IT-Sa Talk 3 (IT-Sa Vortrag 3)


IT-Sa Talk 3 (IT-Sa Vortrag 3), Splunk
Ransomware: how can I protect myself? (Ransomware – wie kann ich mich schützen?)
Angelo Brancato | Security Specialist, EMEA
© 2017 SPLUNK INC.

Who am I?
Angelo Brancato, Security Specialist. Three observations that frame the talk:
• Threats are more complex and far reaching
• The skills gap is not closing
• Security has to enable the business and the mission

Enterprise Machine Data Fabric
Splunk is one platform for application delivery, security, development & operations, IT operations, Internet of Things and business analytics: different people asking different questions of the same data.

The Ransomware Trend
Chart of ransomware discoveries per year (source: https://fatsecurity.com/article/ransomware-protection-guide).

The Ransomware Trend: worms then, ransomware now
Timeline 2003, 2004, 2005, 2012 … 2017 contrasting worm discoveries with ransomware discoveries.
• Worm discoveries: Santy, Bolgimo, Caribe, Blaster, Netsky, Welchia/Nachi, MyDoom, SQL Slammer, Bagle, Zobot, Brontok, Boobface, Daprosy, Sobig, L10n, Nyxem, Storm, Conficker, Duqu, Stration, Stuxnet, Swen, Witty, Sasser, Sober, Rugrat, Agobot
• Ransomware discoveries from 2012 onwards; annotation: (0-day) exploit
Sources: https://en.wikipedia.org/wiki/Timeline_of_computer_viruses_and_worms and https://fatsecurity.com/article/ransomware-protection-guide

The Ransomware Trend: one exploit chain, many payloads
The ETERNALBLUE remote exploit plus the DOUBLEPULSAR backdoor gave the same initial access to several different payloads:
• WANNACRY (ransomware)
• UIWIX (ransomware)
• ADYLKUZZ (bitcoin miner)
• RATs (remote access trojans)
What lands after the exploit is the attacker's choice: ransomware, bitcoin miner, bot-net (DDoS, spam), remote access trojan (targeted attacks), etc.

Ransomware Kill Chain
• Reconnaissance and Weaponization: criminal syndicate
• Delivery: watering hole / exploit kit; malicious email (link/attachment)
• Exploitation: vulnerability
• Installation: ransomware
• Command and Control (C2)
• Actions on Objectives
Analytics-Driven Security (Splunk security portfolio)
• Splunk Enterprise: on-premise, cloud, hybrid, with a developer platform (REST API, SDKs)
• Human-driven and supervised ML-driven analytics; unsupervised ML-driven analytics
• Analytics-driven SIEM (Splunk Enterprise Security)
• Apps and add-ons: Security Essentials family (Ransomware, Anti-Fraud, Cyber Security Investigator), CIS Top 20 Critical Security Controls, DGA App, Splunk App for PCI Compliance, Splunk Machine Learning Toolkit, Splunk Stream, add-ons, etc.
The talk picks three items from this slide: (1) CIS Top 20 Critical Security Controls, (2) Security Essentials for Ransomware, (3) Enterprise Security with Adaptive Response.

1. Splunk CIS Top 20 Critical Security Controls (best practice)
https://splunkbase.splunk.com/app/3064/
• The CIS Top 20 controls improve risk posture against real-world threats
• The control areas grew out of an international consortium
• Splunk can monitor compliance with the controls and generate alerts for non-compliance
• In case of non-compliance Splunk can carry out recommended actions
• 40+ dashboards
*CIS: Center for Internet Security, https://www.cisecurity.org/controls/
(A second slide shows screenshots of the app's dashboards.)
Analytics-Driven Security (portfolio slide repeated, highlighting item 2: Security Essentials for Ransomware)

2. Security Essentials for Ransomware
https://splunkbase.splunk.com/app/3593/
Use case suggestions:
• Detect Journal Clearing
• Detect Lateral Movement With WMI
• Detect Log Clearing With wevtutil
• Fake Windows Processes
• Malicious Command Line Executions
• Monitor AutoRun Registry Keys
• Monitor Successful Backups
• Monitor Successful Windows Updates
• Monitor Unsuccessful Backups
• Monitor Unsuccessful Windows Updates
• Office Spawns Unusual Process
• Ransomware Extensions
• Ransomware Note Files
• Ransomware Vulnerabilities
• SMB Traffic Allowed
• Spike in SMB Traffic
• TOR Traffic
• Windows Event Log Clearing Events
Detection, forensics and prevention methods:
• Detection via Statistical Analysis
• Detection via Windows Registry
• Detection via Shannon Entropy
• Detection via Fake Windows Processes
• Detection via File Encryption Events
• Detection via DNS Traffic
• Detection via Sysmon Logs
• Detection via Firewall Logs
• Detection via IDS Events
• Detection via Network Activity
• Detection via SMB Events
• Detection via Deletion of Shadow Copies
• Forensics via log2timeline
• Prevention via Lag Detection
• Prevention via Vulnerability Management
• Prevention via Backup Activity
• Prevention via Automated File Analysis
Let's take a quick look at this…

Let's build the SPL step by step
1. Source: Windows PC Sysmon event data, Event Code 1 = start of a process (process creation, which carries the full command line).
2. Calculate the length of the command line each process was started with.
3. Calculate, per host, the average command line length and its standard deviation.
4. Run stats on the calculated fields.
5. Filter on hosts where a command line is more than 10 standard deviations above that host's average → these are probably infected and should be investigated first.

Splunk Online Experience: try it out!
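The five-step SPL build above is the statistical "Malicious Command Line Executions" method. As an added example that is not part of the slides or of Splunk's own app content, the following Python re-implements the same per-host computation over constructed Sysmon Event ID 1 records (the host names, the command lines and the "A" * 3000 encoded-command placeholder are all made up) so that it can be run offline. The SPL in the docstring is my reconstruction of what the slides describe, not a query taken from the deck. The example also adds the check a practitioner needs before trusting this rule: because the outlier is included in its own host's average and standard deviation, the largest z-score a single event can reach among n events is (n-1)/sqrt(n), so a 10-sigma threshold can only fire on a host with at least 102 process starts in the search window; a quiet host running the very same encoded command is never flagged.

```python
"""Per-host command-line-length outlier detection over Sysmon process-creation events.

Added, constructed example: it re-implements the slides' step-by-step SPL in
Python so the logic can be run and checked offline. It is not Splunk's code and
the sample events below are made up.
"""
import math
import statistics
from collections import defaultdict

# Constructed ordinary process starts (Sysmon EventCode 1) on a Windows
# workstation; their lengths lie between roughly 45 and 100 characters.
NORMAL_COMMANDS = [
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
    r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding",
    r"C:\Windows\System32\RuntimeBroker.exe -Embedding",
    r"C:\Windows\system32\backgroundTaskHost.exe -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca",
]

# Placeholder for an encoded PowerShell launch of the kind droppers use.
# The "A" * 3000 stands in for a base64 blob; it is not a real payload.
LONG_COMMAND = (
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + "A" * 3000
)


def build_sample_events():
    """Constructed Sysmon records reduced to the fields the detection needs."""
    events = []
    # Busy host: 150 ordinary process starts plus one encoded PowerShell launch.
    for i in range(150):
        events.append({"host": "pc-finance-07", "EventCode": 1,
                       "CommandLine": NORMAL_COMMANDS[i % len(NORMAL_COMMANDS)]})
    events.append({"host": "pc-finance-07", "EventCode": 1, "CommandLine": LONG_COMMAND})
    # Quiet host: only four ordinary starts plus the same launch.
    for i in range(4):
        events.append({"host": "pc-lab-01", "EventCode": 1,
                       "CommandLine": NORMAL_COMMANDS[i]})
    events.append({"host": "pc-lab-01", "EventCode": 1, "CommandLine": LONG_COMMAND})
    # A network-connection event (EventCode 3) that the search must skip.
    events.append({"host": "pc-finance-07", "EventCode": 3, "CommandLine": ""})
    return events


def flag_long_command_lines(events, sigma=10.0):
    """Return the process starts whose command line is more than `sigma`
    standard deviations longer than the average on the same host.

    Assumed SPL equivalent (my reconstruction of the slides, not a query
    taken from the deck):
      index=sysmon EventCode=1
      | eval cmdlen=len(CommandLine)
      | eventstats avg(cmdlen) AS avg_len, stdev(cmdlen) AS sd_len BY host
      | where cmdlen > avg_len + 10 * sd_len
    """
    by_host = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") != 1:        # step 1: process creation only
            continue
        by_host[ev["host"]].append(ev)

    hits = []
    for host, evs in by_host.items():
        lens = [len(e["CommandLine"]) for e in evs]   # step 2: length per start
        if len(lens) < 2:
            continue                         # stdev is undefined for one event
        avg = statistics.mean(lens)          # step 3: per-host average ...
        sd = statistics.stdev(lens)          # ... and sample stdev, like Splunk's stdev()
        if sd == 0:
            continue                         # identical command lines: nothing stands out
        for e, n in zip(evs, lens):          # steps 4 and 5: score and filter
            z = (n - avg) / sd
            if z > sigma:
                hits.append({"host": host, "cmdlen": n, "avg_len": round(avg, 1),
                             "sd_len": round(sd, 1), "z": round(z, 2),
                             "CommandLine": e["CommandLine"][:80]})
    return hits


def max_reachable_z(n):
    """Largest z-score one event can have among n events of a host when it is
    included in its own mean and sample standard deviation: (n-1)/sqrt(n).
    A 10-sigma rule therefore cannot fire on a host with fewer than 102 starts."""
    return (n - 1) / math.sqrt(n)


if __name__ == "__main__":
    for hit in flag_long_command_lines(build_sample_events()):
        print(hit)
    print("smallest event count at which 10 sigma is reachable:",
          next(n for n in range(2, 1000) if max_reachable_z(n) >= 10))
```

Run as-is it reports exactly one hit, the encoded launch on pc-finance-07 at roughly 12 sigma, and nothing for pc-lab-01, where the same command line cannot exceed 1.8 sigma among five events. In Splunk the equivalent safeguard is to add the per-host event count to the stats and either widen the search window or lower the multiplier for hosts that cannot reach the threshold.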
Learn Splunk Skills for Security
• Use sample data to safely practice security investigation techniques
• Embedded help features step-by-step how-to guides on finding security problems
• Contains the data set and tips and tricks for this ransomware webinar for you to learn from
1. Step-by-step instruction
2. Launch instruction video
3. One-click online session
https://www.splunk.com/en_us/form/security-investigation-online-experience-endpoint.html

Analytics-Driven Security (portfolio slide repeated, highlighting item 3: the analytics-driven SIEM)

3. Analytics-Driven Security: SOC playbooks
• Tier 1: Alert Analyst
• Tier 2: Incident Responder
• Tier 3: SME / Hunter
People, process and technology, tied together by Adaptive Response. Machine data feeds the loop of Monitor, Detect, Investigate, Respond. Splunk Enterprise (on-premise, cloud, hybrid) provides schema-on-read and universal indexing; Enterprise Security sits on top of it.
Reference: The Pyramid of Pain, http://detect-respond.blogspot.de/2013/03/the-pyramid-of-pain.html

Enterprise Security Adaptive Response Framework
A ransomware runbook built from Adaptive Response actions, with Enterprise Security as the security nerve center coordinating network, web proxy, threat intelligence, firewall, WAF & app security, orchestration, cloud security, endpoints, and identity and access.

Visit us at stand 10.0-116. Thank you.