BOSTON, June 2, 2022 /PRNewswire/ -- CyberQ Technologies Inc., an authorized Splunk Partner, announces their Managed AI (MAI) offering for Splunk UBA Customers.

Making CyberSecurity humanly possible with AI is the core philosophy of CyberQ. As an MAI provider, CyberQ increases the impact of AI within customer SOC operations.

CyberQ, a CyberSecurity AI services business with HQ located in Boston Massachusetts, announces a comprehensive Managed AI Service for Splunk User Behavior Analytics (UBA) customers. CyberQ MAI manages UBA in the customer cloud provider of choice. This service helps customers focus on outcomes, detections and alerts and provides a 24/7/365 managed UBA AI stack with 99.9% uptime.

A dedicated, global team of operators manage customer's UBA stacks, integrated with Splunk Cloud, to deliver data ingestion and alert results.

The strength of the solution allows customers to complete their migrations to Cloud infrastructure and remove the complex management of the AI environment. This allows customers to focus on running their SOC business.

Richard Towle, CEO and Founder says "We set out to help customers navigate the complexities of AI in the CyberSecurity space. Managing AI in operational environments is hard, but with our expertise providing this key service, customers can spend more time focusing on their investigations and response teams."

More about CyberQ Technologies Inc.  
https://cyberq.com/managed-ai/  

SOURCE CyberQ Technologies Inc.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

CyberQ Technologies Inc. Launches Managed AI for Splunk UBA Customers

Neosec threat hunters from the 'ShadowHunt' team jumpstart the API Security process quickly and help build the knowledge in today's overstretched security teams.

PALO ALTO, Calif., June 2, 2022 /PRNewswire/ -- Neosec, the pioneer in discovering and identifying API threats using behavioral analytics, today announced the availability of ShadowHunt, an expert-staffed managed threat hunting service to augment its platform with human oversight from active threat hunters to identify the most clandestine and obfuscated API abuse. Borrowing from threat hunting capabilities in EDR and XDR, Neosec brings similar techniques to API security. ShadowHunt gives security teams peace of mind that API security experts are examining abnormal behavior on their API estate.

Combining the ShadowHunt service with the Neosec cloud-based platform enables organizations to manage the increasing risk to core business systems, assets and data from manipulation, theft or misuse. The service is ideal for companies where security teams are short-staffed or lack the expertise needed to identify threats in business API traffic, because APIs are increasingly used to connect important business systems to customers, suppliers, and partners.

"The increasing potential for insiders or attackers to utilize business APIs for criminal or malicious gain requires a new level of scrutiny and sophistication," said Giora Engel, co-founder and chief executive officer, Neosec. "The new ShadowHunt service augments our platform with an expert team to monitor API usage and hunt for fraud, abuse or critical vulnerabilities without any drain on an organization's existing security team."

Rather than focusing only on vulnerabilities within APIs, the Neosec platform addresses the problem by first automatically and continually identifying all APIs a company has in use, evaluating their risk posture and monitoring user behavioral anomalies that could involve data theft or other misuse. Most companies lack a complete API inventory, let alone understand the nature of normal API usage. Few have the ability to monitor their APIs to mitigate loss or detect abuse of business processes, financial assets and data within their APIs. Now, the ShadowHunt service can augment use of the Neosec platform with a team of experts to respond to findings quickly, investigate potential threats and recommend immediate remediation and actions.

Besides the incidents and alerts provided by the dedicated expert team of threat hunters, the ShadowHunt service also includes a monthly report to summarize findings and investigations performed by the team, news of emerging API threats discovered by Neosec across many different companies and notable changes in the use and operation of APIs currently employed by a company. The service also includes full "Ask the Experts" access to the team of threat hunters.

The ShadowHunt service and the Neosec platform together provide an effective way to quickly incorporate full monitoring and investigation of anomalous business API usage without impacting existing security operations and team workload. The combination can add protection against vulnerability exploits and API business abuse quickly and transparently.

**For more information:**

*   Read more: ShadowHunt Managed Threat Hunting
*   Datasheet: ShadowHunt Managed Threat Hunting

**About Neosec**

Neosec is re-inventing application security with a powerful platform that unifies security and development teams to protect modern applications from threats. The foundation of the SaaS platform is built on data and analytics to manage security at scale. Neosec prevents threats from abusing the complex network of APIs that connect today's businesses. The platform helps organizations discover every API and audit risk. Neosec has pioneered the use of behavioral analytics to understand normal versus abnormal API usage and delivers powerful threat hunting capabilities together with a team of expert threat hunters. Neosec prevents threats and stops abuse hiding within APIs and brings new intelligence to application security. Neosec is based in Palo Alto, California with R&D in Tel Aviv, Israel. To learn more, visit Neosec.com.

_SOURCE Neosec_

Neosec Introduces Expert Managed Threat Hunting Service for Detecting and Investigating API Abuse and Vulnerabilities

As insurers and brokers reckon with unexpected losses, they're charging more for policies and setting higher requirements.

Chaos reigns in the cyber insurance market. Brokers and cyber insurance carriers — the companies that actually offer the policies — are tightening requirements on what applicants need to do to obtain policies due to losses the insurers have suffered from ransomware coverage. During the past year, premiums grew 18% in the first quarter of 2021 and were up 34% in the fourth quarter of 2021, according to Jess Burn, senior analyst at Forrester. .

Organizations often find they cannot obtain cyber insurance, are not being renewed for coverage they already have, or are faced with soaring prices and shrinking coverage. Despite the value many organizations put on cyber insurance — in some cases, they're required to carry it to comply with regulations — obtaining such policies is getting more difficult.

While raising premiums, some insurers are reducing coverage. If an organization bought $10 million worth of coverage for a given price in 2021, for example, renewing that policy in 2022 might see the coverage amount fall to $3 million and the premiums for that lower coverage rise. This phenomenon is due, in part, to insurers trying to strike the right balance of customers' risk profile versus their risk-mitigation efforts.

In the recently released "2022 Voice of the CISO" report from Proofpoint, just 49% of CISOs at US-based organizations said they have cyber insurance and are confident that it will be there when needed. This is well below the 58% global average; Canada led the study at 88%, whereas the US ranked 11th worldwide. In that same report, 56% of global CISOs specifically cited the increase of ransomware attacks as a main driver of concern and a key reason to obtain cyber insurance.

**Losses Are Wreaking Havoc**

This situation was underscored in a March 2022 cyber insurance event, sponsored by cybersecurity vendor Sophos, called "Optimizing Your Cyber Insurance Position," where Marsh McLennan Agency (MMA) risk management consultant Marc Schein, national co-chair of the Cyber Center of Excellence, laid out why cyber insurers are revising their requirements for applicants and why their models needed to change.

Schein said the global average associated with ransomware recovery for 2021 was expected to reach roughly $20 billion. The frequency and severity of attacks are increasing, he said, and "insurers' rating models did not accurately predict some of the loss severity that they've actually been seeing \[with\] evolving privacy regulation."

Additionally, increasing regulatory fines and penalties "really have started to wreak havoc on the cyber insurance marketplace," Schein said.

The industry is seeing "increasing conservative limit deployment from certain carriers in response to an increase in volatility from large losses and deteriorating financial performance," he added. "They're not only raising prices, but they're also now starting to change the way that the coverage is structured."

Scott Godes, a partner with law firm Barnes & Thornburg, is a cyber insurance specialist. He agrees that major changes are occurring, noting that some carriers are implementing new exclusions and limitations on the types of coverage policyholders need the most. Nearly all carriers are raising their rates across the board.

"Carriers are getting significantly more aggressive on their claim positions," Godes says. "They are using outside counsel much more frequently to investigate, handle, and adjust claims. It seems very unlikely that carriers hire lawyers to adjust claims to give the most coverage possible to their insureds."

Insurers are finding that assumptions they made about potential losses, based on their experience with other insurance policies such as personal and property liability, are not accurate. Losses have been much higher on some cyber insurance policies over the past several years than insurers anticipated five years ago.

An August 2021 article in Canadian Underwriter highlighted the financial effect some of these assumptions are having on insurance companies' bottom line. "In cyber liability, total net premiums earned for the second half of 2021 were $94.15 million – $12.15 million from Canadian insurers and $82 million from foreign insurers," it reported. "But total net claims incurred (not including reinsurers' share but including adjustment expenses) were $106.26 million ($97.4 million from foreign insurers and $8.86 million from Canadian insurers), for a loss ratio of nearly 113%."

**Setting Baseline Security Controls**

Insurance brokers and carriers are responding to the higher losses from ransomware and unexpected costs by modifying how and to whom they write policies.

Insurers are beginning to require certain security controls be in place prior to sitting down with a prospect to discuss cyber insurance.

"What cyber insurance brokers and carriers want to see from policyholders is a real effort and investment made to reduce the likelihood of a ransomware attack and to be prepared to respond to one should it happen," Forrester's Burn says.

To that end, she recommends that organizations put the following controls in place immediately:

*   Securing Remote Desktop Protocol (RDP) and other remote access configurations.
*   Restricting macros from executing when downloaded from the Internet.
*   Establishing an incident response plan — companies must have playbooks for common attack scenarios like ransomware and business email compromises, and they must test those plans and playbooks regularly with tabletop exercises and crisis simulations.
*   Implementing multifactor authentication.
*   Implementing an offsite backup solution.

MMA's list of controls includes the above, plus the following:

*   Employee cybersecurity training.
*   Third-party risk management (TPRM).
*   Patch management.
*   Vulnerability management.
*   Endpoint detection and response (EDR) and managed detection and response (MDR).
*   Logging and monitoring.
*   End-of-life plan.
*   Email filtering.
*   Privileged access management (PAM).

TPRM is often poorly understood, since organizations have a difficult time determining the risks associated with their supply chains. It is even more difficult to determine the risk of a supply chain's supply chain.

Burn says she expects to see a new, focused breed of cyber insurance policies in the next 12 months to 18 months to cover the weakest link in the supply chain. What those policies will cover is still unwritten.

Turbulent Cyber Insurance Market Sees Rising Prices and Sinking Coverage

The government is putting the right skills and expertise in place to fight the rising cyber threat.

Our nation is facing some of the most daunting cybersecurity challenges in history. As the new Office of the National Cyber Director (ONCD) gets fully staffed and running, little is more important to the nation's security than making sure the right people are in the right places to address these dynamic challenges. Bringing private industry expertise into the national security ecosystem is the best way not only to prepare and protect but also to evolve the nation's security for the future.

**A Field of Challenges**

One year ago, the Colonial Pipeline ransomware attack became a defining moment for the nation's cyber strategy. In addition to being economically disruptive, this attack opened our eyes to the seriousness of the threat to critical infrastructure through purely IT intrusions. Previously, most of the thinking from policymakers centered on threats to critical infrastructure through OT systems.

Other incidents revealed the risk we face from scaled attacks. For example, last July dozens of managed security providers were affected by the REvil Kaseya hack. This attack, propagated through a malware-infected hotfix pushed out by Kaseya, affected more than 1,000 organizations, including many that rely on managed service providers to provide their security. Last fall, the Log4Shell vulnerability alerted organizations to the risks of widespread, easily exploited, and lingering vulnerabilities.

The Biden administration, to its credit, has elevated cybersecurity as the priority that it should have been long ago, taking the most aggressive measures that I've ever seen. These include an unprecedented meeting last August between industry leaders and president himself that has led to serious commitments from industry leaders and stronger private sector security buy-in. Their work across a range of issues can be seen through the Cybersecurity Coalition, Cyber Threat Alliance, and the Ransomware Task Force.

**The Threat Hasn't Diminished**

For all the progress made in a mere 12 months, the threat itself continues to morph and increase. It's critical that we redouble our efforts and build on what has worked well — an excellent place for the ONCD to pick up the baton.

The government certainly has its work cut out for it, with Russia's war in Ukraine sitting firmly atop the priority list. Many people, myself included, expected an increase in Russian cyberattacks against western interests. While there has been some increase in activity, large-scale attacks have not occurred. This could change quickly, as this war seems far from over. The ONCD will need to continue working with the national security community to defend the homeland.

All of this has forced into the open a debate over war exclusions in cyber insurance. At the policy level, cyberattacks attributed to state-actors could trigger such provisions. Major players like Lloyds of London and Marsh are grappling with how to respond, especially if the war expands. The US should consider its role in this issue, and continue to leverage industry leaders and expertise to understand the complexities of this risk.

Beyond Russia, the American midterm election process is underway. As the general election approaches this fall, expect to see increased cyberattacks and disinformation. Does this mean the government will shift focus from Ukraine? If so, does that give Russians and aligned actors a clear path to attack western interests? At a recent conference on ransomware, top government officials indicated that combatting ransomware would remain a priority but this will require experienced, steady leadership to navigate.

**The Right Expertise**

The Biden administration recently announced the appointments of Kemba Walden, Neal Higgins, and Rob Knake to the ONCD. These picks are key indicators of the value the office will hold within the administration and the priority that President Biden places on cybersecurity. In fact, Walden served as co-chair of the Institute for Security and Technology's Ransomware Task Force, which included Resilience's chief claims officer, Michael Philips. Their work culminated in a published report that includes recommendations for addressing the unprecedented rise in ransomware attacks.

For the first time, cybersecurity has been named a "national security threat," and the administration is taking action to reflect the complexity of challenges associated with cybersecurity. As the threat persists, the growth of the ONCD is a signal that the right experience and skills will help us fight this fight.

Building America's Cybersecurity Infrastructure

The malware targets Windows users via Trojanized downloads of cracked or pirated software and then starts in on cryptocurrency mining and clipboard hijacking.

The malware known as Clipminer has earned cyberattackers $1.7 million in cryptocurrency mining and theft via clipboard hijacking so far – and it shows no signs of abating.

The Clipminer Trojan, which sports numerous similarities to the KryptoCibule cryptomining Trojan, was discovered by Symantec’s Threat Hunter Team. Its whole raison d'etre is to enable fraudulent cryptocurrency transactions.

The team determined that Clipminer is likely spread through Trojanized downloads of cracked or pirated software. The infection chain begins with a self-extracting WinRAR archive and then executes a downloader file, which connects to the Tor network to download Clipminer’s components.

The malware can redirect cryptocurrency transactions made on the infected computer by replacing cryptocurrency wallet addresses copied to a clipboard with new addresses under the control of the hacker. Clipminer uses addresses matching the prefix of the targeted original address to disguise the manipulation.

The team noted that the malware contains 4,375 unique addresses of wallets controlled by the attacker, of which the vast majority were used for just three different formats of Bitcoin addresses.

The malware also uses cryptocurrency-mixing services, known as tumblers, which can help hide the fund’s original source.

Dick O’Brien, principal editor for the Symantec Threat Intelligence Team, tells Dark Reading that one of the very first questions the team asked when it started looking at Clipminer was whether the person or people behind it are making any money. The answer was yes.

“That can really help you gauge how much of a threat this is,” he explains. “If it’s profitable, they’re not going to quit, and the odds are they’ll want to expand."

What’s interesting about Clipminer, he adds, is that it seems to tread the line between making good money while maintaining a relatively low profile.

“I don’t know whether that’s by accident or design,” O’Brien says. “It’s a relatively sophisticated botnet. It’s not just your average coinminer. It’s a dual-pronged threat since it’s also capable of stealing via clipboard hijacking. And the latter is done pretty stealthily.”

He points out that Clipminer goes to some lengths to disguise the fraudulent transactions and noted the group has thousands of payment addresses. It picks the one that most resembles a legitimate payment address for each victim.

“The obvious threat for enterprises is that any kind of coinminer is a drain on computing resources,” O’Brien says. “But beyond that, you don’t want any kind of botnet getting a foothold on your network. We’ve seen in the past how botnets can evolve and be repurposed to deliver other, more potent threats.”

All of the usual best practices apply to protect against these kinds of threats, he adds, but in this case avoiding nonlegitimate software resources is the best protection.

“You need to audit what software is running on your network, and any unauthorized software, whether it’s pirated or not, needs to be addressed,” he says.

The really interesting question at the moment is how cryptocurrency-mining threats are going to evolve in the near future, O’Brien says.

“We’ve seen a lot of instability in the cryptocurrency space and even speculation that we’ll see a major crash," he says. "Obviously if the coins are worthless or near worthless, there’s going to be less interest in mining them. But that's just the start of it. Any major upheaval will have a much wider impact. Crypto underpins the entire cybercrime ecosystem.”

'Clipminer' Malware Actors Steal $1.7 Million Using Clipboard Hijacking

Although organizations should perform proper risk analysis and patch as soon as practical after there's a fix for this vulnerability, defenders still have options before that's released.

On May 27, 2022, researchers from Japan-based nao\_sec identified a malicious document in a commercial malware repository, dubbed "Follina," that revealed the document employed a novel technique to achieve code execution. \[Note: Read Dark Reading's earlier coverage on Follina.\] While referencing a remote object, similar to techniques like template injection, the document retrieves the following URL:

_hXXps://www.xmlformats\[.\]com/office/word/2022/wordprocessingDrawing/RDF842l.html!_

When still active, the URL hosted content that included follow-on code to execute PowerShell via an explicit call to the application "ms-msdt":

    

MSDT is a diagnostic tool included in Windows. As shown above, MSDT can be used to parse and execute code, such as PowerShell, and can be called through parsing a malicious resource. Abuse of MSDT isn't new, as the technique previously has been documented among known "living off the land" binary (LOLBins) abuse. However, its use via a URL redirection called from Microsoft Office was previously unknown, expanding scope of potential MSDT abuse to remote mechanisms.

Since initial reporting, Microsoft issued CVE-2022-30190 to cover this remote code execution (RCE) possibility within MSDT when called through another application. While a patch for this vulnerability has not yet been released, several mitigation strategies exist (covered in greater detail below).

As of this writing, actual abuse of this technique appears to be limited, but with examples dating back to as early as April 2022. Public disclosure and researcher notes identify only a few instances of malicious use of MSDT via Microsoft Office applications. However, since public identification, multiple proofs of concept for this technique emerged, and Gigamon Applied Threat Research (ATR) anticipates that multiple threat actors will soon incorporate this technique into operations.

**Impact**

At present, the impact of CVE-2022-30190 is largely notional given lack of identified widespread use by threat actors. Once this technique is absorbed into existing actor toolkits, however, circumstances will change, with the potential for use by multiple threat actors. On initial discovery, endpoint detection and response (EDR) solutions appeared largely blind to this execution mechanism, but as of this writing that is rapidly changing across multiple vendors and products. Furthermore, as explained in guidance from Microsoft, MSDT's capability to launch items as links can be disabled via changes to the Windows Registry, removing this intrusion vector (with the potential for unforeseen or undesired consequences) until a true patch is available.

More importantly, while much initial discussion focused on the Office mechanism for triggering this issue, CVE-2022-30190 is application-agnostic in functionality, which centers on passing code to MSDT for execution. While Office represents an obvious mechanism to reach this application through delivery of a document via phishing or malicious link, any mechanism of launching MSDT will work to enable follow-on RCE such as a malicious LNK file or via the implementation of "wget" in Windows. The Office route presents just one of many potential avenues for exploitation, with other possibilities of MSDT abuse publicly documented.

For defenders and end users, the risk is therefore not just a new malicious Office delivery vector but, rather, abuse of an internal Windows component (MSDT) for code execution via multiple potential vectors. As such, certain mitigations (such as stopping all child processes from Office applications) represent only partial fixes to one aspect of the problem. To appropriately determine the scope and risk of this scenario, defenders must orient how MSDT abuse, irrespective of vector, applies to adversary operations.

**Orienting to Adversary Operations**

As documented thus far, MSDT is leveraged in early phases of adversary operations as an initial access mechanism to victim machines. As noted by other researchers, MSDT abuse via Office results in follow-on execution with the same privileges as the active user. This is helpful if victims are running as unprivileged users, but given the wealth of mechanisms available to elevate privileges in Windows environments, this limitation would appear to be easily overcome by most adversaries.

However, even if an adversary can access and elevate privileges to a victim device, this specific action represents only one, relatively early step in the overall adversary life cycle, or "kill chain." Appropriately leveraging this vulnerability still requires follow-on actions, including command and control (C2) and lateral movement activity, that present options to defenders for identifying adversary operations. Furthermore, there are precursor actions to code execution via MSDT that defenders can leverage to identify suspicious behaviors leading to exploitation.

Overall, CVE-2022-30190 represents a concern, but only one of many potential avenues available to adversaries to achieve initial code execution in victim environments. By properly understanding how adversaries employ this technique and what are necessary pre- and post-exploit actions to achieve adversary objectives, defenders can begin identifying detection, response, and hunting strategies that work against multiple potential intrusion vectors.

**Detection and Mitigation Possibilities**

1.  **Focus on patching and host-based responses.** The initial security community focus for MSDT abuse mitigation focused on patching (or the inability to do so) and host-based responses. As a host-focused exploitation mechanism, such an approach appears reasonable, and patching will be the most effective way of addressing this specific security issue. Additionally, process parent-child relationship monitoring (or outright blocking) can significantly reduce attack surface by preventing entire categories of intrusion, such as Office or MSDT spawning child processes. Specifically unregistering the URI handler for MSDT in the Windows Registry, as outlined by Microsoft and security researchers, may also temporarily address the issue.
2.  **Look for pre- and post-exploitation activity.** As noted in the previous section though, defenders should strive for detections and mitigations that can apply irrespective of specific exploits by looking at required adversary actions pre- and post-exploitation. For example, in the case of CVE-2022-30190, current delivery mechanisms focus on Office implementations. Likely future implementations will probably expand to other file formats commonly distributed via email or malicious websites, such as LNK files, self-extracting archives, and optical disk images. Identifying and increasing visibility over these distribution pathways, limiting exposure to unknown or untrusted vectors, and similar actions may thus reduce attack surface against multiple types of delivery mechanisms that can be used for payloads beyond MSDT exploitation.
3.  **Identify potential C2 or lateral movement mechanisms**. Post-exploitation, various opportunities exist for identifying C2 or lateral movement mechanisms even if initial exploitation is missed. Following initial access, threat actors will in most cases need to migrate to other areas of the network: repositories of intellectual property or sensitive information, or critical network infrastructure such as domain controllers. The actions required to do so — such as enumerating Active Directory or remote process execution — present opportunities even without host monitoring to identify adversary operations.
4.  **Identify and classify network assets.** Further actions, such as identifying and (if possible) classifying newly observed network items (IP addresses and domain names) may allow for disclosure of unique C2 items. Where appropriate asset identification is enabled, identifying odd network traffic to new, unusual remote resources can further enable defenders to catch and categorize potentially malicious activity. Identifying unusual traffic based on User Agent strings when visible — such as a PowerShell-based User Agent string retrieving an executable file based on file MIME type or extension, as seen in the initial CVE-2022-30190 example — can further enhance visibility into insecure or undesirable network behaviors.

Overall, a variety of options remain available to network defenders even if the actual exploitation of a new, potentially unknown (or "zero-day") vulnerability takes place. Understanding one's own network and its characteristics combined with sufficient visibility into network and host behaviors allows defenders to ask (and answer) questions concerning activities of interest to flag the necessary preconditions and follow-on actions adhering to vulnerability exploitation. While not necessarily easy in all cases, proper investment in resources and people will allow organizations to achieve a redundant security posture capable of catching zero-day exploitation, supply chain intrusions, or state-sponsored attacks.

**Conclusion**

Software and application vulnerabilities are a continuous and ongoing problem in the information security space. CVE-2022-30190 represents just another example of such vulnerabilities that have the potential to facilitate adversary operations. While organizations should perform proper risk analysis and patch as soon as practical once there's a fix for this vulnerability, defenders are not lost prior to release.

Instead, by understanding how adversaries leverage exploits as part of the intrusion life cycle, defenders and network owners can structure detections and defense so that they are agnostic to specific vulnerabilities. Rather than continuously chasing specific weaknesses as they appear over time, such as specific defenses around CVE-2022-30190 weaponization, defenders can structure operations to look for necessary precursors to exploit development (reconnaissance, delivery) or required follow-on actions to achieve objectives (C2, lateral movement).

In building defense and response this way — focused on core behaviors and adversary dependencies — defenders can build a more sustainable security posture that can adapt to future, yet-to-be-discovered vulnerabilities along with current, known tradecraft. Through layering behavior-based detections along with patching, signatures, and other items, defenders can achieve the requisite defense-in-depth necessary to adapt to a dynamic threat environment, without relying on single-point-of-failure defenses easily evaded by capable adversaries.

Fighting Follina: Application Vulnerabilities and Detection Possibilities

Artificial intelligence technology can detect the latest wave of Trickbot ransomware and block the attack before it causes damage.

When malware strains disappear, it is often by choice of their creators and threat actors, rather than as a result of outside efforts to shut them down. The actions governments and organizations take to combat these threats directly have often proved short-term and limited in scope — a pattern that the resurrection of Trickbot last year unfortunately demonstrated.

An effort led by Microsoft and its partners to shut down Trickbot malware was conducted in the lead-up to the 2020 US election in an attempt to reduce the risk of election tampering. In the end, 94% of Trickbot's infrastructure was effectively eliminated, massively reducing its influence in late 2020.

Despite taking such substantial losses, however, Trickbot soon saw a resurrection of incredible proportions. Rather than dying off as some hoped it might, the strain grew back at such a rate that by June 2021 it had again become the most prevalent malware in the world.

One of the numerous businesses that Trickbot targeted that month was a European public administration organization. Unaware that one of its internal domain controllers had been compromised by Trickbot, the organization happened to begin a trial of Darktrace's artificial intelligence (AI)-driven cybersecurity technology, which shined a light on the malicious attack taking place within their network.

**AI Catches an Emerging Trickbot Ransomware Attack**

Darktrace employs AI-powered behavior-based detection, which can differentiate between benign and malicious activity within an organization. When the compromised domain controller began uploading DLL files to other devices, Darktrace's technology immediately detected the activity and suggested an appropriate response. However, it was configured in "human confirmation" mode — meaning it required a human operator to confirm the action.

As it waited for the human team to approve its actions, Darktrace continued to monitor the progression of the threat. It detected the compromised domain controller uploading Trickbot over SMB to almost 300 devices across the organization, and then utilizing Windows Management Instrumentation (WMI) to execute it.

Trickbot may be old and well-documented malware, but its modular nature makes it endlessly adaptable and therefore difficult for security tools to pin down. At this stage in the attack, traditional tools within the organization's network had still failed to spot the threat. When the nature of the attack changes with every new instance and modular configuration, intelligence-based security systems will always struggle to keep up.

The difficulty of relying on OSINT to address Trickbot was demonstrated in this attack when 160 of the 280 compromised devices were detected connecting to new C2 endpoints. Microsoft and its partners had specifically targeted C2 servers in 2020, but Trickbot's turnaround in the aftermath of that action showed how quickly new servers and endpoints can be established. In this case, OSINT did not associate any of the endpoints the 160 company devices connected to with malicious activity; however, Darktrace recognized the behavior as unusual nonetheless, and issued a high-severity threat notification to the organization.

For over a month, the attackers laid low. Darktrace then detected compromised devices scanning the network and downloading suspicious executable files — most likely Ryuk ransomware payloads. With several stages of the attack now months apart, it would have been hard for a human team to piece together its full scope.

**Targeted Action Before Encryption**

With AI constantly investigating threats across the entire digital environment, however, Darktrace pieced together this attack into a distinct lifecycle and presented it to the security team. It was at this stage that the organization took notice of the threat and turned Darktrace to "autonomous" mode, enabling the AI to take action.

While the automated tool can often stop ransomware attacks at the first signs of a compromise, it can engage at any stage of an attack. Thus, when it was activated at a very late stage by this organization, it still calculated a precise and effective response.

Several malicious actions were blocked by the AI, including SMB enumeration, network scanning, and suspicious outbound connections. Because it targeted these actions rather than the overall devices, the 280 compromised devices were able to continue with their normal business operations as the attack was brought to a halt.

Now that they could no longer complete command-and-control (C2) communications or move laterally, the attackers were unable to execute Ryuk and the attack came to an end. And not a moment too soon. If the attackers had been allowed to execute the ransomware, they likely would have exfiltrated and then encrypted data from across the company. Even if a ransom is paid, ransomware victims often incur numerous other costs, including network shutdowns and remediation, as well as PR fallout.

**Staying Ahead of Malware Trends**

It's clear that Trickbot is as strong and evasive as it ever was and that relying on rules or intelligence-based tools alone is no longer an option for organizations trying to avoid falling victim. Rather than waiting for companies and governments to launch offensives against the endlessly regenerating infrastructure of attackers, organizations should take matters into their own hands and bolster their own infrastructures with AI.

By recognizing how the business usually behaves, rather than worrying about identifying the attacker, Darktrace's AI can stop completely novel threats without rules or OSINT and won't be fooled by reconfigurations and rebrands. Protecting organizations against novel attacks in this way is the surefire way to start hitting Trickbot and other threat actors where it hurts.

Neutralizing Novel Trickbot Attacks With AI

In this Tech Talk, Darktrace's Brianna Leddy and Dark Reading's Terry Sweeney discuss ways ransomware groups adapt their activities as enterprise security teams evolve their defenses and controls.

Ransomware groups are difficult to shut down because they are constantly adapting their techniques to evade newer security defenses and controls. In this Tech Talk, Brianna Leddy, director of analysis at Darktrace, says that just because an attack group ceases operations doesn't mean they won't re-emerge in a different form.

For example, researchers believe that the DarkSide group behind the ransomware attack against Colonial Pipeline returned as Blackmatter, a ransomware-as-a-service group. DarkSide shut down its operations, presumably because of investigations by law enforcement and the US federal government clawing back the ransom payments.

This past year, several affiliate groups working with the group behind REvil ransomware were arrested. Even so, the fact that a site affiliated with REvil recently started redirecting to a new site seems like an indicator that the group is back in operation.

"I don't think it's the last that we've heard of this name," Leddy says.

Re-branding can also reflect a shift in tactics, Leddy says. As more organizations are scanning networks to look for malicious traffic, more attackers are beginning to "live off the land," Leddy says. Living off the land refers to abusing legitimate administrator tools and services to blend in their malicious activities among all other normal, day-to-day network traffic. Attackers are also increasingly targeting cloud services and backup servers to make it more difficult for organizations to recover their encrypted files from the attack group.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Darktrace's Brianna Leddy on How Ransomware Groups Adapt to New Defenses

Supply chain woes have dominated headlines, but there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Supply chain woes have dominated headlines, from raw material and labor shortages, to shipping delays and manufacturing problems. But there's another type of supply chain that's also increasingly at risk: the cloud supply chain.

Cloud supply chain risks have little to do with logistics in the literal sense of the word. Rather, they stem from vulnerabilities in cloud services and processes. Over the last 18 months, 79% of companies have experienced at least one cloud data breach, and 43% have reported 10 or more breaches in that time. And any company, in any industry, is vulnerable.

Though recent breaches have elevated awareness, cloud supply chain attacks are not going away. In fact, because cloud adoption has accelerated due to the COVID-19 pandemic, the threats may increase. So, what's at the root? Risks to the cloud supply chain primarily stem from ecosystem complexity, siloed operations, and lack of insight into software assets, all of which boil down to poor risk management.

But there's good news: gaining a clearer understanding of the supply chain as well as developing a standardized risk management protocol for the entire cloud software development life cycle can reduce the risks and challenges.

**Understanding Threats and Attack Types**

Recent studies into the supply chain have shown that at least 80% of a typical SaaS application is powered by multiple services and vendors, with each component representing a different level of risk. The complexity of this extended operating environment makes it extremely hard to manage, let alone pinpoint vulnerabilities and insecure configurations.

So, what does it look like when your cloud supply chain is under attack? Some attacks will compromise source code. In last year's PHP attack, an attacker compromised the self-hosted Git server and injected two malicious commits that were not detected by code maintainers. Organizations using the software language unknowingly downloaded the malicious code and used it in their operating environment. Dependency attacks, meanwhile, happen when attackers prey on vulnerable dependencies, also injecting them with malware.

Build pipeline threats are perhaps the most damaging types of attacks, since compromised code is turned into an executable format. During the SolarWinds attack, for example, a cybercriminal compromised the build process to insert corrupt Sunspot malware into update packages. SolarWinds did not detect the malware until much later. Though the nature of these attacks may differ, an overarching strategy can prevent them: a better understanding of what's under the hood of your cloud.

**Three Phases of Protection: Assessment, Standardization, and Partnership**

Organizations can reduce their cloud supply chain risks by developing a keen understanding of every piece of their cloud ecosystem. Yet today, just one in five organizations assesses their cloud supply chain in real time. The same number conduct weekly evaluations, and a concerning 58% evaluate their posture once a month or less frequently. This leaves the door open for bad actors.

To protect themselves, it's essential for organizations of all sizes to create a software bill of materials (SBOM), an inventory of all components in the tech stack. By doing so, companies can better understand the complexities of their environment and significantly reduce their vulnerability to cloud supply chain attack.

Once the assessment is complete and users are confident in the security of their cloud supply chains, the next step is to develop a strategy that maintains that level of security. The US National Institute of Standards and Technology's (NIST) framework for vetting cloud vendors can serve as a starting point, but companies should tailor the steps that NIST lays out to their development workflows and processes.

The right partner can also play a key role in risk management, especially for smaller businesses. While mega cloud vendors provide a solid foundation for developers to build secure products, alternative cloud providers can offer something additional: a concierge-style partnership that ensures companies aren't on their own when it comes to security.

For example, Akamai partners with the HackerOne bug bounty program, which has thousands of ethical hackers performing penetration testing against their operating environment and products. Additionally, Akamai offers security controls and protection against supply chain risk by scanning our tech stack.

**Creating a Culture of Security**

As an industry, we are currently in reaction mode. Attacks are on the rise, and organizations aren't taking enough proactive measures to prevent disaster. But as the dependency on cloud continues to grow, no company, big or small, can afford to take this gamble.

Security starts with understanding the stack, assessing the risks associated with each element, and committing to following established best practices. The software supply chain includes multiple departments — purchasing, IT, software engineering, development, release, change management, operations. It really is everyone's job to get it right.

**About the Author**

    

As senior director of information security, Joseph Zhou leads the cybersecurity program, architecture, and operations of Akamai's cloud compute operations. Zhou leads a team of security professionals spanning enterprise security architecture, network security, business continuity, security awareness training, and more. He brings a wealth of industry experience to the role, and previously served in CISO roles at Evive and Transworld Systems.

Managing Extended Software Supply Chain Risks

SeclarityIO's NetworkSage platform analyzes network traffic data to identify attacks before they become real problems.

The point of enterprise threat hunting is to give organizations a chance to find potential attacks and take corrective action before the attacks can cause damage and become a security crisis. But there is a lot of network data to scrutinize, a set number of hours in a day, and only so many analysts to do the work.

Enter NetworkSage, a cloud platform from SeclarityIO, which aims to analyze network traffic flow, focus triage alerts, and provide analysts with insights on potential problems that need to be addressed. With NetworkSage, managed service providers, security operations centers, and threat researchers can offload their entire triage workflow and get "expert analysis at machine speed," says David Pearson, co-founder and CEO of SeclarityIO.

Network data can be an "exceptionally strong source of truth," Pearson wrote in a blog post describing how threat hunters could use NetworkSage to identify phishing attacks. Threat hunters can look for traffic that could indicate a phishing attack, such as a user visiting sites and entering information, near an active email session. Or there might be sessions and communications that may indicate command-and-control activity.

In network security, anomaly detection depends on identifying "bad" activity in a network, but to do so requires establishing a meaningful baseline of "good" behavior. That is difficult in an enterprise environment because users are doing all kinds of different things and communicating with different people and systems on a daily basis. All of this contributes to high volumes of security alerts, because analysts have to track down every single deviation from so-called-normal activity. The problem is compounded by the fact that organizations are working with multiple security tools, Pearson says.

Alert fatigue is a major problem for enterprises as security practitioners receive hundreds of unprioritized alerts every day. Understanding which alerts are actually indicators of a problem is critical to security defense, but can be tedious and time-consuming. In a recent Orca Security study, 59% of respondents say they receive more than 500 public cloud security alerts per day. In the same survey, 55% said that critical alerts were being missed, often on a weekly and even daily basis.  

By using NetworkSage to automate the correlation and analysis, there is less likelihood of an analyst overlooking something or not getting to the real issues in a timely manner because they are distracted by less-important alerts.

**Finding Bad Patterns**

Pearson refers to NetworkSage as "network interpreter technology," as it analyzes network traffic to identify attack vectors, not specific payloads or individual URLs. The network flow is categorized across different categories. Analysts can find commonalities to identify traffic that is part of a malicious pattern. For example, the platform categorizes communications to any port on any site, which helps identify malicious activity associated with command-and-control servers, Pearson says.

Security analysts can load the organization's network flows into NetworkSage using an API and visualize who communicated with whom on the network, how a user interacted with a malicious site, and how many packets were sent and received, among other metrics. The platform also analyzes the flows and informs analysts if the interaction is actually problematic and requires remediation.

For example, security tools would raise an alert if the user (or multiple users) accessed a known phishing site, but they wouldn't say whether the user actually entered credentials. Without that knowledge, the analyst has to investigate and follow up with each user in order to find the ones who did fall for the phishing attack. NetworkSage looks at the organization's network data, so it can see how the user interacted with the site and identify which user entered credentials. The analyst now knows which of the potential issues resulted in an actual compromise and can respond accordingly.

In the past, security analysts would have to look at alerts and dig into the associated network logs to suss out whether a user accidentally entered the wrong credentials in a site, or if it was a malicious login attempt. NetworkSage automates that analysis to determine that the user did actually put their credentials in a phishing site, or opened a malicious executable.

**Common Use Cases**

Analysts can use NetworkSage in a number of ways, including as a tool to automatically triage alerts, review results from threat hunting exercises, and threat hunt using crowdsourced information, Pearson says. Automated triage is perhaps the most common. In that scenario, the platform captures the network activity that triggered an alert as well as activity just before and after. NetworkSage provides a high-level overview of what happened and whether it was interesting, as well as associated details that would be needing during the investigation.

Uploading the results from threat hunts to NetworkSage provides teams with an understanding of whether the activity is something that requires remediation. This could be useful if the threat hunt uncovers activity that could indicate a widespread phishing attack, for example.

There is also a community aspect, as well, Pearson says. NetworkSage can display the labelled information to all users without exposing sensitive details for each organization. This makes crowdsource threat hunting possible because everyone can see different parts of the threat landscape, and not just their own personal network view. Analysts can add details about what they are seeing and the platform shows metadata such as how long a particular flow to a specific destination has been in NetworkSage's data set. The broader perspective provides threat hunting teams with more information about places they should be looking for potential attacker activity. 

Pearson says NetworkSage is attempting to do for threat hunting and network traffic data what GreyNoiseIO does for analyzing Internet traffic to identify malicious traffic.

Source

DARKReading