Cyber Weekly Roundup - April 28, 2017 - NetCentrics

Weekly Roundup

Cyber Weekly Roundup – April 28, 2017

By Andrew Paulette

1.) Hard Target: Fileless Malware (April 25, 2017)

https://threatpost.com/hard-target-fileless-malware/125054/

Summary: The future of client-side malware attacks is fileless. And it would appear the future has arrived with a growing number of attacks using fileless or in-memory malware to pose a threat to business that’s increasingly difficult to neutralize.

Why it matters: The only thing constant in cybersecurity is change, it seems. In a continued arms race between attacker and defender, malware is evolving and, as this article points out, our detection and incident response toolbelt will have to grow to meet the challenge.

Fileless malware runs solely in memory, leaves no trace of the malicious program on the user’s hard drive, and therefore cannot be detected through traditional anti-virus which uses signature based detection. The sudden growth in this form of attack suggests that less technically competent cyber criminals groups (instead of more savvy nation-state threat actors) are either buying malware and malware kits from the dark market, or that the knowledge on how to use this technology is trickling down to less advanced groups. Cyber defenders will need to train up on using memory-analysis tools to help analyze this malware during incident response, as well as understanding how to monitor for anomalous signs of behavior on the network (i.e., you know there’s a problem when wordpad attempts to initiate a network connection). Through proper training, security operations centers and incident responders can get a handle on the changing threat landscape, at least until it changes again.

2.) BrickerBot, the permanent denial-of-service botnet, is back with a vengeance (April 24, 2017)

https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/

Summary: BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things (IoT) devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons.

Why it matters: If you don’t mind the compromise of your IoT device to a “friendly” botnet, but the temporary solution offered by Hajime just doesn’t carry the long-term protection you’d hoped for on your IoT device, Brickerbot has the solution – the best way to ensure a device won’t be attacked is to permanently take it off the network. Brickerbot will do just that and more – by completely destroying the OS running the device, making it inoperable and “bricking” it completely (i.e., possessing all the technolgical sophistication of a brick).

The deployment of malware such as Hajime and brickerbot show escalation in the actions between cybercriminals and vigilantes over IoT device real-estate that is available in the world – and the turf war shows no signs of slowing. While the vigilantism has the potential to reduce the footprint of IoT botnets, the chances of unforseen consequences on IoT devices used for life-saving technology is a real concern which makes these “solutions” less than ideal. Both vendors and consumers of these devices must take responsibility for security their poorly configured IoT devices if any meaningful and low-risk change is to occur in the IoT Scene.

3.) AV provider Webroot melts down as update nukes hundreds of legit files (April 24, 2017)

https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-update-nukes-hundreds-of-legit-files/

Summary: Antivirus provider Webroot is causing a world of trouble for customers. A signature update just nuked hundreds of benign files needed to run Microsoft Windows, as well as apps that run on top of the operating system.

Why it matters: While this isn’t the first time an antivirus program has quarentined benign files and sites, this article does serve as a reminder that from time to time, unintended changes to coding can have severe consequences for its users. As antivirus becomes more complex to handle evolving malware, it’s possible that such errors may become more common as minor changes can result in a cascade of unintended consequences through the program.

4.) The Backstory Behind Carder Kingpin Roman Seleznev’s Record 27 Year Prison Sentence (April 24, 2017)

https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/

Summary: Roman Seleznev, a 32-year-old Russian cybercriminal and prolific credit card thief, was sentenced Friday to 27 years in federal prison. That is a record punishment for hacking violations in the United States and by all accounts one designed to send a message to criminal hackers everywhere. But a close review of the case suggests that Seleznev’s record sentence was severe in large part because the evidence against him was substantial and yet he declined to cooperate with prosecutors prior to his trial.

Why it matters: This article serves as an interesting write up on the American justice system’s handling of recent cyber crime attacks, and some of the considerations that may have led to sentencing.

5.) MIRAI AND HAJIME LOCKED INTO IOT BOTNET BATTLE (April 21, 2017)

https://threatpost.com/mirai-and-hajime-locked-into-iot-botnet-battle/125112/

Summary: Security experts say a white hat hacker is responsible for the Hajime IoT botnet, which is on a mission to secure IoT devices vulnerable to the notorious Mirai malware. Divergent goals between Mirai and Hajime, experts say, will spark a perpetual back-and-forth between Mirai black hats and a lone Hajime white hat racing to reach millions of routers, DVRs  and internet-connected cameras.

Why it matters: The turf war over IoT between DDOS providers and Grey Hats launching semi-malicious countermeasures to protect the public at large against the likes of Mirai appears to be heating up. The Hajime botnet works to penetrate IoT devices for the unique purpose of securing them against the Mirai botnet. This infection adds a sort of protection against Mirai until the device is restarted, at which point the competing botnets will work to seek out and infect the device again. Hiajime works by closing security holes on the product such as open Telnet ports to close commonly exploited vectors on these devices.While cyber solutions based on vigilatism are illegal and carry some level of risk, the Hajime botnet at least sounds less destructive than the current alternative, Brickerbot (discussed above).

6.) Tracing Spam: Diet Pills from Beltway Bandits (April 19, 2017)

https://krebsonsecurity.com/2017/04/tracing-spam-diet-pills-from-beltway-bandits/

Summary: Reading junk spam messages isn’t exactly my idea of a good time, but sometimes fun can be had when you take a moment to check who really sent the email. Here’s the simple story of how a recent spam email advertising celebrity “diet pills” was traced back to a Washington, D.C.-area defense contractor that builds tactical communications systems for the U.S. military and intelligence communities.


Why it matters: This article is one of those reminders of all the potential damage that can come from even relatively lower level cyber crime such as spamming. Compromising a company server is bad enough, but a defense contractor within the US can inadvertently lead to compromise of sensitive government or military information.
Aside from the reminder this article serves to the dangers of cyber crime, this article also provides insight into how to discover and analyze spam mail that may be useful for security professionals just starting out in their career.