Stock brokers to report cyber threats within 6 hours of detecting them: Sebi


Market regulator Sebi has asked stock brokers and depositories participants to report all cyber attacks, threats and breaches experienced by them within six hours of detecting such incidents.

The incident will also be reported to the Indian Computer Emergency Response team (CERT-In) in accordance with the guidelines issued by CERT-In from time to time, Sebi said in a circular.

Additionally, the stock brokers and depository participants, whose systems have been identified as ‘protected system’ by National Critical Information Infrastructure Protection Centre (NCIIPC) will also report such incidents to NCIIPC.

“All cyber attacks, threats, cyber incidents and breaches experienced by stock brokers/ depositories participants shall be reported to stock exchanges/ depositories and Sebi within six hours of noticing/ detecting such incidents or being brought to notice about such incidents,” Sebi said in the circular.

The quarterly reports containing information on cyber attacks, threats, cyber incidents and breaches experienced by the stock brokers and depository participants, and the measures taken to mitigate the vulnerabilities (including information on bugs, vulnerabilities and threats that may be useful to others), will have to be submitted to the exchanges and depositories within 15 days from the end of every quarter.

Earlier this month, the capital markets regulator tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.

AMCs have been asked…

Source…

Identifying And Detecting Malware Threats


When it comes to malware threats, there are many different types of attacks that can occur. However, the most common ones are: Trojan horses, viruses, worms and spyware.

1. Trojan horse

A Trojan horse is a type of malware that disguises itself as another program in order to infiltrate your computer system undetected. Once it’s installed on your machine, the Trojan horse can do anything from stealing your personal information to causing total system destruction.

To protect yourself against Trojans, be sure to only download programs from trusted sources and always keep your antivirus software up-to-date.

2. Viruses

Viruses are perhaps the best known type of malware, and they are responsible for infecting millions of computers each year. Unlike Trojans or worms, which spread through file sharing or email attachments respectively, viruses attach themselves to legitimate files and are activated when those files are opened by unsuspecting users. This makes them particularly dangerous, as people often don’t realize their computer has been infected until it’s too late.

3. Spyware

Spyware is a type of malware that installs itself on devices without the user’s knowledge in order to collect information like passwords, banking details and other sensitive data.

It can also be used to track the user’s activity online or even spy on them through their webcam or microphone.

Spyware typically comes bundled with free software downloads or attached to spam emails, so it’s important to be careful when downloading anything from the internet and always scan files for viruses before opening them.

Registry Cleaners

There are a lot of myths and misconceptions when it comes to registry cleaners. The truth is, there really isn’t much of a need for them. Unless your computer is running extremely slow or you’re experiencing other problems, there’s no reason to use a registry cleaner. In fact, using one can often do more harm than good.

Registry cleaners work by identifying incorrect or obsolete information in the Windows Registry and removing it. This…

Source…

Ransomware on the Rise, Organizations Doing Better at Detecting Intrusions – MeriTalk


More security incidents were detected internally by the compromised organizations themselves last year, a positive trend in the cybersecurity sector at a time when cyber threat actors are increasingly exploiting the remote work setup, according to a 2021 trends report by FireEye and Mandiant, both cybersecurity firms.

The report also found that ransomware has become a “multifaceted extortion” scheme, identified a financial cyber threat group, and detailed how Mandiant worked with law enforcement after finding the initial SolarWinds Orion intrusion.

“Security practitioners faced a series of challenges in this past year which forced organizations into uncharted waters. As ransomware operators were attacking state and municipal networks alongside hospitals and schools, a global pandemic response to COVID-19 necessitated a move to remote work for a significant portion of the economy. Organizations had to adopt new technologies and quickly scale outside of their normal growth plans,” the report says.

“As organizations settled into a new understanding of “normal,” UNC2452, a suspected nation-state threat actor, conducted one of the most advanced cyber espionage campaigns in recent history,” the report continues. “Many security teams were forced to suspend wide-ranging analyses around the adoption of remote work policies and instead focus on a supply chain attack from a trusted platform.”

In addition to naming UNC2452, the report also names FIN11 as a threat actor to be aware of. FIN11 is a financially motivated group, suspected of committing “widespread phishing operations” and “several multifaceted extortion operations.”

On a positive note, the report notes that 59 percent of the intrusions Mandiant investigated were self-reported by the organizations experiencing the intrusion, a reported 12 percent increase from the year before.

Source…

Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool


Summary

This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:

  • AA20-352A
  • AA21-008A

Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.

In this release, CHIRP, by default, searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A that has spilled into an on-premises enterprise environment.

CHIRP is freely available on the CISA GitHub Repository. For additional guidance, watch CISA’s CHIRP Overview video. Note: CISA will continue to release plugins and IOC packages for new threats via the CISA GitHub Repository.

CISA advises organizations to use CHIRP to:

  • Examine Windows event logs for artifacts associated with this activity;
  • Examine Windows Registry for evidence of intrusion;
  • Query Windows network artifacts; and
  • Apply YARA rules to detect malware, backdoors, or implants.

Network defenders should review and confirm any post-compromise threat activity detected by the tool. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If an organization does not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Technical Details

How CHIRP Works

CHIRP is a command-line executable with a dynamic plugin and indicator system to search for signs of compromise. CHIRP has plugins to search through event logs and registry keys and run YARA rules to scan for signs of APT tactics, techniques, and procedures. CHIRP also has a YAML file that contains a list of IOCs that CISA associates with the malware and APT activity detailed in CISA Alerts AA20-352A and AA21-008A.

Currently, the tool looks for:

  • The presence of malware identified by security researchers as TEARDROP and RAINDROP;
  • Credential dumping certificate pulls;
  • Certain persistence mechanisms identified as associated with this campaign;
  • System, network, and M365 enumeration; and
  • Known observable indicators of lateral movement.

Network defenders can follow step-by-step instructions on the CISA CHIRP GitHub repository to add additional IOCs, YARA rules, or plugins to CHIRP to search for post-compromise threat activity related to the SolarWinds Orion supply chain compromise or new threat activity.

Compatibility

CHIRP currently only scans Windows operating systems.

Instructions

CHIRP is available on CISA’s GitHub repository in two forms:

  1. A compiled executable

  2. A python script

CISA recommends using the compiled version to easily scan a system for APT activity. For instructions to run, read the README.md in the CHIRP GitHub repository.

If you choose to use the native Python version, see the detailed instructions on the CHIRP GitHub repository.

Mitigations

Interpreting the Results

CHIRP provides results of its scan in JSON format. CISA encourages uploading the results into a security information and event management (SIEM) system, if available. If no SIEM system is available, results can be viewed in a compatible web browser or text editor. If CHIRP detects any post-compromise threat activity, those detections should be reviewed and confirmed. CISA has provided confidence scores for each IOC and YARA rule included with CHIRP’s release. For confirmed positive hits, CISA recommends collecting a forensic image of the relevant system(s) and conducting a forensic analysis on the system(s).

If you do not have the capability to follow the guidance in this Alert, consider soliciting third-party IT security support. Note: Responding to confirmed positive hits is essential to evict an adversary from a compromised network.

Frequently Asked Questions

  1. What systems should CHIRP run on?

    Systems running SolarWinds Orion or believed to be involved in any resulting lateral movement.

  2. What should I do with results?

    Ingest the JSON results into a SIEM system, web browser, or text editor.

  3. Are there existing tools that CHIRP complements and/or that provide the same benefit as CHIRP?
    1. Antivirus software developers may have begun to roll out detections for the SolarWinds post-compromise activity. However, those products can miss historical signs of compromise. CHIRP can provide a complementary benefit to antivirus when run.

    2. CISA previously released the Sparrow tool, which scans for APT activity within M365 and Azure environments related to the activity detailed in CISA Alerts AA20-352A and AA21-008A. CHIRP provides a complementary capability to Sparrow by scanning on-premises systems for similar activity.

  4. How often should I run CHIRP?

    CHIRP can be run once or routinely. Currently, CHIRP does not provide a mechanism to run repeatedly in its native format.

  5. Do I need to configure the tool before I run it?

    No.

  6. Will CHIRP change or affect anything on the system(s) it runs on?

    No, CHIRP only scans the system(s) it runs on and makes no active changes.

  7. How long will it take to run CHIRP?

    CHIRP will complete its scan in approximately 1 to 2 hours. Duration will be dependent on the level of activity, the system, and the size of the resident data sets. CHIRP will provide periodic progress updates as it runs.

  8. If I have questions, who do I contact?

    For general questions regarding CHIRP, please contact CISA via email at [email protected] or by phone at 1-888-282-0870. For reporting indicators of potential compromise, contact us by submitting a report through our website at https://us-cert.cisa.gov/report. For all technical issues or support for CHIRP, please submit issues at the CISA CHIRP GitHub Repository.

Revisions

March 18, 2021: Initial Publication

Source…