthorized access can also lead to full account takeover” (OWASP, 2019, para. 3). In short, BOLA attacks produce data breaches. Stories about data breaches are all too common in the news, with a very recent one involving a healthcare organization in Texas (Marfin, 2022). While not all data breaches are the result of BOLA attacks, many of them are, given that BOLA is a very common vulnerability in APIs. The specific consequences of a successful BOLA attack, as well as the magnitude of those consequences, would depend on the target of the attack.

For example, if the target is a healthcare organization, then the data breach could lead to hackers gaining access to patients' private health insurance. If the target is a bank, then the hackers would likely be able to access customers’ social security numbers. If the target is an e-commerce website, then data regarding customers’ credit card numbers and home addresses would be compromised. In all cases, the central consequence of a BOLA attack is that hackers can gain access to personal information due to a lack of adequate security measures within the APIs in question.

The solution

​The solution to BOLA is for programmers to implement authorization protocols for accessing any data or codes within an API. As OWASP (2019) indicates, prevention of BOLA will require the implementation of “an authorization mechanism to check if the logged-in user has access to perform the requested action on the record in every function that uses input from the client to access a record in the database” (para. 9).

BOLA vulnerability essentially has to do with APIs and assuming that if a user has access to the information required to make a request, then they must automatically be authorized to make that request. This assumption is obviously fallacious since hackers can gain access to the information and then use it to manipulate the API even though they have no actual authorization to do so.

Therefore, preventing BOLA vulnerability requires a system that not only responds to the user’s inputs but is also able to verify whether the user is authorized to perform the desired actions (Blokdyk, 2022). For example, the system may require an external password that a hacker would not be able to find simply by perusing data and information within the API itself.

The solution to BOLA, then, is straightforward one. APIs currently focus on object IDs for authenticating requests, which is altogether inadequate from a data security standpoint. To prevent BOLA, APIs must track the users themselves and focus on ensuring that users are properly authorized to make requests, take actions, and provide inputs within the system. The BOLA vulnerability is based entirely on the fact that programmers often fail to implement such a protocol. Such implementation would eliminate the entirety of the vulnerability insofar as hackers will then not be able to access and manipulate target APIs.

Perhaps BOLA is thus a case study in humility. As programmers explore new frontiers of modern APIs, they must also ensure that they do not neglect the basics. The implementation of user authorization protocols to prevent BOLA vulnerability must be understood as a foundational element for any sound API, and doing so will address a key OWASP priority. 

References

Blokdyk, G. (2022). User authentication and authorization. 5STARCooks.

Marfin, C. (2022, July 12). Tenet Healthcare faces lawsuit after data breach affects 1.2 million ​patients. Dallas Morning News. ​​https://www.dallasnews.com/news/courts/2022/07/12/tenet-healthcare-faces-lawsuit-after-data-breach-affects-12-million-patients/

Open Web Application Security Project. (2019). API2:2019 broken object level authorization. ​GitHub. https://github.com/OWASP/API-Security/blob/master/2019/en/src/0xa1-broken-​object-level-authorization.md

Viriya, A., & Muliono, Y. (2021). Peeking and testing broken object level authorization ​vulnerability onto e-commerce and e-banking mobile applications. Procedia Computer ​Science, 179, 962-965.

The post Broken Object Level Authorization: API security’s worst enemy appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Introduction:

Dridex, also known as Cridex or Bugat, is a banking Trojan that has been active since 2011. The malware is primarily used to steal sensitive information, such as login credentials and financial information, from victims. Dridex is known for its ability to evade detection by using dynamic configuration files and hiding its servers behind proxy layers.

The Dridex malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The malware then uses web injections to steal financial information from the victim.

One of the interesting features of Dridex is its use of a peer-to-peer (P2P) network for command and control (C&C) communication. This allows the attackers to evade detection by security researchers and law enforcement, as the C&C servers can be quickly changed if one is discovered.

In terms of atomic techniques, Dridex uses a variety of methods to evade detection and maintain persistence on an infected system. Some of these techniques include:

• Fileless infection: Dridex can infect a system without leaving any trace of a malicious file on the hard drive.
•  Process hollowing: Dridex can inject its code into a legitimate process in order to evade detection by security software.
•  Anti-debugging and anti-virtualization: Dridex can detect if it is running in a virtualized environment or if it is being debugged, and will terminate itself if it is.

Dridex is a well-known and sophisticated banking trojan that has been active for more than a decade, the malware has been known to target financial institutions, businesses, and individuals. Despite the arrest of one of its administrators in 2015, the malware continues to be active and evolve.

Recent infection on Macs:

The recent variant of Dridex malware that targets MacOS systems delivers malicious macros via documents in a new way. The malware typically spreads through spam email campaigns, with the emails containing a malicious attachment or link that, when clicked, will install the malware on the victim's computer. The variant overwrites document files to carry Dridex's malicious macros, but currently, the payload it delivers is a Microsoft exe file, which won't run on a MacOS environment. This suggests that the variant may still be in the testing stages and not yet fully converted to work on MacOS machines. However, it's possible that the attackers will make further modifications to make it compatible with MacOS in the future.

Once the malware is installed on the system, it searches for files with .doc extensions and overwrites them with the malicious code. The overwritten code has a D0CF file format signature, implying it is a Microsoft document file. This means that the malicious macros are delivered via document files, which makes it harder for the user to determine if the file is malicious or not.

The malware also uses basic string encryption to hide the malicious URL it connects to in order to retrieve a file. This method of delivery is different from the traditional method of delivery, which is through email attachments. This shows that the attackers behind Dridex are trying to find new targets and more efficient methods of entry.

How it works:

Dridex is a banking Trojan that is typically distributed through phishing email campaigns. The malware is delivered as an attachment, often in the form of a Word or Excel document, that contains a malicious macro. Once the macro is enabled, it will download and execute the Dridex payload on the victim's system.

Once installed, Dridex can perform a variety of malicious actions, including keylogging, capturing screenshots, and stealing login credentials. The malware can also be used to create a botnet, allowing the attackers to remotely control the infected systems.

Dridex uses web injects, which are modules that can inject HTML or JavaScript code into a web page before it is rendered. This allows the malware to manipulate the appearance of web pages and trick the user into entering sensitive information, such as login credentials or credit card numbers. The malware can then send this information to its command and control (C2) server.

Dridex uses a variety of techniques to evade detection and maintain persistence on an infected system. These include using code injection to infect other processes, using named pipes to communicate with other processes, and using anti-debugging and anti-virtualization techniques to evade analysis.

In addition, Dridex uses a technique called “Heaven's Gate” to bypass Windows' WoW64 (Windows 32-bit on Windows 64-bit) layer, allowing it to execute 64-bit code on a 32-bit system. This technique involves using a feature in Windows that allows 32-bit applications to call 64-bit functions. By running malware code in a 64-bit environment, Dridex evades detection and anti-analysis by security tools that are not designed to detect 64-bit malware on 32-bit systems.

Remediation:

1. Isolate and remove the malware: Identify and isolate any infected systems and remove the malware using reputable anti-virus software.

2. Change all passwords: Dridex malware is known to steal login credentials, so it is important to change all passwords on the affected systems.

3. Patch the system: Ensure that all systems are fully patched and updated with the latest security fixes.

4. Use endpoint protection: Implement endpoint protection software to detect and block Dridex malware and other malicious software.

5. Monitor network traffic: Monitor network traffic for suspicious activity and use intrusion detection systems (IDS) to detect and block malicious traffic.

6. Employee education: Educate employees on how to identify and avoid phishing scams, and to be cautious when opening email attachments or clicking on links.

7. Regular backups: Regularly backup important data and keep backups in a secure location.

8. Use a firewall: Use a firewall to block incoming and outgoing connections from known malicious IP addresses.

Conclusion:

In conclusion, Dridex is a well-known banking trojan that has been active since 2012, targeting financial institutions and their customers. The malware is typically distributed through phishing email campaigns, using attachments or links that lead to the downloading of the malware. Once on a system, Dridex can use various techniques to steal sensitive information and uses a technique called web injection to manipulate web pages and steal credentials. Remediation efforts should include monitoring for suspicious activity, blocking known malicious IPs and domains, keeping software updated, and educating users on how to identify and avoid phishing attempts. Additionally, monitoring for known indicators of compromise and inspecting processes and dll files that are known to be targeted by Dridex can help detect and prevent Dridex infections.

The post Dridex malware, the banking trojan appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Customers’ willingness to give you their personal data begins with the experience they receive. Convincing them requires the right tone, an outlook of what they’ll get in return, and most importantly, a high level of trust. But while companies depend on customer data to unlock growth, user-centric data collection can be tricky.

43% of U.S. consumers say they would not allow companies to collect personal data, even to accommodate more personalized, customized experiences, while 88% will give you their data if they trust your brand.

With this in mind, how do you meet customer expectations and proactively build consumer trust throughout the entire customer lifecycle? Effective user journey orchestration, supported by a robust Customer Identity & Access Management (CIAM) solution, can help you balance security, privacy, and convenience, resulting in a trust-worthy digital experience.

5 ways CIAM safely orchestrates your customers’ journey

CIAM is an effective solution for hassle-free and secure logins that enables you to retain more customers with seamless access across various digital channels. This is how CIAM safely orchestrates your customers’ journey.

1. Capture and manage customer identities to remove friction at registration and login

Businesses spend a lot to acquire new customers but tend to invest less in the experience once acquired. Meanwhile, providing a seamless and convenient experience is what eventually brings loyalty – and thus, the base to harness true ROI.

With CIAM, you no longer need to push every customer through the same rigid authentication processes when they visit your site. Put simply, CIAM ensures customers are always met at the digital front door, conveniently and without friction.  

For example, if customers are registering for the first time, you don't need to ask them to enter all their personal data immediately. Ask your customer for only needed information, at the right point in their journey. This will allow them to focus on their shopping experience or the task at hand rather than filling in forms.

When an existing customer wants to log into your site, you can make smarter decisions about how many authentication hoops you should make them jump through. For example, suppose the risk environment remains unchanged, and their behavioral context is the same as before. You might decide they don't need to enter their password again or authenticate using MFA.

CIAM allows you to adjust your authentication experience's friction level to make your customers' experience seamless.

2. Build robust customer profiles based on first-party, consent-based data

CIAM captures the personal data that the customer has released to your brand. This first-party data, which is based on consumer consent, enables your business to compile comprehensive client profiles by collecting and combining data from multiple channels. The data produced can assist your company in achieving a unified customer experience as your consumer engages with various business divisions.

First-party data is essential as third-party cookies are being blocked from browsers, and businesses need to invest in privacy-friendly ways to gather data for profiling their prospective customers. Besides from harnessing the value of data, consent-based data collection is a demonstration of respecting your customer’s privacy – a building block to achieving customers’ trust.

3. Orchestrate customer profiles in near real-time to other engagement solutions to deliver personalized experiences

Storing your customers' profile data in a single platform allows you to make timely and data-informed decisions furthering engagement with your customer with other solutions.

Take, for example, the way Spotify works. When you search for your favorite artist, the platform suggests other artists with the same style. These suggestions allow you to listen to more of your favorite music and offer an impeccable personalized experience. Wouldn’t you like your brand to treat your customers the same way?

If you get to know your customers better by building rich user profiles, you can use these profiles to tailor experiences across every digital property. And your customer will keep coming back to you for more.

4. Drive the adaptive authentication experience to limit burden and enhance security

Requiring your customers to provide an additional authentication factor by implementing MFA is one of the simplest ways to increase the security of the login flow. Email is an option that is often easier to implement, but it can increase customers’ effort at the authentication flow, and building frustration might cause them to opt for a competitor.

With CIAM, you can choose the authentication options, i.e., biometrics, that will be easiest or most secure for your customers without any additional worry about how difficult they might be to integrate and maintain within your application.

A customer identity platform only asks for the authentication you need and always asks for it when you need it, providing two sides of the same coin. If you can prove to customers that the friction added to the experience is always proportionate to the situation, you'll find it much easier to win their trust.

5. Adopt progressive profiling

A customer's introduction to your application is often a registration process, and you need to ensure that the process is efficient, seamless, and secure so that you don't lose the customer's attention along the way. This might mean primarily collecting only the minimum amount of information you require from your users. A 'just in time' and 'just enough' approach to data collection is the best strategy for building a frictionless and secure prospect-to-customer journey that leads to better conversion rates.

A CIAM solution can be configured to require as many or as few pieces of information about your customers as you wish to gather. This information can be stored centrally so that you can utilize the CIAM solution as the source of truth regarding customer personal information and be assured that this data is always secured. 

The main advantage of effective user journey orchestration

A significant benefit of deploying a cloud identity platform, and thereby adopting a user journey orchestration process, is that it helps establish the trust needed to build long-lasting relationships with your customers.

Businesses can acquire more customers by using CIAM and progressive profiling to streamline the registration process and asking for information over time rather than forcing new customers to fill out a long sign-up form at the very beginning. Also, reducing friction during login when existing customers return to any digital property can help your business retain customers.

By enforcing appropriate security measures in every situation, CIAM shows your customers that you are a trustworthy steward of their accounts and personal data. This increases the likelihood of repeat business, reduces the risk of account abandonment, and acts as a disincentive for churn.

The post How CIAM safely orchestrates your customers’ journey and its benefits  appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In today’s digital world, it’s no surprise that cyberattacks are becoming more frequent and intense. Enterprises worldwide are trying to defend themselves against attacks such as ransomware, phishing, distributed denial of service and more.

In this challenging cybersecurity landscape, now is the time for companies to prioritize security audits. What are cybersecurity audits and how often should they be to remain safe in the threatening IT world?

Cybersecurity audits and their importance

A cybersecurity audit establishes a set of criteria organizations can use to check the preventive cybersecurity measures they have in place to ensure they’re defending themselves against ongoing threats.

Because cybersecurity risks and threats are growing more sophisticated and frequent in nature, organizations must plan and conduct cybersecurity audits regularly. In doing so, they will have continuous protection from external and internal threats.

How often companies should perform security audits

There’s no official schedule companies must follow for their cybersecurity audits, but in general, it’s recommended that they perform audits at least once a year. However, the IT landscape is changing so quickly that more audits often amount to better protection for an organization.

Businesses working with sensitive information — such as personally identifiable information — should consider conducting cybersecurity audits twice a year, if not more frequently. However, keep in mind that your company may need more time or resources to perform quarterly or monthly audits. The goal is to balance the number of audits you perform and the amount you spend on the audits themselves.

There are many types of audits out there. For example, a blended audit that combines remote and in-person auditing tasks can be helpful for global organizations with remote workers. But two types of audits — routine and event-based — are important to know.

You should certainly conduct routine audits annually or semi-annually, and event-based audits should be done when any major events happen within your IT infrastructure. For example, suppose you add servers to your network or transition to a new project management software. In that case, these “events” require you to perform another audit, as the changes could impact your cybersecurity posture.

4 Benefits of performing audits

The primary purpose of a security audit is to find weaknesses in your cybersecurity program so you can fix them before cybercriminals exploit them. It can also help companies maintain compliance with changing regulatory requirements. Here are some of the primary benefits you can reap by performing regular security audits.

1. Limits downtime

Extended downtime can cost your business a lot of money. According to Information Technology Intelligence Consulting, 40% of organizations surveyed say hourly downtime can cost them between one and five million dollars, excluding legal fees, penalties or fines.

Downtime can occur due to poor IT management or something more serious like a cybersecurity incident. Auditing is the first step companies must take to identify weaknesses that could eventually lead to downtime.

2. Reduces the chance of a cyberattack

As stated above, the main goal of a security audit is to identify vulnerabilities in your cybersecurity program. However, this is only helpful if you and your IT team develop solutions to patch these vulnerabilities and weaknesses. In doing so, you’re improving your overall cybersecurity posture and increasing your level of protection against potential cyber risks, such as malware or phishing attacks, ransomware, and business email compromise — to name a few.

3. Helps maintain client trust

Customers and clients want to know the companies they do business with prioritize physical and cybersecurity. This gives them peace of mind that their sensitive data is not at risk of being exposed, stolen or even sold on the dark web.

Maintaining client trust should be an important objective for any company offering products or services. It can help build your customer base, enhance customer loyalty, and even improve brand recognition.

4. Supports compliance efforts

Security audits are beneficial for businesses looking to take their compliance efforts up a notch. Various data privacy and protection laws are emerging to try and protect consumers and their sensitive information.

For example, the EU’s General Data Protection Regulation can impact your company, especially if it has customers or does business with other organizations in the EU. It can be challenging to keep up with changing regulatory requirements. However, conducting a security audit can help IT teams ensure they’re helping their companies comply with all these rules to avoid fees or penalties.

Protect your business with regular security audits

The cybersecurity landscape is evolving rapidly, with more threats emerging and attacks becoming more sophisticated than ever before. It’s come to the point where hackers leverage advanced technologies such as artificial intelligence to launch automated attacks on enterprises. It’s critical for your business to perform regular security audits to ensure you’re protecting your assets and data. Consider performing audits on a semi-annual basis to offer the best defense against ongoing cybersecurity threats.

The post How often should security audits be? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

“Why are you here if you cannot decrypt our data?” This is how people sometimes react to the arrival of the external incident response team. In this article, I will try to answer this question, but at the same time, I am going to describe the stages of incident response, list the main mistakes that play into the hands of hackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, various companies may interpret it differently. For instance, some companies may consider incidents to include situations such as a power supply failure or a hard drive malfunction, while others may only classify malicious actions as incidents.

In theory, an incident is a moment when some kind of undesirable event occurs. In practice, the definition of an “undesirable event” is determined by each company's own interpretation and perspective.

For one organization, the discovery of a phishing email is what requires investigation. Other companies may not see the point in worrying about such incidents. For instance, they may not be concerned about a phishing email being opened on an employee device in a remote location not connected to the main infrastructure since it poses no immediate threat.

There are also interesting cases here. For example, online traders consider a drop in the speed of interaction with the online exchange by 1% to be a serious incident. In many industries, proper incident response steps and cybersecurity in general, cannot be overestimated. But if we are talking about serious incidents, then most often, these are events related to the penetration of an attacker into the corporate network. This annoys the vast majority of business leaders.

Incident response stages

While the interpretation of certain events as security incidents may vary depending on various factors such as context and threat model, the response steps are often the same. These response steps are primarily based on the old SANS standard, which is widely used by many security professionals.

SANS identifies six stages of incident response:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

It is important to note that the external response team is not immediately involved in this process.

Preparation

Preparation involves properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

• Inventory networks
• Build subnets correctly
• Use correct security controls and tools
• Hire the right people

All this is not directly related to the external response team and, at the same time, affects its work significantly. The response is based on preparatory steps. For example, it relies heavily on the log retention policy.

Each attack has its own dwell time – the time from an attacker entering the network until their activity is detected. If the attack has an extended dwell time (three-four months) and the logs are kept for seven days, it will be much more difficult for the investigation team to find the “entry point.” The required data will no longer be available. If such a situation arises, the response team can take action, but the likelihood of achieving a 100% successful outcome is significantly reduced.

Identification

This stage is entirely based on how well the preparation was done in the first stage. If everything is done correctly, there is a good chance that you will discover something in advance that can potentially lead to an unacceptable event.

Even primitive and basic steps can greatly increase the likelihood of early detection of a cyber threat. By building your own Security Operations Center (SOC) or engaging a capable third-party provider and implementing effective monitoring practices, you can greatly improve your chances of detecting potential security incidents. Careful preparation allows you to detect an attack in its early stages before the attacker has done any harm.

Ideally, the response process should be initiated at this stage. Alas, in practice, there are many cases when the sad consequences of an attack are the only thing due to which the incident is detected. Everything goes along the logical chain: preparation is terrible, detection and analysis fail, and an incident occurs. And the investigation, in this case, turns out to be a non-trivial task.

Containment

This stage is performed in close cooperation between the external response team and the customer. IT personnel often simply reboot computers before the external incident response team arrives. Yes, this is also a containment method, although not the most elegant.

The problem is that this deprives the response team of a lot of important data. And what is more important, it does not always work. Today hackers rarely use just one technique to achieve persistence. They usually employ Remote Desktop Protocol (RDP) for lateral movement, and stopping them is not always easy. Therefore, joint analytics are vital to understand which connection is legitimate and which is not. When the external response team and their customers work together closely, it becomes simpler to understand the situation and develop effective tactics to contain specific threats.

Eradication

At this stage, it is generally expected that the incident response team has already provided the customer with an incident analysis, including malware analysis, indicators of compromise, etc. A thorough process of scanning the network is in progress, followed by the removal of all detected anomalies.

Recovery

At this stage, a consistent and accurate restoration of the customer's IT systems is carried out. It implies not just recovering from backups but also the reactivation and testing of information security tools.

Usually, restoring protections is a fairly simple task. The fact is that attackers, as a rule, act just by bypassing protection mechanisms. They get administrative privileges and, if possible, “turn off” security solutions. Yes, hackers can use malware that interferes with Windows logging or disrupt Critical Event Management, but such cases are relatively rare.

Although not a common occurrence, some attackers may leave bookmarks to enable repeated attacks. It is vital to remain vigilant and check for such bookmarks, even in the case of a seemingly straightforward attack.

Lessons learned

It may seem that the incident response team's main task is to restore everything to its previous state, but this is a simplification. The response team is invited for a different purpose. Its tasks are to understand:

• The attack vector used by the hackers.
• The specific entry point used to gain unauthorized access to the IT systems.
• A detailed timeline of how the attack progressed.
• Identification of potential prevention measures that could have been implemented at different stages.
• Recommendations for addressing the root cause of the incident to prevent future attacks.

The answers help give better recommendations. For example:

• If the attack started with phishing, it is advised to set up an email sandbox, adjust spam filters, and train employees.
• If a vulnerability is to blame, changing the updatepatch and network monitoring procedures is recommended.

Why is the final stage so important? First, most attacks are not very inventive. Actually, they are formulaic. Therefore, you can draw conclusions from one attack and prevent a dozen similar ones.

Second, the hackers usually come back. Here is a real-life example. The IR team identified an entry point, studied that PC, and found that some files were encrypted a year before the incident. It turned out that the customers were aware but did not pay attention to the incident since the first time, it caused almost no damage. As a result, a second attack occurred through the same entry point. This time, hackers spent a little more of their time and encrypted everything and destroyed the entire domain.

Third, without adequate response procedures, it is impossible to enhance security awareness training and incident detection, which serve as the bedrock of a company's security system.

How to improve security

Basic knowledge is important

The basic things you probably already know about are already cool and very useful. Every year, thousands of companies fall victim to attacks due to the most banal reasons. The most common cases are the exploitation of unpatched vulnerabilities. The second common thing is phishing.

So, a significant number of potential security issues can be mitigated by prioritizing effective patch management, maintaining an accurate inventory of infrastructure, and providing staff with training in digital hygiene.

There are a lot of organizations that have already done all the basic things. However, it does not guarantee the complete absence of incidents. They can be recommended to run penetration tests. However, you need to “grow up” to this kind of thing. It makes no sense to conduct penetration testing when only 20% of the infrastructure is covered with Intrusion Detection and Response (IDRIDS) solutions.

Follow trends and industry reports

Numerous security reports and news can tell you what tools and attacks hackers use. This way, you can establish relevant security criteria for your company. The reports often provide specific recommendations on how to protect from a particular attack. One of the best sources for such information is MITRE ATT&CK Matrix.

Do not panic, and do not do rash things

A typical mistake is to reboot all the computers involved in the attack. Yes, there are urgent situations when this is crucial, but, if possible, please make copies of infected machines. This will enable you to preserve evidence for any subsequent investigation.

In general, do not act impulsively. Quite often, upon discovering encrypted files, employees immediately disconnect the power supply. This approach is akin to gambling. Nothing can be guaranteed after that. Yes, the encryption stops, and you can probably save several untouched files. On the other hand, such an abrupt stop corrupts the disc and data affected by the encryption process. Even if the security community comes up with a decryptor or you pay a ransom (which is not recommended), restoring data whose encryption has been interrupted may not be possible.

Contacting the experts

Is it possible to cope with an attack on our own? Yes, if you have well-established procedures. Mitigation efforts can be prioritized. It is not very difficult to protect mobile devices, implement multi-factor authentication, or set efficient patch management procedures. From a financial standpoint, relying on backups and minimizing recovery time can be an acceptable strategy. However, when it is essential to stop the attack promptly, determine the exact nature of the incident, understand who is to blame, and chart an effective course of action – there are no alternatives – call the external response team.

The post Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

In a highly connected, internet-powered world, transactions take place online, in person, and even somewhere in between. Given the frequency of digital information exchange on our devices, including smartphones and smart home gadgets, cybersecurity has never been more important for protecting sensitive customer information. In response, the US Federal Trade Commission has rolled out updated measures to ensure that customers’ details are fully protected. 

Due to supply chain issues and qualified employee shortages, however, the FTC has granted a six-month extension on the original deadline, so businesses and financial institutions now have more time to complete the required changes. This article will look at the updated federal data security measures and how they will impact businesses. 

Updated federal data security measures

In November, the United States Federal Trade Commission announced that it would grant a six-month extension for companies that have yet to update their security measures in compliance with updated FTC standards. 

The new deadline for businesses and financial institutions to implement the required changes will be June 9, 2023. By that point, all businesses must have updated their policies and procedures in keeping with the Financial Data Security Rule, also known as the Safeguards Rule.

Initial changes to the Safeguards Rule

Initially, the Federal Trade Commission approved changes to the Safeguards Rule in October 2021. These changes included updated criteria for financial institutions, providing more specific requirements about which safeguards they must include in their information security programs. 

Some of these updates to the Safeguards Rule were implemented 30 days after the rule was published in the Federal Register, while other specific criteria were on track to be implemented on December 9, 2022. 

Why has the deadline been extended?

The deadline has been extended to June 2023 due to reports presenting compelling arguments for postponing the required implementation. The Small Business Administration’s Office of Advocacy, for example, filed a letter addressed to the FTC. The letter stated that several factors would bar companies from effectively implementing these updated security requirements in the allotted time. 

Between supply chain issues that could cause delays in transporting essential equipment for the requisite security system upgrades, and a widespread shortage of qualified information security experts who could implement the changes on time, the letter from the SBA convincingly spelled out why businesses would need more time to complete the security system upgrades in compliance with FTC rules. 

The global COVID-19 pandemic further exacerbated these issues, making it difficult for small-scale businesses and financial institutions to meet the deadlines. The FTC voted unanimously to approve this deadline extension.

Reasons for FTC data security rule updates

The changes to the Financial Data Security Rule are meant to ensure that financial institutions put sufficient security measures in place to keep their customers’ personal information safe from any hacking attempts. Boosting the data security of financial institutions is vital to strengthening the overall cybersecurity of the country’s interconnected financial networks. 

Given the increasing rates of identity theft and financial fraud attempts, this is an essential form of protection. In 2021, for instance, the FTC encountered almost 390,000 reports of credit card fraud alone, making this the most common type of financial fraud in the United States. Since credit card fraud can often be enacted during unsecured store transactions, the FTC is determined to bolster security measures at every level. 

The FTC Safeguards Rule updates apply to in-person businesses, financial institutions, and online platforms, including the more recent cryptocurrency industry. Since 2009, more than 6,600 distinct cryptocurrencies have been released. With such a sustained influx of different cryptocurrencies, regulations have been slow to catch up in comparison to other trading platforms such as forex or options trading. Now the FTC is working to ensure that online and cryptocurrency transactions are sufficiently secure. 

What does this mean for businesses?

Businesses and financial institutions will need to get busy implementing the necessary changes. For example, companies may need to update their software to remain in compliance with the updated FTC rules. 

This process can take time, as companies will need to search for highly capable technical writers to document the software adjustments. According to Shaun Connell, technical writers and documentation creators must be involved in the software update project from the start. So to meet the June deadline, businesses will need to make this security update a top priority. 

Who does it affect?

Banks are not affected by The Safeguards Rule, but any other non-banking financial institutions, including motor vehicle dealers, payday lenders, and mortgage brokers, will need to update their security protocols by the deadline. 

Depending on the specific institution and its pre-existing security setup, businesses may need to create, enact, and upkeep a strong security system that will protect their customers’ sensitive information, such as financial details, home address, personal preferences, and even name, age, and gender. 

Cybercriminals can use any and all of this information to steal customers’ identities, so setting up a comprehensive security protocol will ensure that customers’ details are safe throughout every transaction.

Specific provisions under the extended deadline

Not all the updated criteria of the Safeguards Rule are affected by this six-month-long extended deadline. The specific provisions that businesses and financial institutions must enact by June 9, 2023, are as follows:

• Appoint a highly qualified individual to oversee the new information security program.
• Encrypt all sensitive information that passes through a business’s servers and systems. 
• Appoint and train security personnel who can manage and oversee the updated security systems and enact any security protocols in case of a cybersecurity breach. 
• Craft an incident response plan so that clear protocols are established. 
• Write a comprehensive risk assessment of their current security system. 
• Enact ongoing monitoring of who has access to sensitive customer details within the company.
• Limit who has access to sensitive customer details within the company. 
• Set up multi-factor authentication for any company member who attempts to access customer data. Or, instead of multi-factor authentication, another authentication system that provides equal protection can be implemented. 
• Conduct periodic assessments of the security practices used by their service providers to ensure added layers of security between businesses as well. 

These measures may require significant lead times to be well-established and running effectively by the June deadline. But once they are set up, they should provide significant additional security for all business-to-customer interactions. 

Government policies to prevent cybersecurity threats

At the core of these required security protocol updates is protection for customers. These necessary government policies have individual consumers’ security in mind and rely on multiple layers of cooperation and adjustment to keep sensitive data safe. Businesses and financial institutions will have to cooperate with the widespread Safeguards Rule implementation to fulfill federal trade commission standards designed to prevent cybersecurity threats from taking effect.

The post FTC extends deadline by six months for compliance with some changes to financial data security rules appeared first on Cybersecurity Insiders.

Firewall optimization (also known as firewall analysis) is the process of analyzing and adjusting the configuration and policy set of a firewall to improve performance and security. This process involves reviewing and corelating log data and device configurations, identifying potential vulnerabilities and weaknesses, and providing recommendations for remediation. Performing these processes is complex, which is why tools like firewall analyzers are useful. They offer automation, visualization, and alerting to provide recommendations that can be used to reduce the risk of attack.

What is the business impact of firewall optimization?

Firewall optimization is important because it can help organizations improve their overall security, performance, and compliance, while also reducing costs and improving decision-making. This can ultimately contribute to better overall business performance. Firewall optimization can have a positive impact on a business's overall network security and performance.

Some of the key benefits include:

• Improved security: Analyze configurations and log data to identify potential vulnerabilities and threats in the network and provide recommendations for remediation. This can help to reduce the risk of successful cyber-attacks and data breaches.
• Better performance: Improve overall network performance by identifying and addressing bottlenecks and inefficiencies in the firewall configuration. This can result in faster network speeds, more reliable connectivity, and better overall performance.
• Compliance: Comply with relevant regulations and standards, such as PCI DSS and HIPAA, by providing regular compliance reports and identifying potential compliance issues.
• Cost savings: By identifying and addressing inefficiencies and bottlenecks in the firewall configuration, firewall optimization can also help reduce costs associated with network maintenance and troubleshooting.
• Improved decision-making: Have a better understanding of the network security posture and the capabilities of the firewall. This allows organizations to make more informed decisions about their security strategy, and to better allocate resources for security initiatives.

How is firewall optimization different from firewall management?

Firewall optimization uses software tools like a firewall analyzer to find weaknesses and vulnerabilities in network attached devices. The inspection includes analyzing configurations and log data from security devices, such as firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).

The primary features of a firewall optimization include:

• Log analysis: Review log data to understand utilization trends over time and recommend ways to enhance the performance of the firewall without compromising security.
• Configuration analysis and compliance reporting: Review running configurations of firewall devices regularly and include features for generating reports that show compliance with relevant regulations and standards, such as PCI DSS and HIPAA.
• Security analytics: Analytics capabilities allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Alerting: Alerting features that notify users when potential threats or vulnerabilities are detected.
• Integration with other tools: Some firewall analyzers can be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.
• Multi-vendor support: Firewall analyzers can support multiple firewall platforms. This can be useful when migrating from one firewall platform to another, to help clean the ruleset of any vulnerabilities and test configurations prior to deployment.

A firewall management platform, on the other hand, is a comprehensive tool that helps organizations to manage, configure, and monitor their firewalls. It includes features like firewall policy management, threat detection and management, asset discovery, and security analytics. The primary features of a firewall management platform include:

• Policy management: Allows users to create and manage firewall policies, which define the rules for allowing or blocking network traffic.
• Asset discovery: Discover and inventory assets on a network, including servers, workstations, and other network attached devices.
• Security analytics: Analytics capabilities that allow users to visualize and analyze data from firewalls. This can help to identify trends and patterns that may indicate potential security threats.
• Monitoring: Monitor network traffic and alerting users when potential threats or vulnerabilities are detected.
• Integration with other tools: In addition to firewall analyzers, some firewall management platforms can be integrated with other security tools, such as a Security Incident and Event Manager (SIEM) to provide a more comprehensive view of an organization's security posture.

One of the main differences between firewall optimization and the firewall management platform is the scope of their capabilities. Firewall optimization is focused on the performance and configuration of the firewall, by analyzing the running configuration and log data from firewalls, even in environments with multiple vendor firewalls.

Another difference is the level of control on a device that the tools provide. A firewall analyzer provides insights, recommendations, application traffic flows, and may even have device configuration and management capabilities. A firewall management platform, on the other hand, provides granular control over firewalls, including the ability to create and manage firewall policies and to monitor network traffic.

How does firewall optimization work?

Firewall optimization uses a firewall analyzer tool to provide visibility into the security posture of a network by identifying potential threats and vulnerabilities, and by providing recommendations for remediation.

The process of firewall analysis typically involves the following steps:

• Data collection: The firewall analyzer collects log data and device configurations from the security devices on the network. This data may include information on network traffic, firewall rules, and security events.
• Data analysis: The firewall analyzer then analyzes the collected data to identify potential vulnerabilities and threats in the network. This may include identifying open ports, misconfigured firewall rules, or unusual network traffic patterns.
• Reporting and visualization: The firewall analyzer generates reports and visualizations that provide a detailed overview of the network's security posture. These reports may include information on compliance with relevant regulations and standards, as well as recommendations for remediation.
• Alerting: The firewall analyzer may also include alerting features that notify security teams when potential threats or vulnerabilities are detected.

Some firewall analyzers can also be integrated with other security tools, such as vulnerability scanners or intrusion detection systems, to provide a more comprehensive view of an organization's security posture.

Firewall optimization best practices

It is not uncommon for organizations to question if both a firewall analyzer and firewall management platform are necessary for improved network security. Firewall analyzers provide a strategic and operational view of the network security environment across multiple vendors. This contrasts with the firewall management platform’s operational and tactical capabilities which are vendor specific.

In addition, firewall analyzers can provide value for non-operational roles in an organization, such as auditors. Auditors can collect the information they need without having to access the firewall management platform directly or involve the operations teams who administer the platform.

Conclusion

Overall, firewall optimization using firewall analyzer tools and firewall management platforms are important for the network’s health and security. While they serve different purposes, they also complement each other with their unique capabilities. Organizations that need visibility into the performance of the network along with recommendations for improving the firewall security should consider a firewall optimization strategy that incorporates both capabilities.

AT&T Cybersecurity Consulting has more than 20 years of experience increasing network security and performance using its firewall optimization programs. Learn more about the benefits and best practices of implementing a firewall optimization strategy that incorporates both firewall analyzer tools and firewall management platforms. Contact us today to get started.

The post What is firewall optimization? appeared first on Cybersecurity Insiders.

AT&T Alien Labs researchers have discovered a new variant of BlackGuard stealer in the wild, infecting using spear phishing attacks. The malware evolved since its previous variant and now arrives with new capabilities.

Key takeaways:

• BlackGuard steals user sensitive information from a wide range of applications and browsers.
• The malware can hijack crypto wallets copied to clipboard.
• The new variant is trying to propagate through removable media and shared devices.

Background

BlackGuard stealer is malware as a service sold in underground forums and Telegram since 2021, when a Russian user posted information about a new malware called BlackGuard. It was offered for $700 lifetime or $200 monthly, claiming it can collect information from a wide range of applications and browsers.

In November 2022, an update for BlackGuard was announced in Telegram by its developer. Along with the new features, the malware author suggests free help with installing the command & control panel (Figure 1)

Figure 1. Announcement of new malware version in its Telegram channel.

Analysis

When executed, BlackGuard first checks if another instance is running by creating a Mutex.

Then to ensure it will survive a system reboot, the malware adds itself to the “Run” registry key. The malware also checks if it's running in debugger mode by checking TickCount and checking if the current user belongs to a specific list to determine whether it is running in a malware sandbox environment. (Figure 2)

Figure 2. Malware will avoid execution if running under specific user names.

Now all is ready for stealing the user’s sensitive data. It collects all stolen information in a folder where each piece of data is stored in a specific folder, such as Browsers, Files, Telegram, etc. (Figure 3)

Figure 3. BlackGuard main folder with stolen data divided into folders.

When it finishes collecting sensitive data, the malware will zip the main folder using the password “xNET3301LIVE” and send it to its command & control. (Figure 4)

Figure 4. Zipping exfiltrated data with password and uploading to command & control.

Browser stealth

Along with collecting cookies, history and downloads of different browsers, BlackGuard also looks for the existence of special files and folders of different browsers. (This includes “Login Data”, AutoFill, History and Downloads. (Figure 5)

 

Figure 5. Collecting browser information.

Below is the list of browsers BlackGuard is looking for:

Chromium	Chrome	ChromePlus
Iridium	7Star	CentBrowser
Chedot	Vivaldi	Kometa
Elements Browser	Epic Privacy Browser	uCozMedia
Sleipnir5	Citrio	Coowon
liebao	QIP Surf	Orbitum
Comodo Dragon	Amigo	Torch
Comodo	360Browser	Maxthon3
K-Melon	Sputnik	Nichrome
CocCoc	Uran	Chromodo
Opera	Brave-Browser	Edge
Edge Beta	OperaGX	CryptoTab browser

 

In addition, the malware steals Chrome, Edge, and Edge Beta browsers’ crypto currency addons data. It supports the addons listed below by looking for their hardcoded installation folder path in “MicrosoftEdgeUser DataDefaultLocal Extension Settings”. For example, the specific folder for “Terra Stations” is “ajkhoeiiokighlmdnlakpjfoobnjinie”. BlackGuard looks for Edge/EdgeBeta addons listed below:

Auvitas	Math	Metamask
MTV	Rabet	Ronin
Yoroi	Zilpay	Exodus
Terra Station	Jaxx

 

For Chrome it looks for those addons:

Binance	Bitapp	Coin98
Equal	Guild	Iconex
Math	Mobox	Phantom
Tron	XinPay	Ton
Metamask	Sollet	Slope
Starcoin	Swash	Finnie
Keplr	Crocobit	Oxygen
Nifty	Keplr	Forbole X
Slope Wallet	Nabox Wallet	ONTO Wallet
Goby	FINX	Ale
Sender Wallet	Leap Wallet	Infinity Wallet
Zecrey	Maiar Wallet	Flint Wallet
Liquality

 

Cryptocurrency

The malware also steals cryptocurrency wallets. It copies the wallet directory for each of the following crypto wallets below and sends them to its command & control.

Zcash	Armory	Jaxx Liberty
Exodus	Ethereum	Electrum
Atomic	Guarda	Zap
Binance	Atomic	Frame
Solar wallet	Token Pocket	Infinity

 

It will also query the registry for the installation path of “Dash” and “Litecoin” keys and do the same.

Messaging and gaming applications:

BlackGuard supports the stealing of a wide range of messaging applications. For some of the applications such as Telegram, Discord and Pidgin, the malware has a specific handler for each. For example, for Discord, it copies all data for the following folders in the Application Data folder which stored the Discord tokens: “DiscordLocal Storageleveldb”, “Discord PTBLocal Storageleveldb”, “Discord Canaryleveldb”. In addition, it copies all strings in files with the extension of “.txt” and “.ldb” if they match Discord’s token regular expression. (Figure 6)

Figure 6. Stealing Discord’s tokens and data.

Below is the list of messaging applications the malware looking to steal sensitive information from:

Discord	Telegram	Tox
Element	Miranda NG	Signal
Adamant-IM	Wire	WhatsApp
Vipole	Proxifier	Steam
Pdgin	Battlet net

 

Outlook, FTP, VPN, and other applications

BlackGuard steals login data and other sensitive information from additional communication programs. For email applications, the malware queries specific Outlook registry keys under the CURRENT_USER hive to extract user, password and server information. (Figure 7)

Figure 7. Exfiltration of Outlook stored information.

The malware also handles different FTP and VPN applications to extract stored users and passwords. For example, for NordVPN, the malware will search the application’s folder and if found, it parses all user.config files to extract the users and passwords. (Figure 8)

Figure 8. Exfiltrating NordVPN information.

In addition to Outlook and NordVPN, BlackGuard also steals information from WinSCP, FileZilla, OpenVPN, ProtonVPN and Total Commander.

Other data collected      

Additionally, the malware also collects information from the machine such as anti-virus software installed on the machine, external IP address, localization, file system information, OS and more.

New BlackGuard features

Crypto wallet hijacking

In addition to stealing crypto wallets saved/installed on the infected machine, BlackGuard is hijacking cryptocurrency addresses copied to clipboard (such as CTRL+C) and replacing them with the threat actor’s address. This can cause a victim to send crypto assets to the attacker without noticing it when trying to transfer/pay to other wallets. This is done by tracking any content copied to the clipboard and matching it to relative different crypto wallets’ regex. (Figure 9)

Figure 9. Specific regex to search in clipboard for listed coins.

Once there is a match, the malware will query its command and control for the alternative wallet and replace it in the clipboard instead of the one that was copied by the user. The malware supports stealing the popular crypto assets below:

BTC (Bitcoin)	ETH (Ethereum)	XMR (Monero)
XLM (Stellar)	XRP (Ripple)	LTC (Litecoin)
NEC (Nectar)	BCH (Bitcoin Cash)	DASH

 

Propagate through shared / removable devices

Although this feature was limited since Windows 7 to be used only for CDROM, the malware copies itself to each available drive with an “autorun.inf” file that points to the malware to execute it automatically. This includes removable and shared devices. For example, if a USB device is connected to an old version of Windows, the malware will be executed automatically and infect the machine. (Figure 10)

Figure 10. Propagate to all available drives.

Download and execute additional malware with process injection

The new variant of BlackGuard downloads and executes additional malware from its command & control. The newly downloaded malware is injected and executed using the “Process Hollowing” method. With that the malware will be running under legitimate/whitelisted processes and can make more detection more difficult. (Figure 11)

Figure 11. Download and execute additional malware using process injection.

The targeted process is RuntimeDirectory folder, RegASM.exe (C:WindowsMicrosoft.NETFramework64runtime_versionRegAsm.exe)

Massive malware duplication

The malware copies itself to every folder in C: drive recursively, each folder the malware generates a random name to be copied to. This feature is not common for malware, and this is mostly annoying, as the malware gains no advantage from that.

Persistence
The malware added persistence to survive system reboot by adding itself under the “Run” registry key. (Figure 12)

Figure 12. Setting registry persistence.

Documents – stealth activity

The malware searches and sends to its command and control all documents end with extensions “.txt”, “.config”, “.docx”, “.doc”, “.rdp” in the user folders (including sub directories): “Desktop”, “My Documents”, UserProfile folder.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035716: ET TROJAN BlackGuard_v2 Data Exfiltration Observed

2035398: ET TROJAN MSIL/BlackGuard Stealer Exfil Activity

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
IP ADDRESS	http://23[.]83.114.131	Malware command & control
SHA256	88e9780ce5cac572013aebdd99d154fa0b61db12faffeff6f29f9d2800c915b3	Malware hash

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access
  • T1091: Replication Through Removable Media
• TA0002: Execution
  • T1106: Native API
  • T1047: Windows Management Instrumentation
• TA0003: Persistence
  • T1547.001: Registry Run Keys / Startup Folder
• TA0005: Defense Evasion
  • T1027: Obfuscated Files or Information
• TA0006: Credential Access
  • T1003: OS Credential Dumping
  • T1539: Steal Web Session Cookie
  • T1528: Steal Application Access Token
  • T1552: Unsecured Credentials
    • .001: Credentials In Files
    • .002: Credentials In Files
• TA0007: Discovery
  • T1010: Application Window Discovery
  • T1622: Debugger Evasion
  • T1083: File and Directory Discovery
  • T1057: Process Discovery
  • T1012: Query Registry
  • T1082: System Information Discovery
  • T1497: Virtualization/Sandbox Evasion
• TA0008: Lateral Movement
  • T1091: Replication Through Removable Media
• TA0009: Collection
  • T1115: Clipboard Data
  • T1213: Data from Information Repositories
  • T1005: Data from Local System
• TA0011: Command and Control
  • T1071: Application Layer Protocol
  • T1105: Ingress Tool Transfer
• TA0010: Exfiltration
  • T1020: Automated Exfiltration

The post BlackGuard stealer extends its capabilities in new variant appeared first on Cybersecurity Insiders.