Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/4/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Lean, Mean & Agile Hacking Machine

Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.

It's time again for another quarterly trek into the wilds of the cyber-threat landscape. As security practitioners work to put themselves in the shoes of hackers to better anticipate where attacks will be coming from, these malicious actors are starting to think more like developers to evade detection.

And lately, they are more precise in their targeting, relying less on blanket attempts to find exploitable victims. How can IT security teams keep pace with the agile development cybercriminals are employing and pinpoint the recycled vulnerabilities being used? Fortinet's latest Global Threat Landscape Report sheds light on current criminal activity and suggests how organizations can stay a step ahead.

Agile Attacks
Malware authors have long relied on polymorphism — the ability of malware to constantly change its own code as it propagates — to evade detection, but over time, network defense systems have made improvements that make them more difficult to circumvent. Never ones to rest on their laurels, malware authors recently have turned to agile development to make their malware more difficult to detect and to quickly counter the latest tactics of anti-malware products. Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network.

Cybercriminals are using not only agile development but automation to advance their attacks. Malware is on the rise that is completely written by machines based on automated vulnerability detection, complex data analysis, and automated development of the best possible exploit based on the unique characteristics of that weakness. Organizations must counter with automation of their own, using machine learning to understand and even predict bad actors' latest exploits so they can stay ahead of these advanced threats.

A prime example of malicious agile development is the 4.0 version of GandCrab.

GandCrab
The actors behind GandCrab are the first group to accept Dash cryptocurrency. It appears that they use the agile development approach to beat competitors to market and deal with issues and bugs when they arise. Another unique aspect to GandCrab is its ransomware-as-a-service model, which is based on a 60/40 profit-sharing model between the developers and criminals wishing to use their services. And lastly, GandCrab uses .BIT, a top-level domain unrecognized by ICANN, which is served via the Namecoin cryptocurrency infrastructure and uses various name servers to help resolve DNS and redirect traffic to it. GandCrab 2.x versions were most prevalent during the second quarter, but by the quarter's close, v3 was in the wild, and the v4 series followed in early July.

We noticed that when a <8hex-chars>.lock file in the system's COMMON APPDATA folder is present, the files will not be locked. This usually occurs after the malware determines the keyboard layout is in the Russian language, along with other techniques to determine computers in Russian-speaking countries. We speculate that adding this file could be a temporary solution. Based on our analysis, industry researchers created a tool that prevents files from being encrypted by the ransomware. Unfortunately, GandCrab 4.1.2 was released a day or two later, rendering the lock file useless.

Valuable Vulnerabilities
Cybercriminals are becoming smarter and faster in how they leverage exploits. In addition to using dark net services such as malware-as-a-service, they are honing their targeting techniques to focus on exploits (e.g., severe exploits) that will generate the biggest bang for the buck. The reality is that no organization can patch vulnerabilities fast enough. Rather, they must become strategic and focus on the ones that matter using threat intelligence.

To keep pace with the agile development methods cybercriminals are using, organizations need advanced threat protection and detection capabilities that help them pinpoint these currently targeted vulnerabilities. With exploits examined from the lens of prevalence and volume of related exploit detections, only 5.7% of known vulnerabilities were exploited in the wild, according to our research. If the vast majority of vulnerabilities won't be exploited, organizations should consider taking a much more proactive and strategic approach to vulnerability remediation.

Painting a New Security Landscape
This requires advanced threat intelligence that is shared at speed and scale across all of the security elements, and sandboxing that provides layered, integrated intelligence. This approach shrinks the necessary windows of detection and provides the automated remediation required for the multivector exploits of today. The Cyber Threat Alliance, a group of security companies that shares advanced threat information, was created for this reason.

While many organizations are working hard to collect as much data as they can from a variety of sources — including their own — much of the work in processing, correlating, and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly. Ideally, the processing and correlation of threat intelligence that results in effective policy needs to be automated.

Effective cybersecurity also requires diligence in patching. With the data on which vulnerabilities are currently being exploited, IT security teams can be strategic with their time and harden, hide, isolate or secure vulnerable systems and devices. If they are too old to patch, replace them.

Network segmentation — and micro-segmentation — is a must, as well. These steps ensure that any damage caused by a breach remains localized. In addition to this passive form of segmentation, deploy macro-segmentation for dynamic and adaptive defense against the never-ending onslaught of new, intelligent attacks.

Cybercriminals are relentless, making use of and adapting the latest technology to ply their trade. IT security teams can beat them at their own game by using the information and recommendations outlined above.

Related Content:

 

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...
CVE-2019-13624
PUBLISHED: 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
CVE-2019-13625
PUBLISHED: 2019-07-17
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.