[From the desk of Paul Davis – his opinions and no-one else’s]
Apart from the reporter’s opinions
So onto the news:
The CSA is the new VIP of information security
About 95 percent of the firms in the U.S. are small-to-midsize businesses. These small firms with even smaller IT departments can’t afford to burn an FTE slot on a CISO. They need a security architect or engineer, who can also hopefully provide security, privacy and risk management leadership. The bottom line is that good security design goes a very long way.
So what exactly does a cyber security architect (CSA) do? An architect is defined as a person who plans, designs and oversees the construction of buildings. To practice architecture means to provide services in connection with the design and construction of buildings and the space within the site surrounding the buildings.
With a bit of license, a CSA can be defined as the person who plans, designs and oversees the information security components of networks, systems and applications (software). The CSA provides key constituent stakeholders with effective architectural guidance to apply a consistent set of information security principles, mechanisms and guidelines to ensure that the data, applications and devices are secure.
The Cisco annual security report states that modern threats are capable of infecting mass audiences silently and effectively, not discriminating by industry, business size, or country. That’s the new reality every firm is dealing with. That means every firm, everywhere, needs a CSA.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b5506ae4e3&e=20056c7556
Is the information security industry having a midlife crisis?
According to Cybersecurity Ventures, “Worldwide spending on information security was expected to reach $71.1 billion in 2014, with the data loss prevention segment recording the fastest growth at 18.9 percent, according to a forecast from Gartner. Total information security spending is expected to grow a further 8.2 percent in 2015 to reach $76.9 billion.”
In order to shift the trajectory of InfoSec onto the course of awesomeness, more than the blueprints need to change. Mindsets need to shift. Security administrators need to start saying yes. “Businesses need to move, and we live in a world of yes. We need to stop saying no because they will find someone who says yes.”
Agreeing with Gonen, Earl Perkins, research vice president at Gartner, noted, “We have reached a point in time where the pace of change and the level of threat are beginning to collapse and not work.” Perkins talked about the need to shift the mindset about information technology as well. “Although IT isn’t a failure, it’s not deliberate in the way business would like it to be,” Perkins said.
The era of detection and response demands that organizations can no longer have malware that goes undetected for more than 200 days. “We are moving toward scouting parties and proactive offense. Improving the way you have monitoring,” said Perkins.
Perkins said, “Security has to move into a business resiliency phase. When does cyber security become a business continuity concern?” Cyber attacks have the potential to bring a company to its knees, and security has to be in place to allow the business to bounce back.
Shifting the way they think about security with a focus on the user experience will redirect the future of information security. “Thinking about awesomeness is a huge career move because two years from now the security officers are going to be the ones who know how to build awesome in to their environments,” Gonen said.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=a249053360&e=20056c7556
Businesses exposing confidential data to ex-employees
Just under one third (32 per cent) of UK companies have admitted that people who’ve left their employ still have access to confidential files and systems, meaning their business could be wide open to a major security breach.
However, the number is much higher in the US, where over half of all companies said outgoing employees were probably able to log into systems after leaving the organisation.
Almost half of respondents to the research, carried out by Centrify, said they had processes in place to ‘offboard’ leavers, while the same number again reported that leavers retain access rights and password knowledge that would allow them to break into systems up to a week after they cease working at the company.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=939a6b41d0&e=20056c7556
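The survey above is about a gap that is easy to measure: leavers whose accounts are still enabled. The following script is an added example, not part of the newsletter or the Centrify research, and it works on constructed sample data: an HR leavers feed and an export of accounts from an identity provider (status plus last login). It reconciles the two and rates any still-enabled leaver account, treating a login recorded after the leaving date as the worse case.

```python
from datetime import date, timedelta

# Constructed sample data, not from the survey: an HR leavers feed and an
# export of user accounts from the identity provider (status plus last login).
AUDIT_DATE = date(2015, 7, 15)

LEAVERS = [
    {"user": "asmith", "left": date(2015, 7, 1)},
    {"user": "bjones", "left": date(2015, 7, 10)},
    {"user": "cwong", "left": date(2015, 7, 14)},
]

ACCOUNTS = [
    {"user": "asmith", "enabled": False, "last_login": date(2015, 6, 30)},  # properly offboarded
    {"user": "bjones", "enabled": True, "last_login": date(2015, 7, 13)},   # still enabled, used after leaving
    {"user": "cwong", "enabled": True, "last_login": date(2015, 7, 14)},    # still enabled, not used since
    {"user": "dlee", "enabled": True, "last_login": date(2015, 7, 15)},     # current employee, not a leaver
]


def stale_leaver_accounts(leavers, accounts, today, grace_days=0):
    """Return one finding per leaver whose account is still enabled after the
    leaving date plus an optional grace period. A login recorded after the
    leaving date is the worse case and is rated high; otherwise medium."""
    by_user = {a["user"]: a for a in accounts}
    findings = []
    for leaver in leavers:
        acct = by_user.get(leaver["user"])
        if acct is None or not acct["enabled"]:
            continue  # no account, or already disabled: nothing to report
        deadline = leaver["left"] + timedelta(days=grace_days)
        if today <= deadline:
            continue  # still inside the agreed offboarding window
        last = acct["last_login"]
        used_after_exit = last is not None and last > leaver["left"]
        findings.append({
            "user": leaver["user"],
            "days_overdue": (today - deadline).days,
            "severity": "high" if used_after_exit else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in stale_leaver_accounts(LEAVERS, ACCOUNTS, AUDIT_DATE):
        print(f"{f['user']}: enabled {f['days_overdue']} day(s) past leaving date, severity {f['severity']}")
```

Run against the sample data it reports bjones (high, logged in after leaving) and cwong (medium). Run with grace_days=7 it reports nothing, which is exactly the week-long window the survey describes: a generous grace period in the offboarding process is what turns these accounts into an exposure.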
HTML5 Can Be Used to Hide Malware in Drive-by Download Attacks
Researchers at two Italian universities in Rome and Salerno have identified methods through which malware can be hidden in drive-by download exploits using modern HTML5 APIs.
According to the research paper, HTML technologies and APIs like Canvas, WebSocket, Web Workers, IndexedDB, localStorage, Web SQL, Cross-Origin Client Communication, and the File API, when combined, can help attackers obfuscate drive-by download exploits.
The initial research was carried out in the spring of 2013 and was redone in July 2015. Scientists used well-known security bugs in Firefox and Internet Explorer and tested out their HTML5-based obfuscation techniques using the VirusTotal antivirus engine aggregator.
While all exploits were detected without obfuscation, once the researchers applied their HTML5-based techniques, both in 2013 and in 2015, few or no antivirus engines were able to detect them.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=1dab5425f6&e=20056c7556
International hacker site Darkode taken offline by cross-borders task force
Notorious cybercrime forum Darkode, frequented by Lizard Squad and other hacking groups, has been taken offline in a coordinated international law enforcement clampdown across 20 countries.
Coinciding with the seizure, 28 people were arrested on Tuesday under charges of cybercrime offences by the joint cyber operation in countries including Israel, Germany, the UK, Sweden, Denmark, India and Romania, where 16 individuals were arrested, according to reports. The action brought the total of arrests under the operation to 70 across 20 countries.
According to reports in Brazil, an investigation into hackers in the country was opened in March this year by Federal Police in conjunction with the FBI, leading to the arrest of several people and seizure of the site’s equipment.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=15c4f36c7b&e=20056c7556
Report: Malvertisers now using SSL redirects
An AOL-owned advertising network has begun serving up malicious advertising that disguises itself with multiple SSL redirects.
Advertising networks have gotten better at spotting malicious downloads embedded into advertisements, so criminals began using redirects, even chains of a dozen redirects or more, to keep their malicious ads from being detected.
Advertising networks wised up to that as well, so the latest technique is SSL redirects, which have proven effective on an AOL-owned network that serves ads in many non-English-speaking countries.
The specific ad network affected is AOL-owned adtech.de, which serves clients in 74 countries.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=59071c14f2&e=20056c7556
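The report above describes long redirect chains, and chains that pass through HTTPS hops, being used to keep malicious ads away from the network's inspection. The script below is an added example, not from the report or from any ad network, of the check a defender can run over a chain: it walks the redirects, counts hops and distinct hosts, notes how many hops ran over HTTPS (which a plaintext inspector cannot see into unless it terminates TLS), and flags chains that are too long or never terminate. The redirect map, hostnames and the hop limit of six are constructed assumptions; a real scanner would fill the map by issuing requests without following redirects and recording each Location header.

```python
from urllib.parse import urlsplit


def _long_chain(start, n):
    """Build a constructed chain of n HTTPS tracking hops ending on a plain HTTP landing page."""
    chain, prev = {}, start
    for i in range(1, n + 1):
        chain[prev] = f"https://hop{i}.example/r"  # placeholder hostnames
        prev = chain[prev]
    chain[prev] = "http://landing.example/page"
    chain["http://landing.example/page"] = None
    return chain


# Constructed redirect map, not from the report: each key is a URL and the
# value is the Location header a request to it would return (None = final page).
REDIRECTS = {
    # ordinary creative: one hop to a CDN
    "http://ads.example/click?id=1": "https://cdn.example/creative.html",
    "https://cdn.example/creative.html": None,
    # redirect loop between two trackers
    "http://ads.example/click?id=3": "https://loop.example/a",
    "https://loop.example/a": "https://loop.example/b",
    "https://loop.example/b": "https://loop.example/a",
}
REDIRECTS.update(_long_chain("http://ads.example/click?id=2", 12))


def follow_chain(start, redirect_map, max_hops=20):
    """Walk the chain from start. Returns the URLs visited and a status:
    'terminated' (reached a final page), 'loop' (revisited a URL) or
    'truncated' (gave up after max_hops, so a cycle cannot hang the scan)."""
    visited, url = [start], start
    for _ in range(max_hops):
        nxt = redirect_map.get(url)
        if nxt is None:
            return visited, "terminated"
        if nxt in visited:
            return visited + [nxt], "loop"
        visited.append(nxt)
        url = nxt
    return visited, "truncated"


def assess_chain(start, redirect_map, hop_limit=6):
    """Summarise a chain for an analyst: hop count, distinct hosts, how many
    URLs in the chain were served over HTTPS, and a verdict. The hop limit is
    an assumed tuning value, not a figure from the report."""
    urls, status = follow_chain(start, redirect_map)
    parts = [urlsplit(u) for u in urls]
    hops = len(urls) - 1
    return {
        "start": start,
        "status": status,
        "hops": hops,
        "hosts": len({p.hostname for p in parts}),
        "https_urls": sum(1 for p in parts if p.scheme == "https"),
        "suspicious": status != "terminated" or hops > hop_limit,
    }


if __name__ == "__main__":
    for n in (1, 2, 3):
        r = assess_chain(f"http://ads.example/click?id={n}", REDIRECTS)
        print(f"{r['start']}: {r['hops']} hops, {r['hosts']} hosts, "
              f"{r['https_urls']} over HTTPS, {r['status']}, suspicious={r['suspicious']}")
```

The one-hop creative passes, the twelve-tracker chain is flagged on length alone, and the loop is flagged because it never reaches a final page. The HTTPS count is reported rather than used as a verdict: a chain that is mostly HTTPS is not malicious in itself, but it tells the analyst that a network-level inspector saw almost none of it.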
SAN FRANCISCO, July 15, 2015 /PRNewswire/ — Today, Black Hat, the world’s leading family of information security events, releases its first-ever research report ahead of the annual conference this August.
Based on a survey of nearly 500 top-level security experts who have attended the annual Black Hat USA conference, this research highlights the trends and pitfalls of the InfoSec world with responses from one of the most security-savvy audiences in the industry. The 2015 Black Hat Attendee Survey reveals a significant gap between the priorities and concerns as well as the actual expenditure of security resources in the average enterprise. For more information and to download the full report, 2015: Time to Rethink Enterprise IT Security, visit: blackhat.com/latestintel/07152015-attendee-survey.html.
In 2015, enterprises will spend more than $71.1 billion on information security, more than they have ever spent before, according to Gartner Group figures. Yet, the incidence of major data breaches shows no signs of abating. As enterprises continue to struggle with online attacks and data leaks, many are asking one common question: What are we doing wrong?
– Sophisticated Targeted Attacks: 57% of respondents indicated attacks targeted directly at their organization as their greatest concern. However, only 26% indicated that mitigating these attacks were among the top three security spending priorities in their organization. Further, only 20% said targeted attacks were among the top three tasks they spend the most time on day-to-day.
– Social Engineering: At 46%, the second greatest concern was phishing, social network exploits or other forms of social engineering. Yet, only 22% indicated their organization spends a large portion of their security budget here. And only 31% indicated that they spend a large amount of their time on social engineering.
– More than a third of Black Hat attendees said that their most time-consuming tasks are in addressing vulnerabilities introduced by internally developed software (35%) and vulnerabilities introduced by off-the-shelf software (33%). The data suggest that application flaws across the enterprise consume a great deal of time for the IT staff, yet are seldom considered the greatest threats.
– Staffing Shortage: Only 27% of respondents said they feel their organization has enough staff to defend itself against current threats.
– Measly Budgets: Only one-third (34%) said their organization has enough budget to defend itself against current threats.
– In Need of Training: While 36% said they have the skills they need to do their jobs, some 55% said they could use some training.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c9902551f2&e=20056c7556
The latest addition to their arsenal is the SeaDuke backdoor and downloader Trojan.
Not much is known about the cyber espionage group that wields the so-called “Dukes”: backdoors and information stealers that all have “Duke” in their name, and have been used to compromise high-value, government-level targets.
For their attacks, they use several malware tools: the MiniDuke backdoor, the CozyDuke backdoor and downloader Trojan, the CosmicDuke backdoor and info-stealer.
The latest addition to their arsenal is the SeaDuke backdoor and downloader Trojan.
“SeaDuke is a low-profile information-stealing Trojan which appears to be reserved for attacks against a small number of high-value targets. SeaDuke victims are generally first infected with CozyDuke and, if the computer appears to be a target of interest, the operators will install SeaDuke,” Symantec researchers have found.
“The malware hides behind numerous layers of encryption and obfuscation and is capable of quietly stealing and exfiltrating sensitive information such as email from the victim’s computer.”
“SeaDuke securely communicates with the C&C server over HTTP/HTTPS beneath layers of encoding (Base64) and encryption (RC4, AES). To an untrained eye, the communications look fairly benign, no doubt an effort to stay under the radar on compromised networks.”
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=c9ed218226&e=20056c7556
Oracle and Microsoft shuffle out anti-Hacking Team patches while Adobe takes the heat
Oracle and Microsoft have quietly rushed out patches to fix security flaws exposed in the Hacking Team crack at the same time that Adobe has issued its patches to fix security flaws exposed in the same attack.
Oracle has released a patch for Java intended to fix 24 vulnerabilities, as well as a zero-day flaw that is known to have been actively exploited in the wild. The latest version is Java 8, Update 51. It also offers the choice of disabling Java content in web browsers, which some security specialists have recommended.
Microsoft, in the meantime, shuffled a dozen security fixes into its latest Patch Tuesday release. It included a major patch for the Internet Explorer web browser, intended to fix 28 bugs – including zero-day vulnerabilities exploited by Hacking Team. The flaws were serious enough that Internet Explorer users could become infected merely by browsing a compromised web page.
At the same time, Adobe has rushed out fixes to the two critical flaws highlighted over the weekend, as promised. The flaws, identified as CVE-2015-5122 and CVE-2015-5123, were “use-after-free” and “BitmapData use-after-free” bugs respectively.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=846f665e9e&e=20056c7556
Half of Aussie IT managers report weekly cyber breaches: Centrify
The company commissioned the survey of more than 100 IT attendees at last month’s AusCERT event to evaluate the frequency of breaches on organisations that don’t make front page headlines. The survey reports that 46 per cent of IT managers believe their organisations had experienced an attempted security breach in the previous seven days. A considerable 13 per cent of respondents believed that such an attack had occurred in the previous 60 seconds.
The firm said 56 per cent of respondents nominated security as the biggest concern for the next year, closely followed by Cloud computing at 55 per cent. The third most pressing concern was mobile applications and management at 21 per cent. The Australian findings are said to tally with the results of Centrify research undertaken in the US and the UK where security is also a leading concern. Centrify senior director APAC sales, Niall King, said the survey findings reinforced what customers were telling the company.
Link: http://paulgdavis.us3.list-manage1.com/track/click?u=45bf3caf699abf9904ddc00e3&id=21e71a846b&e=20056c7556
Threat Detection Evolution: Quick Wins
As we wrap up this series on Threat Detection Evolution, we’ll work through a quick scenario to illustrate how these concepts come together to impact on your ability to detect attacks. Let’s assume you work for a mid-sized super-regional retailer with 75 stores, 6 distribution centers, and an HQ. Your situation may be a bit different, especially if you work in a massive enterprise, but the general concepts are the same.
The first step is always to leverage what you already have. The good news is that you’ve been logging and vulnerability scanning for years. The data isn’t particularly actionable, but it’s there. So you can start by aggregating it into a common place. Fortunately you don’t need to spend a ton of money to aggregate your security data. Maybe it’s a SIEM, or possibly an offering that aggregates your security data in the cloud. Either way you’ll start by putting all your security data in one place, getting rid of duplicate data, and normalizing your data sources, so you can start doing some analysis on a common dataset.
To look for activity you don’t know about, you need to first define normal for your environment. Traffic that is not “normal” provides a good indicator of potential attack. Activity outliers are a good place to start because network traffic and transaction flows tend to be reasonably stable in most environments. So you start with anomaly detection by spending a week or so training your detection system, setting baselines for network traffic and system activity.
On the back of your high-profile win detecting attackers, you now want to start taking advantage of attacks you haven’t seen. That means integrating threat intelligence to benefit from the misfortune of others. You first need to figure out what external data sources make sense for your environment. Your detection/monitoring vendor offers an open source threat intelligence service, so that first decision was pretty easy. At least for initial experimenting, lower cost options are better.
The good news is that your new detection capability has shown value almost immediately. But as we discussed, it required significant tuning and demands considerable care and feeding over time. And you still face significant resource constraints, both at headquarters and in distribution centers and stores. So it makes sense to look for places where you can automate remediation.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=3f41ec83d7&e=20056c7556
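The four steps in the scenario above (aggregate and normalise what you already log, dedupe it, baseline normal, then layer threat intelligence and automate only the confident remediations) fit in one small pipeline. The script below is an added example written for this digest, not code from the original series or its author. It runs on constructed data: a training window of per-connection byte counts that are already known to be normal, a handful of log lines from two differently formatted sources (a firewall and a proxy), and a placeholder indicator feed whose one address is not a real IoC. The three-sigma threshold and the action names are assumptions.

```python
import statistics

# Constructed sample data, not from the article: a training window of
# per-connection byte counts considered normal, raw log lines from two
# differently formatted sources, and a placeholder indicator feed.
TRAINING_BYTES = [4500, 4800, 5100, 4900, 5300, 4700, 5000, 4600, 5200, 4900]

FIREWALL_LOGS = [
    "2015-07-15T10:00:01 src=10.1.5.20 dst=203.0.113.10 bytes=5200",
    "2015-07-15T10:00:02 src=10.1.5.21 dst=198.51.100.7 bytes=4800",
    "2015-07-15T10:00:01 src=10.1.5.20 dst=203.0.113.10 bytes=5200",  # same event logged twice
    "2015-07-15T10:00:05 src=10.1.5.22 dst=192.0.2.44 bytes=910000",  # far above the baseline
]
PROXY_LOGS = [
    "10.1.5.21 198.51.100.7 4700 2015-07-15T10:00:04",
    "10.1.5.23 192.0.2.99 5100 2015-07-15T10:00:06",  # destination is on the indicator list
]
THREAT_INTEL = {"192.0.2.99"}  # placeholder indicator, not a real IoC


def parse_firewall(line):
    """Firewall lines are 'timestamp key=value ...'."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return {"ts": ts, "src": kv["src"], "dst": kv["dst"],
            "bytes": int(kv["bytes"]), "source": "firewall"}


def parse_proxy(line):
    """Proxy lines are positional: 'src dst bytes timestamp'."""
    src, dst, nbytes, ts = line.split()
    return {"ts": ts, "src": src, "dst": dst, "bytes": int(nbytes), "source": "proxy"}


def aggregate(firewall_lines, proxy_lines):
    """Step 1: normalise both sources into one schema and drop exact duplicates."""
    events, seen = [], set()
    parsed = [parse_firewall(l) for l in firewall_lines] + [parse_proxy(l) for l in proxy_lines]
    for ev in parsed:
        key = (ev["ts"], ev["src"], ev["dst"], ev["bytes"])
        if key in seen:
            continue
        seen.add(key)
        events.append(ev)
    return events


def build_baseline(training_bytes, sigmas=3.0):
    """Step 2: learn what 'normal' looks like from the training window.
    Anything beyond mean + sigmas * stdev is treated as an outlier (assumed tuning)."""
    mean = statistics.mean(training_bytes)
    stdev = statistics.stdev(training_bytes)
    return {"mean": mean, "stdev": stdev, "threshold": mean + sigmas * stdev}


def detect(events, baseline, intel):
    """Step 3: alert on baseline outliers and on destinations present in the intel feed."""
    alerts = []
    for ev in events:
        if ev["bytes"] > baseline["threshold"]:
            alerts.append({"src": ev["src"], "dst": ev["dst"], "reason": "volume_outlier"})
        if ev["dst"] in intel:
            alerts.append({"src": ev["src"], "dst": ev["dst"], "reason": "threat_intel_match"})
    return alerts


def recommend_action(alert):
    """Step 4: automate only the high-confidence case; outliers go to an analyst."""
    return "block_destination" if alert["reason"] == "threat_intel_match" else "open_ticket"


def run_pipeline():
    events = aggregate(FIREWALL_LOGS, PROXY_LOGS)
    baseline = build_baseline(TRAINING_BYTES)
    alerts = detect(events, baseline, THREAT_INTEL)
    return events, alerts, [recommend_action(a) for a in alerts]


if __name__ == "__main__":
    events, alerts, actions = run_pipeline()
    print(f"{len(events)} unique events after aggregation")
    for alert, action in zip(alerts, actions):
        print(f"{alert['src']} -> {alert['dst']}: {alert['reason']} => {action}")
```

On the sample data the six raw lines collapse to five events, the 910 kB transfer trips the baseline and becomes a ticket, and the connection to the listed address becomes an automatic block. Splitting the two outcomes is the point of the last step: an indicator match is specific enough to act on unattended, while a volume outlier still needs the tuning and care the series describes.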
The End Of Whack-A-Mole: From Incident Response To Strategic Intelligence
I am an old U.S. Army guy. In the early 2000s, I ran the Army’s Computer Emergency Response Team, the ACERT, and my job was to coordinate offensive and defensive operations across the Army. One of my main tasks back then was to respond to computer incidents.
Fifteen years later, advanced network defenders have realized that playing whack-a-mole with the adversary is not sufficient. It is lacking in several key areas. Whack-a-mole gives the network defender no intelligence about what these adversary groups were trying to accomplish, why they were trying to accomplish it, where they went once they compromised the endpoint, and whether or not they had the capacity to materially impact their business or organization. Playing whack-a-mole with the adversary back in the early 2000s was fine because we did not know any better. Today, the process seems quaint and is very tactical.
Since then, advanced network defender organizations have realized that they need to up their game. We all need to transform our tactical incident response teams into strategic intelligence teams. Here is what I mean.
The successful adversary group develops repeatable processes so that it does not have to re-invent the wheel every time it goes after a new victim. Those repeatable processes leave traces in the network. We call them “indicators of compromise” and we can track them. In my day, we assigned this work to the tactical incident responders, but it became clear early on that those groups did not have the skillset needed to track adversary groups with this kind of granularity. We still needed the incident responders to do what they do, but it was not sufficient to gain an understanding of what the adversary group was about in the aggregate. We needed full-scale intelligence teams.
The evolution has begun. Advanced organizations have already transformed their tactical incident response teams into strategic intelligence teams. Palo Alto Networks created their team, Unit 42, last year. You are going to have to do this eventually. I recommend that you start now.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=825ecb2c9f&e=20056c7556
Automobile Industry Gears Up For Cyber-Threat Intel-Sharing
A year in the making, the automobile industry’s new intelligence sharing and analysis center (ISAC) is now official and revving up to begin disseminating and exchanging cyber threat information later this year.
Heightened concerns over the safety of a rapidly emerging generation of networked vehicles initially led the Alliance of Automobile Manufacturers and the Association of Global Automakers to first begin mulling an ISAC in July of 2014, when they announced plans to address security weaknesses and vulnerabilities in vehicle automation and networking features that could put cars at risk of being hacked for sabotage or other purposes.
Officials from the Alliance of Automobile Manufacturers — of which 12 major carmakers, such as BMW Group, Fiat Chrysler, Ford, General Motors, Mazda, and Toyota are members — and the Association of Global Automakers — which includes Honda, Nissan, Subaru, and others — Booz Allen Hamilton, and SAE International, today announced that the auto industry’s ISAC is now officially close to going live. Word of the ISAC came in conjunction with the 2015 SAE Battelle Cyber Auto Challenge in Detroit, where students work with automakers and government agencies on secure system design via hands-on cybersecurity activities.
The challenge for automakers with their new ISAC will be both the trust factor among fierce competitors–true for nearly all ISACs when they first get up and running–and the fact that a vulnerability or threat may only affect a very specific make, model and year of a vehicle. Even so, the auto industry OEM ecosystem is such that most automakers use a lot of the same suppliers, so if the OEM products have bugs, so will many of the cars.
The ISAC initially will not include suppliers from the auto industry, but it will extend to them as well as telecommunications and other technology providers as the ISAC matures, he said.
Link: http://paulgdavis.us3.list-manage.com/track/click?u=45bf3caf699abf9904ddc00e3&id=b7a500fbf9&e=20056c7556