Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/4/2018
10:30 AM
Derek Manky
Derek Manky
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

Lean, Mean & Agile Hacking Machine

Hackers are thinking more like developers to evade detection and are becoming more precise in their targeting.

It's time again for another quarterly trek into the wilds of the cyber-threat landscape. As security practitioners work to put themselves in the shoes of hackers to better anticipate where attacks will be coming from, these malicious actors are starting to think more like developers to evade detection.

And lately, they are more precise in their targeting, relying less on blanket attempts to find exploitable victims. How can IT security teams keep pace with the agile development cybercriminals are employing and pinpoint the recycled vulnerabilities being used? Fortinet's latest Global Threat Landscape Report sheds light on current criminal activity and suggests how organizations can stay a step ahead.

Agile Attacks
Malware authors have long relied on polymorphism — the ability of malware to constantly change its own code as it propagates — to evade detection, but over time, network defense systems have made improvements that make them more difficult to circumvent. Never ones to rest on their laurels, malware authors recently have turned to agile development to make their malware more difficult to detect and to quickly counter the latest tactics of anti-malware products. Addressing these emerging polymorphic swarm attacks requires a hive defense, where all of your deployed security components can see and communicate with each other, and then work in a cooperative fashion to defend the network.

Cybercriminals are using not only agile development but automation to advance their attacks. Malware is on the rise that is completely written by machines based on automated vulnerability detection, complex data analysis, and automated development of the best possible exploit based on the unique characteristics of that weakness. Organizations must counter with automation of their own, using machine learning to understand and even predict bad actors' latest exploits so they can stay ahead of these advanced threats.

A prime example of malicious agile development is the 4.0 version of GandCrab.

GandCrab
The actors behind GandCrab are the first group to accept Dash cryptocurrency. It appears that they use the agile development approach to beat competitors to market and deal with issues and bugs when they arise. Another unique aspect to GandCrab is its ransomware-as-a-service model, which is based on a 60/40 profit-sharing model between the developers and criminals wishing to use their services. And lastly, GandCrab uses .BIT, a top-level domain unrecognized by ICANN, which is served via the Namecoin cryptocurrency infrastructure and uses various name servers to help resolve DNS and redirect traffic to it. GandCrab 2.x versions were most prevalent during the second quarter, but by the quarter's close, v3 was in the wild, and the v4 series followed in early July.

We noticed that when a <8hex-chars>.lock file in the system's COMMON APPDATA folder is present, the files will not be locked. This usually occurs after the malware determines the keyboard layout is in the Russian language, along with other techniques to determine computers in Russian-speaking countries. We speculate that adding this file could be a temporary solution. Based on our analysis, industry researchers created a tool that prevents files from being encrypted by the ransomware. Unfortunately, GandCrab 4.1.2 was released a day or two later, rendering the lock file useless.

Valuable Vulnerabilities
Cybercriminals are becoming smarter and faster in how they leverage exploits. In addition to using dark net services such as malware-as-a-service, they are honing their targeting techniques to focus on exploits (e.g., severe exploits) that will generate the biggest bang for the buck. The reality is that no organization can patch vulnerabilities fast enough. Rather, they must become strategic and focus on the ones that matter using threat intelligence.

To keep pace with the agile development methods cybercriminals are using, organizations need advanced threat protection and detection capabilities that help them pinpoint these currently targeted vulnerabilities. With exploits examined from the lens of prevalence and volume of related exploit detections, only 5.7% of known vulnerabilities were exploited in the wild, according to our research. If the vast majority of vulnerabilities won't be exploited, organizations should consider taking a much more proactive and strategic approach to vulnerability remediation.

Painting a New Security Landscape
This requires advanced threat intelligence that is shared at speed and scale across all of the security elements, and sandboxing that provides layered, integrated intelligence. This approach shrinks the necessary windows of detection and provides the automated remediation required for the multivector exploits of today. The Cyber Threat Alliance, a group of security companies that shares advanced threat information, was created for this reason.

While many organizations are working hard to collect as much data as they can from a variety of sources — including their own — much of the work in processing, correlating, and converting it into policy is still done manually. This makes it very difficult to respond to an active threat quickly. Ideally, the processing and correlation of threat intelligence that results in effective policy needs to be automated.

Effective cybersecurity also requires diligence in patching. With the data on which vulnerabilities are currently being exploited, IT security teams can be strategic with their time and harden, hide, isolate or secure vulnerable systems and devices. If they are too old to patch, replace them.

Network segmentation — and micro-segmentation — is a must, as well. These steps ensure that any damage caused by a breach remains localized. In addition to this passive form of segmentation, deploy macro-segmentation for dynamic and adaptive defense against the never-ending onslaught of new, intelligent attacks.

Cybercriminals are relentless, making use of and adapting the latest technology to ply their trade. IT security teams can beat them at their own game by using the information and recommendations outlined above.

Related Content:

 

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21981
PUBLISHED: 2021-04-19
VMware NSX-T contains a privilege escalation vulnerability due to an issue with RBAC (Role based access control) role assignment. Successful exploitation of this issue may allow attackers with local guest user account to assign privileges higher than their own permission level.
CVE-2021-20989
PUBLISHED: 2021-04-19
Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older initiate SSH connections to the Fibaro cloud to provide remote access and remote support capabilities. This connection can be intercepted using DNS spoofing attack and a device initiated remote port-forward channel can be us...
CVE-2021-20990
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.600 and older an internal management service is accessible on port 8000 and some API endpoints could be accessed without authentication to trigger a shutdown, a reboot or a reboot into recovery mode.
CVE-2021-20991
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices with firmware version 4.540 and older an authenticated user can run commands as root user using a command injection vulnerability.
CVE-2021-20992
PUBLISHED: 2021-04-19
In Fibaro Home Center 2 and Lite devices in all versions provide a web based management interface over unencrypted HTTP protocol. Communication between the user and the device can be eavesdropped to hijack sessions, tokens and passwords.