Cybersecurity had a turbulent 2016, to say the least. We saw the rise of ransomware, the emergence of IoT botnets, landmark security legislation and Yahoo’s disclosure about its 1-billion-record-hack, the largest in history.
The FireFox zero-day recently used in the wild made headlines when TOR users that fell victim to the attack lost the one thing they were looking for: anonymous browsing. Speculation ran rife that the exploit may have been created by the FBI or another governmental agency, especially as the attack resembled past investigations used to identify Tor users.
Ransomware has grabbed mainstream media attention recently but it’s nothing new – in fact, its origins can be traced back to floppy disk times. Part of ransomware’s new found notoriety is certainly due to the criminals’ latest target of choice, the healthcare industry, which is considered sacrosanct to most. And ransomware’s very nature lends itself to news-worthy headlines. Unlike other types of malware which rely on stealth to infiltrate systems or quietly siphon off data, ransomware boldly declares its presence and intent, often with a clever name to go with it.
This year’s Black Hat USA conference was bigger and badder than ever, with attendance up nearly 30% according to show organizers. Of all the security conferences, Black Hat has the most clear divide between the technical practitioner side and the security vendors, and the main themes varied depending on which side of the divide you were standing. From the practitioner side, these ranged from enhancing technical skills (excellent training) to strategies and threats, to leadership and alignment with the business. The instructors and presenters were world class, the content was superb, and thoughtfulness and creativity were everywhere.
All good for the practitioners and kudos to the organizers. On the vendor side, things were a little more nuanced.
There are kits for everything these days: beer brewing, engine tuning, and, yes, hacking. Hacking's “exploit kits” (EKs)—toolkits with packaged exploit codes—let almost anyone become a digital intruder, from the guy down the hall to the nation-state operator oceans away. I'm going to share some key areas you need to be aware of when preparing for an EK-driven attack.
The disappearance of Angler has left a gaping hole in the malware market which cybercriminals are only to happy to fill with new variants of old standbys. The latest to reemerge after a period of disuse are Locky and Dridex. A new Locky campaign spotted in the wild on June 20 is analyzed by Pierluigi Paganini on the Security Affairs site. Now a bigger and badder Dridex has reappeared, with more sophisticated evasion tactics, including a new sandbox evasion technique.
Imagine a conversation like this.
ASPIRING VIOLINIST: Maestro, what should I do to be a violin virtuoso?
MAESTRO: You must practice 48 hours every day on the tuba. I will sell you a tuba.
ASPIRING VIOLINIST: But there are only 24 hours in a day. Did you say tuba?
MAESTRO: If you won’t follow my advice, I can’t help you.
More Madness than Method
It sounds absurd, but conversations like this unfold daily when enterprise cyber practitioners meet with industry vendors and security consultants. The industry tells them that they are not doing enough. They must install more security technology, hire more analysts, and patch more frequently. This may seem simple; merely a matter of budget and execution. But the technology is not up to the task and the cost of following this advice to the letter would force enterprises to spend themselves out of existence. And it still wouldn’t work. Not enough hours, wrong instrument.
With fileless malware popping up more and more frequently, particularly sophisticated PowerShell attacks, we thought it useful to examine these threats by reverse engineering those in-memory samples from Virus Total that have the lowest detection rates.
CVE-2015-2545 is the vulnerability that just keeps on giving. First spotted in August 2015, in a targeted attack by the Platinum Group, it allows attackers to bypass system memory protections via a malicious EPS image file embedded in a Microsoft Office document. Morphisec’s Michael Gorelik published a detailed technical analysis at the PostScript Abstraction Level back in February, when it popped up again in connection with attacks against Indian governmental agencies.