Avira Antivirus Pro - Review 2020 - PCMag India

Posted: 11 Jun 2020 12:00 AM PDT

Every computer needs antivirus protection, and one way companies can support that aim is to provide free antivirus to the masses. But these companies can't survive unless some users shell out their hard-earned cash for paid antivirus utilities. Piling on pro-only tools and components is one way companies encourage upgrading to a paid antivirus. Avira Antivirus Pro adds several components not available to users of Avira Free Security, but they don't really add much value. The biggest reason to pay for it is if you want to use Avira in a commercial setting, which isn't allowed with the free version. Avira's pricing is undeniably on the high side, with a list price of $59.88 per year for one license, $71.88 for three, and $95.88 for five. Admittedly, it seems to be perpetually on sale; just now, the one-license price is discounted to $44.99. That…

4 ways to fight back against coronavirus phishing and malware attacks - TechRadar

Posted: 23 Mar 2020 06:00 AM PDT

Sadly, with the widespread media attention around the coronavirus, attackers are already using the topic to bait victims into opening malicious attachments. Researchers at IBM X-Force have identified several campaigns in which opening the attachment silently downloads the Emotet banking trojan in the background; the trojan can then steal sensitive information from the user. Kaspersky, Proofpoint and Mimecast have all seen similar attacks.

For businesses, malware can wreak havoc. Not only can it cause websites and mobile applications to be taken down, but it can also access sensitive information which can have devastating security, reputational and financial consequences. For banks, attackers can use sensitive information to commit fraud. So, what can banks and businesses do to ensure they and their customers are protected during this period of heightened threat activity?

Implement expert rules

Process Injection Tops Attacker Techniques for 2019 - Dark Reading

Posted: 18 Mar 2020 01:56 PM PDT

Attackers commonly use remote administration and network management tools for lateral movement, a new pool of threat data shows.

The threat landscape of 2019 was dominated with worm-like activity, researchers report in a new analysis of confirmed threats from the past year. Attackers are growing more focused on lateral movement, with an emphasis on using remote administration network tools to execute it.

Red Canary's "2020 Threat Detection Report" contains an analysis of 15,000 confirmed threats that appeared in customer environments throughout 2019. Researchers mapped each confirmed threat to the corresponding MITRE ATT&CK technique to determine which techniques were most prevalent over the past year. Their findings illustrate which methods are most common and how attackers are using them.

The popularity of automated lateral movement is largely driven by TrickBot, the data-stealing Trojan that contributed to thousands of detections. TrickBot, combined with the use of remote admin and network management tools, is not fully responsible for the frequency of common attack techniques, but the three play a major role in why cybercriminals choose specific tactics.

TrickBot is typically seen as part of a string of infections that starts with the Emotet Trojan and ends in a Ryuk ransomware infection. Emotet lands on a device and loads TrickBot, which steals credentials from infected devices as it moves laterally across a network. When TrickBot is done, it launches Ryuk, which encrypts the infected machines on a network and demands a ransom.

"Overwhelmingly, ransomware was the trend in 2019 in terms of payloads and what adversaries set out to do," says Keith McCammon, co-founder and chief security officer at Red Canary, of a general pattern the research team noticed in analyzing the data. Another prominent trend is threats to confidentiality: Attackers will lock up target systems and demand money to return system access — or they threaten to publish the company's data online.

"If someone takes system access away, you might not have great options for getting that access back, but you have some options," says McCammon. This shift is "a different calculus" because organizations may not know what the adversary has. Without that insight, "you kind of have to assume the worst." For many organizations, this data dump could pose an existential threat.

The most common attack technique researchers list is process injection, which TrickBot uses to run malicious code through Windows Server Host. Why isn't an Emotet technique, used to land on a machine, more popular? As researchers explain in a blog post, a growing portion of their visibility comes from incident response, much of which brought them into environments where Emotet had completed its actions and TrickBot had arrived on a number of devices. As a result, they couldn't detect initial access or early-stage payloads, only the threats left behind.

Many of the companies Red Canary worked with in incident response were "really large, well-established organizations with a high percentage of systems impacted," says McCammon, noting this can be attributed to tactics, automation, and refinement that enable attackers to get into a complex enterprise and infect several systems at the same time. "We saw more big companies hit with very, very impactful attacks than we've seen before."

Process injection, which makes up 17% of all threats analyzed, affects 35% of organizations and appeared in 2,734 confirmed threats in 2019, the researchers report. It was the top attack technique from 2018 into 2019 due to the widespread TrickBot and Emotet outbreaks that occurred throughout the same time frame. Using this method, attackers can conduct malicious activity in the context of a legitimate process, so they blend in.

The second-most-popular attack technique is scheduled task, which, like process injection, is seen in worm-like and TrickBot activity. This tactic, which schedules tasks to launch malicious binaries and persist on target devices, affects 33% of businesses and makes up 13% of threats overall. It's handy for attackers because it allows them to schedule tasks remotely; it's also useful for execution and persistence alongside common scripting languages such as PowerShell.

Tying with scheduled task is Windows Admin Shares, a technique that also made up 13% of total threats and affected 28% of organizations in 2019. This enables worm-like activity and falls under the category of remote/network admin tools. Self-propagating threats — in particular, those that used EternalBlue — drove Windows Admin Shares from the 10th-most-popular threat in 2018 to third place in 2019. Administrators often use them for remote host management, giving attackers a subtle means to move laterally throughout an environment.
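The three techniques ranked above all leave traces in ordinary endpoint telemetry, which is the defender's starting point. The following is an added example, not code from the Dark Reading article or from Red Canary's report: a small Python rule set run over constructed, simplified process-creation and remote-thread records. The record layout, hostnames, user names and file paths are this example's own (a real Sysmon or EDR schema differs), the allow-list of images permitted to create remote threads is a hypothetical baseline, and the ATT&CK IDs attached to each finding (T1053 scheduled task, T1021.002 Windows admin shares, T1055 process injection) are the real technique identifiers.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample telemetry, loosely modelled on endpoint process-creation and
# remote-thread events. Field names, hosts, users and paths are this example's own
# simplification, not any vendor's real log schema. The first four records play
# out the lateral-movement chain the article describes; the last two are benign.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process_create", "host": "ws-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /s ws-02 /tn "Updater" /tr C:\Users\Public\svc.exe /sc minute /mo 5',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "host": "ws-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": r"net use \\ws-02\C$ /user:CORP\alice",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "host": "ws-01", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"copy C:\Users\Public\svc.exe \\ws-02\ADMIN$\svc.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "remote_thread", "host": "ws-02", "user": "CORP\\alice",
     "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "host": "ws-03", "user": "CORP\\bob",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /query /tn "Backup"',
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"type": "remote_thread", "host": "ws-03", "user": "NT AUTHORITY\\SYSTEM",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\conhost.exe"},
]

# A UNC path to a hidden administrative share: \\host\C$, \\host\ADMIN$, \\host\IPC$.
ADMIN_SHARE = re.compile(r"\\\\[^\\\s]+\\(?:[A-Za-z]\$|ADMIN\$|IPC\$)", re.IGNORECASE)
# schtasks.exe switches: /create registers a task, /s <system> targets a remote host.
SCHTASKS_CREATE = re.compile(r"(?<!\S)/create(?!\S)", re.IGNORECASE)
SCHTASKS_REMOTE = re.compile(r"(?<!\S)/s\s+\S+", re.IGNORECASE)

# Hypothetical baseline of images expected to create threads in other processes.
# In a real deployment this list is learned from the environment's own telemetry,
# not hard-coded; it exists here only so the benign sample record is not flagged.
REMOTE_THREAD_BASELINE = {r"c:\windows\system32\csrss.exe"}


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the technique findings for one event (empty list if none)."""
    findings: List[str] = []
    if event["type"] == "process_create":
        cmd = event["cmdline"]
        if image_name(event["image"]) == "schtasks.exe" and SCHTASKS_CREATE.search(cmd):
            if SCHTASKS_REMOTE.search(cmd):
                findings.append("T1053 scheduled task created on a remote host")
            else:
                findings.append("T1053 scheduled task created")
        if ADMIN_SHARE.search(cmd):
            findings.append("T1021.002 administrative share referenced on command line")
    elif event["type"] == "remote_thread":
        if event["source_image"].lower() not in REMOTE_THREAD_BASELINE:
            findings.append("T1055 remote thread created by a non-baseline image")
    return findings


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; yield (host, user, finding) triples."""
    return [(e["host"], e["user"], f) for e in events for f in evaluate(e)]


def summarize(findings: Iterable[Tuple[str, str, str]]) -> Dict[str, int]:
    """Count findings per host so a chain of low-severity hits stands out."""
    return dict(Counter(host for host, _, _ in findings))


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for host, user, finding in hits:
        print(f"{host:<6} {user:<20} {finding}")
    print(summarize(hits))
```

Because administrators use schtasks, admin shares and remote threads legitimately (the article's point about features being misused rather than exploited), each finding on its own is weak evidence; the per-host summary is where the pattern becomes visible, with three distinct techniques from one user on ws-01 within a single session, followed by a thread injected into svchost.exe on the host that was targeted. A production rule set would also tune the remote-thread baseline and the command-line patterns against the environment's own history before alerting.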

Eight of the top 10 attack techniques involve features of a platform being misused, McCammon says. They're not standout strategies that would normally put teams on alert.

"The [techniques] I think we are definitely starting to see more of, and will continue to see escalate and refined, are going to be a lot of the lateral movement techniques … almost entirely the ones that depend on living off the land," says McCammon, listing PowerShell and WMI as examples. Attackers are "using the features of these platforms that businesses rely on to operate their network and can't just turn off." As it gets harder to put malware onto a system, the adversaries are getting better at using tools that are already there, he explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
