[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions :)
So onto the news:
Hideouts for Lease: The Silent Role of Bulletproof Hosting Services in Cybercriminal Operations
Spamz have in common? All of them, at one point or another, have functioned as cybercriminal hideouts in the form of bulletproof hosting services (BPHS).
Simply put, BPHS is any “hosting facility that can store any type of malicious content like phishing sites, pornography, and command-and-control (C&C) infrastructure.” If I were to compare them with real-life crime rings, BPHS would be those hideouts criminals use to perform their illegal activities in private. In the context of cybercrime, it is very common to belittle the role of BPHSs in cybercriminal operations and instead focus on revealing the bad guys’ identities or discussing their modus operandi. But the truth is: BPHSs are crucial. They are so crucial, in fact, that many major cybercriminal groups would not be able to operate without them.
It is important for these BPHS providers to be able to retain their name or domain for a long time to show how adept they are in keeping customers’ activities confidential, particularly from security researchers and law enforcers. Longtime providers are usually kept afloat by their capability to provide immediate technical support, quickly migrate in case they’re blacklisted, protect from DDoS attacks, and advertise cleverly to reach their specific clientele.
Pricing for BPHSs depends on the risk involved in hosting certain content. Providers in several countries offer as low as US$2 per month for low-risk content, while servers based in China, Bolivia, Iran, and the Ukraine can go as high as US$300 per month for critical infrastructure projects or high-risk content. (You can find a more detailed description of the risk ratings or the toxicity of BPHS servers in the paper.)
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=94d583bcc3&e=20056c7556
Flu season starting early: the H1N1 Loader
The H1N1 Loader appears to be a relatively new downloader family that to our knowledge was initially discovered and analyzed in May 2015 [1, 2]. We have seen several show up in our malware zoo this Spring and are documenting our preliminary findings.
Prior to actually trying to contact its command & control (CnC) server, H1N1 will first attempt to determine whether or not it has Internet connectivity at all. It performs this check by using the wininet.dll APIs to send an HTTP request to a URL of the following format…
Prior to phoning home, H1N1 must de-obfuscate some of its sensitive strings. For example, the URL of this sample’s CnC server is http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=626f0e6966&e=20056c7556 but one typically won’t find pieces of this string, much less the URL in its entirety, within an H1N1 memdump. Instead, the malware constructs the CnC server name (fastnode.info) and relative URI path (rel/gate.php) on the fly just before phoning home. It performs this construction four bytes at a time by performing a sequence of arithmetic operations on the EAX register and writing the intermediate values of EAX to a memory buffer
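Because the CnC host and URI path only exist once the loader has written them, four bytes at a time, into a buffer, an analyst recovers them from a trace of those stores rather than from a memdump. The helper below is an added example (not code from the H1N1 write-up): it reassembles NUL-terminated strings from a constructed "address dword value" store trace, with placeholder addresses and the two strings named in the article as sample data.

```python
import re
import struct

# Constructed trace format (an assumption, not any real tool's output): one
# "<address> dword <value>" line per 4-byte store of EAX into the string buffer.
TRACE_LINE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+dword\s+(0x[0-9a-fA-F]+)\s*$")

SAMPLE_TRACE = """
0x0019ff24 dword 0x65646f6e
0x0019ff20 dword 0x74736166
0x0019ff28 dword 0x666e692e
0x0019ff2c dword 0x0000006f
0x0019ff40 dword 0x2f6c6572
0x0019ff44 dword 0x65746167
0x0019ff48 dword 0x7068702e
0x0019ff4c dword 0x00000000
"""

def parse_trace(text):
    """Return {address: dword} for every 4-byte store in the trace."""
    writes = {}
    for line in text.splitlines():
        m = TRACE_LINE.match(line)
        if m:
            writes[int(m.group(1), 16)] = int(m.group(2), 16) & 0xFFFFFFFF
    return writes

def reassemble(writes):
    """Merge stores to contiguous addresses into little-endian byte runs."""
    runs, start, buf = [], None, b""
    for addr in sorted(writes):
        if start is not None and addr == start + len(buf):
            buf += struct.pack("<I", writes[addr])
        else:
            if buf:
                runs.append((start, buf))
            start, buf = addr, struct.pack("<I", writes[addr])
    if buf:
        runs.append((start, buf))
    return runs

def extract_strings(text, min_len=4):
    """Printable NUL-terminated ASCII strings rebuilt from the trace."""
    found = []
    for _, data in reassemble(parse_trace(text)):
        for chunk in data.split(b"\x00"):
            if len(chunk) >= min_len and all(32 <= b < 127 for b in chunk):
                found.append(chunk.decode("ascii"))
    return found
```

Stores are sorted by address before merging, so the order in which the loader emits them does not matter, and a gap between buffers starts a new run.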
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=9b26ac3150&e=20056c7556
New point-of-sale malware distributed by Andromeda botnet
Cybercriminals are casting increasingly wider nets in their search for new point-of-sale systems to infect. This appears to be the case with a new memory scraping malware program called GamaPoS that’s distributed by a botnet known as Andromeda.
GamaPoS was recently discovered by security researchers from antivirus vendor Trend Micro, which found systems infected with it inside organizations from 13 U.S. states and Vancouver, British Columbia.
The program is written in Microsoft’s .NET, which is unusual for RAM scraping malware. These types of threats monitor the memory of point-of-sale systems for payment card data and steal it while it’s being passed from the physical card readers to the commerce applications.
Their attacks start with spam, according to the Trend Micro researchers. They send rogue emails purporting to include PCI DSS (Payment Card Industry Data Security Standard) compliance documents or updates for back-office customer service systems from the Oracle Micros PoS suite.
The documents contain malicious macros — automation scripts — that install a backdoor program if allowed to execute. The infected systems then become part of the Andromeda botnet, which has been around since 2011 and has seen an increasing presence in the U.S. this year.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=2d0cd86cfc&e=20056c7556
Cyber security for critical infrastructure: Are IT and OT managers ready to tackle the issue?
From the very beginning, critical infrastructure networks were designed solely for control purposes and to provide operators with information. Cyber security was not even a distant consideration, as cyber attacks were practically unheard of.
Today, the transition from traditional circuit-switched to new packet-switched networks greatly increases the risk of cyber threats directed at critical infrastructure. Critical infrastructure networks are becoming smarter, automated and more connected. As a result, they are also more susceptible than ever to cyber threats.
Equipment vendors long assumed that systems would remain immune to cyber attacks as long as they kept interface and communication protocols secret. They confidently reasoned that without a detailed specification, attackers would be unable to communicate with the equipment (and most likely, would not even bother to try). Many claimed that this would block any possibility of cyber attacks on devices or networks, and while that may partially be true, the growing use of standard hardware, software and protocols has rendered this approach ineffective.
One rarely discussed aspect of security vulnerability analysis is the underlying network technology. Because legacy networks were seldom attacked, and more modern networks are mostly protected only to a small degree, the operational network has not been well defended against cyber threats. There are two major vulnerabilities that can be associated with the network layer:
A properly designed ICS is surrounded by multiple layers of defense, whereby each layer addresses a different type of attack. When one layer filters some of the attack, the next layer protects its vulnerabilities. The underlying ICS network can only be fully secured when all layers function together. Otherwise, each can be attacked and defeated relatively easily.
Ultimately, network security must be seriously considered at every stage of the design, and not only as an afterthought. Diligent planning can dramatically improve the resilience of the network and reduce the expense of securing it.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=fa9a9d6725&e=20056c7556
VoIP vulnerable to cyber attacks
New research out of the UK has revealed VoIP infrastructure has become more susceptible to cyber attacks.
The research, performed by security consultancy firm Nettitude, says VoIP infrastructure is vulnerable due to the proliferation of both its use and the tools that can be used for malicious purposes.
According to the report, Nettitude observed a large number of VoIP attacks against servers during the first quarter of 2015.
Nettitude found attackers were very active out of office hours, with analysis revealing 88% of attacks occurred during downtime.
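The out-of-hours finding translates directly into a detection rule for SIP registrars. As an added example (not from the Nettitude report), the script below parses constructed Asterisk-style registration-failure lines, measures the share that fall outside an assumed Monday to Friday, 08:00 to 18:00 business window, and lists sources whose failures cluster in that downtime.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the style of Asterisk chan_sip registration failures
# (sample data for this example, not log lines from the Nettitude report).
SAMPLE_LOG = """\
[2015-02-16 02:05:10] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2015-02-16 02:05:12] NOTICE[2231] chan_sip.c: Registration from '"1002" <sip:1002@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2015-02-16 02:05:15] NOTICE[2231] chan_sip.c: Registration from '"1003" <sip:1003@10.0.0.5>' failed for '203.0.113.7:5060' - No matching peer found
[2015-02-14 13:40:00] NOTICE[2231] chan_sip.c: Registration from '"admin" <sip:admin@10.0.0.5>' failed for '198.51.100.23:5060' - No matching peer found
[2015-02-14 13:40:03] NOTICE[2231] chan_sip.c: Registration from '"test" <sip:test@10.0.0.5>' failed for '198.51.100.23:5060' - No matching peer found
[2015-02-17 22:30:00] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2015-02-17 23:59:59] NOTICE[2231] chan_sip.c: Registration from '"1001" <sip:1001@10.0.0.5>' failed for '203.0.113.7:5060' - Wrong password
[2015-02-17 10:15:00] NOTICE[2231] chan_sip.c: Registration from '"1042" <sip:1042@10.0.0.5>' failed for '10.0.0.42:5060' - Wrong password
"""
FAIL_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*Registration from .* failed for '([\d.]+):\d+'"
)

def is_office_hours(ts):
    """Assumed business window: Monday to Friday, 08:00 to 18:00 local time."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18

def parse_failures(text):
    """Return (timestamp, source_ip) for each failed SIP registration."""
    found = []
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            found.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return found

def summarize(text, threshold=3):
    """Share of failures outside office hours and the sources clustered there."""
    failures = parse_failures(text)
    off_hours = [src for ts, src in failures if not is_office_hours(ts)]
    share = len(off_hours) / len(failures) if failures else 0.0
    suspects = sorted(src for src, n in Counter(off_hours).items() if n >= threshold)
    return {"total": len(failures), "out_of_hours_share": share, "suspects": suspects}
```

The single daytime failure from an internal address stays below the threshold, while the external source hammering the registrar overnight is reported.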
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=931ac4c94a&e=20056c7556
White Paper Identifies Deep & Dark Web Data as Essential Source of Context for Threat Intelligence Programs
NEW YORK, July 15, 2015 /PRNewswire/ — Flashpoint, the leading commercial provider of data, intelligence, and insights from the Deep & Dark Web, released a new white paper that reviews the benefits, and ultimate necessity, of integrating the rich data from the underbelly of the Internet into a comprehensive threat intelligence program.
The white paper, “Illuminating the Deep & Dark Web,” explains how the data from this part of the Internet can be used to produce Indicators of Context (IOCXs), which can significantly enhance IOCs by offering contextual intelligence about the actors behind that compromise as well as associated actors who may be targeting the same or similar organizations. Answering the questions of who, what, where, when, why, and how an actor operates, security teams can subsequently use these IOCXs to understand current threats more comprehensively as well as be forward-thinking and proactive about future threats.
“Security teams without a mature Deep & Dark Web monitoring solution remain blind to critical data about their adversaries which limits their effectiveness in preventing and mitigating threats,” advised Matt Wong, Director of Intelligence at Flashpoint. “Fortunately, enacting a Deep & Dark Web monitoring program equips those same teams with a powerful tool to glean greater insight into their threat landscape and make better informed decisions to protect their company and customers.”
To download a complimentary copy of the white paper, please visit flashpoint-intel.com.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=99be4df360&e=20056c7556
Are You InfoSec Geek Enough? Take This Quiz and Let’s See What You Got!
Answers, and some explanations, are at the bottom of the article. Just write down your own answers on a piece of paper. To grade it, turn to the Answers Section and check your own paper. No cheating! If you cheat on this quiz, you are not cheating on me, but you are cheating yourself.
There are 35 questions in this quiz, so just record your score and find out what’s your InfoSec Geek rating. Are you ready?
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d7d459dd9f&e=20056c7556
NJ partnership fights financial cyber threats
In order to better protect state banking institutions from cybersecurity threats, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) is partnering with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to share and analyze financial cyber threat information.
Under the terms of the agreement, NJCCIC cyber threat analysts will be able to discover trends, tactics and vulnerabilities with the use of shared data leveraged from global financial institutions.
Both FS-ISAC and the NJCCIC will use Soltra Edge, an automated threat intelligence platform, to exchange intelligence in real-time between FS-ISAC’s Security Operations Center and the NJCCIC at the New Jersey Regional Operations Intelligence Center.
Link: http://paulgdavis.us3.list-manage2.com/track/click?u=45bf3caf699abf9904ddc00e3&id=d9776cd283&e=20056c7556
============================================================
Feedback, questions? Our mailing address is: dailynews@paulgdavis.com