BluSapphire | Intelligent Cyber Defense
Rapid Ransomware Analysis

A new ransomware attack, known as “Rapid Ransomware”, has surfaced. Like previous variants, Rapid Ransomware scans the system for data files and encrypts them. This variant appends “.rapid” as an extension to each encrypted file's name.

Once it has finished encrypting the system, it opens the "recovery.txt" ransom note in Notepad. The ransom note tells the victim to send an email to "frenkmoddy@tuta.io" to receive further instructions on restoring files and payment.

This post is an overview of the analysis made by BluSapphire.

ANALYZED SAMPLE:

MD5: 46f5092fcedc2fee4bfbd572dd2a8f6f

BEHAVIORAL ANALYSIS:

Upon execution, the sample deletes the existing shadow copies on the infected machine, making recovery almost impossible.

The attacker used the Windows utility "bcdedit.exe" to disable Windows automatic repair mode, and also executed "taskkill.exe" commands to kill any running database processes.

We noticed that the malware places a file named "info.exe" in the folder "%APPDATA%/Roaming/" and configures itself to auto-run on every login by setting a new registry entry under the key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\".

With the ability to run on every logon, it appears that the malware is capable of checking for newly created files and encrypting them.

Unfortunately, as of this writing we haven't come across any method that could help us decrypt the files encrypted by Rapid Ransomware.

Kiran Vangaveti
Dissecting Olympic Destroyer Malware

The Pyeongchang Winter Olympics in South Korea were disrupted by a cyber attack that took down most of the systems, including ticketing, Wi-Fi devices, televisions and media rooms in the stadium, during the opening ceremony.

It was identified as wiper malware named “Olympic Destroyer”, built with a focus on taking down systems and wiping out data. “Olympic Destroyer” is weaponized to delete or wipe out all files, shadow copies and event logs, making the system unusable even for recovery.

Similar to NotPetya and BadRabbit, which surfaced in 2017, “Olympic Destroyer” uses the Windows features PsExec and WMI for lateral movement, and named pipes as its own communication channel during execution.

Last week one of our sensors collected the sample, and this post is an overview of the analysis made by BluSapphire.

 

ANALYZED SAMPLE:

MD5 Hash: cfdd16225e67471f5ef54cab9b3a5558

 

BEHAVIORAL ANALYSIS:

To make recovery or repair almost impossible, the attacker used the Windows "bcdedit.exe" utility, which is used for managing Boot Configuration Data (BCD).

To cover their tracks, the attacker used the Windows utility "wevtutil.exe" to delete the Security and System Windows event logs.

During execution, the sample drops two different files in the "%temp%" directory that are used during lateral movement, and it uses named pipes as a communication channel for propagation around the network.

With the intention of wiping out all data, the attacker used "vssadmin.exe" to delete all available shadow copies, making recovery difficult.
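The Rapid Ransomware and Olympic Destroyer analyses above describe the same pre-impact pattern: built-in Windows utilities used to delete shadow copies, disable boot recovery, clear event logs or kill database processes. The following is an added example (not BluSapphire's code) that correlates such process-creation command lines per host; the event layout, host names, sample command lines and database process names are constructed assumptions, since the posts name the utilities but not their arguments.

```python
"""Added example: correlate recovery-inhibition commands per host."""
import re
from collections import defaultdict

# Assumption: database process names to watch; the posts do not list them.
DB_PROCESSES = ("sqlservr.exe", "mysqld.exe", "oracle.exe")

# (tag, utility image name, pattern applied to the arguments only)
RULES = [
    ("shadow_copy_delete", "vssadmin.exe",
     re.compile(r"\bdelete\s+shadows\b", re.I)),
    ("boot_recovery_disabled", "bcdedit.exe",
     re.compile(r"\brecoveryenabled\s+no\b"
                r"|\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("event_log_cleared", "wevtutil.exe",
     re.compile(r"(?:^|\s)(?:cl|clear-log)\s+\S+", re.I)),
    ("db_process_killed", "taskkill.exe",
     re.compile(r'/im\s+"?(?:%s)\b'
                % "|".join(map(re.escape, DB_PROCESSES)), re.I)),
]


def split_command(command_line):
    """Return (lower-cased image file name, argument string)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))\s*(.*)', command_line, re.S)
    if not m:
        return "", ""
    image = re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()
    if not image.endswith(".exe"):
        image += ".exe"          # "bcdedit" and "bcdedit.exe" are the same tool
    return image, m.group(3)


def classify(command_line):
    """Return the rule tag for a command line, or None if it is not of interest."""
    image, args = split_command(command_line)
    for tag, utility, pattern in RULES:
        if image == utility and pattern.search(args):
            return tag
    return None


def correlate(events, window_s=300, min_tags=2):
    """Alert on hosts showing >= min_tags distinct behaviours within window_s seconds.

    A single hit (an admin clearing one log) is common; several different
    recovery-inhibiting actions close together on one host is the signal.
    """
    per_host = defaultdict(list)
    for ev in events:
        tag = classify(ev["command_line"])
        if tag:
            per_host[ev["host"]].append((ev["time"], tag))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = set()
        for i, (start, _) in enumerate(hits):
            tags = {tag for t, tag in hits[i:] if t - start <= window_s}
            if len(tags) > len(best):
                best = tags
        if len(best) >= min_tags:
            alerts[host] = sorted(best)
    return alerts


# Constructed sample events ("time" is seconds since an arbitrary start).
SAMPLE_EVENTS = [
    {"host": "FIN-WS01", "time": 100, "command_line": r"vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FIN-WS01", "time": 102, "command_line": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "FIN-WS01", "time": 105, "command_line": r"taskkill.exe /f /im sqlservr.exe"},
    {"host": "OPS-SRV02", "time": 200,
     "command_line": r'"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet'},
    {"host": "OPS-SRV02", "time": 201, "command_line": r"C:\Windows\System32\wevtutil.exe cl System"},
    {"host": "OPS-SRV02", "time": 202, "command_line": r"wevtutil cl Security"},
    {"host": "OPS-SRV02", "time": 203, "command_line": r"bcdedit /set {default} recoveryenabled no"},
    # Routine administration: same utilities, harmless arguments.
    {"host": "ADMIN-PC", "time": 300, "command_line": r"vssadmin list shadows"},
    {"host": "ADMIN-PC", "time": 301, "command_line": r"bcdedit /enum"},
    {"host": "ADMIN-PC", "time": 302, "command_line": r"wevtutil qe System /c:5 /f:text"},
    {"host": "ADMIN-PC", "time": 303, "command_line": r"taskkill /im notepad.exe"},
    # Two hits, but hours apart: outside the correlation window.
    {"host": "LAB-VM", "time": 400, "command_line": r"wevtutil cl Application"},
    {"host": "LAB-VM", "time": 20000, "command_line": r"vssadmin delete shadows /for=C: /oldest"},
]

if __name__ == "__main__":
    for host, tags in correlate(SAMPLE_EVENTS).items():
        print(host, tags)
```

Matching on the image name plus its arguments, rather than on the utility name alone, is what keeps the routine `list`, `/enum` and `qe` invocations from alerting.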

Tagged: Olympic Destroyer, wiper malware, Badrabbit

ZeroDay Detection with Machine Learning(ML) BluSapphire

The years 2016 and 2017 witnessed a rise in cyber attacks targeting various sectors such as banking and industry. New variants and types (fileless/in-memory) of malware families surface each day (WannaCry, Petya/NotPetya/Nyetya/GoldenEye, BadRabbit, etc.), which a traditional antivirus engine cannot detect without a signature.

With the advancement of today’s cybercrime, there have also been advances in the detection of such potential threats, which brings me to Machine Learning (ML). According to wiki, Machine Learning (ML) is a field of computer science that gives computers the ability to learn without being explicitly programmed. In other words, a computer is trained to learn and identify malicious threats on its own.

BluSapphire is being integrated with a Machine Learning (ML) engine that is capable of detecting potential threats the moment they enter the network, making it easier to detect such sophisticated threats.

Last week one of our sensors collected a file that was flagged as malicious by our Machine Learning (ML) engine. Being a zero-day, it had not triggered any AV flags at that point in time. This post is an overview of the analysis made by the BluSapphire ML engine.

ANALYZED SAMPLE:

MD5 Hash: 9d55d1c81605209fc2b537e74af9c91c

ANALYSIS:

We observed that the file was being downloaded from the URL “.pigcherrytoky.download”.

The Machine Learning (ML) engine flagged the file as malicious. The file is loaded with anti-debug techniques that make it difficult to debug.

Being a zero-day, it did not trigger any AV flags, but the code within matched over 176 known trojan malware samples.

The malware being multipartite, it refused to execute in pieces.

APIS ABUSED:

GetCommandLineA
InitializeCriticalSection
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
VirtualFree
VirtualAlloc
TlsDetValue

Within a few hours, the same PUP was flagged as malicious by multiple AVs.

BadRabbit Analysis using BluSapphire

Following the outbreak of Petya/NotPetya, which surfaced in June, a new ransomware attack known as “BadRabbit” made headlines last week, affecting machines in Ukraine, Russia, Turkey and Bulgaria.

Initial Attack Vector:

Unlike Petya/NotPetya, which used SMB (EternalBlue) as the initial vector, this variant uses a drive-by download attack: the malware (BadRabbit) is delivered and spreads via malicious websites.

BadRabbit utilizes:

  1. Diskcryptor to encrypt the files with selected extensions

  2. SCmanager, schtasks and rundll32.exe to invoke other components

  3. For lateral movement, it scans the local network for SMB shares and spreads via SMB

  4. Mimikatz for credential harvesting on compromised machine

Analyzed samples:

MD5 Hash                            Description
fbbdc39af1139aebba4da004475e8839    Adobe_Flash_Update – Dropper
1d724f95c61f1055f0d02c2154bbccd3    infpub.dat – Main DLL
b4e6d97dafd9224ed9a547d52c26ce02    cscc.dat – Driver for Encryption
b14d8faf7f0cbcfad051cefe5f39645f    dispci.exe – DiskCryptor Client

Behavioral analysis:

Once downloaded, the executable dropper pretends to be an Adobe Flash update to convince the victim to install it.

Upon execution, it drops the main module DLL “infpub.dat” in the “C:\Windows” directory, which is then launched by rundll32.exe with arguments:

C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15

It executes the command “schtasks /Delete /F /TN rhaegal” to delete any existing task named “rhaegal”.

During execution of the main DLL “infpub.dat”, the other components responsible for encryption (cscc.dat, dispci.exe) are dropped.

To launch the newly dropped DiskCryptor component “dispci.exe” at startup, a new task named “rhaegal” is scheduled.

A new service named “cscc” is created for the DiskCryptor driver “cscc.dat”.

ServiceName=cscc,DisplayName=Windows Client Side Caching DDriver, BinaryPathName=cscc.dat

It schedules a task named “drogon” to forcefully reboot the machine at 04:46 hrs; it appears that a reboot is required to install the DiskCryptor drivers.

BadRabbit encrypts only files with the selected extensions listed below and displays a ransom note.

3ds, 7z, accdb, ai, asm, asp, aspx, avhd, back, bak, bmp, brw, c, cab, cc, cer, cfg, conf, cpp, crt, cs, ctl, cxx, dbf, der, dib, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, hpp, hxx, iso, java, jfif, jpe, jpeg, jpg, js, kdbx, key, mail, mdb, msg, nrg, odc, odf, odg, odi, odm, odp, ods, odt, ora, ost, ova, ovf, p12, p7b, p7c, pdf, pem, pfx, php, pmf, png, ppt, pptx, ps1, pst, pvi, py, pyc, pyw, qcow, qcow2, rar, rb, rtf, scm, sln, sql, tar, tib, tif, tiff, vb, vbox, vbs, vcb, vdi, vfd, vhd, vhdx, vmc, vmdk, vmsd, vmtm, vmx, vsdx, vsv, work, xls, xlsx, xml, xvd, zip
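An added example, not part of the original analysis or BluSapphire's tooling: it matches the artifacts named above (the rundll32 launch of infpub.dat, the tasks “rhaegal” and “drogon”, the “cscc” service backed by cscc.dat, the dropped file names) against host events. It generalizes slightly by also flagging any non-.dll module loaded by ordinal through rundll32; the event schema, host names and sample events are constructed for illustration.

```python
"""Added example: triage host events for the BadRabbit artifacts described above."""
import re
from collections import defaultdict

# Names taken from the analysis above.
TASK_NAMES = {"rhaegal", "drogon"}
SERVICE_NAME, SERVICE_BINARY = "cscc", "cscc.dat"
DROPPED_FILES = {"infpub.dat", "cscc.dat", "dispci.exe"}

# rundll32 <module>,#<ordinal> : export called by number instead of by name.
RUNDLL_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<module>[^",]+)"?\s*,\s*#(?P<ordinal>\d+)', re.I)
# schtasks ... /TN <name> : any create/delete/run that names a task.
SCHTASKS_TN = re.compile(r'schtasks(?:\.exe)?"?\s.*?/tn\s+"?(?P<name>[^"\s]+)', re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX style path."""
    return re.split(r"[\\/]", path.strip().strip('"'))[-1].lower()


def indicators(event):
    """Return the set of indicator labels a single event matches."""
    found = set()
    kind = event["kind"]  # hypothetical schema: process / task_created / ...
    if kind == "process":
        cmd = event["command_line"]
        m = RUNDLL_ORDINAL.search(cmd)
        if m:
            module = basename(m.group("module"))
            if module == "infpub.dat":
                found.add("rundll32_infpub")
            elif not module.endswith(".dll"):
                # Generic heuristic beyond the post: data file run as a DLL.
                found.add("rundll32_non_dll_by_ordinal")
        m = SCHTASKS_TN.search(cmd)
        if m and m.group("name").lower() in TASK_NAMES:
            found.add("task:" + m.group("name").lower())
    elif kind == "task_created":
        if event["name"].lower() in TASK_NAMES:
            found.add("task:" + event["name"].lower())
    elif kind == "service_installed":
        if (event["name"].lower() == SERVICE_NAME
                and basename(event["binary"]) == SERVICE_BINARY):
            found.add("service:cscc")
    elif kind == "file_created":
        if basename(event["path"]) in DROPPED_FILES:
            found.add("file:" + basename(event["path"]))
    return found


def triage(events, min_distinct=2):
    """Hosts with at least min_distinct different indicators, with the labels seen."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= indicators(ev)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= min_distinct}


# Constructed sample events; only WS-07 reproduces the sequence in the post.
SAMPLE_EVENTS = [
    {"host": "WS-07", "kind": "process",
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15"},
    {"host": "WS-07", "kind": "process",
     "command_line": "schtasks /Delete /F /TN rhaegal"},
    {"host": "WS-07", "kind": "service_installed", "name": "cscc", "binary": "cscc.dat"},
    {"host": "WS-07", "kind": "task_created", "name": "drogon"},
    # Benign look-alikes.
    {"host": "WS-12", "kind": "process",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"host": "WS-12", "kind": "task_created", "name": "NightlyBackup"},
    {"host": "WS-12", "kind": "service_installed", "name": "cscc",
     "binary": r"C:\Tools\other.sys"},
    # One weak signal only: stays below the reporting threshold.
    {"host": "WS-20", "kind": "process",
     "command_line": r"rundll32.exe C:\Users\Public\x.dat,#1"},
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host, labels)
```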

APIs abused:

CloseHandle
CreateFileW
CreateProcessW
ExitProcess
GetCommandLineW
GetCurrentProcess
GetFileSize
GetModuleFileNameW
GetModuleHandleW
GetSystemDirectoryW
HeapAlloc
ReadFile
TerminateProcess
UnhandledExceptionFilter
WriteFile

URL Found:


Lateral Movement:

To perform credential harvesting, it writes mimikatz to a file with the extension “.tmp” (xxxx.tmp) in “C:\Windows\” and starts a new process from the temp file “495E.tmp” with a pipe.

Notice that the malware scans the local network for ports 139 and 445 and spreads via SMB shares using the credentials harvested with mimikatz.

- Praveen Kolanuvada

Reserve Bank of India - Cyber Security Framework for Banks - Part I

On June 2, 2016, the Reserve Bank of India published its circular on cyber security requirements for banks operating in India, a much-awaited initiative from RBI, as most of its western counterparts have had similar regulations in place for a while. This is a major overhaul compared to the guidelines provided in the summer of 2011. It comes in light of the fact that India has been both the source and the target of multiple cyber crimes over the past decade, including both malicious and nation-state attacks against its financial industry aimed at disrupting and/or destabilizing the financial system. It should be noted that CERT-IN has been a key player in providing resources and education, with the key objective of enabling the country to defend against large-scale cyber attacks.

In its circular, RBI notes that it is essential for banks to enhance their cyber security safeguards and improve resiliency to cyber attacks. RBI has noted the importance of top executive management's role in ensuring the success of cyber security programs and their acceptance across the organization. It stressed the importance of the Board and its executives being up to date on the state of cyber security using relevant metrics. If this is not already part of your Board's agenda, then it absolutely should be. We are actively moving into an era where cyber security is seen as an organizational risk and should be given the same visibility at the Board level as financial risk or operational risk.

Top Management & Board should educate themselves on Cyber Risk, and proactively promote Cyber Resilience among their Customers, 3rd Parties and relevant Stake-Holders

RBI has laid out a number of requirements for banks, in its circular. Major components of the requirements are laid out below. We will take a deeper dive into each of them further in this series.

1) Banks should have a comprehensive Cyber Security Policy

2) Banks' Board should approve the Cyber Security Policy

3) Banks should setup a Security Operations Center (SOC)

4) Banks should have a Continuous Security Monitoring program in place. (RBI calls it Continuous Surveillance)

5) Banks should have a Security Architecture in place that aligns with IT Architecture.

6) Banks should put adequate security measures in place to protect networks and data (Due Diligence).

7) Banks are mandated to protect Customer Information, irrespective of where the data is stored or whether it is in transit. This includes data held by the bank itself, by 3rd parties or by the customer.

8) Banks should revisit their Business Continuity Plan/Disaster Recovery Plan, in the context of Cyber Risk.

9) Banks should have an Incident Response Plan (Cyber Crisis Management Plan, in RBI language)

10) Banks should share Cyber Security Incidents with RBI using a prescribed format provided.

11) Banks should perform periodic GAP Assessments to review their cyber security preparedness.

In the second part of this series, we will get into more details on each individual action and best practices in these areas. Our goal is to help Banks understand these requirements and help implement them.

______________________________________________________________________

Kiran Vangaveti is the Founder of BluSapphire Technologies, which provides Managed Security Asset Management, Continuous Security Monitoring, Risk Assessments and Compliance assistance to Small & Medium Enterprises in the Financial and Health Care industries. He is the thought leader behind BluSapphire Intelligent Cyber Defense, a security tool providing unrivaled visibility into Advanced Persistent Threats (APT) and malicious activity on clients' infrastructure, operating across the entire Cyber Defense stack and utilizing Advanced Behavioral Analytics and Multi-layered Anomaly Detection.

NY State DFS - Cyber Security Requirements for Financial Services

The New York State Department of Financial Services has released its proposed Cyber Security requirements for Financial Services. They apply to any entity that is operating under, or required to operate under, a license, registration, charter, certificate, permit or accreditation under the Banking law, Insurance law or the Financial Services law. The proposal is open for public comments until Nov 14, 2016.

DFS believes the purpose of this law is to ensure that Financial Services businesses operating under its jurisdiction have robust cyber security measures in place. These requirements are not in conflict with the Gramm-Leach-Bliley Act, and are put forth to address, improve and include institutions that currently do not fall under GLB. DFS has proposed some limited exemptions for small businesses operating with less than $5M in gross annual revenue.

DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk.

Some Financial Institutions that are regulated under SEC may already be partly compliant with these requirements. Again, as emphasized by the security community, DFS requires that Top Management/Board of Directors/Executive Board or equivalent should review the business's Cyber Security Program, Policy and Incident Response Policy and ensure that they understand Cyber Risk. Another noteworthy requirement is the use of Multi-Factor authentication for all remote access, 3rd party access and trusted databases with Non-Public information.

An executive summary of the requirements is as below:

1. Maintain an active cyber security program that

  • Identifies and addresses internal and external risks, identifies technology, policy and process controls required for mitigation

  • Addresses Detection, Mitigation, Response and Recovery processes

2. Implement a Cyber Security Policy / Information Security Policy that addresses

  • Cyber Security Technology (system & network) controls, Access Controls & Identity Management

  • Application Security & Secure Development practices for in-house & external applications

  • Data Governance, Data Classification, Data Privacy (customer)

  • Systems Operations, Capacity, Performance, Availability, Disaster Recovery and Business Continuity

  • Continuous Security Monitoring, Risk Assessments and Incident Response

  • Third Party risk identification & minimum cyber security requirements

3. Establish an Incident Response Plan that at a minimum addresses

  • process for responding to events - playbooks

  • roles & responsibilities, especially documented levels of decision-making authority

  • Communications - external and internal

  • Revision process for addressing any failures

4. Encryption of Non Public Information in transit and at rest. Document compensating controls where this is not possible.

5. Appoint / Designate a Chief Information Security Officer (CISO). The CISO shall be responsible for managing the cyber security program, cyber security policy and Incident Response Plan. He is responsible for reviewing and updating the policies and procedures as required, at least once annually. Any exceptions and compensating controls have to be approved by the CISO.

6. Perform a Penetration Test of IT systems annually, and a Vulnerability Assessment at least Quarterly

7. Cyber Risk Assessments should be performed at least annually

8. Provide adequate levels of Cyber Security Awareness training. DFS also recommends that cyber security personnel be trained with updated skills at least annually.

9. DFS requires mandatory notification of a material breach to the Superintendent within 72 hours.

10. DFS requires filing of a written statement of compliance by Jan 15 each year.

These requirements will be effective Jan ' 2017. Entities that fall under the purview of these requirements will be required to prepare and submit a Certificate of Compliance with NY State Department of Financial Services annually, by Jan 15.


Tagged: #NY #FinancialServices #Cybersecurity #DFS

Keeping Kids Safe on Social Media

October is Cyber Security Awareness Month. During the course of this month we will share cyber security tips and resources, that will empower you and your family to understand and take preventative measures against Cyber Threats. These tips will focus on and explain a specific topic with steps you can take to protect yourself, your family and workplace.

 

“ Keeping Kids Safe on Social Media”

 

You’ve probably heard the names: Facebook, Instagram, Twitter, etc. These are some of the top social networking websites that have become an online craze for teens and for many adults. You’ve probably also heard some stories about how pedophiles are surfing these pages for their next targets, or how teens are having their identities stolen after posting too much information online. The good news is that young people can protect themselves and their personal information easily, if they know how.

"Make sure your kids understand that you won’t blame them or ban them from Internet. Encourage them to report anything that makes them uncomfortable."

None of this technology is inherently dangerous, and if used safely, can be a great creative outlet for young people and a way to get them excited about technology. However, many young people are sharing too much personal information online and aren’t aware that anyone with an Internet connection can view it - even pedophiles, identity thieves, employers, teachers, their school nemesis, and you. As a parent, you can teach your children how to safely use social networking websites and make sure that they do. Below are some ways that you can protect your children and their personal information online.

 

Talk to your kids about the risks.

·         Explain that online information and images can live forever. It can be very hard and sometimes impossible to take down information that is posted, and photos and information may already have been copied and posted elsewhere.

·         Tell your children not to post any identifying information online. This includes their cell phone number, address, hometown, school name, and anything else that a stranger could use to locate them.

·         Explain that anyone in the world can access what they post online. Inform your children that many college admissions boards and employers are checking social networking sites before they admit students or hire people.

·         Remind your children never to give out their passwords to anyone – not even their friends. Explain that if someone has their password, they could post embarrassing and unsafe information about them on their personal pages and even pose as your children to talk to other people.

·         Make sure that children understand that some people they meet online may not be who they say they are. Explain that on the Internet many people are not truthful about their identity and may even pretend to be someone else.

Protect them from dangers.

·         Most social networking websites require that young people be at least 13-years old, and sometimes even 18, to create an account. Don’t let younger children pretend to be older to use these websites.

·         Social networking websites let users set their profiles to private so that only their friends – usually defined as people that know their full name or email address – can contact them. Make sure younger teens’ profiles are set to private.

·         Go online with your children and have them show you all of their personal profiles. Ask to see some of their friends’ profiles too. If they have a blog or share photos online, ask to see them too.

·         Treat your children’s online activities like you do their offline ones. Ask questions about what they do, who their friends are, and if they have made any new friends.

·         Set clear rules that you can all agree on regarding what your children are allowed to do online. Make sure you decide if your children are allowed to post photos of themselves and open accounts without your permission.

How you can help them

·         Have your children tell you if they ever see anything online that makes them uncomfortable. Make sure they understand that you won’t blame them.

·         Ask them to come to you if anything happens online that hurts or scares them. Tell them that you won’t punish them by banning them from the Internet – this is a big reason why many kids don’t talk to their parents about their online problems.

 

Report any cases of possible child sexual exploitation, no matter how small, to the Cyber Tip Line at https://report.cybertip.org.

IOTs - Impact on Enterprise Security

“Anything that can be connected would eventually be connected.”

The statement would have been no less than a myth a couple of decades ago, but, over this short span of time, the world has undergone an incredible transition from real to digital, forming a parallel cloud world. From automated medical equipment and ATMs to android driven cars, it is not just your phone that has gone smart – the smart revolution has taken over the world, setting up new standards and giving an entirely different meaning to communication, interaction and networking.  Human interaction has eventually evolved into today's machine versus machine communication with zero human input requisite. While this has proved its efficacy at all levels, it comes at a price we are bound to pay; the exorbitant cost of our privacy and security.

The IoT sensation took its toll on the digital world, completely altering the conventional definitions of integrated systems and connectivity, creating a parallel cloud world. As the interaction between the real and the cloud world goes from binary to digital and vice versa, its share of pros and cons too, fairly and equally, increases. And no matter how much we attempt to beautify the concept with cosmetic terms like ease of access, world going-smarter, innovation, promising, convenient, digital global village, the fact of the matter is, it comes with certain concealed costs that have made us prone to more vulnerabilities than we have ever seen before.

Every new device addition into the cyber connected system means another new end point, a potential door to welcome another vulnerability. As we strive to make machines go smart and intelligent, we create systems that connect devices and machines programmed to operate in a close system, interacting with each other, sharing critical information and data and working accordingly. While this may validate the automated functioning aspect, it also points out to an alarming fact that even a single and minute loophole may turn into a big security threat, putting the entire networked enterprise at stake.

The Internet of Things phenomenon, specifically in the world of business and enterprise, has opened doors to a new vector of security threats and hazards. The internet of things, in the course of revolutionizing e-Enterprise operations, has also altered the nature and magnitude of risks and threats involved.

Major Vulnerabilities

POTENTIAL LOOPHOLES

As mentioned earlier, every new device added to the network means a new gateway, a potential weak point or a loophole that might let intruders in, bypassing security barriers. The vulnerabilities inflicted upon an enterprise through IoT may originate not only from the end-point device but also from the transit and connected communication passages, the software components and the objects and devices at the other end, all of which may provide a good loophole to break into the system.

IOT NETWORKS WITH ENTERPRISE SYSTEM

The IP-enabled devices forming the enterprise system tend to lose their individual confidentiality and functionality, no matter what segmentation and gap techniques are applied. As validated in a statement by Amit Yoran, former director at the US Department of Homeland Security, the interconnectedness of multiple devices on a single system with mutual sharing of information will passively ensure an unintended and unnecessary flow of information within the system, taking the magnitude of network and connectivity to a point where it would be almost impossible to keep the cloud information store safe and inaccessible from unnecessary access. This implies that IoT itself could be a major internal threat to enterprise security.

AN UNCONVENTIONAL, COMPLEX ARCHITECTURE OF SOFT AND HARD UNITS

The IoT mechanism is a complex system of devices that are integrated through hardware and software. These devices vary in their function, modules and physiology, thereby providing multiple target options. Since the structure is built upon individual devices, each fundamental unit has its own security requisites. IoT devices in the enterprise will differ from the layered design, since they have micro operating systems designed around tightly coupled hardware. Hence, they will require a custom-designed security mechanism to fill gaps and eliminate loopholes that prevail within the system. In some cases, this may not be possible at all.

NEWER PROBLEMS

IOTs in enterprises will provide tremendous stealth opportunities to attackers, and will overburden enterprise cyber security teams with ever-expanding device types and data. Cyber security analysts equate APT detection to finding a needle in a haystack. The emergence of IOTs in the enterprise will only compound the problem, and enterprises need to understand the complexity and be prepared before they embrace IOTs.

IOTs are definitely here to stay. There is tremendous potential for productivity and efficiency improvements, along with lives to be saved, through the use of IOTs. In parallel, we should consider the downsides of the current state of IOTs and the threats they pose to privacy, security and, in some instances, life.

Bangladesh Bank Heist

The Bangladesh Bank hack is one of the biggest bank heists in global financial history. There have been larger scams and scandals, but among cyber heists from a single bank, this one takes the cake.

The heist of over $80 million sent shock waves through the global financial system, and security experts scrambled to find out how it had happened. Political and administrative authorities played the blame game, as was expected of them. Resignations were offered and statements were issued. It was complete chaos.

But now, the storm is over and the dust seems to be settling. But as the bigger picture comes into focus, it is becoming clearer as to what exactly went wrong. 

How it happened

It all began on one fateful Friday with a printer failure. On 5 February 2016, Jubair Bin Huda, the bank’s joint director for accounts, discovered the printer failure, which left him unable to collect the previous day’s transactions, Financial Times reports. The printer failure was just the tip of the iceberg, though. Three days later, the bank discovered that the printer was not the only thing that had failed. The magnitude of the theft suggested that the bank’s cyber security system had not fared much better.

The hackers managed to break into the bank’s security system and transferred more than $80 million from the New York Federal Reserve account to multiple bank accounts located in Sri Lanka and the Philippines. A significant number of transfer requests, 30 out of 35, were blocked by the Federal Reserve, saving the bank a loss of $850 million. But the five requests that managed to pass through, amounting to more than 80 million dollars, were devastating enough in their consequences.

Security analysts suggest that they did it by installing malware on one of the bank’s computers, which enabled them to spy on the bank’s monetary activities for weeks and observe how money transfers took place.

However, investigators believe that the heist involved hackers utilizing a Remote Access Trojan (RAT). Through this, they were able to gain remote control of the bank’s computers to initiate funds transfers. It may have taken the hackers almost a year of planning and preparation, which involved opening multiple accounts in various banks in the Philippines and Sri Lanka using fake documentation. It is ironic, though, that despite all the meticulous planning, a typo in a transfer request turned out to be the Achilles heel and helped uncover the entire operation.

According to BBC, the bank didn't have a firewall and used cheap $10 internet routers. This made the malicious actors' job very easy. Good prevention and detection controls would at least have helped detect the whole operation much sooner.

SWIFT software security

Perhaps the most troubling aspect of the whole episode was that the hackers managed to hack into the SWIFT software. SWIFT lies at the heart of the global financial system; it is a network that connects the majority of the world’s financial institutions and enables them to send and receive information about financial transactions.

However, it was the bank's systems or controls that were compromised, not the software, according to an independent security consultant, William Murray. "The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."

The major take-away from this is that financial institutions must pay extra attention to ensure the protection of the computers with the SWIFT software installed.

Takeaways

CYBER SECURITY IS NOT AN IT PROBLEM

It is a business problem. Businesses should view cyber risk on par with operational, regulatory and financial risk. Unfortunately, most organization boards fail to recognize this.

Lutfus Sayeed, an Information Systems professor at California State University, believes that cyber security must be incorporated into any organization’s central business strategy. IT Security must have a seat in the boardroom, at the executive table. It must not be viewed as a specialized function that is detached from the core business processes.

CYBER SECURITY IS NOT A CHECKLIST

Security should not be a compliance checklist, regulatory or otherwise. You will never be secure by being compliant. You will always be compliant by practicing good security processes. A learned friend, who was involved in ensuring that a major card compliance program was implemented at banks worldwide, reveals that many banks in the east would just write off compliance fines and pay them rather than comply. They consider it more cost-effective.

The Bangladesh Bank heist has hopefully driven home the point that cybersecurity cannot be an afterthought. The business impact of poor cybersecurity practices is harsh and real.

CYBER SECURITY NEEDS ATTENTION

Cyber Security is a critical business function that needs attention. Organizations that do not have resources to manage cybersecurity should look at Managed Security Service Providers for assistance. There are some benefits to engaging a Managed Security Service Provider:

a) They are more economical than investing in personnel, software, hardware and processes yourself.

b) They provide round-the-clock monitoring, which most businesses can't do themselves. Remember, attackers don't adhere to your work hour schedule, and hence it's important to have a team that monitors your systems round the clock.

c) They are more efficient at responding to cyber threats. MSSPs, due to the nature of the business they are in, have more threat intelligence, and are able to respond faster than most businesses themselves can.

d) They have dedicated teams to handle cyber threats, and can provide rapid staff augmentation or send skilled analysts onsite to handle the situation.

ASSUME COMPROMISE

Always assume your business has been compromised. APTs have been known to exist in businesses' IT systems for many years without being detected. It is safe to assume that the Bangladesh Bank Heist perpetrators had been inside for at least a year before they pulled off the heist. Threat hunting is the act of assuming compromise and looking for "bad". It is an exercise worth investing in. Work with your team or your provider in conducting these exercises.

The business impact of poor cybersecurity practices is harsh and real. Don't let your business fall victim to cyber threats.

Learnings from Canara Bank hack

On August 2, visitors to the website of Canara Bank—one of India’s biggest lenders—saw a strange sight.

A Pakistani hacker, who called himself Faisal, had managed to hack the bank’s website. He had defaced the site by adding a malicious page and had even tried to block some of the bank’s online payment services.

What actually happened?

Canara Bank, one of the leading lending and banking institutions, suffered a cyber incident. Their main page read, “We are a team of Pak Cyber Attackers. Go Home Kiddo. Need Security? Contact me”.

It was serious, particularly because memory of the recent attack on Bangladesh Bank was still fresh. It was also particularly troublesome because the hacker had attempted, albeit unsuccessfully, to disrupt tax & e-payments by the bank’s customers. The number of hacking attacks on Indian banks has increased in the last few months. This was merely the latest one in a series of similar attempts.

The bank’s response

Canara Bank sprang into action after the attack. It lodged a complaint with the local law enforcement and took several actions to protect its customers. These involved isolating the server and diverting the traffic to a standby server.

Even the Reserve Bank of India got involved. Within just a day of the attack, it sent a confidential letter to the Canara Bank authorities asking them to review the funds in their overseas accounts and reconcile SWIFT payments on an hourly basis. The post-attack efforts consumed much of the bank’s time and resources.

But the bank could easily have avoided all that with a simple measure—continuous security monitoring.

What is continuous security monitoring (CSM)?

Many organizations follow a rather simplistic approach to cyber security. They either try to get ahead of the threat or prepare to face the consequences of a cyber attack and aim to minimize the losses.

But there is a middle ground, a better way: Continuous Security Monitoring.

According to the definition by the National Institute of Standards and Technology, CSM refers to “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

What this means is that continuous security monitoring helps you keep a constant vigil on your most critical organizational assets. This enables you to detect and eliminate potential threats in real time. CSM helps detect vulnerabilities and threats before the bad actor detects them. Prevention is better than cure, and nowhere does this piece of conventional wisdom apply more than in cyber security.

How could CSM have prevented the embarrassing hack?

The global cyber threat landscape is extremely dynamic. The nature of the threats evolves faster than the organization’s ability to prevent those threats.

Canara Bank, or any other financial institution for that matter, can never hope to compete with that. What they can do, however, is to constantly assess their vulnerability in the threat landscape through continuous security monitoring.

The Cyber and Continuous Monitoring Practice Manager for Symantec, Ken Durbin, calls Continuous Security Monitoring “threat agnostic”. When organizations make efforts to identify their critical assets and put appropriate controls in place to protect those assets, it can help prevent potential threats from breaching the system. If the bank had had a CSM program in place, it could not only have prevented the hack in the first place, but also saved itself from negative media attention and the post-hacking disruptions.

How can a Managed Security Services Provider help?

The story of cyber security is the story of trying to keep up with the rapidly evolving threats. And you just cannot win. All you can do is to keep a constant eye out for threats. But most organizations do not have the time, resources, or the incentive for continuous security monitoring processes. And this is where the final piece of the puzzle seamlessly fits in—Managed Security Services Providers (MSSPs).

One of the greatest concerns for any organization when it comes to continuous security monitoring is the cost of the endeavor. Hiring in-house, full-time security experts can end up costing a fortune. Not only would you need a team of security specialists, you would also need to build the necessary tooling & infrastructure. A Managed Security Services Provider can offer both these elements at a much more affordable price.

One of the biggest advantages of MSSPs is round-the-clock support. This means you have trained security staff monitoring your network and devices 24/7. Other advantages include on-demand cybersecurity skills, help with incident response, on-demand high-profile skills and staff augmentation.

3rd Party Risk Assessments

In today's business world, IT risk plays an important role. Every business executive understands risk and the need to balance "risk and reward" effectively, and has a good handle on risks such as credit risk, operational risk and market risk, among others. In many instances this is even strengthened by regulatory requirements. Still, most businesses fail to measure IT risk appropriately, and some fail entirely to incorporate third-party IT risk.

“When your infrastructure is attacked, your business may fail to relive the attack”


In an era where cyber-attacks are imminent, it is increasingly important for businesses to understand their IT risk, and specifically third-party risk. According to a recent report by Booz Allen Hamilton, third parties were the number-one security risk to financial services firms in 2015.
Some businesses are making an effort to review their third-party agreements and include cyber security requirements and annual reviews in their contracts, but is this enough?


Third-party security risk management requires regular reassessments to ensure security, privacy and compliance are in order. Though most vendors prefer multi-year agreements, risk assessments should be an annual practice. Maintain a quality IT risk assessment questionnaire to elicit responses from your third parties. As a best practice, you should also reassess risk and security posture whenever the contracts are updated or changed. A key point worthy of mention here is to pay attention to the tone of the responses, rather than content alone. Your questionnaire should elicit responses and possibly discussions from the service provider and should not be a simple binary "Yes"/"No" checklist.


Now this could be burdensome for many organizations. In such cases, you may be able to lean on MSSPs to engage resources for this effort. Independent third-party certifications like SSAE 16, SOC1 and SOC2 or ISO 27001 may be of value too. "SecurityScoreCard.com" is also a good resource. Don't forget to ask for evidence of a recent DR/BCP test, incident response test and Risk Assessment reports. Keeping track of these results and documenting them year over year will go a long way in helping track the provider’s progress over time.


Communication processes, or "who notifies who, of what, when and how", are very important. Lay down clear guidelines about data ownership, breach notifications and subpoenas, and the responsibilities of either party. Understand where the hand-offs occur and who is responsible. Prefer titles to names.


Businesses are constantly changing and evolving, and so should the relationship with your third parties. Third-party due diligence will help maintain a healthy relationship with your third parties, and with a good understanding of security risks, your business can innovate, grow and reach its business goals.

Continuous Security Monitoring - How MSSPs Can Add Value

Preserving your organization’s information security can be like playing a game of chess with an opponent that gets smarter with every move. If you want to win, you need to stay one step ahead of your opponent. You need to know what to expect. You need to predict what their next move could be. The only difference is that the stakes are much higher here. One misstep or one momentary lapse in attention can cost you the whole game. And if you lose here, you may lose your entire business.

It’s a typical good-news-bad-news scenario. The good news is that with effective Continuous Security Monitoring (CSM), you can constantly monitor the threat landscape and prevent your data and systems from being exposed. The bad news, unfortunately, is that no matter how sophisticated your monitoring tools, systems, and processes are, the task won’t be easy since the nature of threats is constantly evolving, sometimes even faster than your ability to mitigate those threats. This is why CSM is even more crucial for your organization than it seems at first glance. But, before we proceed further, let us first examine how CSM can be defined and what some of its key components are.

What is CSM?

The National Institute of Standards and Technology (NIST) defines continuous security monitoring as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”

In simple terms, we may describe it as the uninterrupted monitoring of critical organizational assets, such as devices on your network, to detect and mitigate potential threats in real time. In even simpler terms, it means that you need to be focussed on Detection controls, instead of just preventative controls. You need to go out there to look for the threats rather than wait for the threats to come seeking you.

However, many organizations don’t realize that. And when they do, it’s usually too late. Many organizations turn to continuous security monitoring and a variety of other measures, such as tightening their compliance processes, after experiencing a major attack on their information system. The CSM process is specifically designed to prevent just that.

The key to understanding CSM lies in the term itself. It involves a Continuous stream of never-ending practices, designed to enhance Security involving constant Monitoring. You need to dedicate resources or staff to perform real-time inspections of not just the devices and the network, but also the implementation of the existing compliance processes to ensure maximum protection.

The Role of MSSPs

If you are aiming to run a successful business by cutting down on costs, increasing profitability, and outrunning your competition, all the while trying to survive in an increasingly dire economic situation, you may already have a lot on your plate. And we haven’t even begun to discuss how to ensure the highest levels of cyber security possible. It’s now understandable why companies choose to seek external services.

But if you are still unsure how exactly an MSSP can add value to your organization, here’s the answer:

Cyber threat intelligence

If there’s one thing that can be claimed with certainty about the cyber landscape, it’s that everyone’s at risk. The Verizon Data Breach Investigations Report (DBIR) repeatedly notes, “We don’t see any industries flying completely under the radar… everyone is vulnerable to some type of event.” And a lot of companies, irrespective of their size and the nature of the business, seek the services of some of the leading MSSPs. Consequently, these security service providers have access to, and experience in monitoring, a large number of networks on a 24/7 basis.

This enables the MSSPs to gather threat intelligence from a variety of sources on a huge scale. Their knowledge base, particularly on threats & potential vulnerabilities, is significantly vast. Maintaining that knowledge base is critical to navigating the cyber landscape and staying up-to-date with the nature of the threats. No other business organization, including large corporations, can dedicate that many resources to cyber intelligence gathering. Consequently, MSSPs can be an excellent value add for your business.

Cost-effective

When it comes to CSM, the decision doesn’t hinge upon whether it’s important or not. Rather, you are required to choose whether to “build or buy.” Do you have enough resources to buy new tools, formulate new processes, and bolster the capabilities of your IT team? And, more importantly, would doing all that yield significantly better results than its alternative? This is where MSSPs step in.

Many managed security services providers have the requisite tools and capabilities to effectively monitor your network for threats. They also have a dedicated team of professional security experts and analysts. But, to top it all off, their services are affordable. Depending on the specific requirements of your organization, seeking assistance from a managed security services provider can be quite cost-effective. 

Scalability

MSSPs are better prepared to deal with organizations of all sizes. The scalability of the monitoring processes is one more thing you can tick off your worry list.

Focus On Detection, Not Just Prevention

The cyber threat landscape is transforming rapidly on a daily basis. The nature of attacks is becoming more sophisticated, and security mechanisms are struggling to keep up at best and, at worst, are woefully inadequate when it comes to dealing with these threats. This is one of the reasons why the rate of cyber crimes has increased exponentially. According to Identity Theft Resource Center (ITRC) statistics, the first five months of 2016 saw a total of 430 data breaches in the US alone. And this does not include the MySpace, Tumblr and LinkedIn announcements last week.

One of the major reasons why many businesses fail to ensure cyber security is that they focus on only half of the problem. Most of an organization’s cyber security budget is assigned to prevention mechanisms, and not enough goes into detection. This is mostly due to the FUD factor that the current vendor landscape focuses on. Perhaps this is why, according to EY’s Global Information Security Survey, more than one third of organizations are utterly incapable of detecting a sophisticated cyber attack.

Hackers and cyber criminals are fully aware of this glaring shortcoming. And they’re leaving no stone unturned to exploit it. They are constantly in search of innovative ways to breach an organization’s prevention mechanisms. This is what makes the attacks even more devastating. Relying on a variety of attack vectors, these criminals are bigger threats than ever before. And what’s even more surprising is that many of these sophisticated attacks simply go undetected unless severe damage is done.

This is why your organization must stop relying primarily on prevention mechanisms. Firewalls, anti-viruses, secure gateways, and intrusion prevention systems can only take you so far. If you think your organization is fully capable of dealing with cyber threats through preventive mechanisms alone, you are living in the dark. Continuous monitoring and threat detection mechanisms are some of the innovations you will need to implement.

The difference between detection and prevention

Detection and prevention are, to some extent, similar mechanisms. The tools they require are similar and many managed security services providers offer both. While prevention mechanisms are designed to block incoming threats, detection mechanisms are designed to locate and identify potential threats.

Simply put, if you want maximum security, you need to realize that you cannot protect your organization from all cyber attacks. Even if you could, that would require considerably more resources than you can assign to cyber security. That’s why it’s more realistic to assume that many threats will easily pass through your prevention systems.

When it comes to threat detection, you must stay up to date with the current trends in the threat landscape. Gathering cyber intelligence is integral to the functioning of the whole process. And if your organization does not have the capability of monitoring patterns of vulnerability across networks, there is always the option to seek assistance from managed security service providers (MSSPs).

Maintaining the balance

Many industry analysts now claim that since the nature of the threats is too sophisticated to be prevented, detection must be your organization’s top priority. This is a dangerous trend. The latter approach is as flawed as the former. In order to ensure maximum security, there must be a balance between the two approaches. Detection and prevention should go hand-in-hand.

Gartner’s Neil MacDonald sums it up succinctly. “We overspend on increasingly ineffective prevention technologies — network and host based firewalls, intrusion prevention systems and antivirus technologies in a futile attempt to prevent all infections,” says Neil. “Complete protection requires both investments in both prevention and detection. We have been too lopsided in our investments for too long.”

CyberSecurity A Priority

When it comes to cyber security, corporate executives are either woefully underprepared or completely ignorant about the potential threats their organization may face due to a cyber-attack. Those who have the will and the requisite technology to prevent such an attack and those who stay up-to-date with the current trends and newer threats, as they emerge, are still equally vulnerable. But how is that exactly? How real is the threat of cyber security for your organization? Let’s begin by looking at the numbers.

What the statistics say
The data on cyber security threats is distressing. And that’s not just due to the innovative nature of the attacks. The real cyber security threat emerges from the lack of preparation by organizations to stave off potential attacks. And this is where we come face-to-face with the stark reality. Many surveys and research reports highlight this lack of preparation, or sometimes even lack of basic understanding of the issue.

Let’s begin with the most recent survey, conducted in April 2016. A staggering 90 percent of the surveyed corporate executives stated that they were unable to comprehend a cyber-security report and were not sufficiently prepared to handle a major attack. Even more surprising was that around 40 percent of executives believed they could not be held responsible in case of hacking or loss of customer data.
This, then, leads us to conclude that the biggest cyber security threat to any organization is the failure of the executives to recognize the lack of cyber security as a threat. It’s a troublesome thought, one that quite clearly bothers Dave Damato, chief security officer at Tanium, who conducted the survey. “I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cyber security or protecting the customer data,” said Damato. “As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now.”

Damato’s words cut to the core of the problem, which is that cyber security is treated as an IT problem. Usually, it is relegated to the dark corners of the office, and the technical staff is left to deal with it. This blatant disregard for securing sensitive customer and financial information, combined with management’s lack of initiative, leads to half-baked cyber security measures, as Trustwave’s State of Risk Report suggests. A majority of the organizations surveyed had partial or no methods at all in place to control and track sensitive data.

The nature of the threats
Apart from the aforementioned problems, the nature of the looming cyber security threats is also disturbing. Each year, cyber attacks grow both in number and destructive capability. Symantec’s Internet Security Threat Report lays out this problem in great detail. According to the report, the company discovered an astounding 430 million new unique pieces of malware in 2015 alone. This indicated a 36 percent increase from the year before. And this is just the number of threats encountered by one cyber-security company, out of many that are out there.

The report also states that over half a billion personal records were lost or stolen in 2015. But this is not even the tip of the iceberg. The real problem lies underneath. A lot of companies simply don’t report the data breach. “In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced,” according to the report. “Companies choosing not to report the number of records lost increased by 85 percent.”

What needs to be done?
This is the big question that all organizations need to answer. Yes, cyber security poses a real threat but what can organizations do to prevent security breaches? Fortunately, we have some answers. Here are some of the steps your organization may take in order to prevent cyber security threats.

Better management
The most significant way organizations need to handle cyber security is by getting involved at the top management level. Leaving it for the technical staff to deal with will not bring you any closer to the solution. In fact, it would do just the opposite. Executives need to step up to the task and take responsibility for their actions.

“Gone are the days when cyber security was considered just an IT issue,” says Stuart R. Levine. “Now, it requires a multi-disciplinary approach for preparedness, oversight and execution. For board members, cyber security preparedness is an enterprise risk management priority, involving both management and the board.”

Employee training
One of the biggest cyber security threats facing your organization is the carelessness of the employees who handle sensitive information. Having weak passwords, losing mobile devices containing sensitive company information, and clicking on suspicious links are some of the actions of the employees that threaten the security of the company.

Therefore, companies need to comprehensively train their employees on cyber security and the proper way to handle company information. By learning to protect themselves online, the employees can also be better prepared to handle company data.

Data encryption and security updates
Data encryption and running patch management programs on potentially vulnerable software are two of the most basic steps that you can take to prevent cyber-attacks. It is essential not just to encrypt all cloud-based data but to use strong encryption, for instance 256-bit AES. It is also essential to regularly update and patch all office software to protect it from vulnerabilities exposed by the latest cyber threats.

Only with a comprehensive approach, focusing on all possible weak points, can your organization ensure maximum cyber security.

Platinum malware using Hot Patching since 2009

Kiran Vangaveti 

April 9, 2016

A group that Microsoft researchers call Platinum has been leveraging a technique known as hot patching to hide its malware from security products. This group has been effectively using this technique since 2009, and has possibly infected many Asian government, defence and intelligence agencies.

The group has traditionally used spear phishing to target specific organizations and individuals as its main attack vector, following it with exploits for zero-day vulnerabilities to install custom malware. To remain stealthy, it launches only a few attack campaigns each year. The custom malware used by this group has self-deletion capabilities and is designed to hide in the target's peak traffic by operating only during the target's business hours.

Hotpatching is an obscure feature that was first introduced in Windows Server 2003 and allows dynamic update of system components without the need for a system restart. Hotpatching was removed in Windows 8 and later versions, because it was rarely used. During the 12-year support life of Windows Server 2003, only 10 patches used this technique. The potential use of hotpatching as a stealthy way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013. And it is his technique that the Platinum group uses.
