Tag Archive for: Highly

Iranian hackers exposed in a highly targeted espionage campaign



Threat analysts have spotted a novel attack attributed to the Iranian hacking group known as APT34 or OilRig, which targeted a Jordanian diplomat with custom-crafted tools.

The attack involved advanced anti-detection and anti-analysis techniques and had some characteristics that indicate lengthy and careful preparation.

Security researchers at Fortinet have gathered evidence and artifacts from the attack in May 2022 and compiled a technical report to highlight APT34’s latest techniques and methods.

Targeting diplomats

The spear-phishing email seen by Fortinet targeted a Jordanian diplomat, pretending to be from a colleague in the government, with the email address spoofed accordingly.

The email carried a malicious Excel attachment containing VBA macro code that, when executed, creates three files: a malicious executable, a configuration file, and a clean, signed DLL.

The macro also creates persistence for the malicious executable (update.exe) by adding a scheduled task that repeats every four hours.

“Since Excel is a signed binary, maintaining persistence in this way may be missed by some behavioral detection engines,” comment Fortinet’s analysts.

Another unusual finding concerns two anti-analysis mechanisms implemented in the macro: one toggles sheet visibility in the spreadsheet, and the other checks for the presence of a mouse, which may be absent on malware analysis sandbox services.

The payload

The malicious executable is a .NET binary that checks program states and puts itself to sleep for eight hours after launching. The analysts believe the hackers probably set this delay on the assumption that the diplomat would open the email in the morning and leave after eight hours so that the computer would be unattended.

When active, the malware communicates with C2 subdomains using a domain generation algorithm (DGA) tool. DGA is a widely-used technique that makes malware operations more resilient to domain takedowns and block-listing.

Domain generation algorithm system (Fortinet)

It then sets up a DNS tunnel to communicate with the provided IP address. This is a rarely seen technique that helps threat actors encrypt the data exchanged in the context of…

Source…

Menlo Security Finds Cloud Migration and Remote Work Gives Rise to New Era of Malware, Highly Evasive Adaptive Threats (HEAT)


MOUNTAIN VIEW, Calif. -- Menlo Security, a leader in cloud security, today announced it has identified a surge in cyberthreats, termed Highly Evasive Adaptive Threats (HEAT), that bypass traditional security defenses. HEAT attacks are a class of cyber threats that use the web browser as the attack vector and employ techniques to evade detection by multiple layers in current security stacks, including firewalls, Secure Web Gateways, sandbox analysis, URL reputation, and phishing detection. HEAT attacks are used to deliver malware or to compromise credentials, which in many cases leads to ransomware attacks.

In an analysis of almost 500,000 malicious domains, the Menlo Security Labs research team discovered that 69% of these websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious content to the endpoint by adapting to the targeted environment. Since July 2021, Menlo Security has seen a 224% increase in HEAT attacks.

“With the abrupt move to remote working in 2020, every organization had to pivot to a work-from-anywhere model and accelerate their migration to cloud-based applications. An industry report found that 75% of the working day is spent in a web browser, which has quickly become the primary attack surface for threat actors, ransomware and other attacks. The industry has seen an explosion in the number and sophistication of these highly evasive attacks and most businesses are unprepared and lack the resources to prevent them,” said Amir Ben-Efraim, co-founder and CEO of Menlo Security. “Cyber threats are a mainstream problem and a boardroom issue that should be on everyone’s agenda. The threat landscape is constantly evolving, ransomware is more persistent than ever before, and HEAT attacks have rendered traditional security solutions ineffective.”

HEAT attacks leverage one or more of the following core techniques that bypass legacy network security defenses:

  • Evades Both Static and Dynamic Content Inspection: HEAT attacks evade both signature and behavioral analysis engines to deliver malicious payloads to the victim using innovative techniques such as HTML Smuggling. This technique is used by…

Source…

Defense Contractors Highly Susceptible to Ransomware


Even as cybercriminals take aim at critical infrastructure, many of the United States’ top 100 federal contractors are inadequately prepared to repel ransomware attacks.

These were among the findings of a report from Black Kite, which assessed the cybersecurity risk posture of U.S. defense contractors and found 20% of the country’s largest 100 contractors were highly susceptible to a ransomware attack.

The study found 42% of defense contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an “F” grade in credential management.

Overall, the top 100 federal contractors averaged a “ransomware susceptibility index” score of 0.39, but 20% scored above the critical threshold of 0.6, according to the report.

Crossing the Threshold

By comparison, earlier Black Kite reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above what Black Kite considered a critical threshold, indicating they were highly susceptible to ransomware attacks.

“We’re continuing to see the exact same issues pop up through industries—issues that should be addressed by basic cybersecurity hygiene,” said Bob Maley, chief security officer at Black Kite. “These are defense contractors that should be taking advice from the Department of Homeland Security. The attack vectors for ransomware aren’t new.”

He pointed out that Homeland Security has been issuing alerts on what people should be doing to protect themselves in these particular areas over the past decade.

“So, it’s not that bad actors are finding new things to exploit to make ransomware effective,” he said. “They’re exploiting issues that have been around for a long time that people just aren’t paying attention to.”

Maley explained that there is no single category of malicious actor threatening federal contractors. Generally speaking, the actors involved may not target defense contractors specifically; they may not even know that they are doing so.

“They’re bad actors that will target a company that is vulnerable and that looks like they have enough financials to…

Source…

Third Party Data Breach of GE Vendor Exposes Highly Sensitive Employee Information – CPO Magazine
