Cyber security information center

Cyber attack of the clones

Posted by Chris Morales on Nov 27, 2016 12:00:00 PM

As the holidays roll in, there are going to be a lot of Internet-enabled devices gifted, from Star Wars droids to fridges that know what you eat better than you do. Attackers are happy. New devices mean bigger clone armies.


In previous research from the Vectra Threat Labs, we learned that seemingly innocuous vulnerabilities can become serious problems in the context of the Internet of Things (IoT). IoT is the unattended attack surface. The recent public release of source code for malware named "Mirai" has proven exactly that. Mirai continuously scans the Internet for IoT devices that still use factory default usernames and passwords, primarily CCTV cameras and DVRs.


Topics: Vulnerabilities, IoT


Election 2016: The bungling of big data

Posted by David Pegna on Nov 17, 2016 12:00:00 PM

We live in the age where big data and data science are used to predict everything from what I might want to buy on Amazon to the outcome of an election.

The results of the Brexit referendum caught many by surprise because pollsters suggested that a “stay” vote would prevail. And we all know how that turned out.

History repeated itself on Nov. 8 when U.S. president-elect Donald Trump won his bid for the White House. Most polls and pundits predicted there would be a Democratic victory, and few questioned their validity.

The Wall Street Journal article, Election Day Forecasts Deal Blow to Data Science, made three very important points about big data and data science:

  • Dark data, data that is unknown, can result in misleading predictions.
  • Asking simplistic questions yields a limited data set that produces ineffective conclusions.
  • “Without comprehensive data, you tend to get non-comprehensive predictions.”

Topics: Data Science, cyber security, machine learning


InfoSec skills shortage: The No. 1 threat to Internet security

Posted by Günter Ollmann on Nov 15, 2016 12:00:00 PM

When asked a poorly bounded question such as “What is the biggest threat to Internet security?”, the majority of quick-fire answers can likely be represented by the flags of a handful of nation states. Certainly the front-of-mind answer – identifying a cluster of hackers – represents a constant and escalating threat to business continuity and potential compromise.

Yet, if we introspectively examine the nature of our industry, we can easily argue that the biggest risk that Internet security faces is in fact our general inability to respond and counter the attacks launched by adversaries from around the world.

It is estimated that today there are over 1 million InfoSec positions unfilled – growing to over 1.5 million by 2019 – and more than 200,000 of those vacancies are in the U.S. This global shortage of expertise and experience lies at the very heart of the InfoSec world’s ability to respond to cyber attacks – affecting vendors and consumers alike.


Topics: it-security, cybersecurity, InfoSec


The election hackers: Some uncovered points

Posted by Chris Doman on Nov 3, 2016 1:30:00 AM

The group known as Fancy Bear[1], reportedly behind recent attacks against the U.S. Democratic National Committee and U.S. political figures, has been widely discussed. Detailed reports about the group’s operation have been published by Microsoft, ESET, FireEye and Trend Micro.

But some interesting details about these attackers have not been covered, and this blog aims to provide more details and fill in some of the blanks.

This isn’t their first election hack

In 2014, the Ukrainian Election Commission was compromised during the presidential election by pro-Russian hackers calling themselves CyberBerkut. They delayed the counting of votes and posted a false claim on the election commission's website that a right-wing candidate had won the election.


Topics: Targeted Attacks, Malware Attacks, cyber security, Threat Labs


Moonlight – Targeted attacks in the Middle East

Posted by Chris Doman on Oct 26, 2016 1:30:00 AM

Vectra Threat Labs researchers have uncovered the activities of a group of individuals currently engaged in targeted attacks against entities in the Middle East. We identified over 200 samples of malware generated by the group over the last two years. These attacks are themed around Middle Eastern political issues and the motivation appears to relate to espionage, as opposed to opportunistic or criminal intentions.


Topics: Targeted Attacks, Malware Attacks, cyber security, Threat Labs


Triggering MS16-030 via targeted fuzzing

Posted by Bill Finlayson on Oct 11, 2016 11:05:35 AM

The need to analyze the patch for MS16-030 recently presented itself to us due to some related product research. After the analysis was complete, we realized that the attack surface of the patch was pretty interesting and determined it may be beneficial to share part of the analysis. This post will focus on triggering a patched bug from MS16-030.


Topics: fuzzing, patch analysis, Microsoft, Threat Labs, reverse engineering


Exploiting the firewall beachhead: A history of backdoors into critical infrastructure

Posted by Günter Ollmann on Sep 28, 2016 11:00:00 AM

Sitting at the edge of the network and rarely configured or monitored for active compromise, the firewall today is a vulnerable target for persistent and targeted attacks.


Topics: Detection, Datacenter, firewall, backdoors, infrastructure, Data Center


Bringing attack detection to the data center

Posted by Wade Williamson on Sep 12, 2016 11:59:00 PM

Today, we are proud to announce a major update that extends the Vectra cybersecurity platform to the enterprise data centers and public clouds. For this release we wanted to do much more than simply port the existing product into a virtualized environment. Instead, Vectra security researchers, data scientists, and developers started with a fresh sheet of paper to address the real-world challenges and threats that are unique to the enterprise data centers and clouds.


Visibility and intelligence that spans the enterprise

First, it was important to remember that the data center can be both integrally connected, yet in some ways separated from the physical enterprise. For example, attacks can spread from the campus environment to the data center environment, and security teams absolutely need to know how these events are connected. On the other hand, 80% of data center traffic never leaves the data center, making it invisible to traditional security controls.


Topics: Cyberattacks, cybersecurity, Data Center


Reverse engineering the Shadow Brokers dump: A close look at NOPEN

Posted by Nick Beauchesne on Sep 12, 2016 11:58:00 PM

While digging and reversing my way through the Equation Group dump, I’ve come across a few interesting pieces that probably are not getting the attention they deserve. While a lot of the initial research has focused on the potential 0-days, the dump also gives a glimpse into the backbone tools and operational methods of a serious hacking group.

Certainly 0-days are great, but in my opinion the previously disclosed Fortidoor exploit is 100x more significant than the Fortigate HTTP 0-days disclosed in the dump. And while most of the dump is around firewall implants and a few exploits, there are some very interesting ops tools in the drop. One of those tools is NOPEN. It is referenced multiple times in their scripts, ops notes and docs, and seems to be one of the cornerstones of their infrastructure. It is significant both as a backdoor in a target network and as a tool deployed on a listening post to let you create a multi-layer call-back network. So let's take a closer look at this software.


Topics: Malware Attacks, cyber security, Detection


From the Iron Age to the “Machine Learning Age”

Posted by Günter Ollmann on Aug 30, 2016 8:00:00 AM

It is likely self-evident to many that the security industry’s most overused buzzword of the year is “machine learning.” Yet, despite the ubiquity of the term and its presence in company marketing literature, most people – including those working for many of the vendors using the term – don’t actually know what it means.


Topics: cyber security, machine learning, cybersecurity