Tag Archive for: Detection

Socks5Systemz: How Darktrace’s Anomaly Detection Unraveled a Stealthy Botnet


How does Loader Malware work?

Throughout 2023, the Darktrace Threat Research team identified and investigated multiple strains of loader malware affecting customers across its fleet. These malicious programs typically serve as a gateway for threat actors to gain initial access to an organization’s network, paving the way for subsequent attacks, including additional malware infections or disruptive ransomware attacks.

How to defend against loader malware

The prevalence of such initial access threats highlights the need for organizations to defend against multi-phase compromises, where modular malware swiftly progresses from one stage of an attack to the next. One notable example observed in 2023 was Pikabot, a versatile loader malware used for initial access and often accompanied by secondary compromises like Cobalt Strike and Black Basta ransomware.

While Darktrace initially investigated multiple instances of campaign-like activity associated with Pikabot during the summer of 2023, a new campaign emerged in October which was observed targeting a Darktrace customer in Europe. Thanks to the timely detection by Darktrace DETECT™ and the support of Darktrace’s Security Operations Center (SOC), the Pikabot compromise was quickly shut down before it could escalate into a more disruptive attack.

What is Pikabot?

Pikabot is a modular loader malware strain that has been active since the first half of 2023, with several evolutions in its methodology observed in the months since. Early researchers noted similarities to the Qakbot (aka Qbot or Pinkslipbot) and Matanbuchus malware families, and while Pikabot appears to be a new malware in early development, it shares multiple commonalities with Qakbot [1].

First, Pikabot and Qakbot share similar distribution methods, can both be used for multi-stage attacks, and are often accompanied by downloads of Cobalt Strike and other malware strains. The threat actor known as TA577, also referred to as Water Curupira, has been seen using both families in spam campaigns that can lead to Black Basta ransomware attacks [2] [3]. Notably, a rise in Pikabot campaigns was observed in September and October 2023,…

Source…

Ensemble averaging deep neural network for botnet detection in heterogeneous Internet of Things devices


In this section, the results of the simulation modeling and benchmarking study are presented and discussed. The findings of this research are discussed in the context of their impact on ensemble averaging for NIDS in heterogeneous IoT devices. Additionally, potential areas for future research in this field are highlighted.

Experiment environment

This research used a server with the following specifications: a 2.3 GHz 16-core Intel(R) Xeon(R) CPU E5-2650 v3 processor and 128 GB of memory. The operating system was Ubuntu 22.04.2 LTS. Python 3.10.6 with Keras 2.12 served as the machine learning library for the DNN experiments. Jupyter Notebook 6.5.3 was used for presenting the experiment and simulation results.

Preliminaries analysis

In this section, the explanation of results from both Scenario 1 and Scenario 2 is provided. The main objective of Scenario 1 was to assess the performance of individual DNN models constructed using device-specific traffic for the purpose of detecting botnet attacks occurring within the traffic of each respective device.

Table 7: Scenario 1 results.

The results of Scenario 1 are presented in Table 7. The findings indicate that the DNN model for each device performed robustly when analyzing the traffic generated by that specific device. Accuracy for each device reached 100%, meaning every botnet and every benign instance in the corresponding device's traffic was classified correctly. Precision and recall also exceeded 99%, implying that the models minimized misclassification of normal traffic while recognizing positive instances. Consequently, the DNN models achieved a high F1-score, reflecting strong performance on both precision and recall. Training and prediction times for each model scaled with dataset volume, with larger datasets leading to longer training and prediction durations. Notably, the model size remained consistent at around 70 KB for each DNN model, indicating that model size is unaffected by the volume of training data.
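The page describes per-device DNN models evaluated by accuracy, precision, recall and F1, and an ensemble that combines them by averaging. The following is an added example, not the paper's code: it assumes each device-specific model exposes a (normal, botnet) class-probability vector for a shared test set, averages those vectors sample-wise, and computes the four metrics for each individual model and for the ensemble. The three "models" and their probability outputs are constructed by hand (the real models would be trained Keras networks); the example also shows the case the paragraph does not, where two individual models each make one mistake and the averaged ensemble corrects both.

```python
"""Ensemble averaging of device-specific botnet detectors (added example).

Assumptions (not from the paper): each model returns [p_normal, p_botnet]
per test sample, and the ensemble prediction is argmax of the averaged
probabilities.  All probabilities and labels below are constructed.
"""
from typing import Dict, List, Sequence

# Constructed ground truth for six test flows: 0 = normal, 1 = botnet.
Y_TRUE: List[int] = [0, 0, 0, 1, 1, 1]

# Constructed [p_normal, p_botnet] outputs of three hypothetical
# device-specific models on the same six flows.
MODEL_PROBS: Dict[str, List[List[float]]] = {
    # model_a raises a false positive on flow 2 (p_botnet 0.6)
    "model_a": [[0.90, 0.10], [0.80, 0.20], [0.40, 0.60],
                [0.20, 0.80], [0.30, 0.70], [0.10, 0.90]],
    # model_b misses flow 3 (p_botnet 0.4), a false negative
    "model_b": [[0.95, 0.05], [0.70, 0.30], [0.80, 0.20],
                [0.60, 0.40], [0.20, 0.80], [0.15, 0.85]],
    # model_c classifies every flow correctly but with low margins
    "model_c": [[0.85, 0.15], [0.90, 0.10], [0.70, 0.30],
                [0.30, 0.70], [0.45, 0.55], [0.20, 0.80]],
}


def ensemble_average(probs_per_model: Sequence[Sequence[Sequence[float]]]) -> List[List[float]]:
    """Average the class-probability vectors of several models, sample by sample."""
    n_models = len(probs_per_model)
    n_samples = len(probs_per_model[0])
    averaged: List[List[float]] = []
    for i in range(n_samples):
        n_classes = len(probs_per_model[0][i])
        avg = [sum(m[i][c] for m in probs_per_model) / n_models for c in range(n_classes)]
        averaged.append(avg)
    return averaged


def predict(probs: Sequence[Sequence[float]], threshold: float = 0.5) -> List[int]:
    """Binary decision: flag a flow as botnet when p_botnet reaches the threshold."""
    return [1 if p[1] >= threshold else 0 for p in probs]


def metrics(y_true: Sequence[int], y_pred: Sequence[int]) -> Dict[str, float]:
    """Accuracy, precision, recall and F1 from a binary confusion matrix."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 1)
    tn = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 0)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t == 0 and p == 1)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == 1 and p == 0)
    total = tp + tn + fp + fn
    accuracy = (tp + tn) / total if total else 0.0
    precision = tp / (tp + fp) if (tp + fp) else 0.0   # guard: no positive predictions
    recall = tp / (tp + fn) if (tp + fn) else 0.0      # guard: no positive labels
    f1 = 2 * precision * recall / (precision + recall) if (precision + recall) else 0.0
    return {"accuracy": accuracy, "precision": precision, "recall": recall, "f1": f1}


def run_demo() -> Dict[str, Dict[str, float]]:
    """Score each individual model and the averaged ensemble on the constructed set."""
    results = {name: metrics(Y_TRUE, predict(p)) for name, p in MODEL_PROBS.items()}
    ensemble_probs = ensemble_average(list(MODEL_PROBS.values()))
    results["ensemble"] = metrics(Y_TRUE, predict(ensemble_probs))
    return results


if __name__ == "__main__":
    for name, m in run_demo().items():
        print(f"{name:9s} " + "  ".join(f"{k}={v:.3f}" for k, v in m.items()))
```

On the constructed data, model_a and model_b each score 5/6 accuracy (one false positive and one false negative respectively), while the averaged ensemble reaches 1.0 on all four metrics because the two errors are in opposite directions and the third model's correct, if low-margin, votes tip the average. Averaging is only as good as the diversity of the members: if every device model shared the same blind spot, the ensemble would inherit it.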

Figure 6: Average accuracy,…

Source…

IBM FlashSystem update focuses on ransomware detection


IBM is looking to detect ransomware in storage as early as possible by adding AI to its primary storage offering, reducing recovery time objectives.

In the latest update to its FlashSystem primary storage line, IBM made changes to both the storage hardware and its Storage Defender software. FlashCore Modules, the flash storage IBM uses in place of off-the-shelf SSDs, are now in their fourth generation and provide extra computation to analyze I/Os. IBM Storage Defender, its data protection software for primary and secondary storage, will now use low-powered AI sensors to search for anomalies.

In storage, ransomware detection is often relegated to backup software and products. But data resiliency and data protection are everyone's job, according to Scott Sinclair, an analyst at TechTarget's Enterprise Strategy Group. The responsibility stretches beyond the cybersecurity team or the backup team to all parts of the IT stack.

“The storage team needs to prioritize data protection,” he said. “The faster you can identify an issue, the faster you recover, the better off you are.”

Security in the media

FlashCore Modules look like traditional 2.5-inch SSDs but carry more Arm-based cores and a field-programmable gate array (a chip whose logic can be reconfigured after manufacture), which turns the modules into computational storage devices, according to Sam Werner, vice president of storage product management at IBM. The modules use quad-level cell NAND but deliver triple-level cell performance at a lower cost, he said.

The additional Arm cores give the FlashSystem spare computation to analyze I/Os and look for anomalies, Werner said, so the FlashCore Modules can detect ransomware on the flash itself in under a minute. Flash does not update data in place: a write lands elsewhere in the media, so for a short period the old and new copies coexist. Ransomware detection can analyze one copy outside the data path without slowing performance.

Tools such as AI detection in primary storage can help organizations fight against ransomware, according to Sinclair. These attacks will continue and increase in…

Source…

USENIX Security ’23 – Black-box Adversarial Example Attack Towards FCG Based Android Malware Detection Under Incomplete Feature Information


Author/Presenters: Heng Li, Zhang Cheng, Bang Wu, Liheng Yuan, Cuiying Gao, Wei Yuan, Xiapu Luo

Many thanks to USENIX for publishing their outstanding USENIX Security '23 presenter content, and for the organization's strong commitment to Open Access.
The talk was recorded at the conference's events at the Anaheim Marriott and is published via the organization's YouTube channel.


*** This is a Security Bloggers Network syndicated blog from Infosecurity.US authored by Marc Handelman. Read the original post at: https://www.youtube-nocookie.com/embed/jRE11W_ZSGI?si=QNu1Ntq_FqLIsNOE

Source…