Category: Detect

This blog was jointly written by Fernando Martinez Sidera and Ofer Caspi, AT&T Alien Labs threat intelligence researchers.

Executive summary 

AdLoad malware is still infecting Mac systems years after its first appearance in 2017. AdLoad, a package bundler, has been observed delivering a wide range of payloads throughout its existence. During AT&T Alien Labs’ investigation of its most recent payload, it was discovered that the most common component dropped by AdLoad during the past year has been a proxy application turning MacOS AdLoad victims into a giant, residential proxy botnet.

Key takeaways: 

• AdLoad malware is still present and infecting systems, with a previously unreported payload.
• At least 150 samples have been observed in the wild during the last year.
• AT&T Alien Labs has observed thousands of IPs behaving as proxy exit nodes in a manner similar to AdLoad infected systems. This behavior could indicate that thousands of Mac systems have been hijacked to act as proxy exit nodes.
• The samples analyzed in this blog are unique to MacOS, but Windows samples have also been observed in the wild.

Analysis 

AdLoad is one of several widespread adware and bundleware loaders currently impacting macOS. The OSX malware has been present since 2017, with big campaigns in the last two years as reported by SentinelOne in 2021 and Microsoft in 2022. As stated in Microsoft’s report on UpdateAgent, a malware delivering AdLoad through drive-by compromise, AdLoad redirected users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results with a Person-in-The-Middle (PiTM) attack.

These two previous campaigns, together with the campaign described in this blog, support the theory that AdLoad could be running a pay-per-Install campaign in the infected systems.

• The main purpose of the malware has always been to act as a downloader for subsequent payloads.
• It has been identified delivering a wide range of payloads (adware, bundleware, PiTM, backdoors, proxy applications, etc.) every few months to a year, sometimes conveying different payloads depending on the system settings such as geolocation, device make and model, operating system version, or language settings, as reported by SentinelOne.
• In all observed samples, regardless of payload, they report an Adload server during execution on the victim’s system.
• This beacon (analyzed later in Figure 3 & 4) includes system information in the user agent and the body, without any relevant response aside from a 200 HTTP response code.
• This activity probably represents AdLoad’s method of keeping count of the number of infected systems, supporting the pay-per-Install scheme.

AT&T Alien Labs has observed similar activity in our threat analysis systems throughout the last year, with the AdLoad malware being installed in the infected systems. However, Alien Labs is now observing a previously unreported payload being delivered to the victims. The payload corresponds to a proxy application, converting its targets into proxy exit nodes after infection. As seen in Figure 1, the threat actors behind this campaign have been very active since the beginning of 2022.

Figure 1. Histogram of AdLoad samples identified by Alien Labs.

The vast number of samples in the wild have consequently led to many devices becoming infected. Alien Labs has identified over 10,000 IPs reaching out to the proxy servers each week that have the potential to be proxy exit nodes. It is unclear if all these systems have been infected or are voluntarily offering their systems as proxies, but it could be indicative of a bigger infection globally.

The intentions behind the users of this botnet for residential proxy systems is still unclear, but so far it has already been detected delivering SPAM campaigns. A campaign was suffered by the University of Illinois, who had to release an internal alert to notify their students of this thread.

Figure 2. University of Illinois alert at https://answers.uillinois.edu/illinois/page.php?id=120871.

This blog will focus on a sample of AdLoad, which AT&T Alien Labs observed in the wild during the month of June: 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc. This sample was named “app_assistant”. Together with ‘main_helper’ or ‘mh’ are the most common filenames observed for this malware.

The sample initiates the execution with a system profiler. The system profiler pulls system information focusing in on the UUID (Universally Unique Identifier) that can be used later to identify the system with the Command and Control (C&C) on the proxy servers.

It then reaches out to an AdLoad server to report the infection. The URL is hardcoded in the sample. Alien Labs has observed two different patterns thus far:

Pattern 1 includes:

• POST request to a URL with path “/l”.
• Host with api. Subdomain.
• Content Type is “application/x-www-form-urlencoded”.
• The body starts with “cs=” and is followed by around 300 base64 characters.

This behavior had already been observed in the wild and is detected by ET (Emerging Threats) with a public rule attributing the activity to OSX/SHLAYER (Rule in the appendix).

Figure 3: Example from Alien Labs of network traffic of sample 54efc69cb6ee7fde00c0320202371dcdad127d0e7c8babce4659be8230d81a81.

Pattern 2 includes:

• POST request to a URL with path “/a/rep”
• Host with m. subdomain
• Content Type is charset=utf-8
• The body starts with “smc” and is followed by encrypted data.

No public rules were identified for this behavior as of the publishing of this blog, however Alien Labs has provided a rule in the appendix.

In both cases, the User Agent is formed by the filename of the executed file followed by “(unknown version) CFNetwork/$version” plus the Darwin version number.

Figure 4: Example from Alien Labs: network traffic of sample 6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc.

After beaconing to the AdLoad server, the sample reaches out to a different domain, usually vpnservices[.]live or upgrader[.]live, appearing to be a proxy server’s C&C. The request carries as a parameter the UUID of the infected machine among other encoded parameters. This request responds with a link of the file to download, usually in digitaloceanspaces[.]com. It also includes the environment to use and the version number of the payload.

Figure 5 summarizes the different connections Alien Labs has observed as of the publishing of this article (steps 1-5), and the activity we will describe next (steps 5-8).

Figure 5: Infection process as analyzed by Alien Labs.

Attack chain, Steps 5-8

• Once the malware downloads the proxy app, it is unzipped with a password, and xattr -rd is executed on the files to remove the quarantine attribute from them. This bypasses Gatekeeper’s security.
• The existing files are copied to ‘/Users/$user/Library/Application Support/$randomstring’. Any unnecessary files placed in the system, the /tmp directory, and the original zip file are deleted.
• At this point, the newly generated folder under Application Support has two files: the first is a version control named ‘pcyx.ver’ and the second contains the proxy application, usually named ‘helper’ or ‘main’. If the proxy application is already running, the malware kills it, and then executes it in the background. During its execution, AdLoad gains persistence by installing itself as a Launch Agent with organization name usually formed by org.[random long string].plist, which points at the proxy application executable in the Application Support folder.
• The application is already running, and the hosts start operating as a proxy server. Its initial configuration is usually hardcoded (figure 6), but it can be modified through the previous request to the proxy C&C, modifying the used domain, port, environment, etc. The communication with proxy servers usually occurs over port 7001, but it has also been seen over port 7000 and 7002, probably alternatives in case 7001 is taken.

Figure 6: As observed by Alien Labs: the malware configuration includes C&C address, certificate, malware version and more.

• As the application runs, its first action is to beacon system information and status to the proxy server. It sends a registration message to its C&C after collecting the machine’s information. This data includes macOS version, hardware stats like CPU, memory, and battery status. Additionally, it extracts the machine’s UUID, labeled as “peer_id”, that is used as identifier of the machine with the C&C (figure 7).
• After registration with its C&C, the malware receives the proxy manager server to which it forwards proxy requests.

Figure 7: Collecting system information before registering as new peer.

Many of the proxy requests immediately issued after an infection appear to be testing queries, i.e., iplookups or access to streaming services like Netflix, HBO or Disney, from specific locations. Figure 8 shows the beacon and the response from the server, together with the request for an IP Lookup, which arrived at the infected system through port 7001.

Figure 9 shows more clearly how the IP Lookup is forwarded to its actual destination and the received response is sent back to the proxy server.

Figure 8: Beacon and and IPlookup as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

Figure 9: Proxy flow, as observed by Alien Labs, d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b.

The beacon message shown in figure 8 is sent every few seconds to get further instructions from the C&C. This includes requests for updated hardware information to check if the machine may be running into issues soon and should not be loaded as proxy (low battery or high CPU usage) (Figure 10).

Figure 10: Pinging C&C for further instructions, observed by Alien Labs.

Alien Labs has identified several domains as proxy server nodes that were relaying the proxy requests to the infected systems. These domains all had generic randomly generated names, like bapp.pictureworld[.]co and were hosted in usually reliable cloud services, like Amazon or Oracle. However, they appeared to only be used as DNS resolvers, since those IPs happened to all resolve to a private company domain around the time of infection. The company name also showed up in the certificates of some of these generic domains.

Based on the above information, a small business selling proxy services appears to be behind the proxy activity. The list of prices published in this private company webpage, does include residential IP proxys as an offered service.

In addition to the Mac samples analyzed in this blog, Alien Labs has also identified other Windows samples replicating the behavior just explained. These Windows samples also end up acting as proxies through the known ports 7000, 7001 and 7002, with traffic coming from the same domains. AT&T Alien Labs will be releasing a new blog in the upcoming weeks with that analysis.

Recommended actions 

To remove AdLoad samples from the system:

1. AdLoad samples can be identified with the Yara rule included in the Appendix, originally created by SentinelOne in a previous AdLoad report.
2. Analyze any system matching suricata rules 4002758 and 2038612.

To remove the proxy application from the system:

1. Review ‘/Users/X/Library/Application Support/’ and look for a folder named with a string of over 20 randomly generated characters, which contains files like: main, helper, pcyx.ver; and are currently running in your system in the background.
2. Understand the need for all the existing Launch Agents plists in /Library/LaunchAgents/. Especially looking for another long string of random characters, and identify the existing agents, deleting the unnecessary ones.
3. Analyze any systems communicating though port 7000, 7001 or 7002 to suspicious IPs (or matching suricata rules 4002756 and 4002757).

Conclusion 

The pervasive nature of AdLoad potentially infecting thousands of devices worldwide — indicates that users of MacOS devices are a lucrative target for the adversaries behind this malware and are being tricked to download and install unwanted applications. The underreporting of MacOS based threats may lead users to a false sense of security and underscores that any popular operating system can become a target for skilled adversaries.

AT&T Alien Labs is not aware whether the private company relaying the proxy requests is actively infecting the systems, or they are buying what they believe to be legitimate systems. However, their proxy servers are accessing these systems and selling a similar service to their clients. Buyers are leveraging the benefits of a residential proxy botnet: anonymity, wide geolocation availability and high IP rotation; to deliver SPAM campaigns through the last year.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research. 

SURICATA IDS SIGNATURES

alert tcp $HOME_NET any -> $EXTERNAL_NET [7000:7002] (msg:”AV TROJAN AdLoad Proxy Node Beacon”; flow:to_server,established; content:”|7B 22|peer_id|22 3A|”; offset:0; depth:11; content:”|22 2C 22|connect_version|22|”; distance:0; content:”|22|action|22|”; distance:0; classtype:bad-unknown; sid:4002756; rev:2;)

alert tcp $EXTERNAL_NET [7000:7002] -> $HOME_NET any (msg:”AV TROJAN AdLoad Proxy Node Response”; flow:established; content:”|7B 22|result|22 3A|”; offset:0; depth:10; content:”|22|error|22 3A 22|”; distance:0; content:”|22 2C 22|action|22 3A 22|result|22|”; distance:0; content:”|22|uuid4|22|”; distance:0; content:”|22|version|22|”; distance:0; classtype:bad-unknown; sid:4002757; rev:2;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”AV TROJAN OSX AdLoad CnC Beacon”; flow:established,to_server; content:”POST”; http_method; content:”/a/rep”; http_uri; depth:6; isdataat:!1,relative; content:”m.”; depth:2; http_host; content:”|20 28|unknown|20|version|29 20|CFNetwork|2f|”; http_user_agent; fast_pattern; content:”charset=utf-8″; http_content_type; pkt_data; content:”smc”; http_client_body; depth:3; content:”$”; distance:7; within:1; http_client_body; isdataat:200,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:4002758; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:”ET TROJAN OSX/SHLAYER CnC Activity M2″; flow:established,to_server; content:”POST”; http_method; content:”/l”; http_uri; depth:2; isdataat:!1,relative; content:”|20 28|unknown|20|version|29 20|CFNetwork|2f|”; http_user_agent; fast_pattern; content:”cs=”; http_client_body; depth:3; pcre:”/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})/PR”; http_content_type; content:”application/x-www-form-urlencoded”; depth:33; isdataat:!1,relative; threshold:type limit, count 1, seconds 600, track by_dst; classtype:trojan-activity; sid:2038612; rev:1; metadata:affected_product Mac_OSX, attack_target Client_Endpoint, created_at 2022_08_25, deployment Perimeter, former_category MALWARE, malware_family Shlayer, performance_impact Low, signature_severity Major, updated_at 2022_08_25;)

 

YARA RULES

private rule Macho {        meta:               description = “private rule to match Mach-O binaries”        condition:               uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca }   rule adload_2021_system_service {        meta:               description = “rule to catch Adload .system .service variant”               author = “Phil Stokes, SentinelLabs”               version = “1.0”               last_modified = “2021-08-10”               reference = “https://s1.ai/adload”        strings:               $a = { 48 8D 35 ?? ?? 00 00 48 8D 5D B8 BA B8 00 00 00 48 89 DF E8 ?? ?? FB FF 48 8B 43 08 48 2B 03 66 48 0F 6E C0 66 0F 62 05 ?? ?? 00 00 66 0F 5C 05 ?? ?? 00 00 0F 57 C9 66 0F 7C C0 48 8D 7D A0 0F 29 0F F2 0F 59 05 }        condition:               Macho and all of them }

 

Associated indicators (IOCs) 

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report. 

TYPE	INDICATOR	DESCRIPTION
SHA256	d94f62ec4b6ffcec35d5e639d02a52ce226629a5eb3e2a7190174ea8d3b40b5b	AdLoad sample
SHA256	956aae546af632ea20123bfe659d57e0d5134e39cdb5489bd6f1ba5d8bbd0472	AdLoad sample
SHA256	6587e61a8a7edb312da5798ffccf4a5ef227d3834389993b4df3ef0b173443dc	AdLoad sample
SHA256	3d063efde737b7b2e393926358cbb32469b76395e1a05e8c127a12e47550f264	AdLoad sample
SHA256	2d595880cfb1691dd43de02d1a90273919f62311a7668ef078709eff2fd6bd87	AdLoad sample
SHA256	7cb10a70fd25645a708c81f44bb1de2b6de39d583ae3a71df0913917ad1dffc3	AdLoad sample
SHA256	4a7c9829590e1230a448dd7a4272b9fbfbafccf7043441967c2f68f6082dde32	AdLoad sample
SHA256	68b6beb70bd547b75f2d36d70ca49f8b18542874480d39e33b09ee69eb1048b3	AdLoad sample
SHA256	1904b705105db4550371d678f8161826b98b1a9fca139fa41628214ed816d2f5	AdLoad sample
SHA256	2fb1d8e6454f43522f42675dcf415569e5df5d731e1d1390f793c282cce4a7aa	AdLoad sample
SHA256	ee9ebdb1d9a7424cd64905d39820b343c5f76e29c9cd60c0cdd3bfe069fb7d51	AdLoad sample
SHA256	c7721ab85bad163576c166a0a71c0dbe4cc491dda68c5a5907fd1d8cac50780d	AdLoad sample
URL	hxxp://m.skilledobject[.]com/a/rep	AdLoad beacon
URL	hxxp://m.browseractivity[.]com/a/rep	AdLoad beacon
URL	hxxp://m.enchantedreign[.]com/a/rep	AdLoad beacon
URL	hxxp://m.activitycache[.]com/a/rep	AdLoad beacon
URL	hxxp://m.activityinput[.]com/a/rep	AdLoad beacon
URL	hxxp://m.opticalupdater[.]com/a/rep	AdLoad beacon
URL	hxxp://m.connectioncache[.]com/a/rep	AdLoad beacon
URL	hxxp://m.analyzerstate[.]com/a/rep	AdLoad beacon
URL	hxxp://m.essencecuration[.]com/a/rep	AdLoad beacon
URL	hxxp://m.microrotator[.]com/a/rep	AdLoad beacon
URL	hxxp://m.articlesagile[.]com/a/rep	AdLoad beacon
URL	hxxp://m.progresshandler[.]com/a/rep	AdLoad beacon
URL	hxxp://m.originalrotator[.]com/a/rep	AdLoad beacon
URL	hxxp://m.productiveunit[.]com/a/rep	AdLoad beacon
URL	hxxp://api.toolenviroment[.]com/l	AdLoad beacon
URL	hxxp://api.inetfield[.]com/l	AdLoad beacon
URL	hxxp://api.operativeeng[.]com/l	AdLoad beacon
URL	hxxp://api.launchertasks[.]com/l	AdLoad beacon
URL	hxxp://api.launchelemnt[.]com/l	AdLoad beacon
URL	hxxp://api.validexplorer[.]com/l	AdLoad beacon
URL	hxxp://api.majorsprint[.]com/l	AdLoad beacon
URL	hxxp://api.essentialenumerator[.]com/l	AdLoad beacon
URL	hxxp://api.transactioneng[.]com/l	AdLoad beacon
URL	hxxp://api.macreationsapp[.]com/l	AdLoad beacon
URL	hxxp://api.commondevice[.]com/l	AdLoad beacon
URL	hxxp://api.compellingagent[.]com/l	AdLoad beacon
URL	hxxp://api.lookupindex[.]com/l	AdLoad beacon
URL	hxxp://api.practicalsync[.]com/l	AdLoad beacon
URL	hxxp://api.accessiblelist[.]com/l	AdLoad beacon
URL	hxxp://api.functionconfig[.]com/l	AdLoad beacon
Domain	hxxps://vpnservices[.]live	Proxy C&C to report infected systems
Domain	hxxps:// upgrader[.]live	Proxy C&C to report infected systems
Domain	hxxp://bapp.pictureworld[.]co	Proxy Node

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques: 

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1543: Create or Modify System Process
      • T1543.001: Launch Agent
  • TA0005: Defense Evasion
    • T1140: Deobfuscate/Decode Files or Information
    • T1497: Virtualization/Sandbox Evasion
      • T1497.001: System Checks
    • T1222: File and Directory Permissions Modification
      • T1222.002: Linux and Mac File and Directory Permissions Modification
    • T1553: Subvert Trust Controls
      • T1553.001: Gatekeeper Bypass
    • T1562: Impair Defenses
      • T1562.001: Disable or Modify Tools
  • TA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking

The post Mac systems turned into proxy exit nodes by AdLoad appeared first on Cybersecurity Insiders.

Executive summary

AT&T Alien Labs researchers recently discovered a massive campaign of threats delivering a proxy server application to Windows machines. A company is charging for proxy service on traffic that goes through those machines. This is a continuation of research described in our blog on Mac systems turned into proxy exit nodes by AdLoad.

In this research, Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.

In this follow up article we explore the dramatic rise in Windows malware delivering the same payload to create a 400,000 proxy botnet.

Key takeaways:

• In just one week AT&T Alien Labs researchers observed more than a thousand new malware samples in the wild delivering the proxy application.
• According to the proxy website, there are more than 400,000 proxy exit nodes, and it is not clear how many of them were installed by malware.
• The application is silently installed by malware on infected machines without user knowledge and interaction.
• The proxy application is signed and has zero anti-virus detection.
• The proxy is written in Go programming language and is spread by malware both on Windows and macOS.

Analysis

In the constantly evolving landscape of cyber threats, malicious actors continuously find new and ingenious ways to exploit technology for their own gain. Recently Alien Labs has observed an emerging trend where malware creators are utilizing proxy applications as their tool of choice. Different malware strains are delivering the proxy – relying on users looking for interesting things, like cracked software and games.

The proxy is written in the Go programming language, giving it the flexibility to be compiled into binaries compatible with various operating systems, including macOS and Windows. Despite the fact that the binaries originated from the same source code, macOS samples are detected by numerous security checks while the Windows proxy application skirts around these measures unseen. This lack of detection is most likely due to the application being signed. (Figure 1) 

 

Figure 1. As  on Virus Total: Proxy application – zero detections.

After being executed on a compromised system, the malware proceeds to quietly download and install the proxy application. This covert process takes place without requiring any user interaction and often occurs alongside the installation of additional malware or adware elements. The proxy application and most of the malware delivering it are packed using Inno Setup, a free and popular Windows installer.

Figure 2. As observed by Alien Labs: Malware embedded script to install the proxy silently.

As shown in the figure 2 above, the malware uses specific Inno Setup parameters to silently install the proxy by executing it with the following instructions:

• “/SP-” – Disables the pop up “This will install… Do you wish to continue?” that usually prompts at the beginning of the windows Setup.
• “/VERYSILENT” – When a setup is very silent the installation progress bar window is not displayed.
• “/SUPPRESSMSGBOXES” – Instructs Setup to suppress message boxes. The setup automatically answers common interaction messages box with the user.

Furthermore, the malware transmits specific parameters directly to the proxy installation process, subsequently relaying them to the proxy’s command and control server (C&C) as part of the new peer registration process. These parameters play a crucial role in identifying the origin of the proxy propagation within the proxy command and control infrastructure.

The monetization of malware propagating proxy server through an affiliate program is troublesome, as it creates a formal structure to increase the speed at which this threat will spread. The downloaded proxy application is packed with Inno Setup as well, and the installation script is responsible both for installing its files and persistence. (Figure 3)

Figure 3. As observed by Alien Labs: Proxy installation script.

The setup file drops two executable files:

• “DigitalPulseService.exe” – Is the proxy server itself that communicates constantly with its exit node operator for further instructions.
• “DigitalPulseUpdater” – Check and download for new proxy applications available.

The proxy persists in the system in two ways:

• Run registry key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
• Windows schedule task named “DigitalPulseUpdateTask” that will be executed each hour: %AppData%DigitalPulseDigitalPulseUpdate.exe

The updater, which is executed through the schedule task, queries the server along with the machine unique GUID on hourly basis, to check for the presence of any update versions. (Figure 4)

Figure 4. As observed by Alien Labs: Proxy updater service.

A response from the server will include the version and download link:

{“dd”:”https://digitalpulsedata.s3.amazonaws[.]com/update/pp/0.16.14/DigitalPulseService.exe”,”vv”:”0.0.16.14″}

The proxy then continuously gathers vital information from the machine to ensure optimal performance and responsiveness. This includes everything from process list and monitoring CPU to memory utilization and even tracking battery status. This dynamic data collection underscores its capability to manage the demands of proxy requests while evading suspicion by adapting to the system’s operational context. (Figure 5)

Figure 5. As observed by Alien Labs: Sending collected machine information to the command and control.

The proxy communicates with its command and control on port 7001 to receive further instructions. Figure 6 shows an example request from a proxy node server to get information from “www.google.de” from an infected device.

Figure 6. As observed by Alien Labs: Proxy exit node communication with its C&C.

Recommended actions

To remove the proxy application from the system, delete the following entities:

Type	Data	Instructions
Folder	“%AppData%DigitalPulse”	To find current user “AppData” folder: Run -> %AppData% -> ENTER
Registry	HKCUSoftwareMicrosoftWindowsCurrentVersionRunDigitalPulse
Schedule task	DigitalPulseUpdateTask

 

Conclusion

In the constantly changing world of cyber threats, the intertwined relationship between innovation and malicious intent propels new strategies by nefarious actors. The rise of malware delivering proxy applications as a lucrative investment, facilitated by affiliate programs, highlights the cunning nature of adversaries’ tactics. These proxies, covertly installed via alluring offers or compromised software, serve as channels for unauthorized financial gains. As we have examined, this underscores the importance of remaining vigilant and adaptive in the face of ever-evolving cyber threats.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

TYPE	INDICATOR	DESCRIPTION
SHA256	33585aed3e7c4387a3512b93612932718e9dff2358867ba8c4ad1e8073bbce31	Malware dropper hash
SHA256	2b79d98043030645f27bd1b061ffa27eab19462dff356e6b4a89bb1d3c9bf02d	Malware dropper hash
SHA256	b0692f201e6dfdbe1b920849a31f2b9fb73db19779fdb77c660c28fa22b70a38	Malware dropper hash
SHA256	424d35bc945ea2deda177b46978bbb45af74109a988450ea4ed5fe16c1f629f9	Malware dropper hash
SHA256	518bc3b96a97a573c61934ff65cc284c3e5545c7823318918a7cb05cbb5518b1	Malware dropper hash
SHA256	417cf3f959e1040ffe13fcf21691b05ea96da5849010b0a4d17c6cecbeaef621	Malware dropper hash
SHA256	611ce42b0866c085d751c579f00b9e76c412a7d1e1ebcf998be6b666edc22416	Malware dropper hash
SHA256	801ecf29bee98e3b942de85e08ec227373a15b0a253c9c3eb870af33709f3d8d	Malware dropper hash
SHA256	7926a84dcb6ffbe93893477f7f3ad52516cfedf8def5c43686dd6737926146a7	Malware dropper hash
SHA256	3aaaa01bdd20981fdc94d52c5ac0ed762a124b0a08c22d760ab7e43554ee84dd	Malware dropper hash
SHA256	7a33d3f5ca81cdcfe5c38f9a4e5bbf3f900aa8f376693957261cdbe21832c110	Malware dropper hash
SHA256	5a11065473b9a1e47d256d8737c2952da1293f858fc399157ab34bbaadff6cb8	Malware dropper hash
SHA256	de97da00ed54a1f021019852a23b50c82408ab7a71dc0f3e6fef3680ac884842	Malware dropper hash
SHA256	dad35cdd6213381cc350688f6c287f4f3e1192526f78b9b62779acc4b03495f9	Malware dropper hash
SHA256	42ae669786b19556de65eeb1c45ec4685016b69384c21f3bbc30aaf2cddb2126	Malware dropper hash
SHA256	e79c37dc791d1bdb01524d158421efa29dcebde250f7571e9e30714496b3c06f	Malware dropper hash
SHA256	f22452a13635e4651b51c1491312a74891ca1dcd1b5072cbb978c06dc0a560ca	Malware dropper hash
SHA256	6c3f24ff26c5d2f16ae6aa8842e97d402c2e203d0aa2798a40f4dc000554dbca	Malware dropper hash
SHA256	aad7a088f309c1e0671f327db2428a470c14d08d5f6489fcb628071d2361b6a7	Malware dropper hash
SHA256	0e364d219192854032767476173c91c3d61230990597b52e5c36ebadd0fd96d8	Malware dropper hash
SHA256	331cf0f8049fc0e68e8bd75f8efed629b41459425a971cbcec53485ba2bf4521	Malware dropper hash
SHA256	0ca119c7be4ec67355b47d8d197361e730d93153a87d09e00a68ceda340fabb0	Malware dropper hash
SHA256	db115eff8d8b013e89f398b922294b248d5d6be51d7ab60cbde3b6ff2ff3f219	Malware dropper hash
SHA256	1cff1d3a10cc36338803e37cc3c9e9121bdd8c5189ca4533d1c585715561bc4a	Malware dropper hash
SHA256	530e59f9bd99b191b54ec18eb92d6b44005e56c1dd877b4e4ce0370d3d917fb4	Malware dropper hash
SHA256	9a416904a4d942c77177770ea0680c48e5d5eddba793af3c434e4ff733daab56	Malware dropper hash
SHA256	aeeccab5b4712f4c7d75c0606fc4587f13df7a04aa4941bb6599f328ee67d950	Malware dropper hash
SHA256	3ff5e3932ba4a438c12c253ec6b00416ac6ce250173bac6be0bb8d619cea47bd	Malware dropper hash
SHA256	a10d023b10b878a09697563155799bd088ed2f797aff489b732959f917414f97	Malware dropper hash
SHA256	65a9895f5e49f8e18727fe16744c6631c0676e08499f4407b9d8c11634aae5e0	Malware dropper hash
SHA256	e07aa2d15520c6f0ab9bbbe049f48402e4b91fde59b22b5668daef2ec924a68b	Malware dropper hash
SHA256	cc3cbc8ad7f71223230a457aa2664d77b43b7f7a4988b42609ad707f0385aee3	Malware dropper hash
SHA256	cba34f77ca2a5d4dc56f4567ff1f0b2242105d532353d2868d7b2c42f1a37551	Malware dropper hash
SHA256	153de6a7d78bcce8a0cec446cdc20ec4b18ee72b74f59e76780ec5c76efddc52	Malware dropper hash
SHA256	8505c4c3d6406cc55a9492cf1a3285de9c0357691112b2ab787faa57d55d304b	Malware dropper hash
SHA256	c202911529293052006fa6bc6a87c66bbd5621738190dbd75a5b3a150fed5c41	Malware dropper hash
SHA256	550c4839f26bf81f480c5e4210be3ded43d4f8027d5d689a6fe8692c42235940	Malware dropper hash
	5324f5aae565ddc8dc2a4b574bc690cba6b35bd4bf3f63e6df14d613b68ac769	Malware dropper hash
DOMAIN	bapp.digitalpulsedata[.]com	Proxy node server

 

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• • TA0001: Initial Access
    • T1189: Drive-by Compromise
  • TA0003: Persistence
    • T1547: Boot or Logon Autostart Execution
      • T1547.001: Registry Run Keys / Startup Folder
    • T1053: Scheduled Task/Job
      • T1053.005: Scheduled Task
  • TTA0007: Discovery
    • T1082: System Information Discovery
  • TA0011: Command and Control
    • T1090: Proxy
    • T1571: Non-Standard Port
  • TA0040: Impact
    • T1496: Resource Hijacking

The post ProxyNation: The dark nexus between proxy apps and malware appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Where do vulnerabilities fit with respect to security standards and guidelines? Was it a coverage issue or an interpretation and implementation issue? Where does a product, environment, organization, or business vertical fail the most in terms of standards requirements? These questions are usually left unanswered because of the gap between standards or regulations on the one hand, and requirements interpretation and implementation, on the other. Certified products and environments often suffer from security issues that were supposed to be covered by the requirements of the standard.

In [1], for instance, the authors give examples of vulnerable products that were IEC 62443 certified. In [2], SANS discusses the case of PCI-certified companies and why they are still being breached. This “interpretation gap,” whether it manifests in the implementation of requirements or in the assessment process, hinders security and leads to the fact that being compliant is not necessarily the same as being secure.

Admittedly, the interpretation of guidelines and requirements in standards, which have a descriptive approach in general, is not an easy task. Requirements can be rather generic and wide open to interpretation depending on the context, resources, the current threat landscape, the underlying technologies, etc. Specific requirements might also lead to conflicting interpretations depending on the type of stakeholder, which will inevitably affect the implementation side.

Threat modeling is one way to avoid shortcomings (or even possible shortcuts) in the implementation of standards, and the organization’s own security policies. Think of threat modeling as an enforcement mechanism for the proper implementation of requirements. The reason this is the case is simple; threat modeling thinks of the requirements in terms of relevant threats to the system, and determines mitigations to reduce or completely avoid the associated risks. Consequently, each requirement is mapped to a set of threats and mitigations that covers relevant use cases under specific conditions or context, e.g., what are the trust boundaries, protocols and technologies under use or consideration, third-party interactions, dataflows, data storage, etc.

This is becoming a must-have nowadays since, when it comes to technical requirements, the concern about their interpretation still persists even when companies have been audited against them. In the following, the presented data analysis makes the link between disclosed vulnerabilities in Industrial Control Systems (ICS) and the technical requirements reported in the ‘gold standard’ of standards in this area, namely the IEC 62443. It shows the difficulty of satisfying the requirements in broad terms and the need for more specific context and processes.

CISA ICS advisories’ mapping

The analysis of CISA ICS advisories data, representing close to 2,5K advisories released between 2010 and mid-2023 [3], reveals the extent of the challenge an implementer or an assessor is faced with. Table 1 presents the top weaknesses and the associated count of advisories as well as IEC 62443 requirements’ mapping. Affected sectors, the CVSS severity distribution, and top weaknesses per sector are also reported; in Figures 1 and 2, and Table 2.

Table 1. Top weaknesses in CISA’s ICS advisories and their IEC 62443 mapping.

Weakness	Name	Number of advisories	IEC 62443 technical requirement
CWE-20	Improper Input Validation	266	SR/CR 3.5 – Input validation
CWE-121	Stack-based Buffer Overflow	257
CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	205
CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	185
CWE-284	Improper Access Control	159	FR1 – Identification and authentication control (IAC)   FR2 – Use control (UC)
CWE-125	Out-of-bounds Read	158	SR/CR 3.5 – Input validation
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)	149
CWE-400	Uncontrolled Resource Consumption	145	SR/CR 7.1 – Denial of service protection   SR/CR 7.2 – Resource management
CWE-787	Out-of-bounds Write	139	SR/CR 3.5 – Input validation
CWE-287	Improper Authentication	137	SR/CR 1.1 – Human user identification and authentication   SR/CR 1.2 – Software process and device identification and authentication
CWE-122	Heap-based Buffer Overflow	128	SR/CR 3.5 – Input validation
CWE-200	Exposure of Sensitive Information to an Unauthorized Actor	115	FR4 – Data confidentiality (DC)   SR/CR 3.7 – Error handling
CWE-798	Use of Hard-coded Credentials	101	SR/CR 1.5 – Authenticator management
CWE-306	Missing Authentication for Critical Function	98	SR/CR 1.1 – Human user identification and authentication   SR/CR 1.2 – Software process and device identification and authentication   SR/CR 2.1 – Authorization enforcement
CWE-352	Cross-Site Request Forgery (CSRF)	84	SR/CR 1.4 – Identifier management
CWE-89	Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’)	81	SR/CR 3.5 – Input validation
CWE-319	Cleartext Transmission of Sensitive Information	75	SR/CR 4.1 – Information confidentiality
CWE-427	Uncontrolled Search Path Element	64	SR/CR 3.5 – Input validation   CR 3.4 – Software and information integrity
CWE-120	Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)	62	SR/CR 3.5 – Input validation
CWE-522	Insufficiently Protected Credentials	62	SR/CR 1.5 – Authenticator management

 

Figure 1. Number of vulnerabilities per sector

 

Figure 2. CVSS severity distribution.

 

Table 2. Top weaknesses per sector.

Sector	Top Weakness	Name	Number of advisories
Critical Manufacturing	CWE-121	Stack-based Buffer Overflow	175
Energy	CWE-20	Improper Input Validation	147
Water and Wastewater	CWE-20	Improper Input Validation	87
Commercial Facilities	CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	42
Food and Agriculture	CWE-20	Improper Input Validation	55
Chemical	CWE-20	Improper Input Validation	54
Healthcare and Public Health	CWE-284	Improper Access Control	32
Transportation	CWE-121	Stack-based Buffer Overflow	31
Oil and gas	CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer	18
Government Facilities	CWE-121	Stack-based Buffer Overflow	18

 

Guiding requirements’ interpretation

Table 1 shows the varied levels of abstraction the vulnerabilities map to. This is one of the main issues leading to the increased complexity associated with the interpretation of requirements; for both the implementation and the assessment. While a high level of granularity allows for the definition of needed security mechanisms, a low level of granularity during the interpretation and implementation is necessary as it allows for a better understanding of all the types of threats or failures that a specific system might be subject to, e.g., given a deployment model or an underlying technology.

The case of the “Input validation” requirement is revealing, with eleven of the top twenty weaknesses in Table 1 falling under it. On the surface, input validation is rather straightforward; analyze inputs and disallow anything that can be considered unsuitable. In practice, however, the number of properties of the data and input use cases to potentially validate can be daunting. It might also be hard, or even impossible, to flush out all possible corner cases. The IEC 62443 “input validation” requirement is quite generic and encapsulates two CWE categories; “Validate Inputs” [4] and “Memory Buffer Errors” [5]. It is then essential to have a clear understanding of the target application or system to be able to identify relevant threats under each requirement and how to prevent them, i.e., achieve the said requirement.

On the other hand, the “Improper access control” weakness [6] is also an interesting use case. It is extremely high-level and maps to two foundational requirements of the IEC 62443. This highlights an issue in vulnerability reports, where high-level abstraction weaknesses are being misused in disclosure reports. More specific weaknesses related to the kind of access control involved would have been more appropriate, e.g., missing or weak authentication, missing or incorrect authorization, etc. This is not useful for trend analysis, especially on how real-world vulnerabilities relate to technical requirements in standards and regulations.

Threat modeling is helpful in both cases. Software developers, system architects, and security professionals can understand the requirements and address the predictable security issues that fall under them, given specific assumptions about the application or the system setup. In addition, current threat modeling tools can speed up the process by generating the relevant threats and their mitigations automatically, including based on threat intelligence data. The set of mitigations can also be tailored to meet different needs; for instance, the strength of a potential adversary, as is the case in the IEC 62443 standard, where four security levels are defined. These security levels (1 to 4) define technical requirements, along with requirement enhancements, in order to counter different levels of risk.

I believe that by using threat modeling as a framework, the interpretation and mapping of requirements into implementation and deployment measures become more predictable. It will also give developers and system architects a better chance of more complete coverage and accurate description of what the requirements ought to be, given the target system context, its dependencies, and the current threat landscape.

The guest author of this blog is a security researcher at iriusrisk.com.

References

[1] https://arxiv.org/pdf/2303.12340.pdf

[2] https://www.sans.org/white-papers/36497/

[3] https://www.cisa.gov/news-events/cybersecurity-advisories

[4] https://cwe.mitre.org/data/definitions/1019.html

[5] https://cwe.mitre.org/data/definitions/1218.html

[6] https://cwe.mitre.org/data/definitions/284.html 

The post Mind the (Interpretation) gap: Another reason why threat modeling is important appeared first on Cybersecurity Insiders.

We’re pleased to announce the availability of the 2023 AT&T Cybersecurity Insights Report: Focus on State and Local government and higher Education in the United States (US SLED). It looks at the edge ecosystem, surveying US SLED leaders, and provides benchmarks for assessing your edge computing plans. This is the 12th edition of our vendor-neutral and forward-looking report. Last year’s Focus on  US SLED report documented trends in securing the data, applications, and endpoints that rely on edge computing (get the 2022 report).

Get the complimentary 2023 report.

The robust quantitative field survey reached 1,418 security, IT, application development, and line of business professionals worldwide. The qualitative research tapped subject matter experts across the cybersecurity industry.

At the onset of our research, we established the following hypotheses.

• Momentum edge computing has in the market.
• Approaches to connecting and securing the edge ecosystem – including the role of trusted advisors to achieve edge goals.
• Perceived risk and perceived benefit of the common use cases in each industry surveyed.

The results focus on common edge use cases in seven vertical industries – healthcare, retail, finance, manufacturing, energy and utilities, transportation, and US SLED- delivering actionable advice for securing and connecting an edge ecosystem, including external trusted advisors. Finally, it examines cybersecurity and the broader edge ecosystem of networking, service providers, and top use cases. For this Focus on US SLED, 178 respondents represented the vertical.

The role of IT is shifting, embracing stakeholders at the ideation phase of development.

Edge computing is a transformative technology that brings together various stakeholders and aligns their interests to drive integrated outcomes. The emergence of edge computing has been fueled by a generation of visionaries who grew up in the era of smartphones and limitless possibilities. Look at the infographic below for a topline summary of key findings.

In this paradigm, the role of IT has shifted from being the sole leader to a collaborative partner in delivering innovative edge computing solutions. In addition, we found that US SLED leaders are budgeting differently for edge use cases. These two things, along with an expanded approach to securing edge computing, were prioritized by our respondents in the 2023 AT&T Cybersecurity Insights Report: Edge Ecosystem.

In 2023, US SLED respondents’ primary edge use case is building management, which involves hosted HVAC applications, electricity and utility monitoring applications, and various sensors for large buildings. This is just the beginning of the evolution in the public sector to increase the value of public investments, so every dollar goes a bit further. In higher education, edge uses cases are being used for things like immersive and interactive learning and helping faculty to be more accessible with solutions like real-time feedback.

Edge computing brings the data closer to where decisions are made.

With edge computing, the intelligence required to make decisions, the networks used to capture and transmit data, and the use case management are distributed. Distributed means things work faster because nothing is backhauled to a central processing area such as a data center and delivers the near-real-time experience.

With this level of complexity, it’s common to re-evaluate decisions regarding security, data storage, or networking. The report shares the trends emerging as US SLED embraces edge computing. One area examined is expense allocation, and what we found may surprise you. The research reveals the allocation of investments across overall strategy and planning, network, application, and security for the anticipated use cases that organizations plan to implement within the next three years.

How to prepare for securing your edge ecosystem.

Develop your edge computing profile. It is essential to break down the barriers that typically separate the internal line of business teams, application development teams, network teams, and security teams. Technology decisions should not be made in isolation but rather through collaboration with a diverse group of stakeholders. Understanding the capabilities and limitations of all stakeholders makes it easier to identify gaps in evolving project plans.

The edge ecosystem is expanding, and expertise is available to offer solutions that address cost, implementation, mitigating risks, and more. Including expertise from the broader SLED edge ecosystem increases the chances of outstanding performance and alignment with organizational goals.

Develop an investment strategy. During edge use case development, organizations should carefully determine where and how much to invest. Think of it as part of monetizing the use case. Building security into the use case from the start allows the organization to consider security as part of the overall project cost. It’s important to note that no one-size-fits-all solution can provide complete protection for all aspects of edge computing. Instead, organizations should consider a comprehensive and multi-layered approach to address the unique security challenges of each use case.

Increase your compliance capabilities. Regulations in the public sector and for education can vary significantly. This underscores the importance of not relying solely on a checkbox approach or conducting annual reviews to help ensure compliance with the growing number of regulations. Keeping up with technology-related mandates and helping to ensure compliance requires ongoing effort and expertise. If navigating compliance requirements is not within your organization’s expertise, seeking outside help from professionals specializing in this area is advisable.

Align resources with emerging priorities. External collaboration allows organizations to utilize expertise and reduce resource costs. It goes beyond relying solely on internal teams within the organization. It involves tapping into the expanding ecosystem of edge computing experts who offer strategic and practical guidance. Engaging external subject matter experts (SMEs) to enhance decision-making can help prevent costly mistakes and accelerate deployment. These external experts can help optimize use case implementation, ultimately saving time and resources.

Build-in resilience. Consider approaching edge computing with a layered mindset. Take the time to ideate on various “what-if” scenarios and anticipate potential challenges. For example, what measures exist if a private 5G network experiences an outage? Can data remain secure when utilizing a public 4G network? How can business-as-usual operations continue in the event of a ransomware attack?

Successful SLED edge computing implementations require a holistic approach encompassing collaboration, compliance, resilience, and adaptability. By considering these factors and proactively engaging with the expertise available, organizations can unlock the full potential of edge computing to deliver improved outcomes, operational efficiency, and cost-effectiveness.

The post Get the AT&T Cybersecurity Insights Report: Focus on US SLED appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

APIs, formally known as application programming interfaces, occupy a significant position in modern software development. They revolutionized how web applications work by facilitating applications, containers, and microservices to exchange data and information smoothly. Developers can link APIs with multiple software or other internal systems that help businesses to interact with their clients and make informed decisions.

Despite the countless benefits, hackers can exploit vulnerabilities within the APIs to gain unauthorized access to sensitive data resulting in data breaches, financial losses, and reputational damage. Therefore, businesses need to understand the API security threat landscape and look out for the best ways to mitigate them.

The urgent need to enhance API security 

APIs enable data exchanges among applications and systems and help in the seamless execution of complex tasks. But as the average number of APIs rises, organizations often overlook their vulnerabilities, making them a prime target of hackers. The State of API Security Q1 Report 2023 survey finding concluded that the attacks targeting APIs had increased 400% during the past six months.

Security vulnerabilities within APIs compromise critical systems, resulting in unauthorized access and data breaches like Twitter and Optus API breaches. Cybercriminals can exploit the vulnerabilities and launch various attacks like authentication attacks, distributed denial-of-service attacks (DDoS), and malware attacks. API security has emerged as a significant business issue as another report reveals that by 2023, API abuses will be the most frequent attack vector causing data breaches, and also, 50% of data theft incidents will happen due to insecure APIs. As a result, API security has. become a top priority for organizations to safeguard their data, which may cost businesses $75 billion annually.

Why does API security still pose a threat in 2023?

Securing APIs has always been a daunting task for most organizations, mainly because of the misconfigurations within APIs and the rise in cloud data breaches. As the security landscape evolved, API sprawl became the top reason that posed a threat to API security. API sprawl is the uncontrolled proliferation of APIs across an organization and is a common problem for enterprises with multiple applications, services, and development teams.

As more APIs are created, they expanded the attack surface and emerged as an attractive target for hackers. The issue is that the APIs are not always designed by keeping security standards in mind. This leads to a lack of authorization and authentication, exposing sensitive data like personally identifiable information (PII) or other business data. 

API sprawl produces shadow and zombie APIs that further threaten API security. A zombie API is an exposed, abandoned, outdated, or forgotten API which increases the API security threat landscape. These APIs proved helpful at some point, but later they got replaced by newer versions. As organizations work on building new products or features, they neglect the already existing APIs to wander in the application environment allowing the threat actors to penetrate the vulnerable API and access sensitive data.

Contrastingly, shadow APIs are third-party APIs often developed without proper surveillance and remain untracked and undocumented. Enterprises that fail to protect against shadow APIs introduce reliability issues, unwanted data loss, penalties for non-compliance, and increased operational costs.

Moreover, the emergence of new technologies like the Internet of Things (IoT) has introduced more difficulty in maintaining API security. With more devices connected to the internet that can be accessed remotely, any inadequate security measures can lead to unauthorized access and potential data breaches. In addition, generative AI algorithms can pose security challenges. Hackers can use AI algorithms to detect the vulnerabilities within the APIs and launch targeted attacks.

Best practices to improve API security amid rising threats

API discovery is crucial in uncovering modern API security threats like zombie and shadow APIs. The security teams are trained in protecting the mission-critical APIs but discovering the internal, external, and third-party APIs is also vital to enhance API security. Organizations must invest in automated API discovery tools that detect every API endpoint and provide visibility into which APIs are live, their location, and how they function.

Developers should also monitor the API traffic by integrating API gateways and proxies that may indicate the presence of shadow APIs. In addition, creating policies that define how the APIs are documented, used, and managed further helps locate unknown or vulnerable APIs.

Assess all APIs via testing

As API security threats become more prevalent, security teams can’t rely on common testing methods. They need to adopt an advanced form of security testing methods like SAST (static application security testing). It is a white-box security testing method that identifies the vulnerabilities and remediates the security flaws within the source code. Providing immediate feedback to developers allows them to create a secure code that ultimately leads to secure applications. However, as this testing cannot detect vulnerabilities outside the code, security teams can consider using other security testing tools like DAST, IAST, or XDR to improve security standards.

Adopt a Zero Trust security framework

Also, users must authorize and authenticate themselves to access the data, and this way plays a vital role in reducing the attack surface.

Users must authorize and authenticate themselves to access them and help reduce the attack surface. In addition, by leveraging Zero Trust architecture (ZTA), APIs can be segmented into smaller units having their own set of authentication, authorization, and security policies. This gives security architects more control over API access and enhances API security.

API posture management

API posture management is another great way that helps organizations to detect, monitor, and minimize potential security threats due to vulnerable APIs. Various posture management tools continuously monitor the APIs and notify them about suspicious or unauthorized activities. This enables organizations to respond promptly to API security threats and reduce the attack surface.

These tools also perform regular vulnerability assessments that scan the APIs for security flaws, allowing organizations to take measures to strengthen API security. Besides this, these tools provide API auditing capabilities and ensure compliance with leading industry regulations such as HIPAA or GDPR and other internal policies to maintain transparency, and maximize overall security standards.

The post Why is API security the next big thing in Cybersecurity? appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The installation of Active Directory (AD) on Windows Server 2019 calls for a thorough understanding of technical nuances and a steadfast dedication to security best practices. This guide will walk you through the process of securely implementing Active Directory, ensuring the highest level of protection for the information and resources within your company.

Planning and design

Start by carefully planning and designing. Analyze your organization’s requirements, network topology, and security requirements in great detail. Establish the necessary number of organizational units (OUs), domains, and user and group structures. Make a thorough design plan that complies with your organization’s compliance standards and security guidelines.

Installing Windows Server 2019

Install Windows Server 2019 on a dedicated system that satisfies the system minimums. Use the most recent Windows Server 2019 ISO and adhere to recommended procedures for a secure installation. Set a strong password for the Administrator account and enable Secure Boot if it is supported in the BIOS/UEFI settings for hardware security.

Choose the right deployment type

Select the domain controller (DC) installation as the Active Directory deployment type. By doing this, you can be confident that your server is a dedicated domain controller overseeing your domain’s directory services, authentication, and security policies.

Install Active Directory Domain Services (AD DS) role

Add the Active Directory Domain Services (AD DS) role to Windows Server 2019. For the installation, use Server Manager or PowerShell. Select the appropriate forest and domain functional levels during the procedure and specify the server as a domain controller.

Choose an appropriate Forest Functional Level (FFL)

Select the highest Forest Functional Level (FFL) compatible with your domain controllers. This enables access to the most recent AD features and security upgrades. Examine the FFL specifications and confirm that every domain controller currently in use can support the selected level.

Secure DNS configuration

AD heavily relies on DNS for name resolution and service location. Ensure that DNS is configured securely by:

a. Using Active Directory Integrated Zones for DNS storage, enabling secure updates and zone replication through AD.

b. Implementing DNSSEC to protect against DNS data tampering and for secure zone signing.

c. Restricting zone transfers to authorized servers only, preventing unauthorized access to DNS data.

d. Implementing DNS monitoring and logging for suspicious activities using tools like DNS auditing and query logging.

Use strong authentication protocols

Configure Active Directory to use strong authentication protocols such as Kerberos. To stop credential-based attacks, disable older, less secure protocols like NTLM and LM hashes. Ensure domain controllers are set up to favor robust authentication techniques over weak ones when performing authentication.

Securing administrative accounts

Safeguard administrative accounts by:

a. Creating complicated, one-of-a-kind passwords for each administrative account, following the password policy guidelines, and rotating passwords frequently.

b. Adding multi-factor authentication (MFA) to all administrative accounts to improve login security and reduce the risk of credential theft.

c. Enforcing the principle of least privilege, role-based access control (RBAC), and limiting the use of administrative accounts to authorized personnel only.

d. To reduce the attack surface and potential insider threats, administrative account privileges should be regularly reviewed, and extra access rights should be removed.

Applying group policies

Leverage Group Policy Objects (GPOs) to enforce security settings and standards across your Active Directory domain. Implement password policies, account lockout policies, and other security-related configurations to improve the overall security posture.

Protecting domain controllers

Domain controllers are the backbone of Active Directory. Safeguard them by:

a. Isolating domain controllers in a separate network segment or VLAN to minimize the attack surface and prevent lateral movement.

b. Enabling BitLocker Drive Encryption on the system volume of the domain controller to safeguard critical data from physical theft or unauthorized access.

c. Setting up Windows Firewall rules to restrict inbound traffic to critical AD services and thwart potential dangers.

d. Performing regular domain controller backups and securely storing those backups to protect data integrity and speed up disaster recovery. Create system state backups using the Windows Server Backup feature, and for redundancy, think about using off-site storage.

Monitor and audit

Implement a robust monitoring and auditing system to detect potential security breaches and unauthorized access. Employ Security Information and Event Management (SIEM) solutions for thorough threat monitoring, set up real-time alerts for crucial security events, and use Windows Event Forwarding to centralize log data for analysis.

Perform regular backups

Create regular system state backups of Active Directory to ensure data integrity and quick recovery in case of data loss or disaster. Periodically test the restoration procedure to confirm its efficacy and guarantee that backups are safely kept off-site.

Conclusion

By following this technical guide, you can confidently and securely implement Active Directory on Windows Server 2019, ensuring your organization has a robust, dependable, highly secure Active Directory environment that safeguards valuable assets and sensitive data from the constantly changing threat landscape. Always remember that security is a continuous process, and maintaining a resilient AD infrastructure requires staying current with the latest security measures.

The post Securely implementing Active Directory on Windows Server 2019 appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

The supply chain, already fragile in the USA, is at severe and significant risk of damage by cyberattacks. According to research analyzed by Forbes, supply chain attacks now account for a huge 62% of all commercial attacks, a clear indication of the scale of the challenge faced by the supply chain and the logistics industry as a whole. There are solutions out there, however, and the most simple of these concerns a simple upskilling of supply chain professionals to be aware of cybersecurity systems and threats. In an industry dominated by the need for trust, this is something that perhaps can come naturally for the supply chain.

Building trust and awareness

At the heart of a successful supply chain relationship is trust between partners. Building that trust, and securing high quality business partners, relies on a few factors. Cybersecurity experts and responsible officers will see some familiarity – due diligence, scrutiny over figures, and continuous monitoring. In simple terms, an effective framework of checking and rechecking work, monitored for compliance on all sides.

These factors are a key part of new federal cybersecurity rules, according to news agency Reuters. Among other measures are a requirement for companies to have rigorous control over system patching, and measures that would require cloud hosted services to identify foreign customers. These are simple but important steps, and give a hint to supply chain businesses as to what they should be doing; putting in measures to monitor, control, and enact compliance on cybersecurity threats. That being said, it can be the case that the software isn’t in place within individual businesses to ensure that level of control. The right tools, and the right personnel, is also essential.

The importance of software

Back in April, the UK’s National Cyber Security Centre released details of specific threats made by Russian actors against business infrastructure in the USA and UK. Highlighted in this were specific weaknesses in business systems, and that includes in hardware and software used by millions of businesses worldwide. The message is simple – even industry standard software and devices have their problems, and businesses have to keep track of that.

There are two arms to ensure this is completed. Firstly, the business should have a cybersecurity officer in place whose role it is to monitor current measures and ensure they are kept up to date. Secondly, budget and time must be allocated at an executive level firstly to promote networking between the business and cybersecurity firms, and between partner businesses to ensure that even cybersecurity measures are implemented across the chain.

Utilizing AI

There is something of a digital arms race when it comes to artificial intelligence. As ZDNet notes, the lack of clear regulation is providing a lot of leeway for malicious actors to innovate, but for businesses to act, too. While regulations are now coming in, it remains that there is a clear role for AI in prevention.

According to an expert interviewed by ZDNet in their profile of the current situation, digital threat hunters are already using sophisticated AI to look for patterns, patches and unusual actions on the network, and are then using these large data sets to join up the dots and provide reports to cyber security officers. Where the challenge arrives is in that weapons race; as AI models become more sophisticated and powerful, they will ‘hack’ faster than humans can. The defensive models need to stay caught up but will struggle with needing to act within regulatory guidelines. The key here will be in proactive regulation from the government, to enable businesses to deploy these measures with assurance as to their legality and safety. 

With the supply chain involving so many different partners, there are a wider number of wildcards that can potentially upset the balance of the system. However, businesses that are willing to take a proactive step forward and be an example within their own supply chain ecosystem stand to benefit. By building resilience into their own part of the process, and influencing partners to do the same, they can make serious inroads in fighting back against the overwhelming number of supply chain oriented cybersecurity threats.

The post Building Cybersecurity into the supply chain is essential as threats mount appeared first on Cybersecurity Insiders.

Black Hat 2023 is in full swing.

Check out this new episode of ITSecurityGuyTV on cybersecurity and healthcare. AT&T’s head of evangelism, Theresa Lanowitz, visits with ITSecurityGuyTV, Charlie Harold, in this new episode on edge computing’s role in healthcare.

2984 Cybersecurity.ATT.com with Theresa Lanowitz at BHUSA2023 from Security Guy TV on Vimeo.

The post Edge computing’s role in healthcare appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

What exactly is resilience? According to the U.S. National Institute of Standards and Technology, the goal of cyber resilience is to “enable mission or business objectives that depend on cyber resources to be achieved in a contested cyber environment.” In other words, when you’re at odds with cybercriminals and nation-state actors, can you still get your job done? If not, how quickly can you get back up and running? In this article, we outline steps to ensure that if your cloud networks fail, your business won’t fail along with them.

Take stock of what you can’t (and can) live without

Being resilient during and post-cyber-attack means being able to continue business operations either leanly or back to full throttle soon after. While resources are being pooled to respond and recover from an incident, what data must be protected and what operations must go on?

Data that must be protected include those defined by regulation (e.g., personal identifiable information), intellectual property, and financial data. Data itself must be protected in multiple forms: at rest, in transit, and in use. The type of business you’re in may already dictate what’s essential; critical infrastructure sectors with essential operations include telecommunications, healthcare, food, and energy. Anything that your business relies on to survive and sustain should be treated as highest priority for security.

Ensure required availability from your cloud provider

An essential part of resilience is the ability to stay online despite what happens. Part of the cloud provider’s responsibility is to keep resources online, performing at the agreed level of service. Depending on the needs of your business, you will require certain levels of service to maintain operations.

Your cloud provider promises availability of resources in a service-level agreement (SLA), a legal document between the two parties. Uptime, the measure of availability, ranges from 99.9% to 99% in the top tiers of publicly available clouds from Amazon and Microsoft. A difference of 0.9% may not seem like much, but that translates from roughly 9 hours of downtime to over 3.5 days annually—which might be unacceptable for some types of businesses.

Store backups—even better, automate

As ransomware proliferates, enterprises need to protect themselves against attackers who block access to critical data or threaten to expose it to the world. One of the most fundamental ways to continue business operations during such an incident is to rely on backups of critical data. After you’ve identified which data is necessary for business operations and legal compliance, it’s time to have a backup plan.

While your cloud service provider provides options for backup, spreading the function across more than one vendor will reduce your risk—assuming they’re also secure. As Betsy Doughty, Vice President of Corporate Marketing of Spectra Logic says, “it’s smart to adhere to the 3-2-1-1 rule: Make three copies of data, on two different mediums, with one offsite and online, and one offsite and offline.” Automated snapshots and data backup can run in the background, preparing you in the event of a worst-case scenario.

Expose and secure your blind spots

A recent report from the U.S. Securities and Exchange Commission observes that resilience strategies include “mapping the systems and process that support business services, including those which the organization may not have direct control.” Cloud networks certainly apply here, as with any outsourced services, you relinquish some control.

Relinquishing control does not have to mean lack of visibility. To gain visibility into what data is being transferred and how people are using cloud applications, consider the services of cloud access service brokers (CASBs), who sit between a cloud user and cloud provider. CASBs can improve your resilience providing detail into your cloud network traffic, enabling assessment for both prevention of attack and impact on business operations in the event of an incident. They also enforce security policies in place such as authentication and encryption.

Test your preparedness periodically

After all the hard work of putting components and plans into place, it’s time to put things to the test. Incident response tests can range from the theoretical to a simulated real-world attack. As processes and people change, performing these tests periodically will ensure you have an updated assessment of preparedness. You could run more cost-effective paper tests more frequently to catch obvious gaps and invest in realistic simulations at a longer interval. Spending the resources to verify and test your infrastructure will pay off when an attack happens and the public spotlight is on you.

Towards a resilient cloud

Being able to withstand a cyber-attack or quickly bring operations back online can be key to the success of a business. While some responsibility lies in the cloud provider to execute on their  redundancy and contingency plans per the SLA, some of it also lies in you. By knowing what’s important, securing your vulnerabilities, and having a tested process in place, you are well on your way to a secure and resilient cloud network.

The post Securing your cloud networks: Strategies for a resilient infrastructure appeared first on Cybersecurity Insiders.

The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Photo by Tom Fisk

Many industries are experiencing rapid growth thanks to the seemingly overnight advancement of new technologies. Artificial intelligence, for example, has swiftly gone from a vague possibility to being a major component in numerous digital systems and processes. Another technology that has somewhat snuck up on us is blockchain.

Many people associate blockchain with cryptocurrency. However, while blockchain was primarily being used as a decentralized ledger to secure and confirm cryptocurrency trades, it is now being used in numerous other applications across a range of industries.

Blockchain-as-a-service, for example, is offered as a third-party management of cloud-based networks for companies building blockchain applications. And as a whole, many industries are starting to use blockchain for securing transactions such as the shipping and logistics sector.

What is blockchain and where did it all begin?

Blockchain is quickly becoming the new must-have technology, but like any new tech, it has seen an interesting evolution from where it started to where it is today.

Blockchain was first created to make the trading of digital currency more secure. The concept was to have a decentralized currency that could easily be tracked without relying on banks. Thus, blockchain was invented as a public ledger that stored all information in blocks, with each block representing a transaction. Each new block that was created would then include a sequence from the previous block, which would then link or chain all of the blocks together.

This blockchain technology is what makes transactions or the exchange of information so much more secure because blocks are difficult to replicate or change. If someone wanted to replicate or change one block, they would have to change all the previous ones that it is linked to as well.

Once other industries realized the genius of the concept, they started adopting it as well. Financial institutions, for example, which of course, are founded on the idea of transactions and exchanging of money, quickly saw the appeal of using blockchain. Fintech companies, in particular, that had their sights set on building finance systems of the future were early adopters of blockchain technologies. Many of these same businesses are now combining blockchain technologies with mobile tech offerings, among others, to increase efficiency.

Now, we are seeing what is being called “blockchain scaling,” which is the newest innovation using blockchain. Traditionally, every computer in a network must process every transaction, which is slow. But with blockchain, the process can be scaled and accelerated without sacrificing security.

Today, a scaled blockchain is believed to be fast enough to power our more advanced technologies that store and exchange data and information, like the Internet of Things (IoT). This makes blockchain ideal for any number of industries, not just cryptocurrency trading and banks.

How blockchain is revolutionizing transportation, shipping, and logistics

If there is one process that encompasses transportation, shipping, and logistics, it’s the supply chain. And supply chain management, like numerous other processes, has seen a sudden growth with digitalization and the adoption of new technologies that allow for optimization and fewer inefficiencies.

Supply chain processes rely on the linking of various systems to coordinate the manufacturing and shipping of products. In other words, a wealth of data is being shared and transferred throughout the supply chain process, making this an ideal sector to use blockchain technology.

Global shipping

The global shipping industry has long faced a number of issues that result in delays and other errors, which can come at high costs. With blockchain, however, shipping companies will have the framework to mitigate these issues and speed up operations.

In particular, the U.S. Department of Transportation Maritime Administration reports that blockchain can help with the following to increase shipping efficiency:

• Shipment tracking;
• Smart bills of lading (B/Ls);
• Smart contracts.

For example, a lack of real-time information availability and poor tracking capabilities leads to high volumes of canceled orders and cargo loss, which can cost companies thousands of dollars. But these issues can be solved with blockchain technologies.

Delays related to B/Ls are another problem. A B/L provides all the necessary information for the processing of a shipment from carrier to shipper, serving as a receipt, contract, and document of ownership. But traditionally, B/Ls can take days to arrive but are needed for a shipment to be processed.

Fraud is also a concern, as B/Ls can easily be modified and forged. Blockchain, however, enables the digitalization of these documents and speeds up the process of exchanging data throughout the entire shipping process, creating an overall more efficient shipping system.

Transportation

The transportation industry is also expected to benefit greatly from blockchain. The implementation of this technology in the freight industry is slow-moving, but once it happens, it will benefit carriers in various ways. Such changes with blockchain that are expected include:

• Enabling carriers to connect to a permissioned blockchain network;
• Carriers soliciting freight from third-party providers more easily, through a connected blockchain network;
• Blockchain networks matching carriers with available trucks to loads;
• Faster generating and sending of smart contracts;
• Faster and more secure shipment tracking;
• Faster generating and sending of invoices so carriers can be paid more easily.

As a whole, blockchain can increase efficiency across the freight and transportation sector while also reducing administrative burdens and increasing transparency.

Aviation

The aviation sector is another industry that deals in transportation and shipping, where blockchain has captured interest. It can help with security and identity management, baggage management, ticketing, maintenance orders, loyalty programs, and more. Any process that involves sharing data or information, which is most processes these days as everything is digitized, can benefit from blockchain technologies.

Wrapping up

As a final note, it’s important to understand that, for all the advantages of using blockchain, the implementation of any new technology comes with risks. Though people sing the praises of blockchain for how secure it is, it’s not foolproof.

Cybercriminals, for example, get more clever with every passing day, and they can and will find ways to compromise blockchain technology. This is not to say that the shipping and transportation industries should avoid blockchain, but rather that when implementing this new technology, companies should make cybersecurity a priority. 

To ensure blockchain is the most efficient, it’s necessary to first understand all the risks that come with it to mitigate issues going forward. Only then can shipping and logistics companies truly benefit and revolutionize their industries using blockchain technology.

The post The impact of blockchain technology on the future of shipping and logistics appeared first on Cybersecurity Insiders.