Showing posts sorted by relevance for query ransomware. Sort by date Show all posts
Showing posts sorted by relevance for query ransomware. Sort by date Show all posts

Cyber Security - Ransomware Guidance For Financial Firms.

     


    DFS Ransomware Guidance - Financial Sector.


    The Department of Financial Services (DFS) of New York released a letter outlining how regulated organizations need to cooperate to thwart and lessen ransomware attacks. 

    The letter outlines nine controls that need to be implemented by regulated companies. 

    Both regulated financial institutions and the MSSPs (Managed Security Service Provider) who supply them with services should take note of the letter. 

    MSSPs will need to demonstrate how they can assist their customers in following DFS's guidelines in order to engage with regulated businesses.


    Fighting ransomware requires technology that codifies efficient procedures, such as those suggested by DFS, promptly interprets data from various security instruments, and coordinates the necessary reaction.


    DFS Analysis of Financial Services Ransomware Attacks.


    The advisory letter states that the "good news" is that most ransomware assaults can be avoided, which is unusual when discussing ransomware. 

    This is due to the fact that ransomware perpetrators often utilize the same methods. 


    Attackers gained access to the target's network in the 74 recent assaults that the DFS examined by using: 

    1. phishing, 
    2. remote desktop protocols, 
    3. or unpatched vulnerabilities. 


    In order to launch their ransomware, the attackers would then increase their privileges, often by acquiring and decrypting encrypted passwords.

    The advice letter points out that there are well-known defenses worth considering against the ransomware attackers' common tactics that might assist shield their intended victims.



    DFS's Ransomware Security Controls for Financial Services Companies Subject to Regulation


    The letter outlines nine particular measures that regulated businesses are required to put in place wherever feasible. 

    The first seven concentrate on avoiding ransomware while the latter two discuss preparing for a ransomware occurrence. The nine controls are listed below:



    1. Anti-Phishing education and email filtering.


    The advice emphasizes the need of employing both technical and educational tools to safeguard against phishing emails.


    2. Patch and Vulnerability Management.


    According to the recommendations, businesses should have a written program for controlling vulnerabilities that includes regular security fixes and upgrades.


    3. Two-factor identification.


    According to the advice, employing MFA for user accounts is successful at preventing hackers from entering the network and growing their rights.


    4. Turn off RDP Access.


    The guidelines advise regulated companies to limit access to remote desktop protocol to whitelisted sources and deactivate it wherever feasible.


    5. Password administration.


    Access control and password management are essential for limiting dangerous threat actors, including ransomware.


    6. Manage Privileged Access.


    According to the recommendations, businesses should rigorously guard, audit, and limit the usage of privileged accounts, and individuals should be granted the least amount of access necessary to carry out their tasks.


    7. Response and monitoring.


    According to the recommendations, businesses need to have ways to keep an eye on their systems and react to any questionable behavior. 

    EDR and SIEM are among the proposed techniques.


    8. Backups that have been tested and separated.


    The advice stipulates that regulated organizations should store several backups, at least one set of which should be separated from the network, in the first control that deals with preparing for an incident (the first seven addressed preventing an occurrence). 

    Businesses should routinely check their ability to recover systems using backups.


    9. An emergency action plan.


    Companies should develop incident response plans that particularly target ransomware, according to the recommendations for the second incident preparedness control.


    ~ Jai Krishna Ponnappan

    Find Jai on Twitter | LinkedIn | Instagram


    You may also want to read and learn more Cyber Security Systems here.


    Cyber Security - Malware Analysis.

     




    Malware stands for 'malevolent software,' which refers to any program that engages in malicious behavior. Malware and malicious code are phrases that are used interchangeably. 


    Malware comes in a variety of shapes and sizes, as well as several categories, such as viruses, Trojans, worms, spyware, botnet malware, ransomware, and so on. 

    Many cyberattacks on the Internet are carried out through malware, including nation-state cyberwar, criminality, fraud, and scams. 

    Trojans, for example, may create a backdoor into a government network, allowing nation-state attackers to steal confidential data. Ransomware may encrypt data on a user's computer, rendering it inaccessible to the user, and only allowing the data to be decrypted when the user pays a fee. 


    Many Distributed Denial-of-Service (DDoS) assaults, as well as spam and phishing, are carried out via botnet malware. 

    To better comprehend cyberattacks and build effective remedies, we need to investigate the mechanisms underlying malware generation and dissemination. 

    The complexity and durability of both cyber defense measures and malware technologies and operating models have grown as the political and financial stakes have risen. 

    For example, to evade malware detection systems, attackers now use obfuscation techniques like packing and polymorphism, as well as metamorphism , and they set up adaptive network infrastructures on the Internet to support malware updates, command-and-control, and other logistics like data transits. 


    In summary, malware research is growing more vital, but also more difficult. 


    We'll go through a malware taxonomy, as well as their usual destructive actions, eco-systems, and support infrastructure. 

    After that, we'll go over the tools and strategies for analyzing malware behavior, as well as network and host-based detection methods for detecting malware activity, as well as forensic analysis and attribution processes and techniques for responding to malware assaults. 




    A MALWARE TAXONOMY.



    Malware comes in a variety of forms . The creation of a taxonomy to systematically categorize the huge range of malware kinds is instructive. 


    This taxonomy defines the common properties of each form of malware and may therefore be used to drive the creation of countermeasures for an entire malware category (rather than a specific malware). 

    Our taxonomy may encompass several dimensions due to the different features of malware technology and attack activities that can be used to categorize and label malware. 

    We'll go through a handful of the more crucial ones here. It's worth noting that other, more specialized features, such as target CPU architecture or operating system, might also be employed. 



    The first axis of our taxonomy is whether malware is a stand-alone (or independent) program or only a set of instructions to be implanted in another program. 


    Once installed and launched on a compromised system, standalone malware is a full application that can function on its own. 

    Worms and botnet malware, for example, are examples of this sort of malware. 

    The second kind requires the execution of a host program, i.e., it must infect a program on a computer by injecting its instructions into the program, causing the malware instructions to be executed as well. 

    Document macro infections and malicious browser plug-ins, for example, are examples of this sort. 

    In general, standalone malware is simpler to detect since it is a separate application or running process that may be spotted by the operating system or security solutions. 



    The second factor to consider is whether malware is persistent or not. 


    The majority of malware is installed in persistent storage (usually a file system) as independent malware or as an infection of another software that already has a persistent storage presence. 

    Other malware is memory-resident, which means that once the computer is restarted or the infected running software terminates, it is gone from the system. 

    Many anti-virus programs that depend on file scanning are unable to identify memory-resident malware. 

    Such ephemeral malware also has the benefit of being simple to clean up (or cover-up) when it has completed its assault. 

    The traditional method for malware to become memory-resident is to delete the malicious program (which had previously been downloaded and installed) from the file system as soon as it has been run. 

    Newer methods use system administration and security technologies like PowerShell to directly inject malware into memory . 

    According to one report , meterpreter malware was downloaded and injected into memory using PowerShell instructions following an initial vulnerability that resulted in the unauthorized execution of PowerShell, and it gathered passwords on the compromised machine. 



    The third dimension, which only relates to persistent malware, classifies malware according to whatever tier of the system stack it is installed and runs on. 


    Firmware, boot-sector, operating system kernel, drivers and Application Programming Interfaces (APIs), and user applications are the layers in increasing sequence. 

    Lower-layer malware is often more difficult to detect and remove, and it causes more damage since it has more power over the affected machine. 

    On the other hand, since there are more limits, such as a more constrained programming environment in terms of both the kinds and quantity of code permitted, it is also more difficult to build malware that can be implanted at a lower layer. 



    The fourth dimension is whether malware is initiated by a user activity or runs and spreads automatically. 


    When auto-spreading malware starts, it searches the Internet for additional susceptible devices, compromises them, and installs itself on them; the malware copies on these newly infected machines then do the same – run and propagate. 

    Auto-spreading malware may obviously propagate swiftly via the Internet, exponentially increasing the number of vulnerable systems. 

    User-activated malware, on the other hand, is installed on a computer when a user unintentionally downloads and runs it, such as by clicking on an attachment or URL in an email. 

    More crucially, while this virus can 'spread' by sending email with itself as an attachment to contacts in the user's address book, this spreading is not effective until the recipient of the email activates the malware. 



    The fifth dimension is whether malware is static, or only updated once, or constantly updated. 


    Most current malware is backed by infrastructure that allows a hacked computer to get a software update from a malware server, which results in the installation of a new version of the malware on the infected machine. 

    There are several advantages to upgrading malware from the attacker's perspective. 

    Updated malware, for example, may elude detection systems based on the features of previous malware samples. 



    The sixth factor is whether malware operates alone or as part of a larger network (i.e., a botnet). 


    While botnets are responsible for many assaults such as DDoS, spam, phishing, and other kinds of targeted attacks, standalone malware has grown more widespread. 

    That is, malware may be tailored to infect a target company and carry out destructive operations based on the company's assets that are valuable to the attacker. 

    To prevent detection, most current malware employs some type of obfuscation (and hence we do not explicitly include obfuscation in this taxonomy). 

    A virus creator may employ a variety of obfuscation methods and tools that are publicly accessible on the Internet. 

    Polymorphism, for example, may be exploited to evade detection approaches that rely on malware code 'signatures' or patterns. 

    That is, the malware's recognizable traits are altered to make each instance unique. 

    As a result, malware instances vary in appearance, yet they all perform the identical malicious functions. 

    Packing, which involves compressing and encrypting a portion of the infection, and rewriting recognizable bad instructions into other comparable instructions are two popular polymorphic malware tactics. 



    As an example, we may apply this taxonomy to a variety of malware kinds (or names). Take a look at the table below: 





    A virus, in particular, requires the execution of a host-program since it infects it by injecting a harmful code sequence into the program. 


    When the host software starts, the malicious code is executed, and it might hunt for other applications to infect in addition to completing the specified destructive operations. 

    A virus is usually persistent, residing in all layers of the system stack except the hardware. 

    It can propagate on its own because it can autonomously insert itself into applications. 


    If a virus can connect to a malware update server, it may also be dynamically updated. 


    Although the technique for mutation is built in the virus's own code, a polymorphic malware virus may change itself so that fresh copies seem different. 

    A virus isn't usually part of a coordinated network since, although it may infect a large number of computers, the viral code doesn't usually undertake coordinated actions. 


    Malicious browser plug-ins and extensions, scripts (e.g., JavaScript on a web page), and document macros are examples of malware that need a host application (e.g., macro viruses and PDF malware). 


    These sorts of malware may be disguised and constantly updated. 

    They can also create a coordinated network. 

    Any malware that is part of a coordinated network with a botnet architecture that offers command-and-control is referred to as botnet malware. 

    Malware updates and other logistical assistance are frequently provided via botnet infrastructure. 


    Botnet malware is persistent and frequently obfuscated, living in the kernel, driver, or application layers. 


    Some botnet malware, such as malicious browser plug-ins and extensions, need a host application and user activation to propagate (e.g., malicious JavaScript). 

    Other botnet malware is stand-alone and spreads automatically across the Internet by infecting weak machines or users. 

    Trojans, keyloggers, ransomware, click bots, spam bots, mobile malware, and other malware are examples. 



    PUPs (Potentially Unwanted Programs) 


    A potentially undesirable program (PUP) is usually a piece of code that is downloaded as part of a valuable software. 


    When a user downloads the free edition of a mobile gaming app, for example, adware, a kind of PUP that shows ad banners on the game window, may be installed. 

    Adware often gathers user data (such as geo-location, time spent playing the game, friends, and so on) without the user's knowledge or agreement in order to provide more targeted adverts to the user and increase the advertising's efficacy. 

    Adware is classified as spyware in this scenario, which is described as an undesirable application that steals data about a computer and its users. 


    PUPs exist in a gray area because, although most download agreements offer information about these dubious behaviors, most users do not study the finer details and so do not comprehend what they are installing. 


    PUPs should be classified as malware from the standpoint of cybersecurity, and this is the approach used by many protection solutions. 

    The basic explanation is that a PUP has the ability to evolve into full-fledged malware; once installed, the user is completely dependent on the PUP operator. 

    For example, spyware included in a spellchecker browser extension might collect information about the user's preferred websites. 

    It may, however, collect user account information such as logins and passwords. 

    In this situation, the spyware has evolved from a PUP to a malware.



    ~ Jai Krishna Ponnappan

    Find Jai on Twitter | LinkedIn | Instagram


    You may also want to read and learn more Technology and Engineering here.

    You may also want to read and learn more Cyber Security Systems here.










    Cyber Security - MALWARE'S MALICIOUS ACTIVITIES.

     


    Malware effectively codifies the harmful behaviors that an attacker intends to carry out. 



    The Cyber Kill Chain Model may be used to analyze cyberattacks, as illustrated in Table. 

    It represents (iterations of) stages that are generally involved in a cyberattack. 

    Reconnaissance is the initial phase, in which an attacker locates or attracts possible targets. 

    This may be done by searching the Internet for susceptible machines (computers that execute network services like sendmail and have known vulnerabilities) or sending phishing emails to a group of users. 

    The next step is to acquire access to the targets, for example, by providing crafted input to trigger a vulnerability in the susceptible network service software, such as a buffer overflow, or by embedding malware in a web page to compromise a user's browser and take control of his machine. 



    This relates to the Cyber Kill Chain Model's Weaponization and Delivery (of exploits) stages. 


    Once the victim has been hacked, another piece of malware is often downloaded and installed; this corresponds to the Cyber Kill Chain Model's Installation (of malware) stage. 


    This malware is the attacker's main workhorse and can perform a variety of tasks, including: 


    confidentiality – it can steal valuable data, such as user authentication information and financial and health information; 

    integrity – it can inject false information (e.g., send spam and phish emails, create fraudulent clicks, etc.) or modify data; and 

    availability – it can send traffic as part of a distributed denial-of-service (DDoS) attack. 


    Because there are toolkits (e.g., a key-logger) freely available for carrying out many 'standard' activities (e.g., recording user passwords), and malware can be dynamically updated to include or activate new activities and take part in a longer or larger 'campaign' rather than just performing isolated, one-off actions, most modern malware performs a combination of these attack actions. 


    In the Cyber Kill Chain Model, these are the Actions on Objectives. 



    Botnets are a kind of malware that has been operating for a long time and is well-coordinated. 


    A botnet is an attacker-controlled network of bots (or hacked computers). 


    Each bot is infected with botnet malware, which connects with the botnet command-and-control (C&C) server on a regular basis to receive instructions on particular destructive operations or malware upgrades. 

    For example, a spamming botnet's C&C server sends each bot a spam template and a list of email addresses every day, resulting in the botnet sending a significant number of spam messages. 

    If the botnet is disrupted as a result of detection and response activities, such as the current C&C server being taken down, the botnet malware is already designed to contact an alternate server and may receive updates to switch to a peer-to-peer botnet. 

    Because there are numerous bots in various networks, botnets are often fairly loud, i.e., reasonably simple to identify. 


    Botnet C&C is an example of the Cyber Kill Chain Model's Command & Control stage. 


    Unlike botnets, malware used by so-called advanced persistent threats (APTs) usually targets a single organization rather than attempting large-scale assaults. 

    It may, for example, seek for a certain kind of controller in the organization to infect and cause it to deliver incorrect control signals, resulting in machine failures. 

    APT malware is usually designed to last a long time (thus the label "persistent"). 

    This means it not only gets frequent updates, but it also avoids discovery by reducing the volume and intensity of its activity (i.e., 'low and sluggish'), moving across the organization (i.e., 'lateral motions,' and hiding its traces. 

    Instead of sending all of the stolen data to a 'drop site' at once, it can send a small piece at a time and only when the server is already sending legitimate traffic; once it has finished stealing from one server, it moves to another (e.g., by exploiting trust relationships between the two) and removes logs and even patches the vulnerabilities in the first server. 

    When analyzing a cyberattack using the Cyber Kill Chain Model, we must look at each step's activities. 

    This necessitates familiarity with the assault strategies involved. 

    The ATT&CK Knowledge Base is a significant resource for analysts since it chronicles the most up-to-date assault strategies and procedures based on real-world observations. 


    The Eco-System Below Ground.


    Malware assaults in the early days were mostly annoyance attacks (such as defacing or spraying graffiti on a company's website). 


    Malware assaults have evolved into full-fledged cyberwars (e.g., attacks on vital facilities) and sophisticated crimes in recent years (e.g.,ransomware, fake-AntiVirus tools, etc.). 

    There has also evolved an underground eco-system to support the whole malware lifecycle, which includes creation, deployment, operations, and monetization. 

    There are individuals in this eco-system who specialize in certain aspects of the malware lifecycle, and by giving their services to others, they partake in the (money) benefits and rewards. 


    The quality of malware increases as a result of this specialization. 


    For example, an attacker may employ the top exploit researcher to create the section of the malware that compromises a susceptible machine remotely. 


    Specialization may also help to give believable denial or, at the very least, reduce culpability. 


    For example, a spammer merely 'rents' a botnet to transmit spam and is not responsible for infecting machines and converting them into bots; similarly, an exploit 'researcher' is simply experimenting and is not responsible for building the botnet as long as the malware was not released by him. 

    That is, although they are all responsible for malware-related harm, they individually share just a fraction of the overall burden.





    ~ Jai Krishna Ponnappan

    Find Jai on Twitter | LinkedIn | Instagram


    You may also want to read and learn more Technology and Engineering here.

    You may also want to read and learn more Cyber Security Systems here.







    Cyber Security - What Methods Do Hackers Use To Hack In 2022?



      We devote a lot of effort to attempting to explain to different organizations and people the many sorts of hackers that exist and how people are likely to come into touch with them, as this is the root cause from a social engineering perspective. 

      The sorts of hackers to be on the lookout for are listed below, along with some information on how they could attempt to take advantage of you or your company.


      Which Major Hacker Organizations Should We Be Aware Of?


      1. Nation States:

      We won't include any names for political reasons, but you can probably guess which nations are engaged in global cyberwarfare and attempting to hack into pretty about everywhere they believe they can gain an advantage.

      A list of target names, nations, and industries will be managed by highly sophisticated industrial style espionage, sabotage, and ransom attack type activities in accordance with the nation state's present agenda.

      Please keep in mind, though, that western governments won't be totally blameless in this.


      2. Organized Crime:

      Most of us are probably most familiar with organized crime, which consists of groups or people whose only goal is to steal money from anybody they can hack. Rarely is it personal or political; they usually simply ask "where they can get money from."


      3. Hacktivists: 

      While it might be difficult to forecast the kind of targets that these organizations will attack, in reality, they are self-described cyber warriors that attack political, organizational, or private targets in order to promote their "activist" agendas.


      What Are The Most Likely Ways That You Could Be Hacked?


      1. Device Exploits: 

      This is one of the most typical methods of hacking. Basically, all that occurs is that you will get a link to click on that seems safe but really tries to execute some local malware to attack a weakness on your computer.

      Therefore, you are vulnerable since you haven't properly updated Windows Updates (or any other device you're using), handled vulnerabilities in the software you've placed on your devices, or misconfigured software that you've installed (I.e all macros enabled in your Microsoft Office or something like that).

      Once the attacker has "got you," which is often done with a remote access trojan of some kind, they will look for another place to hide inside your network, prolonging their capacity to take advantage of you. 

      They will often search for whatever on your network they can obtain a remote shell on since they will effectively know that the way they got you in the first place (through your computer) can be readily fixed (i.e a printer or an old switch or something).


      2. IP address exploits:  

      Discovering your office's, data center's, or home's exterior endpoints is another frequent method of hacking. 

      Your IP addresses are initially determined using a variety of techniques; sadly, this is relatively readily done via internet lookups or rather often by simple social engineering.

      It would be simple for someone to call your workplace and claim to be from your IP service provider in an effort to persuade you to reveal your office's IP address. 

      For nation governments and bigger organized criminal organizations, they will simply efficiently maintain databases of known ports and known susceptible software operating on those ports while continuously scanning through millions of IP addresses depending on the nations and regions they are interested in.

      Millions upon millions of IP addresses, ports, and known vulnerabilities are posted on Shodan, which is essentially a "Hacker Search Engine," and are available for anyone to see and query at any time. 

      In reality, anybody with access to the Shodan API may quickly search across the whole Shodan database, gaining instant access to millions of entries.


      3. Cloud / SaaS Phishing: 

      Multi-factor authentication is thus beginning to fend against this issue, however many organizational accounts continue to exist throughout the globe without it enabled.

      In actuality, you or a member of your team might be the target of an attack on your Office 365, Google G-Suite, or even your online accounting platform. 

      In many cases, you will simply get a link to something that seems absolutely innocuous or nice in order to "re-enter" your login information for a crucial platform (something you wouldn't want the bad guys to have access to).

      Once within the platform, the bad guys may do a wide range of things to attempt to take advantage of you; a popular tactic is to send emails pretending to be a senior staff member in order to transfer money to an account.

      The hackers will continue to keep an eye on you in an attempt to uncover new methods to cause havoc in your digital life. They may even just discreetly send communications for a senior member of staff to another external anonymous account.

      In reality, anybody may strike you at any moment. However, how you should approach your defense will rely on your cyber security risk profile (i.e., what you could have that adversaries might attempt to exploit). 

      To begin with, it's wise to maintain tabs on anyone you suspect of wanting to hack you and their motivations.


      What Are Some Examples Techniques Used By Hackers?



      You are more likely to be targeted by a "Nation State" if you work for a government contractor on specialized intellectual property. 

      This doesn't have to be drugs or weapons; it might be anything that a Nation State would want to duplicate or own for itself.


      You're far more likely to be targeted by organized crime if you're the CEO of a corporation or the finance department (which granted can also be a Nation State). 

      You are probably aware that in phishing campaigns and other situations where bad guys use LinkedIn and Google to scrape information about people's job titles and seniorities in order to figure out how to target their attacks more precisely to the most valuable targets, hackers will target business leaders more frequently.


      If you're the CEO of a large company, national security hackers will attempt to target your children's or family's gadgets in an effort to gain access to your house for espionage or other similar operations. 

      This is why it makes sense to have a closed network at home/private spaces that are only for the gadgets of family/children.


      At the lower end of the spectrum, all of us are sometimes targeted by hackers using phishing emails. 

      As indicated above, emails sent requesting us to click on links are also used to attempt to run remote access trojans in order to allow the bad guys access to your workstations, so we need to be aware that this isn't only for our credentials (i.e., that Multi-Factor authentication may save us from). 

      Once a back door has been built, gangs may manually disseminate ransomware using this.


      Hacktivists are likely to attack you if you work as an executive for a corporation that pollutes foreign rivers and ecosystems.


      Therefore, the main goal of this blog isn't to spook people or incite worry, but rather, we believe that having a basic awareness of the many kinds of adversaries out there may help individuals frame how they should be thinking about their own security.


      ~ Jai Krishna Ponnappan

      Find Jai on Twitter | LinkedIn | Instagram


      You may also want to read and learn more Cyber Security Systems here.



      Analog Space Missions: Earth-Bound Training for Cosmic Exploration

      What are Analog Space Missions? Analog space missions are a unique approach to space exploration, involving the simulation of extraterrestri...