Tag Archive for: Techniques

International Ransomware Gangs Are Evolving Their Techniques. The Next Generation Of Hackers Will Target Weaknesses In Cryptocurrencies


(MENAFN– The Conversation) In May 2023, the Dallas City Government was hugely disrupted by a ransomware attack. Ransomware attacks are so-called because the hackers behind them encrypt vital data and demand a ransom in order to get the information decrypted.

The attack in Dallas halted hearings, trials and jury duty and led to the eventual closure of the Dallas Municipal Court Building. It also had an indirect effect on wider police activities, with stretched resources affecting the ability to deliver, for example, summer youth programmes. The criminals threatened to publish sensitive data, including personal information, court cases, prisoner identities and government documents.

One might imagine an attack on a city government and police force causing widespread and lengthy disruption would be headline news. But ransomware attacks are now so common and routine that most pass with barely a ripple of attention. One notable exception happened in May and June 2023 when hackers exploited a vulnerability in the Moveit file transfer app which led to data theft from hundreds of organisations around the world. That attack grabbed headlines, perhaps because of the high profile victims, reported to include British Airways, the BBC and the chemist chain Boots.

According to one recent survey, ransomware payments have nearly doubled to US$1.5 million (£1.2 million) over the past year, with the highest-earning organisations the most likely to pay attackers. Sophos, a British cybersecurity firm, found that the average ransomware payment rose from US$812,000 the previous year. The average payment by UK organisations in 2023 was even higher than the global average, at US$2.1 million.

Meanwhile, in 2022 the National Cyber Security Centre (NCSC) issued new guidance urging organisations to bolster their defences amid fears of more state-sponsored cyber attacks linked to the conflict in Ukraine. This followed a series of cyber attacks in Ukraine which are suspected to have involved Russia, which Moscow denies.



Enterprises Unprepared to Defend Against MITRE ATT&CK Techniques


Enterprises lack detections for more than three-quarters of all MITRE ATT&CK techniques, while 12% of SIEM rules are broken and will never fire due to data quality issues including misconfigured data sources and missing fields.

These were among the results of a CardinalOps report which analyzed real-world data from production SIEMs including from Splunk, Microsoft Sentinel, IBM QRadar and Sumo Logic.

The data covered more than 4,000 detection rules, nearly one million log sources and hundreds of unique log source types, spanning industry verticals ranging from banking and financial services to manufacturing and energy. 

The study also indicated that while organizations are implementing “detection-in-depth”—collecting data from multiple security layers including Windows endpoints and email—monitoring of containers lags behind.

Broken Rules

Mike Parkin, senior technical engineer at Vulcan Cyber, said the biggest issue he sees is the number of “broken rules” that will never trigger an event.
“While some of them are undoubtedly edge cases that would have been unlikely to trigger an event in any case, many are almost certainly the result of misconfiguration or broken logic,” he said. 

John Gallagher, vice president of Viakoo Labs at Viakoo, said two study findings were particularly concerning.

“While it is encouraging to see there is already sufficient data to detect 94% of potential MITRE ATT&CK techniques, it raises the question of what the missing 6% is and how impactful such attacks might be,” he said.

For example, if the missing 6% resulted in catastrophic damage (e.g., an IoT attack vector that is highly damaging) it might put more focus on achieving higher than 94% coverage. 

He added that “security layers” is a term defined by CardinalOps and is useful for organizations to plan resources and strategies based on their specific organization. “However, it includes containers but not IoT/OT, which seems like a significant oversight,” Gallagher noted.

For example, IoT/OT is used by almost all organizations (more than the 68% who reported using containers) and is less covered by a security layer within their SIEM than containers are.
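The two findings above, rules that can never fire because they reference fields their log source never supplies, and the gap between claimed and effective ATT&CK coverage, can be checked mechanically before a red-team exercise or an auditor does it for you. The following is an added example and not code from CardinalOps or the report: the rule format, the log-source schemas and the rules themselves are constructed for illustration, and the check assumes a rule is "healthy" only if every field its condition references actually arrives from the named source.

```python
"""Rule-health and ATT&CK-coverage audit (added example, constructed data).

Given the fields each log source actually delivers to the SIEM and a set of
detection rules, flag rules that can never fire (source not onboarded, or a
referenced field that the source never carries) and compute how many claimed
ATT&CK techniques are really covered once those rules are excluded.
"""
from dataclasses import dataclass
import re


@dataclass
class Rule:
    name: str
    logsource: str
    condition: str     # simplified: "field=value" pairs joined by " and "
    techniques: tuple  # ATT&CK technique IDs the rule claims to detect


# Constructed schema: the fields each onboarded log source really ships with.
SCHEMA = {
    "windows_security": {"EventID", "SubjectUserName", "TargetUserName", "LogonType", "IpAddress"},
    "sysmon": {"EventID", "Image", "CommandLine", "ParentImage", "User"},
    "okta": {"eventType", "actor.alternateId", "client.ipAddress", "outcome.result"},
}

# Constructed rule set (hypothetical names and conditions).
RULES = [
    Rule("Brute force logon", "windows_security",
         "EventID=4625 and LogonType=3", ("T1110",)),
    # Misconfigured: 'ProcessName' is a Sysmon-style field; Security log 4688 here lacks it.
    Rule("Suspicious process from Office", "windows_security",
         "EventID=4688 and ProcessName=winword.exe", ("T1566.001",)),
    Rule("Encoded PowerShell", "sysmon",
         "EventID=1 and CommandLine=-enc", ("T1059.001", "T1027")),
    # Source never onboarded: no schema exists for 'crowdstrike' at all.
    Rule("Credential dumping", "crowdstrike",
         "event_simpleName=ProcessRollup2", ("T1003",)),
    Rule("MFA fatigue", "okta",
         "eventType=user.authentication.auth_via_mfa and outcome.result=FAILURE", ("T1621",)),
]

FIELD_RE = re.compile(r"([A-Za-z_][\w.]*)\s*=")


def referenced_fields(condition):
    """Field names a condition reads (the left-hand side of each '=')."""
    return set(FIELD_RE.findall(condition))


def audit(rules, schema):
    """Return (broken, healthy): broken maps rule name -> why it can never fire."""
    broken, healthy = {}, []
    for r in rules:
        fields = schema.get(r.logsource)
        if fields is None:
            broken[r.name] = f"log source '{r.logsource}' not onboarded"
            continue
        missing = referenced_fields(r.condition) - fields
        if missing:
            broken[r.name] = f"fields never present in '{r.logsource}': {sorted(missing)}"
            continue
        healthy.append(r)
    return broken, healthy


def coverage(rules, healthy):
    """Claimed technique coverage versus coverage from rules that can actually fire."""
    claimed = {t for r in rules for t in r.techniques}
    effective = {t for r in healthy for t in r.techniques}
    return claimed, effective


if __name__ == "__main__":
    broken, healthy = audit(RULES, SCHEMA)
    for name, why in broken.items():
        print(f"BROKEN: {name}: {why}")
    claimed, effective = coverage(RULES, healthy)
    print(f"{len(broken)}/{len(RULES)} rules can never fire")
    print("techniques claimed but not actually covered:", sorted(claimed - effective))
```

Run against the constructed data, two of the five rules are broken, and with them the claimed coverage of T1003 and T1566.001 disappears: the dashboard would still show those techniques as "covered". A real deployment would derive the schema from the fields observed in ingested events over a window rather than from a hand-written set, so that a parser change that drops a field shows up as newly broken rules.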

“Lack of high-fidelity data…


Ransomware Attacks Adapt With New Techniques: Kaspersky Report


Attackers are employing more sophisticated ransomware attack methods and incorporating key attributes from defunct criminal groups to target individuals, according to the latest report from Kaspersky.

The changes underscore evolving concerns in the cybersecurity landscape.

The report, New ransomware trends in 2023, was published today ahead of Anti-Ransomware Day 2023 on Friday.

According to the report, the top five ransomware groups that have the most impact and produce the most attacks have undergone significant changes in the past year.

In the first half of 2022, REvil and Conti were ranked second and third, respectively, in terms of attacks. However, in Q1 2023, these groups were replaced by Vice Society and BlackCat. The remaining ransomware groups in the top five for Q1 2023 are Clop and Royal.

Read more on Vice Society threat actors: Vice Society Claims Ransomware Attack Against University of Duisburg-Essen

Kaspersky added that, according to their review of last year’s ransomware trends, all of these groups persisted. The researchers have taken notice of some significant cross-platform ransomware variations, such as Luna and Black Basta.

As for 2023, Kaspersky experts highlighted three key ransomware trends. Firstly, ransomware groups are incorporating self-spreading functionality, or imitations of it, into their malware, as seen with examples like Black Basta, LockBit and Play.

Secondly, cybercriminals are exploiting vulnerabilities in antivirus drivers, even targeting industries like gaming. 

Finally, large ransomware gangs are adopting capabilities from leaked or purchased code, strengthening their offensive capabilities.

“Ransomware gangs continually surprise us and never stop developing their techniques and procedures,” said Dmitry Galov, a senior security researcher at Kaspersky’s Global Research and Analysis Team.

Further, Galov said that over the past 18 months the company has observed ransomware gangs transitioning their operations into fully-fledged businesses.

“This fact makes even amateur attackers quite dangerous. So, to make your business and your personal data safe, it’s very important to keep your cybersecurity services…


Technical Analysis of DanaBot Obfuscation Techniques


Key Points

DanaBot is a malware-as-a-service platform discovered in 2018 that is designed to steal sensitive information that may be used for wire fraud, conduct cryptocurrency theft, or perform espionage related activities

The malware is heavily obfuscated which makes it very difficult and time consuming to reverse engineer and analyze

Zscaler ThreatLabz has reverse engineered the various obfuscation techniques used by DanaBot and developed a set of tools using IDA Python scripts to assist with binary analysis

DanaBot, first discovered in 2018, is a malware-as-a-service platform that threat actors use to steal usernames, passwords, session cookies, account numbers, and other personally identifiable information (PII). The threat actors may use this stolen information to commit banking fraud, steal cryptocurrency, or sell access to other threat actors.

While DanaBot isn’t as prominent as it once was, the malware is still a formidable and active threat. Recently, version 2646 of the malware was spotted in the wild, and a researcher tweeted screenshots of DanaBot’s advertisement website, shown in Figure 1.

Figure 1: DanaBot’s advertisement website

Unfortunately, the DanaBot developers have done a very good job of obfuscating the malware code, so reverse engineering and analyzing it is a very difficult and time consuming process. This is a companion blog post to a set of IDA Python scripts that Zscaler ThreatLabz is releasing on our Github page. The goal of the scripts is to help peel away some of the layers of DanaBot’s obfuscations and inspire additional research into not only the obfuscation techniques, but the malware itself.

Technical Analysis

The following sections summarize the numerous techniques that the DanaBot developers have implemented to obfuscate the malware binary code.

Junk Byte Jumps

One of the first anti-analysis techniques that DanaBot employs is a “junk byte jump” instruction. This is an anti-disassembly technique where a jump instruction will always jump over a junk byte. The junk byte is skipped during normal program execution, but causes IDA Pro to display an incorrect disassembly. An example of this technique is shown in Figure…
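To make the mechanism concrete, here is an added example, not one of the ThreatLabz scripts and not bytes from a DanaBot sample: a constructed x86 fragment with a `jmp short +1` over a single junk byte, a tiny linear-sweep decoder that knows only a handful of opcodes (enough to show the desynchronisation), and the patch step a cleanup script applies. The junk byte is chosen as 0xE8, the opcode of `call rel32`, so that a disassembler which does not follow the jump consumes the next four real bytes as a displacement and loses the `xor`, `pop` and `ret` that follow. Replacing the skipped byte with a NOP leaves execution unchanged, since the jump still skips it, but keeps the disassembly in sync; in an IDAPython script the same detection would be applied to the database rather than to a byte string.

```python
"""Junk byte jump: demonstrate the desync and the fix (added example, constructed bytes)."""

# Constructed code fragment (hypothetical, not DanaBot bytes):
#   55           push ebp
#   8B EC        mov  ebp, esp
#   EB 01        jmp  short +1      ; always skips exactly one byte
#   E8           junk byte: looks like the opcode of 'call rel32'
#   33 C0        xor  eax, eax
#   5D           pop  ebp
#   C3           ret
SAMPLE = bytes.fromhex("55 8B EC EB 01 E8 33 C0 5D C3")


def _decode_one(code, i):
    """Return (mnemonic, length) for the instruction at offset i.
    Only the opcodes this demo needs are modelled; anything else is 'db'."""
    op = code[i]
    if 0x50 <= op <= 0x57:
        return "push", 1
    if 0x58 <= op <= 0x5F:
        return "pop", 1
    if op == 0x90:
        return "nop", 1
    if op == 0xC3:
        return "ret", 1
    if op == 0xEB and i + 1 < len(code):
        return "jmp short", 2
    if op == 0xE8 and i + 4 < len(code):
        return "call", 5            # opcode + rel32: swallows the next 4 bytes
    if op in (0x33, 0x8B) and i + 1 < len(code) and code[i + 1] >> 6 == 3:
        return {0x33: "xor", 0x8B: "mov"}[op], 2   # reg,reg form (ModRM mod=11)
    return "db", 1


def linear_sweep(code):
    """Decode from offset 0 straight through, as a naive linear sweep does."""
    out, i = [], 0
    while i < len(code):
        mnem, length = _decode_one(code, i)
        out.append((i, mnem))
        i += length
    return out


def find_junk_byte_jumps(code):
    """Offsets of 'EB 01' (jmp short +1): the byte after the jump is never executed."""
    return [i for i in range(len(code) - 2)
            if code[i] == 0xEB and code[i + 1] == 0x01]


def patch_junk_byte_jumps(code):
    """Overwrite each skipped junk byte with NOP (0x90).
    The jmp still skips it, so behaviour is unchanged; the sweep stays in sync."""
    patched = bytearray(code)
    for off in find_junk_byte_jumps(code):
        patched[off + 2] = 0x90
    return bytes(patched)


def mnemonics(code):
    return [m for _, m in linear_sweep(code)]


if __name__ == "__main__":
    print("before:", mnemonics(SAMPLE))
    print("after: ", mnemonics(patch_junk_byte_jumps(SAMPLE)))
```

Before patching the sweep reads push, mov, jmp short, call and then runs off the end of the buffer; after patching it reads push, mov, jmp short, nop, xor, pop, ret. The check is deliberately narrow (exactly `EB 01`): a `jmp short` over more than one byte can legitimately skip embedded data, so widening the pattern needs the target-analysis that the real scripts perform rather than a blind byte match.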
