Tag Archive for: session



Defending Ukraine: SecTor session probes a complex cyber war


It was quick, but for a packed room of delegates attending a SecTor 2022 session in Toronto, it was an eye-opening 20-minute tutorial that explored the litany of Russian cyberattacks in Ukraine and what has been done to prevent them since the war broke out on Feb. 23.

The presentation on Wednesday from John Hewie, national security officer with Microsoft Canada, centred on a report issued in late June entitled Defending Ukraine: Early Lessons from the Cyber War, which was covered in IT World Canada the day it was released.

In a foreword to it, Brad Smith, president and vice chair at Microsoft, wrote that the invasion “relies in part on a cyber strategy that includes at least three distinct and sometimes coordinated efforts – destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.

“When countries send code into battle, their weapons move at the speed of light. The internet’s global pathways mean that cyber activities erase much of the longstanding protection provided by borders, walls and oceans. And the internet itself, unlike land, sea and the air, is a human creation that relies on a combination of public and private-sector ownership, operation and protection.”

As Hewie pointed out to security professionals attending the conference, the feeling within Microsoft was that the cyber warfare and the attacks that were going on were being vastly underreported, “which is why we invested in the work that I am sharing with you today.”

He said that when the war began, there were cyberattacks on upwards of 200 different systems in Ukraine: “We initially saw the targeting of government agencies in those early days, as well as the financial sector and IT sector.”

Prior to the invasion, added Hewie, Microsoft security professionals had already established a line of communication with senior officials in government and other sectors, and threat intelligence was shared back and forth.

“And then as the war went on, we saw continued expansion of those attacks in the critical infrastructure space – nuclear, for example – and continuing in the IT sector. When the…


SpyCloud Session Identity Protection prevents fraud from compromised web sessions


SpyCloud launched Session Identity Protection, a transformative early warning system designed to prevent trusted user fraud, one of the hardest forms of fraud to detect.

The new offering is powered by SpyCloud’s malware intelligence, which surfaces credentials and session tokens stolen from consumers by prevalent infostealers.

Existing anti-fraud solutions offer a fragmented overview of user activity, often designed to determine if a user is a bot or a human. Session Identity Protection, however, is the only solution to expand on standard fraud and browser checks to identify consumers whose session or trusted device cookies have been compromised or collected by malware. This allows tech firms, financial services companies, and retailers to mitigate the risk of hijacked sessions by giving organizations more comprehensive visibility into an untouched area of at-risk and exposed consumers.

“There are virtually no indicators that differentiate a legitimate user from a criminal using an anti-detect browser and stolen session cookie data. They look nearly identical, down to their geofenced IP, browser version, OS version, and even screen resolution,” said Jacob Wagh, Senior Product Manager at SpyCloud. “In some cases, analysis of SpyCloud’s database of recaptured breach and botnet data shows stolen session cookie data indicating a risk of fraud before the credentials connected to an associated account have even been compromised.”

Threat actors using stolen credentials often face the challenge of bypassing multifactor authentication (MFA), device ID checks, and newer browser fingerprinting anti-fraud technologies. However, in recent years, criminals have learned how to bypass these protections by relying on “anti-detect” browsers that can emulate a legitimate user’s trusted device and browser fingerprint. These tools are powered by a constant stream of malware infections that steal credentials, session cookies and other browser data – all available for sale on the dark web.

Trusted user fraud is one of the hardest forms of fraud to detect because it allows criminals to mimic legitimate users that have been compromised by malware. By accessing active…


Hear ye, DarkSide! This honorable ransomware court is now in session


A crime forum is holding a quasi-judicial proceeding against the makers of DarkSide, the ransomware that shut down Colonial Pipeline two weeks ago, to hear claims from former affiliates who say the makers skipped town without paying. Or at least that’s what members of crime forum XSS.is want us all to believe.

A Russian-speaking person using the handle “darksupp” took to XSS.is in November to recruit affiliates for DarkSide, researchers at security firm FireEye said recently. At the time, DarkSide was the new ransomware-as-a-service on the block, and it was in search of business partners.

Since then, DarkSide has cashed in spectacularly. According to newly released figures from cryptocurrency tracking firm Chainalysis, DarkSide netted at least $60 million in its first seven months, with $46 million of it coming in the first three months of this year.

DarkSide made another $10 million this month, with $5 million coming from Colonial Pipeline and $4.4 million from chemical distribution company Brenntag. Last week, DarkSide suddenly went dark. A post attributed to darksupp said his group had lost control of infrastructure and its considerable holding of bitcoin.

“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated. “The hosting support service doesn’t provide any information except ‘at the request of law enforcement authorities.’ In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.”

DarkSide hasn’t been heard from since.

Under the terms of the deal struck on XSS, DarkSide pays affiliates 75 percent of ransoms that are less than $500,000. The cut rises to 90 percent for ransoms higher than $5 million. But according to multiple DarkSide affiliates on XSS, the RaaS provider has absconded without honoring its commitments. The affiliates have been asking to be reimbursed from a deposit, with a balance of about $900,000, that DarkSide was required to make with XSS.

Here are three such posts. Notice…
