Category: Detect

As cybersecurity becomes increasingly complex, having a centralized team of experts driving continuous innovation and improvement in their Zero Trust journey is invaluable. A Zero Trust Center of Excellence (CoE) can serve as the hub of expertise, driving the organization’s strategy in its focus area, standardizing best practices, fostering innovation, and providing training. It can also help organizations adapt to changes in the cybersecurity landscape, such as new regulations or technologies, ensuring they remain resilient and secure in the face of future challenges. The Zero Trust CoE also ensures that organization’s stay up-to-date with the latest security trends, technologies, and threats, while constantly applying and implementing the most effective security measures.

Zero Trust is a security concept that continues to evolve but is centered on the belief that organizations should not automatically trust anything inside or outside of their perimeters. Instead, organizations must verify and grant access to anything and everything trying to connect to their systems and data. This can be achieved through a unified strategy and approach by centralizing the organization’s Zero Trust initiatives into a CoE. Below are some of the benefits realized through a Zero Trust CoE.

A critical aspect of managing a Zero Trust CoE effectively is the use of Key Performance Indicators (KPIs). KPIs are quantifiable measurements that reflect the performance of an organization in achieving its objectives. In the context of a Zero Trust CoE, KPIs can help measure the effectiveness of the organization’s Zero Trust initiatives, providing valuable insights that can guide decision-making and strategy.

Creating a Zero Trust CoE involves identifying the key roles and responsibilities that will drive the organization’s Zero Trust initiatives. This typically includes a leadership team, a Zero Trust architecture team, a engineering team, a policy and compliance team, an education and training team, and a research and development team. These teams will need to be organized to support the cross-functional collaboration necessary for enhancing productivity.

A Zero Trust CoE should be organized in a way that aligns with the organization’s overall strategy and goals, while also ensuring effective collaboration and communication. AT&T Cybersecurity consultants can also provide valuable leadership and deep technical guidance for each of the teams. Below is an approach to structuring the different members of the CoE team:

• Leadership team: This team is responsible for setting the strategic direction of the CoE. It typically includes senior executives and leaders from various departments, such as IT, security, and business operations.
   
• Zero Trust architects: This individual or team is responsible for designing and implementing the Zero Trust architecture within the organization. They work closely with the leadership team to ensure that the architecture aligns with the organization’s strategic goals.
   
• Engineering team: This team is responsible for the technical implementation of the Zero Trust strategy. This includes network engineers, security analysts, and other IT professionals.
   
• Policy and compliance team: This team is responsible for developing and enforcing policies related to Zero Trust. They also ensure that the organization follows compliance with relevant regulations and standards.
   
• Education and training team: This team is responsible for educating and training staff members about Zero Trust principles and practices. They develop training materials, conduct workshops, and provide ongoing support.
   
• Research and lab team: This team stays abreast of the latest developments in Zero Trust and explores new technologies and approaches that could enhance the organization’s Zero Trust capabilities. AT&T Cybersecurity consultants, with their finger on the pulse of the latest trends and developments, can provide valuable insights to this team.

Each of these teams should have its own set of KPIs that align with the organization’s overall business goals. For example, the KPIs for the ‘Engineering Team’ could include the number of systems that have been migrated to the Zero Trust architecture, while the KPIs for the ‘Policy and Compliance Team’ could include the percentage of staff members who comply with the organization’s Zero Trust policies.

Monitoring and evaluating these KPIs regularly is crucial for ensuring the effectiveness of the CoE. This should be done at least quarterly but could be done more frequently depending on the specific KPI and the dynamics of the organization and the cybersecurity landscape. The results of this monitoring and evaluation should be used to adjust the CoE’s activities and strategies as needed.

There are challenges associated with monitoring and evaluating KPIs. It can be time-consuming and require specialized skills and tools. Additionally, it can be difficult to determine the cause of changes in KPIs, and there can be a lag between changes in activities and changes in KPIs. To overcome these challenges, it’s important to have clear processes and responsibilities for monitoring and evaluating KPIs, to use appropriate tools and techniques, and to be patient and persistent.

While the CoE offers many benefits, it can also present challenges. Without leadership and oversight, it can become resource-intensive, create silos, slow down decision-making, and be resistant to change. To overcome these challenges, it’s important to ensure that the CoE is aligned with the organization’s overall strategy and goals, promotes collaboration and communication, and remains flexible and adaptable. AT&T Cybersecurity consultants, with their deep expertise and broad perspective, can provide valuable leadership in each of these areas. They can help consolidate expertise, develop and enforce standards, drive innovation, and provide education and training.

The CoE should drive Zero Trust related projects, such as developing a Zero Trust Architecture that includes components such as Zero Trust Network Access (ZTNA), a capability of Secure Access Service Edge (SASE). The CoE can provide the expertise, resources, and guidance needed to successfully implement these types of projects. Implementing ZTNA requires a structured, multi-phased project that would have a plan similar to the following:

• Project initiation: Develop a project plan with timelines, resources, and budget. Identify the scope, objectives, and deliverables as well as the key stakeholders and project team members.
   
• Assessment and planning: Develop a detailed plan for implementing ZTNA. Conduct a thorough assessment of the current network infrastructure and security environment looking for vulnerabilities and areas of improvement.
   
• Design and develop: Design the ZTNA architecture, taking into account the organization’s specific needs and constraints. Create test plans to be used in the lab, pilot sites, and during deployment.
   
• Implementation: Deploy and monitor the ZTNA program in a phased manner, starting with less critical systems and gradually expanding to more critical ones.
   
• Education and training: Develop and distribute user guides and other training materials. Conduct training sessions on how to use the new system.
   
• Monitoring: Continuously monitor the performance of the platform, report on the assigned KPIs, and conduct regular audits to identify areas for improvement.
   
• Maintenance and support: Regularly update and improve the solution based on feedback and technical innovations. Provide ongoing technical support for users of the ZTNA platform.

Throughout the ZTNA implementation, the Zero Trust CoE plays a central role in coordinating activities, providing expertise, and ensuring alignment with the organization’s overall Zero Trust strategy. The CoE is responsible for communicating with stakeholders, managing risk, and ensuring the project stays on track and achieves the stated objectives.

In conclusion, a Zero Trust Center of Excellence is a powerful tool that can help organizations enhance their cybersecurity posture, stay ahead of evolving threats, and drive continuous improvement in their Zero Trust initiatives. By centralizing expertise, standardizing practices, fostering innovation, and providing education and training, a Zero Trust CoE can provide a strategic, coordinated approach to managing Zero Trust initiatives.

As cyber threats continue to evolve, the importance and potential of a Zero Trust CoE, led by AT&T cybersecurity consultants, will only increase. Contact AT&T Cybersecurity for more information on the Zero Trust journey and how to establish a Center of Excellence.

The post Leveraging AT&T Cybersecurity Consulting for a robust Zero Trust Center of Excellence appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company.

Planning and design

Start by carefully planning and designing. Analyze your organization’s requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization’s compliance standards and security guidelines.

Installing Windows Server 2019

Install Windows Server 2019 on a dedicated system that satisfies the system minimums. Use the most recent Windows Server 2019 ISO and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot if it is supported in the BIOS/UEFI settings for hardware security.

Choose the right deployment type

Select the domain controller (DC) installation as the Active Directory deployment type. By doing this, you can be confident that your server is a dedicated domain controller overseeing your domain’s directory services, authentication, and security policies.

Install Active Directory Domain Services (AD DS) role

Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller.

Choose an appropriate Forest Functional Level (FFL)

Select the highest Forest Functional Level (FFL) compatible with your domain controllers. This enables access to the most recent AD features and security upgrades. Examine the FFL specifications and confirm that every domain controller currently in use can support the selected level.

Secure DNS configuration

AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by:

a. Using Active Directory Integrated Zones for DNS storage, enabling secure updates and zone replication through AD.

b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing.

c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data.

d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging.

Use strong authentication protocols

Configure Active Directory to use strong authentication protocols such as Kerberos. To stop credential-based attacks, disable older, less secure protocols like NTLM and LM hashes. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication.

Securing administrative accounts

Safeguard administrative accounts by:

a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently.

b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft.

c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only.

d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed.

Applying group policies

Leverage Group Policy Objects (GPOs) to enforce security settings and standards across your Active Directory domain. Implement password policies, account lockout policies, and other security-related configurations to improve the overall security posture.

Protecting domain controllers

Domain controllers are the backbone of Active Directory. Safeguard them by:

a. Isolating domain controllers in a separate network segment or VLAN to minimize the attack surface and prevent lateral movement.

b. Enabling BitLocker Drive Encryption on the system volume of the domain controller to safeguard critical data from physical theft or unauthorized access.

c. Setting up Windows Firewall rules to restrict inbound traffic to critical AD services and thwart potential dangers.

d. Performing regular domain controller backups and securely storing those backups to protect data integrity and speed up disaster recovery. Create system state backups using the Windows Server Backup feature, and for redundancy, think about using off-site storage.

Monitor and audit

Implement a robust monitoring and auditing system to detect potential security breaches and unauthorized access. Employ Security Information and Event Management (SIEM) solutions for thorough threat monitoring, set up real-time alerts for crucial security events, and use Windows Event Forwarding to centralize log data for analysis.

Perform regular backups

Create regular system state backups of Active Directory to ensure data integrity and quick recovery in case of data loss or disaster. Periodically test the restoration procedure to confirm its efficacy and guarantee that backups are safely kept off-site.

Conclusion

By following this technical guide, you can confidently and securely implement Active Directory on Windows Server 2019, ensuring your organization has a robust, dependable, highly secure Active Directory environment that safeguards valuable assets and sensitive data from the constantly changing threat landscape. Always remember that security is a continuous process, and maintaining a resilient AD infrastructure requires staying current with the latest security measures.

The post Securely implementing Active Directory on Windows Server 2019 appeared first on Cybersecurity Insiders.

The Securities and Exchange Commission (SEC) has introduced a new rule for public companies that requires them to be more transparent about cybersecurity incidents. The new rule requires companies to disclose any material cybersecurity incidents within four business days of that determination. The disclosure should describe the material aspects of the incident, including the nature of the incident, the impact on the company, and the company’s response.

The SEC’s proposed rules include written cybersecurity policies and procedures, IT risk assessments, user security, and access controls, threat and vulnerability management, incident response and recovery plans, board oversight, recordkeeping, and cybersecurity incident reporting and disclosures.

To help CISOs incorporate this requirement seamlessly into their existing incident response plan, here are some actionable tips:

Revisit your incident response plan: An incident response plan is a structured approach that outlines the steps you’ll take during a security breach or other unexpected event. Your business may be unprepared for a security incident without a response plan. An effective plan helps you identify and contain threats quickly, protect sensitive information, minimize downtime, and lessen the financial impact of an attack or other unexpected event.

Update the notification procedure and proactive planning for notification: Craft a well-defined notification procedure outlining the steps to comply with the SEC’s requirement. Assign roles and responsibilities for crafting, approving, and forwarding notifications to relevant parties. Develop communication templates with pre-approved content, leaving room for incident-specific details to be filled in during a crisis.

Material incident identification and impact: Define the criteria for determining materiality, including financial, reputational, and operational implications. This step is critical in meeting the tight four-day reporting deadline.

Data protection and disclosure balance: Develop protocols to protect confidential information during public disclosures and collaborate closely with legal counsel to ensure compliance with disclosure regulations.

Regular plan reviews and third-party assessments: Regularly update your incident response plan to stay abreast of evolving threats and compliance requirements. Engage external cybersecurity experts to conduct thorough assessments, identifying gaps and potential vulnerabilities that need immediate attention.

Conduct tabletop exercises: Organize tabletop exercises that simulate real-world cybersecurity incidents. Ensure these exercises involve the business aspect, focusing on decision-making, communications, and incident impact assessment. These drills will sharpen your team’s skills and enhance preparedness for the new 4-day deadline.

Foster a culture of cybersecurity awareness: Cultivate a company-wide culture that prioritizes cybersecurity awareness and incident reporting. Encourage employees to report potential threats promptly, empowering your team to respond swiftly to mitigate risks.

To determine your readiness posture, ask yourself the following questions:

Incident reporting and management questions

• What is your process for reporting cybersecurity incidents?
• How can you effectively determine the materiality of a breach or attack?
• Are your processes for determining materiality thoroughly documented?
• Have you determined the right level of information to disclose?
• Can you report within four days?
• How will you comply with the requirement to report related occurrences that qualify as “material”?

Incident management policies and procedures

• Are your organization’s policies and procedures, risk assessments, controls, and controls monitoring strong enough to disclose publicly?
• Are your policies and procedures aligned with the specifications in at least one recognized industry framework? Are they updated regularly? Does everyone in the organization know what they are and how they are responsible for following them? Are they well-enforced?

Governance and risk management

• Is your risk assessment robust, and is it applied throughout the organization, focusing on top risks to the business?
• How often do you do risk assessments? Are assessment results incorporated into your enterprise cyber strategy, risk management program, and capital allocations?
• Have you engaged a third party to assess your cybersecurity program?

Board and leadership awareness

• How does your organization monitor the effectiveness of its risk mitigation activities and controls? How mature are your capabilities, as evaluated against an industry framework?
• How are leadership and the board informed about the effectiveness of these controls?
• Are your C-level executives getting the information needed to oversee cybersecurity at the board level?

Conclusion

In conclusion, the new SEC rule for public companies and cybersecurity incidents requires companies to be more transparent about material cybersecurity incidents. To comply with this requirement, companies should revisit their incident response plan, update their notification procedure, conduct material incident identification and impact assessments, develop protocols for data protection and disclosure balance, conduct regular plan reviews and third-party assessments, conduct tabletop exercises, and foster a culture of cybersecurity awareness. By asking the right questions and taking the necessary steps, companies can ensure they are ready to comply with the SEC’s new cybersecurity incident disclosure rule.

The post The SEC demands more transparency about Cybersecurity incidents in public companies appeared first on Cybersecurity Insiders.

Today, SC Media announced the winners of its annual cybersecurity awards for excellence and achievements.

At AT&T Cybersecurity we are thrilled that AT&T Alien Labs was awarded Best Threat Intelligence in this prestigious competition. The Alien Labs team works closely with the Open Threat Exchange (OTX), an open and free platform that lets security professionals easily share, research, and validate the latest threats, trends and techniques.

With more than 200,000 global security and IT professionals submitting data daily, OTX has become one of the world’s largest open threat intelligence communities. It offers context and details on threats, including threat actors, organizations and industries targeted, and related indicators of compromise.

The full list of winners is here.

The post AT&T Cybersecurity wins SC Media Award for Best Threat Intelligence appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Memory forensics plays a crucial role in digital investigations, allowing forensic analysts to extract valuable information from a computer’s volatile memory. Two popular tools in this field are Volatility Workbench and Volatility Framework. This article aims to compare and explore these tools, highlighting their features and differences to help investigators choose the right one for their needs.

Volatility Workbench, a powerful tool built on the Volatility Framework, is specifically designed to simplify and enhance the process of memory forensics. This article explores the capabilities of Volatility Workbench, highlighting its importance in uncovering critical evidence and facilitating comprehensive memory analysis.

Understanding Volatility Framework:

Volatility Framework is a robust tool used for memory analysis. It operates through a command-line interface and offers a wide range of commands and plugins. It enables investigators to extract essential data from memory dumps – including running processes, network connections, and passwords. However, it requires technical expertise to utilize effectively.

Volatility introduced people to the power of analyzing the runtime state of a system using the data found in volatile storage (RAM). It also provided a cross-platform, modular, and extensible platform to encourage further work into this exciting area of research. Volatility framework can be downloaded here. The Volatility Foundation provides these tools.

Introducing Volatility Workbench:

Volatility Workbench is a user-friendly graphical interface built on the Volatility Framework. It simplifies memory analysis by providing a visual interface that is more accessible, even for users with limited command-line experience. With Volatility Workbench, investigators can perform memory analysis tasks without the need for extensive command-line knowledge. Volatility Workbench can be downloaded here.

One of the key advantages of Volatility Workbench is its user-friendly interface, designed to simplify the complex process of memory forensics. With its graphical interface, investigators can navigate through various analysis options and settings effortlessly. The tool presents information in a visually appealing manner – with graphs, charts, and timelines, making it easier to interpret and draw insights from extracted data.

The initial interface when the Volatility Workbench is started looks like this:

 

The Volatility Workbench offers options to browse and select memory dump files in formats such as *.bin, *.raw, *.dmp, and *.mem. Once a memory dump file is chosen, the next step is to select the platform or operating system that the system being analyzed is using.

Once the memory image file and platform is selected, click on Get Process List in Volatility Workbench.

It will begin memory scanning. After that, you can use the multiple option in the command tab by selecting a valid command. The description of the command will be available in the dialog box on the side pane.

When the Get Process list is finished, the interface will like this:

Now we can select the command we want to use – let’s try using the command drop down menu.

Voila, we have commands available for analyzing the Windows memory dump.

Let’s try a command which lists process memory ranges that potentially contain injected code.

As seen in image above you can see the command as well as its description. You also have an option to select specific process IDs from the dropdown menu for the processes associated with the findings.

Let’s use the Malfind command to list process memory ranges that potentially contain injected code. It will take some time to process.

The analysis of the Malfind output requires a combination of technical skills, knowledge of malware behavior, and understanding of memory forensics. Continuously updating your knowledge in these areas and leveraging available resources can enhance your ability to effectively analyze the output and identify potential threats within memory dumps.

Look for process names associated with the identified memory regions. Determine if they are familiar or potentially malicious. Cross-reference them with known processes or conduct further research if necessary.

Some of the features of Volatility Workbench:

• It streamlines memory forensics workflow by automating tasks and providing pre-configured settings.
• It offers comprehensive analysis capabilities, including examining processes, network connections, and recovering artifacts.
• It seamlessly integrates with plugins for additional analysis options and features.
• It lets you generate comprehensive reports for documentation and collaboration.

Conclusion

By leveraging the capabilities of the underlying Volatility Framework, Volatility Workbench provides a streamlined workflow, comprehensive analysis options, and flexibility through plugin integration. With its user-friendly interface, investigators can efficiently extract valuable evidence from memory dumps, uncover hidden activities, and contribute to successful digital investigations. Volatility Workbench is an indispensable tool in the field of memory forensics, enabling investigators to unravel the secrets stored within a computer’s volatile memory.

The post Volatility Workbench: Empowering memory forensics investigations appeared first on Cybersecurity Insiders.

Cybersecurity as a competitive advantage

The economy is on the minds of business leaders. C-suites recognize survival depends upon the ability to safeguard systems and information. They must redesign for resilience, mitigate risk, strategically deploy assets and investments, and assign accountability. Do more with Less is the ongoing mantra across industries in technology and cyberspace.

As senior leaders revisit their growth strategies, it’s an excellent time to assess where they are on the cyber-risk spectrum and how significant the complexity costs have become. Although these will vary across business units, industries, and geographies, now for cyber, there is a new delivery model with the pay-as-you-go and use what you need from a cyber talent pool availability with the tools and platform that enable simplification.

Enter the Cybersecurity as a Service consumption model

CSaaS, or Cybersecurity-as-a-service, is a subscription-based approach to cybersecurity that offers organizations cybersecurity protection on demand. It is a pay-as-you-go model with a third-party vendor, where services can vary and be tailored to the organization’s needs. These services can include threat monitoring, compliance with industry standards, employee training, and penetration testing, which simulates an attack on the network.

One of the main advantages of CSaaS is that it takes the burden off the business to maintain a cybersecurity team, which can be challenging to hire today. It also allows organizations to scale as their business grows without needing to keep recruiting and hiring cybersecurity professionals.

Not all CSaaS vendors are created equal

When choosing a CSaaS vendor, several factors must be considered to ensure that you select the right one for your business. These factors include:

• Technical expertise and depth of services: Look for a vendor offering a comprehensive range of cybersecurity services beyond penetration testing.
• The reputation of the CSaaS: Check if the vendor has experience in your industry and if they have customers like your business. Also, ensure that they are financially stable.
• Size of the CSaaS: Make sure that the vendor can scale with your business needs as you grow.
• Terms and conditions of the relationship: Read the small print to understand all the details in various scenarios. Understand their policies and procedures.
• Cost and fee structure: Ensure that the vendor’s pricing model is transparent and that there are no hidden costs.
• Tools and technology: Make sure the vendor’s technology is solid, and they use the latest tools to provide cybersecurity services.
• Support: Check if the vendor can support your business 24×7, mainly if you operate in multiple time zones.
• Regulatory compliance: Ensure the vendor can meet the regulatory compliance you need in your industry.
• Considering these factors, you can choose a CSaaS vendor that meets your business needs and provides cybersecurity protection to keep your business safe from cyber threats.

Assess your unique cybersecurity needs

Different industries are at varying stages of maturity with digital transformation, and within each sector, some organizations have progressed much quicker than others. Therefore, it is vital to assess your organization’s specific cybersecurity requirements as it continues along the digital transformation path. That means it has never been more critical to work with a provider that suits your particular needs but can also cover a wide range of use cases.  

For more information on the Cybersecurity-as-a-Service, check out the latest eBook written by an analyst from Enterprise Strategy Group showcasing the importance behind these subscription-based solutions and how working with a security provider like AT&T to help organizations achieve their security objectives and enable to innovate faster.

The post Is Cybersecurity as a Service (CSaaS) the answer: Move faster | Do more appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

What exactly is resilience? According to the U.S. National Institute of Standards and Technology, the goal of cyber resilience is to “enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” In other words, when you’re at odds with cybercriminals and nation-state actors, can you still get your job done? If not, how quickly can you get back up and running? In this article, we outline steps to ensure that if your cloud networks fail, your business won’t fail along with them.

Take stock of what you can’t (and can) live without

Being resilient during and post-cyber-attack means being able to continue business operations either leanly or back to full throttle soon after. While resources are being pooled to respond and recover from an incident, what data must be protected and what operations must go on?

Data that must be protected include those defined by regulation (e.g., personal identifiable information), intellectual property, and financial data. Data itself must be protected in multiple forms: at rest, in transit, and in use. The type of business you’re in may already dictate what’s essential; critical infrastructure sectors with essential operations include telecommunications, healthcare, food, and energy. Anything that your business relies on to survive and sustain should be treated as highest priority for security.

Ensure required availability from your cloud provider

An essential part of resilience is the ability to stay online despite what happens. Part of the cloud provider’s responsibility is to keep resources online, performing at the agreed level of service. Depending on the needs of your business, you will require certain levels of service to maintain operations.

Your cloud provider promises availability of resources in a service-level agreement (SLA), a legal document between the two parties. Uptime, the measure of availability, ranges from 99.9% to 99% in the top tiers of publicly available clouds from Amazon and Microsoft. A difference of 0.9% may not seem like much, but that translates from roughly 9 hours of downtime to over 3.5 days annually—which might be unacceptable for some types of businesses.

Store backups—even better, automate

As ransomware proliferates, enterprises need to protect themselves against attackers who block access to critical data or threaten to expose it to the world. One of the most fundamental ways to continue business operations during such an incident is to rely on backups of critical data. After you’ve identified which data is necessary for business operations and legal compliance, it’s time to have a backup plan.

While your cloud service provider provides options for backup, spreading the function across more than one vendor will reduce your risk—assuming they’re also secure. As Betsy Doughty, Vice President of Corporate Marketing of Spectra Logic says, “it’s smart to adhere to the 3-2-1-1 rule: Make three copies of data, on two different mediums, with one offsite and online, and one offsite and offline.” Automated snapshots and data backup can run in the background, preparing you in the event of a worst-case scenario.

Expose and secure your blind spots

A recent report from the U.S. Securities and Exchange Commission observes that resilience strategies include “mapping the systems and process that support business services, including those which the organization may not have direct control.” Cloud networks certainly apply here, as with any outsourced services, you relinquish some control.

Relinquishing control does not have to mean lack of visibility. To gain visibility into what data is being transferred and how people are using cloud applications, consider the services of cloud access service brokers (CASBs), who sit between a cloud user and cloud provider. CASBs can improve your resilience providing detail into your cloud network traffic, enabling assessment for both prevention of attack and impact on business operations in the event of an incident. They also enforce security policies in place such as authentication and encryption.

Test your preparedness periodically

After all the hard work of putting components and plans into place, it’s time to put things to the test. Incident response tests can range from the theoretical to a simulated real-world attack. As processes and people change, performing these tests periodically will ensure you have an updated assessment of preparedness. You could run more cost-effective paper tests more frequently to catch obvious gaps and invest in realistic simulations at a longer interval. Spending the resources to verify and test your infrastructure will pay off when an attack happens and the public spotlight is on you.

Towards a resilient cloud

Being able to withstand a cyber-attack or quickly bring operations back online can be key to the success of a business. While some responsibility lies in the cloud provider to execute on their  redundancy and contingency plans per the SLA, some of it also lies in you. By knowing what’s important, securing your vulnerabilities, and having a tested process in place, you are well on your way to a secure and resilient cloud network.

The post Securing your cloud networks: Strategies for a resilient infrastructure appeared first on Cybersecurity Insiders.

Executive summary

On April 21st, 2023, AT&T Managed Extended Detection and Response (Managed XDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client’s print server to disable the server’s installed endpoint detection and response (EDR) solution, SentinelOne, by brute-forcing an administrator account and downgrading a driver to a vulnerable version.

AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system’s C:WindowsSystem32drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and Lockbit on vulnerable systems.

In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T Managed XDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.

Investigating the first phase of the attack

Initial intrusion

The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.

  

Establishing a beachhead

After compromising the local administrator account, the attackers used the “UsersAdministratorMusicaSentinel” folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous “Music” folder name helping to conceal their malicious activities.

AuKill malware has been found to operate using two Windows services named “aSentinel.exe” and “aSentinelX.exe” in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by utilizing corresponding Windows services like “aSophos.exe” and “aSophosX.exe”. 

Establishing persistence

We also discovered “aSentinel.exe” running from “C:Windowssystem32”, indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the “UsersAdministratorMusicaSentinel” directory and later copied to the system32 directory for persistence.

Network reconnaissance

Our investigation also revealed that PCHunter, a publicly accessible utility previously exploited in ransomware incidents like Dharma, was running from the “UsersAdministratorMusicaSentinel” directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client’s network before deploying the EDR killer malware. Additionally, PCHunter enables threat actors to terminate programs and interface directly with the Windows kernel, which aligns with the needs of the attacker. We observed PCHunter generating several randomly named .sys files, as illustrated below:

Preventing data recovery

We found that the attacker deleted shadow volume copies from the print server. Windows creates these copies to restore files and folders to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it more challenging for our client to recover their files if they were successfully encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers’ intentions. This information, together with the usage of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker’s objectives and tactics.

Bypassing native Windows protection

With all these pieces in place, the attacker last needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to disable SentinelOne at this time. EDR solutions are classified as essential by Windows and are protected from being turned off by attackers when they escalate privileges. To successfully circumvent these safeguards, the attacker would need to travel one level deeper into the operating system and gain kernel-level access to the machine.

Investigating the second phase of the attack

Dropping the vulnerable driver

Our team discovered that AuKill had replaced the current Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:WindowsSystem32drivers directory. The alarm screenshot below demonstrates how AuKill swapped the existing driver with this older version, making the system susceptible to further exploitation.

 

Windows incorporates a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. To bypass this security measure, the attackers exploited the insecure PROCEXP.SYS driver, which was produced and signed by Microsoft at an earlier date. As demonstrated in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. Furthermore, the originating process was aSentinel.exe, an executable created to disable SentinelOne.

Acquiring kernel-level access

Process Explorer, a legitimate system monitoring tool developed by Microsoft’s Sysinternals team, enables administrators to examine and manage applications’ ongoing processes, as well as their associated threads, handles, and DLLs.

Upon startup, Process Explorer loads a signed kernel-mode driver, facilitating interaction with the system’s kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, employing what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to exploit the now vulnerable kernel mode driver to gain the kernel-level access they needed to successfully disable SentinelOne.

Disabling SentinelOne

The kernel-mode driver used by Process Explorer has the unique ability to terminate handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer’s kernel driver to specifically target protected handles associated with SentinelOne processes running on the print server. AuKill then generated several threads to ensure that these EDR processes remained disabled and did not resume. Each thread concentrated on a certain SentinelOne component and regularly checked to see if the targeted processes were active. If they were, AuKill would terminate them. 

Response

Customer interaction

At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had now successfully reached the “Command and Control” stage. However, the attacker did not reach the “Actions on Objectives” stage, as the SentinelOne agent managed to disrupt ransomware deployment enough before it was disabled to prevent any additional damage.

Any attempts to re-deploy malware or move laterally following the disablement of the EDR were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review their environment, w e reassured the client that no sensitive information was exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.

Recommendations

As BYOVD attacks to bypass EDR software become more widespread, we strongly advise blacklisting outdated drivers with a known history of exploitation. Furthermore, we encourage our clients to maintain an inventory of the drivers installed on their systems, ensuring they remain current and secure. Lastly, we recommend bolstering the security of administrator accounts to defend against brute force attacks, as the incident detailed in this blog post could not have transpired without the initial privileged user compromise.

The post Stories from the SOC – Unveiling the stealthy tactics of Aukill malware appeared first on Cybersecurity Insiders.

The case for unified endpoint management and mobile threat defense

The evolution of endpoint management

Unified endpoint management (UEM) has played a significant role over the years in enabling companies to improve the productivity and security of their corporate mobile devices and applications. In the early days of endpoint management there were separate workflows and products as it pertains to traditional endpoints, such as desktops and laptops, versus mobile devices. Over time, administrators grew frustrated with the number of tools they were required to learn and manage so developers moved toward an integrated solution where all endpoint devices, regardless of type, could be inventoried, managed, and have consistent policies applied through a single pane of glass.

Today, UEMs allow IT administrators to be more productive by enabling them to set and enforce policies as to the type of data and applications an employee can access, providing the administrators with granular control and more effective security. These UEM platforms boast security features including the ability to identify jailbroken or rooted devices, enforcing passcodes, and enabling companies to wipe the data from mobile devices in the event they become lost or stolen. In general, UEMs have and continue to play an integral part in improving the management and productivity of business-critical mobile endpoints. 

Possible avenues for attack

However, in today’s environment, companies are experiencing a significant rise in the number of sophisticated and targeted malware attacks whose goal is to capture their proprietary data.  Only a few years ago, losing a mobile device meant forfeiture of content such as text messages, photographs, contacts, and calling information. Today’s smartphones have become increasingly sophisticated not only in their transactional capabilities but also represent a valuable target, storing a trove of sensitive corporate and personal data, and in many cases include financial information. If the phone stores usernames and passwords, it may allow a malicious actor to access and manipulate a user’s account via banking or e-commerce websites and apps. 

To give you a sense of the magnitude of the mobile security issues:

• The number of mobile users in enterprise environments clicking on more than six malicious links annually has jumped from 1.6% in 2020 to 11.8% in 2022
• In 2021, banking trojan attacks on Android devices have increased by 80%
• In 2022, 80% of phishing attacks targeted mobile devices or were designed to function on both mobile devices and desktops 
• In 2022, 43% of all compromised devices were fully exploited, not jailbroken or rooted-an increase of 187% YOY  

Attack vectors come in various forms, with the most common categorized below:

Device-based threats – These threats are designed to exploit outdated operating systems, risky device configurations and jailbroken/rooted devices.

App threats – Malicious apps can install malware, spyware or rootkits, or share information with the developer or third parties unbeknownst to the user, including highly sensitive business and personal data.

Web and content threats – Threats may be transmitted via URLs opened from emails, SMS messages, QR codes, or social media, luring users to malicious websites.  These websites may be spoofed to appear like a legitimate site requesting payment details or login credentials. Other websites may include links that will download malware to your device.

Network threats – Data is at risk of attack via Wi-Fi or cellular network connections.  Attacks can come in the form of man-in-the-middle attacks or rogue access points enabling hackers to capture unencrypted data.     

Enter mobile threat defense

While UEM can inventory assets, offer employees a more consistent experience, and can be used to push updates, its threat detection capabilities is extremely limited. The increased sophistication of malware attacks makes UEM platforms insufficient to detect or prevent these attacks from occurring.

To address these attacks more companies are adopting mobile threat defense solutions to work in tandem with their UEM subscriptions. Mobile threat defense (MTD) enables companies to identify and block mobile threats across most, if not, all attack vectors. The following outlines how mobile threat defense protects against the four main categories of mobile device threats: 

Device-based threats – Continuous evaluation of user and device risk posture with the ability to prevent jailbroken devices, those with outdated OS, and risky device considerations from accessing the network

App and content threats – Continuous scanning for malicious malware, viruses, trojans and side-loaded apps.  Threat detection is alerted in real-time with device remediation.

Network threats – Scans through each of the customer’s mobile devices to determine missing OS security patches, identifies man-in-the-middle attacks and other network related vectors providing remediation guidance such as fixing vulnerabilities or bug fixes.

Web and content threats – Mobile threat defense will alert users phishing attempts from email, SMS, or browsers.  It can also block malicious websites depending on the MTD features and capabilities.

Use cases

Remote payment processing

Companies are beginning to increase flexibility and decrease time to revenue by offering mobile payments in the field.  If mobile devices are part of the company’s payment path, they require protection. Malicious actors may use man-in-the-middle attacks to intercept network transactions. Equally threatening are surveillanceware attacks that capture information during a transaction. Mobile threat defense will identify these attacks, alert the user, and potentially block depending on the MTD’s solution’s capabilities.

Defend high-value targets against breach

Executives are commonly targeted as they may have access to sensitive data (e.g., financial, and strategic plans, customer, and human resources related information) and often use mobile devices while “on the road”.  Attack vectors such as spear phishing may be deployed by hackers with targeted attacks. Such highly sensitive information warrants the need to secure executives’ devices. Mobile threat defense applications will aid the IT administrator in identifying these attacks and alert the user on their device. 

Mobile threat defense vendors and solutions

There are a few mobile threat defense offers for consideration in terms of their effectiveness in addressing threat vectors that target mobile devices. 

IBM MaaS360 Mobile Threat Management: IBM recently introduced a new version of its mobile threat management application to complement its UEM offering. IBM MaaS360 Mobile Threat Management enables companies to detect, analyze and remediate enterprise malware on mobile devices. It provides SMS and email phishing detection, advanced jailbreak, root and hider detection with over-the-air updates for security definitions. Administrators can configure compliance policies based on these advanced threats and remediate vulnerabilities—improving the security of bring your own device (BYOD) and corporate-owned devices.

SentinelOne Mobile Threat Defense: This solution enables comprehensive, on-device, autonomous security for corporate-owned and personally owned BYOD devices that protects against modern day threats and exploits. The mobile agent detects application exploits in real-time, untrusted networks, man-in-the-middle attacks, system tampering, and delivers mobile phishing protection.

Lookout Mobile Endpoint Security:  Lookout Mobile Endpoint Security (MES) is considered by many to be the industry’s most advanced platform to deliver mobile endpoint detection and response (EDR). Its capabilities include extending zero trust policies to any device having access to corporate data, evaluates the risk posture of every user and mobile device throughout their session and automatically ends the session if the risk posture changes informing both user and admin of the threat.

The post Mobile threat defense or bust appeared first on Cybersecurity Insiders.

Executive summary

AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.

In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.

In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.

Key takeaways:

• In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
• According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
• The application is silently installed by malware on infected machines without user knowledge and interaction.
• The proxy application is signed and has zero anti-virus detection.
• The proxy is written in Go programming language and is spread by malware both on Windows and macOS.

Analysis

In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy – relying on users looking for interesting things, like cracked software and games.

The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1) 

 

Figure 1. As  on Virus Total: Proxy application – zero detections.

After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.

Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.

As shown in the figure 2 above, the malware uses specific Inno Setup parameters to silently install the proxy by executing it with the following instructions:

• “/SP-” – Disables the pop up “This will install… Do you wish to continue?” that usually prompts at the beginning of the windows Setup.
• “/VERYSILENT” – When a setup is very silent the installation progress bar window is not displayed.
• “/SUPPRESSMSGBOXES” – Instructs Setup to suppress message boxes. The setup automatically answers common interaction messages box with the user.

Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.

The monetization of malware propagating proxy server through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and persistence. (Figure 3)

Figure 3. As observed by Alien Labs: Proxy installation script.

The setup file drops two executable files:

• “DigitalPulseService.exe” – Is the proxy server itself that communicates constantly with its exit node operator for further instructions.
• “DigitalPulseUpdater” – Check and download for new proxy applications available.

The proxy persists in the system in two ways:

• Run registry key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
• Windows schedule task named “DigitalPulseUpdateTask” that will be executed each hour: %AppData%DigitalPulseDigitalPulseUpdate.exe

The updater, which is executed through the schedule task, queries the server along with the machine unique GUID on hourly basis, to check for the presence of any update versions. (Figure 4)

Figure 4. As observed by Alien Labs: Proxy updater service.

A response from the server will include the version and download link:

{“dd”:”https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe”,”vv”:”0.0.16.14″}

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)

Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.

The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.

Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.

Recommended actions

To remove the proxy application from the system, delete the following entities:

Type	Data	Instructions
Folder	“%AppData%DigitalPulse”	To find current user “AppData” folder: Run -> %AppData% -> ENTER
Registry	HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
Schedule task	DigitalPulseUpdateTask

 

Conclusion

In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31	Malware dropper hash
SHA256	2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d	Malware dropper hash
SHA256	b0692f201e6dfdbe1b920849a31f2b9fb73db19779fdb77c660c28fa22b70a38	Malware dropper hash
SHA256	424d35bc945ea2deda177b46978bbb45af74109a988450ea4ed5fe16c1f629f9	Malware dropper hash
SHA256	518bc3b96a97a573c61934ff65cc284c3e5545c7823318918a7cb05cbb5518b1	Malware dropper hash
SHA256	417cf3f959e1040ffe13fcf21691b05ea96da5849010b0a4d17c6cecbeaef621	Malware dropper hash
SHA256	611ce42b0866c085d751c579f00b9e76c412a7d1e1ebcf998be6b666edc22416	Malware dropper hash
SHA256	801ecf29bee98e3b942de85e08ec227373a15b0a253c9c3eb870af33709f3d8d	Malware dropper hash
SHA256	7926a84dcb6ffbe93893477f7f3ad52516cfedf8def5c43686dd6737926146a7	Malware dropper hash
SHA256	3aaaa01bdd20981fdc94d52c5ac0ed762a124b0a08c22d760ab7e43554ee84dd	Malware dropper hash
SHA256	7a33d3f5ca81cdcfe5c38f9a4e5bbf3f900aa8f376693957261cdbe21832c110	Malware dropper hash
SHA256	5a11065473b9a1e47d256d8737c2952da1293f858fc399157ab34bbaadff6cb8	Malware dropper hash
SHA256	de97da00ed54a1f021019852a23b50c82408ab7a71dc0f3e6fef3680ac884842	Malware dropper hash
SHA256	dad35cdd6213381cc350688f6c287f4f3e1192526f78b9b62779acc4b03495f9	Malware dropper hash
SHA256	42ae669786b19556de65eeb1c45ec4685016b69384c21f3bbc30aaf2cddb2126	Malware dropper hash
SHA256	e79c37dc791d1bdb01524d158421efa29dcebde250f7571e9e30714496b3c06f	Malware dropper hash
SHA256	f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca	Malware dropper hash
SHA256	6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca	Malware dropper hash
SHA256	aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7	Malware dropper hash
SHA256	0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8	Malware dropper hash
SHA256	331cf0f8049fc0e68e8bd75f8efed629b41459425a971cbcec53485ba2bf4521	Malware dropper hash
SHA256	0ca119c7be4ec67355b47d8d197361e730d93153a87d09e00a68ceda340fabb0	Malware dropper hash
SHA256	db115eff8d8b013e89f398b922294b248d5d6be51d7ab60cbde3b6ff2ff3f219	Malware dropper hash
SHA256	1cff1d3a10cc36338803e37cc3c9e9121bdd8c5189ca4533d1c585715561bc4a	Malware dropper hash
SHA256	530e59f9bd99b191b54ec18eb92d6b44005e56c1dd877b4e4ce0370d3d917fb4	Malware dropper hash
SHA256	9a416904a4d942c77177770ea0680c48e5d5eddba793af3c434e4ff733daab56	Malware dropper hash
SHA256	aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950	Malware dropper hash
SHA256	3ff5e3932ba4a438c12c253ec6b00416ac6ce250173bac6be0bb8d619cea47bd	Malware dropper hash
SHA256	a10d023b10b878a09697563155799bd088ed2f797aff489b732959f917414f97	Malware dropper hash
SHA256	65a9895f5e49f8e18727fe16744c6631c0676e08499f4407b9d8c11634aae5e0	Malware dropper hash
SHA256	e07aa2d15520c6f0ab9bbbe049f48402e4b91fde59b22b5668daef2ec924a68b	Malware dropper hash
SHA256	cc3cbc8ad7f71223230a457aa2664d77b43b7f7a4988b42609ad707f0385aee3	Malware dropper hash
SHA256	cba34f77ca2a5d4dc56f4567ff1f0b2242105d532353d2868d7b2c42f1a37551	Malware dropper hash
SHA256	153de6a7d78bcce8a0cec446cdc20ec4b18ee72b74f59e76780ec5c76efddc52	Malware dropper hash
SHA256	8505c4c3d6406cc55a9492cf1a3285de9c0357691112b2ab787faa57d55d304b	Malware dropper hash
SHA256	c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41	Malware dropper hash
SHA256	550c4839f26bf81f480c5e4210be3ded43d4f8027d5d689a6fe8692c42235940	Malware dropper hash
	5324f5aae565ddc8dc2a4b574bc690cba6b35bd4bf3f63e6df14d613b68ac769	Malware dropper hash
DOMAIN	bapp.digitalpulsedata[.]com	Proxy node server

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1547: Boot or Logon Autostart Execution
      • T1547.001: Registry Run Keys / Startup Folder
    • T1053: Scheduled Task/Job
      • T1053.005: Scheduled Task
  • TTA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking

The post ProxyNation: The dark nexus between proxy apps and malware appeared first on Cybersecurity Insiders.