Threat actors launch one malicious attack every minute

BlackBerry’s inaugural Quarterly Threat Intelligence Report highlights the volume and model of treats across a range of organisations and regions, including industry-specific attacks targeting the automotive and manufacturing, healthcare and financial sectors.

In the 90 day period between September 1 and November 30 2022, BlackBerry says it stopped 1,757,248 malware-based cyberattacks. This includes 62 unique samples per hour, or one sample each minute. The most common cyber-weapons used in  attacks include the resurgence of the Emotet botnet after a four-month dormancy period, the extensive presence of the Qakbot phishing threat, which hijacks existing email threads to convince victims of their legitimacy, and the increase in infostealer downloaders like GuLoader.

“Annual threat reports have been a fantastic way to provide insight into overall trends, but now more than ever, organisations need to make well-informed decisions and take prompt effective actions, using the latest actionable data,” said Ismael Valenzuela, Vice President, Threat Research & Intelligence at BlackBerry. “Our public and private reports are written by our top threat researchers and intelligence analysts, world-class experts that not only understand the technical threats but also the global and local geopolitical situation, and how it affects organisational threat models in each region. This expertise allows us to provide actionable and contextualised threat intelligence to increase cyber resilience and to enable mission and business objectives.”

Other revelations from the report include:

  • MacOS is not immune. It is a common misconception that macOS is a “safe” platform due to it being used less among enterprise systems. However, this could be lulling IT managers into a false sense of security. BlackBerry explores the pernicious threats targeting macOS, including malicious codes that are sometimes even explicitly downloaded by users. In Q4, the most-seen malicious application on macOS was Dock2Master which collects users’ data from its own surreptitious ads. BlackBerry researchers noted that 34 percent of client organisations using macOS had Dock2Master on their network.
  • RedLine was the most active and widespread infostealer in this last quarter. Post-pandemic work models have necessitated the need for businesses to support remote and hybrid employees, putting corporate credentials at greater risk of attack from malicious actors than ever before. RedLine is capable of stealing credentials from numerous targets including browsers, crypto wallets, and FTP and VPN software, among others, and selling them on the black market. Cybercriminals and nation state threat actors rely on initial access brokers trading stolen credentials. RedLine is one of them providing initial access to another threat actors. 

The post Threat actors launch one malicious attack every minute appeared first on IT Security Guru.

Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape  

Obrela Security Industries recently launched their H1 2022 Digital Universe Study, which provides detailed insight into this year’s security and threat landscape. The results provide a ‘funnel’ view of real-time visibility data, and allow organisations to gain a better understanding of how threats are security are developing, and how they can better protect themselves.  

To put together this report, Obrela collected and analysed 1 PBs of logs as well as 100,000 devices. In this time, they detected 7,369 cyber incidents with an average response time of 7 seconds.  

Using this, Obrela’s security team was able to find out what attack vectors were most prominent and what type of methods threat actors tended to execute when attempting to gain unauthorised access. Some of the more significant shifts within the threat landscape included: 

  • A 16% increase in data breaches, as well as attacks that targeted end users as opposed to corporations.  
  • A 6% upswing in zero-day attacks, particularly exploiting vulnerabilities.  
  • A 12% surge in attacks related to internal threats, such as policy violations, privileged user activity and inadvertent actions.

Looking at particular attack methods, Obrela found that those most utilised were typically malware infection, reconnaissance, data exfiltration and phishing attacks, along with the exploitation of malicious insiders.  

The study also looks into which sectors are most vulnerable to cyber criminals, with banking & financial services, and government/corporate being at the top of the list. This is mostly down to the monetary value that threat actors can extract from exploiting weaknesses in security, as well as the personal and confidential data they store on their servers. In addition, banking, finance, government and corporate sectors play an important role in global economic activity, making them an incredibly attractive target for a criminal looking to exfiltrate information and extort.   

What can companies do to protect themselves?  

To decrease risk and make sure their security posture is up to scratch, organisations must remember to do the ‘basics’. This means, following best practices such as implementing security training, user authentication and access, and protecting their endpoints and brand. In order to boost security and improve security, organisations should extend their best practices to also include network management, as well as network segmentation and Zero trust. These should be deployed across the whole company and its network. Another option is for organisations to partner with an MSSP, who can monitor their IT and cloud infrastructure, removing the pressure from their own IT teams and allowing them to focus on internal issues and tasks; this could make the difference between a secure corporate nature and becoming another breach statistic. 

Emerging use cases 

After analysing the data and devices, Obrela found new incident cases, including:  

Domain impersonation: this is often associated with phishing campaigns, where employees of an organisation or end-users are targeted by cyber criminals pretending to be from their bank. Victims are taken to an impersonation site, via a phishing link, which will prompt them to enter personal information, including bank details or passwords. By the time the victim notices it is often too late, and malicious actors will already have access to their accounts or network.  

Internal Directory Busting: This vector is similar to a brute force web attack, which targets public facing websites. In using this method, threat actors can then exfiltrate personal and confidential data to use for malicious purposes.  

Unfortunately, cyber criminals are becoming increasingly sophisticated and are adaptable to the evolving threat landscape. Organisations must ensure they have the basic cybersecurity infrastructure, but they should also implement an extra layer of protection around their end users and networks. A network or system breach can not only impair their business operation, but it can also significantly affect their reputation, damaging their brand image and often leading to loss of customer trust.  

In partnering with an MSSP who understands the fluid nature of the security market, organisations can better secure their environments and keep their employees and customers protected from numerous cyber threats.  

 The Digital Universe study can help organisations understand what these types of threats are and how to protect against them.

You can find the full report here:  

The post Obrela’s 2022 Digital Universe Study – A look at today’s threat landscape   appeared first on IT Security Guru.

The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyberwar

According to Philip Ingram, the concept of “cyber war” is nothing new. He cites World War One as one of the earliest notable examples—in which the United Kingdom cut Germany’s transatlantic cables. This action forced the German High Command to switch its communication line to a different cable, which the United Kingdom was listening in to, taking advantage of this rerouting in order to intercept the Zimmerman Telegram, and ultimately decoding Germany’s messages. This is a prime example of the now all too common Distributed Denial of Service attack, otherwise known as DDoS.

Although DDoS has its benefits, it can be just as well used for more nefarious activities. Even so, the motives behind a malicious DDoS attack are not always clear from an outsider’s perspective. Ingram notes:

“What we don’t look at very often is the WHY the countries are doing it. Who are they targeting, and therefore understanding that WHY will give us an opportunity to understand whether we could be a target for some of these organisations… Whether directly to have an effect on us, or whether indirectly to try and get a stepping stone to somewhere else.”

But based on previous experiences, inferences can be drawn in order to postulate ideas on the reasoning behind more recent attacks, as well as the motives behind strategic movements such as misinformation and the causation of political unrest. Take Russia, for instance. As Ingram discusses in his interview, while Russia is interested in economic information, it most prioritises details pertaining to the political and military fields. Other countries adopt different stances—with China maintaining, as Ingram phrases it, “a wary eye on the effectiveness of a combat effect is going to have an economic impact on China itself”. Rather, China cautiously takes note of other countries’ movements, meaning that it doesn’t need to invest huge sums of money in developing their own technologies or products—as it is more efficient for them to steal designs or plans from other countries, one of which is named by Ingram as the United Kingdom. 

“So… when it comes to [China] getting so many markets, [it means] something is going to be a lot cheaper and a lot faster, without all the checks and balances, and everything else that we do. And that is happening with technology, it’s happening with drugs, [and] it’s happening with your other engineering [and] manufacturing.” 

Shifting his focus to North Korea, Ingram asks how a country that strives to prevent its people from using the internet or having access to any sort of modern technology is capable of “[producing] so many highly qualified computer engineers that can set up massive cyber threats for the rest of the world.” Yet despite the fact that North Korea is considered to be one of the United Kingdom’s most dangerous cyber-adversaries due to its force of skilled engineers, it only has two internet pipelines—one supplied by China, and the other from Russia. This means that, should either China or Russia decide to execute a DDoS attack, they have plausible deniability, often blaming it on North Korea —opening up the floor for international cyber-attacks. 

In light of the war—and thus, the resulting tensions—between Russia and Ukraine, Ukraine has been repeatedly subjected to Russian-initiated disinformation campaigns since 2003. Furthermore, even with a significant time window spanning several years, Ukraine hasn’t been able to create cyber defences strong enough to fend off the countless attacks Russia sends its way. But these cyber-attacks aren’t restricted to just the realm of computers and servers in a lab. Rather, they bear influence on the battlefield, corralling Ukraine into a disadvantage in its conflict against Russia—with methods including interception of data, as was initially done with the Zimmerman Telegram, as well as signal jamming and, again, a denial of service, intended to inhibit, if not outright block, communication between Ukrainian forces. 

However, for the time being at least, this is the extent to which it is possible to harness technology as a mode of attack against other countries across the world—for Ingram doesn’t believe that we are yet at the stage at which countries can declare a full-fledged cyberwar against one another. In fact, Ingram argues that “there is no such thing as cyber war [because] we are not going to find a complete conflict in the cyber domain.” Rather, these cyber-attacks are just another method of attack, similar to launching ammunition or mobilising a country’s standing forces. Even so, according to Jens Stoltenberg—who is currently serving as the Secretary General of NATO—it is possible to deem cyber-attacks as an Article Five issue given certain circumstances, which means that, should a country attack another country within the NATO sphere, this attack will be interpreted as an attack on all other countries under NATO, and these countries will react accordingly. United, the countries under NATO bear an immense force that Vladimir Putin doesn’t wish to have directed towards Russia. 

To provide further context on the threats that may lie within the digital world, one can turn to the mobile game Pokémon Go. Though it is really just a harmless game intended to pass the time—in which players must catch monster characters and advance through the game by manoeuvring throughout their real world surroundings—it does use  location services, meaning that the information about where users currently are, as well as what areas they frequent, is being processed and uploaded online in real-time, which may put them at risk should the data be threatened, especially since many of these accounts are connected to personal data or are possessed by minors. Ingram finds this to be a concern because, when one examines the game’s terms and conditions, they find that, Pokemon Go “[allows] the app to access absolutely everything in your device, your emails, your SMS messages, your WhatsApp messages, your photographs, every bit of data and every other app that was in there.”

The creator of Pokémon Go, John Hanke, has a breadth of projects under his belt, one example being the company dubbed Keyhole. This particular name choice takes on an interesting connotation when one takes into account that, as Ingram says, “[Keyhole] is the code word for the top-secret spy satellites that the Americans put up into space in 1950s… [and Keyhole is] the front company of the CIA and US intelligence… So [because] we’ve got Keyhole, [and] we’ve got CIA funding, this makes for a concerning trend.” In other words, because of how intricately the CIA, US intelligence, and user’s personal data and geographical activities are intertwined as a result of this game, Pokémon Go users should be especially mindful of how they use the app. That isn’t to say, however, that Pokémon Go is a dangerous app, nor is it to say that anyone on the development team is at fault for endangering users. Rather, users should go about the game with caution, should they choose to play it.

Lastly, in his closing remarks, Ingram says: 

“There’ll be a lot that we don’t know about, and one of the future [goals]… is to start talking about what will happen in the metaverse… and everything [that’s] coming in there. And that gives a completely new environment to start exploiting people to connect the virtual world into the physical world. And these intelligence agencies in particular in China are looking at it now. Are we from a defence perspective?”

The post The Nation State Threat — Philip Ingram Discusses DDoS and the Possibilities of Cyberwar appeared first on IT Security Guru.

DomainTools Launches Global Partner Program to Bring Best-in-Class Internet Intelligence and Threat Hunting Capabilities to Enterprise Security Teams

DomainTools, the leader for Internet intelligence, today launched its Global Partner Program led by Tim Durant, the recently appointed Vice President, Global Channels and Alliances. 

Threat intelligence plays an increasing role in the Security Operations Center (SOC) as security teams struggle to cope with the rising threat landscape. The DomainTools Global Partner Program features the company’s best-in-class threat intelligence solutions, providing channel partners with the tools needed to help enterprise security teams proactively detect emerging threats and attackers lurking in their networks. 

According to Chris Nelson, Chief Revenue Officer at DomainTools, “We’re thrilled that Tim Durant has joined our executive team and to launch our new Global Partner Program. Tim brings more than 15 years of experience creating high-impact programs that build revenue through new partners, products/services and routes to market on a global scale. The channel is one of the key growth drivers for DomainTools and we’re excited for Tim to spearhead our channel strategy and growth, and to reinforce our commitment as a channel-first organization.” 

“Having worked with DomainTools since 2019, it’s great to see them bolster their commitment and investment into their channel business and partnerships like ours,” said Phil Higgins, CEO at Brookcourt Solutions, a leading UK-based IT services provider. “The data and products from DomainTools have allowed us to meaningfully enhance the security postures of dozens of firms. We look forward to building many further opportunities with DomainTools as a trusted partner.” 

The DomainTools Global Partner Program will expand existing channel relationships as well as build new partnerships across the globe. It offers a wide range of benefits to channel partners, including generous and simple margin structure for new and renewal business, access to in depth training, online deal registration, and joint promotional programs. 

“I’m eager to deepen our existing partner relationships and to expand our incredible partner ecosystem,” said Tim Durant. “DomainTools seeks to work with a wide variety of partners, from cybersecurity technology companies, to VARs, and MSSPs. Each of these partners brings specialized expertise and market knowledge, and we’re excited about the opportunity to not only expand their portfolio but also work together to help augment an organization’s limited threat intelligence resources.” 

In his new role, Tim will lead the DomainTools channel program and sales and revenue goals and will be responsible for go-to-market strategies within the diverse DomainTools partner ecosystem. Prior to DomainTools, Tim spent nearly a decade at Hitachi Vantara, where he was Sr. Director of Strategic Global Alliances. 

The post DomainTools Launches Global Partner Program to Bring Best-in-Class Internet Intelligence and Threat Hunting Capabilities to Enterprise Security Teams appeared first on IT Security Guru.

Collaboration in Cyber Security is the Key to Combatting the Growing Cyber Threat. Here’s Why

Cyber security has never been so important and in a post-pandemic world it is more important than ever. According to a recent report by Kaspersky, the number of the number of Trojan-PSW (Password Stealing Ware) detections increased by almost a quarter globally – 4,003,323 in 2022 compared to 3,029,903 in 2021.

In addition, internet attacks also grew from 32,500,00 globally in 2021 to almost 35,400,000 in 2022. With cybercrime still massively on the rise, organisations of all sizes can no longer adopt a head in the sand approach when it comes to cyber security and say that it isn’t something they need to bother with or worry about.

Many in cyber security have an excellent record of collaborating, but the industry remains fragmented and suffers from silos which can leave organisations vulnerable. These silos often arise because of an outdated, silo-based corporate structure. This in turn can leave an organisation vulnerable to data loss and disruptions to business continuity.

There are many organisations who are doing great work globally to help combat the growing cyber threat, but they largely remain isolated. As a result, the industry is often unaware of this great work. Greater collaboration with associations and entities in cyber security is the key to being stronger together as an industry when it comes to combatting cybercrime, but how can this be achieved?

Why is collaboration so powerful in cyber security?

Collaboration with associations and other key stakeholders in cyber security globally can reduce the time between the discovery of new threats and protection implementation, which in turn allows organisations to keep up with the ever-evolving threat landscape.  Speeding up the delivery of threat intelligence is crucial for building a strong cyber security programme, and vendors should work on making it as easy as possible to break down the silos between different security disciplines.

Various associations, councils and other groups within cyber security have been founded globally, but they tend to work alone and work to “keep out” any perceived outsiders. Usually this is because of a competitive threat, and sometimes this is entirely justified for organisations to keep their distance from others. But if these important bodies joined forces and worked together to help combat the growing cyber threat this might go some way to help combatting it.

Barriers to successful collaboration in cyber security

Historically there have been many barriers to sharing threat intelligence, which can make collaboration difficult to implement at scale. For example, associations may be working on projects that they deem as strictly confidential, or they may include sensitive information from a national security perspective. Vendors might use data formats or APIs that require plug-ins or proprietary tools in commercial products for translation.

Cyber security often has a misguided perception that it is solely focused on a lone person sitting in a darkened room wearing a hoodie responding to the “bad guys”, and in terms of breaking down silos this image is not very appealing to those who are searching for a career that is focused on people and being part of a strong team.

The industry also needs to start talking about cyber security being beyond the default “ransomware” and “attackers” it often defers to. Therefore, the industry must change its siloed perception. While these barriers are of course a legitimate concern, there are many ways they can be overcome to enable greater collaboration.

Collaborating beyond borders to help combat the growing cyber threat

Many non-profit organisations have already been established which aim to make cybercrime more difficult and less lucrative, and they already collaborate well together on a global scale. Examples include the Cyber Threat Alliance, which takes threat information sharing to a new level in the hope that it will lead to greater protection for the public against cyber-attacks. This not-for-profit organisation encourages greater collaboration between cyber security organisations by enabling near real-time high quality cyber threat information sharing amongst its members and with the world.

In the UK associations and organisations such as the Cyber Security Alliance and the National Cyber Security Centre work together to foster greater collaboration, but the newly created entity Cyber Security Unity aims to take this to the next level by joining up with and collaborating with trade associations globally.  The ethos of Cyber Security Unity is that associations are stronger together when it comes to combatting the growing cyber threat.

The role of governments in collaborating with associations

Governments need to play a major role in achieving greater collaboration, but the industry associations, who all operate in and fully appreciate the increasingly dangerous cyber-threat landscape, must take the initiative for real progress on greater collaboration to begin. The digital world is borderless, and attacks coming through are having a huge global impact. It may fall to the associations to educate governments on just how serious the cyber-threat problem is and of the potentially catastrophic impact they may have.

Once governments are working more closely with industry and treating cyber-threats with the seriousness they deserve, they can develop the necessary global infrastructure to foster collaboration. For example, the development of an international communication system, enabling intelligence to be rapidly passed between governments and organizations, in the same way as there are tsunami and terror warnings. The cyber industry must be at the forefront of such an approach and communication is key to global collaboration, but caution should be exercised as there has to be a strategy in place. To communicate effectively between different countries and organizations, associations need to join hands with everyone to build it together.

Final thoughts

If associations in cyber security join up to work in a collaborative fashion, this will help to establish a more sound, successful, and strategic framework for cyber security. By making a conscious effort to improve information sharing globally, as well as through government and law enforcement agencies – the world will benefit from gaining intelligence and insights that will help strengthen defences against cybercrime. And that can only be a good thing.

Lisa is a Security Serious Unsung Heroes Awards finalist in the Security Leader / Mentor category.  The awards, sponsored by Beazley, KnowBe4, KPMG, Qualys and The Zensory and organised by Eskenzi PR, aim to celebrate the people, not products in the cybersecurity industry.

The post Collaboration in Cyber Security is the Key to Combatting the Growing Cyber Threat. Here’s Why appeared first on IT Security Guru.

Microsoft Threat Intelligence Center Links Threat Group to Austrian Spyware Vendor DSRIF

Microsoft has linked the efforts of the threat group Knotweed to an Austrian spyware vendor. The group has so far used the malware dubbed ‘SubZero’ to attack groups in Europe and Central America. The Subzero malware, as used by Knotweed, can be used to hack a target’s phone, computers, network, and internet-connected devices.

DSRIF markets itself as a company that provides information research, forensics, and data-driven intelligence services to corporations. Yet, Microsoft has found multiple associations between the two apparently dissimilar groups which establishes a concrete link.

“These include command-and-control infrastructure used by the malware directly linking to DSIRF, a DSIRF-associated GitHub account being used in one attack, a code signing certificate issued to DSIRF being used to sign an exploit, and other open-source news reports attributing Subzero to DSIRF,” Microsoft said.

“Observed victims to date include law firms, banks, and strategic consultancies in countries such as Austria, the United Kingdom, and Panama.”

In 2021, the cyber mercenary group was also linked to the exploitation of a fourth zero-day, a Windows privilege escalation flaw in the Windows Update Medic Service (CVE-2021-36948) used to force the service to load an arbitrary signed DLL.

“To limit these attacks, we issued a software update to mitigate the use of vulnerabilities and published malware signatures that will protect Windows customers from exploits Knotweed was using to help deliver its malware,” said Cristin Goodwin, General Manager at Microsoft’s Digital Security Unit.

“We are increasingly seeing PSOAs selling their tools to authoritarian governments that act inconsistently with the rule of law and human rights norms, where they are used to target human rights advocates, journalists, dissidents and others involved in civil society,” Goodwin added.

The post Microsoft Threat Intelligence Center Links Threat Group to Austrian Spyware Vendor DSRIF appeared first on IT Security Guru.